From 367bbafa5f6e67ff2ae2057e5d01a9a35bc69696 Mon Sep 17 00:00:00 2001 From: deepend Date: Fri, 13 Feb 2026 18:10:13 +0000 Subject: [PATCH] =?UTF-8?q?Reworked=20the=20main=20setup=20guide=20into=20?= =?UTF-8?q?a=20modern,=20provider-agnostic=20=E2=80=9Cbuild=20your=20own?= =?UTF-8?q?=20tilde=E2=80=9D=20playbook=20with=20practical=20steps=20for?= =?UTF-8?q?=20provisioning,=20SSH=20hardening,=20public=5Fhtml=20setup,=20?= =?UTF-8?q?/etc/skel=20planning,=20user=20lifecycle=20workflows,=20and=20o?= =?UTF-8?q?perational=20safety.=20Added=20a=20structured=20=E2=80=9Cadd=20?= =?UTF-8?q?functionality=20in=20layers=E2=80=9D=20section=20(publishing,?= =?UTF-8?q?=20communication,=20collaboration,=20culture)=20plus=20a=20firs?= =?UTF-8?q?t-week=20launch=20checklist=20to=20help=20new=20operators=20gro?= =?UTF-8?q?w=20safely=20and=20intentionally.=20Updated=20README.md=20with?= =?UTF-8?q?=20a=20clear=20=E2=80=9Cstart=20here=E2=80=9D=20section=20that?= =?UTF-8?q?=20points=20operators=20to=20the=20key=20docs=20for=20creating?= =?UTF-8?q?=20and=20extending=20a=20tilde=20host.=20Updated=20docs/shellse?= =?UTF-8?q?rver.md=20to=20point=20at=20the=20new=20setup=20guide=20and=20i?= =?UTF-8?q?ntroduced=20a=20concise=20=E2=80=9Cquick=20priorities=E2=80=9D?= =?UTF-8?q?=20list=20for=20new=20admins.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 11 + docs/how-to-set-up-a-tilde.md | 620 ++++++++++++++++++++++++++++++---- docs/shellserver.md | 14 +- 3 files changed, 581 insertions(+), 64 deletions(-) diff --git a/README.md b/README.md index 066394c..6e67f37 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,17 @@ tilde.club server. It's all moving very fast. +# Getting started: run a tilde and help users build on it + +If your goal is to launch your own tilde-style host (or improve an existing one), start here: + +- [Build your own tilde-style server](docs/how-to-set-up-a-tilde.md) +- [Shell server setup notes](docs/shellserver.md) +- [SSH key onboarding guide](docs/ssh.md) +- [Current `/etc/skel` permissions reference](docs/etc-skel-permissions.md) + +These documents are focused on practical operations, onboarding, and adding community functionality in safe increments. + # Help Wanted Tilde.club is moving very quickly and is 100% volunteer led. diff --git a/docs/how-to-set-up-a-tilde.md b/docs/how-to-set-up-a-tilde.md index 92a7835..cf5f118 100644 --- a/docs/how-to-set-up-a-tilde.md +++ b/docs/how-to-set-up-a-tilde.md @@ -1,81 +1,575 @@ -## Preamble +## Build your own tilde-style server (beginner-friendly, step-by-step) -This document will talk you through setting up your own tilde.club flavoured server; the example `domain.club` is used below. +This guide is intentionally detailed for first-time operators. -## Prerequisites +If you have never run a server before, follow this in order and do not skip ahead. -* An [Amazon AWS account](https://aws.amazon.com), though any other cloud provider would work just as well. -* Your own domain -* A thirst for the unknown +--- -## Create an instance on Amazon EC2 +## What you are building -* On AWS click `Launch Instance` -* Select `Amazon Linux AMI` -* Select `t2.micro` -* Select the (recommended) thingy in the popup -* Click `Launch` -* In `Security Groups`: - * Right click on the security group used by your instance and: - * Click `Edit inbound rules` - * Add a rule for `HTTP` - * Add a rule for `SSH` - * Again, right click on the security group used by your instance and: - * Click `Edit outbound rules` - * Add a rule for `HTTP` - * Add a rule for `HTTPS` -* In `Elastic IPs`: - * Click `Allocate New Address` - * Choose `VPC` on the dropdown (it won't work otherwise, I forget why) - * Right click, `Associate Address` - * Choose the instance you just created -* Create an `A record` at your domain name registrar to point at the Elastic IP then wait for those changes to propagate. +A "tilde-style" host usually provides: -**NOTE** This could take up to 48 hours, use `dig domain.club +nostats +nocomments +nocmd` to see if you're in business. +- A Linux shell account for each user +- Personal web publishing from `~/public_html` +- Shared Unix tools for learning, writing, coding, and socializing +- Community norms and moderation -## SSH into your shiny instance using your `pem` file +In short: a small, friendly, multi-user Unix community. -* `ssh -i security.pem ec2-user@domain.club` -* `yum update` -* `sudo yum remove java` -* `sudo yum install git` +--- -## Change hostname +## 0) Before you touch a server -* `sudo vim /etc/hosts` change `localhost.localdomain` to `domain.club` -* `sudo vim /etc/sysconfig/network` change `localhost.localdomain` to `domain.club` -* `sudo reboot` +### 0.1 Buy or prepare these things first -## Allow passwords to log in +1. A domain name (example: `domain.club`) +2. One Linux server (VPS is fine) +3. SSH client on your laptop +4. A text editor you can use comfortably -* `sudo vim /etc/ssh/sshd_config` change `PasswordAuthentication` to `yes` -* `sudo service sshd restart` +### 0.2 Keep this safety rule in mind -## Create a test user `foo` account and `public_html` folder +Never close your current SSH session until you have confirmed a **new** SSH session works with your latest config changes. -* `sudo adduser foo` -* `sudo passwd foo` -* `sudo mkdir /home/foo/public_html` -* `sudo chown foo:foo /home/foo/public_html` -* `sudo chmod 755 /home/foo` -* `sudo chmod 755 /home/foo/public_html` +This one habit prevents most accidental lockouts. -## Install Apache +--- -* `sudo yum install httpd` -* `sudo /etc/init.d/httpd start` -* `sudo vim /etc/httpd/conf/httpd.conf`: - * comment out `UserDir disabled` - * uncomment `UserDir public_html` - * uncomment the `Control access to UserDir directories` block beginning with `` -* `sudo /etc/init.d/httpd restart` +## 1) Provision your Linux server -## Install other software +You can use AWS, Hetzner, Linode, DigitalOcean, or any other provider. -* `yum install tmux` -* `yum install mutt` -* `yum install irssi` -* `yum install tree` -* `yum install lynx` -* `yum install finger` -* etc +### Recommended minimum for a small starter community + +- 2 vCPU +- 4 GB RAM +- 40 GB SSD +- Ubuntu LTS or Debian stable (easiest for beginners) + +### 1.1 Point DNS at your server + +At your DNS provider: + +- Create an `A` record for `domain.club` -> your server IPv4 +- Optionally create `AAAA` for IPv6 + +DNS can take time to propagate. + +### 1.2 First login + +From your local machine: + +```bash +ssh root@domain.club +``` + +If your provider uses a default admin user (for example `ubuntu`), use that user and `sudo`. + +--- + +## 2) Base system setup (packages, hostname, firewall) + +This section includes both Debian/Ubuntu and Red Hat-family commands. + +### 2.1 Update the system + +**Debian / Ubuntu** + +```bash +apt update +apt -y upgrade +``` + +**RHEL / Rocky / Alma / Fedora** + +```bash +dnf -y upgrade +``` + +### 2.2 Install baseline tools + +**Debian / Ubuntu** + +```bash +apt -y install sudo git curl wget rsync tmux htop vim nano tree jq ufw +``` + +**RHEL / Rocky / Alma / Fedora** + +```bash +dnf -y install sudo git curl wget rsync tmux htop vim nano tree jq +``` + +### 2.3 Set hostname + +```bash +hostnamectl set-hostname domain.club +``` + +Check: + +```bash +hostnamectl +``` + +### 2.4 Configure a basic firewall + +If using `ufw` (common on Ubuntu): + +```bash +ufw default deny incoming +ufw default allow outgoing +ufw allow 22/tcp +ufw allow 80/tcp +ufw allow 443/tcp +ufw enable +ufw status verbose +``` + +If using `firewalld` (common on RHEL-family): + +```bash +systemctl enable --now firewalld +firewall-cmd --permanent --add-service=ssh +firewall-cmd --permanent --add-service=http +firewall-cmd --permanent --add-service=https +firewall-cmd --reload +firewall-cmd --list-services +``` + +--- + +## 3) Create a non-root admin account + +Running daily admin tasks as `root` is risky. + +### 3.1 Create admin user + +```bash +adduser admin +``` + +On some distros: + +```bash +useradd -m -s /bin/bash admin +passwd admin +``` + +### 3.2 Give sudo privileges + +**Debian / Ubuntu** + +```bash +usermod -aG sudo admin +``` + +**RHEL-family** + +```bash +usermod -aG wheel admin +``` + +### 3.3 Test sudo + +```bash +su - admin +sudo whoami +``` + +Expected output: `root` + +--- + +## 4) SSH hardening (safe order, no lockouts) + +Do this carefully. + +### 4.1 Set up admin SSH key directory and file + +```bash +install -d -m 700 /home/admin/.ssh +install -m 600 /dev/null /home/admin/.ssh/authorized_keys +chown -R admin:admin /home/admin/.ssh +``` + +### 4.2 Add your public key + +On your local machine, show your public key: + +```bash +cat ~/.ssh/id_ed25519.pub +``` + +Copy that line and paste it into: + +`/home/admin/.ssh/authorized_keys` + +Example on server: + +```bash +printf '%s\n' 'ssh-ed25519 AAAA... your-key-comment' >> /home/admin/.ssh/authorized_keys +chown admin:admin /home/admin/.ssh/authorized_keys +chmod 600 /home/admin/.ssh/authorized_keys +``` + +### 4.3 Keep passwords ON while you test keys + +Edit `/etc/ssh/sshd_config`: + +```text +PermitRootLogin no +PubkeyAuthentication yes +PasswordAuthentication yes +ChallengeResponseAuthentication no +UsePAM yes +``` + +Reload: + +```bash +systemctl reload sshd +``` + +From a **second local terminal**, test login: + +```bash +ssh admin@domain.club +``` + +If this fails, fix it now. Do **not** continue. + +### 4.4 Disable password auth only after key login works + +Edit `/etc/ssh/sshd_config`: + +```text +PasswordAuthentication no +``` + +Reload and test again from a second terminal: + +```bash +systemctl reload sshd +ssh admin@domain.club +``` + +Only after success should you end your old session. + +--- + +## 5) Install and configure Apache for user pages + +This is the baseline many tilde hosts use for `~username` pages. + +### 5.1 Install Apache + +**Debian / Ubuntu** + +```bash +apt -y install apache2 +systemctl enable --now apache2 +``` + +**RHEL-family** + +```bash +dnf -y install httpd +systemctl enable --now httpd +``` + +Check service status: + +```bash +systemctl status apache2 --no-pager +# or +systemctl status httpd --no-pager +``` + +### 5.2 Enable user directories (`~username` URLs) + +#### Debian / Ubuntu + +```bash +a2enmod userdir +systemctl restart apache2 +``` + +By default, this serves `/home/USERNAME/public_html` as: + +`http://domain.club/~USERNAME/` + +#### RHEL-family + +Edit Apache config (often `/etc/httpd/conf/httpd.conf`) and ensure: + +```apache +UserDir public_html + + + AllowOverride All + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + Require method GET POST OPTIONS + +``` + +Then restart: + +```bash +systemctl restart httpd +``` + +### 5.3 Create a test web user and page + +```bash +useradd -m -s /bin/bash testuser +mkdir -p /home/testuser/public_html +cat > /home/testuser/public_html/index.html <<'HTML' + + + testuser page +

hello from testuser

+ +HTML +chown -R testuser:testuser /home/testuser +chmod 755 /home/testuser +chmod 755 /home/testuser/public_html +chmod 644 /home/testuser/public_html/index.html +``` + +Now test locally on the server: + +```bash +curl -I http://localhost/~testuser/ +curl http://localhost/~testuser/ +``` + +Then test from your laptop: + +```bash +curl -I http://domain.club/~testuser/ +``` + +If it fails, check Apache logs: + +**Debian / Ubuntu** + +```bash +tail -n 100 /var/log/apache2/error.log +``` + +**RHEL-family** + +```bash +tail -n 100 /var/log/httpd/error_log +``` + +--- + +## 6) Prepare `/etc/skel` before inviting users + +`/etc/skel` is copied into every new account. Set it up early. + +### 6.1 Minimum recommended contents + +- `.bashrc` and/or `.zshrc` with helpful comments +- `public_html/index.html` starter page +- A README with first commands and local rules +- Optional `public_gemini/` and `public_gopher/` + +### 6.2 Example starter files + +```bash +install -d -m 755 /etc/skel/public_html +cat > /etc/skel/public_html/index.html <<'HTML' + + + Welcome + +

It works!

+

Edit this file to publish your page.

+ + +HTML +``` + +```bash +cat > /etc/skel/README-FIRST.txt <<'TXT' +Welcome to the server. + +Useful first commands: +- pwd +- ls -la +- nano ~/public_html/index.html + +Your web page lives at: +http://domain.club/~YOURUSERNAME/ +TXT +``` + +See also: `docs/etc-skel-permissions.md`. + +--- + +## 7) Install baseline user tools + +Give new users a capable, friendly default toolbox. + +**Debian / Ubuntu** + +```bash +apt -y install \ + zsh fish \ + emacs vim nano \ + irssi weechat \ + mutt alpine \ + lynx w3m links \ + git build-essential python3 nodejs npm +``` + +**RHEL-family** + +```bash +dnf -y install \ + zsh fish \ + emacs vim nano \ + irssi weechat \ + mutt alpine \ + lynx links \ + git gcc make python3 nodejs npm +``` + +Add or remove packages based on your community. + +--- + +## 8) Add users safely and consistently + +Use a repeatable checklist every time. + +### 8.1 Account creation checklist + +```bash +useradd -m -s /bin/bash USERNAME +passwd -l USERNAME +install -d -m 700 /home/USERNAME/.ssh +install -m 600 /dev/null /home/USERNAME/.ssh/authorized_keys +install -d -m 755 /home/USERNAME/public_html +chown -R USERNAME:USERNAME /home/USERNAME +``` + +### 8.2 Add the user's public key + +```bash +printf '%s\n' 'ssh-ed25519 AAAA... user@device' >> /home/USERNAME/.ssh/authorized_keys +chown USERNAME:USERNAME /home/USERNAME/.ssh/authorized_keys +chmod 600 /home/USERNAME/.ssh/authorized_keys +``` + +### 8.3 Verify login and web publishing + +```bash +ssh USERNAME@domain.club +curl -I http://domain.club/~USERNAME/ +``` + +--- + +## 9) Add "tilde functionality" in manageable layers + +Do not launch everything on day one. + +### Layer A: personal publishing + +- User web pages in `public_html` +- Basic HTML templates +- Optional Gemini and Gopher directories + +### Layer B: communication + +- IRC client docs +- Local mail (postfix + local delivery) +- Server bulletin/MOTD updates + +### Layer C: collaboration + +- Shared Git repos +- Local pastebin/snippet service +- Community docs/wiki process + +### Layer D: culture and learning + +- New-user orientation checklist +- Mentoring or office-hours in chat +- Monthly "show your tilde" events + +--- + +## 10) Operations, backup, and recovery + +### 10.1 Back up the important data + +At minimum, back up: + +- `/home` +- `/etc` +- Web server config (`/etc/apache2` or `/etc/httpd`) +- Mail config if used + +### 10.2 Example nightly backup script + +Create `/usr/local/sbin/backup-tilde.sh`: + +```bash +#!/usr/bin/env bash +set -euo pipefail + +DEST=/var/backups/tilde +DATE=$(date +%F) +mkdir -p "$DEST/$DATE" + +tar -czf "$DEST/$DATE/home.tgz" /home +tar -czf "$DEST/$DATE/etc.tgz" /etc +``` + +Make executable: + +```bash +chmod 700 /usr/local/sbin/backup-tilde.sh +``` + +Run once manually: + +```bash +/usr/local/sbin/backup-tilde.sh +``` + +Then automate with cron or systemd timers. + +### 10.3 Test restore (critical) + +A backup is not real until you test restoring at least one file. + +--- + +## 11) First-week launch checklist + +- [ ] DNS points to server +- [ ] Firewall allows only intended ports +- [ ] Admin key login works from a second terminal +- [ ] Password auth disabled only after key validation +- [ ] Apache running and `~testuser` page reachable +- [ ] `/etc/skel` tested by creating a new account +- [ ] Backup job ran and one restore test passed +- [ ] Rules/moderation/contact info published +- [ ] At least one backup admin has emergency access + +--- + +## 12) Where to continue in this repository + +- `docs/shellserver.md` for shell host operational notes +- `docs/etc-skel-permissions.md` for current skeleton permissions +- `docs/ssh.md` for SSH key onboarding details +- `docs/server.org` for historical package/setup notes diff --git a/docs/shellserver.md b/docs/shellserver.md index 8bd8a65..7c8d303 100644 --- a/docs/shellserver.md +++ b/docs/shellserver.md @@ -4,7 +4,19 @@ We want to document the ins and outs of setting up the server so others who are ## System setup -For now, this is all [documented in a separate server-setup document](https://github.com/tildeclub/tilde.club/blob/master/docs/server.org); ultimately, I presume we'll consolidate it all here. +Start with [Build your own tilde-style server](./how-to-set-up-a-tilde.md) for a modern baseline. Historical package notes still live in [docs/server.org](./server.org). + + +## Quick priorities for new operators + +If you are bringing up a new host, focus on these first: + +1. Lock down SSH and require keys. +2. Get `/etc/skel` right before creating many users. +3. Verify `~/public_html` publishing works. +4. Document onboarding, moderation, and backup/restore workflows. + +These four steps prevent many common early-stage tilde problems. ## /etc/skel directory