[tor-bugs] #32532 [Internal Services/Tor Sysadmin Team]: Install ZNC on Chives, make pastly admin it
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 18 21:35:36 UTC 2019
#32532: Install ZNC on Chives, make pastly admin it
-------------------------------------------------+-------------------------
Reporter: pastly                                 | Owner: pastly
Type: defect                                     | Status: assigned
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Normal                                 | Resolution:
Keywords:                                        | Actual Points:
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* owner: anarcat => pastly
* status: accepted => assigned
Comment:
i have created the ircbouncer role (user) and group on chives. the user
has the rights to keep persistent user-level services running through
systemd, also known as "lingering". the documentation on how to use that
to run services is detailed here:
https://help.torproject.org/tsa/doc/services/
it is your responsibility to start the service and keep it running, our
systemd things will just run whatever the service file says. :)
so `sudo -u ircbouncer` to get to the privileged account. i've made you
part of the group which should give you that privilege, let me know if
that doesn't work.
i've also added the `ircbouncer` user to the `ssl-cert` group so it can
access the X509 certificates. those certs are the following files:
{{{
root@chives:~# ls -al /etc/ssl/private/ircbouncer.torproject.org.* /etc/ssl/torproject/certs/ircbouncer.torproject.org.crt*
-r--r----- 1 root ssl-cert 7178 nov 18 20:42 /etc/ssl/private/ircbouncer.torproject.org.combined
-r--r----- 1 root ssl-cert 3244 nov 18 20:42 /etc/ssl/private/ircbouncer.torproject.org.key
-r--r--r-- 1 root root 2286 nov 18 20:42 /etc/ssl/torproject/certs/ircbouncer.torproject.org.crt
-r--r--r-- 1 root root 1649 nov 18 20:42 /etc/ssl/torproject/certs/ircbouncer.torproject.org.crt-chain
-r--r--r-- 1 root root 3934 nov 18 20:42 /etc/ssl/torproject/certs/ircbouncer.torproject.org.crt-chained
}}}
Those are basically:
* `.key`: the private key
* `.crt`: the public key
* `.crt-chain`: the "chain" bits that might be required in some browsers
* `.crt-chained`: the above two together
* `.combined`: all of the above
Usually, the `.key` and `.crt` are enough, but sometimes you need the
`.crt-chained` instead of the `.crt`.
The onion service is also up and running, under (i believe)
`eibwzyiqgk6vgugg.onion`. It currently points at
ircbouncer.torproject.org:80 which of course is not listening. That's the
next step: we need to figure out how to give you access to port 80 here.
My suggestion would be that you start by setting up the bouncer and its
web interface on whatever (stable) port you can, and access it over an SSH
tunnel for now. Once you're happy with this (or if you can't use SSH
tunnels for some reason), let me know what the port number is, and I'll
set up an Nginx forward, reusing those nice little X509 certs as well.
TL;DR: checklist status:
* [x] znc install (anarcat)
* [x] ircbouncer role account and group (anarcat)
* [x] sudo access (anarcat)
* [x] enable-linger (anarcat)
* [x] x509 certs (anarcat)
* [x] hidden service (anarcat)
* [ ] systemd.service configuration (pastly)
* [ ] znc configuration (pastly)
* [ ] web interface configuration (pastly)
* [ ] nginx proxy (anarcat)
let me know if you have any questions!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32532#comment:5>
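An added example of what the "systemd.service configuration (pastly)" step from the comment above could look like; this is not from the ticket or from TPO's own tooling. It assumes the user-level unit approach the comment describes (a unit under `~/.config/systemd/user`, kept alive after logout by lingering, which root has already enabled for the account). The unit body, the `--datadir` path and the unit name are assumptions; ZNC's `--foreground` and `--datadir` flags are real.

```shell
#!/bin/sh
# Added example (not from the ticket): a systemd *user* unit for ZNC, installed
# and started from the ircbouncer account. With lingering enabled, the user
# manager (and so this unit) keeps running when nobody is logged in.
# Unit body, data directory and unit name are assumptions.

# Print the unit. ZNC must stay in the foreground so that systemd supervises
# the real process instead of a forked parent that exits immediately.
znc_unit() {
    cat <<'EOF'
[Unit]
Description=ZNC IRC bouncer (user service)
After=network-online.target

[Service]
ExecStart=/usr/bin/znc --foreground --datadir=%h/.znc
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=default.target
EOF
}

# Install the unit for the calling user and start it.
# Gotcha when arriving via "sudo -u ircbouncer" rather than a real login:
# "systemctl --user" needs XDG_RUNTIME_DIR to find the user manager's bus,
# and sudo does not set it, so point it at /run/user/<uid> explicitly.
install_znc_unit() {
    export XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    unit_dir="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
    mkdir -p "$unit_dir"
    znc_unit > "$unit_dir/znc.service"
    systemctl --user daemon-reload
    systemctl --user enable --now znc.service
    systemctl --user status znc.service --no-pager
}

# Run as the service account: sh znc-user-unit.sh install
if [ "${1:-}" = "install" ]; then
    install_znc_unit
fi
```

The listener ZNC opens stays on an unprivileged port, as the comment suggests, so the unit needs no capabilities; the SSH tunnel or the later Nginx proxy is what exposes the web interface.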
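An added example for the certificate file layout listed in the comment above (`.key`, `.crt`, `.crt-chain`, `.crt-chained`, `.combined`): a small check a service owner can run before pointing ZNC or Nginx at the files. It is not from the ticket or from TPO's tooling. It assumes the two directories shown in the listing (private material under one, public certificates under another), that `.crt-chained` is the leaf certificate followed by the chain (the order TLS clients expect), and that `.combined` holds the private key plus that chain; the function and argument names are hypothetical. If `openssl` is installed it additionally confirms the key belongs to the leaf certificate.

```shell
#!/bin/sh
# Added example (not from the ticket): sanity-check a TPO-style certificate
# bundle. Assumptions: leaf-then-chain order in .crt-chained, key + chain in
# .combined, private files in one directory and public ones in another.

# Number of PEM blocks of the given type ("CERTIFICATE", "PRIVATE KEY") in a
# file; prints 0 rather than failing when there are none.
pem_count() {
    grep -c -- "^-----BEGIN .*$2-----" "$1" 2>/dev/null || true
}

# The "other" permission bits of a file, e.g. "---" for mode 0440 (portable:
# parsed from ls rather than GNU stat).
world_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# Record a problem but keep going so every issue is reported at once.
fail() {
    echo "FAIL: $*" >&2
    problems=$((problems + 1))
}

# check_bundle PRIVDIR CERTDIR NAME
# e.g. check_bundle /etc/ssl/private /etc/ssl/torproject/certs ircbouncer.torproject.org
# Returns 0 when the five files are present, consistent and properly protected.
check_bundle() {
    priv_dir=$1; cert_dir=$2; name=$3; problems=0
    key="$priv_dir/$name.key"
    combined="$priv_dir/$name.combined"
    crt="$cert_dir/$name.crt"
    chain="$cert_dir/$name.crt-chain"
    chained="$cert_dir/$name.crt-chained"

    for f in "$key" "$combined" "$crt" "$chain" "$chained"; do
        [ -f "$f" ] || fail "missing file: $f"
    done
    [ "$problems" -eq 0 ] || return 1

    # Private material must not be world-readable. .combined carries the key
    # too, so it gets exactly the same rule as .key (the listing above shows
    # both as 0440 root:ssl-cert).
    for f in "$key" "$combined"; do
        [ "$(world_bits "$f")" = "---" ] || fail "$f is world-readable"
        [ "$(pem_count "$f" 'PRIVATE KEY')" -ge 1 ] || fail "$f has no private key block"
    done

    # Public parts: one leaf, at least one intermediate, and the chained file
    # must be leaf + chain in that order; .combined must carry the whole chain.
    n_crt=$(pem_count "$crt" CERTIFICATE)
    n_chain=$(pem_count "$chain" CERTIFICATE)
    n_chained=$(pem_count "$chained" CERTIFICATE)
    n_combined=$(pem_count "$combined" CERTIFICATE)
    [ "$n_crt" -eq 1 ] || fail "$crt should hold exactly one certificate, has $n_crt"
    [ "$n_chain" -ge 1 ] || fail "$chain holds no certificate"
    [ "$n_chained" -eq $((n_crt + n_chain)) ] || fail "$chained is not leaf + chain"
    [ "$n_combined" -eq "$n_chained" ] || fail "$combined does not carry the full chain"
    n_lines=$(( $(wc -l < "$crt") ))
    head -n "$n_lines" "$chained" | cmp -s - "$crt" \
        || fail "$chained does not start with the leaf certificate"

    # With openssl available, prove the key and the leaf share a public key.
    if command -v openssl >/dev/null 2>&1; then
        pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        pub_crt=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
        [ -n "$pub_key" ] && [ "$pub_key" = "$pub_crt" ] || fail "$key does not match $crt"
    fi
    [ "$problems" -eq 0 ]
}

if [ "$#" -eq 3 ]; then
    check_bundle "$1" "$2" "$3" && echo "bundle OK"
fi
```

Run it as the service account (which is in `ssl-cert`) so that the permission check reflects what the service will actually be able to read; a failure on the `.combined` line is the one to watch for, since a world-readable copy of the key hidden inside a file named like a certificate is easy to overlook.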