# Installation
This file shows how to install and configure mollysocket **on your system using a systemd service**.
**This should be relevant if you use docker**
## Install the binary with a dedicated user
First of all, you need to install mollysocket on your system.
#### Create a dedicated account
The service will run with a dedicated account, so create it and switch to that user:
```
sudo useradd mollysocket -m -d /opt/mollysocket
sudo -su mollysocket
cd
```
#### Install the binary
You have 2 solutions to install the binary.
1. Use an already compiled binary: <https://github.com/mollyim/mollysocket/releases/>. To follow the systemd service, and for ease of use, link the executable (replace with the right version of the binary): `ln -s /opt/mollysocket/mollysocket-amd64-1.2.0 /opt/mollysocket/ms`
2. Use cargo. This method allows you to use cargo to maintain mollysocket up to date. First of all, you need to [install cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html) (you need at least version 1.59). Then, install mollysocket using cargo: `cargo install mollysocket`. *You probably need to install some system packages, like libssl-dev libsqlite3-dev*. To follow the systemd service, and for ease of use, link the executable: `ln -s /opt/mollysocket/.cargo/bin/mollysocket /opt/mollysocket/ms`.
#### Prepare the config file
Download a sample of the config file: `wget -O /opt/mollysocket/prod.toml https://github.com/mollyim/mollysocket/raw/main/config-sample.toml`.
#### Done
Switch back to your usual account: `exit`.
## App configuration
*If you host your own Push server*, then explicitly add it to the allowed endpoints. In `/opt/mollysocket/prod.toml`, edit `allowed_endpoints = ['*', 'https://push.mydomain.tld']` (remove `'*'` if you will use your push server only).
## Install systemd service
Download the [systemd unit file](https://github.com/mollyim/mollysocket/raw/main/mollysocket.service) and place it in the right direction `/etc/systemd/system/`.
### Add a VAPID key
#### Option 1. With systemd-creds (Recommended)
You can use [systemd-creds](https://systemd.io/CREDENTIALS/) to encrypt the vapid key. Run the following command as _root_ to get the systemd-creds parameters:
```console
# sudo -u mollysocket mollysocket vapid gen | systemd-creds encrypt --name=ms_vapid -p - -
SetCredentialEncrypted=ms_vapid: \
k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
cAEO24kB08FMtd/hfkZBX8PqoHd/yPTzRxJQBoBsvo9VqolKdy9Wkvih0HQnQ6NkTKEdP \
HQ08+x8sv5sr+Mkv4ubp3YT1Jvv7CIPCbNhFtag1n5y9J7bTOKt2SQwBOAAgACwAAABIA \
ID8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciABAAII6LvrmL60uEZcp5qnEkx \
SuhUjsDoXrJs0rfSWX4QAx5PwfdFuxPusgE==
```
This will output `SetCredentialEncrypted` you can use in your systemd unit file:
```ini
[Service]
SetCredentialEncrypted=ms_vapid: \
k6iUCUh0RJCQyvL8k8q1UyAAAAABAAAADAAAABAAAAC1lFmbWAqWZ8dCCQkAAAAAgAAAA \
AAAAAALACMA0AAAACAAAAAAfgAg9uNpGmj8LL2nHE0ixcycvM3XkpOCaf+9rwGscwmqRJ \
cAEO24kB08FMtd/hfkZBX8PqoHd/yPTzRxJQBoBsvo9VqolKdy9Wkvih0HQnQ6NkTKEdP \
HQ08+x8sv5sr+Mkv4ubp3YT1Jvv7CIPCbNhFtag1n5y9J7bTOKt2SQwBOAAgACwAAABIA \
ID8H3RbsT7rIBH02CIgm/Gv1ukSXO3DMHmVQkDG0wEciABAAII6LvrmL60uEZcp5qnEkx \
SuhUjsDoXrJs0rfSWX4QAx5PwfdFuxPusgE==
Environment=MOLLY_VAPID_KEY_FILE=%d/ms_vapid
```
#### Option 2. Plaintext
It is also possible to pass the value of the vapid key in plaintext to an environment variable in your unit file. Run the following command as _mollysocket_ user:
```console
$ mollysocket vapid gen
DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI
```
And use the output of the command in your systemd unit file:
```ini
[Service]
Environment=MOLLY_VAPID_PRIVKEY=DSqYuWchrB6yIMYJtidvqANeRQic4uWy34afzZRsZnI
```
### Start the service
You should be able to see that service now `systemctl status mollysocket`.
You can enable it `systemctl enable --now mollysocket`, the service is now active (`systemctl status mollysocket`), and will be started on system boot.
## (Option A) Proxy server
You will need to proxy everything from `/` to `http://127.0.0.1:8020/` (8020 is the value define in the systemd unit file for `$ROCKET_PORT`, it can be changed if needed).
You also need to forward the `Host` header.
If you proxy from another path like `/molly/` instead of `/`, you also need to pass the original URL.
For Nginx, it looks like:
```
location / {
proxy_pass http://127.0.0.1:8020/;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $uri;
}
```
## (Option B) Air gapped mode
To find the MollySocket QR code:
- If you can use port-forwarding through SSH to your server, then run the following command: `ssh -L 8020:localhost:8020 your_server`, then open http://localhost:8020 on your machine. You can ignore alerts if there are any. Then click on _airgapped mode_.
- If you can't use port-forwarding, change `webserver` to `false` in your config file (_/opt/mollysocket/prod.toml_) and restart your service:
```console
# systemctl restart mollysocket
# journalctl -u mollysocket
# # This should show a QR code
```
After scanning the QR code, you will have a command to copy to run on your server. You must run this command as user `mollysocket` with `MOLLY_CONF=/opt/mollysocket/prod.toml`.
For instance `sudo -su mollysocket MOLLY_CONF=/opt/mollysocket/prod.toml /opt/mollysocket/ms connection add baab32b9-d60b-4c39-9e14-15d8f6e1527e 2 thisisrandom 'https://push.mydomain.tld/upthisisrandom?up'`.
## (Optional) More restrictive configuration
Once you have registered Molly (with option A or B), and you will be the only user using this service, you can restrict `allowed_uuids = ['baab32b9-d60b-4c39-9e14-15d8f6e1527e']` and `allowed_endpoints = ['https://push.mydomain.tld/upthisisrandom?up']` in the config file.