Wiki/Operation/Provisioning.md

Provisioning is the process by which new users, services, and hosts are added to the network.

Users

Notes on Administrative and Daemon Users

These users should always be created as local users. Daemon users should be given /sbin/nologin or /bin/false as their login shell so the account cannot be used interactively -- systemd service files will set the UID/GID on processes appropriately, and a shell isn't needed. These daemon users should always have local credentials so they keep working when remote services like Sora fail.

  • Many services, like IRC, TheRaven, Heartbeat, Sora, and others will use a daemon user at the OS level. These should be local passwords.
  • At the OS, the admin will be the root user.
  • SSH should have one deprivileged user that is local.
  • IRC will have netadmins provisioned with local passwords; these netadmins will need a corresponding LDAP account only for IRCServices. Failure to log in with IRCServices is more acceptable than losing control of the daemon itself. The IRC modules can be unloaded and registration enabled if a local account is needed.
  • Wiki can only be either LDAP-enabled or local; as we want unified credentials, loss of edit privileges for everyone is acceptable in the case that LDAP has failed.
    • The following snippet can be used to lock down a specific wiki so only administrators (sysop) can read and edit.
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = false;
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['sysop']['read'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
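The daemon-user rules above (local account, non-login shell) are easy to drift from over time. The following audit script is an added example, not AniNIX code; it reads /etc/passwd directly rather than calling getent so that accounts that exist only in LDAP show up as missing, and it runs against a constructed passwd sample in which the service user names are assumptions.

```sh
#!/bin/sh
# Added audit helper (not AniNIX code): checks that service accounts are
# local and non-interactive, as the daemon-user notes require.
# Reading /etc/passwd directly (not `getent passwd`) is deliberate: getent
# would also return LDAP/NSLCD accounts, hiding a daemon that only exists
# in Sora and would vanish if LDAP failed.

# Constructed sample passwd database; service names are assumptions.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ircd:x:990:990:IRC daemon:/var/lib/ircd:/sbin/nologin
theraven:x:989:989:TheRaven bot:/opt/theraven:/bin/false
heartbeat:x:988:988:Heartbeat:/var/lib/heartbeat:/bin/bash
sora:x:987:987:Sora:/var/lib/sora:/sbin/nologin'

# check_daemon_user NAME [PASSWD_FILE]
# Prints one of: ok, missing (no local entry), shell:<shell> (login shell).
# Always exits 0 so it is safe to call under set -e.
check_daemon_user() {
    name=$1
    passwd=${2:-/etc/passwd}
    entry=$(grep "^${name}:" "$passwd" | head -n 1)
    if [ -z "$entry" ]; then
        echo missing
        return 0
    fi
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) echo ok ;;
        *) echo "shell:$shell" ;;
    esac
}

# audit_daemon_users PASSWD_FILE NAME...
# Prints "NAME STATUS" per account, then "failures=N" as the last line.
audit_daemon_users() {
    passwd=$1; shift
    failures=0
    for name in "$@"; do
        status=$(check_daemon_user "$name" "$passwd")
        echo "$name $status"
        [ "$status" = ok ] || failures=$((failures + 1))
    done
    echo "failures=$failures"
}

# Stand-alone run against the constructed sample, not a live system.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$sample_file"
audit_daemon_users "$sample_file" ircd theraven heartbeat sora sshd
rm -f "$sample_file"
```

On a real host, drop the second argument to check_daemon_user (or pass /etc/passwd to audit_daemon_users) and feed it the daemon names from the list above; any "missing" or "shell:" line is a provisioning defect to fix before the next LDAP outage finds it.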

Groups

Most groups will be local to a given host; ssh-allow and git permissions will be local, for example.

LDAP should at least have an ldapuser group to act as the primary group for LDAP users.

Sora

This project should be the central credential store for end-users on the AniNIX. Below are some notes to help with the setup.

ShadowArch

OS accounts can be added by enabling PAM/NSLCD authentication. See [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki] for the basic steps to set this up.

Note: Make sure SSH services are secured with a required group of ssh-allow before enabling this. See [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] for how to enable SSH access.

IRC

All LDAP accounts are enabled for IRC NickServ access -- the LDAP uid will be the owning nickname. Group membership is allowed, but admins may drop nicks if another user is being created with the uid.

Wiki

Wikis have LDAP groups attached to them; those who will be editors on a given Wiki will be given that Wiki's group to log in with.

Singularity

TODO: We are working to integrate the ttrss-ldap-auth-git package from the ArchLinux AUR.

Yggdrasil

Yggdrasil currently relies on Plex.tv for account management. Users seeking access to this project will need a Plex.tv account for streaming access. File access can be given with an SFTP jailed account in Sora.

Template User Notification

Hello, ,

You have a new set of credentials to the AniNIX! Your new user ID is and your initial password is . Please SSH#Available_Clients to @aninix.net and change your password as soon as possible.

You now have access to all the :Category:Public_Service of the AniNIX! Your credentials will work across the board. Please make sure to review :Category:Operation, particularly the User Ethics page, to understand what the AniNIX is and how to properly contribute.

If you have any questions, please stop by [https://aninix.net/irc our IRC network] and sign in to NickServ. We'd be happy to talk with you anytime -- admins are indicated with the '@' or '~' sign in the #lobby channel. Again, welcome to the network!

Services

Services should be provisioned from the Foundation -- this ensures that standards are followed and a best-attempt is made at security practices. Configure the service post-install to fit your need.

Hosts

Hosts should be provisioned on an as-needed basis. A default AniNIX network includes the following:
