├── FreeNAS ├── README.md ├── akaunting │ └── 1.md ├── bitcoin │ ├── README.md │ ├── extras.md │ ├── extras │ │ ├── compile_bitcoind.md │ │ ├── lnaddress.md │ │ └── torrelay.md │ ├── freenas_1_jail_creation.md │ ├── freenas_2_bitcoin.md │ ├── freenas_3_tor.md │ ├── freenas_4_electrum.md │ ├── freenas_5_lnd.md │ ├── freenas_5a_loopd.md │ ├── freenas_6_rtl.md │ ├── freenas_8_mempool.md │ ├── images │ │ ├── BSDBTC100.png │ │ ├── BSDBTC300.png │ │ ├── BSDBTC60.png │ │ ├── jail_create.png │ │ └── jail_port_forward.png │ └── wallets │ │ ├── bluewallet.md │ │ ├── green.md │ │ ├── img │ │ ├── spectersmall.png │ │ └── test.md │ │ ├── joule.md │ │ ├── specter.md │ │ ├── zap.md │ │ ├── zapandroid.md │ │ └── zeusln.md ├── jellyfin │ ├── 1_jail.md │ ├── 2_jellyfin.md │ ├── 3_aria2.md │ ├── 4_medusa.md │ └── README.md ├── matrix-synapse │ ├── 1_jail.md │ ├── 2_postgresql.md │ ├── 3_synapse.md │ ├── 4_nginx.md │ ├── 5_registration.md │ ├── 7_coturn.md │ ├── 8_call.md │ ├── 9_bridges.md │ ├── README.md │ ├── bridges │ │ ├── email.md │ │ ├── facebook.md │ │ ├── groupme.md │ │ ├── instagram.md │ │ └── twitter.md │ └── images │ │ └── matrix60.png ├── mumble │ ├── 1_jail_creation.md │ ├── 2_murmur.md │ ├── 3_ssl_domain.md │ ├── 4_acl.md │ ├── README.md │ └── images │ │ ├── jailmumble.png │ │ ├── mumble.jpg │ │ ├── mumble60.png │ │ ├── mumbleportforward.png │ │ ├── mumbleportforwardcomplete.png │ │ ├── saveapply.png │ │ └── unsavedchanges.png ├── nextcloud │ ├── 1_jail.md │ ├── 2_mariadb.md │ ├── 3_php.md │ ├── 4_apache.md │ ├── 5_nextcloud.md │ ├── 6_reverseproxy.md │ ├── 7_collabora.md │ ├── README.md │ └── images │ │ ├── nc60.png │ │ └── temp ├── plex │ └── README.md ├── tor_relay │ ├── README.md │ └── images │ │ ├── test.md │ │ └── tor60.png ├── transmission │ ├── flaresolverr.md │ └── tdarr.md └── webserver │ ├── 1_jail_creation.md │ ├── 2_nginx.md │ ├── 3_mysql.md │ ├── 4_php.md │ ├── 5_wordpress.md │ ├── 6_reverse_proxy.md │ ├── README.md │ └── images │ ├── jailblog.png │ ├── 
reverseproxyjail.png │ ├── reverseproxyportforwardrouter.png │ ├── routerhostname.png │ └── wordpress60.png ├── HomeAssistant ├── LZW31.md └── shelly_plus_1.md ├── LICENSE.md └── LICENSE.md ├── OpenWRT ├── README.md ├── security │ ├── 1_install_client.md │ ├── 2_install_openssh.md │ ├── 3_keys.md │ ├── 4_bastion.md │ ├── 5_hardening.md │ ├── README.md │ └── images │ │ ├── ssh60.png │ │ └── temp.md └── upnp_natpmp.md └── README.md

/FreeNAS/README.md:
--------------------------------------------------------------------------------
Seth586😈guides

I am not a professional programmer or unix administrator, use at your own risk!
Contributions are welcome!

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

| **FreeNAS / TrueNAS Guides:** | |
| --------------- | --------------- |
| ![BSDBTC60.png](bitcoin/images/BSDBTC60.png) | [TrueNASnode](bitcoin/README.md) - Full bitcoin stack deployment guide |
| ![tor60.png](tor_relay/images/tor60.png) | [TOR Relay](tor_relay/README.md) |
| ![mumble60.png](mumble/images/mumble60.png) | [Mumble Server](mumble/README.md) |
| ![wordpress60.png](webserver/images/wordpress60.png) | [Wordpress Website with Reverse Proxy](webserver/README.md) |
| ![nc60.png](nextcloud/images/nc60.png) | [Nextcloud Server](nextcloud/README.md) |

| **OpenWRT Guides:** | |
| --------------- | --------------- |
| ![ssh60.png](OpenWRT/security/images/ssh60.png) | [SSH PublicKey Authentication thru Bastion](https://github.com/seth586/guides/blob/master/OpenWRT/security/README.md) |
--------------------------------------------------------------------------------
/FreeNAS/akaunting/1.md:
--------------------------------------------------------------------------------
### PHP Mail
```
# sysrc sendmail_enable="YES"
sendmail_enable: NO -> YES
# sysrc sendmail_msp_queue_enable="YES"
sendmail_msp_queue_enable: NO -> YES
# service sendmail start
```
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/README.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

**[Intro]** - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Intro

I have been running a TrueNAS server for a few years now, and have come to appreciate what it offers as a personal home server. It is well known for media streaming & aggregation, and file hosting.

## Why TrueNAS? Raspberry Pis are much cheaper!

Answer: [TrueNAS](https://github.com/lightningnetwork/lnd/issues/1214)[ fixes](https://github.com/lightningnetwork/lnd/issues/3760)[ this](https://github.com/lightningnetwork/lnd/issues/3861). Drive failure and power loss are the most common ways your lightning database can become corrupt. TrueNAS protects you from both scenarios.

Raspberry Pis are awesome: they are cheap, consume tiny amounts of electricity, and a ton of documentation exists for so many projects, including bitcoin and lightning. The problem with Raspberry Pis is the storage on these setups. These drives are 1 spinning platter or 1 SSD away from catastrophic failure due to power loss corruption or drive degradation.

TrueNAS is special because of the hard drive redundancy features.
TrueNAS utilizes the resilient and modern ZFS file system, which not only adds redundancy, but checksums every block on your drives to detect and automatically repair silent corruption. ZFS is better than hardware RAID, which is [obsolete](http://newsvideo.su/tech/video/102062)! If you follow the [TrueNAS documentation](https://www.truenas.com/docs/core/), you will be set up to automatically run SMART tests on your hard drives, scrub data to verify & fix disk errors, and receive email alerts if a drive begins failing on you, allowing you to insert a new drive and resilver without any downtime. Add a battery backup, set up UPS monitoring & controlled shutdowns on power loss & emails, and you are running an enterprise grade environment at home, protecting your lightning database from corruption in the most common scenarios.

TrueNAS is based on FreeBSD, a UNIX style operating system similar to Linux. FreeBSD uses jails to separate operating environments, similar in purpose to virtual machines, except that jails share the host kernel and are much more efficient and less resource intensive than virtualization. For example, my server has separate jails for plex, medusa, transmission, SoftEther, bitcoin core & electrum-personal-server & lnd, nextcloud, etc. If I 'mess up', it's easy to nuke the jail and start over, without ever damaging the host system or other jails.

### What is the build cost of a TrueNAS system?
You can buy older generation servers on ebay for dirt cheap! If you want something "price is not a problem" new for bitcoin, nextcloud, plex + transcoding, here is a buy list:

Latest Generation:

$230 Motherboard: [SUPERMICRO MBD-X11SSM-F-O Micro ATX Server Motherboard LGA 1151 Intel C236](https://www.newegg.com/Product/Product.aspx?Item=N82E16813183013)

$208 ECC RAM (x2): [Supermicro MEM-DR480L-SL01-EU24 8GB (1x8GB) DDR4 2400 (PC4 19200) ECC Unbuffered Memory RAM](https://www.newegg.com/Product/Product.aspx?Item=9SIA7S67Y98853)

$215 CPU: [Intel Xeon E3-1220 V6](https://www.newegg.com/Product/Product.aspx?Item=N82E16819117790)

$440 Mass Storage (2+raidz2=4 or 4+raidz2=6): [WD Red 4TB NAS Hard Disk Drive](https://www.newegg.com/Product/Product.aspx?item=N82E16822236599)

$80 Power Supply: [Any Seasonic Brand with 8 or more SATA power cables.](https://www.newegg.com/Product/Product.aspx?Item=9SIADZJ5W07067)

$110 Case: [Fractal Design Node 804](https://www.newegg.com/Product/Product.aspx?Item=N82E16811352047)

Total: $1283

#### Whoa, I don't want to spend that much!
Thanks to our 21st century craving for all things digital, last generation hardware is being sold for pennies on the dollar! Just search ebay for "server Xeon E3 V3" and you can find fully equipped systems for $200-300, such as the HP Proliant ML310e Gen8 V2 or Dell T20 series.

Now compare the performance between a V3 and a V6 Xeon:
https://www.cpubenchmark.net/compare/Intel-Xeon-E3-1220-v3-vs-Intel-Xeon-E3-1220-v6/2022vs3131

Yeah, you can save a lot of $ running last gen used server gear!

### Requirements
So, at this point we can assume that you built your home server. Hopefully you were smart enough to follow the [hardware recommendation guide](https://forums.freenas.org/index.php?resources/hardware-recommendations-guide.12/). My basic recommendation is this: make sure you get a server class motherboard that has an Intelligent Platform Management Interface (IPMI) and use Error-Correcting Code (ECC) RAM. I highly recommend 6 hard drives in RAIDZ2 configuration, it is the best space and redundancy for the money. Any number of drives in RAIDZ1 loses all redundancy the moment you have a hard drive failure, and 4 drives in RAIDZ2 only has half the storage capacity of 6 drives in RAIDZ2. If the value proposition is getting pricey, start with smaller hard drives. You can't add drives to a RAIDZ vdev once it's set up, however you can replace drives with larger drives, and once all 6 drives are the larger size, you get to increase the size of the volume.

### Assumptions
I am assuming you know your way around your router. My example router is a Linksys WRT1900ACv1 running OpenWRT. Your router configuration user interface may be different than explained here.

Let's also assume that you installed TrueNAS on your home server (Version 11.2), navigated the [TrueNAS forums](https://www.truenas.com/community/), read the [TrueNAS documentation](https://www.ixsystems.com/documentation/freenas/), and set up a ZFS volume. Make sure you set up your SMART tests, scrub schedule, email alerts, and UPS shutdown at low battery level!

Within this guide, any time a command line is represented by a single `#` hash, that represents the command line as root user inside your bitcoin jail. Any commands outside this definition are represented by their full path, which may differ from what you see based on how you named your server. Hopefully the guide is clear enough. If not, PLEASE reach out to me!

### Goal
By the end of this guide, we will have bitcoin core installed, serving connections over IP and tor. We will install electrum-personal-server, so we can use a hardware wallet to cold store our bitcoin savings, verified with our own node.
We will have Lightning Labs' lnd implementation to onboard the lightning network, and we will use the Ride The Lightning web user interface to manage our lnd server, as well as install the Joule browser extension and connect it to our lnd server. Electrum, Joule, and Ride The Lightning will be usable remotely over tor hidden services.

### Methodology
There is more than 1 way to skin a cat. These are the preferred methods followed in this guide that may differ from other guides:

1. Minimize software requirements. This guide does not use systemd, which is a monolithic layer that acts between the kernel and the user space. It has its place, but we don't need it. I don't have an [opinion](https://muchweb.me/systemd-nsa-attempt/) on the matter, but FreeBSD's own `daemon(8)` and rc.d scripts have enough functionality to supervise our processes.

2. Minimal configuration. This guide is a baseline to get set up. Whenever a configuration file is referenced, follow the supporting docs to explore further configuration options.

### Recommendations
Use a password manager to keep track of all the passwords required to run TrueNAS and your software. It's good cypherpunk habit to use unique strong passwords with 3rd parties, too. KeePassDX is an encrypted open source password manager that runs on android. It can generate strong passwords for you.

### Personal Notes
This guide is written not only to benefit others, but myself as well. Sometimes I don't touch my server for months on end, and forget how I set things up or did things. This guide is my attempt to act on my belief in the [Cypherpunk Manifesto](https://www.activism.net/cypherpunk/manifesto.html). If cypherpunks can't write code, then cypherpunks deploy code.

This guide will be kept up to date.

### Contact me
If you have any trouble with this guide, or want to share something to improve the guide, contact me! No question is too dumb! I'd rather help people deploy code than waste time browsing social media!

Matrix: [#TrueNASnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

Email: seth586@protonmail.com

Tip jar: https://strike.me/seth

Nostr NIP05: seth586@nym.im

Nostr NIP19 pubkey: npub1seth586kfq48s004fa2uudm03kxssx9cjjnrk8alxlv379ct9f5qgsqe0t

Nostr hex pubkey: 86577a1f56482a783df54f55ce376f8d8d0818b894a63b1fbf37d91f170b2a68

### Shout outs
Special thanks to the Stadicus Raspberry pi guide for inspiring this freebsd guide, check it out here:
https://github.com/Stadicus/guides/blob/master/raspibolt/README.md

Next: [ [Jail Creation](freenas_1_jail_creation.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/extras.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - **[Extras]**

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### My Extras

#### [Lightning Address](extras/lnaddress.md)
Receive lightning payments to a static internet identifier `you@example.com` powered by LNURL

#### [Run LND on clearnet](https://github.com/seth586/guides/blob/master/OpenWRT/upnp_natpmp.md)
Don't have a static IP address?
`lnd` will lose peer connections unless you configure `nat=true` and have a working UPnP implementation. This is a process to ensure your UPnP implementation is secure.

#### [Manually compile bitcoind](extras/compile_bitcoind.md)
Some situations require you to compile directly from source code.

### Mobile Wallets for Android over Tor Hidden Service
Connect securely, privately, and anonymously to your home node wherever you are in the world!

#### [Zeus LN](wallets/zeusln.md)

#### [Blockstream Green](wallets/green.md)

#### [BlueWallet](wallets/bluewallet.md)

### Mobile Wallets for iOS over Tor Hidden Service

#### [Zap iOS](wallets/zap.md)

### Browser Enabled Wallets

#### [Joule](wallets/joule.md)

#### [Specter](wallets/specter.md) - A new electrum alternative

### External guides

#### [SoftEther VPN in a FreeNAS jail](https://forums.freenas.org/index.php?threads/alternative-to-openvpn-softether-vpn.47395/)
Want to use a mobile lightning wallet away from your home network? Set up a VPN server at home, so you can securely connect to your `lnd` on the road! SoftEther offers a free DNS service, a great option if your ISP changes your home IP address on you!
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/extras/lnaddress.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

# Extra: Lightning Address

[Lightning Address](https://lightningaddress.com/), part of the LNURL spec [LUD16](https://github.com/lnurl/luds/blob/luds/16.md), allows you to receive payments to a static internet identifier, e.g. `you@domain.com`. While this is outside the LN spec & relies on traditional webserver infrastructure (TLS, DNS, webserver, etc), [BOLT12](https://bolt12.org/) offers a potential native solution for static identifiers. We will use [ligess](https://github.com/Dolu89/ligess/) as our personal lightning address server.

## 1. Requirements:

A DNS resolved domain & TLS terminated webserver, such as the [reverse proxy](https://github.com/seth586/guides/blob/master/FreeNAS/webserver/6_reverse_proxy.md) guide.

Let's get started!

## 2. Convert `invoice.macaroon` to hex in your `bitcoin` jail:
```
# hexdump -ve '1/1 "%.2x"' /var/db/lnd/data/chain/bitcoin/mainnet/invoice.macaroon
```
The invoice macaroon is limited to invoice and address permissions, which is all ligess needs to create invoices; never hand it the admin macaroon.

## 3. Create `lnaddress` jail

In this example I used static address `192.168.84.22` for my jail.
SSH in:
```
# pkg install nginx yarn-node18 git nano
# git clone https://github.com/dolu89/ligess
# cd ligess && yarn install
# cp .env.example .env
# nano .env
```
Edit .env: (adjust to your settings)
```
LIGESS_USERNAME=seth586
LIGESS_DOMAIN=example.com

LIGESS_LN_BACKEND=LND

LIGESS_LND_REST=https://192.168.84.21:8080
LIGESS_LND_MACAROON=INVOICEMACAROONHEXFORMATABC123ETC...
```
Save (CTRL+O, ENTER) and Exit (CTRL+X). Because `.env` now holds the macaroon, restrict it to its owner: `chmod 600 .env`.

## 4. Set up nginx
```
# sysrc nginx_enable=yes
# nano /usr/local/etc/nginx/nginx.conf
```
Add the following location block to your server{} block and remove any other location {} blocks:
```
location /.well-known/lnurlp/seth586 {
    proxy_pass http://127.0.0.1:3000;
}
```
Save (CTRL+O, ENTER) and Exit (CTRL+X)

Start nginx: `service nginx start`

## 5. Test ligess
```
# cd /root/ligess && yarn dev
```
Open a web browser, and go to your `lnaddress` jail's IP address:
```
http://192.168.84.22/.well-known/lnurlp/seth586
```
You should see a JSON response with the following details:
```
{"status":"OK","callback":"https://example.com/.well-known/lnurlp/seth586","tag":"payRequest","maxSendable":100000000,"minSendable":1000,"metadata":"[[\"text/identifier\",\"seth586@example.com\"],[\"text/plain\",\"Satoshis to seth586@example.com\"]]","commentAllowed":0}
```
Press Ctrl+C to terminate the process

## 6. rc.d script
`nano /usr/local/etc/rc.d/ligess`:
```
#!/bin/sh
#
# PROVIDE: ligess
# REQUIRE: NETWORKING
# KEYWORD: shutdown

. /etc/rc.subr

name="ligess"
rcvar="ligess_enable"
ligess_chdir="/root/ligess"
ligess_command="/usr/local/bin/node /root/ligess/index.js"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
# -P: supervisor pidfile, -r: restart on exit, -f: detach stdio
command_args="-P ${pidfile} -r -f ${ligess_command}"

load_rc_config $name
: ${ligess_enable:=no}

run_rc_command "$1"
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

As written this runs node as root out of `/root`. To run it with fewer privileges, create a dedicated user, move the checkout into that user's home directory (and adjust `ligess_chdir` and `ligess_command`), and add `-u <user>` to `command_args`; `daemon(8)` then writes the pidfile as root before dropping to that user.
```
# chmod +x /usr/local/etc/rc.d/ligess
# sysrc ligess_enable=yes
# service ligess start
```
Test again. Should work!

## 7. DNS resolve & TLS terminate
Let's make this reachable from the public internet and secure it with TLS to prevent man-in-the-middle attacks.

SSH into your `reverseproxy` jail, and create the following entry if you followed the [reverseproxy](https://github.com/seth586/guides/blob/master/FreeNAS/webserver/6_reverse_proxy.md) guide

`nano /usr/local/etc/nginx/vdomains/example.com.conf`:

Add the following to your server{} block:
```
location /.well-known/lnurlp/seth586 {
    proxy_pass http://192.168.84.22:80;
    add_header "Access-Control-Allow-Origin" *;
}
```
Save (CTRL+O, ENTER) and Exit (CTRL+X)

Restart nginx `service nginx restart` and attempt over a TLS connection:
```
https://example.com/.well-known/lnurlp/seth586
```
Note that the hop from the reverse proxy to the `lnaddress` jail is plain HTTP on your LAN; TLS only covers the public side.

Try it out, send a tip to: `seth586@nym.im`

Note: if your only inbound liquidity is on private channels, payers will not be able to reach you. As of right now, ligess does [not support](https://github.com/Dolu89/ligess/issues/7) adding private routing hints to its invoices.
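Before pointing wallets at the address, it is worth checking the JSON from step 5 against what LUD-06/LUD-16 payers actually verify. The following Python check is an added example, not ligess code and not part of this guide; it assumes, as this guide's setup does, that the callback lives on the same domain as the address, and it uses the step 5 response (with `example.com`) as a constructed sample.

```python
"""Validate an LNURL-pay (LUD-06/LUD-16) response before advertising an address.

Added example, not ligess code. Checks the JSON served at
/.well-known/lnurlp/<user>: tag, callback scheme and host, sendable bounds
(in millisatoshis) and the metadata the payer hashes into the invoice.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the response this guide shows for seth586@example.com.
SAMPLE_RESPONSE = (
    '{"status":"OK","callback":"https://example.com/.well-known/lnurlp/seth586",'
    '"tag":"payRequest","maxSendable":100000000,"minSendable":1000,'
    '"metadata":"[[\\"text/identifier\\",\\"seth586@example.com\\"],'
    '[\\"text/plain\\",\\"Satoshis to seth586@example.com\\"]]","commentAllowed":0}'
)


def validate_lnurlp(body: str, address: str) -> list:
    """Return a list of problems; an empty list means the response is usable."""
    problems = []
    try:
        r = json.loads(body)
    except ValueError as e:
        return [f"not JSON: {e}"]
    if r.get("status") == "ERROR":
        return [f"server reported error: {r.get('reason')}"]
    user, _, domain = address.partition("@")

    if r.get("tag") != "payRequest":
        problems.append("tag must be payRequest")

    cb = urlsplit(str(r.get("callback", "")))
    # LUD-01: https on the clearnet, plain http only for .onion endpoints.
    if cb.scheme != "https" and not (cb.hostname or "").endswith(".onion"):
        problems.append("callback must use https (wallets will refuse http)")
    # Assumption for this guide's setup: callback is served on the address's own domain.
    if cb.hostname != domain:
        problems.append(f"callback host {cb.hostname!r} != {domain!r}")
    if cb.path != f"/.well-known/lnurlp/{user}":
        problems.append(f"callback path {cb.path!r} does not match user {user!r}")

    mn, mx = r.get("minSendable"), r.get("maxSendable")
    if not (isinstance(mn, int) and isinstance(mx, int) and 0 < mn <= mx):
        problems.append("minSendable/maxSendable must be integers with 0 < min <= max")

    # metadata is a JSON array serialised *inside* a JSON string; the payer
    # hashes that exact string into the invoice description_hash, so it must parse.
    try:
        kinds = {k: v for k, v in json.loads(r.get("metadata", ""))}
    except (ValueError, TypeError):
        problems.append("metadata is not a JSON array of [mime, value] pairs")
        kinds = {}
    if "text/plain" not in kinds:
        problems.append("metadata needs a text/plain entry")
    if str(kinds.get("text/identifier", "")).lower() != address.lower():
        problems.append("metadata text/identifier does not match the address")
    return problems


if __name__ == "__main__":
    print(validate_lnurlp(SAMPLE_RESPONSE, "seth586@example.com") or "OK")
```

Run it against `curl -s https://example.com/.well-known/lnurlp/seth586` output after step 7; an empty list means the callback, bounds and identifier all line up with the address you are handing out.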
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/extras/torrelay.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

## Tor Relay

While it is safe and relatively anonymous to run a relay and a hidden service from the same internet connection, it isn't perfect. Do not run a relay from the same internet connection as your bitcoin & lightning jail if you require *absolute* anonymity! See [this](https://research.kudelskisecurity.com/2013/09/04/dont-run-a-tor-router-and-a-hidden-service-from-the-same-connection/) for details. Your home router should be beefy enough to handle 7,000+ connections, and the tor project recommends a minimum of 16 Mbit download and upload speed for relays.

Create a new jail, forward TCP port 9001 to this jail's IP address, and ssh in.

### Install and configure tor:
```
# pkg install tor ca_root_nss nano nyx
# rm /usr/local/etc/tor/torrc
# nano /usr/local/etc/tor/torrc
```
Edit the configuration file for tor (I recommend setting up a burner email you can check once in a while):
```
# change the nickname "myNiceRelay" to a name that you like
Nickname myNiceRelay
ORPort 9001
ControlPort 9051
CookieAuthentication 1
ExitRelay 0
SocksPort 0
BandwidthRate 16 Mbits
BandwidthBurst 64 Mbits
MaxAdvertisedBandwidth 16 Mbits
# Change the email address below and be aware that it will be published
ContactInfo tor-operator@your-emailaddress-domain
Log notice syslog
```
Set `BandwidthRate` below the lower of your download and upload speed. So if your ISP provides 500 Mbit download and 250 Mbit upload, do not use any value over 250 Mbit. Check your speed [here](https://beta.speedtest.net/).

`ExitRelay 0` keeps this a middle relay, so no exit traffic ever leaves your home IP, and `SocksPort 0` means this instance is only a relay, not a client.

Save (Ctrl+o, ENTER) and exit (Ctrl+x)

Enable tor at boot:
```
# sysrc tor_enable="YES"
```

### Set up auto updates:
```
# nano /root/pkg_upgrade.sh
```
Enter the following script:
```
#!/usr/bin/env sh
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
# sleep a random number of seconds so every jail does not hit the package mirror at once
RAND=$(jot -r 1 300)
sleep ${RAND}
env AUTOCLEAN=YES ASSUME_ALWAYS_YES=YES HANDLE_RC_SCRIPTS=YES pkg upgrade
```
Save (Ctrl+o, ENTER) and exit (Ctrl+x)

### Make executable and schedule the job to run:
```
# chmod +x /root/pkg_upgrade.sh
# echo "0 0 * * * root /bin/sh /root/pkg_upgrade.sh >/dev/null" >> /etc/crontab
# service cron restart
```
### Enable random IP IDs (see [this](https://mebsd.com/freebsd-security-hardening/protecting-freebsd-with-sysctl-101.html))
```
# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
```
If `sysctl net.inet.ip.random_id=1` is refused with "Operation not permitted" inside the jail, the kernel does not let jails change this setting; set it on the TrueNAS host instead.

Reboot your jail and ssh back in. `ps aux` should show tor running!

### Nyx

Let's use a terminal UI to monitor the usage of our relay!

```
# nyx
```
To exit, press (Ctrl+C)

It will take about ~3 hours for your relay to propagate through the network. Search for your node here: https://metrics.torproject.org/rs.html

It takes a good two weeks before you will see steady traffic, see this tor project blog post [here](https://blog.torproject.org/lifecycle-new-relay).
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_1_jail_creation.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [**Jail Creation**] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Jail Creation

Think of jails as more efficient virtual machines (VMs). You could just install a bunch of VMs on TrueNAS, run linux on them, and pick your choice of the many linux guides available online. But running a VM requires a lot more resources than a jail, allocating memory just for that VM, etc. Plus, if we mess up, we can delete the jail and start over. Anything we do in the jail should not mess up anything on the host machine. After all, we built a computer with server grade hardware for the uptime!

TrueNAS uses iocage to manage jails. Previous versions used warden, which is now considered deprecated. To create a jail, log in to your TrueNAS user interface, and select Jails on the left hand menu. Click the 'ADD' button on the top right, and select 'advanced jail creation'.

![TrueNAS_Jail](images/jail_create.png)

Give the jail a name, such as `bitcoin`. Select release `11.2-RELEASE`, select `DHCP Autoconfigure IPv4` and select `Auto-start` as shown. Click `SAVE`.

It would be a good idea to log into your router and give your bitcoin jail a static IP address (a DHCP reservation), otherwise the port forward below will break when the lease changes. Also forward port 8333 from your WAN to your jail's LAN IP address. For example, my internal IP address assigned to my bitcoin jail is 192.168.84.123

![TrueNAS_Jail_Port_Forward](images/jail_port_forward.png)

*Your router's firmware may look different. This is how it looks on OpenWRT.*
```
Name : bitcoin
Protocol: TCP
External Zone: WAN
External Port: 8333
Internal Zone: LAN
Internal IP address: (insert your jail IP here)
Internal Port: 8333
```

Port 8333 (the bitcoin P2P port) is the only port that needs to be reachable from the internet; the RPC, ZMQ, lnd and electrum ports stay on the LAN or behind the tor hidden service configured later in this guide.

Next: [ [Install Bitcoin](freenas_2_bitcoin.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_2_bitcoin.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [**Bitcoin**] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Bitcoin Install

View the [Extras](extras.md) page if you want to manually compile bitcoind.

Secure Shell (SSH) into your truenas server. SSH is a way to manage your server remotely over a network. When you don't plug a monitor & keyboard directly into the server, it's called a 'headless' server. The most popular SSH client is called [PuTTY, download it here](https://www.putty.org/).
Connect to your TrueNAS' IP address, and log in with your root credentials.

```
# iocage list
```

You should see your bitcoin jail listed. Let's switch our console from our base system to our jail.

```
# iocage console bitcoin
```

You're in! Install `bitcoin-daemon`
```
# pkg install -y bitcoin-daemon bitcoin-utils nano
# sysrc bitcoind_enable="YES"
# cat <<EOT >> /usr/local/etc/bitcoin.conf
server=1
txindex=1
zmqpubrawblock=tcp://127.0.0.1:28332
zmqpubrawtx=tcp://127.0.0.1:28333
EOT
# nano /usr/local/etc/rc.d/bitcoind
```

`server=1` turns on the JSON-RPC interface, which by default listens only on localhost and authenticates with the `.cookie` file in the data directory; the ZMQ endpoints are bound to 127.0.0.1 as well, so only processes inside this jail (lnd, electrum-personal-server) can reach them.

Change the pid file in the rc.d startup script.

Remove the `#` comment before `pidfile="/var/run/${name}.pid"`

Delete the entire line: `pidfile="${bitcoind_data_dir}/bitcoind.pid"`

Save (Ctrl+O, ENTER) and exit (Ctrl+X)

Some apps, like `lnd`, look for the config file in the bitcoin data directory. It is FreeBSD tradition to keep config files in `/usr/local/etc`. So let's make a hard link so the config file exists in both spots. Changing one will change the other. Then start bitcoind and check sync progress:

```
# ln /usr/local/etc/bitcoin.conf /var/db/bitcoin/bitcoin.conf
# service bitcoind start
# bitcoin-cli -datadir=/var/db/bitcoin getblockchaininfo
```

Wait until sync is complete, once blocks=headers you're good to go. Let this run overnight.

### Shell Alias
Typing in `-datadir=/var/db/bitcoin` every time we want to run a bitcoin-cli command is cumbersome, let's make a shell alias.
```
# alias bitcoin-cli bitcoin-cli -datadir=/var/db/bitcoin
# bitcoin-cli getnetworkinfo
```
Success! Now let's make this survive a reboot, `nano ~/.cshrc` and add the following line:
```
alias bitcoin-cli bitcoin-cli -datadir=/var/db/bitcoin
```
Save (Ctrl+O, ENTER) and exit (Ctrl +X)

### How to upgrade bitcoind:
```
# service bitcoind stop
# pkg update && pkg upgrade bitcoin-daemon bitcoin-utils
# nano /usr/local/etc/rc.d/bitcoind
```
The upgrade replaces the rc.d script, so redo the pidfile edit:

Remove the `#` comment before `pidfile="/var/run/${name}.pid"`
Delete the entire line `pidfile="${bitcoind_data_dir}/bitcoind.pid"`

Save (Ctrl+O, ENTER) and exit (Ctrl+X)

Start bitcoin:
```
# service bitcoind start
```

Next: [ [Install Tor](freenas_3_tor.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_3_tor.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [**Tor & i2p**] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Why use privacy networks?

Tor is a communications protocol that encrypts and anonymizes communications by bouncing encrypted data between relays, so that no single relay sees both who you are and who you are talking to. It's like using several different VPNs between client and server. Tor also allows you to securely and privately remote connect to your home server with a static address and zero router configuration!
Hidden Service Version 3 addresses are not discoverable, so you don't have to worry about exposing ports to the public, as long as you don't share your hidden service onion address!

i2p is similar to Tor, but runs as a distributed system instead of a curated one. i2p was recently [supported](https://i2pd.readthedocs.io/en/latest/user-guide/FAQ/#how-is-i2p-different-from-tor) by Bitcoin Core 0.22. We will use the C++ version, [i2pd](https://www.freshports.org/security/i2pd/).

## Install & Configure Tor
```
root@bitcoin:~ # pkg install tor nano
root@bitcoin:~ # nano /usr/local/etc/tor/torrc
```
Uncomment (remove the `#` from) the following lines:
```
DataDirectory /var/db/tor
ControlPort 9051
CookieAuthentication 1
```
Add the following lines:
```
CookieAuthFile /var/db/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
CacheDirectoryGroupReadable 1
```

Add the following lines to privately serve your remote clients for mobile lightning wallets (`8080` and `10009`) and electrum (`50001`):

```
HiddenServiceDir /var/db/tor/remote_connections
HiddenServiceVersion 3
HiddenServicePort 50001 127.0.0.1:50001
HiddenServicePort 8080 127.0.0.1:8080
HiddenServicePort 10009 127.0.0.1:10009
```
Save (CTRL+O, ENTER), then exit (CTRL+X)

Enable autostart by adding `tor_enable="YES"` to `/etc/rc.conf`:
```
# sysrc tor_enable="YES"
```

Add user `bitcoin` to the `_tor` group so that bitcoin can read the cookie authentication file in `/var/db/tor`, then stop bitcoind, start tor, and start bitcoind again:
```
# pw usermod bitcoin -G _tor
# service bitcoind stop
# service tor start
# service bitcoind start
# bitcoin-cli -datadir=/var/db/bitcoin getnetworkinfo
```
You should see a .onion address listed!
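Two checks worth running on the hidden service configured above, as an added example (this is not code from the guide or from Tor): parse the `HiddenServiceDir`/`HiddenServicePort` lines of a torrc and flag any port that forwards to a host other than loopback, and validate the structure and checksum of a v3 onion hostname (the algorithm from Tor's rend-spec-v3: base32 of pubkey, 2-byte SHA3-256 checksum and version byte 3). The torrc text is constructed to mirror the guide's lines, with one extra non-loopback line added on purpose for the demo; the placeholder hostname from the guide fails validation because it is not a real address.

```python
import base64
import hashlib
import re

# Constructed torrc excerpt (not the guide's file): the guide's hidden service
# plus one deliberately wrong line forwarding to a LAN host instead of loopback.
SAMPLE_TORRC = """\
DataDirectory /var/db/tor
ControlPort 9051
CookieAuthentication 1
CookieAuthFile /var/db/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
CacheDirectoryGroupReadable 1

HiddenServiceDir /var/db/tor/remote_connections
HiddenServiceVersion 3
HiddenServicePort 50001 127.0.0.1:50001
HiddenServicePort 8080 127.0.0.1:8080
HiddenServicePort 10009 127.0.0.1:10009
HiddenServicePort 22 192.168.84.21:22
"""

ONION_V3_VERSION = b"\x03"


def parse_hidden_services(torrc_text):
    """Return {HiddenServiceDir: {"version": int|None, "ports": [(virtual, target)]}}.

    Tor attaches HiddenServiceVersion/HiddenServicePort lines to the most
    recent HiddenServiceDir, so the parser tracks the current directory.
    """
    services = {}
    current = None
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "hiddenservicedir":
            current = parts[1]
            services[current] = {"version": None, "ports": []}
        elif key == "hiddenserviceversion" and current:
            services[current]["version"] = int(parts[1])
        elif key == "hiddenserviceport" and current:
            virtual_port = int(parts[1])
            # Tor defaults the target to 127.0.0.1:<virtual_port> when omitted.
            target = parts[2] if len(parts) > 2 else "127.0.0.1:%d" % virtual_port
            services[current]["ports"].append((virtual_port, target))
    return services


def non_loopback_targets(services):
    """List (dir, virtual_port, target) entries whose target is not loopback.

    Every HiddenServicePort in the guide points at 127.0.0.1; anything else
    publishes a different host through the onion address and deserves review.
    """
    findings = []
    for hs_dir, svc in services.items():
        for virtual_port, target in svc["ports"]:
            host = target.rsplit(":", 1)[0]
            if host not in ("127.0.0.1", "localhost", "[::1]"):
                findings.append((hs_dir, virtual_port, target))
    return findings


def encode_onion_v3(pubkey):
    """Build a v3 onion hostname from a 32-byte ed25519 public key."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_V3_VERSION).decode().lower() + ".onion"


def is_valid_onion_v3(hostname):
    """True iff hostname has v3 shape (56 base32 chars), version 3 and a good checksum."""
    m = re.fullmatch(r"([a-z2-7]{56})\.onion", hostname.strip().lower())
    if not m:
        return False
    raw = base64.b32decode(m.group(1).upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == ONION_V3_VERSION and checksum == expected


if __name__ == "__main__":
    for finding in non_loopback_targets(parse_hidden_services(SAMPLE_TORRC)):
        print("non-loopback HiddenServicePort:", finding)
    print(is_valid_onion_v3("myprivateonionaddressocyn4rixm632jid.onion"))
```

Run it against your own `/usr/local/etc/tor/torrc` and `/var/db/tor/remote_connections/hostname` by reading those files into `parse_hidden_services` and `is_valid_onion_v3`; a hostname that fails the checksum is a copy/paste error, not a Tor problem.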
View the private onion address of your new hidden service:
```
# cat /var/db/tor/remote_connections/hostname
myprivateonionaddressocyn4rixm632jid.onion
```

Bootstrap your Tor peer discovery by manually adding known Tor peers (public list available [here](https://github.com/bitcoin/bitcoin/blob/master/contrib/seeds/nodes_main.txt)), and run a few informational commands:
```
# bitcoin-cli -datadir=/var/db/bitcoin addnode 2g5qfdkn2vvcbqhzcyvyiitg4ceukybxklraxjnu7atlhd22gdwywaid.onion:8333 add
# bitcoin-cli -datadir=/var/db/bitcoin -addrinfo
# bitcoin-cli -datadir=/var/db/bitcoin -netinfo 4
```

### How to upgrade tor:
```
# service tor stop
# pkg update && pkg upgrade tor
# service tor start
```

## Install & Configure i2pd

Bitcoind's use of i2pd is well documented [here](https://github.com/bitcoin/bitcoin/blob/master/doc/i2p.md).
```
# pkg install i2pd
# sysrc i2pd_enable="YES"
# nano /usr/local/etc/i2pd/i2pd.conf
```
The following configuration changes enable the SAM protocol hidden service for bitcoind and turn on the web UI for monitoring. This is not the complete configuration file; these are just the fields you should change. The [http] `address =` field should be your jail IP; this is the web UI used to monitor your i2pd session.
```
...
loglevel = none
[http]
enabled = true
address = 192.168.84.21
port = 7070
[httpproxy]
enabled = false
[socksproxy]
enabled = false
[sam]
enabled = true
[bob]
enabled = false
[i2cp]
enabled = false
[i2pcontrol]
enabled = false
[upnp]
enabled = false
```
Save (CTRL+O, ENTER) and exit (CTRL+X).
Edit bitcoin.conf with `nano /usr/local/etc/bitcoin.conf` and add the following lines:

```
i2psam=127.0.0.1:7656
i2pacceptincoming=1
```
Save (CTRL+O, ENTER) and exit (CTRL+X).

### Optional: Relay

If you want to donate bandwidth as an i2p relay, add the following; pick a random `port =` between 10000 and 65000 to share 256KB/s:

`nano /usr/local/etc/i2pd/i2pd.conf`:
```
port = 12345
bandwidth = O
```
Port forward TCP+UDP `port =` from your router to your bitcoin jail `port =`.

### Start & verify
```
# service bitcoind stop
# service i2pd start
# service bitcoind start
# bitcoin-cli getnetworkinfo
```
Open a browser and navigate to your bitcoin jail on port 7070, e.g. `http://192.168.84.21:7070/`. Network status should read "Firewalled" if you are not running a relay, and "OK" if you are. Click `SAM Sessions`; you should see bitcoind's SAM session! You can go back and disable the [http] section in `/usr/local/etc/i2pd/i2pd.conf` if you don't want to monitor, or add password credentials to secure the monitoring & configuration interface.
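The guide leaves the i2pd web UI listening on the jail IP with no login, and suggests either turning it off or adding credentials. The following added example (not from the guide or from i2pd) audits an `i2pd.conf` for exactly the settings this page touches: it flags a LAN-reachable `[http]` UI without `auth = true`, a disabled `[sam]` section (which would break bitcoind's `i2psam=`), and an enabled `[upnp]` section. The two config excerpts are constructed; the `[http]` keys `auth`, `user` and `pass` are real i2pd options, and the password shown is a placeholder.

```python
import configparser

# Constructed i2pd.conf excerpts (not the guide's file). WEAK mirrors the guide:
# web UI on the jail IP, no login. HARDENED keeps monitoring but adds basic auth.
WEAK_I2PD_CONF = """\
loglevel = none
[http]
enabled = true
address = 192.168.84.21
port = 7070
[sam]
enabled = true
[upnp]
enabled = false
"""

HARDENED_I2PD_CONF = """\
loglevel = none
[http]
enabled = true
address = 192.168.84.21
port = 7070
auth = true
user = i2pd
pass = CHANGE-ME-PLACEHOLDER
[sam]
enabled = true
[upnp]
enabled = false
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def load_i2pd_conf(text):
    """Parse i2pd.conf. i2pd allows keys before the first section header (for
    example loglevel), which configparser rejects, so those are put into a
    synthetic [global] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[global]\n" + text)
    return cp


def _truthy(cp, section, key, default="false"):
    """i2pd accepts true/false (and 1/0); missing section or key counts as the default."""
    return cp.get(section, key, fallback=default).strip().lower() in ("true", "1", "yes", "on")


def audit_i2pd_conf(text):
    """Return human-readable findings for the settings the guide touches."""
    cp = load_i2pd_conf(text)
    findings = []
    if _truthy(cp, "http", "enabled"):
        address = cp.get("http", "address", fallback="127.0.0.1").strip()
        port = cp.get("http", "port", fallback="7070").strip()
        if address not in LOOPBACK and not _truthy(cp, "http", "auth"):
            findings.append("[http] web UI on %s:%s is reachable from the LAN without auth" % (address, port))
    if not _truthy(cp, "sam", "enabled"):
        findings.append("[sam] enabled = false: bitcoind's i2psam= setting will not work")
    if _truthy(cp, "upnp", "enabled"):
        findings.append("[upnp] enabled = true: router ports will be opened automatically")
    return findings


if __name__ == "__main__":
    print("weak:", audit_i2pd_conf(WEAK_I2PD_CONF))
    print("hardened:", audit_i2pd_conf(HARDENED_I2PD_CONF))
```

Feed it `open("/usr/local/etc/i2pd/i2pd.conf").read()` in the jail to check the live file; an empty list means none of these three conditions applies.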
### Bootstrap i2p peers
Find a list of publicly maintained addresses [here](https://github.com/bitcoin/bitcoin/blob/master/contrib/seeds/nodes_main.txt)
```
# bitcoin-cli -datadir=/var/db/bitcoin addnode 4hllr6w55mbtemb3ebvlzl4zj6qke4si7zcob5qdyg63mjgq624a.b32.i2p:0 add
# bitcoin-cli -datadir=/var/db/bitcoin -addrinfo
# bitcoin-cli -datadir=/var/db/bitcoin -netinfo 4
```

### How to upgrade i2p:
```
# service i2pd stop
# pkg update && pkg upgrade i2pd -y
# service i2pd start
```

Next: [ [Electrum](freenas_4_electrum.md) ]

--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_4_electrum.md:
--------------------------------------------------------------------------------

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [**Electrum**] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Electrs: Electrum In Rust

Read more about electrs on its GitHub page [here](https://github.com/romanz/electrs)

### 1. Set up environment
```
# pkg install rust llvm14 nano
```

### 2. Compile & Install
Check for the latest releases [here](https://github.com/romanz/electrs/releases)
```
# cd ~
# fetch https://github.com/romanz/electrs/archive/refs/tags/v0.10.2.tar.gz
# tar -xvf v0.10.2.tar.gz
# cd electrs*
# cargo build --release
```

If you get an error, see this [issue for FreeBSD systems](https://github.com/romanz/electrs/issues/132#issuecomment-481870879) for the fix, then rerun `cargo build --release`.

Install and clean up:
```
# install -m 0755 -o root -g wheel /root/electrs*/target/release/electrs /usr/local/bin
# rm -r ~/electrs*
# mkdir /var/db/electrs
```
### 3. Create RPC credentials for Bitcoin Core

Download the rpcauth tool as documented [here](https://github.com/bitcoin/bitcoin/tree/master/share/rpcauth). Save its output.

```
# pkg install python39
# fetch https://raw.githubusercontent.com/bitcoin/bitcoin/master/share/rpcauth/rpcauth.py
# python3.9 ./rpcauth.py electrs
String to be appended to bitcoin.conf:
rpcauth=electrs:5d0d70936350d0a79b588a9bb2906ea1$82afc2d29dfcfd808acd98f855cf47989564d8f1cd55b515f23fb10ace0dd75a
Your password:
2tm5NiN8wZVyjx_hgUL5O8it68WfoadHDEZ-v6w_RhQ=
```

Add the `rpcauth=` string above to `bitcoin.conf` and configure RPC access. Make sure that `rpcallowip=` matches your local subnet address range.
```
# nano /usr/local/etc/bitcoin.conf
rpcauth=electrs:5d0d70936350d0a79b588a9bb2906ea1$82afc2d29dfcfd808acd98f855cf47989564d8f1cd55b515f23fb10ace0dd75a
rpcallowip=192.168.84.0/24
rpcbind=0.0.0.0
```
Save (CTRL+O,ENTER) and exit (CTRL+X)

Restart bitcoind, and make sure it is running successfully after the restart by running `ps aux`.
```
# service bitcoind restart
# ps aux
USER      PID  %CPU %MEM     VSZ     RSS TT  STAT STARTED     TIME COMMAND
bitcoin 76206   4.4  2.2 4551716 1449288  -  SJ   Wed23  426:49.66 /usr/local/bin/bitcoind -conf=/usr/local/etc/bitcoin.conf -datadir=/var/db/bitcoin
...
```
### 4. Create user & config
See config notes [here](https://github.com/romanz/electrs/blob/master/doc/config_example.toml)
```
# pw adduser electrs -d /nonexistent -s /usr/sbin/nologin
# mkdir /usr/local/etc/electrs
# nano /usr/local/etc/electrs/config.toml
```

Use the `username:password` generated by `rpcauth.py` for the `auth =` field.

If you want to serve local home network connections in addition to Tor connections, replace the `127.0.0.1` in `electrum_rpc_addr =` with your bitcoin jail's IP. You will then need to change the target IP address of the `HiddenServicePort` line in `/usr/local/etc/tor/torrc` to your bitcoin jail's IP address as well.

```
daemon_rpc_addr = "127.0.0.1:8332"
auth = "electrs:2tm5NiN8wZVyjx_hgUL5O8it68WfoadHDEZ-v6w_RhQ="
db_dir = "/var/db/electrs"
network = "bitcoin"
electrum_rpc_addr = "127.0.0.1:50001"
log_filters = "INFO"
```
Save (CTRL+O,ENTER) and exit (CTRL+X)

### 5. Create permissions & test run
```
# chown -R electrs:electrs /var/db/electrs
# chown -R electrs:electrs /usr/local/etc/electrs
# chmod -R 500 /usr/local/etc/electrs
# su -m electrs -c 'electrs --conf=/usr/local/etc/electrs/config.toml --skip-default-conf-files'
```

Electrs should begin to index the blockchain into its own database. Stop the app with Ctrl+C.

### 6. rc.d script

```
# nano /usr/local/etc/rc.d/electrs
```

Paste the following script:
```
#!/bin/sh
#
# PROVIDE: electrs
# REQUIRE: bitcoind
# KEYWORD:

. /etc/rc.subr

name="electrs"
rcvar="electrs_enable"
electrs_command="/usr/local/bin/electrs --conf=/usr/local/etc/electrs/config.toml"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -u electrs -r -f ${electrs_command}"

load_rc_config $name
: ${electrs_enable:=no}

run_rc_command "$1"
```
Save (ctrl+o, enter) and exit (ctrl+x)

Make the script executable:
```
# chmod +x /usr/local/etc/rc.d/electrs
```
And enable on startup:
```
# sysrc electrs_enable="YES"
```
Give it a whirl:
```
# service electrs start
```

Electrs will begin to index the blockchain into its own database. This can take a few hours, depending on your CPU and disk IO. When it's done indexing, it will start to serve connections.

### 7. Client Setup
Right click on your Windows Electrum client shortcut, select Properties, and modify the target (use your .onion address, or your bitcoin jail IP if configured in step 4):
```
"C:\Program Files (x86)\Electrum\electrum-3.3.4.exe" -1 -s myprivateonionaddressocyn4rixm632jid.onion:50001:t
```
Start your Tor Browser to connect to the Tor network. Start Electrum, select Tools > Network > Proxy and enable `use tor proxy at port 9150`. You should connect!
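Back to step 3: the `rpcauth=` line is `user:salt$hash`, where `salt` is 16 random bytes in hex and `hash` is HMAC-SHA256 keyed with the salt over the password, so `bitcoin.conf` never holds the password itself. The following added example (not code from the guide, from Bitcoin Core or from `rpcauth.py`) reproduces that construction, verifies a username/password pair against an existing line, and scans a `bitcoin.conf` for a clear-text `rpcpassword=` or a `rpcbind=0.0.0.0` that exposes RPC on every interface, as in the guide's own config. The `bitcoin.conf` text is constructed from the guide's lines; the `rpcauth` line from the guide is only parsed, since its password is not checked here.

```python
import base64
import hashlib
import hmac
import os
import re

# user : 32 hex chars of salt $ 64 hex chars of HMAC-SHA256
RPCAUTH_RE = re.compile(r"^rpcauth=([^:$\s]+):([0-9a-f]{32})\$([0-9a-f]{64})$")


def generate_password():
    """Same shape as rpcauth.py: 32 random bytes, URL-safe base64."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def make_rpcauth(username, password, salt=None):
    """Build the rpcauth= line: hash = HMAC-SHA256(key=salt_hex, msg=password)."""
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hmac.new(salt.encode(), password.encode(), hashlib.sha256).hexdigest()
    return "rpcauth=%s:%s$%s" % (username, salt, digest)


def parse_rpcauth(line):
    """Split an rpcauth= line into (user, salt, digest); reject anything malformed."""
    m = RPCAUTH_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed rpcauth line")
    return m.group(1), m.group(2), m.group(3)


def verify_rpcauth(line, username, password):
    """True iff username/password match the line; constant-time digest compare."""
    user, salt, digest = parse_rpcauth(line)
    if user != username:
        return False
    expected = hmac.new(salt.encode(), password.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)


def audit_bitcoin_conf(text):
    """Findings for the RPC-related keys; a malformed rpcauth= raises ValueError."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = [s.strip() for s in line.split("=", 1)]
        if key == "rpcauth":
            parse_rpcauth("rpcauth=" + value)
        elif key == "rpcpassword":
            findings.append("rpcpassword= stores the RPC password in clear text; prefer rpcauth=")
        elif key == "rpcbind" and (value.split(":")[0] == "0.0.0.0" or value in ("::", "[::]")):
            findings.append("rpcbind=%s exposes RPC on every interface; keep rpcallowip= tight" % value)
    return findings


# Constructed bitcoin.conf, assembled from the lines the guide adds.
SAMPLE_BITCOIN_CONF = """\
server=1
txindex=1
rpcauth=electrs:5d0d70936350d0a79b588a9bb2906ea1$82afc2d29dfcfd808acd98f855cf47989564d8f1cd55b515f23fb10ace0dd75a
rpcallowip=192.168.84.0/24
rpcbind=0.0.0.0
"""

if __name__ == "__main__":
    pw = generate_password()
    line = make_rpcauth("electrs", pw)
    print(line)
    print("verify:", verify_rpcauth(line, "electrs", pw))
    print(audit_bitcoin_conf(SAMPLE_BITCOIN_CONF))
```

With the guide's settings, `rpcallowip=` is what keeps the `0.0.0.0` bind from being reachable by the whole network; the audit reports the bind so you remember that pairing. Electrs itself only needs `127.0.0.1:8332`, so `rpcbind=0.0.0.0` is only required for other LAN clients.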
### How to update electrs
```
# service electrs stop
# pkg update && pkg upgrade rust
# cd ~
# rm -r electrs*
# fetch https://github.com/romanz/electrs/archive/refs/tags/v0.10.2.tar.gz
# tar -xvf v0.10.2.tar.gz
# cd electrs*
# cargo build --release
# install -m 0755 -o root -g wheel /root/electrs*/target/release/electrs /usr/local/bin
# rm -r ~/electrs*
# service electrs start && tail -f /var/db/electrs/bitcoin/LOG
```

### Bonus: Reverse proxy configuration for domain & SSL certificate access
If you want to access Electrum without using a VPN or Tor, you can have an SSL/TLS encrypted connection by configuring your [reverse proxy](https://github.com/seth586/guides/blob/master/FreeNAS/webserver/6_reverse_proxy.md): append the block below to the bottom of `/usr/local/etc/nginx/nginx.conf` in your reverseproxy jail:
```
### ELECTRUM.EXAMPLE.COM
stream {
    upstream electrs {
        server 192.168.84.21:50001;
    }

    server {
        listen 50002 ssl;
        proxy_pass electrs;
        ssl_certificate /usr/local/etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /usr/local/etc/letsencrypt/live/example.com/privkey.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 4h;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
    }
}
### / ELECTRUM
```

Replace `192.168.84.21` with the jail hosting electrs. TLSv1 and TLSv1.1 are deprecated; unless you must support an old Electrum client, trim the list to `ssl_protocols TLSv1.2 TLSv1.3;`. Then add `load_module /usr/local/libexec/nginx/ngx_stream_module.so;` as the very first line of `nginx.conf`.
Save (CTRL+O, ENTER) and exit (CTRL+X), then reload nginx with `service nginx restart`.

Next: [ [lnd](freenas_5_lnd.md) ]

--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_5_lnd.md:
--------------------------------------------------------------------------------

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [**lnd**] - [ [loopd ](freenas_5a_loopd.md)] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Install Lightning Lab's LND

If not already there, SSH into your freenas box as root, then switch to your bitcoin jail:
```
root@freenas[~] # iocage console bitcoin
```

Check [LND's github repo](https://github.com/lightningnetwork/lnd/releases) for the latest release; make sure you select the correct binaries for your processor and operating system (amd64 is for AMD and Intel processors).
```
# pkg install wget ca_root_nss
# cd ~
# wget https://github.com/lightningnetwork/lnd/releases/download/v0.16.4-beta/lnd-freebsd-amd64-v0.16.4-beta.tar.gz
# tar -xvf lnd-freebsd-amd64*
# install -m 0755 -o root -g wheel ~/lnd-freebsd-amd64*/* /usr/local/bin
# rm -r ~/lnd-freebsd-amd64*
```
### LND Configuration
Read up on configuration options [here](https://github.com/lightningnetwork/lnd/blob/master/sample-lnd.conf).
Edit your lnd config file with `nano /usr/local/etc/lnd.conf`:
```
[Application Options]
lnddir=/var/db/lnd
alias=insert_something_catchy_here
listen=localhost
restlisten=127.0.0.1:8080
rpclisten=127.0.0.1:10009
tlsextraip=0.0.0.0
minchansize=900000
maxlogfiles=1
maxlogfilesize=10
accept-keysend=true
accept-amp=true
protocol.wumbo-channels=1

[Bitcoin]
bitcoin.active=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
bitcoin.basefee=1000
bitcoin.feerate=100
bitcoin.timelockdelta=40

[Bitcoind]
bitcoind.dir=/var/db/bitcoin

[tor]
tor.active=true
tor.socks=localhost:9050
tor.dns=nodes.lightning.directory
tor.control=localhost:9051
tor.v3=1
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

### Configuration Notes
This configuration uses Tor for the benefit of a static address, NAT traversal, and to avoid doxing your home IP address. Don't tell the world "this house has bitcoins!" If you want to run on clearnet and advertise your home IP address, check out the [Extras](extras.md) page to set up `nat=true` in a secure fashion.

Fees. You may have to pay fees to other nodes when you rebalance channels, and you may have to close and reopen channels to disconnected nodes, which requires on-chain fees. Don't operate at a loss! Do NOT make a 0 fee node; this leaves you vulnerable to denial of service attacks!
`bitcoin.basefee=1000` = Fee of 1 satoshi (1000 millisatoshi) per payment forwarded

`bitcoin.feerate=100` = Fee of 100 satoshis per million forwarded (0.01% fee)

### LND Startup and initialization
Create the `lnd` user and data directory, then start `lnd`:
```
# pw adduser lnd -d /nonexistent -s /usr/sbin/nologin
# pw usermod lnd -G lnd,_tor,bitcoin
# mkdir /var/db/lnd && chown lnd:lnd /var/db/lnd && chmod -R 700 /var/db/lnd
# su -m lnd -c 'lnd --configfile=/usr/local/etc/lnd.conf'
```
If it works, you should see the following message:
```
Attempting automatic RPC configuration to bitcoind
Automatically obtained bitcoind's RPC credentials
2019-02-07 22:00:34.994 [INF] LTND: Version: 0.5.2-beta commit=v0.5.2-beta, build=production, logging=default
2019-02-07 22:00:34.994 [INF] LTND: Active chain: Bitcoin (network=mainnet)
2019-02-07 22:00:35.013 [INF] CHDB: Checking for schema update: latest_version=7, db_version=7
2019-02-07 22:00:35.054 [INF] RPCS: password gRPC proxy started at [::]:8080
2019-02-07 22:00:35.054 [INF] RPCS: password RPC server listening on 127.0.0.1:10009
2019-02-07 22:00:35.054 [INF] LTND: Waiting for wallet encryption password. Use `lncli create` to create a wallet, `lncli unlock` to unlock an existing wallet, or `lncli changepassword` to change the password of an existing wallet and unlock it.
```
Open another SSH terminal window, log in to your TrueNAS server, and switch to your bitcoin jail. We will use `lncli` to create a wallet and store the recovery key.
```
# lncli -lnddir "/var/db/lnd" create
```
Follow the prompt to create a wallet. Pick a strong wallet password. Write down your 24 word seed on paper, and store it somewhere safe!

We are done with this terminal; close it.

In your other terminal window, `lnd` will begin its sync.
Once the sync is complete, you will see a bunch of "New channel discovered" messages; exit `lnd` (CTRL+C).

### Configure start on boot & restart

We will again use [daemon](https://www.freebsd.org/cgi/man.cgi?query=daemon) to run our `lnd` process at bootup, and restart the process should it fail.

Let's make the [rc.d script](https://www.freebsd.org/doc/en/articles/rc-scripting/). Edit the script with `nano /usr/local/etc/rc.d/lnd`:
```
#!/bin/sh
#
# PROVIDE: lnd
# REQUIRE: bitcoind tor
# KEYWORD: shutdown

. /etc/rc.subr

name="lnd"
rcvar="lnd_enable"
lnd_user="lnd"

start_cmd="lnd_start"
status_cmd="lnd_status"
stop_cmd="lnd_stop"
stop_postcmd="lnd_wait"
command="/usr/local/bin/lnd"
daemon_command="/usr/sbin/daemon"
pidfile="/var/run/${name}.pid"

load_rc_config $name
: ${lnd_enable:=no}

: ${lnd_config_file:="/usr/local/etc/lnd.conf"}

# set up dependent variables
procname="${command}"
required_files="${lnd_config_file}"

lnd_status()
{
    local pid
    pid=$(check_pidfile "${pidfile}" "${procname}")
    if [ -z "${pid}" ]
    then
        echo "LND is not running"
        return 1
    else
        echo "LND running, pid: ${pid}"
    fi
}

lnd_start()
{
    echo "Starting lnd:"
    ${daemon_command} -u "${lnd_user}" -p "${pidfile}" -f \
        ${command} \
        --configfile="${lnd_config_file}"
}

lnd_stop()
{
    echo "Stopping LND:"
    pid=$(check_pidfile "${pidfile}" "${procname}")
    if [ -z "${pid}" ]
    then
        echo "LND is not running"
        return 1
    else
        kill ${pid}
    fi
}

lnd_wait()
{
    local n=60
    echo "Waiting for LND shutdown:"
    while :
    do
        printf '.'
        pid=$(check_pidfile "${pidfile}" "${procname}")
        if [ -z "${pid}" ]
        then
            printf '\n'
            break
        fi
        sleep 1
        n=$((${n} - 1))
        if [ ${n} -eq 0 -a -f "${pidfile}" ]
        then
            printf "\nForce shutdown"
            kill -9 $(cat "${pidfile}")
            for n in 1 2 3
            do
                printf '.'
                sleep 1
            done
            printf '\n'
            break
        fi
    done
    rm -f "${pidfile}"
    echo "Shutdown complete"
}

run_rc_command "$1"
```
Save (CTRL+O,ENTER) and exit (CTRL+X)

Make the startup script executable:
```
# chmod +x /usr/local/etc/rc.d/lnd
```

Enable our service with `nano /etc/rc.conf` and append the following line:
```
lnd_enable="YES"
```
Save (CTRL+O,ENTER) then exit (CTRL+X)

Let's verify lnd auto boots on startup:
```
# exit
root@freenas[~]# iocage restart bitcoin
root@freenas[~]# iocage console bitcoin
# ps aux
```
### Unlock wallet on `lnd` reboot or restart
Note: any time `lnd` restarts, you will need to unlock the wallet again.
```
# lncli -lnddir "/var/db/lnd" unlock
```
Type in the password to unlock your wallet. This is a security function in case someone steals your server! In the next guide, you will install a web user interface called `RTL`, which makes unlocking your wallet much easier.

### Upgrade LND
Read the release notes; if a lot changed, you may have to close channels or do something else to prepare for the upgrade!
```
# service lnd stop
# cd ~
# wget https://github.com/lightningnetwork/lnd/releases/download/v0.17.1-beta/lnd-freebsd-amd64-v0.17.1-beta.tar.gz
# tar -xvf lnd-freebsd-amd64*
# install -m 0755 -o root -g wheel ~/lnd-freebsd-amd64*/* /usr/local/bin
# rm -r ~/lnd-freebsd-amd64*
# service lnd start && tail -f /var/db/lnd/logs/bitcoin/mainnet/lnd.log
```

Unlock lnd with RTL. Watch the logs to make sure that the database migration is successful:
```
tail -f /var/db/lnd/logs/bitcoin/mainnet/lnd.log
```

Next: [ [Install Lightning Lab's Loop client](freenas_5a_loopd.md) ]

--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_5a_loopd.md:
--------------------------------------------------------------------------------

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd ](freenas_5_lnd.md)] - [**loopd**] - [ [RTL](freenas_6_rtl.md) ] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Install Lightning Lab's Loop client

If not already there, SSH into your freenas box as root, then switch to your bitcoin jail:
```
root@freenas[~] # iocage console bitcoin
```

Check [lightning lab's loop github repo](https://github.com/lightninglabs/loop/releases) for the latest release; make sure you select the correct binaries for your processor and operating system
(amd64 is for AMD and Intel processors).
```
# cd ~
# wget https://github.com/lightninglabs/loop/releases/download/v0.23.0-beta/loop-freebsd-amd64-v0.23.0-beta.tar.gz
# tar -xvf loop-freebsd-amd64*
# install -m 0755 -o root -g wheel loop-freebsd-amd64*/* /usr/local/bin
# rm -r ~/loop-freebsd-amd64*
```

### Configure start on boot & restart

We will again use [daemon](https://www.freebsd.org/cgi/man.cgi?query=daemon) to run our `loopd` process at bootup, and restart the process should it fail.

Let's make the [rc.d script](https://www.freebsd.org/doc/en/articles/rc-scripting/):
```
# nano /usr/local/etc/rc.d/loopd
```
Paste the following service script into nano:
```
#!/bin/sh
#
# PROVIDE: loopd
# REQUIRE: bitcoind tor lnd
# KEYWORD:

. /etc/rc.subr

name="loopd"
rcvar="loopd_enable"

loopd_command="/usr/local/bin/loopd --configfile=/usr/local/etc/loopd.conf"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -u lnd -r -f ${loopd_command}"

load_rc_config $name
: ${loopd_enable:=no}

run_rc_command "$1"
```
Save (CTRL+O,ENTER) and exit (CTRL+X)

Make the startup script executable:
```
# chmod +x /usr/local/etc/rc.d/loopd
```

Enable our service with `nano /etc/rc.conf` and append the following line:
```
loopd_enable="YES"
```
Save (CTRL+O,ENTER) then exit (CTRL+X)

Set permissions and create the config file:
```
# mkdir /var/db/loopd && chown lnd:lnd /var/db/loopd
# cd /usr/local/etc
# touch loopd.conf && chown lnd:lnd loopd.conf && chmod 600 loopd.conf && nano loopd.conf
```
```
[Application Options]
loopdir=/var/db/loopd
configfile=/usr/local/etc/loopd.conf

[lnd]
lnd.macaroonpath=/var/db/lnd/data/chain/bitcoin/mainnet/admin.macaroon
lnd.tlspath=/var/db/lnd/tls.cert

[server]
server.proxy=localhost:9050
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

Now start the service:
```
# service loopd start && tail -f /var/db/loopd/logs/mainnet/loopd.log
```
Logs should appear normal; press CTRL+C to stop following the logs.

### loopd liquidity
loopd uses a liquidity provider: you send it off-chain funds and receive an on-chain transaction in return (loop out). Make sure you have an adequate liquidity path to their node (or open a channel directly):
```
021c97a90a411ff2b10dc2a8e32de2f29d2fa49d41bfbb52bd416e460db0747d0d@18.224.56.146:9735
```

### Upgrade loopd
```
# service loopd stop
# cd ~
# wget https://github.com/lightninglabs/loop/releases/download/v0.23.0-beta/loop-freebsd-amd64-v0.23.0-beta.tar.gz
# tar -xvf loop-freebsd-amd64*
# install -m 0755 -o root -g wheel loop-freebsd-amd64*/* /usr/local/bin
# rm -r ~/loop-freebsd-amd64*
# service loopd start && tail -f /var/db/loopd/logs/mainnet/loopd.log
```

Verify the logs show the service started successfully, then kill `tail` with CTRL+C.

Next: [ [Install Ride The Lightning web UI](freenas_6_rtl.md) ]

--------------------------------------------------------------------------------
/FreeNAS/bitcoin/freenas_6_rtl.md:
--------------------------------------------------------------------------------

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](freenas_1_jail_creation.md) ] - [ [Bitcoin](freenas_2_bitcoin.md) ] - [ [Tor & i2p](freenas_3_tor.md) ] - [ [Electrum](freenas_4_electrum.md) ] - [ [lnd](freenas_5_lnd.md) ] - [ [loopd ](freenas_5a_loopd.md)] - [**RTL**] - [ [mempool](freenas_8_mempool.md) ] - [ [Extras](extras.md) ]

## TrueNASnode - full bitcoin stack deployment guide ![BSDBTC60.png](images/BSDBTC60.png)

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

### Install RTL
Read up on RTL [here](https://github.com/ShahanaFarooqui/RTL). Find the latest RTL release [here](https://github.com/ShahanaFarooqui/RTL/releases)

If not already there, SSH into your freenas box and switch to your bitcoin jail.

```
# pkg install node npm python cairo
# cd ~
# wget https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v0.13.4.tar.gz
# tar -xvf v0.13.4.tar.gz
# rm v0.13.4.tar.gz
# mv ~/RTL-0.13.4 ~/rtl
# cd rtl
# npm install --omit=dev --legacy-peer-deps
```
Once the install is complete, create RTL-Config.json ([configuration options](https://github.com/Ride-The-Lightning/RTL/tree/master?tab=readme-ov-file#prep)):
```
# nano ~/rtl/RTL-Config.json
```
Edit the following lines, making sure to set `multiPass`:
```
{
  "multiPass": "enteryourownpasswordhere",
  "port": "3000",
  "defaultNodeIndex": 1,
  "SSO": {
    "rtlSSO": 0,
    "rtlCookiePath": "",
    "logoutRedirectLink": ""
  },
  "nodes": [
    {
      "index": 1,
      "lnNode": "My BSD Node",
      "lnImplementation": "LND",
      "Authentication": {
        "macaroonPath": "/var/db/lnd/data/chain/bitcoin/mainnet",
        "swapMacaroonPath": "/var/db/loopd/mainnet",
        "configPath": "/usr/local/etc/lnd.conf"
      },
      "Settings": {
        "userPersona": "OPERATOR",
        "themeMode": "NIGHT",
        "themeColor": "PURPLE",
        "currencyUnit": "USD",
        "bitcoindConfigPath": "/usr/local/etc/bitcoin.conf",
        "channelBackupPath": "/root/rtl",
        "enableLogging": false,
        "lnServerUrl": "https://localhost:8080/v1",
        "swapServerUrl": "https://localhost:8081/v1",
        "fiatConversion": false
      }
    }
  ]
}
```
Save (CTRL+O,ENTER) then exit (CTRL+X)

### Configure Autostart
```
# nano /usr/local/etc/rc.d/rtl
```
Add the following lines:
```
#!/bin/sh
#
# PROVIDE: rtl
# REQUIRE: bitcoind lnd loopd
# KEYWORD:

. /etc/rc.subr
name="rtl"
rcvar="rtl_enable"
rtl_command="/usr/local/bin/node /root/rtl/rtl"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -r -f ${rtl_command}"

load_rc_config $name
: ${rtl_enable:=no}

run_rc_command "$1"
```
Save (CTRL+O,ENTER) then exit (CTRL+X)

Make the service script executable:
```
# chmod +x /usr/local/etc/rc.d/rtl
```
Enable it in `/etc/rc.conf`:
```
# nano /etc/rc.conf
```
Append the following line:
```
rtl_enable="YES"
```
Save (CTRL+O,ENTER) then exit (CTRL+X)

Give it a run!
```
# service rtl start
```

Now connect in your web browser to `<jail ip>:3000`, or to `myprivateonionaddressocyn4rixm632jid.onion:3000` for remote connections.
### Set loop macaroon path in RTL

In the RTL web UI go to: Node Config > Services > Loop
Enter Loop Macaroon Path
```
/root/.loop/mainnet
```
Click Update

### Upgrade RTL

```
# service rtl stop
# cd ~
# wget https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v0.14.1.tar.gz
# tar -xvf v0.14.1.tar.gz
# cp ~/rtl/RTL-Config.json ~/RTL-0.14.1/RTL-Config.json
# rm -r ~/rtl
# mv ~/RTL-0.14.1 ~/rtl
# rm v0.14.1.tar.gz
# cd rtl
# npm install --omit=dev --legacy-peer-deps
# service rtl start
```

Next: [ [mempool](freenas_8_mempool.md) ]

--------------------------------------------------------------------------------
/FreeNAS/bitcoin/images/BSDBTC100.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/bitcoin/images/BSDBTC100.png
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/images/BSDBTC300.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/bitcoin/images/BSDBTC300.png
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/images/BSDBTC60.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/bitcoin/images/BSDBTC60.png
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/images/jail_create.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/bitcoin/images/jail_create.png
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/images/jail_port_forward.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/bitcoin/images/jail_port_forward.png
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/bluewallet.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

### BlueWallet

BlueWallet for Android serves layer 1 on-chain transactions over the electrum protocol, which is more data efficient than SPV (used by Blockstream Green, for example). We can serve this function with our own electrum server! The BlueWallet roadmap plans future support for BIP174, which would allow a hardware wallet like the Coldcard to be used on Android!

BlueWallet serves layer 2 lightning transactions with a wrapper called [lndhub](https://github.com/BlueWallet/LndHub) which is designed to share an LND node in a trusted environment. Read up on the technical tradeoffs BlueWallet employs with lndhub [here](https://medium.com/bluewallet/bluewallet-brings-zero-configuration-lightning-payments-to-ios-and-android-30137a69f071). This guide does not explain how to set up your own lndhub.

Download and install Orbot for Android: https://play.google.com/store/apps/details?id=org.torproject.android

Download the BlueWallet app: https://bluewallet.io/

Open Orbot, and select the gear icon under "Tor-Enabled Apps". Select BlueWallet, then go back. Turn on VPN Mode. Wait until the app is bootstrapped and connected to the tor network.

Remember your electrum onion address? If not, SSH into your bitcoin jail and run
```
# cat /var/db/tor/remote_connections/hostname
```

Open BlueWallet on your Android device. Click on the hamburger menu `☰` for settings. Click `Electrum server >`, set the address to your onion address and the port to `50002`.

You should get a successful connection! Now import your electrum & hardware wallet ypub for a watch / receive only wallet on Android verified by your own electrum server, or use it as a full wallet!





[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/green.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

### Blockstream Green Wallet

This isn't a lightning app (yet), but you can connect it to your bitcoind node via SPV over tor! (SPV is more data intensive than the electrum protocol; I recommend using [BlueWallet](https://github.com/seth586/guides/blob/master/FreeNAS/wallets/bluewallet.md) as an Android electrum client.)

Download the Blockstream Green app: https://play.google.com/store/apps/details?id=com.greenaddress.greenbits_android_wallet

Open Green Wallet. Click on `Bitcoin ⯆`. Check `Connect with Tor`. Click `Save`.

Create a new wallet. Once you're done, click the gear ⚙️ icon on the lower left. Under `Advanced` click `SPV synchronization`. Check `Enable SPV`.
Select `Only connect to trusted node(s) for SPV`. Remember your bitcoind onion address? If not, SSH into your bitcoin jail and run
```
# bitcoin-cli -datadir=/var/db/bitcoin getnetworkinfo
```
Take that address and append the port number, e.g. `6aslkjdhfitshouldlooklikethis.onion:8333`.
Finally, tap 'Reset SPV' and it will sync from your node. It may take a while to catch up, but this will privately connect to your home node, wherever you are!





[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/img/spectersmall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/bitcoin/wallets/img/spectersmall.png
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/img/test.md:
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/joule.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

## Guide to ₿itcoin & ⚡Lightning️⚡ on 🦈FreeNAS🦈

## Joule Browser Extension

### Install WinSCP
https://winscp.net/eng/download.php

With WinSCP, log into your freenas server using your root privileges, and navigate to the following folder (change as necessary):
```
/mnt/volume0/iocage/jails/bitcoin/root/var/db/lnd/data/chain/bitcoin/mainnet
```
Note: If you are unable to navigate to the `.lnd` folder, enable hidden folders by pressing (CTRL+ALT+H)

Download `admin.macaroon` and `readonly.macaroon`

### Install Joule

Go to Joule's website at https://lightningjoule.com/

Install the Firefox extension on the [Tor Browser](https://www.torproject.org/download/). Click on the tor browser `3 line icon` on the top right, select `options`, and select `privacy & security`. Under `History` enable `remember history`, otherwise the browser will not remember Joule's configuration.

Click on the Joule extension button on the top right of your browser, and select `get started`.

Select `remote node`

Type in your private onion address, port 8080:
```
https://myprivateonionaddressocyn4rixm632jid.onion:8080
```

You may have to follow the link since the browser does not trust lnd's TLS certificate by default. Once you follow the link, go back to Joule's tab and it should work.

Upload `admin.macaroon` and `readonly.macaroon`, then delete the downloaded copies: they give the bearer of these credentials the ability to spend your funds!

Set a password, and enjoy in-browser lightning payments, even away from your local home network! Try out a small tip here:
https://tippin.me/@seth586

If you want to try sending / receiving invoices, reach out to me. Contact info on the [ [Intro](README.md) ] page.

[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/specter.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

## Guide to ₿itcoin & ⚡Lightning️⚡ on 🦈FreeNAS🦈


![Specter](img/spectersmall.png)
## Specter Daemon
[Specter](https://github.com/cryptoadvance/specter-desktop) is an electrum alternative that connects directly to bitcoin core.
By hosting the daemon version on freenas, you can remotely generate, sign with Coldcard, and broadcast PSBT transactions without having to install client side software.

If you want USB connectivity for a Trezor or Ledger type of device, you will need to run Specter Desktop on the client machine as well to create the USB bridge.

Note: if you manually compiled bitcoind with `--disable-wallet`, you will need to recompile with wallet functionality for Specter to work.

Minimizing the amount of software that has file access to your lightning hot wallet is considered a security best practice, so let's [spin up a new jail](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/freenas_1_jail_creation.md). I will name this jail `specter` and assign it an ip address of `192.168.84.11`. SSH in and let's begin!

```
root@freenas:~ # iocage console specter
root@specter:~ # pkg install python3 py37-pip nano
root@specter:~ # fetch https://github.com/cryptoadvance/specter-desktop/archive/v0.7.1.tar.gz
root@specter:~ # tar -xvf v0.7.1.tar.gz
root@specter:~ # pip-3.7 install -e specter-desktop*/.
```

Let's create a service, `mkdir -p /usr/local/etc/rc.d && nano /usr/local/etc/rc.d/specter`:
```
#!/bin/sh
#
# PROVIDE: specter
# REQUIRE: bitcoind tor
# KEYWORD:

. /etc/rc.subr

name="specter"
rcvar="specter_enable"

specter_command="/usr/local/bin/python3 -m cryptoadvance.specter server --host 0.0.0.0"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -r -f ${specter_command}"

load_rc_config $name
: ${specter_enable:=no}

run_rc_command "$1"
```
Save (CTRL+O, ENTER) and exit (CTRL+X).
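The rtl script earlier and this specter script share the same minimal rc.d shape: a `name`, an `rcvar` of `${name}_enable`, a `: ${name_enable:=no}` default and `daemon -P pidfile -r -f` as the command. Scripts like these get copied from one service to the next, and the `_enable` default is the line most likely to still name the previous service; rc.subr still honours `specter_enable="YES"` from rc.conf in that case, but the variable has no default and `service` prints a "not set properly" warning whenever it is absent. The Python below is an added example, not part of this guide or of FreeBSD: it pulls those fields out of an rc.d script and reports inconsistencies. `RTL_RCD` is the rtl script from this guide; `STALE_RCD` is a constructed specter variant whose default still says `lnd_enable`.

```python
"""Consistency checks for minimal FreeBSD rc.d scripts (added example, not rc.subr's logic)."""
import re

# The rtl script from this guide (consistent).
RTL_RCD = """\
#!/bin/sh
#
# PROVIDE: rtl
# REQUIRE: bitcoind lnd loopd
# KEYWORD:

. /etc/rc.subr
name="rtl"
rcvar="rtl_enable"
rtl_command="/usr/local/bin/node /root/rtl/rtl"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -r -f ${rtl_command}"

load_rc_config $name
: ${rtl_enable:=no}

run_rc_command "$1"
"""

# Constructed (hypothetical) variant: a specter script whose enable default was
# copied from an lnd script and never renamed.
STALE_RCD = """\
#!/bin/sh
#
# PROVIDE: specter
# REQUIRE: bitcoind tor
# KEYWORD:

. /etc/rc.subr

name="specter"
rcvar="specter_enable"

specter_command="/usr/local/bin/python3 -m cryptoadvance.specter server --host 0.0.0.0"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -r -f ${specter_command}"

load_rc_config $name
: ${lnd_enable:=no}

run_rc_command "$1"
"""

_PATTERNS = {
    "provide": re.compile(r"#\s*PROVIDE:\s*(\S+)"),
    "require": re.compile(r"#\s*REQUIRE:\s*(.*)"),
    "name": re.compile(r'name="?([A-Za-z0-9_]+)"?\s*$'),
    "rcvar": re.compile(r'rcvar="?([A-Za-z0-9_]+)"?\s*$'),
    "default": re.compile(r":\s*\$\{([A-Za-z0-9_]+_enable):=([^}]*)\}"),
}


def parse_rcd(text):
    """Return the rc.d fields as a dict; 'defaults' maps each *_enable variable to its default."""
    info = {"provide": None, "require": [], "name": None, "rcvar": None, "defaults": {}}
    for line in text.splitlines():
        stripped = line.strip()
        for key, pattern in _PATTERNS.items():
            match = pattern.match(stripped)
            if not match:
                continue
            if key == "require":
                info["require"] = match.group(1).split()
            elif key == "default":
                info["defaults"][match.group(1)] = match.group(2).strip()
            else:
                info[key] = match.group(1)
            break
    return info


def check_rcd(text):
    """Return a list of problems; an empty list means the script is internally consistent."""
    info = parse_rcd(text)
    name = info["name"]
    if name is None:
        return ["no name= assignment found"]
    problems = []
    expected = f"{name}_enable"
    if info["provide"] != name:
        problems.append(f"PROVIDE '{info['provide']}' does not match name '{name}'")
    if info["rcvar"] != expected:
        problems.append(f"rcvar '{info['rcvar']}' should be '{expected}'")
    if expected not in info["defaults"]:
        problems.append(f"missing ': ${{{expected}:=no}}' default")
    for var, value in info["defaults"].items():
        if var != expected:
            problems.append(f"stray default for '{var}' (copied from another service?)")
        elif value.lower() not in ("no", "false", "off", "0"):
            problems.append(f"'{var}' defaults to '{value}'; services should stay off until enabled in rc.conf")
    if name in info["require"]:
        problems.append("script REQUIREs itself")
    return problems


if __name__ == "__main__":
    for label, script in (("rtl", RTL_RCD), ("specter (stale default)", STALE_RCD)):
        print(label, "->", check_rcd(script) or "OK")
```

Run it against a script before copying it into `/usr/local/etc/rc.d`; a clean result means the `sysrc ${name}_enable="YES"` step that follows will address the variable the script actually reads.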
Make the rc.d script executable, enable our service, and start the daemon:

```
root@specter:~ # chmod +x /usr/local/etc/rc.d/specter
root@specter:~ # sysrc specter_enable="YES"
root@specter:~ # service specter start
```

Point a web browser to http://192.168.84.11:25441/, success! Notice that Specter is not connected to bitcoin core yet, so let's create RPC credentials and configure it.

## Bitcoind RPC authentication
Switch to your bitcoin jail and generate RPC credentials. Download the rpcauth tool as documented [here](https://github.com/bitcoin/bitcoin/tree/master/share/rpcauth). Save this information.
```
root@specter:~ # exit
root@freenas[~]# iocage console bitcoin
root@bitcoin:~ # fetch https://raw.githubusercontent.com/bitcoin/bitcoin/master/share/rpcauth/rpcauth.py
root@bitcoin:~ # python3 ./rpcauth.py specter
String to be appended to bitcoin.conf:
rpcauth=specter:5d0d70936350d0a79b588a9bb2906ea1$82afc2d29dfcfd808acd98f855cf47989564d8f1cd55b515f23fb10ace0dd75a
Your password:
2tm5NiN8wZVyjx_hgUL5O8it68WfoadHDEZ-v6w_RhQ=
```

Add the following lines to the bitcoin config with `nano /usr/local/etc/bitcoin.conf`:
```
rpcauth=specter:5d0d70936350d0a79b588a9bb2906ea1$82afc2d29dfcfd808acd98f855cf47989564d8f1cd55b515f23fb10ace0dd75a
rpcallowip=192.168.84.0/24
rpcbind=0.0.0.0
blockfilterindex=1
```
`rpcbind=0.0.0.0` makes bitcoind listen on every interface, so `rpcallowip` is what limits who can reach the RPC port; keep it to the subnet your jails actually use.
Save (CTRL+O, ENTER) and exit (CTRL+X). Restart bitcoind & verify it is running:
```
root@bitcoin:~ # service bitcoind restart
root@bitcoin:~ # ps aux
```

## Specter web configuration
Navigate to the Specter website http://192.168.84.11:25441/, click on "Bitcoin Core Unavailable. Click to configure", and add the following information:

`auto detect` = off

`username` = `specter`

`password` = `2tm5NiN8wZVyjx_hgUL5O8it68WfoadHDEZ-v6w_RhQ=` (as previously generated by `rpcauth.py`)

`host` = `http://192.168.84.208` (whatever your bitcoin jail is)

`port` = `8332`

Click "test", you should get green checkmarks. Click "save".

Read the documentation to get started!

## upgrade specter
```
root@specter:~ # service specter stop
root@specter:~ # rm -r specter-desktop*
root@specter:~ # fetch https://github.com/cryptoadvance/specter-desktop/archive/v0.7.1.tar.gz
root@specter:~ # tar -xvf v0.7.1.tar.gz
root@specter:~ # pip-3.7 install -e specter-desktop*/. --upgrade
root@specter:~ # service specter start
```

[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/zap.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

Download the Zap wallet on the Apple store: https://apps.apple.com/us/app/zap-bitcoin-lightning-wallet/id1406311960

Make sure the following line exists in your `lnd.conf` configuration file; if not, add it and restart lnd (remember to unlock your wallet!):
```
restlisten=127.0.0.1:8080
```

Link your lnd.conf to lnd's data dir:
```
ln /usr/local/etc/lnd.conf /var/db/lnd/lnd.conf
```

View the private onion address of your tor hidden service:
```
# cat /var/db/tor/remote_connections/hostname
whateveryouronionaddressis.onion
```

Install `go`, compile [lndconnect](https://github.com/LN-Zap/lndconnect), set `--host=` to the address the wallet will connect to (the onion address here), and generate an LND connect URL QR code:
```
# pkg install go
# cd ~
# go get -d github.com/LN-Zap/lndconnect
# cd ~/go/src/github.com/LN-Zap/lndconnect
# gmake
# cd ~/go/bin
# ./lndconnect --lnddir=/var/db/lnd --image --host=whateveryouronionaddressis.onion --port=8080
```
A png file will be generated. Use WinSCP to download the image (the path should be something like `/mnt/volume0/iocage/jails/bitcoin/root/root/go/bin`) to your PC and scan it with the Zap app!

[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/zapandroid.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

Note: As of 0.2.5 Zap Android can not resolve .onion addresses. For remote connections, use a VPN.

Download the Zap wallet on Google Play: https://play.google.com/store/apps/details?id=zapsolutions.zap or build from source: https://github.com/LN-Zap/zap-android/releases

```
# nano /usr/local/etc/lnd.conf
```
Add the following line to your `lnd.conf` configuration file:
```
rpclisten=0.0.0.0:10009
```
Restart LND
```
# service lnd stop
# service lnd start
```
Remember to unlock your wallet, using RTL's web UI.

Link your lnd.conf to lnd's data dir:
```
ln /usr/local/etc/lnd.conf /var/db/lnd/lnd.conf
```

Install `go`, compile [lndconnect](https://github.com/LN-Zap/lndconnect), change `--host=` to the jail's local IP, and generate an LND connect URL QR code:
```
# pkg install go
# cd ~
# go get -d github.com/LN-Zap/lndconnect
# cd ~/go/src/github.com/LN-Zap/lndconnect
# gmake
# cd ~/go/bin
# ./lndconnect --lnddir=/var/db/lnd --image --host=192.168.84.123
```
A png file will be generated. Use WinSCP to download the image to your PC and scan it with the Zap app!

[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/bitcoin/wallets/zeusln.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

## Zeus Lightning Wallet over Tor for Android

ZeusLN has tor built in, Orbot isn't required!
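The lndconnect tool used on the Zap pages packs the node address and credentials into one `lndconnect://host:port?cert=...&macaroon=...` URI (the QR code is just that string), with the TLS certificate and the macaroon encoded as URL-safe base64 without padding. Whoever can read that QR holds the admin macaroon, so it is worth seeing exactly what is inside it and what a wallet can and cannot check. The Python below is an added example, not from this guide or from lndconnect: it builds and parses such URIs and lists the points a wallet importing one cannot verify. The macaroon and certificate bytes are constructed placeholders.

```python
"""Build, parse and sanity-check lndconnect:// URIs (added example; not lndconnect's own code)."""
import base64
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed placeholder bytes standing in for admin.macaroon and a DER tls.cert.
FAKE_MACAROON = bytes(range(64))
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(252)


def b64url_nopad(raw: bytes) -> str:
    """URL-safe base64 with the '=' padding removed, as lndconnect encodes its fields."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_nopad: restore padding to a multiple of four, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_lndconnect(host: str, port: int, macaroon: bytes, cert_der: Optional[bytes] = None) -> str:
    """Assemble the URI; cert is optional because some one-liners omit it."""
    params = []
    if cert_der is not None:
        params.append("cert=" + b64url_nopad(cert_der))
    params.append("macaroon=" + b64url_nopad(macaroon))
    return f"lndconnect://{host}:{port}?" + "&".join(params)


def parse_lndconnect(uri: str) -> Dict[str, object]:
    """Split the URI back into host, port and the raw credential bytes."""
    parts = urlsplit(uri)
    if parts.scheme != "lndconnect":
        raise ValueError("not an lndconnect URI")
    if not parts.hostname or parts.port is None:
        raise ValueError("host and port are required")
    query = parse_qs(parts.query)
    if "macaroon" not in query:
        raise ValueError("macaroon parameter missing")
    cert = query.get("cert")
    return {
        "host": parts.hostname,
        "port": parts.port,
        "macaroon": b64url_decode(query["macaroon"][0]),
        "cert": b64url_decode(cert[0]) if cert else None,
    }


def lndconnect_warnings(uri: str) -> List[str]:
    """Things a wallet importing this URI cannot verify, or that widen the node's exposure."""
    info = parse_lndconnect(uri)
    host = str(info["host"])
    warnings = []
    if info["cert"] is None:
        warnings.append("no cert: the wallet cannot pin lnd's TLS certificate")
    if not host.endswith(".onion"):
        try:
            is_private = ipaddress.ip_address(host).is_private
        except ValueError:
            is_private = False  # a DNS name: assume it is reachable from anywhere
        if not is_private:
            warnings.append("host is neither an onion service nor a private address")
    return warnings


if __name__ == "__main__":
    uri = build_lndconnect("192.168.84.21", 8080, FAKE_MACAROON, FAKE_CERT_DER)
    print(uri)
    print(parse_lndconnect(uri)["port"], lndconnect_warnings(uri) or "no warnings")
```

A QR built without `cert=` leaves the wallet to accept whatever certificate the REST port presents, which is acceptable over a Tor onion service (the address itself authenticates the endpoint) but not over a plain LAN or VPN hop.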

Download the Zeus app, APKs available here: https://github.com/ZeusLN/zeus/releases

View the private onion address of your tor hidden service [that you set up in this step!](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/freenas_3_tor.md):
```
# cat /var/db/tor/remote_connections/hostname
myprivateonionaddressocyn4rixm632jid.onion
```

If you followed the guide, your port should be `8080`

### Create lndconnect qr in-terminal
Replace the IP address with your `*.onion` address, or use the local IP if you have a VPN to your home network:
```
echo 'lndconnect://192.168.84.21:8080?macaroon='"`base64 /var/db/lnd/data/chain/bitcoin/mainnet/admin.macaroon | tr -d '=' | tr '/+' '_-'`" | tr -d '\n' | qrencode -m 2 -t utf8
```
Or dump the admin.macaroon hex and copy it into your app:
```
hexdump -ve '1/1 "%.2x"' /var/db/lnd/data/chain/bitcoin/mainnet/admin.macaroon
```

[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
--------------------------------------------------------------------------------
/FreeNAS/jellyfin/1_jail.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - **[Jail Creation]** - [ [Jellyfin](2_jellyfin.md) ] - [ [aria2](3_aria2.md) ] - [ [Medusa](4_medusa.md) ]

```
allow_raw_sockets
allow_mlock
```
--------------------------------------------------------------------------------
/FreeNAS/jellyfin/2_jellyfin.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - **[Jellyfin]** - [ [aria2](3_aria2.md) ] - [ [Medusa](4_medusa.md) ]

### Create User:Group, Dataset, and apply permissions:
Go to your freenas UI, and create new group `jellyfin` under `Accounts / Groups / Add`:
```
GID = 710
name = jellyfin
```
Click `SUBMIT`

Create new user `jellyfin` under `Accounts / Users / Add`:
```
Full Name = jellyfin
Username = jellyfin
User ID = 710
New Primary Group = N
Primary Group = jellyfin
Home Directory = /nonexistent
Disable Password = Yes
Shell = nologin
```
Click `SUBMIT`. It is important that your UID and GID are both `710` (the user created inside the jail below must carry the same ids, or the mounted dataset's permissions will not line up), so go back and make sure they are correct!

Create your media dataset, and apply `jellyfin:jellyfin` as `user:group` recursively for your dataset

SSH into your `jellyfin` jail:
```
iocage console jellyfin
pw group add jellyfin -g 710
pw user add jellyfin -c jellyfin -u 710 -d /nonexistent -s /usr/sbin/nologin
pw group mod jellyfin -m jellyfin
cat /etc/passwd
cat /etc/group
```

https://github.com/Thefrank/jellyfin-server-freebsd/blob/main/Installation_TrueNAS_GUI.md

[jailip]:8096 !
--------------------------------------------------------------------------------
/FreeNAS/jellyfin/3_aria2.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [Jellyfin](2_jellyfin.md) ] - **[aria2]** - [ [Medusa](4_medusa.md) ]

```
pkg install nano aria2 lighttpd ca_root_nss git
sysrc lighttpd_enable=YES
sysrc aria2_enable=YES
sysrc aria2_user=jellyfin
sysrc aria2_group=jellyfin
mkdir /var/db/aria2
touch /var/db/aria2/aria2.txt
chown -R jellyfin:jellyfin /var/db/aria2
chmod -R 770 /var/db/aria2
nano /usr/local/etc/aria2.conf
```
Configure: (See configuration options [here](https://aria2.github.io/manual/en/html/aria2c.html#aria2-conf))
```
continue=true
daemon=true
dir=/media/downloads
file-allocation=none
log-level=warn
disable-ipv6=true
max-connection-per-server=4
max-concurrent-downloads=3
max-overall-download-limit=0
min-split-size=5M
rpc-listen-all=true
enable-rpc=true
rpc-secret=t2150cdt!
ca-certificate=/etc/ssl/cert.pem
save-session=/var/db/aria2/aria2.txt
input-file=/var/db/aria2/aria2.txt
save-session-interval=10
dht-file-path=/var/db/aria2/dht.dat
dht-file-path6=/var/db/aria2/dht6.dat
max-overall-upload-limit=125K
seed-ratio=1.0
seed-time=1440
```
`rpc-listen-all=true` binds the RPC port on every interface of the jail, so the `rpc-secret` is the only thing guarding it; pick your own long random value rather than the sample above.
Save (Ctrl+O, ENTER) and exit (Ctrl+X)
```
service aria2 start
```
Point your Aria2 front end to `http://your.Jail.I.P:6800/jsonrpc`
--------------------------------------------------------------------------------
/FreeNAS/jellyfin/4_medusa.md:
--------------------------------------------------------------------------------
[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [Jellyfin](2_jellyfin.md) ] - [ [aria2](3_aria2.md) ] - **[Medusa]**


```
cat /etc/passwd
pw groupshow -a
pw adduser medusa -d /nonexistent -s /usr/sbin/nologin
pw usermod medusa -G jellyfin
```


```
pkg update && pkg upgrade
pkg install python39 py39-sqlite3 unrar git openssl


git clone https://github.com/pymedusa/Medusa.git /usr/local/medusa
cp /usr/local/medusa/runscripts/init.freebsd /usr/local/etc/rc.d/medusa
chmod 755 /usr/local/etc/rc.d/medusa
chown -Rf medusa:medusa /usr/local/medusa
sysrc "medusa_enable=YES"
service medusa start
```
--------------------------------------------------------------------------------
/FreeNAS/jellyfin/README.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

**[Intro]** - [ [Jail Creation](1_jail.md) ] - [ [Jellyfin](2_jellyfin.md) ] - [ [aria2](3_aria2.md) ] - [ [Medusa](4_medusa.md) ]
--------------------------------------------------------------------------------
/FreeNAS/matrix-synapse/1_jail.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ **Jail Creation** ] - [ [Postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ [jitsi](8_jitsi.md) ] - [ [bridges](9_bridges.md) ]

## Jail & Dataset Plan

Before we start installing stuff, let's make a few datasets to keep important files in case you need to nuke and rebuild the jail. This is also useful for backing up critical components should you decide to take advantage of OpenZFS snapshotting and back these up to another machine.


### Create datasets
I have two [pools](https://www.truenas.com/docs/core/storage/pools/poolcreate/), `volume0`, a RAIDZ2 pool of several HDDs, and `volume1`, a mirrored pool of two high performance SSDs (Samsung PM1725b HHHL NVMe x8). [Datasets](https://www.truenas.com/docs/core/storage/pools/datasets/) will be created to store important data that needs to be backed up.

I highly recommend the following dataset folder structure, as it will make sense as you deploy more software. Example on my system:
```
─── volume0
    ├── apps
    │   ├── nextcloud
    │   │   ├── files
    │   ├── synapse
    │   │   ├── mediastore

─── volume1
    ├── apps
    │   ├── nextcloud
    │   │   ├── config
    │   │   ├── themes
    │   │   ├── db
    │   ├── synapse
    │   │   ├── config
    │   │   ├── signingkey
    │   │   ├── db
...
and so on
```
### Create Jails

Create two jails:

database jail - synapsedb - 192.168.84.78

synapse jail - synapse - 192.168.84.79

### Mount datasets to jail
```
synapse: /mnt/volume1/apps/synapse/config -> /mnt/volume1/iocage/jails/synapse/root/usr/local/etc/matrix-synapse
synapse: /mnt/volume0/apps/synapse/media_store -> /mnt/volume1/iocage/jails/synapse/root/var/db/matrix-synapse/media_store
synapsedb: /mnt/volume1/apps/synapse/db -> /mnt/volume1/iocage/jails/synapsedb/root/var/db/postgres/data16
```
### Start Jails

### Files that need backup to successfully restore your homeserver
These locations may vary from the default installation & configuration locations to streamline your dataset backups
#### 1. Config files:
```
/usr/local/etc/matrix-synapse/homeserver.yaml
/usr/local/etc/matrix-synapse/domain.tld.log.config
/usr/local/etc/matrix-synapse/domain.tld.signing.key
```
How to verify locations:
```
# cat /usr/local/etc/rc.d/synapse | grep synapse_conf
# cat /usr/local/etc/matrix-synapse/homeserver.yaml | grep domain.tld.log.config
# cat /usr/local/etc/matrix-synapse/homeserver.yaml | grep signing_key_path
```
#### 2. Database folder:
```
/var/db/postgres/data16
```
How to verify database location:
```
# sudo -i -u postgres
# psql
# show data_directory;
# exit
# exit
```
#### 3. Media Repo folder:
```
/var/db/matrix-synapse/media_store
```
Non critical; in the worst case, historical chats will lose uploaded media & files

How to verify media repo location: `cat /usr/local/etc/matrix-synapse/homeserver.yaml | grep media_store_path:`




--------------------------------------------------------------------------------
/FreeNAS/matrix-synapse/2_postgresql.md:
--------------------------------------------------------------------------------

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ **Postgresql** ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ [jitsi](8_jitsi.md) ] - [ [bridges](9_bridges.md) ]

## Postgresql

### Create a separate jail for Postgresql
pkg dependencies between [py39-matrix-synapse](https://www.freshports.org/net-im/py-matrix-synapse/) and postgresql can conflict between versions, so to keep things clean let's put our database in its own jail. Minor version upgrades are fine (such as Postgresql 13.1 to 13.2), but major upgrades require a migration procedure (such as Postgresql 13.2 to 14.0). `pkg upgrade -y` is a dangerous move when it comes to databases; be sure you are properly briefed and backed up before making the attempt!

### Create database dataset & mount to jail

This will allow you to snapshot & backup the database, and keep the data safe if you nuke the jail.
```
/mnt/volume1/apps/synapse/db -> /mnt/volume1/iocage/jails/synapse/root/var/db/postgres/data16
```
Then start the jail

### Switch pkg repo to latest & install
```
# pkg install nano
# mkdir -p /usr/local/etc/pkg/repos/
# nano /usr/local/etc/pkg/repos/FreeBSD.conf
```
```
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}
```
```
# pkg update && pkg upgrade
# pkg install postgresql16-server sudo
# sysrc postgresql_enable="YES"
# chown -R postgres:postgres /var/db/postgres
```

### Initialize database
Official documentation [here](https://matrix-org.github.io/synapse/latest/postgres.html)
```
# /usr/local/etc/rc.d/postgresql initdb
# service postgresql start
# sudo -i -u postgres
$ psql
postgres=# CREATE USER "synapse" WITH PASSWORD 'password';
postgres=# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER "synapse";
postgres=# \q
$ exit
#
```

### Set database access permission
```
# nano /var/db/postgres/data16/pg_hba.conf
```
```
host synapse synapse 192.168.84.79/32 md5
```
This line is what limits database access to the synapse jail, since `listen_addresses = '*'` below makes the server accept connections on every interface.
### Allow remote connections
```
# nano /var/db/postgres/data16/postgresql.conf
```
```
...
listen_addresses = '*'
port = 5432
...
```
### Reload configuration changes
```
# su -m postgres -c 'pg_ctl reload -D /var/db/postgres/data16'
# service postgresql restart
```

### Upgrade to a minor version
Example: Upgrading postgresql14-server-14.7 to postgresql14-server-14.9

In your synapse jail:
```
# service synapse stop
```

In your database jail:
```
# service postgresql stop
# pkg update && pkg upgrade
# service postgresql start
```

In your synapse jail:
```
# service synapse start
```

### Upgrade to a major version
Example: Upgrading postgresql14-server-14.9 to postgresql16-server-16.1
--------------------------------------------------------------------------------
/FreeNAS/matrix-synapse/3_synapse.md:
--------------------------------------------------------------------------------

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [postgresql](2_postgresql.md) ] - [ **synapse** ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ [jitsi](8_jitsi.md) ] - [ [bridges](9_bridges.md) ]

## Synapse

Official & up to date install instructions are maintained [here](https://matrix-org.github.io/synapse/latest/setup/installation.html)

### Switch jails and set permissions for mount points:
```
# exit
root@truenas[~]# iocage console synapse
# pw adduser synapse -d /nonexistent -s /usr/sbin/nologin
# pw usermod synapse -G wheel
# chown -R synapse /usr/local/etc/matrix-synapse
# chown -R synapse /var/db/matrix-synapse
```

### Install
```
# pkg install rust nano py39-virtualenv py39-pip py39-pillow postgresql16-client
# mkdir -p ~/synapse
# virtualenv -p python3 ~/synapse/env
# source ~/synapse/env/bin/activate.csh
pip install --upgrade pip
pip install --upgrade setuptools
pip index versions matrix-synapse
pip install "mat
rix-synapse[postgres]"==1.95.0
```
### Create config
Full config instructions are maintained [here](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html)
```
cd ~/synapse
python3.9 -m synapse.app.homeserver \
  --server-name mydomain.com \
  --config-path /usr/local/etc/matrix-synapse/homeserver.yaml \
  --generate-config \
  --data-directory /var/db/matrix-synapse \
  --report-stats=no
deactivate
```
`nano /usr/local/etc/matrix-synapse/homeserver.yaml`:
```
server_name: "mydomain.com"
public_baseurl: "https://mydomain.com"
pid_file: /var/run/matrix-synapse/homeserver.pid

bind_addresses: ['::1', '192.168.84.79']

database:
  name: psycopg2
  txn_limit: 10000
  args:
    user: synapse
    password: password
    database: synapse
    host: 192.168.84.78
    port: 5432
    cp_min: 5
    cp_max: 10

enable_registration: true
registration_requires_token: true
```


`nano /usr/local/etc/matrix-synapse/mydomain.com.log.config`:
```
filename: /var/log/matrix-synapse/homeserver.log
```


### Autostart
```
# mkdir -p /usr/local/etc/rc.d && touch /usr/local/etc/rc.d/synapse && chmod +x /usr/local/etc/rc.d/synapse && nano /usr/local/etc/rc.d/synapse
```

```
#!/bin/sh
#
# Created by: Mark Felder

# PROVIDE: synapse
# REQUIRE: LOGIN postgresql
# KEYWORD: shutdown

#
# Add the following line to /etc/rc.conf to enable `synapse':
#
# synapse_enable="YES"

. /etc/rc.subr
name=synapse

rcvar=synapse_enable
load_rc_config ${name}

: ${synapse_enable:=NO}
: ${synapse_user:=synapse}
: ${synapse_conf:=/usr/local/etc/matrix-synapse/homeserver.yaml}
: ${synapse_dbdir:=/var/db/matrix-synapse}
: ${synapse_logdir:=/var/log/matrix-synapse}
: ${synapse_pidfile:=/var/run/matrix-synapse/homeserver.pid}

pidfile="${synapse_pidfile}"
procname=/root/synapse/env/bin/python3.9
command=/root/synapse/env/bin/python3.9
command_args="-m synapse.app.homeserver --daemonize -c ${synapse_conf}"
start_precmd=start_precmd

start_precmd()
{
    if [ ! -d ${synapse_pidfile%/*} ] ; then
        install -d -o ${synapse_user} -g wheel ${synapse_pidfile%/*};
    fi

    if [ ! -d ${synapse_dbdir} ] ; then
        install -d -o ${synapse_user} -g wheel ${synapse_dbdir};
    fi

    if [ ! -d ${synapse_logdir} ] ; then
        install -d -o ${synapse_user} -g wheel ${synapse_logdir};
    fi
}

run_rc_command "$1"
```
```
sysrc synapse_enable="YES"
```




### start the service
```
# service synapse start && tail -f /var/log/matrix-synapse/homeserver.log
```
CTRL+C to end tail

### Create Admin account
Use this account to log in to synapse with your client for the first time. We will use the registration bot in the "token registration" step to create normal users.
142 | ``` 143 | /root/synapse/env/bin/register_new_matrix_user -c /usr/local/etc/matrix-synapse/homeserver.yaml http://localhost:8008 144 | ``` 145 | 146 | ### To Upgrade: 147 | Read release notes [here](https://element-hq.github.io/synapse/develop/upgrade.html) 148 | ``` 149 | # service synapse stop 150 | # source ~/synapse/env/bin/activate.csh 151 | pip install --upgrade pip 152 | pip install --upgrade setuptools 153 | pip install -U "matrix-synapse[postgres]"==1.95.1 154 | deactivate 155 | # service synapse start 156 | ``` 157 | -------------------------------------------------------------------------------- /FreeNAS/matrix-synapse/4_nginx.md: -------------------------------------------------------------------------------- 1 | 2 | [ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ **reverse proxy** ] - [ [token registration](5_registration.md) ] - [ [tor ](6_tor.md)] - [ [coturn](7_coturn.md) ] - [ [jitsi](8_jitsi.md) ] - [ [bridges](9_bridges.md) ] 3 | 4 | ## Reverse Proxy 5 | 6 | Official reverse proxy documentation [here](https://matrix-org.github.io/synapse/latest/reverse_proxy.html). 
Enter your `reverseproxy` jail and add the following file:
```
# nano /usr/local/etc/nginx/vdomains/domain.tld.conf
```

Remember to replace `domain.tld` with your own domain and `onion.onion` with your hidden service address for clients:
```
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name domain.tld;

    include snippets/domain.tld.cert.conf;
    include snippets/ssl-params.conf;

    location ~ ^/(_matrix|_synapse/client)/ {
        proxy_pass http://192.168.84.79:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;
        proxy_http_version 1.1;
    }

    location /.well-known/matrix/server {
        return 200 '{"m.server": "domain.tld:443"}';
        default_type application/json;
    }

    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "https://domain.tld"},"m.identity_server": {"base_url": "https://vector.im"}}';
        default_type application/json;
        add_header "Access-Control-Allow-Origin" *;
    }

}

# TOR HIDDEN SERVICE FOR CLIENTS
server {
    # Plain HTTP/1.1 here: "listen 80 http2;" without ssl makes nginx accept only
    # cleartext HTTP/2 (h2c), which HTTP/1.1 clients such as Tor Browser cannot use.
    listen 80;

    server_name onion.onion;

    location /_synapse/client {
        proxy_pass http://192.168.84.79:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 50M;
    }

    location /.well-known/matrix/client {
        return 200 '{"m.homeserver": {"base_url": "http://onion.onion"},"m.identity_server": {"base_url": "https://vector.im"}}';
        default_type application/json;
        add_header "Access-Control-Allow-Origin" *;
    }

}
```

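The comment in the config above says `client_max_body_size` must match `max_upload_size` in `homeserver.yaml`; if the proxy limit is lower, large uploads die at nginx with a 413 before synapse ever sees them. The following is an added example (not part of the guide) that reads both values, normalizes the K/M/G suffixes to bytes and reports a mismatch; the two sample files are constructed inline, and the function names and the 1M / 50M defaults it falls back on (nginx's and synapse's documented defaults) are its own assumptions.

```shell
#!/bin/sh
# Added example, not the guide's code: verify that the nginx upload limit in front of
# synapse is at least synapse's own max_upload_size. Both files are passed as paths.

# to_bytes SIZE -> prints SIZE ("50M", "2K", "1G", "10485760") as an integer byte count
to_bytes() {
    num=$(printf '%s' "$1" | sed 's/[KkMmGg]$//')
    case "$1" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# nginx_body_limit CONF -> first client_max_body_size value in CONF, or nginx's default 1M
nginx_body_limit() {
    v=$(sed -n 's/^[[:space:]]*client_max_body_size[[:space:]]*\([0-9]*[KkMmGg]*\);.*/\1/p' "$1" | head -n 1)
    echo "${v:-1M}"
}

# synapse_upload_limit YAML -> max_upload_size value in YAML (quoted or not), or synapse's default 50M
synapse_upload_limit() {
    v=$(sed -n 's/^max_upload_size:[[:space:]]*"\{0,1\}\([0-9]*[KkMmGg]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1)
    echo "${v:-50M}"
}

# check_upload_limits NGINX_CONF HOMESERVER_YAML -> 0 when the proxy limit is >= synapse's,
# 1 (with an explanation on stdout) when nginx would reject uploads synapse allows
check_upload_limits() {
    proxy=$(to_bytes "$(nginx_body_limit "$1")")
    synapse=$(to_bytes "$(synapse_upload_limit "$2")")
    if [ "$proxy" -ge "$synapse" ]; then
        echo "ok: nginx allows $proxy bytes, synapse max_upload_size is $synapse bytes"
        return 0
    fi
    echo "mismatch: nginx client_max_body_size ($proxy bytes) is below synapse max_upload_size ($synapse bytes)"
    return 1
}

# Constructed sample files standing in for the guide's vdomains conf and homeserver.yaml;
# here the homeserver allows 100M while the proxy still has the guide's 50M.
tmpdir=$(mktemp -d)
cat > "$tmpdir/domain.tld.conf" <<'EOF'
location ~ ^/(_matrix|_synapse/client)/ {
    proxy_pass http://192.168.84.79:8008;
    client_max_body_size 50M;
}
EOF
cat > "$tmpdir/homeserver.yaml" <<'EOF'
server_name: "mydomain.com"
max_upload_size: 100M
EOF
if ! check_upload_limits "$tmpdir/domain.tld.conf" "$tmpdir/homeserver.yaml"; then
    echo "raise client_max_body_size in domain.tld.conf (or lower max_upload_size) and restart nginx"
fi
rm -r "$tmpdir"
```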
Save (CTRL+o, ENTER) and exit (CTRL+x)

Restart nginx
```
# service nginx restart
```

/FreeNAS/matrix-synapse/5_registration.md:

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [Postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - **[ token registration ]** - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ [jitsi](8_jitsi.md) ] - [ [bridges](9_bridges.md) ]

## Guide to matrix-synapse server on TrueNAS ![BSDBTC60.png](images/matrix60.png)

### Token based registration bot
https://github.com/moan0s/matrix-registration-bot

#### Enable token registrations on your homeserver
`nano /usr/local/etc/matrix-synapse/homeserver.yaml`:
```
enable_registration: true
registration_requires_token: true
```
Save and exit

#### Create registration-bot user on homeserver & install
```
# /root/synapse/env/bin/register_new_matrix_user -c /usr/local/etc/matrix-synapse/homeserver.yaml http://localhost:8008
New user localpart [root]: registration-bot
Password: (enter a strong password here)
Make admin [no]: no

# pkg install gmake py39-sqlite3
# pip install matrix-registration-bot
# pip install simplematrixbotlib
# mkdir /usr/local/etc/matrix-registration-bot
```
#### Create access token
Get an admin token by logging in with your admin account:
```
# curl -X POST --header 'Content-Type: application/json' -d '{"identifier": { "type": "m.id.user", "user": "admin" },"password": "mypassword","type": "m.login.password"}' 'https://mydomain.com/_matrix/client/r0/login'
```

#### Configure
`nano /usr/local/etc/matrix-registration-bot/config.yml`:
```
bot:
  server: "https://synapse.example.com"
  username: "registration-bot"
  # access_token: "verysecret"
  # It is also possible to use a password based login by commenting out the access token line and adjusting the line below
  password: "secretpassword"
api:
  # API endpoint of the registration tokens
  base_url: 'http://192.168.84.79:8008'
  # Access token of an administrator on the server
  token: "syt_GyVtmQblahblahblahsupersecretchangethis"
logging:
  level: DEBUG|INFO|ERROR
```
Save and exit

#### Test
```
# python3.9 -m matrix_registration_bot.bot --config=/usr/local/etc/matrix-registration-bot/config.yml
```
It should work, try it out! Press Ctrl+C to stop when done testing

#### Create system user & permissions
```
# pw adduser mrb -d /nonexistent -s /usr/sbin/nologin -c "matrix-registration-bot"
# chown -R mrb:mrb /usr/local/etc/matrix-registration-bot
```

#### Startup script
`touch /usr/local/etc/rc.d/mrb && chmod +x /usr/local/etc/rc.d/mrb && nano /usr/local/etc/rc.d/mrb`:
```
#!/bin/sh
#
# PROVIDE: mrb
# REQUIRE: synapse
# KEYWORD:

. /etc/rc.subr
name="mrb"
rcvar="mrb_enable"
mrb_command="/usr/local/bin/python3.9 -m matrix_registration_bot.bot"
pidfile="/var/run/${name}.pid"
mrb_chdir="/usr/local/etc/matrix-registration-bot"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -u mrb -r -f ${mrb_command}"

load_rc_config $name
: ${mrb_enable:=no}

run_rc_command "$1"
```
Save and exit.

```
# sysrc mrb_enable="YES"
# service mrb start
```

## Future admin panel:
https://github.com/Awesome-Technologies/synapse-admin

/FreeNAS/matrix-synapse/7_coturn.md:

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [Postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - **[coturn]** - [ [jitsi](8_jitsi.md) ] - [ [bridges](9_bridges.md) ]

## Guide to matrix-synapse server on TrueNAS ![BSDBTC60.png](images/matrix60.png)

### Coturn

#### Poor man's DDNS
coturn is designed to run without NAT and with a static IP address. You and I are most likely behind a NAT (router) with a dynamic IP address. The script below is run every 5 minutes as a cron job: it asks the router's UPnP daemon for the WAN IP address and, if that differs from the `external-ip` value in `turnserver.conf`, rewrites `turnserver.conf` with the new IP and restarts coturn.

Install `miniupnpd` on your router, and enable the service. Or, if you're not using an open source operating system on your router, pray to the retail router gods that the manufacturer set up UPnP correctly...
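Whatever `upnpc` prints ends up inside a `sed` expression and in `turnserver.conf`, so an empty or malformed answer from the router (a timeout, a different `upnpc` output format) would leave coturn with a broken `external-ip` line. As an added example, not the guide's csh script that follows, here is the same refresh as POSIX sh functions that validate the address first; the config path and the candidate address are parameters so the logic can be tried on a scratch file, and `refresh_turnserver` is the cron-callable wrapper. Function names and the sample config are this example's own.

```shell
#!/bin/sh
# Added example, not the guide's script: refresh external-ip in turnserver.conf only
# when the new value is a well-formed IPv4 address that differs from the current one.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255, else 1
is_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.) return 1 ;;    # digits and dots only, no leading/trailing dot
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1   # empty octet ("1..2.3") or > 255
    done
    return 0
}

# configured_ip CONF -> the value of the external-ip= line in CONF (empty if absent)
configured_ip() {
    sed -n 's/^external-ip=//p' "$1" | head -n 1
}

# update_external_ip CONF NEW_IP -> prints "invalid", "unchanged" or "changed";
# returns 0 only when CONF was rewritten, so the caller knows whether to restart
update_external_ip() {
    conf=$1; new=$2
    if ! is_ipv4 "$new"; then
        echo "invalid"
        return 1
    fi
    if [ "$(configured_ip "$conf")" = "$new" ]; then
        echo "unchanged"
        return 1
    fi
    # Portable in-place edit: build a temp file next to CONF, then move it over.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    if grep -q '^external-ip=' "$conf"; then
        sed "s/^external-ip=.*/external-ip=$new/" "$conf" > "$tmp"
    else
        { cat "$conf"; echo "external-ip=$new"; } > "$tmp"   # line missing: append it
    fi && mv "$tmp" "$conf"
    echo "changed"
}

# refresh_turnserver CONF -> query the router via upnpc (as the guide does) and restart
# coturn only if the config actually changed; this is what the cron job would call
refresh_turnserver() {
    wan=$(upnpc -s | sed -n 's/^ExternalIPAddress *= *//p' | head -n 1)
    if [ "$(update_external_ip "$1" "$wan")" = "changed" ]; then
        service turnserver restart
    fi
}

# Constructed sample config standing in for /usr/local/etc/turnserver.conf.
demo=$(mktemp)
printf 'listening-port=3478\nexternal-ip=192.0.2.10\n' > "$demo"
for candidate in 203.0.113.5 203.0.113.5 203.0.113.256 10.0.0.1.2; do
    printf '%s -> %s\n' "$candidate" "$(update_external_ip "$demo" "$candidate")"
done   # changed, unchanged, invalid, invalid
rm -f "$demo"
```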

`root@turnserver:~ #` `pkg install miniupnpc`

`root@turnserver:~ #` `touch /usr/local/etc/coturn_ext_ip.sh && chmod +x /usr/local/etc/coturn_ext_ip.sh && nano /usr/local/etc/coturn_ext_ip.sh`:
```
#!/bin/csh
# external-ip currently written in turnserver.conf
set current_external_ip_config = `cat /usr/local/etc/turnserver.conf | grep "^external-ip" | cut -d'=' -f2`
# WAN address reported by the router's UPnP daemon
set current_external_ip = `upnpc -s | grep "^ExternalIPAddress" | cut -d'=' -f2 | cut -d' ' -f2`

# only rewrite the config when upnpc actually returned an address and it differs
if ( "$current_external_ip" != "" && "$current_external_ip_config" != "$current_external_ip" ) then
    sed -i '' "s/^external-ip=.*/external-ip="$current_external_ip"/" /usr/local/etc/turnserver.conf
    service turnserver restart
endif
```

`root@turnserver:~ #` `crontab -e`:
```
*/5 * * * * /usr/local/etc/coturn_ext_ip.sh
```

/FreeNAS/matrix-synapse/8_call.md:

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [Postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ **call** ] - [ [bridges](9_bridges.md) ]

Beta:

Native mesh web calling on the matrix protocol:
https://github.com/vector-im/element-call

/FreeNAS/matrix-synapse/9_bridges.md:

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [Postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ [jitsi](8_jitsi.md) ] - **[bridges]**

## Guide to matrix-synapse server on TrueNAS ![BSDBTC60.png](images/matrix60.png)

### Bridges

[Twitter](bridges/twitter.md)

[Instagram](bridges/instagram.md)

/FreeNAS/matrix-synapse/README.md:

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

**[Intro]** - [ [Jail Creation](1_jail.md) ] - [ [Postgresql](2_postgresql.md) ] - [ [synapse](3_synapse.md) ] - [ [reverse proxy](4_nginx.md) ] - [ [token registration](5_registration.md) ] - [ [tor](6_tor.md) ] - [ [coturn](7_coturn.md) ] - [ [call](8_call.md) ] - [ [bridges](9_bridges.md) ]

## Guide to matrix-synapse server on TrueNAS ![BSDBTC60.png](images/matrix60.png)

### Intro

[Matrix](https://matrix.org/) is a protocol for secure, decentralised, real-time communication. [Synapse](https://github.com/element-hq/synapse) is the reference server implementation of the matrix protocol and [Element](https://element.io/) is the reference client implementation of the matrix protocol. Other servers and clients exist, but are usually forks of the main projects.

### What makes the Matrix protocol so special?

Remember email? You can send an email from one email provider to another! So how come all modern chat apps lack this fundamental interoperability? Why can't people on Telegram chat with people on WeChat? The matrix protocol specifies a server software implementation that communicates not just with clients, but with other servers too, allowing interoperable communication between chat hosts.

### Can't servers just censor other servers?
Sure, gmail could in theory block all communication with hotmail. In the same way, one matrix server could block its users from connecting to another matrix server.

Censorship only works on centralized networks. Consider the following network topologies:

#### The centralized server:
One monolithic server, Twitter, decides who you can and can't talk to on their platform. Complete centralized control rules with tyranny. Absolute power corrupts absolutely. The individual has no choice in moderation policies.

#### The federated network:
The gnu/social server mastodon.social blocks the gnu/social server gab.com. Individual administrators decide who their members can and can't talk to. The power structure is moved closer to the individual. This increases the freedom of individuals, as they can now choose their servers and moderators.

#### The decentralized network:
Every individual runs their own [dendrite](https://github.com/matrix-org/dendrite) matrix server and chat client on the same device. A completely decentralized network. The individual decides who to block and who to voluntarily associate with.

Eventually, with enough engineering, the matrix protocol can reach a completely decentralized state. Until then, the best we can do is run a federated network topology for like-minded individuals.

### Goal
By the end of this guide, you will be running a matrix-synapse server in a TrueNAS / FreeBSD jail.

You will be able to connect a chat client to your server. I personally like [Element Secure Messenger](https://element.io/get-started).

Your server will be able to federate with other matrix servers. Send me a message at [@seth586:nym.im](https://matrix.to/#/@seth586:nym.im) to test your federation, and let me know how it went!

Public signups will be disabled; however, you will have a token generator to give permissioned signups to friends.

You will have a STUN/TURN server running, to help 1-on-1 WebRTC voice and video call connections find each other (STUN) or to act as a relay that punches through various NAT and network topologies (TURN).

You will have a jitsi server running to serve group voice and video calls.

We will also allow clients to connect over tor, allowing them to stay anonymous. Unfortunately, the matrix-synapse server can not federate with other servers over tor, but it is on the development roadmap.

Optionally, you can set up [bridges](https://matrix.org/bridges/) to communicate with other popular chat services.

### Target Versions

This guide was written and tested to work with FreeBSD 12.2 and Synapse 1.40. If installing a newer version (likely), catch up on the [upgrade notes](https://element-hq.github.io/synapse/develop/upgrade.html) to ensure these instructions and configurations are still accurate.

Next: [ [Jail Creation](1_jail.md) ]

/FreeNAS/matrix-synapse/bridges/email.md:

email bridge

```
git clone https://github.com/JojiiOfficial/Matrix-EmailBridge
cd Matrix-EmailBridge/main
go get -v -u
go build -o emailbridge
./emailbridge
chmod 600 cfg.json data.db
mkdir ./temp
chmod -R 770 ./temp
```
`nano cfg.json`

/FreeNAS/matrix-synapse/bridges/facebook.md:

## Create new database
```
# nano /var/db/postgres/data13/pg_hba.conf

host mautrix-facebook mautrix-facebook 127.0.0.1/32 password
```

```
root@synapse:~ # sudo -i -u postgres
$ psql
postgres=# CREATE USER "mautrix-facebook" WITH PASSWORD 'password';
postgres=# CREATE DATABASE "mautrix-facebook" OWNER "mautrix-facebook";
postgres=# \q
$ pg_ctl reload -D /var/db/postgres/data13
$ exit
root@synapse:~ #
```

## Install mautrix-facebook
```
pkg install py37-virtualenv olm rust py37-pillow nano

pw adduser mautrix-facebook -d /nonexistent -s /usr/sbin/nologin -c "User for mautrix-facebook bridge"

mkdir /var/db/mautrix-facebook && chown -R mautrix-facebook:mautrix-facebook /var/db/mautrix-facebook

cd /var/db/mautrix-facebook

virtualenv -p /usr/local/bin/python3.7 .

source /var/db/mautrix-facebook/bin/activate.csh

pip install --global-option=build_ext --global-option="-I/usr/local/include" --upgrade python-olm

pip install --upgrade 'mautrix-facebook[all]'

cp example-config.yaml config.yaml
```

Configure mautrix-facebook: `nano config.yaml`:
```
homeserver:
    address: https://example.tld
    domain: example.tld
appservice:
    database: postgres://mautrix-facebook:password@localhost/mautrix-facebook
bridge:
    permissions:
        example.tld: user
        "@admin:example.tld": admin
logging:
    handlers:
        file:
            filename: /var/db/mautrix-facebook/mautrix-facebook.log
```

Generate `registration.yaml`:
```
# mkdir /usr/local/etc/mautrix-facebook
# mv config.yaml /usr/local/etc/mautrix-facebook/config.yaml
# chown -R mautrix-facebook:mautrix-facebook /var/db/mautrix-facebook
# chown -R mautrix-facebook:mautrix-facebook /usr/local/etc/mautrix-facebook
# sudo -u mautrix-facebook /var/db/mautrix-facebook/bin/python -m mautrix_facebook -g -c /usr/local/etc/mautrix-facebook/config.yaml -r /usr/local/etc/mautrix-facebook/registration.yaml
```
Add mautrix-facebook to the synapse config `nano /usr/local/etc/matrix-synapse/homeserver.yaml`:
```
app_service_config_files:
  - /usr/local/etc/mautrix-facebook/registration.yaml
```
Restart synapse:
```
service synapse restart
```
## Create startup script
`touch /usr/local/etc/rc.d/mautrix-facebook && chmod +x /usr/local/etc/rc.d/mautrix-facebook && nano /usr/local/etc/rc.d/mautrix-facebook`:
```
#!/bin/sh
#
# PROVIDE: mautrix_facebook
# REQUIRE:
# KEYWORD:

. /etc/rc.subr
name="mautrix_facebook"
rcvar="mautrix_facebook_enable"
mautrix_facebook_command="/var/db/mautrix-facebook/bin/python -m mautrix_facebook -c /usr/local/etc/mautrix-facebook/config.yaml -r /usr/local/etc/mautrix-facebook/registration.yaml"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -u mautrix-facebook -r -f ${mautrix_facebook_command}"

load_rc_config $name
: ${mautrix_facebook_enable:=no}

run_rc_command "$1"
```
Enable service: `sysrc mautrix_facebook_enable="YES"`

## Dry run verbose mode
```
sudo -u mautrix-facebook /var/db/mautrix-facebook/bin/python -m mautrix_facebook -c /usr/local/etc/mautrix-facebook/config.yaml -r /usr/local/etc/mautrix-facebook/registration.yaml
```
(Ctrl+C to stop)
## Start Service
```
# service mautrix-facebook start
# ps aux
mautrix-facebook 10193 50.4 0.1 110020 66508 - SJ 00:59 0:00.93 /var/db/mautrix-facebook/bin/python -m mautrix_facebook -c /usr/local/etc/mautrix-facebook/config.yaml -r /usr/local/etc/mautrix-facebook/registration.yaml (python3.7)
root 10192 0.0 0.0 10844 2292 - SsJ 00:59 0:00.00 daemon: /var/db/mautrix-facebook/bin/python[10193] (daemon)
```

/FreeNAS/matrix-synapse/bridges/groupme.md:

## Groupme

Refer to the official documentation: https://gitlab.com/robintown/mx-puppet-groupme

```
git clone https://gitlab.com/robintown/mx-puppet-groupme

cd mx-puppet-groupme

npm install groupme

cp sample.config.yaml config.yaml

nano config.yaml

npm run start -- --register
```

`touch /usr/local/etc/rc.d/groupme && chmod +x /usr/local/etc/rc.d/groupme && nano /usr/local/etc/rc.d/groupme`:
```
#!/bin/sh
#
# PROVIDE: groupme
# REQUIRE:
# KEYWORD:

. /etc/rc.subr
name="groupme"
rcvar="groupme_enable"
groupme_command="/usr/local/bin/node /root/mx-puppet-groupme/build/index.js --config=/root/mx-puppet-groupme/config.yaml --registration-file=/root/mx-puppet-groupme/groupme-registration.yaml"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -r -f ${groupme_command}"

load_rc_config $name
: ${groupme_enable:=no}

run_rc_command "$1"
```

```
# sysrc groupme_enable="YES"
# service groupme start
ps aux
```

/FreeNAS/matrix-synapse/bridges/instagram.md:

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/FreeNAS/matrix-synapse/9_bridges.md) ]

## Instagram bridge

### Configure database
Allow connection to the database `# nano /var/db/postgres/data13/pg_hba.conf`:
```
host mautrix-instagram mautrix-instagram 127.0.0.1/32 password
```

### Create database:
```
root@synapse:~ # sudo -i -u postgres
$ psql
postgres=# CREATE USER "mautrix-instagram" WITH PASSWORD 'password';
postgres=# CREATE DATABASE "mautrix-instagram" OWNER "mautrix-instagram";
postgres=# \q
$ pg_ctl reload -D /var/db/postgres/data13
$ exit
root@synapse:~ #
```

### Install mautrix-instagram
```
# pkg install py37-virtualenv olm rust py37-pillow nano

# pw adduser mautrix-instagram -d /nonexistent -s /usr/sbin/nologin -c "User for mautrix-instagram bridge"

# mkdir /var/db/mautrix-instagram && chown -R mautrix-instagram:mautrix-instagram /var/db/mautrix-instagram

# cd /var/db/mautrix-instagram

# virtualenv -p /usr/local/bin/python3.7 .

# source /var/db/mautrix-instagram/bin/activate.csh

# pip install --global-option=build_ext --global-option="-I/usr/local/include" --upgrade python-olm

# pip install --upgrade 'https://github.com/tulir/mautrix-instagram/tarball/master#egg=mautrix-instagram[all]'

# cp example-config.yaml config.yaml
```

### Configure mautrix-instagram:

At minimum change these values `# nano config.yaml`:
```
homeserver:
    address: https://example.tld
    domain: example.tld
appservice:
    database: postgres://mautrix-instagram:password@localhost/mautrix-instagram
bridge:
    permissions:
        example.tld: user
        "@admin:example.tld": admin
logging:
    handlers:
        file:
            filename: /var/db/mautrix-instagram/mautrix-instagram.log
```

Generate `registration.yaml`:
```
# mkdir /usr/local/etc/mautrix-instagram
# mv config.yaml /usr/local/etc/mautrix-instagram/config.yaml
# chown -R mautrix-instagram:mautrix-instagram /var/db/mautrix-instagram
# chown -R mautrix-instagram:mautrix-instagram /usr/local/etc/mautrix-instagram
# sudo -u mautrix-instagram /var/db/mautrix-instagram/bin/python -m mautrix_instagram -g -c /usr/local/etc/mautrix-instagram/config.yaml -r /usr/local/etc/mautrix-instagram/registration.yaml
```
Add mautrix-instagram to the synapse config `nano /usr/local/etc/matrix-synapse/homeserver.yaml`:
```
app_service_config_files:
  - /usr/local/etc/mautrix-instagram/registration.yaml
```
Restart synapse:
```
service synapse restart
```
### Create startup script
`touch /usr/local/etc/rc.d/mautrix-instagram && chmod +x /usr/local/etc/rc.d/mautrix-instagram && nano /usr/local/etc/rc.d/mautrix-instagram`:
```
#!/bin/sh
#
# PROVIDE: mautrix_instagram
# REQUIRE:
# KEYWORD:

. /etc/rc.subr
name="mautrix_instagram"
rcvar="mautrix_instagram_enable"
mautrix_instagram_command="/var/db/mautrix-instagram/bin/python -m mautrix_instagram -c /usr/local/etc/mautrix-instagram/config.yaml -r /usr/local/etc/mautrix-instagram/registration.yaml"
pidfile="/var/run/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -u mautrix-instagram -r -f ${mautrix_instagram_command}"

load_rc_config $name
: ${mautrix_instagram_enable:=no}

run_rc_command "$1"
```
Enable service: `sysrc mautrix_instagram_enable="YES"`

### Dry run verbose mode
```
sudo -u mautrix-instagram /var/db/mautrix-instagram/bin/python -m mautrix_instagram -c /usr/local/etc/mautrix-instagram/config.yaml -r /usr/local/etc/mautrix-instagram/registration.yaml
```
(Ctrl+C to stop)
### Start Service
```
# service mautrix-instagram start
# ps aux
mautrix-instagram 10193 50.4 0.1 110020 66508 - SJ 00:59 0:00.93 /var/db/mautrix-instagram/bin/python -m mautrix_instagram -c /usr/local/etc/mautrix-instagram/config.yaml -r /usr/local/etc/mautrix-instagram/registration.yaml (python3.7)
root 10192 0.0 0.0 10844 2292 - SsJ 00:59 0:00.00 daemon: /var/db/mautrix-instagram/bin/python[10193] (daemon)
```

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/FreeNAS/matrix-synapse/9_bridges.md) ]
/FreeNAS/matrix-synapse/bridges/twitter.md: -------------------------------------------------------------------------------- 1 | [ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/FreeNAS/matrix-synapse/9_bridges.md) ] 2 | 3 | ## Twitter bridge 4 | 5 | ### Configure database 6 | Allow connection to database `# nano /var/db/postgres/data13/pg_hba.conf`: 7 | ``` 8 | host mautrix-twitter mautrix-twitter 127.0.0.1/32 password 9 | ``` 10 | 11 | ### Create database: 12 | ``` 13 | root@synapse:~ # sudo -i -u postgres 14 | $ psql 15 | postgres=# CREATE USER "mautrix-twitter" WITH PASSWORD 'password'; 16 | postgres=# CREATE DATABASE "mautrix-twitter" OWNER "mautrix-twitter"; 17 | postgres=# \q 18 | $ pg_ctl reload -D /var/db/postgres/data13 19 | $ exit 20 | root@synapse:~ # 21 | ``` 22 | 23 | ### Install mautrix-twitter 24 | ``` 25 | # pkg install py37-virtualenv olm rust py37-pillow nano 26 | 27 | # pw adduser mautrix-twitter -d /nonexistent -s /usr/sbin/nologin -c "User for mautrix-twitter bridge" 28 | 29 | # mkdir /var/db/mautrix-twitter && chown -R mautrix-twitter:mautrix-twitter /var/db/mautrix-twitter 30 | 31 | # cd /var/db/mautrix-twitter 32 | 33 | # virtualenv -p /usr/local/bin/python3.7 . 
34 | 35 | # source /var/db/mautrix-twitter/bin/activate.csh 36 | 37 | # pip install --global-option=build_ext --global-option="-I/usr/local/include" --upgrade python-olm 38 | 39 | # pip install --upgrade 'mautrix-twitter[all]' 40 | 41 | # cp example-config.yaml config.yaml 42 | ``` 43 | 44 | ### Configure mautrix-twitter: 45 | 46 | At minimum change these values `# nano config.yaml`: 47 | ``` 48 | homeserver: 49 | address: https://example.tld 50 | domain: example.tld 51 | appservice: 52 | database: postgres://mautrix-twitter:password@localhost/mautrix-twitter 53 | bridge: 54 | permissions: 55 | example.tld: user 56 | `@admin:example.tld`: admin 57 | logging: 58 | handlers: 59 | file: 60 | filename: /var/db/mautrix-twitter/mautrix-twitter.log 61 | ``` 62 | 63 | Generate `registration.yaml`: 64 | ``` 65 | # mkdir /usr/local/etc/mautrix-twitter 66 | # mv config.yaml /usr/local/etc/mautrix-twitter/config.yaml 67 | # chown -R mautrix-twitter:mautrix-twitter /var/db/mautrix-twitter 68 | # chown -R mautrix-twitter:mautrix-twitter /usr/local/etc/mautrix-twitter 69 | # sudo -u mautrix-twitter /var/db/mautrix-twitter/bin/python -m mautrix_twitter -g -c /usr/local/etc/mautrix-twitter/config.yaml -r /usr/local/etc/mautrix-twitter/registration.yaml 70 | ``` 71 | Add mautrix-twitter to synapse config `nano /usr/local/etc/matrix-synapse/homeserver.yaml`: 72 | ``` 73 | app_service_config_files: 74 | - /usr/local/etc/mautrix-twitter/registration.yaml 75 | ``` 76 | restart synapse: 77 | ``` 78 | service synapse restart 79 | ``` 80 | ### Create startup script 81 | `touch /usr/local/etc/rc.d/mautrix-twitter && chmod +x /usr/local/etc/rc.d/mautrix-twitter && nano /usr/local/etc/rc.d/mautrix-twitter`: 82 | ``` 83 | #!/bin/sh 84 | # 85 | # PROVIDE: mautrix_twitter 86 | # REQUIRE: 87 | # KEYWORD: 88 | 89 | . 
/etc/rc.subr 90 | name="mautrix_twitter" 91 | rcvar="mautrix_twitter_enable" 92 | mautrix_twitter_command="/var/db/mautrix-twitter/bin/python -m mautrix_twitter -c /usr/local/etc/mautrix-twitter/config.yaml -r /usr/local/etc/mautrix-twitter/registration.yaml" 93 | pidfile="/var/run/${name}.pid" 94 | command="/usr/sbin/daemon" 95 | command_args="-P ${pidfile} -u mautrix-twitter -r -f ${mautrix_twitter_command}" 96 | 97 | load_rc_config $name 98 | : ${mautrix_twitter_enable:=no} 99 | 100 | run_rc_command "$1" 101 | ``` 102 | Enable service: `sysrc mautrix_twitter_enable="YES"` 103 | 104 | ### Dry run verbose mode 105 | ``` 106 | sudo -u mautrix-twitter /var/db/mautrix-twitter/bin/python -m mautrix_twitter -c /usr/local/etc/mautrix-twitter/config.yaml -r /usr/local/etc/mautrix-twitter/registration.yaml 107 | ``` 108 | (Ctrl+C to stop) 109 | ### Start Service 110 | ``` 111 | # service mautrix-twitter start 112 | # ps aux 113 | mautrix-twitter 10193 50.4 0.1 110020 66508 - SJ 00:59 0:00.93 /var/db/mautrix-twitter/bin/python -m mautrix_twitter -c /usr/local/etc/mautrix-twitter/config.yaml -r /usr/local/etc/mautrix-twitter/registration.yaml (python3.7) 114 | root 10192 0.0 0.0 10844 2292 - SsJ 00:59 0:00.00 daemon: /var/db/mautrix-twitter/bin/python[10193] (daemon) 115 | ``` 116 | 117 | [ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/FreeNAS/matrix-synapse/9_bridges.md) ] 118 | -------------------------------------------------------------------------------- /FreeNAS/matrix-synapse/images/matrix60.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/matrix-synapse/images/matrix60.png -------------------------------------------------------------------------------- /FreeNAS/mumble/1_jail_creation.md: -------------------------------------------------------------------------------- 1 | [ [<< Back to Main 
Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ **Jail Creation** ] - [ [murmur](2_murmur.md) ] - [ [SSL & Domain](3_ssl_domain.md) ] - [ [Basic ACL Config](4_acl.md) ]

## Guide to Mumble server (murmur) on FreeNAS/TrueNAS ![mumble60.png](images/mumble60.png)
### Jail Creation

Jails are a way to separate computing environments. Since we are exposing murmur to the internet, we do not want the whole system compromised if the murmur server gets compromised; a jail confines the damage to the jail. It also helps us partition the software on our system. Make a mistake? No worries, just nuke the jail and start over!

Login to the TrueNAS web-ui. Create a new jail with a static IP address outside the range of your router's DHCP IP range. The default DHCP range on OpenWRT is 192.168.0.100 thru 192.168.0.254; I will use 192.168.84.99 as an example and call the jail 'mumble'.

![JailBlog](images/jailmumble.png)

## Port forward rules for your router

Log in to your OpenWRT web-ui and configure UDP and TCP forwarding for port 64738:

Click "Network ▼", "Firewall". Click the "Port Forwards" tab, then click "Add".

![mumbleportforward](images/mumbleportforward.png)

Click "Save". Notice the ![unsavedchanges](images/unsavedchanges.png) icon. The configuration will not take effect until you click ![saveapply](images/saveapply.png). You should now see the following configuration:

![mumbleportforwardcomplete](images/mumbleportforwardcomplete.png)

Log out of your OpenWRT web-ui.

Next: [ [murmur](2_murmur.md) ] >>
--------------------------------------------------------------------------------
/FreeNAS/mumble/2_murmur.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail_creation.md) ] - [ **Murmur** ] - [ [SSL & Domain](3_ssl_domain.md) ] - [ [Basic ACL Config](4_acl.md) ]

## Guide to Mumble server (murmur) on FreeNAS/TrueNAS ![mumble60.png](images/mumble60.png)
### Murmur

SSH into TrueNAS and switch to your mumble jail.
```
# iocage console mumble
```

Let's install the server, [murmur](https://wiki.mumble.info/wiki/Running_Murmur)!
```
# pkg install -y murmur nano
# sysrc murmur_enable=yes
```

### Configure Murmur
```
# nano /usr/local/etc/murmur.ini
```
You can read up on the configuration options [here](https://wiki.mumble.info/wiki/Murmur.ini). Edit the following lines:

Uncomment the autoban lines so that an address making too many connection attempts within the timeframe is temporarily banned, which blunts brute-force and denial-of-service attempts against your server. Remove the ";" before each item:
```
autobanAttempts = 10
autobanTimeframe = 120
autobanTime = 300
```
Save (CTRL+O, ENTER) and exit (CTRL+X).

### Start the server
```
# service murmur start && tail -f /var/log/murmur/murmur.log
```
Notice the log line `2020-06-30 00:06:38.398 1 => Password for 'SuperUser' set to 'cHxBymvuygMy'` that sets the SuperUser password: we will use these account credentials to configure the Access Control List, then hopefully never use the SuperUser account again! To exit the live logging, press CTRL+C.

### Connect a mumble client
On a client machine, download the mumble client [here](https://www.mumble.info/). Open the program and click "Add New...".
On this `reverse-proxy` jail, nginx listens for website requests on the default ports, 80 for HTTP and 443 for HTTPS, and passes each request on to the appropriate jail for the websites we host now or in the future.

Murmur does not use a shared port the way websites share 80 and 443, so nginx does not need to reverse proxy port 64738; the firewall rule we created during [Jail Creation](1_jail_creation.md) forwards TCP and UDP requests on `(public IP address):64738` straight to `(mumble jail IP address):64738`.

However, the [reverse-proxy jail guide](https://github.com/seth586/guides/blob/master/FreeNAS/webserver/6_reverse_proxy.md) also handles dynamic DNS and our domain certificate requests and renewals, so for the sake of configuring and maintaining a domain and SSL/TLS certificates for mumble, and for future website projects on our server, this mumble guide requires the `reverse-proxy` jail to be created and in use.

## 1. Configure Dynamic DNS & Certbot
Please complete steps 1-5 (minimum!) of the [reverse-proxy tutorial](https://github.com/seth586/guides/blob/master/FreeNAS/webserver/6_reverse_proxy.md) if you have not already done so, then come back here.

## 2. Mount Points for SSL/TLS keys
```
# mkdir /usr/local/etc/certs
```

We need to share the certificate chain and private key in our `reverse-proxy` jail with our `mumble` jail, so log in to FreeNAS' web-ui and "stop" the `mumble` jail. With the `mumble` jail still selected, click "mount points". Click "Actions ▼", "Add".

Remember to replace `example.com` with your own domain.

Source: `/mnt/volume0/iocage/jails/reverse-proxy/root/usr/local/etc/letsencrypt`

Destination: `/mnt/volume0/iocage/jails/mumble/root/usr/local/etc/certs`

Check the "Read Only" box. Click "Save".

Start the `mumble` jail and SSH in.

```
# cd /usr/local/etc/certs
# ll
drwxr-xr-x  3 root  wheel   3 Feb 17 05:23 accounts/
drwxr-xr-x  3 root  certs   3 Jun 30 02:14 archive/
drwxr-xr-x  2 root  wheel  12 Jun 20 01:09 csr/
drwx------  2 root  wheel  12 Jun 20 01:09 keys/
drwxr-xr-x  3 root  certs   4 May 11 21:16 live/
drwxr-xr-x  2 root  wheel   5 Jun 20 01:10 renewal/
drwxr-xr-x  5 root  wheel   5 Feb 17 05:23 renewal-hooks/
```
The `reverse-proxy` jail path `/usr/local/etc/letsencrypt` is now accessible in our `mumble` jail at `/usr/local/etc/certs`!

## Add certs group and add murmur to certs group
Group ownership crosses the read-only mount as a numeric GID, not a name, so the `certs` group created here must have the same GID as the group that owns `archive/` and `live/` in the `reverse-proxy` jail (1001 in this example); if `pw groupadd` would assign a different number, pass the matching one explicitly with `-g`.
```
# pw groupadd certs
# pw groupmod certs -M murmur
# pw groupshow certs
certs:*:1001:murmur
# id murmur
uid=338(murmur) gid=338(murmur) groups=338(murmur),1001(certs)
```

## Configure murmur for SSL/TLS certificates
```
nano /usr/local/etc/murmur.ini
```
Edit the following lines:
```
sslCert=/usr/local/etc/certs/live/example.com/fullchain.pem
sslKey=/usr/local/etc/certs/live/example.com/privkey.pem
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

Now start murmur:
```
# service murmur start && tail -f /var/log/murmur/murmur.log
Starting murmur.
```
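Both murmur.ini edits in this guide (the autoban lines from the Murmur step and `sslCert`/`sslKey` above) are easy to leave commented out, and murmur then falls back to its own self-signed certificate. The POSIX sh audit below is an added example, not part of this guide or of Mumble: it reads an ini file treating `;` lines as comments, confirms the autoban values are active positive integers and that the certificate paths are readable with a private key that is not world-readable, and builds two constructed sample files for the demo (the `make_sample` helper, its file names and dummy key files are assumptions).

```shell
#!/bin/sh
# Added example, not part of this guide or of Mumble: audit the murmur.ini settings
# this guide edits (autoban* in the "Murmur" step, sslCert/sslKey in this step).
# Assumptions: murmur.ini is "key = value" per line and ';' starts a comment, so a
# commented-out setting counts as unset. Readability is tested as the user running
# this script; run it as murmur (su -m murmur -c ...) to see what murmur itself sees.

# ini_get FILE KEY -> value of the last active "KEY = VALUE" line, or nothing
ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                        # commented-out line
        index($0, "=") == 0 { next }                  # not a key=value line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_autoban FILE -> 0 when all three autoban settings are active positive integers
check_autoban() {
    ab_rc=0
    for key in autobanAttempts autobanTimeframe autobanTime; do
        v=$(ini_get "$1" "$key")
        case $v in
            ''|*[!0-9]*|0) echo "FAIL $key is unset, commented out or not a positive integer"; ab_rc=1 ;;
            *)             echo "ok   $key = $v" ;;
        esac
    done
    return $ab_rc
}

# check_tls FILE -> 0 when sslCert and sslKey name readable files and the key is not world-readable
check_tls() {
    tls_rc=0
    for key in sslCert sslKey; do
        v=$(ini_get "$1" "$key")
        if [ -z "$v" ]; then
            echo "FAIL $key is not set, so murmur falls back to a self-signed certificate"; tls_rc=1
        elif [ ! -r "$v" ]; then
            echo "FAIL $key = $v is missing or not readable by $(id -un)"; tls_rc=1
        elif [ "$key" = sslKey ] && [ "$(ls -ldL "$v" | cut -c8)" = r ]; then
            echo "FAIL $key = $v is world-readable"; tls_rc=1      # 8th char of the mode is others' read bit
        else
            echo "ok   $key = $v"
        fi
    done
    return $tls_rc
}

# audit_murmur_ini FILE -> 0 only when both checks pass
audit_murmur_ini() {
    echo "auditing $1"
    audit_rc=0
    check_autoban "$1" || audit_rc=1
    check_tls "$1" || audit_rc=1
    return $audit_rc
}

# make_sample DIR MODE -> writes a constructed murmur-MODE.ini into DIR and prints its path.
# MODE "hardened" is how this guide leaves the file; "default" still has the autoban
# lines commented out and no certificate configured.
make_sample() {
    dir=$1; mode=$2; ini=$dir/murmur-$mode.ini
    : > "$dir/fullchain.pem"                                   # dummy files, not real keys
    : > "$dir/privkey.pem"; chmod 640 "$dir/privkey.pem"
    if [ "$mode" = hardened ]; then
        printf '%s\n' '; constructed sample' 'autobanAttempts = 10' 'autobanTimeframe = 120' \
            'autobanTime = 300' "sslCert=$dir/fullchain.pem" "sslKey=$dir/privkey.pem" > "$ini"
    else
        printf '%s\n' '; constructed sample' ';autobanAttempts = 10' ';autobanTimeframe = 120' \
            ';autobanTime = 300' 'sslCert=' 'sslKey=' > "$ini"
    fi
    echo "$ini"
}

if [ $# -gt 0 ]; then
    audit_murmur_ini "$1"          # e.g. sh audit_murmur.sh /usr/local/etc/murmur.ini
else
    demo=$(mktemp -d)
    audit_murmur_ini "$(make_sample "$demo" hardened)"
    audit_murmur_ini "$(make_sample "$demo" default)" || true   # expected to report failures
    rm -rf "$demo"
fi
```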

Next: [ [Basic ACL Config](4_acl.md) ] >>
--------------------------------------------------------------------------------
/FreeNAS/mumble/4_acl.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail_creation.md) ] - [ [murmur](2_murmur.md) ] - [ [SSL & Domain](3_ssl_domain.md) ] - [ **Basic ACL Config** ]

## Guide to Mumble server (murmur) on FreeNAS/TrueNAS ![mumble60.png](images/mumble60.png)
### Access Control List Configuration
--------------------------------------------------------------------------------
/FreeNAS/mumble/README.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

**[Intro]** - [ [Jail Creation](1_jail_creation.md) ] - [ [murmur](2_murmur.md) ] - [ [SSL & Domain](3_ssl_domain.md) ] - [ [Basic ACL Config](4_acl.md) ]

## Guide to Mumble server (murmur) on FreeNAS/TrueNAS ![mumble60.png](images/mumble60.png)
### Intro

Discord is currently the most popular voice chat system among many communities; however, it is a closed-source platform, does not offer end-to-end encryption, and frequently engages in censorship.

The mumble server, [called murmur](https://wiki.mumble.info/wiki/Running_Murmur), offers us complete, uncensorable control of our voice chat community. Mumble offers end to end encryption, and a very powerful Access Control List ruleset that allows you to give special permissions to your users. ACLs are a little hard to understand at first, so at the end of the guide there is a basic ACL configuration example to get you started.

### Objective
By the end of this guide, we will have a mumble server configured with a domain name that you can hand out to friends and strangers alike. A basic access control list will be configured into a three tier privilege system:

- Anonymous User: upon connecting to the server they will be in the root lobby with no privileges to talk, type, or move to a lobby.
- Registered User (for your friends): will have privileges to talk, type, and move themselves and anonymous users between lobbies.
- Administrator User (for your trusted friends and family): will have privileges to promote a user to registered user, as well as kick, ban and unban privileges.

Next: [ [Jail Creation](1_jail_creation.md) ] >>
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/jailmumble.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/jailmumble.png
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/mumble.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/mumble.jpg
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/mumble60.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/mumble60.png
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/mumbleportforward.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/mumbleportforward.png
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/mumbleportforwardcomplete.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/mumbleportforwardcomplete.png
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/saveapply.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/saveapply.png
--------------------------------------------------------------------------------
/FreeNAS/mumble/images/unsavedchanges.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/mumble/images/unsavedchanges.png
--------------------------------------------------------------------------------
/FreeNAS/nextcloud/1_jail.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ **Jail Creation** ] - [ [apache](4_apache.md) ] - [ [PHP](3_php.md) ] - [ [mariadb](2_mariadb.md) ] - [ [nextcloud](5_nextcloud.md) ] - [ [reverseproxy ](6_reverseproxy.md)] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

### Jail & Dataset Plan

Before we start installing anything, let's make a few datasets to keep important files in case you need to nuke and rebuild the jail.
This is also useful for backing up critical components, should you decide to take advantage of OpenZFS snapshotting and replicate these to another machine.

### Create users
Users in the dataset outside the jail need to match user permissions inside the jail, so they must have a matching username and user ID (UID).

In TrueNAS' web-ui, click `accounts -> users -> add`, and create the following:
```
Username: mysql
Full Name: MySQL User
User ID: 88
New Primary Group: Checked
Enable Password login: No
```
When finished, click `Submit`

### Create datasets
I have two [pools](https://www.truenas.com/docs/core/storage/pools/poolcreate/): `volume0`, a RAIDZ2 pool of several HDDs, and `volume1`, a mirrored pool of two high performance SSDs (Samsung PM1725b HHHL NVMe x8). [Datasets](https://www.truenas.com/docs/core/storage/pools/datasets/) will be created to store important data that needs to be backed up.

I highly recommend the following dataset folder structure, as it will make sense as you deploy more software; an example from my system:
```
─── volume0
    ├── apps
    │   ├── nextcloud
    │   │   ├── files
    │   ├── synapse
    │   │   ├── mediastore

─── volume1
    ├── apps
    │   ├── nextcloud
    │   │   ├── config
    │   │   ├── themes
    │   │   ├── db
    │   ├── synapse
    │   │   ├── config
    │   │   ├── signingkey
    │   │   ├── db
... and so on
```

Login to TrueNAS' web-ui, click `storage -> pools`, and create the following datasets based on your own pool configuration:
```
volume0/apps/nextcloud/files
Enable atime: Off

volume1/apps/nextcloud/db
Enable atime: Off

volume1/apps/nextcloud/config
Enable atime: On

volume1/apps/nextcloud/themes
Enable atime: On
```

### Assign dataset permissions
In TrueNAS' web-ui, click the `three-dot icon` next to each dataset you created, click `permissions` and assign the following permissions, ticking `apply user checkmark` and `apply group checkmark`, typing in the user/group, then clicking `save`:
```
db
User: mysql
Group: mysql

config
User: www
Group: www

themes
User: www
Group: www
```

### Create Jail
In TrueNAS' web-ui, click `Jails > Add`. Create a jail with `VNET` and `allow_raw_sockets` enabled, set `name` to `nextcloud`, and choose the `release` and `IPv4 address`. Tick `autostart` and click `SAVE`.

### Mount datasets to jail
ssh into TrueNAS.
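A way to verify the UID requirement from the "Create users" step before the datasets go live, as an added example that is not part of this guide: it compares the numeric owner of each host dataset with the ID the jail resolves for the service user, and flags datasets that have been opened up world-writable instead. The `check_mappings` helper and its `iocage exec ... id` lookups are assumptions; the three datasets and users listed are the ones this guide creates.

```shell
#!/bin/sh
# Added example, not part of this guide: check that a host dataset is owned by the
# numeric UID/GID of the jail's service user and is not world-writable. nullfs mounts
# pass numeric IDs through unchanged, so the "mysql" user inside the jail matches only
# if its UID (88 in this guide) owns the dataset on the TrueNAS host. The jail/user
# mappings at the bottom are the ones this guide creates; the helpers are assumptions.

# owner_of PATH -> "uid gid modestring" from numeric ls output (same columns on FreeBSD and Linux)
owner_of() {
    ls -ldn "$1" | awk '{ print $3, $4, $1 }'
}

# check_dataset PATH UID GID -> 0 when PATH exists, is owned by UID:GID and "others" have no write bit
check_dataset() {
    ds_path=$1; want_uid=$2; want_gid=$3
    if [ ! -e "$ds_path" ]; then
        echo "FAIL $ds_path does not exist"
        return 1
    fi
    set -- $(owner_of "$ds_path")        # $1=uid $2=gid $3=mode, e.g. drwxr-x---
    ds_rc=0
    if [ "$1" != "$want_uid" ] || [ "$2" != "$want_gid" ]; then
        echo "FAIL $ds_path is owned by $1:$2, expected $want_uid:$want_gid"
        ds_rc=1
    fi
    case $3 in                           # 9th character of the mode is others' write bit
        ????????w*) echo "FAIL $ds_path is world-writable ($3); fix the owner instead of opening it up"; ds_rc=1 ;;
    esac
    [ $ds_rc -eq 0 ] && echo "ok   $ds_path is $1:$2 ($3)"
    return $ds_rc
}

# jail_uid JAIL USER and jail_gid JAIL USER -> the user's numeric UID and primary GID as
# resolved inside JAIL (uses iocage on the True NAS host, so the tests do not call these)
jail_uid() { iocage exec "$1" id -u "$2"; }
jail_gid() { iocage exec "$1" id -g "$2"; }

# check_mappings JAIL -> reads "host_path user" lines on stdin; each dataset must be
# owned by that user's UID and primary GID inside JAIL
check_mappings() {
    jail=$1; all_rc=0
    while read -r host_path user; do
        case $host_path in ''|'#'*) continue ;; esac
        check_dataset "$host_path" "$(jail_uid "$jail" "$user")" "$(jail_gid "$jail" "$user")" || all_rc=1
    done
    return $all_rc
}

# Stand-alone use on the TrueNAS host: sh check_datasets.sh nextcloud
if [ "$1" = nextcloud ]; then
    check_mappings nextcloud <<'EOF'
# dataset (on the host)               owner inside the jail
/mnt/volume1/apps/nextcloud/db        mysql
/mnt/volume1/apps/nextcloud/config    www
/mnt/volume1/apps/nextcloud/themes    www
EOF
fi
```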
```
$ iocage stop nextcloud
$ iocage exec nextcloud mkdir -p /mnt/data
$ iocage exec nextcloud mkdir -p /var/db/mysql
$ iocage exec nextcloud mkdir -p /usr/local/www/nextcloud/config
$ iocage exec nextcloud mkdir -p /usr/local/www/nextcloud/themes
$ iocage fstab -a nextcloud /mnt/volume0/apps/nextcloud/files /mnt/data nullfs rw 0 0
$ iocage fstab -a nextcloud /mnt/volume1/apps/nextcloud/db /var/db/mysql nullfs rw 0 0
$ iocage fstab -a nextcloud /mnt/volume1/apps/nextcloud/config /usr/local/www/nextcloud/config nullfs rw 0 0
$ iocage fstab -a nextcloud /mnt/volume1/apps/nextcloud/themes /usr/local/www/nextcloud/themes nullfs rw 0 0
$ zfs set primarycache=metadata volume1/apps/nextcloud/db
$ iocage start nextcloud
$ iocage console nextcloud
```

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/2_mariadb.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [apache](4_apache.md) ] - [ [PHP](3_php.md) ] - [ **mariadb** ] - [ [nextcloud](5_nextcloud.md) ] - [ [reverseproxy ](6_reverseproxy.md)] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

### Install

```
# pkg install mariadb106-server
# sysrc mysql_enable=yes
# service mysql-server start
```

### Required configuration parameters
See [here](https://docs.nextcloud.com/server/latest/admin_manual/configuration_database/linux_database_configuration.html) for the official documentation of the required config parameters:

`nano /usr/local/etc/mysql/conf.d/server.cnf`:
```
[mysqld]
...
character_set_server = utf8mb4
collation_server = utf8mb4_general_ci
transaction_isolation = READ-COMMITTED
binlog_format = ROW
innodb_large_prefix=on
innodb_file_format=barracuda
innodb_file_per_table=1
...
```
### Setup
```
# mysql_secure_installation
Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] y
Set root password? [Y/n] y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
```

### Create Database
```
# mysql -u root -p
CREATE DATABASE IF NOT EXISTS nextcloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nextcloud'@'localhost' IDENTIFIED BY 'insert_password_here';
FLUSH PRIVILEGES;
exit
```

### Configure PHP for mysql unix sockets

`nano /usr/local/etc/php/ext-30-pdo_mysql.ini`:
```
extension=pdo_mysql.so

[mysql]
mysql.default_socket=/var/run/mysql/mysql.sock
```
`service php-fpm restart`

### Upgrade MariaDB
Make sure to read the [backup](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/backup.html#mysql-mariadb) and [restoration](https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html) procedure before attempting an upgrade!
```
# service apache24 stop
# cd ~
# mysqldump --single-transaction --default-character-set=utf8mb4 -u nextcloud -pinsert_password_here nextcloud > nextcloud-sqlbkp_`date +"%Y%m%d"`.bak
# service mysql-server stop
# pkg remove mariadb105-server
# pkg install mariadb106-server
# service mysql-server start
# mariadb-upgrade
# service apache24 start
```
Note that a password passed as `-p<password>` on the command line is visible to other users in the jail through `ps` while the dump runs; putting it in a `[client]` section of a root-only `~/.my.cnf` avoids that.
--------------------------------------------------------------------------------
/FreeNAS/nextcloud/3_php.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [apache](4_apache.md) ] - [ **PHP** ] - [ [mariadb](2_mariadb.md) ] - [ [nextcloud](5_nextcloud.md) ] - [ [reverseproxy ](6_reverseproxy.md)] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

### Install prerequisites:
```
# pkg install php83 php83-bcmath php83-bz2 php83-ctype php83-curl php83-dom php83-exif php83-fileinfo php83-filter php83-gd php83-gmp php83-intl php83-mbstring php83-opcache php83-pcntl php83-pdo php83-pdo_mysql php83-pecl-imagick php83-pecl-redis php83-phar php83-posix php83-session php83-simplexml php83-sodium php83-sysvsem php83-xml php83-xmlreader php83-xmlwriter php83-zip php83-zlib
# sysrc php_fpm_enable=yes
```

### Configure `php.ini`
```
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
# nano /usr/local/etc/php.ini
```

Uncomment and adjust the following:

Note: see http://php.net/manual/en/timezones.php for the timezone relevant to you; an example would be Australia/Sydney.
```
...
cgi.fix_pathinfo=1
date.timezone=Country/City

post_max_size = 1999M
upload_max_filesize = 1999M
memory_limit = 512M

opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
...
```
Save (CTRL+O, ENTER) and Exit (CTRL+X)

### Change TCP listener to unix socket
`nano /usr/local/etc/php-fpm.d/www.conf`
```
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
```
Save (CTRL+O, ENTER) and Exit (CTRL+X)
```
# service php-fpm start
# apachectl graceful
```

### Test your php installation
Navigate to `your.jail.ip.address/info.php`

Remove it once you have confirmed PHP works, since `phpinfo()` publishes your paths, versions and settings: `rm /usr/local/www/apache24/data/info.php`

### Upgrade PHP
Make sure to upgrade to Nextcloud 24 before upgrading to PHP 8.1!
Make sure to upgrade to Nextcloud 26 before upgrading to PHP 8.2!
```
# service apache24 stop
# service php-fpm stop
# pkg remove php81
# pkg install php83 php83-bcmath php83-bz2 php83-ctype php83-curl php83-dom php83-exif php83-fileinfo php83-filter php83-gd php83-gmp php83-intl php83-mbstring php83-opcache php83-pcntl php83-pdo php83-pdo_mysql php83-pecl-imagick php83-pecl-redis php83-phar php83-posix php83-session php83-simplexml php83-sodium php83-sysvsem php83-xml php83-xmlreader php83-xmlwriter php83-zip php83-zlib
# service php-fpm start
# service apache24 start
```

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/4_apache.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ **apache** ] - [ [PHP](3_php.md) ] - [ [mariadb](2_mariadb.md) ] - [ [nextcloud](5_nextcloud.md) ] - [ [reverseproxy ](6_reverseproxy.md)] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

### Install apache
```
# pkg install apache24 redis nano wget ca_root_nss
# sysrc apache24_enable=yes
# service apache24 start
# sysrc redis_enable=yes
# nano /usr/local/etc/apache24/httpd.conf
```
Search for and uncomment the following lines (CTRL+W, paste, ENTER)
```
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

Restart the service
```
# apachectl graceful
```

### Test apache & set up test pages
Navigate to `your.jail.ip.address` in a browser; you should see the apache "It works!" message.

`nano /usr/local/etc/apache24/Includes/test.conf`: Change the server name to the jail IP:
```
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/apache24/data"
    ServerName 192.168.0.10
    ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm.sock|fcgi://localhost/usr/local/www/apache24/data/$1
    DirectoryIndex /index.php index.php
</VirtualHost>
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

`nano /usr/local/www/apache24/data/info.php`:
```
<?php
phpinfo();
?>
```

### Configure redis
`nano /usr/local/etc/redis.conf`:
```
port 0
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
bind 127.0.0.1
```
Save (CTRL+O, ENTER) and exit (CTRL+X)
```
# pw usermod www -G redis
# service redis start
```

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/5_nextcloud.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [apache](4_apache.md) ] - [ [PHP](3_php.md) ] - [ [mariadb](2_mariadb.md) ] - [ **nextcloud** ] - [ [reverseproxy ](6_reverseproxy.md)] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

### Install Nextcloud
```
# cd /tmp
# wget https://download.nextcloud.com/server/releases/latest.tar.bz2
# wget https://download.nextcloud.com/server/releases/latest.tar.bz2.sha512
# shasum -a 512 -c latest.tar.bz2.sha512
# tar -xf latest.tar.bz2 -C /usr/local/www
# rm latest.tar.bz2
# rm latest.tar.bz2.sha512
# chown -R www:www /usr/local/www/nextcloud
```
The `.sha512` file comes from the same server as the archive, so this check catches a corrupted download rather than a substituted one; Nextcloud also publishes detached GPG signatures (`.asc` files) next to its release archives if you want to verify the publisher as well.

### Configure apache
`nano /usr/local/etc/apache24/httpd.conf` and edit the directory block below:
```
DocumentRoot "/usr/local/www/nextcloud"
<Directory "/usr/local/www/nextcloud">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

`nano /usr/local/etc/apache24/Includes/cloud.mydomain.com.conf`:
```
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/nextcloud"
    ServerName cloud.mydomain.com
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/var/run/php-fpm.sock|fcgi://localhost"
    </FilesMatch>
    DirectoryIndex /index.php index.php
</VirtualHost>
```
Restart apache `service apache24 restart`

Navigate to your jail IP and configure nextcloud.

Create an admin `username` and `password`.
69 | 70 | datafolder = `/mnt/data` 71 | 72 | Database user = `nextcloud` 73 | 74 | Database password = `your_database_password` 75 | 76 | Database name = `nextcloud` 77 | 78 | Database host = `localhost:/var/run/mysql/mysql.sock` 79 | 80 | ### Nextcloud: enable redis cacheing 81 | ``` 82 | # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis host --value="/var/run/redis/redis.sock"' 83 | # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer' 84 | # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\Redis"' 85 | # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis"' 86 | # su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set filelocking.enabled --value="true"' 87 | # service apache24 restart 88 | ``` 89 | 90 | ### Optional: shell alias for `occ` 91 | `occ` is a powerful tool you should get familiar with to administer your nextcloud server. 
Typing in `su -m www -c 'php /usr/local/www/nextcloud/occ command'` every time sucks, so let's make a shell alias so we can run `occ` globally:
```
nano /root/.cshrc
```
Add the alias:
```
alias occ 'su -m www -c '\''php /usr/local/www/nextcloud/occ "$1"'\'''
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

Refresh your shell and try it out:
```
source ~/.cshrc
occ status
```

### Upgrade Nextcloud
```
su -m www -c 'php /usr/local/www/nextcloud/updater/updater.phar'
```

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/6_reverseproxy.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [nginx](4_apache.md) ] - [ [PHP](3_php.md) ] - [ [mariadb](2_mariadb.md) ] - [ [nextcloud](5_nextcloud.md) ] - [ **reverseproxy** ] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

Create your reverse proxy jail as outlined in the wordpress guide [here](https://github.com/seth586/guides/blob/master/FreeNAS/webserver/6_reverse_proxy.md).

Enter your `reverseproxy` jail and add the following file. Replace `mydomain` with your domain and the `proxy_pass` IP with your `nextcloud` jail IP:
```
# nano /usr/local/etc/nginx/vdomains/cloud.mydomain.com.conf
```
```
server {
    listen 443 ssl http2;

    server_name cloud.mydomain.com;
    access_log /var/log/nginx/cloud.access.log main;
    #server_tokens off;

    include snippets/mydomain.com.cert.conf;
    include snippets/ssl-params.conf;

    location / {
        include snippets/proxy-params.conf;
        proxy_pass http://192.168.84.73;
        client_max_body_size 2G;
    }

    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

Restart nginx: `service nginx restart`

### nextcloud jail configuration

Exit the `reverseproxy` jail and ssh into your `nextcloud` jail. Register the jail IP of your `reverseproxy` as a trusted proxy, list the domains Nextcloud may be reached under, and force the `https` scheme so links are generated correctly behind the TLS-terminating proxy:
```
# su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_proxies 0 --value="192.168.84.8"'
# su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_domains 0 --value="localhost"'
# su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value="cloud.mydomain.com"'
# su -m www -c 'php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value="https"'
```

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/7_collabora.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [Jail Creation](1_jail.md) ] - [ [nginx](4_apache.md) ] - [ [PHP](3_php.md) ] - [ [mariadb](2_mariadb.md) ] - [ [nextcloud](5_nextcloud.md) ] - [ [reverseproxy](6_reverseproxy.md) ] - [ **collabora** ]

## Guide to Nextcloud server on TrueNAS

Spin up an Ubuntu VM and follow the official instructions:

https://docs.nextcloud.com/server/latest/admin_manual/office/example-ubuntu.html
https://www.collaboraoffice.com/code/linux-packages/

```
sudo apt update -y
sudo apt install coolwsd code-brand -y
sudo systemctl start coolwsd && sudo systemctl enable coolwsd
sudo systemctl status coolwsd

sudo coolconfig set ssl.enable false
sudo coolconfig set ssl.termination true
sudo coolconfig set storage.wopi.host cloud.example.com
sudo coolconfig set-admin-password
sudo systemctl restart coolwsd

sudo netstat -tunlp | grep 9980
```

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/README.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

**[Intro]** - [ [Jail Creation](1_jail.md) ] - [ [apache](4_apache.md) ] - [ [PHP](3_php.md) ] - [ [mariadb](2_mariadb.md) ] - [ [nextcloud](5_nextcloud.md) ] - [ [reverseproxy](6_reverseproxy.md) ] - [ [collabora](7_collabora.md) ]

## Guide to Nextcloud server on TrueNAS

### Official Documentation
Refer to the official documentation at [https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html](https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html)

--------------------------------------------------------------------------------
/FreeNAS/nextcloud/images/nc60.png: https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/nextcloud/images/nc60.png
--------------------------------------------------------------------------------
/FreeNAS/plex/README.md:
--------------------------------------------------------------------------------
### Create an SSH tunnel to the Plex Jail (only necessary for the initial setup)
Source: https://www.ixsystems.com/community/threads/plex-cannot-find-a-server.58954/page-2

Open a shell for the jail through the FreeNAS Web GUI.

Edit `/etc/rc.conf` (you can use ee (easy editor) or vi if you're a
psychopath), and add the following line anywhere in the file:
`sshd_enable="YES"`

Start SSH with the command: `service sshd start`

Add a user by typing `adduser` and following the prompts.

When you get to the prompt to add your new user to any additional groups, add it to `wheel`:
```
Login group is NewUserThatYouJustCreated. Invite NewUserThatYouJustCreated into other groups? [ ]: wheel
```

Set the root password so that the new user will be able to use the `su` command to gain superuser privilege. To set the password, type `passwd` and enter your desired password.

Create your tunnel. On OSX or Linux, run the command `ssh IP.address.of.server -L 8888:localhost:32400`

Notes: create a `jellyfin` user with no login shell that is also a member of the `plex` group:
```
pw addgroup jellyfin -g 710
pw adduser jellyfin -u 710 -d /nonexistent -s /usr/sbin/nologin
pw usermod jellyfin -G jellyfin,plex
```

--------------------------------------------------------------------------------
/FreeNAS/tor_relay/README.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Tor Relay ![tor60.png](images/tor60.png)

While it is safe and relatively anonymous to run a relay and a hidden service from the same internet connection, it isn't perfect. Do not run a relay from the same internet connection as your bitcoin & lightning jail if you require *absolute* anonymity! See [this](https://research.kudelskisecurity.com/2013/09/04/dont-run-a-tor-router-and-a-hidden-service-from-the-same-connection/) for details. Your home router should be beefy enough to handle 7,000+ connections, and the Tor Project recommends a minimum of 16 Mbit download and upload speed for relays.

Create a new jail, forward TCP port 9001 to this jail's IP address, and ssh in.

### Update package repository to latest
```
# pkg install nano
# mkdir -p /usr/local/etc/pkg/repos
```
Create the repository config with `# nano /usr/local/etc/pkg/repos/FreeBSD.conf`:
```
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}
```

### Install and configure tor:
```
# pkg install tor ca_root_nss nano nyx
# sysrc tor_enable="YES"
# rm /usr/local/etc/tor/torrc
# nano /usr/local/etc/tor/torrc
```
Enter the tor configuration (I recommend setting up a burner email you can check once in a while):
```
# change the nickname "myNiceRelay" to a name that you like
Nickname myNiceRelay
ORPort 9001
ControlPort 9051
CookieAuthentication 1
ExitRelay 0
SocksPort 0
BandwidthRate 16 Mbits
BandwidthBurst 64 Mbits
MaxAdvertisedBandwidth 16 Mbits
# Change the email address below and be aware that it will be published
ContactInfo tor-operator@your-emailaddress-domain
Log notice syslog
```
Set `BandwidthRate` below the lower of your download and upload speeds. So if your ISP provides 500 Mbit download and 250 Mbit upload, do not use any value over 250 Mbit. Check your speed [here](https://beta.speedtest.net/).
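As an added example (not part of this guide or of the Tor project's tooling), a small POSIX sh script that checks a relay torrc against the rules in this section before you start tor: `ExitRelay` and `SocksPort` are 0, the two placeholders are replaced, and `BandwidthRate` does not exceed the slower direction of your line (the two speeds are the numbers you read off the speed test). The script and function names are mine.

```shell
#!/bin/sh
# check_torrc.sh: sanity-check a relay torrc against this guide's rules before
# starting tor. Added example, not part of the guide or of tor itself.
# Usage: sh check_torrc.sh /usr/local/etc/tor/torrc <download Mbit> <upload Mbit>

# Print the value of a torrc directive: first uncommented match, or nothing.
torrc_get() {
    sed 's/#.*//' "$1" | awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Convert a tor size such as "16 Mbits" or "2 MBytes" to bits. Tor treats the
# K/M/G prefixes as powers of 1024 and a bare number as bytes; the 2.4%
# difference from the speed test's decimal megabits does not matter here.
bw_to_bits() {
    [ -n "$1" ] || return 1
    num=${1%% *}
    unit=$(printf '%s' "${1#* }" | tr 'A-Z' 'a-z')
    [ "$num" = "$1" ] && unit=bytes
    case "$unit" in
        bytes)  echo $((num * 8)) ;;
        kbytes) echo $((num * 8 * 1024)) ;;
        mbytes) echo $((num * 8 * 1024 * 1024)) ;;
        bits)   echo "$num" ;;
        kbits)  echo $((num * 1024)) ;;
        mbits)  echo $((num * 1024 * 1024)) ;;
        gbits)  echo $((num * 1024 * 1024 * 1024)) ;;
        *)      return 1 ;;
    esac
}

# Record one violation; check_torrc returns the total as its exit status.
problems=0
complain() {
    echo "torrc: $1"
    problems=$((problems + 1))
}

# check_torrc <torrc> <download Mbit> <upload Mbit>
# Prints every violation and returns their count, so 0 means "safe to start".
check_torrc() {
    rc=$1
    problems=0

    # A relay for this guide is a non-exit relay and not a local client.
    [ "$(torrc_get "$rc" ExitRelay)" = "0" ] || complain "ExitRelay must be 0 (non-exit relay)"
    [ "$(torrc_get "$rc" SocksPort)" = "0" ] || complain "SocksPort must be 0 (no local client port)"
    [ -n "$(torrc_get "$rc" ORPort)" ] || complain "ORPort is not set"

    # The two placeholders from the sample torrc get published in the directory.
    case "$(torrc_get "$rc" Nickname)" in
        ""|myNiceRelay) complain "Nickname still has the placeholder value" ;;
    esac
    case "$(torrc_get "$rc" ContactInfo)" in
        ""|*your-emailaddress-domain*) complain "ContactInfo still has the placeholder address" ;;
    esac

    # BandwidthRate must stay under the slower direction of the line.
    if [ "$2" -lt "$3" ]; then slow=$2; else slow=$3; fi
    limit=$((slow * 1024 * 1024))
    rate=$(bw_to_bits "$(torrc_get "$rc" BandwidthRate)") || complain "BandwidthRate missing or unreadable"
    burst=$(bw_to_bits "$(torrc_get "$rc" BandwidthBurst)") || burst=$rate
    adv=$(bw_to_bits "$(torrc_get "$rc" MaxAdvertisedBandwidth)") || adv=$rate
    if [ -n "$rate" ]; then
        [ "$rate" -le "$limit" ] || complain "BandwidthRate exceeds the slower link direction (${slow} Mbit)"
        [ "$burst" -ge "$rate" ] || complain "BandwidthBurst must be at least BandwidthRate"
        [ "$adv" -le "$rate" ] || complain "MaxAdvertisedBandwidth should not exceed BandwidthRate"
    fi
    return "$problems"
}

if [ "$#" -ge 3 ]; then
    if check_torrc "$1" "$2" "$3"; then
        echo "torrc passes the guide's checks"
    else
        exit 1
    fi
fi
```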

Save (Ctrl+o, ENTER) and exit (Ctrl+x)

### Set up auto updates [[info]](https://community.torproject.org/relay/setup/guard/freebsd/updates/):
```
# nano /root/pkg_upgrade.sh
```
Enter the following script:
```
#!/bin/sh
PATH="/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
RAND=$(jot -r 1 900)
ENV="BATCH=yes IGNORE_OSVERSION=yes"
sleep ${RAND}
env ${ENV} pkg update -q -f && \
env ${ENV} pkg upgrade -q -U -y --fetch-only && \
env ${ENV} HANDLE_RC_SCRIPTS=yes pkg upgrade -q -U -y
```
Save (Ctrl+o, ENTER) and exit (Ctrl+x)

### Make executable and schedule the job to run:
```
# chmod +x /root/pkg_upgrade.sh
# echo "0 0 * * * root /bin/sh /root/pkg_upgrade.sh >/dev/null" >> /etc/crontab
# service cron restart
```
### Enable random IP_IDs (see [this](https://mebsd.com/freebsd-security-hardening/protecting-freebsd-with-sysctl-101.html))
```
# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
```

Reboot your jail and ssh back in. `ps aux` should show tor running!

### Nyx

Let's use a terminal UI to monitor the usage of our relay!

```
# nyx
```
To exit, press (Ctrl+C)

It will take about ~3 hours for your relay to propagate through the network. Search for your node here: https://metrics.torproject.org/rs.html

It takes a good two weeks before you will see steady traffic, see this tor project blog post [here](https://blog.torproject.org/lifecycle-new-relay).

### Useful stuff for low power devices
Useful info to make sure FreeBSD loads AES-NI drivers to hardware accelerate OpenSSL, especially important for low power platforms:
https://manuth.life/enable-aes-ni-freebsd/

https://forums.freebsd.org/threads/openssl-and-hardware-acceleration-aes-ni.69167/

If the system doesn't have a CMOS battery, set `sysrc ntpd_sync_on_start=YES` to update the time on boot. Verify with `date`.

[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

--------------------------------------------------------------------------------
/FreeNAS/tor_relay/images/tor60.png: https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/tor_relay/images/tor60.png
--------------------------------------------------------------------------------
/FreeNAS/transmission/flaresolverr.md:
--------------------------------------------------------------------------------
### FlareSolverr
https://github.com/FlareSolverr/FlareSolverr

Install the dependencies and create an unprivileged `flaresolverr` user with no login shell to run the service as:
```
pkg install chromium python39 py39-pip xorg-vfbserver git-tiny
cd /usr/local/share
git clone https://github.com/FlareSolverr/FlareSolverr.git
cd /usr/local/share/FlareSolverr
python3.9 -m pip install -r requirements.txt
pw adduser flaresolverr -d /home/flaresolverr -s /usr/sbin/nologin
mkdir -p /home/flaresolverr && chown flaresolverr:flaresolverr /home/flaresolverr
mkdir /var/run/flaresolverr && chown flaresolverr:flaresolverr /var/run/flaresolverr
```

`nano /usr/local/etc/rc.d/flaresolverr`:
```
#!/bin/sh
#
# PROVIDE: flaresolverr
# REQUIRE: networking openvpn
# KEYWORD:

. /etc/rc.subr

name="flaresolverr"
rcvar="${name}_enable"
flaresolverr_user="flaresolverr"
flaresolverr_chdir="/usr/local/share/FlareSolverr"
load_rc_config ${name}
: ${flaresolverr_enable:="NO"}

pidfile="/var/run/flaresolverr/flaresolverr.pid"

# daemon(8) drops to the flaresolverr user, writes the pid file and detaches
command="/usr/sbin/daemon"
command_args="-u ${flaresolverr_user} -p ${pidfile} -f /usr/local/bin/python3.9 /usr/local/share/FlareSolverr/src/flaresolverr.py"

run_rc_command "$1"
```

```
chmod +x /usr/local/etc/rc.d/flaresolverr
sysrc flaresolverr_enable=TRUE
service flaresolverr start
```

--------------------------------------------------------------------------------
/FreeNAS/transmission/tdarr.md:
--------------------------------------------------------------------------------
To run Tdarr, we need a bhyve VM running Ubuntu.

NFS security notes:
https://nfs.sourceforge.net/nfs-howto/ar01s06.html

Set up an NFS share of your media folder, and limit access to your Ubuntu server's IP address. SSH into your Ubuntu server.
```
$ sudo apt install nfs-common
$ showmount --exports 192.168.84.85   # <-- your NFS server IP address
$ sudo mkdir -p /mnt/nfs/media
$ sudo mount 192.168.84.85:/mnt/volume/media /mnt/nfs/media
$ sudo ls -lh /mnt/nfs/media   # <-- permission should be denied, this is good! Let's create a user with access
$ sudo ls -lh /mnt/nfs         # <-- note the UID and GID of the media folder, these need to match our new user and group, example 810 810
$ sudo groupadd -g 810 mediausers
$ sudo useradd mediauser -M -u 810 -g 810 -s /usr/sbin/nologin   # <-- '-M' skips creating a home directory, nologin prevents interactive login
$ ls -lh /mnt/nfs              # <-- you should now see mediauser mediausers as user and group owners!

$ sudo nano /etc/pam.d/su      # <-- allow your default admin user to su to mediauser; add these lines and replace `seth` with your admin username
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user = mediauser
auth sufficient pam_succeed_if.so use_uid user = seth

$ sudo nano /etc/fstab         # <-- make the mount persist across reboots; add this line
192.168.84.85:/mnt/volume/media /mnt/nfs/media nfs defaults 0 0
```

Create the docker compose yaml:
```
mkdir $HOME/tdarr
mkdir $HOME/tdarr/server
mkdir $HOME/tdarr/configs
mkdir $HOME/tdarr/temp
nano $HOME/tdarr/docker-compose.yaml
```
Configuration notes: https://docs.docker.com/compose/compose-file/05-services/#environment

Whenever you see a `:`, the left side is the host and the right side is the docker container.

When configured, start!
```
$ docker-compose up -d
```
Open your browser to your Ubuntu VM's IP address on port 8265 (`http://<vm ip>:8265`).

--------------------------------------------------------------------------------
/FreeNAS/webserver/1_jail_creation.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Guide to a self hosted wordpress website on FreeNAS/TrueNAS ![wordpress60.png](images/wordpress60.png)
[ [Intro](README.md) ] - **[Jail Creation]** - [ [nginx](2_nginx.md) ] - [ [mysql](3_mysql.md) ] - [ [PHP](4_php.md) ] - [ [wordpress](5_wordpress.md) ] - [ [reverse proxy](6_reverse_proxy.md) ]

## Create new jail
Jails are a way to separate computing environments. Since we are exposing a web server to the internet, we wouldn't want our whole system compromised if our webserver got compromised.

Login to the TrueNAS web-ui. Create a new jail with a static IP address outside the range of your router's DHCP IP range.
The default DHCP range on OpenWRT is 192.168.0.100 thru 192.168.0.254; I will use 192.168.84.80 as an example and call the jail 'blog'.

![JailBlog](images/jailblog.png)

## SSH into your new jail
SSH into TrueNAS and switch to your blog jail.
```
# iocage console blog
```

Next: [ [nginx](2_nginx.md) ] >>

--------------------------------------------------------------------------------
/FreeNAS/webserver/2_nginx.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Guide to a self hosted wordpress website on FreeNAS/TrueNAS ![wordpress60.png](images/wordpress60.png)
[ [Intro](README.md) ] - [ [Jail Creation](1_jail_creation.md) ] - **[nginx]** - [ [mysql](3_mysql.md) ] - [ [PHP](4_php.md) ] - [ [wordpress](5_wordpress.md) ] - [ [reverse proxy](6_reverse_proxy.md) ]

nginx (pronounced engine-x) is the web server. It hands requests for `.php` files to PHP for processing when required, and responds to HTTP requests from your users with the requested data.

SSH into your new webserver jail.
```
root@TrueNAS[~]# iocage list
+-----+---------------+-------+--------------+---------------+
| JID |     NAME      | STATE |   RELEASE    |      IP4      |
+=====+===============+=======+==============+===============+
| 1   | bitcoin       | up    | 11.3-RELEASE | DHCP          |
+-----+---------------+-------+--------------+---------------+
| 2   | blog          | up    | 11.3-RELEASE | 192.168.84.80 |
+-----+---------------+-------+--------------+---------------+
root@TrueNAS[~]# iocage console blog
...
root@blog:~ #
```
### Install & configure nginx
```
# pkg install -y nano nginx
# sysrc nginx_enable=yes
# rm /usr/local/etc/nginx/nginx.conf
# nano /usr/local/etc/nginx/nginx.conf
```
Paste the following recommended configuration for a wordpress webserver. Change the `server_name` to the static IP of the webserver jail for now. Remember to change this to your `domain.tld` address once your reverse proxy is working.
```
user www;
worker_processes 1;

#error_log /var/log/nginx/error.log;

#pid logs/nginx.pid;


events {
    worker_connections 1024;
}


http {
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    client_max_body_size 8M;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name 192.168.84.80;
        root /usr/local/www/nginx;
        index index.php index.html index.htm;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }

        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks don't break when using query strings
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # pass the PHP scripts to the FastCGI server listening on a unix socket;
        # try_files =404 makes sure only files that really exist are executed
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include fastcgi_params;
        }

        # deny access to .htaccess files
        location ~ /\.ht {
            deny all;
        }
        # cache images
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
            expires max;
            log_not_found off;
        }
    }
}
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

## Test nginx config file and start service

```
# nginx -t
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
# service nginx start
```
Open a web browser and navigate to the jail IP address; you should see a basic "welcome to nginx!" website.

Next: [ [mysql](3_mysql.md) ] >>

--------------------------------------------------------------------------------
/FreeNAS/webserver/3_mysql.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Guide to a self hosted wordpress website on FreeNAS/TrueNAS ![wordpress60.png](images/wordpress60.png)
[ [Intro](README.md) ] - [ [Jail Creation](1_jail_creation.md) ] - [ [nginx](2_nginx.md) ] - **[mysql]** - [ [PHP](4_php.md) ] - [ [wordpress](5_wordpress.md) ] - [ [reverse proxy](6_reverse_proxy.md) ]

MySQL is a database for storing and recalling information.
When you use wordpress to make a blog post, allow users to comment, or create a transaction, this data is stored in and retrieved from the database. There are several MySQL clones out there, and my personal favorite is MariaDB.

## Install MariaDB
```
# pkg search mariadb
# pkg install -y mariadb106-server
# sysrc mysql_enable=yes
# service mysql-server start
# ps aux
```
Verify that mysql is running:
```
mysql 56864 0.0 0.0 7068 2776 - IsJ 20:32 0:00.01 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/var/db/mysql/my.cnf --user=mysql --datadir=/var/db/mysql --pid-file=/var/db/mysql/blog.pid
mysql 56933 0.0 0.1 583512 91640 - IJ 20:32 0:00.15 /usr/local/libexec/mysqld --defaults-extra-file=/var/db/mysql/my.cnf --basedir=/usr/local --datadir=/var/db/mysql --plugin-dir=/usr/local/lib/mysql/plugin --log-error=/var/db/mysql/blog.err --pid-file=/var/db/mysql/blog.pid
```

## Secure the database installation
```
$ mysql_secure_installation
Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] Y
Change the root password? [Y/n] n
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
```

## Create your website database
Press ENTER at the password prompt, since no root password is required: with unix_socket authentication the database root account is tied to the OS root account you reached over SSH. Replace `database_name_here`, `username_here`, and `password_here`. Do not lose this information!
```
# mysql -u root -p
Enter password:
> CREATE DATABASE database_name_here;
> GRANT ALL PRIVILEGES ON database_name_here.* TO 'username_here'@'localhost' IDENTIFIED BY 'password_here';
> FLUSH PRIVILEGES;
> exit
```

## Upgrade mariadb
Make sure to back up your database prior to an upgrade attempt!
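An added example for the back-up step (not part of this guide or of MariaDB): a sh script that dumps every database with `mysqldump`, refuses to report success unless the dump carries mysqldump's `-- Dump completed` trailer, and only then tells you it is safe to run the upgrade. It assumes the unix_socket root login from the secure-installation step, so it runs as root; `BACKUP_DIR`, `MYSQLDUMP` and the function names are mine.

```shell
#!/bin/sh
# backup_before_upgrade.sh: dump every MariaDB database and verify the dump
# before touching packages. Added example, not part of the guide or of MariaDB.
# Run as root in the jail: root logs into MariaDB through unix_socket
# authentication (set up in "Secure the database installation"), so no
# password is needed. BACKUP_DIR and MYSQLDUMP are this example's knobs.
BACKUP_DIR=${BACKUP_DIR:-/root/db_backups}
MYSQLDUMP=${MYSQLDUMP:-mysqldump}

# dump_path <dir> <timestamp>: one file per run, so a new dump never
# overwrites a known-good one.
dump_path() {
    printf '%s/mariadb-all-%s.sql' "$1" "$2"
}

# dump_is_complete <file>: mysqldump starts with "-- MariaDB dump ..." (or
# "-- MySQL dump ...") and ends with "-- Dump completed on <date>". A dump
# cut short by a full disk, a dropped connection or Ctrl+C lacks the trailer,
# and restoring from it would silently lose the tables after the cut.
dump_is_complete() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-- .* dump' || return 1
    tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# backup_all_databases <dir>: write the dump, verify it, print its path.
# Returns non-zero (and prints nothing on stdout) if the dump is not usable.
backup_all_databases() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    dump=$(dump_path "$dir" "$(date +%Y%m%d-%H%M%S)")
    # --single-transaction: consistent InnoDB snapshot without locking the
    # live site; routines/events/triggers are not included by default.
    # umask 077 keeps the dump (it contains the mysql system tables) root-only.
    ( umask 077; "$MYSQLDUMP" --all-databases --single-transaction \
        --routines --events --triggers > "$dump" ) || { rm -f "$dump"; return 1; }
    if ! dump_is_complete "$dump"; then
        echo "dump at $dump is incomplete, not upgrading" >&2
        return 1
    fi
    echo "$dump"
}

if [ "$1" = "--run" ]; then
    path=$(backup_all_databases "$BACKUP_DIR") || exit 1
    echo "verified backup at $path; safe to run the upgrade"
fi
```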
```
# pkg update
# pkg upgrade mariadb106-server
# service mysql-server restart
# pkg upgrade mariadb106-client
# mariadb-upgrade --datadir=/var/db/mysql
```

Next: [ [PHP](4_php.md) ] >>

--------------------------------------------------------------------------------
/FreeNAS/webserver/4_php.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Guide to a self hosted wordpress website on FreeNAS/TrueNAS ![wordpress60.png](images/wordpress60.png)
[ [Intro](README.md) ] - [ [Jail Creation](1_jail_creation.md) ] - [ [nginx](2_nginx.md) ] - [ [mysql](3_mysql.md) ] - **[PHP]** - [ [wordpress](5_wordpress.md) ] - [ [reverse proxy](6_reverse_proxy.md) ]

PHP is a programming language designed for interactive web content. Numerous PHP modules exist to increase the capability of this language. These modules are installed as separate packages, individually, depending on what your plugins and themes require. To see what modules are activated, type `php -m`.

As of writing the latest branch of PHP is version 8.2. Check out this website to see what the latest version is: https://www.php.net/supported-versions.php

### Install prerequisites:
```
# pkg install php81 php81-mysqli php81-mbstring php81-zlib php81-curl php81-gd php81-exif php81-fileinfo php81-pecl-imagick php81-zip php81-filter php81-iconv php81-xmlwriter php81-opcache php81-simplexml php81-session php81-dom php81-phar
# sysrc php_fpm_enable=yes
```

### Configure `php.ini`
```
# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
# nano /usr/local/etc/php.ini
```

Uncomment and adjust the following:

Note: see http://php.net/manual/en/timezones.php for the timezone relevant to you.
An example would be Australia/Sydney.
```
...
cgi.fix_pathinfo=1
date.timezone=Country/City

post_max_size = 512M
upload_max_filesize = 512M
memory_limit = 512M

opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
...
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

### Change TCP listener to unix socket
`nano /usr/local/etc/php-fpm.d/www.conf`
```
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
```
Save (CTRL+O, ENTER) and exit (CTRL+X)
```
# service php-fpm start
```
## Test PHP installation
```
# nano /usr/local/www/nginx/test.php
```
Add the following line:
```
<?php phpinfo(); ?>
```
Save (CTRL+O, ENTER) and exit (CTRL+X)

Navigate to your jail IP in a web browser (example: `http://192.168.84.80/test.php`); you should see a summary page of your PHP installation. PHP and nginx are communicating, congratulations!
Now let's delete this test file, since leaking your PHP info tells attackers exactly which PHP version you run and makes any future vulnerability in that version easy to target:
```
# rm /usr/local/www/nginx/test.php
```

Next: [ [wordpress](5_wordpress.md) ] >>

--------------------------------------------------------------------------------
/FreeNAS/webserver/5_wordpress.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Guide to a self hosted wordpress website on FreeNAS/TrueNAS ![wordpress60.png](images/wordpress60.png)
[ [Intro](README.md) ] - [ [Jail Creation](1_jail_creation.md) ] - [ [nginx](2_nginx.md) ] - [ [mysql](3_mysql.md) ] - [ [PHP](4_php.md) ] - **[wordpress]** - [ [reverse proxy](6_reverse_proxy.md) ]

## Configure & Install Wordpress
Now that we have our FEMP stack up and running, let's install wordpress!
```
# pkg install redis
# sysrc redis_enable=yes
```
`nano /usr/local/etc/redis.conf`:
```
port 0
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
```
Save (CTRL+O, ENTER) and exit (CTRL+X)
```
# pw usermod www -G redis
# service redis start
# cd ~
# fetch https://wordpress.org/latest.tar.gz
# tar -zxvf latest.tar.gz
# rm latest.tar.gz
# cp wordpress/wp-config-sample.php wordpress/wp-config.php
# nano wordpress/wp-config.php
```
Add the first three commented-out `//` lines right above the `// ** MySQL settings` comment. We will use these later to upgrade our connection to HTTPS once the reverse proxy is working. Then change `WP_HOME` and `WP_SITEURL` to your jail IP. These will also change to your domain name once the reverse proxy is in place. Replace `database_name_here`, `username_here` and `password_here` with the values you used when setting up the mysql database.
Change `localhost` to the unix socket created by `mariadb-server`.
```
// if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
//     $_SERVER['HTTPS'] = 'on';
// }
/** REDIS SOCKET */
define( 'WP_REDIS_SCHEME', 'unix' );

/** REDIS PATH TO SOCKET */
define( 'WP_REDIS_PATH', '/var/run/redis/redis.sock' );

define( 'WP_HOME', 'http://192.168.84.80' );
define( 'WP_SITEURL', 'http://192.168.84.80' );
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost:/var/run/mysql/mysql.sock' );
```
In a browser, navigate to https://api.wordpress.org/secret-key/1.1/salt/ . This generates the salts wordpress uses to sign its cookies, so that the cookies of your site visitors are unique to your site. Cookies are used to remember login activity, shopping carts, etc. Copy the generated lines and replace the corresponding ones in `wp-config.php`.

Save (CTRL+O, ENTER) and exit (CTRL+X)
```
# cd ~
# cp -r wordpress/* /usr/local/www/nginx
# rm -r wordpress
# chown -R www:www /usr/local/www/nginx/
# service nginx restart
```

Install wp-cli (optional)
```
# cd /tmp
# curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
# chmod +x wp-cli.phar
# mv wp-cli.phar /usr/local/bin/wp
```

Navigate to your jail IP; you should be greeted with the wordpress installation!
If you ever lose the login URL, it's `http://192.168.84.58/wp-login.php`

Next: [ [reverse proxy](6_reverse_proxy.md) ] >>

--------------------------------------------------------------------------------
/FreeNAS/webserver/README.md:
--------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

## Guide to a self hosted wordpress website on FreeNAS/TrueNAS ![wordpress60.png](images/wordpress60.png)

**[Intro]** - [ [Jail Creation](1_jail_creation.md) ] - [ [nginx](2_nginx.md) ] - [ [mysql](3_mysql.md) ] - [ [PHP](4_php.md) ] - [ [wordpress](5_wordpress.md) ] - [ [reverse proxy](6_reverse_proxy.md) ]

As commercial, government & social pressures for censorship continue to increase, self-sovereignty on the internet is becoming more and more important. This guide will help you configure a wordpress webserver on the FreeNAS & TrueNAS flavors of FreeBSD. The internet is still relatively permissioned around centralized domain name service providers, so make sure to select a provider that will not censor you based on your character, beliefs, or content.

To prevent domain censorship you can use tor. If you need to additionally hide your home IP address, do not use tor with wordpress; use a static website generator instead.

Wordpress is the single most popular web structure online. Countless free and premium plugins and themes are available to start your own user-interactive blog, business, resume, you name it. Do be aware that using a domain directed to your home IP address will still dox your location. If you cannot risk revealing your location, consider using a VPS tor redirect or a tor-only address for your website, or host on a VPS.

When you are finished with this guide, you will have a working FEMP (FreeBSD, nginx, mysql database, php) stack running a wordpress website hosted in an iocage jail, with a separate reverse proxy jail that redirects domain requests arriving at your home IP to the appropriate jail, allowing you to host multiple websites and domains. The reverse proxy will also terminate SSL / TLS https requests, giving your readers or customers a nice padlock in their browser confirming that their connection is encrypted.

Your server is only as secure as its firewall. For home use I highly recommend using a capable router running OpenWRT.

Next: [ [Jail Creation](1_jail_creation.md) ]

--------------------------------------------------------------------------------
/FreeNAS/webserver/images/jailblog.png: https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/webserver/images/jailblog.png
--------------------------------------------------------------------------------
/FreeNAS/webserver/images/reverseproxyjail.png: https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/webserver/images/reverseproxyjail.png
--------------------------------------------------------------------------------
/FreeNAS/webserver/images/reverseproxyportforwardrouter.png: https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/webserver/images/reverseproxyportforwardrouter.png
--------------------------------------------------------------------------------
/FreeNAS/webserver/images/routerhostname.png:
https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/webserver/images/routerhostname.png
--------------------------------------------------------------------------------
/FreeNAS/webserver/images/wordpress60.png: https://raw.githubusercontent.com/seth586/guides/522c5090618acfe3ce28cfbe0fd0c00112c18204/FreeNAS/webserver/images/wordpress60.png
--------------------------------------------------------------------------------
/HomeAssistant/LZW31.md:
--------------------------------------------------------------------------------
# Home Assistant Guides: Inovelli Black Dimmer Switch - LZW31 - Z-Wave 500 Series

Setup instructions for the [LZW31 Black Series](https://help.inovelli.com/en/collections/5651190-black-series-dimmer-switch) Z-wave dimmer switch

The beauty of Z-Wave is that it creates its own 900Mhz mesh network. Each device is a "node" that can use other "nodes" for range extension and determine the best signal quality path for routing data. The "hub controller", which in this setup is a [USB stick](https://www.getzooz.com/zooz-zst39-z-wave-long-range-usb-stick/) attached to home assistant, is only required to initialize the network. Once your z-wave system is set up, your z-wave nodes can talk directly to each other without the need for the "hub controller".

### Definitions:
`Z-Wave JS` and `Z-Wave JS UI` are two separate `add-ons`; we want to use the latter! They will conflict with each other if both are installed!

`Z-Wave Integration` is an `integration` that acts as a communication bridge between Home Assistant and `Z-Wave JS` OR `Z-Wave JS UI`. Its defaults will install `Z-Wave JS`. We do not want this!


### 1. Remove Z-Wave JS add-on & Z-Wave Integration

1. If you previously installed Z-Wave JS, we can not simply uninstall it, because Z-Wave Integration will see it missing and automatically re-install it. Uninstall the Z-Wave integration first, then uninstall the Z-Wave JS add-on.


### 2. Initialize Z-Wave on home assistant

1. Install add-on "Z-Wave JS UI" and start it
2. Install integration "Z-Wave"
3. A dialog box will show, asking to use the add-on: UNCHECK that box!
4. In the next dialog it will ask for the server. Enter: `ws://a0d7b954-zwavejs2mqtt:3000`

### 3. Install and update firmware

[wiring documentation](https://help.inovelli.com/en/articles/8478836-black-series-dimmer-switch-wiring-schematics) [firmware notes](https://help.inovelli.com/en/articles/8506118-black-series-dimmer-switch-firmware-changelog)

Use firmware 1.52 for scene controls; use firmware 1.57 for your slave 3-way dimming switch.

4. Wire in the LZW31 according to the official wiring documentation.
5. Load Z-Wave JS UI / hamburger menu ☰ / manage nodes ∞ / Inclusion
6. Triple click the switch config button
7. The device will sync, but not securely. Update firmware to 1.52 (most feature rich, 3 scene controls; check if you need version 1.57)
8. Load Z-Wave JS UI / hamburger menu ☰ / manage nodes ∞ / Exclusion
9. Triple click the switch config button
10. You should now be able to start the sync process again and sync securely.

### 4. Sync Dimming with Smart Bulb Mode + Adaptive Lighting

My goal is to change color temperature with time of day: bright cool light during the day (600k temperature), dimmed warm light (1500k temperature) at night.
```
ENABLE detect_non_ha_changes: Detects and halts adaptations for non-light.turn_on state changes. Needs take_over_control enabled. Caution: Some lights might falsely indicate an 'on' state, which could result in lights turning on unexpectedly. Disable this feature if you encounter such issues.
```
Automation:
```
alias: Light Bedroom Mirror Switch On
description: ''
trigger:
  - platform: state
    entity_id: light.bedroom_wall_switch
condition:
  - condition: template
    value_template: >-
      {{ states.light.bedroom_wall_switch.last_updated >
      states.light.bedroom_fan.last_changed }}
action:
  - service: light.turn_on
    entity_id: light.bedroom_fan
    data_template:
      brightness: >
        {{ state_attr('light.bedroom_wall_switch', 'brightness') | default(0,
        true) }}
mode: single
```

--------------------------------------------------------------------------------
/HomeAssistant/shelly_plus_1.md:
--------------------------------------------------------------------------------
https://community.home-assistant.io/t/control-smart-lights-with-shelly-with-automated-detached-mode/576881/20

--------------------------------------------------------------------------------
/LICENSE.md/LICENSE.md:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Seth586

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-------------------------------------------------------------------------------- /OpenWRT/README.md: --------------------------------------------------------------------------------
Seth586😈guides

I am not a professional programmer or unix administrator, use at your own risk!
Contributions are welcome!

Contact me on the matrix chat protocol: [@seth586:nym.im](https://matrix.to/#/@seth586:nym.im)

**FreeNAS / TrueNAS Guides:**

[₿itcoin & Lightning️](FreeNAS/bitcoin/README.md)

[TOR Relay](FreeNAS/tor_relay/README.md)

[Mumble Server](FreeNAS/mumble/README.md)

[Wordpress Website with Reverse Proxy](FreeNAS/webserver/README.md)

**OpenWRT Guides:**

[SSH PublicKey Authentication thru Bastion](security/README.md)
-------------------------------------------------------------------------------- /OpenWRT/security/1_install_client.md: --------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - **[OpenSSH Client]** - [ [OpenSSH on OpenWRT](2_install_openssh.md) ] - [ [Generate Keys](3_keys.md) ] - [ [Bastion](4_bastion.md) ] - [ [Hardening](5_hardening.md) ]

## SSH Bastion & Security Hardening Guide
### OpenSSH Clients
Before we begin changing our servers, we need to make sure our clients have up-to-date versions of OpenSSH to use the full set of security features in this guide.
To use ed25519 keys, OpenSSH version 6.5 or newer is required. To use a FIDO/U2F device (such as a YubiKey, Trezor or Ledger Nano) you need at minimum OpenSSH version 8.1 on the server and 8.2 on the client to support the ed25519-sk signature type.

#### OpenSSH Client - Windows
As of writing, PuTTY does not support the ed25519-sk signature type, so if you want to use a FIDO/U2F device, you will need something else. For now I recommend `cygwin64`; download it from [www.cygwin.com](https://www.cygwin.com)

The `cygwin64` installer is where you add or remove pre-compiled packages. Use the default installation options. When you get to the "select a mirror" page, click any mirror you wish to use, then press next. You will be greeted with a "Select Packages" window. Under "View", click "Full". Search for `OpenSSH`. Under the "New" column, select the OpenSSH version you would like to install; make sure to use version 8.2 or newer.

Now search for `nano` & `nc`, and under the "New" column, select the latest version. Finish the installation with default options. The installation will create a "Cygwin64 Terminal" shortcut on your desktop. To read your FIDO/U2F USB device, we will need to run `cygwin64` as an administrator. Right click on the shortcut, select "Properties", click the "Compatibility" tab, and select the "Run this program as an administrator" box. Click "OK".

Now launch `cygwin64`, and check the OpenSSH version installed:
```
User@Desktop ~ $ ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1f 31 Mar 2020
```

Success! Now verify your current SSH session works; replace `192.168.84.85` with your FreeNAS' local IP address:
```
User@Desktop ~ $ ssh root@192.168.84.85
```
Type in your password; you should be able to successfully SSH in using password-based authentication.

#### OpenSSH Client - Linux
```
User@Desktop ~ $ sudo apt-get update
User@Desktop ~ $ sudo apt-get install openssh-client
User@Desktop ~ $ ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g, 21 Apr 2020
```

#### OpenSSH Client - Android

I don't believe interactive FIDO/U2F works with Android, but you can still securely log in using password-protected public/private key authentication! Download Termux at [https://termux.com/](https://termux.com/)

```
$ pkg install openssh netcat-openbsd
$ ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g, 21 Apr 2020
```

#### OpenSSH Client - Mac

You're on your own, buddy! Maybe start your search at https://brew.sh/

Next: [ [OpenSSH on OpenWRT](2_install_openssh.md) ] >>
-------------------------------------------------------------------------------- /OpenWRT/security/2_install_openssh.md: --------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [OpenSSH Client](1_install_client.md) ] - **[OpenSSH on OpenWRT]** - [ [Generate Keys](3_keys.md) ] - [ [Bastion](4_bastion.md) ] - [ [Hardening](5_hardening.md) ]

## SSH Bastion & Security Hardening Guide
### Install OpenSSH on OpenWRT
By default OpenWRT comes with a lightweight SSH server called `dropbear`. However, if we want to use more advanced features like FIDO/U2F, we will need the heavier, full-featured `OpenSSH`. Don't worry, if you're running a modern OpenWRT-enabled router you'll be just fine!

### Reconfigure dropbear
Let's start by changing the default listening port of `dropbear` from port 22 to 2222. That way we can make sure our OpenWRT public key authentication works before we remove our password-based authentication.

SSH into your router.

```
User@Desktop ~ $ ssh root@192.168.84.1
root@OpenWrt:~# opkg update
...
root@OpenWrt:~# opkg install nano
...
root@OpenWrt:~# nano /etc/config/dropbear
```
Change `option port '22'` to `option port '2222'`. Save (CTRL+O, ENTER) and Exit (CTRL+X). Restart dropbear and exit the ssh session:
```
root@OpenWrt:~# /etc/init.d/dropbear restart
root@OpenWrt:~# exit
Connection to 192.168.84.1 closed.
User@DESKTOP ~ $
```
Log in again using password authentication and the new port to verify dropbear still works:
```
User@Desktop ~ $ ssh root@192.168.84.1 -p 2222
root@OpenWrt:~#
```

### Install & Configure OpenSSH Server on OpenWRT
Let's search to see what versions are available from our default package repository:
```
root@OpenWrt:~# opkg list | grep openssh
```
What versions do you see? As of writing, version 8.0. Not good enough! We need at minimum version 8.1 to support the ed25519-sk signature type! Fortunately someone has been compiling newer software versions for the Linksys WRT line, check out [Davidc502 OpenWrt snapshots](https://dc502wrt.org/). Specifically, the website owner has a repository at https://dc502wrt.org/snapshots/. Click on the latest release (r13342 as of writing)->(packages)->(arm_cortex-a9_vfpv3-d16)->(Packages). Scroll down to the openssh packages. Looks like version 8.2 compiled for our hardware, excellent!
Copy the URL and download it with `curl -O`, then install:
```
root@OpenWrt:~# curl -O https://dc502wrt.org/snapshots/r13342/packages/arm_cortex-a9_vfpv3-d16/packages/openssh-server_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# opkg install openssh-server_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# rm openssh-server_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# nano /etc/ssh/sshd_config
```
Change or add the following lines so they read:
```
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
```
Note that sshd uses the first occurrence of each keyword, so make sure no earlier uncommented line in the file sets the same keyword to a different value. Save (CTRL+O, ENTER) and Exit (CTRL+X). Now enable and start the OpenSSH server:
```
root@OpenWrt:~# /etc/init.d/sshd enable
root@OpenWrt:~# /etc/init.d/sshd start
root@OpenWrt:~# sshd -v
OpenSSH_8.2p1, OpenSSL 1.1.1g 21 Apr 2020
```
Success!

Now let's create the `~/.ssh` folder which will hold our public keys and set [permissions](https://www.freebsd.org/doc/handbook/permissions.html). You can view the file permissions of a directory with the `ls -la` command:
```
root@OpenWrt:~# mkdir ~/.ssh
root@OpenWrt:~# touch ~/.ssh/authorized_keys
root@OpenWrt:~# chmod 700 ~/.ssh
root@OpenWrt:~# chmod 600 ~/.ssh/*
root@OpenWrt:~# ls -la ~/.ssh
```
### Install OpenSSH Client on OpenWRT
Since it is our goal to use our router as an SSH bastion, we will install the OpenSSH client on OpenWRT so that we must authenticate on our OpenWRT bastion before making further connections to our servers such as FreeNAS / TrueNAS.

```
root@OpenWrt:~# curl -O https://dc502wrt.org/snapshots/r13342/packages/arm_cortex-a9_vfpv3-d16/packages/openssh-client_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# opkg install openssh-client_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
root@OpenWrt:~# rm openssh-client_8.2p1-3_arm_cortex-a9_vfpv3-d16.ipk
```
Verify our ssh client works by attempting a password authentication to our FreeNAS server (replace `192.168.84.85` with your FreeNAS server's local IP address):
```
root@OpenWrt:~# ssh root@192.168.84.85
Password:
root@Freenas:~# exit
root@OpenWrt:~# exit
User@Desktop ~ $
```
^Insert [Inception](https://en.wikipedia.org/wiki/Inception) meme here!


Next: [ [Generate Keys](3_keys.md) ] >>
-------------------------------------------------------------------------------- /OpenWRT/security/3_keys.md: --------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [OpenSSH Client](1_install_client.md) ] - [ [OpenSSH on OpenWRT](2_install_openssh.md) ] - **[Generate Keys]** - [ [Bastion](4_bastion.md) ] - [ [Hardening](5_hardening.md) ]

## SSH Bastion & Security Hardening Guide
### Step 1a: Generate Keys without a FIDO2 device
Log in to your client device and generate a key with [ssh-keygen](https://man.openbsd.org/OpenBSD-current/man1/ssh-keygen.1#NAME):
```
User@Desktop ~ $ ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')" -f ~/.ssh/openwrt
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in openwrt
Your public key has been saved in openwrt.pub
The key fingerprint is:
SHA256:rrMD+qPUmwwuSgXqP2vKuJAzzz1NI+Vypen0+RCbeqA DESKTOP-PCJ779K-27-07-2020
The key's randomart image is:
+--[ED25519 256]--+
| |
| |
| . |
|. . . . |
|. . o +S |
|....+ X. + |
|=oo..@ +=. |
|*Bo*Eo=o+. |
|==B=Oo+= .. |
+----[SHA256]-----+
User@Desktop ~ $ cat ~/.ssh/openwrt.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLBdhdBaIlmBUAoVGT2PsGQyl5kTv1r+IJYIz1pVZsa DESKTOP-PCJ779K-27-07-2020
User@Desktop ~ $
```
`openwrt` is your private key and `openwrt.pub` is your public key. The `-a 256` flag makes ssh-keygen run 256 rounds of its key derivation function when encrypting the private key with your passphrase, which multiplies the work an attacker must do to brute force your passphrase should your private key file be compromised.

Repeat this step to create another keypair for your FreeNAS box:
```
User@Desktop ~ $ ssh-keygen -o -a 256 -t ed25519 -C "$(hostname)-$(date +'%d-%m-%Y')" -f ~/.ssh/freenas
```
You should now have the following files in `~/.ssh`:
```
User@Desktop ~ $ ls -la ~/.ssh
drwx------+ 1 Seth None   0 Jul 27 23:42 .
drwxr-xr-x+ 1 Seth None   0 Jul  2 21:27 ..
-rw------- 1 Seth None 464 Jul 27 23:25 openwrt
-rw-r--r-- 1 Seth None 108 Jul 27 23:25 openwrt.pub
-rw------- 1 Seth None 464 Jul 27 23:25 freenas
-rw-r--r-- 1 Seth None 108 Jul 27 23:25 freenas.pub
```

### Step 1b: Generate Keys with a FIDO2 device
Your OpenWRT router should be running the latest version of OpenSSH; however, FreeNAS runs an older version, so use Step 1a for your FreeNAS keypair. But definitely use this step for generating your OpenWRT keypair!
On the next page, we will set the router up as a bastion host, requiring you to authenticate on the router before being able to connect to your FreeNAS machine, effectively requiring FIDO2 device authentication to access FreeNAS!

It is highly recommended you have two or more FIDO2 devices; you don't want a single point of failure! Run this command for each FIDO2 device, and set the `-f` filename uniquely per device:
```
User@Desktop ~ $ ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-yubikey_description" -f ~/.ssh/openwrt_yubi
```

All other steps are the same as 1a.

### Step 2: Add public keys to your OpenWRT Router
Highlight the output of your public key from the command `cat ~/.ssh/openwrt.pub` in Step 1a to copy it. We will paste it into the router's `~/.ssh/authorized_keys` file.
```
User@Desktop ~ $ ssh root@192.168.84.1 -p 2222
Password:
root@OpenWrt:~# nano ~/.ssh/authorized_keys
```
Paste each public key on its own line, save (CTRL+O, ENTER) and exit (CTRL+X). Now let's try to log in using our new public/private key authentication:
```
root@OpenWrt:~# exit
User@Desktop ~ $ ssh root@192.168.84.1 -p 22 -i ~/.ssh/openwrt
Enter passphrase for key '/home/User/.ssh/openwrt':
root@OpenWrt:~#
```
Success! Make sure to test all keypairs you created, and back up all private key files.

### Step 3: Add public key to your FreeNAS server:
Log in to your FreeNAS web-ui. Click "accounts", "users", "root", "edit". Paste the `cat ~/.ssh/freenas.pub` output you copied to your clipboard from Step 1a into the "SSH Public Key" field. Click "Save". Now attempt an SSH key-based login, replacing `192.168.84.85` with your FreeNAS local IP address:
```
User@Desktop ~ $ ssh root@192.168.84.85 -p 22 -i ~/.ssh/freenas
Enter passphrase for key '/home/User/.ssh/freenas':
root@freenas:~# exit
User@Desktop ~ $
```
Success!

### Step 4: Create config file on client
Typing in `ssh root@192.168.84.1 -p 22 -i openwrt` every time is a lot of work; let's make things easier and set up a config file:
```
User@Desktop ~ $ touch ~/.ssh/config && chmod 600 ~/.ssh/config && nano ~/.ssh/config
```
Add the following info:
```
### The Bastion Host
Host openwrt
    HostName 192.168.84.1
    IdentityFile ~/.ssh/openwrt
    IdentityFile ~/.ssh/openwrt_yubi5_nano
    User root
    Port 22
### The Remote Host FreeNAS
Host freenas
    HostName 192.168.84.85
    IdentityFile ~/.ssh/freenas
    User root
    Port 22
```
Note: You can add multiple `IdentityFile` lines for the keys of multiple FIDO2 devices. Save (CTRL+O, ENTER) and exit (CTRL+X). Test the config file:
```
User@Desktop ~/.ssh $ cd ~
User@Desktop ~ $ ssh openwrt
Enter passphrase for key '/home/User/.ssh/openwrt':
root@OpenWrt:~# exit
User@Desktop ~ $ ssh freenas
Enter passphrase for key '/home/User/.ssh/freenas':
root@freenas:~# exit
```
Success!

### Step 5: Disable and remove Dropbear on OpenWRT
Remove dropbear:
```
root@OpenWrt:~# /etc/init.d/dropbear disable
root@OpenWrt:~# /etc/init.d/dropbear stop
root@OpenWrt:~# opkg remove dropbear
```

### Step 6: Disable SSH password authentication on FreeNAS
Log in to your FreeNAS web-ui. Click "accounts", "users", "root", "edit". Under "Disable Password", select "Yes". Click "Save". Now try a password-based login:
```
User@Desktop ~ $ ssh root@192.168.84.85
root@192.168.84.85: Permission denied (publickey).
```
Success!
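Before switching password login off (Steps 5 and 6 above), it is worth confirming what Step 2 and the `chmod` steps actually produced, because a wrong mode or a mangled paste leaves you locked out once passwords are gone. The POSIX shell script below is an added example, not part of this guide: it checks that `~/.ssh`, `authorized_keys` and any private keys carry the modes sshd insists on, and that every `authorized_keys` line is a well-formed ed25519 or ed25519-sk key whose base64 blob really encodes the type it claims. It assumes `stat`, `awk`, `base64` and `dd` are available (busybox has all four); the sample keys used in testing are constructed.

```sh
#!/bin/sh
# Added example, not part of the guide: validate the ~/.ssh directory and the
# authorized_keys file built in Step 2 before password login is disabled.
# (1) permissions: sshd ignores authorized_keys in a directory or file that is
#     writable by others, and a private key readable by others is skipped by ssh;
# (2) each authorized_keys line must be an ed25519 or ed25519-sk key whose base64
#     blob decodes to the declared type (catches a paste that lost characters, or a
#     key type this sshd build will not accept).

# Portable octal mode of a path (GNU/busybox stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print "lineno type blob" for every key line of file $1; type is UNKNOWN for
# unsupported key types. An options prefix such as "from=192.168.84.0/24 ssh-ed25519 ..."
# is handled by scanning for the first field that is a supported type name.
authorized_keys_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(ssh-ed25519|sk-ssh-ed25519@openssh\.com)$/) { print NR, $i, $(i+1); next }
          print NR, "UNKNOWN", $1 }
    ' "$1"
}

# Exit 0 only if every line of $1 is a well-formed ed25519/ed25519-sk key.
check_authorized_keys() {
    f=$1; findings=0
    while read -r n type blob; do
        [ -n "$type" ] || continue
        if [ "$type" = UNKNOWN ]; then
            echo "FAIL line $n: unsupported key type '$blob' (expected ssh-ed25519 or sk-ssh-ed25519@openssh.com)"
            findings=$((findings + 1)); continue
        fi
        # SSH wire format: a 4-byte length, then the type string; it must match the text type.
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count=${#type} 2>/dev/null)
        if [ "$decoded" != "$type" ]; then
            echo "FAIL line $n: blob does not decode to a $type key (truncated or corrupted paste?)"
            findings=$((findings + 1))
        fi
        # A plain ed25519 public key blob is exactly 4+11+4+32 = 51 bytes.
        if [ "$type" = ssh-ed25519 ] && [ "$(printf '%s' "$blob" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" -ne 51 ]; then
            echo "FAIL line $n: ed25519 blob has the wrong length"
            findings=$((findings + 1))
        fi
    done <<EOF
$(authorized_keys_entries "$f")
EOF
    dups=$(authorized_keys_entries "$f" | awk '{ print $3 }' | sort | uniq -d)
    [ -z "$dups" ] || echo "WARN duplicate key blob(s) in $f"
    [ "$findings" -eq 0 ]
}

# Exit 0 only if directory $1 is mode 700 and authorized_keys, config and every
# private key inside it are mode 600 (what the guide's chmod steps produce).
audit_ssh_dir() {
    d=$1; findings=0
    [ "$(file_mode "$d")" = 700 ] || { echo "FAIL $d is mode $(file_mode "$d"), expected 700"; findings=$((findings + 1)); }
    for p in "$d"/*; do
        [ -f "$p" ] || continue
        case $(basename "$p") in
            authorized_keys|config) want=600 ;;
            *.pub|known_hosts) continue ;;
            *) grep -q 'PRIVATE KEY' "$p" && want=600 || continue ;;
        esac
        [ "$(file_mode "$p")" = "$want" ] || { echo "FAIL $p is mode $(file_mode "$p"), expected $want"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_ssh_dir.sh ~/.ssh   (runs both checks on a real directory)
if [ -n "${1:-}" ]; then
    audit_ssh_dir "$1" && check_authorized_keys "$1/authorized_keys"
fi
```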

Next: [ [Bastion](4_bastion.md) ] >>
-------------------------------------------------------------------------------- /OpenWRT/security/4_bastion.md: --------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [OpenSSH Client](1_install_client.md) ] - [ [OpenSSH on OpenWRT](2_install_openssh.md) ] - [ [Generate Keys](3_keys.md) ] - **[Bastion]** - [ [Hardening](5_hardening.md) ]

## SSH Bastion & Security Hardening Guide
### Bastion
Run `User@Desktop ~ $ nano ~/.ssh/config` on the client to set up a ProxyJump through our router bastion:
```
### The Bastion Host
Host openwrt
    HostName 192.168.84.1
    IdentityFile ~/.ssh/openwrt
    User root
    Port 22
### The Remote Host
Host freenas
    HostName 192.168.84.85
    IdentityFile ~/.ssh/freenas
    User root
    ProxyJump openwrt
```
Save (CTRL+O, ENTER) and exit (CTRL+X). Verify the new configuration works:
```
User@Desktop ~ $ ssh freenas
```
It should ask you to authenticate to openwrt first!

### Configure FreeNAS to only accept connections through the bastion
Log in to the FreeNAS web-ui, click "services", and click the "configure" icon on the SSH line. Click "advanced mode". Add the following line to "extra options":
```
AllowUsers root@192.168.84.1
```
FreeNAS will now only accept incoming SSH requests from your OpenWRT bastion, effectively requiring a successful ssh login to your router first! This is a source-address filter layered on top of key authentication, not a replacement for it: the connection still has to present the FreeNAS key.

If your router goes up in flames, no worries. Your router is not storing any private keys! A new router with the same IP address configuration, your backup private keys & FIDO2 devices are all you need to SSH back in to FreeNAS.
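The `ProxyJump` and `IdentityFile` lines above are the two places where a typo only surfaces as a confusing failure at connect time: a `ProxyJump` naming an alias that is not defined makes ssh treat it as a DNS name, and a missing or group-readable `IdentityFile` is skipped silently, which ends in "Permission denied (publickey)" once passwords are off. The POSIX shell checker below is an added example, not part of the guide: it parses a client `~/.ssh/config`, confirms every `ProxyJump` names a defined `Host` alias, and confirms every `IdentityFile` exists with mode 600. The alias names `openwrt` and `freenas` and the sample config used in testing are taken from the guide; everything else is assumed.

```sh
#!/bin/sh
# Added example, not part of the guide: sanity-check a client ~/.ssh/config for the
# bastion setup before relying on it. Checks two things ssh itself only reports
# indirectly: every ProxyJump value is a Host alias defined in the same file, and
# every IdentityFile exists with mode 600.

# Portable octal mode of a path (GNU/busybox stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print every alias defined by a "Host" line in config $1, one per line.
ssh_config_hosts() {
    awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Print "alias keyword value" (keyword lowercased, first value token only) for each
# keyword that sits inside a Host block of config $1.
ssh_config_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "host" { host = $2; next }
        host != ""            { print host, tolower($1), $2 }
    ' "$1"
}

# Check config $1; "~" in IdentityFile expands to $2 (default $HOME).
# Prints one line per finding and exits 0 only when there are none.
check_ssh_config() {
    cfg=$1; home=${2:-$HOME}
    hosts=$(ssh_config_hosts "$cfg")
    out=$(ssh_config_entries "$cfg" | while read -r alias key val; do
        case $key in
            proxyjump)
                # The guide uses a bare alias; any other form (user@host:port, comma
                # chains) is reported so it gets looked at rather than silently accepted.
                printf '%s\n' "$hosts" | grep -qxF "$val" \
                    || echo "FAIL $alias: ProxyJump '$val' is not a defined Host alias"
                ;;
            identityfile)
                f=$val
                case $f in "~/"*) f="$home/$(printf '%s' "$f" | cut -c3-)" ;; esac
                if [ ! -f "$f" ]; then
                    echo "FAIL $alias: IdentityFile $val not found"
                elif [ "$(file_mode "$f")" != 600 ]; then
                    echo "FAIL $alias: IdentityFile $val is mode $(file_mode "$f"), expected 600"
                fi
                ;;
        esac
    done)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Usage: sh check_ssh_config.sh ~/.ssh/config
if [ -n "${1:-}" ]; then
    check_ssh_config "$1"
fi
```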


-------------------------------------------------------------------------------- /OpenWRT/security/5_hardening.md: --------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

[ [Intro](README.md) ] - [ [OpenSSH Client](1_install_client.md) ] - [ [OpenSSH on OpenWRT](2_install_openssh.md) ] - [ [Generate Keys](3_keys.md) ] - [ [Bastion](4_bastion.md) ] - **[Hardening]**

## SSH Bastion & Security Hardening Guide
### Upgrade opkg to https connections
```
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install wget
root@OpenWrt:~# opkg install ca-certificates
root@OpenWrt:~# opkg install libustream-openssl
root@OpenWrt:~# nano /etc/opkg/distfeeds.conf
```
Replace all `http` URLs with `https`. Save (CTRL+O, ENTER) and exit (CTRL+X)
```
root@OpenWrt:~# opkg update
```
You should see the package lists download from https addresses and see `signature check passed`.

### Require SSH tunnel to access OpenWRT's LuCI web-ui
OpenWRT's web user interface, called LuCI, has nearly all the privileges of the root user on the command line. Upgrading our SSH authentication to public key cryptography doesn't do us any good if the web-ui is still accessible with password authentication. So let's only allow LuCI to be accessed from an authenticated SSH tunnel.

```
root@OpenWrt:~# nano /etc/ssh/sshd_config
```
Uncomment the following line and enable `AllowTcpForwarding`:
```
AllowTcpForwarding yes
```
Save (CTRL+O, ENTER) and exit (CTRL+X).
Restart `sshd` with:
```
root@OpenWrt:~# /etc/init.d/sshd restart
```

Now let's configure the client:
```
User@Desktop ~ $ nano ~/.ssh/config
```
Add `LocalForward 127.0.0.1:8000 127.0.0.1:80` to your `Host openwrt` block to securely tunnel client-side requests on 127.0.0.1:8000 to server-side 127.0.0.1:80. It should look something like this:
```
### The Bastion Host
Host openwrt
    HostName 192.168.84.1
    IdentityFile ~/.ssh/openwrt
    IdentityFile ~/.ssh/openwrt_yubi5_nano
    User root
    Port 22
    LocalForward 127.0.0.1:8000 127.0.0.1:80
### The Remote Host
Host freenas
    HostName 192.168.84.85
    IdentityFile ~/.ssh/freenas
    User root
    ProxyJump openwrt
```
Save (CTRL+O, ENTER) and exit (CTRL+X). Now open a web browser on the client and type in `127.0.0.1:8000`. The LuCI web-ui should appear. Now close the SSH session, and the address should fail. Success!

Now let's restrict LuCI's web-ui to localhost so the only connection path is through the SSH tunnel:
```
root@OpenWrt:~# nano /etc/config/uhttpd
```
Change the `http` IPv4 listen address to `127.0.0.1:80` and comment out all other listen addresses. It should look like this:
```
# HTTP listen addresses, multiple allowed
list listen_http 127.0.0.1:80
#list listen_http [::]:80

# HTTPS listen addresses, multiple allowed
#list listen_https 0.0.0.0:443
#list listen_https [::]:443
```
Save (CTRL+O, ENTER) and exit (CTRL+X). Restart the service:
```
root@OpenWrt:~# /etc/init.d/uhttpd restart
```
Now try the old address for logging in to LuCI (such as `192.168.84.1`) in a web browser. You should get a 'refused to connect' error.

Now SSH into OpenWRT, then open a browser to `127.0.0.1:8000`. You should see the LuCI web-ui. Success!
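Both this page and the OpenSSH install page edit `/etc/ssh/sshd_config` by hand, and sshd silently honours only the first occurrence of each keyword, so a stray earlier `PasswordAuthentication yes` defeats the `no` added further down. The POSIX shell audit below is an added example, not part of the guide: it reads a config the way sshd does (first match wins, `Match` blocks excluded) and reports whether the values this guide sets, including the `AllowTcpForwarding yes` needed for the tunnel above, are actually in effect. The defaults it falls back to for unset keywords are OpenSSH 8.x defaults.

```sh
#!/bin/sh
# Added example, not part of the guide: audit an sshd_config for the settings this
# guide expects on the OpenWRT bastion. sshd uses the FIRST occurrence of a keyword;
# a second "PasswordAuthentication no" further down does nothing. The awk below
# mirrors that rule and stops at the first "Match" block, because keywords inside a
# Match block are conditional rather than global.

# Print the effective global value (lowercased) of keyword $2 in file $1; empty if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { exit }                  # end of the global section
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Count how often keyword $2 appears in the global section of $1. Anything after the
# first occurrence is dead configuration and the usual reason a hardening step fails.
sshd_count() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { n++ }
        END { print n + 0 }
    ' "$1"
}

# Compare effective values with what the guide sets. Prints one line per keyword;
# exits 0 only when every expected value is in effect and nothing is duplicated.
audit_sshd_config() {
    cfg=$1
    findings=0
    # keyword|expected|default-when-unset (OpenSSH 8.x defaults)
    for spec in \
        'PubkeyAuthentication|yes|yes' \
        'PasswordAuthentication|no|yes' \
        'AuthenticationMethods|publickey|any' \
        'AllowTcpForwarding|yes|yes' \
        'PermitRootLogin|yes|prohibit-password'
    do
        key=${spec%%|*}; rest=${spec#*|}; want=${rest%%|*}; dflt=${rest#*|}
        n=$(sshd_count "$cfg" "$key")
        if [ "$n" -gt 1 ]; then
            echo "WARN $key appears $n times; only the first occurrence takes effect"
            findings=$((findings + 1))
        fi
        got=$(sshd_effective "$cfg" "$key")
        eff=${got:-$dflt}
        if [ "$eff" != "$want" ]; then
            echo "FAIL $key is '$eff' (expected '$want')"
            findings=$((findings + 1))
        else
            echo "ok   $key $eff"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```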
This process can be replicated for any web-ui that needs securing, such as RTL in the bitcoin guide!

### Require SSH tunnel to access FreeNAS WebGUI
#### Client Config
```
User@Desktop ~ $ nano ~/.ssh/config
```
Add the `LocalForward` rule to your `Host freenas` block:
```
Host freenas
    HostName 192.168.84.85
    Identity FreeNAS-key-placeholder
```
If you want this feature, make sure to add your voice to the issue here: https://jira.ixsystems.com/browse/NAS-104177


[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]
-------------------------------------------------------------------------------- /OpenWRT/security/README.md: --------------------------------------------------------------------------------
[ [<< Back to Main Menu](https://github.com/seth586/guides/blob/master/README.md) ]

**[Intro]** - [ [OpenSSH Client](1_install_client.md) ] - [ [OpenSSH on OpenWRT](2_install_openssh.md) ] - [ [Generate Keys](3_keys.md) ] - [ [Bastion](4_bastion.md) ] - [ [Hardening](5_hardening.md) ]

## SSH Bastion & Security Hardening Guide
### Intro
Password-authenticated SSH sessions are not secure. This guide will configure your home router and FreeNAS server to use public key cryptography for authentication, with the private key further protected by an optional passphrase and FIDO2 device.

### Threat Model - Passwords
Up to this point you have probably been authenticating your SSH sessions to your router and FreeNAS with a password. Let's go over the threats you currently face with this configuration:

1. Passwords can be brute forced.

2. Passwords can be keylogged.

Does your daily driver laptop have malware? Did you ever copy/paste a password on your phone? Guess what, apps on your phone can monitor the clipboard!

3. Passwords can be leaked.

Are you using unique passwords for every single password-based service you use? If not, database breaches will dump used passwords onto the internet, giving brute force attackers a much smaller range of passwords to try. If an attacker is smart, they can target your router and FreeNAS server with passwords credited to you on other services.

4. Passwords can be intercepted or phished.

A man-in-the-middle attack is where a compromised system intercepts your password. Similarly, a phishing attempt uses a legitimate-looking email or website to get you to type in your real credentials. Since public key cryptography produces a unique signature for every authentication, a phished signature is worthless.

5. Every device behind your firewall is a liability.

*"But wait!"* You say, *"None of this matters because my router blocks port 22 from the public internet!"* This is true: no one from **outside** your router's firewall can attempt to enter a password for your SSH session (unless you are a complete fool and publicly forward port 22). But can we truly trust every device inside our firewall? What about the numerous internet-of-things devices inside your home? By default, every internet-connected device has LAN access to your home server and router. Your Amazon Echo or smart light bulb or internet-connected coffee machine could be attempting brute force attacks on your router right now!

### Mitigation with Public/Private Key Cryptography

1. Public key cryptography can not be brute forced.

2. Keylogging the public key is useless, since authentication is based on proving that you know the private key without ever revealing the private key.

3. Leaking or posting your public keys is safe! Post them on Twitter for the world to see!

4. Just like your bitcoin private keys, you never have to send your authentication private keys over the internet. For increased protection of your authentication private keys, this guide will show you how to use a YubiKey or Trezor or Ledger Nano (or any FIDO/U2F device) as your private key!

5. If configured correctly, you could forward port 22 safely using public key authentication.

### Basic overview on how it works

Let's define the three devices that you are going to use in a common home server management scenario:

Server #1: Your home router

This guide will refer to all console commands on your home router with a preceding `root@OpenWrt:~#`.

Server #2: Your FreeNAS server

This guide will refer to all console commands on your home FreeNAS server with a preceding `root@freenas:~#`

Client: Your home desktop, laptop, cell phone, tablet, etc.

This guide will refer to all console commands on your client with a preceding `User@Desktop ~ $`

There are two files you must manage when using public key cryptography: a **Public Key** and a **Private Key**. Your servers only need the public key on them. Your clients only need the private key. You can recreate a public key from a private key, but you can not create a private key from a public key. Hence it is important not to lose your private key! **If you lose your private key, you lose all ability to SSH into your devices!**

Brain exercise: You can theoretically give your bank your public key, and authenticate using your private key on your client device. If your bank experiences a data breach and your public key is now revealed to the whole internet, your accounts are still secure! Logging in proves you own the private key without ever revealing the private key to your bank! Pretty cool, huh?

This is called 'passwordless login', and this is how FIDO/U2F devices (such as the YubiKey or Trezor or Ledger Nano) work: they give your bank, email and social media accounts a public key, and the device safely stores the private key to create signatures to authenticate without ever revealing the private key.

**It is paramount that we secure this private key**, so let's look at the threat model in this scenario:

### Threat Model - Stolen Private Key

A private key can be stolen since it's just a computer file. Perhaps your laptop was stolen and you have your private key on the laptop. Let's discuss how we might mitigate this security threat:

1. Have multiple private keys

We can configure our servers with multiple public keys corresponding to multiple private keys. If our laptop is stolen, we can use a different private key to authenticate, then remove the public key corresponding to our stolen private key. But what if we don't know the private key is stolen? Perhaps malware scanned our hard drive and phoned home with our private key. There is a better way to secure a private key:

2. Derive a private key with multiple inputs

We can derive a private key requiring more input to fully decrypt it, such as also requiring a password and/or a FIDO/U2F device! By combining something we **HAVE** (private key file) with something we **KNOW** (password) and something **PHYSICAL** (FIDO/U2F or YubiKey), we encrypt the private keys with multiple layers of security. If our private key is stolen, it's still secure because it's encrypted with a password and/or a FIDO/U2F device.

3. Secure your laptop's file system with full disk encryption.

Always a good idea: encrypt your computer's hard drive!

So now that we know how we can secure the private key, what threat models remain?

### Threat Model - Losing a private key

Make multiple backups on multiple devices, such as USB thumb drives. Use an offline QR code generator, print out the private key, and store it in a fireproof box. Use an old-school printer; modern wifi or network-enabled printers are extremely insecure! Always have a private key backed up in a geographically separated location!

If you are adding a third layer of protection with a FIDO/U2F device, buy two or three of them, and create private/public key pairs for each of them. If you lose or break your FIDO/U2F device, the other two will save your butt!

### Threat Model - the Web User Interface
Securing SSH is half the battle. Your OpenWRT and FreeNAS web user interfaces are also privileged entrances to your system. Are you running the [bitcoin & lightning guide](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/README.md)? RTL's web UI gives unrestricted access to your funds! Imagine a smart light bulb trying to brute force RTL's password authentication inside your home network: a scary and plausible scenario if we don't upgrade to public key authentication!

In this guide we will redirect web-based interfaces to only work over an authenticated SSH session. Hopefully in the near future these web UIs can integrate second-factor authentication like TOTP or FIDO/U2F so we don't have to worry about this step.

### Prerequisites
1. A router running OpenWRT. This guide works verbatim if you are running a Linksys WRT1200 or newer (1900, 3200). Now would be a good time to update your firmware to the latest patch level!
2. An SSH client, such as FreeNAS
3. (Optional) A FIDO/U2F device to secure your authentication private keys. Not necessary, but an additional layer of security!

### Summary
We briefly discussed the threats we face using passwords and why public key cryptography is more secure. We also touched on the importance of not losing your private key, and how to adequately secure your private key. So let's set up your client machines first!


Next: [ [OpenSSH Client](1_install_client.md) ] >>

--------------------------------------------------------------------------------
/OpenWRT/upnp_natpmp.md:
--------------------------------------------------------------------------------
[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]
## Run LND on clearnet
To run LND on clearnet, we need to advertise our IP address. But what if our ISP changes our IP address? This guide explains how to set up your router and LND to use `nat=true` so LND will detect our public IP and broadcast changes to the network.

### Universal Plug & Play / Network Address Translation - Port Mapping Protocol

Universal Plug and Play is a standard that allows clients to configure the router's port mappings. It trades security for convenience: it is much more secure to set up port forwards in your router manually, but some clients, for example video game consoles, may need to open and close ports on the fly depending on the multiplayer game.

Most commercial-grade routers with manufacturer firmware use a very [insecure implementation](https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/), letting anyone that requests a port forward do so! Imagine trojan software on your desktop, or your kids' computer, reconfiguring your router!
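For contrast, here is the locked-down configuration this guide builds in the later steps (UPnP and NAT-PMP on, secure mode on, the `default allow` rule removed, a `default deny` rule kept) as it ends up in OpenWRT's `/etc/config/upnpd`, together with a small check that a given config really has that shape. This is an added example, not part of the guide: the option names follow OpenWRT's miniupnpd UCI schema as I understand it (compare with your own router's file), and the sample config and its temp-file location are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): the /etc/config/upnpd that the LuCI
# steps produce (UPnP + NAT-PMP on, secure mode on, "default allow" deleted,
# "default deny" kept), plus a check that an upnpd config has that shape.
# Option names follow OpenWRT's miniupnpd UCI schema as understood here.

# write_hardened_upnpd FILE: write the constructed sample config to FILE.
write_hardened_upnpd() {
    cat > "$1" <<'EOF'
config upnpd 'config'
    option enabled '1'
    option enable_upnp '1'
    option enable_natpmp '1'
    option secure_mode '1'
    option internal_iface 'lan'

config perm_rule
    option action 'deny'
    option ext_ports '0-65535'
    option int_addr '0.0.0.0/0'
    option int_ports '0-65535'
    option comment 'default deny: lnd only needs the external IP'
EOF
}

# check_upnpd_acl FILE: exit 0 when secure mode is on, the last perm_rule is
# a deny (rules are read top to bottom) and no rule allows every internal
# host to map every port; exit 1 otherwise.
check_upnpd_acl() {
    awk '
        $1 == "config" && $2 == "perm_rule" { n++ }
        $1 == "option" { v = $3; gsub(/\047/, "", v) }   # strip the quotes
        $1 == "option" && $2 == "secure_mode" { secure = v }
        $1 == "option" && $2 == "action"      { act[n] = v }
        $1 == "option" && $2 == "int_addr"    { addr[n] = v }
        $1 == "option" && $2 == "ext_ports"   { ports[n] = v }
        END {
            if (secure != "1") exit 1
            if (n == 0 || act[n] != "deny") exit 1
            for (i = 1; i <= n; i++) if (act[i] == "allow" && addr[i] == "0.0.0.0/0" && ports[i] == "0-65535") exit 1
            exit 0
        }' "$1"
}

conf=$(mktemp)
write_hardened_upnpd "$conf"
if check_upnpd_acl "$conf"; then echo "ACL ok: $conf"; else echo "ACL NOT safe: $conf"; fi
```

Run the check against a copy of your router's real `/etc/config/upnpd` (for example after `scp`-ing it to your client) to confirm the ACL order survived `save and apply`.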

There are a few scenarios where a safe implementation of UPnP can be reasonably secure, if we can control what has access to it. Lightning Labs' `lnd` queries UPnP or NAT-PMP for the current IP address assigned by your ISP. If a change is detected, your peers are notified and you can maintain connectivity with your inbound channels.

### So how can we securely use UPnP or NAT-PMP?

If we can control what IP addresses can use UPnP/NAT-PMP, we can minimize the vulnerability surface.

So log in to your router, and see if your router's UPnP or NAT-PMP implementation has an `access control list` to limit what client IP addresses can request a port mapping and what port ranges can be opened. If it doesn't, then disable UPnP/NAT-PMP!

I highly, highly recommend you buy a router that can run OpenWRT, an open source router firmware. Its software is kept up to date, and it can be installed on a large number of [consumer devices](https://openwrt.org/supported_devices). Many manufacturers do not offer continued support for their routers' firmware, allowing security vulnerabilities to live on, unpatched.

### Goal

This guide is to help you install the `miniupnpd` daemon with the `luci-app-upnp` user interface, configured to serve `lnd`'s requests for the external IP address on an OpenWRT-compatible router. Fortunately `lnd` only queries the `miniupnpd` daemon for the external IP address, so we will set permissions to deny any UPnP port forward request, and manually set up port forwards.

### Install miniupnpd

Log in to your OpenWRT router's web interface, typically at `192.168.X.1`, where `X` is unique to your local area network subnet.

Click `System`, then `Software`. Click `Update Lists`, then type in `luci-app-upnp`. Click `install` next to `luci-app-upnp`. The package and dependencies will install.

You may have to manually enable autostart. Click on `System`, then `Startup`.
Make sure `miniupnpd` is enabled.

Click `services` and `UPnP`.

Check the `Start UPNP and NAT-PMP service` box, `Enable NAT-PMP functionality` and `enable secure mode`.

Delete the `default allow` rule under the `MiniUPnP ACLs`.

Make sure there is a `default deny` rule: External ports `0-65535`, Internal Addresses `0.0.0.0/0`, Internal Ports `0-65535`, Action `deny`.

Rules are read top to bottom, so if you have a game console or another service that requires UPnP or NAT-PMP, put its rule above the deny rule.

Click `save and apply`.

Now would also be a good time to port forward 9735 for lnd:
```
Name : lnd
Protocol: TCP+UDP
External Zone: WAN
External Port: 9735
Internal Zone: LAN
Internal IP address: (insert your jail IP here)
Internal Port: 9735
```

Reboot your router.

### Configure `lnd` for `NAT-PMP`
SSH in to your FreeNAS box, and switch consoles to your bitcoin jail.
```
root@freenas:~# iocage console bitcoin
```

Edit your `lnd.conf` file:
```
# nano /home/bitcoin/.lnd/lnd.conf
```
Remove all tor entries except for outbound connections with `tor.active=1` and `tor.socks=localhost:9050`.
Add `nat=true` under `[Application Options]`.
Save (CTRL+O, ENTER) and exit (CTRL+X).

Stop the lnd service, and manually start it to read the verbose messages:
```
# service lnd stop
# lnd --configfile=/usr/local/etc/lnd.conf
```
Unlock your wallet (if you installed RTL, you can do it there; otherwise start a new SSH session, switch to user bitcoin with `su bitcoin` and run `lncli unlock`).

Look for the following lines; you may have to grab the scroll bar on the right side of your SSH window, as the messages move fast:
```
2019-02-12 18:11:02.150 [ERR] SRVR: Unable to discover a UPnP enabled device on the local network: context canceled
2019-02-12 18:11:02.150 [INF] SRVR: Scanning local network for a NAT-PMP enabled device
2019-02-12 18:11:02.183 [INF] SRVR: Automatically set up port forwarding using NAT-PMP to advertise external IP
```
Success!

If it fails, `lnd` will exit. Double check on your router that `miniupnpd` is running under `status` / `processes`.

Press (CTRL+C) to stop the lnd process. Exit the `bitcoin` user shell, and start the `lnd` service.
```
bitcoin@bitcoin:~% exit
# service lnd start
```

[ [Back to LND setup guide](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/freenas_5_lnd.md) ]

[ [<< Back to Extras](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/extras.md) ]

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Seth586😈guides

I am not a professional programmer or unix administrator, use at your own risk!
Contributions are welcome!

Join the chatroom on the matrix chat protocol: [#truenasnode:nym.im](https://matrix.to/#/#truenasnode:nym.im)

| **FreeNAS / TrueNAS Guides:** | |
| --------------- | --------------- |
| ![BSDBTC60.png](FreeNAS/bitcoin/images/BSDBTC60.png) | [TrueNASnode](FreeNAS/bitcoin/README.md) - Full bitcoin stack deployment guide |
| ![tor60.png](FreeNAS/tor_relay/images/tor60.png) | [TOR Relay](FreeNAS/tor_relay/README.md) |
| ![mumble60.png](FreeNAS/mumble/images/mumble60.png) | [Mumble Server](FreeNAS/mumble/README.md) |
| ![wordpress60.png](FreeNAS/webserver/images/wordpress60.png) | [Wordpress Website with Reverse Proxy](FreeNAS/webserver/README.md) |
| ![nc60.png](FreeNAS/nextcloud/images/nc60.png) | [Nextcloud Server](FreeNAS/nextcloud/README.md) |

| **OpenWRT Guides:** | |
| --------------- | --------------- |
| ![ssh60.png](OpenWRT/security/images/ssh60.png) | [SSH PublicKey Authentication thru Bastion](OpenWRT/security/README.md) |

--------------------------------------------------------------------------------