Okupy/Installation

Warning
This article has been flagged as dirty for not conforming to the wiki guidelines. It is now grouped in the list of articles that need formatting improvements.

Development environment

Repositories

Clone somewhere the gentoo-identity-bootstrap repository:

user $git clone git://github.com/dastergon/gentoo-identity-bootstrap

Clone (in a different directory) the identity.gentoo.org repository:

user $git clone git://github.com/gentoo/identity.gentoo.org

Dependencies

Get the dependencies (choose one of the followings):

With pip

Optional: setup virtualenv
Install the dependencies:

user $pip install -r requirements/base.txt --use-mirrors

With setup.py

Optional: setup virtualenv
Install the dependencies:

user $./setup.py install

With emerge (Gentoo-specific)

Add the okupy overlay:

root #

eselect repository add okupy git https://github.com/tampakrap/okupy-overlay.git

root #emerge --sync okupy

Install the dependencies:

root #ACCEPT_KEYWORDS="**" emerge --onlydeps okupy

Configuration

Copy the sample settings files:

user $

cd identity.gentoo.org

user $

cp okupy/settings/development.py.sample okupy/settings/development.py

user $

cp okupy/settings/local_settings.py.sample okupy/settings/local_settings.py

Edit development.py:
- In STATICFILES_DIRS, replace /path/to/gentoo-identity-bootstrap with the absolute path that you cloned the gentoo-identity-bootstrap repository earlier
Edit local_settings.py
- Add sqlite3 db (sufficient for testing)
- Add LDAP configuration (if applicable)
Configure Memcached
Sync the database:

user $python manage.py syncdb

Production environment

Create the dedicated user that will run okupy

root #useradd -m okupy

Perform the same setup as for Development environment (using the okupy user)

uWSGI setup

Install www-servers/uwsgi with USE=python
Copy /etc/conf.d/uwsgi to /etc/conf.d/uwsgi.okupy
Put the following options in /etc/conf.d/uwsgi.okupy

FILE /etc/conf.d/uwsgi.okupy

  UWSGI_SOCKET=/home/okupy/okupy.wsgi
  UWSGI_LOG_FILE=/home/okupy/uwsgi.okupy.log
  UWSGI_DIR=/home/okupy/identity.gentoo.org
  UWSGI_USER=okupy
  UWSGI_GROUP=okupy
  # buffer-size is necessary to pass SSL certificates
  UWSGI_EXTRA_OPTIONS='--buffer-size 65536 --plugins python27 --wsgi okupy.wsgi'

Symlink to /etc/init.d/uwsgi from /etc/init.d/uwsgi.okupy, and start it:

root #

ln -s /etc/init.d/uwsgi /etc/init.d/uwsgi.okupy

root #/etc/init.d/uwsgi.okupy start

NGINX setup

Install www-servers/nginx

root #emerge --ask --verbose www-servers/nginx

Copy the server certificates and private keys to /etc/ssl/nginx/
Concatenate all the allowed CA certificates for client auth:

root #cat /etc/ssl/* > /etc/ssl/nginx/all_certs.pem

Add the following options in /etc/nginx/nginx.conf

FILE /etc/nginx/nginx.conf

 http {
     ssl_session_cache  shared:SSL:10m;
 
     upstream okupy {
       # connect to uWSGI
       server unix:///home/okupy/okupy.wsgi;
     }
 
     server {
         listen 0.0.0.0;
         server_name identity.tampakrap.gr;
 
         access_log /var/log/nginx/localhost.access_log main;
         error_log /var/log/nginx/localhost.error_log info;
 
         root /var/www/localhost/htdocs;
 
         # redirect all http traffic to https://
         location / {
             rewrite     ^ https://$http_HOST$request_uri permanent;
         }
     }
 
     server {
         listen 0.0.0.0:443;
         server_name identity.tampakrap.gr;
 
         ssl on;
         # certificates for the main domain
         ssl_certificate /etc/ssl/nginx/identity_tampakrap_gr_cacert.crt;
         ssl_certificate_key /etc/ssl/nginx/identity_tampakrap_gr.key;
         ssl_session_timeout 10m;
 
         access_log /var/log/nginx/localhost.ssl_access_log main;
         error_log /var/log/nginx/localhost.ssl_error_log info;
 
         root /var/www/localhost/htdocs;
 
         location /static {
             alias /home/identity/identity.gentoo.org/static;
         }
 
         location / {
             uwsgi_pass okupy;
             include /etc/nginx/uwsgi_params;
         }
     }
 
     server {
         listen 0.0.0.0:443;
         server_name auth.identity.tampakrap.gr;
 
         ssl on;
         # certificates for auth. subdomain
         ssl_certificate /etc/ssl/nginx/auth_identity_tampakrap_gr_cacert.crt;
         ssl_certificate_key /etc/ssl/nginx/auth_identity_tampakrap_gr.key;
         ssl_client_certificate /etc/ssl/nginx/all_certs.pem;
 
         # verify_client == ask for user certificate
         ssl_session_timeout 30s;
         ssl_verify_client optional;
 
         access_log /var/log/nginx/localhost.ssl_access_log main;
         error_log /var/log/nginx/localhost.ssl_error_log info;
 
         root /var/www/localhost/htdocs;
 
         location /static {
             alias /home/identity/identity.gentoo.org/static;
         }
 
         location / {
             uwsgi_pass okupy;
             include /etc/nginx/uwsgi_params;
 
             # pass certificate verification result
             # and the certificate (so we could extract e-mails)
             uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
             uwsgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;
         }
     }
 }

Additional

virtualenv

Install virtualenv (replace the following command with an equivalent in case you are working in a non-Gentoo distro)

root #

emerge -av dev-python/virtualenv

root #

virtualenv .virtualenv

root #source .virtualenv/bin/activate

The .virtualenv directory is already in .gitignore, so please prefer this name
The deactivate command will exit the virtual environment

memcached

Copy /etc/conf.d/memcached to /etc/conf.d/memcached.okupy

root #cp /etc/conf.d/memcached /etc/conf.d/memcached.okupy

Symlink /etc/init.d/memcached.okupy to /etc/init.d/memcached

root #ln -s /etc/init.d/memcached /etc/init.d/memcached.okupy

Put the following data in /etc/conf.d/memcached.okupy:

FILE /etc/conf.d/memcached.okupy

# The user that will be running okupy
MEMCACHED_RUNAS="okupy"
# disable TCP/IP
LISTENON=""
PORT=""
# enable UNIX socket (put correct path here as well)
MISC_OPTS="-s /home/okupy/memcached.sock"

edit okupy/settings/local.py and put the same path in CACHES:

FILE okupy/settings/local.py

CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'unix://home/okupy/memcached.sock',
    }
}

Start memcached

root #/etc/init.d/memcached.okupy start

OpenLDAP

OpenLDAP Server

(TODO)

OpenLDAP client only

We have a testing instance on ldap://evidence.tampakrap.gr
Contact tampakrap to get the certificates and the rootDN credentials
Install OpenLDAP package:
- In Gentoo:

root #

echo net-nds/openldap minimal >> /etc/portage/package.use/okupy

root #emerge --ask --verbose openldap

Put the certificates in /etc/openldap/ssl
Put the following content in /etc/openldap/ldap.conf:

FILE /etc/openldap/ldap.conf

BASE        dc=tampakrap, dc=gr
SIZELIMIT   0
TIMELIMIT   10
TLS_REQCERT demand
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_CERT    /etc/openldap/ssl/evidence.tampakrap.gr.crt
TLS_KEY     /etc/openldap/ssl/evidence.tampakrap.gr.key
URI         ldap://evidence.tampakrap.gr

In settings/local.py:

FILE settings/local.py

AUTH_LDAP_SERVER_URI = 'ldap://evidence.tampakrap.gr'
 
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_X_TLS_DEMAND: False,
}
 
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
 
AUTH_LDAP_ADMIN_BIND_DN = '(the rootDN you got from tampakrap)'
AUTH_LDAP_ADMIN_BIND_PASSWORD = '(the rootpw you got from tampakrap)'
 
AUTH_LDAP_USER_ATTR = 'uid'
AUTH_LDAP_USER_BASE_DN = 'ou=users,dc=tampakrap,dc=gr'
 
AUTH_LDAP_PERMIT_EMPTY_PASSWORD = False
 
AUTH_LDAP_START_TLS = True
 
# objectClasses that are used by any user
AUTH_LDAP_USER_OBJECTCLASS = ['top', 'person', 'organizationalPerson',
                               'inetOrgPerson', 'posixAccount', 'shadowAccount',
                               'ldapPublicKey', 'gentooGroup']
# additional objectClasses that are used by developers
AUTH_LDAP_DEV_OBJECTCLASS = ['gentooDevGroup']