Setup (user)

From d00d3
Revision as of 12:49, 16 October 2013 by Andrenarchy


Initial Configuration: Debian Lenny 5.0.6 netinst

  • Language: English / United States
  • Keymap: American English
  • IP: 78.46.110.206
  • Netmask: 255.255.255.240
  • Gateway: 78.46.110.193
  • DNS: 213.133.99.99 213.133.100.100 213.133.98.98
  • Hostname: user
  • Domain: d00d3.net
  • Guided partitioning using entire disk (this takes a while!)
  • Software selection: nothing
  • GRUB: Install in MBR
  • Reboot!

Edit /etc/apt/sources.list:

#deb     http://ftp.de.debian.org/debian  lenny  main non-free contrib
#deb-src http://ftp.de.debian.org/debian  lenny  main non-free contrib

#deb     http://security.debian.org/  lenny/updates  main contrib non-free
#deb-src http://security.debian.org/  lenny/updates  main contrib non-free

deb     ftp://mirror.hetzner.de/debian/packages  lenny          main contrib non-free
deb     ftp://mirror.hetzner.de/debian/security  lenny/updates  main contrib non-free

deb     http://ftp.de.debian.org/debian-backports lenny-backports main
deb     http://ftp.de.debian.org/debian-volatile/ lenny/volatile main

Edit /etc/apt/preferences:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

And run:

apt-get update
apt-get upgrade

2010-12-01

dpkg-reconfigure tzdata

Select correct timezone.

apt-get install openssh-server sudo less
groupadd --system admin
usermod -G admin -a USER
visudo

Then add:

%admin ALL=(ALL) ALL

Exim4

apt-get install exim4
dpkg-reconfigure exim4-config
  • general type: internet site
  • system mail name: user.d00d3.net
  • IP for incoming SMTP: 127.0.0.1
  • other destinations: user.d00d3.net
  • domains to relay: (empty)
  • machines to relay: (empty)
  • DNS-queries minimal: no
  • delivery-method: mbox
  • split: no

forwards

If you wish, configure mail forwarding for the user who receives root's mail in that user's HOME/.forward.

apticron

apt-get install apticron

Comment out the cron entry in /etc/cron.d/apticron (it will still be run via /etc/cron.daily/apticron; the duplicate entry is a bug in the Debian package, see Debian bug, Ubuntu bug).

2010-12-02

LDAP

apt-get install ldap-utils ca-certificates

Edit /etc/ldap/ldap.conf to contain

BASE dc=d00d3,dc=net
URI ldaps://production.d00d3.net
TLS_CACERT /usr/share/ca-certificates/cacert.org/cacert.org.crt

NSS+PAM LDAP

apt-get install libnss-ldapd

For libnss-ldap:

  • URI: ldaps://production.d00d3.net
  • Base: dc=d00d3,dc=net
  • User: cn=reader,dc=d00d3,dc=net
  • Pass: LDAPREADERPASS
  • Name services: group, passwd

For libpam-ldap:

  • URI: ldaps://production.d00d3.net
  • Base: dc=d00d3,dc=net
  • Version: 3
  • local root admin: yes
  • login: yes
  • account root:
  • pass root: LDAPADMINPASS
  • account unpriv: cn=reader,dc=d00d3,dc=net
  • pass unpriv: LDAPREADERPASS
  • local crypt: md5

Check if NSS is working by issuing:

getent passwd

You should be able to see the LDAP accounts.

Now configure PAM by editing the following files accordingly.

  • /etc/pam.d/common-account
account required      pam_unix.so
account sufficient    pam_succeed_if.so uid < 2000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required      pam_permit.so
  • /etc/pam.d/common-auth
auth    sufficient      pam_unix.so nullok_secure
auth    requisite       pam_succeed_if.so uid >= 2000 quiet
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
  • /etc/pam.d/common-passwd
password    sufficient    pam_unix.so md5 obscure min=4 max=8 nullok try_first_pass
password    sufficient    pam_ldap.so
password    required      pam_deny.so
  • /etc/pam.d/common-session
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0076
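
The split between local accounts (uid below 2000) and LDAP accounts in the common-auth stack above depends on the Linux-PAM control flags: a failing requisite module aborts the stack at once, a succeeding sufficient module ends it with success, and a failing required module is remembered until the end. The following Python model is an added example (not part of the original page) that walks a constructed two-user directory through that stack so the consultation order is visible; the module functions are simplified stand-ins for pam_unix, pam_succeed_if, pam_ldap and pam_deny.

```python
"""Simplified model of the Linux-PAM control flags applied to this page's common-auth."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Account:
    uid: int
    local_pw: Optional[str]   # password held in /etc/shadow, None if not a local account
    ldap_pw: Optional[str]    # password held in LDAP, None if not an LDAP account

# Constructed sample directory: a local admin below uid 2000 and an LDAP user at 2000 or above.
USERS: Dict[str, Account] = {
    "andre": Account(uid=1000, local_pw="local-secret", ldap_pw=None),
    "alice": Account(uid=2001, local_pw=None, ldap_pw="ldap-secret"),
}

# Stand-ins for the real PAM modules (hypothetical, for illustration only).
def pam_unix(acct: Account, pw: str) -> bool:
    return acct.local_pw is not None and pw == acct.local_pw

def pam_succeed_if_uid_ge_2000(acct: Account, pw: str) -> bool:
    return acct.uid >= 2000

def pam_ldap(acct: Account, pw: str) -> bool:
    return acct.ldap_pw is not None and pw == acct.ldap_pw

def pam_deny(acct: Account, pw: str) -> bool:
    return False

# (control flag, module) in the order of /etc/pam.d/common-auth on this page.
COMMON_AUTH: List[Tuple[str, Callable[[Account, str], bool]]] = [
    ("sufficient", pam_unix),
    ("requisite",  pam_succeed_if_uid_ge_2000),
    ("sufficient", pam_ldap),
    ("required",   pam_deny),
]

def run_stack(stack, acct: Account, pw: str) -> Tuple[bool, List[str]]:
    """Return (authenticated, names of modules consulted) following the control-flag semantics."""
    consulted: List[str] = []
    required_failed = False
    for control, module in stack:
        consulted.append(module.__name__)
        ok = module(acct, pw)
        if control == "requisite" and not ok:
            return False, consulted          # abort the stack immediately
        if control == "required" and not ok:
            required_failed = True           # remember the failure, keep evaluating
        if control == "sufficient" and ok and not required_failed:
            return True, consulted           # short-circuit success
    return not required_failed, consulted

def authenticate(username: str, pw: str) -> Tuple[bool, List[str]]:
    acct = USERS.get(username)
    if acct is None:
        return False, []
    return run_stack(COMMON_AUTH, acct, pw)
```

A local user with a wrong password is refused by the requisite line before LDAP is ever contacted, while an LDAP user's wrong password still falls through to pam_deny at the end of the stack.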

Then do (otherwise booting will be delayed!):

update-rc.d -f nslcd remove
update-rc.d -f nscd remove
update-rc.d nslcd defaults 15 80
update-rc.d nscd defaults 15 80

2010-12-05

OpenVPN

apt-get install openvpn
cd /etc/openvpn/
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
gunzip server.conf.gz
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 easy-rsa
cd easy-rsa

Edit the variables in the file 'vars', for example:

export KEY_COUNTRY="NA"
export KEY_PROVINCE="NA"
export KEY_CITY="N/A"
export KEY_ORG="d00d3"
export KEY_EMAIL="root@d00d3.net"

Then run:

. ./vars
./clean-all
./build-ca

And create the server certificate (enter the server's DNS name in the Common Name field):

./build-key-server server
./build-dh

Edit /etc/openvpn/server.conf

port 1194
proto udp
dev tap
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key
dh easy-rsa/keys/dh1024.pem
server 10.73.31.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin openvpn-auth-pam.so "login"
client-cert-not-required
push "route-gateway 10.73.31.1"
push "route 0.0.0.0"

2010-12-07

IP forward

Edit /etc/sysctl.conf and uncomment:

net.ipv4.ip_forward=1

Then issue:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables

Create a file /etc/network/iptables_eth0.sh with the following content:

#!/bin/bash
# Firewall for the public interface. Uses bash rather than sh: the indirect
# expansion ${!TYPE} below is a bash feature and fails under dash.
IF="eth0"
CHIN="CHECK${IF}"

# Inbound ports accepted on $IF; anything else that is not ESTABLISHED/RELATED is dropped.
ALLOW_TCP_IN="1:1023 5222 5223 5269 5280"
ALLOW_UDP_IN="1:1023 1194"

case "$1" in
	up)
		#INPUT: create the check chain and send all inbound traffic on $IF through it
		iptables -N $CHIN
		iptables -A INPUT -i $IF -j $CHIN
		for PROTO in TCP UDP; do
			TYPE="ALLOW_${PROTO}_IN"
			for PORT in ${!TYPE}; do
				echo "allowing $PROTO $PORT"
				iptables -A $CHIN -p $PROTO --dport $PORT -j ACCEPT
			done
		done
		iptables -A $CHIN -p ICMP -j ACCEPT
		iptables -A $CHIN -m state --state ESTABLISHED,RELATED -j ACCEPT
		iptables -A $CHIN -j DROP

		#NAT: masquerade forwarded traffic (e.g. from OpenVPN clients) leaving via $IF
		iptables -t nat -A POSTROUTING -o $IF -j MASQUERADE
		;;
	down)
		# Remove the jump from INPUT, then flush and delete the chain
		iptables -D INPUT -i $IF -j $CHIN
		iptables -F $CHIN
		iptables -X $CHIN

		#NAT
		iptables -t nat -D POSTROUTING -o $IF -j MASQUERADE
		;;
	*)
		echo "Error! Specify up or down!"
		exit 1
		;;
esac

And make it executable:

chmod +x /etc/network/iptables_eth0.sh

Then modify the eth0 entry in /etc/network/interfaces accordingly:

auto eth0
iface eth0 inet static
        address 78.46.110.206
        netmask 255.255.255.240
        gateway 78.46.110.193
        pre-up /etc/network/iptables_eth0.sh up
        post-down /etc/network/iptables_eth0.sh down

2010-12-21

SSL certificates

Compare Setup (production)#SSL certificates.

We create a certificate signed by CAcert.org like this:

groupadd --system sslusers
apt-get install openssl
wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
sh csr

Fill in the forms, e.g. like this:

Short Hostname (ie. imap big_srv www2): user
FQDN/CommonName (ie. www.example.com) : user.d00d3.net
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:user.d00d3.net
SubjectAltName: DNS:*.user.d00d3.net
SubjectAltName: DNS:mmpong.net
SubjectAltName: DNS:*.mmpong.net
SubjectAltName: DNS:

Then paste the CSR into CAcert.org (or sign it however you like) and paste the resulting public server certificate into a file user_publiccert.pem. Now we fix up the permissions and move the files:

cat user_publiccert.pem user_privatekey.pem > user_pubpriv.pem
chmod 640 user_pubpriv.pem user_privatekey.pem
chown root:sslusers user_pubpriv.pem user_privatekey.pem
mv user_* /etc/

lighttpd

apt-get install lighttpd php5-cgi
lighty-enable-mod ssl fastcgi userdir
mkdir /var/wwws

Modify /etc/lighttpd/conf-enabled/10-ssl.conf:

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine           = "enable"
        ssl.pemfile          = "/etc/user_pubpriv.pem"
        server.document-root = "/var/wwws"
}

Modify /etc/lighttpd/conf-enabled/10-userdir.conf to contain:

userdir.path         = "www"

In /etc/lighttpd/lighttpd.conf activate mod_rewrite and mod_redirect and add the following at the end of the file:

#redirect http to https
$HTTP["scheme"] == "http" {
        $HTTP["host"] =~ "(.*)" {
                url.redirect = ( "^/(.*)$" => "https://%1/$1" )
        }
}

Then issue

/etc/init.d/lighttpd force-reload

2010-12-22

MySQL

apt-get install mysql-server phpmyadmin
  • Enter MYSQLROOTPASS
  • Configure lighttpd automatically

PowerDNS

Install PowerDNS:

apt-get install pdns-backend-mysql

Visit https://user.d00d3.net/phpmyadmin, create the user "powerdns" with password MYSQLPDNSPASS and create the database "powerdns". Then execute (you will need MYSQLROOTPASS):

mysql -u root -p powerdns < /usr/share/doc/pdns-backend-mysql/mysql.sql

Edit /etc/powerdns/pdns.d/pdns.local:

launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=MYSQLPDNSPASS
gmysql-dbname=powerdns

Now initialize the database in phpmyadmin and create the priv table:

INSERT INTO `domains` (`id`, `name`, `master`, `last_check`, `type`, `notified_serial`, `account`) VALUES
   (1, 'ddns.d00d3.net', NULL, NULL, 'NATIVE', NULL, NULL);
INSERT INTO `records` (`id`, `domain_id`, `name`, `type`, `content`, `ttl`, `prio`, `change_date`) VALUES
   (1, 1, 'ddns.d00d3.net', 'SOA', 'user.d00d3.net. andre.d00d3.net. 1293123996 10800 3600 604800 60', 60, NULL, 1293123996),
   (2, 1, 'ddns.d00d3.net', 'NS', 'user.d00d3.net', 60, NULL, 1293057967);
CREATE TABLE IF NOT EXISTS `priv` (
   `domain` varchar(255) NOT NULL,
   `pass` varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
CREATE TRIGGER newdom AFTER INSERT ON priv
   FOR EACH ROW INSERT INTO records SET domain_id=1, type='A', name=NEW.domain, ttl=60;

Now inserting a new row into the 'priv' table will also insert a new 'A' record. Attention: always use the full domain name for the 'domain' field (without trailing dot)!

ddns update

mkdir /var/wwws/ddns

Create a script /var/wwws/ddns/update.php with the following content (make sure to replace MYSQLPDNSPASS!):

<?php
// Dynamic DNS update endpoint for the PowerDNS 'priv' table.
// Replace MYSQLPDNSPASS with the password of the powerdns MySQL user.
$connection = mysql_connect("127.0.0.1", "powerdns", "MYSQLPDNSPASS");
mysql_select_db("powerdns");

// Escape every request parameter before it is used in an SQL statement.
$domain = mysql_real_escape_string(isset($_GET['domain']) ? $_GET['domain'] : '');
$pass   = mysql_real_escape_string(isset($_GET['pass'])   ? $_GET['pass']   : '');

// Compare against the crypt()ed password stored via INSERT ... ENCRYPT('PRIVPASS'),
// reusing the two-character salt at the start of the stored value.
$result = mysql_query("SELECT domain FROM priv WHERE domain='".$domain."' AND pass=ENCRYPT('".$pass."',LEFT(pass,2))");

if (mysql_num_rows($result) > 0) {
        // Use the supplied IP if given, otherwise the address the request came from.
        if (isset($_GET['ip']))
                $ip = $_GET['ip'];
        else
                $ip = $_SERVER['REMOTE_ADDR'];
        // Only a syntactically valid IP address may become A record content.
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
                echo "Invalid IP!";
                exit;
        }
        mysql_query("UPDATE records SET content='".mysql_real_escape_string($ip)."', change_date=UNIX_TIMESTAMP() WHERE name='".$domain."' AND type='A'");
        // Bump the SOA serial so that the change is noticed.
        mysql_query("UPDATE records SET content='user.d00d3.net. andre.d00d3.net. ".time()." 10800 3600 604800 60', change_date=UNIX_TIMESTAMP() WHERE type='SOA'");
        echo "Updated!";
} else {
        // Slow down password guessing a little.
        sleep(2);
        echo "Not authorized!";
}
?>

Adjust the permissions and link it into the non-SSL document root (only if your clients do not support SSL; over plain HTTP the password travels in cleartext):

chown www-data:root /var/wwws/ddns/update.php
chmod 600 /var/wwws/ddns/update.php
ln -s /var/wwws/ddns /var/www/

The update link now has the form:

https://user.d00d3.net/ddns/update.php?domain=PRIVDOMAIN&pass=PRIVPASS&ip=NEWIP

or

http://user.d00d3.net/ddns/update.php?domain=PRIVDOMAIN&pass=PRIVPASS&ip=NEWIP

where PRIVDOMAIN and PRIVPASS are set in the 'priv' table like this:

INSERT INTO priv (domain, pass) VALUES ('PRIVDOMAIN', ENCRYPT('PRIVPASS'));

2010-12-28

git / gitolite

https://github.com/sitaramc/gitolite/blob/pu/doc/1-INSTALL.mkd

apt-get install gitolite git -t lenny-backports
dpkg-reconfigure gitolite

Paste the SSH public key of the admin machine into the corresponding field. Edit /var/lib/gitolite/.gitolite.rc and set

$REPO_UMASK = 0022;

The following commands should be executed on the admin machine!

git clone gitolite@user.d00d3.net:gitolite-admin
cd gitolite-admin

Place the keys in keydir, e.g.:

$ ls -al keydir/
insgesamt 20
drwxr-xr-x 2 andre andre 4096 2010-12-28 18:29 .
drwxr-xr-x 5 andre andre 4096 2010-12-28 18:23 ..
-rw-r--r-- 1 andre andre  397 2010-12-28 18:23 admin.pub
-rw-r--r-- 1 andre andre  396 2010-12-28 18:27 andre_multitude.pub
-rw-r--r-- 1 andre andre  735 2010-12-28 18:28 corny_xps.pub

Edit conf/gitolite.conf, e.g.:

@andre = andre_multitude admin
@corny = corny_xps

repo    gitolite-admin
	RW+     =   @andre

repo    mmpong
	RW+     =   @andre @corny

Then issue

git add keydir/*.pub conf/gitolite.conf
git commit
git push

And your repo is ready to go!

2010-12-31

trac

apt-get install trac-git trac-spamfilter -t lenny-backports
mkdir /var/trac
cd /var/trac
trac-admin mmpong initenv
  • Name: mmpong
  • Database: (default)
  • Repo type: git
  • Repo: /var/lib/gitolite/repositories/mmpong.git/

2011-01-02

gitweb / git-daemon

apt-get install gitweb git-daemon-run -t lenny-backports

Upgrade to Debian 6.0 squeeze

Configure apt

/etc/apt/sources.list

deb     ftp://mirror.hetzner.de/debian/packages  squeeze          main contrib non-free
deb     ftp://mirror.hetzner.de/debian/security  squeeze/updates  main contrib non-free

deb     http://ftp.de.debian.org/debian-backports squeeze-backports main
#deb     http://ftp.de.debian.org/debian-volatile/ squeeze/volatile main

/etc/apt/preferences

Package: *
Pin: release a=squeeze-backports
Pin-Priority: 200

upgrade

apt-get update
aptitude install apt dpkg aptitude
aptitude full-upgrade

nslcd

  • LDAP URI: ldaps://production.d00d3.net
  • LDAP base: dc=d00d3,dc=net
  • allow
  • dash as /bin/sh: yes

grub2

  • chainload: yes
  • cmd line: (empty)

sysv-rc

  • migrate: yes

libpam-runtime

  • override: no

/etc/mysql/my.cnf: N

base-passwd update: Y

sysctl: N

linux-base update dev IDs: yes

/etc/console-tools/config: Y

apticron: keep

ejabberd: keep

lighttpd: keep

/etc/phpmyadmin/lighttpd.conf: Y

phpmyadmin configure: no

2011-02-15

Calendar Server

apt-get install calendarserver

2011-08-07

I changed the kvm network from a libvirt-managed bridge to kvmbr0 (see Setup (r00t)).

Here's /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
	address 78.46.110.206
	netmask 255.255.255.240
	gateway 78.46.110.193
	pre-up /etc/network/iptables_eth0.sh up
	post-down /etc/network/iptables_eth0.sh down

iface eth0 inet6 static
	address 2a01:4f8:120:4024:1337::4
	netmask 80
	up ip route add default via 2a01:4f8:120:4024:1337::2

2012-02-18

owncloud

See also the owncloud website.

apt-get install php5 php5-sqlite php5-json php5-gd php5-ldap mp3info curl libcurl3 php5-curl zip bzip2

As user web_user logged in via ssh, execute in ~/www/:

wget http://owncloud.org/go/owncloud-download -O /tmp/owncloud.tar.bz2
tar -jxvf /tmp/owncloud.tar.bz2

Create the MySQL user 'owncloud' with password OWNCLOUDPASSWORD and create the database 'owncloud'. Then visit http://user.d00d3.net/owncloud and finish the installation. Then activate the 'LDAP user backend' app (user_ldap) and configure it:

Host: ldaps://production.d00d3.net/
Port: 636
User: cn=reader,dc=d00d3,dc=net
Pass: LDAPREADERPASS
Base: dc=d00d3,dc=net
Filter: (uid=%uid)
Disp: uid
TLS: No
Case insensitive: No

Insert into lighttpd config in $HTTP["host"] =~ "^user.d00d3.net$" {...}:

$HTTP["url"] =~ "^/owncloud/data/" {
    url.access-deny = ("")
}
$HTTP["url"] =~ "^/owncloud($|/)" {
    dir-listing.activate = "disable"
}

Set the following php options in /etc/php5/cgi/php.ini:

upload_max_filesize 512M
post_max_size 512M
memory_limit 512M

2012-04-01

ejabberd

apt-get install ejabberd
dpkg-reconfigure ejabberd
  • host: user.d00d3.net
  • admin: admin
  • pass: XMPPADMINPASS

Add the user ejabberd to the sslusers group. Then edit /etc/ejabberd/ejabberd.cfg to contain:

{hosts, ["user.d00d3.net", "d00d3.net", 
    "example1.tld", 
    %...,
    "exampleN.tld"
   ]}.

Also add one line for each of the above hosts:

{host_config, "HOST", [{ldap_uids, [{"mail", "%u@HOST"}]}]}.

Configure the listening ports:

{listen,
 [
  {5222, ejabberd_c2s, [
                         {access, c2s},
                         {shaper, c2s_shaper},
                         {max_stanza_size, 65536},
                         starttls, {certfile, "/etc/user_pubpriv.pem"}, starttls_required
                        ]},

  {5269, ejabberd_s2s_in, [
                           {shaper, s2s_shaper},
                           {max_stanza_size, 131072}
                          ]},

  {5280, ejabberd_http, [ web_admin, tls, {certfile, "/etc/user_pubpriv.pem"}] }
]}.
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/user_pubpriv.pem"}.

Configure authentication:

{auth_method, ldap}.
{ldap_servers, ["production.d00d3.net"]}.
{ldap_encrypt, tls}.
{ldap_port, 636}.
{ldap_rootdn, "cn=reader,dc=d00d3,dc=net"}.
{ldap_password, "LDAPREADERPASS"}.
{ldap_base, "dc=d00d3,dc=net"}.
{ldap_filter, "(objectClass=inetOrgPerson)"}.

Set traffic limits:

{shaper, normal, {maxrate, 10000}}.
{shaper, fast, {maxrate, 500000}}.

Now it's time to add some DNS records (see New Domain#XMPP/Jabber)!

2013-08-01

CouchDB

From https://wiki.apache.org/couchdb/Installing_on_Debian:

sudo apt-get install help2man make gcc zlib1g-dev libssl-dev rake texinfo flex dctrl-tools libsctp-dev libxslt1-dev libcap2-bin ed g++ automake autoconf

python2.7 installed from wheezy!

User/group web_yesorno added. Then as web_yesorno:

git clone git://github.com/iriscouch/build-couchdb
cd build-couchdb
git submodule init
git submodule update
rake plugin="git://github.com/couchbase/geocouch origin/couchdb1.3.x"

Lighttpd Proxy

mod_proxy added in /etc/lighttpd/lighttpd.conf.

In /etc/lighttpd/conf-enabled/80-vhosts.conf:

$HTTP["host"] =~ "^(.*\.)?yesorno.it$" {
        proxy.server = (
                "" => (
                        ( "host" => "127.0.0.1", "port" => "5984" )
                )
        )
}

2013-10-16 Upgrade to Debian 7.2 wheezy

Configure apt

/etc/apt/sources.list

deb     ftp://mirror.hetzner.de/debian/packages  wheezy main contrib non-free
deb     ftp://mirror.hetzner.de/debian/security  wheezy/updates  main contrib non-free

Remove content of /etc/apt/preferences.

apt-get update
apt-get upgrade
apt-get dist-upgrade