[Savannah-cvs] [687] more fsf page migration


From: iank
Subject: [Savannah-cvs] [687] more fsf page migration
Date: Wed, 6 Dec 2023 16:51:45 -0500 (EST)

Revision: 687
          
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=687
Author:   iank
Date:     2023-12-06 16:51:43 -0500 (Wed, 06 Dec 2023)
Log Message:
-----------
more fsf page migration

Modified Paths:
--------------
    trunk/sviki/fsf.mdwn

Added Paths:
-----------
    trunk/sviki/fsf/checklists/
    trunk/sviki/fsf/checklists/SpinningDisks.mdwn
    trunk/sviki/fsf/debugging/
    trunk/sviki/fsf/debugging/libreplanet-upgrade.mdwn
    trunk/sviki/fsf/debugging/reinstallinggrub.mdwn
    trunk/sviki/fsf/debugging/service-down.mdwn
    trunk/sviki/fsf/hardware/
    trunk/sviki/fsf/hardware/X60.mdwn
    trunk/sviki/fsf/hardware/disable-option-roms-with-cbfstool.mdwn
    trunk/sviki/fsf/hardware/disable-thinkpad-battery-beep-with-nvramtool.mdwn
    trunk/sviki/fsf/hardware/graphics-cards.mdwn
    trunk/sviki/fsf/hardware/kcma-d8.mdwn
    trunk/sviki/fsf/hardware/kgpe-d16.mdwn
    trunk/sviki/fsf/hardware/lemote-parts.mdwn
    trunk/sviki/fsf/hardware/live-usb-loader.sh
    trunk/sviki/fsf/hardware/mapping-to-dimms.mdwn
    trunk/sviki/fsf/hardware/purchase-failure-history.mdwn
    trunk/sviki/fsf/hardware/ram-question.mdwn
    trunk/sviki/fsf/hardware/seabios-x200.mdwn
    trunk/sviki/fsf/services/
    trunk/sviki/fsf/services/asterisk.mdwn
    trunk/sviki/fsf/services/civicrm-bounce-processing.mdwn
    trunk/sviki/fsf/services/discourse.mdwn
    trunk/sviki/fsf/services/gnusocial.mdwn
    trunk/sviki/fsf/services/ikiwiki.mdwn
    trunk/sviki/fsf/services/mediagoblin.mdwn
    trunk/sviki/fsf/services/mediawiki.mdwn
    trunk/sviki/fsf/services/varnish.mdwn
    trunk/sviki/fsf/services/wordpress.mdwn

Added: trunk/sviki/fsf/checklists/SpinningDisks.mdwn
===================================================================
--- trunk/sviki/fsf/checklists/SpinningDisks.mdwn                               
(rev 0)
+++ trunk/sviki/fsf/checklists/SpinningDisks.mdwn       2023-12-06 21:51:43 UTC 
(rev 687)
@@ -0,0 +1,131 @@
+[[!toc levels=2]]
+
+# Testing New and Old Disks
+
+New disks need to be tested before production use. This policy applies for New 
and Used disks. Policy for testing new disks is as follows:
+
+1) Plug the drive into the disk station located in the SysAdmin office. (ask a 
SysAdmin if you are unsure which machine this is).
+
+2) See what new drive has been attached with the command:
+ $ dmesg | tail
+
+You will see something like:
+
+    [    2.291612] sd 2:0:0:0: [sda] 976773168 512-byte logical blocks: (500 
GB/465 GiB)
+    [    2.291830] sd 2:0:0:0: [sda] Write Protect is off
+    [    2.291839] sd 2:0:0:0: [sda] Mode Sense: 00 3a 00 00
+    [    2.291905] sd 2:0:0:0: [sda] Write cache: enabled, read cache: 
enabled, doesn't support DPO or FUA
+    [    2.334873]  sda: sda1 sda2
+
+In this case, sda is the new drive.
+
+3) Run badblocks against the harddrive:
+
+   badblocks -svw /dev/sda
+
+* -s Will enable the status display of the process.
+* -v Will enable the verbose display of the process.
+* -w Will enable the '''write''' test. Be aware, this will wipe the drive.
+
+4) This process will take a long time (over three days for a 3TB disk). Wait 
until it completes. Failures will be indicated by the drive eitiher: Going off 
line -OR- Displaying known badblocks
+
+* If a drive passes the test, it goes in the server room in the box labled 
"Drives Ready to Use".
+* If the drive fails the first time being bad blocked, run badblocks again.
+* If the drive fails a second time and is new it is to be RMA'd.
+* If the drive fails a second and is old, follow the '''Disposing of Old 
Disks''' instructions below.
+
+# Disposing of Old Disks
+
+Before an old spinning disk can be retired and recycled it must be purged. For 
drives >1.5TB please test it with the above '''Testing New/Old Disks''' 
instructions above (even if it has SMART errors).
+
+1) Plug the drive into the disk station located in the SysAdmin office. (ask a 
SysAdmin if you are unsure which machine this is).
+
+2) See what new drive has been attached with the command:
+    $ dmesg | tail
+
+You will see something like:
+
+    [    2.291612] sd 2:0:0:0: [sda] 976773168 512-byte logical blocks: (500 
GB/465 GiB)
+    [    2.291830] sd 2:0:0:0: [sda] Write Protect is off
+    [    2.291839] sd 2:0:0:0: [sda] Mode Sense: 00 3a 00 00
+    [    2.291905] sd 2:0:0:0: [sda] Write cache: enabled, read cache: 
enabled, doesn't support DPO or FUA
+    [    2.334873]  sda: sda1 sda2
+
+3) Shred the drive with random data (three passes) and a fourth pass of 0s to 
delete any signs of random wiping:
+    shred -vz /dev/sda
+
+* -z Adds a fourth pass of 0s to hide traces of wiping.
+* -v Displays verbose output.
+
+# Using parted on disk greater than 2TB
+
+## formatting the disk for GPT
+
+    # parted /dev/sdg
+    GNU Parted 2.3
+    Using /dev/sdg
+    Welcome to GNU Parted! Type 'help' to view a list of commands.
+    (parted) mklabel
+    New disk label type? gpt
+    (parted) print
+    Model: ATA WDC WD40EZRX-00S (scsi)
+    Disk /dev/sdg: 4001GB
+    Sector size (logical/physical): 512B/4096B
+    Partition Table: gpt
+
+    Number  Start  End  Size  File system  Name  Flags
+
+## creating the partitions
+    (parted) mkpart 1 0G  500G
+    (parted) mkpart 2 500G  1000G
+    (parted) mkpart 3 1000G  1500G
+
+## setting up the raid flag
+    (parted) set 1 raid
+    New state?  [on]/off?
+
+## deleting the partitions
+    (parted) rm 3
+
+## calculate new partition size
+if md8 has a missing disk:
+
+    md8 : active raid1 sdg6[3] sdn8[0] sdm8[2]
+          227729280 blocks [3/2] [U_U]
+
+check the size on one of the disk from the raid:
+
+
+    # mdadm -E /dev/sdm8
+    /dev/sdm8:
+              Magic : a92b4efc
+            Version : 0.90.00
+               UUID : 00126a6b:629042e0:4dc1fa5f:b3880838 (local to host 
colonialone.fsf.org)
+      Creation Time : Tue Dec 21 16:47:38 2010
+         Raid Level : raid1
+      Used Dev Size : 227729280 (217.18 GiB 233.19 GB)
+         Array Size : 227729280 (217.18 GiB 233.19 GB)
+       Raid Devices : 3
+      Total Devices : 3
+    Preferred Minor : 8
+
+        Update Time : Wed Mar 26 13:08:06 2014
+              State : clean
+     Active Devices : 2
+    Working Devices : 3
+     Failed Devices : 1
+      Spare Devices : 1
+           Checksum : bafb094e - correct
+             Events : 392890
+
+
+          Number   Major   Minor   RaidDevice State
+    this     2       8      200        2      active sync   /dev/sdm8
+
+       0     0       8      216        0      active sync   /dev/sdn8
+       1     1       0        0        1      faulty removed
+       2     2       8      200        2      active sync   /dev/sdm8
+       3     3       8      102        3      spare   /dev/sdg6
+
+
+'''233.19 GB''' in this case
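
Review bot: The destructive commands hard-code `/dev/sda` (`badblocks -svw /dev/sda` in step 3 of the testing section, `shred -vz /dev/sda` in step 3 of the disposal section), and the only identification step before them is `dmesg | tail`, so a reader who copies the line on a machine where the attached drive is not sda wipes the wrong disk. Suggest writing the device as a placeholder such as `/dev/sdX` and adding a confirmation step before the wipe, for example comparing model and serial number from `lsblk -o NAME,SIZE,MODEL,SERIAL` against the drive's label. Smaller points: the `'''...'''` emphasis is MediaWiki syntax and will not render as bold in a `.mdwn` page; the first `$ dmesg | tail` is indented by one space, so it will not render as a code block the way the second one does; typos "eitiher" and "labled"; "If the drive fails a second and is old" is missing "time".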

Added: trunk/sviki/fsf/debugging/libreplanet-upgrade.mdwn
===================================================================
--- trunk/sviki/fsf/debugging/libreplanet-upgrade.mdwn                          
(rev 0)
+++ trunk/sviki/fsf/debugging/libreplanet-upgrade.mdwn  2023-12-06 21:51:43 UTC 
(rev 687)
@@ -0,0 +1,122 @@
+## install
+    ~# aptitude install openssh-client apache2 curl htop imagemagick
+    mysql-server php5 php-cas php5-cgi php5-curl php5-gd php5-mysql
+    php5-xmlrpc unzip emacs24-nox nano
+
+    a2dissite 000-default.conf
+
+
+## Apache
+
+    a2enmod rewrite
+    mkdir -p /var/log/apache2/libreplanet/
+
+    /var/www/.htaccess
+
+    RewriteEngine On
+    RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/w/index.php [L]
+    ############
+
+
+    /etc/apache2/sites-available/libreplanet.org
+    ############
+    <VirtualHost *:80>
+    ServerAdmin webmaster@localhost
+    DocumentRoot /var/www
+    <Directory /var/www>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride All
+    Order allow,deny
+    allow from all
+    </Directory>
+    /var/log/apache2/libreplanet/error.log
+    /var/log/apache2/libreplanet/access.log combined
+    </VirtualHost>
+    ############
+
+    /etc/apache2/sites-available/libreplanet.org-ssl
+
+    service apache2 reload
+
+
+##MYSQL
+
+    mysql -uroot -p'pass'; #login to mysql
+    create database mediawiki; #create database
+    grant all privileges on mediawiki.* to mediawiki@localhost identified by
+    'mUqL3juF'; #create user and grant all permissions to use the database
+    mysql -umediawiki -pmUqL3juF mediawiki < libreplanet.2015.05.05.sql
+
+##Files
+
+    WWW=/var/www/ #set path variable for the www environment
+    LP=/var/www/w #set path variable for the new wiki
+    OLP=/var/www/w_old #set path variable the old wiki
+
+    tar zxf libreplanet-2015-05-05.tgz -C $WWW #untars old wiki into www
+    mv $LP $OLP # moves old wiki to backup directory
+
+    wget -P $WWW
+    http://releases.wikimedia.org/mediawiki/1.25/mediawiki-1.25.1.tar.gz
+    #gets latest version of mediawiki
+    tar zxf $WWW/mediawiki-1.25.1.tar.gz -C $WWW # untars latest verion of
+    wiki into www
+    mv $WWW/mediawiki-1.25.1 $LP #changes the name from mediawiki to w under
+    www directory
+    mkdir $LP/tmp #creates tmp folder under the latest mediawikiversion
+    directory
+
+    cp $OLP/LocalSettings.php $LP/LocalSettings.php # copies the original
+    config file to the new mediawiki version
+    cp -r $OLP/images $LP/ # copies al immages from the old wiki to the new one
+
+    #comment ;' at $LP/LocalSettings:348
+
+    awk -F'/' '/extensions/ {print $3}' $LP/LocalSettings.php|sort #gets a
+    sorted list of the extensions installed
+    awk -F'/' '/extensions/ {print $3}' $LP/LocalSettings.php|sort >
+    $LP/tmp/required_extensions
+
+    ls $LP/extensions/|sort # gets a list of the already available
+    extensions under the latest mediawiki version
+    ls $LP/extensions/|sort > $LP/tmp/available_extensions>
+    $LP/tmp/available_extensions # gets a list of the already available
+    extensions under the latest mediawiki version
+
+    sdiff $LP/tmp/available_extensions  $LP/tmp/required_extensions
+
+
+    cp -r $OLP/extensions/UserMerge/ $LP/extensions/
+    cp -r $OLP/extensions/Calendar/ $LP/extensions/
+    cp -r $OLP/extensions/SemanticForms $LP/extensions/
+    cp -r $OLP/extensions/SemanticMediaWiki $LP/extensions/
+    cp -r $OLP/extensions/MultiPages $LP/extensions/
+    cp -r $OLP/extensions/SubPageList3 $LP/extensions/
+    cp -r $OLP/extensions/Maintenance $LP/extensions/
+    cp -r $OLP/extensions/bad-behavior $LP/extensions/
+    cp -r $OLP/extensions/WikiCurl $LP/extensions/
+    cp -r $OLP/extensions/CASAuth $LP/extensions/
+    cp -r $OLP/extensions/MagicNoCache.php $LP/extensions/
+    cp -r $OLP/extensions/WikiBanner $LP/extensions/
+    cp $OLP/includes/DatabaseFunctions.php $LP/includes/
+    cp $OLP/skins/common/images/groups-logo.png $LP/skins/logo.png
+
+    wget http://downloads.wordpress.org/plugin/bad-behavior.2.2.16.zip
+    mv $LP/extension/bad-behavior $LP/extension/bad-behavior_bak
+    unzip bad-behavior.2.2.16.zip  -d $LP/extensions/
+    rm bad-behavior.2.2.16.zip
+
+    #comment wfLoadExtensionMessages at 
$LP/extensions/Calendar/Calendar.php:115
+    #comment wfLoadExtensionMessages at
+    $LP/extensions/SemanticForms/includes/SF_LinkUtils.inc:209
+
+    $wgLogo            = "$wgStylePath/logo.png";
+    $wgEnableUploads  = true;
+    $wgUseImageMagick = false;
+    $wgImageMagickConvertCommand = "/usr/bin/convert";
+    $wgTmpDirectory = "$IP/images/temp";
+
+    $LP/maintenance/update.php
+
+    find ./ -type f -exec chmod -R 0644 {} \; ;find ./ -type d -exec chmod
+    -R 0755 {} \;CustomLogErrorLog############
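
Review bot: The MYSQL section commits what looks like a real database password in clear text (`identified by 'mUqL3juF'`, and again in `mysql -umediawiki -pmUqL3juF mediawiki < ...`); replace it with a placeholder, rotate the credential if it is still in use anywhere, and use a bare `-p` so the client prompts instead of leaving the password in shell history and the process list. In the Files section, `mv $LP/extension/bad-behavior $LP/extension/bad-behavior_bak` uses `extension` where every other path uses `extensions`, so the move-aside step fails and `unzip` then extracts into the directory that was meant to be backed up. Both downloads (mediawiki-1.25.1.tar.gz and bad-behavior.2.2.16.zip) are fetched over plain `http://` and unpacked into the web root with no checksum or signature check. The vhost block appears to have lost its `ErrorLog` and `CustomLog` directive names, which now sit fused onto the last line as `CustomLogErrorLog############`, and the `ls ... > $LP/tmp/available_extensions> $LP/tmp/available_extensions` line carries a duplicated redirect.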

Added: trunk/sviki/fsf/debugging/reinstallinggrub.mdwn
===================================================================
--- trunk/sviki/fsf/debugging/reinstallinggrub.mdwn                             
(rev 0)
+++ trunk/sviki/fsf/debugging/reinstallinggrub.mdwn     2023-12-06 21:51:43 UTC 
(rev 687)
@@ -0,0 +1,56 @@
+## Why?
+
+Grub has failed to install, upgrade, or be configured properly to the point 
the system cannot boot. The grub recovery console is not available in times 
like this.
+
+## How?
+
+To boot strap yourself into grub, the best way is to chroot the system from a 
fully working system. A live USB/CD image would do this, as well as simply 
pulling the drive and mounting it on ones workstation. Once you have access to 
a working system, this is the proccedure:
+
+In this setup we will assume the following:
+
+* You are booting off a USB image, /dev/sda.
+* Your target system (broken grub) is /dev/sdb.
+* /dev/sdb1 is /boot
+* /dev/sdb2 is /
+
+### Mount the target
+
+* Mount the target system, in this example we will use /mnt
+
+        mount /dev/sdb2 /mnt
+
+* Next, mount the /boot partition into the `/mnt' target.
+
+        mount /dev/sdb1 /mnt/boot
+
+### Bind mount your system to the target
+
+* We wil have to bind mount /dev, /sys, and /proc into the target `/mnt' 
system so that we can trick `grub-install' into thinking our system is really 
running:
+
+        mount -o bind /dev /mnt/dev
+        mount -o bind /proc /mnt/proc
+        mount -o bind /sys /mnt/sys
+
+### Chroot to the target, and install grub.
+
+* Now we can do what we came here for, chroot and install grub. First, chroot:
+
+        chroot /mnt
+
+* If the above command worked, you can now install grub to the target disk, 
/dev/sdb:
+
+        grub-install /dev/sdb
+
+### Exit the chroot, and cleanup
+
+* Exit the chroot:
+
+        exit
+
+* Remove all the bind mounts, then unmount the partitions:
+
+        umount /mnt/sys
+        umount /mnt/proc
+        umount /mnt/dev
+        umount /mnt/boot
+        umount /mnt
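
Review bot: The "Why?" section covers a GRUB that failed to "be configured properly", but the chroot step only runs `grub-install /dev/sdb` and never regenerates the configuration; if that case is meant to be covered, add `update-grub` inside the chroot after `grub-install`, or narrow the "Why?" text to installation failures. The quoting around /mnt and grub-install opens with a backtick and closes with an apostrophe, which Markdown will treat as an unterminated code span; use matching backticks. Typos: "proccedure", "wil", "ones workstation", and "boot strap" as two words.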

Added: trunk/sviki/fsf/debugging/service-down.mdwn
===================================================================
--- trunk/sviki/fsf/debugging/service-down.mdwn                         (rev 0)
+++ trunk/sviki/fsf/debugging/service-down.mdwn 2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,9 @@
+Check to see if its being overwhelmed by a bot. If so, ban it. For
+example, on directory.fsf.org, if it shows an ip doing many several
+requets per minute, ban it.
+
+```
+awk '$5 == "apache:" {print $6}' /var/log/syslog | sort | uniq -c | sort -n
+# XXX = redacted
+ufw insert 1 deny from 207.46.XXX.XX
+```
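
Review bot: The instruction to ban gives no threshold and no way back: `ufw insert 1 deny from ...` adds a persistent rule at the top of the ruleset, and the page does not say how the ban is recorded or later lifted. Suggest stating what request rate counts as abusive on directory.fsf.org and adding the review and removal commands (`ufw status numbered`, `ufw delete <number>`). The `awk` line counts over the whole of `/var/log/syslog`, so it yields per-address totals for the entire file rather than the requests per minute the text refers to; it also depends on field 5 being exactly `apache:`, which is worth a one-line note on the logging setup it assumes. Typos: "its being", "many several requets".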

Added: trunk/sviki/fsf/hardware/X60.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/X60.mdwn                           (rev 0)
+++ trunk/sviki/fsf/hardware/X60.mdwn   2023-12-06 21:51:43 UTC (rev 687)
@@ -0,0 +1,89 @@
+# Fan control
+
+To manually disable/enable the fan, you can use the kernel interface at 
/proc/acpi/ibm/fan
+
+That file contains the current status of the fan, like:
+    ---
+    status:            enabled
+    speed:             2852
+    level:             auto
+    commands: level <level> (<level> is 0-7, auto, disengaged, full-speed)
+    commands:  enable, disable
+    commands: watchdog <timeout> (<timeout> is 0 (off), 1-120 (seconds))
+    ---
+
+You can send commands to it this way:
+
+    # echo disable > /proc/acpi/ibm/fan
+    # echo enable > /proc/acpi/ibm/fan
+    # echo level 3 > /proc/acpi/ibm/fan
+    # echo level auto > /proc/acpi/ibm/fan
+
+Be aware that disabling the fan could make the computer crash by
+overheating. Also, the changes done by those commands are not permanent,
+if you reboot or suspend the fan will go back to its default settings
+(enabled).
+
+# Temperature sensors
+http://www.thinkwiki.org/wiki/Thermal_Sensors#ThinkPad_X60
+
+<pre>
+# cat /proc/acpi/ibm/thermal
+Index     Location      Sensor*      Idle**    Idle***       Comments
+1         CPU           CPU (0x78)   62 C      39 C
+3         Card?         Crd (0x7A)   --        --
+2         ??            APS (0x97)   43 C      46 C
+4         GPU           GPU (0x7B)   59 C      39 C
+5         Battery       No5 (0x7c)                            Disappears when 
battery removed
+7         Battery       Bat (0x7E)                            Disappears when 
battery removed
+9         ??            Bus (0xC0)   44 C      41 C
+10        ??            PCI (0xC1)   50 C      35 C
+11        ??            Pwr (0xC2)   --        --
+
+Unused/-known sensor numbers:
+6         --            Value N/A
+8         --            Value N/A
+12-16     --            Value N/A
+
+*    Sensor names taken from "TPFanControl V0.62 by troubadix" for Windows
+**   Idle values when running under TPFanControl's "Smart" mode; fan never 
engages if the machine just sits idle
+***  Mostly idle values when running in Linux Mint with the machine's 
firmware-based fan control
+</pre>
+
+# CPU freq control
+
+The x60 cpu comes back from suspend running at full speed, a script is needed 
to fix this.
+That command should be put in /etc/pm/sleep.d/ as 10_cpufreq or similar
+name, with execution permissions. Content should look like:
+
+    #!/bin/bash
+    case "$1" in
+    suspend)
+    echo powersave > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
+    ;;
+    esac
+
+You can also make it run on boot time by adding this to /etc/rc.local :
+sh /etc/pm/sleep.d/10_cpufreq suspend
+
+# Other power saving commands:
+
+<pre>
+
+# disable wake-on-lan on the ethernet
+ethtool -s eth0 wol d
+
+# enable powersave on the sound card
+echo 1 > /sys/module//snd_hda_intel/parameters/power_save
+
+# enable powersaving on sata devices
+echo min_power > /sys/class/scsi_host/host0/link_power_management_policy
+echo min_power > /sys/class/scsi_host/host1/link_power_management_policy
+echo min_power > /sys/class/scsi_host/host2/link_power_management_policy
+echo min_power > /sys/class/scsi_host/host3/link_power_management_policy
+
+# enable powersaving on pci devices
+for file in $(find /sys/devices/pci* -wholename *power/control); do
+  echo auto > $file
+done
+</pre>
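
Review bot: In "CPU freq control" the hook acts only on the `suspend` argument, which pm-utils passes before the machine goes to sleep, while the text describes the problem as the CPU running at full speed after it comes back from suspend; should the case be `resume|thaw)` instead? If so, the `/etc/rc.local` line `sh /etc/pm/sleep.d/10_cpufreq suspend` needs the matching argument. The hook also writes only to cpu0's `scaling_governor`. In the power saving block, `-wholename *power/control` is unquoted, so the shell may expand the glob before `find` sees it, and `echo auto > $file` leaves `$file` unquoted; `/sys/module//snd_hda_intel` has a doubled slash. The sentence "That command should be put in" refers to a command that has not been shown yet, and the fan status sample directly under "like:" has no blank line before it, so it will not render as a code block.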

Added: trunk/sviki/fsf/hardware/disable-option-roms-with-cbfstool.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/disable-option-roms-with-cbfstool.mdwn             
                (rev 0)
+++ trunk/sviki/fsf/hardware/disable-option-roms-with-cbfstool.mdwn     
2023-12-06 21:51:43 UTC (rev 687)
@@ -0,0 +1,61 @@
+# disable option roms with cbfstool
+
+This method applies a hard-coded variable to the LibreBoot / Coreboot ROM that
+tells it to not load external option roms. (LibreBoot from 2016 loads option
+roms by default.)
+
+## documentation on this method
+
+* <https://www.coreboot.org/SeaBIOS#Other_Configuration_items>
+* <https://seabios.org/Runtime_config>
+
+If those pages are missing, visit <https://archive.is> or
+<https://archive.org>.
+
+## compile cbfstool
+
+Clone the Coreboot git repo:
+
+    git clone http://review.coreboot.org/coreboot.git
+
+Compile cbfstool:
+
+    cd coreboot
+    cd util/cbfstool
+
+        make -j5
+
+    sudo cp cbfstool /usr/local/bin/
+
+If dependencies are missing, `libreboot_r20160907_util.tar.xz` has a compiled 
version at the `https://libreboot.org/download.html` mirrors.
+
+## get the LibreBoot rom from the machine
+
+Downloading the rom from the machine itself is a good approach so you don't
+have to worry about **setting the MAC address** to a non-generic value before
+writing the patched rom.
+
+If you are able to boot to GNU/Linux on the device:
+
+    flashrom -p internal -r libreboot.rom
+
+## patch the LibreBoot ROM
+
+> *Controls option ROM execution for roms found on PCI devices (as opposed to
+> roms found in CBFS/fw_cfg). Valid values are 0: Execute no ROMs, 1: Execute
+> only VGA ROMs, 2: Execute all ROMs. The default is 2 (execute all ROMs).*
+
+    cbfstool libreboot.rom add-int -i 1 -n etc/pci-optionrom-exec
+    cbfstool libreboot.rom print
+
+## write the LibreBoot ROM
+
+If you are using a fresh ROM image, don't forget to patch it so there aren't
+**MAC collisions**. Alternatively, get the rom from the machine itself (see
+above).
+
+If you are booted into GNU/Linux on the device:
+
+    flashrom -p internal -w libreboot.rom
+
+Do a shutdown, then a cold boot.
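
Review bot: The patch step sets `etc/pci-optionrom-exec` to 1 (`add-int -i 1`), which by the SeaBIOS text quoted just above it means "Execute only VGA ROMs", while the title and introduction say the method tells the firmware not to load external option ROMs; either use `-i 0` or state that VGA ROMs are deliberately still allowed. The clone step fetches the source of a tool that edits firmware images over plain HTTP (`git clone http://review.coreboot.org/coreboot.git`); use an `https://` URL. The page also suggests a precompiled `libreboot_r20160907_util.tar.xz` from a mirror without mentioning any checksum or signature check. `make -j5` is indented four spaces deeper than the lines around it.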

Added: 
trunk/sviki/fsf/hardware/disable-thinkpad-battery-beep-with-nvramtool.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/disable-thinkpad-battery-beep-with-nvramtool.mdwn  
                        (rev 0)
+++ trunk/sviki/fsf/hardware/disable-thinkpad-battery-beep-with-nvramtool.mdwn  
2023-12-06 21:51:43 UTC (rev 687)
@@ -0,0 +1,77 @@
+# Disable thinkpad battery beep with nvramtool
+
+This method applies a hard-coded variable to the LibreBoot / Coreboot ROM that
+tells it to not load external option roms. (LibreBoot from 2016 loads option
+roms by default.)
+
+## Documentation on this method
+
+* <https://libreboot.org/docs/misc/#power-management-beeps-on-thinkpads>
+
+Tools can be found here: 
<https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/libreboot_r20160907_util.tar.xz>
+
+Bash Script to backup the rom, make the changes, and flash the modified rom to 
the system.
+
+```
+#!/bin/bash
+
+# libreboot-disablebeeps.sh
+# Disable battery beeps and alarm on librebooted Thinkpad laptops.
+
+# Run this script with:
+#   sudo bash libreboot-disablebeeps.sh
+
+# Based on https://libreboot.org/docs/misc/#power-management-beeps-on-thinkpads
+
+# Initialization checks
+
+# Check for /bin/bash.
+if [ "$BASH_VERSION" = '' ]; then
+  echo "You are not using bash."
+  echo "Use this syntax instead:"
+  echo "sudo bash bluearchive.sh"
+  exit 1
+fi
+
+# Check for root.
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as root"
+  exit 1
+fi
+
+# Check networking
+# 
https://unix.stackexchange.com/questions/190513/shell-scripting-proper-way-to-
+#   check-for-internet-connectivity
+echo Checking network...
+if ping -q -c 1 -W 1 google.com >/dev/null; then
+  echo "The network is up."
+else
+  echo "The network is down."
+  echo "Check connection and restart script!"
+  exit 1
+fi
+
+echo "Installing dependencies..."
+apt update
+apt install -y libftdi1
+wget 
https://www.mirrorservice.org/sites/libreboot.org/release/stable/20160907/libreboot_r20160907_util.tar.xz
+tar xvf libreboot_r20160907_util.tar.xz
+mkdir -p
+
+echo "Extracing libreboot image..."
+romfile=roms/t400-$(date +%Y%m%d-%H%M).rom
+mkdir -p roms
+./libreboot_r20160907_util/flashrom/x86_64/flashrom -p internal -r ./$romfile
+
+echo "Backing up libreboot image..."
+cp $romfile $romfile.bak
+
+echo "Modifying libreboot image..."
+./libreboot_r20160907_util/nvramtool/x86_64/nvramtool -v
+
+./libreboot_r20160907_util/nvramtool/x86_64/nvramtool -C ./$romfile -w 
power\_management\_beeps=Disable
+./libreboot_r20160907_util/nvramtool/x86_64/nvramtool -C ./$romfile -w 
low\_battery\_beep=Disable
+
+echo "Flashing modified libreboot image..."
+./libreboot_r20160907_util/flashrom/x86_64/flashrom -p internal -w $romfile
+```
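
Review bot: The script downloads `libreboot_r20160907_util.tar.xz` with `wget` and then runs the `flashrom` and `nvramtool` binaries from it as root to rewrite the firmware, with no checksum or signature check on the archive; add a verification step against a published hash or signature before `tar xvf`. There is no `set -e` and no per-step check, so if the ROM read or either `nvramtool -w` call fails, the final `flashrom -p internal -w $romfile` still runs. Other defects: a bare `mkdir -p` with no operand after the `tar` line; `sudo bash bluearchive.sh` in the usage message where the script header names it libreboot-disablebeeps.sh; the `t400-` prefix hard-coded in `romfile` although the page is titled for ThinkPads in general; `$romfile` unquoted throughout; and `power\_management\_beeps` / `low\_battery\_beep` carry Markdown escapes that are not needed inside a fenced block. The introductory paragraph is copied from the option ROM page and describes option ROM loading rather than battery beeps.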

Added: trunk/sviki/fsf/hardware/graphics-cards.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/graphics-cards.mdwn                                
(rev 0)
+++ trunk/sviki/fsf/hardware/graphics-cards.mdwn        2023-12-06 21:51:43 UTC 
(rev 687)
@@ -0,0 +1,64 @@
+# graphics cards
+
+## Intel
+
+On X200 and other Intel-based laptops, integrated graphics are stable, but on
+newer machines, we don't have a free BIOS + ME. (On some Intel Models, like
+Pentium, there may be no ME there, but still some non-free firmware). For this
+reason, as of 2022, the latest free Intel-based system that the FSF can use is
+the X200.
+
+A while back, Intel announced that they were creating discreen graphics cards,
+but it's not clear if those are available, too expensive, overpowered, or
+non-libre for our needs.
+
+## Nvidia
+
+<https://nouveau.freedesktop.org/CodeNames.html>
+
+We have many of such cards, some of which seem to basically work, but are
+unstable, some of which are rock solid, and others that are unknown due to
+insufficient communication staff who are using them.
+
+One potential reason for instability is that we install and replace graphics
+cards in active systems until they're pretty stable, then we run out of good
+graphics cards that are working. The broken cards may be due to compatibility
+issues with Trisquel 10, or because those physical instances have had unknown
+hardware failures. Also, some desktop motherboards may have their own hardware
+issues.
+
+Note that "Ti" and other models may use a different underlying hardware
+revision than the plain version. It may also be that some unadvertised
+submodels don't have decent support, whereas others do.
+
+* Rock solid, even with hardware rendering enabled in Xorg
+    * GTX 670 - on librestation04 (Ian's graphics card used by Devin, 
previously Anouk)
+    * GTX 650 - on librestation00 (Davis' machine) - "nouveau.noaccel=1" on 
/proc/cmdline, Xorg hw accel enabled
+
+* Seems stable
+    * GeForce 7200 GS / 7300 SE - librestation01
+
+* Unknown status (ask staff about it)
+    * GeForce 7200 GS / 7300 SE - on librestation03 (Dawn's computer)
+    * GeForce 7200 GS / 7300 SE - testing on librestation05
+
+* Boots, but is unstable
+    * GT 710 - on librestation01 (crashes once per day, more frequently with 
kdenlive, very frequently for anouk)
+    * GeForce 8400 GS Rev. 3 - unstable on librestation01
+
+* Doesn't show grpahics, or won't boot (maybe just for some desktops, or some 
of the time)
+    * GT 710 (unstable on some librestation01, won't boot on test machine)
+    * GTX 650 (won't boot on test machine or librestation01)
+    * GeForce 7200 GS / 7300 SE
+    * 2x MSI N8400GS (nvidia model number unknown)
+
+## AMD
+
+After 2023, most cards work with trisquel 11, and they are more stable
+than nvidia cards. They rely much more on cpu for graphic intensive
+tasks.
+
+Before 2023 we could not these, because at least the ones we tested
+required loading a non-free firmware blob into the graphics card before
+it will do anything. Maybe there is a specific model that has some
+functionality before firmware is loaded.
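
Review bot: In the Nvidia list the same models appear under contradictory headings without saying what differs: GTX 650 is "rock solid" on librestation00 and also "won't boot on test machine or librestation01", GT 710 is under both "Boots, but is unstable" and "won't boot", and GeForce 7200 GS / 7300 SE appears under "Seems stable", "Unknown status" and the won't-boot list. If the difference is the host or the individual card, say so on each entry. The GTX 650 entry lists `nouveau.noaccel=1` on the kernel command line together with "Xorg hw accel enabled", which reads as contradictory and needs a word of explanation. In the AMD section, "Before 2023 we could not these" is missing its verb. Typos: "discreen", "grpahics", "insufficient communication staff" (missing "with").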

Added: trunk/sviki/fsf/hardware/kcma-d8.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/kcma-d8.mdwn                               (rev 0)
+++ trunk/sviki/fsf/hardware/kcma-d8.mdwn       2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,67 @@
+# kcma-d8 motherboard
+
+## coreboot config
+
+place into `.config` in coreboot git repo, with branch `4.11_branch`:
+
+```
+\# This image was built using coreboot 4.11-55-g4401498041
+CONFIG_VENDOR_ASUS=y
+CONFIG_BOARD_ASUS_KCMA_D8=y
+CONFIG_DRIVERS_PS2_KEYBOARD=y
+CONFIG_PXE_ROM_ID="8086,10d3"
+CONFIG_POWER_STATE_PREVIOUS_AFTER_FAILURE=y
+CONFIG_CPU_MICROCODE_CBFS_NONE=y
+CONFIG_SEABIOS_ADD_SERCON_PORT_FILE=y
+CONFIG_PXE=y
+CONFIG_BUILD_IPXE=y
+CONFIG_MEMTEST_SECONDARY_PAYLOAD=y
+```
+
+Ethernet PCI IDs, for iPXE: 8086,10d3
+
+## fancontrol
+
+ian: for some reason I did fancontrol instead of thinkfan on John's
+d8. I can't remember why.
+
+```
+apt install fancontrol lm-sensors
+
+cat >/etc/modules <<'EOF'
+# from sensors-detect
+w83627ehf
+w83795
+EOF
+
+# the module loading order matters for the names of the devices.
+# /etc/modules sets a specific order.
+# if for some reason they were loaded in a different order, you will
+# need to reboot.
+
+modprobe w83627ehf
+modprobe w83795
+
+cat > /etc/fancontrol <<'EOF'
+# Configuration file generated by pwmconfig, changes will be lost
+INTERVAL=10
+DEVPATH=hwmon4=devices/pci0000:00/0000:00:14.0/i2c-1/1-002f
+DEVNAME=hwmon4=w83795g
+FCTEMPS=hwmon4/device/pwm1=hwmon4/device/temp7_input
+FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input
+# based on our thinkfan config
+MINTEMP=hwmon4/device/pwm1=55
+MAXTEMP=hwmon4/device/pwm1=75
+# pwncomfig put this at 150, way too high
+MINSTART=hwmon4/device/pwm1=50
+MINSTOP=hwmon4/device/pwm1=0
+
+# note, the k10temp has duplicate temp of the cpu,
+# but upon reboot, its path changed from hwmon1 to hwmon2
+# so better to use hwmon4
+EOF
+```
+
+Device names on a specific motherboard might be different from above, in
+that case, run pwmconfig to generate a working config, then possibly
+copy in some values from the above config.
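
Review bot: In the fancontrol block, `cat >/etc/modules <<'EOF'` truncates `/etc/modules`, dropping any modules already listed there; append with `>>` or tell the reader to add the two module names by hand. In the coreboot config block the first line is `\# This image was built using coreboot 4.11-55-g4401498041`; inside a fenced block the backslash is literal, so anyone pasting the block into `.config` gets a line that does not start with `#`. The `DEVPATH`/`DEVNAME` values pin `hwmon4`, and the block's own closing comment notes that a hwmon path changed across a reboot, so it would help to say how to confirm the numbering before enabling fancontrol. The comment "pwncomfig put this at 150" should read pwmconfig.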

Added: trunk/sviki/fsf/hardware/kgpe-d16.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/kgpe-d16.mdwn                              (rev 0)
+++ trunk/sviki/fsf/hardware/kgpe-d16.mdwn      2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,177 @@
+# kgpe-d16
+
+## form factor
+
+From the pdf manual:
+
+"To optimize the motherboard features, we highly recommend that you install it
+in an SSI EEB 1.1 compliant chassis."
+
+## purcahse failure / success tracking / history
+
+[[purchase-failure-history]]
+
+## internal connectors
+
+[problem] **The red internal header that looks like a USB header is actually a
+firewire one. Do not plug in USB there, or you risk setting the motherboard on
+fire.**
+
+## booting with Libreboot
+
+### Libreboot + GRUB
+
+For the default Libreboot config to detect your boot partition, plug that
+ssd/hd into the first sata slot. It's the one closest to the front of the
+board, near the vertical usb port.
+
+Getting to the GRUB menu takes about 3 minutes when there is 250 GB of ram
+installed. (tested with version 2016-09-07)
+
+### Libreboot + SeaBios
+
+The seabios version works as well. Version 20160907 loads option roms.
+
+### Trisquel Install via netboot USB
+
+Use [[/hardware/motherboards/kgpe-d16/live-usb-loader.sh]] to generate a
+bootable Trisquel image. Use the "install via command line" option. This works
+with SeaBios, but GRUB doesn't detect the USB drive for LibreBoot 20190907.
+
+### Graphical issues and workaround
+
+When using Libreboot, there are issues with full resolution graphics. Using VGA
+resolution mode exclusively works around the issue. This issue seems to be
+limited to some monitors with some image positioning or color adjustment
+settings.
+
+To work around this, add the following to your `/etc/default/grub` file:
+
+    GRUB_CMDLINE_LINUX_DEFAULT="[...] nomodeset vga=normal [...]"
+    ...
+    GRUB_TERMINAL_OUTPUT="vga_text"
+
+(Note that the during boot, there is a deprecation warning on boot saying to 
use `set
+gfxpayload=vga=normal` instead. I'm not sure whether it applies to Grub or 
Linux. [info][1])
+
+[1]: https://wiki.debian.org/GrubTransition
+
+Then run `update-grub` and reboot.
+
+See below for a full grub config with serial output.
+
+## grub config
+
+Put this in `/etc/default/grub`:
+
+    GRUB_CMDLINE_LINUX_DEFAULT="[...] console=tty0 console=ttyS0,115200n8"
+
+    GRUB_TERMINAL_INPUT="serial console"
+    GRUB_TERMINAL_OUTPUT="serial console vga_text"
+    GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no 
--stop=1"
+
+For lods of grub debug output, put this in `/etc/grub.d/40_custom`:
+
+    set debug=all
+
+Then run `update-grub`.
+
+## ixgbe issues with multiple cards
+
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1245938
+
+Put this in `/etc/default/grub`:
+
+    GRUB_CMDLINE_LINUX_DEFAULT="[...] pci=realloc=off"
+
+## fan control
+
+### driver
+
+`sensors-detect` is likely to mis-identify the fan driver.
+
+    $ modprobe w83795
+    $ cat /etc/modules
+    w83795
+
+### sensors
+
+To see various sensor readings:
+
+    $ sensors
+
+### fan control
+
+**Note that the thinkfan configs we are using are managed via ansible. We
+deploy a script that generates the proper thinkfan configuration file, given
+that there are multiple pwm1 files in /sys/ with two sensor drivers loaded. The
+text below is a bit out of date.**
+
+The fancontrol program from lm\_sensors doesn't support tracking more than two
+fans associated with one pwm device. This mobo (for the 2016-09-07 version of
+libreboot) has 5 fans controlled by pwm1. fancontrol is also unable to monitor
+multiple sensors in order to control one pwm device.
+
+Thinkfan supports tracking multiple generic thermal hwmon sensors and
+controlling with pwm devices. Use thinkfan instead of lm\_sensors/fancontrol.
+
+    $ cat /etc/thinkfan.conf
+
+    sensor /sys/class/hwmon/hwmon6/device/temp1_input
+    sensor /sys/class/hwmon/hwmon6/device/temp7_input
+    sensor /sys/class/hwmon/hwmon6/device/temp8_input
+
+    # these should change when pci/pcie cards are added or removed. otherwise, 
thinkfan will not start.
+    sensor 
/sys/module/k10temp/drivers/pci:k10temp/0000:00:18.3/hwmon/hwmon2/temp1_input
+    sensor 
/sys/module/k10temp/drivers/pci:k10temp/0000:00:19.3/hwmon/hwmon3/temp1_input
+    sensor 
/sys/module/k10temp/drivers/pci:k10temp/0000:00:1a.3/hwmon/hwmon4/temp1_input
+    sensor 
/sys/module/k10temp/drivers/pci:k10temp/0000:00:1b.3/hwmon/hwmon5/temp1_input
+
+
+    fan /sys/class/hwmon/hwmon6/device/pwm1
+
+    (0,     0,      48)
+    (40,    44,     52)
+    (85,    48,     56)
+    (130,   52,     60)
+    (175,   56,     64)
+    (210,   60,     68)
+    (255,   64,     32767)
+
+^ Check to make sure that your devices are properly named I saw hwmon6 get
+renamed as hwmon0 and the other names shifted, across a reboot. Check for PCIe
+device scaled temperature sensors with this command:
+
+    ls 
/sys/module/k10temp/drivers/pci\:k10temp/0000\:00\:1*/hwmon/hwmon?/temp1_input
+
+If thinkfan does not start due to changes in the PCIe card setup, or due to
+changes in the "hwmon?" number/path, then the fans should run at their previous
+speed if thinkfan has not been successfully run since boot up. This should be
+sufficient to avoid overheating if the thinkfan config breaks across boots,
+since it appears that Libreboot sets fans at full speed during the early boot
+process and they stay that way until something changes the fan speeds.
+
+It's not clear what temp1 refers to, but it gets the hottest of the three 
sensors when the cpus are mostly idle. Thinkfan can monitor multiple sensors, 
so that shouldn't be a problem.
+
+    $ sensors
+    ...
+    temp1:        +55.0 C  (high = +70.0 C, hyst = +65.0 C)
+                           (crit = +85.0 C, hyst = +80.0 C)  sensor = thermal 
diode
+    temp7:        +23.2 C  (high = +70.0 C, hyst = +65.0 C)
+                           (crit = +85.0 C, hyst = +80.0 C)  sensor = AMD AMDSI
+    temp8:        +21.5 C  (high = +70.0 C, hyst = +65.0 C)
+                           (crit = +85.0 C, hyst = +80.0 C)  sensor = AMD AMDSI
+    ...
+
+Test, start and enable service:
+
+    $ thinkfan -n
+    ...
+    ^C
+
+    $ cat /etc/default/thinkfan
+    ...
+    START=yes
+
+    $ /etc/init.d/thinkfan start
+    $ update-rc.d thinkfan enable
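Review bot: The sample `/etc/thinkfan.conf` in the fan control section hard-codes `/sys/class/hwmon/hwmon6/device/...` and `hwmon2` through `hwmon5`, yet the paragraph right after it reports hwmon6 being renamed to hwmon0 across a reboot, and the bold note above says the real config is generated by an ansible-deployed script. Either replace the static sample with a pointer to that script, or mark the paths as taken from one particular boot and move the `ls /sys/module/k10temp/...` check ahead of the sample so readers resolve the paths first. The fallback paragraph relies on "it appears that Libreboot sets fans at full speed during the early boot process"; since that is the only protection described against overheating when thinkfan fails to start, say how it was confirmed. Smaller points: "Note that the during boot", "lods of grub debug output" and the missing full stop in "properly named I saw" need fixing, and `modprobe w83795`, `/etc/init.d/thinkfan start` and `update-rc.d thinkfan enable` are shown with a `$` prompt although they need root.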

Added: trunk/sviki/fsf/hardware/lemote-parts.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/lemote-parts.mdwn                          (rev 0)
+++ trunk/sviki/fsf/hardware/lemote-parts.mdwn  2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,19 @@
+# Useful Parts
+
+## Camera
+
+### Wiring
+
+      1 2 3 4 5
+    +-----------+
+    | U U U U U |
+    \           /
+     |         |
+     +---------+
+        |||||
+
+    1: Yellow   : Ground        : (USB Black)
+    2: Orange   : Ground (ID?)  : (USB Black)
+    3: Red      : Data+         : (USB Green)
+    4: Brown    : Data-         : (USB White)
+    5: Black    : Power         : (USB Red)
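Review bot: In the Wiring table, pin 2 is labelled `Ground (ID?)` and both pin 1 and pin 2 map to USB Black, so the reader cannot tell whether pin 2 was measured or guessed. Please say whether it was verified and whether it can be left unconnected. The ASCII diagram should also state which side of the connector is shown, because reading the pin order from the other side swaps pin 1 (Ground) with pin 5 (Power).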

Added: trunk/sviki/fsf/hardware/live-usb-loader.sh
===================================================================
--- trunk/sviki/fsf/hardware/live-usb-loader.sh                         (rev 0)
+++ trunk/sviki/fsf/hardware/live-usb-loader.sh 2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+#    Copyright (C) 2012-2019  Ruben Rodriguez <ruben@trisquel.info>
+#    Copyright (C) 2019       Andrew Engelbrecht <andrew@fsf.org>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+#
+
+set -x
+
+usage(){
+
+  echo This fixes a live usb ISO so it will boot on a kgpe-d16 with seabios
+
+    echo You need to run this script as root
+    echo Usage: sudo $0 distro.iso /dev/sdX
+    echo Example: sudo $0 foobar_5.0_i386.iso /dev/sdb
+    echo
+    echo WARNING!: this script will delete all data on the whole disk you pass 
as the second parameter. Make sure it is your USB drive and not your internal 
hard drive!
+    echo ANOTHER WARNING!: This script can bite your dog. Use it with care, 
backup your data.
+    exit 1
+}
+
+[ $(id -u) != 0 ] && usage
+[ $# != 2 ] && usage
+
+ISO=$1
+DEV=$2
+
+ISOTMP=$(mktemp -d)
+DEVTMP=$(mktemp -d)
+
+umount $DEV*
+mount -o loop $ISO $ISOTMP
+mkfs.vfat -I -F32 $DEV -n FSF-BOOT
+sync
+#mount -o sync $DEV $DEVTMP
+mount $DEV $DEVTMP
+cp -vr $ISOTMP/* $ISOTMP/.disk $DEVTMP
+umount $ISOTMP
+sync
+
+cp -r $DEVTMP/isolinux $DEVTMP/syslinux
+mv $DEVTMP/syslinux/isolinux.cfg $DEVTMP/syslinux/syslinux.cfg
+# Disable gfxboot, breaks on SeaBios in some cases
+sed '/gfxboot/d' -i $DEVTMP/syslinux/syslinux.cfg
+
+sync
+umount $DEVTMP
+syslinux $DEV
+sync
+
+eject $DEV
+
+# Did we sync already?
+sync
+
+echo "re-plug drive"
+echo "check that syslinux install worked properly above, otherwise try again"
+echo "update 'vga=...' to 'vga=normal nomodeset' in syslinux/txt.cfg"
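Review bot: Nothing between the argument-count check and `mkfs.vfat -I -F32 $DEV -n FSF-BOOT` verifies that `$DEV` is the intended device, and the script runs as root without `set -e`, so every step continues after a failure. If `mount $DEV $DEVTMP` fails, for example, `cp -vr $ISOTMP/* $ISOTMP/.disk $DEVTMP` copies the ISO contents into the temporary directory on the root filesystem and `syslinux $DEV` still runs. Suggest `set -euo pipefail` (with `umount $DEV* || true` for the case where nothing is mounted), a `[ -b "$DEV" ]` test plus a confirmation prompt before formatting, and quoting every expansion (`"$ISO"`, `"$DEV"`, `"$ISOTMP"`, `"$DEVTMP"`), since the arguments and the unquoted `echo` lines in `usage` are subject to word splitting and globbing. The two `mktemp -d` directories are never removed; a `trap` on EXIT that unmounts and deletes them would also cover the failure paths. The final `echo` asks the user to change `vga=...` in `syslinux/txt.cfg` by hand, which could be done with `sed` next to the existing gfxboot line.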

Added: trunk/sviki/fsf/hardware/mapping-to-dimms.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/mapping-to-dimms.mdwn                              
(rev 0)
+++ trunk/sviki/fsf/hardware/mapping-to-dimms.mdwn      2023-12-06 21:51:43 UTC 
(rev 687)
@@ -0,0 +1,31 @@
+
+# Mapping RAM ECC warnings to the right DIMM
+
+EEC ram warnings on librebooted kgpe-d16 with 4.2.0 kernel:
+
+    [32310.838759] [Hardware Error]: Corrected error, no action required.
+    [32310.838781] [Hardware Error]: CPU:24 (15:1:2) 
MC4_STATUS[-|CE|MiscV|-|AddrV|-|-|CECC]: 0x9c2c4000f8080a13
+    [32310.838811] [Hardware Error]: MC4 Error Address: 0x0000003feee4e3f0
+    [32310.838817] [Hardware Error]: MC4 Error (node 3): DRAM ECC error 
detected on the NB.
+    [32310.838841] EDAC MC3: 1 CE on mc#3csrow#1channel#0 (csrow:1 channel:0 
page:0x3feee4e offset:0x3f0 grain:0 syndrome:0xf858)
+    [32310.838846] [Hardware Error]: cache level: L3/GEN, mem/io: MEM, mem-tx: 
RD, part-proc: RES (no timeout)
+
+This location corresponds to this device in the sysfs (in a 4.2 kernel):
+
+    $ cat /sys/devices/system/edac/mc/mc3/rank2/dimm_label
+    mc#3csrow#1channel#0
+
+Advice on #coreboot regarding which ram module may be the culprit (see likely 
correction below):
+
+    11:54 < personB> personA: MC 3 CSROW 1 is "memory controller 3" and if you 
are using dual-rank DIMMs it would be the first DIMM on the channel.  I'd guess 
slot D1
+    11:54 < personB> or actually D2, given ASUS flipped the numbers
+    12:41 < personA> personB: I predict this might corresponds to slot G2. 
(A/B would correspond to mc0, so G/H would be mc3. channel 0, so G, not H. And 
slot 2, not 1, because csrow 1 of
+                     dual-ranked ram is slot 0 (slot 2 in a kgpe-d16?), so 
possibly G2.) What do you think?
+    12:42 < personB> personA: Yes, you are correct.  I was thinking of a 
different CPU entirely, mea culpa
+
+It seems likely that csrow0/1 is slot 1 and csrow2/3 is slot 2 on the kgpe-d16 
when using dual ranked ram. This is being tested at the time of writing.
+
+Other helpful information that may assist in mapping errors to specific ram 
slots:
+
+* https://www.kernel.org/doc/Documentation/edac.txt
+* https://serverfault.com/questions/5672/ecc-chipkill-errors-which-dimm#8785
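Review bot: The opening line reads "EEC ram warnings" where ECC is meant, and the page's conclusion ("csrow0/1 is slot 1 and csrow2/3 is slot 2 ... This is being tested at the time of writing") carries no date or result, so a reader about to pull a DIMM cannot tell whether the mapping was ever confirmed. Please add the outcome, or at least the date of the test. The sysfs example shows `mc3/rank2/dimm_label` containing `mc#3csrow#1channel#0` without saying how rank2 was identified; one sentence on how to find the matching `dimm_label` file would make the step repeatable.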

Added: trunk/sviki/fsf/hardware/purchase-failure-history.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/purchase-failure-history.mdwn                      
        (rev 0)
+++ trunk/sviki/fsf/hardware/purchase-failure-history.mdwn      2023-12-06 
21:51:43 UTC (rev 687)
@@ -0,0 +1,19 @@
+# motherboard purchase failure / success history
+
+## kgpe-d16
+
+### ebay 'techy\_parts' (US)
+
+* 2022-10-07
+    * revision 1.05 - works
+    * revision 1.05 - works
+
+### ebay 'daily-mart' (Hong Kong, ships from US)
+
+* 2022-10-07
+    * revision 1.03G - works
+
+### ebay 'taishan1980' (ships from China)
+
+* 2022-10-07
+    * revision 1.03G - works
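Review bot: Under `techy_parts` the line `revision 1.05 - works` appears twice for 2022-10-07; if that records two boards, say so explicitly, otherwise drop the duplicate. The heading promises failures as well as successes, but every entry says only "works", so a short statement of what "works" was tested against would make later entries comparable.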

Added: trunk/sviki/fsf/hardware/ram-question.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/ram-question.mdwn                          (rev 0)
+++ trunk/sviki/fsf/hardware/ram-question.mdwn  2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,3 @@
+What was the RAM model you were using at the FSF with the D16 mobos?
+
+We use HMT42GR7AFR4A-PB on one of our servers, and we managed to get 256 GB of 
memory installed there. not sure if we lucked out with unknown aspects of our 
hardware configuration though (at least that's the memory model according to 
dmidecode on that server)

Added: trunk/sviki/fsf/hardware/seabios-x200.mdwn
===================================================================
--- trunk/sviki/fsf/hardware/seabios-x200.mdwn                          (rev 0)
+++ trunk/sviki/fsf/hardware/seabios-x200.mdwn  2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,19 @@
+Useful for testing option roms for ryf
+
+Based on https://notabug.org/libreboot/libreboot/issues/467
+
+```
+sudo flashrom -p internal -r rom
+sudo chown $USER:$USER rom
+cp rom $HOSTNAME.libreboot.rom
+wget 
https://mirror.splentity.com/libreboot/stable/20160907/rom/seabios/libreboot_r20160907_seabios_d945gclf.tar.xz
+dtrx libreboot_r20160907_seabios_d945gclf.tar.xz
+cbfstool libreboot_r20160907_seabios_d945gclf/d945gclf_txtmode.rom extract -n 
vgaroms/vgabios.bin -f vgabios.bin
+cbfstool rom add  -f vgabios.bin -n vgaroms/vgabios.bin -t raw
+cbfstool rom remove -n bootorder
+cbfstool rom remove -n etc/show-boot-menu
+cbfstool rom add-int -i 2 -n etc/pci-optionrom-exec
+sudo flashrom -p internal -w rom
+```
+
+Then backup $HOSTNAME.libreboot.rom to a different machine
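Review bot: The `wget` line fetches the release tarball from a third-party mirror, and the following steps extract `vgaroms/vgabios.bin` from it and flash it, with no integrity check in between. Add a step before `dtrx` that verifies the tarball against a checksum or signature obtained from the libreboot project. The file is named seabios-x200 but the donor image is `d945gclf_txtmode.rom`; a sentence on why that board's VGA BIOS is used would help. Since the page says the modified image (with `etc/pci-optionrom-exec` set to 2) is for testing option ROMs, it should also tell the reader to reflash `$HOSTNAME.libreboot.rom` afterwards, and the closing "Then backup" step would be safer placed right after the `cp rom` line, before anything is written to the chip.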

Added: trunk/sviki/fsf/services/asterisk.mdwn
===================================================================
--- trunk/sviki/fsf/services/asterisk.mdwn                              (rev 0)
+++ trunk/sviki/fsf/services/asterisk.mdwn      2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,226 @@
+# asterisk
+
+[Website](https://www.asterisk.org/)
+
+[Documentation](https://www.asterisk.org/community/documentation/)
+
+[Wiki](https://wiki.asterisk.org/wiki/display/AST/Home)
+
+[Source](https://gerrit.asterisk.org/admin/repos) [GitHub 
mirror](https://github.com/asterisk/asterisk)
+
+[FSD](https://directory.fsf.org/wiki/Asterisk)
+
+## Logging in
+
+Asterisk is on [[/hosts/physical/watson.fsf.org]] server.
+
+    ssh root@watson.fsf.org
+
+## Debugging
+
+If there is choppiness on the conference bridge (meetme), login to 
watson.fsf.org and become root, then try the following:
+
+Pull up the asterisk console
+
+    asterisk -vr
+
+Look to see if there are ghosts or duplicate users on the bridge:
+
+     asterisk> confbridge list 7600
+
+If you do not see anyone, they might be in a different room. You can use the 
command from `Check for users before restarting` to list all participants.
+
+This should show you something like the following:
+
+    Channel                        Flags  User Profile     Bridge Profile   
Menu             CallerID
+    ============================== ====== ================ ================ 
================ ================
+    SIP/jrasata-00000015                  default_user     default_bridge   
default_menu     jrasata
+
+Old instructions: Notice that User #: 02 is the same as #08. In this case we 
can tell that the channel SIP/johns-00000083 has been open for 5 hours and 27 
mins, this is obvious a ghost and causing the meetme plugin to generate 
additional traffic that the client cannot receive (causing choppy sounds over 
the bridge).
+
+The solution here is to kill the channel,  meetme has a  clean way of doing 
this from the plugin itself with the following command:
+
+    asterisk> confbridge kick 7600 SIP/jrasata-00000015
+
+This command kicks the User from the bridge and kills its channel cleanly. At 
this point the conference bridge should be back to normal.
+
+When you are done, keep the asterisk shell up and running in a `tmux` session. 
This displays more useful recent info than the regular file-based logs do.
+
+## Check for users before restarting
+
+    asterisk> core show channels
+
+## fail2ban and firewall
+
+If you restore the firewall, ensure that you restart the fail2ban service, or
+our host will be unprotected from brute force attempts and this will also
+reduce the performance of the asterisk server. To verify correctness, look for
+fail2ban sections in the output of "iptables -L -v"
+
+## CLI-help
+
+When you are in the asterisk CLI, you can type `?` or TAB at any point in  your
+command for suggested command completions
+
+## Reloading modules
+
+After editing extensions.conf, run the following in the asterisks CLI:
+
+    > dialplan reload
+
+After editing sip.conf:
+
+    > sip reload
+
+If that is not enough (this does more than systemctl reload):
+
+    > reload
+
+## Files you will likely edit
+
+Under `/etc/asterisk/`:
+
+* `extensions.conf` (dialplan)
+* `sip.conf` (SIP config, to be replaced by `pjsip.conf` when we are ready)
+* `voicemail.conf` (voicemail)
+* `confbridge.conf` (conference calling)
+* `chan_dahdi.conf` (for editing physical phone lines)
+
+### Extensions.conf
+
+First of all, read the **`README-SERIOUSLY.bestpractices.md`** file linked
+below. We must not allow others to commit toll fraud (dialing arbitrary numbers
+from external calls) with our phone system, otherwise we will face a large bill
+and/or downtime. There is also a risk of **arbitrary code execution** if we are
+not careful.
+
+Security highlights:
+
+* Use strict pattern matching, avoid using `.` or `!`. use FILTER() to avoid
+  injection from arbitrary user input via caller id or dialed strings.
+* Do not use numbers for SIP device names (can be brute forced).
+* Secure passwords.
+* Avoid typos by using `same => n,...` syntax.
+* Avoid use of `EXEC*` to avoid arbitrary code execution.
+* Keep `live_dangerously` set to `no`.
+
+Extension number formatting (from PDF linked below):
+
+    _ denotes a pattern matching extension
+    N matches any number from 2 through 9
+    X matches any single digit
+    . matches one or more of any digit
+    [2-6] matches any of 2,3,4,5,6
+
+Call Andrew according to `ANDREW=SIP/andrew/` variable set above:
+
+    #        extension,rule_number,command
+    exten => 39,1,NoOp(About to call Andrew's SIP line) # prints to console
+    exten => 39,2,Dial(${ANDREW},5,t)
+
+Do more tasks based on order of inclusion, rather than explicit numbering
+
+    exten => 39,n,NoOp(Done calling Andrew's SIP line)
+    exten => 39,n,NoOp(Done calling Andrew's SIP line)
+    same  =>    n,NoOp(Done calling Andrew's SIP line)
+
+(I am not sure if those commands get processed if they reach voicemail, but a
+hangup event from either party should terminate the rule processing).
+
+The `s` extension stands for a special (or start?) extension
+
+    exten =>  0,1,GoTo(4,7)
+    exten =>  4,7,GoTo(context-name,s,1)
+
+    [context-name]
+    exten =>  s,1,NoOp(Got to this rule)
+
+Note that parameters in `()` in at least some cases are required / counted from
+right to left. So you can leave off the beginning of a parameter list to be
+more concise, but you must include parameters through the end.
+
+There is extensive documentation in the extensions.conf file itself, but you 
will
+have to scroll down to the appropriate section to find it. Try searching the
+file for `Any category other`.
+
+Do not forget to reload the Asterisk configs after making changes.
+
+### sip.conf
+
+We use `allowguest=yes` in our sip.conf file. This allows other SIP hosts to
+connect to our SIP server without a user account password, and without us
+allowlisting their IP address. Some companies might not want that, as they want
+to be dialed by a phone number via the SIP trunk of their SIP provider, and
+none of their customers use SIP to connect directly to other hosts. In our
+case, if Free Software Org Foo wants to connect from their SIP server to ours,
+disallowing guests would not allow them to connect.
+
+<https://kb.smartvox.co.uk/asterisk/secure-asterisk-pbx-part-2/>
+
+## Custom voicemail name / greeting
+
+For RMS' mailbox 43, the automated voicemail voice replies splices RMS' name
+in his own voice, rather than saying "extension 43":
+
+    /var/spool/asterisk/voicemail/default/43/greet.gsm
+
+`file -sL` has this to say about the above file:
+
+    greet.WAV: RIFF (little-endian) data, WAVE audio, GSM 6.10, mono 8000 Hz
+
+So if someone wants the voicemail to refer to them by name, ask them to record
+their name into a microphone, then convert it into a similar format as above.
+
+## Call logs
+
+Call logs are found in the `/var/log/asterisk/cdr-csv/Master.csv` file where 
cdr stands for [Call Detail 
Records](http://asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/asterisk-SysAdmin-SECT-1.html).
+
+An outgoing call starts with a sip account and is followed by the number that 
they dialed like so:
+
+`"","michael","918657127946",`
+
+An incoming call starts with an external number and is followed by the 
extension they used like so:
+
+`"","18657127946","501",`
+
+### Verbose, recent logs
+
+The best way to see detailed logs is to see them on the console of `asterisk
+-vvvvr`, because not all messages are logged to files, but they do show at that
+command prompt. For this reason, I like to keep a `tmux` session open with this
+command, so we can look at recent lines if any issue comes up.
+
+## More Documentation
+
+Security:
+
+* 
<https://github.com/asterisk/asterisk/blob/master/README-SERIOUSLY.bestpractices.md>
+* <https://www.callcentric.com/support/device/security>
+* <https://kb.smartvox.co.uk/asterisk/secure-asterisk-pbx-part-2/>
+
+General:
+
+* <https://www.redhat.com/sysadmin/introduction-voip>
+* <https://www.redhat.com/sysadmin/introduction-asterisk>
+* <https://www.redhat.com/sysadmin/sip-endpoint>
+* <https://www.redhat.com/sysadmin/asterisk-dialplan>
+* <https://www.redhat.com/sysadmin/asterisk-public-switched-telephone-network>
+* 
<https://www.apricot.net/apricot2006/slides/tutorial/tuesday/Jonny_Martin-Asterisk.pdf>
+* <https://www.voip-info.org/asterisk/>
+
+Faxing:
+
+* <https://wiki.asterisk.org/wiki/display/AST/T.38+Fax+Gateway>
+* <https://www.asteriskguru.com/tutorials/asterisk_fax.html>
+* 
<http://www.asteriskdocs.org/en/3rd_Edition/asterisk-book-html-chunk/Fax_id265396.html>
+
+## Random notes
+
+& means to ring multiple phones at the same time.
+
+We have billing limits with callcentric, they will pause our account if
+we spend too much money, for example if someone figures out how to do
+fraud through our asterisk.
+
+There are protocols for t.38, which should allow us to send faxes, but
+not sure if our fax machine supports it.
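Review bot: In the Extensions.conf section the pattern table says `. matches one or more of any digit`, which conflicts with the security highlights just above it that tell readers to avoid `.` and `!` because of injection through caller id or dialed strings. In Asterisk patterns `.` matches one or more characters of any kind, not only digits, and the table should say so because that is the reason for the warning. The dialplan sample uses `#        extension,rule_number,command` and `# prints to console` as comments, while Asterisk configuration files use `;` for comments. In the sip.conf section, `allowguest=yes` is justified but the page does not say which context unauthenticated callers land in; given the toll fraud warning, name that context and confirm that it cannot reach outbound trunks. The "Old instructions" paragraph under Debugging refers to User #02, #08 and `SIP/johns-00000083`, none of which appear in the sample output shown, so either restore the matching output or remove the paragraph. The Call logs examples look like a real account name and real phone numbers and would be better replaced with placeholders.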

Added: trunk/sviki/fsf/services/civicrm-bounce-processing.mdwn
===================================================================
--- trunk/sviki/fsf/services/civicrm-bounce-processing.mdwn                     
        (rev 0)
+++ trunk/sviki/fsf/services/civicrm-bounce-processing.mdwn     2023-12-06 
21:51:43 UTC (rev 687)
@@ -0,0 +1,230 @@
+Relevant documentation:
+https://docs.civicrm.org/sysadmin/en/latest/setup/civimail/inbound
+
+Bounce processing was disabled from nov 1 2016 to 2020-05-06
+because it marked too many false positives, RT#1087723
+
+There are regexes in the db used to classify bounces. We disabled some
+categories and a few bad regexes to fix the problem. Also, needed to
+update the db to ignore bounces in its log from before the date when we
+started using new rules.
+
+An even better solution might be to
+use https://github.com/sisimai/rb-Sisimai and do our own bounce processing.
+
+bounce addresses look like this:
+crmmailer+b
+    but there are other letters:
+civicrm-core/CRM/Utils/Mail/EmailProcessor.php:
+b|bounce|c|confirm|o|optOut|r|reply|re|e|resubscribe|u|unsubscribe
+
+
+```
+select * from civicrm_mailing_bounce_type;
+
++----+----------+-----------------------------------------------+----------------+
+| id | name     | description                                   | 
hold_threshold |
++----+----------+-----------------------------------------------+----------------+
+|  1 | AOL      | AOL Terms of Service complaint                |              
1 |
+|  2 | Away     | Recipient is on vacation                      |             
99 |
+|  3 | DNS      | Unable to resolve recipient domain            |              
3 |
+|  4 | Host     | Unable to deliver to destintation mail server |              
3 |
+|  5 | Inactive | User account is no longer active              |              
1 |
+|  6 | Invalid  | Email address is not valid                    |              
1 |
+|  7 | Loop     | Mail routing error                            |              
3 |
+|  8 | Quota    | User inbox is full                            |              
3 |
+|  9 | Relay    | Unable to reach destination mail server       |              
3 |
+| 10 | Spam     | Message caught by a content filter            |              
1 |
+| 11 | Syntax   | Error in SMTP transaction                     |              
3 |
++----+----------+-----------------------------------------------+----------------+
+
+
+# These seem good to stop mailing.
+|  1 | AOL      | AOL Terms of Service complaint                |              
1 |
+|  6 | Invalid  | Email address is not valid                    |              
1 |
+# For smaller providers, I expect there could ocasionally be a temporary 
bounce with this
+# so change to 5 or so once we start processing all bounces
+|  5 | Inactive | User account is no longer active              |              
1 |
+
+
+# Avoid this for now until we upgrade our mail servers and maybe
+# we stop being seen as spam.
+| 10 | Spam     | Message caught by a content filter            |              
1 |
+
+
+# These have no effect on deliverability or some within them do, but need to 
be separated and have some retries
+|  3 | DNS      | Unable to resolve recipient domain            |              
3 |
+|  4 | Host     | Unable to deliver to destintation mail server |              
3 |
+|  9 | Relay    | Unable to reach destination mail server       |              
3 |
+|  2 | Away     | Recipient is on vacation                      |             
99 |
+|  7 | Loop     | Mail routing error                            |              
3 |
+|  8 | Quota    | User inbox is full                            |              
3 |
+
+# All unclassified bounces also get this number. Clearly not a good idea.
+| 11 | Syntax   | Error in SMTP transaction                     |              
3 |
+
+
+update civicrm_mailing_bounce_type set hold_threshold=40000000 where id != 1 
and id != 6 and id != 5;
+
+# Update 2022-10-08, we got added to spamhaus sbl blocklist. So I'm lowering 
them
+# down:
+
+update civicrm_mailing_bounce_type set hold_threshold=99 where id = 2;
+
+update civicrm_mailing_bounce_type set hold_threshold=10 where id = 4 or id = 
8 or id = 11;
+
+update civicrm_mailing_bounce_type set hold_threshold=6 where id = 10;
+
+
+
+
+# gmail had a bug where it returned 500 for 6k contacts and they immediately 
went on hold.
+# Civicrm was dumb to be treating any permanent error as permanent, so 
increate to 3.
+update civicrm_mailing_bounce_type set hold_threshold = 3 where hold_threshold 
= 1;
+```
+
+To see the regexes these will match,
+```
+select * from civicrm_mailing_bounce_pattern where bounce_type_id = 1 or 
bounce_type_id = 6 or bounce_type_id = 5;
+```
+
++-----+----------------+-------------------------------------------------------------------------------------------------+
+| id  | bounce_type_id | pattern                                               
                                          |
++-----+----------------+-------------------------------------------------------------------------------------------------+
+|   1 |              1 | Client TOS Notification                               
                                          |
+|  21 |              5 | (my )?e-?mail( address)? has changed                  
                                          |
+|  22 |              5 | account (inactive|expired|deactivated)                
                                          |
+|  23 |              5 | account is locked                                     
                                          |
+|  24 |              5 | changed w+( e-?mail)? address                         
                                          |
+|  25 |              5 | deactivated mailbox                                   
                                          |
+|  26 |              5 | disabled or discontinued                              
                                          |
+|  27 |              5 | inactive user                                         
                                          |
+|  28 |              5 | is inactive on this domain                            
                                          |
+|  29 |              5 | mail receiving disabled                               
                                          |
+|  30 |              5 | mail( ?)address is administrative?ly disabled         
                                          |
+|  32 |              5 | no longer (accepting mail|on server|in 
use|with|employed|on staff|works for|using this account) |
+|  33 |              5 | not accepting (mail|messages)                         
                                          |
+|  34 |              5 | please use my new e-?mail address                     
                                          |
+|  35 |              5 | this address no longer accepts mail                   
                                          |
+|  36 |              5 | user account suspended                                
                                          |
+|  37 |              6 | (user|recipient( name)?) is not recognized            
                                          |
+|  38 |              6 | 554 delivery error                                    
                                          |
+|  39 |              6 | address does not exist                                
                                          |
+|  40 |              6 | address(es)?( you (entered|specified))? (could|was)( 
not|n.t)( be)? found                       |
+|  41 |              6 | address(ee)? (unknown|invalid)                        
                                          |
+|  42 |              6 | bad destination                                       
                                          |
+|  43 |              6 | badly formatted address                               
                                          |
+|  44 |              6 | can't open mailbox for                                
                                          |
+|  45 |              6 | cannot deliver                                        
                                          |
+|  46 |              6 | delivery to the following recipient(s)? failed        
                                          |
+|  47 |              6 | destination addresses were unknown                    
                                          |
+|  48 |              6 | did not reach the following recipient                 
                                          |
+|  49 |              6 | does not exist                                        
                                          |
+|  50 |              6 | does not like recipient                               
                                          |
+|  51 |              6 | does not specify a valid notes mail file              
                                          |
+|  52 |              6 | illegal alias                                         
                                          |
+|  53 |              6 | invalid (mailbox|(e-?mail )?address|recipient|final 
delivery)                                   |
+|  54 |              6 | invalid( or unknown)?( virtual)? user                 
                                          |
+|  55 |              6 | (mail )?delivery (to this user )?is not allowed       
                                          |
+|  56 |              6 | mailbox (not found|unavailable|name not allowed)      
                                          |
+|  57 |              6 | message could not be forwarded                        
                                          |
+|  58 |              6 | missing or malformed local(-| )part                   
                                          |
+|  59 |              6 | no e-?mail address registered                         
                                          |
+|  60 |              6 | no such (mail drop|mailbox( \w+)?|(e-?mail 
)?address|recipient|(local )?user|person)( here)?    |
+|  61 |              6 | no mailbox (here )?by that name                       
                                          |
+|  62 |              6 | not (listed in|found in directory|known at this 
site|our customer)                              |
+|  63 |              6 | not a valid( (user|mailbox))?                         
                                          |
+|  64 |              6 | not present in directory entry                        
                                          |
+|  65 |              6 | recipient (does not exist|(is 
)?unknown|rejected|denied|not found)                              |
+|  66 |              6 | this user doesn't have a yahoo.com address            
                                          |
+|  67 |              6 | unavailable to take delivery of the message           
                                          |
+|  68 |              6 | unavailable mailbox                                   
                                          |
+|  69 |              6 | unknown (local( |-)part|recipient|address error)      
                                          |
+|  70 |              6 | unknown( or illegal)? user( account)?                 
                                          |
+|  71 |              6 | unrecognized recipient                                
                                          |
+|  72 |              6 | unregistered address                                  
                                          |
+|  73 |              6 | user (unknown|(does not|doesn't) exist)               
                                          |
+|  74 |              6 | user doesn't have an? w+ account                      
                                          |
+|  75 |              6 | user('s e-?mail name is)? not found                   
                                          |
+| 124 |              6 | ^Validation failed for:                               
                                          |
+| 141 |              5 | account that you tried to reach is disabled           
                                          |
+| 142 |              5 | User banned                                           
                                          |
+| 150 |              6 | 5.1.0 Address rejected                                
                                          |
+| 151 |              6 | no valid recipients?                                  
                                          |
+| 152 |              6 | RecipNotFound                                         
                                          |
+| 153 |              6 | no one at this address                                
                                          |
+| 155 |              6 | account is not allowed                                
                                          |
+| 156 |              6 | Address .<[^>]*>. not known here                      
                                          |
+| 157 |              6 | Recipient address rejected: 
([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}                                      |
+| 158 |              6 | Non sono riuscito a trovare l.indirizzo e-mail        
                                          |
+| 159 |              6 | nadie con esta direcci..?n                            
                                          |
+| 160 |              6 | ni bilo mogo..?e najti prejemnikovega e-po..?tnega 
naslova                                      |
+| 161 |              6 | Elektronski naslov (je ukinjen|ne obstaja)            
                                          |
+| 162 |              6 | nepravilno nastavljen predal                          
                                          |
++-----+----------------+-------------------------------------------------------------------------------------------------+
+
+
+these ones could be a temporary, remove them.
+
+```
+delete from civicrm_mailing_bounce_pattern where pattern = 'misconfigured 
forwarding address';
+delete from civicrm_mailing_bounce_pattern where pattern = 'mailbox 
(temporarily disabled|currently suspended)';
+
+```
+
+
+in mail account settings
+
+https://my.fsf.org/civicrm/admin/mailSettings?reset=1
+
+I changed protocol from imap to localdir, and added a source path.
+
+
+```
+# to see on_hold logic,
+# based on query in CRM/Core/BAO/Email.php
+
+SELECT     count(civicrm_mailing_event_bounce.id) as bounces,
+                            civicrm_mailing_bounce_type.hold_threshold as 
threshold
+                FROM        civicrm_mailing_event_bounce
+                INNER JOIN  civicrm_mailing_bounce_type
+                        ON  civicrm_mailing_event_bounce.bounce_type_id = 
civicrm_mailing_bounce_type.id
+                INNER JOIN  civicrm_mailing_event_queue
+                        ON  civicrm_mailing_event_bounce.event_queue_id = 
civicrm_mailing_event_queue.id
+                INNER JOIN  civicrm_email
+                        ON  civicrm_mailing_event_queue.email_id = 
civicrm_email.id
+                WHERE       civicrm_email.id = (select id from civicrm_email 
where email = 'info@zlug.ly')
+                    AND     (civicrm_email.reset_date IS NULL
+                        OR  civicrm_mailing_event_bounce.time_stamp >= 
civicrm_email.reset_date)
+                GROUP BY    civicrm_mailing_event_bounce.bounce_type_id
+                ORDER BY    threshold, bounces desc;
+
+
+# to find the past bounces: of x@x.com
+
+SELECT     civicrm_mailing_event_bounce.bounce_type_id, 
civicrm_mailing_event_bounce.bounce_reason, 
civicrm_mailing_event_bounce.time_stamp
+                FROM        civicrm_mailing_event_bounce
+                INNER JOIN  civicrm_mailing_bounce_type
+                        ON  civicrm_mailing_event_bounce.bounce_type_id = 
civicrm_mailing_bounce_type.id
+                INNER JOIN  civicrm_mailing_event_queue
+                        ON  civicrm_mailing_event_bounce.event_queue_id = 
civicrm_mailing_event_queue.id
+                INNER JOIN  civicrm_email
+                        ON  civicrm_mailing_event_queue.email_id = 
civicrm_email.id
+                WHERE       civicrm_email.id = (select id from civicrm_email 
where email = 'x@x.com')
+                    AND     (civicrm_email.reset_date IS NULL
+                        OR  civicrm_mailing_event_bounce.time_stamp >= 
civicrm_email.reset_date);
+
+
+## setting a reset_date for all emails that have a bounce, but are not 
on_hold. essentially like discarding old bounces we didnt act on, when at some 
point in the past, we set on_hold to 0 for most contacts.
+
+# count of records to update: emails that have a past bounce and are not on 
hold.
+select count(*) from (select distinct(civicrm_email.id) from civicrm_email 
inner join civicrm_mailing_event_queue on civicrm_email.id = 
civicrm_mailing_event_queue.email_id INNER JOIN  civicrm_mailing_event_bounce 
ON  civicrm_mailing_event_bounce.event_queue_id = 
civicrm_mailing_event_queue.id where civicrm_email.on_hold = 0) as c;
+
+
+# doing the update, it is so different from the counting, that I wrapped in a 
transaction in case it updated a different number:
+start transaction;
+update civicrm_email as cmail inner join civicrm_mailing_event_queue on 
cmail.id = civicrm_mailing_event_queue.email_id INNER JOIN  
civicrm_mailing_event_bounce ON  civicrm_mailing_event_bounce.event_queue_id = 
civicrm_mailing_event_queue.id set cmail.reset_date = '2020-05-01 12:00:00'  
where cmail.on_hold = 0;
+commit;
+# if it had updated an unexpected number, then run: rollback;
+
+```
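Review bot: In the last SQL block, `commit;` runs before the comment that says to run `rollback` if the update touched an unexpected number of rows, and once the transaction is committed a rollback has no effect. Move that comment between the `update` and the `commit`, and say to compare the reported row count with the result of the preceding `select count(*)` before committing. The first on_hold query also hard-codes what looks like a real contact address (`info@zlug.ly`) where the second uses the placeholder `x@x.com`; use the placeholder in both.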

Added: trunk/sviki/fsf/services/discourse.mdwn
===================================================================
--- trunk/sviki/fsf/services/discourse.mdwn                             (rev 0)
+++ trunk/sviki/fsf/services/discourse.mdwn     2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,504 @@
+# Discourse
+
+[[!toc levels=5]]
+
+## WARNINGS
+
+* **do NOT enable the `sso overrides email` option.**
+
+## Documentation for admins
+
+### SSO settings note
+
+Do not enable `sso overrides email`, because users can change their my.fsf.org
+/ CAS email address without validation. It's important that users are forced to
+validate email addresses upon signup or editing their Discourse account,
+otherwise accounts will get merged based on email addresses. Before you
+consider changing this on the live forum, do thorough testing on the dev forum
+and talk to Andrew. Note that you'll have to change the email address on two
+accounts on my.fsf.org to move an email address from one account to another on
+my.fsf.org / CAS.
+
+### Running psql to inspect database
+
+```
+docker container ls # get container id, c3ac4fbfe7e3 in next command
+docker exec -it c3ac4fbfe7e3 /bin/bash -c 'su -c "psql -d discourse" postgres'
+
+```
+
+Example of searching for uses of a keyword, ip_add, in fields in the db
+
+```
+docker exec -it c3ac4fbfe7e3 /bin/bash
+su postgres
+for t in $(echo '\x on;\dt'|psql -d discourse | sed -nr 
's/^Name.*\s(\S+)/\1/p'); do for f in $(echo "\d+ $t"|psql -d discourse | sed 
-nr 's/^\s*(\w*ip_add\w*).*/\1/p'); do echo $t - $f; echo "select count(*) from 
$t where $f is not NULL;"|psql -d discourse; done; done
+```
+
+### Theme customization settings
+
+The theme customization editor won't let you copy more than one line out
+of the editor. So, here are the edits:
+
+CSS:
+
+```
+#fsf-footer-text { text-align: right; padding: 20px; }
+```
+
+Footer:
+
+```
+<div id="fsf-footer-text">
+  <p><a href="https://www.fsf.org/about/dmca-notice";>Copyright Infringement 
Notification</a></p>
+  <p>Source code:
+    <a href="https://github.com/discourse/discourse";>#1</a>,
+    <a href="https://weblabels.fsf.org/forum.members.fsf.org/CURRENT/"; 
rel="jslicense">JS Licenses</a>
+    <a href="https://github.com/eriko/discourse_cas_sso";>#3</a>,
+    <a href="https://weblabels.fsf.org/forum.members.fsf.org/CURRENT/"; 
rel="jslicense">JS Licenses</a>
+  </p>
+</div>
+```
+
+## Installing discourse
+
+### DNS
+
+enter something like this. check that the ipv4 address points to eggs, and you
+should configure `eggs.gnu.org` as the smtp server below.
+
+    MX      10 forum.members.fsf.org.
+    TXT     v=spf1 a mx ip4:208.118.235.92 ~all
+
+### Ansible
+
+add the vm to the `vm`, `behind-http-proxy`, `ufw`, `nginx`,
+`discourse`, `docker`, and `rvm` groups. check other recent vms for other
+groups. note that `forum0d` is a member of some unnecessary groups.
+
+After you run ansible for the first time, add it to the `office-only-web` group
+until the site is ready for use by others.
+
+### Setting up the environment
+
+Git repo: <https://github.com/discourse/discourse>
+
+Instructions come from here: 
<https://github.com/discourse/discourse/blob/master/docs/INSTALL-cloud.md>
+
+<https://github.com/discourse/discourse_docker.git> should be cloned as 
`/var/discourse/`
+
+To change existing low level site configuration variables, edit
+`/var/discourse/containers/app.yml` and run `./launcher rebuild app`. To
+generate `app.yml` for the first time, stop nginx, run `./discourse-setup`,
+enter `eggs.gnu.org` for the smtp address (`localhost` won't work), enter `""`
+answers for SMTP user name and password, enter `25` as port number, provide
+`sysadmin@gnu.org,yourname@fsf.org` as admin emails, skip LE setup, then edit
+`app.yml`.
+
+add something like these configs under `env:` in `containers/app.yml` (note the
+forum domain name):
+
+      # -- sudoman 2018-06-01
+      HTTP_PROXY: http://serverproxy0p.fsf.org:8118
+      HTTPS_PROXY: http://serverproxy0p.fsf.org:8118
+      NO_PROXY: localhost,127.0.0.0/8,forum.members.fsf.org
+
+comment out the `expose:` section.
+
+add this line to the `templates:` section:
+
+      - "templates/web.socketed.template.yml" # -- sudoman 2018-06-01
+
+change the smtp password to `""`.
+
+if this is your first time building the image, run `./launcher bootstrap app &&
+./launcher start app`, otherwise, run `./launcher rebuild app`.
+
+Look at the `nginx` configurations on `forum0p.members.fsf.org`, or whichever
+vm hosts discourse, to see the socket configuration for talking with discourse.
+
+Comment out the XSS config in `/etc/nginx/conf.d/` (Discourse sets its own) and
+set the CSP config to something like:
+
+    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 
'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';";
+
+### Initial setup up via the web interface
+
+Go to your domain's URL in a browser and follow along with the steps. Your user
+name should be you CAS user name. It's pretty straight-forward, but when it
+asks you for "Your community’s name", you should put in something like "The
+Free Software Foundation Associate Member Forum", not "The FSF". The forum
+should be marked private.
+
+### Installing plugins
+
+<https://meta.discourse.org/t/install-plugins-in-discourse/19157>
+
+Using `./launcher enter app` then cloning the repo in
+`/var/www/discourse/plugins` manually inside the image causes the data to be
+lost after running `./launcher rebuild app`.
+
+### Installing and setting up cas sso web service
+
+The developer of the extension says not to use this code base. We should move
+to SAML+CAS in the future.
+
+You need to install an older version of ruby. add the server to the 'rvm' group
+in ansible and then run `rvm autolibs disabled` then `rvm install 2.3` and
+something like `rvm use 2.3.7`.
+
+Clone `https://vcs.fsf.org/git/discourse_cas_sso.git` under
+`/srv/discourse_cas_sso` as the `discourse` user. Use the `fsf-config` branch.
+
+If these instructions are incomplete, instructions can be found here:
+<https://github.com/eriko/discourse_cas_sso>
+
+Copy the random secret password from `/etc/discourse/` and add it to the admin
+section of the site. (Search the admin pannel for "sso secret".)
+
+Update the configurations as described in the instructions. Edit configs under
+`/etc/discourse/` via ansible. The `sso.secret` value (set via ansible) must
+match the "sso secret" value in Discourse. `require_activation` should be set
+to true.
+
+    export HTTP_PROXY=http://serverproxy0p.fsf.org:8118; export 
HTTPS_PROXY=http://serverproxy0p.fsf.org:8118; export 
NO_PROXY=localhost,127.0.0.1
+
+    cd /srv/discourse_cas_sso/
+
+    bundle install
+    bundle exec rake --tasks
+
+    RAILS_ENV=production bundle exec rake db:migrate
+
+    chown -R discourse:discourse /srv/discourse_cas_sso/
+
+Start the server with `systemctl start discourse_cas_sso`.
+
+### Enabling / disabling SSO
+
+#### Disabling
+
+If you need to disable SSO due to brokenness, see "What if you check it by
+mistake?" at the top of the page:
+<https://meta.discourse.org/t/official-single-sign-on-for-discourse-sso/13045>
+
+    cd /var/discourse
+    ./launcher enter app
+    rails c
+    irb > SiteSetting.enable_sso = false
+    irb > SiteSetting.enable_local_logins = true
+    irb > exit
+    exit
+
+#### Enabling
+
+confirm all new settings as you make them:
+
+* enable invite only
+* enable login required
+* set "sso url" to something like <https://forum0p.members.fsf.org/sso>
+* set "sso secret" to secret value in 
`/srv/discourse_cas_sso/config/configatron/production.rb` or vice versa
+* set "logout redirect" to someting like 
<https://cas.fsf.org/logout?service=https://forum0p.members.fsf.org>
+* should enable user name override
+* disable "enable local logins"
+* do **NOT** enable email overrides. this would break account identities and
+  cause accounts to get mixed up because we don't validate email addresses in
+      CAS / my.fsf.org.
+* select "enable sso" (note that if using the proper `discourse_cas_sso`
+  config, emails don't need verification by the external site.
+
+before you log out of that account or try to log in, you need to log in as
+another user in a private window and then to grant that user admin access
+from your open login. then in the private window, delete the account you used 
to
+set up the site, because it doesn't have cas credentials associated with it.
+then restart your private session and log in with the user name you used to set
+up the site. then revoke admin access from the second user account.
+
+#### Debugging cas sso
+
+edit `/srv/discourse_cas_sso/config/environments/production.rb` and set
+`config.log_level = :info`. Make sure to revert this and to restart the 
service after you are done
+debugging, because it logs private information like user names and ip
+addresses. At the time of writing, log rotation is not set up for this file.
+
+### Setting up email reply delivery
+
+exim is configured via the `discourse` ansible role to listen on port 26 so
+that the discourse postfix service can listen on port 25. local delivery to the
+world still works even with the non-standard port.
+
+<https://meta.discourse.org/t/straightforward-direct-delivery-incoming-mail/49487>
+
+    # if you don't have a mail-receiver config, copy it from 
/var/discourse/samples/ and edit.
+    vim /var/discourse/containers/mail-receiver.yml
+
+change the mail domain, the discourse enpoint, add an API key generated from
+`/admin/api/keys`, add something like this to the `env:` section (note the
+forum domain name):
+
+      # -- sudoman 2018-09-19
+      HTTP_PROXY: http://serverproxy0p.fsf.org:8118
+      HTTPS_PROXY: http://serverproxy0p.fsf.org:8118
+      NO_PROXY: localhost,127.0.0.0/8,forum.members.fsf.org
+
+then run these commands:
+
+    ./launcher bootstrap mail-receiver
+
+    ./launcher start mail-receiver
+
+make an mx record for the recipient domain. make sure to update the mx record
+when migrating hosts.
+
+configure `reply by email enabled`, `reply by email address` with a value of
+something like `replies+%{reply_key}@forum.members.fsf.org`, and `manual
+polling enabled`.
+
+Add a config like this to `mail.fsf.org:/etc/exim4/conf.d/routers.conf` near an
+existing forum conf:
+
+    forum0d_members_fsf_router:
+      driver = manualroute
+      domains = forum0d.members.fsf.org
+      transport = remote_smtp
+      route_list = * forum0d.members.fsf.org
+
+useful commands:
+
+    ./launcher logs mail-receiver
+
+    ./launcher enter mail-receiver
+    mailq
+    exit
+
+### Other settings
+
+set the backup frequency to be once per day, instead of once every seven days.
+enable "force https" once you're sure that you are ready for that. disable
+"automatically download gravatars".
+
+## Upgrading
+
+make sure to take a database snapshot before upgrading.
+
+### Via the web browser
+
+Don't use this method until we get the removal of the restricted repos merged
+upstream. If we upgrade via the web, it might try a git pull on
+`/var/discourse` that will fail due to a merge conflict with our code. When
+that happens, we need to build our own patched version of the base docker image
+and use that.
+
+If the web upgrade fails, run `./launcher start app` or `./launcher rebuild
+app` from the command line in `/var/discourse` to get the app started again,
+then try to do an upgrade via the cli.
+
+To upgrade via the web interface, visit `/admin/upgrade` in a web browser.
+
+### Via the command line
+
+To begin upgrading Discourse and to check whether we need to build a new Docker
+base image, do the following on your **local machine**:
+
+    ### First time only
+    git clone https://github.com/discourse/discourse_docker
+    cd discourse_docker/
+    git remote add fsf git@vcs.fsf.org:discourse_docker.git
+    git pull fsf
+
+    ### Do the following every time
+    git checkout main # not master
+    git pull
+
+    git checkout fsf-master
+    git pull
+    git merge main # not master
+
+    ## Fix conflicts, add major changes to the FSF-CHANGELOG.mdwn
+
+    git add -p
+    git commit
+
+    git push
+
+Check `image/base/slim.Dockerfile` to see whether it adds any non-free repos, 
and
+ensure that Debian is still the base image (check top of that file). If either
+have changed, we need to figure out whether the software will work without the
+non-free bits, and potentially edit our `fsf-master` branch, and build a new
+base image. (Skip to section about building a new base image below.)
+
+If there were no merge errors about `/var/discourse/launcher`
+containing the line `image=discourse/base:build` instead of the default value, 
go
+ahead with the normal upgrade procedure. Otherwise, you'll need to **build a 
new
+Docker base image first**. (Skip to that section further below.)
+
+If there is a new entry for `image=discourse/base:...`, then pre-fetch the
+Docker images before taking the site offline:
+
+    ssh root@forum.members.fsf.org
+
+    cd /var/discourse
+    git checkout fsf-master
+    git pull
+
+    docker pull $(grep -E "^image=\"discourse/base" launcher | grep -E -o 
"discourse/base:[0-9.-]+")
+
+You may also want to run:
+
+    docker pull discourse/mail-receiver:release
+
+Make a **backup** of the database by making a snapshot under the admin web
+interface.
+
+Make an out of band notice.  Example: 
<https://hostux.social/@fsfstatus/102882143256592757>
+
+SSH to forum.members.fsf.org
+
+    ssh root@forum.members.fsf.org
+
+When taking Discourse offline for a `./launcher rebuild app` step, not when
+building a new base image, it's good to set up the site-wide 503 error page.
+Make sure to revert your changes when done.
+
+    cd /etc/nginx/sites-enabled/
+    rm -f *-ssl.conf
+    ln -s ../sites-available/503-everything.conf
+    service nginx reload
+
+To upgrade Discourse:
+
+    cd /var/discourse
+    git checkout fsf-master
+    git pull
+
+    ./launcher rebuild app
+
+Answer `n` to the question about recovering space.
+
+    Would you like to attempt to recover space by cleaning docker images and 
containers in the system?(y/N)n
+
+Then update the mail receiver:
+
+    ./launcher rebuild mail-receiver
+
+Now add the hard-coded line that adds a link to the weblabels, and replace 
text about non-free browsers:
+
+    ./launcher enter app
+
+```
+patch -p1 << EOF
+diff --git a/app/views/layouts/application.html.erb 
b/app/views/layouts/application.html.erb
+index 9cb5efcce9..5003d5e57c 100644
+--- a/app/views/layouts/application.html.erb
++++ b/app/views/layouts/application.html.erb
+@@ -96,6 +96,8 @@
+     <section id='main'>
+     </section>
+
++    <div style="display: none"><a 
href="https://weblabels.fsf.org/forum.members.fsf.org/CURRENT/"; 
rel="jslicense">JS Licenses</a></div>
++
+     <% unless current_user %>
+       <form id='hidden-login-form' method="post" 
action="<%=main_app.login_path%>" style="display: none;">
+         <input name="username" type="text"     id="signin_username">
+
+EOF
+```
+
+    grep -ril https://browsehappy.com . | xargs -i sed -i -e 
's:https\://browsehappy.com:https\://directory.fsf.org/wiki/Category/Internet-application/web-browser:g;
 s: href="https\://www.discourse.org/faq/#browser"::g' {}
+
+    exit
+
+    ./launcher restart app   ## not 'rebuild'!
+
+At the time of writing, the configs you should re-enable when done are:
+
+    forum0p.members.fsf.org.conf
+    forum0p.members.fsf.org-discourse-docker-proxy-ssl.conf
+    forum0p.members.fsf.org-ssl.conf
+
+Use these commands to bring the site back up:
+
+    cd /etc/nginx/sites-enabled/
+    rm -f 503-everything.conf
+    ln -s ../sites-available/*ssl* .
+    service nginx reload
+
+Open the <https://forum.members.fsf.org/> up in a private browser window 
`CTRL+SHIFT+P` and test the login.
+
+Once the forum is up and running, and if everything is working properly, run
+the following command to remove images that are not currently running: [support
+thread](https://meta.discourse.org/t/launcher-script-removed-locally-compiled-base-build/113771)
+
+    ./launcher cleanup
+
+This step may take less than 13 minutes.
+
+Now make sure that the **LibreJS weblabels** are up to to date. If not, add
+entries to the `git@vcs.fsf.org:weblabels.fsf.org.git` repo.
+
+Make an out of band notice.  Example: 
<https://hostux.social/@fsfstatus/102882143256592757>
+
+Update the weblabels for the FSF forum (see below).
+
+#### Weblabels updates
+
+I suggest copying and pasting the new, rejected JS file names over the existing
+file names in the weblabels repo. Then do a git diff to see a summary of what
+has changed. Look under each diff entry to see the .tgz file that needs to be
+updated. unpack the original tgz files and look at what is inside of them.
+clone the discourse app repo, and check out the used git version according to
+the forum admin page. run a find command in the discourse app repo for one of
+those files in the unpacked tgz. look at what is in its parent folder. if its
+contents matches, that's one of the tgzs you need to create and copy into the
+weblabels repo. copy them over, clean out the temporary tgz unpack directories,
+then commit and push. visit the weblabels page to refresh the js list cache for
+the plugin. visit the forum to see what else needs fixing. rinse and repeat.
+
+#### Building a new Docker base image
+
+If the base image is still Debian based, and adds no non-free repos / programs,
+and the base image in the `launcher` file is like this:
+`image="discourse/base:2.0.20190625-0946"`, but with a date after 2019-08-23,
+then we may be able to continue using the upstream image, and skip building a
+new image. Otherwise, we should add in `image=discourse/base:build`, fix
+freedom issues, and build the image, as described below. Note that major
+changes to the docker image may break the forum, so this should be talked about
+with the team before making such changes.
+
+If merging the master branch into fsf-master creates a conflict with the code
+that removes the `restricted` repo, or sets the Docker base image name in the
+launcher script, then we need to build a new local docker image with our local
+changes.
+
+Stopping Discourse and setting up the 503 page is not necessary for this step
+of the upgrade.
+
+While the forum is up and running, run the following command to remove images
+that are not currently running: [support
+thread](https://meta.discourse.org/t/launcher-script-removed-locally-compiled-base-build/113771)
+
+    ./launcher cleanup
+
+Then proceed with building the new base image.
+
+    cd /var/discourse
+    git checkout fsf-master
+    git pull
+
+    git log # to check for your recent commit
+
+`/var/discourse/image/base/Dockerfile` should not contain the word
+`restricted`.
+
+Make sure that `/var/discourse/launcher` contains the line
+`image=discourse/base:build` instead of the default value.
+
+Building a new base image will take a long time, so it should be done while the
+previous version of Discourse is still running.
+
+    cd /var/discourse/image/
+    ruby auto_build.rb base
+
+This step takes about an hour.
+
+Continue with the instructions 
[above](https://gluestick.office.fsf.org/hosts/services/discourse/#index13h3).
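Review bot: The nginx CSP line under "Setting up the environment" sets `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which permits inline script and eval and so leaves the policy with little value against injected script, and the same step tells the admin to comment out the XSS config. Say in the page why Discourse needs these relaxations, or mark the header as a stopgap to be tightened. Under "Debugging cas sso", reverting `config.log_level = :info` is left to memory while the log holds user names and IP addresses and has no rotation; add a step to truncate or remove that log when debugging ends. The closing "Continue with the instructions above" link still points at the old `gluestick.office.fsf.org` URL with a generated anchor, so replace it with a reference to the section in this page. The base-image section checks `image/base/Dockerfile` for `restricted` while the upgrade section names `image/base/slim.Dockerfile`; make the two agree.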

Added: trunk/sviki/fsf/services/gnusocial.mdwn
===================================================================
--- trunk/sviki/fsf/services/gnusocial.mdwn                             (rev 0)
+++ trunk/sviki/fsf/services/gnusocial.mdwn     2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,12 @@
+# gnu social
+
+## clear the caches
+
+some of these steps may not be necessary.
+
+    telnet localhost 11211
+    flush_all
+    quit
+
+    service memcached restart
+    service apache2 restart
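Review bot: "some of these steps may not be necessary" leaves the reader to guess which ones. A memcached restart normally discards everything it holds, so the `flush_all` over telnet and `service memcached restart` duplicate each other; state which one is the intended step and whether the apache restart is needed at all.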

Added: trunk/sviki/fsf/services/ikiwiki.mdwn
===================================================================
--- trunk/sviki/fsf/services/ikiwiki.mdwn                               (rev 0)
+++ trunk/sviki/fsf/services/ikiwiki.mdwn       2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,29 @@
+# Ikiwiki
+
+[Website](https://ikiwiki.info/)
+
+## Common Tickets
+
+### example.fsf.org ikiwiki SVN status found stray .tmp files
+
+#### Root Cause
+
+A temporary file from the web UI has not been cleaned properly.
+
+### Solution
+
+* Confirm there it is only stray tmp files and not a more serious problem with 
the repository. To do this run the following command from the SVN Root on the 
ikiwiki server:
+
+<pre>
+$ svn status
+?       tempfile.tmp
+?       tempfile.2.tmp
+</pre>
+
+As you can see in the above example, there are only tmp files stuck.
+
+* Delete the tmp files:
+
+<pre>
+svn status | awk '{print $2}' | xargs rm -rf
+</pre>
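Review bot: The cleanup command `svn status | awk '{print $2}' | xargs rm -rf` deletes every path that `svn status` prints, not only the stray `.tmp` files: a locally modified (`M`) or added (`A`) file would be removed as well. Restrict it to unversioned entries ending in `.tmp`, for example `svn status | awk '$1 == "?" && $2 ~ /\.tmp$/ {print $2}'`, and drop `-r` since only files are expected. The confirmation step should also say what to do when statuses other than `?` appear. The "Solution" heading is at `###` while "Root Cause" is at `####`.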

Added: trunk/sviki/fsf/services/mediagoblin.mdwn
===================================================================
--- trunk/sviki/fsf/services/mediagoblin.mdwn                           (rev 0)
+++ trunk/sviki/fsf/services/mediagoblin.mdwn   2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,73 @@
+# mediagoblin
+
+## updating front page
+
+see <https://brains.fsf.org/wiki/campaigns/manual/www/media.libreplanet.org/>
+for info about campaigns' side of the process. This git repo:
+
+```
+git clone git@vcs.fsf.org:mediagoblin-libreplanet.git
+```
+
+contains module code, but it appears to be very much out of date.
+
+The deployed module on the server itself can be found here:
+`/srv/gmg/mediagoblin/mediagoblin/plugins/libreplanet`. Make sure to run `su -l
+mediagoblin` before you make changes to that deployed repo. **Note** that the
+`.git` directory is missing, and that there may be newer changes on the server
+compared to the git repo.
+
+Syntax errors and undefined variables generally lead to crashing the entire
+site, so review changes carefully before deploying them. Only some changes are
+applied immediately, whereas others require restarting gmg, as described below.
+Some code that is valid may be only half deployed, which can lead to crashes.
+
+## starting and stopping gmg
+
+### on gnuhope stack
+
+    systemctl stop mediagoblin-paster.service ; systemctl stop 
mediagoblin-celeryd.service
+
+    systemctl start mediagoblin-paster.service ; systemctl start 
mediagoblin-celeryd.service
+
+## software updates
+
+### on media.libreplanet.org
+
+we are using the `fsf-stable` branch on `git@vcs.fsf.org:mediagoblin.git`.
+
+### on gnuhope stack
+
+make sure to run the following commands in a terminal window before performing
+automatic updates to software:
+
+    export http_proxy="http://serverproxy.fsf.org:8118";
+    export https_proxy="http://serverproxy.fsf.org:8118";
+
+### generic
+
+from the [deployment
+guide](http://mediagoblin.readthedocs.io/en/stable/siteadmin/deploying.html):
+
+    git submodule update && ./bin/python setup.py develop --upgrade && 
./bin/gmg dbupdate
+
+Note that we have a patch for weblabels and PDF.js at the following path. It
+may break the above commands, and needs to be re-added if it gets removed.
+
+````
+cd /srv/gmg/mediagoblin/extlib/pdf.js/
+
+git diff
+
+diff --git a/web/viewer.html b/web/viewer.html
+index 4e97e50..072f564 100644
+--- a/web/viewer.html
++++ b/web/viewer.html
+@@ -234,5 +234,6 @@ limitations under the License.
+
+     </div> <!-- outerContainer -->
+     <div id="printContainer"></div>
++    <div style="display: none"><a 
href="https://weblabels.fsf.org/media.libreplanet.org/CURRENT/"; 
rel="jslicense">JavaScript license information</a></div>
+   </body>
+ </html>
+````
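Review bot: The "updating front page" section says the deployed plugin at `/srv/gmg/mediagoblin/mediagoblin/plugins/libreplanet` has no `.git` directory and may be newer than the repo, which leaves no reviewable history for code whose errors take the whole site down; add a step to copy the server state back into `mediagoblin-libreplanet.git` before editing. In "software updates", nothing tells the admin to back up the database before `./bin/gmg dbupdate`. The PDF.js weblabels change is recorded only as `git diff` output; keeping it as a patch file in the repo would make "re-added if it gets removed" repeatable.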

Added: trunk/sviki/fsf/services/mediawiki.mdwn
===================================================================
--- trunk/sviki/fsf/services/mediawiki.mdwn                             (rev 0)
+++ trunk/sviki/fsf/services/mediawiki.mdwn     2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,299 @@
+# MediaWiki
+
+MediaWiki is used by these sites:
+
+* <https://directory.fsf.org>
+* <https://libreplanet.org>
+* <https://wiki.endsoftwarepatents.org>
+* <strike><http://gplv3.fsf.org></strike> (now a static site)
+
+For general information, visit [the mediawiki page on 
brains](https://brains.fsf.org/wiki/tools/mediawiki/).
+
+## Upgrading
+
+* ***Make sure to transfer over / maintain the custom patch on our CAS 
module.***
+* Also disable Piwik / Matomo image tracking on the new site
+
+We strongly prefer use of LTS releases.
+
+Read the [general MediaWiki documentation for
+upgrading](https://www.mediawiki.org/wiki/Manual:Upgrading). Read
+[release-specific notes](https://www.mediawiki.org/wiki/Release_notes/1.31) on
+upgrading to the new and intermediate versions. Do a test run on a dev server 
first.
+
+We should translate this workflow to git in the future.
+
+### Backup
+
+Login to each instance.
+
+    ssh root@libreplanet.org
+    ssh root@directory.fsf.org
+    ssh root@wiki.endsoftwarepatents.org
+
+Make sure to make backups of the doc root and the database. You may need to
+make an additional binary-formatted backup, as recommended by the wiki upgrade
+instructions, with:
+
+```
+cd /var/www/
+rsync -avhSAXP wiki/ wiki.bak-$(date +%Y-%m-%d)/
+mysqldump --default-character-set=binary --user=root mediawiki > 
mediawiki-binary-$(date +%Y-%m-%d).sql  # LibrePlanet wiki
+mysqldump --default-character-set=binary --user=root wikidb > 
wikidb-binary-$(date +%Y-%m-%d).sql  # FSD & ESP
+dump-mysql
+```
+
+Check for the database characterset setting in the `LocalSettings.php` file.
+
+### Patch
+
+If you are upgrading one increment, the patch file is available in the release 
links.  If you are upgrading more than one increment, you must generate the 
patch.
+
+#### Download patch
+
+```
+cd /root/src/mediawiki/
+wget https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz
+wget 
https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.patch.gz.sig
+```
+
+Verify signature
+
+    gpg --verify mediawiki-1.31.8.patch.gz.sig mediawiki-1.31.8.patch.gz
+
+These keys have been used for tarball signatures:
+
+* `1D98 867E 8298 2C8F E0AB  C25F 9B69 B310 9D3B B7B0`
+* `41B2 ABE8 17AD D3E5 2BDA  946F 72BC 1C5D 2310 7F8A`
+
+Unarchive
+
+    gunzip mediawiki-1.31.8.patch.gz
+
+#### Generate patch
+
+Download Tarball
+
+```
+cd /root/src/mediawiki/
+wget https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz
+wget https://releases.wikimedia.org/mediawiki/1.31/mediawiki-1.31.8.tar.gz.sig
+```
+
+Verify signature
+
+    gpg --verify mediawiki-1.31.8.tar.gz.sig mediawiki-1.31.8.tar.gz
+
+These keys have been used for tarball signatures:
+
+* `1D98 867E 8298 2C8F E0AB  C25F 9B69 B310 9D3B B7B0`
+* `41B2 ABE8 17AD D3E5 2BDA  946F 72BC 1C5D 2310 7F8A`
+
+If the release change is very minor, such as 1.27.2 to 1.27.4, you can generate
+a diff between the two unpacked tarballs with `diff -urN` and apply the patch
+to the existing installation instead of starting from a new docroot and copying
+changes. (As of 2017-11-15, we have various changes in our installations that
+need to be preserved, including the Vector template on the directory.)
+
+```
+tar zxvf mediawiki-1.31.8.tar.gz
+diff -urN mediawiki-1.31.6/ mediawiki-1.31.8/ > 1.31.6-8.patch
+```
+
+Cleanup the directories.
+
+```
+rm -fr mediawiki-1.31.6
+rm -fr mediawiki-1.31.8
+```
+
+### Apply patch
+
+Copy the patch to the MediaWiki instances.
+
+    scp mediawiki-1.31.16.patch root@directory.fsf.org:/root/
+    scp mediawiki-1.31.16.patch root@libreplanet.org:/root/
+    scp mediawiki-1.31.16.patch root@wiki.endsoftwarepatents.org:/root/
+
+Change to the directory.
+
+    cd /var/www/wiki
+
+See the changes that the patch would make with a dry run.
+
+    patch -p1 --dry-run < ~/mediawiki1.31.6-8.patch
+
+Note: Make sure you are not upgrading during the [FSD 
meeting](https://directory.fsf.org/wiki/Free_Software_Directory:Meetings).
+
+Make a notice on our OOB notice board [like 
so](https://hostux.social/@fsfstatus/106031612976036629).
+
+    wiki.endsoftwarepatents.org, libreplanet.org, and directory.fsf.org will 
be going offline for a MediaWiki security patch.
+
+Stop apache.
+
+    service apache2 stop
+
+Apply the patch.
+
+    patch -p1 < ~/mediawiki1.31.6-8.patch
+
+### Update with composer
+
+Consider using a different user for composer like we do with 
[[/hosts/services/drupal8/]].
+
+Allow outbound connection.
+
+    export HTTP_PROXY=http://serverproxy0p.fsf.org:8118; export 
HTTPS_PROXY=http://serverproxy0p.fsf.org:8118; export 
NO_PROXY=localhost,127.0.0.1
+
+Update extensions.
+
+```
+composer.phar update --no-dev  # libreplanet.org
+/root/composer.phar update --no-dev  # directory.fsf.org
+```
+
+Run `update.php`. Note: This takes longer on the directory.
+
+    php maintenance/update.php
+
+If the upgrade seems stuck, open `htop` in another pane to see what is running 
in the background.
+
+Check to see if it ran without error.
+
+    echo $?
+
+Start apache.
+
+    service apache2 start
+
+Test that everything works.
+
+* Check version pages. [FSD](https://directory.fsf.org/wiki/Special:Version) 
[LP](https://libreplanet.org/wiki/Special:Version)
+* Try various pages.
+* Try editing a page.
+* Try editing an FSD entry with the form.
+
+Make a notice on our OOB notice board [like 
so](https://hostux.social/@fsfstatus/106031612976036629).
+
+    directory.fsf.org and libreplanet.org are back online.
+
+Consider upgrading modules. Modules may have configs in their directory, so
+make sure to copy them over.  They may also have their own dependencies that
+need to be installed in the module directory.
+
+Consider uploading core and module code to agpl.fsf.org, but be careful about
+not including any config files that may contain sensitive information.
+
+Consider rebuilding the SMW data site-wide. This will update pages one by one.
+<https://www.semantic-mediawiki.org/wiki/Help:Maintenance_script_rebuildData.php>
+
+### Update phpCAS
+
+[Check for a new release.](https://github.com/apereo/phpCAS/releases)  Compare 
with the installed version.
+
+    ls -la /var/www/wiki/extensions/CASAuth/CAS
+    lrwxrwxrwx 1 root root 9 Jun  1 17:07 /var/www/wiki/extensions/CASAuth/CAS 
-> CAS-1.4.0
+
+If applicable, install the newest version of phpCAS (for example version 
1.4.0):
+
+    cd /var/www/wiki/extensions/CASAuth/
+    wget https://github.com/apereo/phpCAS/releases/download/1.4.0/CAS-1.4.0.tgz
+    tar xvf CAS-1.4.0.tgz
+    rm -f CAS-1.4.0.tgz
+    chown -R root:www-data CAS-1.4.0
+    rm -f CAS && ln -s CAS-1.4.0 CAS && ls -la CAS
+    /etc/init.d/php7.0-fpm reload
+
+### agpl.fsf.org
+
+MediaWiki is not AGPLv3, but GPLv2. After an upgrade or patch, it is good 
practice to update the tarball.
+
+#### directory.fsf.org
+
+Login to the directory as root.
+
+    ssh root@directory.fsf.org
+
+Verify that the `agpl.sh` script will remove all sensitive information from 
the staging directory before we publish.
+
+    less agpl.sh
+
+Run the command to generate a new backup.
+
+    bash agpl.sh
+
+Log out of the directory.
+
+    exit
+
+On your local system, change to a temporary location.
+
+    cd /tmp
+
+Download the recently created backup file.
+
+    scp root@directory.fsf.org:/root/directory.tar.gz directory.tar.gz
+
+Upload the recently created backup file to agpl.fsf.org.
+
+    scp directory.tar.gz 
root@agpl.fsf.org:/var/www/agpl.fsf.org/directory.fsf.org/CURRENT/
+
+## Command line
+
+### Manage privileges
+
+[createAndPromote.php 
Documentation](https://www.mediawiki.org/wiki/Manual:CreateAndPromote.php)
+
+Add bureaucrat to an account that already exists.
+
+    cd /var/www/w
+    php maintenance/createAndPromote.php --bureaucrat --force USERNAMEHERE
+
+### Nuking page and page history
+
+[NukePage.php doc](https://www.mediawiki.org/wiki/Manual:NukePage.php)
+
+Login to the server and navigate to the mediawiki directory.
+
+    cd /var/www/wiki
+
+Do a dry-run to verify that you are targeting the correct file.
+
+    php maintenance/nukePage.php "User:Doom/Profile"
+
+Output looks like this with a non-zero page id.
+
+```
+Searching for "User:Doom/Profile"...found "User:Doom/Profile" with ID 8312.
+Searching for revisions...found 4.
+```
+
+If the line ends with `ID 0.`, do not remove it in this manner.
+
+Nuke the page and page history.
+
+    php maintenance/nukePage.php "User:Doom/Profile" --delete
+
+You can copy and paste lines from a user's contribution page and add them to a 
text file and clean it up and format it with these commands:
+
+```
+editor nuke.sh
+sed -i 's/^.* \. \. //g' nuke.sh # Remove front matter
+sed -i 's/^N //g' nuke.sh # Remove front matter for redirects.
+sed -i 's/ ‎ (.*$//g' nuke.sh # Remove back matter
+sed -i 's|^|php maintenance/nukePage.php "|g' nuke.sh # Add front matter.
+sed -i 's|$|"|g' nuke.sh # Add closing quote.
+sort nuke.sh | uniq > nuke.sh.tmp  # Sort keep unique entries
+mv nuke.sh.tmp nuke.sh # Overwrite redundant file with unique file
+bash nuke.sh | less # Check that the dry-run does not include ID 0 for any 
entries.
+editor nuke.sh # Remove items that returned ID 0.
+sed -i 's|$| --delete|g' nuke.sh # Turn off dry-run.
+bash nuke.sh # Nuke.
+```
+
+## QualityBox
+
+<strike>Consider using QualityBox, which is a free software MW deployment 
system.
+Andrew spoke to Gregory Rundlett about it at LP 18. 
<https://discourse.equality-tech.com/></strike>
+Do not use QualityBox, since the ansible rules are written like bash scripts 
and can
+only be run once, while creating the site.
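Review bot: The patch file name changes between steps, so the procedure cannot be followed as written: "Generate patch" writes `1.31.6-8.patch`, "Apply patch" copies `mediawiki-1.31.16.patch` with scp, and both `patch -p1` commands read `~/mediawiki1.31.6-8.patch`. Use one file name and one target version in all three places, so the file that was downloaded or generated earlier is the one that gets applied. Related points in the same file: the two "Verify signature" steps list the key fingerprints but do not say to compare them with the fingerprint that `gpg --verify` prints, and the phpCAS step unpacks `CAS-1.4.0.tgz` straight after `wget` with no integrity check; add that comparison, and a checksum or signature check for the phpCAS tarball if upstream publishes one. "Manage privileges" uses `cd /var/www/w` where the other sections use `/var/www/wiki`, and the stray `dump-mysql` line at the end of the backup block needs either a comment or removal.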

Added: trunk/sviki/fsf/services/varnish.mdwn
===================================================================
--- trunk/sviki/fsf/services/varnish.mdwn                               (rev 0)
+++ trunk/sviki/fsf/services/varnish.mdwn       2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,53 @@
+# Varnish
+
+This can be used with [[drupal8]] with its tag based tracking of pages that
+will need an update when data changes in the site. Cache invalidation works
+great with this system.
+
+## clearing out the cache
+
+    systemctl restart varnish
+
+You can also clear out a specific page or tag:
+
+    curl -q -X BAN http://127.0.0.1:6081/ -H "Cache-Tags: node:1"
+
+## Installing Varnish for Drupal
+
+### configuring varnish on Drupal
+
+Use [this module](https://www.drupal.org/project/varnish_purge). Instructions
+are linked from the site, but the custom config we used on `ryf.fsf.org` are
+described a bit below.
+
+Varnish ignores the "Browser and proxy cache maximum age" under
+`/admin/config/development/performance`, so it only affects browsers. (I'm
+pretty sure that it's not used for invalidating Drupal's internal cache, but it
+might be worth verifying that.) 15 minutes is a good setting, and can be
+adjusted. Note that Drupal will display a warning about this on the Drupal
+dashboard, possibly because it thinks that Varnish caches will not persist for
+long, but that would be wrong.
+
+### varinish config
+
+A Varnish config is required. See `/etc/varnish/default.vcl` for an example on
+`ryf.fsf.org`.
+
+### configuring apache
+
+A useful way to set it up is to have Apache handle HTTPS on the frontend,
+Varnish in the middle, and Apache on the backend, which talks to PHP-FPM. See
+the Apache configs in `ryf.fsf.org` for an example.
+
+You may want to set `retry=0` on the `ProxyPass` directive so Apache will not
+break when someone loads a page while Varnish is being restarted or runs into
+an issue.
+
+### configuring jemalloc
+
+the malloc (memory based) backend uses jemalloc. To reduce fragmentation, run
+this command, then restart varnish:
+
+    ln -s "lg_dirty_mult:8,lg_chunk:18" /etc/malloc.conf
+
+<https://info.varnish-software.com/blog/understanding-varnish-cache-memory-usage>
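Review bot: Under "clearing out the cache", the text promises a way to clear "a specific page or tag" but the only example is a tag ban (`-H "Cache-Tags: node:1"`); add the per-page form or drop "page". The same section should state that `/etc/varnish/default.vcl` restricts the BAN method to local clients, since the example sends it to `127.0.0.1:6081` and the page never says who else may issue it. Minor: the heading "varinish config" is misspelled, and the jemalloc step should note that `/etc/malloc.conf` is read by every jemalloc-linked process on the host, not only by Varnish.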

Added: trunk/sviki/fsf/services/wordpress.mdwn
===================================================================
--- trunk/sviki/fsf/services/wordpress.mdwn                             (rev 0)
+++ trunk/sviki/fsf/services/wordpress.mdwn     2023-12-06 21:51:43 UTC (rev 
687)
@@ -0,0 +1,98 @@
+# Wordpress
+
+## Sites using wordpress
+
+* [blog.endsoftpatents.org](https://blog.endsoftpatents.org)
+  * [Brains doc](https://brains.fsf.org/wiki/campaigns/patents)
+
+## Logging in
+
+visit `/login`
+
+## Upgrading
+
+**Do not upgrade the theme** during a regular updgrade. This will remove some
+of our customizations.
+
+First make a backup of the database and the Web root directory.
+
+The upgrade from Wordpress 4.2.x to 5.8.x via the CLI after years of automatic
+updates was seamless, therefore I put a lot of trust in Web based updater. If
+you would rather do it via the CLI, that's easy too; just reference the
+following guide:
+
+<https://wordpress.org/support/article/updating-wordpress/#step-1-replace-wordpress-files>.
+
+Note that instead of copying file by file from wp-content into the live site's
+wp-content folder, I suggest using an rsync command, then making sure that
+everything has the ownership of `www-data:www-data`. The other steps, such as
+fully replacing a couple of directories, can be taken more literally.
+
+If you upgrade the theme, you may need to manually add some code back into the
+theme template. See below.
+
+### Theme tweak recovery
+
+If you upgrade the theme, and our changes are lost, you can recover the most
+important bits like so:
+
+In `/var/www/wordpress/wp-content/themes/twentytwelve/footer.php`, after 
`<link rel="pingback"`, add:
+
+```
+<span style="margin-left: 20px;">
+    <a rel="jslicense" 
href="https://weblabels.fsf.org/blog.endsoftpatents.org/CURRENT/";>JavaScript 
License Information</a>
+</span>
+```
+
+In `/var/www/wordpress/wp-content/themes/twentytwelve/header.php`, after 
`<link rel="pingback"`, add:
+
+<pre>
+<script type="text/javascript">
+  /* GPL-2.0-or-later
+   *
+   * @licstart  The following is the entire license notice for the
+   *  JavaScript code in this page
+   *
+   *   MediaWiki contributors, including those listed in the CREDITS file,
+   *   hold the copyright to this work.
+   *
+   *   This program is free software; you can redistribute it and/or modify
+   *   it under the terms of the GNU General Public License as published by
+   *   the Free Software Foundation; either version 2 of the License, or
+   *   (at your option) any later version.
+   *
+   *   This program is distributed in the hope that it will be useful,
+   *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   *   GNU General Public License for more details.
+   *
+   *   You should have received a copy of the GNU General Public License along
+   *   with this program; if not, write to the Free Software Foundation, Inc.,
+   *   51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+   *
+   *  @licend  The above is the entire license notice
+   *  for the JavaScript code in this page.
+   */
+</script>
+</pre>
+
+## Remove Google font
+
+Edit the `/var/www/wordpress/wp-content/themes/twentytwelve/functions.php` 
file.
+
+Manually set the `font_url` variable before it is returned.
+
+```
+        /* Michael hack to remove dependency on Google Font 2021-08-06. */
+        $font_url = 
'https://static.endsoftpatents.org/nosvn/fonts/opensans.css';
+
+        return $font_url;
+```
+
+Also, find the place where gstatic is preconnected.  Replace the return with 
`return null;` like so:
+
+```
+        /* Michael hack to not connect to gstatic for fonts. */
+        /*return $urls;*/
+        return null;
+```
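Review bot: In "Theme tweak recovery", the `footer.php` step says to insert after `<link rel="pingback"`, the same anchor given for `header.php`; that looks copied from the header step, so name the footer element the `<span>` actually follows. The license notice for `header.php` credits "MediaWiki contributors, including those listed in the CREDITS file" although the file belongs to the WordPress twentytwelve theme, so confirm the notice text. The page warns that a theme upgrade removes customizations, and the `functions.php` font edits live in the same theme directory, so "Remove Google font" should say they need re-applying after a theme upgrade as well. Minor: "updgrade" is misspelled, and "First make a backup" gives no commands for the database or the Web root.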

Modified: trunk/sviki/fsf.mdwn
===================================================================
--- trunk/sviki/fsf.mdwn        2023-12-06 21:04:15 UTC (rev 686)
+++ trunk/sviki/fsf.mdwn        2023-12-06 21:51:43 UTC (rev 687)
@@ -11,11 +11,23 @@
 
 [[!map pages="fsf/tools/* and ! fsf/tools/*/*"]]
 
+### Services    - Like tools, but they keep running
+
+[[!map pages="fsf/services/* and ! fsf/services/*/*"]]
+
 ### Tickets  - How to handle various common & rare tickets
 
 [[!map pages="fsf/tickets/* and ! fsf/tickets/*/*"]]
 
+### Checklists - Similar to tickets
 
+[[!map pages="fsf/checklists/* and ! fsf/checklists/*/*"]]
+
+### Storage
+
+[[!map pages="fsf/checklists/* and ! fsf/checklists/*/*"]]
+
+
 ## Background info
 
 FSF tech team has an internal ikiwiki wiki called gluestick for various
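Review bot: The new "### Storage" section repeats the Checklists map verbatim, `[[!map pages="fsf/checklists/* and ! fsf/checklists/*/*"]]`, so it will list the checklist pages a second time; point it at the intended path or drop the section until that directory exists. This revision also adds `fsf/debugging/` and `fsf/hardware/`, which get no map in this hunk; add sections for them if they are not already listed elsewhere in the file.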



