Linux Setup

From bibbleWiki
Revision as of 11:52, 25 December 2020

Zoom

You need to download the zoom.deb from the Zoom site. dpkg -i installs whatever file it is given without any signature check, so only use a .deb fetched over HTTPS from Zoom's own download page.

apt install libgl1-mesa-glx libegl1-mesa libxcb-xtest0 libxcb-xinerama0
sudo apt install gdebi
sudo dpkg -i ~/Downloads/zoom.deb

Making fakecam work: add this to /var/lib/snapd/apparmor/profiles/snap.fakecam.fakecam. It only adds two read-only paths to the snap's confinement, but snapd regenerates that file when the snap is refreshed, so the edit has to be reapplied afterwards.

@{PROC}/@{pid}/mounts r,
# and
/sys/fs/cgroup/cpuset/cpuset.cpus r,

Reload with

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.fakecam.fakecam

Network Stuff

ip link list eno1
ip link set eno1 down
ip link set eno1 up
netplan apply

Set up Monitors

Change ~/.config/monitors.xml, test it, then copy it to the gdm3 account so the login screen uses the same layout:

sudo cp ~/.config/monitors.xml /var/lib/gdm3/.config/
sudo chown gdm:gdm /var/lib/gdm3/.config/monitors.xml

My monitor 2020-09-07

<monitors version="2">
  <configuration>
    <logicalmonitor>
      <x>0</x>
      <y>0</y>
      <scale>1</scale>
      <transform>
        <rotation>left</rotation>
        <flipped>no</flipped>
      </transform>
      <monitor>
        <monitorspec>
          <connector>DVI-D-0</connector>
          <vendor>DEL</vendor>
          <product>DELL U2412M</product>
          <serial>9W5YH33E2ECS</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1200</height>
          <rate>59.950172424316406</rate>
        </mode>
      </monitor>
    </logicalmonitor>
    <logicalmonitor>
      <x>2400</x>
      <y>0</y>
      <scale>1.25</scale>
      <primary>yes</primary>
      <monitor>
        <monitorspec>
          <connector>HDMI-0</connector>
          <vendor>AOC</vendor>
          <product>V27t</product>
          <serial>0x01010101</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1080</height>
          <rate>60</rate>
        </mode>
      </monitor>
    </logicalmonitor>
  </configuration>
</monitors>

Set up Apache HSTS

In Apache 2 000-default.conf, redirect every plain-HTTP request to HTTPS. Browsers ignore a Strict-Transport-Security header that arrives over HTTP, so the header itself belongs in the TLS vhost, not here:

<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>

In Apache 2 default-ssl.conf (needs mod_headers, enabled with a2enmod headers):

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

max-age=63072000 is two years. includeSubDomains extends the policy to every subdomain, so every one of them must serve valid TLS before this goes live; browsers will refuse plain HTTP to all of them for the whole max-age.
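The header above is what the server sends; whether a browser honours it depends on the directives parsing cleanly. The following added example, which is not code from the page, parses a Strict-Transport-Security value under the rules of RFC 6797 (directive names case-insensitive, unknown directives ignored, a duplicated directive invalidates the header) and flags the two policy weaknesses worth checking for: a short max-age and a missing includeSubDomains. The sample values it runs over are constructed, not captured from a server.

```python
"""Added example (not from the bibbleWiki page): parse a Strict-Transport-Security
header value and report whether it meets the policy the page configures.

Assumptions: browser rules as in RFC 6797 (directive names are case-insensitive,
unknown directives are ignored, a duplicated directive makes the header invalid).
The sample header values at the bottom are constructed for illustration.
"""
import re

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum for max-age


def parse_hsts(value):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool, 'errors': [...]}."""
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # a trailing ';' (as in the page's header) is tolerated
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            result["errors"].append("duplicate directive: " + name)
            continue
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                result["errors"].append("max-age is not a non-negative integer: %r" % arg)
            else:
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # any other directive is ignored, as RFC 6797 requires
    if result["max_age"] is None and not result["errors"]:
        result["errors"].append("max-age is required")
    return result


def hsts_findings(value):
    """Human-readable findings for a header value; an empty list means it passes."""
    parsed = parse_hsts(value)
    findings = list(parsed["errors"])
    if parsed["max_age"] is not None:
        if parsed["max_age"] == 0:
            findings.append("max-age=0 removes the policy (browsers forget the host)")
        elif parsed["max_age"] < ONE_YEAR:
            findings.append("max-age below one year (%d s)" % parsed["max_age"])
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains stay reachable over HTTP")
    return findings


if __name__ == "__main__":
    # Constructed sample values, the first being the one the page configures.
    for sample in ("max-age=63072000; includeSubdomains;",
                   "max-age=300",
                   "max-age=0",
                   "max-age=31536000; max-age=31536000"):
        print(repr(sample), "->", hsts_findings(sample) or "ok")
```

Running it as a script prints one line per sample; the page's own header value passes, the others each trip one of the checks.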

One time setups on 19.04 upwards

To add scaling

gsettings set org.gnome.mutter experimental-features "['x11-randr-fractional-scaling']"

Auto hide taskbar

Go to settings->dock->auto-hide the dock

Hide top bar

sudo apt install gnome-shell-extension-autohidetopbar

  • log out
  • log in
  • run gnome-tweaks
  • Extensions -> Hide top bar

One time setups on 20.04 upwards

MediaWiki

Create database

 CREATE DATABASE my_wiki;
 CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
 GRANT ALL PRIVILEGES ON my_wiki.* TO 'newuser'@'localhost';

Grant on my_wiki.* rather than *.*: the wiki's account only ever needs its own database, and a *.* grant would hand a compromised wiki (or a SQL injection in an extension) every other database on the server, including the mail database below. Use a generated password in place of 'password'; it ends up in LocalSettings.php.

Restore database

 mysql -u root -p XXXX < db_backup_XXXX_23_10_2019_04_21_44

With a space after -p the password is prompted for and XXXX is the database name. The backup script further down writes gzipped dumps; for those, pipe the file through zcat into the same mysql command instead of redirecting it.

Copy Wiki files

 cp -a <backup>/mediawiki /var/lib/mediawiki

-a copies the whole directory tree with ownership and modes intact. LocalSettings.php in there holds the database password, so keep the backup copy out of any world-readable location.

Postfix

Create database

 CREATE DATABASE mail;
 CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
 GRANT ALL PRIVILEGES ON mail.* TO 'newuser'@'localhost';
 mysql -u root -p XXXX < db_backup_my_XXXX_23_10_2019_04_21_44

Do not add WITH GRANT OPTION: the account Postfix and Dovecot use to look up mailboxes never needs to hand privileges to other accounts. The last line is a shell command, run after the grants, not SQL.

Setup mail user and directory

 cd /var
 ln -s /mnt/<RAID ARRAY>/vmail .

 groupadd -g 5000 vmail
 useradd -m -d /var/vmail -s /bin/false -u 5000 -g vmail vmail

Set up certificates for TLS

 systemctl stop apache2
 apt-get install python3-certbot-apache

 certbot -n  --agree-tos --standalone certonly -d www.bibble.co.nz
 certbot -n  --agree-tos --standalone certonly -d mail.bibble.co.nz
 certbot -n  --agree-tos --standalone certonly -d imap.bibble.co.nz

apache2 is stopped because --standalone runs its own listener on port 80 for the HTTP-01 challenge; start it again afterwards.

Install postfix

 apt-get install postfix
 apt-get install postfix-mysql 
 apt-get install postfix-policyd-spf-python
 apt-get install postgrey 
 apt-get install sasl2-bin libsasl2.2 libsasl2-modules

Install opendkim

apt-get install opendkim
cp -r /tmp/fred/Backup20200606/etc/opendkim /etc

Change /etc/opendkim.conf
Socket    local:/var/spool/postfix/opendkim/opendkim.sock
Change /etc/default/opendkim
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
Change /etc/postfix/main.cf
smtpd_milters = local:opendkim/opendkim.sock

The main.cf path is relative to /var/spool/postfix because smtpd runs chrooted there. /var/spool/postfix/opendkim must exist and be owned by opendkim with group postfix, and the postfix user has to be in the opendkim group, otherwise smtpd cannot open the socket and every message is rejected or tempfailed depending on milter_default_action.

Install spamassassin

apt-get install spamassassin

Dovecot

apt install dovecot-imapd dovecot-pop3d
apt install dovecot-sieve dovecot-solr dovecot-antispam
apt-get install dovecot-mysql
apt-get install dovecot-lmtpd

Setting netplan to render through network manager

network:
    version: 2
    renderer: NetworkManager
    ethernets:
        enp4s0:
            addresses: [10.1.1.70/24]
            gateway4: 10.1.1.99
            nameservers:
                search: [bibble.local]
                addresses: [10.10.1.2]
            dhcp4: no

YAML is indentation-sensitive, so the two nameservers keys must sit at the same depth, one level under nameservers. gateway4 still works on 20.04 but is deprecated in later netplan releases in favour of a routes list with a default route.

Setting up a repo of the currently installed packages on Ubuntu

Get the list of installed packages

$ apt list --installed > install.list

Then translate it into the package:arch=version form that apt download understands:

$ sed -r  's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3=\2/g' > install.list.to.dl

(POSIX extended regexps have no non-greedy `*?`; GNU sed treats it as a plain `*`, which still gives the right split here because each package line has one slash and, once the bracketed status is removed, exactly two spaces. apt list also prints a "Listing... Done" header line that does not match the pattern; drop it before feeding the list to apt download.)

Then download the current package versions:

$ xargs apt download < install.list.to.dl

You need to create a Packages.gz file in order to add this folder as a source for apt. E.g.

$ cd ~/deb_server/debs/
$ dpkg-scanpackages -m . /dev/null | gzip -9c >  Packages.gz

The path given to dpkg-scanpackages must be relative, otherwise the Filename: entries it writes break the download step later (-m keeps multiple versions of a package; remove it if you only want the most recent). Now bring up a file server, for example apache2, and configure it to index files.

/etc/apache2/sites-enabled/000-debserver.conf

Containing:

DocumentRoot /var/www
  <Directory /var/www/>
    Options +Indexes +FollowSymLinks
    Require all granted
  </Directory>

And finally you need to symlink the deb folder to /var/www. (Or configure the server to the current deb download location) e.g.

$ ln -s ~/deb_server/debs/ /var/www/repo

The last bit is to add the server machine as the only source for apt updates on each target machine. This is a line in /etc/apt/sources.list, not a shell command:

deb [trusted=yes] http://deb_server_ip/repo /

[trusted=yes] tells apt to accept the repository without a signed Release file, so every host that uses it trusts whatever is in that directory and anyone who can tamper with the HTTP traffic to it. For anything beyond a lab, generate a Release file with apt-ftparchive release, sign it with gpg, and drop the trusted=yes option.

If you want to update the packages, you need to re-run apt download of the list, but without the version.

$ sed -r  's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3/g' > install.list.for.update
$ apt update && xargs apt download < install.list.for.update
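The two sed pipelines above (pinned versions for the first download, bare package names for the update) are one transformation with a flag. The following added example, which is not code from the page, does that transformation in one place, drops the "Listing... Done" header, rejects lines it does not recognise instead of passing them through, and separates out packages apt marks [installed,local], which apt download cannot fetch because they are in no configured repository. SAMPLE_APT_LIST is constructed to match the apt list --installed format on 20.04 (name/suite,now version arch [status]); it was not captured from a real machine.

```python
"""Added example (not from the bibbleWiki page): turn `apt list --installed`
output into the package:arch=version lines that `apt download` accepts, the
same transformation the page does with two sed pipelines, but with the
"Listing... Done" header dropped and without relying on GNU sed's handling
of the non-POSIX `*?` quantifier.

SAMPLE_APT_LIST is constructed to look like apt output on Ubuntu 20.04.
"""
import re

# name/suite(,suite...) version arch [status,...]
_LINE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<version>\S+)\s+(?P<arch>\S+)\s+\[(?P<status>[^\]]*)\]\s*$"
)

SAMPLE_APT_LIST = """Listing... Done
bash/focal-updates,now 5.0-17ubuntu1 amd64 [installed]
libc6/focal-updates,now 2.31-0ubuntu9.2 amd64 [installed,automatic]
libc6/focal-updates,now 2.31-0ubuntu9.2 i386 [installed]
zoom/now 5.4.53350.1027 amd64 [installed,local]
"""


def parse_apt_list(text):
    """Yield (name, arch, version, status_flags) per package line; skip the header and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Listing..."):
            continue
        m = _LINE.match(line)
        if m is None:
            # better to stop than to hand apt download a junk argument
            raise ValueError("unrecognised apt list line: %r" % line)
        yield m["name"], m["arch"], m["version"], m["status"].split(",")


def download_list(text, pin_versions=True):
    """Lines for `xargs apt download`: name:arch=version (pinned) or name:arch (latest available)."""
    out = []
    for name, arch, version, _status in parse_apt_list(text):
        if pin_versions:
            out.append("%s:%s=%s" % (name, arch, version))
        else:
            out.append("%s:%s" % (name, arch))
    return out


def local_only(text):
    """Packages apt marks [installed,local]: in no configured repo, so apt download cannot fetch them."""
    return [name for name, _arch, _ver, status in parse_apt_list(text) if "local" in status]


if __name__ == "__main__":
    print("\n".join(download_list(SAMPLE_APT_LIST)))
    print("not downloadable from a repo:", local_only(SAMPLE_APT_LIST))
```

Feed real output in with download_list(open("install.list").read()) and write the result one entry per line for xargs; local_only tells you which packages (the zoom.deb from the top of this page, for instance) have to be copied into the repo directory by hand.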

Setting up IoT Edge on 19.04

Not yet released for 19.04, so here is how to do it with the 18.04 packages

Install docker, then download the packages

wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/i/iotedge/iotedge_1.0.8-2_amd64.deb
wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/libi/libiothsm-std/libiothsm-std_1.0.8-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5.3_amd64.deb

libssl1.0.0 is OpenSSL 1.0.2, out of upstream support since the end of 2019, and is only here because iotedge 1.0.8 was built against it. The last file comes over plain HTTP and all three go in with dpkg -i, which does no signature check, so compare their SHA256 sums with the Packages index of the repository each came from before installing.

Fixing ubuntu 19.04 mouse

Install kernel 5.2.x

Certificates

Initial

 apt-get install software-properties-common python-software-properties
 add-apt-repository ppa:certbot/certbot
 apt-get update
 apt-get install python-certbot-apache

 certbot -n  --agree-tos --standalone certonly -d <site1.domain.com>
 certbot -n  --agree-tos --standalone certonly -d <site2.domain.com>

(python-software-properties and the certbot PPA are the pre-20.04 route; on 20.04 the python3-certbot-apache package from the main archive, as used in the Postfix section above, is enough.)

Renew

certbot -n  --agree-tos --standalone certonly -d <site1.domain.com>
systemctl restart dovecot
systemctl restart apache2

certbot renew renews every certificate within 30 days of expiry in one go, and a --deploy-hook can run the restarts only when something actually changed. --standalone needs port 80 free, so apache2 has to be stopped while it runs.

Building r8168

This is not necessary as you can use the command

apt-get install r8168-dkms

Updating DNS

This script runs from crontab once every 15 minutes. It sends the ZoneEdit username and password over plain HTTP and puts them on the lynx command line, where any local user can read them from the process list, so keep the script mode 0700 and switch to HTTPS if the provider accepts it.

#!/bin/bash
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=denise.bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=www.bibble.co.nz' 
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=sync.bibble.co.nz'

Backup MySQL

I use the following script to back up the databases.

The root password is passed on the mysqldump command line, which shows up in ps for every local user while the dump runs; a --defaults-extra-file pointing at a 0600 .cnf with a [client] user/password section avoids that. The dumps contain every mailbox and password hash in the mail database, so the backups directory must not be world-readable.

#!/bin/sh

myBackupFolder="/home/iwiseman/backups"
myBackupLogFileName="$myBackupFolder/backup_log_$(date +'%Y_%m').txt"

DoBackup()
{
        myDatabaseName="$1"

        myCurrentDateTime="$(date +'%d_%m_%Y_%H_%M_%S')"
        myBackupFileName="db_backup_${myDatabaseName}_${myCurrentDateTime}.gz"
        myFullyQualifiedBackupFileName="$myBackupFolder/$myBackupFileName"

        echo "mysqldump of $myDatabaseName started at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
        # --single-transaction gives a consistent snapshot of InnoDB tables without locking them
        mysqldump --user=root --password=xxxx --default-character-set=utf8 --single-transaction "$myDatabaseName" | gzip > "$myFullyQualifiedBackupFileName"
        echo "mysqldump of $myDatabaseName finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"

        chown iwiseman "$myFullyQualifiedBackupFileName"
        chown iwiseman "$myBackupLogFileName"
        echo "file permission changed" >> "$myBackupLogFileName"

        # quote the pattern so the shell does not expand it against the current directory
        find "$myBackupFolder" -name 'db_backup_*' -mtime +8 -exec rm {} \;
        echo "old files deleted" >> "$myBackupLogFileName"

        echo "operation finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
        echo "*****************" >> "$myBackupLogFileName"
}


DoBackup mail
DoBackup wordpress424

exit 0

Fix Playstation

This works when enp1s0 is the interface of the second NIC (the one the Playstation is plugged into) and enp2s0 is the main NIC (the one with the internet route).

To fix the playstation create the following script as /usr/local/bin/fix_playstation.sh

 #!/bin/bash
 echo 1 > /proc/sys/net/ipv4/ip_forward
 # masquerade on the main NIC (there is no eth0 on a box with enpNs0 interface names)
 iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
 # main NIC -> Playstation: only replies to connections the Playstation opened
 iptables -A FORWARD -i enp2s0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 # Playstation -> main NIC: anything outbound
 iptables -A FORWARD -i enp1s0 -o enp2s0 -j ACCEPT

The direction of the two FORWARD rules matters: the RELATED,ESTABLISHED match belongs on the inbound (main NIC to Playstation) side, otherwise new connections from the outside are forwarded to the Playstation. With the default FORWARD policy of ACCEPT the rules change nothing; they only take effect once the chain's policy is set to DROP. The script appends on every run, so flush the FORWARD chain and the nat POSTROUTING chain first if it is run more than once.

Put this into /etc/rc.local e.g

 #!/bin/bash
 /usr/local/bin/fix_playstation.sh

On 20.04 rc-local.service only runs /etc/rc.local if it exists and is executable (chmod +x), and fix_playstation.sh must be executable as well.

Setting up L2TP VPN

You will need the following

Connection Name: xxxxxx
Username: xxxxxxx
Password: xxxxxxx
ServerAddress: xxxxxxx
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: xxxxxx
Under IPSec Settings (Linux)
3des-sha1-modp1024 for phase 1 (Linux)
3des-sha1 for phase 2 (Linux)
Authentication Methods: PAP, MSChapV2, CHAP (Windows only)
EncryptionLevel: Optional (Windows only)

3DES, SHA-1 and the 1024-bit MODP group are legacy choices dictated by the VPN server; current strongSwan and libreswan defaults no longer propose them, which is why they have to be typed in explicitly. If you control the server, move it to AES with a 2048-bit or larger group and drop these settings.

 sudo apt-get install network-manager-l2tp
 sudo apt-get install network-manager-l2tp-gnome
 sudo service xl2tpd stop
 sudo update-rc.d xl2tpd disable

The system xl2tpd is stopped and disabled because NetworkManager-l2tp starts its own instance, and the two would conflict on UDP port 1701.

Install Jenkins

This was done on a 20.04 Ubuntu server. We need Java. The Jenkins page says it supports OpenJDK JDK/JRE 8 (64-bit) and OpenJDK JDK/JRE 11 (64-bit), so we need to make sure it uses the right one by creating a .profile for the jenkins user (note .bashrc does not run for this user).

Install java

apt install openjdk-11-jdk-headless

Change the default to 11

sudo update-alternatives --config java

Install Jenkins

wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -
sudo sh -c 'echo deb https://pkg.jenkins.io/debian-stable binary/ > \
    /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins

apt-key is deprecated on releases after 20.04; there the key goes under /etc/apt/keyrings and is referenced with a signed-by option in the sources entry. Jenkins has also rotated its repository signing key since, so if apt-get update reports a signature error, fetch the current key from pkg.jenkins.io.

Create a .profile for the jenkins user

cat /var/lib/jenkins/.profile
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH

Change the startup script /etc/init.d/jenkins so the same variables are set there

PATH=
....
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH

Change the java back

sudo update-alternatives --config java

OpenLDAP

Install software

sudo apt install slapd ldap-utils

Reconfigure to your Domain

sudo dpkg-reconfigure slapd

You can verify this has worked with (don't forget sudo)

sudo ldapsearch -x -LLL -b "" -s base namingContexts

It should return your setup in my case

dn:
namingContexts: dc=bibble,dc=co,dc=nz

And view the RootDN

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcRootDN:

It should return

olcRootDN: cn=admin,cn=config
olcRootDN: cn=admin,dc=bibble,dc=co,dc=nz

Configuring Logging

To view the log level

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcLogLevel:

Which returns

olcLogLevel: none

We can either use

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -Q

to modify interactively, or use LDIF files to update. Either way the contents are

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

To perform using LDIF use

sudo ldapmodify -Y EXTERNAL -H ldapi:///  -f /tmp/test.ldif

And verify with

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q

Setting up log files

Lets put the logs into their own file

sudo vi /etc/rsyslog.d/51-slapd.conf

Add the following

local4.* /var/log/slapd.log

Restart

sudo systemctl restart rsyslog slapd

Lets clean up the logs

 sudo vi /etc/logrotate.d/slapd

Add the following

 /var/log/slapd.log
 { 
         rotate 7
         daily
         missingok
         notifempty
         delaycompress
         compress
         postrotate
                 /usr/lib/rsyslog/rsyslog-rotate
         endscript
 }

Restart (logrotate is a oneshot service driven by a daily timer, so this simply runs it once; a dry run with logrotate -d /etc/logrotate.d/slapd shows what the new file would do without touching anything)

 sudo systemctl restart logrotate

Set up TLS

There are three files to worry about

rootCA
server cert
server key

I create these independently of this setup and they are placed in

/etc/ssl/openldap/certs/rootCA.pem
/etc/ssl/openldap/certs/server.crt
/etc/ssl/openldap/private/server.key

Set permissions on the directory

chown -R openldap: /etc/ssl/openldap/

We need to allow AppArmor to read the files, so edit

vi /etc/apparmor.d/usr.sbin.slapd

With

...
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.slapd>

  #TLS
  /etc/ssl/openldap/certs/ r,
  /etc/ssl/openldap/certs/* r,
  /etc/ssl/openldap/private/ r,
  /etc/ssl/openldap/private/* r,

  /etc/letsencrypt/archive/ldap.bibble.co.nz/ r,
  /etc/letsencrypt/archive/ldap.bibble.co.nz/* r,

The letsencrypt lines are only needed for the Let's Encrypt variant further down, where the files under /etc/ssl/openldap are symlinks into /etc/letsencrypt: AppArmor checks the resolved path, so the targets have to be allowed too. Putting these lines in /etc/apparmor.d/local/usr.sbin.slapd instead of the main profile keeps them safe from package upgrades.

Reload

apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd

Create an ldif to reflect your cert names and locations (these match the files placed above)

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key

Had a lot of trouble getting the next bit to work thanks to no help from the product. Firstly add the openldap user to the ssl-cert group with

usermod -aG ssl-cert openldap

Also found that the key was read-only for letsencrypt so

chmod g+r  /etc/letsencrypt/archive/DOMAIN/privkey1.pem

g+r only has an effect if the file's group is ssl-cert (chgrp it as well), and each renewal writes a new privkeyN.pem, so check its permissions after the first renewal; a certbot --deploy-hook is the place to reapply them.

The trick is to get the permissions right. I did this by looking at what others had done. Namely /etc/ssl. I checked the permisions on directories cert and private plus the contents and owner. Here is the end result

root@oliver:/etc/ssl# ls -lR openldap/
openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov  4 13:39 certs
d-wx--x--- 2 openldap ssl-cert 4096 Nov  4 13:39 private

openldap/certs:
total 8
-rw-r--r-- 1 openldap ssl-cert 1411 Nov  4 13:39 rootCA.pem
-rw-r--r-- 1 openldap ssl-cert 1501 Nov  4 13:39 server.crt

openldap/private:
total 4
-rw-r----- 1 openldap ssl-cert 1704 Nov  4 13:39 server.key

Now you should be able to add the TLS entries with

 ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-tls.ldif

As ever you can verify this with

slapcat -b "cn=config" | grep -E "olcTLS"

Which should show

olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt

Let's run a test before switching

slaptest -u

Which should show

config file testing succeeded

Add the certificate into /etc/ldap/ldap.conf so the client tools trust the server certificate

...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
TLS_CACERT	/etc/ssl/openldap/certs/rootCA.pem

Restart the server

systemctl restart slapd

Finally, phew, test the connectivity (-ZZ forces StartTLS and fails rather than falling back to plaintext, which is the point of the test)

ldapwhoami -H ldapi:/// -x -ZZ

For lets encrypt I ended up with

ls -lR  /etc/ssl/openldap/
/etc/ssl/openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov  4 05:30 certs
drwxr-xr-x 2 openldap ssl-cert 4096 Nov  4 05:31 private

/etc/ssl/openldap/certs:
total 0
lrwxrwxrwx 1 openldap openldap 53 Nov  4 05:30 rootCA.pem -> /etc/letsencrypt/live/XXX/fullchain.pem
lrwxrwxrwx 1 openldap openldap 48 Nov  4 05:30 server.crt -> /etc/letsencrypt/live/XXX/cert.pem

/etc/ssl/openldap/private:
total 0
lrwxrwxrwx 1 openldap ssl-cert 51 Nov  4 05:31 server.key -> /etc/letsencrypt/live/XXX/privkey.pem

And the ldif

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3

olcTLSProtocolMin is given as the SSL record-layer version, so 3.3 is TLS 1.2 (3.1 would be TLS 1.0); NORMAL is a GnuTLS priority string; olcTLSVerifyClient never means the server does not ask clients for certificates, which is fine when users authenticate with passwords over StartTLS.

You can test this with

sudo ldapwhoami -H ldap://ldap.bibble.co.nz -x -ZZ

Add a user

Create the people and group OUs under your base DN (the entries below use dc=ldapmaster,dc=kifarunix-demo,dc=com; substitute the namingContexts value of your own server, dc=bibble,dc=co,dc=nz in this case) and add them with ldapadd bound as the admin DN

dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
ou: group

And add a user as below, creating the password hash first with slappasswd

dn: uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mibeyam
cn: mibeyam
givenName: Amos
sn: Mibey
userPassword: {SSHA}sO8V/PZsGCta6098vs2qgX767AJF3Sw7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/mibeyam

dn: cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: mibeyam
gidNumber: 10000
memberUid: mibeyam
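The userPassword value above is what slappasswd produces by default: the {SSHA} scheme, a base64 encoding of SHA-1(password || salt) with the 4-byte salt appended (the page's value decodes to exactly 24 bytes). The following added example, which is not code from the page, builds such a value, verifies a password against one in constant time, and emits the user and group entries above as one LDIF string ready for ldapadd. The base DN, uid and numeric ids are the page's example values; the fixed salt used in the test is constructed so the result is reproducible.

```python
"""Added example (not from the bibbleWiki page): build a userPassword value the
way slappasswd's default {SSHA} scheme does (base64 of SHA-1(password || salt)
followed by the salt), verify a password against such a value, and emit the
user and group LDIF entries shown on the page.

Assumptions: 4-byte random salt as slappasswd uses; the default base DN is
the page's example DN.
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style '{SSHA}...' value for password (str)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check password against a '{SSHA}...' value without leaking timing on the compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; whatever follows is the salt
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def user_ldif(uid, given, sn, password_hash, uid_number,
              base_dn="dc=ldapmaster,dc=kifarunix-demo,dc=com"):
    """The posixAccount entry plus its private posixGroup, as one LDIF string for ldapadd."""
    return "\n".join([
        "dn: uid=%s,ou=people,%s" % (uid, base_dn),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "uid: %s" % uid,
        "cn: %s" % uid,
        "givenName: %s" % given,
        "sn: %s" % sn,
        "userPassword: %s" % password_hash,
        "loginShell: /bin/bash",
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % uid_number,
        "homeDirectory: /home/%s" % uid,
        "",
        "dn: cn=%s,ou=group,%s" % (uid, base_dn),
        "objectClass: posixGroup",
        "cn: %s" % uid,
        "gidNumber: %d" % uid_number,
        "memberUid: %s" % uid,
        "",
    ])


if __name__ == "__main__":
    h = ssha_hash("correct horse")
    print(user_ldif("mibeyam", "Amos", "Mibey", h, 10000))
    print("verify ok:", ssha_verify(h, "correct horse"), "wrong:", ssha_verify(h, "tr0ub4dor"))
```

SSHA is a single salted SHA-1, which is cheap to brute-force offline if the directory is ever dumped; where the server supports it, a slow scheme such as the pw-argon2 module's {ARGON2} is the better choice, and the userPassword attribute should in any case be protected by an ACL that lets only the user and the admin read it.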

Set up client

You will need to know your base DN, which is the first line of slapcat output (the same value namingContexts returned earlier).

I would recommend you test your user on the client prior to provisioning using your DN and account

 ldapwhoami -vvv -H ldap://localhost -D "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -x -W

A good result echoes the user's DN. The -h option is deprecated, so the server is given as a URI, and -x with -W sends the password in the clear unless -ZZ is added to force StartTLS.

Install software

sudo apt-get update
sudo apt-get install libpam-ldapd libnss-ldapd

To create the home directory on first login, add this to /etc/pam.d/common-session

...
session required pam_mkhomedir.so umask=0022 skel=/etc/skel

Restart the services

sudo systemctl restart nslcd
sudo systemctl restart nscd

Useful Commands

List users

 ldapsearch -x -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com"

Delete user

ldapdelete -x -W -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Reset password

ldappasswd -H ldapi:/// -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -S "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"