update admin docs
parent 12e9442ff5
commit d6cb8dcbb4
@ -11,103 +11,49 @@ category:
1. [adding users](#adding-users)
2. [backups](#backups)
3. [bypassing resource limits as services user](#bypassing-resource-limits)
4. [lxd](#lxd)
4. [runaway processes/excessive resource usage](#runaway-processes)

## adding users

> this is deprecated. use the new [makeuser](https://tildegit.org/team/makeuser/src/branch/bash-edition) script

1. generate a random password
```
pwgen -1B 15
```

1. create a new user account:
```
sudo adduser newusername
```

1. add their ssh pubkey:

```
echo "ssh pubkey from their signup email" | sudo tee /home/newusername/.ssh/authorized_keys
```

1. drop the requested username and generated password in the placeholder below. reply all so that other admins will know that it's been handled.

welcome mail template:

hey ~newusername,

welcome to tilde.team!

your new account has been established. you can ssh into tilde.team with
the ssh key you supplied on registration.

your password is "[[password]]". please change it when you log in for
the first time. the password is used for imap/smtp auth, not shell login,
which is set to only use ssh key authentication.

to get started, type `motd` at the command prompt to see a few ways to
get started. have fun!

the greatest value of tilde.team is not the services provided by the
server, but rather the interesting and welcoming community built by its
users. this is possible because of people like you who choose to make
this a great place. the best way you can help tilde.team is by working
to support a great system culture. chat on irc; build cool programs and
share them with others; focus on learning, and help others learn; be a
good example for others; have fun!

also, your ~/public_html directory is served at
https://tilde.team/~newusername/
(you can also use https://newusername.tilde.team)

check out our wiki at https://tilde.team/wiki/ for more information (and
maybe help us write a new wiki article:)

our irc is tilde.chat, an irc network connecting several
tilde servers. the `chat` command on your ~team shell will open up
weechat with some nice default configs and plugins.
see our wiki article (https://tilde.team/wiki/irc)
or https://tilde.chat site for information on how to connect from elsewhere.
we also have a webclient at https://irc.tilde.team that you can
register for by running the `webirc` command from a shell session.

we look forward to seeing you around! welcome to the ~team!

~tilde.team admins

> see the [makeuser](https://tildegit.org/team/makeuser) script's documentation


## backups

tilde.team uses [tarsnap](https://tarsnap.com) for backups and is configured to save 12 hourly backups, 7 daily backups, 6 weekly backups, and 2 years' worth of monthly backups.
tilde.team uses [borg](https://borgbackup.readthedocs.io/en/stable/) (via
[borgmatic](https://torsion.org/borgmatic)) for backups and is configured
to save 7 daily backups, 4 weekly backups, 6 monthly, and 1 yearly backup.
backups run once daily during the night.

to see a list of the backups:

```
sudo tarsnap --list-archives
```
sudo borgmatic list

to see general backup stats:

sudo borgmatic info

to restore a backup:

```
tarsnap -x -f name-of-backup
```
sudo borgmatic extract --archive <archive name> --progress --restore-path=/path/to/restore

we keep backups of:
* `/home`
* `/etc`
* `/var` (excluding `/var/log` and `/var/lib/lxd`)
* mysql and postgres databases (dumped before each backup run)
* [nextcloud](https://cloud.tilde.team/) data
* [tildegit](https://tildegit.org) database and repos
* `/var/spool/cron` - your crontabs
* `/tilde` - user-submitted scripts
* [mailman3](https://lists.tildeverse.org) list and archive data

see the [tarsnap documentation](https://www.tarsnap.com/usage.html) for more information.

## bypassing resource limits

(by [~khuxkm](https://khuxkm.tilde.team/))

So occasionally, when you're working with the services user, you'll run into "error: fork: retry: Resource temporarily unavailable" errors.
So occasionally, when you're working with the services user, you'll run into
"error: fork: retry: Resource temporarily unavailable" errors.

Here's how to fix it:
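Review bot: the new borg commands in the backups section (`sudo borgmatic list`, `sudo borgmatic info` and the `sudo borgmatic extract ...` line) are left as bare prose while the tarsnap commands they replace sit inside ``` fences; wrap them the same way so they render as commands. On the restore line, please check that `--restore-path=/path/to/restore` is the intended flag: the placeholder reads like a destination directory, and the restore step should say where the extracted files end up (and that the admin should extract into a scratch directory rather than over the live `/etc` or `/home`), since an unqualified extract lands in the current working directory. If the closing "see the tarsnap documentation" link survives this change it is now stale and should point at the borg/borgmatic docs instead.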
@ -120,74 +66,17 @@ Here's how to fix it:
07:12 <~khuxkm> then exit the bash session


## lxd
## runaway processes

> we're not provisioning lxd containers for users at this time
if a user consistently uses a lot of resources, send them a note via email
to request that they mind their usage levels. if they fail to respond within
a day or two, feel free to kill the process by pid or with `killall`. if they
resume using excessive resources and haven't responded to communications, then
feel free to lock them out by changing their shell to `/usr/sbin/nologin`.

this is the process that i use to create lxd containers for users.
sudo chsh -s /usr/sbin/nologin <username>

you need two things from the user: an ssh public key (on their ~team shell) and a [distro choice](https://us.images.linuxcontainers.org/)
don't forget to kill their existing session with:

sudo loginctl terminate-user <username>

1. create the container
```
# debian
lxc launch images:debian/stretch <username>
# ubuntu
lxc launch ubuntu: <username>
```

1. make sure the container has an sshd running
```
lxc exec <username> bash
# might have to adjust this if the image is not a debian-derivative
root@<username> $ apt install openssh-server
```

1. copy the user's ssh pubkey to root on the container
```
lxc exec <username> bash
mkdir -m 700 .ssh
echo "pubkey" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```

> now the user can run `ssh root@<username>.lxd` to get a shell inside their container
> the .lxd dns resolver is provided by the lxd daemon itself through dnsmasq

### make the container public

> check with the user and find out what they want the container to be available as (which domain)
> nginx matches concrete `server_name`s first, so you can replace the `*.tilde.team` match

1. copy user-lxd.template
```
cd /etc/nginx/sites-available
sudo cp user-lxd.template <username>.tilde.team
sudo vim <username>.tilde.team
```

1. replace the username
```
:%s/<user>/<username>/g
:wq
```

1. enable the vhost
```
cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/<username>.tilde.team .
```

1. reload nginx
```
# make sure the configs look ok
sudo nginx -t
sudo service nginx reload
```

bam! now `<username>.tilde.team` will forward requests to the container.

make sure that the user is running some kind of webserver on port 80 inside the container!

feel free to add other configs to their vhost or use any of the other [tildepage domains](tildepages)
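Review bot: in the runaway processes section, `sudo chsh -s /usr/sbin/nologin <username>` and `sudo loginctl terminate-user <username>` are bare prose lines; put each in a ``` fence like the rest of the doc's commands. The lockout step would also benefit from one sentence on what a `nologin` shell does and does not block: it refuses interactive shell logins, but an ssh key that is still in `authorized_keys` can be used for sessions that request no shell (port forwarding, for example) unless sshd is configured to forbid that, so a full lockout should also disable the key or expire the account. On the line "kill the process by pid or with `killall`", note that `killall <name>` run as root matches every user's processes of that name; suggest `killall -u <username> <name>` (or `pkill -u <username>`) so only the offending user's processes are hit.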