Okupy/Installation

From Gentoo Wiki
< Okupy
Jump to:navigation Jump to:search
This article has been flagged for not conforming to the wiki guidelines. Please help out, if possible.

Development environment

Repositories

Dependencies

Get the dependencies (choose one of the followings):

With pip

  • Optional: setup virtualenv
  • Install the dependencies:
user $pip install -r requirements/base.txt --use-mirrors

With setup.py

  • Optional: setup virtualenv
  • Install the dependencies:
user $./setup.py install

With emerge (Gentoo-specific)

root #eselect repository add okupy git https://github.com/tampakrap/okupy-overlay.git
root #emerge --sync okupy
  • Install the dependencies:
root #ACCEPT_KEYWORDS="**" emerge --onlydeps okupy

Configuration

  • Copy the sample settings files:
user $cd identity.gentoo.org
user $cp okupy/settings/development.py.sample okupy/settings/development.py
user $cp okupy/settings/local_settings.py.sample okupy/settings/local_settings.py
  • Edit development.py:
    • In STATICFILES_DIRS, replace /path/to/gentoo-identity-bootstrap with the absolute path that you cloned the gentoo-identity-bootstrap repository earlier
  • Edit local_settings.py
  • Configure Memcached
  • Sync the database:
user $python manage.py syncdb

Production environment

  • Create the dedicated user that will run okupy
root #useradd -m okupy
  • Perform the same setup as for Development environment (using the okupy user)

uWSGI setup

  • Install www-servers/uwsgi with USE=python
  • Copy /etc/conf.d/uwsgi to /etc/conf.d/uwsgi.okupy
  • Put the following options in /etc/conf.d/uwsgi.okupy
FILE /etc/conf.d/uwsgi.okupy
  UWSGI_SOCKET=/home/okupy/okupy.wsgi
  UWSGI_LOG_FILE=/home/okupy/uwsgi.okupy.log
  UWSGI_DIR=/home/okupy/identity.gentoo.org
  UWSGI_USER=okupy
  UWSGI_GROUP=okupy
  # buffer-size is necessary to pass SSL certificates
  UWSGI_EXTRA_OPTIONS='--buffer-size 65536 --plugins python27 --wsgi okupy.wsgi'
  • Symlink to /etc/init.d/uwsgi from /etc/init.d/uwsgi.okupy, and start it:
root #ln -s /etc/init.d/uwsgi /etc/init.d/uwsgi.okupy
root #/etc/init.d/uwsgi.okupy start

NGINX setup

root #emerge --ask --verbose www-servers/nginx
  • Copy the server certificates and private keys to /etc/ssl/nginx/
  • Concatenate all the allowed CA certificates for client auth:
root #cat /etc/ssl/* > /etc/ssl/nginx/all_certs.pem
  • Add the following options in /etc/nginx/nginx.conf
FILE /etc/nginx/nginx.conf
 http {
     ssl_session_cache  shared:SSL:10m;
 
     upstream okupy {
       # connect to uWSGI
       server unix:///home/okupy/okupy.wsgi;
     }
 
     server {
         listen 0.0.0.0;
         server_name identity.tampakrap.gr;
 
         access_log /var/log/nginx/localhost.access_log main;
         error_log /var/log/nginx/localhost.error_log info;
 
         root /var/www/localhost/htdocs;
 
         # redirect all http traffic to https://
         location / {
             rewrite     ^ https://$http_HOST$request_uri permanent;
         }
     }
 
     server {
         listen 0.0.0.0:443;
         server_name identity.tampakrap.gr;
 
         ssl on;
         # certificates for the main domain
         ssl_certificate /etc/ssl/nginx/identity_tampakrap_gr_cacert.crt;
         ssl_certificate_key /etc/ssl/nginx/identity_tampakrap_gr.key;
         ssl_session_timeout 10m;
 
         access_log /var/log/nginx/localhost.ssl_access_log main;
         error_log /var/log/nginx/localhost.ssl_error_log info;
 
         root /var/www/localhost/htdocs;
 
         location /static {
             alias /home/identity/identity.gentoo.org/static;
         }
 
         location / {
             uwsgi_pass okupy;
             include /etc/nginx/uwsgi_params;
         }
     }
 
     server {
         listen 0.0.0.0:443;
         server_name auth.identity.tampakrap.gr;
 
         ssl on;
         # certificates for auth. subdomain
         ssl_certificate /etc/ssl/nginx/auth_identity_tampakrap_gr_cacert.crt;
         ssl_certificate_key /etc/ssl/nginx/auth_identity_tampakrap_gr.key;
         ssl_client_certificate /etc/ssl/nginx/all_certs.pem;
 
         # verify_client == ask for user certificate
         ssl_session_timeout 30s;
         ssl_verify_client optional;
 
         access_log /var/log/nginx/localhost.ssl_access_log main;
         error_log /var/log/nginx/localhost.ssl_error_log info;
 
         root /var/www/localhost/htdocs;
 
         location /static {
             alias /home/identity/identity.gentoo.org/static;
         }
 
         location / {
             uwsgi_pass okupy;
             include /etc/nginx/uwsgi_params;
 
             # pass certificate verification result
             # and the certificate (so we could extract e-mails)
             uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
             uwsgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;
         }
     }
 }

Additional

virtualenv

  • Install virtualenv (replace the following command with an equivalent in case you are working in a non-Gentoo distro)
root #emerge -av dev-python/virtualenv
root #virtualenv .virtualenv
root #source .virtualenv/bin/activate
  • The .virtualenv directory is already in .gitignore, so please prefer this name
  • The deactivate command will exit the virtual environment

memcached

  • Copy /etc/conf.d/memcached to /etc/conf.d/memcached.okupy
root #cp /etc/conf.d/memcached /etc/conf.d/memcached.okupy
  • Symlink /etc/init.d/memcached.okupy to /etc/init.d/memcached
root #ln -s /etc/init.d/memcached /etc/init.d/memcached.okupy
  • Put the following data in /etc/conf.d/memcached.okupy:
FILE /etc/conf.d/memcached.okupy
# The user that will be running okupy
MEMCACHED_RUNAS="okupy"
# disable TCP/IP
LISTENON=""
PORT=""
# enable UNIX socket (put correct path here as well)
MISC_OPTS="-s /home/okupy/memcached.sock"
  • edit okupy/settings/local.py and put the same path in CACHES:
FILE okupy/settings/local.py
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'unix://home/okupy/memcached.sock',
    }
}
  • Start memcached
root #/etc/init.d/memcached.okupy start

OpenLDAP

OpenLDAP Server

  • (TODO)

OpenLDAP client only

  • We have a testing instance on ldap://evidence.tampakrap.gr
  • Contact tampakrap to get the certificates and the rootDN credentials
  • Install OpenLDAP package:
    • In Gentoo:
root #echo net-nds/openldap minimal >> /etc/portage/package.use/okupy
root #emerge --ask --verbose openldap
  • Put the certificates in /etc/openldap/ssl
  • Put the following content in /etc/openldap/ldap.conf:
FILE /etc/openldap/ldap.conf
BASE        dc=tampakrap, dc=gr
SIZELIMIT   0
TIMELIMIT   10
TLS_REQCERT demand
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_CERT    /etc/openldap/ssl/evidence.tampakrap.gr.crt
TLS_KEY     /etc/openldap/ssl/evidence.tampakrap.gr.key
URI         ldap://evidence.tampakrap.gr
  • In settings/local.py:
FILE settings/local.py
AUTH_LDAP_SERVER_URI = 'ldap://evidence.tampakrap.gr'
 
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_X_TLS_DEMAND: False,
}
 
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
 
AUTH_LDAP_ADMIN_BIND_DN = '(the rootDN you got from tampakrap)'
AUTH_LDAP_ADMIN_BIND_PASSWORD = '(the rootpw you got from tampakrap)'
 
AUTH_LDAP_USER_ATTR = 'uid'
AUTH_LDAP_USER_BASE_DN = 'ou=users,dc=tampakrap,dc=gr'
 
AUTH_LDAP_PERMIT_EMPTY_PASSWORD = False
 
AUTH_LDAP_START_TLS = True
 
# objectClasses that are used by any user
AUTH_LDAP_USER_OBJECTCLASS = ['top', 'person', 'organizationalPerson',
                               'inetOrgPerson', 'posixAccount', 'shadowAccount',
                               'ldapPublicKey', 'gentooGroup']
# additional objectClasses that are used by developers
AUTH_LDAP_DEV_OBJECTCLASS = ['gentooDevGroup']