riegel02

To share more with the community I think it's essential to have more guides and how to install Waterhole on different panels. This is going to be in-depth guide and I hope to record a video one day, if I have enough time and resources.

Feedback is very appreciated in case I have done something wrong.

HestiaCP setup:

1. Purchase VPS/dedicated servers and deploy Debian 12. Aim for 4 CPU and 4GB ram for production.
2. Update and remove old junk (use this command weekly to keep your server up to date). From this point you should use root by default. Later on we will switch to normal user wtih sudo rights.

sudo apt update && sudo apt upgrade -y && sudo apt-get autoremove -y && sudo apt-get remove --purge -y software-properties-common

3. Enable automatic security updates for Debian. You want to keep it secure.

apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades

3. Download and modify HestiaCP installation script, to have latest MySQL. Notice that I left many services like email and antivirus out from the HestiaCP, because I don't use it.

wget https://raw.githubusercontent.com/hestiacp/hestiacp/release/install/hst-install-debian.sh

nano hst-install-debian.sh

Modify script so you can install the latest MySQL version https://forum.hestiacp.com/t/how-to-install-mysql-8-4-lts-on-debian-12/16582

bash hst-install-debian.sh --port 2083 --named no --mysql no --mysql8 yes --exim no --dovecot no --clamav no --spamassassin no

4. In case you have issues with certificate (domain that you use for HestiaCP control panel)

v-add-letsencrypt-host

5. Add PHP 8.3

v-add-web-php 8.3
v-change-sys-php 8.3
sed -i '/^\t"php-8.2",/a \t"php-8.3",' /usr/local/hestia/web/edit/server/index.php

After that disable old PHP version in HestiaCP (inside control panel settings)

6. Add composer

v-add-user-composer

7. Use non-root user by default. From this point you should mainly use separate user.

adduser example_user
adduser example_user sudo

8. Create and export SSH keys to the new use (it's better to use SSH keys, but this optional)

/home/username/.ssh/

9. Remove root auth and auth with password

sudo nano /etc/ssh/sshd_config.d/custom.conf

PasswordAuthentication no
PermitRootLogin no

sudo systemctl restart ssh

P.S You might have to "sudo rm /etc/ssh/sshd_config.d/50-cloud-init.conf

Waterhole setup starts here.

1. Create separate user in HestiaCP and add your domain
2. Add SSH rights in HestiaCP for this user and composer
3. Open your website directory, to be more specific folder /public_html

cd web/your-domain.com/public_html/
composer create-project waterhole/waterhole

4. Open domain settings in HestiaCP and set this as a custom path waterhole/public. You will need to open this directory most of the times if you want to make any changes to Waterhole. Down below I run most of the commands under this directory.

5. Create MySQL database in HestiaCP

6. Modify .env

7. Run installer, but before open /waterhole directory

cd web/your-domain.com/public_html/waterhole
php artisan waterhole:install
composer update

8. Change FILESYSTEM_DISK=local

php artisan queue:table
php artisan migrate

update .env to QUEUE_CONNECTION=database

sudo apt-get install supervisor

add worker.log

create and edit laravel-worker.conf

only disable next things in PHP.ini
disable_functions = exec,system,passthru,shell_exec,proc_open,popen

Follow https://laravel.com/docs/10.x/queues#supervisor-configuration

9. Cache Configuration

cd config/cache.php
change 'CACHE_DRIVER', 'file' to 'CACHE_DRIVER', 'database'
modify .env to CACHE_DRIVER=database
run php artisan cache:table to start migration

10. Run optimizer + icons cache

composer install --optimize-autoloader --no-dev
php artisan config:cache
php artisan route:cache
php artisan view:cache
php artisan icons:cache

11. Setup Mailgun

Whitelist IP's in Mailgun's IP Access Management
Change .env with Mailgun creds
composer require symfony/mailgun-mailer symfony/http-client

modify config/mail.php and set it to mailgun
double check config/services.php (most likely not needed)

12. Modify php.ini for Laravel app for Queue worker/Supervisor

This enables pcntl functionality while still disabling potentially dangerous functions like exec and shell_exec.
disable_functions = exec,system,passthru,shell_exec,proc_open,popen

13. Add waterhole's nginix conf

remove from waterhole.nginix.conf next:
location / { try_files $uri $uri/ /index.php?$query_string; }

cd /usr/local/hestia/data/templates/web/nginx/

sudo cp default.tpl custom.tpl
sudo cp default.stpl custom.stpl

include %home%/%user%/web/%domain%/public_html/waterhole/.nginx.conf;

(ask chatgpt where to put it)
change template + [v-rebuild-user](https://hestiacp.com/docs/reference/cli.html#v-rebuild-user)

14. Now if you do any changes to Waterhole you need to run:

php artisan config:clear && php artisan config:cache && php artisan cache:clear && php artisan route:cache && php artisan optimize

This is more or less the notes I been making during the installation and testing. You need some basic understanding on how to manage servers, but this guide will be enough if you want someone with skill to help you.

If enough people ask I can make super dummy video with step-by-step guide and setting up everything from server, domain, HestiaCP and Waterhole.

P.S @Toby can we get better options for command lines formatting and button to copy the code?

We know what this will come one day, but I through it would be a good idea to go through more advanced features and share them from my perspective and experience running forums.

1. Groups

Every new user should be by default in "Quarantine" group. This group does not allow user to change avatar, profile information, or any other information expect email/password. User can post, but posts won't be visible unless admin/mod approves it. It should be possible to define how many approved posts user needs to move away from "Quarantine" group to the normal one.

2. Moderation feed

Admins/mods should have separate moderation feed to simplify and make quick approvals/bans for new posts/threads. Nice option would be to have browser/email notifications. Perhaps even direct links to approve/ban posts in the email. This tool should also show approved posts.

Bonus points: Send automatically "Edited posts" back to the moderation feed.

3. Freeze inactive accounts after X time

This is big problem in big communities. Many people re-use same passwords, they get leaked and after that spammers might use to bruteforce it and try to get access to the user account. If user was inactive for long time, Waterhole should send verification link to the email that will approve authorization.

Alternative option would be to implement 2FA and have an option to force it on all the new users accounts.

4. Lock "edit post" after X time

Each community can decided itself what is a fair amount of time to edit the post. To make this even better there should be exception depending on the user group. Some groups might not be mods, but still manage some pinned posts that require frequent updates. This feature is important so spammers won't replace legit posts with spam later on.

5. Ban and warning system

I think it is enough to have 2 options permanent and temporary ban and possibility to specify why user got banned, so the person who broke the rules knows what he did wrong. Additionally it would be a nice to send warning first to the user, instead of doing instant bans. Hopefully Waterhole won't implement IP ban, because I find them ineffective and it can hurt users who use VPN/proxies. People can bypass it easily.

We should be able to warn users first, instead of doing instant bans. If user is banned he should have a visible message with reason of the ban. Could be canned options or custom message. Same goes for warning messages. There should be two type of ban options: permanent and temporary.

Hopefully Waterhole won't implement IP ban, because I find them ineffective and it can hurt users who use VPN/proxies. People can bypass it easily. Same goes with trying to fight temporary email services.

... I think that's it. I probably missed something, but that's a good start.

This idea came into my mind after this topic.

Right now Waterhole embeds automatically all media (handy) files as far as I know and this does create potential security issues. External images/videos can be replaced with malicious files or NSFW content. There is no way to control this. Vulnerabilities risk is low, but still there was incidents before such as CVE-2015-8126 and hopefully modern browsers handle it better.

Easiest option would be to have toggle in admin to restrict auto/load embed of external images/videos. On the other hand there can be a more complex solution like screenshot down below (external image as well :P). That will show external content only if user agrees to and it could be used for NSFW content as well.

This is less "Idea" and more open discussion, because there is more important features in the roadmap and perhaps this could be achieved with the plugin instead?