Changes

Philipp Winter · 0b1e294e
--- a/Survival-Guides/Snowflake-Broker-Installation-Guide.md
+++ b/Survival-Guides/Snowflake-Broker-Installation-Guide.md
+These are instructions for setting up a Snowflake broker on Debian 10.
+
+Set up APT and etckeeper.
+Install etckeeper.
+```
+root# vi /etc/apt/source.list # remove "contrib" and "non-free"
+root# apt update
+root# apt upgrade
+root# apt install etckeeper
+```
+
+Add a normal user.
+```
+root# adduser user
+root# adduser user sudo
+root# su - user
+user$ mkdir -m 700 .ssh
+user$ echo "ssh-ed25519 ..." >> .ssh/authorized_keys
+user$ exit
+root# exit
+```
+
+Log in as the normal user and disable login for root.
+```
+user$ sudo -s
+root# vi /etc/ssh/sshd_config
+        PermitRootLogin no
+        AllowUsers user
+        PasswordAuthentication no
+root# rm /root/.ssh/authorized_keys 
+root# service sshd restart
+```
+
+Add other users.
+```
+root# adduser user1
+root# adduser user1 sudo
+root# adduser user2
+root# adduser user2 sudo
+root# adduser user3
+root# adduser user3 sudo
+root# vi /etc/ssh/sshd_config
+        AllowUsers user user1 user2 user3
+root# etckeeper commit "Add users."
+```
+
+Set up a firewall.
+```
+root# apt install ferm # Enable ferm on bootup? Yes
+root# vi /etc/ferm/ferm.conf
+	domain (ip ip6) {
+	    table filter {
+		chain INPUT {
+		...
+	        # allow HTTP connections (for ACME HTTP-01 challenge)
+	        proto tcp dport http ACCEPT;
+
+		# allow HTTPS connections
+		proto tcp dport https ACCEPT;
+		}
+		...
+	    }
+	}
+root# service ferm restart
+root# etckeeper commit "Allow HTTP and HTTPS through the firewall."
+```
+
+Set up an IPv6 address. You can use any address in the 2a00:c6c0:0:154:4::/80 prefix.
+```
+root# python -c 'import os; print ":".join(os.urandom(2).encode("hex") for _ in range(3))'
+d8aa:b4e6:c89f
+root# vi /etc/network/interfaces
+	iface eth0 inet6 static
+		address 2a00:c6c0:0:154:4:d8aa:b4e6:c89f
+		netmask 64
+		gateway 2a00:c6c0:0:154::1
+root# etckeeper commit "Add IPv6 address."
+root# reboot
+```
+
+Install the broker.
+```
+root# install --owner root /home/user/broker /usr/local/bin/
+root# apt install runit-systemd tor-geoipdb
+root# echo "/runit/**/supervise" >> /etc/.gitignore
+root# adduser --system snowflake-broker
+root# mkdir -p /etc/runit/snowflake-broker
+root# vi /etc/runit/snowflake-broker/run
+	#!/bin/sh -e
+	setcap 'cap_net_bind_service=+ep' /usr/local/bin/broker
+	exec chpst -u snowflake-broker -o 32768 /usr/local/bin/broker --metrics-log /home/snowflake-broker/metrics.log --acme-hostnames snowflake-broker.bamsoftware.com,snowflake-broker.freehaven.net,snowflake-broker.torproject.net --acme-email dcf@torproject.org --acme-cert-cache /home/snowflake-broker/acme-cert-cache 2>&1
+root# chmod +x /etc/runit/snowflake-broker/run
+root# mkdir -p /etc/runit/snowflake-broker/log
+root# vi /etc/runit/snowflake-broker/log/run
+root# chmod +x /etc/runit/snowflake-broker/log/run
+        #!/bin/sh -e
+        svlogd /var/log/snowflake-broker
+root# mkdir -p /var/log/snowflake-broker
+root# vi /var/log/snowflake-broker/config
+	# http://smarden.org/runit/svlogd.8.html
+	# limit size to 10MB before rotation
+	s10000000
+	# don't delete old logs 
+	n0
+	# unless the filesystem is full
+	N1
+	# compress old logs
+	!xz
+root# ln -s /etc/runit/snowflake-broker /etc/service
+root# etckeeper commit "Install snowflake-broker."
+```
+
+Install prometheus-node-exporter for resource monitoring (#29863).
+```
+root# apt install prometheus-node-exporter
+root# vi /etc/default/prometheus-node-exporter
+	ARGS="--no-collector.arp --no-collector.bcache --no-collector.bonding --no-collector.conntrack --no-collector.cpu --no-collector.edac --no-collector.entropy --no-collector.filefd --no-collector.hwmon --no-collector.infiniband --no-collector.ipvs --no-collector.loadavg --no-collector.mdadm --no-collector.meminfo --no-collector.netclass --no-collector.netdev --no-collector.netstat --no-collector.nfs --no-collector.nfsd --no-collector.sockstat --no-collector.stat --no-collector.textfile --no-collector.timex --no-collector.uname --no-collector.vmstat --no-collector.xfs --no-collector.zfs"
+root# service prometheus-node-exporter restart
+root# etckeeper commit "Install prometheus-node-exporter."
+```
+
+Do some other nice configuration.
+```
+root# apt install unattended-upgrades man screen rsync
+root# update-alternatives --config editor # Choose /usr/bin/vim.tiny
+```
\ No newline at end of file