Server: Difference between revisions

From Kanthaus wiki
VisualWikitext
"migration of handbook pages from https://git.kanthaus.online/kanthaus/handbook"
 
Timber1 (talk | contribs)
26 edits
Remove tor relay
 
(9 intermediate revisions by 5 users not shown)
Line 1: Line 1:
= :star: Kanthaus server =
⭐️ We have a server running locally that provides a few services to residents as well as guests.
 
We have a server running locally that provides a few services to residents as well as guests.


== File sharing services ==
== File sharing services ==


The server provides the possibility to store and exchange data. Some services are publically available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the <code>full</code> [[../technical/wifi.md|network]] and served via [Samba](https://en.wikipedia.org/wiki/Samba_(software)). Use your computers file manager to browse the available network computers and locate the server as <code>KANTHAUS-SERVER</code>. If this doesn’t show up in your file manager or the link is broken, you can try entering <code>smb://kanthaus-server/</code> directly into your file managers adress bar. This should work on most linux environments.
The server provides the possibility to store and exchange data. Some services are publicly available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the <code>full</code> [[Wifi|network]] and served via [[wikipedia:Samba_(software)|Samba]]. Use your computers file manager to browse the available network computers and locate the server as <code>KANTHAUS-SERVER</code>. If this doesn’t show up in your file manager or the link is broken, you can try entering <code>smb://kanthaus-server/</code> directly into your file managers address bar. This should work on most Linux environments.


=== Getting a user account ===
=== Getting a user account ===
To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the Ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via <code>smbpasswd -r kanthaus-server -U yourusername</code>.


To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via <code>smbpasswd -r kanthaus-server -U yourusername</code>.
Actually, you have two passwords:


Actually, you have two passwords: * System user account: Used for local access and SSH access. Change password using <code>passwd</code> when logged in * Samba account: Used for accessing the samba network shares. Change password using command above remotely or using <code>smbpasswd</code> when logged in.
* System user account: Used for local access and SSH access. Change password using <code>passwd</code> when logged in  
* Samba account: Used for accessing the samba network shares. Change password using command above remotely or using <code>smbpasswd</code> when logged in.


==== Kanthaus cloud copy ====
==== Kanthaus cloud copy ====
* The share <code>kanthaus-public</code> offers an anonymously usable read only copy of the public part of the kanthaus cloud.
* The share <code>kanthaus-public</code> offers an anonymously usable read only copy of the public part of the kanthaus cloud.
* The share <code>cloud.kanthaus.online</code> offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class <code>kanthaus</code>.
* The share <code>cloud.kanthaus.online</code> offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class <code>kanthaus</code>.


The cloud copy is synchronized from the kanthaus cloud once every minute.
The cloud copy is synchronized from the Kanthaus cloud once every minute.


==== Internal cloud ====
==== Internal cloud ====
The share <code>internalcloud</code> stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class <code>internal</code>. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.
The share <code>internalcloud</code> stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class <code>internal</code>. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.


Line 27: Line 25:


==== Home folder ====
==== Home folder ====
Every user account also has their personal <code>home</code> folder available as the <code>homes</code> storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called <code>storage</code>. This folder lies on an easily expandable, cheap hard-disk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).


Every user account also has their personal <code>home</code> folder available as the <code>homes</code> storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called <code>storage</code>. This folder lies on an easily expandable, cheap harddisk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).
Your home folder is part of a daily backup. Please put files called <code>.nobackup</code> into folders that you don’t want to be backed up (e.g. to save storage space). The <code>storage</code> folder is '''not''' part of the backup, but the hard-disks have a raid configuration to tolerate the loss of one hard-disk.
 
Your home folder is part of a daily backup. Please put files called <code>.nobackup</code> into folders that you don’t want to be backed up (e.g. to save storage space). The <code>storage</code> folder is '''not''' part of the backup, but the harddisks have a raid configuration to tolerate the loss of one harddisk.


== Shell access ==
== Shell access ==


When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the <code>homes/.ssh/authorized_keys</code> and use that for logging in. Same as above: In your home directory there is a symlinked folder called <code>storage</code> which is on spinning disks, whereby the rest of your home folder is on limited SSD space.
When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the <code>homes/.ssh/authorized_keys</code> and use that for logging in. Same as above: In your home directory there is a symlinked folder called <code>storage</code> which is on spinning disks, whereby the rest of your home folder is on limited SSD space.
== Limiting crawlers ==
Our web services all run through an NGINX reverse proxy web server. The recent intensification of crawling for LLM training was significantly affecting our Forgejo instance, with periodic spikes over 100% greater than baseline. To diagnose the issue, <code>ngxtop</code> was installed and can be ran with <code>/opt/kh-services/ngxtop/bin/ngxtop --group-by remote_addr -n 50 -l /data/services/data/nginx-logs/forgejo-access.log</code> this provides a "top-like" overview the HTTP responses the web server sends them back to (bucketed) IPs. Additionally, <code>tail -f /data/services/data/nginx-logs/<service>-access.log</code> provides a more detailed, chronological view of HTTP responses.
At the time of writing, for countermeasures we have
* an <code>nginx</code> rate limiting of 15 requests / second in addition to some burst allowances
* a <code>robots.txt</code> that forbids all robots entry
* an <code>nginx</code> blocklist that blocks all AI robots user agents
* <code>go-away</code> that blocks requests based on some non-javascript challenges, based on the [https://git.gammaspectra.live/git/go-away/src/branch/master/examples/forgejo.yml default example for forgejo] (with the only differences that <code>js-refresh</code> is replaced by <code>header-refresh</code> and the final <code>js-pow-sha256</code> challenge is removed)
Stats of <code>go-away</code> are available on [https://grafana.yunity.org/d/f7bd6db8-b503-48b3-8a4d-fd1011aac8e0/go-away grafana].


== SFTP Access ==
== SFTP Access ==
Line 40: Line 48:
You can use software like FileZilla to access your home folder through <code>sftp://kanthaus-server</code> providing your username. See the Shell Access section above for other details.
You can use software like FileZilla to access your home folder through <code>sftp://kanthaus-server</code> providing your username. See the Shell Access section above for other details.


==== How to unlock the encrypted <code>kanthaus-server</code> via network ====
=== How to unlock the encrypted <code>kanthaus-server</code> via network ===
 
* be in <code>kh-admin</code>
* be in <code>kh-admin</code>
* <code>ssh -p 2222 root@192.168.178.249</code>
* <code>ssh -p 2222 root@192.168.178.249</code>
Line 50: Line 57:
== System specs ==
== System specs ==


System is designed to save power but still have some computing resources. * CPU: Intel Core i5-4670 (4x 3.4 GHz) * Ram: 8 GB DDR3L (If there is the need we have 16 GB available, just needs more power) * SSD: 1 TB Samsung 860 Evo as root file system * HDD: BTRFS pool with 3 disks, 1 redundant. Current usable size ~3.5 TB
* System is designed to save power but still have some computing resources.  
* CPU: Intel Core i5-2500K (4x 3.3 GHz)  
* Ram: 16 GB DDR3L
* SSD: 1 TB Samsung 860 Evo as root file system  
* HDD: BTRFS pool with 2 disks. Current usable size 3 TB


== Backups ==
== Backups ==


Backups are done using borgmatic. The backup target is the local harddisk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.
Backups are done using Borgmatic. The backup target is the local hard-disk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.


== Other services ==
== Other services ==


* Foodsharing Gitlab CI runner (dockerized)
* Foodsharing Gitlab which CI runner (dockerized)
* House bus services
* House bus services
** local Web interface (dockerized)
** local Web interface (dockerized)
** Logging daemon to externally hosted influxdb
** Logging daemon to externally hosted influxdb
* Virtual machines (kvm/libvirt)
* Virtual machines (kvm/libvirt)
[[Category:Technical]]
[[Category:Digital]]

Latest revision as of 17:50, 18 November 2025

⭐️ We have a server running locally that provides a few services to residents as well as guests.

File sharing services

The server provides the possibility to store and exchange data. Some services are publicly available (e.g. connecting with an anonymous user), for others you need a user account with some privileges. All file services are only available in the full network and served via Samba. Use your computers file manager to browse the available network computers and locate the server as KANTHAUS-SERVER. If this doesn’t show up in your file manager or the link is broken, you can try entering smb://kanthaus-server/ directly into your file managers address bar. This should work on most Linux environments.

Getting a user account

To get a user account, speak to an admin (e.g. Antonin or Tilmann). The admin will add you to the Ansible user configuration and ask you to set a temporary password using your account. You can change the password yourself, e.g. via smbpasswd -r kanthaus-server -U yourusername.

Actually, you have two passwords:

  • System user account: Used for local access and SSH access. Change password using passwd when logged in
  • Samba account: Used for accessing the samba network shares. Change password using command above remotely or using smbpasswd when logged in.

Kanthaus cloud copy

  • The share kanthaus-public offers an anonymously usable read only copy of the public part of the kanthaus cloud.
  • The share cloud.kanthaus.online offers a read only copy of the whole kanthaus cloud. You need to have a user with the permissions class kanthaus.

The cloud copy is synchronized from the Kanthaus cloud once every minute.

Internal cloud

The share internalcloud stores some data which should only be available from inside Kanthaus (e.g. financial data) and is only available to users with the permissions class internal. Please make sure to only put security sensitive stuff in here and also make sure to not leak your user credentials or the contents of this folder, when you have access to it.

This folder is part of the daily backup.

Home folder

Every user account also has their personal home folder available as the homes storage. All data you put here is only available to yourself. Inside the home folder, there is a directory called storage. This folder lies on an easily expandable, cheap hard-disk storage. It is slower to access but suitable to store lots of data (e.g. backups of your computer).

Your home folder is part of a daily backup. Please put files called .nobackup into folders that you don’t want to be backed up (e.g. to save storage space). The storage folder is not part of the backup, but the hard-disks have a raid configuration to tolerate the loss of one hard-disk.

Shell access

When you have a user account, you can also use SSH to connect to the server and use it for computing tasks. To set an initial password, ask an admin. When you already have file sharing access, you can add your SSH public key to the homes/.ssh/authorized_keys and use that for logging in. Same as above: In your home directory there is a symlinked folder called storage which is on spinning disks, whereby the rest of your home folder is on limited SSD space.

Limiting crawlers

Our web services all run through an NGINX reverse proxy web server. The recent intensification of crawling for LLM training was significantly affecting our Forgejo instance, with periodic spikes over 100% greater than baseline. To diagnose the issue, ngxtop was installed and can be ran with /opt/kh-services/ngxtop/bin/ngxtop --group-by remote_addr -n 50 -l /data/services/data/nginx-logs/forgejo-access.log this provides a "top-like" overview the HTTP responses the web server sends them back to (bucketed) IPs. Additionally, tail -f /data/services/data/nginx-logs/<service>-access.log provides a more detailed, chronological view of HTTP responses.

At the time of writing, for countermeasures we have

  • an nginx rate limiting of 15 requests / second in addition to some burst allowances
  • a robots.txt that forbids all robots entry
  • an nginx blocklist that blocks all AI robots user agents
  • go-away that blocks requests based on some non-javascript challenges, based on the default example for forgejo (with the only differences that js-refresh is replaced by header-refresh and the final js-pow-sha256 challenge is removed)

Stats of go-away are available on grafana.

SFTP Access

You can use software like FileZilla to access your home folder through sftp://kanthaus-server providing your username. See the Shell Access section above for other details.

How to unlock the encrypted kanthaus-server via network

  • be in kh-admin
  • ssh -p 2222 root@192.168.178.249
    • your key must be stored on the server in /etc/dropbear-initramfs/authorized_keys -> update-initramfs -u
    • ED25519 key fingerprint: SHA256:mvCVYx8D/Fv/qYq+a/H4MoRAcfExAUsAFW3L2NVHnD0
  • enter password (stored in keepass -> Server)

System specs

  • System is designed to save power but still have some computing resources.
  • CPU: Intel Core i5-2500K (4x 3.3 GHz)
  • Ram: 16 GB DDR3L
  • SSD: 1 TB Samsung 860 Evo as root file system
  • HDD: BTRFS pool with 2 disks. Current usable size 3 TB

Backups

Backups are done using Borgmatic. The backup target is the local hard-disk storage, so it does not safe us against fire or theft of the computer. We might think about adding a remote backup as well.

Other services

  • Foodsharing Gitlab which CI runner (dockerized)
  • House bus services
    • local Web interface (dockerized)
    • Logging daemon to externally hosted influxdb
  • Virtual machines (kvm/libvirt)
Retrieved from "https://wiki.kanthaus.online/index.php?title=Server&oldid=2125"