- Anonymous read-only access to a subset of git repositories via:
- - Customized [gitweb](http://git.subgeniuskitty.com/gitweb-sgk/.git) for
- GUI git browsing with syntax highlighting, diffs, etc
+ - Customized [gitweb](http://git.subgeniuskitty.com/gitweb-sgk/.git) for
+ GUI git browsing with syntax highlighting, diffs, etc
- Git-daemon for cloning repositories via the `git://` protocol
# TODO List #
- - Setup SSL with automatic certificate renewal.
-
- - Find a reliable way to alert me when renewal fails.
-
- - Websites should auto-redirect to the SSL version of the site for newer
- browsers only. All sites should still be accessible on pre-SSL vintage
- computers.
-
- Take a snapshot on Linode's backup service once the basic services are
operational.
- Improve CSS on gitweb, especially for displaying READMEs.
+ - Add some form of web logfile viewing.
+
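Review bot: two of the TODO items deleted here are not actually covered by the SSL section this commit adds. "Find a reliable way to alert me when renewal fails" has no counterpart (the new section only runs `certbot renew --dry-run` once by hand), and the "auto-redirect to the SSL version ... for newer browsers only" item is not implemented either: a `*:443` vhost is added, but no `Redirect` or `RewriteRule` on the `*:80` vhost is shown, and the `Strict-Transport-Security` header only takes effect after a browser has already reached the HTTPS site once. Either keep those two items in the list or add the redirect plus a renewal-failure check (for example, have the cron job mail on a non-zero exit status) in this commit.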
# Basic Configuration #
### SSL ###
-TODO
+Install certbot and generate a key for its use.
-TODO
+ apt-get install certbot
+ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
-TODO
+Create `/etc/apache2/conf-available/ssl-params.conf` with the following
+contents.
-TODO
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder off
+ SSLSessionTickets off
+
+ SSLUseStapling On
+ SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
+ Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ Header always set X-Frame-Options SAMEORIGIN
+ Header always set X-Content-Type-Options nosniff
+
+ SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
-TODO
+Enable the new configuration and required mods, then restart Apache2.
-TODO
+ a2enconf ssl-params
+ a2enmod ssl
+ a2enmod headers
+ systemctl restart apache2
-TODO
+Retrieve an initial certificate with the following command, modified to match
+the desired webroot and server names.
-TODO
+<http://subgeniuskitty.com> and <http://logicavalanche.com>:
+
+ certbot certonly --agree-tos --email webmaster@subgeniuskitty.com --webroot -w /srv/apache_vhosts/subgeniuskitty.com/site/data/ -d subgeniuskitty.com -d www.subgeniuskitty.com
+
+<http://archive.subgeniuskitty.com> and <http://git.subgeniuskitty.com>:
+
+ certbot certonly --agree-tos --email webmaster@subgeniuskitty.com --webroot -w /srv/apache_vhosts/archive.subgeniuskitty.com/ -d archive.subgeniuskitty.com
+
+Edit `/etc/apache2/sites-available/subgeniuskitty.com`, adding the following
+`VirtualHost` definition that mostly copies the non-SSL entry.
+
+ <VirtualHost *:443>
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/subgeniuskitty.com/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/subgeniuskitty.com/privkey.pem
+
+ ...copy of vhost definition for host *:80...
+ </VirtualHost>
+
+Edit `/etc/cron.d/certbot` and append `--renew-hook "systemctl reload apache2"`
+to the certbot invokation.
+
+Test with `certbot renew --dry-run`.
+
+Repeat the process for any other sites hosted on this server.
+
+Backup the `/etc/letsencrypt` folder off-server periodically.
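Review bot: the second `certbot certonly` command is introduced as covering both archive.subgeniuskitty.com and git.subgeniuskitty.com, but it only passes `-d archive.subgeniuskitty.com`, so git.subgeniuskitty.com gets no certificate. Add `-d git.subgeniuskitty.com` and make sure that name is served from the `-w` webroot given, because the HTTP-01 challenge for each `-d` name must be answered from that directory. Two smaller points: a `--renew-hook` appended to `/etc/cron.d/certbot` is lost if the package replaces that file on upgrade; a script dropped into `/etc/letsencrypt/renewal-hooks/deploy/` performs the same `systemctl reload apache2` and survives upgrades. And `preload` together with `includeSubDomains` and a two-year `max-age` commits every subdomain to HTTPS; it only bites once the domain is submitted to the browser preload list, but it is very hard to back out of, so confirm every subdomain already has a valid certificate before shipping that header. Typo: "invokation" should be "invocation".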
## Basic Website ##
On the server, as user `ataylor`:
mkdir ~/.ssh
- chmod 700 ~/.ssh
- touch ~/.ssh/authorized_keys
- chmod 600 ~/.ssh/authorized_keys
+ chmod 700 ~/.ssh
+ touch ~/.ssh/authorized_keys
+ chmod 600 ~/.ssh/authorized_keys
Then `cat` the public SSH key from the workstation to the server, appending it
onto `~/.ssh/authorized_keys`.
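Review bot: this hunk only indents the three `chmod`/`touch` lines so they render as a code block, but `mkdir ~/.ssh` just above them is left unindented, so it will render as prose while the rest becomes code; give it the same indentation. The permissions themselves are right (`700` on `~/.ssh`, `600` on `authorized_keys`), and since `sshd` refuses keys in a group- or world-writable `authorized_keys`, it is worth stating in the text that the `cat >>` append on the workstation must not loosen those modes.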