======= bytecluster0001 =======
bytecluster0001 is a virtual server that provides communication services for the association.
====== Administrators ======
* [[user:mape2k]]
* [[user:mkzero:]]
* [[user:suicider]]
* [[user:hipposen:start|hipposen]]
====== Users ======
* Bernd (websites)
====== IPs / DNS ======
* bytecluster0001.bytespeicher.org
* 88.198.111.196
* 2a01:4f8:c17:1214::2
====== Installation ======
* Debian 8.2 minimal
===== Users / groups =====
* mkzero -> sudo
* marcel -> sudo
* maddi -> sudo
* stephan -> sudo
* bernd -> sudo for www-data
* bytebot
* twitterstatus
* twitterstatus-ms
* spacestatus
* redmine
* ffapi
* synapse
===== Packages =====
* zsh
* git
* screen
* mosh (SSH via UDP)
* python
* mc
* debian-goodies
===== Network =====
==== Script for IPv6 addresses (needed for the Matrix IRC bridge) ====
#!/bin/bash
# Adds or deletes COUNT consecutive IPv6 addresses BASEADDR:0001/NETMASK ... BASEADDR:<COUNT in hex>/NETMASK on INTERFACE.
# Usage: manage_ipv6_addresses.sh <add|delete> <baseaddr> <netmask> <count> <interface>
ACTION="$1"
BASEADDR="$2"
NETMASK="$3"
COUNT="$4"
INTERFACE="$5"
for i in $(seq 1 "$COUNT"); do
    ip -6 address "$ACTION" "$(printf "%s:%04x/%s" "$BASEADDR" "$i" "$NETMASK")" dev "$INTERFACE"
done
* //**chmod +x /usr/local/bin/manage_ipv6_addresses.sh**//
==== Configuration ====
# Loopback device:
auto lo
iface lo inet loopback
# device: eth0
auto eth0
iface eth0 inet dhcp
iface eth0 inet6 static
address 2a01:4f8:c17:1214::2
netmask 64
gateway fe80::1
# create 128 IPv6 addresses with prefix "2a01:4f8:c17:1214::1:/64"
post-up /usr/local/bin/manage_ipv6_addresses.sh add 2a01:4f8:c17:1214::1 64 128 eth0
pre-down /usr/local/bin/manage_ipv6_addresses.sh delete 2a01:4f8:c17:1214::1 64 128 eth0
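The address scheme above depends on the base address being concatenated with a ":%04x" suffix, so the result is only valid for some base addresses. The following added Python example (not part of the wiki page) reproduces the list the script generates and validates it against the primary address from the interfaces file; it also shows the two failure modes: a base ending in "::" yields unparseable addresses, and a base without the "::1" sub-prefix collides with the primary "::2" address.

```python
"""Reproduce the address list manage_ipv6_addresses.sh generates and validate it.

Added example, not part of the wiki page. generate_addresses() mirrors the
script's printf "%s:%04x/%s" formatting; check_addresses() verifies that every
result parses, lies inside the interface prefix and collides neither with the
primary address nor with another generated one.
"""
import ipaddress

PRIMARY = "2a01:4f8:c17:1214::2/64"   # primary address from the interfaces file


def generate_addresses(base, netmask, count):
    """Same strings the shell loop passes to 'ip -6 address add'."""
    return [f"{base}:{i:04x}/{netmask}" for i in range(1, count + 1)]


def check_addresses(addrs, primary=PRIMARY):
    """Return a list of problems; an empty list means the address set is consistent."""
    problems = []
    prim = ipaddress.IPv6Interface(primary)
    seen = {prim.ip}
    for a in addrs:
        try:
            iface = ipaddress.IPv6Interface(a)
        except ValueError:
            problems.append(f"{a}: not a valid address/prefix")
            continue
        if iface.network != prim.network:
            problems.append(f"{a}: outside {prim.network}")
        if iface.ip in seen:
            problems.append(f"{a}: duplicates an existing address")
        seen.add(iface.ip)
    return problems


if __name__ == "__main__":
    good = generate_addresses("2a01:4f8:c17:1214::1", 64, 128)   # the page's call
    print(good[0], "...", good[-1], "problems:", check_addresses(good))
    print(check_addresses(generate_addresses("2a01:4f8:c17:1214::", 64, 2)))   # base ends in '::'
    print(check_addresses(generate_addresses("2a01:4f8:c17:1214:", 64, 2)))    # collides with ::2
```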
===== SSH configuration =====
* DSA host key removed
* PermitRootLogin no
* PasswordAuthentication no
Login banner (ASCII art "BYTESPEICHER" logo, followed by the line "> BYTECLUSTER0001")
===== SUDO =====
* Administrative users are members of the "sudo" group
===== IPTABLES =====
* iptables-persistent
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Already opened connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Garbage
-A INPUT -m state --state INVALID -j DROP
# Ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Loopback (matched by source address only; -i lo, as in the IPv6 rules below, is the stricter match)
-A INPUT -s 127.0.0.0/8 -j ACCEPT
# Turnserver
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
# SSH / mosh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 60000:60008 -j ACCEPT
# Webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Mail
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 2000 -j ACCEPT
-A INPUT -p tcp --dport 4190 -j ACCEPT
# Matrix
-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
# Ping
-A INPUT -p ipv6-icmp -j ACCEPT
# Already opened connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Garbage
-A INPUT -m state --state INVALID -j DROP
# Turnserver
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
# SSH / mosh
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 60000:60008 -j ACCEPT
# Webserver
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Mail
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 2000 -j ACCEPT
-A INPUT -p tcp --dport 4190 -j ACCEPT
# Matrix
-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
COMMIT
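To see what a ruleset like the two above actually exposes, and whether the IPv4 and IPv6 sets have drifted apart, the following added Python example (not part of the wiki page) parses iptables-save formatted INPUT rules. The two rulesets embedded in it are constructed excerpts in the page's format; port 8448 is deliberately left out of the IPv6 one so the comparison has something to report, and the IPv4 loopback rule is flagged because it matches on source address rather than on the lo interface.

```python
"""Audit the INPUT chain of an iptables-save / ip6tables-save ruleset.

Added example, not part of the wiki page: a small parser for the options the
page's rules.v4/rules.v6 use (-p, -m, --dport, -s, -i, --state, --icmp-type,
-j). It lists services reachable from anywhere, counts the ports they cover,
compares IPv4 with IPv6 and flags loopback rules that match on source address.
Both rulesets below are constructed excerpts.
"""
import shlex

RULES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
COMMIT
"""

RULES_V6 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# options that take exactly one argument; any other token is skipped
_VALUE_OPTS = {"-p", "-m", "--dport", "-s", "-i", "--state", "--icmp-type", "-j"}


def parse_rules(text):
    """One dict per '-A INPUT' line; policies, comments and COMMIT are ignored."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line.strip())
        if toks[:2] != ["-A", "INPUT"]:
            continue
        rule, i = {}, 2
        while i < len(toks):
            if toks[i] in _VALUE_OPTS and i + 1 < len(toks):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def port_span(spec):
    """Number of ports in a --dport spec: '22' -> 1, '49152:59999' -> 10848."""
    lo, _, hi = spec.partition(":")
    return int(hi or lo) - int(lo) + 1


def exposed_services(rules):
    """(proto, dport) pairs accepted from any source on any interface."""
    return {(r["-p"], r["--dport"]) for r in rules
            if r.get("-j") == "ACCEPT" and "--dport" in r and "-s" not in r and "-i" not in r}


def exposed_port_count(rules):
    """Total number of TCP/UDP ports reachable from anywhere."""
    return sum(port_span(dport) for _, dport in exposed_services(rules))


def compare_families(v4_text, v6_text):
    """Services open in one address family but not in the other."""
    v4 = exposed_services(parse_rules(v4_text))
    v6 = exposed_services(parse_rules(v6_text))
    return {"v4_only": sorted(v4 - v6), "v6_only": sorted(v6 - v4)}


def loopback_findings(rules):
    """Loopback ACCEPT rules that rely on the source address instead of -i lo."""
    findings = []
    for r in rules:
        src = r.get("-s", "")
        if r.get("-j") == "ACCEPT" and (src.startswith("127.") or src.split("/")[0] == "::1"):
            if r.get("-i") != "lo":
                findings.append(f"-s {src} accepted without -i lo; a spoofed loopback source on eth0 matches too")
    return findings


if __name__ == "__main__":
    for family, text in (("IPv4", RULES_V4), ("IPv6", RULES_V6)):
        rules = parse_rules(text)
        print(family, sorted(exposed_services(rules)), exposed_port_count(rules), "ports")
        for finding in loopback_findings(rules):
            print("  finding:", finding)
    print(compare_families(RULES_V4, RULES_V6))
```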
===== MySQL/MariaDB =====
* mariadb-server
--- /etc/mysql/my.cnf.dist 2015-11-04 22:19:31.589007928 +0100
+++ /etc/mysql/my.cnf 2015-11-04 22:19:31.577007958 +0100
@@ -36,6 +36,9 @@
skip-external-locking
bind-address = 127.0.0.1
+
+default_storage_engine = InnoDB
+
#
# * Fine Tuning
#
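Review bot: the added `default_storage_engine = InnoDB` only affects tables created after the change; databases that already existed keep their engine, so this entry should record whether the application databases listed further down the page (bs_paste, wp_bs, redmine, ...) were created afterwards or were checked with `SELECT TABLE_NAME, ENGINE FROM information_schema.TABLES WHERE ENGINE <> 'InnoDB';`.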
@@ -68,6 +71,22 @@
#long_query_time = 2
#log_queries_not_using_indexes
+table_cache = 500
+query_cache_limit = 4M
+query_cache_size = 128M
+
+# INNODB PERFORMANCE
+innodb_buffer_pool_size = 256M
+innodb_log_buffer_size = 8M
+innodb_log_file_size = 128M
+
+innodb_log_files_in_group = 2
+innodb_flush_log_at_trx_commit = 2
+innodb_flush_method = O_DIRECT
+innodb_file_per_table
+
+innodb_thread_concurrency = 8
+
[mysqldump]
quick
quote-names
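Review bot: `table_cache` in this hunk is the old name of `table_open_cache` (the alias was removed from MySQL in 5.6), and an option the server does not recognise aborts startup, so either use the current name or note that this MariaDB build still accepts the alias. The durability trade-off of `innodb_flush_log_at_trx_commit = 2` also deserves a comment next to the setting: unlike the default of 1, up to about one second of committed transactions can be lost on an OS crash or power loss, which makes it the one value here that changes correctness rather than speed.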
===== NGINX =====
* nginx
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
resolver 213.133.98.98 213.133.99.99 valid=300s;
resolver_timeout 5s;
diff -Naur /etc/nginx.dist/nginx.conf /etc/nginx/nginx.conf
--- /etc/nginx.dist/nginx.conf 2014-12-01 12:12:00.000000000 +0100
+++ /etc/nginx/nginx.conf 2015-11-04 22:42:03.837950276 +0100
@@ -30,8 +30,8 @@
# SSL Settings
##
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
- ssl_prefer_server_ciphers on;
+ #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ #ssl_prefer_server_ciphers on;
##
# Logging Settings
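Review bot: the two removed lines existed to drop SSLv3 (their own comment says so), and nginx 1.6 on Debian 8 still lists SSLv3 in its built-in `ssl_protocols` default, so commenting them out is only safe if every TLS vhost includes the snippet with `ssl_protocols TLSv1.2;` shown above this diff. The vhost blocks on this page include `snippets/letsencrypt.conf` but never show where that TLS snippet is included, so its file name and include point should be recorded alongside this change.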
@@ -45,7 +45,7 @@
##
gzip on;
- gzip_disable "msie6";
+ #gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
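Review bot: with `gzip on` kept in the http block and only `gzip_disable "msie6"` commented out, compression is inherited by every TLS vhost on this page that does not switch it off (only the Nextcloud block sets `gzip off`); compressing dynamic HTTPS responses is the precondition for the BREACH class of attacks, so the note for this hunk should say which vhosts are meant to keep gzip enabled for dynamic content and which only for static assets.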
===== Let's Encrypt (SSL certificates) =====
=== Installation ===
* //**useradd letsencrypt -m -G www-data**//
* //**su - letsencrypt**//
* //**git clone https://github.com/lukas2511/letsencrypt.sh.git**//
* //**cd letsencrypt.sh**//
* //**cp docs/examples/* ./**//
* //**chmod ug+x hook.sh**//
* //**mkdir /home/letsencrypt/letsencrypt.sh/.acme-challenges**//
# Allow reload of NGINX
letsencrypt ALL=NOPASSWD: /bin/systemctl reload nginx.service
# Allow restart of Postfix/Dovecot
letsencrypt ALL=NOPASSWD: /bin/systemctl restart postfix.service
letsencrypt ALL=NOPASSWD: /bin/systemctl restart dovecot.service
=== Let's Encrypt client configuration ===
CA="https://acme-v01.api.letsencrypt.org/directory"
...
CHALLENGETYPE="http-01"
...
KEYSIZE="4096"
...
HOOK=${SCRIPTDIR}/hook.sh
...
RENEW_DAYS="60"
...
PRIVATE_KEY_RENEW="yes"
...
KEY_ALGO=rsa
...
CONTACT_EMAIL=hostmaster@bytespeicher.org
function deploy_cert {
    # Arguments passed by letsencrypt.sh to the deploy_cert hook (see docs/examples/hook.sh)
    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}"
    # Reload NGINX
    sudo /bin/systemctl reload nginx.service
    # Copy the erfurt.chat certificate/key to the synapse directory
    if [ "${DOMAIN}" = "erfurt.chat" ]; then
        cp -L "${KEYFILE}" /home/synapse/ssl/
        cp -L "${CERTFILE}" /home/synapse/ssl/
        cp -L "${FULLCHAINFILE}" /home/synapse/ssl/
        chgrp synapse /home/synapse/ssl/*.pem
        chmod 640 /home/synapse/ssl/*.pem
    fi
    # Restart Postfix/Dovecot for the mail certificate (an if block keeps the hook's exit status 0 for other domains)
    if [ "${DOMAIN}" = "mail.bytespeicher.org" ]; then
        sudo /bin/systemctl restart postfix.service
        sudo /bin/systemctl restart dovecot.service
    fi
}
=== NGINX configuration ===
# Use acme-challenge directory from letsencrypt.sh
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
alias /home/letsencrypt/letsencrypt.sh/.acme-challenges/;
}
# Hide using ACME-Client
location = /.well-known/acme-challenge/ {
return 404;
}
# Let's Encrypt
23 4 * * * letsencrypt /home/letsencrypt/letsencrypt.sh/letsencrypt.sh -c > /home/letsencrypt/letsencrypt.log 2>&1
=== Using the Let's Encrypt client for a new domain ===
Several domains/subdomains can be included in one certificate. They must be listed on a single line in domains.txt.
- Enable the Let's Encrypt ACME challenge verification in the vhost
server {
...
include snippets/letsencrypt.conf;
...
}
- Enter the domain and generate the certificate
example.org www.example.org
* **//su - letsencrypt//**
* **//cd letsencrypt.sh//**
* **//./letsencrypt.sh -c//**
- End the session as that user
* **//exit//**
- Create DH parameters
* **//mkdir /etc/ssl/example.org//**
* **//openssl dhparam -out /etc/ssl/example.org/dhparam.pem 4096//**
- Enable SSL with HSTS and include the SSL certificates in NGINX
server {
...
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/example.org/privkey.pem;
ssl_dhparam /etc/ssl/example.org/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
...
}
- Reload NGINX
* **//systemctl reload nginx.service//**
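Every vhost on this page follows the pattern from these steps (http-to-https redirect, HSTS header, certificate paths in a directory named after the domain, a PHP location regex). The following added Python example (not part of the wiki page) lints a server block for exactly those conventions; the block embedded in it is constructed in this page's style and contains two of the mistakes the pattern invites: certificate paths still pointing at example.org after a copy-paste, and an unescaped dot in `location ~ .php$`.

```python
"""Lint an nginx server block for the TLS conventions used on this page.

Added example, not part of the wiki page. parse_server() flattens a server
block into directives plus the headers of nested blocks; lint_vhost() reports
a TLS vhost without HSTS or without an http-to-https redirect, certificate
paths that lie in no directory named after a server_name, and a PHP location
regex whose dot is not escaped. SAMPLE_VHOST is constructed for this example.
"""
import re

SAMPLE_VHOST = """\
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/letsencrypt.conf;
    server_name technikkultur-erfurt.de www.technikkultur-erfurt.de;
    if ($scheme != "https") {
        rewrite ^ https://$host$uri permanent;
    }
    ssl on;
    add_header Strict-Transport-Security "max-age=31536000";
    ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
    ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/example.org/privkey.pem;
    ssl_dhparam /etc/ssl/example.org/dhparam.pem;
    location ~ .php$ {
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}
"""
# the same vhost with both mistakes corrected
GOOD_VHOST = SAMPLE_VHOST.replace("example.org", "technikkultur-erfurt.de").replace("~ .php$", "~ \\.php$")

CERT_DIRECTIVES = ("ssl_certificate", "ssl_certificate_key", "ssl_trusted_certificate", "ssl_dhparam")


def parse_server(text):
    """Return (directives, block_headers): directives as (name, args) tuples, blocks as header strings."""
    directives, blocks = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue
        if line.endswith("{"):
            blocks.append(line[:-1].strip())
        else:
            name, _, args = line.rstrip(";").partition(" ")
            directives.append((name, args.strip()))
    return directives, blocks


def lint_vhost(text):
    """List of findings for one server block; empty means it follows the page's conventions."""
    directives, blocks = parse_server(text)
    names = {n for d, a in directives if d == "server_name" for n in a.split()}
    tls = any(d == "ssl" and a == "on" for d, a in directives) or \
          any(d == "listen" and "443" in a for d, a in directives)
    findings = []
    if tls:
        if not any(d == "add_header" and a.startswith("Strict-Transport-Security") for d, a in directives):
            findings.append("TLS vhost sets no Strict-Transport-Security header")
        has_redirect = any(b.startswith("if ($scheme") for b in blocks) or \
                       any(d == "return" and a.startswith("301 https://") for d, a in directives)
        if not has_redirect:
            findings.append("no http-to-https redirect")
        for d, a in directives:
            # the page keeps every certificate file under a directory named after the domain
            if d in CERT_DIRECTIVES and not names.intersection(a.split("/")):
                findings.append(f"{d}: {a} lies in no directory named after a server_name")
    for b in blocks:
        m = re.match(r"location\s+~\*?\s+(\S+)", b)
        if m and re.search(r"(?<!\\)\.php", m.group(1)):
            findings.append(f"location regex {m.group(1)!r} has an unescaped dot before php")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_VHOST), ("corrected", GOOD_VHOST)):
        print(label, lint_vhost(text) or "OK")
```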
===== User agent filter =====
### Block Mastodon
if ($http_user_agent ~* (Mastodon)) {
return 403;
}
===== PHP =====
* php5-fpm
* php5-curl
* php5-imap
* php5-gd
* php5-intl
* php5-mcrypt
* php5-json
* php5-mysqlnd
* php5-memcached
* php5-xmlrpc
[Date]
date.timezone = "Europe/Berlin"
[PHP]
upload_max_filesize = 64M
post_max_size = 64M
===== Ruby =====
* ruby
===== Bytebot =====
Packages:
* python-pip
* virtualenv
* python-dev (virtualenv build dep)
* libjpeg-dev (virtualenv build dep)
* zlib1g-dev (virtualenv build dep)
* libffi-dev (virtualenv build dep)
* libssl-dev (virtualenv build dep)
Installation:
[Unit]
Description=Bytespeicher IRC bot
After=network-online.target
After=syslog.service
Requires=network-online.target
Requires=syslog.service
[Service]
User=bytebot
Group=bytebot
Restart=always
RestartSec=30
ExecStart=/home/bytebot/Bytebot/env/bin/python /home/bytebot/Bytebot/bytebot.py
MemoryLimit=256M
[Install]
WantedBy=multi-user.target
* //**sudo -u bytebot /bin/bash**//
* //**cd /home/bytebot**//
* //**git clone https://github.com/Bytespeicher/Bytebot**//
* //**cd Bytebot**//
* //**virtualenv env**//
* //**. env/bin/activate**//
* //**pip install -r contrib/requirements.txt**//
* //**systemctl enable bytebot.service**//
* //**systemctl start bytebot.service**//
===== Twitterstatus / Twitterstatus Makerspace =====
These instructions are for "twitterstatus". The setup of "twitterstatus-ms" is done
Packages:
* python-pip
* virtualenv
Installation:
* //**useradd -m twitterstatus**//
* //**sudo -u twitterstatus /bin/bash**//
* //**cd /home/twitterstatus**//
* //**mkdir tmp**//
* //**git clone https://github.com/Bytespeicher/twitterstatus**//
* //**cd twitterstatus**//
* //**cp config.py{.example,}**//
* //**nano config.py**//
OAUTH_TOKEN = '...'
OAUTH_SECRET = '...'
CONSUMER_KEY = '...'
CONSUMER_SECRET = '...'
ADMIN_NAME = 'TWITTER_ACCOUNT_NAME_OF_ADMIN'
STATUS_FILE = '/home/twitterstatus/tmp/twitter_old_status'
CURRENT_STATUS = '/home/twitterstatus/tmp/status.json'
* //**virtualenv env**//
* //**. env/bin/activate**//
* //**pip install Twitter**//
* //**exit**//
[Unit]
Description=Bytespeicher Twitter status bot
After=network-online.target
After=syslog.service
Requires=network-online.target
Requires=syslog.service
[Service]
User=twitterstatus
Group=twitterstatus
Restart=always
RestartSec=60
ExecStart=/home/twitterstatus/twitterstatus/env/bin/python /home/twitterstatus/twitterstatus/bytebot.py
MemoryLimit=64M
[Install]
WantedBy=multi-user.target
* //**systemctl enable twitterstatus.service**//
* //**systemctl start twitterstatus.service**//
* //**crontab -u twitterstatus -e**//
MAILTO=""
* * * * * /usr/bin/wget http://status.bytespeicher.org/status.json -O /home/twitterstatus/tmp/status.json
===== Freifunk-API =====
=== Packages ===
* python
=== Installation ===
* //**mkdir -p /var/www/api.erfurt.freifunk.net/public_html/**//
* //**touch /var/www/api.erfurt.freifunk.net/public_html/freifunk-api.json**//
* //**chown -R www-data:www-data /var/www/api.erfurt.freifunk.net/**//
* //**chmod -R g+w /var/www/api.erfurt.freifunk.net/**//
* //**useradd -m -G www-data ffapi**//
* //**sudo -u ffapi /bin/bash**//
* //**cd /home/ffapi**//
* //**git clone https://github.com/FreifunkErfurt/ffapi**//
* //**git clone https://github.com/FreifunkErfurt/scripts/ ffapi-update**//
* //**cp ffapi-update/ffapi/config.py.example ffapi-update/ffapi/config.py**//
=== Configuration ===
BASE_URL = 'http://map.erfurt.freifunk.net'
API_FILE_TEMPLATE = "/home/ffapi/ffapi/ff-erfurt.json"
API_FILE = "/var/www/api.erfurt.freifunk.net/public_html/freifunk-api.json"
=== Test ===
* //**ffapi-update/ffapi/ffapi-update.py**//
Update of /var/www/api.erfurt.freifunk.net/public_html/freifunk-api.json successful.
We now have 146 Nodes
* //**logout**//
=== Web server configuration ===
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name api.erfurt.freifunk.net;
include snippets/letsencrypt.conf;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/privkey.pem;
ssl_dhparam /etc/ssl/api.erfurt.freifunk.net/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
client_max_body_size 16m;
location / {
root /var/www/api.erfurt.freifunk.net/public_html/;
index index.php index.html index.htm;
autoindex on;
}
access_log /var/log/nginx/api.erfurt.freifunk.net-access.log;
error_log /var/log/nginx/api.erfurt.freifunk.net-error.log;
}
* //**cd /etc/nginx/sites-enabled/**//
* //**ln -s ../sites-available/api.erfurt.freifunk.net api.erfurt.freifunk.net**//
=== Enabling the web server ===
* all SSL directives in the configuration must be commented out
* //**systemctl reload nginx**//
* now generate the Let's Encrypt certificate as described above
* all SSL directives in the configuration must be uncommented again
* //**systemctl reload nginx**//
===== paste.bytespeicher.org =====
* Database: bs_paste
* Config: /var/www/paste.bytespeicher.org/classes/Config.php
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/letsencrypt.conf;
server_name paste.bytespeicher.org;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/paste.bytespeicher.org/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;
root /var/www/paste.bytespeicher.org/;
index index.php;
location / {
try_files $uri $uri/ /index.php;
if ( !-e $request_filename ) {
rewrite ^/(.*)$ /index.php;
}
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/paste.bytespeicher.org/index.php;
#fastcgi_param QUERY_STRING $query_string;
include fastcgi_params;
}
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
access_log off;
}
}
===== bytespeicher.org =====
* Database: wp_bs
* Config: /var/www/bytespeicher.org/wp-config.php
server {
listen 80;
listen [::]:80;
server_name www.bytespeicher.org staging.bytespeicher.org bytespeicher.org radio.bytespeicher.org;
include snippets/filter_useragents.conf;
include snippets/letsencrypt.conf;
if ($host = "radio.bytespeicher.org") {
rewrite ^ https://bytespeicher.org/category/radio-bytespeicher/ permanent;
}
location / {
rewrite /lpd https://bytespeicher.org/2015/linux-presentation-day-2015/ permanent;
rewrite ^(.*)$ https://bytespeicher.org$1 permanent;
}
}
server {
listen 443;
listen [::]:443;
server_name www.bytespeicher.org;
include snippets/filter_useragents.conf;
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
location / {
rewrite /lpd https://bytespeicher.org/2015/linux-presentation-day-2015/ permanent;
rewrite ^(.*)$ https://bytespeicher.org$1 permanent;
}
}
server {
listen 443;
listen [::]:443;
server_name bytespeicher.org;
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
client_max_body_size 64m;
location / {
root /var/www/bytespeicher.org; # absolute path to your WordPress installation
index index.php index.html index.htm;
rewrite /lpd https://bytespeicher.org/2015/linux-presentation-day-2015/ permanent;
# this serves static files that exist without running other rewrite tests
if (-f $request_filename) {
expires 30d;
break;
}
# this sends all non-existing file or directory requests to index.php
if (!-e $request_filename) {
rewrite ^(.+)$ /index.php?q=$1 last;
}
}
location /piwik/ {
proxy_pass http://stats.technikkultur-erfurt.de/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host stats.technikkultur-erfurt.de;
}
location /status/ {
proxy_pass http://status.bytespeicher.org/;
}
location ~ \.php$ {
root /var/www/bytespeicher.org;
fastcgi_keep_conn off;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/bytespeicher.org$fastcgi_script_name;
include fastcgi_params;
}
}
===== status.bytespeicher.org =====
* **//useradd spacestatus -m -G www-data//**
* **//sudo -u spacestatus /bin/bash//**
* **//cd ~//**
* **//git clone https://github.com/Bytespeicher/space-status//**
* **//mkdir www//**
* **//virtualenv env//**
* **//. env/bin/activate//**
* **//pip install jinja2//**
* **//crontab -e//**
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
* * * * * /home/spacestatus/space-status/generate_status 1>/dev/null 2>&1
* * * * * /home/spacestatus/space-status/generate_status_html 1>/dev/null 2>&1
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/letsencrypt.conf;
root /home/spacestatus/www;
index index.html;
server_name status.bytespeicher.org;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
location / {
try_files $uri $uri/ =404;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
add_header Access-Control-Allow-Origin *;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/status.bytespeicher.org/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
}
===== makerspace-erfurt.de / fablab-erfurt.de =====
* Database: makerspace_wp
* Config: /var/www/makerspace-erfurt.de/public_html/wp-config.php
server {
listen 80;
listen [::]:80;
listen 443;
listen [::]:443;
server_name makerspace-erfurt.de www.makerspace-erfurt.de fablab-erfurt.de www.fablab-erfurt.de;
include snippets/letsencrypt.conf;
if ($host != "makerspace-erfurt.de") {
rewrite ^ https://makerspace-erfurt.de$uri permanent;
}
if ($scheme != "https") {
rewrite ^(.*)$ https://makerspace-erfurt.de$1 permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/privkey.pem;
ssl_dhparam /etc/ssl/makerspace-erfurt.de/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
client_max_body_size 64m;
location / {
root /var/www/makerspace-erfurt.de/public_html; # absolute path to your WordPress installation
index index.php index.html index.htm;
# this serves static files that exist without running other rewrite tests
if (-f $request_filename) {
expires 30d;
break;
}
# this sends all non-existing file or directory requests to index.php
if (!-e $request_filename) {
rewrite ^(.+)$ /index.php?q=$1 last;
}
}
location ~ \.php$ {
root /var/www/makerspace-erfurt.de/public_html;
fastcgi_keep_conn off;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/makerspace-erfurt.de/public_html/$fastcgi_script_name;
include fastcgi_params;
}
}
===== cloud.technikkultur-erfurt.de (Nextcloud) =====
* Database: makerspace_oc
* Config: /var/www/oc.makerspace-erfurt.de/public_html/config/config.php
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name cloud.technikkultur-erfurt.de oc.makerspace-erfurt.de;
include snippets/letsencrypt.conf;
if ($scheme != "https") {
return 301 https://$host$request_uri;
}
ssl on;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/privkey.pem;
ssl_dhparam /etc/ssl/cloud.technikkultur-erfurt.de/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
root /var/www/oc.makerspace-erfurt.de/public_html/;
index index.php;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
return 404;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_intercept_errors on;
#fastcgi_request_buffering off;
fastcgi_keep_conn off;
include fastcgi_params;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
#access_log /var/log/nginx/oc.makerspace-erfurt.de-access.log;
# error_log /var/log/nginx/oc.makerspace-erfurt.de-error.log;
}
===== Redmine =====
* Database: redmine
Packages:
* thin
* ruby
* rake
* rubygems
* ruby-mysql2
* ruby-dev
* libmysqlclient-dev
* curl
* rails
* ruby-sass
* ruby-compass
Installation:
D /run/thin 0755 redmine redmine -
---
chdir: /home/redmine/redmine
environment: production
timeout: 30
log: /var/log/thin/redmine.log
pid: /var/run/thin/redmine.pid
max_conns: 1024
max_persistent_conns: 512
require: []
wait: 30
socket: /var/run/thin/redmine.sock
daemonize: true
user: redmine
group: redmine
servers: 1
prefix: /
[Unit]
Description=A fast and very simple Ruby web server
After=syslog.target network.target
[Service]
Type=forking
User=redmine
Group=redmine
# systemd does not expand "~", so GEM_HOME needs the absolute path
Environment="GEM_HOME=/home/redmine/redmine/vendor/bundle/"
WorkingDirectory=/home/redmine/redmine
ExecStart=/usr/bin/bundle exec thin start --config /etc/thin/redmine.yml
ExecReload=/usr/bin/bundle exec thin restart --config /etc/thin/redmine.yml
ExecStop=/usr/bin/bundle exec thin stop --config /etc/thin/redmine.yml
[Install]
WantedBy=multi-user.target
* //**mkdir ~/redmine**//
* //**cd ~/redmine**//
* extract the Redmine archive
* //**export GEM_HOME="$HOME/redmine/vendor/bundle/"**// (inside quotes "~" is not expanded, so use $HOME)
* //**cp ~/redmine/config/configuration.yml.example ~/redmine/config/configuration.yml**//
* //**cp ~/redmine/config/database.yml.example ~/redmine/config/database.yml**//
...
production:
adapter: mysql2
database: redmine
host: localhost
username: redmine
password: "XXXX"
encoding: utf8
...
...
production:
email_delivery:
delivery_method: :smtp
smtp_settings:
address: mail.bytespeicher.org
port: 587
authentication: :plain
user_name: 'XXXX'
password: 'XXXX'
...
* //**bundle install --without development test rmagick**//
* //**bundle exec rake generate_secret_token**//
* //**bundle exec rake db:migrate RAILS_ENV="production"**//
* //**RAILS_ENV=production REDMINE_LANG=de bundle exec rake redmine:load_default_data**//
* //**mkdir /run/thin**//
* //**chmod 755 /run/thin**//
* //**chown redmine:redmine /run/thin**//
* //**systemctl enable redmine.service**//
* //**systemctl start redmine.service**//
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/letsencrypt.conf;
server_name redmine.bytespeicher.org;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/redmine.bytespeicher.org/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;
root /home/redmine/redmine/public;
client_max_body_size 20m;
try_files $uri/index.html $uri.html $uri @app;
location @app {
include /etc/nginx/proxy_params;
proxy_pass http://unix:/run/thin/redmine.0.sock;
proxy_redirect off;
}
error_page 500 502 503 504 /500.html;
error_page 404 /404.html;
}
===== Dokuwiki =====
* DocumentRoot: /var/www/technikkultur-erfurt.de/public_html
* Data directory: /var/www/technikkultur-erfurt.de/data
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/filter_useragents.conf;
include snippets/letsencrypt.conf;
server_name technikkultur-erfurt.de www.technikkultur-erfurt.de;
if ($host = "www.technikkultur-erfurt.de") {
rewrite ^ https://technikkultur-erfurt.de$uri permanent;
}
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/example.org/privkey.pem;
ssl_dhparam /etc/ssl/example.org/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
# Maximum file upload size is 20MB - change accordingly if needed
client_max_body_size 20M;
client_body_buffer_size 128k;
root /var/www/technikkultur-erfurt.de/public_html;
index doku.php;
#Remember to comment the below out when you're installing, and uncomment it when done.
location ~ /(data/|conf/|bin/|inc/|install.php) {
deny all;
}
location / {
try_files $uri $uri/ @dokuwiki;
}
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
}
}
===== Pad =====
* Software: Etherpad-lite
* Database: etherpad-lite
Packages:
* nodejs
* npm
Plugins:
* ep_pad-lister
Installation:
[Unit]
Description=etherpad-lite (real-time collaborative document editing)
After=syslog.target network.target
[Service]
Type=simple
User=etherpad
Group=etherpad
ExecStart=/home/etherpad/etherpad/bin/run.sh
[Install]
WantedBy=multi-user.target
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name pad.technikkultur-erfurt.de;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;
ssl_certificate_key /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.key;
ssl_dhparam /etc/ssl/pad.technikkultur-erfurt.de/dhparam.pem;
ssl_trusted_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;
location / {
include /etc/nginx/proxy_params;
proxy_pass http://localhost:13378/;
proxy_set_header Host $host;
proxy_pass_header Server;
# careful: this line does not override a "proxy_buffering on" set in a conf.d/*.conf file
proxy_buffering off;
proxy_http_version 1.1; # recommended with keepalive connections
# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
The etherpad-lite start script looks for "node" as the Node.js server binary. On Debian the binary is called nodejs:
* //**cd /usr/bin/**//
* //**ln -s nodejs node**//
Plugin installation
* //**sudo -u etherpad /bin/bash**//
* //**cd ~/etherpad/**//
* //**npm install ep_pad-lister**//
Configuration
{
...
//IP and port which etherpad should bind at
"ip": "127.0.0.1",
"port" : 13378,
...
...
"dbType" : "mysql",
"dbSettings" : {
"user" : "etherpad-lite",
"host" : "localhost",
"password": "XXX",
"database": "etherpad-lite"
},
...
}
* //**systemctl enable etherpad-lite.service**//
* //**systemctl start etherpad-lite.service**//
Migrating dirty.db to MySQL:
* https://github.com/ether/etherpad-lite/wiki/Manipulating-the-database
===== wall.technikkultur-erfurt.de =====
* Config: /var/www/wall.technikkultur-erfurt.de/config.php
server {
listen 80;
listen [::]:80;
server_name wall.technikkultur-erfurt.de;
root /var/www/wall.technikkultur-erfurt.de/;
index index.php;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
}
}
===== opendata.bytespeicher.org =====
* Webspace: /var/www/opendata.bytespeicher.org/public_html
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/letsencrypt.conf;
root /var/www/opendata.bytespeicher.org/public_html;
index index.html;
server_name opendata.bytespeicher.org;
location / {
try_files $uri $uri/ =404;
}
# PHP
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
}
ssl on;
# Use SSL as default
# if ($scheme != "https") {
# rewrite ^ https://$host$uri permanent;
# }
# add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/opendata.bytespeicher.org/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem;
# Security options
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header Access-Control-Allow-Origin *;
}
===== Piwik =====
* Database: bs_piwik
* Config: /var/www/stats.technikkultur-erfurt.de/config/config.ini.php
server {
listen 80;
listen [::]:80;
server_name stats.technikkultur-erfurt.de;
root /var/www/stats.technikkultur-erfurt.de/;
index index.php;
location ~ \.php$ {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
}
}
===== Roundcube =====
* Database: roundcubemail
* Config: /var/www/mail.bytespeicher.org/config/config.inc.php
* //**mkdir /var/www/mail.bytespeicher.org/**//
* //**cd /var/www/mail.bytespeicher.org/**//
* //**wget -O /tmp/roundcube.tar.gz https://downloads.sourceforge.net/project/roundcubemail/roundcubemail/1.1.3/roundcubemail-1.1.3-complete.tar.gz**//
* //**tar -C /var/www/mail.bytespeicher.org/ --strip 1 -xf /tmp/roundcube.tar.gz**// (extract with -x from the file wget wrote above; -t would only list the archive)
* //**curl -sS https://getcomposer.org/installer | php**// (this executes an unverified download; compare the installer's SHA-384 with https://composer.github.io/installer.sig before running it)
* //**mv composer.json{-dist,}**//
* //**php composer.phar install --no-dev**//
* //**chown -R www-data:www-data /var/www/mail.bytespeicher.org**//
* mysql $> //**CREATE DATABASE roundcubemail;**//
* mysql $> //**GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcubemail@localhost IDENTIFIED BY '$$password$$';**//
* mysql $> //**FLUSH PRIVILEGES;**//
[...]
$config['db_dsnw'] = 'mysql://roundcubemail:$$password$$@localhost/roundcubemail';
$config['default_host'] = array('bytespeicher.org', 'technikkultur-erfurt.de');
$config['product_name'] = 'Bytespeicher Webmail';
$config['des_key'] = '$$random-24-char-des-key$$';
$config['plugins'] = array(
'archive',
'zipdownload',
'managesieve',
'additional_message_headers',
'attachment_reminder',
'emoticons',
'hide_blockquote',
'jqueryui',
'markasjunk',
'newmail_notifier',
'show_additional_headers',
'subscriptions_option',
'userinfo'
);
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
include snippets/letsencrypt.conf;
server_name mail.bytespeicher.org;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
ssl on;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/privkey.pem;
ssl_dhparam /etc/ssl/mail.bytespeicher.org/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
root /var/www/mail.bytespeicher.org/;
client_max_body_size 64m;
index index.php index.html;
location ~ ^/favicon.ico$ {
root /var/www/mail.bytespeicher.org/skins/default/images;
log_not_found off;
access_log off;
expires max;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
}
location ~ ^/(bin|SQL)/ {
deny all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.php$ {
try_files $uri =404;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
}
location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
expires 30d;
access_log off;
}
}
* Open https://mail.bytespeicher.org/installer/ in the browser and run the installer
* //**rm -rf /var/www/mail.bytespeicher.org/installer/**// (the installer exposes the configuration, so remove it as soon as setup is done)
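The deny rules in the DokuWiki vhost above and in this Roundcube vhost are only worth what nginx actually answers, so here is an added check script that is not part of the wiki or of either project: it fetches the paths the configs are supposed to block and fails if any of them is served. The host names are the ones on this page; the list of paths, the use of curl and the FETCH hook for running the checks without network access are my own choices.

```shell
#!/bin/sh
# Added example, not from the wiki: smoke-test the deny rules and the
# http->https redirect of the DokuWiki and Roundcube vhosts from outside.
# Host names are the ones on this page; the list of paths that must be
# blocked is my own choice, derived from the deny blocks in the configs
# plus Roundcube's temp/ and logs/ directories, which the config above
# does not deny explicitly.

# http_status URL -> prints the HTTP status code ("000" if unreachable).
# If FETCH names a command or shell function, it is used instead of curl,
# which is how the checks can be exercised without network access.
http_status() {
    if [ -n "${FETCH:-}" ]; then
        "$FETCH" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
    fi
}

# expect_status URL CODES -> 0 if the status is one of the '|'-separated
# CODES, otherwise prints a FAIL line (URL and actual code) and returns 1.
expect_status() {
    code=$(http_status "$1")
    case "|$2|" in
        *"|$code|"*) return 0 ;;
    esac
    echo "FAIL $1 -> $code (expected $2)" >&2
    return 1
}

# audit_vhosts -> 0 only if every check passed. Failures are counted rather
# than aborting at the first one, so one run lists every exposed path.
audit_vhosts() {
    fails=0
    # DokuWiki: plain http must redirect, the application internals must be denied
    expect_status http://technikkultur-erfurt.de/ '301|302' || fails=$((fails + 1))
    expect_status https://technikkultur-erfurt.de/ '200' || fails=$((fails + 1))
    for p in /data/pages/start.txt /conf/local.php /bin/ /inc/init.php /install.php; do
        expect_status "https://technikkultur-erfurt.de$p" '403' || fails=$((fails + 1))
    done
    # Roundcube: the deny regex matches exact file names, so README.md is
    # checked on its own; the installer must be gone after setup.
    for p in /bin/ /SQL/ /.htaccess /README.md /INSTALL /temp/ /logs/ /installer/; do
        expect_status "https://mail.bytespeicher.org$p" '403|404' || fails=$((fails + 1))
    done
    [ "$fails" -eq 0 ]
}

# Run the audit only when invoked as "sh audit.sh run", so the file can
# also be sourced for its functions.
if [ "${1:-}" = run ]; then
    audit_vhosts
fi
```

Run it as `sh audit.sh run` after every nginx change or from a cron job; a non-zero exit with FAIL lines on stderr names the URL that is exposed.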
===== Matrix/Synapse =====
* useradd -m synapse
* apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn
* mkdir /home/synapse/ssl
* chown synapse:synapse /home/synapse/ssl
* chmod 770 /home/synapse/ssl
* usermod -aG synapse letsencrypt (-a appends; a bare -G would replace the user's existing supplementary groups)
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name erfurt.chat www.erfurt.chat;
include snippets/letsencrypt.conf;
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
if ($host = "www.erfurt.chat") {
rewrite ^ https://erfurt.chat$uri permanent;
}
root /var/www/erfurt.chat;
client_max_body_size 32m;
location /_matrix {
proxy_pass http://127.0.0.1:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
ssl on;
# add_header Strict-Transport-Security "max-age=31536000";
add_header X-Frame-Options SAMEORIGIN;
ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;
ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem;
ssl_dhparam /etc/ssl/erfurt.chat/dhparam.pem;
ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;
access_log /var/log/nginx/erfurt.chat-access.log;
error_log /var/log/nginx/erfurt.chat-error.log;
}
# /etc/default/coturn
TURNSERVER_ENABLED=1
# /etc/turnserver.conf
external-ip=88.198.111.196
min-port=49152
max-port=59999
lt-cred-mech
use-auth-secret
static-auth-secret=[your secret key here]
realm=erfurt.chat
no-tcp
no-tls
no-tcp-relay
cert=/home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/cert.pem
pkey=/home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem
cipher-list="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128"
syslog
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=172.31.1.100
no-sslv2
no-sslv3
* service coturn restart
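To check the coturn setup independently of Synapse, the following added script (not from the wiki, coturn or Synapse) derives credentials the way use-auth-secret expects them: the username carries an expiry timestamp, and the password is the base64-encoded HMAC-SHA1 of that username under static-auth-secret, which is also what Synapse computes from turn_shared_secret. The secret and user names are placeholders, and the turnutils_uclient flags in the trailing comment are my reading of its usage text.

```shell
#!/bin/sh
# Added example, not from the wiki: derive time-limited TURN credentials the
# way Synapse does for a coturn running with use-auth-secret, so the TURN
# relay can be checked without a Matrix client. The secret below is a
# placeholder; the real one is static-auth-secret in turnserver.conf and
# turn_shared_secret in homeserver.yaml.

# turn_username USER TTL_SECONDS -> "<expiry-unix-time>:USER"
# coturn rejects the credential once the expiry has passed.
turn_username() {
    printf '%s:%s\n' "$(( $(date +%s) + $2 ))" "$1"
}

# turn_password SECRET USERNAME -> base64(HMAC-SHA1(SECRET, USERNAME))
# This is exactly what coturn recomputes and compares against.
turn_password() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" -binary | openssl base64 -A
}

# turn_credential_expired USERNAME -> 0 if the expiry in USERNAME is in the past
turn_credential_expired() {
    expiry=${1%%:*}
    [ "$expiry" -le "$(date +%s)" ]
}

# turn_credentials SECRET USER [TTL] -> prints "username password", a pair
# a client (or turnutils_uclient) can present to the relay.
turn_credentials() {
    u=$(turn_username "$2" "${3:-86400}")
    printf '%s %s\n' "$u" "$(turn_password "$1" "$u")"
}

# Example run against the relay from this page (assumed flags of coturn's
# turnutils_uclient: -u user, -w password, -e peer address, -v verbose;
# no -t, because the config above disables TCP):
#   set -- $(turn_credentials "$SECRET" alice)
#   turnutils_uclient -v -u "$1" -w "$2" -e 88.198.111.196 erfurt.chat
```

If the allocation succeeds with these credentials but Synapse clients still fail to set up calls, the shared secret in homeserver.yaml differs from static-auth-secret, or the advertised turn_uris do not match the transports coturn actually offers.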
* sudo -u synapse /bin/bash
* cd
* virtualenv -p python2.7 ~/.synapse
* source ~/.synapse/bin/activate
* pip install --upgrade pip
* pip install --upgrade setuptools
* pip install lxml
* pip install https://github.com/matrix-org/synapse/tarball/master
* cd ~/.synapse
* python -m synapse.app.homeserver --server-name erfurt.chat --config-path homeserver.yaml --generate-config --report-stats=no
--- homeserver.yaml.orig 2017-06-05 12:56:46.729514635 +0200
+++ homeserver.yaml 2018-04-17 13:40:25.760622831 +0200
@@ -4,10 +4,10 @@
# autogenerates on launch with your own SSL certificate + key pair
# if you like. Any required intermediary certificates can be
# appended after the primary certificate in hierarchical order.
-tls_certificate_path: "/home/synapse/.synapse/erfurt.chat.tls.crt"
+tls_certificate_path: "/home/synapse/ssl/fullchain.pem"
# PEM encoded private key for TLS
-tls_private_key_path: "/home/synapse/.synapse/erfurt.chat.tls.key"
+tls_private_key_path: "/home/synapse/ssl/privkey.pem"
# PEM dh parameters for ephemeral keys
tls_dh_params_path: "/home/synapse/.synapse/erfurt.chat.tls.dh"
@@ -50,7 +50,7 @@
pid_file: /home/synapse/.synapse/homeserver.pid
# Whether to serve a web client from the HTTP/HTTPS root resource.
-web_client: True
+web_client: False
# The root directory to server for the above web client.
# If left undefined, synapse will serve the matrix-angular-sdk web client.
@@ -59,7 +59,7 @@
# web_client_location: "/path/to/web/root"
# The public-facing base URL for the client API (not including _matrix/...)
-# public_baseurl: https://example.com:8448/
+public_baseurl: https://erfurt.chat:8448/
# Set the soft limit on the number of file descriptors synapse can use
# Zero is used to indicate synapse should set the soft limit to the
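Review bot: public_baseurl should be the URL clients actually use, and on this host that is the nginx proxy on 443 (location /_matrix proxies to 127.0.0.1:8008, and the riot config sets default_hs_url to https://erfurt.chat), not the 8448 federation listener; Synapse embeds public_baseurl in links it generates, for example in notification e-mails, so set `public_baseurl: https://erfurt.chat/` unless clients are meant to talk to 8448 directly.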
@@ -71,7 +71,9 @@
# Set the limit on the returned events in the timeline in the get
# and sync operations. The default value is -1, means no upper limit.
-# filter_timeline_limit: 5000
+
+## activated by maddi
+filter_timeline_limit: 500
# List of ports that Synapse should listen on, their purpose and their
# configuration.
@@ -85,11 +87,11 @@
# Local addresses to listen on.
# This will listen on all IPv4 addresses by default.
bind_addresses:
- - '0.0.0.0'
+ #- '0.0.0.0'
# Uncomment to listen on all IPv6 interfaces
# N.B: On at least Linux this will also listen on all IPv4
# addresses, so you will need to comment out the line above.
- # - '::'
+ - '::'
# This is a 'http' listener, allows us to specify 'resources'.
type: http
@@ -123,7 +125,7 @@
bind_addresses: ['0.0.0.0']
type: http
- x_forwarded: false
+ x_forwarded: True
resources:
- names: [client, webclient]
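Review bot: x_forwarded: True on a listener bound to 0.0.0.0 means anyone who can reach port 8008 directly can set X-Forwarded-For and choose the client IP that Synapse logs and rate-limits on; since nginx proxies to 127.0.0.1:8008, change `bind_addresses: ['0.0.0.0']` to `['127.0.0.1']` (or firewall 8008) so only the proxy can reach this listener.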
@@ -141,14 +143,18 @@
# Database configuration
database:
# The database engine name
- name: "sqlite3"
+ name: "psycopg2"
# Arguments to pass to the engine
args:
- # Path to the database
- database: "/home/synapse/.synapse/homeserver.db"
+ #user: synapse
+ database: synapse
+ #host: localhost
+ #password:
+ cp_min: 5
+ cp_max: 25
# Number of events to cache in memory.
-event_cache_size: "10K"
+event_cache_size: "1K"
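Review bot: with user, host and password commented out, psycopg2 connects over the local Unix socket and authenticates as the OS user synapse (peer auth), so the Postgres role must be called synapse and own the synapse database; a comment stating that dependency next to `#user: synapse` would save the next admin a debugging round. Cutting event_cache_size from 10K to 1K trades memory for extra database reads and deserves a "why" like the other "edit by maddi" notes.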
@@ -156,7 +162,7 @@
verbose: 0
# File to write logging to. Ignored if log_config is specified.
-log_file: "/home/synapse/.synapse/homeserver.log"
+log_file: "/home/synapse/.synapse/log/homeserver.log"
# A yaml python logging config file
log_config: "/home/synapse/.synapse/erfurt.chat.log.config"
@@ -171,7 +177,9 @@
rc_message_burst_count: 10.0
# The federation window size in milliseconds
-federation_rc_window_size: 1000
+## edit by maddi
+# federation_rc_window_size: 2000
+federation_rc_window_size: 2000
# The number of federation requests from a single server in a window
# before the server will delay processing the request.
@@ -183,14 +191,19 @@
# The maximum number of concurrent federation requests allowed
# from a single server
-federation_rc_reject_limit: 50
+## edit by maddi
+# federation_rc_reject_limit: 50
+federation_rc_reject_limit: 10
# The number of federation requests to concurrently process from a
# single server
-federation_rc_concurrent: 3
-
-
-
+#federation_rc_concurrent: 3
+## edit by maddi
+federation_rc_concurrent: 1
+
+## add by maddi
+federation_domain_whitelist: ['erfurt.chat','matrix.ffggrz.de','bau-ha.us','zner0l.de','byteschmeisser.de']
+
# Directory where uploaded images and attachments are stored.
media_store_path: "/home/synapse/.synapse/media_store"
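Review bot: federation_domain_whitelist limits federation in both directions to the five listed servers, yet the riot config.json further down still lists matrix.org under roomDirectory.servers, so users will see matrix.org rooms they cannot join; either add matrix.org to the whitelist or drop it from the directory. federation_rc_concurrent: 1 together with federation_rc_reject_limit: 10 will also make the whitelisted peers hit rejections during bursts.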
@@ -231,7 +244,7 @@
# Is the preview URL API enabled? If enabled, you *must* specify
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
-url_preview_enabled: False
+url_preview_enabled: True
# List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly
@@ -241,14 +254,14 @@
# synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues.
#
-# url_preview_ip_range_blacklist:
-# - '127.0.0.0/8'
-# - '10.0.0.0/8'
-# - '172.16.0.0/12'
-# - '192.168.0.0/16'
-# - '100.64.0.0/10'
-# - '169.254.0.0/16'
-#
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '169.254.0.0/16'
+
# List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted
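Review bot: the blacklist lists only IPv4 ranges, but this homeserver listens on '::' and nginx serves [::]:443, so the URL-preview spider can still be pointed at IPv6 loopback, link-local and ULA addresses; add '::1/128', 'fe80::/10' and 'fc00::/7', and consider the host's own public addresses (88.198.111.196/32 and 2a01:4f8:c17:1214::/64) so previews cannot reach services bound there.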
@@ -322,10 +335,10 @@
## Turn ##
# The public URIs of the TURN server to give to clients
-turn_uris: []
+turn_uris: [ "turn:erfurt.chat:3478?transport=udp", "turn:erfurt.chat:3478?transport=tcp" ]
# The shared secret used to compute passwords for the TURN server
-turn_shared_secret: "YOUR_SHARED_SECRET"
+turn_shared_secret: "$$$SECRET$$$"
# The Username and password if the TURN server needs them and
# does not use a token
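Review bot: turn_uris advertises transport=tcp, but the coturn config above sets no-tcp (and no-tls), so clients that pick the TCP URI will fail to allocate; either remove the tcp entry or drop no-tcp from turnserver.conf. The turn_shared_secret placeholder must also be byte-identical to static-auth-secret, since coturn recomputes the HMAC with it.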
@@ -346,7 +359,7 @@
## Registration ##
# Enable registration for new users.
-enable_registration: False
+enable_registration: True
# If set, allows registration by anyone who also has the shared
# secret, even if registration is otherwise disabled.
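Review bot: enable_registration: True opens account creation to anyone on the internet, and the federation whitelist does nothing to limit local signups; unless open registration is intended, keep it False and create accounts via registration_shared_secret, or at least set enable_registration_captcha: True with reCAPTCHA keys to slow bulk registration.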
@@ -360,7 +373,7 @@
# Allows users to register as guests without a password/email/etc, and
# participate in rooms hosted on this server which have been made
# accessible to anonymous users.
-allow_guest_access: False
+allow_guest_access: True
# The list of identity servers trusted to verify third party
# identifiers by this server.
@@ -388,7 +401,9 @@
# A list of application service config file to use
-app_service_config_files: []
+#app_service_config_files: [ "ircbridge_registration.yaml" ]
+## deactivated by maddi
+app_service_config_files: [ ]
macaroon_secret_key: "$$$SECRET$$$"
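Review bot: app_service_config_files is emptied here, so the IRC bridge configured further down is not attached to the homeserver and its registration file is ignored; if the bridge is deliberately disabled, the bridge section should say so, otherwise restore `[ "ircbridge_registration.yaml" ]` and keep that file readable only by the synapse user, since it holds the as_token and hs_token.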
@@ -402,7 +417,7 @@
signing_key_path: "/home/synapse/.synapse/erfurt.chat.signing.key"
# The keys that the server used to sign messages with but won't use
-# to sign new messages. E.g. it has lost its private key
+# to sign new messages. dE.g. it has lost its private key
old_signing_keys: {}
# "ed25519:auto":
# # Base64 encoded public key
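Review bot: the only change in this hunk is a typo introduced into a comment ("dE.g."); revert it so the diff against the upstream sample config stays clean.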
@@ -461,7 +476,8 @@
enabled: true
# Uncomment and change to a secret random string for extra security.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
- #pepper: ""
+ pepper: "$$$SECRET$$$"
+
@@ -473,20 +489,20 @@
# If your SMTP server requires authentication, the optional smtp_user &
# smtp_pass variables should be used
#
-#email:
-# enable_notifs: false
-# smtp_host: "localhost"
-# smtp_port: 25
-# smtp_user: "exampleusername"
-# smtp_pass: "examplepassword"
-# require_transport_security: False
-# notif_from: "Your Friendly %(app)s Home Server "
-# app_name: Matrix
-# template_dir: res/templates
-# notif_template_html: notif_mail.html
-# notif_template_text: notif_mail.txt
-# notif_for_new_users: True
-# riot_base_url: "http://localhost/riot"
+email:
+ enable_notifs: True
+ smtp_host: "localhost"
+ smtp_port: 587
+ smtp_user: "synapse@erfurt.chat"
+ smtp_pass: "$$$SECRET$$$"
+ require_transport_security: True
+ notif_from: "Your Friendly %(app)s Home Server "
+ app_name: Matrix
+ template_dir: /home/synapse/.synapse/res/templates/
+ notif_template_html: notif_mail.html
+ notif_template_text: notif_mail.txt
+ notif_for_new_users: True
+ riot_base_url: "https://erfurt.chat/riot"
# password_providers:
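Review bot: riot_base_url points at https://erfurt.chat/riot, but the riot-web tarball is unpacked straight into /var/www/erfurt.chat/, the vhost root, so links in notification mails would 404; use https://erfurt.chat/. With smtp_host localhost, port 587 and require_transport_security: True the local MTA must offer STARTTLS with a certificate the system trust store accepts, which is worth confirming once with a test notification.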
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
filters:
context:
(): synapse.util.logcontext.LoggingContextFilter
request: ""
handlers:
file:
class: logging.handlers.RotatingFileHandler
formatter: precise
filename: /home/synapse/.synapse/log/homeserver.log
maxBytes: 104857600
backupCount: 10
filters: [context]
console:
class: logging.StreamHandler
formatter: precise
filters: [context]
loggers:
synapse:
level: INFO
synapse.storage.SQL:
# beware: increasing this to DEBUG will make synapse log sensitive
# information such as access tokens.
level: INFO
root:
level: INFO
handlers: [file]
# handlers: [file, console]
[Unit]
Description=Synapse Matrix homeserver
[Service]
Type=simple
User=synapse
Group=synapse
#EnvironmentFile=-/etc/sysconfig/synapse
WorkingDirectory=/home/synapse/.synapse
ExecStart=/home/synapse/.synapse/bin/python2.7 -m synapse.app.homeserver --config-path=/home/synapse/.synapse/homeserver.yaml
[Install]
WantedBy=multi-user.target
* systemctl enable synapse
* systemctl start synapse
* wget -O /usr/src/vector-im-v0.10.1.tar.gz https://github.com/vector-im/riot-web/releases/download/v0.10.1/riot-v0.10.1.tar.gz
* mkdir /var/www/erfurt.chat/
* tar --strip-components=1 -xf /usr/src/vector-im-v0.10.1.tar.gz -C /var/www/erfurt.chat/
{
"default_hs_url": "https://erfurt.chat",
"default_is_url": "https://vector.im",
"brand": "erfurt.chat",
"integrations_ui_url": "https://scalar.vector.im/",
"integrations_rest_url": "https://scalar.vector.im/api",
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"enableLabs": true,
"roomDirectory": {
"servers": [
"erfurt.chat",
"matrix.org"
]
}
}
==== Matrix IRC Bridge ====
* curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
* apt-get install -y nodejs
* npm install matrix-appservice-irc --global
homeserver:
url: "https://erfurt.chat"
# CAUTION: This is a very coarse heuristic. Federated homeservers may have different
# clock times and hence produce different origin_server_ts values, which may be old
# enough to cause *all* events from the homeserver to be dropped.
# Default: 0 (don't ever drop)
# dropMatrixMessagesAfterSecs: 300 # 5 minutes
domain: "erfurt.chat"
ircService:
servers:
"irc.hackint.org":
name: "Hackint"
networkId: "hackint"
port: 9999
ssl: true
sslselfsign: true
ca: |
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
# The connection password to send for all clients as a PASS command. Optional.
# password: 'pa$$w0rd'
sendConnectionMessages: false
quitDebounce:
# Whether parts due to net-splits are debounced for delayMs, to allow
# time for the netsplit to resolve itself. A netsplit is detected as being
# a QUIT rate higher than quitsPerSecond. Default: false.
enabled: false
# The maximum number of quits per second acceptable above which a netsplit is
# considered ongoing. Default: 5.
quitsPerSecond: 5
# The time window in which to wait before bridging a QUIT to Matrix that occurred during
# a netsplit. Debouncing is jittered randomly between delayMinMs and delayMaxMs so that HS
# is not sent many requests to leave rooms all at once if a netsplit occurs and many
# people to not rejoin.
# If the user with the same IRC nick as the one who sent the quit rejoins a channel
# they are considered back online and the quit is not bridged, so long as the rejoin
# occurs before the randomly-jittered timeout is not reached.
# Default: 3600000, = 1h
delayMinMs: 3600000 # 1h
# Default: 7200000, = 2h
delayMaxMs: 7200000 # 2h
modePowerMap:
o: 50
botConfig:
enabled: true
nick: "MatrixBot"
password: "$$$$SECRET$$$$"
joinChannelsIfNoUsers: true
privateMessages:
enabled: true
# exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
federate: true
# Configuration for mappings not explicitly listed in the 'mappings'
# section.
dynamicChannels:
# Enable the ability for Matrix users to join *any* channel on this IRC
# network.
# Default: false.
enabled: true
# Should the AS create a room alias for the new Matrix room? The form of
# the alias can be modified via 'aliasTemplate'. Default: true.
createAlias: true
# Should the AS publish the new Matrix room to the public room list so
# anyone can see it? Default: true.
published: true
# What should the join_rule be for the new Matrix room? If 'public',
# anyone can join the room. If 'invite', only users with an invite can
# join the room. Note that if an IRC channel has +k or +i set on it,
# join_rules will be set to 'invite' until these modes are removed.
# Default: "public".
joinRule: public
# Should created Matrix rooms be federated? If false, only users on the
# HS attached to this AS will be able to interact with this room.
# Default: true.
federate: true
# The room alias template to apply when creating new aliases. This only
# applies if createAlias is 'true'. The following variables are exposed:
# $SERVER => The IRC server address (e.g. "irc.example.com")
# $CHANNEL => The IRC channel (e.g. "#python")
# This MUST have $CHANNEL somewhere in it.
# Default: '#irc_$SERVER_$CHANNEL'
#aliasTemplate: "#irc_$CHANNEL"
# A list of user IDs which the AS bot will send invites to in response
# to a !join. Only applies if joinRule is 'invite'. Default: []
# whitelist:
# - "@foo:example.com"
# - "@bar:example.com"
#
# Prevent the given list of channels from being mapped under any
# circumstances.
# exclude: ["#foo", "#bar"]
# Configuration for controlling how Matrix and IRC membership lists are
# synced.
membershipLists:
# Enable the syncing of membership lists between IRC and Matrix. This
# can have a significant effect on performance on startup as the lists are
# synced. This must be enabled for anything else in this section to take
# effect. Default: false.
enabled: true
# Syncing membership lists at startup can result in hundreds of members to
# process all at once. This timer drip feeds membership entries at the
# specified rate. Default: 10000. (10s)
floodDelayMs: 10000
global:
ircToMatrix:
# Get a snapshot of all real IRC users on a channel (via NAMES) and
# join their virtual matrix clients to the room.
initial: true
# Make virtual matrix clients join and leave rooms as their real IRC
# counterparts join/part channels. Default: false.
incremental: true
matrixToIrc:
# Get a snapshot of all real Matrix users in the room and join all of
# them to the mapped IRC channel on startup. Default: false.
initial: true
# Make virtual IRC clients join and leave channels as their real Matrix
# counterparts join/leave rooms. Make sure your 'maxClients' value is
# high enough! Default: false.
incremental: true
# Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
rooms:
- room: "!fuasirouddJoxtwfge:localhost"
matrixToIrc:
initial: false
incremental: false
# Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
channels:
- channel: "#foo"
ircToMatrix:
initial: false
incremental: false
mappings:
# 1:many mappings from IRC channels to room IDs on this IRC server.
# The matrix room must already exist. Your matrix client should expose
# the room ID in a "settings" page for the room.
#"#bytespeicher-testing": ["", "!SUxMWVVxsKCFfBsKrR:unikorn.me"]
"#bytespeicher": ["!bGHdpETBTpNZzPzIDo:erfurt.chat"]
# Configuration for virtual matrix users. The following variables are
# exposed:
# $NICK => The IRC nick
# $SERVER => The IRC server address (e.g. "irc.example.com")
matrixClients:
# The user ID template to use when creating virtual matrix users. This
# MUST have $NICK somewhere in it.
# Optional. Default: "@$SERVER_$NICK".
# Example: "@irc.example.com_Alice:example.com"
userTemplate: "@irc_$NICK"
# The display name to use for created matrix clients. This should have
# $NICK somewhere in it if it is specified. Can also use $SERVER to
# insert the IRC domain.
# Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
displayName: "$NICK (IRC)"
# Configuration for virtual IRC users. The following variables are exposed:
# $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
# $USERID => The user ID
# $DISPLAY => The display name of this user, with excluded characters
# (e.g. space) removed. If the user has no display name, this
# falls back to $LOCALPART.
ircClients:
# The template to apply to every IRC client nick. This MUST have either
# $DISPLAY or $USERID or $LOCALPART somewhere in it.
# Optional. Default: "M-$DISPLAY". Example: "M-Alice".
nickTemplate: "$DISPLAY[m]"
# True to allow virtual IRC clients to change their nick on this server
# by issuing !nick commands to the IRC AS bot.
# This is completely freeform: it will NOT follow the nickTemplate.
allowNickChanges: true
# The max number of IRC clients that will connect. If the limit is
# reached, the client that spoke the longest time ago will be
# disconnected and replaced.
# Optional. Default: 30.
maxClients: 30
# IPv6 configuration.
ipv6:
# Optional. Set to true to force IPv6 for outgoing connections.
only: false
# Optional. The IPv6 prefix to use for generating unique addresses for each
# connected user. If not specified, all users will connect from the same
# (default) address. This may require additional OS-specific work to allow
# for the node process to bind to multiple different source addresses
# e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
# https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
prefix: "2a01:4f8:c17:1214::1:" # modify appropriately
#
# The maximum amount of time in seconds that the client can exist
# without sending another message before being disconnected. Use 0 to
# not apply an idle timeout. This value is ignored if this IRC server is
# mirroring matrix membership lists to IRC. Default: 172800 (48 hours)
idleTimeout: 10800
# The number of milliseconds to wait between consecutive reconnections if a
# client gets disconnected. Setting to 0 will cause the scheduling to be
# disabled, i.e. it will be scheduled immediately (with jitter).
# Otherwise, the scheduling interval will be used such that one client
# reconnect for this server will be handled every reconnectIntervalMs ms using
# a FIFO queue.
# Default: 5000 (5 seconds)
reconnectIntervalMs: 5000
# The number of lines to allow being sent by the IRC client that has received
# a large block of text to send from matrix. If the number of lines that would
# be sent is > lineLimit, the text will instead be uploaded to matrix and the
# resulting URI is treated as a file. As such, a link will be sent to the IRC
# side instead of potentially spamming IRC and getting the IRC client kicked.
# Default: 3.
lineLimit: 3
# A list of user modes to set on every IRC client. For example, "RiG" would set
# +R, +i and +G on every IRC connection when they have successfully connected.
# User modes vary wildly depending on the IRC network you're connecting to,
# so check before setting this value. Some modes may not work as intended
# through the bridge e.g. caller ID as there is no way to /ACCEPT.
# Default: "" (no user modes)
# userModes: "R"
# Configuration for an ident server. If you are running a public bridge it is
# advised you setup an ident server so IRC mods can ban specific matrix users
# rather than the application service itself.
ident:
# True to listen for Ident requests and respond with the
# matrix user's user_id (converted to ASCII, respecting RFC 1413).
# Default: false.
enabled: false
# The port to listen on for incoming ident requests.
# Ports below 1024 require root to listen on, and you may not want this to
# run as root. Instead, you can get something like an Apache to yank up
# incoming requests to 113 to a high numbered port. Set the port to listen
# on instead of 113 here.
# Default: 113.
port: 1113
# Configuration for logging. Optional. Default: console debug level logging
# only.
logging:
# Level to log on console/logfile. One of error|warn|info|debug
level: "debug"
# The file location to log to. This is relative to the project directory.
logfile: "debug.log"
# The file location to log errors to. This is relative to the project
# directory.
errfile: "errors.log"
# Whether to log to the console or not.
toConsole: true
# The max size each file can get to in bytes before a new file is created.
maxFileSizeBytes: 134217728 # 128 MB
# The max number of files to keep. Files will be overwritten eventually due
# to rotations.
maxFiles: 5
# Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
# $ npm install prom-client@6.3.0
# Metrics will then be available via GET /metrics on the bridge listening port (-p).
# metrics:
# enabled: true
# The nedb database URI to connect to. This is the name of the directory to
# dump .db files to. This is relative to the project directory.
# Required.
databaseUri: "nedb://data"
# Configuration options for the debug HTTP API. To access this API, you must
# append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests.
#
# The debug API exposes the following endpoints:
#
# GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID.
#
# POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection.
# Format: new line delimited commands as per IRC protocol.
#
debugApi:
# True to enable the HTTP API endpoint. Default: false.
enabled: false
# The port to host the HTTP API.
port: 11100
# Configuration for the provisioning API.
#
# GET /_matrix/provision/link
# GET /_matrix/provision/unlink
# GET /_matrix/provision/listlinks
#
provisioning:
# True to enable the provisioning HTTP endpoint. Default: false.
enabled: false
# The number of seconds to wait before giving up on getting a response from
# an IRC channel operator. If the channel operator does not respond within the
# allotted time period, the provisioning request will fail.
# Default: 300 seconds (5 mins)
requestTimeoutSeconds: 300
# WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
# send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
# the database.
#
# To generate a .pem file:
# $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
#
# The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
# for storage in the database. Passwords are stored by using the admin room command
# `!storepass server.name passw0rd`. When a connection is made to IRC on behalf of
# the Matrix user, this password will be sent as the server password (PASS command).
passwordEncryptionKeyPath: "passkey.pem"
[Unit]
Description=Matrix IRC Bridge
[Service]
Type=simple
User=synapse
Group=synapse
#EnvironmentFile=-/etc/sysconfig/synapse
WorkingDirectory=/home/synapse/.synapse
ExecStart=/usr/local/bin/matrix-appservice-irc -c ircbridge_config.yaml -f ircbridge_registration.yaml -p 9999
[Install]
WantedBy=multi-user.target
* matrix-appservice-irc -r -f ircbridge_registration.yaml -u "http://erfurt.chat:9999" -c ircbridge_config.yaml -l ircbridge
* systemctl enable matrix-irc-bridge.service
* systemctl start matrix-irc-bridge.service
==== Upgrade to Postgres ====
* wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
* echo deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main > /etc/apt/sources.list.d/pgdg.list
* apt update
* apt install postgresql-10 postgresql-client-10 libpq-dev
* sudo -u postgres createuser -e synapse
* sudo -u postgres psql -c "CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;"
* service synapse stop
* cp -a /home/synapse/.synapse/homeserver.db{,.snapshot}
* cp -a /home/synapse/.synapse/homeserver{,-postgres}.yaml
[...]
# Database configuration
database:
    # The database engine name
    name: "psycopg2"
    # Arguments to pass to the engine
    args:
        database: synapse
        cp_min: 5
        cp_max: 25
[...]
* service synapse start
* sudo -u synapse bash
* source ~/.synapse/bin/activate
* pip install psycopg2
* cd ~/.synapse
* synapse_port_db --sqlite-database homeserver.db.snapshot --postgres-config homeserver-postgres.yaml
* (as root) service synapse stop
* synapse_port_db --sqlite-database homeserver.db --postgres-config homeserver-postgres.yaml
* mv homeserver.yaml{,.old-sqlite}
* mv homeserver{-postgres,}.yaml
* mv homeserver.db{,.unused}
* exit
* service synapse start
https://github.com/matrix-org/synapse/pull/3099 was applied as well.
==== External Synapse documentation ====
* https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation
* https://github.com/matrix-org/synapse/blob/master/README.rst#setting-up-federation
* https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.rst
===== users.bytespeicher.org =====
server {
    listen 80;
    listen [::]:80;
    index index.html;
    server_name users.bytespeicher.org;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ ^/~(.+?)(/.*)?$ {
        alias /home/$1/public_html$2;
        index index.html index.htm;
        autoindex on;
    }
}
====== Backups ======
Backups are stored encrypted on a server run by [[user:mape2k]] and a server run by [[user:mkzero]]:
* 1 full backup per week
* Incremental backups daily
* Retention period: 4 weeks
Packages:
* duply
* duplicity
* lftp
Installation according to the following guide: [[https://wiki.fem.tu-ilmenau.de/public/technik/howto/duply]]
* Set up the MySQL dump script at /usr/local/bin/mysql-dump
* duply mape2k-backup create
Configuration:
# GPG_KEY='_KEY_ID_'
GPG_PW=''
GPG_KEY_SIGN='58252DC6'
GPG_KEYS_ENC='DD379EDC'
GPG_PW_SIGN='XXXXXXXXXXXXXXX'
TARGET='ftps://XXXXX.YYY.ZZ/'
TARGET_USER='bytecluster0001.bytespeicher.org'
TARGET_PASS='XXXXXX'
# base directory to backup
SOURCE='/'
MAX_AGE=4W
MAX_FULL_BACKUPS=4
MAX_FULLBKP_AGE=1W
DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
VOLSIZE=250
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "
#VERBOSITY=5
# GPG_KEY='_KEY_ID_'
GPG_PW=''
GPG_KEY_SIGN='58252DC6'
GPG_KEYS_ENC='DD379EDC'
GPG_PW_SIGN='XXXXXXXXXXXXXXX'
TARGET='sftp://XXXXX.YYY.ZZ/'
TARGET_USER='bytespeicher'
TARGET_PASS='XXXXXX'
# base directory to backup
SOURCE='/'
MAX_AGE=4W
MAX_FULL_BACKUPS=4
MAX_FULLBKP_AGE=1W
DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
VOLSIZE=250
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "
#VERBOSITY=5
Directory exclusions:
+ /tmp/mysqldump
- /dev
- /sys
- /proc
- /run
- /tmp
- /var/tmp
- /root/.cache
- /root/backup
Set up a user for backing up the databases:
CREATE USER 'backup'@'localhost' IDENTIFIED BY 'PASSWORT';
GRANT USAGE ON * . * TO 'backup'@'localhost' IDENTIFIED BY 'PASSWORT' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
REVOKE ALL PRIVILEGES ON * . * FROM 'backup'@'localhost';
REVOKE GRANT OPTION ON * . * FROM 'backup'@'localhost';
GRANT SELECT, SHOW DATABASES, LOCK TABLES, SHOW VIEW ON * . * TO 'backup'@'localhost' WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
FLUSH PRIVILEGES;
Additional dump of the databases _before_ the backup run:
mkdir -p /tmp/mysqldump
/usr/local/bin/mysql-dump
/bin/rm -rf /tmp/mysqldump
[client]
user=backup
password="PASSWORT"
host=localhost
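The page only names the dump script; the following is an added example of what such a /usr/local/bin/mysql-dump could look like, not the script installed on bytecluster0001. It assumes the [client] block above lives in an option file (assumed path /root/.my.cnf-backup) and that the duply pre-script calls it with an explicit `run` argument.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/mysql-dump (added example, not the script installed on
# bytecluster0001). Called from the duply pre-script after "mkdir -p /tmp/mysqldump",
# it dumps every user database with the read-only 'backup' account from above.
set -eu

DUMP_DIR="${DUMP_DIR:-/tmp/mysqldump}"
# Assumed path of an option file holding the [client] block shown above. Reading the
# password from a 0600 file keeps it out of the process list and the crontab.
OPTFILE="${OPTFILE:-/root/.my.cnf-backup}"

# Drop schemas that are not user data or that a SELECT-only user cannot dump cleanly.
filter_databases() {
    grep -Ev '^(information_schema|performance_schema|sys|mysql)$' || true
}

# Build the dump filename for a database; names containing '/' or starting with '.'
# are rejected so a database name can never steer the write outside DUMP_DIR.
dump_path() {
    case "${1:-}" in
        ''|*/*|.*) return 1 ;;
    esac
    printf '%s/%s.sql.gz\n' "$DUMP_DIR" "$1"
}

dump_all() {
    umask 077                    # dump files are readable by root only
    chmod 700 "$DUMP_DIR"        # /tmp is world-writable, the dump directory is not
    # Assignment (not a pipe) so a failing mysql aborts the script under set -e.
    dbs=$(mysql --defaults-extra-file="$OPTFILE" -N -B -e 'SHOW DATABASES')
    printf '%s\n' "$dbs" | filter_databases | while read -r db; do
        if ! out=$(dump_path "$db"); then
            echo "mysql-dump: skipping database with unsafe name: $db" >&2
            continue
        fi
        # --single-transaction gives a consistent InnoDB snapshot with SELECT only;
        # without it mysqldump falls back to LOCK TABLES, which is granted above.
        mysqldump --defaults-extra-file="$OPTFILE" --single-transaction "$db" \
            | gzip > "$out"
    done
}

# The dump itself runs only on an explicit "run" so the helpers can be exercised
# without a MySQL server; the pre-script would call "/usr/local/bin/mysql-dump run".
case "${1:-}" in
    run) dump_all ;;
    *)   echo "usage: $0 run" >&2 ;;
esac
```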
Backup via cron job:
# Backup (mape2k)
0 4 * * 1 root HOME=/root && duply mape2k-backup cleanup_purge_purge-full --extra-clean --force
30 4 * * * root HOME=/root && duply mape2k-backup backup
# Backup (mkzero)
0 2 * * 1 root HOME=/root && duply mkzero-backup cleanup_purge_purge-full --extra-clean --force
30 2 * * * root HOME=/root && duply mkzero-backup backup
====== Mailboxes and forwarding accounts ======
Postfix is used as the mail server.
Aliases for forwarding mailboxes are stored in the file ''/etc/postfix/virtual''. Changes take effect only after running ''postmap /etc/postfix/virtual''.
[more documentation needed…]
===== Create a mailbox =====
* Generate the password with ''doveadm pw -s ssha''.
* Enter the password hash together with the FQDN mail address in /etc/dovecot/users.
* Change to the mail directory, create the mailbox folder and adjust owner and permissions:
* ''chown vmail:vmail postfach''
* ''chmod 700 postfach''
* ''systemctl restart dovecot''