Diffstat
-rw-r--r-- content/theses/self-sufficiency/web-server.md 97
1 files changed, 97 insertions, 0 deletions
diff --git a/content/theses/self-sufficiency/web-server.md b/content/theses/self-sufficiency/web-server.md
new file mode 100644
index 0000000..9ce5cfa
--- /dev/null
+++ b/content/theses/self-sufficiency/web-server.md
@@ -0,0 +1,97 @@
+---
+title: web-server
+weight: 7
+---
+In order to host anything online nowdays, everybody needs a couple of things. The first is a [domain](/notes/self-sufficiency/domain.md), and the second is a web server to handle the different domains/subdomains and the HTTP(S) requests, and deal with the SSL certificates.
+
+Here we will use [`nginx`](https://nginx.org); [`caddy`](https://caddyserver.com) is also an option (so is `apache`, etc) that automates SSL, but before moving to `NixOS` I was using `nginx`, so I am more familiar with the syntax
+
+We will put the following at the root of our own `modules/server/` folder, since it is the aggregation point for all the following services.
+
+## nix decleration
+
+Make a default.nix at `<PATH-TO-NIX-CONFIG>/modules/server`
+```sh
+$ touch <PATH-TO-NIX-CONFIG>/modules/server/default.nix
+```
+(or use the file explorer of your choice)
+
+### configuration
+
+Open `default.nix` in any text editor, and copy the following
+
+```nix
+{
+ imports = [
+ # ... all the services will go here
+ ];
+
+ services = {
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+
+ sshguard.enable = true;
+
+ openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = false;
+ PasswordAuthentication = false;
+ AllowTcpForwarding = false;
+ X11Forwarding = false;
+ };
+ };
+
+ };
+
+ networking = {
+ firewall.allowedTCPPorts = [ 80 443 ];
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "<YOUR-EMAIL>";
+ }
+}
+```
+and you're done.
+
+Let's break the config file down.
+
+### explanation
+1) We declare `nginx` as enabled, and set it to use the recommended options.
+2) We enable `sshguard`, which protects hosts from brute-force attacks, among other things.
+3) We enable `openssh`, so that we can access the server via SSH, but configure it so that nobody can use a password to log in, and root login is disabled.
+4) We open ports `80 (HTTP)` and `443(HTTPS)` to the internet.
+5) We set up the `acme` service which fetches SSL certificates from LetsEncrypt. Certificates require to accept the terms and an email for communication, so we accept the terms and provide an email.
+
+{{% hint warning %}}
+Before you enable the openssh config as is, make sure you have an `authorizedKey` on your user, otherwise you can be locked out of your machine.
+To set an SSH authorized key add this tou your `user` config
+```nix
+users = {
+ users = {
+ <YOUR-USER> = {
+ # ...
+ openssh.authorizedKeys.keys = [
+ <YOUR-KEY-1>
+ <YOUR-KEY-2>
+ # ...
+ ]
+ # ...
+ }
+ }
+}
+```
+{{% /hint %}}
+
+{{% hint info %}}
+By default nixos sets a daily interval to renew the Let'sEncrypt SSL certificates, so we don't need to worry.
+{{% /hint %}}
+
+Now we can start adding services.
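Review bot: the `security.acme = { ... }` attribute set in the `default.nix` listing will not parse as written, because Nix requires a `;` after every attribute binding and the set is closed with a bare `}` (the lines `defaults.email = "<YOUR-EMAIL>";` / `}` / `}` should end `};` then `}`); readers copying the file will hit an evaluation error before anything else. Second, `PermitRootLogin = false;` is likely to fail the module type check: the NixOS `services.openssh.settings.PermitRootLogin` option is a string enum (`"no"`, `"prohibit-password"`, ...), not a boolean, so `PermitRootLogin = "no";` is the value that matches the text's intent of disabling root login. The `authorizedKeys` snippet in the warning hint has the same missing-semicolon problem (the closing `]`, `}` and `}` should be `];`, `};` and `};`), and the `<YOUR-KEY-1>` placeholders should be shown as quoted strings since the option takes a list of strings. Minor: "nowdays", "decleration" and "tou" are typos, and the domain link points at `/notes/self-sufficiency/domain.md` while this file lives under `content/theses/self-sufficiency/`, so the path may be stale.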
Directive (EU) 2019/790, Article 4(3); all rights regarding Text and Data Mining (TDM) are reserved.