projectinsanity:server_setup [2022/03/05 18:22] – old revision restored (2022/02/05 10:35) 2a01:4f8:190:826b::2 | projectinsanity:server_setup [2022/06/02 00:48] – [host.pi] 10.25.0.100
* IPv6: 2a01:4f8:191:327::2
In the rescue system:
<code bash>
installimage -a -n project-insanity -b grub -r yes -l 0 -i root/.oldroot/nfs/images/archlinux-latest-64-minimal.tar.gz -p /boot:ext4:2G,lvm:vg0:all -v vg0:swap:swap:swap:3G,vg0:root:/:btrfs:40G -f yes -s en
</code>
==== systemd-networkd ====
On the installed host machine the generated config had to be changed from ''2a01:4f8:191:327::2/64'' to ''2a01:4f8:191:327::2/128'', and ''Address=144.76.16.40'' to ''Address=144.76.16.40/32'':
<file - /etc/systemd/network/10-enp3s0.network>
### Hetzner Online GmbH installimage
[Match]
Peer=144.76.16.33/32
IPForward=ipv4
</file>
<file - /etc/systemd/network/25-bridge.netdev>
[NetDev]
Name=br-internal
Kind=bridge
</file>
<file - /etc/systemd/network/25-bridge.network>
[Match]
Name=br-internal
Address=10.25.0.1/24
ConfigureWithoutCarrier=true
</file>
==== core system ====
<code bash>
pacman -S mosh tmux htop dmidecode fail2ban openvpn qemu openbsd-netcat openssh easy-rsa fish pacman-contrib
chsh -s $(which fish)
# key-only SSH: turn the commented default into an explicit "no"
sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
systemctl enable --now sshd fail2ban systemd-networkd systemd-resolved
</code>
dnsmasq settings, listening on the internal bridge and the WireGuard subnet
<file - /etc/dnsmasq.conf>
[...]
listen-address=127.0.0.1,10.25.0.1,10.25.40.1
server=8.8.8.8
server=8.8.4.4
</file>
systemd-resolved settings
<file - /etc/systemd/resolved.conf>
[...]
[resolve]
DNSStubListener=no
</file>
<file - /etc/systemd/resolved.conf.d/dns_over_tls.conf>
[Resolve]
# opportunistic: TLS is used when the server offers it, otherwise resolved falls back to plaintext DNS
DNSOverTLS=opportunistic
</file>
<file - /etc/systemd/resolved.conf.d/dnssec.conf>
[Resolve]
DNSSEC=true
</file>
<file - /etc/systemd/resolved.conf.d/dns_servers.conf>
[Resolve]
DNS=2620:fe::fe 9.9.9.9
</file>
<file - /etc/hosts>
[...]
10.25.0.1 host.pi
2a01:4f8:191:327::102 neutrino neutrino.pi
2a01:4f8:191:327::103 arne arne.pi
</file>
custom pi archlinux repo
<file - /etc/pacman.conf>
...
[projectinsanity]
# PackageOptional: packages from this repo are installed even when they carry no signature
SigLevel = PackageOptional
Server = https://onny.project-insanity.org/archlinux
</file>
archlinux auto update
<file - /etc/systemd/system/autoupdate.service>
[Unit]
Description=Automatic Update
After=network-online.target
[Service]
Type=simple
ExecStart=/usr/bin/sh -c "/usr/bin/pacman -Syuq --noconfirm --needed --noprogressbar && rm /var/cache/pacman/pkg/*.zst"
TimeoutStopSec=180
KillMode=process
[Install]
WantedBy=multi-user.target
</file>
<file - /etc/systemd/system/autoupdate.timer>
[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes
[Install]
WantedBy=multi-user.target
</file>
<code bash>
systemctl enable --now autoupdate.timer
</code>
automatic timed reboot after kernel upgrade
<file - /etc/pacman.d/hooks/linux.hook>
[Trigger]
Operation = Install
When = PostTransaction
Exec = /usr/bin/systemctl start kernel-upgrade.timer
</file>
<file - /etc/systemd/system/kernel-upgrade.timer>
[Unit]
Description=Reboot in the morning after kernel upgrade
[Install]
WantedBy=multi-user.target
</file>
<file - /etc/systemd/system/kernel-upgrade.service>
[Unit]
Description=Reboot after kernel upgrade
[Install]
WantedBy=multi-user.target
</file>
==== nftables ====
nftables firewall & routing
<file - /etc/nftables.conf>
define TCP_PORT_QUAKEJS_DS = 27960
define TCP_PORT_IMAPS = 993
type filter hook input priority filter; policy drop;
jump base_checks
iifname "lo" accept
ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
type nat hook prerouting priority filter; policy accept;

# Forward web traffic to http.pi
iif "enp3s0" tcp dport { $TCP_PORT_HTTP, $TCP_PORT_HTTPS } dnat to $HOST_HTTP_PI

# Forward mail traffic to mail.pi
iif "enp3s0" tcp dport { $TCP_PORT_SMTP, $TCP_PORT_SMTPS, $TCP_PORT_IMAPS } dnat to $HOST_MAIL_PI

iif "enp3s0" tcp dport { $TCP_PORT_QUAKEJS_DS } dnat to $HOST_PLAYGROUND_PI
}

chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.25.0.0/24 oif {"enp3s0", "br-internal"} snat to 144.76.16.40
}
}
</file>
<file - nftables.service.d/overwrite.conf>
[Unit]
Wants=
[Service]
Restart=always
RestartSec=5
</file>
<code bash>
pacman -S nftables
systemctl enable --now nftables
</code>
==== libvirtd ====
libvirt network configuration file
<file - /tmp/net-internal.xml>
<network connections='6'>
<name>internal</name>
<uuid>0a2dff47-afc7-4d27-91b0-5f61a1f5cbaa</uuid>
<forward mode='bridge'/>
<bridge name='br-internal'/>
</network>
</file>
libvirt qemu hook
<code bash>
pacman -S libvirt virt-install dnsmasq glusterfs
virsh pool-define-as --name 'vg0' --type 'logical' --source-format 'lvm2' --target '/dev/vg0'
# the network must be defined from the XML above before it can be set to autostart
virsh net-define /tmp/net-internal.xml
virsh net-autostart internal
systemctl enable --now libvirtd
</code>

==== wireguard ====
<code bash>
pacman -S wireguard-tools
cd /etc/wireguard
umask 077   # privatekey is then never created world-readable, not even before the chmod below
wg genkey | tee privatekey | wg pubkey > publickey
chmod 600 privatekey
chown root:root privatekey
</code>
<file - /etc/systemd/network/99-server.netdev>
[NetDev]
Name = wg0
PublicKey = [PICLOUD_PUBKEY]
AllowedIPs = 10.25.40.6/32
</file>
<file - /etc/systemd/network/99-server.network>
[Match]
Name = wg0
DNSSEC=false
IPForward=ipv4
</file>
=== client ===
<code bash>
pacman -S wireguard-tools
cd /etc/wireguard
umask 077   # same as on the server: keep the private key file private from the start
wg genkey | tee privatekey | wg pubkey > publickey
chmod 600 privatekey
chown root:root privatekey
</code>
<file - /etc/systemd/network/99-client.netdev>
[NetDev]
Name = wg0
Endpoint = 144.76.16.40:51820
PersistentKeepalive = 25
</file>
<file - /etc/systemd/network/99-client.network>
[Match]
Name = wg0
[Network]
Address = 10.25.40.2/16
</file>
<code bash>
systemctl restart systemd-networkd
</code>
==== systemd-journal logging server ====
<file - /etc/systemd/journal-remote.conf>
[Remote]
SplitMode=host
</file>
<file - /etc/systemd/system/systemd-journal-remote.service>
[Unit]
Description=Journal Remote Sink Service
[Install]
Also=systemd-journal-remote.socket
</file>
<code bash>
mkdir -p /var/log/journal/remote
chown -R systemd-journal-remote:systemd-journal-remote /var/log/journal/remote
# host.pi runs nftables (see above); without ufw, add the equivalent input rule for tcp/19532 from 10.25.0.0/24 there
ufw allow from 10.25.0.0/24 to any proto tcp port 19532
systemctl enable --now systemd-journal-remote
</code>
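Added check, not part of the original page: a script that flags guests whose log shipping has stopped, so that a guest going silent (upload service down, firewall rule lost, guest offline or tampered with) is noticed. It assumes the file naming that ''SplitMode=host'' produces, one ''remote-<hostname>.journal'' per sender under ''/var/log/journal/remote'', and uses a constructed sample directory with the guest names from ''/etc/hosts'' above.

```bash
#!/bin/bash
# Added example (not from the wiki page): detect guests whose logs no longer arrive at
# the journal sink. With SplitMode=host, systemd-journal-remote keeps one file per
# sender, /var/log/journal/remote/remote-<hostname>.journal; a file that is missing or
# has not been written to for a while means that guest is not shipping logs any more.

# stale_remote_journals DIR MAX_AGE_MINUTES HOST...
# Prints "missing <host>" or "stale <host> <age in minutes>" per problem and returns 1
# if anything was reported, 0 if every listed host has a fresh journal file.
stale_remote_journals() {
    local dir="$1" max_age="$2" host file age_min now mtime rc=0
    shift 2
    now=$(date +%s)
    for host in "$@"; do
        file="$dir/remote-$host.journal"
        if [ ! -f "$file" ]; then
            echo "missing $host"
            rc=1
            continue
        fi
        mtime=$(stat -c %Y "$file")
        age_min=$(( (now - mtime) / 60 ))
        if [ "$age_min" -gt "$max_age" ]; then
            echo "stale $host $age_min"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: neutrino shipped logs two minutes ago, arne three hours ago,
# and mail never registered with the sink at all.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    touch -d '2 minutes ago' "$d/remote-neutrino.journal"
    touch -d '3 hours ago' "$d/remote-arne.journal"
    echo "$d"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # On the real host: stale_remote_journals /var/log/journal/remote 30 neutrino arne mail
    sample=$(make_sample_dir)
    stale_remote_journals "$sample" 30 neutrino arne mail
    rm -rf "$sample"
fi
```

Run it from a timer and alert on a non-zero exit; the threshold should be comfortably above the journal-upload flush interval of the guests.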
===== ArchLinux guest system =====
==== Create ====
<code bash>
virt-install --video qxl --channel spicevmc --graphics spice,listen=127.0.0.1 --name=http --vcpus 4 --memory 8048 --disk pool=vg0,size=1000,bus=virtio --cdrom /var/lib/libvirt/images/archlinux-2018.06.01-x86_64.iso --network network:internal,model=virtio --virt-type kvm --autostart --noautoconsole
</code>
==== Delete ====
<code bash>
virsh destroy http
virsh undefine http
lvremove /dev/vg0/http
</code>
==== Grow storage ====
<code bash>
virsh shutdown http
lvresize -L +20G vg0/http
virsh start http
</code>
Run on the guest system:
<code bash>
# -o wipes the GPT; the recreated partition 2 only matches the old root partition if it starts at sector 2048 as before
sgdisk -og -a 1024 -n 1:1024:2047 -c 1:"BIOS Boot Partition" -t 1:ef02 /dev/vda
sgdisk -n2:2048:0 -c2:"ArchRoot" -p /dev/vda
shutdown -h now # then start again after that
btrfs filesystem resize max /
</code>
With newer versions of libguestfs-tools (>1.16.34) the partition table and file system could also be [[http://blog.oneiroi.co.uk/linux/kvm/virt-resize/RHEL/LVM/kvm-linux-expanding-a-lvm-guest-file-system-using-virt-resize/|resized from the host]], without having to restart the guest for that.
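Added guard for the in-guest partition step above, not part of the original page: the two ''sgdisk'' commands rewrite the table from scratch, so they only reproduce the existing root partition if partition 1 already sits at sectors 1024..2047 and partition 2 starts at 2048. The script below parses ''sgdisk -p'' output and refuses to touch the table otherwise; the sample table is constructed, and ''grow_root'' is assumed to run as root inside the guest.

```bash
#!/bin/bash
# Added example (not from the wiki page): check the current GPT layout before the
# destructive `sgdisk -o` step of the resize procedure. Recreating partition 2 at
# sector 2048 is only safe when that is where the root partition already starts.

# partition_start "<sgdisk -p output>" NUMBER: prints the start sector of partition NUMBER
# (empty output if the partition does not exist). Table rows are the lines whose first
# field is the partition number and whose second field is numeric.
partition_start() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 ~ /^[0-9]+$/ { print $2; exit }'
}

# layout_matches "<sgdisk -p output>": 0 if the layout is the one the recreate commands
# assume (partition 1 at 1024, partition 2 at 2048), 1 otherwise
layout_matches() {
    [ "$(partition_start "$1" 1)" = "1024" ] && [ "$(partition_start "$1" 2)" = "2048" ]
}

# grow_root DEVICE: the page's procedure, run only after the layout check passed.
grow_root() {
    local dev="$1" table
    table=$(sgdisk -p "$dev")
    if ! layout_matches "$table"; then
        echo "unexpected partition layout on $dev, leaving the table untouched:" >&2
        printf '%s\n' "$table" >&2
        return 1
    fi
    sgdisk -og -a 1024 -n 1:1024:2047 -c 1:"BIOS Boot Partition" -t 1:ef02 "$dev"
    sgdisk -n2:2048:0 -c2:"ArchRoot" -p "$dev"
    echo "partition table rewritten; reboot, then run: btrfs filesystem resize max /"
}

# Constructed sample of `sgdisk -p /dev/vda` for a guest whose LV was just grown on the
# host: the disk has 20 GiB of free space after partition 2, which still has its old end.
SAMPLE_TABLE='Disk /dev/vda: 2139095040 sectors, 1020.0 GiB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 0B8A7C1E-0000-0000-0000-000000000000
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 2139095006
Partitions will be aligned on 1024-sector boundaries
Total free space is 41943040 sectors (20.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            1024            2047   512.0 KiB   EF02  BIOS Boot Partition
   2            2048      2097151966   1000.0 GiB  8300  ArchRoot'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # Dry check against the sample; on a real guest: grow_root /dev/vda
    if layout_matches "$SAMPLE_TABLE"; then
        echo "sample layout matches, partition 2 starts at $(partition_start "$SAMPLE_TABLE" 2)"
    fi
fi
```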

==== Backup ====
Raw backup of a logical volume to picloud (home server onnuex)
<code bash>
lvcreate -s -n playground_snap -L 20G /dev/vg0/playground
# read from the snapshot, not the live volume; a passphrase given on the command line shows up in `ps` and the shell history, --passphrase-file keeps it out of both
dd if=/dev/vg0/playground_snap bs=4096 | pv | gpg --batch --passphrase "my_secret_password" --symmetric --compress-algo zlib | ssh picloud@picloud.sexypump.de 'dd of=/mnt/backups/project-insanity/playground_$(date +"%Y-%m-%d").img.gpg bs=4096'
lvremove /dev/vg0/playground_snap
</code>
Recover backup
<code bash>
gpg -o /mnt/playground.img -d /mnt/playground.img.gpg
</code>
Unfinished backup script:
<code bash>
# usage: backup.sh <azure SAS token> <gpg passphrase>
sas="$1"
password="$2"

# --noheadings -o lv_name prints just the LV names of vg0, no header row or column guessing
for vol in $(lvs --noheadings -o lv_name vg0)
do
  echo "Backing up $vol"
  lvcreate -s -n "${vol}_snap" -L 20G "/dev/vg0/${vol}"
  # --from-to PipeBlob makes azcopy read the upload from stdin
  pv -cN source "/dev/vg0/${vol}_snap" | gpg --batch --passphrase "${password}" --symmetric --compress-algo zlib | azcopy cp "https://myaccount.blob.core.windows.net/mycontainer/${vol}_$(date +"%Y-%m-%d").img.gpg?${sas}" --from-to PipeBlob
  lvremove -y "/dev/vg0/${vol}_snap"
done
</code>
==== Set up ====
<code bash>
mkfs.btrfs /dev/sda
ifconfig eth0 10.25.0.120 up
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
pacstrap /mnt base base-devel tmux mosh yajl wipe rsync procps neovim lsof strace htop net-tools pkgfile dnsutils iotop aria2 tcpdump nload grub btrfs-progs gptfdisk ntp wget rxvt-unicode-terminfo pwgen mlocate fail2ban pv expac openssh git devtools fish nftables ripgrep bat fd pacman-contrib
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt
chsh -s $(which fish)
mkdir /etc/pacman.d/hooks
ln -s /usr/share/libalpm/hooks/30-systemd-daemon-reload.hook /etc/pacman.d/hooks/
echo "http-pub2" >> /etc/hostname
ln -sf /usr/share/zoneinfo/UTC /etc/localtime
sed -i 's/#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
locale-gen
echo 'LANG="en_US.UTF-8"' > /etc/locale.conf
echo "KEYMAP=de" > /etc/vconsole.conf
mkinitcpio -p linux
sed -i '/GRUB_TIMEOUT/s/5/0/' /etc/default/grub
updatedb
pkgfile --update
# zabbix item counting pending updates against a private copy of the sync db (what checkupdates from pacman-contrib does);
# single quotes keep the inner double quotes intact, and "pkg.tar" matches both the old .xz and the current .zst package names
echo 'UserParameter=archlinuxupdates,if [ -d /tmp/pacmandb ]; then fakeroot pacman -Syup --dbpath /tmp/pacmandb | grep -c "pkg.tar"; else mkdir /tmp/pacmandb && ln -s /var/lib/pacman/local /tmp/pacmandb && fakeroot pacman -Syup --dbpath /tmp/pacmandb | grep -c "pkg.tar"; fi' >> /etc/zabbix/zabbix_agentd.conf
sed -i 's/^Server=.*$/Server=http-new.pi/g' /etc/zabbix/zabbix_agentd.conf
systemctl enable --now sshd systemd-networkd nftables fail2ban systemd-resolved
exit
reboot
</code>
=== nftables ===
<file - /etc/nftables.conf>
table inet filter {
set tcp_accepted {
type filter hook input priority filter; policy drop;
jump base_checks
iifname "lo" accept
ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
}
}
</file>
=== systemd-networkd ===
<file - /etc/systemd/network/ens3.network>
[Match]
Name=ens3
LinkLocalAddressing = no
IPv6AcceptRA = no
</file>
=== pacman ===
project-insanity build server repo
<file - /etc/pacman.conf>
[...]

SigLevel = PackageOptional
Server = https://onny.project-insanity.org/archlinux
</file>
archlinux auto update
<file - /etc/systemd/system/autoupdate.service>
[Unit]
Description=Automatic Update
[Install]
WantedBy=multi-user.target
</file>
<file - /etc/systemd/system/autoupdate.timer>
[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes
[Install]
WantedBy=multi-user.target
</file>
<code bash>
systemctl enable --now autoupdate.timer
</code>
=== systemd-journald ===
systemd logging upload
<file - /etc/systemd/journal-upload.conf>
[Upload]
URL=http://10.25.0.1:19532
</file>
<file - /etc/systemd/system/systemd-journal-upload.service>
[Unit]
Description=Journal Remote Upload Service
[Install]
WantedBy=multi-user.target
</file>
<code bash>
useradd systemd-journal-upload
mkdir /var/lib/systemd/journal-upload
chown -R systemd-journal-upload:systemd-journal-upload /var/lib/systemd/journal-upload
systemctl enable --now systemd-journal-upload
</code>

==== Maintenance ====
Update configs
<code bash>
sudo pacdiff
</code>
====== mail.pi ======
on mail.pi
<code bash>
pacman -S maddy
systemctl enable --now maddy
nft add rule inet filter input position 17 tcp dport smtp accept
nft add rule inet filter input position 17 tcp dport imaps accept
nft list ruleset > /etc/nftables.conf
</code>
on mail.pi
<file - /etc/maddy/maddy.conf>
...
$(hostname) = turbotux.de
tls /etc/maddy/certs/$(hostname)/fullchain.pem /etc/maddy/certs/$(hostname)/privkey.pem
...
</file>
<code bash>
maddyctl users create postmaster
maddyctl users create onny@turbotux.de
</code>
turbotux.de DNS records. The DKIM public key is in ''/var/lib/maddy/dkim-keys/turbotux.de-default.dns''
<code>
turbotux.de. A 144.76.16.40
turbotux.de. AAAA 2a01:4f8:191:327::10
turbotux.de. MX 10 turbotux.de
turbotux.de. TXT "v=spf1 mx -all"
_dmarc.turbotux.de. TXT "v=DMARC1; p=none; ruf=postmaster@turbotux.de"
default._domainkey.turbotux.de TXT "v=DKIM1; k=ed25519; p=nAcUUozPlhc4VPhp7hZl+owES7j7OlEv0laaDEDBAqg="
</code>
forwarding/nat on host.pi
<code bash>
nft add rule inet filter input position 19 tcp dport smtps accept
nft add rule inet filter input position 19 tcp dport smtp accept
nft add rule inet filter input position 19 tcp dport imaps accept
nft add rule ip nat prerouting position 4 iifname "enp3s0" tcp dport imaps dnat to 10.25.0.102
nft add rule ip nat prerouting position 4 iifname "enp3s0" tcp dport smtp dnat to 10.25.0.102
nft add rule ip nat prerouting position 4 iifname "enp3s0" tcp dport smtps dnat to 10.25.0.102
nft list ruleset > /etc/nftables.conf
</code>
TLS certificates. On mail.pi:
<code bash>
chmod +x /var/lib/private
sudo -u maddy ssh-keygen # all default values
cat /var/lib/maddy/.ssh/id_rsa.pub
</code>
on http.pi
<code bash>
useradd -m maddy
mkdir /home/maddy/.ssh
urbotux.de/turbotux.de.crt /var/lib/caddy/acme/acme-v02.api.letsencrypt.org/sites/turbotux.de/turbotux.de.key # this does not work so well yet :(
</code>
====== mysql.pi ====== | ====== mysql.pi ====== |
===== mariadb ===== | ===== mariadb ===== |
<code bash> | <code bash> |
pacman -S mariadb | pacman -S mariadb |
mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql | mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql |
nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport mysql accept | nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport mysql accept |
nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport mysql accept
nft list ruleset > /etc/nftables.conf
</code>
<file - /etc/pacman.d/hooks/40-mariadb.hook>
# Restart mariadb service

Description = Restarting mariadb service
When = PostTransaction
Exec = /usr/bin/sh -c "/usr/bin/mysql_upgrade -u root -p'****' && /usr/bin/systemctl restart mariadb"
</file>
<code bash>
chmod 600 /etc/pacman.d/hooks/40-mariadb.hook
</code>
temporary workaround to get nextcloud to work, see: https://github.com/nextcloud/server/issues/27085
<file - /etc/my.cnf.d/server.cnf>
[...]
[server]
innodb_read_only_compressed=0
[...]
</file>
===== postgresql =====
<code bash>
pacman -S postgresql postgresql-old-upgrade
sudo su - postgres -c "initdb -D /var/lib/postgres/data"
systemctl enable --now postgresql
nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport postgresql accept
nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport postgresql accept
nft list ruleset > /etc/nftables.conf
</code>
<file - /var/lib/postgres/data/postgresql.conf>
[...]
listen_addresses = '*'
[...]
</file>
<file - /var/lib/postgres/data/pg_hba.conf>
[...]
host all all 10.25.0.0/24 md5
host all all 2a01:4f8:191:327::/64 md5
</file>
<file - /etc/pacman.d/hooks/postgresql.hook>
# Restart postgresql service

When = PostTransaction
Exec = /usr/bin/systemctl restart postgresql
</file>
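The ''pg_hba.conf'' lines above admit the two internal networks with ''md5'' password authentication while ''listen_addresses'' is opened to every interface, so the host-based rules are the only thing between the network and the database. As an added check (example code written for this page, not part of the wiki or of PostgreSQL), the following Python parses a ''pg_hba.conf'' fragment, flags entries that use weak methods or match every client, and resolves which line a given client address would hit, which is how PostgreSQL itself evaluates the file (first match wins). The sample text embeds the page's two entries plus a constructed ''trust'' line so the audit has something to find. It assumes CIDR-form addresses only (no hostnames, ''samenet'', or a separate netmask column).

```python
"""Audit a pg_hba.conf fragment and resolve which rule a client would hit.

Added example: the sample mirrors the page's two pg_hba.conf entries plus a
deliberately weak third line; the catch-all 0.0.0.0/0 with 'trust' is constructed.
"""
import ipaddress

# Methods that admit a client without a real credential check.
WEAK_METHODS = {"trust", "password"}
# md5 still works but scram-sha-256 is the stronger PostgreSQL password scheme.
LEGACY_METHODS = {"md5"}

# Constructed sample input (page entries + one weak line, with a header comment).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                 METHOD
host    all       all   10.25.0.0/24            md5
host    all       all   2a01:4f8:191:327::/64   md5
host    all       all   0.0.0.0/0               trust
"""


def parse_pg_hba(text):
    """Return the network entries of a pg_hba.conf as a list of dicts.

    'local' (Unix socket) lines have no ADDRESS column and are skipped.
    Only CIDR addresses are handled; anything else raises ValueError.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            continue
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: too few fields: {raw!r}")
        conn_type, database, user, address, method = fields[:5]
        rules.append({
            "line": lineno,
            "type": conn_type,
            "database": database,
            "user": user,
            "network": ipaddress.ip_network(address, strict=False),
            "method": method,
        })
    return rules


def audit(rules):
    """Return (line, reason) findings for weak methods and catch-all networks."""
    findings = []
    for r in rules:
        if r["method"] in WEAK_METHODS:
            findings.append((r["line"], f"method '{r['method']}' skips credential checks"))
        elif r["method"] in LEGACY_METHODS:
            findings.append((r["line"], "md5 is a legacy scheme; prefer scram-sha-256"))
        if r["network"].prefixlen == 0:
            findings.append((r["line"], f"network {r['network']} matches every client"))
    return findings


def match_client(rules, client_ip):
    """Return the first rule whose network contains client_ip, as PostgreSQL does."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip.version == r["network"].version and ip in r["network"]:
            return r
    return None


if __name__ == "__main__":
    parsed = parse_pg_hba(SAMPLE_PG_HBA)
    for line, reason in audit(parsed):
        print(f"line {line}: {reason}")
    for probe in ("10.25.0.100", "2a01:4f8:191:327::5", "203.0.113.9", "2001:db8::1"):
        hit = match_client(parsed, probe)
        print(probe, "->", f"line {hit['line']} ({hit['method']})" if hit else "no match")
```

Run against the sample, the audit reports the two ''md5'' lines as legacy and the constructed line twice (weak method and catch-all network); the probes show that an internal client lands on the ''md5'' rule while any stray IPv4 client would be admitted by the ''trust'' line, which is exactly the kind of entry a review of the real file should never find.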
====== http.pi ======
<code bash>
pacman -S caddy dokuwiki gitlab php-fpm php-apcu phpmyadmin wordpress nginx
systemctl enable --now caddy php-fpm
nft add rule inet filter input position 17 tcp dport "{http, https}" accept
nft list ruleset > /etc/nftables.conf
</code>
<file - /etc/pacman.d/hooks/php.hook>
# Restart php service

When = PostTransaction
Exec = /usr/bin/systemctl restart php-fpm
</file>
custom caddy installation
<code bash>
pacaur -d caddy
</code>
<file - ~/.cache/pacaur/caddy/PKGBUILD>
[...]
# 'http.hugo'
# 'http.jekyll'
[...]
</file>
<code bash>
cd ~/.cache/pacaur/caddy
makepkg -i --skipinteg
</code>
<file - /etc/systemd/system/caddy.service.d/override.conf>
[Service]
ProtectHome=false
</file>
===== caddy =====
<code bash>
pacman -S caddy
gpasswd -a caddy http
</code>
<file - /etc/caddy/Caddyfile>
import /etc/caddy/conf.d/*
</file>
<file - /etc/caddy/conf.d/ausstellung-virtuell.de.conf>
www.ausstellung-virtuell.de ausstellung-virtuell.de {


}
</file>
<file - /etc/caddy/conf.d/blog.project-insanity.org.conf>
blog.project-insanity.org {

}

</file>
<file - /etc/caddy/conf.d/git.project-insanity.org.conf>
git.project-insanity.org {


}
</file>
<file - /etc/caddy/conf.d/jhartung.sinewell.de.conf>
jhartung.sinewell.de {


}
</file>
<file - /etc/caddy/conf.d/nextcloud.project-insanity.org.conf>
nextcloud.project-insanity.org {


}
</file>
<file - /etc/caddy/conf.d/onny.project-insanity.org.conf>
onny.project-insanity.org {


}
</file>
<file - /etc/caddy/conf.d/wiki.project-insanity.org.conf>
wiki.project-insanity.org {

    path_regexp export /([^/]+)/(.*)
  }
  rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2}

  try_files {path} {path}/ /doku.php?id={path}&{query}
}
</file>
<file - /etc/caddy/conf.d/http.pi.conf>
http://http.pi {

  php_fastcgi unix//var/run/php-fpm/http.pi_php-fpm.sock
}
</file>
<file - /etc/caddy/conf.d/saai.digital>
beta.saai.digital {


}
</file>
<file - /etc/caddy/conf.d/office.project-insanity.org.conf>
office.project-insanity.org {


}
</file>
need to convert
<file - /etc/caddy/conf.d/turbotux.de.conf>
www.turbotux.de turbotux.de {
  log /var/log/caddy/turbotux.de_access.log
  }
}
</file>
===== php-fpm =====
<code bash>
cp /etc/php/php-fpm.d/www.conf /etc/php/php-fpm.d/http.pi.conf
</code>
<file - /etc/php/php-fpm.d/www.conf>
[...]
pm.max_children = 16
env[TEMP] = /tmp
[...]
</file>
<file - /etc/php/php-fpm.d/http.pi.conf>
[...]
[http.pi]
listen = /run/php-fpm/http.pi_php-fpm.sock
[...]
</file>
<file - /etc/systemd/system/php-fpm.service.d/overwrite-rw-path.conf>
[Service]
ReadWritePaths = /usr/share/webapps/nextcloud/data
ReadWritePaths = /usr/share/webapps/nextcloud/apps
ReadWritePaths = /usr/share/webapps/invoiceplane/uploads/archive
ReadWritePaths = /usr/share/webapps/invoiceplane/uploads/customer_files
</file>

===== wordpress =====
<code bash>
pacman -S wordpress wp-cli wordpress-plugin-antispam-bee wordpress-plugin-code-syntax-block wordpress-plugin-jetpack-lite wordpress-plugin-lightbox-photoswipe wordpress-plugin-wp-gdpr-compliance wordpress-plugin-wp-statistics wordpress-plugin-co-authors-plus wordpress-theme-geist wordpress-plugin-wp-user-avatar wordpress-plugin-opengraph wordpress-plugin-simple-login-captcha wordpress-plugin-disable-xml-rpc wordpress-plugin-async-javascript wordpress-plugin-breeze wordpress-plugin-webp-converter-for-media
chown -R http:http /usr/share/webapps/wordpress/wp-admin /usr/share/webapps/wordpress/wp-includes
</code>
<file - /etc/php/conf.d/wordpress.ini>
extension=mysqli
</file>
<file php /home/pi_wordpress/wordpress/wp-config.php>
define('DB_NAME', '****');
define('DB_USER', '****');
$_SERVER['HTTPS']='on';
define( 'WP_AUTO_UPDATE_CORE', true );
</file>
<file - /etc/pacman.d/hooks/wordpress.hook>
# Update Wordpress when core or plugins get updated

Description = Updating Wordpress installation
When = PostTransaction
Exec = /usr/bin/sh -c "/usr/bin/sudo -u http /usr/bin/bash -c 'wp core update-db --path=/usr/share/webapps/wordpress; wp plugin activate --path=/usr/share/webapps/wordpress antispam-bee code-syntax-block jetpack jetpack-lite lightbox-photoswipe wp-gdpr-compliance wp-statistics co-authors-plus wp-user-avatar opengraph simple-login-captcha disable-xml-rpc async-javascript breeze webp-converter-for-media'"
</file>
<code bash>
sudo -u http wp plugin activate --path=/usr/share/webapps/wordpress antispam-bee code-syntax-block jetpack jetpack-lite lightbox-photoswipe wp-gdpr-compliance wp-statistics co-authors-plus wp-user-avatar opengraph simple-login-captcha disable-xml-rpc async-javascript breeze webp-converter-for-media
sudo -u http wp theme activate --path=/usr/share/webapps/wordpress geist
</code>
Additional CSS for Geist theme
<code css>
@media (max-width: 1400px) {
  .single-post .post-content > p:first-child {
    font-size: 1em;
  }

  .single-post .post-content > p, ul {
    font-size: 0.8em;
  }

  .single-post .post-content > h3 {
    padding-bottom: 0.8em;
  }
}
</code>
Misc settings
  * WP Statistics
    * Settings -> privacy: "Hash IP Addresses" (GDPR)
  * Lightbox with PhotoSwipe
    * Enable "Show caption if available"
    * Enable "Get image captions from the database"
    * Spacing between pictures: 12%
  * Settings -> Permalinks -> Custom structure: ''/%year%/%monthnum%/%day%/%postname%/''
  * Settings -> General -> 8 posts per page
  * Settings -> Discussion -> Show avatar
    * Default Avatar -> Mystery Man
  * Users -> Your Profile -> Avatar: Choose picture
  * Dark mode is not enabled by default. To enable this feature go to Appearance > Customize > Dark Mode.
Additional CSS for Ghost theme:
<code css>
@media (max-width: 1400px) {
  .single-post .post-content > p:first-child {
    font-size: 1em;
  }

  .single-post .post-content > p, ul {
    font-size: 0.8em;
  }

  .single-post .post-content > h3 {
    padding-bottom: 0.8em;
  }
  margin-bottom: 0.8em;
}
</code>
==== co-authors-plus plugin ====
template adjustment \\
[[https://www.wpbeginner.com/plugins/allow-multiple-authors-to-be-associated-with-a-post-in-wordpress/|How to Add Multiple Authors (Co-Authors) for Posts in WordPress]]
<file php /home/pi_wordpress/wordpress/functions-content.php>
if ( function_exists( 'coauthors_posts_links' ) ) {
    coauthors_posts_links();
} else {
    the_author_posts_link();
}
</file>
===== invoiceninja =====
on mysql.pi
<code sql>
CREATE SCHEMA `ninja` DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'ninja'@'http.pi' IDENTIFIED BY '****';
GRANT ALL PRIVILEGES ON `ninja`.* TO 'ninja'@'http.pi';
FLUSH PRIVILEGES;
</code>
on http.pi
<code bash>
pacman -S invoiceninja
</code>
<file - /etc/php/conf.d/composer.ini>
extension=gmp
</file>
<code bash>
cd /usr/share/webapps/invoiceninja
sudo chown -R http:http storage public/logo bootstrap
sudo chown http:http .
sudo -u http composer install
</code>
<file - /etc/caddy/conf.d/http.pi.conf>
http://http.pi/invoiceninja {
  log /var/log/caddy/http.pi_access.log
}
[...]
</file>
Settings
  * Localization
    * First Month of the Year: January
===== invoiceplane =====
<code bash>
pacman -S invoiceplane composer grunt-cli
cd /usr/share/webapps/invoiceplane
sudo -u http grunt build
cp ipconfig.php.example ipconfig.php
wget "https://git.project-insanity.org/onny/invoiceplane-vtdirektmarketing/-/raw/master/vtdirektmarketing.php" -O /usr/share/webapps/invoiceplane/application/views/invoice_templates/pdf/vtdirektmarketing.php
</code>
Visit installation wizard at http://http.pi/invoiceplane/index.php/setup
<file - /usr/share/webapps/invoiceplane/ipconfig.php>
[...]
SETUP_COMPLETED=true
DB_DATABASE=invoiceplane
DISABLE_SETUP=true
</file>
<file - /etc/systemd/system/php-fpm.service.d/overwrite-rw-path.conf>
[Service]
[...]
ReadWritePaths = /usr/share/webapps/invoiceplane/uploads/archive
ReadWritePaths = /usr/share/webapps/invoiceplane/uploads/customer_files
</file>
Custom settings
  * Products -> Product units
    * Add: ''Stk.'', ''Std.''
  * System settings -> Invoices
    * Default PDF template: vtdirektmarketing
===== firefox account server =====
<code bash>
pacaur -S mozilla-firefox-account-server
</code>
===== podcasttune =====
not yet stable
===== dokuwiki =====
<code bash>
pacman -S dokuwiki dokuwiki-plugin-dw2pdf dokuwiki-template-argon
</code>
<file php /etc/webapps/dokuwiki/local.php>
<?php
$conf['title'] = 'Project-Insanity';
$conf['userewrite'] = 1;
$conf['template'] = 'argon';
</file>
<file - /usr/lib/dokuwiki/plugins/dw2pdf/conf/default.php>
[...]
$conf['doublesided'] = 0;
[...]
</file>
<file - /usr/lib/dokuwiki/plugins/dw2pdf/tpl/default/style.css>
@page {
  margin-left: 100px;

[...]
</file>
usage: ''https://wiki.project-insanity.org/onny?do=export_pdf''
  * Todo
    * GDPR (DSGVO) compliance
===== gitlab =====
<code bash>
pacman -S yarn sendmail gitlab
ln -s /usr/bin/vendor_perl/exiftool /usr/bin/exiftool # fix for https://gitlab.com/gitlab-org/gitlab-foss/-/issues/60853
</code>
disable backups
<file - /etc/webapps/gitlab/gitlab.yml>
[...]
gitlab:
[...]
  #backup:
  #  path: "/var/lib/gitlab/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
</file>
configure database connection
<file - /etc/webapps/gitlab/database.yml>
production:
  adapter: postgresql
  pool: 10
  username: gitlab
  password: "****"
  host: mysql.pi
</file>
on mysql.pi
<code bash>
sudo -u postgres psql -d template1 -c "CREATE USER gitlab CREATEDB;"
sudo -u postgres psql -d template1 -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
sudo -u postgres psql -d template1 -c "CREATE DATABASE gitlabhq_production OWNER gitlab;"
sudo -u postgres psql -d template1 -c "ALTER USER gitlab WITH SUPERUSER;"
</code>
on http.pi
<code bash>
cd /usr/share/webapps/gitlab
sudo -u gitlab -H bundle exec rake assets:precompile RAILS_ENV=production
sudo -u gitlab -H bundle exec rake gitlab:setup RAILS_ENV=production
systemctl enable --now gitlab-workhorse redis gitlab-puma gitlab-sidekiq gitlab-gitaly
</code>
Enable SMTP mail delivery
<file ruby /etc/webapps/gitlab/smtp_settings.rb>
# To enable smtp email delivery for your GitLab instance do the following:
# 1. Rename this file to smtp_settings.rb
if Rails.env.production?
  ActionMailer::Base.delivery_method = :smtp
  ActionMailer::Base.smtp_settings = {
    address: "mail.pi",
    port: 25,
    user_name: "git@project-insanity.org",
    password: "****",
    domain: "project-insanity.org",
    authentication: :login,
    enable_starttls_auto: false,
  }
end
</file>
further general mail settings
<file - /etc/webapps/gitlab/gitlab.yml>
  ## Email settings
  # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
  email_enabled: true
  # Email address used in the "From" field in mails sent by GitLab
  email_from: noreply@project-insanity.org
  email_display_name: GitLab
  email_reply_to: noreply@project-insanity.org
  email_subject_suffix: ''
</file>
Auto migrate on pacman update
<file - /etc/pacman.d/hooks/gitlab.hook>
# Update Gitlab when core or other Gitlab daemons are touched

Description = Updating Gitlab installation
When = PostTransaction
Exec = /usr/bin/sh -c "/usr/bin/systemctl restart gitlab-workhorse gitlab-puma gitlab-sidekiq gitlab-gitaly && cd /usr/share/webapps/gitlab && /usr/bin/sudo -u gitlab $(cat /usr/share/webapps/gitlab/environment | xargs) /usr/bin/bash -c 'cd /usr/share/webapps/gitlab; bundle-2.7 exec rake db:migrate'"
</file>
<file - /etc/webapps/gitlab/secrets.yml>
****
</file>
<code bash>
hexdump -v -n 64 -e '1/1 "%02x"' /dev/urandom > /etc/webapps/gitlab/secret
hexdump -v -n 64 -e '1/1 "%02x"' /dev/urandom > /etc/webapps/gitlab-shell/secret
chown root:gitlab /etc/webapps/gitlab/secret /etc/webapps/gitlab-shell/secret
chmod 640 /etc/webapps/gitlab/secret /etc/webapps/gitlab-shell/secret
</code>
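The ''hexdump'' pipeline above turns 64 bytes from ''/dev/urandom'' into a 128-character hex secret, and the ''chown''/''chmod'' pair makes it readable by root and the ''gitlab'' group only. The Python below is an added example (not from the wiki page or from GitLab) that does the same job with the ''secrets'' module and adds the two things a reviewer would want: the file is created with ''O_EXCL'' so an existing shared secret is never silently replaced, and the mode is set with ''fchmod'' so it does not depend on the caller's umask. A checker reports anything that is the wrong length, not hex, or readable beyond the owner and group. The ''group'' argument stands in for the page's ''root:gitlab'' ownership and is optional because applying it needs root and an existing group; ''demo()'' writes into a temporary directory so the code runs anywhere.

```python
"""Generate and verify a GitLab-style secret file with restrictive permissions.

Added example: mirrors the page's `hexdump -n 64 ... /dev/urandom` + chmod 640
step using Python's secrets module, and checks the result like a reviewer would.
"""
import grp
import os
import secrets
import stat
import tempfile

SECRET_BYTES = 64                       # page: 64 random bytes -> 128 hex chars
HEX_CHARS = set("0123456789abcdef")


def write_secret(path, group=None, mode=0o640):
    """Create `path` with `mode`, refusing to overwrite an existing secret.

    O_EXCL fails if the file exists, so a secret that services already share is
    never clobbered; fchmod fixes the mode regardless of umask. `group` (e.g.
    "gitlab", as on the page) is applied only when given, since it needs root.
    """
    token = secrets.token_hex(SECRET_BYTES)           # 128 lowercase hex chars
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
        if group is not None:
            os.fchown(fd, -1, grp.getgrnam(group).gr_gid)   # keep owner, set group
        os.write(fd, token.encode("ascii"))
    finally:
        os.close(fd)
    return token


def check_secret(path, expected_len=2 * SECRET_BYTES):
    """Return a list of problems with the secret file; empty means it looks right."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        problems.append(f"world-accessible mode {oct(mode)}")
    if mode & 0o020:
        problems.append(f"group-writable mode {oct(mode)}")
    with open(path, "r", encoding="ascii") as fh:
        data = fh.read().strip()
    if len(data) != expected_len:
        problems.append(f"length {len(data)} != {expected_len}")
    if set(data) - HEX_CHARS:
        problems.append("non-hex characters present")
    return problems


def demo():
    """Write one good secret and one loosened copy in a temp dir; return the findings."""
    workdir = tempfile.mkdtemp(prefix="secret-demo-")   # constructed scratch location
    good = os.path.join(workdir, "secret")
    loose = os.path.join(workdir, "secret-loose")
    token = write_secret(good)
    write_secret(loose)
    os.chmod(loose, 0o644)                              # simulate a forgotten chmod
    return {
        "token": token,
        "mode": stat.S_IMODE(os.stat(good).st_mode),
        "problems": check_secret(good),
        "loose_problems": check_secret(loose),
    }


if __name__ == "__main__":
    result = demo()
    print("good file:", oct(result["mode"]), result["problems"] or "ok")
    print("loose file:", result["loose_problems"])
```

On a real host the call would be ''write_secret("/etc/webapps/gitlab/secret", group="gitlab")'' and again for ''gitlab-shell''; the checker is cheap enough to run from a deployment test to catch a secret that was regenerated by hand with the wrong mode.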
misc settings:
  * enable recaptcha for registration https://docs.gitlab.com/ee/integration/recaptcha.html
  * disable ssh git protocol: Admin -> Settings -> Expand "Visibility and access controls" -> For "Enabled Git access protocols" select "Only HTTP(S)"
===== onlyoffice documentserver =====
<code bash>
pacman -S npm nodejs rabbitmq redis onlyoffice-documentserver
ln -s /usr/share/libalpm/hooks/onlyoffice-documentserver.hook /etc/pacman.d/hooks/
</code>
on mysql.pi
<code bash>
sudo -i -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -i -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';"
sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"
psql -hmysql.pi -Uonlyoffice -d onlyoffice -f /usr/share/webapps/onlyoffice/documentserver/server/schema/postgresql/createdb.sql
</code>
<file - /etc/caddy/conf.d/office.project-insanity.org.conf>
office.project-insanity.org {
  log /var/log/caddy/office.project-insanity.org_access.log
  }
}
</file>
<file - /etc/webapps/onlyoffice/documentserver/default.json>
[...]
  "sql": {
    "type": "postgres",
    "tableChanges": "doc_changes",
    "tableResult": "task_result",
    "dbHost": "mysql.pi",
    "dbPort": 5432,
    "dbName": "onlyoffice",
    "dbUser": "onlyoffice",
    "dbPass": "onlyoffice",
    "charset": "utf8",
    "connectionlimit": 10,
    "max_allowed_packet": 1048575
  },
[...]
  "SpellChecker": {
    "server": {
      "port": 8081,
      "mode": "development"
    }
  }
</file>
<file - /etc/hosts>
10.25.0.100 nextcloud.project-insanity.org
</file>
<code bash>
systemctl enable --now rabbitmq redis onlyoffice-docservice onlyoffice-fileconverter onlyoffice-spellchecker
</code>
==== officepad ====
<file - /etc/systemd/system/officepad.service>
[Unit]
Description=Documentserver integration example
[Install]
WantedBy=basic.target
</file>
<code bash>
sudo git clone https://git.project-insanity.org/onny/officepad.git /usr/share/webapps/officepad
sudo chown -R http:http /usr/share/webapps/officepad
systemctl daemon-reload
systemctl enable --now officepad
</code>
<file - /usr/share/webapps/officepad/config/default.json>
[...]
"siteUrl": "https://bwsas-prod-oo-02.lsdf.kit.edu/"
[...]
</file>
===== nextcloud =====
<code bash>
pacman -S php-imagick php-intl nextcloud nextcloud-app-twofactor-gateway nextcloud-app-audioplayer nextcloud-app-polls nextcloud-app-extract nextcloud-app-suspicious-login nextcloud-app-mail nextcloud-app-news nextcloud-app-calendar nextcloud-app-contacts nextcloud-app-keeweb nextcloud-app-deck nextcloud-app-onlyoffice nextcloud-app-bookmarks nextcloud-app-notes nextcloud-app-talk nextcloud-integration-github nextcloud-integration-twitter nextcloud-integration-reddit nextcloud-integration-discourse nextcloud-app-radio nextcloud-app-podcast
</code>
<file - /etc/php/php-fpm.d/www.conf>
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
</file>
php performance optimizations
<file - /etc/php/conf.d/nextcloud.ini>
memory_limit = 512M


apc.enable_cli=1
</file>
<file - /usr/share/webapps/nextcloud/conf/config.php>
<?php
$CONFIG = array (
  'instanceid' => '****',
  'passwordsalt' => '****',
  'datadirectory' => '/usr/share/webapps/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'dbname' => 'nextcloud',
  'dbhost' => 'mysql.pi',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '****',
  'installed' => true,
  'theme' => '',
  'maintenance' => false,
  'loglevel' => 0,
  'cron_log' => true,
  'maxZipInputSize' => 5145728000,
  'allowZipDownload' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'allow_local_remote_servers' => true,
  'trusted_domains' =>
  array (
    0 => 'nextcloud.project-insanity.org',
    1 => 'http.pi',
    2 => 'office.project-insanity.org',
  ),
  'secret' => '****',
  'mail_domain' => 'project-insanity.org',
  'mail_smtpmode' => 'php',
  'mail_from_address' => 'nextcloud',
  'trashbin_retention_obligation' => 'auto',
  'updatechecker' => false,
  'has_internet_connection' => false,
  'app.mail.verify-tls-peer' => false,
  'app_install_overwrite' =>
array ( | array ( |
0 => 'apporder', | 0 => 'apporder', |
1 => 'keeweb', | 1 => 'keeweb', |
2 => 'tasks', | 2 => 'tasks', |
3 => 'weather', | 3 => 'weather', |
4 => 'audioplayer', | 4 => 'audioplayer', |
5 => 'files_ebookreader', | 5 => 'files_ebookreader', |
6 => 'extract', | 6 => 'extract', |
7 => 'polls', | 7 => 'polls', |
8 => 'onlyoffice', | 8 => 'onlyoffice', |
9 => 'drawio', | 9 => 'drawio', |
), | ), |
); | ); |
</file> | </file> |
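The config above carries several settings that trade security for convenience: ''loglevel'' 0 (debug; Nextcloud documents 2, warning, as the default), ''app.mail.verify-tls-peer'' false (the Mail app accepts any IMAP/SMTP certificate), ''allow_local_remote_servers'' true (server-side fetches may reach loopback and RFC1918 hosts) and ''updatechecker'' false. The following shell script is an added example, not part of this page or of Nextcloud, that greps a config.php for exactly these key/value pairs and reports them; the list of risky pairs and the sample config are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the page): flag config.php settings that weaken a
# Nextcloud instance. The key/value list below is this example's own choice,
# taken from the page's config; nothing here is a Nextcloud API.

# One check per line: key|risky value|why it matters
RISKY_SETTINGS='loglevel|0|debug logging; Nextcloud documents 2 (warning) as the default
app.mail.verify-tls-peer|false|Mail app accepts any IMAP/SMTP certificate, so a MITM can read mailbox credentials
allow_local_remote_servers|true|server-side fetches may reach RFC1918/loopback hosts (SSRF surface)
updatechecker|false|no notice when a security release ships'

# Print one line per risky setting found in config.php ($1).
# Returns 1 if anything was flagged, 0 when clean.
lint_nextcloud_config() {
    local cfg=$1 rc=0 key value why key_re
    while IFS='|' read -r key value why; do
        [ -n "$key" ] || continue
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in keys are literal
        if grep -Eq "^[[:space:]]*'${key_re}'[[:space:]]*=>[[:space:]]*${value}[[:space:]]*," "$cfg"; then
            printf '%s => %s: %s\n' "$key" "$value" "$why"
            rc=1
        fi
    done <<EOF
$RISKY_SETTINGS
EOF
    return "$rc"
}

# Constructed sample config mirroring the risky entries from the page.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
$CONFIG = array (
  'loglevel' => 0,
  'allow_local_remote_servers' => true,
  'app.mail.verify-tls-peer' => false,
  'updatechecker' => false,
  'mysql.utf8mb4' => true,
);
EOF
}

# Number of findings for a config file.
count_findings() {
    lint_nextcloud_config "$1" | wc -l | tr -d ' '
}
```

Run it as ''lint_nextcloud_config /usr/share/webapps/nextcloud/config/config.php'' after each change; a non-zero exit makes it usable as a pre-deploy gate. The match is deliberately strict (quoted key, literal value, trailing comma) so it only fires on the exact form occ writes.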
Due to a [[https://bugs.archlinux.org/task/64689?project=5&string=nextcloud|packaging bug]] and the hardened php-fpm.service file, a unit file override is required: | Due to a [[https://bugs.archlinux.org/task/64689?project=5&string=nextcloud|packaging bug]] and the hardened php-fpm.service file, a unit file override is required: |
<file - /etc/systemd/system/php-fpm.service.d/overwrite-rw-path.conf> | <file - /etc/systemd/system/php-fpm.service.d/overwrite-rw-path.conf> |
[Service] | [Service] |
[...] | [...] |
ReadWritePaths = /etc/webapps/nextcloud/config/ | ReadWritePaths = /etc/webapps/nextcloud/config/ |
ReadWritePaths = /usr/share/webapps/wordpress/wp-content | ReadWritePaths = /usr/share/webapps/wordpress/wp-content |
</file> | </file> |
Auto upgrade on pacman update. Note that the hook below runs ''chown -R'' on the apps directory, which the package ships root-owned: afterwards a compromised PHP process running as ''nextcloud'' can modify app code. | Auto upgrade on pacman update. Note that the hook below runs ''chown -R'' on the apps directory, which the package ships root-owned: afterwards a compromised PHP process running as ''nextcloud'' can modify app code. |
<code bash> | <code bash> |
ln -sv /usr/share/doc/nextcloud/nextcloud.hook /etc/pacman.d/hooks/ | ln -sv /usr/share/doc/nextcloud/nextcloud.hook /etc/pacman.d/hooks/ |
</code> | </code> |
<file - /etc/pacman.d/hooks/nextcloud-enable-apps.hook> | <file - /etc/pacman.d/hooks/nextcloud-enable-apps.hook> |
# Update Nextcloud when core or -apps are touched | # Update Nextcloud when core or -apps are touched |
# [Trigger] section reconstructed from that comment; the Target globs are assumed | # [Trigger] section reconstructed from that comment; the Target globs are assumed |
[Trigger] | [Trigger] |
Operation = Install | Operation = Install |
Operation = Upgrade | Operation = Upgrade |
Type = Package | Type = Package |
Target = nextcloud | Target = nextcloud |
Target = nextcloud-app-* | Target = nextcloud-app-* |
Target = nextcloud-integration-* | Target = nextcloud-integration-* |
 | |
[Action] | [Action] |
Description = Updating Nextcloud installation | Description = Updating Nextcloud installation |
When = PostTransaction | When = PostTransaction |
Exec = /usr/bin/sh -c "/usr/bin/chown -R nextcloud:nextcloud /usr/share/webapps/nextcloud/apps && /usr/bin/sudo -u nextcloud /usr/bin/php /usr/share/webapps/nextcloud/occ app:enable twofactor_gateway audioplayer polls extract suspicious_login mail news calendar contacts keeweb deck onlyoffice bookmarks notes talk integration_github integration_twitter integration_reddit integration_discourse radio podcast" | Exec = /usr/bin/sh -c "/usr/bin/chown -R nextcloud:nextcloud /usr/share/webapps/nextcloud/apps && /usr/bin/sudo -u nextcloud /usr/bin/php /usr/share/webapps/nextcloud/occ app:enable twofactor_gateway audioplayer polls extract suspicious_login mail news calendar contacts keeweb deck onlyoffice bookmarks notes talk integration_github integration_twitter integration_reddit integration_discourse radio podcast" |
</file> | </file> |
Nextcloud background job (cron) | Nextcloud background job (cron) |
<file - /etc/systemd/system/nextcloudcron.service> | <file - /etc/systemd/system/nextcloudcron.service> |
[Unit] | [Unit] |
Description=Nextcloud cron.php job | Description=Nextcloud cron.php job |
 | |
[Service] | [Service] |
# [Service] section reconstructed: user matches the chown in the pacman hook above, ExecStart is the upstream-documented invocation | # [Service] section reconstructed: user matches the chown in the pacman hook above, ExecStart is the upstream-documented invocation |
Type=oneshot | Type=oneshot |
User=nextcloud | User=nextcloud |
ExecStart=/usr/bin/php -f /usr/share/webapps/nextcloud/cron.php | ExecStart=/usr/bin/php -f /usr/share/webapps/nextcloud/cron.php |
KillMode=process | KillMode=process |
 | |
[Install] | [Install] |
WantedBy=basic.target | WantedBy=basic.target |
</file> | </file> |
<file - /etc/systemd/system/nextcloudcron.timer> | <file - /etc/systemd/system/nextcloudcron.timer> |
[Unit] | [Unit] |
Description=Run Nextcloud cron.php every 15 minutes | Description=Run Nextcloud cron.php every 15 minutes |
 | |
[Timer] | [Timer] |
# [Timer] section reconstructed from the description above | # [Timer] section reconstructed from the description above |
OnBootSec=15min | OnBootSec=15min |
OnUnitActiveSec=15min | OnUnitActiveSec=15min |
Unit=nextcloudcron.service | Unit=nextcloudcron.service |
 | |
[Install] | [Install] |
WantedBy=timers.target | WantedBy=timers.target |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable --now nextcloudcron.timer | systemctl enable --now nextcloudcron.timer |
</code> | </code> |
Add additional mimetype for keeweb app | Add additional mimetype for keeweb app |
<code bash> | <code bash> |
cd /usr/share/webapps/nextcloud | cd /usr/share/webapps/nextcloud |
cp resources/config/mimetypemapping.dist.json config/mimetypemapping.json | cp resources/config/mimetypemapping.dist.json config/mimetypemapping.json |
</code> | </code> |
Add a kdbx line to the JSON config. The file's own ''_comment5'' says custom mappings belong in ''config/mimetypemapping.json'', so a file containing only the kdbx entry is enough; the copied dist content is redundant and goes stale on upgrades. Afterwards run ''occ maintenance:mimetype:update-db'' and ''occ maintenance:mimetype:update-js'' so already-scanned files and the web client pick up the new type. | Add a kdbx line to the JSON config. The file's own ''_comment5'' says custom mappings belong in ''config/mimetypemapping.json'', so a file containing only the kdbx entry is enough; the copied dist content is redundant and goes stale on upgrades. Afterwards run ''occ maintenance:mimetype:update-db'' and ''occ maintenance:mimetype:update-js'' so already-scanned files and the web client pick up the new type. |
<file - /usr/share/webapps/nextcloud/config/mimetypemapping.json> | <file - /usr/share/webapps/nextcloud/config/mimetypemapping.json> |
[...] | [...] |
"_comment4": "Any changes you make here will be overwritten on an update of Nextcloud", | "_comment4": "Any changes you make here will be overwritten on an update of Nextcloud", |
"_comment5": "Put any custom mappings in a new file mimetypemapping.json in the config/ folder of Nextcloud", | "_comment5": "Put any custom mappings in a new file mimetypemapping.json in the config/ folder of Nextcloud", |
| |
"kdbx": ["x-application/kdbx"], | "kdbx": ["x-application/kdbx"], |
"3gp": ["video/3gpp"], | "3gp": ["video/3gpp"], |
"7z": ["application/x-7z-compressed"], | "7z": ["application/x-7z-compressed"], |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
occ app:enable twofactor_gateway audioplayer polls extract suspicious_login mail news calendar contacts keeweb deck onlyoffice bookmarks notes talk integration_github integration_twitter integration_reddit integration_discourse radio podcast | occ app:enable twofactor_gateway audioplayer polls extract suspicious_login mail news calendar contacts keeweb deck onlyoffice bookmarks notes talk integration_github integration_twitter integration_reddit integration_discourse radio podcast |
</code> | </code> |
==== mail ==== | ==== mail ==== |
Disable TLS certificate verification of the IMAP/SMTP host. This makes the Mail app accept any certificate, so anyone on the path to the mail host can intercept mailbox credentials; only acceptable for a host on the internal bridge, and adding the mail host's CA to the system trust store is the cleaner fix. | Disable TLS certificate verification of the IMAP/SMTP host. This makes the Mail app accept any certificate, so anyone on the path to the mail host can intercept mailbox credentials; only acceptable for a host on the internal bridge, and adding the mail host's CA to the system trust store is the cleaner fix. |
<file - /usr/share/webapps/nextcloud/config/config.php> | <file - /usr/share/webapps/nextcloud/config/config.php> |
[...] | [...] |
'app.mail.verify-tls-peer' => false, | 'app.mail.verify-tls-peer' => false, |
[...] | [...] |
</file> | </file> |
==== twofactor_gateway ==== | ==== twofactor_gateway ==== |
Disposable phone number registration via http://www.getsmscode.com. The number is the identity of the gateway's Signal account: if the provider reassigns it, the gateway cannot re-register and every user relying on it as second factor is locked out unless they kept backup codes. | Disposable phone number registration via http://www.getsmscode.com. The number is the identity of the gateway's Signal account: if the provider reassigns it, the gateway cannot re-register and every user relying on it as second factor is locked out unless they kept backup codes. |
<file - /etc/webapps/signal-web-gateway/config.yml> | <file - /etc/webapps/signal-web-gateway/config.yml> |
[...] | [...] |
tel: "+1774****" | tel: "+1774****" |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
cd /usr/share/webapps/nextcloud | cd /usr/share/webapps/nextcloud |
sudo -u http ./occ twofactorauth:gateway:configure signal # leave default options (press return) | sudo -u http ./occ twofactorauth:gateway:configure signal # leave default options (press return) |
sudo -u signal signal-web-gateway # enter verification | sudo -u signal signal-web-gateway # enter verification |
systemctl enable --now signal-web-gateway | systemctl enable --now signal-web-gateway |
</code> | </code> |
* Activate 2FA in ''Settings -> Security (User)'' | * Activate 2FA in ''Settings -> Security (User)'' |
* Enter your phone number and press verify | * Enter your phone number and press verify |
| |
==== onlyoffice ==== | ==== onlyoffice ==== |
* Paste in ''Settings -> ONLYOFFICE'' the ''Document Editing Service address'' to ''https://office.project-insanity.org'' | * Paste in ''Settings -> ONLYOFFICE'' the ''Document Editing Service address'' to ''https://office.project-insanity.org'' |
==== maintenance ==== | ==== maintenance ==== |
Run file integrity checks | Run file integrity checks |
<code bash> | <code bash> |
sudo -u http /usr/share/webapps/nextcloud/occ integrity:check-app | sudo -u http /usr/share/webapps/nextcloud/occ integrity:check-app |
sudo -u http /usr/share/webapps/nextcloud/occ integrity:check-core | sudo -u http /usr/share/webapps/nextcloud/occ integrity:check-core |
sudo -u http /usr/share/webapps/nextcloud/occ files:scan --all | sudo -u http /usr/share/webapps/nextcloud/occ files:scan --all |
</code> | </code> |
===== phpmyadmin ===== | ===== phpmyadmin ===== |
<file - /etc/webapps/phpmyadmin/config.inc.php> | <file - /etc/webapps/phpmyadmin/config.inc.php> |
[...] | [...] |
/* Server parameters */ | /* Server parameters */ |
$cfg['Servers'][$i]['compress'] = false; | $cfg['Servers'][$i]['compress'] = false; |
[...] | [...] |
</file> | </file> |
| |
| |
===== cockpit ===== | ===== cockpit ===== |
<code bash> | <code bash> |
pacman -S cockpit | pacman -S cockpit |
systemctl enable --now cockpit pmcd | systemctl enable --now cockpit pmcd |
nft add rule inet filter input position 17 ip saddr 10.25.40.0/24 tcp dport 9090 accept | nft add rule inet filter input position 17 ip saddr 10.25.40.0/24 tcp dport 9090 accept |
nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport 9090 accept | nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport 9090 accept |
nft list ruleset > /etc/nftables.conf | nft list ruleset > /etc/nftables.conf |
</code> | </code> |
<file - /etc/sudoers> | <file - /etc/sudoers> |
[...] | [...] |
cockpit ALL=(ALL) ALL | cockpit ALL=(ALL) ALL |
[...] | [...] |
</file> | </file> |
<file - /etc/pam.d/cockpit> | <file - /etc/pam.d/cockpit> |
#%PAM-1.0 | #%PAM-1.0 |
| |
session required pam_unix.so | session required pam_unix.so |
session optional pam_permit.so | session optional pam_permit.so |
</file> | </file> |
| |
===== outline ===== | ===== outline ===== |
on http.pi | on http.pi |
<code bash> | <code bash> |
pacman -S outline | pacman -S outline |
</code> | </code> |
<file - /etc/webapps/outline/.env> | <file - /etc/webapps/outline/.env> |
[...] | [...] |
SECRET_KEY=**** | SECRET_KEY=**** |
URL=http://playground.pi:3000 | URL=http://playground.pi:3000 |
FORCE_HTTPS=false | FORCE_HTTPS=false |
</file> | </file> |
on mysql.pi | on mysql.pi |
<code bash> | <code bash> |
sudo -i -u postgres psql -c "CREATE DATABASE outline;" | sudo -i -u postgres psql -c "CREATE DATABASE outline;" |
sudo -i -u postgres psql -c "CREATE USER outline WITH password 'outline';" | sudo -i -u postgres psql -c "CREATE USER outline WITH password 'outline';" |
sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE outline TO outline;" | sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE outline TO outline;" |
</code> | </code> |
on http.pi | on http.pi |
<code bash> | <code bash> |
cd /usr/share/webapps/outline | cd /usr/share/webapps/outline |
npm run sequelize:migrate | npm run sequelize:migrate |
systemctl enable --now outline | systemctl enable --now outline |
</code> | </code> |
| |
====== storage.pi ====== | ====== storage.pi ====== |
===== kol ha campus archive radio stream ===== | ===== kol ha campus archive radio stream ===== |
<code bash> | <code bash> |
pacman -S vlc pulseaudio | pacman -S vlc pulseaudio |
</code> | </code> |
<file - /etc/systemd/system/106fm_archive_stream.service> | <file - /etc/systemd/system/106fm_archive_stream.service> |
[Unit] | [Unit] |
Description=106fm.co.il archive radio stream server | Description=106fm.co.il archive radio stream server |
 | |
[Service] | [Service] |
User=onny | User=onny |
Type=simple | Type=simple |
ExecStart=/usr/bin/cvlc -A pulse,none /home/onny/bash-kolhaas-archive/archived --loop --random --sout-keep --sout '#transcode{acodec=opus}:duplicate{dst=display{delay=6000},dst=gather:std{mux=ffmpeg{mux=opus},dst=:8080,access=http},select="novideo"}' | ExecStart=/usr/bin/cvlc -A pulse,none /home/onny/bash-kolhaas-archive/archived --loop --random --sout-keep --sout '#transcode{acodec=opus}:duplicate{dst=display{delay=6000},dst=gather:std{mux=ffmpeg{mux=opus},dst=:8080,access=http},select="novideo"}' |
Restart=on-abort | Restart=on-abort |
 | |
[Install] | [Install] |
WantedBy=multi-user.target | WantedBy=multi-user.target |
</file> | </file> |
<file - /usr/lib/systemd/system/pulseaudio.service> | <file - /usr/lib/systemd/system/pulseaudio.service> |
[Unit] | [Unit] |
Description=PulseAudio system server | Description=PulseAudio system server |
 | |
[Service] | [Service] |
# [Service] section reconstructed; this is the usual system-mode invocation (assumed) | # [Service] section reconstructed; this is the usual system-mode invocation (assumed) |
ExecStart=/usr/bin/pulseaudio --daemonize=no --system --realtime --log-target=journal | ExecStart=/usr/bin/pulseaudio --daemonize=no --system --realtime --log-target=journal |
 | |
[Install] | [Install] |
WantedBy=multi-user.target | WantedBy=multi-user.target |
</file> | </file> |
<file - /usr/share/dbus-1/system.d/pulseaudio.conf> | <file - /usr/share/dbus-1/system.d/pulseaudio.conf> |
<?xml version="1.0"?> <!--*-nxml-*--> | <?xml version="1.0"?> <!--*-nxml-*--> |
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" | <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" |
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> | "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> |
<busconfig> | <busconfig> |
<policy group="pulse"> | <policy group="pulse"> |
<allow own="org.pulseaudio.Server"/> | <allow own="org.pulseaudio.Server"/> |
</policy> | </policy> |
| |
<policy context="default"> | <policy context="default"> |
<allow send_destination="org.pulseaudio.Server"/> | <allow send_destination="org.pulseaudio.Server"/> |
<allow receive_sender="org.pulseaudio.Server"/> | <allow receive_sender="org.pulseaudio.Server"/> |
</policy> | </policy> |
</busconfig> | </busconfig> |
</file> | </file> |
<code bash> | <code bash> |
echo "default-server = /var/run/pulse/native" >> /etc/pulse/client.conf | echo "default-server = /var/run/pulse/native" >> /etc/pulse/client.conf |
echo "autospawn = no" >> /etc/pulse/client.conf | echo "autospawn = no" >> /etc/pulse/client.conf |
systemctl daemon-reload | systemctl daemon-reload |
groupadd --system pulse | groupadd --system pulse |
nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport 8080 accept | nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport 8080 accept |
nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport 8080 accept | nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport 8080 accept |
nft list ruleset > /etc/nftables.conf | nft list ruleset > /etc/nftables.conf |
</code> | </code> |
also added a caddy rule on http.pi for the url: https://blog.project-insanity.org/106fm | also added a caddy rule on http.pi for the url: https://blog.project-insanity.org/106fm |
===== bitcoind ===== | ===== bitcoind ===== |
<code bash> | <code bash> |
pacman -S bitcoin-daemon | pacman -S bitcoin-daemon |
systemctl start bitcoind | systemctl start bitcoind |
systemctl enable bitcoind | systemctl enable bitcoind |
ufw allow from 10.25.0.0/24 to any port 8333 | ufw allow from 10.25.0.0/24 to any port 8333 |
</code> | </code> |
https://bitcoin.stackexchange.com/a/75312 | https://bitcoin.stackexchange.com/a/75312 |
====== playground.pi ====== | ====== playground.pi ====== |
<code bash> | <code bash> |
pacman -S devtools | pacman -S devtools |
</code> | </code> |
===== beta.saai.digital ===== | ===== beta.saai.digital ===== |
<code bash> | <code bash> |
pacman -S iptables-nft | pacman -S iptables-nft |
</code> | </code> |
<file - /etc/nftables.conf> | <file - /etc/nftables.conf> |
[...] | [...] |
chain forward { | chain forward { |
} | } |
} | } |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable --now docker | systemctl enable --now docker |
</code> | </code> |
===== QuakeJS ===== | ===== QuakeJS ===== |
<code bash> | <code bash> |
pacman -S quakejs-git | pacman -S quakejs-git |
cd /usr/share/webapps/quakejs | cd /usr/share/webapps/quakejs |
chown -R quakejs:quakejs . | chown -R quakejs:quakejs . |
sudo -u quakejs node build/ioq3ded.js +set fs_game baseq3 +set dedicated 2 | sudo -u quakejs node build/ioq3ded.js +set fs_game baseq3 +set dedicated 2 |
</code> | </code> |
<file - /etc/conf.d/quakejs> | <file - /etc/conf.d/quakejs> |
QUAKEJS_DS_PARAMS="+set fs_cdn cdn.quake.turbotux.de +set fs_game baseq3 +set dedicated 1 +exec server.cfg" | QUAKEJS_DS_PARAMS="+set fs_cdn cdn.quake.turbotux.de +set fs_game baseq3 +set dedicated 1 +exec server.cfg" |
</file> | </file> |
<file - /usr/share/webapps/quakejs/base/baseq3/server.cfg> | <file - /usr/share/webapps/quakejs/base/baseq3/server.cfg> |
seta sv_hostname "Project-Insanity.org QuakeJS" | seta sv_hostname "Project-Insanity.org QuakeJS" |
seta sv_maxclients 12 | seta sv_maxclients 12 |
seta g_motd "Welcome to PI Quake 3 battleground" | seta g_motd "Welcome to PI Quake 3 battleground" |
seta g_quadfactor 3 | seta g_quadfactor 3 |
seta g_gametype 0 | seta g_gametype 0 |
seta g_inactivity 3000 | seta g_inactivity 3000 |
seta g_forcerespawn 0 | seta g_forcerespawn 0 |
seta rconpassword "CHANGE_ME" | seta rconpassword "CHANGE_ME" |
set d1 "map q3dm17 ; set nextmap vstr d2" | set d1 "map q3dm17 ; set nextmap vstr d2" |
set d2 "map q3tourney3 ; set nextmap vstr d3" | set d2 "map q3tourney3 ; set nextmap vstr d3" |
set d3 "map q3tourney1 ; set nextmap vstr d1" | set d3 "map q3tourney1 ; set nextmap vstr d1" |
vstr d1 | vstr d1 |
</file> | </file> |
<file - /etc/webapps/quakejs/web.json> | <file - /etc/webapps/quakejs/web.json> |
{ | { |
"content": "cdn.quake.turbotux.de", | "content": "cdn.quake.turbotux.de", |
"port": 8081 | "port": 8081 |
} | } |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable --now quakejs-ds quakejs quakejs-cdn | systemctl enable --now quakejs-ds quakejs quakejs-cdn |
</code> | </code> |
===== PI ArchLinux Repository ===== | ===== PI ArchLinux Repository ===== |
Build and install aurutils from source | Build and install aurutils from source |
<code bash> | <code bash> |
cd /tmp | cd /tmp |
curl "https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz" | tar xz | curl "https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz" | tar xz |
cd aurutils | cd aurutils |
gpg --recv-keys DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A | gpg --recv-keys DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A |
makepkg -i | makepkg -i |
pacman --root=/var/lib/aurbuild/x86_64/root -S git | pacman --root=/var/lib/aurbuild/x86_64/root -S git |
pacman --root=/var/lib/aurbuild/x86_64/root -S python2-setuptools # workaround for zeronet -> python-pyelliptic | pacman --root=/var/lib/aurbuild/x86_64/root -S python2-setuptools # workaround for zeronet -> python-pyelliptic |
pacman --root=/var/lib/aurbuild/x86_64/root -S wayland # workaround for dmenu-wayland-git | pacman --root=/var/lib/aurbuild/x86_64/root -S wayland # workaround for dmenu-wayland-git |
sudo cp /usr/share/devtools/pacman-extra.conf /etc/aurutils/pacman-projectinsanity.conf | sudo cp /usr/share/devtools/pacman-extra.conf /etc/aurutils/pacman-projectinsanity.conf |
</code> | </code> |
Configure the custom repository. ''SigLevel = Optional TrustAll'' disables signature checks for this repository, so anything able to write into ''/var/cache/pacman/projectinsanity'' (the ''aur'' user, created below) can get code installed as root on every host that uses it; the ''file://'' transport only rules out tampering on the network. The sudoers entries below additionally let that same user run ''makechrootpkg'' and ''arch-nspawn'' as root without a password, which makes the build user root-equivalent. | Configure the custom repository. ''SigLevel = Optional TrustAll'' disables signature checks for this repository, so anything able to write into ''/var/cache/pacman/projectinsanity'' (the ''aur'' user, created below) can get code installed as root on every host that uses it; the ''file://'' transport only rules out tampering on the network. The sudoers entries below additionally let that same user run ''makechrootpkg'' and ''arch-nspawn'' as root without a password, which makes the build user root-equivalent. |
<file - /etc/pacman.conf> | <file - /etc/pacman.conf> |
[...] | [...] |
Include = /etc/pacman.d/projectinsanity | Include = /etc/pacman.d/projectinsanity |
</file> | </file> |
<file - /etc/pacman.d/projectinsanity> | <file - /etc/pacman.d/projectinsanity> |
[options] | [options] |
CacheDir = /var/cache/pacman/pkgwf | CacheDir = /var/cache/pacman/pkgwf |
SigLevel = Optional TrustAll | SigLevel = Optional TrustAll |
Server = file:///var/cache/pacman/projectinsanity | Server = file:///var/cache/pacman/projectinsanity |
</file> | </file> |
<file - /etc/sudoers> | <file - /etc/sudoers> |
[...] | [...] |
aur ALL = NOPASSWD: SETENV: /usr/bin/makechrootpkg | aur ALL = NOPASSWD: SETENV: /usr/bin/makechrootpkg |
aur ALL = NOPASSWD: /usr/bin/arch-nspawn | aur ALL = NOPASSWD: /usr/bin/arch-nspawn |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
sudo useradd -m aur | sudo useradd -m aur |
sudo install -d /var/cache/pacman/projectinsanity -o aur | sudo install -d /var/cache/pacman/projectinsanity -o aur |
sudo -u aur gpg --recv-keys 6BC26A17B9B7018A | sudo -u aur gpg --recv-keys 6BC26A17B9B7018A |
sudo -u aur gpg --recv-keys 1D1F0DC78F173680 | sudo -u aur gpg --recv-keys 1D1F0DC78F173680 |
</code> | </code> |
<file - /etc/systemd/system/aurupdate.service> | <file - /etc/systemd/system/aurupdate.service> |
[Unit] | [Unit] |
Description=Automatic update AUR repository. | Description=Automatic update AUR repository. |
 | |
[Service] | [Service] |
# [Service] section reconstructed: runs the update script below as the aur user | # [Service] section reconstructed: runs the update script below as the aur user |
Type=oneshot | Type=oneshot |
User=aur | User=aur |
ExecStart=/usr/bin/pi-archlinuxrepo-update.sh | ExecStart=/usr/bin/pi-archlinuxrepo-update.sh |
 | |
[Install] | [Install] |
WantedBy=multi-user.target | WantedBy=multi-user.target |
</file> | </file> |
<file - /usr/bin/pi-archlinuxrepo-update.sh> | <file - /usr/bin/pi-archlinuxrepo-update.sh> |
#!/bin/bash | #!/bin/bash |
# Rebuild every package currently in the projectinsanity repo from the AUR. | # Rebuild every package currently in the projectinsanity repo from the AUR. |
# --no-view skips the PKGBUILD review step, so whatever the AUR serves gets built. | # --no-view skips the PKGBUILD review step, so whatever the AUR serves gets built. |
for package in $(pacman -Sql projectinsanity); do | for package in $(pacman -Sql projectinsanity); do |
    aur sync --no-view -c "$package" |     aur sync --no-view -c "$package" |
done | done |
</file> | </file> |
<file - /etc/systemd/system/aurupdate.timer> | <file - /etc/systemd/system/aurupdate.timer> |
[Unit] | [Unit] |
Description=Automatic update AUR repository when booted up after 5 minutes then check for updates every 60 minutes. | Description=Automatic update AUR repository when booted up after 5 minutes then check for updates every 60 minutes. |
 | |
[Timer] | [Timer] |
# [Timer] section reconstructed from the description above | # [Timer] section reconstructed from the description above |
OnBootSec=5min | OnBootSec=5min |
OnUnitActiveSec=60min | OnUnitActiveSec=60min |
Unit=aurupdate.service | Unit=aurupdate.service |
 | |
[Install] | [Install] |
WantedBy=multi-user.target | WantedBy=multi-user.target |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable --now aurupdate.timer | systemctl enable --now aurupdate.timer |
</code> | </code> |
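The timer above rebuilds and publishes whatever PKGBUILD the AUR currently serves, with ''--no-view'' hiding the diff and ''SigLevel = Optional TrustAll'' installing the result unsigned. The following script is an added example, not part of this page or of aurutils, that pins a sha256 of each reviewed PKGBUILD and refuses to build a package whose PKGBUILD changed since the pin. ''aur fetch'' and ''aur build -d'' are real aurutils commands; the pin directory, the ''--run'' flag and the function names are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the page): pin the PKGBUILD hash of every package in
# the projectinsanity repo so an automatic rebuild only proceeds for PKGBUILDs
# that were reviewed. A hijacked AUR package then stalls with a message
# instead of being built and installed unsigned on every host.
# PIN_DIR is an assumed location, one file per package.

PIN_DIR=${PIN_DIR:-/var/lib/aurbuild/pins}

# sha256 (hex only) of $1/PKGBUILD
pkgbuild_hash() {
    sha256sum "$1/PKGBUILD" | cut -d' ' -f1
}

# State of the checked-out package dir $1 against the pin stored in $2:
# 0 = matches pin, 1 = differs from pin (needs review), 2 = never pinned.
pkgbuild_pin_state() {
    local pkgdir=$1 pindir=$2 name
    name=$(basename "$pkgdir")
    [ -f "$pindir/$name" ] || return 2
    [ "$(pkgbuild_hash "$pkgdir")" = "$(cat "$pindir/$name")" ] && return 0
    return 1
}

# Record the current PKGBUILD hash of $1 as reviewed, in $2.
pin_pkgbuild() {
    local pkgdir=$1 pindir=$2
    mkdir -p "$pindir"
    pkgbuild_hash "$pkgdir" > "$pindir/$(basename "$pkgdir")"
}

# Replacement for the page's update loop: fetch, compare against the pin, and
# build only when unchanged. aur fetch / aur build are real aurutils commands;
# they are only invoked when this script is run with "--run".
update_repo() {
    local package
    cd "${AURDEST:-/var/lib/aurbuild/aur}" || return 1
    for package in $(pacman -Sql projectinsanity); do
        aur fetch "$package" >/dev/null || { echo "fetch failed: $package" >&2; continue; }
        case "$(pkgbuild_pin_state "$package" "$PIN_DIR"; echo $?)" in
            0) (cd "$package" && aur build -d projectinsanity -c) ;;
            1) echo "$package: PKGBUILD changed since review, inspect it, then: pin_pkgbuild $package $PIN_DIR" >&2 ;;
            2) echo "$package: never reviewed, inspect it, then: pin_pkgbuild $package $PIN_DIR" >&2 ;;
        esac
    done
}

if [ "${1-}" = --run ]; then
    update_repo
fi
```

Point ''ExecStart'' of aurupdate.service at this script with ''--run''; a changed PKGBUILD then shows up in the journal instead of in the repository, and ''pin_pkgbuild'' after a manual ''aur view'' lets it through. Pinning the PKGBUILD does not cover the sources it fetches, so keep ''sha256sums'' in the PKGBUILD non-SKIP where possible.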
<code bash> | <code bash> |
sudo -u aur gpg --recv-keys 2A349DD577D586A5 | sudo -u aur gpg --recv-keys 2A349DD577D586A5 |
sudo -u aur aur sync -d projectinsanity -c librewolf pkgbuild-introspection tor-browser-en r128gain split2flac id3ted redshift-wlr-gamma-control-git krop wcalc anbox-git ocenaudio-bin smloadr soulseekqt aurutils downgrade maddy wp-cli wordpress-plugin-antispam-bee wordpress-plugin-code-syntax-block wordpress-plugin-jetpack-lite wordpress-plugin-lightbox-photoswipe wordpress-plugin-wp-gdpr-compliance wordpress-plugin-wp-statistics jellyfin onlyoffice-documentserver nextcloud-app-twofactor-gateway nextcloud-app-audioplayer nextcloud-app-polls nextcloud-app-extract nextcloud-app-suspicious-login nextcloud-app-keeweb nextcloud-app-radio nextcloud-app-onlyoffice fdroidserver android-sdk android-sdk-build-tools gplaycli vlc-bittorrent qlcplus signal-web-gateway-git invoiceninja invoiceplane python-gspread-git etcher zeronet teamviewer scrcpy ttyd wdisplays-git dmenu-wayland-git python-soundcard python-soundfile pacaur archivemount micro python-rpi.gpio python-pad4pi python-pulse-control python-rplcd python-vlc python-mpv pmbootstrap wordpress-theme-geist linux-libre opensnitch-git powerpill osmctools tilemaker nextcloud-app-talk xerox-phaser-6000-6010 dokuwiki-plugin-captcha dokuwiki-plugin-dw2pdf dokuwiki-template-argon nextcloud-integration-github nextcloud-integration-twitter nextcloud-integration-reddit nextcloud-integration-discourse wordpress-plugin-opengraph nextcloud-app-podcast wordpress-plugin-simple-login-captcha wordpress-plugin-disable-xml-rpc wordpress-plugin-async-javascript wordpress-plugin-breeze wordpress-plugin-webp-converter-for-media | sudo -u aur aur sync -d projectinsanity -c librewolf pkgbuild-introspection tor-browser-en r128gain split2flac id3ted redshift-wlr-gamma-control-git krop wcalc anbox-git ocenaudio-bin smloadr soulseekqt aurutils downgrade maddy wp-cli wordpress-plugin-antispam-bee wordpress-plugin-code-syntax-block wordpress-plugin-jetpack-lite wordpress-plugin-lightbox-photoswipe wordpress-plugin-wp-gdpr-compliance wordpress-plugin-wp-statistics jellyfin onlyoffice-documentserver nextcloud-app-twofactor-gateway nextcloud-app-audioplayer nextcloud-app-polls nextcloud-app-extract nextcloud-app-suspicious-login nextcloud-app-keeweb nextcloud-app-radio nextcloud-app-onlyoffice fdroidserver android-sdk android-sdk-build-tools gplaycli vlc-bittorrent qlcplus signal-web-gateway-git invoiceninja invoiceplane python-gspread-git etcher zeronet teamviewer scrcpy ttyd wdisplays-git dmenu-wayland-git python-soundcard python-soundfile pacaur archivemount micro python-rpi.gpio python-pad4pi python-pulse-control python-rplcd python-vlc python-mpv pmbootstrap wordpress-theme-geist linux-libre opensnitch-git powerpill osmctools tilemaker nextcloud-app-talk xerox-phaser-6000-6010 dokuwiki-plugin-captcha dokuwiki-plugin-dw2pdf dokuwiki-template-argon nextcloud-integration-github nextcloud-integration-twitter nextcloud-integration-reddit nextcloud-integration-discourse wordpress-plugin-opengraph nextcloud-app-podcast wordpress-plugin-simple-login-captcha wordpress-plugin-disable-xml-rpc wordpress-plugin-async-javascript wordpress-plugin-breeze wordpress-plugin-webp-converter-for-media |
nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport http accept | nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport http accept |
nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport http accept | nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport http accept |
nft list ruleset > /etc/nftables.conf | nft list ruleset > /etc/nftables.conf |
</code> | </code> |
caddy configuration | caddy configuration |
<file - /etc/caddy/Caddyfile> | <file - /etc/caddy/Caddyfile> |
import conf.d/*.conf | import conf.d/*.conf |
</file> | </file> |
<file - /etc/caddy/conf.d/onny.project-insanity.org.conf> | <file - /etc/caddy/conf.d/onny.project-insanity.org.conf> |
http://onny.project-insanity.org { | http://onny.project-insanity.org { |
| |
| |
} | } |
</file> | </file> |
<code bash> | <code bash> |
systemctl restart caddy | systemctl restart caddy |
</code> | </code> |
caddy configuration on http-pub.pi: | caddy configuration on http-pub.pi: |
<file - /etc/caddy/conf.d/onny.project-insanity.org.conf> | <file - /etc/caddy/conf.d/onny.project-insanity.org.conf> |
[...] | [...] |
proxy /archlinux playground.pi { | proxy /archlinux playground.pi { |
} | } |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
systemctl restart caddy | systemctl restart caddy |
</code> | </code> |
====== http-pub.pi ====== | ====== http-pub.pi ====== |
<code bash> | <code bash> |
pacman -S caddy php-fpm | pacman -S caddy php-fpm |
systemctl enable --now caddy php-fpm | systemctl enable --now caddy php-fpm |
nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport http accept | nft add rule inet filter input position 17 ip saddr 10.25.0.0/24 tcp dport http accept |
nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport http accept | nft add rule inet filter input position 17 ip6 saddr 2a01:4f8:191:327::0/64 tcp dport http accept |
nft list ruleset > /etc/nftables.conf | nft list ruleset > /etc/nftables.conf |
</code> | </code> |
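The firewall steps on this page (cockpit, the storage.pi radio stream, the PI ArchLinux repository and http-pub.pi above) all use ''nft add rule ... position 17''. A position refers to a rule handle, and handles are assigned when the ruleset is loaded, so after a reboot or an edit of /etc/nftables.conf the same number can point at a different rule and the accept lands after the final drop, where it is never reached. The script below is an added example, not from the page or from the nftables project, that looks the handle up by the rule's comment instead; the listing it parses is a constructed sample of ''nft -a list chain inet filter input'' output and the comments ''ssh'', ''cockpit'' and ''catch-all'' are assumed.

```shell
#!/bin/bash
# Added example (not from the page): resolve an nftables rule handle by its
# comment instead of hardcoding "position 17". Handles are assigned at load
# time, so a hardcoded number can point at a different rule after a reboot or
# a ruleset edit. SAMPLE_LISTING is a constructed `nft -a list chain` output;
# the rule comments in it are assumed.

SAMPLE_LISTING=$(cat <<'EOF'
table inet filter {
    chain input { # handle 1
        type filter hook input priority filter; policy drop;
        ct state established,related accept # handle 5
        iif "lo" accept # handle 6
        tcp dport 22 accept comment "ssh" # handle 17
        ip saddr 10.25.0.0/24 tcp dport 9090 accept comment "cockpit" # handle 18
        counter drop comment "catch-all" # handle 19
    }
}
EOF
)

# Print the handle of the rule whose comment equals $2 in listing $1.
# Returns 1 when no rule carries that comment.
handle_by_comment() {
    local listing=$1 tag=$2
    printf '%s\n' "$listing" | awk -v tag="$tag" '
        index($0, "comment \"" tag "\"") && match($0, /# handle [0-9]+$/) {
            print substr($0, RSTART + 9, RLENGTH - 9)   # strip "# handle "
            found = 1
            exit
        }
        END { exit !found }'
}

# Build the command that places rule $3 before the rule tagged $2. nft
# "insert ... position H" puts the new rule before handle H, "add ... position H"
# puts it after; inserting before the final drop is what the page's "position 17"
# is meant to achieve.
insert_before_cmd() {
    local listing=$1 tag=$2 rule=$3 handle
    handle=$(handle_by_comment "$listing" "$tag") || return 1
    printf 'nft insert rule inet filter input position %s %s\n' "$handle" "$rule"
}

# Live use (not executed here): read the running chain, insert, then persist.
#   live=$(nft -a list chain inet filter input)
#   eval "$(insert_before_cmd "$live" catch-all 'ip saddr 10.25.0.0/24 tcp dport 8080 accept comment "radio"')"
#   nft list ruleset > /etc/nftables.conf
```

Giving the new rule its own ''comment'' means the next run can find and replace it as well. The longer-term fix is to keep the accept rules in /etc/nftables.conf itself and reload with ''nft -f'', so the ordering is declared once rather than reconstructed from handles.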
<file - /etc/pacman.d/hooks/php.hook> | <file - /etc/pacman.d/hooks/php.hook> |
# Restart php service | # Restart php service |
# [Trigger] section reconstructed: fire on any php* package change (target glob assumed) | # [Trigger] section reconstructed: fire on any php* package change (target glob assumed) |
[Trigger] | [Trigger] |
Operation = Install | Operation = Install |
Operation = Upgrade | Operation = Upgrade |
Type = Package | Type = Package |
Target = php* | Target = php* |
 | |
[Action] | [Action] |
Description = Restarting php-fpm | Description = Restarting php-fpm |
When = PostTransaction | When = PostTransaction |
Exec = /usr/bin/systemctl restart php-fpm | Exec = /usr/bin/systemctl restart php-fpm |
</file> | </file> |
Custom caddy installation. ''makepkg --skipinteg'' below skips the checksum and signature verification of the downloaded sources, so the package is built from whatever the mirror served at that moment; ''updpkgsums'' after editing the PKGBUILD records the checksums of the reviewed download instead and keeps later builds pinned to it. | Custom caddy installation. ''makepkg --skipinteg'' below skips the checksum and signature verification of the downloaded sources, so the package is built from whatever the mirror served at that moment; ''updpkgsums'' after editing the PKGBUILD records the checksums of the reviewed download instead and keeps later builds pinned to it. |
<code bash> | <code bash> |
pacaur -d caddy | pacaur -d caddy |
</code> | </code> |
<file - ~/.cache/pacaur/caddy/PKGBUILD> | <file - ~/.cache/pacaur/caddy/PKGBUILD> |
[...] | [...] |
# 'http.expires' | # 'http.expires' |
# 'http.filter' | # 'http.filter' |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
cd ~/.cache/pacaur/caddy | cd ~/.cache/pacaur/caddy |
makepkg -i --skipinteg | makepkg -i --skipinteg |
</code> | </code> |
===== caddy ===== | ===== caddy ===== |
<code bash> | <code bash> |
pacman -S caddy | pacman -S caddy |
gpasswd -a caddy http | gpasswd -a caddy http |
</code> | </code> |
<file - /etc/caddy/Caddyfile> | <file - /etc/caddy/Caddyfile> |
import /etc/caddy/conf.d/* | import /etc/caddy/conf.d/* |
</file> | </file> |
<file - /etc/caddy/conf.d/ausstellung-virtuell.de.conf> | <file - /etc/caddy/conf.d/ausstellung-virtuell.de.conf> |
http://ausstellung-virtuell.de { | http://ausstellung-virtuell.de { |
redir https://www.ausstellung-virtuell.de{uri} | redir https://www.ausstellung-virtuell.de{uri} |
rewrite @mainpage /index.php?page={http.regexp.path.1} | rewrite @mainpage /index.php?page={http.regexp.path.1} |
} | } |
</file> | </file> |
<file - /etc/caddy/conf.d/onny.project-insanity.org.conf> | <file - /etc/caddy/conf.d/onny.project-insanity.org.conf> |
http://onny.project-insanity.org { | http://onny.project-insanity.org { |
| |
| |
} | } |
</file> | </file> |
<file - /etc/systemd/system/caddy.service.d/override.conf> | <file - /etc/systemd/system/caddy.service.d/override.conf> |
[Service] | [Service] |
ProtectHome=false | ProtectHome=false |
LimitNOFILE=infinity | LimitNOFILE=infinity |
LimitNPROC=infinity | LimitNPROC=infinity |
</file> | </file> |
<code bash> | <code bash> |
systemctl daemon-reload | systemctl daemon-reload |
systemctl restart caddy | systemctl restart caddy |
</code> | </code> |
Override the php-fpm.service configuration to allow access to home directories (this drops the unit's ProtectHome sandboxing, so a compromised PHP worker can read every user's home): | Override the php-fpm.service configuration to allow access to home directories (this drops the unit's ProtectHome sandboxing, so a compromised PHP worker can read every user's home): |
<file - /etc/systemd/system/php-fpm.service.d/overwrite.conf> | <file - /etc/systemd/system/php-fpm.service.d/overwrite.conf> |
[Service] | [Service] |
ProtectHome=false | ProtectHome=false |
</file> | </file> |
| |
===== wordpress ===== | ===== wordpress ===== |
<file - /etc/php/conf.d/wordpress.ini> | <file - /etc/php/conf.d/wordpress.ini> |
extension=mysqli | extension=mysqli |
| |
upload_max_filesize = 64M | upload_max_filesize = 64M |
post_max_size = 64M | post_max_size = 64M |
</file> | </file> |
| |
===== uwsgi ===== | ===== uwsgi ===== |
<code bash> | <code bash> |
pacman -S uwsgi-plugin-python python-bottle | pacman -S uwsgi-plugin-python python-bottle |
mkdir /etc/uwsgi/systemd | mkdir /etc/uwsgi/systemd |
</code> | </code> |
<file - /etc/systemd/system/uwsgi-private@.service> | <file - /etc/systemd/system/uwsgi-private@.service> |
[Unit] | [Unit] |
Description=uWSGI service unit | Description=uWSGI service unit |
[Install] | [Install] |
WantedBy=multi-user.target | WantedBy=multi-user.target |
</file> | </file> |
<file - /etc/systemd/system/uwsgi-private@.socket> | <file - /etc/systemd/system/uwsgi-private@.socket> |
[Unit] | [Unit] |
Description=Socket for uWSGI %I | Description=Socket for uWSGI %I |
[Install] | [Install] |
WantedBy=sockets.target | WantedBy=sockets.target |
</file> | </file> |
==== getmetadata ==== | ==== getmetadata ==== |
<code bash> | <code bash> |
pacman -S python-requests | pacman -S python-requests |
</code> | </code> |
<file - /etc/uwsgi/getmetadata.ini> | <file - /etc/uwsgi/getmetadata.ini> |
[uwsgi] | [uwsgi] |
http-socket = /run/uwsgi/%n.sock | http-socket = /run/uwsgi/%n.sock |
plugins = python | plugins = python |
file = streammetadata-api.py | file = streammetadata-api.py |
</file> | </file> |
<file - /etc/uwsgi/systemd/getmetadata.conf> | <file - /etc/uwsgi/systemd/getmetadata.conf> |
rw_directory="/usr/share/webapps/getmetadata" | rw_directory="/usr/share/webapps/getmetadata" |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable uwsgi-private@getmetadata | systemctl enable uwsgi-private@getmetadata |
systemctl start uwsgi-private@getmetadata | systemctl start uwsgi-private@getmetadata |
</code> | </code> |
==== biolaedle-etiketten-generator ==== | ==== biolaedle-etiketten-generator ==== |
<code bash> | <code bash> |
pacman -S python-pandas python-reportlab python-xlrd python-bottle | pacman -S python-pandas python-reportlab python-xlrd python-bottle |
</code> | </code> |
<file - /etc/uwsgi/biolaedle-etiketten-generator.ini> | <file - /etc/uwsgi/biolaedle-etiketten-generator.ini> |
[uwsgi] | [uwsgi] |
http-socket = /run/uwsgi/%n.sock | http-socket = /run/uwsgi/%n.sock |
plugins = python | plugins = python |
file = label.py | file = label.py |
</file> | </file> |
<code bash> | <code bash> |
# hyphens in the instance name are escaped systemd-style as \x2d; the backslash is doubled for the shell | # hyphens in the instance name are escaped systemd-style as \x2d; the backslash is doubled for the shell |
systemctl enable --now uwsgi@biolaedle\\x2detiketten\\x2dgenerator | systemctl enable --now uwsgi@biolaedle\\x2detiketten\\x2dgenerator |
</code> | </code> |
| |
==== feeds ==== | ==== feeds ==== |
<code bash> | <code bash> |
pacman -S python-feedparser python-beautifulsoup4 python-pyrss2gen python-dateutil python-lxml | pacman -S python-feedparser python-beautifulsoup4 python-pyrss2gen python-dateutil python-lxml |
</code> | </code> |
<file - /etc/uwsgi/feeds.ini> | <file - /etc/uwsgi/feeds.ini> |
[uwsgi] | [uwsgi] |
http-socket = /run/uwsgi/%n.sock | http-socket = /run/uwsgi/%n.sock |
plugins = python | plugins = python |
file = app.py | file = app.py |
</file> | </file> |
<file - /etc/uwsgi/systemd/feeds.conf> | <file - /etc/uwsgi/systemd/feeds.conf> |
rw_directory="/usr/share/webapps/feeds" | rw_directory="/usr/share/webapps/feeds" |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable uwsgi-private@feeds | systemctl enable uwsgi-private@feeds |
systemctl start uwsgi-private@feeds | systemctl start uwsgi-private@feeds |
</code> | </code> |
==== pishare ==== | ==== pishare ==== |
<code bash> | <code bash> |
pacman -S nodejs | pacman -S nodejs |
</code> | </code> |
<file - /etc/uwsgi/pishare.ini> | <file - /etc/uwsgi/pishare.ini> |
[uwsgi] | [uwsgi] |
http-socket = /run/uwsgi/%n.sock | http-socket = /run/uwsgi/%n.sock |
plugins = python | plugins = python |
file = pishare.py | file = pishare.py |
lazy-apps = true | lazy-apps = true |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable --now uwsgi@pishare | systemctl enable --now uwsgi@pishare |
</code> | </code> |
| |
===== arch-upstream ===== | ===== arch-upstream ===== |
<code bash> | <code bash> |
pacman -S python-progressbar python-jinja | pacman -S python-progressbar python-jinja |
ln -s /usr/share/webapps/arch-upstream /var/www/onny.sexypump.de/ | ln -s /usr/share/webapps/arch-upstream /var/www/onny.sexypump.de/ |
</code> | </code> |
<file - /etc/systemd/system/arch-upstream.service> | <file - /etc/systemd/system/arch-upstream.service> |
[Unit] | [Unit] |
Description=Arch-Upstream | Description=Arch-Upstream |
[Service] | [Service] |
WorkingDirectory=/usr/share/webapps/arch-upstream | WorkingDirectory=/usr/share/webapps/arch-upstream |
ExecStart=/usr/share/webapps/arch-upstream/main.py | ExecStart=/usr/share/webapps/arch-upstream/main.py |
</file> | </file> |
<file - /etc/systemd/system/arch-upstream.timer> | <file - /etc/systemd/system/arch-upstream.timer> |
[Unit] | [Unit] |
Description=Run arch-upstream every 12 hours | Description=Run arch-upstream every 12 hours |
[Timer] | [Timer] |
OnCalendar=*-*-* 00,12:00:00 | OnCalendar=*-*-* 00,12:00:00 |
[Install] | [Install] |
WantedBy=timers.target | WantedBy=timers.target |
</file> | </file> |
<code bash> | <code bash> |
systemctl enable arch-upstream.timer | systemctl enable arch-upstream.timer |
systemctl start arch-upstream.timer | systemctl start arch-upstream.timer |
</code> | </code> |
===== fdroid repo gplay mirror ===== | ===== fdroid repo gplay mirror ===== |
On ''http-pub.pi''. | On ''http-pub.pi''. |
 | |
Enable the multilib repository in pacman.conf: | Enable the multilib repository in pacman.conf: |
<file - /etc/pacman.conf> | <file - /etc/pacman.conf> |
[...] | [...] |
#[multilib-testing] | #[multilib-testing] |
#Include = /etc/pacman.d/mirrorlist | #Include = /etc/pacman.d/mirrorlist |
[multilib] | [multilib] |
Include = /etc/pacman.d/mirrorlist | Include = /etc/pacman.d/mirrorlist |
# tips on creating your own repositories. | # tips on creating your own repositories. |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
pacman -S fdroidserver android-sdk android-sdk-build-tools gplaycli | pacman -S fdroidserver android-sdk android-sdk-build-tools gplaycli |
mkdir -p www/fdroid && cd www/fdroid | mkdir -p www/fdroid && cd www/fdroid |
env ANDROID_HOME=/opt/android-sdk fdroid init | env ANDROID_HOME=/opt/android-sdk fdroid init |
</code> | </code> |
<file - www/fdroid/config.py> | <file - www/fdroid/config.py> |
[...] | [...] |
repo_url = "https://onny.project-insanity.org/fdroid/repo" | repo_url = "https://onny.project-insanity.org/fdroid/repo" |
repo_name = "Project-Insanity F-Droid repo" | repo_name = "Project-Insanity F-Droid repo" |
repo_icon = "fdroid-icon.png" | repo_icon = "fdroid-icon.png" |
repo_description = "This is a private F-Droid repository for the PI-crew :)" | repo_description = "This is a private F-Droid repository for the PI-crew :)" |
[...] | [...] |
</file> | </file> |
<code bash> | <code bash> |
env ANDROID_HOME=/opt/android-sdk fdroid update --create-metadata | env ANDROID_HOME=/opt/android-sdk fdroid update --create-metadata |
</code> | </code> |
Create the gplaycli configuration. The file stores the Google account credentials in plaintext, so keep the directory and the file readable by the owner only (modes 700 and 600) and use a dedicated throwaway Google account rather than a personal one: | Create the gplaycli configuration. The file stores the Google account credentials in plaintext, so keep the directory and the file readable by the owner only (modes 700 and 600) and use a dedicated throwaway Google account rather than a personal one: |
<code bash> | <code bash> |
mkdir ~/.config/gplaycli | mkdir ~/.config/gplaycli |
</code> | </code> |
<file - ~/.config/gplaycli/gplaycli.conf> | <file - ~/.config/gplaycli/gplaycli.conf> |
[Credentials] | [Credentials] |
gmail_address=****@gmail.com | gmail_address=****@gmail.com |
gmail_password=**** | gmail_password=**** |
token=False | token=False |
</file> | </file> |
<file - ~/.config/gplaycli/apk.list> | <file - ~/.config/gplaycli/apk.list> |
org.thoughtcrime.securesms | org.thoughtcrime.securesms |
de.nextbike | de.nextbike |
com.zhiliaoapp.musically | com.zhiliaoapp.musically |
com.lynxspa.prontotreno | com.lynxspa.prontotreno |
</file> | </file> |
<file - /etc/systemd/system/gplaycli.service> | <file - /etc/systemd/system/gplaycli.service> |
[Unit] | [Unit] |
Description=Gplaycli automatic APK mirror | Description=Gplaycli automatic APK mirror |
[Service] | [Service] |
Type=simple | Type=simple |
User=onny | User=onny |
ExecStart=/usr/bin/sh -c "rm -f /home/onny/.cache/gplaycli/token && /usr/bin/gplaycli -v -dc shamu --file /home/onny/.config/gplaycli/apk.list --folder /home/onny/www/fdroid/repo/ -c /home/onny/.config/gplaycli/gplaycli.conf && cd /home/onny/www/fdroid && env ANDROID_HOME=/opt/android-sdk fdroid update --create-metadata" | ExecStart=/usr/bin/sh -c "rm -f /home/onny/.cache/gplaycli/token && /usr/bin/gplaycli -v -dc shamu --file /home/onny/.config/gplaycli/apk.list --folder /home/onny/www/fdroid/repo/ -c /home/onny/.config/gplaycli/gplaycli.conf && cd /home/onny/www/fdroid && env ANDROID_HOME=/opt/android-sdk fdroid update --create-metadata" |
TimeoutStopSec=180 | TimeoutStopSec=180 |
KillMode=process | KillMode=process |
[Install] | [Install] |
WantedBy=multi-user.target | WantedBy=multi-user.target |
</file> | </file> |
<file - /etc/systemd/system/gplaycli.timer> | <file - /etc/systemd/system/gplaycli.timer> |
[Unit] | [Unit] |
Description=Gplaycli automatic APK mirror | Description=Gplaycli automatic APK mirror |
[Install] | [Install] |
WantedBy=timers.target | WantedBy=timers.target |
</file> | </file> |
<code bash> | <code bash> |
systemctl daemon-reload | systemctl daemon-reload |
systemctl --now enable gplaycli.timer | systemctl --now enable gplaycli.timer |
</code> | </code> |
Notes: | Notes: |
* Manually put Threema apk into repo folder | * Manually put Threema apk into repo folder |
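The APKs that land in ''repo/'' come straight from the Play download path and are then signed into the index with the repo key, so the repo vouches for whatever gplaycli fetched. The check a practitioner would add before ''fdroid update'' is a per-package pin of the upstream developer's signing certificate. The following is an added example written for this page, not code from the wiki, gplaycli or fdroidserver: it parses the APK Signature Scheme v2 block, extracts the first signer's certificate and compares its SHA-256 fingerprint against an allow-list. The fingerprints in ''PINNED'' are placeholders, not the real developers' values; fill them in from a copy of each app you already trust (''apksigner verify --print-certs''). The check pins *who* signed, it does not verify the signature itself, so keep a real signature verification (''apksigner verify'', or fdroid's own checks) next to it. ''build_test_apk'' only constructs a fixture for running the parser offline.

```python
"""Pin upstream APK signing certificates before admitting mirrored APKs into the
F-Droid repo. Added example for this page; not part of the wiki's setup, gplaycli
or fdroidserver. Parses the APK Signature Scheme v2 block, takes the first
signer's certificate and compares its SHA-256 fingerprint with a per-package
allow-list. It pins the signer identity only: the signature must still be
verified separately (e.g. `apksigner verify`)."""
import hashlib
import io
import struct
import zipfile

V2_BLOCK_ID = 0x7109871A
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_MAGIC = b"PK\x05\x06"

# package -> hex SHA-256 of the signer certificate (DER). PLACEHOLDERS, not the
# developers' real fingerprints: take them from `apksigner verify --print-certs`
# run on an APK you already trust.
PINNED = {
    "org.thoughtcrime.securesms": "00" * 32,
    "de.nextbike": "11" * 32,
}


def _items(buf):
    """Yield the uint32-LE length-prefixed items that make up buf."""
    pos = 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        yield buf[pos:pos + n]
        pos += n


def _prefixed(data):
    return struct.pack("<I", len(data)) + data


def signer_certs(apk):
    """Return the DER certificates of all v2 signers, first signer first."""
    eocd = apk.rfind(EOCD_MAGIC)
    if eocd < 0:
        raise ValueError("no zip end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only APK)")
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    # block = [size][id-value pairs][size][magic]; size excludes the leading size field
    pos, pairs_end = cd_offset - size, cd_offset - 24
    certs = []
    while pos < pairs_end:
        (pair_len,) = struct.unpack_from("<Q", apk, pos)
        (block_id,) = struct.unpack_from("<I", apk, pos + 8)
        value = apk[pos + 12:pos + 8 + pair_len]
        if block_id == V2_BLOCK_ID:
            (signers,) = _items(value)                 # length-prefixed sequence of signers
            for signer in _items(signers):
                signed_data, _signatures, _public_key = _items(signer)
                _digests, cert_seq, _attributes = _items(signed_data)
                certs.extend(_items(cert_seq))
        pos += 8 + pair_len
    return certs


def fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()


def admit(package, apk, pins=PINNED):
    """True only if the APK's first signer matches the pinned fingerprint.
    Unpinned packages and unsigned files are refused: the allow-list is the policy."""
    expected = pins.get(package)
    if expected is None:
        return False
    try:
        certs = signer_certs(apk)
    except ValueError:
        return False
    return bool(certs) and fingerprint(certs[0]) == expected.replace(":", "").lower()


def build_test_apk(cert_der, payload=b"dex"):
    """Construct an APK-shaped zip carrying a v2 block that names cert_der as signer.
    Offline fixture for the parser only: the signature field is empty, so this is
    NOT a validly signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", payload)
    data = buf.getvalue()
    eocd = data.rfind(EOCD_MAGIC)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    signed_data = _prefixed(b"") + _prefixed(_prefixed(cert_der)) + _prefixed(b"")
    signer = _prefixed(signed_data) + _prefixed(b"") + _prefixed(b"")
    value = _prefixed(_prefixed(signer))
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec


if __name__ == "__main__":
    cert = b"\x30\x82\x02\x00" + bytes(range(1, 60))   # stand-in for a DER certificate
    apk = build_test_apk(cert)
    print(fingerprint(cert), admit("de.nextbike", apk, {"de.nextbike": fingerprint(cert)}))
```

In the mirror job this sits between the gplaycli download and ''fdroid update'': every APK in ''repo/'' whose ''admit()'' is false is moved out before the index is regenerated, so a swapped or re-signed download never gets the repo key's endorsement. fdroidserver's own metadata field for the same purpose is ''AllowedAPKSigningKeys''; the standalone check is useful because it runs before anything is added to the repo at all.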
===== public hosting ===== | ===== public hosting ===== |
Create a user for the hosted site. nginx and php-fpm run as ''http'' and have to traverse the home directory to reach ''www'' through the symlink, hence the search bit on ''/home/example''. A tighter choice is ''chgrp http /home/example'' followed by mode 710, which grants traversal to the ''http'' group only instead of to every local user: | Create a user for the hosted site. nginx and php-fpm run as ''http'' and have to traverse the home directory to reach ''www'' through the symlink, hence the search bit on ''/home/example''. A tighter choice is ''chgrp http /home/example'' followed by mode 710, which grants traversal to the ''http'' group only instead of to every local user: |
<code bash> | <code bash> |
useradd -m example | useradd -m example |
mkdir /home/example/www | mkdir /home/example/www |
ln -s /home/example/www /var/www/example.de | ln -s /home/example/www /var/www/example.de |
chmod +x /home/example   # search bit so the http user can traverse into www | chmod +x /home/example   # search bit so the http user can traverse into www |
</code> | </code> |
Copy the php-fpm pool of an existing site as a template (the file name must end in ''.conf'' to be picked up): | Copy the php-fpm pool of an existing site as a template (the file name must end in ''.conf'' to be picked up): |
<code bash> | <code bash> |
cp /etc/php/php-fpm.d/sexypump.de.conf /etc/php/php-fpm.d/example.de.conf | cp /etc/php/php-fpm.d/sexypump.de.conf /etc/php/php-fpm.d/example.de.conf |
</code> | </code> |
Replace all occurrences of the domain (''sexypump.de'') and the user (''sexypump'') with your domain and user. Each site runs in its own pool under its own Unix user, which is what keeps one compromised site from reading the others' files. Now restart ''php-fpm'': | Replace all occurrences of the domain (''sexypump.de'') and the user (''sexypump'') with your domain and user. Each site runs in its own pool under its own Unix user, which is what keeps one compromised site from reading the others' files. Now restart ''php-fpm'': |
<code bash> | <code bash> |
systemctl restart php-fpm | systemctl restart php-fpm |
</code> | </code> |
Create the nginx webserver configuration (only the ''server_name'' line is shown; the rest of the server block is elided): | Create the nginx webserver configuration (only the ''server_name'' line is shown; the rest of the server block is elided): |
<file - /etc/nginx/sites-available/example.de> | <file - /etc/nginx/sites-available/example.de> |
server { | server { |
    server_name example.de www.example.de; |     server_name example.de www.example.de; |
    [...] |     [...] |
} | } |
</file> | </file> |
Enable webserver configuration: | Enable webserver configuration: |
<code bash> | <code bash> |
ln -s /etc/nginx/sites-available/example.de /etc/nginx/sites-enabled/ | ln -s /etc/nginx/sites-available/example.de /etc/nginx/sites-enabled/ |
systemctl restart nginx | systemctl restart nginx |
</code> | </code> |
Enable the TLS-terminating Caddy proxy on ''http.pi''. Edit as user ''caddy'' and append the following site block (the proxy directive itself is elided here; the ''header_upstream'' lines belong inside it): | Enable the TLS-terminating Caddy proxy on ''http.pi''. Edit as user ''caddy'' and append the following site block (the proxy directive itself is elided here; the ''header_upstream'' lines belong inside it): |
<file - /opt/caddy/Caddyfile> | <file - /opt/caddy/Caddyfile> |
www.example.de example.de { | www.example.de example.de { |
    log /var/log/caddy/example.de_access.log |     log /var/log/caddy/example.de_access.log |
    [...] { |     [...] { |
        header_upstream X-Real-IP {remote} |         header_upstream X-Real-IP {remote} |
        header_upstream X-Forwarded-Proto {scheme} |         header_upstream X-Forwarded-Proto {scheme} |
        header_downstream -Server "" |         header_downstream -Server "" |
    } |     } |
} | } |
</file> | </file> |
Restart the caddy process afterwards. If the webroot (or files in it) belongs to the ''http'' group and the site user needs write access there, add the user to that group: | Restart the caddy process afterwards. If the webroot (or files in it) belongs to the ''http'' group and the site user needs write access there, add the user to that group: |
<code bash> | <code bash> |
sudo gpasswd -a example http | sudo gpasswd -a example http |
</code> | </code> |
MySQL database creation on ''mysql.pi''. The account is restricted to connections from the web host (''http-pub'') and to its own database, so a compromised site cannot reach another site's data: | MySQL database creation on ''mysql.pi''. The account is restricted to connections from the web host (''http-pub'') and to its own database, so a compromised site cannot reach another site's data: |
<code sql> | <code sql> |
CREATE DATABASE IF NOT EXISTS example; | CREATE DATABASE IF NOT EXISTS example; |
GRANT ALL PRIVILEGES ON example.* TO 'example'@'http-pub' IDENTIFIED BY '****'; | GRANT ALL PRIVILEGES ON example.* TO 'example'@'http-pub' IDENTIFIED BY '****'; |
FLUSH PRIVILEGES; | FLUSH PRIVILEGES; |
</code> | </code> |
Site-specific PHP upload limits. Note that everything in ''/etc/php/conf.d/'' is loaded globally, i.e. for every pool on the host; a limit that should apply to one site only belongs in that site's pool file as ''php_admin_value[upload_max_filesize]'' / ''php_admin_value[post_max_size]'': | Site-specific PHP upload limits. Note that everything in ''/etc/php/conf.d/'' is loaded globally, i.e. for every pool on the host; a limit that should apply to one site only belongs in that site's pool file as ''php_admin_value[upload_max_filesize]'' / ''php_admin_value[post_max_size]'': |
<file - /etc/php/conf.d/ballisticc.de.ini> | <file - /etc/php/conf.d/ballisticc.de.ini> |
upload_max_filesize = 1000M | upload_max_filesize = 1000M |
post_max_size = 1000M | post_max_size = 1000M |
</file> | </file> |
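The pool-copy step above is where a hosting setup silently loses its isolation: a leftover ''sexypump'' in the copied file means the new site runs as the template site's user, and a ''user = http'' puts every site in one security domain. The script below is an added example for this page, not part of the wiki's procedure: it renders the new pool from the template with ''sed'' and then checks that nothing of the template site is left and that the pool runs as the new user. The template content it demonstrates on is constructed in ''demo()'' and only resembles a real pool file; the functions take paths as parameters so they can be tried against a scratch directory.

```sh
#!/bin/sh
# Added example (not part of the wiki's setup): derive a per-site php-fpm pool
# from the template pool and check that the result isolates the new site under
# its own Unix user. All paths are parameters, so it can be exercised against a
# scratch directory without touching /etc/php/php-fpm.d.
set -eu

# render_pool SRC_CONF DST_CONF SRC_DOMAIN SRC_USER DST_DOMAIN DST_USER
# The domain is replaced before the user on purpose: the template user
# ("sexypump") is a prefix of the template domain ("sexypump.de"), so a
# user-first replacement would rewrite "sexypump.de" into "<newuser>.de" and
# the pool header and socket path would no longer match the real domain.
render_pool() {
    src_domain_re=$(printf '%s' "$3" | sed 's/[.]/\\./g')   # dots literal in the regex
    sed -e "s/$src_domain_re/$5/g" -e "s/$4/$6/g" "$1" > "$2"
}

# check_pool DST_CONF DST_USER SRC_DOMAIN SRC_USER
# Exit status 0 when the rendered pool carries no leftovers of the template site
# and runs as the site's own user rather than as http or root.
check_pool() {
    conf=$1 user=$2 src_domain=$3 src_user=$4
    if grep -q -e "$src_domain" -e "$src_user" "$conf"; then
        echo "template identifiers left in $conf" >&2
        return 1
    fi
    if ! grep -Eq "^[[:space:]]*user[[:space:]]*=[[:space:]]*$user[[:space:]]*$" "$conf"; then
        echo "$conf does not run as $user" >&2
        return 1
    fi
    if grep -Eq "^[[:space:]]*user[[:space:]]*=[[:space:]]*(root|http)[[:space:]]*$" "$conf"; then
        echo "$conf runs as a shared account" >&2
        return 1
    fi
}

# Demonstration on a constructed template (not the real sexypump.de.conf).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '[sexypump.de]' 'user = sexypump' 'group = sexypump' \
        'listen = /run/php-fpm/sexypump.de.sock' 'listen.owner = http' \
        'listen.group = http' 'pm = ondemand' > "$tmp/sexypump.de.conf"
    render_pool "$tmp/sexypump.de.conf" "$tmp/example.de.conf" sexypump.de sexypump example.de example
    check_pool "$tmp/example.de.conf" example sexypump.de sexypump && cat "$tmp/example.de.conf"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as ''sh render-pool.sh demo'' to see the rendered pool; in a real deployment the two functions are called with ''/etc/php/php-fpm.d/sexypump.de.conf'' and the new site's file, followed by ''php-fpm -t'' and the restart from the procedure above.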
===== podcast feeds ===== | ===== podcast feeds ===== |
<code bash> | <code bash> |
sudo cp /home/onny/www/laboumdeluxe/laboumdeluxe_* /etc/systemd/system/ | sudo cp /home/onny/www/laboumdeluxe/laboumdeluxe_* /etc/systemd/system/ |
sudo cp /home/onny/www/bounce/bounce_* /etc/systemd/system/ | sudo cp /home/onny/www/bounce/bounce_* /etc/systemd/system/ |
systemctl enable --now bounce_feed.timer laboumdeluxe_feed.timer kampus_hakatze_feed.timer | systemctl enable --now bounce_feed.timer laboumdeluxe_feed.timer kampus_hakatze_feed.timer |
</code> | </code> |
| |