CSCWiki - User contributions [en]

Nextcloud

2025-11-21T19:21:10Z

Y266shen: Migration and debian 13 upgrade

== Installation Details ==
=== Container setup ===
See https://wiki.csclub.uwaterloo.ca/Systemd-nspawn .

=== Inside the container ===
Use <code>machinectl shell nextcloud</code> to obtain a root shell inside the container.

=== Network configuration ===
Add IPv4 and IPv6 address to <code>/etc/network/interfaces</code> as usual.

=== Install server software ===
Grab the essentials first.

<syntaxhighlight lang="bash">apt install apt-transport-https curl unzip
</syntaxhighlight>

We use PHP 8.4 from the upstream debian trixie (13) repository.
<x>
apt install nginx php8.4-fpm php8.4-curl php8.4-gd php8.4-mbstring php8.4-zip php8.4-mysql php8.4-bz2 php8.4-intl php8.4-redis php8.4-imagick ffmpeg php8.4-bcmath php8.4-ldap php8.4-apcu php8.4-xml php8.4-gmp
</x>

=== Setup Nginx ===
See full configuration at https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html. Change the PHP upstream to this:

<syntaxhighlight lang="nginx">upstream php-handler {
server unix:/var/run/php/php8.4-fpm.sock;
}
</syntaxhighlight>
Also change <code>root</code> to <code>/var/www/nextcloud</code>.

We will use the Mozilla intermediate SSL configuration. See https://ssl-config.mozilla.org/. As of SSL certificate, we will use our wildcard <code>csclub.uwaterloo.ca</code> certificate. Copy them from xylitol.

=== Database setup ===
We'll use the MariaDB instance at coffee. Create a db user and database for nextcloud there. Make sure it will allow connection from ip address of the nextcloud container.

=== Install Nextcloud ===
Download zip from https://nextcloud.com/install/ (find the Archive version). Extract to <code>/var/www/nextcloud</code>. Change owner of the folder to <code>www-data:www-data</code>.

The DNS should be configured by now. Go to https://files.csclub.uwaterloo.ca. Installation page should be up. Fill in the details to finish the installation.

=== Setup cron job ===
We goes the <code>systemd</code> approach. See https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/background_jobs_configuration.html#systemd.

Basically, setup a service and a timer. Enable the timer.

=== LDAP and OIDC setup ===
In our setup, OIDC will be used for SSO (Single Sign On) only. User and group information will then be handled via the LDAP plugin. This ensures user can sign in with their WatIM credential (just like Quest and Learn), and their group information is correctly assigned in Nextcloud.

First setup LDAP plugin. Enable <code>LDAP/AD integration</code> in Apps, then navigate to Settings-Administration-LDAP/AD integration (must be admin). Fill in the information as follows:

* Server
** ldaps://ldap1.csclub.uwaterloo.ca 636
** User DN && Password: blank
** Base DN: dc=csclub,dc=uwaterloo,dc=ca
* User
** LDAP Query: (&(objectClass=member)(!(shadowExpire=1)))
* Login attributes
** LDAP Query: (&(|(objectclass=member))(uid=%uid))
* Group
** LDAP Query: (&(objectClass=posixGroup)(uniqueMember=*))
* Advanced
** Backup (Replica) Host: ldaps://ldap2.csclub.uwaterloo.ca
** Base User Tree: ou=People,dc=csclub,dc=uwaterloo,dc=ca
** Base Group Tree: ou=Group,dc=csclub,dc=uwaterloo,dc=ca
** Group-Member association: uniqueMember
** Special Attributes: mailLocalAddress
** Internal Username: uid

If things goes okay, csc users should appear in Nextcloud's user list.

For OIDC, we use [https://github.com/nextcloud/user_oidc user_oidc] plugin maintained by Nextcloud. First, make sure OIDC won't create any user account (we use LDAP for that) by adding this line to <code>config.php</code>:

<pre>
'user_oidc' => [
'auto_provision' => false,
]
</pre>

Then, create an app in Keycloak (see https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak and [[Keycloak]]) and navigate to "OpenID Connect" tab on the admin panel and add a registered provider. You should only need to fill in "Client ID", "Client secret" and "Discovery endpoint" taken from Keycloak.

=== ''Speed'' ===

==== Memory caching ====

<code>redis</code> and <code>APCu</code> are used for caching. See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/caching_configuration.html. Note that since it's a local setup, we use a UNIX socket to connect to Redis.

<span id="dedicated-push-notification-server"></span>
==== Dedicated push notification server ====

There's a dedicated nextcloud client push notification server available, which should drastically reduce server load if a lot of people are using the Nextcloud client.

See https://github.com/nextcloud/notify_push. To set it up:

# Install "Client Push" app from Nextcloud app store
# Create and enable a systemd service
# Add reverse proxy configuration to nextcloud's Nginx config file

You should test the setup, use https://github.com/nextcloud/notify_push/tree/main/test_client. To those who are unfamiliar with Rust, just clone it and run <code>cargo build --release</code>. You'll find the binary at <code>target/release</code>.

<span id="miscellaneous"></span>
=== Miscellaneous ===

* Email setup
** Just fill it in admin panel.
* Theme
** We use https://github.com/mwalbeck/nextcloud-breeze-dark for some KDE vibe. Oh, change the icon too.

== Common Issues ==

=== 409: Resource in conflict, when auto-uploading ===
Normally caused by Nextcloud not being able to create a folder for whatever, you can just manually create the folder

== Historical ==
No-longer-valid information under here.

=== General Administration Notes (2022) ===
* To use the admin account, use https://files.csclub.uwaterloo.ca/login?direct=1&noredir=1 with the admin credentials found in syscom machine.

=== Storage setup (2022) ===
NFS mount. Add this to <code>/etc/fstab</code>.

<pre>fs00.csclub.uwaterloo.ca:/nextcloud /var/lib/machines/nextcloud/data nfs bg,vers=3,sec=sys,nosuid,nodev 0 0
</pre>
<span id="container-setup"></span>

=== Installing PHP (2022) ===
Nextcloud recommends PHP 8.0 (have JIT support, performance go brrr), but debian bullseye doesn't have it in official repository. So add a thrid-party repository.

Create <code>/etc/apt/sources.list.d/sury-php.list</code>.

<pre>deb https://packages.sury.org/php/ bullseye main
</pre>
And obtain the repository signing key.

<syntaxhighlight lang="bash">curl -O /etc/apt/trusted.gpg.d/sury-php.gpg https://packages.sury.org/php/apt.gpg
</syntaxhighlight>
Finally we can install server software packages.

<syntaxhighlight lang="bash">apt install nginx php8.0-fpm php8.0-curl php8.0-dom php8.0-gd php8.0-mbstring php8.0-zip php8.0-mysql php8.0-bz2 php8.0-intl php8.0-redis php8.0-imagick ffmpeg php8.0-bcmath php8.0-ldap php8.0-apcu libmagickcore-6.q16-6-extra/stable
</syntaxhighlight>
<span id="setup-nginx"></span>

=== OIDC setup (2022) ===
We use https://github.com/pulsejet/nextcloud-oidc-login for OIDC integration with KeyCloak.

First setup Keycloak. See https://github.com/pulsejet/nextcloud-oidc-login#usage-with-keycloak.

Then install this plugin in Nextcloud. Then, edit Nextcloud's config file at <code>/var/www/nextcloud/config/config.php</code>. Here're some highlights.

<syntaxhighlight lang="php">'oidc_login_client_id' => 'nextcloud',
'oidc_login_client_secret' => 'REDACTED',
'oidc_login_provider_url' => 'https://keycloak.csclub.uwaterloo.ca/auth/realms/csc',
'oidc_login_end_session_redirect' => true,
'oidc_login_logout_url' => 'https://files.csclub.uwaterloo.ca/apps/oidc_login/oidc',
'oidc_login_auto_redirect' => true,
'oidc_login_redir_fallback' => true,
'oidc_login_attributes' =>
array (
'id' => 'preferred_username',
'mail' => 'email',
'ldap_uid' => 'preferred_username',
),
'oidc_login_webdav_enabled' => true,
'oidc_login_disable_registration' => false,
'oidc_login_proxy_ldap' => true,
</syntaxhighlight>

Main Page

2025-11-14T02:34:43Z

Y266shen: /* Hardware Infrastructure (the bare metals) */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Club Operation ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

== Systems Documentation ==
=== Introductions ===
Start here if you have no clue how a subsystem works
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Intro to Authentication]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Machine List]]
* [[Decommissioned Machines]]
* [[Filer]]
* [[Switches]]
* [[IPMI101]]
* [[Disk Drive RMA Process]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[CUDA]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[Matrix]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Proxmox]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[CodeyBot]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Immich]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New NetApp]]
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Intro to Authentication

2025-11-11T15:10:37Z

Y266shen: minor typo

CSC's user directory and authentication system consists of 4 major parts:
; LDAP : directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that)
; Kerberos (krb5) : authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5)
; pyceo : CSC's home-grown frontend for interacting with user directory and passwords
; Keycloak: SSO support for web applications, allows you to use WatIAM/CSC OTP to log into web based services

Basically, this is a UNIX-based Active Directory system. Why not using Microsoft's offering? Well, we love UNIX, just look at the office, there's no Windows there.

== Client Side ==
=== LDAP ===
''Read more on:'' [[LDAP]]

LDAP itself is just a protocol. In practice, it has 2 parts: a server that stores and serves user information, and a client that queries these information for various applications. All servers in CSC, no matter general-use or syscom-only, are hooked up to LDAP so that they can automatically sync users and groups so that we don't need to manually create/delete account for every member. It's also responsible for tracking which terms do a member have a valid membership of, and that's how we implement general-use server's access control based on membership.

In essence, it's just a database that keeps track of a bunch of unique entities (called Distinguished Name, or DN in LDAP world) and each entity can have a bunch of attributes associated with them. Here's the LDAP entry for our club mascot, C.T. Dalek:

<pre>
dn: uid=ctdalek,ou=People,dc=csclub,dc=uwaterloo,dc=ca
uid: ctdalek
homeDirectory: /users/ctdalek
cn: Calum T. Dalek
gecos: Calum T. Dalek,MC 3036,,,0
uidNumber: 20000
description: Prototypical Member Account
gidNumber: 20000
objectClass: account
objectClass: member
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: inetLocalMailRecipient
loginShell: /bin/false
userPassword: {SASL}ctdalek@CSCLUB.UWATERLOO.CA
term: f2016
term: f2017
term: f2018
givenName: Calum
sn: Dalek
mailLocalAddress: ctdalek@csclub.uwaterloo.ca
program: Alumni
</pre>

It's entirely possible to do all of these in a NoSQL database, but of course LDAP is a standard, and almost all SSO-capable system can speak LDAP, so that's why we use it.

=== Kerberos ===
''Read more on:'' [[Kerberos]]

Kerberos is a very complicated protocol and deserve its own lecture, but the crash course is that you do an initial authentication with Kerberos (usually with username/password), and it grants you a "ticket" so that you can use such ticket to access other services without going through the central authentication node again.

One use case you might find useful is if you want to hop between CSC servers (for example, you are outside the campus network but you want to access a termcom machine that is campus-network only), you can use <code>kinit</code> to get yourself a ticket, and you won't need to input password any more because your SSH client will send the ticket first and will be accepted as your proof of identity.

Other than user authentication, we also use Kerberos for inter-machine authentication. All CSC machines have a <code>host/$HOSTNAME.csclub.uwaterloo.ca</code> ticket installed on them, and they use this to authenticate and mount the <code>/users</code> NFS file share, so that you can use one single home folder on all of the CSC machines.

=== pyceo ===
''Read more on:'' [[CEO]]

Since editing LDAP databases is tediously and dangerous (you might bring down the whole fleet!), account management is handled by pyceo. Things like adding/renewing members and resetting passwords are in essence just modifying LDAP/Kerberos databases, but pyceo does autofilling and sanity check on day-to-day operations.

Note that pyceo's scope has expanded quite a bit after the introduction of CSC cloud, now it's more than just a frontend for LDAP/Krb5, but more of a frontend for most of the member services.

=== Keycloak ===
''Read more on:'' [[Keycloak]]

For security reasons, the university requires us to implement 2FA (two factor authentication) in some way for all of our services. For SSH we did it via [https://duo.com/docs/duounix pam_duo], and for web we use [https://www.keycloak.org/ Keycloak]. Keycloak behaves like an adapter to provide the "web" way of authentication (i.e. OpenID Connect) using data from the "UNIX" way of authentication (LDAP, Krb5), and provide additional security features like OTP (one time password).

A special thing we do with Keycloak is that we use it as an identity broker for WatIAM, which allow you to login via the university's WatIAM login portal and then use that session to log into CSC services without another password/OTP prompt.

== Server implementations ==
We have two nspawn containers, <code>auth1</code> and <code>auth2</code>, on two physical locations (xylitol@MC and cobalamin@Science Machine Room). Both of them run <code>slapd</code> (the free LDAP server implementation) for LDAP and <code>krb5-kdc + krb5-admin-server</code> for Kerberos.

If you have read the LDAP spec or slapd/OpenLDAP documentation closely, you will know that there's an authentication mechanism in LDAP as well. But the documentation will also tell you it's generally a good idea to separate the public LDAP server and the secret-keeping ones, and that's exactly what we did: we store (hashed) passwords in Kerberos. But a lot of services (example being Nextcloud) uses the LDAP authentication; thus, when that happens, we proxy the authentication to Kerberos and just return the result. This is done via configuring slapd to use SASL auth mechanism, and run <code>saslauthd</code> on auth1/2 with backend set to kerberos5.

auth1 is the master server, and it will either actively send changes to auth2 (slapd) or auth2 will periodically pull changes from auth1 (krb5). There's also a cron job to periodically dump the complete database onto NFS.

Intro to Authentication

2025-11-11T15:08:10Z

Y266shen: add keycloak

CSC's user directory and authentication system consists of 3 major parts:
; LDAP : directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that)
; Kerberos (krb5) : authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5)
; pyceo : CSC's home-grown frontend for interacting with user directory and passwords
; Keycloak: SSO support for web applications, allows you to use WatIAM/CSC OTP to log into web based services

Basically, this is a UNIX-based Active Directory system. Why not using Microsoft's offering? Well, we love UNIX, just look at the office, there's no Windows there.

== Client Side ==
=== LDAP ===
''Read more on:'' [[LDAP]]

LDAP itself is just a protocol. In practice, it has 2 parts: a server that stores and serves user information, and a client that queries these information for various applications. All servers in CSC, no matter general-use or syscom-only, are hooked up to LDAP so that they can automatically sync users and groups so that we don't need to manually create/delete account for every member. It's also responsible for tracking which terms do a member have a valid membership of, and that's how we implement general-use server's access control based on membership.

In essence, it's just a database that keeps track of a bunch of unique entities (called Distinguished Name, or DN in LDAP world) and each entity can have a bunch of attributes associated with them. Here's the LDAP entry for our club mascot, C.T. Dalek:

<pre>
dn: uid=ctdalek,ou=People,dc=csclub,dc=uwaterloo,dc=ca
uid: ctdalek
homeDirectory: /users/ctdalek
cn: Calum T. Dalek
gecos: Calum T. Dalek,MC 3036,,,0
uidNumber: 20000
description: Prototypical Member Account
gidNumber: 20000
objectClass: account
objectClass: member
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: inetLocalMailRecipient
loginShell: /bin/false
userPassword: {SASL}ctdalek@CSCLUB.UWATERLOO.CA
term: f2016
term: f2017
term: f2018
givenName: Calum
sn: Dalek
mailLocalAddress: ctdalek@csclub.uwaterloo.ca
program: Alumni
</pre>

It's entirely possible to do all of these in a NoSQL database, but of course LDAP is a standard, and almost all SSO-capable system can speak LDAP, so that's why we use it.

=== Kerberos ===
''Read more on:'' [[Kerberos]]

Kerberos is a very complicated protocol and deserve its own lecture, but the crash course is that you do an initial authentication with Kerberos (usually with username/password), and it grants you a "ticket" so that you can use such ticket to access other services without going through the central authentication node again.

One use case you might find useful is if you want to hop between CSC servers (for example, you are outside the campus network but you want to access a termcom machine that is campus-network only), you can use <code>kinit</code> to get yourself a ticket, and you won't need to input password any more because your SSH client will send the ticket first and will be accepted as your proof of identity.

Other than user authentication, we also use Kerberos for inter-machine authentication. All CSC machines have a <code>host/$HOSTNAME.csclub.uwaterloo.ca</code> ticket installed on them, and they use this to authenticate and mount the <code>/users</code> NFS file share, so that you can use one single home folder on all of the CSC machines.

=== pyceo ===
''Read more on:'' [[CEO]]

Since editing LDAP databases is tediously and dangerous (you might bring down the whole fleet!), account management is handled by pyceo. Things like adding/renewing members and resetting passwords are in essence just modifying LDAP/Kerberos databases, but pyceo does autofilling and sanity check on day-to-day operations.

Note that pyceo's scope has expanded quite a bit after the introduction of CSC cloud, now it's more than just a frontend for LDAP/Krb5, but more of a frontend for most of the member services.

=== Keycloak ===
''Read more on:'' [[Keycloak]]

For security reasons, the university requires us to implement 2FA (two factor authentication) in some way for all of our services. For SSH we did it via [https://duo.com/docs/duounix pam_duo], and for web we use [https://www.keycloak.org/ Keycloak]. Keycloak behaves like an adapter to provide the "web" way of authentication (i.e. OpenID Connect) using data from the "UNIX" way of authentication (LDAP, Krb5), and provide additional security features like OTP (one time password).

A special thing we do with Keycloak is that we use it as an identity broker for WatIAM, which allow you to login via the university's WatIAM login portal and then use that session to log into CSC services without another password/OTP prompt.

== Server implementations ==
We have two nspawn containers, <code>auth1</code> and <code>auth2</code>, on two physical locations (xylitol@MC and cobalamin@Science Machine Room). Both of them run <code>slapd</code> (the free LDAP server implementation) for LDAP and <code>krb5-kdc + krb5-admin-server</code> for Kerberos.

If you have read the LDAP spec or slapd/OpenLDAP documentation closely, you will know that there's an authentication mechanism in LDAP as well. But the documentation will also tell you it's generally a good idea to separate the public LDAP server and the secret-keeping ones, and that's exactly what we did: we store (hashed) passwords in Kerberos. But a lot of services (example being Nextcloud) uses the LDAP authentication; thus, when that happens, we proxy the authentication to Kerberos and just return the result. This is done via configuring slapd to use SASL auth mechanism, and run <code>saslauthd</code> on auth1/2 with backend set to kerberos5.

auth1 is the master server, and it will either actively send changes to auth2 (slapd) or auth2 will periodically pull changes from auth1 (krb5). There's also a cron job to periodically dump the complete database onto NFS.

Decommissioned Machines

2025-11-08T22:06:55Z

Y266shen: Created page with "= 2025 = ==''biloba''== Dead, died after the poweroutage of May 9th, 2025, previously served as Cloudstack master node or wtv. Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack?? ==== Specs ==== * 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each] * 384GB RAM * 12 3.5" Hot Swap Drive Bays ** 2 x 480 GB SSD * 10GbE onboard, 10GbE SFP+ card (on loan from CSCF) ==== Services ==== * OpenStack Compute machine '''Notes''' * TODO: cloudst..."

= 2025 =
==''biloba''==

Dead, died after the poweroutage of May 9th, 2025, previously served as Cloudstack master node or wtv.

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

= Pre-2021 =
==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

Machine List

2025-11-08T22:05:44Z

Y266shen: move decommissioned section to a separate page

Intro to Authentication

2025-11-04T00:45:07Z

Y266shen: add links

CSC's user directory and authentication system consists of 3 major parts:
; LDAP : directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that)
; Kerberos (krb5) : authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5)
; pyceo : CSC's home-grown frontend for interacting with user directory and passwords

Basically, this is a UNIX-based Active Directory system. Why not using Microsoft's offering? Well, we love UNIX, just look at the office, there's no Windows there.

== Client Side ==
=== LDAP ===
''Read more on:'' [[LDAP]]

LDAP itself is just a protocol. In practice, it has 2 parts: a server that stores and serves user information, and a client that queries these information for various applications. All servers in CSC, no matter general-use or syscom-only, are hooked up to LDAP so that they can automatically sync users and groups so that we don't need to manually create/delete account for every member. It's also responsible for tracking which terms do a member have a valid membership of, and that's how we implement general-use server's access control based on membership.

In essence, it's just a database that keeps track of a bunch of unique entities (called Distinguished Name, or DN in LDAP world) and each entity can have a bunch of attributes associated with them. Here's the LDAP entry for our club mascot, C.T. Dalek:

<pre>
dn: uid=ctdalek,ou=People,dc=csclub,dc=uwaterloo,dc=ca
uid: ctdalek
homeDirectory: /users/ctdalek
cn: Calum T. Dalek
gecos: Calum T. Dalek,MC 3036,,,0
uidNumber: 20000
description: Prototypical Member Account
gidNumber: 20000
objectClass: account
objectClass: member
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: inetLocalMailRecipient
loginShell: /bin/false
userPassword: {SASL}ctdalek@CSCLUB.UWATERLOO.CA
term: f2016
term: f2017
term: f2018
givenName: Calum
sn: Dalek
mailLocalAddress: ctdalek@csclub.uwaterloo.ca
program: Alumni
</pre>

It's entirely possible to do all of these in a NoSQL database, but of course LDAP is a standard, and almost all SSO-capable system can speak LDAP, so that's why we use it.

=== Kerberos ===
''Read more on:'' [[Kerberos]]

Kerberos is a very complicated protocol and deserve its own lecture, but the crash course is that you do an initial authentication with Kerberos (usually with username/password), and it grants you a "ticket" so that you can use such ticket to access other services without going through the central authentication node again.

One use case you might find useful is if you want to hop between CSC servers (for example, you are outside the campus network but you want to access a termcom machine that is campus-network only), you can use <code>kinit</code> to get yourself a ticket, and you won't need to input password any more because your SSH client will send the ticket first and will be accepted as your proof of identity.

Other than user authentication, we also use Kerberos for inter-machine authentication. All CSC machines have a <code>host/$HOSTNAME.csclub.uwaterloo.ca</code> ticket installed on them, and they use this to authenticate and mount the <code>/users</code> NFS file share, so that you can use one single home folder on all of the CSC machines.

=== pyceo ===
''Read more on:'' [[CEO]]

Since editing LDAP databases is tediously and dangerous (you might bring down the whole fleet!), account management is handled by pyceo. Things like adding/renewing members and resetting passwords are in essence just modifying LDAP/Kerberos databases, but pyceo does autofilling and sanity check on day-to-day operations.

Note that pyceo's scope has expanded quite a bit after the introduction of CSC cloud, now it's more than just a frontend for LDAP/Krb5, but more of a frontend for most of the member services.

== Server implementations ==
We have two nspawn containers, <code>auth1</code> and <code>auth2</code>, on two physical locations (xylitol@MC and cobalamin@Science Machine Room). Both of them run <code>slapd</code> (the free LDAP server implementation) for LDAP and <code>krb5-kdc + krb5-admin-server</code> for Kerberos.

If you have read the LDAP spec or slapd/OpenLDAP documentation closely, you will know that there's an authentication mechanism in LDAP as well. But the documentation will also tell you it's generally a good idea to separate the public LDAP server and the secret-keeping ones, and that's exactly what we did: we store (hashed) passwords in Kerberos. But a lot of services (example being Nextcloud) uses the LDAP authentication; thus, when that happens, we proxy the authentication to Kerberos and just return the result. This is done via configuring slapd to use SASL auth mechanism, and run <code>saslauthd</code> on auth1/2 with backend set to kerberos5.

auth1 is the master server, and it will either actively send changes to auth2 (slapd) or auth2 will periodically pull changes from auth1 (krb5). There's also a cron job to periodically dump the complete database onto NFS.

Intro to Authentication

2025-11-04T00:41:34Z

Y266shen: add example to LDAP

CSC's user directory and authentication system consists of 3 major parts:
; LDAP : directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that)
; Kerberos (krb5) : authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5)
; pyceo : CSC's home-grown frontend for interacting with user directory and passwords

Basically, this is a UNIX-based Active Directory system. Why not using Microsoft's offering? Well, we love UNIX, just look at the office, there's no Windows there.

== Client Side ==
=== LDAP ===
LDAP itself is just a protocol. In practice, it has 2 parts: a server that stores and serves user information, and a client that queries these information for various applications. All servers in CSC, no matter general-use or syscom-only, are hooked up to LDAP so that they can automatically sync users and groups so that we don't need to manually create/delete account for every member. It's also responsible for tracking which terms do a member have a valid membership of, and that's how we implement general-use server's access control based on membership.

In essence, it's just a database that keeps track of a bunch of unique entities (called Distinguished Name, or DN in LDAP world) and each entity can have a bunch of attributes associated with them. Here's the LDAP entry for our club mascot, C.T. Dalek:

<pre>
dn: uid=ctdalek,ou=People,dc=csclub,dc=uwaterloo,dc=ca
uid: ctdalek
homeDirectory: /users/ctdalek
cn: Calum T. Dalek
gecos: Calum T. Dalek,MC 3036,,,0
uidNumber: 20000
description: Prototypical Member Account
gidNumber: 20000
objectClass: account
objectClass: member
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: inetLocalMailRecipient
loginShell: /bin/false
userPassword: {SASL}ctdalek@CSCLUB.UWATERLOO.CA
term: f2016
term: f2017
term: f2018
givenName: Calum
sn: Dalek
mailLocalAddress: ctdalek@csclub.uwaterloo.ca
program: Alumni
</pre>

It's entirely possible to do all of these in a NoSQL database, but of course LDAP is a standard, and almost all SSO-capable system can speak LDAP, so that's why we use it.

=== Kerberos ===
Kerberos is a very complicated protocol and deserve its own lecture, but the crash course is that you do an initial authentication with Kerberos (usually with username/password), and it grants you a "ticket" so that you can use such ticket to access other services without going through the central authentication node again.

One use case you might find useful is if you want to hop between CSC servers (for example, you are outside the campus network but you want to access a termcom machine that is campus-network only), you can use <code>kinit</code> to get yourself a ticket, and you won't need to input password any more because your SSH client will send the ticket first and will be accepted as your proof of identity.

Other than user authentication, we also use Kerberos for inter-machine authentication. All CSC machines have a <code>host/$HOSTNAME.csclub.uwaterloo.ca</code> ticket installed on them, and they use this to authenticate and mount the <code>/users</code> NFS file share, so that you can use one single home folder on all of the CSC machines.

=== pyceo ===
Since editing LDAP databases is tediously and dangerous (you might bring down the whole fleet!), account management is handled by pyceo. Things like adding/renewing members and resetting passwords are in essence just modifying LDAP/Kerberos databases, but pyceo does autofilling and sanity check on day-to-day operations.

Note that pyceo's scope has expanded quite a bit after the introduction of CSC cloud, now it's more than just a frontend for LDAP/Krb5, but more of a frontend for most of the member services.

== Server implementations ==
We have two nspawn containers, <code>auth1</code> and <code>auth2</code>, on two physical locations (xylitol@MC and cobalamin@Science Machine Room). Both of them run <code>slapd</code> (the free LDAP server implementation) for LDAP and <code>krb5-kdc + krb5-admin-server</code> for Kerberos.

If you have read the LDAP spec or slapd/OpenLDAP documentation closely, you will know that there's an authentication mechanism in LDAP as well. But the documentation will also tell you it's generally a good idea to separate the public LDAP server and the secret-keeping ones, and that's exactly what we did: we store (hashed) passwords in Kerberos. But a lot of services (example being Nextcloud) uses the LDAP authentication; thus, when that happens, we proxy the authentication to Kerberos and just return the result. This is done via configuring slapd to use SASL auth mechanism, and run <code>saslauthd</code> on auth1/2 with backend set to kerberos5.

auth1 is the master server, and it will either actively send changes to auth2 (slapd) or auth2 will periodically pull changes from auth1 (krb5). There's also a cron job to periodically dump the complete database onto NFS.

Main Page

2025-11-04T00:26:26Z

Y266shen: rearrange to promote "Club Operation" to top level and rename "Committees Documentation" to "Systems Documentation"

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Club Operation ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

== Systems Documentation ==
=== Introductions ===
Start here if you have no clue how a subsystem works
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Intro to Authentication]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Machine List]]
* [[Filer]]
* [[Switches]]
* [[IPMI101]]
* [[Disk Drive RMA Process]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[Matrix]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Proxmox]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[CodeyBot]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Immich]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New NetApp]]
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Intro to Authentication

2025-11-04T00:16:30Z

Y266shen: fix list

Intro to Authentication

2025-11-04T00:09:21Z

Y266shen:

CSC's user directory and authentication system consists of 3 major parts:
+ LDAP: directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that)
+ Kerberos: authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5)
+ pyceo: CSC's home-grown frontend for interacting with user directory and passwords

Basically, this is a UNIX-based Active Directory system. Why not using Microsoft's offering? Well, we love UNIX, just look at the office, there's no Windows there.

== Client Side ==
=== LDAP ===
LDAP itself is just a protocol. In practice, it has 2 parts: a server that stores and serves user information, and a client that queries these information for various applications. All servers in CSC, no matter general-use or syscom-only, are hooked up to LDAP so that they can automatically sync users and groups so that we don't need to manually create/delete account for every member.

=== Kerberos ===
Kerberos is a very complicated protocol and deserve its own lecture, but the crash course is that you do an initial authentication with Kerberos (usually with username/password), and it grants you a "ticket" so that you can use such ticket to access other services without going through the central authentication node again.

One use case you might find useful is if you want to hop between CSC servers (for example, you are outside the campus network but you want to access a termcom machine that is campus-network only), you can use <code>kinit</code> to get yourself a ticket, and you won't need to input password any more because your SSH client will send the ticket first and will be accepted as your proof of identity.

Other than user authentication, we also use Kerberos for inter-machine authentication. All CSC machines have a <code>host/$HOSTNAME.csclub.uwaterloo.ca</code> ticket installed on them, and they use this to authenticate and mount the <code>/users</code> NFS file share, so that you can use one single home folder on all of the CSC machines.

=== pyceo ===
Since editing LDAP databases is tediously and dangerous (you might bring down the whole fleet!), account management is handled by pyceo. Things like adding/renewing members and resetting passwords are in essence just modifying LDAP/Kerberos databases, but pyceo does autofilling and sanity check on day-to-day operations.

Note that pyceo's scope has expanded quite a bit after the introduction of CSC cloud, now it's more than just a frontend for LDAP/Krb5, but more of a frontend for most of the member services.

== Server implementations ==
We have two nspawn containers, <code>auth1</code> and <code>auth2</code>, on two physical locations (xylitol@MC and cobalamin@Science Machine Room). Both of them run <code>slapd</code> (the free LDAP server implementation) for LDAP and <code>krb5-kdc + krb5-admin-server</code> for Kerberos.

If you have read the LDAP spec or slapd/OpenLDAP documentation closely, you will know that there's an authentication mechanism in LDAP as well. But the documentation will also tell you it's generally a good idea to separate the public LDAP server and the secret-keeping ones, and that's exactly what we did: we store (hashed) passwords in Kerberos. But a lot of services (example being Nextcloud) uses the LDAP authentication; thus, when that happens, we proxy the authentication to Kerberos and just return the result. This is done via configuring slapd to use SASL auth mechanism, and run <code>saslauthd</code> on auth1/2 with backend set to kerberos5.

auth1 is the master server, and it will either actively send changes to auth2 (slapd) or auth2 will periodically pull changes from auth1 (krb5). There's also a cron job to periodically dump the complete database onto NFS.

Intro to Authentication

2025-11-04T00:05:02Z

Y266shen: Created page with "CSC's user directory and authentication system consists of 3 major parts: + LDAP: directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that) + Kerberos: authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5) + pyceo: CSC's home-grown frontend for interacting with user directory and passwords Basically, this is a UNIX-based Active Directory sy..."

CSC's user directory and authentication system consists of 3 major parts:
+ LDAP: directory service. stores all public user information (your name, program, WatIAM, UNIX groups, things like that)
+ Kerberos: authentication service. stores passwords, provide authentication to user logins/inter-server integrations (ceo and NFS uses krb5)
+ pyceo: CSC's home-grown frontend for interacting with user directory and passwords

Basically, this is a UNIX-based Active Directory system. Why not using Microsoft's offering? Well, we love UNIX, just look at the office, there's no Windows there.

== Client Side ==
=== LDAP ===
LDAP itself is just a protocol. In practice, it has 2 parts: a server that stores and serves user information, and a client that queries these information for various applications. All servers in CSC, no matter general-use or syscom-only, are hooked up to LDAP so that they can automatically sync users and groups so that we don't need to manually create/delete account for every member.

=== Kerberos ===
Kerberos is a very complicated protocol and deserve its own lecture, but the crash course is that you do an initial authentication with Kerberos (usually with username/password), and it grants you a "ticket" so that you can use such ticket to access other services without going through the central authentication node again.

One use case you might find useful is if you want to hop between CSC servers (for example, you are outside the campus network but you want to access a termcom machine that is campus-network only), you can use <code>kinit</code> to get yourself a ticket, and you won't need to input password any more because your SSH client will send the ticket first and will be accepted as your proof of identity.

Other than user authentication, we also use Kerberos for inter-machine authentication. All CSC machines have a \`host/\$NAME.csclub.uwaterloo.ca\` ticket installed on them, and they use this to authenticate and mount the <code>/users</code> NFS file share, so that you can use one single home folder on all of the CSC machines.

=== pyceo ===
Since editing LDAP databases is tediously and dangerous (you might bring down the whole fleet!), account management is handled by pyceo. Things like adding/renewing members and resetting passwords are in essence just modifying LDAP/Kerberos databases, but pyceo does autofilling and sanity check on day-to-day operations.

Note that pyceo's scope has expanded quite a bit after the introduction of CSC cloud, now it's more than just a frontend for LDAP/Krb5, but more of a frontend for most of the member services.

== Server implementations ==
We have two nspawn containers, <code>auth1</code> and <code>auth2</code>, on two physical locations (xylitol@MC and cobalamin@Science Machine Room). Both of them run <code>slapd</code> (the free LDAP server implementation) for LDAP and <code>krb5-kdc + krb5-admin-server</code> for Kerberos.

If you have read the LDAP spec or slapd/OpenLDAP documentation closely, you will know that there's an authentication mechanism in LDAP as well. But the documentation will also tell you it's generally a good idea to separate the public LDAP server and the secret-keeping ones, and that's exactly what we did: we store (hashed) passwords in Kerberos. But a lot of services (example being Nextcloud) uses the LDAP authentication; thus, when that happens, we proxy the authentication to Kerberos and just return the result. This is done via configuring slapd to use SASL auth mechanism, and run <code>saslauthd</code> on auth1/2 with backend set to kerberos5.

auth1 is the master server, and it will either actively send changes to auth2 (slapd) or auth2 will periodically pull changes from auth1 (krb5). There's also a cron job to periodically dump the complete database onto NFS.

Filer

2025-10-17T23:18:14Z

Y266shen: add zfs info

'''NOTE''' This page describes Filer Generation 3, which is put into production at Fall 2025. To see previous generations of filers, see [[New NetApp]] (2017-2025) and [[NetApp]] (2013-2017).

At Fall 2023, MFCF donated us their FAS8040 NetApp filers alongside several DS4243 disk shelves.

We decided to connect the disk shelves directly to one of our servers, since it's hard to keep syscom/termcom trained to use NetApp's proprietary system, and we can mostly get away with using just 1/2 disk shelves for our storage need anyways.

== Physical Configuration ==

Currently ranch is used as the head unit, and only one (one of the middle) disk shelves is connected to it.
A QSFP+ (SFF-8436) to External Mini-SAS (SFF-8088) Cable is used to connect the disk shelf to a SAS2308 HBA card. Note that according [https://forums.unraid.net/topic/89444-how-to-configure-a-netapp-ds4243-shelf-in-unraid/ Unraid Forum] ([https://web.archive.org/web/20250108225045/https://forums.unraid.net/topic/89444-how-to-configure-a-netapp-ds4243-shelf-in-unraid/ Wayback Machine]), it should be connected to the port marked with a '''black rectangle''' on the '''top IOM''' of the back of the disk shelf. Also make sure all PSUs (we currently have 2 PSU and 2 blank filler) are connected and powered on. If everything is connected correctly, you should not see any amber LED on the PSUs. After the filer is booted, you should see green/blue LNK LED next to the connected QSFP port on the disk shelf.

A total of 24x 2T disks are available, but 3 of them has shown signs of failure, so we only use 21 of them right now.

They are all 2TB drives from ~2010, so we should consider replacing them.

== Configuration ==

ranch runs regular Debian with ZFS, so that we can share the technology stack with mirror.

A '''pitfall''' of the disk shelf is that they only do disk spinups after your system has booted, and takes quite some time to do so (6 disks every 12s according to [https://docs.netapp.com/p/ontap-systems/platforms/Installation-And-Service-Guide.pdf]), so ZFS freaks out when only part of the pool is visible and report the pool as SUSPENDED. Do <code>systemctl edit zfs-import-cache.service</code> and put these in should fix this by delaying ZFS import for 3 minutes so the disk shelves have time to finish initialization:

<pre>
[Service]
ExecStartPre=/bin/sleep 180
</pre>

=== ZFS ===

We use [https://github.com/jimsalterjrs/sanoid sanoid] for auto snapshot management. To see a previous version of your file, go to <code>/users/.zfs/snapshots/$snapshot_name</code>.

In the future we will want to send a pair of server/disk shelf to a different machine room so that we can use sanoid's friend, syncoid to automatically send the ZFS snapshot over for off-site backup.

=== NFS ===

We use ZFS's <code>sharenfs</code> property to set NFS configuration for each datasets. This is done so that those NFS shares only start after ZFS is ready.

As before, we export <code>sec=sys</code> (so no authentication) on the special MC storage VLAN (VLAN 530, containing 172.19.168.32/27 and fd74:6b6a:8eca:4903::/64). This VLAN is only connected to trusted machines (NetApp, CSC servers in the MC 3015 or DC 3558 machine rooms).

All other machines uses <code>sec=krb5p</code>. By default, NFS clients will need a nfs/ Krb5 principal, but since all of CSC machines will need to mount /users anyways, we just reuse the host/ krb5 principal. This is done by running <code>systemctl edit rpc-svcgssd.service</code> and adding these (see rpc.svcgssd manual for more information):

<pre>
[Service]
ExecStart=
ExecStart=/usr/sbin/rpc.svcgssd -n
</pre>

We disabled NFSv3 and NFSv4.0 in <code>/etc/nfs.conf</code> since all of the machines are expected to run recent versions of debian.

Main Page

2025-10-17T15:40:01Z

Y266shen: /* Historical */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Committees Documentation ==
=== Club Operation ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Machine List]]
* [[Filer]]
* [[Switches]]
* [[IPMI101]]
* [[Disk Drive RMA Process]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[Matrix]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Proxmox]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[CodeyBot]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Immich]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New NetApp]]
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Main Page

2025-10-17T15:39:48Z

Y266shen: /* Hardware Infrastructure (the bare metals) */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Committees Documentation ==
=== Club Operation ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Machine List]]
* [[Filer]]
* [[Switches]]
* [[IPMI101]]
* [[Disk Drive RMA Process]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[Matrix]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Proxmox]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[CodeyBot]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Immich]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Main Page

2025-10-17T13:55:19Z

Y266shen: add filer

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Committees Documentation ==
=== Club Operation ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Disk Drive RMA Process]]
* [[Machine List]]
* [[Filer]]
* [[IPMI101]]
* [[New NetApp]]
* [[Switches]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[Matrix]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Proxmox]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[CodeyBot]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Immich]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Filer

2025-10-17T04:38:45Z

Y266shen: Initial edit

'''NOTE''' This page describes Filer Generation 3, which is put into production at Fall 2025. To see previous generations of filers, see [[New NetApp]] (2017-2025) and [[NetApp]] (2013-2017).

At Fall 2023, MFCF donated us their FAS8040 NetApp filers alongside several DS4243 disk shelves.

We decided to connect the disk shelves directly to one of our servers, since it's hard to keep syscom/termcom trained to use NetApp's proprietary system, and we can mostly get away with using just 1/2 disk shelves for our storage need anyways.

== Physical Configuration ==

Currently ranch is used as the head unit, and only one (one of the middle) disk shelves is connected to it.
A QSFP+ (SFF-8436) to External Mini-SAS (SFF-8088) Cable is used to connect the disk shelf to a SAS2308 HBA card. Note that based on homelab community's wisdom, it has to be the port on the top left corner (marked with a black rectangle) of the back of the disk shelf. Also make sure all 4 PSUs are connected and powered on.

A total of 24 disks are available, but 3 of them has shown signs of failure, so we only use 21 of them right now.

They are all 2TB drives from ~2010, so we should consider replacing them.

== Configuration ==

ranch runs regular Debian with ZFS, so that we can share the technology stack with mirror.

A quirk of the disk shelf is that they only do disk spinups after your system has booted, and takes quite some time to do so, so ZFS freaks out when only part of the pool is visible and report the pool as SUSPENDED. Do <code>systemctl edit zfs-import-cache.service</code> and put these in should fix this by delaying ZFS import for 3 minutes so the disk shelves have time to finish initialization:

<pre>
[Service]
ExecStartPre=/bin/sleep 180
</pre>

=== NFS ===

We use ZFS's <code>sharenfs</code> property to set NFS configuration for each datasets. This is done so that those NFS shares only start after ZFS is ready.

As before, we export <code>sec=sys</code> (so no authentication) on the special MC storage VLAN (VLAN 530, containing 172.19.168.32/27 and fd74:6b6a:8eca:4903::/64). This VLAN is only connected to trusted machines (NetApp, CSC servers in the MC 3015 or DC 3558 machine rooms).

All other machines uses <code>sec=krb5p</code>. By default, NFS clients will need a nfs/ Krb5 principal, but since all of CSC machines will need to mount /users anyways, we just reuse the host/ krb5 principal. This is done by running <code>systemctl edit rpc-svcgssd.service</code> and adding these (see rpc.svcgssd manual for more information):

<pre>
[Service]
ExecStart=
ExecStart=/usr/sbin/rpc.svcgssd -n
</pre>

We disabled NFSv3 and NFSv4.0 in <code>/etc/nfs.conf</code> since all of the machines are expected to run recent versions of debian.

Proxmox

2025-09-16T00:26:00Z

Y266shen: networking

== Setting up Proxmox ==
To setup proxmox, from `Server View`, open the `Datacenter` page. Then go to `Permissions -> Realms`.

Then just make sure pam is setup lol

== Networking ==
There are two ways to do networking: network bridge and NAT. Network bridge will put the container/virtual machine on the CSC network (basically side-by-side to proxmox itself), while NAT will encapsulate the container/VM inside a private subnet that is only visible to proxmox host itself.

For services that only exposes HTTP/HTTPS, NAT is more desirable since multiple services can share a host nginx instance, only requiring the host IP to have 80/443 port opened to the Internet, thus saving some IP address in our pool and save some trips to the IST for firewall exemption. But for services that requires custom ports to be opened (for example, BigBlueButton requires a range of UDP ports to be exposed for relaying video streams), using the network bridge and giving the container/VM its own public IP might be easier.

Currently, <code>vmbr0</code> is used for bridged network and <code>vmbr1</code> is used for NAT (see [https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_masquerading Proxmox's wiki on NAT networking] for setup instruction). <code>vmbr0</code> uses the CSC DHCP server, so you can use DHCP there, but <code>vmbr1</code> requires manual IP assignment.

Cloud Gen 2

2025-06-22T01:51:01Z

Y266shen: Created page with "'''Note''' This is currently just a proposal. Since CloudStack blown up during Winter 2025 and the general architecture is deemed beyond current syscom's capacity to maintain, we propose to set up a new cloud cluster using more understood and simpler (for current syscom fleet, as of Spring 2025) technologies. Which includes: * proxmox as virtualization host * pyceo for virtual machine lifecycle management (creation, expiry, deletion if no longer a member for long enoug..."

'''Note''' This is currently just a proposal.

Since CloudStack blown up during Winter 2025 and the general architecture is deemed beyond current syscom's capacity to maintain, we propose to set up a new cloud cluster using more understood and simpler (for current syscom fleet, as of Spring 2025) technologies.

Which includes:
* proxmox as virtualization host
* pyceo for virtual machine lifecycle management (creation, expiry, deletion if no longer a member for long enough)
* NFS for inter-node VM disk exchange

More specifically:
* proxmox will be connected to LDAP for user/group synchronization and authentication
* each user/club will have a dedicated resource pool for resource isolation
* all virtual machine creation/deletion will be done by pyceo, due to proxmox not having resource pool quota

Service List

2025-06-12T01:40:27Z

Y266shen: /* Mail */

A list of services we run and when they've been last updated.

== Infrastructure ==
=== LDAP/Kerberos ===
''See'': [[LDAP]] and [[Kerberos]]

Member information storage and authentication backend.
* Location: ''auth1'' container on [[Machine List#xylitol|xylitol]]
* Last updated: Unknown, updated alongside debian 12

=== Keycloak ===
''See'': [[Keycloak]]

SSO provider.
* Location: somewhere on k8s
* Last updated: Unknown, before Spring 2022

=== Mail ===
''See'': [[Mail]]

Postfix/Dovecot mail server
* Location: ''mail'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last updated: Fall 2024
* Roundcube last updated: Spring 2025

=== mailman3 ===
''See'': [[Mailing Lists]]

Mailing list handler
* Location: ''mailman3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Fall 2024, to mailman 3.10

=== prometheus ===
''See'': [[Observability]]

Also hosts ClickHouse and vector
* Location: ''qemu-2-prometheus'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, updated alongside debian 12

=== NFS ===
Hosted on [[New NetApp]]
* Location: [[New NetApp]] on MC CSC rack
* Last update: 2017, pending "New New NetApp"

=== Ceph ===
''See'': [[Ceph]]

Storage backend for CSCloud.
* Location: 3 node cluster on riboflavin, ginkgo and biloba
* Last update: Unknown

== General services ==
=== Mirror ===
''See'': [[Mirror]]

Our flagship service.
* Location: [[Machine List#potassium-benzoate|potassium-benzoate]]
* Last update: Constantly by syscom

=== CSC Cloud ===
''See'': [[Main Page#CSC Cloud|CSC Cloud]]

Another flagship service.
* Location: 3 node cluster on chamomile, ginkgo and biloba
* Last update: Unknown

=== VaultWarden ===
''See'': [[Vaultwarden]]

Bitwarden-compatible password manager.
* Location: ''Where?''
* Last update: Winter 2025

=== BigBlueButton ===
''See'': [[BigBlueButton]]

Online conferencing.
* Location: ''bigbluebutton3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Winter 2025

=== Plane ===
''See'': [[Plane]]

JIRA but selfhosted.
* Location: ''Where?''
* Last update: Unknown

=== IRC webchat (The Lounge) ===
''See'': [[How to IRC#The Lounge]]

* Location: ''chat'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Mattermost ===
''See'': [[MatterMost]]
* Location: ''mattermost'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Nextcloud ===
''See'': [[Nextcloud]]

CSC's file and calendar server.
* Location: ''nextcloud'' container on [[Machine List#guayusa|guayusa]]
* Last update: Winter 2025

=== Git ===
''See'': [[Git Hosting]]

Gitea server for various CSC projects.
* Location: [[Machine List #caffeine|caffeine]]
* Last update: Spring 2025
* CI: Drone (deprecated), Gitea Act Runner (''gitea-act-runner'' nspawn container on [[Machine List#phosphoric-acid|phosphoric-acid]])

== Web infra ==
=== Member/Club Hosting ===
''See'': [[Web Hosting]] and [[Club Hosting]]

Apache and PHP. Your regular, old-school hosting service.
* Location: ''caffeine'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Winter 2025

=== MySQL/PostgreSQL ===
''See'': [[MySQL]] and [[PostgreSQL]]

Databases for hosting.
* Location: ''coffee'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, still on PostgreSQL 15

Git Hosting

2025-06-01T03:37:58Z

Y266shen: /* Continuous Integration */

We have a [https://git.csclub.uwaterloo.ca Gitea] instance running on [[Machine List#caffeine|caffeine]]. You can sign in via LDAP to the web interface. Projects used by CSC as a whole are owned by the [https://git.csclub.uwaterloo.ca/public public] organization, except for website-committee related repos, which are owned by the [https://git.csclub.uwaterloo.ca/www www] org.

== Installation Details ==
<code>/etc/gitea</code> on caffeine contains the configs for Gitea. It's installed as a Debian package, with additional files in <code>/var/lib/gitea/</code>and a systemd service at <code>/lib/systemd/system/gitea.service</code>.

There is a custom locale (used to define CSC-custom strings in some pages) at <code>/var/lib/gitea/custom/options/locale/locale_en-US.ini</code> that may need to be updated when the Gitea APT package is updated. To update this, run the <code>update_custom_locale.sh</code> in that directory (as root).

== Usage ==
"It's basically GitHub"

- raymo

=== SSH keys ===
It is recommended to setup [https://git.csclub.uwaterloo.ca/user/settings/keys SSH keys] so that you do not have to enter your password each time you push to a repo. Once you have uploaded your public key, add the following to your ~/.ssh/config:
<pre>
Host csclub.uwaterloo.ca
HostName csclub.uwaterloo.ca
IdentityFile ~/.ssh/id_rsa
User git
</pre>
(Replace ~/.ssh/id_rsa by the location of your private SSH key.) Now you should be able to clone, push and pull over SSH.

== Continuous Integration ==
We have a Gitea Act Runner integrated directly into Gitea. It should have identical syntax as Github Actions (see [https://docs.gitea.com/usage/actions/comparison|Compared to GitHub Actions - Gitea]).

Before Spring 2025:
We are running a CI server at https://ci.csclub.uwaterloo.ca. It uses OAuth via Gitea for logins, so you need to have logged in to Gitea first. See https://docs.drone.io/ for documentation. All you have to do is create a .drone.yml file in your repo, then enable CI on the repo from the CSC Drone website. There is an example [https://git.csclub.uwaterloo.ca/merenber/drone-test here].

== Pushing and pulling from the filesystem ==
(for syscom only)
<br>
If you need to keep the ability to push/pull from the filesystem, in addition to Gitea, you will need to take the following steps.
In this example, we are migrating a repo called 'public/repo.git', which is a folder under /srv/git on caffeine (which is a symlink to /users/git).
The way we're doing this right now is kind of hacky, but it works:
<ol>
<li>Clone the original repo locally: <code>git clone /srv/git/public/repo.git</code></li>
<li>Delete the old repo (from phosphoric-acid, which has no_root_squash): <code>rm -rf /srv/git/public/repo.git</code></li>
<li>Create a new repo with the name 'repo' from the Gitea web UI. This should create a bare repository at <code>/srv/git/public/repo.git</code>. (Make sure you choose the 'public' org from the dropdown.)</li>
<li>
Push the original repo to the new remote:
<pre>
cd repo
git remote add gitea https://git.csclub.uwaterloo.ca/public/repo.git
git push gitea master
</pre>
</li>
<li>
Remove any git gooks which require gitea:
<pre>
rm $(grep -IRl gitea /srv/git/public/repo.git/hooks)
</pre>
</li>
<li>
Change file permissions:
<pre>
chown -R git:git /srv/git/public/repo.git
chmod -R g+w /srv/git/public/repo.git
</pre>
You will need to do this from phosphoric-acid (due to NFS root squashing).
</li>
</ol>
Note that the repo folder SHOULD be owned by git:git. Anything else will likely break Gitea. (If a user pushes something to the folder and their umask doesn't allow group members to read, for example, then Gitea will be unable to read the repo.)
<br>
This means that only trusted users should be in the git group - ideally, only syscom members.

== Troubleshooting ==
If you are having trouble pulling/pushing with SSH and have something like this when trying <code>ssh git@csclub.uwaterloo.ca</code>:

<pre>
PTY allocation request failed on channel 0
shell request failed on channel 0
</pre>

Just restart <code>gitea.service</code> on caffeine.

Service List

2025-06-01T03:35:48Z

Y266shen: /* General services */

A list of services we run and when they've been last updated.

== Infrastructure ==
=== LDAP/Kerberos ===
''See'': [[LDAP]] and [[Kerberos]]

Member information storage and authentication backend.
* Location: ''auth1'' container on [[Machine List#xylitol|xylitol]]
* Last updated: Unknown, updated alongside debian 12

=== Keycloak ===
''See'': [[Keycloak]]

SSO provider.
* Location: somewhere on k8s
* Last updated: Unknown, before Spring 2022

=== Mail ===
''See'': [[Mail]]

Postfix/Dovecot mail server
* Location: ''mail'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last updated: Fall 2024

=== mailman3 ===
''See'': [[Mailing Lists]]

Mailing list handler
* Location: ''mailman3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Fall 2024, to mailman 3.10

=== prometheus ===
''See'': [[Observability]]

Also hosts ClickHouse and vector
* Location: ''qemu-2-prometheus'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, updated alongside debian 12

=== NFS ===
Hosted on [[New NetApp]]
* Location: [[New NetApp]] on MC CSC rack
* Last update: 2017, pending "New New NetApp"

=== Ceph ===
''See'': [[Ceph]]

Storage backend for CSCloud.
* Location: 3 node cluster on riboflavin, ginkgo and biloba
* Last update: Unknown

== General services ==
=== Mirror ===
''See'': [[Mirror]]

Our flagship service.
* Location: [[Machine List#potassium-benzoate|potassium-benzoate]]
* Last update: Constantly by syscom

=== CSC Cloud ===
''See'': [[Main Page#CSC Cloud|CSC Cloud]]

Another flagship service.
* Location: 3 node cluster on chamomile, ginkgo and biloba
* Last update: Unknown

=== VaultWarden ===
''See'': [[Vaultwarden]]

Bitwarden-compatible password manager.
* Location: ''Where?''
* Last update: Winter 2025

=== BigBlueButton ===
''See'': [[BigBlueButton]]

Online conferencing.
* Location: ''bigbluebutton3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Winter 2025

=== Plane ===
''See'': [[Plane]]

JIRA but selfhosted.
* Location: ''Where?''
* Last update: Unknown

=== IRC webchat (The Lounge) ===
''See'': [[How to IRC#The Lounge]]

* Location: ''chat'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Mattermost ===
''See'': [[MatterMost]]
* Location: ''mattermost'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Nextcloud ===
''See'': [[Nextcloud]]

CSC's file and calendar server.
* Location: ''nextcloud'' container on [[Machine List#guayusa|guayusa]]
* Last update: Winter 2025

=== Git ===
''See'': [[Git Hosting]]

Gitea server for various CSC projects.
* Location: [[Machine List #caffeine|caffeine]]
* Last update: Spring 2025
* CI: Drone (deprecated), Gitea Act Runner (''gitea-act-runner'' nspawn container on [[Machine List#phosphoric-acid|phosphoric-acid]])

== Web infra ==
=== Member/Club Hosting ===
''See'': [[Web Hosting]] and [[Club Hosting]]

Apache and PHP. Your regular, old-school hosting service.
* Location: ''caffeine'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Winter 2025

=== MySQL/PostgreSQL ===
''See'': [[MySQL]] and [[PostgreSQL]]

Databases for hosting.
* Location: ''coffee'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, still on PostgreSQL 15

Web Hosting

2025-04-28T22:49:20Z

Y266shen: add anubis: fighting ai scrappers

The CSC offers web hosting for [[Club Hosting|clubs]] and [http://csclub.uwaterloo.ca/about/ our members] in accordance with our [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. This is a quick guide for the kinds of hosting we offer on our webserver, <tt>csclub.uwaterloo.ca</tt>, also known as [[Machine List#caffeine|caffeine]].

We run an Apache httpd webserver and we offer you the use of a [[MySQL|MySQL database]].

== What can I host on my website? ==

Web hosting is provided in accordance with the CSC [http://csclub.uwaterloo.ca/services/machine_usage Machine Usage Agreement]. As a reminder, you are '''not permitted''' to host any of the following:

* '''Ads.''' Advertisements are not permitted because using our machines for commercial purposes is forbidden by university policy.
* '''Your start-up's website.''' Again, commercial use of our hosting is not permitted.
* '''Unauthorized copyrighted materials.''' Violating the law is a violation of our Machine Usage Agreement.

Please note that '''this is not an exhaustive list. Websites may be taken down ''without notice''''' at the discretion of the Systems Committee. (We will always let you know that we took your site down, but if it is breaking our shared environment, we can't provide an advance warning.)

Some great examples of things members host on our webserver:

* Academic projects!
* A personal website or blog!
* [[Club Hosting|Club websites!]]

== How do I make a website? ==

If you just want to show some static content (e.g. blog posts, club information, technical articles), then we recommend that you use a static site generator (SSG). Static sites are faster, simpler and more secure than CMSs like WordPress (dynamic and written in PHP) for small sites. We routinely disable WordPress sites that are more than a few weeks out of date (or if a critical security flaw is disclosed).

Here are some SSGs which require little to no coding experience, and also have a great selection of themes to choose from:

* [https://jekyllrb.com/ Jekyll] (accepts Markdown, Liquid and HTML)
* [https://gohugo.io/ Hugo] (accepts a wide variety of formats, including Markdown and JSON)
* [https://hexo.io/ Hexo] (accepts Markdown and various Javascript-based templating engines)
* [https://www.11ty.dev/ Eleventy] (accepts Markdown, Liquid, HTML, and various Javascript-based templating engines)
* [https://www.getzola.org/ Zola] (accepts Markdown and Tera)
* [https://blog.getpelican.com/ Pelican] (accepts Markdown, reStructuredText and Jinja2)

[https://astro.build/ Astro] is an excellent static site builder which integrates with a wide variety of JS-based frameworks (including React, Vue, Svelte and Solid), but requires a bit more coding experience.

These SSGs require some experience with React.js:

* [https://nextjs.org/ Next.js]
* [https://www.gatsbyjs.com/ Gatsby.js]

These SSGs require some experience with Vue.js:

* [https://nuxtjs.org/ Nuxt.js]
* [https://vuepress.vuejs.org/ Vuepress]
* [https://vitepress.vuejs.org/ Vitepress]
* [https://gridsome.org/ Gridsome]

[https://jamstack.org/generators/ Here] is an awesome list of other generators to explore, if you are interested.

=== Transferring your files to the CSC servers ===
If you just need to transfer a single file, then the easiest option is to use the <code>scp</code> command (which is available on all major operating systems), e.g.

scp /path/to/your/file your_username@corn-syrup.csclub.uwaterloo.ca:~/

This will copy /path/to/your/file from your local PC to your CSC home directory (we use NFS, so you can access it from any of the general-use machines).

However, we strongly recommend setting up a git repository in your home directory instead.

=== Setting up a git repository ===
All of the files in the <code>www</code> directory in your home directory are accessible from csclub.uwaterloo.ca/~your_username. If everything is set up right, this can provide a GitHub Pages-like experience.

<ol>
<li>
<ul>
<li>For members:<br>
Create a "bare" git repository in your home directory (on the CSC machines). You will git push/pull from this directory.
<pre>
mkdir myrepo.git
cd myrepo.git
git init --bare
</pre>
</li>
<li>For club reps:<br>
Switch to the Unix user for your club, and use the <code>--shared</code> option to automatically add group write permissions.
<pre>
become_club myclub
cd ~
mkdir myrepo.git
cd myrepo.git
git init --bare --shared
</pre>
</li>
</ul>
</li>
<li>
Create a git post-receive hook which will automatically deploy your website whenever you git push. Paste the following script into hooks/post-receive (in the bare repo you created earlier). You may wish to customize it a bit first.
<pre>
#!/bin/bash

set -e
# Uncomment this to echo the commands as they are executed
#set -x
shopt -s dotglob
# FOR CLUB REPS ONLY: set the following variable to e.g. /users/myclub/www
DEPLOYMENT_DIR=~/www

while read oldrev newrev refname; do
branch=$(git rev-parse --symbolic --abbrev-ref $refname)
# Only the master branch will be deployed
if [ "$branch" != master ]; then
continue
fi
rm -rf $DEPLOYMENT_DIR/*
git --work-tree=$DEPLOYMENT_DIR checkout -f $branch
# FOR CLUB REPS ONLY: uncomment the following lines and replace 'myclub'
# with the Unix group name of your club
#chgrp -R myclub $DEPLOYMENT_DIR
#chmod -R g+w $DEPLOYMENT_DIR
done
</pre>
(The script was adapted from [https://peteris.rocks/blog/deploy-your-website-with-git/ here].)

Make the script executable:
<pre>
chmod +x hooks/post-receive
</pre>

<b>For club reps</b>: Make sure the www directory is group-writable. Switch to the Unix user of your club and run:
<pre>
chmod g+w ~/www
</pre>
</li>
<li>
If you have not done so already, add your public SSH key to your ~/.ssh/authorized_keys file (on the CSC machines). See [https://git-scm.com/book/en/v2/Git-on-the-Server-Generating-Your-SSH-Public-Key here] for a tutorial.
</li>
<li>
On your local computer, add [[Machine_List|any CSC machine]] as a remote of your git repo.
<ul>
<li>For members:<br>
Just use the directory of your git repo, e.g.
<pre>
git remote add csc your_username@corn-syrup.csclub.uwaterloo.ca:myrepo.git
</pre>
</li>
<li>For club reps:<br>
Use the full path of the repo in your club user's home directory, e.g.
<pre>
git remote add csc your_username@corn-syrup.csclub.uwaterloo.ca:/users/myclub/myrepo.git
</pre>
</li>
</ul>
</li>
<li>
Now you can just <code>git push</code> normally after a commit, e.g.
<pre>
git push csc master
</pre>
And the files should show up automatically in your www folder (or your club's www folder, if you are a club rep).
</li>
<li>
If you have any files in your repo which you don't want to be served from your website, use a [https://httpd.apache.org/docs/2.4/howto/htaccess.html .htaccess file] in your www folder (make sure this is committed to the git repo). For example, to deny access to the folder named src (in your www folder), you could use the following snippet:
<pre>
RewriteEngine On
RewriteRule "^src(/.*)?$" - [F,L]
</pre>
See [https://httpd.apache.org/docs/2.4/mod/core.html the Apache documentation] for more details.
</li>
</ol>

If you need help, email <tt>syscom@csclub.uwaterloo.ca[mailto:syscom@csclub.uwaterloo.ca]</tt> or come to the CS Club office on the MC 3rd floor across from the Mathsoc CnD.

== DNS and Your Domain Name ==

You can serve files without any additional configuration by placing them in your <tt>www</tt> directory and accessing them at <tt>http://csclub.uwaterloo.ca/~userid</tt>, where <tt>userid</tt> is your CSC user ID. However, many of our members and clubs prefer to use a custom domain name.

Note that this means you ''do not'' have to register a domain name to be able to use our services. You can just put a website at <tt>http://csclub.uwaterloo.ca/~userid</tt>.

=== uwaterloo.ca domain Names ===

If you represent a UWaterloo organization, you may be eligible for a custom <tt>uwaterloo.ca</tt> domain name, such as <tt>csclub.uwaterloo.ca</tt>. We can request this on your behalf.

In order to do so, we must have verified that the organization is a legitimate UWaterloo-affiliated group, and that you, the representative, are authorized to request a domain name on their behalf. This all takes place when you request [[Club Hosting|club hosting]] with the Computer Science Club.

Once you register as a club representative of your particular organization, you can send an email from your official club account to syscom@csclub.uwaterloo.ca to request the domain <tt>yourdomain.uwaterloo.ca</tt>. Assuming it is available, we will file a ticket and request the domain in your name.

=== Your personal domain name ===

These virtual hosts must be approved by the Executive and Systems Committee. If interested, send syscom@csclub.uwaterloo.ca an email. If your request is approved, the Systems Committee will direct you to create a CNAME record for your domain and point it at <tt>csclub.uwaterloo.ca</tt>.

If you are interested in receiving mail or having other records on your domain, the apex of your domain cannot be a CNAME. If this is the case, then your domain should contain an "A" record of <tt>129.97.134.17</tt> and a (optional, but recommended) "AAAA" record of <tt>2620:101:f000:4901:c5c::caff:e12e</tt>.

If you want TLS on your personal domain, mention this in your email to syscom (syscom: see [[SSL#letsencrypt]]).

== Static Sites ==

You can place all your static content into your web directory, <tt>/users/userid/www</tt>.

If you have been approved for a virtual host, you can access this content using your personal domain once the Systems Committee makes the appropriate configuration changes. Here is an example configuration file:

<VirtualHost *:80>
ServerName foobar.uwaterloo.ca
ServerAlias *.foobar.uwaterloo.ca foobar
ServerAdmin your@email.here.tld

DocumentRoot /users/userid/www/

ErrorLog /var/log/apache2/luser-userid-error.log
CustomLog /var/log/apache2/luser-userid-access.log combined
</VirtualHost>

== Dynamic Sites ==

If you require use of a database, we offer you the sole choice of MySQL. See [[MySQL|this guide]] for how to create your database and connect to MySQL.

=== ***NOTICE*** ===

We '''STRONGLY''' discourage the use of content management systems such as
WordPress. These packages are notorious for the number of security
vulnerabilities they contain and pose a threat to our systems if they are not
kept up to date. The Systems Committee '''WILL,''' at its discretion, disable
any website using a package such as WordPress that is not updated to the latest
version or that is found to contain exploitable security flaws. In such a case,
the member or club serving that site will be notified of the termination; the
site will not be re-enabled until the issues are addressed.

When pages are parked, access to them is restricted to on-campus IPs, so you can still fix your page, but anyone off-campus will not be able to access it, and will be shown this page instead: [https://csclub.uwaterloo.ca/~sysadmin/insecure/ https://csclub.uwaterloo.ca/~sysadmin/insecure/].

=== Using PHP ===

Because we use Apache, it's as simple as placing your <tt>index.php</tt> file in your <tt>/users/userid/www</tt>. That's it!

You can even include rewrite rules in an <tt>.htaccess</tt> file in your web directory.

=== Reverse Proxy (Python, Ruby, Perl, etc.) ===

(In progress... Cliff Notes below)

If computationally expensive, please run the server on a general-use server and proxy to Caffeine.

If Python, (1) use a [http://docs.python-guide.org/en/latest/dev/virtualenvs/ virtual environment] (2) host your app (within the virtualenv) with [http://gunicorn.org/ Gunicorn] on a high port (but campus firewalled, i.e. NOT Ports 28000-28500).

If Ruby (Note, I've never used Ruby so take this with a grain of salt), use [http://unicorn.bogomips.org/ Unicorn] in the same way.

==== .htaccess Config ====

Put the following in the appropriate .htaccess file (e.g. if you were running your app at ~ctdalek/python-app, put the .htaccess in ~ctdalek/www/python-app alongside the static files). Replace HOST with localhost if running on Caffeine or the hostname if running elsewhere; replace port with your chosen port number.

<pre>
RewriteEngine On

# If you want websockets, uncomment this:
#RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
#RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
#RewriteRule .* ws://HOST:RANDOM_PORT%{REQUEST_URI} [L,P]

RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule "index.html" "http://HOST:RANDOM_PORT/" [P]

RewriteCond %{SCRIPT_FILENAME} !-d
RewriteCond %{SCRIPT_FILENAME} !-f
RewriteRule "^(.*)$" "http://HOST:RANDOM_PORT/$1" [P]
</pre>

== Requiring Authentication ==
<b>**UPDATE**</b>: CAS is deprecated; the instructions below are left for historical purposes only. The University of Waterloo now uses [[ADFS]] for web authentication. Unfortunately the Apache module which we use to integrate with ADFS (mod_auth_mellon) cannot be used from .htaccess files, which means that regular members cannot use this. ([https://github.com/latchset/mod_auth_mellon/issues/82 Here] is the relevant GitHub issue; as of this writing, it is still open.) If you require UW authentication for your website, please send an email to syscom and we will configure Apache for you.

=== CAS (no longer works) ===
You can require users to authenticate through the University's Central Authentication System (CAS) by adding the following contents to your .htaccess configuration file:

<pre>
AuthType CAS
Require valid-user
</pre>

You can replace <pre>Require valid-user</pre> with <pre>Require user ctdalek</pre> to restrict to specific users. See https://doubledoublesecurity.ca/uw/cas/user.html for more information.

== Syscom ==

=== Disabling insecure or infringing sites ===

To disable a webspace that has known security vulnerabilities add the following snippet to `/etc/apache2/conf-available/disable-vuln-site.conf`. This rewrites all accesses of the directory or its children to the given file. Note that our disable page always returns HTTP status code 503 (Service Unavailable).

<Directory /users/$BADUSER/www>
AllowOverride None
Redirect 503 /
ErrorDocument 503 /~sysadmin/insecure/index.html
</Directory>

For infringing sites:

<Directory "/users/$BADUSER/www/infringing-directory">
AllowOverride None
Redirect 503 /
ErrorDocument 503 /~sysadmin/infringing/index.html
</Directory>

For club domains (e.g. club1.uwaterloo.ca), redirect to the CSC domain instead:

<Directory "/users/$BADCLUB/www">
AllowOverride None
RewriteEngine On
RewriteRule . <nowiki>https://csclub.uwaterloo.ca/~sysadmin/insecure/index.php</nowiki> [L,P]
</Directory>

For WordPress sites specifically, insert a snippet similar to the following into conf-enabled/disable-wordpress.conf:

<Directory "/users/$BADCLUB/www">
Include snippets/disable-wordpress.conf
</Directory>

=== Expired Websites ===

There is a cron job running hourly on caffeine which disables expired member's websites (and re-enables them when they've renewed their membership).

The script is here: https://git.csclub.uwaterloo.ca/public/expire-sites

Some highlights:

* The script provides a 1-month grace period (corresponding to the grace period of pam-csc)
* The expired page returns HTTP status code of 503 (Service Unavailable)

=== Fighting AI scrappers ===
We use [https://github.com/TecharoHQ/anubis Anubis] to block excess AI scrappers. This sits between Apache2 and the real application to insert a proof-of-work challenge for the browser to solve, before proceeding to provide the actual content.

Since Anubis requires JavaScript, it is only selectively enabled on sites that a) is currently getting excessively scraped and b) need JavaScript already.

Currently, only [[Git Hosting]] is protected.

See <code>caffeine:/etc/anubis</code> for details.

=== Sample Apache config for website with both a custom domain and a UW subdomain ===

Define ENTITY_NAME pmclub
Define CUSTOM_DOMAIN puremath.club
Define UW_SUBDOMAIN ${ENTITY_NAME}.uwaterloo.ca
Define ADMIN_EMAIL ${ENTITY_NAME}@csclub.uwaterloo.ca
Define ENTITY_HOME https://csclub.uwaterloo.ca/~${ENTITY_NAME}

Define APACHE_LOG_DIR /var/log/apache2
Define ERROR_LOG ${APACHE_LOG_DIR}/${ENTITY_NAME}-error.log
Define CUSTOM_LOG "${APACHE_LOG_DIR}/${ENTITY_NAME}-access.log combined"

<VirtualHost *:80>
ServerName ${CUSTOM_DOMAIN}
ServerAlias *.${CUSTOM_DOMAIN} ${UW_SUBDOMAIN} *.${UW_SUBDOMAIN} ${ENTITY_NAME}
ServerAdmin ${ADMIN_EMAIL}

Redirect permanent / https://${CUSTOM_DOMAIN}/

ErrorLog ${ERROR_LOG}
CustomLog ${CUSTOM_LOG}
</VirtualHost>

<VirtualHost csclub:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/${CUSTOM_DOMAIN}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${CUSTOM_DOMAIN}/privkey.pem
SSLStrictSNIVHostCheck on

ServerName ${CUSTOM_DOMAIN}
ServerAlias *.${CUSTOM_DOMAIN}
ServerAdmin ${ADMIN_EMAIL}

DocumentRoot /users/${ENTITY_NAME}/www

ErrorLog ${ERROR_LOG}
CustomLog ${CUSTOM_LOG}

Redirect permanent /<special page> ${ENTITY_HOME}/<special path>/<special file>
</VirtualHost>

<VirtualHost csclub:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/${UW_SUBDOMAIN}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${UW_SUBDOMAIN}/privkey.pem
SSLStrictSNIVHostCheck on

ServerName ${UW_SUBDOMAIN}
ServerAlias *.${UW_SUBDOMAIN}
ServerAdmin ${ADMIN_EMAIL}

Redirect permanent / https://${CUSTOM_DOMAIN}/

ErrorLog ${ERROR_LOG}
CustomLog ${CUSTOM_LOG}
</VirtualHost>

Systemd-nspawn

2025-04-25T15:18:34Z

Y266shen: bookworm

[https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html systemd-nspawn] is a simpler alternative to [https://wiki.csclub.uwaterloo.ca/Virtualization_(LXC_Containers) LXC] which works well on modern versions of Debian (and, unlike LXC, it does not break very critical systemd services running in containers). For "pet" containers, we should be using systemd-nspawn; for "cattle" containers, [[Podman]] is more appropriate.

Some light reading:

* https://wiki.debian.org/nspawn
* https://wiki.archlinux.org/title/Systemd-nspawn

== Quickstart ==
In the example below, we will create a container called 'machine1'.

Create a directory for the rootfs:
<pre>
mkdir /var/lib/machines/machine1
</pre>
Or, if you are using an LVM volume, just create a symlink in /var/lib/machines to where the LV is mounted:
<pre>
ln -s /vm/machine1 /var/lib/machines/machine1
</pre>
Now bootstrap the rootfs:
<pre>
debootstrap --variant=minbase --include=dbus,systemd-container,vim bookworm . http://mirror.csclub.uwaterloo.ca/debian
</pre>
Note that the <code>systemd-container</code> package <b>must</b> be installed in the guest.

Now do a bit of setup in the rootfs:
<pre>
chroot /var/lib/machines/machine1
# Only do this if you want to use `machinectl login`
passwd -d root
cat <<EOF >>/etc/securetty
pts/0
pts/1
pts/2
pts/3
EOF
# set hostname
echo machine1 > /etc/hostname
# set FQDN
nano /etc/hosts
# Use systemd-networkd for network management. See
vim /etc/systemd/network/10-hostbr0.network
exit
</pre>
Now paste the following into /etc/systemd/nspawn/machine1.nspawn:
<pre>
[Exec]
Boot=yes
Hostname=machine1
PrivateUsers=no

[Network]
Bridge=br0
</pre>
Replace 'br0' by the bridge interface on the host to which the container should be attached (a veth pair will be created when the container starts up).

Also make sure to set 'PrivateUsers=no', because by default systemd-nspawn uses some randomized UID/GID mapping which makes it difficult to migrate the container to a different system.

Now start the container:
<pre>
systemctl start systemd-nspawn@machine1
</pre>
Or alternatively, using <code>machinectl</code>:
<pre>
machinectl start machine1
</pre>

To login to a container via an emulated serial console (I don't recommend doing this, since the TTY gets screwed up):
<pre>
machinectl login machine1
</pre>

Attach to a running container (similar to <code>lxc-attach</code>):
<pre>
machinectl shell machine1
</pre>

<b>Note</b>: if you see the error <code>sh: 2: exec: : Permission denied</code>, append /bin/bash to the end of the command:
<pre>
machinectl shell machine1 /bin/bash
</pre>

<b>Important</b>: make sure the container starts up at boot:
<pre>
systemctl enable systemd-nspawn@machine1
</pre>

== Multiple network interfaces ==
Unfortunately systemd does not have a built-in way to create [https://github.com/systemd/systemd/issues/11087 multiple bridged network interfaces]. Thankfully, it's not too difficult to accomplish this using the <code>VirtualEthernetExtra</code> option and a systemd drop-in; the idea is to create some extra veth pairs and then manually attach them to the bridge.

Let's say you have three bridges on the host: br0, br1 and br2, and you want the container to be attached to all three. Make your nspawn file look like this:
<pre>
...
[Network]
Bridge=br0
# These will be manually bridged to the host
VirtualEthernetExtra=ve-machine1-1:veth1
VirtualEthernetExtra=ve-machine1-2:veth2
</pre>
Now run <code>systemctl edit systemd-nspawn@machine1</code> and paste the following:
<pre>
[Service]
ExecStartPost=/usr/sbin/ip link set dev ve-machine1-1 master br1
ExecStartPost=/usr/sbin/ip link set dev ve-machine1-1 up
ExecStartPost=/usr/sbin/ip link set dev ve-machine1-2 master br2
ExecStartPost=/usr/sbin/ip link set dev ve-machine1-2 up
</pre>
In the container, there will be three interfaces:

* host0, which is attached to br0 on the host
* veth1, which is attached to br1 on the host
* veth2, which is attached to br2 on the host

Make sure you update /etc/systemd/network/10-hostbr.network in the container accordingly.

Machine List

2025-03-31T19:38:41Z

Y266shen: /* mannitol */ now has cuda

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. '''<u>If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.</u>'''

== ''corn-syrup'' ==

Dell PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]
'''Notes'''

* Missing moba IO shield (as of January 2024)

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

'''We strongly discourage running computationally-intensive jobs''' on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
'''Notes'''
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF. CUDA is available on this node.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* NVIDIA GeForce RTX 3050 6G

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
cyanide is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)], identical in specification to powernap

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

== ''suika'' ==

Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
** TODO: this is not the case anymore
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in `/music` on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

The CI/CD stuff for the csclub.uwaterloo.ca runs on this vm (drone).

= Codey Bot Only =
Ran on CSC Cloud in a separate Cloudstack project. codey-staging, codey-dev, codey-prod.

TODO: migrating from cloudstack

= Syscom Only =

The following systems are only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

==== Specs ====

* (clone of Xylitol)
* 4x 2TB Kingston KC3000 (ZFS Z2 [Sustain 2-failures]) (KIN-SKC3000D2048G)
** Mounted on 2x Startech Dual M.2 PCIE SSD Adapter Cards (STA-PEX8M2E2)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]
*prometheus

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics, on Science Computing Rack 2. NICs are plugged into A1 and A2 on the adjacent rack. Acts as a backup server for many things.

TODO: should replace with another Syscom server when Science Computing clears out the rack (ETA before 09/2024)

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]] (kerberos)

==== Notes ====

* '''TODO: Mega unreliable.''' (Goes down once every few weeks... due to power outages in the PHYS server room)
** It is plugged into a UPS but the UPS has dead batteries.
* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:
** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248
* Physical access to the PHYS server rooms can be acquired by visiting Science Computing in PHYS 2006.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

TODO: "HA"-ish configuration

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

TODO: gone??

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 2 x Intel Xeon E5-2695 v4 (18 cores, 2.10GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RDIMM RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

Spec before 2025-03-27:
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
TODO: Debian 9?

==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
'''Notes'''

* Also used for experimenting new CSC services.

* TODO: use as backup server

==''citric-acid''==
A Dell PowerEdge R815 (TODO: check model) provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) user.
* [[Plane]], an internal (CSC) project management tool.
* Minio
'''Notes'''

* Being repurposed for Termcom training and development.
* TODO: migrate Vaultwarden (https://pass.csclub.uwaterloo.ca/)??
* UFW opened-ports: SSH, HTTP/HTTPS
* Upgraded to Podman 4.x

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* Cloudstack host
* TODO: cloudstack migration

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD
==== Services ====

* OpenStack block and object storage for csclub.cloud
* ????
'''Notes'''

* TODO: cloudstack migration

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

* load-balancer-01

Was used to experiment the following then-new CSC services:

* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* TODO: ???
** block1.cloud
** object1.cloud
'''Notes'''

* TODO: cloudstack migration
* TODO: ditch... Currently being used to set up NextCloud.

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

'''Notes'''
* TODO: cloudstack migration

==''biloba''==

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* dual SFP connection to core switch

... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

TODO: disconnected??

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf (TODO: right model?)
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

'''NOTE: May have disappeared at some point'''

==''digital cutter''==

See [[Digital Cutter|here]].

= Decommissioned =

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)
= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Machine List

2025-03-31T19:36:55Z

Y266shen: mirror upgraded on 2025-03-27

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. '''<u>If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.</u>'''

== ''corn-syrup'' ==

Dell PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]
'''Notes'''

* Missing moba IO shield (as of January 2024)

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

'''We strongly discourage running computationally-intensive jobs''' on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
'''Notes'''
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
cyanide is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)], identical in specification to powernap

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

== ''suika'' ==

Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
** TODO: this is not the case anymore
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in `/music` on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

The CI/CD stuff for the csclub.uwaterloo.ca runs on this vm (drone).

= Codey Bot Only =
Ran on CSC Cloud in a separate Cloudstack project. codey-staging, codey-dev, codey-prod.

TODO: migrating from cloudstack

= Syscom Only =

The following systems are only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

==== Specs ====

* (clone of Xylitol)
* 4x 2TB Kingston KC3000 (ZFS Z2 [Sustain 2-failures]) (KIN-SKC3000D2048G)
** Mounted on 2x Startech Dual M.2 PCIE SSD Adapter Cards (STA-PEX8M2E2)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]
*prometheus

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics, on Science Computing Rack 2. NICs are plugged into A1 and A2 on the adjacent rack. Acts as a backup server for many things.

TODO: should replace with another Syscom server when Science Computing clears out the rack (ETA before 09/2024)

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]] (kerberos)

==== Notes ====

* '''TODO: Mega unreliable.''' (Goes down once every few weeks... due to power outages in the PHYS server room)
** It is plugged into a UPS but the UPS has dead batteries.
* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:
** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248
* Physical access to the PHYS server rooms can be acquired by visiting Science Computing in PHYS 2006.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

TODO: "HA"-ish configuration

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

TODO: gone??

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 2 x Intel Xeon E5-2695 v4 (18 cores, 2.10GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RDIMM RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

Spec before 2025-03-27:
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
TODO: Debian 9?

==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
'''Notes'''

* Also used for experimenting new CSC services.

* TODO: use as backup server

==''citric-acid''==
A Dell PowerEdge R815 (TODO: check model) provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) user.
* [[Plane]], an internal (CSC) project management tool.
* Minio
'''Notes'''

* Being repurposed for Termcom training and development.
* TODO: migrate Vaultwarden (https://pass.csclub.uwaterloo.ca/)??
* UFW opened-ports: SSH, HTTP/HTTPS
* Upgraded to Podman 4.x

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* Cloudstack host
* TODO: cloudstack migration

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD
==== Services ====

* OpenStack block and object storage for csclub.cloud
* ????
'''Notes'''

* TODO: cloudstack migration

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

* load-balancer-01

Was used to experiment the following then-new CSC services:

* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* TODO: ???
** block1.cloud
** object1.cloud
'''Notes'''

* TODO: cloudstack migration
* TODO: ditch... Currently being used to set up NextCloud.

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

'''Notes'''
* TODO: cloudstack migration

==''biloba''==

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* dual SFP connection to core switch

... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

TODO: disconnected??

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf (TODO: right model?)
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

'''NOTE: May have disappeared at some point'''

==''digital cutter''==

See [[Digital Cutter|here]].

= Decommissioned =

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)
= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Service List

2025-03-10T17:17:29Z

Y266shen: /* BigBlueButton */ update container name

A list of services we run and when they've been last updated.

== Infrastructure ==
=== LDAP/Kerberos ===
''See'': [[LDAP]] and [[Kerberos]]

Member information storage and authentication backend.
* Location: ''auth1'' container on [[Machine List#xylitol|xylitol]]
* Last updated: Unknown, updated alongside debian 12

=== Keycloak ===
''See'': [[Keycloak]]

SSO provider.
* Location: somewhere on k8s
* Last updated: Unknown, before Spring 2022

=== Mail ===
''See'': [[Mail]]

Postfix/Dovecot mail server
* Location: ''mail'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last updated: Fall 2024

=== mailman3 ===
''See'': [[Mailing Lists]]

Mailing list handler
* Location: ''mailman3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Fall 2024, to mailman 3.10

=== prometheus ===
''See'': [[Observability]]

Also hosts ClickHouse and vector
* Location: ''qemu-2-prometheus'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, updated alongside debian 12

=== NFS ===
Hosted on [[New NetApp]]
* Location: [[New NetApp]] on MC CSC rack
* Last update: 2017, pending "New New NetApp"

=== Ceph ===
''See'': [[Ceph]]

Storage backend for CSCloud.
* Location: 3 node cluster on riboflavin, ginkgo and biloba
* Last update: Unknown

== General services ==
=== Mirror ===
''See'': [[Mirror]]

Our flagship service.
* Location: [[Machine List#potassium-benzoate|potassium-benzoate]]
* Last update: Constantly by syscom

=== CSC Cloud ===
''See'': [[Main Page#CSC Cloud|CSC Cloud]]

Another flagship service.
* Location: 3 node cluster on chamomile, ginkgo and biloba
* Last update: Unknown

=== VaultWarden ===
''See'': [[Vaultwarden]]

Bitwarden-compatible password manager.
* Location: ''Where?''
* Last update: Winter 2025

=== BigBlueButton ===
''See'': [[BigBlueButton]]

Online conferencing.
* Location: ''bigbluebutton3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Winter 2025

=== Plane ===
''See'': [[Plane]]

JIRA but selfhosted.
* Location: ''Where?''
* Last update: Unknown

=== IRC webchat (The Lounge) ===
''See'': [[How to IRC#The Lounge]]

* Location: ''chat'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Mattermost ===
''See'': [[MatterMost]]
* Location: ''mattermost'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Nextcloud ===
''See'': [[Nextcloud]]

CSC's file and calendar server.
* Location: ''nextcloud'' container on [[Machine List#guayusa|guayusa]]
* Last update: Winter 2025

== Web infra ==
=== Member/Club Hosting ===
''See'': [[Web Hosting]] and [[Club Hosting]]

Apache and PHP. Your regular, old-school hosting service.
* Location: ''caffeine'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Winter 2025

=== MySQL/PostgreSQL ===
''See'': [[MySQL]] and [[PostgreSQL]]

Databases for hosting.
* Location: ''coffee'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, still on PostgreSQL 15

Main Page

2025-03-10T15:29:08Z

Y266shen: /* Software Infrastructure */

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [[PostgreSQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Committees Documentation ==
=== Club Operation ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[How to (Extra) Ban Someone]]
* [[SCS Guide]]
* [[Kerberos |Password Reset]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Disk Drive RMA Process]]
* [[Machine List]]
* [[IPMI101]]
* [[New NetApp]]
* [[Switches]]
</div>

=== Software Infrastructure ===
To see a complete list of services, where to find them and when they are updated, see [[Service List]].

<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[MatterMost]]
* [[Load-balancer]]
* [[Plane]]
* [[RT]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
</div>

== Historical ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
* [[NFS/Kerberos]]
* [[Hardware]]
* [[Imapd Guide]]
__NOTOC__

Service List

2025-03-10T15:28:24Z

Y266shen: Created page with "A list of services we run and when they've been last updated. == Infrastructure == === LDAP/Kerberos === ''See'': LDAP and Kerberos Member information storage and authentication backend. * Location: ''auth1'' container on xylitol * Last updated: Unknown, updated alongside debian 12 === Keycloak === ''See'': Keycloak SSO provider. * Location: somewhere on k8s * Last updated: Unknown, before Spring 2022 === Mail === ''See'': Mail..."

A list of services we run and when they've been last updated.

== Infrastructure ==
=== LDAP/Kerberos ===
''See'': [[LDAP]] and [[Kerberos]]

Member information storage and authentication backend.
* Location: ''auth1'' container on [[Machine List#xylitol|xylitol]]
* Last updated: Unknown, updated alongside debian 12

=== Keycloak ===
''See'': [[Keycloak]]

SSO provider.
* Location: somewhere on k8s
* Last updated: Unknown, before Spring 2022

=== Mail ===
''See'': [[Mail]]

Postfix/Dovecot mail server
* Location: ''mail'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last updated: Fall 2024

=== mailman3 ===
''See'': [[Mailing Lists]]

Mailing list handler
* Location: ''mailman3'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Fall 2024, to mailman 3.10

=== prometheus ===
''See'': [[Observability]]

Also hosts ClickHouse and vector
* Location: ''qemu-2-prometheus'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, updated alongside debian 12

=== NFS ===
Hosted on [[New NetApp]]
* Location: [[New NetApp]] on MC CSC rack
* Last update: 2017, pending "New New NetApp"

=== Ceph ===
''See'': [[Ceph]]

Storage backend for CSCloud.
* Location: 3 node cluster on riboflavin, ginkgo and biloba
* Last update: Unknown

== General services ==
=== Mirror ===
''See'': [[Mirror]]

Our flagship service.
* Location: [[Machine List#potassium-benzoate|potassium-benzoate]]
* Last update: Constantly by syscom

=== CSC Cloud ===
''See'': [[Main Page#CSC Cloud|CSC Cloud]]

Another flagship service.
* Location: 3 node cluster on chamomile, ginkgo and biloba
* Last update: Unknown

=== VaultWarden ===
''See'': [[Vaultwarden]]

Bitwarden-compatible password manager.
* Location: ''Where?''
* Last update: Winter 2025

=== BigBlueButton ===
''See'': [[BigBlueButton]]

Online conferencing.
* Location: ''BigBlueButton'' nspawn container on [[Machine List#xylitol|xylitol]]
* Last update: Winter 2025

=== Plane ===
''See'': [[Plane]]

JIRA but selfhosted.
* Location: ''Where?''
* Last update: Unknown

=== IRC webchat (The Lounge) ===
''See'': [[How to IRC#The Lounge]]

* Location: ''chat'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Mattermost ===
''See'': [[MatterMost]]
* Location: ''mattermost'' container on [[Machine List#xylitol|xylitol]]
* Last update: Unknown

=== Nextcloud ===
''See'': [[Nextcloud]]

CSC's file and calendar server.
* Location: ''nextcloud'' container on [[Machine List#guayusa|guayusa]]
* Last update: Winter 2025

== Web infra ==
=== Member/Club Hosting ===
''See'': [[Web Hosting]] and [[Club Hosting]]

Apache and PHP. Your regular, old-school hosting service.
* Location: ''caffeine'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Winter 2025

=== MySQL/PostgreSQL ===
''See'': [[MySQL]] and [[PostgreSQL]]

Databases for hosting.
* Location: ''coffee'' VM on [[Machine List#phosphoric-acid|phosphoric-acid]]
* Last update: Unknown, still on PostgreSQL 15

Meeting:Meetings

2025-03-09T23:37:20Z

Y266shen:

==Minutes of Meetings (Executive)==
* [[Tuesday 16 September 2008]]

==General Meetings==

* [[Meetings/2025-01-13|Monday 13 January 2025]]
* [[Meetings/2024-01-11|Thursday 11 January 2024]]
* [[Tuesday 12 September 2023]]
* [[Wednesday 11 May 2023]]
* [[Meetings/2023-01-12|Thursday 12 January 2023]]
* [[Meetings/2022-09-12|Monday 12 September 2022]]
* [[Meetings/2022-05-05|Thursday 5 May 2022]]
* [[Thursday 2 October 2008]]
* [[Friday 19 October 2007]]

==Weekly All-Hands Meetings==
* [[Monday 5 December 2022]]
* [[Monday 28 November 2022]]
* [[Monday 21 November 2022]]
* [[Monday 14 November 2022]]
* [[Monday 7 November 2022]]
* [[Monday 31 October 2022]]
* [[Monday 24 October 2022]]
* [[Monday 17 October 2022]]
* [[Monday 3 October 2022]]
* [[Sunday 21 March 2021]]
* [[Sunday 14 March 2021]]
* [[Sunday 7 March 2021]]
* [[Sunday 28 February 2021]]

== Termcom/Syscom Meetings ==
* [[09 Mar 2025 Termcom Meeting]]
* [[Saturday 29 July 2023 Termcom Meeting]]
* [[Saturday 24 June 2023 Termcom Meeting]]
* [[Saturday 10 June 2023 Termcom Meeting]]
* [[Saturday 27 May 2023 Termcom Meeting]]
* [[Saturday 13 May 2023 Termcom Meeting]]
* [[Saturday 25 March 2023 Termcom Meeting]]
* [[Saturday 11 February 2023]]

== Source ==

* '''CSC All-hands Meeting Notes - Fall 2022''': https://docs.google.com/document/d/1Tl_E5nM3bguw9if9O2Woc4jNmeZxG7QVel5fzHdZgfQ/edit#

[[Category:Meetings]]

Meeting:09 Mar 2025 Termcom Meeting

2025-03-09T23:36:35Z

Y266shen: Created page with "== pyceo == * TODO: count members accurately == Mirror == * TODO: hardware maintenance == Mail == * TODO: moderation, probably through discord == Matrix == * TODO: create and bridge IRC/discord * HOLD: stuck by storage == Hosting == * TODO: high-availability web server * TODO: high-availability vaultwarden == CSCloud == * TODO: port forwarding with pyceo == New services == * ?: https://github.com/calcom/cal.com == Keycloak == * TODO: Upgrade (relatively easy, k8s magic)..."

== pyceo ==
* TODO: count members accurately
== Mirror ==
* TODO: hardware maintenance
== Mail ==
* TODO: moderation, probably through discord
== Matrix ==
* TODO: create and bridge IRC/discord
* HOLD: stuck by storage
== Hosting ==
* TODO: high-availability web server
* TODO: high-availability vaultwarden
== CSCloud ==
* TODO: port forwarding with pyceo
== New services ==
* ?: https://github.com/calcom/cal.com
== Keycloak ==
* TODO: Upgrade (relatively easy, k8s magic) and reintegrate with UW's ADFS system (hard!)
== Fundings ==
* MEF Spring 2023 (new cscloud server): expired, reapply
* SLEF (when?): new server
* MEF Fall 2024: server parts
== Community ==
* TODO: asking for services people want us host
* TODO: marketing for CSC for students outside math/cs

Music

2025-03-05T16:46:16Z

Y266shen: add `discoverable off` as standard procedure

Music is run off <code>powernap</code>, since that's the computer with the speakers attached.

Office staff/termcom/syscom permissions are required to play music in the office.

We also have MPD available, however this method is rarely used after 2022. ''kids these days''

==How to play music==

# Run <code>ssh [watid]@powernap.csclub.uwaterloo.ca</code>
# Run <code>bluetoothctl</code>
# Type <code>pairable on</code> and <code>discoverable on</code> into the console to enable pairing and discovery
# Connect to <code>powernap</code> from your device
# Respond yes to all the prompts on the terminal from <code>powernap</code>
# Type <code>trust [device_mac]</code> to automatically allow audio from your device next time
# You should be able to play audio like a normal audio device now
# After you are done pairing, type <code>discoverable off</code> to prevent distortions. See troubleshooting section for detail

==How to control audio server==
powernap uses PipeWire and can talk to PulseAudio client. To set volume, mute some audio stream, or change output setting, use an office terminal and do:

<pre>
PULSE_SERVER=powernap.csclub.uwaterloo.ca pavucontrol
</pre>

If you're using a Linux laptop then this should work too.

==MPD Controls==
To view the keybindings of ncmpcpp, press F1 while it's running.
The number keys switch between tabs in it.

*1 is current playlist
*2 is browsing files
*3 is search
*4 is browsing the media library
*5 is browsing saved playlists, etc.

You can add your own ''absolutely legitimately obtained'' music by copying them to <code>/music</code> on powernap. Then type <code>u</code> in ncmpcpp to refresh the database.

==Termcom Info==

*We require https://github.com/hrkfdn/mpdas to get scrobbling working as it "official" last.fm integration was removed from mpd in 2013.
**n.b. https://github.com/hrkfdn/mpdas/issues/58
*To control the mixer on other terminals, use <code>PULSE_SERVER=nullsleep pavucontrol</code>
*The official last.fm account credentials are stored in the exec password spot :)

==Troubleshooting Playback==
*Sometimes after connecting to powernap there is immense distortion and audio playback is not bearable.
*To fix type <code>discoverable off</code> in the bluetoothctl environment (after a successful connection of course).
*Current consensus is that this happens because there are so many bluetooth devices in MC that the compute on powernap gets overwhelmed.

Git Hosting

2025-02-13T15:54:45Z

Y266shen:

We have a [https://git.csclub.uwaterloo.ca Gitea] instance running on [[Machine List#caffeine|caffeine]]. You can sign in via LDAP to the web interface. Projects used by CSC as a whole are owned by the [https://git.csclub.uwaterloo.ca/public public] organization, except for website-committee related repos, which are owned by the [https://git.csclub.uwaterloo.ca/www www] org.

== Installation Details ==
<code>/etc/gitea</code> on caffeine contains the configs for Gitea. It's installed as a Debian package, with additional files in <code>/var/lib/gitea/</code>and a systemd service at <code>/lib/systemd/system/gitea.service</code>.

There is a custom locale (used to define CSC-custom strings in some pages) at <code>/var/lib/gitea/custom/options/locale/locale_en-US.ini</code> that may need to be updated when the Gitea APT package is updated. To update this, run the <code>update_custom_locale.sh</code> in that directory (as root).

== Usage ==
"It's basically GitHub"

- raymo

=== SSH keys ===
It is recommended to setup [https://git.csclub.uwaterloo.ca/user/settings/keys SSH keys] so that you do not have to enter your password each time you push to a repo. Once you have uploaded your public key, add the following to your ~/.ssh/config:
<pre>
Host csclub.uwaterloo.ca
HostName csclub.uwaterloo.ca
IdentityFile ~/.ssh/id_rsa
User git
</pre>
(Replace ~/.ssh/id_rsa by the location of your private SSH key.) Now you should be able to clone, push and pull over SSH.

== Continuous Integration ==
We are running a CI server at https://ci.csclub.uwaterloo.ca. It uses OAuth via Gitea for logins, so you need to have logged in to Gitea first. See https://docs.drone.io/ for documentation. All you have to do is create a .drone.yml file in your repo, then enable CI on the repo from the CSC Drone website. There is an example [https://git.csclub.uwaterloo.ca/merenber/drone-test here].

== Pushing and pulling from the filesystem ==
(for syscom only)
<br>
If you need to keep the ability to push/pull from the filesystem, in addition to Gitea, you will need to take the following steps.
In this example, we are migrating a repo called 'public/repo.git', which is a folder under /srv/git on caffeine (which is a symlink to /users/git).
The way we're doing this right now is kind of hacky, but it works:
<ol>
<li>Clone the original repo locally: <code>git clone /srv/git/public/repo.git</code></li>
<li>Delete the old repo (from phosphoric-acid, which has no_root_squash): <code>rm -rf /srv/git/public/repo.git</code></li>
<li>Create a new repo with the name 'repo' from the Gitea web UI. This should create a bare repository at <code>/srv/git/public/repo.git</code>. (Make sure you choose the 'public' org from the dropdown.)</li>
<li>
Push the original repo to the new remote:
<pre>
cd repo
git remote add gitea https://git.csclub.uwaterloo.ca/public/repo.git
git push gitea master
</pre>
</li>
<li>
Remove any git gooks which require gitea:
<pre>
rm $(grep -IRl gitea /srv/git/public/repo.git/hooks)
</pre>
</li>
<li>
Change file permissions:
<pre>
chown -R git:git /srv/git/public/repo.git
chmod -R g+w /srv/git/public/repo.git
</pre>
You will need to do this from phosphoric-acid (due to NFS root squashing).
</li>
</ol>
Note that the repo folder SHOULD be owned by git:git. Anything else will likely break Gitea. (If a user pushes something to the folder and their umask doesn't allow group members to read, for example, then Gitea will be unable to read the repo.)
<br>
This means that only trusted users should be in the git group - ideally, only syscom members.

== Troubleshooting ==
If you are having trouble pulling/pushing with SSH and have something like this when trying <code>ssh git@csclub.uwaterloo.ca</code>:

<pre>
PTY allocation request failed on channel 0
shell request failed on channel 0
</pre>

Just restart <code>gitea.service</code> on caffeine.

Git Hosting

2025-02-13T15:54:14Z

Y266shen:

We have a [https://git.csclub.uwaterloo.ca Gitea] instance running on [[Machine List#caffeine|caffeine]]. You can sign in via LDAP to the web interface. Projects used by CSC as a whole are owned by the [https://git.csclub.uwaterloo.ca/public public] organization, except for website-committee related repos, which are owned by the [https://git.csclub.uwaterloo.ca/www www] org.

== Installation Details ==
<code>/etc/gitea</code> on caffeine contains the configs for Gitea. It's installed as a Debian package, with additional files in <code>/var/lib/gitea/</code>and a systemd service at <code>/lib/systemd/system/gitea.service</code>.

There is a custom locale (used to define CSC-custom strings in some pages) at <code>/var/lib/gitea/custom/options/locale/locale_en-US.ini</code> that may need to be updated when the Gitea APT package is updated. To update this, run the <code>update_custom_locale.sh</code> in that directory (as root).

== Usage ==
"It's basically GitHub"

- raymo

=== SSH keys ===
It is recommended to setup [https://git.csclub.uwaterloo.ca/user/settings/keys SSH keys] so that you do not have to enter your password each time you push to a repo. Once you have uploaded your public key, add the following to your ~/.ssh/config:
<pre>
Host csclub.uwaterloo.ca
HostName csclub.uwaterloo.ca
IdentityFile ~/.ssh/id_rsa
User git
</pre>
(Replace ~/.ssh/id_rsa by the location of your private SSH key.) Now you should be able to clone, push and pull over SSH.

== Continuous Integration ==
We are running a CI server at https://ci.csclub.uwaterloo.ca. It uses OAuth via Gitea for logins, so you need to have logged in to Gitea first. See https://docs.drone.io/ for documentation. All you have to do is create a .drone.yml file in your repo, then enable CI on the repo from the CSC Drone website. There is an example [https://git.csclub.uwaterloo.ca/merenber/drone-test here].

== Pushing and pulling from the filesystem ==
(for syscom only)
<br>
If you need to keep the ability to push/pull from the filesystem, in addition to Gitea, you will need to take the following steps.
In this example, we are migrating a repo called 'public/repo.git', which is a folder under /srv/git on caffeine (which is a symlink to /users/git).
The way we're doing this right now is kind of hacky, but it works:
<ol>
<li>Clone the original repo locally: <code>git clone /srv/git/public/repo.git</code></li>
<li>Delete the old repo (from phosphoric-acid, which has no_root_squash): <code>rm -rf /srv/git/public/repo.git</code></li>
<li>Create a new repo with the name 'repo' from the Gitea web UI. This should create a bare repository at <code>/srv/git/public/repo.git</code>. (Make sure you choose the 'public' org from the dropdown.)</li>
<li>
Push the original repo to the new remote:
<pre>
cd repo
git remote add gitea https://git.csclub.uwaterloo.ca/public/repo.git
git push gitea master
</pre>
</li>
<li>
Remove any git gooks which require gitea:
<pre>
rm $(grep -IRl gitea /srv/git/public/repo.git/hooks)
</pre>
</li>
<li>
Change file permissions:
<pre>
chown -R git:git /srv/git/public/repo.git
chmod -R g+w /srv/git/public/repo.git
</pre>
You will need to do this from phosphoric-acid (due to NFS root squashing).
</li>
</ol>
Note that the repo folder SHOULD be owned by git:git. Anything else will likely break Gitea. (If a user pushes something to the folder and their umask doesn't allow group members to read, for example, then Gitea will be unable to read the repo.)
<br>
This means that only trusted users should be in the git group - ideally, only syscom members.

=== Troubleshooting ===
If you are having trouble pulling/pushing with SSH and have something like this when trying <code>ssh git@csclub.uwaterloo.ca</code>:

<pre>
PTY allocation request failed on channel 0
shell request failed on channel 0
</pre>

Just restart <code>gitea.service</code> on caffeine.

DNS

2025-02-10T14:47:26Z

Y266shen: /* Updating records */

== IST DNS ==

The University of Waterloo's DNS is managed through it's [https://ipam.private.uwaterloo.ca IP Address Management system]. IST has published some information on the [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/43401052394/IP+Address+Management IST Knowledge Base].

People who have access to Infoblox:

* ztseguin
* API account located in the standard syscom place

=== Managing Records ===
There are two primary types of records that are maintained: Hosts and Aliases.

''Note: Use the v4 and v6 toggles in the top left to switch between IPv4 and IPv6 networks.''

==== Add a new host ====

# Go to https://ipam.private.uwaterloo.ca
# Click on IPAM -> Networks
# Locate the appropriate network for the server
# Click on the IP address that you want to register
# Set the appropriate information
## Set the "MAC" address of the machine (''note: CSC networks don't use the IST DHCP system, so this is effectively ignored'')
## Under "IPAM to DNS replication"
### Domain: Click the grey button next to the text box and change "Inherit" to "Set". Then select the "csclub.uwaterloo.ca" domain (or other as appropriate)
### Shortname: The machine's name (e.g., caffeine)
## At the bottom
### Add "systems-committee@csclub.uwaterloo.ca" as a Technical Contact
### Select the appropriate Pol8 Classification (usually Public)
# Click "Next"
# Click "Next"
# Add any aliases for the host (these will be created as CNAME records)
# Click "OK"

Repeat the instructions for the IPv6 entry, however you may need to click the "+" to add the IP address on the network.

==== Add/remove an alias to an existing host ====

* Go to https://ipam.private.uwaterloo.ca
* Click on IPAM -> Networks
* Locate the appropriate network for the server
* Click on the IP address associated with the '''destination''' server (e.g., caffeine)
* If you get sent to a blank list.. click the "Address" object in the breadcrumb
* Click "Edit" under the ALIASES section on the screen
* Click "Next" twice
* Add or remove the alias to the list
* Click "OK"

== CSC DNS ==

CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20).

Current authoritative domains:

* csclub.cloud
* uwaterloo.club
* csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the IPAM records.

Those DNS servers are also recursive for machines located on the University network.

=== Updating records ===
'''Note!''' This won't work for csclub.uwaterloo.ca, as your changes will be overwritten by the update script that pulls records from university's IPAM.

To manually update a record in the dns1 container (somewhere in /etc/bind):
<ol>
<li>
If this is a dynamic zone (so csclub.cloud), temporarily stop allowing dynamic updates via <code>rndc freeze $ZONE</code>
</li>
<li>
Modify the corresponding <code>db.$ZONE</code> file.
</li>
<li>
Make sure you also update the serial number for the SOA record for the corresponding zone.
</li>
<li>
Run <code>rndc reload</code> to apply changes.
</li>
</ol>

== Miscellaneous ==

=== LOC Records ===

If we really cared, we might add a [http://en.wikipedia.org/wiki/LOC_record LOC record] for csclub.uwaterloo.ca.

=== SSHFP ===

We could look into [http://tools.ietf.org/html/rfc4255 SSHFP] records. Apparently OpenSSH supports these. (Discussion moved to [[Talk:DNS]].)

[[Category:Systems]]

DNS

2025-02-07T05:17:57Z

Y266shen: /* Updating records */

== IST DNS ==

The University of Waterloo's DNS is managed through it's [https://ipam.private.uwaterloo.ca IP Address Management system]. IST has published some information on the [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/43401052394/IP+Address+Management IST Knowledge Base].

People who have access to Infoblox:

* ztseguin
* API account located in the standard syscom place

=== Managing Records ===
There are two primary types of records that are maintained: Hosts and Aliases.

''Note: Use the v4 and v6 toggles in the top left to switch between IPv4 and IPv6 networks.''

==== Add a new host ====

# Go to https://ipam.private.uwaterloo.ca
# Click on IPAM -> Networks
# Locate the appropriate network for the server
# Click on the IP address that you want to register
# Set the appropriate information
## Set the "MAC" address of the machine (''note: CSC networks don't use the IST DHCP system, so this is effectively ignored'')
## Under "IPAM to DNS replication"
### Domain: Click the grey button next to the text box and change "Inherit" to "Set". Then select the "csclub.uwaterloo.ca" domain (or other as appropriate)
### Shortname: The machine's name (e.g., caffeine)
## At the bottom
### Add "systems-committee@csclub.uwaterloo.ca" as a Technical Contact
### Select the appropriate Pol8 Classification (usually Public)
# Click "Next"
# Click "Next"
# Add any aliases for the host (these will be created as CNAME records)
# Click "OK"

Repeat the instructions for the IPv6 entry, however you may need to click the "+" to add the IP address on the network.

==== Add/remove an alias to an existing host ====

* Go to https://ipam.private.uwaterloo.ca
* Click on IPAM -> Networks
* Locate the appropriate network for the server
* Click on the IP address associated with the '''destination''' server (e.g., caffeine)
* If you get sent to a blank list.. click the "Address" object in the breadcrumb
* Click "Edit" under the ALIASES section on the screen
* Click "Next" twice
* Add or remove the alias to the list
* Click "OK"

== CSC DNS ==

CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20).

Current authoritative domains:

* csclub.cloud
* uwaterloo.club
* csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the IPAM records.

Those DNS servers are also recursive for machines located on the University network.

=== Updating records ===
To manually update a record in the dns1 container (somewhere in /etc/bind):
<ol>
<li>
If this is a dynamic zone (so csclub.cloud), temporarily stop allowing dynamic updates via <code>rndc freeze $ZONE</code>
</li>
<li>
Modify the corresponding <code>db.$ZONE</code> file.
</li>
<li>
Make sure you also update the serial number for the SOA record for the corresponding zone.
</li>
<li>
Run <code>rndc reload</code> to apply changes.
</li>
</ol>

== Miscellaneous ==

=== LOC Records ===

If we really cared, we might add a [http://en.wikipedia.org/wiki/LOC_record LOC record] for csclub.uwaterloo.ca.

=== SSHFP ===

We could look into [http://tools.ietf.org/html/rfc4255 SSHFP] records. Apparently OpenSSH supports these. (Discussion moved to [[Talk:DNS]].)

[[Category:Systems]]

DNS

2025-02-07T05:10:57Z

Y266shen: add instructions on how to edit record in dns1 container

== IST DNS ==

The University of Waterloo's DNS is managed through it's [https://ipam.private.uwaterloo.ca IP Address Management system]. IST has published some information on the [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/43401052394/IP+Address+Management IST Knowledge Base].

People who have access to Infoblox:

* ztseguin
* API account located in the standard syscom place

=== Managing Records ===
There are two primary types of records that are maintained: Hosts and Aliases.

''Note: Use the v4 and v6 toggles in the top left to switch between IPv4 and IPv6 networks.''

==== Add a new host ====

# Go to https://ipam.private.uwaterloo.ca
# Click on IPAM -> Networks
# Locate the appropriate network for the server
# Click on the IP address that you want to register
# Set the appropriate information
## Set the "MAC" address of the machine (''note: CSC networks don't use the IST DHCP system, so this is effectively ignored'')
## Under "IPAM to DNS replication"
### Domain: Click the grey button next to the text box and change "Inherit" to "Set". Then select the "csclub.uwaterloo.ca" domain (or other as appropriate)
### Shortname: The machine's name (e.g., caffeine)
## At the bottom
### Add "systems-committee@csclub.uwaterloo.ca" as a Technical Contact
### Select the appropriate Pol8 Classification (usually Public)
# Click "Next"
# Click "Next"
# Add any aliases for the host (these will be created as CNAME records)
# Click "OK"

Repeat the instructions for the IPv6 entry, however you may need to click the "+" to add the IP address on the network.

==== Add/remove an alias to an existing host ====

* Go to https://ipam.private.uwaterloo.ca
* Click on IPAM -> Networks
* Locate the appropriate network for the server
* Click on the IP address associated with the '''destination''' server (e.g., caffeine)
* If you get sent to a blank list.. click the "Address" object in the breadcrumb
* Click "Edit" under the ALIASES section on the screen
* Click "Next" twice
* Add or remove the alias to the list
* Click "OK"

== CSC DNS ==

CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20).

Current authoritative domains:

* csclub.cloud
* uwaterloo.club
* csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the IPAM records.

Those DNS servers are also recursive for machines located on the University network.

=== Updating records ===
To manually update a record in the dns1 container (somewhere in /etc/bind):
<ol>
<li>
Temporarily stop allowing dynamic updates via <code>rndc freeze $ZONE</code>
</li>
<li>
Modify the corresponding <code>db.$ZONE</code> file.
</li>
<li>
Make sure you also update the serial number for the SOA record for the corresponding zone.
</li>
<li>
Run <code>rndc reload</code> to apply changes.
</li>
</ol>

== Miscellaneous ==

=== LOC Records ===

If we really cared, we might add a [http://en.wikipedia.org/wiki/LOC_record LOC record] for csclub.uwaterloo.ca.

=== SSHFP ===

We could look into [http://tools.ietf.org/html/rfc4255 SSHFP] records. Apparently OpenSSH supports these. (Discussion moved to [[Talk:DNS]].)

[[Category:Systems]]

Mirror

2024-12-20T18:45:20Z

Y266shen: /* Writing Mirror News & Banner */

The [https://csclub.uwaterloo.ca Computer Science Club] runs a public mirror ([http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca]) on [[Machine_List#potassium-benzoate|potassium-benzoate]].

''We are listed on the ResNet "don't count" list, so downloading from our mirror will not count against one's ResNet quota.''

== Software Mirrored ==

A list of current archives (and their respective disk usage) is listed on our mirror's homepage at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

=== Mirroring Requests ===

Requests to mirror a particular distribution or archive should be made to [mailto:syscom@csclub.uwaterloo.ca syscom@csclub.uwaterloo.ca].

== Implementation Details ==

=== Syncing ===

==== Storage ====

All of our projects are stored on an 8x18TB disk raidz2 array (cscmirror0). There is an additional drive acting as a hot-spare.

* <code>/mirror/root/.cscmirror0</code>

Each project is given a filesystem the pool. Symlinks are created <code>/mirror/root</code> to point to the correct pool and file system.

==== Merlin ====
Project synchronization is done by "merlin" which is a Go rewrite of the Python script "merlin" originally written by a2brenna.

The program is stored in <code>~mirror/merlin</code> and is managed by the systemd unit <code>merlin-go.service</code>.

The config file <code>merlin-config.ini</code> contains the list of repositories along with their configurations.

To view the sync status, execute <code>~mirror/merlin/cmd/arthur/arthur status</code>. To force the sync of a project, execute <code>~mirror/merlin/cmd/arthur/arthur sync:PROJECT_NAME</code>.

'''Remark''': For syncing Debian repositories we were [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020998 requested] to use ftpsync which has configs in <code>~mirror/ftpsync</code>.

===== Push Sync =====

Some projects support push syncing via SSH.

We are running a special SSHD instance on mirror.csclub.uwaterloo.ca:22. This instance has been locked down, with the following settings:

* Only SSH key authentication
* Only users of the <code>push</code> group (except <code>mirror</code>) are allowed to connect
* X11 Forwarding, TCP Forwarding, Agent Forwarding, User RC and TTY are disabled
* Users are chrooted to <code>/mirror/merlin</code>

Most projects will connect using the <code>push</code> user. The SSH authorized keys file is located at <code>/home/push/.ssh/authorized_keys</code>. An example entry is:

<pre>
restrict,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="arthur sync:ubuntu >/dev/null 2>/dev/null </dev/null &",from="XXX.XXX.XXX.XXX" ssh-rsa ...
</pre>

==== Sync Scripts ====

Our collection of synchronization scripts are located in <code>~mirror/bin</code>. They currently include:

* <code>csc-sync-apache</code>
* <code>csc-sync-debian</code>
* <code>csc-sync-debian-cd</code>
* <code>csc-sync-gentoo</code>
* <code>csc-sync-ssh</code>
* <code>csc-sync-standard</code>

Most of these scripts take the following parameters:

<code>local_dir rsync_host rsync_dir</code>

=== HTTP(s) ===

We use [https://nginx.org nginx] as our webserver.

==== Index ====

An index of the archives we mirror is available at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

As of Spring 2023, it is now generated by Hugo.

<code>~mirror/mirror-index/deploy.sh</code> is scheduled in <code>/etc/cron.d/csc-mirror</code> to be run every minute.

The script will first run <code>synctask2project</code>, which pull project synchronization status from Merlin (using merlin's socket), combine sub-projects (for example <code>racket</code> is a combination for two merlin tasks, <code>plt-bundles</code> and <code>racket-installers</code>) and read the size of the project using <code>zfs list -Hp</code>. This Python script then spits out a json file to <code>data/sync.json</code>. Hugo then read the json file and generate the HTML table based on it. The table part is also generated separately into <code>public/project_table/index.html</code>, which can be read by htmx (JS library used on index page) to achieve live reload on sync status. Finally, the generated product of Hugo is copied to mirror root for display by nginx.

Project information is located at <code>synctask2project/config.toml</code> ('''NOT''' the config.toml in the root folder! That's the config for Hugo). Its format is as follows:
<pre class="toml">
merlin_sock = "/path/to/merlin/socket"
zfs_pools = ["mirror_zfs_pool1", "mirror_zfs_pool2"]

[project_name]
# This is supposed to be the short version shown on the website
# Mandatory field
site = "project.site"
# The full URL
# Mandatory field
url = "https://full.project.site"
# We are the upstream or archived project. Don't show sync error or last sync time
# Optional. Default: no
upstream = yes
# If this project contains multiple merlin sync tasks, list them here
# Optional. Default: project_name
merlin-tasks = ["task1", "task2"]

# define more projects below...
</pre>

The mirror-index also supports news. When adding new projects or making modifications, create a markdown file in <code>mirror-index/content/news/</code> to tell the user what was changed. It should be picked up by Hugo automatically on next generation.

On first setup, run <code>setup.sh</code>. When doing development (like change the sass or static files), run <code>build.sh</code> to build assets.

=== FTP ===

<b>UPDATE</b>: We now use vsftpd instead. See /etc/vsftpd.conf for details. Official documentation can be found [https://manpages.debian.org/stable/vsftpd/vsftpd.conf.5.en.html here].

We use [http://www.proftpd.org/ proftpd] (standalone daemon) as our FTP server.

To increase performance, we disable DNS lookups in <code>proftpd.conf</code>:

<pre>UseReverseDNS off
IdentLookups off</pre>
We also limit the amount of CPU/memory resources used (e.g. to minimize [https://en.wikipedia.org/wiki/Globbing Globbing] resources):

<pre>RLimitCPU session 10
RLimitMemory session 4096K</pre>
We allow a maximum of 500 concurrent FTP sessions:

<pre>MaxInstances 500
MaxClients 500</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

=== rsync ===

We use <code>rsyncd</code> (standalone daemon).

We disable compression and checksumming in <code>rsyncd.conf</code>:

<pre>dont compress = *
refuse options = c delete</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

== Mirror Administration ==

=== Making changes ===
Everything in the <code>~mirror</code> is managed by git (so a monorepo containing all sub-projects like Merlin and mirror-index). To make changes, switch to the mirror user and commit with <code>--author "FirstName LastName <email@csc></code> to show who made the change. Then run <code>git push</code> to push the changes. The remote is using the HTTPS URL, so just enter your CSC credentials.

=== Writing Mirror News & Banner ===
You can add news by putting a Markdown file into <code>~mirror/mirror-index/content/news</code>. A minimal post looks like this:
<pre>
+++
title = "New mirror index page"
date = "2023-05-04"
+++

We've updated the mirror index page to include more detailed synchronization status information.

If you experienced any usability issues due to browser compatibility, please let us know on [syscom@csclub.uwaterloo.ca](syscom@csclub.uwaterloo.ca).
</pre>
You can also put up a big banner on the front page for notifying critical information. Just edit <code>~mirror/mirror-index/config.toml</code>:
<pre>
[params]
banner = true
# Supported options: blue orange red
banner_color = "orange"
banner_title = "Scheduled Downtime"
# You can write markdown here
banner_text = "CSC Mirror will be down on Dec 22, 2024 from 7am to 4pm (EST/UTC-5). [More](/news/dec-22-2024-scheduled-downtime/)"
</pre>
And once the incident is over just set banner to be false.

=== Adding a new project ===

# Find the instructions for mirroring the project. Ideally, try to sync directly from the project’s source repository.
#* Note that some projects provide sync scripts, however we generally won’t use them. We will instead use our custom ones.
# Create a zfs filesystem to store the project in:
#*<code>zfs create cscmirror0/$PROJECT_NAME</code>
# Change the folder ownership
#*<code>chown mirror:mirror /mirror/root/.cscmirror0/$PROJECT_NAME</code>
# Create the symlink in <code>/mirror/root</code>
#*<code>ln -s .cscmirror0/$PROJECT_NAME $PROJECT_NAME</code> ('''NOTE''': The symlink must be relative to the <code>/mirror/root</code> directory. If it isn’t, the symlinks will not work when chrooted)
# Repeat the above steps on mirror-phys. <code>sudo ssh mirror-dc</code> on potassium-benzoate ['''NOTE: This machine is currently unavailable]'''
# Configure the project in merlin (<code>~mirror/merlin/merlin-config.ini</code>)
#* Select the appropriate sync script (typically <code>csc-sync-standard</code>) and supply the appropriate parameters
# Restart merlin: <code>systemctl restart merlin-go</code>
#* This will kick off the initial sync
#* Check <code>~mirror/merlin/log/$PROJECT_NAME</code> for errors, <code>~mirror/merlin/log-$PROTOCOL/$PROJECT_NAME-*.log</code> for transfer progress
# Configure the project in zfssync.yml (<code>~mirror/merlin/zfssync.yml</code>) ['''NOTE: The backup machine is currently unavailable, so this step is not currently needed]'''
# Update the mirror index configuration (<code>~mirror/mirror-index-ng/synctask2project/config.toml</code>)
# Add the project to rsync (<code>/etc/rsyncd.conf</code>)
#* Restart rsync with <code>systemctl restart rsync</code>

If push mirroring is available/required, see [[#Push_Sync|Push Sync]].

=== Rename project ===

# Change project name (title) and local_dir in <code>merlin-config.ini</code>
# Change zfs dataset name
#* <code>zfs rename cscmirror0/OLD_NAME cscmirror0/NEW_NAME</code>
# Reload merlin config
#* <code>systemctl reload merlin-go.service</code>
# Remove old symlink and create new symlink in mirror root
#* <code>rm OLD_DIR</code>
#* <code>ln -s .cscmirror0/NEW_DIR NEW_DIR</code>
# Add a symlink for the old name (in <code>/mirror/root</code>) so that existing users won't be broken by the change
#* <code>ln -s NEW_DIR OLD_DIR</code>
# Update the rsync daemon
#* Edit <code>/etc/rsyncd.conf</code>, adding a new entry for the new name (keep the old name too). Restart with <code>systemctl restart rsync</code>
# Modify index page generator config
#* At <code>~mirror/mirror-index-ng/synctask2project/config.toml</code>
# Update an mirror registrations with the project to ensure the new URLs are used

=== Secondary Mirror ===

The School of Computer Science's CSCF has provided us with a secondary mirror machine located in DC. This will limit the downtime of mirror.csclub in the event of an outage affecting the MC machine room.

As of June 2023, CSCF mirror is down. CSCF is planing to bring it back with new hardware but no ETA.

==== Keepalived ====

Mirror's IP addresses (129.97.134.71 and 2620:101:f000:4901:c5c::f:1055) have been configured has VRRP address on both machines. Keepalived does the monitoring and selecting of the active node.

Potassium-benzoate has higher priority and will typically be the active node. A node's priority is reduced when nginx, proftpd or rsync are not running. Potassium-benzoate starts with a score of 100 and mirror-dc starts with a priority of 90 (higher score wins).

When nginx is unavailable (checked w/ curl), the priority is reduced by 20. When proftpd is unavailable (checked with curl), the priority is reduced by 5. When rsync is unavailable (checking with rsync), the priority is reduced by 15.

The Systems Committee should received an email when the nodes swap position.

==== Project synchronization ====

Only potassium-benzoate is configure with merlin. mirror-dc has the software components, but they are probably not update to date nor configured to run correctly.

When a project sync is complete, merlin will kick off a custom script to sync the zfs dataset to the other node. These scripts live in /usr/local/bin and in ~mirror/merlin.

Mirror

2024-12-20T18:40:04Z

Y266shen: /* Writing Mirror News & Warning */

The [https://csclub.uwaterloo.ca Computer Science Club] runs a public mirror ([http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca]) on [[Machine_List#potassium-benzoate|potassium-benzoate]].

''We are listed on the ResNet "don't count" list, so downloading from our mirror will not count against one's ResNet quota.''

== Software Mirrored ==

A list of current archives (and their respective disk usage) is listed on our mirror's homepage at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

=== Mirroring Requests ===

Requests to mirror a particular distribution or archive should be made to [mailto:syscom@csclub.uwaterloo.ca syscom@csclub.uwaterloo.ca].

== Implementation Details ==

=== Syncing ===

==== Storage ====

All of our projects are stored on an 8x18TB disk raidz2 array (cscmirror0). There is an additional drive acting as a hot-spare.

* <code>/mirror/root/.cscmirror0</code>

Each project is given a filesystem the pool. Symlinks are created <code>/mirror/root</code> to point to the correct pool and file system.

==== Merlin ====
Project synchronization is done by "merlin" which is a Go rewrite of the Python script "merlin" originally written by a2brenna.

The program is stored in <code>~mirror/merlin</code> and is managed by the systemd unit <code>merlin-go.service</code>.

The config file <code>merlin-config.ini</code> contains the list of repositories along with their configurations.

To view the sync status, execute <code>~mirror/merlin/cmd/arthur/arthur status</code>. To force the sync of a project, execute <code>~mirror/merlin/cmd/arthur/arthur sync:PROJECT_NAME</code>.

'''Remark''': For syncing Debian repositories we were [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020998 requested] to use ftpsync which has configs in <code>~mirror/ftpsync</code>.

===== Push Sync =====

Some projects support push syncing via SSH.

We are running a special SSHD instance on mirror.csclub.uwaterloo.ca:22. This instance has been locked down, with the following settings:

* Only SSH key authentication
* Only users of the <code>push</code> group (except <code>mirror</code>) are allowed to connect
* X11 Forwarding, TCP Forwarding, Agent Forwarding, User RC and TTY are disabled
* Users are chrooted to <code>/mirror/merlin</code>

Most projects will connect using the <code>push</code> user. The SSH authorized keys file is located at <code>/home/push/.ssh/authorized_keys</code>. An example entry is:

<pre>
restrict,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="arthur sync:ubuntu >/dev/null 2>/dev/null </dev/null &",from="XXX.XXX.XXX.XXX" ssh-rsa ...
</pre>

==== Sync Scripts ====

Our collection of synchronization scripts are located in <code>~mirror/bin</code>. They currently include:

* <code>csc-sync-apache</code>
* <code>csc-sync-debian</code>
* <code>csc-sync-debian-cd</code>
* <code>csc-sync-gentoo</code>
* <code>csc-sync-ssh</code>
* <code>csc-sync-standard</code>

Most of these scripts take the following parameters:

<code>local_dir rsync_host rsync_dir</code>

=== HTTP(s) ===

We use [https://nginx.org nginx] as our webserver.

==== Index ====

An index of the archives we mirror is available at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

As of Spring 2023, it is now generated by Hugo.

<code>~mirror/mirror-index/deploy.sh</code> is scheduled in <code>/etc/cron.d/csc-mirror</code> to be run every minute.

The script will first run <code>synctask2project</code>, which pull project synchronization status from Merlin (using merlin's socket), combine sub-projects (for example <code>racket</code> is a combination for two merlin tasks, <code>plt-bundles</code> and <code>racket-installers</code>) and read the size of the project using <code>zfs list -Hp</code>. This Python script then spits out a json file to <code>data/sync.json</code>. Hugo then read the json file and generate the HTML table based on it. The table part is also generated separately into <code>public/project_table/index.html</code>, which can be read by htmx (JS library used on index page) to achieve live reload on sync status. Finally, the generated product of Hugo is copied to mirror root for display by nginx.

Project information is located at <code>synctask2project/config.toml</code> ('''NOT''' the config.toml in the root folder! That's the config for Hugo). Its format is as follows:
<pre class="toml">
merlin_sock = "/path/to/merlin/socket"
zfs_pools = ["mirror_zfs_pool1", "mirror_zfs_pool2"]

[project_name]
# This is supposed to be the short version shown on the website
# Mandatory field
site = "project.site"
# The full URL
# Mandatory field
url = "https://full.project.site"
# We are the upstream or archived project. Don't show sync error or last sync time
# Optional. Default: no
upstream = yes
# If this project contains multiple merlin sync tasks, list them here
# Optional. Default: project_name
merlin-tasks = ["task1", "task2"]

# define more projects below...
</pre>

The mirror-index also supports news. When adding new projects or making modifications, create a markdown file in <code>mirror-index/content/news/</code> to tell the user what was changed. It should be picked up by Hugo automatically on next generation.

On first setup, run <code>setup.sh</code>. When doing development (like change the sass or static files), run <code>build.sh</code> to build assets.

=== FTP ===

<b>UPDATE</b>: We now use vsftpd instead. See /etc/vsftpd.conf for details. Official documentation can be found [https://manpages.debian.org/stable/vsftpd/vsftpd.conf.5.en.html here].

We use [http://www.proftpd.org/ proftpd] (standalone daemon) as our FTP server.

To increase performance, we disable DNS lookups in <code>proftpd.conf</code>:

<pre>UseReverseDNS off
IdentLookups off</pre>
We also limit the amount of CPU/memory resources used (e.g. to minimize [https://en.wikipedia.org/wiki/Globbing Globbing] resources):

<pre>RLimitCPU session 10
RLimitMemory session 4096K</pre>
We allow a maximum of 500 concurrent FTP sessions:

<pre>MaxInstances 500
MaxClients 500</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

=== rsync ===

We use <code>rsyncd</code> (standalone daemon).

We disable compression and checksumming in <code>rsyncd.conf</code>:

<pre>dont compress = *
refuse options = c delete</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

== Mirror Administration ==

=== Making changes ===
Everything in the <code>~mirror</code> is managed by git (so a monorepo containing all sub-projects like Merlin and mirror-index). To make changes, switch to the mirror user and commit with <code>--author "FirstName LastName <email@csc></code> to show who made the change. Then run <code>git push</code> to push the changes. The remote is using the HTTPS URL, so just enter your CSC credentials.

=== Writing Mirror News & Banner ===
You can add news by putting a Markdown file into <code>~mirror/mirror-index/content/news</code>. A minimal post looks like this:
<pre>
+++
title = "New mirror index page"
date = "2023-05-04"
+++

We've updated the mirror index page to include more detailed synchronization status information.

If you experienced any usability issues due to browser compatibility, please let us know on [syscom@csclub.uwaterloo.ca](syscom@csclub.uwaterloo.ca).
</pre>
You can also put up a big banner on the front page for notifying critical information. Just edit <code>~mirror/mirror-index/config.toml</code>:
<pre>
[params]
banner = true
# Supported options: blue orange red
banner_color = "orange"
banner_title = "Scheduled Downtime"
# You can write markdown here
banner_text = "CSC Mirror will be down on Dec 22, 2024 from 7am to 4pm (EST/UTC-5). [More](/news/dec-22-2024-scheduled-downtime/)"
</pre>
And once the warning is over just set warning to be false.

=== Adding a new project ===

# Find the instructions for mirroring the project. Ideally, try to sync directly from the project’s source repository.
#* Note that some projects provide sync scripts, however we generally won’t use them. We will instead use our custom ones.
# Create a zfs filesystem to store the project in:
#*<code>zfs create cscmirror0/$PROJECT_NAME</code>
# Change the folder ownership
#*<code>chown mirror:mirror /mirror/root/.cscmirror0/$PROJECT_NAME</code>
# Create the symlink in <code>/mirror/root</code>
#*<code>ln -s .cscmirror0/$PROJECT_NAME $PROJECT_NAME</code> ('''NOTE''': The symlink must be relative to the <code>/mirror/root</code> directory. If it isn’t, the symlinks will not work when chrooted)
# Repeat the above steps on mirror-phys. <code>sudo ssh mirror-dc</code> on potassium-benzoate ['''NOTE: This machine is currently unavailable]'''
# Configure the project in merlin (<code>~mirror/merlin/merlin-config.ini</code>)
#* Select the appropriate sync script (typically <code>csc-sync-standard</code>) and supply the appropriate parameters
# Restart merlin: <code>systemctl restart merlin-go</code>
#* This will kick off the initial sync
#* Check <code>~mirror/merlin/log/$PROJECT_NAME</code> for errors, <code>~mirror/merlin/log-$PROTOCOL/$PROJECT_NAME-*.log</code> for transfer progress
# Configure the project in zfssync.yml (<code>~mirror/merlin/zfssync.yml</code>) ['''NOTE: The backup machine is currently unavailable, so this step is not currently needed]'''
# Update the mirror index configuration (<code>~mirror/mirror-index-ng/synctask2project/config.toml</code>)
# Add the project to rsync (<code>/etc/rsyncd.conf</code>)
#* Restart rsync with <code>systemctl restart rsync</code>

If push mirroring is available/required, see [[#Push_Sync|Push Sync]].

=== Rename project ===

# Change project name (title) and local_dir in <code>merlin-config.ini</code>
# Change zfs dataset name
#* <code>zfs rename cscmirror0/OLD_NAME cscmirror0/NEW_NAME</code>
# Reload merlin config
#* <code>systemctl reload merlin-go.service</code>
# Remove old symlink and create new symlink in mirror root
#* <code>rm OLD_DIR</code>
#* <code>ln -s .cscmirror0/NEW_DIR NEW_DIR</code>
# Add a symlink for the old name (in <code>/mirror/root</code>) so that existing users won't be broken by the change
#* <code>ln -s NEW_DIR OLD_DIR</code>
# Update the rsync daemon
#* Edit <code>/etc/rsyncd.conf</code>, adding a new entry for the new name (keep the old name too). Restart with <code>systemctl restart rsync</code>
# Modify index page generator config
#* At <code>~mirror/mirror-index-ng/synctask2project/config.toml</code>
# Update an mirror registrations with the project to ensure the new URLs are used

=== Secondary Mirror ===

The School of Computer Science's CSCF has provided us with a secondary mirror machine located in DC. This will limit the downtime of mirror.csclub in the event of an outage affecting the MC machine room.

As of June 2023, CSCF mirror is down. CSCF is planing to bring it back with new hardware but no ETA.

==== Keepalived ====

Mirror's IP addresses (129.97.134.71 and 2620:101:f000:4901:c5c::f:1055) have been configured has VRRP address on both machines. Keepalived does the monitoring and selecting of the active node.

Potassium-benzoate has higher priority and will typically be the active node. A node's priority is reduced when nginx, proftpd or rsync are not running. Potassium-benzoate starts with a score of 100 and mirror-dc starts with a priority of 90 (higher score wins).

When nginx is unavailable (checked w/ curl), the priority is reduced by 20. When proftpd is unavailable (checked with curl), the priority is reduced by 5. When rsync is unavailable (checking with rsync), the priority is reduced by 15.

The Systems Committee should received an email when the nodes swap position.

==== Project synchronization ====

Only potassium-benzoate is configure with merlin. mirror-dc has the software components, but they are probably not update to date nor configured to run correctly.

When a project sync is complete, merlin will kick off a custom script to sync the zfs dataset to the other node. These scripts live in /usr/local/bin and in ~mirror/merlin.

Mirror

2024-12-19T18:35:48Z

Y266shen: /* Mirror Administration */

The [https://csclub.uwaterloo.ca Computer Science Club] runs a public mirror ([http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca]) on [[Machine_List#potassium-benzoate|potassium-benzoate]].

''We are listed on the ResNet "don't count" list, so downloading from our mirror will not count against one's ResNet quota.''

== Software Mirrored ==

A list of current archives (and their respective disk usage) is listed on our mirror's homepage at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

=== Mirroring Requests ===

Requests to mirror a particular distribution or archive should be made to [mailto:syscom@csclub.uwaterloo.ca syscom@csclub.uwaterloo.ca].

== Implementation Details ==

=== Syncing ===

==== Storage ====

All of our projects are stored on an 8x18TB disk raidz2 array (cscmirror0). There is an additional drive acting as a hot-spare.

* <code>/mirror/root/.cscmirror0</code>

Each project is given a filesystem the pool. Symlinks are created <code>/mirror/root</code> to point to the correct pool and file system.

==== Merlin ====
Project synchronization is done by "merlin" which is a Go rewrite of the Python script "merlin" originally written by a2brenna.

The program is stored in <code>~mirror/merlin</code> and is managed by the systemd unit <code>merlin-go.service</code>.

The config file <code>merlin-config.ini</code> contains the list of repositories along with their configurations.

To view the sync status, execute <code>~mirror/merlin/cmd/arthur/arthur status</code>. To force the sync of a project, execute <code>~mirror/merlin/cmd/arthur/arthur sync:PROJECT_NAME</code>.

'''Remark''': For syncing Debian repositories we were [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020998 requested] to use ftpsync which has configs in <code>~mirror/ftpsync</code>.

===== Push Sync =====

Some projects support push syncing via SSH.

We are running a special SSHD instance on mirror.csclub.uwaterloo.ca:22. This instance has been locked down, with the following settings:

* Only SSH key authentication
* Only users of the <code>push</code> group (except <code>mirror</code>) are allowed to connect
* X11 Forwarding, TCP Forwarding, Agent Forwarding, User RC and TTY are disabled
* Users are chrooted to <code>/mirror/merlin</code>

Most projects will connect using the <code>push</code> user. The SSH authorized keys file is located at <code>/home/push/.ssh/authorized_keys</code>. An example entry is:

<pre>
restrict,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="arthur sync:ubuntu >/dev/null 2>/dev/null </dev/null &",from="XXX.XXX.XXX.XXX" ssh-rsa ...
</pre>

==== Sync Scripts ====

Our collection of synchronization scripts are located in <code>~mirror/bin</code>. They currently include:

* <code>csc-sync-apache</code>
* <code>csc-sync-debian</code>
* <code>csc-sync-debian-cd</code>
* <code>csc-sync-gentoo</code>
* <code>csc-sync-ssh</code>
* <code>csc-sync-standard</code>

Most of these scripts take the following parameters:

<code>local_dir rsync_host rsync_dir</code>

=== HTTP(s) ===

We use [https://nginx.org nginx] as our webserver.

==== Index ====

An index of the archives we mirror is available at [http://mirror.csclub.uwaterloo.ca mirror.csclub.uwaterloo.ca].

As of Spring 2023, it is now generated by Hugo.

<code>~mirror/mirror-index/deploy.sh</code> is scheduled in <code>/etc/cron.d/csc-mirror</code> to be run every minute.

The script will first run <code>synctask2project</code>, which pull project synchronization status from Merlin (using merlin's socket), combine sub-projects (for example <code>racket</code> is a combination for two merlin tasks, <code>plt-bundles</code> and <code>racket-installers</code>) and read the size of the project using <code>zfs list -Hp</code>. This Python script then spits out a json file to <code>data/sync.json</code>. Hugo then read the json file and generate the HTML table based on it. The table part is also generated separately into <code>public/project_table/index.html</code>, which can be read by htmx (JS library used on index page) to achieve live reload on sync status. Finally, the generated product of Hugo is copied to mirror root for display by nginx.

Project information is located at <code>synctask2project/config.toml</code> ('''NOT''' the config.toml in the root folder! That's the config for Hugo). Its format is as follows:
<pre class="toml">
merlin_sock = "/path/to/merlin/socket"
zfs_pools = ["mirror_zfs_pool1", "mirror_zfs_pool2"]

[project_name]
# This is supposed to be the short version shown on the website
# Mandatory field
site = "project.site"
# The full URL
# Mandatory field
url = "https://full.project.site"
# We are the upstream or archived project. Don't show sync error or last sync time
# Optional. Default: no
upstream = yes
# If this project contains multiple merlin sync tasks, list them here
# Optional. Default: project_name
merlin-tasks = ["task1", "task2"]

# define more projects below...
</pre>

The mirror-index also supports news. When adding new projects or making modifications, create a markdown file in <code>mirror-index/content/news/</code> to tell the user what was changed. It should be picked up by Hugo automatically on next generation.

On first setup, run <code>setup.sh</code>. When doing development (like change the sass or static files), run <code>build.sh</code> to build assets.

=== FTP ===

<b>UPDATE</b>: We now use vsftpd instead. See /etc/vsftpd.conf for details. Official documentation can be found [https://manpages.debian.org/stable/vsftpd/vsftpd.conf.5.en.html here].

We use [http://www.proftpd.org/ proftpd] (standalone daemon) as our FTP server.

To increase performance, we disable DNS lookups in <code>proftpd.conf</code>:

<pre>UseReverseDNS off
IdentLookups off</pre>
We also limit the amount of CPU/memory resources used (e.g. to minimize [https://en.wikipedia.org/wiki/Globbing Globbing] resources):

<pre>RLimitCPU session 10
RLimitMemory session 4096K</pre>
We allow a maximum of 500 concurrent FTP sessions:

<pre>MaxInstances 500
MaxClients 500</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

=== rsync ===

We use <code>rsyncd</code> (standalone daemon).

We disable compression and checksumming in <code>rsyncd.conf</code>:

<pre>dont compress = *
refuse options = c delete</pre>
The contents of <code>/mirror/root/include/motd.msg</code> are displayed when a user connects.

== Mirror Administration ==

=== Making changes ===
Everything in the <code>~mirror</code> is managed by git (so a monorepo containing all sub-projects like Merlin and mirror-index). To make changes, switch to the mirror user and commit with <code>--author "FirstName LastName <email@csc></code> to show who made the change. Then run <code>git push</code> to push the changes. The remote is using the HTTPS URL, so just enter your CSC credentials.

=== Writing Mirror News & Warning ===
You can add news by putting a Markdown file into <code>~mirror/mirror-index/content/news</code>. A minimal post looks like this:
<pre>
+++
title = "New mirror index page"
date = "2023-05-04"
+++

We've updated the mirror index page to include more detailed synchronization status information.

If you experienced any usability issues due to browser compatibility, please let us know on [syscom@csclub.uwaterloo.ca](syscom@csclub.uwaterloo.ca).
</pre>
You can also put up a big warning on the front page. Just edit <code>~mirror/mirror-index/config.toml</code>:
<pre>
[params]
warning = true
# You can write markdown here
warning_text = "CSC Mirror will be down on Dec 22, 2024 from 7am to 4pm (EST/UTC-5). [More](/news/dec-22-2024-scheduled-downtime/)"
</pre>
And once the warning is over just set warning to be false.

=== Adding a new project ===

# Find the instructions for mirroring the project. Ideally, try to sync directly from the project’s source repository.
#* Note that some projects provide sync scripts, however we generally won’t use them. We will instead use our custom ones.
# Create a zfs filesystem to store the project in:
#*<code>zfs create cscmirror0/$PROJECT_NAME</code>
# Change the folder ownership
#*<code>chown mirror:mirror /mirror/root/.cscmirror0/$PROJECT_NAME</code>
# Create the symlink in <code>/mirror/root</code>
#*<code>ln -s .cscmirror0/$PROJECT_NAME $PROJECT_NAME</code> ('''NOTE''': The symlink must be relative to the <code>/mirror/root</code> directory. If it isn’t, the symlinks will not work when chrooted)
# Repeat the above steps on mirror-phys. <code>sudo ssh mirror-dc</code> on potassium-benzoate ['''NOTE: This machine is currently unavailable]'''
# Configure the project in merlin (<code>~mirror/merlin/merlin-config.ini</code>)
#* Select the appropriate sync script (typically <code>csc-sync-standard</code>) and supply the appropriate parameters
# Restart merlin: <code>systemctl restart merlin-go</code>
#* This will kick off the initial sync
#* Check <code>~mirror/merlin/log/$PROJECT_NAME</code> for errors, <code>~mirror/merlin/log-$PROTOCOL/$PROJECT_NAME-*.log</code> for transfer progress
# Configure the project in zfssync.yml (<code>~mirror/merlin/zfssync.yml</code>) ['''NOTE: The backup machine is currently unavailable, so this step is not currently needed]'''
# Update the mirror index configuration (<code>~mirror/mirror-index-ng/synctask2project/config.toml</code>)
# Add the project to rsync (<code>/etc/rsyncd.conf</code>)
#* Restart rsync with <code>systemctl restart rsync</code>

If push mirroring is available/required, see [[#Push_Sync|Push Sync]].

=== Rename project ===

# Change project name (title) and local_dir in <code>merlin-config.ini</code>
# Change zfs dataset name
#* <code>zfs rename cscmirror0/OLD_NAME cscmirror0/NEW_NAME</code>
# Reload merlin config
#* <code>systemctl reload merlin-go.service</code>
# Remove old symlink and create new symlink in mirror root
#* <code>rm OLD_DIR</code>
#* <code>ln -s .cscmirror0/NEW_DIR NEW_DIR</code>
# Add a symlink for the old name (in <code>/mirror/root</code>) so that existing users won't be broken by the change
#* <code>ln -s NEW_DIR OLD_DIR</code>
# Update the rsync daemon
#* Edit <code>/etc/rsyncd.conf</code>, adding a new entry for the new name (keep the old name too). Restart with <code>systemctl restart rsync</code>
# Modify index page generator config
#* At <code>~mirror/mirror-index-ng/synctask2project/config.toml</code>
# Update an mirror registrations with the project to ensure the new URLs are used

=== Secondary Mirror ===

The School of Computer Science's CSCF has provided us with a secondary mirror machine located in DC. This will limit the downtime of mirror.csclub in the event of an outage affecting the MC machine room.

As of June 2023, CSCF mirror is down. CSCF is planing to bring it back with new hardware but no ETA.

==== Keepalived ====

Mirror's IP addresses (129.97.134.71 and 2620:101:f000:4901:c5c::f:1055) have been configured has VRRP address on both machines. Keepalived does the monitoring and selecting of the active node.

Potassium-benzoate has higher priority and will typically be the active node. A node's priority is reduced when nginx, proftpd or rsync are not running. Potassium-benzoate starts with a score of 100 and mirror-dc starts with a priority of 90 (higher score wins).

When nginx is unavailable (checked w/ curl), the priority is reduced by 20. When proftpd is unavailable (checked with curl), the priority is reduced by 5. When rsync is unavailable (checking with rsync), the priority is reduced by 15.

The Systems Committee should received an email when the nodes swap position.

==== Project synchronization ====

Only potassium-benzoate is configure with merlin. mirror-dc has the software components, but they are probably not update to date nor configured to run correctly.

When a project sync is complete, merlin will kick off a custom script to sync the zfs dataset to the other node. These scripts live in /usr/local/bin and in ~mirror/merlin.

Machine List

2024-10-22T13:26:24Z

Y266shen: /* phosphoric-acid */

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

''(Redundant active backup coming soon...)''

==== Specs ====

* LXC virtual machine hosted on [[Machine List#phosphoric-acid|phosphoric-acid]]
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [https://www.apache.org/ Apache]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. '''<u>If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.</u>'''

== ''corn-syrup'' ==

Dell PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]
'''Notes'''

* Missing moba IO shield (as of January 2024)

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

'''We strongly discourage running computationally-intensive jobs''' on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
'''Notes'''
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
cyanide is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)], identical in specification to powernap

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

== ''suika'' ==

Suika is an office terminal built from various components donated by our members.

==== Specs ====

* AMD Ryzen 7 2700X
* 2x 8GB DDR4
* 1x Samsung 256GB SSD
* AMD Radeon RX 550 4GB

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
** TODO: this is not the case anymore
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in `/music` on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

= Codey Bot Only =
Ran on CSC Cloud in a separate Cloudstack project. codey-staging, codey-dev, codey-prod.

TODO: migrating from cloudstack

= Syscom Only =

The following systems are only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

==== Specs ====

* (clone of Xylitol)
* 4x 2TB Kingston KC3000 (ZFS Z2 [Sustain 2-failures]) (KIN-SKC3000D2048G)
** Mounted on 2x Startech Dual M.2 PCIE SSD Adapter Cards (STA-PEX8M2E2)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]
*prometheus

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics, on Science Computing Rack 2. NICs are plugged into A1 and A2 on the adjacent rack. Acts as a backup server for many things.

TODO: should replace with another Syscom server when Science Computing clears out the rack (ETA before 09/2024)

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]] (kerberos)

==== Notes ====

* '''TODO: Mega unreliable.''' (Goes down once every few weeks... due to power outages in the PHYS server room)
** It is plugged into a UPS but the UPS has dead batteries.
* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:
** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248
* Physical access to the PHYS server rooms can be acquired by visiting Science Computing in PHYS 2006.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

TODO: "HA"-ish configuration

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

TODO: gone??

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
TODO: Debian 9?

==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
'''Notes'''

* Also used for experimenting new CSC services.

* TODO: use as backup server

==''citric-acid''==
A Dell PowerEdge R815 (TODO: check model) provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 2 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

'''Services'''

* Configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) user.
* [[Plane]], an internal (CSC) project management tool.
* Minio
'''Notes'''

* Being repurposed for Termcom training and development.
* TODO: migrate Vaultwarden (https://pass.csclub.uwaterloo.ca/)??
* UFW opened-ports: SSH, HTTP/HTTPS
* Upgraded to Podman 4.x

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* Cloudstack host
* TODO: cloudstack migration

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD
==== Services ====

* OpenStack block and object storage for csclub.cloud
* ????
'''Notes'''

* TODO: cloudstack migration

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

* load-balancer-01

Was used to experiment the following then-new CSC services:

* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* TODO: ???
** block1.cloud
** object1.cloud
'''Notes'''

* TODO: cloudstack migration
* TODO: ditch... Currently being used to set up NextCloud.

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

'''Notes'''
* TODO: cloudstack migration

==''biloba''==

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558. TODO: rack??

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine
'''Notes'''
* TODO: cloudstack migration

No longer in use:

* caffeine
* mail
* mattermost

= Storage =

==''fs00''==

fs00 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* dual SFP connection to core switch

... TODO

==''fs01''==

fs01 is a '''NetApp FAS3040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====
... TODO

TODO: disconnected??

==''fs10''==

fs10 is a '''NetApp FAS8040''' series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

* FAS8040 (dual heads)
** ... TODO
* 6 DS4324 HDD shelves (24-disks each)
** 24 x 2TB HDDs (assorted brands/models)
** Dual IOM3 controllers.
** Loop 1: bottom 4 shelves
** Loop 2: top 2 shelves + SSD shelf
* 1 DS2246 SSD shelf (TODO: right model?)
** 24 Samsung SM1625 SSDs (MZ-6ER2000/0G3), 200GB (SAS 2, 2.5")

= Other =

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''digital cutter''==

See [[Digital Cutter|here]].

= Decommissioned =

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)
= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

Mail

2024-10-21T19:31:53Z

Y266shen: add instructions on sieve/managesieve

Mail services are currently handled by [[Machine_List#mail|the mail container]] on [[Machine_List#xylitol|xylitol]].

== Reading your mail ==

You can use any user agent that supports maildir locally (mutt, alpine, etc), and any client that supports IMAP either locally or remotely. We also have webmail.

Here are the details:

* maildir
** Location: $HOME/.maildir/

* [[Webmail]]
** URL: https://mail.csclub.uwaterloo.ca/

* POP3
** No longer supported.

* IMAP
** Hostname: mail.csclub.uwaterloo.ca
** Port: 143 (IMAP), 993 (IMAPS)

* SMTP
** Hostname: mail.csclub.uwaterloo.ca
** SSL encryption and authentication required
** Port: 25, 465, or 587

== Mail Filtering ==
Mail filtering allows you to automatically organize mails into different places, like putting potential spam mail into Junk folder, or to put notifications into a separate folder to make your inbox clean.

Mail filtering can be done by writing a sieve script. Traditionally mail filtering is done through procmail, but it's currently being phased out due to its complex syntax and unmaintained state.

The easiest way to do it is to use the Filters setting on our [https://mail.csclub.uwaterloo.ca Webmail]. You can either edit with the GUI, or import a script. A simple script that puts suspected spam into "Junk" and puts syscom emails into "Mailing List" folder looks like this:

<pre>
require ["fileinto"];
# rule:[Spam]
if allof (header :contains "X-Spam-Level" "******")
{
fileinto "Junk";
}
# rule:[Mailing List]
if anyof (header :contains "list-id" "syscom.csclub.uwaterloo.ca", header :contains "list-id" "syscom-alerts.csclub.uwaterloo.ca", header :contains "list-id" "ceo.csclub.uwaterloo.ca")
{
fileinto "Mailing List";
}
</pre>

For more advanced use of sieve check out [https://doc.dovecot.org/2.3/configuration_manual/sieve/examples/ Pigeonhole Sieve examples - Dovecot].

== Mail User Agents ==
Here are instructions on how to access your CSC email using some common Mail User Agents (a.k.a. "email clients").

=== Apple Mail ===
Open the Mail app. On the Menu Bar, click on 'Mail', then 'Add account'.

[[File:Apple_mail_select_account_provider.png|300px]]

Select 'Other mail account', then 'Continue'.

[[File:Apple_mail_add_a_mail_account.png|300px]]

Fill in your real name, your CSC email address (should be watiam_id@csclub.uwaterloo.ca), and your CSC password. Click 'Sign in'.

[[File:Apple_mail_imap_details.png|300px]]

You will get an error saying 'Unable to verify account name or password'. Fill in the details as shown above, then click 'Sign in'.
Make sure to specify your WatIAM username as the username, and use <code>mail.csclub.uwaterloo.ca</code> for the incoming/outgoing
mail servers.

[[File:Apple_mail_select_apps_to_use_with_account.png|300px]]

Finally, check 'Mail', and click 'Done'.

[[File:Apple_mail_mailboxes_button.png|200px]]

If you had an existing Mail account, you will need to click on the 'Mailboxes' button to see your CSC account. There will be a dropdown
button beside 'Inboxes' on the left hand side where you can toggle between different inboxes.

=== Windows Mail ===
<b>Note</b>: Windows Mail can be <i>very</i> slow some times. I have no idea why. If you're looking for a decent email client on Windows, I strongly suggest using Thunderbird or Evolution instead.

Open the Mail app (as of this writing, 2021-04-23, its icon is a blue envelope). Click on 'Accounts' on the left hand side, then click on the '+ Add account' button. Select 'Advanced setup':

[[File:Windows_mail_choose_account_type.PNG|300px]]

Then choose 'Internet email':

[[File:Windows_mail_advanced_setup_type.PNG|300px]]

Here are some of the settings you'll need (replace your username, address, etc.):

[[File:Windows_mail_internet_account_info_1.PNG|400px]]

Here are the rest:

[[File:Windows_mail_internet_account_info_2.PNG|400px]]

Then click 'Sign in'. It may take you a <i>very</i> long time to connect for the first time, especially if Windows is doing one if its dreaded updates in the background. If it's still hanging after a few hours, it might be a good idea to close the window and try again.

Once you're signed in, you should be able to see your CSC account in the Mail app on the left hand side.

=== Gmail (SMTP Relay) ===
It is possible to [https://support.google.com/mail/answer/6304825 link third-party email accounts to Gmail]. Here's one way to do it.

Login to Gmail, go to Settings, and then under 'Accounts and Import', click 'Add another email address'.

[[File:Gmail_settings_accounts_1.png|800px]]

Fill in your real name and CSC email address (should be watiam_id@csclub.uwaterloo.ca). I would suggest unchecking the 'Treat as an alias'
box unless you want your CSC and Gmail addresses to be treated the same. See more info [https://support.google.com/a/answer/1710338 here].

[[File:Gmail_add_another_email_address_you_own.png|600px]]

Fill in your CSC username and password:

[[File:Gmail_add_account_credentials.png|600px]]

Google will send a confirmation email to your CSC address. Either click on the link in the email or enter the confirmation code.

[[File:Gmail_add_address_confirmation.png|600px]]

If you return to Gmail, you should now see your CSC account under your settings. I suggest selecting the 'Reply from the same address the message was sent to'
option.

[[File:Gmail_settings_accounts_2.png|800px]]

Now, if you click on the 'Compose' button on the left hand side, you should be able to select your CSC address as the sender.

[[File:Gmail_choose_sender.png|600px]]

If you want to receive your CSC messages via Gmail, just append your Gmail address to the end of the <code>.forward</code> file in your home directory on the CSC servers (it needs to be on a new line).

=== Outlook Desktop ===

This is probably the world's most powerful email client, but you need to jump through a lot of hoops to setup your CSC email with it. Luckily I've done those for you so just follow these steps:

[[File:Ol1.png|600px]]

Open Outlook and click File at the top left.

[[File:Ol2.png|600px]]

Click Account Settings and then Manage Profiles.

[[File:Ol3.png|600px]]

Click Email accounts...

[[File:Ol4.png|600px]]

Click New...

[[File:Ol5.png|600px]]

Enter your name, CSC email and password. If you have an email alias, don't use your alias, use your QuestID@csclub.uwaterloo.ca email. Click Next >

[[File:Ol6.png|600px]]

It will start searching for your account, this can take a minute or two.

[[File:Ol7.png|600px]]

Once it finishes configuring it you'll get a test email.

[[File:Ol8.png|600px]]

Uncheck Set up Outlook Mobile on my phone (unless you want to), and check Change account settings. Then click Next >

[[File:Ol9.png|600px]]

If you have an email alias, you can now change your email to that in the Email Address field. Don't change your logon info. You can click More Settings to change your mailbox name, or click Finish (setup is complete).

[[File:Ol10.png|600px]]

You can change the name here. That's it. I've provided the other two tabs' configs below just in case anyone (including future me) needs it.

[[File:Ol11.png|600px]]
[[File:Ol12.png|600px]]

=== Gnus ===

Gnus is one of the MUAs built into GNU Emacs. Gnus is very powerful and flexible, and comes with several "backend"s out of the box for reading newsgroups, email, RSS feeds, and more. Over the years people have written many other backends for it as well.

To get started using Gnus for reading your CSC mail over IMAPS, you can start with the following simple configuration based on Gnus's <code>nnimap</code> backend:

<nowiki>
(setq mail-user-agent 'gnus-user-agent
read-mail-command 'gnus
gnus-select-method '(nnnil "")
gnus-secondary-select-methods
'((nnimap "csc"
(nnimap-stream tls)
(nnimap-address "mail.csclub.uwaterloo.ca")
(nnimap-user "abandali"))))</nowiki>

The <code>gnus-secondary-select-methods</code> variable set above is the most important bit.

For reference sake, here's how we can do client-side mail splitting in Gnus: say we want to move all messages with a <code>X-Spam-Flag</code> header of <code>YES</code> to the Junk folder; here's how we tell Gnus to do that:

<nowiki>
(setq gnus-secondary-select-methods
'((nnimap "csc"
(nnimap-stream tls)
(nnimap-address "mail.csclub.uwaterloo.ca")
(nnimap-user "abandali")
(nnimap-inbox "INBOX")
(nnimap-split-methods 'nnimap-split-fancy)
(nnimap-split-fancy
(|
;; move spam to Junk
("X-Spam-Flag" "YES" "Junk")
;; catch-all; leave everything else in inbox
"INBOX")))))</nowiki>

Gnus has a plethora of useful and complex features, and one cat get very fancy with it. But that is left as an exercise for the [https://www.gnu.org/software/emacs/manual/gnus.html interested reader]. :-)

== Technical Details ==

=== Mail Transfer (Incoming) ===

[http://www.postfix.org/ Postfix] is our MTA and runs on mail. Incoming mail is received inbound on smtp/25 or ssmtp/465 and goes through a sequence of filters before being delivered to users.

We are using the following filters for incoming mail, to combat spam and malware:

* zen.spamhaus.org RBL
* Greylisting with rspamd (see below)

These filters reject truckloads of spam, preventing them from reaching your inbox. Greylisting adds a delay to mail delivery from unknown servers, but after a small number of successes they will be auto-whitelisted. If that isn't good enough, ask systems-committee@csclub.uwaterloo.ca to whitelist all mail to your address.

=== Spam filtering ===
Before mail is delivered, it is sent to rspamd for spam checking. rspamd might greylist and/or add headers to the mail. rspamd WON'T reject the mail on its own. It is up to the user's filter to decide what to do based on the spam headers (usually put mails tagged as spam into a folder like Junk).

=== Mail Delivery ===

User mail is delivered by LMTP to dovecot. This is configurable by adding a comma-separated list of destinations in $HOME/.forward. See aliases(5) for more details.

Dovecot, in turn, runs the mail through user's sieve filter script (in $HOME/.maildir/sieve/ with the active filer symlink-ed to $HOME/.maildir/.dovecot.sieve). If no sieve script is found, Dovecot defaults to an internal sieve script, which pipes the mail though procmail to maintain compatibility with existing $HOME/.procmailrc scripts. You can write sieve scripts by hand, or use the graphical editor provided by https://mail.csclub.uwaterloo.ca, under Settings/Filters.

Note that procmail compatibility might be removed in the future.

==== Failures ====

If you are out of quota or another error occurs writing to your home directory, dovecot will deliver your message to /var/mail/$USER on the mail server. If that too fails, the server is probably on fire. The message will be returned to the queue where it will eventually bounce.

==== Sieve/ManageSieve ====
Dovecot also allows editing sieve scripts via ManageSieve protocol on 4190.

==== Forwarding ====

Place the following in $HOME/.forward to keep a local copy of your mail as well as forward it to some other email account. Replace ctdalek with your CSC username, but make sure the backslash stays.

<nowiki>
\ctdalek
calumt@dalek.com</nowiki>

=== Mail Retrieval ===

We run [http://www.dovecot.org Dovecot], an IMAP server. It reads messages from $HOME/.maildir, so if you have procmail deliver your mail elsewhere you will be unable to retrieve your mail using IMAP.

=== Mail Submission (Outgoing) ===

On the mail container, outgoing mail is submitted directly to Postfix via the sendmail(1) wrapper or on submission/587. Submitted mail is then queued for delivery to its destination. The other systems have no MTA and instead run sSMTP, which relays mail through the mail container immediately without any queue or daemon.

[[Category:Software]]

Mail

2024-10-21T19:21:42Z

Y266shen: mail refresh on 2024-10

Mail services are currently handled by [[Machine_List#mail|the mail container]] on [[Machine_List#xylitol|xylitol]].

== Reading your mail ==

You can use any user agent that supports maildir locally (mutt, alpine, etc), and any client that supports IMAP either locally or remotely. We also have webmail.

Here are the details:

* maildir
** Location: $HOME/.maildir/

* [[Webmail]]
** URL: https://mail.csclub.uwaterloo.ca/

* POP3
** No longer supported.

* IMAP
** Hostname: mail.csclub.uwaterloo.ca
** Port: 143 (IMAP), 993 (IMAPS)

* SMTP
** Hostname: mail.csclub.uwaterloo.ca
** SSL encryption and authentication required
** Port: 25, 465, or 587

== Mail User Agents ==
Here are instructions on how to access your CSC email using some common Mail User Agents (a.k.a. "email clients").

=== Apple Mail ===
Open the Mail app. On the Menu Bar, click on 'Mail', then 'Add account'.

[[File:Apple_mail_select_account_provider.png|300px]]

Select 'Other mail account', then 'Continue'.

[[File:Apple_mail_add_a_mail_account.png|300px]]

Fill in your real name, your CSC email address (should be watiam_id@csclub.uwaterloo.ca), and your CSC password. Click 'Sign in'.

[[File:Apple_mail_imap_details.png|300px]]

You will get an error saying 'Unable to verify account name or password'. Fill in the details as shown above, then click 'Sign in'.
Make sure to specify your WatIAM username as the username, and use <code>mail.csclub.uwaterloo.ca</code> for the incoming/outgoing
mail servers.

[[File:Apple_mail_select_apps_to_use_with_account.png|300px]]

Finally, check 'Mail', and click 'Done'.

[[File:Apple_mail_mailboxes_button.png|200px]]

If you had an existing Mail account, you will need to click on the 'Mailboxes' button to see your CSC account. There will be a dropdown
button beside 'Inboxes' on the left hand side where you can toggle between different inboxes.

=== Windows Mail ===
<b>Note</b>: Windows Mail can be <i>very</i> slow some times. I have no idea why. If you're looking for a decent email client on Windows, I strongly suggest using Thunderbird or Evolution instead.

Open the Mail app (as of this writing, 2021-04-23, its icon is a blue envelope). Click on 'Accounts' on the left hand side, then click on the '+ Add account' button. Select 'Advanced setup':

[[File:Windows_mail_choose_account_type.PNG|300px]]

Then choose 'Internet email':

[[File:Windows_mail_advanced_setup_type.PNG|300px]]

Here are some of the settings you'll need (replace your username, address, etc.):

[[File:Windows_mail_internet_account_info_1.PNG|400px]]

Here are the rest:

[[File:Windows_mail_internet_account_info_2.PNG|400px]]

Then click 'Sign in'. It may take you a <i>very</i> long time to connect for the first time, especially if Windows is doing one if its dreaded updates in the background. If it's still hanging after a few hours, it might be a good idea to close the window and try again.

Once you're signed in, you should be able to see your CSC account in the Mail app on the left hand side.

=== Gmail (SMTP Relay) ===
It is possible to [https://support.google.com/mail/answer/6304825 link third-party email accounts to Gmail]. Here's one way to do it.

Login to Gmail, go to Settings, and then under 'Accounts and Import', click 'Add another email address'.

[[File:Gmail_settings_accounts_1.png|800px]]

Fill in your real name and CSC email address (should be watiam_id@csclub.uwaterloo.ca). I would suggest unchecking the 'Treat as an alias'
box unless you want your CSC and Gmail addresses to be treated the same. See more info [https://support.google.com/a/answer/1710338 here].

[[File:Gmail_add_another_email_address_you_own.png|600px]]

Fill in your CSC username and password:

[[File:Gmail_add_account_credentials.png|600px]]

Google will send a confirmation email to your CSC address. Either click on the link in the email or enter the confirmation code.

[[File:Gmail_add_address_confirmation.png|600px]]

If you return to Gmail, you should now see your CSC account under your settings. I suggest selecting the 'Reply from the same address the message was sent to'
option.

[[File:Gmail_settings_accounts_2.png|800px]]

Now, if you click on the 'Compose' button on the left hand side, you should be able to select your CSC address as the sender.

[[File:Gmail_choose_sender.png|600px]]

If you want to receive your CSC messages via Gmail, just append your Gmail address to the end of the <code>.forward</code> file in your home directory on the CSC servers (it needs to be on a new line).

=== Outlook Desktop ===

This is probably the world's most powerful email client, but you need to jump through a lot of hoops to setup your CSC email with it. Luckily I've done those for you so just follow these steps:

[[File:Ol1.png|600px]]

Open Outlook and click File at the top left.

[[File:Ol2.png|600px]]

Click Account Settings and then Manage Profiles.

[[File:Ol3.png|600px]]

Click Email accounts...

[[File:Ol4.png|600px]]

Click New...

[[File:Ol5.png|600px]]

Enter your name, CSC email and password. If you have an email alias, don't use your alias, use your QuestID@csclub.uwaterloo.ca email. Click Next >

[[File:Ol6.png|600px]]

It will start searching for your account, this can take a minute or two.

[[File:Ol7.png|600px]]

Once it finishes configuring it you'll get a test email.

[[File:Ol8.png|600px]]

Uncheck Set up Outlook Mobile on my phone (unless you want to), and check Change account settings. Then click Next >

[[File:Ol9.png|600px]]

If you have an email alias, you can now change your email to that in the Email Address field. Don't change your logon info. You can click More Settings to change your mailbox name, or click Finish (setup is complete).

[[File:Ol10.png|600px]]

You can change the name here. That's it. I've provided the other two tabs' configs below just in case anyone (including future me) needs it.

[[File:Ol11.png|600px]]
[[File:Ol12.png|600px]]

=== Gnus ===

Gnus is one of the MUAs built into GNU Emacs. Gnus is very powerful and flexible, and comes with several "backend"s out of the box for reading newsgroups, email, RSS feeds, and more. Over the years people have written many other backends for it as well.

To get started using Gnus for reading your CSC mail over IMAPS, you can start with the following simple configuration based on Gnus's <code>nnimap</code> backend:

<nowiki>
(setq mail-user-agent 'gnus-user-agent
read-mail-command 'gnus
gnus-select-method '(nnnil "")
gnus-secondary-select-methods
'((nnimap "csc"
(nnimap-stream tls)
(nnimap-address "mail.csclub.uwaterloo.ca")
(nnimap-user "abandali"))))</nowiki>

The <code>gnus-secondary-select-methods</code> variable set above is the most important bit.

For reference sake, here's how we can do client-side mail splitting in Gnus: say we want to move all messages with a <code>X-Spam-Flag</code> header of <code>YES</code> to the Junk folder; here's how we tell Gnus to do that:

<nowiki>
(setq gnus-secondary-select-methods
'((nnimap "csc"
(nnimap-stream tls)
(nnimap-address "mail.csclub.uwaterloo.ca")
(nnimap-user "abandali")
(nnimap-inbox "INBOX")
(nnimap-split-methods 'nnimap-split-fancy)
(nnimap-split-fancy
(|
;; move spam to Junk
("X-Spam-Flag" "YES" "Junk")
;; catch-all; leave everything else in inbox
"INBOX")))))</nowiki>

Gnus has a plethora of useful and complex features, and one cat get very fancy with it. But that is left as an exercise for the [https://www.gnu.org/software/emacs/manual/gnus.html interested reader]. :-)

== Spamfiltering ==

SpamAssassin is run on all incoming mail, but no action is taken based on the results. The results are appended to the headers of the email, so you can take action on it. We are running a shared Bayesian learner for all users' email, so there stands a chance of you not receiving legitimate mails due to false positives.

To use your own Bayesian learner instead of the site-wide one, simply add the following to <code>~/.spamassassin/user_prefs</code>:
<pre>
bayes_path ~/.spamassassin/bayes
bayes_auto_learn 1
</pre>
Alternatively, to disable Bayesian tests altogether:
<pre>
use_bayes 0
</pre>

You can configure procmail (the application that postfix calls to deliver any mail that it received to the user that it was sent to) to place a message in a special folder and/or delete it based on its spam score and/or whether it got flagged as spam or not. In order to do this, you need to configure procmail via .procmailrc in your home directory. An example such .procmailrc is below (adapted from [https://wiki2.dovecot.org/procmail here]):

<nowiki>
SHELL="/bin/bash"
DELIVER="/usr/lib/dovecot/deliver -d $LOGNAME"
DEFAULT="$HOME/.maildir/"
MAILDIR="$HOME/.maildir/"
LOGFILE=$MAILDIR/procmail.log
LOGABSTRACT=all
VERBOSE=off

# send spam to Trash folder
:0 w
* ^X-Spam-Status: Yes
| $DELIVER -m Trash</nowiki>

The folder to which the messages are sent must exist first. To create a new IMAP folder in the Roundcube web client, click on the gear icon in the lower left corner.

== Technical Details ==

=== Mail Transfer (Incoming) ===

[http://www.postfix.org/ Postfix] is our MTA and runs on mail. Incoming mail is received inbound on smtp/25 or ssmtp/465 and goes through a sequence of filters before being delivered to users.

We are using the following filters for incoming mail, to combat spam and malware:

* zen.spamhaus.org RBL
* Greylisting with rspamd (see below)

These filters reject truckloads of spam, preventing them from reaching your inbox. Greylisting adds a delay to mail delivery from unknown servers, but after a small number of successes they will be auto-whitelisted. If that isn't good enough, ask systems-committee@csclub.uwaterloo.ca to whitelist all mail to your address.

=== Spam filtering ===
Before mail is delivered, it is sent to rspamd for spam checking. rspamd might greylist and/or add headers to the mail. rspamd WON'T reject the mail on its own. It is up to the user's filter to decide what to do based on the spam headers (usually put mails tagged as spam into a folder like Junk).

=== Mail Delivery ===

User mail is delivered by LMTP to dovecot. This is configurable by adding a comma-separated list of destinations in $HOME/.forward. See aliases(5) for more details.

Dovecot, in turn, runs the mail through user's sieve filter script (in $HOME/.maildir/sieve/ with the active filer symlink-ed to $HOME/.maildir/.dovecot.sieve). If no sieve script is found, Dovecot defaults to an internal sieve script, which pipes the mail though procmail to maintain compatibility with existing $HOME/.procmailrc scripts. You can write sieve scripts by hand, or use the graphical editor provided by https://mail.csclub.uwaterloo.ca, under Settings/Filters.

Note that procmail compatibility might be removed in the future.

==== Failures ====

If you are out of quota or another error occurs writing to your home directory, dovecot will deliver your message to /var/mail/$USER on the mail server. If that too fails, the server is probably on fire. The message will be returned to the queue where it will eventually bounce.

==== Forwarding ====

Place the following in $HOME/.forward to keep a local copy of your mail as well as forward it to some other email account. Replace ctdalek with your CSC username, but make sure the backslash stays.

<nowiki>
\ctdalek
calumt@dalek.com</nowiki>

=== Mail Retrieval ===

We run [http://www.dovecot.org Dovecot], an IMAP server. It reads messages from $HOME/.maildir, so if you have procmail deliver your mail elsewhere you will be unable to retrieve your mail using IMAP.

=== Mail Submission (Outgoing) ===

On the mail container, outgoing mail is submitted directly to Postfix via the sendmail(1) wrapper or on submission/587. Submitted mail is then queued for delivery to its destination. The other systems have no MTA and instead run sSMTP, which relays mail through the mail container immediately without any queue or daemon.

[[Category:Software]]

Past Executive

2024-10-15T14:25:51Z

Y266shen: split current positions and historical positions

Data sources for this exec list have been: CSC records, MathNEWS.
According to the warrior wiki dudes, there was an article about the CSC being founded in the chevron: ''This week on campus''. The Chevron. January 5 1968. Page 16. -- somebody should get a copy of that.

= Definitions =
#define PR President
#define VP Vice-president
#define TR Treasurer
#define SE Secretary
#define AV Assistant Vice-president
#define SA Sysadmin
#define OF Office Manager
#define LI Librarian
#define WW Webmaster

#ifdef __HISTORICAL__
#define FL Flasher
#define DE Deity
#define SE-TR Secretary-Treasurer (Position was split)
#define FR Fridge Regent (IMAPd)
#endif /* __HISTORICAL__ */

<div style="float:right;margin-left: 1em;">__TOC__</div>

=Founding 1967=

Sponsor - J. Peter Sprung
PR: K. Rugger
VP: R. Jaques
SE-TR: G. Sutherland

Founding Members:
B. Kindree
R. Melen
V. Neglia
R. Charney
R. Truman
Glenn Berry
D. Meek

===Fall===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

Committee members: R. Stallwerthy, C. de Vries

=1968=

===Winter===

PR: Bill Kindred
VP: Rick Jacques
SE-TR: Graham Sutherland

===Fall===

SE-TR: Glenn Berry

=1969=

Unknown, only one letter found in the folder 'ACM History' addressed to Glenn Berry, which makes it likely that he was SE-TR once again. May be indicated in membership lists. The club appears to have died this academic year.

=1970=

===A note on ACM affiliation===

The first attempt at joining the ACM was started with an informal inquiry Dec 5, 1967. This lead to a series of constitution edits (working towards affiliation) in Winter 1968. There was a break for the spring (no correspondence found, I presume we were waiting on a reply). In the fall records indicate that our constitution and chartering was rejected, further correspondence was sent in Fall 1968 by Glenn Berry. A new inquiry, seemingly unaware of the first was sent Dec 7, 1970

===Fall===

PR: Rick Beach
VP: Lee Santon
TR: Randy Melen
SE: Vic Neglia

=1971=

===Spring===

VP: James H. "Jim" Finch and James W. Welch both signed letters as VP.

===Fall===

VP: James W. Welch

=1972=

It appears we visited Western and Western visited us this year (there is some reference to a similar occurrence the year previous). Documents from 1973 indicate a termly exec structure, this probably goes back to 1972.

===Winter===

PR: Mike Campbell
VP: Edgar Hew
SE-TR: Doug Lacy

There is also stuff from James W. Welch without a position.

===Fall===

PR: Ian McIntosh

=1973=

Faculty Sponsor: Morven Gentleman

===Winter===

SE: Douglas E. Lacy

===Spring===

PR: Jim Parry

===Fall===

PR: Jim Parry
VP: Ray Walden
TR: Slavko Stemberger
SE: Mario Festival

=1974=

===Fall===

PR: Russell Crook

=1975-1977=

Faculty Sponsor: Morven Gentleman??

Peter Raynham reports (first hand account): president for at least 2 or 3 terms in this period.
Sylvia Eng: 1975/6 as some position.
Dave Buckingham: a VP at some point
Allison Nolan: 1977 time
Peter Stevens: 1977
Russel Crook???

Dennis Ritchie came. So did Jeffrey D. Ullman.

=1976=

===Fall===
<code>Progcom: Peter Stevens</code>

=1977=

===Winter===

Progcom: Allison Nowlan

===Spring===

PR: Peter Stevens
Progcom: Allison Nowlan

===Fall===

PR: Andrzej Jan Taramina
Progcom: Allison Nowlan

=1978=

===Winter===

PR: Peter Stevens

===Spring===

TR: K.G. Dykes
SE: Kandry Mutheardy

Brian Kernighan gave a talk this term. So did Ken Thompson.

=1979=

===Spring===

PR: Robert Biddle
=1987=

===Fall===

PR: Jim Boritz
VP: Ted Timar
TR: Gayla Boritz
SE: Edwin Hoogerbeets

=1988=

Tim Timar - cc'd on memos/mentioned on mathsoc minutes in 1987/88.
The Sysadmin and Office Manager positions seem to have been created somewhere in here. The 'Record Management Profile' that Rob*n Stewart did as an assignment in 1991-1992 for some class at UBC
indicates the existence of both positions. We acquired an HP-9000 in the summer of 1988 and as this was our first "real" computer (previously we had an IBM PC and terminal), the sysadmin position was created, starting with the Fall 1988 term.

===Winter===
PR: Jim Boritz
(Source: https://csclub.uwaterloo.ca/misc/procedure.pdf)

===Fall===

SA: Wade Richards

=1989=

===Winter===

https://mirror.csclub.uwaterloo.ca/csclub/bill-gates-1989-big.jpg

Left to right: Jim Boritz (bottom), Wade Richards (top), Ted Timar, ???, Keven Smith, Bill Gates (not exec), Angela Chambers, Ross Ridge (top), Sean Goggin (bottom), ???

PR: Barry W. Smith
VP: Angela Chambers
SE: Sean Goggin
SA: Wade Richards / Ross Ridge

(President Kevin Smith confirmed: https://csclub.uwaterloo.ca/misc/procedure.pdf)

===Spring===

PR: Jim Thornton
VP: Gayla Boritz
TR: David Fenger
SE: Kivi Shapiro
SA: Reid Pinchback

Assistance to sysadmin: Jim Boritz.

===Fall===

PR: James Boritz
VP: Edmond Bourne
SA: Ross Ridge

=1990=

===Winter===

TR: Jim Thornton

===Spring===

TR: Karen Smith
SE: Rob*n Stewart
Robyn/Robin signed her emails as Rob*n and requested to be listed as such on this page.

===Fall===
PR: Wade Richards
TR: Carolyn Duke
SE: Rob*n Stewart - attended mathsoc meeting on our behalf.
Kivi Shapiro - attended mathsoc meeting on our behalf.
- Censured by mathsoc for his actions during the election.
Shannon Mann - attended mathsoc meeting on our behalf.

=1991=

===Winter===
VP: Edmond Bourne
TR: Carolyn Duke
SE: Rob*n Stewart
Shannon Mann - attended mathsoc meeting on our behalf.

John McCarthy came this term.

===Spring===
TR: Rob Leitman
Jason Knell - attended mathsoc meeting on our and PMC's behalf.

===Fall===
TR: Mike Van Lingen
Wiktor Wiewiorowski - attended mathsoc meeting on our behalf this term.
=1992=

===Winter===
TR: Norm Ross
SE: Brent Williams

===Spring===
PR: Dale Wick
TR: Stephen A. Mills

===Fall===
TR: Mark Plumb
=1993=

===Winter===
TR: Rob Leitman
VP: Tim Prime
OF: Dave Ebbo
LI: Norm Ross

Other exec for this term: Ellen Hsiang, Sam Coulombe, Peter Gray

===Spring===
TR: Mark Tompsett

===Fall===

PR: Ian Goldberg

=1994=

===Winter===
PR: Ian Goldberg
TR: Mark Tompsett
SE: Tom Rathbourne
LI: Michael Van Biesbrouck
Norm Ross assisted with finances.

===Spring===
PR: Dale Wick (?)
TR: Steve Mills
SA: Ian Goldberg (?)
Norm Ross assisted with finances.

===Fall===
PR: Ross Ridge
VP: Tom Rathbourne (?)
TR: Rob Leitman
SA: Zygo Blaxell
LI: Michael Van Biesbrouck
=1995=

===Winter===
TR: Sharlene Schmeichel
Amy Brown and Rob Ridge purchased books.

===Spring===
TR: Steve Mills

===Fall===
PR: Amy Brown (arbrown)
VP: Christina Norman (cbnorman)
TR: Steven Mills (samills)
SE: Allyson Graham (akgraham)
SA: Gavin Peters
=1996=

===Winter===
PR: Nikita Borisov (nborisov)
VP: Joseph Deu Ngoc (dtdeungo)
TR: Stephen Mills (samills)
SE: Sharlene Schmeichel (saschmei)
SA: Dave Brown (dagbrown)
OF: Somsack Tsai (stsai)
LI: Devin Carless (dccarles)
FL: Allyson Graham (akgraham)
DE: Ian Goldberg (iagoldbe)

===Spring===
PR: Blake Winton (bwinton)
VP: Nick Harvey (njaharve)
TR: Nikita Borisov (nborisov)
SE: Viet-Trung Luu (vluu)
SA: Drew Hamilton (awhamilt)
OF: Jillian Arnott (jarnott)
LI: Ross Ridge (rridge)
FL: Devin Carless (dccarles)

=== Fall ===
PR: Shannon Mann (sjbmann)
VP: Joe "Frosh" Deu Ngoc (jtdeungo) resigned (heavy workload)
TR: Michal Van Biesbrouck (mlvanbie)
SE: Nikita Borisov (nborisov)
SA: Chris Rovers
OF: Dax Hutcheon (ddhutche) became VP upon jtduengo's resignation
LI: Aliz Csenki (acsenki)
FL: Aaron Chmielowiec (archmiel)
DE: Skuld (no uwuserid yet...)
=1997=

===Winter===
PR: Dima Brodsky
VP: Nikita Borisov (nborisov)
TR: Stephen Mills (samills)
SE: Evan Jones (ejones)
SA: Alex Brodsky
OF: Chris Doherty
LI: Matt Corks
FL: Paul Prescod

=== Fall ===
PR: Chris Rovers (cdrovers)
VP: Michael van Biesbrouck (mlvanbie)
TR: Somsack Tsai (stsai)
SE: Matt Corks (mvcorks)
SA: Lennart Sorensen (lsorense)
LI: Chmielowiec (archmiel)
OF: Devin Carless (dccarles)
FL: Aaron Chmielowiec (archmiel)
= 1998 =

=== Winter ===
PR: Suresh Naidu
VP: Viet-Trung Luu
TR: Tim Coleman
SE: Dax Hutcheon
LI: Dax Hutcheon
Flasher: Dax Hutcheon
WW: Dax Hutcheon
SA: Robin Powell
OF: Aaron Chmielowiec

=== Spring ===

Position Name You might call them...
President roconnor Russell O'Connor
Vice-president trwcolem Tim Coleman
Treasurer knzarysk Karl Zaryski
Secretary (bwinton) (Blake Winton)
Sysadmin wbiggs Billy Biggs
Librarian snaidu Suresh Naidu
Flasher pechrysl Paul Chrysler
Office Manager dccarles Devin Carless
WWWW trwcolem Tim Coleman

=== Fall ===

President Joe Deu Ngoc jtdeungo
Vice-President Wai Ling Yee wlyee
Treasurer Fjord j2lynn
Secretary Matt Corks mvcorks
Sysadmin Andrew Hamilton awhamilt

World Wide Web Wench Dax Hutcheon ddhutche
Office Manager Richard Bell rlbell
Librarian Damian Gryski dgryski
Flasher Paul Chrysler pechrysl
Official Deity Ian Goldberg iagoldbe
Official Chairbeing Calum T. Dalek calum
=1999=

=== Winter ===
PR: geduggan
=2000=

=== Winter ===
PR: Will Chartrand (wgchartr)
VP: Gavin Duggan (geduggan)
SA: Lennart Sorensen (lsorense)

=== Fall ===
PR: geduggan
SA: bioster
=2001=

=== Winter ===
PR: geduggan

=== Spring ===
PR: geduggan

=2002=

https://web.archive.org/web/20130715012002/http://www.mathnews.uwaterloo.ca/Issues/mn8902/cscflash.php

=== Winter ===
PR: Billy Biggs
VP: Stefanus Du Toit
TR: Melissa Basinger
SE: James Perry
SA: Barry Genova
LI: Ryan Golbeck
WW: Jonathan Beverley
Office Manager: Sayan Li

=== Spring ===
PR: Alex Pop
VP: Melissa Basinger
TR: Siyan Li
SE: James A Morrison
SA: Jonathan Beverley
WW: Stefanus Du Toit

=== Fall ===
PR: James A. Morrison
VP: Stefanus Du Toit
TR: James Perry
SE: Michael Biggs
SA: Ryan Golbeck
LI: Mark Sherry, Cassandra Schopf
WW: Stefanus Du Toit
=2003=

=== Winter ===
PR: Kannan Vijayan (kvijayan)
VP: Meg Darragh (m2darrag)
TR: James Perry (jeperry)
SE: Wojciech Kosnik (wkosnik)
SA: Stefanus Du Toit (sjdutoit)
LI: Simon Law (sfllaw)
WM: Julie Lavoie (jlavoie)

===Fall===
PR: Stefanus Du Toit (sjdutoit)
VP: Meg Darragh (m2darrag)
TR: Tor Myklebust (tmyklebu)
SE: James Perry (jeperry)
SA: Simon Law (sfllaw)
=2004=

===Winter===
PR: Simon Law (sfllaw)
VP: fspacek
TR: ljain
SE: Julie Lavoie (jlavoie)
SA: Tor Myklebust(tmyklebu)

===Spring===
PR: dnmorton ?
VP: Tim Loach (tloach)
TR: Michael Biggs (mbiggs)
SE: Lesley Northam (lanortha)

===Fall ===
PR: jeperry
VP: mtsay
TR: Mark Sherry (mdsherry)
SE: Tor Myklebust (tmyklebu)
SA: jlavoie
=2005=

===Winter===

PR: mtsay
VP: Lesley Northam (lanortha)
TR: Holden Karau (hkarau)
SE: domorton
SA: Tor Myklebust (tmyklebu)

===Spring===

PR: Mark Sherry (mdsherry)
VP: Martin Kess (mdkess)
TR: Ali Piccioni (apiccion)
SE: Michael Biggs (mbiggs)
SA: Tor Myklebust (tmyklebu)

===Fall===

PR: Tim Loach (tloach)
VP: Lesley Northam (lanortha)
TR: Caelyn McAulay (cmcaulay)
SE: The Professor
SA: Holden Karau (hkarau)
=2006=

===Winter===

PR: Tor Myklebust (tmyklebu)
VP: Michael Druker (mdruker)
TR: Caelyn McAulay (cmcaulay)
SE: Mark Sherry (mdsherry)
SA: William O'Connor (woconnor)

===Spring===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: David Tenty (daltenty)
SE: Chris Evensen (cevensen)
SA: Holden Karau (hkarau)

===Fall===

PR: Martin Kess (mdkess)
VP: Mark Sherry (mdsherry)
TR: Sylvan L. Mably (slmably)
SE: Caelyn McAulay (cmcaulay)
SA: William O'Connor (woconnor)
=2007=

===Winter===
PR: David Bartley (dtbartle)
VP: David Belanger (dbelange)
TR: Caelyn McAulay (cmcaulay)
SE: David Tenty (daltenty)
SA: Holden Karau (hkarau)
WW: jnopporn

===Spring===
PR: Gaelan D'costa (gdcosta)
VP: Kyle Larose (kmlarose)
TR: Kyle Spaans (kspaans)
SE: Erik Louie (elouie)
SA: Michael Spang (mspang)
LI: David Tenty (daltenty)

===Fall ===
PR: Holden Karau (hkarau)
VP: Alex McCausland (amccausl)
TR: Dominik Chlobowski (dchlobow)
SE: Sean Cumming (sgcummin)
SA: David Tenty (daltenty)
WW: dtbartle / jnopporn
=2008=

===Winter ===
PR: Sean Cumming (sgcummin)
VP: Matt Lawrence (m3lawren)
TR: Mateusz Tarkowski (mtarkows)
SE: Edgar Bering (ebering)
SA: Jordan Saunders (jmsaunde)

===Summer ===
PR: Brennan Taylor (b4taylor)
VP: Qifan Xi (qxi)
TR: Matt Lawrence (m3lawren)
SE: Nick Guenther (nguenthe)

===Fall ===
PR: Matthew Lawrence (m3lawren)
VP: Edgar Bering (ebering)
TR: Michael Gregson (mgregson)
SE: James Simpson (j2simpso) resigned for medical reasons, replaced by Dominik 'Domo' Chłobowski
SA: Kyle Spaans (kspaans)
=2009=

===Winter===
PR: Michael Gregson (mgregson)
VP: Edgar Bering (ebering)
TR: Brennan Taylor (b4taylor)
SE: James Simpson (j2simpso) resigned for business reasons, replaced by Rebecca Putinski (rjputins)
SA: Jacob Parker (j3parker)
OF: XinChi Yang / Sapphyre Gervais (x23yang / sagervai) (both)

===Spring ===
PR: Michael Spang (mspang)
VP: Jacob Parker (j3parker)
TR: Sapphyre Gervais (sagervai)
SE: Matthew McPherrin (mimcpher)
SA: Anthony Brennan (a2brenna)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Michael Spang (mspang)
SE: Brennan Taylor (b4taylor)
SA: Michael Ellis (m2ellis)
OF: Rebecca Putinski (rjputins)
=2010=

===Winter===
PR: Kyle Spaans (kspaans)
VP: Edgar Bering (ebering)
TR: Sapphyre Gervais (sagervai)
SE: Ajnu Jacob (ajacob)
SA: Matthew Thiffault (mthiffau)
OF: Jacob Parker (j3parker)
Keyed office staffers: j3camero, jdonland, m2ellis, mimcpher, nsasherr

===Spring===
PR: Jeff Cameron (j3camero)
VP: Brennan Taylor (b4taylor)
TR: Vardhan Mudunuru (vmudunur)
SE: Matthew Lawrence (m3lawren)
SA: Michael Ellis (m2ellis)
OF: Edgar Bering (ebering)

===Fall===
PR: Jacob Parker (j3parker)
VP: Edgar Bering (ebering)
TR: Rebecca Putinski (rjputins)
SE: Kyle Spaans (kspaans)
SA: Jeremy Roman (jbroman)
OF: Amir Sayed Khader (askhader)
=2011=

===Winter===
PR: Edgar Bering (ebering)
VP: Jennifer "Emily" Wong (jy2wong)
TR: Kyle Spaans (kspaans)
SE: Elana "Alana" Hashman (ehashman)
SA: Peter "Bofh" Barfuss (pbarfuss)
OF: Marc Burns (Marc Burns)

===Spring===
PR: Matthew Thiffault (mthiffau)
VP: Matthew McPherrin (mimcpher)
TR: Kyle Spaans (kspaans)
SE: Kwame Andrew Ansong (kansong)
SA: Jeremy Brandon Roman (jbroman)
OF: Jennifer "Emily" Wong (jy2wong)

===Fall===
PR: Marc Burns (m4burns)
VP: Katharine Hyatt (kshyatt)
TR: Jacob Parker (j3parker)
SE: Elana Hashman (ehashman)
SA: Anthony "hatguy/hotgay" Brennan (a2brenna)
OF: Kyle Spaans (kspaans)
LI: Edgar Bering (ebering)
=2012=

===Winter===
PR: Marc Burns (m4burns)
VP: Elana Hashman (ehashman)
TR: Jacob Parker (j3parker)
SE: Matthew McPherrin (mimcpher)
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LI: Jennifer "Emily" Wong (jy2wong)

===Summer===
PR: Anthony Brennan (a2brenna)
VP: Luqman Aden (laden)
TR: Matthew McPherrin (mimcpher)
SE: Elana Hashman (ehashman)
SA: Sarah Harvey (sharvey)
OF: Marc Burns (m4burns)
LI: John Ladan (jladan)

===Fall===
PR: Marc Burns (m4burns)
VP: Salem Talha (satalha)
TR: Jennifer Wong (jy2wong)
SE: Elana Hashman (ehashman), resigned
SA: Jeremy Roman (jbroman)
OF: Luqman Aden (laden)
LI: John Ladan (jladan)
=2013=

===Winter===
PR: Anthony Brennan (a2brenna)
VP: Marc Burns (m4burns)
TR: John Mumford (jsmumfor)
SE: Matt Olechnowicz (mgolechn)
SA: Sarah Harvey (sharvey)
OF: Bryan Coutts (b2coutts)
LI: Matthew McPherrin (mimcpher)

===Spring===
PR: Shane Robert Creighton-Young (srcreigh)
VP: Visishta Vijayanand (vvijayan)
TR: Dominik Chlobowski (dchlobow)
SE: Youn Jin Kim (yj7kim)
SA: Anthony Brennan (a2brenna)
OF: Marc Burns (m4burns)
FR: Dominik Chlobowski (dchlobow)

===Fall===
PR: Elana Hashman (ehashman)
VP: Marc Burns (m4burns)
TR: Dominik Chlobowski (dchlobow)
SE: Edward Lee (e45lee)
SA: Jeremy Roman (jbroman)
OF: Alexis Hunt (aechunt)
= 2014 =

=== Winter ===
PR: Bryan Coutts (b2coutts)
VP: Visishta Vijayanand (vvijayan)
TR: Marc Burns (m4burns)
SE: Mark Farrell (m4farrel)
SA: Murphy Berzish (mtrberzi)
OF: Nicholas Black (nablack)

=== Spring ===
PR: Youn Jin Kim (yj7kim)
VP: Luke Franceschini (l3france)
TR: Joseph Chouinard (jchouina)
SE: Ifaz Kabir (ikabir)
SA: Murphy Berzish (mtrberzi)
OF: Matthew Thiffault (mthiffau)

=== Fall ===
PR: Youn Jin Kim (yj7kim)
VP: Theodor Belaire (tbelaire)
TR: Jonathan Jerel Bailey (jj2baile)
SE: Shane Robert Creighton-Young (srcreigh)
SA: Alexis Hunt (aechunt)
OF: Mark Farrell (m4farrel)
LI: Gianni Leonardo Gambetti (glgambet)

= 2015 =

=== Winter ===
PR: Gianni Leonardo Gambetti (glgambet)
VP: Luke Franceschini (l3france)
TR: Edward Lee (e45lee)
SE: Patrick James Melanson (pj2melan)
SA: Murphy Berzish (mtrberzi)
OF: Shikhar Singh (s285sing)
LI: Aishwarya Gupta (a72gupta)
=== Spring ===
PR: Luqman Aden (laden)
VP: Patrick Melanson (pj2melan)
TR: Jonathan Bailey (jj2baile)
SE: Keri Warr (kpwarr)
SA: Nik Black (nablack)
OF: Ilia Chtcherbakov (ischtche)
LI: Yomna Nasser (ynasser)
=== Fall ===
PR: Simone Hu (ss2hu)
VP: Theo Belaire (tbelaire)
TR: Jordan Taylore Upiter (jtupiter)
SE: Daniel Marin (dmarin)
SA: Jordan Xavier Pryde (jxpryde)
OF: Ilia Chtcherbakov (ischtche)
= 2016 =

=== Winter ===
PR: Patrick Melanson (pj2melan)
VP: Patrick Melanson (pj2melan)
Acting VP, progcom chair: Theo Belaire (tbelaire)
TR: Luqman Aden (laden)
SE: Naomi Koo (m3koo)
SA: Zachary Seguin (ztseguin)
OF: Reila Zheng (wy2zheng)
LI: Felix Bauckholt (fbauckho)
FR: Marc Mailhot (mnmailho)

=== Spring ===
PR: Luqman Aden (laden)
VP: Melissa Angelica Mary Tedesco (matedesc)
TR: Jonathan Jerel Bailey (jj2baile)
SE: Aditya Shivam Kothari (askothar)
SA: Jordan Xavier Pryde (jxpryde)
OF: Zachary Seguin (ztseguin)
LI: Charlie Wang (s455wang)
FR: Marc Mailhot (mnmailho)

=== Fall ===
PR: Charlie Wang (s455wang)
VP: Bryan Coutts (b2coutts)
TR: Laura Song (lhsong)
SE: Uday Barar (ubarar)
SA: Zachary Seguin (ztseguin)
OF: Jamie Sinn (j2sinn)
LI: Felix Bauckholt (fbauckho)
FR: Ilia Chtcherbakov (ischtche)

= 2017 =

=== Winter ===
PR: Wilson Cheang (wyschean)
VP: Tristan Hume (tghume)
TR: Jordan Pryde (jxpryde)
SE: Amir Fata (aafata)
SA: Zachary Seguin (ztseguin)
OF: Felix Bauckholt (fbaukcho)
LI: Connor Murphy (cfmurph)
FR: Marc Mailhot (mnmailho)

=== Spring ===

PR: Felix Bauckholt (fbauckho)
VP: Zichuan Wei (z34wei)
TR: Laura Song (lhsong)
SE: Bo Mo (bzmo)
SA: Zachary Seguin (ztseguin)
OF: Uday Barar (ubarar)
LI: Patrick Melanson (pj2melan)
FR: Uday Barar (ubarar)

=== Fall ===

PR: Melissa Tedesco (matedesc)
VP: Victor Brestoiu (vabresto)
TR: Tristan Hume (tghume)
SE: Marc Mailhot (mnmailho)
SA: Jordan Pryde (jxpryde)
OF: Zoë Laing (zlaing)
LI: Felix Bauckholt (fbauckho)
FR: Marc Mailhot (mnmailho)

= 2018 =

=== Winter ===

PR: Patrick Melanson (pj2melan)
VP: Charlie Wang (s455wang)
TR: Ashley Dewiputri Pranajaya (adpranaj)
SE: Arshia Mufti (a2mufti)
SA: Jordan Pryde (jxpryde)
OF: Zoë Laing (zlaing)
LI: Zichuan Wei (z34wei)
FR: Uday Barar (ubarar)

=== Spring ===

PR: Melissa Tedesco (matedesc)
VP: Dhruv Jauhar (djauhar)
TR: Tristan Hume (tghume)
AV: Marc Mailhot (mnmailho)
SA: Jennifer Zhou (c7zou)
OF: Aditya Thakral (a3thakra)
LI: Archer Zhang (z577zhan)
FR: Marc Mailhot (mnmailho)

=== Fall ===

PR: Zichuan Wei (z34wei)
VP: Uday Barar (ubarar)
TR: Alex Tomala (actomala)
AV: Neil Parikh (n3parikh)
SA: Jennifer Zhou (c7zou)
OF: Alexander Zvorygin (azvorygi)
LI: Neil Parikh (n3parikh)
FR:

= 2019 =

=== Winter ===

PR: Marc Mailhot (mnmailho)
VP: Victor Brestoiu (vabresto)
TR: Tristan Hume (tghume)
AV: Aditya Thakral (a3thakra)
SA: Charlie Wang (s455wang)
OF: Archer Zhang (z577zhan)
LI: Rishabh Minocha (rkminoch)
FR: Marc Mailhot (mnmailho)

=== Spring ===

PR: Uday Barar (ubarar)
VP: Rajat Malhotra (r24malho)
TR: Raghav Sethi (r5sethi)
AV: Bo Mo (bzmo)
SA: Charlie Wang (s455wang)
OF: Hannah Wong (sm7wong)
LI: Nolan Munce (nmmunce)

=== Fall ===

PR: Dhruv Jauhar (djauhar)
VP: Aditya Thakral (a3thakra)
TR: Rishabh Minocha (rkminoch)
AV: Tammy Khalaf (tekhalaf)
SA: Murphy Berzish (mtrberzi)
OF: Zihan Zhang (z577zhan)
LI: Raghav Sethi (r5sethi)

= 2020 =

=== Winter ===
The office was closed midway through this term due to the COVID-19 pandemic.

The pandemic that threw the University and rest of the world into disarray drove all CSC activity virtual. Though everyone thought the pandemic would quickly be over, the Alpha, then Delta, then Omicron variants resulted in the majority of classes being held online until February 2022.

As a result, the office would stay closed for a full 5 terms, and only reopen in W2022.

PR: Richard Shi (r27shi)
VP: Anastassia Gaikovaia (agaikova)
TR: Alex Tomala (actomala)
AV: Neil Parikh (n3parikh)
SA: Amin Bandali (abandali)
OF: Alexander Zvorygin (azvorygi)
LI: Anastassia Gaikovaia (agaikova)
FR: Richard Shi (r27shi)

=== Spring ===

PR: Neil Parikh (n3parikh)
VP: Anastassia Gaikovaia (agaikova)
SA: Amin Bandali (abandali)

=== Fall ===

PR: Mokai Xu (m92xu)
VP: Anastassia Gaikovaia (agaikova) (stepped down as of 2020-11-30)
TR: Neil Parikh (n3parikh)
AV: Edwin Yang (e37yang)
SA: Murphy Berzish (mtrberzi)

= 2021 =
In 2021, CSC rapidly expanded the Program Committee, introducing subcommittees including Design, Events, Marketing, Photography, Reps, Discord mods, and Discord bot developers. The website committee also expanded, and the terminal committee was officially repurposed to serve a syscom-in-training role (since the office remained closed and the terminals powered off).

=== Winter ===

PR: Kallen Tu (k4tu)
VP: Gordon Le (g2le)
TR: Neil Parikh (n3parikh)
AV: Nakul Vijhani (nvijhani)
SA: Max Erenberg (merenber)

=== Spring ===

PR: Kallen Tu (k4tu)
VP: Gordon Le (g2le)
TR: Neil Parikh (n3parikh)
AV: Ravindu Angammana (rbangamm)
SA: Max Erenberg (merenber)

=== Fall ===

PR: Dora Su (d43su)
VP: Jason Sang (jzsang)
TR: Yanni Wang (y3859wan)
AV: Anjing Li (a348li)
SA: Max Erenberg (merenber)
Advising: Neil Parikh (n3parikh)

= 2022 =

=== Winter ===

PR: Juthika Hoque (j3hoque)
VP: Eric Huang (e48huang)
TR: Eden Chan (e223chan)
AV: Dina Orucevic (dmorucev)
SA: Raymond Li (r389li)
WW: Amy Wang (a258wang)
OF: Neil Parikh (n3parikh)

=== Spring ===

PR: Eden Chan (e223chan)
VP: Bonnie Peng (b38peng)
TR: Sat Arora (s97arora)
AV: Haley Song (h79song)
SA: Raymond Li (r389li)
WW: Amy Wang (a258wang)
OF: Sat Arora (s97arora)
LI: Santiago Montemayor (smontema) (appointed 2022-06-02)
FR: Sat Arora (s97arora) (appointed 2022-06-23)

=== Fall ===

PR: Amy Wang (a258wang)
VP: Anna Wang (aj2wang)
TR: Simon Zeng (s33zeng)
AV: Mabel Kwok (m23kwok)
SA: Raymond Li (r389li)
WW: Shahan Nedadahandeh (snedadah)
OF: Mark Chen (m375chen) (appointed 2022-09-21)
LI: John Oss (joss) (appointed 2022-10-06)
FR: Mark Chen (m375chen) and Simon Zeng (s33zeng) (appointed 2022-09-21)

= 2023 =

=== Winter ===

PR: Sat Arora (s97arora)
VP: Ivy Lei (ihlei)
TR: Laura Nguyen (l69nguye)
AV: Adele Chen (a332chen)
SA: Leo Shen (y266shen)
WW: Shahan Nedadahandeh (snedadah)
OF: Young Wang (y3285wan)
LI: John Oss (joss)

=== Spring ===

PR: Sat Arora (s97arora)
VP: Joshua Kim (j649kim)
TR: Amy Wang (a258wang)
AV: Andrea Ma (a49ma)
SA: Raymond Li (r389li)
WW: Shahan Nedadahandeh (snedadah)
OF: Sean Zhang (q434zhan)

=== Fall ===

PR: Laura Nguyen (l69nguye)
VP: Amol Venkataraman (avenkata)
TR: Bryan Chen (b28chen)
AV: Amy Wang (a258wang)
SA: Nathan Chung (n4chung)
WW: Darren Lo (dlslo), Richard Shuai (r2shuai)
OF: Ivy Lei (ihlei), Kevin Cui (k8cui)

= 2024 =

=== Winter ===
PR: Ivy Lei (ihlei)
VP: Gordon Lin (g3lin)
TR: Andrea Ma (a49ma)
AV: Saurin Patel (sa23pate)
SA: Nathan Chung (n4chung)
WW: Darren Lo (dlslo), Richard Shuai (r2shuai)
OF: Tiger Ding (t27ding)

=== Spring ===
PR: Gordon Lin (g3lin)
VP: Justin Wang (yw2wang)
TR: Andrea Ma (a49ma)
AV: Sean Zhang (q434zhan)
SA: Nathan Chung (n4chung)
WW: Tejas Srikanth (tcsrikan)
OF: Bryan Wang (b397wang)
=== Fall ===
PR: Iris Liao (a23liao)
VP: Siimar Leen Kaur (s32kaur)
TR: Grace Feng (g27feng)
AV: Ray Cao (r44cao)
SA: Ohm Patel (o32patel)
WW: Tejas Srikanth (tcsrikan)
OF: Ivy Fan-Chiang (qkfanchi)

Music

2024-06-11T02:23:09Z

Y266shen:

Music is run off <code>powernap</code>, since that's the computer with the speakers attached.

Office staff/termcom/syscom permissions are required to play music in the office.

We also have MPD available, however this method is rarely used after 2022. ''kids these days''

==How to play music==

# Run <code>ssh [watid]@powernap.csclub.uwaterloo.ca</code>
# Run <code>bluetoothctl</code>
# Type <code>pairable on</code> and <code>discoverable on</code> into the console to enable pairing and discovery
# Connect to <code>powernap</code> from your device
# Respond yes to all the prompts on the terminal from <code>powernap</code>
# Type <code>trust [device_mac]</code> to automatically allow audio from your device next time
# You should be able to play audio like a normal audio device now

==How to control audio server==
powernap uses PipeWire and can talk to PulseAudio client. To set volume, mute some audio stream, or change output setting, use an office terminal and do:

<pre>
PULSE_SERVER=powernap.csclub.uwaterloo.ca pavucontrol
</pre>

If you're using a Linux laptop then this should work too.

==MPD Controls==
To view the keybindings of ncmpcpp, press F1 while it's running.
The number keys switch between tabs in it.

*1 is current playlist
*2 is browsing files
*3 is search
*4 is browsing the media library
*5 is browsing saved playlists, etc.

You can add your own ''absolutely legitimately obtained'' music by copying them to <code>/music</code> on powernap. Then type <code>u</code> in ncmpcpp to refresh the database.

==Termcom Info==

*We require https://github.com/hrkfdn/mpdas to get scrobbling working as it "official" last.fm integration was removed from mpd in 2013.
**n.b. https://github.com/hrkfdn/mpdas/issues/58
*To control the mixer on other terminals, use <code>PULSE_SERVER=nullsleep pavucontrol</code>
*The official last.fm account credentials are stored in the exec password spot :)

Music

2024-02-18T03:34:11Z

Y266shen:

Music is run off `powernap`, since that's the computer with the speakers attached.

Office staff/termcom/syscom permissions are required to play music in the office.

We also have MPD available, however this method is rarely used after 2022. ''kids these days''

==How to play music==

# Run <code>ssh [watid]@powernap.csclub.uwaterloo.ca</code>
# Run <code>bluetoothctl</code>
# Type <code>pairable on</code> and <code>discoverable on</code> into the console to enable pairing and discovery
# Connect to <code>powernap</code> from your device
# Respond yes to all the prompts on the terminal from <code>powernap</code>
# Type <code>trust [device_mac]</code> to automatically allow audio from your device next time
# You should be able to play audio like a normal audio device now

==MPD Controls==
To view the keybindings of ncmpcpp, press F1 while it's running.
The number keys switch between tabs in it.

*1 is current playlist
*2 is browsing files
*3 is search
*4 is browsing the media library
*5 is browsing saved playlists, etc.

You can add your own ''absolutely legitimately obtained'' music by copying them to <code>/music</code> on powernap. Then type <code>u</code> in ncmpcpp to refresh the database.

==Termcom Info==

*We require https://github.com/hrkfdn/mpdas to get scrobbling working as it "official" last.fm integration was removed from mpd in 2013.
**n.b. https://github.com/hrkfdn/mpdas/issues/58
*To control the mixer on other terminals, use <code>PULSE_SERVER=nullsleep pavucontrol</code>
*The official last.fm account credentials are stored in the exec password spot :)

Machine List

2024-02-07T22:11:23Z

Y266shen: /* Cloud */ add cpu specs

Most of our machines are in the E7, F7, G7 and H7 racks (as of Jan. 2022) in the MC 3015 server room. There is an additional rack in the DC 3558 machine room on the third floor. Our office terminals are in the CSC office, in MC 3036/3037.

= Web Server =
You are highly encouraged to avoid running anything that's not directly related to your CSC webspace on our web server. We have plenty of general-use machines; please use those instead. You can even edit web pages from any other machine--usually the only reason you'd *need* to be on caffeine is for database access.

== ''caffeine'' ==

Caffeine is the Computer Science Club's web server. It serves websites, databases for websites, and a large amount of other services.

==== Specs ====

* currently a virtual machine hosted on phosphoric-acid
** 12 vCPUs
** 32GB of RAM

==== Services ====

* Club and member web sites with [[Apache]]
* [[MySQL]] databases
* [[PostgreSQL]] databases
* [[ceo]] daemon
* mail was migrated to [[#mail|mail]]

= General-Use Servers =

These machines can be used for (nearly) anything you like (though be polite and remember that these are shared machines). Recall that when you signed the Machine Usage Agreement, you promised not to use these machines to generate profit (so no cryptocurrency mining).

For computationally-intensive jobs (CPU/memory bound) we recommend running on high-fructose-corn-syrup, carbonated-water, sorbitol, mannitol, or corn-syrup, listed in roughly decreasing order of available resources. For low-intensity interactive jobs, such as IRC clients, we recommend running on neotame. If you have a long-running computationally intensive job, it's good to nice[https://en.wikipedia.org/wiki/Nice_(Unix)] your process, and possibly let syscom know too.

== ''corn-syrup'' ==

PowerEdge 2950

==== Specs ====

* 2 × Intel Xeon E5405 (2.00 GHz, 4 cores each)
* 32 GB RAM
* eth0 ("Gb0") mac addr 00:24:e8:52:41:27
* eth1 ("Gb1") mac addr 00:24:e8:52:41:29
* IPMI mac addr 00:24:e8:52:41:2b
* 3 × Western-Digital 160GB SATA hard drive (445 GB software RAID0 array)

==== Notes ====

* Use eth0/Gb0 for the mathstudentorgsnet connection
* has ipmi on corn-syrup-ipmi.csclub.uwaterloo.ca.

==== Services ====

* Hosts 1 TB <tt>[[scratch|/scratch]]</tt> and exports via NFS (sec=krb5)

== ''high-fructose-corn-syrup'' ==

High-fructose-corn-syrup (or hfcs) is a large SuperMicro server. It's been in CSC service since April 2012.

==== Specs ====

* 4x AMD Opteron 6272 (2.4 GHz, 16 cores each)
* 192 GB RAM
* Supermicro H8QGi+-F Motherboard Quad 1944-pin Socket [http://csclub.uwaterloo.ca/misc/manuals/motherboard-H8QGI+-F.pdf (Manual)]
* 500 GB Seagate Barracuda
* Supermicro Case Rackmount CSE-748TQ-R1400B 4U [http://csclub.uwaterloo.ca/misc/manuals/SC748.pdf (Manual)]

== ''carbonated-water'' ==

carbonated-water is a Dell R815 provided by CSCF.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* 4x AMD Opteron 6176 processors (2.3 GHz, 12 cores each)
* 128GB RAM

== ''neotame'' ==

neotame is a SuperMicro server funded by MEF. It is the successor to taurine.

We discourage running computationally-intensive jobs on neotame as many users run interactive applications such as IRC clients on it and any significant service degradation will be more likely to affect other users (who will probably notice right away).

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM
* SSH server also listens on ports 21, 22, 53, 80, 81, 443, 8000, 8080 for your convenience.

== ''sorbitol'' ==

sorbitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

== ''mannitol'' ==

mannitol is a SuperMicro server funded by MEF.

==== Specs ====

* 2x Intel Xeon E5-2630 v4 processors (2.2 GHz, 10 cores/20 threads each)
* 64GB RAM

= Office Terminals =

It's possible to SSH into these machines, but we discourage you from trying to use these machines when you're not sitting in front of them. They are bounced at least every time our login manager, lightdm, throws a tantrum (which is several times a day). These are for use inside our physical office.

== ''cyanide'' ==
(Work in progress)

cyanide is a Mac Mini

== ''natural-flavours'' ==

Natural-flavours is an office terminal; it used to be our mirror.

In Fall 2016, it received a major upgrade thanks the MathSoc's Capital Improvement Fund.

==== Specs ====

* Intel Core i7-6700k
* 2x8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
* Cup Holder (DVD drive has power, but not connected to mother board)

==''powernap''==
powernap is a [https://support.apple.com/kb/sp710 Mac Mini (Late 2014)].

=== Spec ===

* Intel i7-4578U (4) @ 3.500GHz
* 16GB RAM
* Intel Iris Graphics 5100
* 256GB On-board SSD

=== Speaker ===
powernap has the office speakers (a pair of nice studio monitors) currently connected to it.

=== Services ===
* MPD for playing music. Only office/termcom/syscom can log into powernap. Use `ncmpcpp` to control MPD.
* Bluetooth audio receiver. Only syscom can control bluetooth pairing. Use `bluetoothctl` to control bluetooth.

Music is located in /music on the office terminals.

= Progcom Only =
The Programme Committee has access to a VM on corn-syrup called 'progcom'. They have sudo rights in this VM so they may install and run their own software inside it. This VM should only be accessible by members of progcom or syscom.

= Syscom Only =

The following systems may only be accessible to members of the [[Systems Committee]] for a variety of reasons; the most common of which being that some of these machines host [[Kerberos]] authentication services for the CSC.

==''xylitol''==

xylitol is a Dell PowerEdge R815 donated by CSCF. It is primarily a container host for services previously hosted on aspartame and dextrose, including munin, rt, mathnews, auth1, and dns1. It was provisioned with the intent to replace both of those hosts.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* Dual AMD Opteron 6176 (2.3 GHz, 48 cores total)
* 128GB RAM
* 500GB volume group on RAID1 SSD (xylitol-mirrored)
* 500ish-GB volume group on RAID10 HDD (xylitol-raidten)

==''auth1''==

Container on [[#xylitol|xylitol]].

==== Services ====

*[[LDAP]] primary
*[[Kerberos]] primary

==''chat''==

Container on [[#xylitol|xylitol]].

==== Services ====

* The Lounge web IRC client (https://chat.csclub.uwaterloo.ca)

==''phosphoric-acid''==

phosphoric-acid is a Dell PowerEdge R815 donated by CSCF and is a clone of xylitol. It may be used to provide redundant cloud services in the future.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* (clone of Xylitol)

==== Services ====

*[[#caffeine|caffeine]]
*[[#coffee|coffee]]

==''coffee''==

Virtual machine running on phosphoric-acid.

==== Services ====

*[[Database#MySQL|MySQL]]
*[[Database#Postgres|Postgres]]

==''cobalamin''==

Dell PowerEdge 2950 donated to us by FEDS. Located in the Science machine room on the first floor of Physics. Will act as a backup server for many things.

==== Specs ====

* 1 × Intel Xeon E5420 (2.50 GHz, 4 cores)
* 16GB RAM
* Broadcom NetworkXtreme II
* 2x73GB Hard Drives, hardware RAID1
** Soon to be 2x1TB in MegaRAID1
*http://www.dell.com/support/home/ca/en/cabsdt1/product-support/servicetag/51TYRG1/configuration

==== Services ====

* Containers: [[#auth2|auth2]]

==== Notes ====

* The network card requires non-free drivers. Be sure to use an installation disc with non-free.

* We have separate IP ranges for cobalamin and its containers because the machine is located in a different building. They are:

** VLAN ID 506 (csc-data1): 129.97.18.16/29; gateway 129.97.18.17; mask 255.255.255.240
** VLAN ID 504 (csc-ipmi): 172.19.5.24/29; gateway 172.19.5.25; mask 255.255.255.248

* For some reason, the keyboard is shit. Try to avoid having to use it. It's doable, but painful. IPMI works now, and then we don't need to bug about physical access so it's better anyway.

==''auth2''==

Container on [[#cobalamin|cobalamin]].

==== Services ====

*[[LDAP]] secondary
*[[Kerberos]] secondary

MAC Address: c2:c0:00:00:00:a2

==''mail''==

mail is the CSC's mail server. It hosts mail delivery, imap(s), smtp(s), and mailman. It is also syscom-only. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[[Mail]] services
* mailman (web interface at [http://mailman.csclub.uwaterloo.ca/])
*[[Webmail]]
*[[ceo]] daemon

==''sodium-benzoate''==

Sodium-benzoate is our previous mirror server, funded by MEF.

It is currently sitting in the office pending repurposing. Will likely become a machine for backups in DC.

==== Specs ====

* Intel Xeon Quad Core E5405 @ 2.00 GHz
* 16GB RAM
* vg0: 228 GB block device behind DELL PERC 6/i (contains root partition)

Space disks are currently in the office underneath maltodextrin.

==''potassium-benzoate''==

potassium-benzoate is our mirror server, funded by MEF.

==== Specs ====

* 36 drive Supermicro chassis (SSG-6048R-E1CR36L)
* 1 x Intel Xeon E5-2630 v3 (8 cores, 2.40 GHz)
* 64 GB (4 x 16GB) of DDR4 (2133Mhz) ECC RAM
* 2 x 1 TB Samsung Evo 850 SSD drives
* 17 x 4 TB Western Digital Gold drives (separate funding from MEF)
* 9 x 18TB Seagate Exos X18 (8 ZFS, Z2,1 hot-spare)
* 10 Gbps SFP+ card (loaned from CSCF)
* 50 Gbps Mellanox QSFP card (from ginkgo; currently unconnected)

==== Network Connections ====

potassium-benzoate has two connections to our network:

* 1 Gbps to our switch (used for management)
* 2 x 10 Gbps (LACP bond) to mc-rt-3015-mso-a (for mirror)

Mirror's bandwidth is limited to 1 Gbps on each of the 4 campus internet links. Mirror's bandwidth is not limited on campus.

==== Services ====

*[[Mirror]]
*[[Talks]] mirror
*[[Debian_Repository|CSClub packages repository]]

==''munin''==

munin is a syscom-only monitoring and accounting machine. It is a [[Virtualization#Linux_Containers|Linux container]] at present.

==== Specs ====

* currently hosted on [[#xylitol|xylitol]]

==== Services ====

*[http://munin.csclub.uwaterloo.ca munin] systems monitoring daemon
==''yerba-mate''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2x75GB 15k drives (RAID 1)

==== Services ====

* test-ipv6 (test-ipv6.csclub.uwaterloo.ca; a test-ipv6.com mirror)
* shibboleth (under development)

Also used for experimenting new CSC services.

==''citric-acid''==
A Dell PowerEdge provided by CSCF to replace [[Machine List#aspartame|aspartame]].

'''Specs'''

* 1 x AMD Opteron 6174 (12 cores, 2.20 GHz)
* 128 GB RAM

*

'''Services'''

* Being configured for [https://pass.uwaterloo.ca pass.uwaterloo.ca], a university-wide password manager hosted by CSC as a demo service for all Nexus (ADFS) users

= Cloud =

These machines are used by [https://cloud.csclub.uwaterloo.ca cloud.csclub.uwaterloo.ca]. The machines themselves are restricted to Syscom only access.

==''chamomile''==

A Dell PowerEdge R815 provided by CSCF.

==== Specs ====

* 4x 2.20GHz 12-core processors (AMD Opteron(tm) Processor 6174)
* 128GB RAM
* 10GbE connection to core router

==== Services ====

* OpenStack primary controller services for csclub.cloud

==''riboflavin''==

A Dell PowerEdge R515 provided by CSCF.

==== Specs ====

* 2x 2.6 GHz 8-core processors (AMD Opteron(tm) Processor 4376 HE)
* 64GB RAM
* 10GbE connection to core router
* 2x 500GB internal SSD
* 12x Seagate 4TB SSHD

==== Services ====

* OpenStack block and object storage for csclub.cloud

==''guayusa''==

A Dell PowerEdge 2950 donated by a CSC member.

==== Specs ====

* 2x 3.00 GHz quad core Intel Xeon 5160
* 32GB RAM
* 2TB PCI-Express Flash SSD
* 2x75GB 15k drives (RAID 1)

==== Services ====

Currently being used to set up NextCloud.

Was used to experiment the following then-new CSC services:

* logstash (testing of logstash)
* load-balancer-01
* cifs (for booting ginkgo from CD)
* caffeine-01 (testing of multi-node caffeine)
* block1.cloud
* object1.cloud

==''ginkgo''==

Supermicro server funded by MEF for CSC web hosting. Locate in MC 3015.

'''01/19/23: IPMI (temporarily) disconnected.'''

==== Specs ====

* 2x Intel Xeon E5-2697 v4 @ 2.30GHz [18 cores each]
* 256GB RAM
* 2 x 1.2 TB SSD (400GB of each for RAID 1)
* 10GbE onboard, 25GbE SFP+ card (also included 50GbE SFP+ card which will probably go in mirror)

==== Services ====

* OpenStack Compute machine

No longer in use:

* controller1.cloud
* db1.cloud
* router1.cloud (NAT for cloud tenant network)
* network1.cloud

==''biloba''==

Supermicro server funded by SLEF for CSC web hosting. Located in DC 3558.

==== Specs ====

* 2x Intel Xeon Gold 6140 @ 2.30GHz [18 cores each]
* 384GB RAM
* 12 3.5" Hot Swap Drive Bays
** 2 x 480 GB SSD
* 10GbE onboard, 10GbE SFP+ card (on loan from CSCF)

==== Services ====

* OpenStack Compute machine

No longer in use:

* caffeine
* mail
* mattermost

= Storage =

==''fs00''==

fs00 is a NetApp FAS3040 series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

==''fs01''==

fs01 is a NetApp FAS3040 series fileserver donated by CSCF.

It is currently being used for testing of a HA NetApp nodes and serving home directories directly from the NetApp filer.

==== Specs ====

= Other =

== ps3 ==
This is just a very wide PS3, the model that supported running Linux natively before it was removed. Firmware was updated to remove this feature, however it can still be done via. homebrew.

'''Specs'''

* It's a PS3.

'''2022-10-24''' - Thermal paste replaced + firmware updated to latest supported version, also modded.

==''binaerpilot''==

This is a Gumstix Overo Tide CPU on a Tobi expansion board. It is currently attached to corn-syrup in the machine room and even more currently turned off until someone can figure out what is wrong with it.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''anamanaguchi''==

This is a Gumstix Overo Tide CPU on a Chestnut43 expansion board. It is currently in the hardware drawer in the CSC.

==== Specs ====

* TI OMAP 3530 750Mhz (ARM Cortex-A8)
* 512MB RAM

==''digital cutter''==

See [[Digital Cutter|here]].

==''mathnews''==

[[#xylitol|xylitol]] hosts a systemd-nspawn container which serves as the mathNEWS webserver. It is administered by mathNEWS, as a pilot for providing containers to select groups who have more specialized demands than the general-use infrastructure can meet.

= Decommissioned =

==''aspartame''==

aspartame was a taurine clone donated by CSCF. It was once our primary file server, serving as the gateway interface to space on phlogiston. It also used to host the [[#auth1|auth1]] container, which has been temporarily moved to [[#dextrose|dextrose]]. Decomissioned in March 2021 after refusing to boot following a power outage.

==''psilodump''==

psilodump is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling phlogiston, hosted disk shelves exported as iSCSI block devices.

psilodump was plugged into aspartame. It's still installed but inaccessible.

==''phlogiston''==

phlogiston is a NetApp FAS3000 series fileserver donated by CSCF. It, along with its sibling psilodump, hosted disk shelves exported as iSCSI block devices.

phlogiston is turned off and should remain that way. It is misconfigured to have its drives overlap with those owned by psilodump, and if it is turned on, it will likely cause irreparable data loss.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 10GB RAM

==== Notes from before decommissioning ====

* The lxc files are still present and should not be started up, or else the two copies of auth1 will collide.
* It currently cannot route the 10.0.0.0/8 block to a misconfiguration on the NetApp. This should be fixed at some point.

==''glomag''==

Glomag hosted [[#caffeine|caffeine]]. Decommissioned April 6, 2018.

==== Specs ====

* Intel Xeon X3450 @ 2.67 GHz
* 6 GB RAM
* vg0: 465 GB software RAID1 (contains root partition):
** 750 GB Seagate Barracuda SATA hard drive
** 500 GB Western-Digital Caviar Blue SATA hard drive
* vg1: 596 GB software RAID1 (contains caffeine):
** 2 × 640 GB Western-Digital Caviar Blue SATA hard drive

==== Services ====

* Before its decommissioning, glomag hosted [[#caffeine|caffeine]], [[#mail|mail]], and [[#munin|munin]] as [[Virtualization#Linux_Container|Linux containers]]

==''Lisp machine''==

A Symbolics XL1200 Lisp machine. Donated to a new home when we couldn't get it working.

http://www.globalnerdy.com/2008/12/03/symbolics-xl1200-lisp-machine-free-to-a-good-home/ for some history on this hardware.

==== Specs ====

Currently inoperable due to (at least) a missing console cable.

==''ginseng''==

Ginseng used to be our fileserver, before aspartame and the netapp took over.

==== Specs ====

* Intel Pentium Dual Core E2180
* 8GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/s3000ah_tps_1_1.pdf Intel S3000AHV Motherboard]
* 4 × 640 GB Western-Digital Caviar Blue in [[wikipedia:Nested_RAID_levels#RAID_10_.28RAID_1.2B0.29|RAID 10]] behind a [http://www.3ware.com/products/serial_ata2-9650.asp 3ware 9650SE RAID card].
[[Category:Hardware]]

==''calum''==

Calum used to be our main server and was named after Calum T Dalek. Purchased new by the club in 1994.

==== Specs ====

* SPARCserver 10 (headless SPARCstation 10)

==''paza''==

An iMac G3 that was used as a dumb terminal.

==== Specs ====

* 233Mhz PowerPC 740/750
* 96 MB RAM

==''romana''==

Romana was a BeBox that has been in the CSC's possession since long before BeOS became defunct.

Confirmed on March 19th, 2016 to be fully functional. An SSHv1 compatible client was installed from http://www.abstrakt.ch/be/ and a compatible firewalled daemon was started on Sucrose (living in /root, prefix is /root/ssh-romana). The insecure daemon is to be used a bastion host to jump to hosts only supporting >=SSHv2. The mail daemon on the BeBox has also been configured to send mail through mail.csclub.uwaterloo.ca.

==== Specs ====

* 2 PowerPC based processors
* Stylish Blinken processor-load lights

==''sodium-citrate''==

Sodium-citrate was an SGI O2 machine.

In order to net boot you need to set /proc/sys/net/ipv4/ip_no_pmtu_disc to 1. When the O2 boots, hit F5 at the boot menu and type bootp():.

==== Specs ====
* SGI O2 MIPS processor
* 423 MB (?) RAM
* 2 × 2 GB hard drive

==''acesulfame-potassium''==

An old office terminal.

==== Specs ====
* Intel Pentium 4 2.67GHz
* 1GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/ABIT_VT7.pdf ABIT VT7] Motherboard
* ATI Radeon 7000

==''skynet''==

skynet was a Sun E6500 machine donated by Sanjay Singh. It was never fully set up.

==== Specs ====

* 15 full CPU/memory boards
** 2x UltraSPARC II 464MHz / 8MB Cache Processors
** ??? RAM?
* 1 I/O board (type=???)
** ???x disks?
* 1 CD-ROM drive

*[http://mirror.csclub.uwaterloo.ca/csclub/sun_e6500/ent6k.srvr/ e6500 documentation (hosted on mirror, currently dead link)]
*[http://docs.oracle.com/cd/E19095-01/ent6k.srvr/ e6500 documentation (backup link)]
*[http://www.e6500.com/ e6500]

==''freebsd''==

FreeBSD was a virtual machine with FreeBSD installed.

==== Services ====

* Newer software

==''rainbowdragoneyes''==

Rainbowdragoneyes was our Lemote Fuloong MIPS machine. This machine is aliased to rde.csclub.uwaterloo.ca.

==== Specs ====

* 800MHz MIPS Loongson 2f CPU

==''denardo''==

Due to some instability, general uselessness, and the acquisition of a more powerful SPARC machine from MFCF, denardo was decommissioned in February 2015.

==== Specs ====

* Sun Fire V210
* TI UltraSparc IIIi (Jalapeño)
* 2 GB RAM
* 160 GB RAID array
* ALOM on denardo-alom.csclub can be used to power machine on/off
==''artificial-flavours''==

Artificial-flavours was our secondary (backup services) server. It used to be an office terminal. It was decommissioned in February 2015 and transferred to the ownership of Women in Computer Science (WiCS).

==== Specs ====

* Intel Celeron 3.2GHz
* 2GB RAM
*[http://csclub.uwaterloo.ca/misc/manuals/Biostar_P4M80-M4.pdf Biostar P4M80-M4] Motherboard
* Western-Digital 80 GB ATA hard drive

==''potassium-citrate''==

Potassium-citrate is a dual-processor Alpha machine. It is on extended loan from pbarfuss.

It is temporarily decommissioned pending the reinstallation of a supported operating system (such as OpenBSD).

==== Specs ====
* Alphaserver CS20 (2 833MHz EV68al CPUs)
* 512MB RAM
* 36 GB Seagate SCSI hard drive

==''potassium-nitrate''==

This was a Sun Fire E2900 from a decommissioned MFCF compute cluster. It had a SPARC architecture and ran OpenBSD, unlike many of our other systems which are x86/x86-64 and Linux/Debian. After multiple unsuccessful attempts to boot a modern Linux kernel and possible hardware instability, it was determined to be non-cost-effective and non-effort-effective to put more work into running this machine. The system was reclaimed by MFCF where someone from CS had better luck running a suitable operating system (probably Solaris).

The name is from saltpetre, because sparks.

==== Specs ====

* 24 CPUs
* 90GB main memory
* 400GB scratch disk local storage in /scratch-potassium-nitrate

There is a [[Sun 2900 Strategy Guide|setup guide]] available for this machine.

See also [[Sun 2900]].

==''taurine''==

'''Note: On August 21, 2019, just before 2:30PM EDT, we were informed that taurine caught fire'''. As a result, taurine has been decommissioned as of Fall 2019.

==== Specs ====

* 2 AMD Opteron 2218 CPUs
* 8GB RAM
* 136 GB LVM volume group

==== Services ====

* Virtual machines
* BitlBee IRC instant messaging gateway (localhost only)
*[[ident]] server to maintain high connection cap to freenode
* Runs ssh on ports 21,22,53,80,81,443,8000,8080 for user's convenience.

==''dextrose''==

dextrose was a [[#taurine|taurine]] clone donated by CSCF and was decommissioned in Fall 2019 after being replaced with a more powerful server.

==''sucrose''==

sucrose was a [[#taurine|taurine]] clone donated by CSCF. It was decommissioned in Fall 2019 following multiple hardware failures.

==''goto80''==
'''Note (2022-10-25): This seems to have gone missing or otherwise left our hands.'''

This was small ARM machine we picked up in order to have similar hardware to the Real Time Operating Systems (CS 452) course. It has a [[TS-7800_JTAG|JTAG]] interface. Located was the office on the top shelf above strombola.

==== Specs ====

* 500 MHz Feroceon (ARM926ej-s compatible) processor
* ARMv5TEJ architecture

Use -march=armv5te -mtune=arm926ej-s options to GCC.

For information on the TS-7800's hardware see here:
http://www.embeddedarm.com/products/board-detail.php?product=ts-7800

==''nullsleep''==

nullsleep is an [http://csclub.uwaterloo.ca/misc/manuals/ASRock_ION_330.pdf ASRock ION 330] machine given to us by CSCF and funded by MEF.

It's decommissioned on 2023-03-20 due to repeated unexpected shutdown. Replaced by [[#powernap|powernap]].

==== Specs ====

* Intel® Dual Core Atom™ 330
* 2GB RAM
* NVIDIA® ION™ graphics
* 1x 64GB SanDisk SDSSDP064G SSD
* DVD Burner

==== Speakers ====
Nullsleep has the office speakers (a pair of nice studio monitors) currently connected to it.

==== Services ====
Nullsleep runs MPD for playing music. Control of MPD is available only to users in the "audio" group.
Music is located in /music on the office terminal

== ''bit-shifter'' ==
bit-shifter was an office terminal, decommissioned April 2023 due to extended age. It was upgraded to the same specs as Strombola at an unknown point in time.

==== Specs ====

* Intel Core 2 Quad CPU Q8300
* 4GB RAM
* Nvidia GeForce GT 440
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD
* Jacob Parker's Firewire Card

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

== ''strombola''==
Strombola was an office terminal named after Gordon Strombola. It was retired in April 2023.

==== Specs ====
* Intel Pentium G4600 2 cores @ 3.6Ghz
* 8 GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD

==== Speakers ====
Strombola used to have integrated 5.1 channel sound before we got new speakers and moved audio stuff to nullsleep.

== ''gwem'' ==
gwem was an office terminal that was created because AMD donated a graphics card. It entered CSC service in February 2012.

=== Specs ===

* AMD FX-8150 3.6GHz 8-Core CPU
* 16 GB RAM
* AMD Radeon 6870 HD 1GB GPU
*[http://csclub.uwaterloo.ca/misc/manuals/ga-990fxa-ud7_e.pdf Gigabyte GA-990FXA-UD7] Motherboard
* 1x 64GB SanDisk SDSSDP064G SSD

== ''maltodextrin'' ==
(*specs are outdated at least as of 2023-05-27*)
*[http://csclub.uwaterloo.ca/misc/manuals/motherboard_manual_ga-ep45-ud3l.pdf Gigabyte GA-EP45-UD3L] Motherboard
Maltodextrin was an office terminal. It was upgraded in Spring 2014 after an unidentified failure. Not operational (no video output) as of July 2022.

==== Specs ====

* Intel Core i3-4130 @ 3.40 GHz
* 8GB RAM
* 1x 64GB SanDisk SDSSDP064G SSD
*[http://csclub.uwaterloo.ca/misc/manuals/E8425_H81I_PLUS.pdf ASUS H81-PLUS] Motherboard

==== Services ====

*[http://csclub.uwaterloo.ca/office/webcam Office webcam]

= UPS =

All of the machines in the MC 3015 machine room are connected to one of our UPSs.

All of our UPSs can be monitored via CSCF:

* MC3015-UPS-B2
* mc-3015-e7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced July 2014) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-e7-ups-1&var-Interval=30m)
* mc-3015-f7-ups-1.cs.uwaterloo.ca (rbc55, batteries replaced Feb 2017) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-f7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2010) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-1&var-Interval=30m)
* mc-3015-g7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-g7-ups-2&var-Interval=30m)
* mc-3015-h7-ups-1.cs.uwaterloo.ca (su5000t, batteries replaced 2004) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-1&var-Interval=30m)
* mc-3015-h7-ups-2.cs.uwaterloo.ca (unknown) (https://metrics.cscf.uwaterloo.ca/grafana/dashboard/db/ups-statistics?orgId=1&var-UPS=mc-3015-h7-ups-2&var-Interval=30m)

We will receive email alerts for any issues with the UPS. Their status can be monitored via [[SNMP]].

TODO: Fix labels & verify info is correct & figure out why we can't talk to cacti.

SSL

2023-10-19T18:06:11Z

Y266shen:

== GlobalSign ==

The CSC currently has an SSL Certificate from GlobalSign for *.csclub.uwaterloo.ca provided at no cost to us through IST. GlobalSign likes to take a long time to respond to certificate signing requests (CSR) for wildcard certs, so our CSR really needs to be handed off to IST at least 2 weeks in advance. You can do it sooner – the certificate expiry date will be the old expiry date + 1 year (+ a bonus ) Having an invalid cert for any length of time leads to terrible breakage, followed by terrible workarounds and prolonged problems.

When the certificate is due to expire in a month or two, syscom should (but apparently doesn't always) get an email notification. This will include a renewal link. Otherwise, use the [https://uwaterloo.ca/information-systems-technology/about/organizational-structure/information-security-services/certificate-authority/globalsign-signed-x5093-certificates/self-service-globalsign-ssl-certificates IST-CA self service system]. Please keep a copy of the key, CSR and (once issued) certificate in <tt>/home/sysadmin/certs</tt>. The OpenSSL examples linked there are good to generate a 2048-bit RSA key and a corresponding CSR. It's probably a good idea to change the private key (as it's not that much effort anyways). Just sure your CSR is for <tt>*.csclub.uwaterloo.ca</tt>.

At the self-service portal, these options worked in 2013. If you need IST assistance, [mailto:ist-ca@uwaterloo.ca ist-ca@uwaterloo.ca] is the email address you should contact.
Products: OrganizationSSL
SSL Certificate Type: Wildcard SSL Certificate
Validity Period: 1 year
Are you switching from a Competitor? No, I am not switching
Are you renewing this Certificate? Yes (paste current certificate)
30-day bonus: Yes (why not?)
Add specific Subject Alternative Names (SANs): No (*.csclub.uwaterloo.ca automatically adds csclub.uwaterloo.ca as a SAN)
Enter Certificate Signing Request (CSR): Yes (paste CSR)
Contact Information:
First Name: Computer Science Club
Last Name: Systems Committee
Telephone: +1 519 888 4567 x33870
Email Address: syscom@csclub.uwaterloo.ca

=== Helpful links ===
* [https://support.globalsign.com/ssl/ssl-certificates-installation/generate-csr-openssl How to generate a new CSR and private key]
* [https://uwaterloo.atlassian.net/wiki/spaces/ISTKB/pages/262013183/How+to+obtain+a+new+GlobalSign+certificate+or+renew+an+existing+one How to obtain a new GlobalSign certificate or renew an existing one]
* [https://system.globalsign.com/bm/public/certificate/poporder.do?domain=PAR12271n5w6s27pvg8d92v4150t GlobalSign UWaterloo self-service page]
* [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates GlobalSign intermediate certificate] (needed to create a certificate chain; see below)

=== OpenSSL cheat sheet ===
<ul>
<li>
Generate a new CSR and private key (do this in a new directory):
<pre>
openssl req -out csclub.uwaterloo.ca.csr -new -newkey rsa:2048 -keyout csclub.uwaterloo.ca.key -nodes
</pre>
Enter the following information at the prompts:
<pre>
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Waterloo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Waterloo
Organizational Unit Name (eg, section) []:Computer Science Club
Common Name (e.g. server FQDN or YOUR name) []:*.csclub.uwaterloo.ca
Email Address []:systems-committee@csclub.uwaterloo.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre>
</li>
<li>
View the information inside a CSR:
<pre>
openssl req -noout -text -in csclub.uwaterloo.ca.csr
</pre>
</li>
<li>
View the information inside a private key:
<pre>
openssl pkey -noout -text -in csclub.uwaterloo.ca.key
</pre>
</li>
<li>
View information inside a certificate:
<pre>
openssl x509 -noout -text -in csclub.uwaterloo.ca.crt
</pre>
</li>
</ul>

=== csclub.cloud ===
Once a year, someone from IST will ask us to create a temporary TXT record for csclub.cloud to prove to GlobalSign that we own it. This must be created at the <b>root</b> of the domain. Since this zone is managed dynamically (via the acme.sh script on biloba, see below), we need to freeze the domain and update /var/lib/bind/db.csclub.cloud directly. Here are the steps:
<ol>
<li>Run <code>rndc freeze csclub.cloud</code>.</li>
<li>
Open /var/lib/bind/db.csclub.cloud and add a new TXT record. It'll look something like
<pre>
TXT "_globalsign-domain-verification=blablabla"
</pre>
</li>
<li>
In the same file, make sure to also update the SOA serial number. It should generally be YYYYMMDDNN where NN is a monotonically increasing counter (YYYYMMDD is the current date).
</li>
<li>Run <code>rndc reload</code>.</li>
<li>
Run a DNS query to make sure you can see the TXT record:
<pre>
dig -t txt @dns1 csclub.cloud
dig -t txt @dns2 csclub.cloud
</pre>
</li>
<li>Email back the person from IST and let them know that we created the TXT record.</li>
<li>
Once the certificate has been renewed, delete the TXT record, update the SOA serial number, and run <code>rndc reload</code>.
</li>
<li>Run <code>rndc thaw csclub.cloud</code>.</li>
</ol>

== Certificate Files ==
Let's say you obtain a new certificate for *.csclub.uwaterloo.ca. Here are the files which should be stored in the certs folder:
<ul>
<li>csclub.uwaterloo.ca.key: private key created by openssl</li>
<li>csclub.uwaterloo.ca.csr: certificate signing request created by openssl</li>
<li>order: order number from GlobalSign</li>
<li>csclub.uwaterloo.ca.crt: certificate created by GlobalSign</li>
<li>globalsign-intermediate.crt: intermediate certificate from GlobalSign, obtainable from [https://support.globalsign.com/ca-certificates/intermediate-certificates/organizationssl-intermediate-certificates here]. As of this writing, we use the "OrganizationSSL SHA-256 R3 Intermediate Certificate". Just click the "View in Base64" button and copy the contents.
<ul>
<li>There is an alternative way to get the intermediate certificate: if you run <code>openssl x509 -noout -text -in csclub.uwaterloo.ca.crt</code>, under X509v3 extensions > Authority Information Access, there should be a field called "CA Issuers" which has a URL which looks like http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt. You can download that file and convert it to PEM:
<pre>
wget https://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
openssl x509 -inform der -in gsrsaovsslca2018.crt -out globalsign-intermediate.crt
rm gsrsaovsslca2018.crt
</pre>
</li>
</ul>
</li>
</ul><ul>
<li>csclub.uwaterloo.ca.chain: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.crt globalsign-intermediate.crt > csclub.uwaterloo.ca.chain
</pre>
</li>
<li>csclub.uwaterloo.ca.pem: create this with the following command:
<pre>
cat csclub.uwaterloo.ca.key csclub.uwaterloo.ca.chain > csclub.uwaterloo.ca.pem
chmod 600 csclub.uwaterloo.ca.pem
</pre>
</li>
</ul>

== Certificate Locations ==

Keep a copy of newly generated certificates in /users/sysadmin/certs.

A list of places you'll need to put the new certificate to keep our services running. Private key (if applicable) should be kept next to the certificate with the extension .key.

* caffeine:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* coffee:/etc/ssl/private/csclub.uwaterloo.ca (for PostgreSQL and MariaDB)
* mail:/etc/ssl/private/csclub-wildcard.crt (for Apache, Postfix and Dovecot)
* mailman:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* rt:/etc/ssl/private/csclub-wildcard.crt (for Apache)
* potassium-benzoate:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* phosphoric-acid:/etc/ssl/private/csclub-wildcard-chain.crt (for ceod)
* auth1:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* auth2:/etc/ssl/private/csclub-wildcard.crt (for slapd, make sure to <code>sudo service slapd restart</code>)
* mattermost:/etc/ssl/private/csclub-wildcard.crt (for nginx)
* load-balancer-0(1|2):/etc/ssl/private/csclub.uwaterloo.ca (for haproxy) [temporarily down 2020]
* chat:/etc/ssl/private/csclub-wildcard-chain.crt (for nginx)
* prometheus:/etc/ssl/private/csclub-wildcard-chain.crt (for Apache)
* bigbluebutton:/etc/nginx/ssl/csclub-wildcard-chain.crt (podman container on xylitol)
* icy:/etc/ssl/private/csclub-wildcard.pem (for Icecast)
* chamomile:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* biloba:/etc/ssl/private/cloud.csclub.uwaterloo.ca.chain.crt, /etc/ssl/private/csclub.cloud.chain, /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* nextcloud (nspawn container inside guayusa): /etc/ssl/private/csclub.uwaterloo.ca.chain (for nginx)
* citric-acid (runs vaultwarden): /etc/ssl/private/csclub.uwaterloo.ca.{chain,key}

Some services (e.g. Dovecot, Postfix) prefer to have the certificate chain in one file. Concatenate the appropriate intermediate root to the end of the certificate and store this as csclub-wildcard-chain.crt.

=== More certificate locations ===
We have some SSL certificates which are not used by web servers, but still need to be renewed eventually.

==== Prometheus node exporter ====
All of our Prometheus node exporters are using mTLS via stunnel (every bare-metal host, as well as caffeine, coffee and mail, is running this exporter). The certificates (both client and server) are set to expire in <b>September 2031</b>; before then, create new keypairs in /opt/prometheus/tls, and deploy the new server.crt, node.crt and node.key to /etc/stunnel/tls on all machines. Restart prometheus and all of the node exporters.

==== ADFS ====
See [[ADFS]]. When the university's IdP certificate expires (<b>October 2025</b>), we can just download a new one and restart Apache; when our own certificate expires (<b>July 2031</b>), we need to submit a new form to IST (please do this <i>before</i> the cert expires).

==== Keycloak ====
See [[Keycloak]]. When the saml-passthrough certificate expires (<b>January 2032</b>), you need to create a new keypair in /srv/saml-passthrough on caffeine, and upload the new certificate into the Keycloak UI (IdP settings). When the Keycloak SP certificate expires (<b>December 2031</b>), make sure to create a new keypair and upload it to the Keycloak UI (Realm Settings).

== letsencrypt ==

We support letsencrypt for our virtual hosts with custom domains. We use the <tt>cerbot</tt> from debian repositories with a configuration file at <tt>/etc/letsencrypt/cli.ini</tt>, and a systemd timer to handle renewals.

The setup for a new domain is:

# Become <tt>certbot</tt> on caffine with <tt>sudo -u certbot bash</tt> or similar.
# Run <tt>certbot certonly -c /etc/letsencrypt/cli.ini -d DOMAIN --logs-dir /tmp</tt>. The logs-dir isn't important and is only needed for troubleshooting.
# Set up the Apache site configuration using the example below. (apache config is in /etc/apache2) Note the permanent redirect to https.
# Make sure to commit your changes when you're done.
# Reloading apache config is <tt>sudo systemctl reload apache2</tt>.

<VirtualHost *:80>
ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

#DocumentRoot /users/example/www/
Redirect permanent / https://example.com/

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

<VirtualHost csclub:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLStrictSNIVHostCheck on

ServerName example.com
ServerAlias *.example.com
ServerAdmin example@csclub.uwaterloo.ca

DocumentRoot /users/example/www

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
</VirtualHost>

== acme.sh ==
We are using [https://github.com/acmesh-official/acme.sh acme.sh] for provisioning SSL certificates for some of our *.csclub.cloud domains. It is currently set up under /root/.acme.sh on biloba.

<b>NOTE</b>: acme.sh has a cron job which automatically renews certificates before they expire and reloads NGINX, so you do not have to do anything after issuing and installing a certificate (i.e. "set-and-forget").

=== How to add a new SSL cert for a custom domain on CSC cloud ===
Let's say user <code>ctdalek</code> wants <code>mydomain.com</code> to point to a VM on CSC cloud.
<br>
TLDR:
<pre>
# Obtain the cert.
# If a subdomain was also requested, pass the -d option multiple times, e.g.
# `-d mydomain.com -d sub.mydomain.com`. Make sure the "main" domain is specified first.
acme.sh --issue -d mydomain.com -w /var/www

# Install the cert.
# If a subdomain was also requested, only specify the "main" domain.
acme.sh --install-cert -d mydomain.com \
--key-file /etc/nginx/ceod/member-ssl/mydomain.com.key \
--fullchain-file /etc/nginx/ceod/member-ssl/mydomain.com.chain \
--reloadcmd "/root/bin/reload-nginx.sh"

# Create a vhost file.
# Look at the other files in the same directory for inspiration.
# Make sure the file starts with the username and an underscore, e.g. "ctdalek_",
# because this is how ceod keeps track of the vhosts.
# Make sure to set the custom domain name(s) and paths to the SSL key/cert.
vim /etc/nginx/ceod/member-vhosts/ctdalek_mydomain.com

# Finally, reload NGINX on both biloba and chamomile. The /etc/nginx/ceod directory
# is shared between them.
/root/bin/reload-nginx.sh
</pre>

=== Installation ===
<pre>
cd /opt
git clone --depth 1 https://github.com/acmesh-official/acme.sh
cd acme.sh
./acme.sh --install -m syscom@csclub.uwaterloo.ca
. "/root/.acme.sh/acme.sh.env"
</pre>
<b>Important</b>: If invoking acme.sh from another program, it needs the environment variables set in acme.sh.env. Currently, that is just
<pre>
LE_WORKING_DIR="/root/.acme.sh"
</pre>

For testing purposes, make sure to use the Let's Encrypt test server:
<pre>
acme.sh --set-default-ca --server letsencrypt_test
</pre>

=== NGINX setup ===
<pre>
mkdir -p /var/www/.well-known/acme-challenge
</pre>
Add the following snippet to your default NGINX file (e.g. /etc/nginx/sites-enabled/default):
<pre>
# For Let's Encrypt
location /.well-known/acme-challenge/ {
alias /var/www/.well-known/acme-challenge/;
}
</pre>

Now assuming that biloba has the IP address for *.csclub.cloud, you can test that everything is working:
<pre>
acme.sh --issue -d app.merenber.csclub.cloud -w /var/www
</pre>
To install a certificate after it's been issued:
<pre>
acme.sh --install-cert -d app.merenber.csclub.cloud \
--key-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain \
--reloadcmd "/root/bin/reload-nginx.sh"
</pre>
At this point, you should add your NGINX vhost file which uses that SSL certificate.
<br><br>
To remove a certificate:
<pre>
acme.sh --remove -d app.merenber.csclub.cloud
rm -r /root/.acme.sh/app.merenber.csclub.cloud
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.chain
rm /etc/nginx/ceod/member-ssl/app.merenber.csclub.cloud.key
</pre>
Don't forget to remove the NGINX vhost file too.

Once you think you're ready, use a real ACME provider, e.g.
<pre>
acme.sh --set-default-ca --server letsencrypt
</pre>

Since we have a [https://zerossl.com ZeroSSL] account, and ZeroSSL has no rate limit, we are going to use that instead:
<pre>
acme.sh --register-account --server zerossl \
--eab-kid xxxxxxxxxxxx \
--eab-hmac-key xxxxxxxxx
acme.sh --set-default-ca --server zerossl
</pre>

=== DNS challenge ===
To obtain a wildcard certificate (e.g. *.k8s.csclub.cloud), you will need to perform the DNS-01 challenge. We are going to use nsupdate to interact with our BIND9 server on dns1.

On dns1, run:
<pre>
tsig-keygen csc-cloud
</pre>
Paste the output into the appropriate section in /etc/bind/named.conf.local. Also paste it into a file somewhere on biloba, e.g. /etc/csc/csc-cloud-tsig.key.

Add the following to the csclub.cloud zone block:
<pre>
allow-update {
!{
!127.0.0.1;
!::1;
!129.97.134.0/24;
!2620:101:f000:4901::/64;
any;
};
key csc-cloud;
};
</pre>
(We're basically trying to restrict updates to the given IP ranges. See https://serverfault.com/a/417229.)

The 'bind' user can't write to files under /etc/bind, so we're going to move our zone file to /var/lib/bind instead.
Comment out 'file "/etc/bind/db.csclub.cloud";' from named.conf.local and add this line below it:
<pre>
file "/var/lib/bind/db.csclub.cloud";
</pre>
Then run:
<pre>
cp /etc/bind/db.csclub.cloud /var/lib/bind/db.csclub.cloud
chown bind:bind /var/lib/bind/db.csclub.cloud
rndc reload
</pre>

On biloba, check that everything's working:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
update add test.csclub.cloud 300 A 0.0.0.0
send
EOF
</pre>
Use a tool such as <code>dig</code> to make sure that the update was successful.
If it worked, you can delete the record:
<pre>
nsupdate -k /etc/csc/csc-cloud-tsig.key -v <<EOF
delete test.csclub.cloud
send
EOF
</pre>
Now we are ready to actually perform the challenge with acme.sh:
<pre>
export NSUPDATE_SERVER="dns1.csclub.uwaterloo.ca"
export NSUPDATE_KEY="/etc/csc/csc-cloud-tsig.key"
acme.sh --issue --dns dns_nsupdate -d 'k8s.csclub.cloud' -d '*.k8s.csclub.cloud'
</pre>
(If something goes wrong, use the <code>--debug</code> flag.)

If all went well, just install the certificate as usual:
<pre>
acme.sh --install-cert -d k8s.csclub.cloud \
--key-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.key \
--fullchain-file /etc/nginx/ceod/syscom-ssl/k8s.csclub.cloud.chain \
--reloadcmd 'systemctl reload nginx'
</pre>

Main Page

2023-07-31T04:30:00Z

Y266shen:

This is the Wiki of the [[Computer Science Club]]. Feel free to start adding pages and information.

[[Special:AllPages]]

== Member/Club Rep Documentation ==
To access our Linux machines, see [[How to SSH]] and select one of the general-use machines from [[Machine List#General-Use Servers]].

To host a website, see [[Web Hosting]]. If you are trying to host websites for clubs, see [[Club Hosting]].

To use our VPS services (similar to Linode and Amazon EC2), see [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]. Note that you'll need to activate your account on one of CSC's machines before using the management panel.

To view instruction on playing music at the office, see [[Music]].

To use our Nextcloud instance (similar to Google Drive and Dropbox), go to [https://files.csclub.uwaterloo.ca CSC Files].

=== Guides ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[New Member Guide]]
* [[Club Hosting]]
* [[Web Hosting]]
* [[Git Hosting]]
* [[How to IRC]]
* [[How to SSH]]
* [[MySQL]]
* [https://docs.cloud.csclub.uwaterloo.ca/ CSC Cloud Documentation]
</div>

=== News and Events ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Meetings]]
* [[Talks]]
* [[Projects]]
</div>

== Committees Documentation ==
=== Club Operation ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Budget Guide]]
* [[ceo]]
* [[Exec Manual]]
* [[MEF Guide]]
* [[Office Policies]]
* [[Office Staff]]
* [[Sysadmin Guide]]
* [[Imapd Guide]]
* [[SCS Guide]]
* [[Kerberos | Password Reset ]]
* [[Keys and Fobs]]

* [[Talks Guide]]
</div>

=== Hardware Infrastructure (the bare metals) ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Disk Drive RMA Process]]
* [[Hardware]]
* [[Machine List]]
* [[IPMI101]]
* [[New NetApp]]
* [[Switches]]
</div>

=== Software Infrastructure ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[ADFS]]
* [[Authentication]]
* [[Backups]]
* [[DNS]]
* [[Debian Repository]]
* [[Firewall]]
* [[Kerberos]]
* [[Keycloak]]
* [[KVM]]
* [[LDAP]]
* [[Network]]
* [[New CSC Machine]]
* [[NFS/Kerberos]]
* [[Observability]]
* [[OID Assignment]]
* [[Podman]]
* [[Scratch]]
* [[SNMP]]
* [[SSL]]
* [[Syscom Todo]]
* [[Systemd-nspawn]]
* [[Two-Factor Authentication]]
* [[UID/GID Assignment]]
</div>

=== Services ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Application List]]
* [[BigBlueButton]]
* [[Mail]]
* [[Mailing Lists]]
* [[Mirror]]
* [[Music]]
* [[Nextcloud]]
* [[Printing]]
* [[Pulseaudio]]
* [[Webmail]]
</div>

=== CSC Cloud ===
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Ceph]]
* [[Cloud Networking]]
* [[CloudStack]]
* [[CloudStack Templates]]
* [[Kubernetes]]
</div>

== Miscellaneous ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Acronyms]]
* [[Budget]]
* [[Executive]]
* [[Past Executive]]
* [[History]]
* [[Library]]
* [[MEF Proposals]]
* [[Proposed Constitution Changes]]
</div>

== Historical or Obsolete Pages ==
<div style="-webkit-column-count:3; -moz-column-count:3; column-count:3;">
* [[Robot Arm]]
* [[Webcams]]
* [[Website]]
* [[Digital Cutter]]
* [[Electronics]]
* [[NetApp]]
* [[Frosh]]
* [[Virtualization (LXC Containers)]]
* [[Serial Connections]]
__NOTOC__

Debian 12 Transition

2023-07-31T03:57:15Z

Y266shen:

== Upgrade steps ==
1. Create the /etc/apt/keyrings folder.

2. Download the CSC keyring into it:
<pre>
wget -O /etc/apt/keyrings/csclub.gpg http://debian.csclub.uwaterloo.ca/csclub.gpg
</pre>

3. Make sure that the CSC keyring is the only one in /etc/apt/trusted.gpg:
<pre>
gpg --no-options --show-keys /etc/apt/trusted.gpg
</pre>

4. Delete /etc/apt/trusted.gpg and its backup file:
<pre>
rm -f /etc/apt/trusted.gpg /etc/apt/trusted.gpg~
</pre>

5. Replace the old-style /etc/apt/sources.list and /etc/apt/sources.list.d/*.list files with the new Deb822 "sources" style (see /etc/apt/sources.list.d/*.sources on sorbitol; don't copy the one for the Dell repo). Add a helpful note in /etc/apt/sources.list for other syscom members:
<pre>
# See /etc/apt/sources.list.d/*.sources
</pre>

6. apt update && apt dist-upgrade

7. apt autoremove --purge

8. During the upgrade, accept the new configuration files (choose the 'Y' option)
for the following files:
* /etc/fail2ban/fail2ban.conf
* /etc/fail2ban/jail.conf
* /etc/fail2ban/filter.d/sshd.conf
Everything else should keep the old file.

9. Copy the following files from sorbitol:
* /etc/fail2ban/fail2ban.local
* /etc/fail2ban/jail.local
* /etc/fail2ban/filter.d/sshd.local
Then restart fail2ban.

10. If the 'ntp' package is installed, purge it and install systemd-timesyncd instead. Enable the systemd-timesyncd service and copy /etc/systemd/timesyncd.conf.d/csclub.conf from sorbitol. Start the service and make sure it's working.

11. Get rid of python2 if it's still installed:
<pre>
apt purge python2.7-minimal
apt autoremove --purge
</pre>

== Pending machines ==
Machines/containers that have yet to upgrade to Debian 12. Remove entry when upgrade is done.

=== General-use servers ===

* corn-syrup: low on disk space (<10G)

=== Syscom Only ===

* xylitol: later?
** xylitol runs all sort of critical services
* phosphoric-acid: later?
** phosphoric-acid runs web
* yerba-mate
* cobalamin
* potassium-benzoate: ugh ubuntu and we can't shut down the mirror

=== Cloud ===

Everything. We will need to wait until ceph supports bookworm.

=== Containers ===

* on xylitol
** auth1
** mail
** chat
* on phosphoric-acid
** caffeine
** coffee
** prometheus