Wiki HowTo Site?

Anyone know of a good wiki site for linux how-to recipes that has a social aspect? Was thinking about adding that feature to this site with the next roll out as I haven't found anything that isn't crap.

How-to forge used to be awesome back in the day, but doesn't seem to have the social inertia. I have no desire to write how-tos all day but it seems like we could build a stack-overflow like thingie for howtos and recipes for various flavors of linux.

I'm having a difficult time thinking of an answer to this. It depends on exactly what kind of social things you're looking for?

Wikihow I think does one of the best implementations of mediawiki. Articles are nicely set up, have an overview of who contributed, how many people found it useful, links to articles and community members, the discussion section for articles is easy to use and reply to people. But that's about as far as a social aspect that it has, this seems to be the case for most wiki-like howto places.

There's plenty of plugins too, but it's a case of how much effort needs put in to make something like mediawiki turn out how you want it.

Stack overflow is a lot more social, but for howtos I think that kind of Q & A system may not be the best.

Edit: and yeah, there's basically no good linux howto sites.

To add, I think the Gentoo and Funtoo wikis are excellent for how linux howtos/tutorials should be laid out, but they don't really have any social aspect to them.

https://wiki.gentoo.org

Most Wikis are Distro specific. Wikipedia actually has a ton of good stuff

This might be a killer idea for a social site/social addon for this. 

Think mediawiki with decent commenting/diffing on revisions. We actually have a really cool revision thing on the site here for posts. Editing a post just makes a new revision. I could create an interface similar to mediawiki but that also has comment-on-the-revision functionality like github: https://github.com/ansible/ansible/commit/e37b63386c0c77e8ab8216e5520be80400ea6170

I like the "meta commentary" on github and the how-tos can be sharpened up like the Q&A answers on stackoverflow with open commentary on why particular choices were made. 

The gentoo wiki is useful... but less cookbook-like.

(This works better than nuking everything, I think). I think we would have to be distro specific, for sure, with wiki-howtos.. some of the distros have decent recipe guides, but they are rarely updated and never seem to be in a wiki format. The folks that write the docs level up and move on, leaving hilariously out of date documentation (kernel.org, I'm looking at you and your btrfs docs)

 

I like their wiki and you could supplement with the gentoo wiki 

https://wiki.sabayon.org/index.php?title=En:Main_Page

nice conversational tone

I felt bad about what nuking me would do

I like more of the style of the Gentoo wiki, for example the templates used for notes, warnings, cli, configs, etc, I think work well for (https://wiki.gentoo.org/wiki/Home_Router).

About the distro specific problem. I reckon there's a good opportunity to make a wiki that can accommodate multiple distros in one article. There's only a couple areas in my mind that are distro specific, the install instructions, init system, and in a few cases (less so these days) the directory structure.

The first isn't a problem. Don't have install instructions on articles. People should know how to install packages. Instead you could have articles on how to use distro package managers and on each article a list of required main packages.

Alternatively one that might work for all differences is to have some collapsible structure that's remembered for users across the wiki. For example if your main system was a systemd system you could have that set as default and it would expand the systemd specific instructions and collapse all other specific instructions. That said I don't know how hard that would be to do.

Maybe an Instructables meets stack overflow for Linux/Foss

Ask Ubuntu does a good job for Q&A (formatwise) 

Page has 3 tabs one guide, one discuss, and one Q&A.

Yup, there isn't a lot in terms of low threshold GNU/Linux 101 in English on the Internet. There is in German or Italian or Spanish or French or Russian, but that's probably not helpful.

The only good GNU/Linux wiki is the ArchWiki imho. Arch does have a proprietary definition of "social" though.

The best online manual is OpenSuSE's.

Gentoo is great for obscure problem solving, but not that great for basic use things.

Ubuntu fora are just chaos lolz.

The format (not content) of Ask Ubuntu is pretty nice though.

Arch does have a nice Wiki. OpenSuse's guides, especially Btrfs and Xen, are very good.

The ArchWiki site is good, but on that or the Gentoo Wiki are there examples of "Recipes" -- e.g. here is the best setup for doing this kind of thing. Here is the best setup for that thing.

What prompted this is I've done a competent exchange replacement with Postfix, Roundcube, Z-Push, mysql backend, shared calendar, contacts, etc. Based initially on Kolab packages. I'm doing a how-to, in order to set that up. It turned out way better than I expected. But to set up a competent mail server even things like yunohost just don't give you the most awesomest thing that Open Source can give you. All these how-tos out there seem to just set up a few packages which don't cover a lot of the cool stuff. If I didn't have 100,000 kilometers of experience with Postfix already a lot of stuff would be left in a default config which is a bit yucky.

Check out these kinds of how-tos from howtoforge: 

http://www.howtoforge.com/the-perfect-desktop-linux-mint-17.1-qiana (perhaps a bit pedestrian)

http://www.howtoforge.com/perfect-server-centos-7-x86_64-nginx-dovecot-ispconfig-3 (somewhat more esoteric)

Howtoforge doesn't have the social momentum it once did, imho, for these longer tutorials. I do like the AskUbuntu format, but I'm not aware of anything that is this in depth. However, I could see a section of the site that is "what's the best way for me to get a tray instant messenger in gnome 3?" being a question then askubuntu/stackoverflow style answers covering the vast, vast array of instant messaging programs and the pros/cons of that kind of thing. The thing that Howtoforge fails specifically on (for these longer tutorials) is improvements from the community, better packages, updates with time, etc. So the wiki format could be useful there if the changelog can be a little more accessible to normal users (like commit diffs on github).

 

Anyway, here's my longass draft of a howto that I'm going to publish soon along with a video. The format for these how-tos is "Here is a video showing you this setup which is ferrari-like that used eleventy billion packages, but look how awesome it is. It is amazing. Check out all these features and all this stuff it does blah blah blah" and then if you want a step by step guide for that, you get that from the article and not the video. Who can sit through 3 hours watching someone stumble their way through apt-get, man and vi? But a format that shows you the "after" first to get you hooked, then shows you the step by step.. that might be something that would generate a lot of traffic.

Eventually, we could take how-tos from the community on our site (I could imagine us paying for said how-tos in exchange for the right to publish them exclusively for 5 years) and then do the how-tos and put a little video in front of it showing the features, why you'd want to do that and the mindset. That's the other problem with howtoforge. No one knows where to look to see the greener grass in order to desire it. That's the momentum problem Linux has that we can solve. maybe.

 

Anyway, Longass article:

Exchange for Fun and Profit

 

Prerequisites

So, you want an awesome mail server that can do mail, calendars, contacts and file storage. Great! However, for you to have that awesome domain [email protected] you will have to have bought yourdomain.com, and you will have to have configured your DNS entries with your domain registrar to point at your new mail server.

 

You can run your mail server anywhere – there typically are not a lot of restrictions. You can even do it with a dynamic IP address as long as you use a dynamic DNS service and keep your IP address up to date in DNS. However, you should know that a lot of internet service providers block inbound port 25 on residential home connections. So if you want to run your mail server on a home connection, check that it is allowed with your ISP. Otherwise use Linode, yunohost, or another inexpensive linux VM provider.

 

Install Debian Wheezy. Name your system something appropriate.

 

Since this is a tutorial on setting up your own mail server, you should have your own domain name. Specify that on the next screen:

 

 

Next up you'll set up a user account and password, and another password for the root user. The next question is about partitioning. Since you are most likely planning to setup this mailbox for personal use and not a lot of mailboxes, guided -- use entire disk is probably all you need.

 

Depending on the particulars of how you plan to run your mail server, you may be able to use encrypted LVM to encrypt your entire mail server. It means that when your mail server reboots, though, that you would have to log into your VM's host, service provider or hypervisor and supply the LVM password to continue booting the machine. SSH is usually not an option for logging in to specify the LVM password. It is possible to create a root and boot file system using only a portion of the disk, and set up an encrypted partition later. That would allow you to SSH into the box and mount the encrypted mail store with a password.

 

Finally, it is also possible to use something like a loopback file system to handle the encryption that way as well. For simplicity's sake, we'll just use the entire disk for this tutorial. Feel free to ask about more esoteric setups in our forum at teksyndicate.com, however.

 

 

You can next through most of the next questions until you get to the “Software Selection” prompt. We're going to select Web Server, Mail Server, SSH server and Standard system utilities. To keep things light, we want to be sure we disable the desktop environment.

 

 

Next up, the install should complete and reboot the machine. A login prompt should come up. Login with your root account, and let's secure the box.

 

Securing Your Box

 

You just logged in with root! That's terrible! The first thing we want to do is update the box, but it'll ask us for the install CD. We want it to download whatever it needs and not pull from the CD. You want to edit /etc/apt/sources.list and place a # in front of the CD line to comment it out.

 

 

If this box is on the internet, I hope you picked a suitably complex root password because there is probably someone, somewhere, trying to brute force their way into your machine. SSH to your machine and make sure it is working for you. Once you've got your SSH session open, do

apt-get update

 

followed by

 

apt-get dist-upgrade

 

to bring you to the current version of Debian Wheezy. Once that's done, we need to install a firewall. My two favorites for debian are the package ufw and arno-iptables-firewall . UFW is worth your time to learn – it'll allow you a little more flexibility than arno-iptables-firewall but for our purposes here we'll install arno-iptables-firewall. Stay tuned for a guide on UFW from teksyndicate, and as always, if you have any questions ask them in our forum.

 

apt-get install arno-iptables-firewall

answer “Yes” to managing the firewall with debconf (for now). We'll want to specify the primary ethernet interface, which is usually eth0. If in doubt, ssh in on a second connection and type ifconfig and look at the interface that has been assigned the IP address you are using, and use that as the external interface.

 

We'll specify the following ports to be open:

 

22 – for ssh

443 – for SSL HTTP

80 – for unencrypted HTTP

25 – for inbound email

143 – for unencrypted imap

993 – for encrypted imap

 

For now, we will not have any inbound udp ports. To reconfigure later, you can use the command:

 

dpkg-reconfigure arno-iptables-firewall

 

If you install ufw later, don't forget to apt-get remove arno-iptables-firewall first.

 

Next up, we want to secure the SSH server a bit better. Edit

 

/etc/ssh/sshd_config

and go down to PermitRootLogin and change yes to no (or make sure it says no). It would be a good idea if you did away with passwords altogether and only used SSH keys, but since this is a personal server, we'll let that slide for right now. You would set the options

 

PasswordAuthentication no

RSAAuthentication yes
PubkeyAuthentication yes

 

– but you should only do this if you've added your public key(s) to ~/.ssh/authorized_keys and have tested key-based logins on your server.

 

Run

 

service ssh restart

 

to make the changes to the ssh configuration active.

 

You can also run the command

 

iptables -L

 

and verify your output looks similar to the below. The default rules with Arno's setup are pretty good in terms of trapping synfloods, resets, window shrinks and other random bad things. It also has some stuff for logging stealth scans, which work pretty well for advance warnings of people poking about your system.

 

 

Next up, we'll install fail2ban which will automatically block hosts that fail to login properly repeatedly.

 

apt-get install fail2ban

 

the options are at /etc/fail2ban but the defaults are okay most of the time.

 

If you're going to treat this box like an appliance, I would recommend that you configure automatic updates.

 

apt-get install unattended-upgrades

 

It won't ask you any questions, and the defaults are basically okay. However, you are welcome to look at

 

/etc/apt/apt.conf.d

 

and the unattended upgrade options there. Generally you at least want the security updates. As this is Debian Stable, it is probably also okay to uncomment the line that says

 

o=Debian,a=stable

 

If you don't mind being bothered via email, there are a few sections of this how-to that will allow you to get status reports from your machine via email. This is generally a handy thing and in this particular instance, we can get a report about available updates. (I'd recommend mailing a gmail or other mail address not hosted on this box for best results.)

 

apt-get install apticron

 

You will need to edit

 

/etc/apticron/apticron.conf

 

to specify the address you want to receive those update emails.

 

 

 

Finally, you might want to also install logwatch – it will email you copies of the system's logs.

 

apt-get install logwatch

 

then edit the file located at

 

/etc/cron.daily/00logwatch

 

to change --output mail to --mailto [email protected] instead as the comment in the file indicates. You can optionally tack on --detail high to the end of that to get more verbose emails.

 

I feel like I need to put a note in here for very experienced Linux Folks: In a “do it the modern way” mindset, if you are doing this kind of thing for a lot of hosts or virtual machines, almost all of this should be automated by your configuration/container management platform. Even a script doing this type of securing is too much work – you want to have all this stuff managed by your management platform. Puppet or Chef are good starting points for this kind of thing, but there are many more choices. If this is just for your personal mail server, just ignore that and we'll march on.

 

There is a lot more you can do to secure your system; these are just the basics. You should check out a package called 'snoopy' that will allow you to see all commands entered into the system. If you're extra paranoid I'd suggest you look into encrypting the file system and services that ship the system logs, in real time, to other machines. Another favorite of mine is the integrit package. It emails you any files that change on the filesystem and includes the md5 sums of the files. There is generally a lot more that I normally do to secure the system, but this is an okay start.

 

Next Up – Let's install Postfix! And related packages.

 

Gone are the days that one expects a mail server to simply listen for connections on port 25 and then dump messages to flat files on the file system. Today, the modern mail client expects their mail server to have encryption (TLS, in our case, probably), to have IMAP connectivity and they may also expect other advanced features such as the availability of ActiveSync or MAPI protocols. With the advent of smartphones, it has become commonplace to expect calendar and contact sync as well.

 

On the Microsoft side of things, Exchange provides all of this functionality and more. At the core of Exchange, a modified version of Microsoft SQL server was used as the message store engine. This isn't an unreasonable choice; it provides proven resiliency in the face of failures, crash-log replayability, ACID compliance, etc. Exchange isn't even the only program necessary for a functional environment – it also relies on the IIS web server to handle the webmail front-end and the ActiveSync protocol interface.

Similarly on Linux, we're going to have a lot of different packages working in concert together to create a cohesive feature-rich mail experience. In addition to Postfix for the mail, we'll also need Apache to handle the web side of things, but we'll get into that in the next section. The Kolab packages also take care of a huge number of moving parts on the web site – CalendarDAV, ActiveSync (via Syncroton), webmail client via roundcube with extensions for contacts, files, notes etc.

 

For Postfix, we'll also enable antispam, greylisting and some other cool features.

 

Finally, once we've got Postfix working, we're going to install Kolab, which is a great groupware package that provides webmail and an ActiveSync interface with full Outlook 2013 compatibility.

 

To Be Continued. (I have pictures too for many steps so.. its even more longer!) Apologies for lack of formatting.
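
The SSH hardening steps in the draft above, as an added example that is not part of the original post: a small shell audit that checks an sshd_config for PermitRootLogin no and, when PasswordAuthentication is off, confirms a key is installed before you restart ssh. The function names, file names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against
# the hardening steps above before running "service ssh restart".

# Print the effective value of KEYWORD in FILE, lowercased. sshd keeps the
# first value it sees for a keyword. Assumptions: whitespace-separated
# "Keyword value" lines; parsing stops at the first Match block; Include
# directives are not followed.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Audit CFG; AUTHKEYS is the authorized_keys file of your login account.
# Prints one line per finding and returns the number of FAIL findings.
audit_sshd() {
    cfg=$1; authkeys=$2; fails=0
    root=$(sshd_value "$cfg" PermitRootLogin)
    pass=$(sshd_value "$cfg" PasswordAuthentication)
    pubkey=$(sshd_value "$cfg" PubkeyAuthentication)

    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"
        fails=$((fails + 1))
    fi

    if [ "$pass" = "no" ]; then
        echo "OK   PasswordAuthentication no"
        # Key-only login needs pubkey auth on and at least one key installed,
        # otherwise the restart locks you out.
        if [ "$pubkey" = "no" ]; then
            echo "FAIL PubkeyAuthentication is 'no' with passwords disabled"
            fails=$((fails + 1))
        fi
        if ! grep -Eqs '^[^#[:space:]]' "$authkeys"; then
            echo "FAIL no key found in $authkeys (lockout risk)"
            fails=$((fails + 1))
        fi
    else
        echo "NOTE PasswordAuthentication is '${pass:-unset}': password logins remain possible"
    fi
    return "$fails"
}

# Constructed sample files (not real configs): a stock-looking config and the
# key-only variant from the post, audited with and without a key installed.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
    '#PasswordAuthentication yes' > "$demo/stock"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'PasswordAuthentication yes' > "$demo/hardened"
: > "$demo/no_keys"
echo 'ssh-ed25519 AAAAC3constructedplaceholder user@example' > "$demo/keys"

for pair in "stock no_keys" "hardened no_keys" "hardened keys"; do
    set -- $pair
    echo "== $1 / $2"
    audit_sshd "$demo/$1" "$demo/$2" || echo "-> $? finding(s) to fix"
done
# On the real host, "sshd -t" additionally checks the file for syntax errors.
```

Run it against a copy of /etc/ssh/sshd_config and your own ~/.ssh/authorized_keys while your existing SSH session is still open.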

 

 

That was a great write up and would love to see something more permanent than a thread post. The only thing I could see as an issue with your guides is: FOSS people are some of the most nit-picky geeks out there.

There could be an almost stupid amount of arguing over just what client you use as your webmail alone. So there has to be some control or it will be chaos when it comes to the guides.

I can just imagine debates over Kolab vs Citadel vs Zimbra turning into ad-hominem pissing matches, lol. Maybe I am just a pessimist.

 

STREAM OF TEXT... DAMAGED BRAIN... SYSTEM REBOOT :)

I agree about the passiveness. One thing I see on ycombinator is a lot of negativity but no lead by example. If we had a fork button on the how-to then by all means fork it, fix it and let the community upvote that one.

I have tried them all in terms of groupware. Zimbra kinda sucks these days and the ol connector is bugged to hell because they want you to pay. At least kolab gives you a choice of zpush and Syncroton. And ol2013 on desktop doesn't need mapi anymore so that is nice. With activesync my phone uses 30% less power than IMAP set for every 5 mins and I get calendar and contact sync as well.

I tried 6 ready made distros including zimbra. There will be more info about that in the overview video. CentOS lost out as the host is because selinux is not yet conducive to so many little programs strung together working in concert. The kolab folks are the only ones I see actively working on the selinux rules to make it work though.

This will be a howto article.. Soon.. I think.. Lol.

And more info about signing up for cloud hosting and yunohost and blah blah blah 

Yunohost is good stuff for lazy people like me lol.

Look forward to the new stuff.

 

On the other hand the good thing about open collaboration and documents is you can write your own howto guide that covers the implementation that you do.

With activesync my phone uses 30% less power than IMAP set for every 5 mins and I get calendar and contact sync as well.

?

I have blocked all ActiveX on firewall level, everything can be synced better and faster without exchange, and exchange compatibility is the most onerous part of an otherwise perfectly reliable and user friendly open source solution. My phones last for days, without Google crapware and without exchange crapware, and with hours and hours of pretty heavy use. I just don't understand, isn't that making it unnecessarily hard on yourself? Who would these days still be interested in exchange compatibility unless they're a large company that can't migrate entirely to open source because they haven't written off their existing crap yet or because they have a large IT department that doesn't have any proper training? Yunohost and Kolab are so easy to install and work right out of the box, and offer more than enough features for most users. Exchange just seems so... wrong... where all of these people have devoted so much time to make out-of-the-box solutions that you can install in 5 minutes with your eyes closed. That's also why they only have a FAQ and no wiki, because the products are so easy to install and use.

It's also jumping ahead pretty massively, most users on the site don't even know how to harden their kernel if they're going to use a bare and old kernel like the ones that come with Debian Stable, or don't even know that iptables is deprecated, will never use ufw because nftables is so incredibly easy to configure with your eyes closed and doesn't even require logical building up of the rules like iptables, it's a one-line-rule system, and ufw doesn't work with nftables.

It's a nice work, and it's commendable that you invest so much time into this, but most people will want to run stuff on a RasPi or PC-on-a-stick if they do things like this (Yunohost is wildly popular on RasPi), to avoid an absurd energy bill, and they will be satisfied with a solution like Yunohost, which works just fine, offers a built-in free DNS service solution (most users on the forum will not pay for such a service, and will not pay for server hosting), and doesn't risk breakage because of exchange/activesync, which is software that is not made to open source standards, and it's a pain in the arse to deal with on open source. The best example of this is that you forego on a MAC to get it up and running. A private mail server without MAC/RBAC? I'd rather take the MAC and lose the exchange compatibility lolz...

I have blocked all ActiveX on firewall level

ActiveSync -- not ActiveX. And, for my workload, it uses considerably less power than imap. I tried to debug that once and it seemed to be the case that when the imap protocol was used, the android phone (cyanogenmod of a vintage appropriate for a galaxy SIII about.. a year ago? 18 months?) would have about one connection open to the server per imap folder. (which in my case is a lot). On ActiveSync, only 1. I am not sure, but I may have had activesync setup for polling once every 5-10 mins vs push but even with push the battery savings was significant -- more than 20% for my mailbox. (~30% with 5 mins polling) 

https://z-push.org/ More about activesync there. 

Out of curiosity -- how do you sync your appointments and contacts among multiple devices? I've got to have the ability for folks other than me to be able to update my appointments, prune my contacts, etc. The desktop client doesn't enter into it much. You may be thinking of the horrors that is MAPI for old exchange. I was doing some stuff with that in 2005-2006. It wasn't pretty. 

Microsoft can't even do MAPI in the cloud properly. This is why OL2013 uses (can use) activesync to connect to Exchange instead of MAPI. I'm not advocating adding MAPI to the stack here, but for small businesses I think the proposition of more than just imap connectivity for multi-device two-way sync of more than just mail is important. I'm aware of CalendarDAV stuff but I'm curious what you do to handle this scenario w/o activesync? Calendar, Contacts and Tasks/ToDo/Notes. 

The fact that the out-of-the-box 5-min install is lacking in some kind of obvious and stupid ways is one reason to go with a well-supported underlying distro (like debian, or something else) instead of the pre-packaged thing. The pre-packaged Zimbra was so incredibly unfriendly and fragile that making simple changes will break things in non-obvious ways.

Even with Kolab, out of the box, you essentially get nothing cool from postfix. Heck, it doesn't even use postfix-mysql as a backend (and doesn't seem to be compatible at the moment, though I wish it were?). More importantly clamav and good antispam out of the box are not enabled. So if one does the 5 minute install, they don't get the best possible experience they can because (technically) these things are outside the wheelhouse of Kolab.

I do like that the Kolab folks have added some baseline ldap stuff to make that part of it easy, but simultaneously they've made it a bit more challenging to integrate it into an existing ldap setup with a 5 minute install, is part of my point.

I agree that this kind of thing should run well from a raspberry pi or a very cheap vps (e.g. 1gb ram, limited disk space, etc etc) which I think nothing done here will prevent that. Even Kolab 3.3 is shipping with Syncroton on their 5 minute install these days -- which is their version of an activesync daemon that provides functionality beyond imap (you can only get so far with imap's IDLE command....). So that means that exchange crap is coming with the yunohost regardless.. it could just be so much better with a little bit of work. Greylisting is the most awesome thing to come along in antispam weaponry in a long time and that works well with a postfix/kolab setup. And nothing I'm talking about breaks your ability to forward apt-get upgrade anymore than you would already.

I do have a bit of work to do making things more accessible. I can't believe I'm defending activesync lolol but.. it's not a completely horrible protocol for what it does.


Wendell



And this is why I love this site.

Comparing mobile battery life with activesync vs imap can't find that shit anywhere else. Once I move I will have to try yunohost on a raspi until I have a true server setup. Might be building a NASferatu later with debian in a VM

I am blown away by the maturity of freebsd and the freenas project out there these days. I am running two linux VMs at home on my nasferatu including one that does USB passthrough to myhttv and that consumes OTA/HD media, removes commercials and stores it in plex. It is really slightly insane. I put a quota on it of 250gb because I will never watch that much. Feels good having recorded (almost) every episode of every startrek, knight rider, macguyver, magnum pi, etc. even though I'll probably never watch them all. I usually watch _something_ when I go for a run on the treadmill, but lately it's been more books-on-tape than brainrot-box stuff.

 p.s. the beaglebone black and bananapi are sooooo much faster. I've got to get one of the intel x86 boards and see how it stacks up to an rpi. I have an olimex arm board I use for home automation that is about 4-5x the speed of an rpi for most things and I love it. I got a touch LCD for it, and a usb cam hooked up.