From be0a9dfcbd5ea62eca32f3cebb104ae39855a4f2 Mon Sep 17 00:00:00 2001 From: joshua Date: Fri, 29 Dec 2023 23:18:01 -0500 Subject: updated wiki on how to make server --- docs/server/cgit.md | 141 ++++++++++++++++++++++++++++++++++++++++++++++++++ docs/server/ddns.md | 49 ++++++++++++++++++ docs/server/server.md | 130 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 320 insertions(+) create mode 100644 docs/server/cgit.md create mode 100644 docs/server/ddns.md create mode 100644 docs/server/server.md (limited to 'docs/server') diff --git a/docs/server/cgit.md b/docs/server/cgit.md new file mode 100644 index 0000000..72db5ed --- /dev/null +++ b/docs/server/cgit.md @@ -0,0 +1,141 @@ +# Cgit with gitolite and caddy + +## Setup + +Install dependencies. + + # apt install cgit python-is-python3 python3-pygments python3-markdown docutils-common groff perl + +Make a git user. + + sudo adduser --system --shell /bin/bash --group --disabled-password --home /home/git git + +Allow ssh passwordless login. + + usermod -p '*' username + +## Gitolite + +Install the [gitolite](https://gitolite.com/gitolite/install.html) package from the repository directly. + +### Configuration with cgit + +Configuration of gitolite is done by modifying `$HOME/.gitolite.rc`. + +To work correctly with cgit, gitweb and cgit configuration options need to work with gitolite. + +Change: + + GIT_CONFIG_KEYS => '', + +To: + + GIT_CONFIG_KEYS => '.*', + +To have permissions work correctly, + +Change: + + UMASK => 0077, + +To: + + UMASK => 0027, + +In the `ENABLE` field, add gitweb and cgit to the list. + +### Usage + +Detailed usage of gitolite can be found [here](https://gitolite.com/gitolite/basic-admin.html) + +### Repository ignore + +After cgit is configured, cgit can be told to ignore a repo with this syntax. + + repo gitolite-admin + config cgit.ignore=1 + +### Adding Hooks to gitolite + +This [page](https://gitolite.com/gitolite/cookbook#adding-other-non-update-hooks) details how to add hooks to your repositories. + +Example hook that updates a website every git push. Make sure this directory is owned by git. + + #!/bin/sh + GIT_WORK_TREE=/desired/website/directory git checkout -f + + +## Cgit + +### Running cgit with caddy + +Install the [fcgiwrap](https://packages.debian.org/bookworm/fcgiwrap) package. + +Create a systemd service that wraps cgit with FastCGI. + + # systemctl edit --full --force cgit.service + + + + [Unit] + Description=CGI web interface to the Git SCM + After=network.target + + [Service] + Type=exec + ExecStart=fcgiwrap -f -p "/usr/lib/cgit/cgit.cgi" -s tcp:127.0.0.1:8999 + + [Install] + WantedBy=multi-user.target + + + + # systemctl start cgit + +Add cgit configuration to caddy. + + git.joshuayun.com { + handle_path /cgit-css/* { + root * /usr/share/cgit/ + file_server + } + + handle { + reverse_proxy localhost:8999 { + transport fastcgi { + env DOCUMENT_ROOT /usr/lib/cgit/ + env SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi + } + } + } + } + + +## Cgit configuration + +More detailed documentation can be found on the cgitrc(5) [manual](https://linux.die.net/man/5/cgitrc). + +enable-git-config is used to allow for gitweb.* configurations in gitolite, e.g. description, owner. + + + enable-git-config=1 + +project-list sets where cgit looks for projects, this list is the one updated by gitolite + + project-list=/home/git/projects.list + +scan-path sets where the actual git repositories live + + scan-path=/home/git/repositories + +## References + +[SixFoisNeuf](https://www.sixfoisneuf.fr/posts/setting-up-cgit-with-caddy2/) Used this blog to run cgit using fcgiwrap rather than a caddy plugin. The entire cgit with caddy section was using his work. + +[Mateja Maric](https://matejamaric.com/blog/git-server/) Used this blog to help configure cgitrc, gitolite.rc + +[Luke Hsiao](https://luke.hsiao.dev/blog/cgit-caddy-gitolite/) Used the git user creation command from this blog. + +[Omar Polo (yumh)](https://www.omarpolo.com/post/cgit-gitolite.html) Used this blog to help configure cgitrc for hidden repos. + +[Bryan Brattlof](https://bryanbrattlof.com/cgit-nginx-gitolite-a-personal-git-server/) Not much used here, kept as reference. diff --git a/docs/server/ddns.md b/docs/server/ddns.md new file mode 100644 index 0000000..f81f5d7 --- /dev/null +++ b/docs/server/ddns.md @@ -0,0 +1,49 @@ +# DDNS Setup + +## Porkbun API + +Follow this [porkbun](https://kb.porkbun.com/article/190-getting-started-with-the-porkbun-api) guide on enabling the api for your domain. + +## ddns-updater + +[ddns-updater](https://github.com/qdm12/ddns-updater) is the program used to update Porkbun's A record of your domain. + +### Docker install + +Install the [docker](https://docs.docker.com/engine/install/debian/) package from official docker repositories. + +### Setup + +Create a directory with config.json inside, and make sure that its owner has a uid of 1000. + + mkdir data + touch data/config.json + # Owned by user ID of Docker container (1000) + chown -R 1000 data + # all access (for creating json database file data/updates.json) + chmod 700 data + # read access only + chmod 400 data/config.json + +Configuration for porkbun in config.json + + { + "settings": [ + { + "provider": "porkbun", + "domain": "domain.com", + "host": "@", + "api_key": "PORKBUN SECRET KEY", + "secret_api_key": "PORKBUN API KEY", + "ip_version": "ipv4" + } + ] + } + +Optional `"ttl"` paramter specifing A record TTL not included. + +### Usage + docker run -d -p 8000:8000/tcp -v "$(pwd)"/data:/updater/data qmcgaw/ddns-updater + +This will start a docker container that will start updating the DNS records. +Status updates can be seen in a web server by going to localhost:8000. diff --git a/docs/server/server.md b/docs/server/server.md new file mode 100644 index 0000000..a5381f4 --- /dev/null +++ b/docs/server/server.md @@ -0,0 +1,130 @@ +# Homelab Server Setup + +This page describes how I setup my personal webserver + +I'm hosting a website, wiki, caldav using Radicale, git using cgit and Gitolite, and webdav support + +## Linux Distribution Used + +Debian 12 Bookworm. + +Update the system. + + # apt update + # apt upgrade + +## SSH + +Generate ssh keys + + ssh-keygen -t [keytype] + +Add ssh keys to `~/.ssh/authorized_keys` + + ssh-copy-id -i /path/to/pubkey [user@]machine + +### Optional security enhancements + +Change the port in `/etc/sshd_config` to a nonstandard port to harden security. + + Port 1234 + +Disable password login in `/etc/sshd_config/` + + PubkeyAuthentication yes + ChallengeResponseAuthentication no + PasswordAuthentication no + KbdInteractiveAuthentication no + UsePAM no + +Disable XForwarding + + X11Forwarding no + +Disable remote root login + + PermitRootLogin no + +## DDNS + +Setup [Dyanmic DNS (ddns) with Porkbun and ddns-updater](ddns.md). + +## Caddy + +Install the [Caddy](https://caddyserver.com/docs/install#debian-ubuntu-raspbian) package from Caddy directly. + +## Cgit & gitolite + +Setup [cgit with gitolite and caddy](cgit.md). + +## Radicale + +Install the [Radicale](https://packages.debian.org/bookworm/radicale) package. + +Start the Radicale service. + + systemctl enable radicale.service + systemctl start radicale.service + +Generate secure passwords using htpasswd. + + # Create a new htpasswd file with the user "user1" + $ htpasswd -c /path/to/users user1 + New password: + Re-type new password: + # Add another user + $ htpasswd /path/to/users user2 + New password: + Re-type new password: + +Edit configuration to add users + + [auth] + type = htpasswd + htpasswd_filename = /path/to/users + # encryption method used in the htpasswd file + htpasswd_encryption = md5 + +Add configuration to caddy. + + caldav.joshuayun.com { + handle_path /* { + reverse_proxy localhost:5232 { + header_up X-Script-Name /radicale + } + } + handle_path /radicale/* { + reverse_proxy localhost:5232 { + header_up X-Script-Name /radicale + } + } + } + + +## Webdav + +Add the Webdav module to Caddy. + + sudo caddy add-package github.com/mholt/caddy-webdav + sudo systemctl restart caddy + +Add Webdav to the Caddy configuration + +Example configuration with protected file browsing, see the [github](https://github.com/mholt/caddy-webdav) for more configurations. + + + webdav.joshuayun.com { + @get method GET + root * WEBDAV_PATH + route { + basicauth { + joshua CADDY_HASH + } + file_server @get browse + webdav + } + } + +To generate the hash: + + caddy hash-password -- cgit v1.2.3