Differences
This page shows the differences between two revisions of the wiki page.
Old revision: dienste:bytecluster0001 [13.04.2018 23:27] – [Administratoren] mkzero
New revision: dienste:bytecluster0001 [03.05.2020 17:51] (current) – Limit raised to 20MB, mape2k
Zeile 1: | Zeile 1: | ||
- | ====== bytecluster0001 ====== | + | ======= bytecluster0001 |
- | bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. Der Server wurde von der Firma Hetzner Online GmbH dankenswerter Weise zur Verfügung gestellt. | + | bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. |
- | ===== Administratoren ===== | + | ====== Administratoren |
* [[user: | * [[user: | ||
* [[user: | * [[user: | ||
* [[user: | * [[user: | ||
- | * [[user: | + | * [[user: |
- | ===== Benutzer ===== | + | ====== Benutzer |
* Bernd (Webseiten) | * Bernd (Webseiten) | ||
- | ===== IPs /DNS ===== | + | ====== IPs /DNS ====== |
* bytecluster0001.bytespeicher.org | * bytecluster0001.bytespeicher.org | ||
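Review bot: the new revision's headings use seven equals signs (`======= bytecluster0001`) where the old ones used six; `======` is already DokuWiki's largest heading, so every heading on the page was shifted one level too deep and the top level now relies on the parser tolerating the oversize marker. Shift the hierarchy back by one level so the sub-sections (`====== Administratoren`, `===== Konfiguration SSH =====`) keep their intended nesting. The old revision's sentence crediting Hetzner Online GmbH for the server is also dropped without the edit summary saying why.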
Zeile 20: | Zeile 20: | ||
* 2a01: | * 2a01: | ||
- | ===== Installation ===== | + | ====== Installation |
* Debian 8.2 minimal | * Debian 8.2 minimal | ||
- | ==== User / Gruppen ==== | + | ===== User / Gruppen |
* mkzero -> sudo | * mkzero -> sudo | ||
* marcel -> sudo | * marcel -> sudo | ||
+ | * maddi -> sudo | ||
* stephan -> sudo | * stephan -> sudo | ||
* bernd -> sudo für www-data | * bernd -> sudo für www-data | ||
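Review bot: `+ * maddi -> sudo` adds a fully privileged account; the Administrators list in the previous hunk shows a changed `[[user:` entry but it is cut off here, so confirm the new admin is listed there as well and that the account follows the SUDO section's convention of membership in the administrative group, in the same edit.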
Zeile 37: | Zeile 38: | ||
* ffapi | * ffapi | ||
* synapse | * synapse | ||
- | ==== Pakete ==== | + | ===== Pakete |
* zsh | * zsh | ||
Zeile 47: | Zeile 48: | ||
* debian-goodies | * debian-goodies | ||
- | ==== Netzwerk ==== | + | ===== Netzwerk |
- | === Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) === | + | ==== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) |
< | < | ||
#!/bin/bash | #!/bin/bash | ||
Zeile 65: | Zeile 66: | ||
* //**chmod +x / | * //**chmod +x / | ||
- | === Konfiguration === | + | ==== Konfiguration |
< | < | ||
Zeile 85: | Zeile 86: | ||
</ | </ | ||
- | ==== Konfiguration SSH ==== | + | ===== Konfiguration SSH ===== |
* HostKey DSA entfernt | * HostKey DSA entfernt | ||
Zeile 102: | Zeile 103: | ||
</ | </ | ||
- | ==== SUDO ==== | + | ===== SUDO ===== |
* Administrative Benutzer sind Mitglied der Gruppe " | * Administrative Benutzer sind Mitglied der Gruppe " | ||
- | ==== IPTABLES ==== | + | ===== IPTABLES |
* iptables-persistent | * iptables-persistent | ||
Zeile 205: | Zeile 206: | ||
</ | </ | ||
- | ==== MySQL/ | + | ===== MySQL/ |
* mariadb-server | * mariadb-server | ||
Zeile 247: | Zeile 248: | ||
</ | </ | ||
- | ==== NGINX ==== | + | ===== NGINX ===== |
* nginx | * nginx | ||
Zeile 298: | Zeile 299: | ||
</ | </ | ||
- | ==== Let's Encrypt (SSL-Zertifikate) ==== | + | ===== Let's Encrypt (SSL-Zertifikate) |
=== Installation === | === Installation === | ||
Zeile 376: | Zeile 377: | ||
23 4 * * * | 23 4 * * * | ||
</ | </ | ||
- | === Verwendung des Let' | + | === Verwendung des LetsEncrypt |
Pro Zertifikat können mehrere Domains/ | Pro Zertifikat können mehrere Domains/ | ||
Zeile 417: | Zeile 418: | ||
* **// | * **// | ||
- | ==== PHP ==== | + | ===== User-Agent-Filter ===== |
+ | < | ||
+ | ### Block Mastodon | ||
+ | if ($http_user_agent ~* (Mastodon)) { | ||
+ | return 403; | ||
+ | } | ||
+ | </ | ||
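Review bot: `if ($http_user_agent ~* (Mastodon)) { return 403; }` matches the substring 'Mastodon' case-insensitively in a client-supplied header, so it is a courtesy filter against link-preview fetches, not an access control; say so in a comment, and note which nginx server blocks include the snippet, because the `<code>` block does not show where it is applied.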
+ | ===== PHP ===== | ||
* php5-fpm | * php5-fpm | ||
Zeile 438: | Zeile 446: | ||
post_max_size = 64M | post_max_size = 64M | ||
</ | </ | ||
- | ==== Ruby ==== | + | ===== Ruby ===== |
* ruby | * ruby | ||
- | ==== Bytebot ==== | + | ===== Bytebot |
Pakete: | Pakete: | ||
Zeile 486: | Zeile 494: | ||
* // | * // | ||
- | ==== Twitterstatus / Twitterstatus Makerspace ==== | + | ===== Twitterstatus / Twitterstatus Makerspace |
Die Anleitung ist für " | Die Anleitung ist für " | ||
Zeile 550: | Zeile 558: | ||
</ | </ | ||
- | ==== Freifunk-API ==== | + | ===== Freifunk-API |
=== Pakete === | === Pakete === | ||
Zeile 646: | Zeile 654: | ||
* // | * // | ||
- | ==== paste.bytespeicher.org ==== | + | ===== paste.bytespeicher.org |
* Datenbank: bs_paste | * Datenbank: bs_paste | ||
Zeile 702: | Zeile 710: | ||
</ | </ | ||
- | ==== bytespeicher.org ==== | + | ===== bytespeicher.org |
* Datenbank: wp_bs | * Datenbank: wp_bs | ||
Zeile 714: | Zeile 722: | ||
| | ||
+ | | ||
| | ||
Zeile 731: | Zeile 740: | ||
| | ||
+ | |||
+ | | ||
ssl on; | ssl on; | ||
Zeile 819: | Zeile 830: | ||
</ | </ | ||
- | ==== status.bytespeicher.org ==== | + | ===== status.bytespeicher.org |
* **//useradd spacestatus -m -G www-data// | * **//useradd spacestatus -m -G www-data// | ||
Zeile 896: | Zeile 907: | ||
</ | </ | ||
- | ==== makerspace-erfurt.de / fablab-erfurt.de ==== | + | ===== makerspace-erfurt.de / fablab-erfurt.de |
* Datenbank: makerspace_wp | * Datenbank: makerspace_wp | ||
Zeile 967: | Zeile 978: | ||
</ | </ | ||
- | ==== cloud.technikkultur-erfurt.de (Nextcloud) ==== | + | ===== cloud.technikkultur-erfurt.de (Nextcloud) |
* Datenbank: makerspace_oc | * Datenbank: makerspace_oc | ||
Zeile 1101: | Zeile 1112: | ||
</ | </ | ||
- | ==== Redmine ==== | + | ===== Redmine |
* Datenbank: redmine | * Datenbank: redmine | ||
Zeile 1247: | Zeile 1258: | ||
</ | </ | ||
- | ==== Dokuwiki ==== | + | ===== Dokuwiki |
* DocumentRoot: | * DocumentRoot: | ||
Zeile 1260: | Zeile 1271: | ||
listen [::]:443 ssl; | listen [::]:443 ssl; | ||
+ | include snippets/ | ||
include snippets/ | include snippets/ | ||
Zeile 1282: | Zeile 1294: | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
- | # Maximum file upload size is 4MB - change accordingly if needed | + | # Maximum file upload size is 20MB - change accordingly if needed |
- | client_max_body_size | + | client_max_body_size |
client_body_buffer_size 128k; | client_body_buffer_size 128k; | ||
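Review bot: the comment is updated to 20MB but the `client_max_body_size` value itself is cut off in this rendering; check that the directive was changed together with the comment and record the new value in the edit summary. PHP's `post_max_size = 64M` from the PHP section remains larger, so nginx's limit is the effective cap for Dokuwiki uploads.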
Zeile 1314: | Zeile 1326: | ||
</ | </ | ||
- | ==== Pad ==== | + | ===== Pad ===== |
* Software: Etherpad-lite | * Software: Etherpad-lite | ||
Zeile 1429: | Zeile 1441: | ||
* https:// | * https:// | ||
- | ==== wall.technikkultur-erfurt.de ==== | + | ===== wall.technikkultur-erfurt.de |
* Config: / | * Config: / | ||
Zeile 1452: | Zeile 1464: | ||
</ | </ | ||
- | ==== opendata.bytespeicher.org ==== | + | ===== opendata.bytespeicher.org |
* Webspace: / | * Webspace: / | ||
Zeile 1508: | Zeile 1520: | ||
</ | </ | ||
- | ==== Piwik ==== | + | ===== Piwik ===== |
* Datenbank: bs_piwik | * Datenbank: bs_piwik | ||
Zeile 1532: | Zeile 1544: | ||
</ | </ | ||
- | ==== Roundcube ==== | + | ===== Roundcube |
* Datenbank: roundcubemail | * Datenbank: roundcubemail | ||
Zeile 1649: | Zeile 1661: | ||
* //**rm -rf / | * //**rm -rf / | ||
- | ==== Matrix/ | + | ===== Matrix/ |
* useradd -m synapse | * useradd -m synapse | ||
Zeile 1742: | Zeile 1754: | ||
< | < | ||
--- homeserver.yaml.orig 2017-06-05 12: | --- homeserver.yaml.orig 2017-06-05 12: | ||
- | +++ homeserver.yaml 2017-06-05 18:44:13.546761068 | + | +++ homeserver.yaml 2018-04-17 13:40:25.760622831 |
@@ -4,10 +4,10 @@ | @@ -4,10 +4,10 @@ | ||
# autogenerates on launch with your own SSL certificate + key pair | # autogenerates on launch with your own SSL certificate + key pair | ||
Zeile 1749: | Zeile 1761: | ||
-tls_certificate_path: | -tls_certificate_path: | ||
+tls_certificate_path: | +tls_certificate_path: | ||
- | + | ||
# PEM encoded private key for TLS | # PEM encoded private key for TLS | ||
-tls_private_key_path: | -tls_private_key_path: | ||
+tls_private_key_path: | +tls_private_key_path: | ||
- | + | ||
# PEM dh parameters for ephemeral keys | # PEM dh parameters for ephemeral keys | ||
| | ||
@@ -50,7 +50,7 @@ | @@ -50,7 +50,7 @@ | ||
| | ||
- | + | ||
# Whether to serve a web client from the HTTP/HTTPS root resource. | # Whether to serve a web client from the HTTP/HTTPS root resource. | ||
-web_client: | -web_client: | ||
+web_client: | +web_client: | ||
- | + | ||
# The root directory to server for the above web client. | # The root directory to server for the above web client. | ||
# If left undefined, synapse will serve the matrix-angular-sdk web client. | # If left undefined, synapse will serve the matrix-angular-sdk web client. | ||
@@ -59,7 +59,7 @@ | @@ -59,7 +59,7 @@ | ||
# web_client_location: | # web_client_location: | ||
- | + | ||
# The public-facing base URL for the client API (not including _matrix/ | # The public-facing base URL for the client API (not including _matrix/ | ||
-# public_baseurl: | -# public_baseurl: | ||
+public_baseurl: | +public_baseurl: | ||
- | + | ||
# Set the soft limit on the number of file descriptors synapse can use | # Set the soft limit on the number of file descriptors synapse can use | ||
# Zero is used to indicate synapse should set the soft limit to the | # Zero is used to indicate synapse should set the soft limit to the | ||
- | @@ -123,7 +123,7 @@ | + | @@ -71,7 +71,9 @@ |
+ | |||
+ | # Set the limit on the returned events in the timeline in the get | ||
+ | # and sync operations. The default value is -1, means no upper limit. | ||
+ | -# filter_timeline_limit: | ||
+ | + | ||
+ | +## activated by maddi | ||
+ | +filter_timeline_limit: | ||
+ | |||
+ | # List of ports that Synapse should listen on, their purpose and their | ||
+ | # configuration. | ||
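Review bot: `+filter_timeline_limit:` is uncommented with its value cut off, and `## activated by maddi` records who changed it but not why; since this caps the events returned on sync for every client, note the chosen value and the reason in the comment.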
+ | @@ -85,11 +87,11 @@ | ||
+ | # Local addresses to listen on. | ||
+ | # This will listen on all IPv4 addresses by default. | ||
+ | | ||
+ | - - ' | ||
+ | + #- ' | ||
+ | # Uncomment to listen on all IPv6 interfaces | ||
+ | # N.B: On at least Linux this will also listen on all IPv4 | ||
+ | # addresses, so you will need to comment out the line above. | ||
+ | - # - '::' | ||
+ | + - '::' | ||
+ | |||
+ | # This is a ' | ||
+ | type: http | ||
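Review bot: switching the listener from a specific address (cut off here, `- - '`) to `+ - '::'` binds all IPv6 addresses and, as the surrounding comment says, on Linux all IPv4 addresses too; if the previous bind was a loopback address behind nginx, this port is now exposed on every interface unless the rules in the IPTABLES section block it, so verify the firewall covers it and that the `x_forwarded` setting in the next hunk still matches the proxy setup.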
+ | @@ -123,7 +125,7 @@ | ||
| | ||
type: http | type: http | ||
- | + | ||
- x_forwarded: | - x_forwarded: | ||
+ x_forwarded: | + x_forwarded: | ||
- | + | ||
| | ||
- names: [client, webclient] | - names: [client, webclient] | ||
- | @@ -231,7 +231,7 @@ | + | @@ -141,14 +143,18 @@ |
+ | # Database configuration | ||
+ | | ||
+ | # The database engine name | ||
+ | - name: " | ||
+ | + name: " | ||
+ | # Arguments to pass to the engine | ||
+ | | ||
+ | - # Path to the database | ||
+ | - database: "/ | ||
+ | + #user: synapse | ||
+ | + database: synapse | ||
+ | + #host: localhost | ||
+ | + # | ||
+ | + cp_min: 5 | ||
+ | + cp_max: 25 | ||
+ | |||
+ | # Number of events to cache in memory. | ||
+ | -event_cache_size: | ||
+ | +event_cache_size: | ||
+ | |||
+ | |||
+ | |||
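Review bot: in the database block `+ #user: synapse` and `+ #host: localhost` stay commented out, so the connection falls back to the driver's defaults (local socket, authenticated as the unix user synapse runs under); that works with peer authentication but should be stated explicitly, and `cp_min: 5` / `cp_max: 25` should be checked against the database server's connection limit. The removed `- database: "/` line pointed at the old file-based database; keep that file until the migration described in the 'Upgrade zu Postgres' section below is verified.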
+ | @@ -156,7 +162,7 @@ | ||
+ | | ||
+ | |||
+ | # File to write logging to. Ignored if log_config is specified. | ||
+ | -log_file: "/ | ||
+ | +log_file: "/ | ||
+ | |||
+ | # A yaml python logging config file | ||
+ | | ||
+ | @@ -171,7 +177,9 @@ | ||
+ | | ||
+ | |||
+ | # The federation window size in milliseconds | ||
+ | -federation_rc_window_size: | ||
+ | +## edit by maddi | ||
+ | +# federation_rc_window_size: | ||
+ | +federation_rc_window_size: | ||
+ | |||
+ | # The number of federation requests from a single server in a window | ||
+ | # before the server will delay processing the request. | ||
+ | @@ -183,14 +191,19 @@ | ||
+ | |||
+ | # The maximum number of concurrent federation requests allowed | ||
+ | # from a single server | ||
+ | -federation_rc_reject_limit: | ||
+ | +## edit by maddi | ||
+ | +# federation_rc_reject_limit: | ||
+ | +federation_rc_reject_limit: | ||
+ | |||
+ | # The number of federation requests to concurrently process from a | ||
+ | # single server | ||
+ | -federation_rc_concurrent: | ||
+ | - | ||
+ | - | ||
+ | - | ||
+ | +# | ||
+ | +## edit by maddi | ||
+ | +federation_rc_concurrent: | ||
+ | + | ||
+ | +## add by maddi | ||
+ | +federation_domain_whitelist: | ||
+ | + | ||
+ | # Directory where uploaded images and attachments are stored. | ||
+ | | ||
+ | |||
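Review bot: `+federation_domain_whitelist:` (value cut off) restricts federation to the listed servers, which changes who can talk to this homeserver at all and belongs in the edit summary, not only in `## add by maddi`; likewise the `federation_rc_reject_limit` and `federation_rc_concurrent` changes keep the old values as commented lines but give no reason. Add a short why next to the who.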
+ | @@ -231,7 +244,7 @@ | ||
# Is the preview URL API enabled? | # Is the preview URL API enabled? | ||
# an explicit url_preview_ip_range_blacklist of IPs that the spider is | # an explicit url_preview_ip_range_blacklist of IPs that the spider is | ||
Zeile 1789: | Zeile 1894: | ||
-url_preview_enabled: | -url_preview_enabled: | ||
+url_preview_enabled: | +url_preview_enabled: | ||
- | + | ||
# List of IP address CIDR ranges that the URL preview spider is denied | # List of IP address CIDR ranges that the URL preview spider is denied | ||
# from accessing. | # from accessing. | ||
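Review bot: the `url_preview_enabled:` value is cut off; if it is being switched on, the `url_preview_ip_range_blacklist` handled in the following hunk must include this host's own addresses and any internal ranges, since, as the surrounding comment warns, the preview spider would otherwise issue GET requests to internal services on behalf of users.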
- | @@ -241,14 +241,14 @@ | + | @@ -241,14 +254,14 @@ |
# synapse to issue arbitrary GET requests to your internal services, | # synapse to issue arbitrary GET requests to your internal services, | ||
# causing serious security issues. | # causing serious security issues. | ||
Zeile 1815: | Zeile 1920: | ||
# to access even if they are specified in url_preview_ip_range_blacklist. | # to access even if they are specified in url_preview_ip_range_blacklist. | ||
# This is useful for specifying exceptions to wide-ranging blacklisted | # This is useful for specifying exceptions to wide-ranging blacklisted | ||
- | @@ -322,10 +322,10 @@ | + | @@ -322,10 +335,10 @@ |
## Turn ## | ## Turn ## | ||
- | + | ||
# The public URIs of the TURN server to give to clients | # The public URIs of the TURN server to give to clients | ||
-turn_uris: [] | -turn_uris: [] | ||
+turn_uris: [ " | +turn_uris: [ " | ||
- | + | ||
# The shared secret used to compute passwords for the TURN server | # The shared secret used to compute passwords for the TURN server | ||
-turn_shared_secret: | -turn_shared_secret: | ||
+turn_shared_secret: | +turn_shared_secret: | ||
- | + | ||
# The Username and password if the TURN server needs them and | # The Username and password if the TURN server needs them and | ||
# does not use a token | # does not use a token | ||
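Review bot: `+turn_shared_secret:` is a credential pasted into a wiki page together with the TURN URIs; the value is cut off in this view, but make sure the page copy of homeserver.yaml is redacted, since everyone who can read this wiki can read the secret.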
- | @@ -346,7 +346,7 @@ | + | @@ -346,7 +359,7 @@ |
## Registration ## | ## Registration ## | ||
- | + | ||
# Enable registration for new users. | # Enable registration for new users. | ||
-enable_registration: | -enable_registration: | ||
+enable_registration: | +enable_registration: | ||
- | + | ||
# If set, allows registration by anyone who also has the shared | # If set, allows registration by anyone who also has the shared | ||
# secret, even if registration is otherwise disabled. | # secret, even if registration is otherwise disabled. | ||
- | @@ -360,7 +360,7 @@ | + | @@ -360,7 +373,7 @@ |
# Allows users to register as guests without a password/ | # Allows users to register as guests without a password/ | ||
# participate in rooms hosted on this server which have been made | # participate in rooms hosted on this server which have been made | ||
Zeile 1843: | Zeile 1948: | ||
-allow_guest_access: | -allow_guest_access: | ||
+allow_guest_access: | +allow_guest_access: | ||
- | + | ||
# The list of identity servers trusted to verify third party | # The list of identity servers trusted to verify third party | ||
# identifiers by this server. | # identifiers by this server. | ||
- | @@ -388,7 +388,7 @@ | + | @@ -388,7 +401,9 @@ |
- | + | ||
- | + | ||
# A list of application service config file to use | # A list of application service config file to use | ||
-app_service_config_files: | -app_service_config_files: | ||
- | +app_service_config_files: | + | +#app_service_config_files: |
- | + | +## deactivated by maddi | |
- | + | +app_service_config_files: | |
+ | |||
| | ||
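Review bot: `+#app_service_config_files:` keeps the old value commented out while `+app_service_config_files:` sets a new one under `## deactivated by maddi`; the comment says deactivated but a value is still set, so clarify whether an application service (the IRC bridge registration in the 'Matrix IRC Bridge' section below) was removed or replaced, and why.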
- | @@ -461,7 +461,8 @@ | + | @@ -402,7 +417,7 @@ |
+ | | ||
+ | |||
+ | # The keys that the server used to sign messages with but won't use | ||
+ | -# to sign new messages. E.g. it has lost its private key | ||
+ | +# to sign new messages. dE.g. it has lost its private key | ||
+ | | ||
+ | # | ||
+ | # | ||
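Review bot: `+# to sign new messages. dE.g. it has lost its private key` introduces a stray `d` into a comment that the removed line had right; this looks like an accidental keystroke in the live config rather than an intended edit, so revert it to `# to sign new messages. E.g. it has lost its private key`.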
+ | @@ -461,7 +476,8 @@ | ||
enabled: true | enabled: true | ||
# Uncomment and change to a secret random string for extra security. | # Uncomment and change to a secret random string for extra security. | ||
Zeile 1862: | Zeile 1978: | ||
+ | + | ||
+ | + | ||
- | + | ||
- | + | ||
- | + | ||
- | @@ -473,20 +474,20 @@ | + | @@ -473,20 +489,20 @@ |
# If your SMTP server requires authentication, | # If your SMTP server requires authentication, | ||
# smtp_pass variables should be used | # smtp_pass variables should be used | ||
Zeile 1892: | Zeile 2008: | ||
+ | + | ||
+ | + | ||
- | + | + | + |
+ | + | ||
+ | + | ||
+ | + | ||
+ | + | ||
- | + | ||
- | + | ||
# password_providers: | # password_providers: | ||
</ | </ | ||
+ | < | ||
+ | |||
+ | version: 1 | ||
+ | |||
+ | formatters: | ||
+ | precise: | ||
+ | | ||
+ | |||
+ | filters: | ||
+ | context: | ||
+ | (): synapse.util.logcontext.LoggingContextFilter | ||
+ | request: "" | ||
+ | |||
+ | handlers: | ||
+ | file: | ||
+ | class: logging.handlers.RotatingFileHandler | ||
+ | formatter: precise | ||
+ | filename: / | ||
+ | maxBytes: 104857600 | ||
+ | backupCount: | ||
+ | filters: [context] | ||
+ | console: | ||
+ | class: logging.StreamHandler | ||
+ | formatter: precise | ||
+ | filters: [context] | ||
+ | |||
+ | loggers: | ||
+ | synapse: | ||
+ | level: INFO | ||
+ | |||
+ | synapse.storage.SQL: | ||
+ | # beware: increasing this to DEBUG will make synapse log sensitive | ||
+ | # information such as access tokens. | ||
+ | level: INFO | ||
+ | |||
+ | root: | ||
+ | level: INFO | ||
+ | handlers: [file] | ||
+ | # handlers: [file, console] | ||
+ | </ | ||
< | < | ||
[Unit] | [Unit] | ||
Zeile 1942: | Zeile 2098: | ||
</ | </ | ||
- | === Matrix IRC Bridge === | + | ==== Matrix IRC Bridge |
* curl -sL https:// | * curl -sL https:// | ||
Zeile 2324: | Zeile 2480: | ||
* systemctl start matrix-irc-bridge.service | * systemctl start matrix-irc-bridge.service | ||
- | === Upgrade zu Postgres === | + | ==== Upgrade zu Postgres |
* wget -q https:// | * wget -q https:// | ||
* echo deb http:// | * echo deb http:// | ||
Zeile 2365: | Zeile 2521: | ||
* service synapse start | * service synapse start | ||
- | === Externe Synapse Dokumentation === | + | |
+ | Es wurde https:// | ||
+ | |||
+ | ==== Externe Synapse Dokumentation | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
- | ==== users.bytespeicher.org ==== | + | ===== users.bytespeicher.org |
< | < | ||
Zeile 2392: | Zeile 2551: | ||
</ | </ | ||
- | ===== Datensicherung ===== | + | ====== Datensicherung |
Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user: | Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user: | ||
Zeile 2518: | Zeile 2677: | ||
30 2 * * * | 30 2 * * * | ||
</ | </ | ||
+ | |||
+ | ====== Postfächer und Forward-Konten ====== | ||
+ | |||
+ | Als Mailserver wird Postfix eingesetzt. | ||
+ | Aliase für Forwarding-Postfächer werden in der Datei ''/ | ||
+ | |||
+ | [mehr Dokumentation nötig…] | ||
+ | |||
+ | |||
+ | ===== Postfach anlegen ==== | ||
+ | |||
+ | mit '' | ||
+ | |||
+ | Passwort-Hash mit FQDN-Mail in / | ||
+ | |||
+ | |||
+ | in den mail-ordner Wechsel und Postfach-Ordner anlegen und Besitzer sowie Rechte anpassen | ||
+ | |||
+ | |||
+ | '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | '' | ||
+ | |||
+ | |||
+ | |||
+ |