commit e3a626fa6dd224e6e0332ce3fcbdfa3ed24acc3c
parent 70a4e47c96fd3779ed5e1016207480ab77247cff
Author: Shimmy Xu <shimmy.xu@shimmy1996.com>
Date: Wed, 27 Sep 2017 23:23:04 -0500
New post "My Server Setup and Whatnot"
Diffstat:
7 files changed, 544 insertions(+), 32 deletions(-)
diff --git a/content/posts/2017-08-31-hello-world.en.org b/content/posts/2017-08-31-hello-world.en.org
@@ -1,14 +0,0 @@
-+++
-title = "Hello World!"
-description = "Cuz's it's always the right name for a first post!"
-date = 2017-08-31T23:09:59-05:00
-draft = false
-tags = ["Hugo"
- ]
-categories = ["Site Related"
- ]
-slug = "hello world"
-+++
-
-* Hello world!
-Hello world!
diff --git a/content/posts/2017-08-31-hello-world.zh.org b/content/posts/2017-08-31-hello-world.zh.org
@@ -1,14 +0,0 @@
-+++
-title = "你好世界!"
-description = "第一篇文章!"
-date = 2017-08-31T23:09:59-05:00
-draft = false
-tags = ["Hugo"
- ]
-categories = ["Site Related"
- ]
-slug = "hello world"
-+++
-
-* 你好世界!
-你好世界!
diff --git a/content/posts/2017-09-03-get-emacs-to-work-with-fcitx.zh.org b/content/posts/2017-09-03-get-emacs-to-work-with-fcitx.zh.org
@@ -3,8 +3,7 @@ title = "在emacs里使用fcitx"
description = ""
date = 2017-09-03T23:20:27-05:00
draft = true
-tags = [
- ]
+tags = []
categories = [
]
slug = "get-emacs-to-work-with-fcitx"
diff --git a/content/posts/2017-09-25-server-setup.en.org b/content/posts/2017-09-25-server-setup.en.org
@@ -0,0 +1,264 @@
++++
+title = "My Server Setups and Whatnot"
+date = 2017-09-24T10:43:29-05:00
+draft = false
+tags = ["Arch Linux",
+ "Server"]
+categories = ["Site Related"]
+slug = "my server setups and whatnot"
++++
+
+** Why move the blog? And to where?
+
+After putting up with the clunky WordPress blog (and Bluehost's 2003-looking admin panel for that matter) for three years, I finally decided to ditch everything I currently have and restart my blog in a more civilized manner. There was a couple of things that I was not happy about my old WordPress setup, namely:
+
+- Clunky and eats up my server storage.
+- Not as easy way to back up with tools I know.
+- Does not come with a command line interface, which is becoming my preferred way of doing almost anything.
+- Lacking some basic features I wanted, i.e. multilingual support. As powerful as WordPress may be in the right hands, I do not want to invest too much effort in learning CSS/js/php nor do I want to use some plugin from some sketchy WordPress plugin marketplace.
+- These theme and plugin marketplaces creeps me out in the same way as ubuntu software center.
+- WordPress has a lot of features I do not actually need, i.e. user permission system, which is an overkill for my personal blog site.
+
+Picking an alternative blogging system was not too hard once I am aware of my needs: a fast and minimalist static site generator implemented in a language I know (or I found valuable to learn) with out-of-the-box multilingual support, a.k.a. =hugo=.
+
+As for hosting services, I considered github pages and netlify to be fast and easy solutions but I want something more substantial for a personal blog, like a VPS. Besides, github pages not supporting https for custom domains is a deal breaker for me. I filtered down the list of VPS hosting providers with Arch Linux support and I ended up with DigitalOcean. Since I wanted to completely sever my connection with Bluehost, I also moved my domain name host to Google Domains.
+
+** Install Arch Linux
+Do note that Arch Linux is probably not the best suited server Linux distro. Use a non-rolling distro if stability is a concern. I use it only because I also run it on all my other computers. Backup the droplet often if you decided to go down this route: it hasn't happened to me yet but I've heard people complaining about Arch breaking too often.
+
+*** Installation
+Apparently my information on DigitalOcean supporting Arch Linux is outdated, as they stopped supporting it a while back. Thankfully, it is still not to hard to bring Arch Linux to a droplet (this is how DigitalOcean refer to a server) due to the awesome project [[https://github.com/gh2o/digitalocean-debian-to-arch][digitalocean-debian-to-arch]]. All I needed to to was [[https://www.digitalocean.com/community/tutorials/how-to-create-your-first-digitalocean-droplet][set up a droplet]], =ssh= into the server, and follow the instructions:
+
+#+BEGIN_SRC sh
+# wget https://raw.githubusercontent.com/gh2o/digitalocean-debian-to-arch/debian9/install.sh -O install.sh
+# bash install.sh
+#+END_SRC
+
+*** Low Level Setup
+Once the script finishes running, I have an Arch Linux system running on my droplet with internet access. Most of the additional setups needed can be found in [[https://wiki.archlinux.org/index.php/Installation_guide][Arch Wiki]]. Since I am by no means a great tutorial writer, I suggest referring to Arch Wiki for detailed steps. The recorded commands here are just for book-keeping purposes and is by no means the best way to do things.
+
+**** System Clock
+Sync system clock and set time zone.
+#+BEGIN_SRC sh
+# timedatectl set-ntp true
+# timedatectl settimezone <Region>/<City>
+#+END_SRC
+
+**** Base Packages
+Install/update base packages.
+#+BEGIN_SRC sh
+# pacman -S base base-devel
+#+END_SRC
+
+**** Fstab
+
+Generate =fstab=.
+#+BEGIN_SRC sh
+# genfstab -U / >> /etc/fstab
+#+END_SRC
+
+**** Set Locale
+Uncomment =en_US.UTF-8 UTF-8= in =/etc/locale.conf= then generate locale with:
+#+BEGIN_SRC sh
+locale-gen
+#+END_SRC
+
+Set =LANG=en_US.UTF-8= in =/etc/locale.conf=.
+
+**** Hostname
+Edit =/etc/hosts= and add hostname of droplet:
+#+BEGIN_SRC sh
+127.0.1.1 <hostname>.localdomain <hostname>
+#+END_SRC
+
+**** Boot Loader and Initramfs
+Optimizations for intel processors:
+#+BEGIN_SRC
+# pacman -S intel-ucode
+# grub-mkconfig -o /boot/grub/grub.cfg
+#+END_SRC
+
+Add =crc32= modules to initramfs, as otherwise the droplet fails to boot. Edit =/etc/mkinitcpio.conf= :
+#+BEGIN_SRC sh
+MODULES= "crc32 libcrc32c crc32c_generic crc32c-intel crc32-pclmul"
+#+END_SRC
+Regenerate the initramfs image.
+#+BEGIN_SRC sh
+# mkinitcpio -p linux
+#+END_SRC
+
+**** Root Password
+You know the drill.
+#+BEGIN_SRC sh
+# passwd
+#+END_SRC
+
+*** User Setups
+Here are some additional settings to make Arch Linux more useable.
+
+**** Creature User
+
+Obviously it is not a good idea to use root account:
+#+BEGIN_SRC sh
+# useradd -m -G wheel -s /bin/bash <username>
+# passwd <username>
+#+END_SRC
+
+**** Add User to Sudoer
+
+Edit =/etc/sudoers= and add:
+#+BEGIN_SRC sh
+<username> ALL=(ALL) ALL
+#+END_SRC
+
+**** Login As User
+We will finish the rest of the configuration using the user account.
+#+BEGIN_SRC
+su <username>
+#+END_SRC
+
+**** Package Manager
+I used to use =packer= as wrapper around AUR and =pacman=. However, after learning about [[https://wiki.archlinux.org/index.php/AUR_helpers#Comparison_table][inherent insecurity]] in their package building processes, I switched to a more secure AUR helper =trizen= (=pacaur= is another choice, and fun fact: there is a reddit bot that tells you to switch to =pacaur= every time =yaourt= is mentioned in a post): =trizen= prompts user to inspect =PKGBUILD=, =*.install= and other scripts before sourcing them and =trizen= is written in Perl instead of Bash. To install =trizen=, first install dependencies via =pacman= according to its [[https://aur.archlinux.org/packages/trizen/][AUR Page]], then clone its [[https://github.com/trizen/trizen][git repo]] to a local directory. Navigate to the directory containing =PKGBUILD= and run
+#+BEGIN_SRC sh
+$ makepkg
+#+END_SRC
+to make package and
+#+BEGIN_SRC sh
+$ pacman -U trizen-*.pkg.tzr.xz
+#+END_SRC
+to install =trizen=.
+
+**** Useful Packages
+Once package manager is in place, install packages to your heart's content! Some of my bread-and-butter packages include =emacs= (I installed the cli-only version, =emacs-nox=), =tmux= (terminal multiplexor, very useful), =zsh=, =vim= (for quick edits), and etc.
+
+** Security Related Stuff
+Now that a usable Arch Linux installation is in place, I would employ some security measures before hosting my website on it.
+
+*** Secure Login via =ssh=
+On local machine, generate your ssh keypair:
+#+BEGIN_SRC sh
+$ ssh-keygen -t rsa
+#+END_SRC
+
+Send your ssh keys to server:
+#+BEGIN_SRC sh
+$ ssh-copy-id <username>@<server>
+#+END_SRC
+
+Now, on server, make the following edits to =/etc/ssh/sshd_config= :
+#+BEGIN_SRC sh
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+UsePAM no
+AllowUsers <username>
+#+END_SRC
+These changes will disable root login, disable password login and only allow specified user to login via ssh.
+
+It is advisible to also change the default port (22) used for ssh connection, in the same file, specify port by (please remember this port selection):
+#+BEGIN_SRC sh
+port <non-std-port>
+#+END_SRC
+
+For these changes to take effect, restart =ssh= daemon:
+#+BEGIN_SRC sh
+$ sudo systemctl restart sshd.service
+#+END_SRC
+
+Keep this =ssh= session intact and attempt to start another =ssh= connection in local machine to see if the changes have taken effect (the original session is needed in case things are not working):
+#+BEGIN_SRC sh
+$ ssh -p <non-std-port> <username>@<server>
+#+END_SRC
+
+*** Firewall Settings
+
+I use =ufw= as my firewall and it is very easy to setup. Install =ufw= with =trizen= and enable the desired ports:
+#+BEGIN_SRC sh
+$ trizen -S ufw
+$ sudo ufw allow <port>/<protocol>
+#+END_SRC
+
+For instance, to allow =ssh= communication, allow =22/tcp= or =ssh= (if you used a non-standard port, allow =<non-std-port>/tcp=). Some other useful ports are:
+
+| Port | Usage |
+|-----------+-------------------------------------|
+| =80/tcp= | =http= |
+| =443/tcp= | =https= |
+| =143= | imap access |
+| =993= | imap over =ssl= |
+| =25= | receive incoming mail |
+| =587= | smtp access (with or without =ssl=) |
+
+To review the added ports and enable them:
+#+BEGIN_SRC sh
+$ sudo ufw show added
+$ sudo ufw enable
+#+END_SRC
+
+Auto start up:
+#+BEGIN_SRC sh
+$ sudo systemctl enable ufw.service
+#+END_SRC
+
+*** Sync Server Time
+Sync server time with =ntp= :
+#+BEGIN_SRC sh
+$ trizen -S ntp
+$ sudo systemctl enable ntpd.service
+#+END_SRC
+
+Check time server status with:
+#+BEGIN_SRC sh
+$ ntpq -p
+#+END_SRC
+
+** Firing up the Server
+Next step would be actually preparing the server for serving contents.
+
+*** Create Web Directory
+Create a directory for serving web contents, a common choice would be:
+#+BEGIN_SRC sh
+$ mkdir ~/public_html
+#+END_SRC
+Make sure to give this directory (including the user =home= folder) appropriate permission with =chmod= (=755= would normally work). Populate the directory with a simple =index.html= for testing if you want.
+
+*** Instal =nginx=
+
+Install =nginx= with =trizen=, and edit =/etc/nginx/nginx.conf= to set up =http= server (the one set to =listen 80 default_server=):
+#+BEGIN_SRC
+server_name www.<domainname> <domainname>
+root /path/to/public_html
+#+END_SRC
+For the =server_name= line add as many as you want. You may want to put your mail server address on it as well so that you can generate a single ssl certificate for everything. After these changes are made, (re)start and enable =nginx=:
+#+BEGIN_SRC sh
+$ sudo systemctl restart nginx.service
+$ sudo systemctl enable nginx.service
+#+END_SRC
+
+*** DNS Setup
+
+The next step is to set up DNS records for our server. There are three types of records that need to be set up initially, =NS=, =A=, and =CNAME=. I also included some other useful records:
+
+| Type | Hostname | Value | Usage |
+| =NS= | @ | nameserver address | specifiec name server to use |
+| =A= | @ | supplied IPv4 address | redirects host name to IPv4 address |
+| =CNAME= | www (can be anything) | @ | sets =www.<hostname>= as an alias |
+| =MX= | @ | mail server address | specifiec mail server to use |
+| =CAA= | @ | authorizor of SSL certificate | prevents other authority from certifying SSL certificate |
+
+In my case, though I use Google Domains to host my domain, I still use DigitalOcean's name server. So I needed to setup these records on DigitalOcean and =NS= records on Google Domains.
+
+After this step, you website should be accessible via your domain name, although it may take a few hours for the DNS record to populate.
+
+*** SSL Certificate
+[[https://letsencrypt.org][Let's Encrypt]] is a great project and [[https://certbot.eff.org/][=certbot=]] is an awesome tool for SSL certificate generation. Kudos to the nice folks at EFF and Linux Foundation. I simply followed the instructions on [[https://certbot.eff.org/#arch-nginx][EFF site]]:
+
+#+BEGIN_SRC sh
+$ sudo pacman -S certbot-nginx
+$ sudo certbot --nginx
+#+END_SRC
+
+To provide some extra credibility to the certificate, I added an =CAA= record in my DNS settings with issue authority granted for =letsencrypt.org=. For now Let's Encrypt does not support wildcard certificate but will be [[https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html][January 2018]], and this is why I added a bunch of subdomains into my =nginx.config= (so that the certificate covers these subdomains as well).
+
+** What Now?
+After a couple hours (mostly waiting for DNS records to populate), and my website is online again. With a VPS at my disposal, I also host my personal email now and I might organize my random notes pieced from various websites into a post as well. I am still trying to figure out an efficient workflow for writing multilingual post with =org-mode= in =hugo= and once I am convinced I have found an acceptable solution, I will also post it.
diff --git a/content/posts/2017-09-25-server-setup.zh.org b/content/posts/2017-09-25-server-setup.zh.org
@@ -0,0 +1,265 @@
++++
+title = "新站点架设过程"
+date = 2017-09-24T10:43:29-05:00
+draft = false
+tags = ["Arch Linux",
+ "Server"]
+categories = ["Site Related"]
+slug = "my server setups and whatnot"
++++
+
+** 为何要重新建站?新站建在哪里?
+
+在忍受了笨重的 Wordpress 三年后(以及 Bluehost 充满2003年设计感的管理面板),我终于决定放弃旧站另起炉灶。我对 Wordpress 博客主要有这些不满:
+
+- 体积庞大,占用很多不必要的服务器空间。
+- 没法使用我熟悉的工具来方便地备份。
+- 没有良好的命令行界面,而命令行正在成为我做任何事情的首选工具。
+- 缺少一些我所需要的基本功能,比如多语言支持。在部分人手里 WordPress 或许极为强大,但是我不想投入时间学习 CSS/js/php ,也不想从那些源头不明的 WordPress 插件商店里下载任何东西。
+- 这些 WordPress 主题/插件商店让我想起 Ubuntu 软件中心。
+- WordPress 有很多我用不到的功能,比如用户系统。这用在个人博客上显然是杀鸡用牛刀。
+
+在我确定了自己的需求后,我很容易地就找到了替代品:一个用我所知道的编程语言(或者我愿意学习的编程语言)所实现的快而小巧并带有原生多语言支持的静态站点生成器,那就是 =hugo= 。
+
+至于站点托管服务,我本来考虑使用 github pages 或 netlify 这种简单快速的解决办法,但是考虑到是个人站点,还是 VPS 这种功能强大一些的选择比较合适。而且 github pages 不支持自定义域名的 https ,这对我来说无法接受。我列出了所有比较出名的 VPS 服务提供商,筛出支持 Arch Linux 的部分,最后选择了 DigitalOcean 。由于我想要完全切断和 Bluehost 的联系,我把自己的域名也转移到了 Google Domains 。
+
+** 安装 Arch Linux
+注意 Arch Linux 其实并不适合用作服务器操作系统。如果一切以系统稳定性为优先,那么选择一个非滚动更新的 Linux 发行版比较合适。我在服务器上用 Arch Linux 主要是因为我在我的所有其他电脑上也都运行 Arch Linux。如果你选择使用 Arch Linux 作为服务器操作系统,最好勤于备份:虽然我还没遇到这种情况,但是常有人抱怨 Arch Linux 很容易被玩坏。
+
+*** 安装系统
+显然我得到的关于 DigitalOcean 支持 Arch Linux 的情报已经过时了,他们已经停止支持 Arch Linux 有一阵子了。好在有 [[https://github.com/gh2o/digitalocean-debian-to-arch][digitalocean-debian-to-arch]] ,使得在水滴( droplet , DigitalOcean 对每个服务器的称呼)上安装 Arch Linux 并不困难。我只需要 [[https://www.digitalocean.com/community/tutorials/how-to-create-your-first-digitalocean-droplet][新建一个 droplet]] ,通过 =ssh= 登录服务器,并执行:
+
+#+BEGIN_SRC sh
+# wget https://raw.githubusercontent.com/gh2o/digitalocean-debian-to-arch/debian9/install.sh -O install.sh
+# bash install.sh
+#+END_SRC
+
+*** 系统设置
+上述安装完成后,我的 droplet 上就有了带有网络的 Arch Linux 。绝大部分的额外设置都可以在 [[https://wiki.archlinux.org/index.php/Installation_guide][Arch Wiki]] 找到。我并没有想把这篇日志写成完整的教程,所以细节部分最好参考 Arch Wiki。记录在这篇日志里的指令只是做个人记录之用。
+
+**** 系统时钟
+同步系统时钟并设置时区。
+#+BEGIN_SRC sh
+# timedatectl set-ntp true
+# timedatectl settimezone <Region>/<City>
+#+END_SRC
+
+**** 安装基础软件包
+安装/升级 =base= 和 =base-devel= 软件包。
+#+BEGIN_SRC sh
+# pacman -S base base-devel
+#+END_SRC
+
+**** Fstab
+
+生成 =fstab= 。
+#+BEGIN_SRC sh
+# genfstab -U / >> /etc/fstab
+#+END_SRC
+
+**** 设置系统语言环境
+在 =/etc/locale.conf= 里去掉 =en_US.UTF-8 UTF-8= 的注释,然后运行:
+#+BEGIN_SRC sh
+locale-gen
+#+END_SRC
+
+在 =/etc/locale.conf= 里设置 =LANG=en_US.UTF-8= 。
+
+**** 主机名
+编辑 =/etc/hosts= 以加入水滴的主机名:
+#+BEGIN_SRC sh
+127.0.1.1 <hostname>.localdomain <hostname>
+#+END_SRC
+
+**** 引导加载程序和 Initramfs
+针对英特尔处理器的优化:
+#+BEGIN_SRC
+# pacman -S intel-ucode
+# grub-mkconfig -o /boot/grub/grub.cfg
+#+END_SRC
+
+在 initramfs 里加入 =crc32= 模组,不然可能导致水滴无法启动。编辑 =/etc/mkinitcpio.conf= :
+#+BEGIN_SRC sh
+MODULES= "crc32 libcrc32c crc32c_generic crc32c-intel crc32-pclmul"
+#+END_SRC
+
+重新生成 initramfs 镜像。
+#+BEGIN_SRC sh
+# mkinitcpio -p linux
+#+END_SRC
+
+**** Root 用户密码
+你懂的。
+#+BEGIN_SRC sh
+# passwd
+#+END_SRC
+
+*** 用户设置
+这是一些让 Arch Linux 使用起来更加友好的设置。
+
+**** 创建用户帐号
+显然只使用 root 帐号不是什么好主意:
+#+BEGIN_SRC sh
+# useradd -m -G wheel -s /bin/bash <username>
+# passwd <username>
+#+END_SRC
+
+**** 把用户加入 Sudoer
+编辑 =/etc/sudoers= 并加入:
+#+BEGIN_SRC sh
+<username> ALL=(ALL) ALL
+#+END_SRC
+
+**** 以用户身份登录
+剩下的设置都会以用户身份执行:
+#+BEGIN_SRC
+# su <username>
+#+END_SRC
+
+**** 软件包管理器
+我一开始使用 =packer= 来同时使用 =pacman= 和安装 AUR 软件包。但是在我了解到其软件安装过程有 [[https://wiki.archlinux.org/index.php/AUR_helpers#Comparison_table][诸多安全隐患]] 后,我开始改用 =trizen= ( =pacaur= 是另一个较为稳妥的选择,而且在 reddit 上有一个机器人会在所有提到 =yaourt= 的帖子下面安利 =pacaur= ): =trizen= 会提示用户在安装前检查 =PKGBUILD= , =*.install= 以及其他代码,而且 =trizen= 是用 Perl 而不是 Bash 写的。想要安装 =trizen= ,先根据 [[https://aur.archlinux.org/packages/trizen/][AUR 页面]] 通过 =pacman= 安装 =trizen= 所依赖的软件包,然后克隆其 [[https://github.com/trizen/trizen][git 仓库]] 到本地。进入包含 =PKGBUILD= 的文件夹并运行:
+#+BEGIN_SRC sh
+$ makepkg
+#+END_SRC
+来编译软件包,
+#+BEGIN_SRC sh
+$ pacman -U trizen-*.pkg.tzr.xz
+#+END_SRC
+来安装 =trizen=.
+
+**** 常用软件包
+在设置完软件包管理器后,就可以大肆安装各种软件了!我的一些必备软件包括 =emacs= (在服务器上我只安装了命令行版本, =emacs-nox=), =tmux= (可以使用同一个命令行窗口来同时运行多个指令,非常有用), =zsh= , =vim= (作快速编辑之用)。
+
+** 安全相关
+Arch Linux 安装完成之后,我在把网站搬进去之前进行了一些安全方面的设置。
+
+*** 使用 =ssh= 安全登录
+在本地机器上生成 ssh 密匙:
+#+BEGIN_SRC sh
+$ ssh-keygen -t rsa
+#+END_SRC
+
+把 ssh 密匙发送到服务器:
+#+BEGIN_SRC sh
+$ ssh-copy-id <username>@<server>
+#+END_SRC
+
+接下来再服务器上编辑 =/etc/ssh/sshd_config= :
+#+BEGIN_SRC sh
+PermitRootLogin no
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+UsePAM no
+AllowUsers <username>
+#+END_SRC
+这些改动会禁止 root 账户登录,禁止使用密码登录,并只允许特定用户通过 ssh 登录。
+
+除此之外,把用于 ssh 的端口(默认为22)改掉也是一个很棒的安全措施。继续编辑同一个文件(请记牢所选择的端口):
+#+BEGIN_SRC sh
+port <non-std-port>
+#+END_SRC
+
+为了让这些改动生效,重启 =ssh= 进程:
+#+BEGIN_SRC sh
+$ sudo systemctl restart sshd.service
+#+END_SRC
+
+接下来保留目前的 =ssh= 链接不变并在一个新窗口内尝试建立新链接以确认一切正常(保留原有链接以防设置出错):
+#+BEGIN_SRC sh
+$ ssh -p <non-std-port> <username>@<server>
+#+END_SRC
+
+*** 防火墙设置
+
+ =ufw= 作为防火墙非常方便易用。使用 =trizen= 来安装 =ufw= 并开放允许连接的端口:
+#+BEGIN_SRC sh
+$ trizen -S ufw
+$ sudo ufw allow <port>/<protocol>
+#+END_SRC
+
+如果想要允许 =ssh= 链接,开放 =22/tcp= 或 =ssh= (如果你改掉了默认端口,开放 =<non-std-port>/tcp= )。其他一些常用的端口有:
+
+| Port | Usage |
+|-----------+-------------------------------|
+| =80/tcp= | =http= |
+| =443/tcp= | =https= |
+| =143= | imap 通信 |
+| =993= | imap =ssl= 通信 |
+| =25= | 收取外界来的邮件 |
+| =587= | smtp 通信 (不论有无 =ssl= ) |
+
+回顾已开放的端口并开启防火墙:
+#+BEGIN_SRC sh
+$ sudo ufw show added
+$ sudo ufw enable
+#+END_SRC
+
+设置自动启动:
+#+BEGIN_SRC sh
+$ sudo systemctl enable ufw.service
+#+END_SRC
+
+*** 同步服务器时间
+使用 =ntp= 同步服务器时间:
+#+BEGIN_SRC sh
+$ trizen -S ntp
+$ sudo systemctl enable ntpd.service
+#+END_SRC
+
+检查时间服务器的状态:
+#+BEGIN_SRC sh
+$ ntpq -p
+#+END_SRC
+
+** 正式启动服务器
+在完成以上设置后,就可以为服务器托管网站做准备了。
+
+*** 建立网页文件夹
+创建一个网页文件夹来放网页文件,一个比较普遍的选择是:
+#+BEGIN_SRC sh
+$ mkdir ~/public_html
+#+END_SRC
+
+确认该文件夹(以及用户的 =home= 文件夹)有合适的权限设置。权限设置可以用 =chmod= 修改(一般设成 =755= 就好)。可以在网页文件夹中放一个简单的 =index.html= 来方便测试。
+
+*** 安装 =nginx=
+
+用 =trizen= 安装 =nginx= ,并编辑 =/etc/nginx/nginx.conf= 来设立 =http= 服务器(带有 =listen 80 default_server= 设置的部分):
+#+BEGIN_SRC
+server_name www.<domainname> <domainname>
+root /path/to/public_html
+#+END_SRC
+
+在 =server_name= 这一行可以多列一些网址。如果你想一并架设邮箱服务器的话,一并将邮箱服务器地址列入网址就免去了生成额外的 ssl 证书的麻烦。在这些设置完成后,(重新)开始 =nginx= 并将其设为开机启动:
+#+BEGIN_SRC sh
+$ sudo systemctl restart nginx.service
+$ sudo systemctl enable nginx.service
+#+END_SRC
+
+*** DNS 设置
+
+下一步是为服务器完成 DNS 记录的设置。一开始必须设置的记录有三种: =NS= , =A= ,和 =CNAME= 。我记下了一些比较常用的记录:
+
+| 记录种类 | 主机名 | 数值 | 用法 |
+| =NS= | @ | DNS 服务器的地址 | 确认用于解析域名的服务器 |
+| =A= | @ | 水滴的 IPv4 地址 | 将主机名重定向到 IP 地址 |
+| =CNAME= | www (可以是任何东西) | @ | 将 =www.<hostname>= 设为主机名的 |
+| =MX= | @ | 邮箱服务器地址 | 指定邮箱服务器 |
+| =CAA= | @ | 标明 SSL 证书的授权机构 | 阻止其他授权机构为本站发行 SSL 证书 |
+
+我的域名托管在 Google Domains ,但我的网站用的是 DigitalOcean 的 DNS ,所以我需要在 DigitalOcean 上完成设置并在 Google Domains 里加入 =NS= 记录。
+
+在完成这些设置后,我就可以通过我的域名访问所架设的网站了,不过 DNS 记录通常需要数小时才会完全生效。
+
+*** SSL 证书
+[[https://letsencrypt.org][Let's Encrypt]] 是个非常棒的项目。使用 [[https://certbot.eff.org/][=certbot=]] 这个工具就可以很方便的生成 SSL 证书。这里向 EFF 和 Linux 基金会的人们致以谢意。生成证书只需要运行 [[https://certbot.eff.org/#arch-nginx][EFF 网站]] 上所记载的命令即可:
+
+#+BEGIN_SRC sh
+$ sudo pacman -S certbot-nginx
+$ sudo certbot --nginx
+#+END_SRC
+
+为了给证书增加一点可信度,我还在 DNS 记录中加了一条 =CAA= 记录,标明 =letsencrypt.org= 是唯一允许给本站 SSL 证书授权的机构。目前 Let's Encrypt 还不支持通配符证书,不过会在 [[https://letsencrypt.org/2017/07/06/wildcard-certificates-coming-jan-2018.html][2018年1月]] 添加这一支持。由于没有通配符证书,我只好在 =nginx.config= 里加上所有二级域名(这样生成证书的才能够为这些域名提供验证)。
+
+** 下一步?
+在鼓捣了几个小时后(其实大部分时间是在等 DNS 记录扩散),我的新站就上线了。既然选择了运行 VPS,我打算好好发挥它的潜能并架设了自己的电子邮箱。我正在考虑把架设邮箱过程中从各个网站七拼八凑其来的命令行笔记也整理成一篇日志。目前我仍在试图寻找使用 =org-mode= 在 =hugo= 里写多语言日志的最优工作流程。当我确信已经找到一套可以接受的解决方案的时候我会一并写成日志。
diff --git a/i18n/en.toml b/i18n/en.toml
@@ -12,7 +12,13 @@ other = "Categories"
# Translation for tags
[Hugo]
-other = "Hugo"
+other = "hugo"
+
+[Arch\ Linux]
+other = "Arch Linux"
+
+[Server]
+other = "server"
# Translation for categories
[Site\ Related]
diff --git a/i18n/zh.toml b/i18n/zh.toml
@@ -12,7 +12,13 @@ other = "分类"
# Translation for tags
[Hugo]
-other = "Hugo"
+other = "hugo"
+
+[Arch\ Linux]
+other = "Arch Linux"
+
+[Server]
+other = "服务器"
# Translation for categories
[Site\ Related]