~m15o/ichi
https://git.sr.ht/~m15o/ichi

#ICHI

Ichi is a tiny internet community where people can create their homepages for free. These pages are listed on Ichi's index, allowing everyone to explore, discover, and engage with one another.

This doc shows how to install ichi on a Debian 10 machine.

I like using mg as my editor, so here's how to install it:

```
apt-get update
apt-get install mg
```

Before getting started, let's install a firewall to protect the machine:

```
apt-get install ufw
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
```

We will do the following:

  1. Set up the SFTP server
  2. Set up the web service

#Set up the SFTP server

We will:

  1. Set up disk quota
  2. Create a group for sftp users
  3. Set up a root folder for sftp users
  4. Update ssh config
  5. Copy newuser.sh script
  6. Test

#Set up disk quota

```
apt-get install quota
```

Add `usrquota,grpquota` to the mount options of the root filesystem in /etc/fstab:

```
mg /etc/fstab
```

Remount the root filesystem, build the quota files and turn quotas on:

```
mount -o remount /
quotacheck -ugm /
quotaon -v /
```

#Create a group for sftp users

```
groupadd ftpaccess
```

#Set up a root folder for sftp users

```
mkdir /var/ichi
```

#Update ssh config

Add the following lines at the end of /etc/ssh/sshd_config. Debian's default config already contains a `Subsystem sftp` line: replace it rather than adding a second one, because sshd refuses to start with a duplicate Subsystem definition.

```
# override default of no subsystems
Subsystem       sftp    internal-sftp

Match group ftpaccess
ChrootDirectory /var/ichi/
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d %u
```

Restart the ssh service:

```
systemctl restart sshd
```

#Copy newuser.sh script

Add the following to /root/newuser.sh:

```bash
#!/bin/bash
# newuser.sh name password group sites-directory
# Creates an sftp-only account with a 10 MB quota and its site folder.

set -e
[ $# -eq 4 ] || { echo "usage: $0 name password group sites-directory" >&2; exit 1; }

useradd -r -s /sbin/nologin -g ftpaccess "$1"
setquota -u "$1" 10M 10M 0 0 /
echo "$1:$2" | chpasswd
# "${4%/}/$1" joins the two correctly whether or not the directory argument ends in a slash
mkdir "${4%/}/$1"
chown "$1:$3" "${4%/}/$1"
```

Make it executable:

```
chmod +x /root/newuser.sh
```

#Test

Create a user "foo":

```
/root/newuser.sh foo foo ftpaccess /var/ichi/
```

Try to connect to sftp with foo:foo and validate that you can upload. You shouldn't be able to upload more than 10MB.

Delete the test user:

```
userdel foo
```

#Set up web service

We will:

  1. Install postgres
  2. Install inotify-tools
  3. Create assets folder
  4. Copy executable
  5. Copy file management scripts
  6. Create, enable and start service

#Install postgresql

```
apt-get install postgresql
su - postgres
createuser -P ichi
createdb -O ichi ichi
```

Save the password: the service's DATABASE_URL needs it.

#Install inotify-tools

```
apt-get install inotify-tools
```

#Create assets folder

```
mkdir /var/assets/
```

#Copy executable

Copy the ichi binary to /usr/local/bin.

#Copy file management scripts

The web interface allows users to manage their files; it does so by calling the scripts below. Copy them to /root (or elsewhere, and adjust the paths in the service file). The scripts are:

#checkpwd

Used for logging in

```bash
#!/bin/bash
# checkpwd "name" "password"
# Exits 0 when the password matches the user's entry in /etc/shadow, 1 otherwise.

[ $# -eq 2 ] || exit 1

# Exact match on the user field; a plain grep would also match "foobar" for "foo".
hash=$(awk -F: -v u="$1" '$1 == u { print $2; exit }' /etc/shadow)
[ -n "$hash" ] || exit 1

# The stored hash is $6$<salt>$<digest>; crypt() needs everything up to and
# including the last "$" (this also keeps an optional rounds= field intact).
salt="${hash%\$*}\$"

# Hand the password to perl through the environment rather than interpolating
# it into the -e string, so quotes in a password cannot break the command.
res=$(PW="$2" SALT="$salt" perl -e 'print crypt($ENV{PW}, $ENV{SALT})')

if [[ "$hash" == "$res" ]]; then
    exit 0
else
    exit 1
fi
```
#write

Used to write or update a file

```bash
#!/bin/bash
# write user path   (the file content arrives on stdin)
# Writes stdin to path as the given user; removes the partial file on failure
# (for example when the user's quota is exceeded).

[ $# -eq 2 ] || exit 1

# printf %q quotes the path so shell metacharacters in it cannot alter the command.
if ! su -s /bin/bash -c "tee -- $(printf '%q' "$2") >/dev/null" "$1"; then
	rm -f -- "$2"
	exit 1
fi
```
#writeFolder

Used to create folders

```bash
#!/bin/bash
# writeFolder user path
# Creates the folder as the given user, so the user's permissions and quota apply.

[ $# -eq 2 ] || exit 1
su -s /bin/bash -c "mkdir -- $(printf '%q' "$2")" "$1"
```
#checkquota

Used to check a user's disk quota

```bash
#!/bin/bash
# checkquota user
# Prints the quota line of the root disk; "sda" is the device name on the
# machine this doc was written for, adjust it if yours differs.

[ $# -eq 1 ] || exit 1
quota -vs "$1" | grep sda
```
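The three scripts above take the target path from the web service and run the operation as the site user, so ordinary file permissions and the quota do the enforcement. A cheap extra layer is to have the script itself refuse any path that does not resolve inside /var/ichi/<user>, which protects against a bug in the caller and against a symlink inside the site directory pointing elsewhere. The following is an added example written for this doc, not one of ichi's scripts: `safe_write` and `safe_mkdir` wrap the same `su ... tee` and `su ... mkdir` calls as `write` and `writeFolder`, and the SITES_DIRECTORY default of /var/ichi is an assumption taken from the service file.

```shell
#!/bin/bash
# Added example, not one of the ichi scripts: a containment check for the
# paths handed to "write" and "writeFolder". Assumes the layout used here,
# /var/ichi/<user>/... (SITES_DIRECTORY may override the root).

# canon PATH: physical path of PATH's parent directory plus PATH's basename.
# Fails for a parent that does not exist and for a "." or ".." last component.
canon() {
    local d b
    b=$(basename "$1")
    case "$b" in .|..) return 1 ;; esac
    d=$(cd -P "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$b"
}

# path_within ROOT USER PATH: succeed only if PATH resolves to a location
# under ROOT/USER; a symlink as the final component is refused outright.
path_within() {
    local base target
    [ -L "$3" ] && return 1
    base=$(cd -P "$1/$2" 2>/dev/null && pwd -P) || return 1
    target=$(canon "$3") || return 1
    case "$target" in
        "$base"/*) return 0 ;;
    esac
    return 1
}

# safe_write USER PATH (content on stdin): the "write" script with the check in front.
safe_write() {
    path_within "${SITES_DIRECTORY:-/var/ichi}" "$1" "$2" ||
        { echo "refusing path outside the site of $1: $2" >&2; return 1; }
    if ! su -s /bin/bash -c "tee -- $(printf '%q' "$2") >/dev/null" "$1"; then
        rm -f -- "$2"
        return 1
    fi
}

# safe_mkdir USER PATH: the "writeFolder" script with the same check.
safe_mkdir() {
    path_within "${SITES_DIRECTORY:-/var/ichi}" "$1" "$2" ||
        { echo "refusing path outside the site of $1: $2" >&2; return 1; }
    su -s /bin/bash -c "mkdir -- $(printf '%q' "$2")" "$1"
}
```

`path_within` resolves the parent directory physically (`cd -P`), so a symlinked directory anywhere in the path lands on its real location and is compared against the real location of the site root; a file that does not exist yet is allowed as long as its parent is inside the site.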

#Create, enable and start service

Add the following file as /etc/systemd/system/ichi.service. The values shown are examples: replace the database password (`test`), SESSION_KEY, HOST and the certificate paths with your own.

```
[Unit]
Description=ichi
# the service needs the database, so start it after postgresql
After=network.target postgresql.service

[Service]
Environment="ENV=PROD"
Environment="DATABASE_URL=postgres://ichi:test@localhost/ichi?sslmode=disable"
Environment="HOST=ichi.city"
Environment="SESSION_KEY=sdfjlkwj23209jfks2"
Environment="SITES_DIRECTORY=/var/ichi/"
Environment="NEW_USER_SCRIPT=/root/newuser.sh"
Environment="GROUP=ftpaccess"
Environment="ASSETS_DIR=/var/assets/"
Environment="CERT_FILE=/etc/letsencrypt/live/ichi.city/fullchain.pem"
Environment="KEY_FILE=/etc/letsencrypt/live/ichi.city/privkey.pem"
Environment="NEW_FILE_SCRIPT=/root/write"
Environment="CHECK_PWD_SCRIPT=/root/checkpwd"
Environment="NEW_FOLDER_SCRIPT=/root/writeFolder"
Environment="QUOTA_SCRIPT=/root/checkquota"
ExecStart=/usr/local/bin/ichi

[Install]
WantedBy=multi-user.target
```

Start the web service:

```
systemctl daemon-reload
systemctl enable ichi
systemctl start ichi
```
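Unit files under /etc/systemd/system are readable by every local account, and the file above carries the database password and SESSION_KEY inline. systemd's `EnvironmentFile=` directive lets those two live in a root-only file instead. The script below is an added example for this doc, not part of ichi; it assumes /etc/ichi/ichi.env as the location of the secrets, writes the same [Service] settings as above with the two secret lines replaced, and assumes that a 64-character random hex string is acceptable as SESSION_KEY.

```shell
#!/bin/bash
# Added example, not part of the ichi repo: keep the database password and
# SESSION_KEY in a root-only file instead of the unit file, which every local
# account can read. Assumed locations: /etc/ichi/ichi.env for the secrets and
# /etc/systemd/system/ichi.service for the unit.
set -e

# random_hex NBYTES: NBYTES from /dev/urandom as hex, used for a fresh SESSION_KEY.
random_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_env_file DIR DBPASS: create DIR/ichi.env with mode 0600 and print its
# permission string (expected "-rw-------").
write_env_file() {
    local f="$1/ichi.env"
    mkdir -p "$1"
    ( umask 077
      printf 'DATABASE_URL=postgres://ichi:%s@localhost/ichi?sslmode=disable\n' "$2" > "$f"
      printf 'SESSION_KEY=%s\n' "$(random_hex 32)" >> "$f" )
    chmod 600 "$f"   # also tightens a file that already existed with a wider mode
    ls -l "$f" | cut -c1-10
}

# write_unit_file PATH: the unit from this doc with the two secret Environment=
# lines replaced by EnvironmentFile=; prints the path written.
write_unit_file() {
    cat > "$1" <<'EOF'
[Unit]
Description=ichi
After=network.target postgresql.service

[Service]
EnvironmentFile=/etc/ichi/ichi.env
Environment="ENV=PROD"
Environment="HOST=ichi.city"
Environment="SITES_DIRECTORY=/var/ichi/"
Environment="NEW_USER_SCRIPT=/root/newuser.sh"
Environment="GROUP=ftpaccess"
Environment="ASSETS_DIR=/var/assets/"
Environment="CERT_FILE=/etc/letsencrypt/live/ichi.city/fullchain.pem"
Environment="KEY_FILE=/etc/letsencrypt/live/ichi.city/privkey.pem"
Environment="NEW_FILE_SCRIPT=/root/write"
Environment="CHECK_PWD_SCRIPT=/root/checkpwd"
Environment="NEW_FOLDER_SCRIPT=/root/writeFolder"
Environment="QUOTA_SCRIPT=/root/checkquota"
ExecStart=/usr/local/bin/ichi

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$1"
}

# Write the real files only when asked to (needs root):
#   ./ichi-secrets.sh install <db-password>
if [ "$1" = install ]; then
    write_env_file /etc/ichi "$2" >/dev/null
    write_unit_file /etc/systemd/system/ichi.service >/dev/null
    systemctl daemon-reload
fi
```

After `./ichi-secrets.sh install <db-password>` run `systemctl restart ichi`. The host name and certificate paths in the generated unit are still the example values from this doc and need the same replacement as before.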

#Administration

The following scripts are useful for administering the instance. Create a /root/admin folder and add them to it.

#change-name.sh

```bash
#!/bin/bash
# change-name current-name new-name
# Renames the system user, its site folder and its rows in the homepages table.

set -e
[ $# -eq 2 ] || { echo "usage: $0 current-name new-name" >&2; exit 1; }

# end the user's open sftp sessions before renaming (pkill fails when there are none)
pkill -u "$1" -9 || true

usermod -l "$2" "$1"
mv "/var/ichi/$1" "/var/ichi/$2"
# psql variables (:'old', :'new') quote the names as SQL literals
runuser -u postgres -- psql -v old="$1" -v new="$2" ichi <<'EOF'
update homepages set author = :'new' where author = :'old';
EOF
```

#delete-user.sh

```bash
#!/bin/bash
# Delete the user from ichi
# ./delete-user.sh user

if [ -z "$1" ]
then
	echo "provide username"
	exit 1
fi

# end open sessions, remove the account, keep a copy of the site under /tmp/ichi
pkill -u "$1" -9
userdel "$1"
cp -r "/var/ichi/$1" /tmp/ichi
rm -rf "/var/ichi/$1"
# the psql variable :'who' quotes the name as a SQL literal
runuser -u postgres -- psql -v who="$1" ichi <<'EOF'
delete from homepages where author = :'who';
EOF
```