# Various
       
       ## XMPP
       
        Prosody is a lightweight XMPP server that is easy to set up.
 (HTM) https://prosody.im
       
        Here are a few notes on installing Prosody on OpenBSD.
       
       ### Install prosody
       
       ```
       # pkg_add prosody
       ```
       
       ### Add DNS fields for XMPP
       
        A record:
       
       ```
       xmpp.athome.tld
       ```
       
        SRV records:
       
       ```
       _xmpp-client._tcp.athome.tld. 18000 IN SRV 0 5 5222 xmpp.athome.tld.
       _xmpp-server._tcp.athome.tld. 18000 IN SRV 0 5 5269 xmpp.athome.tld.
       ```
       
        If you host MUCs (multi-user chat rooms):
       
       ```
       _xmpp-server._tcp.conference.athome.tld. 18000 IN SRV 0 5 5269 xmpp.athome.tld.
       ```
       
       ### Prosody's Configuration
       
        Edit /etc/prosody/prosody.cfg.lua:
       
       ```
       VirtualHost "athome.tld"
           ssl = {
               certificate = "/etc/prosody/certs/athome.tld.crt";
               key = "/etc/prosody/certs/athome.tld.key";
           }
       ```
       
        The certificate and key must be readable by the _prosody user. If you obtained them with acme-client, install them into Prosody's certificate directory:
       
       ```
       install -g _prosody -o _prosody -m 400 /etc/ssl/private/athome.tld.key /etc/prosody/certs/
       install -g _prosody -o _prosody -m 400 /etc/ssl/athome.tld.crt /etc/prosody/certs/
       ```
       
        Add the previous commands to the periodic task that renews the certificates (cron or weekly.local), so Prosody's copies are refreshed after each renewal.
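As an added example, not from the page or the Prosody project, here is a hook for that periodic task: it reinstalls the key and certificate only when acme-client produced new ones, then checks that the installed copies are readable by their owner alone. The paths, the owner/group arguments and the prosodyctl reload call are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical hook, not from the page): run it from the periodic
# task after acme-client. It copies key and cert into Prosody's cert directory
# only when they changed and verifies the installed copies are mode 400.
set -e

# needs_install SRC DST: true when DST is missing or differs from SRC.
needs_install() {
    [ -f "$2" ] || return 0
    ! cmp -s "$1" "$2"
}

# symbolic_mode FILE: prints the 10-character mode string, e.g. "-r--------".
symbolic_mode() {
    ls -ld "$1" | cut -c1-10
}

# is_owner_only FILE: true when only the owner can read FILE and nobody can write it.
is_owner_only() {
    [ "$(symbolic_mode "$1")" = "-r--------" ]
}

# install_certs KEY CRT DSTDIR OWNER GROUP
# Uses install(1) so ownership and mode are set together with the copy (no window
# where the key sits world-readable). Prints "updated" or "unchanged" so the caller
# knows whether Prosody must be reloaded; fails if an installed file has a bad mode.
install_certs() {
    key=$1 crt=$2 dstdir=$3 owner=$4 group=$5
    changed=0
    for f in "$key" "$crt"; do
        if needs_install "$f" "$dstdir/$(basename "$f")"; then
            install -o "$owner" -g "$group" -m 400 "$f" "$dstdir/"
            changed=1
        fi
    done
    for f in "$key" "$crt"; do
        dst="$dstdir/$(basename "$f")"
        if ! is_owner_only "$dst"; then
            echo "refusing to continue: $dst is not mode 400" >&2
            return 1
        fi
    done
    if [ "$changed" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# Real invocation for the page's domain (assumed paths), reloading only on change:
#   if [ "$(install_certs /etc/ssl/private/athome.tld.key /etc/ssl/athome.tld.crt \
#           /etc/prosody/certs _prosody _prosody)" = updated ]; then
#       prosodyctl reload
#   fi
```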
       
        Add the admin account:
       
       ```
       # prosodyctl adduser batman@athome.tld
       ```
       
        Check that the configuration is all right:
       
       ```
       prosodyctl check config
       ```
       
       ### Prosody's Ports
       
        Open ports 5222 (xmpp-client) and 5269 (xmpp-server) in your firewall.
       
       ### Prosody's logs
       
       Edit /etc/newsyslog.conf:
       
       ```
       /var/prosody/prosody.log                644  5     300  *     Z
       /var/prosody/prosody.err                644  5     300  *     Z
       ```
       
       ### mod_http_file_share
       
        If you enable mod_http_file_share, make sure you also open ports 5280 and 5281.
 (HTM) https://prosody.im/doc/modules/mod_http_file_share
       
        Also, include the file-sharing domain in the TLS certificate.
       
        ### Improve performance with SQLite
       
        I suggest using SQLite instead of the default plain-text internal storage: it uses less CPU.
       
       ```
       storage = "sql" -- Default is "internal"
       sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
       ```
       
       ### Install and upgrade modules
       
       Add in /etc/prosody/prosody.cfg.lua:
       
       ```
       plugin_server = "https://modules.prosody.im/rocks/"
       ```
       
       You can now install/upgrade a module with:
       
       ```
       prosodyctl install module_name
       ```
       
        Add the following line to /etc/daily.local to be told whether a new module version is available:
       
       ```
       /usr/local/sbin/prosodyctl list --outdated
       ```
       
       See also:
 (HTM) https://prosody.im/doc/installing_modules
       
       ### More on Prosody
       
        See the official instructions 😉
 (HTM) https://prosody.im/doc/configure
       
        ## mlmmj: Mailing List
       
        While there are hundreds of social networks, with their own policies and ads, instant messaging apps, forums and so on, remember that mailing lists are a thing. Mailing lists are the future because:
        
        * Mail just works for everyone.
        * Mail will still exist in 10 years.
        * It's easy to manage.
        * Each user chooses how to deal with their emails.
        * You just need an email address to use a mailing list, and everyone has one.
        
        Here, we'll talk about mlmmj since it performs well on OpenBSD, is easy to use and is secure.
       
       mlmmj website
 (HTM) https://mlmmj.org/
       
       ### Install mlmmj
       
       ```
       # pkg_add mlmmj
       ```
       
       ### DNS records for the list
       
        Make sure an MX record is registered for the domain you'll use for your list.
       
       ### Create a new mailing list
       
        Run the mlmmj-make-ml command and follow the instructions.
        
        Below is an example creating the list "pizza" on the domain "list.athome.tld", i.e. "pizza@list.athome.tld".
       
       ```
       # mlmmj-make-ml
       Creating Directorys below /var/spool/mlmmj. Use '-s spooldir' to change
       What should the name of the Mailinglist be? [mlmmj-test] : pizza
       The Domain for the List? [] : athome.tld
       The emailaddress of the list owner? [postmaster] : batman@athome.tld
       
       For the list texts you can choose between the following languages or
       give a absolute path to a directory containing the texts.
       
       Available languages:
       ast   cs    de    en    fi    fr    gr    it    pt    sk    zh-cn
       The path to texts for the list? [en] :
       
       Don't forget to add this to /etc/aliases:
       pizza:  "|/usr/local/bin/mlmmj-receive -L /var/spool/mlmmj/pizza/"
       
       If you're not starting mlmmj-maintd in daemon mode,
       don't forget to add this to your crontab:
       0 */2 * * * "/usr/local/bin/mlmmj-maintd -F -L /var/spool/mlmmj/pizza/"
       
        ** FINAL NOTES **
       1) The mailinglist directory have to be owned by the user running the
       mailserver (i.e. starting the binaries to work the list)
       2) Run newaliases
       ```
       
       Make sure permissions are correct:
       
       ```
       # chown -R _smtpd:_smtpd /var/spool/mlmmj/pizza
       ```
       
        Edit root's (or a dedicated user's) crontab (# crontab -e) to add the line given by mlmmj-make-ml. Make sure you remove the suggested double quotes:
        
        ```
        0 */2 * * *  /usr/local/bin/mlmmj-maintd -F -L /var/spool/mlmmj/pizza
        ```
       
       ### Make smtpd ready for mlmmj
       
       Edit /etc/mail/smtpd.conf so it handles mailing list messages correctly:
       
       ```
       table aliases "/etc/mail/aliases"
       [...]
       action local_mail maildir alias <aliases>
       [...]
       match from any for domain "list.athome.tld" action local_mail
       ```
       
        It is important that the action (local_mail here) handles aliases.
        
        That's why you must edit /etc/mail/aliases to pipe the mailing list's incoming messages to mlmmj:
       
       ```
       pizza:"|/usr/local/bin/mlmmj-receive -L /var/spool/mlmmj/pizza/"
       ```
       
        Finish by running # newaliases, or restart smtpd.
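The three places a list must be wired (the aliases entry, the crontab entry and the spool directory's owner) are easy to get subtly wrong, so here is an added check script (not from the page or from mlmmj) that verifies one list. File paths and the expected owner are passed in; the /var/cron/tabs/root path in the final comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the page or mlmmj): sanity-check one list's wiring after
# following the steps above. Prints one line per check; returns 1 if any failed.
set -e

# line_for KEY FILE: prints the aliases(5) line for KEY ("pizza: ..."), or nothing.
line_for() {
    grep -E "^[[:space:]]*$1[[:space:]]*:" "$2" 2>/dev/null || true
}

# check_list NAME SPOOLDIR ALIASES_FILE CRONTAB_FILE EXPECTED_OWNER
check_list() {
    name=$1 spool=$2 aliases=$3 crontab=$4 owner=$5
    listdir="$spool/$name"
    rc=0

    # 1) aliases must pipe the address into mlmmj-receive for this list's directory
    if line_for "$name" "$aliases" | grep -qF "|/usr/local/bin/mlmmj-receive -L $listdir/"; then
        echo "ok: alias $name pipes to mlmmj-receive"
    else
        echo "missing: alias for $name in $aliases"; rc=1
    fi

    # 2) crontab must run mlmmj-maintd for this list, without the double quotes that
    #    mlmmj-make-ml prints: cron hands the line to sh, which would then look for a
    #    command whose name is the whole quoted string.
    cronline=$(grep -F "mlmmj-maintd -F -L $listdir" "$crontab" 2>/dev/null || true)
    if [ -z "$cronline" ]; then
        echo "missing: mlmmj-maintd entry for $name in $crontab"; rc=1
    elif echo "$cronline" | grep -q '"'; then
        echo "bad: remove the double quotes from the mlmmj-maintd crontab line"; rc=1
    else
        echo "ok: mlmmj-maintd scheduled for $name"
    fi

    # 3) the list directory must exist and belong to the user running the mail server
    if [ ! -d "$listdir" ]; then
        echo "missing: $listdir"; rc=1
    elif [ "$(ls -ld "$listdir" | awk '{print $3}')" != "$owner" ]; then
        echo "bad: $listdir is not owned by $owner"; rc=1
    else
        echo "ok: $listdir owned by $owner"
    fi
    return $rc
}

# Invocation on the page's setup (assumed paths):
#   check_list pizza /var/spool/mlmmj /etc/mail/aliases /var/cron/tabs/root _smtpd
```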
       
       ### Customize a mailing list
       
       You can customize a list by editing the files in /var/spool/mlmmj/pizza/control.
       
       If files don't exist, just create them.
       
        You can filter incoming messages depending on the sender, force plain text, use custom text in templates, modify headers to protect users' privacy and much more.
       
       Look at the official documentation to learn more:
 (HTM) http://mlmmj.org/docs/tunables/
       
       ## Gemini
       
       > Gemini is a new internet protocol which is heavier than gopher, is lighter than the web, will not replace either, strives for maximum power to weight ratio, takes user privacy very seriously.
       
        It is quite an amazing protocol for posting your writings and focusing on content first.
        
        There are various servers, but I'd like to give a few pieces of advice on installing vger, a Gemini server designed for OpenBSD that uses some of its mitigation mechanisms (unveil, pledge...). I also recommend gmid, since its configuration style matches the other OpenBSD daemons.
       
       ### vger
       
        In order to keep vger as simple as possible, Solène, vger's developer, had the brilliant idea of using tools already in the OpenBSD base install:
       
       * relayd to deal with TLS
       * inetd to daemonize vger.
       
       Install vger package:
       
       ```
       # pkg_add vger
       ```
       
        If you read the README, you can learn how to set up a new capsule (a Gemini site).
        
        Edit /etc/inetd.conf to define how vger is run, with the required flags:
       
       ```
       127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger
       ```
       
        By default, vger looks for requested files in /var/gemini.
        
        You can add flags according to the manual. For example, to serve multiple capsules, each stored under /var/gemini in a directory named after the requested domain (/var/gemini/athome.tld, /var/gemini/other.tld, ...), use -v; to enable the auto index, use -i:
       
       ```
       # serve files in /var/gemini/domain
       localhost:11965 stream tcp6 nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
       localhost:11965 stream tcp nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
       ```
       
        Pay attention to the lines above: inetd listens on localhost port 11965 and hands each incoming request to vger, run as the unprivileged user _vger so that a compromised vger cannot escalate privileges. The second line, with tcp6, serves IPv6. For it to work, /etc/hosts must resolve localhost to the local IPv6 address as well:
       
       ```
       127.0.0.1   localhost
       ::1         localhost
       ```
       
        Then add a new section to /etc/relayd.conf:
       
       ```
       ext_ip4 = "192.0.2.2"
       ext_ip6 = "2001:db8::2"
       log connection
       
       tcp protocol "gemini" {
                tls keypair athome.tld
       }
       
       relay "gemini" {
               listen on $ext_ip4 port 1965 tls
               protocol "gemini"
               forward to localhost port 11965
       }
       relay "gemini6" {
               listen on $ext_ip6 port 1965 tls
               protocol "gemini"
               forward to localhost port 11965
       }
       ```
       
       A few words:
       
       * ext_ip4 and ext_ip6: public IP of your server.
       * log connection: Keep log of incoming connections in /var/log/daemon
        * tcp protocol "gemini": here we specify the TLS key pair. If you followed the instructions before, the files are /etc/ssl/private/athome.tld.key and /etc/ssl/athome.tld.crt. You should probably use a self-signed certificate, to spare clients a warning after each certificate renewal (Gemini clients remember the certificate they first saw rather than checking a CA). If you want, set the certificate's expiration date very far in the future.
        * relay "gemini": incoming traffic on external port 1965 is forwarded to port 11965 on localhost, where inetd listens.
       
        This is what happens when someone reaches your capsule:
       
       ```
                     1965       11965
       Visitor ---> Relayd ---> inetd ---> vger
       ```
       
        Finally, enable and start the daemons:
       
       ```
       # rcctl enable inetd relayd
       # rcctl start inetd relayd
       ```
       
        Don't forget to open 1965/TCP in /etc/pf.conf.
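To verify the whole Visitor -> relayd -> inetd -> vger chain end to end, here is an added probe (not from the page, vger or relayd) that sends one request through relayd with openssl(1) and parses the Gemini status line. It assumes openssl is installed and that the hostname passed in is the capsule's domain.

```shell
#!/bin/sh
# Added example (not from the page, vger or relayd): one Gemini request through
# the TLS front end, with the reply header classified by its status code.
set -e

# gemini_status LINE: prints the class of a Gemini response header
# ("<2 digits> <meta>\r\n"): input, success, redirect, tempfail, permfail,
# certreq, or invalid when the header is malformed (e.g. an HTTP server answered).
gemini_status() {
    hdr=$(printf '%s' "$1" | tr -d '\r')
    case "$hdr" in
        [1-6][0-9]' '*|[1-6][0-9]) ;;       # "<status> <meta>" or a bare status
        *) echo invalid; return 0 ;;
    esac
    case "$(printf '%s' "$hdr" | cut -c1)" in   # first digit selects the class
        1) echo input ;;
        2) echo success ;;
        3) echo redirect ;;
        4) echo tempfail ;;
        5) echo permfail ;;
        6) echo certreq ;;
    esac
}

# gemini_meta LINE: prints the <meta> field (MIME type on success, URL on redirect).
gemini_meta() {
    hdr=$(printf '%s' "$1" | tr -d '\r')
    case "$hdr" in
        *' '*) printf '%s\n' "${hdr#* }" ;;
        *) printf '\n' ;;
    esac
}

# probe HOST [PORT]: fetches gemini://HOST/ through relayd and prints
# "<class> <meta>". SNI is sent so relayd and vger -v pick the right capsule.
# The self-signed certificate is not verified against a CA (Gemini clients pin
# instead), so this proves the chain answers, not who answered.
probe() {
    host=$1 port=${2:-1965}
    hdr=$(printf 'gemini://%s/\r\n' "$host" \
        | openssl s_client -quiet -verify_quiet -connect "$host:$port" \
              -servername "$host" 2>/dev/null | head -n 1)
    [ -n "$hdr" ] || { echo "no response from $host:$port" >&2; return 1; }
    printf '%s %s\n' "$(gemini_status "$hdr")" "$(gemini_meta "$hdr")"
}

# probe athome.tld    # a working chain answers: success text/gemini
```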
       
        To go further, see the following links:
       
       Gemini official website
 (HTM) https://geminiprotocol.net/
       
       vger security analysis
 (HTM) https://dataswamp.org/%7Esolene/2021-01-14-vger-security.html
       
       vger source code
 (HTM) https://tildegit.org/solene/vger
       
       ### gmid
       
        Also written by an OpenBSD developer, Omar Polo, gmid has an httpd-like configuration syntax.
       
 (HTM) gemini://gmid.omarpolo.com
       
        After installing gmid, read man gmid.conf: it is very well explained and has examples at the end.
       
       ```
       # pkg_add gmid
       # rcctl enable gmid
       # vi /etc/gmid.conf
       # gmid -n
       # rcctl start gmid
       ```
       
        Below is the gmid.conf I use, with a chroot, a self-signed certificate and a Tor onion hidden service:
       
       ```
       user "_gmid"
       chroot "/var/gemini"
       log style combined
       
       types {
               include "/usr/share/misc/mime.types"
       }
       
       server "si3t.ch" {
               listen on * port 1965
               cert "/etc/ssl/si3t.ch-self.crt"
               key  "/etc/ssl/private/si3t.ch-self.key"
               root "si3t.ch"
               lang fr
               auto index on
       }
       
       server "b2khgkvb2wn4avjshjp63kknsjwikgwff5dwwydldia6qwf4kdnueyad.onion" {
               listen on localhost port 11966
               cert "/etc/ssl/si3t.ch-self.crt"
               key  "/etc/ssl/private/si3t.ch-self.key"
               root "si3t.ch"
               lang fr
               auto index on
       }
       ```
       
       ## Gopher (geomyidae)
       
        The Gopher protocol is the precursor of the widely used HTTP. Some still use it to transfer files and serve mostly text content.
        
        You'll have to open port 70.
        
        Put the files you want to serve in /var/gopher; they will be available at gopher://athome.tld.
        
        The geomyidae server is written in C by one of the suckless developers.
 (HTM) http://r-36.net/scm/geomyidae/file/README.html
       
       To install it:
       
       ```
       # pkg_add geomyidae
       # rcctl enable geomyidae
       # rcctl start geomyidae
       ```
       
       That's it, now fill /var/gopher 😊.
       
        However, I strongly recommend reading the geomyidae manpage and adjusting the default flags. For example, you may want something like this:
       
       ```
       # rcctl set geomyidae flags -c -e -h athome.tld -b /var/gopher/athome.tld -t /etc/ssl/private/athome.tld.key /etc/ssl/athome.tld.crt
       ```
       
       Logs are in /var/log/geomyidae.log.
       
        See also the gophernicus server (gopher://gophernicus.org/), which supports unveil on OpenBSD.
       
 (DIR) gopher://gophernicus.org/
       
       ## Seedbox
       
       ### With rtorrent
       
        rtorrent is a lightweight and efficient torrent client.
 (HTM) https://github.com/rakshasa/rtorrent/wiki/
       
        Its text-based interface is nice if you don't want to bother with a web app and prefer to control your seedbox remotely over SSH.
       
       ```
       # pkg_add rtorrent
       ```
       
        Add a dedicated user _rtorrent for privilege separation, then log in as _rtorrent:
       
       ```
       # su _rtorrent
       ```
       
       Create required directories:
       
       ```
       $ mkdir -p seedbox/{download,session,torrents}
       ```
       
       Now create ~/.rtorrent.rc from the example:
       
       ```
       $ cp /usr/local/share/examples/rtorrent/rtorrent.rc ~/.rtorrent.rc
       ```
       
        Edit that file:
       
       ```
       # Global upload and download rate in KiB. "0" for unlimited.
       download_rate = 0
       upload_rate = 20
       
        directory = ~/seedbox/download
       session = ~/seedbox/session
       
       # When a torrent file is copied in torrents dir, it's added to rtorrent
       schedule = watch_directory,5,5,load_start=~/seedbox/torrents/*.torrent
       schedule = untied_directory,5,5,stop_untied=~/seedbox/torrents/*.torrent
       
       check_hash = yes
       
       use_udp_trackers = yes
       
       encryption = allow_incoming,try_outgoing,enable_retry
       
       dht = auto
       
       peer_exchange = yes
       
       # Run script to get alerts when download finish
       system.method.set_key = event.download.finished,notify_me,"execute=~/.rtorrent_mail.sh,$d.get_name="
       
       # add dht node so magnets works fine
       schedule2 = dht_node_1, 5, 0, "dht.add_node=router.utorrent.com:6881"
       schedule2 = dht_node_2, 5, 0, "dht.add_node=dht.transmissionbt.com:6881"
       schedule2 = dht_node_3, 5, 0, "dht.add_node=router.bitcomet.com:6881"
       schedule2 = dht_node_4, 5, 0, "dht.add_node=dht.aelitis.com:6881"
       ```
       
        Create the script ~/.rtorrent_mail.sh (and make it executable) to get an alert when a download completes:
       
       ```
       #!/bin/sh
       echo "$(date) : $1 - Download completed." | mail -s "[rtorrent] - Download completed : $1" root
       ```
       
       To add a new torrent file, you may use scp:
       
       ```
       $ scp *.torrent _rtorrent@chezmoi.tld:/home/_rtorrent/seedbox/torrents/
       ```
       
        To have rtorrent automatically started at boot, edit the _rtorrent user's crontab and add:
       
       ```
       @reboot /usr/bin/tmux new -s rtorrent -d /usr/local/bin/rtorrent
       ```
       
       We use tmux to put rtorrent in the background.
 (HTM) https://man.openbsd.org/tmux
       
        If you need to see rtorrent's interface, log in as _rtorrent over ssh and run tmux a -t rtorrent. Press ctrl-b then "d" to detach. To add a magnet link, press "backspace" and enter the link.
       
       When in doubt:
       
       ```
       $ rtorrent -h
       ```
       
       ### Transmission
       
        Transmission works very well and offers a web interface.
 (HTM) https://www.transmissionbt.com/
       
       ```
       # pkg_add transmission
       ```
       
        Start and then stop the daemon so that it creates its configuration file, which we can then edit:
       
       ```
       # rcctl enable transmission_daemon
       # rcctl start transmission_daemon
       # rcctl stop transmission_daemon
       ```
       
        Create directories to download files into and to store .torrent files:
       
       ```
       # mkdir -p /var/transmission/{downloads,incomplete,torrents}
       # chown -R _transmission:_transmission /var/transmission
       ```
       
        If other users should be able to read the above directories:
       
       ```
       # chmod a+rX /var/transmission
       ```
       
       Now edit this file to configure transmission:
       
       ```
       /var/transmission/.config/transmission-daemon/settings.json
       ```
       
       You may set:
       
       ```
       "download-dir": "/var/transmission/downloads",
       "encryption": 2,
       "incomplete-dir": "/var/transmission/incomplete",
       "incomplete-dir-enabled": true,
       "peer-port-random-on-start": true,
       ```
       
        I suggest adding the following lines to automatically start downloading torrents you copied (with SFTP, for example) into /var/transmission/torrents:
       
       ```
       "watch-dir": "/var/transmission/torrents",
       "watch-dir-enabled": true
       ```
       
       To get an alert when a download is complete:
       
       ```
       "script-torrent-done-enabled": true,
       "script-torrent-done-filename": "/var/transmission/dl-done.sh",
       ```
       
        The dl-done.sh script looks like this:
       
       ```
       #!/bin/sh
       echo "$(date) : $TR_TORRENT_NAME - Download completed." | mail -s "[transmission] - Download completed : $TR_TORRENT_NAME" toto@example.com
       ```
       
       Remember it must be executable:
       
       ```
       # chmod +x /var/transmission/dl-done.sh
       ```
       
       When you're done configuring, restart transmission:
       
       ```
       # rcctl start transmission_daemon
       ```
       
        The easiest way to reach the web interface is an SSH tunnel. From your computer, open a tunnel to the server:
       
       ```
       ssh -N -L 9999:127.0.0.1:9091 batman@athome.tld
       ```
       
       Now open a browser at http://localhost:9999.
       
       ## Syncthing
       
        Syncthing is an amazing tool to keep your data in sync across multiple devices.
 (HTM) https://syncthing.net/
       
        It is supported on all platforms. Transfers are encrypted by default. It is really well done 😋.
       
       ### Install and configure
       
       ```
       # pkg_add syncthing
       ```
       
       Let it run as a daemon:
       
       ```
       # rcctl enable syncthing
       # rcctl start syncthing
       ```
       
        By default, Syncthing's configuration is stored in /var/syncthing. You may edit those files to add new shares and configure various options, but it is quite complex. Instead, I suggest opening the UI through an SSH tunnel 😊. From your computer, run:
       
       ```
       ssh -N -L 9999:127.0.0.1:8384 batman@athome.tld
       ```
       
       Then open a browser to http://localhost:9999.
       
        Now look at the official docs.
 (HTM) https://docs.syncthing.net/users/
       
        You will learn what to do if you encounter issues, or how to run Syncthing only inside an SSH tunnel between clients.
       
        ## Tor: relay and hidden services
       
        Tor is software that helps protect privacy on the Internet.
 (HTM) https://www.torproject.org/
       
        It relies on onion routing (traffic wrapped in multiple layers of encryption and passed through a chain of relays), which is why the project needs volunteers to run relay nodes.
       
       ### Configure a tor relay
       
        Tor may need to open lots of connections, so you'll need to edit /etc/sysctl.conf to raise the limit:
       
       ```
       kern.maxfiles=20000
       ```
       
       Install and enable tor:
       
       ```
       # pkg_add tor
       # rcctl enable tor
       ```
       
       Then, make sure you open port 9001.
       
        Then edit /etc/tor/torrc with the following lines:
       
       ```
       SOCKSPort 0
       ORPort 9001
       Nickname nick
        RelayBandwidthRate 75 KB
        RelayBandwidthBurst 100 KB
       ContactInfo yourname <adress AT email dot tld>
       ExitPolicy reject *:* # no exits allowed
       ```
       
       Adjust values according to your needs and how much bandwidth you want to allocate.
       
        Finally, restart tor and look for messages like these in /var/log/messages:
       
       ```
       May 12 12:20:41 athome Tor[12059]: Bootstrapped 80%: Connecting to the Tor network
       May 12 12:20:41 athome Tor[12059]: Bootstrapped 85%: Finishing handshake with first hop
       May 12 12:20:42 athome Tor[12059]: Bootstrapped 90%: Establishing a Tor circuit
       May 12 12:20:44 athome Tor[12059]: Tor has successfully opened a circuit. Looks like client functionality is working.
       May 12 12:20:44 athome Tor[12059]: Bootstrapped 100%: Done
       May 12 12:20:44 athome Tor[12059]: Now checking whether ORPort 109.190.xxx.xxx:9001 is reachable... (this may
       take up to 20 minutes -- look for log messages indicating success)
       May 12 12:21:10 athome Tor[12059]: Self-testing indicates your ORPort is reachab
       ```
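Rather than reading /var/log/messages by eye, the relay's state can be extracted from those lines. Below is an added script (not from the page or the Tor project) working on a constructed sample log with a placeholder address; the wording of Tor's "has not managed to confirm" reachability warning is an assumption.

```shell
#!/bin/sh
# Added example (not from the page or Tor): summarise bootstrap progress and the
# ORPort self-test from syslog lines like the ones above.
set -e

# bootstrap_pct FILE: percentage from the most recent "Bootstrapped NN%" line,
# or 0 when Tor has not logged any yet.
bootstrap_pct() {
    pct=$(grep -o 'Bootstrapped [0-9]*%' "$1" | tail -n 1 | tr -dc '0-9')
    echo "${pct:-0}"
}

# orport_state FILE: reachable when the self-test succeeded, unreachable when Tor
# warned it could not confirm reachability (wording assumed), otherwise pending.
# The LAST matching line wins, so a later success overrides an earlier failure.
# The "Now checking whether ORPort ... is reachable" line is deliberately not matched.
orport_state() {
    last=$(grep -E 'Self-testing indicates your ORPort|has not managed to confirm' "$1" \
           | tail -n 1)
    case "$last" in
        *'Self-testing indicates your ORPort'*) echo reachable ;;
        *'has not managed to confirm'*)         echo unreachable ;;
        *)                                      echo pending ;;
    esac
}

# relay_report FILE: one-line summary; returns non-zero while the relay is not
# fully bootstrapped and confirmed reachable, so a periodic script can alert.
relay_report() {
    pct=$(bootstrap_pct "$1")
    state=$(orport_state "$1")
    echo "bootstrap=${pct}% orport=$state"
    if [ "$pct" -eq 100 ] && [ "$state" = reachable ]; then return 0; fi
    return 1
}

# Constructed sample (not real logs): the page's sequence with a placeholder IP.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 12 12:20:41 athome Tor[12059]: Bootstrapped 80%: Connecting to the Tor network
May 12 12:20:42 athome Tor[12059]: Bootstrapped 90%: Establishing a Tor circuit
May 12 12:20:44 athome Tor[12059]: Bootstrapped 100%: Done
May 12 12:20:44 athome Tor[12059]: Now checking whether ORPort 192.0.2.2:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 12 12:21:10 athome Tor[12059]: Self-testing indicates your ORPort is reachable from the outside. Excellent.
EOF

# relay_report "$SAMPLE_LOG"    # prints: bootstrap=100% orport=reachable
```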
       
       ### Configure a hidden service
       
        Hidden services are reachable through a ".onion" URL.
        
        ⚠ Be aware that running a relay AND a hidden service on the same machine is strongly discouraged.
        
        It can be very handy: the onion URL stays the same even if your IP address changes in the future.
       
       Enable a hidden service in /etc/tor/torrc:
       
       ```
       SOCKSPort 0
       HiddenServiceDir /var/tor/hidden/
       HiddenServicePort 80 localhost:80
       ```
       
        Restart Tor with # rcctl restart tor. Two new files appear in /var/tor/hidden: hostname and private_key. Find your onion URL in the hostname file:
       
       ```
       # cat /var/tor/hidden/hostname
       5rud2tr7sm3oskw5.onion
       ```
       
       KEEP private_key safe and secret.
       
        In the above example, we serve a website (port 80 on localhost). You can add a new section to httpd.conf to serve this hostname:
       
       ```
       server "5rud2tr7sm3oskw5.onion" {
               listen on localhost port 80
                root "/htdocs/athome.tld"
               directory index index.html
       
               [...]
       }
       ```
       
       ## Monitoring
       
        Below are a few suggestions to keep an eye on your server's load.
       
       ### systat
       
        * systat vm: top-like view of disks, processes, memory and network.
        * systat ifstat: network interface load.
        * systat sensors: temperatures.
       
       ```
       cpu0.temp0          51.00 degC
       acpitz0.temp0       26.80 degC      zone temperature
       ```
       
       Type q to quit.
       
       ### vmstat
       
        Quick look at system load:
       
       ```
       $ vmstat
        procs    memory       page                    disks    traps          cpu
        r   s   avm     fre  flt  re  pi  po  fr  sr sd0 sd1  int   sys   cs us sy id
        1 274 1500M   1253M  657   0   0   0   0   0   1   4  190 15482 1826  2  1 97
       ```
       
       ### Others
       
        Look at symon/symux/syweb if you want real-time graphs. It requires PHP.
 (HTM) https://wpd.home.xs4all.nl/symon/
       
        Grafana draws nice graphs too.
 (HTM) https://grafana.com/
       
       Look at monit to get alerts when the load gets over a threshold.
 (HTM) https://www.mmonit.com/monit/
       
       SmokePing is a latency measurement tool.
 (HTM) https://oss.oetiker.ch/smokeping/
       