I.T. infrastructure for a growing charity

As Solent Youth Action‘s resident geek, I guess it’s inevitable that I get sucked in to anything I.T.-related.

Over the last few years, our I.T. resources have grown in an ad-hoc way – primarily driven by needing more PCs as we have grown our staff, and limited by how much money we have at the time!

In our last trustees meeting, we decided that we’ve grown to the point where we need to be more organised about our approach to I.T. Ideally, we want a roadmap which outlines not only our current I.T. needs, but identifies what we will need to meet where we see SYA growing in the future.

I wanted to bounce my ideas off friends, so thought rather than sending it round in an email it might be easier to put my ideas here, open it for comments and pass a link round.

So here goes… here are my first few ideas about what I think we need to do… please feel free to point out where I’ve said something stupid! 🙂


Where are we now?

We’re a small organisation – eight members of staff, currently based in three rooms we rent in ECS House in Eastleigh.

We’ve now got eight Windows XP desktop PCs, all networked together (some with ethernet, some over Wi-Fi, using our own router). We went for Wi-Fi because one of our three rooms is separated from the other two – and I didn’t fancy running network cables through a building.

We’ve got a couple of printers, one in one room on it’s own, one in the two rooms next to each other. Each is connected to a single PC, and shared to let the other staff send stuff to it.

We have a portable USB hard-drive, normally connected to one PC, which shares the drive on the network. This is our “shared filespace”, and is where the staff store finished files and documents, making them accessible by all staff.

Our records about young people are stored on a MySQL database, accessed via a bunch of custom PHP forms, hosted from one of the PCs using the Uniform Server bundle of the Apache/MySQL/PHP stack for Windows.

Increasingly, the staff are working regularly from outside ECS House – working from local schools, colleges, Students’ Unions, and other youth centres, such as Connexions centres. When doing this, they use our ISP’s webmail to keep in touch on email, a pay-as-you-go mobile for phone calls, and large A4 ring binders with everything else that they might need while out of the office.


What are the problems with this?

The SYA network can’t be accessed outside of ECS House. Carrying folders of forms and paperwork and binders with our current volunteering opportunities on a regular basis is far from ideal.

The network filespace is not accessible when the computer it is connected to is switched off. It is portable, so the staff can always physically go and get the drive and plug it in their own machine, but this feels a little clunky. And I’m not sure I like our primary store of data and documents living on a portable drive that is regularly moved around.

Similarly, printers are not accessible when the PC’s they are connected to are switched off.

Most of the PCs are running Windows XP Home (because it’s cheaper) which means that we’ve had many problems with the number of staff who can connect to networked resources like the filespace at any one time. This never used to be a problem when we had fewer than six computers, but as we’ve grown, we’re starting to bump into it more often.

The MySQL database of young people is not accessible when the PC it is hosted on is switched off. And it is not available outside of ECS House, meaning that staff will often resort to printing out large sections of the database when needing to working at partner sites. I really don’t like us carrying around personal information outside of the building in printed form.

Our backups process is manual – with an administrator responsible for dumping the MySQL database from one computer and burning it to CD with the documents from the portable USB hard-drive.


What should we do?

Idea 1 – Central file and print server

Replace the portable USB hard-drive with a Linux fileserver. Connect all of the printers to it, and also use it as a central print server

Why?

Linux does not have the limitation of six connections that Windows XP Home has – so some of the scaling problems as we grow beyond six members of staff would go away.

A powered file and print is always accessible – not needing any particular PC to remain on.

Linux is free – so it saves us needing another expensive Windows license.

Linux is better suited to supporting automated backups – we could use something like a cron job on it to kick off a backup task.

How?

I’m thinking that CentOS Linux is the best option – because I like RedHat but don’t want to have to pay for it! And Fedora Core is a bit too bleeding edge for what just needs to be a solid file server.

We’ve got a cheap, donated PC which should be adequate to run it. Although I’m thinking that we’d better start off with new hard-drives – not sure I want to rely on hard-drives in an unknown condition of an unknown age for our data.

We don’t have massive storage needs, so I’m thinking that it might be a good idea to put our money towards two smaller drives, and use RAID to give us some fault tolerance from disk errors and single disk failure. (Is two enough? Would it be overkill to go for a parity-based approach like RAID 5?)

Idea 2 – Virtual Private Network

Allow computers not in the ECS building to access the SYA network

Why?

We could allow staff to access stuff while working remotely from schools, colleges, Universities, etc.

It would also allow me to remotely control desktops in SYA to carry out I.T. support tasks from home or work. At the moment, if something goes wrong with one of the computers or one of the staff need help doing something, I need to find time to go to the office, ideally when the staff are there. This isn’t easy and can sometimes take me several days. If I could remote-desktop in on a lunch-break, then my typical response time could become hours instead of days.

Looking further ahead, we are working on plans to expand to office-space in other local towns in the medium term. Being restricted to working in Eastleigh was a good place to start, but is starting to become a limiting factor, and it seems likely that we will need a presence of some sort outside of Eastleigh in the coming years.

How?

Eek… this is the question. This needs to be done *very* carefully, to ensure that access remains limited to SYA staff.

I guess there are two main options:

VPN – install a VPN solution on a Linux box in the office. I’ve heard good things said about free solutions such as Hamachi but I’m sure there are others out there. (Such as the ones listed on Daily Cup of Tech‘s recent post on freeware security software.)

‘Roll your own’ security using SSH tunnelling / port forwarding – As we have our own router, we can specify some specific ports to forward on to a “VPN” Linux box which can access the SYA network.

Is one better than the other?

I guess the software solution approach would be simpler to configure… but then the SSH tunnelling approach probably wouldn’t be all that complicated anyway.

Do we need a dedicated machine for it? Instinctively, I’m thinking that it may be insecure to use the same box for this as for the fileserver I mentioned above. But practically, is it that much of a risk?

For remote desktop, a friend has recommended NoMachine‘s free remote access solutions as being worth a look particularly when using slower connections, and at first glance it looks quite powerful.

Stepping back a bit, is this really necessary? Am I over-engineering things? Would a bunch of USB memory keys and some approach to syncing with the office network be simpler?

Or maybe moving to an online approach – use WebMail for all email, Google Docs for all documents, pay for some online storage for non-Office docs like images and so on, and host our MySQL database externally… Perhaps then the need for an internal network goes away? This could make things like backups easier…. depending on how much we trust our online providers!

This leads me on to…

Idea 3 – External database hosting

Transfer database of young people to an externally hosted server

Why?

Externalising database makes it easier for staff to access it when working off-site. It also opens up the opportunity for young people to access (and update) their own information. Why not let them update their own phone number when they get a new mobile?

This could also give us a more formal rigorous approach to backups, including off-site backups, depending on the provider we go with. This gets us into the whole realm of Service Level Agreements, and needing to decide what we need – how long could we cope without access in the event of a problem? 1and1, who I’ve used in the past, offer MySQL hosting for £9.99 a month with a 99.99% uptime ‘guarantee’. At first glance, this looks like it’d be good enough.

How?

We can’t put the current PHP front-end to the database online. To start with, they are not at all secure – as we have always relied on the fact that access to the database was physically secured in the building. In addition, they are also a little quirky and clunky. Put it this way – the staff have just about figured out how to use them, but I don’t fancy the chances for any young person trying to figure it out!

I’m thinking of transferring the database to a drupal-powered system. Not only would this give us a more secure and reliable front-end to the database, but from what I’ve read about drupal it scales very well, which could become important if we open up access to our thousands of young people. The wealth of other drupal modules available would also allow us to roll out new features in the future that could foster the sort of online community that we’ve talked about wanting… content management for the website instead of the current static HTML, a blogging engine, discussion forums, and lots more.

It shouldn’t be that hard to script something which dumps the data out of the current MySQL database, maps it, and imports it in a new drupal MySQL database.

Not sure how much work it would be to get the basics up-and-running : port across the static HTML content, and setup the stuff needed for user profiles… and as it is gonna fall to me, whether I can block out a day or two to do it is gonna be a factor… but it feels like the right direction to go in.


Anything else?

So what do people think? Any comments on my ideas? Any suggestions or other ideas? Please feel free to comment here, or email me separately. Thanks!

9 Responses to “I.T. infrastructure for a growing charity”

  1. Marconi says:

    Over time, with activity, your server/desktop drives will experience file fragmentation and cause system slowdowns, so I’d suggest installing defragmentation software such as Diskeeper. We use Diskeeper Server on our windows servers and it does an admirable job of keeping fragmentation under control.

  2. Anton Piatek says:

    I would definitely go for the Linux fileserver method (I would recommend Debian, but I’m a Debian nut…) Raid is a must, either mirroring or mirror+stripe, but can all be done easily enough in software – just buy a few disks and youre off (upgrading that can be tricky as you need to do a full disk swapout, so need a few ide channels spare). There are enough tutorials on this to get you there.
    As for connection in, ssh+port forwarding is nasty as hell. VPN is the way forward. I never did it myself, but believe it is not too difficult on linux.
    External hosting is a possibility, but it has the same risks as hosting publicly yourself, except usually someone else is responsible for security of the box, but how good they are is up for debate (also how flexible). The one advantage is the bandwidth is usually better.
    A word of caution, drupal has a really complex DB structure, so think long and hard about moving to it… it can be a real pain to get data in/out of.
    To put your own server public, just use apache htaccess auth (or similar). And firewall everything but apache (or of course use the vpn route[recommended])

  3. Anton Piatek says:

    Forgot to say that 1 mirrored disk is going to be fine so long as you check logs for raid failures (or have them emailed to you) and buy a new disk asap after one fails. Test the mailing if you like by telling mdadm that one disk has failed and check if your logging/mailer service does notify you. Then just remove the disk from the array and add it again (will have to resync the data, but will be fine). Just remember that with raid 5 you will need to put at least /boot/ as mirrored, as grub can’t read striped raid…

  4. Felix says:

    Dale,
    I think these are all good ideas, and by no means mutually exclusive. I think it would make a lot of sense to get your db/php stuff out of the office and onto a web-server; you should be able to pick something up for less than £50 a year for your needs (I recommend dream-hosting.co.uk), and then if you run it all over SSL (some extra costs for licence) or just use simple .htaccess rules for security then that will be accessible to all.
    This also gives you a pretty big FTP space online for anything that should be accessible for outside the office. Not much use as a shared drive, but good for random bits and pieces. Perhaps you should look at a network attachable hard drive for the shared space instead, which would remain powered up but not require a computer to stay on.
    Running the Linux box in the office is a great idea; I’m currently handling a Win2k3 server, and it is horrid. Why not Ubuntu server, though? The set up will be much easier than CentOS.
    Having just moved openDemocracy to drupal, I will say it is a great system, but I’m not sure it is really suitable for what you are trying to do; it cqan be somewhat rigid and difficult to work with really novel content types and user fields, so be warned. But yes, a quick command line PHP script (use the drupal bootloader, it will make your life _much_ easier) will do your data import nicely. Again, dream-hosting is great for a drupal site.

    Hope that helps, feel free to mail with any questions…

    Felix

  5. Anonymous says:

    So… here’s my two cents:

    I generally agree with Anton’s comments. Software raid mirroring, with a stable Linux kernel (I would choose a RHEL5 based CentOS myself), and a backup process – here your USB hard-drive stays useful.

    On the VPN front, I’d be interested in looking at how difficult it is to setup openswan/secureswan. Maybe I’ll get a chance to do this, and can let you know. I’m always a bit wary of the ‘the basic version is free’ software, but that’s just me.

    Think the choice of having an external web portal vs. internal doc store & DB is an interesting one. I think you’d be biting off more than you could chew trying to get everybody to stop using word docs in a fileshare, and start using lots of other web-widgets. e.g. get the VPN running for business as usual, and then look at building a flasher public DB in the future.

  6. dale says:

    Thanks very much to everyone who helped with this – both with comments here, through emails that I got, and people who came and had a chat with me about it. It is all very much appreciated and has given me some useful pointers to get started. (Special thanks also to Pete for offering to help set things up once I’ve decided on a plan!)

    As a side note, I found it interesting that so many more people were more comfortable giving some very useful advice privately by email, rather than posting comments publicly here. It doesn’t make the advice any less useful (or any less appreciated!) but I guess I’ve got so used to the idea of doing everything publicly and online that I was just a little surprised by this. Actually that probably says more about me than anything else… 🙂

    Anyway, thanks again to everyone.

  7. John says:

    One question is – why do they need computers at all? The less they do on computers, the less you need support. Remember, as a volunteer, you deserve answers better than “We need Word” before accepting work.

    With those in mind I suggest the following:

    – Get as much off site and maintained by someone who’s job it is as possible. Use web based applications instead of Microsoft Office. Many solutions have integrated team tools. Also the MySQL database should have a web front end that you can server from a box maintained by someone else. This should help when you have roaming users and multiple sites.

    – In my experience, RAID will only protect you against hardware failures. For software, you need proper backups. For this, I would suggest something like Amazon’s S3 service – cheap, off site, reliable and someone else’s problem.

    – If any of your user’s machines need more than a base OS + Browser you need to be asking serious questions. Every addition is more responsibility for you.

    Finally, remember that, as the tech resource, you should be telling them how it’s going to work, not the other way around.

  8. […] blogged back in the summer when I was starting to think about overhauling the I.T. infrastructure for my youth charity, Solent […]

  9. Economist says:

    My Internet provider uses VPN really widely, and it’s the biggest one in the city. But there are some disadventage. I hate clicking the connect button to get my Internet access. But in other aspects the link works well.