from Rob's Dev Log
We will run WriteFreely behind nginx, so we can run other applications on the same server.
In this guide we will set up the application for multiple users with registrations open. You can adjust this to your use case; details will be provided.
I will give instructions assuming you are logged into your server as root for the duration of this guide. If you prefer to log in with the user created in the guide, you will need to use sudo, e.g.
sudo ufw allow ssh
Server Set Up
Start by provisioning a new Ubuntu 19.04 VPS, or get an image and install Ubuntu on an old computer.
Without a VPS you will likely need to find another method of obtaining and using a static IP address, which is outside the scope of this article.
I like to use Vultr (affiliate link: you get $50 free credit and I get $25).
Basic Security Hardening
I'm going to cheat here and just give an overview and some links.
There are a few basic things you should have in place to protect your new server from curious third parties.
Create Another User
This will be the user account you use when administering the server; it should have sudo privileges (guide).
Before you make any changes, make sure you have generated an SSH key on your local machine. Then copy the public key up to the server.
ssh-copy-id username@server-ip, assuming you created the standard
Then disallow root login over SSH, as well as password-based logins.
Some people prefer to change the default port, which doesn't stop a determined intruder but does reduce the log noise from automated attempts.
My own guide here.
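As an added check (an example script written for this page, not from the original post or the linked guide): after editing sshd_config and before restarting the daemon, audit the two settings above. It assumes the usual whitespace-separated keyword form and only inspects the global section of the file.

```shell
#!/bin/sh
# Audit an sshd_config for the two settings this guide changes:
# PermitRootLogin and PasswordAuthentication. Returns 0 when both are
# hardened, 1 otherwise.
# sshd uses the FIRST occurrence of a keyword, so we honour that rule rather
# than the last line; an absent keyword falls back to the OpenSSH defaults
# (PermitRootLogin prohibit-password, PasswordAuthentication yes). Match
# blocks can override settings for specific users, so we stop at the first
# one and audit the global section only.

# Print the effective value of a keyword, ignoring comments and case.
# $1 = config file, $2 = keyword, $3 = default when the keyword is absent
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                     # comment line
        /^[[:space:]]*$/ { next }                     # blank line
        tolower($1) == tolower(key) { print tolower($2); exit }
        tolower($1) == "match" { exit }               # end of global section
    ' "$1")
    printf '%s' "${val:-$3}"
}

# Check both settings; report each problem on stderr and return 1 if any.
check_sshd_config() {
    file="$1"
    ok=0
    root=$(sshd_effective "$file" PermitRootLogin prohibit-password)
    pass=$(sshd_effective "$file" PasswordAuthentication yes)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '$root'; expected 'no'" >&2
        ok=1
    fi
    if [ "$pass" != "no" ]; then
        echo "PasswordAuthentication is '$pass'; expected 'no'" >&2
        ok=1
    fi
    return "$ok"
}

# On a real server (assumed paths/commands for Ubuntu), run it together with
# sshd's own syntax check before restarting, keeping your current session open:
#   check_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart ssh
```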
A basic firewall goes a long way. Using UFW makes this easy.
Allow SSH first, so we can get back in and don't lose our connection when we restart the SSH daemon.
ufw allow ssh
Then enable it with
ufw enable, you can see the status with
Fail2Ban bans sources of repeated failed login attempts, and its logs give some insight into the current volume and origin of those attempts (guide).
In this guide we will set up the open source, MySQL-compatible database MariaDB.
Follow the setup here and remember to store your secure admin password somewhere safe. (The tutorial is for 18.04 but should work the same.)
Follow the guide here. (Again for 18.04, but nothing has changed here.)
Install and Configure WriteFreely
Now we will go over the installation and configuration of the WriteFreely application itself. This includes setting up our database and NGINX configuration.
Download and install the latest version of WriteFreely from here.
Then follow the production guide.
Run writefreely --config and choose the following (most are the defaults):
* Server setup:
  * Production, behind reverse proxy
  * Local port: 8080
* Database setup:
  * Username: pick a MySQL username
  * Password: pick a MySQL password
  * Host: localhost
  * Port: 3360
* App Setup:
  * Multi-user instance
  * Instance name: choose an instance name
  * Public URL: enter a public domain you own
  * Registration: you pick
  * Max blogs per user: you pick
  * Federation: enabled
  * Federation usage stats privacy: public
  * Metadata privacy: public
You can just copy the NGINX config from that guide and use it to replace the contents of your /etc/nginx/sites-available/default. Make sure to edit the parts in bold.
Do the same for the systemd service, making the necessary changes.
Before starting this, make sure to update your domain's DNS settings to point at the new server, which is unfortunately outside the scope of this guide.
Now add the certbot ppa:
$ apt-add-repository ppa:certbot/certbot
Press enter to confirm when prompted. Then update the cache and install certbot with its dependencies:
$ apt update
$ apt install certbot python-certbot-nginx
Then have certbot set up and provision some certificates for you. Follow the prompts provided.
$ certbot --nginx
That's it for certificates. The email entered during this step will be notified when expiry is getting close. Renewal should be taken care of automatically by a cron job; to test that it's working, run
certbot renew --dry-run
On the first run, the user you sign up with becomes the admin. Then you can adjust some of the settings from within the admin panel.
Coming soon. I promise, as soon as I figure it out.
I use a home server that is not exposed to the internet to sync backups from my cloud VPS. It's just a cron job and a simple script that runs rsync. The home server has its own SSH key for authentication.