Provisioning

Provisioning is the process by which new users, services, and hosts are added to the network.

Users

Notes on Administrative and Daemon Users

These users should always be created as local users. Daemon users should be given /sbin/nologin or /bin/false as their login shell so they cannot be used for interactive logins; systemd service files set the UID/GID on processes, so no shell is needed. Daemon users should always have local credentials so they keep working when remote services like AniNIX/Sora fail.

  • Many services, such as IRC, TheRaven, Heartbeat, and Sora, run as a daemon user at the OS level. These should have local passwords.
  • At the OS level, the admin is the root user.
  • SSH should have one deprivileged user that is local.
  • IRC netadmins are provisioned with local passwords; they need a corresponding LDAP account only for IRCServices. Losing the ability to log in to IRCServices is more acceptable than losing control of the daemon itself. If a local account is needed, the IRC modules can be unloaded and registration enabled.

Template User Notification

Hello, <user>,

You have a new set of credentials to the AniNIX! Your new user ID is <uid> and your initial password is <password>. Please reset your password at https://password.aninix.net/

You now have access to all the public services of the AniNIX! Your credentials will work across the board. Please make sure to review our operational documentation (https://foundation.aninix.net/AniNIX/Wiki), particularly the User Ethics page, to understand what the AniNIX is and how to properly contribute.

If you have any questions, please stop by our IRC network (https://irc.aninix.net) and sign in to NickServ. We'd be happy to talk with you anytime -- admins are indicated with the '^', '~', or '@' sign in the #lobby channel. Again, welcome to the network!

~AniNIX Admins

Groups

Most groups will be local to a given host; ssh-allow and git permissions will be local, for example.

LDAP should at least have an ldapuser group to act as the primary group for LDAP users.

Service Authorization via AniNIX/Sora

This project should be the central credential store for end users on the AniNIX. Below are some notes to help with the setup. Code for provisioning this access should live in the template configs in AniNIX/Ubiqtorate.

ShadowArch

OS accounts can be added by enabling PAM/NSLCD authentication. See the Arch Wiki and this link for the basic setup steps. Note: make sure SSH is restricted to a required group of ssh-allow before enabling this, otherwise every LDAP account becomes an SSH login on the host.
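The daemon-user rule above (non-interactive shells, local accounts) and the ssh-allow precondition for NSLCD are both easy to check mechanically. The script below is an added audit example, not AniNIX code; it runs against constructed /etc/passwd and sshd_config excerpts embedded inline, and assumes the system UID range 500-999 for daemon accounts.

```shell
#!/usr/bin/env bash
# Added audit helper (not AniNIX code): checks two rules from this page against
# constructed sample data so it runs offline and without root.
#  1. Daemon users get /sbin/nologin or /bin/false as their shell.
#  2. sshd restricts logins to the ssh-allow group before LDAP/NSLCD is enabled.

# Constructed /etc/passwd excerpt; "heartbeat" deliberately violates rule 1.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ircd:x:900:900:IRC daemon:/var/lib/ircd:/sbin/nologin
theraven:x:901:901:TheRaven bot:/var/lib/theraven:/bin/false
heartbeat:x:902:902:Heartbeat:/var/lib/heartbeat:/bin/bash
sshuser:x:1000:1000:Deprivileged SSH user:/home/sshuser:/bin/bash'

# Constructed sshd_config excerpts: one restricted to ssh-allow, one not.
SAMPLE_SSHD_OK='PermitRootLogin no
AllowGroups ssh-allow
PasswordAuthentication no'
SAMPLE_SSHD_BAD='PermitRootLogin no
#AllowGroups ssh-allow
PasswordAuthentication no'

# Print "user:shell" for every daemon account (system UID range, assumed here
# to be 500-999) whose shell is interactive. Prints nothing when compliant.
list_interactive_daemons() {
  printf '%s\n' "$1" | awk -F: '
    $3 >= 500 && $3 < 1000 && $7 != "/sbin/nologin" && $7 != "/bin/false" {
      print $1 ":" $7
    }'
}

# Succeed only if an uncommented AllowGroups line names ssh-allow.
sshd_restricts_to_ssh_allow() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*AllowGroups([[:space:]]+[^[:space:]]+)*[[:space:]]+ssh-allow([[:space:]]|$)'
}

# Compose (but do not run) the useradd invocation for a new daemon user:
# system account, no home directory created, non-interactive shell.
daemon_useradd_cmd() {
  printf 'useradd --system --no-create-home --home-dir %s --shell /sbin/nologin %s\n' "$2" "$1"
}

# Stand-alone run: report findings for the constructed data.
offenders=$(list_interactive_daemons "$SAMPLE_PASSWD")
[ -n "$offenders" ] && echo "daemon users with interactive shells: $offenders"
sshd_restricts_to_ssh_allow "$SAMPLE_SSHD_BAD" || echo "sshd_config lacks AllowGroups ssh-allow"
daemon_useradd_cmd heartbeat /var/lib/heartbeat
```

On a real host, feed the functions `$(cat /etc/passwd)` and `$(sshd -T)` (the effective configuration, which also resolves Include and Match blocks) instead of the constructed excerpts.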

IRC

All LDAP accounts are enabled for IRC NickServ access; the LDAP uid is the owning nickname. Group membership is allowed, but admins may drop nicks if another user is being created with that uid.

Foundation

Foundation allows user creation from LDAP, so registration is disabled in its config. Users can form their own organizations and create repos under admin oversight.

Singularity

We are working to integrate the ttrss-ldap-auth-git package from the ArchLinux AUR.

Yggdrasil

Yggdrasil uses the Emby LDAP plugin set up inside the application to provide LDAP access.

Services

Services should be provisioned from Foundation and Ubiqtorate; this ensures that standards are followed and a best effort is made at security practices. Configure the service post-install to fit your needs.

Hosts

Hosts should be provisioned on an as-needed basis. A default AniNIX network is exemplified in this inventory.