Compare commits
No commits in common. "master" and "master" have entirely different histories.
@ -1,5 +1,5 @@
|
||||
[core]
|
||||
autocrlf = false #line ending issues should be handled in .gitattributes
|
||||
autocrlf = input
|
||||
whitespace = -tab-in-indent,tabwidth=4,indent-with-non-tab,trailing-space,space-before-tab
|
||||
safecrlf=warn
|
||||
[apply]
|
||||
|
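Review bot: the new `autocrlf = input` and `safecrlf=warn` lines move line-ending normalization from the repository into each contributor's config, and this file only takes effect for contributors who opt in with `git config --local include.path ../.gitconfig`; the removed comment on `autocrlf = false` (`line ending issues should be handled in .gitattributes`) described the setting that binds everyone regardless of their local config. Keep a `.gitattributes` (for example `* text=auto`) as the authoritative line-ending rule and treat the `autocrlf` value here as a fallback, otherwise a Windows contributor who has not included this file can commit CRLF files that the rest of the team then sees as whole-file changes.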
6
.gitmodules
vendored
6
.gitmodules
vendored
@ -1,12 +1,12 @@
|
||||
[submodule "libsodium"]
|
||||
path = libsodium
|
||||
url = gitea@gitea.rho.la:cheng/libsodium.git
|
||||
url = ../libsodium.git
|
||||
branch = rho-fork
|
||||
[submodule "mpir"]
|
||||
path = mpir
|
||||
url = gitea@gitea.rho.la:cheng/mpir.git
|
||||
url = ../mpir.git
|
||||
branch = rho-fork
|
||||
[submodule "wxWidgets"]
|
||||
path = wxWidgets
|
||||
url = gitea@gitea.rho.la:cheng/wxWidgets.git
|
||||
url = ../wxWidgets.git
|
||||
branch = rho-fork
|
||||
|
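Review bot: switching the three submodule `url` values from `gitea@gitea.rho.la:cheng/<name>.git` to `../<name>.git` makes them resolve relative to whatever remote the superproject was cloned from, and the README should say so. A contributor who follows the `Fork the repository` instruction and clones their own fork gets `../libsodium.git` resolved inside their own namespace, where no such repository exists unless they also fork `libsodium`, `mpir` and `wxWidgets`; a sentence telling forkers to fork all four, or to override the submodule URLs with `git config submodule.<name>.url`, would save the first-clone failure. The upside is that the transport now follows the superproject, so the README's preference for `ssh` over `https` covers the submodules automatically.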
34
README.md
34
README.md
@ -1,6 +1,5 @@
|
||||
#README
|
||||
|
||||
## About
|
||||
About
|
||||
-----
|
||||
|
||||
Wallet is open source software intended to become the manager of hierarchical
|
||||
deterministic keys for a social network that a superset of the Bitmessage social net,
|
||||
@ -10,30 +9,24 @@ it will not be private for much longer).
|
||||
|
||||
You cannot have truly end to end encryption, except you control your own keys directly.
|
||||
|
||||
To make an actually useful social net requires a lot of engineers doing a lot of work,
|
||||
which requires funding, which requires a profit model.
|
||||
The current business plan being to [eat SWIFT's lunch](./docs/manifesto/SWIFT.html),
|
||||
by creating an environment in which one can create and operate the necessary Daos.
|
||||
To make an actually useful social net requires a lot of engineers doing a lot of work, which requires funding, which requires a a profit model. The current business plan being to [eat SWIFT's lunch](./docs/manifesto/SWIFT.html), by creating an environment in which one can create and operate the necessary Daos.
|
||||
|
||||
We need uncensorable speech to save civilisation, but uncensorable speech does not pay the bills.
|
||||
Uncensorable money does pay the bills.
|
||||
The rest of the documentation is in Pandoc markdown, rather than Gitea or Github markdown, so you will have to build it before any of these links work.
|
||||
|
||||
The rest of the documentation is in Pandoc markdown, rather than Gitea or Github markdown,
|
||||
so you will have to build it before any of these links work.
|
||||
[pre alpha documentation (mostly a wish list)](docs/index.htm)
|
||||
|
||||
[copyright © and license](./license.txt)
|
||||
|
||||
|
||||
## Prerequisites
|
||||
Prerequisites
|
||||
---------
|
||||
|
||||
pre-requisite, Pandoc to build the html documentation from the markdown files.
|
||||
|
||||
Windows pre-requisites: Visual Studio and git-bash. This software is supposed to be cross platform, and is unlikely to get traction with highly motivate early adopters unless it is cross platform, but currently only builds on Windows.
|
||||
|
||||
## Download
|
||||
|
||||
The current state of the code is so incomplete and fragmentary
|
||||
that it is likely to be difficult for other people to usefully build on.
|
||||
Download
|
||||
---------
|
||||
|
||||
To obtain the source code from which the project can be built,
|
||||
including this README.html, from the bash command line (git-bash in windows).
|
||||
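Review bot: the rewrapped paragraph on the new side introduces a duplicated article, `which requires a a profit model`; drop one `a`. While this region is being edited, the unchanged Windows prerequisites sentence says `highly motivate early adopters` where `highly motivated` is meant.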
@ -48,9 +41,6 @@ wallet/docs/mkdocs.sh
|
||||
The above download relies on `https` for security, but `https` is vulnerable to enemy action by any adversary sufficiently powerful to have a certificate authority in his pocket, so our identity model relies on ssh keys, not domain names, so if you intend to make contributions, it would be preferable to create an account on `gitea.rho.la` with a fake email,
|
||||
upload your ssh public key to that account, and clone using `ssh` instead of `https`
|
||||
|
||||
Fork the repository and provide a comment explaining the fork, otherwise your
|
||||
login might be deleted as spam.
|
||||
|
||||
```bash
|
||||
git clone --recurse-submodules gitea@gitea.rho.la:cheng/wallet.git
|
||||
wallet/docs/mkdocs.sh
|
||||
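Review bot: the paragraph that justifies `ssh` over `https` (an adversary with a certificate authority in his pocket) stops one step short of what makes the ssh clone resistant to that same adversary: verifying the `gitea.rho.la` host key on first connection. As written, `git clone --recurse-submodules gitea@gitea.rho.la:cheng/wallet.git` accepts whatever host key is presented the first time, so the identity model at that moment is trust-on-first-use rather than key-based. Suggest publishing the server's ssh host key fingerprint next to the clone command (a `«host key fingerprint»` placeholder until it is filled in) and telling the reader to compare it with the fingerprint ssh prints before answering yes.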
@ -63,7 +53,8 @@ cd wallet
|
||||
docs/mkdocs.sh
|
||||
```
|
||||
|
||||
## Setup
|
||||
Setup
|
||||
------
|
||||
|
||||
To configure and build the required third party libraries in windows, then
|
||||
build the program and run unit test for the first time, you need to have
|
||||
@ -80,7 +71,7 @@ Or, if you are in the command shell or power shell,
|
||||
msvc\winConfigure.bat
|
||||
```
|
||||
|
||||
After a pull that gives you a status of modified submodules, to fix the submodules
|
||||
After a pull that gives you a status of modified submodules, a to fix the submodules
|
||||
|
||||
```bash
|
||||
git submodule update --init --recursive --remote
|
||||
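Review bot: the changed sentence now reads `a status of modified submodules, a to fix the submodules`; the stray `a` was introduced on the new line and should go. On the command below it, `git submodule update --init --recursive --remote` checks out the tip of each submodule's `branch = rho-fork` rather than the commit recorded in the superproject, so a reader following the "after a pull" instructions gets whatever those branches currently point at, not the tree the pulled commit was built and signed against. For the post-pull case, `git submodule update --init --recursive` (without `--remote`) restores the pinned commits; reserve `--remote` for deliberately advancing a submodule, followed by committing the new submodule pointer.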
@ -112,6 +103,7 @@ update in pushes, pulls, checkouts, and switches.
|
||||
|
||||
[cryptographic software is under attack]:./docs/setup/contributor_code_of_conduct.html#code-will-be-cryptographically-signed
|
||||
"Contributor Code of Conduct"
|
||||
{target="_blank"}
|
||||
|
||||
It will, however, also implement signed commits, and insist you have set up a key pair as
|
||||
explained in the contributor code of conduct because [cryptographic software is under attack] from NSA
|
||||
|
Binary file not shown.
Before Width: | Height: | Size: 24 KiB After Width: | Height: | Size: 38 KiB |
@ -3,11 +3,9 @@ title: How to Save the World
|
||||
...
|
||||
I have almost completed an enormous design document for an uncensorable social network intended to contain a non evil scalable proof of share currency, and I have a wallet that can generate secrets, but the wallet is missing no end of critical features – it is pre-pre alpha. When it is early pre alpha, I am going to publish it on Gitea, and call for assistance.
|
||||
|
||||
Here is a link to one version of the [white paper](manifesto/social_networking.html), focusing primarily on social media. (But though information wants to be free, programmers need to get paid.)
|
||||
Here is a link to one version of the [white paper](social_networking.html), focusing primarily on social media. (But though information wants to be free, programmers need to get paid.)
|
||||
|
||||
Here is a link to [another version](manifesto/white_paper.html) of the white paper, focusing primarily on money and getting rich by protecting capitalism from the state.
|
||||
|
||||
Here is a link to my plan for [conquering the world](manifesto/SWIFT.html).
|
||||
Here is a link to [another version](white_paper.html) of the white paper, focusing primarily on money and getting rich by protecting capitalism from the state.
|
||||
|
||||
# Speech and commerce
|
||||
|
||||
|
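Review bot: the link targets change from `manifesto/social_networking.html` and `manifesto/white_paper.html` to `social_networking.html` and `white_paper.html`, but the line `Here is a link to my plan for [conquering the world](manifesto/SWIFT.html).` has no counterpart with the new path, so that link is dropped rather than moved, while the README in this same comparison still points at `./docs/manifesto/SWIFT.html`. Either keep the link with the corrected path or update the README reference so the two agree on where `SWIFT.html` lives.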
@ -912,9 +912,6 @@ But other systems like a `*.rpm` package, which is built by `git-buildpackage-rp
|
||||
|
||||
But desktop integration is kind of random.
|
||||
|
||||
To put a program into the desktop applications menu, put its desktop file in
|
||||
`~/.local/share/applications` (which may need to be created).
|
||||
|
||||
Under Mate and KDE Plasma, bitcoin implements run-on-login by generating a
|
||||
`bitcoin.desktop` file and writing it into `~/.config/autostart`
|
||||
|
||||
|
@ -1,7 +1,6 @@
|
||||
<div class="button-bar">
|
||||
<a href="vision.html">vision</a>
|
||||
<a href="scalability.html">scalability</a>
|
||||
<a href="social_networking.html">social net</a>
|
||||
<a href="social_networking.html">social networking</a>
|
||||
<a href="Revelation.html">revelation</a>
|
||||
<a href="../../README.html">source</a>
|
||||
</div>
|
||||
|
@ -1,131 +0,0 @@
|
||||
---
|
||||
title: >-
|
||||
README
|
||||
---
|
||||
|
||||
# About
|
||||
|
||||
Wallet is open source software intended to become the manager of hierarchical
|
||||
deterministic keys for a social network that a superset of the Bitmessage social net,
|
||||
for securely pseudonymous uncensorable public communication,
|
||||
and securely private communication. (Telegraph looks like
|
||||
it will not be private for much longer).
|
||||
|
||||
You cannot have truly end to end encryption, except you control your own keys directly.
|
||||
|
||||
To make an actually useful social net requires a lot of engineers doing a lot of work,
|
||||
which requires funding, which requires a profit model.
|
||||
The current business plan being to [eat SWIFT's lunch](./docs/manifesto/SWIFT.html),
|
||||
by creating an environment in which one can create and operate the necessary Daos.
|
||||
|
||||
We need uncensorable speech to save civilisation, but uncensorable speech does not pay the bills.
|
||||
Uncensorable money does pay the bills.
|
||||
|
||||
The rest of the documentation is in Pandoc markdown, rather than Gitea or Github markdown,
|
||||
so you will have to build it before any of these links work.
|
||||
|
||||
[copyright © and license](./license.txt){target="_blank"}
|
||||
|
||||
# Prerequisites
|
||||
|
||||
pre-requisite, Pandoc to build the html documentation from the markdown files.
|
||||
|
||||
Windows pre-requisites: Visual Studio and git-bash. This software is supposed to be cross platform, and is unlikely to get traction with highly motivate early adopters unless it is cross platform, but currently only builds on Windows.
|
||||
|
||||
# Download
|
||||
|
||||
The current state of the code is so incomplete and fragmentary
|
||||
that it is likely to be difficult for other people to usefully build on.
|
||||
|
||||
To obtain the source code from which the project can be built,
|
||||
including this README.html, from the bash command line (git-bash in windows).
|
||||
|
||||
```bash
|
||||
# assuming Pandoc is installed, and git-bash if you are on
|
||||
# windows
|
||||
git clone --recurse-submodules https://gitea.rho.la/cheng/wallet.git
|
||||
wallet/docs/mkdocs.sh
|
||||
```
|
||||
|
||||
The above download relies on `https` for security, but `https` is vulnerable to enemy action by any adversary sufficiently powerful to have a certificate authority in his pocket, so our identity model relies on ssh keys, not domain names, so if you intend to make contributions, it would be preferable to create an account on `gitea.rho.la` with a fake email,
|
||||
upload your ssh public key to that account, and clone using `ssh` instead of `https`
|
||||
|
||||
Fork the repository and provide a comment explaining the fork, otherwise your
|
||||
login might be deleted as spam.
|
||||
|
||||
```bash
|
||||
git clone --recurse-submodules gitea@gitea.rho.la:cheng/wallet.git
|
||||
wallet/docs/mkdocs.sh
|
||||
```
|
||||
|
||||
To build the docs, including the license file, you need Pandoc on the path.
|
||||
|
||||
```bash
|
||||
cd wallet
|
||||
docs/mkdocs.sh
|
||||
```
|
||||
|
||||
# Setup
|
||||
|
||||
To configure and build the required third party libraries in windows, then
|
||||
build the program and run unit test for the first time, you need to have
|
||||
Visual studio build tools at their default location)
|
||||
|
||||
```bash
|
||||
cd wallet
|
||||
msvc/winConfig.bat
|
||||
```
|
||||
|
||||
Or, if you are in the command shell or power shell,
|
||||
|
||||
```bat
|
||||
msvc\winConfigure.bat
|
||||
```
|
||||
|
||||
After a pull that gives you a status of modified submodules, to fix the submodules
|
||||
|
||||
```bash
|
||||
git submodule update --init --recursive --remote
|
||||
```
|
||||
|
||||
After a checkout or branch switch that gives you a status of modified submodules.
|
||||
|
||||
```bash
|
||||
git submodule update --recursive
|
||||
```
|
||||
|
||||
The documentation is in pandoc flavored markdown, which is
|
||||
conveniently edited in vscode with the `markdown lint` and `Pandoc`
|
||||
extensions included and, if you have launched `code` in the docs directory,
|
||||
with `file/preferences/Extensions/Markdown/Styles` set to
|
||||
`pandoc_templates\\style.css`, that being the style used by the `mkdocs.sh` documentation build script.
|
||||
|
||||
On Windows, if Git Bash and Pandoc has been installed, you should be
|
||||
able to run this shell file in bash by double clicking on it.
|
||||
|
||||
if you add the recommended repository configuration defaults to your local repository configuration
|
||||
|
||||
```bash
|
||||
git config --local include.path ../.gitconfig
|
||||
```
|
||||
|
||||
this will substantially mitigate the problem of submodules failing to
|
||||
update in pushes, pulls, checkouts, and switches.
|
||||
|
||||
[cryptographic software is under attack]:./docs/setup/contributor_code_of_conduct.html#code-will-be-cryptographically-signed
|
||||
"Contributor Code of Conduct"
|
||||
{target="_blank"}
|
||||
|
||||
It will, however, also implement signed commits, and insist you have set up a key pair as
|
||||
explained in the contributor code of conduct because [cryptographic software is under attack] from NSA
|
||||
entryists and shills, who seek to introduce backdoors.
|
||||
|
||||
`.gitconfig` also adds several git aliases:
|
||||
|
||||
1. `git lg` to display the git log with committer name from `.gitsigners` that corresponds to the public key
|
||||
1. `git graph` to graph the commit tree with the committer name from `.gitsigners` that corresponds to the public key
|
||||
1. `git alias` to display the git aliases.
|
||||
1. `git utcmt` to make a commit without revealing your time zone.
|
||||
|
||||
[Pre alpha release](./RELEASE_NOTES.html), which means it does not yet work even well
|
||||
enough for it to be apparent what it would do if it did work.
|
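Review bot: the deleted file's Setup section gives two different names for the Windows configure script, `msvc/winConfig.bat` in the bash block and `msvc\winConfigure.bat` in the batch block, and at most one of those is the real file name; the surviving README hunk (`@ -80,7 +71,7`) carries `msvc\winConfigure.bat` as context, so check that the bash instructions there were not copied across with the `winConfig.bat` spelling. This deleted text is also the only place in the comparison that documents the `git lg`, `git graph`, `git alias` and `git utcmt` aliases and the `.gitsigners` file; if those still exist in `.gitconfig`, that description should land in the new README rather than disappear with this file.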
@ -16,7 +16,7 @@ that frequently strange and overcomplicated design decisions are made,
|
||||
decisions), decisions whose only apparent utility is to provide paths for
|
||||
hostile organizations to exploit subtle, complex, and unobvious security holes.
|
||||
|
||||
McAffee reported that this is a result of plants -- the state plants engineers
|
||||
McAffee reported that this is a result of plants - the state plants engineers
|
||||
in nominally private organizations to create backdoors. Shortly after he
|
||||
reported this he was arrested and murdered by the US government. (To be
|
||||
precise he was arrested at the instigation of the US government, and then
|
||||
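Review bot: replacing `--` with `-` in `this is a result of plants -- the state plants engineers` is a typographic regression: the docs are Pandoc markdown, where `--` renders as an en dash, and a bare hyphen between spaces does not. The same substitution is made in the `@ -271,13 +266,13` hunk below. If the goal is to avoid `--`, the Pandoc-idiomatic replacement is `---` or the literal dash character, not `-`.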
@ -131,11 +131,10 @@ identified cryptographically, rather than through the domain name system.
|
||||
then at the root of your repository
|
||||
|
||||
```bash
|
||||
nm=gandalf
|
||||
ssh-keygen -t ed25519 -C $nm -f .git/$nm #to create your key pair
|
||||
git config user.signingkey .git/$nm.pub #tell git to use this key pair
|
||||
git config user.name $nm #will be ignored
|
||||
git config user.email $nm@ #fake email will be ignored
|
||||
ssh-keygen -t ed25519 - C gandalf -f .git/gandalf #to create your key pair
|
||||
git config user.signingkey .git/gandalf.pub #tell git to use this key pair
|
||||
git config user.name gandalf #will be ignored
|
||||
git config user.email gandalf@ #fake email will be ignored
|
||||
git config include.path ../.gitconfig #sets various defaults, ssh signing among them
|
||||
```
|
||||
|
||||
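Review bot: the new `ssh-keygen -t ed25519 - C gandalf -f .git/gandalf` line has a space between `-` and `C`, so it no longer passes the `-C` comment option; ssh-keygen will either fail on the stray arguments or silently leave the comment unset, and a reader copying the line does not get the documented result. The removed `$nm` form was also less error-prone, since the nym appeared once and the four `git config` lines could not drift from it. Separately, both versions write the private key to `.git/gandalf` inside the repository; git does not track it, but any copy, backup or archive of the checkout carries the signing key with it. Generating the key in `~/.ssh/` with a passphrase and pointing `user.signingkey` at that path keeps the signing identity out of the repository directory.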
@ -144,7 +143,7 @@ git config include.path ../.gitconfig #sets various defaults, ssh signing among
|
||||
to the .gitsigners file to publish your public key to anyone
|
||||
who wants to make sure that commits are from the nym that they
|
||||
claim to be -- at least claim to be when their commits are
|
||||
displayed by the git lg alias provided by `.gitconfig`
|
||||
displayed by the git aliases of `.gitconfig`
|
||||
|
||||
The nym in `.gitsigners` is the one that matters, though `user.email`
|
||||
and `user.name` should be the same or sufficiently related to
|
||||
@ -158,10 +157,6 @@ Everyone shall be white, male, heterosexual, and vaguely Christian, even
|
||||
if they quite obviously are not, but no one shall unnecessarily and
|
||||
irrelevantly reveal their actual race, sex, religion, or political orientation.
|
||||
|
||||
No one shall be a citizen or resident of any identifiable country, as this results
|
||||
in the applicability of a pile of sanctions related laws. If you are resident of
|
||||
country X, this can cause problems for someone who is resident of country Y.
|
||||
|
||||
Unnecessarily informing people one is female or Jewish or nonwhite
|
||||
should get similar treatment to unnecessarily informing people one is a
|
||||
pure blooded Aryan.
|
||||
@ -271,13 +266,13 @@ practice people only used Zooko identity, and Web of Trust was a cloud
|
||||
of confusing complexity and user hostile interface on top of Zooko identity.
|
||||
What gpg identity is primarily used for in practice is to make sure you
|
||||
are getting the latest release from the same repository managed by the same person as
|
||||
you got the previous release -- which is Zooko identity, not Web of Trust
|
||||
you got the previous release - which is Zooko identity, not Web of Trust
|
||||
identity, and has no real relationship to email. Zooko identity is about
|
||||
constancy of identity, Web of Trust is about rightful use of email
|
||||
addresses. Web of trust was a true names mechanism, and today no one
|
||||
speaks the truth under their true name.
|
||||
|
||||
Web of trust was designed for a high trust society -- but in a high trust
|
||||
society you don't need it, and in our low trust society, the name servers were
|
||||
Web of trust was designed for a high trust society - but in a high trust
|
||||
society you don't need it, and in a low trust society, the name servers were
|
||||
too vulnerable to enemy action, and died, leaving the Web of Trust user
|
||||
interface in every installed copy of gpg a useless obstacle.
|
||||
|
@ -1,15 +1,6 @@
|
||||
---
|
||||
title: Install Dovecot on Debian 10
|
||||
sidebar: true
|
||||
notmine: false
|
||||
misc_links: >-
|
||||
<a href="set_up_build_environments.md" target="_blank">Set up build environments</a>.<br>
|
||||
<a href="wireguard.html" target="_blank">Wireguard</a>.<br>
|
||||
<a href="nix.html" target="_blank">nix</a>.<br>
|
||||
abstract: >-
|
||||
These files are not specific to rhocoin. This is a note on setting up dovecot. Every time I mess around
|
||||
and encounter some grief, I add to this pile of notes.
|
||||
|
||||
...
|
||||
|
||||
# Purpose
|
||||
|
@ -1,61 +0,0 @@
|
||||
---
|
||||
title:
|
||||
Guix and Shepherd
|
||||
sidebar: true
|
||||
misc_links: >-
|
||||
<a href="set_up_build_environments.md" target="_blank">Set up build environments</a><br>
|
||||
abstract: >-
|
||||
I know nothing about Guix. This file exists to record my learning
|
||||
experience.\
|
||||
|
||||
\
|
||||
|
||||
The plan is to be able to install Guix on debian, then load a reproducible
|
||||
configuration file so that I can instantly and reproducibly produce a
|
||||
host setup the way I want it. (Which nix, lacking its own init
|
||||
system, cannot quite do, because one always wants to run services.)
|
||||
...
|
||||
|
||||
Guix is primarily a package manager with a declarative functional language
|
||||
as its package manager.
|
||||
|
||||
Which makes it possible to reproducibly create a setup.
|
||||
Unfortunately the packages are hard to customise,
|
||||
because access to the
|
||||
configuration files is restricted and non trivial -- you have to derive your own package from an existing package
|
||||
|
||||
Guix solves the problem of dll hell by having any number of configurations living on the same machine --
|
||||
which leads to massive and rapid accumulation of garbage.
|
||||
Garbage collection is very slow, and requires either a lot of ram or a lot of swap (12GB swap recommended.
|
||||
This is a feature I do not want, but wind up suffering, for the advantage of reproducible setups.
|
||||
|
||||
To avoid bloat, can use a strategy of re-install from scratch, which Guix makes less painful.
|
||||
|
||||
"With Guix System, you declare all aspects of the operating system configuration and Guix takes care of
|
||||
instantiating the configuration in a transactional, reproducible, and stateless fashion
|
||||
(see [System Configuration](https://guix.gnu.org/manual/en/html_node/System-Installation.html))."
|
||||
|
||||
|
||||
# What Guix is
|
||||
|
||||
A Guix package is a pure function, which generates the install
|
||||
as directory identified by its hash in `/gnu/store` and then a symbolic link
|
||||
in the users directory references the package by human readable name, analogous
|
||||
to git having branch names that point to commits.
|
||||
|
||||
Which is great if you have a lot of users each of which might want a different
|
||||
version of software, but I want to install stuff that will run under
|
||||
the init system, Shepherd.
|
||||
|
||||
The package manager is a great pile of such pure functions,
|
||||
but if you want to install stuff that is fully configured the way you want it configured,
|
||||
you are going to have to derive a packages from an existing package
|
||||
|
||||
The Guix install system, Shepherd, cannot be a pure function, there can only be one http service,
|
||||
one wireguard service, and so forth. It has to be the escape hatch that makes a purely functional
|
||||
system actually do things by not being a purely functional system, akin to Haskell Monads,
|
||||
an isolated piece of procedural code that make all the purely functional code actually do something.
|
||||
|
||||
# Install Guix and Shepherd
|
||||
|
||||
not yet begun
|
@ -2,26 +2,6 @@
|
||||
title:
|
||||
Nixos
|
||||
sidebar: true
|
||||
misc_links: >-
|
||||
<a href="set_up_build_environments.md" target="_blank">Set up build environments</a><br>
|
||||
abstract: >-
|
||||
Unfortunately Nix and Nixos has fallen to the social justice warriors
|
||||
who are turning it into broken rubbish.\
|
||||
|
||||
\
|
||||
|
||||
Alternatives: Primary alternative is Guix, which has its own init system, Shepherd, and uses Scheme as its language.
|
||||
|
||||
\
|
||||
|
||||
I know nothing about nix. This file exists to record my learning
|
||||
experience.\
|
||||
|
||||
\
|
||||
|
||||
The plan is to be able to install nix on debian, then load a reproducible
|
||||
configuration file so that I can instantly and reproducibly produce a
|
||||
host setup the way I want it.
|
||||
...
|
||||
|
||||
Nixos is primarily a package manager with a declarative functional language as its package manager.
|
||||
@ -36,29 +16,8 @@ on pinning to a specific Nixos release.
|
||||
|
||||
# Install Nixos
|
||||
|
||||
On linux running systemd, with SELinux disabled, with curl, as root
|
||||
|
||||
```bash
|
||||
bash <(curl -L https://nixos.org/nix/install) --daemon
|
||||
```
|
||||
|
||||
log off, then open a new terminal
|
||||
|
||||
```bash
|
||||
nix-shell -p nix-info --run "nix-info -m"
|
||||
```
|
||||
|
||||
|
||||
You can open an issue at
|
||||
https://github.com/NixOS/nix/issues/new?labels=installer&template=installer.md
|
||||
|
||||
Or get in touch with the community: https://nixos.org/community
|
||||
|
||||
# minimal server
|
||||
|
||||
This describes nixos, which I would like to use, but probably cannot
|
||||
be conveniently installed in a hosting service.
|
||||
|
||||
ssh and avahi daemon, pubkeys setup for ssh, users created.
|
||||
|
||||
## configuration.nix
|
@ -2,17 +2,6 @@
|
||||
title:
|
||||
Set up build environments
|
||||
sidebar: true
|
||||
notmine: false
|
||||
misc_links: >-
|
||||
<a href="wireguard.html" target="_blank">Wireguard</a><br>
|
||||
<a href="dovecot.html" target="_blank">Dovecot</a><br>
|
||||
<a href="nix.html" target="_blank">nix</a><br>
|
||||
<a href="guix_and_shepherd.html" target="_blank">Guix and Shepherd</a><br>
|
||||
abstract: >-
|
||||
These files are not specific to rhocoin. They are a collection
|
||||
of notes on setting up operating systems and tools. Every time I mess around
|
||||
and encounter some grief, I add to this pile of notes, which has become
|
||||
inconveniently long and needs to be broken up.
|
||||
...
|
||||
# partitioning for linux
|
||||
|
||||
@ -138,7 +127,7 @@ m-a -qi prepare
|
||||
apt autoremove -qy
|
||||
mount /media/cdrom0
|
||||
cd /media/cdrom0 && sh ./VBoxLinuxAdditions.run
|
||||
usermod -a -G vboxsf «username»
|
||||
usermod -a -G vboxsf cherry
|
||||
```
|
||||
|
||||
You will need to do another `m-a prepare` and to reinstall it after a
|
||||
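Review bot: replacing the `«username»` placeholder with the literal account name `cherry` on `usermod -a -G vboxsf cherry` turns a template into one person's setup; a reader pasting it adds a nonexistent or wrong user to `vboxsf`. The same substitution recurs in later hunks of this file (`autologin-user=cherry`, the sudoers line, the `/home/cherry/.ssh` paths), while the prose in the nginx section still tells the reader to substitute their own names. Keep the `«…»` placeholders throughout; they were the right convention.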
@ -169,7 +158,7 @@ to
|
||||
|
||||
```ini
|
||||
autologin-guest=false
|
||||
autologin-user=«username»
|
||||
autologin-user=cherry
|
||||
autologin-user-timeout=0
|
||||
```
|
||||
|
||||
@ -231,7 +220,7 @@ hostname && domainname -s && hostnamectl status
|
||||
And if need be, set them with
|
||||
|
||||
```bash
|
||||
fn=«example.com»
|
||||
fn=reaction.la
|
||||
domainname -b $fn
|
||||
hostnamectl set-hostname $fn
|
||||
```
|
||||
@ -240,7 +229,7 @@ Your /etc/hosts file should contain
|
||||
|
||||
```text
|
||||
127.0.0.1 localhost
|
||||
127.0.0.1 «example.com»
|
||||
127.0.0.1 reaction.la
|
||||
# The following lines are desirable for IPv6 capable hosts
|
||||
::1 ip6-localhost ip6-loopback
|
||||
fe00::0 ip6-localnet
|
||||
@ -265,7 +254,7 @@ ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
|
||||
Note that visual studio remote compile requires an `ecdsa-sha2-nistp256` key on the host machine that it is remote compiling for. If it is nist, it is
|
||||
backdoored
|
||||
|
||||
To change the snake oil certificate created and used by `xrdp`:
|
||||
To change the snake oil certificate:
|
||||
|
||||
```bash
|
||||
make-ssl-cert generate-default-snakeoil --force-overwrite
|
||||
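Review bot: the new line drops `created and used by xrdp`, leaving `To change the snake oil certificate:` without saying which service's certificate `make-ssl-cert generate-default-snakeoil --force-overwrite` regenerates; keep the `xrdp` mention so the reader knows what will pick up the new certificate and what to restart afterwards.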
@ -332,7 +321,7 @@ apt autoremove -qy
|
||||
Then you click on the autorun.sh in the cdrom through the gui.
|
||||
|
||||
```bash
|
||||
usermod -a -G vboxsf «username»
|
||||
usermod -a -G vboxsf cherry
|
||||
```
|
||||
|
||||
## Setting up OpenWrt in VirtualBox
|
||||
@ -577,7 +566,7 @@ On an actual server, it is advisable to enable passwordless sudo for one user.
|
||||
issue the command `visudo` and edit the sudoers file to contain the line:
|
||||
|
||||
``` default
|
||||
«username» ALL=(ALL) NOPASSWD:ALL
|
||||
cherry ALL=(ALL) NOPASSWD:ALL
|
||||
```
|
||||
|
||||
That user can now sudo any root command, with no password login nor
|
||||
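Review bot: `cherry ALL=(ALL) NOPASSWD:ALL` makes that account's login equivalent to root with no second step, which the surrounding text accepts (`it is advisable to enable passwordless sudo for one user`), but the hunk should then state that the account must be key-only: a password login for this user, if sshd still permits one, is a root login by password. A sentence next to this block saying the entry presumes `PasswordAuthentication no` on that host would close the gap. And as elsewhere in this file, keep the `«username»` placeholder rather than `cherry`.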
@ -810,9 +799,9 @@ ssh-keygen -t ed25519 -f ssh_host_ed25519_key
|
||||
(I don't trust the other key algorithms, because I suspect the NSA has been up to cleverness with the details of the implementation.)
|
||||
|
||||
On windows, your secret key should be in `%HOMEPATH%/.ssh`, on linux
|
||||
in `/home/«username»/.ssh`, as is your config file for your ssh client, listing
|
||||
in `/home/cherry/.ssh`, as is your config file for your ssh client, listing
|
||||
the keys for hosts. The public keys of your authorized keys are in
|
||||
`/home/«username»/.ssh/authorized_keys`, enabling you to login from afar as
|
||||
`/home/cherry/.ssh/authorized_keys`, enabling you to login from afar as
|
||||
that user over the internet. The linux system for remote login is a cleaner
|
||||
and simpler system that the multitude of mysterious, complicated, and
|
||||
failure prone facilities for remote windows login, which is a major reason
|
||||
@ -1108,7 +1097,7 @@ rsync -aAXvzP --delete remote_host:~/name .
|
||||
To make sure the files are truly identical:
|
||||
|
||||
```bash
|
||||
rsync -aAXvzc --delete «example.com»:~/name .
|
||||
rsync -aAXvzc --delete reaction.la:~/name .
|
||||
```
|
||||
|
||||
`rsync, ssh, git` and so forth know how to logon from the
|
||||
@ -1210,7 +1199,7 @@ The sites-available directory looks like
|
||||
|
||||
```default
|
||||
000-default.conf
|
||||
«example.com».conf
|
||||
reaction.la.conf
|
||||
default-ssl.conf
|
||||
```
|
||||
|
||||
@ -1218,37 +1207,37 @@ The sites enabled directory looks like
|
||||
|
||||
```default
|
||||
000-default.conf -> ../sites-available/000-default.conf
|
||||
«example.com»-le-ssl.conf
|
||||
«example.com».conf
|
||||
reaction.la-le-ssl.conf
|
||||
reaction.la.conf
|
||||
```
|
||||
|
||||
And the contents of «example.com».conf are (before the https thingly has
|
||||
And the contents of reaction.la.conf are (before the https thingly has
|
||||
worked its magic)
|
||||
|
||||
```default
|
||||
<VirtualHost *:80>
|
||||
ServerName «example.com»
|
||||
ServerAlias www.«example.com»
|
||||
ServerAlias «foo.«example.com»»
|
||||
ServerAlias «bar.«example.com»»
|
||||
ServerName reaction.la
|
||||
ServerAlias www.reaction.la
|
||||
ServerAlias «foo.reaction.la»
|
||||
ServerAlias «bar.reaction.la»
|
||||
ServerAdmin «me@mysite»
|
||||
DocumentRoot /var/www/«example.com»
|
||||
DocumentRoot /var/www/reaction.la
|
||||
|
||||
<Directory /var/www/«example.com»>
|
||||
<Directory /var/www/reaction.la>
|
||||
Options -Indexes +FollowSymLinks
|
||||
AllowOverride All
|
||||
</Directory>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/«example.com»-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/«example.com»-access.log combined
|
||||
ErrorLog ${APACHE_LOG_DIR}/reaction.la-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/reaction.la-access.log combined
|
||||
RewriteEngine on
|
||||
RewriteCond %{HTTP_HOST} ^www\.«example.com»\.com [NC]
|
||||
RewriteRule ^(.*)$ https://«example.com»/$1 [L,R=301]
|
||||
RewriteCond %{HTTP_HOST} ^www\.reaction.la\.com [NC]
|
||||
RewriteRule ^(.*)$ https://reaction.la/$1 [L,R=301]
|
||||
</VirtualHost>
|
||||
```
|
||||
|
||||
All the other files don’t matter. The conf file gets you to the named
|
||||
server. The contents of /var/www/«example.com» are the html files, the
|
||||
server. The contents of /var/www/reaction.la are the html files, the
|
||||
important one being index.html.
|
||||
|
||||
[install certbot]:https://certbot.eff.org/instructions
|
||||
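Review bot: `RewriteCond %{HTTP_HOST} ^www\.reaction.la\.com [NC]` cannot match the host this VirtualHost serves: the domain is `reaction.la`, but the pattern requires a `.com` suffix (carried over from the old `^www\.«example.com»\.com`, which had the same stray suffix), and the dot inside `reaction.la` is unescaped. With the condition never true, the `RewriteRule ^(.*)$ https://reaction.la/$1 [L,R=301]` below it never fires and `www.reaction.la` keeps being served over plain http from this vhost. `^www\.reaction\.la$ [NC]` is the intended condition; in placeholder form, `^www\.«example.com»$ [NC]`.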
@ -1267,31 +1256,31 @@ your nameservers, and only those names, certbot automagically converts
|
||||
these from http virtual hosts to https virtual hosts and sets up
|
||||
redirect from http to https.
|
||||
|
||||
If you have an alias server such as www.«example.com» for «example.com»,
|
||||
certbot will guess you also have the domain name www.«example.com» and get
|
||||
If you have an alias server such as www.reaction.la for reaction.la,
|
||||
certbot will guess you also have the domain name www.reaction.la and get
|
||||
a certificate for that.
|
||||
|
||||
Thus, after certbot has worked its magic, your conf file looks like
|
||||
|
||||
```default
|
||||
<VirtualHost *:80>
|
||||
ServerName «example.com»
|
||||
ServerAlias foo.«example.com»
|
||||
ServerAlias bar.«example.com»
|
||||
ServerName reaction.la
|
||||
ServerAlias foo.reaction.la
|
||||
ServerAlias bar.reaction.la
|
||||
ServerAdmin me@mysite
|
||||
DocumentRoot /var/www/«example.com»
|
||||
DocumentRoot /var/www/reaction.la
|
||||
|
||||
<Directory /var/www/«example.com»>
|
||||
<Directory /var/www/reaction.la>
|
||||
Options -Indexes +FollowSymLinks
|
||||
AllowOverride All
|
||||
</Directory>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/«example.com»-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/«example.com»-access.log combined
|
||||
ErrorLog ${APACHE_LOG_DIR}/reaction.la-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/reaction.la-access.log combined
|
||||
RewriteEngine on
|
||||
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
|
||||
RewriteRule ^(.*)$ https://«example.com»/$1 [L,R=301]
|
||||
RewriteCond %{SERVER_NAME} =«example.com» [OR]
|
||||
RewriteRule ^(.*)$ https://reaction.la/$1 [L,R=301]
|
||||
RewriteCond %{SERVER_NAME} =reaction.la [OR]
|
||||
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
|
||||
</VirtualHost>
|
||||
```
|
||||
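Review bot: two problems in the rewrite block. The old `RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]` tests a literal `example.com` while the rule under it redirects to `https://«example.com»/$1`, so the placeholder was applied to one line and not the other; the new side should use the same host in both. Second, `RewriteCond %{SERVER_NAME} =reaction.la [OR]` is the only condition before `RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]`; certbot emits one such condition per ServerName/ServerAlias, and the prose above says it also requests `www.reaction.la`, so a trailing `[OR]` with nothing chained after it indicates the `=www.reaction.la` condition was lost when the example was trimmed. Restore the second condition, or drop `[OR]` if only the apex is intended, so the block documents what certbot actually writes.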
@ -1299,13 +1288,7 @@ Thus, after certbot has worked its magic, your conf file looks like
## Lemp stack on Debian

```bash
systemctl stop apache2
apt-get remove --purge apache2 #apache is routinely installed by default,
# and then nginix tries to respect its files and configuration,
# with confusing and disturbing results.
# Apache must die. DIE DIE DIE.
apt-get upgrade
apt-get -qy update && apt-get -qy install ufw nginx mariadb-server php php-cli php-xml php-mbstring php-mysql php-fpm
apt-get -qy update && apt-get -qy install nginx mariadb-server php php-cli php-xml php-mbstring php-mysql php7.3-fpm
nginx -t
ufw status verbose
```
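Review bot: the new side drops `ufw` from the install line and the `ufw status verbose` check, so the freshly built server has no firewall step at all, and it replaces the unversioned `php-fpm` package with `php7.3-fpm`, pinning the tutorial to one PHP release even though a later hunk tells the reader to discover the fpm service name with `systemctl status php* | grep fpm.service`. Keep `ufw` in the package list and the `php-fpm` metapackage, which follows whatever PHP version the distribution ships.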
@ -1381,11 +1364,11 @@ when your site has your actual content on it.

Check again that the default nginx web page comes up when you browse to the server.

Create the directories `/var/www/«subdomain.example.com»` and `/var/www/«example.com»` and put some html files in them, substituting your actual domains for the example domains.
Create the directories `/var/www/blog.reaction.la` and `/var/www/reaction.la` and put some html files in them, substituting your actual domains for the example domains.

```bash
mkdir /var/www/«example.com» && nano /var/www/«example.com»/index.html
mkdir /var/www/«subdomain.example.com» && nano /var/www/«subdomain.example.com»/index.html
mkdir /var/www/reaction.la && nano /var/www/reaction.la/index.html
mkdir /var/www/blog.reaction.la && nano /var/www/blog.reaction.la/index.html
```

```default
@ -1394,7 +1377,7 @@ mkdir /var/www/«subdomain.example.com» && nano /var/www/«subdomain.example.co
<head>
<meta charset="utf-8" />
</head>
<body><h1>«example.com» index file</h1></body>
<body><h1>reaction.la index file</h1></body>
</html>
```

@ -1402,8 +1385,8 @@ Delete the default in `/etc/nginx/sites-enabled`, and create a file, which I
arbitrarily name `config` that specifies how your domain names are to be
handled, and how php is to be executed for each domain names.

This config file assumes your domain is called `«example.com»` and your
service is called `php-fpm.service`. Create the following config file,
This config file assumes your domain is called `reaction.la` and your
service is called `php7.3-fpm.service`. Create the following config file,
substituting your actual domains for the example domains, and your actual
php fpm service for the fpm service.

@ -1411,6 +1394,8 @@ php fpm service for the fpm service.
nginx -t
# find the name of your php fpm service
systemctl status php* | grep fpm.service
# substitute the actual php fpm service for
# php7.3-fpm.sock in the configuration file.
systemctl stop nginx
rm -v /etc/nginx/sites-enabled/*
nano /etc/nginx/sites-enabled/config
@ -1418,21 +1403,21 @@ nano /etc/nginx/sites-enabled/config

```default
server {
return 301 $scheme://«example.com»$request_uri;
return 301 $scheme://reaction.la$request_uri;
}
server {
listen 80;
listen [::]:80;
index index.php index.html;
server_name «subdomain.example.com»;
root /var/www/«subdomain.example.com»;
server_name blog.reaction.la;
root /var/www/blog.reaction.la;
index index.php index.html;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location = /favicon.ico {access_log off; }
location = /robots.txt {access_log off; allow all; }
@ -1444,14 +1429,14 @@ server {
listen 80;
listen [::]:80;
index index.php index.html;
server_name «example.com»;
root /var/www/«example.com»;
server_name reaction.la;
root /var/www/reaction.la;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location = /favicon.ico {access_log off; }
location = /robots.txt {access_log off; allow all; }
@ -1460,8 +1445,8 @@ server {
}
}
server {
server_name *.«subdomain.example.com»;
return 301 $scheme://«subdomain.example.com»$request_uri;
server_name *.blog.reaction.la;
return 301 $scheme://blog.reaction.la$request_uri;
}
```

@ -1473,7 +1458,7 @@ eliminates those pesky `www`s.

The root tells it where to find the actual files.

The first location tells nginx that if a file name is not found, give a 404 rather than doing the disastrously clever stuff that it is apt to do, and the second location tells it that if a file name ends in `.php`, pass it to `php-fpm.sock` (you did substitute your actual php fpm service for `php-fpm.sock`, right?)
The first location tells nginx that if a file name is not found, give a 404 rather than doing the disastrously clever stuff that it is apt to do, and the second location tells it that if a file name ends in `.php`, pass it to `php7.3-fpm.sock` (you did substitute your actual php fpm service for `php7.3-fpm.sock`, right?)

Now check that your configuration is OK with `nginx -t`, and restart nginx to read your configuration.

@ -1488,12 +1473,12 @@ www gets redirected.
Now we will create some php files in those directories to check that php works.

```bash
echo "<?php phpinfo(); ?>" |tee /var/www/«example.com»/info.php
echo "<?php phpinfo(); ?>" |tee /var/www/reaction.la/info.php
```

Then take a look at `info.php` in a browser.

If that works, then create the file `/var/www/«example.com»/index.php` containing:
If that works, then create the file `/var/www/reaction.la/index.php` containing:

```php
<?php
@ -1516,9 +1501,9 @@ If that works, then create the file `/var/www/«example.com»/index.php` contain
?>
```

[http://«example.com»]:http://«example.com»
[http://reaction.la]:http://reaction.la

Browse to [http://«example.com»] If that works, delete the `info.php` file as it reveals private information. You now have domain names being served
Browse to [http://reaction.la] If that works, delete the `info.php` file as it reveals private information. You now have domain names being served
by lemp. Your database now is accessible over the internet through PHP
on those domain names.

@ -1606,7 +1591,7 @@ map to the old server, until the new server works.)
```bash
certbot register --register-unsafely-without-email --agree-tos
certbot run -a manual --preferred-challenges dns -i nginx \
-d «example.com» -d «subdomain.example.com»
-d reaction.la -d blog.reaction.la
nginx -t
```

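Review bot: `certbot register --register-unsafely-without-email` (unchanged context) leaves Let's Encrypt with no address for expiry or revocation notices, and the same certificate under `/etc/letsencrypt/live/` is later wired into Postfix as well as nginx in the `postconf` hunks, so a silent lapse takes down mail TLS too; the text should either say why the account is registered blind or use the `--email` form, and the `-a manual --preferred-challenges dns` run it pairs with is exactly the kind of certificate the later "certbot renew" hunk warns cannot be renewed automatically.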
@ -1648,11 +1633,11 @@ certbot renew --renew-by-default --http01
Because certbot automatically renews using the previous defaults, you
have to have previously used a process to obtain certificate suitable for
automation, which mean you have to have given it the information\
(`--webroot --webroot-path /var/www/«example.com»`)\
(`--webroot --webroot-path /var/www/reaction.la`)\
about how to do an automatic renewal by actually obtaining a certificate that way.

To backup and restore letsencrypt, to move your certificates from one
server to another, `rsync -HAvaX «example.com»:/etc/letsencrypt /etc`, as root
server to another, `rsync -HAvaX reaction.la:/etc/letsencrypt /etc`, as root
on the computer which will receive the backup. The letsencrypt directory
gets mangled by `tar`, `scp` and `sftp`.

@ -1669,19 +1654,19 @@ The certbot modified file for your ssl enabled domain should now look like

```default
server {
return 301 $scheme://«example.com»$request_uri;
return 301 $scheme://reaction.la$request_uri;
}
server {
index index.php index.html;
server_name «subdomain.example.com»;
root /var/www/«subdomain.example.com»;
server_name blog.reaction.la;
root /var/www/blog.reaction.la;
index index.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location = /favicon.ico {access_log off; }
location = /robots.txt {access_log off; allow all; }
@ -1690,21 +1675,21 @@ server {
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/«example.com»/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/«example.com»/privkey.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/reaction.la/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/reaction.la/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
index index.html;
server_name «example.com»;
root /var/www/«example.com»;
server_name reaction.la;
root /var/www/reaction.la;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
fastcgi_pass unix:/run/php/php7.3-fpm.sock;
}
location = /favicon.ico {access_log off; }
location = /robots.txt {access_log off; allow all; }
@ -1713,35 +1698,35 @@ server {
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/«example.com»/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/«example.com»/privkey.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/reaction.la/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/reaction.la/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
server_name *.«subdomain.example.com»;
return 301 $scheme://«subdomain.example.com»$request_uri;
server_name *.blog.reaction.la;
return 301 $scheme://blog.reaction.la$request_uri;
}
server {
server_name *.«example.com»;
return 301 $scheme://«example.com»$request_uri;
server_name *.reaction.la;
return 301 $scheme://reaction.la$request_uri;
}
server {
if ($host = «example.com») {
if ($host = reaction.la) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name «example.com»;
server_name reaction.la;
return 404; # managed by Certbot
}
server {
if ($host = «subdomain.example.com») {
if ($host = blog.reaction.la) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name «subdomain.example.com»;
server_name blog.reaction.la;
return 404; # managed by Certbot
}
```
@ -1789,7 +1774,7 @@ apt-get -qy install php-curl php-gd php-intl php-mbstring php-soap php-xml php-x
systemctl status php* | grep fpm.service
# restart the service indicated above
systemctl stop nginx
systemctl stop php-fpm.service
systemctl stop php7.3-fpm.service
mariadb
```

@ -1797,7 +1782,7 @@ mariadb
CREATE DATABASE wordpress DEFAULT CHARACTER SET
utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT ALL ON wordpress.* TO 'wordpress_user'@'localhost'
IDENTIFIED BY '«password»';
IDENTIFIED BY 'FGikkdfj3878';
FLUSH PRIVILEGES;
exit
```
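Review bot: `IDENTIFIED BY 'FGikkdfj3878';` replaces the `«password»` placeholder with a literal credential, and the same string then recurs in the `wp-config.php` `DB_PASSWORD` hunk, the `dbpass=` lines of the dump and restore scripts, and the second `CREATE DATABASE` hunk. A literal in a published tutorial gets copy-pasted onto real servers, and if this value was ever used on a live host it is now disclosed in git history and should be treated as compromised; keep `«password»` in every one of those places.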
@ -1826,11 +1811,11 @@ cd temp
curl -LO https://wordpress.org/latest.tar.gz
tar -xzvf latest.tar.gz
cp -v wordpress/wp-config-sample.php wordpress/wp-config.php
cp -av wordpress/* /var/www/«subdomain.example.com»
chown -R www-data:www-data /var/www/«subdomain.example.com» && find /var/www -type d -exec chmod 755 {} \; && find /var/www -type f -exec chmod 644 {} \;
cp -av wordpress/. /var/www/blog.reaction.la
chown -R www-data:www-data /var/www/blog.reaction.la && find /var/www -type d -exec chmod 755 {} \; && find /var/www -type f -exec chmod 644 {} \;
# so that wordpress can write to the directory
curl -s https://api.wordpress.org/secret-key/1.1/salt/
nano /var/www/«subdomain.example.com»/wp-config.php
nano /var/www/blog.reaction.la/wp-config.php
```

Replace the defines that are there\
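Review bot: `cp -av wordpress/.` is an improvement over `wordpress/*` because it also copies dotfiles, but the chained `find /var/www -type d -exec chmod 755` and `find /var/www -type f -exec chmod 644` still walk all of `/var/www`, resetting modes on every other vhost (`/var/www/reaction.la` from the earlier hunks) rather than just `/var/www/blog.reaction.la`; scope both `find` commands to the target directory. The `curl -s https://api.wordpress.org/secret-key/1.1/salt/` line prints the salts but the surrounding text never says to paste them into `wp-config.php`.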
@ -1847,7 +1832,7 @@ define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'wordpress_user');
/** MySQL database password */
define('DB_PASSWORD', '«password»');
define('DB_PASSWORD', 'FGikkdfj3878');
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
@ -1858,6 +1843,7 @@ define( 'DB_COLLATE', 'utf8mb4_unicode_ci' );
```

```bash
systemctl start php7.3-fpm.service
systemctl start nginx
```

@ -1875,16 +1861,16 @@ PhpMyAdmin even though it is easer and safer.

```bash
systemctl stop nginx
systemctl stop php-fpm.service
systemctl stop php7.3-fpm.service
mdir temp && cd temp
fn=blogdb
db=wordpress
dbuser=wordpress_user
dbpass=«password»
dbpass=FGikkdfj3878
mysqldump -u $dbuser --password=$dbpass $db > $fn.sql
head -n 30 $fn.sql
zip $fn.sql.zip $fn.sql
systemctl start php-fpm.service
systemctl start php7.3-fpm.service
systemctl start nginx
```

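Review bot: `mdir temp && cd temp` is a typo for `mkdir`, so the `&&` chain stops, `cd` never runs, and the dump is written into whatever the current directory is. Separately, `mysqldump -u $dbuser --password=$dbpass $db` puts the database password on the command line, where it is visible to every local user in `ps` and is saved in shell history; pass `--password` with no value so the client prompts, or put the credential in a `~/.my.cnf` `[client]` section readable only by the invoking user.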
@ -1898,7 +1884,7 @@ Copy everything from the web server source directory of the previous
wordpress installation to the web server of the new wordpress installation.

```bash
chown -R www-data:www-data /var/www/«subdomain.example.com»
chown -R www-data:www-data /var/www/blog.reaction.la
```

Replace the defines for `DB_NAME`, `DB_USER`, and `DB_PASSWORD` in `wp_config.php`, as described in [Wordpress on Lemp]
@ -1907,6 +1893,7 @@ Replace the defines for `DB_NAME`, `DB_USER`, and `DB_PASSWORD` in `wp_config.ph

```bash
systemctl stop nginx
systemctl stop php7.3-fpm.service
# we don’t want anyone browsing the blog while we are setting it up
# nor the wordpress update service running.
mariadb
@ -1914,9 +1901,10 @@ mariadb

```sql
DROP DATABASE IF EXISTS wordpress;
CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8;
CREATE DATABASE wordpress DEFAULT CHARACTER SET
utf8mb4 COLLATE utf8mb4_unicode_ci;
GRANT ALL ON wordpress.* TO 'wordpress_user'@'localhost'
IDENTIFIED BY '«password»';
IDENTIFIED BY 'FGikkdfj3878';
exit
```

@ -1926,19 +1914,15 @@ on Lemp]. Don’t do that, or if you start nginx and do that to make sure
everything is working, then start over by deleting and recreating the
database as above.

Alternatively, if you want to merge this content into an blog that has
already been setup, perhaps an almost empty blog, you remove all the drop
table commands and create table commands from the sql, and replace all the `INSERT INTO`
statements with `INSERT IGNORE INTO`

Now we will populate the database.

```bash
tar -xvf wordpress.sql.zst
fn=wordpress
db=wordpress
dbuser=wordpress_user
dbpass=«password»
dbpass=FGikkdfj3878
unzip $fn.sql.zip
mv *.sql $fn.sql
mariadb -u $dbuser --password=$dbpass $db < $fn.sql
mariadb -u $dbuser --password=$dbpass $db
```
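Review bot: the restore block mixes archive formats: `tar -xvf wordpress.sql.zst` extracts a zstd tarball that the backup hunk never creates (it produces `$fn.sql.zip` with `zip`), after which `unzip $fn.sql.zip` does the real extraction; drop the `tar` line. `mv *.sql $fn.sql` also fails outright if more than one `.sql` file is present, since `mv` then demands a directory target, and the backup script named its file `blogdb.sql` while `fn=wordpress` here, so the rename is doing silent work the text does not explain. As on the dump side, `--password=$dbpass` exposes the credential in the process list.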
@ -1953,6 +1937,7 @@ exit
Adjust `$table_prefix = 'wp_';` in `wp_config.php` if necessary.

```bash
systemctl start php7.3-fpm.service
systemctl start nginx
```

@ -1978,6 +1963,7 @@ SELECT * FROM wp_comments l LIMIT 10;
Adjust `$table_prefix = 'wp_';` in `wp_config.php` if necessary.

```bash
systemctl start php7.3-fpm.service
systemctl start nginx
```

@ -1998,11 +1984,11 @@ Then edit the virtual servers to be logged, which are in the directory `/etc/ngi

```text
server {
server_name «example.com»;
root /var/www/«example.com»;
server_name reaction.la;
root /var/www/reaction.la;
…
access_log /var/log/nginx/«example.com».access.log;
error_log /var/log/nginx/«example.com».error.log;
access_log /var/log/nginx/reaction.la.access.log;
error_log /var/log/nginx/reaction.la.error.log;
…
}
```
@ -2082,7 +2068,7 @@ obscurely connected to the configuration of each of the other things.

### Setting DNS entries for email

An MX record for `«example.com»` will read simply `mail` (no full stop, that
An MX record for `reaction.la` will read simply `mail` (no full stop, that
is for the case that you are trying to have a totally unrelated host handle
your mail) Check that it is working by using an MX lookup service such
as [MX tools] and [Dig]
@ -2156,8 +2142,8 @@ know for sure it is from you, and has not been altered in transit, but not be
able to prove to the whole world that it is from you.

A DMARK record can tell the recipient that mail from
`«example.com»` will always and only come senders like
`user@«example.com»`. This can be an inconvenient restriction on
`rhocoin.org` will always and only come senders like
`user@rhocoin.org`. This can be an inconvenient restriction on
one's ability to use a more relevant identity.

Further, intermediate servers keep manging messages sent through them,
@ -2288,7 +2274,7 @@ The `postmaster: root` setting ensures that system-generated emails are sent
to the `root` user. You want to edit these settings so these emails are rerouted
to your email address. To accomplish that, replace «your_email_address»
with your actual email address, or the name of a non root user.. Most systems do not allow email clients to
login as root, so you cannot easily access emails that wind up as `root@mail.«example.com»`
login as root, so you cannot easily access emails that wind up as `root@mail.rhocoin.org`

Probably you should create a user `postmaster`

@ -2413,8 +2399,8 @@ Modify `/etc/postfix/main.cf` using the postconf command:
# SMTP from other servers to yours
# Make sure to substitute your certificates in for the smtp
# and smtpd certificates.
postconf -e smtpd_tls_cert_file=/etc/letsencrypt/live/«example.com»/fullchain.pem
postconf -e smtpd_tls_key_file=/etc/letsencrypt/live/«example.com»/privkey.pem
postconf -e smtpd_tls_cert_file=/etc/letsencrypt/live/rhocoin.org/fullchain.pem
postconf -e smtpd_tls_key_file=/etc/letsencrypt/live/rhocoin.org/privkey.pem
postconf -e smtpd_tls_security_level = may
postconf -e smtpd_tls_auth_only = yes
postconf -e smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1, !TLSv1.1
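Review bot: the unchanged context lines `postconf -e smtpd_tls_security_level = may` and `postconf -e smtpd_tls_auth_only = yes` hand the shell three separate words (`name`, `=`, `value`), and `postconf -e` requires each argument to be a single `name=value`, so it aborts on the bare name and neither setting is applied; the unquoted space in `!TLSv1, !TLSv1.1` likewise splits the protocol list into two arguments. Write them the way the `smtp_` side does in the next hunk, `postconf -e smtpd_tls_security_level=may`, `postconf -e smtpd_tls_auth_only=yes` and `postconf -e 'smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'`. Since `smtpd_tls_auth_only=yes` is what keeps SASL passwords off plaintext sessions, this silent failure matters.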
@ -2426,8 +2412,8 @@ postconf smtpd_tls_session_cache_database
# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#
# SMTP from your server to others
postconf -e smtp_tls_cert_file=/etc/letsencrypt/live/«example.com»/fullchain.pem
postconf -e smtp_tls_key_file=/etc/letsencrypt/live/«example.com»/privkey.pem
postconf -e smtp_tls_cert_file=/etc/letsencrypt/live/rhocoin.org/fullchain.pem
postconf -e smtp_tls_key_file=/etc/letsencrypt/live/rhocoin.org/privkey.pem
postconf -e smtp_tls_security_level=may
postconf -e smtp_tls_note_starttls_offer=yes
postconf -e smtp_tls_mandatory_protocols='!SSLv2, !SSLv3, !TLSv1, !TLSv1.1'
@ -2458,20 +2444,20 @@ cat /var/log/mail.log |grep TLS
You should now see some TLS activity for those emails, and you should receive the emails.

OK, now we are all done, unless you want people to send you emails at
«username»@«example.com», and to be actually able to usefully read those emails
cherry@rhocoin.org, and to be actually able to usefully read those emails
without setting up forwarding to another address.

Well, not quite done, for now that you can receive emails, need to add your email to to your DMARC policy.\
`v=DMARC1; p=quarantine; rua=mailto:postmaster@«example.com»`
`v=DMARC1; p=quarantine; rua=mailto:postmaster@rhocoin.org`

A dmarc record is a text record with the hostname `_dmarc`, and the policy is its text value.

### SASL

At this point any random person on the internet can send mail to
`root@«example.com»`, and you can automatically forward it to an actually
`root@rhocoin.org`, and you can automatically forward it to an actually
usable email address, but you cannot access his email account at
`root@«example.com»` from a laptop using thunderbird, and accessing it
`root@rhocoin.org` from a laptop using thunderbird, and accessing it
through the command line using `mail` is not very useful.

Because although Postfix by default accepts sasl authenticated mail
@ -2484,11 +2470,11 @@ smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_una
It has yet as yet nothing configured to provide `sasl` authentication.

We don't want random spammer on the internet to send email as
`random@«example.com»`, but we do want authenticated users to be able to do
`random@rhocoin.org`, but we do want authenticated users to be able to do
as they please.

So, need to install and configure Dovecot to provide sasl, to authenticate
«username» to Postfix. And need to tell Postfix to accept Dovecot authentication.
cherry to Postfix. And need to tell Postfix to accept Dovecot authentication.

However, before we do any of that, there is a very big problem, that all
email systems that allow clients to send email are a bleeding security hole,
@ -2587,19 +2573,19 @@ For each domain name that has an MX record pointing at this host add the

```bash
postconf virtual_alias_domains
postconf -e virtual_alias_domains=«example.com»,«subdomain.example.com»
postconf -e virtual_alias_domains=reaction.la,blog.reaction.la
postconf -e virtual_alias_maps=hash:/etc/postfix/virtual
```

Now create the file `/etc/postfix/virtual` which will list all the email addresses of users with email addresses ending in those domain names.

```default
ann@«example.com» ann
bob@«example.com» bob
carol@«subdomain.example.com» carol
dan@«subdomain.example.com» dan
@«example.com» blackhole
@«subdomain.example.com» blackhole
ann@reaction.la ann
bob@reaction.la bob
carol@blog.reaction.la carol
dan@blog.reaction.la dan
@reaction.la blackhole
@blog.reaction.la blackhole
# ann, bob, carol, dan, and blackhole have to be actual users
# on the actual host, or entries in its aliases file, even if there
# is no way for them to actually login except through an
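Review bot: the catch-all entries `@reaction.la blackhole` and `@blog.reaction.la blackhole` make Postfix accept mail for every local part in both domains, so unknown recipients are never rejected at SMTP time and spam and backscatter to guessed addresses pile up in the `blackhole` account the comment says must exist; if a catch-all is really wanted the text should say so and say who empties it. Also, `virtual_alias_maps=hash:/etc/postfix/virtual` is a compiled lookup table, and this hunk never shows the `postmap /etc/postfix/virtual` step that must follow every edit of that file before Postfix sees the change.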
@ -2629,9 +2615,9 @@ We then enter the email address and password, and click on `configure manually`

Select SSL/TLS and normal password

For the server, thunderbird will incorrectly propose `.«subdomain.example.com»`
For the server, thunderbird will incorrectly propose `.blog.reaction.la`

Put in the correct value, `«example.com»`, then click on re-test. Thunderbird will then correctly set the port numbers itself, which are the standard port numbers.
Put in the correct value, `rhocoin.org`, then click on re-test. Thunderbird will then correctly set the port numbers itself, which are the standard port numbers.

[tutorial](https://www.linux.com/training-tutorials/how-set-virtual-domains-and-virtual-users-postfix/)

@ -2957,7 +2943,7 @@ To set up Git on the cloud,
and to use git on the cloud
[see](http://blog.davidecoppola.com/2016/12/how-to-set-up-a-git-repository-locally-and-on-a-remote-server/).

On my system, I ssh into the remote system `«example.com»` as the user
On my system, I ssh into the remote system `reaction.la` as the user
`git` and then in the `git` home directory:

```bash
@ -2975,7 +2961,7 @@ git init
git add *
git commit -m"this is a project to so and so"
git remote -v
git remote add origin git@«example.com»:~/MyProject
git remote add origin git@reaction.la:~/MyProject
git remote -v
git push -u origin --all # pushes up the repo and its refs for the first time
git push -u origin --tags
@ -2995,8 +2981,8 @@ their public key with the putty key gen copy and paste public key.

Make sure the config file `~/.ssh/config` contains

Host «example.com»
HostName «example.com»
Host reaction.la
HostName reaction.la
Port 22
IdentityFile ~/.ssh/id_ed25519

@ -3082,19 +3068,6 @@ then put a symlink to your directory in the repository in your apache
directories, whereupon the clone command takes as its argument the
directory url (with no trailing backslash).

### Merge Conflicts

Resolving a merge conflict is usually a little bit messy, creating opportunities to make mistakes

The safest way to resolve a merge conflict is to use git `mergetool`, followed by `git gui`.

`git gui` is useless for resolving merge conflicts, but after having resolved them in your mergetool, then when you click on commit in `git gui`, you
can see that the situation is what you think it is before issuing the commit command.

In linux, git gui is not necessarily available unless you have installed not just `git`, but `git-all`

The best mergetool by far is Meld. But it is preferable to issue the commit command from within `git-gui`,
since you get a more global view of the situation.

## Sharing git repositories

@ -3112,29 +3085,6 @@ This is by far the simplest and most direct way of allowing the world to get at

[Git Book for Git daemon](https://git-scm.com/book/en/v2/Git-on-the-Server-Git-Daemon)

When you have submodules, an issue arises with people accessing the submodules through different protocols.
The fix is to make `.gitmodules` protocol agnostic by using relative urls. As for example

```.gitmodules
[submodule "libsodium"]
path = libsodium
url = ../libsodium.git
branch = rho-fork
[submodule "mpir"]
path = mpir
url = ../mpir.git
branch = rho-fork
[submodule "wxWidgets"]
path = wxWidgets
url = ../wxWidgets.git
branch = rho-fork
```

This will enable recursive cloning and all that to work regardless of the root protocol.

After amending the `.gitmodules` file you need to execute the command `git submodule sync`,
and now that you are using relative urls, when the base url changes, `git submodule sync --recursive`

### Gitweb

Does much the same thing as git-daemon, makes your repository public with a
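Review bot: the 23 lines this hunk removes (29 old lines become 6) are the page's only explanation of relative submodule URLs (`url = ../libsodium.git`) and of why `git submodule sync` and `git submodule sync --recursive` must be run after `.gitmodules` changes; if the repository's own `.gitmodules` still uses the relative form, a reader who changes the clone URL has nothing left telling them to resync, so the paragraph and the example should stay, or the commit message should say where that guidance moved.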
@ -3404,8 +3354,8 @@ to hppts governed by a lets encrypt certificate.
[GitLab
Mattermost](https://docs.gitlab.com/omnibus/gitlab-mattermost/#getting-started)
expects to run on its own virtual host. In your DNS you would then have
two entries pointing to the same machine, e.g. gitlab.«example.com» and
mattermost.«example.com». GitLab Mattermost is disabled by default, to
two entries pointing to the same machine, e.g. gitlab.reaction.la and
mattermost.reaction.la. GitLab Mattermost is disabled by default, to
enable it just put the external url in the configuration file.

Github, on the other hand, allows you to point [your own domain name to
|
||||
|
||||
Also, [vpn on the cloud](https://github.com/Nyr/openvpn-install).
|
||||
|
||||
Currency project should be [hosted on digital ocean at git.«example.com», at
|
||||
Currency project should be [hosted on digital ocean at git.reaction.la, at
|
||||
\$20 per month (Four gig, two cores), using Gitlab free omnibus
|
||||
edition](ww.digitalocean.com/community/tutorials/how-to-use-the-gitlab-user-interface-to-manage-projects).
|
||||
They suggest configuring your own Postfix email server on the machine
|
||||
@ -3573,10 +3523,10 @@ $ cat ~/.local/share/applications/bitcoin.desktop
|
||||
[Desktop Entry]
|
||||
Type=Application
|
||||
Name=Bitcoin
|
||||
Exec=/home/«username»/bitcoin-22.0/bin/bitcoin-qt -min -chain=main
|
||||
Exec=/home/cherry/bitcoin-22.0/bin/bitcoin-qt -min -chain=main
|
||||
GenericName=Bitcoin core peer
|
||||
Comment=Bitcoin core peer.
|
||||
Icon=/home/«username»/bitcoin-22.0/bin/bitcoin-qt
|
||||
Icon=/home/cherry/bitcoin-22.0/bin/bitcoin-qt
|
||||
Categories=Office;Finance
|
||||
Terminal=false
|
||||
Keywords=bitcoin;crypto;blockchain;qwe;asd;
|
||||
@ -3586,7 +3536,7 @@ cat ~/.config/autostart/bitcoin.desktop
[Desktop Entry]
Type=Application
Name=Bitcoin
Exec=/home/«username»/bitcoin-22.0/bin/bitcoin-qt -min -chain=main
Exec=/home/cherry/bitcoin-22.0/bin/bitcoin-qt -min -chain=main
Terminal=false
Hidden=false
```

@ -2,14 +2,12 @@
title: Wireguard
sidebar: true
notmine: false
misc_links: >-
<a href="set_up_build_environments.md" target="_blank">Set up build environments</a>.<br>
<a href="dovecot.html" target="_blank">Dovecot</a>.<br>
<a href="nix.html" target="_blank">nix</a>.<br>
abstract: >-
Setting up your own vpn using wireguard and a Debian 11 server in the cloud
...

::: myabstract
[abstract:]{.bigbold}Setting up your own vpn using wireguard and a Debian 11 server in the cloud
:::

This tutorial largely stolen from [Linuxbabe](https://www.linuxbabe.com/debian/wireguard-vpn-server-debian){target="_blank"} It is slightly
more up to date than her version at the time of writing.

@ -1 +1 @@
Subproject commit de5189af55c7470422f4490ad0d85549b80c011d
Subproject commit b6e1e94cfb3d8dffdb1bb92b6102e5fad5fe6093

@ -2,7 +2,7 @@
using ro::base58;
static constexpr char SrcFilename[]{ "src/display_wallet.cpp" };

display_wallet::display_wallet(wxWindow* parent, const wxFileName& walletfile) :
display_wallet::display_wallet(wxWindow* parent, wxFileName& walletfile) :
wxPanel(parent, myID_WALLET_UI, wxDefaultPosition, wxDefaultSize, wxTAB_TRAVERSAL, wxT("Wallet")),
m_db(walletfile), m_DisplayWalletEditMenu(1),
m_read_names_and_keys(m_db, R"|(SELECT * FROM "UserZookoIDs"; )|"),
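Review bot: dropping `const` from `const wxFileName& walletfile` in the constructor is a step backwards: the constructor only hands `walletfile` to `m_db` and never mutates it, and a non-const lvalue reference also stops callers passing a temporary or a const path. Keep `const wxFileName&` (and the matching declaration in display_wallet.h); if `m_db`'s constructor genuinely needs a mutable reference, say so in a comment, because as it stands the change reads like a workaround for a missing `const` further down.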
@ -2,7 +2,7 @@
class display_wallet : public wxPanel
{
public:
display_wallet(wxWindow*, const wxFileName&);
display_wallet(wxWindow*, wxFileName&);
~display_wallet();
private:
struct cleanup;
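Review bot: this declaration must agree with the definition in display_wallet.cpp, and the parameter should stay `const wxFileName&` on both: nothing in the constructor writes to the path, and the non-const form rejects temporaries and const members at every call site.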
@ -114,7 +114,7 @@ void Frame::StorePositionToConfig() {
pConfig->SetPath(wxT("/"));
}
}
void RecursiveCreateDirectory(const wxFileName& fn){
void RecursiveCreateDirectory(wxFileName& fn){
//Bug workaround, because wxPATH_MKDIR_FULL simply does not work
if (!fn.DirExists()) {
wxFileName parent(fn);
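Review bot: `RecursiveCreateDirectory` copies `fn` into `parent` and never writes to it, so the parameter should be `const wxFileName&`; the non-const version cannot be called on a const member such as a future const `m_DefaultWalletLocation`, and it tells readers the caller's path gets modified when it does not. The comment `wxPATH_MKDIR_FULL simply does not work` also needs the platform and wxWidgets version it was observed on, because `wxFileName::Mkdir` with `wxPATH_MKDIR_FULL` is the documented way to create a path and a future maintainer will otherwise remove the workaround.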
@ -341,7 +341,7 @@ void Frame::OnDeleteConfiguration(wxCommandEvent&)
}

using ro::bin2hex, ro::to_base64_string;
void Frame::NewWallet(const wxFileName& filename, ristretto255::hash<256>& secret) {
void Frame::NewWallet(wxFileName& filename, ristretto255::hash<256>& secret) {
RecursiveCreateDirectory(filename);
/*If creation fails, abort with exception. If it succeeds, set LastUsed to default filename.
The exception in unit test should simply generate an error message, but if run during initialization,
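Review bot: `NewWallet(wxFileName& filename, ristretto255::hash<256>& secret)` takes both arguments by non-const reference; `filename` is only passed on to `RecursiveCreateDirectory` and should be `const wxFileName&`, and if `secret` is only read, `const ristretto255::hash<256>&` makes that explicit, which matters for a value a caller may want to hold in a read-only, self-wiping object. The comment block below also says creation "set LastUsed to default filename" on success, while the `OnSaveNew` hunk assigns `m_LastUsedWallet` last, after the panel is built, precisely so that an exception forgets the name; the comment should describe the one that is true.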
@ -439,7 +439,8 @@ COMMIT;
}
}

wxFileName Frame::GetPathForNewWallet() {
void Frame::OnSaveNew(wxCommandEvent& WXUNUSED(event))
{
wxFileName wxFileWallet;
if (m_DefaultWalletLocation.FileExists()) {
// OK, the default wallet exists, so we need a new
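Review bot: one side of this hunk keeps path selection in a separate `wxFileName Frame::GetPathForNewWallet()`, the other inlines the same logic into `OnSaveNew(wxCommandEvent& WXUNUSED(event))`; the separate function is the one a unit test can call without constructing a `wxCommandEvent`, and it is what lets the `IsOk()` failure be reported by a single throw instead of being checked inside an event handler. If the inline form is the intended direction, the commit should say why the helper is being dropped.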
@ -485,27 +486,16 @@ wxFileName Frame::GetPathForNewWallet() {
RecursiveCreateDirectory(m_DefaultWalletLocation);
wxFileWallet = m_DefaultWalletLocation;
}
if (wxFileWallet.IsOk() == false) {
throw MyException(sz_unexpected_error, __LINE__, __func__, SrcFilename);
}
return wxFileWallet;
}

void Frame::NewWalletDisplay(const wxFileName& filename, const char* human_legible_secret) {
ristretto255::hash<256> WalletSecret(human_legible_secret);
NewWallet(filename, WalletSecret);
wxLogMessage("new wallet created: %s", filename.GetFullPath());
if (wxFileWallet.IsOk()) {
ristretto255::hash<256> WalletSecret(wxFileWallet.GetFullPath().ToUTF8());
NewWallet(wxFileWallet, WalletSecret);
wxLogMessage("new wallet created: %s", wxFileWallet.GetFullPath());
if (m_panel)m_panel->Close(true);
m_panel = nullptr;
auto panel = new display_wallet(this, filename);
auto panel = new display_wallet(this, wxFileWallet);
m_panel = panel;
m_LastUsedWallet = filename; //We do this last, so that if an exception occurs the filename is forgotten.
m_LastUsedWallet = wxFileWallet; //We do this last, so that if an exception occurs the filename is forgotten.
}

void Frame::OnSaveNew(wxCommandEvent& WXUNUSED(event))
{
wxFileName wxFileWallet = GetPathForNewWallet();
NewWalletDisplay(wxFileWallet, wxFileWallet.GetFullPath().ToUTF8());
}

void Frame::OnFileOpen(wxCommandEvent&) {
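Review bot: the secret of a newly created wallet is derived from the wallet file's own path on both sides of this hunk: `ristretto255::hash<256> WalletSecret(wxFileWallet.GetFullPath().ToUTF8())` on one, and `NewWalletDisplay(wxFileWallet, wxFileWallet.GetFullPath().ToUTF8())` passing the path as `human_legible_secret` on the other. A path under the user's data directory is predictable and has almost no entropy, so anyone who knows where the wallet lives can recompute its master secret; the default-wallet branch in `OpenWallet` uses `ristretto255::scalar::random()` for the same purpose and this code should do the same, or take a secret the user supplies. If the path is only a stand-in for testing, mark it as such in a comment so it cannot ship. Second point: `if (wxFileWallet.IsOk()) { ... }` returns silently when the path is not OK, whereas the other side throws `MyException(sz_unexpected_error, ...)`; a "save new" that does nothing and logs nothing is the worse failure mode.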
@ -114,10 +114,8 @@ private:
void OnMyCloseMPanel(wxCommandEvent&);

public:
wxFileName GetPathForNewWallet();
void NewWalletDisplay(const wxFileName&, const char*);
void OnSaveNew(wxCommandEvent&);
void NewWallet(const wxFileName&, ristretto255::hash<256>&);
void NewWallet(wxFileName&, ristretto255::hash<256>&);
void RecreateWalletFromExistingSecret(wxCommandEvent&);
void OnFileOpen(wxCommandEvent&);
void OnClose(wxCloseEvent& event);
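Review bot: `NewWalletDisplay(const wxFileName&, const char*)` receives the human-legible secret as a bare `const char*`, so the signature says nothing about who owns the buffer or whether it is wiped after use; since `ristretto255::scalar` already wipes itself in its destructor, carrying the secret in one of those self-wiping types would keep that guarantee end to end instead of losing it at the boundary. In the same hunk, `NewWallet(wxFileName&, ...)` should remain `NewWallet(const wxFileName&, ...)` to match a definition that never modifies the path.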
@ -73,7 +73,6 @@ inline constexpr auto sz_name_does_not_correspond{ R"|(Public key of name fails
inline constexpr auto sz_public_key_of{ R"|(Public key of ")|" };
inline constexpr auto sz_fails_to_correspond{ R"|(" fails to correspond to master secret.
This wallet cannot communicate as this identity.)|" };
constexpr auto sz_unexpected_error{ R"|(unexpected error)|" };

//Command line parameters
extern const wchar_t wsz_commandLineLogo[];
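Review bot: `constexpr auto sz_unexpected_error{ ... }` is the only constant in this block declared without `inline`; its neighbours are `inline constexpr`, and a namespace-scope `constexpr` variable in a header has internal linkage, giving every translation unit its own copy. On the side that keeps it, write `inline constexpr` like the rest; its only visible use is the `IsOk() == false` throw in `GetPathForNewWallet`, so it should be added or removed together with that function.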
@ -334,11 +334,7 @@ namespace ristretto255 {
std::array<uint8_t, crypto_core_ristretto255_SCALARBYTES> blob;
static_assert(sizeof(blob) == 32, "watch for size and alignment bugs. Everyone should standarize on 256 bit secret keys except for special needs");
explicit scalar() = default;
~scalar() noexcept { wxSecretValue::Wipe(sizeof(*this), this); } /*calls wipe to avoid leaving secrets around in memory.
Because wxSecretValue::Wipe is in a different optimisation unit, a separately compiled library,
optimisation of the destructor cannot optimise away the call to the wipe,
because the destructor optimiser does not know that all wipe does is
write to memory that is about to be discarded, nor can the wipe optimiser know that. */
~scalar() noexcept { wxSecretValue::Wipe(sizeof(*this), this); }
explicit constexpr scalar(std::array<uint8_t, crypto_core_ristretto255_BYTES>&& in) : blob{ in } {};
explicit constexpr scalar(std::array<uint8_t, crypto_core_ristretto255_BYTES>* in) :blob(*in) {};
explicit constexpr scalar(uintmax_t k){ for (auto& j : blob) { j = k; k = k >> 8; } }
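Review bot: the comment being dropped from `~scalar()` is the only record of why the `wxSecretValue::Wipe` call is believed to survive optimisation, and the argument it makes is fragile: it rests on `Wipe` living in a separately compiled library, which stops being true under link-time optimisation (`-flto`) or a whole-program build of a static wxWidgets, at which point the compiler can see that the store targets an object about to die and drop it. Keep the rationale in the code, and prefer libsodium's `sodium_memzero` for the wipe, since libsodium is already linked (`crypto_core_ristretto255_scalar_negate` below) and that function is written to resist dead-store elimination. Also, the constructors accept `std::array<uint8_t, crypto_core_ristretto255_BYTES>` while `blob` is sized by `crypto_core_ristretto255_SCALARBYTES`; both are 32 today, which is why this compiles, but the same constant should be used on both sides so the `static_assert` actually guards the mismatch.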
@ -349,9 +345,9 @@ namespace ristretto255 {
static_assert (ro::is_standard_signed_integer<T>);
if (i < 0) crypto_core_ristretto255_scalar_negate(&blob[0], &blob[0]);
}
scalar(scalar&&) = default; // Move constructor. Does not need to call wipe, because destructor will be called on source
scalar(scalar&&) = default; // Move constructor
scalar(const scalar&) = default; // Copy constructor
scalar& operator=(scalar&&) = default; // Move assignment. Does not need to call wipe, because destructor will be called on source
scalar& operator=(scalar&&) = default; // Move assignment.
scalar& operator=(const scalar&) = default; // Copy assignment.
/* Don't need constant time equality test
bool operator==(const scalar& sc) const& {
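Review bot: the comments being dropped from the defaulted move constructor and move assignment are worth keeping, and they understate the situation: a defaulted move of a `std::array` member is a byte copy, so after a move the source still holds the full secret until its own destructor runs `Wipe`, and the defaulted copy constructor and copy assignment below duplicate the secret with no wipe at all. The `/* Don't need constant time equality test` comment should also say why; the moment a scalar is compared against a secret value, `sodium_memcmp` is the comparison to use.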
@ -427,8 +427,9 @@ static bool OpenWallet(void) {
fWalletNameOk = true;
}
}
else {
else fWalletNameOk = true;
std::unique_ptr<ISqlite3> db;
if (fWalletNameOk) {
if (!LastUsedSqlite.FileExists()) throw MyException("Expected wallet file not found", __LINE__, __func__, SrcFilename);
db.reset(Sqlite3_open(LastUsedSqlite.GetFullPath().ToUTF8()));
sql_read_from_misc read_from_misc(db.get());
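Review bot: `else fWalletNameOk = true;` sets the flag on the path where the stored wallet name was not accepted, so on that side `if (fWalletNameOk)` is taken unconditionally and a missing wallet can only surface as the `Expected wallet file not found` exception; the `else {` on the other side leaves the flag false so control falls through to the wallet-creation branch that the next hunk adds after `if (fWalletNameOk) { ... }`. If the intent is that a bad or empty `LastUsedSqlite` leads to building the default wallet, the flag must stay false here; a flag that is true in both branches is not a flag.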
@ -451,6 +452,102 @@ static bool OpenWallet(void) {
wxLogMessage(wxT("\t\t\"%s\" has expected public key #%s"), name, (wxString)(ro::base58(pubkey).operator const char* ()));
}
}
else {
// At this point in the code the filename LastUsedSqlite is a bad filename, normally the empty string, and the default wallet file does not exist in the default location.
// Construct default wallet and filename*/
wxFileName path{ StandardPaths.GetUserLocalDataDir() };
try {
// Disk operations to create wallet, which may throw.
// This try/catch block exists to catch disk io issues.
if (!path.DirExists())path.Mkdir();
if (!DefaultSqlite.DirExists())DefaultSqlite.Mkdir();
db.reset(Sqlite3_create(DefaultSqlite.GetFullPath().ToUTF8()));
db->exec(R"|(
PRAGMA journal_mode = WAL;
PRAGMA synchronous = 1;
BEGIN IMMEDIATE TRANSACTION;
CREATE TABLE "Keys"(
"ROWID" INTEGER PRIMARY KEY,
"pubkey" BLOB NOT NULL UNIQUE,
"id" integer NOT NULL,
"use" INTEGER NOT NULL
) STRICT;

CREATE UNIQUE INDEX i_pubkey ON Keys (pubkey);
CREATE UNIQUE INDEX i_id ON Keys (use, id);

CREATE TABLE "Names"(
"ROWID" INTEGER PRIMARY KEY,
"name" TEXT NOT NULL UNIQUE
) STRICT;

CREATE UNIQUE INDEX i_names ON Names (name);

CREATE TABLE "Misc"(
"ROWID" INTEGER PRIMARY KEY,
"m" ANY
) STRICT;
COMMIT;

BEGIN IMMEDIATE TRANSACTION;
CREATE VIEW UserZookoIDs AS
SELECT
"Names".name AS name,
"Keys".pubkey AS pubkey
FROM "Names" INNER JOIN "Keys"
ON "Names"."ROWID"="Keys"."id" AND "Keys"."use"=1
ORDER BY LOWER("name"), "name"
COLLATE BINARY;
COMMIT;

BEGIN IMMEDIATE TRANSACTION;
CREATE TRIGGER InsertUserZookoID INSTEAD OF INSERT ON UserZookoIDs FOR EACH ROW BEGIN
INSERT OR FAIL INTO "Names" VALUES(
NULL,
NEW."name"
);
INSERT OR FAIL INTO "Keys" VALUES(
NULL,
NEW."pubkey",
last_insert_rowid(),
1
);
END;

CREATE TRIGGER DeleteUserZookoID INSTEAD OF DELETE ON UserZookoIDs FOR EACH ROW BEGIN
DELETE FROM "Keys" WHERE "Keys"."pubkey" = OLD."pubkey";
DELETE FROM "Names" WHERE "Names"."name" = OLD."name";
END;
COMMIT;
)|");
LastUsedSqlite = DefaultSqlite;
singletonFrame->m_LastUsedWallet = LastUsedSqlite;
wxLogMessage(wxT("\t\tConstructing default wallet %s"), DefaultSqlite.GetFullPath());
// We now have a working wallet file with no valid data. Attempting to create a strong random secret, a name, and public and private keys for that name.

wxLogMessage(wxT("\t\tGenerating random 128 bit wallet secret"));
auto text_secret{ DeriveTextSecret(ristretto255::scalar::random(), 1) };
ro::msec start_time{ ro::msec_since_epoch() };
ristretto255::CMasterSecret MasterSecret(scalar(DeriveStrongSecretHash(&text_secret[0])) );
decltype(start_time) end_time{ ro::msec_since_epoch() };
wxLogMessage(wxT("\t\tStrong secret derivation took %d milliseconds"), (end_time - start_time).count());
sql_update_to_misc update_to_misc(db.get());
update_to_misc(1, WALLET_FILE_IDENTIFIER);
update_to_misc(2, WALLET_FILE_SCHEMA_VERSION_0_0);
update_to_misc(3, &text_secret[0]);

update_to_misc(4, MasterSecret);
sql_insert_name insert_name(db.get());
const char cpsz[]{ "Unit Tester" };
insert_name(cpsz, MasterSecret(cpsz).timesBase());
}
catch (const MyException & e) {
ILogError(R"|(Failed to create or failed to properly initialize wallet)|");
errorCode = 20;
szError = e.what();
ILogError(szError.c_str());
}
} // End of wallet creation branch
}
catch (const MyException& e) {
errorCode = e.what_num();
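Review bot: the master secret goes into the new wallet file in clear and the file is created with default permissions: `update_to_misc(3, &text_secret[0])` stores the human-legible secret and `update_to_misc(4, MasterSecret)` the derived one, both in the `Misc` table of an unencrypted SQLite file opened by `Sqlite3_create(DefaultSqlite.GetFullPath().ToUTF8())`. Nothing here sets the file mode, and SQLite creates database files 0644 before umask, so on a shared machine the secret that controls every identity in the wallet is readable by any local user; at minimum create the file 0600 (umask or a chmod right after creation) and consider protecting the stored secret with a passphrase. Three smaller points: `wxLogMessage(wxT("\t\tGenerating random 128 bit wallet secret"))` disagrees with `ristretto255::scalar::random()`, which is a 256-bit scalar per the `static_assert` in the scalar class, so the message should state what `DeriveTextSecret(..., 1)` actually yields; `path.Mkdir()` and `DefaultSqlite.Mkdir()` each create a single level, whereas the rest of this compare routes directory creation through `RecursiveCreateDirectory` because `wxPATH_MKDIR_FULL` reportedly fails, so a missing parent of `GetUserLocalDataDir()` throws out of this branch; and `// Construct default wallet and filename*/` has a stray `*/` left over from a block comment. If `ro::msec` is a `std::chrono` duration, `(end_time - start_time).count()` is a 64-bit value on common platforms and does not belong under `%d`; use `%lld` or cast.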
@ -472,42 +569,12 @@ static bool OpenWallet(void) {
}

static bool StandardPaths(void) {
try{
wxStandardPaths& StandardPaths{ wxStandardPaths::Get() };
StandardPaths.UseAppInfo(3);
ILogMessage("\tStandard paths");
wxLogMessage("\t\twxStandardPaths::GetUserLocalDataDir()\t %s", StandardPaths.GetUserLocalDataDir());
wxLogMessage("\t\twxStandardPaths::GetUserDataDir() \t %s", StandardPaths.GetUserDataDir());
wxLogMessage("\t\twxStandardPaths::GetLocalDataDir() \t %s", StandardPaths.GetLocalDataDir());
wxLogMessage("\t\twxGetUserId()\t\t\t%s", wxGetUserId());
wxSecretStore store = wxSecretStore::GetDefault();
wxString errmsg;
if (!store.IsOk(&errmsg))throw MyException(std::string("Secret Store not working. ") + errmsg, __LINE__, __func__, SrcFilename);
wxSecretValue test_secret(9, "12345678");
wxSecretValue test_secret_ret;
if (!store.Save("MyApp/MyService", wxGetUserId(), test_secret))throw MyException("Failed to save credentials to the system secret store.", __LINE__, __func__, SrcFilename);
// And to load it back :
wxString username;
if (!store.Load("MyApp/MyService", username, test_secret_ret))throw MyException("Unable to reload secret.", __LINE__, __func__, SrcFilename);
if (test_secret != test_secret_ret)throw MyException(wxString(R"|(Reloaded unexpected secret: ")|") + (const char *)(test_secret_ret.GetData()) + R"|(")|", __LINE__, __func__, SrcFilename);
if (username != wxGetUserId())throw MyException(std::string(R"|(Reloaded unexpected username: ")|") + username + R"|(")|", __LINE__, __func__, SrcFilename);
wxLogMessage("\t\tSecret Store working as expected.");
}
catch (const MyException& e) {
errorCode = e.what_num();
szError = e.what();
ILogError(szError.c_str());
}
catch (const std::exception& e) {
errorCode = 19;
szError = e.what();
ILogError(szError.c_str());
}
catch (...) {
szError = sz_unknown_error;
errorCode = 19;
ILogError(szError.c_str());
}
unit_test_action = &OpenWallet;
return true;
}
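Review bot: the secret-store self-test saves a fixed value under the generic service name `"MyApp/MyService"` into the user's real OS keychain and never removes it; `wxSecretStore::Delete` exists for that. On the side that keeps this code, use an application-specific service name and delete the entry after the round trip, otherwise every run leaves a `12345678` credential in the user's keychain and collides with any other program that copied the same wxWidgets sample name. Also, `wxSecretValue test_secret(9, "12345678")` deliberately counts the NUL terminator in the length so that the later `(const char *)(test_secret_ret.GetData())` is terminated when it is spliced into the error message; that deserves a comment, because `GetData()` is not otherwise NUL-terminated and the next person to shorten the length to 8 will get an over-read in the failure path.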
@ -1 +1 @@
Subproject commit 3d7f9294616fe018dec4334bf0728fd89ac20b6f
Subproject commit 9a465d3d39f183e6fd4635f199e5e455d52b58c5