<pubDate>Sun, 29 Aug 2021 15:35:48 -0400</pubDate>
<description><![CDATA[
<header><h1>Self hosting</h1></header>
<main>
<h2>Introduction</h2>
<p>When you have a(n old) computer lying around, and you have cheap electricity and a good internet connection, self hosting might be a good option for you.</p>
<h3>Why would you choose selfhosting?</h3>
<ul>
<li>
You have control over the hardware, and you can upgrade your server in the future. For example: if you host a file server and your hard drive goes full, you can simply add another hard drive or upgrade it.
</li>
<li>
No bandwith limits, storage limits, etc. (some VPSes have this)
</li>
<li>
It <strong>can</strong> be cheaper than using a VPS. This only is the case if you got the server for really cheap and your electricity is cheap.
</li>
<li>
You can have a media server to consoom your content (for example with <code>Jellyfin</code>). You can technically do this on a VPS, but that will be more expensive than self hosting. If you have a media server, you can stream media from your server to more devices. (I recommend just downloading it on your device, but if you have multiple devices, this could be a good solution)
</li>
</ul>
<h3>Downsides</h3>
<p>Some possible downsides of choosing to host at home could be:</p>
<ul>
<li>
Your ISP not approving of what you're doing. Some ISP's do not condone you hosting at home. Usually when this is the case, it could be harder if you want to forward ports, or it could be impossible to get a static IP address. Check your ISP's terms of service. Sometimes, it will say that hosting a webserver, email server, and more, is not allowed.
</li>
<li>
This can also include blocked ports. ISPs can block certain ports to the world. Sometimes ISPs only block 445/139 (which is for the better as Samba, using these ports isn't really secure and it's outdated). But some ISPs (sadly) block crucial ports like 80 and/or 443. You need to check this before trying anything. If this is the case, a way to get around it is to get another ISP or use an alternative port. A great website to check this is: <ahref="https://canyouseeme.org/">canyouseeme.org</a>. You can also check if you did the port forwaring correctly here.</li>
<li>
Security. Opening your network to the public could bring security risks. For example, never open a Samba server to the public, because it's a pretty old protocol, and it has some security vulnerabilities. Be sure you are forwarding the right port, and don't just forward random ports to the internet. Also, if you are getting DDoSed, your ISP will temporarily shut down your whole internet connection.
</li>
<li>
When setting up an email server, it can be way harder to not have your email show up as spam in other's people email. If you use a VPS, this is way easier.
</li>
<li>
Space, power consumption and noise. Of course, this differs per server.
</li>
</ul>
<p>Your mileage may vary, go and check each of these points, and see if selfhosting is the right choice for you. Try and calculate your power consumption and see if your electricity cost is not too expensive.</p>
<p>For me, the upsides outweighed the downsides, which is why I chose to host at home. But, this differs with each person and scenario. Go and research what your exact situation is, before trying anything. Otherwise you'll have to face some bad surprises.</p>
<h2>Hardware</h2>
<h3>What kind of hardware should you choose?</h3>
<p>If you pay your own electricity bill, power consumption is a big factor. Most old laptop computers are ideal in the sense that they don't use a lot of power, and if the battery still works, you have a built-in UPS! The bad thing is, most old laptop computers aren't that powerful, and they lack in upgradability. (you shouldn't really be using anything older than 2006, and I recommend at least a performance equivalant of a Core 2 CPU)
</p>
<p>If you can find an energy efficient desktop (under 100W), that is a great option. They are pretty upgradable and they don't use a lot of power. They can also be pretty cheap, but old laptops are usually cheaper. If you can afford new hardware, and are willing to build a PC, you can find really power effecient CPU/motherboard combos, and they can be cheap, for example the Celeron J3060. I recommend a low wattage power supply or an effecient one for these kinds of builds. Pico PSUs are pretty tiny and efficient solutions in these builds.</p>
<p>Of course, if you don't pay your electricity bill or cost is not a problem for you, you can use just about any old desktop (as long as it's not from the 90's, I recommend at least a Core 2 chip again, or an Athlon 64 X2).</p>
<h3>Usecases</h3>
<p>Of course, hardware choices depend on the usecase. The above recommendations I gave you work fine for e-mail server, webserver and fileserver types of applications, but they will struggle to transcode video if you are going to host a media server. You'll need a faster CPU, but also a faster GPU. As an example, the Athlon 200GE or 3000G are good and efficient choices for these builds. They are decent CPUs, but also have a built in GPU that will transcode video just fine.</p>
<p>
If you need a lot of storage, go for a case with a lot of mounts for hard drives, this way you can easily mount multiple hard drives. Pros of multiple hard drives are redundancy and speed. Cons could be that they create more heat and noise. You can't use a laptop if you want multiple drives, except if you use a hard drive caddy for the CD/DVD drive bay. Some business laptops even support RAID 1 (redundancy) and RAID 0 (speed and more storage, but you lose your files if one hard drive breaks) this way.</p>
<h2>Getting started</h2>
<h3>Installing Debian</h3>
<p>Once you have the machine, you can install the OS. I recommend Debian, as all of the guides on this website are Debian specific. Debian just werks as a server OS.</p>
</p>
<p>You'll need to burn a Debian install image onto a USB flash drive or a CD. You can download the image <ahref="https://www.debian.org/CD/netinst/">here</a>, and you can also find information on how to burn the image onto a USB flash drive or CD there.
</p>
<p>While installing Debian, do not install any desktop environment. But install an SSH server when you get the chance. Also leave webserver unchecked, even if you want to use it as a webserver. You'll have a chance to install this later.</p>
<h3>Port forwaring</h3>
<p>Every time you are going to set up a new server program, you need to forward a port corresponding to that program. For example, HTTP is port 80, HTTPS is 443, etc. You need to set this up on your router's NAT settings (sometimes just called port forwarding, this differs per router). These steps differ for each router. Refer to your routers manual. A simple command to see what your servers IP address is, is to run <code>ifconfig</code> on your server. This shows a lot of network info, but it will also show your local IP address needed for port forwarding.
</p>
<p>Basic ports:</p>
<ul>
<li>
SSH: port 22 (open this port if you want to admin your server outside your network)
</li>
<li>
HTTP: port 80 (open this port if you want basic webserver functionality)
</li>
<li>
HTTPS: port 443 (you should open this port if you are setting up a webserver because encryption)
</li>
</ul>
<h3>Static or dynamic IP address</h3>
<p>If you want to host your server at home, make sure you have a static IP address, or you can change your dynamic IP address to a static one. Refer to your router settings, some ISPs will have options on this here. If you can't find anything on this, get in touch with your ISP.</p>
<p>Once you've made sure you have a static IP address, you can find out what the IP address is with various websites. You can use a search engine to easily find this out. Write this down as you'll need it later.</p>
<p>Once you're done, you can pretty much follow every guide on this website, the only difference is that you'll need to forward the ports you'll be using for the server.</p>
<h3>Finding the ports you'll need to forward</h3>
<p>If you need to know what port you'll need to forward, there's a command for that. Just type <code>netstat -tulpn</code> in your servers command line. If you want to see the name of the programs, you need to run it as a root user. You can do this by putting <code>sudo</code> before the command.</p>
<pre><code>Local Address State PID/Program name
0.0.0.0:25 LISTEN 887/master
0.0.0.0:1883 LISTEN 22452/mosquitto
0.0.0.0:445 LISTEN 798/smbd
0.0.0.0:993 LISTEN 381/dovecot
127.0.0.1:3306 LISTEN 560/mysqld
0.0.0.0:587 LISTEN 887/master
0.0.0.0:139 LISTEN 798/smbd
127.0.1.1:12301 LISTEN 412/opendkim
0.0.0.0:143 LISTEN 381/dovecot
0.0.0.0:465 LISTEN 887/master
0.0.0.0:22 LISTEN 472/sshd
:::25 LISTEN 887/master
:::443 LISTEN 1769/apache2
:::1883 LISTEN 22452/mosquitto
:::445 LISTEN 798/smbd</code></pre>
<p><em>Example output</em></p>
<p>In this example, if you need to find the port number from <code>dovecot</code>, you can look for it in the <code>Program name</code> column. Then you can see in the local address column that the reported local address is <code>0.0.0.0:993</code>. You need to look for the part after the semicolon. In this case it's 993. So you'll need to forward port 993.</p>
<spanclass="next"><ahref="dns.html">Next: Connect Your Domain and Server</a></span>
<hr>
<p><em>Written by <ahref="https://github.com/hidde-j">hiddej</a></em>
From here, the steps are almost identical to setting up a normal website configuration file.
Follow the steps as if you were making a new website on the webserver
<ahref="nginx.html">tutorial</a> up until the server block of code. Instead, paste this:
</p>
<pre><code>server {
listen 127.0.0.1:8080 ;
root /var/www/<strong>example</strong> ;
index index.html ;
}</code></pre>
<aside>
<h4>Clarifications<h4>
<p>
Nginx will listen in port 8080, but i2pd will forward your port
8080 to the i2p site port 80. This way you don't have to deal with server names or anything like that
</p>
</aside>
<p>
From here we are almost done, all we have to do is enable the site and reload nginx which is also covered in <ahref="nginx.html#enable">the webserver tutorial</a>.
</p>
<h3>Update regularly!</h3>
<p>Make sure to update I2P on a regular basis by running:</p>
<li>Android (<ahref="https://f-droid.org/en/packages/org.jitsi.meet/">F-Droid</a> and <ahref="https://play.google.com/store/apps/details?id=org.jitsi.meet">Google Play</a>)</li>
<strong>When using a Jitsti app for the first time, remember to go to the "Settings" menu and change your server name to the Jitsi site you just created.</strong>
</p>
<p>When you create a video chatroom, its address will appear as <code><strong>meet.example.org/yourvideochatname</strong></code> and can be shared as such.</p>
<h2>More info</h2>
<p>
This article is based on <ahref="https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart"target="blank">the original documentation</a>. There you can find more details and configurations.
</p>
<ul>
<li>Written by <ahref="https://josefabio.com"target="blank">Jose Fabio.</a> Donate Monero: <codeclass="crypto">484RLdsXQCDGSthNatGApRPTyqcCbM3PkM97axXezEuPZppimXmwWegiF3Et4BHBgjWR7sVXuEUoAeVNpBiVznhoDLqLV7j</code><ahref="https://josefabio.com/figures/monero.jpg"class="crypto"target="blank">[QR]</a></li>
<li>Edited and revised by <ahref="https://lukesmith.xyz">Luke</a>.</li>
<p>PeerTube also requires <strong>NodeJS 14</strong> and <strong>yarn</strong> which cannot be installed from the Debian repositories. This means they have to be installed from separate, external repos:</p>
<p>It's <strong>highly recommended</strong> to generate certificates for use with your PeerTube site, and this can be easily done with Let's Encrypt's <code>certbot</code> command:</p>
<p>Login to your PeerTube instance using the admin email specified in your <code>production.yaml</code> file and the admin password you just set.</p>
<imgsrc="pix/peertube-login.jpg"height=400px>
<p>Once logged in, it's recommended to create a separate user without admin privileges for uploading videos to PeerTube.
This can be done easily from the users tab in the administration section:</p>
<p>Enjoy your PeerTube instance!</p>
<hr>
<h2>Updating PeerTube</h2>
<p>PeerTube is constantly adding new features, so it's a good idea to <ahref="https://github.com/Chocobozzz/PeerTube/blob/develop/CHANGELOG.md">check for new updates</a> and add them if you wish. Just in the past year, they have added livestreaming and more.</p>
<p>Updating is fairly easy now since an <code>upgrade.sh</code> script has been added. Just run:</p>
Although check the <ahref="https://github.com/Chocobozzz/PeerTube/blob/develop/CHANGELOG.md">changelog</a> to see if there are additional manual requirements for particular updates.
</p>
<hr>
<p><em>Written by <ahref="https://denshi.live">Denshi.</a> Donate Monero <ahref="https://denshi.live/donate.html">here</a><ahref="https://denshi.live/images/monero.png">[QR]</a></em></p>
<p>Check the config file for other settings you might want to change.
For example, if you want to run a general public XMPP server, you can allow anyone to create an account by changing <code>allow_registration</code> to <code>true</code>.
</p>
<h2>Certificates</h2>
<p>
Obviously, we want to have client-to-server and server-to-server encryption.
Nowadays, use can use Certbot to generate certificates and use a convenient command below <code>prosodyctl</code> to import them.
</p>
<p>
<strong>If you have multi-user chat enabled, be sure to get a certificate for that subdomain as well.</strong>
Include the <code>--nginx</code> option assuming you have an Nginx server running.
<li><ahref="https://xmpp.org/software/clients.html">See a more complete list kept by XMPP</a></li>
</ul>
<p>
Install whichever of these clients you want on your computer or phone and you can log into your new XMPP server with the account you made.
Note that if you enabled public registration, anyone can create an account on your server through one of these clients.
</p>
<h3>Account addresses</h3>
<p>
XMPP account addressed look just like email addresses: <code><strong>username@example.org</strong></code>.
You can message any account on any XMPP server on the internet with that format.
</p>
<h3>Note on MUCs (multi-user chats)</h3>
<p>
Remember that MUCs are kept on a separate subdomain that we created and should've gotten a certificate for above, for example, <code><strong>muc.example.org</strong></code>.
Chatrooms are created and referred to in the following format: <code><strong>#chatroomname@muc.example.org</strong></code>.
<p>RSS Bridge is a useful utility you can use to help you avoid the big tech sites, like Facebook and Twitter, which instead of the feed you usually would see, will be a based and minimalist RSS feed. </p>
<p>You'll need a server or VPS. Nearly any Operating system is supported but for this tutorial I'm gonna presume you're using a Debian-based OS. You'll also need a domain name pointing to your server's IP address <ahref="https://diyhosting.bhh.sh/dns.html">which is explained in this tutorial.</a>
<p>First things first you'll need to make sure that you've hardened you SSH so that password authentication is disabled and you'll also want to setup Fail2Ban.
<p>Then we have to create the folder where the service will reside in.</p>
<pre><code>mkdir -p /var/www/rss-bridge
cd /var/www/rss-bridge
</code></pre>
<p>Lets download the latest version of RSS-Bridge in the directory.</p>
<p>The newest version can be found <ahref="https://github.com/RSS-Bridge/rss-bridge/releases">here</a>, at the time of writing that is "RSS-Bridge 2021-04-25."</p>
<p>This will create a directory called rss-bridge-version-number, we now want to move all the file contents of the newly created directory to the one we are in</p>
<p>That's it, you should now have a working rss-bridge installed. But you should definately get an SSL certifcate installed <ahref="https://diyhosting.bhh.sh/certbot.html">which is done briefly here</a>.</p>
<header><h1>Rsync: Upload and Sync Files and Websites</h1></header>
<main>
<p>rsync is a simple way to copy files and folders between your local computer and server.</p>
<p>It not only makes file-transfer easy, but it allows you to build and maintain your website offline, then easily upload it to the proper directory on your server so you don't need to constantly be logged into your server to modify your site.</p>
<h2id="installing-rsync">Installing rsync</h2>
<p>Run the following on your server <em>and</em> on your local machine.</p>
<pre><code>apt install rsync</code></pre>
<h2id="uploading-files-with-rsync">Uploading files with rsync</h2>
<p>From your local machine you can upload files to your server like this:</p>
<p>You will be prompted for the root password and then uploading will commence.</p>
<p>If you omit <strong>root@</strong>, rsync will not attempt to log in as root, but whatever your local username is.</p>
<h3>Options to rsync</h3>
<p>In this command, we give several options to rsync:</p>
<ul>
<li><code>-r</code>– run recurssively (include directories)</li>
<li><code>-u</code>– update files (do not reupload files that are not changed since last upload)</li>
<li><code>-v</code>– visual, show files uploaded</li>
<li><code>-z</code>– compress files for upload</li>
<li><code>-P</code>– if uploading a large file and upload breaks, pick up where we left off rather than reuploading the entire file</li>
</ul>
<p>Avoid using the commonly used <code>-a</code> option when uploading. It changes can transfer your local machine's user and group permissions to your server, which might cause breakage.</p>
<h3>Scriptability</h3>
<p>It's a good idea to build your website offline, then make an rsync script or bash alias like the one above to upload the edited files when you have made updates.</p>
<h3>Password-less authentication</h3>
<p>To avoid having to manually input your password each upload, you can set up <ahref="sshkeys.html">SSH keys</a> to securely idenitify yourself and computer as a trusted.</p>
<h3>Picky trailing slashes</h3>
<p>rsync is very particular about trailing slashes. This is useful, but can be confusing to some new users. Suppose we run the following wanting to mirror our offline copy of our website in the directory we use on our server (<code>/var/www/websitefiles/</code>):</p>
<p>This will <em>not actually do quite what we want</em>. It will take our local <code>websitefiles</code> directory and put it <em>inside</em><code>websitefiles</code> on the remote machine, ending up with: <code>/var/www/websitefiles/websitefiles</code>.</p>
<p>Instead, remove the trailing slash from the remote server location:</p>
<p>Hopefully by now you won't have to be sold on the invasive practices that social media companies conduct. Websites such as Facebook and Twitter aquire so much data on users that they often know more about you than you know about yourself.
The simple solution to this is to not use social media. However, that just isn't an option for most people. So the next best thing is to setup a self-hosted and federalised social media site so that you have full control over your data.
I've previously made<ahref="https://www.youtube.com/watch?v=l7mVsLSsotU"> a video showing all the steps in depth if you want to check it out.</a> If you run into any issues I suggest you look at the video.
<p>You'll need a server or VPS. Nearly any Operating system is supported but for this tutorial I'm gonna presume you're using a Debian-based OS. You'll also need a domain name pointing to your server's IP address <ahref="https://diyhosting.bhh.sh/dns.html">which is explained in this tutorial.</a>
<p>First things first you'll need to make sure that you've hardened you SSH so that password authentication is disabled and you'll also want to setup Fail2Ban.
You can manually configure postgreSQL to suit your system better. <ahref="https://docs-develop.pleroma.social/backend/configuration/postgresql/">Check out the documentation here</a> and then run the below command:
<aside><p>Note that we are downloading the <strong>amd64</strong> version here. If you know you have a different CPU architecture, replace that with whatever your architecture is.</p></aside>
<pre><code>mv /tmp/release/* /opt/pleroma
rmdir /tmp/release
rm /tmp/pleroma.zip
./bin/pleroma_ctl instance gen --output /etc/pleroma/config.exs --output-psql /tmp/setup_db.psql</code></pre>
<p>We need to briefly return to the root user so we can run the following command (via the postgres user) to set up the database.
Type <code>ctrl-d</code> or run <code>exit</code> to return to the root user, then run:
If everything worked then when you go to your domain in the web browser you should see a bare-bones Pleroma instance.
</p>
<h3>Creating an Admin User</h3>
<p>You'll be able to create new accounts on the Pleroma instance in the login section on the website but the easiest way to setup an admin account is with the CLI. Simply run the below command replaced with your username:
</p>
<pre><code>su -l pleroma
./bin/pleroma_ctl user new <strong>username</strong><strong>username</strong>@<strong>example.org</strong> --admin</code></pre>
<p>
If you run into any issues then <ahref="https://docs-develop.pleroma.social/backend/installation/otp_en/">feel free to checkout the documentation</a> or send me an email or message. My details are below.
<header><h1>Certbot on Standalone Domains and Subdomains</h1></header>
<main>
<p>The command <code>certbot --nginx</code> will take an unencrypted website on an Nginx configuration file, get a certificate for it and change the configuration to use that certificate and thus HTTPS.</p>
<p>Sometimes, however, you are given an Nginx configuration template that already has encryption/HTTPS, so running the automated <code>certbot --nginx</code> is not possible, as it will simply give an error saying that the certicate that Nginx is looking for doesn't already exist and thus the Nginx config is broken.</p>
<p>So suppose you want to get a certificate for <strong>pleroma.example.org</strong> because you are installing Pleroma and the configuration file presupposes a certificate.
<p>What we do here is temporarily turn of Nginx, then run a <code>certonly</code> subcommand that generates a certificate for the domain without changing or caring about the Nginx configuration. Then we reactivate Nginx, thus turning back on our webserver.</p>
<p>The reason we deactivate Nginx is that it uses the ports that Certbot will want to bind to, and thus we must temporarily turn Nginx off to let Certbot use those ports. (What it actually does is spin up a dummy webserver that doesn't need to think about the Nginx configuration.)</p>
<p>This is just a little note of something that might confuse people, but the three commands above should suffice. If your site is still managed by Nginx, it should still be able to renew with simple <code>certbot renew --nginx</code> without a problem.</p>
<strong>Uncomplicated Firewall</strong> (UFW) is a front-facing program for the more involved <code>iptables</code> firewall program installed in most GNU/Linux distributions.
We can use <code>ufw</code> to restrict machines on the internet to only access the services (SSH, websites etc) you want them to, but it can also be used to prevent programs on the computer itself from accesing parts of the internet it shouldn't.
</p>
<h2id="how-to-get-it">How to Get It</h2>
<p>Log into your server by pulling up a terminal and typing:</p>
This command will attempt to log into your server and run a remote shell.
If you leave the settings default, it should prompt you for your password, and you can just copy or type in the password from Vultr's site.
</p>
<p>
Some VPS providers automatically install <code>ufw</code>, but if you do not have it installed already, install it in the typical way:
</p>
<pre><code>apt install ufw</code></pre>
<h2id="first-time-setup">First-Time Setup</h2>
<p>You can check the status of <code>ufw</code> right now by running:</p>
<pre><code>ufw status</code></pre>
<p>Without any changes, it should report back <code>Status: inactive</code>. Let's set it up so that only connections to SSH (standardized at port 22) are allowed in, and then enable the firewall:</p>
<aside>
<strong>Careful!</strong> Enabling <code>ufw</code> without allowing SSH will block you from remoting to your server.
Double-check that you have allowed SSH, and if you have changed the default SSH port, put in <em>that</em> number instead.
</aside>
<pre><code>ufw default deny incoming # block all incoming connections by default
ufw allow in ssh # or: ufw allow in 22
ufw enable</code></pre>
<aside>
<code>ufw</code> has an internal list of protocols applications, and the ports used by them.
In this case, it knwos SSH is on port 22.
We'll go more in detail how to view all protocols <code>ufw</code> knows about.
By default, when you allow an incoming port, it allows that port both on IPv4 and IPv6.
</aside>
<p>
With the firewall enabled and allowing only SSH in, all other ports are prortected from incoming requests.
To view all your rules, run:
</p>
<pre><code>ufw status verbose</code></pre>
<p>A firewall that allows to connect to SSH and their website may look like:</p>
80,443/tcp (WWW Full (v6)) ALLOW IN Anywhere (v6)</code></pre>
<p>If you want to delete e.g. the 'WWW Full' rule, run:</p>
<pre><code>ufw delete allow in 'WWW Full'
ufw reload</pre></code>
<h2id="enabling-common-services">Enabling Common Services</h2>
<p>
You have blocked all incoming ports but SSH, which means no outsiders would be able to access other services, like an email server or your website.
You should look at the ports your services are open on and enable them individually.
Here is a list of a few common services:
</p>
<h3>Opening Port Numbers</h3>
<p>Suppose you install <ahref="gemini.html">a Gemini server</a>, which must broadcast on port 1965. By default <code>ufw</code> blocks all incoming connections on all ports, so whenever you install a new service like this you will have to tell <code>ufw</code> to enable the desired port:</p>
<pre><code>ufw allow 1985</code></pre>
<h3>Websites: HTTP and HTTPS</h3>
<p>HTTP uses port 80 and HTTPS uses port 443. We can enable them like this:</p>
<pre><code>ufw allow 80
ufw allow 443</code></pre>
<p>But <code>ufw</code> additionally knows the typical ports of common serives, so you can also run this:</p>
<pre><code>ufw allow http
ufw allow https</code></pre>
<p>And that will do the same thing. There are also other abbreviations for common port lists:</p>
<pre><code>ufw allow in 'WWW Full'</code></pre>
<p>To see these other "apps" that <code>ufw</code> knows by default, run <code>ufw app list</code></p>
<h3>Email: IMAP, POP3, and SMTP</h3>
<pre><code>ufw allow in IMAPS
ufw allow in POP3
ufw allow in SMTP
ufw allow in 'Postfix SMTPS'
ufw allow in 'Mail Submission'</pre></code>
<h2id="fine-tuning-rules">Fine-Tuning Rules</h2>
<p>Instead of denying all ports by default, you may want to deny (ignores incoming requests) or reject (explicitly tells requests they're not allowed):</p>
<pre><code>ufw default allow in
ufw deny in <strong>PORT</strong>
ufw reject in <strong>PORT</strong>
ufw reload</code></pre>
<p>You can add rules to comments to remember what they are there for:</p>
<pre><code>ufw allow in <strong>PORT</strong> comment 'Secret SSH'
ufw reload
ufw status verbose</code></pre>
<p>Output:</p>
<pre><code>To Action From
-- ------ ----
<strong>PORT</strong> ALLOW IN Anywhere # Secret SSH
<strong>PORT</strong> (v6) ALLOW IN Anywhere (v6) # Secret SSH</pre></code>
<p>To deny outgoing ports:</p>
<pre><code>ufw deny out <strong>PORT</strong></code></pre>
<p>Ratelimiting is useful to protect against brute-force login attacks, like in SSH. Only IPv4 is supported for now. Enable it by running:</p>
<header><h1>Creating Your Own Chat Server With IRC</h1></header>
<main>
<imgclass=titleimgsrc="pix/irc.svg">
<p>
Creating your own chat server for you and your friends is easy, and you don't have to rely on a complicated system to get started.
IRC is an old but gold protocol, and has clients for basically every operating system made since the 80s, with many powerful modern ones on Linux, Mac, and Windows.
</p>
<p>
Having a chat server for you and your friends makes it impossible for a group of arbitrarily appointed moderators to deplatform you for wrong-think, and gives you greater freedom of communication.
</p>
<h2id="installing">Installing an IRCd</h2>
<p>
An IRCd is short for "IRC daemon", which just means an IRC server.
The most easy IRCd to setup is <ahref="https://ergo.chat/">Ergo</a>.
</p>
<p>
The first thing you need to do is create a new user for the server to be run by.
This is good practice for installing software/servers manually, as it give you more fine-grained control over which permissions the application has.
</p>
<pre><code>useradd -m ergo -s /bin/bash</code></pre>
<p>
Next, we want to switch to our newly created <code>ergo</code> user and create the server directory.
</p>
<pre><code>sudo -i -u ergo
mkdir server</code></pre>
<p>
You can find the latest release of Ergo on its GitHub <ahref="https://github.com/ergochat/ergo/releases/latest">latest release</a> page.<br>
There are several platforms available, but you want to choose Linux, most likely <code>linux-x86_64</code>.<br>
Once you have selected the correct package, copy its URL and replace <code><i><release url></i></code> with the package URL (still as the <code>ergo</code> user):
<p>Executing <code>ls -l</code> should now yield something like this:</p>
<pre><code>-rw-r--r-- 1 ergo ergo 118825 Jun 8 00:51 CHANGELOG.md
-rw-r--r-- 1 ergo ergo 1983 May 31 01:48 README
-rw-r--r-- 1 ergo ergo 41440 Jun 8 00:42 default.yaml
drwxr-xr-x 2 ergo ergo 4096 Jul 1 09:01 docs
-rwxr-xr-x 1 ergo ergo 9654272 Jun 8 00:53 ergo
-rw-r--r-- 1 ergo ergo 1753 May 31 01:48 ergo.motd
drwxr-xr-x 2 ergo ergo 12288 Jul 1 09:01 languages
-rw-r--r-- 1 ergo ergo 39722 Jun 8 00:42 traditional.yaml</code></pre>
<p>If you see something similar to the above, that means Ergo is installed, although not quite ready to run yet.</p>
<h2id="configuring">Configuring Ergo</h2>
<p>
Now that Ergo is installed, you want to configure it to fit the needs of your group.<br>
The configuration in this section is tailored towards a small group of people, and less for a possibly large network,
but it should work for any size of group.
</p>
<p>
First thing, make sure you're still using the <code>ergo</code> user, and are in the <code>~/server</code> directory.<br>
If you aren't, you can run the following to get back there:
</p>
<pre><code>sudo -i -u ergo
cd ~/server</code></pre>
<p>
Next, generate certificate files for TLS:
</p>
<pre><code>./ergo mkcerts</code></pre>
<p>
Ergo comes with a default configuration file with detailed documentation that can be used to guide you through the configuration process.
This guide will help you setup the server for a typical use-case, but if you see any settings that you would like to change along the way,
go ahead and change them, as long as you know what you're doing.
</p>
<p>To start configuring, we need to copy some files:</p>
<pre><code>cp default.yaml ircd.yaml
cp ergo.motd ircd.motd</code></pre>
<p>
The next steps involve editing the newly copied <code>ircd.yaml</code> file. If you do not know how to edit text files from the comment line,
you can use <code>nano</code>, which is very simple, using arrow keys to navigate, <code>CTRL+O</code> to save, and <code>CTRL+X</code> to exit.<br>
Another option is <code>vim</code>, which is a much more powerful text editor, but has a learning curve. It is only recommended for this guide if you already know it.<br>
Lastly, you can copy the <code>ircd.yaml</code> file to a text editor on your computer and edit it with a GUI text editor of your choice.
If that is what you choose to do, you may want to just download the file from <ahref="https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml">Ergo's GitHub</a>,
edit it on your computer, clear the <code>ircd.yaml</code> file on the server, and then paste the contents from your computer into the blank file.<br>
No matter how you do it, the next steps assume you can edit the configuration file.
</p>
<p>
<b>Note</b>:<br>
The options highlighted in this section are not a complete overview of all options.
Instead, the options shown are the ones which are most relevant to a small network.<br>
You should read over the configuration file yourself if you are curious about everything you can change.
</p>
<h3id="configuring-names">Network and server names</h3>
<p>
One of the first properties in the config file is network name.
You can change this to whatever you like, as it will show up as the name when you connect to the server.
</p>
<pre><code># network configuration
network:
# name of the network
name: "Land-Chat"</code></pre>
<p>Change the server name to your server's domain name.</p>
<h3id="configuring-motd">Message of the day (MotD)</h3>
<p>Change the MotD (<b>M</b>essage <b>o</b>f <b>t</b>he <b>D</b>ay) file to the one you copied earlier:</p>
<pre><code># motd filename
# if you change the motd, you should move it to ircd.motd
motd: ircd.motd</code></pre>
<p>Feel free to edit <code>ircd.motd</code> to your heart's content. Its contents will be sent to clients when they connect to the network.</p>
<h3id="configuring-ip-limits">IP limits</h3>
<p>
For security purposes, you might want to limit the amount of client connections per IP.
For a private network, 4 is likely the maximum amount of connections you will have per IP, so that is a safe value.<br>
If your network is password protected, this is less of an issue, since the only people connecting will be people who have the password.
The following is the default, but you can change it to be whichever value you like:
</p>
<pre><code># IP-based DoS protection
ip-limits:
# whether to limit the total number of concurrent connections per IP/CIDR
count: true
# maximum concurrent connections per IP/CIDR
max-concurrent-connections: 16</code></pre>
<h3id="configuring-ip-cloaking">IP cloaking</h3>
<p>
Traditionally, IRC networks expose users' IP addresses to everyone. This is not a good practice for privacy, however.
With Ergo, IP cloaking is enable by default. You can enable or disable it if you like, and change how it looks to users.<br>
In this case, <code>netname</code> was changed to <code>"chad"</code>.
</p>
<pre><code># IP cloaking hides users' IP addresses from other users and from channel admins
# (but not from server admins), while still allowing channel admins to ban
# offending IP addresses or networks. In place of hostnames derived from reverse
# DNS, users see fake domain names like pwbs2ui4377257x8.irc. These names are
# generated deterministically from the underlying IP address, but if the underlying
# IP is not already known, it is infeasible to recover it from the cloaked name.
# If you disable this, you should probably enable lookup-hostnames in its place.
ip-cloaking:
# whether to enable IP cloaking
enabled: true
# whether to use these cloak settings (specifically, `netname` and `num-bits`)
# to produce unique hostnames for always-on clients. you can enable this even if
# you disabled IP cloaking for normal clients above. if this is disabled,
# always-on clients will all have an identical hostname (the server name).
enabled-for-always-on: true
# fake TLD at the end of the hostname, e.g., pwbs2ui4377257x8.irc
# you may want to use your network name here
netname: "chad"</code></pre>
<h3id="configuring-hexchat-password">Password enforcement adjustments for HexChat (and possibly other clients)</h3>
<p>
Ergo offers account registration to allow users to do things like use history and bouncer features, register channels, etc.<br>
In clients such as HexChat, server password may conflict with account passwords, so the following setting should be enable if you wish to use accounts with clients such as HexChat.<br>
Note that this could under some circumstances be considered a security hazard, as a user with an account does not need to know the server password to connect,
although that user would have needed to register an account before the server had a password, and then a password would need to have been set after the fact, so this can be considered a very small concern if your setup always has had a password.<br>
Also keep in mind that this setting has no effect if your network does not even have a password at all.
</p>
<pre><code># some clients (notably Pidgin and Hexchat) offer only a single password field,
# which makes it impossible to specify a separate server password (for the PASS
# command) and SASL password. if this option is set to true, a client that
# successfully authenticates with SASL will not be required to send
# PASS as well, so it can be configured to authenticate with SASL only.
Traditionally, IRC servers have no message history, and once you close your client, you cannot receive messages, and are not shown to be online at all.
Ergo includes functionality to allow users to both receive history, and keep their clients "online" even after they have left.
It also allows multiple clients to connect to the same account.<br>
If you are running a private network for friends, you should set <code>always-on</code> and <code>auto-away</code> to <code>opt-out</code>,
to have all users with accounts to appear as if they are online at all times, and be able to receive messages when they are offline.<br>
For a public network, keep everything as their default values, since you probably do not want randoms having this by default.<br>
If for some reason you do not want any of these features at all, you can set <code>enabled</code> to <code>false</code>, but this is not recommended.
Below are the recommended values for a private network (e.g. for friends) where users with accounts will be able to receive messages and history while they are offline.
</p>
<pre><code># multiclient controls whether Ergo allows multiple connections to
# attach to the same client/nickname identity; this is part of the
# functionality traditionally provided by a bouncer like ZNC
multiclient:
# when disabled, each connection must use a separate nickname (as is the
# typical behavior of IRC servers). when enabled, a new connection that
# has authenticated with SASL can associate itself with an existing
# client
enabled: true
# if this is disabled, clients have to opt in to bouncer functionality
# using nickserv or the cap system. if it's enabled, they can opt out
# via nickserv
allowed-by-default: true
# whether to allow clients that remain on the server even
# when they have no active connections. The possible values are:
# "disabled", "opt-in", "opt-out", or "mandatory".
always-on: "opt-out"
# whether to mark always-on clients away when they have no active connections:
auto-away: "opt-out"
# QUIT always-on clients from the server if they go this long without connecting
# (use 0 or omit for no expiration):
#always-on-expiration: 90d</code></pre>
<h3id="configuring-vhosts">VHosts</h3>
<p>
IP cloaking was mentioned previously, and somewhat related to that, Ergo includes "vhost" functionality, which allows users to set a custom IP/host string.
This is mostly for cosmetic value, and does not interfere with operators being able to see actual IP addresses for banning, but if you do not want it enable for some reason, you can disable it.
</p>
<pre><code># vhosts controls the assignment of vhosts (strings displayed in place of the user's
# hostname/IP) by the HostServ service
vhosts:
# are vhosts enabled at all?
enabled: true</code></pre>
<h3id="configuring-channels">Channels</h3>
<p>
Channels are where everyone on an IRC network talk. By default, anyone can create a channel, and anyone with an account can register one.
The difference between a normal channel and a registered one is that the registered one will preserve the operator status of the person who created,
whereas a normal channel's owner will lose operator status if they leave the channel or disconnect from the network.<br>
There are various settings for channels available, but the defaults are suitable for a private network with trust among users, or where you just want anyone to have the ability to create a channel.
Below are the default values:
</p>
<pre><code># channel options
channels:
# modes that are set when new channels are created
# +n is no-external-messages and +t is op-only-topic
# see /QUOTE HELP cmodes for more channel modes
default-modes: +nt
# how many channels can a client be in at once?
max-channels-per-client: 100
# if this is true, new channels can only be created by operators with the
# `chanreg` operator capability
operator-only-creation: false
# channel registration - requires an account
registration:
# can users register new channels?
enabled: true
# restrict new channel registrations to operators only?
# (operators can then transfer channels to regular users using /CS TRANSFER)
This is a modified version of the default oper entry. The account name is "gigachad", but you can change it to anything.<br>
Replace <code><i><your oper password></i></code> with a password generated by <code>./ergo genpasswd</code>, and you will have a new oper account to use.<br>
Note that to log into an oper account, clients have to enter <code>/OPER <i><oper name></i><i><oper password></i></code> each time they log in.
This can be automated by most clients by setting the command to be executed when the client logs in.
In the case of HexChat, you can edit your network and add the command to the <code>Connect commands</code> tab of the menu.<br>
You can copy everything from <code>"gigachad"</code> to the end of the line, paste it again, and change the name to create another oper account.
Another, less privileged example of an oper is shown as a comment below the above configuration snippet.
</p>
<h3id="configuring-history">Chat history</h3>
<p>
Traditionally, IRC networks do not store, relay, or handle chat history in any way.<br>
On a privacy standpoint, this is a good thing, since chats are entirely ephemeral and handled by clients.<br>
On a practicality standpoint, this is a bad thing, since people have to keep a client connected 24/7 to see message history.<br>
For normalfriends, this can be a big problem, not only because having to stay online 24/7 is just annoying or infeasible,
but also because they are likely used to chat platforms that handle history for them.<br>
With this in mind, enabling history is a good idea if you want to move friends over to IRC, and will make things a lot more pleasant for private networks.
</p>
<p>
Ergo's <code>history</code> configuration group is very long, so it is encouraged to read over it yourself.
This section will go over the most important pieces of that configuration group.
</p>
<p>
History is not endless (unless you want it to be), and the amount that can be stored for channels is configurable:
</p>
<pre><code># how many channel-specific events (messages, joins, parts) should be tracked per channel?
channel-length: 2048</code></pre>
<p>
History is already enabled by default, but that just means it is being collected, not relayed by default.
To relay history to clients when they connect, change the following to the amount of messages that you think is appropriate:
</p>
<pre><code># number of messages to automatically play back on channel join (0 to disable):
autoreplay-on-join: 250</code></pre>
<p>
History older than a certain time can be configured to be deleted or be inaccessible.
The default cutoff time is 1 week, but this is configurable as well.
</p>
<pre><code>
# options to delete old messages, or prevent them from being retrieved
restrictions:
# if this is set, messages older than this cannot be retrieved by anyone
# (and will eventually be deleted from persistent storage, if that's enabled)
expire-time: 1w
</code></pre>
<p>
By default, Ergo only stores chat history in memory, so when the server restarts, all history is lost.
If you wish to have chat history persist beyond restarts, you must store it in a MySQL database:
</p>
<pre><code># options to store history messages in a persistent database (currently only MySQL).
# in order to enable any of this functionality, you must configure a MySQL server
# in the `datastore.mysql` section.
persistent:
enabled: true
# store unregistered channel messages in the persistent database?
unregistered-channels: true</code></pre>
<br>
<pre><code># connection information for MySQL (currently only used for persistent history):
mysql:
enabled: false
host: "localhost"
port: 3306
# if socket-path is set, it will be used instead of host:port
#socket-path: "/var/run/mysqld/mysqld.sock"
user: "ergo"
password: "hunter2"
history-database: "ergo_history"
timeout: 3s
max-conns: 4
# this may be necessary to prevent middleware from closing your connections:
#conn-max-lifetime: 180s</code></pre>
<p>
For privacy reasons, you may want to allow users to delete their own messages in history, or export their messages to JSON:
</p>
<pre><code># options to control how messages are stored and deleted:
retention:
# allow users to delete their own messages from history?
allow-individual-delete: true
# if persistent history is enabled, create additional index tables,
# allowing deletion of JSON export of an account's messages. this
# may be needed for compliance with data privacy regulations.
enable-account-indexing: true</code></pre>
<h3id="configuring-spam">Spam reduction</h3>
<p>
Most IRC networks have measures in place to reduce chat spam. By default, "fakelag" is enabled in Ergo, and that can deal with most aggregious chat spam.<br>
If you are running a private network where user trust is high, you can disable it so that there are no limits on the speed that messages can be sent.
</p>
<pre><code># fakelag: prevents clients from spamming commands too rapidly
fakelag:
# whether to enforce fakelag
enabled: true
# time unit for counting command rates
window: 1s
# clients can send this many commands without fakelag being imposed
burst-limit: 5
# once clients have exceeded their burst allowance, they can send only
# this many commands per `window`:
messages-per-window: 2
# client status resets to the default state if they go this long without
# sending any commands:
cooldown: 2s</code></pre>
<h2id="using">Starting and using your server</h3>
<p>
Now that Ergo is both installed and configured, you can actually start using it!
</p>
<h3id="using-starting">Starting the server</h3>
<p>
First thing, make sure you're still using the <code>ergo</code> user, and are in the <code>~/server</code> directory.<br>
If you aren't, you can run the following to get back there:
</p>
<pre><code>sudo -i -u ergo
cd server</code></pre>
<p>
Starting the server is done in one command:
</p>
<pre><code>./ergo run</code></pre>
<p>
It will stay online until you close the terminal, or press CTRL+C. Don't worry, the next section goes over how to make it run like a normal server with a SystemD service.<br>
If you have not already, make sure the port <code>6697</code> is not blocked on your server. If you are using UFW as your firewall,
you need to run <code>ufw enable 6697</code> (not as the <code>ergo</code> user, of course).<br>
If you make and configuration changes while the server is running, you can apply them without restarting by typing <code>/rehash</code> as an operator.
</p>
<h3id="using-connecting">Connecting to the server</h3>
<p>
To use IRC, you of course need an IRC client. There are many choices available, but the most widely used for Windows and Linux is <ahref="https://hexchat.github.io/">HexChat</a>.
On Mac, you have a slightly nicer option with <ahref="https://www.codeux.com/textual/">Textual</a>, although you have to <ahref="https://github.com/Codeux-Software/Textual/#building-textual">compile it from source</a> if you want to use it for free.<br>
A more user-friendly and modern client choice is TheLounge, which is explained in the last section of this guide, if you want to look into it.
</p>
<p>
Connecting with HexChat is very easy. When you start it, you will see something like this:
<p>Ergo is now installed and running as a service, and will automatically start when the system boots.</p>
<h2id="registering">Registering accounts and channels</h2>
<p>
Account and channel registration were mentioned multiple times in this guide, and are indeed very important parts of the modern IRC ecosystem.
You can connect to most IRC networks and talk without creating an account, but you will not be able to reserve your nickname or register channels, so it is important to register an account.
</p>
<h3id="registering-accounts">Registering an account with NickServ</h3>
<p>
First, make sure you are connected to your IRC network.
Once you are, type <code>/nickserv help</code> to make sure NickServ (the registration system) is working propertly.<br>
If all is well, type the following, replacing <code><i><your password></i></code> with the password you want to use:
The final step is to configure authentication with your client.
</p>
<p>In HexChat, all that needs to be done is changing <code>Login method</code> to <code>SASL (username + password)</code>, and entering your NickServ password that you used earlier into the password field:</p>
<imgsrc="pix/irc/hexchat-sasl.png"alt="HexChat SASL in network edit menu">
<p>
In Textual, open up your network in the menu, and click <code>Identity</code> under <code>Server Properties</code>.
Enter your password in <code>Personal Password</code>, and check <code>Wait for identification before joining channels</code>.
<p>You will now be logged into your account when you connect to your network.</p>
<h3id="registering-channels">Registering channels with ChanServ</h3>
<p>
Once you have an account registered, you can register channels with ChanServ.<br>
To do so, join the channel you want to register, then type the following, replacing <code><i><your channel></i></code> with the name of the channel you want to register:
You are now the channel owner, and are free to appoint operators, administrators, etc for it.
When you go offline, you won't lose ownership, and you cannot be removed as the owner unless you unregister the channel later.
</p>
<h2id="moderation">Moderation</h2>
<p>
Like any chat, there will come a point where you need to use moderation tools to keep things under control.
Many IRC setup guides do not go over moderation, so it can be stressful when operators need to actually use moderation tools.<br>
The main difference between IRC and other chat systems in terms of moderation is the difference between channel bans and network bans.
Channel ban keeps a person out of channel a channel, whereas a network ban keeps a person out of the entire network.
</p>
<h3id="moderation-masks">Understanding masks</h3>
<p>
Bans are applied "masks", which are formatted pieces of text that contain a user's nick (username), their realname value, and their IP address or host.<br>
This is what a mask looks like: <code>nick!~nick-dude@127.0.0.1</code>.<br>
In bans, asterisks can be used as wildcards, which is useful for banning IP address ranges, patterns of nicknames, or whatever else you can think of.<br>
A ban on the nick <code>person</code>, for example, would look like this: <code>person!*@*</code>.<br>
A ban on anyone with the IP address <code>127.0.0.1</code> would look like this: <code>*!*@127.0.0.1</code>
</p>
<h3id="moderation-real-ips">Discovering real IPs</h3>
<p>
Even if IP cloaking is enabled on your network, you can still obtain real IP addresses/hosts if you are an operator.
See the <b>Operators</b> part of the configuration section of this guide on how to become an operator.<br>
To find out a user's real IP, simply type <code>/whois</code> along with the user's nick, and you will see information about the user, along with their real IP address/host.<br>
<code>/whois</code> is not a command that is exclusive to operators, but it does not reveal as much information to non-operators.
</p>
<h3id="moderation-network-ban">Banning someone from the network</h3>
<p>
Any netword-wide moderation action requires being an operator. See the <b>Operators</b> part of the configuration section of this guide on how to become an operator.<br>
Banning someone from the network is achieved with the <code>/kline</code> command. To see more info on the command, type <code>/helpop kline</code>.<br>
Note that this will only ban the user, not kick them immediately.
You will want to run <code>/kick</code> along with the user's nick to also kick them.<br>
To unban a user, run the command above, but replace the <code>+</code> with a <code>-</code>.<br>
You can see who is banned in a channel by typing <code>/banlist</code>.
</p>
<h3id="moderation-muting">Muting people in a channel</h3>
<p>
By default, anyone can speak in an IRC channel. To change this, you must be a channel owner, administrator, or operator.<br>
Channels, along with users, have modes, which modify their behavior. There is a special mode for channels called <code>m</code> (moderated) which requires users to be privileged in some way to talk.<br>
To set a channel as moderated, type the following in the channel:
</p>
<pre><code>/mode +m</code></pre>
<p>
Now, users must be an owner, administrator, operator, or be voiced to talk in the channel
This be reversed by typing the command above, but changing the <code>+</code> to a <code>-</code>.<br>
To voice a user, run the following, replacing <i><nick></i> with the user's nick:
You can also use <code>/op</code> and <code>/deop</code> on most clients to appoint and remove an operator.<br>
To remove administrator or operator status, run either of the above commands, but replace the <code>+</code> with a <code>-</code>.
</p>
<h2id="thelounge">Bringing modern-day features to IRC with TheLounge</h3>
<p>
A large downside to IRC as a protocol is just how old it is, and the limitations that exist because of it.
Other old protocols such as HTTP were built to be content-agnostic and versitile, but IRC was built with a very specific set of features, so it has not held up so well to contemporary chat systems.<br>
A notable thing that IRC as a protocol is missing is file uploads, and other fancy features that many other chats have.<br>
With that said, these problems can be fixed by clients, although many clients are still very primitive.
</p>
<p>
<ahref="https://thelounge.chat/">TheLounge</a> is a modern self-hosted IRC web client that tries to make IRC as user-friendly as possible.
It can be the answer to many of the complaints that normalfriends may have about IRC. It runs on anything with a web browser, can be "installed" since it is a PWA (Progressive Web App),
and is optimized for both desktops and mobile devices. It keeps you logged in even when you are gone, and even supports file uploads and embeds.<br>
Effectively, it brings IRC up to the standard of most other chat systems.
</p>
<p>
If you would like to setup an instance of TheLounge for you and your friends, you can take a look at their <ahref="https://thelounge.chat/docs/install-and-upgrade">installation guide</a>.<br>
It is a self-hosted web app, so you can run it for multiple people, not just yourself.
</p>
<hr>
<p><i>Written by <ahref="https://termer.net/">Termer</a></i></p>
<p>Gitea allows you to self-host your git repositories similar to <ahref="git.html">bare repositories</a>, but comes with additional features that you might know from GitHub, such as issues, pull requests or multiple users. Its advantage over GitLab—another Free Software GitHub clone—is that it is much more lightweight and easier to setup.</p>
<p>Head over to <ahref="https://gitea.com">gitea.com</a> to see what it looks like in practice.</p>
<p>Although Gitea is lighter than Gitlab, if you have a VPS with only 512MB of RAM, you will probably have to upgrade. Gitea is more memory-intensive than having just a bare git repository.</p>
<h2>Installing Gitea</h2>
<p>First install a few dependencies:</p>
<pre><code>apt install curl sqlite3</code></pre>
<p>Unfortunately, Gitea itself is not in the official Debian repos, so we will add a third-party repository for it.</p>
<p>Add the repo's gpg key to apt's trusted keys:</p>
<p>Since apt automatically enables and starts the Gitea service, it should already be running on port <code>3000</code> on your server!</p>
<h2>Setting up a Nginx reverse proxy</h2>
<p>You should know how to generate SSL certificates and use Nginx by now. Add this to your Nginx config to proxy requests made to your git subdomain to Gitea running on port 3000:</p>
<p>If everything worked fine you should now see a setup screen when you go to your configured domain in the browser. The options should be pretty self-explanatory, it is only important to select SQLite3 and to replace the base url and SSH server domain with your own.</p>
<dl>
<dt>Database Type:</dt>
<dd>SQLite3</dd>
<dt>SSH Server Domain:</dt>
<dd><strong>git.example.org</strong></dd>
<dt>Gitea Base URL:</dt>
<dd><strong>git.example.org</strong></dd>
</dl>
<p>These and other settings can be changed in a configuration file later so don't worry about making wrong decisions right now.</p>
<p>After clicking the install button you should now be able to log into your Gitea instance with the account you just created! Explore the settings for more things to do, such as setting up your SSH keys.</p>
<p>If Gitea does not load fully and has random errors, it is possible that you need to increase your available memory on your VPS. This can usually be done on your VPS-provider's website without too much trouble.</p>
<h2>A few extras</h2>
<h3>Automatically create a new repo on push</h3>
<p>This is an incredicly useful feature for me. Open up <code>/etc/gitea/app.ini</code> and add <code>DEFAULT_PUSH_CREATE_PRIVATE = true</code> to the <code>repository</code> section like so:</p>
<imgsrc=pix/gitea-push-create.png>
<br>
<p>If you now add a remote to a repository like this</p>
<imgclass=titleimgsrc="pix/auth.svg"alt="access control with nginx"/>
<p>HTTP basic authentication will allow you to secure parts (or all) of your website with a username and password without the trouble of PHP or Javascript.
This will work with any Nginx server.
</p>
<h2>Installation</h2>
<p>We will be using the command <code>htpasswd</code> to make username and password pairs.</p>
<pre><code>apt install apache2-utils</code></pre>
<aside>
<p>The apache utils has a small username-password pair encryption tool.</p>
<p>Like the other on this site, this tutorial is for Nginx, <strong>not</strong> for Apache servers.</p>
</aside>
<p>
Now think of a username and password and remember them.
Cron is a service that lets you run scheduled tasks. These tasks are called <strong> cronjobs. </strong> If you have already followed the initial course you will have already used cron when you set up certbot.
</p>
<h2> What tasks would I want to schedule? </h2>
<p>
You can schedule anything! Some examples of what you might have done already include:
<ul>
<li><code> updatedb </code> to update your <code> locate </code> database </li>
<li><code> certbot </code> to update renewing of your https certs </li>
</ul>
Some tasks that you might <em>want</em> to schedule may include:
<ul>
<li> Package updates - if you really just want to leave your server alone you can automated updating packages on your server </li>
<li> Backups - you may want to backup certain files every day and some every week, this is possible with cron </li>
</ul>
<p>
And many more, anything you can do can be turned into a cronjob.
</p>
<h2>Basic Cronjobs</h2>
<p>
This the preferred method for personal tasks and scripts, it's also the easiest to get started with. Run the command <code> crontab -e </code> to access your users crontab
</p>
<p>
Once you have figured out the command you want to run you need to figure out how often you want to run it and when. I am going to schedule my system updates once a week on at 3:30 AM on a Monday.
</p>
<p>
We now have to convert this time (Every Monday at 3:30 AM) into a cron time. Cron uses a simple but effective way of scheduling when to run things.
</p>
<p>
Crontab expressions look like this <code> * * * * * command-to-run </code>
The five elements before the command tell when the command is supposed to be run automatically.
<p>
So for our Monday at 3:30AM job we would do the following:
<li>On the day of the week option, Sunday is 0 and counting up from there, Saturday will be 6.</li>
<li><code>*</code> designates "everything". Our command above has a <code>*</code> in the day of month and month columns. This means it will run regardless of the day of the month or month.</li>
<li>The hour option uses 24 hour time. 3 = 3AM, while use 15 for 3PM.</li>
</ul>
<h3>More examples</h3>
<p>
Let's add another job, our backup job (for the purposes of this our backup command is just called <code> backup</code>) We want to run <code> backup </code> Every evening at 11PM, once we work out the timings for this we can add the to the same file as the above by running <code> crontab -e </code> This would mean our full crontab would look like this:
<pre><code>0 23 * * * backup</code></pre>
<h3>Consecutive times</h3>
<p>
Suppose we want a command to run every weekday.
We know we can put <code>1</code> (Monday), but we can also use <code>1-5</code>
<p>We can also easily run a command very several minutes or months, without specifying the specific times:
</p>
<pre><code>*/15 * * * * updatedb</code></pre>
<p>
This cronjob will run the <code>updatedb</code> command every 15 minutes.
</p>
<h3>Beware of this Rookie Mistake Though...</h3>
<p>
Suppose you want to run a script once every other month.
You might be <em>tempted</em> write this:
</p>
<pre><code>* * * */2 *</code></pre>
<p>
That might <em>feel right</em>, but this script <em>will be running once every minute during that every other month</em>.
You should specify the first two arguments, because with <code>*</code> it will be running every minute and hour!
</p>
<pre><code>0 0 1 */2 *</code></pre>
<p>This makes the command run <em>only</em> at 0:00 (12:00AM) on the first day of every two months, which is what we really want.</p>
<p>
Consult the website <ahref="https://crontab.guru">crontab.guru</a> for an intuitive and interactive tester of cronjobs.
</p>
<h2>User vs. Root Cronjobs</h2>
<p>
It is important to note that user accounts all have different cronjobs.
If you have a user account <code>chad</code> and edit his crontab with <code>crontab -e</code>,
the commands you add will be run as the <code>chad</code> user, not <code>root</code> or anyone else.
</p>
<p>
Bear in mind that if you need root access to run a particular command,
you will usually want to add it as root.
</p>
<h2>System-wide cron directories</h2>
<p>
<code>crontab -e</code> is the typical interface for adding cronjobs, but it's important to at least know that system-wide jobs are often stored in the file directory.
Some programs which need cronjobs will automatically install them in the following way.
</p>
<p>
Run the command <code> ls /etc/cron* </code> you should see a list of directories and there contents. The directories should be something like the below
<ul>
<li> /etc/cron.d <em> This is a crontab like the ones that you create with </em><code> crontab -e </code></li>
<li> /etc/cron.hourly </li>
<li> /etc/cron.daily </li>
<li> /etc/cron.weekly </li>
<li> /etc/cron.monthly </li>
</ul>
<p>
The directories cron.{hourly,daily,weekly,monthly} are where you can put <strong> scripts </strong> to run at those times. You don't put normal cron entries here. I prefer to use these directories for system wide jobs that don't relate to an individual user.
<p>Nginx will listen on port 80 for your <em>server's</em> localhost.</p>
<p>The <code>root</code> line is the path to whichever website of yours you'd like to mirror.</p>
</aside>
<p>
From here we are almost done, all we have to do is enable the site and reload nginx which is also covered in <ahref="nginx.html#enable">the webserver tutorial</a>.
</p>
<h3>Update regularly!</h3>
<p>Make sure to update Tor on a regular basis by running:</p>
<pubDate> Tue, 29 Jun 2021 08:10:31 -0400</pubDate>
<description><![CDATA[<p>There is now a set of basic tutorials on cryptocurrency wallets and concepts up.
The goal here is to allow people to receive tips for sites using all free and open source and peer-to-peer technology.</p>
<p>More tutorials on crypto management and exchanging may be added later, but these focus simply on basic concepts and setting up wallets. They include:</p>
<p>This website is for step-by-step tutorials that allow people to host and maintain their own website and other web services on the cheap or free.</p>