diff options
| author | David Luevano Alvarado <david@luevano.xyz> | 2021-06-08 00:58:33 -0600 |
|---|---|---|
| committer | David Luevano Alvarado <david@luevano.xyz> | 2021-06-08 00:58:33 -0600 |
| commit | 5415f37e8da7615b524173f2bb6968be46128d20 (patch) | |
| tree | f108327d8a65ad14ea4007bcd317adaacb3f5eb8 | |
| parent | a3e6abf899f8185ff84089474dee6398d064f593 (diff) | |
add 404 pages, edit entries and start skeleton for xmpp server entry
| l--------- | art/dst/404.html | 1 | ||||
| l--------- | blog/dst/404.html | 1 | ||||
| -rw-r--r-- | blog/dst/a/git_server_with_cgit.html | 57 | ||||
| -rw-r--r-- | blog/dst/a/mail_server_with_postfix.html | 61 | ||||
| -rw-r--r-- | blog/dst/a/website_with_nginx.html | 49 | ||||
| -rw-r--r-- | blog/dst/rss.xml | 167 | ||||
| -rw-r--r-- | blog/dst/sitemap.xml | 20 | ||||
| -rw-r--r-- | blog/src/.files | 6 | ||||
| -rw-r--r-- | blog/src/a/git_server_with_cgit.md | 65 | ||||
| -rw-r--r-- | blog/src/a/mail_server_with_postfix.md | 54 | ||||
| -rw-r--r-- | blog/src/a/website_with_nginx.md | 58 | ||||
| -rw-r--r-- | blog/xmpp_server_with_prosody.md | 189 |
12 files changed, 482 insertions, 246 deletions
diff --git a/art/dst/404.html b/art/dst/404.html new file mode 120000 index 0000000..2274043 --- /dev/null +++ b/art/dst/404.html @@ -0,0 +1 @@ +/home/lz/dox/www/luevano.xyz/luevano/404.html
\ No newline at end of file diff --git a/blog/dst/404.html b/blog/dst/404.html new file mode 120000 index 0000000..2274043 --- /dev/null +++ b/blog/dst/404.html @@ -0,0 +1 @@ +/home/lz/dox/www/luevano.xyz/luevano/404.html
\ No newline at end of file diff --git a/blog/dst/a/git_server_with_cgit.html b/blog/dst/a/git_server_with_cgit.html index 7259b42..64cd553 100644 --- a/blog/dst/a/git_server_with_cgit.html +++ b/blog/dst/a/git_server_with_cgit.html @@ -81,20 +81,13 @@ <p>My git server is all I need to setup to actually <em>kill</em> my other server (I’ve been moving from servers on these last 2-3 blog entries), that’s why I’m already doing this entry. I’m basically following <a href="https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server">git’s guide on setting up a server</a> plus some specific stuff for (btw i use) Arch Linux (<a href="https://wiki.archlinux.org/index.php/Git_server#Web_interfaces">Arch Linux Wiki: Git server</a> and <a href="https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/">Step by step guide on setting up git server in arch linux (pushable)</a>).</p> <p>Note that this is mostly for personal use, so there’s no user/authentication control other than that of SSH. Also, most if not all commands here are run as root.</p> <h2 id="prerequisites">Prerequisites</h2> -<p>I might get tired of saying this (it’s just copy paste, basically)… but similar as before (check my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website</a> and <a href="https://blog.luevano.xyz/a/mail_server_with_postfix.html">mail</a> entries):</p> +<p>I might get tired of saying this (it’s just copy paste, basically)… but you will need the same prerequisites as before (check my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website</a> and <a href="https://blog.luevano.xyz/a/mail_server_with_postfix.html">mail</a> entries), with the extras:</p> <ul> -<li>(This time, optional) A domain name if you want to have a “front end” to show your repositories. Got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw).<ul> -<li>With a <strong>CNAME</strong> for “git” and (optionally) “www.git”, or some other name for your sub-domains.</li> +<li>(Optional, if you want a “front-end”) A <strong>CNAME</strong> for “git” and (optionally) “www.git”, or some other name for your sub-domains.</li> +<li>An SSL certificate, if you’re following the other entries, add a <code>git.conf</code> and run <code>certbot --nginx</code> to extend the certificate.</li> </ul> -</li> -<li>A VPS or somewhere else to host. I’m using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link).<ul> -<li><code>ssh</code> configured.</li> -<li>(Optionally, if doing the domain name thingy) With <code>nginx</code> and <code>certbot</code> setup and running.</li> -<li>Of course, <code>git</code> already installed (it should be a must have always).</li> -</ul> -</li> -</ul> -<h2 id="git-server">git server</h2> +<h2 id="git">Git</h2> +<p><a href="https://wiki.archlinux.org/title/git">Git</a> is a version control system.</p> <p>If not installed already, install the <code>git</code> package:</p> <pre><code class="language-sh">pacman -S git </code></pre> @@ -125,14 +118,15 @@ ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/g <pre><code class="language-sh">systemctl start git-daemon.socket systemctl enable git-daemon.socket </code></pre> -<p>You’re basically done. Now you should be able to push/pull repositories to your server… except, you haven’t created any repository in your server, that’s right, they’re not created automatically when trying to push. To do so, you have to do the following sequence (assuming you’re “<code>cd</code>‘ed” into the <code>/home/git</code> directory):</p> -<pre><code class="language-sh">mkdir {repo_name}.git -cd {repo_name}.git +<p>You’re basically done. Now you should be able to push/pull repositories to your server… except, you haven’t created any repository in your server, that’s right, they’re not created automatically when trying to push. To do so, you have to run (while inside <code>/home/git</code>):</p> +<pre><code class="language-sh">git init --bare {repo_name}.git +chown -R git:git repo_name.git </code></pre> <p>Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame… although there are options to “automate” this, I like it this way).</p> -<p>After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.), which is detailed <a href="https://gist.github.com/rvl/c3f156e117e22a25f242">here</a>.</p> -<h2 id="cgit">cgit</h2> -<p>This bit is optional if you only wanted a git server (really easy to set up), this is so you can have a web application. This is basically a copy paste of <a href="https://wiki.archlinux.org/index.php/Cgit#Nginx">Arch Linux Wiki: Cgit</a> so you can go there and get more in-depth configurations.</p> +<p>After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.); to do so, check <a href="https://gist.github.com/rvl/c3f156e117e22a25f242">this gist</a>.</p> +<h2 id="cgit">Cgit</h2> +<p><a href="https://wiki.archlinux.org/title/Cgit">Cgit</a> is a fast web interface for git.</p> +<p>This is optionally since it’s only for the web application.</p> <p>Install the <code>cgit</code> and <code>fcgiwrap</code> packages:</p> <pre><code class="language-sh">pacman -S cgit fcgiwrap </code></pre> @@ -140,7 +134,7 @@ cd {repo_name}.git <pre><code class="language-sh">systemctl start fcgiwrap.socket systemctl enable fcgiwrap.socket </code></pre> -<p>Next, the way I configure <code>nginx</code> is creating a separate file <code>{module}.conf</code> (<code>git.conf</code> in this case) under <code>/etc/nginx/sites-available</code> and create a symlink to <code>/etc/nginx/sites-enabled</code> as stated in my <a href="https://blog.luevano.xyz/a/website_with_nginx.html"><code>nginx</code> setup entry</a>. Add the following lines to your <code>git.conf</code> file:</p> +<p>Next, create the <code>git.conf</code> as stated in my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">nginx setup entry</a>. Add the following lines to your <code>git.conf</code> file:</p> <pre><code class="language-nginx">server { listen 80; listen [::]:80; @@ -161,7 +155,6 @@ systemctl enable fcgiwrap.socket <p>Where the <code>server_name</code> line depends on you, I have mine setup to <code>git.luevano.xyz</code> and <code>www.git.luevano.xyz</code>. Optionally run <code>certbot --nginx</code> to get a certificate for those domains if you don’t have already.</p> <p>Now, all that’s left is to configure <code>cgit</code>. Create the configuration file <code>/etc/cgitrc</code> with the following content (my personal options, pretty much the default):</p> <pre><code class="language-apache">css=/cgit.css -source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh logo=/cgit.png enable-http-clone=1 @@ -183,14 +176,32 @@ repo.owner=luevano repo.desc=These are my personal dotfiles. ... </code></pre> -<p>Otherwise you could let <code>cgit</code> to automatically detect your repositories (you have to be careful if you want to keep “private” repos) using the option <code>scan-path</code> and setup <code>.git/description</code> for each repository. I will add more to my actual configuration, but for now it is useful as it is. For more, you can check <a href="https://man.archlinux.org/man/cgitrc.5">cgitrc(5)</a>.</p> -<p>Finally, if you want further support for highlighting, other compressed snapshots or support for markdown, checkout the optional dependencies for <code>cgit</code> and also the Arch Wiki goes in detail on how to setup highlighting with two different packages.</p> +<p>Otherwise you could let <code>cgit</code> to automatically detect your repositories (you have to be careful if you want to keep “private” repos) using the option <code>scan-path</code> and setup <code>.git/description</code> for each repository. For more, you can check <a href="https://man.archlinux.org/man/cgitrc.5">cgitrc(5)</a>.</p> +<p>By default you can’t see the files on the site, you need a highlighter to render the files, I use <code>highlight</code>. Install the <code>highlight</code> package:</p> +<pre><code class="language-sh">pacman -S highlight +</code></pre> +<p>Copy the <code>syntax-highlighting.sh</code> script to the corresponding location (basically adding <code>-edited</code> to the file):</p> +<pre><code class="language-sh">cp /usr/lib/cgit/filters/syntax-highlighting.sh /usr/lib/cgit/filters/syntax-highlighting-edited.sh +</code></pre> +<p>And edit it to use the version 3 and add <code>--inline-css</code> for more options without editing <code>cgit</code>‘s CSS file:</p> +<pre><code class="language-sh">... +# This is for version 2 +# exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null + +# This is for version 3 +exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null +... +</code></pre> +<p>Finally, enable the filter in <code>/etc/cgitrc</code> configuration:</p> +<pre><code class="language-apache">source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh +</code></pre> +<p>That would be everything. If you need support for more stuff like compressed snapshots or support for markdown, check the optional dependencies for <code>cgit</code>.</p> <hr> <div class="article-info"> <p>By David Luévano</p> <p>Created: Sun, Mar 21, 2021 @ 19:00 UTC</p> - <p>Modified: Fri, Jun 04, 2021 @ 07:59 UTC</p> + <p>Modified: Tue, Jun 08, 2021 @ 06:53 UTC</p> <div class="article-tags"> <p>Tags: <a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p> diff --git a/blog/dst/a/mail_server_with_postfix.html b/blog/dst/a/mail_server_with_postfix.html index e44d4d2..04a1b54 100644 --- a/blog/dst/a/mail_server_with_postfix.html +++ b/blog/dst/a/mail_server_with_postfix.html @@ -79,25 +79,16 @@ <h1>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</h1> <p>The entry is going to be long because it’s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith’s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p> -<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges.</p> -<p>More in depth configuration is detailed in the Arch Wiki for each package used here.</p> +<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges.</p> <h2 id="prerequisites">Prerequisites</h2> -<p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>:</p> +<p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>, with the extras:</p> <ul> -<li>A domain name. Got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw).<ul> -<li>Later we’ll be adding some <strong>MX</strong> and <strong>TXT</strong> records.</li> -<li>You also need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on <code>nginx</code> and <code>certbot</code>) with <code>certbot</code> (just create a <code>mail.conf</code> for <code>nginx</code>, similar to how we created it in the website entry).</li> -</ul> -</li> -<li>A VPS or somewhere else to host. I’m using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link).<ul> -<li><code>ssh</code> configured.</li> -<li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use <code>ufw</code>).</li> -<li>With <code>nginx</code> and <code>certbot</code> setup and running.</li> -</ul> -</li> +<li>You will need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police).</li> +<li>An SSL certificate. You can use the SSL certificate obtained following my last post using <code>certbot</code> (just create a <code>mail.conf</code> and run <code>certbot --nginx</code> again).</li> +<li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall.</li> </ul> <h2 id="postfix">Postfix</h2> -<p><a href="https://wiki.archlinux.org/index.php/Postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> +<p><a href="https://wiki.archlinux.org/title/postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> <p>Install the <code>postfix</code> package:</p> <pre><code class="language-sh">pacman -S postfix </code></pre> @@ -133,7 +124,7 @@ smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous </code></pre> -<p>Specify the mailbox home (this is going to be a directory inside your user’s home):</p> +<p>Specify the mailbox home (this is going to be a directory inside your user’s home containing the actual mail files):</p> <pre><code class="language-apache">home_mailbox = Mail/Inbox/ </code></pre> <p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p> @@ -177,7 +168,7 @@ spamassassin unix - n n - - pipe <pre><code class="language-apache">smtps 465/tcp smtps 465/udp </code></pre> -<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first (but you can do a bit of configuration beforehand). Edit the file <code>/etc/postfix/aliases</code> and edit accordingly. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). Check the Arch Wiki for more info and other alternatives/options. After you’re done, run:</p> +<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first, but you can do a bit of configuration beforehand editing the file <code>/etc/postfix/aliases</code>. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). After you’re done, run:</p> <pre><code class="language-sh">postalias /etc/postfix/aliases newaliases </code></pre> @@ -186,7 +177,7 @@ newaliases systemctl enable postfix.service </code></pre> <h2 id="dovecot">Dovecot</h2> -<p><a href="https://wiki.archlinux.org/index.php/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p> +<p><a href="https://wiki.archlinux.org/title/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p> <p>Install the <code>dovecot</code> and <code>pigeonhole</code> (sieve for <code>dovecot</code>) packages:</p> <pre><code class="language-sh">pacman -S dovecot pigeonhole </code></pre> @@ -195,8 +186,8 @@ systemctl enable postfix.service cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot </code></pre> -<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p> -<p>I’m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the Postfix section above, note that the <code><</code> is required):</p> +<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p> +<p>I’m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the <a href="#postfix">Postfix</a> section above, note that the <code><</code> is required):</p> <pre><code class="language-apache">ssl = required ssl_cert = <{yourcertdir}/fullchain.pem ssl_key = <{yourcertdir}/privkey.pem @@ -260,7 +251,7 @@ namespace inbox { } } </code></pre> -<p>Lastly (for <code>dovecot</code> at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p> +<p>Lastly (for Dovecot at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p> <pre><code class="language-apache">protocol lda { mail_plugins = $mail_plugins sieve } @@ -288,20 +279,20 @@ if header :contains "X-Spam-Flag" "YES" { <pre><code class="language-sh">grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin chown -R vmail:vmail /var/lib/dovecot </code></pre> -<p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, run:</p> +<p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, to compile the configuration file run:</p> <pre><code class="language-sh">sievec /var/lib/dovecot/sieve/default.sieve </code></pre> -<p>To compile the configuration file (a <code>default.svbin</code> file will be created next to <code>default.sieve</code>).</p> +<p>A <code>default.svbin</code> file will be created next to <code>default.sieve</code>.</p> <p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn’t be there if you’ve been following these notes):</p> <pre><code class="language-txt">auth required pam_unix.so nullok account required pam_unix.so </code></pre> -<p>That’s it for <code>dovecot</code>, at this point you can start/enable the <code>dovecot</code> service:</p> +<p>That’s it for Dovecot, at this point you can start/enable the <code>dovecot</code> service:</p> <pre><code class="language-sh">systemctl start dovecot.service systemctl enable dovecot.service </code></pre> <h2 id="opendkim">OpenDKIM</h2> -<p><a href="https://wiki.archlinux.org/index.php/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> +<p><a href="https://wiki.archlinux.org/title/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> <p>Install the <code>opendkim</code> package:</p> <pre><code class="language-sh">pacman -S opendkim </code></pre> @@ -330,7 +321,7 @@ localhost ... </code></pre> <p>And more, make sure to include your server IP and something like <code>subdomain.domainname</code>.</p> -<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I’m creating a blank one with the contents:</p> +<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, addition) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I’m creating a blank one with the contents:</p> <pre><code class="language-apache">Domain {yourdomain} Selector {yoursubdomain} @@ -345,7 +336,7 @@ Socket inet:8891@localhost chmod g+r /etc/postfix/dkim/* </code></pre> <p>I’m using <code>root:opendkim</code> so <code>opendkim</code> doesn’t complain about the <code>{yoursubdomani}.private</code> being insecure (you can change that by using the option <code>RequireSafeKeys False</code> in the <code>opendkim.conf</code> file, as stated <a href="http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html">here</a>).</p> -<p>That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the <a href="https://wiki.archlinux.org/index.php/OpenDKIM#Security">Arch Wiki entry for OpenDKIM</a>.</p> +<p>That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration.</p> <p>Now, just start/enable the <code>opendkim</code> service:</p> <pre><code class="language-sh">systemctl start opendkim.service systemctl enable opendkim.service @@ -367,9 +358,9 @@ systemctl enable opendkim.service <p><em>SPF</em> entry: just <code>@</code> as the “Host” and <code>"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"</code> as the “TXT Value”.</p> </li> </ol> -<p>And at this point you could test your mail for spoofing and more, but you don’t know -yet- how to login (it’s really easy, but I’m gonna state that at the end of this entry).</p> +<p>And at this point you could test your mail for spoofing and more.</p> <h2 id="spamassassin">SpamAssassin</h2> -<p><a href="https://wiki.archlinux.org/index.php/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p> +<p><a href="https://wiki.archlinux.org/title/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p> <p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages…):</p> <pre><code class="language-sh">pacman -S spamassassin </code></pre> @@ -422,7 +413,7 @@ ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/sp systemctl enable spamassassin.service </code></pre> <h2 id="wrapping-up">Wrapping up</h2> -<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code>for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p> +<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code> for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p> <p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don’t use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p> <p>Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don’t need a lot of settings):</p> <ul> @@ -437,15 +428,17 @@ systemctl enable spamassassin.service <li>Password: your <code>user</code> password (as in the password you use to login to the server with that user)</li> </ul> <p>All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p> -<p><img alt="DKIM Test successful" src="images/b/notes/mail/dkim_test_successful.png"></p> -<p>(Yes, I blurred a lot in the picture just to be sure, either way what’s important is the list on the bottom part of the image)</p> -<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you have my info down below.</p> +<figure id="__yafg-figure-3"> +<img alt="DKIM Test successful" src="images/b/notes/mail/dkim_test_successful.png" title="DKIM Test successful"> +<figcaption>DKIM Test successful</figcaption> +</figure> +<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you can <a href="https://luevano.xyz/contact.html">contact me</a>.</p> <hr> <div class="article-info"> <p>By David Luévano</p> <p>Created: Sun, Mar 21, 2021 @ 04:05 UTC</p> - <p>Modified: Sun, Jun 06, 2021 @ 00:24 UTC</p> + <p>Modified: Tue, Jun 08, 2021 @ 06:27 UTC</p> <div class="article-tags"> <p>Tags: <a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p> diff --git a/blog/dst/a/website_with_nginx.html b/blog/dst/a/website_with_nginx.html index 7e5bd99..caf756f 100644 --- a/blog/dst/a/website_with_nginx.html +++ b/blog/dst/a/website_with_nginx.html @@ -95,14 +95,18 @@ </li> </ul> <h2 id="nginx">Nginx</h2> +<p><a href="https://wiki.archlinux.org/title/Nginx">Nginx</a> is a web (HTTP) server and reverse proxy server.</p> <p>You have two options: <code>nginx</code> and <code>nginx-mainline</code>. I prefer <code>nginx-mainline</code> because it’s the “up to date” package even though <code>nginx</code> is labeled to be the “stable” version. Install the package and enable/start the service:</p> <pre><code class="language-sh">pacman -S nginx-mainline systemctl enable nginx.service systemctl start nginx.service </code></pre> -<p>And that’s it, at this point you can already look at the default initial page of nginx if you enter the ip of your server in a web browser. You should see something like this:</p> -<p><img alt="Nginx welcome page" src="images/b/notes/nginx/nginx_welcome_page.png"></p> -<p>As stated in the welcome page, configuration is needed, head to the directory of nginx:</p> +<p>And that’s it, at this point you can already look at the default initial page of Nginx if you enter the IP of your server in a web browser. You should see something like this:</p> +<figure id="__yafg-figure-1"> +<img alt="Nginx welcome page" src="images/b/notes/nginx/nginx_welcome_page.png" title="Nginx welcome page"> +<figcaption>Nginx welcome page</figcaption> +</figure> +<p>As stated in the welcome page, configuration is needed, head to the directory of Nginx:</p> <pre><code class="language-sh">cd /etc/nginx </code></pre> <p>Here you have several files, the important one is <code>nginx.conf</code>, which as its name implies, contains general configuration of the web server. If you peek into the file, you will see that it contains around 120 lines, most of which are commented out and contains the welcome page server block. While you can configure a website in this file, it’s common practice to do it on a separate file (so you can scale really easily if needed for mor websites or sub-domains).</p> @@ -125,7 +129,7 @@ http { types_hash_max_size 4096; } </code></pre> -<p>Next, inside the directory <code>/etc/nginx/</code> create the <code>sites-available</code> and <code>sites-enabled</code>, and go into the <code>sites-available</code> one:</p> +<p>Next, inside the directory <code>/etc/nginx/</code> create the <code>sites-available</code> and <code>sites-enabled</code> directories, and go into the <code>sites-available</code> one:</p> <pre><code class="language-sh">mkdir sites-available mkdir sites-enabled cd sites-available @@ -144,28 +148,32 @@ cd sites-available } } </code></pre> -<p>Note several things:</p> +<p>That could serve as a template if you intend to add more domains.</p> +<p>Note some things:</p> <ul> -<li><code>listen</code>: we’re telling nginx which port to listen to (ipv4 and ipv6, respectively).</li> +<li><code>listen</code>: we’re telling Nginx which port to listen to (IPv4 and IPv6, respectively).</li> <li><code>root</code>: the root directory of where the website files (<code>.html</code>, <code>.css</code>, <code>.js</code>, etc. files) are located. I followed Luke’s directory path <code>/var/www/some_folder</code>.</li> -<li><code>server_name</code>: the actual domain to “listen” to (for my website it is: <code>server_name luevano.xyz www.luevano.xyz</code>; and for this blog is: <code>server_name blog.luevano.xyz www.blog.luevano.xyz</code>).</li> +<li><code>server_name</code>: the actual domain to “listen” to (for my website it is: <code>server_name luevano.xyz www.luevano.xyz;</code> and for this blog is: <code>server_name blog.luevano.xyz www.blog.luevano.xyz;</code>).</li> <li><code>index</code>: what file to serve as the index (could be any <code>.html</code>, <code>.htm</code>, <code>.php</code>, etc. file) when just entering the website.</li> -<li><code>location</code>: used in case of different configurations across different URL paths.<ul> -<li><code>try_files</code>: tells what files to look for, don’t look into this too much for now.</li> +<li><code>location</code>: what goes after <code>domain.name</code>, used in case of different configurations depending on the URL paths (deny access on <code>/private</code>, make a proxy on <code>/proxy</code>, etc).<ul> +<li><code>try_files</code>: tells what files to look for.</li> </ul> </li> </ul> -<p>Then, make a symbolic from this config file to the <code>sites-enabled</code> directory:</p> +<p>Then, make a symbolic link from this configuration file to the <code>sites-enabled</code> directory:</p> <pre><code class="language-sh">ln -s /etc/nginx/sites-available/your_config_file.conf /etc/nginx/sites-enabled </code></pre> -<p>This is so the <code>nginx.conf</code> file can look up the newly created server config. With this method of having each server configuration file separate you can easily “deactivate” any website by just deleting the symbolic link in <code>sites-enabled</code> and you’re good, or just add new configuration files and keep everything nice and tidy.</p> -<p>All you have to do now is restart (or enable and start if you haven’t already) the nginx service (and optionally test the configuration):</p> +<p>This is so the <code>nginx.conf</code> file can look up the newly created server configuration. With this method of having each server configuration file separate you can easily “deactivate” any website by just deleting the symbolic link in <code>sites-enabled</code> and you’re good, or just add new configuration files and keep everything nice and tidy.</p> +<p>All you have to do now is restart (or enable and start if you haven’t already) the Nginx service (and optionally test the configuration):</p> <pre><code class="language-sh">nginx -t systemctl restart nginx </code></pre> -<p>If everything goes correctly, you can now go to your website by typing “domain.name” on a web browser. But you will see a “404 Not Found” page like the following (maybe with different nginx version):</p> -<p><img alt="Nginx 404 page" src="images/b/notes/nginx/nginx_404_page.png"></p> -<p>That’s no problem, because it means that the web server it’s actually working. Just add an <code>index.html</code> file with something simple to see it in action. If you keep seeing the 404 page make sure your <code>root</code> line is correct and that the directory/index file exists.</p> +<p>If everything goes correctly, you can now go to your website by typing <code>domain.name</code> on a web browser. But you will see a “404 Not Found” page like the following (maybe with different Nginx version):</p> +<figure id="__yafg-figure-2"> +<img alt="Nginx 404 Not Found page" src="images/b/notes/nginx/nginx_404_page.png" title="Nginx 404 Not Found page"> +<figcaption>Nginx 404 Not Found page</figcaption> +</figure> +<p>That’s no problem, because it means that the web server it’s actually working. Just add an <code>index.html</code> file with something simple to see it in action (in the <code>/var/www/some_folder</code> that you decided upon). If you keep seeing the 404 page make sure your <code>root</code> line is correct and that the directory/index file exists.</p> <p>I like to remove the <code>.html</code> and trailing <code>/</code> on the URLs of my website, for that you need to add the following <code>rewrite</code> lines and modify the <code>try_files</code> line (for more: <a href="https://www.seancdavis.com/blog/remove-html-extension-and-trailing-slash-in-nginx-config/">Sean C. Davis: Remove HTML Extension And Trailing Slash In Nginx Config</a>):</p> <pre><code class="language-nginx">server { ... @@ -175,27 +183,26 @@ systemctl restart nginx try_files $uri/index.html $uri.html $uri/ $uri =404; ... </code></pre> -<p>For more: <a href="https://wiki.archlinux.org/index.php/nginx">Arch Linux Wiki: nginx</a>.</p> <h2 id="certbot">Certbot</h2> -<p>The only “bad” (bloated) thing about certbot, is that it uses <code>python</code>, but for me it doesn’t matter too much. You may want to look up another alternative if you prefer. Install the packages <code>certbot</code> and <code>certbot-nginx</code>:</p> +<p><a href="https://wiki.archlinux.org/title/Certbot">Certbot</a> is what provides the SSL certificates via <a href="https://letsencrypt.org/">Let’s Encrypt</a>.</p> +<p>The only “bad” (bloated) thing about Certbot, is that it uses <code>python</code>, but for me it doesn’t matter too much. You may want to look up another alternative if you prefer. Install the packages <code>certbot</code> and <code>certbot-nginx</code>:</p> <pre><code class="language-sh">pacman -S certbot certbot-nginx </code></pre> <p>After that, all you have to do now is run <code>certbot</code> and follow the instructions given by the tool:</p> <pre><code class="language-sh">certbot --nginx </code></pre> -<p>It will ask you for some information, for you to accept some agreements and the names to activate https for. Also, you will want to “say yes” to the redirection from http to https. And that’s it, you can now go to your website and see that you have https active.</p> +<p>It will ask you for some information, for you to accept some agreements and the names to activate HTTPS for. Also, you will want to “say yes” to the redirection from HTTP to HTTPS. And that’s it, you can now go to your website and see that you have HTTPS active.</p> <p>Now, the certificate given by <code>certbot</code> expires every 3 months or something like that, so you want to renew this certificate every once in a while. Using <code>cron</code>, you can do this by running:</p> <pre><code class="language-sh">crontab -e </code></pre> -<p>And a file will be opened where you need to add a new rule for certbot, just append the line: <code>1 1 1 * * certbot renew</code> (renew on the first day of every month) and you’re good. Alternatively use <code>systemd</code> timers as stated in the <a href="https://wiki.archlinux.org/index.php/Certbot#Automatic_renewal">Arch Linux Wiki</a>.</p> -<p>For more: <a href="https://wiki.archlinux.org/index.php/Certbot">Arch Linux Wiki: Certbot</a>.</p> +<p>And a file will be opened where you need to add a new rule for Certbot, just append the line: <code>1 1 1 * * certbot renew</code> (renew on the first day of every month) and you’re good. Alternatively use <code>systemd</code> timers as stated in the <a href="https://wiki.archlinux.org/title/Certbot#Automatic_renewal">Arch Linux Wiki</a>.</p> <p>That’s it, you now have a website with SSL certificate.</p> <hr> <div class="article-info"> <p>By David Luévano</p> <p>Created: Fri, Mar 19, 2021 @ 02:58 UTC</p> - <p>Modified: Sun, Jun 06, 2021 @ 00:23 UTC</p> + <p>Modified: Tue, Jun 08, 2021 @ 06:11 UTC</p> <div class="article-tags"> <p>Tags: <a href="https://blog.luevano.xyz/tag/@english.html">english</a>, <a href="https://blog.luevano.xyz/tag/@server.html">server</a>, <a href="https://blog.luevano.xyz/tag/@tools.html">tools</a>, <a href="https://blog.luevano.xyz/tag/@tutorial.html">tutorial</a> </p> diff --git a/blog/dst/rss.xml b/blog/dst/rss.xml index 248050b..94e819c 100644 --- a/blog/dst/rss.xml +++ b/blog/dst/rss.xml @@ -13,9 +13,9 @@ <copyright>Copyright 2021 David Luévano Alvarado</copyright> <managingEditor>david@luevano.xyz (David Luévano Alvarado)</managingEditor> <webMaster>david@luevano.xyz (David Luévano Alvarado)</webMaster> - <pubDate>Sun, 06 Jun 2021 19:08:48 GMT</pubDate> - <lastBuildDate>Sun, 06 Jun 2021 19:08:48 GMT</lastBuildDate> - <generator>pyssg v0.5.7</generator> + <pubDate>Tue, 08 Jun 2021 06:57:28 GMT</pubDate> + <lastBuildDate>Tue, 08 Jun 2021 06:57:28 GMT</lastBuildDate> + <generator>pyssg v0.5.9</generator> <docs>https://validator.w3.org/feed/docs/rss2.html</docs> <ttl>30</ttl> <image> @@ -81,20 +81,13 @@ <content:encoded><![CDATA[<p>My git server is all I need to setup to actually <em>kill</em> my other server (I’ve been moving from servers on these last 2-3 blog entries), that’s why I’m already doing this entry. I’m basically following <a href="https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server">git’s guide on setting up a server</a> plus some specific stuff for (btw i use) Arch Linux (<a href="https://wiki.archlinux.org/index.php/Git_server#Web_interfaces">Arch Linux Wiki: Git server</a> and <a href="https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/">Step by step guide on setting up git server in arch linux (pushable)</a>).</p> <p>Note that this is mostly for personal use, so there’s no user/authentication control other than that of SSH. Also, most if not all commands here are run as root.</p> <h2 id="prerequisites">Prerequisites</h2> -<p>I might get tired of saying this (it’s just copy paste, basically)… but similar as before (check my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website</a> and <a href="https://blog.luevano.xyz/a/mail_server_with_postfix.html">mail</a> entries):</p> +<p>I might get tired of saying this (it’s just copy paste, basically)… but you will need the same prerequisites as before (check my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website</a> and <a href="https://blog.luevano.xyz/a/mail_server_with_postfix.html">mail</a> entries), with the extras:</p> <ul> -<li>(This time, optional) A domain name if you want to have a “front end” to show your repositories. Got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw).<ul> -<li>With a <strong>CNAME</strong> for “git” and (optionally) “www.git”, or some other name for your sub-domains.</li> +<li>(Optional, if you want a “front-end”) A <strong>CNAME</strong> for “git” and (optionally) “www.git”, or some other name for your sub-domains.</li> +<li>An SSL certificate, if you’re following the other entries, add a <code>git.conf</code> and run <code>certbot --nginx</code> to extend the certificate.</li> </ul> -</li> -<li>A VPS or somewhere else to host. I’m using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link).<ul> -<li><code>ssh</code> configured.</li> -<li>(Optionally, if doing the domain name thingy) With <code>nginx</code> and <code>certbot</code> setup and running.</li> -<li>Of course, <code>git</code> already installed (it should be a must have always).</li> -</ul> -</li> -</ul> -<h2 id="git-server">git server</h2> +<h2 id="git">Git</h2> +<p><a href="https://wiki.archlinux.org/title/git">Git</a> is a version control system.</p> <p>If not installed already, install the <code>git</code> package:</p> <pre><code class="language-sh">pacman -S git </code></pre> @@ -125,14 +118,15 @@ ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/g <pre><code class="language-sh">systemctl start git-daemon.socket systemctl enable git-daemon.socket </code></pre> -<p>You’re basically done. Now you should be able to push/pull repositories to your server… except, you haven’t created any repository in your server, that’s right, they’re not created automatically when trying to push. To do so, you have to do the following sequence (assuming you’re “<code>cd</code>‘ed” into the <code>/home/git</code> directory):</p> -<pre><code class="language-sh">mkdir {repo_name}.git -cd {repo_name}.git +<p>You’re basically done. Now you should be able to push/pull repositories to your server… except, you haven’t created any repository in your server, that’s right, they’re not created automatically when trying to push. To do so, you have to run (while inside <code>/home/git</code>):</p> +<pre><code class="language-sh">git init --bare {repo_name}.git +chown -R git:git repo_name.git </code></pre> <p>Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame… although there are options to “automate” this, I like it this way).</p> -<p>After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.), which is detailed <a href="https://gist.github.com/rvl/c3f156e117e22a25f242">here</a>.</p> -<h2 id="cgit">cgit</h2> -<p>This bit is optional if you only wanted a git server (really easy to set up), this is so you can have a web application. This is basically a copy paste of <a href="https://wiki.archlinux.org/index.php/Cgit#Nginx">Arch Linux Wiki: Cgit</a> so you can go there and get more in-depth configurations.</p> +<p>After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.); to do so, check <a href="https://gist.github.com/rvl/c3f156e117e22a25f242">this gist</a>.</p> +<h2 id="cgit">Cgit</h2> +<p><a href="https://wiki.archlinux.org/title/Cgit">Cgit</a> is a fast web interface for git.</p> +<p>This is optionally since it’s only for the web application.</p> <p>Install the <code>cgit</code> and <code>fcgiwrap</code> packages:</p> <pre><code class="language-sh">pacman -S cgit fcgiwrap </code></pre> @@ -140,7 +134,7 @@ cd {repo_name}.git <pre><code class="language-sh">systemctl start fcgiwrap.socket systemctl enable fcgiwrap.socket </code></pre> -<p>Next, the way I configure <code>nginx</code> is creating a separate file <code>{module}.conf</code> (<code>git.conf</code> in this case) under <code>/etc/nginx/sites-available</code> and create a symlink to <code>/etc/nginx/sites-enabled</code> as stated in my <a href="https://blog.luevano.xyz/a/website_with_nginx.html"><code>nginx</code> setup entry</a>. Add the following lines to your <code>git.conf</code> file:</p> +<p>Next, create the <code>git.conf</code> as stated in my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">nginx setup entry</a>. Add the following lines to your <code>git.conf</code> file:</p> <pre><code class="language-nginx">server { listen 80; listen [::]:80; @@ -161,7 +155,6 @@ systemctl enable fcgiwrap.socket <p>Where the <code>server_name</code> line depends on you, I have mine setup to <code>git.luevano.xyz</code> and <code>www.git.luevano.xyz</code>. Optionally run <code>certbot --nginx</code> to get a certificate for those domains if you don’t have already.</p> <p>Now, all that’s left is to configure <code>cgit</code>. Create the configuration file <code>/etc/cgitrc</code> with the following content (my personal options, pretty much the default):</p> <pre><code class="language-apache">css=/cgit.css -source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh logo=/cgit.png enable-http-clone=1 @@ -183,8 +176,26 @@ repo.owner=luevano repo.desc=These are my personal dotfiles. ... </code></pre> -<p>Otherwise you could let <code>cgit</code> to automatically detect your repositories (you have to be careful if you want to keep “private” repos) using the option <code>scan-path</code> and setup <code>.git/description</code> for each repository. I will add more to my actual configuration, but for now it is useful as it is. For more, you can check <a href="https://man.archlinux.org/man/cgitrc.5">cgitrc(5)</a>.</p> -<p>Finally, if you want further support for highlighting, other compressed snapshots or support for markdown, checkout the optional dependencies for <code>cgit</code> and also the Arch Wiki goes in detail on how to setup highlighting with two different packages.</p>]]></content:encoded> +<p>Otherwise you could let <code>cgit</code> to automatically detect your repositories (you have to be careful if you want to keep “private” repos) using the option <code>scan-path</code> and setup <code>.git/description</code> for each repository. For more, you can check <a href="https://man.archlinux.org/man/cgitrc.5">cgitrc(5)</a>.</p> +<p>By default you can’t see the files on the site, you need a highlighter to render the files, I use <code>highlight</code>. Install the <code>highlight</code> package:</p> +<pre><code class="language-sh">pacman -S highlight +</code></pre> +<p>Copy the <code>syntax-highlighting.sh</code> script to the corresponding location (basically adding <code>-edited</code> to the file):</p> +<pre><code class="language-sh">cp /usr/lib/cgit/filters/syntax-highlighting.sh /usr/lib/cgit/filters/syntax-highlighting-edited.sh +</code></pre> +<p>And edit it to use the version 3 and add <code>--inline-css</code> for more options without editing <code>cgit</code>‘s CSS file:</p> +<pre><code class="language-sh">... +# This is for version 2 +# exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null + +# This is for version 3 +exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null +... +</code></pre> +<p>Finally, enable the filter in <code>/etc/cgitrc</code> configuration:</p> +<pre><code class="language-apache">source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh +</code></pre> +<p>That would be everything. If you need support for more stuff like compressed snapshots or support for markdown, check the optional dependencies for <code>cgit</code>.</p>]]></content:encoded> </item> <item> <title>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</title> @@ -197,25 +208,16 @@ repo.desc=These are my personal dotfiles. <category>Tutorial</category> <description>How to create mail server using Postfix, Dovecot, SpamAssassin and OpenDKIM. This is a follow up on post about creating a website with Nginx and Certbot.</description> <content:encoded><![CDATA[<p>The entry is going to be long because it’s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith’s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p> -<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges.</p> -<p>More in depth configuration is detailed in the Arch Wiki for each package used here.</p> +<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges.</p> <h2 id="prerequisites">Prerequisites</h2> -<p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>:</p> +<p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>, with the extras:</p> <ul> -<li>A domain name. Got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw).<ul> -<li>Later we’ll be adding some <strong>MX</strong> and <strong>TXT</strong> records.</li> -<li>You also need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on <code>nginx</code> and <code>certbot</code>) with <code>certbot</code> (just create a <code>mail.conf</code> for <code>nginx</code>, similar to how we created it in the website entry).</li> -</ul> -</li> -<li>A VPS or somewhere else to host. I’m using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link).<ul> -<li><code>ssh</code> configured.</li> -<li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use <code>ufw</code>).</li> -<li>With <code>nginx</code> and <code>certbot</code> setup and running.</li> -</ul> -</li> +<li>You will need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police).</li> +<li>An SSL certificate. You can use the SSL certificate obtained following my last post using <code>certbot</code> (just create a <code>mail.conf</code> and run <code>certbot --nginx</code> again).</li> +<li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall.</li> </ul> <h2 id="postfix">Postfix</h2> -<p><a href="https://wiki.archlinux.org/index.php/Postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> +<p><a href="https://wiki.archlinux.org/title/postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p> <p>Install the <code>postfix</code> package:</p> <pre><code class="language-sh">pacman -S postfix </code></pre> @@ -251,7 +253,7 @@ smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous </code></pre> -<p>Specify the mailbox home (this is going to be a directory inside your user’s home):</p> +<p>Specify the mailbox home (this is going to be a directory inside your user’s home containing the actual mail files):</p> <pre><code class="language-apache">home_mailbox = Mail/Inbox/ </code></pre> <p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p> @@ -295,7 +297,7 @@ spamassassin unix - n n - - pipe <pre><code class="language-apache">smtps 465/tcp smtps 465/udp </code></pre> -<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first (but you can do a bit of configuration beforehand). Edit the file <code>/etc/postfix/aliases</code> and edit accordingly. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). Check the Arch Wiki for more info and other alternatives/options. After you’re done, run:</p> +<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first, but you can do a bit of configuration beforehand editing the file <code>/etc/postfix/aliases</code>. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). After you’re done, run:</p> <pre><code class="language-sh">postalias /etc/postfix/aliases newaliases </code></pre> @@ -304,7 +306,7 @@ newaliases systemctl enable postfix.service </code></pre> <h2 id="dovecot">Dovecot</h2> -<p><a href="https://wiki.archlinux.org/index.php/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p> +<p><a href="https://wiki.archlinux.org/title/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p> <p>Install the <code>dovecot</code> and <code>pigeonhole</code> (sieve for <code>dovecot</code>) packages:</p> <pre><code class="language-sh">pacman -S dovecot pigeonhole </code></pre> @@ -313,8 +315,8 @@ systemctl enable postfix.service cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot </code></pre> -<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p> -<p>I’m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the Postfix section above, note that the <code><</code> is required):</p> +<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p> +<p>I’m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the <a href="#postfix">Postfix</a> section above, note that the <code><</code> is required):</p> <pre><code class="language-apache">ssl = required ssl_cert = <{yourcertdir}/fullchain.pem ssl_key = <{yourcertdir}/privkey.pem @@ -378,7 +380,7 @@ namespace inbox { } } </code></pre> -<p>Lastly (for <code>dovecot</code> at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p> +<p>Lastly (for Dovecot at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p> <pre><code class="language-apache">protocol lda { mail_plugins = $mail_plugins sieve } @@ -406,20 +408,20 @@ if header :contains "X-Spam-Flag" "YES" { <pre><code class="language-sh">grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin chown -R vmail:vmail /var/lib/dovecot </code></pre> -<p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, run:</p> +<p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, to compile the configuration file run:</p> <pre><code class="language-sh">sievec /var/lib/dovecot/sieve/default.sieve </code></pre> -<p>To compile the configuration file (a <code>default.svbin</code> file will be created next to <code>default.sieve</code>).</p> +<p>A <code>default.svbin</code> file will be created next to <code>default.sieve</code>.</p> <p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn’t be there if you’ve been following these notes):</p> <pre><code class="language-txt">auth required pam_unix.so nullok account required pam_unix.so </code></pre> -<p>That’s it for <code>dovecot</code>, at this point you can start/enable the <code>dovecot</code> service:</p> +<p>That’s it for Dovecot, at this point you can start/enable the <code>dovecot</code> service:</p> <pre><code class="language-sh">systemctl start dovecot.service systemctl enable dovecot.service </code></pre> <h2 id="opendkim">OpenDKIM</h2> -<p><a href="https://wiki.archlinux.org/index.php/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> +<p><a href="https://wiki.archlinux.org/title/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p> <p>Install the <code>opendkim</code> package:</p> <pre><code class="language-sh">pacman -S opendkim </code></pre> @@ -448,7 +450,7 @@ localhost ... </code></pre> <p>And more, make sure to include your server IP and something like <code>subdomain.domainname</code>.</p> -<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I’m creating a blank one with the contents:</p> +<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, addition) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I’m creating a blank one with the contents:</p> <pre><code class="language-apache">Domain {yourdomain} Selector {yoursubdomain} @@ -463,7 +465,7 @@ Socket inet:8891@localhost chmod g+r /etc/postfix/dkim/* </code></pre> <p>I’m using <code>root:opendkim</code> so <code>opendkim</code> doesn’t complain about the <code>{yoursubdomani}.private</code> being insecure (you can change that by using the option <code>RequireSafeKeys False</code> in the <code>opendkim.conf</code> file, as stated <a href="http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html">here</a>).</p> -<p>That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the <a href="https://wiki.archlinux.org/index.php/OpenDKIM#Security">Arch Wiki entry for OpenDKIM</a>.</p> +<p>That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration.</p> <p>Now, just start/enable the <code>opendkim</code> service:</p> <pre><code class="language-sh">systemctl start opendkim.service systemctl enable opendkim.service @@ -485,9 +487,9 @@ systemctl enable opendkim.service <p><em>SPF</em> entry: just <code>@</code> as the “Host” and <code>"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"</code> as the “TXT Value”.</p> </li> </ol> -<p>And at this point you could test your mail for spoofing and more, but you don’t know -yet- how to login (it’s really easy, but I’m gonna state that at the end of this entry).</p> +<p>And at this point you could test your mail for spoofing and more.</p> <h2 id="spamassassin">SpamAssassin</h2> -<p><a href="https://wiki.archlinux.org/index.php/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p> +<p><a href="https://wiki.archlinux.org/title/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p> <p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages…):</p> <pre><code class="language-sh">pacman -S spamassassin </code></pre> @@ -540,7 +542,7 @@ ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/sp systemctl enable spamassassin.service </code></pre> <h2 id="wrapping-up">Wrapping up</h2> -<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code>for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p> +<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code> for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p> <p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don’t use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p> <p>Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don’t need a lot of settings):</p> <ul> @@ -555,9 +557,11 @@ systemctl enable spamassassin.service <li>Password: your <code>user</code> password (as in the password you use to login to the server with that user)</li> </ul> <p>All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p> -<p><img alt="DKIM Test successful" src="images/b/notes/mail/dkim_test_successful.png"></p> -<p>(Yes, I blurred a lot in the picture just to be sure, either way what’s important is the list on the bottom part of the image)</p> -<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you have my info down below.</p>]]></content:encoded> +<figure id="__yafg-figure-3"> +<img alt="DKIM Test successful" src="images/b/notes/mail/dkim_test_successful.png" title="DKIM Test successful"> +<figcaption>DKIM Test successful</figcaption> +</figure> +<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you can <a href="https://luevano.xyz/contact.html">contact me</a>.</p>]]></content:encoded> </item> <item> <title>Create a website with Nginx and Certbot</title> @@ -586,14 +590,18 @@ systemctl enable spamassassin.service </li> </ul> <h2 id="nginx">Nginx</h2> +<p><a href="https://wiki.archlinux.org/title/Nginx">Nginx</a> is a web (HTTP) server and reverse proxy server.</p> <p>You have two options: <code>nginx</code> and <code>nginx-mainline</code>. I prefer <code>nginx-mainline</code> because it’s the “up to date” package even though <code>nginx</code> is labeled to be the “stable” version. Install the package and enable/start the service:</p> <pre><code class="language-sh">pacman -S nginx-mainline systemctl enable nginx.service systemctl start nginx.service </code></pre> -<p>And that’s it, at this point you can already look at the default initial page of nginx if you enter the ip of your server in a web browser. You should see something like this:</p> -<p><img alt="Nginx welcome page" src="images/b/notes/nginx/nginx_welcome_page.png"></p> -<p>As stated in the welcome page, configuration is needed, head to the directory of nginx:</p> +<p>And that’s it, at this point you can already look at the default initial page of Nginx if you enter the IP of your server in a web browser. You should see something like this:</p> +<figure id="__yafg-figure-1"> +<img alt="Nginx welcome page" src="images/b/notes/nginx/nginx_welcome_page.png" title="Nginx welcome page"> +<figcaption>Nginx welcome page</figcaption> +</figure> +<p>As stated in the welcome page, configuration is needed, head to the directory of Nginx:</p> <pre><code class="language-sh">cd /etc/nginx </code></pre> <p>Here you have several files, the important one is <code>nginx.conf</code>, which as its name implies, contains general configuration of the web server. If you peek into the file, you will see that it contains around 120 lines, most of which are commented out and contains the welcome page server block. While you can configure a website in this file, it’s common practice to do it on a separate file (so you can scale really easily if needed for mor websites or sub-domains).</p> @@ -616,7 +624,7 @@ http { types_hash_max_size 4096; } </code></pre> -<p>Next, inside the directory <code>/etc/nginx/</code> create the <code>sites-available</code> and <code>sites-enabled</code>, and go into the <code>sites-available</code> one:</p> +<p>Next, inside the directory <code>/etc/nginx/</code> create the <code>sites-available</code> and <code>sites-enabled</code> directories, and go into the <code>sites-available</code> one:</p> <pre><code class="language-sh">mkdir sites-available mkdir sites-enabled cd sites-available @@ -635,28 +643,32 @@ cd sites-available } } </code></pre> -<p>Note several things:</p> +<p>That could serve as a template if you intend to add more domains.</p> +<p>Note some things:</p> <ul> -<li><code>listen</code>: we’re telling nginx which port to listen to (ipv4 and ipv6, respectively).</li> +<li><code>listen</code>: we’re telling Nginx which port to listen to (IPv4 and IPv6, respectively).</li> <li><code>root</code>: the root directory of where the website files (<code>.html</code>, <code>.css</code>, <code>.js</code>, etc. files) are located. I followed Luke’s directory path <code>/var/www/some_folder</code>.</li> -<li><code>server_name</code>: the actual domain to “listen” to (for my website it is: <code>server_name luevano.xyz www.luevano.xyz</code>; and for this blog is: <code>server_name blog.luevano.xyz www.blog.luevano.xyz</code>).</li> +<li><code>server_name</code>: the actual domain to “listen” to (for my website it is: <code>server_name luevano.xyz www.luevano.xyz;</code> and for this blog is: <code>server_name blog.luevano.xyz www.blog.luevano.xyz;</code>).</li> <li><code>index</code>: what file to serve as the index (could be any <code>.html</code>, <code>.htm</code>, <code>.php</code>, etc. file) when just entering the website.</li> -<li><code>location</code>: used in case of different configurations across different URL paths.<ul> -<li><code>try_files</code>: tells what files to look for, don’t look into this too much for now.</li> +<li><code>location</code>: what goes after <code>domain.name</code>, used in case of different configurations depending on the URL paths (deny access on <code>/private</code>, make a proxy on <code>/proxy</code>, etc).<ul> +<li><code>try_files</code>: tells what files to look for.</li> </ul> </li> </ul> -<p>Then, make a symbolic from this config file to the <code>sites-enabled</code> directory:</p> +<p>Then, make a symbolic link from this configuration file to the <code>sites-enabled</code> directory:</p> <pre><code class="language-sh">ln -s /etc/nginx/sites-available/your_config_file.conf /etc/nginx/sites-enabled </code></pre> -<p>This is so the <code>nginx.conf</code> file can look up the newly created server config. With this method of having each server configuration file separate you can easily “deactivate” any website by just deleting the symbolic link in <code>sites-enabled</code> and you’re good, or just add new configuration files and keep everything nice and tidy.</p> -<p>All you have to do now is restart (or enable and start if you haven’t already) the nginx service (and optionally test the configuration):</p> +<p>This is so the <code>nginx.conf</code> file can look up the newly created server configuration. With this method of having each server configuration file separate you can easily “deactivate” any website by just deleting the symbolic link in <code>sites-enabled</code> and you’re good, or just add new configuration files and keep everything nice and tidy.</p> +<p>All you have to do now is restart (or enable and start if you haven’t already) the Nginx service (and optionally test the configuration):</p> <pre><code class="language-sh">nginx -t systemctl restart nginx </code></pre> -<p>If everything goes correctly, you can now go to your website by typing “domain.name” on a web browser. But you will see a “404 Not Found” page like the following (maybe with different nginx version):</p> -<p><img alt="Nginx 404 page" src="images/b/notes/nginx/nginx_404_page.png"></p> -<p>That’s no problem, because it means that the web server it’s actually working. Just add an <code>index.html</code> file with something simple to see it in action. If you keep seeing the 404 page make sure your <code>root</code> line is correct and that the directory/index file exists.</p> +<p>If everything goes correctly, you can now go to your website by typing <code>domain.name</code> on a web browser. But you will see a “404 Not Found” page like the following (maybe with different Nginx version):</p> +<figure id="__yafg-figure-2"> +<img alt="Nginx 404 Not Found page" src="images/b/notes/nginx/nginx_404_page.png" title="Nginx 404 Not Found page"> +<figcaption>Nginx 404 Not Found page</figcaption> +</figure> +<p>That’s no problem, because it means that the web server it’s actually working. Just add an <code>index.html</code> file with something simple to see it in action (in the <code>/var/www/some_folder</code> that you decided upon). If you keep seeing the 404 page make sure your <code>root</code> line is correct and that the directory/index file exists.</p> <p>I like to remove the <code>.html</code> and trailing <code>/</code> on the URLs of my website, for that you need to add the following <code>rewrite</code> lines and modify the <code>try_files</code> line (for more: <a href="https://www.seancdavis.com/blog/remove-html-extension-and-trailing-slash-in-nginx-config/">Sean C. Davis: Remove HTML Extension And Trailing Slash In Nginx Config</a>):</p> <pre><code class="language-nginx">server { ... @@ -666,20 +678,19 @@ systemctl restart nginx try_files $uri/index.html $uri.html $uri/ $uri =404; ... </code></pre> -<p>For more: <a href="https://wiki.archlinux.org/index.php/nginx">Arch Linux Wiki: nginx</a>.</p> <h2 id="certbot">Certbot</h2> -<p>The only “bad” (bloated) thing about certbot, is that it uses <code>python</code>, but for me it doesn’t matter too much. You may want to look up another alternative if you prefer. Install the packages <code>certbot</code> and <code>certbot-nginx</code>:</p> +<p><a href="https://wiki.archlinux.org/title/Certbot">Certbot</a> is what provides the SSL certificates via <a href="https://letsencrypt.org/">Let’s Encrypt</a>.</p> +<p>The only “bad” (bloated) thing about Certbot, is that it uses <code>python</code>, but for me it doesn’t matter too much. You may want to look up another alternative if you prefer. Install the packages <code>certbot</code> and <code>certbot-nginx</code>:</p> <pre><code class="language-sh">pacman -S certbot certbot-nginx </code></pre> <p>After that, all you have to do now is run <code>certbot</code> and follow the instructions given by the tool:</p> <pre><code class="language-sh">certbot --nginx </code></pre> -<p>It will ask you for some information, for you to accept some agreements and the names to activate https for. Also, you will want to “say yes” to the redirection from http to https. And that’s it, you can now go to your website and see that you have https active.</p> +<p>It will ask you for some information, for you to accept some agreements and the names to activate HTTPS for. Also, you will want to “say yes” to the redirection from HTTP to HTTPS. And that’s it, you can now go to your website and see that you have HTTPS active.</p> <p>Now, the certificate given by <code>certbot</code> expires every 3 months or something like that, so you want to renew this certificate every once in a while. Using <code>cron</code>, you can do this by running:</p> <pre><code class="language-sh">crontab -e </code></pre> -<p>And a file will be opened where you need to add a new rule for certbot, just append the line: <code>1 1 1 * * certbot renew</code> (renew on the first day of every month) and you’re good. Alternatively use <code>systemd</code> timers as stated in the <a href="https://wiki.archlinux.org/index.php/Certbot#Automatic_renewal">Arch Linux Wiki</a>.</p> -<p>For more: <a href="https://wiki.archlinux.org/index.php/Certbot">Arch Linux Wiki: Certbot</a>.</p> +<p>And a file will be opened where you need to add a new rule for Certbot, just append the line: <code>1 1 1 * * certbot renew</code> (renew on the first day of every month) and you’re good. Alternatively use <code>systemd</code> timers as stated in the <a href="https://wiki.archlinux.org/title/Certbot#Automatic_renewal">Arch Linux Wiki</a>.</p> <p>That’s it, you now have a website with SSL certificate.</p>]]></content:encoded> </item> <item> diff --git a/blog/dst/sitemap.xml b/blog/dst/sitemap.xml index bf22510..40b3af4 100644 --- a/blog/dst/sitemap.xml +++ b/blog/dst/sitemap.xml @@ -22,19 +22,19 @@ </url> <url> <loc>https://blog.luevano.xyz/a/git_server_with_cgit.html</loc> - <lastmod>2021-06-04</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>weekly</changefreq> <priority>1.0</priority> </url> <url> <loc>https://blog.luevano.xyz/a/mail_server_with_postfix.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>weekly</changefreq> <priority>1.0</priority> </url> <url> <loc>https://blog.luevano.xyz/a/website_with_nginx.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>weekly</changefreq> <priority>1.0</priority> </url> @@ -53,43 +53,43 @@ <url> <loc>https://blog.luevano.xyz/tag/@english.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> <url> <loc>https://blog.luevano.xyz/tag/@server.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> <url> <loc>https://blog.luevano.xyz/tag/@short.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> <url> <loc>https://blog.luevano.xyz/tag/@spanish.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> <url> <loc>https://blog.luevano.xyz/tag/@tools.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> <url> <loc>https://blog.luevano.xyz/tag/@tutorial.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> <url> <loc>https://blog.luevano.xyz/tag/@update.html</loc> - <lastmod>2021-06-06</lastmod> + <lastmod>2021-06-08</lastmod> <changefreq>daily</changefreq> <priority>0.5</priority> </url> diff --git a/blog/src/.files b/blog/src/.files index b15023b..cc15f1c 100644 --- a/blog/src/.files +++ b/blog/src/.files @@ -1,11 +1,11 @@ -a/website_with_nginx.md 1616122695.085315 1622938985.447357 english,server,tools,tutorial -a/git_server_with_cgit.md 1616353229.8983006 1622793595.4845119 english,server,tools,tutorial +a/website_with_nginx.md 1616122695.085315 1623132678.0349047 english,server,tools,tutorial +a/git_server_with_cgit.md 1616353229.8983006 1623135227.874393 english,server,tools,tutorial a/el_blog_ya_tiene_timestamps.md 1615862784.9032707 1621284818.4731243 short,spanish,tools,update a/shell_scripting_video_notes.md 1615701454.6499224 1622793622.0414143 english,notes a/sql_video_notes.md 1614695711.6048582 1622950879.0081563 english,notes a/first_blog_post.md 1614431313.2090824 1621284833.6700118 english,short,tools,update a/linux_video_notes.md 1615701443.6397786 1622793573.704325 english,notes -a/mail_server_with_postfix.md 1616299559.6570284 1622939041.148257 english,server,tools,tutorial +a/mail_server_with_postfix.md 1616299559.6570284 1623133655.6586692 english,server,tools,tutorial a/new_blogging_system.md 1622172099.117893 1622173322.4337702 english,short,tools,update a/asi_nomas_esta_quedando.md 1622795043.0874712 0.0 short,spanish,update a/acomodada_la_pagina_de_arte.md 1623006369.6071973 1623006525.2665823 short,spanish,update diff --git a/blog/src/a/git_server_with_cgit.md b/blog/src/a/git_server_with_cgit.md index da6464a..9d7ab44 100644 --- a/blog/src/a/git_server_with_cgit.md +++ b/blog/src/a/git_server_with_cgit.md @@ -13,16 +13,14 @@ Note that this is mostly for personal use, so there's no user/authentication con ## Prerequisites -I might get tired of saying this (it's just copy paste, basically)... but similar as before (check my [website](https://blog.luevano.xyz/a/website_with_nginx.html) and [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) entries): +I might get tired of saying this (it's just copy paste, basically)... but you will need the same prerequisites as before (check my [website](https://blog.luevano.xyz/a/website_with_nginx.html) and [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) entries), with the extras: -* (This time, optional) A domain name if you want to have a "front end" to show your repositories. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). - * With a **CNAME** for "git" and (optionally) "www.git", or some other name for your sub-domains. -* A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). - * `ssh` configured. - * (Optionally, if doing the domain name thingy) With `nginx` and `certbot` setup and running. - * Of course, `git` already installed (it should be a must have always). +* (Optional, if you want a "front-end") A **CNAME** for "git" and (optionally) "www.git", or some other name for your sub-domains. +* An SSL certificate, if you're following the other entries, add a `git.conf` and run `certbot --nginx` to extend the certificate. -## git server +## Git + +[Git](https://wiki.archlinux.org/title/git) is a version control system. If not installed already, install the `git` package: @@ -74,20 +72,22 @@ systemctl start git-daemon.socket systemctl enable git-daemon.socket ``` -You're basically done. Now you should be able to push/pull repositories to your server... except, you haven't created any repository in your server, that's right, they're not created automatically when trying to push. To do so, you have to do the following sequence (assuming you're "`cd`'ed" into the `/home/git` directory): +You're basically done. Now you should be able to push/pull repositories to your server... except, you haven't created any repository in your server, that's right, they're not created automatically when trying to push. To do so, you have to run (while inside `/home/git`): ```sh -mkdir {repo_name}.git -cd {repo_name}.git +git init --bare {repo_name}.git +chown -R git:git repo_name.git ``` Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame... although there are options to "automate" this, I like it this way). -After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.), which is detailed [here](https://gist.github.com/rvl/c3f156e117e22a25f242). +After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.); to do so, check [this gist](https://gist.github.com/rvl/c3f156e117e22a25f242). + +## Cgit -## cgit +[Cgit](https://wiki.archlinux.org/title/Cgit) is a fast web interface for git. -This bit is optional if you only wanted a git server (really easy to set up), this is so you can have a web application. This is basically a copy paste of [Arch Linux Wiki: Cgit](https://wiki.archlinux.org/index.php/Cgit#Nginx) so you can go there and get more in-depth configurations. +This is optionally since it's only for the web application. Install the `cgit` and `fcgiwrap` packages: @@ -102,7 +102,7 @@ systemctl start fcgiwrap.socket systemctl enable fcgiwrap.socket ``` -Next, the way I configure `nginx` is creating a separate file `{module}.conf` (`git.conf` in this case) under `/etc/nginx/sites-available` and create a symlink to `/etc/nginx/sites-enabled` as stated in my [`nginx` setup entry](https://blog.luevano.xyz/a/website_with_nginx.html). Add the following lines to your `git.conf` file: +Next, create the `git.conf` as stated in my [nginx setup entry](https://blog.luevano.xyz/a/website_with_nginx.html). Add the following lines to your `git.conf` file: ```nginx server { @@ -129,7 +129,6 @@ Now, all that's left is to configure `cgit`. Create the configuration file `/etc ```apache css=/cgit.css -source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh logo=/cgit.png enable-http-clone=1 @@ -155,6 +154,36 @@ repo.desc=These are my personal dotfiles. ... ``` -Otherwise you could let `cgit` to automatically detect your repositories (you have to be careful if you want to keep "private" repos) using the option `scan-path` and setup `.git/description` for each repository. I will add more to my actual configuration, but for now it is useful as it is. For more, you can check [cgitrc(5)](https://man.archlinux.org/man/cgitrc.5). +Otherwise you could let `cgit` to automatically detect your repositories (you have to be careful if you want to keep "private" repos) using the option `scan-path` and setup `.git/description` for each repository. For more, you can check [cgitrc(5)](https://man.archlinux.org/man/cgitrc.5). + +By default you can't see the files on the site, you need a highlighter to render the files, I use `highlight`. Install the `highlight` package: + +```sh +pacman -S highlight +``` + +Copy the `syntax-highlighting.sh` script to the corresponding location (basically adding `-edited` to the file): + +```sh +cp /usr/lib/cgit/filters/syntax-highlighting.sh /usr/lib/cgit/filters/syntax-highlighting-edited.sh +``` + +And edit it to use the version 3 and add `--inline-css` for more options without editing `cgit`'s CSS file: + +```sh +... +# This is for version 2 +# exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null + +# This is for version 3 +exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null +... +``` + +Finally, enable the filter in `/etc/cgitrc` configuration: + +```apache +source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh +``` -Finally, if you want further support for highlighting, other compressed snapshots or support for markdown, checkout the optional dependencies for `cgit` and also the Arch Wiki goes in detail on how to setup highlighting with two different packages. +That would be everything. If you need support for more stuff like compressed snapshots or support for markdown, check the optional dependencies for `cgit`. diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md index b65cf54..e254416 100644 --- a/blog/src/a/mail_server_with_postfix.md +++ b/blog/src/a/mail_server_with_postfix.md @@ -9,25 +9,19 @@ tags: server The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted [here](https://git.luevano.xyz/server_scripts.git). -This configuration works for local users (users that appear in `/etc/passwd`), and does not use any type of SQL. And note that most if not all commands executed here are run with root privileges. - -More in depth configuration is detailed in the Arch Wiki for each package used here. +This configuration works for local users (users that appear in `/etc/passwd`), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges. ## Prerequisites -Basically the same as with the [website with Nginx and Certbot](https://blog.luevano.xyz/a/website_with_nginx.html): +Basically the same as with the [website with Nginx and Certbot](https://blog.luevano.xyz/a/website_with_nginx.html), with the extras: -* A domain name. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). - * Later we'll be adding some **MX** and **TXT** records. - * You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`) with `certbot` (just create a `mail.conf` for `nginx`, similar to how we created it in the website entry). -* A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). - * `ssh` configured. - * Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use `ufw`). - * With `nginx` and `certbot` setup and running. +- You will need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police). +- An SSL certificate. You can use the SSL certificate obtained following my last post using `certbot` (just create a `mail.conf` and run `certbot --nginx` again). +- Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall. ## Postfix -[Postfix](https://wiki.archlinux.org/index.php/Postfix) is a "mail transfer agent" which is the component of the mail server that receives and sends emails via SMTP. +[Postfix](https://wiki.archlinux.org/title/postfix) is a "mail transfer agent" which is the component of the mail server that receives and sends emails via SMTP. Install the `postfix` package: @@ -76,7 +70,7 @@ smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous ``` -Specify the mailbox home (this is going to be a directory inside your user's home): +Specify the mailbox home (this is going to be a directory inside your user's home containing the actual mail files): ```apache home_mailbox = Mail/Inbox/ @@ -141,7 +135,7 @@ smtps 465/tcp smtps 465/udp ``` -Before starting the `postfix` service, you need to run `newaliases` first (but you can do a bit of configuration beforehand). Edit the file `/etc/postfix/aliases` and edit accordingly. I only change the `root: you` line (where `you` is the account that will be receiving "root" mail). Check the Arch Wiki for more info and other alternatives/options. After you're done, run: +Before starting the `postfix` service, you need to run `newaliases` first, but you can do a bit of configuration beforehand editing the file `/etc/postfix/aliases`. I only change the `root: you` line (where `you` is the account that will be receiving "root" mail). After you're done, run: ```sh postalias /etc/postfix/aliases @@ -157,7 +151,7 @@ systemctl enable postfix.service ## Dovecot -[Dovecot](https://wiki.archlinux.org/index.php/Dovecot) is an IMAP and POP3 server, which is what lets an email application retrieve the mail. +[Dovecot](https://wiki.archlinux.org/title/Dovecot) is an IMAP and POP3 server, which is what lets an email application retrieve the mail. Install the `dovecot` and `pigeonhole` (sieve for `dovecot`) packages: @@ -173,9 +167,9 @@ cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot ``` -As Luke stated, `dovecot` comes with a lot of "modules" (under `/etc/dovecot/conf.d/` if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edits/creates the whole `dovecot.conf` file; although, I would like to check each of the separate configuration files `dovecot` provides I think the options Luke provides are more than good enough. +As Luke stated, `dovecot` comes with a lot of "modules" (under `/etc/dovecot/conf.d/` if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole `dovecot.conf` file; although, I would like to check each of the separate configuration files `dovecot` provides I think the options Luke provides are more than good enough. -I'm working with an empty `dovecot.conf` file. Add the following lines for SSL and login configuration (also replace `{yourcertdir}` with the same certificate directory described in the Postfix section above, note that the `<` is required): +I'm working with an empty `dovecot.conf` file. Add the following lines for SSL and login configuration (also replace `{yourcertdir}` with the same certificate directory described in the [Postfix](#postfix) section above, note that the `<` is required): ```apache ssl = required @@ -254,7 +248,7 @@ service auth { } ``` -Lastly (for `dovecot` at least), the plugin configuration for `sieve` (`pigeonhole`): +Lastly (for Dovecot at least), the plugin configuration for `sieve` (`pigeonhole`): ```apache protocol lda { @@ -294,13 +288,13 @@ grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin chown -R vmail:vmail /var/lib/dovecot ``` -Note that I also changed the shell for `vmail` to be `/usr/bin/nologin`. After that, run: +Note that I also changed the shell for `vmail` to be `/usr/bin/nologin`. After that, to compile the configuration file run: ```sh sievec /var/lib/dovecot/sieve/default.sieve ``` -To compile the configuration file (a `default.svbin` file will be created next to `default.sieve`). +A `default.svbin` file will be created next to `default.sieve`. Next, add the following lines to `/etc/pam.d/dovecot` if not already present (shouldn't be there if you've been following these notes): @@ -309,7 +303,7 @@ auth required pam_unix.so nullok account required pam_unix.so ``` -That's it for `dovecot`, at this point you can start/enable the `dovecot` service: +That's it for Dovecot, at this point you can start/enable the `dovecot` service: ```sh systemctl start dovecot.service @@ -318,7 +312,7 @@ systemctl enable dovecot.service ## OpenDKIM -[OpenDKIM](https://wiki.archlinux.org/index.php/OpenDKIM) is needed so services like G\*\*gle (we don't mention that name here \[\[\[this is a meme\]\]\]) don't throw the mail to the trash. DKIM stands for "DomainKeys Identified Mail". +[OpenDKIM](https://wiki.archlinux.org/title/OpenDKIM) is needed so services like G\*\*gle (we don't mention that name here \[\[\[this is a meme\]\]\]) don't throw the mail to the trash. DKIM stands for "DomainKeys Identified Mail". Install the `opendkim` package: @@ -370,7 +364,7 @@ localhost And more, make sure to include your server IP and something like `subdomain.domainname`. -Next, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents: +Next, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, addition) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents: ```apache Domain {yourdomain} @@ -392,7 +386,7 @@ chmod g+r /etc/postfix/dkim/* I'm using `root:opendkim` so `opendkim` doesn't complain about the `{yoursubdomani}.private` being insecure (you can change that by using the option `RequireSafeKeys False` in the `opendkim.conf` file, as stated [here](http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html)). -That's it for the general configuration, but you could go more in depth and be more secure with some extra configuration as described in the [Arch Wiki entry for OpenDKIM](https://wiki.archlinux.org/index.php/OpenDKIM#Security). +That's it for the general configuration, but you could go more in depth and be more secure with some extra configuration. Now, just start/enable the `opendkim` service: @@ -417,11 +411,11 @@ In the TXT record you will place `{yoursubdomain}._domainkey` as the "Host" and 3. *SPF* entry: just `@` as the "Host" and `"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"` as the "TXT Value". -And at this point you could test your mail for spoofing and more, but you don't know -yet- how to login (it's really easy, but I'm gonna state that at the end of this entry). +And at this point you could test your mail for spoofing and more. ## SpamAssassin -[SpamAssassin](https://wiki.archlinux.org/index.php/SpamAssassin) is just *a mail filter to identify spam*. +[SpamAssassin](https://wiki.archlinux.org/title/SpamAssassin) is just *a mail filter to identify spam*. Install the `spamassassin` package (which will install a bunch of ugly `perl` packages...): @@ -500,7 +494,7 @@ systemctl enable spamassassin.service ## Wrapping up -We should have a working mail server by now. Before continuing check your journal logs (`journalctl -xe --unit={unit}`, where `{unit}` could be `spamassassin.service`for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked *(((it just werks on my machine)))*. +We should have a working mail server by now. Before continuing check your journal logs (`journalctl -xe --unit={unit}`, where `{unit}` could be `spamassassin.service` for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked *(((it just werks on my machine)))*. Now, to actually use the mail service: first of all, you need a *normal* account (don't use root) that belongs to the `mail` group (`gpasswd -a user group` to add a user `user` to group `group`) and that has a password. @@ -518,8 +512,6 @@ Next, to actually login into a mail app/program/whateveryouwanttocallit, you wil All that's left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to [DKIM Test](https://www.appmaildev.com/en/dkim) and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like: - - -(Yes, I blurred a lot in the picture just to be sure, either way what's important is the list on the bottom part of the image) + -Finally, that's actually it for this entry, if you have any problem whatsoever you have my info down below. +Finally, that's actually it for this entry, if you have any problem whatsoever you can [contact me](https://luevano.xyz/contact.html). diff --git a/blog/src/a/website_with_nginx.md b/blog/src/a/website_with_nginx.md index 95c90c1..09a7781 100644 --- a/blog/src/a/website_with_nginx.md +++ b/blog/src/a/website_with_nginx.md @@ -15,15 +15,17 @@ As a side note, (((i use arch btw))) so everything here es aimed at an Arch Linu You will need two things: -* A domain name (duh!). I got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). - * With the corresponding **A** and **AAA** records pointing to the VPS' IPs ("A" record points to the ipv4 address and "AAA" to the ipv6, basically). I have three records for each type: empty one, "www" and "\*" for a wildcard, that way "domain.name", "www.domain.name", "anythingelse.domain.name" point to the same VPS (meaning that you can have several VPS for different sub-domains). -* A VPS or somewhere else to host it. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). - * With `ssh` already configured both on the local machine and on the remote machine. - * Firewall already configured to allow ports 80 (HTTP) and 443 (HTTPS). I use `ufw` so it's just a matter of doing `ufw allow 80,443/tcp` as root and you're golden. - * `cron` installed if you follow along (you could use `systemd` timers, or some other method you prefer to automate running commands every X time). +- A domain name (duh!). I got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). + - With the corresponding **A** and **AAA** records pointing to the VPS' IPs ("A" record points to the ipv4 address and "AAA" to the ipv6, basically). I have three records for each type: empty one, "www" and "\*" for a wildcard, that way "domain.name", "www.domain.name", "anythingelse.domain.name" point to the same VPS (meaning that you can have several VPS for different sub-domains). +- A VPS or somewhere else to host it. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). + - With `ssh` already configured both on the local machine and on the remote machine. + - Firewall already configured to allow ports 80 (HTTP) and 443 (HTTPS). I use `ufw` so it's just a matter of doing `ufw allow 80,443/tcp` as root and you're golden. + - `cron` installed if you follow along (you could use `systemd` timers, or some other method you prefer to automate running commands every X time). ## Nginx +[Nginx](https://wiki.archlinux.org/title/Nginx) is a web (HTTP) server and reverse proxy server. + You have two options: `nginx` and `nginx-mainline`. I prefer `nginx-mainline` because it's the "up to date" package even though `nginx` is labeled to be the "stable" version. Install the package and enable/start the service: ```sh @@ -32,11 +34,11 @@ systemctl enable nginx.service systemctl start nginx.service ``` -And that's it, at this point you can already look at the default initial page of nginx if you enter the ip of your server in a web browser. You should see something like this: +And that's it, at this point you can already look at the default initial page of Nginx if you enter the IP of your server in a web browser. You should see something like this: - + -As stated in the welcome page, configuration is needed, head to the directory of nginx: +As stated in the welcome page, configuration is needed, head to the directory of Nginx: ```sh cd /etc/nginx @@ -66,7 +68,7 @@ http { } ``` -Next, inside the directory `/etc/nginx/` create the `sites-available` and `sites-enabled`, and go into the `sites-available` one: +Next, inside the directory `/etc/nginx/` create the `sites-available` and `sites-enabled` directories, and go into the `sites-available` one: ```sh mkdir sites-available @@ -91,35 +93,37 @@ server { } ``` -Note several things: +That could serve as a template if you intend to add more domains. + +Note some things: -* `listen`: we're telling nginx which port to listen to (ipv4 and ipv6, respectively). +* `listen`: we're telling Nginx which port to listen to (IPv4 and IPv6, respectively). * `root`: the root directory of where the website files (`.html`, `.css`, `.js`, etc. files) are located. I followed Luke's directory path `/var/www/some_folder`. -* `server_name`: the actual domain to "listen" to (for my website it is: `server_name luevano.xyz www.luevano.xyz`; and for this blog is: `server_name blog.luevano.xyz www.blog.luevano.xyz`). +* `server_name`: the actual domain to "listen" to (for my website it is: `server_name luevano.xyz www.luevano.xyz;` and for this blog is: `server_name blog.luevano.xyz www.blog.luevano.xyz;`). * `index`: what file to serve as the index (could be any `.html`, `.htm`, `.php`, etc. file) when just entering the website. -* `location`: used in case of different configurations across different URL paths. - * `try_files`: tells what files to look for, don't look into this too much for now. +* `location`: what goes after `domain.name`, used in case of different configurations depending on the URL paths (deny access on `/private`, make a proxy on `/proxy`, etc). + * `try_files`: tells what files to look for. -Then, make a symbolic from this config file to the `sites-enabled` directory: +Then, make a symbolic link from this configuration file to the `sites-enabled` directory: ```sh ln -s /etc/nginx/sites-available/your_config_file.conf /etc/nginx/sites-enabled ``` -This is so the `nginx.conf` file can look up the newly created server config. With this method of having each server configuration file separate you can easily "deactivate" any website by just deleting the symbolic link in `sites-enabled` and you're good, or just add new configuration files and keep everything nice and tidy. +This is so the `nginx.conf` file can look up the newly created server configuration. With this method of having each server configuration file separate you can easily "deactivate" any website by just deleting the symbolic link in `sites-enabled` and you're good, or just add new configuration files and keep everything nice and tidy. -All you have to do now is restart (or enable and start if you haven't already) the nginx service (and optionally test the configuration): +All you have to do now is restart (or enable and start if you haven't already) the Nginx service (and optionally test the configuration): ```sh nginx -t systemctl restart nginx ``` -If everything goes correctly, you can now go to your website by typing "domain.name" on a web browser. But you will see a "404 Not Found" page like the following (maybe with different nginx version): +If everything goes correctly, you can now go to your website by typing `domain.name` on a web browser. But you will see a "404 Not Found" page like the following (maybe with different Nginx version): - + -That's no problem, because it means that the web server it's actually working. Just add an `index.html` file with something simple to see it in action. If you keep seeing the 404 page make sure your `root` line is correct and that the directory/index file exists. +That's no problem, because it means that the web server it's actually working. Just add an `index.html` file with something simple to see it in action (in the `/var/www/some_folder` that you decided upon). If you keep seeing the 404 page make sure your `root` line is correct and that the directory/index file exists. I like to remove the `.html` and trailing `/` on the URLs of my website, for that you need to add the following `rewrite` lines and modify the `try_files` line (for more: [Sean C. Davis: Remove HTML Extension And Trailing Slash In Nginx Config](https://www.seancdavis.com/blog/remove-html-extension-and-trailing-slash-in-nginx-config/)): @@ -133,11 +137,11 @@ server { ... ``` -For more: [Arch Linux Wiki: nginx](https://wiki.archlinux.org/index.php/nginx). - ## Certbot -The only "bad" (bloated) thing about certbot, is that it uses `python`, but for me it doesn't matter too much. You may want to look up another alternative if you prefer. Install the packages `certbot` and `certbot-nginx`: +[Certbot](https://wiki.archlinux.org/title/Certbot) is what provides the SSL certificates via [Let's Encrypt](https://letsencrypt.org/). + +The only "bad" (bloated) thing about Certbot, is that it uses `python`, but for me it doesn't matter too much. You may want to look up another alternative if you prefer. Install the packages `certbot` and `certbot-nginx`: ```sh pacman -S certbot certbot-nginx @@ -149,7 +153,7 @@ After that, all you have to do now is run `certbot` and follow the instructions certbot --nginx ``` -It will ask you for some information, for you to accept some agreements and the names to activate https for. Also, you will want to "say yes" to the redirection from http to https. And that's it, you can now go to your website and see that you have https active. +It will ask you for some information, for you to accept some agreements and the names to activate HTTPS for. Also, you will want to "say yes" to the redirection from HTTP to HTTPS. And that's it, you can now go to your website and see that you have HTTPS active. Now, the certificate given by `certbot` expires every 3 months or something like that, so you want to renew this certificate every once in a while. Using `cron`, you can do this by running: @@ -157,8 +161,6 @@ Now, the certificate given by `certbot` expires every 3 months or something like crontab -e ``` -And a file will be opened where you need to add a new rule for certbot, just append the line: `1 1 1 * * certbot renew` (renew on the first day of every month) and you're good. Alternatively use `systemd` timers as stated in the [Arch Linux Wiki](https://wiki.archlinux.org/index.php/Certbot#Automatic_renewal). - -For more: [Arch Linux Wiki: Certbot](https://wiki.archlinux.org/index.php/Certbot). +And a file will be opened where you need to add a new rule for Certbot, just append the line: `1 1 1 * * certbot renew` (renew on the first day of every month) and you're good. Alternatively use `systemd` timers as stated in the [Arch Linux Wiki](https://wiki.archlinux.org/title/Certbot#Automatic_renewal). That's it, you now have a website with SSL certificate. diff --git a/blog/xmpp_server_with_prosody.md b/blog/xmpp_server_with_prosody.md new file mode 100644 index 0000000..60f459b --- /dev/null +++ b/blog/xmpp_server_with_prosody.md @@ -0,0 +1,189 @@ +title: Create an XMPP server with Prosody compatible with Conversations and Movim +author: David Luévano +lang: en +summary: How to create an XMPP server using Prosody on a server running Nginx. This server will be compatible with at least Conversations and Movim. +tags: server + tools + tutorial + english + +My git server is all I need to setup to actually *kill* my other server (I've been moving from servers on these last 2-3 blog entries), that's why I'm already doing this entry. I'm basically following [git's guide on setting up a server](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server) plus some specific stuff for (btw i use) Arch Linux ([Arch Linux Wiki: Git server](https://wiki.archlinux.org/index.php/Git_server#Web_interfaces) and [Step by step guide on setting up git server in arch linux (pushable)](https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/)). + +Note that this is mostly for personal use, so there's no user/authentication control other than that of SSH. Also, most if not all commands here are run as root. + +## Prerequisites + +I might get tired of saying this (it's just copy paste, basically)... but you will need the same prerequisites as before (check my [website](https://blog.luevano.xyz/a/website_with_nginx.html) and [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) entries), with the extras: + +* (Optional, if you want a "front-end") A **CNAME** for "git" and (optionally) "www.git", or some other name for your sub-domains. +* An SSL certificate, if you're following the other entries, add a `git.conf` and run `certbot --nginx` to extend the certificate. + +## Git + +[Git](https://wiki.archlinux.org/title/git) is a version control system. + +If not installed already, install the `git` package: + +```sh +pacman -S git +``` + +On Arch Linux, when you install the `git` package, a `git` user is automatically created, so all you have to do is decide where you want to store the repositories, for me, I like them to be on `/home/git` like if `git` was a "normal" user. So, create the `git` folder (with corresponding permissions) under `/home` and set the `git` user's home to `/home/git`: + +```sh +mkdir /home/git +chown git:git /home/git +usermod -d /home/git git +``` + +Also, the `git` user is "expired" by default and will be locked (needs a password), change that with: + +```sh +chage -E -1 git +passwd git +``` + +Give it a strong one and remember to use `PasswordAuthentication no` for `ssh` (as you should). Create the `.ssh/authorized_keys` for the `git` user and set the permissions accordingly: + +```sh +mkdir /home/git/.ssh +chmod 700 /home/git/.ssh +touch /home/git/.ssh/authorized_keys +chmod 600 /home/git/.ssh/authorized_keys +chown -R git:git /home/git +``` + +Now is a good idea to copy over your local SSH public keys to this file, to be able to push/pull to the repositories. Do it by either manually copying it or using `ssh`'s built in `ssh-copy-id` (for that you may want to check your `ssh` configuration in case you don't let people access your server with user/password). + +Next, and almost finally, we need to edit the `git-daemon` service, located at `/usr/lib/systemd/system/` (called `git-daemon@.service`): + +```ini +... +ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/git --enable=receive-pack +... +``` + +I just appended `--enable=receive-pack` and note that I also changed the `--base-path` to reflect where I want to serve my repositories from (has to match what you set when changing `git` user's home). + +Now, go ahead and start and enable the `git-daemon` socket: + +```sh +systemctl start git-daemon.socket +systemctl enable git-daemon.socket +``` + +You're basically done. Now you should be able to push/pull repositories to your server... except, you haven't created any repository in your server, that's right, they're not created automatically when trying to push. To do so, you have to run (while inside `/home/git`): + +```sh +git init --bare {repo_name}.git +chown -R git:git repo_name.git +``` + +Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame... although there are options to "automate" this, I like it this way). + +After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.); to do so, check [this gist](https://gist.github.com/rvl/c3f156e117e22a25f242). + +## Cgit + +[Cgit](https://wiki.archlinux.org/title/Cgit) is a fast web interface for git. + +This is optionally since it's only for the web application. + +Install the `cgit` and `fcgiwrap` packages: + +```sh +pacman -S cgit fcgiwrap +``` + +Now, just start and enable the `fcgiwrap` socket: + +```sh +systemctl start fcgiwrap.socket +systemctl enable fcgiwrap.socket +``` + +Next, create the `git.conf` as stated in my [nginx setup entry](https://blog.luevano.xyz/a/website_with_nginx.html). Add the following lines to your `git.conf` file: + +```nginx +server { + listen 80; + listen [::]:80; + root /usr/share/webapps/cgit; + server_name {yoursubdomain}.{yourdomain}; + try_files $uri @cgit; + + location @cgit { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:/run/fcgiwrap.sock; + } +} +``` + +Where the `server_name` line depends on you, I have mine setup to `git.luevano.xyz` and `www.git.luevano.xyz`. Optionally run `certbot --nginx` to get a certificate for those domains if you don't have already. + +Now, all that's left is to configure `cgit`. Create the configuration file `/etc/cgitrc` with the following content (my personal options, pretty much the default): + +```apache +css=/cgit.css +logo=/cgit.png + +enable-http-clone=1 +# robots=noindex, nofollow +virtual-root=/ + +repo.url={url} +repo.path={dir_path} +repo.owner={owner} +repo.desc={short_description} + +... +``` + +Where you can uncomment the `robots` line to let web crawlers (like Google's) to index your `git` web app. And at the end keep all your repositories (the ones you want to make public), for example for my [*dotfiles*](https://git.luevano.xyz/.dots) I have: + +```apache +... +repo.url=.dots +repo.path=/home/git/.dots.git +repo.owner=luevano +repo.desc=These are my personal dotfiles. +... +``` + +Otherwise you could let `cgit` to automatically detect your repositories (you have to be careful if you want to keep "private" repos) using the option `scan-path` and setup `.git/description` for each repository. For more, you can check [cgitrc(5)](https://man.archlinux.org/man/cgitrc.5). + +By default you can't see the files on the site, you need a highlighter to render the files, I use `highlight`. Install the `highlight` package: + +```sh +pacman -S highlight +``` + +Copy the `syntax-highlighting.sh` script to the corresponding location (basically adding `-edited` to the file): + +```sh +cp /usr/lib/cgit/filters/syntax-highlighting.sh /usr/lib/cgit/filters/syntax-highlighting-edited.sh +``` + +And edit it to use the version 3 and add `--inline-css` for more options without editing `cgit`'s CSS file: + +```sh +... +# This is for version 2 +# exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null + +# This is for version 3 +exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null +... +``` + +Finally, enable the filter in `/etc/cgitrc` configuration: + +```apache +source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh +``` + +That would be everything. If you need support for more stuff like compressed snapshots or support for markdown, check the optional dependencies for `cgit`. |