├── LICENSE ├── README.md ├── backup-server-sytem ├── jeans-routine.md ├── pika-to-server-via-sftp.md └── readme.md ├── basic-security-for-server └── readme.md ├── cinny └── readme.md ├── collabora-code-instance-for-nextcloud └── readme.md ├── docker-on-ubuntu-server └── readme.md ├── dolibarr └── readme.md ├── elasticsearch └── README.md ├── erpnext-with-docker └── readme.md ├── freeipa-alma-linux-9 └── readme.md ├── freeipa-on-podman └── readme.md ├── gitlab └── readme.md ├── guacamole └── readme.md ├── jitsi-docker └── readme.md ├── join-samba-dc-as-client └── readme.md ├── kivitendo └── readme.md ├── ldap-server └── readme.md ├── libre-workspace └── readme.md ├── linkstack └── readme.md ├── local-dns-server-with-real-https └── readme.md ├── mail-sending-for-scripts └── readme.md ├── maintenance └── readme.md ├── matomo └── readme.md ├── matrix-server-synapse └── readme.md ├── mattermost-server-docker └── readme.md ├── monitoring-with-kuma └── readme.md ├── n8n └── readme.md ├── nextcloud-with-caddy └── readme.md ├── nocodb-server └── readme.md ├── odoo-server └── readme.md ├── onlyoffice-for-nextcloud └── readme.md ├── openproject └── readme.md ├── podman-on-ubuntu └── readme.md ├── postgreql-server └── readme.md ├── rocketchat-on-docker └── readme.md ├── samba-dc └── readme.md ├── samba-server └── readme.md ├── security-check └── README.md ├── smartstore └── readme.md ├── thunderbird └── readme.md ├── vaultwarden-on-docker └── readme.md ├── watchtower └── README.md ├── windows_on_linux_domain └── readme.md ├── wordpress_docker └── Readme.md └── xrdp-on-ubuntu-server └── readme.md /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # linux-guides 2 | Instructions around Linux and Open Source 3 | 4 | Feedback, improvements and suggestions are explicitly welcome! 5 | -------------------------------------------------------------------------------- /backup-server-sytem/jeans-routine.md: -------------------------------------------------------------------------------- 1 | # BackUp System Borg (mit Jeans Optimierungen) 2 | 3 | In dieser Anleitung wird gezeigt, wie man auf einem Debian oder Ubuntu Server mit Borg ein vollautomatisches, sicheres und inkrementelles BackUp-System einrichtet. Als darunterliegende Technologie wird Borg verwendet. 4 | 5 | ## Vorbereitungen 6 | 7 | * Debian oder Ubuntu Server als BackUp Server einrichten 8 | * Am besten diesen Server bei einem anderen Serveranbieter mieten, oder bei sich Zuhause haben. Auf jeden Fall an einem anderen pyhsischen Ort. 9 | 10 | ## Source Server 11 | 12 | ```bash 13 | sudo -i 14 | cd && ssh-keygen && cat ~/.ssh/id_rsa.pub 15 | apt install borgbackup vim ncdu -y 16 | ``` 17 | 18 | ## BackUp Server 19 | 20 | ### Linux-Server 21 | 22 | ```bash 23 | sudo apt install borgbackup vim ncdu -y && sudo adduser borg # Keine Root Rechte! 24 | 25 | su borg 26 | cd && mkdir .ssh 27 | 28 | vim ~/.ssh/authorized_keys # Den Public key vom Source Server hinzufügen 29 | command="borg serve --restrict-to-path /home/borg/backups/Server1 --append-only" # Das vor dem eben eingefügten Public Key einfügen 30 | 31 | mkdir -p ~/backups/Server1 32 | 33 | 34 | borg init --encryption=none ~/backups/Server1 35 | borg config ~/backups/Server1 additional_free_space 10G 36 | ``` 37 | 38 | ### Hetzner Storage Box 39 | 40 | * enable SSH Support on your Hetzner Storage Box 41 | * run on the source server: 42 | 43 | ```bash 44 | ssh-copy-id -i .ssh/id_rsa -p 23 -s USER@SERVERADRESS 45 | borg init --encryption=repokey ssh://USER@SERVERADRESS:23/./borg-SERVERNAME 46 | # Create a strong password WITHOUT special characters and save it safe! 47 | borg key export ssh://USER@SERVERADRESS:23/./borg-SERVERNAME 48 | # Save this repokey securely! 49 | # You will need both parts to recover borg-backup 50 | 51 | # Set additional_free_space 52 | sftp -P 23 -i .ssh/id_rsa uxx@uxx.your-storagebox.de 53 | cd ./borg-SERVERNAME 54 | get config 55 | # In another session edit this file locally: 56 | vim config 57 | additional_free_space = 2G 58 | 59 | # Then upload the file again 60 | put config 61 | exit 62 | rm config 63 | ``` 64 | 65 | ### Synology 66 | 67 | * create group called 'borg' 68 | * create user called 'borg' in synology admin interface, add him to borg and administrator groups 69 | * add SynoCommunity repo `https://packages.synocommunity.com/` 70 | * intall Borg from Synco Community Repo 71 | * enable ssh in the system settings under 'Terminal & SNMP' 72 | * connect to ssh with the borg user. 73 | * ensure that the borg user can write in his home directory and the home directory points to a volume. You can become root by typing 'sudo -i' and entering the password of the borg user: 74 | 75 | ```bash 76 | sudo -i 77 | mkdir -p /volume1/borgbackup/home-borg/ 78 | chown borg:borg /volume1/borgbackup/home-borg/ 79 | vi /etc/passwd 80 | # Set the home path of borg to /volume1/borgbackup/home-borg/ 81 | su borg 82 | ``` 83 | 84 | ``` 85 | mkdir -p ~/backups/Server1 86 | 87 | 88 | borg init --encryption=none ~/backups/Server1 89 | borg config ~/backups/Server1 additional_free_space 10G 90 | ``` 91 | 92 | #### Add SSH-Key 93 | 94 | ```bash 95 | mkdir -p /volume1/borgbackup/home-borg/.ssh 96 | chmod 0700 /volume1/borgbackup/home-borg/ 97 | chmod 0700 /volume1/borgbackup/home-borg/.ssh 98 | echo "FULL_PUBKEY" > /volume1/borgbackup/home-borg/.ssh/authorized_keys 99 | chmod 0600 /volume1/borgbackup/home-borg/.ssh/authorized_keys 100 | ``` 101 | 102 | On the source server add an special ssh config file 103 | 104 | ```bash 105 | vim ~/.ssh/config 106 | 107 | # Paste this into: 108 | Host * 109 | SendEnv LANG LC_* 110 | Ciphers +aes256-cbc 111 | ``` 112 | 113 | Now the ssh key should work properly. 114 | 115 | ## Source Serer 116 | 117 | ```bash 118 | vim ~/backup.sh 119 | ``` 120 | 121 | ### backup.sh 122 | 123 | ```bash 124 | #!/bin/bash 125 | HOSTNAME=$(hostname) 126 | RECEPIENT=mail@int.de 127 | 128 | # Dump all databases 129 | # --default-character-set=utf8mb4: For emojis and similar, otherwise its broken 130 | mysqldump -u root --all-databases --default-character-set=utf8mb4 > all_databases.sql 131 | # To restore a Single MySQL Database from a Full MySQL Dump: 132 | # mysql -p -o database_name < all_databases.sql 133 | 134 | # Get apt selection of packages: 135 | /usr/bin/dpkg --get-selections | /usr/bin/awk '!/deinstall|purge|hold/'|/usr/bin/cut -f1 |/usr/bin/tr '\n' ' ' > installed-packages.txt 2>&1 136 | # To restore apt packages: 137 | # sudo apt update && sudo xargs apt install backup_errors.txt 153 | 154 | # Alternative run, if server says "Connection closed by remote host. Is borg working on the server?" but borg is definitely installed at the target server. 155 | #borg create --remote-path /usr/local/bin/borg --exclude-caches $REPOSITORY::$DATE / -e /dev -e /proc -e /sys -e /tmp -e /run -e /media -e /mnt -e /var/log 2> backup_errors.txt 156 | 157 | # Send Mail 158 | if [ $? -eq 0 ]; then 159 | echo -e "Backup for $HOSTNAME was successful." | mail -a 'From: SERVERNAME ' -s "💾✅ $HOSTNAME: Backup Success" $RECEPIENT -A backup_errors.txt 160 | else 161 | echo -e "Backup for $HOSTNAME was not successful. The attachement file should explain why." | mail -a 'From: SERVERNAME ' -s "💾❌ $HOSTNAME: Backup ERROR❌" $RECEPIENT -A backup_errors.txt 162 | fi 163 | 164 | 165 | borg prune -v $REPOSITORY \ 166 | --keep-daily=14 \ 167 | --keep-weekly=12 \ 168 | --keep-monthly=24 169 | 170 | # MAINTENANCE ############################### 171 | 172 | # Update system after backup 173 | export DEBIAN_FRONTEND="noninteractive" 174 | apt update 175 | apt dist-upgrade -y 176 | 177 | # Reboot server 178 | /sbin/reboot 179 | ``` 180 | 181 | ```bash 182 | chmod 700 ~/backup.sh && ~/backup.sh # Austesten 183 | 184 | crontab -e 185 | 0 2 * * * /root/backup.sh # daily at 2 am 186 | ``` 187 | 188 | ### Create restore files 189 | 190 | ```bash 191 | vim ~/mount_backup.sh && chmod 700 ~/mount_backup.sh && vim ~/umount_backup.sh && chmod 700 ~/umount_backup.sh 192 | ``` 193 | 194 | ```bash 195 | #!/bin/bash 196 | 197 | REPOSITORY="ssh://borg@1.2.3.4:22/~/backups/Server1" 198 | #REPOSITORY="ssh://USER@SERVERADRESS:23/./borg-SERVERNAME" 199 | #export BORG_PASSPHRASE="XXXXX" 200 | 201 | borg info $REPOSITORY 202 | borg mount $REPOSITORY /mnt 203 | 204 | # Alternative run, if server says "Connection closed by remote host. Is borg working on the server?" but borg is definitely installed at the target server. 205 | #borg mount --remote-path /usr/local/bin/borg $REPOSITORY /mnt 206 | 207 | echo "You can find your backups in /mnt. To copy files execute e.g. 'cp -ra /mnt/1970-01-01/var/* /var'" 208 | echo "Please don't forget to umount your backups with '~/umount_backup.sh' afterwards." 209 | ``` 210 | 211 | ```bash 212 | #!/bin/bash 213 | 214 | borg umount /mnt 215 | ``` 216 | 217 | ## How to restore a complete server 218 | 219 | ```bash 220 | # Start on a fresh server as root 221 | apt update && apt dist-upgrade 222 | apt install borgbackup 223 | borg mount ssh://borg@1.2.3.4:22/~/backups/Server1 /mnt 224 | cp /mnt/1970-01-01/root/installed-packages.txt /root/ 225 | xargs apt install 8 | 9 | ## Vorbereitungen: 10 | 11 | * Debian oder Ubuntu Server als BackUp Server einrichten 12 | * Am besten diesen Server bei einem anderen Serveranbieter mieten, oder bei sich Zuhause haben. Auf jeden Fall an einem anderen pyhsischen Ort. 13 | 14 | ## Source Server: 15 | 16 | ```bash 17 | ssh-keygen 18 | cat ~/.ssh/id_rsa.pub 19 | ``` 20 | 21 | ## BackUp Server: 22 | 23 | ```bash 24 | sudo adduser serverbackup # Dem Nutzer keine Root Rechte erteilen! 25 | 26 | su serverbackup 27 | mkdir .ssh && nano ~/.ssh/authorized_keys 28 | 29 | sudo nano ~/.ssh/authorized_keys # Den Public key vom Source Server hinzufügen 30 | command="borg serve --restrict-to-path /home/serverbackup/backups/Server --append-only" # Das vor dem eben eingefügten Public Key einfügen 31 | 32 | sudo apt install borgbackup 33 | mkdir -p ~/backups/Server1 34 | 35 | borg init --encryption=repokey ~/backups/Server1 36 | borg key export ~/backups/Server1 ~/key-export # Diesen Schlüssel sicher aufbewahren und die Datei danach vom Server löschen. 37 | ``` 38 | 39 | ## Source Serer: 40 | 41 | ```bash 42 | sudo apt install borgbackup -y 43 | nano ~/backup.sh 44 | ``` 45 | ##### backup.sh: 46 | ```bash 47 | #!/bin/bash 48 | 49 | # Dump all databases 50 | mysqldump -u root --all-databases > all_databases.sql 51 | # To restore a Single MySQL Database from a Full MySQL Dump: 52 | # mysql -p -o database_name < mysql_all_databases.sql 53 | # Otherwise e.g.: 54 | # mysql -u nextcloud -p nextcloud 55 | # MariaDB [nextcloud]> source mysql_export.sql 56 | 57 | # Get apt selection of packages: 58 | /usr/bin/dpkg --get-selections | /usr/bin/awk '!/deinstall|purge|hold/'|/usr/bin/cut -f1 |/usr/bin/tr '\n' ' ' > installed-packages.txt 2>&1 59 | # To restore apt packages: 60 | # sudo apt install > /etc/fail2ban/paths-debian.conf && sudo systemctl restart fail2ban 28 | ``` 29 | 30 | ## Setup unattended upgrades: 31 | ```bash 32 | sudo apt install unattended-upgrades apt-listchanges -y && sudo dpkg-reconfigure -plow unattended-upgrades 33 | ``` 34 | 35 | ## Setup firewall 36 | ```bash 37 | sudo ufw allow ssh 38 | sudo ufw allow # The ports/services which should be accesible from the outside 39 | sudo ufw enable 40 | ``` 41 | 42 | ## Setup automatic restart 43 | ```bash 44 | sudo crontab -e 45 | 50 1 * * 0 reboot # sunday at 1:50 am 46 | 47 | # Or 48 | 50 1 * * * reboot # daily at 1:50 am 49 | 50 | ``` 51 | 52 | ## Set log limit: 53 | 54 | ``` 55 | sudo echo "SystemMaxUse=1G" >> /etc/systemd/journald.conf && sudo systemctl restart systemd-journald.service 56 | ``` 57 | 58 | ### Syslog Limit: 59 | 60 | ```bash 61 | #!/bin/bash 62 | 63 | # Define the log file to rotate 64 | LOG_FILE="/var/log/syslog" 65 | 66 | # Define the logrotate configuration file path 67 | LOGROTATE_CONF="/etc/logrotate.d/syslog_custom" 68 | 69 | # Check if the log file exists 70 | if [ ! -f "$LOG_FILE" ]; then 71 | echo "Error: Log file '$LOG_FILE' not found. Exiting." 72 | exit 1 73 | fi 74 | 75 | # Create the logrotate configuration 76 | cat << EOF | sudo tee "$LOGROTATE_CONF" > /dev/null 77 | $LOG_FILE { 78 | size 1G 79 | rotate 5 80 | compress 81 | delaycompress 82 | missingok 83 | notifempty 84 | daily 85 | create 0640 root adm 86 | postrotate 87 | /usr/lib/rsyslog/rsyslog-rotate 88 | endscript 89 | } 90 | EOF 91 | 92 | # Set appropriate permissions for the logrotate configuration file 93 | sudo chmod 644 "$LOGROTATE_CONF" 94 | 95 | echo "Logrotate configuration for '$LOG_FILE' has been set up successfully." 96 | echo "Configuration file: '$LOGROTATE_CONF'" 97 | echo "The syslog will now be rotated when it reaches 1GB in size." 98 | echo "It will keep 5 compressed rotated logs. Logrotate will run every daiy automatically." 99 | echo "To test the configuration (without actually rotating unless needed), run: sudo logrotate -d $LOGROTATE_CONF" 100 | echo "To run now logrotate, run: sudo logrotate -f $LOGROTATE_CONF" 101 | ``` 102 | 103 | ## Setup automatic backup system 104 | 105 | 106 | 107 | -------------------------------------------------------------------------------- /cinny/readme.md: -------------------------------------------------------------------------------- 1 | # Cinny 2 | 3 | Yet another matrix client. At the current time only in english. 4 | 5 | ```bash 6 | vim docker-compose.yml 7 | version: "3.7" 8 | services: 9 | cinny: 10 | container_name: cinny 11 | image: ajbura/cinny:latest 12 | restart: unless-stopped 13 | ports: 14 | - 50224:80 15 | 16 | 17 | docker-compose up -d 18 | 19 | 20 | docker cp cinny:/app/config.json ./config.json 21 | vim config.json 22 | { 23 | "defaultHomeserver": 0, 24 | "homeserverList": [ 25 | "matrix.int.de" 26 | ], 27 | "allowCustomHomeservers": false 28 | } 29 | docker cp ./config.json cinny:/app/config.json 30 | 31 | docker-compose restart 32 | 33 | 34 | 35 | ``` 36 | -------------------------------------------------------------------------------- /collabora-code-instance-for-nextcloud/readme.md: -------------------------------------------------------------------------------- 1 | # Setup Collabora CODE Document Server for nextcloud 2 | 3 | In this we create a docker container and a reverse proxy. 4 | Instructions from: 5 | 6 | - Auf den Server als root einloggen und folgende Befehle ausführen: 7 | 8 | ```bash 9 | apt update && apt upgrade 10 | sudo apt install docker.io docker 11 | cd && mkdir collabora && cd collabora && vim run.sh 12 | 13 | # (https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html) 14 | # Der username und das passwort sind für die Admin-Konsole dann erreichbar unter: https://office.int.de/browser/dist/admin/admin.html 15 | # Nur domains, die in einer aliasgroup sind, werden akzeptiert. Wichtig ist bei den domains vor einem Punkt zwei '\' anzugeben. 16 | # Wenn eine nextcloud unter mehreren domains erreichbar sein soll, trennt man die domains in der aliasgroup1 mit einem ',' 17 | # Also: aliasgroup1=https://cloud\\.int\\.de:443,https://my\\.int\\.de:443 18 | 19 | # Insert 20 | docker pull collabora/code:latest 21 | docker run -t -d -p 9980:9980 -e "aliasgroup1=https://cloud\\.int\\.de:443" -e "username=admin" -e "password=eeJ0beil" --restart unless-stopped --name collabora collabora/code:latest 22 | 23 | 24 | bash run.sh 25 | ``` 26 | 27 | ## Caddy Reverse Proxy 28 | 29 | ```caddyfile 30 | office.int.de { 31 | encode gzip 32 | reverse_proxy https://127.0.0.1:9980 { 33 | transport http { 34 | tls_insecure_skip_verify 35 | } 36 | } 37 | } 38 | ``` 39 | 40 | ## Nginx Reverse Proxy 41 | 42 | ```bash 43 | sudo apt install certbot nginx 44 | certbot certonly 45 | ``` 46 | 47 | - (1: Spin up a temporary webserver) 48 | - E-Mail angeben 49 | - ... 50 | - Domain: bspw. 'office.int.de' angeben 51 | 52 | `vim /etc/nginx/nginx.conf` 53 | 54 | Dann folgendes eintragen, und `office.int.de` mit der eigenen domain ersetzen 55 | 56 | ```nginx 57 | http { 58 | server { 59 | listen 443 ssl; 60 | server_name office.int.de; 61 | 62 | 63 | ssl_certificate /etc/letsencrypt/live/office.int.de/fullchain.pem; 64 | ssl_certificate_key /etc/letsencrypt/live/office.int.de/privkey.pem; 65 | 66 | 67 | # static files 68 | location ^~ /browser { 69 | proxy_pass https://127.0.0.1:9980; 70 | proxy_set_header Host $http_host; 71 | } 72 | 73 | 74 | # WOPI discovery URL 75 | location ^~ /hosting/discovery { 76 | proxy_pass https://127.0.0.1:9980; 77 | proxy_set_header Host $http_host; 78 | } 79 | 80 | 81 | # Capabilities 82 | location ^~ /hosting/capabilities { 83 | proxy_pass https://127.0.0.1:9980; 84 | proxy_set_header Host $http_host; 85 | } 86 | 87 | 88 | # main websocket 89 | location ~ ^/cool/(.*)/ws$ { 90 | proxy_pass https://127.0.0.1:9980; 91 | proxy_set_header Upgrade $http_upgrade; 92 | proxy_set_header Connection "Upgrade"; 93 | proxy_set_header Host $http_host; 94 | proxy_read_timeout 36000s; 95 | } 96 | 97 | 98 | # download, presentation and image upload 99 | location ~ ^/(c|l)ool { 100 | proxy_pass https://127.0.0.1:9980; 101 | proxy_set_header Host $http_host; 102 | } 103 | 104 | 105 | # Admin Console websocket 106 | location ^~ /cool/adminws { 107 | proxy_pass https://127.0.0.1:9980; 108 | proxy_set_header Upgrade $http_upgrade; 109 | proxy_set_header Connection "Upgrade"; 110 | proxy_set_header Host $http_host; 111 | proxy_read_timeout 36000s; 112 | } 113 | } 114 | } 115 | ``` 116 | 117 | `systemctl restart nginx` 118 | 119 | In der Nextcloud den integrierten CODE Server deinstallieren \ 120 | Dann "Nextcloud Office" installieren, und in den Einstellungen unter: Nextcloud Office: 121 | 122 | - `Verwenden Sie Ihren eigenen Server` auswählen 123 | - folgende Adresse eintragen:`https://office.int.de` 124 | 125 | ## Verbindungsprobleme? 126 | 127 | - Wenn sich die DNS-Einstellung geändert hat, kann dies bis zu einem Tag dauern, bis der neue Server wieder von Storage Share erreichbar ist 128 | - Verbindungstest schlägt immer noch fehl? Dann kann Collabora nicht erreicht werden 129 | - Verbingungstest ist grün, dennoch laden keine Dokumente? \ 130 | Sichergehen, dass beim Starten des Docker-Containers die aliasgroup1 richtig definiert wurde. Ansonsten den log des docker containers ansehen: `docker logs CONTAINERID` 131 | 132 | ### Erklärung aliasgroup 133 | 134 | Nur domains, die in einer aliasgroup sind, werden akzeptiert. Wichtig ist bei den domains vor einem Punkt zwei '\' anzugeben. 135 | Wenn eine nextcloud unter mehreren domains erreichbar sein soll, trennt man die domains in der aliasgroup1 mit einem ',' 136 | Also bspw heißt dann das docker Befehlsstück am Ende: 137 | 138 | ```bash 139 | -e "aliasgroup1=https://cloud\\.int\\.de:443,https://my\\.int\\.de:443" 140 | ``` 141 | 142 | ### Admin Konsole Collabora 143 | 144 | - URL: 145 | 146 | ## How to update 147 | 148 | ```bash 149 | docker ps # Get ID of container 150 | docker stop ID 151 | docker rm ID 152 | bash run.sh 153 | ``` 154 | -------------------------------------------------------------------------------- /docker-on-ubuntu-server/readme.md: -------------------------------------------------------------------------------- 1 | # Install docker 2 | 3 | ## Ubuntu 4 | 5 | 6 | 7 | ```bash 8 | sudo -i 9 | sudo snap remove docker && sudo apt remove docker* containerd runc && sudo apt install ca-certificates curl gnupg lsb-release && sudo mkdir -m 0755 -p /etc/apt/keyrings && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && sudo apt update && sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-compose && echo "{ 10 | \"iptables\": false 11 | }" > /etc/docker/daemon.json && sudo systemctl restart docker 12 | 13 | # Verify that everything is okay: 14 | # If something fails, try to reboot 15 | sudo docker run hello-world 16 | 17 | ``` 18 | 19 | ## Debian 20 | ```bash 21 | sudo apt install docker.io docker-compose apparmor 22 | ``` 23 | -------------------------------------------------------------------------------- /dolibarr/readme.md: -------------------------------------------------------------------------------- 1 | # Dolibarr 2 | 3 | On blank Debian 12. 4 | 5 | ```bash 6 | sudo -i 7 | apt update && apt upgrade -y 8 | # Let's install the required packages (LAMP stack). But with mariadb and caddy 9 | apt install mariadb-server mariadb-client php php-mysql php-curl php-gd php-intl php-mbstring php-xml php-zip php-apcu php-imagick php-ldap php-xmlrpc php-soap php-bcmath php-gmp caddy git php-fpm php-imap -y 10 | 11 | # Let's secure the mariadb installation 12 | mysql_secure_installation 13 | 14 | # Let's create the database and a user for dolibarr 15 | mysql 16 | CREATE DATABASE dolibarr; 17 | CREATE USER 'dolibarr'@'localhost' IDENTIFIED BY 'dolibarr'; 18 | GRANT ALL PRIVILEGES ON dolibarr.* TO 'dolibarr'@'localhost'; 19 | FLUSH PRIVILEGES; 20 | QUIT; 21 | 22 | # Let's download the latest version of dolibarr via git 23 | cd /var/www/ 24 | git clone https://github.com/Dolibarr/dolibarr.git 25 | cd dolibarr 26 | git config --global --add safe.directory /var/www/dolibarr 27 | git checkout 19.0 28 | touch /var/www/dolibarr/htdocs/conf/conf.php 29 | chown -R www-data:www-data /var/www/dolibarr 30 | 31 | 32 | # Let's configure caddy 33 | vim /etc/caddy/Caddyfile 34 | ``` 35 | 36 | ```caddy 37 | dolibarr.int.de { 38 | root * /var/www/dolibarr/htdocs 39 | file_server 40 | php_fastcgi unix//run/php/php8.2-fpm.sock 41 | encode zstd gzip 42 | header { 43 | Strict-Transport-Security max-age=31536000; 44 | X-Content-Type-Options nosniff 45 | X-Frame-Options DENY 46 | Referrer-Policy no-referrer-when-downgrade 47 | X-XSS-Protection 1; mode=block 48 | } 49 | } 50 | ``` 51 | 52 | ```bash 53 | systemctl restart caddy 54 | ``` 55 | 56 | - Go to: `http://dolibarr.int.de/install/` 57 | - Follow the installation wizard 58 | - In the mysql settings, use the following: 59 | - Database server: `localhost` 60 | - Database name: `dolibarr` 61 | - Database user: `dolibarr` 62 | - Database password: `dolibarr` 63 | - leave the rest unchanged 64 | 65 | ```bash 66 | # Let's set the install.lock file 67 | touch /var/www/dolibarr/documents/install.lock 68 | chown -R www-data:www-data /var/www/dolibarr 69 | # And let's secure the conf.php file 70 | chmod 400 /var/www/dolibarr/htdocs/conf/conf.php 71 | ``` 72 | -------------------------------------------------------------------------------- /elasticsearch/README.md: -------------------------------------------------------------------------------- 1 | # Elastic Search 2 | 3 | Very simple setup without proper authentication. For nextcloud single node instances this should be enough though if the network access is restricted. 4 | 5 | 6 | 7 | Tags: 8 | 9 | ```bash 10 | sudo -i 11 | cd && mkdir elasticsearch && cd elasticsearch && vim docker-compose.yml 12 | # Insert: 13 | services: 14 | elasticsearch: 15 | image: docker.elastic.co/elasticsearch/elasticsearch:8.17.1 16 | restart: unless-stopped 17 | labels: 18 | - elasticsearch 19 | ports: 20 | - "9200:9200" 21 | - "9300:9300" 22 | environment: 23 | - discovery.type=single-node 24 | - xpack.security.enabled=false # Disable security 25 | # The RAM Usage here is 8 GB: (only use the half of your server RAM here:) 26 | - "ES_JAVA_OPTS=-Xms8g -Xmx8g" 27 | 28 | 29 | 30 | docker-compose up -d 31 | 32 | # Only needed if xpack security is enabled. 33 | # docker cp elasticsearch-elasticsearch-1:/usr/share/elasticsearch/config/certs/http_ca.crt . 34 | # cp http_ca.crt /usr/local/share/ca-certificates/ 35 | # update-ca-certificates 36 | ``` 37 | 38 | ## How to use it with nextcloud: 39 | 40 | 41 | 16GB of RAM or more are recommended if you want to index more than 50GB of data. 42 | 43 | 44 | - In nextcloud install: `fulltextsearch` and `fulltextsearch_elasticsearch` 45 | - In the admin settings under full text search configure the server with address `http://localhost:9200` (if you disabled xpack.security) and with index e.g. `my_index`. 46 | - Then run `sudo -u www-data php /var/www/nextcloud/occ fulltextsearch:index` to start the index. This will take many minutes :) 47 | 48 | ### Enable continously file indexing: 49 | 50 | Initially posted at: https://www.allerstorfer.at/install-nextcloud-elasticsearch/ 51 | 52 | ```bash 53 | vim /etc/systemd/system/nextcloud-fulltext-elasticsearch-worker.service 54 | # Insert: 55 | [Unit] 56 | Description=Elasticsearch Worker for Nextcloud Fulltext Search 57 | After=network.target 58 | 59 | [Service] 60 | User=www-data 61 | Group=www-data 62 | WorkingDirectory=/var/www/nextcloud 63 | ExecStart=/usr/bin/php /var/www/nextcloud/occ fulltextsearch:live 64 | Nice=19 65 | Restart=always 66 | 67 | [Install] 68 | WantedBy=multi-user.target 69 | 70 | 71 | systemctl enable nextcloud-fulltext-elasticsearch-worker.service --now 72 | ``` 73 | 74 | 75 | -------------------------------------------------------------------------------- /erpnext-with-docker/readme.md: -------------------------------------------------------------------------------- 1 | # ERP Next 2 | 3 | 4 | 5 | ```bash 6 | cd && git clone https://github.com/frappe/frappe_docker.git && mv frappe_docker erp-next && cd erp-next && vim pwd.yml 7 | # Change Port 8080 to 29323 in the frontend service 8 | # The rest should be fine. 9 | # Change all restart policies unless-stopped (at the best in the graphical text editor) to: 10 | # restart: unless-stopped 11 | docker-compose -f pwd.yml up -d 12 | ``` 13 | 14 | ### Test instance 15 | 16 | ```bash 17 | git clone https://github.com/frappe/frappe_docker.git && mv frappe_docker erp-next-test && cd erp-next-test && vim pwd.yml 18 | # Change Port 8080 to 29324 in the frontend service 19 | # The rest should be fine. 20 | # Change all restart policies unless-stopped (at the best in the graphical text editor) to: 21 | # restart: unless-stopped 22 | docker-compose -f pwd.yml up -d 23 | ``` 24 | 25 | ## Caddyfile 26 | 27 | ```Caddyfile 28 | erp.int.de { 29 | reverse_proxy localhost:29323 30 | } 31 | 32 | erptest.int.de { 33 | reverse_proxy localhost:29324 34 | } 35 | ``` 36 | 37 | ## Access 38 | 39 | - Wait for about 5 to 10 Minutes. 40 | - Access your instance via webbrowser. 41 | - Your first login is: 42 | - Username: `Administrator` 43 | - Password: `admin` 44 | 45 | ## How to install additional Modules 46 | 47 | ```bash 48 | docker-compose -f pwd.yml exec backend bash 49 | bench get-app https://github.com/alyf-de/erpnext_germany.git 50 | bench --site frontend install-app erpnext_germany 51 | exit 52 | docker-compose -f pwd.yml restart 53 | ``` 54 | 55 | ## How to backup and restore 56 | 57 | ### ERPNext has error after upgrade? 58 | 59 | ```bash 60 | docker-compose -f pwd.yml exec backend bash 61 | /usr/local/bin/bench migrate 62 | exit 63 | ``` 64 | 65 | ### Backup 66 | 67 | ```bash 68 | sudo -i 69 | docker-compose -f pwd.yml exec backend bash 70 | /usr/local/bin/bench --verbose --site all backup --with-files 71 | exit 72 | cd && mkdir "backup_erp_$(date +'%Y-%m-%d_%H-%M-%S')" && mv /var/lib/docker/volumes/erp-next_sites/_data/frontend/private/backups/* "backup_erp_$(date +'%Y-%m-%d_%H-%M-%S')/" 73 | ``` 74 | 75 | ### Restore 76 | 77 | ```bash 78 | sudo -i 79 | # Change into folder where backed up files are 80 | 81 | cp -a * /var/lib/docker/volumes/erp-next_sites/_data/frontend/private/backups/ 82 | docker-compose exec backend bash 83 | /usr/local/bin/bench --force restore sites/frontend/private/backups/DATE_TIME-frontend-database.sql.gz --with-private-files sites/frontend/private/backups/DATE_TIME-frontend-private-files.tar --with-public-files sites/frontend/private/backups/DATE_TIME-frontend-files.tar 84 | # MySQL Password is: admin 85 | /usr/local/bin/bench migrate 86 | exit 87 | ``` 88 | 89 | ## Errors? 90 | 91 | ```bash 92 | docker-compose exec backend bench migrate 93 | ``` 94 | 95 | ## Update 96 | 97 | - Start with the update of the test instance 98 | - Update the tag of all images in `pwd.yml` to the latest one. (In vim you can do this with the command: `:%s/OLDTAG/NEWTAG/gc`) 99 | ```bash 100 | docker-compose -f pwd.yml up -d 101 | ``` 102 | 103 | ### Problems? 104 | 105 | Try to clear cache inside the backend container: 106 | 107 | ```bash 108 | bench clear-cache 109 | bench clear-website-cache 110 | ``` 111 | -------------------------------------------------------------------------------- /freeipa-alma-linux-9/readme.md: -------------------------------------------------------------------------------- 1 | # FreeIPA 2 | 3 | We will install it without DNS-Server-Module. 4 | 5 | Start on a fresh Alma Linux 9 installation. 6 | 7 | ```bash 8 | sudo hostnamectl set-hostname ipa.int.de 9 | sudo vim /etc/hosts 10 | # Insert an entry of your ip with ipa.int.de 11 | # Example: 192.168.178.20 ipa.int.de 12 | 13 | # Configure SELinux: 14 | sudo setenforce 0 15 | sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config 16 | sestatus 17 | sudo reboot 18 | 19 | # Install FreeIPA: 20 | sudo dnf install freeipa-server -y 21 | sudo ipa-server-install 22 | # Choose here the default except for the last question which is the confirmation. Choose yes here. 23 | # The configuration process takes a long time (ca. 5 minutes) 24 | 25 | # Configure Firewall: 26 | sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent 27 | sudo firewall-cmd --reload 28 | ``` 29 | 30 | Insert `192.168.178.20 ipa.int.de` into your DNS-Server. 31 | 32 | You can then log in at the browser interface with "admin" and your set password. 33 | 34 | ## Recommended settings 35 | 36 | - Rules -> Password Rules -> global_policy 37 | - Set max duration (days) to 0 (new passwords are valid forever) 38 | - Set min duration (hours) to 0 (passwords can be changed everytime, even if the current password is very new) 39 | 40 | ## Configure Custom DNS-Server for Alma Linux 41 | 42 | ```bash 43 | # Change enp0s3 to your specific connection name which you can see with 'ip a' 44 | nmcli connection modify enp0s3 ipv4.dns "192.168.178.84 8.8.8.8" 45 | service NetworkManager restart 46 | ``` 47 | 48 | ## Add Linux Client to FreeIPA Server 49 | 50 | Set a FQDN to the client via hostnamectl. The domain name should be in the same domain space like the freeipa server. In our example this is int.de. 51 | 52 | ```bash 53 | sudo hostnamectl set-hostname client001.int.de 54 | 55 | # Ensure that dns server holds the client address and the free-ipa-server and the linux client are beware of the client name. 56 | # On the Client and on the freeIPA Server this has to work: 57 | ping client001.int.de 58 | 59 | # Install freeipa-client on the linux client: 60 | sudo apt update 61 | sudo apt install freeipa-client oddjob-mkhomedir 62 | # In the Configuration: 63 | # - confirm INT.DE 64 | # leave the rest blank 65 | 66 | # Make sure that the ipa server is reachable under ipa.int.de: 67 | ping ipa.int.de 68 | sudo ipa-client-install --hostname=`client001.int.de` --mkhomedir --server=ipa.int.de --domain int.de 69 | --realm INT.DE 70 | # Type yes in the autodiscovery qeustion 71 | # Type no in the ntp question 72 | # Type yes in the confirmation question 73 | # The user authorized to enroll computers: admin 74 | # Password: Password of the freeipa admin. 75 | sudo pam-auth-update 76 | # Make sure that 'create home directory on login' is activated 77 | ``` 78 | 79 | ### Disable user list on gdm 80 | 81 | 82 | 83 | Create two files: 84 | 85 | ```bash 86 | sudo vim /etc/dconf/profile/gdm 87 | # Insert: 88 | user-db:user 89 | system-db:gdm 90 | file-db:/usr/share/gdm/greeter-dconf-defaults 91 | 92 | sudo mkdir -p /etc/dconf/db/gdm.d/ 93 | sudo vim /etc/dconf/db/gdm.d/00-login-screen 94 | # Insert: 95 | [org/gnome/login-screen] 96 | disable-user-list=true 97 | 98 | 99 | # Update dconf: 100 | sudo dconf update 101 | ``` 102 | 103 | ### Issues 104 | 105 | #### User sometimes is not able to log in because the FreeIPA server says "old password ..." 106 | 107 | - Try to reset the password in the admin interface 108 | - The user should log in to the ipa interface. There he is requested to change the password. 109 | 110 | #### Computer got locked out because too many wrong password attempts 111 | 112 | - Login as admin in the free ipa console, go to rules -> password rules 113 | - Change max duration (days) to 0 114 | - Changee min duration (hours) to 0 115 | - Save 116 | - Try to login at the computer again. 117 | 118 | #### Give freeipa user(s) sudo rights on computer(s) 119 | 120 | - Rules -> Sudo -> Sudo Rules 121 | - Add a new rule 122 | - You can leave sudo order, options blank. 123 | - Add users or groups which should have sudo access 124 | - Add hosts or host groups on which they should have sudo access 125 | - You can select "every command" in the command sections 126 | - you can leave "as who" to specific users groups while leaving the rest empty. 127 | - save the rule and restart the clients. 128 | 129 | ##### Examples for a sudo command 130 | 131 | Of course you can e.g. allow every user on every host to issue apt update. 132 | 133 | ```bash 134 | /usr/local/bin/apt update 135 | /bin/bash # <- sudo -i 136 | ``` 137 | 138 | ## Configure Nextcloud to use ldap of FreeIPA 139 | 140 | - Create a new user in the FreeIPA Interface called 'nextcloudsysuser' and assign it to the groups admins and ipausers. 141 | 142 | ```bash 143 | sudo apt install php-ldap 144 | # Also restart php service 145 | ``` 146 | 147 | - Install the LDAP App in Nextcloud 148 | - In the LDAP/AD Integration: 149 | - Server: ipa.int.de (localhost would also be fine) 150 | - Port: 389 151 | - User: `uid=nextcloudsysuser,cn=users,cn=accounts,dc=int,dc=de` (**not only the username, the whole string!!**) 152 | - Password: pw nextcloudsysuser 153 | - Base DN: dc=int,dc=de 154 | - In the Users Section of LDAP/AD Integration: 155 | - Expand the LDAP-Query and ensure: `(objectclass=*)` 156 | - In the Login Attributes change nothing and click on next 157 | - In the Groups tab expand the LDAP Query and ensure: `(|(cn=ipausers))` 158 | - No go back to the Login Attributes and ensure the ldap query: `(&(objectclass=*)(uid=%uid))` 159 | - Click on next so we are back into the groups settings 160 | - Click 'advanced' at the upper right corner 161 | - Under Folder/directory Settings ensure: 162 | - Base user tree: `cn=users,cn=accounts,dc=int,dc=de` 163 | - Group Display Name: `cn` 164 | - Base group tree: `cn=groups,cn=accounts,dc=int,dc=de` 165 | - Association between users and groups: Select 'uniqueMember' 166 | - Under Special Attributes: 167 | - email: `mail` 168 | - naming rule: `cn` 169 | - now click on 'test configuration'. 170 | - You are finished! 171 | 172 | *The user login may still not work. When this is the case for you, check the login credentials with the 'dc's in the end.* 173 | 174 | ## Configure Mattermost with LDAP 175 | 176 | **Warning:** In tests this progress deleted all messages of existing users, which are named equally. 177 | 178 | 179 | 180 | - Create a new User `mattermostsysuser` in FreeIPA and assign him to ipausers and admins 181 | - Switch to mattermost 182 | - Go to system settings -> Authentication -> AD/LDAP 183 | - AD/LDAP-Server: `ipa.int.de` 184 | - AD/LDAP Port: 389 185 | - Connection Security: STARTTLS 186 | - Skip Certificate Test: True 187 | - Bind username: `uid=mattermostsysuser,cn=users,cn=accounts,dc=int,dc=de` 188 | - (if you are unsure with the dc, pick the one of ) 189 | - Bind password: password of the mattermostsysuser 190 | - Base-DN: `dc=int,dc=de` 191 | - User filter: `(objectclass=*)` 192 | - Group filter: `(|(cn=ipausers))` 193 | - Attribute ID: `uid` 194 | - Attribute "Login ID": `uid` 195 | - Attribute Username: `cn` 196 | - E-Mail Attribute: `mail` 197 | - Keep the rest blank and click on 'Save'. 198 | - Then click 'Sync AD/LDAP now' at the very bottom. This takes some seconds. Reload the page and check the status. 199 | - You are finished! 200 | 201 | ### Automatic Team Join 202 | 203 | - Go to the team settings, enable joining for every user of the server 204 | - Go the the Authentication -> Signup settings and disable account creation 205 | 206 | ## Configure Rocket.Chat with LDAP 207 | 208 | - Create a new User `rocketchatsysuser` in FreeIPA and assign him to ipausers and admins 209 | - Administration -> Settings -> LDAP 210 | - Activate LDAP 211 | - Server type: Other 212 | - ldap host: ipa.int.de 213 | - LDAP-Port: 389 214 | - Enable reconnect 215 | - Enable login fallback 216 | - Enable Authentication 217 | - User-DN: `uid=rocketchatsysuser,cn=users,cn=accounts,dc=int,dc=de` 218 | - (if you are unsure with the dc, pick the one of ) 219 | - Password: password of the rocketchatsysuser. 220 | - Encryption: StartTLS 221 | - Disable reject unauthorized 222 | - Save the changes. Click on "test connection" 223 | - Go to the tab 'user search' 224 | - Base-DN: `cn=users,cn=accounts,dc=int,dc=de` 225 | - Save the changes and test the ldap search at the very top. A green message should appear in the top right corner. 226 | - LDAP is configured! 227 | 228 | ### Disable signup and two factor authentication via mail 229 | 230 | - Administration -> Settings -> Accounts ("Konten") 231 | - In the section Two Factor Authentication disable it 232 | - In the section registration form change 'registration form' from public to disabled. 233 | 234 | ## Configure ERP Next with LDAP 235 | 236 | - Create a new User `erpnextsysuser` in FreeIPA and assign him to ipausers and admins 237 | - Search for LDAP-Settings 238 | - Directory server: OpenLDAP 239 | - LDAP-Server URL: `ldap://ipa.int.de:389 240 | - LDAP Auth: (if you are unsure with the dc, pick the one of ) 241 | - `uid=erpnextsysuser,cn=users,cn=accounts,dc=int,dc=de` 242 | - Search path for users: `cn=users,cn=accounts,dc=int,dc=de` 243 | - Search path for groups: `cn=groups,cn=accounts,dc=int,dc=de` 244 | - LDAP search string: `(&(objectclass=*)(uid={0}))` 245 | - LDAP mail field: mail 246 | - LDAP field username: uid 247 | - LDAP Field first name: givenName 248 | - LDAP Fiield surname: sn 249 | - SSL/TLS Mode: StartTLS 250 | - Request trusted certufucate: nothing 251 | - Default User Type: System User 252 | - Default User Role: All 253 | - Click on "Activate" at the very top of the site 254 | - Then save the site. 255 | - You can now configure unter "users" the roles of the user. (You can also select all.) The message whith the id for employee is currently not fixed at our instance 256 | -------------------------------------------------------------------------------- /freeipa-on-podman/readme.md: -------------------------------------------------------------------------------- 1 | # FreeIPA with podman 2 | 3 | 4 | 5 | ```bash 6 | mkdir /var/lib/ipa-data/ && cd && mkdir freeipa && cd freeipa && vim run.sh 7 | 8 | # Insert the following text. 9 | podman run -d --name freeipa-server-container -ti \ 10 | --restart unless-stopped \ 11 | -h ipa.int.de --read-only \ 12 | -p 10080:80 -p 10443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \ 13 | -p 88:88/udp -p 464:464/udp -p 123:123/udp \ 14 | --sysctl net.ipv6.conf.all.disable_ipv6=0 \ 15 | -e PASSWORD=Fook5uef \ 16 | -v /var/lib/ipa-data:/data:Z docker.io/freeipa/freeipa-server:almalinux-9-4.10.1 \ 17 | ipa-server-install -U -r INT.DE --no-ntp 18 | 19 | # Inspect the latest tag here: https://hub.docker.com/r/freeipa/freeipa-server/tags 20 | # Change the hostname ipa.int.de to your needs 21 | 22 | sudo bash run.sh 23 | 24 | # The first startup takes a lot of time and needs **really** at least 2GB of free RAM. 25 | # Credentials on web ui are: 26 | # admin 27 | # Fook5uef 28 | # Warning: The web interface could be up and running but the login may fails for the first minutes. 29 | # Wait for about 10 minutes at a minimum. 30 | 31 | # Configure automatic start after reboot. 32 | sudo podman generate systemd --new --name freeipa-server-container > /etc/systemd/system/freeipa.service 33 | sudo systemctl enable freeipa.service 34 | # Test it out by rebooting the whole server. 35 | ``` 36 | 37 | ## Caddyfile entry 38 | 39 | ```caddyfile 40 | ipa.int.de { 41 | reverse_proxy https://localhost:10443 { 42 | transport http { 43 | tls_insecure_skip_verify 44 | } 45 | } 46 | } 47 | ``` 48 | 49 | ## Firewall 50 | 51 | ```bash 52 | ufw allow 389 # For LDAP 53 | ufw allow 636 # For LDAPS 54 | ufw allow 88 # For Keberos 55 | ufw allow 464 # For Kerberos 56 | ``` 57 | 58 | ## Further documentation 59 | 60 | 61 | 62 | ## How to update 63 | 64 | ```bash 65 | vim run.sh 66 | # Update the tag, comment out the last line 'ipa-server-install' 67 | systemctl disable freeipa --now 68 | 69 | podman ps -a 70 | podman rm ID # If the container is available 71 | 72 | # Now run the run.sh and regenerate and reactivate the systemctl as described in the setup. 73 | # Hint: The startup of freeipa takes five minute until it is reachable and fully working again. 74 | ``` 75 | -------------------------------------------------------------------------------- /gitlab/readme.md: -------------------------------------------------------------------------------- 1 | # Gitlab CE 2 | 3 | Based on 4 | 5 | ## Change SSH port of server itself 6 | 7 | Because Gitlab will use the default SSH port 22, we need to change the port of the server itself. 8 | 9 | ```bash 10 | vim /etc/ssh/sshd_config 11 | ``` 12 | 13 | ```ssh 14 | Port 23 15 | ``` 16 | 17 | ```bash 18 | ufw allow 23 19 | systemctl restart ssh 20 | # (Login with new port) 21 | ``` 22 | 23 | ## Install Gitlab CE 24 | 25 | ```bash 26 | mkdir -p /data/gitlab 27 | 28 | cd && mkdir gitlab && cd gitlab 29 | wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml 30 | # For Keys and Passwords 31 | pwgen -Bsv1 64 4 32 | 33 | vim docker-compose.yml 34 | # Change the following lines: 35 | ports: 36 | - '22824:80' 37 | - '22:22' 38 | volumes: 39 | -TZ=Europe/Berlin 40 | -GITLAB_TIMEZONE=Berlin 41 | 42 | - GITLAB_HOST=gitlab.int.de 43 | - GITLAB_PORT=22824 44 | - GITLAB_SSH_PORT=22 45 | 46 | - GITLAB_SECRETS_DB_KEY_BASE=... 47 | - GITLAB_SECRETS_SECRET_KEY_BASE=... 48 | - GITLAB_SECRETS_OTP_KEY_BASE=... 49 | 50 | - GITLAB_ROOT_PASSWORD=... 51 | - GITLAB_ROOT_EMAIL=... 52 | 53 | # Change not GITLAB_HTTPS=false 54 | ``` 55 | 56 | ```bash 57 | docker-compose up -d 58 | ``` 59 | 60 | ## Configure Caddy 61 | 62 | ```bash 63 | vim /etc/caddy/Caddyfile 64 | ``` 65 | 66 | ```caddy 67 | gitlab.int.de { 68 | reverse_proxy localhost:22824 69 | } 70 | ``` 71 | 72 | ```bash 73 | systemctl restart caddy 74 | ``` 75 | 76 | ## Wait for Gitlab to start 77 | 78 | ```bash 79 | # Wait a long time (5 Minutes): 80 | docker-compose logs -f 81 | ``` 82 | 83 | ## Configure Gitlab 84 | 85 | - Login with your mail and password 86 | - (Disable Sign-Up (Admin Area)) 87 | -------------------------------------------------------------------------------- /guacamole/readme.md: -------------------------------------------------------------------------------- 1 | # Guacamole 2 | 3 | We will do this with mysql. 4 | 5 | ```bash 6 | cd && mkdir guacamole && cd guacamole && vim docker-compose.yml 7 | ``` 8 | 9 | ```yaml 10 | services: 11 | guacamole: 12 | image: guacamole/guacamole 13 | container_name: guacamole 14 | restart: always 15 | ports: 16 | - 15824:8080 17 | environment: 18 | - MYSQL_HOSTNAME=mysql 19 | - MYSQL_DATABASE=guacamole 20 | - MYSQL_USER=guacamole 21 | - MYSQL_PASSWORD=guacamole 22 | - GUACD_HOSTNAME=guacd 23 | depends_on: 24 | - mysql 25 | mysql: 26 | image: mysql 27 | container_name: mysql 28 | restart: always 29 | environment: 30 | - MYSQL_DATABASE=guacamole 31 | - MYSQL_USER=guacamole 32 | - MYSQL_PASSWORD=guacamole 33 | - MYSQL_ROOT_PASSWORD=guacamole 34 | guacd: 35 | image: guacamole/guacd 36 | container_name: guacd 37 | restart: always 38 | ``` 39 | 40 | ```bash 41 | docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql 42 | docker-compose up -d 43 | docker cp initdb.sql mysql:/initdb.sql 44 | 45 | docker exec -it mysql bash 46 | mysql -u guacamole -p guacamole < /initdb.sql 47 | exit 48 | 49 | vim /etc/caddy/Caddyfile 50 | ``` 51 | 52 | ```caddy 53 | guacamole.int.de { 54 | rewrite * /guacamole{uri} 55 | reverse_proxy localhost:15824 56 | } 57 | ``` 58 | 59 | ```bash 60 | systemctl restart caddy 61 | ``` 62 | 63 | ```bash 64 | docker-compose up -d 65 | vim /etc/caddy/Caddyfile 66 | ``` 67 | 68 | ```caddy 69 | guacamole.int.de { 70 | reverse_proxy guacamole:15824 71 | } 72 | ``` 73 | 74 | ```bash 75 | systemctl restart caddy 76 | ``` 77 | 78 | The initial credentials are `guacadmin` and `guacadmin`. -------------------------------------------------------------------------------- /jitsi-docker/readme.md: -------------------------------------------------------------------------------- 1 | # Jitsi with docker 2 | 3 | Guide from: 4 | 5 | 6 | 7 | ```bash 8 | cd 9 | wget https://github.com/jitsi/docker-jitsi-meet/archive/refs/tags/stable-####.zip # Get the latest reelease zip archive 10 | unzip stable-####.zip 11 | mv docker-jitsi-meet-stable-#### jitsi 12 | cd jitsi 13 | 14 | cp env.example .env 15 | vim .env 16 | # Change HTTP_PORT to 30323 17 | # Comment out HTTPS_PORT 18 | # Comment out the PUBLIC_URL and change it to e.g. https://meet.int.de 19 | 20 | vim docker-compose.yml 21 | # Comment out the Port 443 22 | # Comment out all expose ports from the xmpp server 23 | # Comment out the Port expose 8080 at the videobridge 24 | 25 | ./gen-passwords.sh 26 | 27 | mkdir -p ~/.jitsi-meet-cfg/{web,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri} 28 | 29 | docker-compose up -d # Do not use sudo here or execute the mkdir command also with sudo. 30 | 31 | sudo ufw allow 10000/udp 32 | 33 | # Make sure your reverse proxy supports websockets (in nginx proxy manager you have to enable this at the entry) 34 | ``` 35 | 36 | ## Caddy configuration 37 | 38 | ```Caddyfile 39 | meet.int.de { 40 | reverse_proxy localhost:30323 41 | } 42 | ``` 43 | 44 | ## How to update 45 | 46 | Latest tag: 47 | 48 | 49 | ```bash 50 | vim .env 51 | # Set JITSI_IMAGE_VERSION at the very end to e.g. 'stable-8719' 52 | 53 | 54 | docker-compose up -d 55 | ``` 56 | -------------------------------------------------------------------------------- /join-samba-dc-as-client/readme.md: -------------------------------------------------------------------------------- 1 | # Join a AD Domain (Samba DC) 2 | 3 | ## Samba-DC-Server 4 | 5 | ```bash 6 | ufw allow 53 # DNS 7 | ufw allow 88 # Kerberos 8 | ufw allow 198 # Kerberos 9 | ufw allow 464 # Kerberos 10 | ufw allow 3629 # LDAPS-GC 11 | # There are still some port openings missing 12 | ``` 13 | 14 | ## Join Client 15 | 16 | $IP is the IP-Adress of the Samba DC Server 17 | $COMPUTER_NAME is the name of this client 18 | 19 | ```bash 20 | # Samba server IP address 21 | rm /etc/resolv.conf 22 | echo "nameserver $IP" >> /etc/resolv.conf 23 | echo "nameserver 208.67.222.222" >> /etc/resolv.conf 24 | 25 | realm discover INT.DE 26 | 27 | LDAPTLS_REQCERT=never LANG=C /usr/sbin/adcli join --verbose --domain int.de --domain-realm INT.DE --use-ldaps --domain-controller $IP --computer-name $COMPUTER_NAME --login-type user --login-user Administrator 28 | ``` 29 | -------------------------------------------------------------------------------- /kivitendo/readme.md: -------------------------------------------------------------------------------- 1 | # Kivitendo 3.8.0 2 | 3 | 4 | 5 | With Caddy as reverse proxy on ubuntu. 6 | 7 | ```bash 8 | sudo -i 9 | apt install apache2 libarchive-zip-perl libclone-perl \ 10 | libconfig-std-perl libdatetime-perl libdbd-pg-perl libdbi-perl \ 11 | libemail-address-perl libemail-mime-perl libfcgi-perl libjson-perl \ 12 | liblist-moreutils-perl libnet-smtp-ssl-perl libnet-sslglue-perl \ 13 | libparams-validate-perl libpdf-api2-perl librose-db-object-perl \ 14 | librose-db-perl librose-object-perl libsort-naturally-perl \ 15 | libstring-shellquote-perl libtemplate-perl libtext-csv-xs-perl \ 16 | libtext-iconv-perl liburi-perl libxml-writer-perl libyaml-perl \ 17 | libimage-info-perl libgd-gd2-perl libapache2-mod-fcgid \ 18 | libfile-copy-recursive-perl postgresql libalgorithm-checkdigits-perl \ 19 | libcrypt-pbkdf2-perl git libcgi-pm-perl libtext-unidecode-perl libwww-perl \ 20 | postgresql-contrib poppler-utils libhtml-restrict-perl \ 21 | libdatetime-set-perl libset-infinite-perl liblist-utilsby-perl \ 22 | libdaemon-generic-perl libfile-flock-perl libfile-slurp-perl \ 23 | libfile-mimeinfo-perl libpbkdf2-tiny-perl libregexp-ipv6-perl \ 24 | libdatetime-event-cron-perl libexception-class-perl libcam-pdf-perl \ 25 | libxml-libxml-perl libtry-tiny-perl libmath-round-perl \ 26 | libimager-perl libimager-qrcode-perl librest-client-perl libipc-run-perl postgresql-contrib poppler-utils 27 | 28 | # Download the newest kvitendo.zip source code from here: 29 | cd /var/www/ 30 | git clone https://github.com/kivitendo/kivitendo-erp.git 31 | cd kivitendo-erp/ 32 | # Checkout to the commit code of the latest realease: https://github.com/kivitendo/kivitendo-erp/tags 33 | git checkout ae23944 34 | 35 | mkdir webdav 36 | cp config/kivitendo.conf.default config/kivitendo.conf 37 | chown -R www-data /var/www/kivitendo-erp/ 38 | vim config/kivitendo.conf 39 | 40 | # Change the following variables: 41 | [authentication] 42 | admin_password = geheim 43 | 44 | [authentication/database] 45 | host = localhost 46 | port = 5432 47 | db = kivitendo 48 | user = kivitendo 49 | password = iXie1XaC 50 | 51 | [system] 52 | default_manager = german 53 | 54 | # Under [task_server] ensure: 55 | run_as = www-data 56 | 57 | sudo -u postgres createuser -P -d kivitendo # PW: iXie1XaC 58 | sudo -u postgres createdb -O kivitendo kivitendo 59 | vim /etc/postgresql/14/main/pg_hba.conf 60 | # Add: 61 | local all kivitendo password 62 | host all kivitendo 127.0.0.1 255.255.255.255 password 63 | 64 | # Set postgres admin user password (this is important, execute the commands one by one) 65 | su - postgres 66 | psql 67 | \password postgres 68 | # Enter iXie1XaC 69 | \q 70 | exit 71 | 72 | 73 | sudo systemctl restart postgresql 74 | 75 | vim /etc/apache2/ports.conf 76 | # Change Ports to 8080 and 8443 77 | 78 | 79 | vim /etc/apache2/apache2.conf 80 | # Add to the end: 81 | AliasMatch ^/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fcgi 82 | Alias / /var/www/kivitendo-erp/ 83 | 84 | 85 | AllowOverride All 86 | Options ExecCGI Includes FollowSymlinks 87 | Require all granted 88 | 89 | 90 | 91 | Require all denied 92 | 93 | 94 | 95 | Require all denied 96 | 97 | 98 | 99 | vim /etc/apache2/sites-enabled/000-default.conf 100 | # Ensure: 101 | 102 | 103 | DocumentRoot /var/www/kivitendo-erp 104 | Include conf-available/serve-cgi-bin.conf 105 | 106 | 107 | vim /etc/apache2/mods-available/fcgid.conf 108 | # Ensure: 109 | 110 | AddHandler fcgid-script .fcgi 111 | FcgidConnectTimeout 20 112 | FcgidBusyTimeout 3600 113 | FcgidIOTimeout 600 114 | FcgidMaxRequestLen 314572800 115 | 116 | 117 | 118 | a2enmod fcgid 119 | systemctl restart apache2 120 | 121 | cp scripts/boot/systemd/kivitendo-task-server.service /etc/systemd/system/ 122 | systemctl daemon-reload 123 | systemctl enable kivitendo-task-server.service --now 124 | # It is completely normal that the startup fails at this time. Just ignore it. 125 | # After we completed the first steps further down, the service works nomally. 126 | ``` 127 | 128 | ## Caddy configuration 129 | 130 | ```Caddyfile 131 | kivi.int.de { 132 | reverse_proxy localhost:8080 133 | } 134 | ``` 135 | 136 | ## First steps 137 | 138 | **You don't need to create a user if you want to use ldap.** 139 | 140 | - Open up the site. At the beginning an error ("Authentifizieruns Datenbank kann nicht erreicht werden") occurs. That's normal. Click on "Administration" at the bottom 141 | - Login with your Admin password. 142 | - Click on "Create table" 143 | - Head over to database administration, click on "create new database" 144 | - Insert "company1" into new database field 145 | - Insert "postgres" into the superuser field, and enter his password: iXie1XaC 146 | - Create a new user by hovering to "Benutzer, Mandanten und Benutzergruppen" -> "New user" (Username: lower case) 147 | - If you want, add the user to the group "Vollzugriff" in the end of the site. 148 | - Change the .css design to "design40.css" 149 | - Create a new "Mandant" 150 | - Name: company1 151 | - dbname: company1 152 | - Run taskserver as: username 153 | - Add the user with access to the "Mandant" 154 | - Add "Vollzugriff" 155 | - Now you can login as a normal user. And everything should work. 156 | -------------------------------------------------------------------------------- /ldap-server/readme.md: -------------------------------------------------------------------------------- 1 | # Open LDAP on ubuntu 2 | 3 | License of this file: 4 | Inspired by: 5 | 6 | ```bash 7 | sudo -i 8 | apt update && apt dist-upgrade -y 9 | hostnamectl set-hostname ldap.int.de 10 | sed -i "s/^127.0.1.1.*/127.0.1.1 ldap.int.de ldap.int.de/g" /etc/hosts 11 | bash 12 | 13 | basedn="dc=int,dc=de" 14 | admindn="cn=admin,$basedn" 15 | adminpwd="eeG4meth" 16 | echo -e "\$basedn:\t$basedn\n\$admindn:\t$admindn\n\$adminpwd:\t$adminpwd" 17 | 18 | apt install slapd 19 | 20 | systemctl stop slapd 21 | sed -i "s/SLAPD_CONF=.*/SLAPD_CONF=\/etc\/ldap\/slapd.conf/g" /etc/default/slapd 22 | cat /etc/default/slapd 23 | rm /var/lib/ldap/*.mdb 24 | 25 | adminpwdHash=$(slappasswd -h {SSHA} -s $adminpwd) 26 | cat </etc/ldap/slapd.conf 27 | ``` 28 | 29 | ```bash 30 | # Schemata und Objektklassen 31 | include /etc/ldap/schema/core.schema 32 | include /etc/ldap/schema/cosine.schema 33 | include /etc/ldap/schema/inetorgperson.schema 34 | include /etc/ldap/schema/nis.schema 35 | # Loglevel - 256 ist ein guter Mittelwert 36 | # NICHT auf 0 setzen, da sonst gar nichts geloggt wird! 37 | # https://www.openldap.org/doc/admin24/slapdconfig.html 38 | loglevel 256 39 | pidfile /var/run/slapd/slapd.pid 40 | argsfile /var/run/slapd/slapd.args 41 | modulepath /usr/lib/ldap 42 | moduleload back_mdb 43 | # Maximal 1000 Werte bei einer Suche zurück geben 44 | sizelimit 1000 45 | # Anzahl CPUs, die für das Indexing verwendet werden 46 | tool-threads 2 47 | ####################################################################### 48 | # Datenbank Nummer 1 49 | database mdb 50 | # Der Basis-DN 51 | suffix "$basedn" 52 | # Root-User 53 | rootdn "$admindn" 54 | rootpw "$adminpwdHash" 55 | # Ablageort der Datenbank 56 | directory "/var/lib/ldap" 57 | # Indices 58 | index objectClass eq 59 | # Letzte Modifikation der Datenbank schreiben 60 | lastmod on 61 | # Access Control Lists 62 | include /etc/ldap/acl.conf 63 | ``` 64 | 65 | ## ACL 66 | ```bash 67 | cat </etc/ldap/acl.conf 68 | access to dn.base="$basedn" by * read 69 | 70 | access to attrs=userPassword,shadowLastChange 71 | by anonymous auth 72 | by self write 73 | by group.exact="cn=administration,ou=groups,$basedn" write 74 | by * none 75 | 76 | access to dn.subtree="ou=binduser,$basedn" 77 | by group.exact="cn=administration,ou=groups,$basedn" write 78 | by * none 79 | 80 | access to dn.subtree="ou=groups,$basedn" 81 | by group.exact="cn=administration,ou=groups,$basedn" write 82 | by dn.one="ou=binduser,$basedn" read 83 | by * none 84 | 85 | access to dn.subtree="ou=users,$basedn" 86 | by group.exact="cn=administration,ou=groups,$basedn" write 87 | by dn.one="ou=binduser,$basedn" read 88 | by self read 89 | by * none 90 | 91 | access to * by * none 92 | EOF 93 | ``` 94 | 95 | ## RFC2307bis 96 | ```bash 97 | wget -P /etc/ldap/schema https://raw.githubusercontent.com/jtyr/rfc2307bis/master/rfc2307bis.schema 98 | sed -i "s/nis.schema/rfc2307bis.schema/" /etc/ldap/slapd.conf 99 | systemctl restart slapd 100 | systemctl status slapd 101 | ``` 102 | 103 | ## First data (Very basic but essential) 104 | ```bash 105 | cat </tmp/basic.ldif 106 | # Base erstellen 107 | dn: $basedn 108 | objectClass: dcObject 109 | objectClass: organization 110 | o: Organisation 111 | dc: int 112 | 113 | # Gruppen erstellen 114 | dn: ou=groups,$basedn 115 | ou: groups 116 | objectClass: top 117 | objectClass: organizationalUnit 118 | 119 | # User erstellen 120 | dn: ou=users,$basedn 121 | ou: users 122 | objectClass: top 123 | objectClass: organizationalUnit 124 | 125 | # posixGruppe anlegen 126 | dn: cn=posixGruppe,ou=groups,$basedn 127 | cn: posixGruppe 128 | objectClass: top 129 | objectClass: posixGroup 130 | gidNumber: 10000 131 | 132 | # binduser 133 | dn: ou=binduser,$basedn 134 | ou: binduser 135 | objectClass: top 136 | objectClass: organizationalUnit 137 | EOF 138 | 139 | ldapadd -x -H "ldap://ldap.int.de" -D "$admindn" -w $adminpwd -f /tmp/basic.ldif 140 | ``` 141 | 142 | ## Test LDAP: 143 | 144 | ```bash 145 | ldapsearch -x -LLL -H "ldap://ldap.int.de" -b $basedn -D "$admindn" -w $adminpwd 146 | ``` 147 | 148 | ## LDAPS (doesn't work at the moment) 149 | - We are using the root and key certificate of caddy at `/var/lib/caddy/.local/share/caddy/pki/authorities/` 150 | - Let's create a script which retrieves the certificates and perpares them for openldap. 151 | 152 | ```bash 153 | vim /root/retrieve_certificates.sh && chmod +x /root/retrieve_certificates.sh 154 | 155 | # Insert (adjust the paths suitable for the correct authority): 156 | KEYFILE=/var/lib/caddy/.local/share/caddy/pki/authorities/local/root.key 157 | CRTFILE=/var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt 158 | 159 | cp $KEYFILE /etc/ldap/ldapkey.pem 160 | cp $CRTFILE /etc/ldap/ldapcert.pem 161 | 162 | chmod 600 /etc/ldap/ldapkey.pem 163 | chmod 600 /etc/ldap/ldapcert.pem 164 | 165 | chown openldap /etc/ldap/ldapkey.pem 166 | chown openldap /etc/ldap/ldapcert.pem 167 | ``` 168 | 169 | 170 | ```bash 171 | sed -i '/^tool-threads*/a TLSCertificateKeyFile \/etc\/ldap\/ldapkey.pem' /etc/ldap/slapd.conf 172 | sed -i '/^tool-threads*/a TLSCertificateFile \/etc\/ldap\/ldapcert.pem' /etc/ldap/slapd.conf 173 | sed -i '/^tool-threads*/a # SSL Certs' /etc/ldap/slapd.conf 174 | sed -i 's/SLAPD_SERVICES=.*/SLAPD_SERVICES="ldapi:\/\/\/ ldaps:\/\/\/"/g' /etc/default/slapd 175 | systemctl restart slapd 176 | 177 | # Test ldaps: 178 | ldapsearch -x -LLL -H "ldaps://ldap.int.de" -b $basedn -D "$admindn" -w $adminpwd 179 | ``` 180 | 181 | ## Clear whole LDAP-Server: 182 | 183 | ```bash 184 | systemctl stop slapd 185 | rm /var/lib/ldap/*.mdb 186 | systemctl start slapd 187 | ``` 188 | 189 | You may now want to add the basic.ldif data again. 190 | -------------------------------------------------------------------------------- /libre-workspace/readme.md: -------------------------------------------------------------------------------- 1 | # Libre Workspace 2 | 3 | This instructions describe the manual install. Have a look to for further information and for an easy, automated install. 4 | 5 | - Start from a debian netinstall iso and install ssh server. Login as root per ssh. 6 | - 7 | - 8 | - 9 | - 10 | - 11 | - 12 | - Online office: 13 | - 14 | - -------------------------------------------------------------------------------- /linkstack/readme.md: -------------------------------------------------------------------------------- 1 | # Linkstack with Docker 2 | 3 | From: 4 | 5 | ```bash 6 | cd && mkdir linkstack && cd linkstack && vim run.sh 7 | # Paste: 8 | docker run --detach \ 9 | --name linkstack \ 10 | --publish 24105:443 \ 11 | --restart unless-stopped \ 12 | --mount source=linkstack,target=/htdocs \ 13 | linkstackorg/linkstack 14 | 15 | bash run.sh 16 | ``` 17 | 18 | ## Caddyfile 19 | 20 | ```yaml 21 | DOMAIN { 22 | reverse_proxy https://127.0.0.1:24105 { 23 | transport http { 24 | tls_insecure_skip_verify 25 | } 26 | } 27 | } 28 | ``` 29 | -------------------------------------------------------------------------------- /local-dns-server-with-real-https/readme.md: -------------------------------------------------------------------------------- 1 | # Setup local DNS Server on Ubuntu 2 | 3 | ```bash 4 | 5 | 6 | sudo apt install dnsmasq vim 7 | sudo rm /etc/resolv.conf # Remove symlink 8 | sudo vim /etc/resolv.conf 9 | ``` 10 | Insert the following content: 11 | ```bash 12 | nameserver 127.0.0.1 13 | nameserver 192.168.178.84 # The ip of the server itself, needed for dns for docker containers 14 | nameserver 192.168.178.1 15 | nameserver 208.67.222.222 # OpenDNS 16 | ``` 17 | 18 | ```bash 19 | sudo vim /etc/dnsmasq.conf 20 | ``` 21 | Append the following content to the very end: 22 | ```bash 23 | listen-address=127.0.0.1 24 | listen-address=192.168.178.84 # Ip of the server itself 25 | ``` 26 | 27 | ## Add DNS entries: 28 | These are stored in the /etc/hosts file. 29 | Here are some example entries: 30 | ``` 31 | 192.168.178.84 cert.int.de # Add this for the distribution of the cert file, which we will create in some steps 32 | 192.168.178.84 cloud.int.de 33 | 192.168.178.84 chat.int.de 34 | 192.168.178.84 int.de cert.int.de portal.int.de central.int.de cloud.int.de office.int.de chat.int.de meet.int.de 35 | ``` 36 | Please avoid .local adresses because they are used in another ways. A not existent domain but with an existant top level domain is recommended that the browsers don't open the search automatically. 37 | 38 | Finally switch the services 39 | ```bash 40 | # Disable resolv.conf 41 | sudo systemctl stop systemd-resolved.service 42 | sudo systemctl disable systemd-resolved.service 43 | 44 | sudo systemctl enable dnsmasq 45 | sudo systemctl restart dnsmasq 46 | sudo ufw allow 53 47 | ``` 48 | 49 | 50 | # Setup caddy to serve local, valid https: 51 | ```bash 52 | sudo apt install libnss3-tools 53 | sudo caddy trust 54 | 55 | # Distribute the ca certificate on an own webserver: 56 | sudo mkdir -p /var/www/cert/ 57 | sudo cp /etc/ssl/certs/Caddy_Local_Authority_* /var/www/cert/lan.crt 58 | 59 | vim /etc/caddy/Caddyfile 60 | ``` 61 | 1. add the following configuration for the distribution webserver: 62 | 63 | ``` 64 | cert.int.de { 65 | tls internal 66 | root * /var/www/cert/ 67 | file_server browse 68 | } 69 | ``` 70 | 71 | 2. On every other host add the apropriate dns entry 72 | 3. Add for every host the following line: 73 | 74 | ``` 75 | tls internal 76 | ``` 77 | A full example would be: 78 | ``` 79 | cloud.int.de 192.168.178.84 { 80 | tls internal 81 | reverse_proxy localhost:3000 82 | } 83 | ``` 84 | 85 | # Setup the devices to use the domains and the good https (also needed for docker containers): 86 | - Set the dns server of the system to the ip of the new dns server. 87 | - In docker containers the nameserver should be already configured. Check /etc/resolv.conf for that. 88 | - Reconnect to the network 89 | - Download the certificate of the server. (If you did everything right a valid address would be 'cert.int.de/lan.crt') 90 | - Add this certificate to your browsers (because they have their own certificate handling) 91 | - Settings -> Privady & Security -> Show certificates (-> Certificate Authorities) -> Add certificate 92 | - Add the certificate to your system by issuing the following commands 93 | - `sudo cp ~/Downloads/lan.crt /usr/local/share/ca-certificates/lan.crt` 94 | - `sudo update-ca-certificates` 95 | - repeat this on every device which should use it 96 | 97 | 98 | ## Set Fritz!Box DNS-Settings: 99 | - Internet -> Access Data -> DNS-Server 100 | - **Also disable for DNS-Rebind-Protection in: Local Network -> Network -> Network Settings:** 101 | - insert `int.de` into the DNS-Rebind-Protection field 102 | -------------------------------------------------------------------------------- /mail-sending-for-scripts/readme.md: -------------------------------------------------------------------------------- 1 | # Send mails from scripts in linux 2 | 3 | ```bash 4 | sudo -i 5 | apt install ssmtp mailutils -y 6 | vim /etc/ssmtp/ssmtp.conf 7 | 8 | # Config file for sSMTP sendmail 9 | root=USER@gmail.com 10 | mailhub=smtp.gmail.com:587 11 | rewriteDomain=gmail.com 12 | hostname=USER@gmail.com 13 | FromLineOverride=YES 14 | AuthUser=MYUSER 15 | AuthPass=MYPASSWORD 16 | UseSTARTTLS=YES 17 | UseTLS=NO 18 | 19 | 20 | # You can now send mails with (press Enter and Ctr+D in the end): 21 | mail -a 'From: Linux-Arbeitsplatz ' -s "Subject" recepient@address.com 22 | # For scripts: 23 | echo -e "\n\nThis is the body" | mail -a 'From: Linux-Arbeitsplatz ' -s "Subject" recepient@address.com 24 | 25 | # Attachment: 26 | # -A /path/to/file 27 | ``` 28 | -------------------------------------------------------------------------------- /maintenance/readme.md: -------------------------------------------------------------------------------- 1 | # Maintenance 2 | 3 | ```bash 4 | # Become root 5 | sudo -i 6 | 7 | # Check current processes and resource usage 8 | htop 9 | # - Check CPU Usage 10 | # - Check Load average 11 | # - Check Uptime 12 | # - Check Processes 13 | 14 | # Check available diskspace 15 | df -h 16 | # - Anywhere over 90% Usage? -> ncdu, check if we can clear something now (look at 'free diskspace' further down) 17 | 18 | # Check RAID Status 19 | cat /proc/mdstat 20 | 21 | ## CHECK, IF ENOUGH DISKSPACE IS AVAILABLE! 22 | 23 | # Check, if the backups are working 24 | sudo -i 25 | cd 26 | ./mount_backup.sh 27 | ls /mnt/ 28 | ./umount_backup.sh 29 | # Check the diskspace of the backup server 30 | 31 | ## ONLY RESUME IF A GOOD BACKUP IS AVAILABLE! 32 | ## (Because updates can have high fail potential) 33 | 34 | # Check, if the firewall is working and if all open ports are for a service 35 | ufw status numbered 36 | ss -tlpn 37 | ufw delete NUMBER && ufw status numbered 38 | # Note every service which could be upgradeable seperately!! 39 | 40 | # Some ports explained: 41 | # - 389: LDAP 42 | # - 636: LDAPS 43 | # - 88: Kerberos 44 | # - 464: kpasswd (used by FreeIPA) 45 | # - 10000: Jitsi UDP? 46 | 47 | # Update the machine 48 | apt update && apt dist-upgrade 49 | 50 | # Check the current OS Version: 51 | cat /etc/os-release 52 | 53 | # Check every service for updates and remove unused ones. 54 | docker ps 55 | docker-compose pull 56 | docker-compose up -d 57 | 58 | podman ps 59 | snap list 60 | pstree 61 | systemctl list-units --type=service --state=running --no-legend --no-pager 62 | 63 | # Any PHP sites ? 64 | # Nextcloud: 65 | # Check for big updates 66 | # Check for app updates 67 | # Are all apps really used? 68 | 69 | 70 | # Check the caddy file for active services: 71 | vim /etc/caddy/Caddyfile 72 | 73 | # Free diskspace: 74 | docker image prune -a 75 | podman system prune --all 76 | docker volume prune 77 | apt autoremove 78 | apt clean 79 | sudo journalctl --vacuum-size=100M 80 | ncdu / 81 | 82 | # Check all accesses - Are there old users on the services we could delete? 83 | # - on linux 84 | # - on nextcloud 85 | # - on all docker services 86 | 87 | reboot 88 | ``` 89 | 90 | **Check in the end the basic security of the server:** 91 | 92 | 93 | **Set next appointment for maintenance check!** 94 | 95 | ## Update your documentation accordinly 96 | 97 | - All Versions of installed software 98 | - Ensure that every software is documented and all old entries got deleted 99 | - Update the basic information about the server 100 | -------------------------------------------------------------------------------- /matomo/readme.md: -------------------------------------------------------------------------------- 1 | # Matomo 2 | 3 | ## docker-compose.yaml 4 | ```yaml 5 | version: "3" 6 | 7 | services: 8 | db: 9 | image: mariadb:10.11 10 | command: --max-allowed-packet=64MB 11 | restart: unless-stopped 12 | volumes: 13 | - ./db:/var/lib/mysql:Z 14 | environment: 15 | - MYSQL_ROOT_PASSWORD= 16 | - MARIADB_AUTO_UPGRADE=1 17 | - MARIADB_DISABLE_UPGRADE_BACKUP=1 18 | - MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 19 | 20 | app: 21 | image: matomo 22 | restart: unless-stopped 23 | volumes: 24 | - ./matomo:/var/www/html:z 25 | environment: 26 | - MATOMO_DATABASE_HOST=db 27 | ports: 28 | - 14524:80 29 | ``` 30 | 31 | ## Caddy 32 | ```caddy 33 | matomo.int.de { 34 | reverse_proxy localhost:14524 35 | } 36 | ``` 37 | 38 | -------------------------------------------------------------------------------- /matrix-server-synapse/readme.md: -------------------------------------------------------------------------------- 1 | # Matrix-Synapse auf Ubuntu 22.04 Server installieren 2 | 3 | ## Synapse installieren: 4 | https://matrix-org.github.io/synapse/latest/setup/installation.html 5 | 6 | ```bash 7 | sudo apt install -y lsb-release wget apt-transport-https 8 | sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg 9 | echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | 10 | sudo tee /etc/apt/sources.list.d/matrix-org.list 11 | sudo apt update 12 | sudo apt install matrix-synapse-py3 13 | ``` 14 | 15 | ## Postgresql installieren 16 | ```bash 17 | sudo apt install postgresql-14 18 | ``` 19 | in der config von postgresql den host auf localhost gesetzt (Kommentar entfernt) 20 | 21 | 22 | ```bash 23 | apt install libpq5 24 | ``` 25 | homeserver.yaml angepasst bzgl database 26 | 27 | pg-hba.conf: folgendes hinzugefügt 28 | ``` 29 | local synapse synapse_user scram-sha-256 30 | ``` 31 | 32 | ## Caddy installiert 33 | 34 | 35 | Caddfile: 36 | ``` 37 | server.linuxguides.de { 38 | reverse_proxy /_matrix/* localhost:8008 39 | reverse_proxy /_synapse/client/* localhost:8008 40 | reverse_proxy localhost:8008 41 | } 42 | 43 | server.linuxguides.de:8448 { 44 | reverse_proxy localhost:8008 45 | } 46 | ``` 47 | 48 | 49 | ## Alles neu starten (und starten) 50 | 51 | 52 | ## User hinzufügen 53 | ```bash 54 | register_new_matrix_user -u benuzter -c /etc/matrix-synapse/homeserver.yaml -a https://my.domain.com 55 | ``` 56 | -------------------------------------------------------------------------------- /mattermost-server-docker/readme.md: -------------------------------------------------------------------------------- 1 | # Mattermost server with docker 2 | 3 | We will install it with caddy as reverse proxy. 4 | 5 | Instructions from: 6 | 7 | ```bash 8 | sudo apt install git vim 9 | git clone https://github.com/mattermost/docker && mv docker mattermost && cd mattermost 10 | cp env.example .env 11 | vim .env 12 | # Change the Domain (this should be enough for us) 13 | # Also currently you need to manually replace the uesed variables. 14 | # I think that's currently a bug that mattermost doesn't translate bash variables in bash variables.. 15 | 16 | mkdir -p ./volumes/app/mattermost/{config,data,logs,plugins,client/plugins,bleve-indexes} && sudo chown -R 2000:2000 ./volumes/app/mattermost 17 | 18 | sudo docker-compose -f docker-compose.yml -f docker-compose.without-nginx.yml up -d 19 | ``` 20 | 21 | ## Caddy reverse proxy configuration 22 | 23 | Super easy.. 24 | 25 | ```Caddyfile 26 | mm.int.de { 27 | reverse_proxy localhost:8065 28 | } 29 | ``` 30 | 31 | ## How to update mattermost 32 | 33 | ```bash 34 | sudo docker-compose -f docker-compose.yml -f docker-compose.without-nginx.yml down 35 | 36 | vim .env 37 | # change the version tag in the .env file to the newest. 38 | # Example: 7.9 39 | # You can find the newest tag here: https://hub.docker.com/r/mattermost/mattermost-team-edition/tags 40 | sudo docker-compose -f docker-compose.yml -f docker-compose.without-nginx.yml up -d 41 | ``` 42 | -------------------------------------------------------------------------------- /monitoring-with-kuma/readme.md: -------------------------------------------------------------------------------- 1 | # Monitoring with Uptime Kuma 2 | 3 | 4 | 5 | ```bash 6 | cd && mkdir uptime-kuma && cd uptime-kuma && vim run.sh 7 | 8 | # Insert 9 | docker run -d --restart=unless-stopped -p 20623:3001 -v ./uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1 10 | 11 | bash run.sh 12 | ``` 13 | 14 | ## Caddyfile 15 | 16 | ```Caddyfile 17 | kuma.int.de { 18 | #tls internal 19 | reverse_proxy localhost:20623 20 | } 21 | ``` 22 | -------------------------------------------------------------------------------- /n8n/readme.md: -------------------------------------------------------------------------------- 1 | # N8N 2 | 3 | ```bash 4 | cd && mkdir n8n && cd n8n && vim run.sh 5 | 6 | # Insert 7 | docker run -it --restart=unless-stopped --name n8n -p 5678:5678 -v ~/.n8n:/home/node/.n8n docker.n8n.io/n8nio/n8n 8 | ``` 9 | 10 | ## Caddy 11 | 12 | ```Caddyfile 13 | n8n.int.de { 14 | reverse_proxy localhost:5678 15 | } 16 | ``` 17 | 18 | 19 | ## Altearntive installation method 20 | 21 | 22 | -------------------------------------------------------------------------------- /nextcloud-with-caddy/readme.md: -------------------------------------------------------------------------------- 1 | # Nextcloud with Caddy as Webserver 2 | 3 | Automation script: 4 | 5 | **Sources:** 6 | 7 | - 8 | - 9 | 10 | ## Install prerequisites 11 | 12 | ```bash 13 | # Install caddy: 14 | sudo apt update && sudo apt upgrade && sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg && curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list && sudo apt update && sudo apt install caddy 15 | 16 | # Install dbms, php and other tools 17 | sudo apt install mariadb-server php-gd php-mysql php-curl php-mbstring php-intl php-imap php-gmp php-bcmath php-xml php-imagick libmagickcore-6.q16-6-extra php-zip php-bz2 php-fpm php-redis php-apcu php-memcache unzip vim 18 | ``` 19 | 20 | ## Prepare database 21 | 22 | ```bash 23 | sudo mysql 24 | 25 | CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'phoo2Oot'; 26 | CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; 27 | GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost'; 28 | FLUSH PRIVILEGES; 29 | QUIT; 30 | ``` 31 | 32 | ## Installation 33 | 34 | ```bash 35 | wget https://download.nextcloud.com/server/releases/latest.zip 36 | wget https://download.nextcloud.com/server/releases/latest.zip.md5 37 | md5sum -c latest.zip.md5 < latest.zip 38 | unzip latest.zip 39 | sudo mkdir -p /var/www/ 40 | sudo cp -r nextcloud /var/www/ 41 | sudo chown -R www-data:www-data /var/www/nextcloud 42 | 43 | sudo vim /etc/caddy/Caddyfile 44 | ``` 45 | 46 | ```caddy 47 | IP_ADRESS_OR_DOMAIN { 48 | root * /var/www/nextcloud 49 | file_server 50 | 51 | php_fastcgi unix//var/run/php/php-fpm.sock { 52 | 53 | } 54 | 55 | header { 56 | Strict-Transport-Security max-age=31536000; # enable HSTS 57 | } 58 | 59 | redir /.well-known/carddav /remote.php/dav 301 60 | redir /.well-known/caldav /remote.php/dav 301 61 | 62 | @forbidden { 63 | path /.htaccess 64 | path /data/* 65 | path /config/* 66 | path /db_structure 67 | path /.xml 68 | path /README 69 | path /3rdparty/* 70 | path /lib/* 71 | path /templates/* 72 | path /occ 73 | path /console.php 74 | } 75 | 76 | respond @forbidden 404 77 | } 78 | ``` 79 | 80 | ```bash 81 | sudo ufw allow http 82 | sudo ufw allow https 83 | sudo systemctl restart caddy 84 | ``` 85 | 86 | Open webbrowser with the ip adress of the server, fill the setup dialog. 87 | Mysql PW: `phoo2Oot` 88 | 89 | ```bash 90 | # Alternative install command (Don't forget to replace 'PASSWORD': 91 | sudo -u www-data php /var/www/nextcloud/occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "nextcloud" --database-pass "phoo2Oot" --admin-user "Administrator" --admin-pass "PASSWORD" 92 | ``` 93 | 94 | ## Optimizations (recommended) 95 | 96 | ```bash 97 | cd /var/www/nextcloud 98 | sudo -u www-data php occ config:app:set dav system_addressbook_exposed --value="no" 99 | sudo -u www-data php /var/www/nextcloud/occ config:system:set maintenance_window_start --value=1 100 | 101 | sudo vim /etc/php/8.2/fpm/php.ini 102 | 103 | # Set 104 | # memory_limit = 1024M 105 | # upload_max_filesize = 10G 106 | # max_file_uploads = 1000 107 | 108 | # Add in the end: 109 | opcache.interned_strings_buffer = 128 110 | opcache.memory_consumption = 2048 111 | 112 | ``` 113 | 114 | ```bash 115 | sudo vim /var/www/nextcloud/config/config.php 116 | 117 | # Add the following setting: 118 | "default_phone_region" => 'DE', 119 | 'mail_smtptimeout' => '30', 120 | 121 | # Change the ip adress to the IPv4 adress of the nextcloud server itself. 122 | 'trusted_proxies' => ['192.168.178.10'], 123 | 'bulkupload.enabled' => false, 124 | ``` 125 | 126 | ```bash 127 | sudo vim /etc/php/8.2/fpm/pool.d/www.conf 128 | 129 | # uncomment following lines by removing ';' 130 | # ;env[HOSTNAME] = $HOSTNAME 131 | # ;env[PATH] = /usr/local/bin:/usr/bin:/bin 132 | # ;env[TMP] = /tmp 133 | # ;env[TMPDIR] = /tmp 134 | # ;env[TEMP] = /tmp 135 | ``` 136 | 137 | ```bash 138 | sudo systemctl restart php8.2-fpm.service 139 | 140 | sudo crontab -u www-data -e 141 | # Insert: 142 | */5 * * * * php -f /var/www/nextcloud/cron.php 143 | ``` 144 | 145 | Go to the nextcloud admin page and change 'background tasks' to "Cron (recommended)" 146 | 147 | ## Redis 148 | 149 | ```bash 150 | cd && mkdir redis-nextcloud && cd redis-nextcloud && vim docker-compose.yml 151 | 152 | # Create the following file: 153 | version: "3.9" 154 | services: 155 | redis: 156 | restart: unless-stopped 157 | image: "redis:alpine3.17" 158 | ports: 159 | - 17423:6379 160 | command: redis-server --requirepass rahBieF7 161 | 162 | docker-compose up -d 163 | 164 | vim /var/www/nextcloud/config/config.php 165 | # Add the following lines: 166 | 'memcache.distributed' => '\OC\Memcache\Redis', 167 | 'redis' => array( 168 | 'host' => 'localhost', 169 | 'port' => 17423, 170 | 'timeout' => 0.0, 171 | 'password' => 'rahBieF7' 172 | ), 173 | 'memcache.locking' => '\OC\Memcache\Redis', 174 | 'filelocking.enabled' => true, 175 | 'memcache.local' => '\OC\Memcache\APCu', 176 | 177 | 178 | PHP_VERSION=`php -v | head -n 1 | cut -d " " -f 2 | cut -d "." -f 1,2` 179 | echo "apc.enable_cli=1" >> /etc/php/$PHP_VERSION/fpm/php.ini 180 | echo "apc.enable_cli=1" >> /etc/php/$PHP_VERSION/cli/php.ini 181 | ``` 182 | 183 | ## Setup in Nextcloud itself 184 | 185 | - Install Groupfolders 186 | - (Install External sites) 187 | - (Install Deck) 188 | - (Install Tasks) 189 | - (Install Collectives) 190 | (Install Draw.io) 191 | - Uninstall Activities 192 | - Uninstall Collaborative Tags 193 | - Uninstall First run wizard 194 | - Uninstall Talk (and all other main apps which are not used) 195 | - Uninsstall Nextcloud Announcements 196 | - Uninstall Support 197 | - Uninstall Usage Survey 198 | - Change background: https://raw.githubusercontent.com/Jean28518/linux-arbeitsplatz-portal/main/images/background.webp 199 | 200 | ### External sites 201 | 202 | | Service | Name | Additional information | Activate forwarding | 203 | |-------------|----------|------------------------------------------------------------| ------------------- | 204 | | Jitsi | Meetings | | X | 205 | | NocoDB | NocoDB | | | 206 | | Rocket.Chat | Chat | Change X-Frame-Options to: sameorigin https://cloud.int.de | | 207 | | Videoportal | Videos | | | 208 | | IPA | Passwort ändern | Only upload dark key icon, position: settings menu | X | 209 | 210 | ## Quality Check: 211 | - All Nextcloud sites should be loaded in 2 seconds. 212 | - Enter every nextcloud site at the top (sometimes the activities app makes trouble) 213 | - Open a document for online editing (if collabora or only office are included) 214 | - Verify that the cron job is running 215 | - Check the administration messages (in administration overview) 216 | 217 | **You are finished!** 218 | 219 | ## Full text search with elasticsearch: 220 | 221 | Have a look [here](https://github.com/Jean28518/linux-guides/blob/main/elasticsearch/README.md#how-to-use-it-with-nextcloud). 222 | 223 | ## Move data directory to other partition 224 | 225 | In this example our partition is mounted under `/data` 226 | 227 | ```bash 228 | sudo -i 229 | mkdir -p /data/nextcloud 230 | chown -R www-data:www-data /data 231 | mv /var/www/nextcloud/data /data/nextcloud/ 232 | chown -R www-data:www-data /data 233 | vim /var/www/nextcloud/config/config.php 234 | # Change datadirectory to: /data/nextcloud/data/ 235 | ``` 236 | 237 | ## Set Refreshrate for subscribed calendars 238 | https://www.php.net/manual/de/dateinterval.construct.php 239 | ```bash 240 | sudo -u www-data php /var/www/nextcloud/occ config:app:set dav calendarSubscriptionRefreshRate --value "PT30M" 241 | ``` 242 | 243 | ## Import data from old machine 244 | 245 | ```bash 246 | ## On the new machine: 247 | mkdir /data/import # run this as user, not as root, if you have the option 248 | 249 | ## Start on the other machine: 250 | sftp user@newserver 251 | put -r /path/to/old/data/* /data/import/ 252 | 253 | ## Otherwise you can mount a backup and restore it like this: 254 | rsync -aP /mnt/1970-01-01/data/nextcloud/ /data/ 255 | 256 | ## On the new machine: 257 | sudo convmv -f utf-8 -t utf-8 -r --notest --nfc /data/import/* # Convert filenames to right name 258 | sudo mv /data/import/* /data/nextcloud/users/... 259 | sudo chown www-data:www-data -R /data/nextcloud 260 | sudo -u www-data php /var/www/nextcloud/occ files:scan --all 261 | ``` 262 | 263 | ## To many requests from your IP 264 | 265 | If you tried to login too many times: 266 | 267 | ```bash 268 | sudo -u www-data php /var/www/nextcloud/occ security:bruteforce:reset 269 | # You need only the '--define apc.enable_cli=1' if you have the redis module enabled. 270 | ``` 271 | 272 | ## On Nextcloud Updates 273 | 274 | Check before the update, if the installed php version is supported by the following nextcloud version!! 275 | 276 | - Nextcloud 25 needs php 8.0 or higher 277 | 278 | ### Update via terminal 279 | 280 | ```bash 281 | sudo -u www-data php /var/www/nextcloud/updater/updater.phar --no-interaction 282 | 283 | # Manuell: 284 | sudo -u www-data php /var/www/nextcloud/updater/updater.phar 285 | sudo -u www-data php /var/www/nextcloud/occ upgrade 286 | sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --off 287 | ``` 288 | 289 | ### After update 290 | 291 | ```bash 292 | sudo -u www-data php /var/www/nextcloud/occ db:add-missing-indices # helps after update 293 | sudo -u www-data php /var/www/nextcloud/occ maintenance:repair --include-expensive 294 | ``` 295 | 296 | ## Reset password manually 297 | 298 | ```bash 299 | sudo -u www-data php /var/www/nextcloud/occ user:resetpassword USERNAME 300 | ``` 301 | 302 | ## Nextcloud down? Nothing works? 303 | 304 | Check, if a basic command runs. Otherwise it is printed a stack trace. 305 | 306 | ```bash 307 | sudo -u www-data php /var/www/nextcloud/occ -V 308 | 309 | # Sometimes it just helps to restart the mysql service 310 | 311 | # Other helpful commands: 312 | sudo -u www-data php /var/www/nextcloud/occ db:add-missing-columns 313 | sudo -u www-data php /var/www/nextcloud/occ db:add-missing-indices 314 | sudo -u www-data php /var/www/nextcloud/occ db:add-missing-primary-keys 315 | sudo -u www-data php /var/www/nextcloud/occ maintenance:repair --include-expensive 316 | 317 | systemctl restart mariadb.service php* redis 318 | 319 | 320 | ``` 321 | 322 | Good luck! 323 | 324 | ## Restore nextcloud from backup 325 | 326 | For example if an update went wrong... 327 | 328 | ```bash 329 | systemctl stop mariadb 330 | # If an update got wrong, then the next line could be useful to reset the updater: 331 | # rm -r /data/nextcloud/updater* 332 | rsync -aP /baclups/2024-04-25-system/var/www/nextcloud/ /var/www/nextcloud/ --exclude=/var/www/nextcloud/data/ --delete 333 | rsync -aP /baclups/2024-04-25-system/var/lib/mysql /var/lib/mysql --delete 334 | systemctl start mariadb 335 | sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --off 336 | ``` 337 | -------------------------------------------------------------------------------- /nocodb-server/readme.md: -------------------------------------------------------------------------------- 1 | # Nocodb Server 2 | 3 | Spreadsheets on steroids. Datafields and handling of data is very good. But when it comes to advanced forms it isn't recommended. If you want to automate something a custom python script is recommended. 4 | 5 | 6 | 7 | ## Instructions for installation with docker 8 | 9 | 10 | 11 | ```bash 12 | # For local machines (testing) 13 | mkdir nocodb && cd nocodb && nano docker-compose.yml 14 | # For Servers 15 | cd && mkdir nocodb && cd nocodb && vim docker-compose.yml 16 | ``` 17 | 18 | docker-compose.yml: 19 | 20 | ```yaml 21 | version: "2.1" 22 | services: 23 | nocodb: 24 | depends_on: 25 | root_db: 26 | condition: service_healthy 27 | environment: 28 | NC_DB: "mysql2://root_db:3306?u=noco&p=faiTh8ra&d=root_db" 29 | image: "nocodb/nocodb:latest" 30 | ports: 31 | - "23260:8080" 32 | restart: unless-stopped 33 | volumes: 34 | - "nc_data:/usr/app/data" 35 | root_db: 36 | environment: 37 | MYSQL_DATABASE: root_db 38 | MYSQL_PASSWORD: faiTh8ra 39 | MYSQL_ROOT_PASSWORD: faiTh8ra 40 | MYSQL_USER: noco 41 | healthcheck: 42 | retries: 10 43 | test: 44 | - CMD 45 | - mysqladmin 46 | - ping 47 | - "-h" 48 | - localhost 49 | timeout: 20s 50 | image: "mysql:8.0.32" 51 | restart: unless-stopped 52 | volumes: 53 | - "db_data:/var/lib/mysql" 54 | # below line shows how to change charset and collation 55 | # uncomment it if necessary 56 | # command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci 57 | volumes: 58 | db_data: {} 59 | nc_data: {} 60 | ``` 61 | 62 | ```bash 63 | sudo docker-compose up -d 64 | ``` 65 | 66 | 67 | (You will need a proxy reverse server for https and advanced stuff) 68 | 69 | Example caddy file: 70 | ``` 71 | DOMAIN { 72 | reverse_proxy localhost:23260 73 | } 74 | ``` 75 | 76 | 77 | 78 | ## How to call the nocodb API with python script and implement fully automatic workflows 79 | ```bash 80 | sudo pip3 install nocodb 81 | ``` 82 | This script is used to update single entries of a table every 10 seconds. 83 | ```python 84 | from nocodb.nocodb import NocoDBProject, APIToken, JWTAuthToken 85 | from nocodb.filters import InFilter, EqFilter 86 | from nocodb.infra.requests_client import NocoDBRequestsClient 87 | import time 88 | 89 | 90 | # Usage with API Token 91 | client = NocoDBRequestsClient( 92 | # Your API Token retrieved from NocoDB conf 93 | APIToken("###"), 94 | # Your nocodb root path 95 | "https://db.int.de" 96 | ) 97 | 98 | project = NocoDBProject( 99 | "noco", # org name. noco by default 100 | "r4_p17" # project name. Case sensitive!! 101 | ) 102 | 103 | def update_db(): 104 | print("Updating...") 105 | table_name = "Linux-Support" 106 | 107 | table_rows = client.table_row_list(project, table_name)["list"] 108 | 109 | for row in table_rows: 110 | id = row["Id"] 111 | if row["Title"] != f"Ticket {id}": 112 | client.table_row_update(project, table_name, id, {"Title": f"Ticket {id}"}) 113 | 114 | if row["Rechnung versendet"] == 1: 115 | client.table_row_update(project, table_name, id, {"Status": "Erledigt"}) 116 | 117 | # If you want you can also update the whole row but that isn't recommended because of too many unrequired api calls on big datasets 118 | # Also race conditions while editing in the webui are rarer if you don't use the line underneath 119 | # client.table_row_update(project, table_name, id, row) 120 | 121 | 122 | # print(table_rows) 123 | 124 | if __name__ == "__main__": 125 | while True: 126 | update_db() 127 | time.sleep(10) 128 | ``` 129 | -------------------------------------------------------------------------------- /odoo-server/readme.md: -------------------------------------------------------------------------------- 1 | ## Official Odoo ERP System 2 | 3 | 4 | ```bash 5 | cd && mkdir odoo && cd odoo && vim docker-compose.yml 6 | ``` 7 | 8 | ```yaml 9 | version: "3.7" 10 | 11 | services: 12 | db: 13 | image: postgres:13 14 | restart: unless-stopped 15 | environment: 16 | - POSTGRES_USER=odoo 17 | - POSTGRES_PASSWORD=odoo 18 | - POSTGRES_DB=postgres 19 | volumes: 20 | - postgres-data:/var/lib/postgresql/data 21 | odoo: 22 | image: odoo 23 | restart: unless-stopped 24 | volumes: 25 | - odoo-data:/opt/odoo/data 26 | ports: 27 | - 10824:8069 28 | depends_on: 29 | - db 30 | 31 | volumes: 32 | postgres-data: 33 | odoo-data: 34 | ``` 35 | 36 | ```bash 37 | docker-compose up -d 38 | vim /etc/caddy/Caddyfile 39 | ``` 40 | 41 | ```caddy 42 | odoo.int.de { 43 | reverse_proxy localhost:10824 44 | } 45 | ``` 46 | 47 | ```bash 48 | systemctl restart caddy 49 | ``` 50 | 51 | 52 | The masterpassword for the setup is `ownerp2021`. 53 | 54 | Caddy: 55 | 56 | 57 | ``` 58 | 59 | 60 | ## Odoo ERP System from Equitania 61 | 62 | 63 | ### docker-compose.yml 64 | version: "3.7" 65 | 66 | services: 67 | live-db: 68 | image: postgres:12.6-alpine 69 | restart: unless-stopped 70 | environment: 71 | - POSTGRES_USER=ownerp 72 | - POSTGRES_PASSWORD=ownerp2021 73 | - POSTGRES_DB=postgres 74 | volumes: 75 | - postgres-data:/var/lib/postgresql/data 76 | odoo: 77 | image: myodoo/myodoo-13-public:210206 78 | restart: unless-stopped 79 | command: start 80 | volumes: 81 | - odoo-data:/opt/odoo/data 82 | ports: 83 | - 5000:8069 84 | depends_on: 85 | - live-db 86 | 87 | volumes: 88 | postgres-data: 89 | odoo-data: 90 | ``` 91 | 92 | The masterpassword for the setup is `ownerp2021`. 93 | -------------------------------------------------------------------------------- /onlyoffice-for-nextcloud/readme.md: -------------------------------------------------------------------------------- 1 | # ONLYOFFICE for Nextcloud 2 | 3 | Script: 4 | 5 | ```bash 6 | sudo -i 7 | cd && mkdir onlyoffice && cd onlyoffice && vim run.sh 8 | 9 | # Add: 10 | docker run -i -t -d -p 10923:80 --restart=unless-stopped \ 11 | --name onlyoffice -e JWT_ENABLED='true' -e JWT_SECRET='Ohgeaf6scha7Iu9U' onlyoffice/documentserver 12 | 13 | 14 | bash run.sh 15 | # 1 minutes after start of the container (if you are using local https) 16 | docker exec onlyoffice sed -i 's/"rejectUnauthorized": true/"rejectUnauthorized": false/g' /etc/onlyoffice/documentserver/default.json 17 | docker exec onlyoffice echo "192.168.178.84 cloud.int.de" >> /etc/hosts # If the DNS in onlyoffice doesnt work, this could help. 18 | docker restart onlyoffice 19 | ``` 20 | 21 | ## Caddyfile 22 | 23 | ```Caddyfile 24 | office.int.de { 25 | header { 26 | X-Forwarded-Proto: https; 27 | access-control-allow-origin: *; 28 | } 29 | reverse_proxy http://localhost:10923 30 | } 31 | ``` 32 | 33 | Why the headers? -> look here: 34 | 35 | ## How to configure in Nectcloud 36 | 37 | - Deactivate and remove Nextcloud Office 38 | - Install ONLYOFFICE 39 | - In the administration settings go to OnlyOffice and enter the adress and the password `Ohgeaf6scha7Iu9U` (The start of the docker container takes about 1 min) 40 | - Disable document preview in the "OnlyOffice" Settings of Nextcloud 41 | - Don't forget to hit 'save' in the bottom of "editor settings" 42 | -------------------------------------------------------------------------------- /openproject/readme.md: -------------------------------------------------------------------------------- 1 | # Open Project 2 | 3 | https://www.openproject.org/de/docs/installation-and-operations/installation/docker/#one-container-per-process-recommended 4 | 5 | (Copy the .env.example to .env) 6 | ```bash 7 | TAG=14-slim 8 | OPENPROJECT_HTTPS=true 9 | OPENPROJECT_HOST__NAME=openproject.int.de 10 | PORT=127.0.0.1:8080 11 | OPENPROJECT_RAILS__RELATIVE__URL__ROOT= 12 | IMAP_ENABLED=false 13 | DATABASE_URL=postgres://postgres:p4ssw0rd@db/openproject?pool=20&encoding=unicode&reconnect=true 14 | RAILS_MIN_THREADS=4 15 | RAILS_MAX_THREADS=16 16 | PGDATA="/var/lib/postgresql/data" 17 | OPDATA="/var/openproject/assets" 18 | PORT=19824 19 | ``` 20 | -------------------------------------------------------------------------------- /podman-on-ubuntu/readme.md: -------------------------------------------------------------------------------- 1 | # Podman on Ubuntu 2 | 3 | ```bash 4 | sudo apt install podman 5 | ``` 6 | 7 | To pull a specific image from docker hub, prepend `docker.io/` before the image. 8 | -------------------------------------------------------------------------------- /postgreql-server/readme.md: -------------------------------------------------------------------------------- 1 | # Postgresql server 2 | We will install it on ubuntu server 3 | 4 | ```bash 5 | sudo apt install postgresql 6 | 7 | # Change localhost to ip adress (needed, if docker containers want to connect) 8 | # Also remove the '#' from #password_encryption = scram-sha-256 9 | vim /etc/postgresql/15/main/postgresql.conf 10 | listen_addresses = '192.168.178.84' 11 | password_encryption = scram-sha-256 12 | 13 | sudo systemctl restart postgresql 14 | ``` 15 | 16 | ## Access Postgres Console: 17 | 18 | ```bash 19 | sudo -u postgres psql 20 | 21 | # List all databases inside shell: 22 | \l 23 | ``` 24 | 25 | ## Add user and database: 26 | In this case we add a user called nocodb. 27 | ```bash 28 | #sudo -u postgres createuser -P -d USERNAME 29 | sudo -u postgres createuser -P -d nocodb 30 | 31 | #sudo -u postgres createdb -O USERNAME DATABASE 32 | sudo -u postgres createdb -O nocodb nocodb 33 | 34 | 35 | # Set Authentication 36 | vim /etc/postgresql/15/main/pg_hba.conf 37 | # Change here the ip adress subnet from which connections are allowd 38 | # To allow all change it to 0.0.0.0/0 39 | host nocodb nocodb 192.168.178.0/24 scram-sha-256 40 | # For access from docker: 41 | # The best way is to add the specific ip adress of the docker container (docker inspect CONTAINER ID) 42 | host nocodb nocodb 172.22.0.3/24 scram-sha-256 43 | 44 | sudo systemctl restart postgresql 45 | ``` 46 | 47 | ## Connection issues? 48 | - Check the port in the postgresql.conf and the connecting application. These can slightly differ!!! The standard port in ubuntu postgresql is 5433. 49 | - Is SSL enabled? In this setup no ssl is used. 50 | -------------------------------------------------------------------------------- /rocketchat-on-docker/readme.md: -------------------------------------------------------------------------------- 1 | # Rocket.Chat with docker 2 | 3 | 4 | 5 | ```bash 6 | cd && mkdir rocket.chat && cd rocket.chat && vim docker-compose.yml 7 | 8 | # Insert: 9 | services: 10 | rocketchat: 11 | image: rocket.chat:TAG 12 | restart: unless-stopped 13 | environment: 14 | MONGO_URL: "mongodb://mongodb:27017/rocketchat?replicaSet=rs0" 15 | MONGO_OPLOG_URL: "mongodb://mongodb:27017/local?replicaSet=rs0" 16 | ROOT_URL: "https://chat.int.de" 17 | PORT: 3000 18 | DEPLOY_METHOD: "docker" 19 | OVERWRITE_SETTING_Show_Setup_Wizard: "completed" # You can uncomment this if you want to go through the setup wizard 20 | depends_on: 21 | - mongodb 22 | ports: 23 | - 18423:3000 24 | 25 | mongodb: 26 | image: docker.io/bitnami/mongodb:5.0 27 | restart: unless-stopped 28 | volumes: 29 | - mongodb_data:/bitnami/mongodb 30 | environment: 31 | MONGODB_REPLICA_SET_MODE: "primary" 32 | MONGODB_REPLICA_SET_NAME: "rs0" 33 | MONGODB_PORT_NUMBER: 27017 34 | MONGODB_INITIAL_PRIMARY_HOST: "mongodb" 35 | MONGODB_INITIAL_PRIMARY_PORT_NUMBER: 27017 36 | MONGODB_ADVERTISED_HOSTNAME: "mongodb" 37 | MONGODB_ENABLE_JOURNAL: "true" 38 | ALLOW_EMPTY_PASSWORD: "yes" 39 | 40 | volumes: 41 | mongodb_data: 42 | 43 | # Change the TAG and the root url 44 | 45 | 46 | docker-compose up -d 47 | ``` 48 | 49 | If mongodb says "illegal instructions" at beginning change the version of mongodb to `4.4`. 50 | 51 | ## Caddyfile 52 | 53 | ```caddyfile 54 | chat.int.de { 55 | reverse_proxy localhost:18423 56 | } 57 | ``` 58 | 59 | ## Disable signup and two factor authentication via mail 60 | 61 | - Administration -> Settings -> Accounts ("Konten") 62 | - In the section Two Factor Authentication disable it 63 | - In the section registration form change 'registration form' from public to disabled. 64 | 65 | ## Remove annoying buttons 66 | 67 | - In the settings open up "Layout": 68 | - In "customized css" insert this to hide the "free edition message" 69 | 70 | ```css 71 | .rcx-css-k29f7k { 72 | display: none; 73 | } 74 | ``` 75 | 76 | - In "customized script for logged in users" add this to remove the call button 77 | 78 | ```js 79 | var el1 = null; 80 | function hideCallButton() { 81 | console.log("run") 82 | el1 = document.querySelector('[data-qa-id="ToolBoxAction-phone"]'); 83 | if (el1 !== null) { 84 | console.log(el1); 85 | el1.style.display = "none"; 86 | } 87 | setTimeout(hideCallButton, 100); 88 | } 89 | setTimeout(hideCallButton, 100); 90 | ``` 91 | -------------------------------------------------------------------------------- /samba-dc/readme.md: -------------------------------------------------------------------------------- 1 | # Samba as Domain Controller 2 | 3 | Inspired by 4 | 5 | Chrony is not configured in this example. 6 | 7 | ```bash 8 | sudo -i 9 | hostnamectl set-hostname la 10 | 11 | echo "192.168.178.57 la.int.de la" >> /etc/hosts # IP of the server itself 12 | 13 | # Only on ubuntu: 14 | systemctl disable --now systemd-resolved 15 | unlink /etc/resolv.conf 16 | 17 | # Make sure you are not running any dns server 18 | sudo apt purge dnsmasq 19 | 20 | chattr -i -a /etc/resolv.conf 21 | vim /etc/resolv.conf 22 | # Insert: 23 | # OpenDNS 24 | nameserver 208.67.222.222 25 | # Samba server IP address 26 | nameserver 192.168.178.57 27 | # fallback 28 | nameserver 8.8.8.8 29 | # main domain for Samba 30 | search int.de 31 | 32 | 33 | # Make /etc/resolv.conf immutable because the system sometimes overwrites it. 34 | sudo chattr +i /etc/resolv.conf 35 | apt update && apt install -y acl attr samba samba-dsdb-modules samba-vfs-modules smbclient winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user dnsutils chrony net-tools samba-ad-provision 36 | # Default Keberos Realm: INT.DE 37 | # Kerberos Server for your realm: la.int.de 38 | # Administrations server for your realm: la.int.de 39 | 40 | systemctl disable --now smbd nmbd winbind 41 | systemctl unmask samba-ad-dc 42 | systemctl enable samba-ad-dc 43 | 44 | mv /etc/samba/smb.conf /etc/samba/smb.conf.bak 45 | samba-tool domain provision 46 | # Realm: INT.DE 47 | # Domain: INT 48 | # Server Role: dc 49 | # Backend: SAMBA_INTERNAL 50 | # DNS forwarder IP adress: 208.67.222.222 51 | # Administrator password: Gae7Eexo # Or take a password without bash special characters! 52 | 53 | mv /etc/krb5.conf /etc/krb5.conf.orig 54 | cp /var/lib/samba/private/krb5.conf /etc/krb5.conf 55 | 56 | systemctl start samba-ad-dc 57 | 58 | samba-tool domain passwordsettings set --complexity=off 59 | samba-tool domain passwordsettings set --history-length=0 60 | samba-tool domain passwordsettings set --min-pwd-age=0 61 | samba-tool domain passwordsettings set --max-pwd-age=0 62 | ``` 63 | 64 | ## Enable ldaps 65 | 66 | Currently they are self signed. 67 | 68 | ```bash 69 | cd /etc/samba/tls/ 70 | openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 3650 -out myCert.pem 71 | chmod 600 myKey.pem 72 | cp myCert.pem /var/www/cert/samba.crt 73 | 74 | vim /etc/samba/smb.conf 75 | # Add in [global] 76 | tls enabled = yes 77 | tls keyfile = /etc/samba/tls/myKey.pem 78 | tls certfile = /etc/samba/tls/myCert.pem 79 | tls cafile = 80 | 81 | systemctl restart samba-ad-dc.service 82 | ufw allow ldaps 83 | ``` 84 | 85 | ### Test 86 | 87 | ```bash 88 | LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://la.int.de -b "dc=int,dc=de" -v 89 | ``` 90 | 91 | ## Usermanagement 92 | 93 | ```bash 94 | sudo samba-tool user create USERNAME 95 | 96 | sudo samba-tool user edit USERNAME 97 | # Add for example the "mail" attribute 98 | 99 | sudo samba-tool user list 100 | sudo samba-tool user show USERNAME 101 | 102 | # Reset password 103 | sudo samba-tool user setpassword USERNAME 104 | 105 | samba-tool group addmembers GROUPNAME USERNAME 106 | ``` 107 | 108 | ### Disable /etc/nsswitch.conf entries 109 | (Because sometimes the unix user system is tricked) 110 | 111 | ```bash 112 | sudo vim /etc/nsswitch.conf 113 | # Remove "winbind" from the entries 114 | ``` 115 | 116 | ## Add/Remove/Update dns entry 117 | 118 | 119 | 120 | ```bash 121 | # Example to add chat.int.de DNS record 122 | samba-tool dns add la.int.de int.de chat A 192.168.178.57 -U administrator 123 | 124 | # Example to add a new zone (if we want to add different scnd level domains to our server) 125 | samba-tool dns zonecreate la.int.de int2.de -U administrator 126 | 127 | # Remove 128 | samba-tool dns delete la.int.de int.de chat A 192.168.178.57 -U administrator 129 | 130 | # Update 131 | samba-tool dns update la.int.de int.de chat A 192.168.0.55 192.168.0.66 -U administrator 132 | Old IP New IP 133 | ``` 134 | 135 | ```bash 136 | samba_dnsupdate --all-names 137 | ``` 138 | 139 | ## Add different apps 140 | 141 | ### Add nextcloud 142 | 143 | ```bash 144 | sudo apt install php-ldap 145 | sudo systemctl restart php8.2-fpm 146 | ``` 147 | - Enable the LDAP-App in Nextcloud 148 | - Server: `ldaps://localhost` Port: 636 149 | - Bind-DN `cn=Administrator,cn=users,dc=int,dc=de` 150 | - Password 151 | - Base-DN: `dc=int,dc=de` 152 | - In tab "Advanced" enable "Disable SSL-Check" 153 | - In tab "User": Custom LDAP-Request: `(objectclass=*)` 154 | - In tab "Login Atttributes": Custom LDAP-Request: `(&(&(|(objectclass=*)))(|(cn=%uid)(|(mail=%uid))))` 155 | - In tab "Groups": Custom LDAP-Request: `(|(cn=groups))` 156 | - In tab "Advanced": 157 | - Folder-Settings: 158 | - Base user tree: `cn=users,dc=int,dc=de` 159 | - Base group tree: `cn=users,dc=int,dc=de` 160 | - Group Member association: member (AD) 161 | - Special Properties: 162 | - Mail field: `mail` 163 | 164 | ```bash 165 | # Restart again 166 | sudo systemctl restart php8.2-fpm 167 | ``` 168 | 169 | ### Add Rocket.Chat 170 | 171 | - LDAP-Host: IP-Adress of the server 172 | - LDAP-Port: 636 173 | - Authentification: 174 | - Enable 175 | - `cn=Administrator,cn=users,dc=int,dc=de` 176 | - Password 177 | - Encryption 178 | - Encyption: SSL/LDAPS 179 | - Disable the certificate check 180 | - Click on save 181 | - Click on test connection 182 | - In User search: 183 | - Base-DN: `cn=users,dc=int,dc=de` 184 | - Searchfield: `cn,mail` 185 | -------------------------------------------------------------------------------- /samba-server/readme.md: -------------------------------------------------------------------------------- 1 | # Setup Samba Server for Windows and Linux Filesystem Share 2 | 3 | ## Server 4 | ```bash 5 | # Become root 6 | apt install samba 7 | 8 | # Prepare Storage space: 9 | mkdir /var/samba 10 | chmod 777 /var/samba 11 | 12 | cp /etc/samba/smb.conf /etc/samba/smb.conf.bak 13 | 14 | vim /etc/samba/smb.conf 15 | ``` 16 | 17 | **Content of smb.conf:** \ 18 | Configures a public file server at /media/samba/. 19 | ``` 20 | [global] 21 | workgroup = Fileserver 22 | security = user 23 | map to guest = Bad Password 24 | 25 | [homes] 26 | comment = Home Directories 27 | browsable = no 28 | read only = no 29 | create mode = 0750 30 | 31 | [public] 32 | path = /var/samba 33 | public = yes 34 | writable = yes 35 | comment = Fileserver 36 | printable = no 37 | guest ok = yes 38 | 39 | # For a specific user "laser" inside 40 | [laser-jobs] 41 | path = /data/samba_fs/laser-jobs 42 | read only = no 43 | writeable = yes 44 | browseable = yes 45 | valid users = laser 46 | create mask = 0644 47 | directory mask = 0755 48 | ; if you set this, all files get written as this user 49 | # force user = laser 50 | ``` 51 | 52 | ```bash 53 | # For the laser-jobs 54 | sudo smbpasswd -a laser 55 | sudo chown -R laser:laser /data/samba_fs/laser-jobs 56 | 57 | systemctl restart smbd.service samba* 58 | ufw allow 445 59 | ``` 60 | 61 | ### Add user 62 | 63 | Samba seems to have their own user management with password database 64 | 65 | ```bash 66 | sudo smbpasswd -a USERNAME 67 | ``` 68 | 69 | ## Linux Client: 70 | ### Nautilus: 71 | - select 'other' in the left bar 72 | - type `smb://IP-ADDRESS/public` into the server connection field 73 | - click on connect, and choose 'anoynmus' 74 | 75 | ### Nemo: 76 | - choose 'File -> connect with server' 77 | - choose 'windows share' 78 | - enter the ip adress of the fileserver into the server field 79 | - leave 'release' blank 80 | - as folder enter `/public` 81 | - click on 'Connect' 82 | - as username enter `nobody` 83 | - enter e.g. `x` into the password field. It is completely up to you what to choose. 84 | - finally click again on 'Connect' 85 | 86 | ### Mount 87 | ```bash 88 | sudo apt install cifs-utils -y 89 | 90 | # These two // in front of the ip address are correct and essential 91 | sudo mount -t cifs //IP-ADDRESS/public /mnt -o user=nobody 92 | # Leave password empty and just press enter 93 | ``` 94 | 95 | ## Windows Client: 96 | - Open explorer 97 | - rightclick network on the left side, select 'mount network filesystem' 98 | - write `\\IP-ADDRESS\public` into the text field and choose a network character, e.g. 'Z' 99 | -------------------------------------------------------------------------------- /security-check/README.md: -------------------------------------------------------------------------------- 1 | # Security Checks for Linux Server 2 | 3 | ## Software 4 | - Are Updates available? 5 | - Are PPAs or other sources activated? 6 | - Are automatic security updates activated? 7 | - Is log4j detected? 8 | - Is unused software installed? 9 | - Is wine installed? 10 | 11 | 12 | ## Network Security 13 | - Which ports are open? 14 | - Is a firewall installed and active? 15 | - Is root login over ssh deactivated? 16 | - Is password login over ssh activated? 17 | - Is the ssh port changed? 18 | - Is 2FA over ssh activated? 19 | - Is fail2ban activated? 20 | - Is sshguard activated and installed? 21 | - Is only https activated? 22 | 23 | ## Process Security 24 | - Are processes running as root? 25 | - Is a automatic backup system set up? 26 | - Is the system at the newest version? 27 | - Are the used passwords safe? 28 | - Are having mysql users the right to drop tables? https://stackoverflow.com/questions/64013450/how-to-remove-user-privileges-associated-with-the-dropped-table 29 | - Are suspicous processes running on your system? 30 | 31 | ## File security 32 | - Any passwords in plain files found? What do they reveal? 33 | - Are the owners/groups of the file correct? 34 | - Can others see the files? 35 | 36 | 37 | ## Checks with: 38 | - arachni-scanner 39 | -------------------------------------------------------------------------------- /smartstore/readme.md: -------------------------------------------------------------------------------- 1 | # Smartstore 2 | 3 | ```bash 4 | sudo -i 5 | cd && mkdir smartstore && cd smartstore && vim docker-compose.yml 6 | # Insert: 7 | version: '3.7' 8 | services: 9 | db: 10 | # We use a mariadb image which supports both amd64 & arm64 architecture 11 | image: mariadb:latest 12 | # If you really want to use MySQL, uncomment the following line 13 | #image: mysql:8.0.27 14 | command: '--default-authentication-plugin=mysql_native_password' 15 | volumes: 16 | - ./db_data:/var/lib/mysql 17 | restart: unless-stopped 18 | environment: 19 | - MYSQL_ROOT_PASSWORD=Thu8vee5 20 | - MYSQL_DATABASE=smartstore 21 | - MYSQL_USER=smartstore 22 | - MYSQL_PASSWORD=ohb5AwoF 23 | snmartstore: 24 | image: ghcr.io/smartstore/smartstore-linux:latest 25 | ports: 26 | - 40924:80 27 | restart: unless-stopped 28 | 29 | 30 | 31 | docker-compose up -d 32 | 33 | vim /etc/caddy/Caddyfile 34 | shop.int.de { 35 | reverse_proxy localhost:40924 36 | } 37 | 38 | 39 | systemctl restart caddy 40 | ``` 41 | 42 | - In the smartstore startup guide insert: 43 | - DB HOST: db 44 | - DB User: smartstore 45 | - DB Name: smartstore 46 | - DB User Password: ohb5AwoF 47 | -------------------------------------------------------------------------------- /thunderbird/readme.md: -------------------------------------------------------------------------------- 1 | # Thunderbird 2 | 3 | - Add mail accounts 4 | - Add cardbook and add CardDAV adress book 5 | - Add CalDAV calendars that the acceptance of appointments is possible 6 | - Install German dictionary and set it as default in spell check 7 | - Set the 3 column view 8 | - Grouped folders? 9 | - Fast filtering line 10 | -------------------------------------------------------------------------------- /vaultwarden-on-docker/readme.md: -------------------------------------------------------------------------------- 1 | # Vaultwarden with docker 2 | 3 | ```bash 4 | cd && mkdir vailtwarden && cd vaultwarden && vim docker-compose.yml 5 | 6 | # Insert: 7 | version: "2.1" 8 | services: 9 | vaultwarden: 10 | image: "vaultwarden/server:1.28.1" 11 | ports: 12 | - "14623:80" 13 | restart: unless-stopped 14 | volumes: 15 | - "./vw-data:/data" 16 | 17 | 18 | docker-compose up -d 19 | ``` 20 | 21 | Update the number to the latest version here: 22 | 23 | ## Caddyfile 24 | 25 | ```caddyfile 26 | DOMAIN { 27 | reverse_proxy localhost:14623 28 | } 29 | ``` 30 | -------------------------------------------------------------------------------- /watchtower/README.md: -------------------------------------------------------------------------------- 1 | # Watchtower 2 | 3 | To easily keep up to date your docker containers. 4 | 5 | ```bash 6 | cd && mkdir watchtower && cd watchtower && vim docker-compose.yml 7 | # Insert: 8 | services: 9 | watchtower: 10 | image: containrrr/watchtower 11 | restart: unless-stopped 12 | volumes: 13 | - /var/run/docker.sock:/var/run/docker.sock 14 | 15 | 16 | docker compose up -d 17 | ``` 18 | -------------------------------------------------------------------------------- /windows_on_linux_domain/readme.md: -------------------------------------------------------------------------------- 1 | # Connect Windows to Linux Workspace 2 | 3 | ## Prepare Virtual Machine 4 | 5 | - Start Download for Windows 10 6 | - Install the newest VirtualBox version from the official website 7 | - Download the extension pack for VirtualBox. 8 | - Install VirtualBox and the extension pack. 9 | - Run `sudo usermod -a -G vboxusers username` 10 | - Restart the computer 11 | - Create a new Virtual Machine and assign 4 to 8 GB of RAM and at least 2 CPU-Cores. 12 | - 3D acceleration is NOt recommended 13 | - Install Windows 10, you can call the user "Linux" 14 | - Install the VirtualBoxGuestAdditions in Windows. 15 | - Create a shared folder and activate the bidirectional copy buffer. 16 | - Create a desktop shortcut for the virtual machine and move it to .local/share/applications. 17 | - Create Snapshot 18 | 19 | ## Update DNS-Server 20 | 21 | - In the start menu search for "Network Connections" 22 | - Rightclick the Current Connection and select "Properties" 23 | - Select IPv4 and select Properties 24 | 25 | ## Install Root Certificate 26 | 27 | - Download lan.crt 28 | - In the windows explorer left and rightclick this file and select "install certifacte" 29 | - Select "local computer" 30 | - Select "All certificates in the following space" 31 | - Select "Trusted Root Certificate Issuers" ("Vertauenswürdige Stammzertifizierungstellen") 32 | - Click on okay, next and finish. 33 | - Restart Computer 34 | 35 | ## Add Nextcloud Drive 36 | 37 | - WebDAV doesn't work properly. Use the official nextcloud client with virtual sync instead. 38 | - Disable the server notifications in the nextcloud app settings. 39 | -------------------------------------------------------------------------------- /wordpress_docker/Readme.md: -------------------------------------------------------------------------------- 1 | # Wordporess (with docker) 2 | 3 | Docker-Compose 4 | 5 | ```docker-compose 6 | version: '3.7' 7 | 8 | services: 9 | db: 10 | # We use a mariadb image which supports both amd64 & arm64 architecture 11 | image: mariadb:latest 12 | # If you really want to use MySQL, uncomment the following line 13 | #image: mysql:8.0.27 14 | command: '--default-authentication-plugin=mysql_native_password' 15 | volumes: 16 | - ./db_data:/var/lib/mysql 17 | restart: unless-stopped 18 | environment: 19 | - MYSQL_ROOT_PASSWORD=Thu8vee5 20 | - MYSQL_DATABASE=wordpress 21 | - MYSQL_USER=wordpress 22 | - MYSQL_PASSWORD=Thu8vee5 23 | wordpress: 24 | image: wordpress:latest 25 | volumes: 26 | - ./html:/var/www/html 27 | ports: 28 | - 22122:80 29 | restart: unless-stopped 30 | environment: 31 | - WORDPRESS_DB_HOST=db 32 | - WORDPRESS_DB_USER=wordpress 33 | - WORDPRESS_DB_PASSWORD=Thu8vee5 34 | - WORDPRESS_DB_NAME=wordpress 35 | ``` 36 | 37 | ## Caddyfile 38 | 39 | ```ỳaml 40 | blog.int.de { 41 | reverse_proxy localhost:22122 42 | } 43 | ``` 44 | 45 | ## PHP Extensions 46 | 47 | Wordpress docker container is an extended php container: 48 | 49 | ```bash 50 | # Run inside the docker container 51 | docker-php-ext-install pdo_mysql 52 | 53 | # For e.g. redis run inside the container: 54 | pecl install redis 55 | docker-php-ext-enable redis 56 | ``` 57 | 58 | ## Change PHP-Values (e.g. upload sizce) 59 | 60 | ```bash 61 | vim html/.htaccess 62 | # Append: 63 | php_value upload_max_filesize 500M 64 | php_value post_max_size 500M 65 | 66 | 67 | docker-compose restart 68 | ``` 69 | -------------------------------------------------------------------------------- /xrdp-on-ubuntu-server/readme.md: -------------------------------------------------------------------------------- 1 | # Xrdp for ubuntu server 2 | 3 | ```bash 4 | sudo apt install xfce4 xrdp 5 | 6 | 7 | sudo vim /etc/xrdp/startwm.sh 8 | 9 | # Comment the following lines out and add startxfce4 10 | #test -x /etc/X11/Xsession && exec /etc/X11/Xsession 11 | #exec /bin/sh /etc/X11/Xsession 12 | startxfce4 13 | 14 | 15 | 16 | sudo systemctl restart xrdp 17 | ``` --------------------------------------------------------------------------------