Pleroma Server Setup

This guide attempts to define a secure, high-quality baseline for a Pleroma install. It assumes a completely bare machine. If your machine is not bare, take care with every step, especially the firewall, to make sure you do not break anything that is already running on it. The instructions will probably work on Ubuntu as well, but there you will want to use the native firewall, ufw, instead of the nftables setup below. This guide will not teach you in detail how to use a Linux/*nix system, in particular how to use a text editor; it only covers how to set things up well.

When you are finished, the Pleroma install guide is here.

Install Debian 12 Bookworm

  1. Follow the instructions to set up Debian 12 Bookworm. If you know how, I recommend a manual partition layout with a separate 1 GB partition mounted at /var/log: if the logs ever fill up, only that partition fills, and the rest of the system keeps running.

    Remember the name of the non-root user you created during the install. For this guide I will call it user1.

  2. Log in as root.

  3. Install sudo: apt update && apt install sudo

  4. Add your non-root user to the sudo group: usermod -a -G sudo user1

Firewall

As mentioned, this section is Debian-specific. It would also work on Ubuntu, but Ubuntu already ships a firewall front end (ufw) with its own rules; use that there rather than running both.

  1. Install the firewall: apt install -y nftables

  2. Configure the firewall to allow only SSH and web traffic. Use vi or nano to edit /etc/nftables.conf so it reads as follows. Loopback must be accepted because nginx, Pleroma and PostgreSQL talk to each other on 127.0.0.1, and ICMPv6 must be accepted or IPv6 (neighbour discovery) stops working. The flush ruleset line makes loading the file replace the live rules in one atomic step instead of appending to them:

    #!/usr/sbin/nft -f
    flush ruleset
    table inet filter {
        chain input {
            type filter hook input priority filter; policy drop;

            # Local services (nginx -> Pleroma -> PostgreSQL) talk over loopback
            iifname "lo" accept

            # Accept established connections, drop packets that belong to none
            ct state established,related accept
            ct state invalid drop

            # ICMP for path MTU discovery; ICMPv6 is mandatory for IPv6 to work
            meta l4proto { icmp, ipv6-icmp } accept

            # Allow SSH, HTTP, and HTTPS
            tcp dport { ssh, http, https } accept

            # Everything else falls through to the drop policy
        }
        chain forward {
            type filter hook forward priority filter; policy drop;
        }
        chain output {
            type filter hook output priority filter; policy accept;
        }
    }
    
  3. Check the file for errors: nft -c -f /etc/nftables.conf. No output means it parsed cleanly. This is a syntax check only: if you run SSH on a non-standard port, make sure that port number, not ssh, is in the dport set before going any further, or you will lock yourself out.

  4. Flush the existing rules, in case there are any. On Debian 12 the iptables command, if it is installed at all, is a front end to nftables, so nft flush ruleset removes those rules too; iptables -F is only needed when the legacy iptables package is present. If your file starts with flush ruleset, the restart in the next step does this for you atomically and you can skip this step. Otherwise it leaves the machine with no firewall until the next step, so run it immediately before step 5:

    nft flush ruleset
    iptables -F    # only if the iptables package is installed
    
  5. Enable nftables so the rules are loaded on every boot, and restart it to load them now: systemctl enable nftables && systemctl restart nftables

  6. Verify the rules are in place: nft list ruleset should print the table you wrote. Your current SSH session should still be connected, since it is an established connection. Now your firewall is set up.
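Steps 3 to 6 above, wrapped in a script that cannot lock you out, as an added example (this is not code from the guide or from Pleroma): it syntax-checks the file, snapshots the live ruleset, loads the new one, and starts a timer that restores the snapshot unless you confirm from a fresh SSH session before it fires. It assumes the config file begins with flush ruleset, as Debian's stock /etc/nftables.conf does, so loading it replaces rather than appends to the live rules. The NFT and FW_STATE variables and the fw_apply/fw_confirm names are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the guide or from Pleroma): load an nftables ruleset
# with a dead-man switch. The live ruleset is snapshotted, the new file is
# syntax-checked and loaded, and a background timer restores the snapshot
# unless fw_confirm runs before it fires. Assumes CONF starts with
# "flush ruleset" so that loading it replaces the live rules atomically.
# NFT and FW_STATE are assumptions of this example and can be overridden;
# the defaults are the real binary and a state directory under /run.
NFT=${NFT:-nft}
FW_STATE=${FW_STATE:-/run/fw-rollback}

# fw_apply CONF [SECONDS]: load CONF, roll back after SECONDS (default 90)
fw_apply() {
    conf=$1
    secs=${2:-90}
    mkdir -p "$FW_STATE"
    if ! $NFT -c -f "$conf"; then
        echo "fw_apply: $conf has syntax errors, nothing changed" >&2
        return 1
    fi
    # A listed ruleset only restores faithfully when prefixed with a flush;
    # otherwise reloading it would append duplicates to whatever is live.
    { echo "flush ruleset"; $NFT list ruleset; } > "$FW_STATE/snapshot.nft" || return 1
    $NFT -f "$conf" || return 1
    (
        sleep "$secs"
        $NFT -f "$FW_STATE/snapshot.nft"    # not confirmed in time: roll back
        rm -f "$FW_STATE/timer.pid"
    ) &
    echo $! > "$FW_STATE/timer.pid"
    echo "fw_apply: new ruleset is live; run fw_confirm within ${secs}s or it is rolled back"
}

# fw_confirm: cancel the pending rollback (run this from a NEW ssh session,
# which proves the new rules still let you in)
fw_confirm() {
    if [ ! -f "$FW_STATE/timer.pid" ]; then
        echo "fw_confirm: no rollback pending (too late, or nothing applied)" >&2
        return 1
    fi
    kill "$(cat "$FW_STATE/timer.pid")" 2>/dev/null || true
    rm -f "$FW_STATE/timer.pid"
    echo "fw_confirm: ruleset kept"
}

# As a script:  ./fw-apply.sh apply /etc/nftables.conf 90   then   ./fw-apply.sh confirm
case "${1:-}" in
    apply)   fw_apply "$2" "${3:-90}" ;;
    confirm) fw_confirm ;;
esac
```

Run it as root: apply the file, open a second SSH session, and if that session works run the confirm step in it; if the second session hangs, wait out the timer, which puts the old rules back, and fix the file. The snapshot is what nft list ruleset printed at the time, so on a freshly installed box it is an empty (fully open) ruleset, which is exactly the state you were reachable in.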

SSH keys

To make the machine as secure as possible, we want to require an SSH key to log in instead of a password. If you already have a key then you know how to use it, so set it up and skip to the next section. I recommend a YubiKey or Nitrokey, but this guide explains how to do it without hardware. That is less secure but does not require buying anything.

  1. On your DESKTOP machine, NOT your server, open a terminal and run ssh-keygen -t ed25519. Enter a passphrase to encrypt the private key (pressing enter leaves it unencrypted, which is less secure). The key is saved under your own home directory; the output below was captured as root and shows /root, but on your desktop it will be something like /home/you/.ssh/id_ed25519. You should get output like:

    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/root/.ssh/id_ed25519):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_ed25519
    Your public key has been saved in /root/.ssh/id_ed25519.pub
    The key fingerprint is:
    SHA256:KRftpjMHxwaDggoKh1RD7Yljy2MkHE7+nTzmMb/IUyo root@pleroma
    The key's randomart image is:
    +--[ED25519 256]--+
    | .o+.            |
    |.+ ... . .       |
    |O + + o + .      |
    |+B = +   B       |
    |o * = o S *      |
    |   * O + *       |
    |  . + B + .      |
    |   E.+.. +       |
    |    .o...        |
    +----[SHA256]-----+
    

Keep track of where the keys are, because you will need both: the public key (the .pub file) goes onto the server, and the private key stays on your desktop and is never copied anywhere.

  2. Print the contents of the public key, using the path ssh-keygen reported above: cat /root/.ssh/id_ed25519.pub. You should get a single line similar to:

    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtNJsfpB33LnswA9YRLsH4NrZq+V4cY+LJVVmDVemIP root@pleroma
    
  3. Switch back to your new server. Log in there as the user you will use over SSH from now on (user1 from the install step, not root) and run:

    cd ~
    mkdir .ssh
    chmod 700 .ssh
    touch .ssh/authorized_keys
    chmod 600 .ssh/authorized_keys
    

Then, using vi or nano, open .ssh/authorized_keys and paste in the single line from step 2. (From the desktop, ssh-copy-id -i ~/.ssh/id_ed25519.pub user1@yourserver does these steps for you in one command.)

  4. Now, using vi or nano, edit /etc/ssh/sshd_config and look for a line like PasswordAuthentication yes. It may be commented out with a #, it may already say no, or it may be missing. Make it say PasswordAuthentication no, uncommented. Be aware that sshd uses the first value it reads for an option, and on Debian 12 the first line of sshd_config is Include /etc/ssh/sshd_config.d/*.conf, so a file in that directory (some cloud images add one) overrides anything further down in sshd_config: check ls /etc/ssh/sshd_config.d/ and fix any PasswordAuthentication yes you find there. If you will only ever log in as user1, also set PermitRootLogin no. Save and exit the editor, then confirm the effective setting and the syntax: sshd -T | grep -i passwordauthentication must print passwordauthentication no, and sshd -t must print nothing.

  5. Restart SSH: systemctl restart ssh and DO NOT CLOSE YOUR CURRENT WINDOW. If the new configuration locks you out, this session is your only way back in.

  6. Open another terminal on your desktop and try to connect again using the private key from step 1 (ssh-keygen calls it your "identification"):

    ssh -i whateverkeylocation whateveruser@whateverdomain
    

    For example:

    ssh -i ~/.ssh/id_ed25519 user1@banana.example.net
    

    Make sure you can connect! Also make sure a password login is now refused: ssh -o PubkeyAuthentication=no user1@banana.example.net must fail with "Permission denied (publickey)". If both checks pass, you are safe and can continue. If the key login fails, undo the change in the window you kept open, restart ssh again, and work out what went wrong before retrying.
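An added example (not from the guide) showing why the position of the PasswordAuthentication line matters: sshd keeps the first value it reads for an option, and Debian 12's stock sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file there that says yes silently wins over a no appended to the bottom of sshd_config. The script builds a constructed copy of such a layout in a temporary directory, resolves the effective value the way sshd does (Include expanded in place in glob order, first value wins, Match blocks skipped for the global value), and shows the fix of a 00- drop-in that sorts before the others. The function names and the files under the temporary directory are this example's own; on a real box, sshd -T is the authoritative answer.

```sh
#!/bin/sh
# Added example (not code from the guide): resolve the value sshd will actually
# use for an option. sshd keeps the FIRST value it reads, and Debian 12's stock
# /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", so a
# drop-in there beats a line appended to the bottom of sshd_config.
# Function names and the files built under $DEMO are this example's own.

# Print FILE with each Include directive replaced by the included files,
# in the order sshd reads them (glob expansion, sorted like glob(3)).
_sshd_conf_walk() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                     # split the line into words without globbing
        set -- $line
        set +f
        if [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pattern in "$@"; do
                case "$pattern" in /*) ;; *) pattern="/etc/ssh/$pattern" ;; esac
                for inc in $pattern; do      # unquoted on purpose: glob, sorted
                    [ -f "$inc" ] && _sshd_conf_walk "$inc"
                done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$file"
    return 0
}

# Usage: effective_sshd_option FILE OPTION  -> prints the value sshd would use.
# Global scope only: settings inside a "Match" block are conditional, so they
# are skipped until a "Match all" line. Keywords are case-insensitive.
effective_sshd_option() {
    _sshd_conf_walk "$1" | awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2         { next }
        tolower($1) == "match"       { inmatch = (tolower($2) != "all"); next }
        inmatch                      { next }
        tolower($1) == opt && !found { print $2; found = 1 }
    '
}

# Constructed layout: a drop-in (think cloud image or an earlier admin) says
# yes, and this guide's "append to the bottom of the file" step was followed.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/sshd_config.d"
cat > "$DEMO/sshd_config" <<EOF
Include $DEMO/sshd_config.d/*.conf
#PasswordAuthentication yes
KbdInteractiveAuthentication no
PasswordAuthentication no
EOF
cat > "$DEMO/sshd_config.d/50-constructed.conf" <<'EOF'
# constructed drop-in for the example
PasswordAuthentication yes
EOF

before=$(effective_sshd_option "$DEMO/sshd_config" PasswordAuthentication)
echo "with the line at the bottom of sshd_config: PasswordAuthentication $before"

# The fix: a drop-in that sorts before the others, so sshd reads it first.
printf 'PasswordAuthentication no\n' > "$DEMO/sshd_config.d/00-hardening.conf"
after=$(effective_sshd_option "$DEMO/sshd_config" PasswordAuthentication)
echo "with 00-hardening.conf in sshd_config.d:   PasswordAuthentication $after"
```

The same first-match rule is why a drop-in named 99-something.conf, a common choice, does not override a 50-cloud-init.conf that sorts before it; pick a name that sorts first, or edit the offending drop-in directly.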

Fail2ban

todo.