beenull/servnest
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
servnest/README.md
Miraty 1b10e05fef More installation process in the readme
2021-04-14 14:56:35 +02:00

218 lines
5 KiB
Markdown
Raw Blame History

# Niver
## Presentation
Niver is an ecosystem whose main component is the Web interface written in PHP.
This PHP Web interface allow it's users to manage 3 services, that can be used together :
* A domain registry
* A nameserver
* An hypertext service, that allow a directory containing hypertext documents to be accessed with the choice of the protocol and the routing method :
* HTTP(S) or Gemini
* DNS access or Onion (the Tor's system)
## Setup
Niver will use and need specific configuration for
* Knot DNS
* OpenSSH
* Nginx
* Tor
* Gmnisrv
To do root-level actions, Niver will also use a privileged binary, written in Rust, called Maniver.
Niver has been deployed on the following distributions :
* Debian 10, using Nginx 1.14.2 and OpenSSH 7.9p1, and latest available version of Tor, Knot and gmnisrv using their official release channel.
* Arch Linux
To provide all features:
`# pacman -S tor knot openssh sudo nginx nginx-mod-headers-more certbot certbot-nginx php-fpm php-sqlite`
Some tools you might find usefull to manage a server:
`# pacman -S vnstat htop nload ufw vim man-db curl`
### maniver installation
```
# pacman -S rustup git
$ rustup default stable
$ git clone https://code.antopie.org/miraty/maniver-dev
$ cd maniver-dev
$ cargo build --release
# cp ./target/release/maniver /usr/local/bin/
```
### gmnisrv installation
```
# pacman -S make git pkgconf openssl scdoc
$ git clone https://git.sr.ht/~sircmpwn/gmnisrv # Download gmnisrv sources
$ mkdir gmnisrv/build
$ cd gmnisrv/build
$ ../configure --prefix=/usr # Check gmnisrv dependencies and setup files needed for building
$ make # Build gmnisrv
# make install # Install gmnisrv binary and manpages on the system
# useradd -U -r -s /usr/bin/nologin gmnisrv # Add the gmnisrv system user and group
# vim /etc/systemd/system/gmnisrv.service
```
```
[Unit]
Description=A Gemini server
After=network.target
Wants=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/gmnisrv
ExecStop=
#Restart=on-failure
User=gmnisrv
Group=gmnisrv
WorkingDirectory=/srv/ht
[Install]
WantedBy=multi-user.target
```
```
# systemctl daemon-reload
# mkdir -p /srv/gemini/niver.atope.art
# echo "This is a testing Gemini capsule" > /srv/gemini/niver.atope.art/index.gmi
# mkdir /var/local/gmnisrv
# chmod -R 700 /var/local/gmnisrv
# chown -R gmnisrv:gmnisrv /var/local/gmnisrv
# vim /usr/local/etc/gmnisrv.ini
```
```
# Space-separated list of hosts
listen=0.0.0.0:1965 [::]:1965
[:tls]
# Path to store certificates on disk
store=/var/local/gmnisrv
[niver.atope.art]
root=/srv/gemini/niver.atope.art
```
To add knot as an additional group for user php-niver:
`usermod -aG knot php-niver`
To generate a key/certificate pair with ed25519 expiring in 10 years
`openssl req -subj '/CN=domain' -new -newkey ED25519 -days 3650 -nodes -x509 -keyout domain.key -out domain.crt`
### SFTP setup
```
# groupadd ht
# echo "Ce compe n'est accessible qu'en SFTP, pas en SSH.
This account is only available over SFTP, not over SSH." > /etc/nologin.txt
```
### Quota setup
```
# pacman -S quota-tool
# dd if=/dev/zero of=/srv/ht.img count=4194304 # count is the size in octet
# mkfs.ext4 /srv/ht.img
# mkdir /srv/ht
# mount /srv/ht.img /srv/ht
```
### PHP setup
In php.ini :
expose_php = Off
### Niver PHP setup
```
EDITOR=vim visudo
php-niver ALL=(root) NOPASSWD: /usr/local/bin/maniver
```
## Features
### Web interface
* Anonymous: you only need a pseudo/password set
* Page lower than 10 KiB
* No JavaScript, no images, and CSS are optionnal
* Dark and light themes
* Free service running libre software
### Hypertext
* SFTP access
* HTTP and Gemini
* IPv4 and IPv6
* TLS 1.2 & 1.3 or TLS 1.3 only
* DNS (ICANN, OpenNIC or anything) and Onion v3 (through Tor)
* HTTP/1.1 and HTTP/2
* Let's Encrypt certificates
* All HTTP security headers
### Nameserver
* DNSSEC (with NSEC3)
* NS, A, AAAA, TXT, and CAA records
### Registry
* Glue record
* DNSSEC delegation with any modern cypher
## Anti-features
* No internationalized domain name support (you can only use ASCII in your domain name)
* No BIND-style plaintext configuration (you need to fill a form for every record you add or remove)
## Nginx mimetypes association
```
text/plain txt;
text/gemini gmi;
text/markdown md;
text/html html;
text/css css;
text/xml xml;
text/csv csv;
text/javascript js;
application/xhtml+xml xhtml;
application/atom+xml atom;
application/rss+xml rss;
application/json json;
application/gzip gz;
application/zip zip;
application/epub+zip epub;
application/pdf pdf;
font/woff woff;
font/woff2 woff2;
image/png png;
image/tiff tif tiff;
image/gif gif;
image/jpeg jpeg jpg;
image/svg+xml svg svgz;
image/webp webp;
audio/mpeg mp3;
audio/ogg ogg oga opus spx;
audio/webm weba;
audio/flac flac;
video/webm webm;
video/mp4 mp4;
video/ogg ogv;
```
Reference in a new issue View git blame Copy permalink