#!/usr/bin/sh

pandoc -f markdown -t html5 --self-contained --css=./pandoc.css --metadata=title:"glit.sh setup notes" << END_MARKDOWN

This document describes how you could set up a server like [glit.sh](https://glit.sh) yourself. It's also a reminder of how I set this server up, so that I can figure out what's going on when I look back at this in a week ;)

It's still a work in progress - see [my TODO list](./todo.sh) for the stuff I want to get to but haven't yet :)

I'm running on a [DigitalOcean](https://www.digitalocean.com/) \$5/month machine, running \`$(sed "s/\\\n\ \\\l//g" /etc/issue)\` in the \`$(curl http://169.254.169.254/metadata/v1/region)\` region. I have DigitalOcean's weekly backups turned on in addition to the daily tarsnap backups described below, for redundancy.

**DO NOT** use a floating IP - you will not be able to send outbound mail if you do. The name of the droplet should be the hostname that you will be sending mail from, so that the PTR record is set correctly.

Note that there may be some path-dependency issues in this document, particularly around the HTTPS setup - I'm not describing things in exactly the order I did them, since a lot of this doc pulls info and config files from the running system.

## dns setup

* Add \`A\` and \`AAAA\` records for \`@\` and \`src\`
* Add \`CAA\` record \`issue\` - \`letsencrypt.org\` for \`@\` and \`src\`
* Add \`MX\` pointing to \`glit.sh\` (I set priority 10, but it doesn't matter)
* Add \`TXT\` record for \`@\` set to \`v=spf1 a mx -all\`.
* DKIM is also configured, but you need to wait until you've generated the keys to set that up :)
* Add a \`TXT\` record for \`_dmarc\` set to \`v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:wesleyac@glit.sh; ruf=mailto:wesleyac@glit.sh; rf=afrf; pct=100; ri=86400\` (wait until you've set up DKIM to do this)
* I added a \`CNAME\` record for [\`status\`](https://status.glit.sh/), to point to \`qkka.status.updown.io\`.

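As an added example (my own code, not part of these notes and not anything running on glit.sh), here is an offline sanity checker for the three mail-authentication TXT records in the list above. The SPF and DMARC sample values are the ones from the list; the DKIM sample is a constructed record with a placeholder key standing in for the value that opendkim-genkey writes out in the dkim section further down. It goes a bit beyond the list: it flags +all and ?all, the deprecated ptr mechanism, SPF's 10-DNS-lookup limit, a monitor-only p=none policy, missing rua, and an empty (revoked) DKIM key. It never queries DNS, so run it on the strings you are about to paste into the DNS console.

```python
import re

# Constructed sample records: SPF and DMARC are the values from the dns
# setup list above; the DKIM key is a placeholder, not a real public key.
SAMPLE_SPF = "v=spf1 a mx -all"
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; sp=quarantine; "
                "rua=mailto:wesleyac@glit.sh; ruf=mailto:wesleyac@glit.sh; "
                "rf=afrf; pct=100; ri=86400")
SAMPLE_DKIM = "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8APLACEHOLDER"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"a", "mx", "include", "ptr", "exists", "redirect"}
SPF_MECHANISMS = {"all", "a", "mx", "ip4", "ip6", "include", "ptr", "exists"}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM style) into an ordered list."""
    tags = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: " + part)
        tags.append((name.strip().lower(), value.strip()))
    return tags


def check_spf(record):
    """Return a list of problems with an SPF record; an empty list means it passed."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split("[:/=]", body, maxsplit=1)[0].lower()
        if name not in SPF_MECHANISMS and name != "redirect":
            problems.append("unknown term " + term)
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all" and qualifier in "+?":
            problems.append(term + " lets any host pass; use -all or ~all")
        if name == "ptr":
            problems.append("ptr is deprecated and slow; prefer a/mx/ip4/ip6")
    if lookups > 10:
        problems.append("%d DNS lookups exceeds the limit of 10" % lookups)
    if terms[-1].lower() != "-all":
        problems.append("record should end with -all so unlisted hosts hard-fail")
    return problems


def check_dmarc(record):
    """Return a list of problems with a DMARC record; empty means it is sane."""
    problems = []
    tags = parse_tags(record)
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["record must start with v=DMARC1"]
    found = dict(tags)
    policy = found.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if "sp" in found and found["sp"] not in ("none", "quarantine", "reject"):
        problems.append("sp must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        if tag in found and not all(u.strip().startswith("mailto:") for u in found[tag].split(",")):
            problems.append(tag + " entries must be mailto: URIs")
    if "rua" not in found:
        problems.append("no rua address, so you will never see aggregate reports")
    pct = found.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct must be an integer 0..100")
    return problems


def check_dkim(record):
    """Return a list of problems with a DKIM public-key record (the selector._domainkey TXT value)."""
    problems = []
    tags = parse_tags(record)
    found = dict(tags)
    # v= is optional in DKIM, but when present it must be first and be DKIM1
    if "v" in found and tags[0] != ("v", "DKIM1"):
        problems.append("v, when present, must be the first tag and be DKIM1")
    if found.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported key type " + found["k"])
    key = found.get("p")
    if key is None:
        problems.append("missing p= public key")
    elif key == "":
        problems.append("empty p= means the key is revoked; no mail will verify")
    elif not re.fullmatch("[A-Za-z0-9+/]+=*", key):
        problems.append("p= is not base64")
    return problems
```

Each checker returns a list of human-readable problems rather than raising, so you can run all three and print whatever comes back before touching DNS; an empty list for all three is the state you want before you flip DMARC from p=none to p=quarantine.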
## web server setup

### install software

\`\`\`bash
apt update
apt upgrade
apt install lighttpd git socat # important
apt install curl telnet man htop tmux strace lsof expect make dtrx pandoc # just for fun (and rendering this doc!)
\`\`\`

### HTTPS Setup

Do this as root, in your home directory (\`/root/\`).

\`\`\`bash
git clone https://github.com/Neilpang/acme.sh.git
(cd ./acme.sh && ./acme.sh --install)
mkdir -vp /var/www/html/.well-known/acme-challenge/
chown -R www-data:www-data /var/www/html/.well-known/acme-challenge/
chmod -R 0555 /var/www/html/.well-known/acme-challenge/
mkdir -p /etc/lighttpd/ssl/glit.sh/
(cd /etc/lighttpd/ssl/glit.sh/ && openssl dhparam -out dhparam.pem -dsaparam 4096)
# log out and in again to get acme.sh in your path
acme.sh --issue -w /var/www/html -d glit.sh -d src.glit.sh -k 4096
\`\`\`

Set \`/root/.acme.sh/glit.sh/hook.sh\` to contain:

\`\`\`bash
$(cat /root/.acme.sh/glit.sh/hook.sh)
\`\`\`

Then run:

\`\`\`bash
chmod +x .acme.sh/glit.sh/hook.sh
acme.sh --installcert -d glit.sh -d src.glit.sh \\
    --capath /etc/lighttpd/ssl/glit.sh/ca.cer \\
    --reloadcmd /root/.acme.sh/glit.sh/hook.sh
\`\`\`

### \`lighttpd\` setup

\`\`\`bash
rm /etc/lighttpd/conf-enabled/99-unconfigured.conf
touch /var/log/lighttpd/access.log
chown www-data:www-data /var/log/lighttpd/access.log
\`\`\`

Set \`/etc/lighttpd/lighttpd.conf\` to contain the following:

\`\`\`
$(cat /etc/lighttpd/lighttpd.conf)
\`\`\`

This gets me an A+ on the [SSL Labs](https://www.ssllabs.com/ssltest/analyze.html?d=glit.sh) test :)

### view source details

make a \`/root/viewsrc.sh\` file:

\`\`\`bash
$(cat /root/viewsrc.sh)
\`\`\`

this is to prevent a shebang line containing a colon from being parsed as an HTTP header.

## postfix setup

\`\`\`bash
apt install mailutils postfix # select "Internet Site" in postfix config
\`\`\`

edit \`/etc/postfix/main.cf\` to contain the following (change the \`mydestination\` line):

\`\`\`
$(cat /etc/postfix/main.cf)
\`\`\`

restart postfix:

\`\`\`bash
systemctl restart postfix
\`\`\`

try to send mail:

\`\`\`bash
echo "<3 <3 <3" | mail -s "Glit.sh test email" me@wesleyac.com
\`\`\`

discover that you're on the CBL blacklist. Remove the host from the CBL blacklist. Try to send mail again. Discover that you're greylisted by Fastmail. Cry.

The [SparkPost Authentication Checker](https://www.sparkpost.com/email-tools/authentication-checker/) may be useful for verifying that SPF is set up correctly.

### dkim setup

\`\`\`bash
apt install opendkim opendkim-tools
opendkim-genkey -D /etc/dkimkeys/ -d glit.sh -s mail
chown opendkim:opendkim /etc/dkimkeys/*
chmod go-rwx /etc/dkimkeys/*
mkdir -p /var/spool/postfix/var/run/opendkim
chown opendkim. /var/spool/postfix/var/run/opendkim
chmod go-rwx /var/spool/postfix/var/run/opendkim
chmod g+x /var/spool/postfix/var/run/opendkim
\`\`\`

edit \`/etc/opendkim.conf\`:

\`\`\`
$(cat /etc/opendkim.conf)
\`\`\`

create \`/etc/dkimkeys/keytable\`:

\`\`\`
$(cat /etc/dkimkeys/keytable)
\`\`\`

create \`/etc/dkimkeys/signingtable\`:

\`\`\`
$(cat /etc/dkimkeys/signingtable)
\`\`\`

create \`/etc/dkimkeys/trustedhosts\`:

\`\`\`
$(cat /etc/dkimkeys/trustedhosts)
\`\`\`

\`\`\`bash
systemctl restart opendkim
adduser postfix opendkim
\`\`\`

Make a DNS TXT record based on \`/etc/dkimkeys/mail.txt\`.

## firewall setup

\`\`\`bash
apt install ufw
ufw allow ssh
ufw allow http
ufw allow https
ufw allow 25
ufw enable
\`\`\`

## add a user!
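Users get added two ways in this section: by hand with the commands below, and through the mkusers.py listener on localhost:420, which is pulled in from the running server and is not reproduced here. Whatever that listener accepts ends up as an argument to adduser, so as an added example (my own code, not mkusers.py and not anything from these notes) here is the input validation such a service needs: a strict username pattern, a reserved-name list, and an argv list built for subprocess so no shell ever sees the name. The JSON request shape, the reserved-name set and the adduser flags are my assumptions.

```python
import json
import re

# Portable POSIX username: starts with a lowercase letter or underscore, then
# letters, digits, '_' or '-', at most 32 characters in total. This is the
# pattern Debian's adduser accepts by default (assumption: adjust if you
# deliberately allow other names).
USERNAME_RE = re.compile("[a-z_][a-z0-9_-]{0,31}")

# System accounts this server already has (constructed list); the listener
# must refuse them even though they match the pattern.
RESERVED = {"root", "postfix", "opendkim", "www-data", "sshd"}


def validate_username(name):
    """Return None if name is safe to hand to adduser, otherwise a reason string."""
    if not isinstance(name, str):
        return "username must be a string"
    if not USERNAME_RE.fullmatch(name):
        return "username must match [a-z_][a-z0-9_-]{0,31}"
    if name in RESERVED:
        return "username is reserved"
    return None


def adduser_argv(name):
    """Build the adduser command as an argv list so subprocess never goes through a shell."""
    reason = validate_username(name)
    if reason is not None:
        raise ValueError(reason)
    # --disabled-password: the account has no password at all, logins are by SSH key
    # --gecos "": answers the full-name prompt so the service cannot hang on stdin
    return ["adduser", "--disabled-password", "--gecos", "", name]


def handle_request(body):
    """Parse one request body and return (http_status, response_dict).

    Assumed request shape: {"username": "..."}. The caller is expected to
    run subprocess.run(response["argv"], check=True) on a 200, with the
    socket bound to 127.0.0.1 only, as the ufw rules above already imply.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return 400, {"error": "body must be JSON"}
    if not isinstance(data, dict) or "username" not in data:
        return 400, {"error": "missing username"}
    reason = validate_username(data["username"])
    if reason is not None:
        return 400, {"error": reason}
    return 200, {"argv": adduser_argv(data["username"])}


if __name__ == "__main__":
    for sample in ('{"username": "wesleyac"}', '{"username": "Bob Smith"}',
                   '{"username": "root"}', "not json"):
        print(sample, "->", handle_request(sample))
```

The point of returning an argv list rather than a command string is that the only thing adduser ever receives is a name that already matched the pattern; there is no string for a stray semicolon, space or quote to land in. Keep the validation in one function so the manual path and the listener can share it.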
\`\`\`bash
adduser wesleyac
usermod -aG sudo wesleyac
mkdir /home/wesleyac/.ssh
chown wesleyac:wesleyac /home/wesleyac/.ssh/
cp .ssh/authorized_keys /home/wesleyac/.ssh/authorized_keys
chown wesleyac:wesleyac /home/wesleyac/.ssh/authorized_keys
\`\`\`

there's a script at \`/root/mkusers.py\` that listens on \`localhost:420\` for requests to add users:

\`\`\`python
$(cat /root/mkusers.py)
\`\`\`

and a systemd file to start it on boot at \`/lib/systemd/system/mkusers.service\`:

\`\`\`
$(cat /lib/systemd/system/mkusers.service)
\`\`\`

which you can enable via:

\`\`\`bash
systemctl start mkusers
systemctl enable mkusers
\`\`\`

## disable ssh root and password login

*(i might undo this soon, this is just while i have really weak passwords set for testing)*

edit \`/etc/ssh/sshd_config\`:

\`\`\`
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
\`\`\`

\`\`\`bash
sudo systemctl reload ssh
\`\`\`

## set up backups via [tarsnap](http://www.tarsnap.com/)

\`\`\`bash
apt install gpg
wget https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc # verify signature
apt-key add tarsnap-deb-packaging-key.asc
echo "deb http://pkg.tarsnap.com/deb/\$(lsb_release -s -c) ./" | sudo tee -a /etc/apt/sources.list.d/tarsnap.list
apt-get update
apt install tarsnap
tarsnap-keygen --keyfile /root/tarsnap-main.key --user me@wesleyac.com --machine glitsh
tarsnap-keymgmt --outkeyfile tarsnap.key -w tarsnap-main.key
# save tarsnap-main.key somewhere safe then delete it from the server
\`\`\`

make a \`/root/tarsnap-backup.sh\` file:

\`\`\`bash
$(cat /root/tarsnap-backup.sh)
\`\`\`

and go ahead and run it to check that it works (including checking that backup restore works!)

and to \`/etc/crontab\`, add:

\`\`\`
11 4 * * * root /root/tarsnap-backup.sh
\`\`\`

to make a daily backup task. check back later to see that it worked.

# you're done! enjoy <3

END_MARKDOWN