TildeClub/tilde.club
1
0
Fork 0
mirror of https://github.com/tildeclub/tilde.club.git synced 2026-03-10 05:00:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Reworked the main setup guide into a modern, provider-agnostic “build your own tilde” playbook with practical steps for provisioning, SSH hardening, public_html setup, /etc/skel planning, user lifecycle workflows, and operational safety.

Browse Source 
Added a structured “add functionality in layers” section (publishing, communication, collaboration, culture) plus a first-week launch checklist to help new operators grow safely and intentionally.
Updated README.md with a clear “start here” section that points operators to the key docs for creating and extending a tilde host.
Updated docs/shellserver.md to point at the new setup guide and introduced a concise “quick priorities” list for new admins.
This commit is contained in:
deepend
2026-02-13 18:10:13 +00:00
parent ff09643b73
commit 367bbafa5f
3 changed files with 581 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -21,6 +21,17 @@ tilde.club server.
It's all moving very fast. It's all moving very fast.
# Getting started: run a tilde and help users build on it
If your goal is to launch your own tilde-style host (or improve an existing one), start here:
- [Build your own tilde-style server](docs/how-to-set-up-a-tilde.md)
- [Shell server setup notes](docs/shellserver.md)
- [SSH key onboarding guide](docs/ssh.md)
- [Current `/etc/skel` permissions reference](docs/etc-skel-permissions.md)
These documents are focused on practical operations, onboarding, and adding community functionality in safe increments.
# Help Wanted # Help Wanted
Tilde.club is moving very quickly and is 100% volunteer led. Tilde.club is moving very quickly and is 100% volunteer led.

620
docs/how-to-set-up-a-tilde.md
View File

@@ -1,81 +1,575 @@
## Preamble ## Build your own tilde-style server (beginner-friendly, step-by-step)
This document will talk you through setting up your own tilde.club flavoured server; the example `domain.club` is used below. This guide is intentionally detailed for first-time operators.
## Prerequisites If you have never run a server before, follow this in order and do not skip ahead.
* An [Amazon AWS account](https://aws.amazon.com), though any other cloud provider would work just as well. ---
* Your own domain
* A thirst for the unknown
## Create an instance on Amazon EC2 ## What you are building
* On AWS click `Launch Instance` A "tilde-style" host usually provides:
* Select `Amazon Linux AMI`
* Select `t2.micro`
* Select the (recommended) thingy in the popup
* Click `Launch`
* In `Security Groups`:
* Right click on the security group used by your instance and:
* Click `Edit inbound rules`
* Add a rule for `HTTP`
* Add a rule for `SSH`
* Again, right click on the security group used by your instance and:
* Click `Edit outbound rules`
* Add a rule for `HTTP`
* Add a rule for `HTTPS`
* In `Elastic IPs`:
* Click `Allocate New Address`
* Choose `VPC` on the dropdown (it won't work otherwise, I forget why)
* Right click, `Associate Address`
* Choose the instance you just created
* Create an `A record` at your domain name registrar to point at the Elastic IP then wait for those changes to propagate.
**NOTE** This could take up to 48 hours, use `dig domain.club +nostats +nocomments +nocmd` to see if you're in business. - A Linux shell account for each user
- Personal web publishing from `~/public_html`
- Shared Unix tools for learning, writing, coding, and socializing
- Community norms and moderation
## SSH into your shiny instance using your `pem` file In short: a small, friendly, multi-user Unix community.
* `ssh -i security.pem ec2-user@domain.club` ---
* `yum update`
* `sudo yum remove java`
* `sudo yum install git`
## Change hostname ## 0) Before you touch a server
* `sudo vim /etc/hosts` change `localhost.localdomain` to `domain.club` ### 0.1 Buy or prepare these things first
* `sudo vim /etc/sysconfig/network` change `localhost.localdomain` to `domain.club`
* `sudo reboot`
## Allow passwords to log in 1. A domain name (example: `domain.club`)
2. One Linux server (VPS is fine)
3. SSH client on your laptop
4. A text editor you can use comfortably
* `sudo vim /etc/ssh/sshd_config` change `PasswordAuthentication` to `yes` ### 0.2 Keep this safety rule in mind
* `sudo service sshd restart`
## Create a test user `foo` account and `public_html` folder Never close your current SSH session until you have confirmed a **new** SSH session works with your latest config changes.
* `sudo adduser foo` This one habit prevents most accidental lockouts.
* `sudo passwd foo`
* `sudo mkdir /home/foo/public_html`
* `sudo chown foo:foo /home/foo/public_html`
* `sudo chmod 755 /home/foo`
* `sudo chmod 755 /home/foo/public_html`
## Install Apache ---
* `sudo yum install httpd` ## 1) Provision your Linux server
* `sudo /etc/init.d/httpd start`
* `sudo vim /etc/httpd/conf/httpd.conf`:
* comment out `UserDir disabled`
* uncomment `UserDir public_html`
* uncomment the `Control access to UserDir directories` block beginning with `<Directory /home/*/public_html>`
* `sudo /etc/init.d/httpd restart`
## Install other software You can use AWS, Hetzner, Linode, DigitalOcean, or any other provider.
* `yum install tmux` ### Recommended minimum for a small starter community
* `yum install mutt`
* `yum install irssi` - 2 vCPU
* `yum install tree` - 4 GB RAM
* `yum install lynx` - 40 GB SSD
* `yum install finger` - Ubuntu LTS or Debian stable (easiest for beginners)
* etc
### 1.1 Point DNS at your server
At your DNS provider:
- Create an `A` record for `domain.club` -> your server IPv4
- Optionally create `AAAA` for IPv6
DNS can take time to propagate.
### 1.2 First login
From your local machine:
```bash
ssh root@domain.club
```
If your provider uses a default admin user (for example `ubuntu`), use that user and `sudo`.
---
## 2) Base system setup (packages, hostname, firewall)
This section includes both Debian/Ubuntu and Red Hat-family commands.
### 2.1 Update the system
**Debian / Ubuntu**
```bash
apt update
apt -y upgrade
```
**RHEL / Rocky / Alma / Fedora**
```bash
dnf -y upgrade
```
### 2.2 Install baseline tools
**Debian / Ubuntu**
```bash
apt -y install sudo git curl wget rsync tmux htop vim nano tree jq ufw
```
**RHEL / Rocky / Alma / Fedora**
```bash
dnf -y install sudo git curl wget rsync tmux htop vim nano tree jq
```
### 2.3 Set hostname
```bash
hostnamectl set-hostname domain.club
```
Check:
```bash
hostnamectl
```
### 2.4 Configure a basic firewall
If using `ufw` (common on Ubuntu):
```bash
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
ufw status verbose
```
If using `firewalld` (common on RHEL-family):
```bash
systemctl enable --now firewalld
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
firewall-cmd --list-services
```
---
## 3) Create a non-root admin account
Running daily admin tasks as `root` is risky.
### 3.1 Create admin user
```bash
adduser admin
```
On some distros:
```bash
useradd -m -s /bin/bash admin
passwd admin
```
### 3.2 Give sudo privileges
**Debian / Ubuntu**
```bash
usermod -aG sudo admin
```
**RHEL-family**
```bash
usermod -aG wheel admin
```
### 3.3 Test sudo
```bash
su - admin
sudo whoami
```
Expected output: `root`
---
## 4) SSH hardening (safe order, no lockouts)
Do this carefully.
### 4.1 Set up admin SSH key directory and file
```bash
install -d -m 700 /home/admin/.ssh
install -m 600 /dev/null /home/admin/.ssh/authorized_keys
chown -R admin:admin /home/admin/.ssh
```
### 4.2 Add your public key
On your local machine, show your public key:
```bash
cat ~/.ssh/id_ed25519.pub
```
Copy that line and paste it into:
`/home/admin/.ssh/authorized_keys`
Example on server:
```bash
printf '%s\n' 'ssh-ed25519 AAAA... your-key-comment' >> /home/admin/.ssh/authorized_keys
chown admin:admin /home/admin/.ssh/authorized_keys
chmod 600 /home/admin/.ssh/authorized_keys
```
### 4.3 Keep passwords ON while you test keys
Edit `/etc/ssh/sshd_config`:
```text
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
```
Reload:
```bash
systemctl reload sshd
```
From a **second local terminal**, test login:
```bash
ssh admin@domain.club
```
If this fails, fix it now. Do **not** continue.
### 4.4 Disable password auth only after key login works
Edit `/etc/ssh/sshd_config`:
```text
PasswordAuthentication no
```
Reload and test again from a second terminal:
```bash
systemctl reload sshd
ssh admin@domain.club
```
Only after success should you end your old session.
---
## 5) Install and configure Apache for user pages
This is the baseline many tilde hosts use for `~username` pages.
### 5.1 Install Apache
**Debian / Ubuntu**
```bash
apt -y install apache2
systemctl enable --now apache2
```
**RHEL-family**
```bash
dnf -y install httpd
systemctl enable --now httpd
```
Check service status:
```bash
systemctl status apache2 --no-pager
# or
systemctl status httpd --no-pager
```
### 5.2 Enable user directories (`~username` URLs)
#### Debian / Ubuntu
```bash
a2enmod userdir
systemctl restart apache2
```
By default, this serves `/home/USERNAME/public_html` as:
`http://domain.club/~USERNAME/`
#### RHEL-family
Edit Apache config (often `/etc/httpd/conf/httpd.conf`) and ensure:
```apache
UserDir public_html
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
```
Then restart:
```bash
systemctl restart httpd
```
### 5.3 Create a test web user and page
```bash
useradd -m -s /bin/bash testuser
mkdir -p /home/testuser/public_html
cat > /home/testuser/public_html/index.html <<'HTML'
<!doctype html>
<html>
<head><meta charset="utf-8"><title>testuser page</title></head>
<body><h1>hello from testuser</h1></body>
</html>
HTML
chown -R testuser:testuser /home/testuser
chmod 755 /home/testuser
chmod 755 /home/testuser/public_html
chmod 644 /home/testuser/public_html/index.html
```
Now test locally on the server:
```bash
curl -I http://localhost/~testuser/
curl http://localhost/~testuser/
```
Then test from your laptop:
```bash
curl -I http://domain.club/~testuser/
```
If it fails, check Apache logs:
**Debian / Ubuntu**
```bash
tail -n 100 /var/log/apache2/error.log
```
**RHEL-family**
```bash
tail -n 100 /var/log/httpd/error_log
```
---
## 6) Prepare `/etc/skel` before inviting users
`/etc/skel` is copied into every new account. Set it up early.
### 6.1 Minimum recommended contents
- `.bashrc` and/or `.zshrc` with helpful comments
- `public_html/index.html` starter page
- A README with first commands and local rules
- Optional `public_gemini/` and `public_gopher/`
### 6.2 Example starter files
```bash
install -d -m 755 /etc/skel/public_html
cat > /etc/skel/public_html/index.html <<'HTML'
<!doctype html>
<html>
<head><meta charset="utf-8"><title>Welcome</title></head>
<body>
<h1>It works!</h1>
<p>Edit this file to publish your page.</p>
</body>
</html>
HTML
```
```bash
cat > /etc/skel/README-FIRST.txt <<'TXT'
Welcome to the server.
Useful first commands:
- pwd
- ls -la
- nano ~/public_html/index.html
Your web page lives at:
http://domain.club/~YOURUSERNAME/
TXT
```
See also: `docs/etc-skel-permissions.md`.
---
## 7) Install baseline user tools
Give new users a capable, friendly default toolbox.
**Debian / Ubuntu**
```bash
apt -y install \
zsh fish \
emacs vim nano \
irssi weechat \
mutt alpine \
lynx w3m links \
git build-essential python3 nodejs npm
```
**RHEL-family**
```bash
dnf -y install \
zsh fish \
emacs vim nano \
irssi weechat \
mutt alpine \
lynx links \
git gcc make python3 nodejs npm
```
Add or remove packages based on your community.
---
## 8) Add users safely and consistently
Use a repeatable checklist every time.
### 8.1 Account creation checklist
```bash
useradd -m -s /bin/bash USERNAME
passwd -l USERNAME
install -d -m 700 /home/USERNAME/.ssh
install -m 600 /dev/null /home/USERNAME/.ssh/authorized_keys
install -d -m 755 /home/USERNAME/public_html
chown -R USERNAME:USERNAME /home/USERNAME
```
### 8.2 Add the user's public key
```bash
printf '%s\n' 'ssh-ed25519 AAAA... user@device' >> /home/USERNAME/.ssh/authorized_keys
chown USERNAME:USERNAME /home/USERNAME/.ssh/authorized_keys
chmod 600 /home/USERNAME/.ssh/authorized_keys
```
### 8.3 Verify login and web publishing
```bash
ssh USERNAME@domain.club
curl -I http://domain.club/~USERNAME/
```
---
## 9) Add "tilde functionality" in manageable layers
Do not launch everything on day one.
### Layer A: personal publishing
- User web pages in `public_html`
- Basic HTML templates
- Optional Gemini and Gopher directories
### Layer B: communication
- IRC client docs
- Local mail (postfix + local delivery)
- Server bulletin/MOTD updates
### Layer C: collaboration
- Shared Git repos
- Local pastebin/snippet service
- Community docs/wiki process
### Layer D: culture and learning
- New-user orientation checklist
- Mentoring or office-hours in chat
- Monthly "show your tilde" events
---
## 10) Operations, backup, and recovery
### 10.1 Back up the important data
At minimum, back up:
- `/home`
- `/etc`
- Web server config (`/etc/apache2` or `/etc/httpd`)
- Mail config if used
### 10.2 Example nightly backup script
Create `/usr/local/sbin/backup-tilde.sh`:
```bash
#!/usr/bin/env bash
set -euo pipefail
DEST=/var/backups/tilde
DATE=$(date +%F)
mkdir -p "$DEST/$DATE"
tar -czf "$DEST/$DATE/home.tgz" /home
tar -czf "$DEST/$DATE/etc.tgz" /etc
```
Make executable:
```bash
chmod 700 /usr/local/sbin/backup-tilde.sh
```
Run once manually:
```bash
/usr/local/sbin/backup-tilde.sh
```
Then automate with cron or systemd timers.
### 10.3 Test restore (critical)
A backup is not real until you test restoring at least one file.
---
## 11) First-week launch checklist
- [ ] DNS points to server
- [ ] Firewall allows only intended ports
- [ ] Admin key login works from a second terminal
- [ ] Password auth disabled only after key validation
- [ ] Apache running and `~testuser` page reachable
- [ ] `/etc/skel` tested by creating a new account
- [ ] Backup job ran and one restore test passed
- [ ] Rules/moderation/contact info published
- [ ] At least one backup admin has emergency access
---
## 12) Where to continue in this repository
- `docs/shellserver.md` for shell host operational notes
- `docs/etc-skel-permissions.md` for current skeleton permissions
- `docs/ssh.md` for SSH key onboarding details
- `docs/server.org` for historical package/setup notes

14
docs/shellserver.md
View File

@@ -4,7 +4,19 @@ We want to document the ins and outs of setting up the server so others who are
## System setup ## System setup
For now, this is all [documented in a separate server-setup document](https://github.com/tildeclub/tilde.club/blob/master/docs/server.org); ultimately, I presume we'll consolidate it all here. Start with [Build your own tilde-style server](./how-to-set-up-a-tilde.md) for a modern baseline. Historical package notes still live in [docs/server.org](./server.org).
## Quick priorities for new operators
If you are bringing up a new host, focus on these first:
1. Lock down SSH and require keys.
2. Get `/etc/skel` right before creating many users.
3. Verify `~/public_html` publishing works.
4. Document onboarding, moderation, and backup/restore workflows.
These four steps prevent many common early-stage tilde problems.
## /etc/skel directory ## /etc/skel directory