Network
This contains a description of the network setup and any servers running.
Network Topology and Organization
WAN
Bezeq NGN 100Mbps/3Mbps via Bezeqint (username: telavivmakers@014)
Static WAN IP: 82.80.54.64
Also accessible via: space.telavivmakers.org (we also have proper reverse DNS records pointing back to that domain.)
(Phone line number is +972 3 5058210 but is blocked for PSTN usage. We are connected to a junction box on our floor, to port 90.)
LAN
TP-Link TL-WR4300 main router (10.81.2.1 / 2001:470:7038:cOf3::1) serving DHCP on 10.81.2.0/24
PPPoE through Netgear VVG2000 VDSL gateway (configured by Bezeq in bridge mode only - it's just a fucking modem).
Hosts:
WLAN
- SSID TelAvivMakers in the clear (no encryption, use standard precautions)
- 5GHz is provided via TelAvivMakers-5Ghz
- Paranoids can use the WPA-protected TelAvivMakers2 (with password international) but please don't expect your traffic to be private just because it's WPA.
Edimax BR-6428 (10.81.2.138) located behind kitchen counter broadcasting on channel 6
TP-Link TL-WDR4300 located on router board (next to balcony) broadcasting on channel 11 and 5GHz on channel 36
Incoming http/https
This is a flow diagram of where things go from Tami router. Updated 9/12/2018
IPv6
Disabled until further notice.
Available through Hurricane Electric tunnelbroker.
2001:470:7038::/48 TAMI prefix
2001:470:7038:cOf3::/64 TAMI LAN
2001:470:7038:cOf3::1 WN801ND main router
External Services
We have a few different domains:
- telavivmakers.org
  - DNS provider Amazon AWS
- tami.org.il
  - redirects to telavivmakers.org
  - DNS provider internic.co.il
Internal only services
Internal file server
FTP and big-ass file/media server - coming soon...
Network audio
Meeep - 10.81.2.44 See SoundSetup
RTL-SDR Radio
Using the attached USB dongle you can listen to any radio station with rtl_fm. A proper alias already exists in the .bashrc; use the syntax:
$ radio 106M   # 106FM
$ radio 91.8M  # galgalatz
The reception might not be so good, I still need to calibrate tuning errors and set up a nice antenna.
Network printer
There is a network connected Officejet 4500, tested with Windows XP and Fedora 19.
Network scanning
I installed sane and an xinetd service to provide network access to the scanner. However, the xerox_mfp driver of sane fails to detect the device and cheap fixes (adding the USB vendor/device ID) didn't work. Sorry.
Services (aka security holes)
StartSSLNotes - getting a certificate from the Eilat CA.
network camera
motion running on a TP-Link WR703n [1]
mpd
see SoundSetup
mpd is running on meeep (not mail.lan which is 10.81.2.2467 or mail.local, which also runs an FTP (NOT sftp) server on which the mp3 files are kept. Add to the music collection!)
To restart mpd (for instance to update the list of mp3s that you just uploaded), try updating the database using:
mpc update
There is also a web interface for controlling the music played in the space on meeep:
Tor
A tor relay is configured and running
RIPE Atlas Probe
We host a RIPE Atlas probe, #18746, which is used for various internet health measurements.
MediaGoblin
We run our own instance at http://mediagoblin.tami.org.il/; for installation instructions, see InstallingMediaGoblin.
Kolab
(Not there yet) InstallingKolab
oVirt
(Closer but no cigar)
Mail & Mailing lists
Port 25 is now open for business on tami.org.il, or mail.tami.org.il
We don't have anything there yet for anyone - it's all local accounts. Mail can be delivered outwardly, thanks to an SPF record:
$ dig tami.org.il txt | grep "ANSWER SECTION" -A1
;; ANSWER SECTION:
tami.org.il. 86384 IN TXT "v=spf1" "a" "mx" "-all"
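How a receiving mail server reads the TXT answer shown above, as an added example that is not part of the original page: RFC 7208 joins the quoted strings of one TXT record without adding spaces, then looks for the `v=spf1` version tag. The function names and the single-string comparison record are constructed for this example.

```python
import re

# Answer line as shown on this page, and a constructed single-string
# variant of the same policy for comparison.
PAGE_ANSWER = 'tami.org.il. 86384 IN TXT "v=spf1" "a" "mx" "-all"'
SINGLE_STRING = 'tami.org.il. 86384 IN TXT "v=spf1 a mx -all"'

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_rdata(answer_line):
    """Join the quoted character-strings of one TXT answer line.

    RFC 7208 section 3.3: the strings are concatenated with no
    separator added between them.
    """
    rdata = answer_line.split(" TXT ", 1)[1]
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', rdata))


def parse_spf(record):
    """Return [(result, mechanism), ...], or None if this is not SPF.

    RFC 7208 section 4.5: the version tag "v=spf1" must be followed by
    a space or by the end of the record.
    """
    version, _, rest = record.partition(" ")
    if version.lower() != "v=spf1":
        return None
    terms = []
    for term in rest.split():
        if re.match(r"[A-Za-z][A-Za-z0-9_.-]*=", term):
            continue  # modifier (redirect=, exp=), not a mechanism
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        terms.append((QUALIFIERS[qualifier], term.lstrip("+-~?")))
    return terms


def spf_view(answer_line):
    """Return (joined record, parsed policy) for a dig answer line."""
    record = txt_rdata(answer_line)
    return record, parse_spf(record)


if __name__ == "__main__":
    for line in (PAGE_ANSWER, SINGLE_STRING):
        print(spf_view(line))
```

A `None` policy means the receiver finds no SPF record for the domain (result `none`), so the `-all` only takes effect when the spaces are inside the published string or strings.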
Current:
- mailman 2 instance at lists.tami.org.il
Plans:
- mailman 3 + hyperkitty, to give it a forum interface too
Watching:
- librelist - not sure why I would prefer it yet.
Todo
- how does it compare to google groups?
- can we run them side by side? test run where we keep using google groups and having hyperkitty on the side, using the same script that needs to be written anyway to pull content from google groups.
Discourse
- http://meta.discourse.org/t/mailing-list-and-nntp-bridge/3453
- http://meta.discourse.org/t/openshift-as-free-discourse-host/8000
Mailman Howto
- Condensed version of: http://www.list.org/mailman-install.pdf
Using the Fedora package, it's simpler:
- yum install mailman (version 2, not the developed version 3)
- /usr/share/doc/mailman-2.1.15/INSTALL.REDHAT
Google Groups - retrieving members and messages
There is no easy way to retrieve the messages so far.
To retrieve the member list:
- as a group owner there should be a csv export option
Google Apps API:
- https://developers.google.com/apps-script/reference/groups/groups-app?csw=1
- Haven't tested this yet.
And more
- Feature request for it issue 27. 3rd highest ranking.
- Faux API (add member only, php): https://github.com/auzigog/google-groups-php-api
- Stack Overflow discussion
FTP setup
ftp mail.local or 10.81.2.2467
Using vsftpd. Some settings required for renames and deletions to work:
- anon_mkdir_write_enable=YES
- anon_other_write_enable=YES
SELinux notes: (man ftpd_selinux)
- enable anonymous uploads:
  - setsebool -P ftpd_anon_write 1
- set public things to public_content_rw_t
  - semanage fcontext -a -t public_content_rw_t "/media/ftp(/.*)?"
  - restorecon -F -R -v /media/ftp
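An added example, not part of the original page: a small audit of what an anonymous FTP client may do under a given vsftpd.conf. Option names and defaults are taken from the vsftpd.conf man page; the sample file is constructed, and its `write_enable` and `anon_upload_enable` lines are assumptions, since the page lists only the two `anon_*` settings.

```python
# Defaults (per the vsftpd.conf man page) for options gating anonymous writes.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

# Constructed sample: the two settings from this page plus assumed companions.
SAMPLE_CONF = """\
# constructed sample, not the real server config
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""


def load(conf_text):
    """Parse option=value lines (no spaces around '='), over the defaults."""
    opts = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value.upper()
    return opts


def anonymous_write_exposure(conf_text):
    """List the write actions an unauthenticated client is allowed."""
    opts = load(conf_text)
    on = lambda key: opts.get(key) in {"YES", "TRUE", "1"}
    # write_enable gates every filesystem-changing FTP command.
    if not (on("anonymous_enable") and on("write_enable")):
        return []
    checks = [
        ("anon_upload_enable", "upload files"),
        ("anon_mkdir_write_enable", "create directories"),
        ("anon_other_write_enable", "rename and delete"),
    ]
    return [action for key, action in checks if on(key)]
```

With the page's two settings alone the result is empty, because `write_enable` defaults to NO; once it is on, anyone who can reach the server can rename and delete files under the FTP root.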
sagemath
Sage is a free open-source mathematics software system licensed under the GPL. It combines the power of many existing open-source packages into a common Python-based interface.
We have a sagemath instance running internally:
mail.lan:8080 open to new user creation, not visible externally. (local ip is 10.81.2.247 if name resolution fails)
We are running 5.13, it can be upgraded to 6.11 if there is a requirement for that.
etherpad
There is an etherpad sitting as a systemctl service on tamitam server.
docker
We have a docker service running on tamitam. It uses an nginx-proxy container to serve http/https services across that machine, and it handles https. So if you want to host something in TAMI, or have a machine in TAMI serving http/https, you can do so by adding a container to that subnet.
(Now uses the docker nginx-container.)
github
Our GitHub
Computers
router
tamtam
Trivia
previously called mail.
Services
- mediagoblin
- yacy
- ftp
monitoring
There is a monitoring service to see if the internet was down at TAMI. You can access it at: https://status.telavivmakers.org/ It checks if space.telavivmakers.org is accessible, and logs a week back.
Log
- installed RAID 1 array using two 2 TB WD disks. Slightly weird (read: dumb) config:
  - boot partition not on raid, swap neither.
  - mirrored boot partition and swap unused on second disk (could set up a non metadata RAID for them, see mdadm)
  - third primary partition is the raid partition, with its own partition table (under the raid block device), with two partitions, root and data (not yet mounted, 100G/1.89T)
  - /dev/sdb{1,2,3} + /dev/sdc{1,2,3} (1+2 unused), sdb3+sdc3=md127, /dev/md127p{1,2} where md127p1=>/, md127p2=>unmounted
- disabled nouveau_update_fan module (probable cause of SOFT LOCKUPS)
  - https://docs.fedoraproject.org/en-US/Fedora/16/html/Installation_Guide/rescuemode_drivers-blacklisting.html
  - for a quick test add kernel command line parameter rdblacklist=nouveau_fan_update
- removed Vortex OCX SSD with problems (SMART failures, read failures)
- Updated bios (use dok with freedos, labeled, on it)