summaryrefslogblamecommitdiff
path: root/docs/server/server.md
blob: 22dc5512a310eaf19590e49f16cba66678387528 (plain) (tree) 
be0a9df ^















































8cb4eb2 ^




be0a9df ^



















































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

48
49
50
51

52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134















































                                                                                                   



                                         


















































































                                                                                                                                    
# Homelab Server Setup

This page describes how I setup my personal webserver

I'm hosting a website, wiki, caldav using Radicale, git using cgit and Gitolite, and webdav support

## Linux Distribution Used

Debian 12 Bookworm.

Update the system.

	# apt update
	# apt upgrade

## SSH

Generate ssh keys

	ssh-keygen -t [keytype]

Add ssh keys to `~/.ssh/authorized_keys`

	ssh-copy-id -i /path/to/pubkey [user@]machine

### Optional security enhancements

Change the port in `/etc/sshd_config` to a nonstandard port to harden security.

	Port 1234

Disable password login in `/etc/sshd_config/`

	PubkeyAuthentication yes
	ChallengeResponseAuthentication no
	PasswordAuthentication no
	KbdInteractiveAuthentication no
	UsePAM no

Disable XForwarding

	X11Forwarding no

Disable remote root login

	PermitRootLogin no

Disable root account

	$ sudo chsh -s /sbin/nologin root

## DDNS

Setup [Dyanmic DNS (ddns) with Porkbun and ddns-updater](ddns.md).

## Caddy

Install the [Caddy](https://caddyserver.com/docs/install#debian-ubuntu-raspbian) package from Caddy directly.

## Cgit & gitolite

Setup [cgit with gitolite and caddy](cgit.md).

## Radicale

Install the [Radicale](https://packages.debian.org/bookworm/radicale) package.

Start the Radicale service.

	systemctl enable radicale.service
	systemctl start radicale.service

Generate secure passwords using htpasswd.

	# Create a new htpasswd file with the user "user1"
	$ htpasswd -c /path/to/users user1
	New password:
	Re-type new password:
	# Add another user
	$ htpasswd /path/to/users user2
	New password:
	Re-type new password:

Edit configuration to add users

	[auth]
	type = htpasswd
	htpasswd_filename = /path/to/users
	# encryption method used in the htpasswd file
	htpasswd_encryption = md5

Add configuration to caddy.

	caldav.joshuayun.com {
		handle_path /* {
			reverse_proxy localhost:5232 {
			header_up X-Script-Name /radicale
			}
		}
		handle_path /radicale/* {
			reverse_proxy localhost:5232 {
				header_up X-Script-Name /radicale
			}
		}
	}


## Webdav

Add the Webdav module to Caddy.

	sudo caddy add-package github.com/mholt/caddy-webdav
	sudo systemctl restart caddy

Add Webdav to the Caddy configuration

Example configuration with protected file browsing, see the [github](https://github.com/mholt/caddy-webdav) for more configurations.


	webdav.joshuayun.com {
		@get method GET
		root * WEBDAV_PATH
		route {
			basicauth {
				joshua CADDY_HASH
			}
			file_server @get browse
			webdav
		}
	}

To generate the hash:

	caddy hash-password
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-10 03:12:21 +0000