Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.

== ''corn-syrup'' ==

PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

'''01/19/23: IPMI (temporarily) disconnected. (Require new patch cable)'''

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

We discourage running computationally-intensive jobs on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
(Work in progress)

cyanide is a Mac Mini

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in /music on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

= Syscom Only =

The following systems may only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

'''01/19/23: IPMI (temporarily) disconnected. (Require new patch cable)'''

==== Specs ====

* (clone of Xylitol)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics. Will act as a backup server for many things.

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]]

==== Notes ====

* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:

** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248

* For some reason, the keyboard is shit. Try to avoid having to use it. It's doable, but painful. IPMI works now, and then we don't need to bug about physical access so it's better anyway.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
* shibboleth (under development)

Also used for experimenting new CSC services.

==''citric-acid''==
A Dell PowerEdge provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Being configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) users

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* OpenStack primary controller services for csclub.cloud

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD

==== Services ====

* OpenStack block and object storage for csclub.cloud

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

Currently being used to set up NextCloud.

Was used to experiment the following then-new CSC services:

* logstash (testing of logstash)
* load-balancer-01
* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* block1.cloud
* object1.cloud

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

'''01/19/23: IPMI (temporarily) disconnected. (Require new patch cable)'''

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

==''biloba''==

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558.

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine

No longer in use:

* caffeine
* mail
* mattermost

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''digital cutter''==

See [[Digital Cutter|here]].

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= Decommissioned =

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Meeting:Termcom/Sunday 11 February 2024

2024-02-12T03:26:50Z

N4chung: updates

'''Updates'''

- CEO updates

- Netapp migration

- Hardware acquisition

'''Tasks'''

- repurposing citric-acid (Ohm)

- mirror checker deployment (Jonathan)

- hardware acquisition (Nathan)

- CSC Cloud migration (Frank)

- hardware inventory (Nathan, Frank?)

- Netapp migration (Leon)

- librarian api (postponed)

Meeting:Termcom/Sunday 11 February 2024

2024-02-12T02:03:30Z

N4chung: init

Machine List

2024-01-20T02:40:12Z

N4chung:

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

==== Specs ====

* currently a virtual machine hosted on phosphoric-acid
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [[Apache]]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon
* mail was migrated to [[#mail|mail]]

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.

== ''corn-syrup'' ==

PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection
* has ipmi on corn-syrup-ipmi.csclub.uwaterloo.ca.

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

We discourage running computationally-intensive jobs on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
(Work in progress)

cyanide is a Mac Mini

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in /music on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

= Syscom Only =

The following systems may only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* (clone of Xylitol)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics. Will act as a backup server for many things.

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]]

==== Notes ====

* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:

** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248

* For some reason, the keyboard is shit. Try to avoid having to use it. It's doable, but painful. IPMI works now, and then we don't need to bug about physical access so it's better anyway.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
* shibboleth (under development)

Also used for experimenting new CSC services.

==''citric-acid''==
A Dell PowerEdge provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 1 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

*

'''Services'''

* Being configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) users

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* OpenStack primary controller services for csclub.cloud

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD

==== Services ====

* OpenStack block and object storage for csclub.cloud

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

Currently being used to set up NextCloud.

Was used to experiment the following then-new CSC services:

* logstash (testing of logstash)
* load-balancer-01
* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* block1.cloud
* object1.cloud

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

==''biloba''==

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558.

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine

No longer in use:

* caffeine
* mail
* mattermost

= Storage =

==''fs00''==

fs00 is a NetApp FAS3040 series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

==''fs01''==

fs01 is a NetApp FAS3040 series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

= Other =

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''digital cutter''==

See [[Digital Cutter|here]].

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= Decommissioned =

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Meeting:Termcom/Saturday 13 January 2024

2024-01-18T03:26:02Z

N4chung:

= Termcom Notes - January 13, 2024 =

* Introduction to new/existing Termcom members
* Discussed about some on-going work
** Netapp migration
*** '''''This coming week'''''
** New Cloud Server acquision
** CSC Mirror Checker rewrite
** CEO PRs
== Priority Items ==

* CSC Mail moderation for held messages/emails
* CSCF Contact
** Mirror components
** Cloud server acquision
* CSC CloudStack replacement/maintenance

== Term Goals ==
- '''CSC Mirror Upgrades''': Current CSC mirror is under very high demand. It also faces regular attacks... We are replacing failing/failed hardware and upgrading our hardware to better meet demands.

- '''Security auditing/improvements''': Implement CIS standards. Review all public-face services/systems. Improve "observability" and logging (eg. SSH logs). Review system accounts and configs.

- '''Netapp Migration''': Inheriting out-of-service-contract CSCF hardware, replacing existing Netapp file server.

- '''New Cloud server acquisition''': Using MEF funding (~24k) we will be buying a new cloud server, hopefully with improved storage (flash nvme)

- '''CSC Cloud Software Maintenance''': (Long-term) Cloudstack maintenance issues. We may be migrating to a new platform

- '''Club Web Hosting''': Club-account support for CSC Cloud.

- '''CSC Mirror Checker''': Deploy new blackbox checker (written by yours truly). Implement unsupported "projects".

- '''CEO Issues''': Huge back log of deliverables from the past two years. <3 completed issues from F23 from Termcom....... (bruhh)

Meeting:Termcom/Saturday 13 January 2024

2024-01-14T02:06:57Z

N4chung:

Meeting:Termcom/Saturday 13 January 2024

2024-01-14T02:01:59Z

N4chung: Created page with "= Termcom Notes - January 13, 2024 = * Introduction to new/existing Termcom members * Discussed about some on-going work ** Netapp migration *** '''''This coming week''''' ** New Cloud Server acquision == Priority Items == * CSC Mail moderation for held messages/emails * CSCF Contact ** Mirror components ** Cloud server acquision * CSC CloudStack replacement/maintenance"

Acronyms

2024-01-09T21:13:37Z

N4chung: CSC Sussy Committee

Over the F22, W23, S23 terms, many members within the office speculated what CSC stands for. Here are their postulations (in alphabetical order):

* Caffeinated Students Club
* Calculator Slaves Club
* Calcium-deficient Students Club
* Camera-Shy Club
* Canadian Sussy Club
* Can't Sleep Club
* Can't Stop CSC
* Can't Succeed Club
* Card Skills Club
* Celeste Strawberry Collection
* Chair Sleeping Club
* Charge Smartphone Club
* Chess Studies Club
* Chopin Studies Club
* City Skylines Club
* Clown Syndicate Club
* Coffee Supply Club
* Come Seethe and Cope
* Comic Sans Club
* Committee Sacking Club
* Communal Shoe Club
* Communal Shower Club
* Complimentary Slackness Condition
* Compulsory Sadness Condition
* Computer Stop-working Club
* Confidential Secrets Club
* Connection Sucks Club
* Constant Sacrificing Club
* Cool Shit Club
* Cool Students Club
* Copyright Safeguarding Club
* Co-op Suckers Club
* Crazy Superglue Club
* Creature Saving Club
* Crying Students Club
* CSC Scribbling Club
* CSC Sussy Committee
* CSC Systems Committee
* Cutting Sticker Club
* Culinary Students Club

Acronyms

2024-01-09T21:13:08Z

N4chung: Canadian Sussy Club

Over the F22, W23, S23 terms, many members within the office speculated what CSC stands for. Here are their postulations (in alphabetical order):

* Caffeinated Students Club
* Calculator Slaves Club
* Calcium-deficient Students Club
* Camera-Shy Club
* Canadian Sussy Club
* Can't Sleep Club
* Can't Stop CSC
* Can't Succeed Club
* Card Skills Club
* Celeste Strawberry Collection
* Chair Sleeping Club
* Charge Smartphone Club
* Chess Studies Club
* Chopin Studies Club
* City Skylines Club
* Clown Syndicate Club
* Coffee Supply Club
* Come Seethe and Cope
* Comic Sans Club
* Committee Sacking Club
* Communal Shoe Club
* Communal Shower Club
* Complimentary Slackness Condition
* Compulsory Sadness Condition
* Computer Stop-working Club
* Confidential Secrets Club
* Connection Sucks Club
* Constant Sacrificing Club
* Cool Shit Club
* Cool Students Club
* Copyright Safeguarding Club
* Co-op Suckers Club
* Crazy Superglue Club
* Creature Saving Club
* Crying Students Club
* CSC Scribbling Club
* CSC Systems Committee
* Cutting Sticker Club
* Culinary Students Club

Termcom/Crashcourse

2023-12-24T19:39:00Z

N4chung: termcom crash course page

= Termcom Crash Course =
''(Page is still W.I.P)''

== Some Useful Links ==

* '''Membership''':
** https://csclub.uwaterloo.ca/get-involved/
** https://wusa.ca/product/uw-computer-science-club-membership/

* [[Machine List]]
* [[How to IRC]]
* [[How to SSH]]

Club Hosting

2023-11-09T07:39:15Z

N4chung:

The Computer Science Club provides web hosting to other clubs free of charge. We host many club web sites. If you have a question about our hosting service, contact syscom at csclub dot uwaterloo dot ca or visit our office in MC 3036.

== Hosting Features ==

* 4 GB web space
* Scripting
** PHP (mod_fcgid)
** Perl (https://wiki.csclub.uwaterloo.ca/Web_Hosting#Dynamic_Sites)
** Python (https://wiki.csclub.uwaterloo.ca/Web_Hosting#Dynamic_Sites)
*** Django (https://wiki.csclub.uwaterloo.ca/Web_Hosting#Dynamic_Sites)
** Ruby (https://wiki.csclub.uwaterloo.ca/Web_Hosting#Dynamic_Sites)
* Databases
** [[MySQL]]

This is not an exhaustive list. Contact us if you want something not listed or installed.

== Getting Hosted ==

To get hosted, you need a '''club account''' and one '''user account''' for each person who will be updating the club's web site or other files.

The general process to get yourself an account on our systems to host your club website is:

1. Request a free club account on the CSC systems by emailing syscom@csclub.uwaterloo.ca from an official club email (an official club email is one that is posted on your website or Facebook page, for example). Something along the lines of "I am from the ActSci club and am the current webmaster. Can I be registered for a club account to access the ActSci website?" Include the WatIAM userids (Quest ID) of any club reps that should be authorized to manage the club account in your email.

2. For each club rep that needs access, an email needs to be sent to syscom with the following information, if they don't already have a CSC account:

* a scan or photograph copy of the rep's WatCard,
* their WatIAM userid, and
* their acknowledgement of having read, understood, and agreeing with our Machine Usage Agreement.

These can be sent in one email or separately.

3. Once syscom receives these, the users will be given permission to access your club website by adding you to your corresponding club group (for example, the actsci user group).

=== Club Account ===

Each club we host has a "club account" that owns and stores club resources. You can request a club account via email or in person. The club account:

* Is named after the club, possibly abbreviated.
* Has a home directory named /users/clubname, where club files are stored.
* Is not permitted to log in. You must use your own user account to login.

The Systems Committee will create club accounts when sent a request from the club's email address to syscom@csclub.uwaterloo.ca. Verification of the club's university affiliation may be required, for instance by contacting the Federation of Students or the club's faculty advisor.

=== User Accounts ===

Each user who needs access to the club account must have his/her own user account on our machines. There are two ways to get an account:

* Become a member of the Computer Science Club. Membership is $2.00 per term.
* Request a free "club representative" account. These accounts are to be used solely for managing the club account, and expire at the end of the term.

Club representatives can request renewal of their free accounts (for one or more terms) if they still need the account to manage the club account in future terms.

Your user account must also be authorized to change club files. Each club has a "club group" whose members may update the clubs files. We add (and remove) users to the group when we are asked to do so by the club exec. The exec must email the Systems Committee (syscom@csclub.uwaterloo.ca) from a club email address.

Any office staff member may create and renew both member and club representative accounts using [[ceo]]. Only Systems Committee members may modify club access lists.

== Accessing Club Resources ==

At this point, you have a user account and a club account, and need to get started with your web site. Before you can do anything, you need to log into our machines somehow.

=== Shell Access ===

To gain shell access to your site, you can:

* Log in using a terminal in the office
* Log in from anywhere using SSH. We discourage SSH'ing into our web server (caffeine), you should use a different general-use machine (like corn-syrup.csclub.uwaterloo.ca)

The club's files are stored in /users/clubname.

If you want, you can become the club user by typing "become_club clubname". This is not usually necessary, as the permissions should allow you to make changes as yourself.

=== SFTP File Access ===

You may access files stored on our servers, or upload new ones, via SFTP and SCP. If you are a Windows user you should use [http://winscp.net/ WinSCP] or a similar client with SFTP/SCP abilities. If you are using OS X you can use the sftp or scp Terminal commands, or you can install a graphical client such as [http://cyberduck.ch/ Cyberduck]. Similarly on GNU/Linux you can use the shell commands or a graphical client such as gftp.

== Services ==

=== Web Hosting ===

See [[Web Hosting]].

=== Databases ===

See [[MySQL]].

You can create a MySQL database yourself through [[ceo]] by following [[MySQL#Using_ceo|these instructions]].

== Some Clubs We Support ==

* Math Society
* Software Engineering Society
* WiCS (Women in Computer Science)
* UW Blockchain
* WARG (Waterloo Aerial Robotics Group)
* Rocketry
* Pure Math Club
* mathNEWS
* Badminton Club
* CSA (Chinese Students Association)
* HVZ (Humans vs. Zombies)
* Warriors Band
* WLSG (Waterloo Libre Software Group)
* Physics Club
* CSSA (Canadian Shooting Sports Association)
* CAPSI (Canadian Association of Pharmacy Students and Interns)
* CWC (Centre for Wireless Communications?)

[[Category:Services]]

SSL

2023-10-17T06:51:26Z

N4chung: remove znc

== GlobalSign ==

The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.

When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the [https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/certificate-authority/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates IST-CA self service system]. Please keep a copy of the key, CSR and (once issued) certificate in <tt>/home/sysadmin/certs</tt>. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for <tt>*.csclub.uwaterloo.ca</tt>.

At the self-service portal, these options worked in 2013. If you need IST assistance, [mailto:ist-ca@uwaterloo.ca ist-ca@uwaterloo.ca] is the email address you should contact.
Products: OrganizationSSL
SSL Certificate Type: Wildcard SSL Certificate
Validity Period: 1 year
Are you switching from a Competitor? No, I am not switching
Are you renewing this Certificate? Yes (paste current certificate)
30-day bonus: Yes (why not?)
Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN)
Enter Certificate Signing Request (CSR): Yes (paste CSR)
Contact Information:
First Name: Computer Science Club
Last Name: Systems Committee
Telephone: +1 519 888 4567 x33870
Email Address: syscom@csclub.uwaterloo.ca

=== Helpful links ===
* [https://support.globalsign.com/ssl/ssl-certificates-installation/generate-csr-openssl How to generate a new CSR and private key]
* [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/262013183/How+to+obtain+a+new+GlobalSign+certificate+or+renew+an+existing+one How to obtain a new GlobalSign certificate or renew an existing one]
* [https://system.globalsign.com/bm/public/certificate/poporder.do?domain=PAR12271n5w6s27pvg8d92v4150t GlobalSign UWaterloo self-service page]
* [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates GlobalSign intermediate certificate] (needed to create a certificate chain; see below)

=== OpenSSL cheat sheet ===
<ul>
<li>
Generate a new CSR and private key (do this in a new directory):
<pre>
openssl req -out csclub.uwaterloo.ca.csr -new -newkey rsa:2048 -keyout csclub.uwaterloo.ca.key -nodes
</pre>
Enter the following information at the prompts:
<pre>
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Waterloo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
Organizational Unit Name (eg, section) []:Computer Science Club
Common Name (e.g. server FQDN or YOUR name) []:*.csclub.uwaterloo.ca
Email Address []:systems-committee@csclub.uwaterloo.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>
</li>
<li>
View the information inside a CSR:
<pre>
openssl req -noout -text -in csclub.uwaterloo.ca.csr
</pre>
</li>
<li>
View the information inside a private key:
<pre>
openssl pkey -noout -text -in csclub.uwaterloo.ca.key
</pre>
</li>
<li>
View information inside a certificate:
<pre>
openssl x509 -noout -text -in csclub.uwaterloo.ca.crt
</pre>
</li>
</ul>

=== csclub.cloud ===
Once a year, someone from IST will ask us to create a temporary TXT record for csclub.cloud to prove to GlobalSign that we own it. This must be created at the root of the domain. Since this zone is managed dynamically (via the acme.sh script on biloba, see below), we need to freeze the domain and update /var/lib/bind/db.csclub.cloud directly. Here are the steps:
<ol>
<li>Run <code>rndc freeze csclub.cloud</code>.</li>
<li>
Open /var/lib/bind/db.csclub.cloud and add a new TXT record. It'll look something like
<pre>
TXT "_globalsign-domain-verification=blablabla"
</pre>
</li>
<li>
In the same file, make sure to also update the SOA serial number. It should generally be YYYYMMDDNN where NN is a monotonically increasing counter (YYYYMMDD is the current date).
</li>
<li>Run <code>rndc reload</code>.</li>
<li>
Run a DNS query to make sure you can see the TXT record:
<pre>
dig -t txt @dns1 csclub.cloud
dig -t txt @dns2 csclub.cloud
</pre>
</li>
<li>Email back the person from IST and let them know that we created the TXT record.</li>
<li>
Once the certificate has been renewed, delete the TXT record, update the SOA serial number, and run <code>rndc reload</code>.
</li>
<li>Run <code>rndc thaw csclub.cloud</code>.</li>
</ol>

== Certificate Files ==
Let's say you obtain a new certificate for *.csclub.uwaterloo.ca. Here are the files which should be stored in the certs folder:
<ul>
<li>csclub.uwaterloo.ca.key: private key created by openssl</li>
<li>csclub.uwaterloo.ca.csr: certificate signing request created by openssl</li>
<li>order: order number from GlobalSign</li>
<li>csclub.uwaterloo.ca.crt: certificate created by GlobalSign</li>
<li>globalsign-intermediate.crt: intermediate certificate from GlobalSign, obtainable from [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates here]. As of this writing, we use the "OrganizationSSL SHA-256 R3 Intermediate Certificate". Just click the "View in Base64" button and copy the contents.
<ul>
<li>There is an alternative way to get the intermediate certificate: if you run <code>openssl x509 -noout -text -in csclub.uwaterloo.ca.crt</code>, under X509v3 extensions > Authority Information Access, there should be a field called "CA Issuers" which has a URL which looks like http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt. You can download that file and convert it to PEM:
<pre>
wget https://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
openssl x509 -inform der -in gsrsaovsslca2018.crt -out globalsign-intermediate.crt
rm gsrsaovsslca2018.crt
</pre>
</li>
</ul>
</li>
</ul><ul>
<li>csclub.uwaterloo.ca.chain: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.crt globalsign-intermediate.crt > csclub.uwaterloo.ca.chain
</pre>
</li>
<li>csclub.uwaterloo.ca.pem: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.key csclub.uwaterloo.ca.chain > csclub.uwaterloo.ca.pem
chmod 600 csclub.uwaterloo.ca.pem
</pre>
</li>
</ul>

== Certificate Locations ==

Keep a copy of newly generated certificates in /users/sysadmin/certs.

A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.

* caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* coffee:/etc/ssl/private/csclub.uwaterloo.ca (for PostgreSQL and MariaDB)
* mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
* mailman:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* rt:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* potassium-benzoate:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* phosphoric-acid:/etc/ssl/private/csclub-wildcard-chain.crt (for ceod)
* auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* auth2:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* mattermost:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* load-balancer-0(1|2):/etc/ssl/private/csclub.uwaterloo.ca (for haproxy) [temporarily down 2020]
* chat:/etc/ssl/private/csclub-wildcard-chain.crt (for nginx)
* prometheus:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* bigbluebutton:/etc/nginx/ssl/csclub-wildcard-chain.crt (podman container on xylitol)
* icy:/etc/ssl/private/csclub-wildcard.pem (for Icecast)
* chamomile:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* biloba:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* nextcloud (nspawn container inside guayusa): /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)

Some services (e.g. Dovecot, Postfix) prefer to have the certificate chain in one file. Concatenate the appropriate intermediate root to the end of the certificate and store this as csclub-wildcard-chain.crt.

=== More certificate locations ===
We have some SSL certificates which are not used by web servers, but still need to be renewed eventually.

==== Prometheus node exporter ====
All of our Prometheus node exporters are using mTLS via stunnel (every bare-metal host, as well as caffeine, coffee and mail, is running this exporter). The certificates (both client and server) are set to expire in September 2031; before then, create new keypairs in /opt/prometheus/tls, and deploy the new server.crt, node.crt and node.key to /etc/stunnel/tls on all machines. Restart prometheus and all of the node exporters.

==== ADFS ====
See [[ADFS]]. When the university's IdP certificate expires (October 2025), we can just download a new one and restart Apache; when our own certificate expires (July 2031), we need to submit a new form to IST (please do this before the cert expires).

==== Keycloak ====
See [[Keycloak]]. When the saml-passthrough certificate expires (January 2032), you need to create a new keypair in /srv/saml-passthrough on caffeine, and upload the new certificate into the Keycloak UI (IdP settings). When the Keycloak SP certificate expires (December 2031), make sure to create a new keypair and upload it to the Keycloak UI (Realm Settings).

== letsencrypt ==

We support letsencrypt for our virtual hosts with custom domains. We use the <tt>cerbot</tt> from debian repositories with a configuration file at <tt>/etc/letsencrypt/cli.ini</tt>, and a systemd timer to handle renewals.

The setup for a new domain is:

# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar.
# Run <tt>certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.
# Set up the Apache site configuration using the example below. (apache config is in /etc/apache2) Note the permanent redirect to https.
# Make sure to commit your changes when you're done.
# Reloading apache config is <tt>sudo systemctl reload apache2</tt>.

<VirtualHost *:80>
ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

#DocumentRoot /users/example/www/
Redirect permanent / https://example.com/

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

<VirtualHost csclub:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLStrictSNIVHostCheck on

ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

DocumentRoot /users/example/www

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

== acme.sh ==
We are using [https://github.com/acmesh-official/acme.sh acme.sh] for provisioning SSL certificates for some of our *.csclub.cloud domains. It is currently set up under /root/.acme.sh on biloba.

NOTE: acme.sh has a cron job which automatically renews certificates before they expire and reloads NGINX, so you do not have to do anything after issuing and installing a certificate (i.e. "set-and-forget").

=== How to add a new SSL cert for a custom domain on CSC cloud ===
Let's say user <code>ctdalek</code> wants <code>mydomain.com</code> to point to a VM on CSC cloud.
 
TLDR:
<pre>
# Obtain the cert.
# If a subdomain was also requested, pass the -d option multiple times, e.g.
# `-d mydomain.com -d sub.mydomain.com`. Make sure the "main" domain is specified first.
acme.sh --issue -d mydomain.com -w /var/www

# Install the cert.
# If a subdomain was also requested, only specify the "main" domain.
acme.sh --install-cert -d mydomain.com \
--key-file /etc/nginx/ceod/member-ssl/mydomain.com.key \
--fullchain-file /etc/nginx/ceod/member-ssl/mydomain.com.chain \
--reloadcmd "/root/bin/reload-nginx.sh"

# Create a vhost file.
# Look at the other files in the same directory for inspiration.
# Make sure the file starts with the username and an underscore, e.g. "ctdalek_",
# because this is how ceod keeps track of the vhosts.
# Make sure to set the custom domain name(s) and paths to the SSL key/cert.
vim /etc/nginx/ceod/member-vhosts/ctdalek_mydomain.com

# Finally, reload NGINX on both biloba and chamomile. The /etc/nginx/ceod directory
# is shared between them.
/root/bin/reload-nginx.sh
</pre>

=== Installation ===
<pre>
cd /opt
git clone --depth 1 https://github.com/acmesh-official/acme.sh
cd acme.sh
./acme.sh --install -m syscom@csclub.uwaterloo.ca
. "/root/.acme.sh/acme.sh.env"
</pre>
Important: If invoking acme.sh from another program, it needs the environment variables set in acme.sh.env. Currently, that is just
<pre>
LE_WORKING_DIR="/root/.acme.sh"
</pre>

For testing purposes, make sure to use the Let's Encrypt test server:
<pre>
acme.sh --set-default-ca --server letsencrypt_test
</pre>

=== NGINX setup ===
<pre>
mkdir -p /var/www/.well-known/acme-challenge
</pre>
Add the following snippet to your default NGINX file (e.g. /etc/nginx/sites-enabled/default):
<pre>
# For Let's Encrypt
location /.well-known/acme-challenge/ {
alias /var/www/.well-known/acme-challenge/;
}
</pre>

Now assuming that biloba has the IP address for *.csclub.cloud, you can test that everything is working:
<pre>
acme.sh --issue -d app.merenber.csclub.cloud -w /var/www
</pre>
To install a certificate after it's been issued:
<pre>
acme.sh --install-cert -d app.merenber.csclub.cloud \
--key-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain \
--reloadcmd "/root/bin/reload-nginx.sh"
</pre>
At this point, you should add your NGINX vhost file which uses that SSL certificate.
 
To remove a certificate:
<pre>
acme.sh --remove -d app.merenber.csclub.cloud
rm -r /root/.acme.sh/app.merenber.csclub.cloud
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key
</pre>
Don't forget to remove the NGINX vhost file too.

Once you think you're ready, use a real ACME provider, e.g.
<pre>
acme.sh --set-default-ca --server letsencrypt
</pre>

Since we have a [https://zerossl.com ZeroSSL] account, and ZeroSSL has no rate limit, we are going to use that instead:
<pre>
acme.sh --register-account --server zerossl \
--eab-kid xxxxxxxxxxxx \
--eab-hmac-key xxxxxxxxx
acme.sh --set-default-ca --server zerossl
</pre>

=== DNS challenge ===
To obtain a wildcard certificate (e.g. *.k8s.csclub.cloud), you will need to perform the DNS-01 challenge. We are going to use nsupdate to interact with our BIND9 server on dns1.

On dns1, run:
<pre>
tsig-keygen csc-cloud
</pre>
Paste the output into the appropriate section in /etc/bind/named.conf.local. Also paste it into a file somewhere on biloba, e.g. /etc/csc/csc-cloud-tsig.key.

Add the following to the csclub.cloud zone block:
<pre>
allow-update {
!{
!127.0.0.1;
!::1;
!129.97.134.0/24;
!2620:101:f000:4901::/64;
any;
};
key csc-cloud;
};
</pre>
(We're basically trying to restrict updates to the given IP ranges. See https://serverfault.com/a/417229.)

The 'bind' user can't write to files under /etc/bind, so we're going to move our zone file to /var/lib/bind instead.
Comment out 'file "/etc/bind/db.csclub.cloud";' from named.conf.local and add this line below it:
<pre>
file "/var/lib/bind/db.csclub.cloud";
</pre>
Then run:
<pre>
cp /etc/bind/db.csclub.cloud /var/lib/bind/db.csclub.cloud
chown bind:bind /var/lib/bind/db.csclub.cloud
rndc reload
</pre>

On biloba, check that everything's working:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
update add test.csclub.cloud 300 A 0.0.0.0
send
EOF
</pre>
Use a tool such as <code>dig</code> to make sure that the update was successful.
If it worked, you can delete the record:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
delete test.csclub.cloud
send
EOF
</pre>
Now we are ready to actually perform the challenge with acme.sh:
<pre>
export NSUPDATE_SERVER="dns1.csclub.uwaterloo.ca"
export NSUPDATE_KEY="/etc/csc/csc-cloud-tsig.key"
acme.sh --issue --dns dns_nsupdate -d 'k8s.csclub.cloud' -d '*.k8s.csclub.cloud'
</pre>
(If something goes wrong, use the <code>--debug</code> flag.)

If all went well, just install the certificate as usual:
<pre>
acme.sh --install-cert -d k8s.csclub.cloud \
--key-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.chain \
--reloadcmd 'systemctl reload nginx'
</pre>

SSL

2023-10-17T06:50:17Z

N4chung: remove logstash

== GlobalSign ==

The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.

When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the [https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/certificate-authority/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates IST-CA self service system]. Please keep a copy of the key, CSR and (once issued) certificate in <tt>/home/sysadmin/certs</tt>. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for <tt>*.csclub.uwaterloo.ca</tt>.

At the self-service portal, these options worked in 2013. If you need IST assistance, [mailto:ist-ca@uwaterloo.ca ist-ca@uwaterloo.ca] is the email address you should contact.
Products: OrganizationSSL
SSL Certificate Type: Wildcard SSL Certificate
Validity Period: 1 year
Are you switching from a Competitor? No, I am not switching
Are you renewing this Certificate? Yes (paste current certificate)
30-day bonus: Yes (why not?)
Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN)
Enter Certificate Signing Request (CSR): Yes (paste CSR)
Contact Information:
First Name: Computer Science Club
Last Name: Systems Committee
Telephone: +1 519 888 4567 x33870
Email Address: syscom@csclub.uwaterloo.ca

=== Helpful links ===
* [https://support.globalsign.com/ssl/ssl-certificates-installation/generate-csr-openssl How to generate a new CSR and private key]
* [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/262013183/How+to+obtain+a+new+GlobalSign+certificate+or+renew+an+existing+one How to obtain a new GlobalSign certificate or renew an existing one]
* [https://system.globalsign.com/bm/public/certificate/poporder.do?domain=PAR12271n5w6s27pvg8d92v4150t GlobalSign UWaterloo self-service page]
* [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates GlobalSign intermediate certificate] (needed to create a certificate chain; see below)

=== OpenSSL cheat sheet ===
<ul>
<li>
Generate a new CSR and private key (do this in a new directory):
<pre>
openssl req -out csclub.uwaterloo.ca.csr -new -newkey rsa:2048 -keyout csclub.uwaterloo.ca.key -nodes
</pre>
Enter the following information at the prompts:
<pre>
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Waterloo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
Organizational Unit Name (eg, section) []:Computer Science Club
Common Name (e.g. server FQDN or YOUR name) []:*.csclub.uwaterloo.ca
Email Address []:systems-committee@csclub.uwaterloo.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>
</li>
<li>
View the information inside a CSR:
<pre>
openssl req -noout -text -in csclub.uwaterloo.ca.csr
</pre>
</li>
<li>
View the information inside a private key:
<pre>
openssl pkey -noout -text -in csclub.uwaterloo.ca.key
</pre>
</li>
<li>
View information inside a certificate:
<pre>
openssl x509 -noout -text -in csclub.uwaterloo.ca.crt
</pre>
</li>
</ul>

=== csclub.cloud ===
Once a year, someone from IST will ask us to create a temporary TXT record for csclub.cloud to prove to GlobalSign that we own it. This must be created at the root of the domain. Since this zone is managed dynamically (via the acme.sh script on biloba, see below), we need to freeze the domain and update /var/lib/bind/db.csclub.cloud directly. Here are the steps:
<ol>
<li>Run <code>rndc freeze csclub.cloud</code>.</li>
<li>
Open /var/lib/bind/db.csclub.cloud and add a new TXT record. It'll look something like
<pre>
TXT "_globalsign-domain-verification=blablabla"
</pre>
</li>
<li>
In the same file, make sure to also update the SOA serial number. It should generally be YYYYMMDDNN where NN is a monotonically increasing counter (YYYYMMDD is the current date).
</li>
<li>Run <code>rndc reload</code>.</li>
<li>
Run a DNS query to make sure you can see the TXT record:
<pre>
dig -t txt @dns1 csclub.cloud
dig -t txt @dns2 csclub.cloud
</pre>
</li>
<li>Email back the person from IST and let them know that we created the TXT record.</li>
<li>
Once the certificate has been renewed, delete the TXT record, update the SOA serial number, and run <code>rndc reload</code>.
</li>
<li>Run <code>rndc thaw csclub.cloud</code>.</li>
</ol>

== Certificate Files ==
Let's say you obtain a new certificate for *.csclub.uwaterloo.ca. Here are the files which should be stored in the certs folder:
<ul>
<li>csclub.uwaterloo.ca.key: private key created by openssl</li>
<li>csclub.uwaterloo.ca.csr: certificate signing request created by openssl</li>
<li>order: order number from GlobalSign</li>
<li>csclub.uwaterloo.ca.crt: certificate created by GlobalSign</li>
<li>globalsign-intermediate.crt: intermediate certificate from GlobalSign, obtainable from [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates here]. As of this writing, we use the "OrganizationSSL SHA-256 R3 Intermediate Certificate". Just click the "View in Base64" button and copy the contents.
<ul>
<li>There is an alternative way to get the intermediate certificate: if you run <code>openssl x509 -noout -text -in csclub.uwaterloo.ca.crt</code>, under X509v3 extensions > Authority Information Access, there should be a field called "CA Issuers" which has a URL which looks like http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt. You can download that file and convert it to PEM:
<pre>
wget https://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
openssl x509 -inform der -in gsrsaovsslca2018.crt -out globalsign-intermediate.crt
rm gsrsaovsslca2018.crt
</pre>
</li>
</ul>
</li>
</ul><ul>
<li>csclub.uwaterloo.ca.chain: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.crt globalsign-intermediate.crt > csclub.uwaterloo.ca.chain
</pre>
</li>
<li>csclub.uwaterloo.ca.pem: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.key csclub.uwaterloo.ca.chain > csclub.uwaterloo.ca.pem
chmod 600 csclub.uwaterloo.ca.pem
</pre>
</li>
</ul>

== Certificate Locations ==

Keep a copy of newly generated certificates in /users/sysadmin/certs.

A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.

* caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* coffee:/etc/ssl/private/csclub.uwaterloo.ca (for PostgreSQL and MariaDB)
* mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
* mailman:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* rt:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* potassium-benzoate:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* phosphoric-acid:/etc/ssl/private/csclub-wildcard-chain.crt (for ceod)
* auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* auth2:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* mattermost:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* load-balancer-0(1|2):/etc/ssl/private/csclub.uwaterloo.ca (for haproxy) [temporarily down 2020]
* chat:/etc/ssl/private/csclub-wildcard-chain.crt (for nginx)
* znc:/etc/ssl/private/csclub-wildcard-chain.crt (for ZNC and nginx)
* prometheus:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* bigbluebutton:/etc/nginx/ssl/csclub-wildcard-chain.crt (podman container on xylitol)
* icy:/etc/ssl/private/csclub-wildcard.pem (for Icecast)
* chamomile:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* biloba:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* nextcloud (nspawn container inside guayusa): /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)

Some services (e.g. Dovecot, Postfix) prefer to have the certificate chain in one file. Concatenate the appropriate intermediate root to the end of the certificate and store this as csclub-wildcard-chain.crt.

=== More certificate locations ===
We have some SSL certificates which are not used by web servers, but still need to be renewed eventually.

==== Prometheus node exporter ====
All of our Prometheus node exporters are using mTLS via stunnel (every bare-metal host, as well as caffeine, coffee and mail, is running this exporter). The certificates (both client and server) are set to expire in September 2031; before then, create new keypairs in /opt/prometheus/tls, and deploy the new server.crt, node.crt and node.key to /etc/stunnel/tls on all machines. Restart prometheus and all of the node exporters.

==== ADFS ====
See [[ADFS]]. When the university's IdP certificate expires (October 2025), we can just download a new one and restart Apache; when our own certificate expires (July 2031), we need to submit a new form to IST (please do this before the cert expires).

==== Keycloak ====
See [[Keycloak]]. When the saml-passthrough certificate expires (January 2032), you need to create a new keypair in /srv/saml-passthrough on caffeine, and upload the new certificate into the Keycloak UI (IdP settings). When the Keycloak SP certificate expires (December 2031), make sure to create a new keypair and upload it to the Keycloak UI (Realm Settings).

== letsencrypt ==

We support letsencrypt for our virtual hosts with custom domains. We use the <tt>cerbot</tt> from debian repositories with a configuration file at <tt>/etc/letsencrypt/cli.ini</tt>, and a systemd timer to handle renewals.

The setup for a new domain is:

# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar.
# Run <tt>certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.
# Set up the Apache site configuration using the example below. (apache config is in /etc/apache2) Note the permanent redirect to https.
# Make sure to commit your changes when you're done.
# Reloading apache config is <tt>sudo systemctl reload apache2</tt>.

<VirtualHost *:80>
ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

#DocumentRoot /users/example/www/
Redirect permanent / https://example.com/

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

<VirtualHost csclub:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLStrictSNIVHostCheck on

ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

DocumentRoot /users/example/www

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

== acme.sh ==
We are using [https://github.com/acmesh-official/acme.sh acme.sh] for provisioning SSL certificates for some of our *.csclub.cloud domains. It is currently set up under /root/.acme.sh on biloba.

NOTE: acme.sh has a cron job which automatically renews certificates before they expire and reloads NGINX, so you do not have to do anything after issuing and installing a certificate (i.e. "set-and-forget").

=== How to add a new SSL cert for a custom domain on CSC cloud ===
Let's say user <code>ctdalek</code> wants <code>mydomain.com</code> to point to a VM on CSC cloud.
 
TLDR:
<pre>
# Obtain the cert.
# If a subdomain was also requested, pass the -d option multiple times, e.g.
# `-d mydomain.com -d sub.mydomain.com`. Make sure the "main" domain is specified first.
acme.sh --issue -d mydomain.com -w /var/www

# Install the cert.
# If a subdomain was also requested, only specify the "main" domain.
acme.sh --install-cert -d mydomain.com \
--key-file /etc/nginx/ceod/member-ssl/mydomain.com.key \
--fullchain-file /etc/nginx/ceod/member-ssl/mydomain.com.chain \
--reloadcmd "/root/bin/reload-nginx.sh"

# Create a vhost file.
# Look at the other files in the same directory for inspiration.
# Make sure the file starts with the username and an underscore, e.g. "ctdalek_",
# because this is how ceod keeps track of the vhosts.
# Make sure to set the custom domain name(s) and paths to the SSL key/cert.
vim /etc/nginx/ceod/member-vhosts/ctdalek_mydomain.com

# Finally, reload NGINX on both biloba and chamomile. The /etc/nginx/ceod directory
# is shared between them.
/root/bin/reload-nginx.sh
</pre>

=== Installation ===
<pre>
cd /opt
git clone --depth 1 https://github.com/acmesh-official/acme.sh
cd acme.sh
./acme.sh --install -m syscom@csclub.uwaterloo.ca
. "/root/.acme.sh/acme.sh.env"
</pre>
Important: If invoking acme.sh from another program, it needs the environment variables set in acme.sh.env. Currently, that is just
<pre>
LE_WORKING_DIR="/root/.acme.sh"
</pre>

For testing purposes, make sure to use the Let's Encrypt test server:
<pre>
acme.sh --set-default-ca --server letsencrypt_test
</pre>

=== NGINX setup ===
<pre>
mkdir -p /var/www/.well-known/acme-challenge
</pre>
Add the following snippet to your default NGINX file (e.g. /etc/nginx/sites-enabled/default):
<pre>
# For Let's Encrypt
location /.well-known/acme-challenge/ {
alias /var/www/.well-known/acme-challenge/;
}
</pre>

Now assuming that biloba has the IP address for *.csclub.cloud, you can test that everything is working:
<pre>
acme.sh --issue -d app.merenber.csclub.cloud -w /var/www
</pre>
To install a certificate after it's been issued:
<pre>
acme.sh --install-cert -d app.merenber.csclub.cloud \
--key-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain \
--reloadcmd "/root/bin/reload-nginx.sh"
</pre>
At this point, you should add your NGINX vhost file which uses that SSL certificate.
 
To remove a certificate:
<pre>
acme.sh --remove -d app.merenber.csclub.cloud
rm -r /root/.acme.sh/app.merenber.csclub.cloud
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key
</pre>
Don't forget to remove the NGINX vhost file too.

Once you think you're ready, use a real ACME provider, e.g.
<pre>
acme.sh --set-default-ca --server letsencrypt
</pre>

Since we have a [https://zerossl.com ZeroSSL] account, and ZeroSSL has no rate limit, we are going to use that instead:
<pre>
acme.sh --register-account --server zerossl \
--eab-kid xxxxxxxxxxxx \
--eab-hmac-key xxxxxxxxx
acme.sh --set-default-ca --server zerossl
</pre>

=== DNS challenge ===
To obtain a wildcard certificate (e.g. *.k8s.csclub.cloud), you will need to perform the DNS-01 challenge. We are going to use nsupdate to interact with our BIND9 server on dns1.

On dns1, run:
<pre>
tsig-keygen csc-cloud
</pre>
Paste the output into the appropriate section in /etc/bind/named.conf.local. Also paste it into a file somewhere on biloba, e.g. /etc/csc/csc-cloud-tsig.key.

Add the following to the csclub.cloud zone block:
<pre>
allow-update {
!{
!127.0.0.1;
!::1;
!129.97.134.0/24;
!2620:101:f000:4901::/64;
any;
};
key csc-cloud;
};
</pre>
(We're basically trying to restrict updates to the given IP ranges. See https://serverfault.com/a/417229.)

The 'bind' user can't write to files under /etc/bind, so we're going to move our zone file to /var/lib/bind instead.
Comment out 'file "/etc/bind/db.csclub.cloud";' from named.conf.local and add this line below it:
<pre>
file "/var/lib/bind/db.csclub.cloud";
</pre>
Then run:
<pre>
cp /etc/bind/db.csclub.cloud /var/lib/bind/db.csclub.cloud
chown bind:bind /var/lib/bind/db.csclub.cloud
rndc reload
</pre>

On biloba, check that everything's working:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
update add test.csclub.cloud 300 A 0.0.0.0
send
EOF
</pre>
Use a tool such as <code>dig</code> to make sure that the update was successful.
If it worked, you can delete the record:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
delete test.csclub.cloud
send
EOF
</pre>
Now we are ready to actually perform the challenge with acme.sh:
<pre>
export NSUPDATE_SERVER="dns1.csclub.uwaterloo.ca"
export NSUPDATE_KEY="/etc/csc/csc-cloud-tsig.key"
acme.sh --issue --dns dns_nsupdate -d 'k8s.csclub.cloud' -d '*.k8s.csclub.cloud'
</pre>
(If something goes wrong, use the <code>--debug</code> flag.)

If all went well, just install the certificate as usual:
<pre>
acme.sh --install-cert -d k8s.csclub.cloud \
--key-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.chain \
--reloadcmd 'systemctl reload nginx'
</pre>

Meeting:Orgcom Updates/Syscom and Termcom 2023 Fall

2023-10-16T23:38:24Z

N4chung: /* October 5, 2023 */

== December 28, 2023 ==

* '''Meeting Notes''':

== December 14, 2023 ==

* '''Meeting Notes''':

== November 30, 2023 ==

* '''Meeting Notes''':

== November 16, 2023 ==

* '''Meeting Notes''':

== November 2, 2023 ==

* '''Meeting Notes''':
* Installed and setup X99 office terminal with CSC systems

== October 19, 2023 ==

* '''Meeting Notes''':
* Diarized server room maintenance visit

== October 5, 2023 ==

* '''Meeting Notes''': [[Saturday 14 October 2023 Termcom Meeting]]
* Talked to CSCF about hardware acquisition
* Determined potential CSC Cloud server specifications
* Got quote for CSC Cloud server through CSCF
* Assembled new team for Mirror Checker rewrite.
* CSC Cloud and CSC Club Rep Infrastructure Upgrades
* Web Hosting maintenance

== September 21, 2023 ==

* '''Meeting Notes''': [[Saturday 23 September 2023 Termcom Meeting]]
* Researched new CSC Cloud server specifications
* Started new PyCeo tickets:
** https://git.csclub.uwaterloo.ca/public/pyceo/issues/103
* Continued development on new Linux mirror monitoring software
* Reached out to CSCF about Netapp migration
* Managed dozens of member registrations
* Onboarded a dozen club reps and new clubs/design-teams for club hosting for F23
* Revamped observability stack of CSC infrastructure (Vector and ClickHouse)
** Improved data durability and metric quality
** Improved monitoring capabilities and system reliability
* Mitigated security risks with banned member
* Performed system upgrades to some General Use machines (Debian Bookworm upgrade and migration)

Meeting:Saturday 14 October 2023 Termcom Meeting

2023-10-15T01:26:11Z

N4chung: Created page with "= Task Teams = * '''Mirror-Checker-NG''': Nathan, Leon, Jonathan https://git.csclub.uwaterloo.ca/n4chung/mirror-checker-ng/ * '''Club Web Hosting''': Eric * '''CSCF''': Leo, Nathan * '''Pyceo Issues''': Nathan * '''Netapp Migration''': ''helping hands + free labour anybody??'' 🥹 🥹 = Server Room Upgrades = === New CSC Cloud Server === * Currently getting quote from CSCF, then will finalize specs * Needs to last 10+ years === Mirror Upgrades === * Notify upstre..."

= Task Teams =

* '''Mirror-Checker-NG''': Nathan, Leon, Jonathan https://git.csclub.uwaterloo.ca/n4chung/mirror-checker-ng/
* '''Club Web Hosting''': Eric
* '''CSCF''': Leo, Nathan
* '''Pyceo Issues''': Nathan
* '''Netapp Migration''': ''helping hands + free labour anybody??'' 🥹 🥹

= Server Room Upgrades =

=== New CSC Cloud Server ===

* Currently getting quote from CSCF, then will finalize specs
* Needs to last 10+ years

=== Mirror Upgrades ===

* Notify upstream projects of down time
* Backup mirror?? (DNE anymore?)
** CSCF decommissioned it?
* Make sure we have enough RAM Dimms

=== Netapp Migration ===

* LOTS of hands!!
* CSC General-use Machine Downtime
* New rack space (this thing is HUGEE)
* Data migration (from old NetApp)

= Software =

=== Club Hosting ===

* Multiple clubs/design-teams have asked for improvements to our club hosting tech stack, specifically with '''dynamic web servers'''!
* need to upgrade tech stack
* Two Paths: improve tech stack on Caffeine and CSC Cloud "club account" (similar to members) @e266li
** Max is the CSC Cloud expert
** Web hosting is done on Caffeine
* '''''Ideally, this will be done in the upcoming months :)'''''

=== Pyceo ===

* Identify important Gitea Issues https://git.csclub.uwaterloo.ca/public/pyceo/issues @n4chung

Meeting:Orgcom Updates/Syscom and Termcom 2023 Fall

2023-10-01T05:25:41Z

N4chung: syscom and termcom

== December 28, 2023 ==

* '''Meeting Notes''':

== December 14, 2023 ==

* '''Meeting Notes''':

== November 30, 2023 ==

* '''Meeting Notes''':

== November 16, 2023 ==

* '''Meeting Notes''':

== November 2, 2023 ==

* '''Meeting Notes''':
* Installed and setup X99 office terminal with CSC systems

== October 19, 2023 ==

* '''Meeting Notes''':
* Diarized server room maintenance visit

== October 5, 2023 ==

* '''Meeting Notes''':
* Finalized new CSC Cloud server specifications
* Got quote for CSC Cloud server through CSCF
* Diarize

== September 21, 2023 ==

* '''Meeting Notes''': [[Saturday 23 September 2023 Termcom Meeting]]
* Researched new CSC Cloud server specifications
* Started new PyCeo tickets:
** https://git.csclub.uwaterloo.ca/public/pyceo/issues/103
* Continued development on new Linux mirror monitoring software
* Reached out to CSCF about Netapp migration
* Managed dozens of member registrations
* Onboarded a dozen club reps and new clubs/design-teams for club hosting for F23
* Revamped observability stack of CSC infrastructure (Vector and ClickHouse)
** Improved data durability and metric quality
** Improved monitoring capabilities and system reliability
* Mitigated security risks with banned member
* Performed system upgrades to some General Use machines (Debian Bookworm upgrade and migration)

Meeting:Orgcom Updates

2023-10-01T05:09:45Z

N4chung: syscom and termcom

The Organizing Committee periodically gives updates throughout the term. Check out the linked pages to stay in the know!

== President ==

=== Responsibilities ===

* Generally oversee everything and lead the club
* Coordinate among execs to make sure [important] things get done
* Act as the club's primary liaison with MathSoc, our parent society
* Generally help out wherever it's needed

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/President_2023_Fall|Fall]]

== Vice-President ==

=== Responsibilities ===

* Oversee the club like President, and take charge in the case of the President’s absence
* Help out with Presidential duties as needed
* Coordinate with team leads, make sure events/initiatives are running smoothly, and relay feedback

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Vice-President_2023_Fall|Fall]]

== Assistant Vice-President ==

=== Responsibilities ===

* Oversee club correspondence and respond to member inquiries
* Alert members of external opportunities such as company events, speakers, etc. via the CSC Discord Server
* Help out with Presidential duties as needed

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Assistant_Vice-President_2023_Fall|Fall]]

== Treasurer ==

=== Responsibilities ===

* Prepare and present the budget to MathSoc
* Ensure that the club stays within budget, and reallocate budget as necessary
* Sign off on cheque request forms, for reimbursement on club expenditures
* Track membership revenue and create membership lists
* Track swag revenue and inventory
* Track pop/snacks revenue

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Treasurer_2023_Fall|Fall]]

== Syscom and Termcom ==

=== Responsibilities (imagine... Platform Engineering + Devops) ===

* Manage existing CSC servers and services
* Update and improve CSC infrastructure based on user needs
* Ensuring CSC infrastructure is reliable, secure and performant
* Assisting other committees with all things related to CSC infrastructure
* Architecting and deploying systems for new and existing services

=== Ideal Candidate ===

* '''TLDR; be interested. be nice to work with. have skills/experience.'''
* highly-motivated to be part of Syscom/Termcom
* interested in CSC infrastructure and services which benefit CSC members and external users (eg. Linux Mirror, MathSoc)
* capable of self-learning and acquiring new skills
* strong time management skills and communication skills
* deep experience in software development and/or GNU/Linux operating systems
* preferably have (some) experience in self-hosted software

'''''NOTE''': Syscom and Termcom work quite closely together in maintaining all CSC infrastructure (both hardware and software). Although the responsibilities of Termcom are (technically) a "subset" of Syscom's responsibilities, Termcom's responsibilities are fairly similar to Syscom. Thus, they will be grouped together above!''

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Syscom_and_Termcom_2023_Fall|Fall]]

== CodeyBot Developers ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/CodeyBot_Developers_2023_Fall|Fall]]

== Community Representatives ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Community_Representatives_2023_Fall|Fall]]

== Design ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Design_2023_Fall|Fall]]

== Events ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Events_2023_Fall|Fall]]

== External Affairs ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/External_Affairs_2023_Fall|Fall]]

== Marketing ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Marketing_2023_Fall|Fall]]

== Office Staff ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Office_Staff_2023_Fall|Fall]]

== Photography ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Photography_2023_Fall|Fall]]

== Webcom ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Webcom_2023_Fall|Fall]]

Meeting:Orgcom Updates

2023-10-01T05:03:42Z

N4chung: syscom and termcom

The Organizing Committee periodically gives updates throughout the term. Check out the linked pages to stay in the know!

== President ==

=== Responsibilities ===

* Generally oversee everything and lead the club
* Coordinate among execs to make sure [important] things get done
* Act as the club's primary liaison with MathSoc, our parent society
* Generally help out wherever it's needed

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/President_2023_Fall|Fall]]

== Vice-President ==

=== Responsibilities ===

* Oversee the club like President, and take charge in the case of the President’s absence
* Help out with Presidential duties as needed
* Coordinate with team leads, make sure events/initiatives are running smoothly, and relay feedback

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Vice-President_2023_Fall|Fall]]

== Assistant Vice-President ==

=== Responsibilities ===

* Oversee club correspondence and respond to member inquiries
* Alert members of external opportunities such as company events, speakers, etc. via the CSC Discord Server
* Help out with Presidential duties as needed

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Assistant_Vice-President_2023_Fall|Fall]]

== Treasurer ==

=== Responsibilities ===

* Prepare and present the budget to MathSoc
* Ensure that the club stays within budget, and reallocate budget as necessary
* Sign off on cheque request forms, for reimbursement on club expenditures
* Track membership revenue and create membership lists
* Track swag revenue and inventory
* Track pop/snacks revenue

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Treasurer_2023_Fall|Fall]]

== Syscom and Termcom ==

=== Responsibilities ===

* Manage existing CSC servers and services
* Update and improve CSC infrastructure
* Resolve all problems
* Show strong knowledge of GNU/Linux systems and self-hosted software
* Ensuring CSC infrastructure is reliable, secure and performant
* Assisting other commitments with all things "tech"
* Architecting and deploying systems for new and existing services

=== Ideal Candidate ===

* highly-motivated to be part of Syscom/Termcom
* interested in CSC infrastructure and services which benefit CSC members and external users (eg. Linux Mirror, MathSoc)
* capable of self-learning and acquiring new skills
* strong time management skills and communication skills
* deep experience in software development and/or GNU/Linux operating systems

'''''NOTE''': Syscom and Termcom work quite closely together in maintaining all CSC infrastructure (both hardware and software). Although the responsibilities of Termcom are (technically) a "subset" of Syscom's responsibilities, Termcom's responsibilities are fairly similar to Syscom. Thus, they will be grouped together above!''

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Syscom_and_Termcom_2023_Fall|Fall]]

== CodeyBot Developers ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/CodeyBot_Developers_2023_Fall|Fall]]

== Community Representatives ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Community_Representatives_2023_Fall|Fall]]

== Design ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Design_2023_Fall|Fall]]

== Events ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Events_2023_Fall|Fall]]

== External Affairs ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/External_Affairs_2023_Fall|Fall]]

== Marketing ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Marketing_2023_Fall|Fall]]

== Office Staff ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Office_Staff_2023_Fall|Fall]]

== Photography ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Photography_2023_Fall|Fall]]

== Webcom ==

=== Responsibilities ===

* Coming soon!

=== Updates ===

==== 2023 ====

* [[Orgcom_Updates/Webcom_2023_Fall|Fall]]

Meeting:Saturday 23 September 2023 Termcom Meeting

2023-09-24T01:42:50Z

N4chung:

== Notes ==

* WATIAM of the maintainer/person doing the task is placed beside the item list
* To Termcom: feel free to volunteer yourself for anything below! Some things may require more subject domain knowledge and so on, but more senior Syscom members would be interested in helping!

== Todo List ==

=== "High(er)" Priority ===

* '''Determine new server specs'''
* '''Recap Mirror Upgrade Parts'''
** Upgrade BOM
** Where are the parts?
** Upgrade Logistics - ''mirror downtime??''
** Server Room Logistics
* '''CSCF contact for hardware purchase'''
** get hardware quotes
* '''Mirror checker'''
** Push latest source @n4chung
** Implement remaining/missing checkers @????
** Deploy to staging/prod?
* '''Faculty/CSCF Inheritance'''
** Potentially new servers (from last term) - ''they seem busy with their own things too''
** Netapp integration (from CSCF)
* '''Server Rack/Room Installation'''
** Helping hands? ''we need some people to bring the heavy server stuff around''
** Server Room Access
** Rearranging servers - ''the NetApp fills a full 42U?? (It's huge)''
**

=== Normal Priority ===

* '''Pyceo Issues (Notable Ones)''' https://git.csclub.uwaterloo.ca/public/pyceo
** #101 - Validate usernames of new members https://git.csclub.uwaterloo.ca/public/pyceo/issues/101
*** Should be straightforward and be good for learning about CSC infrastructure
** #99 - TLS certificates for expired members' custom domains should get deleted https://git.csclub.uwaterloo.ca/public/pyceo/issues/99
*** IMPORTANT: for allowing members to use CSC's limited IPs for port forwarding??
** #87 - Automate custom domain VHOST support in CSC Cloud https://git.csclub.uwaterloo.ca/public/pyceo/issues/87
*** Almost done... need to finish implementing some CI tests
** #102 - Add tracing https://git.csclub.uwaterloo.ca/public/pyceo/issues/102
* '''Certbot''': fix errors coming from two domains (expired raymo and WICS?)
* '''Kubernetes''': sketchy PV (persistent volume) setup
* '''CEO WebUI'''
** Membership Website Verification (with Webcom)
** ... ''(I think I missed something here) @Max''
* '''CSC Cloud Port Forwarding''' @j24chung
** Allow members to
* '''Club Custom Web Stack''' @e226li
** "It's 2023"... it shouldn't be this sketch

* '''Mailing List Moderation (Spam)''' Rotation Schedule
** Termcom could help moderate...
** Put mail in a "shared" location? ''Nextcloud?!?''
** ''Rorate every two weeks?''
** (Could mailman "intelligently" forward emails??)

=== Low Priority ===

* '''Observability Stack''': revamp logging
* '''X99 Office Terminal'''
** Requires decent GNU/Linux knowledge
** Install Debian
** Configure to use (potentially sussy) CSC infrastructure 
== Meeting Agenda Topics ==

* Mirror Hardware upgrade
* New Server Acquisition
* CEO Issues/PRs
* Mirror Checker Rewrite (mirror-checker-ng)
* Termcom responsibilities
* Information from Last Term

Meeting:Saturday 23 September 2023 Termcom Meeting

2023-09-24T01:38:31Z

N4chung:

== Notes ==

* WATIAM of the maintainer/person doing the task is placed beside the item list
* To Termcom: feel free to volunteer yourself for anything below! Some things may require more subject domain knowledge and so on, but more senior Syscom members would be interested in helping!

== Todo List ==

=== "High(er)" Priority ===

* '''Determine new server specs'''
* '''Recap Mirror Upgrade Parts'''
** Upgrade BOM
** Where are the parts?
** Upgrade Logistics - ''mirror downtime??''
** Server Room Logistics
* '''CSCF contact for hardware purchase'''
** get hardware quotes
* '''Mirror checker'''
** Push latest source @n4chung
** Implement remaining/missing checkers @????
** Deploy to staging/prod?
* '''Faculty/CSCF Inheritance'''
** Potentially new servers (from last term) - ''they seem busy with their own things too''
** Netapp integration (from CSCF)
* '''Server Rack/Room Installation'''
** Helping hands? ''we need some people to bring the heavy server stuff around''
** Server Room Access
** Rearranging servers - ''the NetApp fills a full 42U?? (It's huge)''
**

=== Normal Priority ===

* '''Pyceo Issues (Notable Ones)''' https://git.csclub.uwaterloo.ca/public/pyceo
** #101 - Validate usernames of new members https://git.csclub.uwaterloo.ca/public/pyceo/issues/101
*** Should be straightforward and be good for learning about CSC infrastructure
** #99 - TLS certificates for expired members' custom domains should get deleted https://git.csclub.uwaterloo.ca/public/pyceo/issues/99
*** IMPORTANT: for allowing members to use CSC's limited IPs for port forwarding??
** #87 - Automate custom domain VHOST support in CSC Cloud https://git.csclub.uwaterloo.ca/public/pyceo/issues/87
*** Almost done... need to finish implementing some CI tests
** #102 - Add tracing https://git.csclub.uwaterloo.ca/public/pyceo/issues/102
* '''Certbot''': fix errors coming from two domains (expired raymo and WICS?)
* '''Kubernetes''': sketchy PV (persistent volume) setup
* '''CEO WebUI'''
** Membership Website Verification (with Webcom)
** ... ''(I think I missed something here) @Max''
* '''CSC Cloud Port Forwarding''' @j24chung
** Allow members to
* '''Club Custom Web Stack'''
** "It's 2023"... it shouldn't be this sketch

* '''Mailing List Moderation (Spam)''' Rotation Schedule
** Termcom could help moderate...
** Put mail in a "shared" location? ''Nextcloud?!?''
** ''Rorate every two weeks?''
** (Could mailman "intelligently" forward emails??)

=== Low Priority ===

* '''Observability Stack''': revamp logging
* '''X99 Office Terminal'''
** Requires decent GNU/Linux knowledge
** Install Debian
** Configure to use (potentially sussy) CSC infrastructure 
== Meeting Agenda Topics ==

* Mirror Hardware upgrade
* New Server Acquisition
* CEO Issues/PRs
* Mirror Checker Rewrite (mirror-checker-ng)
* Termcom responsibilities
* Information from Last Term

Meeting:Saturday 23 September 2023 Termcom Meeting

2023-09-24T01:28:47Z

N4chung:

== Notes ==

* WATIAM of the maintainer/person doing the task is placed beside the item list

== Todo List ==

=== "High(er)" Priority ===

* CSCF contact for hardware
* Determine new server specs; get quotes
* Mirror checker
** Push latest source @n4chung
** Implement remaining/missing checkers @????
** Deploy to staging/prod?
* Netapp integration (from CSCF)

=== Normal Priority ===

* Pyceo Issues (Notable Ones) https://git.csclub.uwaterloo.ca/public/pyceo
** #101 - Validate usernames of new members https://git.csclub.uwaterloo.ca/public/pyceo/issues/101
*** Should be straightforward and be good for learning about CSC infrastructure
** #99 - TLS certificates for expired members' custom domains should get deleted https://git.csclub.uwaterloo.ca/public/pyceo/issues/99
*** IMPORTANT: for allowing members to use CSC's limited IPs for port forwarding??
** #87 - Automate custom domain VHOST support in CSC Cloud https://git.csclub.uwaterloo.ca/public/pyceo/issues/87
*** Almost done... need to finish implementing some CI tests
** #102 - Add tracing https://git.csclub.uwaterloo.ca/public/pyceo/issues/102
* Certbot: two domains
* Kubernetes: sketchy PV thing
* CEO WebUI
** Membership Website Verification (with Webcom)
** ... ''(I think I missed something here) @Max''
* CSC Cloud Port Forwarding @j24chung
** Allow members to
* Club Custom Web Stack
** "It's 2023"... it shouldn't be this sketch

* Mailing List Moderation (Spam) Rotation Schedule

=== Low Priority ===

* Observability Stack: revamp logging
* X99 Office Terminal

== Meeting Agenda Topics ==

* Mirror Hardware upgrade
* New Server Acquisition
* CEO Issues/PRs
* Mirror Checker Rewrite (mirror-checker-ng)
* Termcom responsibilities
* Information from Last Term

Meeting:Saturday 23 September 2023 Termcom Meeting

2023-09-24T01:28:03Z

N4chung: Created page with "== Notes == * WATIAM of the maintainer/person doing the task is placed beside the item list == Todo List == === "High(er)" Priority === * CSCF contact for hardware * Determine new server specs; get quotes * Mirror checker ** Push latest source @n4chung ** Implement remaining/missing checkers @???? ** Deploy to staging/prod? * Certbot: two domains * Kubernetes: sketchy PV thing * Netapp integration * * CEO WebUI ** Membership Website Verification (with Webcom) ** ......"

== Notes ==

* WATIAM of the maintainer/person doing the task is placed beside the item list

== Todo List ==

=== "High(er)" Priority ===

* CSCF contact for hardware
* Determine new server specs; get quotes
* Mirror checker
** Push latest source @n4chung
** Implement remaining/missing checkers @????
** Deploy to staging/prod?
* Certbot: two domains
* Kubernetes: sketchy PV thing
* Netapp integration
*
* CEO WebUI
** Membership Website Verification (with Webcom)
** ... ''(I think I missed something here) @Max''

=== Normal Priority ===

* Pyceo Issues (Notable Ones) https://git.csclub.uwaterloo.ca/public/pyceo
** #101 - Validate usernames of new members https://git.csclub.uwaterloo.ca/public/pyceo/issues/101
*** Should be straightforward and be good for learning about CSC infrastructure
** #99 - TLS certificates for expired members' custom domains should get deleted https://git.csclub.uwaterloo.ca/public/pyceo/issues/99
*** IMPORTANT: for allowing members to use CSC's limited IPs for port forwarding??
** #87 - Automate custom domain VHOST support in CSC Cloud https://git.csclub.uwaterloo.ca/public/pyceo/issues/87
*** Almost done... need to finish implementing some CI tests
** #102 - Add tracing https://git.csclub.uwaterloo.ca/public/pyceo/issues/102
*
* CSC Cloud Port Forwarding @j24chung
** Allow members to
* Club Custom Web Stack
** "It's 2023"... it shouldn't be this sketch

* Mailing List Moderation (Spam) Rotation Schedule

=== Low Priority ===

* Observability Stack: revamp logging
* X99 Office Terminal

== Meeting Agenda Topics ==

* Mirror Hardware upgrade
* New Server Acquisition
* CEO Issues/PRs
* Mirror Checker Rewrite (mirror-checker-ng)
* Termcom responsibilities
* Information from Last Term

How to (Extra) Ban Someone

2023-09-18T22:51:43Z

N4chung:

This is a (hopefully comprehensive) '''guide on ensuring their existing account (based on their WATIAM) is put out of action for good, and immediately'''. This guide is mainly intended for ''Syscom'' as it requires root or admin access to many CSC services.

=== Step 1: Remove Membership ===
Through CEO's TUI (`ceo`) and LDAP ([[Ceo#raymo's guide on how to fix things after screwing up|guide from Raymond]]):

* '''Remove All Membership Terms''': look for `memberTerm` in `ldapvi`
* '''Reset their password''' (**and don't tell them!**)

=== Step 2: Screw Up Their Account ===

* '''Change their Login Shell''' (through LDAP) to something like `/sbin/nologin` or `/bin/false`

'''NOTE''': CEO will not allow this change, so LDAP is best (and likely only way)

=== Step 3: Deauth Them Everywhere ===

* '''Suspend Kerberos''': https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account
* '''Remove their SSH keys''':
** Go to a Syscom-only machine that could edit the `/users` directory ('''be extremely careful''')
** Navigate to the banned users directory, and remove their ssh keys (`.ssh/authorized_keys`)

=== Step 4: Remove all Their Resources ===

* '''Remove their CSC Cloud VMs''': https://wiki.csclub.uwaterloo.ca/CloudStack#Administration
* (optional) Kill all processes they are running in General Use
* (optional) Delete their home directory

How to (Extra) Ban Someone

2023-09-18T17:07:09Z

N4chung: /* Step 4: Remove all Their Resources */

Ahem, so in recent times, we had to ''disable/ban'' a CSC user's account for their repeated attempts to circumvent their ban in MathSoc/CSC (FR, totally no pun intended)...

This is a (hopefully comprehensive) '''guide on ensuring their existing account (based on their WATIAM) is put out of action for good, and immediately'''. This guide is mainly intended for ''Syscom'' as it requires root or admin access to many CSC services.

=== Step 1: Remove Membership ===
Through CEO's TUI (`ceo`) and LDAP ([[Ceo#raymo's guide on how to fix things after screwing up|guide from Raymond]]):

* '''Remove All Membership Terms''': look for `memberTerm` in `ldapvi`
* '''Reset their password''' (**and don't tell them!**)

=== Step 2: Screw Up Their Account ===

* '''Change their Login Shell''' (through LDAP) to something like `/sbin/nologin` or `/bin/false`

'''NOTE''': CEO will not allow this change, so LDAP is best (and likely only way)

=== Step 3: Deauth Them Everywhere ===

* '''Suspend Kerberos''': https://wiki.csclub.uwaterloo.ca/Kerberos#Suspending_an_Account
* '''Remove their SSH keys''':
** Go to a Syscom-only machine that could edit the `/users` directory ('''be extremely careful''')
** Navigate to the banned users directory, and remove their ssh keys (`.ssh/authorized_keys`)

=== Step 4: Remove all Their Resources ===

* '''Remove their CSC Cloud VMs''': https://wiki.csclub.uwaterloo.ca/CloudStack#Administration
* (optional) Kill all processes they are running in General Use
* (optional) Delete their home directory

How to (Extra) Ban Someone

N4chung: add all-hands meeting notes: nov 21

== General ==

* LAST ALL-HANDS IS NEXT WEEK!
* Sign up for CSC Committees Coffee Chats here: <nowiki>https://files.csclub.uwaterloo.ca/apps/forms/</nowiki>[redacted]
** LAST ROUND!!!
** Deadline: Wednesday, November 30, 11:55 pm ET
* Organizing Committees Social at ChristKindl in Kitchener
** <nowiki>https://www.kitchener.ca/en/arts-culture-and-events/visit-christkindl-market.aspx</nowiki>
** Dec 2nd evening
* We will be posting All-hands notes publicly on our Wiki (with links/sensitive info removed ofc) - please keep this in mind when writing updates 🙂

== Termcom/Syscom ==

*

== Events ==

* Events coming up!
** Alt-tab (November 29)
** Tech club social (December 2)
** Afterhours (December 3)
** EOT 🥳🎊
* Organizing Committee social! (information above in general notes)

== Marketing ==

* Worked on:
** Hiring marketing
** Alt tab marketing
** Afterhours marketing
* Working on:
** EOT marketing
** Videos with reps

== External Affairs ==

* Looking for eot sponsor
* Reached out to some clubs regarding tech club social

== Photography ==

* CSC swag photoshoots complete!

* In progress: Project Program Showcase photo album [[File:All-hands-meeting-nov-28-2022-photos.png|1088x1088px]]

== Design ==

*

== Community Representatives (Reps) ==

* Swag
** Hoodies and beanies are currently being sold in the CSC office in MC 3036, don’t miss out on buying yours!!!
** CSC blue logo + CodeyLove vinyl laptop stickers (free!) will arrive at the CSC office TOMORROW
** Swag photoshoot has been completed (special thanks to photography for some absolutely stunning photos 🔥🔥🔥), design + marketing should get them out by this week
* Class Profile
** Questions have been complete
** Submitting to IAP this week (for real this time)
* Internship Repo
** Please contribute to the repo here and spread the word about its existence: <nowiki>https://github.com/uwcsc/2023-internships</nowiki>
* Office
** Chess tournament this Thursday, December 1st in the MC lounge outside of the CSC office!
** Don't forget to sign up for either the for-fun bracket or the competitive bracket by Wednesday, November 31st, 11:59pm :)
** A prize will be given to the winner of the competitive bracket 👀
** Sign-up link: <nowiki>https://forms.gle/1TYm9YbqvY1Uevn5A</nowiki>

== CodeyBot Developers (Discord) ==

* Implemented Crunchbase helper
* Continuing to work on issues from last week

== Web Committee ==

* Continuing work on class profile!

Meeting:Monday 21 November 2022

2022-12-24T08:43:33Z

N4chung: /* Photography */

== General ==

* We will be posting All-hands notes publicly on our Wiki (with links/sensitive info removed ofc) - please keep this in mind when writing updates 🙂
* Sign up for CSC Committees Coffee Chats here: <nowiki>https://files.csclub.uwaterloo.ca/apps/forms/</nowiki>[redacted]
** Plan is to do sign-ups every week (so you can opt out of weeks when you're busy)
** Deadline for this week: Monday, November 21, 11:55 pm ET
* Organizing Committees Social at ChristKindl in Kitchener
** <nowiki>https://www.kitchener.ca/en/arts-culture-and-events/visit-christkindl-market.aspx</nowiki>
** Dec 2nd evening

== Termcom/Syscom ==

* IPv6 issues over the weekend have been resolved - services are back up
* We found some cool old CSC hardware in a storage room and are looking to donate it to the computer history museum in DC

== Events ==

* Events we ran last week!
** WCI Outreach event (Q&A with high school students)
** November code party (cozy code cafe themed 🍂☕️)
** Project Program workshops (Rust and Unity)
** Prof talks!
* Events coming up!
** EOT!
** Alt-tab
** Afterhours
** Tech Club Social
* Organizing Committees Social at ChristKindl in Kitchener instead
** <nowiki>https://www.kitchener.ca/en/arts-culture-and-events/visit-christkindl-market.aspx</nowiki>
** Free entry!
** Dec 2nd evening

== Marketing ==

* (NOT) 73 questions video is out
* Marketing requests
** Hiring
*** Will be sending out newsletters + reaching out to other clubs
** AfterHours
** Merch release
*** Needs to go out asap
** Office interviews
** Alt tab event promo

== External Affairs ==

* Looked for some judges for project program
* Starting to look for potential sponsors for EOT

== Photography ==

* All general member headshots have been taken! Most photos are in the editing process and some have already been sent out :)
* Karaoke Photos
* Prof Talk Photos
* In progress:
** Project Program Workshops
** November Code Party
* Photo highlights:
[[File:All-hands-meeting-nov-21-2022-photo-highlights.png|alt=|frameless|764x764px]] 

== Design ==

* Done:
** CSC merch release
* In progress:
** Alt tab promo
** Afterhours

== Community Representatives (Reps) ==

* Swag
** Hoodies will be picked up on Tuesday!
** Beanies are currently being sold in the CSC office in MC 3036
** CSC blue logo + CodeyLove vinyl laptop stickers (free!) have been ordered and are coming soon!
* Class Profile
** Meeting with web committee to make 2023 Class Profile website development smoother by improving data collection
* Internship Repo
** Please contribute to the repo here and spread the word about its existence: <nowiki>https://github.com/uwcsc/2023-internships</nowiki>
* Office
** Office Board Game Night was a blast! Occurred last Thursday, thank you to those who came out/dropped by
** Possible chess tournament in the works of being planned – planning to be held sometime end of next week or the week after that
** Office interviews to be edited together this week

== CodeyBot Developers (Discord) ==

* Continuing working on issues from the past week

== Web Committee ==

* Continuing working on class profile!
** Finished Demographics page, currently working on the Academics and Co-op information pages.
* Continuing to improve the automatic membership system. Tested it out for the first time during code party 🥳

File:All-hands-meeting-nov-28-2022-photos.png

2022-12-24T08:41:38Z

N4chung: