Install WriteFreely on Ubuntu 19.04

This guide will walk you through the process of installing WriteFreely on Ubuntu 19.04 Disco Dingo.

We will run WriteFreely behind nginx, so we can run other applications on the same server.

In this guide we will set up the application for multiple users and with registrations open. You can adjust this to your use case; details will be provided.

I will give instructions assuming you are logged in to your server as root for the duration of this guide. If you prefer to log in with the user created in the guide, you will need to use sudo, e.g. sudo ufw allow ssh

Server Set Up

Start by provisioning a new Ubuntu 19.04 VPS, or get an image and install Ubuntu on an old computer.

Without a VPS you will likely need to find another method of obtaining and using a static IP address, which is outside the scope of this article.

I like to use Vultr *affiliate link, you get $50 free credit and I get $25.

Basic Security Hardening

I'm going to cheat here and just give an overview and some links.

There are a few basic things you should have in place to protect your new server from curious third parties.

Create Another User

This will be the user account you use when administering the server; it should have sudo privileges. guide

Restrict SSH

Before you make any changes, make sure you have generated an SSH key on your local machine. Then copy the ID up to the server with ssh-copy-id username@server-ip, assuming you created the standard ~/.ssh/id_rsa.pub.

Then disallow root login over SSH, as well as password based logins.

Some people prefer to change the default port, which doesn't stop potential intrusions but does reduce the logging and attempts.

My own guide here.
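
A way to confirm that the two SSH restrictions above actually took effect, as an added example that is not part of the original guide. The function names and the sample config are constructed for illustration; the check reads only the global section of an sshd_config file.

```shell
#!/bin/sh
# Added example. Prints the effective global value of an sshd_config keyword.
# sshd keeps the FIRST occurrence of a keyword, keywords are case-insensitive,
# and lines after a "Match" line only apply conditionally.
sshd_global_value() {  # usage: sshd_global_value KEYWORD FILE DEFAULT
    awk -v key="$1" -v dflt="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (k == "match") exit       # end of the global section
            if (k == key && n >= 2) { val = tolower(f[2]); found = 1; exit }
        }
        END { print (found ? val : dflt) }
    ' "$2"
}

# Returns 0 only if root login and password logins are both disabled.
# The defaults passed for absent keywords are the upstream OpenSSH defaults.
check_ssh_hardening() {  # usage: check_ssh_hardening FILE
    rc=0
    root=$(sshd_global_value PermitRootLogin "$1" prohibit-password)
    pass=$(sshd_global_value PasswordAuthentication "$1" yes)
    [ "$root" = "no" ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    [ "$pass" = "no" ] || { echo "FAIL PasswordAuthentication=$pass"; rc=1; }
    return $rc
}

# Constructed sample: the later "PermitRootLogin no" is ignored because the
# first occurrence wins, a common reason an edit seems to have no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server config
Port 22
permitrootlogin yes
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
check_ssh_hardening "$sample" || echo "sample config is not hardened"
```

On the server itself, run check_ssh_hardening /etc/ssh/sshd_config before closing your current session; sshd -T prints the configuration the daemon will actually use and is the authoritative check.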

Firewall

A basic firewall goes a long way. Using UFW makes this easy.

Allow ssh, so we can come back and don't lose our connection when we restart the SSH daemon: ufw allow ssh

Then enable it with ufw enable; you can see the status with ufw status.

Fail2Ban

Fail2Ban helps filter out and ban failed login attempts, and provides some insight into the current volume and origin of attempts. guide

Database

In this guide we will set up the open source MySQL implementation, MariaDB.

Follow the set up here and remember to store your secure admin password somewhere safe. *The tutorial is for 18.04 but should work the same.

NGINX

Follow the guide here *Again for 18.04 but nothing has changed here.

Install and Configure WriteFreely

Now we will go over the installation and configuration of the WriteFreely application itself. This includes setting up our database and NGINX configuration.

Installation

Download and install the latest version of WriteFreely from here.

Then follow the production guide.

During writefreely --config you need to choose the following (most are the defaults):

* Server setup:
  * Production, behind reverse proxy
  * Local port: 8080
* Database setup:
  * MySQL
  * Username: pick a MySQL username
  * Password: pick a MySQL password
  * Host: localhost
  * Port: 3306
* App setup:
  * Multi-user instance
  * Instance name: choose an instance name
  * Public URL: enter a public domain you own
  * Registration: you pick
  * Max blogs per user: you pick
  * Federation: enabled
  * Federation usage stats privacy: public
  * Metadata privacy: public

You can just copy the NGINX config from that guide and use it to replace the contents of your /etc/nginx/sites-available/default. Make sure to edit the parts in bold.

Do the same for the systemd service making necessary changes.

Let's Encrypt

Before starting this, make sure to update your domain's DNS settings to point at the new server, which is unfortunately outside the scope of this guide.

Now add the certbot ppa:

$ apt-add-repository ppa:certbot/certbot

Press enter to confirm when prompted. Then update the cache and install certbot with its dependencies:

$ apt update
...
$ apt install certbot python-certbot-nginx

Then have certbot set up and provision some certificates for you. Follow the prompts provided.

$ certbot --nginx

That's it for certificates. The email entered during this step will be notified when expiry is getting close. Renewal should be taken care of automatically by a cron job though; to test that it's working, run certbot renew --dry-run.

First Run

On the first run, the user you sign up with becomes the admin. Then you can adjust some of the settings from within the admin panel.

Backups

Database

Coming soon. I promise, as soon as I figure it out.

Storage Off-Site

I use a home server that is not exposed to the internet to sync backups from my cloud VPS. It's just a cron job and a simple script that runs rsync. The home server has its own SSH key for authentication.