blog: site to site wireguard part 4 draft (#33)

* blog: site to site wireguard part 4 draft

* blog/site-to-site-wireguard-part-4: typo fixes

* don't curl2bash

* release it today yolo

* show permissions here

* oops

* what

5 files changed, 349 insertions, 0 deletions

diff --git a/blog/site-to-site-wireguard-part-1-2019-04-02.markdown b/blog/site-to-site-wireguard-part-1-2019-04-02.markdown
index 21be021..7fa5471 100644
--- a/blog/site-to-site-wireguard-part-1-2019-04-02.markdown
+++ b/blog/site-to-site-wireguard-part-1-2019-04-02.markdown
@@ -12,6 +12,7 @@ This series is going to be broken up into multiple posts about as follows:
 - Part 1 - Names and Numbers (this post)
 - [Part 2 - DNS](https://christine.website/blog/site-to-site-wireguard-part-2-2019-04-07)
 - [Part 3 - Custom TLS Certificate Authority](https://christine.website/blog/site-to-site-wireguard-part-3-2019-04-11)
+- [Part 4 - HTTPS](https://christine.website/blog/site-to-site-wireguard-part-4-2019-04-16)
 - Setting up additional iOS, macOS, Android and Linux clients
 - Other future fun things (seamless tor2web routing, etc)
 
diff --git a/blog/site-to-site-wireguard-part-2-2019-04-07.markdown b/blog/site-to-site-wireguard-part-2-2019-04-07.markdown
index c0dd1ee..beeabfd 100644
--- a/blog/site-to-site-wireguard-part-2-2019-04-07.markdown
+++ b/blog/site-to-site-wireguard-part-2-2019-04-07.markdown
@@ -10,6 +10,7 @@ This is the second in my Site to Site WireGuard VPN series. You can read the oth
 - [Part 1 - Names and Numbers](https://christine.website/blog/site-to-site-wireguard-part-1-2019-04-02)
 - Part 2 - DNS (this post)
 - [Part 3 - Custom TLS Certificate Authority](https://christine.website/blog/site-to-site-wireguard-part-3-2019-04-11)
+- [Part 4 - HTTPS](https://christine.website/blog/site-to-site-wireguard-part-4-2019-04-16)
 - Setting up additional iOS, macOS, Android and Linux clients
 - Other future fun things (seamless tor2web routing, etc)
 
diff --git a/blog/site-to-site-wireguard-part-3-2019-04-11.markdown b/blog/site-to-site-wireguard-part-3-2019-04-11.markdown
index 40e9364..ec37d8b 100644
--- a/blog/site-to-site-wireguard-part-3-2019-04-11.markdown
+++ b/blog/site-to-site-wireguard-part-3-2019-04-11.markdown
@@ -10,6 +10,7 @@ This is the third in my Site to Site WireGuard VPN series. You can read the othe
 - [Part 1 - Names and Numbers](https://christine.website/blog/site-to-site-wireguard-part-1-2019-04-02)
 - [Part 2 - DNS](https://christine.website/blog/site-to-site-wireguard-part-2-2019-04-07)
 - Part 3 - Custom TLS Certificate Authority (this post)
+- [Part 4 - HTTPS](https://christine.website/blog/site-to-site-wireguard-part-4-2019-04-16)
 - Setting up additional iOS, macOS, Android and Linux clients
 - Other future fun things (seamless tor2web routing, etc)
 
diff --git a/blog/site-to-site-wireguard-part-4-2019-04-16.markdown b/blog/site-to-site-wireguard-part-4-2019-04-16.markdown
new file mode 100644
index 0000000..5862cc0
--- /dev/null
+++ b/blog/site-to-site-wireguard-part-4-2019-04-16.markdown
@@ -0,0 +1,346 @@
+---
+title: "Site to Site WireGuard: Part 4 - HTTPS"
+date: 2019-04-16
+series: site-to-site-wireguard
+---
+
+# Site to Site WireGuard: Part 4 - HTTPS
+
+This is the fourth post in my Site to Site WireGuard VPN series. You can read the other articles here:
+
+- [Part 1 - Names and Numbers](https://christine.website/blog/site-to-site-wireguard-part-1-2019-04-02)
+- [Part 2 - DNS](https://christine.website/blog/site-to-site-wireguard-part-2-2019-04-07)
+- [Part 3 - Custom TLS Certificate Authority](https://christine.website/blog/site-to-site-wireguard-part-3-2019-04-11)
+- Part 4 - HTTPS (this post)
+- Setting up additional iOS, macOS, Android and Linux clients
+- Other future fun things (seamless tor2web routing, etc)
+
+In this article, we are going to install [Caddy](https://caddyserver.com) and set up the following:
+
+- A plaintext markdown site to demonstrate the process
+- A URL shortener at https://g.o/ (with DNS and TLS certificates too)
+
+## HTTPS and Caddy
+
+[Caddy](https://caddyserver.com) is a general-purpose HTTP server. One of its main features is automatic [Let's Encrypt](https://letsencrypt.org) support. We are using it here to serve HTTPS because it has a very, very simple configuration file format.
+
+Caddy doesn't have a stable package in Ubuntu yet, but it is fairly simple to install it by hand.
+
+## Installing Caddy
+
+One of the first things you should do when installing Caddy is picking the list of extra plugins you want in addition to the core ones. I generally suggest the following plugins:
+
+- [`http.cors`](https://caddyserver.com/docs/http.cors) - [Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), because we can't trust browsers
+- [`http.git`](https://caddyserver.com/docs/http.git) - it facilitates automatic deployment
+- [`http.supervisor`](https://caddyserver.com/docs/http.supervisor) - run background processes
+
+First we are going to need to download Caddy (please do this as root):
+
+```console
+curl https://getcaddy.com > install_caddy.sh
+bash install_caddy.sh -s personal http.cors,http.git,http.supervisor
+chown root:root /usr/local/bin/caddy
+chmod 755 /usr/local/bin/caddy
+```
+
+These permissions are set as such:
+
+| Facet            | Read | Write | Directory Listing |
+| :--------------- | :--- | :---- | :---------------- |
+| User (root) | Yes  | Yes   | Yes               |
+| Group (root) | Yes  | No    | Yes               |
+| Others           | Yes  | No    | Yes               |
+
+In order for Caddy to bind to the standard HTTP and HTTPS ports as non-root (this is a workaround for the fact that [Go can't currently drop permissions with suid() cleanly](https://github.com/golang/go/issues/1435)), run the following:
+
+```console
+setcap 'cap_net_bind_service=+eip' /usr/local/bin/caddy
+```
+
+Caddy expects configuration file/s to exist at `/etc/caddy`, so let's create the folders for them:
+
+```console
+mkdir -p /etc/caddy
+touch /etc/caddy/Caddyfile
+chown -R root:www-data /etc/caddy
+```
+
+### Let's Encrypt Certificate Permissions
+
+Caddy's systemd unit expects to be able to create new certificates at `/etc/ssl/caddy`:
+
+```console
+mkdir -p /etc/ssl/caddy
+chown -R www-data:root /etc/ssl/caddy
+chmod 770 /etc/ssl/caddy
+```
+
+These permissions are set as such:
+
+| Facet            | Read | Write | Directory Listing |
+| :--------------- | :--- | :---- | :---------------- |
+| User (www-data)  | Yes  | Yes   | Yes               |
+| Group (root)     | Yes  | Yes   | Yes               |
+| Others           | No   | No    | No                |
+
+This will allow only Caddy and root to manage certificates in that folder.
+
+### Custom CA Certificate Permissions
+
+In the [last post](https://christine.website/blog/site-to-site-wireguard-part-3-2019-04-11), custom certificates were created at `/srv/within/certs`. Caddy is going to need to have the correct permissions in order to be able to read them.
+
+```shell
+#!/bin/sh
+chmod -R 750 .
+chown -R root:www-data .
+chmod 600 minica-key.pem
+```
+
+Then mark it executable:
+
+```
+chmod +x fixperms.sh
+```
+
+These permissions are set as such:
+
+| Facet            | Read | Write | Execute/Directory Listing |
+| :--------------- | :--- | :---- | :------------------------ |
+| User (root)      | Yes  | Yes   | Yes                       |
+| Group (www-data) | Yes  | No    | Yes                       |
+| Others           | No   | No    | No                        |
+
+This will allow Caddy to be able to read the certificates later in the post. Run this after certificates are created.
+
+```
+cd /srv/within/certs
+./fixperms.sh
+```
+
+### HTTP Root Permissions
+
+I dypically store all of my websites under `/srv/http/domain.name.here`. To create a folder like this:
+
+```console
+mkdir -p /srv/http
+chown www-data:www-data /srv/http
+chmod 755 /srv/http
+```
+
+These permissions are set as such:
+
+| Facet            | Read | Write | Directory Listing |
+| :--------------- | :--- | :---- | :---------------- |
+| User (www-data)  | Yes  | Yes   | Yes               |
+| Group (www-data) | Yes  | No    | Yes               |
+| Others           | Yes  | No    | Yes               |
+
+### Systemd
+
+To install the [upstream systemd unit](https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service), run the following:
+
+```console
+curl -L https://github.com/mholt/caddy/raw/master/dist/init/linux-systemd/caddy.service \
+      | sed "s/;CapabilityBoundingSet/CapabilityBoundingSet/" \
+      | sed "s/;AmbientCapabilities/AmbientCapabilities/" \
+      | sed "s/;NoNewPrivileges/NoNewPrivileges/" \
+      | tee /etc/systemd/system/caddy.service
+chown root:root /etc/systemd/system/caddy.service
+chmod 744 /etc/systemd/system/caddy.service
+systemctl daemon-reload
+systemctl enable caddy.service
+```
+
+These permissions are set as such:
+
+| Facet        | Read | Write | Execute |
+| :----------- | :--- | :---- | :------ |
+| User (root)  | Yes  | Yes   | Yes     |
+| Group (root) | Yes  | No    | No      |
+| Others       | Yes  | No    | No      |
+
+This will also configure Caddy to start on boot.
+        
+    * Configure Caddy for static file serving for aloha.pele
+        * root directive
+        * browse directive
+    * Link to Caddy documentation
+    
+## Configure aloha.pele
+
+In the last post, we created the domain and TLS certificates for `aloha.pele`. Let's create a website for it.
+
+Open `/etc/caddy/Caddyfile` and add the following:
+
+```
+# /etc/caddy/Caddyfile
+
+aloha.pele:80 {
+  tls off
+  redir / https://aloha.pele:443
+}
+
+aloha.pele:443 {
+  tls /srv/within/certs/aloha.pele/cert.pem /srv/within/certs/aloha.pele/key.pem
+  
+  internal /templates
+  
+  markdown / {
+    template templates/page.html
+  }
+  
+  ext .md
+  browse /
+  
+  root /srv/http/aloha.pele
+}
+```
+
+And create `/srv/http/aloha.pele/templates`:
+
+```console
+mkdir -p /srv/http/aloha.pele/templates
+chown -R www-data:www-data /srv/http/aloha.pele/templates
+```
+
+And open `/srv/http/aloha.pele/templates/page.html`:
+
+```html
+<!-- /srv/http/aloha.pele/templates/page.html -->
+
+<html>
+  <head>
+    <title>{{ .Doc.title }}</title>
+    <style>
+      main {
+        max-width: 38rem;
+        padding: 2rem;
+        margin: auto;
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <nav>
+        <a href="/">Aloha</a>
+      </nav>
+      
+      {{ .Doc.body }}
+    </main>
+  </body>
+</html>
+```
+
+This will give a nice [simple style kind of like this](https://jrl.ninja/etc/1/) using [Caddy's built-in markdown templating support](https://caddyserver.com/docs/markdown). Now create `/srv/http/aloha.pele/index.md`:
+
+```markdown
+<!-- /srv/http/aloha.pele/index.md -->
+
+# Aloha!
+
+This is an example page, but it doesn't have anything yet. If you see me, HTTPS is probably working.
+```
+
+Now let's enable and test it:
+
+```
+systemctl restart caddy
+systemctl status caddy
+```
+
+If Caddy shows as running, then testing it via [LibTerm](https://itunes.apple.com/us/app/libterm/id1380911705?ls=1&mt=8) should work:
+
+```
+curl -v https://aloha.pele
+```
+
+## URL Shortener
+
+I have created a simple [URL shortener backend](https://github.com/Xe/surl) on my GitHub. I personally have it accessible at https://g.o for my internal network. It is very simple to configure:
+
+| Environment Variable | Value                              |
+| :------------------- | :--------------------------------- |
+| `DOMAIN`             | `g.o`                              |
+| `THEME`              | `solarized.css` (or `gruvbox.css`) |
+
+surl requires a SQLite database to function. To store it, create a docker volume:
+
+```console
+docker volume create surl
+```
+
+And to create the surl container and register it for automatic restarts:
+
+```console
+docker run --name surl -dit -p 10.55.0.1:5000 \
+  --restart=always \
+  -e DOMAIN=g.o \
+  -e THEME=solarized.css \
+  -v surl:/data xena/surl:v0.4.0
+```
+
+Now create a DNS record for `g.o.`:
+
+```
+; pele.zone
+
+;; URL shortener
+g.o. IN CNAME oho.pele.
+```
+
+And a TLS certificate:
+
+```console
+cd /srv/within/certs
+minica -domains g.o
+./fixperms.sh
+```
+
+And add Caddy configuration for it:
+
+```
+# /etc/caddy/Caddyfile
+
+g.o:80 {
+  tls off
+  
+  redir / https://g.o
+}
+
+g.o:443 {
+  tls /srv/within/certs/g.o/cert.pem /srv/within/certs/g.o/key.pem
+  
+  proxy / http://10.55.0.1:5000
+}
+```
+
+Now restart Caddy to load the configuration and make sure it works:
+
+```console
+systemctl restart caddy
+systemctl status caddy
+```
+
+And open [https://g.o](https://g.o) on your iOS device:
+
+<style>
+img {
+  max-width: 400px;
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+</style>
+
+![An image of the URL shortener in action](/static/img/site-to-site-part-4-gdoto.jpg)
+
+You can use the other [directives](https://caddyserver.com/docs) in the Caddy documentation to do more elaborate things. [When Then Zen](https://when-then-zen.christine.website) is hosted completely with [Caddy using the markdown directive](https://github.com/Xe/when-then-zen/blob/master/Caddyfile); but even this is ultimately a simple configuration.
+
+---
+
+This seems like enough for this time. Next time we are going to approach adding other devices of yours to this network: iOS, Android, macOS and Linux.
+
+Please give me [feedback](/contact) on my approach to this. I also have a [Patreon](https://www.patreon.com/cadey) and a [Ko-Fi](https://ko-fi.com/A265JE0) in case you want to support this series. I hope this is useful to you all in some way. Stay tuned for the future parts of this series as I build up the network infrastructure from scratch. If you would like to give feedback on the posts as they are written, please watch [this page](https://github.com/Xe/site/pulls) for new pull requests.
+
+Be well. The sky is the limit, Creator!
+
diff --git a/static/img/site-to-site-part-4-gdoto.jpg b/static/img/site-to-site-part-4-gdoto.jpg
new file mode 100644
index 0000000..4ca61a6
--- /dev/null
+++ b/static/img/site-to-site-part-4-gdoto.jpg