# Plan 9 CPU/Auth/Web Server Setup
# Hardware
Server: Supermicro X7SPA-H-D525
Terminal: ThinkPad X61 (with Docking Station) or ThinkPad T61
Router: MikroTik mAP 2nD (RBmAP2nD)
Bridges: MikroTik mAP lite (RBmAPL-2nD) x2
— ethernet-to-wireless bridges for server and terminal
# Install Plan 9 (9legacy — Plan 9 from Bell Labs with the most useful patches).
# Reference: [The Plan 9 Cpu/Auth Server Installation and Basic Setup Howto](http://mirror.9grid.fr/mirror.9grid.fr/plan9-cpu-auth-server-howto.html)
# Refer to plan9.ini, cpurc, and /lib/ndb/local as example configurations
# Create file server user
cube# con -l /srv/fscons
uname mospak mospak
uname sys +mospak
uname adm +mospak
ctrl-\, q
# Create auth credentials
cube# auth/changeuser -p mospak
cube# auth/secuser -v bootes
cube# auth/secuser -v mospak
cube# echo 'key proto=p9sk1 dom=baddcafe.com user=mospak !password=yourpassword' > /mnt/factotum/ctl
# Edit /rc/bin/termrc on gnot
before:
if(! test -e /net/ipifc/0/ctl)
ip/ipconfig
after:
eval `{ndb/ipquery sys $sysname ip ipgw ipmask}
if(! test -e /net/ipifc/0/ctl)
ip/ipconfig -g $ipgw ether /net/ether0 add $ip $ipmask
# First login from terminal (gnot), as mospak
cpu -h cube
user[glenda]: mospak
password: yourpassword
% /sys/lib/newuser
% ramfs
% cd /tmp
% echo 'key proto=p9sk1 dom=baddcafe.com user=mospak !password=yourpassword' > factotum
% auth/secstore -p factotum
% rm factotum
# Enable secstore in /cfg/$sysname/cpurc
...
auth/secstored
auth/secstore -n -G factotum | read -m >>/mnt/factotum/ctl
...
# Create web user
cube# lc -l /usr
cube# con -l /srv/fscons
uname web web
uname web +mospak
ctrl-\, q
# Edit /sys/lib/mimetype, add:
.xml application xml - m
.xslt application xml - m
# Create index page
% touch /usr/web/index.html
<html>
<head><title>BADDCAFE.COM</title></head>
<body bgcolor=white>
<h1>BADDCAFE.COM</h1>
</body>
</html>
# Add to /cfg/$sysname/cpustart
ip/httpd/httpd
# Reboot, then verify:
cube# ps | grep httpd
cube# cat /net/tcp/*/local | grep '!80'
cube# netstat -n | grep 80
cube# cat /sys/log/httpd/log
# Router config (MikroTik example)
# Find your public IP:
WAN IP address (IP/DHCP Client/IP Address)
203.0.113.10
IP/DHCP Server/Leases
192.168.88.11 SERVER_MAC
192.168.88.12 TERMINAL_MAC
192.168.88.13 server ether-wlan bridge (optional)
192.168.88.14 terminal ether-wlan bridge (optional)
NAT rules (IP/Firewall/NAT):
Chain dstnat, proto tcp, dst port 80, in WAN → dst-nat 192.168.88.11:80
Chain dstnat, proto tcp, dst port 443, in WAN → dst-nat 192.168.88.11:443
Move router admin to port 8080 (IP/Services: www, port 8080).
Router panel now at 192.168.88.1:8080.
# In your registrar's DNS panel add these DNS records
A Record @ 203.0.113.10 # (your public IP)
CNAME Record www baddcafe.com. # (with trailing dot, points to bare domain)
# Verify on a Unix machine
% dig baddcafe.com +short
% dig www.baddcafe.com +short
# Both should return your public IP.
# TLS certificate (certbot, on a Unix machine)
% brew install certbot
% certbot certonly --manual \
--config-dir ~/certbot/config \
--work-dir ~/certbot/work \
--logs-dir ~/certbot/logs \
--key-type rsa \
--rsa-key-size 2048 \
-d baddcafe.com \
-d www.baddcafe.com
Complete the ACME challenge on the server when prompted.
...
Successfully received certificate.
# Go to /Users/user/certbot/config/archive/baddcafe.com/
# Convert private key to PKCS#1:
% openssl rsa -in privkey.pem -traditional -out privkey.pkcs1.pem
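# Optional check before copying (added example, not part of the original notes)
Run on the Unix machine. It assumes cert.pem, chain.pem and privkey.pkcs1.pem sit together in one directory, as they do on the USB stick below; the function name check_tls_bundle is made up for this example. It confirms that the key carries the PEM label which auth/pemdecode 'RSA PRIVATE KEY' selects, that cert.pem matches the key, and that chain.pem begins with the issuer of cert.pem.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight check on the Unix
# machine for the three files that go onto the USB stick.
# Assumption: cert.pem, chain.pem and privkey.pkcs1.pem are in one directory.

check_tls_bundle() {
    dir=$1
    key=$dir/privkey.pkcs1.pem
    cert=$dir/cert.pem
    chain=$dir/chain.pem

    for f in "$key" "$cert" "$chain"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # auth/pemdecode 'RSA PRIVATE KEY' selects the PEM section by this label;
    # a PKCS#8 file is labelled "BEGIN PRIVATE KEY" instead.
    head -n 1 "$key" | grep -q '^-----BEGIN RSA PRIVATE KEY-----' || {
        echo "key is not PKCS#1 PEM" >&2; return 2; }

    # The key must parse and pass OpenSSL's RSA consistency check.
    openssl rsa -in "$key" -check -noout >/dev/null 2>&1 || {
        echo "RSA key failed consistency check" >&2; return 3; }

    # The certificate must carry the public half of this key.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) || return 3
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || return 4
    [ "$kmod" = "$cmod" ] || {
        echo "cert.pem does not match the private key" >&2; return 4; }

    # The first certificate in chain.pem should be the issuer of cert.pem.
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$chain" -noout -subject | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || {
        echo "chain.pem does not start with the issuer of cert.pem" >&2; return 5; }

    echo "ok: $dir"
}

# Run directly with a directory argument, e.g. sh check.sh ./baddcafe.com
if [ "$#" -gt 0 ]; then check_tls_bundle "$1"; fi
```

A non-zero status names the failed step: 1 missing file, 2 wrong PEM label, 3 bad key, 4 key/certificate mismatch, 5 chain order.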
# Copy certs to server via USB
cube# usbfat:
/n/sdU0.0
cube# cp /n/sdU0.0/baddcafe.com/cert.pem /sys/lib/tls/cert.pem
cube# cp /n/sdU0.0/baddcafe.com/chain.pem /sys/lib/tls/chain.pem
cube# cp /n/sdU0.0/baddcafe.com/privkey.pkcs1.pem privkey.pem
cube# auth/pemdecode 'RSA PRIVATE KEY' privkey.pem | auth/asn12rsa -t 'service=tls role=client owner=*' > key
# Store TLS key in secstore
cube# auth/secstore -g factotum
cube# cat key >> factotum
cube# auth/secstore -p factotum
cube# rm factotum key privkey.pem
# Enable HTTPS in /cfg/$sysname/cpustart
ip/httpd/httpd -c /sys/lib/tls/cert.pem -C /sys/lib/tls/chain.pem
# Reboot, then verify:
cube# cat /sys/log/httpd/log
cube# ps -a | grep httpd
# Sources:
http://mirror.9grid.fr/mirror.9grid.fr/plan9-cpu-auth-server-howto.html
https://lufia.org/plan9/doc/adm/httpd.html
https://lufia.org/plan9/doc/adm/lego.html