2 |
DENIED
|
moderate
|
App\Entity\Entry {#1585
+user: App\Entity\User {#264 …}
+magazine: Proxies\__CG__\App\Entity\Magazine {#1731 …}
+image: null
+domain: Proxies\__CG__\App\Entity\Domain {#1619 …}
+slug: "Any-advice-on-running-a-pubnix-tilde"
+title: "Any advice on running a pubnix/tilde?"
+url: null
+body: """
I’m thinking about running my own pubnix/tilde. It would be invite-only and have a bunch of cool things:\n
\n
- git hosting with cgit or sourcehut\n
- gemini hosting\n
- web hosting\n
- gopher hosting\n
- FTP access\n
- about 2GB of storage\n
- matrix accounts + chat portal (Hydrogen seems cool)\n
- internal message board/email?\n
- maybe a CardDAV server?\n
\n
I think it would be a very cool opportunity to learn a bit about Linux and the internet. However, I literally have *no clue* how to set this up. I found this comment on Reddit:\n
\n
> It happens that you’re trying to build a tilde/pubnix? From my experience, tilde admins often give direct access to the system, but with proper permission elevation. Create a user group with limited permission (i.e. no sudo, disable specific software), add their usernames to it, and give them a space in /home. Secondly, disable SSH passwords, ask them to send you their public keys, and only authenticate via public key. Finally, write a good/strict policy but also send a welcoming message. Also, you can look for further security practices, like changing the default port, etc., but the key thing is proper user permission.\n
\n
That’s what I want. I was thinking about allowing password logins though. I already have a VPS, which I want to reinstall to turn into this thing.\n
\n
I basically want to configure the services in a way that they all depend on Unix accounts. That way I can create a Unix account with suitable permissions for every member, and stuff should Just Work™.\n
\n
So, I was thinking:\n
\n
- Exposing all git repos in `~/git/` at the URL `http(s)://git.example.com/~user/` (using cgit) and `gemini://git.example.com/~user/` (using git.gmi)\n
- Exposing `~/pub/gem/` at `gemini://example.com/~user/`\n
- Exposing `~/pub/web/` at `http(s)://example.com/~user/`\n
- Exposing `~/pub/goph` at `gopher://example.com/~user/`\n
- Creating `@user:example.com` matrix account with the same password as Unix. Changing the Unix password will also change the matrix password and changing the password from a matrix client should not be allowed.\n
- Hosting Hydrogen (matrix client) at `https://chat.example.com`\n
- Maybe host a CardDAV server with an account for every user, similar to what I want for matrix.\n
\n
Any pointers on how to set up something like this? How would I handle backups? (I know I can just backup all files in every member’s home directory, but how would I handle something more complicated, like the matrix accounts?). How would I make something like this secure?
"""
+type: "article"
+lang: "en"
+isOc: false
+hasEmbed: false
+commentCount: 1
+favouriteCount: 0
+score: 0
+isAdult: false
+sticky: false
+lastActive: DateTime @1697723274 {#1574
date: 2023-10-19 15:47:54.0 +02:00
}
+ip: null
+adaAmount: 0
+tags: null
+mentions: [
"@user"
]
+comments: Doctrine\ORM\PersistentCollection {#1702 …}
+votes: Doctrine\ORM\PersistentCollection {#1683 …}
+reports: Doctrine\ORM\PersistentCollection {#1689 …}
+favourites: Doctrine\ORM\PersistentCollection {#1724 …}
+notifications: Doctrine\ORM\PersistentCollection {#1727 …}
+badges: Doctrine\ORM\PersistentCollection {#2464 …}
+children: []
-id: 18324
-titleTs: "'advic':2 'pubnix/tilde':6 'run':4"
-bodyTs: "'/example.com/~user':289 '/git':263 '/git.example.com/~user':269 '/home':139 '/pub/gem':279 '/pub/goph':291 '/pub/web':285 '/~user/':275,283,295 '2gb':37 'access':35,107 'account':41,234,242,300,342,393 'add':130 'admin':103 'allow':199,328 'alreadi':204 'also':164,169,312 'ask':144 'authent':154 'backup':367,373 'basic':219 'bit':66 'board/email':49 'build':96 'bunch':18 'carddav':52,338 'cgit':25,271 'chang':178,307,313,318 'chat':42 'chat.example.com':334 'client':324,332 'clue':77 'comment':86 'complic':389 'configur':222 'cool':20,46,61 'creat':116,239,296 'default':179 'depend':231 'direct':106 'directori':381 'disabl':126,141 'elev':115 'etc':181 'everi':247,344,377 'example.com':282,294,298 'example.com/~user/':281,293 'experi':101 'expos':258,278,284,290 'file':375 'final':158 'found':84 'ftp':34 'gemini':28 'git':22,260 'git.example.com':274 'git.example.com/~user/':273 'git.gmi':277 'give':105,134 'good/strict':161 'gopher':32 'group':119 'handl':366,386 'happen':90 'home':380 'host':23,29,31,33,329,336 'howev':72 'http':267,287 'hydrogen':44,330 'i.e':123 'intern':47 'internet':71 'invit':13 'invite-on':12 'key':151,157,184 'know':369 'learn':64 'like':177,361,390,399 'limit':121 'linux':68 'liter':74 'login':201 'look':172 'm':2 'make':397 'matrix':40,299,315,323,331,352,392 'mayb':50,335 'member':248,378 'messag':48,168 'often':104 'opportun':62 'password':143,200,304,310,316,320 'permiss':114,122,189,245 'pointer':354 'polici':162 'port':180 'portal':43 'practic':176 'proper':113,187 'public':150,156 'pubnix/tilde':8 're':93 'reddit':88 'reinstal':212 'repo':261 'run':5 'second':140 'secur':175,401 'seem':45 'send':147,165 'server':53,339 'servic':224 'set':80,358 'similar':346 'softwar':128 'someth':360,387,398 'sourcehut':27 'space':137 'specif':127 'ssh':142 'storag':39 'stuff':250 'sudo':125 'suitabl':244 'system':110 'thing':21,185,217 'think':3,55,197,257 'tho':202 'tild':102 'tilde/pubnix':98 'tri':94 'turn':214 'unix':233,241,306,309 'url':266 'use':270,276 'user':118,188,297,345 'usernam':132 'via':155 'vps':207 'want':194,210,220,350 'way':227,236 'web':30 'welcom':167 'work':253 'would':10,57,364,384,395 'write':159"
+cross: false
+upVotes: 0
+downVotes: 0
+ranking: 1697628085
+visibility: "visible "
+apId: "https://beehaw.org/post/8820647"
+editedAt: null
+createdAt: DateTimeImmutable @1697621585 {#1409
date: 2023-10-18 11:33:05.0 +02:00
}
} |
3 |
DENIED
|
edit
|
App\Entity\Entry {#1585 …} |
4 |
DENIED
|
moderate
|
App\Entity\Entry {#1585 …} |
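The advice quoted in the post above (a restricted group with no sudo, key-only SSH, a fixed amount of space per member) and the `~/pub/web`, `~/pub/gem`, `~/pub/goph` and `~/git` layout the poster wants can be put together in one onboarding script. The script below is an added example; it is not code from the post, from Beehaw, or from the kbin software whose debug dump this page is. The group name `tilde`, a quota-enabled `/home` filesystem, the `alice` sample key and the `sshd -T` excerpts are all assumptions constructed for the example. `check_sshd_config` audits the effective sshd configuration as `sshd -T` prints it, which catches settings hidden in defaults or in `Include`d files that reading `sshd_config` by hand misses; requiring `PermitRootLogin no` (rather than the `prohibit-password` default) is a deliberate choice of this example, on the grounds that the admin can log in as an ordinary member and escalate locally.

```shell
#!/bin/sh
# Added example (not from the post, Beehaw or kbin): onboard one pubnix member as the
# quoted advice describes and audit sshd for key-only logins. Assumptions: group "tilde",
# the ~/pub/{web,gem,goph} and ~/git layout from the post, quotas enabled on /home.

: "${DRY_RUN:=1}"   # default prints the privileged commands; DRY_RUN=0 as root applies them

run() {
  # Execute the command when DRY_RUN=0, otherwise print it on one line.
  if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

provision_member() {
  # usage: provision_member NAME GROUP "PUBKEY LINE" [QUOTA_KIB]
  user=$1 group=$2 pubkey=$3 quota_kib=${4:-2097152}   # 2097152 KiB = 2 GiB
  home=/home/$user
  # The name becomes a path component, so constrain it before building any path.
  case "$user" in ""|-*|*[!a-z0-9_-]*)
    printf 'refusing user name "%s"\n' "$user" >&2; return 1 ;;
  esac
  # Accept exactly one bare public key of a known type (no options, no extra lines).
  case "$pubkey" in
    "ssh-ed25519 "*|"sk-ssh-ed25519@openssh.com "*|"ecdsa-sha2-nistp256 "*|"ssh-rsa "*) ;;
    *) printf 'refusing key for %s: not an OpenSSH public key line\n' "$user" >&2; return 1 ;;
  esac
  run groupadd -f "$group"                          # -f: succeed if the group exists
  run useradd -m -g "$group" -s /bin/bash "$user"   # not in sudo/wheel, so no sudo
  # 0711: the web/gemini/gopher daemons and cgit can traverse into ~/pub and ~/git,
  # but other members cannot list the home directory.
  run chmod 0711 "$home"
  for d in pub pub/web pub/gem pub/goph git; do
    run install -d -m 0755 -o "$user" -g "$group" "$home/$d"
  done
  run install -d -m 0700 -o "$user" -g "$group" "$home/.ssh"
  if [ "$DRY_RUN" = 0 ]; then
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
  else
    printf 'write %s/.ssh/authorized_keys\n' "$home"
  fi
  run chown "$user:$group" "$home/.ssh/authorized_keys"
  run chmod 0600 "$home/.ssh/authorized_keys"
  # Soft and hard block limits both at the quota (inode limits left unlimited).
  run setquota -u "$user" "$quota_kib" "$quota_kib" 0 0 /home
}

check_sshd_config() {
  # usage: sshd -T | check_sshd_config GROUP
  # Reads "keyword value" lines as `sshd -T` prints them (effective config,
  # lower-case keywords) and fails unless logins are key-only, root cannot
  # log in over SSH, and GROUP is listed in AllowGroups.
  want_group=$1
  pw= root= pubkey= kbd= groups=
  while read -r key value; do
    case "$key" in
      passwordauthentication) pw=$value ;;
      permitrootlogin) root=$value ;;
      pubkeyauthentication) pubkey=$value ;;
      # Older OpenSSH prints challengeresponseauthentication, newer kbdinteractiveauthentication;
      # either one set to yes still lets PAM prompt for a password.
      kbdinteractiveauthentication|challengeresponseauthentication)
        if [ "$value" = yes ]; then kbd=yes; fi ;;
      allowgroups) groups="$groups $value" ;;
    esac
  done
  status=0
  [ "$pw" = no ]      || { echo "FAIL PasswordAuthentication=${pw:-unset} (want no)"; status=1; }
  [ "$kbd" != yes ]   || { echo "FAIL keyboard-interactive authentication is enabled (want no)"; status=1; }
  [ "$pubkey" = yes ] || { echo "FAIL PubkeyAuthentication=${pubkey:-unset} (want yes)"; status=1; }
  [ "$root" = no ]    || { echo "FAIL PermitRootLogin=${root:-unset} (want no)"; status=1; }
  case " $groups " in
    *" $want_group "*) ;;
    *) echo "FAIL AllowGroups does not include $want_group (got '${groups# }')"; status=1 ;;
  esac
  return $status
}

# Constructed `sshd -T` excerpts so the audit runs offline; real use: sshd -T | check_sshd_config tilde
WEAK_SSHD_T='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes'
HARDENED_SSHD_T='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
allowgroups tilde admins'
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey alice@laptop'   # constructed, not a real key

if printf '%s\n' "$WEAK_SSHD_T" | check_sshd_config tilde; then echo "weak config passed?!"; fi
if printf '%s\n' "$HARDENED_SSHD_T" | check_sshd_config tilde; then echo "hardened config OK"; fi
provision_member alice tilde "$EXAMPLE_KEY"   # dry run: prints the commands root would run
```

Run it as-is to see the commands and the audit output; only `DRY_RUN=0 sh onboard.sh` as root changes the system. The `chmod 0711` on the home directory is the detail that makes the `/~user/` exposure work without letting members browse each other's homes: the web, gemini and gopher servers only need execute permission on `/home/user` to reach `~/pub`, never read permission on the home directory itself. Matrix and CardDAV accounts are not provisioned here; binding them to the Unix password is a separate problem the post leaves open.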