dev-libre-is/docs/_source/code-libre-is.rst


2024-08-31 12:30:08 -06:00
=============
code.libre.is
=============

This is documentation for the system administrators of
`<https://code.libre.is/>`_.

The code server is a git server running Forgejo behind an Apache
reverse proxy.

Status
======

Under development.

Issues
======

Issues are tracked with Forgejo:
`<https://code.libre.is/libre/dev-libre-is/issues>`_

Links
=====

* `<https://code.libre.is/>`_
* `<https://dev.libre.is/>`_
* `<https://code.libre.is/libre/dev-libre-is>`_

Operating System
================

Install Debian stable, bookworm at present.

Install dependencies:

.. code-block:: sh

   sudo apt install apache2 python3-certbot-apache git git-lfs gpg mariadb-server \
       rsyslog
   sudo apt clean

Open up firewalls as needed (see the Firewall section below).

Apache
======

Set up Apache and get a Let's Encrypt certificate for the host, like so:

.. code-block:: sh

   sudo su -
   echo "code.libre.is" > /var/www/html/index.html
   certbot --apache -d code.libre.is

Firewall
========

Briefly, something like this. Note: change the real ssh port (9999
below) to whatever port is set in ``/etc/ssh/sshd_config`` on the
server. This runs two ssh servers: the system OpenSSH on the alternative
port for server admin, and Forgejo's built-in ssh server on 2222 for git
connections. The nat table redirects inbound port 22 to 2222, so users
clone over the standard port while the admin sshd is never exposed on
it. The file is in iptables-restore format; load it with iptables-restore,
check the result with iptables -S, and make it persistent (for example
with the iptables-persistent package). None of that happens automatically.

File: ``/etc/iptables.test.rules``

.. code-block:: sh

   # iptables.test.rules
   *filter
   # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
   -A INPUT -i lo -j ACCEPT
   -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
   # Accepts all established inbound connections
   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   # Allows all outbound traffic
   # You could modify this to only allow certain traffic
   -A OUTPUT -j ACCEPT
   # SSH Access Port (admin OpenSSH; replace 9999 with the real sshd port)
   -A INPUT -p tcp --dport 9999 -j ACCEPT
   # Forgejo ssh: inbound 22 is redirected to 2222 by the nat table below,
   # so 2222 is the port the filter table actually sees
   -A INPUT -p tcp --dport 22 -j ACCEPT
   -A INPUT -p tcp --dport 2222 -j ACCEPT
   # web
   -A INPUT -p tcp --dport 80 -j ACCEPT
   -A INPUT -p tcp --dport 443 -j ACCEPT
   # Allow ping
   #-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
   # log iptables denied calls (access via 'dmesg' command)
   -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
   # Reject all other inbound - default deny unless explicitly allowed policy:
   -A INPUT -j DROP
   -A FORWARD -j DROP
   COMMIT
   # Redirect for Forgejo from 22 to 2222
   *nat
   :PREROUTING ACCEPT [0:0]
   :INPUT ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   :POSTROUTING ACCEPT [0:0]
   -A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
   -A OUTPUT -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
   COMMIT
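The rules above are easy to get subtly wrong: the ACCEPT for the
redirect target can be missing, the DROP can end up before a later
ACCEPT, or the redirect can hijack the very port the admin sshd listens
on and lock you out. The following lint is an added example, not part
of these docs, that parses an iptables-restore file and checks those
invariants. The sample rules are a constructed copy of the file above
with the 9999 placeholder left in, and the expected port set is an
assumption mirroring this design.

```python
# Added example, not part of the dev-libre-is docs: a lint for an
# iptables-restore rules file that checks the invariants the Firewall
# section relies on. SAMPLE_RULES is a constructed copy of the file above.
import re
from typing import Dict, List, Set, Tuple

SAMPLE_RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 9999 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
-A OUTPUT -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
COMMIT
"""

# Assumption: the ports this design intends to expose (admin sshd on 9999).
EXPECTED_PORTS: Set[int] = {9999, 22, 2222, 80, 443}

ACCEPT_RE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT$")
REDIRECT_RE = re.compile(r"^-A PREROUTING .*--dport (\d+) .*-j REDIRECT --to-ports (\d+)$")


def parse_tables(text: str) -> Dict[str, List[str]]:
    """Split an iptables-restore file into {table name: [append rules]}."""
    tables: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            current = line[1:]
            tables.setdefault(current, [])
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)    # chain policies (":INPUT ...") are skipped
    return tables


def accepted_tcp_ports(filter_rules: List[str]) -> Set[int]:
    """TCP ports the INPUT chain accepts (as seen after nat PREROUTING)."""
    return {int(m.group(1)) for r in filter_rules if (m := ACCEPT_RE.match(r))}


def prerouting_redirects(nat_rules: List[str]) -> List[Tuple[int, int]]:
    """(original dport, redirected-to port) pairs from PREROUTING REDIRECT rules."""
    return [(int(m.group(1)), int(m.group(2)))
            for r in nat_rules if (m := REDIRECT_RE.match(r))]


def lint_rules(text: str, expected_ports: Set[int], admin_ssh_port: int) -> List[str]:
    """Return findings; an empty list means the rules match the intended design."""
    tables = parse_tables(text)
    filt = tables.get("filter", [])
    problems: List[str] = []

    input_rules = [r for r in filt if r.startswith("-A INPUT")]
    if not input_rules or not input_rules[-1].endswith("-j DROP"):
        problems.append("INPUT chain does not end in an explicit DROP")

    ports = accepted_tcp_ports(filt)
    for p in sorted(ports - expected_ports):
        problems.append(f"tcp/{p} is accepted but not in the expected set")
    for p in sorted(expected_ports - ports):
        problems.append(f"tcp/{p} is expected but not accepted")
    if admin_ssh_port not in ports:
        problems.append(f"admin sshd port tcp/{admin_ssh_port} is not accepted: lockout")

    for src, dst in prerouting_redirects(tables.get("nat", [])):
        # The filter table sees the packet after REDIRECT, so the target
        # port, not the original one, is what must be accepted.
        if dst not in ports:
            problems.append(f"REDIRECT {src}->{dst} but tcp/{dst} is not accepted")
        if src == admin_ssh_port:
            problems.append(f"REDIRECT of tcp/{src} hijacks the admin sshd port: lockout")
    return problems
```

Run it against the real file before loading it: `lint_rules(open("/etc/iptables.test.rules").read(), EXPECTED_PORTS, <real sshd port>)` should come back empty, and the lockout finding is the one that matters most, because it fires when the sshd port is left at 22 while 22 is redirected to Forgejo.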

MariaDB
=======

It is best to use Forgejo with a database server, rather than the
embedded SQLite, for 10+ users. MariaDB is a community fork of MySQL.

For now, the database will be hosted on the same server as Forgejo.
If it gets bigger, it can be moved to a dedicated machine.
If it gets even bigger than that, it can be clustered with Galera.

Set up MariaDB thusly:

.. code-block:: sh

   sudo mariadb-admin password
   mariadb -uroot -p

In the database run (replace ``mypassword`` with a generated secret):

.. code-block:: sql

   SET old_passwords=0;
   CREATE USER 'forgejo'@'%' IDENTIFIED BY 'mypassword';
   CREATE DATABASE forgejodb CHARACTER SET 'utf8mb4' COLLATE 'utf8mb4_bin';
   GRANT ALL PRIVILEGES ON forgejodb.* TO 'forgejo';
   FLUSH PRIVILEGES;
   EXIT

The ``'%'`` host part allows this user to log in from any host. Since
Forgejo connects over 127.0.0.1, the user could be restricted to the
local host instead; either way, keep MariaDB's Debian default of
binding only to 127.0.0.1 so port 3306 is never reachable from outside.

Test the new database setup thusly:

.. code-block:: sh

   mariadb -u forgejo -p forgejodb

Forgejo
=======

Forgejo main site:
`<https://forgejo.org/>`_

Forgejo release information:
`<https://forgejo.org/docs/next/contributor/release/>`_

For this server we'll be using the Long Term Support (LTS) releases,
currently starting with the major version "7".

Download information: `<https://forgejo.org/download/>`_

Latest releases can be found here:
`<https://codeberg.org/forgejo/forgejo/releases/>`_

Binary install docs here:
`<https://forgejo.org/docs/latest/admin/installation-binary/>`_

Get the Forgejo release signing key:

.. code-block:: sh

   gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710

Install Forgejo thusly. ``sha256sum -c`` does the hash comparison, so
there is nothing to eyeball. ``gpg --verify`` reports "Good signature"
for any key in the keyring, so also confirm that the "Primary key
fingerprint" it prints is the one fetched above before copying the
binary into place.

.. code-block:: sh

   wget https://codeberg.org/forgejo/forgejo/releases/download/v7.0.8/forgejo-7.0.8-linux-amd64
   wget https://codeberg.org/forgejo/forgejo/releases/download/v7.0.8/forgejo-7.0.8-linux-amd64.sha256
   wget https://codeberg.org/forgejo/forgejo/releases/download/v7.0.8/forgejo-7.0.8-linux-amd64.asc
   # hash check: prints "OK" or fails; run in the download directory
   sha256sum -c forgejo-7.0.8-linux-amd64.sha256
   # signature check: the printed primary key fingerprint must be EB11...3710
   gpg --verify forgejo-7.0.8-linux-amd64.asc forgejo-7.0.8-linux-amd64
   sudo cp forgejo-7.0.8-linux-amd64 /usr/local/bin/forgejo
   sudo chmod 755 /usr/local/bin/forgejo
   # unprivileged service user; no password, shell needed for git over ssh
   sudo adduser --system --shell /bin/bash --gecos 'Git Version Control' \
       --group --disabled-password --home /home/git git
   sudo mkdir /var/lib/forgejo
   sudo chown git:git /var/lib/forgejo
   sudo chmod 750 /var/lib/forgejo
   # group-writable only so the web installer can write app.ini;
   # tighten to 750 (and app.ini to 640) once setup is done
   sudo mkdir /etc/forgejo
   sudo chown root:git /etc/forgejo
   sudo chmod 770 /etc/forgejo
   sudo wget -O /etc/systemd/system/forgejo.service \
       https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/contrib/systemd/forgejo.service
   # start Forgejo only after MariaDB is up
   sudo sed -i -e 's/#Wants=mariadb.service/Wants=mariadb.service/g' \
       /etc/systemd/system/forgejo.service
   sudo sed -i -e 's/#After=mariadb.service/After=mariadb.service/g' \
       /etc/systemd/system/forgejo.service
   sudo systemctl daemon-reload
   sudo systemctl enable forgejo.service
   sudo systemctl start forgejo.service
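The download verification step above is the supply-chain control for
this whole install, and the weak spot is that ``gpg --verify`` is happy
with any key you happen to have imported. As an added example (not part
of these docs and not Forgejo's tooling), here is a Python checker that
compares the binary against the ``.sha256`` file with hashlib and reads
gpg's machine-readable ``--status-fd`` output so the primary key
fingerprint is compared against the one fetched above. The sample
download and the gpg status lines are constructed; the signing subkey
fingerprint in them is a made-up value.

```python
# Added example, not part of the dev-libre-is docs or of Forgejo: verify a
# release download without eyeballing hashes, and check *which* key signed it.
import hashlib
import os
import subprocess
import tempfile
from typing import Optional, Tuple

# Forgejo release signing key fingerprint, as given in the docs above.
FORGEJO_PRIMARY_FPR = "EB114F5E6C0DC2BCDD183550A4B61A2DC5923710"

# Constructed gpg --status-fd output: a good signature by a (made-up) subkey
# whose primary key is the Forgejo key. Real output has the same field layout.
CONSTRUCTED_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-08-20 1724140800 0 4 0 22 8 00 EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def sha256_matches(binary_path: str, sha256_path: str) -> bool:
    """Check binary_path against a `<hex>  <filename>` line in sha256_path."""
    name = os.path.basename(binary_path)
    want: Optional[str] = None
    with open(sha256_path, encoding="ascii") as fh:
        for line in fh:
            parts = line.split()
            # sha256sum format "<hash>  <name>" (binary mode prefixes "*"); a bare hash is accepted too
            if len(parts) == 1 or (len(parts) == 2 and parts[1].lstrip("*") == name):
                want = parts[0].lower()
    if want is None:
        return False
    h = hashlib.sha256()
    with open(binary_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == want


def validsig_fingerprints(status_output: str) -> Optional[Tuple[str, str]]:
    """From gpg --status-fd output return (signing key fpr, primary key fpr)
    taken from the VALIDSIG line, or None if no valid signature was reported."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            signing_fpr = fields[2].upper()
            # Field layout: VALIDSIG fpr date ts expire ver reserved pkalgo hashalgo class primary-fpr;
            # the trailing primary fingerprint is what a release key is identified by.
            primary_fpr = fields[-1].upper() if len(fields) >= 12 else signing_fpr
            return signing_fpr, primary_fpr
    return None


def signature_from_key(status_output: str, expected_primary_fpr: str) -> bool:
    """True only if gpg reported a valid signature whose primary key is the expected one."""
    parsed = validsig_fingerprints(status_output)
    return parsed is not None and parsed[1] == expected_primary_fpr.upper()


def verify_release(binary_path: str, sha256_path: str, asc_path: str,
                   expected_primary_fpr: str = FORGEJO_PRIMARY_FPR) -> bool:
    """Full check for a real download; needs gpg and the imported release key."""
    if not sha256_matches(binary_path, sha256_path):
        return False
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", asc_path, binary_path],
        capture_output=True, text=True, check=False)
    return proc.returncode == 0 and signature_from_key(proc.stdout, expected_primary_fpr)


def check_sample_download(tamper: bool = False) -> bool:
    """Write a constructed stand-in binary plus its .sha256 file to a fresh temp
    dir and run the hash check; with tamper=True the binary is altered after hashing."""
    d = tempfile.mkdtemp(prefix="forgejo-check-")
    name = "forgejo-7.0.8-linux-amd64"
    binary = os.path.join(d, name)
    content = b"constructed stand-in for the forgejo binary\n"
    with open(binary + ".sha256", "w", encoding="ascii") as fh:
        fh.write(f"{hashlib.sha256(content).hexdigest()}  {name}\n")
    with open(binary, "wb") as fh:
        fh.write(content + (b"tampered" if tamper else b""))
    return sha256_matches(binary, binary + ".sha256")
```

On the server, `verify_release("forgejo-7.0.8-linux-amd64", "forgejo-7.0.8-linux-amd64.sha256", "forgejo-7.0.8-linux-amd64.asc")` replaces the two manual commands; checking the primary fingerprint rather than `GOODSIG` alone means a stray key imported months ago cannot vouch for a tampered binary.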

Reverse Proxy
=============

Set up Apache to be a reverse proxy for Forgejo. The port 80 vhost only
redirects to https; the port 443 vhost proxies to Forgejo on
127.0.0.1:3000. ``AllowEncodedSlashes NoDecode`` together with
``nocanon`` stops Apache from decoding or canonicalising encoded slashes
in git and API paths before Forgejo sees them.

.. code-block:: sh

   sudo a2enmod proxy proxy_http rewrite ssl
   sudo vim /etc/apache2/sites-available/code-libre-is.conf

File: ``/etc/apache2/sites-available/code-libre-is.conf``

.. code-block:: apache

   <VirtualHost 70.39.110.155:80>
       ServerName code.libre.is
       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error-code-libre-is.log
       CustomLog ${APACHE_LOG_DIR}/access-code-libre-is.log combined
       RewriteEngine on
       RewriteCond %{SERVER_NAME} =code.libre.is
       RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
   </VirtualHost>

   <VirtualHost 70.39.110.155:443>
       ServerName code.libre.is
       ServerAdmin webmaster@localhost
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error-code-libre-is.log
       CustomLog ${APACHE_LOG_DIR}/access-code-libre-is.log combined
       RewriteEngine on
       ProxyPreserveHost On
       ProxyRequests off
       AllowEncodedSlashes NoDecode
       ProxyPass / http://127.0.0.1:3000/ nocanon
       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/code.libre.is/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/code.libre.is/privkey.pem
   </VirtualHost>
   # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Disable the default sites, enable the new one, and check the
configuration before restarting Apache:

.. code-block:: sh

   sudo a2dissite 000-default 000-default-le-ssl
   sudo a2ensite code-libre-is
   sudo apache2ctl configtest
   sudo systemctl restart apache2

Admin Setup
===========

Now connect to the newly created site and configure:
`<https://code.libre.is/>`_

The install page is reachable by anyone until the administrator account
has been created, so do this step right after starting the service.

Most of the defaults are ok. Set:

* Database type: MySQL
* Host: 127.0.0.1:3306
* Username: forgejo
* Password: set to the database password
* Database name: forgejodb (note "db" at the end, as above)
* Instance title: Libre Code
* SSH server port: 22

The rest should be ok by default. The main (admin) OpenSSH server is on
an alternative port, as set up in the Firewall section; 22 here is the
port users will see in clone URLs, not the admin port.
Email settings will be set up at another point.

Uncheck:

* Enable OpenID sign-in

Set up:

* Administrator account settings
* Administrator username: codeadmin

Configure Forgejo
=================

Configuration cheat sheet:
`<https://forgejo.org/docs/latest/admin/config-cheat-sheet/>`_

Configure Forgejo thusly:

.. code-block:: sh

   sudo vim /etc/forgejo/app.ini

In the very top section (before the first ``[section]`` header), add:

.. code-block:: ini

   APP_NAME = Libre Code
   APP_SLOGAN = Code free or die
   APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}

Add to the ``[server]`` section, so port 3000 only listens on localhost
and is reachable solely through the Apache proxy. Also make Forgejo's
built-in ssh server listen on a different port than the main OpenSSH
server, so admin and Forgejo keys, ports and logs stay separate.
``SSH_PORT`` is the port advertised in clone URLs (22); the firewall
redirects inbound port 22 to ``SSH_LISTEN_PORT`` (2222), as shown in the
Firewall section.

.. code-block:: ini

   HTTP_ADDR = 127.0.0.1
   SSH_PORT = 22
   START_SSH_SERVER = true
   SSH_LISTEN_PORT = 2222

Under ``[service]`` change this to true, so only the admin creates
accounts:

.. code-block:: ini

   DISABLE_REGISTRATION = true

Add sections:

.. code-block:: ini

   [ui]
   SHOW_USER_EMAIL = false

   [ui.meta]
   AUTHOR = Libre Developers
   DESCRIPTION = Free Software

Restart the forgejo service for the changes to take effect. Now that the
web installer has written ``app.ini``, also tighten the permissions
opened up during install (750 on ``/etc/forgejo``, 640 on ``app.ini``),
as the binary install docs recommend.
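The settings above only hold together if ``app.ini`` and the firewall
agree: the built-in ssh server must listen on the port the REDIRECT rule
sends 22 to, and must not collide with the admin sshd, and the web
installer is known to leave ``HTTP_ADDR`` and registration wide open.
As an added example, not part of these docs and not Forgejo's own
validation, here is an audit in Python that reads an ``app.ini`` and
reports those problems. Both sample files are constructed: the hardened
one matches this section, the weak one shows installer-style defaults.
The admin sshd port and redirect target are passed in as assumptions.

```python
# Added example, not part of the dev-libre-is docs: audit a Forgejo app.ini for
# the hardening settings described above and for consistency with the firewall.
import configparser
from typing import List

# Constructed app.ini fragment matching the Configure Forgejo section.
HARDENED_INI = """\
APP_NAME = Libre Code
APP_SLOGAN = Code free or die
APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}

[server]
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3000
SSH_PORT = 22
START_SSH_SERVER = true
SSH_LISTEN_PORT = 2222

[service]
DISABLE_REGISTRATION = true

[ui]
SHOW_USER_EMAIL = false
"""

# Constructed variant with the kind of defaults a web installer leaves behind,
# plus an ssh listen port that collides with the (assumed) admin sshd on 9999.
WEAK_INI = (HARDENED_INI
            .replace("HTTP_ADDR = 127.0.0.1", "HTTP_ADDR = 0.0.0.0")
            .replace("DISABLE_REGISTRATION = true", "DISABLE_REGISTRATION = false")
            .replace("SSH_LISTEN_PORT = 2222", "SSH_LISTEN_PORT = 9999"))

TOP = "__top__"  # section name given to the keys Forgejo keeps above the first [section]


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse app.ini; the top-level keys get a synthetic section so configparser accepts them."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep Forgejo's upper-case key names as written
    cfg.read_string(f"[{TOP}]\n" + text)
    return cfg


def is_true(cfg: configparser.ConfigParser, section: str, key: str, default: str = "false") -> bool:
    """Forgejo-style boolean: true/1/on/yes, case-insensitive."""
    return cfg.get(section, key, fallback=default).strip().lower() in ("true", "1", "on", "yes")


def audit_app_ini(text: str, admin_ssh_port: int, redirect_target: int) -> List[str]:
    """Return findings; empty means app.ini matches the design in this document."""
    cfg = load_ini(text)
    problems: List[str] = []

    addr = cfg.get("server", "HTTP_ADDR", fallback="0.0.0.0").strip()
    if addr not in ("127.0.0.1", "::1", "localhost"):
        problems.append(f"[server] HTTP_ADDR={addr}: port 3000 is reachable around the reverse proxy")

    if not is_true(cfg, "server", "START_SSH_SERVER"):
        problems.append("[server] START_SSH_SERVER is off: git over ssh would go to the admin sshd")
    listen = int(cfg.get("server", "SSH_LISTEN_PORT", fallback=cfg.get("server", "SSH_PORT", fallback="22")))
    if listen == admin_ssh_port:
        problems.append(f"[server] SSH_LISTEN_PORT={listen} collides with the admin sshd port")
    if listen != redirect_target:
        problems.append(f"[server] SSH_LISTEN_PORT={listen} but the firewall redirects 22 to {redirect_target}")

    if not is_true(cfg, "service", "DISABLE_REGISTRATION"):
        problems.append("[service] DISABLE_REGISTRATION is not true: anyone can create an account")
    if is_true(cfg, "ui", "SHOW_USER_EMAIL", default="true"):
        problems.append("[ui] SHOW_USER_EMAIL is true: user addresses are exposed to scrapers")
    return problems
```

Run it as `audit_app_ini(open("/etc/forgejo/app.ini").read(), <real sshd port>, 2222)` after every edit of ``app.ini``; it pairs naturally with the firewall lint, since the two files encode the same port plan in different places.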