dienste:bytecluster0001

Differences

This view shows the differences between two revisions of the page.


dienste:bytecluster0001 [21.12.2016 00:56] – pad list mape2k dienste:bytecluster0001 [03.05.2020 17:51] (current) – limit raised to 20MB mape2k
Zeile 1: Zeile 1:
-====== bytecluster0001 ======+======= bytecluster0001 =======
  
-bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. Der Server wurde von der Firma Hetzner Online GmbH dankenswerter Weise zur Verfügung gestellt.+bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt.
  
-===== Administratoren =====+====== Administratoren ======
  
   * [[user:mape2k]]   * [[user:mape2k]]
   * [[user:mkzero:]]   * [[user:mkzero:]]
   * [[user:suicider]]   * [[user:suicider]]
 +  * [[user:hipposen:start|hipposen]]
  
-===== Benutzer =====+====== Benutzer ======
  
   * Bernd (Webseiten)   * Bernd (Webseiten)
  
-===== IPs /DNS =====+====== IPs /DNS ======
  
   * bytecluster0001.bytespeicher.org   * bytecluster0001.bytespeicher.org
Zeile 19: Zeile 20:
     * 2a01:4f8:c17:1214::2     * 2a01:4f8:c17:1214::2
  
-===== Installation =====+====== Installation ======
  
   * Debian 8.2 minimal   * Debian 8.2 minimal
  
-==== User / Gruppen ====+===== User / Gruppen =====
  
   * mkzero -> sudo   * mkzero -> sudo
   * marcel -> sudo   * marcel -> sudo
 +  * maddi -> sudo
   * stephan -> sudo   * stephan -> sudo
   * bernd -> sudo für www-data   * bernd -> sudo für www-data
   * bytebot   * bytebot
   * twitterstatus   * twitterstatus
 +  * twitterstatus-ms
   * spacestatus   * spacestatus
   * redmine   * redmine
   * ffapi   * ffapi
- +  * synapse 
-==== Pakete ====+===== Pakete =====
  
   * zsh   * zsh
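Review bot: the Installation section still says "Debian 8.2 minimal" in a revision dated 03.05.2020, yet the same revision adds a synapse user and, further down, Matrix and TURN firewall rules. Debian 8 (jessie) left LTS security support on 2020-06-30, so either the host was upgraded and this line is stale, or it is about to run Internet-facing services without security updates. State the actual release (cat /etc/debian_version) here and, if it is still jessie, note the planned upgrade.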
Zeile 44: Zeile 47:
   * mc   * mc
   * debian-goodies   * debian-goodies
-==== Konfiguration SSH ====+ 
 +===== Netzwerk ===== 
 +==== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) ==== 
 +<file|/usr/local/bin/manage_ipv6_addresses.sh> 
 +#!/bin/bash 
 + 
 +ACTION=$1 
 +BASEADDR=$2 
 +NETMASK=$3 
 +COUNT=$4 
 +INTERFACE=$5 
 + 
 +for i in $(seq 1 $COUNT); do 
 +  ip -6 address $ACTION $(printf "%s:%04x/%s" $BASEADDR $i $NETMASK) dev $INTERFACE 
 +done 
 +</file> 
 + 
 +  * //**chmod +x /usr/local/bin/manage_ipv6_addresses.sh**// 
 + 
 +==== Konfiguration ==== 
 + 
 +<file|/etc/network/interfaces> 
 +# Loopback device: 
 +auto lo 
 +iface lo inet loopback 
 + 
 +# device: eth0 
 +auto  eth0 
 +iface eth0 inet dhcp 
 + 
 +iface eth0 inet6 static 
 +  address 2a01:4f8:c17:1214::
 +  netmask 64 
 +  gateway fe80::1 
 +  # 128 IPv6-Addressen mit Prefix "2a01:4f8:c17:1214::1:/64" anlegen 
 +  post-up /usr/local/bin/manage_ipv6_addresses.sh add 2a01:4f8:c17:1214::1 64 128 eth0 
 +  pre-down /usr/local/bin/manage_ipv6_addresses.sh delete 2a01:4f8:c17:1214::1 64 128 eth0 
 +</file> 
 + 
 +===== Konfiguration SSH =====
  
   * HostKey DSA entfernt   * HostKey DSA entfernt
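Review bot: manage_ipv6_addresses.sh hands all five positional arguments to ip unquoted and unchecked, so ACTION is passed through verbatim and a missing COUNT or INTERFACE produces a malformed ip command rather than an error; add `set -eu`, a `[ "$#" -eq 5 ] || exit 1` guard and `case "$ACTION" in add|delete) ;; *) exit 1 ;; esac` at the top, and quote the variables. Two smaller points in the same hunk: `post-up ... add` fails with "RTNETLINK answers: File exists" when an address is already present (for example after a manual run), and ifup then treats the interface as failed, so consider `ip -6 address replace` on the add path or tolerate that error; and the line `address 2a01:4f8:c17:1214::` in /etc/network/interfaces ends in `::` while the IPs/DNS section lists 2a01:4f8:c17:1214::2, which looks like a lost host part, please check.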
Zeile 61: Zeile 103:
 </file> </file>
  
-==== SUDO ====+===== SUDO =====
  
   * Administrative Benutzer sind Mitglied der Gruppe "sudo"   * Administrative Benutzer sind Mitglied der Gruppe "sudo"
  
-==== IPTABLES ====+===== IPTABLES =====
  
   * iptables-persistent   * iptables-persistent
Zeile 86: Zeile 128:
 # Localhorst # Localhorst
 -A INPUT -s 127.0.0.0/8 -j ACCEPT -A INPUT -s 127.0.0.0/8 -j ACCEPT
 +
 +# Turnserver
 +-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
  
 # SSH / mosh # SSH / mosh
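Review bot: the TURN rules open UDP only. 3478 is also the port for TURN over TCP and 5349 is by convention the TLS-over-TCP port (turns:), so if coturn has a tls-listening-port configured, clients on networks that block UDP (the main reason to run a TURN relay at all) still cannot connect; add `-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT` and the same for 5349 if those listeners exist. The relay range 49152:59999 must match coturn's min-port/max-port, otherwise either allocations are blocked by the firewall or ports are open that nothing listens on. The ip6tables hunk further down repeats the same three rules and needs the same treatment.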
Zeile 106: Zeile 153:
 -A INPUT -p tcp --dport 4190 -j ACCEPT -A INPUT -p tcp --dport 4190 -j ACCEPT
  
 +# Matrix
 +-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
 +-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
 COMMIT COMMIT
 </file> </file>
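Review bot: opening TCP 8008 to the world is questionable. 8008 is the Synapse default for the plaintext client listener; 8448 is the federation port on which Synapse terminates TLS itself, which matches the certificate copy into /home/synapse/ssl in the Let's Encrypt hook below. Unless the 8008 listener also has TLS enabled, client traffic, access tokens included, can reach the homeserver unencrypted. Either bind that listener to 127.0.0.1, proxy it through the existing nginx TLS configuration and drop this rule, or document here that 8008 is a TLS listener.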
Zeile 125: Zeile 175:
 # Garbage # Garbage
 -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state INVALID -j DROP
 +
 +# Turnserver
 +-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
 +-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
  
 # SSH / mosh # SSH / mosh
Zeile 145: Zeile 200:
 -A INPUT -p tcp --dport 4190 -j ACCEPT -A INPUT -p tcp --dport 4190 -j ACCEPT
  
 +# Matrix
 +-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
 +-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
 COMMIT COMMIT
 </file> </file>
  
-==== MySQL/MariaDB ====+===== MySQL/MariaDB =====
  
   * mariadb-server   * mariadb-server
Zeile 190: Zeile 248:
 </file> </file>
  
-==== NGINX ====+===== NGINX =====
  
   * nginx   * nginx
  
 +<file|/etc/nginx/conf.d/ssl.conf>
 +ssl_protocols TLSv1.2;
 +ssl_prefer_server_ciphers on;
 +
 +ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
 +ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
 +
 +ssl_session_cache shared:SSL:10m;
 +ssl_session_timeout 10m;
 +
 +ssl_session_tickets off; # Requires nginx >= 1.5.9
 +ssl_stapling on; # Requires nginx >= 1.3.7
 +ssl_stapling_verify on; # Requires nginx => 1.3.7
 +
 +#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 +add_header X-Frame-Options DENY;
 +add_header X-Content-Type-Options nosniff;
 +
 +resolver 213.133.98.98 213.133.99.99 valid=300s;
 +resolver_timeout 5s;
 +</file>
 <file|/etc/nginx/patch> <file|/etc/nginx/patch>
-diff -Naur /etc/nginx.dist/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf 
---- /etc/nginx.dist/conf.d/ssl.conf 1970-01-01 01:00:00.000000000 +0100 
-+++ /etc/nginx/conf.d/ssl.conf 2015-11-04 22:41:34.269315957 +0100 
-@@ -0,0 +1,12 @@ 
-+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; 
-+ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-+ssl_prefer_server_ciphers on; 
-+ssl_session_cache shared:SSL:10m; 
-+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; 
-+add_header X-Frame-Options DENY; 
-+add_header X-Content-Type-Options nosniff; 
-+ssl_session_tickets off; # Requires nginx >= 1.5.9 
-+ssl_stapling on; # Requires nginx >= 1.3.7 
-+ssl_stapling_verify on; # Requires nginx => 1.3.7 
-+resolver 213.133.98.98 213.133.99.99 valid=300s; 
-+resolver_timeout 5s; 
 diff -Naur /etc/nginx.dist/nginx.conf /etc/nginx/nginx.conf diff -Naur /etc/nginx.dist/nginx.conf /etc/nginx/nginx.conf
 --- /etc/nginx.dist/nginx.conf 2014-12-01 12:12:00.000000000 +0100 --- /etc/nginx.dist/nginx.conf 2014-12-01 12:12:00.000000000 +0100
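Review bot: `ssl_ecdh_curve secp384r1` pins the key exchange to a single curve, so prime256v1 (the most widely supported one) and X25519 are refused. The nginx shipped with Debian 8 (1.6.x) accepts only one named curve, so this is a deliberate trade-off for now, but once nginx is 1.11.0 or newer with OpenSSL 1.0.2+ it should become a list such as `ssl_ecdh_curve X25519:secp384r1:prime256v1;` or simply the default auto. Smaller point: with the HSTS line commented out at this level, every server block now has to set the header itself (they do, with max-age=31536000), so the max-age=63072000/preload variant kept here is dead config; either delete it or make it the single shared setting.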
Zeile 236: Zeile 299:
 </file> </file>
  
-==== Let's Encrypt (SSL-Zertifikate) ====+===== Let's Encrypt (SSL-Zertifikate) =====
  
 === Installation === === Installation ===
Zeile 280: Zeile 343:
     # Reload NGINX     # Reload NGINX
     sudo /bin/systemctl reload nginx.service     sudo /bin/systemctl reload nginx.service
 +
 +    # Copy erfurt.chat-Certificate/Key to synapse-directory
 +    if [ ${DOMAIN} = "erfurt.chat" ]; then
 +      cp -L ${KEYFILE} /home/synapse/ssl/
 +      cp -L ${CERTFILE} /home/synapse/ssl/
 +      cp -L ${FULLCHAINFILE} /home/synapse/ssl/
 +      chgrp synapse /home/synapse/ssl/*.pem
 +      chmod 640 /home/synapse/ssl/*.pem
 +    fi
  
     # Restart Postfix/Dovecot     # Restart Postfix/Dovecot
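Review bot: the erfurt.chat branch copies the new key and chain into /home/synapse/ssl but never tells Synapse, so the homeserver keeps serving the previous certificate on 8448 until something else restarts it; add a restart of the synapse service (or a SIGHUP, which recent Synapse versions use to reload the certificate) next to the nginx reload. Also, chgrp synapse only succeeds if the user running this hook, letsencrypt according to the crontab below, is a member of group synapse; and `[ ${DOMAIN} = "erfurt.chat" ]` should be `[ "${DOMAIN}" = "erfurt.chat" ]` so an empty DOMAIN yields false instead of a syntax error.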
Zeile 305: Zeile 377:
 23 4 * * *     letsencrypt  /home/letsencrypt/letsencrypt.sh/letsencrypt.sh -c > /home/letsencrypt/letsencrypt.log 2>&1 23 4 * * *     letsencrypt  /home/letsencrypt/letsencrypt.sh/letsencrypt.sh -c > /home/letsencrypt/letsencrypt.log 2>&1
 </file> </file>
-=== Verwendung des Let'sEncrypt Client für eine neue Domain ===+=== Verwendung des LetsEncrypt Client für eine neue Domain ===
  
 Pro Zertifikat können mehrere Domains/Subdomains integriert werden. Diese müssen in der domains.txt in einer Zeile stehen. Pro Zertifikat können mehrere Domains/Subdomains integriert werden. Diese müssen in der domains.txt in einer Zeile stehen.
Zeile 331: Zeile 403:
   ...   ...
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff; 
  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
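Review bot: removing `add_header X-Content-Type-Options nosniff;` from this template does not move it into conf.d/ssl.conf in practice. nginx inherits add_header from the http level only into blocks that declare no add_header at all; this server block still sets Strict-Transport-Security and X-Frame-Options, so it sends exactly those two headers and nosniff (and the X-Frame-Options DENY default from ssl.conf) never reaches the client. Either keep the nosniff line in every server block that sets its own headers, or move all of the add_header lines into the shared file and delete them from the site blocks. The ssl_session_*, ssl_protocols, ssl_ciphers and ssl_stapling removals are fine: those directives inherit normally.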
Zeile 347: Zeile 411:
   ssl_dhparam /etc/ssl/example.org/dhparam.pem;   ssl_dhparam /etc/ssl/example.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
   ...   ...
Zeile 356: Zeile 418:
     * **//systemctl reload nginx.service//**     * **//systemctl reload nginx.service//**
  
-==== PHP ====+===== User-Agent-Filter ===== 
 +<file|/etc/nginx/snippets/filter_useragents.conf> 
 +### Block Mastodon 
 +if ($http_user_agent ~* (Mastodon)) { 
 +    return 403; 
 +
 +</file> 
 +===== PHP =====
  
   * php5-fpm   * php5-fpm
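Review bot: the User-Agent filter is a courtesy opt-out, not a control: the header is chosen by the client, so anything that wants the content simply sends a different string, and the case-insensitive `Mastodon` also matches any UA that merely contains the word. That is adequate for keeping fediverse link previews off the WordPress and DokuWiki hosts, but it must not be relied on for abuse or load protection. Using `if` with a plain `return` in server context is the one safe form of if here, so the snippet itself is fine.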
Zeile 377: Zeile 446:
 post_max_size = 64M post_max_size = 64M
 </file> </file>
-==== Ruby ====+===== Ruby =====
  
   * ruby   * ruby
  
-==== Bytebot ====+===== Bytebot =====
  
 Pakete: Pakete:
Zeile 425: Zeile 494:
   * //**systemctl start bytebot.service**//   * //**systemctl start bytebot.service**//
  
-==== Twitterstatus ====+===== Twitterstatus / Twitterstatus Makerspace ===== 
 + 
 +Die Anleitung ist für "twitterstatus". Die Einrichtung von "twitterstatus-ms" erfolgt
  
 Pakete: Pakete:
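Review bot: the second sentence stops mid-way ("Die Einrichtung von "twitterstatus-ms" erfolgt"). The page needs to say how the makerspace instance differs: the user name (twitterstatus-ms from the User/Gruppen list), its home and config paths, the unit name, and that it needs its own OAuth tokens rather than a copy of the first instance's config.py.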
Zeile 433: Zeile 504:
  
 Installation: Installation:
 +
 +  * //**useradd -m twitterstatus**//
 +  * //**sudo -u twitterstatus /bin/bash**//
 +  * //**cd /home/twitterstatus**//
 +  * //**mkdir tmp**//
 +  * //**git clone https://github.com/Bytespeicher/twitterstatus**//
 +  * //**cd twitterstatus**//
 +  * //**cp config.py{.example,}**//
 +  * //**nano config.py**//
 +
 +<file|~/twitterstatus/config.py>
 +OAUTH_TOKEN     = '...'
 +OAUTH_SECRET    = '...'
 +CONSUMER_KEY    = '...'
 +CONSUMER_SECRET = '...'
 +ADMIN_NAME      = 'TWITTER_ACCOUNT_NAME_OF_ADMIN'
 +STATUS_FILE     = '/home/twitterstatus/tmp/twitter_old_status'
 +CURRENT_STATUS  = '/home/twitterstatus/tmp/status.json'
 +</file>
 +
 +  * //**virtualenv env**//
 +  * //**. env/bin/activate**//
 +  * //**pip install Twitter**//
 +  * //**exit**//
 +
 <file|/etc/systemd/system/twitterstatus.service> <file|/etc/systemd/system/twitterstatus.service>
 [Unit] [Unit]
-Description=Bytespeicher IRC bot+Description=Bytespeicher Twitter status bot
 After=network-online.target After=network-online.target
 After=syslog.service After=syslog.service
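Review bot: config.py holds the Twitter consumer key/secret and the account's OAuth token, and the steps create it as user twitterstatus with the default umask, i.e. mode 644, readable by every other local account on this host (bernd, ffapi, synapse, redmine, ...). Add `chmod 600 config.py` right after `cp config.py{.example,}`, and `chmod 750 /home/twitterstatus` if the home directory is world-readable. Minor: `pip install Twitter` is unpinned; record the version that works so a reinstall is reproducible.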
Zeile 445: Zeile 541:
 Group=twitterstatus Group=twitterstatus
 Restart=always Restart=always
-RestartSec=30+RestartSec=60
 ExecStart=/home/twitterstatus/twitterstatus/env/bin/python /home/twitterstatus/twitterstatus/bytebot.py ExecStart=/home/twitterstatus/twitterstatus/env/bin/python /home/twitterstatus/twitterstatus/bytebot.py
 MemoryLimit=64M MemoryLimit=64M
Zeile 453: Zeile 549:
 </file> </file>
  
- 
-  * //**sudo -u twitterstatus /bin/bash**// 
-  * //**cd /home/twitterstatus**// 
-  * //**git clone https://github.com/Bytespeicher/twitterstatus**// 
-  * //**cd twitterstatus**// 
-  * //**cp config.py{.example,}**// 
-  * //**nano config.py**// 
-  * //**virtualenv env**// 
-  * //**. env/bin/activate**// 
-  * //**pip install Twitter**// 
   * //**systemctl enable twitterstatus.service**//   * //**systemctl enable twitterstatus.service**//
   * //**systemctl start twitterstatus.service**//   * //**systemctl start twitterstatus.service**//
 +  * //**crontab -u twitterstatus -e**//
 +
 +<code|crontab -u twitterstatus -e>
 +MAILTO=""
 +* * * * * /usr/bin/wget http://status.bytespeicher.org/status.json -O /home/twitterstatus/tmp/status.json
 +</code>
  
-==== Freifunk-API ====+===== Freifunk-API =====
  
 === Pakete === === Pakete ===
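Review bot: the cron job writes straight into the file the bot reads with `wget -O`, which truncates status.json before the download starts, so a failed or slow fetch (attempted every minute, forever) leaves the bot an empty or partial JSON. Download to a temp file and rename atomically: `wget -q https://status.bytespeicher.org/status.json -O /home/twitterstatus/tmp/status.json.tmp && mv /home/twitterstatus/tmp/status.json.tmp /home/twitterstatus/tmp/status.json`. Using https also avoids a plain-HTTP fetch from a host that this page configures with TLS and HSTS.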
Zeile 518: Zeile 610:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff; 
  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
Zeile 534: Zeile 618:
   ssl_dhparam /etc/ssl/api.erfurt.freifunk.net/dhparam.pem;   ssl_dhparam /etc/ssl/api.erfurt.freifunk.net/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
  
Zeile 572: Zeile 654:
   * //**systemctl reload nginx**//   * //**systemctl reload nginx**//
  
-==== paste.bytespeicher.org ====+===== paste.bytespeicher.org =====
  
   * Datenbank: bs_paste   * Datenbank: bs_paste
Zeile 593: Zeile 675:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 607: Zeile 682:
   ssl_dhparam /etc/ssl/paste.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/paste.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;
  
Zeile 637: Zeile 710:
 </file> </file>
  
-==== bytespeicher.org ====+===== bytespeicher.org =====
  
   * Datenbank: wp_bs   * Datenbank: wp_bs
Zeile 649: Zeile 722:
  server_name www.bytespeicher.org staging.bytespeicher.org bytespeicher.org radio.bytespeicher.org;  server_name www.bytespeicher.org staging.bytespeicher.org bytespeicher.org radio.bytespeicher.org;
  
 + include snippets/filter_useragents.conf;
  include snippets/letsencrypt.conf;  include snippets/letsencrypt.conf;
  
Zeile 666: Zeile 740:
  
  server_name www.bytespeicher.org;  server_name www.bytespeicher.org;
 +
 + include snippets/filter_useragents.conf;
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  add_header Strict-Transport-Security "max-age=31536000";  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff; 
  
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
Zeile 684: Zeile 752:
  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  
Zeile 701: Zeile 767:
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  add_header Strict-Transport-Security "max-age=31536000";  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff; + 
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;
  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  
Zeile 774: Zeile 830:
 </file> </file>
  
-==== status.bytespeicher.org ====+===== status.bytespeicher.org =====
  
   * **//useradd spacestatus -m -G www-data//**   * **//useradd spacestatus -m -G www-data//**
   * **//sudo -u spacestatus /bin/bash//**   * **//sudo -u spacestatus /bin/bash//**
   * **//cd ~//**   * **//cd ~//**
-  * **//git clone https:/ /github.com/Bytespeicher/space-status//**+  * **//<nowiki>git clone https://github.com/Bytespeicher/space-status</nowiki>//**
   * **//mkdir www//**   * **//mkdir www//**
   * **//virtualenv env//**   * **//virtualenv env//**
Zeile 838: Zeile 894:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff+  add_header Access-Control-Allow-Origin *
 +  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/privkey.pem;   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/privkey.pem;
   ssl_dhparam /etc/ssl/status.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/status.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
 } }
 </file> </file>
  
-==== makerspace-erfurt.de / fablab-erfurt.de ====+===== makerspace-erfurt.de / fablab-erfurt.de =====
  
   * Datenbank: makerspace_wp   * Datenbank: makerspace_wp
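Review bot: `add_header Access-Control-Allow-Origin *` is set at server level, so every response from status.bytespeicher.org carries it, not just status.json; acceptable for a public, unauthenticated JSON API (a wildcard origin never sends credentials), but as rendered the line has no trailing semicolon, which `nginx -t` would reject, please check. Because this block keeps its own add_header lines, the nosniff header dropped on the same line is not inherited from conf.d/ssl.conf either.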
Zeile 883: Zeile 930:
  
  ssl on;  ssl on;
- 
- ssl_session_cache shared:SSL:10m; 
- ssl_session_timeout 10m; 
- 
- ssl_prefer_server_ciphers on; 
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
  add_header Strict-Transport-Security "max-age=31536000";  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff; + 
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/privkey.pem;  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/privkey.pem;
  ssl_dhparam /etc/ssl/makerspace-erfurt.de/dhparam.pem;  ssl_dhparam /etc/ssl/makerspace-erfurt.de/dhparam.pem;
  
- ssl_stapling on; 
- ssl_stapling_verify on; 
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
  
Zeile 941: Zeile 978:
 </file> </file>
  
-==== oc.makerspace-erfurt.de (Owncloud) ====+===== cloud.technikkultur-erfurt.de (Nextcloud=====
  
   * Datenbank: makerspace_oc   * Datenbank: makerspace_oc
   * Config: /var/www/oc.makerspace-erfurt.de/public_html/config/config.php   * Config: /var/www/oc.makerspace-erfurt.de/public_html/config/config.php
    
-<file|/etc/nginx/sites-available/oc.makerspace-erfurt.de>+<file|/etc/nginx/sites-available/cloud.technikkultur-erfurt.de>
 server { server {
  listen 80;  listen 80;
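Review bot: the heading loses its closing parenthesis ("(Nextcloud"), and the two lines under it still point at the old name (database makerspace_oc, config under /var/www/oc.makerspace-erfurt.de/) while the vhost file is now cloud.technikkultur-erfurt.de; confirm the webroot was not moved along with the rename, otherwise the config path here is wrong.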
Zeile 953: Zeile 990:
  listen [::]:443 ssl;  listen [::]:443 ssl;
  
- server_name oc.makerspace-erfurt.de;+ server_name cloud.technikkultur-erfurt.de oc.makerspace-erfurt.de;
  
  include snippets/letsencrypt.conf;  include snippets/letsencrypt.conf;
  
  if ($scheme != "https") {  if ($scheme != "https") {
-   rewrite ^(.*)$ https://oc.makerspace-erfurt.de$1 permanent;+    return 301 https://$host$request_uri;
  }  }
  
  ssl on;  ssl on;
  
- ssl_session_cache shared:SSL:10m+ ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem
- ssl_session_timeout 10m;+ ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/privkey.pem; 
 + ssl_dhparam /etc/ssl/cloud.technikkultur-erfurt.de/dhparam.pem;
  
- ssl_prefer_server_ciphers on; + ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; +
- +
- ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/oc.makerspace-erfurt.de/fullchain.pem; +
- ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/oc.makerspace-erfurt.de/privkey.pem; +
- ssl_dhparam /etc/ssl/oc.makerspace-erfurt.de/dhparam.pem; +
- +
- ssl_stapling on; +
- ssl_stapling_verify on; +
- ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/oc.makerspace-erfurt.de/fullchain.pem;+
  
  # Add headers to serve security related headers  # Add headers to serve security related headers
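Review bot: `return 301 https://$host$request_uri` keeps whichever name was requested, but ssl_certificate now points at the cloud.technikkultur-erfurt.de certificate only; unless that line in domains.txt also lists oc.makerspace-erfurt.de, browsers following the redirect for the old name get a certificate mismatch. Redirect the legacy name to the canonical one instead, `return 301 https://cloud.technikkultur-erfurt.de$request_uri;`, which also keeps HSTS and cookies on a single host.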
Zeile 987: Zeile 1015:
  add_header X-Download-Options noopen;  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;  add_header X-Permitted-Cross-Domain-Policies none;
- add_header X-Content-Type-Options nosniff; 
  
  # The following 2 rules are only needed for the user_webfinger app.  # The following 2 rules are only needed for the user_webfinger app.
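Review bot: dropping `add_header X-Content-Type-Options nosniff;` here breaks the Nextcloud setup check: this server block keeps its own add_header lines (X-Download-Options, X-Permitted-Cross-Domain-Policies), so nginx does not inherit nosniff from conf.d/ssl.conf, and the Nextcloud admin overview will warn that the header is missing. Keep the line in this block.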
Zeile 1085: Zeile 1112:
 </file> </file>
  
-==== Redmine ====+===== Redmine =====
  
   * Datenbank: redmine   * Datenbank: redmine
Zeile 1137: Zeile 1164:
 User=redmine User=redmine
 Group=redmine Group=redmine
 +Environment="GEM_HOME=~/redmine/vendor/bundle/"
 WorkingDirectory=/home/redmine/redmine WorkingDirectory=/home/redmine/redmine
 ExecStart=/usr/bin/bundle exec thin start --config /etc/thin/redmine.yml ExecStart=/usr/bin/bundle exec thin start --config /etc/thin/redmine.yml
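Review bot: systemd does not perform shell expansion in Environment=, so GEM_HOME becomes the literal string ~/redmine/vendor/bundle/ and does not point at the bundle directory; use the absolute path, `Environment="GEM_HOME=/home/redmine/redmine/vendor/bundle/"`.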
Zeile 1149: Zeile 1177:
   * //**cd ~/redmine**//   * //**cd ~/redmine**//
   * Redmine-Archiv auspacken   * Redmine-Archiv auspacken
-  * //**export GEM_HOME='~/vendor/bundle/'**//+  * //**export GEM_HOME='~/redmine/vendor/bundle/'**//
   * //**cp ~/redmine/config/configuration.yml.example ~/redmine/config/configuration.yml**//   * //**cp ~/redmine/config/configuration.yml.example ~/redmine/config/configuration.yml**//
   * //**cp ~/redmine/config/database.yml.example ~/redmine/config/database.yml**//   * //**cp ~/redmine/config/database.yml.example ~/redmine/config/database.yml**//
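Review bot: the single quotes stop the shell from expanding `~` as well, so this export sets GEM_HOME to the literal ~/redmine/vendor/bundle/; write `export GEM_HOME="$HOME/redmine/vendor/bundle/"` or the absolute path /home/redmine/redmine/vendor/bundle/.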
Zeile 1205: Zeile 1233:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 1219: Zeile 1240:
   ssl_dhparam /etc/ssl/redmine.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/redmine.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;
  
Zeile 1239: Zeile 1258:
 </file> </file>
  
-==== Dokuwiki ====+===== Dokuwiki =====
  
   * DocumentRoot: /var/www/technikkultur-erfurt.de/public_html   * DocumentRoot: /var/www/technikkultur-erfurt.de/public_html
Zeile 1252: Zeile 1271:
   listen [::]:443 ssl;   listen [::]:443 ssl;
  
 +  include snippets/filter_useragents.conf;
   include snippets/letsencrypt.conf;   include snippets/letsencrypt.conf;
  
Zeile 1265: Zeile 1285:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 1279: Zeile 1292:
   ssl_dhparam /etc/ssl/example.org/dhparam.pem;   ssl_dhparam /etc/ssl/example.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
  
-  # Maximum file upload size is 4MB - change accordingly if needed +  # Maximum file upload size is 20MB - change accordingly if needed 
-  client_max_body_size 4M;+  client_max_body_size 20M;
   client_body_buffer_size 128k;   client_body_buffer_size 128k;
    
Zeile 1315: Zeile 1326:
 </file> </file>
  
-==== Pad ====+===== Pad =====
  
   * Software: Etherpad-lite   * Software: Etherpad-lite
Zeile 1327: Zeile 1338:
 Plugins: Plugins:
  
-  * ep_padlist+  * ep_pad-lister
  
 Installation: Installation:
Zeile 1360: Zeile 1371:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
Zeile 1374: Zeile 1378:
   ssl_dhparam /etc/ssl/pad.technikkultur-erfurt.de/dhparam.pem;   ssl_dhparam /etc/ssl/pad.technikkultur-erfurt.de/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;   ssl_trusted_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;
  
Zeile 1410: Zeile 1412:
   * //**sudo -u etherpad /bin/bash**//   * //**sudo -u etherpad /bin/bash**//
   * //**cd ~/etherpad/**//   * //**cd ~/etherpad/**//
-  * //**npm install ep_padlist**//+  * //**npm install ep_pad-lister**//
  
 Konfiguration Konfiguration
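Review bot: ''npm install ep_pad-lister'' installs whatever the registry publishes at that moment, so a reinstall after an Etherpad upgrade can pull different plugin code; pin the version (''npm install ep_pad-lister@<version>''), keep the resulting lock file in ~/etherpad, and record the installed version here next to the plugin name. Running the install as the etherpad user rather than root, as the steps do, is the right call and should stay.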
Zeile 1439: Zeile 1441:
   * https://github.com/ether/etherpad-lite/wiki/Manipulating-the-database   * https://github.com/ether/etherpad-lite/wiki/Manipulating-the-database
  
-==== wall.technikkultur-erfurt.de ====+===== wall.technikkultur-erfurt.de =====
  
   * Config: /var/www/wall.technikkultur-erfurt.de/config.php   * Config: /var/www/wall.technikkultur-erfurt.de/config.php
Zeile 1462: Zeile 1464:
 </file> </file>
  
-==== Piwik ====+===== opendata.bytespeicher.org ===== 
 + 
 +  * Webspace: /var/www/opendata.bytepseicher.org/public_html 
 +  
 +<file|/etc/nginx/sites-available/opendata.bytespeicher.org> 
 +server { 
 +  listen 80; 
 +  listen [::]:80; 
 + 
 +  listen 443 ssl; 
 +  listen [::]:443 ssl; 
 + 
 +  include snippets/letsencrypt.conf; 
 + 
 +  root /var/www/opendata.bytespeicher.org/public_html; 
 + 
 +  index index.html; 
 + 
 +  server_name opendata.bytespeicher.org; 
 + 
 +  location / { 
 +    try_files $uri $uri/ =404; 
 +  } 
 + 
 +  # PHP 
 +  location ~ \.php$ { 
 +    fastcgi_pass   unix:/var/run/php5-fpm.sock; 
 +    include         fastcgi_params; 
 +    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; 
 +    fastcgi_param REDIRECT_STATUS 200; 
 +  } 
 + 
 +  ssl on; 
 + 
 +  # Use SSL as default 
 +  # if ($scheme != "https") { 
 +  #   rewrite ^ https://$host$uri permanent; 
 +  # } 
 +  # add_header Strict-Transport-Security "max-age=31536000"; 
 + 
 +  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem; 
 +  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/privkey.pem; 
 + 
 +  ssl_dhparam /etc/ssl/opendata.bytespeicher.org/dhparam.pem; 
 + 
 +  ssl_stapling on; 
 +  ssl_stapling_verify on; 
 +  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem; 
 + 
 +  # Security options 
 +  add_header X-Frame-Options SAMEORIGIN; 
 +  add_header X-Content-Type-Options nosniff; 
 +  add_header Access-Control-Allow-Origin *; 
 +
 +</file> 
 + 
 +===== Piwik =====
  
   * Datenbank: bs_piwik   * Datenbank: bs_piwik
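Review bot: in the opendata.bytespeicher.org vhost the PHP location (''location ~ \.php$'') hands ''$document_root$fastcgi_script_name'' to php5-fpm without a ''try_files $uri =404;'' guard; the ''try_files'' in ''location /'' does not apply to it, so a request such as /some-upload.jpg/x.php is still passed to PHP-FPM, and unless cgi.fix_pathinfo=0 is set in php.ini PHP will execute the uploaded file as the script. Add ''try_files $uri =404;'' inside the PHP location. Smaller points: the Webspace bullet misspells the path (bytepseicher, while the ''root'' directive says bytespeicher); the https redirect and the HSTS header are commented out, so the data set is also served over plain HTTP; ''ssl on;'' is obsolete since nginx 1.15.0 and, because it applies to every listen socket of the block, it can turn ''listen 80'' into a TLS socket whenever this block is the default server for that address, so rely on the ''ssl'' parameter of ''listen 443'' alone; and ''Access-Control-Allow-Origin *'' is fine for public data, but note that ''add_header'' lines are replaced, not merged, in any location block that adds its own headers.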
Zeile 1486: Zeile 1544:
 </file> </file>
  
-==== Roundcube ====+===== Roundcube =====
  
   * Datenbank: roundcubemail   * Datenbank: roundcubemail
Zeile 1544: Zeile 1602:
  
   ssl on;   ssl on;
- 
-  ssl_session_cache shared:SSL:10m; 
-  ssl_session_timeout 10m; 
- 
-  ssl_prefer_server_ciphers on; 
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; 
  
   add_header Strict-Transport-Security "max-age=31536000";   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff; +  
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/privkey.pem;   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/privkey.pem;
   ssl_dhparam /etc/ssl/mail.bytespeicher.org/dhparam.pem;   ssl_dhparam /etc/ssl/mail.bytespeicher.org/dhparam.pem;
  
-  ssl_stapling on; 
-  ssl_stapling_verify on; 
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
  
   root /var/www/mail.bytespeicher.org/;   root /var/www/mail.bytespeicher.org/;
 +
 +  client_max_body_size 64m;
  
   index index.php index.html;   index index.php index.html;
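Review bot: this hunk silently drops ''add_header X-Content-Type-Options nosniff;'' from the Roundcube vhost (the line becomes blank) while X-Frame-Options stays; for a webmail front end that serves user-supplied attachments nosniff is worth keeping, so restore it unless it moved to a shared snippet, in which case say so here. As in the Pad vhost, the session/protocol/cipher directives and OCSP stapling are removed without showing where they now live. The new ''client_max_body_size 64m'' only helps if upload_max_filesize and post_max_size in the PHP-FPM pool are raised to match, since Roundcube derives its attachment limit from them.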
Zeile 1611: Zeile 1661:
   * //**rm -rf /var/www/mail.bytespeicher.org/installer/**//   * //**rm -rf /var/www/mail.bytespeicher.org/installer/**//
  
-==== users.bytespeicher.org ====+===== Matrix/Synapse ===== 
 + 
 +  * useradd -m synapse 
 +  * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn 
 + 
 +  * mkdir /home/synapse/ssl 
 +  * chown synapse:synapse /home/synapse/ssl 
 +  * chmod 770 /home/synapse/ssl 
 +  * usermod -G synapse letsencrypt 
 + 
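Review bot: the steps create /home/synapse/ssl with mode 770 and put the letsencrypt user into the synapse group, but nothing shown copies fullchain.pem and privkey.pem from /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/ into that directory, and homeserver.yaml below reads ''tls_certificate_path'' and ''tls_private_key_path'' from exactly there; add the copy step (a deploy hook in letsencrypt.sh is the natural place) together with a ''systemctl restart synapse'' after each renewal, otherwise the federation listener on 8448 keeps serving the old certificate until someone notices. Also ''usermod -G synapse letsencrypt'' without ''-a'' replaces the user's supplementary groups instead of appending to them; use ''usermod -aG synapse letsencrypt''.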
 +<file|/etc/nginx/sites-enabled/erfurt.chat> 
 +server { 
 +  listen      80; 
 +  listen [::]:80; 
 +  listen      443 ssl; 
 +  listen [::]:443 ssl; 
 + 
 +  server_name erfurt.chat www.erfurt.chat; 
 + 
 +  include snippets/letsencrypt.conf; 
 + 
 +  if ($scheme != "https") { 
 +    rewrite ^ https://$host$uri permanent; 
 +  } 
 +  if ($host = "www.erfurt.chat") { 
 +    rewrite ^ https://erfurt.chat$uri permanent; 
 +  } 
 +  root /var/www/erfurt.chat; 
 + 
 +  client_max_body_size 32m; 
 + 
 +  location /_matrix { 
 +    proxy_pass http://127.0.0.1:8008; 
 +    proxy_set_header X-Forwarded-For $remote_addr; 
 +  } 
 + 
 +  ssl on; 
 + 
 +  # add_header Strict-Transport-Security "max-age=31536000"; 
 +  add_header X-Frame-Options SAMEORIGIN; 
 +   
 +  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem; 
 +  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem; 
 +  ssl_dhparam /etc/ssl/erfurt.chat/dhparam.pem; 
 + 
 +  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem; 
 + 
 +  access_log /var/log/nginx/erfurt.chat-access.log; 
 +  error_log /var/log/nginx/erfurt.chat-error.log; 
 +
 +</file> 
 + 
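Review bot: in the erfurt.chat vhost the HSTS header is commented out although every request is already redirected to https, so there is no reason not to send it; ''ssl on;'' is redundant next to ''listen 443 ssl'' and, as an obsolete directive that applies to all listen sockets of the block, is better removed. ''location /_matrix'' forwards only X-Forwarded-For, which is what synapse's x_forwarded setting consumes, but the correctness of that header depends on port 8008 not being reachable except through this proxy (see the homeserver.yaml note below). ''client_max_body_size 32m'' must agree with synapse's own ''max_upload_size'', which this page never sets, so uploads will still stop at synapse's default.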
 +<file|/etc/default/coturn> 
 +TURNSERVER_ENABLED=1 
 +</file> 
 + 
 +<file|/etc/turnserver.conf> 
 +external-ip=88.198.111.196 
 +min-port=49152 
 +max-port=59999 
 +lt-cred-mech 
 +use-auth-secret 
 +static-auth-secret=[your secret key here] 
 +realm=erfurt.chat 
 +no-tcp 
 +no-tls 
 +no-tcp-relay 
 +cert=/home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/cert.pem 
 +pkey=/home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem 
 +cipher-list="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128" 
 +syslog 
 +denied-peer-ip=10.0.0.0-10.255.255.255 
 +denied-peer-ip=192.168.0.0-192.168.255.255 
 +denied-peer-ip=172.16.0.0-172.31.255.255 
 +allowed-peer-ip=172.31.1.100 
 +no-sslv2 
 +no-sslv3 
 +</file> 
 + 
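Review bot: turnserver.conf sets ''no-tcp'' and ''no-tls'', but homeserver.yaml below advertises ''turn:erfurt.chat:3478?transport=tcp'', so clients that pick the TCP candidate get nothing; either drop ''no-tcp'' or drop the tcp URI. With ''no-tls'' the ''cert'', ''pkey'', ''cipher-list'', ''no-sslv2'' and ''no-sslv3'' lines are dead configuration; if TURN over TLS is wanted, remove ''no-tls'' and reuse the certificate hand-off set up for synapse. ''denied-peer-ip'' covers only the RFC 1918 ranges; add 127.0.0.0/8, 169.254.0.0/16, 100.64.0.0/10, the server's own public addresses and the IPv6 counterparts (::1, fc00::/7, fe80::/10) so the relay cannot be used to reach services on this host, and document why ''allowed-peer-ip=172.31.1.100'' punches a hole in the 172.16/12 deny. Finally, ''static-auth-secret=[your secret key here]'' must become a long random value identical to ''turn_shared_secret'' in homeserver.yaml, otherwise coturn rejects every credential synapse hands out.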
 +  * service coturn restart 
 +  * sudo -u synapse /bin/bash 
 +  * cd 
 +  * virtualenv -p python2.7 ~/.synapse 
 +  * source ~/.synapse/bin/activate 
 +  * pip install --upgrade pip 
 +  * pip install --upgrade setuptools 
 +  * pip install lxml 
 +  * pip install https://github.com/matrix-org/synapse/tarball/master 
 +  * cd ~/.synapse 
 +  * python -m synapse.app.homeserver --server-name erfurt.chat --config-path homeserver.yaml --generate-config --report-stats=no 
 + 
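Review bot: ''pip install https://github.com/matrix-org/synapse/tarball/master'' installs an unpinned development snapshot that cannot be reproduced later; install a tagged release (the tarball of a ''v<x.y.z>'' tag, or the matrix-synapse package from PyPI at a fixed version) and write the version down here. ''--generate-config'' writes fresh secrets (''macaroon_secret_key'', the password ''pepper'', the signing key) into homeserver.yaml under /home/synapse/.synapse; keep that file readable only by the synapse user, since the same home directory is group-shared with the letsencrypt user through the ssl directory.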
 +<file|/home/synapse/.synapse/homeserver.yaml> 
 +--- homeserver.yaml.orig 2017-06-05 12:56:46.729514635 +0200 
 ++++ homeserver.yaml 2018-04-17 13:40:25.760622831 +0200 
 +@@ -4,10 +4,10 @@ 
 + # autogenerates on launch with your own SSL certificate + key pair 
 + # if you like.  Any required intermediary certificates can be 
 + # appended after the primary certificate in hierarchical order. 
 +-tls_certificate_path: "/home/synapse/.synapse/erfurt.chat.tls.crt" 
 ++tls_certificate_path: "/home/synapse/ssl/fullchain.pem" 
 + 
 + # PEM encoded private key for TLS 
 +-tls_private_key_path: "/home/synapse/.synapse/erfurt.chat.tls.key" 
 ++tls_private_key_path: "/home/synapse/ssl/privkey.pem" 
 + 
 + # PEM dh parameters for ephemeral keys 
 + tls_dh_params_path: "/home/synapse/.synapse/erfurt.chat.tls.dh" 
 +@@ -50,7 +50,7 @@ 
 + pid_file: /home/synapse/.synapse/homeserver.pid 
 + 
 + # Whether to serve a web client from the HTTP/HTTPS root resource. 
 +-web_client: True 
 ++web_client: False 
 + 
 + # The root directory to server for the above web client. 
 + # If left undefined, synapse will serve the matrix-angular-sdk web client. 
 +@@ -59,7 +59,7 @@ 
 + # web_client_location: "/path/to/web/root" 
 + 
 + # The public-facing base URL for the client API (not including _matrix/...) 
 +-# public_baseurl: https://example.com:8448/ 
 ++public_baseurl: https://erfurt.chat:8448/ 
 + 
 + # Set the soft limit on the number of file descriptors synapse can use 
 + # Zero is used to indicate synapse should set the soft limit to the 
 +@@ -71,7 +71,9 @@ 
 + 
 + # Set the limit on the returned events in the timeline in the get 
 + # and sync operations. The default value is -1, means no upper limit. 
 +-# filter_timeline_limit: 5000 
 +
 ++## activated by maddi 
 ++filter_timeline_limit: 500 
 + 
 + # List of ports that Synapse should listen on, their purpose and their 
 + # configuration. 
 +@@ -85,11 +87,11 @@ 
 +     # Local addresses to listen on. 
 +     # This will listen on all IPv4 addresses by default. 
 +     bind_addresses: 
 +-      - '0.0.0.0' 
 ++      #- '0.0.0.0' 
 +       # Uncomment to listen on all IPv6 interfaces 
 +       # N.B: On at least Linux this will also listen on all IPv4 
 +       # addresses, so you will need to comment out the line above. 
 +-      # - '::' 
 ++      - '::' 
 + 
 +     # This is a 'http' listener, allows us to specify 'resources'
 +     type: http 
 +@@ -123,7 +125,7 @@ 
 +     bind_addresses: ['0.0.0.0'
 +     type: http 
 + 
 +-    x_forwarded: false 
 ++    x_forwarded: True 
 + 
 +     resources: 
 +       - names: [client, webclient] 
 +@@ -141,14 +143,18 @@ 
 + # Database configuration 
 + database: 
 +   # The database engine name 
 +-  name: "sqlite3" 
 ++  name: "psycopg2" 
 +   # Arguments to pass to the engine 
 +   args: 
 +-    # Path to the database 
 +-    database: "/home/synapse/.synapse/homeserver.db" 
 ++    #user: synapse 
 ++    database: synapse 
 ++    #host: localhost 
 ++    #password: 
 ++    cp_min: 5 
 ++    cp_max: 25 
 + 
 + # Number of events to cache in memory. 
 +-event_cache_size: "10K" 
 ++event_cache_size: "1K" 
 + 
 + 
 + 
 +@@ -156,7 +162,7 @@ 
 + verbose:
 + 
 + # File to write logging to. Ignored if log_config is specified. 
 +-log_file: "/home/synapse/.synapse/homeserver.log" 
 ++log_file: "/home/synapse/.synapse/log/homeserver.log" 
 + 
 + # A yaml python logging config file 
 + log_config: "/home/synapse/.synapse/erfurt.chat.log.config" 
 +@@ -171,7 +177,9 @@ 
 + rc_message_burst_count: 10.0 
 + 
 + # The federation window size in milliseconds 
 +-federation_rc_window_size: 1000 
 ++## edit by maddi 
 ++# federation_rc_window_size: 2000 
 ++federation_rc_window_size: 2000 
 + 
 + # The number of federation requests from a single server in a window 
 + # before the server will delay processing the request. 
 +@@ -183,14 +191,19 @@ 
 + 
 + # The maximum number of concurrent federation requests allowed 
 + # from a single server 
 +-federation_rc_reject_limit: 50 
 ++## edit by maddi 
 ++# federation_rc_reject_limit: 50 
 ++federation_rc_reject_limit: 10 
 + 
 + # The number of federation requests to concurrently process from a 
 + # single server 
 +-federation_rc_concurrent:
 +
 +
 +
 ++#federation_rc_concurrent:
 ++## edit by maddi 
 ++federation_rc_concurrent:
 +
 ++## add by maddi 
 ++federation_domain_whitelist: ['erfurt.chat','matrix.ffggrz.de','bau-ha.us','zner0l.de','byteschmeisser.de'
 +
 + # Directory where uploaded images and attachments are stored. 
 + media_store_path: "/home/synapse/.synapse/media_store" 
 + 
 +@@ -231,7 +244,7 @@ 
 + # Is the preview URL API enabled?  If enabled, you *must* specify 
 + # an explicit url_preview_ip_range_blacklist of IPs that the spider is 
 + # denied from accessing. 
 +-url_preview_enabled: False 
 ++url_preview_enabled: True 
 + 
 + # List of IP address CIDR ranges that the URL preview spider is denied 
 + # from accessing.  There are no defaults: you must explicitly 
 +@@ -241,14 +254,14 @@ 
 + # synapse to issue arbitrary GET requests to your internal services, 
 + # causing serious security issues. 
 + # 
 +-# url_preview_ip_range_blacklist: 
 +-# - '127.0.0.0/8' 
 +-# - '10.0.0.0/8' 
 +-# - '172.16.0.0/12' 
 +-# - '192.168.0.0/16' 
 +-# - '100.64.0.0/10' 
 +-# - '169.254.0.0/16' 
 +-# 
 ++url_preview_ip_range_blacklist: 
 ++ - '127.0.0.0/8' 
 ++ - '10.0.0.0/8' 
 ++ - '172.16.0.0/12' 
 ++ - '192.168.0.0/16' 
 ++ - '100.64.0.0/10' 
 ++ - '169.254.0.0/16' 
 +
 + # List of IP address CIDR ranges that the URL preview spider is allowed 
 + # to access even if they are specified in url_preview_ip_range_blacklist. 
 + # This is useful for specifying exceptions to wide-ranging blacklisted 
 +@@ -322,10 +335,10 @@ 
 + ## Turn ## 
 + 
 + # The public URIs of the TURN server to give to clients 
 +-turn_uris: [] 
 ++turn_uris: [ "turn:erfurt.chat:3478?transport=udp", "turn:erfurt.chat:3478?transport=tcp"
 + 
 + # The shared secret used to compute passwords for the TURN server 
 +-turn_shared_secret: "YOUR_SHARED_SECRET" 
 ++turn_shared_secret: "$$$SECRET$$$" 
 + 
 + # The Username and password if the TURN server needs them and 
 + # does not use a token 
 +@@ -346,7 +359,7 @@ 
 + ## Registration ## 
 + 
 + # Enable registration for new users. 
 +-enable_registration: False 
 ++enable_registration: True 
 + 
 + # If set, allows registration by anyone who also has the shared 
 + # secret, even if registration is otherwise disabled. 
 +@@ -360,7 +373,7 @@ 
 + # Allows users to register as guests without a password/email/etc, and 
 + # participate in rooms hosted on this server which have been made 
 + # accessible to anonymous users. 
 +-allow_guest_access: False 
 ++allow_guest_access: True 
 + 
 + # The list of identity servers trusted to verify third party 
 + # identifiers by this server. 
 +@@ -388,7 +401,9 @@ 
 + 
 + 
 + # A list of application service config file to use 
 +-app_service_config_files: [] 
 ++#app_service_config_files: [ "ircbridge_registration.yaml"
 ++## deactivated by maddi 
 ++app_service_config_files: [ ] 
 + 
 + 
 + macaroon_secret_key: "$$$SECRET$$$" 
 +@@ -402,7 +417,7 @@ 
 + signing_key_path: "/home/synapse/.synapse/erfurt.chat.signing.key" 
 + 
 + # The keys that the server used to sign messages with but won't use 
 +-# to sign new messages. E.g. it has lost its private key 
 ++# to sign new messages. dE.g. it has lost its private key 
 + old_signing_keys: {} 
 + #  "ed25519:auto": 
 + #    # Base64 encoded public key 
 +@@ -461,7 +476,8 @@ 
 +    enabled: true 
 +    # Uncomment and change to a secret random string for extra security. 
 +    # DO NOT CHANGE THIS AFTER INITIAL SETUP! 
 +-   #pepper: "" 
 ++   pepper: "$$$SECRET$$$" 
 +
 + 
 + 
 + 
 +@@ -473,20 +489,20 @@ 
 + # If your SMTP server requires authentication, the optional smtp_user & 
 + # smtp_pass variables should be used 
 + # 
 +-#email: 
 +-#   enable_notifs: false 
 +-#   smtp_host: "localhost" 
 +-#   smtp_port: 25 
 +-#   smtp_user: "exampleusername" 
 +-#   smtp_pass: "examplepassword" 
 +-#   require_transport_security: False 
 +-#   notif_from: "Your Friendly %(app)s Home Server <noreply@example.com>" 
 +-#   app_name: Matrix 
 +-#   template_dir: res/templates 
 +-#   notif_template_html: notif_mail.html 
 +-#   notif_template_text: notif_mail.txt 
 +-#   notif_for_new_users: True 
 +-#   riot_base_url: "http://localhost/riot" 
 ++email: 
 ++   enable_notifs: True 
 ++   smtp_host: "localhost" 
 ++   smtp_port: 587 
 ++   smtp_user: "synapse@erfurt.chat" 
 ++   smtp_pass: "$$$SECRET$$$" 
 ++   require_transport_security: True 
 ++   notif_from: "Your Friendly %(app)s Home Server <noreply@erfurt.chat>" 
 ++   app_name: Matrix 
 ++   template_dir: /home/synapse/.synapse/res/templates/ 
 ++   notif_template_html: notif_mail.html 
 ++   notif_template_text: notif_mail.txt 
 ++   notif_for_new_users: True 
 ++   riot_base_url: "https://erfurt.chat/riot" 
 + 
 + 
 + # password_providers: 
 +</file> 
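Review bot: the 8008 listener (hunk @@ -123) keeps ''bind_addresses: ['0.0.0.0']'' while switching ''x_forwarded'' to True; nginx proxies to 127.0.0.1:8008, but with 0.0.0.0 the port is also reachable directly, and a client that connects directly can set X-Forwarded-For to any address it likes, defeating per-IP rate limiting and IP-based logging. Bind that listener to 127.0.0.1 (and ::1) or filter port 8008 on the host. Further points: ''url_preview_ip_range_blacklist'' lists only IPv4 ranges although the server now listens on '::'; add ::1/128, fe80::/10, fc00::/7 and the host's own IPv6 addresses so the preview spider cannot reach local services over IPv6, which is the SSRF synapse's own comment in that hunk warns about. ''enable_registration: True'' together with ''allow_guest_access: True'' opens the server to anyone, and no captcha or e-mail requirement appears in this diff, so expect spam accounts or gate registration. ''public_baseurl'' sends clients and notification e-mail links to :8448 while the nginx vhost serves the client API on :443; pick one and use it everywhere. ''turn_uris'' advertises transport=tcp although coturn above runs with ''no-tcp''. The edit of the ''old_signing_keys'' comment to ''dE.g.'' looks like a stray keystroke and should be reverted.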
 + 
 +<file|/home/synapse/.synapse/erfurt.chat.log.config> 
 + 
 +version: 1 
 + 
 +formatters: 
 +  precise: 
 +   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s' 
 + 
 +filters: 
 +  context: 
 +    (): synapse.util.logcontext.LoggingContextFilter 
 +    request: "" 
 + 
 +handlers: 
 +  file: 
 +    class: logging.handlers.RotatingFileHandler 
 +    formatter: precise 
 +    filename: /home/synapse/.synapse/log/homeserver.log 
 +    maxBytes: 104857600 
 +    backupCount: 10 
 +    filters: [context] 
 +  console: 
 +    class: logging.StreamHandler 
 +    formatter: precise 
 +    filters: [context] 
 + 
 +loggers: 
 +    synapse: 
 +        level: INFO 
 + 
 +    synapse.storage.SQL: 
 +        # beware: increasing this to DEBUG will make synapse log sensitive 
 +        # information such as access tokens. 
 +        level: INFO 
 + 
 +root: 
 +    level: INFO 
 +    handlers: [file] 
 +#    handlers: [file, console] 
 +</file> 
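Review bot: both ''log_file'' in homeserver.yaml and the ''file'' handler here write to /home/synapse/.synapse/log/homeserver.log, but none of the install steps creates that directory; RotatingFileHandler cannot open the file and synapse will not start until ''mkdir /home/synapse/.synapse/log'' (as the synapse user) is added to the steps. Keep ''synapse.storage.SQL'' at INFO as the comment says; at DEBUG access tokens end up in the log, and ten rotated 100 MB files would then hold a lot of them.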
 +<file|/etc/systemd/system/synapse.service> 
 +[Unit] 
 +Description=Synapse Matrix homeserver 
 + 
 +[Service] 
 +Type=simple 
 +User=synapse 
 +Group=synapse 
 +#EnvironmentFile=-/etc/sysconfig/synapse 
 +WorkingDirectory=/home/synapse/.synapse 
 +ExecStart=/home/synapse/.synapse/bin/python2.7 -m synapse.app.homeserver --config-path=/home/synapse/.synapse/homeserver.yaml 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</file> 
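Review bot: the unit has no ordering dependencies; with the database switched to psycopg2 add ''After=network-online.target postgresql.service'' and ''Wants=network-online.target'' so synapse is not started before PostgreSQL on boot, and add ''Restart=on-failure'' so a crash does not leave the homeserver down. Since it already runs as a dedicated user, ''NoNewPrivileges=yes'', ''PrivateTmp=yes'' and ''ProtectSystem=full'' can be added at no cost; ''ProtectHome'' cannot, because code and data both live under /home/synapse. ''ExecStart'' hard-codes the venv's python2.7, which matches the ''virtualenv -p python2.7 ~/.synapse'' step, but anyone moving the venv must remember to update it here.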
 + 
 +  * systemctl enable synapse 
 +  * systemctl start synapse 
 +  * wget -O /usr/src/vector-im-v0.10.1.tar.gz https://github.com/vector-im/riot-web/releases/download/v0.10.1/riot-v0.10.1.tar.gz 
 +  * mkdir /var/www/erfurt.chat/ 
 +  * tar --strip-components=1 -xf /usr/src/vector-im-v0.10.1.tar.gz -C /var/www/erfurt.chat/ 
 + 
 +<file|/var/www/erfurt.chat/config.json> 
 +
 +    "default_hs_url": "https://erfurt.chat", 
 +    "default_is_url": "https://vector.im", 
 +    "brand": "erfurt.chat", 
 +    "integrations_ui_url": "https://scalar.vector.im/", 
 +    "integrations_rest_url": "https://scalar.vector.im/api", 
 +    "bug_report_endpoint_url": "https://riot.im/bugreports/submit", 
 +    "enableLabs": true, 
 +    "roomDirectory":
 +        "servers":
 +            "erfurt.chat", 
 +            "matrix.org" 
 +        ] 
 +    }, 
 +
 +</file> 
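Review bot: the Riot web client is fetched with wget and unpacked straight into the webroot without any verification; check the archive against the signature or checksum published with the release before extracting it, and record the version (v0.10.1) with a date so updates are tracked. config.json points ''default_is_url'', ''integrations_ui_url'', ''integrations_rest_url'' and ''bug_report_endpoint_url'' at vector.im and riot.im, so identity lookups, integrations and bug reports from erfurt.chat users go to a third party; that is the upstream default, but it belongs in this page's description of the service. The client shares the erfurt.chat origin with the proxied client API, so the ''X-Frame-Options SAMEORIGIN'' header in that vhost must stay.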
 + 
 +==== Matrix IRC Bridge ==== 
 + 
 +  * curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash - 
 +  * apt-get install -y nodejs   
 +  * npm install matrix-appservice-irc --global 
 + 
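Review bot: ''curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -'' executes a remote script as root unread, and ''npm install matrix-appservice-irc --global'' installs an unpinned latest version as root; download the setup script, review it, then run it, and pin the bridge (''matrix-appservice-irc@<version>'') and record the version here. Node 6 is also long past its end of life. In the bridge configuration that follows, note that ''botConfig.password'' is stored in clear text under /home/synapse, that ''ident'' is disabled although the file's own comment recommends it for a public bridge so IRC operators can ban individual Matrix users instead of the whole bridge, that ''logging.level'' is debug with log files relative to the project directory, and that ''dynamicChannels.enabled: true'' lets any erfurt.chat user (registration is open) join any hackint channel through the bridge; decide deliberately whether that is intended.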
 +<file|/home/synapse/.synapse/ircbridge_config.yaml> 
 +homeserver: 
 +  url: "https://erfurt.chat" 
 + 
 +  # CAUTION: This is a very coarse heuristic. Federated homeservers may have different 
 +  # clock times and hence produce different origin_server_ts values, which may be old 
 +  # enough to cause *all* events from the homeserver to be dropped. 
 +  # Default: 0 (don't ever drop) 
 +  # dropMatrixMessagesAfterSecs: 300 # 5 minutes 
 + 
 +  domain: "erfurt.chat" 
 + 
 +ircService: 
 +  servers: 
 +    "irc.hackint.org": 
 +      name: "Hackint" 
 +      networkId: "hackint" 
 +      port: 9999 
 +      ssl: true 
 +      sslselfsign: true 
 +      ca: | 
 +         -----BEGIN CERTIFICATE----- 
 +         MIIGBzCCA++gAwIBAgIJAKZfNgKecw1WMA0GCSqGSIb3DQEBCwUAMIGEMRwwGgYD 
 +         VQQKExNIYWNraW50IElSQyBOZXR3b3JrMR8wHQYDVQQLExZodHRwOi8vd3d3Lmhh 
 +         Y2tpbnQub3JnMSQwIgYDVQQDExtIYWNraW50IElSQyBOZXR3b3JrIFJvb3QgQ0Ex 
 +         HTAbBgkqhkiG9w0BCQEWDmNhQGhhY2tpbnQub3JnMB4XDTE1MDcwMTAwMDAwMFoX 
 +         DTM1MTIzMTIzNTk1OVowgYQxHDAaBgNVBAoTE0hhY2tpbnQgSVJDIE5ldHdvcmsx 
 +         HzAdBgNVBAsTFmh0dHA6Ly93d3cuaGFja2ludC5vcmcxJDAiBgNVBAMTG0hhY2tp 
 +         bnQgSVJDIE5ldHdvcmsgUm9vdCBDQTEdMBsGCSqGSIb3DQEJARYOY2FAaGFja2lu 
 +         dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDi57PWGLHMfxlN 
 +         yjtXUS4oYK77+C1ByJtziDWYbEiamrmYbOZ3ukzfH4nHHOLuAiQIT8Tw8gVXMw6w 
 +         CNplAUN0mAIQhhu10PwsBLjf638F/NTPzBmziMZyyuSrvyAkZp6Ktv5DAXymIV6C 
 +         7LmVwhJiqC5+YFC1JbZJt8wGrew/YLrroYUJm0n7FpW/EkUrl3cQOHIV5xFl9LxR 
 +         4xh/lC1AuAsawv8vaxQFGiun25F4jd6l/Evf0tr628kpEXH4hspkeNsQh9uUUpjx 
 +         CpNQqh7Wyi1M/QhiK9GFuODd0wsU77iOfccJl3FVf/bjLcO9COMLOBWaJgEpJMNw 
 +         j2uBk7pMKScw3S2qvtqBxf7VtfvlyPeX5C7+XCXXViBFcYubzmNlNq5n3qEbMG4t 
 +         qwdxR4Mhbhy4BhOGkFNdURsf4N47TvPV6eglHPLc05uYvL5VIddNxH1jrpxVYX76 
 +         KXvpR4+vUTYYVi8m2A4Rf+JMI5CELfie2chghhiojAuKDuKfmW3v+fkuGkjEC5A8 
 +         NfzD7EOGJB2osAbKP6rx77tVuAo0eMPLHijpgYciXIGoprwqFrjttvRaMkGywwLq 
 +         6JDyfB8hMvMvmVPnqx4zbmOaS/Ut2irVwU0k9jiDN29dTvc3ySHwW0bd+Lt5fWJD 
 +         DL/lb2it8Z8pJYmZwt1e7vl4LNdm2QIDAQABo3oweDAPBgNVHRMBAf8EBTADAQH/ 
 +         MB0GA1UdDgQWBBQVmc++GVicHQ7I4FDpPkZdr3nNCzAOBgNVHQ8BAf8EBAMCAQYw 
 +         NgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzAChhpodHRwOi8vaGFja2ludC5vcmcv 
 +         Y2EuaHRtbDANBgkqhkiG9w0BAQsFAAOCAgEAG82hdmLpfvG7RYbtCb6F4u8FBFxv 
 +         zR4Ye5nOPBKaA+CHA+KGScnBFg/E+aMI+IQ3j4Sgar0MZKwu5fI3ETdYReXWtSuE 
 +         3/UnT9U1ffUTTNuKwkFM3p5byrVzgmF3fI7aSAFyoa88xl6R/fzjXrXCp+eCy/tE 
 +         LTma2WRh+VORCX397h+FFVux3JtfBD+6uW53MOmNvSd2hndi8RpVbgklMfUWxcwK 
 +         z+R97QXhNopH33J1rmRm9/RUadKjChiIe+zM/eZJUPObIqiCaCP/qVAxruwHTi8E 
 +         tpNFNTCOxe0lwZ6lVNLWun7zY3+vk0Puk6KqnfBlNGK1QDxkTQLILdgGo5WQ11YN 
 +         oMmHGztLgZtiWLGLNhTrtAIRNKuc3sw0BOlv+osiH+KvDNvRKufc2eNkaGfLq7TJ 
 +         dhiAK2gKkYYAQ5zfDBwSspbtCsszYgEAin3PqoQUdG8f+4I49E0xS7PWQE75e7J9 
 +         MCnElQxAPWk9xuZhtkeWUHskpCjrNO7k3dshV0frn2OxPtSgQjjtZxQKQZYzQfPk 
 +         j/eVuFwWxQY9pZdOku7fRGbaLEyTbQHZW802rgmaLxxItWQKqZxG1Za7RlKo4Wur 
 +         9ZGuYKMAEnPmhJj2KlmXJAaIdQF6LA3NS0KvpWtOfrjaaroHHOUnrxBxCBlfoBpw 
 +         w3r7JBQGOVK95Sw= 
 +         -----END CERTIFICATE----- 
 + 
 +      # The connection password to send for all clients as a PASS command. Optional. 
 +      # password: 'pa$$w0rd' 
 + 
 +      sendConnectionMessages: false 
 + 
 +      quitDebounce: 
 +        # Whether parts due to net-splits are debounced for delayMs, to allow 
 +        # time for the netsplit to resolve itself. A netsplit is detected as being 
 +        # a QUIT rate higher than quitsPerSecond. Default: false. 
 +        enabled: false 
 +        # The maximum number of quits per second acceptable above which a netsplit is 
 +        # considered ongoing. Default: 5. 
 +        quitsPerSecond:
 +        # The ti 
 +        # a net 
 +        # is not sent many requests to leave rooms all at once if a netsplit occurs and many 
 +        # people to not rejoin. 
 +        # If the user with the same IRC nick as the one who sent the quit rejoins a channel 
 +        # they are considered back online and the quit is not bridged, so long as the rejoin 
 +        # occurs before the randomly-jittered timeout is not reached. 
 +        # Default: 3600000, = 1h 
 +        delayMinMs: 3600000 # 1h 
 +        # Default: 7200000, = 2h 
 +        delayMaxMs: 7200000 # 2h 
 + 
 +      modePowerMap: 
 +        o: 50 
 + 
 +      botConfig: 
 +        enabled: true 
 +        nick: "MatrixBot" 
 +        password: "$$$$SECRET$$$$" 
 + 
 +        joinChannelsIfNoUsers: true 
 + 
 +      privateMessages: 
 +        enabled: true 
 +        # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED 
 +        federate: true 
 + 
 +      # Configuration for mappings not explicitly listed in the 'mappings' 
 +      # section. 
 +      dynamicChannels: 
 +        # Enable the ability for Matrix users to join *any* channel on this IRC 
 +        # network. 
 +        # Default: false. 
 +        enabled: true 
 +        # Should the AS create a room alias for the new Matrix room? The form of 
 +        # the alias can be modified via 'aliasTemplate'. Default: true. 
 +        createAlias: true 
 +        # Should the AS publish the new Matrix room to the public room list so 
 +        # anyone can see it? Default: true. 
 +        published: true 
 +        # What should the join_rule be for the new Matrix room? If 'public', 
 +        # anyone can join the room. If 'invite', only users with an invite can 
 +        # join the room. Note that if an IRC channel has +k or +i set on it, 
 +        # join_rules will be set to 'invite' until these modes are removed. 
 +        # Default: "public"
 +        joinRule: public 
 +        # Should created Matrix rooms be federated? If false, only users on the 
 +        # HS attached to this AS will be able to interact with this room. 
 +        # Default: true. 
 +        federate: true 
 +        # The room alias template to apply when creating new aliases. This only 
 +        # applies if createAlias is 'true'. The following variables are exposed: 
 +        # $SERVER => The IRC server address (e.g. "irc.example.com"
 +        # $CHANNEL => The IRC channel (e.g. "#python"
 +        # This MUST have $CHANNEL somewhere in it. 
 +        # Default: '#irc_$SERVER_$CHANNEL' 
 +        #aliasTemplate: "#irc_$CHANNEL" 
 +        # A list of user IDs which the AS bot will send invites to in response 
 +        # to a !join. Only applies if joinRule is 'invite'. Default: [] 
 +        # whitelist: 
 +        #   - "@foo:example.com" 
 +        #   - "@bar:example.com" 
 +        # 
 +        # Prevent the given list of channels from being mapped under any 
 +        # circumstances. 
 +        # exclude: ["#foo", "#bar"
 + 
 +      # Configuration for controlling how Matrix and IRC membership lists are 
 +      # synced. 
 +      membershipLists: 
 +        # Enable the syncing of membership lists between IRC and Matrix. This 
 +        # can have a significant effect on performance on startup as the lists are 
 +        # synced. This must be enabled for anything else in this section to take 
 +        # effect. Default: false. 
 +        enabled: true 
 + 
 +        # Syncing membership lists at startup can result in hundreds of members to 
 +        # process all at once. This timer drip feeds membership entries at the 
 +        # specified rate. Default: 10000. (10s) 
 +        floodDelayMs: 10000 
 + 
 +        global: 
 +          ircToMatrix: 
 +            # Get a snapshot of all real IRC users on a channel (via NAMES) and 
 +            # join their virtual matrix clients to the room. 
 +            initial: true 
 +            # Make virtual matrix clients join and leave rooms as their real IRC 
 +            # counterparts join/part channels. Default: false. 
 +            incremental: true 
 + 
 +          matrixToIrc: 
 +            # Get a snapshot of all real Matrix users in the room and join all of 
 +            # them to the mapped IRC channel on startup. Default: false. 
 +            initial: true 
 +            # Make virtual IRC clients join and leave channels as their real Matrix 
 +            # counterparts join/leave rooms. Make sure your 'maxClients' value is 
 +            # high enough! Default: false. 
 +            incremental: true 
 + 
 +        # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. 
 +        rooms: 
 +          - room: "!fuasirouddJoxtwfge:localhost" 
 +            matrixToIrc: 
 +              initial: false 
 +              incremental: false 
 + 
 +        # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. 
 +        channels: 
 +          - channel: "#foo" 
 +            ircToMatrix: 
 +              initial: false 
 +              incremental: false 
 + 
 +      mappings: 
 +        # 1:many mappings from IRC channels to room IDs on this IRC server. 
 +        # The matrix room must already exist. Your matrix client should expose 
 +        # the room ID in a "settings" page for the room. 
 +        #"#bytespeicher-testing": ["", "!SUxMWVVxsKCFfBsKrR:unikorn.me"
 +        "#bytespeicher": ["!bGHdpETBTpNZzPzIDo:erfurt.chat"
 + 
 +      # Configuration for virtual matrix users. The following variables are 
 +      # exposed: 
 +      # $NICK => The IRC nick 
 +      # $SERVER => The IRC server address (e.g. "irc.example.com"
 +      matrixClients: 
 +        # The user ID template to use when creating virtual matrix users. This 
 +        # MUST have $NICK somewhere in it. 
 +        # Optional. Default: "@$SERVER_$NICK"
 +        # Example: "@irc.example.com_Alice:example.com" 
 +        userTemplate: "@irc_$NICK" 
 +        # The display name to use for created matrix clients. This should have 
 +        # $NICK somewhere in it if it is specified. Can also use $SERVER to 
 +        # insert the IRC domain. 
 +        # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" 
 +        displayName: "$NICK (IRC)" 
 + 
 +      # Configuration for virtual IRC users. The following variables are exposed: 
 +      # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) 
 +      # $USERID => The user ID 
 +      # $DISPLAY => The display name of this user, with excluded characters 
 +      #             (e.g. space) removed. If the user has no display name, this 
 +      #             falls back to $LOCALPART. 
 +      ircClients: 
 +        # The template to apply to every IRC client nick. This MUST have either 
 +        # $DISPLAY or $USERID or $LOCALPART somewhere in it. 
 +        # Optional. Default: "M-$DISPLAY". Example: "M-Alice"
 +        nickTemplate: "$DISPLAY[m]" 
 +        # True to allow virtual IRC clients to change their nick on this server 
 +        # by issuing !nick <server> <nick> commands to the IRC AS bot. 
 +        # This is completely freeform: it will NOT follow the nickTemplate. 
 +        allowNickChanges: true 
 +        # The max number of IRC clients that will connect. If the limit is 
 +        # reached, the client that spoke the longest time ago will be 
 +        # disconnected and replaced. 
 +        # Optional. Default: 30. 
 +        maxClients: 30 
 +        # IPv6 configuration. 
 +        ipv6: 
 +          # Optional. Set to true to force IPv6 for outgoing connections. 
 +          only: false 
 +          # Optional. The IPv6 prefix to use for generating unique addresses for each 
 +          # connected user. If not specified, all users will connect from the same 
 +          # (default) address. This may require additional OS-specific work to allow 
 +          # for the node process to bind to multiple different source addresses 
 +          # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library 
 +          # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. 
 +          prefix: "2a01:4f8:c17:1214::1:"  # modify appropriately 
 +        # 
 +        # The maximum amount of time in seconds that the client can exist 
 +        # without sending another message before being disconnected. Use 0 to 
 +        # not apply an idle timeout. This value is ignored if this IRC server is 
 +        # mirroring matrix membership lists to IRC. Default: 172800 (48 hours) 
 +        idleTimeout: 10800 
 +        # The number of millseconds to wait between consecutive reconnections if a 
 +        # client gets disconnected. Setting to 0 will cause the scheduling to be 
 +        # disabled, i.e. it will be scheduled immediately (with jitter. 
 +        # Otherwise, the scheduling interval will be used such that one client 
 +        # reconnect for this server will be handled every reconnectIntervalMs ms using 
 +        # a FIFO queue. 
 +        # Default: 5000 (5 seconds) 
 +        reconnectIntervalMs: 5000 
 +        # The number of lines to allow being sent by the IRC client that has received 
 +        # a large block of text to send from matrix. If the number of lines that would 
 +        # be sent is > lineLimit, the text will instead be uploaded to matrix and the 
 +        # resulting URI is treated as a file. As such, a link will be sent to the IRC 
 +        # side instead of potentially spamming IRC and getting the IRC client kicked. 
 +        # Default: 3. 
 +        lineLimit: 3 
 +        # A list of user modes to set on every IRC client. For example, "RiG" would set 
 +        # +R, +i and +G on every IRC connection when they have successfully connected. 
 +        # User modes vary wildly depending on the IRC network you're connecting to, 
 +        # so check before setting this value. Some modes may not work as intended 
 +        # through the bridge e.g. caller ID as there is no way to /ACCEPT. 
 +        # Default: "" (no user modes) 
 +        # userModes: "R" 
 + 
 +  # Configuration for an ident server. If you are running a public bridge it is 
 +  # advised you setup an ident server so IRC mods can ban specific matrix users 
 +  # rather than the application service itself. 
 +  ident: 
 +    # True to listen for Ident requests and respond with the 
 +    # matrix user's user_id (converted to ASCII, respecting RFC 1413). 
 +    # Default: false. 
 +    enabled: false 
 +    # The port to listen on for incoming ident requests. 
 +    # Ports below 1024 require root to listen on, and you may not want this to 
 +    # run as root. Instead, you can get something like an Apache to yank up 
 +    # incoming requests to 113 to a high numbered port. Set the port to listen 
 +    # on instead of 113 here. 
 +    # Default: 113. 
 +    port: 1113 
 + 
 +  # Configuration for logging. Optional. Default: console debug level logging 
 +  # only. 
 +  logging: 
 +    # Level to log on console/logfile. One of error|warn|info|debug 
 +    level: "debug" 
 +    # The file location to log to. This is relative to the project directory. 
 +    logfile: "debug.log" 
 +    # The file location to log errors to. This is relative to the project 
 +    # directory. 
 +    errfile: "errors.log" 
 +    # Whether to log to the console or not. 
 +    toConsole: true 
 +    # The max size each file can get to in bytes before a new file is created. 
 +    maxFileSizeBytes: 134217728 # 128 MB 
 +    # The max number of files to keep. Files will be overwritten eventually due 
 +    # to rotations. 
 +    maxFiles: 5 
 + 
 +  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: 
 +  #   $ npm install prom-client@6.3.0 
 +  # Metrics will then be available via GET /metrics on the bridge listening port (-p). 
 +  # metrics: 
 +  #   enabled: true 
 + 
 +  # The nedb database URI to connect to. This is the name of the directory to 
 +  # dump .db files to. This is relative to the project directory. 
 +  # Required. 
 +  databaseUri: "nedb://data" 
 + 
 +  # Configuration options for the debug HTTP API. To access this API, you must 
 +  # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. 
 +  # 
 +  # The debug API exposes the following endpoints: 
 +  # 
 +  #   GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. 
 +  # 
 +  #   POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. 
 +  #                                      Format: new line delimited commands as per IRC protocol. 
 +  # 
 +  debugApi: 
 +    # True to enable the HTTP API endpoint. Default: false. 
 +    enabled: false 
 +    # The port to host the HTTP API. 
 +    port: 11100 
 + 
 +  # Configuration for the provisioning API. 
 +  # 
 +  # GET /_matrix/provision/link 
 +  # GET /_matrix/provision/unlink 
 +  # GET /_matrix/provision/listlinks 
 +  # 
 +  provisioning: 
 +    # True to enable the provisioning HTTP endpoint. Default: false. 
 +    enabled: false 
 +    # The number of seconds to wait before giving up on getting a response from 
 +    # an IRC channel operator. If the channel operator does not respond within the 
 +    # allotted time period, the provisioning request will fail. 
 +    # Default: 300 seconds (5 mins) 
 +    requestTimeoutSeconds: 300 
 + 
 +  # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot 
 +  # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in 
 +  # the database. 
 +  # 
 +  # To generate a .pem file: 
 +  # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 
 +  # 
 +  # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords 
 +  # for storage in the database. Passwords are stored by using the admin room command 
 +  # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of 
 +  # the Matrix user, this password will be sent as the server password (PASS command). 
 +  passwordEncryptionKeyPath: "passkey.pem" 
 +</file> 
 + 
 +<file|/etc/systemd/system/matrix-irc-bridge.service> 
 +[Unit] 
 +Description=Matrix IRC Bridge 
 + 
 +[Service] 
 +Type=simple 
 +User=synapse 
 +Group=synapse 
 +#EnvironmentFile=-/etc/sysconfig/synapse 
 +WorkingDirectory=/home/synapse/.synapse 
 +ExecStart=/usr/local/bin/matrix-appservice-irc -c ircbridge_config.yaml -f ircbridge.yaml -p 9999 
 + 
 +[Install] 
 +WantedBy=multi-user.target 
 +</file> 
 + 
 +  * matrix-appservice-irc -r -f ircbridge_registration.yaml -u "http://erfurt.chat:9999" -c ircbridge_config.yaml -l ircbridge 
 +  * systemctl enable matrix-irc-bridge.service 
 +  * systemctl start matrix-irc-bridge.service 
 + 
 +==== Upgrade zu Postgres ==== 
 +  * wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add - 
 +  * echo deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main > /etc/apt/sources.list.d/pgdg.list 
 +  * apt update 
 +  * apt install postgresql-10 postgresql-client-10 libpq-dev 
 +  * sudo -u postgres createuser -e  synapse 
 +  * sudo -u postgres psql -c "CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse_user;" 
 +  * service synapse stop 
 +  * cp -a /home/synapse/.synapse/homeserver.db{,.snapshot} 
 +  * cp -a /home/synapse/.synapse/homeserver{,-postgres}.yaml 
 + 
 +<file|/home/synapse/.synapse/homeserver-postgres.yaml> 
 +[...] 
 + 
 +# Database configuration 
 +database: 
 +  # The database engine name 
 +  name: "psycopg2" 
 +  # Arguments to pass to the engine 
 +  args: 
 +    database: synapse 
 +    cp_min: 5  
 +    cp_max: 25 
 +     
 +[...] 
 +</file> 
 + 
 +  * service synapse start 
 +  * sudo -u synapse bash 
 +  * source ~/.synapse/bin/activate 
 +  * pip install psycopg2 
 +  * cd ~/.synapse 
 +  * synapse_port_db --sqlite-database homeserver.db.snapshot --postgres-config homeserver-postgres.yaml 
 +  * (as root) service synapse stop 
 +  * synapse_port_db --sqlite-database homeserver.db --postgres-config homeserver-postgres.yaml 
 +  * mv homeserver.yaml{,.old-sqlite} 
 +  * mv homeserver{-postgres,}.yaml 
 +  * mv homeserver.db{,.unused} 
 +  * exit 
 +  * service synapse start 
 + 
 + 
 +Es wurde https://github.com/matrix-org/synapse/pull/3099 mit eingspielt. 
 + 
 +==== Externe Synapse Dokumentation ==== 
 +  * https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation 
 +  * https://github.com/matrix-org/synapse/blob/master/README.rst#setting-up-federation 
 +  * https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.rst 
 +===== users.bytespeicher.org =====
  
 <file|/etc/nginx/sites-available/users.bytespeicher.org> <file|/etc/nginx/sites-available/users.bytespeicher.org>
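Review bot: in the "Upgrade zu Postgres" steps the role and the database owner disagree: ''sudo -u postgres createuser -e synapse'' creates a role named synapse, but the next line says ''CREATE DATABASE synapse ... OWNER synapse_user;'' and refers to a role that was never created, so Postgres rejects it with "role "synapse_user" does not exist"; change it to ''OWNER synapse;''. The role really does have to be called synapse: the database block in homeserver-postgres.yaml gives only ''database: synapse'' with no user, password or host, so psycopg2 falls back to the local Unix socket with peer authentication, which maps the OS user the process runs as (''User=synapse'' in the unit file, and ''sudo -u synapse bash'' for the port run) onto the Postgres role of the same name. The procedure depends silently on that and on pg_hba.conf keeping ''peer'' for local connections, which deserves one sentence in the text; it is also why no password is ever set for the role. Two smaller points on the bridge: the registration is generated with ''-u "http://erfurt.chat:9999"'' while the bridge listens with ''-p 9999'', so the homeserver reaches the appservice over plain HTTP via the public hostname and only the as_token/hs_token in ircbridge_registration.yaml guard that port; state that 9999 is firewalled from the outside, or register the bridge as http://localhost:9999 since homeserver and bridge run on the same machine. And ''passwordEncryptionKeyPath: "passkey.pem"'' names the private key that decrypts every stored IRC password (the config's own warning says these are passwords, not hashes), so document that the file lives under the WorkingDirectory /home/synapse/.synapse and must be readable only by synapse (mode 0600).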
Zeile 1634: Zeile 2551:
 </file> </file>
  
-===== Datensicherung =====+====== Datensicherung ======
  
 Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user:mape2k]] und einen Server von [[user:mkzero]]: Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user:mape2k]] und einen Server von [[user:mkzero]]:
Zeile 1760: Zeile 2677:
 30 2   * * *   root    HOME=/root && duply mkzero-backup backup 30 2   * * *   root    HOME=/root && duply mkzero-backup backup
 </file> </file>
 +
 +====== Postfächer und Forward-Konten ======
 +
 +Als Mailserver wird Postfix eingesetzt. 
 +Aliase für Forwarding-Postfächer werden in der Datei ''/etc/postfix/virtual gepeichert.'' Änderungen werden erst durch Ausführen von ''postmap /etc/postfix/virtual'' übernommen.
 +
 +[mehr Dokumentation nötig…] 
 +
 +
 +=====  Postfach anlegen ====
 +
 +mit ''doveadm pw -s ssha'' Passwort erzeugen.
 +
 +Passwort-Hash mit FQDN-Mail in /etc/dovecot/users eintragen
 +
 +
 +in den mail-ordner Wechsel und Postfach-Ordner anlegen und Besitzer sowie Rechte anpassen
 +
 +
 +''chown vmail:vmail postfach''
 +
 +''chmod 700 postfach''
 +
 +''systemctl restart dovecot''
 +
 +
 +
 +
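Review bot: the "Postfach anlegen" steps generate the Dovecot hash with ''doveadm pw -s ssha'', which is salted SHA-1 with a single round and therefore cheap to brute-force if /etc/dovecot/users is ever exposed; prefer an iterated scheme that Dovecot on Debian 8 already supports, for example ''doveadm pw -s SHA512-CRYPT'', and say that /etc/dovecot/users must not be world-readable, since it holds the hashes of every account. The steps also leave two gaps the reader has to guess: the directory to change into before ''chown vmail:vmail postfach'' is never named (the text only says "change into the mail folder"), and postfach is a placeholder for the new mailbox directory; spell out the maildir base path and note that the directory name has to match the entry in /etc/dovecot/users. Formatting: in ''/etc/postfix/virtual gepeichert.'' the closing '' sits after the (misspelled, "gespeichert") verb instead of after the path, and the heading ''=====  Postfach anlegen ===='' has five = on the left and four on the right; make both sides five.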
 • dienste/bytecluster0001.1482278211.txt.gz
 • Last modified: 21.12.2016 00:56
 • by mape2k