cd / ;
apropos ;
Prosody is a light and easy to set up XMPP server
Here are a few notes to install prosody on OpenBSD.
# pkg_add prosody
A record :
xmpp.athome.tld
SRV records :
_xmpp-client._tcp.athome.tld. 18000 IN SRV 0 5 5222 xmpp.athome.tld. _xmpp-server._tcp.athome.tld. 18000 IN SRV 0 5 5269 xmpp.athome.tld.
If you host MUCs :
_xmpp-server._tcp.conference.athome.tld. 18000 IN SRV 0 5 5269 xmpp.athome.tld.
Edit /etc/prosody/prosody.cfg.lua
VirtualHost "athome.tld"
ssl = {
certificate = "/etc/prosody/certs/athome.tld.crt";
key = "/etc/prosody/certs/athome.tld.key";
}
Certificate must be readable by _prosody user. If you got them with acme-client, then you need to install them in prosody directory :
install -g _prosody -o _prosody -m 400 /etc/ssl/private/athome.tld.key /etc/prosody/certs/ install -g _prosody -o _prosody -m 400 /etc/ssl/athome.tld.crt /etc/prosody/certs/
Add the previous commands to your periodic task (cron? weekly.local?) when certificates are renewed.
Add the admin:
# prosodyctl adduser batman@athome.tld
Check it's allright:
prosodyctl check config
Open 5222 (xmpp-client) and 5269 (xmpp-server).
Edit /etc/newsyslog.conf:
/var/prosody/prosody.log 644 5 300 * Z /var/prosody/prosody.err 644 5 300 * Z
If you enable http_file_share, make sure you open 5280 and 5281 ports.
https://prosody.im/doc/modules/mod_http_file_share
Also, add the domain for file sharing in tls certificate.
I suggest to use SQLite instead of the default plain text internal storage for less CPU usage.
storage = "sql" -- Default is "internal"
sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
Add in /etc/prosody/prosody.cfg.lua:
plugin_server = "https://modules.prosody.im/rocks/"
You can now install/upgrade a module with:
prosodyctl install module_name
Add in /etc/daily.local the following line to know wether a new module version is available:
/usr/local/sbin/prosodyctl list --outdated
See also:
https://prosody.im/doc/installing_modules
Look official instructions 😉
https://prosody.im/doc/configure
While there are hundreds of social networks, with their own policies and ads, instant messenging apps, forums and so on, remember mailing lists are a thing. Mailing lists are the future because :
Here, we'll talk about mlmmj since it perform well on OpenBSD, is easy and secured.
mlmmj website
# pkg_add mlmmj
Make sure a MX record is registered for the domain you'll use for your list.
Use command mlmmj-make-ml and follow instructions.
Below is an example to create list "pizza" on the domain "list.athome.tld", so "pizza@list.athome.tld".
# mlmmj-make-ml Creating Directorys below /var/spool/mlmmj. Use '-s spooldir' to change What should the name of the Mailinglist be? [mlmmj-test] : pizza The Domain for the List? [] : athome.tld The emailaddress of the list owner? [postmaster] : batman@athome.tld For the list texts you can choose between the following languages or give a absolute path to a directory containing the texts. Available languages: ast cs de en fi fr gr it pt sk zh-cn The path to texts for the list? [en] : Don't forget to add this to /etc/aliases: pizza: "|/usr/local/bin/mlmmj-receive -L /var/spool/mlmmj/pizza/" If you're not starting mlmmj-maintd in daemon mode, don't forget to add this to your crontab: 0 */2 * * * "/usr/local/bin/mlmmj-maintd -F -L /var/spool/mlmmj/pizza/" ** FINAL NOTES ** 1) The mailinglist directory have to be owned by the user running the mailserver (i.e. starting the binaries to work the list) 2) Run newaliases
Make sure permissions are correct:
# chown -R _smtpd:_smtpd /var/spool/mlmmj/pizza
Edit root's (or a dedicated user) crontab (# crontab -e) to add the line given by mlmmj-make-ml. Btw, make sure you remove the double quotes suggested:
0 */2 * * * /usr/bin/mlmmj-maintd -F -L /var/spool/mlmmj/pizza
Edit /etc/mail/smtpd.conf so it handles mailing list messages correctly:
table aliases "/etc/mail/aliases" [...] action local_mail maildir alias <aliases> [...] match from any for domain "list.athome.tld" action local_mail
It is important that action (local_mail here) handle aliases.
That's why you must edit /etc/mail/aliases to pipe incoming messages to mlmmj for the mailing list:
pizza:"|/usr/local/bin/mlmmj-receive -L /var/spool/mlmmj/pizza/"
End with # newaliases command or restart smtpd.
You can customize a list by editing the files in /var/spool/mlmmj/pizza/control.
If files don't exist, just create them.
You can filter incoming messages depending on the sender, force plaintext, use custom text in templates, modify headers to keep users privacy and much more.
Look at the official documentation to learn more:
http://mlmmj.org/docs/tunables/
Gemini is a new internet protocol which is heavier than gopher, is lighter than the web, will not replace either, strives for maximum power to weight ratio, takes user privacy very seriously.
It is quite an amazing protocol to post your writings and focus first on content.
There a various servers, but I'd like to give a few advices to install vger, a gemini server designed for OpenBSD involving some of its mitigation mecanism (unveil, pledge...). I also recommend gmid, since it share same configuration as other OpenBSD daemons.
In order to keep vger as simple as possible, Solène -- vger's developer -- had the brilliant idea to use tools already in OpenBSD base install :
Install vger package:
# pkg_add vger
If you read the README, you can learn how to set up a new capsule (a gemini website).
Edit /etc/inetd.conf to set how vger will be run, with the required flags.
127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger
By default, vger look for requested files in /var/gemini.
You can add flags according to the manual. As example, if you want to serve multiple capsules, each one stored in a directory named after the domain name requested in /var/gemini (/var/gemini/athome.tld, /var/gemini/other.tld,...) with -v, enable auto index with -i:
# serve files in /var/gemini/domain localhost:11965 stream tcp6 nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i localhost:11965 stream tcp nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
Pay attention to the lines above. inetd listens on localhost on port 11965 and send the incoming request to vger run as user _vger to avoid privilege escalation. A second line with tcp6 is added to serve on the IpV6. However, you should have filled /etc/hosts accordingly so localhost resolve to local ipv6:
127.0.0.1 localhost ::1 localhost
Then, you can add a new part to relayd in /etc/relayd.conf:
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2"
log connection
tcp protocol "gemini" {
tls keypair chezmoi.tld
}
relay "gemini" {
listen on $ext_ip4 port 1965 tls
protocol "gemini"
forward to localhost port 11965
}
relay "gemini6" {
listen on $ext_ip6 port 1965 tls
protocol "gemini"
forward to localhost port 11965
}
A few words:
This is what happens when someone reach your capsule:
1965 11965 Visitor ---> Relayd ---> inetd ---> vger
Finally, enable and reload daemons :
# rcctl enable inetd relayd # rcctl start inetd relayd
Don't forget to open 1965/TCP in /etc/pf.conf
To go further, see following links:
Gemini official website
vger security analysis
https://dataswamp.org/%7Esolene/2021-01-14-vger-security.html
vger source code
https://tildegit.org/solene/vger
Also written by an OpenBSD developer, aka Omar Polo, gmid has a httpd's like syntax.
After installing gmid, look at man gmid.conf, it is very well explained and has examples at the end.
# pkg_add gmid # rcctl enable gmid # vi /etc/gmid.conf # gmid -n # rcctl start gmid
Below, find the gmid.conf I use with a chroot, a self signed certificate and a tor onion hidden service:
user "_gmid"
chroot "/var/gemini"
log style combined
types {
include "/usr/share/misc/mime.types"
}
server "si3t.ch" {
listen on * port 1965
cert "/etc/ssl/si3t.ch-self.crt"
key "/etc/ssl/private/si3t.ch-self.key"
root "si3t.ch"
lang fr
auto index on
}
server "b2khgkvb2wn4avjshjp63kknsjwikgwff5dwwydldia6qwf4kdnueyad.onion" {
listen on localhost port 11966
cert "/etc/ssl/si3t.ch-self.crt"
key "/etc/ssl/private/si3t.ch-self.key"
root "si3t.ch"
lang fr
auto index on
}
Gopher protocol is the precursor of widely used http. However, some still use it to transfer files and serve mostly text content.
You'll have to open 70 port.
Put the files you want to serve in /var/gopher, they will be available on gopher://athome.tld.
geomyidae server is written in C by one of suckless developpers.
http://r-36.net/scm/geomyidae/file/README.html
To install it:
# pkg_add geomyidae # rcctl enable geomyidae # rcctl start geomyidae
That's it, now fill /var/gopher 😊.
However, I strongly recomment to read geomyidae manpage to edit default flags. As example, you may want something like this:
# rcctl set geomyidae flags -c -e -h athome.tld -b /var/gopher/athome.tld -t /etc/ssl/private/athome.tld.key /etc/ssl/athome.tld.crt
Logs are in /var/log/geomyidae.log.
See also gophernicus server (gopher://gophernicus.org/) which can be unveiled under OpenBSD.
rtorrent is a light and efficient torrent client.
https://github.com/rakshasa/rtorrent/wiki/
It's text-based interface is nice if you don't want to bother with a webapp and remote control your seedbox with SSH.
# pkg_add rtorrent
Add a dedicated user _rtorrent for privileges separation. Now log in as _rtorrent:
# su _rtorrent
Create required directories:
$ mkdir -p seedbox/{download,session,torrents}
Now create ~/.rtorrent.rc from the example:
$ cp /usr/local/share/examples/rtorrent/rtorrent.rc ~/.rtorrent.rc
Edit that file.
# Global upload and download rate in KiB. "0" for unlimited. download_rate = 0 upload_rate = 20 directory = ~/seedbox/download session = ~/seedbox/session # When a torrent file is copied in torrents dir, it's added to rtorrent schedule = watch_directory,5,5,load_start=~/seedbox/torrents/*.torrent schedule = untied_directory,5,5,stop_untied=~/seedbox/torrents/*.torrent check_hash = yes use_udp_trackers = yes encryption = allow_incoming,try_outgoing,enable_retry dht = auto peer_exchange = yes # Run script to get alerts when download finish system.method.set_key = event.download.finished,notify_me,"execute=~/.rtorrent_mail.sh,$d.get_name=" # add dht node so magnets works fine schedule2 = dht_node_1, 5, 0, "dht.add_node=router.utorrent.com:6881" schedule2 = dht_node_2, 5, 0, "dht.add_node=dht.transmissionbt.com:6881" schedule2 = dht_node_3, 5, 0, "dht.add_node=router.bitcomet.com:6881" schedule2 = dht_node_4, 5, 0, "dht.add_node=dht.aelitis.com:6881"
Fill the script ~/.rtorrent_mail.sh to get alerts when a download is complete.
#!/bin/sh echo "$(date) : $1 - Download completed." | mail -s "[rtorrent] - Download completed : $1" root
To add a new torrent file, you may use scp:
$ scp *.torrent _rtorrent@chezmoi.tld:/home/_rtorrent/seedbox/torrents/
To have rtorrent automatically started at boot, edit _rtorrent user's crontab and add :
@reboot /usr/bin/tmux new -s rtorrent -d /usr/local/bin/rtorrent
We use tmux to put rtorrent in the background.
If you need to display rtorrent, log in as _rtorrent with ssh and run tmux a -t rtorrent. Press ctrl-b then "d" to detach. To add a magnet link, press "backspace" and copy the link.
When in doubt:
$ rtorrent -h
Transmission works very well and offer a web interface.
https://www.transmissionbt.com/
# pkg_add transmission
We start and stop daemon so we can create then edit configuration file.
# rcctl enable transmission_daemon # rcctl start transmission_daemon # rcctl stop transmission_daemon
Creates directories to download files and store .torrent.
# mkdir -p /var/transmission/{downloads,incomplete,torrents}
# chown -R _transmission:_transmission /var/transmission
If others can see the above directories:
# chmod a+rX /var/transmission
Now edit this file to configure transmission:
/var/transmission/.config/transmission-daemon/settings.json
You may set:
"download-dir": "/var/transmission/downloads", "encryption": 2, "incomplete-dir": "/var/transmission/incomplete", "incomplete-dir-enabled": true, "peer-port-random-on-start": true,
I suggest to add the following lines to automatically start downloading torents you copied (with SFTP as example) in /var/transmission/torrents.
"watch-dir": "/var/transmission/torrents", "watch-dir-enabled": true
To get an alert when a download is complete:
"script-torrent-done-enabled": true, "script-torrent-done-filename": "/var/transmission/dl-done.sh",
dl-done.sh script looks like this:
#!/bin/sh echo "$(date) : $TR_TORRENT_NAME - Download completed." | mail -s "[transmission] - Download completed : $TR_TORRENT_NAME" toto@example.com
Remember it must be executable:
# chmod +x /var/transmission/dl-done.sh
When you're done configuring, restart transmission:
# rcctl start transmission_daemon
The easiest to display the web interface is to use an SSH tunnel. From your computer, dig a tunnel to the server:
ssh -N -L 9999:127.0.0.1:9091 batman@athome.tld
Now open a browser at http://localhost:9999.
Syncthing is an amazing tool to keep your data on multiple devices.
It is supported on all platforms. Data is encrypted by default. It is really well done 😋.
# pkg_add syncthing
Let it run as a daemon:
# rcctl enable syncthing # rcctl start syncthing
By default, Syncthing configuration is stored in /var/syncthing. You may edit those files to add new shares and configure various options, but it is quite complex. Instead, I suggest to open the UI through a SSH tunnel 😊. From your computer, run:
ssh -N -L 9999:127.0.0.1:8384 batman@athome.tld
Then open a browser to http://localhost:9999.
Now look at official docs.
https://docs.syncthing.net/users/
You will learn what to do if you encounter issues or to run synthing inside a SSH tunnel between clients only.
Tor is software helping protect privacy on the Internet.
It relies on multiple layers onion-like router, that's why this project needs volunteers to run relay nodes.
Tor may need to open lots of connexions, so you'll need to edit /etc/sysctl.conf to increase limits:
kern.maxfiles=20000
Install and enable tor:
# pkg_add tor # rcctl enable tor
Then, make sure you open port 9001.
Then, edit /etc/tor/torrc, with the following lines :
SOCKSPort 0 ORPort 9001 Nickname nick RelayBandwidthRate 75 KB RelayBandwidthBurst 100 KB ContactInfo yourname <adress AT email dot tld> ExitPolicy reject *:* # no exits allowed
Adjust values according to your needs and how much bandwidth you want to allocate.
Finally, restart tor and look at such messages in var/log/messages:
May 12 12:20:41 athome Tor[12059]: Bootstrapped 80%: Connecting to the Tor network May 12 12:20:41 athome Tor[12059]: Bootstrapped 85%: Finishing handshake with first hop May 12 12:20:42 athome Tor[12059]: Bootstrapped 90%: Establishing a Tor circuit May 12 12:20:44 athome Tor[12059]: Tor has successfully opened a circuit. Looks like client functionality is working. May 12 12:20:44 athome Tor[12059]: Bootstrapped 100%: Done May 12 12:20:44 athome Tor[12059]: Now checking whether ORPort 109.190.xxx.xxx:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success) May 12 12:21:10 athome Tor[12059]: Self-testing indicates your ORPort is reachab
Hidden services are availables with ".onion" URL.
⚠ Understand it is strongly discouraged to run a relay AND a hidden service.
It can be very handy, especially when you notice that the onion URL will remain unchanged even if your IP is modified for reasons in the future.
Enable a hidden service in /etc/tor/torrc:
SOCKSPort 0 HiddenServiceDir /var/tor/hidden/ HiddenServicePort 80 localhost:80
Reload Tor with # rcctl restart tor. Two new files are in /var/tor/hidden: hostname and private_key. Find your onion URL in hostname file :
# cat /var/tor/hidden/hostname 5rud2tr7sm3oskw5.onion
KEEP private_key safe and secret.
In the above example, we provide a website (port 80 on localhost). You can add a new section in httpd.conf to serve this URL:
server "5rud2tr7sm3oskw5.onion" {
listen on localhost port 80
root "/htdocs/athome.tld"
directory index index.html
[...]
}
Below are a few suggestions to keep an eye on your server's charge.
cpu0.temp0 51.00 degC acpitz0.temp0 26.80 degC zone temperature
Type q to quit.
Quick look at system load :
$ vmstat procs memory page disks traps cpu r s avm fre flt re pi po fr sr sd0 sd1 int sys cs us sy id 1 274 1500M 1253M 657 0 0 0 0 0 1 4 190 15482 1826 2 1 97
Look at symon/symux/syweb if you wan real-time graphs. It requires PHP.
https://wpd.home.xs4all.nl/symon/
Grafana draw nice graphs too.
Look at monit to get alerts when the load gets over a threshold.
SmokePing is a latency measurement tool.
https://oss.oetiker.ch/smokeping/