Make DNS entries for the new server. There might be multiple
entries, one for each $DOMAIN to be served. Keep the TTL value
at 5 minutes or less for now; the TTL can be increased to 24 hours
after everything has been set up and the system is stable.
"ssh" into the new server as root. Example: ssh root@$DOMAIN
Lock down SSHD
Edit /etc/ssh/sshd_config
Disable password authentication
Review other default configuration settings and make prudent
adjustments to ensure your server is secure.
rc-service sshd restart
Testing: log out, then reconnect to verify that you didn't break anything.
Fix nano
Edit /etc/nanorc and fix the key bindings for ^F and ^B so that
they work as in Emacs:
bind ^F forward main
bind ^B back main
Create the "www" user and set up /home/www as a chroot jail
adduser www
mkdir -p /home/www/dev /home/www/proc
→ In the following, mknod values are from Alpine but
also match Ubuntu. I think they are generic to Linux
mknod /home/www/dev/null c 1 3
mknod /home/www/dev/random c 1 8
mknod /home/www/dev/urandom c 1 9
chown root:root /home/www/dev/*
chmod 0666 /home/www/dev/*
chmod 0555 /home/www/proc
mount -t proc /proc /home/www/proc
→ Edit /etc/fstab to append a line:
/proc /home/www/proc none rw,bind 0 2
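A check for the jail just built, as an added example (Python) that is not part of this page: it verifies that the three device nodes have the expected type, major:minor numbers, mode and owner, that nothing else lives in the jail's /dev, and that /proc is really mounted there. The JAIL path and the device numbers are the ones the checklist above uses; run it as root after the steps above.

```python
"""Check a chroot jail's /dev nodes and /proc mount against the checklist above.

Added example, not part of the original page.  The expected device numbers are
the Linux ones the checklist uses: null 1:3, random 1:8, urandom 1:9.
"""
import os
import stat

JAIL = "/home/www"
EXPECTED_DEVS = {"null": (1, 3), "random": (1, 8), "urandom": (1, 9)}


def audit_jail(jail: str = JAIL) -> list:
    """Return a list of findings; an empty list means the jail matches the checklist."""
    findings = []
    devdir = os.path.join(jail, "dev")
    for name, (major, minor) in EXPECTED_DEVS.items():
        path = os.path.join(devdir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if not stat.S_ISCHR(st.st_mode):
            # A plain file named "random" would hand jailed programs fixed bytes.
            findings.append(f"{path}: not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append(f"{path}: is {os.major(st.st_rdev)}:{os.minor(st.st_rdev)}, "
                            f"expected {major}:{minor}")
        if stat.S_IMODE(st.st_mode) != 0o666:
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0666")
        if st.st_uid != 0 or st.st_gid != 0:
            findings.append(f"{path}: not owned by root:root")
    # Anything else under the jail's /dev (a disk or tty node, say) widens what the
    # jailed processes can reach; the checklist creates exactly these three.
    if os.path.isdir(devdir):
        for extra in sorted(set(os.listdir(devdir)) - set(EXPECTED_DEVS)):
            findings.append(f"{os.path.join(devdir, extra)}: unexpected entry")
    procdir = os.path.join(jail, "proc")
    if not os.path.isdir(procdir):
        findings.append(f"{procdir}: missing")
    elif not os.path.ismount(procdir):
        findings.append(f"{procdir}: /proc is not mounted here")
    return findings


if __name__ == "__main__":
    problems = audit_jail()
    print("\n".join(problems) if problems else "jail matches the checklist")
```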
Install Fossil, both inside and outside the chroot jail
mkdir -p /home/www/usr/bin /home/www/logs /home/www/Fossils
chown www /home/www/logs /home/www/Fossils
→ Upload a static fossil binary into /home/www/usr/bin
TO DO: add a link here to instructions on how to build a
static Fossil binary.
→ Upload or clone zero or more Fossil repositories into
the new /home/www/Fossils dir.
→ For each $DOMAIN to be served:
mkdir /home/www/$DOMAIN.website
chown www /home/www/$DOMAIN.website
Create static and dynamic content files in $DOMAIN.website. Examples
are shown below.
Example static content file ".../index.html": <p>Hello, world!</p>
Example dynamic content file ".../src" for invoking Fossil as a
CGI. Make this file executable. Adjust pathnames to point to the
Fossil repository, from the point of view of the chroot jail (omitting
the /home/www prefix):
Note: The althttpd server is launched to serve both unencrypted requests
on port 80 and TLS-encrypted requests on port 443. However, the cert does
not yet exist, so the port 443 option will be silently ignored for now.
rc-update add althttpd default
rc-service althttpd start
Verify that the website is accessible (via "http:" only) and works.
Since encryption is not yet enabled, do not enter passwords or query
sensitive information.
Reboot the server and verify that everything comes back up correctly.
Install certbot
apk add certbot
Construct a script to generate a new cert in /home/www/sbin/cert-update.sh.
This script should read something like the following, except adjusting
the -w and -d arguments appropriately for the domains to be served.
Symbolic link from /home/www/sbin/cert-renew.sh into /etc/periodic/daily.
This will cause a renewal attempt to happen once per day.
/etc/periodic/daily/cert-renew.sh
↑ This should cause the cert to be obtained and the althttpd
server to restart and begin serving TLS-encrypted content.
Install and activate OpenSMTPD
apk add opensmtpd
rc-update add smtpd default
rc-service smtpd start
Notes: The default configuration for the opensmtpd package
is to operate in MTA (mail transfer agent) mode only. It will
not accept incoming email from other machines, only from the
local machine. It then relays the mail to its final recipient.
This is exactly what is wanted for email notification in Fossil,
hence no adjustments to the /etc/smtpd/smtpd.conf file are
necessary.
Testing OpenSMTPD
Create an email message in a text file "msg.txt" that is something
like the following:
To: your-email@gmail.com
From: root@$DOMAIN
Subject: OpenSMTPD test
This is a test message from the new machine, $DOMAIN.
Inject the message thusly:
sendmail -f root@$DOMAIN -t <msg.txt
Verify that the email arrives at your in-box.
Install wapptclsh (optional)
Note: This step is only needed if wapptclsh is used by CGIs
within the web content area. Skip it if you are not using wapptclsh
CGIs.
Upload a static build of wapptclsh to /home/www/usr/bin
TO DO: document how to generate a static wapptclsh
Add a symbolic link: ln -s /home/www/usr/bin/wapptclsh /usr/local/bin
Verify using: wapptclsh -v
Install TCL and the SQLite extension for TCL
Note: This is a prerequisite for the script in the next section that
transfers Fossil email notifications out of the jail and over to
OpenSMTPD for delivery.
Configure one or more of the Fossil repositories for sending email
notifications using the "Store in a database" method. Make the
database file "/data/emailqueue.db".
Send one or more Fossil notification messages to yourself. Verify
that those messages land in the /home/www/data/emailqueue.db file.
Run: tclsh /home/www/sbin/email-sender.tcl. Let
that command run for a few seconds to give enough time to transfer
all of the messages in emailqueue.db over to OpenSMTPD, then stop it
using Ctrl-C.
Check your email to make sure the messages got delivered.
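The hand-off the section above describes (read queued messages out of emailqueue.db, pipe each one to sendmail, then remove it), written here in Python as an added example; it is not the page's email-sender.tcl and Tcl is what the checklist actually runs. It assumes Fossil's "Store in a database" method writes to a table email(emailid INTEGER PRIMARY KEY, msg TEXT), that every msg is a complete message with its own headers, and that OpenSMTPD provides /usr/sbin/sendmail. Unlike a drain-then-send loop, it deletes a row only after sendmail has accepted that message, so an MTA outage delays notifications instead of losing them.

```python
"""Drain Fossil's "Store in a database" email queue to the local MTA.

Added example (Python), not the page's email-sender.tcl.  Assumes Fossil's "db"
method writes to a table email(emailid INTEGER PRIMARY KEY, msg TEXT) and that
each msg carries its own To:/From:/Subject: headers, so "sendmail -t" takes the
recipients from the message itself.
"""
import sqlite3
import subprocess
import sys
import time

DB_FILE = "/home/www/data/emailqueue.db"  # the jail's /data/emailqueue.db, seen from outside
SENDMAIL = ["/usr/sbin/sendmail", "-t", "-i"]  # -i: a lone "." line does not end input


def hand_to_sendmail(msg: str) -> bool:
    """Pipe one message to sendmail's stdin; True only if the MTA accepted it."""
    # argv list, no shell: the message text never touches a command line.
    proc = subprocess.run(SENDMAIL, input=msg.encode("utf-8"),
                          stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        print(f"sendmail exited {proc.returncode}: {proc.stderr.decode(errors='replace')}",
              file=sys.stderr)
    return proc.returncode == 0


def drain_queue(db_path: str, send=hand_to_sendmail) -> int:
    """Forward queued messages oldest first; a row is deleted only after send()
    succeeds, so a failing MTA leaves rows for the next poll instead of losing mail."""
    conn = sqlite3.connect(db_path, timeout=5.0)  # wait if Fossil holds the write lock
    try:
        conn.execute("CREATE TABLE IF NOT EXISTS email(emailid INTEGER PRIMARY KEY, msg TEXT)")
        rows = conn.execute("SELECT emailid, msg FROM email ORDER BY emailid").fetchall()
        sent = 0
        for emailid, msg in rows:
            if not send(msg):
                break  # MTA unhealthy: stop here, keep order, retry on the next poll
            with conn:  # one short write transaction per row; Fossil may be inserting
                conn.execute("DELETE FROM email WHERE emailid=?", (emailid,))
            sent += 1
        return sent
    finally:
        conn.close()


if __name__ == "__main__":
    while True:  # the loop /etc/init.d/email-sender would keep running
        drain_queue(DB_FILE)
        time.sleep(10)
```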
Configure email-sender.tcl to run automatically
Create a new file "/etc/init.d/email-sender" that looks like the
following:
#!/sbin/openrc-run
# docs: https://wiki.alpinelinux.org/wiki/Writing_Init_Scripts
# https://github.com/OpenRC/openrc/blob/master/service-script-guide.md
name=$RC_SVCNAME
description="script to export emails out of the chroot jail"
command=/usr/bin/tclsh
command_args="/home/www/sbin/email-sender.tcl"
command_background=true
pidfile="/run/${RC_SVCNAME}.pid"
rc-update add email-sender default
rc-service email-sender start
Test by visiting the website and sending Fossil notifications
to yourself.
Installing rspamd (for DKIM signing of outgoing email)
Create and populate the domain folder /home/www/$DOMAIN.website
Set up DNS for $DOMAIN to point to the server
Verify page content using http:
Edit /home/www/sbin/certbot-update.sh to add the new domain:
Add a -w entry for /home/www/$DOMAIN.website followed by a -d $DOMAIN.
sh /home/www/sbin/certbot-update.sh
rc-service althttpd restart
Verify using https:
Updating the althttpd binary to a new version
Build a fully static binary on the desktop using procedures to be
published.
Verify: ldd ./althttpd
Verify: ./althttpd -version
scp althttpd root@$SERVER:
ssh root@$SERVER
mv althttpd /usr/local/bin
rc-service althttpd restart
Updating the fossil binary to a new version
Build a fully static binary on the desktop using procedures to be
documented more carefully later.
Verify: ldd ./fossil
Verify: ./fossil version -v
scp fossil root@$SERVER:
ssh root@$SERVER
mv fossil /home/www/usr/bin
Taking a website down for maintenance
Do this, for example, before migrating from one server to another:
take the original website down first so that it does not get modified
while the transfer is in progress.
mkdir /home/www/down.website
chown www /home/www/down.website
Create file "/home/www/down.website/not-found.html" with text like
the following, but with the date/time adjusted appropriately:
<h1>Website Down For Maintenance</h1>
<p>Expect return to service on or before 2025-04-04 00:00Z</p>