The WTPA IRC server is at irc.wherestheparty.at. Mike and Matt administer the server. Shell accounts are provided on request and the IRC server itself is publicly accessible. Here is some information on managing the infrastructure.
The IRC server and shell box both live on a single host, ipad.wherestheparty.at. Mike and Matt have access to this server.
The IRC server (irc.wherestheparty.at) and shell host (mosquitoes.wherestheparty.at) are both FreeBSD jails, sharing the same physical host.
They maintain a todo list on ipad in ~root/TODO.
Only matthoran.com and mike-burns.com have access to ipad and irc, and their SSH port is 8022. To connect from a host other than matthoran.com or mike-burns.com, add the following to ~/.ssh/config:
Host ipad.wherestheparty.at ipad
  Hostname ipad.wherestheparty.at
  ProxyCommand ssh -W %h:%p matthoran.com
  Port 8022
Host irc.wherestheparty.at irc
  Hostname irc.wherestheparty.at
  ProxyCommand ssh -W %h:%p matthoran.com
  Port 8022
SSH is protected by sshguard, which monitors the logfiles specified in /etc/rc.conf option sshguard_watch_logs. Offending IPs are blocked via the pf table sshguard and are written to /var/db/sshguard/blacklist.db. IPs can be whitelisted by adding them to /usr/local/etc/sshguard.whitelist.
SSH key fingerprints:
256 SHA256:Qnsih9y7xyONP4huxF+3BSUxOzLjk5lYvbzHXdSUn+0 email@example.com (ECDSA)
256 SHA256:9cbIDF9C2HnLexuKXW21gGtX1D8KbhJNEtye0y+s2+0 firstname.lastname@example.org (ECDSA)
256 SHA256:v5L9VNtT/4MrR0m74s8LB9Ie/klQQQ9JUw026NQLydI email@example.com (ECDSA)
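The published fingerprints above are only useful if the key a server presents is actually compared against them before it is trusted. The following is an added example, not part of the original page: it derives OpenSSH-style SHA256 fingerprints from ssh-keyscan-format lines and checks them against the three values listed here. The function names and the sample key are constructed for illustration, so the sample does not match any pinned fingerprint.

```python
import base64
import hashlib
import struct

# Fingerprints published on this page (all three are ECDSA host keys).
PINNED = {
    "SHA256:Qnsih9y7xyONP4huxF+3BSUxOzLjk5lYvbzHXdSUn+0",
    "SHA256:9cbIDF9C2HnLexuKXW21gGtX1D8KbhJNEtye0y+s2+0",
    "SHA256:v5L9VNtT/4MrR0m74s8LB9Ie/klQQQ9JUw026NQLydI",
}

def fingerprint(key_b64):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """Read the algorithm name stored in the blob (uint32 length, then the string)."""
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def check_scan(scan_text, pinned=PINNED):
    """Return {host: (fingerprint, trusted)} for each 'host type base64' line."""
    results = {}
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, key_b64 = line.split()[:3]
        # Reject lines whose declared type disagrees with the blob itself.
        if blob_key_type(key_b64) != key_type:
            results[host] = (None, False)
            continue
        fp = fingerprint(key_b64)
        results[host] = (fp, fp in pinned)
    return results

def constructed_key(fill):
    # Constructed blob with the ecdsa-sha2-nistp256 layout; not a real host key.
    s = lambda b: struct.pack(">I", len(b)) + b
    point = b"\x04" + bytes([fill]) * 64
    return base64.b64encode(s(b"ecdsa-sha2-nistp256") + s(b"nistp256") + s(point)).decode()

# Constructed sample in the format ssh-keyscan prints for a non-default port.
SAMPLE_SCAN = "[irc.wherestheparty.at]:8022 ecdsa-sha2-nistp256 " + constructed_key(0x11) + "\n"
```

A host whose entry comes back with trusted set to False should not be added to known_hosts until the mismatch is explained.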
To update the base system, freebsd-update(8) may be used.
To update ipad, run freebsd-update fetch install.
To update the jails, run freebsd-update fetch install from ipad with the -b option:
freebsd-update -b /usr/local/jails/$JAIL.wherestheparty.at/ fetch install
You should set jail_enable="NO" in /etc/rc.conf on ipad so that jails do not autostart after reboot.
Run the three freebsd-updates, then reboot and finalize it (freebsd-update install, three times).
To perform a major upgrade, follow the Handbook, ensuring that jail_enable="NO" is set on ipad before rebooting.
Once ipad has been upgraded, the jails may be upgraded. The --currently-running flag must be set to the previous release version before the upgrade will continue.
freebsd-update --currently-running 11.3-RELEASE -r 12.1-RELEASE -b /usr/local/jails/$JAIL.wherestheparty.at/ upgrade
Ports and Packages
Use packages instead of ports for all except a special case on irc. For ipad run pkg update upgrade. For irc and mosquitoes run pkg -j $JAIL update upgrade. It is safe to run that even on irc.
irc uses a mix of packages and ports because /etc/make.conf has settings required for ircd-ratbox-devel. ircd-ratbox-devel has been locked with pkg lock ircd-ratbox-devel to prevent accidental package upgrades.
To manage ports on irc, simply SSH in and run portsnap fetch update. Then use portmaster(8) to update ports.
After rebooting you can help some IRC users out by starting weechat-headless for them:
sudo -u $user weechat-headless --daemon
Upgrading Using Ansible
Parts of the upgrade can be scripted.
In the special case where you know ahead of time that the upgrade will not require a reboot, and that you only need to run a series of freebsd-update and pkg commands, use this set up:
[shell_hosts]
ipad.wherestheparty.at
[shell_hosts:vars]
ansible_python_interpreter=/usr/local/bin/python
---
# simple-upgrade.yml: patch the host and both jails, pausing before each package upgrade
- hosts: shell_hosts
  become: yes
  tasks:
    # Base system updates: host first, then each jail via -b
    - name: fetch host OS upgrades
      command: /usr/sbin/freebsd-update fetch --not-running-from-cron
      register: host_fetch_output
    - name: install host OS upgrades
      command: /usr/sbin/freebsd-update install
      when: host_fetch_output.stdout.find('No updates needed') == -1
    - name: fetch irc OS upgrades
      command: /usr/sbin/freebsd-update -b /usr/local/jails/irc.wherestheparty.at/ fetch --not-running-from-cron
      register: irc_fetch_output
    - name: install irc OS upgrades
      command: /usr/sbin/freebsd-update -b /usr/local/jails/irc.wherestheparty.at/ install
      when: irc_fetch_output.stdout.find('No updates needed') == -1
    - name: fetch mosquitoes OS upgrades
      command: /usr/sbin/freebsd-update -b /usr/local/jails/mosquitoes.wherestheparty.at/ fetch --not-running-from-cron
      register: mosquitoes_fetch_output
    - name: install mosquitoes OS upgrades
      command: /usr/sbin/freebsd-update -b /usr/local/jails/mosquitoes.wherestheparty.at/ install
      when: mosquitoes_fetch_output.stdout.find('No updates needed') == -1
    # Host packages: show the plan with -n and wait for confirmation
    - name: update host packages
      command: /usr/sbin/pkg update
    - name: upgrade host pkgng package
      command: /usr/sbin/pkg upgrade -y pkg
    - name: show host package upgrade plan
      command: /usr/sbin/pkg upgrade -n
      register: host_package_upgrade_plan
    - name: confirm package upgrade plan
      debug: var=host_package_upgrade_plan.stdout_lines
    - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
    - name: upgrade host packages
      command: /usr/sbin/pkg upgrade -y
    # irc jail packages
    - name: update irc packages
      command: /usr/sbin/pkg -j irc update
    - name: upgrade irc pkgng package
      command: /usr/sbin/pkg -j irc upgrade -y pkg
    - name: show irc package upgrade plan
      command: /usr/sbin/pkg -j irc upgrade -n
      register: irc_package_upgrade_plan
    - name: confirm package upgrade plan
      debug: var=irc_package_upgrade_plan.stdout_lines
    - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
    - name: upgrade irc packages
      command: /usr/sbin/pkg -j irc upgrade -y
    # mosquitoes jail packages
    - name: update mosquitoes packages
      command: /usr/sbin/pkg -j mosquitoes update
    - name: upgrade mosquitoes pkgng package
      command: /usr/sbin/pkg -j mosquitoes upgrade -y pkg
    - name: show mosquitoes package upgrade plan
      command: /usr/sbin/pkg -j mosquitoes upgrade -n
      register: mosquitoes_package_upgrade_plan
    - name: confirm package upgrade plan
      debug: var=mosquitoes_package_upgrade_plan.stdout_lines
    - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
    - name: upgrade mosquitoes packages
      command: /usr/sbin/pkg -j mosquitoes upgrade -y
To run that playbook:
ansible-playbook simple-upgrade.yml -ihosts -K
The -K is only required if you need to type your password to become root using sudo(8).
This playbook will prompt you before upgrading the packages on each subsystem, but will otherwise run unattended.