Unicorn

2021-07-26T02:32:41Z

Pml: /* SSH Access */

Unicorn is a homage to our long dead server, formerly known as [[Stallion]].
It has no guaranteed uptime or functionality; it is up to you to keep the services you want running, running. Like a stallion. 
[[Image:Pissingponynb.png]]

This utility server is 4 cores, 24gb ram, 120gb ssd storage and 12tb bandwidth. 
'''Volunteers warmly encouraged to setup and maintain it! Please contact us via the main [https://lists.noisebridge.net/listinfo/noisebridge-discuss Noisebridge Discussion Mailing List] or on our [https://discuss.noisebridge.info Discuss forum]'''

== Services ==

Unicorn currently hosts:

* [https://noisebridge.info/ https://noisebridge.info/] - Unicorn homepage

* [https://status.noisebridge.info/ https://status.noisebridge.info/] - [https://sourcegraph.github.io/checkup/ Checkup] is [https://github.com/sourcegraph/checkup a status page] and associated service that notifies us in Slack if one of our services go down! [https://tryingtobeawesome.com/checkup/ Blog post describing setup] is located here.
** To add new health checks for other services, edit <code>/home/noisebridge/services/checkup/checkup.json</code>. [https://github.com/noisebridge/config/blob/master/checkup.json See the configuration file here on our GitHub].

* [https://mt.noisebridge.info:30000 https://mt.noisebridge.info:30000] - [https://www.minetest.net/ MineTest] is a fully open variant of Minecraft! Join us and enjoy.

* [https://minio.noisebridge.info/ https://minio.noisebridge.info/] - [https://minio.io/ Minio] instance (S3-compatible storage)
** Ask @elimisteve or [[User:James|@James]] for the auth keys needed for login

* [https://doc.noisebridge.info https://doc.noisebridge.info] - [https://github.com/hedgedoc/hedgedoc HedgeDoc] is a [[Doc|collaborative document]] editor formerly known as CodiMD

* [https://discuss.noisebridge.info/ https://discuss.noisebridge.info/] - [https://www.discourse.org/ Discourse] instance (discussion forums)

* [https://mumble.noisebridge.info/ https://mumble.noisebridge.info/] - [https://www.mumble.info/ Mumble] Audio chat over VOIP. Scales easily to hundreds of users.

* [https://gossip.noisebridge.info/ https://gossip.noisebridge.info/] - [https://www.scuttlebutt.nz/ Secure Scuttlebutt] - asynchronous p2p network. Details on our [[Pub]] wiki page.

* [https://bridge.noisebridge.info/ https://bridge.noisebridge.info/] - [https://github.com/RSS-Bridge/rss-bridge RSS-Bridge] converts arbitrary websites into RSS & Atom feeds. [[RSSbridge| See our wiki page]].
** You may [https://github.com/RSS-Bridge/rss-bridge/wiki/Whitelisting white list] new entries at <code>/home/noisebridge/data/rss-bridge/whitelist.txt</code>

* [https://test-discuss.noisebridge.info https://test-discuss.noisebridge.info] - testing instance of Discourse so we can mess with upgrades and plugins.

* [https://chat.noisebridge.info/ https://chat.noisebridge.info/] - [https://rocket.chat/ Rocket.chat] instance (to replace our Slack!)

* [https://leapchat.noisebridge.info/ https://leapchat.noisebridge.info/] - [https://www.leapchat.org/ LeapChat] instance (ephemeral encrypted Slack in your browser!)
** Visit [https://leapchat.noisebridge.info/ https://leapchat.noisebridge.info/] -> Get redirected to new end-to-end encrypted room
** Messages disappear after 90 days
** Was largely built at Noisebridge, by @elimisteve and other volunteers
** Contribute here (AGPLv3): [https://github.com/cryptag/leapchat https://github.com/cryptag/leapchat]

* [https://projects.noisebridge.info https://projects.noisebridge.info] - [https://secure.phabricator.com/ Phabricator] for management of Git, Mercurial, Subversion.

* [https://login.noisebridge.info https://login.noisebridge.info] - basic SSO for guarding services w/o their own account system (uses the Noisebridge Slack as the identity provider)

* [https://printprintprint.noisebridge.info https://printprintprint.noisebridge.info] - remote access to the OctoPrint instance driving our Creality CR-10 3D printer

* [https://space.noisebridge.info space.noisebridge.info] - experimental virtualized www edition of nbsp by Ⅹ

* [https://x.noisebridge.info x.noisebridge.info] - experimental personal site for Ⅹ

* [https://share.noisebridge.info share.noisebridge.info] - Next Cloud VM instance setup by James & Ⅹ

== System Info ==

* Homepage URL: [https://noisebridge.info noisebridge.info]

* IP: <code>172.93.55.252</code>

* OS: Debian 10 Buster x86_64

* Web server: Nginx is running on ports 80 and 443

* Domains: Current domains and subdomains hosted on this server: (see <code>/etc/nginx/sites-enabled/*</code>)

* DNS: all <code>*.noisebridge.info</code> subdomains point to this server, as does the naked domain (<code>noisebridge.info</code>)

* SSL: certbot runs every day to renew certs for all (sub)domains it knows about
** ...but to manually renew, run <code>/home/noisebridge/bin/recert; sudo service nginx restart</code>

* To add a new service at, say, <code>somethingcool.noisebridge.info</code>...
** Create a file similar to <code>/etc/nginx/sites-available/noisebridge.info</code> called <code>/etc/nginx/sites-available/somethingcool.noisebridge.info</code>
** Run <code>sudo ln -s /etc/nginx/sites-available/somethingcool.noisebridge.info /etc/nginx/sites-enabled/somethingcool.noisebridge.info; sudo nginx -t</code>
** If you don't get any errors, add <code>-d somethingcool.noisebridge.info</code> to <code>/home/noisebridge/bin/recert</code> then run <code>/home/noisebridge/bin/recert</code> to (U)pdate the <code>*.noisebridge.info</code> SSL cert!

* Unicorn uses [https://wiki.ubuntu.com/UncomplicatedFirewall ufw] to whitelist which ports can receive incoming connections from the outside world.
** To add a port to the whitelist: <code>sudo ufw allow <port></code>
** To list firewall rules: <code>sudo ufw show added</code>
** To delete a firewall rule: <code>sudo ufw delete <rule></code>
** To view (and delete) rules chronologically rather than by port: <code>sudo ufw status numbered</code>

== Rules and Guidelines ==

* Be excellent to each other
** Don't fuck up other people's shit

* Usage of containers is encouraged where practical, but not required
** Databases sometimes have issues running in Docker, for example

* If you need a different version of some database that is already running on the default port, run the version you need in a Docker container, or on a different port (and that stores its data in a different directory!)

== SSH Config ==

<code>
I can haz access?
Yes, but you are agreeing to be excellent to each other!
</code>

Consider generating a new SSH key pair with

<code>$ ssh-keygen -b 4096</code>

then calling it, say, <code>unicorn-nb</code>, then add this to your <code>~/.ssh/config</code> file:

<code>
Host unicorn-nb 
User noisebridge 
Hostname 172.93.55.252 
PreferredAuthentications publickey 
IdentityFile ~/.ssh/unicorn-nb 
</code>

If your SSH pub key (<code>~/.ssh/unicorn-nb.pub</code>) has been added to <code>unicorn-nb:~/.ssh/authorized_keys</code>, you should now be able to shell in by typing

<code>$ ssh unicorn-nb</code>

...and thanks to the <code>~/.ssh/config</code> entry, the name of the server you're trying to SSH into -- namely <code>unicorn-nb</code> in this case -- should autocomplete! Add your name to the access list below!

== SSH Access ==

* [[User:Mpmckenna8|@mpmckenna8]] - Matt M
* [[User:James|@James]] - James
* [[User:bfb|@bfb]]
* [[User:mana|mana]]
* [[User:tdfischer|Victoria]]
* [[User:Elimisteve|@elimisteve]]
* [[User:Rando|@rando]]
* [[User:spinda|@spinda]]
* [[User:Ⅹ|Ⅹ]]
* [https://github.com/marcoEDU/ @marco]
* [https://discuss.noisebridge.info/u/jnaulty jnaulty]
* [[User:r|@r]]
* [[User:jermops|@jermops]]
* [[User:culteejen|@culteejen]]
* [[User:pml|@pml]]

For SSH access, [https://discuss.noisebridge.info/ post to Discuss] or visit the #Unicorn Slack channel and ask @jslack, @elimisteve.

== DNS Access ==

noisebridge.info is registered on NameCheap.com . As of 2019.02.13, @mindfu, @elimisteve, and @jslack have permission to edit DNS (on NameCheap).

Keeping in mind that <code>*.noisebridge.info</code> already points to Unicorn, if you nonetheless need to edit DNS, tell [[User:Elimisteve|@elimisteve]], [[User:James|@jslack]], or @mindfu your NameCheap username or email.

== Slack SSO ==

Services without their own authentication systems can be shielded a smidge from the ravages of the open internet by placing them behind the basic single sign-on (SSO) gateway at [https://login.noisebridge.info https://login.noisebridge.info].

In the target service's nginx configuration, add <code>include snippets/auth-init.conf;</code> toward the start of the main <code>server</code> block. Somewhere after that, add <code>include snippets/auth-require.conf;</code>, either in the <code>server</code> block or in the specific <code>location</code> block(s) you want to protect. See <code>/etc/nginx/sites-available/printprintprint.noisebridge.info</code> for an example.

Unauthenticated visitors will be redirected to Slack to sign in (via OAuth) with their Noisebridge Slack account, then redirected back to their destination. The login service injects a cookie to keep track of user sessions, and intercepts requests via nginx's <code>auth_request</code> mechanism to check for the presence of a valid cookie. See [https://printprintprint.noisebridge.info https://printprintprint.noisebridge.info] for what this looks like in the wild.

If configured on a reverse proxy-based service, the SSO gateway will automatically pass on the logged-in user's ID and Slack name via the <code>X-Noisebridge-User-ID</code> and <code>X-Noisebridge-User-Name</code> headers, respectively.

Note the intent here isn't to exclude anyone by requiring authentication, but to provide a modicum of protection against drive-by mischief for those services that need it (like OctoPrint).

Noisebridge - User contributions [en]

Unicorn