This document summarizes current "best practices" for setting up and running a Passcrow Server.
The document is written with Debian-derived Linux distributions in mind, but the steps and processes should translate easily to other Unix-like operating systems.
Contents:
- Installation
- Configure gunicorn+passcrow to start on boot
- Install and configure nginx
- Configuring letsencrypt (certbot)
- Configuring a remote mail server
- Configuring local e-mail
- Install Passcrow maintenance cron-job
- Updating to the latest versions
- Monitoring your Server
## Installation

See the "Getting Started - As a Server Admin" section of the main project README.

Once this is complete you should have:

- Installed Passcrow and its dependencies
- Created a user named `passcrow`
- Created `/etc/passcrow/server_config.py` for settings
- Created `/var/spool/passcrow` for data
## Configure gunicorn+passcrow to start on boot

Install gunicorn:

```sh
apt install gunicorn
```

Create `/etc/systemd/system/passcrow.service` with the following contents:

```ini
[Unit]
Description=passcrow gunicorn daemon
After=network.target

[Service]
Type=notify
User=passcrow
Group=passcrow
RuntimeDirectory=passcrow
WorkingDirectory=/home/passcrow
ExecStart=/usr/bin/gunicorn --workers=1 \
    passcrow.integration.flask_app:app /etc/passcrow/server_config.py
ExecReload=/bin/kill -s HUP $MAINPID
KillMode=mixed
TimeoutStopSec=5

[Install]
WantedBy=multi-user.target
```

Then enable it and (re)start it:

```sh
systemctl enable passcrow
systemctl restart passcrow
```
## Install and configure nginx

Install nginx:

```sh
apt install nginx
```

Create `/etc/nginx/sites-enabled/passcrow` with the following content:

```nginx
# Passcrow server configuration

# These are global rate limits for the Passcrow API.
#
# These should be set to conservative values; people spamming
# our servers with garbage is a risk we cannot do much else about,
# since all the content is anonymous and encrypted.
#
limit_req_zone $binary_remote_addr zone=passcrow:20m rate=1r/m;

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Replace with your Passcrow Server DNS name
    server_name passcrow.example.org;

    # Replace with proper certificates
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Put static content here, if you like.
    root /home/passcrow/www;
    index index.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    client_max_body_size 4096; # In bytes; should match server_config.py
    keepalive_timeout 5;

    # Proxy to gunicorn/passcrow. Make sure the ports match!
    location /passcrow/ {
        limit_req zone=passcrow burst=5 nodelay;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8000;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name passcrow.example.org;
    return 301 https://$host$request_uri;
}
```

Make sure nginx is running and configured to start on boot:

```sh
systemctl enable nginx
systemctl restart nginx
```
## Configuring letsencrypt (certbot)

Install certbot:

```sh
apt install certbot python3-certbot-nginx
```

Run certbot:

```sh
certbot certonly --nginx
```

Finally, edit `/etc/nginx/sites-enabled/passcrow` and update the SSL settings to use the files generated by certbot, probably something like:

```nginx
ssl_certificate /etc/letsencrypt/live/passcrow.example.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/passcrow.example.org/privkey.pem;
```

Restart nginx to make sure everything is up to date:

```sh
systemctl restart nginx
```
## Configuring a remote mail server

Edit `/etc/passcrow/server_config.py` so it includes the following lines, adjusted to match your setup:

```python
email_handler = EmailHandler(
    smtp_server = 'smtp.example.org:465',
    smtp_login = 'username',
    smtp_password = 'password',
    mail_from = 'Passcrow <[email protected]>')

handlers = {
    'email': email_handler}
```

Remember to restart the passcrow gunicorn process after editing the settings.
## Configuring local e-mail

Configuring an entire local e-mail server is beyond the scope of this document, but doing so will improve performance somewhat compared to using SMTP as described above.

If you have a local mail server up and running, you can configure the passcrow server to use it by editing `/etc/passcrow/server_config.py` so it includes the following (edit to taste):

```python
email_handler = EmailHandler(
    sendmail_binary = '/usr/sbin/sendmail',
    mail_from = 'Passcrow <[email protected]>')

handlers = {
    'email': email_handler}
```
## Install Passcrow maintenance cron-job

To make sure old data gets flushed from the underlying storage in a timely fashion:

```sh
su - passcrow
crontab -e
```

Then add the following as a single line (it is split below for clarity) to the end of the user's crontab:

```
5,20,35,50 * * * * python3 -m passcrow.server cleanup \
    /etc/passcrow/server_config.py \
    >/home/passcrow/www/storage-stats.json
```

If you would rather not publish the storage stats, redirect the output to `/dev/null` instead. Note that https://passcrow.org/ will expect the stats to be published for health monitoring/reporting.
## Updating to the latest versions

Updates are important for security. You should periodically update your system!

To update passcrow's dependencies to the latest versions (we have taken care not to depend on anything unsupported by mainstream distros):

```sh
apt update
apt upgrade
```

To update your server's python-passcrow to the latest version:

```sh
pip3 install passcrow==0.0.7
```

Note: replace `0.0.7` with whatever is actually the latest release on PyPI.

Finally, be sure to restart the passcrow server after any updates:

```sh
service passcrow restart
```
## Monitoring your Server

There will be a public monitoring facility for public servers at https://passcrow.org/.
It's not live yet, but when it is, the code it uses will be publicly available for people who want to DIY or run private servers.
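Until the public facility exists, a local health check covers the pieces this document sets up: the two systemd units, gunicorn listening only on loopback behind nginx, the certbot certificate, and the storage-stats.json file that the cleanup cron job rewrites. The script below is an added example, not part of the Passcrow project; the service names, the `PASSCROW_*` environment variables and the 14-day certificate threshold are assumptions.

```sh
#!/bin/sh
# Added example (not Passcrow project code): a health check for the server
# set up above, meant to run from cron or a monitoring agent. It assumes the
# systemd unit "passcrow", gunicorn on 127.0.0.1:8000 behind the nginx vhost,
# and the cleanup cron job rewriting storage-stats.json every 15 minutes.
set -u

HOST="${PASSCROW_HOST:-passcrow.example.org}"
STATS="${PASSCROW_STATS:-/home/passcrow/www/storage-stats.json}"
MAX_STATS_AGE=1800   # two cron intervals: tolerate one missed run, not more

# cert_days_left "notAfter=<date>" -> prints whole days until expiry (GNU date).
# The argument is the line printed by `openssl x509 -noout -enddate`.
cert_days_left() {
    exp=$(date -d "${1#notAfter=}" +%s) || return 1
    echo $(( (exp - $(date +%s)) / 86400 ))
}

# stats_fresh FILE MAXAGE -> succeeds if FILE was modified within MAXAGE seconds
stats_fresh() {
    [ -f "$1" ] || return 1
    mtime=$(stat -c %Y "$1") || return 1
    [ $(( $(date +%s) - mtime )) -le "$2" ]
}

# check_all: runs the live checks, prints one line per check, returns the
# number of failures so cron/monitoring can alert on a non-zero exit status.
check_all() {
    fails=0
    for unit in passcrow nginx; do
        if systemctl is-active --quiet "$unit"; then echo "ok: $unit active"
        else echo "FAIL: $unit not active"; fails=$((fails + 1)); fi
    done
    # gunicorn must listen on loopback only; nginx is the sole public entry point
    if ss -ltn | grep -q '127\.0\.0\.1:8000'; then echo "ok: gunicorn on loopback"
    else echo "FAIL: nothing listening on 127.0.0.1:8000"; fails=$((fails + 1)); fi
    enddate=$(echo | openssl s_client -servername "$HOST" -connect "$HOST:443" 2>/dev/null |
              openssl x509 -noout -enddate 2>/dev/null)
    if [ -n "$enddate" ] && days=$(cert_days_left "$enddate") && [ "$days" -gt 14 ]; then
        echo "ok: certificate valid for $days more days"
    else echo "FAIL: certificate unreadable or expires within 14 days"; fails=$((fails + 1)); fi
    if stats_fresh "$STATS" "$MAX_STATS_AGE"; then echo "ok: storage stats fresh"
    else echo "FAIL: $STATS stale or missing (is the cleanup cron job running?)"; fails=$((fails + 1)); fi
    return "$fails"
}

# Run the live checks only when asked, e.g. PASSCROW_CHECK_NOW=1 sh check.sh
if [ "${PASSCROW_CHECK_NOW:-0}" = 1 ]; then check_all; fi
```

A stale stats file is the earliest visible sign that the cleanup job has stopped, which matters more than it looks: without it, old data is never flushed from `/var/spool/passcrow`.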