From 1d3d721229e060c70ee28848d8b8d227e764990a Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Sat, 20 Mar 2021 23:00:47 -0700 Subject: Add git server entry --- blog/src/a/git_server_with_cgit.md | 153 +++++++++++++++++++++++++++++++++ blog/src/a/mail_server_with_postfix.md | 56 ++++++------ 2 files changed, 181 insertions(+), 28 deletions(-) create mode 100644 blog/src/a/git_server_with_cgit.md (limited to 'blog/src/a') diff --git a/blog/src/a/git_server_with_cgit.md b/blog/src/a/git_server_with_cgit.md new file mode 100644 index 0000000..975eaf7 --- /dev/null +++ b/blog/src/a/git_server_with_cgit.md @@ -0,0 +1,153 @@ +# Create a git server with cgit (nginx) + +My git server is all I need to setup up to actually *kill* my other server (I've been moving from servers on these last 2-3 blog entries), that's why I'm already doing this entry. I'm basically following [git's guide on setting up a server](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server) plus some specific stuff for (btw i use) Arch Linux ([Arch Linux Wiki: Git server](https://wiki.archlinux.org/index.php/Git_server#Web_interfaces) and [Step by step guide on setting up git server in arch linux (pushable)](https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/)). + +Note that this is mostly for personal use, so there's no user/authentication control other than that of SSH. Also, most if not all commands here are run as root. + +## Prerequisites + +I might get tired of saying this (it's just copy paste, basically)... but similar as before (check my [website](https://blog.luevano.xyz/a/website_with_nginx.html) and [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) entries): + +* (This time, optional) A domain name if you want to have a "front end" to show your repositories. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). + * With a **CNAME** for "git" and (optionally) "www.git", or some other name for your sub-domains. +* A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). + * `ssh` configured. + * (Optionally, if doing the domain name thingy) With `nginx` and `certbot` setup and running. + * Of course, `git` already installed (it should be a must have always). + +## git server + +If not installed already, install the `git` package: + +```sh +pacman -S git +``` + +On Arch Linux, when you install the `git` package, a `git` user is automatically created, so all you have to do is decide where you want to store the repositories, for me, I like them to be on `/home/git` like if `git` was a "normal" user. So, create the `git` folder (with corresponding permissions) under `/home` and set the `git` user's home to `/home/git`: + +```sh +mkdir /home/git +chown git:git /home/git +usermod -d /home/git git +``` + +Also, the `git` user is "expired" by default and will be locked (needs a password), change that with: + +```sh +chage -E -1 git +passwd git +``` + +Give it a strong one and remember to use `PasswordAuthentication no` for `ssh` (as you should). Create the `.ssh/authorized_keys` for the `git` user and set the permissions accordingly: + +```sh +mkdir /home/git/.ssh +chmod 700 /home/git/.ssh +touch /home/git/.ssh/authorized_keys +chmod 600 /home/git/.ssh/authorized_keys +chown -R git:git /home/git +``` + +Now is a good idea to copy over your local SSH public keys to this file, to be able to push/pull to the repositories. Do it by either manually copying it or using `ssh`'s built in `ssh-copy-id` (for that you may want to check your `ssh` configuration in case you don't let people access your server with user/password). + +Next, and almost finally, we need to edit the `git-daemon` service, located at `/usr/lib/systemd/system/` (called `git-daemon@.service`): + +```ini +... +ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/git --enable=receive-pack +... +``` + +I just appended `--enable=receive-pack` and note that I also changed the `--base-path` to reflect where I want to serve my repositories from (has to match what you set when changing `git` user's home). + +Now, go ahead and start and enable the `git-daemon` socket: + +```sh +systemctl start git-daemon.socket +systemctl enable git-daemon.socket +``` + +You're basically done. Now you should be able to push/pull repositories to your server... except, you haven't created any repository in your server, that's right, they're not created automatically when trying to push. To do so, you have to do the following sequence (assuming you're "`cd`'ed" into the `/home/git` directory): + +```sh +mkdir {project_name}.git +cd {project_name}.git +``` + +Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame... although there are options to "automate" this, I like it this way). + +After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.), which is detailed [here](https://gist.github.com/rvl/c3f156e117e22a25f242). + +## cgit + +This bit is optional if you only wanted a git server (really easy to set up), this is so you can have a web application. This is basically a copy paste of [Arch Linux Wiki: Cgit](https://wiki.archlinux.org/index.php/Cgit#Nginx) so you can go there and get more in-depth configurations. + +Install the `cgit` and `fcgiwrap` packages: + +```sh +pacman -S cgit fcgiwrap +``` + +Now, just start and enable the `fcgiwrap` socket: + +```sh +systemctl start fcgiwrap.socket +systemctl enable fcgiwrap.socket +``` + +Next, the way I configure `nginx` is creating a separate file `{module}.conf` (`git.conf` in this case) under `/etc/nginx/sites-available` and create a symlink to `/etc/nginx/sites-enabled` as stated in my [`nginx` setup entry](https://blog.luevano.xyz/a/website_with_nginx.html). Add the following lines to your `git.conf` file: + +```nginx +server { + listen 80; + listen [::]:80; + root /usr/share/webapps/cgit; + server_name {yoursubdomain}.{yourdomain}; + try_files $uri @cgit; + + location @cgit { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_pass unix:/run/fcgiwrap.sock; + } +} +``` + +Where the `server_name` line depends on you, I have mine setup to `git.luevano.xyz` and `www.git.luevano.xyz`. Optionally run `certbot --nginx` to get a certificate for those domains if you don't have already. + +Now, all that's left is to configure `cgit`. Create the configuration file `/etc/cgitrc` with the following content (my personal options, pretty much the default): + +``` +css=/cgit.css +source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh +logo=/cgit.png + +enable-http-clone=1 +# robots=noindex, nofollow +virtual-root=/ + +repo.url={url} +repo.path={dir_path} +repo.owner={owner} +repo.desc={short_description} + +... +``` + +Where you can uncomment the `robots` line to let web crawlers (like Google's) to index your `git` web app. And at the end keep all your repositories (the ones you want to make public), for example for my [*dotfiles*](https://git.luevano.xyz/.dots) I have: + +``` +... +repo.url=.dots +repo.path=/home/git/.dots.git +repo.owner=luevano +repo.desc=These are my personal dotfiles. +... +``` + +Otherwise you could let `cgit` to automatically detect your repositories (you have to be careful if you want to keep "private" repos) using the option `scan-path` and setup `.git/description` for each repository. I will add more to my actual configuration, but for now it is useful as it is. For more, you can check [cgitrc(5)](https://man.archlinux.org/man/cgitrc.5). + +Finally, if you want further support for highlighting, other compressed snapshots or support for markdown, checkout the optional dependencies for `cgit` and also the Arch Wiki goes in detail on how to setup highlighting with two different packages. diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md index 017d716..11e704a 100644 --- a/blog/src/a/mail_server_with_postfix.md +++ b/blog/src/a/mail_server_with_postfix.md @@ -1,4 +1,4 @@ -# Create a Mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM +# Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted [here](https://git.luevano.xyz/server_scripts.git). @@ -12,9 +12,9 @@ Basically the same as with the [website with Nginx and Certbot](https://blog.lue * A domain name. Got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). * Later we'll be adding some **MX** and **TXT** records. - * You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`). + * You also need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police), to actually work and to get SSL certificate (you can also use the SSL certificate obtained if you created a website following my other notes on `nginx` and `certbot`) with `certbot` (just create a `mail.conf` for `nginx`, similar to how we created it in the website entry). * A VPS or somewhere else to host. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). - * Also `ssh` configured. + * `ssh` configured. * Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall (I use `ufw`). * With `nginx` and `certbot` setup and running. @@ -36,7 +36,7 @@ Now, first locate where your website cert is, mine is at the default location `/ Certificates and ciphers to use for authentication and security: -```conf +```apache smtpd_tls_key_file = {yourcertdir}/privkey.pem smtpd_tls_cert_file = {yourcertdir}/fullchain.pem smtpd_use_tls = yes @@ -61,7 +61,7 @@ smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_u Also, for the *connection* with `dovecot`, append the next few lines (telling postfix that `dovecot` will use user/password for authentication): -```conf +```apache smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth @@ -71,13 +71,13 @@ smtpd_sasl_tls_security_options = noanonymous Specify the mailbox home (this is going to be a directory inside your user's home): -```conf +```apache home_mailbox = Mail/Inbox/ ``` Pre-configuration to work seamlessly with `dovecot` and `opendkim`: -```conf +```apache myhostname = {yourdomainname} mydomain = localdomain mydestination = $myhostname, localhost.$mydomain, localhost @@ -93,13 +93,13 @@ Where `{yourdomainname}` is `luevano.xyz` in my case, or if you have `localhost` Lastly, if you don't want the sender's IP and user agent (application used to send the mail), add the following line: -```conf +```apache smtp_header_checks = regexp:/etc/postfix/smtp_header_checks ``` And create the `/etc/postfix/smtp_header_checks` file with the following content: -```conf +```coffee /^Received: .*/ IGNORE /^User-Agent: .*/ IGNORE ``` @@ -110,7 +110,7 @@ First look up lines (they're uncommented) `smtp inet n - n - - smtpd`, `smtp uni Lastly, append the following lines to complete postfix setup and pre-configure for `spamassassin`. -```conf +```txt smtp unix - - n - - smtp smtp inet n - y - - smtpd -o content_filter=spamassassin @@ -129,7 +129,7 @@ spamassassin unix - n n - - pipe Now, I ran into some problems with postfix, one being [smtps: Servname not supported for ai_socktype](https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/), to fix it, as *Till* posted in that site, edit `/etc/services` and add: -```conf +```apache smtps 465/tcp smtps 465/udp ``` @@ -170,7 +170,7 @@ As Luke stated, `dovecot` comes with a lot of "modules" (under `/etc/dovecot/con I'm working with an empty `dovecot.conf` file. Add the following lines for SSL and login configuration (also replace `{yourcertdir}` with the same certificate directory described in the Postfix section above, note that the `<` is required): -```conf +```apache ssl = required ssl_cert = <{yourcertdir}/fullchain.pem ssl_key = <{yourcertdir}/privkey.pem @@ -192,7 +192,7 @@ openssl dhparam -out /etc/dovecot/dh.pem 4096 After that, the next lines define what a "valid user is" (really just sets the database for users and passwords to be the local users with their password): -```conf +```apache userdb { driver = passwd } @@ -204,7 +204,7 @@ passdb { Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the `LAYOUT` option is important so the boxes are `.Sent` instead of `Sent`. Add the next lines (plus any you like): -```conf +```apache mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs namespace inbox { inbox = yes @@ -237,7 +237,7 @@ namespace inbox { Also include this so Postfix can use Dovecot's authentication system: -```conf +```apache service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 @@ -249,7 +249,7 @@ service auth { Lastly (for `dovecot` at least), the plugin configuration for `sieve` (`pigeonhole`): -```conf +```apache protocol lda { mail_plugins = $mail_plugins sieve } @@ -273,7 +273,7 @@ mkdir -p /var/lib/dovecot/sieve And create the file `default.sieve` inside that just created folder with the content: -```conf +```nginx require ["fileinto", "mailbox"]; if header :contains "X-Spam-Flag" "YES" { fileinto "Junk"; @@ -297,7 +297,7 @@ To compile the configuration file (a `default.svbin` file will be created next t Next, add the following lines to `/etc/pam.d/dovecot` if not already present (shouldn't be there if you've been following these notes): -```conf +```txt auth required pam_unix.so nullok account required pam_unix.so ``` @@ -327,31 +327,31 @@ opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048 Where you need to change `{yourdomain}` and `{yoursubdomain}` (doesn't really need to be the sub-domain, could be anything that describes your key) accordingly, for me it's `luevano.xyz` and `mail`, respectively. After that, we need to create some files inside the `/etc/opendkim` directory. First, create the file `KeyTable` with the content: -```conf +```txt {yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private ``` So, for me it would be: -```conf +```txt mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private ``` Next, create the file `SigningTable` with the content: -```conf +```txt *@{yourdomain} {yoursubdomain}._domainkey.{yourdomain} ``` Again, for me it would be: -```conf +```txt *@luevano.xyz mail._domainkey.luevano.xyz ``` And, lastly create the file `TrustedHosts` with the content: -```conf +```txt 127.0.0.1 ::1 10.1.0.0/16 @@ -365,7 +365,7 @@ And more, make sure to include your server IP and something like `subdomain.doma Next, edit `/etc/opendkim/opendkim.conf` to reflect the changes (or rather, additions) of these files, as well as some other configuration. You can look up the example configuration file located at `/usr/share/doc/opendkim/opendkim.conf.sample`, but I'm creating a blank one with the contents: -```conf +```apache Domain {yourdomain} Selector {yoursubdomain} @@ -378,7 +378,7 @@ Socket inet:8891@localhost Now, change the permissions for all the files inside `/etc/opendkim`: -```conf +```sh chown -R root:opendkim /etc/opendkim chmod g+r /etc/postfix/dkim/* ``` @@ -439,7 +439,7 @@ sudo -u spamd sa-compile And since this should be run periodically, create the service `spamassassin-update.service` under `/etc/systemd/system` with the following content: -```conf +```ini [Unit] Description=SpamAssassin housekeeping After=network.target @@ -457,7 +457,7 @@ ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service And you could also execute `sa-learn` to train `spamassassin`'s bayes filter, but this works for me. Then create the timer `spamassassin-update.timer` under the same directory, with the content: -```conf +```ini [Unit] Description=SpamAssassin housekeeping @@ -478,7 +478,7 @@ systemctl enable spamassassin-update.timer Next, you may want to edit the `spamassassin` service before starting and enabling it, because by default, it could [spawn a lot of "childs"](https://rimuhosting.com/howto/memory.jsp) eating a lot of resources and you really only need one child. Append `--max-children=1` to the line `ExecStart=...` in `/usr/bin/systemd/system/spamassassin.service`: -```conf +```ini ... ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1 ... -- cgit v1.2.3-70-g09d2