Skynet/wiki
6
0
Fork 5
Code Issues 2 Pull requests 1 Projects Releases Packages Wiki Activity Actions

WIP: Add more documentation/procedures #31

Draft
silver wants to merge 22 commits from fyp_procedures into main
pull from: fyp_procedures
merge into: Skynet:main
Conversation 0 Commits 22 Files changed 23 +809 -26
23 changed files with 809 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.githooks/post-checkout
View file

@ -1,3 +0,0 @@
#!/bin/sh
command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'post-checkout' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; }
git lfs post-checkout "$@"

3
.githooks/post-commit
View file

@ -1,3 +0,0 @@
#!/bin/sh
command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'post-commit' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; }
git lfs post-commit "$@"

3
.githooks/post-merge
View file

@ -1,3 +0,0 @@
#!/bin/sh
command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'post-merge' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; }
git lfs post-merge "$@"

4
.githooks/pre-commit
View file

@ -1,4 +0,0 @@
#!/usr/bin/env bash
tar czf _git.tar.gz --exclude .git/lfs .git
git add _git.tar.gz

3
.githooks/pre-push
View file

@ -1,3 +0,0 @@
#!/bin/sh
command -v git-lfs >/dev/null 2>&1 || { echo >&2 "\nThis repository is configured for Git LFS but 'git-lfs' was not found on your path. If you no longer wish to use Git LFS, remove this hook by deleting the 'pre-push' file in the hooks directory (set by 'core.hookspath'; usually '.git/hooks').\n"; exit 2; }
git lfs pre-push "$@"

BIN
_git.tar.gz (Stored with Git LFS)
View file

Binary file not shown.

4
flake.nix
View file

@ -19,8 +19,6 @@
packages = with pkgs.python3Packages; [
mkdocs
mkdocs-material
mkdocs-git-authors-plugin
mkdocs-git-revision-date-localized-plugin
];
in {
formatter = alejandra.defaultPackage.${system};
@ -28,7 +26,7 @@
name = "skynet-wiki";
src = self;
buildInputs = packages;
buildPhase = "tar -zxf _git.tar.gz && mkdocs build";
buildPhase = "mkdocs build";
installPhase = "mkdir -p $out; cp -R site/* $out;";
};

8
mkdocs.yml
View file

@ -25,10 +25,10 @@ theme:
view: material/eye
plugins:
- search
- git-authors:
show_email_address: false
- git-revision-date-localized:
enable_creation_date: true
# - git-authors:
# show_email_address: false
# - git-revision-date-localized:
# enable_creation_date: true
markdown_extensions:
- tables
- pymdownx.caret

78
src/procedures/admin_modify.md Normal file
View file

@ -0,0 +1,78 @@
# Change Admins
A Skynet Admin is a user with teh highest level of access to the cluster, having been trained up over a year.
This guide will cover adding and removing an Admin.
The normal Committee Member process applies to them as well, so check [here](committee_modify.md#adding) for teh specific details.
A user cannot add or remove themselves from being an admin, an existing admin must do so (one who will still be admin after the procedure).
## Add
Steps to add a new Admin
### NixOS
There are several steps related to the NixOS repo on Forgejo.
#### Username Added
Like a normal committee member the users username must be added to the [``config/users.nix``][users.nix], specifically the admin section.
This gives teh user teh correct Skynet roles on our services.
This also enables them to use their personal account to login to all the servers.
#### SSH Key
##### Root Account
There is a ``root`` account that admins can use.
To be able to login as root you have to add you key to the keys for ``root``
You can add it in the [``machines/_base.nix``][base.nix].
##### Secrets Management
We store our secrets encrypted in the repo using a tool called ``agenix``, a nix implementation of [age][age].
In order to create/edit any secret your key has to be added to [``secrets/secrets.nix``][secrets.nix].
Add the key mimicking the format for the other admins.
Then add it to the users list/array.
Finally re-key the secrets
###### Re-key Secrets
In order to re-key the secrets your key must have been previously added (this just not work if you have just added your key, an existing admin must do this).
```shell
# enter the devshell
nix develop
# Move into teh secrets folder
cd secrets
# Re-key the secrets
agenix -R
```
Then commit the changes.
### VPN
The VPN is what allows admins to get access to the internal parts of teh cluster when not on campus.
It is provided by ITD.
1. Add an entry to the bottom of [``ITD/VPN_Admins.csv``][VPN_Admins.csv]
2. Add an entry to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv] with ``Pending`` for teh Action.
3. Open up a [TopDesk request with ITD](./topdesk.md) to add the new Admin.
4. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
5. When complete mark the entry ``Added`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
## Remove
For teh most part the removal/retirement of an admin is just the opposite of the adding.
The main difference is contacting ITD to remove them from the VPN.
### VPN
1. Open up a TopDesk request with ITD to remove the old Admin.
2. Add the ticket reference to [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv]
3. When complete mark the entry ``Removed`` on [``ITD/VPN_Admins_changes.csv``][VPN_Admins_changes.csv].
[users.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/config/users.nix#L76
[base.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/machines/_base.nix#L75
[secrets.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/secrets/secrets.nix#L3-L18
[VPN_Admins.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins.csv
[VPN_Admins_changes.csv]: https://forgejo.skynet.ie/Skynet/nixos/src/commit/b46eca16b0b207d14e173d4e40286160749c5c07/ITD/VPN_Admins_changes.csv
[age]: https://github.com/FiloSottile/age

0
src/procedures/admin_ssh.md Normal file
View file

95
src/procedures/alumni_verify.md Normal file
View file

@ -0,0 +1,95 @@
# Alumni Verification
We are an old Society (1992-<span id="year">now</span>) with a long history of members staying members long after they leave UL.
In 2023 we had an outage ([see here for more information][outage_2023]) which lead to us loosing contact with many of these since their contact details were their Skynet email.
We are also required to ensure that all active Skynet accounts are linked to a UL Computer Society membership.
This put us in the catch22, where folks needed their Skynet account in order to gain access to their Skynet account.
Many of these people want to regain access to their accounts and will make a request for help.
## How to process Requests
These requests to gain access to an old Skynet account may come in through one of our Email addresses (``contact@skynet.ie``) or from our [Discord][discord]
### Email
Keep an eye on the inboxes ye have access to.
Ensure that you have set up the aliases correctly (TODO: Email Aliases).
Aside from that be polite.
### Discord
Generally users will bring up their query in ``help-and-support``.
It is recommended that you create a Private thread and ping them to bring them into it.
This ensures that no private information will leak out.
#### How to create a Private Thread
1. Bottom left there is a Plus icon, click on that and select the ``Thread`` option.
![plus_icon.png](alumni_verify/plus_icon.png)
2. In teh segment that popped up tick the Private Thread checkbox.
![private_thread.png](alumni_verify/private_thread.png)
## The user recovers their own account.
The easiest way is that the user can recover their own account.
This works if they know their own username/password.
See [Account Recovery here][account_recovery] for more details.
If the user's account is old enough that the password is hashed with CRYPT then tehy will be unable to reset it themselves (even if they know teh password).
This is due to CRYPT being specific to the *machine* it is on, and the LDAP server has moved several times since in the last two decades.
In which case check out the following methods.
## Check if there is ``.forward``
A ``.forward`` file was placed in a users home directory to forward all incoming mail to that address.
```shell
USER="username"
# Output a list of paths if one exists for this user
find /skynet_old/{mailconfig,home}/$USER-name '.forward'
# use cat to output the contents to teh terminal
cat /skynet_old/mailconfig/$USER/.forward
```
### Usernames
One possible contents of the file is one or more Skynet usernames.
These are not too useful for our use case.
```
usera
userb
```
### Email(s)
What we are looking for is an email (identity) to tie the Skynet account to.
In which case you can check with the user that they still have access to teh email.
Get them to send you a mail from that account and verify the headers (TODO: Email headers)
```
username@example.com
```
## Find a link to Personal Email
Nothing in the ``.forwards`` or they no longer have access to the email its time to see if you can tie their current identity to skynet.
This is mostly possible since many members used to send mail between their Skynet account and their private account.
SSH into ``skynet.skynet.ie`` and run:
```shell
EMAIL="email@example.ie"
USER="username"
grep -r "$EMAIL" /skynet_old/{home,mail,mailconfig}/$USER
```
It may take a while to run depending on the contents of these folders.
in some cases they may have proof of their ID, in which case you can search for that.
Honestly the output of this is vibes based.
If there are forwarded email headers its a strong indication.
If a file in their ``public_html`` shows up that is also a strong indication.
The easiest one is if nothing pops up.
Remember you are the guardian of data on Skynet, if a user cannot prove a connection you are not obligated to grant them access.
[outage_2023]: ../support/recovery.md
[discord]: https://discord.skynet.ie
[account_recovery]: ../../support/recovery#account-recovery
<script>
/* I am a lazy fucker */
document.getElementById('year').textContent = new Date().getFullYear().toString()
</script>

BIN
src/procedures/alumni_verify/plus_icon.png (Stored with Git LFS) Normal file
View file

Binary file not shown.

BIN
src/procedures/alumni_verify/private_thread.png (Stored with Git LFS) Normal file
View file

Binary file not shown.

48
src/procedures/committee_modify.md Normal file
View file

@ -0,0 +1,48 @@
# Change Committee Members
This page covers the adding and removing of UL Computer Society committee members.
## Adding
Before starting the committee member in question *must* have a Skynet Account.
This is because we have several services that require authentication to access.
Details on how to create one can be found [here][skynet_account_creation].
Once they have an account add their username to [``config/users.nix``][users.nix].
Then commit and push.
Once everything is deployed they should have access to all resources within 15 min.
If you require it sooner than that see the [Force Update](#force-update) section below.
Next checkout the page on [VaultWarden](vaultwarden.md) to add the user to the password manager.
## Removing
Removing is essentially the same as adding.
Remove their username to [``config/users.nix``][users.nix].
Then commit and push.
## Force Update
If you need to hasten an update you can log into teh server to give it a (virtual) kick.
### SSH into Kitt
Kit is teh home of the user accounts.
```shell
ssh root@kitt.skynet.ie
```
### Once attached run these commands
```shell
# reboot the main process
systemctl restart skynet_ldap_backend.service
# Update the data (this ensures that folks are current members)
systemctl restart skynet_ldap_backend-update_data.service
# Apply the new group roles
systemctl restart skynet_ldap_backend-update_groups.service
```
### Exit the terminal.
```shell
quit
```
[skynet_account_creation]: ../tutorials/skynet/create_account.md
[users.nix]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/config/users.nix#L52

19
src/procedures/domains_renew.md Normal file
View file

@ -0,0 +1,19 @@
# Renewing Domains
While ``skynet.ie`` is sponsored by Blacknight (and we have one more from UL) we still have ``ulcompsoc.ie`` as a backup.
It needs renewing every two years and costs roughly €40/year for this.
Renewing every two years gives us some breathing space.
1. [Login][login] to Blacknight
* ``username`` and ``password`` are on [Vaultwarden](./vaultwarden.md)
2. ``Domains`` > ``My Domains`` > ``ulcompsoc.ie``
3. Under ``Actions`` select ``Renew Domain``
4. ``Add to Cart`` > ``Checkout``
5. In the ``Review & Checkout`` page there are several options to pay.
* Card - probably the fastest, you will have to submit an invoice to the Treasurer though. (TODO: Section on how to submit invoices)
* Paypal - Same as Card.
* Bank Transfer - Possibly the best, talk to Treasurer about this.
6. Done
[login]: https://cp.blacknighthosting.com/index.php/login

186
src/procedures/minecraft.md Normal file
View file

@ -0,0 +1,186 @@
# Minecraft Server
Skynet can host many game servers, however one of the most popular (going back through teh years) is Minecraft.
## Base Templates
The base templates for the servers are called [eggs][eggs].
These are basically scripts to setup and run the servers in question.
These are created by laying other eggs on top of each otehr to create a single config.
Bit of a PITA to make.
### mcsleepingserverstarter-Packwiz-Purpur-Geyser-Floodgate
This is the core Minecraft egg and can be found [here][eggs_main].
It comprises of several components bodged together
#### Sleeping Server Starter
This is a core component of being able to host multiple servers for multiple Clubs/Socs as it allows us to reduce the footprint of the server when nto so many folks are using it.
It listens on Java and Bedrock ports as a low power process and when someone tries to connect it spins up the full server.
Coupled with a plugin which shuts down teh server after the last person leaves it is pretty good for keeping resourse useage low.
#### Packwiz
Packwiz is a package/plugin/mod manager for minecraft which is compatible with source control.
The main repo for the plugins can be found [here][config_repo], with branches for each server configured with it
It allows us to have several plugins as a base that can be used by all servers.
##### Geyser and Floodgate
These pair together to allow bedrock players to connect and play with a Java server.
Quite useful as this encompasses console players.
##### ViaVersion
This and its partner plugins allow people who dont have the exact right version to match the server to connect.
Not perfect but it works pretty well.
#### Purpur
Purpur is a minecraft server which supports plugins.
It is a descendant of Paper and Bukkit and can use plugins built for those.
## Server - New
### Create user account
On the [admin page][panel_users] create an account for the Club/Soc which is getting the server.
Use their UL Wolves email for the email, username can be whatever as long as its descriptive of the Club/Soc.
Their role should be ``Server Admin``.
For password use a random string (I use 42 characters) and then email it to their Wolves address.
We are able to reset it in the future if required.
### Server setup
#### Config
1. On the [config repo][config_repo] fork off of main and name it after the Club/Soc and push.
2. Then on the web version of teh repo find that branch and teh ``pack.toml`` and click into it.
3. In the top right hand corner of the file you will see a button called ``raw``, select that.
![Raw File Button](minecraft/raw_file.png)
4. Copy the link of the page, will be used shortly.
#### Pelican Setup
On Pelican, on the [servers page][panel_servers] create a new server.
##### Information
###### Name
Enter teh Club/Soc who is getting it.
###### Owner
Select teh account you created earlier.
###### Primary Allocation
You will need to select the ``+``.
For ``IP Address`` select teh ``193.1.99.xyz`` address.
For ``Ports`` enter the minecraft port you have chosen, you can see the existing ports on [NixOS][nixos_minecraft]
Java ports take the form of ``255XY`` while Bedrock takes ``244XY``, with teh ``XY`` being teh same for both (makes it easier to keep track).
Once ye have that chosen click on teh ``Next Step``.
##### Egg Configuration
###### Egg
Select the ``mcsleepingserverstarter-Packwiz-Purpur-Geyser-Floodgate`` egg.
###### Packwiz URL
Then enter teh URL you copied previously into the input.
Once ye have that chosen click on teh ``Next Step``.
##### Environment Configuration
###### Memory
Set this to be ``Limited`` and between ``8000`` and ``12000``
Once ye have that chosen click on teh ``Create Server``.
#### NixOS
In NixOS you have to create DNS entries so folks can easily connect to teh server.
Location is in [``minecraft.nix``][nixos_minecraft], copy the existing format.
This will allow players to connect to ``minecraft.$CLUBSOC.games.skynet.ie``, although bedrock players will still need to use the port.
### Server Configuration
#### Discord
TODO: https://essentialsx.net/wiki/Discord-Tutorial.html
#### ``plugins/voicechat/voicechat-server.properties``
(TODO: add more about teh voice port)
Set teh port for use in teh voice chat.
```
port=24424
```
#### ``server.properties``
This is to allow bedrock users to text chat
````
enforce-secure-profile: false
````
#### ``plugins/Geyser-Spigot/config.yml``
Set the bedrock port
```yaml
bedrock:
port: 24423
```
Also set the authtype to be ``floodgate``
```yaml
remote:
auth-type: floodgate
```
#### ``sleepingSettings.yml``
Bedrock port needs to be added to this file:
```yaml
bedrockPort: 24423
```
## Server - Update
### Plugins Modification
#### DevShell
In the [config repo][config_repo] run this command to enter teh devshell which gives you access to ``packwiz``:
```shell
nix develop
```
#### Add
Once in the devshell use the add command to add a plugin.
```shell
packwiz modrinth add $LinkToModrinthPlugin
```
Commit and push.
#### Update
To update all plugins you can use this command
```shell
packwiz update --all
```
Commit and push.
#### Remove
To remove a plugin just delete the ``*.pw.toml``.
Then run the refresh command to update teh pack
```shell
packwiz refresh
```
Commit and push.
### Server Update
Now that teh pack has been updated you need to restart teh server to pull it in.
1. ``Stop`` the server
* This stops the java server, does not start teh ``sleepingserverstarter`` server.
2. ``Kill`` the server
* This stops the ``sleepingserverstarter`` server.
3. ``Start`` the server
* This restarts everything and pulls in teh updates.
[eggs]: https://panel.games.skynet.ie/admin/eggs
[eggs_main]: https://panel.games.skynet.ie/admin/eggs/22/edit?tab=-configuration-tab
[config_repo]: https://forgejo.skynet.ie/silver/Testing_packwiz
[panel_users]: https://panel.games.skynet.ie/admin/users
[panel_servers]: https://panel.games.skynet.ie/admin/servers
[nixos_minecraft]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/applications/games/minecraft.nix#L27

BIN
src/procedures/minecraft/raw_file.png (Stored with Git LFS) Normal file
View file

Binary file not shown.

37
src/procedures/proxmox.md Normal file
View file

@ -0,0 +1,37 @@
# Proxmox
A collection of all things proxmox related.
## Access
Proxmox can be found at [``193.1.99.73:8006``][webgui] when either on UL network or connected to the [VPN][vpn].
Login with your Skynet account.
The ``root`` account can be found on [Vaultwarden][vaultwarden].
If you are on Firefox you may need to refresh teh page if the ``No Valid Subscription`` popup fails to disappear after clicking ``ok``.
## Rebooting
### LCX's
For some LXC's (haven't tracked down teh root cause) their MAC address has issues when they reboot.
If you are trying to ssh into a LXC which has rebooted it can display ``No route to host``.
To fix:
1. [Login to Proxmox](#access)
2. Navigate to the LXC
3. Network tab, then double click on the network row.
* Clicking the row then the ``Edit`` button has teh same function.
4. Clear the MAC (so it reads ``auto``) then ``Save``
You will be able to ssh into that server now.
### Proxmox
[webgui]: https://193.1.99.73:8006/
[vpn]: ./admin_modify.md#vpn
[vaultwarden]: ./vaultwarden.md

178
src/procedures/server_new.md Normal file
View file

@ -0,0 +1,178 @@
# New Server (LXC)
This is the instruction guide for setting up a new LXC server.
Rough steps are as follows:
1. Plan the servers config
2. Login to Proxmox
3. Create Container using the base LXC image
4. Login to Server
5. Push new configuration
## Plan server Configuration
To allocate he correct resources there are a few questions that need to be asked and answered.
1. What will this server be **For**?
2. What will its **Name** be?
3. What will its **IP** be?
4. Fill the details into the tracking sheet.
### What is it **For**?
What a server is for dictates what hardware resources need to be allocated.
Is there one already existing that you can copy the configuration of?
Do you have prior experience with what will be hosted on it?
Is there documentation that you can use as a foundation?
When you know these, write it down and save for later.
### What is its **Name**?
In our cluster we have a very definite naming scheme for the servers we have.
There are two rules:
1. The login server (where folks have their home dirs and websites) is called Skynet.
* [This can be traced back to 2007][server_name_skynet]
* > By popular demand, the skynet name was retained for the login server
2. All other servers are also named after AI's
In the current cluster we tend to use groups of AI names for particular functions.
For example:
* Vigil/Vendetta were AI's in the Mass effect series, pointing Shepherd forward, so they are our DNS servers
* Glados/Wheatly from Portal, that game runs on the Source Engine, so they are our Source control servers
* Optimus/Bumblebee from Transformers, their origin is a line of toys, so fittingly our games servers.
* Neuromancer/Wintermute, from Neuromancer, each with multiple minds, thus became our backup (redundancy) servers.
If at all possible try to get the name to match its task.
Some past names and ideas for others can be found on [the nixos wiki][server_names]
### What is its **IP** address?
We have a ``/26`` allocation, so about 60 IP's we can make use of.
Like with the names above several servers are grouped together IP wise.
Check the [Server Inventory][server_inventory] to see what addresses are available.
### Tracking sheet
Now that ye have all the details about the build it is time to add them to the [Server Inventory][server_inventory].
Add a new one, incrementing the index, and fill in the rest of the information.
For the IP address if the last segment (ABC in this: 193.1.99.ABC) is less than 100 then add a leading ``0`` to it.
This is so that it can be easily sorted.
## Login to Proxmox
[Login to Proxmox](./proxmox.md#access)
## Create Container Using the Base LXC Image
The Proxmox documentation for LXC's is available [here][proxmox_lxc].
Top right there is a button [Create CT], that brings up a window.
Each section below is one of the tabs in the window.
### General
#### Hostname
This is the **Name** of the server, lowercase.
#### Unprivileged
Ensure this is ticked.
#### Nesting
Ensure this is ticked.
#### SSH Public Keys
Enter the ``root`` pub ssh key.
This is used to login to teh container later.
### Template
Select the container image, most likely ``nixos-system-x86_64-linux.tar.xz``.
### Disks
#### Storage
Most likely it is ``main_pool``, it should have a significant amount of storage available.
**DO NOT** use ``local-zfs``, this is on Proxmox's own drive and not suited for container data.
#### Disk Size
Self-explanatory, how much space you want to give teh container.
A minimum of 30Gb is suggested.
### CPU
One core minimum, larger servers will require up to 6 or so.
### Memory
Nixos will happily run on 512Mb if its load is not too intensive
### Network
#### Bridge
The main bridge we use is ``vmbr0`` which is for most servers as it connects to the normal Skynet DMZ.
We also have ``vmbr1`` which is for ``skynet.skynet.ie`` and connects to Skynet-EXT DMZ.
This is due to our users needing ssh access.
#### IPv4
##### IPv5/CIDR
This is the **IP** followed by ``/26``.
For example ``193.1.99.75/26``
##### Gateway
The main gateway we use is ``193.1.99.65``.
There is a secondary one for ``skynet.skynet.ie`` which is ``193.1.96.161``.
### DNS
You can either use ``use host settings`` or fill in ``193.1.99.120`` and ``193.1.99.109``.
### Confirm
Use this as a chance to review all the options.
There are a few gotcha's outlined above that ye do have to look over.
#### Start after created
Tick this box if you want it to boot up immediately after being installed.
## Login to Server
Now that the server is up and running it is time to login to it.
Assuming you have your SSH configured like (TODO: admin ssh config).
You just have to use ``ssh root@IP`` (for example ``ssh root@192.99.1.111``)
### Getting the server ssh key
We are logging in because we need to get the servers own ssh key.
You can find it in ``/etc/ssh``.
You have a choice between ``ssh_host_ed25519_key.pub`` and ``ssh_host_rsa_key.pub``.
``ssh_host_ed25519_key.pub`` is the recommended one.
### Using the server ssh key
This key is used to decrypt secrets stored in our Nixos repo and as such needs to be added there.
1. Add the key with the other system keys [here][nixos_secrets].
2. Add it to the systems array underneath that.
3. In the ``secrets`` folder run ``cd secrets && agenix -r`` to rekey the secrets.
* This is to give the new server access.
4. Commit all the changed files
## Push new configuration
### Create config
An example server config for nixos is [available here][nixos_template].
Copy it to a new file and name it ``name.nix``.
Fill in all relevant details (name/ip/name details/its purpose/...).
Finally add it to the bottom of the [``flake.nix``][nixos_flake].
Save and commit the files.
### Push Config
There are two ways to test out the config, manual and pipeline.
Each has pros and cons.
#### Manually
This requires your key to be added the the keys for the [root account][nixos_root] and your ``~/.ssh/config`` to be set up properly (TODO: SSH tutorial)
1. Build it with ``colmena build --on name``
2. If it builds ye can test deployment
3. Deploy it using ``colmena apply --on name``
#### Pipeline
Just push it to the repo and the pipeline will handle building and deployment.
The disadvantage of this is you cannot fix any mistakes before they are pushed.
[server_name_skynet]: https://2009.skynet.ie/history.html
[server_names]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/Possible_Server_Names.md
[server_inventory]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/ITD/Server_Inventory.csv
[proxmox_lxc]: https://pve.proxmox.com/wiki/Linux_Container
[nixos_secrets]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/secrets/secrets.nix#L35
[nixos_template]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/machines/_template.nix
[nixos_flake]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/flake.nix#L156
[nixos_root]: https://forgejo.skynet.ie/Skynet/nixos/src/branch/main/machines/_base.nix#L75

84
src/procedures/server_update_nixos.md Normal file
View file

@ -0,0 +1,84 @@
# Updating Servers (NixOS)
A short guide on how to update NixOS servers.
This is required at least once a semester in order to keep the systems up to date.
These are some of the easiest servers we have to update.
This is how you update it locally, and then deploy.
## Update
Invoke the devshell for the NixOS repo locally on your computer (TODO: Setup nix and into to devshell).
This will give you all the tools you need to update the NixOS servers.
In that shell you can run these commands.
```shell
# this will update every input, sometimes that is not desired
nix flake update
# This will update a single input, nixpkgs which will update the OS's
nix flake update nixpkgs colmena
# Update multiple at once, these are the core tools and utilities
# Recommended command
nix flake update nixpkgs flake-utils agenix arion alejandra colmena
```
## Build
Now that the inputs have been updated it is time to build it locally to ensure no errors pop up.
For any errors that pop up you can use ``--key-result`` in order to explore the system output.
```shell
# This will build all the servers locally
colmena build
# Build a single one
colmena build --on glados
# Build a logical group of them
colmena build --on @active-dns
# Build all but keep the outputs in ``.gcroots``
# This is useful if you need to explore the config locally
colmena build --keep-result
```
## Deploy
It is now time to commit and deploy the updates.
### Manually
Most of the flags from the build step above apply for teh deploy step.
You dont need to have the files committed to do this, so it cna be useful for testing.
```shell
# This will build all the servers locally
colmena deploy
# Build a single one
colmena deploy --on glados
# Build a logical group of them
colmena deploy --on @active-dns
```
### Pipeline
To deploy via the pipeline simply commit and push to Forgejo.
The pipeline will build and deploy to almost all the servers.
Downside of this is slow iteration for testing, but it is useful if you are pretty sure of teh changes.
#### Git Server/Runner
The CI/CD pipelines we have run on Glados and Wheatly, as such the pipelines are not able to update these two servers on their own.
These need to be updated manually using any of these commands:
```shell
# This will deploy all the servers
colmena deploy
# Deploy a single one
colmena deploy --on glados wheatly
# Deploy a logical group of them
colmena deploy --on @active-git
```

16
src/procedures/server_update_proxmox.md Normal file
View file

@ -0,0 +1,16 @@
# Updating Servers (Proxmox)
A short guide on how to update servers running Proxmox VM Host
There is documentation for Proxmox available on teh [web][docs_web] and locally on teh server [itself][docs_inbuilt].
The inbuilt ones are preferred since they match teh version of Proxmox we are using.
In both there is a chapter called [``System Software Updates``][docs_inbuilt_update] which tells you how to update.
When there is a major version released there will be a new link on [this page][docs_wiki] in teh format of:
``Upgrade from $VersionCurrent to $VersionNext``
[docs_inbuilt]: https://193.1.99.73:8006/pve-docs/pve-admin-guide.html
[docs_inbuilt_update]: https://193.1.99.73:8006/pve-docs/pve-admin-guide.html#system_software_updates
[docs_web]: https://pve.proxmox.com/pve-docs/pve-admin-guide.html
[docs_wiki]: https://pve.proxmox.com/wiki/Category:Upgrade

18
src/procedures/topdesk.md Normal file
View file

@ -0,0 +1,18 @@
# Topdesk Tickets
UL and ITD uses TopDesk to allow students to submit support tickets to ITD.
In our case we mostly use it to open and close ports.
ITD also uses it to contact us about any security issues.
Because we have to keep records, and because Skynet is not a student we cannot use TopDesk teh normal way.
1. Ensure that you have set up your email aliasing for ``skynet_topdesk[at symbol]skynet.ie``. (TODO: email aliasing)
2. Login to your Skynet email account and enable the ``skynet_topdesk[at symbol]skynet.ie`` profile.
3. Set ``[Skynet]`` to be the first part of the Subject, the remainder can be about teh contents of teh ticket.
4. Set the to address to be``ITD.ServiceDesk[at symbol]ul.ie``.
Check yer inbox often enough after that, they normally respond within 24hrs and may have some questions.
Sometimes they also use it in case their security software captures any issues.
Additionally if they attach any images/files to the ticket also request that they send it to ``skynet_topdesk[at symbol]skynet.ie``.
Because we cannot view the ticket on TopDesk these dont get loaded for us.

36
src/procedures/vaultwarden.md Normal file
View file

@ -0,0 +1,36 @@
# Vaultwarden
[Vaultwarden][vaultwarden_github] is rust based server implmentation of [Bitwarden][bitwarden_github].
One of the core reasons why we went with Vaultwarden over the original Bitwarden is that it gives us access to Org Mode.
This allows us to have an organisation with multiple members with access to passwords, as well as controlling their access.
Additionally we are using [Bitwarden Directory Connector][bitwarden-dc_github] to sync our ldap groups to vaultwarden.
This is how Admins and Committee can access the password manager.
it also removes folks access once they no longer meet the requirements (be committee or admin).
Vaultwarden is not available for regular Skynet users since we do not want teh responsibility of managing their passwords, since the cost of failing is so high (for us)
The instance is available at [``pw.skynet.ie``][pw].
## Adding Users
When a committee member gets [added](committee_modify.mddding) they will become of teh committee LDAP group.
When this group is synced with Vaultwarden then that member will get an email to their Skynet account to ``Join UL Computer Society``.
The member should then click on teh link in that email.
They will then have to choose a password to access the password manager, the password tied to their Skynet account does nto sync for security reasons.
The user will then need to be confirmed in the [organisation panel][pw_org].
Once that is complete they will have access to Computer Societies AND/OR Skynet's passwords, depending if they are committee or a Skynet admin.'
## Resending Invites
If the user does not accept the invite within a day or so the invite will expire.
In the [organisation panel][pw_org], to the far right of teh user there is a ``⋮``.
Selecting it will give an option to resend the invite.
[vaultwarden_github]: https://github.com/dani-garcia/vaultwarden
[bitwarden_github]: https://github.com/bitwarden/server
[bitwarden-dc_github]: https://github.com/bitwarden/directory-connector
[pw]: https://pw.skynet.ie/
[pw_org]: https://pw.skynet.ie/#/organizations/ca0eacc2-988f-4368-b85f-40061eefd453/members