From 7e49db5ddefe8c515b5f3931a5c701efaac33d91 Mon Sep 17 00:00:00 2001 From: David Luevano Alvarado Date: Fri, 16 Dec 2022 17:45:03 -0600 Subject: change structure for new pyssg version --- blog/src/a/acomodada_la_pagina_de_arte.md | 13 - blog/src/a/asi_nomas_esta_quedando.md | 17 - blog/src/a/devs_android_me_trozaron.md | 30 -- blog/src/a/el_blog_ya_tiene_timestamps.md | 16 - blog/src/a/first_blog_post.md | 14 - blog/src/a/git_server_with_cgit.md | 189 ------- blog/src/a/hoy_toco_desarrollo_personaje.md | 29 -- blog/src/a/mail_server_with_postfix.md | 517 ------------------ blog/src/a/new_blogging_system.md | 20 - blog/src/a/password_manager_authenticator_setup.md | 24 - blog/src/a/tenia_esto_descuidado.md | 19 - blog/src/a/volviendo_a_usar_la_pagina.md | 15 - blog/src/a/vpn_server_with_openvpn.md | 362 ------------- blog/src/a/website_with_nginx.md | 166 ------ blog/src/a/xmpp_server_with_prosody.md | 579 --------------------- 15 files changed, 2010 deletions(-) delete mode 100644 blog/src/a/acomodada_la_pagina_de_arte.md delete mode 100644 blog/src/a/asi_nomas_esta_quedando.md delete mode 100644 blog/src/a/devs_android_me_trozaron.md delete mode 100644 blog/src/a/el_blog_ya_tiene_timestamps.md delete mode 100644 blog/src/a/first_blog_post.md delete mode 100644 blog/src/a/git_server_with_cgit.md delete mode 100644 blog/src/a/hoy_toco_desarrollo_personaje.md delete mode 100644 blog/src/a/mail_server_with_postfix.md delete mode 100644 blog/src/a/new_blogging_system.md delete mode 100644 blog/src/a/password_manager_authenticator_setup.md delete mode 100644 blog/src/a/tenia_esto_descuidado.md delete mode 100644 blog/src/a/volviendo_a_usar_la_pagina.md delete mode 100644 blog/src/a/vpn_server_with_openvpn.md delete mode 100644 blog/src/a/website_with_nginx.md delete mode 100644 blog/src/a/xmpp_server_with_prosody.md (limited to 'blog/src/a') diff --git a/blog/src/a/acomodada_la_pagina_de_arte.md b/blog/src/a/acomodada_la_pagina_de_arte.md deleted file mode 100644 index 2cac170..0000000 --- a/blog/src/a/acomodada_la_pagina_de_arte.md +++ /dev/null @@ -1,13 +0,0 @@ -title: Al fin ya me acomodé la página pa' los dibujos -author: David Luévano -lang: es -summary: Actualización en el estado de la página, en este caso sobre la existencia de una nueva página para los dibujos y arte en general. -tags: short - update - spanish - -Así es, ya quedó acomodado el sub-dominio `art.luevano.xyz` pos pal [arte](https://art.luevano.xyz) veda. Entonces pues ando feliz por eso. - -Este pedo fue gracias a que me reescribí la forma en la que `pyssg` maneja los templates, ahora uso el sistema de `jinja` en vez del cochinero que hacía antes. - -Y pues nada más eso, aquí está el [primer post](https://art.luevano.xyz/a/elephant_octopus.html) y por supuesto acá está el link del RSS [https://art.luevano.xyz/rss.xml](https://art.luevano.xyz/rss.xml). diff --git a/blog/src/a/asi_nomas_esta_quedando.md b/blog/src/a/asi_nomas_esta_quedando.md deleted file mode 100644 index c1ed74c..0000000 --- a/blog/src/a/asi_nomas_esta_quedando.md +++ /dev/null @@ -1,17 +0,0 @@ -title: Así nomás está quedando el página -author: David Luévano -lang: es -summary: Actualización en el estado de la página, el servidor de XMPP y Matrix que me acomodé y próximas cosas que quiero hacer. -tags: short - update - spanish - -Estuve acomodando un poco más el *sItIo*, al fin agregué la "sección" de [contact](https://luevano.xyz/contact.html) y de [donate](https://luevano.xyz/donate.html) por si hay algún loco que quiere tirar varo. - -También me puse a acomodar un servidor de [XMPP](https://xmpp.org/) el cual, en pocas palabras, es un protocolo de mensajería instantánea (y más) descentralizado, por lo cual cada quien puede hacer una cuenta en el servidor que quiera y conectarse con cuentas creadas en otro servidor... exacto, como con los correos electrónicos. Y esto está perro porque si tú tienes tu propio server, así como con uno de correo electrónico, puedes controlar qué características tiene, quiénes pueden hacer cuenta, si hay *end-to-end encryption* (o mínimo *end-to-server*), entre un montón de otras cosas. - -Ahorita este server es SUMISO (*compliant* en español, jeje) para jalar con la app [conversations](https://conversations.im/) y con la red social [movim](https://movim.eu/), pero realmente funcionaría con casi cualquier cliente de XMPP, amenos que ese cliente implemente algo que no tiene mi server. Y también acomodé un server de [Matrix](https://matrix.org/) que es muy similar pero es bajo otro protocolo y se siente más como un discord/slack (al menos en el [element](https://element.io/)), muy chingón también. - -Si bien aún quedan cosas por hacer sobre estos dos servers que me acomodé (además de hacerles unas entradas para documentar cómo lo hice), quiero moverme a otra cosa que sería acomodar una sección de dibujos, lo cual en teoría es bien sencillo, pero como quiero poder automatizar la publicación de estos, quiero modificar un poco el [pyssg](https://github.com/luevano/pyssg) para que jale chido para este pex. - -Ya por último también quiero moverle un poco al CSS, porque lo dejé en un estado muy culerón y quiero meterle/ajustar unas cosas para que quede más limpio y medianamente bonito... *dentro de lo que cabe porque evidentemente me vale verga si se ve como una página del 2000*. diff --git a/blog/src/a/devs_android_me_trozaron.md b/blog/src/a/devs_android_me_trozaron.md deleted file mode 100644 index 9cc7dad..0000000 --- a/blog/src/a/devs_android_me_trozaron.md +++ /dev/null @@ -1,30 +0,0 @@ -title: Los devs de Android/MIUI me trozaron -author: David Luévano -lang: es -summary: Perdí un día completo resolviendo un problema muy estúpido, por culpa de los devs de Android/MIUI. -tags: rant - update - spanish - -Llevo dos semanas posponiendo esta entrada porque andaba bien enojado (todavía, pero ya se anda pasando) y me daba *zzz*. Pero bueno, antes que nada este pex ocupa un poco de contexto sobre dos cositas: - -- [Tachiyomi](https://tachiyomi.org/): Una aplicación de android que uso para descargar y leer manga. Lo importante aquí es que por default se guardan los mangas con cada página siendo una sola imagen, por lo que al mover el manga de un lado a otro tarda mucho tiempo. -- [Adoptable storage](https://source.android.com/devices/storage/adoptable): Un *feature* de android que básicamente te deja usar una micro SD (mSD) externa como si fuera interna, encriptando y dejando la mSD inutilizable en cualquier otro dispositivo. La memoria interna se *pierde* o algo por el estilo (bajo mi experiencia), por lo que parece es bastante útil cuando la capacidad de la memoria interna es baja. - -Ahora sí vamonos por partes, primero que nada lo que sucedió fue que ordené una mSD con más capacidad que la que ya tenía (64 GB -> 512 GB, poggies), porque últimamente he estado bajando y leyendo mucho manga entonces me estaba quedando sin espacio. Ésta llegó el día de mi cumpleaños lo cuál estuvo chingón, me puse a hacer backup de la mSD que ya tenía y preparando todo, muy bonito, muy bonito. - -Empecé a tener problemas, porque al estar moviendo tanto archivo pequeño (porque recordemos que el *tachiyomi* trata a cada página como una sola imagen), la conexión entre el celular y mi computadora se estaba corte y corte por alguna razón; en general muchos pedos. Por lo que mejor le saqué la nueva mSD y la metí directo a mi computadora por medio de un adaptador para batallar menos y que fuera más rápido. - -Hacer este pedo de mover archivos directamente en la mSD puede llevar a corromper la memoria, no se los detalles pero pasa (o quizá estoy meco e hice algo mal). Por lo que al terminar de mover todo a la nueva mSD y ponerla en el celular, éste se emputó que porque no la detectaba y que quería tirar un formateo a la mSD. A este punto no me importaba mucho, sólo era questión de volvera mover archivos y ser más cuidadoso; "*no issues from my end*" diría en mis *standups*. - -Todo valió **vergota** porque en cierto punto al elegir sí formatear la mSD mi celular me daba la opción de "*usar la micro SD para el celular*" o "*usar la micro SD como memoria portátil*" (o algo entre esas líneas), y yo, estúpidamente, elegí la primera, porque me daba sentido: "no, pues simón, voy a usar esta memoria para este celular". - -Pues mamé, resulta que esa primera opción lo que realmente quería decir es que se iba a usar la micro SD como interna usando el pex este de *adoptable storage*. Entonces básicamente *perdí* mi capacidad de memoria interna (128 GB aprox.), y toda la mSD nueva se usó como memoria interna. Todo se juntó, si intentaba sacar la mSD todo se iba a la mierda y no podía usar muchas aplicaciones. "*No hay pedo*", pensé, "*nada más es cuestión de desactivar esta mamada de adoptable storage*". - -Ni madres dijeron los devs de Android, este pedo nada más es un *one-way*: puedes activar *adoptable storage* pero para desactivarlo **ocupas, a huevo, formatear tu celular a estado de fábrica**. Chingué a mi madre, comí mierda, perdí. - -Pues eso fue lo que hice, ni modo. Hice backup de todo lo que se me ocurrió (también me di cuenta que G\*\*gl\* authenticator es cagada ya que no te deja hacer backup, entre otras cosas, mejor usen [Aegis authenticator](https://getaegis.app/)), desactivé todo lo que se tenía que desactivar y tocó hacer *factory reset*, ni modo. Pero como siempre las cosas salen mal y tocó comer mierda del banco porque me bloquearon la tarjeta, perdí credenciales necesarias para el trabajo (se resolvió rápido), etc., etc.. Ya no importa, ya casi todo está resuelto, sólo queda ir al banco a resolver lo de la tarjeta bloqueada (esto es para otro *rant*, pinches apps de bancos piteras, ocupan hacer una sola cosa y la hacen mal). - -Al final del día, la causa del problema fueron los malditos mangas (por andar queriendo *backupearlos*), que terminé bajando de nuevo manualmente y resultó mejor porque aparentemente *tachiyomi* agregó la opción de "*zippear*" los mangas en formato [CBZ](https://docs.fileformat.com/ebook/cbz/), por lo que ya son más fácil de mover de un lado para otro, el fono no se queda pendejo, etc., etc.. - -Por último, quiero decir que los devs de Android son unos pendejos por no hacer reversible la opción de *adoptable storage*, y los de MIUI son todavía más por no dar detalles de lo que significan sus opciones de formateo, especialmente si una opción es tan chingadora que para revertirla necesitas formatear a estado de fábrica tu celular; más que nada es culpa de los de MIUI, todavía que ponen un chingo de A(i)DS en todas sus apps, no pueden poner una buena descripción en sus opciones. **REEEE**. \ No newline at end of file diff --git a/blog/src/a/el_blog_ya_tiene_timestamps.md b/blog/src/a/el_blog_ya_tiene_timestamps.md deleted file mode 100644 index 4fbe9bd..0000000 --- a/blog/src/a/el_blog_ya_tiene_timestamps.md +++ /dev/null @@ -1,16 +0,0 @@ -title: Así es raza, el blog ya tiene timestamps -author: David Luévano -lang: es -summary: Actualización en el estado del blog y el sistema usado para crearlo. -tags: short - update - tools - spanish - -Pues eso, esta entrada es sólo para tirar update sobre mi [primer post](https://blog.luevano.xyz/a/first_blog_post.html). Ya modifiqué el `ssg` lo suficiente como para que maneje los *timestamps*, y ya estoy más familiarizado con este script entonces ya lo podré extender más, pero por ahora las entradas ya tienen su fecha de creación (y modificación en dado caso) al final y en el índice ya están organizados por fecha, que por ahora está algo simple pero está sencillo de extender. - -Ya lo único que queda es cambiar un poco el formato del blog (y de la página en general), porque en un momento de desesperación puse todo el texto en justificado y pues no se ve chido siempre, entonces queda corregir eso. *Y aunque me tomó más tiempo del que quisiera, así nomás quedó, diría un cierto personaje.* - -El `ssg` modificado está en mis [dotfiles](https://git.luevano.xyz/.dots) (o directamente [aquí](https://git.luevano.xyz/.dots/tree/.local/bin/ssg)). - -Por último, también quité las extensiones `.html` de las URLs, porque se veía bien pitero, pero igual los links con `.html` al final redirigen a su link sin `.html`, así que no hay rollo alguno. diff --git a/blog/src/a/first_blog_post.md b/blog/src/a/first_blog_post.md deleted file mode 100644 index b4851f2..0000000 --- a/blog/src/a/first_blog_post.md +++ /dev/null @@ -1,14 +0,0 @@ -title: This is the first blog post, just for testing purposes -author: David Luévano -lang: en -summary: Just my first blog post where I state what tools I'm using to build this blog. -tags: short - update - tools - english - -I'm making this post just to figure out how [`ssg5`](https://www.romanzolotarev.com/ssg.html) and [`lowdown`](https://kristaps.bsd.lv/lowdown/) are supposed to work (and eventually also [`rssg`](https://www.romanzolotarev.com/rssg.html)). - -At the moment, I'm not satisfied because there's no automatic date insertion into the 1) html file, 2) the blog post itself and 3) the listing system in the [blog homepage](https://blog.luevano.xyz/) (and there's also the problem with the ordering of the entries...). And all of this just because I didn't want to use [Luke's](https://github.com/LukeSmithxyz/lb) solution (don't really like that much how he handles the scripts... *but they just work*). - -Hopefully, for tomorrow all of this will be sorted out and I'll have a working blog system. diff --git a/blog/src/a/git_server_with_cgit.md b/blog/src/a/git_server_with_cgit.md deleted file mode 100644 index 4eb440c..0000000 --- a/blog/src/a/git_server_with_cgit.md +++ /dev/null @@ -1,189 +0,0 @@ -title: Create a git server and setup cgit web app (on Nginx) -author: David Luévano -lang: en -summary: How to create a git server using cgit on a server running Nginx. This is a follow up on post about creating a website with Nginx and Certbot. -tags: server - tools - tutorial - english - -My git server is all I need to setup to actually *kill* my other server (I've been moving from servers on these last 2-3 blog entries), that's why I'm already doing this entry. I'm basically following [git's guide on setting up a server](https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server) plus some specific stuff for (btw i use) Arch Linux ([Arch Linux Wiki: Git server](https://wiki.archlinux.org/index.php/Git_server#Web_interfaces) and [Step by step guide on setting up git server in arch linux (pushable)](https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/)). - -Note that this is mostly for personal use, so there's no user/authentication control other than that of SSH. Also, most if not all commands here are run as root. - -## Prerequisites - -I might get tired of saying this (it's just copy paste, basically)... but you will need the same prerequisites as before (check my [website](https://blog.luevano.xyz/a/website_with_nginx.html) and [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) entries), with the extras: - -- (Optional, if you want a "front-end") A **CNAME** for "git" and (optionally) "www.git", or some other name for your sub-domains. -- An SSL certificate, if you're following the other entries, add a `git.conf` and run `certbot --nginx` to extend the certificate. - -## Git - -[Git](https://wiki.archlinux.org/title/git) is a version control system. - -If not installed already, install the `git` package: - -```sh -pacman -S git -``` - -On Arch Linux, when you install the `git` package, a `git` user is automatically created, so all you have to do is decide where you want to store the repositories, for me, I like them to be on `/home/git` like if `git` was a "normal" user. So, create the `git` folder (with corresponding permissions) under `/home` and set the `git` user's home to `/home/git`: - -```sh -mkdir /home/git -chown git:git /home/git -usermod -d /home/git git -``` - -Also, the `git` user is "expired" by default and will be locked (needs a password), change that with: - -```sh -chage -E -1 git -passwd git -``` - -Give it a strong one and remember to use `PasswordAuthentication no` for `ssh` (as you should). Create the `.ssh/authorized_keys` for the `git` user and set the permissions accordingly: - -```sh -mkdir /home/git/.ssh -chmod 700 /home/git/.ssh -touch /home/git/.ssh/authorized_keys -chmod 600 /home/git/.ssh/authorized_keys -chown -R git:git /home/git -``` - -Now is a good idea to copy over your local SSH public keys to this file, to be able to push/pull to the repositories. Do it by either manually copying it or using `ssh`'s built in `ssh-copy-id` (for that you may want to check your `ssh` configuration in case you don't let people access your server with user/password). - -Next, and almost finally, we need to edit the `git-daemon` service, located at `/usr/lib/systemd/system/` (called `git-daemon@.service`): - -```ini -... -ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/git --enable=receive-pack -... -``` - -I just appended `--enable=receive-pack` and note that I also changed the `--base-path` to reflect where I want to serve my repositories from (has to match what you set when changing `git` user's home). - -Now, go ahead and start and enable the `git-daemon` socket: - -```sh -systemctl start git-daemon.socket -systemctl enable git-daemon.socket -``` - -You're basically done. Now you should be able to push/pull repositories to your server... except, you haven't created any repository in your server, that's right, they're not created automatically when trying to push. To do so, you have to run (while inside `/home/git`): - -```sh -git init --bare {repo_name}.git -chown -R git:git repo_name.git -``` - -Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame... although there are options to "automate" this, I like it this way). - -After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.); to do so, check [this gist](https://gist.github.com/rvl/c3f156e117e22a25f242). - -## Cgit - -[Cgit](https://wiki.archlinux.org/title/Cgit) is a fast web interface for git. - -This is optionally since it's only for the web application. - -Install the `cgit` and `fcgiwrap` packages: - -```sh -pacman -S cgit fcgiwrap -``` - -Now, just start and enable the `fcgiwrap` socket: - -```sh -systemctl start fcgiwrap.socket -systemctl enable fcgiwrap.socket -``` - -Next, create the `git.conf` as stated in my [nginx setup entry](https://blog.luevano.xyz/a/website_with_nginx.html). Add the following lines to your `git.conf` file: - -```nginx -server { - listen 80; - listen [::]:80; - root /usr/share/webapps/cgit; - server_name {yoursubdomain}.{yourdomain}; - try_files $uri @cgit; - - location @cgit { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi; - fastcgi_param PATH_INFO $uri; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_pass unix:/run/fcgiwrap.sock; - } -} -``` - -Where the `server_name` line depends on you, I have mine setup to `git.luevano.xyz` and `www.git.luevano.xyz`. Optionally run `certbot --nginx` to get a certificate for those domains if you don't have already. - -Now, all that's left is to configure `cgit`. Create the configuration file `/etc/cgitrc` with the following content (my personal options, pretty much the default): - -```apache -css=/cgit.css -logo=/cgit.png - -enable-http-clone=1 -# robots=noindex, nofollow -virtual-root=/ - -repo.url={url} -repo.path={dir_path} -repo.owner={owner} -repo.desc={short_description} - -... -``` - -Where you can uncomment the `robots` line to let web crawlers (like Google's) to index your `git` web app. And at the end keep all your repositories (the ones you want to make public), for example for my [*dotfiles*](https://git.luevano.xyz/.dots) I have: - -```apache -... -repo.url=.dots -repo.path=/home/git/.dots.git -repo.owner=luevano -repo.desc=These are my personal dotfiles. -... -``` - -Otherwise you could let `cgit` to automatically detect your repositories (you have to be careful if you want to keep "private" repos) using the option `scan-path` and setup `.git/description` for each repository. For more, you can check [cgitrc(5)](https://man.archlinux.org/man/cgitrc.5). - -By default you can't see the files on the site, you need a highlighter to render the files, I use `highlight`. Install the `highlight` package: - -```sh -pacman -S highlight -``` - -Copy the `syntax-highlighting.sh` script to the corresponding location (basically adding `-edited` to the file): - -```sh -cp /usr/lib/cgit/filters/syntax-highlighting.sh /usr/lib/cgit/filters/syntax-highlighting-edited.sh -``` - -And edit it to use the version 3 and add `--inline-css` for more options without editing `cgit`'s CSS file: - -```sh -... -# This is for version 2 -# exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null - -# This is for version 3 -exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null -... -``` - -Finally, enable the filter in `/etc/cgitrc` configuration: - -```apache -source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh -``` - -That would be everything. If you need support for more stuff like compressed snapshots or support for markdown, check the optional dependencies for `cgit`. diff --git a/blog/src/a/hoy_toco_desarrollo_personaje.md b/blog/src/a/hoy_toco_desarrollo_personaje.md deleted file mode 100644 index a32dd01..0000000 --- a/blog/src/a/hoy_toco_desarrollo_personaje.md +++ /dev/null @@ -1,29 +0,0 @@ -title: Hoy me tocó desarrollo de personaje -author: David Luévano -lang: es -summary: Una breve historia sobre cómo estuvo mi día, porque me tocó desarrollo de personaje y lo quiero sacar del coraje que traigo. -tags: spanish - -Sabía que hoy no iba a ser un día tan bueno, pero no sabía que iba a estar tan horrible; me tocó desarrollo de personaje y saqué el *bad ending*. - -Básicamente tenía que cumplir dos misiones hoy: ir al banco a un trámite y vacunarme contra el Covid-19. Muy sencillas tareas. - -Primero que nada me levanté de una pesadilla horrible en la que se puede decir que se me subió el muerto al querer despertar, esperé a que fuera casi la hora de salida de mi horario de trabajo, me bañé y fui directo al banco primero. Todo bien hasta aquí. - -En el camino al banco, durante la plática con el conductor del Uber salió el tema del horario del banco. Yo muy tranquilo dije "pues voy algo tarde, pero sí alcanzo, cierran a las 5, ¿no?" a lo que me respondió el conductor "nel jefe, a las 4, y se van media hora antes"; quedé. Chequé y efectivamente cerraban a las 4. Entonces le dije que le iba a cambiar la ruta directo a donde me iba a vacunar, pero ya era muy tarde y quedaba para la dirección opuesta."Ni pedo, ahí déjame y pido otro viaje, no te apures", le dije y como siempre pues me deseó que se compusiera mi día; **afortunadamente** el banco sí estaba abierto para lo que tenía que hacer, así que fue un buen giro. Me puse muy feliz y asumí que sería un buen día, como me lo dijo mi conductor; **literalmente NO SABÍA**. - -Salí feliz de poder haber completado esa misión y poder irme a vacunar. Pedí otro Uber a donde tenía que ir y todo bien. Me tocó caminar mucho porque la entrada estaba en punta de la chingada de donde me dejó el conductor, pero no había rollo, era lo de menos. Me desanimé cuando vi que había una cantidad estúpida de gente, era una fila que abarcaba todo el estacionamiento y daba demasiadas vueltas; "ni pedo", dije, "si mucho me estaré aquí una hora, hora y media"... otra vez, **literalmente NO SABÍA**. - -Pasó media hora y había avanzado lo que parecía ser un cuarto de la fila, entonces todo iba bien. Pues nel, había avanzado el equivalente a un octavo de la fila, este pedo no iba a salir en una hora-hora y media. Para acabarla de chingar era todo bajo el tan amado sol de Chiwawa. "No hay pedo, me entretengo tirando chal con alguien en el wasap", pues no, aparentemente no cargué el celular y ya tenía 15-20% de batería... volví a quedar. - -Se me acabó la pila, ya había pasado una hora y parecía que la fila era infinita, simplemente avanzábamos demasiado lento, a pesar de que los que venían atrás de mí repetían una y otra vez "mira, avanza bien rápido, ya mero llegamos", ilusos. Duré aproximadamente 3 horas formado, aguantando conversaciones estúpidas a mi alrededor, gente quejándose por estar parada (yo también me estaba quejando pero dentro de mi cabeza), y por alguna razón iban familias completas de las cuales al final del día sólo uno o dos integrantes de la familia entraban a vacunarse. - -En fin que se acabó la tortura y ya tocaba irse al cantón, todo bien. "No hay pedo, no me tocó irme en Uber, aquí agarro un camíon" pensé. Pero no, ningún camión pasó durante la hora que estuve esperando y de los 5 taxis que intenté parar **NINGUNO** se detuvo. Decidí irme caminado, ya qué más daba, en ese punto ya nada más era hacer corajes *dioquis*. - -En el camino vi un Oxxo y decidí desviarme para comprar algo de tomar porque andaba bien deshidratado. En el mismo segundo que volteé para ir hacia el Oxxo pasó un camión volando y lo único que pensaba era que el conductor me decía "Jeje ni pedo:)". Exploté, me acabé, simplemente perdí, saqué el *bad ending*. - -Ya estaba harto y hasta iba a comprar un cargador para ya irme rápido, estaba cansado del día, simplemente ahí terminó la quest, había sacado el peor final. Lo bueno es que se me ocurrió pedirle al cajero un cargador y que me *tirara paro*. Todo bien, pedí mi Uber y llegué a mi casa sano y a salvo, pero con la peor rabia que me había dado en mucho tiempo. Simplemente ¿mi culo? explotado. Este día me tocó un desarrollo de personaje muy cabrón, se mamó el D\*\*\*\*\*o. - -Lo único rescatable fue que había una (más bien como 5) chica muy guapa en la fila, lástima que los *stats* de mi personaje me tienen bloqueadas las conversaciones con desconocidos. - -Y pues ya, este pex ya me sirvió para desahogarme, una disculpa por la redacción tan *pitera*. Sobres. diff --git a/blog/src/a/mail_server_with_postfix.md b/blog/src/a/mail_server_with_postfix.md deleted file mode 100644 index 63bf564..0000000 --- a/blog/src/a/mail_server_with_postfix.md +++ /dev/null @@ -1,517 +0,0 @@ -title: Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM -author: David Luévano -lang: en -summary: How to create mail server using Postfix, Dovecot, SpamAssassin and OpenDKIM. This is a follow up on post about creating a website with Nginx and Certbot. -tags: server - tools - tutorial - english - -The entry is going to be long because it's a *tedious* process. This is also based on [Luke Smith's script](https://github.com/LukeSmithxyz/emailwiz), but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I'm in the process of installing/configuring the mail server on a new VPS of mine; also I'm going to be writing a script that does everything in one go (for Arch Linux), that will be hosted [here](https://git.luevano.xyz/server_scripts.git). - -This configuration works for local users (users that appear in `/etc/passwd`), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges. - -## Prerequisites - -Basically the same as with the [website with Nginx and Certbot](https://blog.luevano.xyz/a/website_with_nginx.html), with the extras: - -- You will need a **CNAME** for "mail" and (optionally) "www.mail", or whatever you want to call the sub-domains (although the [RFC 2181](https://tools.ietf.org/html/rfc2181#section-10.3) states that it NEEDS to be an **A** record, fuck the police). -- An SSL certificate. You can use the SSL certificate obtained following my last post using `certbot` (just create a `mail.conf` and run `certbot --nginx` again). -- Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall. - -## Postfix - -[Postfix](https://wiki.archlinux.org/title/postfix) is a "mail transfer agent" which is the component of the mail server that receives and sends emails via SMTP. - -Install the `postfix` package: - -```sh -pacman -S postfix -``` - -We have two main files to configure (inside `/etc/postfix`): `master.cf` ([master(5)](https://man.archlinux.org/man/master.5)) and `main.cf` ([postconf(5)](https://man.archlinux.org/man/postconf.5)). We're going to edit `main.cf` first either by using the command `postconf -e 'setting'` or by editing the file itself (I prefer to edit the file). - -Note that the default file itself has a lot of comments with description on what each thing does (or you can look up the manual, linked above), I used what Luke's script did plus some other settings that worked for me. - -Now, first locate where your website cert is, mine is at the default location `/etc/letsencrypt/live/`, so my `certdir` is `/etc/letsencrypt/live/luevano.xyz`. Given this information, change `{yourcertdir}` on the corresponding lines. The configuration described below has to be appended in the `main.cf` configuration file. - -Certificates and ciphers to use for authentication and security: - -```apache -smtpd_tls_key_file = {yourcertdir}/privkey.pem -smtpd_tls_cert_file = {yourcertdir}/fullchain.pem -smtpd_use_tls = yes -smtpd_tls_auth_only = yes -smtp_tls_security_level = may -smtp_tls_loglevel = 1 -smtp_tls_CAfile = {yourcertdir}/cert.pem -smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -tls_preempt_cipherlist = yes -smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, - DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, - RSA+AES, eNULL - -smtp_tls_CApath = /etc/ssl/certs -smtpd_tls_CApath = /etc/ssl/certs - -smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_unauth_destination -``` - -Also, for the *connection* with `dovecot`, append the next few lines (telling postfix that `dovecot` will use user/password for authentication): - -```apache -smtpd_sasl_auth_enable = yes -smtpd_sasl_type = dovecot -smtpd_sasl_path = private/auth -smtpd_sasl_security_options = noanonymous, noplaintext -smtpd_sasl_tls_security_options = noanonymous -``` - -Specify the mailbox home (this is going to be a directory inside your user's home containing the actual mail files): - -```apache -home_mailbox = Mail/Inbox/ -``` - -Pre-configuration to work seamlessly with `dovecot` and `opendkim`: - -```apache -myhostname = {yourdomainname} -mydomain = localdomain -mydestination = $myhostname, localhost.$mydomain, localhost - -milter_default_action = accept -milter_protocol = 6 -smtpd_milters = inet:127.0.0.1:8891 -non_smtpd_milters = inet:127.0.0.1:8891 -mailbox_command = /usr/lib/dovecot/deliver -``` - -Where `{yourdomainname}` is `luevano.xyz` in my case, or if you have `localhost` configured to your domain, then use `localhost` for `myhostname` (`myhostname = localhost`). - -Lastly, if you don't want the sender's IP and user agent (application used to send the mail), add the following line: - -```apache -smtp_header_checks = regexp:/etc/postfix/smtp_header_checks -``` - -And create the `/etc/postfix/smtp_header_checks` file with the following content: - -```coffee -/^Received: .*/ IGNORE -/^User-Agent: .*/ IGNORE -``` - -That's it for `main.cf`, now we have to configure `master.cf`. This one is a bit more tricky. - -First look up lines (they're uncommented) `smtp inet n - n - - smtpd`, `smtp unix - - n - - smtp` and `-o syslog_name=postfix/$service_name` and either delete or uncomment them... or just run `sed -i "/^\s*-o/d;/^\s*submission/d;/\s*smtp/d" /etc/postfix/master.cf` as stated in Luke's script. - -Lastly, append the following lines to complete postfix setup and pre-configure for `spamassassin`. - -```txt -smtp unix - - n - - smtp -smtp inet n - y - - smtpd - -o content_filter=spamassassin -submission inet n - y - - smtpd - -o syslog_name=postfix/submission - -o smtpd_tls_security_level=encrypt - -o smtpd_sasl_auth_enable=yes - -o smtpd_tls_auth_only=yes -smtps inet n - y - - smtpd - -o syslog_name=postfix/smtps - -o smtpd_tls_wrappermode=yes - -o smtpd_sasl_auth_enable=yes -spamassassin unix - n n - - pipe - user=spamd argv=/usr/bin/vendor_perl/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient} -``` - -Now, I ran into some problems with postfix, one being [smtps: Servname not supported for ai_socktype](https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/), to fix it, as *Till* posted in that site, edit `/etc/services` and add: - -```apache -smtps 465/tcp -smtps 465/udp -``` - -Before starting the `postfix` service, you need to run `newaliases` first, but you can do a bit of configuration beforehand editing the file `/etc/postfix/aliases`. I only change the `root: you` line (where `you` is the account that will be receiving "root" mail). After you're done, run: - -```sh -postalias /etc/postfix/aliases -newaliases -``` - -At this point you're done configuring `postfix` and you can already start/enable the `postfix` service: - -```sh -systemctl start postfix.service -systemctl enable postfix.service -``` - -## Dovecot - -[Dovecot](https://wiki.archlinux.org/title/Dovecot) is an IMAP and POP3 server, which is what lets an email application retrieve the mail. - -Install the `dovecot` and `pigeonhole` (sieve for `dovecot`) packages: - -```sh -pacman -S dovecot pigeonhole -``` - -On arch, by default, there is no `/etc/dovecot` directory with default configurations set in place, but the package does provide the example configuration files. Create the `dovecot` directory under `/etc` and, optionally, copy the `dovecot.conf` file and `conf.d` directory under the just created `dovecot` directory: - -```sh -mkdir /etc/dovecot -cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf -cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot -``` - -As Luke stated, `dovecot` comes with a lot of "modules" (under `/etc/dovecot/conf.d/` if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole `dovecot.conf` file; although, I would like to check each of the separate configuration files `dovecot` provides I think the options Luke provides are more than good enough. - -I'm working with an empty `dovecot.conf` file. Add the following lines for SSL and login configuration (also replace `{yourcertdir}` with the same certificate directory described in the Postfix section above, note that the `<` is required): - -```apache -ssl = required -ssl_cert = <{yourcertdir}/fullchain.pem -ssl_key = <{yourcertdir}/privkey.pem -ssl_min_protocol = TLSv1.2 -ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH -ssl_prefer_server_ciphers = yes -ssl_dh = virtual IP address -# associations in this file. -ifconfig-pool-persist ipp.txt - -# Push routes to the client to allow it -# to reach other private subnets behind -# the server. -;push "route 192.168.10.0 255.255.255.0" -;push "route 192.168.20.0 255.255.255.0" - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -push "redirect-gateway def1 bypass-dhcp" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. -# Google DNS. -;push "dhcp-option DNS 8.8.8.8" -;push "dhcp-option DNS 8.8.4.4" - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -keepalive 10 120 - -# The maximum number of concurrently connected -# clients we want to allow. -max-clients 5 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -user nobody -group nobody - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. -persist-key -persist-tun - -# Output a short status file showing -# current connections, truncated -# and rewritten every minute. -status openvpn-status.log - -# Set the appropriate level of log -# file verbosity. -# -# 0 is silent, except for fatal errors -# 4 is reasonable for general usage -# 5 and 6 can help to debug connection problems -# 9 is extremely verbose -verb 3 - -# Notify the client that when the server restarts so it -# can automatically reconnect. -# Only usable with udp. -explicit-exit-notify 1 -``` - -`#` and `;` are comments. Read each and every line, you might want to change some stuff (like the logging), specially the first line which is your server public IP. - -Now, we need to enable *packet forwarding* (so we can access the web while connected to the VPN), which can be enabled on the interface level or globally (you can check the different options with `sysctl -a | grep forward`). I'll do it globally, run: - -```sh -sysctl net.ipv4.ip_forward=1 -``` - -And create/edit the file `/etc/sysctl.d/30-ipforward.conf`: - -``` -net.ipv4.ip_forward=1 -``` - -Now we need to configure `ufw` to forward traffic through the VPN. Append the following to `/etc/default/ufw` (or edit the existing line): - -``` -... -DEFAULT_FORWARD_POLICY="ACCEPT" -... -``` - -And change the `/etc/ufw/before.rules`, appending the following lines after the header **but before the \*filter line**: - -``` -... -# NAT (Network Address Translation) table rules -*nat -:POSTROUTING ACCEPT [0:0] - -# Allow traffic from clients to the interface --A POSTROUTING -s 10.8.0.0/24 -o interface -j MASQUERADE - -# do not delete the "COMMIT" line or the NAT table rules above will not be processed -COMMIT - -# Don't delete these required lines, otherwise there will be errors -*filter -... -``` - -Where `interface` must be changed depending on your system (in my case it's `ens3`, another common one is `eth0`); I always check this by running `ip addr` which gives you a list of interfaces (the one containing your server public IP is the one you want, or whatever interface your server uses to connect to the internet): - -``` -... -2: ens3: bla bla - link/ether bla:bla - altname enp0s3 - inet my.public.ip.addr bla bla -... -``` - -And also make sure the `10.8.0.0/24` matches the subnet mask specified in the `server.conf` file (in this example it matches). You should check this very carefully, because I just spent a good 2 hours debugging why my configuration wasn't working, and this was te reason (I could connect to the VPN, but had no external connection to the web). - -Finally, allow the OpenVPN port you specified (in this example its `1194/udp`) and reload `ufw`: - -```sh -ufw allow 1194/udp comment "OpenVPN" -ufw reload -``` - -At this point, the server-side configuration is done and you can start and enable the service: - -```sh -systemctl start openvpn-server@server.service -systemctl enable openvpn-server@server.service -``` - -Where the `server` after `@` is the name of your configuration, `server.conf` without the `.conf` in my case. - -### Create client configurations - -You might notice that I didn't specify how to actually connect to our server. For that we need to do a few more steps. We actually need a configuration file similar to the `server.conf` file that we created. - -The real way of doing this would be to run similar steps as the ones with `easy-rsa` locally, send them to the server, sign them, and retrieve them. Nah, we'll just create all configuration files on the server as I was mentioning earlier. - -Also, the client configuration file has to match the server one (to some degree), to make this easier you can create a `client-common` file in `/etc/openvpn/server` with the following content: - -``` -client -dev tun -remote 1.2.3.4 1194 udp # change this to match your ip and port -resolv-retry infinite -nobind -persist-key -persist-tun -remote-cert-tls server -auth SHA512 -verb 3 -``` - -Where you should make any changes necessary, depending on your configuration. - -Now, we need a way to create and revoke new configuration files. For this I created a script, heavily based on one of the links I mentioned at the beginning, by the way. You can place these scripts anywhere you like, and you should take a look before running them because you'll be running them as root. - -In a nutshell, what it does is: generate a new client certificate keypair, update the CRL and create a new `.ovpn` configuration file that consists on the `client-common` data and all of the required certificates; or, revoke an existing client and refresh the CRL. The file is placed under `~/ovpn`. - -Create a new file with the following content (name it whatever you like) and don't forget to make it executable (`chmod +x vpn_script`): - -``` -#!/bin/sh -# Client ovpn configuration creation and revoking. -MODE=$1 -if [ ! "$MODE" = "new" -a ! "$MODE" = "rev" ]; then - echo "$1 is not a valid mode, using default 'new'" - MODE=new -fi - -CLIENT=${2:-guest} -if [ -z $2 ];then - echo "there was no client name passed as second argument, using 'guest' as default" -fi - -# Expiration config. -EASYRSA_CERT_EXPIRE=3650 -EASYRSA_CRL_DAYS=3650 - -# Current PWD. -CPWD=$PWD -cd /etc/easy-rsa/ - -if [ "$MODE" = "rev" ]; then - easyrsa --batch revoke $CLIENT - - echo "$CLIENT revoked." -elif [ "$MODE" = "new" ]; then - easyrsa build-client-full $CLIENT nopass - - # This is what actually generates the config file. - { - cat /etc/openvpn/server/client-common - echo "" - cat /etc/easy-rsa/pki/ca.crt - echo "" - echo "" - sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/easy-rsa/pki/issued/$CLIENT.crt - echo "" - echo "" - cat /etc/easy-rsa/pki/private/$CLIENT.key - echo "" - echo "" - sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key - echo "" - } > "$(eval echo ~${SUDO_USER:-$USER}/ovpn/$CLIENT.ovpn)" - - eval echo "~${SUDO_USER:-$USER}/ovpn/$CLIENT.ovpn file generated." -fi - -# Finish up, re-generates the crl -easyrsa gen-crl -chown nobody:nobody pki/crl.pem -chmod o+r pki/crl.pem -cd $CPWD -``` - -And the way to use is to run `vpn_script new/rev client_name` as sudo (when revoking, it doesn't actually deletes the `.ovpn` file in `~/ovpn`). Again, this is a little script that I put together, so you should check it out, it may need tweaks (depending on your directory structure for `easy-rsa`) and it could have errors. - -Now, just get the `.ovpn` file generated, import it to OpenVPN in your client of preference and you should have a working VPN service. diff --git a/blog/src/a/website_with_nginx.md b/blog/src/a/website_with_nginx.md deleted file mode 100644 index 7e4624a..0000000 --- a/blog/src/a/website_with_nginx.md +++ /dev/null @@ -1,166 +0,0 @@ -title: Create a website with Nginx and Certbot -author: David Luévano -lang: en -summary: How to create website that runs on Nginx and uses Certbot for SSL certificates. This is a base for future blog posts about similar topics. -tags: server - tools - tutorial - english - -These are general notes on how to setup a Nginx web server plus Certbot for SSL certificates, initially learned from [Luke's video](https://www.youtube.com/watch?v=OWAqilIVNgE) and after some use and research I added more stuff to the mix. And, actually at the time of writing this entry, I'm configuring the web server again on a new VPS instance, so this is going to be fresh. - -As a side note, (((i use arch btw))) so everything here es aimed at an Arch Linux distro, and I'm doing everything on a VPS. Also note that most if not all commands here are executed with root privileges. - -## Prerequisites - -You will need two things: - -- A domain name (duh!). I got mine on [Epik](https://www.epik.com/?affid=da5ne9ru4) (affiliate link, btw). - - With the corresponding **A** and **AAA** records pointing to the VPS' IPs ("A" record points to the ipv4 address and "AAA" to the ipv6, basically). I have three records for each type: empty one, "www" and "\*" for a wildcard, that way "domain.name", "www.domain.name", "anythingelse.domain.name" point to the same VPS (meaning that you can have several VPS for different sub-domains). -- A VPS or somewhere else to host it. I'm using [Vultr](https://www.vultr.com/?ref=8732849) (also an affiliate link). - - With `ssh` already configured both on the local machine and on the remote machine. - - Firewall already configured to allow ports 80 (HTTP) and 443 (HTTPS). I use `ufw` so it's just a matter of doing `ufw allow 80,443/tcp` as root and you're golden. - - `cron` installed if you follow along (you could use `systemd` timers, or some other method you prefer to automate running commands every X time). - -## Nginx - -[Nginx](https://wiki.archlinux.org/title/Nginx) is a web (HTTP) server and reverse proxy server. - -You have two options: `nginx` and `nginx-mainline`. I prefer `nginx-mainline` because it's the "up to date" package even though `nginx` is labeled to be the "stable" version. Install the package and enable/start the service: - -```sh -pacman -S nginx-mainline -systemctl enable nginx.service -systemctl start nginx.service -``` - -And that's it, at this point you can already look at the default initial page of Nginx if you enter the IP of your server in a web browser. You should see something like this: - -![Nginx welcome page](images/b/notes/nginx/nginx_welcome_page.png "Nginx welcome page") - -As stated in the welcome page, configuration is needed, head to the directory of Nginx: - -```sh -cd /etc/nginx -``` - -Here you have several files, the important one is `nginx.conf`, which as its name implies, contains general configuration of the web server. If you peek into the file, you will see that it contains around 120 lines, most of which are commented out and contains the welcome page server block. While you can configure a website in this file, it's common practice to do it on a separate file (so you can scale really easily if needed for mor websites or sub-domains). - -Inside the `nginx.conf` file, delete the `server` blocks and add the lines `include sites-enabled/*;` (to look into individual server configuration files) and `types_hash_max_size 4096;` (to get rid of an ugly warning that will keep appearing) somewhere inside the `http` block. The final `nginx.conf` file would look something like (ignoring the comments just for clarity, but you can keep them as side notes): - -```nginx -worker_processes 1; - -events { - worker_connections 1024; -} - -http { - include sites-enabled/*; - include mime.types; - default_type application/octet-stream; - - sendfile on; - - keepalive_timeout 65; - - types_hash_max_size 4096; -} -``` - -Next, inside the directory `/etc/nginx/` create the `sites-available` and `sites-enabled` directories, and go into the `sites-available` one: - -```sh -mkdir sites-available -mkdir sites-enabled -cd sites-available -``` - -Here, create a new `.conf` file for your website and add the following lines (this is just the sample content more or less): - -```nginx -server { - listen 80; - listen [::]:80; - - root /path/to/root/directory; - server_name domain.name another.domain.name; - index index.html anotherindex.otherextension; - - location /{ - try_files $uri $uri/ =404; - } -} -``` - -That could serve as a template if you intend to add more domains. - -Note some things: - -- `listen`: we're telling Nginx which port to listen to (IPv4 and IPv6, respectively). -- `root`: the root directory of where the website files (`.html`, `.css`, `.js`, etc. files) are located. I followed Luke's directory path `/var/www/some_folder`. -- `server_name`: the actual domain to "listen" to (for my website it is: `server_name luevano.xyz www.luevano.xyz;` and for this blog is: `server_name blog.luevano.xyz www.blog.luevano.xyz;`). -- `index`: what file to serve as the index (could be any `.html`, `.htm`, `.php`, etc. file) when just entering the website. -- `location`: what goes after `domain.name`, used in case of different configurations depending on the URL paths (deny access on `/private`, make a proxy on `/proxy`, etc). - - `try_files`: tells what files to look for. - -Then, make a symbolic link from this configuration file to the `sites-enabled` directory: - -```sh -ln -s /etc/nginx/sites-available/your_config_file.conf /etc/nginx/sites-enabled -``` - -This is so the `nginx.conf` file can look up the newly created server configuration. With this method of having each server configuration file separate you can easily "deactivate" any website by just deleting the symbolic link in `sites-enabled` and you're good, or just add new configuration files and keep everything nice and tidy. - -All you have to do now is restart (or enable and start if you haven't already) the Nginx service (and optionally test the configuration): - -```sh -nginx -t -systemctl restart nginx -``` - -If everything goes correctly, you can now go to your website by typing `domain.name` on a web browser. But you will see a "404 Not Found" page like the following (maybe with different Nginx version): - -![Nginx 404 Not Found page](images/b/notes/nginx/nginx_404_page.png "Nginx 404 Not Found page") - -That's no problem, because it means that the web server it's actually working. Just add an `index.html` file with something simple to see it in action (in the `/var/www/some_folder` that you decided upon). If you keep seeing the 404 page make sure your `root` line is correct and that the directory/index file exists. - -I like to remove the `.html` and trailing `/` on the URLs of my website, for that you need to add the following `rewrite` lines and modify the `try_files` line (for more: [Sean C. Davis: Remove HTML Extension And Trailing Slash In Nginx Config](https://www.seancdavis.com/blog/remove-html-extension-and-trailing-slash-in-nginx-config/)): - -```nginx -server { - ... - rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent; - rewrite ^/(.*)/$ /$1 permanent; - ... - try_files $uri/index.html $uri.html $uri/ $uri =404; - ... -``` - -## Certbot - -[Certbot](https://wiki.archlinux.org/title/Certbot) is what provides the SSL certificates via [Let's Encrypt](https://letsencrypt.org/). - -The only "bad" (bloated) thing about Certbot, is that it uses `python`, but for me it doesn't matter too much. You may want to look up another alternative if you prefer. Install the packages `certbot` and `certbot-nginx`: - -```sh -pacman -S certbot certbot-nginx -``` - -After that, all you have to do now is run `certbot` and follow the instructions given by the tool: - -```sh -certbot --nginx -``` - -It will ask you for some information, for you to accept some agreements and the names to activate HTTPS for. Also, you will want to "say yes" to the redirection from HTTP to HTTPS. And that's it, you can now go to your website and see that you have HTTPS active. - -Now, the certificate given by `certbot` expires every 3 months or something like that, so you want to renew this certificate every once in a while. Using `cron`, you can do this by running: - -```sh -crontab -e -``` - -And a file will be opened where you need to add a new rule for Certbot, just append the line: `1 1 1 * * certbot renew` (renew on the first day of every month) and you're good. Alternatively use `systemd` timers as stated in the [Arch Linux Wiki](https://wiki.archlinux.org/title/Certbot#Automatic_renewal). - -That's it, you now have a website with SSL certificate. diff --git a/blog/src/a/xmpp_server_with_prosody.md b/blog/src/a/xmpp_server_with_prosody.md deleted file mode 100644 index e3e33b5..0000000 --- a/blog/src/a/xmpp_server_with_prosody.md +++ /dev/null @@ -1,579 +0,0 @@ -title: Create an XMPP server with Prosody compatible with Conversations and Movim -author: David Luévano -lang: en -summary: How to create an XMPP server using Prosody on a server running Nginx. This server will be compatible with at least Conversations and Movim. -tags: server - tools - tutorial - english - -Recently I set up an XMPP server (and a Matrix one, too) for my personal use and for friends if they want one; made one for ???[EL ELE EME](https://lmcj.xyz)???, for example. So, here are the notes on how I set up the server that is compatible with the [Conversations](https://conversations.im/) app and the [Movim](https://movim.eu/) social network. You can see my addresses in [contact](https://luevano.xyz/contact.html) and the XMPP compliance/score of the server. - -One of the best resources I found that helped me a lot was [Installing and Configuring Prosody XMPP Server on Debian 9](https://community.hetzner.com/tutorials/prosody-debian9), and of course the [Arch Wiki](https://wiki.archlinux.org/title/Prosody) and the [oficial documentation](https://prosody.im/). - -As with my other entries, this is under a server running Arch Linux, with the Nginx web server and Certbot certificates. And all commands here are executed as root (unless specified otherwise) - -## Prerequisites - -Same as with my other entries ([website](https://luevano.xyz/a/website_with_nginx.html), [mail](https://blog.luevano.xyz/a/mail_server_with_postfix.html) and [git](https://blog.luevano.xyz/a/git_server_with_cgit.html)) plus: - -- **A** and (optionally) **AAA** DNS records for: - - `xmpp`: the actual XMPP server and the file upload service. - - `muc` (or `conference`): for multi-user chats. - - `pubsub`: the publish-subscribe service. - - `proxy`: a proxy in case one of the users needs it. - - `vjud`: user directory. -- (Optionally, but recommended) the following **SRV** DNS records; make sure it is pointing to an **A** or **AAA** record (matching the records from the last point, for example): - - `_xmpp-client._tcp.**your.domain**.` for port `5222` pointing to `xmpp.**your.domain**.` - - `_xmpp-server._tcp.**your.domain**.` for port `5269` pointing to `xmpp.**your.domain**.` - - `_xmpp-server._tcp.muc.**your.domain**.` for port `5269` pointing to `xmpp.**your.domain**.` -* SSL certificates for the previous subdomains; similar that with my other entries just create the appropriate `prosody.conf` (where `server_name` will be all the subdomains defined above) file and run `certbot --nginx`. You can find the example configuration file almost at the end of this entry. -- Email addresses for `admin`, `abuse`, `contact`, `security`, etc. Or use your own email for all of them, doesn't really matter much as long as you define them in the configuration and are valid, I have aliases so those emails are forwarded to me. -- Allow ports `5000`, `5222`, `5269`, `5280` and `5281` for [Prosody](https://prosody.im/doc/ports) and, `3478` and `5349` for [Turnserver](https://webrtc.org/getting-started/turn-server) which are the defaults for `coturn`. - -## Prosody - -[Prosody](https://wiki.archlinux.org/title/Prosody) is an implementation of the XMPP protocol that is flexible and extensible. - -Install the `prosody` package (with optional dependencies) and the `mercurial` package: - -```sh -pacman -S prosody, mercurial, lua52-sec, lua52-dbi, lua52-zlib -``` - -We need mercurial to be able to download and update the extra modules needed to make the server compliant with `conversations.im` and `mov.im`. Go to `/var/lib/prosody`, clone the latest Prosody modules repository and prepare the directories: - -```sh -cd /var/lib/prosody -hg clone https://hg.prosody.im/prosody-modules modules-available -mkdir modules-enabled -``` - -You can see that I follow a similar approach that I used with Nginx and the server configuration, where I have all the modules available in a directory, and make a symlink to another to keep track of what is being used. You can update the repository by running `hg pull --update` while inside the `modules-available` directory (similar to Git). - -Make symbolic links to the following modules: - -``` -ln -s /var/lib/prosody/modules-available/MODULE_NAME /var/lib/prosody/modules-enabled/ -... -``` - -- Modules: - - `mod_bookmarks` - - `mod_cache_c2s_caps` - - `mod_checkcerts` - - `mod_cloud_notify` - - `mod_csi_battery_saver` - - `mod_default_bookmarks` - - `mod_external_services` - - `mod_http_avatar` - - `mod_http_pep_avatar` - - `mod_http_upload` - - `mod_http_upload_external` - - `mod_idlecompat` - - `mod_muc_limits` - - `mod_muc_mam_hints` - - `mod_muc_mention_notifications` - - `mod_presence_cache` - - `mod_pubsub_feeds` - - `mod_pubsub_text_interface` - - `mod_smacks` - - `mod_strict_https` - - `mod_vcard_muc` - - `mod_vjud` - - `mod_watchuntrusted` - -And add other modules if needed, but these work for the apps that I mentioned. You should also change the permissions for these files: - -```sh -chown -R prosody:prosody /var/lib/prosody -``` - -Now, configure the server by editing the `/etc/prosody/prosody.cfg.lua` file. It's a bit tricky to configure, so here is my configuration file (lines starting with `--` are comments). Make sure to change according to your domain, and maybe preferences. Read each line and each comment to know what's going on, It's easier to explain it with comments in the file itself than strip it in a lot of pieces. - -And also, note that the configuration file has a "global" section and a per "virtual server"/"component" section, basically everything above all the VirtualServer/Component sections are global, and bellow each VirtualServer/Component, corresponds to that section. - -``` --- important for systemd -daemonize = true -pidfile = "/run/prosody/prosody.pid" - --- or your account, not that this is an xmpp jid, not email -admins = { "admin@your.domain" } - -contact_info = { - abuse = { "mailto:abuse@your.domain", "xmpp:abuse@your.domain" }; - admin = { "mailto:admin@your.domain", "xmpp:admin@your.domain" }; - admin = { "mailto:feedback@your.domain", "xmpp:feedback@your.domain" }; - security = { "mailto:security@your.domain" }; - support = { "mailto:support@your.domain", "xmpp:support@muc.your.domain" }; -} - --- so prosody look up the plugins we added -plugin_paths = { "/var/lib/prosody/modules-enabled" } - -modules_enabled = { - -- Generally required - "roster"; -- Allow users to have a roster. Recommended ;) - "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. - "tls"; -- Add support for secure TLS on c2s/s2s connections - "dialback"; -- s2s dialback support - "disco"; -- Service discovery - -- Not essential, but recommended - "carbons"; -- Keep multiple clients in sync - "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more - "private"; -- Private XML storage (for room bookmarks, etc.) - "blocklist"; -- Allow users to block communications with other users - "vcard4"; -- User profiles (stored in PEP) - "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard - "limits"; -- Enable bandwidth limiting for XMPP connections - -- Nice to have - "version"; -- Replies to server version requests - "uptime"; -- Report how long server has been running - "time"; -- Let others know the time here on this server - "ping"; -- Replies to XMPP pings with pongs - "register"; -- Allow users to register on this server using a client and change passwords - "mam"; -- Store messages in an archive and allow users to access it - "csi_simple"; -- Simple Mobile optimizations - -- Admin interfaces - "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands - --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 - -- HTTP modules - "http"; -- Explicitly enable http server. - "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" - "websocket"; -- XMPP over WebSockets - "http_files"; -- Serve static files from a directory over HTTP - -- Other specific functionality - "groups"; -- Shared roster support - "server_contact_info"; -- Publish contact information for this service - "announce"; -- Send announcement to all online users - "welcome"; -- Welcome users who register accounts - "watchregistrations"; -- Alert admins of registrations - "motd"; -- Send a message to users when they log in - --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. - --"s2s_bidi"; -- not yet implemented, have to wait for v0.12 - "bookmarks"; - "checkcerts"; - "cloud_notify"; - "csi_battery_saver"; - "default_bookmarks"; - "http_avatar"; - "idlecompat"; - "presence_cache"; - "smacks"; - "strict_https"; - --"pep_vcard_avatar"; -- not compatible with this version of pep, wait for v0.12 - "watchuntrusted"; - "webpresence"; - "external_services"; - } - --- only if you want to disable some modules -modules_disabled = { - -- "offline"; -- Store offline messages - -- "c2s"; -- Handle client connections - -- "s2s"; -- Handle server-to-server connections - -- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. -} - -external_services = { - { - type = "stun", - transport = "udp", - host = "proxy.your.domain", - port = 3478 - }, { - type = "turn", - transport = "udp", - host = "proxy.your.domain", - port = 3478, - -- you could decide this now or come back later when you install coturn - secret = "YOUR SUPER SECRET TURN PASSWORD" - } -} - ---- general global configuration -http_ports = { 5280 } -http_interfaces = { "*", "::" } - -https_ports = { 5281 } -https_interfaces = { "*", "::" } - -proxy65_ports = { 5000 } -proxy65_interfaces = { "*", "::" } - -http_default_host = "xmpp.your.domain" -http_external_url = "https://xmpp.your.domain/" --- or if you want to have it somewhere else, change this -https_certificate = "/etc/prosody/certs/xmpp.your.domain.crt" - -hsts_header = "max-age=31556952" - -cross_domain_bosh = true ---consider_bosh_secure = true -cross_domain_websocket = true ---consider_websocket_secure = true - -trusted_proxies = { "127.0.0.1", "::1", "192.169.1.1" } - -pep_max_items = 10000 - --- this is disabled by default, and I keep it like this, depends on you ---allow_registration = true - --- you might want this options as they are -c2s_require_encryption = true -s2s_require_encryption = true -s2s_secure_auth = false ---s2s_insecure_domains = { "insecure.example" } ---s2s_secure_domains = { "jabber.org" } - --- where the certificates are stored (/etc/prosody/certs by default) -certificates = "certs" -checkcerts_notify = 7 -- ( in days ) - --- rate limits on connections to the server, these are my personal settings, because by default they were limited to something like 30kb/s -limits = { - c2s = { - rate = "2000kb/s"; - }; - s2sin = { - rate = "5000kb/s"; - }; - s2sout = { - rate = "5000kb/s"; - }; -} - --- again, this could be yourself, it is a jid -unlimited_jids = { "admin@your.domain" } - -authentication = "internal_hashed" - --- if you don't want to use sql, change it to internal and comment the second line --- since this is optional, i won't describe how to setup mysql or setup the user/database, that would be out of the scope for this entry -storage = "sql" -sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "PROSODY USER SECRET PASSWORD", host = "localhost" } - -archive_expires_after = "4w" -- configure message archive -max_archive_query_results = 20; -mam_smart_enable = true -default_archive_policy = "roster" -- archive only messages from users who are in your roster - --- normally you would like at least one log file of certain level, but I keep all of them, the default is only the info = "*syslog" one -log = { - info = "*syslog"; - warn = "prosody.warn"; - error = "prosody.err"; - debug = "prosody.debug"; - -- "*console"; -- Needs daemonize=false -} - --- cloud_notify -push_notification_with_body = false -- Whether or not to send the message body to remote pubsub node -push_notification_with_sender = false -- Whether or not to send the message sender to remote pubsub node -push_max_errors = 5 -- persistent push errors are tolerated before notifications for the identifier in question are disabled -push_max_devices = 5 -- number of allowed devices per user - --- by default every user on this server will join these muc rooms -default_bookmarks = { - { jid = "room@muc.your.domain", name = "The Room" }; - { jid = "support@muc.your.domain", name = "Support Room" }; -} - --- could be your jid -untrusted_fail_watchers = { "admin@your.domain" } -untrusted_fail_notification = "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha1. $errors" - ------------ Virtual hosts ----------- -VirtualHost "your.domain" - name = "Prosody" - http_host = "xmpp.your.domain" - -disco_items = { - { "your.domain", "Prosody" }; - { "muc.your.domain", "MUC Service" }; - { "pubsub.your.domain", "Pubsub Service" }; - { "proxy.your.domain", "SOCKS5 Bytestreams Service" }; - { "vjud.your.domain", "User Directory" }; -} - - --- Multi-user chat -Component "muc.your.domain" "muc" - name = "MUC Service" - modules_enabled = { - --"bob"; -- not compatible with this version of Prosody - "muc_limits"; - "muc_mam"; -- message archive in muc, again, a placeholder - "muc_mam_hints"; - "muc_mention_notifications"; - "vcard_muc"; - } - - restrict_room_creation = false - - muc_log_by_default = true - muc_log_presences = false - log_all_rooms = false - muc_log_expires_after = "1w" - muc_log_cleanup_interval = 4 * 60 * 60 - - --- Upload -Component "xmpp.your.domain" "http_upload" - name = "Upload Service" - http_host= "xmpp.your.domain" - -- you might want to change this, these are numbers in bytes, so 10MB and 100MB respectively - http_upload_file_size_limit = 1024*1024*10 - http_upload_quota = 1024*1024*100 - - --- Pubsub -Component "pubsub.your.domain" "pubsub" - name = "Pubsub Service" - pubsub_max_items = 10000 - modules_enabled = { - "pubsub_feeds"; - "pubsub_text_interface"; - } - - -- personally i don't have any feeds configured - feeds = { - -- The part before = is used as PubSub node - --planet_jabber = "http://planet.jabber.org/atom.xml"; - --prosody_blog = "http://blog.prosody.im/feed/atom.xml"; - } - - --- Proxy -Component "proxy.your.domain" "proxy65" - name = "SOCKS5 Bytestreams Service" - proxy65_address = "proxy.your.domain" - - --- Vjud, user directory -Component "vjud.your.domain" "vjud" - name = "User Directory" - vjud_mode = "opt-in" -``` - -You ???HAVE??? to read all of the configuration file, because there are a lot of things that you need to change to make it work with your server/domain. Test the configuration file with: - -```sh -luac5.2 -p /etc/prosody/prosody.cfg.lua -``` - -Notice that by default `prosody` will look up certificates that look like `sub.your.domain`, but if you get the certificates like I do, you'll have a single certificate for all subdomains, and by default it is in `/etc/letsencrypt/live`, which has some strict permissions. So, to import it you can run: - -```sh -prosodyctl --root cert import /etc/letsencrypt/live -``` - -Ignore the complaining about not finding the subdomain certificates and note that you will have to run that command on each certificate renewal, to automate this, add the `--deploy-hook` flag to your automated Certbot renewal system; for me it's a `systemd` timer with the following `certbot.service`: - -```ini -[Unit] -Description=Let's Encrypt renewal - -[Service] -Type=oneshot -ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "systemctl reload nginx.service && prosodyctl --root cert import /etc/letsencrypt/live" -``` - -And if you don't have it already, the `certbot.timer`: - -```ini -[Unit] -Description=Twice daily renewal of Let's Encrypt's certificates - -[Timer] -OnCalendar=0/12:00:00 -RandomizedDelaySec=1h -Persistent=true - -[Install] -WantedBy=timers.target -``` - -Also, go to the `certs` directory and make the appropriate symbolic links: - -```sh -cd /etc/prosody/certs -ln -s your.domain.crt SUBDOMAIN.your.domain.crt -ln -s your.domain.key SUBDOMAIN.your.domain.key -... -``` - -That's basically all the configuration that needs Prosody itself, but we still have to configure Nginx and Coturn before starting/enabling the `prosody` service. - -## Nginx configuration file - -Since this is not an ordinary configuration file I'm going to describe this too. Your `prosody.conf` file should have the following location blocks under the main server block (the one that listens to HTTPS): - -```nginx -# HTTPS server block -server { - root /var/www/prosody/; - server_name xmpp.luevano.xyz muc.luevano.xyz pubsub.luevano.xyz vjud.luevano.xyz proxy.luevano.xyz; - index index.html; - - # for extra https discovery (XEP-0256) - location /.well-known/acme-challenge { - allow all; - } - - # bosh specific - location /http-bind { - proxy_pass https://localhost:5281/http-bind; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - tcp_nodelay on; - } - - # websocket specific - location /xmpp-websocket { - proxy_pass https://localhost:5281/xmpp-websocket; - - proxy_http_version 1.1; - proxy_set_header Connection "Upgrade"; - proxy_set_header Upgrade $http_upgrade; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 900s; - } - - # general proxy - location / { - proxy_pass https://localhost:5281; - - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - } - ... - # Certbot stuff -} -# HTTP server block (the one that certbot creates) -server { - ... -} -``` - -Also, you need to add the following to your actual `your.domain` (this cannot be a subdomain) configuration file: - -```nginx -server { - ... - location /.well-known/host-meta { - default_type 'application/xrd+xml'; - add_header Access-Control-Allow-Origin '*' always; - } - - location /.well-known/host-meta.json { - default_type 'application/jrd+json'; - add_header Access-Control-Allow-Origin '*' always; - } - ... -} -``` - -And you will need the following `host-meta` and `host-meta.json` files inside the `.well-known/acme-challenge` directory for `your.domain` (following my nomenclature: `/var/www/yourdomaindir/.well-known/acme-challenge/`). - -For `host-meta` file: - -```xml - - - - - -``` - -And `host-meta.json` file: - -```json -{ - "links": [ - { - "rel": "urn:xmpp:alt-connections:xbosh", - "href": "https://xmpp.your.domain:5281/http-bind" - }, - { - "rel": "urn:xmpp:alt-connections:websocket", - "href": "wss://xmpp.your.domain:5281/xmpp-websocket" - } - ] -} -``` - -Remember to have your `prosody.conf` file symlinked (or discoverable by Nginx) to the `sites-enabled` directory. You can now restart your `nginx` service (and test the configuration, optionally): - -```sh -nginx -t -systemctl restart nginx.service -``` - -## Coturn - -[Coturn](https://github.com/coturn/coturn) is the implementation of TURN and STUN server, which in general is for (at least in the XMPP world) voice support and external service discovery. - -Install the `coturn` package: - -```sh -pacman -S coturn -``` - -You can modify the configuration file (located at `/etc/turnserver/turnserver.conf`) as desired, but at least you need to make the following changes (uncomment or edit): - -```ini -use-auth-secret -realm=proxy.your.domain -static-auth-secret=YOUR SUPER SECRET TURN PASSWORD -``` - -I'm sure there is more configuration to be made, like using SQL to store data and whatnot, but for now this is enough for me. Note that you may not have some functionality that's needed to create dynamic users to use the TURN server, and to be honest I haven't tested this since I don't use this feature in my XMPP clients, but if it doesn't work, or you know of an error or missing configuration don't hesitate to [contact me](https://luevano.xyz/contact.html). - -Start/enable the `turnserver` service: - -```sh -systemctl start turnserver.service -systemctl enable turnserver.service -``` - -You can test if your TURN server works at [Trickle ICE](https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/). You may need to add a user in the `turnserver.conf` to test this. - -## Wrapping up - -At this point you should have a working XMPP server, start/enable the `prosody` service now: - -```sh -systemctl start prosody.service -systemctl enable prosody.service -``` - -And you can add your first user with the `prosodyctl` command (it will prompt you to add a password): - -```sh -prosodyctl adduser user@your.domain -``` - -You may want to add a `compliance` user, so you can check if your server is set up correctly. To do so, go to [XMPP Compliance Tester](https://compliance.conversations.im/add/) and enter the `compliance` user credentials. It should have similar compliance score to mine: - - - -Additionally, you can test the security of your server in [IM Observatory](https://xmpp.net/index.php), here you only need to specify your `domain.name` (not `xmpp.domain.name`, if you set up the **SRV** DNS records correctly). Again, it should have a similar score to mine: - -xmpp.net score - -You can now log in into your XMPP client of choice, if it asks for the server it should be `xmpp.your.domain` (or `your.domain` for some clients) and your login credentials `you@your.domain` and the password you chose (which you can change in most clients). - -That's it, send me a message david@luevano.xyz if you were able to set up the server successfully. -- cgit v1.2.3-70-g09d2