These users should always be created as local users. Daemon users should be given /sbin/nologin or /bin/false as their login shell so that the account cannot be used for an interactive login; systemd service files set the UID/GID of the process themselves (User= and Group= in the [Service] section), so no shell is needed. Daemon users should always have local credentials so that the services keep running when a remote service such as [AniNIX/Sora](/AniNIX/Ubiqtorate/src/branch/main/roles/Sora) is unavailable.
* Many services, like IRC, TheRaven, Heartbeat, Sora, and others, use a daemon user at the OS level. These should have local passwords.
* At the OS level, the admin is the root user.
* SSH should have one deprivileged user that is local.
* IRC netadmins are provisioned with local passwords; each netadmin needs a corresponding LDAP account only for IRCServices. Failing to log in to IRCServices is more acceptable than losing control of the daemon itself. If a local services account is needed, the IRC modules can be unloaded and registration enabled.
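As an added example (not code from AniNIX/Ubiqtorate or the Sora role), the shell snippet below audits passwd data for daemon accounts that still carry an interactive shell, emits the useradd call that creates a daemon user the way the policy above describes, and checks a unit fragment for the User= line that makes a shell unnecessary. The account names, the unit text, and the assumption that system accounts use UIDs 1-999 (as on Arch Linux) are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of AniNIX/Ubiqtorate: audit passwd data for daemon
# accounts with an interactive shell, and show the useradd call and systemd
# directive that the daemon-user policy implies.
# Assumption: system (daemon) accounts use UIDs 1-999, as on Arch Linux.

# Constructed sample passwd lines (not a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ircd:x:101:101:IRC daemon:/var/lib/ircd:/sbin/nologin
theraven:x:102:102:TheRaven:/var/lib/theraven:/bin/false
heartbeat:x:103:103:Heartbeat:/var/lib/heartbeat:/bin/bash
nslcd:x:104:104:LDAP client:/run/nslcd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed unit fragment showing systemd setting the UID/GID itself.
SAMPLE_UNIT='[Service]
User=ircd
Group=ircd
ExecStart=/usr/bin/ircd'

# Print, one per line, daemon accounts (UID 1-999) whose shell is neither
# a nologin binary nor /bin/false. Empty output means the host is clean.
find_interactive_daemons() {
    printf '%s\n' "$1" | awk -F: '
        $3 > 0 && $3 < 1000 && $7 !~ /nologin$/ && $7 != "/bin/false" { print $1 }'
}

# Emit the useradd invocation for a daemon user: system account, no login
# shell, no home creation; useradd leaves the password field locked.
daemon_useradd_cmd() {
    printf 'useradd --system --shell /sbin/nologin --no-create-home --home-dir /var/lib/%s %s\n' "$1" "$1"
}

# Succeed only if the unit text runs the service as the given user.
unit_runs_as() {
    printf '%s\n' "$1" | grep -q "^User=$2\$"
}

# Stand-alone run: report offenders, then show the provisioning command.
offenders=$(find_interactive_daemons "$SAMPLE_PASSWD")
if [ -n "$offenders" ]; then
    printf 'daemon accounts with interactive shells:\n%s\n' "$offenders"
fi
daemon_useradd_cmd ircd
if unit_runs_as "$SAMPLE_UNIT" ircd; then
    echo 'ircd.service drops to ircd via User=, so no shell is needed'
fi
```

Run the audit against the real file with `find_interactive_daemons "$(cat /etc/passwd)"` on a host; any name it prints is a daemon account that a compromised service could turn into an interactive login.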
You have a new set of credentials to the AniNIX! Your new user ID is <uid> and your initial password is <password>. Please reset your password at https://password.aninix.net/
You now have access to all the public services of the AniNIX! Your credentials will work across the board. Please make sure to review our operational documentation (https://foundation.aninix.net/AniNIX/Wiki), particularly the User Ethics page, to understand what the AniNIX is and how to properly contribute.
If you have any questions, please stop by our IRC network (https://irc.aninix.net) and identify to NickServ. We'd be happy to talk with you anytime; admins are indicated with the '^', '~', or '@' prefix in the #lobby channel. Again, welcome to the network!
This project should be the central credential store for end-users on the AniNIX. Below are some notes to help with the setup. Code for provisioning this access should be in the template configs in [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate).
OS accounts can be added by enabling PAM/NSLCD authentication against the LDAP server. See [the Arch Wiki](https://wiki.archlinux.org/index.php/LDAP_authentication) and [this link](https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access) for the basic steps. _Note:_ Before enabling this, make sure every SSH service requires membership in the ssh-allow group (for example, AllowGroups ssh-allow in sshd_config); otherwise every LDAP account becomes a valid SSH login as soon as NSS and PAM can resolve it.
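As an added pre-flight check (not from the Arch Wiki, the linked guide, or the Ubiqtorate role), the snippet below verifies two things on constructed config fragments before PAM/NSLCD is switched on: that sshd_config gates logins on the ssh-allow group, and that nsswitch.conf consults "files" before "ldap" so local daemon and admin accounts still resolve when Sora is unreachable. The config text is constructed sample data, and the group name ssh-allow is taken from the note above.

```shell
#!/bin/sh
# Added example, not AniNIX code: checks to run before enabling LDAP logins.
# Assumptions: sshd is restricted with AllowGroups, and nsswitch.conf lists
# "files" before "ldap" so local accounts do not depend on the LDAP server.

# Constructed sshd_config fragments: one unrestricted, one gated on ssh-allow.
SSHD_OPEN='PermitRootLogin no
PasswordAuthentication yes'

SSHD_GATED='PermitRootLogin no
PasswordAuthentication yes
AllowGroups ssh-allow wheel'

# Constructed nsswitch.conf fragments: one that asks LDAP first, one correct.
NSS_LDAP_FIRST='passwd: ldap files
group: ldap files
shadow: ldap files'

NSS_FILES_FIRST='passwd: files ldap
group: files ldap
shadow: files ldap'

# Succeed only if the first AllowGroups directive names the given group.
# sshd honours the first occurrence of a keyword, so only that line counts.
sshd_requires_group() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        tolower($1) == "allowgroups" {
            for (i = 2; i <= NF; i++) if ($i == grp) found = 1
            exit
        }
        END { exit (found ? 0 : 1) }'
}

# Succeed only if passwd, group and shadow each list "files" before "ldap"
# (a database with ldap but no files at all also fails).
nss_files_before_ldap() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            files = 0; ldap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files = i
                if ($i == "ldap") ldap = i
            }
            if (ldap && (!files || files > ldap)) bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run: report the state of each constructed config.
for cfg in "$SSHD_OPEN" "$SSHD_GATED"; do
    if sshd_requires_group "$cfg" ssh-allow; then
        echo 'sshd: logins gated on ssh-allow'
    else
        echo 'sshd: OPEN to every LDAP account once NSS/PAM resolve them'
    fi
done
for cfg in "$NSS_LDAP_FIRST" "$NSS_FILES_FIRST"; do
    if nss_files_before_ldap "$cfg"; then
        echo 'nsswitch: files before ldap, local accounts survive an LDAP outage'
    else
        echo 'nsswitch: ldap consulted first, local accounts depend on the LDAP server'
    fi
done
```

On a live host, feed the real files in with `sshd_requires_group "$(cat /etc/ssh/sshd_config)" ssh-allow` and `nss_files_before_ldap "$(cat /etc/nsswitch.conf)"`; both must succeed before nslcd is enabled.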
All LDAP accounts are enabled for IRC NickServ access; the LDAP uid is the owning nickname. Grouping additional nicks to an account is allowed, but admins may drop a grouped nick if a new user is being created whose uid matches it.
Foundation creates its users from LDAP, so self-registration is disabled in its config. Users can form their own organizations and create repos, with admin oversight.
Services should be provisioned from Foundation and Ubiqtorate; this ensures that standards are followed and that a best attempt at security practices is made. Configure the service post-install to fit your needs.
Hosts should be provisioned on an as-needed basis. A default AniNIX network is exemplified in [this inventory](/AniNIX/Ubiqtorate/src/branch/main/examples/msn0.yml).