aboutsummaryrefslogtreecommitdiff
path: root/docs/forge.md
blob: 364d813a4b5950eb04b3677e60859465fb6c9418 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# Forge

Cyberia Forge is an instance of the [open source sourcehut software](https://sr.ht/).

It's hosted on Alpine Linux, because it has to be. ([Drew DeVault, sourcehut's creator](https://drewdevault.com/) distributes sourcehut's applications as [alpine packages]). 

Therefore this system is managed without the use of GTFO.

Forge lives on forge.cyberia.club (rosewater.cyberia.club), and runs the following software:

* meta.sr.ht
* git.sr.ht
* lists.sr.ht
    * lists.sr.ht-lmtp
    * lists.sr.ht-process
* todo.sr.ht
    * git.sr.ht-lmtp
* paste.sr.ht
* PostgreSQL
    * shared database
* Redis
    * shared cache
* OpenSMTPD
    * Ingests mail for mailing lists & todo

## Determining currently installed versions

Since sourcehut is distributed via alpine linux packages, you can grab the current version of each package with 

```
apk list --installed | grep sr.ht
```


## Debugging & OAuth Tokens

> Keep in mind that in the future sourcehut is moving to a graphql API which will use different authentication, so this documentation may be irrelevant once that happens. 

You can log into meta.cyberia.club as admin (If you aren't sure how, ask forest or j3s) and then view the list of oauth tokens:

![forge-oauth-tokens.png](forge-oauth-tokens.png)

These tokens have to be written into the config file `/etc/sr.ht/config.ini` for the source hut services to work. The source hut services don't have very good error handling or meaningful logging, so if they aren't working because of an invalid token, they probably won't log that. I was able to find out that the app was crashing because of an invalid token by capturing the http traffic on the server with `tcpdump` and analyzing it with wireshark. 

On the server:

```
rosewater:~$ sudo tcpdump -i any portrange 5000-5010 -w forest3.pcap

# ... wait a few minutes to collect data ...

# press ctrl-c to stop wireshark gracefully.

# upload the pcap file to my webclip server
rosewater:~$ curl -sS https://webclip.sequentialread.com/forest3.pcap | bash
```

On my workstation: 

```
# download the webclipped file 
forest@thingpad:~/Desktop$ curl -sS https://webclip.sequentialread.com/ > forest3.pcap
```

> **NOTE:** webclip has absolutely zero security, EXCEPT that it only lets you download the file once. So if you choose to use it, make sure to download the file you upload so its not sitting out there for some bot to discover... wire capture files like this almost always contain application secrets 😅 

Make sure you have an up-to-date version of wireshark (process might be different for your workstation):

```
apt show wireshark
sudo apt remove wireshark
sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt update
sudo apt install wireshark
apt show wireshark
```

Finally, you can run wireshark and open the pcap file you downloaded. You may want to set the filter to `http` to only display the http protocol messages.