Guides explain in practical terms how we do stuff. Any Hypha member can change these.1

We are inspired by the idea of "protocols" from the Lab Book of the Civic Laboratory for Environmental Action Research (CLEAR)

Protocols are the "attitudes" or "the manner in which one approaches each and every element in our space." They are different than pure rules or instructions; they are ways that we establish order and maintain practices across our group [...] -- They define the way we ought to proceed or behave in different situations. As such, they are normative, or premised on values, morals, and an idea of how things ought to be done. They are a manifestation of our values.



Syncing your SOGo calendar

You can use CalDAV to two-way sync your SOGo calendar with calendar applications on mobile and desktop devices:

For using Calendar app on Android, install CalDAV Sync Adapter from F-Droid, then navigate to Settings > Accounts and configure the Sync Adapter with server and your SOGo credentials. Please make sure the Account name is your Hypha email address or you cannot send out invite emails. By default the app has syncing disabled, make sure you enable it.

For Thunderbird, open the calendar tab, click on +, a Create New Calendar dialog will pop up. Select On the Network button then click next. Select CalDAV button, the username is your Hypha email and the location of your personal calendar will be<USER> replacing <USER> with your username. Keep Offline Support selected and click next. The Name field should be your Hypha email and the Email selector select your Hypha email and click next and your calendar is now added to Thunderbird.

If there are other calendars you want to add from SOGo you can login to SOGo then navigate to the 3 dots beside the calendar you want to add and select Links to this Calendar and use the CalDAV link for the location.

For iOS and macOS, follow instructions in Using your existing email client which also sets up your calendar.

For other applications and platforms that support CalDAV, the default calendar is<USER> Some applications may require you to use or the full path to your calendar, which can be found and copied from within SOGo.

Creating a shared calendar

We have a shared calendar account which also us to share calendars internally with a group. Using your own account for this purpose will not allow invite emails to be sent out.

  1. Login to the shared calendar SOGo account with the Virtual Office Shared Calendar credentials on our Passbolt.

  2. Navigate to the Calendar interface and create a new calendar

  3. Configure shared access by selecting Sharing... in the new calendar

  4. If there are external collaborators who need Modify access, request a SOGo account for them on the hypha.local domain and configure as follow


  5. Optionally, sync with calendar applications using the CalDAV and WebDAV URLs for Authenticated User Access and Public Access


Creating new inboxes (Administrators)

What you'll need:

  • Admin access to our Mailcow email server
  • The following user info (from
    • preferred email handle e.g., (under "" column)
    • preferred public name (under "Public Name")
    • email they'd like forwarded to (under "Primary Email")
    • Signal-friendly phone number (under "Signal Phone" or "Phone")

Note: Consider creating a new GitHub issue in hyphacoop/organizing to track email onboarding.

  1. Sign into Mailcow:
    View Screenshot 🔎 Screenshot of Mailcow login page
  2. Navigate to "Mailboxes" tab
  3. Click "+Add mailbox" button at top-right of screen
    • If the namespace is already taken by an alias, ensure it's not in use before deleting it.
      View Screenshot 🔎 Screenshot of Mailcow mailbox tab
  4. Fill out the following fields, noting the password:
    • Username: [use preferred email handle]
    • Domain:
    • Full name: [use preferred public name]
    • Quota: 4096
    • Password: [auto-generated]
    • Active: checked
      View Screenshot 🔎 Screenshot of Mailcow mailbox creation popup

We'll now log in to confirm access, and set up an initial forwarder if requested to make first-time usage simpler.

  1. Open an incognito browser and access webmail login:
  2. Log into the account you just created.
    View Screenshot 🔎 Screenshot of webmail login screen
  3. Navigate through these menus:
    (top-left) > Mail menu item > Forward tab
  4. Check "Forward incoming mail" and enter provided primary email, clicking "Keep a copy".
    View Screenshot 🔎 Screenshot of webmail forwarding settings
  5. From your own email, send a welcome email, like this template:

    Hi XXXX --

    Yay! Your Hypha email's set up and forwarding to your personal inbox. People can start emailing you at this address immediately, without any extra effort on your part.

    Your new email (and login):
    Your password: Sent via Signal to XXX-XXX-XXXX

    Having said that, when you'd like to start sending email as, you'll need to take some more steps.

    The next steps will depend on how you like to handle email:

    Once you're set up, let us know by sending a test email to, ideally with a short emoji-only story. (Keypad mashes a-ok!) We'll send a friendly poke in a week if we haven't heard back.

    Questions? Feedback? Reach out via or for chat.

    In Solidarity,

  6. Send a Signal message with the previously noted password, for example: 🍄 hypha email password: xxxxxxxx

Using your new inbox (Users)

Accessing your inbox can be done via the hosted webmail interface or by using the same email client you're already using.

What you'll need:

  • Your new email address
  • Your password (sent to you by admin on initial setup)

Using the webmail interface

  1. Visit our email server:
  2. Click on Webmail button
  3. Enter your username and password:
    • Username is your email
  4. Once logged in you can read your emails and configure your user settings.
  5. By default your emails are forwarded to your personal email to disable that follow step 1 in Using your existing email client.

Using your existing email client

These docs are condensed from Mailcow's in-depth email client configuration docs. (Substitute your info for that of "Maria Sanchez").

  1. If requested, the emails to your are forwarded to your personal email address by default. If you want to turn off forwarding of your email, log in to webmail (instructions above)
    • Navigate through these menus:
      (top-left) > Mail menu item > Forward tab
  2. Uncheck the "Forward incoming messages", and save.
  3. Open your email client.
  4. Go to the "add email account" setting in your client.
  5. Enter your name that you prefer that will show up in your outgoing emails and email address when prompted.
  6. When prompted for username and password use your new email address e.g., for username and your password for your new email.
  7. Most email clients will auto-detect server settings based on your email address. If your email client does not auto-detect these settings, enter:
    • IMAP: Port: 993 (TLS/SSL)
    • SMTP: Port: 465 (TLS/SSL)
  8. Once added, you should now be able to send from your new email. In your email client, compose an email to with a short subject and send.
  9. Visit the corresponding cloud inbox and confirm your message has arrived, It might take a few minutes.
  10. Don’t forget to email Infra WG as mentioned in onboarding email.

For iOS and macOS following these steps will setup your email client and calendar automatically:

  1. Login to your Mailcow Account in the Mailbox tab under Apple connection profile click on Email, calendars and contacts IMAP, SMTP, Cal/CardDAV to download the Apple connection profile.
  2. You can open the file right on your device then open the System Preferences app and the Profiles icon should have a 1 beside it.
  3. Open the Profiles settings to install the profile.

Using Gmail

  1. Log into Gmail
  2. Go to Gmail settings, by navigating through these menus:
    (top-left) > Settings menu item > Accounts and Import tab
  3. Under "Send mail as", click "Add another email address".
    View Screenshot 🔎 Screenshot of Gmail settings page
  4. In the new popup, enter:
    • Name: e.g., Maria S (as will appear to email recipients)
    • Email address: e.g.,
    • Treat as alias: checked
      View Screenshot 🔎 Screenshot of new alias popup
  5. Click "Next", then:
    • SMTP Server: (auto-filled)
    • Port: 587 (auto-filled)
    • Username: e.g., (ignore auto-filled)
    • Password: [your password]
    • TLS: checked
      View Screenshot 🔎 Screenshot of new alias popup
  6. Click "Add Account".

We'll now send your first email to Mailinator, a cloud inbox that's helpful for email testing. Then you can confirm for yourself whether it works.

  1. Back in your Gmail inbox, click "Compose" to create a new email message.
  2. Click the "From" address, and select your new email address from the drop-down.
    View Screenshot 🔎 Screenshot of selecting new email alias
  3. Enter as the "To" address, add a short subject and message, and hit send!
  4. Visit the corresponding cloud inbox and confirm your message has arrived, it might take a few minutes.
    View Screenshot 🔎 Screenshot of Mailinator interface
  5. Once it's safely arrived, you're all set! Start sending email!
  6. Don't forget to email Infra WG as mentioned in onboarding email. 📤🎉

Expense Reimbursement

Employees should submit eligible expenses in the same quarter they are incurred. The Finance WG reviews submitted expenses before each pay period, and pays out reimbursement amounts on the next pay day.

Submitting an expense

  1. Upload the expense receipt to Employee Expense Receipts with file name xx-YYYY-MM-DD-title.ext where xx is the initials of the member, title describes the expense, and ext is the file extension, then make note of the URL.

  2. Open the Employee Expenses sheet and fill in a new row according to instructions in the sheet.

    • Date of Expense: [date on your receipt]
    • Employee: [employee to reimburse]
    • Description of Expense: [short description of what the expense is for]
    • Total Amount: [total receipt amount, including HST]
    • HST Amount: [total HST on the receipt]
    • Currency: [currency of the receipt] (default to CAD)
    • Exchange Rate: [currency exchange rate to CAD] (default to 1.000 for CAD, you can use the rate on your credit card statement or Bank of Canada rate on the receipt date)
    • Receipt Link: [link to uploaded receipt]
  3. That's it. Once finance approves the expense it will show up beside your name on the Employee Payroll sheet and you will be reimbursed in that pay period. The amount will not appear on your tax forms.

Approving an expense for reimbursement

For the Finance WG to approve an expense:

  1. Verify all expenses that do not have a Pay Period of Reimbursement selected.

  2. Select a Cost Center / Project and Pay Period of Reimbursement.

  3. Verify that the Total Amount (CAD) is added to the Reimbursement Summary sheet to the correct Pay Period of Reimbursement and Employee.

  4. Verify that the amount shows up correctly on the Expense Reimbursement column on Employee Payroll of the applicable pay period, so it gets entered into Wagepoint on the next payroll run.

  5. After reimbursements are paid out through Wagepoint, our bookkeeper will file the the amounts into expense accounts in Quickbooks Online based on the Posting Journals and Employee Expenses sheet.


Onboarding a member

When a new member or employee is about to start their position at Hypha, Operations will work set them up in the virtual office following the Onboarding materials and checklist.

Inactivating Membership

When members seek to go inactive they should do the following:

  1. Send an email to with notification of the change and the date you wish to become inactive and return (if known).

Operations then will work with Infrastructure to update appropriate permissions and access inline with our Working Open guidelines and offboarding checklist.


Prior to creating an invoice, confirm with the client whether they would like to pay in CAD, USD, EUR, or GBP, and in what country their financial institution is based, then proceed with the following steps.

Creating an invoice for a client

  1. Go to Quickbooks Online, open the Invoicing > Customers tab.

  2. If the client is not in the customer list, click New customer to create a new profile for the client.

  3. Click Create invoice on the client you wish to invoice, and use the following settings:

    • Cc.:
    • Terms: Net 15 (may vary by project)
    • Message on invoice: [Payment instructions] (e.g. Please pay USD 3,135.00)
    • Attachments: [Timesheet PDFs]
  4. At the bottom of the page, click Customize to select a style, or create a new style template as needed.

  5. If creating a new style template or the payment information needs to be changed, select the Content tab, click on the bottom section of the template preview to reveal the Add payment details and footer section, then enter the applicable payment information.

    For example:

     By ACH or domestic wire transfer to:
     ACH Transfer No. (ABA): 026073150
     Wire Transfer No. (ABA): 026073008
     Account No.: [REDACTED]
     Beneficiary Name: Hypha Worker Co-operative Inc.
     Beneficiary Address:
         19 W 24th Street
         New York
         United States
     Invoice amount will be adjusted to reflect actual exchange rate after payment.

    This is an invoice for a client based in the United States, payable in USD to our TransferWise account. Look at a previous invoice for examples.

    Review the invoice preview, then click Done.

  6. Fill in the line items and calculate totals. See example below.

    All invoices are in CAD, even if the customer is paying in a foreign currency. This means RATE and AMOUNT columns are in CAD, and if the contract is an hourly rate based on a foreign currency, you can include the information in the DESCRIPTION column, and use an estimated CAD equivalent in the RATE column and to calculate the AMOUNT.

  7. In the SALES TAX column, select one of HST ON, zero-rated, exempt, or out of scope for each line item. See example below.

  8. Review the invoice preview, then click Save and send to email the invoice to the client.

Software development for Jan 2020
(52.25 @ USD 60.00 = 3,135.00)
52.25 80.00 4,180.00 zero-rated
Software development for Feb 2020
(20.00 @ USD 60.00 = 1,200.00)
20.00 80.00 1,600.00 zero-rated

Settling an invoice payment

Once the client has paid the invoice, we must check the amount received at our receiving account at Desjardins (domestic) or TransferWise (foreign currency), and record the transaction in Quickbooks Online.


  1. After the money arrives to Desjardins, we need to update our records in Quickbooks Online:

    1. In the Banking tab, select our Chequing account and click Update to sync our Desjardins account.

    2. Find the transaction from the client and click on it, then select Find match to select the incoming transaction to match.

    3. If there is a discrepancy in the amounts, click the Resolve button and change CATEGORY to Bank charges, and GST/HST to Exempt (0%) since bank charges are exempt items, then click Save.

  2. Archive the PDF of the paid and finalized invoice in our shared drive under the Invoices directory with filename xxxx-project.pdf, where xxxx is the invoice number (e.g. 1001-aether.pdf).

Foreign Currency

  1. Confirm the correct amount is received, then convert the foreign currency to CAD. We can either move the money to the CAD balance in TransferWise, or if the amount is large, we can directly deposit the exchanged amount into our Desjardins account. The following example shows how to do that in a single transaction from TransferWise:

    1. Confirm that the invoice amount of 3,757.50 USD is received to our USD balance, then click Send USD.



    2. Choose My business and enter in our Desjardins account information for the deposit.



    3. Note the invoice number in the Reference field, then click Confirm and send.


      In this example, a client in the United States sent 3,757.50 USD to the Hypha USD account at TransferWise, and we deposited 4,904.11 CAD at the Hypha CAD account at Desjardins. The transaction and exchange fee was 20.61 USD, and the exchange rate was 1.31235.

      If invoice amounts are small, we may batch many of them in TransferWise before depositing to Desjardins, but we should still convert foreign currencies to CAD as soon as possible and hold the amount as CAD in our TransferWise CAD balance.

    4. In the USD balance, click on Download a statement and download a CSV file for the date range that includes the transaction(s). Open the file and multiply the amounts with the exchange rate column, then save.

  2. After the money arrives to Desjardins, we need to update our records in Quickbooks Online:

    1. Click on the invoice and add a line item that accommodates for the discrepancy in estimated and actual exchange rates.

      In our example where we deposited 4,904.11 CAD to Desjardins, if our invoice estimated a CAD AMOUNT of 4,950.00 CAD, we would record an Exchange rate adjustment @ 1.31235 line item with -45.89 as AMOUNT. Make sure you take the exchange rate from the TransferWise CSV.

    2. In the Banking tab, select our Chequing account and click Update to sync our Desjardins account. Find the transaction from TransferWise and click on it, and change the Category to TransferWise, change Tax code to Out of Scope (Sales) since this is an internal transfer, then click Add.

    3. In the Banking tab, select our TransferWise account to click File upload (down arrow next to Update) to update our TransferWise account. Browse and upload the TransferWise CSV we saved earlier, select TransferWise as the account, then click Next and enter the following:

      • Date: Column 2
      • Description: Column 5
      • Amount: Column 3

      Click Next twice, and then Yes to import.

    4. Find the transaction from the client and click on it, then select Find match to select the incoming transaction to match. There should be no discrepancy in the amounts.

    5. Find the transaction from our TransferWise account to Desjardins account, then select Find match. We expect a discrepancy in the amounts. Click the Resolve button and change CATEGORY to Bank charges, then click Save.

    6. If there is a discrepancy, click the Resolve button and change CATEGORY to Bank charges, and GST/HST to Exempt (0%) since bank charges are exempt items, then click Save.

  3. Archive the PDF of the paid and finalized invoice in our shared drive under the Invoices directory with filename xxxx-project.pdf, where xxxx is the invoice number (e.g. 1001-aether.pdf).

Issue Labels

We have specific GitHub repos (known as synced repos throughout this guide) configured to mirror all labels from the root hyphacoop/organizing, on each change to the root repo's labels. Though some of the below steps are more complicated than we'd ideally like, this is because the automation is cautious and won't delete any in-use labels (regardless of open/closed state), so nothing destructive will happen.

To manage the list of synced repos (e.g., ensuring a new repo starts having labels synced), add a new entry to LABEL_REPO_TARGETS in this configuration file and ensure @hyphacoop-bot has write-access to each synced repo.

To create a new label, just add it to the hyphacoop/organizing repo, and it will be added to others within a few minutes. (Sync events are logged in this issue as new comments for troubleshooting.)

To delete an existing label, search for the label you'd like to delete, like so. Our automation is cautious, and so will only delete labels from repos where it's NOT in use. For any repos represented in the search results, delete the label from that repo. Once no labelled issues show up, delete the label from hyphacoop/organizing, and anything else will be cleaned up. If you leave any issues labelled, the automation will simply do cleanup on its next run. As soon as a label is unused in a repo, the automation will remove it on the next run.

To rename an existing label (this one's a bit tricky), search for the label you'd like to rename, like so. Ignore hyphacoop/organizing for now, we'll save it for last. For every other repo where it's used, click the "repo" link, and visit the label page to manually rename. Lastly, rename the label in hyphacoop/organizing, and it will ensure the label is removed in any repos where it wasn't in-use. (Renaming is understood by the automation as a newly created label and a deleted label.)

To force a label sync, assuming you're impatient for it to do clean-up of unsued labels, slightly change a description or color of a label in hyphacoop/organizing.


Scheduling a meeting

Note: Consider whether this meeting might be a global interest to other members. Skip the steps below at your discretion for low-stakes topics.

  • Try to announce your intention to schedule a meeting on a topic and ask who's interested in participating. Allow at least 48 hours for people to respond.
  • Consider who might be most interested and what timing might work for them.
  • If 2-3 candidate timeslots feel obvious from looking at people's availabilities:
    • Reserve them all in Hypha calendar immediately, for example: HOLD: Infrastructure Meeting (Option 1)
    • Ask in chat whether anyone who wants to attend has any blocks on any of the options
  • If short-notice or speed of booking is important:
    • Claim an open HOLD :information_source: slot.
      • If time permits or topic isn't an all-hands matter, consider leaving the hold available for someone else
      • If claiming a hold, edit the calendar immediately and announce meeting in chat
  • If your must find a new timeslot:
    • Create a new poll (we currently use When2Meet)
    • Leave ample time for completion (ideally 1 week)
    • Check on non-responders in following days and send (gentle) reminders as needed

Hosting a meeting

  • Before the meeting...
    • create a stub agenda as soon as possible (can be done before scheduling)
    • add the agenda to the meetings index
    • update the organizational calendar as early as possible with candidate and finalized time slots progresses
    • mention the meeting time in chat, and link the agenda.
    • encourage migration of related actions, decisions and discussions into agenda from chat
  • During the meeting...
    • ask for agenda items (start of meeting)
    • facilitate discussion
    • keep time
    • call attention to action items, upcoming decisions and discussions
  • After the meeting...
    • add important dates/reminders to calendar
    • review and merge notes
    • update meeting index as best location changes (hackmd => review (PR) => file)
    • as needed, set up loomio threads and decisions
    • as needed, send reminders of action items
    • migrate action items into task tracker

Joining a BigBlueButton Call

💻 Desktop and 📱Mobile. Follow to our default conference platform.

🎤 Mic Selection - Some browsers (such as FireFox) you will ask you for your microphone selection at the same time the browser asks you for permission to use the microphone. Other browsers (such as Chrome) will not. In those cases you will have to proceed to the Echo Test and answer No to Do you hear audio?. This will bring up a dialog to change your mic input. 📞 Phone

  1. Ask a member already in the conference room for the pin number which is shown in the Public Chat area.
  2. Use the private dial-in number from our technical BigBlueButton documentation.
  3. After prompt, enter the pin number for the meeting
  4. Use the below number keys to change your settings

    • Press 0 to toggle mute and unmute
    • Increase your mic volume

      • 3 Talk Volume Up
      • 2 Talk Volume Zero (default)
      • 1 Talk Volume Down
    • Increase everyone else’s volume

      • 6 Listen Volume Up
      • 5 Listen Volume Zero (default)
      • 4 Listen Volume Down
    • Energy level is a threshold that dictates the level at which a person is determined to be speaking versus the background noise received.

      • 9 Energy Up
      • 8 Energy Zero (default)
      • 7 Energy Down


This guide describes how to use our payroll service provider, Wagepoint, to set up a payroll run for the pay period. You should have a completed Employee Payroll sheet for the pay period ready, which indicates the wage information for each Employee that you will need to enter into Wagepoint.

If this is the first time you use Wagepoint, please first review the Running your first payroll with Wagepoint - Canadavideo.

Running payroll

  1. Log into Wagepoint as a user with admin privileges.

  2. Visit the PAYROLL tab.

  3. Paygroup: Hit NEXT since we only have one monthly paygroup.


  4. Paydates: Set the pay cycle to cover the current month (e.g., March 1-31) and the Pay Date to be the 15th of the current month (e.g., March 15) or the last working day prior if the 15th happens to land on a holiday (e.g., March 13). During that period, we settle amounts owed up to the end of the previous month (e.g., Feb 29).


    Set the dates as per the above, and hit NEXT. Nothing is finalized until the last step, and you must hit SAVE/NEXT during each step to preserve "draft" progress.

  5. Hours: Hit SAVE/NEXT to skip since we currently do not use the Hourly pay type.

  6. Salary: Enter HOURS, CURRENT PAY, EXPENSE REIMBURSEMENT, and PUBLIC HOLIDAY PAY according to the Employee Payroll sheet for the pay period. Ensure that hours and pay line up, as these are the basis for ensuring legal minimum wage.

    The VACATION HRS for everyone is 0 due to our variable work hours and that annualized amounts will be paid out each pay period.

    In the PAY? column, select YES for any Employee who will be paid in this payroll.

    You can review past payrolls under the REPORTS tab.

  7. Process: Click VIEW ALL to verify each Employee's amount, and that we have sufficient funds in our bank account to pay the invoice total. Click APPROVE PAYROLL.

  8. Confirm: Confirm the payroll run for this pay period. It will be queued for processing and deposits to Employee accounts will happen on the Pay Date.

  9. Three working days ahead of the Pay Date, Wagepoint will withdraw funds from our bank account. After we receive a notification from Wagepoint that payroll reports are ready, we need to upload the following PDFs for our bookkeeper to update Quickbooks once per month:

Adding a new employee

  1. Log into Wagepoint as a user with admin privileges.

  2. Click the EMPLOYEES tab and then the ADD NEW EMPLOYEE button at the bottom right corner.

  3. Add stub details for new employee. Since we calculate wages per pay period outside of Wagepoint, set:

    • Pay Type: Yearly
    • Pay Rate: 0


  4. Return to the EMPLOYEES tab and click the Employee's name. You should now be on their profile, specifically THE PERSON tab, which you can fill out with info from our employee records.


    Fill out everything you can, but leave External ID blank.

  5. In the THE JOB tab, set up the Employee with the salaried method:

    • Pay Type: Yearly
    • Annual Salary: $0.00
    • Expected Hour per Week: 0.00
    • Job Title: No title
    • Department: Salary
    • Vacation will: be paid out each pay


  6. In the TAX INFO tab, set up the Employee's tax info based on the TD1 and TD1-ON forms they submitted. For example:


  7. In the DIRECT DEPOSIT tab, set up the bank account for direct deposit based on account information or a void cheque they submitted.

  8. Return to the "Employee" tab listing, and use the "mail" icon to send an invite to the Employee to Wagepoint.



Setting up an Initiative

An initiative proposal should be brief and provide and overview and argument and use the template. You can add more sections as appropriate, including sample code, project roadmap, etc. Examples can be found in our initives archive 🔒.

Once a proposal has been drafted and approved, the squad will set up a new initiative with support from the Operations squad

Leads, Opportunities & Client Proposals

While the Opportunities squad is mainly in charge of sales lead generation, all members may pursue leads as they come up. Members are strongly encouraged to record leads into the co-operative's leads tracking system whether or not we want to pursue this lead.

If a member decides to pursue a lead, they can reach out to gauge potential interest in working together. If the lead expresses intention to proceed with a concrete project in mind, this becomes an opportunity. The member now heads up this sales effort and drafts an Initiative Proposal with support from the Opportunities squad, then present it (e.g., at a meeting, or via virtual channels) to see whether the co-operative wants to move forward. In this meeting, we should discuss any concerns by other members, and gauge team capacity given project timelines.

An initiative proposal should be brief and provide and overview and argument and use the template for setting up an initiative.

Drafting and Submission

Proposals to be submitted to a potential client or grant committee should be drafted by members who will participate in the project with support from the Opportunities squad. The squad has expertise in drafting client and grant project proposals, and managing the proposal process, so it is helpful to involve members of that group from the drafting stage. All involved in the proposal drafting make up the initiative squad that will sign off on the final draft to be submitted.

If a proposal is accepted, this squad will lead the initial consultation meetings with the client (e.g. discuss terms of payment and project logistics), draft and sign a Client Agreement (see template). If a proposal fails, we encourage reaching out to the client or grant committee for feedback and holding an internal retrospective.

Regardless whether the proposal is successful, the squad should add a copy to the folder in our shared drive for future reference.

Sensitive Data

In general, most members prefer not to use third-party SaaS services, like Google Drive, for storing sensitive information.

We store short strings (like SINs or codes) as password entries in Passbolt. These entries should be shared with both a privileged group that needs access (e.g., Finance WG) and the individual.

If we must store sensitive docs (like PDFs) in a shared drive for convenience (e.g., Google Drive), we first encrypt them with a password. We keep this in Passbolt under the entry Shared Drive: Encrypted Files. All employees can access this password. Simpler encryption schemes are preferred, for example, default PDF encryption. We recommend any secured file.pdf be renamed to file.encrypted.pdf for easy discovery.

As a last resort for sensitive docs, a member can choose to have the document printed and stored in a folder in the office.


Signing internal documents

The Board of Directors uses PGP signatures to digitally sign resolutions. We recommend using the GnuPG command line, but you can also use the Keybase command line, to sign and verify resolutions.

  • Signing with GnuPG:

      $ gpg --sign --armor \
        --output \

    with Keybase:

      $ keybase pgp sign \
        --infile \
  • Verifying with GnuPG:

      $ gpg --verify

    with Keybase:

      $ keybase pgp verify \

The text of the signed document is embedded in the signature file, so you can drop any signature file into to verify a signature. For example, you can try verifying

Signing external documents

Members also use other tools such as HelloSign for signing client-facing documents.

See this related GitHub issue for an example of prior usage.

We use a custom shortlink service at It helps us:

  • resolve keywords to URLs from any computer,
  • make commonly used resources quickly and easily accessible,
  • simplify link-sharing in spoken conversations, and
  • align on shorthand keywords for resources.

Instructions on creating and managing shortlinks are available in our configuration repo under hyphacoop/shortlinks directory.

Hint: You can use a URL hash to deep-link into an expanded shortlink. Example:

Shortlinks work on their own in the address bar, but for even easier access on your own workstation, you can add a "custom search engine" keyword to your browser.

This allows you to type something like h<tab>shortlinks into the search bar, and get

Here's a screencast of how it works on Chrome:

screenshot of adding/using shortlinks as keywords with custom search
engine set in browser

Instructions: Chrome | Firefox (requires extension)


Members log their work hours using Clockify, and project timesheets may be generated to determine the invoice amount each period for some clients, and often for calculating member wages. This process is done using the Clockify Summary Report. Shared reports are found under Shared Reports.

Setting up a new project

When a project begins, generate a Summary Report for the project:

  1. Select the appropriate Client (and/or Project) and Billing filters timesheets-0

  2. Configure the table headings to Group by: Project > User > Description

  3. Click the share button to reveal the Share report dialog timesheets-1

  4. Name the report project_YYYYMM where YYYYMM indicates the first month the project is active, leave the Lock dates unlocked, and select the appropriate Visibility for the project

  5. You can now find the link to your project under Shared Reports

Generating project timesheets

  1. To generate timesheets, open the Shared Report for your project (e.g. meetcoop_202005) and export as PDF for the applicable report period (to be sent to client, if applicable)

  2. Timesheet PDFs sent to clients or for internal payroll calculation should be archived in our shared drive under the Timesheets directory

Virtual Machines

We use Proxmox to run our VMs. To access the management interface you need to SSH tunnel to on port 34634 or connect over the VPN.


Proxmox is the hypervisor that all the virtual machines run on. There are two ways of accessing the Proxmox servers management interface. An inventory of machines running on this server can be found in the inventory-private repo.

  • SSH tunnel

    1. Tunnel the web interface over SSH with ssh -p 34634 -L 8006:
    2. Access the panel using
    3. The username is root and enter the password in our shared password manager Passbolt
  • VPN (Recommended)

    1. Connect to OpenVPN (If you do not already have access please ping someone in the infra for the OpenVPN config file.)
    2. Access the panel using
    3. The username is root and enter the password in our shared password manager Passbolt

Jump server

To be able to ssh into the different virtual machines running on the infrastructure, authentication must be done via the jump server. This means you must first login to the jump server with your ssh key, and once there, you can use the keys on the jump server to connect and authenticate to the other virtual machines.

  • Connecting to staging Ansible1 (Our provisioning and jump server for staging machines) By default all members access to the production environment

    1. You'll need to ensure that your key has been added. You can do that by making a PR here.
    2. ssh sysadmin@ansible1.hypha.stg -p 8002 -i ~/.ssh/id_rsa (assuming ~/.ssh/id_rsa is your key you use to access Hypha's infra.)
    3. From there you can SSH into the backend systems using their .stg hostnames or directly with their IP address. The passphase for ~/.ssh/id_rsa is here
  • Connecting to production Ansible1 (Our provisioning and jump server for production machines) By default only members that have a need to access have permissions to log in to the production environment

    1. You'll need to ensure that your key has been added. You can do that by making a PR here.
    2. ssh -p 9154 -i ~/.ssh/id_rsa (assuming ~/.ssh/id_rsa is your key you use to access Hypha's infra.)
    3. From there you can SSH into the backend systems using their .prod hostnames or directly with their IP address. The passphase for ~/.ssh/id_rsa is here

Alternatively by adding a host profile for each hostname to ~/.ssh/config. Doing this, when you ssh to the hostname specified, it will automatically jump you through the jump server, and into the target server. Example of a profile that uses the ansible's keys below.

Host [[hostname]]
  RemoteCommand ssh %n
  User sysadmin
  Port 9154
  RequestTTY yes


Accessing Voicemail

We use a VoIP phone line provider with forwarding and voicemail from It helps us:

  • Have a phone number without tying it to a physical location
  • Receive voicemail by email to
  • Receive text messages (SMS) to common e-mail

To access voicemail inbox you can either call remotely or through a configured SIP client.

  • Remotely

    1. Call the number 4378876936
    2. Wait for the intro audio to finish followed by a 1 second pause
    3. When the audio resumes press *
    4. Listen and confirm you hear the prompt Extension 3101, password
    5. Enter our password followed by #:
  • SIP client: Dial *98

Managing Voicemail and Phone Forwarding

To record or update the voicemail greeting access the voicemail per above and select the following options:

  • 0 - Mailbox Options
  • 1 - Record your unavailable message


We use pfSense to manage OpenVPN users and gain access to internal resources and also provides internet access over a Canadian IP address.

Using the VPN

To use the VPN you require to have

  • an installed OpenVPN client on your device
  • a configuration file that is generated by pfsense. You will receive this from the member that sets up your account.
  • a username and password. This will be shared with you in Passbolt.

Adding OpenVPN users on pfSense

  • To add OpenVPN users on pfSense:

    1. Log in to pfSense panel by SSH tunneling or over the VPN
      • Recommanded to use VPN if you already have an VPN account
      • The pfSense panel can be accessed here
    2. Go to System -> User Manager
    3. Click + Add green button
    4. Enter the username, it should be ovpn_firstname
    5. Create a random strong password example: the output of dd if=/dev/urandom bs=1M count=100 | md5sum
    6. Tick Click to create a user certificate
    7. Create Certificate for user
      • Discriptive name: same as username
      • Certificate authority:
      • Key length: 4096
      • Lifetime: 3650
    8. Click Save
  • Exporting OpenVPN file:

    1. Log in to pfSense panel with instructions above
    2. Go to VPN -> OpenVPN
    3. Click on Client Export tab
    4. Select Remote Access Server VPN Access UDP4:13313
    5. Leaving all other settings untouched scroll down to OpenVPN Clients and click Most Clients under Inline Configurations beside the user you want to download.
    6. Send the OpenVPN file to user over encrypted means such as Signal or encrypted Matrix direct chat.
  • Deleting OpenVPN user on pfSense

    1. Go to System -> User Manager
    2. Delete the user(s)
    3. Log in to pfSense panel by SSH tunneling or over the VPN
    4. Go to System -> Cert. Manager
    5. Click on Certificate Revocation tab
    6. Click the ✏︎ beside Certificate Revocation
    7. Choose the ovpn_username you are removing
    8. Choose Reason and click + Add


1. Inspired by Enspiral Handbook: Guides

results matching ""

    No results matching ""