From c6eb79b2f7b0fc7693ab7671ca50e4aa9ec15bd1 Mon Sep 17 00:00:00 2001
From: Cadence Ember <cadence@disroot.org>
Date: Sat, 27 Feb 2021 14:53:17 +1300
Subject: [PATCH] Add installing documentation

---
 docs/Installing CloudTube.md | 217 +++++++++++++++++++++++++++++++++++
 docs/Installing NewLeaf.md   | 105 +++++++++++++++++
 2 files changed, 322 insertions(+)
 create mode 100644 docs/Installing CloudTube.md
 create mode 100644 docs/Installing NewLeaf.md

diff --git a/docs/Installing CloudTube.md b/docs/Installing CloudTube.md
new file mode 100644
index 0000000..e084e38
--- /dev/null
+++ b/docs/Installing CloudTube.md	
@@ -0,0 +1,217 @@
+# Installing CloudTube
+
+## System dependencies
+
+- node.js (v12+)
+- nginx (needed for public instances only)
+
+## Prepare
+
+**Install NewLeaf first.**
+
+[→ Installing NewLeaf](./Installing%20NewLeaf.md)
+
+Change to the CloudTube user you created before:
+
+```
+# su cloudtube
+```
+
+## Installing
+
+Clone the repo:
+
+```
+$ git clone https://git.sr.ht/~cadence/cloudtube
+$ cd cloudtube
+```
+
+Install dependencies:
+
+```
+$ npm install
+```
+
+Set up the configuration. Configuration is read from the filename `config/config.js`. Copy the sample file to that name, **then edit it.**
+
+You must set the setting for the default instance. You should write an address that is reachable from the machine running CloudTube. Hint: If CloudTube and NewLeaf are on the same machine, you can write `http://localhost:3000`.
+
+```
+$ pushd config
+$ cp config.sample.js config.js
+$ $EDITOR config.js
+$ popd
+```
+
+All done! Start CloudTube:
+
+```
+$ npm run start
+```
+
+In the future, from a new terminal session, CloudTube can be started with:
+
+```
+$ cd [installation directory]
+$ npm run start
+```
+
+## systemd service
+
+If you want to control the services with systemd, you can use these files. This is optional.
+
+This service should be run as the cloudtube user rather than as the system.
+
+You may need to adjust the paths in these files.
+
+If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html).
+
+```
+[Unit]
+Description=cloudtube website
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/node /home/cloudtube/cloudtube/server.js
+WorkingDirectory=/home/cloudtube/cloudtube
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+SyslogIdentifier=cloudtube
+
+[Install]
+WantedBy=default.target
+```
+
+Save it to `~/.config/systemd/user/cloudtube.service`, then issue these commands:
+
+```
+$ systemctl daemon-reload
+$ systemctl start cloudtube
+```
+
+...and if all is successful...
+
+```
+$ systemctl enable cloudtube
+```
+
+## nginx reverse proxy
+
+This will allow people to access CloudTube over HTTPS and without having to enter a port into the browser's address bar.
+
+It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need it.
+
+SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
+)
+
+Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397))
+
+```
+# mkdir -p /etc/nginx/ssl
+# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem
+```
+
+Then create a file inside the directory /etc/nginx/sites-available (suggested name: cloudtube-proxy) with contents like this:
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name cloudtube.example.com; # [1]
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name cloudtube.example.com; # [1]
+
+    ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2]
+    ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2]
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+
+    ssl_dhparam /etc/nginx/ssl/dhparam; # [3]
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    location / {
+        proxy_pass http://127.0.0.1:10412;
+    }
+}
+```
+
+- `[1]` Write your actual domain here in place of cloudtube.example.com, without capital letters.
+- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.
+- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)
+
+Set the configuration as enabled:
+
+```
+# cd /etc/nginx/sites-enabled
+# ln -sv ../sites-available/cloudtube-proxy .
+```
+
+And delete the default "it works" server that comes with nginx:
+
+```
+# rm default
+```
+
+Check your configuration. If there are errors, find them and fix them.
+This sample config should be good on its own.
+
+```
+# nginx -t
+```
+
+Once there are no errors in the configuration, start nginx:
+
+```
+# systemctl start nginx
+```
+
+Enable the nginx service to automatically start nginx after a machine reboot:
+
+```
+# systemctl enable nginx
+```
+
+If nginx is already running, you only have to reload the configuration:
+
+```
+# systemctl reload nginx
+```
+
+Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum))
+
+1. First, go to the [SSLMate CAA record generator.][caa generator]
+1. Enter your domain name, then press "auto-generate policy".
+1. Scroll the list and make sure all boxes are unchecked _except_ for
+the one that has your certificate authority.
+1. If it's all good, go down to the "publish your CAA policy" section
+and examine the first code block. You need to create a DNS record with
+this information on your domain.
+
+[caa generator]: https://sslmate.com/caa/
+
+Once you've set everything up, open your domain
+(ex: `https://cloudtube.example.com`) in your browser and check that:
+
+1. The CloudTube home page appears
+1. You are connected over HTTPS
+
+Now that that works,
+[run the Qualys SSL Labs server test][ssl server test] to make sure
+your configuration is secure. The test will take a few minutes to run.
+
+[ssl server test]: https://www.ssllabs.com/ssltest/
diff --git a/docs/Installing NewLeaf.md b/docs/Installing NewLeaf.md
new file mode 100644
index 0000000..3ab509d
--- /dev/null
+++ b/docs/Installing NewLeaf.md	
@@ -0,0 +1,105 @@
+# Installing NewLeaf
+
+## System dependencies
+
+- python3 (v3.7+ ?)
+- python3-venv
+
+## Prepare
+
+We suggest you create a new user to run NewLeaf as, for security reasons.
+
+```
+# adduser cloudtube
+# su cloudtube
+```
+
+## Installing
+
+Clone the repo:
+
+```
+$ git clone https://git.sr.ht/~cadence/NewLeaf
+$ cd NewLeaf
+```
+
+Create a Python virtual environment, for separating dependencies:
+
+Note: `/bin/activate` only works with the bash shell. [See here for fish shell.](https://github.com/justinmayer/virtualfish)
+
+```
+$ python3 -m venv newleaf-venv
+$ source newleaf-venv/bin/activate
+```
+
+Install dependencies:
+
+```
+$ pip3 install -r requirements.txt
+```
+
+Set up the configuration. Configuration is read from the filename `configuration.py`. Copy the sample file to that name, **then edit it.**
+
+```
+$ cp configuration.sample.py configuration.py
+$ $EDITOR configuration.py
+```
+
+All done! Start NewLeaf:
+
+```
+$ python3 index.py
+```
+
+In the future, from a new terminal session, NewLeaf can be started with:
+
+```
+$ cd [installation directory]
+$ source newleaf-venv/bin/activate
+$ python3 index.py
+```
+
+## systemd service
+
+If you want to control the services with systemd, you can use these files. This is optional.
+
+This service should be run as the cloudtube user rather than as the system.
+
+You may need to adjust the paths in these files.
+
+If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html).
+
+```
+[Unit]
+Description=NewLeaf
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/python3 /home/cloudtube/NewLeaf/index.py
+WorkingDirectory=/home/cloudtube/NewLeaf
+
+# Restart timing
+Restart=always
+RestartSec=60
+
+# Disable logs
+StandardOutput=null
+StandardError=null
+SyslogIdentifier=newleaf
+
+[Install]
+WantedBy=multi-user.target
+```
+
+As above, save it to `~/.config/systemd/user/newleaf.service`, then issue these commands:
+
+```
+$ systemctl daemon-reload
+$ systemctl start newleaf
+```
+
+...and if all is successful...
+
+```
+$ systemctl enable newleaf
+```