diff --git a/docs/setup/conf/caddy/Caddyfile.speechsample b/docs/setup/conf/caddy/Caddyfile.speechsample
new file mode 100644
index 00000000..a413080c
--- /dev/null
+++ b/docs/setup/conf/caddy/Caddyfile.speechsample
@@ -0,0 +1,9 @@
+# Replace {{EXAMPLE.COM}} with 'yourdomain.com', omitting quotes
+
+www.{{EXAMPLE.COM}} {
+ redir https://{{EXAMPLE.COM}}
+}
+
+{{EXAMPLE.COM}} {
+ proxy / localhost:3000
+}
diff --git a/docs/setup/conf/caddy/caddy.service b/docs/setup/conf/caddy/caddy.service
new file mode 100644
index 00000000..47f4bc5f
--- /dev/null
+++ b/docs/setup/conf/caddy/caddy.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+
+[Service]
+User=www-data
+Group=www-data
+Environment=CADDYPATH=/opt/caddy/store
+ExecStart=/usr/local/bin/caddy -agree=true -log=/opt/caddy/logs/caddy.log -conf=/opt/caddy/Caddyfile -root=/dev/null
+ExecReload=/bin/kill -USR1 $MAINPID
+LimitNOFILE=1048576
+LimitNPROC=64
+
+[Install]
+WantedBy=multi-user.target
diff --git a/docs/setup/conf/nginx/letsencrypt.conf b/docs/setup/conf/nginx/letsencrypt.conf
new file mode 100644
index 00000000..e3e7a5b7
--- /dev/null
+++ b/docs/setup/conf/nginx/letsencrypt.conf
@@ -0,0 +1,8 @@
+#/etc/nginx/snippets/letsencrypt.conf
+
+location ^~ /.well-known/acme-challenge/ {
+ allow all;
+ root /var/lib/letsencrypt/;
+ default_type "text/plain";
+ try_files $uri =404;
+}
diff --git a/docs/setup/conf/nginx/myspeech b/docs/setup/conf/nginx/myspeech
new file mode 100644
index 00000000..a8af8a2e
--- /dev/null
+++ b/docs/setup/conf/nginx/myspeech
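Review bot: The `www` vhost's `redir https://{{EXAMPLE.COM}}` sends every request to the bare site root, so `www.example.com/some/path` loses its path and query string, while the nginx equivalent in this same change keeps `$request_uri`; `redir https://{{EXAMPLE.COM}}{uri}` keeps both. The `proxy / localhost:3000` line forwards without the `transparent` preset, so unlike the nginx site, which sets `X-Real-IP`, `X-Forwarded-Proto` and `Host`, the app presumably cannot tell the client IP or that the original request was HTTPS; `proxy / localhost:3000 { transparent }` is the matching form if spee.ch reads those headers. This file uses Caddy v1 directives (`proxy`, and the `-agree`/`-conf` flags in the unit), which Caddy 2 rejects, so the leading comment should say `# Caddy v1 syntax; the flags in caddy.service match this version`.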
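Review bot: The unit binds ports 80/443 as `www-data` but grants no capability of its own, so it depends on the `setcap cap_net_bind_service=+ep` the guide applies to `/usr/local/bin/caddy`, which is silently lost the next time the binary is replaced by `curl getcaddy.com | bash`; `AmbientCapabilities=CAP_NET_BIND_SERVICE` in `[Service]` survives upgrades. There is also no `After=network-online.target` ordering and no `Restart=` policy, so a crash of the only TLS terminator stays down until someone notices. Since the process only needs to write under `/opt/caddy`, the usual sandboxing directives can be added at the same time; note that `NoNewPrivileges=true` makes the kernel ignore file capabilities, so it must be paired with the ambient capability rather than the `setcap` approach. `-agree=true` is given without `-email=`, so it is worth confirming what this Caddy version does for ACME account registration when no address is configured in the Caddyfile either.
```ini
[Unit]
Description=Caddy HTTP/2 web server
After=network-online.target
Wants=network-online.target

[Service]
# … unchanged: User/Group/Environment/ExecStart/ExecReload/Limit* …
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=on-failure
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ReadWriteDirectories=/opt/caddy
```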
@@ -0,0 +1,51 @@
+#/etc/nginx/sites-available/myspeech
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{DOMAIN_NAME}} {{WWW_DOMAIN_NAME}}
+ include snippets/letsencrypt.conf;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name {{WWW_DOMAIN_NAME}};
+ ssl_certificate /etc/letsencrypt/live/{{DOMAIN_NAME}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{DOMAIN_NAME}}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{DOMAIN_NAME}}/chain.pem;
+ include snippets/ssl.conf;
+ include snippets/letsencrypt.conf;
+
+ access_log /var/log/nginx/www-myspeech.access.log;
+ error_log /var/log/nginx/www-myspeech.error.log;
+
+ return 301 https://{{DOMAIN_NAME}}$request_uri;
+}
+
+server {
+ #YOUR SITE HERE
+ listen 443 ssl http2;
+ server_name {{DOMAIN_NAME}};
+
+ ssl_certificate /etc/letsencrypt/live/{{DOMAIN_NAME}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{DOMAIN_NAME}}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{DOMAIN_NAME}}/chain.pem;
+ include snippets/ssl.conf;
+ include snippets/letsencrypt.conf;
+
+ access_log /var/log/nginx/myspeech.access.log;
+ error_log /var/log/nginx/myspeech.error.log;
+
+ location / {
+ proxy_read_timeout 5m;
+ proxy_pass http://localhost:3000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header Host $host;
+ proxy_pass_header Server;
+ }
+}
diff --git a/docs/setup/conf/nginx/ssl.conf b/docs/setup/conf/nginx/ssl.conf
new file mode 100644
index 00000000..9f5f9607
--- /dev/null
+++ b/docs/setup/conf/nginx/ssl.conf
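Review bot: The `server_name {{DOMAIN_NAME}} {{WWW_DOMAIN_NAME}}` line in the port-80 block has no trailing semicolon, so `nginx -t` rejects the file before it can ever be enabled; it should read `server_name {{DOMAIN_NAME}} {{WWW_DOMAIN_NAME}};`. In the same block `return 301` sits at server level, where nginx evaluates it before location matching, so the `/.well-known/acme-challenge/` location pulled in by `include snippets/letsencrypt.conf` is never reached and HTTP-01 validation is bounced to HTTPS; wrapping it as `location / { return 301 https://$host$request_uri; }` lets the challenge location win. Both 443 blocks reference `/etc/letsencrypt/live/{{DOMAIN_NAME}}/*.pem`, which do not exist before the first issuance, so nginx will not start at all until a certificate has been obtained; the setup guide should say to issue first with the 443 blocks disabled (or via certbot standalone). `proxy_pass_header Server` in the app block deliberately passes the upstream's `Server` header through to clients, which exposes whatever the Node app advertises; drop that line unless something depends on it.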
@@ -0,0 +1,20 @@
+#/etc/nginx/snippets/ssl.conf
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 30s;
+
+add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
diff --git a/docs/setup/conf/speech/chainqueryConfig.json b/docs/setup/conf/speech/chainqueryConfig.json
new file mode 100644
index 00000000..2ef4c607
--- /dev/null
+++ b/docs/setup/conf/speech/chainqueryConfig.json
@@ -0,0 +1,8 @@
+{
+ "host": "public.chainquery.lbry.io",
+ "port": "3306",
+ "timeout": 30,
+ "database": "chainquery",
+ "username": "speechpublic",
+ "password": "7uITJLwZRvHBZYS3JZDykD1-7hLVkVA1jDWfcgqi6QnC"
+}
diff --git a/docs/setup/scripts/firewall.sh b/docs/setup/scripts/firewall.sh
new file mode 100644
index 00000000..ac3be0a8
--- /dev/null
+++ b/docs/setup/scripts/firewall.sh
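Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still negotiates TLS 1.0 and 1.1, which RFC 8996 deprecates, and the `ssl_ciphers` string ends with 3DES suites (`DES-CBC3-SHA`, `ECDHE-*-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and plain-RSA suites (`AES128-SHA` through `AES256-SHA256`) that give no forward secrecy; `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the nginx/OpenSSL build supports it) and a list trimmed to the `ECDHE-`/`DHE-` entries is what the `ssl_prefer_server_ciphers on` intent suggests. The HSTS header carries `includeSubdomains; preload`, which, once the domain is submitted to the preload list, commits every subdomain to HTTPS for the lifetime of the browsers' built-in list; a sample copied by self-hosters should ship without `preload` and carry a `# add 'preload' only after reading hstspreload.org` comment. OCSP stapling lookups go through `resolver 8.8.8.8 8.8.4.4`, i.e. unencrypted DNS to a third party; the host's own resolver (`127.0.0.53` on systemd-resolved Ubuntu) or a `# change to your resolver` note would be more appropriate. Since nginx drops inherited `add_header` lines in any block that declares its own, a `# these headers are lost in any location that sets add_header itself` comment would save a future maintainer a surprise.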
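Review bot: The `password` field commits a real-looking credential for `speechpublic@public.chainquery.lbry.io` in plaintext alongside the docs, and nothing here says it is an intentionally shared read-only account, so every clone and fork of this repository now carries it. If it is meant to be public, say so where the guide tells users to copy this file (JSON has no comments); if not, rotate it and replace the value with a `{{CHAINQUERY_PASSWORD}}` placeholder consistent with the `{{DOMAIN_NAME}}` templating the other config files in this change use. `"port": "3306"` is a string while `"timeout": 30` is a number; presumably the consumer accepts both, but `"port": 3306` avoids relying on that.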
@@ -0,0 +1,12 @@
+#!/bin/bash
+sudo ufw status
+sudo ufw allow 80
+sudo ufw allow 443
+sudo ufw allow 22
+sudo ufw allow 3333
+sudo ufw allow 4444
+sudo ufw default allow outgoing
+sudo ufw default deny incoming
+sudo ufw show added
+sudo ufw enable
+sudo ufw status
diff --git a/docs/setup/scripts/newuser.sh b/docs/setup/scripts/newuser.sh
new file mode 100644
index 00000000..e69de29b
diff --git a/docs/ubuntu16vpspersonal.md b/docs/ubuntu16vpspersonal.md
new file mode 100644
index 00000000..b7950b33
--- /dev/null
+++ b/docs/ubuntu16vpspersonal.md
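Review bot: `sudo ufw enable` on the second-to-last line prompts "Command may disrupt existing ssh connections. Proceed?" and waits for input, so this script hangs or aborts when run non-interactively; use `sudo ufw --force enable`. The five `allow` rules open both TCP and UDP for each port, and 22 is left open to the whole internet with no rate limit; `sudo ufw limit 22/tcp`, `sudo ufw allow 80/tcp` and `sudo ufw allow 443/tcp` narrow that, while 3333/4444 may legitimately need UDP for lbrynet, which I cannot confirm from here, so leave those until checked. The script has no `set -e`, so a failed rule goes unnoticed before `enable` fires with the defaults in an unknown state. Since every command goes through `sudo`, a header comment `# run as your SSH user (not root); opens 22/80/443 and the lbrynet ports 3333/4444` would make the intent clear.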
@@ -0,0 +1,261 @@
+# Create Your Own Spee.ch on Ubuntu 16.x 18.x VPS
+
+# Overview
+
+## Prerequisites
+ * UBUNTU 16+ VPS with root access
+ * Your login info ready
+ * Domain name with @ and www pointed at your VPS IP
+ * Email Address
+ * Ability to send 5+ LBRY credits to an address
+ * Noncommercial use
+ * We recommend that you fork Spee.ch so that you can customize the site.
+
+## You'll be installing:
+ * MYSQL DB
+ * Default Port
+ * NODE v8+
+ * HTTPS PROXY SERVER
+ * Caddy for personal use
+ * Exposed ports: 22, 80, 443, 3333, 4444
+ * Reverse proxies to App on 3000
+ * SPEE.CH
+ * LBRYNET DAEMON
+
+
+# 1. Update OS and install packages
+## OS
+ `sudo apt-get update -y`
+
+ `ulimit -n 8192`
+
+## Git
+
+ `sudo apt-get install git -y`
+
+## NODE v8
+
+ `wget -qO- https://deb.nodesource.com/setup_8.x | sudo -E bash -`
+
+ `sudo apt-get install -y nodejs`
+
+## Curl, Tmux, Unzip, ffmpeg
+
+ `sudo apt-get install curl tmux unzip ffmpeg -y`
+
+## Grab config files
+
+ `git clone https://github.com/jessopb/speechconfigs.git`
+
+ `chmod 640 -R ~/speechconfigs`
+
+# 2 Secure the UFW firewall
+## UFW
+
+ `sudo ufw status`
+
+ `sudo ufw allow 80`
+
+ `sudo ufw allow 443`
+
+ `sudo ufw allow 22`
+
+ `sudo ufw allow 3333`
+
+ `sudo ufw allow 4444`
+
+ `sudo ufw default allow outgoing`
+
+ `sudo ufw default deny incoming`
+
+ `sudo ufw show added`
+
+ `sudo ufw enable` (yes, you've allowed ssh 22)
+
+ `sudo ufw status`
+
+# 3 Install Caddy to handle https and reverse proxy
+## Get Caddy
+
+ `curl https://getcaddy.com | bash -s personal`
+
+## Set up Caddy
+
+ `mkdir -p /opt/caddy/logs/`
+
+ `mkdir -p /opt/caddy/store/`
+
+ `cp ~/speechconfigs/caddy/Caddyfile.speechsample ~/speechconfigs/caddy/Caddyfile`
+
+ `nano ~/speechconfigs/caddy/Caddyfile`
+ ( Change {{EXAMPLE.COM}} to YOURDOMAIN.COM )
+
+ `cp ~/speechconfigs/caddy/Caddyfile /opt/caddy/`
+
+## Set up Caddy to run as systemd service
+
+ `cp ~/speechconfigs/caddy/caddy.service /etc/systemd/system/caddy.service`
+
+ `chmod 644 /etc/systemd/system/caddy.service`
+
+ `chown -R www-data:www-data /opt/caddy/`
+
+ `setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy`
+
+ `systemctl daemon-reload`
+
+ `systemctl start caddy`
+
+ `systemctl status caddy`
+
+ At this point, navigating to yourdomain.com should give you a 502 bad gateway error. That's good!
+
+# 4 Set up MySql
+
+## Install MySql
+
+ `sudo apt-get install mysql-server -y`
+ ( enter blank password each time )
+ `sudo systemctl status mysql` (q to exit)
+
+## Secure Setup
+
+ `sudo mysql_secure_installation`
+ * No to password validation
+ * Y to all other options
+ * password abcd1234
+
+## Login to mysql from root to complete setup:
+
+ `mysql` to enter mysql> console
+
+ mysql> `ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'abcd1234';`
+
+ mysql> `FLUSH PRIVILEGES;`
+
+ Control+D to exit
+
+ Verify:
+
+ `mysql -u root -p` and then entering your password abcd1234 should give you the mysql> shell
+
+# 5 Get Lbrynet Daemon
+
+### TODO: Enable something like sudo systemctl start lbrynet so it runs as www-data
+
+## Enter tmux
+
+ `tmux`
+ * Ctrl+b, d detaches leaving session running.
+ * ~# `tmux`, Ctrl+b, ( goes back to that session.
+
+## Get the daemon
+ `wget -O ~/latest_daemon.zip https://lbry.io/get/lbrynet.linux.zip`
+
+ `unzip -o -u ~/latest_daemon.zip`
+
+## Start the daemon
+ ~# `./lbrynet start`
+## Detatch tmux session
+ `Control+b, then d` to leave lbrynet daemon running and exit the session
+
+ `tmux` if you want to get back into tmux
+
+ `Control+b, then ) in tmux` to cycle back to your lbrynet session to see output
+
+## Display wallet address to which to send 5+ LBC.
+### These commands work when `lbrynet start` is already running in another tmux
+
+ `./lbrynet commands` to check out the current commands
+
+ `./lbrynet address_list` to get your wallet address
+
+ `Ctrl + Shift + C` after highlighting an address to copy.
+
+ Use a LBRY app or daemon to send LBC to the address.
Sending LBC may take a few seconds or longer.
+
+ `./lbrynet account_balance` to check your balance after you've sent LBC.
+
+# 6 Set up spee.ch
+## Clone speech either from your own fork, or from the lbryio/spee.ch repo.
+
+### Developers
+
+ SSH?
+
+ `git clone git@github.com:{{youraccount}}/spee.ch`
+
+ HTTPS?
+
+ `git clone https://github.com/{{youraccount}}/spee.ch.git`
+
+### Publishers
+
+ `git clone -b release https://github.com/lbryio/spee.ch`
+
+## Build it
+ `cd spee.ch`
+
+ ~/spee.ch# `npm install`
+
+ `cp ~/speechconfigs/speech/chainqueryConfig.json ~/spee.ch/site/config/chainqueryConfig.json`
+
+ ~/spee.ch# `npm run configure` (once your wallet balance has cleared)
+ * DATABASE: lbry
+ * USER NAME: root
+ * PASSWORD: abcd1234
+ * PORT: 3000
+ * Site Title: Your Site Name
+ * Enter your site's domain name: https://freezepeach.fun (this must include https://)
+ * Enter a directory where uploads should be stored: (/home/lbry/Uploads)
+
+ ~/spee.ch/# `npm run start`
+
+## Try it
+
+ Navigate to yourdomain.fun!
+
+
+### 7 Maintenance Proceedures
+* Change wallet
+ * TODO
+* Change daemon
+ * wget daemon from https://github.com/lbryio/lbry/releases
+ * wget --quiet -O ~/your_name_daemon.zip https://your_copied_file_path.zip
+ * rm ./lbrynet
+ * unzip -o -u ~/your_name_daemon.zip
+
+### 7 TODO
+* Don't run as root
+* Use Dockerized Spee.ch and Lbrynet
+ * https://github.com/lbryio/lbry-docker/tree/master/www.spee.ch
+ * https://github.com/lbryio/lbry-docker/tree/master/lbrynet-daemon
+ * https://blog.hasura.io/an-exhaustive-guide-to-writing-dockerfiles-for-node-js-web-apps-bbee6bd2f3c4
+ * https://docs.traefik.io/user-guide/docker-and-lets-encrypt/
+ * https://docs.traefik.io/configuration/acme/
+* Systemd unit files
+ * https://nodesource.com/blog/running-your-node-js-app-with-systemd-part-1/
+ * Spee.ch
+ * sudo nano /lib/systemd/system/speech.service
+ * Lbrynet
+ * sudo nano /lib/systemd/system/lbrynet.service
+ ```
+ [Unit]
+ Description=hello_env.js - making your environment variables read
+ Documentation=https://example.com
+ After=network.target
+
+ [Service]
+ Environment=NODE_PORT=3001
+ Type=simple
+ User=ubuntu
+ ExecStart=node path/server.js
+ Restart=on-failure
+
+ [Install]
+ WantedBy=multi-user.target
+ ```
+* Provide spee.ch build releases?
+* Provide system to configure chainqueryConfig.json
+* Clone speech to stripped version, streamline customization
+* Automate for testing