vilmibm / puppet-tilde

a puppet module for setting up a tilde style server

License: GNU General Public License v3.0

Puppet 17.41% HTML 67.57% Shell 10.90% Vim Script 4.12%

puppet-tilde's Introduction

puppet-tilde

This is an experimental, alpha Puppet module for setting up an Ubuntu server in the style of tilde.club.

What is in master is generally guaranteed to have been tested casually on an AWS EC2 micro running Ubuntu 14.04 at tilde.town, but aside from that, there are no guarantees about the code. YMMV. I'm trying to keep the README up to date as I change things / add features.

Installation

All of these steps assume you are running as the root user.

  • Install the puppet and puppetmaster packages (they can be on the same server). 3.4.x+ is required.
  • puppet module install jfryman-nginx -v 0.0.10 (must install v0.0.10, see here)
  • apt-get install -y puppetmaster puppet.
  • puppet module install camptocamp-postfix
  • Set up hiera:
      • add a hiera.yaml to /etc/puppet/
      • ln -s /etc/puppet/hiera.yaml /etc/hiera.yaml
      • mkdir /etc/puppet/hieradata
      • add and configure common.yaml to /etc/puppet/hieradata/
  • cd /etc/puppet/modules
  • apt-get install -y git-core
  • git clone https://github.com/nathanielksmith/puppet-tilde.git tilde
  • git clone https://github.com/nathanielksmith/puppet-ngircd ngircd
  • edit site.pp and save to /etc/puppet/manifests/site.pp
  • puppet agent -t --server={your_tilde_host_name}

Adding Users

To add users to your tilde server, add them to your common.yaml (or whatever) like so:

tilde::users:
  vilmibm:
    pubkey: '...'
  cmr:
    pubkey: '...'
  datagrok:
    pubkey: '...'

The module purges any non-system users not managed by Puppet; in other words, to ban a user, simply delete them from the tilde::users hash in common.yaml.

You can also specify pubkey_type in the user hash if the user is fancy and not using ssh-rsa. The supported types are whatever is supported by Puppet's authorized key type.

Password based logins are not currently supported. You'll have to manually enable that if you want it.
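
A pre-flight check for the tilde::users hash described above, as an added example that is not part of the puppet-tilde module: it flags entries whose pubkey does not decode as an SSH key body or whose embedded key type disagrees with pubkey_type, and lists local accounts missing from the hash, which the purge would remove. It assumes pubkey holds only the base64 key body, pubkey_type holds the full SSH type name, and "non-system" means a UID in 1000..60000; the hiera data and passwd lines are constructed samples.

```ruby
require 'yaml'
require 'base64'
# Constructed sample data (not from the project): a syntactically valid ssh-ed25519 key body.
ED25519_BODY = Base64.strict_encode64([11].pack('N') + 'ssh-ed25519' + [32].pack('N') + "\x01" * 32)
SAMPLE_HIERA = <<~YAML
  tilde::users:
    alice:
      pubkey: '#{ED25519_BODY}'
      pubkey_type: 'ssh-ed25519'
    bob:
      pubkey: '#{ED25519_BODY}'
    carol:
      pubkey: 'not base64!'
YAML
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  alice:x:1000:1000::/home/alice:/bin/bash
  dave:x:1001:1001::/home/dave:/bin/bash
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
PASSWD

# Key type named inside an SSH public key body, or nil if the body is malformed.
def embedded_key_type(body)
  blob = Base64.strict_decode64(body.to_s)
  len = blob.unpack1('N') # first field: 4-byte big-endian length of the type string
  return nil if len.nil? || len.zero? || blob.bytesize < 4 + len
  blob.byteslice(4, len)
rescue ArgumentError
  nil
end

# Users whose pubkey is unusable or disagrees with pubkey_type (ssh-rsa when unset).
def key_problems(users)
  users.each_with_object({}) do |(name, attrs), out|
    want = (attrs || {}).fetch('pubkey_type', 'ssh-rsa')
    got = embedded_key_type((attrs || {})['pubkey'])
    out[name] = 'pubkey is not a valid SSH key body' if got.nil?
    out[name] = "pubkey_type #{want} but key is #{got}" if got && got != want
  end
end

# Local accounts in the regular-UID range that are absent from the hash.
# ASSUMPTION: 1000..60000 stands in for "non-system"; the page does not state the module's cut-off.
def purge_candidates(users, passwd_text, uid_range = 1000..60000)
  rows = passwd_text.each_line.map { |l| l.chomp.split(':') }
  rows.select { |f| uid_range.cover?(f[2].to_i) }.map(&:first) - users.keys
end

users = YAML.safe_load(SAMPLE_HIERA).fetch('tilde::users')
p key_problems(users), purge_candidates(users, SAMPLE_PASSWD)
```

Run it against the real common.yaml and /etc/passwd before an agent run to see which accounts a hiera edit would lock out or remove.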

/etc/skel

/etc/skel is managed as a set of files in the module. If you'd like to modify these, make a local branch on the module and edit away. You can add or remove files from the directory (note, old users will not retroactively get changes to /etc/skel).

Nginx

Currently, the module looks for tilde::hostname (e.g. tilde.town or tilde.farm or drawbridge.club) and sets up an Nginx virtual host with:

  • a homepage for your tilde server (/var/www/<your domain>/index.html)
  • user directories (/~<username>) which map to /home/<username>/public_html
  • server names $hostname and www.$hostname
  • IMPORTANT: Make sure port 80 is open for your server.

IRC

The module sets up ngircd for you.

  • localhost only
  • irc alias added to users' .bashrc file.
  • per-user irssi configuration; this will auto-connect to the server and auto-join #<hostname>, where hostname is a .-less string substitution of the hostname you specified as tilde::hostname.

It does not set up an operator. IRC governance is up to the autonomous collective to determine.

Mail

The module sets up postfix for you. Just like tilde.club, it's local mail only. Alpine and mutt are installed by default.

MotD

There is basic Message of the Day support. To customize the motd, make a branch of the checked out puppet module and edit templates/motd.erb. The default template just has a basic cowsay with a few instructions (and shows your server's hostname).

A motd alias that just runs cat /etc/motd is also added by the aliases file in /etc/skel.

NNTP (Usenet)

The program inn2 is set up and configured for local access. The clients slrn, tin, and alpine are all installed by default. In order to transfer news with peers, you must enable both inbound and outbound traffic on TCP port 119 (for EC2 users, this may mean editing your security groups, for others it may mean editing iptables rules).

IMPORTANT: Make sure port 119 is open for your server.

IMPORTANT: Refer to the example common.yaml file to see how to configure newsgroups/peers. No groups are configured by default.

Quota support

This module enables 3mb user quotas for all non-system users. You'll need to add the usrquota option to your / mount with something like this in your site.pp, though, for it to work:

mount { '/':
    ensure  => 'mounted',
    device  => 'LABEL=cloudimg-rootfs',
    dump    => '0',
    fstype  => 'ext4',
    options => 'defaults,discard,usrquota',
    pass    => '0',
    target  => '/etc/fstab',
}

If you do not want disk quotas, include the tilde class like this in your site.pp:

class { 'tilde':
    use_quota => false,
}

Or configure common.yaml with:

tilde::use_quota: false

TODO

  • A "customization" section in this README on how to modify things like the server's homepage or /etc/skel.
  • Flags for switching on/off various services from common.yaml (if you don't want NNTP, for example).

Authors

License

This module is licensed under the terms of the GNU General Public License version 3 (GPLv3).

puppet-tilde's People

Contributors

audiodude, croddy, delfuego, jamtur01, vilmibm

puppet-tilde's Issues

ngircd and charybdis do NOT appear to be able to talk to each other

I just wanted to let you know that in my hour-plus of testing tonight, I am unable to get ngircd to talk server-to-server with charybdis, no matter what I try (and with extensive on-the-wire debugging to see if I could figure out where the negotiation was breaking down). So ultimately, this means that so far as I can tell, the IRC daemon you're including in this puppet config won't talk to the IRC daemon running on tilde.club.

Figured you'd want to know.

[ENHANCEMENT] Come say hello to tilde.club if you ever want to

You guys are doing great work and it's fun to follow along. There's no hurry or pressure but if you ever want to collaborate directly with the tilde.club sysops along these lines please ping us. In particular @delfuego and @reppep are doing a lot of coordination, and @dphiffer is doing a lot of thinking about small hardware devices plugged into unexpected places.

As more machines come online as public servers (four or five so far) it'd be good to be able to speak about a baseline "default" tilde.club.

custom hiera backend

yaml is getting unwieldy for hundreds of users. something like sqlite would be awesome. seems like a custom backend would need to be written via ruby tho.

Error must pass users to class[tilde]

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Must pass users to Class[Tilde] at /etc/puppet/manifests/site.pp:12 on node nodename.net

This is what I get no matter what version of Ubuntu I have used. Tried on 14.04.5 as well as 16.04.

getaddrinfo

When I run the agent, I get this error. Not sure what's wrong.

λ aether ~ → sudo puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: getaddrinfo: Name or service not known
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: getaddrinfo: Name or service not known
Wrapped exception:
getaddrinfo: Name or service not known
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': getaddrinfo: Name or service not known
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: getaddrinfo: Name or service not known
Wrapped exception:
getaddrinfo: Name or service not known
Error: Could not retrieve catalog from remote server: getaddrinfo: Name or service not known
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: getaddrinfo: Name or service not known

Nginx configuration: enable cross-origin requests?

See tildeclub/tilde.club#80

TL;DR: tilde.town serves only static content so it's safe to add the header to every HTTP response (or to only .txt and .json responses to save a teensy bit of bandwidth):

Access-Control-Allow-Origin: *

Which will allow JavaScript widgets on any other website to use $.getJSON() and other XHR style requests to retrieve content hosted on tilde.town.

documentation in puppet-tilde.wiki

I'm going to open this item to track progress of documenting puppet-tilde in a little more depth, using the github puppet-tilde.wiki to track down system-level documentation about components (admin docs, not user docs). I see that as a complement to the user docs I'm working on the tilde.club.wiki (which is coming along nicely, btw).

Multiple authorized_keys

As it stands, a user can only have one key (the default) in ~/.ssh/authorized_keys. Otherwise it gets overwritten when puppet does whatever it does.

Not too important, though. I mean, it even says it's "definitely not recommended" to manage the file manually, but I did it anyway. I only have myself to blame!

audit dot files

we're only providing a basic .bashrc and .vimrc. Consider .tmux and friends as well.

default /etc/profile should not try to source bash scripts for non-bash shells

Currently:

$ exec ksh --login
/etc/profile[26]: .[94]: local: not found [No such file or directory]
/etc/profile[26]: .[95]: local: not found [No such file or directory]
$

This is because /etc/profile.d/Z99-cloud-locale-test.sh (which comes from the distro) uses 'local', which is a bashism. Probably all these scripts should run only for bash-compatible shells if the distro thinks /bin/sh is /bin/bash anyway.

Make puppet stop messing with my ~/.ssh/authorized_keys

When I modify my authorized_keys file, puppet overwrites my changes (even if there's only a single key in there.)

I think that puppet should not assume responsibility for making modifications to any files in any user's $HOME after the initial setup. But if you disagree, could we provide a flag or something that I might set to tell puppet not to ever mess with my $HOME?
