ikreb7 / ca.berlin.freifunk.net

This project forked from freifunk-berlin/ca.berlin.freifunk.net


Webinterface for certificate creation; e.g for Tunnel-Berlin and VPN03

Home Page: https://wiki.freifunk.net/Berlin:Server

License: MIT License

Python 79.04% CSS 4.00% HTML 13.42% Mako 1.22% Shell 2.33%

ca.berlin.freifunk.net

This project helps us (Freifunk Berlin) automate the certificate request process. In the past a user requested a certificate for our VPN service VPN03 via the mailing list, which caused a lot of noise on the list and work on the admin side. Today we use a web interface for user input that lives at https://ca.berlin.freifunk.net. The same code is used for our new community tunnel, Tunnel Berlin.

The user provides an id and an e-mail address, which creates a certificate request in the database. Requests are not fulfilled automatically: an admin has to run

python3 manage.py requests process

on the server to create the certificate and send it to the user. To send an already existing certificate again, use

python3 manage.py certificates send

See also:

python3 manage.py requests --help
python3 manage.py certificates --help
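The signing step that "requests process" performs for one stored request (id plus e-mail), as an added example that is not the project's own code. It uses the "cryptography" library; the CA is generated in memory for the demo, whereas the real instance loads ca.crt/ca.key from the paths set in config.py. The request-id filename check and the client-auth-only extended key usage are choices of this example, not rules taken from the project.

```python
# Added example, not the project's code: issue a client certificate for one
# request (id + e-mail) with the CA key, the way "manage.py requests process"
# would. The CA below is generated in memory for the demo; the real instance
# reads ca.crt/ca.key from the paths set in config.py. The request-id check
# and the client-auth-only EKU are assumptions of this example.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CLIENT_VALIDITY = datetime.timedelta(days=365)


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="Tunnel Berlin demo CA"):
    """Self-signed CA key and certificate (constructed for this example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + 10 * CLIENT_VALIDITY)
        # path_length=0: this CA signs end-entity certs only, never sub-CAs
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, request_id, email):
    """Create a key pair for one request and sign a client-auth-only
    certificate with the CA. Returns (key_pem, cert_pem) ready to mail."""
    # The certs directory holds one file per request, so the id must be a
    # plain name and not a path fragment (assumed check, see lead-in).
    if not request_id or any(c in request_id for c in "/\\ \0"):
        raise ValueError("request id is not safe to use as a file name")
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, request_id),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])
    now = _now()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + CLIENT_VALIDITY)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # A VPN client certificate must not double as a server certificate.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    )
    return key_pem, cert.public_bytes(serialization.Encoding.PEM)


def check_issued_cert(cert_pem, ca_cert):
    """Inspect an issued certificate: subject fields, CA flag, EKU, and
    whether its signature really verifies against this CA's public key."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        signed_by_ca = True
    except InvalidSignature:
        signed_by_ca = False
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    return {
        "cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "email": cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)[0].value,
        "is_ca": cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca,
        "client_auth": ExtendedKeyUsageOID.CLIENT_AUTH in eku,
        "server_auth": ExtendedKeyUsageOID.SERVER_AUTH in eku,
        "signed_by_ca": signed_by_ca,
    }


if __name__ == "__main__":
    demo_ca_key, demo_ca_cert = make_ca()
    _, demo_cert_pem = issue_client_cert(demo_ca_key, demo_ca_cert, "ffb-0042", "user@example.org")
    print(check_issued_cert(demo_cert_pem, demo_ca_cert))
```

The private key is returned unencrypted because that is what gets mailed to the user in this workflow; check_issued_cert is the kind of sanity check worth running before the mail goes out, since a certificate whose signature does not verify against the deployed ca.crt (for instance after a CA rollover on the instance branch) is useless to the recipient.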

Development

Required packages (Ubuntu 14.04)

sudo apt-get install python-virtualenv python-pip python3-dev libffi-dev libssl-dev

Use virtualenv with:

virtualenv env -p python3
. env/bin/activate

Install dependencies with pip:

pip3 install -r requirements.txt

Setup the initial database

./manage.py db init
./manage.py db migrate
./manage.py db upgrade

Note that the default database path is in /tmp, so the data is lost on reboot.

Run the application

python3 manage.py runserver

To change the host, add the -h 0.0.0.0 parameter. This binds the development server on every interface; keep it on localhost unless you need to reach it from another machine, and do not use the development server for the public instance.

To change the port, add the -p 1337 parameter.

All development should be done in Python 3.

Deployment

For each deployed system there is a branch "instance/" (one per host) that holds the setup actually deployed there. On a new host, branch from master and put the host-specific changes into that branch.

Since this code only needs Python and no other system access, the instance does not need root to sign certificates. The commands below set up a degree of privilege separation for daily operation: the CA key is owned by a keymaster account and readable only by the signer group, and the issued certificates and keys go to a directory that only the signer group can enter.

basic system setup

# setup of basic system-accounts
addgroup freifunk
addgroup tunnelberlin-signer
addgroup tunnelberlin-admin
# the keymaster owns the CA material; it has no password and no login
adduser --ingroup tunnelberlin-admin --disabled-password --disabled-login tunnelberlin-keymaster
mkdir /home/tunnelberlin-keymaster/ssl-data
# these CA files need to be set in config.py
cp <ca.crt> /home/tunnelberlin-keymaster/ssl-data
cp <ca.key> /home/tunnelberlin-keymaster/ssl-data
# owner keymaster, group signer: signers can read the key, nobody else can enter the directory
chown -R tunnelberlin-keymaster:tunnelberlin-signer /home/tunnelberlin-keymaster/ssl-data
chmod 710 /home/tunnelberlin-keymaster/ssl-data
chmod 640 /home/tunnelberlin-keymaster/ssl-data/ca.*
adduser --ingroup tunnelberlin-signer --disabled-password --disabled-login tunnelberlin-sign
# this directory needs to be set in config.py and will contain the created certs & keys
mkdir /home/tunnelberlin-sign/certs
chown tunnelberlin-sign:tunnelberlin-signer /home/tunnelberlin-sign/certs
# 2770: setgid, so new files inherit the signer group; no world access
chmod 2770 /home/tunnelberlin-sign/certs

# change the umask so that all users of group "tunnelberlin-signer" can write to files made by other users
# (note: this changes the login default for every account on the host, not only for signers)
sed -i -e "s/UMASK.*/UMASK 002/" /etc/login.defs

# setup of web-frontend, users of group "tunnelberlin-admin" will be able to change the code (e.g. git pull, git checkout)
mkdir /var/www/tunnel.berlin.freifunk.net
chmod 775 /var/www/tunnel.berlin.freifunk.net
chgrp tunnelberlin-admin /var/www/tunnel.berlin.freifunk.net
cd /var/www/tunnel.berlin.freifunk.net
# sg opens a new shell with tunnelberlin-admin as the primary group, so the checkout is group-owned
sg tunnelberlin-admin
git clone https://github.com/freifunk-berlin/ca.berlin.freifunk.net.git .
# the database role "ca" must already exist; it becomes the owner of the new database
su postgres -c "createdb -O ca tunnelberlin-ca"

adding a new user

adduser --ingroup freifunk <username>
addgroup <username> tunnelberlin-signer

processing requests

cd <instance> # e.g. /var/www/tunnel.berlin.freifunk.net
sg tunnelberlin-signer
. env/bin/activate
./manage ....
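A preflight check for the privilege separation set up above, as an added example that is not the project's own code: something to run at the start of a signing session, before ./manage.py touches the CA key. It encodes the layout the commands create (ssl-data 0710 and ca.* 0640, owned by the keymaster with the signer group; certs 2770 with the signer group; signing never as root). Paths, uids and gids are parameters; the run_demo() helper builds a matching tree in a temporary directory owned by the current user, because the example cannot chown. The check itself and the account names used in its messages are assumptions of this example.

```python
# Added example, not the project's code: verify the ownership/mode layout
# created by the setup commands before signing anything, and refuse to sign
# as root or from outside the signer group. Paths, uids and gids are
# parameters; run_demo() constructs a matching tree in a temp dir.
import os
import stat
import tempfile


def _expect(path, mode, uid, gid):
    """Compare one path against the expected mode, owner and group."""
    st = os.stat(path)
    actual = stat.S_IMODE(st.st_mode)  # permission bits incl. setgid
    out = []
    if actual != mode:
        out.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    if actual & 0o007:
        out.append(f"{path}: accessible to everyone on the host")
    if uid is not None and st.st_uid != uid:
        out.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if st.st_gid != gid:
        out.append(f"{path}: group gid {st.st_gid}, expected {gid}")
    return out


def check_layout(ssl_data, certs_dir, keymaster_uid, signer_gid, euid=None, groups=None):
    """Return a list of problems; an empty list means it is safe to sign.
    euid/groups default to the calling process, i.e. the shell opened by
    "sg tunnelberlin-signer"."""
    euid = os.geteuid() if euid is None else euid
    groups = [os.getegid(), *os.getgroups()] if groups is None else list(groups)
    problems = []
    if euid == 0:
        problems.append("running as root: sign as a member of the signer group instead")
    if signer_gid not in groups:
        problems.append("not in the signer group: start the shell with sg tunnelberlin-signer")
    # CA material: the keymaster owns it, the signer group may read it, nobody else
    problems += _expect(ssl_data, 0o710, keymaster_uid, signer_gid)
    for name in ("ca.crt", "ca.key"):
        path = os.path.join(ssl_data, name)
        if not os.path.isfile(path):
            problems.append(f"{path}: missing")
            continue
        problems += _expect(path, 0o640, keymaster_uid, signer_gid)
    # issued certs/keys: group-writable with setgid so every signer's files
    # land in the signer group, and no world access
    problems += _expect(certs_dir, 0o2770, None, signer_gid)
    return problems


def run_demo():
    """Build the layout in a temp dir and run the check on the correct
    tree, as root, from outside the signer group, and after the classic
    mistake of a world-readable CA key. Returns the four problem lists."""
    with tempfile.TemporaryDirectory() as base:
        ssl_data = os.path.join(base, "ssl-data")
        certs = os.path.join(base, "certs")
        os.mkdir(ssl_data)
        os.mkdir(certs)
        for name in ("ca.crt", "ca.key"):
            path = os.path.join(ssl_data, name)
            with open(path, "wb") as f:
                f.write(b"constructed placeholder, not real key material\n")
            os.chmod(path, 0o640)
        os.chmod(ssl_data, 0o710)
        os.chmod(certs, 0o2770)
        # the current user stands in for the keymaster, its group for the signer group
        uid, gid = os.getuid(), os.stat(ssl_data).st_gid
        args = (ssl_data, certs, uid, gid)
        results = {
            "correct": check_layout(*args, euid=1000, groups=[gid]),
            "as_root": check_layout(*args, euid=0, groups=[gid]),
            "not_in_group": check_layout(*args, euid=1000, groups=[gid + 1]),
        }
        os.chmod(os.path.join(ssl_data, "ca.key"), 0o644)
        results["world_readable_key"] = check_layout(*args, euid=1000, groups=[gid])
        return results


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(case, "->", problems or "ok")
```

The check is deliberately strict about exact modes rather than only rejecting world access: a CA key at 0660 is "not world-readable" but would let every signer overwrite it, and a certs directory without the setgid bit silently produces files that other signers cannot manage, which is exactly what the UMASK change above is meant to avoid.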
