EcoCounts Tech Support
Page Speed
EcoCore website
2025-01-31 https://pagespeed.web.dev/analysis/https-ecocore-org/qf23ypn4xt?form_factor=mobile
2025-02-18 (after migration) https://pagespeed.web.dev/analysis/https-ecocore-org/mo332pqvsv?form_factor=mobile
Google Recaptcha Keys
EcoCore reCAPTCHA https://cloud.google.com/security/products/recaptcha?hl=en
v2 no robots site key: 6Leagd8qAAAAAPg_2t1Nuz1LMRi7yciJ0U7j6byb
v2 secret: 6Leagd8qAAAAAGD-TBj2YnY5Rz95tjg28K7IAJdR
v3 site key: 6LcC_cAUAAAAABA9IebNeeSBw6dl-oBLk73Fxyyw
v3 secret: 6LcC_cAUAAAAAGJHrWtkYLXgeF8qT4nEGGlv6qVj
WordPress
- Plugins:
- MiniOrange OpenID Connect Login (OpenID Connect Client)
NextCloud
- Set up the SSO server app in NextCloud top right user menu
- Click "+ App"
- Search on "OIDC"
- enable "OIDC Identity Provider"
- Go to Settings, scroll down to Administration in left-hand menu column, choose Security
- Set up OpenID Connect client (not OAuth2.0) for WordPress in conjunction with the MiniOrange OIDC client
- Set up OAuth2 client for Flarum in conjunction with the Flarum FoF OAuth extension, and the Flarum NextCloud OAuth extension
Flarum
Extensions:
- add the NextCloud OAuth extension: https://extiverse.com/extension/frie/flarum-nextcloud-oauth
MediaWiki
- Add extensions to
/home/carbonc/sites/mediawiki/w
- OpenID-Connect extension https://www.mediawiki.org/wiki/Extension:OpenID_Connect
- Add the following configuration to sites/mediawiki/w/LocalSettings.php:
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabelMessage = 'Login with your EcoCounts account';
wfLoadExtension( 'OpenIDConnect' );
$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data' => [
        'providerURL' => 'https://cloud.ecocounts.community',
        'clientID' => 'I8MfDD8oPXvmNc4OxyafXHKKsrhiekRisC9toFLwm2o9Oz6NMEcqiAhuelHuCfTS',
        'clientsecret' => '5C4aBrz7xR9I9hvBo95jefLJm5pZ9FxY40r2YGko4TrIJuHUUXXVhwguFS34qq92'
    ]
];
$wgOpenIDConnect_UseRealNameAsUserName = true;
Adding User Accounts
- Admin user must add username, password and email to https://cloud.ecocounts.community
- this sends an email with username to the email address
- log in with their credentials to Flarum - beware of the "Oops! Something went wrong. Please reload the page and try again." (just cancel and login again)
- log in to Wiki (top right "login" link)
- log in to the Wordpress site
- log in to Flarum as admin and give new user appropriate role
- same for Wordpress and add first & last name, editor role and email address
- forward the user the password, the link to the sites and ask them to log in to confirm their accounts work
Backups
BackupPC: HomeServer
Flarum: https://discuss.flarum.org/d/29768/3
Mediawiki package
Help: https://www.mediawiki.org/wiki/Project:Support_desk
Mediawiki installation.
- Put in a link:
sudo ln -s /var/lib/mediawiki /var/www/permacode/w
- install the php5-intl package
- install the php5-xcache package
- make sure the file upload directory wgUploadDirectory is non-executable: chmod 644 ....
- mediawiki config settings
- script that does the install:
/usr/share/mediawiki/includes/installer/Install.php
- setup a mediawiki user in mysql:
mysql> GRANT ALL ON *.* TO 'mediawiki'@'localhost' IDENTIFIED BY 'password';
- for security's sake, exit mysql and zero length .mysql_history
>.mysql_history
- browse the wiki and go through config settings, and then grab the LocalSettings.php file and scp it across, then:
mv LocalSettings.php /etc/mediawiki
chmod 700 /etc/mediawiki/LocalSettings.php
chown www-data /etc/mediawiki/LocalSettings.php
- setup wikipedia editor toolbar in LocalSettings.php:
require_once ( "$IP/extensions/WikiEditor/WikiEditor.php" );
- configure longer session time-out (24 hours) in /etc/php5/apache2/php.ini:
session.gc_maxlifetime = 864400
- configure Mediawiki short URLs:
- enable mod_rewrite:
a2enmod rewrite
- add apache config in /etc/apache2/sites-available/permacode:
# configure short URLs
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/w/index.php [L]
- add mediawiki config in /etc/mediawiki/LocalSettings.php:
$wgScriptPath = "/w";
$wgArticlePath = "/wiki/$1";
- put a robots.txt into /var/www/permacode:
User-agent: *
Disallow: /w/
- Add Markdown syntax https://github.com/bharley/mw-markdown
Wordpress Plugin - Google Analytics
The Newsletter Plugin
This is more complex than the other plugins.
Start with this one:
https://www.thenewsletterplugin.com/
Once that's installed, you need to get the free license key by registering with the developers:
https://www.thenewsletterplugin.com/account
and once that is installed, you need to install the add-on downloader via their Addons menu
and then when that's done, you go to their Addons Manager page and you need to install their "WP User Integration" add-on which you'll see there under "Integrations". It requires the free license key first.
Podcast
Podcast account at podbean: https://carbonwatchdog.podbean.com/
Podcast validator: https://podba.se/validate/?url=https://carbonwatchdog.org/feed/podcast/
Podcast RSS feed on Wordpress: https://martech.zone/wordpress-publish-external-podcast-feed/
Podcast services: https://martech.zone/where-to-promote-your-podcast/
- https://carbonwatchdog.org/feed/podcast/
- https://podcastsmanager.google.com https://podcasts.google.com/feed/aHR0cHM6Ly9jYXJib253YXRjaGRvZy5vcmcvZmVlZC9wb2RjYXN0Lw
- https://podcasters.spotify.com https://open.spotify.com/show/3YqQC21Uew4shO7w72LCaz
- https://podcastsconnect.apple.com/ https://podcasts.apple.com/gb/podcast/the-carbon-watchdog-podcast/id1534302716
- https://partners.stitcher.com/join https://www.stitcher.com/s?fid=579503&refid=stpr
- https://www.pocketcasts.com/submit/ https://pca.st/ze7l451m
- https://podcasters.deezer.com/submission https://deezer.com/show/1851042
- https://amp.pandora.com https://www.pandora.com/podcast/the-carbon-watchdog-podcast/PC:37546
- https://www.iheart.com/content/submit-your-podcast/ https://www.iheart.com/podcast/269-the-carbon-watchdog-podcas-73688814/
Imagick for Wordpress images
Linux distributions install ImageMagick (imagick) with a default security policy that blocks PDF operations, so the restriction has to be lifted for normal operation. The restriction exists because an attacker could upload a malicious PDF that abuses ImageMagick when it is processed; it doesn't affect us, since we don't allow uploads except by admin.
Depending on the system, you may need to edit /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml and change this line:
<policy domain="coder" rights="none" pattern="PDF" />
to:
<policy domain="coder" rights="read" pattern="PDF" />
You can read more here: https://imagemagick.org/script/security-policy.php
Think carefully about whether you want to enable it, though, because there are security issues with it:
https://searchsecurity.techtarget.com/tip/More-Ghostscript-vulnerabilities-more-PostScript-problems
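To confirm what the installed policy file actually grants the PDF coder before and after the edit, the following helper can be used. It is an added example, not part of the original notes; the function name coder_policies is made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original notes. coder_policies is a
# hypothetical helper name; it is not an ImageMagick tool.
#
# Usage: coder_policies /etc/ImageMagick-6/policy.xml [CODER]
# Prints "LINE:RIGHTS" for every active (non-commented) coder policy whose
# pattern names CODER (default PDF), either alone or in a {A,B,C} list.
# Wildcard patterns such as "*" are not expanded.
coder_policies() {
    awk -v coder="${2:-PDF}" '
    {
        # Remove XML comments, including ones spanning several lines:
        # stock policy.xml files carry sample <policy> lines in comments.
        text = $0; active = ""
        while (text != "") {
            if (in_comment) {
                close_at = index(text, "-->")
                if (close_at == 0) break
                text = substr(text, close_at + 3); in_comment = 0
            } else {
                open_at = index(text, "<!--")
                if (open_at == 0) { active = active text; break }
                active = active substr(text, 1, open_at - 1)
                text = substr(text, open_at + 4); in_comment = 1
            }
        }
        if (active !~ /<policy/ || active !~ /domain="coder"/) next
        # Pull the pattern and rights attribute values out of the element.
        if (!match(active, /pattern="[^"]*"/)) next
        pattern = substr(active, RSTART + 9, RLENGTH - 10)
        if (!match(active, /rights="[^"]*"/)) next
        rights = substr(active, RSTART + 8, RLENGTH - 9)
        # A pattern may list several coders, e.g. {PS,PDF,XPS}.
        gsub(/[{}]/, "", pattern)
        n = split(pattern, names, ",")
        for (i = 1; i <= n; i++)
            if (names[i] == coder) { print NR ":" rights; break }
    }' "$1"
}
```

An output of `none` means PDF handling is still blocked, `read` matches the change described above, and anything that includes `write` is broader than these notes call for.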
CSS Scraps
cite,
figcaption,
.wp-caption-text,
.post-meta,
.entry-content .wp-block-archives li,
.entry-content .wp-block-categories li,
.entry-content .wp-block-latest-posts li,
.wp-block-latest-comments__comment-date,
.wp-block-latest-posts__post-date,
.wp-block-embed figcaption,
.wp-block-image figcaption,
.wp-block-pullquote cite,
.comment-metadata,
.comment-respond .comment-notes,
.comment-respond .logged-in-as,
.pagination .dots,
.entry-content hr:not(.has-background),
hr.styled-separator,
:root .has-secondary-color,
.dip-article-block h4,
.entry-title a,
.ub-block-post-grid header .ub-block-post-grid-title a,
.wp-block-ub-content-toggle-accordion-title h2 {
    color: #f2f6f9 !important;
    fill: #f2f6f9;
}
backuppc
- install BackupPC
- Ubuntu package automatically configures the Apache CGI interface but it requires SSL
- add SSL syntax to /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:443>
    ServerName gondolin.localdomain
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/ca.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ca.key
</VirtualHost>
- create an SSL cert:
adam@gondolin:~$ sudo a2enmod ssl
adam@gondolin:~$ sudo systemctl restart apache2
adam@gondolin:~$ sudo openssl genrsa -out ca.key 2048
Generating RSA private key...
adam@gondolin:~$ sudo openssl req -nodes -new -key ca.key -out ca.csr
You are about ...
adam@gondolin:~$ sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Signature ok ...
adam@gondolin:~$ sudo mkdir /etc/apache2/ssl
adam@gondolin:~$ sudo cp ca.crt ca.key ca.csr /etc/apache2/ssl/
adam@gondolin:~$ sudo emacs /etc/apache2/conf-available/backuppc.conf #follow instructions in comments
- also install package par2
- create the mount point for the USB drive in /etc/fstab:
LABEL=Seagate-4TB /media/backuppc/usbbackup auto defaults 0 1
- make sure TopDir in config.pl points to it (and that the local hostname is correct)
- put symlink in /var/log because by default it's not easy to find:
sudo ln -s /var/lib/backuppc/log/LOG /var/log/backuppc
- check there is a backuppc.conf file in /etc/apache2/conf-enabled and if not, create a link there pointing to the correct conf file (caused by a poor upgrade in Apache apparently, so not always a problem, just sometimes):
sudo ln -s /etc/backuppc/apache.conf /etc/apache2/conf-enabled/backuppc.conf
- setup the backuppc user password
htpasswd /etc/backuppc/htpasswd backuppc
- set up ssh passwordless logins from backuppc server to each client
- be careful to test with the correct user on the server and the correct user on the client as per above "sshd" section. User 'backuppc' on server and 'backup' on client
- configure backup directory onto USB drive
- create a mount point with access rights
mkdir /media/backuppc/usbbackup
chgrp backuppc /media/backuppc/usbbackup
chown backuppc /media/backuppc/usbbackup
chmod 750 /media/backuppc/usbbackup
- make sure all dirs in path give backuppc rx privileges
- set config variable TopDir in config.pl to /media/backuppc/usbbackup
- edit /etc/fstab
LABEL=Seagate-4TB /media/backuppc/usbbackup auto defaults 0 1
- check that the owner:group permissions on the USB drive are still backuppc:backuppc
- configure the rest in the web interface following http://www.cs.umd.edu/~cdunne/projs/backuppc_guide.html
- xfer tab - XferMethod: rsync
- email tab - EmailAdminUserName: my email address
- schedule tab - FullKeepCnt: 4, 2, 3, 0, 0, 4
FullAgeMax: 1095 (3 years)
IncrLevels: 3, 2, 5, 4, 7, 6
- hosts tab - add clients to be backed up
- use visudo to add permissions for backuppc:
backuppc ALL=NOPASSWD: /bin/tar,/usr/bin/env
- localhost: TarClientCmd starts with /usr/bin/sudo, note bizarre + sign:
/usr/bin/sudo /usr/bin/env LC_ALL=C $tarPath -c -v -f - -C $shareName+ --totals
- backup important directories:
/etc
/home/adam/
- test backups
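
For the step "make sure all dirs in path give backuppc rx privileges", the check can be scripted rather than done by eye. This is an added example, not part of the original notes; the function name path_blockers is made up, and it assumes GNU stat as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example, not from the original notes. path_blockers is a
# hypothetical helper name. Requires GNU stat (Linux); it looks at the
# classic mode bits only, so ACLs and root's override are not considered.
#
# Usage: path_blockers backuppc /media/backuppc/usbbackup
# Prints the first directory on the way to the target where the user lacks
# read+search (r-x) and returns 1; prints nothing and returns 0 otherwise.
path_blockers() {
    user=$1
    rest=${2#/}
    user_groups=" $(id -Gn "$user") "
    dir=""
    while [ -n "$rest" ]; do
        # Extend dir by one path component per iteration.
        dir="$dir/${rest%%/*}"
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        # %a may be 3 or 4 octal digits (setgid/sticky); pad to 4.
        mode=$(printf '%04d' "$(stat -c %a "$dir")")
        if [ "$(stat -c %U "$dir")" = "$user" ]; then
            bits=$(printf '%s' "$mode" | cut -c2)            # owner digit
        else
            case $user_groups in
                *" $(stat -c %G "$dir") "*)
                    bits=$(printf '%s' "$mode" | cut -c3) ;; # group digit
                *)  bits=$(printf '%s' "$mode" | cut -c4) ;; # other digit
            esac
        fi
        # r = 4, x = 1: both are needed to list and traverse the directory.
        # Stop at the first failure; deeper levels cannot be reached anyway.
        [ $((bits & 5)) -eq 5 ] || { echo "$dir"; return 1; }
    done
    return 0
}
```

Run it again after the USB drive is mounted, since the permissions of the mounted filesystem replace those of the empty mount point.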