knowledgebase

Paritybit.ca Gemini-based Wiki
git clone https://git.sr.ht/~jbauer/knowledgebase

commit 9106099c1c79f498849b9cbaee1ab9f90d71c225
parent 7c413c392075f2addfdaf58d5e4ebc26e01c8d02
Author: Jake Bauer <jbauer@paritybit.ca>
Date:   Mon, 21 Feb 2022 17:27:52 -0500

Update server documentation

Diffstat:
Mindex.gmi | 15++++++++-------
Rsysadmin/homelab/freebsd-jail-based-server.gmi -> sysadmin/jaderune/freebsd-server.gmi | 0
Rsysadmin/homelab/openbsd-router.gmi -> sysadmin/openbsd-router.gmi | 0
Asysadmin/openbsd-server-details.gmi | 215+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Asysadmin/openbsd-server-overview.gmi | 74++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 297 insertions(+), 7 deletions(-)

diff --git a/index.gmi b/index.gmi @@ -21,13 +21,15 @@ ## Sysadmin -### Homelab/Home Services +### Paritybit.ca -=> /sysadmin/homelab/overview.gmi Overview of the Homelab -=> /sysadmin/homelab/openbsd-router.gmi OpenBSD Router -=> /sysadmin/homelab/freebsd-jail-based-server.gmi FreeBSD Jail-based Server -=> /sysadmin/homelab/freebsd-nas.gmi FreeBSD NAS -=> /sysadmin/homelab/backups.gmi Backups +=> /sysadmin/openbsd-server-overview.gmi OpenBSD Server Overview +=> /sysadmin/openbsd-server-details.gmi OpenBSD Server Details +=> /sysadmin/misskey.gmi Misskey Setup + +### Homelab + +=> /sysadmin/openbsd-router.gmi OpenBSD Router ### JadeRune.net @@ -36,7 +38,6 @@ ### Other -=> /sysadmin/misskey.gmi Misskey Setup => /sysadmin/tarsnap-backups-with-acts.gmi Tarsnap Backups With Acts => /sysadmin/goaccess-with-openbsd-httpd.gmi Using Goaccess with OpenBSD's httpd => /sysadmin/uw-imap.gmi UW IMAP Server Documentation diff --git a/sysadmin/homelab/freebsd-jail-based-server.gmi b/sysadmin/jaderune/freebsd-server.gmi diff --git a/sysadmin/homelab/openbsd-router.gmi b/sysadmin/openbsd-router.gmi diff --git a/sysadmin/openbsd-server-details.gmi b/sysadmin/openbsd-server-details.gmi 
@@ -0,0 +1,215 @@ +# OpenBSD Server Details + +This article gives a detailed look at the configuration of the services I run. An overview and rationale is available in the following article: + +=> /sysadmin/openbsd-server-overview.gmi + +## IPv6 + +Hetzner supports IPv6, but seemingly only through DHCPv6 or manual configuration. OpenBSD supports IPv6, but only using SLAAC or manual configuration. Therefore, some manual configuration in hostname.vio0 was needed to get IPv6 to work: + +```/etc/hostname.vio0 +dhcp +inet6 alias 2a01:4ff:f0:f61::1 64 +!route add -inet6 default fe80::1%vio0 +``` + +Note that Hetzner routes all IPv6 traffic for their cloud instances through fe80::1. + +## HTTP Server + +All of the domains are served by the following httpd configuration. It also handles the file server since that is done over http. + +```httpd +types { + include "/usr/share/misc/mime.types" +} + +# For certificate renewal +server "paritybit.ca" { + alias "jbauer.ca" + alias "ftp.paritybit.ca" + alias "git.paritybit.ca" + listen on * port 80 + location "/.well-known/acme-challenge/*" { + root "/acme" + request strip 2 + } + location * { + block return 301 "https://$HTTP_HOST$REQUEST_URI" + } +} + +# Redirect to WWW +server "paritybit.ca" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/paritybit.ca.fullchain.pem" + key "/etc/ssl/private/paritybit.ca.key" + } + hsts { + max-age 31536000 + preload + subdomains + } + location * { + block return 301 "https://www.paritybit.ca$REQUEST_URI" + } +} + +server "www.paritybit.ca" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/paritybit.ca.fullchain.pem" + key "/etc/ssl/private/paritybit.ca.key" + } + hsts { + max-age 31536000 + preload + } + + root "paritybit.ca" + + location match "/([^%.]+)$" { + request rewrite "/%1.html" + } +} + +server "jbauer.ca" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/paritybit.ca.fullchain.pem" + key "/etc/ssl/private/paritybit.ca.key" + } + hsts { + max-age 
31536000 + preload + subdomains + } + root "jbauer.ca" +} + +server "ftp.paritybit.ca" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/paritybit.ca.fullchain.pem" + key "/etc/ssl/private/paritybit.ca.key" + } + hsts { + max-age 31536000 + preload + } + root "ftp.paritybit.ca" + directory auto index +} + +server "git.paritybit.ca" { + listen on * tls port 443 + tls { + certificate "/etc/ssl/paritybit.ca.fullchain.pem" + key "/etc/ssl/private/paritybit.ca.key" + } + hsts { + max-age 31536000 + preload + } + root "git.paritybit.ca" +} +``` + +### Gemini Server + +vger configuration is extremely simple, since it just uses inetd and relayd: + +This is the inetd configuration: + +```inetd +127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger +``` + +And this is the relayd configuration: + +```relayd +log connection +tcp protocol "gemini" { + tls keypair paritybit.ca +} + +relay "gemini" { + listen on egress port 1965 tls + protocol "gemini" + forward to 127.0.0.1 port 11965 +} +``` + +/etc/ssl/paritybit.ca.fullchain.pem is symlinked to /etc/ssl/paritybit.ca.crt for relayd. + +### Finger Server + +The configuration in inetd for fingerd is: + +```inetd +finger stream tcp nowait _fingerd /usr/libexec/fingerd fingerd -lsmu +finger stream tcp6 nowait _fingerd /usr/libexec/fingerd fingerd -lsmu +``` + +A user (jbauer) was created with ~/.plan and ~/.project files which are displayed by fingerd. + +### Git Server + +The static pages generated by stagit are served using the configuration in httpd.conf. Git repositories live in /var/git and updates are pushed there using SSH. 
The git daemon for cloning using the git:// protocol is invoked using inetd with the following configuration: + +```inetd +git stream tcp nowait _gitdaemon /usr/local/bin/git git daemon --inetd --verbose --base-path=/var/git --export-all /var/git/ +git stream tcp6 nowait _gitdaemon /usr/local/bin/git git daemon --inetd --verbose --base-path=/var/git --export-all /var/git/ +``` + +The following script is run as an hourly cronjob to update the static pages and incorporate recently pushed changes. I may switch to using a post-receive hook instead of a cronjob if this doesn't end up fitting my needs. + +```stagit-update +#!/bin/sh + +# Pull and update all individual repos +for repo in /var/git/*; do + cd "$repo" + git fetch --force --prune + cd /var/www/git.paritybit.ca/"$(basename "$repo" .git)" + stagit "$repo" +done + +# Re-generate the index page +cd /var/www/git.paritybit.ca +stagit-index /var/git/* > index.html +``` + +The following script is used to make adding a new repository quicker and easier: + +```stagit-new +#!/bin/sh + +printf "Project Name: " +read name + +printf "Project Description: " +read desc + +#printf "Project URL: " +#read url +url="https://git.sr.ht/~jbauer/$name" + +#printf "Project Owner: " +#read owner +owner="Jake Bauer" + +cd /var/www/git.paritybit.ca +mkdir "$name" && cd "$name" +ln -s ../favicon.png . +ln -s ../logo.png . +ln -s ../style.css . + +cd /var/git +git clone --bare "$url" +echo "$desc" > "$name".git/description +echo "$owner" > "$name".git/owner +echo "$url" > "$name".git/url +``` diff --git a/sysadmin/openbsd-server-overview.gmi b/sysadmin/openbsd-server-overview.gmi 
@@ -0,0 +1,74 @@ +# OpenBSD Server Overview + +All paritybit.ca services (except Misskey) run off of a single OpenBSD VPS. + +This article gives an overview of the rationale and list of services running. Setup details are in the following article: + +=> /sysadmin/openbsd-server-details.gmi + +## Why OpenBSD? + +OpenBSD ships with sensible and secure defaults. OpenBSD has excellent documentation: I can use the system to learn about the system instead of looking things up on half-baked, SEO-optimized, outdated articles. OpenBSD has straightforward and easy to manage system components (daemons, init system, updating, etc). OpenBSD doesn't randomly break or unexpectedly change things out from under you when there's an update (they let you know about changes well in advance of you needing to upgrade). + +To summarize: OpenBSD isn't a pain. + +## Why a VPS? + +I wanted to run everything from home to avoid paying for a VPS, but this came with its own set of drawbacks. I would be unable to experiment with things on my home network without taking down my public-facing services, there is no IPv6 access from my ISP, the bandwidth is limited so if someone wanted to download a larger file from me or many people were accessing my site at once my own internet access would suffer, and the cost of a relatively powerful VPS is €3.99/month which is very affordable. + +## Hardware + +The VPS runs on a Hetzner CPX11 which has: + +* 2 EPYC-based vCPUs +* 2GB RAM +* 40GB SSD +* 20TB Bandwidth + +This amount of resources is about double than what the things I publicly host use, but it leaves room for more services and I didn't want to go lower than 2 vCPUs so that the server would be able to deal with influxes of traffic. + +The total cost is €3.99/month which is approximately CAD$5.80/month; less than a USD$5/month VPS with providers like Vultr and Linode for better hardware. 
+ +## Services + +The server hosts: an http server, a gemini server, a finger server, a git server, and a file sharing server. + +### HTTP Server + +The HTTP server uses OpenBSD's httpd which is very easy to configure and very light on resources. + +### Gemini Server + +I chose Solène Rapenne's vger as my gemini server. It uses OpenBSD's inetd to handle incoming connections and OpenBSD's relayd for TLS. + +=> https://tildegit.org/solene/vger vger gemini server + +### Finger Server + +OpenBSD's inetd is used to call OpenBSD's fingerd. + +### Git Server + +The "git server" is really nothing more than a git daemon to handle pushes and pulls and stagit to generate static pages for each repository so code and changes can be browsed from a web browser. + +=> https://codemadness.org/git/stagit/file/README.html stagit + +### File Server + +The file server is hosted over HTTP also using httpd. Although the subdomain is "ftp", the ftp daemon is not active as it doesn't actually provide any benefit or use over just serving files with HTTP. There are no users who need to upload their own files to the server and httpd and ftpd chroot to different locations which would complicate administration. + +## Software + +All of these services are run on the host machine. No "containers", "jails", or virtual machines are used. This was done intentionally to eliminate those as points of failure and administration headaches for a server that simply does not need to take advantage of those technologies. + +### Backups and Snapshots + +This server is not backed up. Configuration files are saved both here in this wiki and on my personal computer. If those are lost, they are easy to re-create anyways. All data on the server already lives in git repositories which are on sourcehut, my own machines, and the server itself. Files served by the file server are not critical and also already exist on my local machines. 
It is trivial to wipe away the server and re-create it so I have no need to pay extra for automated backups or tarsnap usage. + +Whenever updates are done or some significant change is needed, I can manually create a snapshot of the VPS in Hetzner's online console. + +### Mail + +Mail is set up using the configuration described in: + +=> /sysadmin/relaying-service-mail-with-opensmtpd.gmi
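Review bot: in the index.gmi hunk at -21,13 +21,15, five links are removed from the old Homelab section but only openbsd-router.gmi is linked again; the renamed sysadmin/jaderune/freebsd-server.gmi gets no new entry in the visible hunks, and /sysadmin/homelab/overview.gmi, freebsd-nas.gmi and backups.gmi are neither renamed nor deleted in the diffstat, so either add entries for the pages that still exist (for example `=> /sysadmin/jaderune/freebsd-server.gmi FreeBSD Server` under JadeRune.net) or remove those files so they do not linger as unlinked pages.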
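Review bot: in the sysadmin/openbsd-server-details.gmi hunk, the two git daemon inetd lines pass `--export-all`, which serves every repository under /var/git anonymously over git://, including anything pushed there over SSH that was never meant to be public; drop `--export-all` and mark the repositories that should be cloneable with a git-daemon-export-ok file (the stagit-new script is the natural place to create it). In the stagit-update script the `cd "$repo"` and `cd /var/www/git.paritybit.ca/...` calls are unchecked and there is no `set -e`, so when the www directory for a repository is missing, stagit writes its HTML into the current directory, which at that point is the bare repository itself; use `cd ... || continue` (or `|| exit 1`) after each cd. In httpd.conf the port-80 server lists jbauer.ca, ftp.paritybit.ca and git.paritybit.ca as aliases but not www.paritybit.ca, so add `alias "www.paritybit.ca"` there to make the ACME challenge path and the HTTPS redirect for the main hostname explicit rather than relying on fallback server matching.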
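Review bot: in the sysadmin/openbsd-server-overview.gmi hunk, the Git Server paragraph says the git daemon handles "pushes and pulls", but the details page added in this same commit states that updates are pushed over SSH and its inetd line invokes git daemon only for cloning over git:// without enabling receive-pack, so reword this to "a git daemon for anonymous clones over git://, with pushes over SSH" so the overview does not document write access that is not configured. Also, in the Why a VPS? paragraph the final clause about the €3.99/month price sits inside the list of drawbacks of hosting from home; splitting it into its own sentence ("Meanwhile, a relatively powerful VPS costs €3.99/month, which is very affordable.") keeps the list of drawbacks coherent.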