From 01ab6c7f82c474a5bddfbb1dd9dae0715a956c88 Mon Sep 17 00:00:00 2001 From: David Huerta Date: Tue, 29 Mar 2016 03:09:33 -0400 Subject: [PATCH] setup.sh is p much done and should Just Work. --- config/ghost/config.js | 147 +++++++++++++++++++++++++++++ config/nginx/ghost | 19 ++++ config/tor/torrc | 204 +++++++++++++++++++++++++++++++++++++++++ setup.sh | 31 ++++++- 4 files changed, 397 insertions(+), 4 deletions(-) create mode 100644 config/ghost/config.js create mode 100644 config/nginx/ghost create mode 100644 config/tor/torrc diff --git a/config/ghost/config.js b/config/ghost/config.js new file mode 100644 index 0000000..af8d69c --- /dev/null +++ b/config/ghost/config.js @@ -0,0 +1,147 @@ +// # Ghost Configuration +// Setup your Ghost install for various [environments](http://support.ghost.org/config/#about-environments). + +// Ghost runs in `development` mode by default. Full documentation can be found at http://support.ghost.org/config/ + +var path = require('path'), + config; + +config = { + // ### Production + // When running Ghost in the wild, use the production environment. + // Configure your URL and mail settings here + production: { + url: 'ONION_PLACEHOLDER', + mail: {}, + database: { + client: 'sqlite3', + connection: { + filename: path.join(__dirname, '/content/data/ghost.db') + }, + debug: false + }, + + server: { + host: '127.0.0.1', + port: '2368' + }, + debug: false + }, + + // ### Development **(default)** + development: { + // The url to use when providing links to the site, E.g. in RSS and email. + // Change this to your Ghost blog's published URL. + url: 'http://localhost:2368', + + // Example mail config + // Visit http://support.ghost.org/mail for instructions + // ``` + // mail: { + // transport: 'SMTP', + // options: { + // service: 'Mailgun', + // auth: { + // user: '', // mailgun username + // pass: '' // mailgun password + // } + // } + // }, + // ``` + + // #### Database + // Ghost supports sqlite3 (default), MySQL & PostgreSQL + database: { + client: 'sqlite3', + connection: { + filename: path.join(__dirname, '/content/data/ghost-dev.db') + }, + debug: false + }, + // #### Server + // Can be host & port (default), or socket + server: { + // Host to be passed to node's `net.Server#listen()` + host: '127.0.0.1', + // Port to be passed to node's `net.Server#listen()`, for iisnode set this to `process.env.PORT` + port: '2368' + }, + // #### Paths + // Specify where your content directory lives + paths: { + contentPath: path.join(__dirname, '/content/') + } + }, + + // **Developers only need to edit below here** + + // ### Testing + // Used when developing Ghost to run tests and check the health of Ghost + // Uses a different port number + testing: { + url: 'http://127.0.0.1:2369', + database: { + client: 'sqlite3', + connection: { + filename: path.join(__dirname, '/content/data/ghost-test.db') + }, + pool: { + afterCreate: function (conn, done) { + conn.run('PRAGMA synchronous=OFF;' + + 'PRAGMA journal_mode=MEMORY;' + + 'PRAGMA locking_mode=EXCLUSIVE;' + + 'BEGIN EXCLUSIVE; COMMIT;', done); + } + } + }, + server: { + host: '127.0.0.1', + port: '2369' + }, + logging: false + }, + + // ### Testing MySQL + // Used by Travis - Automated testing run through GitHub + 'testing-mysql': { + url: 'http://127.0.0.1:2369', + database: { + client: 'mysql', + connection: { + host : '127.0.0.1', + user : 'root', + password : '', + database : 'ghost_testing', + charset : 'utf8' + } + }, + server: { + host: '127.0.0.1', + port: '2369' + }, + logging: false + }, + + // ### Testing pg + // Used by Travis - Automated testing run through GitHub + 'testing-pg': { + url: 'http://127.0.0.1:2369', + database: { + client: 'pg', + connection: { + host : '127.0.0.1', + user : 'postgres', + password : '', + database : 'ghost_testing', + charset : 'utf8' + } + }, + server: { + host: '127.0.0.1', + port: '2369' + }, + logging: false + } +}; + +module.exports = config; diff --git a/config/nginx/ghost b/config/nginx/ghost new file mode 100644 index 0000000..35af0b4 --- /dev/null +++ b/config/nginx/ghost @@ -0,0 +1,19 @@ +server { + listen 127.0.0.1:80 default_server; + #listen [::]:80 default_server ipv6only=on; + + server_name ONION_PLACEHOLDER; + + root /usr/share/nginx/html; + index index.html index.htm; + + client_max_body_size 10G; + + location / { + proxy_pass http://localhost:2368; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + } +} diff --git a/config/tor/torrc b/config/tor/torrc new file mode 100644 index 0000000..49a21f0 --- /dev/null +++ b/config/tor/torrc @@ -0,0 +1,204 @@ +## Configuration file for a typical Tor user +## Last updated 22 September 2015 for Tor 0.2.7.3-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't +## configure one below. Set "SOCKSPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections. +#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SOCKSPolicy is set, we accept +## all (and only) requests that reach a SOCKSPort. Untrusted users who +## can access your SOCKSPort may be able to learn about the connections +## you make. +#SOCKSPolicy accept 192.168.0.0/16 +#SOCKSPolicy accept6 FC00::/7 +#SOCKSPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +HiddenServiceDir /var/lib/tor/hidden_service/ +HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "40 GB" may allow up to 80 GB total before +## hibernating. +## +## Set a maximum of 40 gigabytes each way per period. +#AccountingMax 40 GBytes +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. +## +## If you want to allow the same ports on IPv4 and IPv6, write your rules +## using accept/reject *. If you want to allow different ports on IPv4 and +## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules +## using accept/reject *4. +## +## If you want to _replace_ the default exit policy, end this with either a +## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to) +## the default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to the configured primary public IPv4 and IPv6 addresses, +## and any public IPv4 and IPv6 addresses on any interface on the relay. +## See the man page entry for ExitPolicyRejectPrivate if you want to allow +## "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy +#ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 + diff --git a/setup.sh b/setup.sh index cf9888e..d5e75a5 100644 --- a/setup.sh +++ b/setup.sh @@ -1,11 +1,34 @@ #!/bin/bash echo 'Removing any installed mail servers because they will hurt you.' -apt-get remove --purge exim -apt-get remove --purge postfix -apt-get remove --purge sendmail +echo 'Type "y" and hit enter to remove when asked.' +apt-get remove --purge exim postfix sendmail -echo 'Applying software updates... Type "y" and hit enter to install when asked.' +echo 'Applying software updates...' +echo 'Type "y" and hit enter to install when asked.' apt-get update apt-get upgrade +echo 'Installing Tor from official Tor software repository...' +echo 'Type "y" and hit enter to install when asked.' +add-apt-repository http://deb.torproject.org/torproject.org +gpg --keyserver keys.gnupg.net --recv 886DDD89 +gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - +apt-get update +apt-get install tor deb.torproject.org-keyring + +echo 'Setting up Tor onion service...' +mv /etc/tor/torrc /etc/tor/torrc.orig +cp config/tor/torrc /etc/tor/torrc +service tor reload +ONION_ADDRESS = `cat /var/lib/tor/hidden_service/hostname` + +echo 'Setting up the web server NGINX to use Tor onion service' +mv /etc/nginx/sites-available/ghost /etc/nginx/sites-available/ghost.orig +cp config/nginx/ghost /etc/nginx/sites-available/ghost +sed -i bak -e s/ONION_PLACEHOLDER/$ONION_ADDRESS/g /etc/nginx/sites-available/ghost + +echo 'Updating Ghost config to use .onion address.' +mv /var/www/ghost/config.js /var/www/ghost/config.js.orig +cp config/ghost/config.js /var/www/ghost/config.js +sed -i bak -e s/ONION_PLACEHOLDER/$ONION_ADDRESS/g /var/www/ghost/config.js \ No newline at end of file