Linux Setup: Difference between revisions
Revision as of 23:47, 4 November 2020
Network Stuff
ip link list eno1
ip link set eno1 down
ip link set eno1 up
netplan apply
Set up Monitors
Change ~/.config/monitors.xml, test it, and then copy it into place for the login screen:
sudo cp ~/.config/monitors.xml /var/lib/gdm3/.config/
sudo chown gdm:gdm /var/lib/gdm3/.config/monitors.xml
My monitor 2020-09-07
<monitors version="2">
  <configuration>
    <logicalmonitor>
      <x>0</x>
      <y>0</y>
      <scale>1</scale>
      <transform>
        <rotation>left</rotation>
        <flipped>no</flipped>
      </transform>
      <monitor>
        <monitorspec>
          <connector>DVI-D-0</connector>
          <vendor>DEL</vendor>
          <product>DELL U2412M</product>
          <serial>9W5YH33E2ECS</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1200</height>
          <rate>59.950172424316406</rate>
        </mode>
      </monitor>
    </logicalmonitor>
    <logicalmonitor>
      <x>1200</x>
      <y>0</y>
      <scale>1</scale>
      <primary>yes</primary>
      <monitor>
        <monitorspec>
          <connector>HDMI-0</connector>
          <vendor>AOC</vendor>
          <product>V27t</product>
          <serial>0x01010101</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1080</height>
          <rate>60</rate>
        </mode>
      </monitor>
    </logicalmonitor>
  </configuration>
</monitors>
Set up Apache HSTS
In Apache 2 000-default.conf
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
In Apache 2 default-ssl.conf
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
One-time setups on 19.04 upwards
To add scaling
gsettings set org.gnome.mutter experimental-features "['x11-randr-fractional-scaling']"
Auto hide taskbar
Go to settings->dock->auto-hide the dock
Hide top bar
sudo apt install gnome-shell-extension-autohidetopbar
- log out
- log in
- run gnome-tweak
- extension->Hide to bar
One-time setups on 20.04 upwards
MediaWiki
- Create database
CREATE DATABASE my_wiki;
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
- Restore database
mysql -u root -p XXXX < db_backup_XXXX_23_10_2019_04_21_44
- Copy Wiki files
cp <backup>/mediawiki /var/lib/mediawiki
Postfix
- Create database
CREATE DATABASE mail;
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
Then restore the backup:
mysql -u root -p XXXX < db_backup_my_XXXX_23_10_2019_04_21_44
- Setup mail user and directory
cd /var
ln -s /mnt/<RAID ARRAY>/vmail .
groupadd -g 5000 vmail
useradd -m -d /var/vmail -s /bin/false -u 5000 -g vmail vmail
- Setup SSL
systemctl stop apache2
apt-get install python3-certbot-apache
certbot -n --agree-tos --standalone certonly -d www.bibble.co.nz
certbot -n --agree-tos --standalone certonly -d mail.bibble.co.nz
certbot -n --agree-tos --standalone certonly -d imap.bibble.co.nz
- Install postfix
apt-get install postfix
apt-get install postfix-mysql
apt-get install postfix-policyd-spf-python
apt-get install postgrey
apt-get install sasl2-bin libsasl2.2 libsasl2-modules
- Install opendkim
apt-get install opendkim
cp -r /tmp/fred/Backup20200606/etc/opendkim /etc
Change /etc/opendkim.conf Socket local:/var/spool/postfix/opendkim/opendkim.sock
Change /etc/default/opendkim Socket local:/var/spool/postfix/opendkim/opendkim.sock
Change /etc/postfix/main.cf smtpd_milters = local:opendkim/opendkim.sock
- Install spamassassin
apt-get install spamassassin
Dovecot
apt install dovecot-imapd dovecot-pop3d
apt install dovecot-sieve dovecot-solr dovecot-antispam
apt-get install dovecot-mysql
apt-get install dovecot-lmtpd
Setting netplan to render through NetworkManager
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp4s0:
      addresses: [10.1.1.70/24]
      gateway4: 10.1.1.99
      nameservers:
        search: [bibble.local]
        addresses: [10.10.1.2]
      dhcp4: no
Setting up a repo for the currently installed packages on Ubuntu
Get the list of packages installed
$ apt list --installed > install.list
Then translate it into apt understandable format:
$ sed -r 's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3=\2/g' > install.list.to.dl
Then download the current packages versions:
$ xargs apt download < install.list.to.dl
You would need to create a Packages.gz file in order to add this folder as a source for apt. E.g.
$ cd ~/deb_server/debs/
$ dpkg-scanpackages -m . /dev/null | gzip -9c > Packages.gz
EDIT: the path given to dpkg-scanpackages must be relative, otherwise this will break the download process later (-m allows you to have multiple versions; if you only want the most recent version, remove the -m). Now you have to bring up a file server, for example apache2, and configure it to index files.
/etc/apache2/sites-enabled/000-debserver.conf
Containing:
DocumentRoot /var/www
<Directory /var/www/>
    Options +Indexes +FollowSymLinks
    Require all granted
</Directory>
And finally you need to symlink the deb folder to /var/www. (Or configure the server to the current deb download location) e.g.
$ ln -s ~/deb_server/debs/ /var/www/repo
The last bit is to add the server machine as the only source for apt updates on each target machine (the only entry in its apt sources):
deb [trusted=yes] http://deb_server_ip/repo /
If you want to update the packages, you need to re-run apt download of the list, but without the version.
$ sed -r 's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3/g' > install.list.for.update
$ apt update && xargs apt download < install.list.for.update
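The two sed passes above can be done in one awk pass that also drops the "Listing..." header apt list prints, which the sed patterns do not match and which would otherwise be handed to apt download. This is an added example, not from the original page; the three package lines are constructed sample output of apt list --installed, and apt_list_to_dl is a name chosen here.

```shell
#!/bin/bash
# Added example: turn `apt list --installed` output into the name:arch=version
# form that `apt download` accepts (or name:arch for a later update run).

# Constructed sample of what `apt list --installed` prints on stdout.
SAMPLE_APT_LIST='Listing...
apache2/focal-updates,focal-security,now 2.4.41-4ubuntu3.1 amd64 [installed]
curl/focal-updates,now 7.68.0-1ubuntu2.7 amd64 [installed,automatic]
libc6/focal-updates,now 2.31-0ubuntu9.2 amd64 [installed]'

# Reads apt list output on stdin and prints one line per package.
# $1 = "yes" (default) pins the version (name:arch=version);
# $1 = "no" drops it (name:arch) for the update pass.
apt_list_to_dl() {
    local pinned="${1:-yes}"
    awk -v pinned="$pinned" '
        /^Listing/ { next }          # header line, not a package
        NF < 3     { next }          # blank or unexpected line
        {
            split($1, a, "/")        # "name/suite,suite,now" -> name
            name = a[1]; version = $2; arch = $3
            if (pinned == "yes") print name ":" arch "=" version
            else                 print name ":" arch
        }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_APT_LIST" | apt_list_to_dl
printf '%s\n' "$SAMPLE_APT_LIST" | apt_list_to_dl no
```

In use, replace the sample with `apt list --installed 2>/dev/null | apt_list_to_dl > install.list.to.dl`.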
Setting up IoT Edge on 19.04
Not yet released so here is how to do it
Install docker
wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/i/iotedge/iotedge_1.0.8-2_amd64.deb
wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/libi/libiothsm-std/libiothsm-std_1.0.8-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5.3_amd64.deb
Fixing the Ubuntu 19.04 mouse
Install kernel 5.2.x
Certificates
Initial
apt-get install software-properties-common python-software-properties
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache
certbot -n --agree-tos --standalone certonly -d <site1.domain.com>
certbot -n --agree-tos --standalone certonly -d <site2.domain.com>
Renew
certbot -n --agree-tos --standalone certonly -d <site1.domain.com>
systemctl restart dovecot
systemctl restart apache2
Building r8168
This is not necessary as you can use the command
apt-get install r8168-dkms
Updating DNS
This script runs in crontab once every 15 minutes
#!/bin/bash
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=denise.bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=www.bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=sync.bibble.co.nz'
Backup MySQL
I use the following script to back up the databases
#!/bin/sh
myBackupFolder="/home/iwiseman/backups"
myBackupLogFileName="$myBackupFolder/backup_log_$(date +'%Y_%m').txt"

# Dump one database to a timestamped gzip file and log each step
DoBackup() {
    myDatabaseName=$1
    myCurrentDateTime="$(date +'%d_%m_%Y_%H_%M_%S')"
    myBackupFileName="db_backup_${myDatabaseName}_${myCurrentDateTime}.gz"
    myFullyQualifiedBackupFileName="$myBackupFolder/$myBackupFileName"
    echo "mysqldump of $myDatabaseName started at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
    mysqldump --user=root --password=xxxx --default-character-set=utf8 --single-transaction "$myDatabaseName" | gzip > "$myFullyQualifiedBackupFileName"
    echo "mysqldump of $myDatabaseName finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
    chown iwiseman "$myFullyQualifiedBackupFileName"
    chown iwiseman "$myBackupLogFileName"
    echo "file permission changed" >> "$myBackupLogFileName"
    # quote the pattern so the shell does not expand it before find sees it
    find "$myBackupFolder" -name 'db_backup_*' -mtime +8 -exec rm {} \;
    echo "old files deleted" >> "$myBackupLogFileName"
    echo "operation finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
    echo "*****************" >> "$myBackupLogFileName"
}

DoBackup mail
DoBackup wordpress424
exit 0
Fix Playstation
This works when enp1s0 is the interface of the second NIC and enp2s0 is the main NIC.
To fix the Playstation create the following script
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
# enp2s0 is the main (upstream) NIC, so masquerade on it rather than eth0
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
iptables -A FORWARD -i enp1s0 -o enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp2s0 -o enp1s0 -j ACCEPT
Put this into /etc/rc.local, e.g.
#!/bin/bash
/usr/local/bin/fix_playstation.sh
Setting up L2TP VPN
You will need the following
Connection Name: xxxxxx
Username: xxxxxxx
Password: xxxxxxx
Server Address: xxxxxxx
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: xxxxxx
Under IPsec Settings (Linux):
  3des-sha1-modp1024 for phase 1 (Linux)
  3des-sha1 for phase 2 (Linux)
Authentication Methods: PAP, MSChapV2, CHAP (Windows only)
Encryption Level: Optional (Windows only)
sudo apt-get install network-manager-l2tp
sudo apt-get install network-manager-l2tp-gnome
sudo service xl2tpd stop
sudo update-rc.d xl2tpd disable
Install Jenkins
This was done on a 20.04 Ubuntu server
We need Java. The Jenkins page says it supports OpenJDK JDK / JRE 8 - 64 bits and OpenJDK JDK / JRE 11 - 64 bits, so we need to make sure it uses the right one by creating a .profile. (Note that .bashrc does not run for this user.)
Install java
apt install openjdk-11-jdk-headless
Change the default to 11
sudo update-alternatives --config java
Install Jenkins
wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -
sudo sh -c 'echo deb https://pkg.jenkins.io/debian-stable binary/ > \
/etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins
Create a startup script
cat /var/lib/jenkins/.profile
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH
Change the startup script /etc/init.d/jenkins
PATH=
....
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH
Change the java back
sudo update-alternatives --config java
OpenLDAP
Install software
sudo apt install slapd ldap-utils
Reconfigure to your Domain
sudo dpkg-reconfigure slapd
You can verify this has worked with (don't forget sudo)
sudo ldapsearch -x -LLL -b "" -s base namingContexts
It should return your setup, in my case
dn:
namingContexts: dc=bibble,dc=co,dc=nz
And view the RootDN
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcRootDN:
It should return
olcRootDN: cn=admin,cn=config
olcRootDN: cn=admin,dc=bibble,dc=co,dc=nz
Configuring Logging
To view the log level
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcLogLevel:
Which returns
olcLogLevel: none
We can either use
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -Q
to modify interactively, or use an LDIF file to update. Either way the contents are
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats
To perform using LDIF use
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/test.ldif
And verify with
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q
Setting up log files
Let's put the logs into their own file
sudo vi /etc/rsyslog.d/51-slapd.conf
Add the following
local4.* /var/log/slapd.log
Restart
sudo systemctl restart rsyslog slapd
Let's rotate the logs
sudo vi /etc/logrotate.d/slapd
Add the following
/var/log/slapd.log
{
rotate 7
daily
missingok
notifempty
delaycompress
compress
postrotate
/usr/lib/rsyslog/rsyslog-rotate
endscript
}
Restart
sudo systemctl restart logrotate
Set up SSL
There are three files to worry about:
- rootCA
- server cert
- server key
I create these independently of this setup and they are placed in
/etc/ssl/openldap/certs/rootCA.pem
/etc/ssl/openldap/certs/server.crt
/etc/ssl/openldap/private/server.key
Set permissions on the directory
chown -R openldap: /etc/ssl/openldap/
We need to allow slapd, under AppArmor, to read the files, so edit
vi /etc/apparmor.d/usr.sbin.slapd
With
...
# Site-specific additions and overrides. See local/README for details.
#include
#TLS
/etc/ssl/openldap/certs/ r,
/etc/ssl/openldap/certs/* r,
/etc/ssl/openldap/private/ r,
/etc/ssl/openldap/private/* r,
/etc/letsencrypt/archive/ldap.bibble.co.nz/ r,
/etc/letsencrypt/archive/ldap.bibble.co.nz/* r,
Reload
apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
Create an LDIF to reflect your cert names and locations
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/ldapserver-cert.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/ldapserver-key.key
Had a lot of trouble getting the next bit to work, thanks to no help from the product. Firstly add the openldap user to the ssl-cert group with
usermod -aG ssl-cert openldap
Also found that the Let's Encrypt key was not group-readable, so
chmod g+r /etc/letsencrypt/archive/DOMAIN/privkey1.pem
The trick is to get the permissions right. I did this by looking at what others had done, namely /etc/ssl. I checked the permissions on the cert and private directories plus their contents and owner. Here is the end result
root@oliver:/etc/ssl# ls -lR openldap/
openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov 4 13:39 certs
d-wx--x--- 2 openldap ssl-cert 4096 Nov 4 13:39 private
openldap/certs:
total 8
-rw-r--r-- 1 openldap ssl-cert 1411 Nov 4 13:39 rootCA.pem
-rw-r--r-- 1 openldap ssl-cert 1501 Nov 4 13:39 server.crt
openldap/private:
total 4
-rw-r----- 1 openldap ssl-cert 1704 Nov 4 13:39 server.key
Now you should be able to add the TLS entries with
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-tls.ldif
As ever you can verify this with
slapcat -b "cn=config" | grep -E "olcTLS"
Which should show
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
Let's run a test before switching
slaptest -u
Which should show
config file testing succeeded
Add the certificate into /etc/ldap/ldap.conf
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/openldap/certs/rootCA.pem
Restart the server
systemctl restart slapd
Finally, phew, test the connectivity
ldapwhoami -H ldapi:/// -x -ZZ
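Before the restart it is worth checking that the ownership and modes actually match the listing above, since a world-readable key or a key the ssl-cert group cannot read are the two ways this goes wrong. The following is an added example, not from the original page or from OpenLDAP: check_ldap_tls_perms is a name chosen here, it assumes the plain-file layout shown above (not the Let's Encrypt symlink variant), and it follows symlinks so the target file is what gets judged.

```shell
#!/bin/bash
# Added example: verify the /etc/ssl/openldap ownership and mode layout.
# Usage: check_ldap_tls_perms BASE_DIR OWNER GROUP
#   page values: /etc/ssl/openldap openldap ssl-cert
# Returns 0 when every check passes, 1 otherwise (problems are printed).
check_ldap_tls_perms() {
    local base="$1" owner="$2" group="$3" rc=0
    # relative path, expected owner:group, most permissive acceptable mode
    local spec="certs/rootCA.pem ${owner}:${group} 644
certs/server.crt ${owner}:${group} 644
private ${owner}:${group} 750
private/server.key ${owner}:${group} 640"
    local rel want_og max_mode path og mode keymode
    while read -r rel want_og max_mode; do
        path="$base/$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        og=$(stat -L -c '%U:%G' "$path")   # -L: judge the target, not a symlink
        mode=$(stat -L -c '%a' "$path")
        if [ "$og" != "$want_og" ]; then
            echo "OWNER   $path is $og, want $want_og"; rc=1
        fi
        # any bit set in mode that is not set in max_mode is too permissive
        if [ $(( 8#$mode & ~8#$max_mode )) -ne 0 ]; then
            echo "MODE    $path is $mode, allowed at most $max_mode"; rc=1
        fi
    done <<< "$spec"
    # slapd runs as openldap and reaches the key through the ssl-cert group,
    # so the key must stay group-readable while not being world-readable
    if [ -e "$base/private/server.key" ]; then
        keymode=$(stat -L -c '%a' "$base/private/server.key")
        if [ $(( 8#$keymode & 8#040 )) -eq 0 ]; then
            echo "MODE    $base/private/server.key is not group readable"; rc=1
        fi
    fi
    return $rc
}

# Stand-alone run against the page's paths (needs the files to exist):
check_ldap_tls_perms /etc/ssl/openldap openldap ssl-cert && echo "permissions OK"
```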
For Let's Encrypt I ended up with
ls -lR /etc/ssl/openldap/
/etc/ssl/openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov 4 05:30 certs
drwxr-xr-x 2 openldap ssl-cert 4096 Nov 4 05:31 private
/etc/ssl/openldap/certs:
total 0
lrwxrwxrwx 1 openldap openldap 53 Nov 4 05:30 rootCA.pem -> /etc/letsencrypt/live/XXX/fullchain.pem
lrwxrwxrwx 1 openldap openldap 48 Nov 4 05:30 server.crt -> /etc/letsencrypt/live/XXX/cert.pem
/etc/ssl/openldap/private:
total 0
lrwxrwxrwx 1 openldap ssl-cert 51 Nov 4 05:31 server.key -> /etc/letsencrypt/live/XXX/privkey.pem
And the LDIF
dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3
You can test this with
sudo ldapwhoami -H ldap://ldap.bibble.co.nz -x -ZZ
Add a user
Create the base DNs
dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
ou: group
And add a user as below, first creating a password hash with slappasswd
dn: uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: mibeyam
cn: mibeyam
givenName: Amos
sn: Mibey
userPassword: {SSHA}sO8V/PZsGCta6098vs2qgX767AJF3Sw7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/mibeyam

dn: cn=mibeyam,ou=group,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: posixGroup
cn: mibeyam
gidNumber: 10000
memberUid: mibeyam
Useful Commands
List users
ldapsearch -x -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com"
Delete user
ldapdelete -x -W -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
Reset password
ldappasswd -H ldapi:/// -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -S "uid=mibeyam,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"