From d6cb8dcbb48fe5a6d6164c1fa018dce7c878651a Mon Sep 17 00:00:00 2001 From: Ben Harris Date: Mon, 2 Sep 2019 19:51:32 -0400 Subject: [PATCH] update admin docs --- wiki/pages/administration.md | 169 ++++++----------------------------- 1 file changed, 29 insertions(+), 140 deletions(-) diff --git a/wiki/pages/administration.md b/wiki/pages/administration.md index 0b2831e..403ba2a 100644 --- a/wiki/pages/administration.md +++ b/wiki/pages/administration.md 
@@ -11,103 +11,49 @@ category: 1. [adding users](#adding-users) 2. [backups](#backups) 3. [bypassing resource limits as services user](#bypassing-resource-limits) - 4. [lxd](#lxd) + 4. [runaway processes/excessive resource usage](#runaway-processes) ## adding users -> this is deprecated. use the new [makeuser](https://tildegit.org/team/makeuser/src/branch/bash-edition) script - -1. generate a random password - ``` - pwgen -1B 15 - ``` - -1. create a new user account: - ``` - sudo adduser newusername - ``` - -1. add their ssh pubkey: - - ``` - echo "ssh pubkey from their signup email" | sudo tee /home/newusername/.ssh/authorized_keys - ``` - -1. drop the requested username and generated password in the placeholder below. reply all so that other admins will know that it's been handled. - -welcome mail template: - - hey ~newusername, - - welcome to tilde.team! - - your new account has been established. you can ssh into tilde.team with - the ssh key you supplied on registration. - - your password is "[[password]]". please change it when you log in for - the first time. the password is used for imap/smtp auth, not shell login, - which is set to only use ssh key authentication. - - to get started, type `motd` at the command prompt to see a few ways to - get started. have fun! - - the greatest value of tilde.team is not the services provided by the - server, but rather the interesting and welcoming community built by its - users. this is possible because of people like you who choose to make - this a great place. the best way you can help tilde.team is by working - to support a great system culture. chat on irc; build cool programs and - share them with others; focus on learning, and help others learn; be a - good example for others; have fun! 
- - also, your ~/public_html directory is served at - https://tilde.team/~newusername/ - (you can also use https://newusername.tilde.team) - - check out our wiki at https://tilde.team/wiki/ for more information (and - maybe help us write a new wiki article:) - - our irc is tilde.chat, an irc network connecting several - tilde servers. the `chat` command on your ~team shell will open up - weechat with some nice default configs and plugins. - see our wiki article (https://tilde.team/wiki/irc) - or https://tilde.chat site for information on how to connect from elsewhere. - we also have a webclient at https://irc.tilde.team that you can - register for by running the `webirc` command from a shell session. - - we look forward to seeing you around! welcome to the ~team! - - ~tilde.team admins - +> see the [makeuser](https://tildegit.org/team/makeuser) script's documentation ## backups -tilde.team uses [tarsnap](https://tarsnap.com) for backups and is configured to save 12 hourly backups, 7 daily backups, 6 weekly backups, and 2 years' worth of monthly backups. +tilde.team uses [borg](https://borgbackup.readthedocs.io/en/stable/) (via +[borgmatic](https://torsion.org/borgmatic)) for backups and is configured +to save 7 daily backups, 4 weekly backups, 6 monthly, and 1 yearly backup. +backups run once daily during the night. 
to see a list of the backups: -``` -sudo tarsnap --list-archives -``` + sudo borgmatic list + +to see general backup stats: + + sudo borgmatic info to restore a backup: -``` -tarsnap -x -f name-of-backup -``` + sudo borgmatic extract --archive --progress --restore-path=/path/to/restore we keep backups of: * `/home` * `/etc` -* `/var` (excluding `/var/log` and `/var/lib/lxd`) +* mysql and postgres databases (dumped before each backup run) +* [nextcloud](https://cloud.tilde.team/) data +* [tildegit](https://tildegit.org) database and repos +* `/var/spool/cron` - your crontabs +* `/tilde` - user-submitted scripts +* [mailman3](https://lists.tildeverse.org) list and archive data -see the [tarsnap documentation](https://www.tarsnap.com/usage.html) for more information. ## bypassing resource limits (by [~khuxkm](https://khuxkm.tilde.team/)) -So occasionally, when you're working with the services user, you'll run into "error: fork: retry: Resource temporarily unavailable" errors. +So occasionally, when you're working with the services user, you'll run into +"error: fork: retry: Resource temporarily unavailable" errors. Here's how to fix it: 
@@ -120,74 +66,17 @@ Here's how to fix it: 07:12 <~khuxkm> then exit the bash session -## lxd +## runaway processes -> we're not provisioning lxd containers for users at this time +if a user consistently uses a lot of resources, send them a note via email +to request that they mind their usage levels. if they fail to respond within +a day or two, feel free to kill the process by pid or with `killall`. if they +resume using excessive resources and haven't responded to communications, then +feel free to lock them out by changing their shell to `/usr/sbin/nologin`. -this is the process that i use to create lxd containers for users. + sudo chsh -s /usr/sbin/nologin -you need two things from the user: an ssh public key (on their ~team shell) and a [distro choice](https://us.images.linuxcontainers.org/) +don't forget to kill their existing session with: + sudo loginctl terminate-user -1. create the container - ``` - # debian - lxc launch images:debian/stretch - # ubuntu - lxc launch ubuntu: - ``` - -1. make sure the container has an sshd running - ``` - lxc exec bash - # might have to adjust this if the image is not a debian-derivative - root@ $ apt install openssh-server - ``` - -1. copy the user's ssh pubkey to root on the container - ``` - lxc exec bash - mkdir -m 700 .ssh - echo "pubkey" >> ~/.ssh/authorized_keys - chmod 600 ~/.ssh/authorized_keys - ``` - -> now the user can run `ssh root@.lxd` to get a shell inside their container -> the .lxd dns resolver is provided by the lxd daemon itself through dnsmasq - -### make the container public - -> check with the user and find out what they want the container to be available as (which domain) -> nginx matches concrete `server_name`s first, so you can replace the `*.tilde.team` match - -1. copy user-lxd.template - ``` - cd /etc/nginx/sites-available - sudo cp user-lxd.template .tilde.team - sudo vim .tilde.team - ``` - -1. replace the username - ``` - :%s///g - :wq - ``` - -1. 
enable the vhost - ``` - cd /etc/nginx/sites-enabled - sudo ln -s ../sites-available/.tilde.team . - ``` - -1. reload nginx - ``` - # make sure the configs look ok - sudo nginx -t - sudo service nginx reload - ``` - -bam! now `.tilde.team` will forward requests to the container. - -make sure that the user is running some kind of webserver on port 80 inside the container! - -feel free to add other configs to their vhost or use any of the other [tildepage domains](tildepages)
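Review bot: in the first hunk's restore example, `sudo borgmatic extract --archive --progress --restore-path=/path/to/restore` leaves `--archive` without an archive name, so the command as written will not run; write it with a placeholder such as `--archive <archive-name-from-borgmatic-list>`. The text should also say whether `--restore-path` is the path inside the archive to extract or the directory to extract into, since the two are easy to confuse and extracting `/home` or `/etc` over a live system is destructive; a sentence on restoring into a scratch directory first would help. The section also never says where the borg repository and its passphrase/key are kept, which a restore after a disk loss depends on.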
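Review bot: both commands in the second hunk's new "runaway processes" section are missing the username argument: `sudo chsh -s /usr/sbin/nologin` acts on the invoking account, which under sudo is root, so it would lock root's shell rather than the user's, and `sudo loginctl terminate-user` fails without a user; write them as `sudo chsh -s /usr/sbin/nologin <username>` and `sudo loginctl terminate-user <username>`. The advice to kill "with `killall`" also needs a scope: `killall` matches by process name and under sudo hits every user's processes of that name, so suggest `sudo killall -u <username> <name>` or `sudo pkill -u <username>` instead, and note that terminating the login session does not stop cron jobs or detached processes, so a `ps -u <username>` check after locking the account belongs in the procedure.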