Unicorn
Revision as of 20:16, 5 August 2019
Unicorn is a homage to our long dead server, formerly known as Stallion.
It has no guaranteed uptime or functionality; it is up to you to keep the services you want running, running. Like a stallion.
This utility server has 4 cores, 24 GB RAM, 120 GB SSD storage and 12 TB bandwidth.
Volunteers are warmly encouraged to set up and maintain it! Please contact us via the main Noisebridge Discussion Mailing List.
Services
Unicorn currently hosts:
- https://noisebridge.info/ - Unicorn homepage
- https://status.noisebridge.info/ - Checkup is a status page and associated service that notifies us in Slack if one of our services goes down! Blog post describing setup is located here.
  - To add new health checks for other services, edit /home/noisebridge/services/checkup/checkup.json. See the configuration file here on our GitHub.
- https://minio.noisebridge.info/ - Minio instance (S3-compatible storage)
  - Ask @elimisteve for the auth keys needed for login
- https://discuss.noisebridge.info/ - Discourse instance (discussion forums)
- https://gossip.noisebridge.info/ - Secure Scuttlebutt - asynchronous p2p network
- https://test-discuss.noisebridge.info - testing instance of Discourse so we can mess with upgrades and plugins.
- https://chat.noisebridge.info/ - Rocket.chat instance (to replace our Slack!)
- https://leapchat.noisebridge.info/ - LeapChat instance (ephemeral encrypted Slack in your browser!)
  - Visit https://leapchat.noisebridge.info/ -> Get redirected to new end-to-end encrypted room
  - Messages disappear after 90 days
  - Was largely built at Noisebridge, by @elimisteve and other volunteers
  - Contribute here (AGPLv3): https://github.com/cryptag/leapchat
- https://projects.noisebridge.info - this is a placeholder for a project management solution, currently a few are under review
- https://login.noisebridge.info - basic SSO for guarding services w/o their own account system (uses the Noisebridge Slack as the identity provider)
- https://printprintprint.noisebridge.info - remote access to the OctoPrint instance driving our Creality CR-10 3D printer
System Info
- Homepage URL: noisebridge.info
- IP: 172.93.55.252
- OS: Debian 9 x86_64
- Web server: Nginx is running on ports 80 and 443
- Domains: Current domains and subdomains hosted on this server: (see /etc/nginx/sites-enabled/*)
- DNS: all *.noisebridge.info subdomains point to this server, as does the naked domain (noisebridge.info)
- SSL: certbot runs every day to renew certs for all (sub)domains it knows about
  - ...but to manually renew, run `$ /home/noisebridge/bin/recert; sudo service nginx restart`
- To add a new service at, say, somethingcool.noisebridge.info...
  - Create a file similar to /etc/nginx/sites-available/noisebridge.info called /etc/nginx/sites-available/somethingcool.noisebridge.info
  - Run `sudo ln -s /etc/nginx/sites-available/somethingcool.noisebridge.info /etc/nginx/sites-enabled/somethingcool.noisebridge.info; sudo nginx -t`
  - If you don't get any errors, now run `sudo service nginx restart`
Rules and Guidelines
- Be excellent to each other
- Don't fuck up other people's shit
- Usage of containers is encouraged where practical, but not required
- Databases sometimes have issues running in Docker, for example
- If you need a different version of some database that is already running on the default port, run the version you need in a Docker container, or on a different port (and that stores its data in a different directory!)
SSH Config
I can haz access?
Yes, but you are agreeing to be excellent to each other!
Consider generating a new SSH key pair with `$ ssh-keygen -b 4096`, then calling it, say, unicorn-nb, then add this to your ~/.ssh/config file:

    Host unicorn-nb
        User noisebridge
        Hostname 172.93.55.252
        PreferredAuthentications publickey
        IdentityFile ~/.ssh/unicorn-nb

If your SSH pub key (~/.ssh/unicorn-nb.pub) has been added to unicorn-nb:~/.ssh/authorized_keys, you should now be able to shell in by typing `$ ssh unicorn-nb` ...and thanks to the ~/.ssh/config entry, the name of the server you're trying to SSH into -- namely unicorn-nb in this case -- should autocomplete! Add your name to the access list below!
SSH Access
- @jslack - James
- Victoria
- @elimisteve
- @rando
- @spinda
For SSH access, visit the Unicorn Slack channel and ask @jslack, @elimisteve, or @Rando.
DNS Access
noisebridge.info is registered on NameCheap.com. As of 2019.02.13, @mindfu, @elimisteve, and @jslack have permission to edit DNS (on NameCheap).
Keeping in mind that *.noisebridge.info already points to Unicorn, if you nonetheless need to edit DNS, tell @elimisteve, @jslack, or @mindfu your NameCheap username or email.
Slack SSO
Services without their own authentication systems can be shielded a smidge from the ravages of the open internet by placing them behind the basic single sign-on (SSO) gateway at https://login.noisebridge.info.
In the target service's nginx configuration, add `include snippets/auth-init.conf;` toward the start of the main server block. Somewhere after that, add `include snippets/auth-require.conf;`, either in the server block or in the specific location block(s) you want to protect. See /etc/nginx/sites-available/printprintprint.noisebridge.info for an example.
Unauthenticated visitors will be redirected to Slack to sign in (via OAuth) with their Noisebridge Slack account, then redirected back to their destination. The login service injects a cookie to keep track of user sessions, and intercepts requests via nginx's auth_request mechanism to check for the presence of a valid cookie. See https://printprintprint.noisebridge.info for what this looks like in the wild.
If configured on a reverse proxy-based service, the SSO gateway will automatically pass on the logged-in user's ID and Slack name via the X-Noisebridge-User-ID and X-Noisebridge-User-Name headers, respectively.
Note the intent here isn't to exclude anyone by requiring authentication, but to provide a modicum of protection against drive-by mischief for those services that need it (like OctoPrint).
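Putting the two procedures together (the "add a new service" steps from System Info and the two SSO includes above), here is an added example script, not part of this wiki page or the Unicorn server's own tooling, that writes a site file for a new subdomain proxying to a local app behind the Slack SSO gateway, enables it, and only restarts nginx when `nginx -t` passes. It assumes certbot certificates under /etc/letsencrypt/live/<fqdn>/ and the two snippet files under /etc/nginx/snippets/; the site directories can be overridden to dry-run it in a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the Noisebridge wiki page: set up a new nginx site
# for a subdomain the way the System Info steps describe, with the Slack SSO
# snippets from the Slack SSO section wired in front of a reverse-proxied app.
# Assumptions: certbot certificates live under /etc/letsencrypt/live/<fqdn>/,
# and the two snippet files exist under /etc/nginx/snippets/ as the wiki says.
set -eu

# Defaults match the server layout; override both to dry-run in a scratch dir.
SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/nginx/sites-available}"
SITES_ENABLED="${SITES_ENABLED:-/etc/nginx/sites-enabled}"

# write_site <fqdn> <upstream-url>
# e.g. write_site somethingcool.noisebridge.info http://127.0.0.1:8080
write_site() {
    fqdn="$1"; upstream="$2"
    cat > "$SITES_AVAILABLE/$fqdn" <<EOF
server {
    listen 443 ssl;
    server_name $fqdn;
    ssl_certificate     /etc/letsencrypt/live/$fqdn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$fqdn/privkey.pem;

    include snippets/auth-init.conf;   # SSO: near the top of the server block

    location / {
        include snippets/auth-require.conf;   # SSO: only Slack-authenticated users
        proxy_pass $upstream;
        proxy_set_header Host \$host;
    }
}
EOF
}

# enable_site <fqdn>: the ln -s step; -sfn makes re-running harmless.
enable_site() {
    ln -sfn "$SITES_AVAILABLE/$1" "$SITES_ENABLED/$1"
}

# reload_if_valid: the "nginx -t, then restart only if clean" step.
reload_if_valid() {
    sudo nginx -t && sudo service nginx restart
}

if [ $# -eq 2 ]; then
    write_site "$1" "$2"
    enable_site "$1"
    reload_if_valid
fi
```

Because the gateway sits in front of the proxied app, the app receives the X-Noisebridge-User-ID and X-Noisebridge-User-Name headers without any further nginx directives.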