servnest/README.md
2021-04-14 14:56:35 +02:00


Niver

Presentation

Niver is an ecosystem whose main component is the Web interface written in PHP.

This PHP Web interface allows its users to manage three services that can be used together:

  • A domain registry
  • A nameserver
  • A hypertext service that allows a directory of hypertext documents to be served with a choice of protocol and routing method:
      • HTTP(S) or Gemini
      • DNS or Onion (Tor onion services)

Setup

Niver requires specific configuration of the following software:

  • Knot DNS
  • OpenSSH
  • Nginx
  • Tor
  • Gmnisrv

To perform root-level actions, Niver also uses a privileged binary written in Rust, called Maniver.

Niver has been deployed on the following distributions :

  • Debian 10, using Nginx 1.14.2 and OpenSSH 7.9p1, and the latest available versions of Tor, Knot and gmnisrv from their official release channels.
  • Arch Linux

To install everything needed for all features on Arch Linux:

# pacman -S tor knot openssh sudo nginx nginx-mod-headers-more certbot certbot-nginx php-fpm php-sqlite

Some tools you might find useful to manage a server:

# pacman -S vnstat htop nload ufw vim man-db curl

maniver installation

# pacman -S rustup git
$ rustup default stable
$ git clone https://code.antopie.org/miraty/maniver-dev
$ cd maniver-dev
$ cargo build --release
# cp ./target/release/maniver /usr/local/bin/

gmnisrv installation

# pacman -S make git pkgconf openssl scdoc
$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
$ mkdir gmnisrv/build
$ cd gmnisrv/build
$ ../configure --prefix=/usr/local # Check gmnisrv dependencies and generate the build files; /usr/local puts the binary in /usr/local/bin and the config in /usr/local/etc, which is what the unit file and the gmnisrv.ini path below expect
$ make # Build gmnisrv
# make install # Install gmnisrv binary and manpages on the system
# useradd -U -r -s /usr/bin/nologin gmnisrv # Add the gmnisrv system user and group
# vim /etc/systemd/system/gmnisrv.service
[Unit]
Description=A Gemini server
After=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/gmnisrv
ExecStop=
#Restart=on-failure
User=gmnisrv
Group=gmnisrv
WorkingDirectory=/srv/ht

[Install]
WantedBy=multi-user.target
# systemctl daemon-reload
# mkdir -p /srv/gemini/niver.atope.art
# echo "This is a testing Gemini capsule" > /srv/gemini/niver.atope.art/index.gmi
# mkdir /var/local/gmnisrv
# chmod -R 700 /var/local/gmnisrv
# chown -R gmnisrv:gmnisrv /var/local/gmnisrv
# vim /usr/local/etc/gmnisrv.ini
# Space-separated list of hosts
listen=0.0.0.0:1965 [::]:1965

[:tls]
# Path to store certificates on disk
store=/var/local/gmnisrv

[niver.atope.art]
root=/srv/gemini/niver.atope.art

To add knot as a supplementary group of the php-niver user (so the web interface can talk to Knot):

# usermod -aG knot php-niver

To generate a self-signed Ed25519 key/certificate pair valid for 10 years (3650 days):

$ openssl req -subj '/CN=domain' -new -newkey ED25519 -days 3650 -nodes -x509 -keyout domain.key -out domain.crt

Browsers and Let's Encrypt do not accept Ed25519 certificates, so use such a pair for Gemini (where clients pin the certificate on first use) rather than for HTTPS, which keeps the certbot-issued certificate.

SFTP setup

# groupadd ht
# echo "Ce compte n'est accessible qu'en SFTP, pas en SSH.
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
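The group and nologin message above are only half of an SFTP-only setup: sshd still has to confine the ht group to SFTP and to a chroot. The script below is an added example, not part of the Niver README or project. It assumes a hypothetical layout where each account's chroot is /srv/ht/<user> (owned by root, as OpenSSH requires) with a user-writable public/ directory inside it, and that the sshd service is named sshd (Arch; Debian calls it ssh). One detail worth knowing: the nologin shell only coexists with SFTP because internal-sftp runs inside sshd and never spawns the login shell, whereas the stand-alone sftp-server binary is started through the user's shell and would be refused.

```shell
#!/bin/sh
# Added example, not part of the Niver README or project: confine members of
# the "ht" group created above to chrooted SFTP. Assumed (hypothetical) layout:
# each account's chroot is /srv/ht/<user>, owned by root, with a user-writable
# public/ directory inside it. Service name "sshd" is the Arch one; Debian uses "ssh".

# sshd_config(5) fragment for the ht group. internal-sftp runs inside sshd and
# never spawns the login shell, which is what lets the nologin shell coexist
# with SFTP: the stand-alone sftp-server binary is started through the user's
# shell and would be refused by nologin.
sshd_match_block() {
    cat <<'EOF'

Match Group ht
    ChrootDirectory /srv/ht/%u
    ForceCommand internal-sftp -u 0022
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# OpenSSH refuses a ChrootDirectory unless it (and every parent) is owned by
# root and not writable by group or others. Pure check on a numeric uid and an
# octal mode string as printed by stat -c '%u %a'; returns 0 when acceptable.
chroot_perms_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    case $mode in
        *[2367]?|*[2367]) return 1 ;;  # write bit set in the group or other digit
    esac
    return 0
}

# Same check against a real directory.
check_chroot_dir() {
    perms=$(stat -c '%u %a' "$1") || return 1
    chroot_perms_ok "${perms%% *}" "${perms#* }"
}

# SFTP-only account: nologin shell (so /etc/nologin.txt is what an interactive
# login attempt sees), root-owned chroot, and a public/ directory the user owns.
# The home path does not exist inside the chroot, so sshd starts the session in /.
add_ht_user() {
    name=$1
    useradd -g ht -M -s /usr/bin/nologin -d "/srv/ht/$name" "$name"
    install -d -o root -g root -m 0755 "/srv/ht/$name"
    install -d -o "$name" -g ht -m 0750 "/srv/ht/$name/public"
    check_chroot_dir "/srv/ht/$name"
}

# Privileged steps run only as root and only when invoked as: apply <username>.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = apply ]; then
    groupadd -f ht
    # internal-sftp must also be the global subsystem; replace the stock line.
    sed -i 's|^Subsystem[[:space:]]\{1,\}sftp[[:space:]].*|Subsystem sftp internal-sftp|' /etc/ssh/sshd_config
    grep -q '^Match Group ht' /etc/ssh/sshd_config || sshd_match_block >> /etc/ssh/sshd_config
    sshd -t && systemctl reload sshd   # validate the config before reloading
    add_ht_user "${2:?username}"
fi
```

Run it as root with `apply alice` to create an account; without arguments it only defines the functions, so `check_chroot_dir /srv/ht/alice` can be used on its own to diagnose the "bad ownership or modes for chroot directory" error sshd logs when the root-ownership rule is violated.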

Quota setup

# pacman -S quota-tools
# dd if=/dev/zero of=/srv/ht.img count=4194304 # count is in 512-byte blocks (the dd default), so this is 2 GiB
# mkfs.ext4 /srv/ht.img
# mkdir /srv/ht
# mount -o usrquota /srv/ht.img /srv/ht # usrquota is required before quotacheck/quotaon can enable per-user limits
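Creating and mounting the image does not by itself enforce anything: the quota files still have to be initialised, quota turned on, and a limit set per user. The script below is an added example, not part of the Niver README or project; the paths, the 2 GiB image and the 100 MiB per-user limit are assumptions. It also mounts the upload filesystem nosuid, nodev and noexec, since it only ever holds user-supplied files that are served statically.

```shell
#!/bin/sh
# Added example, not part of the Niver README or project: finish the quota
# setup. The README creates and mounts /srv/ht.img but never initialises or
# turns on quotas; this mounts the image with usrquota, builds the quota
# files and sets a per-user limit. Paths and sizes are assumptions.
IMG=/srv/ht.img
MNT=/srv/ht

# dd counts 512-byte blocks by default, so a size in MiB is 2048 blocks per
# MiB (the README's count=4194304 is therefore 2 GiB).
dd_blocks_for_mib() {
    echo $(( $1 * 2048 ))
}

# setquota(8) takes block limits in KiB.
kib_for_mib() {
    echo $(( $1 * 1024 ))
}

# fstab(5) line for the loop-mounted image. nosuid/nodev/noexec because the
# filesystem only holds user uploads that are served as static files.
fstab_line() {
    echo "$IMG $MNT ext4 loop,usrquota,nosuid,nodev,noexec 0 2"
}

# One-time creation: fallocate is instant where supported (dd of zeros is the
# fallback), then ext4, mount via fstab, build the quota files, turn quota on.
create_ht_fs() {
    size_mib=$1
    fallocate -l "${size_mib}M" "$IMG" || dd if=/dev/zero of="$IMG" bs=512 count="$(dd_blocks_for_mib "$size_mib")"
    mkfs.ext4 -q "$IMG"
    mkdir -p "$MNT"
    grep -q "^$IMG " /etc/fstab || fstab_line >> /etc/fstab
    mount "$MNT"
    quotacheck -cum "$MNT"   # -c create quota files, -u user quotas, -m no remount
    quotaon "$MNT"
}

# Per-user limit: soft = hard = size_mib of blocks, inodes unlimited (0 0).
set_user_quota() {
    user=$1
    size_mib=$2
    kib=$(kib_for_mib "$size_mib")
    setquota -u "$user" "$kib" "$kib" 0 0 "$MNT"
}

# Privileged steps run only as root and only when invoked as: apply <username>.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = apply ]; then
    [ -e "$IMG" ] || create_ht_fs 2048
    set_user_quota "${2:?username}" 100
fi
```

After applying, `repquota -u /srv/ht` lists usage and limits for every user, and an SFTP upload that would cross the hard limit fails with a disk-quota error instead of filling the image.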

PHP setup

In php.ini, set expose_php = Off so PHP stops advertising its version in the X-Powered-By response header.

Niver PHP setup

# EDITOR=vim visudo
php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver

This rule is the privilege boundary between the web user and root: keep the command path absolute and free of wildcards, and treat every argument the PHP code passes to maniver as attacker-influenced input that maniver itself must validate.

Features

Web interface

  • Anonymous: only a username and password are needed
  • Pages under 10 KiB
  • No JavaScript, no images; CSS is optional
  • Dark and light themes
  • Free service running libre software

Hypertext

  • SFTP access
  • HTTP and Gemini
  • IPv4 and IPv6
  • TLS 1.2 & 1.3 or TLS 1.3 only
  • DNS (ICANN, OpenNIC or any other root) and Onion v3 (through Tor)
  • HTTP/1.1 and HTTP/2
  • Let's Encrypt certificates
  • All HTTP security headers

Nameserver

  • DNSSEC (with NSEC3)
  • NS, A, AAAA, TXT, and CAA records

Registry

  • Glue records
  • DNSSEC delegation with any modern algorithm

Anti-features

  • No internationalized domain name support (you can only use ASCII in your domain name)
  • No BIND-style plaintext configuration (you need to fill in a form for every record you add or remove)

Nginx MIME type associations

text/plain            txt;
text/gemini           gmi;
text/markdown         md;
text/html             html;
text/css              css;
text/xml              xml;
text/csv              csv;
text/javascript       js;

application/xhtml+xml xhtml;
application/atom+xml  atom;
application/rss+xml   rss;

application/json      json;
application/gzip      gz;
application/zip       zip;
application/epub+zip  epub;
application/pdf       pdf;

font/woff             woff;
font/woff2            woff2;

image/png             png;
image/tiff            tif tiff;
image/gif             gif;
image/jpeg            jpeg jpg;
image/svg+xml         svg svgz;
image/webp            webp;

audio/mpeg            mp3;
audio/ogg             ogg oga opus spx;
audio/webm            weba;
audio/flac            flac;

video/webm            webm;
video/mp4             mp4;
video/ogg             ogv;