1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
|
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0"
xml:base="https://static.luevano.xyz"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>Luévano's Blog</title>
<link>https://blog.luevano.xyz</link>
<atom:link href="https://blog.luevano.xyz/rss.xml" rel="self" type="application/rss+xml"/>
<description>A personal weblog ranging from rants to how to's and other thoughts.</description>
<language>en-us</language>
<category>Blog</category>
<copyright>Copyright 2021 David Luévano Alvarado</copyright>
<managingEditor>david@luevano.xyz (David Luévano Alvarado)</managingEditor>
<webMaster>david@luevano.xyz (David Luévano Alvarado)</webMaster>
<pubDate>Tue, 08 Jun 2021 06:57:28 GMT</pubDate>
<lastBuildDate>Tue, 08 Jun 2021 06:57:28 GMT</lastBuildDate>
<generator>pyssg v0.5.9</generator>
<docs>https://validator.w3.org/feed/docs/rss2.html</docs>
<ttl>30</ttl>
<image>
<url>https://static.luevano.xyz/images/blog.png</url>
<title>Luévano's Blog</title>
<link>https://blog.luevano.xyz</link>
</image>
<item>
<title>Al fin ya me acomodé la página pa' los dibujos</title>
<link>https://blog.luevano.xyz/a/acomodada_la_pagina_de_arte.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/acomodada_la_pagina_de_arte.html</guid>
<pubDate>Sun, 06 Jun 2021 19:06:09 GMT</pubDate>
<category>Short</category>
<category>Spanish</category>
<category>Update</category>
<description>Actualización en el estado de la página, en este caso sobre la existencia de una nueva página para los dibujos y arte en general.</description>
<content:encoded><![CDATA[<p>Así es, ya quedó acomodado el sub-dominio <code>art.luevano.xyz</code> pos pal <a href="https://art.luevano.xyz">arte</a> veda. Entonces pues ando feliz por eso.</p>
<p>Este pedo fue gracias a que me reescribí la forma en la que <code>pyssg</code> maneja los templates, ahora uso el sistema de <code>jinja</code> en vez del cochinero que hacía antes.</p>
<p>Y pues nada más eso, aquí está el <a href="https://art.luevano.xyz/a/elephant_octopus.html">primer post</a> y por supuesto acá está el link del RSS <a href="https://art.luevano.xyz/rss.xml">https://art.luevano.xyz/rss.xml</a>.</p>]]></content:encoded>
</item>
<item>
<title>Así nomás está quedando el página</title>
<link>https://blog.luevano.xyz/a/asi_nomas_esta_quedando.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/asi_nomas_esta_quedando.html</guid>
<pubDate>Fri, 04 Jun 2021 08:24:03 GMT</pubDate>
<category>Short</category>
<category>Spanish</category>
<category>Update</category>
<description>Actualización en el estado de la página, el servidor de XMPP y Matrix que me acomodé y próximas cosas que quiero hacer.</description>
<content:encoded><![CDATA[<p>Estuve acomodando un poco más el <em>sItIo</em>, al fin agregué la “sección” de <a href="https://luevano.xyz/contact.html">contact</a> y de <a href="https://luevano.xyz/donate.html">donate</a> por si hay algún loco que quiere tirar varo.</p>
<p>También me puse a acomodar un servidor de <a href="https://xmpp.org/">XMPP</a> el cual, en pocas palabras, es un protocolo de mensajería instantánea (y más) descentralizado, por lo cual cada quien puede hacer una cuenta en el servidor que quiera y conectarse con cuentas creadas en otro servidor… exacto, como con los correos electrónicos. Y esto está perro porque si tú tienes tu propio server, así como con uno de correo electrónico, puedes controlar qué características tiene, quiénes pueden hacer cuenta, si hay <em>end-to-end encryption</em> (o mínimo <em>end-to-server</em>), entre un montón de otras cosas.</p>
<p>Ahorita este server es SUMISO (<em>compliant</em> en español, jeje) para jalar con la app <a href="https://conversations.im/">conversations</a> y con la red social <a href="https://movim.eu/">movim</a>, pero realmente funcionaría con casi cualquier cliente de XMPP, amenos que ese cliente implemente algo que no tiene mi server. Y también acomodé un server de <a href="https://matrix.org/">Matrix</a> que es muy similar pero es bajo otro protocolo y se siente más como un discord/slack (al menos en el <a href="https://element.io/">element</a>), muy chingón también.</p>
<p>Si bien aún quedan cosas por hacer sobre estos dos servers que me acomodé (además de hacerles unas entradas para documentar cómo lo hice), quiero moverme a otra cosa que sería acomodar una sección de dibujos, lo cual en teoría es bien sencillo, pero como quiero poder automatizar la publicación de estos, quiero modificar un poco el <a href="https://github.com/luevano/pyssg">pyssg</a> para que jale chido para este pex.</p>
<p>Ya por último también quiero moverle un poco al CSS, porque lo dejé en un estado muy culerón y quiero meterle/ajustar unas cosas para que quede más limpio y medianamente bonito… <em>dentro de lo que cabe porque evidentemente me vale verga si se ve como una página del 2000</em>.</p>]]></content:encoded>
</item>
<item>
<title>I'm using a new blogging system</title>
<link>https://blog.luevano.xyz/a/new_blogging_system.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/new_blogging_system.html</guid>
<pubDate>Fri, 28 May 2021 03:21:39 GMT</pubDate>
<category>English</category>
<category>Short</category>
<category>Tools</category>
<category>Update</category>
<description>I created a new blogging system called pyssg, which is based on what I was using but, to be honest, better.</description>
<content:encoded><![CDATA[<p>So, I was tired of working with <code>ssg</code> (and then <code>sbg</code> which was a modified version of <code>ssg</code> that I “wrote”), for one general reason: not being able to extend it as I would like; and not just dumb little stuff, I wanted to be able to have more control, to add tags (which another tool that I found does: <code>blogit</code>), and even more in a future.</p>
<p>The solution? Write a new program “from scratch” in <em>pYtHoN</em>. Yes it is bloated, yes it is in its early stages, but it works just as I want it to work, and I’m pretty happy so far with the results and have with even more ideas in mind to “optimize” and generally clean my wOrKfLoW to post new blog entries. I even thought of using it for posting into a “feed” like gallery for drawings or pictures in general.</p>
<p>I called it <a href="https://github.com/luevano/pyssg"><code>pyssg</code></a>, because it sounds nice and it wasn’t taken in the PyPi. It is just a terminal program that reads either a configuration file or the options passed as flags when calling the program.</p>
<p>It still uses Markdown files because I find them very easy to work with. And instead of just having a “header” and a “footer” applied to each parsed entry, you will have templates (generated with the program) for each piece that I thought made sense (idea taken from <code>blogit</code>): the common header and footer, the common header and footer for each entry and, header, footer and list elements for articles and tags. When parsing the Markdown file these templates are applied and stitched together to make a single HTML file. Also generates an RSS feed and the <code>sitemap.xml</code> file, which is nice.</p>
<p>It might sound convoluted, but it works pretty well, with of course room to improve; I’m open to suggestions, issue reporting or direct contributions <a href="https://github.com/luevano/pyssg">here</a>. BTW, it only works on Linux for now (and don’t think on making it work on windows, but feel free to do PR for the compatibility).</p>
<p>That’s it for now, the new RSS feed is available here: <a href="https://blog.luevano.xyz/rss.xml">https://blog.luevano.xyz/rss.xml</a>.</p>]]></content:encoded>
</item>
<item>
<title>Create a git server and setup cgit web app (on Nginx)</title>
<link>https://blog.luevano.xyz/a/git_server_with_cgit.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/git_server_with_cgit.html</guid>
<pubDate>Sun, 21 Mar 2021 19:00:29 GMT</pubDate>
<category>English</category>
<category>Server</category>
<category>Tools</category>
<category>Tutorial</category>
<description>How to create a git server using cgit on a server running Nginx. This is a follow up on post about creating a website with Nginx and Certbot.</description>
<content:encoded><![CDATA[<p>My git server is all I need to setup to actually <em>kill</em> my other server (I’ve been moving from servers on these last 2-3 blog entries), that’s why I’m already doing this entry. I’m basically following <a href="https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server">git’s guide on setting up a server</a> plus some specific stuff for (btw i use) Arch Linux (<a href="https://wiki.archlinux.org/index.php/Git_server#Web_interfaces">Arch Linux Wiki: Git server</a> and <a href="https://miracoin.wordpress.com/2014/11/25/step-by-step-guide-on-setting-up-git-server-in-arch-linux-pushable/">Step by step guide on setting up git server in arch linux (pushable)</a>).</p>
<p>Note that this is mostly for personal use, so there’s no user/authentication control other than that of SSH. Also, most if not all commands here are run as root.</p>
<h2 id="prerequisites">Prerequisites</h2>
<p>I might get tired of saying this (it’s just copy paste, basically)… but you will need the same prerequisites as before (check my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website</a> and <a href="https://blog.luevano.xyz/a/mail_server_with_postfix.html">mail</a> entries), with the extras:</p>
<ul>
<li>(Optional, if you want a “front-end”) A <strong>CNAME</strong> for “git” and (optionally) “www.git”, or some other name for your sub-domains.</li>
<li>An SSL certificate, if you’re following the other entries, add a <code>git.conf</code> and run <code>certbot --nginx</code> to extend the certificate.</li>
</ul>
<h2 id="git">Git</h2>
<p><a href="https://wiki.archlinux.org/title/git">Git</a> is a version control system.</p>
<p>If not installed already, install the <code>git</code> package:</p>
<pre><code class="language-sh">pacman -S git
</code></pre>
<p>On Arch Linux, when you install the <code>git</code> package, a <code>git</code> user is automatically created, so all you have to do is decide where you want to store the repositories, for me, I like them to be on <code>/home/git</code> like if <code>git</code> was a “normal” user. So, create the <code>git</code> folder (with corresponding permissions) under <code>/home</code> and set the <code>git</code> user’s home to <code>/home/git</code>:</p>
<pre><code class="language-sh">mkdir /home/git
chown git:git /home/git
usermod -d /home/git git
</code></pre>
<p>Also, the <code>git</code> user is “expired” by default and will be locked (needs a password), change that with:</p>
<pre><code class="language-sh">chage -E -1 git
passwd git
</code></pre>
<p>Give it a strong one and remember to use <code>PasswordAuthentication no</code> for <code>ssh</code> (as you should). Create the <code>.ssh/authorized_keys</code> for the <code>git</code> user and set the permissions accordingly:</p>
<pre><code class="language-sh">mkdir /home/git/.ssh
chmod 700 /home/git/.ssh
touch /home/git/.ssh/authorized_keys
chmod 600 /home/git/.ssh/authorized_keys
chown -R git:git /home/git
</code></pre>
<p>Now is a good idea to copy over your local SSH public keys to this file, to be able to push/pull to the repositories. Do it by either manually copying it or using <code>ssh</code>‘s built in <code>ssh-copy-id</code> (for that you may want to check your <code>ssh</code> configuration in case you don’t let people access your server with user/password).</p>
<p>Next, and almost finally, we need to edit the <code>git-daemon</code> service, located at <code>/usr/lib/systemd/system/</code> (called <code>git-daemon@.service</code>):</p>
<pre><code class="language-ini">...
ExecStart=-/usr/lib/git-core/git-daemon --inetd --export-all --base-path=/home/git --enable=receive-pack
...
</code></pre>
<p>I just appended <code>--enable=receive-pack</code> and note that I also changed the <code>--base-path</code> to reflect where I want to serve my repositories from (has to match what you set when changing <code>git</code> user’s home).</p>
<p>Now, go ahead and start and enable the <code>git-daemon</code> socket:</p>
<pre><code class="language-sh">systemctl start git-daemon.socket
systemctl enable git-daemon.socket
</code></pre>
<p>You’re basically done. Now you should be able to push/pull repositories to your server… except, you haven’t created any repository in your server, that’s right, they’re not created automatically when trying to push. To do so, you have to run (while inside <code>/home/git</code>):</p>
<pre><code class="language-sh">git init --bare {repo_name}.git
chown -R git:git repo_name.git
</code></pre>
<p>Those two lines above will need to be run each time you want to add a new repository to your server (yeah, kinda lame… although there are options to “automate” this, I like it this way).</p>
<p>After that you can already push/pull to your repository. I have my repositories (locally) set up so I can push to more than one remote at the same time (my server, GitHub, GitLab, etc.); to do so, check <a href="https://gist.github.com/rvl/c3f156e117e22a25f242">this gist</a>.</p>
<h2 id="cgit">Cgit</h2>
<p><a href="https://wiki.archlinux.org/title/Cgit">Cgit</a> is a fast web interface for git.</p>
<p>This is optionally since it’s only for the web application.</p>
<p>Install the <code>cgit</code> and <code>fcgiwrap</code> packages:</p>
<pre><code class="language-sh">pacman -S cgit fcgiwrap
</code></pre>
<p>Now, just start and enable the <code>fcgiwrap</code> socket:</p>
<pre><code class="language-sh">systemctl start fcgiwrap.socket
systemctl enable fcgiwrap.socket
</code></pre>
<p>Next, create the <code>git.conf</code> as stated in my <a href="https://blog.luevano.xyz/a/website_with_nginx.html">nginx setup entry</a>. Add the following lines to your <code>git.conf</code> file:</p>
<pre><code class="language-nginx">server {
listen 80;
listen [::]:80;
root /usr/share/webapps/cgit;
server_name {yoursubdomain}.{yourdomain};
try_files $uri @cgit;
location @cgit {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/cgit.cgi;
fastcgi_param PATH_INFO $uri;
fastcgi_param QUERY_STRING $args;
fastcgi_param HTTP_HOST $server_name;
fastcgi_pass unix:/run/fcgiwrap.sock;
}
}
</code></pre>
<p>Where the <code>server_name</code> line depends on you, I have mine setup to <code>git.luevano.xyz</code> and <code>www.git.luevano.xyz</code>. Optionally run <code>certbot --nginx</code> to get a certificate for those domains if you don’t have already.</p>
<p>Now, all that’s left is to configure <code>cgit</code>. Create the configuration file <code>/etc/cgitrc</code> with the following content (my personal options, pretty much the default):</p>
<pre><code class="language-apache">css=/cgit.css
logo=/cgit.png
enable-http-clone=1
# robots=noindex, nofollow
virtual-root=/
repo.url={url}
repo.path={dir_path}
repo.owner={owner}
repo.desc={short_description}
...
</code></pre>
<p>Where you can uncomment the <code>robots</code> line to let web crawlers (like Google’s) to index your <code>git</code> web app. And at the end keep all your repositories (the ones you want to make public), for example for my <a href="https://git.luevano.xyz/.dots"><em>dotfiles</em></a> I have:</p>
<pre><code class="language-apache">...
repo.url=.dots
repo.path=/home/git/.dots.git
repo.owner=luevano
repo.desc=These are my personal dotfiles.
...
</code></pre>
<p>Otherwise you could let <code>cgit</code> to automatically detect your repositories (you have to be careful if you want to keep “private” repos) using the option <code>scan-path</code> and setup <code>.git/description</code> for each repository. For more, you can check <a href="https://man.archlinux.org/man/cgitrc.5">cgitrc(5)</a>.</p>
<p>By default you can’t see the files on the site, you need a highlighter to render the files, I use <code>highlight</code>. Install the <code>highlight</code> package:</p>
<pre><code class="language-sh">pacman -S highlight
</code></pre>
<p>Copy the <code>syntax-highlighting.sh</code> script to the corresponding location (basically adding <code>-edited</code> to the file):</p>
<pre><code class="language-sh">cp /usr/lib/cgit/filters/syntax-highlighting.sh /usr/lib/cgit/filters/syntax-highlighting-edited.sh
</code></pre>
<p>And edit it to use the version 3 and add <code>--inline-css</code> for more options without editing <code>cgit</code>‘s CSS file:</p>
<pre><code class="language-sh">...
# This is for version 2
# exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
# This is for version 3
exec highlight --force --inline-css -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
...
</code></pre>
<p>Finally, enable the filter in <code>/etc/cgitrc</code> configuration:</p>
<pre><code class="language-apache">source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh
</code></pre>
<p>That would be everything. If you need support for more stuff like compressed snapshots or support for markdown, check the optional dependencies for <code>cgit</code>.</p>]]></content:encoded>
</item>
<item>
<title>Create a mail server with Postfix, Dovecot, SpamAssassin and OpenDKIM</title>
<link>https://blog.luevano.xyz/a/mail_server_with_postfix.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/mail_server_with_postfix.html</guid>
<pubDate>Sun, 21 Mar 2021 04:05:59 GMT</pubDate>
<category>English</category>
<category>Server</category>
<category>Tools</category>
<category>Tutorial</category>
<description>How to create mail server using Postfix, Dovecot, SpamAssassin and OpenDKIM. This is a follow up on post about creating a website with Nginx and Certbot.</description>
<content:encoded><![CDATA[<p>The entry is going to be long because it’s a <em>tedious</em> process. This is also based on <a href="https://github.com/LukeSmithxyz/emailwiz">Luke Smith’s script</a>, but adapted to Arch Linux (his script works on debian-based distributions). This entry is mostly so I can record all the notes required while I’m in the process of installing/configuring the mail server on a new VPS of mine; also I’m going to be writing a script that does everything in one go (for Arch Linux), that will be hosted <a href="https://git.luevano.xyz/server_scripts.git">here</a>.</p>
<p>This configuration works for local users (users that appear in <code>/etc/passwd</code>), and does not use any type of SQL Database. And note that most if not all commands executed here are run with root privileges.</p>
<h2 id="prerequisites">Prerequisites</h2>
<p>Basically the same as with the <a href="https://blog.luevano.xyz/a/website_with_nginx.html">website with Nginx and Certbot</a>, with the extras:</p>
<ul>
<li>You will need a <strong>CNAME</strong> for “mail” and (optionally) “www.mail”, or whatever you want to call the sub-domains (although the <a href="https://tools.ietf.org/html/rfc2181#section-10.3">RFC 2181</a> states that it NEEDS to be an <strong>A</strong> record, fuck the police).</li>
<li>An SSL certificate. You can use the SSL certificate obtained following my last post using <code>certbot</code> (just create a <code>mail.conf</code> and run <code>certbot --nginx</code> again).</li>
<li>Ports 25, 587 (SMTP), 465 (SMTPS), 143 (IMAP) and 993 (IMAPS) open on the firewall.</li>
</ul>
<h2 id="postfix">Postfix</h2>
<p><a href="https://wiki.archlinux.org/title/postfix">Postfix</a> is a “mail transfer agent” which is the component of the mail server that receives and sends emails via SMTP.</p>
<p>Install the <code>postfix</code> package:</p>
<pre><code class="language-sh">pacman -S postfix
</code></pre>
<p>We have two main files to configure (inside <code>/etc/postfix</code>): <code>master.cf</code> (<a href="https://man.archlinux.org/man/master.5">master(5)</a>) and <code>main.cf</code> (<a href="https://man.archlinux.org/man/postconf.5">postconf(5)</a>). We’re going to edit <code>main.cf</code> first either by using the command <code>postconf -e 'setting'</code> or by editing the file itself (I prefer to edit the file).</p>
<p>Note that the default file itself has a lot of comments with description on what each thing does (or you can look up the manual, linked above), I used what Luke’s script did plus some other settings that worked for me.</p>
<p>Now, first locate where your website cert is, mine is at the default location <code>/etc/letsencrypt/live/</code>, so my <code>certdir</code> is <code>/etc/letsencrypt/live/luevano.xyz</code>. Given this information, change <code>{yourcertdir}</code> on the corresponding lines. The configuration described below has to be appended in the <code>main.cf</code> configuration file.</p>
<p>Certificates and ciphers to use for authentication and security:</p>
<pre><code class="language-apache">smtpd_tls_key_file = {yourcertdir}/privkey.pem
smtpd_tls_cert_file = {yourcertdir}/fullchain.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CAfile = {yourcertdir}/cert.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
tls_preempt_cipherlist = yes
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,
RSA+AES, eNULL
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, defer_unauth_destination
</code></pre>
<p>Also, for the <em>connection</em> with <code>dovecot</code>, append the next few lines (telling postfix that <code>dovecot</code> will use user/password for authentication):</p>
<pre><code class="language-apache">smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
</code></pre>
<p>Specify the mailbox home (this is going to be a directory inside your user’s home containing the actual mail files):</p>
<pre><code class="language-apache">home_mailbox = Mail/Inbox/
</code></pre>
<p>Pre-configuration to work seamlessly with <code>dovecot</code> and <code>opendkim</code>:</p>
<pre><code class="language-apache">myhostname = {yourdomainname}
mydomain = localdomain
mydestination = $myhostname, localhost.$mydomain, localhost
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891
mailbox_command = /usr/lib/dovecot/deliver
</code></pre>
<p>Where <code>{yourdomainname}</code> is <code>luevano.xyz</code> in my case, or if you have <code>localhost</code> configured to your domain, then use <code>localhost</code> for <code>myhostname</code> (<code>myhostname = localhost</code>).</p>
<p>Lastly, if you don’t want the sender’s IP and user agent (application used to send the mail), add the following line:</p>
<pre><code class="language-apache">smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
</code></pre>
<p>And create the <code>/etc/postfix/smtp_header_checks</code> file with the following content:</p>
<pre><code class="language-coffee">/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE
</code></pre>
<p>That’s it for <code>main.cf</code>, now we have to configure <code>master.cf</code>. This one is a bit more tricky.</p>
<p>First look up lines (they’re uncommented) <code>smtp inet n - n - - smtpd</code>, <code>smtp unix - - n - - smtp</code> and <code>-o syslog_name=postfix/$service_name</code> and either delete or uncomment them… or just run <code>sed -i "/^\s*-o/d;/^\s*submission/d;/\s*smtp/d" /etc/postfix/master.cf</code> as stated in Luke’s script.</p>
<p>Lastly, append the following lines to complete postfix setup and pre-configure for <code>spamassassin</code>.</p>
<pre><code class="language-txt">smtp unix - - n - - smtp
smtp inet n - y - - smtpd
-o content_filter=spamassassin
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/vendor_perl/spamc -f -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}
</code></pre>
<p>Now, I ran into some problems with postfix, one being <a href="https://www.faqforge.com/linux/fix-for-opensuse-error-postfixmaster-fatal-0-0-0-0smtps-servname-not-supported-for-ai_socktype/">smtps: Servname not supported for ai_socktype</a>, to fix it, as <em>Till</em> posted in that site, edit <code>/etc/services</code> and add:</p>
<pre><code class="language-apache">smtps 465/tcp
smtps 465/udp
</code></pre>
<p>Before starting the <code>postfix</code> service, you need to run <code>newaliases</code> first, but you can do a bit of configuration beforehand editing the file <code>/etc/postfix/aliases</code>. I only change the <code>root: you</code> line (where <code>you</code> is the account that will be receiving “root” mail). After you’re done, run:</p>
<pre><code class="language-sh">postalias /etc/postfix/aliases
newaliases
</code></pre>
<p>At this point you’re done configuring <code>postfix</code> and you can already start/enable the <code>postfix</code> service:</p>
<pre><code class="language-sh">systemctl start postfix.service
systemctl enable postfix.service
</code></pre>
<h2 id="dovecot">Dovecot</h2>
<p><a href="https://wiki.archlinux.org/title/Dovecot">Dovecot</a> is an IMAP and POP3 server, which is what lets an email application retrieve the mail.</p>
<p>Install the <code>dovecot</code> and <code>pigeonhole</code> (sieve for <code>dovecot</code>) packages:</p>
<pre><code class="language-sh">pacman -S dovecot pigeonhole
</code></pre>
<p>On arch, by default, there is no <code>/etc/dovecot</code> directory with default configurations set in place, but the package does provide the example configuration files. Create the <code>dovecot</code> directory under <code>/etc</code> and, optionally, copy the <code>dovecot.conf</code> file and <code>conf.d</code> directory under the just created <code>dovecot</code> directory:</p>
<pre><code class="language-sh">mkdir /etc/dovecot
cp /usr/share/doc/dovecot/example-config/dovecot.conf /etc/dovecot/dovecot.conf
cp -r /usr/share/doc/dovecot/example-config/conf.d /etc/dovecot
</code></pre>
<p>As Luke stated, <code>dovecot</code> comes with a lot of “modules” (under <code>/etc/dovecot/conf.d/</code> if you copied that folder) for all sorts of configurations that you can include, but I do as he does and just edit/create the whole <code>dovecot.conf</code> file; although, I would like to check each of the separate configuration files <code>dovecot</code> provides I think the options Luke provides are more than good enough.</p>
<p>I’m working with an empty <code>dovecot.conf</code> file. Add the following lines for SSL and login configuration (also replace <code>{yourcertdir}</code> with the same certificate directory described in the <a href="#postfix">Postfix</a> section above, note that the <code><</code> is required):</p>
<pre><code class="language-apache">ssl = required
ssl_cert = <{yourcertdir}/fullchain.pem
ssl_key = <{yourcertdir}/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384:!LOW@STRENGTH
ssl_prefer_server_ciphers = yes
ssl_dh = </etc/dovecot/dh.pem
auth_mechanisms = plain login
auth_username_format = %n
protocols = $protocols imap
</code></pre>
<p>You may notice we specify a file we don’t have under <code>/etc/dovecot</code>: <code>dh.pem</code>. We need to create it with <code>openssl</code> (you should already have it installed if you’ve been following this entry and the one for <code>nginx</code>). Just run (might take a few minutes):</p>
<pre><code class="language-sh">openssl dhparam -out /etc/dovecot/dh.pem 4096
</code></pre>
<p>After that, the next lines define what a “valid user is” (really just sets the database for users and passwords to be the local users with their password):</p>
<pre><code class="language-apache">userdb {
driver = passwd
}
passdb {
driver = pam
}
</code></pre>
<p>Next, comes the mail directory structure (has to match the one described in the Postfix section). Here, the <code>LAYOUT</code> option is important so the boxes are <code>.Sent</code> instead of <code>Sent</code>. Add the next lines (plus any you like):</p>
<pre><code class="language-apache">mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
namespace inbox {
inbox = yes
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = subscribe
autoexpunge = 30d
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
mailbox Trash {
special_use = \Trash
}
mailbox Archive {
special_use = \Archive
}
}
</code></pre>
<p>Also include this so Postfix can use Dovecot’s authentication system:</p>
<pre><code class="language-apache">service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
</code></pre>
<p>Lastly (for Dovecot at least), the plugin configuration for <code>sieve</code> (<code>pigeonhole</code>):</p>
<pre><code class="language-apache">protocol lda {
mail_plugins = $mail_plugins sieve
}
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
plugin {
sieve = ~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_dir = ~/.sieve
sieve_global_dir = /var/lib/dovecot/sieve/
</code></pre>
<p>Where <code>/var/lib/dovecot/sieve/default.sieve</code> doesn’t exist yet. Create the folders:</p>
<pre><code class="language-sh">mkdir -p /var/lib/dovecot/sieve
</code></pre>
<p>And create the file <code>default.sieve</code> inside that just created folder with the content:</p>
<pre><code class="language-nginx">require ["fileinto", "mailbox"];
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
}
</code></pre>
<p>Now, if you don’t have a <code>vmail</code> (virtual mail) user, create one and change the ownership of the <code>/var/lib/dovecot</code> directory to this user:</p>
<pre><code class="language-sh">grep -q "^vmail:" /etc/passwd || useradd -m vmail -s /usr/bin/nologin
chown -R vmail:vmail /var/lib/dovecot
</code></pre>
<p>Note that I also changed the shell for <code>vmail</code> to be <code>/usr/bin/nologin</code>. After that, to compile the configuration file run:</p>
<pre><code class="language-sh">sievec /var/lib/dovecot/sieve/default.sieve
</code></pre>
<p>A <code>default.svbin</code> file will be created next to <code>default.sieve</code>.</p>
<p>Next, add the following lines to <code>/etc/pam.d/dovecot</code> if not already present (shouldn’t be there if you’ve been following these notes):</p>
<pre><code class="language-txt">auth required pam_unix.so nullok
account required pam_unix.so
</code></pre>
<p>That’s it for Dovecot, at this point you can start/enable the <code>dovecot</code> service:</p>
<pre><code class="language-sh">systemctl start dovecot.service
systemctl enable dovecot.service
</code></pre>
<h2 id="opendkim">OpenDKIM</h2>
<p><a href="https://wiki.archlinux.org/title/OpenDKIM">OpenDKIM</a> is needed so services like G**gle (we don’t mention that name here [[[this is a meme]]]) don’t throw the mail to the trash. DKIM stands for “DomainKeys Identified Mail”.</p>
<p>Install the <code>opendkim</code> package:</p>
<pre><code class="language-sh">pacman -S opendkim
</code></pre>
<p>Generate the keys for your domain:</p>
<pre><code class="language-sh">opendkim-genkey -D /etc/opendkim -d {yourdomain} -s {yoursubdomain} -r -b 2048
</code></pre>
<p>Where you need to change <code>{yourdomain}</code> and <code>{yoursubdomain}</code> (doesn’t really need to be the sub-domain, could be anything that describes your key) accordingly, for me it’s <code>luevano.xyz</code> and <code>mail</code>, respectively. After that, we need to create some files inside the <code>/etc/opendkim</code> directory. First, create the file <code>KeyTable</code> with the content:</p>
<pre><code class="language-txt">{yoursubdomain}._domainkey.{yourdomain} {yourdomain}:{yoursubdomain}:/etc/opendkim/{yoursubdomain}.private
</code></pre>
<p>So, for me it would be:</p>
<pre><code class="language-txt">mail._domainkey.luevano.xyz luevano.xyz:mail:/etc/opendkim/mail.private
</code></pre>
<p>Next, create the file <code>SigningTable</code> with the content:</p>
<pre><code class="language-txt">*@{yourdomain} {yoursubdomain}._domainkey.{yourdomain}
</code></pre>
<p>Again, for me it would be:</p>
<pre><code class="language-txt">*@luevano.xyz mail._domainkey.luevano.xyz
</code></pre>
<p>And, lastly create the file <code>TrustedHosts</code> with the content:</p>
<pre><code class="language-txt">127.0.0.1
::1
10.1.0.0/16
1.2.3.4/24
localhost
{yourserverip}
...
</code></pre>
<p>And more, make sure to include your server IP and something like <code>subdomain.domainname</code>.</p>
<p>Next, edit <code>/etc/opendkim/opendkim.conf</code> to reflect the changes (or rather, addition) of these files, as well as some other configuration. You can look up the example configuration file located at <code>/usr/share/doc/opendkim/opendkim.conf.sample</code>, but I’m creating a blank one with the contents:</p>
<pre><code class="language-apache">Domain {yourdomain}
Selector {yoursubdomain}
Syslog Yes
UserID opendkim
KeyFile /etc/opendkim/{yoursubdomain}.private
Socket inet:8891@localhost
</code></pre>
<p>Now, change the permissions for all the files inside <code>/etc/opendkim</code>:</p>
<pre><code class="language-sh">chown -R root:opendkim /etc/opendkim
chmod g+r /etc/postfix/dkim/*
</code></pre>
<p>I’m using <code>root:opendkim</code> so <code>opendkim</code> doesn’t complain about the <code>{yoursubdomani}.private</code> being insecure (you can change that by using the option <code>RequireSafeKeys False</code> in the <code>opendkim.conf</code> file, as stated <a href="http://lists.opendkim.org/archive/opendkim/users/2014/12/3331.html">here</a>).</p>
<p>That’s it for the general configuration, but you could go more in depth and be more secure with some extra configuration.</p>
<p>Now, just start/enable the <code>opendkim</code> service:</p>
<pre><code class="language-sh">systemctl start opendkim.service
systemctl enable opendkim.service
</code></pre>
<p>And don’t forget to add the following <strong>TXT</strong> records on your domain registrar (these examples are for Epik):</p>
<ol>
<li><em>DKIM</em> entry: look up your <code>{yoursubdomain}.txt</code> file, it should look something like:</li>
</ol>
<pre><code class="language-txt">{yoursubdomain}._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; "
"p=..."
"..." ) ; ----- DKIM key mail for {yourdomain}
</code></pre>
<p>In the TXT record you will place <code>{yoursubdomain}._domainkey</code> as the “Host” and <code>"v=DKIM1; k=rsa; s=email; " "p=..." "..."</code> in the “TXT Value” (replace the dots with the actual value you see in your file).</p>
<ol start="2">
<li>
<p><em>DMARC</em> entry: just <code>_dmarc.{yourdomain}</code> as the “Host” and <code>"v=DMARC1; p=reject; rua=mailto:dmarc@{yourdomain}; fo=1"</code> as the “TXT Value”.</p>
</li>
<li>
<p><em>SPF</em> entry: just <code>@</code> as the “Host” and <code>"v=spf1 mx a:{yoursubdomain}.{yourdomain} - all"</code> as the “TXT Value”.</p>
</li>
</ol>
<p>And at this point you could test your mail for spoofing and more.</p>
<h2 id="spamassassin">SpamAssassin</h2>
<p><a href="https://wiki.archlinux.org/title/SpamAssassin">SpamAssassin</a> is just <em>a mail filter to identify spam</em>.</p>
<p>Install the <code>spamassassin</code> package (which will install a bunch of ugly <code>perl</code> packages…):</p>
<pre><code class="language-sh">pacman -S spamassassin
</code></pre>
<p>For some reason, the permissions on all <code>spamassassin</code> stuff are all over the place. First, change owner of the executables, and directories:</p>
<pre><code class="language-sh">chown spamd:spamd /usr/bin/vendor_perl/sa-*
chown spamd:spamd /usr/bin/vendor_perl/spam*
chwown -R spamd:spamd /etc/mail/spamassassin
</code></pre>
<p>Then, you can edit <code>local.cf</code> (located in <code>/etc/mail/spamassassin</code>) to fit your needs (I only uncommented the <code>rewrite_header Subject ...</code> line). And then you can run the following command to update the patterns and compile them:</p>
<pre><code class="language-sh">sudo -u spamd sa-update
sudo -u spamd sa-compile
</code></pre>
<p>And since this should be run periodically, create the service <code>spamassassin-update.service</code> under <code>/etc/systemd/system</code> with the following content:</p>
<pre><code class="language-ini">[Unit]
Description=SpamAssassin housekeeping
After=network.target
[Service]
User=spamd
Group=spamd
Type=oneshot
ExecStart=/usr/bin/vendor_perl/sa-update --allowplugins
SuccessExitStatus=1
ExecStart=/usr/bin/vendor_perl/sa-compile
ExecStart=/usr/bin/systemctl -q --no-block try-restart spamassassin.service
</code></pre>
<p>And you could also execute <code>sa-learn</code> to train <code>spamassassin</code>‘s bayes filter, but this works for me. Then create the timer <code>spamassassin-update.timer</code> under the same directory, with the content:</p>
<pre><code class="language-ini">[Unit]
Description=SpamAssassin housekeeping
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
</code></pre>
<p>You can now start/enable the <code>spamassassin-update</code> timer:</p>
<pre><code class="language-sh">systemctl start spamassassin-update.timer
systemctl enable spamassassin-update.timer
</code></pre>
<p>Next, you may want to edit the <code>spamassassin</code> service before starting and enabling it, because by default, it could <a href="https://rimuhosting.com/howto/memory.jsp">spawn a lot of “childs”</a> eating a lot of resources and you really only need one child. Append <code>--max-children=1</code> to the line <code>ExecStart=...</code> in <code>/usr/bin/systemd/system/spamassassin.service</code>:</p>
<pre><code class="language-ini">...
ExecStart=/usr/bin/vendor_perl/spamd -x -u spamd -g spamd --listen=/run/spamd/spamd.sock --listen=localhost --max-children=1
...
</code></pre>
<p>Finally, start and enable the <code>spamassassin</code> service:</p>
<pre><code class="language-sh">systemctl start spamassassin.service
systemctl enable spamassassin.service
</code></pre>
<h2 id="wrapping-up">Wrapping up</h2>
<p>We should have a working mail server by now. Before continuing check your journal logs (<code>journalctl -xe --unit={unit}</code>, where <code>{unit}</code> could be <code>spamassassin.service</code> for example) to see if there was any error whatsoever and try to debug it, it should be a typo somewhere (the logs are generally really descriptive) because all the settings and steps detailed here just (literally just finished doing everything on a new server as of the writing of this text) worked <em>(((it just werks on my machine)))</em>.</p>
<p>Now, to actually use the mail service: first of all, you need a <em>normal</em> account (don’t use root) that belongs to the <code>mail</code> group (<code>gpasswd -a user group</code> to add a user <code>user</code> to group <code>group</code>) and that has a password.</p>
<p>Next, to actually login into a mail app/program/whateveryouwanttocallit, you will use the following settings, at least for <code>thunderdbird</code>(I tested in windows default mail app and you don’t need a lot of settings):</p>
<ul>
<li>* server: subdomain.domain (mail.luevano.xyz in my case)</li>
<li><strong>SMTP</strong> port: 587</li>
<li><strong>SMTPS</strong> port: 465 (I use this one)</li>
<li><strong>IMAP</strong> port: 143</li>
<li><strong>IMAPS</strong> port: 993 (again, I use this one)</li>
<li>Connection/security: SSL/TLS</li>
<li>Authentication method: Normal password</li>
<li>Username: just your <code>user</code>, not the whole email (<code>david</code> in my case)</li>
<li>Password: your <code>user</code> password (as in the password you use to login to the server with that user)</li>
</ul>
<p>All that’s left to do is test your mail server for spoofing, and to see if everything is setup correctly. Go to <a href="https://www.appmaildev.com/en/dkim">DKIM Test</a> and follow the instructions (basically click next, and send an email with whatever content to the email that they provide). After you send the email, you should see something like:</p>
<figure id="__yafg-figure-3">
<img alt="DKIM Test successful" src="images/b/notes/mail/dkim_test_successful.png" title="DKIM Test successful">
<figcaption>DKIM Test successful</figcaption>
</figure>
<p>Finally, that’s actually it for this entry, if you have any problem whatsoever you can <a href="https://luevano.xyz/contact.html">contact me</a>.</p>]]></content:encoded>
</item>
<item>
<title>Create a website with Nginx and Certbot</title>
<link>https://blog.luevano.xyz/a/website_with_nginx.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/website_with_nginx.html</guid>
<pubDate>Fri, 19 Mar 2021 02:58:15 GMT</pubDate>
<category>English</category>
<category>Server</category>
<category>Tools</category>
<category>Tutorial</category>
<description>How to create website that runs on Nginx and uses Certbot for SSL certificates. This is a base for future blog posts about similar topics.</description>
<content:encoded><![CDATA[<p>These are general notes on how to setup a Nginx web server plus Certbot for SSL certificates, initially learned from <a href="https://www.youtube.com/watch?v=OWAqilIVNgE">Luke’s video</a> and after some use and research I added more stuff to the mix. And, actually at the time of writing this entry, I’m configuring the web server again on a new VPS instance, so this is going to be fresh.</p>
<p>As a side note, (((i use arch btw))) so everything here es aimed at an Arch Linux distro, and I’m doing everything on a VPS. Also note that most if not all commands here are executed with root privileges.</p>
<h2 id="prerequisites">Prerequisites</h2>
<p>You will need two things:</p>
<ul>
<li>A domain name (duh!). I got mine on <a href="https://www.epik.com/?affid=da5ne9ru4">Epik</a> (affiliate link, btw).<ul>
<li>With the corresponding <strong>A</strong> and <strong>AAA</strong> records pointing to the VPS’ IPs (“A” record points to the ipv4 address and “AAA” to the ipv6, basically). I have three records for each type: empty one, “www” and “*” for a wildcard, that way “domain.name”, “www.domain.name”, “anythingelse.domain.name” point to the same VPS (meaning that you can have several VPS for different sub-domains).</li>
</ul>
</li>
<li>A VPS or somewhere else to host it. I’m using <a href="https://www.vultr.com/?ref=8732849">Vultr</a> (also an affiliate link).<ul>
<li>With <code>ssh</code> already configured both on the local machine and on the remote machine.</li>
<li>Firewall already configured to allow ports 80 (HTTP) and 443 (HTTPS). I use <code>ufw</code> so it’s just a matter of doing <code>ufw allow 80,443/tcp</code> as root and you’re golden.</li>
<li><code>cron</code> installed if you follow along (you could use <code>systemd</code> timers, or some other method you prefer to automate running commands every X time).</li>
</ul>
</li>
</ul>
<h2 id="nginx">Nginx</h2>
<p><a href="https://wiki.archlinux.org/title/Nginx">Nginx</a> is a web (HTTP) server and reverse proxy server.</p>
<p>You have two options: <code>nginx</code> and <code>nginx-mainline</code>. I prefer <code>nginx-mainline</code> because it’s the “up to date” package even though <code>nginx</code> is labeled to be the “stable” version. Install the package and enable/start the service:</p>
<pre><code class="language-sh">pacman -S nginx-mainline
systemctl enable nginx.service
systemctl start nginx.service
</code></pre>
<p>And that’s it, at this point you can already look at the default initial page of Nginx if you enter the IP of your server in a web browser. You should see something like this:</p>
<figure id="__yafg-figure-1">
<img alt="Nginx welcome page" src="images/b/notes/nginx/nginx_welcome_page.png" title="Nginx welcome page">
<figcaption>Nginx welcome page</figcaption>
</figure>
<p>As stated in the welcome page, configuration is needed, head to the directory of Nginx:</p>
<pre><code class="language-sh">cd /etc/nginx
</code></pre>
<p>Here you have several files, the important one is <code>nginx.conf</code>, which as its name implies, contains general configuration of the web server. If you peek into the file, you will see that it contains around 120 lines, most of which are commented out and contains the welcome page server block. While you can configure a website in this file, it’s common practice to do it on a separate file (so you can scale really easily if needed for mor websites or sub-domains).</p>
<p>Inside the <code>nginx.conf</code> file, delete the <code>server</code> blocks and add the lines <code>include sites-enabled/*;</code> (to look into individual server configuration files) and <code>types_hash_max_size 4096;</code> (to get rid of an ugly warning that will keep appearing) somewhere inside the <code>http</code> block. The final <code>nginx.conf</code> file would look something like (ignoring the comments just for clarity, but you can keep them as side notes):</p>
<pre><code class="language-nginx">worker_processes 1;
events {
worker_connections 1024;
}
http {
include sites-enabled/*;
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
types_hash_max_size 4096;
}
</code></pre>
<p>Next, inside the directory <code>/etc/nginx/</code> create the <code>sites-available</code> and <code>sites-enabled</code> directories, and go into the <code>sites-available</code> one:</p>
<pre><code class="language-sh">mkdir sites-available
mkdir sites-enabled
cd sites-available
</code></pre>
<p>Here, create a new <code>.conf</code> file for your website and add the following lines (this is just the sample content more or less):</p>
<pre><code class="language-nginx">server {
listen 80;
listen [::]:80;
root /path/to/root/directory;
server_name domain.name another.domain.name;
index index.html anotherindex.otherextension;
location /{
try_files $uri $uri/ =404;
}
}
</code></pre>
<p>That could serve as a template if you intend to add more domains.</p>
<p>Note some things:</p>
<ul>
<li><code>listen</code>: we’re telling Nginx which port to listen to (IPv4 and IPv6, respectively).</li>
<li><code>root</code>: the root directory of where the website files (<code>.html</code>, <code>.css</code>, <code>.js</code>, etc. files) are located. I followed Luke’s directory path <code>/var/www/some_folder</code>.</li>
<li><code>server_name</code>: the actual domain to “listen” to (for my website it is: <code>server_name luevano.xyz www.luevano.xyz;</code> and for this blog is: <code>server_name blog.luevano.xyz www.blog.luevano.xyz;</code>).</li>
<li><code>index</code>: what file to serve as the index (could be any <code>.html</code>, <code>.htm</code>, <code>.php</code>, etc. file) when just entering the website.</li>
<li><code>location</code>: what goes after <code>domain.name</code>, used in case of different configurations depending on the URL paths (deny access on <code>/private</code>, make a proxy on <code>/proxy</code>, etc).<ul>
<li><code>try_files</code>: tells what files to look for.</li>
</ul>
</li>
</ul>
<p>Then, make a symbolic link from this configuration file to the <code>sites-enabled</code> directory:</p>
<pre><code class="language-sh">ln -s /etc/nginx/sites-available/your_config_file.conf /etc/nginx/sites-enabled
</code></pre>
<p>This is so the <code>nginx.conf</code> file can look up the newly created server configuration. With this method of having each server configuration file separate you can easily “deactivate” any website by just deleting the symbolic link in <code>sites-enabled</code> and you’re good, or just add new configuration files and keep everything nice and tidy.</p>
<p>All you have to do now is restart (or enable and start if you haven’t already) the Nginx service (and optionally test the configuration):</p>
<pre><code class="language-sh">nginx -t
systemctl restart nginx
</code></pre>
<p>If everything goes correctly, you can now go to your website by typing <code>domain.name</code> on a web browser. But you will see a “404 Not Found” page like the following (maybe with different Nginx version):</p>
<figure id="__yafg-figure-2">
<img alt="Nginx 404 Not Found page" src="images/b/notes/nginx/nginx_404_page.png" title="Nginx 404 Not Found page">
<figcaption>Nginx 404 Not Found page</figcaption>
</figure>
<p>That’s no problem, because it means that the web server it’s actually working. Just add an <code>index.html</code> file with something simple to see it in action (in the <code>/var/www/some_folder</code> that you decided upon). If you keep seeing the 404 page make sure your <code>root</code> line is correct and that the directory/index file exists.</p>
<p>I like to remove the <code>.html</code> and trailing <code>/</code> on the URLs of my website, for that you need to add the following <code>rewrite</code> lines and modify the <code>try_files</code> line (for more: <a href="https://www.seancdavis.com/blog/remove-html-extension-and-trailing-slash-in-nginx-config/">Sean C. Davis: Remove HTML Extension And Trailing Slash In Nginx Config</a>):</p>
<pre><code class="language-nginx">server {
...
rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
rewrite ^/(.*)/$ /$1 permanent;
...
try_files $uri/index.html $uri.html $uri/ $uri =404;
...
</code></pre>
<h2 id="certbot">Certbot</h2>
<p><a href="https://wiki.archlinux.org/title/Certbot">Certbot</a> is what provides the SSL certificates via <a href="https://letsencrypt.org/">Let’s Encrypt</a>.</p>
<p>The only “bad” (bloated) thing about Certbot, is that it uses <code>python</code>, but for me it doesn’t matter too much. You may want to look up another alternative if you prefer. Install the packages <code>certbot</code> and <code>certbot-nginx</code>:</p>
<pre><code class="language-sh">pacman -S certbot certbot-nginx
</code></pre>
<p>After that, all you have to do now is run <code>certbot</code> and follow the instructions given by the tool:</p>
<pre><code class="language-sh">certbot --nginx
</code></pre>
<p>It will ask you for some information, for you to accept some agreements and the names to activate HTTPS for. Also, you will want to “say yes” to the redirection from HTTP to HTTPS. And that’s it, you can now go to your website and see that you have HTTPS active.</p>
<p>Now, the certificate given by <code>certbot</code> expires every 3 months or something like that, so you want to renew this certificate every once in a while. Using <code>cron</code>, you can do this by running:</p>
<pre><code class="language-sh">crontab -e
</code></pre>
<p>And a file will be opened where you need to add a new rule for Certbot, just append the line: <code>1 1 1 * * certbot renew</code> (renew on the first day of every month) and you’re good. Alternatively use <code>systemd</code> timers as stated in the <a href="https://wiki.archlinux.org/title/Certbot#Automatic_renewal">Arch Linux Wiki</a>.</p>
<p>That’s it, you now have a website with SSL certificate.</p>]]></content:encoded>
</item>
<item>
<title>Así es raza, el blog ya tiene timestamps</title>
<link>https://blog.luevano.xyz/a/el_blog_ya_tiene_timestamps.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/el_blog_ya_tiene_timestamps.html</guid>
<pubDate>Tue, 16 Mar 2021 02:46:24 GMT</pubDate>
<category>Short</category>
<category>Spanish</category>
<category>Tools</category>
<category>Update</category>
<description>Actualización en el estado del blog y el sistema usado para crearlo.</description>
<content:encoded><![CDATA[<p>Pues eso, esta entrada es sólo para tirar update sobre mi <a href="https://blog.luevano.xyz/a/first_blog_post.html">primer post</a>. Ya modifiqué el <code>ssg</code> lo suficiente como para que maneje los <em>timestamps</em>, y ya estoy más familiarizado con este script entonces ya lo podré extender más, pero por ahora las entradas ya tienen su fecha de creación (y modificación en dado caso) al final y en el índice ya están organizados por fecha, que por ahora está algo simple pero está sencillo de extender.</p>
<p>Ya lo único que queda es cambiar un poco el formato del blog (y de la página en general), porque en un momento de desesperación puse todo el texto en justificado y pues no se ve chido siempre, entonces queda corregir eso. <em>Y aunque me tomó más tiempo del que quisiera, así nomás quedó, diría un cierto personaje.</em></p>
<p>El <code>ssg</code> modificado está en mis <a href="https://git.luevano.xyz/.dots">dotfiles</a> (o directamente <a href="https://git.luevano.xyz/.dots/tree/.local/bin/ssg">aquí</a>).</p>
<p>Por último, también quité las extensiones <code>.html</code> de las URLs, porque se veía bien pitero, pero igual los links con <code>.html</code> al final redirigen a su link sin <code>.html</code>, así que no hay rollo alguno.</p>]]></content:encoded>
</item>
<item>
<title>This is the first blog post, just for testing purposes</title>
<link>https://blog.luevano.xyz/a/first_blog_post.html</link>
<guid isPermaLink="true">https://blog.luevano.xyz/a/first_blog_post.html</guid>
<pubDate>Sat, 27 Feb 2021 13:08:33 GMT</pubDate>
<category>English</category>
<category>Short</category>
<category>Tools</category>
<category>Update</category>
<description>Just my first blog post where I state what tools I'm using to build this blog.</description>
<content:encoded><![CDATA[<p>I’m making this post just to figure out how <a href="https://www.romanzolotarev.com/ssg.html"><code>ssg5</code></a> and <a href="https://kristaps.bsd.lv/lowdown/"><code>lowdown</code></a> are supposed to work (and eventually also <a href="https://www.romanzolotarev.com/rssg.html"><code>rssg</code></a>).</p>
<p>At the moment, I’m not satisfied because there’s no automatic date insertion into the 1) html file, 2) the blog post itself and 3) the listing system in the <a href="https://blog.luevano.xyz/">blog homepage</a> (and there’s also the problem with the ordering of the entries…). And all of this just because I didn’t want to use <a href="https://github.com/LukeSmithxyz/lb">Luke’s</a> solution (don’t really like that much how he handles the scripts… <em>but they just work</em>).</p>
<p>Hopefully, for tomorrow all of this will be sorted out and I’ll have a working blog system.</p>]]></content:encoded>
</item>
</channel>
</rss>
|
