projectinsanity:server_setup [2020/05/14 10:29] – [PI ArchLinux Repository] 10.25.0.1 | projectinsanity:server_setup [2022/07/19 15:24] – revert bot fuckup 10.25.0.100 | ||
Line 1: | Line 1: | ||
+ | ====== host.pi ====== | ||
+ | |||
+ | ===== Specs ===== | ||
+ | 1 x Dedicated Root Server SB32 (hetzner) | ||
+ | * Intel Core i7-3770 | ||
+ | * 2x HDD SATA 3,0 TB Enterprise | ||
+ | * 4x RAM 8192 MB DDR3 | ||
+ | * Location: FSN1 | ||
+ | ===== Payment ===== | ||
+ | Serverkosten pro Montat: 26,89€ + 5,11€ Steuer: 32,00€ | ||
+ | ^ ^ Arne ^ Jonas ^ ST ^ Krischi | ||
+ | | Juni 18 | 6, | ||
+ | | Juli 18 | 6, | ||
+ | | August 18 | 6, | ||
+ | | September 18 | 6, | ||
+ | | Oktober 18 | 6, | ||
+ | | November 18 | 6, | ||
+ | | Dezember 18 | 6, | ||
+ | | Januar 19 | 0/ | ||
+ | | Juli 21 (vorausgezahlt) | ||
+ | Zu überweisen an Jonas | ||
+ | ===== Überblick ===== | ||
+ | ^ Name ^ IP ^ IPv6 ^ Space ^ Last backup | ||
+ | | host | 10.25.0.1 | ||
+ | | http | 10.25.0.100 | ||
+ | | http-pub | ||
+ | | mail | 10.25.0.102 | ||
+ | | mysql | 10.25.0.103 | ||
+ | | playground | ||
+ | | storage | ||
+ | ===== Setup ===== | ||
+ | * IPv4: 144.76.16.40 | ||
+ | * IPv6: 2a01: | ||
+ | Im Rescue system: | ||
+ | <code bash> | ||
+ | installimage -a -n project-insanity -b grub -r yes -l 0 -i root/ | ||
+ | </ | ||
+ | ==== systemd-networkd ==== | ||
+ | on the installed host machine, had to change '' | ||
+ | <file - / | ||
+ | ### Hetzner Online GmbH installimage | ||
+ | [Match] | ||
+ | Name=enp3s0 | ||
+ | |||
+ | [Network] | ||
+ | Address=2a01: | ||
+ | Gateway=144.76.16.33 | ||
+ | Gateway=fe80:: | ||
+ | |||
+ | [Address] | ||
+ | Address=144.76.16.40/ | ||
+ | Peer=144.76.16.33/ | ||
+ | IPForward=ipv4 | ||
+ | </ | ||
+ | <file - / | ||
+ | [NetDev] | ||
+ | Name=br-internal | ||
+ | Kind=bridge | ||
+ | </ | ||
+ | <file - / | ||
+ | [Match] | ||
+ | Name=br-internal | ||
+ | |||
+ | [Network] | ||
+ | Address=2a01: | ||
+ | Address=10.25.0.1/ | ||
+ | ConfigureWithoutCarrier=true | ||
+ | </ | ||
+ | ==== core system ==== | ||
+ | <code bash> | ||
+ | pacman -S mosh tmux htop dmidecode fail2ban openvpn qemu openbsd-netcat openssh easy-rsa fish pacman-contrib | ||
+ | chsh -s $(which fish) | ||
+ | wget https:// | ||
+ | chown qemu:qemu / | ||
+ | useradd -m onny -s /bin/fish | ||
+ | passwd onny | ||
+ | gpasswd -a onny sudo | ||
+ | gpasswd -a onny libvirt | ||
+ | sudo -u onny mkdir / | ||
+ | sudo -u onny vim / | ||
+ | sed -i ' | ||
+ | sed -i ' | ||
+ | systemctl enable --now sshd fail2ban systemd-networkd systemd-resolved | ||
+ | </ | ||
+ | dnsmasq settings, ready to listen on wireguard subnet | ||
+ | <file - / | ||
+ | [...] | ||
+ | listen-address=127.0.0.1, | ||
+ | |||
+ | no-resolv | ||
+ | |||
+ | # Google' | ||
+ | server=8.8.8.8 | ||
+ | server=8.8.4.4 | ||
+ | </ | ||
+ | systemd resolved dns resolver settings | ||
+ | <file - / | ||
+ | [...] | ||
+ | [resolve] | ||
+ | DNSStubListener=no | ||
+ | </ | ||
+ | <file - / | ||
+ | [Resolve] | ||
+ | DNSOverTLS=opportunistic | ||
+ | </ | ||
+ | <file - / | ||
+ | [Resolve] | ||
+ | DNSSEC=true | ||
+ | </ | ||
+ | <file - / | ||
+ | [Resolve] | ||
+ | DNS=2620: | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | 10.25.0.1 host.pi | ||
+ | 10.25.0.100 http.pi | ||
+ | 10.25.0.101 http-pub.pi | ||
+ | 10.25.0.102 mail.pi | ||
+ | 10.25.0.103 mysql.pi | ||
+ | 10.25.0.104 playground.pi | ||
+ | 10.25.0.105 storage.pi | ||
+ | |||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | |||
+ | #vpn clients | ||
+ | 10.25.0.200 | ||
+ | 10.25.0.201 | ||
+ | 10.25.0.202 | ||
+ | 10.25.0.203 | ||
+ | |||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | 2a01: | ||
+ | </ | ||
+ | custom pi archlinux repo | ||
+ | <file - / | ||
+ | ... | ||
+ | [projectinsanity] | ||
+ | SigLevel = PackageOptional | ||
+ | Server = https:// | ||
+ | </ | ||
+ | archlinux auto update | ||
+ | <file - / | ||
+ | ... | ||
+ | [projectinsanity] | ||
+ | SigLevel = PackageOptional | ||
+ | Server = https:// | ||
+ | </ | ||
+ | <file - / | ||
+ | Description=Automatic Update | ||
+ | After=network-online.target | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | ExecStart=/ | ||
+ | TimeoutStopSec=180 | ||
+ | KillMode=process | ||
+ | KillSignal=SIGINT | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | | ||
+ | |||
+ | [Timer] | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | [Install] | ||
+ | | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now autoupdate.timer | ||
+ | </ | ||
+ | automatic timed reboot after kernel upgrade | ||
+ | <file - / | ||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = linux | ||
+ | |||
+ | [Action] | ||
+ | Description = Enable timer for reboot after kernel upgrade | ||
+ | When = PostTransaction | ||
+ | Exec = / | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Reboot in the morning after kernel upgrade | ||
+ | |||
+ | [Timer] | ||
+ | OnCalendar=*-*-* 06:00:00 | ||
+ | Unit=kernel-upgrade.service | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Reboot after kernel upgrade | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | ==== nftables ==== | ||
+ | nftables firewall & routing | ||
+ | <file - / | ||
+ | define TCP_PORT_QUAKEJS_DS = 27960 | ||
+ | define TCP_PORT_IMAPS = 993 | ||
+ | define TCP_PORT_SMTPS = 587 | ||
+ | define TCP_PORT_SMTP = 25 | ||
+ | define TCP_PORT_SSH = 22 | ||
+ | define TCP_PORT_HTTP = 80 | ||
+ | define TCP_PORT_HTTPS = 443 | ||
+ | define UDP_PORT_WIREGUARD = 51820 | ||
+ | define UDP_PORT_MOSH = 60000-61000 | ||
+ | define HOST_HTTP_PI = 10.25.0.100 | ||
+ | define HOST_MAIL_PI = 10.25.0.102 | ||
+ | define HOST_PLAYGROUND_PI = 10.25.0.104 | ||
+ | |||
+ | table inet filter { | ||
+ | set tcp_accepted { | ||
+ | type inet_service | ||
+ | flags interval | ||
+ | elements = { $TCP_PORT_SSH, | ||
+ | } | ||
+ | |||
+ | set udp_accepted { | ||
+ | type inet_service | ||
+ | flags interval | ||
+ | elements = { $UDP_PORT_WIREGUARD, | ||
+ | } | ||
+ | |||
+ | chain base_checks { | ||
+ | ct state { established, | ||
+ | ct state invalid drop | ||
+ | } | ||
+ | |||
+ | chain input { | ||
+ | type filter hook input priority filter; policy drop; | ||
+ | jump base_checks | ||
+ | iifname " | ||
+ | ip protocol icmp icmp type { echo-reply, destination-unreachable, | ||
+ | ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, | ||
+ | tcp dport @tcp_accepted accept | ||
+ | udp dport @udp_accepted accept | ||
+ | ip saddr 10.25.0.1/ | ||
+ | ip saddr 10.25.40.1/ | ||
+ | reject | ||
+ | } | ||
+ | |||
+ | chain forward { | ||
+ | type filter hook forward priority filter; policy drop; | ||
+ | jump base_checks | ||
+ | ip daddr 10.25.0.100 ct status dnat accept | ||
+ | ip saddr {10.25.0.1/ | ||
+ | ip daddr {10.25.0.1/ | ||
+ | oif br-internal accept | ||
+ | iif br-internal accept | ||
+ | } | ||
+ | |||
+ | chain output { | ||
+ | type filter hook output priority filter; policy accept; | ||
+ | } | ||
+ | } | ||
+ | table ip nat { | ||
+ | chain prerouting { | ||
+ | type nat hook prerouting priority filter; policy accept; | ||
+ | |||
+ | iif " | ||
+ | |||
+ | # Forward web traffic to http.pi | ||
+ | ip daddr { 10.25.0.1/ | ||
+ | |||
+ | # Forward mail traffic to mail.pi | ||
+ | iif " | ||
+ | |||
+ | iif " | ||
+ | } | ||
+ | |||
+ | chain postrouting { | ||
+ | type nat hook postrouting priority srcnat; policy accept; | ||
+ | ip saddr 10.25.0.0/ | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | <file - nftables.service.d/ | ||
+ | [Unit] | ||
+ | Wants= | ||
+ | Wants=libvirtd.service | ||
+ | Before= | ||
+ | After=libvirtd.service | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | Restart=always | ||
+ | RestartSec=5 | ||
+ | </ | ||
+ | <code bash> | ||
+ | pacman -S nftables | ||
+ | systemctl enable --now nftables | ||
+ | </ | ||
+ | ==== libvirtd ==== | ||
+ | libvirt network configuration file | ||
+ | <file - / | ||
+ | network connections=' | ||
+ | < | ||
+ | < | ||
+ | <forward mode=' | ||
+ | <bridge name=' | ||
+ | </ | ||
+ | </ | ||
+ | libvirt qemu hook | ||
+ | <code bash> | ||
+ | pacman -S libvirt virt-install dnsmasq glusterfs | ||
+ | virsh pool-define-as --name ' | ||
+ | virsh pool-autostart vg0 | ||
+ | virsh pool-start vg0 | ||
+ | virsh net-define / | ||
+ | virsh net-start internal | ||
+ | virsh net-autostart internal | ||
+ | systemctl enable --now libvirtd | ||
+ | </ | ||
+ | |||
+ | ==== wireguard ==== | ||
+ | <code bash> | ||
+ | pacman -S wireguard-tools | ||
+ | cd / | ||
+ | wg genkey | tee privatekey | wg pubkey > publickey | ||
+ | chmod 600 privatekey | ||
+ | chown root:root privatekey | ||
+ | </ | ||
+ | <file - / | ||
+ | [NetDev] | ||
+ | Name = wg0 | ||
+ | Kind = wireguard | ||
+ | Description = Wireguard | ||
+ | |||
+ | [WireGuard] | ||
+ | ListenPort = 51820 | ||
+ | PrivateKey = [PI_SERVER_PRIVKEY] | ||
+ | |||
+ | [WireGuardPeer] | ||
+ | # onny | ||
+ | PublicKey = [ONNY_PUBKEY] | ||
+ | AllowedIPs = 10.25.40.2/ | ||
+ | |||
+ | [WireGuardPeer] | ||
+ | # st | ||
+ | PublicKey = [ST_PUBKEY] | ||
+ | AllowedIPs = 10.25.40.3/ | ||
+ | |||
+ | [WireGuardPeer] | ||
+ | # neutrino | ||
+ | PublicKey = [NEUTRINO_PUBKEY] | ||
+ | AllowedIPs = 10.25.40.4/ | ||
+ | |||
+ | [WireGuardPeer] | ||
+ | # jolla (neutrino) | ||
+ | PublicKey = [JOLLA_PUBKEY] | ||
+ | AllowedIPs = 10.25.40.5/ | ||
+ | |||
+ | [WireGuardPeer] | ||
+ | # picloud (onny) | ||
+ | PublicKey = [PICLOUD_PUBKEY] | ||
+ | AllowedIPs = 10.25.40.6/ | ||
+ | </ | ||
+ | <file - / | ||
+ | [Match] | ||
+ | Name = wg0 | ||
+ | |||
+ | [Network] | ||
+ | Address = 10.25.40.1/ | ||
+ | DNS=10.25.0.1 | ||
+ | DNSSEC=false | ||
+ | IPForward=ipv4 | ||
+ | </ | ||
+ | === client === | ||
+ | <code bash> | ||
+ | pacman -S wireguard-tools | ||
+ | cd / | ||
+ | wg genkey | tee privatekey | wg pubkey > publickey | ||
+ | chmod 600 privatekey | ||
+ | chown root:root privatekey | ||
+ | </ | ||
+ | <file - / | ||
+ | [NetDev] | ||
+ | Name = wg0 | ||
+ | Kind = wireguard | ||
+ | Description = Wireguard | ||
+ | |||
+ | [WireGuard] | ||
+ | PrivateKey = [ONNY' | ||
+ | |||
+ | [WireGuardPeer] | ||
+ | PublicKey = [SERVER PUBLICKEY] | ||
+ | AllowedIPs = 10.25.0.0/ | ||
+ | Endpoint = 2a01: | ||
+ | Endpoint = 144.76.16.40: | ||
+ | PersistentKeepalive = 25 | ||
+ | </ | ||
+ | <file - / | ||
+ | [Match] | ||
+ | Name = wg0 | ||
+ | |||
+ | [Network] | ||
+ | Address = 10.25.40.2/ | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl restart systemd-networkd | ||
+ | </ | ||
+ | ==== systemd-journal logging server ==== | ||
+ | <file - / | ||
+ | [Remote] | ||
+ | SplitMode=host | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Journal Remote Sink Service | ||
+ | Documentation=man: | ||
+ | Requires=systemd-journal-remote.socket | ||
+ | |||
+ | [Service] | ||
+ | ExecStart=/ | ||
+ | User=systemd-journal-remote | ||
+ | Group=systemd-journal-remote | ||
+ | PrivateTmp=yes | ||
+ | PrivateDevices=yes | ||
+ | PrivateNetwork=yes | ||
+ | WatchdogSec=3min | ||
+ | |||
+ | [Install] | ||
+ | Also=systemd-journal-remote.socket | ||
+ | </ | ||
+ | <code bash> | ||
+ | mkdir -p / | ||
+ | chown -R systemd-journal-remote: | ||
+ | pacman -S libmicrohttpd | ||
+ | ufw allow from 10.25.0.0/ | ||
+ | systemctl enable --now systemd-journal-remote | ||
+ | </ | ||
+ | ===== ArchLinux Gastsystem ===== | ||
+ | ==== Erstellen ==== | ||
+ | <code bash> | ||
+ | virt-install --video qxl --channel spicevmc --graphics spice, | ||
+ | </ | ||
+ | ==== Löschen ==== | ||
+ | <code bash> | ||
+ | virsh destroy http | ||
+ | virsh undefine http | ||
+ | lvremove / | ||
+ | </ | ||
+ | ==== Speicher vergrößern ==== | ||
+ | <code bash> | ||
+ | lvresize -L +20G vg0/http | ||
+ | virsh start http</ | ||
+ | Auf dem Gastsystem ausführen: | ||
+ | <code bash> | ||
+ | sgdisk -n2:2048:0 -c2:" | ||
+ | shutdown -h now # then start again after that | ||
+ | btrfs filesystem resize max /</ | ||
+ | Bei neueren Version von libguestfs-tools (> | ||
+ | |||
+ | ==== Backup ==== | ||
+ | Raw backup logical volume to picloud (homeserver onnuex) | ||
+ | <code bash> | ||
+ | lvcreate -s -n playground_snap -L 20G / | ||
+ | dd if=/ | ||
+ | lvremove / | ||
+ | </ | ||
+ | Recover backup | ||
+ | <code bash> | ||
+ | gpg -o / | ||
+ | </ | ||
+ | Unfinished backup script: | ||
+ | <code bash> | ||
+ | sas=" | ||
+ | password=" | ||
+ | |||
+ | for vol in `lvs | cut -f3 -d " " | tail -n+2` | ||
+ | do echo " | ||
+ | lvcreate -s -n " | ||
+ | pv -cN source "/ | ||
+ | lvremove "/ | ||
+ | done | ||
+ | </ | ||
+ | ==== Einrichten ==== | ||
+ | <code bash> | ||
+ | mkfs.btrfs /dev/sda | ||
+ | ifconfig eth0 10.25.0.120 up | ||
+ | route add default gw 10.25.0.1 | ||
+ | mount /dev/sda /mnt | ||
+ | ln -sf / | ||
+ | pacstrap /mnt base base-devel tmux mosh yajl wipe rsync procps neovim lsof strace htop net-tools pkgfile dnsutils iotop aria2 tcpdump nload grub btrfs-progs gptfdisk ntp wget rxvt-unicode-terminfo pwgen mlocate fail2ban pv expac openssh git devtools fish nftables ripgrep bat fd pacman-contrib | ||
+ | genfstab -p /mnt >> / | ||
+ | arch-chroot /mnt | ||
+ | chsh -s $(which fish) | ||
+ | sed -i ' | ||
+ | sed -i ' | ||
+ | sed -i ' | ||
+ | sed -i ' | ||
+ | mkdir / | ||
+ | ln -s / | ||
+ | echo " | ||
+ | ln -sf / | ||
+ | sed -i ' | ||
+ | locale-gen | ||
+ | echo ' | ||
+ | echo " | ||
+ | mkinitcpio -p linux | ||
+ | sed -i '/ | ||
+ | grub-mkconfig -o / | ||
+ | grub-install /dev/sda | ||
+ | passwd | ||
+ | useradd -m onny -s / | ||
+ | passwd onny | ||
+ | usermod -a -G sudo onny | ||
+ | sudo -u onny mkdir / | ||
+ | sudo -u onny vim / | ||
+ | chown -R onny:onny /home/onny | ||
+ | updatedb | ||
+ | pkgfile --update | ||
+ | echo " | ||
+ | sed -i ' | ||
+ | systemctl enable --now sshd systemd-networkd nftables fail2ban systemd-resolved | ||
+ | timedatectl set-ntp true | ||
+ | exit | ||
+ | reboot | ||
+ | </ | ||
+ | === nftables === | ||
+ | <file - / | ||
+ | table inet filter { | ||
+ | set tcp_accepted { | ||
+ | type inet_service | ||
+ | flags interval | ||
+ | elements = { 22 } | ||
+ | } | ||
+ | |||
+ | set udp_accepted { | ||
+ | type inet_service | ||
+ | flags interval | ||
+ | elements = { 60000-61000 } | ||
+ | } | ||
+ | |||
+ | chain base_checks { | ||
+ | ct state { established, | ||
+ | ct state invalid drop | ||
+ | } | ||
+ | |||
+ | chain input { | ||
+ | type filter hook input priority filter; policy drop; | ||
+ | jump base_checks | ||
+ | iifname " | ||
+ | ip protocol icmp icmp type { echo-reply, destination-unreachable, | ||
+ | ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, | ||
+ | tcp dport @tcp_accepted accept | ||
+ | udp dport @udp_accepted accept | ||
+ | reject | ||
+ | } | ||
+ | |||
+ | chain forward { | ||
+ | type filter hook forward priority filter; policy drop; | ||
+ | jump base_checks | ||
+ | } | ||
+ | |||
+ | chain output { | ||
+ | type filter hook output priority filter; policy accept; | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | === systemd-networkd === | ||
+ | <file - / | ||
+ | [Match] | ||
+ | Name=ens3 | ||
+ | |||
+ | [Network] | ||
+ | Address=2a01: | ||
+ | Address=10.25.0.100/ | ||
+ | Gateway=10.25.0.1 | ||
+ | Gateway=2a01: | ||
+ | DNS=10.25.0.1 | ||
+ | DNSSEC=false | ||
+ | |||
+ | LinkLocalAddressing = no | ||
+ | IPv6AcceptRA = no | ||
+ | </ | ||
+ | === pacman === | ||
+ | project-insanity build server repo | ||
+ | <file - / | ||
+ | [...] | ||
+ | |||
+ | [projectinsanity] | ||
+ | SigLevel = PackageOptional | ||
+ | Server = https:// | ||
+ | </ | ||
+ | archlinux auto update | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | | ||
+ | | ||
+ | |||
+ | [Service] | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | [Install] | ||
+ | | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | | ||
+ | |||
+ | [Timer] | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | [Install] | ||
+ | | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now autoupdate.timer | ||
+ | </ | ||
+ | === systemd-journald === | ||
+ | systemd logging upload | ||
+ | <file - / | ||
+ | [Upload] | ||
+ | URL=http:// | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Journal Remote Upload Service | ||
+ | Documentation=man: | ||
+ | After=network.target | ||
+ | |||
+ | [Service] | ||
+ | ExecStart=/ | ||
+ | User=systemd-journal-upload | ||
+ | SupplementaryGroups=systemd-journal | ||
+ | PrivateTmp=yes | ||
+ | PrivateDevices=yes | ||
+ | WatchdogSec=3min | ||
+ | |||
+ | # Add reset/ | ||
+ | TimeoutSec=120 | ||
+ | Restart=on-failure | ||
+ | RestartSec=2 | ||
+ | |||
+ | # Add accounting options | ||
+ | CPUAccounting=true | ||
+ | BlockIOAccounting=true | ||
+ | MemoryAccounting=false | ||
+ | TasksAccounting=true | ||
+ | |||
+ | # If there are many splits up journal files we need a lot of file descriptors to access them all and combine | ||
+ | LimitNOFILE=16384 | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <code bash> | ||
+ | useradd systemd-journal-upload | ||
+ | mkdir / | ||
+ | chown -R systemd-journal-upload: | ||
+ | systemctl enable --now systemd-journal-upload | ||
+ | </ | ||
+ | |||
+ | ==== Maintainance ==== | ||
+ | Update configs | ||
+ | <code bash> | ||
+ | sudo pacdiff | ||
+ | </ | ||
+ | ====== mail.pi ====== | ||
+ | on mail.pi | ||
+ | <code bash> | ||
+ | pacman -S maddy | ||
+ | systemctl enable --now maddy | ||
+ | nft add rule inet filter input position 17 tcp dport smtps accept | ||
+ | nft add rule inet filter input position 17 tcp dport smtp accept | ||
+ | nft add rule inet filter input position 17 tcp dport imaps accept | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | <file - / | ||
+ | ... | ||
+ | $(hostname) = turbotux.de | ||
+ | ... | ||
+ | $(primary_domain) = turbotux.de | ||
+ | ... | ||
+ | tls / | ||
+ | ... | ||
+ | </ | ||
+ | <code bash> | ||
+ | maddyctl users create postmaster | ||
+ | maddyctl users create onny@turbotux.de | ||
+ | </ | ||
+ | turbotux.de dns record. get dkim key in ''/ | ||
+ | < | ||
+ | turbotux.de. | ||
+ | turbotux.de. | ||
+ | turbotux.de. | ||
+ | turbotux.de. | ||
+ | _dmarc.turbotux.de. | ||
+ | default._domainkey.turbotux.de | ||
+ | </ | ||
+ | forwarding/ | ||
+ | <code bash> | ||
+ | nft add rule inet filter input position 19 tcp dport smtps accept | ||
+ | nft add rule inet filter input position 19 tcp dport smtp accept | ||
+ | nft add rule inet filter input position 19 tcp dport imaps accept | ||
+ | nft add rule ip nat prerouting position 4 iifname " | ||
+ | nft add rule ip nat prerouting position 4 iifname " | ||
+ | nft add rule ip nat prerouting position 4 iifname " | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | tls. on mail.pi | ||
+ | <code bash> | ||
+ | chmod +x / | ||
+ | sudo -u maddy ssh-keygen # all default values | ||
+ | cat / | ||
+ | </ | ||
+ | on http.pi | ||
+ | <code bash> | ||
+ | useradd -m maddy | ||
+ | mkdir / | ||
+ | vim / | ||
+ | setfacl -R -d -m u:maddy:rx / | ||
+ | urbotux.de/ | ||
+ | .de.key # this does not work so well yet :( | ||
+ | </ | ||
+ | ====== mysql.pi ====== | ||
+ | ===== mariadb ===== | ||
+ | <code bash> | ||
+ | pacman -S mariadb | ||
+ | mysql_install_db --user=mysql --basedir=/ | ||
+ | mysqladmin -u root password ' | ||
+ | mysql_secure_installation | ||
+ | systemctl enable --now mariadb | ||
+ | nft add rule inet filter input position 17 ip saddr 10.25.0.0/ | ||
+ | nft add rule inet filter input position 17 ip6 saddr 2a01: | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | <file - / | ||
+ | # Restart mariadb service | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = mariadb | ||
+ | |||
+ | [Action] | ||
+ | Description = Restarting mariadb service | ||
+ | When = PostTransaction | ||
+ | Exec = /usr/bin/sh -c "/ | ||
+ | </ | ||
+ | <code bash> | ||
+ | chmod 600 / | ||
+ | </ | ||
+ | temporary workaround to get nextcloud to work, see: https:// | ||
+ | <file - / | ||
+ | [...] | ||
+ | [server] | ||
+ | |||
+ | innodb_read_only_compressed=0 | ||
+ | [...] | ||
+ | </ | ||
+ | ===== postgresql ===== | ||
+ | <code bash> | ||
+ | pacman -S postgresql postgresql-old-upgrade | ||
+ | sudo su - postgres -c " | ||
+ | systemctl enable --now postgresql | ||
+ | nft add rule inet filter input position 17 ip saddr 10.25.0.0/ | ||
+ | nft add rule inet filter input position 17 ip6 saddr 2a01: | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | listen_addresses = ' | ||
+ | [...] | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | host all | ||
+ | host all | ||
+ | </ | ||
+ | <file - / | ||
+ | # Restart postgresql service | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = postgresql | ||
+ | |||
+ | [Action] | ||
+ | Description = Restarting postgresql service | ||
+ | When = PostTransaction | ||
+ | Exec = / | ||
+ | </ | ||
+ | ====== http.pi ====== | ||
+ | <code bash> | ||
+ | pacman -S caddy dokuwiki gitlab php-fpm php-apcu phpmyadmin wordpress nginx | ||
+ | systemctl enable --now caddy php-fpm | ||
+ | nft add rule inet filter input position 17 tcp dport " | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | <file - / | ||
+ | # Restart php service | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = php | ||
+ | Target = php-fpm | ||
+ | |||
+ | [Action] | ||
+ | Description = Restarting php service | ||
+ | When = PostTransaction | ||
+ | Exec = / | ||
+ | </ | ||
+ | custom caddy installation | ||
+ | <code bash> | ||
+ | pacaur -d caddy | ||
+ | </ | ||
+ | <file - ~/ | ||
+ | [...] | ||
+ | # ' | ||
+ | ' | ||
+ | # ' | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | cd ~/ | ||
+ | makepkg -i --skipinteg | ||
+ | </ | ||
+ | <file - / | ||
+ | [Service] | ||
+ | ProtectHome=false | ||
+ | </ | ||
+ | ===== caddy ===== | ||
+ | <code bash> | ||
+ | pacman -S caddy | ||
+ | gpasswd -a caddy http | ||
+ | </ | ||
+ | <file - / | ||
+ | import / | ||
+ | </ | ||
+ | <file - / | ||
+ | www.ausstellung-virtuell.de ausstellung-virtuell.de { | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | reverse_proxy http:// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | blog.project-insanity.org { | ||
+ | |||
+ | root * / | ||
+ | file_server | ||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | php_fastcgi unix// | ||
+ | |||
+ | @uploads { | ||
+ | path_regexp path / | ||
+ | } | ||
+ | rewrite @uploads / | ||
+ | |||
+ | @wp-admin { | ||
+ | path not ^\/ | ||
+ | } | ||
+ | rewrite @wp-admin {path}/ | ||
+ | |||
+ | } | ||
+ | |||
+ | </ | ||
+ | <file - / | ||
+ | git.project-insanity.org { | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | reverse_proxy unix// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | jhartung.sinewell.de { | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | reverse_proxy https:// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | nextcloud.project-insanity.org { | ||
+ | |||
+ | root * / | ||
+ | file_server | ||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | php_fastcgi unix// | ||
+ | env front_controller_active true | ||
+ | } | ||
+ | |||
+ | header { | ||
+ | # enable HSTS | ||
+ | Strict-Transport-Security max-age=31536000; | ||
+ | } | ||
+ | |||
+ | redir / | ||
+ | redir / | ||
+ | |||
+ | # .htaccess / data / config / ... shouldn' | ||
+ | @forbidden { | ||
+ | path /.htaccess | ||
+ | path /data/* | ||
+ | path /config/* | ||
+ | path / | ||
+ | path /.xml | ||
+ | path /README | ||
+ | path /3rdparty/* | ||
+ | path /lib/* | ||
+ | path / | ||
+ | path /occ | ||
+ | path / | ||
+ | } | ||
+ | |||
+ | respond @forbidden 404 | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | onny.project-insanity.org { | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | reverse_proxy http:// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | wiki.project-insanity.org { | ||
+ | |||
+ | root * / | ||
+ | file_server | ||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | encode zstd gzip | ||
+ | php_fastcgi unix// | ||
+ | |||
+ | @restrict_files { | ||
+ | path /data/* /conf/* /bin/* /inc/* /vendor/* / | ||
+ | } | ||
+ | respond @restrict_files 404 | ||
+ | |||
+ | @allow_media { | ||
+ | path_regexp path ^/ | ||
+ | } | ||
+ | rewrite @allow_media / | ||
+ | |||
+ | @allow_detail | ||
+ | path /_detail* | ||
+ | } | ||
+ | rewrite @allow_detail / | ||
+ | |||
+ | @allow_export | ||
+ | path /_export* | ||
+ | path_regexp export / | ||
+ | } | ||
+ | rewrite @allow_export / | ||
+ | |||
+ | try_files {path} {path}/ / | ||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | http:// | ||
+ | |||
+ | root * /var/www | ||
+ | file_server * browse | ||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | php_fastcgi unix// | ||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | beta.saai.digital { | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | reverse_proxy http:// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | office.project-insanity.org { | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | # Routing Onlyoffice Spellchecker | ||
+ | route / | ||
+ | uri strip_prefix / | ||
+ | reverse_proxy localhost: | ||
+ | } | ||
+ | |||
+ | # Routing Onlyoffice Documentserver etc. | ||
+ | @onlyoffice { | ||
+ | path_regexp path ^/ | ||
+ | } | ||
+ | rewrite @onlyoffice / | ||
+ | route /proxy/* { | ||
+ | uri strip_prefix /proxy/ | ||
+ | reverse_proxy localhost: | ||
+ | } | ||
+ | |||
+ | # Route to Officepad | ||
+ | reverse_proxy / http:// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | need to convert | ||
+ | <file - / | ||
+ | www.turbotux.de turbotux.de { | ||
+ | log / | ||
+ | errors / | ||
+ | gzip | ||
+ | tls onny@project-insanity.org | ||
+ | proxy / http:// | ||
+ | websocket | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | ===== php-fpm ===== | ||
+ | <code bash> | ||
+ | cp / | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | pm.max_children = 16 | ||
+ | [...] | ||
+ | pm.start_servers = 9 | ||
+ | [...] | ||
+ | pm.max_spare_servers = 10 | ||
+ | [...] | ||
+ | ; | ||
+ | env[PATH] = / | ||
+ | env[TMP] = /tmp | ||
+ | env[TMPDIR] = /tmp | ||
+ | env[TEMP] = /tmp | ||
+ | [...] | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | [http.pi] | ||
+ | [...] | ||
+ | listen = / | ||
+ | [...] | ||
+ | </ | ||
+ | <file - / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | </ | ||
+ | |||
+ | ===== wordpress ===== | ||
+ | <code bash> | ||
+ | pacman -S wordpress wp-cli wordpress-plugin-antispam-bee wordpress-plugin-code-syntax-block wordpress-plugin-jetpack-lite wordpress-plugin-lightbox-photoswipe wordpress-plugin-wp-gdpr-compliance wordpress-plugin-wp-statistics wordpress-plugin-co-authors-plus wordpress-theme-geist wordpress-plugin-wp-user-avatar wordpress-plugin-opengraph wordpress-plugin-simple-login-captcha wordpress-plugin-disable-xml-rpc wordpress-plugin-async-javascript wordpress-plugin-breeze wordpress-plugin-webp-converter-for-media | ||
+ | chown -R http:http / | ||
+ | </ | ||
+ | <file - / | ||
+ | extension=mysqli | ||
+ | </ | ||
+ | <file php / | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | [...] | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | define(' | ||
+ | [...] | ||
+ | define(' | ||
+ | define(' | ||
+ | define( ' | ||
+ | define( ' | ||
+ | $_SERVER[' | ||
+ | define( ' | ||
+ | </ | ||
+ | <file - / | ||
+ | # Update Wordpress when core or plugins get updated | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = wordpress | ||
+ | Target = wordpress-plugin-* | ||
+ | |||
+ | [Action] | ||
+ | Description = Updating Wordpress installation | ||
+ | When = PostTransaction | ||
+ | Exec = /usr/bin/sh -c "/ | ||
+ | </ | ||
+ | <code bash> | ||
+ | sudo -u http wp plugin activate --path=/ | ||
+ | sudo -u http wp theme activate --path=/ | ||
+ | </ | ||
+ | Additional CSS for Geist theme | ||
+ | <code css> | ||
+ | @media (max-width: 1400px) { | ||
+ | .single-post .post-content > p: | ||
+ | font-size: | ||
+ | } | ||
+ | |||
+ | .single-post .post-content > p, ul { | ||
+ | font-size: | ||
+ | } | ||
+ | |||
+ | .single-post .post-content > h3 { | ||
+ | padding-bottom: | ||
+ | } | ||
+ | </ | ||
+ | Misc settings | ||
+ | * WP Statistics | ||
+ | * Settings -> privacy: "Hash IP Addresses" | ||
+ | * Lightbox with PhotoSwipe | ||
+ | * Enable "Show caption if available" | ||
+ | * Enable "Get image captions from the database" | ||
+ | * Spacing between pictures: 12% | ||
+ | * Settings -> Permalinks -> Custom structure: ''/ | ||
+ | * Settings -> General -> 8 posts per page | ||
+ | * Settings -> Discussion -> Show avatar | ||
+ | * Default Avatar -> Mytery Man | ||
+ | * Users -> Your Profile -> Avatar: Choose picture | ||
+ | * Dark mode is not enabled by default. To enable this feature go to Appearance > Customize > Dark Mode. | ||
+ | Additional CSS for Ghost theme: | ||
+ | <code css> | ||
+ | @media (max-width: 1400px) { | ||
+ | .single-post .post-content > p: | ||
+ | font-size: | ||
+ | } | ||
+ | |||
+ | .single-post .post-content > p, ul { | ||
+ | font-size: | ||
+ | } | ||
+ | |||
+ | .single-post .post-content > h3 { | ||
+ | padding-bottom: | ||
+ | } | ||
+ | } | ||
+ | |||
+ | .post-full-content h2 { | ||
+ | margin-bottom: | ||
+ | } | ||
+ | </ | ||
+ | ==== co-authors-plus plugin ==== | ||
+ | template-Anpassung \\ | ||
+ | [[https:// | ||
+ | <file php / | ||
+ | if ( function_exists( ' | ||
+ | coauthors_posts_links(); | ||
+ | } else { | ||
+ | the_author_posts_link(); | ||
+ | } | ||
+ | </ | ||
+ | ===== invoiceninja ===== | ||
+ | on mysql.pi | ||
+ | <code sql> | ||
+ | CREATE SCHEMA `ninja` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci; | ||
+ | CREATE USER ' | ||
+ | GRANT ALL PRIVILEGES ON `ninja`.* TO ' | ||
+ | FLUSH PRIVILEGES; | ||
+ | </ | ||
+ | on http.pi | ||
+ | <code bash> | ||
+ | pacman -S invoiceninja | ||
+ | </ | ||
+ | <file - / | ||
+ | extension=gmp | ||
+ | </ | ||
+ | <code bash> | ||
+ | cd / | ||
+ | sudo chown -R http:http storage public/logo bootstrap | ||
+ | sudo chown http:http . | ||
+ | sudo -u http composer install | ||
+ | </ | ||
+ | <file - / | ||
+ | http:// | ||
+ | log / | ||
+ | errors / | ||
+ | gzip | ||
+ | |||
+ | tls off | ||
+ | root / | ||
+ | browse | ||
+ | |||
+ | rewrite { | ||
+ | r .* | ||
+ | ext / | ||
+ | to / | ||
+ | } | ||
+ | |||
+ | fastcgi / / | ||
+ | index index.php index.htm index.html | ||
+ | } | ||
+ | } | ||
+ | [...] | ||
+ | </ | ||
+ | Settings | ||
+ | * Localization | ||
+ | * Currency: Euro | ||
+ | * Timezone: Berlin | ||
+ | * Date Format: 31.12.2019 | ||
+ | * Date/Time Format: 31.12.2019 12:00 am | ||
+ | * 24 Hour Time: Enabled | ||
+ | * First Day of the Week: Monday | ||
+ | * First Month of the Year: January | ||
+ | ===== invoiceplane ===== | ||
+ | <code bash> | ||
+ | pacman -S invoiceplane composer grunt-cli | ||
+ | cd / | ||
+ | chown -R http:http . | ||
+ | sudo -u http composer install | ||
+ | sudo -u http npm install | ||
+ | sudo -u http grunt build | ||
+ | cp ipconfig.php.example ipconfig.php | ||
+ | wget " | ||
+ | </ | ||
+ | Visit installation wizard at http:// | ||
+ | <file - / | ||
+ | [...] | ||
+ | SETUP_COMPLETED=true | ||
+ | DB_HOSTNAME=mysql.pi | ||
+ | DB_USERNAME=invoiceplane | ||
+ | DB_PASSWORD=**** | ||
+ | DB_DATABASE=invoiceplane | ||
+ | DISABLE_SETUP=true | ||
+ | </ | ||
+ | <file - / | ||
+ | [Service] | ||
+ | [...] | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | </ | ||
+ | Custom settings | ||
+ | * Products -> Product units | ||
+ | * Add: '' | ||
+ | * System-Einstellungen -> Rechnungen | ||
+ | * Standard PDF Vorlage: vtdirektmarketing | ||
+ | ===== firefox account server ===== | ||
+ | <code bash> | ||
+ | pacaur -S mozilla-firefox-account-server | ||
+ | </ | ||
+ | ===== podcasttune ===== | ||
+ | not yet stable | ||
+ | ===== dokuwiki ===== | ||
+ | <code bash> | ||
+ | pacman -S dokuwiki dokuwiki-plugin-dw2pdf dokuwiki-template-argon | ||
+ | </ | ||
+ | <file php / | ||
+ | <?php | ||
+ | $conf[' | ||
+ | $conf[' | ||
+ | $conf[' | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | $conf[' | ||
+ | [...] | ||
+ | </ | ||
+ | <file - / | ||
+ | @page { | ||
+ | margin-left: | ||
+ | } | ||
+ | |||
+ | [...] | ||
+ | </ | ||
+ | usage: '' | ||
+ | * Todo | ||
+ | * DSGVO complience | ||
+ | ===== gitlab ===== | ||
+ | <code bash> | ||
+ | pacman -S yarn sendmail gitlab | ||
+ | ln -s / | ||
+ | </ | ||
+ | disable backups | ||
+ | <file - / | ||
+ | [...] | ||
+ | gitlab: | ||
+ | ## Web server settings (note: host is the FQDN, do not include http://) | ||
+ | host: git.project-insanity.org | ||
+ | port: 443 # Set to 443 if using HTTPS, see installation.md# | ||
+ | https: true # Set to true if using HTTPS, see installation.md# | ||
+ | [...] | ||
+ | #backup: | ||
+ | # path: "/ | ||
+ | </ | ||
+ | configure database connection | ||
+ | <file - / | ||
+ | production: | ||
+ | adapter: postgresql | ||
+ | encoding: unicode | ||
+ | database: gitlabhq_production | ||
+ | pool: 10 | ||
+ | username: gitlab | ||
+ | password: " | ||
+ | host: mysql.pi | ||
+ | </ | ||
+ | on mysql.pi | ||
+ | <code bash> | ||
+ | sudo -u postgres psql -d template1 -c " | ||
+ | sudo -u postgres psql -d template1 -c " | ||
+ | sudo -u postgres psql -d template1 -c " | ||
+ | sudo -u postgres psql -d template1 -c "ALTER USER gitlab WITH SUPERUSER;" | ||
+ | </ | ||
+ | on http.pi | ||
+ | <code bash> | ||
+ | cd / | ||
+ | sudo -u gitlab -H bundle exec rake assets: | ||
+ | sudo -u gitlab -H bundle exec rake gitlab: | ||
+ | | ||
+ | </ | ||
+ | Enable smtp, mail delivery | ||
+ | <file ruby / | ||
+ | # To enable smtp email delivery for your GitLab instance do the following: | ||
+ | # 1. Rename this file to smtp_settings.rb | ||
+ | # 2. Edit settings inside this file | ||
+ | # 3. Restart GitLab instance | ||
+ | # | ||
+ | # For full list of options and their values see http:// | ||
+ | # | ||
+ | # If you change this file in a Merge Request, please also create a Merge Request on https:// | ||
+ | |||
+ | if Rails.env.production? | ||
+ | Rails.application.config.action_mailer.delivery_method = :smtp | ||
+ | |||
+ | ActionMailer:: | ||
+ | ActionMailer:: | ||
+ | address: " | ||
+ | port: 25, | ||
+ | user_name: " | ||
+ | password: " | ||
+ | domain: " | ||
+ | authentication: | ||
+ | enable_starttls_auto: | ||
+ | openssl_verify_mode: | ||
+ | } | ||
+ | end | ||
+ | </ | ||
+ | further general mail settings | ||
+ | <file - / | ||
+ | ## Email settings | ||
+ | # Uncomment and set to false if you need to disable email sending from GitLab (default: true) | ||
+ | email_enabled: | ||
+ | # Email address used in the " | ||
+ | email_from: noreply@project-insanity.org | ||
+ | email_display_name: | ||
+ | email_reply_to: | ||
+ | email_subject_suffix: | ||
+ | </ | ||
+ | Auto migrate on pacman update | ||
+ | <file - / | ||
+ | # Update Gitlab when core or other Gitlab daemons are touched | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = gitlab | ||
+ | Target = gitlab-* | ||
+ | |||
+ | [Action] | ||
+ | Description = Updating Gitlab installation | ||
+ | When = PostTransaction | ||
+ | Exec = /usr/bin/sh -c "/ | ||
+ | </ | ||
+ | <file - / | ||
+ | **** | ||
+ | </ | ||
+ | <code bash> | ||
+ | hexdump -v -n 64 -e '1/1 " | ||
+ | hexdump -v -n 64 -e '1/1 " | ||
+ | chown root:gitlab / | ||
+ | chmod 640 / | ||
+ | </ | ||
+ | misc settings: | ||
+ | * enable recaptcha for registration https:// | ||
+ | * disable ssh git protocol: Admin -> Settings -> Expand " | ||
+ | ===== onlyoffice documentserver ===== | ||
+ | <code bash> | ||
+ | pacman -S npm nodejs rabbitmq redis onlyoffice-documentserver | ||
+ | ln -s / | ||
+ | </ | ||
+ | on mysql.pi | ||
+ | <code bash> | ||
+ | sudo -i -u postgres psql -c " | ||
+ | sudo -i -u postgres psql -c " | ||
+ | sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;" | ||
+ | psql -hmysql.pi -Uonlyoffice -d onlyoffice -f / | ||
+ | </ | ||
+ | <file - / | ||
+ | office.project-insanity.org { | ||
+ | log / | ||
+ | errors / | ||
+ | |||
+ | proxy / | ||
+ | transparent | ||
+ | websocket | ||
+ | without / | ||
+ | } | ||
+ | |||
+ | rewrite { | ||
+ | r ^/ | ||
+ | to / | ||
+ | } | ||
+ | |||
+ | proxy /proxy/ http:// | ||
+ | websocket | ||
+ | transparent | ||
+ | without /proxy/ | ||
+ | } | ||
+ | |||
+ | proxy / http:// | ||
+ | transparent | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | }, | ||
+ | [...] | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | 10.25.0.100 nextcloud.project-insanity.org | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now rabbitmq redis onlyoffice-docservice onlyoffice-fileconverter onlyoffice-spellchecker | ||
+ | </ | ||
+ | ==== officepad ==== | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Documentserver integration example | ||
+ | |||
+ | [Service] | ||
+ | User=http | ||
+ | WorkingDirectory=/ | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=basic.target | ||
+ | </ | ||
+ | <code bash> | ||
+ | sudo git clone git clone https:// | ||
+ | sudo chown -R http:http / | ||
+ | systemd daemon-reload | ||
+ | systemctl enable --now officepad | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | siteUrl": | ||
+ | [...] | ||
+ | </ | ||
+ | ===== nextcloud ===== | ||
+ | <code bash> | ||
+ | pacman -S php-imagick php-intl nextcloud nextcloud-app-twofactor-gateway nextcloud-app-audioplayer nextcloud-app-polls nextcloud-app-extract nextcloud-app-suspicious-login nextcloud nextcloud-app-mail nextcloud-app-news nextcloud-app-calendar nextcloud-app-contacts nextcloud-app-keeweb nextcloud-app-deck nextcloud-app-onlyoffice nextcloud-app-bookmarks nextcloud-app-notes nextcloud-app-talk nextcloud-integration-github nextcloud-integration-twitter nextcloud-integration-reddit nextcloud-integration-discourse nextcloud-app-radio nextcloud-app-podcast | ||
+ | </ | ||
+ | <file - / | ||
+ | env[PATH] = / | ||
+ | env[TMP] = /tmp | ||
+ | env[TMPDIR] = /tmp | ||
+ | env[TEMP] = /tmp | ||
+ | </ | ||
+ | php performance optimizations | ||
+ | <file - / | ||
+ | memory_limit = 512M | ||
+ | |||
+ | extension=gd | ||
+ | extension=pdo_mysql | ||
+ | extension=apcu | ||
+ | extension=intl | ||
+ | extension=iconv | ||
+ | extension=imagick | ||
+ | extension=bcmath | ||
+ | |||
+ | # Nextcloud recommended performance settings | ||
+ | zend_extension=opcache.so | ||
+ | opcache.enable=1 | ||
+ | opcache.enable_cli=1 | ||
+ | opcache.interned_strings_buffer=8 | ||
+ | opcache.max_accelerated_files=10000 | ||
+ | opcache.memory_consumption=128 | ||
+ | opcache.save_comments=1 | ||
+ | opcache.revalidate_freq=1 | ||
+ | |||
+ | apc.enable_cli=1 | ||
+ | </ | ||
+ | <file - / | ||
+ | <?php | ||
+ | $CONFIG = array ( | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | array ( | ||
+ | 0 => ' | ||
+ | 1 => ' | ||
+ | 2 => ' | ||
+ | ), | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | ' | ||
+ | array ( | ||
+ | 0 => ' | ||
+ | 1 => ' | ||
+ | 2 => ' | ||
+ | 3 => ' | ||
+ | 4 => ' | ||
+ | 5 => ' | ||
+ | 6 => ' | ||
+ | 7 => ' | ||
+ | 8 => ' | ||
+ | 9 => ' | ||
+ | ), | ||
+ | ); | ||
+ | </ | ||
+ | Due to [[https:// | ||
+ | <file - / | ||
+ | [Service] | ||
+ | [...] | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | ReadWritePaths = / | ||
+ | </ | ||
+ | Auto upgrade on pacman update | ||
+ | <code bash> | ||
+ | ln -sv / | ||
+ | </ | ||
+ | <file - / | ||
+ | # Update Nextcloud when core or -apps are touched | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = nextcloud | ||
+ | Target = nextcloud-app-* | ||
+ | |||
+ | [Action] | ||
+ | Description = Updating Nextcloud installation | ||
+ | When = PostTransaction | ||
+ | Exec = /usr/bin/sh -c "/ | ||
+ | </ | ||
+ | Nextcloud background job (cron) | ||
+ | <file -/ | ||
+ | [Unit] | ||
+ | Description=Nextcloud cron.php job | ||
+ | |||
+ | [Service] | ||
+ | User=nextcloud | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=basic.target | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Run Nextcloud cron.php every 15 minutes | ||
+ | |||
+ | [Timer] | ||
+ | OnBootSec=5min | ||
+ | OnUnitActiveSec=15min | ||
+ | Unit=nextcloudcron.service | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=timers.target | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now nextcloudcron.timer | ||
+ | </ | ||
+ | Add additional mimetype for keeweb app | ||
+ | <code bash> | ||
+ | cd / | ||
+ | cp resources/ | ||
+ | </ | ||
+ | add kdbx line to json config | ||
+ | <file - / | ||
+ | [...] | ||
+ | " | ||
+ | " | ||
+ | |||
+ | " | ||
+ | " | ||
+ | " | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | occ app:enable twofactor_gateway audioplayer polls extract suspicious_login mail news calendar contacts keeweb deck onlyoffice bookmarks notes talk integration_github integration_twitter integration_reddit integration_discourse radio podcast | ||
+ | </ | ||
+ | ==== mail ==== | ||
+ | disable ssl verification of imap/smpt host | ||
+ | <file - / | ||
+ | [...] | ||
+ | ' | ||
+ | [...] | ||
+ | </ | ||
+ | ==== twofactor_gateway ==== | ||
+ | disposible phone number registration http:// | ||
+ | <file - / | ||
+ | [...] | ||
+ | tel: " | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | cd / | ||
+ | sudo -u http ./occ twofactorauth: | ||
+ | cd / | ||
+ | sudo -u signal signal-web-gateway # enter verification | ||
+ | systemctl enable --now signal-web-gateway | ||
+ | </ | ||
+ | * Activate 2FA in '' | ||
+ | * Enter your phone number and press verify | ||
+ | |||
+ | ==== onlyoffice ==== | ||
+ | * Paste in '' | ||
+ | ==== mantainance ==== | ||
+ | Run file integrity checks | ||
+ | <code bash> | ||
+ | sudo -u http / | ||
+ | sudo -u http / | ||
+ | sudo -u http / | ||
+ | </ | ||
+ | ===== phpmyadmin ===== | ||
+ | <file - / | ||
+ | [...] | ||
+ | /* Server parameters */ | ||
+ | $cfg[' | ||
+ | $cfg[' | ||
+ | [...] | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== cockpit ===== | ||
+ | <code bash> | ||
+ | pacman -S cockpit | ||
+ | systemctl enable --now cockpit pmcd | ||
+ | useradd -m cockpit | ||
+ | passwd cockpit | ||
+ | nft add rule inet filter input position 17 ip saddr 10.25.40.0/ | ||
+ | nft add rule inet filter input position 17 ip6 saddr 2a01: | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | cockpit ALL=(ALL) ALL | ||
+ | [...] | ||
+ | </ | ||
+ | <file - / | ||
+ | #%PAM-1.0 | ||
+ | |||
+ | auth required | ||
+ | auth optional | ||
+ | auth required | ||
+ | |||
+ | account | ||
+ | account | ||
+ | account | ||
+ | |||
+ | password | ||
+ | password | ||
+ | |||
+ | session | ||
+ | session | ||
+ | session | ||
+ | </ | ||
+ | |||
+ | ===== outline ===== | ||
+ | on http.pi | ||
+ | <code bash> | ||
+ | pacman -S outline | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | SECRET_KEY=**** | ||
+ | DATABASE_URL=postgres:// | ||
+ | REDIS_URL=redis:// | ||
+ | URL=http:// | ||
+ | FORCE_HTTPS=false | ||
+ | </ | ||
+ | on mysql.pi | ||
+ | <code bash> | ||
+ | sudo -i -u postgres psql -c " | ||
+ | sudo -i -u postgres psql -c " | ||
+ | sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE outline TO outline;" | ||
+ | </ | ||
+ | on http.pi | ||
+ | <code bash> | ||
+ | cd / | ||
+ | npm run sequelize: | ||
+ | systemctl enable --now outline | ||
+ | </ | ||
+ | |||
+ | ====== storage.pi ====== | ||
+ | ===== kol ha campus archive radio stream ===== | ||
+ | <code bash> | ||
+ | pacman -S vlc pulseaudio | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=160fm.co.il archive radio stream server | ||
+ | After=network-online.target | ||
+ | |||
+ | [Service] | ||
+ | User=onny | ||
+ | Type=simple | ||
+ | ExecStart=/ | ||
+ | Restart=on-abort | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=PulseAudio system server | ||
+ | |||
+ | [Service] | ||
+ | ExecStart=/ | ||
+ | ExecReload=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <file - / | ||
+ | <?xml version=" | ||
+ | < | ||
+ | " | ||
+ | < | ||
+ | <policy group=" | ||
+ | <allow own=" | ||
+ | </ | ||
+ | |||
+ | <policy context=" | ||
+ | <allow send_destination=" | ||
+ | <allow receive_sender=" | ||
+ | </ | ||
+ | </ | ||
+ | </ | ||
+ | <code bash> | ||
+ | echo " | ||
+ | echo " | ||
+ | systemctl daemon-reload | ||
+ | groupadd --system pulse | ||
+ | groupadd --system pulse-access | ||
+ | useradd --system -g pulse -G audio -d / | ||
+ | gpasswd -a onny audio, | ||
+ | systemctl enable --now pulseaudio 106fm_archive_stream | ||
+ | nft add rule inet filter input position 17 ip saddr 10.25.0.0/ | ||
+ | nft add rule inet filter input position 17 ip6 saddr 2a01: | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | also added a caddy rule on http.pi for the url: https:// | ||
+ | ===== bitcoind ===== | ||
+ | <code bash> | ||
+ | pacman -S bitcoin-daemon | ||
+ | systemctl start bitcoind | ||
+ | systemctl enable bitcoind | ||
+ | ufw allow from 10.25.0.0/ | ||
+ | </ | ||
+ | https:// | ||
+ | ====== playground.pi ====== | ||
+ | <code bash> | ||
+ | pacman -S devtools | ||
+ | </ | ||
+ | ===== beta.saai.digital ===== | ||
+ | <code bash> | ||
+ | pacman -S iptables-nft | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | chain forward { | ||
+ | type filter hook forward priority security; policy drop; | ||
+ | mark 1 accept | ||
+ | [...] | ||
+ | table ip filter { | ||
+ | chain DOCKER-USER { | ||
+ | mark set 1 | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now docker | ||
+ | </ | ||
+ | ===== QuakeJS ===== | ||
+ | <code bash> | ||
+ | pacman -S quakejs-git | ||
+ | cd / | ||
+ | chown -R quakejs: | ||
+ | sudo -u quakejs node build/ | ||
+ | </ | ||
+ | <file - / | ||
+ | QUAKEJS_DS_PARAMS=" | ||
+ | </ | ||
+ | <file - / | ||
+ | seta sv_hostname " | ||
+ | seta sv_maxclients 12 | ||
+ | seta g_motd " | ||
+ | seta g_quadfactor 3 | ||
+ | seta g_gametype 0 | ||
+ | seta timelimit 15 | ||
+ | seta fraglimit 25 | ||
+ | seta g_weaponrespawn 3 | ||
+ | seta g_inactivity 3000 | ||
+ | seta g_forcerespawn 0 | ||
+ | seta rconpassword " | ||
+ | set d1 "map q3dm17 ; set nextmap vstr d2" | ||
+ | set d2 "map q3tourney3 ; set nextmap vstr d3" | ||
+ | set d3 "map q3tourney1 ; set nextmap vstr d1" | ||
+ | vstr d1 | ||
+ | </ | ||
+ | <file - / | ||
+ | { | ||
+ | " | ||
+ | " | ||
+ | } | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now quakejs-ds quakejs quakejs-cdn | ||
+ | </ | ||
+ | ===== PI ArchLinux Repository ===== | ||
+ | build and install auruitls from source | ||
+ | <code bash> | ||
+ | cd /tmp | ||
+ | curl " | ||
+ | cd aurutils | ||
+ | gpg --recv-keys DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A | ||
+ | makepkg -i | ||
+ | pacman --root=/ | ||
+ | pacman --root=/ | ||
+ | pacman --root=/ | ||
+ | sudo / | ||
+ | </ | ||
+ | configure custom repository | ||
+ | <file - / | ||
+ | [...] | ||
+ | Include = / | ||
+ | </ | ||
+ | <file - / | ||
+ | [options] | ||
+ | CacheDir = / | ||
+ | CacheDir = / | ||
+ | CleanMethod = KeepCurrent | ||
+ | |||
+ | [aur] | ||
+ | SigLevel = Optional TrustAll | ||
+ | Server = file:/// | ||
+ | </ | ||
+ | <file - / | ||
+ | [...] | ||
+ | aur ALL = NOPASSWD: SETENV: / | ||
+ | aur ALL = NOPASSWD: / | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | sudo useradd -m aur | ||
+ | sudo install -d / | ||
+ | sudo repo-add / | ||
+ | sudo chown -R aur:aur / | ||
+ | sudo -u aur gpg --recv-keys 6BC26A17B9B7018A | ||
+ | sudo -u aur gpg --recv-keys 1D1F0DC78F173680 | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | | ||
+ | | ||
+ | |||
+ | [Service] | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | [Install] | ||
+ | | ||
+ | </ | ||
+ | <file - / | ||
+ | #!/bin/bash | ||
+ | for package in $(pacman -Sql projectinsanity) | ||
+ | do | ||
+ | aur sync --no-view -c $package | ||
+ | done | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | | ||
+ | |||
+ | [Timer] | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | [Install] | ||
+ | | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now aurupdate.timer | ||
+ | </ | ||
+ | <code bash> | ||
+ | sudo -u aur gpg --recv-keys 2A349DD577D586A5 | ||
+ | sudo -u aur aur sync -d projectinsanity -c librewolf pkgbuild-introspection tor-browser-en r128gain split2flac id3ted redshift-wlr-gamma-control-git krop wcalc anbox-git ocenaudio-bin smloadr soulseekqt aurutils downgrade maddy wp-cli wordpress-plugin-antispam-bee wordpress-plugin-code-syntax-block wordpress-plugin-jetpack-lite wordpress-plugin-lightbox-photoswipe wordpress-plugin-wp-gdpr-compliance wordpress-plugin-wp-statistics jellyfin onlyoffice-documentserver nextcloud-app-twofactor-gateway nextcloud-app-audioplayer nextcloud-app-polls nextcloud-app-extract nextcloud-app-suspicious-login nextcloud-app-keeweb nextcloud-app-radio nextcloud-app-onlyoffice fdroidserver android-sdk android-sdk-build-tools gplaycli vlc-bittorrent qlcplus signal-web-gateway-git invoiceninja invoiceplane python-gspread-git etcher zeronet teamviewer scrcpy ttyd wdisplays-git dmenu-wayland-git python-soundcard python-soundfile pacaur archivemount micro python-rpi.gpio python-pad4pi python-pulse-control python-rplcd python-vlc python-mpv pmbootstrap wordpress-theme-geist linux-libre opensnitch-git powerpill osmctools tilemaker nextcloud-app-talk xerox-phaser-6000-6010 dokuwiki-plugin-captcha dokuwiki-plugin-dw2pdf dokuwiki-template-argon nextcloud-integration-github nextcloud-integration-twitter nextcloud-integration-reddit nextcloud-integration-discourse wordpress-plugin-opengraph nextcloud-app-podcast wordpress-plugin-simple-login-captcha wordpress-plugin-disable-xml-rpc wordpress-plugin-async-javascript wordpress-plugin-breeze wordpress-plugin-webp-converter-for-media | ||
+ | pacman -S caddy | ||
+ | gpasswd -a caddy http | ||
+ | systemctl enable --now caddy | ||
+ | nft add rule inet filter input position 17 ip saddr 10.25.0.0/ | ||
+ | nft add rule inet filter input position 17 ip6 saddr 2a01: | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | caddy configuration | ||
+ | <file - / | ||
+ | import conf.d/ | ||
+ | </ | ||
+ | <file - / | ||
+ | http:// | ||
+ | |||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | handle /archlinux { | ||
+ | redir https:// | ||
+ | } | ||
+ | |||
+ | handle / | ||
+ | root * / | ||
+ | uri strip_prefix /archlinux | ||
+ | file_server browse | ||
+ | } | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl restart caddy | ||
+ | </ | ||
+ | caddy configuration on http-pub.pi: | ||
+ | <file - / | ||
+ | [...] | ||
+ | proxy /archlinux playground.pi { | ||
+ | transparent | ||
+ | } | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl restart caddy | ||
+ | </ | ||
+ | ====== http-pub.pi ====== | ||
+ | <code bash> | ||
+ | pacman -S caddy php-fpm | ||
+ | systemctl enable --now caddy php-fpm | ||
+ | nft add rule inet filter input position 17 ip saddr 10.25.0.0/ | ||
+ | nft add rule inet filter input position 17 ip6 saddr 2a01: | ||
+ | nft list ruleset > / | ||
+ | </ | ||
+ | <file - / | ||
+ | # Restart php service | ||
+ | |||
+ | [Trigger] | ||
+ | Operation = Install | ||
+ | Operation = Upgrade | ||
+ | Type = Package | ||
+ | Target = php | ||
+ | Target = php-fpm | ||
+ | |||
+ | [Action] | ||
+ | Description = Restarting php service | ||
+ | When = PostTransaction | ||
+ | Exec = / | ||
+ | </ | ||
+ | custom caddy installation | ||
+ | <code bash> | ||
+ | pacaur -d caddy | ||
+ | </ | ||
+ | <file - ~/ | ||
+ | [...] | ||
+ | # ' | ||
+ | ' | ||
+ | # ' | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | cd ~/ | ||
+ | makepkg -i --skipinteg | ||
+ | </ | ||
+ | ===== caddy ===== | ||
+ | <code bash> | ||
+ | pacman -S caddy | ||
+ | gpasswd -a caddy http | ||
+ | </ | ||
+ | <file - / | ||
+ | import / | ||
+ | </ | ||
+ | <file - / | ||
+ | http:// | ||
+ | redir https:// | ||
+ | } | ||
+ | |||
+ | http:// | ||
+ | |||
+ | root * / | ||
+ | file_server | ||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | php_fastcgi unix// | ||
+ | |||
+ | @mainpage { | ||
+ | path_regexp path ^/([^.]+)$ | ||
+ | } | ||
+ | rewrite @mainpage / | ||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | http:// | ||
+ | |||
+ | reverse_proxy /archlinux* playground.pi: | ||
+ | | ||
+ | root * / | ||
+ | file_server | ||
+ | log { | ||
+ | output file / | ||
+ | format single_field common_log | ||
+ | } | ||
+ | |||
+ | php_fastcgi unix// | ||
+ | |||
+ | } | ||
+ | </ | ||
+ | <file - / | ||
+ | [Service] | ||
+ | ProtectHome=false | ||
+ | LimitNOFILE=infinity | ||
+ | LimitNPROC=infinity | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl daemon-reload | ||
+ | systemctl restart caddy | ||
+ | </ | ||
+ | Overwrite php-fpm.service configuration, | ||
+ | <file - php-fpm.service.d/ | ||
+ | [Service] | ||
+ | ProtectHome=false | ||
+ | </ | ||
+ | |||
+ | ===== wordpress ===== | ||
+ | <file - / | ||
+ | extension=mysqli | ||
+ | |||
+ | upload_max_filesize = 64M | ||
+ | post_max_size = 64M | ||
+ | </ | ||
+ | |||
+ | ===== uwsgi ===== | ||
+ | <code bash> | ||
+ | pacman -S uwsgi-plugin-python python-bottle | ||
+ | mkdir / | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=uWSGI service unit | ||
+ | After=syslog.target | ||
+ | |||
+ | [Service] | ||
+ | ExecStart=/ | ||
+ | Type=notify | ||
+ | SuccessExitStatus=15 17 29 30 | ||
+ | NotifyAccess=all | ||
+ | KillSignal=SIGQUIT | ||
+ | PrivateDevices=yes | ||
+ | PrivateTmp=yes | ||
+ | ProtectSystem=full | ||
+ | CapabilityBoundingSet=CAP_SETGID CAP_SETUID | ||
+ | ReadWriteDirectories=${rw_directory} | ||
+ | ProtectHome=yes | ||
+ | NoNewPrivileges=yes | ||
+ | EnvironmentFile=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Socket for uWSGI %I | ||
+ | |||
+ | [Socket] | ||
+ | # Change this to your uwsgi application port or unix socket location | ||
+ | ListenStream=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=sockets.target | ||
+ | </ | ||
+ | ==== getmetadata ==== | ||
+ | <code bash> | ||
+ | pacman -S python-requests | ||
+ | </ | ||
+ | <file - / | ||
+ | [uwsgi] | ||
+ | http-socket = / | ||
+ | uid = http | ||
+ | gid = http | ||
+ | chdir = / | ||
+ | master = true | ||
+ | plugins = python | ||
+ | file = streammetadata-api.py | ||
+ | </ | ||
+ | <file - / | ||
+ | rw_directory="/ | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable uwsgi-private@getmetadata | ||
+ | systemctl start uwsgi-private@getmetadata | ||
+ | </ | ||
+ | ==== biolaedle-etiketten-generator ==== | ||
+ | <code bash> | ||
+ | pacman -S python-pandas python-reportlab python-xlrd python-bottle | ||
+ | </ | ||
+ | <file - / | ||
+ | [uwsgi] | ||
+ | http-socket = / | ||
+ | uid = http | ||
+ | gid = http | ||
+ | chdir = / | ||
+ | master = true | ||
+ | plugins = python | ||
+ | file = label.py | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable --now uwsgi@biolaedle\\x2detiketten\\x2dgenerator | ||
+ | </ | ||
+ | |||
+ | ==== feeds ==== | ||
+ | <code bash> | ||
+ | pacman -S python-feedparser python-beautifulsoup4 python-pyrss2gen python-dateutil python-lxml | ||
+ | </ | ||
+ | <file - / | ||
+ | [uwsgi] | ||
+ | http-socket = / | ||
+ | uid = http | ||
+ | gid = http | ||
+ | chdir = / | ||
+ | master = true | ||
+ | plugins = python | ||
+ | file = app.py | ||
+ | </ | ||
+ | <file - / | ||
+ | rw_directory="/ | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable uwsgi-private@feeds | ||
+ | systemctl start uwsgi-private@feeds | ||
+ | </ | ||
+ | ==== pishare ==== | ||
+ | <code bash> | ||
+ | pacman -S nodejs | ||
+ | </ | ||
+ | <file - / | ||
+ | [uwsgi] | ||
+ | httpsocket = / | ||
+ | uid = http | ||
+ | gid = http | ||
+ | chdir = / | ||
+ | master = true | ||
+ | threads = true | ||
+ | plugins = python | ||
+ | file = pishare.py | ||
+ | lazy-apps = true | ||
+ | </ | ||
+ | <code bash> | ||
+ | systenmctl enable --now uwsgi@pishare | ||
+ | </ | ||
+ | |||
+ | ===== arch-upstream ===== | ||
+ | <code bash> | ||
+ | pacman -S python-progressbar python-jinja | ||
+ | ln -s / | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Arch-Upstream | ||
+ | |||
+ | [Service] | ||
+ | Type=simp | ||
+ | User=http | ||
+ | Group=http | ||
+ | PrivateDevices=yes | ||
+ | PrivateTmp=yes | ||
+ | ProtectSystem=full | ||
+ | CapabilityBoundingSet= | ||
+ | ReadWriteDirectories=/ | ||
+ | ProtectHome=yes | ||
+ | NoNewPrivileges=yes | ||
+ | WorkingDirectory=/ | ||
+ | ExecStart=/ | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Run arch-upstream every 12 hours | ||
+ | |||
+ | [Timer] | ||
+ | # Time to wait after booting before we run first time | ||
+ | OnBootSec=10min | ||
+ | # Time between running each consecutive time | ||
+ | OnUnitActiveSec=12h | ||
+ | Unit=arch-upstream.service | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl enable arch-upstream.timer | ||
+ | systemctl start arch-upstream.timer | ||
+ | </ | ||
+ | ===== fdroid repo gplay mirror ===== | ||
+ | http-pub.pi | ||
+ | |||
+ | enable multilib | ||
+ | <file - / | ||
+ | [...] | ||
+ | # | ||
+ | #Include = / | ||
+ | |||
+ | [multilib] | ||
+ | Include = / | ||
+ | |||
+ | # An example of a custom package repository. | ||
+ | # tips on creating your own repositories. | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | pacman -S fdroidserver android-sdk android-sdk-build-tools gplaycli | ||
+ | cd www | ||
+ | mkdir fdroid | ||
+ | cd fdroid | ||
+ | env ANDROID_HOME=/ | ||
+ | </ | ||
+ | <file - www/ | ||
+ | [...] | ||
+ | repo_url = " | ||
+ | repo_name = " | ||
+ | repo_icon = " | ||
+ | repo_description = "This is a private F-Droid repository for the PI-crew :)" | ||
+ | [...] | ||
+ | </ | ||
+ | <code bash> | ||
+ | env ANDROID_HOME=/ | ||
+ | </ | ||
+ | <code bash> | ||
+ | mkdir ~/ | ||
+ | </ | ||
+ | <file - ~/ | ||
+ | [Credentials] | ||
+ | gmail_address=****@gmail.com | ||
+ | gmail_password=**** | ||
+ | token=False | ||
+ | </ | ||
+ | <file - ~/ | ||
+ | org.thoughtcrime.securesms | ||
+ | de.nextbike | ||
+ | com.spotify.music | ||
+ | com.mobiledirection.GPSRepairFix | ||
+ | com.melodis.midomiMusicIdentifier.freemium | ||
+ | com.whatsapp | ||
+ | de.hafas.android.db | ||
+ | de.regiorad.stuttgart | ||
+ | com.ebay.mobile | ||
+ | com.ebay.kleinanzeigen | ||
+ | com.comuto | ||
+ | org.jellyfin.mobile | ||
+ | com.bandcamp.android | ||
+ | com.cubic.cumo.android.kvv | ||
+ | com.moovel.kvv | ||
+ | com.supercell.boombeach | ||
+ | com.wahoofitness.boltcompanion | ||
+ | io.voiapp.voi | ||
+ | de.sdvrz.ihb.mobile.secureapp.sparda.produktion | ||
+ | com.valvesoftware.android.steam.community | ||
+ | com.aspiro.tidal | ||
+ | com.google.android.inputmethod.latin | ||
+ | deezer.android.app | ||
+ | org.mozilla.firefox | ||
+ | com.myunibo | ||
+ | de.thomastreyer.beonbike | ||
+ | de.gls.pure | ||
+ | de.gls.pure | ||
+ | org.lichess.mobileapp | ||
+ | com.zhiliaoapp.musically | ||
+ | com.lynxspa.prontotreno | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Gplaycli automatic APK mirror | ||
+ | After=network-online.target | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | User=onny | ||
+ | ExecStart=/ | ||
+ | TimeoutStopSec=180 | ||
+ | KillMode=process | ||
+ | KillSignal=SIGINT | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <file - / | ||
+ | [Unit] | ||
+ | Description=Gplaycli automatic APK mirror | ||
+ | |||
+ | [Timer] | ||
+ | OnBootSec=5min | ||
+ | OnUnitActiveSec=12h | ||
+ | Unit=gplaycli.service | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | <code bash> | ||
+ | systemctl daemon-reload | ||
+ | systemctl --now enable gplaycli.timer | ||
+ | </ | ||
+ | Notes: | ||
+ | * Manually put Threema apk into repo folder | ||
+ | ===== public hosting ===== | ||
+ | Create user for hosting site | ||
+ | <code bash> | ||
+ | useradd -m example | ||
+ | mkdir / | ||
+ | ln -s / | ||
+ | chmod +x / | ||
+ | </ | ||
+ | Copy php-fpm profile | ||
+ | <code bash> | ||
+ | cp / | ||
+ | </ | ||
+ | Replace all occurences from the domain ('' | ||
+ | <code bash> | ||
+ | systemctl restart php-fpm | ||
+ | </ | ||
+ | Create nginx webserver configuration: | ||
+ | <file - / | ||
+ | server { | ||
+ | server_name example.de www.example.de; | ||
+ | access_log / | ||
+ | error_log / | ||
+ | root / | ||
+ | |||
+ | location / { | ||
+ | index index.php index.htm index.html; | ||
+ | } | ||
+ | |||
+ | location ~ \.php$ { | ||
+ | include fastcgi_params; | ||
+ | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | ||
+ | fastcgi_pass unix:/ | ||
+ | fastcgi_index index.php; | ||
+ | # | ||
+ | fastcgi_intercept_errors on; | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | Enable webserver configuration: | ||
+ | <code bash> | ||
+ | ln -s / | ||
+ | systemctl restart nginx | ||
+ | </ | ||
+ | Enable SSL caddy proxy on '' | ||
+ | <file - / | ||
+ | www.example.de example.de { | ||
+ | log / | ||
+ | gzip | ||
+ | tls crux@project-insanity.org | ||
+ | proxy / http:// | ||
+ | header_upstream Host {host} | ||
+ | header_upstream X-Real-IP {remote} | ||
+ | header_upstream X-Forwarded-Proto {scheme} | ||
+ | header_downstream -Server "" | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | Restart caddy process after that. Depending on the permissions of your webroot, you can run: | ||
+ | <code bash> | ||
+ | sudo gpasswd -a example http | ||
+ | </ | ||
+ | Mysql database creation on '' | ||
+ | <code sql> | ||
+ | CREATE DATABASE IF NOT EXISTS sexypump; | ||
+ | GRANT ALL PRIVILEGES ON sexypump.* TO ' | ||
+ | FLUSH PRIVILEGES; | ||
+ | </ | ||
+ | <file - / | ||
+ | upload_max_filesize = 1000M | ||
+ | post_max_size = 1000M | ||
+ | </ | ||
+ | ===== podcast feeds ===== | ||
+ | <code bash> | ||
+ | sudo cp / | ||
+ | sudo cp / | ||
+ | systemctl enable --now bounce_feed.timer laboumdeluxe_feed.timer kampus_hakatze_feed.timer | ||
+ | |||
+ | </ | ||