Prosody is a light and easy to set up XMPP server.
Here are a few notes to install Prosody on OpenBSD.
# pkg_add prosody
A record :
xmpp.athome.tld
SRV records :
_xmpp-client._tcp.athome.tld. 18000 IN SRV 0 5 5222 xmpp.athome.tld.
_xmpp-server._tcp.athome.tld. 18000 IN SRV 0 5 5269 xmpp.athome.tld.
If you host MUCs :
_xmpp-server._tcp.conference.athome.tld. 18000 IN SRV 0 5 5269 xmpp.athome.tld.
Edit /etc/prosody/prosody.cfg.lua
VirtualHost "athome.tld"
    ssl = {
        certificate = "/etc/prosody/certs/athome.tld.crt";
        key = "/etc/prosody/certs/athome.tld.key";
    }
The certificate and key must be readable by the _prosody user. If you got them with acme-client, install copies in prosody's directory:
install -g _prosody -o _prosody -m 400 /etc/ssl/private/athome.tld.key /etc/prosody/certs/
install -g _prosody -o _prosody -m 400 /etc/ssl/athome.tld.crt /etc/prosody/certs/
Add the previous commands to your periodic task (cron? weekly.local?) so they run again when certificates are renewed, and reload prosody afterwards (prosodyctl reload) so it picks up the new files.
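As an added example (not from this page's author, nor shipped with prosody or acme-client), here is a script that does the periodic job in one go: it copies each key and certificate only when it differs from the installed copy, and reloads prosody once, only if something changed. It assumes acme-client's default locations (/etc/ssl/DOMAIN.crt and /etc/ssl/private/DOMAIN.key), the _prosody user and /usr/local/sbin/prosodyctl as used on this page; all of them can be overridden from the environment.

```sh
#!/bin/sh
# Added example: copy renewed acme-client certificates into prosody's
# directory and reload prosody only when a file actually changed.
# Assumptions (override from the environment): acme-client writes
# /etc/ssl/<domain>.crt and /etc/ssl/private/<domain>.key, prosody runs
# as _prosody and prosodyctl lives in /usr/local/sbin.
set -eu

DOMAINS=${DOMAINS:-athome.tld}
SSL_DIR=${SSL_DIR:-/etc/ssl}
PROSODY_CERTS=${PROSODY_CERTS:-/etc/prosody/certs}
PROSODY_USER=${PROSODY_USER:-_prosody}
PROSODYCTL=${PROSODYCTL:-/usr/local/sbin/prosodyctl}

# install_if_changed SRC DSTDIR [OWNER]
# Install SRC into DSTDIR with mode 400, owned by OWNER:OWNER when given.
# Returns 0 when the file was (re)installed, 1 when it was already current.
install_if_changed() {
    src=$1 dstdir=$2 owner=${3:-}
    dst=$dstdir/$(basename "$src")
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    rm -f "$dst"                 # the old copy is mode 400, replace it cleanly
    install -m 400 "$src" "$dst"
    [ -z "$owner" ] || chown "$owner:$owner" "$dst"
    return 0
}

# renew_prosody_certs
# Install key and certificate of every domain in DOMAINS, then reload
# prosody if at least one file changed.
# Returns 0 when prosody was reloaded, 1 when nothing changed.
renew_prosody_certs() {
    changed=0
    for d in $DOMAINS; do
        for f in "$SSL_DIR/private/$d.key" "$SSL_DIR/$d.crt"; do
            if install_if_changed "$f" "$PROSODY_CERTS" "$PROSODY_USER"; then
                changed=1
            fi
        done
    done
    [ "$changed" -eq 1 ] || return 1
    "$PROSODYCTL" reload
}

# Run the job only when invoked as "sh renew-prosody-certs.sh run",
# so the functions can also be sourced (e.g. for testing).
if [ "${1:-}" = run ]; then
    renew_prosody_certs || echo "certificates unchanged, prosody not reloaded"
fi
```

Call it from /etc/weekly.local (or the cron job that runs acme-client) as "sh /etc/renew-prosody-certs.sh run"; because it compares files before copying, running it more often than the renewal is harmless.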
Add the admin:
# prosodyctl adduser batman@athome.tld
Check everything is all right:
prosodyctl check config
(prosodyctl check without argument also checks the DNS records and the certificates.)
Open 5222 (xmpp-client) and 5269 (xmpp-server).
Edit /etc/newsyslog.conf:
/var/prosody/prosody.log 644 5 300 * Z
/var/prosody/prosody.err 644 5 300 * Z
If you enable http_file_share, make sure you open ports 5280 and 5281 too.
https://prosody.im/doc/modules/mod_http_file_share
Also add the domain used for file sharing to the TLS certificate.
I suggest using SQLite instead of the default plain text internal storage for less CPU usage.
storage = "sql" -- Default is "internal"
sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
Add in /etc/prosody/prosody.cfg.lua:
plugin_server = "https://modules.prosody.im/rocks/"
You can now install/upgrade a module with:
prosodyctl install module_name
Add the following line to /etc/daily.local to know whether a new module version is available:
/usr/local/sbin/prosodyctl list --outdated
See also:
https://prosody.im/doc/installing_modules
Also look at the official instructions 😉
https://prosody.im/doc/configure
While there are hundreds of social networks, with their own policies and ads, instant messaging apps, forums and so on, remember mailing lists are a thing. Mailing lists are the future because:
Here, we'll talk about mlmmj since it performs well on OpenBSD, is easy to set up and secure.
mlmmj website
# pkg_add mlmmj
Make sure a MX record is registered for the domain you'll use for your list.
Use command mlmmj-make-ml and follow instructions.
Below is an example to create list "pizza" on the domain "list.athome.tld", so "pizza@list.athome.tld".
# mlmmj-make-ml
Creating Directorys below /var/spool/mlmmj. Use '-s spooldir' to change

What should the name of the Mailinglist be? [mlmmj-test] : pizza
The Domain for the List? [] : list.athome.tld
The emailaddress of the list owner? [postmaster] : batman@athome.tld

For the list texts you can choose between the following languages or give a absolute path to a directory containing the texts.

Available languages:
ast cs de en fi fr gr it pt sk zh-cn
The path to texts for the list? [en] :

Don't forget to add this to /etc/aliases:
pizza: "|/usr/local/bin/mlmmj-receive -L /var/spool/mlmmj/pizza/"

If you're not starting mlmmj-maintd in daemon mode, don't forget to add this to your crontab:
0 */2 * * * "/usr/local/bin/mlmmj-maintd -F -L /var/spool/mlmmj/pizza/"

** FINAL NOTES **
1) The mailinglist directory have to be owned by the user running the mailserver (i.e. starting the binaries to work the list)
2) Run newaliases
Make sure permissions are correct:
# chown -R _smtpd:_smtpd /var/spool/mlmmj/pizza
Edit root's (or a dedicated user's) crontab (# crontab -e) to add the line given by mlmmj-make-ml. Make sure you remove the suggested double quotes, otherwise cron looks for a single command whose name contains spaces:
0 */2 * * * /usr/local/bin/mlmmj-maintd -F -L /var/spool/mlmmj/pizza
Edit /etc/mail/smtpd.conf so it handles mailing list messages correctly:
table aliases "/etc/mail/aliases"
[...]
action local_mail maildir alias <aliases>
[...]
match from any for domain "list.athome.tld" action local_mail
It is important that the action (local_mail here) handles aliases.
That's why you must edit /etc/mail/aliases to pipe incoming messages to mlmmj for the mailing list:
pizza:"|/usr/local/bin/mlmmj-receive -L /var/spool/mlmmj/pizza/"
Run # newaliases afterwards, or restart smtpd.
You can customize a list by editing the files in /var/spool/mlmmj/pizza/control.
If files don't exist, just create them.
You can filter incoming messages depending on the sender, force plaintext, use custom text in templates, modify headers to keep users privacy and much more.
Look at the official documentation to learn more:
http://mlmmj.org/docs/tunables/
Gemini is a new internet protocol which is heavier than gopher, lighter than the web, will not replace either, strives for maximum power to weight ratio and takes user privacy very seriously.
It is quite an amazing protocol to publish your writings and focus on content first.
There are various servers, but I'd like to give a few pieces of advice to install vger, a gemini server designed for OpenBSD that uses some of its mitigation mechanisms (unveil, pledge...). I also recommend gmid, since it shares the same configuration style as other OpenBSD daemons.
In order to keep vger as simple as possible, Solène, vger's developer, had the brilliant idea to use tools already in the OpenBSD base install: inetd to accept connections and relayd to terminate TLS, as configured below.
Install vger package:
# pkg_add vger
If you read the README, you can learn how to set up a new capsule (a gemini website).
Edit /etc/inetd.conf to set how vger will be run, with the required flags.
127.0.0.1:11965 stream tcp nowait _vger /usr/local/bin/vger vger
By default, vger look for requested files in /var/gemini.
You can add flags according to the manual. As an example, if you want to serve multiple capsules, each one stored in a directory named after the requested domain name under /var/gemini (/var/gemini/athome.tld, /var/gemini/other.tld, ...), use -v, and enable auto index with -i:
# serve files in /var/gemini/domain
localhost:11965 stream tcp6 nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
localhost:11965 stream tcp nowait _vger /usr/local/bin/vger vger -v -d /var/gemini/ -i
Pay attention to the lines above. inetd listens on localhost port 11965 and hands each incoming connection to vger running as the unprivileged user _vger, so a bug in vger gives an attacker nothing more than that user has. The second line, with tcp6, serves IPv6. For that to work, /etc/hosts must resolve localhost to the local IPv6 address as well:
127.0.0.1 localhost
::1 localhost
Then, you can add a new part to relayd in /etc/relayd.conf (the keypair name refers to /etc/ssl/chezmoi.tld.crt and /etc/ssl/private/chezmoi.tld.key):
ext_ip4 = "192.0.2.2"
ext_ip6 = "2001:db8::2"

log connection

tcp protocol "gemini" {
    tls keypair chezmoi.tld
}

relay "gemini" {
    listen on $ext_ip4 port 1965 tls
    protocol "gemini"
    forward to localhost port 11965
}

relay "gemini6" {
    listen on $ext_ip6 port 1965 tls
    protocol "gemini"
    forward to localhost port 11965
}
A few words on what happens when someone reaches your capsule: relayd accepts the TLS connection on port 1965, decrypts it and forwards plain text to inetd on localhost port 11965, which runs vger.
          1965              11965
Visitor --------> relayd --------> inetd ---> vger
Finally, enable and reload daemons :
# rcctl enable inetd relayd
# rcctl start inetd relayd
Don't forget to open 1965/TCP in /etc/pf.conf
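As an added example (not part of vger, gmid or relayd), here is a minimal Gemini client built on openssl(1), which is in OpenBSD base, so you can verify from another machine that the whole chain answers. It assumes the capsule gemini://athome.tld/ and the relay address 192.0.2.2 from the relayd.conf above; both are arguments. A working setup answers status 20 with a text/gemini meta; a 5x status or no header at all points at vger (wrong -d directory, missing index) or at relayd/inetd.

```sh
#!/bin/sh
# Added example: a tiny Gemini client to check the relayd -> inetd -> vger
# chain from the outside. Not part of vger, gmid or relayd; it only needs
# openssl(1). On the wire Gemini is just:
#   client: "gemini://host/path\r\n" over TLS (SNI set to host)
#   server: "<two-digit status> <meta>\r\n" then, for 2x, the body
set -eu

CR=$(printf '\r')

# gemini_parse_header LINE
# Validate a response header and print "STATUS<TAB>META".
# Returns 1 if the line is not a valid Gemini header.
gemini_parse_header() {
    hdr=${1%"$CR"}                 # tolerate a trailing CR left by head(1)
    status=${hdr%% *}
    case $status in
        [1-6][0-9]) ;;             # 1x input, 2x success, 3x redirect,
        *) return 1 ;;             # 4x/5x errors, 6x client certificate
    esac
    if [ "$status" = "$hdr" ]; then
        meta=""                    # no meta at all
    else
        meta=${hdr#* }
    fi
    printf '%s\t%s\n' "$status" "$meta"
}

# gemini_status URL [HOST:PORT]
# Send URL to the server and print the parsed header. Connecting to an
# explicit HOST:PORT lets you hit the relay's public address while keeping
# the virtual host (what vger -v looks at) in the requested URL.
# Returns 1 when no valid header came back.
gemini_status() {
    url=$1
    host=${url#gemini://}; host=${host%%/*}; host=${host%%:*}
    target=${2:-$host:1965}
    line=$(printf '%s\r\n' "$url" \
        | openssl s_client -quiet -connect "$target" -servername "$host" 2>/dev/null \
        | head -n 1) || true
    gemini_parse_header "$line"
}

# Usage: sh gemini-check.sh gemini://athome.tld/ [192.0.2.2:1965]
if [ "${1:-}" ]; then
    gemini_status "$1" "${2:-}"
fi
```

Gemini clients usually pin server certificates on first use rather than validating a chain, which is why this check does not ask openssl to verify the certificate; what you are testing here is that relayd presents a certificate and that vger answers behind it.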
To go further, see following links:
Gemini official website
vger security analysis
https://dataswamp.org/%7Esolene/2021-01-14-vger-security.html
vger source code
https://tildegit.org/solene/vger
gmid, also written by an OpenBSD developer (Omar Polo), has an httpd-like configuration syntax.
After installing gmid, look at man gmid.conf, it is very well explained and has examples at the end.
# pkg_add gmid
# rcctl enable gmid
# vi /etc/gmid.conf
# gmid -n
# rcctl start gmid
Below is the gmid.conf I use, with a chroot, a self-signed certificate and a Tor onion service; the onion server only listens on localhost port 11966, where Tor forwards the hidden service traffic:
user "_gmid"
chroot "/var/gemini"

log style combined

types {
    include "/usr/share/misc/mime.types"
}

server "si3t.ch" {
    listen on * port 1965
    cert "/etc/ssl/si3t.ch-self.crt"
    key "/etc/ssl/private/si3t.ch-self.key"
    root "si3t.ch"
    lang fr
    auto index on
}

server "b2khgkvb2wn4avjshjp63kknsjwikgwff5dwwydldia6qwf4kdnueyad.onion" {
    listen on localhost port 11966
    cert "/etc/ssl/si3t.ch-self.crt"
    key "/etc/ssl/private/si3t.ch-self.key"
    root "si3t.ch"
    lang fr
    auto index on
}
The Gopher protocol is the precursor of the now ubiquitous HTTP. However, some still use it to transfer files and serve mostly text content.
You'll have to open port 70.
Put the files you want to serve in /var/gopher; they will be available on gopher://athome.tld.
The geomyidae server is written in C by one of the suckless developers.
http://r-36.net/scm/geomyidae/file/README.html
To install it:
# pkg_add geomyidae
# rcctl enable geomyidae
# rcctl start geomyidae
That's it, now fill /var/gopher 😊.
However, I strongly recommend reading the geomyidae manpage to adjust the default flags. As an example, you may want something like this:
# rcctl set geomyidae flags -c -e -h athome.tld -b /var/gopher/athome.tld -t /etc/ssl/private/athome.tld.key /etc/ssl/athome.tld.crt
Logs are in /var/log/geomyidae.log.
See also gophernicus server (gopher://gophernicus.org/) which can be unveiled under OpenBSD.
rtorrent is a light and efficient torrent client.
https://github.com/rakshasa/rtorrent/wiki/
Its text-based interface is nice if you don't want to bother with a webapp and would rather remote control your seedbox over SSH.
# pkg_add rtorrent
Add a dedicated user _rtorrent for privilege separation. Now log in as _rtorrent:
# su _rtorrent
Create required directories:
$ mkdir -p seedbox/{download,session,torrents}
Now create ~/.rtorrent.rc from the example:
$ cp /usr/local/share/examples/rtorrent/rtorrent.rc ~/.rtorrent.rc
Edit that file.
# Global upload and download rate in KiB. "0" for unlimited.
download_rate = 0
upload_rate = 20

directory = ~/seedbox/download
session = ~/seedbox/session

# When a torrent file is copied in torrents dir, it's added to rtorrent
schedule = watch_directory,5,5,load_start=~/seedbox/torrents/*.torrent
schedule = untied_directory,5,5,stop_untied=~/seedbox/torrents/*.torrent

check_hash = yes
use_udp_trackers = yes
encryption = allow_incoming,try_outgoing,enable_retry
dht = auto
peer_exchange = yes

# Run script to get alerts when download finish
system.method.set_key = event.download.finished,notify_me,"execute=~/.rtorrent_mail.sh,$d.get_name="

# add dht node so magnets works fine
schedule2 = dht_node_1, 5, 0, "dht.add_node=router.utorrent.com:6881"
schedule2 = dht_node_2, 5, 0, "dht.add_node=dht.transmissionbt.com:6881"
schedule2 = dht_node_3, 5, 0, "dht.add_node=router.bitcomet.com:6881"
schedule2 = dht_node_4, 5, 0, "dht.add_node=dht.aelitis.com:6881"
Fill the script ~/.rtorrent_mail.sh to get alerts when a download is complete, and make it executable (chmod +x) since rtorrent runs it through execute=:
#!/bin/sh
# $1 is the torrent name passed by rtorrent ($d.get_name= in .rtorrent.rc)
echo "$(date) : $1 - Download completed." | mail -s "[rtorrent] - Download completed : $1" root
To add a new torrent file, you may use scp:
$ scp *.torrent _rtorrent@chezmoi.tld:/home/_rtorrent/seedbox/torrents/
To have rtorrent automatically started at boot, edit _rtorrent user's crontab and add :
@reboot /usr/bin/tmux new -s rtorrent -d /usr/local/bin/rtorrent
We use tmux to put rtorrent in the background.
If you need to display rtorrent, log in as _rtorrent with ssh and run tmux a -t rtorrent. Press ctrl-b then "d" to detach. To add a magnet link, press "backspace" and paste the link.
When in doubt:
$ rtorrent -h
Transmission works very well and offer a web interface.
https://www.transmissionbt.com/
# pkg_add transmission
We start and stop the daemon once so it creates its configuration file, which we can then edit.
# rcctl enable transmission_daemon
# rcctl start transmission_daemon
# rcctl stop transmission_daemon
Create directories to download files and store .torrent files:
# mkdir -p /var/transmission/{downloads,incomplete,torrents}
# chown -R _transmission:_transmission /var/transmission
If others can see the above directories:
# chmod a+rX /var/transmission
Now edit this file to configure transmission:
/var/transmission/.config/transmission-daemon/settings.json
You may set:
    "download-dir": "/var/transmission/downloads",
    "encryption": 2,
    "incomplete-dir": "/var/transmission/incomplete",
    "incomplete-dir-enabled": true,
    "peer-port-random-on-start": true,
("encryption": 2 requires encrypted peer connections; 1 only prefers them and 0 also accepts unencrypted peers.)
I suggest adding the following lines to automatically start downloading torrents you copied (with SFTP for example) into /var/transmission/torrents:
    "watch-dir": "/var/transmission/torrents",
    "watch-dir-enabled": true,
To get an alert when a download is complete:
    "script-torrent-done-enabled": true,
    "script-torrent-done-filename": "/var/transmission/dl-done.sh",
dl-done.sh script looks like this:
#!/bin/sh
# Transmission exports the torrent name in TR_TORRENT_NAME when running this script
echo "$(date) : $TR_TORRENT_NAME - Download completed." | mail -s "[transmission] - Download completed : $TR_TORRENT_NAME" toto@example.com
Remember it must be executable:
# chmod +x /var/transmission/dl-done.sh
When you're done configuring, restart transmission:
# rcctl start transmission_daemon
The easiest way to display the web interface is through an SSH tunnel, which keeps the RPC port off the Internet. From your computer, open a tunnel to the server:
ssh -N -L 9999:127.0.0.1:9091 batman@athome.tld
Now open a browser at http://localhost:9999.
Since the interface is only reached through the tunnel, keep the RPC listener restricted in settings.json ("rpc-bind-address": "127.0.0.1", and leave "rpc-whitelist-enabled" on).
Syncthing is an amazing tool to keep your data on multiple devices.
It is supported on all platforms. Data is encrypted by default. It is really well done 😋.
# pkg_add syncthing
Let it run as a daemon:
# rcctl enable syncthing
# rcctl start syncthing
By default, Syncthing configuration is stored in /var/syncthing. You may edit those files to add new shares and configure various options, but it is quite complex. Instead, I suggest to open the UI through a SSH tunnel 😊. From your computer, run:
ssh -N -L 9999:127.0.0.1:8384 batman@athome.tld
Then open a browser to http://localhost:9999.
Now look at official docs.
https://docs.syncthing.net/users/
You will learn what to do if you encounter issues, or how to run Syncthing inside an SSH tunnel between clients only.
Tor is software that helps protect privacy on the Internet.
It routes traffic through several relays, wrapped in layers of encryption like an onion; that's why the project needs volunteers to run relay nodes.
Tor may need to open lots of connections, so edit /etc/sysctl.conf to raise the limit:
kern.maxfiles=20000
Install and enable tor:
# pkg_add tor
# rcctl enable tor
Then, make sure you open port 9001.
Then, edit /etc/tor/torrc, with the following lines :
SOCKSPort 0
ORPort 9001
Nickname nick
RelayBandwidthRate 75 KB
RelayBandwidthBurst 100 KB
ContactInfo yourname <adress AT email dot tld>
ExitPolicy reject *:* # no exits allowed
Adjust values according to your needs and how much bandwidth you want to allocate.
Finally, restart tor and look for messages like these in /var/log/messages:
May 12 12:20:41 athome Tor[12059]: Bootstrapped 80%: Connecting to the Tor network
May 12 12:20:41 athome Tor[12059]: Bootstrapped 85%: Finishing handshake with first hop
May 12 12:20:42 athome Tor[12059]: Bootstrapped 90%: Establishing a Tor circuit
May 12 12:20:44 athome Tor[12059]: Tor has successfully opened a circuit. Looks like client functionality is working.
May 12 12:20:44 athome Tor[12059]: Bootstrapped 100%: Done
May 12 12:20:44 athome Tor[12059]: Now checking whether ORPort 109.190.xxx.xxx:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
May 12 12:21:10 athome Tor[12059]: Self-testing indicates your ORPort is reachab
Hidden services are available through ".onion" URLs.
⚠ Understand it is strongly discouraged to run a relay AND a hidden service on the same machine.
It can be very handy, especially since the onion URL stays the same even if your IP address changes for whatever reason in the future.
Enable a hidden service in /etc/tor/torrc:
SOCKSPort 0
HiddenServiceDir /var/tor/hidden/
HiddenServicePort 80 localhost:80
Reload Tor with # rcctl restart tor. New files appear in /var/tor/hidden: hostname and the private key (private_key for the old v2 service shown in this example; current Tor versions only create v3 services, whose addresses are 56 characters long and whose keys are hs_ed25519_secret_key and hs_ed25519_public_key). Find your onion URL in the hostname file:
# cat /var/tor/hidden/hostname
5rud2tr7sm3oskw5.onion
KEEP the private key safe and secret: whoever holds it can impersonate your onion service.
In the above example, we provide a website (port 80 on localhost). You can add a new section in httpd.conf to serve this URL:
server "5rud2tr7sm3oskw5.onion" {
    listen on localhost port 80
    root "/htdocs/athome.tld"
    directory index index.html
    [...]
}
Below are a few suggestions to keep an eye on your server's load.
Temperatures and other sensors are shown in the sensors view of systat (type q to quit):
cpu0.temp0        51.00 degC
acpitz0.temp0     26.80 degC    zone temperature
Quick look at system load :
$ vmstat
 procs    memory       page                    disks    traps          cpu
 r   s   avm     fre  flt  re  pi  po  fr  sr sd0 sd1  int   sys   cs us sy id
 1 274 1500M 1253M  657   0   0   0   0   0   1   4  190 15482 1826  2  1 97
Look at symon/symux/syweb if you want real-time graphs. It requires PHP.
https://wpd.home.xs4all.nl/symon/
Grafana draws nice graphs too.
Look at monit to get alerts when the load gets over a threshold.
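As an added example (not monit, and not this page author's code), here is a small watchdog that turns the two outputs above into alerts: it parses vmstat(8) and sysctl(8) hw.sensors output and mails root when the CPU idle percentage drops under a threshold or a temperature sensor goes above one. The thresholds, the use of mail(1) to root and the cron interval are assumptions; the sample lines it is checked against are constructed from the vmstat output shown above.

```sh
#!/bin/sh
# Added example (not monit): read vmstat(8) and sysctl(8) hw.sensors output
# and mail root when the CPU is busier or hotter than you like.
# Run it from cron, e.g. every 10 minutes: */10 * * * * sh /etc/loadwatch.sh run
# Thresholds are assumptions, override them from the environment.
set -eu

MIN_IDLE=${MIN_IDLE:-20}        # alert when CPU idle % drops under this
MAX_TEMP=${MAX_TEMP:-70}        # alert when a degC sensor goes above this

# cpu_idle VMSTAT_OUTPUT
# Print the idle column ("id", last field) of the last sample line.
# vmstat prints two header lines first, so skip them.
cpu_idle() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { v = $NF } END { print v }'
}

# check_idle VMSTAT_OUTPUT MIN_IDLE
# Returns 0 when idle >= MIN_IDLE, 1 when the machine is too busy.
check_idle() {
    idle=$(cpu_idle "$1")
    [ "$idle" -ge "$2" ]
}

# hot_sensors SYSCTL_OUTPUT MAX_TEMP
# From "hw.sensors.cpu0.temp0=51.00 degC" style lines, print
# "sensor value" for every temperature above MAX_TEMP; other units
# (RPM, VDC, ...) are ignored.
# Returns 0 when at least one sensor is too hot, 1 otherwise.
hot_sensors() {
    printf '%s\n' "$1" | awk -v max="$2" -F'[= ]' '
        $3 == "degC" && $2 + 0 > max + 0 { print $1, $2; hot = 1 }
        END { exit hot ? 0 : 1 }'
}

# alert SUBJECT BODY: mail root, like the rtorrent/transmission scripts do.
alert() {
    printf '%s\n' "$2" | mail -s "[$(hostname)] $1" root
}

if [ "${1:-}" = run ]; then
    # "vmstat 5 2": the first sample is the average since boot, the second
    # covers the last 5 seconds, so the last line is the one we want.
    vm=$(vmstat 5 2)
    check_idle "$vm" "$MIN_IDLE" \
        || alert "CPU idle at $(cpu_idle "$vm")%" "$vm"
    sensors=$(sysctl hw.sensors 2>/dev/null || true)
    if hot=$(hot_sensors "$sensors" "$MAX_TEMP"); then
        alert "temperature above ${MAX_TEMP} degC" "$hot"
    fi
fi
```

The functions only read the text they are given, so they can be tried on saved output before the script is put in cron; monit does the same kind of thresholding with a daemon and a richer alert configuration.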
SmokePing is a latency measurement tool.
https://oss.oetiker.ch/smokeping/