IRC Infrastructure

From Whiteboard

The WTPA IRC server is at irc.wherestheparty.at. Mike and Matt administer the server. Shell accounts are provided on request and the IRC server itself is publicly accessible. Here is some information on managing the infrastructure.

The IRC server (irc.wherestheparty.at) and the shell host (mosquitoes.wherestheparty.at) are FreeBSD jails that both live on a single physical host, ipad.wherestheparty.at. Mike and Matt have access to this host; because the jails are administered from ipad, anyone with root on ipad effectively has root in both jails.

They maintain a todo list on ipad in ~root/TODO.

SSH

SSH on ipad and irc listens on port 8022 and is reachable only from matthoran.com and mike-burns.com. To connect from any other host, jump through one of those machines by adding the following to ~/.ssh/config (on OpenSSH 7.3 and later, ProxyJump matthoran.com is equivalent to the ProxyCommand line):

Host ipad.wherestheparty.at ipad
  Hostname ipad.wherestheparty.at
  ProxyCommand ssh -W %h:%p matthoran.com
  Port 8022
Host irc.wherestheparty.at irc
  Hostname irc.wherestheparty.at
  ProxyCommand ssh -W %h:%p matthoran.com
  Port 8022

SSH is protected by sshguard, which monitors the log files listed in the sshguard_watch_logs option in /etc/rc.conf. Offending IPs are blocked via the pf table named sshguard and persisted in /var/db/sshguard/blacklist.db; pfctl -t sshguard -T show lists the addresses currently blocked. IPs can be whitelisted by adding them to /usr/local/etc/sshguard.whitelist.

ipad SSH key fingerprints (the 1024-bit DSA keys are listed for completeness only: OpenSSH clients have refused DSA host keys by default since 7.0, so a connection will normally be verified against the ED25519, ECDSA or RSA entry):

 1024 SHA256:MjaRzLcx8wa7yZoEB9a97nj3YO9tpd+BoL0xkP+9Dxg root@matt-horan-2.cust.arpnetworks.com (DSA)
 256 SHA256:Qnsih9y7xyONP4huxF+3BSUxOzLjk5lYvbzHXdSUn+0 root@ipad.wherestheparty.at (ECDSA)
 256 SHA256:tg+EV5K4g2/QE3o8dEnhXJtVXFwgFJGVX66xmowbFRQ root@ipad.wherestheparty.at (ED25519)
 2048 SHA256:cxFC2AP0r+U4xijFAoAeB2cBJ0FOnx6LyDvj69lGrEE root@matt-horan-2.cust.arpnetworks.com (RSA)

irc SSH key fingerprints:

 1024 SHA256:DH54HXhgYebCAThFO7uEQT7AmTqNP/Gc6IyjijyKTao root@irc.wherestheparty.at (DSA)
 256 SHA256:9cbIDF9C2HnLexuKXW21gGtX1D8KbhJNEtye0y+s2+0 root@irc.wherestheparty.at (ECDSA)
 256 SHA256:8tjV+4GDA/n8FBqLA2WIkzOXhL69Q63biocVs0LbK+8 root@irc.wherestheparty.at (ED25519)
 2048 SHA256:vxg/UZjavCdUDNiKRRjiqIHg+8gOPRjvwNPQNxEfwVc root@irc.wherestheparty.at (RSA)

mosquitoes SSH key fingerprints:

 1024 SHA256:SbjmBy0ekWGepiWNrZyGzOibMh8ZpwU91tibWDXMDmM root@mosquitoes.wherestheparty.at (DSA)
 256 SHA256:v5L9VNtT/4MrR0m74s8LB9Ie/klQQQ9JUw026NQLydI root@mosquitoes.wherestheparty.at (ECDSA)
 256 SHA256:CRM9PYILCwKmTWAcX/IY3gWOSQZWT43ykXL4OOfN/04 root@mosquitoes.wherestheparty.at (ED25519)
 2048 SHA256:ZOaUL/yJ2E01iQyW7XVRbby/8fvD6WI0eZ4ESEmh3eA root@mosquitoes.wherestheparty.at (RSA)
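The fingerprint lists above are only useful if they are actually compared against what the server presents. The script below is an added example (not part of the WTPA admin tooling) that normalises the pinned list and the output of ssh-keyscan piped through ssh-keygen -l to (type, fingerprint) pairs and refuses if anything on the wire is not pinned. It assumes OpenSSH's ssh-keyscan and ssh-keygen for live scanning; the check itself runs offline. The demo input at the bottom is constructed, not a real scan of irc.

```shell
#!/bin/sh
# Verify a host's SSH key fingerprints against the pinned list on this page.
# Added example; not part of the WTPA admin tooling. Needs only awk, sort, comm
# and mktemp offline; live scanning assumes OpenSSH's ssh-keyscan/ssh-keygen.

# Pinned fingerprints for irc, copied from this page (ssh-keygen -l format).
IRC_PINNED='1024 SHA256:DH54HXhgYebCAThFO7uEQT7AmTqNP/Gc6IyjijyKTao root@irc.wherestheparty.at (DSA)
256 SHA256:9cbIDF9C2HnLexuKXW21gGtX1D8KbhJNEtye0y+s2+0 root@irc.wherestheparty.at (ECDSA)
256 SHA256:8tjV+4GDA/n8FBqLA2WIkzOXhL69Q63biocVs0LbK+8 root@irc.wherestheparty.at (ED25519)
2048 SHA256:vxg/UZjavCdUDNiKRRjiqIHg+8gOPRjvwNPQNxEfwVc root@irc.wherestheparty.at (RSA)'

# Reduce "bits SHA256:... comment (TYPE)" lines to sorted "(TYPE) SHA256:..." pairs.
# The comment is dropped on purpose: ssh-keyscan output carries the host name
# there, the pinned list carries root@host, and neither is authenticated anyway.
normalize() {
  awk 'NF >= 3 { print $NF, $2 }' | LC_ALL=C sort -u
}

# check_fingerprints PINNED SCANNED
# Exit 0 only if every (type, fingerprint) pair seen on the wire is in the pinned
# list. A changed fingerprint or an unpinned key type fails. A pinned type the
# server no longer offers (typically DSA) is only warned about, since the client
# would simply never use it.
check_fingerprints() {
  p=$(mktemp) || return 2
  s=$(mktemp) || { rm -f "$p"; return 2; }
  printf '%s\n' "$1" | normalize > "$p"
  printf '%s\n' "$2" | normalize > "$s"
  if [ ! -s "$s" ]; then
    rm -f "$p" "$s"
    echo 'no host keys to verify (empty scan?)' >&2
    return 1
  fi
  unknown=$(LC_ALL=C comm -23 "$s" "$p")   # seen on the wire, not pinned
  missing=$(LC_ALL=C comm -13 "$s" "$p")   # pinned, not offered by the server
  rm -f "$p" "$s"
  [ -z "$missing" ] || printf 'warning: pinned key not offered: %s\n' "$missing" >&2
  if [ -n "$unknown" ]; then
    printf 'MISMATCH, do not connect: %s\n' "$unknown" >&2
    return 1
  fi
  return 0
}

# scan_host HOST PORT: fingerprints as actually served, in ssh-keygen -l format.
# ssh-keyscan cannot use ProxyCommand, so for irc run this from matthoran.com or
# mike-burns.com, where port 8022 is reachable.
scan_host() {
  ssh-keyscan -p "$2" -t rsa,ecdsa,ed25519 "$1" 2>/dev/null | ssh-keygen -lf -
}

# Demo on a constructed scan line (not real output from irc): the ED25519 pair
# matches the pinned list, so this passes; change one character and it fails.
DEMO_SCAN='256 SHA256:8tjV+4GDA/n8FBqLA2WIkzOXhL69Q63biocVs0LbK+8 irc.wherestheparty.at (ED25519)'
if check_fingerprints "$IRC_PINNED" "$DEMO_SCAN" 2>/dev/null; then
  echo 'demo: fingerprints match the pinned list'
else
  echo 'demo: MISMATCH'
fi
# Live use: check_fingerprints "$IRC_PINNED" "$(scan_host irc.wherestheparty.at 8022)"
```

The same check works for ipad and mosquitoes by swapping in their pinned lists. Treating an unpinned key type as a failure, not just a changed fingerprint, matters because a man-in-the-middle can offer a fresh key of a type the pinned list happens to lack and hope the client accepts it.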

Base

To update the base system, freebsd-update(8) may be used.

To update ipad, run freebsd-update fetch install.

To update the jails, run freebsd-update fetch install from ipad with the -b option:

 freebsd-update -b /usr/local/jails/$JAIL.wherestheparty.at/ fetch install

You should set jail_enable="NO" in /etc/rc.conf on ipad so that jails do not autostart after reboot.

Run all three freebsd-update fetch install commands (ipad plus the two jails), then reboot ipad and finish the update by running freebsd-update install again for ipad and for each jail (three more runs).

To perform a major upgrade, follow the Handbook, ensuring that jail_enable="NO" is set on ipad before rebooting.

Once ipad has been upgraded, the jails may be upgraded. Because freebsd-update is run from the host, it would otherwise assume the jail is on the host's (already upgraded) release, so --currently-running must be set to the release the jail is actually still on before the upgrade will continue:

 freebsd-update --currently-running 11.3-RELEASE -r 12.1-RELEASE -b /usr/local/jails/$JAIL.wherestheparty.at/ upgrade
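The two things that go wrong in this procedure are passing the wrong --currently-running value and rebooting with jails still set to autostart. The helpers below are an added example, not the WTPA admin tooling: they read each jail's real userland release from the USERLAND_VERSION line that FreeBSD bakes into the jail's /bin/freebsd-version, strip the -pN patch level so it matches the release naming freebsd-update uses, build the upgrade command, and refuse to plan anything while jail_enable is not NO. The jail directory layout (/usr/local/jails/<name>/) is taken from this page; everything else is the example's own assumption.

```shell
#!/bin/sh
# Helpers for the jail upgrade steps on this page. Added example, not part of
# the WTPA admin tooling. Assumes jails live under /usr/local/jails/<name>/ as
# on ipad and that each jail root holds the stock /bin/freebsd-version script.

JAIL_BASE=/usr/local/jails

# jail_release JAILROOT: the release the jail's userland is actually on, read
# from the USERLAND_VERSION line baked into its /bin/freebsd-version, with any
# -pN patch level stripped (11.3-RELEASE-p5 -> 11.3-RELEASE) so the value
# matches freebsd-update's release names. Fails if the file or line is absent.
jail_release() {
  v=$(sed -n 's/^USERLAND_VERSION="\([^"]*\)".*/\1/p' "$1/bin/freebsd-version" 2>/dev/null)
  [ -n "$v" ] || return 1
  printf '%s\n' "${v%-p*}"
}

# jail_upgrade_cmd JAILROOT TARGET: the freebsd-update invocation for a major
# upgrade of that jail, with --currently-running taken from the jail itself
# rather than from the host, which by this point already runs TARGET.
jail_upgrade_cmd() {
  cur=$(jail_release "$1") || return 1
  printf 'freebsd-update --currently-running %s -r %s -b %s/ upgrade\n' "$cur" "$2" "$1"
}

# jails_autostart_disabled RCCONF: true iff jail_enable is NO in that rc.conf.
# The last assignment wins (rc.conf is sourced by sh), quotes are ignored and
# the comparison is case-insensitive, as rc(8) itself treats the value.
jails_autostart_disabled() {
  val=$(sed -n 's/^jail_enable=//p' "$1" | tail -n 1 | tr -d '"' | tr '[:lower:]' '[:upper:]')
  [ "$val" = "NO" ]
}

# plan_jail_upgrades TARGET: print the upgrade command for every jail under
# JAIL_BASE, refusing outright if jails would autostart after the reboot.
plan_jail_upgrades() {
  jails_autostart_disabled /etc/rc.conf || {
    echo 'refusing: set jail_enable="NO" in /etc/rc.conf first' >&2
    return 1
  }
  for root in "$JAIL_BASE"/*/; do
    jail_upgrade_cmd "${root%/}" "$1" ||
      echo "skipping $root: no freebsd-version script found" >&2
  done
}

# Usage: sh this-script.sh plan 12.1-RELEASE   (prints the commands, runs nothing)
case "${1:-}" in
  plan) plan_jail_upgrades "$2" ;;
esac
```

Printing the commands instead of executing them is deliberate: freebsd-update upgrade is interactive and should be run one jail at a time, but the values it is given can be checked mechanically beforehand.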

Ports and Packages

Use packages instead of ports for everything except one special case on irc. On ipad run pkg update and then pkg upgrade. For irc and mosquitoes run pkg -j $JAIL update and pkg -j $JAIL upgrade from ipad. This is safe to run even on irc, because the one port-built package there is locked (see below).

irc uses a mix of packages and ports because /etc/make.conf contains settings required for ircd-ratbox-devel. ircd-ratbox-devel has been locked with pkg lock ircd-ratbox-devel so that pkg upgrade cannot accidentally replace the port build with the repository package.

To manage ports on irc, SSH in and run portsnap fetch update, then use portmaster(8) to update ports. (portsnap was removed from the base system in FreeBSD 14; on newer releases the ports tree is fetched with git instead.)

Afterboot

After rebooting you can help some IRC users out by starting weechat-headless for them:

 sudo -u $user weechat-headless --daemon

Upgrading Using Ansible

Parts of the upgrade can be scripted.

In the special case where you know ahead of time that the upgrade will not require a reboot, and that you only need to run a series of freebsd-update and pkg commands, use this setup:

Inventory

In hosts:

 [shell_hosts]
 ipad.wherestheparty.at
 
 [shell_hosts:vars]
 ansible_python_interpreter=/usr/local/bin/python

Playbook

In simple-upgrade.yml:

 ---
 - hosts: shell_hosts
   become: yes
 
   tasks:
     # freebsd-update prints "No updates needed ..." when there is nothing to
     # install; skip the install step in that case.
     - name: fetch host OS upgrades
       command: /usr/sbin/freebsd-update fetch --not-running-from-cron
       register: host_fetch_output
     - name: install host OS upgrades
       command: /usr/sbin/freebsd-update install
       when: "'No updates needed' not in host_fetch_output.stdout"
 
     - name: fetch irc OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/irc.wherestheparty.at/ fetch --not-running-from-cron
       register: irc_fetch_output
     - name: install irc OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/irc.wherestheparty.at/ install
       when: "'No updates needed' not in irc_fetch_output.stdout"
 
     - name: fetch mosquitoes OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/mosquitoes.wherestheparty.at/ fetch --not-running-from-cron
       register: mosquitoes_fetch_output
     - name: install mosquitoes OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/mosquitoes.wherestheparty.at/ install
       when: "'No updates needed' not in mosquitoes_fetch_output.stdout"
 
     # pkg itself is upgraded first, then the plan is shown and confirmed
     # before anything else changes.
     - name: update host packages
       command: /usr/sbin/pkg update
     - name: upgrade host pkgng package
       command: /usr/sbin/pkg upgrade -y pkg
     - name: show host package upgrade plan
       command: /usr/sbin/pkg upgrade -n
       register: host_package_upgrade_plan
     - name: confirm host package upgrade plan
       debug: var=host_package_upgrade_plan.stdout_lines
     - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
     - name: upgrade host packages
       command: /usr/sbin/pkg upgrade -y
 
     - name: update irc packages
       command: /usr/sbin/pkg -j irc update
     - name: upgrade irc pkgng package
       command: /usr/sbin/pkg -j irc upgrade -y pkg
     - name: show irc package upgrade plan
       command: /usr/sbin/pkg -j irc upgrade -n
       register: irc_package_upgrade_plan
     - name: confirm irc package upgrade plan
       debug: var=irc_package_upgrade_plan.stdout_lines
     - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
     - name: upgrade irc packages
       command: /usr/sbin/pkg -j irc upgrade -y
 
     - name: update mosquitoes packages
       command: /usr/sbin/pkg -j mosquitoes update
     - name: upgrade mosquitoes pkgng package
       command: /usr/sbin/pkg -j mosquitoes upgrade -y pkg
     - name: show mosquitoes package upgrade plan
       command: /usr/sbin/pkg -j mosquitoes upgrade -n
       register: mosquitoes_package_upgrade_plan
     - name: confirm mosquitoes package upgrade plan
       debug: var=mosquitoes_package_upgrade_plan.stdout_lines
     - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
     - name: upgrade mosquitoes packages
       command: /usr/sbin/pkg -j mosquitoes upgrade -y

Run it

To run that playbook:

 ansible-playbook simple-upgrade.yml -i hosts -K

The -K is only required if you need to type your password to become root using sudo(8).

This playbook pauses to show the package upgrade plan for each subsystem and waits for confirmation before applying it, but otherwise runs unattended. Because it never reboots, it must not be used for updates that include a kernel; those follow the manual procedure above.