/meta/ - Meta and Operations

Wheel-Greasing

InstantIB.LynxChan + Onion: An Imageboard Host Builder Anonymous Board owner 04/30/2020 (Thu) 17:08:36 No.10678
I'm releasing a modified version of Anon.cafe's build and maintenance tooling. It is an Ansible role that turns a CentOS 7 server into a LynxChan 2.3.7 host with an nginx reverse proxy in front to handle HTTPS termination and traffic limiting. It is very configurable and includes variable documentation as well as a tutorial to help those unfamiliar with Ansible get up to speed.
It's my hope that this will help Anon spin up new imageboards without having to struggle against many of their software's peculiarities and tedium. I've also added a role that will set up Tor hidden services; it permits either hands-off management of the hidden service private key or storage of the hidden service private key in an encrypted Ansible Vault.
InstantIB.LynxChan is at https://gitgud.io/Skyline/instantib.lynxchan
InstantIB.Onion is at https://gitgud.io/Skyline/instantib.onion
The role bundles and builds several pieces of software not available in CentOS repositories (e.g. ExifTool to strip EXIF from images and FFmpeg to generate better thumbnails), may optionally create a special user that can pull remote MongoDB database dumps from elsewhere, ensures that both MongoDB and LynxChan will restart on failure, detects and handles necessary service restarts/reloads, may install and configure the webring/alternate captcha/native image generation addons if desired, supports proper multi-device favicons, provides enhanced TLS security by default, optionally generates strong custom Diffie-Hellman (DH) key-exchange parameters for extra security, allows optional IP range blocking at the network firewall, configures Security-Enhanced Linux to work gracefully with MongoDB, and allows optional use of the notoriously obtuse Sendmail to relay email from LynxChan to an external mail host.
If you have some basic GNU/Linux literacy and follow the tutorial then read the documentation carefully, you will be able to use this to spin up and maintain a LynxChan imageboard of your own. You can override and adjust the variables and then re-run your playbook to gracefully detect and adjust only what needs to be adjusted on your server.
The role is presently in alpha; although I use it with full confidence on anon.cafe, it is possible that it might not work for some combination of options I've never tried, or I've broken it while adding the latest enhancements for genpop use. I recommend that you try it out thoroughly against a virtual machine before using it on any kind of production instance. Be careful and methodical.
Future tutorials will include the Paranoid Admin's Imageboard Hosting Primer, in which I will briefly explain the different privacy and security trade-offs you can make as an imageboard admin for yourself and your users, making payments and taking donations without compromising your identity, understanding how to maintain OPSEC+COMSEC+FINSEC in such a way that a single breach will not be your undoing, how all this might be done in practice, and more.
To those who do not have the literacy this tooling assumes and would prefer something a little more intensively hand-holding, more will come. I nevertheless encourage you to muddle your way through with a VM, a CentOS 7 netinst ISO, and a search engine - if nothing else, you will come out knowing a little more than you came in with.
Edited last time by root_admin on 05/16/2020 (Sat) 14:33:46.
>>10686 >honeypot I beat you all to it. Dolphin won.
>>10686 In short: Yes. The idea that anyone and everyone - including noobs - can run an imageboard securely and well is a very dangerous one. I expect that a few hosts will also pop up and down when their admins realise the difficulty of the hotpocket life. Blithely stumbling into this can hurt the admin and their posters. You're absolutely right on all counts. At the same time, we can't rely on a very small cadre of those willing and able to do the work. More need to come along the path. So I've put this tooling out here because I know it'll do the right thing and remove a lot of opportunity to fuck up. >>10687 It's possible you're using an old version that didn't have the transport. What's the version number output by "ansible-galaxy --version"? >>10685 >rpi3 How does the altarch CentOS work on that? Or are you trying to use it as a control machine that points somewhere else?
The usual suspect is posting instructions to wget and run scripts from dolphin-themed domains with sudo elevation. Exercise the usual caution as with any random telling you to execute a script from the Internet with root permissions.
>>10695 In Julay IRC: <BlueDolphin> Yes. <BlueDolphin> [01:06:55] GMAY2612: It's basically between pringles and euphoria <Klab> cool <Klab> it works <BlueDolphin> Nice. <BlueDolphin> Demo URL? <Klab> http://chan.loli.church/ <BlueDolphin> nice <Klab> it doesn't do uh <BlueDolphin> Make sure to change the admin URL <Klab> redirection though <BlueDolphin> Yeah, change that yourself <BlueDolphin> It's for admins who want the choose <BlueDolphin> *choice <Klab> cool, service works. nice <BlueDolphin> Yeah, the script took
Ban evasion. Original ban: Breaking Rule 1 by linking to child pornography.
>>10693 ansible-galaxy 2.0.0.2
>>10698 That's a very old version. Most distro package managers freeze the version for some time. Have a look at https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html to get the latest.
Isn't it odd how when the Admin here creates a good tool to effectively help the more general Anons spread out into lots of different IBs everywhere, there's a sudden influx of 'concern' springing up over it? Kek.
>>10699 Thanks, I was able to figure out that issue. Another one came up though, when I try running the playbook it doesn't prompt me for my SSH password and just fails.
>>10701 Do you mean the passphrase that protects your SSH key, or are you using tunneled plaintext passwords? If you're using a key, try establishing a normal SSH session to make sure the key's being properly recognised by SSH. If you're using plaintext passwords then you need to add --ask-pass so that Ansible will prompt you for it.
>>10700 There wasn't a "sudden influx", it was just me making a single post, and even Admin validated my worries by saying I was "absolutely right on all counts". I just don't want anyone getting fucked over hard because somebody inexperienced didn't really know what they were doing, because I can definitely see that happening.
>>10703 I mean the obvious-tier tranny/glowstick concern-trolling going on here anon. There are legitimate concerns ofc, but I would ask you: What are the alternatives? Simply capitulate and be herded like cattle in the hiroshima and pigjim's little cuck-farms, ripe for the slaughter? Wars are messy, and we're in one, after a sort. There will be mistakes, errors made, and losses. But far better to make the effort and fight for what's valuable and important. Bring it on I say. The Admin here is entirely right in what he's doing, and we need far more like him.
>>10704 > the obvious-tier tranny/glowstick concern-trolling going on here going on where?
>>10705 are you really this new?
>>10703 >>10704 Hurry up and get to the kissing, you two. I’ve never seen two anons agree as erotically as this.
>>10707 >complaining about muh shills because one anon made one post I don't know if you're in a position to call me new, newfriend
>>10685 >>10693 Possible things to address for new chan admins: Trustworthy VPS and domain hosts, along with owner/registrant obfuscation. Legal info support ie how will the admin not get fucked over for illegal posts. I get there's the plausible deniability of "I'll delete it when I see it/as it's reported," but what are those terms if someone wanted to astroturf or frame the admin/webhost. Would compartmentalising every board into its own chan be a help or a hindrance? Splinterchan?
Sick of anon.cafe's owner's lies? Come home to fivepuppies.xyz/b/ https://pleaserunmyscript.xyz/install_lynxchan_maybe.sh AAAAaaaa the mods are rulecucks
Edited last time by root_admin on 05/01/2020 (Fri) 04:44:42.
>>10712 THANK YOU BASED DOLPHIN
>>10710
>Would compartmentalising every board into its own chan be a help or a hindrance? Splinterchan?
The main problem with this is moderation. Someone can do a lot of damage if they attack a low traffic board. In order to pull this off, you would either need a "global mod node" where you could apply for global mod support, or just have agreements with other boards for some sort of shared modding. If there were a global mod arrangement, I would imagine it would work as follows:
1. anon reports
2. report has a timer, if timer exceeded, report is upstreamed to global mod pool
   a wordfilter could also be used to reduce global mod reports
3. if report is denied by globals it's kicked back down to local
Separate sites for each board is preferable, but then there's the problem with the linking document. If we continue to rely on the cafe, the cafe will become the next target. This could be solved through the use of a blockchain ledger, or even a simple signed json file shared by magnet link or webtorrent. If either of these methods were used, we wouldn't even need dns providers. Think of it as a grey net.
The main issue is boomers re-entering the webring, which means you need some sort of barrier to entry which the average anon isn't going to have a problem with, but the average facetwatgram faggot isn't going to be able to stand. Maybe even ban certain useragents, like phones or macs.
>>10686 I see an advantage in this, though. Redundancy and an unlimited amount of bunkers. Let's say you have /board/. Several anons want a /board/ board, so each one makes their own site, hosts it and it shows on the webring. After a while, one version of /board/ will be the most popular and show up on the webring above all others. This is the part that I can see the most problems with, though. If at any point that imageboard goes down for whatever reason, the only thing an Anon has to do is scroll down a bit more and find another /board/ to resume posting, making that the most popular /board/ at the moment. For the idiots that keep trying to deplatform IBs, they'd have to contact multiple hosts, each with their own ideas and rules and keep checking on it every day in case some mad lad has set up another IB just to have another /board/ board. It keeps giving options to Anons while increasing the amount of work needed to deplatform /board/. It's not perfect, but it's quite a good concept. Better than this only IPFS or OpenNIC, which hopefully should be used as well, but at that point it'd be a good idea to have some script or simple guide for regular users to join in.
>>10711 >>10712 >>10713 >>10714 >>10715 >>10716 >>10719 >>10721 >>10723 The fact that you are spamming another board like an autist shows that you are absolutely incapable of running your own board. Do everyone a favor for once and neck yourself
>>10702 Thanks for pointing me in the right direction. I managed to get the playbook to run but am running into another error when I try creating the root user (With my own username and password):
MongoParseError: Unescaped colon in authority section
    at parseConnectionString (/opt/lynxchan/src/be/node_modules/mongodb-core/lib/uri_parser.js:549:23)
    at connect (/opt/lynxchan/src/be/node_modules/mongodb/lib/operations/mongo_client_ops.js:195:3)
    at connectOp (/opt/lynxchan/src/be/node_modules/mongodb/lib/operations/mongo_client_ops.js:284:3)
    at executeOperation (/opt/lynxchan/src/be/node_modules/mongodb/lib/utils.js:416:24)
    at MongoClient.connect (/opt/lynxchan/src/be/node_modules/mongodb/lib/mongo_client.js:175:10)
    at Function.MongoClient.connect (/opt/lynxchan/src/be/node_modules/mongodb/lib/mongo_client.js:341:22)
    at connect (/opt/lynxchan/src/be/db.js:938:21)
    at Timeout._onTimeout (/opt/lynxchan/src/be/db.js:952:11)
    at listOnTimeout (internal/timers.js:549:17)
    at processTimers (internal/timers.js:492:7) {
  [Symbol(mongoErrorContextSymbol)]: {}
}
Retrying in 10 seconds
>>10732 Great work getting this far. That message looks like LynxChan itself is failing to parse the Mongo connection string. Did you perhaps randomly generate the application-level MongoDB password, and it includes a colon? Try changing the Mongo application password in the vault file to a long random alphanumeric string and re-run the playbook. It should handle changing the Mongo password and updating LynxChan's config file.
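The failure discussed in the two posts above, as an added example (not code from LynxChan, the MongoDB driver or the InstantIB role): a simplified re-creation of the credentials check shows why a colon in the password breaks parsing, and why either percent-encoding or an alphanumeric password avoids it. It assumes the connection string is assembled by plain concatenation; the function names, host and sample password are constructed for illustration.

```javascript
const { randomInt } = require('crypto');

// Simplified re-creation of the driver-side check (not the driver's code):
// in mongodb://user:pass@host/db the part before '@' may hold one ':' only.
function authorityProblem(uri) {
  const m = /^mongodb(?:\+srv)?:\/\/([^/?]*)/.exec(uri);
  if (!m) return 'not a mongodb URI';
  const parts = m[1].split('@');
  if (parts.length > 2) return 'unescaped at-sign';
  if (parts.length === 2 && parts[0].split(':').length > 2) {
    return 'unescaped colon';
  }
  return null; // credentials section parses cleanly
}

// Assumed failure mode: credentials pasted into the URI verbatim.
function naiveUri(user, pass, host, db) {
  return `mongodb://${user}:${pass}@${host}/${db}`;
}

// Percent-encoding turns ':' into %3A and '@' into %40, so reserved
// characters in the password no longer look like URI delimiters.
function encodedUri(user, pass, host, db) {
  const u = encodeURIComponent(user);
  const p = encodeURIComponent(pass);
  return `mongodb://${u}:${p}@${host}/${db}`;
}

// The fix suggested in the thread: a long random alphanumeric password,
// which is safe even when the consumer does no encoding at all.
function alnumPassword(length = 48) {
  const alphabet =
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  let out = '';
  for (let i = 0; i < length; i++) {
    out += alphabet[randomInt(alphabet.length)]; // CSPRNG, unbiased
  }
  return out;
}

// Constructed sample values (not taken from any real deployment).
const HOST = '127.0.0.1:27017';
const BAD_PASS = 'k3:Xq9pw';

function demo() {
  return {
    naive: authorityProblem(naiveUri('lynxchan', BAD_PASS, HOST, 'lynxchan')),
    encoded: authorityProblem(encodedUri('lynxchan', BAD_PASS, HOST, 'lynxchan')),
    alnum: authorityProblem(naiveUri('lynxchan', alnumPassword(), HOST, 'lynxchan')),
  };
}

console.log(demo());
```

Restricting the alphabet costs little: 48 characters drawn from 62 symbols still carry roughly 285 bits of entropy.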
Where would someone start if they wanted to really understand this stuff? Like the inner workings of imageboard software, hosting, all of it. From a complete and utter beginner who doesn't know any coding. Are there coding languages that need to be learned? In which order should they be studied? Is it even reasonable to try and learn this sort of stuff from the ground up? Awhile back I had the idea of trying to learn to make a nanochan like imageboard that operated almost entirely without JS, but I lost the motivation.
>>10750 Get the source of the IB software you wish to use, look at what language it's using and learn that, as well as any software associated with it. For example, picochan uses lua and SQL, lynxchan uses javascript, hell, the Raving BBS is written entirely in ANSI C. If you write your own, you can do it in any language. CSS and XML would probably be useful in any setup. As for hosting, getting an administrator's handbook for your chosen OS can't hurt (Absolute OpenBSD would be a classic in that regard). That mostly explains how to set up a system of that OS in a secure way, how to maintain it, etc. etc.
2.3.7-alpha.2 has been released. You can now disable spamlist IP checks by enabling lynxchan_disable_spam_ip_check. LynxChan's captchas by default in 2.3.7 use a font that isn't available. The default was changed in later versions of LynxChan, and we've made this fix as a default setting in 2.3.7, which means you can now use a different font for captchas if you please. Fixed a bug in the nginx config template that caused ciphers not to be restricted when custom DH parameters are enabled. XanderLynx and the default favicon packs now live in separate default files that will only be used if you don't provide your own frontend.zip and/or favicon_pack.zip files. A tutorial error has been fixed. A couple of configuration file formatting errors have also been corrected. They didn't affect anything but did make things look a little untidy.
Edited last time by root_admin on 05/02/2020 (Sat) 17:12:45.
>>10761 Thank you very much Admin. I look forward to trying this out.
There a version for Debian? I'm not familiar enough with CentOS.
>>11636 I'm afraid not. I usually use and prefer Debian but in this case I chose CentOS for its longer support cycle and a few packages that at the time matched LynxChan's expected versions more closely than Debian's. The role is licensed under GPLv3 so you could adapt the role for use on Debian by changing the package manager/packages, replacing the SELinux stuff with AppArmor, and a few other things. I can afford to keep this one up to date because it's what we use here in production.
2.3.7-alpha.3 has been released. You can use group-specific frontends and favicons by placing their packages into files/<group_name>/<filename>.zip off your Ansible directory root. The tutorial and readme have been updated accordingly. Multiple domain HTTP->HTTPS redirection now works properly.
>>10678 >Paranoid Admin's Imageboard Hosting Primer I just wanted to say I'm very interested in this. I could likely master any technological topics necessary to host and develop an imageboard, but it sounds too personally risky.
Is there a retards guide to buying a VPS anonymously and hosting a site over tor? I haven't the slightest clue what I'm doing when it comes to VPS's, tor, or websites but I'd like to get into it somehow
>>13196 >>13206 Agreed, and thanks for your efforts, admin. I know a lot of comms are via IRC, but even namefagging on a VPN seems like too much exposure for me. Has that been anyone else's experience?
>>13207 I'm a BO on julay, and I'd like to stay in touch with them, but I don't trust rizon with my barebacked IP and I simply don't know how to avoid it. I've tried routing to it via an IRC client (hexchat) using torify, and also setting its socks settings to use the tor port on my box, but Rizon boots me out over it, so I'm stuck with no way to communicate outside of the IB itself. I expect the same problem will occur for our bunker here on Anon.cafe unless someone who knows their shit can spoonfeed this stuff to us. :/
>>13229 BTW, I can't get a VPN r/n, so it's TOR or nothing tbh.
>>13230 Why not use a shitty free vpn?
>>13239 yes, openVPN with vpngate for your favorite proxies. slow as shit
>>13229 There's a specialized I2P IRC server. Problem being, you have to convince everyone to use it. Alternatively, people can switch to retroshare (over TOR or I2P).
2.3.7-alpha.4 of InstantIB.LynxChan has been released. This version adds support for hidden services, extends nginx rate limiting to plain HTTP, performs an nginx config restructure, and fixes frontend reload. Speaking of hidden services, I have also released 1.0.0-alpha.1 of InstantIB.Onion. This can be added on top of InstantIB.LynxChan to handle setup of Tor hidden services. It includes optional private key management, cleanup of old hidden services, multiple hidden service support, and general quality of life. You can find it at https://gitgud.io/Skyline/instantib.onion and a tutorial is available at https://gitgud.io/Skyline/instantib.onion/-/blob/master/TUTORIAL.md
>>13229 Just use tor, it takes a few tries because rizon blocks certain tor nodes.
>>13255 Ahh, I see. I guess I gave up too soon then. (stopped after 3-4 different circuits using their browser interface) I could try again. Any particular advice about using Hexchat, etc., set up? I tried using both port 9050 & 9051 iirc, but it also didn't work (and I think I gave up immediately on that one).
>>13240 >>13241 Sorry I missed these. Thanks, anons.
Why does the site keep going down? Is it just server maintenance or something else? Hope everything is daijoubu.
>>13343 >Why does the site keep going down Do you mean today's downtime? As far as we're aware we haven't been down for months until today, not counting occasional minute-long interruptions when software components automatically restart. >Is it just server maintenance or something else? Hope everything is daijoubu. Something went wrong with the machine our VPS was hosted on. I posted about it at >>13342 after we came back up from the few hours' downtime. That thread is where you should post about this, rather than here in the InstantIB thread.
>>13345 Had another blip just now, and I've seen around 3 or 4 over the past 24 hours.
>>13585 Same here, I've been having problems.
>>13345 Reporting the same problem. The site would be up all morning, then after a while pages stop loading or refreshing and it comes up as offline, even when using services like Down For Me. What's going on?
I'm having periodic issues too still. It seems to be less than it was
