docs/shellserver.md

# Setting up the tilde.club shell server (user host)

We want to document the ins and outs of setting up the server so others who are interested can learn (and help!).

## System setup

Start with [Build your own tilde-style server](./how-to-set-up-a-tilde.md) for a modern baseline. Historical package notes still live in [docs/server.org](./server.org).


## Quick priorities for new operators

If you are bringing up a new host, focus on these first:

1. Lock down SSH and require keys.
2. Get `/etc/skel` right before creating many users.
3. Verify `~/public_html` publishing works.
4. Document onboarding, moderation, and backup/restore workflows.

These four steps prevent many common early-stage tilde problems.

## /etc/skel directory

This is the directory that's used as the basis for all newly-created users' home directories, so it's good to get it right before adding new users to a shell server. We've created [a separate repo for the contents of the directory itself](https://github.com/tildeclub/tilde.etcskel), but since it's impossible to check in the appropriate file and directory permissions, [they're documented here](https://github.com/tildeclub/tilde.club/blob/master/docs/etc-skel-permissions.md).

## Email

The default MTA on CentOS is `postfix`. Our goal was to have a `localhost`-only mail service, which required that we configure `postfix` to listen only to `localhost`, and to bounce any email which local users try to send off-server. Both configuration changes are handled in `/etc/postfix/main.cf`.

* the `inet_interfaces` value should just be `localhost` (`inet_interfaces = localhost`)
* the `default_transport` parameter should be the bounce message we want (so add `default_transport = error: outside mail is not deliverable` to the bottom of the file)

### pine

Pine is sort of brain-dead about creating its `.addressbook` file in a user's home directory with `744` permissions; there doesn't appear to be an option to fix this. Instead, it's probably important to work around it before adding any new users:

1. Add `~/mail/` to `/etc/skel` with permissions `700` so that there's a user-accessible-only place for the file to live.
2. Create an `/etc/pine.conf` file that includes the config directive `address-book=mail/.addressbook` to put that file into this new home.

## identd

Users will connect from their shell account to an IRC server, so it is *very* handy to have an `identd` server. For us that just meant installing the standard CentOS `identd` server and configuring it to start automatically:

```
sudo yum install oidentd
sudo /etc/init.d/oidentd start
sudo chkconfig oidentd on
```
Sorry! `` looks awful in GitHub headers. Removed. 2014-10-08 23:21:33 -04:00			`# Setting up the tilde.club shell server (user host)`
start documenting shell server setup 2014-10-08 22:41:17 -04:00
Prettify shell server building docs. 2014-10-08 23:05:18 -04:00			`We want to document the ins and outs of setting up the server so others who are interested can learn (and help!).`
start documenting shell server setup 2014-10-08 22:41:17 -04:00
			`## System setup`

Reworked the main setup guide into a modern, provider-agnostic “build your own tilde” playbook with practical steps for provisioning, SSH hardening, public_html setup, /etc/skel planning, user lifecycle workflows, and operational safety. Added a structured “add functionality in layers” section (publishing, communication, collaboration, culture) plus a first-week launch checklist to help new operators grow safely and intentionally. Updated README.md with a clear “start here” section that points operators to the key docs for creating and extending a tilde host. Updated docs/shellserver.md to point at the new setup guide and introduced a concise “quick priorities” list for new admins. 2026-02-13 18:10:13 +00:00			`Start with [Build your own tilde-style server](./how-to-set-up-a-tilde.md) for a modern baseline. Historical package notes still live in [docs/server.org](./server.org).`


			`## Quick priorities for new operators`

			`If you are bringing up a new host, focus on these first:`

			`1. Lock down SSH and require keys.`
			2. Get `/etc/skel` right before creating many users.
			3. Verify `~/public_html` publishing works.
			`4. Document onboarding, moderation, and backup/restore workflows.`

			`These four steps prevent many common early-stage tilde problems.`
start documenting shell server setup 2014-10-08 22:41:17 -04:00
Update shellserver.md 2014-10-14 23:44:39 -04:00			`## /etc/skel directory`

			`This is the directory that's used as the basis for all newly-created users' home directories, so it's good to get it right before adding new users to a shell server. We've created [a separate repo for the contents of the directory itself](https://github.com/tildeclub/tilde.etcskel), but since it's impossible to check in the appropriate file and directory permissions, [they're documented here](https://github.com/tildeclub/tilde.club/blob/master/docs/etc-skel-permissions.md).`

start documenting shell server setup 2014-10-08 22:41:17 -04:00			`## Email`

Prettify shell server building docs. 2014-10-08 23:05:18 -04:00			The default MTA on CentOS is `postfix`. Our goal was to have a `localhost`-only mail service, which required that we configure `postfix` to listen only to `localhost`, and to bounce any email which local users try to send off-server. Both configuration changes are handled in `/etc/postfix/main.cf`.
start documenting shell server setup 2014-10-08 22:41:17 -04:00
Prettify shell server building docs. 2014-10-08 23:05:18 -04:00			* the `inet_interfaces` value should just be `localhost` (`inet_interfaces = localhost`)
start documenting shell server setup 2014-10-08 22:41:17 -04:00			* the `default_transport` parameter should be the bounce message we want (so add `default_transport = error: outside mail is not deliverable` to the bottom of the file)

add info about proper up-front configuration of Pine .addressbook file (#27) 2014-10-14 20:45:47 -04:00			`### pine`

			Pine is sort of brain-dead about creating its `.addressbook` file in a user's home directory with `744` permissions; there doesn't appear to be an option to fix this. Instead, it's probably important to work around it before adding any new users:

			1. Add `~/mail/` to `/etc/skel` with permissions `700` so that there's a user-accessible-only place for the file to live.
			2. Create an `/etc/pine.conf` file that includes the config directive `address-book=mail/.addressbook` to put that file into this new home.

Sorry! `` looks awful in GitHub headers. Removed. 2014-10-08 23:21:33 -04:00			`## identd`
start documenting shell server setup 2014-10-08 22:41:17 -04:00
Prettify shell server building docs. 2014-10-08 23:05:18 -04:00			Users will connect from their shell account to an IRC server, so it is very handy to have an `identd` server. For us that just meant installing the standard CentOS `identd` server and configuring it to start automatically:
start documenting shell server setup 2014-10-08 22:41:17 -04:00
			```
fix CentOS-vs-Ubuntu mixup in package repo stuff 2014-10-12 23:03:21 -04:00			`sudo yum install oidentd`
start documenting shell server setup 2014-10-08 22:41:17 -04:00			`sudo /etc/init.d/oidentd start`
			`sudo chkconfig oidentd on`
			```