Unicorn: Difference between revisions

From Noisebridge
Jump to navigation Jump to search
m (→‎Services: space & x)
m (→‎Services: +share)
Line 47: Line 47:
* [https://printprintprint.noisebridge.info https://printprintprint.noisebridge.info] - remote access to the OctoPrint instance driving our Creality CR-10 3D printer
* [https://printprintprint.noisebridge.info https://printprintprint.noisebridge.info] - remote access to the OctoPrint instance driving our Creality CR-10 3D printer


* [https://space.noisebridge.info space.noisebridge.info experimental virtualized www edition of nbsp by Ⅹ]
* [https://space.noisebridge.info] experimental virtualized www edition of nbsp by Ⅹ


* [https://x.noisebridge.info x.noisebridge.info experimental personal site for Ⅹ]
* [https://x.noisebridge.info] experimental personal site for Ⅹ
 
* [https://share.noisebridge.info] Next Cloud VM instance setup by James & Ⅹ


== System Info ==
== System Info ==

Revision as of 16:49, 18 December 2020

Unicorn is a homage to our long dead server, formerly known as Stallion. It has no guaranteed uptime or functionality; it is up to you to keep the services you want running, running. Like a stallion.
Pissingponynb.png

This utility server is 4 cores, 24gb ram, 120gb ssd storage and 12tb bandwidth.
Volunteers warmly encouraged to setup and maintain it! Please contact us via the main Noisebridge Discussion Mailing List or on our Discuss forum


Services

Unicorn currently hosts:

  • [1] experimental virtualized www edition of nbsp by Ⅹ
  • [2] experimental personal site for Ⅹ
  • [3] Next Cloud VM instance setup by James & Ⅹ

System Info

  • IP: 172.93.55.252
  • OS: Debian 9 x86_64
  • Web server: Nginx is running on ports 80 and 443
  • Domains: Current domains and subdomains hosted on this server: (see /etc/nginx/sites-enabled/*)
  • DNS: all *.noisebridge.info subdomains point to this server, as does the naked domain (noisebridge.info)
  • SSL: certbot runs every day to renew certs for all (sub)domains it knows about
    • ...but to manually renew, run /home/noisebridge/bin/recert; sudo service nginx restart
  • To add a new service at, say, somethingcool.noisebridge.info...
    • Create a file similar to /etc/nginx/sites-available/noisebridge.info called /etc/nginx/sites-available/somethingcool.noisebridge.info
    • Run sudo ln -s /etc/nginx/sites-available/somethingcool.noisebridge.info /etc/nginx/sites-enabled/somethingcool.noisebridge.info; sudo nginx -t
    • If you don't get any errors, add -d somethingcool.noisebridge.info to /home/noisebridge/bin/recert then run /home/noisebridge/bin/recert to (U)pdate the *.noisebridge.info SSL cert!
  • Unicorn uses ufw to whitelist which ports can receive incoming connections from the outside world.
    • To add a port to the whitelist: sudo ufw allow <port>
    • To list firewall rules: sudo ufw show added
    • To delete a firewall rule: sudo ufw delete <rule>
    • To view (and delete) rules chronologically rather than by port: sudo ufw status numbered

Rules and Guidelines

  • Be excellent to each other
    • Don't fuck up other people's shit
  • Usage of containers is encouraged where practical, but not required
    • Databases sometimes have issues running in Docker, for example
  • If you need a different version of some database that is already running on the default port, run the version you need in a Docker container, or on a different port (and that stores its data in a different directory!)


SSH Config

I can haz access? Yes, but you are agreeing to be excellent to each other!

Consider generating a new SSH key pair with

$ ssh-keygen -b 4096

then calling it, say, unicorn-nb, then add this to your ~/.ssh/config file:

Host unicorn-nb
User noisebridge
Hostname 172.93.55.252
PreferredAuthentications publickey
IdentityFile ~/.ssh/unicorn-nb

If your SSH pub key (~/.ssh/unicorn-nb.pub) has been added to unicorn-nb:~/.ssh/authorized_keys, you should now be able to shell in by typing

$ ssh unicorn-nb

...and thanks to the ~/.ssh/config entry, the name of the server you're trying to SSH into -- namely unicorn-nb in this case -- should autocomplete! Add your name to the access list below!


SSH Access

For SSH access, post to Discuss or visit the #Unicorn Slack channel and ask @jslack, @elimisteve.

DNS Access

noisebridge.info is registered on NameCheap.com . As of 2019.02.13, @mindfu, @elimisteve, and @jslack have permission to edit DNS (on NameCheap).

Keeping in mind that *.noisebridge.info already points to Unicorn, if you nonetheless need to edit DNS, tell @elimisteve, @jslack, or @mindfu your NameCheap username or email.


Slack SSO

Services without their own authentication systems can be shielded a smidge from the ravages of the open internet by placing them behind the basic single sign-on (SSO) gateway at https://login.noisebridge.info.

In the target service's nginx configuration, add include snippets/auth-init.conf; toward the start of the main server block. Somewhere after that, add include snippets/auth-require.conf;, either in the server block or in the specific location block(s) you want to protect. See /etc/nginx/sites-available/printprintprint.noisebridge.info for an example.

Unauthenticated visitors will be redirected to Slack to sign in (via OAuth) with their Noisebridge Slack account, then redirected back to their destination. The login service injects a cookie to keep track of user sessions, and intercepts requests via nginx's auth_request mechanism to check for the presence of a valid cookie. See https://printprintprint.noisebridge.info for what this looks like in the wild.

If configured on a reverse proxy-based service, the SSO gateway will automatically pass on the logged-in user's ID and Slack name via the X-Noisebridge-User-ID and X-Noisebridge-User-Name headers, respectively.

Note the intent here isn't to exclude anyone by requiring authentication, but to provide a modicum of protection against drive-by mischief for those services that need it (like OctoPrint).