fix a lot of shit, post-mkdocs contribute guides fixed

nihilist 2025-05-08 21:51:34 +02:00
parent abc95a5139
commit d43e7a15b1
41 changed files with 452 additions and 553 deletions

BIN
runtheblog/0.5.png Normal file

Binary file not shown.

BIN
runtheblog/26.png Normal file

Binary file not shown.


@ -20,338 +20,137 @@ The entire blog is meant to remain available for free, for everyone, over clearn
## **Clearnet Setup**
## **How to run an instance of the Blog**
Now if you are interested in helping me get the word accross, you can run the blog yourself like so:
On a debian server (VPS or not), install the following packages:
[ Datura ] [ /dev/pts/23 ] [~]
→ sudo apt install nginx wget curl tor torsocks -y
```
[ Wonderland ] [ /dev/pts/4 ] [~]
→ sudo apt install nginx nginx-extras wget curl tor torsocks docker.io docker-compose -y
[ Wonderland ] [ /dev/pts/4 ] [~]
→ cd /srv/
Then, you need to download the blog somewhere, you can simply git clone it from the blog-contributions forgejo repository into the /srv/ directory:
[ Datura ] [ /dev/pts/23 ] [~]
→ torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions /srv/blog/
[ Wonderland ] [ /dev/pts/4 ] [/srv]
→ torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-deploy
_Optional:_ if you want to also host the archived blog sections i wrote in the past (the hacking and selfhosting categories) you can do so as follows:
[ Wonderland ] [ /dev/pts/9 ] [/srv/blog-archive]
→ torsocks git clone http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-archive /srv/blog-archive
[ Wonderland ] [ /dev/pts/4 ] [~]
→ cd blog-deploy
Then we need to make sure that the blog repository stays updated regularly:
[ Wonderland ] [ /dev/pts/11 ] [/srv]
→ crontab -e
#blog
@hourly /usr/bin/torsocks /usr/bin/git -C /srv/blog/ pull
@hourly /usr/bin/torsocks /usr/bin/git -C /srv/blog-archive/ pull
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ docker-compose up -d
[+] Running 2/0
✔ Container blogmk_server Running 0.0s
✔ Container blogmk_puller Running
```
then you can use this nginx configuration (and dont forget to enable it with a symlink to sites-enabled):
[ Datura ] [ /dev/pts/23 ] [~]
→ rm /etc/nginx/sites-*/default
[ Datura ] [ /dev/pts/23 ] [~]
→ vim /etc/nginx/sites-available/blog.nowhere.moe
[ Datura ] [ /dev/pts/23 ] [~]
→ ln -s /etc/nginx/sites-available/blog.nowhere.moe /etc/nginx/sites-enabled/
[ Datura ] [ /dev/pts/23 ] [~]
→ cat /etc/nginx/sites-available/blog.nowhere.moe
server {
listen 80;
listen [::]:80;
server_name blog.nowhere.moe;
return 301 https://$server_name$request_uri;
}
server {
######## TOR CHANGES ########
listen 4443;
listen [::]:4443;
server_name blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion;
add_header Onion-Location "http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion$request_uri" always;
######## TOR CHANGES ########
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name blog.nowhere.moe;
########################################## HARDENING SSL #############################################
ssl_certificate /root/.acme.sh/blog.nowhere.moe/fullchain.cer;
ssl_certificate_key /root/.acme.sh/blog.nowhere.moe/blog.nowhere.moe.key;
ssl_dhparam /root/.acme.sh/dhparam.pem;
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_ecdh_curve auto;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /root/.acme.sh/blog.nowhere.moe/fullchain.cer;
resolver 1.1.1.1 208.67.222.222;
add_header Strict-Transport-Security "max-age=63072000" always;
access_log off;
error_log off;
###################################END OF HARDENING SSL###########################################
rewrite ^/servers/anon.html http://$server_name/opsec/index.md permanent;
rewrite ^/servers/(.*)$ http://$server_name/opsec/$1 permanent;
index index.html;
root /srv/blog/;
#optional selfhosting + HTB locations in /srv/blog-archive:
location ~ ^/(selfhosting|HTB)/ {
root /srv/blog-archive/;
}
}
From there, the blog will start to git clone the [blog-contributions](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions) repository and the submodules containing the opsec, productivity, selfhosting and hacking blogposts.
but as you can see we're missing the TLS certificates, so let's get them using acme.sh:
[ Datura ] [ /dev/pts/23 ] [~]
→ wget -O - https://get.acme.sh | sh -s email=nihilist@contact.nowhere.moe
[ Datura ] [ /dev/pts/23 ] [~]
→ systemctl stop nginx ; acme.sh --issue --standalone -d blog.nowhere.moe -k 4096; systemctl start nginx
![](0.5.png)
And now that we have them, let's see if the nginx config is correct:
[ Datura ] [ /dev/pts/23 ] [~]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
give it some time to git clone it, as it's rather massive to download through Tor.
Now that the nginx config is correct let's restart nginx to load in the new config:
[ Datura ] [ /dev/pts/23 ] [~]
→ systemctl restart nginx
```sh
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ cat docker-compose.yml
services:
blogmk-puller:
image: alpine:latest
container_name: blogmk_puller
environment:
- SITE_URL=http://blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion
- BRANCH=main
- REPO_URL=http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions
- REFRESH_SEC=900
volumes:
- ./repo:/repo
- ./servable:/servable
- ./entry.sh:/entry.sh:ro
extra_hosts:
- "host.docker.internal:host-gateway"
entrypoint: ["sh", "/entry.sh"]
network_mode: "host"
restart: unless-stopped
And then we can see that the website is up and reachable at the clearnet domain:
blogmk-server:
image: nginx:alpine
container_name: blogmk_server
volumes:
- ./nginx.conf:/etc/nginx/sites-enabled/default:ro
- ./servable:/usr/share/nginx/html:ro
ports:
- "127.0.0.1:7080:80"
restart: unless-stopped
![](1.png)
## **Tor Hidden Service Setup**
```
Since clearnet websites are easily censorable nowadays, let's make sure it is censorship-resistant by making it available over Tor. Let's first install Tor:
[ Datura ] [ /dev/pts/23 ] [~]
→ apt install tor -y
Afterward however, the blog will be reachable via the local port 7080 on the server, so you can make the following reverse nginx proxy config to make sure that it is reachable via a .onion mirror:
Then we git clone the mkp repository to be able to generate an onion hidden service address:
[ Datura ] [ /dev/pts/23 ] [~]
→ apt install gcc libc6-dev libsodium-dev make autoconf tor
[ Datura ] [ /dev/pts/23 ] [~]
→ git clone https://github.com/cathugger/mkp224o /srv/mkp224o
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ cd /srv/mkp224o ; ./autogen.sh ; ./configure ; make
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ ./mkp224o datura
sorting filters... done.
filters:
datura
in total, 1 filter
using 12 threads
daturacccspczuluj2hbgqfcpkjo75hn7bzmuzsm5zys3az6k3su45ad.onion
daturaxnp7x4ubwlslgyeaft5dabaxotmsaxanayocnpxarc7wi36kid.onion
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ mkdir /var/lib/tor/onions
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ mv daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion /var/lib/tor/onions
[ Datura ] [ /dev/pts/11 ] [lib/tor/onions]
→ ls -lash
total 16K
4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 .
4.0K drwx--S--- 8 debian-tor debian-tor 4.0K Feb 1 15:08 ..
4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12 2023 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
4.0K drwx------ 3 debian-tor debian-tor 4.0K Jan 27 15:48 nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion
[ Datura ] [ /dev/pts/11 ] [lib/tor/onions]
→ ls -lash daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
total 24K
4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12 2023 .
4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 ..
4.0K drwx------ 2 debian-tor debian-tor 4.0K Jul 12 2023 authorized_clients
4.0K -r-------- 1 debian-tor debian-tor 63 Jul 12 2023 hostname
4.0K -r-------- 1 debian-tor debian-tor 64 Jul 12 2023 hs_ed25519_public_key
4.0K -r-------- 1 debian-tor debian-tor 96 Jul 12 2023 hs_ed25519_secret_key
```sh
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ vim /etc/nginx/sites-available/blog.conf
Then after copying the hidden service files where they belong we change the directory rights accordingly:
[ Datura ] [ /dev/pts/11 ] [lib/tor/onions]
→ chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
[ Datura ] [ /dev/pts/11 ] [lib/tor/onions]
→ chmod 400 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/*
[ Datura ] [ /dev/pts/11 ] [lib/tor/onions]
→ chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/authorized_clients -R
[ Datura ] [ /dev/pts/11 ] [lib/tor/onions]
→ chown debian-tor: /var/lib/tor/onions -R
[ Wonderland ] [ /dev/pts/23 ] [~]
→ ln -s /etc/nginx/sites-available/blog.conf /etc/nginx/sites-enabled/
Then we edit the torrc config file to make sure it uses the correct hidden service directory, along with a port to be used to access the website:
[ Datura ] [ /dev/pts/11 ] [/srv/mkp224o]
→ cat /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
HiddenServicePort 80 127.0.0.1:4443 # for web service HTTP (recommended!)
HiddenServicePort 443 127.0.0.1:4444 # for web service HTTPS (but not recommended!)
HiddenServicePort 18080 127.0.0.1:18080 # for monero nodes
HiddenServicePort 18081 127.0.0.1:18081 # for monero nodes
# to have another hidden service, you can append it afterward like so; but you need to use different ports:
HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
HiddenServicePort 80 127.0.0.1:4445
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ cat /etc/nginx/sites-available/blog.conf
upstream blogbackend {
server 127.0.0.1:7080;
}
Then we restart Tor to refresh the configuration:
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ systemctl restart tor@default
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled)
Active: active (running) since Sun 2024-11-10 21:39:43 CET; 2 days ago
Main PID: 2790923 (tor)
Tasks: 13 (limit: 77002)
Memory: 1.5G
CPU: 1d 12h 17min 42.199s
CGroup: /system.slice/system-tor.slice/tor@default.service
└─2790923 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
And from there, we edit the nginx configuration to make sure the website is reachable over the tor domain aswell along with having the header set so that the user's tor browser mentions that there is a .onion link available:
[ Datura ] [ /dev/pts/23 ] [~]
→ vim /etc/nginx/sites-available/blog.nowhere.moe
[ Datura ] [ /dev/pts/23 ] [/srv/mkp224o]
→ cat /etc/nginx/sites-available/blog.nowhere.moe
server {
listen 80;
listen [::]:80;
server_name blog.nowhere.moe;
return 301 https://$server_name$request_uri;
}
server {
**######## TOR CHANGES ########
listen 4443;
listen [::]:4443;
server_name blog.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
add_header Onion-Location "http://blog.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
######## TOR CHANGES ########**
[...]
}
server {
listen 4443;
listen [::]:4443;
server_name blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion;
And then we refresh nginx and we see that the website can be reached over the .onion link aswell:
[ Datura ] [ /dev/pts/23 ] [~]
→ systemctl restart nginx
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
![](2.png) ![](3.png)
location / {
proxy_pass http://blogbackend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
And that's it! you now have made your own copy of the blog available over clearnet and Tor.
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ systemctl restart nginx
_Sidenote:_ if you want to only have an onion mirror of the blog (and no clearnet at all), you can use this nginx config:
[ Wonderland ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
→ cat blog.conf
server {
######## TOR WEBSITE ########
listen 4443;
listen [::]:4443;
server_name blog.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion;
rewrite ^/servers/anon.html http://$server_name/opsec/index.md permanent;
rewrite ^/servers/(.*)$ http://$server_name/opsec/$1 permanent;
index index.html;
root /srv/blog/;
#optional selfhosting + HTB locations in /srv/blog-archive:
location ~ ^/(selfhosting|HTB)/ {
root /srv/blog-archive/;
}
}
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ nginx -t
2025/05/08 21:08:41 [info] 359817#359817: Using 116KiB of shared memory for nchan in /etc/nginx/nginx.conf:61
2025/05/08 21:08:41 [info] 359817#359817: Using 131072KiB of shared memory for nchan in /etc/nginx/nginx.conf:61
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ nginx -s reload
```
From there you just need to make sure that the website is reachable via it's onion mirror: (for more details on how to run hidden services with custom .onion vanity v3 domains, check out [this tutorial](../torwebsite/index.md))
```sh
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ cat /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onions/nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/
HiddenServicePort 80 127.0.0.1:4443
[ Wonderland ] [ /dev/pts/4 ] [/srv/blog-deploy]
→ systemctl restart tor@default
```
and then just check if you can reach it:
![](26.png)
## **Setting up Collaboration**
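Review bot: In the new /etc/nginx/sites-available/blog.conf, `listen 4443;` and `listen [::]:4443;` bind the onion vhost on every interface, while the torrc line `HiddenServicePort 80 127.0.0.1:4443` only ever connects to it over loopback. Unless a host firewall closes 4443, the mirror also answers on the server's public address, which ties that address to the .onion name in `server_name`. Suggest `listen 127.0.0.1:4443;` (plus `listen [::1]:4443;` if IPv6 loopback is wanted), in line with how docker-compose.yml already publishes the backend as `127.0.0.1:7080:80`. Separately, `image: alpine:latest` and `image: nginx:alpine` are floating tags, and the puller runs with `network_mode: "host"`; pinning both images to a version or digest would make every mirror operator run the same code that this guide was tested with.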
@ -399,3 +198,4 @@ And then to make sure the nihilism blog remains resistant to takedowns, you can
![](25.png)
And that's it! you now know how to run the blog yourself, and also how to make sure you can make sure the project keeps going if something were to happen to me in the future.
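Review bot: The closing sentence doubles up on "make sure" ("how to make sure you can make sure the project keeps going"); something like "and also how to keep the project going if something were to happen to me" reads cleaner. The image on the line above, `![](25.png)`, also has empty alt text, so a short description there would help readers whose client does not load images.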