Infrastructure

Domain name

dezentrale.space

it is paid up until 2022-06-11T23:59:59.0Z, as a donation, and now it is legally owned by the e.V.

Gandi account is accessible to anyone in the Vorstand already.

DNS hosting

(temporarily?) being provided by the domain registrar Gandi.net, free of charge, but we should set up something better (with DNSSEC) ourselves someday

emails

vorstand@dezentrale.space goes to all of the Vorstand

konto-*@dezentrale.space goes to all of the Vorstand, where the "*" can be the name of any company/organisation that the e.V. registers an account with

There is no catch-all for *@dezentrale.space, because that would receive spam sent to any random address, and make it easier for spammers to forge email from us (sender-verification would always pass), and we would have difficulty later if we wanted to migrate to new infrastructure that doesn't support catch-alls (there would be no easy way to enumerate all of the addresses we really need/use).

VPSes

lokke and steven both have root access

steven pays for the host machine at Hetzner, but the e.V. should someday replace it (when it has money, or maybe some servers on-site)

Both VPSes have IPv6, and a directly routed IPv4 address each. Reverse DNS for IPv6 and IPv4 are correctly set up to match the hostname.

SPF allows "A" and "MX" entries to send mail from @dezentrale.space. Mailman changes "Sender:" to the mailing list's address, so that it passes SPF checks (but not DKIM).

TODO: emails for root/listmaster/webmaster are not currently going anywhere...

NTP is set up already on the host machine (so it is not needed inside of the VPSes).

Certbot runs every few days via Cron, it should automatically renew the SSL certificates from LetsEncrypt.org every 2-3 months

Qualys SSL Server Test: grade A as of 2017-08-29 grade A as of 2017-08-29

TODO: (someday) OCSP stapling, if Apache supports it supported as of 2.3.3, otherwise consider setting up Nginx for that purpose

TODO: we redirect from http: to https:, but we don't send HSTS headers yet.

/etc on all servers is tracked inside Git (by etckeeper)

Ikiwiki tracks all of its content in Git (and configuration?)

TODO: build the main website

TODO: put the website content, mailman configurations into Git repositories too

TODO: distribute the Git repositories somewhere (ideally can all be public, because passwords and private keys are excluded)

TODO: back up private data (e.g. list archives) somewhere secure

TODO: document how to rebuild the entire machines from backups, and actually test this

www.dezentrale.space

https://dezentrale.space - main website

https://dezentrale.space/wiki/ - Ikiwiki, all of the Vorstand have admin access already

https://dezentrale.space/munin/ - operational stats

lists.dezentrale.space

https://lists.dezentrale.space - mailman web interface

to get the mailman "site password", please look at /root/docs/mailman.txt on that VPS

Girokonto

The money legally belongs to the e.V.

Only steven and georg are authorised by Sparkasse to access the account at the moment.

Only steven has an EC-Karte and Online Banking access at the moment. The card is required to deposit/withdraw cash or print bank statements.