IRC Infrastructure

From Whiteboard
Jump to navigation Jump to search

The WTPA IRC server is at Mike and Matt administer the server. Shell accounts are provided on request and the IRC server itself is publicly accessible. Here is some information on managing the infrastructure.

The IRC server and shell box both live on a single host, Mike and Matt have access to this server.

The IRC server ( and shell host ( are both FreeBSD jails, sharing the same physical host.

They maintain a todo list on ipad in ~root/TODO.


Only and have access to ipad and irc, and their ssh port is 8022. In order to connect from a host other than or, the following may be added to ~/.ssh/config

Host ipad
  ProxyCommand ssh -W %h:%p
  Port 8022
Host irc
  ProxyCommand ssh -W %h:%p
  Port 8022

SSH is protected by sshguard, which monitors the logfiles specified in /etc/rc.conf option sshguard_watch_logs. Offending IPs are blocked via the pf table sshguard and are written to /var/db/sshguard/blacklist.db. IPs can be whitelisted by adding them to /usr/local/etc/sshguard.whitelist.

ipad SSH key fingerprints:

 1024 SHA256:MjaRzLcx8wa7yZoEB9a97nj3YO9tpd+BoL0xkP+9Dxg (DSA)
 256 SHA256:Qnsih9y7xyONP4huxF+3BSUxOzLjk5lYvbzHXdSUn+0 (ECDSA)
 256 SHA256:tg+EV5K4g2/QE3o8dEnhXJtVXFwgFJGVX66xmowbFRQ (ED25519)
 2048 SHA256:cxFC2AP0r+U4xijFAoAeB2cBJ0FOnx6LyDvj69lGrEE (RSA)

irc SSH key fingerprints:

 1024 SHA256:DH54HXhgYebCAThFO7uEQT7AmTqNP/Gc6IyjijyKTao (DSA)
 256 SHA256:9cbIDF9C2HnLexuKXW21gGtX1D8KbhJNEtye0y+s2+0 (ECDSA)
 256 SHA256:8tjV+4GDA/n8FBqLA2WIkzOXhL69Q63biocVs0LbK+8 (ED25519)
 2048 SHA256:vxg/UZjavCdUDNiKRRjiqIHg+8gOPRjvwNPQNxEfwVc (RSA)

mosquitoes SSH key fingerprints:

 1024 SHA256:SbjmBy0ekWGepiWNrZyGzOibMh8ZpwU91tibWDXMDmM (DSA)
 256 SHA256:v5L9VNtT/4MrR0m74s8LB9Ie/klQQQ9JUw026NQLydI (ECDSA)
 256 SHA256:CRM9PYILCwKmTWAcX/IY3gWOSQZWT43ykXL4OOfN/04 (ED25519)
 2048 SHA256:ZOaUL/yJ2E01iQyW7XVRbby/8fvD6WI0eZ4ESEmh3eA (RSA)


To update the base system, freebsd-update(8) may be used.

To update ipad, run freebsd-update fetch install.

To update the jails, run freebsd-update fetch install from ipad with the -b option:

 freebsd-update -b /usr/local/jails/$ fetch install

You should set jail_enable="NO" in /etc/rc.conf on ipad so that jails do not autostart after reboot.

Run the three freebsd-updates, then reboot and finalize it (freebsd-update install, three times).

To perform a major upgrade, follow the Handbook, ensuring that jail_enable="NO" is set on ipad before rebooting.

Once ipad has been upgraded, the jails may be upgraded. The --currently-running flag must be set to the previous release version before the upgrade will continue.

 freebsd-update --currently-running 11.3-RELEASE -r 12.1-RELEASE -b /usr/local/jails/$ upgrade

Ports and Packages

Use packages instead of ports for all except a special case on irc. For ipad run pkg update upgrade. For irc and mosquiotes run pkg -j $JAIL update upgrade. It is safe to run that even on irc

irc uses a mix of packages and ports because /etc/make.conf has settings required for ircd-ratbox-devel. ircd-ratbox-devel has been locked to prevent accidental package upgrade via pkg lock ircd-ratbox-devel.

To manage ports on irc, simply SSH in and run portsnap fetch update. Then use portmaster(8) to update ports.


After rebooting you can help some IRC users out by starting weechat-headless for them:

 sudo -u $user weechat-headless --daemon

Upgrading Using Ansible

Parts of the upgrade can be scripted.

In the special case where you know ahead of time that the upgrade will not require a reboot, and that you only need to run a series of freebsd-update and pkg commands, use this set up:


In hosts:



In simple-upgrade.yml:

 - hosts: shell_hosts
   become: yes
     - name: fetch host OS upgrades
       command: /usr/sbin/freebsd-update fetch --not-running-from-cron
       register: host_fetch_output
     - name: install host OS upgrades
       command: /usr/sbin/freebsd-update install
       when: host_fetch_output.stdout.find('No updates needed') == -1
     - name: fetch irc OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/ fetch --not-running-from-cron
       register: irc_fetch_output
     - name: install irc OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/ install
       when: irc_fetch_output.stdout.find('No updates needed') == -1
     - name: fetch mosquitoes OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/ fetch --not-running-from-cron
       register: mosquitoes_fetch_output
     - name: install mosquitoes OS upgrades
       command: /usr/sbin/freebsd-update -b /usr/local/jails/ install
       when: mosquitoes_fetch_output.stdout.find('No updates needed') == -1
     - name: update host packages
       command: /usr/sbin/pkg update
     - name: upgrade host pkgng package
       command: /usr/sbin/pkg upgrade -y pkg
     - name: show host package upgrade plan
       command: /usr/sbin/pkg upgrade -n
       register: host_package_upgrade_plan
     - name: confirm package upgrade plan
       debug: var=host_package_upgrade_plan.stdout_lines
     - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
     - name: upgrade host packages
       command: /usr/sbin/pkg upgrade -y
     - name: update irc packages
       command: /usr/sbin/pkg -j irc update
     - name: upgrade irc pkgng package
       command: /usr/sbin/pkg -j irc upgrade -y pkg
     - name: show irc package upgrade plan
       command: /usr/sbin/pkg -j irc upgrade -n
       register: irc_package_upgrade_plan
     - name: confirm package upgrade plan
       debug: var=irc_package_upgrade_plan.stdout_lines
     - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
     - name: upgrade host packages
       command: /usr/sbin/pkg -j irc upgrade -y
     - name: update mosquitoes packages
       command: /usr/sbin/pkg -j mosquitoes update
     - name: upgrade mosquitoes pkgng package
       command: /usr/sbin/pkg -j mosquitoes upgrade -y pkg
     - name: show mosquitoes package upgrade plan
       command: /usr/sbin/pkg -j mosquitoes upgrade -n
       register: mosquitoes_package_upgrade_plan
     - name: confirm package upgrade plan
       debug: var=mosquitoes_package_upgrade_plan.stdout_lines
     - pause: prompt="To continue with upgrade, ^c then c. To abort, ^c then a"
     - name: upgrade host packages
       command: /usr/sbin/pkg -j mosquitoes upgrade -y

Run it

To run that playbook:

 ansible-playbook simple-upgrade.yml -ihosts -K

The -K is only required if you need to type your password to become root using sudo(8).

This playbook will prompt you before upgrading the packages on each subsystem, but will otherwise run unattended.