+++ /dev/null
-server
-======
-
-Configuration files for services deployed on a server. Each directory contains
-files for a single service. For example,
-
-sshd -- Configuration for the SSH server service.
-|
-|-> README -- Instructions for working with the service.
-|-> sshd_config -- Configuration of the service.
-`-> ssh.service -- systemd [1] unit file for the service.
-
-[1] systemd :: https://www.freedesktop.org/software/systemd/man/systemd.html
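Review bot: deleting the top-level README removes the only description of the repository layout (one directory per service, each holding a README, the service's configuration and its systemd unit) together with the systemd reference `[1]` that the per-service files pointed at. Suggest keeping a short top-level README with that layout paragraph, or at least moving the `[1] systemd :: https://www.freedesktop.org/software/systemd/man/systemd.html` line into the sshd directory, which is where the `ssh.service` unit is installed from.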
Install
-------
-```
-$ mkdir certs
-$ mkdir --mode=700 private certs/private
-```
-
Answer "." to each option except for `commonName`. Enter a password. `.pem` is an
instance of `.crt` [1].
dovecot -n
```
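Review bot: removing `$ mkdir --mode=700 private certs/private` drops the only step that created a restricted directory for the private key, while the retained text still walks through generating one ("Enter a password.") without saying where it is written. Either keep the mkdir line or state the target path and its permissions (a 0700 directory with a 0600 key file) next to the generation step, so that the `dovecot -n` check that follows has a defined certificate path to show. Note also that the removed command created two directories, `private` and `certs/private`; if only `certs/private` was intended, that is a reason to rewrite the line rather than delete it.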
-Files
------
-
-dovecot
-|
-|-> dovecot.conf -- /etc/dovecot/
-|-> dovecot-dict-auth.conf.ext -- /etc/dovecot/
-|-> dovecot-dict-sql.conf.ext -- /etc/dovecot/
-|-> dovecot-sql.conf.ext -- /etc/dovecot/
-|-> 10-auth.conf -- /etc/dovecot/conf.d/
-|-> 10-director.conf -- /etc/dovecot/conf.d/
-|-> 10-logging.conf -- /etc/dovecot/conf.d/
-|-> 10-mail.conf -- /etc/dovecot/conf.d/
-|-> 10-master.conf -- /etc/dovecot/conf.d/
-|-> 10-ssl.conf -- /etc/dovecot/conf.d/
-|-> 10-tcpwrapper.conf -- /etc/dovecot/conf.d/
-|-> 15-lda.conf -- /etc/dovecot/conf.d/
-|-> 15-mailboxes.conf -- /etc/dovecot/conf.d/
-|-> 20-imap.conf -- /etc/dovecot/conf.d/
-|-> 20-lmtp.conf -- /etc/dovecot/conf.d/
-|-> 90-acl.conf -- /etc/dovecot/conf.d/
-|-> 90-plugin.conf -- /etc/dovecot/conf.d/
-|-> 90-quota.conf -- /etc/dovecot/conf.d/
-|-> auth-checkpassword.conf.ext -- /etc/dovecot/conf.d/
-|-> auth-deny.conf.ext -- /etc/dovecot/conf.d/
-|-> auth-dict.conf.ext -- /etc/dovecot/conf.d/
-|-> auth-master.conf.ext -- /etc/dovecot/conf.d/
-|-> auth-passwdfile.conf.ext -- /etc/dovecot/conf.d/
-|-> auth-sql.conf.ext -- /etc/dovecot/conf.d/
-|-> auth-static.conf.ext -- /etc/dovecot/conf.d/
-`-> auth-system.conf.ext -- /etc/dovecot/conf.d/
-
-SSL
+DNS
---
Add DNS records. If no MX record is present, mail servers fall back to the A
_dmarc.example.com. 0 TXT v=DMARC1; p=none; rua=mailto:<email>
```
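Review bot: renaming the heading from SSL to DNS is fine (the `---` underline still matches), but the deleted Files tree above it was the only record of which files belong in `/etc/dovecot/` (`dovecot.conf`, the `dovecot-sql.conf.ext` and `dovecot-dict-*.conf.ext` files) and which in `/etc/dovecot/conf.d/` (`10-*.conf` through `90-*.conf` and the `auth-*.conf.ext` includes). Suggest a one-line pointer to those two directories in the remaining text, since `dovecot -n` is still offered as the check for the merged configuration. On the retained DMARC line, `p=none` is a monitoring-only policy; a short note that it is the starting point, and that the aggregate reports sent to the `rua` address are what justify moving to `quarantine` or `reject`, would help the next reader.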
-Install `certbot`.
-
-```
-$ apt install certbot
-```
-
-Create a certificate with a generic name and add all domains under it.
-
-```
-$ certbot certonly --manual --preferred-challenges dns --cert-name mail \
- -d mail.<domain1> -d mail.<domain2>
-```
-
-Install
--------
-
-Each package corresponds to a plugin:
-
-```
-$ apt install dovecot-imapd dovecot-lmtpd dovecot-pgsql
-```
-
-Tables
-------
+Database
+--------
Create database `mail_db`.
Mailbox
-------
-Use `vmail` user for virtual mailboxes.
-
-```
-$ useradd --home-dir /var/vmail --shell /usr/sbin/nologin --lock \
- --create-home vmail
-$ touch /var/log/dovecot.log /var/log/dovecot-info.log
-$ chown vmail:vmail /var/log/{dovecot.log,dovecot-info.log}
-```
-
Create mailboxes.
```
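Review bot: deleting the `vmail` user creation loses the security-relevant part of the mailbox setup: the `useradd --home-dir /var/vmail --shell /usr/sbin/nologin --lock --create-home vmail` line gave the mail store an account with no interactive shell and no usable password, and the `touch`/`chown vmail:vmail` lines made the two Dovecot log files writable by that account only. The retained step "Create mailboxes." still assumes `vmail` and `/var/vmail` exist, so either keep those four commands or name the README that now creates the account. The same region also drops the `certbot certonly --manual --preferred-challenges dns --cert-name mail -d mail.<domain1> -d mail.<domain2>` procedure and the `apt install dovecot-imapd dovecot-lmtpd dovecot-pgsql` package list; with the nginx README's certbot section removed in this same change, nothing left in the repository says where the certificate used by the SSL configuration comes from or which dovecot packages provide the IMAP, LMTP and SQL plugins. Add a pointer or restore those two blocks.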
clients. If the frequency of failed logins increases sharply (DDoS attack),
`fail2ban` will temporarly ban the specific IP address for that service.
-Files
------
-
-fail2ban
-|
-|-> paths-common.conf -- /etc/fail2ban/
-|-> fail2ban.local -- /etc/fail2ban/
-`-> jail.local -- /etc/fail2ban/
-
-Install
--------
-
-```
-$ apt install fail2ban
-```
-
Programs
--------
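Review bot: removing the Files tree loses the statement that `fail2ban.local` and `jail.local` are the local override files under `/etc/fail2ban/` (the packaged `fail2ban.conf`/`jail.conf` are overwritten on upgrade, the `.local` files are not), and `apt install fail2ban` was the only install step. The "Programs" section that follows presumably lists the jails to enable; it should say those entries belong in `jail.local`. The unchanged description above calls a sharp rise in failed logins a "DDoS attack" and has the typo "temporarly"; both are outside this change, but worth a follow-up, since what the log-based bans actually address is password guessing against the service.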
git
===
-Files
------
-
-gitweb
-|
-`-> gitweb.conf -- /etc
-
DNS
---
<domain> AAAA <IPv6 address>
git.<domain> CNAME <domain>
-SSL
----
-
-Obtain a certificate with `certbot-nginx`.
-
-Install
--------
-
-Install packages.
-
-```
-$ apt install fcgiwrap gitweb
-```
-
-Start services.
-
-```
-$ systemctl start fcgiwrap
-```
-
Notes
-----
-Create a new user.
-
-```
-$ apt install git
-$ adduser git # <password> <password>
-```
-
-Allow connection only with SSH keys.
-
-```
-$ chmod 400 ${SSH_DIR}/id_rsa*
-$ ssh-copy-id -i ${SSH_DIR}/id_rsa git@<server-ip>
-```
-
-Login with SSH key.
-
-```
-$ ssh -i ${SSH_DIR}/id_rsa git@<server>
-```
-
-Disable login with password.
-
-```
-$ passwd --lock git
-```
-
Create new bare repository.
```
-$ mkdir <repository>
$ git init --bare <repository>
```
Put repositories under `/srv/git` and change ownership.
```
-$ chgrp -R www-data /srv/git
+$ chown -R git:www-data /srv/git
```
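Review bot: the user creation (`adduser git`), the SSH-key-only login instructions and the `passwd --lock git` step ("Disable login with password") are all removed without a replacement, so this README no longer says how the `git` account is created or that password login for it is disabled, while the retained `chown -R git:www-data /srv/git` still requires the account to exist. If password login is now enforced off globally in the sshd README (`PasswordAuthentication no` in `sshd_config`), reference that here; otherwise keep the creation and lock steps. The change from `chgrp -R www-data /srv/git` to `chown -R git:www-data /srv/git` is an improvement (repositories are owned by the account that pushes, with group access for gitweb), and dropping `mkdir <repository>` is correct because `git init --bare <repository>` creates the directory itself. If the removed SSH block is ever restored, `chmod 400 ${SSH_DIR}/id_rsa*` also applies 0400 to the public key, which is harmless but unnecessary.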
<domain> AAAA <IPv6 address>
matrix.<domain> CNAME <domain>
-SSL
----
-
-Obtain a certificate with `certbot-nginx`.
-
-Files
------
-
-matrix
-|
-|-> homeserver.yaml -- /etc/matrix-synapse/ :: server configuration
-|-> server_name.yaml -- /etc/matrix-synapse/conf.d/ :: server name
-`-> report_stats.yaml -- /etc/matrix-synapse/conf.d/
-
-Install
--------
-
-```
-$ apt install matrix-synapse
-```
-
Users
-----
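Review bot: the Files tree for matrix was the only record that `server_name.yaml` and `report_stats.yaml` live in `/etc/matrix-synapse/conf.d/` and are merged with `homeserver.yaml`; the Users section that follows depends on the server name set there, so keep a one-line pointer. The SSL section ("Obtain a certificate with `certbot-nginx`") is removed here and in the nginx README in the same change, leaving no documented source for the certificate behind the `matrix.<domain>` CNAME above.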
Load balancer and reverse proxy. Listens on ports and forwards requests according
to rules. Protects connections with SSL.
-
-Files
------
-
-nginx
-|
-|-> nginx.conf -- /etc/nginx/ :: Main configuration.
-|-> mime.types -- /etc/nginx/ :: Available mime types.
-|-> <domain>.template -- /etc/nginx/sites-available/.
-`-> matrix.<domain>.template -- /etc/nginx/sites-available.
-
-SSL
----
-
-`certbot` integrates with `nginx`.
-
-```
-$ apt install python3-certbot-nginx
-```
-
-Obtain a certificate for domains.
-
-```
-$ certbot certonly --nginx -d <domain1> -d <domain2>
-```
-
-Install
--------
-
-```
-$ apt install nginx
-```
-
-Sites
------
-
-Substitute `<...>` patterns in `*.template` files. Create symbolic links for
-files in /etc/nginx/sites-available.
-
-```
-$ ln -s /etc/nginx/sites-available/{...} /etc/nginx/sites-enabled
-```
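Review bot: removing the Sites section loses the only instruction that the `<...>` placeholders in the `*.template` files must be substituted and the result linked into `/etc/nginx/sites-enabled` (`ln -s /etc/nginx/sites-available/{...} /etc/nginx/sites-enabled`); the templates (`<domain>.template`, `matrix.<domain>.template`) still exist in the repository, so a reader now has no documented way to activate them. The retained description still says nginx "Protects connections with SSL", but the `python3-certbot-nginx` install and `certbot certonly --nginx -d <domain1> -d <domain2>` steps are gone, and the dovecot, matrix and postgres READMEs in this same change all delegated to certbot as well. Suggest one remaining section (here or top-level) that documents certificate issuance and renewal, so the `sites-available` configs have a documented certificate path. Minor: the removed tree had inconsistent paths (`/etc/nginx/sites-available/.` versus `/etc/nginx/sites-available.`); fix those if it is restored.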
it claims to have come from. It uses the /milter/ interface to provide DKIM
signing.
-Files
------
-
-opendkim
-|
-|-> opendkim -- /etc/default :: service configuration
-`-> opendkim.conf -- /etc/ :: configuration parameters
-
Notes
-----
```
Add `/etc/opendkim/keys/<domain>/<selector>.txt` as a DNS record.
-
-Install
--------
-
-```
-$ apt install opendkim libopendbx1-pgsql
-```
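Review bot: the removed `apt install opendkim libopendbx1-pgsql` line was the only hint that the signing and key tables are backed by Postgres through the OpenDBX dataset backend; without `libopendbx1-pgsql`, any `dsn:` data set referenced from `opendkim.conf` fails to open at startup. If the SQL backend is still in use, keep the package requirement or point to where packages are now listed. The retained note "Add `/etc/opendkim/keys/<domain>/<selector>.txt` as a DNS record" is fine, but the tree that said `/etc/default/opendkim` holds the service options (where the milter socket is configured) is gone; a pointer there is worth keeping since postfix has to be told the same socket.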
MTA (Mail Transfer Agent) server. Clients or other email servers connect to
`postfix` to transfer their email with Simple Mail Transfer Protocol (SMTP).
-Files
------
-
-`master.cf` configures the postfix daemon and `main.cf` configures the MTA
-server. Only root should have write permissions to these files.
-
-postfix
-|
-|-> main.cf -- /etc/postfix/ :: configuration parameters
-|-> master.cf -- /etc/postfix/ :: postfix daemon
-`-> address_book.cf -- /etc/postfix/ :: FROM query
-
-Install
--------
-
-```
-$ apt install postfix
-```
-
-Notes
------
-
-Set MTA server hostname, which is used by `$myhostname`.
-
-```
-$ hostname <hostname>
-```
-
Resources
---------
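Review bot: the deleted sentence "Only root should have write permissions to these files" is the one permission requirement this README stated for `main.cf` and `master.cf`, and the `address_book.cf -- /etc/postfix/ :: FROM query` entry was the only documentation of that third file; both should survive, for example under the retained Resources heading. The removed `hostname <hostname>` step was also what set `$myhostname`, which postfix derives from the system hostname and uses as its HELO name and in the Received headers it adds; if that now happens elsewhere, say where, and prefer `/etc/hostname` or `hostnamectl set-hostname` over a bare `hostname` call, which does not persist across reboot.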
Relational database.
-Files
------
-
-postgres
-|
-|-> pg_hba.conf -- /etc/postgresql/$(version)/main/
-`-> postgresql.conf -- /etc/postgresql/$(version)/main/
-
DNS
---
<domain> AAAA <IPv6 address>
psql.<domain> CNAME <domain>
-SSL
----
-
-Postgres uses both server- and client-side certificates. Whenever a client tries
-to connect, verifies server's certificate and then presents their certificate.
-
-SSL (server)
-------------
-
-Obtain a certificate with `certbot`.
-
-```
-$ certbot certonly --standalone -d psql.<domain>
-```
-
-Copy the certificate to a directory owned by `postgres`. Change its ownership and
-permissions.
-
-```
-$ mkdir /etc/postgresql/<version>/main/private
-$ chmod 700 /etc/postgresql/<version>/main/private
-$ cp /etc/letsencrypt/live/psql.<domain>/{fullchain.pem,privkey.pem} \
- /etc/postgresql/<version>/main/private/
-$ chmod 600 /etc/postgresql/<version>/main/private/{fullchain.pem,privkey.pem}
-$ chown postgres:postgres -R /etc/postgresql/<version>/main/private
-```
-
SSL (client)
------------
dbname=<db_name> sslrootcert=/etc/ssl/certs/ca-certificates.crt \
sslmode=verify-full"
```
-
-Install
--------
-
-```
-$ apt install postgresql
-```
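Review bot: the deleted "SSL (server)" section is the only place the server key handling was documented: `chmod 700` on the `private` directory, `chmod 600` on `fullchain.pem`/`privkey.pem` and `chown postgres:postgres -R`. The retained "SSL (client)" section still connects with `sslmode=verify-full` against `sslrootcert=/etc/ssl/certs/ca-certificates.crt`, which only succeeds if the server presents a certificate for `psql.<domain>` issued by a CA in that bundle, i.e. the one from the removed `certbot certonly --standalone -d psql.<domain>` step. Either keep the server section or reference where the certificate is now provisioned. Two things the removed text did not cover and a rewrite should: `--standalone` needs port 80 free at issuance and at every renewal, and the copy-and-chown steps must be repeated after each renewal (a certbot deploy hook is the usual place). Also `$(version)` in the removed paths is shell command substitution, not a placeholder; `<version>`, as used later in the same section, was meant.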
SSH server [1].
-Files
------
-
-sshd
-|
-|-> sshd_config -- /etc/ssh/
-`-> ssh.service -- /etc/systemd/system/
-
-Updates
--------
-
-After updating `/etc/ssh/sshd_config`, reload the service.
-
-```
-$ systemctl reload ssh
-```
-
SSL
---
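Review bot: the removed Updates section (`systemctl reload ssh` after editing `/etc/ssh/sshd_config`) is the one operational step a reader needs after any change in this directory, and the deleted tree was the only record that `ssh.service` is installed under `/etc/systemd/system/`, overriding the packaged unit. Keep the reload step, ideally preceded by `sshd -t` to validate the edited configuration before the running daemon picks it up.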