Add git server entry

author: David Luevano Alvarado <david@luevano.xyz> 2021-03-20 23:00:47 -0700
committer: David Luevano Alvarado <david@luevano.xyz> 2021-03-20 23:00:47 -0700
commit: 1d3d721229e060c70ee28848d8b8d227e764990a (patch)
tree: 1bf1761400bc6edbe6e6a9cf64718b7da2620a5d /blog
parent: e331c60377e62f158bdcdedfc7a0664104cd8e03 (diff)
5 files changed, 210 insertions, 57 deletions
diff --git a/blog/dst/a/mail_server_with_postfix.html b/blog/dst/a/mail_server_with_postfix.html
index eafb6bf..2d5c178 100644
--- a/blog/dst/a/mail_server_with_postfix.html
+++ b/blog/dst/a/mail_server_with_postfix.html
@@ -61,7 +61,7 @@
       </ul>
       </nav>
     </header>
-<h1>Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</h1>
+<h1>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</h1>
 
 <p>The entry is going to be long because it's a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith's script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p>
 
@@ -106,7 +106,7 @@
 
 <p>Certificates and ciphers to use for authentication and security:</p>
 
-<pre><code class="language-conf">smtpd_tls_key_file = {yourcertdir}/privkey.pem
+<pre><code class="language-apache">smtpd_tls_key_file = {yourcertdir}/privkey.pem
 smtpd_tls_cert_file = {yourcertdir}/fullchain.pem
 smtpd_use_tls = yes
 smtpd_tls_auth_only = yes
@@ -130,7 +130,7 @@ smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_u
 
 <p>Also, for the <em>connection</em> with <code>dovecot</code>, append the next few lines (telling postfix that <code>dovecot</code> will use user/password for authentication):</p>
 
-<pre><code class="language-conf">smtpd_sasl_auth_enable = yes
+<pre><code class="language-apache">smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_security_options = noanonymous, noplaintext
@@ -139,12 +139,12 @@ smtpd_sasl_tls_security_options = noanonymous
 
 <p>Specify the mailbox home (this is going to be a directory inside your user's home):</p>
 
-<pre><code class="language-conf">home_mailbox = Mail/Inbox/
+<pre><code class="language-apache">home_mailbox = Mail/Inbox/
 </code></pre>
 
 <p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p>
 
-<pre><code class="language-conf">myhostname = {yourdomainname}
+<pre><code class="language-apache">myhostname = {yourdomainname}
 mydomain = localdomain
 mydestination = $myhostname, localhost.$mydomain, localhost
 
@@ -159,12 +159,12 @@ mailbox_command = /usr/lib/dovecot/deliver
 
 <p>Lastly, if you don't want the sender's IP and user agent (application used to send the mail), add the following line:</p>
 
-<pre><code class="language-conf">smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
+<pre><code class="language-apache">smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
 </code></pre>
 
 <p>And create the <code>/etc/postfix/smtp_header_checks</code> file with the following content:</p>
 
-<pre><code class="language-conf">/^Received: .*/     IGNORE
+<pre><code class="language-coffee">/^Received: .*/     IGNORE
 /^User-Agent: .*/   IGNORE
 </code></pre>
 
@@ -174,7 +174,7 @@ mailbox_command = /usr/lib/dovecot/deliver
 
 <p>Lastly, append the following lines to complete postfix setup and pre-configure for <code>spamassassin</code>.</p>
 
-<pre><code class="language-conf">smtp unix - - n - - smtp
+<pre><code class="language-txt">smtp unix - - n - - smtp
 smtp inet n - y - - smtpd
     -o content_filter=spamassassin
 submission inet n - y - - smtpd
@@ -192,7 +192,7 @@ spamassassin unix - n n - - pipe
 
 <p>Now, I ran into some problems with postfix, one being <a href="https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/">smtps: Servname not supported for ai_socktype</a>, to fix it, as <em>Till</em> posted in that site, edit <code>/etc/services</code> and add:</p>
 
-<pre><code class="language-conf">smtps 465/tcp
+<pre><code class="language-apache">smtps 465/tcp
 smtps 465/udp
 </code></pre>
 
@@ -228,7 +228,7 @@ cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
 
 <p>I'm working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the Postfix section above, note that the <code>&#60;</code> is required):</p>
 
-<pre><code class="language-conf">ssl = required
+<pre><code class="language-apache">ssl = required
 ssl_cert = &#60;{yourcertdir}/fullchain.pem
 ssl_key = &#60;{yourcertdir}/privkey.pem
 ssl_min_protocol = TLSv1.2
@@ -248,7 +248,7 @@ protocols = $protocols imap
 
 <p>After that, the next lines define what a &#8220;valid user is&#8221; (really just sets the database for users and passwords to be the local users with their password):</p>
 
-<pre><code class="language-conf">userdb {
+<pre><code class="language-apache">userdb {
     driver = passwd
 }
 
@@ -259,7 +259,7 @@ passdb {
 
 <p>Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the <code>LAYOUT</code> option is important so the boxes are <code>.Sent</code> instead of <code>Sent</code>. Add the next lines (plus any you like):</p>
 
-<pre><code class="language-conf">mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+<pre><code class="language-apache">mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
 namespace inbox {
     inbox = yes
 
@@ -291,7 +291,7 @@ namespace inbox {
 
 <p>Also include this so Postfix can use Dovecot's authentication system:</p>
 
-<pre><code class="language-conf">service auth {
+<pre><code class="language-apache">service auth {
     unix_listener /var/spool/postfix/private/auth {
         mode = 0660
         user = postfix
@@ -302,7 +302,7 @@ namespace inbox {
 
 <p>Lastly (for <code>dovecot</code> at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p>
 
-<pre><code class="language-conf">protocol lda {
+<pre><code class="language-apache">protocol lda {
     mail_plugins = $mail_plugins sieve
 }
 
@@ -324,7 +324,7 @@ plugin {
 
 <p>And create the file <code>default.sieve</code> inside that just created folder with the content:</p>
 
-<pre><code class="language-conf">require ["fileinto", "mailbox"];
+<pre><code class="language-nginx">require ["fileinto", "mailbox"];
 if header :contains "X-Spam-Flag" "YES" {
     fileinto "Junk";
 }
@@ -345,7 +345,7 @@ chown -R vmail:vmail /var/lib/dovecot
 
 <p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn't be there if you've been following these notes):</p>
 
-<pre><code class="language-conf">auth required pam_unix.so nullok
+<pre><code class="language-txt">auth required pam_unix.so nullok
 account required pam_unix.so
 </code></pre>
 
@@ -371,27 +371,27 @@ systemctl enable dovecot.service
 
 <p>Where you need to change <code>{yourdomain}</code> and <code>{yoursubdomain}</code> (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's <code>luevano.xyz</code> and <code>mail</code>, respectively. After that, we need to create some files inside the <code>/etc/opendkim</code> directory. First, create the file <code>KeyTable</code> with the content:</p>
 
-<pre><code class="language-conf">{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
+<pre><code class="language-txt">{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
 </code></pre>
 
 <p>So, for me it would be:</p>
 
-<pre><code class="language-conf">mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
+<pre><code class="language-txt">mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
 </code></pre>
 
 <p>Next, create the file <code>SigningTable</code> with the content:</p>
 
-<pre><code class="language-conf">*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
+<pre><code class="language-txt">*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
 </code></pre>
 
 <p>Again, for me it would be:</p>
 
-<pre><code class="language-conf">*@luevano.xyz mail._domainkey.luevano.xyz
+<pre><code class="language-txt">*@luevano.xyz mail._domainkey.luevano.xyz
 </code></pre>
 
 <p>And, lastly create the file <code>TrustedHosts</code> with the content:</p>
 
-<pre><code class="language-conf">127.0.0.1
+<pre><code class="language-txt">127.0.0.1
 ::1
 10.1.0.0/16
 1.2.3.4/24
@@ -404,7 +404,7 @@ localhost
 
 <p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I'm creating a blank one with the contents:</p>
 
-<pre><code class="language-conf">Domain {yourdomain}
+<pre><code class="language-apache">Domain {yourdomain}
 Selector {yoursubdomain}
 
 Syslog Yes
@@ -416,7 +416,7 @@ Socket inet:8891@localhost
 
 <p>Now, change the permissions for all the files inside <code>/etc/opendkim</code>:</p>
 
-<pre><code class="language-conf">chown -R root:opendkim /etc/opendkim
+<pre><code class="language-sh">chown -R root:opendkim /etc/opendkim
 chmod g+r /etc/postfix/dkim/*
 </code></pre>
 
@@ -474,7 +474,7 @@ sudo -u spamd sa-compile
 
 <p>And since this should be run periodically, create the service <code>spamassassin-update.service</code> under <code>/etc/systemd/system</code> with the following content:</p>
 
-<pre><code class="language-conf">[Unit]
+<pre><code class="language-ini">[Unit]
 Description=SpamAssassin housekeeping
 After=network.target
 
@@ -491,7 +491,7 @@ ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service
 
 <p>And you could also execute <code>sa-learn</code> to train <code>spamassassin</code>'s bayes filter, but this works for me. Then create the timer <code>spamassassin-update.timer</code> under the same directory, with the content:</p>
 
-<pre><code class="language-conf">[Unit]
+<pre><code class="language-ini">[Unit]
 Description=SpamAssassin housekeeping
 
 [Timer]
@@ -510,7 +510,7 @@ systemctl enable spamassassin-update.timer
 
 <p>Next, you may want to edit the <code>spamassassin</code> service before starting and enabling it, because by default, it could <a href="https://rimuhosting.com/howto/memory.jsp">spawn a lot of &#8220;childs&#8221;</a> eating a lot of resources and you really only need one child. Append <code>--max-children=1</code> to the line <code>ExecStart=...</code> in <code>/usr/bin/systemd/system/spamassassin.service</code>:</p>
 
-<pre><code class="language-conf">...
+<pre><code class="language-ini">...
 ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1
 ...
 </code></pre>
@@ -551,7 +551,7 @@ systemctl enable spamassassin.service
 
 <div class=timestamp>
 <hr>
-<p>Created: Sat, Mar 20, 2021 @ 02:23 MST</p>
+<p>Created: Sat, Mar 20, 2021 @ 02:54 MST; modified: Sat, Mar 20, 2021 @ 03:06 MST</p>
 </div>
     <footer class="footer">
       <i class="fas fa-envelope" alt="Email"></i>
diff --git a/blog/dst/index.html b/blog/dst/index.html
index 703c74b..2046246 100644
--- a/blog/dst/index.html
+++ b/blog/dst/index.html
@@ -71,7 +71,7 @@
 
 <h3>March 2021</h3>
 
-<li>Mar 20 - <a href=https://blog.luevano.xyz/a/mail_server_with_postfix>Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</a></li>
+<li>Mar 20 - <a href=https://blog.luevano.xyz/a/mail_server_with_postfix>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</a></li>
 <li>Mar 18 - <a href=https://blog.luevano.xyz/a/website_with_nginx>Create a website with Nginx and Certbot</a></li>
 <li>Mar 15 - <a href=https://blog.luevano.xyz/a/el_blog_ya_tiene_timestamps>Así es raza, el blog ya tiene timestamps</a></li>
 <li>Mar 13 - <a href=https://blog.luevano.xyz/a/shell_scripting>Shell scripting tutorial video notes</a></li>
diff --git a/blog/src/.files b/blog/src/.files
index 810e603..b6383f6 100644
--- a/blog/src/.files
+++ b/blog/src/.files
@@ -5,4 +5,4 @@
 1614695711 0 ./a/sql_video_notes.md
 1614431313 0 ./a/first_blog_post.md
 1615701443 0 ./a/linux_video_notes.md
-1616232199 0 ./a/mail_server_with_postfix.md
+1616234086 1616234777 ./a/mail_server_with_postfix.md
diff --git a/blog/src/a/git_server_with_cgit.md b/blog/src/a/git_server_with_cgit.md
new file mode 100644
index 0000000..975eaf7
--- /dev/null
+++ b/blog/src/a/git_server_with_cgit.md
@@ -0,0 +1,153 @@
+# Create a git server with cgit (nginx)
+
+My git server is all I need to setup up to actually *kill* my other server (I've been moving from servers on these last 2-3 blog entries), that's why I'm already doing this entry. I'm basically following [git's guide on setting up a server](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server) plus some specific stuff for (btw i use) Arch Linux ([Arch Linux Wiki: Git server](https://wiki.archlinux.org/index.php/Git_server#Web_interfaces) and [Step by step guide on setting up git server in arch linux (pushable)](https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/)).
+
+Note that this is mostly for personal use, so there's no user/authentication control other than that of SSH. Also, most if not all commands here are run as root.
+
+## Prerequisites
+
+I might get tired of saying this (it's just copy paste, basically)... but similar as before (check my [website](https://blog.luevano.xyz/a/website_with_nginx.html) and [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) entries):
+
+* (This time, optional) A domain name if you want to have a "front end" to show your repositories. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw).
+	* With a **CNAME** for "git" and (optionally) "www.git", or some other name for your sub-domains.
+* A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link).
+	* `ssh` configured.
+	* (Optionally, if doing the domain name thingy) With `nginx` and `certbot` setup and running.
+	* Of course, `git` already installed (it should be a must have always).
+
+## git server
+
+If not installed already, install the `git` package:
+
+```sh
+pacman -S git
+```
+
+On Arch Linux, when you install the `git` package, a `git` user is automatically created, so all you have to do is decide where you want to store the repositories, for me, I like them to be on `/home/git` like if `git` was a "normal" user. So, create the `git` folder (with corresponding permissions) under `/home` and set the `git` user's home to `/home/git`:
+
+```sh
+mkdir /home/git
+chown git:git /home/git
+usermod -d /home/git git
+```
+
+Also, the `git` user is "expired" by default and will be locked (needs a password), change that with:
+
+```sh
+chage -E -1 git
+passwd git
+```
+
+Give it a strong one and remember to use `PasswordAuthentication no` for `ssh` (as you should). Create the `.ssh/authorized_keys` for the `git` user and set the permissions accordingly:
+
+```sh
+mkdir /home/git/.ssh
+chmod 700 /home/git/.ssh
+touch /home/git/.ssh/authorized_keys
+chmod 600 /home/git/.ssh/authorized_keys
+chown -R git:git /home/git
+```
+
+Now is a good idea to copy over your local SSH public keys to this file, to be able to push/pull to the repositories. Do it by either manually copying it or using `ssh`'s built in `ssh-copy-id` (for that you may want to check your `ssh` configuration in case you don't let people access your server with user/password).
+
+Next, and almost finally, we need to edit the `git-daemon` service, located at `/usr/lib/systemd/system/` (called `git-daemon@.service`):
+
+```ini
+...
+ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/git --enable=receive-pack
+...
+```
+
+I just appended `--enable=receive-pack` and note that I also changed the `--base-path` to reflect where I want to serve my repositories from (has to match what you set when changing `git` user's home).
+
+Now, go ahead and start and enable the `git-daemon` socket:
+
+```sh
+systemctl start git-daemon.socket
+systemctl enable git-daemon.socket
+```
+
+You're basically done. Now you should be able to push/pull repositories to your server... except, you haven't created any repository in your server, that's right, they're not created automatically when trying to push. To do so, you have to do the following sequence (assuming you're "`cd`'ed" into the `/home/git` directory):
+
+```sh
+mkdir {project_name}.git
+cd {project_name}.git
+```
+
+Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame... although there are options to "automate" this, I like it this way).
+
+After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.), which is detailed [here](https://gist.github.com/rvl/c3f156e117e22a25f242).
+
+## cgit
+
+This bit is optional if you only wanted a git server (really easy to set up), this is so you can have a web application. This is basically a copy paste of [Arch Linux Wiki: Cgit](https://wiki.archlinux.org/index.php/Cgit#Nginx) so you can go there and get more in-depth configurations.
+
+Install the `cgit` and `fcgiwrap` packages:
+
+```sh
+pacman -S cgit fcgiwrap
+```
+
+Now, just start and enable the `fcgiwrap` socket:
+
+```sh
+systemctl start fcgiwrap.socket
+systemctl enable fcgiwrap.socket
+```
+
+Next, the way I configure `nginx` is creating a separate file `{module}.conf` (`git.conf` in this case) under `/etc/nginx/sites-available` and create a symlink to `/etc/nginx/sites-enabled` as stated in my [`nginx` setup entry](https://blog.luevano.xyz/a/website_with_nginx.html). Add the following lines to your `git.conf` file:
+
+```nginx
+server {
+	listen 80;
+	listen [::]:80;
+	root /usr/share/webapps/cgit;
+	server_name {yoursubdomain}.{yourdomain};
+	try_files $uri @cgit;
+
+	location @cgit {
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
+		fastcgi_param PATH_INFO $uri;
+		fastcgi_param QUERY_STRING $args;
+		fastcgi_param HTTP_HOST $server_name;
+		fastcgi_pass unix:/run/fcgiwrap.sock;
+	}
+}
+```
+
+Where the `server_name` line depends on you, I have mine setup to `git.luevano.xyz` and `www.git.luevano.xyz`. Optionally run `certbot --nginx` to get a certificate for those domains if you don't have already.
+
+Now, all that's left is to configure `cgit`. Create the configuration file `/etc/cgitrc` with the following content (my personal options, pretty much the default):
+
+```
+css=/cgit.css
+source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh
+logo=/cgit.png
+
+enable-http-clone=1
+# robots=noindex, nofollow
+virtual-root=/
+
+repo.url={url}
+repo.path={dir_path}
+repo.owner={owner}
+repo.desc={short_description}
+
+...
+```
+
+Where you can uncomment the `robots` line to let web crawlers (like Google's) to index your `git` web app. And at the end keep all your repositories (the ones you want to make public), for example for my [*dotfiles*](https://git.luevano.xyz/.dots) I have:
+
+```
+...
+repo.url=.dots
+repo.path=/home/git/.dots.git
+repo.owner=luevano
+repo.desc=These are my personal dotfiles.
+...
+```
+
+Otherwise you could let `cgit` to automatically detect your repositories (you have to be careful if you want to keep "private" repos) using the option `scan-path` and setup `.git/description` for each repository. I will add more to my actual configuration, but for now it is useful as it is. For more, you can check [cgitrc(5)](https://man.archlinux.org/man/cgitrc.5).
+
+Finally, if you want further support for highlighting, other compressed snapshots or support for markdown, checkout the optional dependencies for `cgit` and also the Arch Wiki goes in detail on how to setup highlighting with two different packages.
diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md
index 017d716..11e704a 100644
--- a/blog/src/a/mail_server_with_postfix.md
+++ b/blog/src/a/mail_server_with_postfix.md
@@ -1,4 +1,4 @@
-# Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM
+# Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM
 
 The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted [here](https://git.luevano.xyz/server_scripts.git).
 
@@ -12,9 +12,9 @@ Basically the same as with the [website with Nginx and Certbot](https://blog.lue
 
 * A domain name. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw).
 	* Later we'll be adding some **MX**  and **TXT** records.
-	* You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`).
+	* You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`) with `certbot` (just create a `mail.conf` for `nginx`, similar to how we created it in the website entry).
 * A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link).
-	* Also `ssh` configured.
+	* `ssh` configured.
 	* Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use `ufw`).
 	* With `nginx` and `certbot` setup and running.
 
@@ -36,7 +36,7 @@ Now, first locate where your website cert is, mine is at the default location `/
 
 Certificates and ciphers to use for authentication and security:
 
-```conf
+```apache
 smtpd_tls_key_file = {yourcertdir}/privkey.pem
 smtpd_tls_cert_file = {yourcertdir}/fullchain.pem
 smtpd_use_tls = yes
@@ -61,7 +61,7 @@ smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_u
 
 Also, for the *connection* with `dovecot`, append the next few lines (telling postfix that `dovecot` will use user/password for authentication):
 
-```conf
+```apache
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
@@ -71,13 +71,13 @@ smtpd_sasl_tls_security_options = noanonymous
 
 Specify the mailbox home (this is going to be a directory inside your user's home):
 
-```conf
+```apache
 home_mailbox = Mail/Inbox/
 ```
 
 Pre-configuration to work seamlessly with `dovecot` and `opendkim`:
 
-```conf
+```apache
 myhostname = {yourdomainname}
 mydomain = localdomain
 mydestination = $myhostname, localhost.$mydomain, localhost
@@ -93,13 +93,13 @@ Where `{yourdomainname}` is `luevano.xyz` in my case, or if you have `localhost`
 
 Lastly, if you don't want the sender's IP and user agent (application used to send the mail), add the following line:
 
-```conf
+```apache
 smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
 ```
 
 And create the `/etc/postfix/smtp_header_checks` file with the following content:
 
-```conf
+```coffee
 /^Received: .*/		IGNORE
 /^User-Agent: .*/	IGNORE
 ```
@@ -110,7 +110,7 @@ First look up lines (they're uncommented) `smtp inet n - n - - smtpd`, `smtp uni
 
 Lastly, append the following lines to complete postfix setup and pre-configure for `spamassassin`.
 
-```conf
+```txt
 smtp unix - - n - - smtp
 smtp inet n - y - - smtpd
 	-o content_filter=spamassassin
@@ -129,7 +129,7 @@ spamassassin unix - n n - - pipe
 
 Now, I ran into some problems with postfix, one being [smtps: Servname not supported for ai_socktype](https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/), to fix it, as *Till* posted in that site, edit `/etc/services` and add:
 
-```conf
+```apache
 smtps 465/tcp
 smtps 465/udp
 ```
@@ -170,7 +170,7 @@ As Luke stated, `dovecot` comes with a lot of "modules" (under `/etc/dovecot/con
 
 I'm working with an empty `dovecot.conf` file. Add the following lines for SSL and login configuration (also replace `{yourcertdir}` with the same certificate directory described in the Postfix section above, note that the `<` is required):
 
-```conf
+```apache
 ssl = required
 ssl_cert = <{yourcertdir}/fullchain.pem
 ssl_key = <{yourcertdir}/privkey.pem
@@ -192,7 +192,7 @@ openssl dhparam -out /etc/dovecot/dh.pem 4096
 
 After that, the next lines define what a "valid user is" (really just sets the database for users and passwords to be the local users with their password):
 
-```conf
+```apache
 userdb {
 	driver = passwd
 }
@@ -204,7 +204,7 @@ passdb {
 
 Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the `LAYOUT` option is important so the boxes are `.Sent` instead of `Sent`. Add the next lines (plus any you like):
 
-```conf
+```apache
 mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
 namespace inbox {
 	inbox = yes
@@ -237,7 +237,7 @@ namespace inbox {
 
 Also include this so Postfix can use Dovecot's authentication system:
 
-```conf
+```apache
 service auth {
 	unix_listener /var/spool/postfix/private/auth {
 		mode = 0660
@@ -249,7 +249,7 @@ service auth {
 
 Lastly (for `dovecot` at least), the plugin configuration for `sieve` (`pigeonhole`):
 
-```conf
+```apache
 protocol lda {
 	mail_plugins = $mail_plugins sieve
 }
@@ -273,7 +273,7 @@ mkdir -p /var/lib/dovecot/sieve
 
 And create the file `default.sieve` inside that just created folder with the content:
 
-```conf
+```nginx
 require ["fileinto", "mailbox"];
 if header :contains "X-Spam-Flag" "YES" {
 	fileinto "Junk";
@@ -297,7 +297,7 @@ To compile the configuration file (a `default.svbin` file will be created next t
 
 Next, add the following lines to `/etc/pam.d/dovecot` if not already present (shouldn't be there if you've been following these notes):
 
-```conf
+```txt
 auth required pam_unix.so nullok
 account required pam_unix.so
 ```
@@ -327,31 +327,31 @@ opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048
 
 Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content:
 
-```conf
+```txt
 {yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
 ```
 
 So, for me it would be:
 
-```conf
+```txt
 mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
 ```
 
 Next, create the file `SigningTable` with the content:
 
-```conf
+```txt
 *@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
 ```
 
 Again, for me it would be:
 
-```conf
+```txt
 *@luevano.xyz mail._domainkey.luevano.xyz
 ```
 
 And, lastly create the file `TrustedHosts` with the content:
 
-```conf
+```txt
 127.0.0.1
 ::1
 10.1.0.0/16
@@ -365,7 +365,7 @@ And more, make sure to include your server IP and something like `subdomain.doma
 
 Next, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents:
 
-```conf
+```apache
 Domain {yourdomain}
 Selector {yoursubdomain}
 
@@ -378,7 +378,7 @@ Socket inet:8891@localhost
 
 Now, change the permissions for all the files inside `/etc/opendkim`:
 
-```conf
+```sh
 chown -R root:opendkim /etc/opendkim
 chmod g+r /etc/postfix/dkim/*
 ```
@@ -439,7 +439,7 @@ sudo -u spamd sa-compile
 
 And since this should be run periodically, create the service `spamassassin-update.service` under `/etc/systemd/system` with the following content:
 
-```conf
+```ini
 [Unit]
 Description=SpamAssassin housekeeping
 After=network.target
@@ -457,7 +457,7 @@ ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service
 
 And you could also execute `sa-learn` to train `spamassassin`'s bayes filter, but this works for me. Then create the timer `spamassassin-update.timer` under the same directory, with the content:
 
-```conf
+```ini
 [Unit]
 Description=SpamAssassin housekeeping
 
@@ -478,7 +478,7 @@ systemctl enable spamassassin-update.timer
 
 Next, you may want to edit the `spamassassin` service before starting and enabling it, because by default, it could [spawn a lot of "childs"](https://rimuhosting.com/howto/memory.jsp) eating a lot of resources and you really only need one child. Append `--max-children=1` to the line `ExecStart=...` in `/usr/bin/systemd/system/spamassassin.service`:
 
-```conf
+```ini
 ...
 ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1
 ...
author	David Luevano Alvarado <david@luevano.xyz>	2021-03-20 23:00:47 -0700
committer	David Luevano Alvarado <david@luevano.xyz>	2021-03-20 23:00:47 -0700
commit	1d3d721229e060c70ee28848d8b8d227e764990a (patch)
tree	1bf1761400bc6edbe6e6a9cf64718b7da2620a5d /blog
parent	e331c60377e62f158bdcdedfc7a0664104cd8e03 (diff)