Linux Setup

From bibbleWiki
Revision as of 05:58, 4 November 2020 by Iwiseman (talk | contribs) (Set up ssl)

Network Stuff

ip link list eno1
ip link set eno1 down
ip link set eno1 up
netplan apply

Set up Monitors

Change ~/.config/monitors.xml, test it, and copy it to the GDM config directory so the login screen uses the same layout:

sudo cp ~/.config/monitors.xml /var/lib/gdm3/.config/
sudo chown gdm:gdm /var/lib/gdm3/.config/monitors.xml

My monitor 2020-09-07

<monitors version="2">
  <configuration>
    <logicalmonitor>
      <x>0</x>
      <y>0</y>
      <scale>1</scale>
      <transform>
        <rotation>left</rotation>
        <flipped>no</flipped>
      </transform>
      <monitor>
        <monitorspec>
          <connector>DVI-D-0</connector>
          <vendor>DEL</vendor>
          <product>DELL U2412M</product>
          <serial>9W5YH33E2ECS</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1200</height>
          <rate>59.950172424316406</rate>
        </mode>
      </monitor>
    </logicalmonitor>
    <logicalmonitor>
      <x>1200</x>
      <y>0</y>
      <scale>1</scale>
      <primary>yes</primary>
      <monitor>
        <monitorspec>
          <connector>HDMI-0</connector>
          <vendor>AOC</vendor>
          <product>V27t</product>
          <serial>0x01010101</serial>
        </monitorspec>
        <mode>
          <width>1920</width>
          <height>1080</height>
          <rate>60</rate>
        </mode>
      </monitor>
    </logicalmonitor>
  </configuration>
</monitors>

Set up Apache HSTS

In Apache 2 000-default.conf

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

In Apache 2 default-ssl.conf

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

One time setups on 19.04 upwards

To add scaling

gsettings set org.gnome.mutter experimental-features "['x11-randr-fractional-scaling']"

Auto hide taskbar

Go to settings->dock->auto-hide the dock

Hide top bar

sudo apt install gnome-shell-extension-autohidetopbar
  • log out
  • log in
  • run gnome-tweaks
  • Extensions -> Hide Top Bar

One time setups on 20.04 upwards

MediaWiki

  • Create database
CREATE DATABASE my_wiki;
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
  • Restore database
mysql -u root -p XXXX < db_backup_XXXX_23_10_2019_04_21_44
  • Copy Wiki files
cp -r <backup>/mediawiki /var/lib/mediawiki

The GRANT above covers every database on the server; for an account the wiki alone uses, GRANT ALL PRIVILEGES ON my_wiki.* is enough.

Postfix

  • Create database
CREATE DATABASE mail;
CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'localhost';
mysql -u root -p XXXX < db_backup_my_XXXX_23_10_2019_04_21_44
  • Setup mail user and directory
cd /var
ln -s /mnt/<RAID ARRAY>/vmail .
groupadd -g 5000 vmail
useradd -m -d /var/vmail -s /bin/false -u 5000 -g vmail vmail
  • Setup SSL
systemctl stop apache2
apt-get install python3-certbot-apache
certbot -n  --agree-tos --standalone certonly -d www.bibble.co.nz
certbot -n  --agree-tos --standalone certonly -d mail.bibble.co.nz
certbot -n  --agree-tos --standalone certonly -d imap.bibble.co.nz
  • Install postfix
apt-get install postfix
apt-get install postfix-mysql 
apt-get install postfix-policyd-spf-python
apt-get install postgrey 
apt-get install sasl2-bin libsasl2.2 libsasl2-modules
  • Install opendkim
apt-get install opendkim
cp -r /tmp/fred/Backup20200606/etc/opendkim /etc
Change /etc/opendkim.conf
Socket    local:/var/spool/postfix/opendkim/opendkim.sock
Change /etc/default/opendkim
Socket    local:/var/spool/postfix/opendkim/opendkim.sock
Change /etc/postfix/main.cf
smtpd_milters = local:opendkim/opendkim.sock
  • Install spamassassin
apt-get install spamassassin

Dovecot

apt install dovecot-imapd dovecot-pop3d
apt install dovecot-sieve dovecot-solr dovecot-antispam
apt-get install dovecot-mysql
apt-get install dovecot-lmtpd

Setting netplan to render through network manager

network:
    version: 2
    renderer: NetworkManager
    ethernets:
        enp4s0:
            addresses: [10.1.1.70/24]
            gateway4: 10.1.1.99
            nameservers:
                search: [bibble.local]
                addresses: [10.10.1.2]
            dhcp4: no

Setting up repo for current packages on ubuntu

Get the list of installed packages

$ apt list --installed > install.list

Then translate it into apt understandable format:

$ sed -r  's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3=\2/g' > install.list.to.dl

Then download the current packages versions:

$ xargs apt download < install.list.to.dl

You would need to create a Packages.gz file in order to add this folder as a source for apt. E.g.

$ cd ~/deb_server/debs/
$ dpkg-scanpackages -m . /dev/null | gzip -9c >  Packages.gz  

EDIT: the path given to dpkg-scanpackages must be relative, otherwise the download step later breaks. -m keeps multiple versions of a package in the index; remove it if you only want the most recent version.

Now bring up a file server, for example apache2, and configure it to index files.

/etc/apache2/sites-enabled/000-debserver.conf

Containing:

DocumentRoot /var/www
  <Directory /var/www/>
    Options +Indexes +FollowSymLinks
    Require all granted
  </Directory>

And finally you need to symlink the deb folder to /var/www. (Or configure the server to the current deb download location) e.g.

$ ln -s ~/deb_server/debs/ /var/www/repo

The last bit is to add the server machine as the only source for apt updates on each target machine, i.e. the only deb line in /etc/apt/sources.list:

deb [trusted=yes] http://deb_server_ip/repo /

[trusted=yes] tells apt to skip signature verification for this source, which is needed because dpkg-scanpackages produces no signed Release file; the alternative is to sign a Release file for the folder and drop the option.

If you want to update the packages, you need to re-run apt download of the list, but without the version.

$ sed -r  's/ \[.*?\]//g' install.list | sed -r 's/(^.*?)\/.*?[ ](.*?)[ ](.*?)$/\1:\3/g' > install.list.for.update
$ apt update && xargs apt download < install.list.for.update
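The two sed one-liners above are hard to read and also pass the "Listing... Done" header line through to apt download. Here is the same translation as a shell function with awk, added as an example (not the wiki's own commands), run over a constructed sample of apt list --installed output:

```shell
#!/bin/sh
# Added example: turn `apt list --installed` output into the form `apt download`
# accepts. Mode "pinned" gives pkg:arch=version (as install.list.to.dl above),
# mode "latest" gives pkg:arch (as install.list.for.update above).

# Constructed sample of `apt list --installed` output, not captured from a real host.
SAMPLE_INSTALLED='Listing... Done
apache2/focal-updates,now 2.4.41-4ubuntu3.1 amd64 [installed]
libssl1.1/focal-updates,now 1.1.1f-1ubuntu2.4 amd64 [installed,automatic]
slapd/focal,now 2.4.49+dfsg-2ubuntu1.7 amd64 [installed]'

to_apt_download_list() {
  mode=${1:-pinned}
  awk -v mode="$mode" '
    /^Listing/ { next }   # header line apt prints first; not a package
    NF < 3     { next }   # ignore blank or unexpected lines
    {
      split($1, p, "/")   # $1 is "name/suite,now"; p[1] is the package name
      if (mode == "pinned") print p[1] ":" $3 "=" $2
      else                  print p[1] ":" $3
    }'
}

# Usage on a real machine:
#   apt list --installed | to_apt_download_list pinned > install.list.to.dl
#   apt list --installed | to_apt_download_list latest > install.list.for.update
```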

Setting up IoT Edge on 19.04

Not yet released, so here is how to do it

Install docker

wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/i/iotedge/iotedge_1.0.8-2_amd64.deb
wget https://packages.microsoft.com/ubuntu/18.04/multiarch/prod/pool/main/libi/libiothsm-std/libiothsm-std_1.0.8-1_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl1.0/libssl1.0.0_1.0.2n-1ubuntu5.3_amd64.deb

Fixing ubuntu 19.04 mouse

Install kernel 5.2.x

Certificates

Initial

 apt-get install software-properties-common python-software-properties
 add-apt-repository ppa:certbot/certbot
 apt-get update
 apt-get install python-certbot-apache 

 certbot -n  --agree-tos --standalone certonly -d <site1.domain.com>
 certbot -n  --agree-tos --standalone certonly -d <site2.domain.com>

Renew

certbot -n  --agree-tos --standalone certonly -d <site1.domain.com>
systemctl restart dovecot
systemctl restart apache2

Building r8168

This is not necessary as you can use the command

apt-get install r8168-dkms

Updating DNS

This script runs in crontab once every 15 minutes

#!/bin/bash
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=denise.bibble.co.nz'
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=www.bibble.co.nz' 
lynx -source -auth=user_xxx:pass_xxxx 'http://dynamic.zoneedit.com/auth/dynamic.html?host=sync.bibble.co.nz'

Backup MySQL

I use the following script to back up the databases

#!/bin/sh

myBackupFolder="/home/iwiseman/backups"
myBackupLogFileName="$myBackupFolder/backup_log_$(date +'%Y_%m').txt"

DoBackup()
{
        myDatabaseName=$1

        myCurrentDateTime="$(date +'%d_%m_%Y_%H_%M_%S')"
        myBackupFileName="db_backup_${myDatabaseName}_${myCurrentDateTime}.gz"
        myFullyQualifiedBackupFileName="$myBackupFolder/$myBackupFileName"

        echo "mysqldump of $myDatabaseName started at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
        # --password on the command line is visible to every user via ps; a [client]
        # section in a file passed with --defaults-extra-file avoids that.
        mysqldump --user=root --password=xxxx --default-character-set=utf8 --single-transaction "$myDatabaseName" | gzip > "$myFullyQualifiedBackupFileName"
        echo "mysqldump of $myDatabaseName finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"

        chown iwiseman "$myFullyQualifiedBackupFileName"
        chown iwiseman "$myBackupLogFileName"
        echo "file permission changed" >> "$myBackupLogFileName"

        # Quote the pattern so the shell does not expand it before find sees it.
        find "$myBackupFolder" -type f -name 'db_backup_*' -mtime +8 -exec rm {} \;
        echo "old files deleted" >> "$myBackupLogFileName"

        echo "operation finished at $(date +'%d-%m-%Y %H:%M:%S')" >> "$myBackupLogFileName"
        echo "*****************" >> "$myBackupLogFileName"
}


DoBackup mail
DoBackup wordpress424

exit 0
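A dump that was cut short (disk full, job killed) still decompresses cleanly, so the backup script above cannot tell a good file from a truncated one. The following check, added here as an example and not part of the wiki's script, relies on the "-- Dump completed" trailer that mysqldump writes as its last line; the file names follow the db_backup_<db>_<timestamp>.gz pattern the script produces:

```shell
#!/bin/sh
# Added example: sanity-check dumps produced by DoBackup before relying on them.

# Returns 0 if the file is a complete gzip'd mysqldump, 1 otherwise.
# mysqldump ends a successful run with "-- Dump completed on <date>"
# (or just "-- Dump completed" when --skip-dump-date is used).
verify_backup() {
  f=$1
  [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
  gzip -t "$f" 2>/dev/null || { echo "$f: corrupt gzip" >&2; return 1; }
  last=$(gzip -dc "$f" | tail -n 1)
  case "$last" in
    "-- Dump completed"*) return 0 ;;
    *) echo "$f: truncated dump (last line: $last)" >&2; return 1 ;;
  esac
}

# Checks every dump kept for one database in the backup folder.
# Returns 1 if there is none or any of them fails verify_backup.
verify_all() {
  folder=$1
  db=$2
  rc=0
  for f in "$folder"/db_backup_"${db}"_*.gz; do
    [ -e "$f" ] || { echo "no backups for $db in $folder" >&2; return 1; }
    verify_backup "$f" || rc=1
  done
  return $rc
}

# Usage, e.g. from the same cron job after DoBackup has run:
#   verify_all /home/iwiseman/backups mail && verify_all /home/iwiseman/backups wordpress424
```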

Fix Playstation

This works when enp1s0 is the interface of the second NIC (the one the PlayStation is plugged into) and enp2s0 is the main NIC with the internet route.

To fix the PlayStation create the following script

#!/bin/bash
# Let the kernel route between the two NICs
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT everything that leaves through the main NIC
iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
# From the main NIC towards the PlayStation only replies to connections it opened are forwarded
iptables -A FORWARD -i enp2s0 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything the PlayStation sends out is forwarded
iptables -A FORWARD -i enp1s0 -o enp2s0 -j ACCEPT

Put this into /etc/rc.local, e.g.

#!/bin/bash
/usr/local/bin/fix_playstation.sh

Setting up L2TP VPN

You will need the following

Connection Name: xxxxxx
Username: xxxxxxx
Password: xxxxxxx
ServerAddress: xxxxxxx
VPN Type: L2TP/IPsec with pre-shared key
Pre-shared key: xxxxxx
Under IPSec Settings (Linux)
3des-sha1-modp1024 for phase 1 (Linux)
3des-sha1 for phase 2 (Linux)
Authentication Methods: Pap, MSChapV2, Chap (Windows only)
EncryptionLevel: Optional (Windows only)
 sudo apt-get install network-manager-l2tp
 sudo apt-get install network-manager-l2tp-gnome
 sudo service xl2tpd stop
 sudo update-rc.d xl2tpd disable

Install Jenkins

This was done on a 20.04 Ubuntu server.
We need Java. The Jenkins page says it supports OpenJDK JDK/JRE 8 (64-bit) and OpenJDK JDK/JRE 11 (64-bit), so we need to make sure it uses the right one by creating a .profile for the jenkins user (note that .bashrc does not run for this user).

Install java

apt install openjdk-11-jdk-headless

Change the default to 11

sudo update-alternatives --config java

Install Jenkins

wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -
sudo sh -c 'echo deb https://pkg.jenkins.io/debian-stable binary/ > \
    /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins

Create a startup script

cat /var/lib/jenkins/.profile 
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH

Change the startup script /etc/init.d/jenkins

PATH=
....
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
echo $JAVA_HOME
export PATH=$JAVA_HOME/bin:$PATH

Change the java back

sudo update-alternatives --config java

OpenLDAP

Install software

sudo apt install slapd ldap-utils

Reconfigure to your domain

sudo dpkg-reconfigure slapd

You can verify this has worked with (don't forget sudo)

sudo ldapsearch -x -LLL -b "" -s base namingContexts

It should return your setup; in my case

dn:
namingContexts: dc=bibble,dc=co,dc=nz

And view the RootDN

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcRootDN:

It should return

olcRootDN: cn=admin,cn=config
olcRootDN: cn=admin,dc=bibble,dc=co,dc=nz

Configuring Logging

To view the log level

sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" -LLL -Q | grep olcLogLevel:

Which returns

olcLogLevel: none

We can either use

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -Q

to type the change in interactively, or put it in an LDIF file. Either way the contents are

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats

To perform using LDIF use

sudo ldapmodify -Y EXTERNAL -H ldapi:///  -f /tmp/test.ldif

And verify with

sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL -Q

Setting up log files

Let's put the logs into their own file

sudo vi /etc/rsyslog.d/51-slapd.conf

Add the following

local4.* /var/log/slapd.log

Restart

sudo systemctl restart rsyslog slapd

Let's clean up the logs

 sudo vi /etc/logrotate.d/slapd

Add the following

 /var/log/slapd.log
 { 
         rotate 7
         daily
         missingok
         notifempty
         delaycompress
         compress
         postrotate
                 /usr/lib/rsyslog/rsyslog-rotate
         endscript
 }

Restart

 sudo systemctl restart logrotate

Set up ssl

There are three certs to worry about

rootCA
server cert
server key

I create these independently of this setup and they are placed in

/etc/ssl/openldap/certs/rootCA.pem
/etc/ssl/openldap/certs/server.crt
/etc/ssl/openldap/private/server.key

Set permissions on the directory

chown -R openldap: /etc/ssl/openldap/

We need to allow AppArmor to let slapd read the files, so edit

vi /etc/apparmor.d/usr.sbin.slapd

With

...
  # Site-specific additions and overrides. See local/README for details.
  #include 

  #TLS
  /etc/ssl/openldap/certs/ r,
  /etc/ssl/openldap/certs/* r,
  /etc/ssl/openldap/private/ r,
  /etc/ssl/openldap/private/* r,

Reload

apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd

Create an LDIF that reflects your cert names and locations; with the files above it is

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key

Had a lot of trouble getting the next bit to work thanks to no help from the product. Firstly, add the openldap user to the ssl-cert group with

usermod -aG ssl-cert openldap

The trick is to get the permissions right. I did this by looking at what others had done, namely /etc/ssl. I checked the permissions on the directories certs and private plus their contents and owner. Here is the end result

root@oliver:/etc/ssl# ls -lR openldap/
openldap/:
total 8
drwxr-xr-x 2 openldap openldap 4096 Nov  4 13:39 certs
d-wx--x--- 2 openldap ssl-cert 4096 Nov  4 13:39 private

openldap/certs:
total 8
-rw-r--r-- 1 openldap ssl-cert 1411 Nov  4 13:39 rootCA.pem
-rw-r--r-- 1 openldap ssl-cert 1501 Nov  4 13:39 server.crt

openldap/private:
total 4
-rw-r----- 1 openldap ssl-cert 1704 Nov  4 13:39 server.key

Now you should be able to add the TLS entries with

 ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-tls.ldif

As ever you can verify this with

slapcat -b "cn=config" | grep -E "olcTLS"

Which should show

olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt

Let's run a test before switching

slaptest -u

Which should show

config file testing succeeded

Add the certificate into /etc/ldap/ldap.conf

...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
TLS_CACERT	/etc/ssl/openldap/certs/rootCA.pem

Restart the server

systemctl restart slapd

Finally, phew, test the connectivity

ldapwhoami -H ldapi:/// -x -ZZ

For Let's Encrypt I ended up with

dn: cn=config
changetype: modify
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/openldap/certs/rootCA.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/openldap/private/server.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/openldap/certs/server.crt
-
add: olcTLSProtocolMin
olcTLSProtocolMin: 3.3