achubb_website/pages/ArchServer.html

id: archserver
title: Arch Server
date_created: 2023-08-28
date_last_updated: 2023-08-28
description: The set up for my Arch cloud server that hosts this website and some other stuff.
---
<h2>
Arch Server
</h2>
<p>
Most of the process to set up this server follows <a href="https://sive.rs/ti" target="_blank">this guide</a>.
Here I will outline where I deviated and used workarounds to make all this work on Arch Linux.
</p>
<br>
<h3>Register a Domain -&gt; Create SSH Key</h3>
<ul class="list-decimal">
<li>No changes</li>
</ul>
<br>
<h3>Create Your Server</h3>
<ul class="list-decimal">
<li>Step 6: Select Arch as the operating system instead of OpenBSD</li>
</ul>
<br>
<h3>Attach Storage -&gt; Point Your Domain Here</h3>
<ul class="list-decimal">
<li>No changes</li>
</ul>
<br>
<h3>SSH Into Root</h3>
<ul class="list-decimal">
<li>Step 9: command to update packages on Arch is <code>pacman -Syu</code> instead of <code>syspatch</code></li>
</ul>
<br>
<h3>Create Your Username</h3>
<ul class="list-decimal">
<li>Step 2-16: <code>useradd -m &lt;UserName&gt;</code> will automatically fill out all the defaults</li>
<li>Step 17-20: <code>passwd &lt;UserName&gt;</code> to set the user's password.</li>
<li>Step 21: <code>usermod -aG wheel,wheelnpw &lt;UserName&gt;</code> to allow executing as root without password</li>
</ul>
<br>
<h3>Another User?</h3>
<ul class="list-decimal">
<li>No extra users added</li>
</ul>
<br>
<h3>Secure Your login</h3>
<ul class="list-decimal">
<li>Step 2: replace <code>doas</code> in command with <code>sudo</code></li>
<li>Step 5: replace <code>rcctl</code> in command with <code>systemctl</code></li>
</ul>
<br>
<h3>Format Storage</h3>
<p>
Here I deviated much more from the steps so I will write out the steps used without referring to Derek's original document.
</p>
<br>
<ul class="list-decimal">
<li><code>ssh &lt;UserName&gt;@yourdomain.name</code></li>
<li><code>sudo su</code></li>
<li><code>fdisk -l</code> will list the disks available, look for the one with the size of the blockstorage you added to your server.
<ul class="ml-10 list-disc">
<li>Likely /dev/vdb</li>
</ul>
</li>
<li><code>cryptsetup -y -v --type luks2 luksFormat /dev/vdb</code>
<ul class="ml-10 list-disc">
<li>Enter your passphrase when asked and confirm it. Make sure you note this down somewhere, you will not be able to access your storage without it.</li>
</ul>
</li>
<li><code>cryptsetup luksOpen /dev/vdb blockstorage</code>
<ul class="ml-10 list-disc">
<li>The last argument is the storage name, I used blockstorage. The unlocked device then appears as /dev/mapper/blockstorage.</li>
</ul>
</li>
<li><code>dd if=/dev/zero of=/dev/mapper/blockstorage status=progress</code>
<ul class="ml-10 list-disc">
<li>This writes all 0s through the unlocked mapping, so the whole blockstorage is filled with encrypted data and what is seen from the outside looks random.</li>
<li>It will take a long time to complete. status=progress will show you the progress and you will be able to tell when it has completed.</li>
</ul>
</li>
<li><code>mkfs.ext4 /dev/mapper/blockstorage</code> will create the filesystem on the disk</li>
<li><code>mkdir /mnt/blockstorage</code> to create the mountpoint</li>
<li><code>chown &lt;UserName&gt;:&lt;UserName&gt; /mnt/blockstorage</code> to set ownership to your user</li>
<li>Basic commands to manually manage the filesystem
<ul class="ml-10 list-disc">
<li>To mount the filesystem <code>sudo mount /dev/mapper/blockstorage /mnt/blockstorage</code></li>
<li>To unlock the filesystem <code>sudo cryptsetup luksOpen /dev/vdb blockstorage</code></li>
<li>To lock the filesystem <code>sudo cryptsetup luksClose blockstorage</code></li>
<li>To unmount filesystem <code>sudo umount /mnt/blockstorage</code></li>
</ul>
</li>
</ul>
<br>
<p>
We don't need to deal with these complex commands each time. We can use aliases to substitute commands that are much simpler to remember.
</p>
<br>
<ul class="list-decimal">
<li><code>echo "alias mntblk='sudo mount /dev/mapper/blockstorage /mnt/blockstorage'" &gt;&gt; .bashrc</code> will set the mounting command to <code>mntblk</code></li>
<li><code>echo "alias unlkblk='sudo cryptsetup luksOpen /dev/vdb blockstorage'" &gt;&gt; .bashrc</code> will set the unlocking command to <code>unlkblk</code></li>
<li><code>echo "alias lkblk='sudo cryptsetup luksClose blockstorage'" &gt;&gt; .bashrc</code> will set the locking command to <code>lkblk</code></li>
<li><code>echo "alias umntblk='sudo umount /mnt/blockstorage'" &gt;&gt; .bashrc</code> will set the unmounting command to <code>umntblk</code></li>
</ul>
<br>
<p>
This will still need 2 commands to mount, and 2 more to unmount.
I like having these aliased separately just in case I want to run one without the other for some reason.
To bring this to 1 command for each I will make 2 more aliases using the ones I just created.
You could make each of these 2 using the expanded commands above, but I find this way simpler to read.
</p>
<br>
<ul class="list-decimal">
<li><code>echo "alias m='unlkblk &amp;&amp; mntblk'" &gt;&gt; .bashrc</code> will make <code>m</code> unlock the filesystem and mount it (the mapping must be unlocked before it can be mounted)</li>
<li><code>echo "alias m-x='umntblk &amp;&amp; lkblk'" &gt;&gt; .bashrc</code> will make <code>m-x</code> unmount the filesystem and lock it (the mapping cannot be locked while it is still mounted)</li>
<li>log out and log back in to be able to use these new aliases or run <code>source .bashrc</code></li>
</ul>
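<p>
The same unlock/mount and unmount/lock pairs written as shell functions, as an added example that is not part of the original setup: they always unlock before mounting and unmount before locking, and skip any step that is already done.
The function names and the <code>RUN</code> hook are assumptions; the device, mapping name and mount point are the ones used above.
</p>

```bash
# Added example (not the author's code). Put in .bashrc in place of m / m-x.
DEV=/dev/vdb                  # LUKS block device, as used above
NAME=blockstorage             # mapping name, as used above
MNT=/mnt/blockstorage         # mount point, as used above
RUN=${RUN:-sudo}              # hypothetical hook: RUN=echo prints instead of running

# State checks, so each function can be run repeatedly without errors.
is_open()    { [ -e "/dev/mapper/$NAME" ]; }
is_mounted() { mountpoint -q "$MNT"; }

# Unlock first, then mount: /dev/mapper/$NAME only exists after luksOpen.
blk_up() {
    if ! is_open; then
        $RUN cryptsetup luksOpen "$DEV" "$NAME" || return 1
    fi
    if ! is_mounted; then
        $RUN mount "/dev/mapper/$NAME" "$MNT" || return 1
    fi
}

# Unmount first, then lock: luksClose fails while the mapping is still in use.
# If umount fails (files still open), stop and leave the mapping unlocked
# rather than reporting the storage as locked when it is not.
blk_down() {
    if is_mounted; then
        $RUN umount "$MNT" || return 1
    fi
    if is_open; then
        $RUN cryptsetup luksClose "$NAME" || return 1
    fi
}
```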
<br>
<h3>Use Your Storage</h3>
<ul class="list-decimal">
<li>No changes</li>
</ul>
<br>
<h3>FreeFileSync</h3>
<ul class="list-decimal">
<li>I did not use this</li>
</ul>
<br>
<h3>Verify and Unmount</h3>
<ul class="list-decimal">
<li>No changes</li>
</ul>
<br>
<h3>Web Server</h3>
<p>
Ports are not open externally by default on Arch.
<code>sudo ufw allow 80</code> will open the port for the web server.
Do not open unnecessary ports.
Arch is fully capable of hosting an Apache server like the one used in the guide.
I prefer Nginx and so used that.
The configuration is a little more complex than Apache, but I am more familiar with it and it works well for single site hosting.
</p>
<br>
<ul class="list-decimal">
<li>install with <code>sudo pacman -S nginx</code></li>
<li>enable with <code>sudo systemctl enable nginx.service</code></li>
<li>start with <code>sudo systemctl start nginx.service</code></li>
</ul>
<br>
<p>
When I was testing I was serving static content from /srv/http/domain.com/public_html.
In the /etc/nginx/nginx.conf file in the http block I added:
</p>
<pre><code>
server &#123;
    server_name yourdomain www.yourdomain;
    location / &#123;
        root /srv/http/yourdomain/public_html;
    &#125;
&#125;
</code></pre>
<br>
<p>
Run <code>nginx -s reload</code> to reload the configuration file.
</p>
<p>
Then the html files to be served can be put in whatever folder is specified in root and will be served from there.
In the end I have my website built and served using SvelteKit and Nginx is working as a proxy for that program.
I will go into Svelte in the future.
</p>
<p>
To have a secure webserver (https) I need a certificate.
</p>
<ul class="list-decimal">
<li><code>sudo pacman -S certbot certbot-nginx</code> to install the certbot package and nginx plugin</li>
<li><code>sudo certbot --nginx</code> will scan for nginx sites and create certificates</li>
<li><code>sudo certbot renew</code> will renew all certificates on the machine managed by certbot.</li>
</ul>
<br>
<p>
To run this renewal periodically I made a certref file in bin containing:
</p>
<pre><code>
#!/bin/bash
sudo certbot renew
</code></pre>
<p>
Set permissions to 700 with <code>sudo chmod 700 bin/certref</code>, then added a cronjob to run the refresh once a month.
</p>
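<p>
Because <code>certbot renew</code> only replaces certificates that are close to expiry, a failed run of the cron job can go unnoticed until the site's certificate lapses.
The check below is an added example, not part of the original setup: it flags any certbot-managed certificate that expires within a given number of days. The function names are assumptions, and <code>/etc/letsencrypt/live</code> is certbot's default location for issued certificates.
</p>

```bash
# Added example (not the author's code): flag certificates close to expiry.

# cert_expires_within <pem-file> <days>
# Returns 0 if the certificate expires within <days> days (or cannot be read).
cert_expires_within() {
    local pem=$1 days=$2
    # "openssl x509 -checkend N" exits 0 when the certificate is still valid
    # N seconds from now, so the result is inverted here. An unreadable file
    # also counts as expiring, which errs on the side of raising the alarm.
    ! openssl x509 -in "$pem" -noout -checkend "$(( days * 86400 ))" >/dev/null 2>&1
}

# check_live_certs <live-dir> <days>
# Prints one line per certificate that needs attention; returns 1 if any did.
check_live_certs() {
    local live=$1 days=$2 rc=0 pem
    for pem in "$live"/*/cert.pem; do
        [ -e "$pem" ] || continue          # glob matched nothing
        if cert_expires_within "$pem" "$days"; then
            echo "RENEW OVERDUE: $pem"
            rc=1
        fi
    done
    return "$rc"
}

# Typical use, run as root because the live directory is not world-readable:
#   check_live_certs /etc/letsencrypt/live 14
```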
<br>
<h3>Simple Website</h3>
<p>
Can use exactly what is in the guide here.
Just make sure the files are located in the root you specified in the Nginx configuration above.
</p>
<br>
<h3>File Sharing With Pub</h3>
<p>
Did not set this up with Nginx yet.
If I do, I will update this.
</p>
<br>
<h3>Calendar and Contacts</h3>
<p>
This is very similar for both Arch and OpenBSD, so I will only list the changes.
Arch does not have htpasswd by default.
Install it with <code>sudo pacman -S apache</code> then continue.
</p>
<br>
<ul class="list-decimal">
<li>Step 2: <code>sudo su</code></li>
<li>Step 3: <code>pacman -S radicale</code></li>
<li>Step 9: <code>systemctl enable radicale.service</code></li>
<li>Step 10: <code>systemctl start radicale.service</code></li>
</ul>
<br>
<h3>Android and iPhone + Test</h3>
<ul class="list-decimal">
<li>No changes</li>
</ul>
<br>
<h3>Backups</h3>
<ul class="list-decimal">
<li>Step 3: replace '/sh' with '/bash' and 'doas' with 'sudo' in the echo command.</li>
</ul>
<br>
<h3>Email</h3>
<p>
I decided to use an external email provider (FastMail) instead of setting up the email verification myself.
This was before the explanation for this was published in this article.
I may try again in the future, but for now I am happy with my own email for a few dollars a month that I can move to a different provider if needed.
</p>
<br>
<h3>Git</h3>
<p>
I use git extensively in my coding projects, configurations, and notes so I wanted to be able to host my own git server.
</p>
<br>
<ul class="list-decimal">
<li>assume root with <code>sudo su</code></li>
<li>install with <code>pacman -S git</code></li>
<li>in /etc/passwd file set the home directory for the git user to /srv/git</li>
<li>created .ssh folder in /srv/git and added an ssh key like above to log into the server</li>
<li>enabled with <code>systemctl enable git-daemon.socket</code></li>
<li>started with <code>systemctl start git-daemon.socket</code></li>
</ul>
<br>
<p>
To make a new project I navigate to /srv/git and create it with <code>git init --bare &lt;projectName&gt;.git</code>.
Set ownership to the git user with <code>chown -R git:git &lt;projectName&gt;.git</code>.
To set the remote origin for a project that is already initialized: <code>git remote add origin git@url:/srv/git/&lt;projectName&gt;</code>.
To clone a project from remote to local: <code>git clone git://url/&lt;projectName&gt; localName</code>.
</p>
<br>
<h2>Evolving</h2>
<p>
This project is slowly but constantly evolving.
The above state is how it is running currently and that may change.
I will endeavor to update it when things do.
It will slowly grow from something mostly taken from Derek's guide (thank you so much for that) to something uniquely my own and serving my exact needs.
</p>