- Please help to improve / clarify. If unclear ask questions directly in this wiki page.
- If you want to test a reference installation (to see how it works or to compare with your own) please see: Tiki Suite Demo.
- Only install the components you want
- If you are just testing, the simplest option is a pay-by-the-hour 1 GB Linode instance at USD $10 per month.
- See also Tiki Suite deployment scenarios and Tiki Suite Hardware
- To keep things simpler, we are putting as much as possible on the main server. As your needs grow, you can split to various servers with sub-domains.
- In the future, we want to automate things more. If you have skills in this area, please do get in touch to help out. For now, here is the recipe.
- You should use your own domain name but if you don't have one, you can use the *.poweredbyclear.com domain supplied for free by the folks at ClearCenter
- You can also transfer your domain to ClearCenter (Makes things simpler)
- Using Dynamic DNS is for when you don't have a fixed IP address. This is pretty much the default if you are self-hosting with DSL or Cable internet. You need to make sure this is activated at https://secure.clearcenter.com/portal/dns.jsp
- You can also transfer your domain to ClearCenter (Makes things simpler)
- If something is not working quite right with the instructions below, try rebooting the server. Some things only take effect after a full reboot. For example, Jitsi may tell you "Authentication failed for jo at example.org (Jabber). The password you entered is not valid." even though you know the password is OK.
- If an app is not working, try temporarily turning off your firewall, by toggling between "Standalone" and "Standalone - No Firewall" as Network Mode here: https://example.org:81/app/network
Servers
Server 1 example.org
ClearOS
- Install from ISO, latest stable version, or USB
- System registration is part of the post-installation wizard. It is not mandatory, but it is recommended.
- All Tiki Suite software will be packaged as "apps" in the ClearCenter marketplace, and thus, you need to have an account unless you are going to install all the apps manually (if you have the skills to do this, please instead join the Tiki Suite team!)
- Activate & configure the features you need from the ClearCenter Marketplace. We are compiling a Quick Select File (QSF)
- VPN
- flexshare Share files via Web (HTTP/HTTPS), FTP (FTP/FTPS) or File Shares (Samba)
- You should have an SSL certificate if you don't want to use the self-signed certificate automatically made by ClearOS
- A wildcard SSL certificate is better because several sub-domains will need to be secured (for XMPP, etc.)
- You should disable SSLv2 and SSLv3 and the weak ciphers
    # SSL Protocol support:
    # List the enable protocol levels with which clients will be able to
    # connect. Disable SSLv2 access by default:
    # SSLProtocol all -SSLv2
    SSLProtocol All -SSLv2 -SSLv3
    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH

    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    SSLProtocol All -SSLv2 -SSLv3

    # service httpd restart
- Install DenyHosts for SSH brute force attack protection
- To make file management easier: http://www.clearfoundation.com/docs/howtos/midnight_commander
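An offline check for the SSLProtocol and SSLCipherSuite changes described above, as an added example rather than ClearOS or Tiki Suite code. The function names and both sample files are constructed for illustration. It reports any active SSLProtocol line that leaves SSLv2 or SSLv3 enabled, and any SSLCipherSuite built from ALL that lacks one of the !aNULL, !eNULL, !LOW or !EXP exclusions used in the strings above.

```shell
#!/bin/sh
# audit_ssl_conf FILE: one finding per line; exit status 0 = clean, 1 = findings.
audit_ssl_conf() {
    awk '
    /^[ \t]*#/ { next }                 # commented-out directives are inactive
    tolower($1) == "sslprotocol" {      # replay the +/- tokens left to right
        v2 = 0; v3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i); on = (t !~ /^-/); sub(/^[+-]/, "", t)
            if (t == "all") { v2 = on; v3 = on }
            if (t == "sslv2") v2 = on
            if (t == "sslv3") v3 = on
        }
        if (v2) { print FILENAME ":" NR ": SSLv2 enabled"; bad = 1 }
        if (v3) { print FILENAME ":" NR ": SSLv3 enabled"; bad = 1 }
    }
    tolower($1) == "sslciphersuite" {
        s = ":" $2 ":"
        gsub(/!EXPORT:/, "!EXP:", s)    # EXPORT is an alias of EXP
        if (s ~ /:ALL:/) {              # ALL needs explicit permanent exclusions
            n = split("aNULL eNULL LOW EXP", need, " ")
            for (i = 1; i <= n; i++)
                if (index(s, ":!" need[i] ":") == 0) {
                    print FILENAME ":" NR ": ALL without !" need[i]; bad = 1
                }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample files, not copied from a real server.
make_samples() {    # $1 = directory that receives weak.conf and hardened.conf
    cat > "$1/weak.conf" <<'EOF'
# SSLProtocol All -SSLv2 -SSLv3
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
    cat > "$1/hardened.conf" <<'EOF'
# SSLProtocol all -SSLv2
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:!MEDIUM:+HIGH
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in weak.conf hardened.conf; do
    audit_ssl_conf "$demo_dir/$f" && echo "$f: ok"
done
rm -rf "$demo_dir"
```

Run audit_ssl_conf against each file you edited, before restarting httpd. A commented-out directive never counts, so a hardened line that is still prefixed with # is not treated as active.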
Zarafa
- Use ClearCenter marketplace. You must pay $10 to use marketplace but this is the AGPL package. If you want to avoid $10 fee, install Zarafa manually. The $10 is to encourage Tim Burgess, who did the packaging / integration (which is quite a bit of work).
- See installation instructions at: http://www.clearcenter.com/support/documentation/user_guide/zarafa_community_for_clearos
- To get the latest versions of Zarafa, visit https://example.org:81/app/software_repository, activate zarafa-community-testing, then visit https://example.org:81/app/software_updates and click "update all". As of 2014-04-10, this will take you to zarafa-7.1.8-44004 and Zarafa WebApp 1.5-43703 (instead of 7.0.x and 1.3.x)
SMTP
- https://example.org:81/app/smtp should have your domain name for Domain and Hostname (ex.: example.org)
Domain name configuration
- See http://www.clearcenter.com/support/documentation/clearos_guides/setting_up_a_mail_server_even_if_your_isp_is_making_it_hard_to_do_so for general tips
- You need to set MX records. Check with http://www.dnsstuff.com/ to see if it's good.
- If your domain is with ClearCenter: https://secure.clearcenter.com/portal/dns_mx.jsp
- If the mail is on the same domain, you can set your MX to be the same as your "Hostname"
- You can also have mail/MX backup: if you enable the mail/MX backup for a domain, dedicated mail backup servers will queue the mail when the primary mail server is unavailable.
- If your domain is with ClearCenter: https://secure.clearcenter.com/portal/dns_mx.jsp
- It is highly recommended to configure SPF records to help prevent email spoofing
- If you have a fixed IP address, it is highly recommended to set a PTR Record for your domain.
Related software
- For ActiveSync configuration tips, see below
- If you want offline access to emails, see the Thunderbird section below (you will need to open firewall ports)
Tiki
- Install ClearOS 6.6.0
- Make sure ports 80 (HTTP) and 443 (HTTPS) accept connections
- To do so, go to https://example.org:81/app/incoming_firewall
- Then, run the following command to get Tiki 12.2 (and soon 12.3):
    yum install app-tiki
- Then, go to Server -> Messaging and Collaboration -> Tiki Wiki CMS Groupware in the menu to complete the setup.
- If not already done, you'll want to make sure you have a working domain name (example.org)
After this beta period, Tiki will become an app in the marketplace. More info at: Tiki on ClearOS
We can also get OPcache. It's standard in PHP 5.5, but we can install it on 5.3:
http://www.clearfoundation.com/docs/howtos/opcache
In ClearOS, you can't create a group which has the same name as a user. In Tiki, this is possible, so you should have a convention. Ex.: users: first.name; groups: must be different from usernames, no dots (.)
Other useful tools include:
- http://www.clearfoundation.com/docs/howtos/mc
- http://www.clearfoundation.com/docs/howtos/nano
- http://www.clearfoundation.com/docs/howtos/subversion
To check logs (error, access, etc.), visit:
https://example.org:81/app/log_viewer/index
- Todo: Get http://www.clearfoundation.com/docs/howtos/wkhtmltopdf working
- Todo: decide about InnoDB vs MyISAM, MySQL 5.5 vs 5.6
Cron job
This is an adaptation of http://doc.tiki.org/Cron+Job+to+Rebuild+Search+Index for ClearOS
$ crontab -u apache -e
0 0 * * * cd /var/www/html/; php console.php index:rebuild >/dev/null 2>&1
[root@labalab html]# crontab -u apache -l
0 0 * * * cd /var/www/html/; php console.php index:rebuild >/dev/null 2>&1
See also: http://www.clearfoundation.com/docs/howtos/cron
PHP 5.5
- Problem: ClearOS 6.x has PHP 5.3 but PHP 5.5 would be so much better.
- Tiki 13 requires PHP 5.5
- PHP 5.3.x reaches end of life in July 2014
- OPcache is built-in
- Jitsi provisioning was written for Tiki 13 in PHP 5.5 syntax, but was backported to 12.3 so we are OK in PHP 5.3
- How to install PHP 5.5 on ClearOS 6.x
Piwik
- http://www.clearfoundation.com/docs/howtos/piwik
- Question: is there any advantage for Piwik not to be on the same server as Tiki?
- Configure with Tiki as per Tiki-Piwik docs
- You can get SaaS from https://piwik.pro/
Openfire Meetings
The base package is with Openfire Meetings (XMPP+WebRTC). If you also need a PBX phone system: FreeSWITCH + FusionPBX
Todo: document how to install Openfire Meetings on ClearOS with
- OpenLDAP integration
- Firewall ports
- SRV records (If your server name is different than your XMPP domain)
- Turn Server
- SSL
Todo
- https://github.com/stpeter/manifesto/blob/master/manifesto.txt
- Get chatrooms working
- Users should auto-join chatrooms via Jitsi provisioning
- We'll want a web interface but which one?
- Make a basic admin panel for ClearOS, and perhaps a link to a standalone more complete admin panel -> http://tracker.clearfoundation.com/view.php?id=1714
- What if ClearOS is installed on a subdomain? Need SRV records...
RADIUS Server
- http://www.clearcenter.com/marketplace/network/RADIUS_Server.html
- https://github.com/FreeRADIUS/freeradius-server/pull/367/commits
Turn Server
- http://www.rtcquickstart.org/ICE-STUN-TURN-server-installation
- http://www.resiprocate.org/Improving_RADIUS_Support
- http://www.resiprocate.org/RADIUS
- https://blog.andyet.com/2015/01/14/turn-for-webrtc
QoS
- http://www.clearfoundation.com/docs/developer/apps/qos/taking_qos_for_a_spin
- http://www.clearcenter.com/support/documentation/user_guide/qos
POTS
- Todo: connect JitMeet to FreeSWITCH
- to call out to attendees
- for attendees to be able to call in
Elasticsearch
https://doc.tiki.org/Elasticsearch
http://wikisuite.org/How-to-install-Elasticsearch-on-ClearOS
TogetherJS
- For real-time collaborative editing of eventually all features in Tiki, TogetherJS integration has started. By default, it uses the always up to date version hosted by Mozilla. But you can host your own
- This is still quite experimental so you should probably skip this unless you want to help code this 😉 -> Together
Server 2 - Kaltura
If you are not managing videos, just skip this one and install later
- Install from ISO
- Set to video.example.org
- Connect to Tiki as per Tiki-Kaltura docs
- Since Tiki Suite is by default https, you need to set your Kaltura server to be https as well. Ex.: https://www.kaltura.com/
- http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,61298/
Laptops
- On each client (Windows, MacOS X, GNU/Linux), install the following.
Firefox
Jitsi
- Use installer for your platform
- Configure your XMPP with Openfire Meetings
- Set up your address book to connect to OpenLDAP
- Contrary to Thunderbird, it doesn't need http://tracker.clearfoundation.com/view.php?id=1260
- Protect all your account passwords by setting up a master password in Jitsi.
- We have a Jitsi provisioning feature in Tiki
- The provisioning URL for Jitsi in Tiki 12.3 is (for example):
https://example.org/tiki-ajax_services.php?controller=suite&action=jitsi?username=${username}&password=${password}
- This is another example in trunk
http://demo.tiki.org/trunk/tiki-ajax_services.php?controller=suite&action=jitsi&username=${username}&password=${password}
Thunderbird
- This is optional if you want offline emails
- You need to open firewall ports IMAP (143), SMTP (25) and perhaps some of the ports listed here: https://example.org:81/app/zarafa_community
- Use installer for your platform
- Configure IMAP to Zarafa
- Folder names need to be changed from the defaults to the ones used by Zarafa & ActiveSync
- Sent Items is used by Zarafa & ActiveSync so let's just change the settings of Thunderbird
- Deleted Items is used by Zarafa & ActiveSync so let's just change the settings of Thunderbird
- Archives?
- Draft? Drafts made with ActiveSync don't always seem to be in sync with Zarafa & Thunderbird
- Spam?
- Outbox?
- Set up Lightning calendar to connect to Zarafa
- Protect all your account passwords by setting up a master password in Thunderbird.
- Configure address book to ClearOS OpenLDAP: http://www.clearfoundation.com/docs/howtos/connect_thunderbird_to_clearos_directory
Syncthing
https://github.com/syncthing/syncthing-gtk is a nice GUI for Syncthing
OpenVPN
- Configure OpenVPN for your platform.
A quick way is to grab the 5 files in https://example.org:81/app/user_certificates and add them to a subdirectory of OpenVPN's config folder
ex.:
C:\Program Files\OpenVPN\config\projectA\(5 files for project A go here)
C:\Program Files\OpenVPN\config\projectB\(5 files for project B go here)
On Windows, you need to start OpenVPN as an administrator.
Mobile
ActiveSync Mail-Contacts-Calendar
- Configure ActiveSync with Zarafa
- Name differs per platform. Look for something like "Corporate Mail" or "Exchange", but not POP, IMAP or Gmail.
- http://www.clearcenter.com/support/documentation/clearos_deployment_guides/synchronizing_zarafa_mail_contacts_and_calendars_-_mobile_devices
- When setting up ActiveSync on mobile devices while using the self-signed certificate, you may need to tell clients to accept all certificates
- By default, ActiveSync configuration just asks for email & password. If that doesn't work, you will get a more advanced interface. Often, the field "Domain\user name" needs to be edited from for example \marc.laporte to example.org\marc.laporte
- How to move mail from one account to another? It works in Thunderbird, but how to do with ActiveSync?
- To test ActiveSync: https://testconnectivity.microsoft.com/
- 2014-02-25: There was an issue with ActiveSync not connecting, which was related to error reporting. I turned off PHP error reporting for z-push by adding the following to /etc/httpd/conf.d/zarafa-z-push.conf
    # Make sure error reporting is off
    php_flag display_errors off
SIP-XMPP
- Android: install Jitsi 2.5 nightly build (needs testing with Openfire Meetings)
- Other platforms: you need to find SIP / XMPP clients
OpenVPN
- Install for your platform
- Configure with ClearOS's VPN Server