kato
/
installation_guides


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163
							### OpenBSD Server Installation Guide ###

##################################################

# Connecting to Server
ssh root@207.246.121.231

##################################################

# Configuring Users
passwd &&
useradd -G wheel -m user &&
passwd user &&

# Configuring Doas
echo -e "permit persist user as root" | tee /etc/doas.conf

##################################################

# Configuring SSH Authentication
ssh-keygen -t rsa -b 4096 &&
ssh-copy-id -i ~/.ssh/id_rsa.pub user@207.246.121.231 &&
ssh user@207.246.121.231

##################################################

# Updating Server
doas pkg_add -Uu &&

# Installing Packages
doas pkg_add rsync-3.2.7p1 tor i2pd &&

# Configuring Editor
echo -e "set number\nset verbose showmode" | tee ~/.nexrc &&

# Configuring Editor
doas rm /etc/motd &&

# Configuring Firewall

# Configuring SSH
doas sed -i 's/#Port 22/Port 2356/' /etc/ssh/sshd_config &&
doas sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config &&
doas sed -i 's/#StrictModes yes/StrictModes yes/' /etc/ssh/sshd_config &&
doas sed -i 's/#MaxAuthTries 6/MaxAuthTries 1/' /etc/ssh/sshd_config &&
doas sed -i 's/#MaxSessions 10/MaxSessions 1/' /etc/ssh/sshd_config &&
doas sed -i 's/#KbdInteractiveAuthentication yes/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config &&
doas sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
doas sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config &&
doas rcctl reload sshd &&

# httpd
doas cp /etc/examples/httpd.conf /etc/ &&
doas chmod -R 777 /var/www/htdocs &&
mkdir /var/www/htdocs/website.com &&

# http
echo 'server "website.com" {
        listen on * port 80
                root "/htdocs/website.com"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}

server "www.website.com" {
        listen on * port 80
        block return 301 "http://website.com$REQUEST_URI"
}' | doas tee /etc/httpd.conf &&
doas rcctl enable httpd && doas rcctl start httpd && doas httpd -n &&

# ACME Client
doas cp /etc/examples/acme-client.conf /etc/ &&
doas sed -i 's/domain example.com/domain website.com/' /etc/acme-client.conf &&
doas sed -i 's/alternative names { secure.example.com }/alternative names { www.website.com }/' /etc/acme-client.conf &&
doas sed -i 's/domain key "\/etc\/ssl\/private\/example.com.key"/domain key "\/etc\/ssl\/private\/website.com.key"/' /etc/acme-client.conf &&
doas sed -i 's/domain full chain certificate "\/etc\/ssl\/example.com.fullchain.pem"/domain full chain certificate "\/etc\/ssl\/website.com.fullchain.pem"/' /etc/acme-client.conf &&
doas acme-client -v website.com &&

# https
echo 'server "website.com" {
        listen on * tls port 443
                root "/htdocs/website.com"
        tls {
                certificate "/etc/ssl/website.com.fullchain.pem"
                key "/etc/ssl/private/website.com.key"
        }
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}

server "www.website.com" {
        listen on * tls port 443
        tls {
                certificate "/etc/ssl/website.com.fullchain.pem"
                key "/etc/ssl/private/website.com.key"
        }
        block return 301 "https://website.com$REQUEST_URI"
}

server "www.website.com" {
        listen on * port 80
        alias "website.com"
        block return 301 "https://www.website.com$REQUEST_URI"
}

# Include additional MIME types
types {
        include "/usr/share/misc/mime.types"
}' | doas tee /etc/httpd.conf &&
doas rcctl reload httpd && doas httpd -n &&

# TOR
doas sed -i 's/#HiddenServiceDir \/var\/tor\/hidden_service/HiddenServiceDir \/var\/tor\/hidden_service/' /etc/tor/torrc &&
doas sed -i 's/#HiddenServicePort 80 127.0.0.1:80/HiddenServicePort 80 127.0.0.1:80/' /etc/tor/torrc &&
doas rcctl enable tor &&
doas rcctl start tor &&
sleep 5 &&
onion_url=$(doas cat /var/tor/hidden_service/hostname) &&
echo "\nserver \"$onion_url\" {
        listen on * port 80
                root \"/htdocs/website.com\"
}" | doas tee -a /etc/httpd.conf &&
doas rcctl reload httpd && doas httpd -n &&

# I2P
doas sed -i 's/# notransit = true/notransit = true/' /etc/i2pd/i2pd.conf &&
echo -e "\n[website]
type = http
host = 127.0.0.1
port = 8080
keys = website.dat" | doas tee -a /etc/i2pd/tunnels.conf &&
doas rcctl enable i2pd &&
doas rcctl start i2pd &&
sleep 5 &&
ftp -o hostname http://127.0.0.1:7070/?page=i2p_tunnels && grep -oE '[^"[:space:]]+.b32.i2p:8080' hostname | sed 's/:8080//' | doas tee hostname &&
sleep 120 &&
i2p_url=$(doas cat hostname) &&
echo "\nserver \"$i2p_url\" {
        listen on * port 8080
                root \"/htdocs/website.com\"
}" | doas tee -a /etc/httpd.conf &&
doas rm hostname &&
doas rcctl reload httpd && doas httpd -n &&

# Crontab
echo "0 0 * * 0 /usr/local/bin/backupscript" | crontab - &&
echo "0 */6 * * * pkg_add -Uu && syspatch && reboot\n0 0 * * 0 acme-client -v website.com && rcctl reload httpd" | doas crontab - &&

# Backups
mkdir ~/backups &&
echo '#!/bin/sh
openrsync -artv /var/www/htdocs/website.com ~/backups/$(date "+%d_%m_%Y")' | doas tee /usr/local/bin/backupscript &&
doas chmod +x /usr/local/bin/backupscript

##################################################

# Syncing Website
rsync -rtvzPe 'ssh -p 2356' ~/documents/websites/website.com user@207.246.121.231:/var/www/htdocs/ --delete