Anarchaserver - User contributions [en]

Anarcha section

2023-03-15T17:14:27Z

M4ra: /* Get involved */

If you are interested in Anarchaserver architecture, hosting services & data, future plans, and how to get involved read the following page.

-------------
== About Us ==

=== ENG ===
AnarchaServer is a feminist server which contributes to the maintenance of autonomous infrastructure on the Internet for feminists projects.

It is an open project, even though moderated where we privilege trust, consensus, autonomy and feminist collaboration for deciding our next adventures in inhabiting this feminist infrastructure, in synchronicity with other feminist servers initiatives.

AnarchaServer has some kind of presence in different locations around the world such as calafou, belgium, france, germany, greece, iceland, the netherlands, mexico, sweeden, uruguay ...

Our politics are transfeminists, anticapitalist, decolonialist and aim at creating interspecies solidarity with other bodies, nature and machines. Our group of sysadmin is currently composed by different non-binaries, cis women and one cis men. We use English and Spanish (even-tough those are not always our first languages) for our internal communications.

AnarchaServer can provide to other feminists the following infrastructure: Blogs in the wordpress farm, Encrypted files sending, Encrypted pastebin, Standard polls and events scheduling, Online surveys, Archiving online a feminist website that will close soon, Uploading pictures and videos about cyberfeminism in our repository of collective memories....

If you are interested in any of these options, please contact us at anarchaserver@autistiche.org and we will see what we can do. Please take into account that we can not always answer. To coordinate among ourselves, we privilege the no pressure policy for advancing tasks that are freely chosen based on the energy, dreams and availability of AnarchaServer inhabitants.

=== CAST ===

AnarchaServer es un servidor feminista que contribuye al mantenimiento de una infraestructura autónoma en Internet para proyectos feministas.

Es un proyecto abierto, aunque moderado, en el que privilegiamos la confianza, el consenso, la autonomía y la colaboración para decidir nuestras próximas aventuras al habitar esta infraestructura feminista, en sincronía con otras iniciativas de servidores feministas.

AnarchaServer tiene algún tipo de presencia en diferentes lugares del mundo como calafou, bélgica, francia, alemania, grecia, holanda, islandia, méxico, suecia, uruguay...

Nuestra política es transfeminista, anticapitalista, descolonialista y tiene como objetivo crear solidaridades interespecie con otros cuerpos, ecosistemas y máquinas. Nuestro grupo de sysadmin está actualmente compuesto por diferentes personas, mujeres cis, no binarixs y un hombre cis. Usamos el inglés y el español (aunque no siempre son nuestros primeros idiomas) para nuestras comunicaciones internas.

AnarchaServer puede proporcionar a otras feministas la siguiente infraestructura: Blogs en su granja de wordpress, Envío de archivos cifrados, Pastebin cifrados, Encuestas estándar y sondeo de fechas, Cuestionarios online, Archivo online de paginas webs feministas, Repositorio audiovisual ciberfeminista de memorias colectivas....

Si te interesa alguna de estas opciones, ponte en contacto con nosotras en anarchaserver@autistiche.org y veremos qué podemos hacer. Ten en cuenta que no siempre podemos responder. Para coordinarnos entre nosotras, privilegiamos una política de no presión para avanzar en las tareas que se eligen libremente en base a la energía, los sueños y la disponibilidad de las habitantes de AnarchaServer.

== Anarchaserver architecture ==

=== Living data container ===

We talk about living data when data are available online, get updates, posts and are actively contributed to . We range under living data the contents of this [https://alexandria.anarchaserver.org mediawiki] and the [https://zoiahorn.anarchaserver.org/ WordPress farm Zoia Horn].

===== Alexandria =====

This is [https://alexandria.anarchaserver.org/ our wiki] that you are reading at the moment. Here we provide space for documenting our work setting up and inhabiting AS and how to engage and get involved and for [[Main_Page#Anarchaserver|documenting feminist infrastructure]] herstory, initiatives and events such as the TransHackFeminist Convergences.

===== Zoia Horn =====

This is a feminist multisite blogging platform based on Wordpress. At the moment we are beta-testing different blogs and use cases. We hope to be able in the future to provide wordpress to feminists collectives that require one for documenting and communicating about what they do. Check it out:

[http://zoiahorn.anarchaserver.org/ Zoiahorn blog] for documenting anarcha physical interface and new blogs inhabited in this container.

[https://zoiahorn.anarchaserver.org/specfic/ Feminist futurotopias workshops]

[https://zoiahorn.anarchaserver.org/misexualidad/ Mi sexualidad es una creación artística]

[https://zoiahorn.anarchaserver.org/holobionte/ Holobionte]

=== Transitional data container ===

We talk about transitional data when data needs to remain available only for a while and then should be erased properly. We have set up specific services such as:
* Encrypted files sending (Jirafeau https://transitional.anarchaserver.org/jirafeau/)
* Encrypted pastebin where the server has zero knowledge of pasted data. (Zerobin https://transitional.anarchaserver.org/zerobin/). Data is encrypted/decrypted in the browser using 256 bits AES.
* Standard polls and events scheduling (Open Sondage https://transitional.anarchaserver.org/date/)
* Online surveys (LimeSurvey https://transitional.anarchaserver.org/poll/). Only available to inhabitants.
* Next Cloud (Upload documents, pictures, decks, surveys https://transitional.anarchaserver.org/cloud/apps/forms/). Only available to inhabitants.

=== Nekrocemetery container ===

We talk about dead data when data has gone offline and it needs to be archived in a way that it remains possible to bring it back to life again. Our nekrocemetery is oriented at feminist websites and projects that are offline and could become zombie data. More on the [https://alexandria.anarchaserver.org/index.php/Nekrocemetery:_Hello_from_the_dead Nekrocemetery:_Hello_from_the_dead ].

[https://zoiahorn.anarchaserver.org/thf2022/2022/04/20/agenda-hello-from-the-dead-anarchaserver-feminist-kekrocementery-archive/ Documentation about the node held about the Anarchaserver Nekrocemetery during the THF2022]

List of archived websites:
* Static backup of [https://gendersec.anarchaserver.org/ Gendersec wiki]
* Static backup of [https://nekrocemetery.anarchaserver.org/mlff/ mlff wesbite]
* Static backup of [https://geekfeminism.anarchaserver.org/ Geek Feminism Wiki]
* Static backup of [https://nekrocemetery.anarchaserver.org/redefeminista.org/ Redes Autonomas e Feministas]
* Static backup of TransHackFeminist 2022 website

=== Repository container ===

Collective memories, a [https://repository.anarchaserver.org/ cyberfeminist repository] for archiving images, sounds and videos set up with piwigo [[Repository|Container repository]].

=== Sonification ===

If you want to listen to AnarchaServer please [http://anarchaserver.org:8000/ connect here and you will ear a sonification of the server]. We have a icecast2 streaming tool installed in AS.

=== More information ===

* Anarcha host : Apache2 : landing page and vhosts to proxy to the containers
** Container livingdata : Apache2 vhosts for the wiki and the wordpress farm
*** https://alexandria.anarchaserver.org : Mediawiki
*** https://zoiahorn.anarchaserver.org/ : Wordpress Farm
** Container repository : Apache2 vhost for the repository
*** https://repository.anarchaserver.org/ : piwigo (upload images, sounds and vidéos)
** Container transitional : nginx with Yunohost
*** https://transitional.anarchaserver.org/yunohost/sso/ : Access to the services (jirafeau, opensondage, zerobin, limesurvey, mytinytodo)
*** https://transitional.anarchaserver.org/yunohost/admin/#/ : Admin yunohost (create users, install applications, make backups)
** Container nekrocemetery : Apache2 vhosts for each website

----

[[File:BlackquantumFuturism.gif|thumb]]

== Future is now: Milestones ==

=== Old Roadmap ===

[[Roadmap To do List 2019]].

[[Roadmap To do List 2020]]

=== Current ===

From October 2020, we list to do tasks and issues in Anarchaserver project in [https://git.systerserver.net/groups/anarchaserver/-/issues the gitlab of systerserver].

===== Maintenance & Infrastructure =====

* How to [[be a guardian, a fire extinguisher, a scriba, an interface]]

===== Accessing =====

* How to [[access server]]
* How to use [[screen]]
* How to access [[database]]

===== Installing/Testing hardware +distribution =====

2020:
[[Moving to new machine binti]]

2019 and before:
[[machine]]

HowTos:
* [[backup]] system
* [[Upgrade]] debian
* Old: Server [[security]] for Anoia
* [[Check list security for feminist servers]]
* [https://netdata.anarchaserver.org Netdata] for monitoring the different containers of the VM
* Install [[https certbot]] with let's encrypt initiative
* [[Moving_to_new_machine_binti#Serveur_Sonification|Streaming + Sonification]]

===== Virtualisation =====

How to set up a LXC container to host others web applications with Linux [[Containers]] (LXC)

* '''Living data''' > blogging platform & documentation,
** MediaWiki : [[Updating]] sites Mediawiki 1.25 > 1.32 and How to reset passwords for [[mediawiki]]
** [[WordPress Multisites]] a farm of blogs : installation, configuration and utilisation
* '''Transitional''' > [[In transition]] encrypted data transfer, survey's,..., Yunohost installation >> [[How to use yunohost]]
* '''Nekrocemetery''' > [[Nekrocemetery]] and zombie sites
* '''Repository''' > [[Repository]] Image, sound, video - a media repository: Piwigo

===== Narratives =====

* Logo, images, video design about Anarchaserver
* Ckeck List pages for Las Guardianas/Custodians + Apagafuegos/Fire Extinguishers + Escribas + Interfaces
* Prepare [[Terms of Use and Feminist Science Fiction Narrative]]
* Prepare [[Project:Privacy_policy]]
* [[AS SF Narratives]]

[[File:Computer-criminal.jpg|center]]
WRITE READ EXECUTE

== Get involved ==

Anarchaserver is an open project, even though moderated where we privilege trust, consensus, autonomy and feminist collaboration for deciding our next adventures in inhabiting AS, in synchronicity with other feminist servers initiatives.

Our politics are transfeminists, anticapitalist, decolonialist and aim at creating interspecies solidarity with other bodies, nature and machines. Our group of sysadmin is currently composed by different non-binaries, cis women and one cis man. We use English and Spanish (even-though those are not our first languages) for our internal communications and we intend to build inclusive spaces so that sysadmins from around the world can join Anarchaserver.

To coordinate among ourselves, we privilege the no pressure policy for advancing tasks that are freely chosen based on the energy, dreams and availability of AS inhabitants. We are using different means and tools to coordinate and advance the different tasks among ourselves. If you want to get involved, check out our current [[Channels of communication]].

Backup

2021-10-01T11:31:42Z

M4ra:

= Workshop =

In this workshop, we will create a bash script to run as a cron job for our system backups. We have installed and run restic for one-off backups and we would like to schedule them on a daily basis. The backup takes place between anarchaserver and a remote server, which is the backup repository. But it can be also applied between our PC and a raspberry-pi or any home based file server.

Meeting Sunday 04 April 2021 - 3PM CET Time here: https://bbb.futuretic.fr/b/spi-utv-eo9-lqe

En este taller, vamos a crear un script bash para ejecutar como un trabajo cron para nuestras copias de seguridad del sistema. Hemos instalado y ejecutado restic para copias de seguridad puntuales y nos gustaría programarlas diariamente. La copia de seguridad tiene lugar entre anarchaserver y un servidor remoto, que es el repositorio de la copia de seguridad. Pero también se puede aplicar entre nuestro PC y una raspberry-pi o un servidor de archivos casero.

Cita el Domingo 04 de Abril - 3PM CET time aqui: https://bbb.futuretic.fr/b/spi-utv-eo9-lqe

= Current setup =
Now the backup of Binti is done with a script that relies on Restic tool

We used to do backups with duplicity but we opted for restic as it is easier to install than duplicity. However duplicity has more options on how to fine tune backups.

Simplest tool for backups is rsync (https://rsync.samba.org/) which copies files, which can be archived or not, and checks if a file has been modified, or is removed or created and updates the backup target repo accordingly. But it doesn't create snapshots and thus we cannot access the state of a system's files of a specific date in the past. Dedicated backup tools create snapshots and retain a history of the changes, so we can choose what version to restore. However we need to be aware of the backup's size storage and remove older snapshots.

== Steps we follow to backup AS LXC containers ==
Note: all system paths and parameters in this HOWTO are fictional.

=== Process ===
* stop the containers (because AS containers were created and managed by root user, they need root privlege to stop them. We solved this by allowing the specific lxc stop/start commands for the backup user via the sudoers.d configuration.)
* backup the containers
* restart the containers

=== System setup ===
* a backup 'user'
* ssh keys to access remote backup repo
* password for restic backup command
* bash script with the necessary commands to run the process above
* cron job added via the backup user to run the bash script on regular intervals

=== Configuration of the system setup ===
==== 1. How to access the remote backup repo? ====
* create new ssh keys for ssh access to the remote backup repo, and give directory flag for saving the keys under the desired directory.
* scp the new pub key in the remote backup repo, under the remote user's home .ssh/authorized_keys. Remote user is the one we use to ssh to the remote machine.

==== 2. How to run the backup command without root privelege ====
when some of the filesystem to be backed-up is accessed only by root, aka execute a binary meant for root without being root? The idea is to execute the restic binary from backup user's home or from /usr/bin.

creates the new user and a group with the same name
useradd backupuser
makes user root and group backupuser owners of the restic binary
chown root:backupuser /usr/bin/restic
user root has now read, write, execute permissions, and users in backupuser group can execute and read the restic binary
chmod 750 /usr/bin/restic
assigns capabilities to backup the whole system
setcap cap_dac_read_search=+ep ~backupuser/bin/restic </code>

Ref: https://restic.readthedocs.io/en/stable/080_examples.html#backing-up-your-system-without-running-restic-as-root

==== 3. How to run specific root commands by a non root user? ====
Note: we needed that for stopping, checking status and starting of the lxc containers
We should run our LXC containers rootless. This requires to change configuration of containers, lxc config files (to be checked/implemented in the future, tasks to do for AS, to be added in tasks in gitlab; Mika can you create a git issue for this too?)

Ref: https://www.cyberciti.biz/faq/how-to-create-unprivileged-linux-containers-on-ubuntu-linux/

But for now we will give the backupuser restricted root privelege for the specific lxc commands we need to run in the backup script.
usermod -aG sudo backupuser

Give the backup user the acces for specific commands to be executed as 'root'.
Add these commands in a new file under /etc/sudoers.d/
vi /etc/sudoers.d/00-backupuser
bintibackup ALL=(ALL) NOPASSWD: /usr/bin/lxc-stop, /usr/bin/lxc-start, /usr/bin/lxc-info, /usr/bin/lxc-ls

Ref: https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/

++++
chown root:bintibackup /usr/bin/lxc-stop
> this is for changing the property to usr/bin/lxc-stop to root group and bintibackup

first, we are trying to make this happen with a bintibackup user with no root privilege - if it does no work, will switch to possibility to give the bintibackup user root provileges, but this will imply to have a vert strict security management policy for that userthis
above scratched steps didn't work!
++++

==== One line command to run backups from terminal ====
Needs the following parameters:

path to password file:
PASSWORD="~backupuser/pass"
absolute path to the remote backup repo:
remote-repo ="/var/backups"
abosulte path to the directory we want to backup:
local-repo="/var/foo"
remote host:
$host="backups.org"
$user="backuphost"
So the command becomes:
restic -p ~/backup/pass -r sftp:backuphost@backups.org:/var/backups --verbose backup /var/foo
OR:
restic -p $PASSWORD -r sftp:$user@$host:$remote-path --verbose backup

Final bash script (the exact paths haave been changed to fictional ones)
<syntaxhighlight lang="bash">
#!/bin/bash
# a backup to our backup server of the LXC containers

set -e
PASSWORD=/root/mypassword_enter
# Destination
DEST="sftp:binti-backups:/server/backups"
STATIC_OPTIONS="--verbose backup"
ROOT="/var/lib/lxc"
# list containers
CONTAINERS="$(sudo lxc-ls)"
declare -a STOPPED_CONTAINERS

# Check if containers are running and then stop the containers
echo $containers
for container in ${CONTAINERS[@]}; do
echo $container
status="$(sudo lxc-info $container | grep 'State' | xargs | cut -d' ' -f2)"
echo $status
if [[ $status == "STOPPED" ]]; then
STOPPED_CONTAINERS+=("$container")
elif [[ $status == "RUNNING" ]]; then
sudo lxc-stop $container
# Update the list of stopped containers
STOPPED_CONTAINERS+=("$container")
fi
done
set +e
restic -p $PASSWORD -r $DEST $STATIC_OPTIONS $ROOT

BACKUP_SUCCESS=$?
set -e

if [[ $BACKUP_SUCCESS -eq 0 ]]; then
echo "BACKUP succeeded"
else
# Send email to admins
echo "BACKUP failed"
sendemail admin@backups.org < ./mail.txt
fi

for container in ${STOPPED_CONTAINERS[@]}; do
echo $container
sudo lxc-start $container
done

</syntaxhighlight>

== Resources for backup scripts and helpful tips ==
restic for backups
* https://restic.readthedocs.io/en/stable/040_backup.html
duplicity
* https://blog.xmatthias.com/duplicity_backup_script/
What to backup
* https://www.debian.org/doc/manuals/debian-reference/ch10.en.html#_backup_and_recovery
Read password from a file:
* https://www.foxinfotech.in/2019/03/reading-a-password-from-a-file-in-linux.html

= Old setup =

We currently make a nightly backup of all containers from our virtual machine (called <code>anoia</code>) to the virtual machine of calafou.org (called <code>ebro</code>).

We use the backup tool called <code>duplicity</code> through a package from the Debian repository.

We wrote a script that performs that backup, which is located at <code>/usr/local/bin/backup3.sh</code>

The backup script runs every night around 4am, because we run it via <code>cron</code> (configured with <code>sudo crontab -e</code> command).

In the cron job we redirect the script output to <code>/var/log/backup.log</code>

The script stops ALL the containers (to have enough RAM for running <code>duplicity</code> and to make sure that the databases and other volatile files inside the containers are not changing during the backup), backs up the containers, then starts the containers again. Obviously, while the containers are stopped and the backup is running, the anarchaserver services are not available. We have many ideas about how to do a backup without service interruption, but we have not implemented them yet.

There are many possible improvements to this system:

* Change remote: switch from calafou virtual machine to S14
* Optimise the script: rewrite the script to be a more beautiful program
* Test backup recovery: try to restore the backup to make sure it is possible
* Change the backup tool: use <code>borgbackup</code> instead of <code>duplicity</code>
* Use a backup manager such as <code>backupninja</code>
* Etc.

We also have a S14 for setting up the tunnel for backup and openvpn, [[info about back-tunnel here]].

= Restore a backup =
duplicity scp://anoia@ebro.tachanka.org//home/anoia/backup/repository /var/lib/lxc --ssh-options="-oIdentityFile=/var/backups/.ssh/id_binti" --verbosity 6

= Useful links =

* How to back up a Debian system using backupninja? http://xmodulo.com/backup-debian-system-backupninja.html
* Using Duplicity to backup LXC containers https://www.savjee.be/2017/05/Using-Duplicity-to-Backup-LXC-Containers/
* Implement a backup system of livingdata and repository containers (gitlab issue on systerserver) https://git.systerserver.net/collective-anarchaserver/organizing/issues/1
* Roadmap https://git.systerserver.net/collective-anarchaserver/organizing/issues/1

= Older notes =

STEP 1
check data usage
df -h

STEP 2
check access to another virtual machine

STEP 3
start screen session in root

STEP 4
copy data to virtual machine

rsync -ravz --progress --exclude "/proc" --exclude "/sys" --exclude "/dev" -e "ssh -p 8022" / root@188.210.92.35:/var/backups/vm/anarcha

r (recursive)
a (archive - for special files)
v (verbose)
z (compressed)

STEP 5
diagnostics

watch
watch -n 180 "du -sh /var/backups/vm/anarcha"

proc/kcore is a special directory which is created each time the computer boots
so we have to exclude it from the rsync command

bwm-ng
we want to know whether the data is arriving and at which speed, data amount
http://linux.die.net/man/1/bwm-ng

apt-get install bwm-ng