fosslinux
/
tilde.team
forked from team/site
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

update admin docs

This commit is contained in:
Ben Harris 2019-09-02 19:51:32 -04:00
parent 12e9442ff5
commit d6cb8dcbb4
1 changed files with 29 additions and 140 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

169
wiki/pages/administration.md
View File

@ -11,103 +11,49 @@ category:
1. [adding users](#adding-users)
2. [backups](#backups)
3. [bypassing resource limits as services user](#bypassing-resource-limits)
4. [lxd](#lxd)
4. [runaway processes/excessive resource usage](#runaway-processes)
## adding users
> this is deprecated. use the new [makeuser](https://tildegit.org/team/makeuser/src/branch/bash-edition) script
1. generate a random password
```
pwgen -1B 15
```
1. create a new user account:
```
sudo adduser newusername
```
1. add their ssh pubkey:
```
echo "ssh pubkey from their signup email" | sudo tee /home/newusername/.ssh/authorized_keys
```
1. drop the requested username and generated password in the placeholder below. reply all so that other admins will know that it's been handled.
welcome mail template:
hey ~newusername,
welcome to tilde.team!
your new account has been established. you can ssh into tilde.team with
the ssh key you supplied on registration.
your password is "[[password]]". please change it when you log in for
the first time. the password is used for imap/smtp auth, not shell login,
which is set to only use ssh key authentication.
to get started, type `motd` at the command prompt to see a few ways to
get started. have fun!
the greatest value of tilde.team is not the services provided by the
server, but rather the interesting and welcoming community built by its
users. this is possible because of people like you who choose to make
this a great place. the best way you can help tilde.team is by working
to support a great system culture. chat on irc; build cool programs and
share them with others; focus on learning, and help others learn; be a
good example for others; have fun!
also, your ~/public_html directory is served at
https://tilde.team/~newusername/
(you can also use https://newusername.tilde.team)
check out our wiki at https://tilde.team/wiki/ for more information (and
maybe help us write a new wiki article:)
our irc is tilde.chat, an irc network connecting several
tilde servers. the `chat` command on your ~team shell will open up
weechat with some nice default configs and plugins.
see our wiki article (https://tilde.team/wiki/irc)
or https://tilde.chat site for information on how to connect from elsewhere.
we also have a webclient at https://irc.tilde.team that you can
register for by running the `webirc` command from a shell session.
we look forward to seeing you around! welcome to the ~team!
~tilde.team admins
> see the [makeuser](https://tildegit.org/team/makeuser) script's documentation
## backups
tilde.team uses [tarsnap](https://tarsnap.com) for backups and is configured to save 12 hourly backups, 7 daily backups, 6 weekly backups, and 2 years' worth of monthly backups.
tilde.team uses [borg](https://borgbackup.readthedocs.io/en/stable/) (via
[borgmatic](https://torsion.org/borgmatic)) for backups and is configured
to save 7 daily backups, 4 weekly backups, 6 monthly, and 1 yearly backup.
backups run once daily during the night.
to see a list of the backups:
```
sudo tarsnap --list-archives
```
sudo borgmatic list
to see general backup stats:
sudo borgmatic info
to restore a backup:
```
tarsnap -x -f name-of-backup
```
sudo borgmatic extract --archive <archive name> --progress --restore-path=/path/to/restore
we keep backups of:
* `/home`
* `/etc`
* `/var` (excluding `/var/log` and `/var/lib/lxd`)
* mysql and postgres databases (dumped before each backup run)
* [nextcloud](https://cloud.tilde.team/) data
* [tildegit](https://tildegit.org) database and repos
* `/var/spool/cron` - your crontabs
* `/tilde` - user-submitted scripts
* [mailman3](https://lists.tildeverse.org) list and archive data
see the [tarsnap documentation](https://www.tarsnap.com/usage.html) for more information.
## bypassing resource limits
(by [~khuxkm](https://khuxkm.tilde.team/))
So occasionally, when you're working with the services user, you'll run into "error: fork: retry: Resource temporarily unavailable" errors.
So occasionally, when you're working with the services user, you'll run into
"error: fork: retry: Resource temporarily unavailable" errors.
Here's how to fix it:
@ -120,74 +66,17 @@ Here's how to fix it:
07:12 <~khuxkm> then exit the bash session
## lxd
## runaway processes
> we're not provisioning lxd containers for users at this time
if a user consistently uses a lot of resources, send them a note via email
to request that they mind their usage levels. if they fail to respond within
a day or two, feel free to kill the process by pid or with `killall`. if they
resume using excessive resources and haven't responded to communications, then
feel free to lock them out by changing their shell to `/usr/sbin/nologin`.
this is the process that i use to create lxd containers for users.
sudo chsh -s /usr/sbin/nologin <username>
you need two things from the user: an ssh public key (on their ~team shell) and a [distro choice](https://us.images.linuxcontainers.org/)
don't forget to kill their existing session with:
sudo loginctl terminate-user <username>
1. create the container
```
# debian
lxc launch images:debian/stretch <username>
# ubuntu
lxc launch ubuntu: <username>
```
1. make sure the container has an sshd running
```
lxc exec <username> bash
# might have to adjust this if the image is not a debian-derivative
root@<username> $ apt install openssh-server
```
1. copy the user's ssh pubkey to root on the container
```
lxc exec <username> bash
mkdir -m 700 .ssh
echo "pubkey" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```
> now the user can run `ssh root@<username>.lxd` to get a shell inside their container
> the .lxd dns resolver is provided by the lxd daemon itself through dnsmasq
### make the container public
> check with the user and find out what they want the container to be available as (which domain)
> nginx matches concrete `server_name`s first, so you can replace the `*.tilde.team` match
1. copy user-lxd.template
```
cd /etc/nginx/sites-available
sudo cp user-lxd.template <username>.tilde.team
sudo vim <username>.tilde.team
```
1. replace the username
```
:%s/<user>/<username>/g
:wq
```
1. enable the vhost
```
cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/<username>.tilde.team .
```
1. reload nginx
```
# make sure the configs look ok
sudo nginx -t
sudo service nginx reload
```
bam! now `<username>.tilde.team` will forward requests to the container.
make sure that the user is running some kind of webserver on port 80 inside the container!
feel free to add other configs to their vhost or use any of the other [tildepage domains](tildepages)