* SFTPGo, is usually not available from most distributions (as of january 2023)
* Ports 22, 53 and 443 on public IPv6 and IPv4 addresses (not required for a local development/testing setup)
## Steps
[The `servnest-mkosi` repository](https://code.antopie.org/servnest/servnest-mkosi) contains all the information needed to automatically build systems configured to run ServNest. Configuration files used in this document refer to it's `install/` subdirectory.
### DNS resolution
A caching, DNSSEC-validating and TLS-forwarding local stub resolver is recommended, e.g. systemd-resolved, Knot Resolver or Unbound. For systemd-resolved, `ResolveUnicastSingleLabel=yes` is required.
### sudo / sudoers
For the HTTP hosting service, ServNest requires to execute some commands as other users through sudo.
The required sudoers configuration is `sudoers` and can be placed at `/etc/sudoers.d/servnest`.
### Tor
Install the `torrc` file as your Tor configuration. The `%include` statement inside it includes configuration files that will be placed inside any subdirectory of `/srv/servnest/tor-config/`, and is central to the way ServNest uses Tor.
```shell
mkdir /srv/servnest/tor-config
chown -R servnest:tor /srv/servnest/tor-config
chmod -R u=rwX,g=rX,o= /srv/servnest/tor-config
mkdir /srv/servnest/tor-keys
chown -R tor: /srv/servnest/tor-keys
chmod -R u=rwX,g=,o= /srv/servnest/tor-keys
```
If you're using systemd, you might need to override your distribution configuration by placing `tor.service.override.conf` inside `/etc/systemd/system/tor.service.d/`.
### Knot DNS
A local primary Knot DNS server is used for both the registry and name server services. Knot DNS configuration is inside `knot.conf`. Change `42053` port to `53` and local IPs to `::` and `0.0.0.0` (or specific ones).
For a public server, at least one secondary server should be set up. As zones can be dynamically added and deleted from the primary server, [catalog zones](https://zones.cat/) should be used. Configuration for a primary and a secondary server can be found respectively at `mkosi.extra/etc/knot/knot-primary.conf` and `mkosi.extra/etc/knot/knot-secondary.conf`.
Add user `servnest` to group `knot` to allow ServNest to send commands to Knot:
```shell
usermod -aG knot servnest
```
#### Database configuration
Knot configuration must be dynamic, therefore the configuration must stored in database, using:
The configuration file won't be used by Knot anymore.
#### Database configuration edition
Database configuration can be changed using `knotc conf-*` commands, see [Knot DNS 3.2 documentation > Operation > Dynamic configuration](https://www.knot-dns.cz/docs/3.2/html/operation.html#dynamic-configuration). If you don't want to use that and don't want the best uptime possible, you can do the following steps to edit configuration through a plaintext file:
1. Set `enabled` to `false` in `[reg]` and `[ns]` sections of `config.ini`
In addition to PHP itself, the following PHP extensions are required and their packages probably needs to be installed:
* pdo
* pdo_sqlite
* libsodium
* gettext
* curl (only for the `check.php` script)
You might also want to enable the OPcache extension to improve performance.
#### `php.ini`
Set appropriately your `php.ini` to either `php.ini-production` or `php.ini-development` (distributions usually ship `php.ini-production` as the default `php.ini`).
Use `php.ini` as additional PHP configuration (e.g. in `/etc/php/conf.d/servnest.ini`).
#### `php-fpm.conf`
Use `php-fpm.conf` as the PHP-FPM configuration (e.g. in `/etc/php/php-fpm.d/servnest.conf`).
### For systemd
`php-fpm.service.override.conf` may be required as the PHP-FPM service configuration override.
### Certbot
If you are setting up a testing environment, running `certbot` commands in this document without `--test-cert` is probably useless.
Register an ACME account for Let's Encrypt (production and staging):
```shell
certbot register --no-eff-email
certbot register --no-eff-email --test-cert
```
Copy and adapt `certbot.ini` in `/etc/letsencrypt/cli.ini`
A precise configuration is inside the `nginx/` directory. It requires the *headers more* nginx module.
This configuration listens on `[::1]:42443`, `127.0.0.1:42443`, `[::1]:42080` and `127.0.0.1:42080`. For a public server, these should be replaced respectively by `[::]:443`, `0.0.0.0:443`, `[::]:80` and `0.0.0.0:80`. Other addresses (i.e for Onion services and SFTPGo authentication) are not meant to be publicly exposed.
Once this configuration is put in place, replace self-signed certificates by Let's Encrypt certificates:
```shell
certbot certonly -d "ht.servnest.example"
certbot certonly -d "servnest.example"
```
Getting a Let's Encrypt certificate for a wildcard domain requires an ACME [DNS challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). The following command asks to setup a DNS record, this can be done by editing `/srv/servnest/reg/servnest.example` then reload configuration using `knotc zone-reload servnest.example`.
This method also requires manual operations for renewal.
The nginx configuration provided above uses the self-signed key pair at the locations set in the `openssl` command above. Replace those by the ones Certbot told you and reload nginx configuration.
Apache in distributions is usually named `httpd`, `apache` or `apache2`. Adapt these instructions as appropriate.
Apache configuration is inside the `apache/` directory. It runs Apache inside a chroot, though it is not required by the ServNest design. Some paths may need adaptation according to the distribution used (e.g. modules or logs).
Set up the directory where Apache will be chrooted:
Copy the SFTPGo configuration: `cp /install/sftpgo.toml /etc/sftpgo/sftpgo.toml`. For a public setup, change `[[sftpd.bindings]]` sections in it to public IPs and port 22. You can optionally set up in `/etc/sftpgo/banner.txt` a message displayed to users when logging in.
Add user `servnest` to group `sftpgo`:
```shell
usermod -aG sftpgo servnest
```
Permissions for `/etc/sftpgo`:
```shell
chown -R sftpgo: /etc/sftpgo
chmod -R u=rX,g=rX,o= /etc/sftpgo
chmod u=r,g=,o= /etc/sftpgo/ed25519
```
Generate and add SSHFP record for the public SFTP domain: