add shell web service

site/content/additional/maintlog/_index.md

@@ -7,6 +7,13 @@ A log of changes to the burble.dn42 network.
 
 ---
 
+## 27th June 2021
+
+The shell servers now have apache2 installed to provide home directory
+public_html access.  
+See the [Shell Accounts](/services/shell/) service page
+for more info.
+
 ## 23rd June 2021
 
 Added shell.ca-bhs2.burble.dn42 as a new shell server.

site/content/services/shell.md

@@ -14,8 +14,7 @@ The shell service imports user information from the dn42 registry allowing
 any MNTNER with an SSH auth method to log in to the servers. Usernames
 are constructed by lowercasing and removing the '-MNT' suffix.
 
-For example:
+{{<hint info>}}
-
 **FOO-MNT**
 ```
 mntner:             FOO-MNT
@@ -26,6 +25,7 @@ Log in using the key specified in the auth method:
 ```shell
 ssh foo@shell.fr-rbx1.burble.dn42
 ```
+{{</hint>}}
 
 Your home directory is created automatically on first access and will then
 persist across logins.
@@ -45,6 +45,40 @@ The current set of packages can be found in the shell config repo:
 Requests for additional packages are welcome, please raise these as
 [issues](https://git.dn42.dev/burble/config-shell/issues) in the repo.
 
+### Webserver
+
+The shell servers include a webserver with user directories (`~/public_html/`)
+and CGI (`~/public_html/cgi-bin/`) enabled. The webserver is accessed over https
+and has a dn42 certificate auto-renewed from the
+[ACME service](https://acme.dn42/about.html).
+
+- `https://shell.fr-rbx1.burble.dn42/<username>/`
+- `https://shell.ca-bhs2.burble.dn42/<username>/`
+
+{{<hint info>}}
+Remember that any files need to be accessible by the webserver
+which runs as user/group www-data/www-data; CGI scripts must also be executable.
+The default umask of 077 means that the webserver won't be able to
+read your public_html folder or any files within it without changing permissions.
+
+A simplistic approach would be to make your home directory, and
+public_html directory world readable:
+
+```shell
+chmod a+rX ~
+chmod -R a+rX ~/public_html
+chmod -R a+rx ~/public_html/cgi-bin
+```
+
+A more secure way of allowing access would be to use posix ACLs:
+
+```shell
+setfacl -m "u:www-data:rX" ~
+setfacl -Rdm "u:www-data:rX" ~/public_html
+setfacl -Rdm "u:www-data:rx" ~/public_html/cgi-bin
+```
+{{</hint>}}
+
 ### Scratch Area (*fr-rbx1 only*)
 
 A large storage area is mounted on to /scratch
@@ -55,8 +89,10 @@ area it is recommended to create your own directory (named after your
 username) and then store all your stuff in the new directory; this will help
 prevent clutter.
 
+{{<hint warning>}}
 Note that the storage for /scratch is nfs mounted across dn42 so
 performance will be variable.
+{{</hint>}}
 
 ### Changing Shell
 
@@ -64,11 +100,13 @@ The registry import process currently limits the initial shell to /bin/bash
 and currently this cannot be changed. If you want to use something different,
 just exec to the new shell in your .profile or .bashrc.
 
+{{<hint info>}}
 Example .bashrc line for zsh:
 
 ```shell
 if [[ $- == *i* ]]; then exec /usr/bin/zsh; fi
 ```
+{{</hint>}}
 
 ### Cron, Batch and Services