diff --git a/4get/0.png b/4get/0.png new file mode 100644 index 0000000..b85f972 Binary files /dev/null and b/4get/0.png differ diff --git a/4get/1.png b/4get/1.png new file mode 100644 index 0000000..470a9d9 Binary files /dev/null and b/4get/1.png differ diff --git a/4get/index.md b/4get/index.md new file mode 100644 index 0000000..c1596f0 --- /dev/null +++ b/4get/index.md 
@@ -0,0 +1,129 @@ +# 4get Setup + +![](0.png) + +In this tutorial we'll setup 4get, a privacy front-end to browse the web: + +## **Initial Setup** + +Clone the repository and edit the docker-compose file before running it: + + + [ Datura ] [ /dev/pts/8 ] [/srv] + → apt install nginx docker.io docker-compose + + [ Datura ] [ /dev/pts/8 ] [/srv] + → git clone https://git.lolcat.ca/lolcat/4get + Cloning into '4get'... + remote: Enumerating objects: 772, done. + remote: Counting objects: 100% (772/772), done. + remote: Compressing objects: 100% (639/639), done. + remote: Total 772 (delta 410), reused 275 (delta 117), pack-reused 0 + Receiving objects: 100% (772/772), 2.19 MiB | 22.00 MiB/s, done. + Resolving deltas: 100% (410/410), done. + + [ Datura ] [ /dev/pts/8 ] [/srv] + → cd 4get + + [ Datura ] [ /dev/pts/8 ] [/srv/4get] + → vim docker-compose.yaml + + [ Datura ] [ /dev/pts/8 ] [/srv/4get] + → vim ../invidious/docker-compose.yml + + [ Datura ] [ /dev/pts/8 ] [/srv/4get] + → vim docker-compose.yaml + + [ Datura ] [ /dev/pts/8 ] [/srv/4get] + → cat docker-compose.yaml + version: "3.7" + + services: + fourget: + image: luuul/4get:latest + restart: always + environment: + - FOURGET_SERVER_NAME=4get.nowhere.moe + - FOURGET_SERVER_ADMIN_EMAIL="you@example.com" + + ports: + - "127.0.0.1:8080:80" + #- "127.0.0.1:4443:443" + + volumes: + #- /root/.acme.sh/4get.nowhere.moe/:/etc/4get/certs + - ./banners:/var/www/html/4get/banner + - ./captchas:/var/www/html/4get/data/captcha + + [ Datura ] [ /dev/pts/8 ] [/srv/4get] + → docker-compose up -d + + + + +Then use the following nginx configuration : + + + [ Datura ] [ /dev/pts/9 ] [~] + → vim /etc/nginx/sites-available/4get.nowhere.moe.conf + + [ Datura ] [ /dev/pts/9 ] [~] + → cat /etc/nginx/sites-available/4get.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name 4get.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + + 
######## TOR CHANGES ######## + #listen 4443; + #listen [::]:4443; + #server_name 4get.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://4get.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ######## + + server_name 4get.nowhere.moe; + + access_log off; + error_log /var/log/nginx/error.log crit; + + ssl_certificate /root/.acme.sh/4get.nowhere.moe/fullchain.cer; + ssl_certificate_key /root/.acme.sh/4get.nowhere.moe/4get.nowhere.moe.key; + + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; # so Invidious knows domain + proxy_http_version 1.1; # to keep alive + proxy_set_header Connection ""; # to keep alive + } + + if ($https = '') { return 301 https://$host$request_uri; } # if not connected to HTTPS, perma-redirect to HTTPS + } + + + [ Datura ] [ /dev/pts/9 ] [~] + → systemctl stop nginx ; acme.sh --issue --standalone -d 4get.nowhere.moe -k 4096 ; systemctl start nginx + + + [ Datura ] [ /dev/pts/9 ] [~] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ Datura ] [ /dev/pts/9 ] [~] + → nginx -s reload + + + +Then simply browse to the URL: + +![](1.png) + diff --git a/Gitea/1.png b/Gitea/1.png new file mode 100644 index 0000000..50b96f8 Binary files /dev/null and b/Gitea/1.png differ diff --git a/Gitea/10.png b/Gitea/10.png new file mode 100644 index 0000000..a9b8c38 Binary files /dev/null and b/Gitea/10.png differ diff --git a/Gitea/11.png b/Gitea/11.png new file mode 100644 index 0000000..825fd12 Binary files /dev/null and b/Gitea/11.png differ diff --git a/Gitea/2.png b/Gitea/2.png new file mode 100644 index 0000000..315df60 Binary files /dev/null and b/Gitea/2.png differ 
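Review bot: The `if ($https = '') { return 301 https://$host$request_uri; }` line inside the 443 server block is dead code while that block only has `listen 443 ssl` entries, and if the commented `listen 4443;` Tor lines are ever uncommented it would bounce onion visitors (who arrive without TLS) to an `https://` URL on the .onion that has no certificate, so it should be removed; plain-HTTP redirection is already handled by the first server block. The compose file pulls `luuul/4get:latest` with `restart: always`, so the container silently becomes whatever the tag points to on the next pull, and the usual supply-chain caveat is to pin a version tag or image digest. The quotes in `- FOURGET_SERVER_ADMIN_EMAIL="you@example.com"` become part of the value in YAML list-form environment entries, so either drop them or use the `KEY: value` map form. The comment `# so Invidious knows domain` looks copied from the Invidious config and should read `# so 4get sees the requested host`.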
diff --git a/Gitea/3.png b/Gitea/3.png new file mode 100644 index 0000000..5a7d23b Binary files /dev/null and b/Gitea/3.png differ diff --git a/Gitea/4.png b/Gitea/4.png new file mode 100644 index 0000000..711793d Binary files /dev/null and b/Gitea/4.png differ diff --git a/Gitea/5.png b/Gitea/5.png new file mode 100644 index 0000000..3a75f4f Binary files /dev/null and b/Gitea/5.png differ diff --git a/Gitea/6.png b/Gitea/6.png new file mode 100644 index 0000000..af22c00 Binary files /dev/null and b/Gitea/6.png differ diff --git a/Gitea/7.png b/Gitea/7.png new file mode 100644 index 0000000..85abede Binary files /dev/null and b/Gitea/7.png differ diff --git a/Gitea/8.png b/Gitea/8.png new file mode 100644 index 0000000..89dfb89 Binary files /dev/null and b/Gitea/8.png differ diff --git a/Gitea/9.png b/Gitea/9.png new file mode 100644 index 0000000..8164c78 Binary files /dev/null and b/Gitea/9.png differ diff --git a/Gitea/Logo.png b/Gitea/Logo.png new file mode 100644 index 0000000..472f944 Binary files /dev/null and b/Gitea/Logo.png differ diff --git a/Gitea/index.md b/Gitea/index.md new file mode 100644 index 0000000..b1a7ffd --- /dev/null +++ b/Gitea/index.md 
@@ -0,0 +1,286 @@ +# Gitea Setup (nginx, postgresql, debian10) + +![](Logo.png) + +Before we start, you will need a Debian 10 VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +## **Initial Setup** + + + adduser --system --shell /bin/bash --group --disabled-password --home /home/git git + wget -O /usr/local/bin/gitea https://dl.gitea.io/gitea/1.12.5/gitea-1.12.5-linux-amd64 + chmod +x /usr/local/bin/gitea + ./gitea + + mkdir -p /var/lib/gitea/{custom,data,indexers,public,log} + chown git:git /var/lib/gitea/{data,indexers,log} + chmod 750 /var/lib/gitea/{data,indexers,log} + mkdir /etc/gitea + chown root:git /etc/gitea + chmod 770 /etc/gitea + + wget https://raw.githubusercontent.com/go-gitea/gitea/master/contrib/systemd/gitea.service + nano gitea.service + + + +Now in nano, you need to add the **After=postgresql.service** line, once that's done, hit CTRL+S to save, and CTRL+X to exit. 
+ +![](1.png) + + + cp gitea.service /etc/systemd/system/ + systemctl enable gitea + + + +Next we'll setup postgresql: + + + apt-get -y install apt-transport-https lsb-release ca-certificates curl gnupg -y + sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' + wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - + + apt update -y + apt install postgresql-13 -y + + su -c "psql" - postgres + CREATE ROLE gitea WITH LOGIN PASSWORD 'gitea'; + CREATE DATABASE giteadb WITH OWNER gitea TEMPLATE template0 ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8'; + exit + + +Next we'll configure Nginx: + + + apt install nginx -y + + + +Here we're going to use [DuckDNS](https://www.duckdns.org/) because it is a free way to get a domain name, but if you have your own paid domain name, you can use it too. + +![](3.png) ![](2.png) + +Once that's done, we will setup acme.sh to get a free letsencrypt certificate: + + + apt install socat -y + wget -O - https://get.acme.sh | sh + source ~/.bashrc + systemctl stop nginx + acme.sh --issue --standalone -d ech2.duckdns.org -k 4096 + systemctl start nginx + + + +![](4.png) + +Once this is done, download the nginx configuration for gitea: + + + wget https://blog.nowhere.moe/servers/Gitea/gitea.conf -O /etc/nginx/sites-enabled/gitea.conf + nano /etc/nginx/sites-enabled/gitea.conf + cat /etc/nginx/sites-enabled/gitea.conf + + #if you're doing a gitea setup behind a reverse nginx proxy, it would look like so: + server { + listen 80; + listen [::]:80; + server_name git.nowhere.moe; + + location / { + client_max_body_size 1000m; + proxy_pass http://localhost:3000; + } + + + proxy_set_header X-Real-IP $remote_addr; + client_max_body_size 5000m; + } + + # and then on the main reverse nginx proxy you would edit the ssl certificates: + + +![](5.png) + +Once you're done editing your domain name inside the config, hit CTRL+S to save, and 
CTRL+X to exit nano and reload nginx: + + + nginx -t + nginx -s reload + apt install git + systemctl start postgresql gitea + + + +Once that's done simply browse to your website and set it up after clicking the "register button": + +![](6.png) ![](7.png) + +Here in this example i intend to use gitea for my own use, but if you want to have multiple users here, you can untick "disable self registration", If it is for only one user, tick it and create the administrator user at the bottom of the page: + +![](8.png) + +Once that's done, hit "install gitea" and then we go back into the ssh root shell to change the directories permissions: + + + chmod 750 /etc/gitea + chmod 644 /etc/gitea/app.ini + + + +![](9.png) + +And there you have it! + +## **Creating your first gitea repository** + +Just like in github, click the "+" at the top right corner: + +![](10.png) + +From here you can clone the repository on your local machine: + + + [ 192.168.100.1/24 ] [ /dev/pts/10 ] [~/Documents/Github] + → git clone https://ech2.duckdns.org/nothing/mycoolrepo + + + +Use the administrator's gitea credentials to clone the repository if you set it to private, and you're done! You can now start editing your self-hosted repository. + +To customise the default gitea theme you can do the following, it comes up with arc-green as an alternative dark theme out of the box, or you can just use your own: + + + echo '[ui]' >> /etc/gitea/app.ini + echo 'THEMES = gitea,arc-green,lain' >> /etc/gitea/app.ini + echo 'DEFAULT_THEME = lain' >> /etc/gitea/app.ini # put 'arc-green' there instead for the default dark theme + + cd /var/lib/gitea/custom + git clone https://git.void.yt/nothing/gitea-lain-template . 
+ + + chown git:git /var/lib/gitea/{data,indexers,log} + chmod 750 /var/lib/gitea/{data,indexers,log} + + chown root:git /etc/gitea + chmod 770 /etc/gitea + + chmod 750 /etc/gitea + chmod 644 /etc/gitea/app.ini + + systemctl restart postgresql gitea + + + +To automatically update gitea: + + + root@gitea:~# apt install python3-pip + root@gitea:~# apt install mlocate -y ; updatedb ; locate settings.ini + root@gitea:~# pip3 install gitea-auto-update + + root@gitea:/etc/gitea# vim settings.ini + root@gitea:/etc/gitea# cat settings.ini + [Gitea] + site=https://git.nowhere.moe/api/v1/version + apiUrl=https://api.github.com/repos/go-gitea/gitea/releases/latest + system=linux-amd64 + file=/usr/local/bin/gitea + tmpDir=/tmp/ + buildFromSource= + sourceDir= + logFile=update.log + root@gitea:/etc/gitea# gitea-auto-update --settings=/etc/gitea/settings.ini + update successfully + root@gitea:/etc/gitea# crontab -e + + # m h dom mon dow command + 0 0 * * * /usr/local/bin/gitea-auto-update --settings=/etc/gitea/settings.ini + + :wq + + + +With this setup, gitea will upgrade itself everyday at midnight. Here is my final **/etc/gitea/app.ini** file: + + + APP_NAME = Nihilism Gitea: Git with a cup of tea + RUN_USER = git + RUN_MODE = prod + + [oauth2] + JWT_SECRET = dasljdashdaslhdas + + [security] + INTERNAL_TOKEN = daojpoawdjpoaj + INSTALL_LOCK = true + SECRET_KEY = dapijpsadpdsajpodasj + + [database] + DB_TYPE = postgres + HOST = 127.0.0.1:5432 + NAME = giteadb + USER = kljdhaslhjkdas + PASSWD = jahsdhdshjsadl + SCHEMA = + SSL_MODE = disable + CHARSET = utf8 + PATH = /var/lib/gitea/data/gitea.db + + [repository] + ROOT = /home/git/gitea-repositories + + [repository.upload] + ; Max number of files per upload. 
Defaults to 5 + MAX_FILES = 500000000000 + + [server] + SSH_DOMAIN = localhost + DOMAIN = git.nowhere.moe + HTTP_ADDR = 127.0.0.1 + HTTP_PORT = 3000 + ROOT_URL = https://git.nowhere.moe/ + DISABLE_SSH = false + SSH_PORT = 22 + LFS_START_SERVER = true + LFS_CONTENT_PATH = /var/lib/gitea/data/lfs + LFS_JWT_SECRET = aidsjisajdlasjildsa + OFFLINE_MODE = true + + [mailer] + ENABLED = false + + [service] + REGISTER_EMAIL_CONFIRM = false + ENABLE_NOTIFY_MAIL = false + DISABLE_REGISTRATION = false + ALLOW_ONLY_EXTERNAL_REGISTRATION = false + ENABLE_CAPTCHA = false + REQUIRE_SIGNIN_VIEW = true + DEFAULT_KEEP_EMAIL_PRIVATE = true + DEFAULT_ALLOW_CREATE_ORGANIZATION = true + DEFAULT_ENABLE_TIMETRACKING = true + NO_REPLY_ADDRESS = noreply.nowhere.moe + + [picture] + DISABLE_GRAVATAR = true + ENABLE_FEDERATED_AVATAR = false + + [openid] + ENABLE_OPENID_SIGNIN = true + ENABLE_OPENID_SIGNUP = false + + [session] + PROVIDER = file + + [log] + MODE = file + LEVEL = info + ROOT_PATH = /var/lib/gitea/log + + [ui] + THEMES = gitea,arc-green + DEFAULT_THEME = arc-green + + diff --git a/PCIPASSTHROUGH/0.png b/PCIPASSTHROUGH/0.png new file mode 100644 index 0000000..696f713 Binary files /dev/null and b/PCIPASSTHROUGH/0.png differ diff --git a/PCIPASSTHROUGH/1.png b/PCIPASSTHROUGH/1.png new file mode 100644 index 0000000..a0b6b59 Binary files /dev/null and b/PCIPASSTHROUGH/1.png differ diff --git a/PCIPASSTHROUGH/10.png b/PCIPASSTHROUGH/10.png new file mode 100644 index 0000000..8b402e8 Binary files /dev/null and b/PCIPASSTHROUGH/10.png differ diff --git a/PCIPASSTHROUGH/11.png b/PCIPASSTHROUGH/11.png new file mode 100644 index 0000000..12dc128 Binary files /dev/null and b/PCIPASSTHROUGH/11.png differ diff --git a/PCIPASSTHROUGH/12.png b/PCIPASSTHROUGH/12.png new file mode 100644 index 0000000..81c7ffe Binary files /dev/null and b/PCIPASSTHROUGH/12.png differ 
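Review bot: `chmod 644 /etc/gitea/app.ini` (given twice, after install and again in the theme section) leaves a file that holds `SECRET_KEY`, `INTERNAL_TOKEN`, `JWT_SECRET`, `LFS_JWT_SECRET` and the database password readable by every local account; the run user only needs read access, so the post-install step should be `chown root:git /etc/gitea/app.ini` and `chmod 640 /etc/gitea/app.ini`. The pasted final app.ini should carry a one-line warning that the secret values shown and the `gitea`/`gitea` role password from the `CREATE ROLE` step are examples to regenerate (Gitea's `generate secret` subcommand does this), since readers copy such files verbatim. The prose says a single-user install should tick "disable self registration", but the final config shows `DISABLE_REGISTRATION = false` with `ENABLE_CAPTCHA = false` and `REGISTER_EMAIL_CONFIRM = false`, which is open registration, so one of the two should be corrected. The root cron job replaces `/usr/local/bin/gitea` every night from a GitHub release with no checksum or signature check, and the guide also runs `wget -O - https://get.acme.sh | sh` as root; both deserve a short caveat for readers running this on a host they care about.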
diff --git a/PCIPASSTHROUGH/13.png b/PCIPASSTHROUGH/13.png new file mode 100644 index 0000000..744fcd4 Binary files /dev/null and b/PCIPASSTHROUGH/13.png differ diff --git a/PCIPASSTHROUGH/14.png b/PCIPASSTHROUGH/14.png new file mode 100644 index 0000000..e5420dd Binary files /dev/null and b/PCIPASSTHROUGH/14.png differ diff --git a/PCIPASSTHROUGH/15.png b/PCIPASSTHROUGH/15.png new file mode 100644 index 0000000..b339de6 Binary files /dev/null and b/PCIPASSTHROUGH/15.png differ diff --git a/PCIPASSTHROUGH/16.png b/PCIPASSTHROUGH/16.png new file mode 100644 index 0000000..a9a8401 Binary files /dev/null and b/PCIPASSTHROUGH/16.png differ diff --git a/PCIPASSTHROUGH/17.png b/PCIPASSTHROUGH/17.png new file mode 100644 index 0000000..e0c6db3 Binary files /dev/null and b/PCIPASSTHROUGH/17.png differ diff --git a/PCIPASSTHROUGH/18.png b/PCIPASSTHROUGH/18.png new file mode 100644 index 0000000..54a47c1 Binary files /dev/null and b/PCIPASSTHROUGH/18.png differ diff --git a/PCIPASSTHROUGH/19.png b/PCIPASSTHROUGH/19.png new file mode 100644 index 0000000..2054b75 Binary files /dev/null and b/PCIPASSTHROUGH/19.png differ diff --git a/PCIPASSTHROUGH/2.png b/PCIPASSTHROUGH/2.png new file mode 100644 index 0000000..b30a88a Binary files /dev/null and b/PCIPASSTHROUGH/2.png differ diff --git a/PCIPASSTHROUGH/20.png b/PCIPASSTHROUGH/20.png new file mode 100644 index 0000000..6153467 Binary files /dev/null and b/PCIPASSTHROUGH/20.png differ diff --git a/PCIPASSTHROUGH/21.png b/PCIPASSTHROUGH/21.png new file mode 100644 index 0000000..e780155 Binary files /dev/null and b/PCIPASSTHROUGH/21.png differ diff --git a/PCIPASSTHROUGH/22.png b/PCIPASSTHROUGH/22.png new file mode 100644 index 0000000..e3ca043 Binary files /dev/null and b/PCIPASSTHROUGH/22.png differ diff --git a/PCIPASSTHROUGH/23.png b/PCIPASSTHROUGH/23.png new file mode 100644 index 0000000..2490743 Binary files /dev/null and b/PCIPASSTHROUGH/23.png differ 
diff --git a/PCIPASSTHROUGH/24.png b/PCIPASSTHROUGH/24.png new file mode 100644 index 0000000..a7a9570 Binary files /dev/null and b/PCIPASSTHROUGH/24.png differ diff --git a/PCIPASSTHROUGH/25.png b/PCIPASSTHROUGH/25.png new file mode 100644 index 0000000..e54c067 Binary files /dev/null and b/PCIPASSTHROUGH/25.png differ diff --git a/PCIPASSTHROUGH/26.png b/PCIPASSTHROUGH/26.png new file mode 100644 index 0000000..cd43609 Binary files /dev/null and b/PCIPASSTHROUGH/26.png differ diff --git a/PCIPASSTHROUGH/27.png b/PCIPASSTHROUGH/27.png new file mode 100644 index 0000000..10cacff Binary files /dev/null and b/PCIPASSTHROUGH/27.png differ diff --git a/PCIPASSTHROUGH/28.png b/PCIPASSTHROUGH/28.png new file mode 100644 index 0000000..9804bdf Binary files /dev/null and b/PCIPASSTHROUGH/28.png differ diff --git a/PCIPASSTHROUGH/29.png b/PCIPASSTHROUGH/29.png new file mode 100644 index 0000000..269ccdd Binary files /dev/null and b/PCIPASSTHROUGH/29.png differ diff --git a/PCIPASSTHROUGH/3.png b/PCIPASSTHROUGH/3.png new file mode 100644 index 0000000..fff194e Binary files /dev/null and b/PCIPASSTHROUGH/3.png differ diff --git a/PCIPASSTHROUGH/30.png b/PCIPASSTHROUGH/30.png new file mode 100644 index 0000000..e3a6723 Binary files /dev/null and b/PCIPASSTHROUGH/30.png differ diff --git a/PCIPASSTHROUGH/31.png b/PCIPASSTHROUGH/31.png new file mode 100644 index 0000000..37e1062 Binary files /dev/null and b/PCIPASSTHROUGH/31.png differ diff --git a/PCIPASSTHROUGH/32.png b/PCIPASSTHROUGH/32.png new file mode 100644 index 0000000..2a1bce7 Binary files /dev/null and b/PCIPASSTHROUGH/32.png differ diff --git a/PCIPASSTHROUGH/33.png b/PCIPASSTHROUGH/33.png new file mode 100644 index 0000000..51d7a2e Binary files /dev/null and b/PCIPASSTHROUGH/33.png differ diff --git a/PCIPASSTHROUGH/34.png b/PCIPASSTHROUGH/34.png new file mode 100644 index 0000000..dbab17e Binary files /dev/null and b/PCIPASSTHROUGH/34.png differ 
diff --git a/PCIPASSTHROUGH/35.png b/PCIPASSTHROUGH/35.png new file mode 100644 index 0000000..e01d05d Binary files /dev/null and b/PCIPASSTHROUGH/35.png differ diff --git a/PCIPASSTHROUGH/36png.png b/PCIPASSTHROUGH/36png.png new file mode 100644 index 0000000..924c2aa Binary files /dev/null and b/PCIPASSTHROUGH/36png.png differ diff --git a/PCIPASSTHROUGH/37.png b/PCIPASSTHROUGH/37.png new file mode 100644 index 0000000..ff25255 Binary files /dev/null and b/PCIPASSTHROUGH/37.png differ diff --git a/PCIPASSTHROUGH/38.png b/PCIPASSTHROUGH/38.png new file mode 100644 index 0000000..cc65ad9 Binary files /dev/null and b/PCIPASSTHROUGH/38.png differ diff --git a/PCIPASSTHROUGH/39.png b/PCIPASSTHROUGH/39.png new file mode 100644 index 0000000..6368760 Binary files /dev/null and b/PCIPASSTHROUGH/39.png differ diff --git a/PCIPASSTHROUGH/4.png b/PCIPASSTHROUGH/4.png new file mode 100644 index 0000000..c2faf2a Binary files /dev/null and b/PCIPASSTHROUGH/4.png differ diff --git a/PCIPASSTHROUGH/42.png b/PCIPASSTHROUGH/42.png new file mode 100644 index 0000000..9e05564 Binary files /dev/null and b/PCIPASSTHROUGH/42.png differ diff --git a/PCIPASSTHROUGH/43.png b/PCIPASSTHROUGH/43.png new file mode 100644 index 0000000..236ca10 Binary files /dev/null and b/PCIPASSTHROUGH/43.png differ diff --git a/PCIPASSTHROUGH/44.png b/PCIPASSTHROUGH/44.png new file mode 100644 index 0000000..5850622 Binary files /dev/null and b/PCIPASSTHROUGH/44.png differ diff --git a/PCIPASSTHROUGH/45.png b/PCIPASSTHROUGH/45.png new file mode 100644 index 0000000..ed6e195 Binary files /dev/null and b/PCIPASSTHROUGH/45.png differ diff --git a/PCIPASSTHROUGH/46.png b/PCIPASSTHROUGH/46.png new file mode 100644 index 0000000..0586b32 Binary files /dev/null and b/PCIPASSTHROUGH/46.png differ diff --git a/PCIPASSTHROUGH/47.png b/PCIPASSTHROUGH/47.png new file mode 100644 index 0000000..1bde497 Binary files /dev/null and b/PCIPASSTHROUGH/47.png differ 
diff --git a/PCIPASSTHROUGH/48.png b/PCIPASSTHROUGH/48.png new file mode 100644 index 0000000..b04a82b Binary files /dev/null and b/PCIPASSTHROUGH/48.png differ diff --git a/PCIPASSTHROUGH/49.png b/PCIPASSTHROUGH/49.png new file mode 100644 index 0000000..a0cd20b Binary files /dev/null and b/PCIPASSTHROUGH/49.png differ diff --git a/PCIPASSTHROUGH/5.png b/PCIPASSTHROUGH/5.png new file mode 100644 index 0000000..31b1184 Binary files /dev/null and b/PCIPASSTHROUGH/5.png differ diff --git a/PCIPASSTHROUGH/50.png b/PCIPASSTHROUGH/50.png new file mode 100644 index 0000000..0a578a3 Binary files /dev/null and b/PCIPASSTHROUGH/50.png differ diff --git a/PCIPASSTHROUGH/51.png b/PCIPASSTHROUGH/51.png new file mode 100644 index 0000000..4782e71 Binary files /dev/null and b/PCIPASSTHROUGH/51.png differ diff --git a/PCIPASSTHROUGH/52.png b/PCIPASSTHROUGH/52.png new file mode 100644 index 0000000..fcb4d1d Binary files /dev/null and b/PCIPASSTHROUGH/52.png differ diff --git a/PCIPASSTHROUGH/53.png b/PCIPASSTHROUGH/53.png new file mode 100644 index 0000000..90b85d5 Binary files /dev/null and b/PCIPASSTHROUGH/53.png differ diff --git a/PCIPASSTHROUGH/54.png b/PCIPASSTHROUGH/54.png new file mode 100644 index 0000000..b7d20a8 Binary files /dev/null and b/PCIPASSTHROUGH/54.png differ diff --git a/PCIPASSTHROUGH/55.png b/PCIPASSTHROUGH/55.png new file mode 100644 index 0000000..1c9b12f Binary files /dev/null and b/PCIPASSTHROUGH/55.png differ diff --git a/PCIPASSTHROUGH/56.png b/PCIPASSTHROUGH/56.png new file mode 100644 index 0000000..f3053d1 Binary files /dev/null and b/PCIPASSTHROUGH/56.png differ diff --git a/PCIPASSTHROUGH/57.png b/PCIPASSTHROUGH/57.png new file mode 100644 index 0000000..cbcb7c8 Binary files /dev/null and b/PCIPASSTHROUGH/57.png differ diff --git a/PCIPASSTHROUGH/58.png b/PCIPASSTHROUGH/58.png new file mode 100644 index 0000000..3d2b4ee Binary files /dev/null and b/PCIPASSTHROUGH/58.png differ 
diff --git a/PCIPASSTHROUGH/59.png b/PCIPASSTHROUGH/59.png new file mode 100644 index 0000000..11c0b93 Binary files /dev/null and b/PCIPASSTHROUGH/59.png differ diff --git a/PCIPASSTHROUGH/6.png b/PCIPASSTHROUGH/6.png new file mode 100644 index 0000000..edb084c Binary files /dev/null and b/PCIPASSTHROUGH/6.png differ diff --git a/PCIPASSTHROUGH/60.png b/PCIPASSTHROUGH/60.png new file mode 100644 index 0000000..561f3a2 Binary files /dev/null and b/PCIPASSTHROUGH/60.png differ diff --git a/PCIPASSTHROUGH/61.png b/PCIPASSTHROUGH/61.png new file mode 100644 index 0000000..058aa5b Binary files /dev/null and b/PCIPASSTHROUGH/61.png differ diff --git a/PCIPASSTHROUGH/62.png b/PCIPASSTHROUGH/62.png new file mode 100644 index 0000000..ce8c730 Binary files /dev/null and b/PCIPASSTHROUGH/62.png differ diff --git a/PCIPASSTHROUGH/63.png b/PCIPASSTHROUGH/63.png new file mode 100644 index 0000000..502ec4c Binary files /dev/null and b/PCIPASSTHROUGH/63.png differ diff --git a/PCIPASSTHROUGH/64.png b/PCIPASSTHROUGH/64.png new file mode 100644 index 0000000..ee92eed Binary files /dev/null and b/PCIPASSTHROUGH/64.png differ diff --git a/PCIPASSTHROUGH/65.png b/PCIPASSTHROUGH/65.png new file mode 100644 index 0000000..c7debe3 Binary files /dev/null and b/PCIPASSTHROUGH/65.png differ diff --git a/PCIPASSTHROUGH/66.png b/PCIPASSTHROUGH/66.png new file mode 100644 index 0000000..ebf0f0b Binary files /dev/null and b/PCIPASSTHROUGH/66.png differ diff --git a/PCIPASSTHROUGH/67.png b/PCIPASSTHROUGH/67.png new file mode 100644 index 0000000..cf3ba1b Binary files /dev/null and b/PCIPASSTHROUGH/67.png differ diff --git a/PCIPASSTHROUGH/68.png b/PCIPASSTHROUGH/68.png new file mode 100644 index 0000000..0441f51 Binary files /dev/null and b/PCIPASSTHROUGH/68.png differ diff --git a/PCIPASSTHROUGH/69.png b/PCIPASSTHROUGH/69.png new file mode 100644 index 0000000..c04d810 Binary files /dev/null and b/PCIPASSTHROUGH/69.png differ 
diff --git a/PCIPASSTHROUGH/7.png b/PCIPASSTHROUGH/7.png new file mode 100644 index 0000000..d6ee627 Binary files /dev/null and b/PCIPASSTHROUGH/7.png differ diff --git a/PCIPASSTHROUGH/70.png b/PCIPASSTHROUGH/70.png new file mode 100644 index 0000000..3614619 Binary files /dev/null and b/PCIPASSTHROUGH/70.png differ diff --git a/PCIPASSTHROUGH/71.png b/PCIPASSTHROUGH/71.png new file mode 100644 index 0000000..bc2b720 Binary files /dev/null and b/PCIPASSTHROUGH/71.png differ diff --git a/PCIPASSTHROUGH/72.png b/PCIPASSTHROUGH/72.png new file mode 100644 index 0000000..6230436 Binary files /dev/null and b/PCIPASSTHROUGH/72.png differ diff --git a/PCIPASSTHROUGH/73.png b/PCIPASSTHROUGH/73.png new file mode 100644 index 0000000..3465f5f Binary files /dev/null and b/PCIPASSTHROUGH/73.png differ diff --git a/PCIPASSTHROUGH/74.png b/PCIPASSTHROUGH/74.png new file mode 100644 index 0000000..5314201 Binary files /dev/null and b/PCIPASSTHROUGH/74.png differ diff --git a/PCIPASSTHROUGH/75.png b/PCIPASSTHROUGH/75.png new file mode 100644 index 0000000..c11c573 Binary files /dev/null and b/PCIPASSTHROUGH/75.png differ diff --git a/PCIPASSTHROUGH/76.png b/PCIPASSTHROUGH/76.png new file mode 100644 index 0000000..15c8bb3 Binary files /dev/null and b/PCIPASSTHROUGH/76.png differ diff --git a/PCIPASSTHROUGH/77.png b/PCIPASSTHROUGH/77.png new file mode 100644 index 0000000..4b32b26 Binary files /dev/null and b/PCIPASSTHROUGH/77.png differ diff --git a/PCIPASSTHROUGH/8.png b/PCIPASSTHROUGH/8.png new file mode 100644 index 0000000..66f4a53 Binary files /dev/null and b/PCIPASSTHROUGH/8.png differ diff --git a/PCIPASSTHROUGH/80.png b/PCIPASSTHROUGH/80.png new file mode 100644 index 0000000..e9ec5a8 Binary files /dev/null and b/PCIPASSTHROUGH/80.png differ diff --git a/PCIPASSTHROUGH/81.png b/PCIPASSTHROUGH/81.png new file mode 100644 index 0000000..a6e081e Binary files /dev/null and b/PCIPASSTHROUGH/81.png differ 
diff --git a/PCIPASSTHROUGH/82.png b/PCIPASSTHROUGH/82.png new file mode 100644 index 0000000..29a62d1 Binary files /dev/null and b/PCIPASSTHROUGH/82.png differ diff --git a/PCIPASSTHROUGH/83.png b/PCIPASSTHROUGH/83.png new file mode 100644 index 0000000..26d4c30 Binary files /dev/null and b/PCIPASSTHROUGH/83.png differ diff --git a/PCIPASSTHROUGH/84.png b/PCIPASSTHROUGH/84.png new file mode 100644 index 0000000..55c93ab Binary files /dev/null and b/PCIPASSTHROUGH/84.png differ diff --git a/PCIPASSTHROUGH/85.png b/PCIPASSTHROUGH/85.png new file mode 100644 index 0000000..71eb9af Binary files /dev/null and b/PCIPASSTHROUGH/85.png differ diff --git a/PCIPASSTHROUGH/86.png b/PCIPASSTHROUGH/86.png new file mode 100644 index 0000000..12e7bc3 Binary files /dev/null and b/PCIPASSTHROUGH/86.png differ diff --git a/PCIPASSTHROUGH/87.png b/PCIPASSTHROUGH/87.png new file mode 100644 index 0000000..1cb677c Binary files /dev/null and b/PCIPASSTHROUGH/87.png differ diff --git a/PCIPASSTHROUGH/88.png b/PCIPASSTHROUGH/88.png new file mode 100644 index 0000000..f0d1fd2 Binary files /dev/null and b/PCIPASSTHROUGH/88.png differ diff --git a/PCIPASSTHROUGH/89.png b/PCIPASSTHROUGH/89.png new file mode 100644 index 0000000..893f2d7 Binary files /dev/null and b/PCIPASSTHROUGH/89.png differ diff --git a/PCIPASSTHROUGH/9.png b/PCIPASSTHROUGH/9.png new file mode 100644 index 0000000..b584756 Binary files /dev/null and b/PCIPASSTHROUGH/9.png differ diff --git a/PCIPASSTHROUGH/90.png b/PCIPASSTHROUGH/90.png new file mode 100644 index 0000000..456d744 Binary files /dev/null and b/PCIPASSTHROUGH/90.png differ diff --git a/RustDesk/0.png b/RustDesk/0.png new file mode 100644 index 0000000..c8dcbf5 Binary files /dev/null and b/RustDesk/0.png differ diff --git a/RustDesk/1.png b/RustDesk/1.png new file mode 100644 index 0000000..07975d7 Binary files /dev/null and b/RustDesk/1.png differ 
diff --git a/RustDesk/2.png b/RustDesk/2.png new file mode 100644 index 0000000..3c176aa Binary files /dev/null and b/RustDesk/2.png differ diff --git a/RustDesk/3.png b/RustDesk/3.png new file mode 100644 index 0000000..1390493 Binary files /dev/null and b/RustDesk/3.png differ diff --git a/RustDesk/4.png b/RustDesk/4.png new file mode 100644 index 0000000..afe1c40 Binary files /dev/null and b/RustDesk/4.png differ diff --git a/RustDesk/5.png b/RustDesk/5.png new file mode 100644 index 0000000..1d5f004 Binary files /dev/null and b/RustDesk/5.png differ diff --git a/RustDesk/6.png b/RustDesk/6.png new file mode 100644 index 0000000..ca49ab2 Binary files /dev/null and b/RustDesk/6.png differ diff --git a/RustDesk/index.md b/RustDesk/index.md new file mode 100644 index 0000000..48da320 --- /dev/null +++ b/RustDesk/index.md 
@@ -0,0 +1,279 @@
+# RustDesk Setup
+
+![](0.png)
+
+Today we're going to install and configure RustDesk, an opensource alternative to TeamViewer that lets you connect remotely to an instance. This involves installing and configuring a RustDesk server that will act as a connection relay between our client and our local workstation.
+
+ ## **Initial Setup**
+
+ Please setup your firewall on your server prior to running the script. Make sure you have got access via ssh or otherwise setup prior setting up the firewall, command for UFW is:
+
+
+ ufw allow 22
+ ufw allow 21115:21119/tcp
+ ufw allow 8000/tcp
+ ufw allow 21116/udp
+ sudo ufw reload
+
+
+ Please remember to forward all the following ports, respecting the protocol used from your instance to the web
+
+
+ 21115/tcp
+ 21116/tcp
+ 21116/udp
+ 21117/tcp
+ 21118/tcp
+ 21119/tcp
+
+
+ Setup directory tree
+
+
+ sudo mkdir /opt/rustdesk
+ sudo mkdir -p /var/cache/apt/archives
+ sudo chown -R _apt: /var/cache/apt/archives
+
+
+ ## **Server Setup**
+
+ To install rustdesk, we'll use a script that will fully automate its deployment. You'll need a domain name or a static public IP address to which the rustdesk instance can be reached.
+
+
+ #Download the installation script
+ wget https://raw.githubusercontent.com/techahold/rustdeskinstall/master/install.sh
+
+ #Make it executable
+ chmod +x install.sh
+
+ #Run the script
+ ./install.sh
+
+
+ When running the script, you will be asked the following questions: First, select the option corresponding to your needs, depending on whether you want to reach your instance by its domain name or by its public IP address. Secondly, choose whether you want to install the goHTTP service to provide a web server that we can join to download the installation scripts for our clients, preconfigured to match our RustDesk server configurations.
+
+
+ root@rrd:~# ./install.sh
+ Installing prerequisites
+ Get:1 http://security.debian.org bookworm-security InRelease [48.0 kB]
+ Hit:2 http://deb.debian.org/debian bookworm InRelease
+ Get:3 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
+ Get:4 http://security.debian.org bookworm-security/main amd64 Packages [86.2 kB]
+ Get:5 http://security.debian.org bookworm-security/main Translation-en [48.8 kB]
+ Get:6 http://security.debian.org bookworm-security/contrib amd64 Packages [644 B]
+ Get:7 http://security.debian.org bookworm-security/contrib Translation-en [372 B]
+ Fetched 236 kB in 2s (120 kB/s)
+ Reading package lists... Done
+ Reading package lists... Done
+ Building dependency tree... Done
+ Reading state information... Done
+ wget is already the newest version (1.21.3-1+b2).
+ tar is already the newest version (1.34+dfsg-1.2).
+ The following additional packages will be installed:
+ libcurl4
+ Suggested packages:
+ zip
+ The following NEW packages will be installed:
+ curl dnsutils libcurl4 unzip
+ 0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
+ Need to get 1130 kB of archives.
+ After this operation, 2021 kB of additional disk space will be used.
+ Get:1 http://deb.debian.org/debian bookworm/main amd64 dnsutils all 1:9.18.19-1~deb12u1 [259 kB]
+ Get:2 http://security.debian.org bookworm-security/main amd64 libcurl4 amd64 7.88.1-10+deb12u4 [390 kB]
+ Get:3 http://security.debian.org bookworm-security/main amd64 curl amd64 7.88.1-10+deb12u4 [315 kB]
+ Get:4 http://deb.debian.org/debian bookworm/main amd64 unzip amd64 6.0-28 [166 kB]
+ Fetched 1130 kB in 0s (13.8 MB/s)
+ Selecting previously unselected package libcurl4:amd64.
+ (Reading database ... 21375 files and directories currently installed.)
+ Preparing to unpack .../libcurl4_7.88.1-10+deb12u4_amd64.deb ...
+ Unpacking libcurl4:amd64 (7.88.1-10+deb12u4) ...
+ Selecting previously unselected package curl.
+ Preparing to unpack .../curl_7.88.1-10+deb12u4_amd64.deb ...
+ Unpacking curl (7.88.1-10+deb12u4) ...
+ Selecting previously unselected package dnsutils.
+ Preparing to unpack .../dnsutils_1%3a9.18.19-1~deb12u1_all.deb ...
+ Unpacking dnsutils (1:9.18.19-1~deb12u1) ...
+ Selecting previously unselected package unzip.
+ Preparing to unpack .../unzip_6.0-28_amd64.deb ...
+ Unpacking unzip (6.0-28) ...
+ Setting up unzip (6.0-28) ...
+ Setting up dnsutils (1:9.18.19-1~deb12u1) ...
+ Setting up libcurl4:amd64 (7.88.1-10+deb12u4) ...
+ Setting up curl (7.88.1-10+deb12u4) ...
+ Processing triggers for libc-bin (2.36-9+deb12u3) ...
+ Processing triggers for man-db (2.11.2-2) ...
+ Processing triggers for mailcap (3.70+nmu1) ...
+ **1) IP
+ 2) DNS/Domain
+ Choose your preferred option, IP or DNS/Domain:2
+ Enter your preferred domain/dns address : mydomain.co**
+ Creating /opt/rustdesk
+ Installing Rustdesk Server
+ --2023-10-19 12:32:34-- https://github.com/rustdesk/rustdesk-server/releases/download/1.1.8-2/rustdesk-server-linux-amd64.zip
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response...
302 Found
+ Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/299354666/afce0804-6c91-4e20-8b1c-1c49a4d12eaf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20231019%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20231019T123234Z&X-Amz-Expires;=300&X-Amz-Signature;=1020540b41d6f5a074ef0d59509c879c851b032f06859c2af6f051498ccd54fa&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=299354666&response-content-disposition;=attachment%3B%20filename%3Drustdesk-server-linux-amd64.zip&response-content-type;=application%2Foctet-stream [following]
+ --2023-10-19 12:32:34-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/299354666/afce0804-6c91-4e20-8b1c-1c49a4d12eaf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20231019%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20231019T123234Z&X-Amz-Expires;=300&X-Amz-Signature;=1020540b41d6f5a074ef0d59509c879c851b032f06859c2af6f051498ccd54fa&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=299354666&response-content-disposition;=attachment%3B%20filename%3Drustdesk-server-linux-amd64.zip&response-content-type;=application%2Foctet-stream
+ Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
+ Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response...
200 OK
+ Length: 8528063 (8.1M) [application/octet-stream]
+ Saving to: 'rustdesk-server-linux-amd64.zip'
+
+ rustdesk-server-linux-amd64.z 100%[=================================================>] 8.13M 18.6MB/s in 0.4s
+
+ 2023-10-19 12:32:34 (18.6 MB/s) - 'rustdesk-server-linux-amd64.zip' saved [8528063/8528063]
+
+ Archive: rustdesk-server-linux-amd64.zip
+ inflating: amd64/hbbr
+ inflating: amd64/hbbs
+ inflating: amd64/rustdesk-utils
+ Creating /var/log/rustdesk
+ Created symlink /etc/systemd/system/multi-user.target.wants/rustdesksignal.service -> /etc/systemd/system/rustdesksignal.service.
+ Created symlink /etc/systemd/system/multi-user.target.wants/rustdeskrelay.service -> /etc/systemd/system/rustdeskrelay.service.
+ Rustdesk Relay not ready yet...
+ Tidying up install
+ **1) Yes
+ 2) No
+ Please choose if you want to download configs and install HTTP server:1**
+ --2023-10-19 12:32:45-- https://raw.githubusercontent.com/dinger1986/rustdeskinstall/master/WindowsAgentAIOInstall.ps1
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.108.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 3337 (3.3K) [text/plain]
+ Saving to: 'WindowsAgentAIOInstall.ps1'
+
+ WindowsAgentAIOInstall.ps1 100%[=================================================>] 3.26K --.-KB/s in 0s
+
+ 2023-10-19 12:32:45 (47.0 MB/s) - 'WindowsAgentAIOInstall.ps1' saved [3337/3337]
+
+ --2023-10-19 12:32:45-- https://raw.githubusercontent.com/dinger1986/rustdeskinstall/master/linuxclientinstall.sh
+ Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
+ Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
+ HTTP request sent, awaiting response...
200 OK
+ Length: 4682 (4.6K) [text/plain]
+ Saving to: 'linuxclientinstall.sh'
+
+ linuxclientinstall.sh 100%[=================================================>] 4.57K --.-KB/s in 0s
+
+ 2023-10-19 12:32:45 (53.3 MB/s) - 'linuxclientinstall.sh' saved [4682/4682]
+
+ Creating /opt/gohttp
+ Installing Go HTTP Server
+ --2023-10-19 12:32:46-- https://github.com/codeskyblue/gohttpserver/releases/download/1.1.4/gohttpserver_1.1.4_linux_amd64.tar.gz
+ Resolving github.com (github.com)... 140.82.121.4
+ Connecting to github.com (github.com)|140.82.121.4|:443... connected.
+ HTTP request sent, awaiting response... 302 Found
+ Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/63852314/3b4f8927-1e46-46b6-873c-6407b36d0f92?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20231019%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20231019T123246Z&X-Amz-Expires;=300&X-Amz-Signature;=7da01a41539e3e1e3307687dcaa5769d13eca4d42134a21b5a0ac6d021122a7b&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=63852314&response-content-disposition;=attachment%3B%20filename%3Dgohttpserver_1.1.4_linux_amd64.tar.gz&response-content-type;=application%2Foctet-stream [following]
+ --2023-10-19 12:32:46-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/63852314/3b4f8927-1e46-46b6-873c-6407b36d0f92?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20231019%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20231019T123246Z&X-Amz-Expires;=300&X-Amz-Signature;=7da01a41539e3e1e3307687dcaa5769d13eca4d42134a21b5a0ac6d021122a7b&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=63852314&response-content-disposition;=attachment%3B%20filename%3Dgohttpserver_1.1.4_linux_amd64.tar.gz&response-content-type;=application%2Foctet-stream
+ Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.108.133, ...
+ Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 4864160 (4.6M) [application/octet-stream]
+ Saving to: 'gohttpserver_1.1.4_linux_amd64.tar.gz'
+
+ gohttpserver_1.1.4_linux_amd6 100%[=================================================>] 4.64M 20.2MB/s in 0.2s
+
+ 2023-10-19 12:32:46 (20.2 MB/s) - 'gohttpserver_1.1.4_linux_amd64.tar.gz' saved [4864160/4864160]
+
+ Creating /var/log/gohttp
+ Tidying up Go HTTP Server Install
+ Created symlink /etc/systemd/system/multi-user.target.wants/gohttpserver.service -> /etc/systemd/system/gohttpserver.service.
+ **Your IP/DNS Address is mydomain.co
+ Your public key is mypubkey
+ Install Rustdesk on your machines and change your public key and IP/DNS name to the above
+ You can access your install scripts for clients by going to http://mydomain.co:8000
+ Username is admin and password is myPasswd**
+
+
+ If you "lose" the public key given at the end of script execution, you will be able to find it in the tree below
+
+
+ root@rrd:/opt/rustdesk# ls -la
+ total 27692
+ drwxr-xr-x 2 root root 4096 Oct 19 08:37 .
+ drwxr-xr-x 4 root root 4096 Oct 19 08:37 ..
+ -rw-r--r-- 1 root root 4096 Oct 19 08:37 db_v2.sqlite3
+ -rw-r--r-- 1 root root 32768 Oct 19 08:52 db_v2.sqlite3-shm
+ -rw-r--r-- 1 root root 70072 Oct 19 08:52 db_v2.sqlite3-wal
+ -rwxr-xr-x 1 root root 9171176 Jul 25 07:48 hbbr
+ -rwxr-xr-x 1 root root 14314024 Jul 25 07:48 hbbs
+ -rw-r--r-- 1 root root 88 Oct 19 08:37 id_ed25519
+ **-rw-r--r-- 1 root root 44 Oct 19 08:37 id_ed25519.pub** <-- cat this
+ -rwxr-xr-x 1 root root 4734912 Jul 25 07:48 rustdesk-utils
+
+
+ ## **Manual Client configuration**
+
+ Click on the 3 dots to go in the rustdesk client settings
+
+ ![](1.png)
+
+ After that you can go to the network section, and put your rustdesk domain in the ID server and Relay Server section.
Put the previous public key in the key section and the url of your api in the API server box.
+
+ ![](2.png)
+
+ Once you have configured your client to use your rustDesk server by filling in the various information, click on apply to save the configuration and test the connection on your client.
+
+ ![](4.png)
+
+ Once the client has been configured, simply enter its id to see it appear on the rust desk interface, then double-click on it to launch the connection to the client.
+
+ ![](5.png)
+
+ Enter your password
+
+ ![](6.png)
+
+ Well done, we are now connected to our remote host through our RustDesk instance.
+
+ ## **Auto deploy client with generated scripts**
+
+ If you choose to setup an HTTP server during the installation, you can join it in your web browser to get an automatic client already configured to match your RustDesk server settings.
+
+ ![](3.png)
+
+ After dl the scripts juste make it executables and run it on your client Careful the initial setup set a basic auth password for access to the gui.
If you loose or you want to change them you can recover or modify it in the rustdesk service file
+
+
+ #Edit the service file
+ vim /etc/systemd/system/gohttpserver.service
+
+
+ Here you can see your Basic Auth credentials
+
+
+ [Unit]
+ Description=Go HTTP Server
+ [Service]
+ Type=simple
+ LimitNOFILE=1000000
+ **ExecStart=/opt/gohttp/gohttpserver -r ./public --port 8000 --auth-type http --auth-http admin:myPasswd**
+ WorkingDirectory=/opt/gohttp/
+ User=root
+ Group=root
+ Restart=always
+ StandardOutput=append:/var/log/gohttp/gohttpserver.log
+ StandardError=append:/var/log/gohttp/gohttpserver.error
+ # Restart service after 10 seconds if node service crashes
+ RestartSec=10
+ [Install]
+ WantedBy=multi-user.target
+
+
+ ## **Upgrade your Server**
+
+ Run the following commands:
+
+
+ #Download update script
+ wget https://raw.githubusercontent.com/techahold/rustdeskinstall/master/update.sh
+
+ #Make it executables
+ chmod +x update.sh
+
+ #Run it
+ ./update.sh
+
+
diff --git a/Zabbix/0.png b/Zabbix/0.png
new file mode 100644
index 0000000..fb76bd8
Binary files /dev/null and b/Zabbix/0.png differ
diff --git a/Zabbix/1.png b/Zabbix/1.png
new file mode 100644
index 0000000..827fad2
Binary files /dev/null and b/Zabbix/1.png differ
diff --git a/Zabbix/10.png b/Zabbix/10.png
new file mode 100644
index 0000000..b830b3a
Binary files /dev/null and b/Zabbix/10.png differ
diff --git a/Zabbix/11.png b/Zabbix/11.png
new file mode 100644
index 0000000..9038dfd
Binary files /dev/null and b/Zabbix/11.png differ
diff --git a/Zabbix/12.png b/Zabbix/12.png
new file mode 100644
index 0000000..d18f4f5
Binary files /dev/null and b/Zabbix/12.png differ
diff --git a/Zabbix/13.png b/Zabbix/13.png
new file mode 100644
index 0000000..24f6d85
Binary files /dev/null and b/Zabbix/13.png differ
diff --git a/Zabbix/14.png b/Zabbix/14.png
new file mode 100644
index 0000000..18cef2b
Binary files /dev/null and b/Zabbix/14.png differ
diff --git a/Zabbix/15.png b/Zabbix/15.png
new file mode 100644
index 0000000..365372f
Binary files /dev/null and b/Zabbix/15.png differ
diff --git a/Zabbix/16.png b/Zabbix/16.png
new file mode 100644
index 0000000..06ccb19
Binary files /dev/null and b/Zabbix/16.png differ
diff --git a/Zabbix/17.png b/Zabbix/17.png
new file mode 100644
index 0000000..dd40334
Binary files /dev/null and b/Zabbix/17.png differ
diff --git a/Zabbix/18.png b/Zabbix/18.png
new file mode 100644
index 0000000..7f75e2d
Binary files /dev/null and b/Zabbix/18.png differ
diff --git a/Zabbix/19.png b/Zabbix/19.png
new file mode 100644
index 0000000..6ed8f7b
Binary files /dev/null and b/Zabbix/19.png differ
diff --git a/Zabbix/2.png b/Zabbix/2.png
new file mode 100644
index 0000000..9751c19
Binary files /dev/null and b/Zabbix/2.png differ
diff --git a/Zabbix/20.png b/Zabbix/20.png
new file mode 100644
index 0000000..35596ee
Binary files /dev/null and b/Zabbix/20.png differ
diff --git a/Zabbix/21.png b/Zabbix/21.png
new file mode 100644
index 0000000..02bdc1c
Binary files /dev/null and b/Zabbix/21.png differ
diff --git a/Zabbix/22.png b/Zabbix/22.png
new file mode 100644
index 0000000..f892347
Binary files /dev/null and b/Zabbix/22.png differ
diff --git a/Zabbix/23.png b/Zabbix/23.png
new file mode 100644
index 0000000..97e94f4
Binary files /dev/null and b/Zabbix/23.png differ
diff --git a/Zabbix/24.png b/Zabbix/24.png
new file mode 100644
index 0000000..969edd5
Binary files /dev/null and b/Zabbix/24.png differ
diff --git a/Zabbix/25.png b/Zabbix/25.png
new file mode 100644
index 0000000..84ee395
Binary files /dev/null and b/Zabbix/25.png differ
diff --git a/Zabbix/26.png b/Zabbix/26.png
new file mode 100644
index 0000000..a9e0cfe
Binary files /dev/null and b/Zabbix/26.png differ
diff --git a/Zabbix/27.png b/Zabbix/27.png
new file mode 100644
index 0000000..8f75ff3
Binary files /dev/null and b/Zabbix/27.png differ
diff --git a/Zabbix/28.png b/Zabbix/28.png
new file mode 100644
index 0000000..15aeb88
Binary files /dev/null and b/Zabbix/28.png differ
diff --git a/Zabbix/29.png b/Zabbix/29.png
new file mode 100644
index 0000000..d438cbc
Binary files /dev/null and b/Zabbix/29.png differ
diff --git a/Zabbix/3.png b/Zabbix/3.png
new file mode 100644
index 0000000..5dfe1a9
Binary files /dev/null and b/Zabbix/3.png differ
diff --git a/Zabbix/30.png b/Zabbix/30.png
new file mode 100644
index 0000000..463ba85
Binary files /dev/null and b/Zabbix/30.png differ
diff --git a/Zabbix/31.png b/Zabbix/31.png
new file mode 100644
index 0000000..2192aa0
Binary files /dev/null and b/Zabbix/31.png differ
diff --git a/Zabbix/32.png b/Zabbix/32.png
new file mode 100644
index 0000000..9a6e0da
Binary files /dev/null and b/Zabbix/32.png differ
diff --git a/Zabbix/33.png b/Zabbix/33.png
new file mode 100644
index 0000000..aa5da15
Binary files /dev/null and b/Zabbix/33.png differ
diff --git a/Zabbix/34.png b/Zabbix/34.png
new file mode 100644
index 0000000..c44b168
Binary files /dev/null and b/Zabbix/34.png differ
diff --git a/Zabbix/35.png b/Zabbix/35.png
new file mode 100644
index 0000000..a192d86
Binary files /dev/null and b/Zabbix/35.png differ
diff --git a/Zabbix/36.png b/Zabbix/36.png
new file mode 100644
index 0000000..b158cb6
Binary files /dev/null and b/Zabbix/36.png differ
diff --git a/Zabbix/37.png b/Zabbix/37.png
new file mode 100644
index 0000000..52327c6
Binary files /dev/null and b/Zabbix/37.png differ
diff --git a/Zabbix/38.png b/Zabbix/38.png
new file mode 100644
index 0000000..77a79fc
Binary files /dev/null and b/Zabbix/38.png differ
diff --git a/Zabbix/39.png b/Zabbix/39.png
new file mode 100644
index 0000000..207bda9
Binary files /dev/null and b/Zabbix/39.png differ
diff --git a/Zabbix/4.png b/Zabbix/4.png
new file mode 100644
index 0000000..ad43296
Binary files /dev/null and b/Zabbix/4.png differ
diff --git a/Zabbix/40.png b/Zabbix/40.png
new file mode 100644
index 0000000..c897a50
Binary files /dev/null and b/Zabbix/40.png differ
diff --git a/Zabbix/41.png b/Zabbix/41.png
new file mode 100644
index 0000000..9c20669
Binary files /dev/null and b/Zabbix/41.png differ
diff --git a/Zabbix/42.png b/Zabbix/42.png
new file mode 100644
index 0000000..da73f21
Binary files /dev/null and b/Zabbix/42.png differ
diff --git a/Zabbix/43.png b/Zabbix/43.png
new file mode 100644
index 0000000..461b023
Binary files /dev/null and b/Zabbix/43.png differ
diff --git a/Zabbix/44.png b/Zabbix/44.png
new file mode 100644
index 0000000..58aae6e
Binary files /dev/null and b/Zabbix/44.png differ
diff --git a/Zabbix/45.png b/Zabbix/45.png
new file mode 100644
index 0000000..345d2bd
Binary files /dev/null and b/Zabbix/45.png differ
diff --git a/Zabbix/46.png b/Zabbix/46.png
new file mode 100644
index 0000000..4d5a6d1
Binary files /dev/null and b/Zabbix/46.png differ
diff --git a/Zabbix/47.png b/Zabbix/47.png
new file mode 100644
index 0000000..f2b66a3
Binary files /dev/null and b/Zabbix/47.png differ
diff --git a/Zabbix/48.png b/Zabbix/48.png
new file mode 100644
index 0000000..d806133
Binary files /dev/null and b/Zabbix/48.png differ
diff --git a/Zabbix/49.png b/Zabbix/49.png
new file mode 100644
index 0000000..0219de7
Binary files /dev/null and b/Zabbix/49.png differ
diff --git a/Zabbix/5.png b/Zabbix/5.png
new file mode 100644
index 0000000..a57b036
Binary files /dev/null and b/Zabbix/5.png differ
diff --git a/Zabbix/50.png b/Zabbix/50.png
new file mode 100644
index 0000000..35aee2b
Binary files /dev/null and b/Zabbix/50.png differ
diff --git a/Zabbix/51.png b/Zabbix/51.png
new file mode 100644
index 0000000..6f833e8
Binary files /dev/null and b/Zabbix/51.png differ
diff --git a/Zabbix/52.png b/Zabbix/52.png
new file mode 100644
index 0000000..144b77c
Binary files /dev/null and b/Zabbix/52.png differ
diff --git a/Zabbix/53.png b/Zabbix/53.png
new file mode 100644
index 0000000..060c24d
Binary files /dev/null and b/Zabbix/53.png differ
diff --git a/Zabbix/54.png b/Zabbix/54.png
new file mode 100644
index 0000000..92aab33
Binary files /dev/null and b/Zabbix/54.png differ
diff --git a/Zabbix/55.png b/Zabbix/55.png
new file mode 100644
index 0000000..68551eb
Binary files /dev/null and b/Zabbix/55.png differ
diff --git a/Zabbix/56.png b/Zabbix/56.png
new file mode 100644
index 0000000..867c1ce
Binary files /dev/null and b/Zabbix/56.png differ
diff --git a/Zabbix/57.png b/Zabbix/57.png
new file mode 100644
index 0000000..83cf58f
Binary files /dev/null and b/Zabbix/57.png differ
diff --git a/Zabbix/58.png b/Zabbix/58.png
new file mode 100644
index 0000000..6d04e56
Binary files /dev/null and b/Zabbix/58.png differ
diff --git a/Zabbix/59.png b/Zabbix/59.png
new file mode 100644
index 0000000..1f38b59
Binary files /dev/null and b/Zabbix/59.png differ
diff --git a/Zabbix/6.png b/Zabbix/6.png
new file mode 100644
index 0000000..a865054
Binary files /dev/null and b/Zabbix/6.png differ
diff --git a/Zabbix/60.png b/Zabbix/60.png
new file mode 100644
index 0000000..981b5da
Binary files /dev/null and b/Zabbix/60.png differ
diff --git a/Zabbix/61.png b/Zabbix/61.png
new file mode 100644
index 0000000..d6dd54e
Binary files /dev/null and b/Zabbix/61.png differ
diff --git a/Zabbix/62.png b/Zabbix/62.png
new file mode 100644
index 0000000..dc5e8ad
Binary files /dev/null and b/Zabbix/62.png differ
diff --git a/Zabbix/63.png b/Zabbix/63.png
new file mode 100644
index 0000000..318da1b
Binary files /dev/null and b/Zabbix/63.png differ
diff --git a/Zabbix/64.png b/Zabbix/64.png
new file mode 100644
index 0000000..d2912e7
Binary files /dev/null and b/Zabbix/64.png differ
diff --git a/Zabbix/65.png b/Zabbix/65.png
new file mode 100644
index 0000000..a8aee29
Binary files /dev/null and b/Zabbix/65.png differ
diff --git a/Zabbix/66.png b/Zabbix/66.png
new file mode 100644
index 0000000..7756a56
Binary files /dev/null and b/Zabbix/66.png differ
diff --git a/Zabbix/67.png b/Zabbix/67.png
new file mode 100644
index 0000000..8a219f2
Binary files /dev/null and b/Zabbix/67.png differ
diff --git a/Zabbix/68.png b/Zabbix/68.png
new file mode 100644
index 0000000..7a12bbd
Binary files /dev/null and b/Zabbix/68.png differ
diff --git a/Zabbix/69.png b/Zabbix/69.png
new file mode 100644
index 0000000..fa603ed
Binary files /dev/null and b/Zabbix/69.png differ
diff --git a/Zabbix/7.png b/Zabbix/7.png
new file mode 100644
index 0000000..2f4e290
Binary files /dev/null and b/Zabbix/7.png differ
diff --git a/Zabbix/8.png b/Zabbix/8.png
new file mode 100644
index 0000000..b2914d0
Binary files /dev/null and b/Zabbix/8.png differ
diff --git a/Zabbix/9.png b/Zabbix/9.png
new file mode 100644
index 0000000..97f06d5
Binary files /dev/null and b/Zabbix/9.png differ
diff --git a/Zabbix/index.md b/Zabbix/index.md
new file mode 100644
index 0000000..86dd5c2
--- /dev/null
+++ b/Zabbix/index.md
@@ -0,0 +1,1011 @@
+# Zabbix setup with Nginx HTTPS
+
+ ![](logo.png)
+
+ Before we start, you will need a Debian 10 VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+ ## **Initial setup**
+
+ First of all, SSH into your server and install the dependencies:
+
+
+ dpkg-reconfigure locales
+
+
+
+ Tick en_US UTF8, then you choose en_US UTF8 as default locale, and only after do we install postgres and other dependencies:
+
+ ![](6.png) ![](7.png)
+
+
+ apt-get -y install apt-transport-https lsb-release ca-certificates curl gnupg -y
+
+
+
+ root@zabbix:~# apt install apache2 php php-mysql php-mysqlnd php-ldap php-bcmath php-mbstring php-gd php-pdo php-xml libapache2-mod-php
+
+
+ Then configure mysql:
+
+
+ root@zabbix:~# apt install mariadb-server mariadb-client
+ root@zabbix:~# mysql_secure_installation
+
+ NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
+ SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
+
+ In order to log into MariaDB to secure it, we'll need the current
+ password for the root user. If you've just installed MariaDB, and
+ haven't set the root password yet, you should just press enter here.
+
+ Enter current password for root (enter for none):
+ OK, successfully used password, moving on...
+
+ Setting the root password or using the unix_socket ensures that nobody
+ can log into the MariaDB root user without the proper authorisation.
+
+ You already have your root account protected, so you can safely answer 'n'.
+
+ Switch to unix_socket authentication [Y/n] n
+ ... skipping.
+
+ You already have your root account protected, so you can safely answer 'n'.
+
+ Change the root password? [Y/n] n
+ ... skipping.
+
+ By default, a MariaDB installation has an anonymous user, allowing anyone
+ to log into MariaDB without having to have a user account created for
+ them. This is intended only for testing, and to make the installation
+ go a bit smoother. You should remove them before moving into a
+ production environment.
+
+ Remove anonymous users? [Y/n] y
+ ... Success!
+
+ Normally, root should only be allowed to connect from 'localhost'. This
+ ensures that someone cannot guess at the root password from the network.
+
+ Disallow root login remotely? [Y/n] y
+ ... Success!
+
+ By default, MariaDB comes with a database named 'test' that anyone can
+ access. This is also intended only for testing, and should be removed
+ before moving into a production environment.
+
+ Remove test database and access to it? [Y/n] y
+ - Dropping test database...
+ ... Success!
+ - Removing privileges on test database...
+ ... Success!
+
+ Reloading the privilege tables will ensure that all changes made so far
+ will take effect immediately.
+
+ Reload privilege tables now? [Y/n] y
+ ... Success!
+
+ Cleaning up...
+
+ All done! If you've completed all of the above steps, your MariaDB
+ installation should now be secure.
+
+ Thanks for using MariaDB!
+
+ root@zabbix:~# mysql -u root -p
+ Enter password:
+ Welcome to the MariaDB monitor. Commands end with ; or \g.
+ Your MariaDB connection id is 36
+ Server version: 10.5.18-MariaDB-0+deb11u1 Debian 11
+
+ Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
+
+ Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+
+ MariaDB [(none)]> create database zabbix character set utf8 collate utf8_bin;
+ Query OK, 1 row affected (0.001 sec)
+
+ MariaDB [(none)]> grant all privileges on zabbix.* to zabbix@localhost identified by 'PASSWORD';
+ Query OK, 0 rows affected (0.003 sec)
+
+ MariaDB [(none)]> quit;
+ Bye
+
+
+
+ Then we install zabbix itself ( browse zabbix's repository [here](https://repo.zabbix.com/zabbix) and choose the latest version:
+
+
+ root@zabbix:~# wget https://repo.zabbix.com/zabbix/6.3/debian/pool/main/z/zabbix-release/zabbix-release_6.3-1%2Bdebian11_all.deb
+ --2022-12-24 09:35:45-- https://repo.zabbix.com/zabbix/6.3/debian/pool/main/z/zabbix-release/zabbix-release_6.3-1%2Bdebian11_all.deb
+ Resolving repo.zabbix.com (repo.zabbix.com)... 178.128.6.101, 2604:a880:2:d0::2062:d001
+ Connecting to repo.zabbix.com (repo.zabbix.com)|178.128.6.101|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 3672 (3.6K) [application/octet-stream]
+ Saving to: ‘zabbix-release_6.3-1+debian11_all.deb’
+
+ zabbix-release_6.3-1+debian11_all 100%[============================================================>] 3.59K --.-KB/s in 0s
+
+ 2022-12-24 09:35:45 (26.9 MB/s) - ‘zabbix-release_6.3-1+debian11_all.deb’ saved [3672/3672]
+
+ root@zabbix:~# dpkg -i zabbix-release_6.3-1+debian11_all.deb
+ Selecting previously unselected package zabbix-release.
+ (Reading database ... 35659 files and directories currently installed.)
+ Preparing to unpack zabbix-release_6.3-1+debian11_all.deb ...
+ Unpacking zabbix-release (1:6.3-1+debian11) ...
+ Setting up zabbix-release (1:6.3-1+debian11) ...
+ root@zabbix:~# apt update
+
+ root@zabbix:~# apt -y install zabbix-server-mysql zabbix-frontend-php zabbix-agent zabbix-sql-scripts
+
+ root@zabbix:/usr/share/zabbix-sql-scripts/mysql# ls -lash
+ total 3.9M
+ 4.0K drwxr-xr-x 2 root root 4.0K Dec 24 09:39 .
+ 4.0K drwxr-xr-x 5 root root 4.0K Dec 24 09:39 ..
+ 4.0K -rw-r--r-- 1 root root 282 Nov 21 10:18 double.sql
+ 4.0K -rw-r--r-- 1 root root 1.5K Dec 20 10:57 history_pk_prepare.sql
+ 180K -rw-r--r-- 1 root root 179K Dec 20 10:57 proxy.sql
+ 3.7M -rw-r--r-- 1 root root 3.7M Dec 20 11:38 server.sql.gz
+
+ root@zabbix:/usr/share/zabbix-sql-scripts/mysql# zcat /usr/share/zabbix-sql-scripts/mysql/server.sql.gz | mysql -u zabbix -p zabbix
+ Enter password:
+
+
+
+ Wait a bit for the schema to be added, then edit /etc/zabbix/zabbix_server.conf for the db connection:
+
+
+ root@zabbix:~# vim /etc/zabbix/zabbix_server.conf
+
+ [...]
+
+ DBHost=localhost
+ DBName=zabbix
+ DBUser=zabbix
+ DBPassword=PASSWORD
+
+ [...]
+
+ :wq
+
+ root@zabbix:~# systemctl restart zabbix-server zabbix-agent
+ root@zabbix:~# systemctl enable zabbix-server zabbix-agent
+ Synchronizing state of zabbix-server.service with SysV service script with /lib/systemd/systemd-sysv-install.
+ Executing: /lib/systemd/systemd-sysv-install enable zabbix-server
+ Synchronizing state of zabbix-agent.service with SysV service script with /lib/systemd/systemd-sysv-install.
+ Executing: /lib/systemd/systemd-sysv-install enable zabbix-agent
+ Created symlink /etc/systemd/system/multi-user.target.wants/zabbix-server.service → /lib/systemd/system/zabbix-server.service.
+
+
+ root@zabbix:~# apt install zabbix-apache-conf
+
+
+
+ ` ![](52.png)
+
+ Then restart apache2 and proceed to the gui to complete the installation at http://10.0.0.190/zabbix/setup.php:
+
+
+ root@zabbix:~# ln -s /etc/zabbix/apache.conf /etc/apache2/conf-enabled/zabbix.conf
+ ln: failed to create symbolic link '/etc/apache2/conf-enabled/zabbix.conf': File exists
+ root@zabbix:~# systemctl restart apache2
+
+
+
+ ` ![](53.png) ![](54.png) ![](55.png) ![](56.png) ![](57.png)
+
+ Then to login you need to use the "Admin:zabbix" default credentials:
+
+ ![](59.png) ![](60.png)
+
+ And there you go! We managed to install zabbix.
+
+ ## **HTTPS Configuration**
+
+ Next we're going to use acme.sh to get the free letsencrypt TLS certificate:
+
+
+ wget -O - https://get.acme.sh | sh
+ cd
+ source .bashrc
+ systemctl stop nginx
+ acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
+ systemctl start nginx
+
+
+
+ ![](2.png)
+
+ From here enable the other services:
+
+
+ systemctl enable zabbix-server zabbix-agent --now
+
+
+
+
+ ## **adding Hosts**
+
+ ![](16.png)
+
+ Now here you may get the **'Zabbix server is not running: the information displayed may not be current.'** error message at the bottom, so let's fix this by editing the **/etc/zabbix/zabbix_server.conf** file:****
+
+
+ root@Zabbix:~# tail -f /var/log/zabbix/zabbix_server.log
+ 20777:20210501:184150.043 database is down: reconnecting in 10 seconds
+ 20777:20210501:184200.060 [Z3001] connection to database 'zabbix' failed: [0] fe_sendauth: no password supplied
+
+ 20777:20210501:184200.061 database is down: reconnecting in 10 seconds
+ 20777:20210501:184210.079 [Z3001] connection to database 'zabbix' failed: [0] fe_sendauth: no password supplied
+
+ 20777:20210501:184210.079 database is down: reconnecting in 10 seconds
+ 20777:20210501:184220.096 [Z3001] connection to database 'zabbix' failed: [0] fe_sendauth: no password supplied
+
+ 20777:20210501:184220.096 database is down: reconnecting in 10 seconds
+
+ root@Zabbix:~# vim /etc/zabbix/zabbix_server.conf
+
+ [...]
+
+ DBPassword=zabbix
+
+ [...]
+
+ :wq
+
+ root@Zabbix:~# systemctl restart zabbix-server
+
+
+
+ And that's it! That's what you need to do if the zabbix-server is not running, you need to check what's happening from the error log **/var/log/zabbix/zabbix_server.log** , and then edit /etc/zabbix/zabbix_server.conf accordingly.
+
+Now before moving forward let's make sure snmp is configured on our debian zabbix host:
+
+
+ root@Zabbix:~# apt install snmp snmpd php7.3-snmp -y
+ root@Zabbix:~# systemctl restart zabbix-server
+
+
+
+Once that's done, you will be able to add hosts with [snmp](../snmp/index.md):
+
+![](17.png)
+
+We're going to use a macro that will contain our 'secret' snmp community string, obviously if you are using a public host you want this snmp community string to be complex and hard to guess to be secure.
+
+![](18.png) ![](23.png)
+
+Save the new host and enable it:
+
+![](19.png)
+
+here you can see that the snmp queries are working, since we have access to graphs about our host:
+
+![](24.png) ![](25.png)
+
+Now that we know it's working, we're going to edit the main zabbix dashboard, and we will add a Widget containing one of the graphs of our SNMP host:
+
+![](26.png) ![](27.png) ![](28.png) ![](29.png)
+
+And there you go ! We managed to add a customized graph containing ICMP response time.
+
+![](30.png)
+
+Now let's try to add Hosts using the Zabbix Agent:
+
+
+ root@Zabbix:~# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.220/16 brd 10.0.255.255 scope global ens18
+ inet6 fe80::20f6:74ff:fe83:4fa3/64 scope link
+
+ root@Zabbix:~# apt install zabbix-agent
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ zabbix-agent is already the newest version (1:5.2.6-1+debian10).
+ 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+
+ root@Zabbix:~# systemctl enable --now zabbix-agent
+
+
+
+Another example for the 10.0.0.101 host:
+
+
+ root@home:~# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.101/16 brd 10.0.255.255 scope global ens18
+ inet6 fe80::94b0:53ff:fe08:49a6/64 scope link
+
+ root@home:~# apt install zabbix-agent -y
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information...
Done
+ zabbix-agent is already the newest version (1:4.0.4+dfsg-1).
+ 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+
+ root@home:~# vim /etc/zabbix/zabbix_agentd.conf
+
+ [...]
+
+ Server=0.0.0.0/0
+
+ ListenPort=10050
+
+ [...]
+
+ :wq
+
+ root@home:~# systemctl enable --now zabbix-agent
+
+ root@home:~# systemctl status zabbix-agent
+ ● zabbix-agent.service - Zabbix Agent
+ Loaded: loaded (/lib/systemd/system/zabbix-agent.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sat 2021-05-01 18:18:08 CEST; 5s ago
+ Docs: man:zabbix_agentd
+ Main PID: 30420 (zabbix_agentd)
+ Tasks: 6 (limit: 4915)
+ Memory: 3.1M
+ CGroup: /system.slice/zabbix-agent.service
+ ├─30420 /usr/sbin/zabbix_agentd --foreground
+ ├─30421 /usr/sbin/zabbix_agentd: collector [idle 1 sec]
+ ├─30422 /usr/sbin/zabbix_agentd: listener #1 [waiting for connection]
+ ├─30423 /usr/sbin/zabbix_agentd: listener #2 [waiting for connection]
+ ├─30424 /usr/sbin/zabbix_agentd: listener #3 [waiting for connection]
+ └─30425 /usr/sbin/zabbix_agentd: active checks #1 [idle 1 sec]
+
+ May 01 18:18:08 home systemd[1]: Started Zabbix Agent.
+ May 01 18:18:08 home zabbix_agentd[30420]: Starting Zabbix Agent [home]. Zabbix 4.0.4 (revision 89349).
+ May 01 18:18:08 home zabbix_agentd[30420]: Press Ctrl+C to exit.
+
+
+
+Now just add the 2 Hosts:
+
+![](39.png) ![](40.png)
+
+And with this we can add for example their CPU utilization:
+
+![](41.png) ![](42.png)
+
+If you want to monitor hosts by ICMP only do the following:
+
+
+ root@Zabbix:~# apt install fping -y
+ Reading package lists... Done
+ Building dependency tree
+ Reading state information... Done
+ fping is already the newest version (4.2-1).
+ fping set to manually installed.
+ 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
+
+ root@Zabbix:~# which fping
+ /usr/bin/fping
+
+
+ root@Zabbix:~# vim /etc/zabbix/zabbix_server.conf
+
+ [...]
+ FpingLocation=/usr/bin/fping
+
+ StartPingers=100
+
+ Timeout=4
+ [...]
+
+ :wq
+
+ root@Zabbix:~# systemctl restart zabbix-server
+
+
+
+Then add the host itself:
+
+![](31.png) ![](32.png)
+
+Once you created the host with the ICMP Ping template, you can check it's new items:
+
+![](33.png) ![](34.png)
+
+ANd now that's done, we can add it to our dashboard:
+
+![](35.png)
+
+Here's an example with 3 hosts:
+
+![](37.png) ![](38.png)
+
+After using zabbix for approximately 3 months, here's what it ends up like:
+
+![](43.png)
+
+Right now i have a VPS with a monthly 1TB bandwidth limit, so i need to monitor it. To do so i use [snmp](../snmp/index.md) and vnstat:
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/27 ] [~/Documents/Github]
+ → ssh temple
+
+ root@Temple:~# apt install vnstat -y
+
+ root@Temple:~# systemctl enable vnstat
+ Synchronizing state of vnstat.service with SysV service script with /lib/systemd/systemd-sysv-install.
+ Executing: /lib/systemd/systemd-sysv-install enable vnstat
+
+ root@Temple:~# systemctl status vnstat
+ ● vnstat.service - vnStat network traffic monitor
+ Loaded: loaded (/lib/systemd/system/vnstat.service; enabled; vendor preset: enabled)
+ Active: active (running) since Mon 2021-06-14 08:37:10 UTC; 2min 50s ago
+ Docs: man:vnstatd(8)
+ man:vnstat(1)
+ man:vnstat.conf(5)
+ Main PID: 13780 (vnstatd)
+ Tasks: 1 (limit: 1040)
+ Memory: 864.0K
+ CGroup: /system.slice/vnstat.service
+ └─13780 /usr/sbin/vnstatd -n
+
+ Jun 14 08:37:10 Temple systemd[1]: Started vnStat network traffic monitor.
+ Jun 14 08:37:10 Temple vnstatd[13780]: No interfaces found in database, adding available interfaces...
+ Jun 14 08:37:10 Temple vnstatd[13780]: Interface "enp1s0" added with 1000 Mbit bandwidth limit.
+ Jun 14 08:37:10 Temple vnstatd[13780]: Interface "wg0" added with 1000 Mbit bandwidth limit.
+ Jun 14 08:37:10 Temple vnstatd[13780]: -> 2 new interfaces found.
+ Jun 14 08:37:10 Temple vnstatd[13780]: Limits can be modified using the configuration file.
See "man vnstat.conf".
+ Jun 14 08:37:10 Temple vnstatd[13780]: Unwanted interfaces can be removed from monitoring with "vnstat --remove".
+ Jun 14 08:37:10 Temple vnstatd[13780]: Info: vnStat daemon 2.6 started. (pid:13780 uid:114 gid:119 64-bit)
+ Jun 14 08:37:10 Temple vnstatd[13780]: Info: Monitoring (2): wg0 (1000 Mbit) enp1s0 (1000 Mbit)
+
+
+Now that we enabled the vnstat service, we can monitor our bandwidth usage from the commandline and as you can see from the service status output, it is monitoring the enp1s0 and wg0 interfaces:
+
+
+ root@Temple:~# vnstat -i wg0
+ Database updated: 2021-06-14 08:42:20
+
+ wg0 since 2021-06-14
+
+ rx: 23.83 MiB tx: 25.43 MiB total: 49.26 MiB
+
+ monthly
+ rx | tx | total | avg. rate
+ ------------------------+-------------+-------------+---------------
+ 2021-06 23.83 MiB | 25.43 MiB | 49.26 MiB | 357 bit/s
+ ------------------------+-------------+-------------+---------------
+ estimated 51.91 MiB | 56.85 MiB | 108.76 MiB |
+
+ daily
+ rx | tx | total | avg. rate
+ ------------------------+-------------+-------------+---------------
+ today 23.83 MiB | 25.43 MiB | 49.26 MiB | 13.19 kbit/s
+ ------------------------+-------------+-------------+---------------
+ estimated 65.75 MiB | 70.15 MiB | 135.90 MiB |
+
+ root@Temple:~# vnstat -i enp1s0
+ Database updated: 2021-06-14 08:42:20
+
+ enp1s0 since 2021-06-14
+
+ rx: 25.02 MiB tx: 26.66 MiB total: 51.68 MiB
+
+ monthly
+ rx | tx | total | avg. rate
+ ------------------------+-------------+-------------+---------------
+ 2021-06 25.02 MiB | 26.66 MiB | 51.68 MiB | 375 bit/s
+ ------------------------+-------------+-------------+---------------
+ estimated 54.38 MiB | 59.33 MiB | 113.71 MiB |
+
+ daily
+ rx | tx | total | avg.
rate
+ ------------------------+-------------+-------------+---------------
+ today 25.02 MiB | 26.66 MiB | 51.68 MiB | 13.83 kbit/s
+ ------------------------+-------------+-------------+---------------
+ estimated 69.03 MiB | 73.54 MiB | 142.57 MiB |
+
+
+
+Currently i have 2 network interfaces i want to monitor: **enp1s0** and **wg0**. Now the goal for me is to monitor the monthly total bandwidth usage, so that i can monitor if i'm going to hit the limit or not.
+
+
+ root@Temple:~# vnstat
+
+ rx / tx / total / estimated
+ enp1s0:
+ 2021-06 66.75 MiB / 70.79 MiB / 137.54 MiB / 306.52 MiB
+ today 66.75 MiB / 70.79 MiB / 137.54 MiB / 373.70 MiB
+
+ wg0:
+ 2021-06 59.36 MiB / 67.49 MiB / 126.86 MiB / 281.80 MiB
+ today 59.36 MiB / 67.49 MiB / 126.86 MiB / 344.66 MiB
+
+ root@Temple:~# vnstat --oneline
+ 1;enp1s0;2021-06-14;66.75 MiB;70.79 MiB;137.54 MiB;36.28 kbit/s;2021-06;66.75 MiB;70.79 MiB;137.54 MiB;998 bit/s;66.75 MiB;70.79 MiB;137.54 MiB
+
+ root@Temple:~# vnstat --oneline | awk -F\; '{ print $11 }'
+ 137.54 MiB
+
+
+
+Basically for me the **wg0** bandwidth usage is included in the **enp1s0** bandwidth usage.
Therefore i only need to monitor the **enp1s0** interface, so i end up with the following bashscript:
+
+
+ root@Temple:~# vim bandwidth.sh
+
+ #!/bin/bash
+ # Current month total bandwidth in MB
+
+ i=$(vnstat --oneline | awk -F\; '{ print $11 }')
+
+ bandwidth_number=$(echo $i | awk '{ print $1 }')
+ bandwidth_unit=$(echo $i | awk '{ print $2 }')
+
+ #echo "$i "
+ #echo "$bandwidth_number"
+ #echo "$bandwidth_unit"
+
+ case "$bandwidth_unit" in
+ KiB) bandwidth_number_MB=$(echo "$bandwidth_number/1024" | bc)
+ ;;
+ MiB) bandwidth_number_MB=$bandwidth_number
+ ;;
+ GiB) bandwidth_number_MB=$(echo "$bandwidth_number*1024" | bc)
+ ;;
+ TiB) bandwidth_number_MB=$(echo "$bandwidth_number*1024*1024" | bc)
+ ;;
+ esac
+
+
+ echo $bandwidth_number_MB
+
+ :wq
+
+ root@Temple:~# chmod +x bandwidth.sh
+
+ root@Temple:~# ./bandwidth.sh
+
+ root@Temple:~# ./bandwidth.sh
+ 195.35
+
+ root@Temple:~# cp bandwidth.sh /usr/local/bin/bandwidth
+ root@Temple:~# chmod +x /usr/local/bin/bandwidth
+ root@Temple:~# /usr/local/bin/bandwidth
+ 314.77
+
+
+Now we have a script which gives us the bandwidth usage in MiB. Now we need to make sure that zabbix can retrieve that information and use it in the graphs. We will modify our **snmpd.conf** file:
+
+
+ root@Temple:~# vim /etc/snmp/snmpd.conf
+
+ [...]
+
+ # This line allows Observium to detect the host OS if the distro script is installed
+ extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/bin/distro
+
+ # check bandwidth usage
+ extend .1.3.6.1.4.1.53864.1.1 bandwidth /usr/local/bin/bandwidth
+
+ [...]
+
+ :wq
+
+ root@Temple:~# systemctl restart snmpd
+
+
+
+Now that you modified the snmpd config and restarted the service, you should be able to use the OID that corresponds to the bandwidth script from snmpwalk:
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/28 ] [~/Documents/Github]
+ → snmpwalk -v2c temple.void.yt -c void.yt .1.3.6.1.4.1.53864.1.1
+ iso.3.6.1.4.1.53864.1.1.1.0 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.2.1.2.9.98.97.110.100.119.105.100.116.104 = STRING: "/usr/local/bin/bandwidth"
+ iso.3.6.1.4.1.53864.1.1.2.1.3.9.98.97.110.100.119.105.100.116.104 = ""
+ iso.3.6.1.4.1.53864.1.1.2.1.4.9.98.97.110.100.119.105.100.116.104 = ""
+ iso.3.6.1.4.1.53864.1.1.2.1.5.9.98.97.110.100.119.105.100.116.104 = INTEGER: 5
+ iso.3.6.1.4.1.53864.1.1.2.1.6.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.2.1.7.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.2.1.20.9.98.97.110.100.119.105.100.116.104 = INTEGER: 4
+ iso.3.6.1.4.1.53864.1.1.2.1.21.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.3.1.1.9.98.97.110.100.119.105.100.116.104 = STRING: "364.55"
+ iso.3.6.1.4.1.53864.1.1.3.1.2.9.98.97.110.100.119.105.100.116.104 = STRING: "364.55"
+ iso.3.6.1.4.1.53864.1.1.3.1.3.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.3.1.4.9.98.97.110.100.119.105.100.116.104 = INTEGER: 0
+ iso.3.6.1.4.1.53864.1.1.4.1.2.9.98.97.110.100.119.105.100.116.104.1 = STRING: "364.55"
+
+
+
+And there you go! We have been able to query our monthly bandwidth usage integer. So now we need to get zabbix to query that specific oid aswell.
+
+![](44.png)
+
+Here we're basically going to create an **iten** for our current snmp host called **Temple** :
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/29 ] [~/Documents/Github]
+ → snmpget -v 2c -c void.yt temple.void.yt .1.3.6.1.4.1.53864.1.1
+ iso.3.6.1.4.1.53864.1.1 = No Such Object available on this agent at this OID
+
+ [ 10.66.66.2/32 ] [ /dev/pts/29 ] [~/Documents/Github]
+ → snmpwalk -v2c temple.void.yt -c void.yt .1.3.6.1.4.1.53864.1.1
+ iso.3.6.1.4.1.53864.1.1.1.0 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.2.1.2.9.98.97.110.100.119.105.100.116.104 = STRING: "/usr/local/bin/bandwidth"
+ iso.3.6.1.4.1.53864.1.1.2.1.3.9.98.97.110.100.119.105.100.116.104 = ""
+ iso.3.6.1.4.1.53864.1.1.2.1.4.9.98.97.110.100.119.105.100.116.104 = ""
+ iso.3.6.1.4.1.53864.1.1.2.1.5.9.98.97.110.100.119.105.100.116.104 = INTEGER: 5
+ iso.3.6.1.4.1.53864.1.1.2.1.6.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.2.1.7.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.2.1.20.9.98.97.110.100.119.105.100.116.104 = INTEGER: 4
+ iso.3.6.1.4.1.53864.1.1.2.1.21.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.3.1.1.9.98.97.110.100.119.105.100.116.104 = STRING: "699.06"
+ iso.3.6.1.4.1.53864.1.1.3.1.2.9.98.97.110.100.119.105.100.116.104 = STRING: "699.06"
+ iso.3.6.1.4.1.53864.1.1.3.1.3.9.98.97.110.100.119.105.100.116.104 = INTEGER: 1
+ iso.3.6.1.4.1.53864.1.1.3.1.4.9.98.97.110.100.119.105.100.116.104 = INTEGER: 0
+ iso.3.6.1.4.1.53864.1.1.4.1.2.9.98.97.110.100.119.105.100.116.104.1 = STRING: "699.06"
+
+ [ 10.66.66.2/32 ] [ /dev/pts/29 ] [~/Documents/Github]
+ → snmpget -v 2c -c void.yt temple.void.yt iso.3.6.1.4.1.53864.1.1.3.1.1.9.98.97.110.100.119.105.100.116.104
+ iso.3.6.1.4.1.53864.1.1.3.1.1.9.98.97.110.100.119.105.100.116.104 = STRING: "699.06"
+
+
+If you pick the oid ending in **.1.1** you will get the 'No such Object available on this agent at this OID' error.
So when we do snmpwalk we see that the full OID is **iso.3.6.1.4.1.53864.1.1.3.1.1.9.98.97.110.100.119.105.100.116.104**. So we add it accordingly to our custom zabbix item:
+
+![](45.png)
+
+We can test the OID here aswell:
+
+![](46.png)
+
+And here we see that it is getting the right value ! So we can add it to our graphs:
+
+![](47.png)
+
+Now here we see a problem with the units of the graph, we see that zabbix wants the base unit to be in **iB** because it will add the **K M G T** behind it. so let's simply edit our bandwidth script:
+
+![](48.png)
+
+
+ root@Temple:~# vim /usr/local/bin/bandwidth
+
+ #echo "$i "
+ #echo "$bandwidth_number"
+ #echo "$bandwidth_unit"
+
+ case "$bandwidth_unit" in
+ KiB) bandwidth_number_B=$(echo "$bandwidth_number*1024" | bc)
+ ;;
+ MiB) bandwidth_number_B=$(echo "$bandwidth_number*1024*1024" | bc)
+ ;;
+ GiB) bandwidth_number_B=$(echo "$bandwidth_number*1024*1024*1024" | bc)
+ ;;
+ TiB) bandwidth_number_B=$(echo "$bandwidth_number*1024*1024*1024*1024" | bc)
+ ;;
+ esac
+
+
+ echo $bandwidth_number_B
+
+ :wq
+
+ root@Temple:~# /usr/local/bin/bandwidth
+ 1621350154.24
+
+
+Now we have the Bytes instead of MegaBytes, so we clear the zabbix data for the bandwidth item and then check our graph again:
+
+![](49.png) ![](51.png)
+
+And here you see we have the correct units to monitor monthly bandwidth usage.
+
+EDIT: apparently Vultr measures bandwidth in a weird way. They basically take the **inbound traffic** and the **outbound traffic** independently, and only take into account **the higher of the 2** not the total of the 2.
So here's my updated script:
+
+
+ #!/bin/bash
+ # Current month total bandwidth in MB
+
+ #i=$(vnstat --oneline | awk -F\; '{ print $11 }')
+
+ #DAILY
+ #i=$(vnstat --oneline | awk -F\; '{ print $4 }')
+ #j=$(vnstat --oneline | awk -F\; '{ print $5 }')
+
+ #MONTHLY
+ i=$(vnstat --oneline | awk -F\; '{ print $9 }')
+ j=$(vnstat --oneline | awk -F\; '{ print $10 }')
+
+ bn1=$(echo $i | awk '{ print $1 }')
+ bn2=$(echo $j | awk '{ print $1 }')
+
+
+ bunit1=$(echo $i | awk '{ print $2 }')
+ bunit2=$(echo $j | awk '{ print $2 }')
+
+ case "$bunit1" in
+ KiB) bnB1=$(echo "$bn1*1024" | bc)
+ ;;
+ MiB) bnB1=$(echo "$bn1*1024*1024" | bc)
+ ;;
+ GiB) bnB1=$(echo "$bn1*1024*1024*1024" | bc)
+ ;;
+ TiB) bnB1=$(echo "$bn1*1024*1024*1024*1024" | bc)
+ ;;
+ esac
+
+ case "$bunit2" in
+ KiB) bnB2=$(echo "$bn2*1024" | bc)
+ ;;
+ MiB) bnB2=$(echo "$bn2*1024*1024" | bc)
+ ;;
+ GiB) bnB2=$(echo "$bn2*1024*1024*1024" | bc)
+ ;;
+ TiB) bnB2=$(echo "$bn2*1024*1024*1024*1024" | bc)
+ ;;
+ esac
+
+ if (( $(echo "$bnB1 > $bnB2" |bc -l) )); then
+ bandwidth_number=$bnB1
+ else
+ bandwidth_number=$bnB2
+ fi
+
+ #convert gibibytes into gigabyte (*1.073742)
+ final=$(echo "$bandwidth_number * 1.073742" | bc)
+
+ echo $final
+
+
+
+2022: Now let's try to add SNMPv3 Hosts.
Lets' first set it up on the zabbix server itself:
+
+
+ root@zabbix:~# apt install snmp snmpd libsnmp-dev
+ root@zabbix:~# systemctl stop snmpd
+
+ root@zabbix:~# vim /etc/snmp/snmpd.conf
+ root@zabbix:~# cat /etc/snmp/snmpd.conf
+ sysLocation Nowhere
+ sysContact Nihilist <****nihilist@nowhere.moe>
+
+ sysServices 72
+ master agentx
+
+ agentaddress 0.0.0.0,[::]
+
+
+ view systemonly included .1
+ view systemonly included .1.3.6.1.2.1.1
+ view systemonly included .1.3.6.1.2.1.25.1
+
+ rocommunity public default -V systemonly
+ rocommunity6 public default -V systemonly
+
+ rouser nihilist authpriv -V systemonly
+
+ root@zabbix:~# systemctl stop snmpd
+ root@zabbix:~# mkdir /snmp
+
+ root@zabbix:~# net-snmp-config --create-snmpv3-user -ro -a SHA-512 -A "AEFB9DWADWAW630B38A9B1F61183" -x AES -X "AEFB9DWADWAW630B38A9B1F61183" nihilist
+ adding the following line to /var/lib/snmp/snmpd.conf:
+ createUser authPrivUser SHA-512 "myauthphrase" AES "myprivphrase"
+ adding the following line to /snmp/snmpd.conf:
+ rouser authPrivUser
+
+ root@zabbix:~# systemctl restart snmpd
+ root@zabbix:~# systemctl status snmpd
+ ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
+ Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sat 2022-12-24 10:51:15 CET; 4s ago
+ Process: 23239 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited, status=0/SUCCESS)
+ Main PID: 23240 (snmpd)
+ Tasks: 1 (limit: 4670)
+ Memory: 4.9M
+ CPU: 262ms
+ CGroup: /system.slice/snmpd.service
+ └─23240 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
+
+ root@zabbix:~# snmpget -v 3 -u nihilist -l authpriv -a SHA-512 -A AEFB9DWADWAW630B38A9B1F61183 -x AES -X AEFB9DWADWAW630B38A9B1F61183 127.0.0.1 1.3.6.1.2.1.1.1.0
+ MIB search path: /root/.snmp/mibs:/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf
+ Cannot find module (SNMPv2-MIB): At line 1 in (none)
+ Cannot find module (IF-MIB): At line 1 in (none)
+ Cannot find module (IP-MIB): At line 1 in (none)
+ Cannot find module (TCP-MIB): At line 1 in (none)
+
+ [...]
+
+
+ Cannot adopt OID in UCD-SNMP-MIB: laLoadInt ::= { laEntry 5 }
+ Cannot adopt OID in UCD-SNMP-MIB: laConfig ::= { laEntry 4 }
+ Cannot adopt OID in UCD-SNMP-MIB: laLoad ::= { laEntry 3 }
+ Cannot adopt OID in UCD-SNMP-MIB: laNames ::= { laEntry 2 }
+ Cannot adopt OID in UCD-SNMP-MIB: laIndex ::= { laEntry 1 }
+ iso.3.6.1.2.1.1.1.0 = STRING: "Linux zabbix 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64"
+
+
+
+
+
+Then test it from another host:
+
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB]
+ → sudo pacman -S net-snmp
+ [sudo] password for nothing:
+ resolving dependencies...
+ looking for conflicting packages...
+
+ Packages (1) net-snmp-5.9.1-5
+
+ Total Download Size: 1.75 MiB
+ Total Installed Size: 7.79 MiB
+
+ :: Proceed with installation?
[Y/n] y
+
+ [ 10.8.0.3/24 ] [ nowhere ] [~/HTB]
+ → snmpget -v 3 -u nihilist -l authpriv -a SHA-512 -A AEFB9DWADWAW630B38A9B1F61183 -x AES -X AEFB9DWADWAW630B38A9B1F61183 10.0.0.190 1.3.6.1.2.1.1.1.0
+ SNMPv2-MIB::sysDescr.0 = STRING: Linux zabbix 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64
+
+
+
+Then add it in zabbix:
+
+![](61.png) ![](62.png)
+
+If it doesnt display the server's disk space, make sure you set the IPMI from "user" to "admin", that way you will collect more data:
+
+![](68.png)
+
+Then you also make sure that the Discovery Rules are all tested, and enabled:
+
+![](69.png)
+
+If it doesn't display in zabbix, its possible that restarting zabbix-server may fix the issue. This is due to the fact that snmpEngineIDs are not checked by snmp tools like snmpwalk, but Zabbix uses it to differentiate between packets from different devices. If these are not unique then it can create issues like authentifiaction failing via snmp. So just restart zabbix-server. (source: [here](https://www.zabbix.com/forum/zabbix-troubleshooting-and-problems/48840-snmpv3-do-not-work-in-zabbix/page2))
+
+
+ root@zabbix:~# systemctl status snmpd
+ ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
+ Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sat 2022-12-24 10:51:15 CET; 6min ago
+ Process: 23239 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited, status=0/SUCCESS)
+ Main PID: 23240 (snmpd)
+ Tasks: 1 (limit: 4670)
+ Memory: 4.9M
+ CPU: 643ms
+ CGroup: /system.slice/snmpd.service
+ └─23240 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
+
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:15 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:16 zabbix snmpd[23240]: Authentication failed for nihilist
+ Dec 24 10:57:16 zabbix snmpd[23240]: Authentication failed for nihilist
+
+ root@zabbix:~# systemctl restart zabbix-server
+
+
+
+Then see that the data gets populated in zabbix:
+
+![](63.png)
+
+To speedup the snmpv3 setup on hosts, i have the following script:
+
+
+ root@zabbix:~# cat snmpsetup.sh
+ #!/bin/bash
+
+ systemctl stop snmpd
+
+
+ echo "[+] ADD THE NON-FREE REPOS IN /etc/apt/sources.list !!!"
+
+ apt install snmp-mibs-downloader
+
+ rm -rf /etc/snmp
+ rm -rf /snmp/
+
+ apt purge snmp snmpd libsnmp-dev -y
+ apt install snmp snmpd libsnmp-dev vnstat bc wget -y
+ wget https://nowhere.moe/snmp/snmpd.conf -O /etc/snmp/snmpd.conf
+ systemctl restart snmpd
+
+ wget https://nowhere.moe/snmp/distro -O /usr/local/bin/distro
+ chmod +x /usr/local/bin/distro
+ /usr/local/bin/distro
+
+ wget https://nowhere.moe/snmp/bandwidth.sh -O /usr/local/bin/bandwidth
+ chmod +x /usr/local/bin/bandwidth
+ /usr/local/bin/bandwidth
+
+ mkdir /snmp/
+
+ systemctl stop snmpd
+ kill -9 $(pidof snmpd)
+ net-snmp-config --create-snmpv3-user -ro -a SHA-512 -A "YOURPASSWORD" -x AES -X "YOURPASSWORD" nihilist
+ snmpget -v 3 -u nihilist -l authpriv -a SHA-512 -A "YOURPASSWORD" -x AES -X "YOURPASSWORD" 127.0.0.1 1.3.6.1.2.1.1.1.0
+
+ systemctl enable --now vnstat snmpd
+ systemctl restart vnstat snmpd
+ systemctl status vnstat snmpd
+
+
+
+If you get the following error on a host you want to monitor via SNMP:
+
+
+ root@pve:~# systemctl status snmpd
+ ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
+ Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sat 2022-12-24 12:26:48 CET; 6s ago
+ Process: 4049199 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited, status=0/SUCCESS)
+ Main PID: 4049200 (snmpd)
+ Tasks: 1 (limit: 115830)
+ Memory: 5.4M
+ CPU: 63ms
+ CGroup: /system.slice/snmpd.service
+ └─4049200 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
+
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in NET-SNMP-AGENT-MIB: nsNotifyShutdown ::= { netSnmpNotifications 2 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in NET-SNMP-AGENT-MIB: nsNotifyRestart ::= { netSnmpNotifications 3 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laErrMessage ::= { laEntry 101 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laErrorFlag ::= { laEntry 100 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laLoadFloat ::= { laEntry 6 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laLoadInt ::= { laEntry 5 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laConfig ::= { laEntry 4 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laLoad ::= { laEntry 3 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laNames ::= { laEntry 2 }
+ Dec 24 12:26:48 pve snmpd[4049200]: Cannot adopt OID in UCD-SNMP-MIB: laIndex ::= { laEntry 1 }
+
+
+
+Then you need to install snmp-mibs-downloader after enabling the non-free repos in /etc/apt/sources.list
+
+
+ root@pve:~# cat /etc/apt/sources.list
+ deb http://ftp.debian.org/debian bullseye main contrib non-free
+ deb http://ftp.debian.org/debian bullseye-updates main contrib non-free
+
+ # security updates
+ deb http://security.debian.org/debian-security bullseye-security main contrib non-free
+
+ root@pve:~# apt update -y
+
+ root@pve:~#
apt-get install snmp-mibs-downloader
+ root@pve:~# systemctl restart snmpd
+ root@pve:~# systemctl status snmpd
+ ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
+ Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
+ Active: active (running) since Sat 2022-12-24 12:30:38 CET; 3s ago
+ Process: 4054749 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited, status=0/SUCCESS)
+ Main PID: 4054750 (snmpd)
+ Tasks: 1 (limit: 115830)
+ Memory: 5.8M
+ CPU: 73ms
+ CGroup: /system.slice/snmpd.service
+ └─4054750 /usr/sbin/snmpd -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
+
+ Dec 24 12:30:38 pve systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
+ Dec 24 12:30:38 pve systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
+
+
+
+If you get this timeout error It most likely means that the server is blocking 161/udp traffic, so you need to allow it via iptables or ufw:
+
+
+ [term1]
+ snmpget -v 3 -u nihilist -l authpriv -a SHA-512 -A PASSWORD -x AES128 -X PASSWORD 10.0.0.1 1.3
+ Timeout: No Response from 10.0.0.1.
+
+ [term2]
+ ufw allow 161
+ ufw allow snmp
+
+ #or with iptables
+ iptables -A INPUT -p udp -m udp -s 10.0.0.0/24 --dport 161 -j ACCEPT
+
+
+
diff --git a/Zabbix/logo.png b/Zabbix/logo.png
new file mode 100644
index 0000000..4a6b729
Binary files /dev/null and b/Zabbix/logo.png differ
diff --git a/anonymousoverflow/0.png b/anonymousoverflow/0.png
new file mode 100644
index 0000000..34712e8
Binary files /dev/null and b/anonymousoverflow/0.png differ
diff --git a/anonymousoverflow/1.png b/anonymousoverflow/1.png
new file mode 100644
index 0000000..db78d99
Binary files /dev/null and b/anonymousoverflow/1.png differ
diff --git a/anonymousoverflow/2.png b/anonymousoverflow/2.png
new file mode 100644
index 0000000..d28c4f6
Binary files /dev/null and b/anonymousoverflow/2.png differ
diff --git a/anonymousoverflow/index.md b/anonymousoverflow/index.md
new file mode 100644
index 0000000..b7f8f4c
--- /dev/null
+++ b/anonymousoverflow/index.md
@@ -0,0 +1,117 @@
+# anonymousoverflow Setup
+
+![](0.png)
+
+In this tutorial we're going to look at how to setup AnonymousOverflow, a privacy front-end for StackOverflow.
+
+## **Initial Setup**
+
+First git-clone it and run it via docker-compose:
+
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv]
+ → git clone https://github.com/httpjamesm/AnonymousOverflow
+ Cloning into 'AnonymousOverflow'...
+ remote: Enumerating objects: 778, done.
+ remote: Counting objects: 100% (287/287), done.
+ remote: Compressing objects: 100% (92/92), done.
+ remote: Total 778 (delta 197), reused 255 (delta 177), pack-reused 491
+ Receiving objects: 100% (778/778), 133.76 KiB | 7.04 MiB/s, done.
+ Resolving deltas: 100% (432/432), done.
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv]
+ → cd AnonymousOverflow
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv/AnonymousOverflow]
+ → ls
+ config docker-compose.example.yml Dockerfile env go.mod go.sum LICENSE main.go public README.md src templates
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv/AnonymousOverflow]
+ → cat docker-compose.yml
+ version: '3'
+
+ services:
+ anonymousoverflow:
+ container_name: 'app'
+ build:
+ context: .
+ environment:
+ - APP_URL=https://overflow.nowhere.moe
+ - JWT_SIGNING_SECRET=nlkdwadwawwadwawa
+ ports:
+ - '8081:8080'
+ restart: 'always'
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv/AnonymousOverflow]
+ → docker-compose up -d
+ Recreating app ...
done
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv/AnonymousOverflow]
+ → docker container ls
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ fd597c0798ca anonymousoverflow_anonymousoverflow "/anonymousoverflow" 16 seconds ago Up 15 seconds 0.0.0.0:8081->8080/tcp, :::8081->8080/tcp app
+
+
+
+then we setup a reverse nginx proxy on it:
+
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available]
+ → vim overflow.nowhere.moe.conf
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available]
+ → cat overflow.nowhere.moe.conf
+ server {
+ listen 443 ssl;
+ server_name overflow.nowhere.moe;
+
+ ssl_certificate /etc/acme/certs/overflow.nowhere.moe/overflow.nowhere.moe.cer;
+ ssl_certificate_key /etc/acme/certs/overflow.nowhere.moe/overflow.nowhere.moe.key;
+
+ ######## TOR CHANGES ########
+ listen 4443;
+ listen [::]:4443;
+ server_name overflow.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
+ add_header Onion-Location "http://overflow.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
+ ######## TOR CHANGES ########
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:8081;
+ }
+
+ }
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available]
+ → ln -s /etc/nginx/sites-available/overflow.nowhere.moe.conf /etc/nginx/sites-enabled
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available]
+ → nginx -t
+ 2023/07/16 00:10:22 [warn] 200694#200694: "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/acme/certs/nitter.nowhere.moe/nitter.nowhere.moe.cer"
+ 2023/07/16 00:10:22 [emerg] 200694#200694: cannot load certificate "/etc/acme/certs/overflow.nowhere.moe/overflow.nowhere.moe.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/acme/certs/overflow.nowhere.moe/overflow.nowhere.moe.cer, r) error:10000080:BIO routines::no such file)
+ nginx: configuration file /etc/nginx/nginx.conf
test failed
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available]
+ → systemctl stop nginx
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available]
+ → bash
+ root@Datura /etc/nginx/sites-available # history | grep acme | tail -n2
+ 299 acme.sh --issue --standalone -d whoogle.nowhere.moe -k 4096
+ 315 history | grep acme | tail -n2
+ root@Datura /etc/nginx/sites-available # acme.sh --issue --standalone -d overflow.nowhere.moe -k 4096
+
+ root@Datura /etc/nginx/sites-available # nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+ root@Datura /etc/nginx/sites-available # systemctl start nginx
+
+
+
+Then check if your instance is accessible:
+
+![](1.png) ![](2.png)
+
+Then contribute to the project by [listing your instance for other users](https://github.com/httpjamesm/AnonymousOverflow#clearnet-instances) like [so](https://github.com/httpjamesm/AnonymousOverflow/issues/43)
+
diff --git a/ansible/0.png b/ansible/0.png
new file mode 100644
index 0000000..3addca6
Binary files /dev/null and b/ansible/0.png differ
diff --git a/ansible/1.png b/ansible/1.png
new file mode 100644
index 0000000..e06247e
Binary files /dev/null and b/ansible/1.png differ
diff --git a/ansible/2.png b/ansible/2.png
new file mode 100644
index 0000000..d12e078
Binary files /dev/null and b/ansible/2.png differ
diff --git a/ansible/3.png b/ansible/3.png
new file mode 100644
index 0000000..4c4fcc8
Binary files /dev/null and b/ansible/3.png differ
diff --git a/ansible/4.png b/ansible/4.png
new file mode 100644
index 0000000..f00067b
Binary files /dev/null and b/ansible/4.png differ
diff --git a/ansible/ansible.png b/ansible/ansible.png
new file mode 100644
index 0000000..098d35a
Binary files /dev/null and b/ansible/ansible.png differ
diff --git a/ansible/index.md b/ansible/index.md
new file mode 100644
index 0000000..b46810e
--- /dev/null
+++ b/ansible/index.md
@@ -0,0 +1,1148 @@ +# Ansible + +![](ansible.png) + +In this tutorial we're going to take a look at how Ansible can be used. + +## **Initial SSH Setup** + +One fundamental requirement for ansible to work is to have a working SSH connection. we can setup key-based ssh authentication connections or we can just setup a regular ssh connection using passwords. let's first take a look at how you can setup a regular ssh connection: + +![](0.png) + +We're going to show an example using a debian LXC container (CT) from a proxmox server. Once the CT is launched get into it's console: + +![](1.png) + +We're going to edit the ssh config as follows: + + + PermitRootLogin yes + + + +inside vim, press **i** to enter the insert mode, then make your text changes, then press **ESC** to exit out of insert mode, and type **:wq** to save and quit vim. After that, restart the sshd service: + +![](2.png) + +Once you have a working SSH connection, that's the bare minimum requirement you need to be able to use ansible. If you want to skip the password prompt you can use key-based authentication SSH connection as follows: + + + [ 10.0.0.10/16 ] [ /dev/pts/10 ] [~] + → ssh root@10.0.0.102 + root@10.0.0.102's password: + Linux test 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Tue Apr 6 15:55:31 2021 + root@test:~# id + uid=0(root) gid=0(root) groups=0(root) + root@test:~# mkdir ~/.ssh + root@test:~# cd ~/.ssh + root@test:~/.ssh# ssh-keygen -t ed25519 + Generating public/private ed25519 key pair. 
+ Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:9SovHVeK8XlycaJDGzHsukb0CvIv9qaNspSZRCV3kn8 root@test + The key's randomart image is: + +--[ED25519 256]--+ + | . +... | + | +.o + | + | . ... o | + | . .+.E + .| + | . S. O.B + | + | ..+. =.@ o | + | =o.+.= = | + | .. ==* | + | .+oO= | + +----[SHA256]-----+ + root@test:~/.ssh# cat id_ed25519.pub >> authorized_keys + root@test:~/.ssh# python3 -m http.server 8080 + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + + + +With the **ssh-keygen** command we generated the private key **id_ed25519** and the public key **id_ed25519.pub**. the private key is a file we need to give to the client that is going to connect to the SSH server, and we permit it's use by making sure the public key that is associated with it is referenced in the authorized_keys file on the server. Now how do we transfer the private key to the client ? I think the easiest method is to temporarily use python3's http module to transfer the ssh key somewhere else on the network. 
Our last command opened a http server in the server's /root/.ssh directory, as you can see here: + + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → curl 10.0.0.102:8080 + + + + + + + # Directory listing for / + + + + + * * * + + + + + + + * [authorized_keys](authorized_keys) + + + * [id_ed25519](id_ed25519) + + + * [id_ed25519.pub](id_ed25519.pub) + + + + + + * * * + + + + + + + + +And especially here: + + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → curl 10.0.0.102:8080/id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACDY0+xVKpBv9IhRkRH4C55/SaF+FJsd7vTJq7IvX6/RlgAAAJCwK2ycsCts + nAAAAAtzc2gtZWQyNTUxOQAAACDY0+xVKpBv9IhRkRH4C55/SaF+FJsd7vTJq7IvX6/Rlg + AAAEDELHAkjN/D62SUBd7QYQ6tKQ3RZV192RKP5xLz9BZ1itjT7FUqkG/0iFGREfgLnn9J + oX4Umx3u9Mmrsi9fr9GWAAAACXJvb3RAdGVzdAECAwQ= + -----END OPENSSH PRIVATE KEY----- + + + +This is how you can transfer a file from a host to another on the same network. 
Now that we know we can access it, let's retrieve the ssh key: + +![]() + + + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → curl http://10.0.0.102:8080/id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACDY0+xVKpBv9IhRkRH4C55/SaF+FJsd7vTJq7IvX6/RlgAAAJCwK2ycsCts + nAAAAAtzc2gtZWQyNTUxOQAAACDY0+xVKpBv9IhRkRH4C55/SaF+FJsd7vTJq7IvX6/Rlg + AAAEDELHAkjN/D62SUBd7QYQ6tKQ3RZV192RKP5xLz9BZ1itjT7FUqkG/0iFGREfgLnn9J + oX4Umx3u9Mmrsi9fr9GWAAAACXJvb3RAdGVzdAECAwQ= + -----END OPENSSH PRIVATE KEY----- + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → curl http://10.0.0.102:8080/id_ed25519 > ~/.ssh/test.pkey + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 399 100 399 0 0 129k 0 --:--:-- --:--:-- --:--:-- 129k + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → ssh root@10.0.0.102 -i ~/.ssh/test.pkey + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + Permissions 0644 for '/home/nothing/.ssh/test.pkey' are too open. + It is required that your private key files are NOT accessible by others. + This private key will be ignored. + Load key "/home/nothing/.ssh/test.pkey": bad permissions + root@10.0.0.102's password: + + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → chmod 600 ~/.ssh/test.pkey + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [blog/servers/ansible] + → ssh root@10.0.0.102 -i ~/.ssh/test.pkey + Linux test 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. 
+ + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Tue Apr 6 16:01:04 2021 from 10.0.0.10 + root@test:~# + + + + +We saved the private key in our client's ~/.ssh folder, we gave it the 600 permissions with chmod, and in the end we have been able to ssh into the server as the root user using that private key, and we didn't get prompted for a password, this is ideal for ansible to work best, but you can settle for the basic password-based authentication and ansible should work fine that way aswell. + +## **Setting up Ansible** + +We're going to follow this network graph: + +![](3.png) + +Now we have our main node at 10.0.0.101, and we want each of our other nodes to be ran a specific command. normally what you would do is to login via ssh into each node one by one to run your set of specific commands one after the other. This is fine if you have 5 or less nodes, but when you end up with 20 or 50 linux nodes it starts to get tedious running these commands one after the other. This is why ansible. All you need is ssh access to your linux cluster to be able to run those commands via ssh for each of them in one go thanks to ansible. Let's setup ansible on our main node: + + + [ 10.0.0.10/16 ] [ /dev/pts/10 ] [~] + → ssh root@10.0.0.101 + root@10.0.0.101's password: + Linux home 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Tue Apr 6 18:31:43 2021 from 10.0.0.10 + root@home:~# apt install ansible -y + + + +ansible is there by default in debian10's repositories, next we're going to need to set it up. 
The first config file we need to edit is **/etc/ansible/hosts** : + + + root@home:~# vim /etc/ansible/hosts + + + +In here we're going to list the ips or hostnames of our other nodes, for this tutorial i'm going to include every LXC container in my proxmox server: + +![](4.png) + + + # Ex 3: A collection of database servers in the 'dbservers' group + + #[dbservers] + # + #db01.intranet.mydomain.net + #db02.intranet.mydomain.net + #10.25.1.56 + #10.25.1.57 + + # Here's another example of host ranges, this time there are no + # leading 0s: + + #db-[99:101]-node.example.com + 10.0.0.102 + 10.0.0.103 + 10.0.0.104 + 10.0.0.105 + 10.0.0.108 + 10.0.0.109 + 10.0.0.110 + 10.0.0.111 + 10.0.0.112 + 10.0.0.113 + 10.0.0.114 + 10.0.0.159 + 10.0.0.160 + 10.0.0.161 + 10.0.0.162 + 10.0.0.164 + 10.0.0.165 + 10.0.0.198 + 10.0.0.199 + + + +In here i listed the ip addresses of my other nodes i know i can access via SSH, hit :wq to save and quit out of vim. Next step is to test if each of these ips are reachable. 
+ + + root@home:~# ansible all -a "/bin/echo hello" -K --ask-pass + SSH password: + SUDO password[defaults to SSH password]: + 10.0.0.103 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.102 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.104 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.105 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.108 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.109 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.110 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.111 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.112 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.113 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.114 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.160 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.159 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.161 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.162 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.164 | FAILED | rc=-1 
>> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.165 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.198 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + 10.0.0.199 | FAILED | rc=-1 >> + to use the 'ssh' connection type with passwords, you must install the sshpass program + + + +We forgot to install sshpass, so let's do it again: + + + root@home:~# apt install sshpass -y + + root@home:~# ansible all -a "/bin/echo hello" -K --ask-pass + SSH password: + SUDO password[defaults to SSH password]: + 10.0.0.102 | CHANGED | rc=0 >> + hello + + 10.0.0.103 | CHANGED | rc=0 >> + hello + + 10.0.0.105 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.104 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.108 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.109 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.110 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.111 | UNREACHABLE! 
=> { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.112 | CHANGED | rc=0 >> + hello + + 10.0.0.113 | CHANGED | rc=0 >> + hello + + 10.0.0.114 | CHANGED | rc=0 >> + hello + + 10.0.0.161 | CHANGED | rc=0 >> + hello + + 10.0.0.162 | CHANGED | rc=0 >> + hello + + 10.0.0.164 | CHANGED | rc=0 >> + hello + + 10.0.0.165 | CHANGED | rc=0 >> + hello + + 10.0.0.159 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.160 | UNREACHABLE! => { + "changed": false, + "msg": "Invalid/incorrect password: Permission denied, please try again.", + "unreachable": true + } + 10.0.0.198 | UNREACHABLE! => { + "changed": false, + "msg": "Failed to connect to the host via ssh: ssh: connect to host 10.0.0.198 port 22: No route to host", + "unreachable": true + } + 10.0.0.199 | UNREACHABLE! => { + "changed": false, + "msg": "Failed to connect to the host via ssh: ssh: connect to host 10.0.0.199 port 22: No route to host", + "unreachable": true + } + + + + +And here we see that there are some nodes i forgot to setup to have root access. But we managed to make ansible run a simple hello command on the ones that had ssh activated on them! Before hitting the next part of this tutorial, i'm going to setup key-based authentication on all of my nodes and then configure ssh to use them automatically. The idea here is that my main node 10.0.0.101 is in fact the client, and all of the other nodes will be accessed by the main node with their respective private ssh key which will be stored on the main node, therefore the main node has to collect them all. + + + root@home:~# cd ~/.ssh + root@home:~/.ssh# ls -lash + total 16K + 4.0K drwx------ 2 root root 4.0K Oct 29 21:40 . + 4.0K drwx------ 7 root root 4.0K Apr 6 18:52 .. 
+ 8.0K -rw-r--r-- 1 root root 4.2K Apr 6 18:40 known_hosts + + + +As i've already explained how to setup SSH with key based authentication, we can now use a script to automate that: + + + [ 10.0.0.10/16 ] [ /dev/pts/12 ] [blog/servers/ansible] + → curl https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh + #!/bin/bash + if [ "$EUID" -ne 0 ] + then + echo 'MUST RUN AS ROOT!' + exit + fi + + apt update -y + apt install openssh-server rsync -y + systemctl status ssh + cd /etc/ssh + rm sshd_config + wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/sshd_config + systemctl restart ssh + + #WE ARE ON THE SERVER !!! + #So we generate the public ssh key + mkdir ~/.ssh/ + cd ~/.ssh/ + ssh-keygen -t ed25519 + cat id_ed25519.pub >> authorized_keys + + #ssh server has the public key + #we give the private key to the user somehow + #the user puts id_ed25519 into his own ~/.ssh/ + #and he does "chmod 600 ~/.ssh/id_ed25519" + #and only after he can login + + systemctl status ssh + + + + +Let's use that script on each node one by one starting with my test node (10.0.0.102): + + + root@test:~# wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh + --2021-04-06 17:05:16-- https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 652 [text/plain] + Saving to: 'ssh.sh' + + ssh.sh 100%[==================================================================================================>] 652 --.-KB/s in 0s + + 2021-04-06 17:05:16 (12.0 MB/s) - 'ssh.sh' saved [652/652] + + root@test:~# chmod +X ssh.sh + root@test:~# chmod +x ssh.sh + root@test:~# ./ssh.sh + Hit:1 http://security.debian.org buster/updates InRelease + Hit:2 http://ftp.debian.org/debian buster InRelease + Hit:3 http://ftp.debian.org/debian buster-updates InRelease + Reading package lists... Done + Building dependency tree + Reading state information... Done + All packages are up to date. + Reading package lists... Done + Building dependency tree + Reading state information... Done + openssh-server is already the newest version (1:7.9p1-10+deb10u2). + rsync is already the newest version (3.1.3-6). + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + * ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Tue 2021-04-06 17:04:07 UTC; 1min 26s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 9646 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 9647 (sshd) + Tasks: 1 (limit: 7372) + Memory: 1.2M + CGroup: /system.slice/ssh.service + `-9647 /usr/sbin/sshd -D + + Apr 06 17:04:07 test systemd[1]: Starting OpenBSD Secure Shell server... + Apr 06 17:04:07 test sshd[9647]: Server listening on 0.0.0.0 port 22. + Apr 06 17:04:07 test sshd[9647]: Server listening on :: port 22. + Apr 06 17:04:07 test systemd[1]: Started OpenBSD Secure Shell server. + --2021-04-06 17:05:34-- https://raw.githubusercontent.com/ech1/serverside/master/ssh/sshd_config + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected. 
+ HTTP request sent, awaiting response... 200 OK + Length: 3307 (3.2K) [text/plain] + Saving to: 'sshd_config' + + sshd_config 100%[==================================================================================================>] 3.23K --.-KB/s in 0s + + 2021-04-06 17:05:34 (13.2 MB/s) - 'sshd_config' saved [3307/3307] + + Generating public/private ed25519 key pair. + Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:qZBD/lo/RULWgbmOS+gajCCtcmnACP24FHKd3RL4C3w root@test + The key's randomart image is: + +--[ED25519 256]--+ + | .. +.. | + | . ..o o= . | + |o +.+.oo.. | + |++ *o.E.o.. | + |=.+ *+ +So | + |o* o.++.. . | + |+ B. .+. . | + |.o ..o... | + | ... .. | + +----[SHA256]-----+ + * ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Tue 2021-04-06 17:05:34 UTC; 2s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 9912 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 9913 (sshd) + Tasks: 1 (limit: 7372) + Memory: 1.2M + CGroup: /system.slice/ssh.service + `-9913 /usr/sbin/sshd -D + + Apr 06 17:05:34 test systemd[1]: Starting OpenBSD Secure Shell server... + Apr 06 17:05:34 test sshd[9913]: Server listening on 0.0.0.0 port 22. + Apr 06 17:05:34 test sshd[9913]: Server listening on :: port 22. + Apr 06 17:05:34 test systemd[1]: Started OpenBSD Secure Shell server. + + + + +once it finished running, check the ~/.ssh directory: + + + root@test:~# ls -lash ~/.ssh/ + total 20K + 4.0K drwxr-xr-x 2 root root 4.0K Apr 6 17:05 . + 4.0K drwx------ 4 root root 4.0K Apr 6 17:05 .. 
+ 4.0K -rw-r--r-- 1 root root 91 Apr 6 17:05 authorized_keys + 4.0K -rw------- 1 root root 399 Apr 6 17:05 id_ed25519 + 4.0K -rw-r--r-- 1 root root 91 Apr 6 17:05 id_ed25519.pub + + + +And what we want from here is the id_ed25519 file which is our test node's private key. + + + root@test:~# ip a | grep inet + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.102/16 brd 10.0.255.255 scope global eth0 + inet6 fe80::b847:2bff:fe85:4dd3/64 scope link + root@test:~# python3 -m http.server 8080 + + + +and retrieve the ssh key on the main node: + + + root@home:~# wget 10.0.0.102:8080/.ssh/id_ed25519 -O ~/.ssh/test.pkey + --2021-04-06 19:08:33-- http://10.0.0.102:8080/.ssh/id_ed25519 + Connecting to 10.0.0.102:8080... connected. + HTTP request sent, awaiting response... 200 OK + Length: 399 [application/octet-stream] + Saving to: ‘/root/.ssh/test.pkey’ + + /root/.ssh/test.pkey 100%[===============================>] 399 --.-KB/s in 0s + + 2021-04-06 19:08:33 (22.0 MB/s) - ‘/root/.ssh/test.pkey’ saved [399/399] + + + +Easy! 
Now after doing the same on the other nodes we end up with the following: + + + root@home:~/.ssh# ls -l + total 84 + -rw------- 1 root root 411 Apr 6 20:07 cyber-160.pkey + -rw------- 1 root root 399 Apr 6 20:16 dns198.pkey + -rw------- 1 root root 399 Apr 6 20:16 dns199.pkey + -rw------- 1 root root 399 Apr 6 19:58 etherpad-111.pkey + -rw------- 1 root root 399 Apr 6 19:56 gitea-110.pkey + -rw------- 1 root root 399 Apr 6 19:54 hastebin-109.pkey + -rw------- 1 root root 399 Apr 6 19:52 kanboard-105.pkey + -rw-r--r-- 1 root root 4662 Apr 6 20:17 known_hosts + -rw------- 1 root root 411 Oct 11 12:29 nextcloud-103.pkey + -rw------- 1 root root 411 Apr 6 19:59 pgadmin-112.pkey + -rw------- 1 root root 411 Apr 6 20:02 pgadmin4-114.pkey + -rw------- 1 root root 411 Apr 6 20:13 pgbouncer-165.pkey + -rw------- 1 root root 419 Apr 6 20:01 phpmyadmin-113.pkey + -rw------- 1 root root 411 Apr 6 19:50 privatebin-104.pkey + -rw------- 1 root root 411 Apr 6 20:10 psql1-161.pkey + -rw------- 1 root root 411 Apr 6 20:10 psql1-162.pkey + -rw------- 1 root root 411 Apr 6 20:10 psql1-163.pkey + -rw------- 1 root root 411 Apr 6 20:10 psql1-164.pkey + -rw------- 1 root root 411 Apr 6 20:05 rev-159.pkey + -rw------- 1 root root 399 Apr 6 19:18 test-102.pkey + + + +Basically i have a bunch of private ssh keys and i want my ssh client to automatically associate them with their corresponding IPs to make sure that this is an automatic connection + + + root@home:~/.ssh# vim ~/.ssh/config + + + + + Host nextcloud + Hostname 10.0.0.103 + IdentityFile ~/.ssh/nextcloud-103.pkey + User root + + Host privatebin + Hostname 10.0.0.104 + IdentityFile ~/.ssh/privatebin-104.pkey + User root + + Host kanboard + Hostname 10.0.0.105 + IdentityFile ~/.ssh/kanboard-105.pkey + User root + + Host hastebin + Hostname 10.0.0.109 + IdentityFile ~/.ssh/hastebin-109.pkey + User root + + Host gitea + Hostname 10.0.0.110 + IdentityFile ~/.ssh/gitea-110.pkey + User root + + Host etherpad + Hostname 10.0.0.111 + 
IdentityFile ~/.ssh/etherpad-111.pkey + User root + + Host pgadmin + Hostname 10.0.0.112 + IdentityFile ~/.ssh/pgadmin-112.pkey + User root + + Host phpmyadmin + Hostname 10.0.0.113 + IdentityFile ~/.ssh/phpmyadmin-113.pkey + User root + + Host pgadmin4 + Hostname 10.0.0.114 + IdentityFile ~/.ssh/pgadmin4-114.pkey + User root + Host revshells + Hostname 10.0.0.159 + IdentityFile ~/.ssh/rev-159.pkey + User root + Host cyberchef + Hostname 10.0.0.160 + IdentityFile ~/.ssh/cyber-160.pkey + User root + + + +Each of the hosts defined in here can be re-used in ansible's config file: + + + root@home:~# cat ~/.ssh/config | grep 'Host\ ' + Host nextcloud + Host privatebin + Host kanboard + Host hastebin + Host gitea + Host etherpad + Host pgadmin + Host phpmyadmin + Host pgadmin4 + Host revshells + Host cyberchef + Host psql1 + Host psql2 + Host psql3 + Host psql4 + Host pgbouncer + Host pihole1 + Host pihole2 + + root@home:~/.ssh# vim /etc/ansible/hosts + + root@home:~/.ssh# cat /etc/ansible/hosts | tail -n20 + + nextcloud + privatebin + kanboard + hastebin + gitea + etherpad + pgadmin + phpmyadmin + pgadmin4 + revshells + cyberchef + psql1 + psql2 + psql3 + psql4 + pgbouncer + pihole1 + pihole2 + + + +Once added run ansible to test the changes: + + + root@home:~/.ssh# ansible all -a "/bin/echo hello" + gitea | CHANGED | rc=0 >> + hello + + hastebin | CHANGED | rc=0 >> + hello + + nextcloud | CHANGED | rc=0 >> + hello + + privatebin | CHANGED | rc=0 >> + hello + + kanboard | CHANGED | rc=0 >> + hello + + pgadmin | CHANGED | rc=0 >> + hello + + phpmyadmin | CHANGED | rc=0 >> + hello + + etherpad | CHANGED | rc=0 >> + hello + + pgadmin4 | CHANGED | rc=0 >> + hello + + revshells | CHANGED | rc=0 >> + hello + + cyberchef | CHANGED | rc=0 >> + hello + + psql2 | CHANGED | rc=0 >> + hello + + psql4 | CHANGED | rc=0 >> + hello + + psql1 | CHANGED | rc=0 >> + hello + + psql3 | CHANGED | rc=0 >> + hello + + pgbouncer | CHANGED | rc=0 >> + hello + + pihole1 | CHANGED | rc=0 >> + 
hello + + pihole2 | CHANGED | rc=0 >> + hello + + + +Another way of testing it is by using the ping module: + + + root@home:~/.ssh# ansible all -m ping + kanboard | SUCCESS => { + "changed": false, + "ping": "pong" + } + nextcloud | SUCCESS => { + "changed": false, + "ping": "pong" + } + gitea | SUCCESS => { + "changed": false, + "ping": "pong" + } + hastebin | SUCCESS => { + "changed": false, + "ping": "pong" + } + privatebin | SUCCESS => { + "changed": false, + "ping": "pong" + } + pgadmin | SUCCESS => { + "changed": false, + "ping": "pong" + } + phpmyadmin | SUCCESS => { + "changed": false, + "ping": "pong" + } + pgadmin4 | SUCCESS => { + "changed": false, + "ping": "pong" + } + + [...] + + + +That's the correct way of using ansible.To summarize, you first setup key-based authentication ssh connections on all hosts (you can run a script to do that), then you retrieve the private ssh keys to the master node, and create the **~/.ssh/config** file to associate the private keys with their corresponding ips which gives you **SSH Host aliases (private key + ip pairs)** to give to ansible via **/etc/ansible/hosts** and from there, ansible is going to run what you want on the hosts without requiring a password. + +## **Ansible Playbooks** + + + root@home:~# mkdir playbooks + root@home:~# cd playbooks/ + root@home:~/playbooks# vim update.yml + + + +Be careful when you do .yml files, you need to watch out for indentations, just like for python programs. 
+ + + root@home:~/playbooks# vim update.yml + --- + - name: Playbook + hosts: all + become: yes + tasks: + - name: Update and upgrade apt packages + become: true + apt: + upgrade: yes + update_cache: yes + cache_valid_time: 86400 #One day + + + + +ansible has an apt module to run apt updates, the 'become' line means that we want to run our commands as the root user (become root = yes) + +:wq to save and quit out of vim, and then run the playbook like so: + + + + root@home:~/playbooks# ansible-playbook update.yml + + PLAY [Playbook] *********************************************************************************************************************************************** + + TASK [Gathering Facts] **************************************************************************************************************************************** + ok: [hastebin] + ok: [kanboard] + ok: [privatebin] + ok: [gitea] + ok: [nextcloud] + ok: [etherpad] + ok: [phpmyadmin] + ok: [revshells] + ok: [pgadmin] + ok: [pgadmin4] + ok: [cyberchef] + ok: [psql2] + ok: [psql3] + ok: [psql4] + ok: [psql1] + ok: [pgbouncer] + ok: [pihole1] + ok: [pihole2] + + TASK [Update and upgrade apt packages] ************************************************************************************************************************ + + + +At this point it's going to take a bit of time to effectively run on all hosts, but when it finishes it looks like that: + + + + TASK [Update and upgrade apt packages] ************************************************************************************************************************ + [WARNING]: Could not find aptitude. Using apt-get instead. 
+ + changed: [hastebin] + changed: [gitea] + ok: [pgadmin] + changed: [etherpad] + ok: [pgadmin4] + changed: [phpmyadmin] + changed: [kanboard] + changed: [nextcloud] + changed: [privatebin] + ok: [psql2] + ok: [psql1] + ok: [psql3] + ok: [psql4] + ok: [pgbouncer] + changed: [revshells] + changed: [cyberchef] + changed: [pihole1] + changed: [pihole2] + + PLAY RECAP **************************************************************************************************************************************************** + cyberchef : ok=2 changed=1 unreachable=0 failed=0 + etherpad : ok=2 changed=1 unreachable=0 failed=0 + gitea : ok=2 changed=1 unreachable=0 failed=0 + hastebin : ok=2 changed=1 unreachable=0 failed=0 + kanboard : ok=2 changed=1 unreachable=0 failed=0 + nextcloud : ok=2 changed=1 unreachable=0 failed=0 + pgadmin : ok=2 changed=0 unreachable=0 failed=0 + pgadmin4 : ok=2 changed=0 unreachable=0 failed=0 + pgbouncer : ok=2 changed=0 unreachable=0 failed=0 + phpmyadmin : ok=2 changed=1 unreachable=0 failed=0 + pihole1 : ok=2 changed=1 unreachable=0 failed=0 + pihole2 : ok=2 changed=1 unreachable=0 failed=0 + privatebin : ok=2 changed=1 unreachable=0 failed=0 + psql1 : ok=2 changed=0 unreachable=0 failed=0 + psql2 : ok=2 changed=0 unreachable=0 failed=0 + psql3 : ok=2 changed=0 unreachable=0 failed=0 + psql4 : ok=2 changed=0 unreachable=0 failed=0 + revshells : ok=2 changed=1 unreachable=0 failed=0 + + root@home:~/playbooks# + + + +So from that we see that i had to run apt update and apt upgrade on 11 of my LXC containers. 
If we run the same playbook again we see that it shouldn't need to change anything:
+
+
+ root@home:~/playbooks# ansible-playbook update.yml
+
+ PLAY [Playbook] ***********************************************************************************************************************************************
+
+ TASK [Gathering Facts] ****************************************************************************************************************************************
+ ok: [hastebin]
+ ok: [gitea]
+ ok: [privatebin]
+ ok: [nextcloud]
+ ok: [kanboard]
+ ok: [phpmyadmin]
+ ok: [pgadmin]
+ ok: [revshells]
+ ok: [pgadmin4]
+ ok: [etherpad]
+ ok: [cyberchef]
+ ok: [psql2]
+ ok: [psql4]
+ ok: [psql1]
+ ok: [psql3]
+ ok: [pgbouncer]
+ ok: [pihole1]
+ ok: [pihole2]
+
+ TASK [Update and upgrade apt packages] ************************************************************************************************************
+ [WARNING]: Could not find aptitude. Using apt-get instead.
+
+ ok: [gitea]
+ ok: [nextcloud]
+ ok: [privatebin]
+ ok: [kanboard]
+ ok: [hastebin]
+ ok: [phpmyadmin]
+ ok: [pgadmin]
+ ok: [pgadmin4]
+ ok: [revshells]
+ ok: [cyberchef]
+ ok: [etherpad]
+ ok: [psql2]
+ ok: [pihole1]
+ ok: [pgbouncer]
+ ok: [psql1]
+ ok: [psql4]
+ ok: [psql3]
+ ok: [pihole2]
+
+ PLAY RECAP ****************************************************************************************************************************************************
+ cyberchef : ok=2 changed=0 unreachable=0 failed=0
+ etherpad : ok=2 changed=0 unreachable=0 failed=0
+ gitea : ok=2 changed=0 unreachable=0 failed=0
+ hastebin : ok=2 changed=0 unreachable=0 failed=0
+ kanboard : ok=2 changed=0 unreachable=0 failed=0
+ nextcloud : ok=2 changed=0 unreachable=0 failed=0
+ pgadmin : ok=2 changed=0 unreachable=0 failed=0
+ pgadmin4 : ok=2 changed=0 unreachable=0 failed=0
+ pgbouncer : ok=2 changed=0 unreachable=0 failed=0
+ phpmyadmin : ok=2 changed=0 unreachable=0 failed=0
+ pihole1 : ok=2 changed=0 unreachable=0 failed=0
+ pihole2 : ok=2 changed=0 unreachable=0 failed=0
+ privatebin : ok=2 changed=0 unreachable=0 failed=0
+ psql1 : ok=2 changed=0 unreachable=0 failed=0
+ psql2 : ok=2 changed=0 unreachable=0 failed=0
+ psql3 : ok=2 changed=0 unreachable=0 failed=0
+ psql4 : ok=2 changed=0 unreachable=0 failed=0
+ revshells : ok=2 changed=0 unreachable=0 failed=0
+
+ root@home:~/playbooks#
+
+
+
+As expected, our playbook didn't need to change anything this time.For our next part, although not recommended, we can also bypass the need for playbooks:
+
+
+ root@home:~/playbooks# ansible all -m apt -a "upgrade=yes update_cache=yes cache_valid_time=86400" --become
+ [WARNING]: Could not find aptitude. Using apt-get instead.
+
+ privatebin | SUCCESS => {
+ "changed": false,
+ "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nCalculating upgrade...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n",
+ "stderr": "",
+ "stderr_lines": [],
+ "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nCalculating upgrade...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n",
+ "stdout_lines": [
+ "Reading package lists...",
+ "Building dependency tree...",
+ "Reading state information...",
+ "Calculating upgrade...",
+ "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
+ ]
+ }
+ gitea | SUCCESS => {
+ "changed": false,
+ "msg": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nCalculating upgrade...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n",
+ "stderr": "",
+ "stderr_lines": [],
+ "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nCalculating upgrade...\n0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.\n",
+ "stdout_lines": [
+ "Reading package lists...",
+ "Building dependency tree...",
+ "Reading state information...",
+ "Calculating upgrade...",
+ "0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."
+ ]
+ }
+
+ [...]
+
+ root@home:~/playbooks# ansible all -m shell -a "ping -c1 1.1.1.1"
+ privatebin | CHANGED | rc=0 >>
+ PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+ 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=21.9 ms
+
+ --- 1.1.1.1 ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 21.889/21.889/21.889/0.000 ms
+
+ hastebin | CHANGED | rc=0 >>
+ PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+ 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=27.9 ms
+
+ --- 1.1.1.1 ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 27.925/27.925/27.925/0.000 ms
+
+ nextcloud | CHANGED | rc=0 >>
+ PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+ 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=26.6 ms
+
+ --- 1.1.1.1 ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 26.642/26.642/26.642/0.000 ms
+
+ gitea | CHANGED | rc=0 >>
+ PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+ 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=25.7 ms
+
+ --- 1.1.1.1 ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 25.708/25.708/25.708/0.000 ms
+
+ kanboard | CHANGED | rc=0 >>
+ PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+ 64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=22.0 ms
+
+ [...]
+
+
+Like this you can run any commands you want. But ideally we want to use playbooks. Now let's make sure this ansible playbook runs daily, we're going to use crontab to do that:
+
+
+ root@home:~/playbooks# which ansible-playbook
+ /usr/bin/ansible-playbook
+ root@home:~/playbooks# /usr/bin/ansible-playbook /root/playbooks/update.yml
+
+ PLAY [Playbook] ***********************************************************************************************************************************************
+
+ TASK [Gathering Facts] ****************************************************************************************************************************************
+ ok: [hastebin]
+ ok: [privatebin]
+ ok: [gitea]
+ ok: [kanboard]
+ ok: [nextcloud]
+ ok: [pgadmin]
+ ok: [pgadmin4]
+ ok: [phpmyadmin]
+ ok: [revshells]
+ ok: [etherpad]
+ ok: [cyberchef]
+ ok: [psql2]
+ ok: [psql4]
+ ok: [psql1]
+ ok: [psql3]
+ ok: [pgbouncer]
+ ok: [pihole2]
+
+
+
+Cron needs the absolute paths so now we know we can do it:
+
+
+ root@home:~/playbooks# crontab -e
+
+ 0 3 * * * "/usr/bin/ansible-playbook /root/playbooks/update.yml"
+
+ :wq
+
+
+Now with this, cron is going to run our playbook every night at 3 am.
+
diff --git a/apt-cacher/0.png b/apt-cacher/0.png
new file mode 100644
index 0000000..7abf2b3
Binary files /dev/null and b/apt-cacher/0.png differ
diff --git a/apt-cacher/1.png b/apt-cacher/1.png
new file mode 100644
index 0000000..d35c969
Binary files /dev/null and b/apt-cacher/1.png differ
diff --git a/apt-cacher/index.md b/apt-cacher/index.md
new file mode 100644
index 0000000..2d6d299
--- /dev/null
+++ b/apt-cacher/index.md
@@ -0,0 +1,195 @@
+# Apt-Cacher Setup
+
+![](0.png)
+
+For a whole host of reasons, it can be useful to have a locally-hosted server to redistribute updates to the whole park. That's what we're going to do today with apt-cacher, which will fetch packages from the official repositories when a client requests them, before making them available on the local LAN. This applies to all downloaded packages, so whether you're installing an application or simply updating your system, the proxy will fetch the packages for us.
+
+## **Initial Setup**
+
+Install Apt-Cacher-NG by using the below command
+
+
+ #Install the service
+ apt install apt-cacher-ng -y
+
+
+Once the Apt-Cacher-NG package is installed, start the Apt-Cacher-NG service and enable it to start at system reboot and check his current status.
+
+
+ #Start, enable at boot and check the status of the service
+ systemctl start apt-cacher-ng
+ systemctl enable apt-cacher-ng
+ systemctl status apt-cacher-ng
+
+
+Apt-Cacher-NG listens on port 3142. Now check if the service is correctly running by using the below command
+
+
+ ss -ntlp| grep apt
+
+
+## **Configuration**
+
+Now we need to configure it by editing the configuration file
+
+
+ vim /etc/apt-cacher-ng/acng.conf
+
+
+Example of configuration
+
+
+ # Letter case in directive names does not matter. Must be separated with colons.
+ # Valid boolean values are a zero number for false, non-zero numbers for true.
+ CacheDir: /var/cache/apt-cacher-ng
+ # set empty to disable logging
+ LogDir: /var/log/apt-cacher-ng
+ # TCP (http) port
+ # Set to 9999 to emulate apt-proxy
+ Port: 3142
+ # Addresses or hostnames to listen on. Multiple addresses must be separated by
+ # spaces. Each entry must be associated with a local interface. DNS resolution
+ # is performed using getaddrinfo(3) for all available protocols (i.e. IPv4 and
+ # IPv6 if available).
+ #
+ # Default: not set, will listen on all interfaces.
+ #
+ # BindAddress: localhost 192.168.7.254 publicNameOnMainInterface
+ #Proxy: http://www-proxy.example.net:80
+ #proxy: http://username:proxypassword@proxy.example.net:3128
+ # Repository remapping. See manual for details.
+ # In this example, backends file is generated during package installation.
+ #Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian
+ Remap-debrep: file:deb_mirrors*.gz /debian ; file:backends_debian
+ Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu
+ Remap-debvol: file:debvol_mirror*.gz /debian-volatile ; file:backends_debvol
+ # Virtual page accessible in a web browser to see statistics and status
+ # information, i.e. under http://localhost:3142/acng-report.html
+ ReportPage: acng-report.html
+ # Socket file for accessing through local UNIX socket instead of TCP/IP. Can be
+ # used with inetd bridge or cron client.
+ # SocketPath:/var/run/apt-cacher-ng/socket
+ # Forces log file to be written to disk after every line when set to 1. Default
+ # is 0, buffer flush happens after client disconnects.
+ #
+ # (technically, this is an alias to the Debug option provided for convenience)
+ #
+ #Allow HTTPS tunnels
+ PassThroughPattern: .*
+ #
+ # UnbufferLogs: 0
+ # Set to 0 to store only type, time and transfer sizes.
+ # 1 -> client IP and relative local path are logged too
+ VerboseLog: 0
+ # Don't detach from the console
+ # ForeGround: 0
+ # Store the pid of the daemon process therein
+ PidFile: /var/run/apt-cacher-ng/pid
+ # Forbid outgoing connections, work around them or respond with 503 error
+ # offlinemode:0
+ # Forbid all downloads that don't run through preconfigured backends (.where)
+ #ForceManaged: 0
+ # Days before considering an unreferenced file expired (to be deleted).
+ # Warning: if the value is set too low and particular index files are not
+ # available for some days (mirror downtime) there is a risk of deletion of
+ # still usefull package files.
+ ExTreshold: 4
+ # Stop expiration when a critical problem appeared. Currently only failed
+ # refresh of an index file is considered as critical.
+ #
+ # WARNING: don't touch this option or set to a non-zero number.
+ # Anything else is DANGEROUS and may cause data loss.
+ #
+ # ExAbortOnProblems: 1
+ # Replace some Windows/DOS-FS incompatible chars when storing
+ # StupidFs: 0
+ # Experimental feature for apt-listbugs: pass-through SOAP requests and
+ # responses to/from bugs.debian.org. If not set, default is true if
+ # ForceManaged is enabled and false otherwise.
+ # ForwardBtsSoap: 1
+ # The daemon has a small cache for DNS data, to speed up resolution. The
+ # expiration time of the DNS entries can be configured in seconds.
+ # DnsCacheSeconds: 3600
+ # Don't touch the following values without good consideration!
+ #
+ # Max. count of connection threads kept ready (for faster response in the
+ # future). Should be a sane value between 0 and average number of connections,
+ # and depend on the amount of spare RAM.
+ # MaxStandbyConThreads: 8
+ #
+ # Hard limit of active thread count for incomming connections, i.e. operation
+ # is refused when this value is reached (below zero = unlimited).
+ # MaxConThreads: -1
+ #
+ #VfilePattern = (^|.*?/)(Index|Packages\.bz2|Packages\.gz|Packages|Release|Release\.gpg|Sources\.bz2|Sources\.gz|Sources|release|index\.db-.*\.gz|Contents-[^/]*\.gz|pkglist[^/]*\.bz2|rclist[^/]*\.bz2|/meta-release[^/]*|Translation[^/]*\.bz2)$
+ #PfilePattern = .*(\.deb|\.rpm|\.dsc|\.tar\.gz\.gpg|\.tar\.gz|\.diff\.gz|\.diff\.bz2|\.jigdo|\.template|changelog|copyright|\.udeb|\.diff/.*\.gz|vmlinuz|initrd\.gz|ReleaseAnnouncement)$
+ # Whitelist for expiration, file types not to be removed even when being
+ # unreferenced. Default: same as VfilePattern which is a safe bed. When and
+ # only when the only used mirrors are official repositories (with working
+ # Release files) then it might be set to something more restrictive, like
+ # (^|.*?/)(Release|Release\.gpg|release|meta-release|Translation[^/]*\.bz2)$
+ #WfilePattern = (^|.*?/)(Index|Packages\.bz2|Packages\.gz|Packages|Release|Release\.gpg|Sources\.bz2|Sources\.gz|Sources|release|index\.db-.*\.gz|Contents-[^/]*\.gz|pkglist[^/]*\.bz2|rclist[^/]*\.bz2|/meta-release[^/]*|Translation[^/]*\.bz2)$
+ # Higher modes only working with the debug version
+ # Warning, writes a lot into apt-cacher.err logfile
+ # Value overwrites UnbufferLogs setting (aliased)
+ Debug:2
+ # Usually, general purpose proxies like Squid expose the IP adress of the
+ # client user to the remote server using the X-Forwarded-For HTTP header. This
+ # behaviour can be optionally turned on with the Expose-Origin option.
+ # ExposeOrigin: 0
+ # When logging the originating IP address, trust the information supplied by
+ # the client in the X-Forwarded-For header.
+ # LogSubmittedOrigin: 0
+ # The version string reported to the peer, to be displayed as HTTP client (and
+ # version) in the logs of the mirror.
+ # WARNING: some archives use this header to detect/guess capabilities of the
+ # client (i.e. redirection support) and change the behaviour accordingly, while
+ # ACNG might not support the expected features. Expect side effects.
+ #
+ # UserAgent: Yet Another HTTP Client/1.2.3p4
+ # In some cases the Import and Expiration tasks might create fresh volatile
+ # data for internal use by reconstructing them using patch files. This
+ # by-product might be recompressed with bzip2 and with some luck the resulting
+ # file becomes identical to the *.bz2 file on the server, usable for APT
+ # clients trying to fetch the full .bz2 compressed version. Injection of the
+ # generated files into the cache has however a disadvantage on underpowered
+ # servers: bzip2 compession can create high load on the server system and the
+ # visible download of the busy .bz2 files also becomes slower.
+ #
+ # RecompBz2: 0
+ # Network timeout for outgoing connections.
+ # NetworkTimeout: 60
+
+
+Now restart Apt-Cacher-NG
+
+
+ systemctl restart apt-cacher-ng
+
+
+## **Client Configuration**
+
+For Configure Client System to use Apt-Cacher NG. Create a new proxy configuration file on your host
+
+
+ #Conf file to edit
+ vim /etc/apt/apt.conf.d/00aptproxy
+
+ #Add the following Lines:
+ Acquire::http::Proxy "http://MyAptCacherIP:3142";
+
+
+Once apt-cacher has been installed on a server and your clients configured to use it, you can run an apt-update for example. When the command is executed, it will ask your apt-cacher server to retrieve the data before making it available to the client making the request. Via the apt-hide web page, we can check the status of the apt-hide server, the amount of data downloaded by the apt-hide server and redistributed on the local LAN, etc.
+
+![](1.png)
+
+## **Troubleshoot**
+
+It can happen that after some time, some of your machines, especially if you're using specific repositories different from the base ones, encounter issues when fetching the latest updates. This may be caused by the package cache on the apt-cacher. To resolve this issue, here is how to clear it.
+
+
+ sudo /etc/init.d/apt-cacher-ng stop
+ sudo rm -r /var/cache/apt-cacher-ng/*
+ sudo /etc/init.d/apt-cacher-ng start
+
+
diff --git a/asciinema/0.png b/asciinema/0.png
new file mode 100644
index 0000000..966312a
Binary files /dev/null and b/asciinema/0.png differ
diff --git a/asciinema/1.png b/asciinema/1.png
new file mode 100644
index 0000000..86b70c9
Binary files /dev/null and b/asciinema/1.png differ
diff --git a/asciinema/2.png b/asciinema/2.png
new file mode 100644
index 0000000..1029d5c
Binary files /dev/null and b/asciinema/2.png differ
diff --git a/asciinema/3.png b/asciinema/3.png
new file mode 100644
index 0000000..a786a85
Binary files /dev/null and b/asciinema/3.png differ
diff --git a/asciinema/4.png b/asciinema/4.png
new file mode 100644
index 0000000..f4d7ecc
Binary files /dev/null and b/asciinema/4.png differ
diff --git a/asciinema/5.png b/asciinema/5.png
new file mode 100644
index 0000000..937e8df
Binary files /dev/null and b/asciinema/5.png differ
diff --git a/asciinema/6.png b/asciinema/6.png
new file mode 100644
index 0000000..3976b51
Binary files /dev/null and b/asciinema/6.png differ
diff --git a/asciinema/7.png b/asciinema/7.png
new file mode 100644
index 0000000..9c6d022
Binary files /dev/null and b/asciinema/7.png differ
diff --git a/asciinema/8.png b/asciinema/8.png
new file mode 100644
index 0000000..47ae4db
Binary files /dev/null and b/asciinema/8.png differ
diff --git a/asciinema/index.md b/asciinema/index.md
new file mode 100644
index 0000000..98fba29
--- /dev/null
+++ b/asciinema/index.md
@@ -0,0 +1,509 @@
+# Asciinema server setup
+
+![](0.png)
+
+In this tutorial we're going to look at how to setup an asciinema server and how to use the commandline utility itself.
+
+## **Initial Setup**
+
+Make sure you have docker installed:
+
+
+ root@docker0:~# apt install docker.io -y
+
+
+
+Then you can get the official docker-compose.yml file provided by asciinema on their official github repository:
+
+
+ root@docker0:~# ls -lsh
+ total 32K
+ 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 19:16 codimd
+ 4.0K drwxr-xr-x 11 root root 4.0K Apr 18 08:03 dillinger
+ 4.0K drwxr-xr-x 7 root root 4.0K Apr 18 08:03 kutt
+ 4.0K drwxr-xr-x 4 systemd-coredump root 4.0K Apr 18 21:57 mongo_data
+ 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 08:56 neko
+ 4.0K drwxr-xr-x 2 systemd-coredump root 4.0K Apr 19 17:31 redis_data
+ 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 21:01 sharelatex
+ 4.0K drwxr-xr-x 5 root root 4.0K Apr 18 20:46 sharelatex_data
+
+ root@docker0:~# git clone --recursive https://github.com/asciinema/asciinema-server.git
+ Cloning into 'asciinema-server'...
+ remote: Enumerating objects: 20182, done.
+ remote: Counting objects: 100% (83/83), done.
+ remote: Compressing objects: 100% (63/63), done.
+ remote: Total 20182 (delta 26), reused 42 (delta 19), pack-reused 20099
+ Receiving objects: 100% (20182/20182), 9.66 MiB | 6.91 MiB/s, done.
+ Resolving deltas: 100% (11987/11987), done.
+ Submodule 'native/vt' (https://github.com/asciinema/vt-rs.git) registered for path 'native/vt'
+ Cloning into '/root/asciinema-server/native/vt'...
+ remote: Enumerating objects: 253, done.
+ remote: Total 253 (delta 0), reused 0 (delta 0), pack-reused 253
+ Receiving objects: 100% (253/253), 44.38 KiB | 826.00 KiB/s, done.
+ Resolving deltas: 100% (116/116), done.
+ Submodule path 'native/vt': checked out 'ee2a4640569c1ab0c64eae44c0804a4f59f8a9f1'
+
+ root@docker0:~# cd asciinema-server/
+
+ root@docker0:~/asciinema-server# git checkout master
+ M docker-compose.yml
+ Branch 'master' set up to track remote branch 'master' from 'origin'.
+ Switched to a new branch 'master'
+
+ root@docker0:~/asciinema-server# git checkout -b void.yt master
+ M docker-compose.yml
+ Switched to a new branch 'void.yt'
+
+ root@docker0:~/asciinema-server# ls
+ assets config CONTRIBUTING.md dev docker docker-compose.yml Dockerfile lib LICENSE mix.exs mix.lock native priv README.md rel test uploads
+
+ root@docker0:~/asciinema-server# vim docker-compose.yml
+
+
+
+Let's see what the docker-compose.yml file contains:
+
+
+ version: '2'
+
+ services:
+ postgres:
+ image: postgres:10.6-alpine
+ container_name: asciinema_postgres
+ restart: unless-stopped
+ volumes:
+ - ./volumes/postgres:/var/lib/postgresql/data
+ ### See https://hub.docker.com/_/postgres/ for more
+ ### configuration options for this image.
+
+ redis:
+ image: redis:4.0-alpine
+ container_name: asciinema_redis
+ restart: unless-stopped
+ volumes:
+ - ./volumes/redis:/data
+ ### See https://hub.docker.com/_/redis/ for more
+ ### configuration options for this image.
+
+ smtp:
+ image: namshi/smtp
+ container_name: asciinema_smtp
+ restart: unless-stopped
+ env_file: .env.production
+ ### See https://github.com/namshi/docker-smtp for more SMTP configuration
+ ### options for this image.
+
+ nginx:
+ image: nginx:1.15-alpine
+ container_name: asciinema_nginx
+ restart: unless-stopped
+ links:
+ - phoenix
+ ports:
+ - "8091:80"
+ ### Uncomment for HTTPS:
+ # - "443:443"
+ volumes:
+ - ./docker/nginx/asciinema.conf:/etc/nginx/conf.d/default.conf:ro
+ - ./volumes/cache:/cache
+ ### Uncomment for HTTPS (make sure to add your cert and private key to ./certs):
+ # - ./certs:/app/priv/certs
+ ### See https://hub.docker.com/_/nginx/ for more configuration options for
+ ### this image.
+
+ phoenix:
+ image: asciinema/asciinema-server
+ container_name: asciinema_phoenix
+ restart: unless-stopped
+ links:
+ - redis
+ - postgres
+ - smtp
+ env_file: .env.production
+ volumes:
+ - ./volumes/uploads:/opt/app/uploads
+
+
+
+In here i simply changed the default **80:80** port redirection to **8091:80**. That's because i already have a service running on port 80 on that debian node, so i will use port 8091 instead. I leave the rest as default, **:wq** to save and quit out of vim, then edit the **env.production** file:
+
+
+ root@docker0:~/asciinema-server# cp .env.production.sample .env.production
+ root@docker0:~/asciinema-server# vim .env.production
+
+
+
+
+ ### asciinema web app config file
+
+ ## Settings below that are un-commented are required, the rest is optional.
+ ## Values after "=" sign are taken as-is, so don't use double quotes for strings.
+
+ ## Base URL of your asciinema web app instance
+ URL_SCHEME=http
+ URL_HOST=asciinema.void.yt
+ URL_PORT=8091
+
+ ## Base secret key for signing cookies etc.
+ ## Run `docker-compose run --rm phoenix asciinema gen_secret`
+ ## and copy generated secret here.
+ SECRET_KEY_BASE='X3gqVydBRANDOMSTRING0aWc0WUxX'
+
+ [...]
+
+
+
+Edit those to fit your own asciinema instance of course, we will use a separate reverse nginx proxy later on. Once that's done save and quit out of vim, then let's first pull asciinema's official docker container image:
+
+
+ root@docker0:~/asciinema-server# docker pull asciinema/asciinema-server:latest
+ latest: Pulling from asciinema/asciinema-server
+ cbdbe7a5bc2a: Already exists
+ 852302012d76: Pull complete
+ c10f35f5e38e: Pull complete
+ 54c64cbd1686: Pull complete
+ adbcd5d252bd: Pull complete
+ Digest: sha256:0e0a517a638da72a3dff54d2f4caacd1457e02a607a9edddb17f6aec6ae240d0
+ Status: Downloaded newer image for asciinema/asciinema-server:latest
+
+
+
+Next we're going to start the PostgreSQL container:
+
+
+ root@docker0:~/asciinema-server# docker-compose up -d postgres
+ Creating network "asciinema-server_default" with the default driver
+ Pulling postgres (postgres:10.6-alpine)...
+ 10.6-alpine: Pulling from library/postgres
+ 6c40cc604d8e: Pull complete
+ 3ea5fa93d025: Pull complete
+ 146f5c88cacb: Pull complete
+ 9fc5bfa5813c: Pull complete
+ 99fdb8e79d37: Pull complete
+ d0ec5819b579: Pull complete
+ 4c673b065000: Pull complete
+ 4436822af9f8: Pull complete
+ 733c47ccf44e: Pull complete
+ Digest: sha256:113562a23ed3912f0c35fd9c437c007865aec009feccc6b750d74baf46d70551
+ Status: Downloaded newer image for postgres:10.6-alpine
+ Creating asciinema_postgres ... done
+
+
+
+Now create the database schema and seed it with initial data:
+
+
+ root@docker0:~/asciinema-server# docker-compose run --rm phoenix setup
+ Pulling redis (redis:4.0-alpine)...
+ 4.0-alpine: Pulling from library/redis
+ cbdbe7a5bc2a: Already exists
+ dc0373118a0d: Pull complete
+ cfd369fe6256: Pull complete
+ 152ffd6a3b24: Pull complete
+ 7c01860f13a3: Pull complete
+ aa6ecacd3bee: Pull complete
+ Digest: sha256:aaf7c123077a5e45ab2328b5ef7e201b5720616efac498d55e65a7afbb96ae20
+ Status: Downloaded newer image for redis:4.0-alpine
+ Pulling smtp (namshi/smtp:)...
+ latest: Pulling from namshi/smtp
+ 376057ac6fa1: Pull complete
+ 4f41e210c366: Pull complete
+ c6481c5521ee: Pull complete
+ be585e548f6c: Pull complete
+ 430c23e8d992: Pull complete
+ Digest: sha256:aa63b8de68ce63dfcf848c56f3c1a16d81354f4accd4242a0086c57dd5a91d77
+ Status: Downloaded newer image for namshi/smtp:latest
+ Creating asciinema_redis ... done
+ Starting asciinema_postgres ... done
+ Creating asciinema_smtp ... done
+
+ [...]
+
+ 17:04:21.590 [info] == Migrated 20200831195118 in 0.0s
+ 17:04:21.599 [info] == Running 20200901164454 Asciinema.Repo.Migrations.ConvertFileToPath.change/0 forward
+ 17:04:21.600 [info] rename column file to filename on table asciicasts
+ 17:04:21.601 [info] alter table asciicasts
+ 17:04:21.607 [info] execute "UPDATE asciicasts SET path=concat('asciicast/file/', id, '/', filename) WHERE filename IS NOT NULL"
+ 17:04:21.611 [info] == Migrated 20200901164454 in 0.0s
+ Running seed script..
+
+
+
+Once that's done, create the containers:
+
+
+ root@docker0:~/asciinema-server# docker-compose up -d
+ Pulling nginx (nginx:1.15-alpine)...
+ 1.15-alpine: Pulling from library/nginx
+ e7c96db7181b: Pull complete
+ 264026bbe255: Pull complete
+ a71634c55d29: Pull complete
+ 5595887beb81: Pull complete
+ Digest: sha256:57a226fb6ab6823027c0704a9346a890ffb0cacde06bc19bbc234c8720673555
+ Status: Downloaded newer image for nginx:1.15-alpine
+ asciinema_redis is up-to-date
+ asciinema_smtp is up-to-date
+ asciinema_postgres is up-to-date
+ Creating asciinema_phoenix ... done
+ Creating asciinema_nginx ... done
+
+
+
+And then just check the status of the containers:
+
+
+
+ root@docker0:~/asciinema-server# docker ps -f 'name=asciinema_'
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 56e0da8221d2 nginx:1.15-alpine "nginx -g 'daemon of…" 34 seconds ago Up 32 seconds 0.0.0.0:8091->80/tcp asciinema_nginx
+ 2fd74f43d7d4 asciinema/asciinema-server "/sbin/tini -- /opt/…" 35 seconds ago Up 34 seconds 4000/tcp asciinema_phoenix
+ a7804b544bee redis:4.0-alpine "docker-entrypoint.s…" 2 minutes ago Up 2 minutes 6379/tcp asciinema_redis
+ 3a3cf6fd58b3 namshi/smtp "/bin/entrypoint.sh …" 2 minutes ago Up 2 minutes 25/tcp asciinema_smtp
+ b78623063995 postgres:10.6-alpine "docker-entrypoint.s…" 3 minutes ago Up 3 minutes 5432/tcp asciinema_postgres
+
+
+
+Since that's done, let's checkout the service at port 8091:
+
+![](1.png)
+
+And that's it ! We managed to install a local instance of asciinema server:
+
+## **Reverse Nginx Proxy**
+
+Now we want to make sure that our local asciinema server is accessible from the internet thanks to a nginx proxy, i'm going to use my main nginx node at 10.0.0.101 because i know it's ports 80 and 443 are publicly accessible:
+
+
+ root@home:/var/www/void.yt/config# vim /etc/nginx/sites-available/asciinema.void.yt.conf
+
+ upstream asciibackend {
+ server 192.168.0.200:8091;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name asciinema.void.yt;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name asciinema.void.yt;
+
+ ssl_certificate /root/.acme.sh/asciinema.void.yt/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/asciinema.void.yt/asciinema.void.yt.cer;
+ ssl_certificate_key /root/.acme.sh/asciinema.void.yt/asciinema.void.yt.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://asciibackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+ :wq
+
+ root@home:/var/www/void.yt/config# ln -s /etc/nginx/sites-available/asciinema.void.yt.conf /etc/nginx/sites-enabled/
+
+ root@home:/var/www/void.yt/config# nginx -t
+ nginx: [emerg] BIO_new_file("/root/.acme.sh/asciinema.void.yt/fullchain.cer") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/root/.acme.sh/asciinema.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)
+ nginx: configuration file /etc/nginx/nginx.conf test failed
+
+
+
+Now when you test the reverse proxy site config, you see that nginx doesn't like it, that's because we don't have the TLS certificates from LetsEncrypt yet, so let's get them:
+
+
+ root@home:/var/www/void.yt/config# systemctl stop nginx
+
+ root@home:/var/www/void.yt/config# acme.sh --issue --standalone -d asciinema.void.yt -k 4096
+
+ root@home:/var/www/void.yt/config# nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+
+
+Once that's done, start nginx again, and check the result:
+
+![](2.png)
+
+That's it! you managed to install a public asciiserver instance. Now let's use it:
+
+## **Using the CLI Utility**
+
+On nearly all Linux-Based distros, asciiserver is available in the repositories, for example in debian-based and arch-based distros::
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → pacman -Ss asciinema ; pacman -S asciinema
+ community/asciinema 2.0.2-5 [installed]
+ Record and share terminal sessions
+
+ root@home:~# apt search asciinema ; apt install asciinema -y
+ Sorting... Done
+ Full Text Search... Done
+ asciinema/stable 2.0.2-1 all
+ Record and share your terminal sessions, the right way
+
+
+
+Before we start using asciinema, we need to make sure we use our asciinema instance. By default, asciinema uses [ https://asciinema.org](https://asciinema.org) to send the recorded terminal files to. So we can either change the **ASCIINEMA_API_URL** environnement variable OR we can just edit the **~/.config/asciinema/config**
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → echo $ASCIINEMA_API_URL
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → ASCIINEMA_API_URL=https://asciinema.void.yt
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → echo $ASCIINEMA_API_URL
+ https://asciinema.void.yt
+
+ OR
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → echo '[api]' > ~/.config/asciinema/config
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → echo 'url = https://asciinema.void.yt' >> ~/.config/asciinema/config
+
+
+
+Once that's done, you can start the recording :
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → asciinema rec
+ asciinema: recording asciicast to /tmp/tmpnjcc_g63-ascii.cast
+ asciinema: press <****ctrl-d> or type "exit" when you're done
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → ls
+ 0.png 1.png 2.png index.html
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → ls
+ 0.png 1.png 2.png index.html
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → ls
+ 0.png 1.png 2.png index.html
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → ls
+ 0.png 1.png 2.png index.html
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → exit
+ asciinema: recording finished
+ asciinema: press <****enter> to upload to asciinema.void.yt, <****ctrl-c> to save locally
+
+ View the recording at:
+
+ http://asciinema.void.yt:8091/a/FTLJyGAlLi6TKVSEf9JYiisA4
+
+Now we're not done just yet! as you can see the end URL isn't correct, we need to edit the **.env.production** file we edited earlier to fix this, and rebuild the containers:
+
+
+ root@docker0:~/asciinema-server# vim .env.production
+
+ URL_SCHEME=https
+ URL_HOST=asciinema.void.yt
+ URL_PORT=443
+
+ [...]
+
+ :wq
+
+
+
+Once we're done editing the file, we restart the phoenix container and then use docker-compose to make sure the containers are up then check the result:
+
+
+ root@docker0:~/asciinema-server# docker-compose stop phoenix
+
+ root@docker0:~/asciinema-server# docker-compose up -d phoenix
+
+ root@docker0:~/asciinema-server# docker-compose up -d
+ asciinema_redis is up-to-date
+ asciinema_smtp is up-to-date
+ asciinema_postgres is up-to-date
+ asciinema_phoenix is up-to-date
+ Starting asciinema_nginx ... done
+
+ root@docker0:~/asciinema-server# docker ps -f 'name=asciinema_'
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ e037d2364879 nginx:1.15-alpine "nginx -g 'daemon of…" 7 minutes ago Up About a minute 0.0.0.0:8091->80/tcp asciinema_nginx
+ b513c2c6894e asciinema/asciinema-server "/sbin/tini -- /opt/…" 7 minutes ago Up 3 minutes 4000/tcp asciinema_phoenix
+ 4dbb7e9c7588 namshi/smtp "/bin/entrypoint.sh …" 7 minutes ago Up 3 minutes 25/tcp asciinema_smtp
+ a7804b544bee redis:4.0-alpine "docker-entrypoint.s…" 45 minutes ago Up 4 minutes 6379/tcp asciinema_redis
+ b78623063995 postgres:10.6-alpine "docker-entrypoint.s…" About an hour ago Up 3 minutes 5432/tcp asciinema_postgres
+
+
+
+Now let's test the asciinema recording once more:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/16 ] [blog/servers/asciinema]
+ → asciinema rec
+ asciinema: recording asciicast to /tmp/tmpob7b68vm-ascii.cast
+ asciinema: press <****ctrl-d> or type "exit" when you're done
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → ls
+ 0.png 1.png 2.png index.html
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → ls
+ 0.png 1.png 2.png index.html
+
+ [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/asciinema]
+ → exit
+ asciinema: recording finished
+ asciinema: press <****enter> to upload to asciinema.void.yt, <****ctrl-c> to save locally
+
+ View the recording at:
+
+ https://asciinema.void.yt/a/DvUyM1xdyysk7MQv30Vl1ACzR
+
+That's better! Now let's view the result:
+
+![](3.png)
+
+And that's it! Now let's share it:
+
+![](4.png)
+
+You can also embed it in HTML:
+
+[![](https://asciinema.void.yt/a/DvUyM1xdyysk7MQv30Vl1ACzR.svg)](https://asciinema.void.yt/a/DvUyM1xdyysk7MQv30Vl1ACzR)
+
+You can sign up, and get the one-time login link sent to the email address:
+
+![](7.png) ![](5.png) ![](6.png) ![](8.png)
+
+And that's it ! We have successfully tested that our asciinema instance works.
+
diff --git a/bedrock/0.png b/bedrock/0.png
new file mode 100644
index 0000000..c097852
Binary files /dev/null and b/bedrock/0.png differ
diff --git a/bedrock/1.png b/bedrock/1.png
new file mode 100644
index 0000000..60aa137
Binary files /dev/null and b/bedrock/1.png differ
diff --git a/bedrock/2.png b/bedrock/2.png
new file mode 100644
index 0000000..1f85545
Binary files /dev/null and b/bedrock/2.png differ
diff --git a/bedrock/3.png b/bedrock/3.png
new file mode 100644
index 0000000..7e31a76
Binary files /dev/null and b/bedrock/3.png differ
diff --git a/bedrock/4.png b/bedrock/4.png
new file mode 100644
index 0000000..597034b
Binary files /dev/null and b/bedrock/4.png differ
diff --git a/bedrock/5.png b/bedrock/5.png
new file mode 100644
index 0000000..8ae5e64
Binary files /dev/null and b/bedrock/5.png differ
diff --git a/bedrock/6.png b/bedrock/6.png
new file mode 100644
index 0000000..5eed0a6
Binary files /dev/null and b/bedrock/6.png differ
diff --git a/bedrock/7.png b/bedrock/7.png
new file mode 100644
index 0000000..2451c2c
Binary files /dev/null and b/bedrock/7.png differ
diff --git a/bedrock/index.md b/bedrock/index.md
new file mode 100644
index 0000000..3e2c1b8
--- /dev/null
+++ b/bedrock/index.md
@@ -0,0 +1,607 @@ +# bedrock Setup + +![](0.png) + +Bedrock Linux is a meta Linux distribution which allows users to mix-and-match components from other, typically incompatible distributions. Bedrock integrates these components into one largely cohesive system. + +## **Initial Setup** + +first step is to run the script, i will run it on an arch linux server: + + + [ nihilism ] [ /dev/pts/13 ] [~] + → wget https://github.com/bedrocklinux/bedrocklinux-userland/releases/download/0.7.27/bedrock-linux-0.7.27-x86_64.sh + --2022-06-26 15:45:17-- https://github.com/bedrocklinux/bedrocklinux-userland/releases/download/0.7.27/bedrock-linux-0.7.27-x86_64.sh + Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' + Resolving github.com (github.com)... 140.82.113.3 + Connecting to github.com (github.com)|140.82.113.3|:443... connected. + HTTP request sent, awaiting response... 302 Found + Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/20029106/6571ebbf-ac43-4935-ba42-6b05d4e70a19?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220626%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220626T154515Z&X-Amz-Expires;=300&X-Amz-Signature;=482dbbad1755b9b03c3f3837db96d9ae5000bfee82f8551dcba09058e4755f10&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=20029106&response-content-disposition;=attachment%3B%20filename%3Dbedrock-linux-0.7.27-x86_64.sh&response-content-type;=application%2Foctet-stream [following] + --2022-06-26 15:45:17-- 
https://objects.githubusercontent.com/github-production-release-asset-2e65be/20029106/6571ebbf-ac43-4935-ba42-6b05d4e70a19?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20220626%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20220626T154515Z&X-Amz-Expires;=300&X-Amz-Signature;=482dbbad1755b9b03c3f3837db96d9ae5000bfee82f8551dcba09058e4755f10&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=20029106&response-content-disposition;=attachment%3B%20filename%3Dbedrock-linux-0.7.27-x86_64.sh&response-content-type;=application%2Foctet-stream + Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ... + Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 5092835 (4.9M) [application/octet-stream] + Saving to: ‘bedrock-linux-0.7.27-x86_64.sh’ + + bedrock-linux-0.7.27-x86_64.sh 100%[========================================================================================================================================>] 4.86M 20.3MB/s in 0.2s + + 2022-06-26 15:45:18 (20.3 MB/s) - ‘bedrock-linux-0.7.27-x86_64.sh’ saved [5092835/5092835] + + + [ nihilism ] [ /dev/pts/13 ] [~] + → chmod +x bedrock-linux-0.7.27-x86_64.sh + + [ nihilism ] [ /dev/pts/13 ] [~] + → vim bedrock-linux-0.7.27-x86_64.sh + + [ nihilism ] [ /dev/pts/13 ] [~] + → ./bedrock-linux-0.7.27-x86_64.sh + Usage: ./bedrock-linux-0.7.27-x86_64.sh + + Install or update a Bedrock Linux system. + + Operations: + --hijack [name] convert current installation to Bedrock Linux. + this operation is not intended to be reversible! + optionally specify initial stratum name. + --update update current Bedrock Linux system. + --force-update update current system, ignoring warnings. 
+ -h, --help print this message + + [ nihilism ] [ /dev/pts/13 ] [~] + → ./bedrock-linux-0.7.27-x86_64.sh --hijack + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + * * + * Continuing will: * + * - Move the existing install to a temporary location * + * - Install Bedrock Linux on the root of the filesystem * + * - Add the previous install as a new Bedrock Linux stratum * + * * + * YOU ARE ABOUT TO REPLACE YOUR EXISTING LINUX INSTALL WITH A * + * BEDROCK LINUX INSTALL! THIS IS NOT INTENDED TO BE REVERSIBLE! * + * * + * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * + + Please type "Not reversible!" without quotes at the prompt to continue: + > Not reversible! + + + __ __ __ + \ \_________\ \____________\ \___ + \ _ \ _\ _ \ _\ __ \ __\ / + \___/\__/\__/ \_\ \___/\__/\_\_\ + Bedrock Linux 0.7.27 Poki + + [1/6 ( 16%)] Performing sanity checks + [2/6 ( 33%)] Gathering information + * Using arch for initial stratum + * Using arch:/sbin/init as default init selection + * Using yay as pmm user interface + * Using en_US.UTF-8 UTF-8 for locale.gen language + * Using en_US.UTF-8 for $LANG + * Using UTC for timezone + [3/6 ( 50%)] Hijacking init system + [4/6 ( 66%)] Extracting /bedrock + [5/6 ( 83%)] Configuring + * Configuring bedrock stratum + * Configuring arch stratum + * Configuring bedrock.conf + * Configuring /etc/fstab + [6/6 (100%)] Finalizing + * Reboot to complete installation + * After reboot consider trying the Bedrock Linux basics tutorial command: brl tutorial basics + + [ nihilism ] [ /dev/pts/13 ] [~] + → reboot now + + + +Now on that server i setup LUKS so i unlock it: + +![](1.png) + +Then you can see bedrock linux is setup: + +![](2.png) + +After rebooting we see the following: + + + [ nihilism ] [ /dev/pts/0 ] [~] + → neofetch + -------------------------------------- root@nihilism + -------------------------------------- ------------- + -------------------------------------- OS: Bedrock Linux 0.7.27 Poki x86_64 + 
---\\\\\\\\\\\\----------------------- Host: KVM RHEL 7.6.0 PC (i440FX + PIIX, 1996) + ----\\\ \\\---------------------- Kernel: 5.18.5-arch1-1 + -----\\\ \\\--------------------- Uptime: 18 mins + ------\\\ \\\\\\\\\\\\\\\\\------ Packages: 472 (pacman) + -------\\\ \\\----- Shell: zsh 5.9 + --------\\\ \\\---- Resolution: 1024x768 + ---------\\\ ______ \\\--- Terminal: /dev/pts/0 + ----------\\\ ///--- CPU: Intel Xeon E5-2680 v3 (8) @ 2.497GHz + -----------\\\ ///---- GPU: 00:02.0 Cirrus Logic GD 5446 + ------------\\\ ///----- Memory: 2554MiB / 9953MiB + -------------\\\////////////////------ + -------------------------------------- + -------------------------------------- + -------------------------------------- + + [ nihilism ] [ /dev/pts/3 ] [~] + → cat /etc/resolv.conf + cat: /etc/resolv.conf: No such file or directory + + [ nihilism ] [ /dev/pts/3 ] [~] + → sudo rm /etc/resolv.conf + + [ nihilism ] [ /dev/pts/3 ] [~] + → rm /etc/resolv.conf + rm: cannot remove '/etc/resolv.conf': No such file or directory + + [ nihilism ] [ /dev/pts/3 ] [~] + → vim /etc/resolv.conf + + [ nihilism ] [ /dev/pts/3 ] [~] + → cat /etc/resolv.conf ; chattr +i /etc/resolv.conf + nameserver 1.1.1.1 + nameserver 1.0.0.1 + + [ nihilism ] [ /dev/pts/3 ] [~] + → brl update + * Checking for updates + Checking https://raw.githubusercontent.com/bedrocklinux/bedrocklinux-userland/0.7/releases... done + * No updates + + [ nihilism ] [ /dev/pts/3 ] [~] + → brl help + Usage: brl [arguments] + + Bedrock Linux system management and introspection. 
+ + Common commands: + strat Run specified stratum's executable + Note: `strat` is available without the `brl` prefix + list List strata + which Query which stratum provides object + + Strata management commands: + fetch Fetch new strata + import Import new strata + remove Remove strata (or aliases) + rename Rename a stratum + copy Copy a stratum + + Strata status management commands: + status Query stratum status + enable Enable strata + disable Disable strata + repair Repairs broken strata + + Strata visibility management commands: + hide Hide strata + show Show strata + + Alias management commands: + alias Create a stratum alias + deref Dereference stratum aliases + + Miscellaneous commands: + apply Apply configuration changes + update Update Bedrock Linux system + version Query Bedrock Linux version + report Generate report + tutorial Run interactive Bedrock Linux tutorial + + See `brl --help` for further details per command. + + + +let's install an ubuntu 22 strata: + + + [ nihilism ] [ /dev/pts/3 ] [~] + → brl fetch --list + alpine + arch + centos + debian + devuan + exherbo + exherbo-musl + fedora + gentoo + ubuntu + void + void-musl + + [ nihilism ] [ /dev/pts/3 ] [~] + → brl fetch -n ubuntu ubuntu + [ 1/18 ( 5%)] Determining name + * Using ubuntu + [ 2/18 ( 11%)] Determining CPU architecture + * Using x86_64 + [ 3/18 ( 16%)] Determining release + * Using jammy + [ 4/18 ( 22%)] Determining mirror + * Checking bedrock.conf [brl-fetch-mirror] items + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + * Fast filtering 744 to top 10 + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + * Finding fastest mirror from 10 + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + * Using http://ubuntu.mirror.iweb.ca/ + [ 5/18 ( 27%)] Making bootstrap directory structure + [ 6/18 ( 33%)] Downloading package information database + Downloading http://ubuntu.mirror.iweb.ca//dists/jammy/main/binary-amd64/Packages.gz + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total 
Spent Left Speed + 100 1750k 100 1750k 0 0 13.2M 0 --:--:-- --:--:-- --:--:-- 13.2M + [ 7/18 ( 38%)] Converting distro package information database to brl format + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [ 8/18 ( 44%)] Calculating required bootstrap packages + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [ 9/18 ( 50%)] Downloading bootstrap packages + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [10/18 ( 55%)] Extracting bootstrap packages + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [11/18 ( 61%)] Running bootstrap software + I: Retrieving InRelease + I: Checking Release signature + I: Valid Release signature (key id F6ECB3762474EDA9D21B7022871920D1991BC93C) + I: Retrieving Packages + I: Validating Packages + I: Resolving dependencies of required packages... + I: Resolving dependencies of base packages... + I: Checking component main on http://ubuntu.mirror.iweb.ca... + I: Validating adduser 3.118ubuntu5 + I: Validating apt 2.4.5 + I: Validating base-files 12ubuntu4 + I: Retrieving base-passwd 3.5.52build1 + I: Validating base-passwd 3.5.52build1 + I: Validating bash 5.1-6ubuntu1 + I: Retrieving bsdutils 1:2.37.2-4ubuntu3 + I: Validating bsdutils 1:2.37.2-4ubuntu3 + I: Validating coreutils 8.32-4.1ubuntu1 + I: Validating dash 0.5.11+git20210903+057cd650a4ed-3build1 + I: Validating debconf 1.5.79ubuntu1 + I: Validating debianutils 5.5-1ubuntu2 + I: Retrieving diffutils 1:3.8-0ubuntu2 + I: Validating diffutils 1:3.8-0ubuntu2 + I: Validating dpkg 1.21.1ubuntu2 + I: Retrieving e2fsprogs 1.46.5-2ubuntu1 + I: Validating e2fsprogs 1.46.5-2ubuntu1 + I: Retrieving findutils 4.8.0-1ubuntu3 + I: Validating findutils 4.8.0-1ubuntu3 + I: Validating gcc-12-base 12-20220319-1ubuntu1 + I: Validating gpgv 2.2.27-3ubuntu2 + I: Validating grep 3.7-1build1 + + [...] + + zlib1g set to automatically installed. 
+ Hit:1 http://ubuntu.mirror.iweb.ca jammy InRelease + Get:2 http://archive.ubuntu.com/ubuntu jammy-security InRelease [110 kB] + Get:3 http://ubuntu.mirror.iweb.ca jammy/main Translation-en [510 kB] + Get:4 http://ubuntu.mirror.iweb.ca jammy/universe amd64 Packages [14.1 MB] + Get:5 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages [191 kB] + Get:6 http://archive.ubuntu.com/ubuntu jammy-security/main Translation-en [45.9 kB] + Get:7 http://archive.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [78.1 kB] + Get:8 http://archive.ubuntu.com/ubuntu jammy-security/universe Translation-en [27.7 kB] + Get:9 http://ubuntu.mirror.iweb.ca jammy/universe Translation-en [5652 kB] + Fetched 20.7 MB in 3s (6485 kB/s) + Reading package lists... Done + Reading package lists... Done + Building dependency tree... Done + Reading state information... Done + The following NEW packages will be installed: + locales-all + 0 upgraded, 1 newly installed, 0 to remove and 8 not upgraded. + Need to get 10.8 MB of archives. + After this operation, 233 MB of additional disk space will be used. + Get:1 http://ubuntu.mirror.iweb.ca jammy/universe amd64 locales-all amd64 2.35-0ubuntu3 [10.8 MB] + Fetched 10.8 MB in 0s (24.5 MB/s) + debconf: delaying package configuration, since apt-utils is not installed + Selecting previously unselected package locales-all. + (Reading database ... 4391 files and directories currently installed.) + Preparing to unpack .../locales-all_2.35-0ubuntu3_amd64.deb ... + Unpacking locales-all (2.35-0ubuntu3) ... + Setting up locales-all (2.35-0ubuntu3) ... 
+ [13/18 ( 72%)] Setting locale + [14/18 ( 77%)] Cleaning up + [15/18 ( 83%)] Importing users and groups + [16/18 ( 88%)] Preparing symlinks + [17/18 ( 94%)] Showing + [18/18 (100%)] Enabling + * Successfully fetched a new ubuntu stratum with name ubuntu + + + +Now let's try to install packages from ubuntu: + + + [ nihilism ] [ /dev/pts/3 ] [~] + → apt install php8.1-fpm php8.1 + + [ nihilism ] [ /dev/pts/3 ] [~] + → strat -r ubuntu php -version + PHP 8.1.2 (cli) (built: Jun 13 2022 13:52:54) (NTS) + Copyright (c) The PHP Group + Zend Engine v4.1.2, Copyright (c) Zend Technologies + with Zend OPcache v8.1.2, Copyright (c), by Zend Technologies + + [ nihilism ] [ /dev/pts/3 ] [~] + → strat -r ubuntu systemctl start php8.1-fpm + Running in chroot, ignoring command 'start' + + + +## **Arch linux with kali linux tools Setup** + +Since kali is not a supported OS by bedrock linux, we have to use a debian strata instead, we see [here](https://bedrocklinux.org/0.7/distro-compatibility.html) that bedrock supports very well arch linux and debian stratas, so let's trust it and use them: + +First install Arch, and then hijack it with bedrock, then install the debian strata on it after rebooting: + + + [nothing@anarchy:etc/apt]$ neofetch (12-17 21:33) + -------------------------------------- nothing@anarchy + -------------------------------------- --------------- + -------------------------------------- OS: Bedrock Linux 0.7.27 Poki x86_64 + ---\\\\\\\\\\\\----------------------- Host: KVM/QEMU (Standard PC (Q35 + ICH9, 2009) pc-q35-7.1) + ----\\\ \\\---------------------- Kernel: 6.0.12-arch1-1 + -----\\\ \\\--------------------- Uptime: 4 mins + ------\\\ \\\\\\\\\\\\\\\\\------ Packages: 634 (pacman), 98 (dpkg) + -------\\\ \\\----- Shell: zsh 5.9 + --------\\\ \\\---- Resolution: 1280x800 + ---------\\\ ______ \\\--- Terminal: /dev/pts/0 + ----------\\\ ///--- CPU: 11th Gen Intel i7-11700K (2) @ 3.600GHz + -----------\\\ ///---- GPU: 00:01.0 Red Hat, Inc. 
Virtio GPU + ------------\\\ ///----- Memory: 120MiB / 1974MiB + -------------\\\////////////////------ + -------------------------------------- + -------------------------------------- + -------------------------------------- + + [nothing@anarchy:~]$ brl fetch --list (12-17 21:29) + alpine + arch + centos + debian + devuan + exherbo + exherbo-musl + fedora + gentoo + ubuntu + void + void-musl + [nothing@anarchy:~]$ brl fetch debian (12-17 21:29) + ERROR: Operation requires root. + [nothing@anarchy:~][1]$ sudo !! (12-17 21:29) + sudo brl fetch debian + [sudo] password for nothing: + [ 1/18 ( 5%)] Determining name + * Using debian + [ 2/18 ( 11%)] Determining CPU architecture + * Using x86_64 + [ 3/18 ( 16%)] Determining release + * Using bullseye + [ 4/18 ( 22%)] Determining mirror + * Checking bedrock.conf [brl-fetch-mirror] items + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + * Fast filtering 371 to top 10 + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + * Finding fastest mirror from 10 + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + * Using http://ftp.fr.debian.org/debian/ + [ 5/18 ( 27%)] Making bootstrap directory structure + [ 6/18 ( 33%)] Downloading package information database + Downloading http://ftp.fr.debian.org/debian//dists/bullseye/main/binary-amd64/Packages.gz + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 10.5M 100 10.5M 0 0 6791k 0 0:00:01 0:00:01 --:--:-- 6794k + [ 7/18 ( 38%)] Converting distro package information database to brl format + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [ 8/18 ( 44%)] Calculating required bootstrap packages + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [ 9/18 ( 50%)] Downloading bootstrap packages + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [10/18 ( 55%)] Extracting bootstrap packages + [\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\] 100% + [11/18 ( 61%)] Running bootstrap software + + [...] 
+ + [nothing@anarchy:~]$ which apt (12-17 21:31) + /bedrock/cross/bin/apt + [nothing@anarchy:~]$ cd /bedrock/strata/debian/etc/apt (12-17 21:32) + [nothing@anarchy:etc/apt]$ ls (12-17 21:32) + apt.conf.d/ auth.conf.d/ preferences.d/ sources.list sources.list.d/ trusted.gpg.d/ + + + +Then take a default kali VM and add the repositories: + + + ┌──(nothing㉿kali)-[~] + └─$ neofetch + .............. nothing@kali + ..,;:ccc,. ------------ + ......''';lxO. OS: Kali GNU/Linux Rolling x86_64 + .....''''..........,:ld; Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-6.2) + .';;;:::;,,.x, Kernel: 6.0.0-kali3-amd64 + ..'''. 0Xxoc:,. ... Uptime: 12 days, 15 hours, 18 mins + .... ,ONkc;,;cokOdc',. Packages: 3165 (dpkg) + . OMo ':ddo. Shell: zsh 5.9 + dMc :OO; Resolution: 1024x768 + 0M. .:o. Terminal: /dev/pts/2 + ;Wd CPU: Common KVM (8) @ 1.799GHz + ;XO, GPU: 00:02.0 Red Hat, Inc. QXL paravirtual graphic card + ,d0Odlc;,.. Memory: 784MiB / 7953MiB + + ┌──(nothing㉿kali)-[~] + └─$ cat /etc/apt/sources.list + deb http://http.kali.org/kali kali-rolling main non-free contrib + + + +Then add it over to the debian strata: + + + [nothing@anarchy:etc/apt][130]$ pwd (12-17 21:35) + /bedrock/strata/debian/etc/apt + [nothing@anarchy:etc/apt]$ sudo vim sources.list + + [nothing@anarchy:etc/apt][100]$ cat sources.list (12-17 21:35) + deb http://ftp.fr.debian.org/debian bullseye main + deb http://security.debian.org/debian-security bullseye-security main + **deb http://http.kali.org/kali kali-rolling main non-free contrib** + + [nothing@anarchy:etc/apt]$ sudo apt update -y (12-17 21:36) + Hit:1 http://security.debian.org/debian-security bullseye-security InRelease + Hit:2 http://ftp.fr.debian.org/debian bullseye InRelease + Get:3 http://ftp.free.fr/pub/kali kali-rolling InRelease [30.6 kB] + Err:3 http://ftp.free.fr/pub/kali kali-rolling InRelease + The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED444FF07D8D0BF6 + Reading package 
lists... Done + W: GPG error: http://ftp.free.fr/pub/kali kali-rolling InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ED444FF07D8D0BF6 + E: The repository 'http://http.kali.org/kali kali-rolling InRelease' is not signed. + N: Updating from such a repository can't be done securely, and is therefore disabled by default. + N: See apt-secure(8) manpage for repository creation and user configuration details. + + + +And here you see we have an error, we need to have the kali repository's PGP public key, so let's import it from the blank Kali VM: + + + [term1] + ┌──(nothing㉿kali)-[/etc/apt/trusted.gpg.d] + └─$ ls + debian-archive-bullseye-automatic.gpg debian-archive-bullseye-stable.gpg debian-archive-buster-security-automatic.gpg debian-archive-stretch-automatic.gpg debian-archive-stretch-stable.gpg + debian-archive-bullseye-security-automatic.gpg debian-archive-buster-automatic.gpg debian-archive-buster-stable.gpg debian-archive-stretch-security-automatic.gpg kali-archive-keyring.gpg + + ┌──(nothing㉿kali)-[/etc/apt/trusted.gpg.d] + └─$ file kali-archive-keyring.gpg + kali-archive-keyring.gpg: symbolic link to /usr/share/keyrings/kali-archive-keyring.gpg + + ┌──(nothing㉿kali)-[/etc/apt/trusted.gpg.d] + └─$ file /usr/share/keyrings/kali-archive-keyring.gpg + /usr/share/keyrings/kali-archive-keyring.gpg: OpenPGP Public Key Version 4, Created Mon Mar 5 14:56:40 2012, RSA (Encrypt or Sign, 4096 bits); User ID; Signature; OpenPGP Certificate + + ┌──(nothing㉿kali)-[/etc/apt/trusted.gpg.d] + └─$ ip a | grep inet + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.100/16 brd 10.0.255.255 scope global dynamic noprefixroute eth0 + inet6 fe80::20db:32ff:fe9b:f283/64 scope link noprefixroute + + [term2] + [nothing@anarchy:etc/apt]$ sudo scp nothing@10.0.0.100:/etc/apt/trusted.gpg.d/kali-archive-keyring.gpg /bedrock/strata/debian/etc/apt/trusted.gpg.d/kali-archive-keyring.gpg + + The authenticity of 
host '10.0.0.100 (10.0.0.100)' can't be established. + ED25519 key fingerprint is SHA256:R3qDHuozDAfj6GPiKwaBfdOsZZctuM4AA5hqbmnMxpk. + This key is not known by any other names. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '10.0.0.100' (ED25519) to the list of known hosts. + nothing@10.0.0.100's password: + kali-archive-keyring.gpg 100% 2271 263.7KB/s 00:00 + [nothing@anarchy:etc/apt]$ ls trusted.gpg.d (12-17 21:38) + debian-archive-bullseye-automatic.gpg debian-archive-bullseye-stable.gpg debian-archive-buster-security-automatic.gpg debian-archive-stretch-automatic.gpg debian-archive-stretch-stable.gpg + debian-archive-bullseye-security-automatic.gpg debian-archive-buster-automatic.gpg debian-archive-buster-stable.gpg debian-archive-stretch-security-automatic.gpg kali-archive-keyring.gpg + [nothing@anarchy:etc/apt]$ + + + +Now that we migrated the trusted gpg key, we can do apt update -y: + + + [nothing@anarchy:etc/apt]$ sudo apt update -y (12-17 21:38) + Hit:1 http://security.debian.org/debian-security bullseye-security InRelease + Hit:2 http://ftp.fr.debian.org/debian bullseye InRelease + Get:3 http://ftp.free.fr/pub/kali kali-rolling InRelease [30.6 kB] + Get:4 http://ftp.free.fr/pub/kali kali-rolling/main amd64 Packages [19.0 MB] + Get:5 http://ftp.free.fr/pub/kali kali-rolling/non-free amd64 Packages [239 kB] + Get:6 http://ftp.free.fr/pub/kali kali-rolling/contrib amd64 Packages [113 kB] + Fetched 19.3 MB in 3s (5,865 kB/s) + Reading package lists... Done + Building dependency tree... Done + Reading state information... Done + 90 packages can be upgraded. Run 'apt list --upgradable' to see them. + + + [nothing@anarchy:~]$ apt search kali-linux (12-17 21:45) + Sorting... Done + Full Text Search... 
Done + kali-linux-core/kali-rolling 2023.1.0 amd64 + Kali Linux base system (core packages) + + kali-linux-default/kali-rolling 2023.1.0 amd64 + Kali Linux's default packages (headless & GUI) + + kali-linux-everything/kali-rolling 2023.1.0 amd64 + Every tool in Kali Linux + + kali-linux-firmware/kali-rolling 2023.1.0 amd64 + Default firmware files for Kali Linux systems + + kali-linux-headless/kali-rolling 2023.1.0 amd64 + Kali Linux's default packages (headless) + + kali-linux-labs/kali-rolling 2023.1.0 amd64 + Environments for learning and practising on. + + kali-linux-large/kali-rolling 2023.1.0 amd64 + Kali Linux extended default tool selection + + kali-linux-nethunter/kali-rolling 2023.1.0 amd64 + Kali NetHunter devices default packages + + [nothing@anarchy:~]$ **apt upgrade -y** + + +And thats it! We managed to make an Arch system, put it in a strata using bedrock, install a debian strata there, and install the kali linux tools on that debian strata! + +**WARNING: If you get this error while trying to apt upgrade after installing kali tools, DO NOT LEAVE THE DEFAULT CHOICE "yes" from the package update-passwd, otherwise it will completely break your system !, you need to put "no" to everything update-passwd asks you !** + +![](3.png) + +If you type yes to all of it: + +![](4.png) + +you would be unable to boot on your system at all. So instead you type "no" for any system changes it tries to do: + +![](5.png) + +Then you can actually reboot your system, unlike in the previous example: + + + [nothing@anarchy:~]$ **sudo reboot now** + + + +One particular thing you will see is that you won't be able to boot into your debian strata, however in this setup we want our arch linux sytem to be able to use the kali linux tools, not boot on a kali strata. 
+ +![](6.png) + +After rebooting you can install the kali-linux-core package: + + + [nothing@anarchy:~]$ **sudo apt install kali-linux-core** + [nothing@anarchy:~]$ **sudo reboot now** + + + +Upon rebooting, the debian strata will reappear for some reason, but still we don't want to boot there. + +![](7.png) + +Then we manage to boot again into our arch strata, then you can go ahead and install other kali linux tools, for example i will install the **kali-linux-default** metapackage: + + + [nothing@anarchy:~]$ **sudo apt install kali-linux-default** + + + +While installing it, make sure you type "no" to most of the things it ask you, so that you're sure it doesn't break your system. + diff --git a/borg/0.png b/borg/0.png new file mode 100644 index 0000000..d4dbe42 Binary files /dev/null and b/borg/0.png differ diff --git a/borg/1.png b/borg/1.png new file mode 100644 index 0000000..95c39f7 Binary files /dev/null and b/borg/1.png differ diff --git a/borg/2.png b/borg/2.png new file mode 100644 index 0000000..8b493bc Binary files /dev/null and b/borg/2.png differ diff --git a/borg/index.md b/borg/index.md new file mode 100644 index 0000000..f082cb3 --- /dev/null +++ b/borg/index.md 
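Review bot: The `kali-archive-keyring.gpg` that the `sudo scp` step drops into `/bedrock/strata/debian/etc/apt/trusted.gpg.d/` becomes an unconditional apt trust root for the Debian stratum, yet nothing in the hunk verifies it — the unknown ED25519 host key is accepted with a blind `yes`, and the keyring is never compared to anything before `apt update` runs against it. Before trusting it, print its fingerprint with `gpg --show-keys /bedrock/strata/debian/etc/apt/trusted.gpg.d/kali-archive-keyring.gpg`, confirm it ends in the key ID apt itself reported (`ED444FF07D8D0BF6`), and check the full fingerprint against the one Kali publishes rather than against a VM you happen to own. The same hunk adds `kali-rolling` to a bullseye `sources.list` with no pinning, so `apt upgrade -y` lets Kali's newer builds replace Debian base packages (the `update-passwd` prompt the warning describes is consistent with exactly that) and bullseye-security updates no longer apply cleanly; a `/etc/apt/preferences.d/kali` entry of `Package: *` / `Pin: release a=kali-rolling` / `Pin-Priority: 100` keeps Debian's version of anything bullseye ships while still allowing Kali-only packages such as `kali-linux-core` to install (check the `Suite`/`Origin` fields of Kali's InRelease before relying on the `a=` match). Less critically, `bedrock-linux-0.7.27-x86_64.sh` is fetched with wget and run straight away as `--hijack`, an irreversible replacement of init; compare its `sha256sum` against whatever checksum or signature the release page publishes before executing it.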
@@ -0,0 +1,648 @@ +# Borg Backups + +![]() + +In this tutorial we will look at how we can use borgbackup which is a fantastic alternative to the rsync utility we previously covered: + +## **Local Backups** + +Let's look at a basic usage of borgbackup: + + + root@debian-nginx1:~# apt search borgbackup + Sorting... Done + Full Text Search... Done + backupninja/stable 1.1.0-2.1 all + lightweight, extensible meta-backup system + + borgbackup/stable 1.1.9-2+deb10u1 amd64 + deduplicating and compressing backup program + + borgbackup-doc/stable 1.1.9-2+deb10u1 all + deduplicating and compressing backup program (documentation) + + borgmatic/stable 1.2.11-1 amd64 + automatically create, prune and verify backups with borgbackup + + root@debian-nginx1:~# apt install borgbackup + Reading package lists... Done + Building dependency tree + Reading state information... Done + The following additional packages will be installed: + fuse libb2-1 libfuse2 libgomp1 python3-llfuse python3-msgpack + Suggested packages: + borgbackup-doc python-llfuse-doc + The following NEW packages will be installed: + borgbackup fuse libb2-1 libfuse2 libgomp1 python3-llfuse python3-msgpack + 0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded. + Need to get 1267 kB of archives. + After this operation, 4612 kB of additional disk space will be used. + Do you want to continue? [Y/n] y + + + +Now that borg has been installed, we will use the 'borg' executable: + + + root@debian-nginx1:~# which borg + /usr/bin/borg + root@debian-nginx1:~# borg -V + borg 1.1.9 + + + +We can always get some help from borg itself: + + + root@debian-nginx1:~# borg help + usage: borg [-V] [-h] [--critical] [--error] [--warning] [--info] [--debug] + [--debug-topic TOPIC] [-p] [--log-json] [--lock-wait SECONDS] + [--show-version] [--show-rc] [--umask M] [--remote-path PATH] + [--remote-ratelimit RATE] [--consider-part-files] + [--debug-profile FILE] [--rsh RSH] + <****command> ... 
+ + required arguments: <****command> + mount mount repository + serve start repository server process + init initialize empty repository + check verify repository + key manage repository key + change-passphrase change repository passphrase + create create backup + extract extract archive contents + export-tar create tarball from archive + diff find differences in archive contents + rename rename archive + delete delete archive + list list archive or repository contents + umount umount repository + info show repository or archive information + break-lock break repository and cache locks + prune prune archives + upgrade upgrade repository format + recreate Re-create archives + with-lock run user command with lock held + config get and set configuration values + debug debugging command (not intended for normal use) + benchmark benchmark command + +Now let's first create a directory we want to put our backups into, and let's choose where our important data is: + +![](0.png) + + + root@debian-nginx1:~# cd /media/ + root@debian-nginx1:/media# mkdir myimportantfiles/ + root@debian-nginx1:/media# cd myimportantfiles/ + root@debian-nginx1:/media/myimportantfiles# cat /dev/urandom > importantfile1.raw + ^C + root@debian-nginx1:/media/myimportantfiles# cat /dev/urandom > importantfile2.raw + ^C + root@debian-nginx1:/media/myimportantfiles# cat /dev/urandom > importantfile3.raw + ^C + root@debian-nginx1:/media/myimportantfiles# cat /dev/urandom > importantfile4.raw + ^C + root@debian-nginx1:/media/myimportantfiles# cat /dev/urandom > importantfile5.raw + ^C + + root@debian-nginx1:/media/myimportantfiles# ls -lash + total 437M + 4.0K drwxr-xr-x 2 root root 4.0K Apr 2 09:05 . + 4.0K drwxr-xr-x 3 root root 4.0K Apr 2 09:04 .. 
+ 41M -rw-r--r-- 1 root root 41M Apr 2 09:04 importantfile1.raw + 44M -rw-r--r-- 1 root root 44M Apr 2 09:04 importantfile2.raw + 120M -rw-r--r-- 1 root root 120M Apr 2 09:04 importantfile3.raw + 103M -rw-r--r-- 1 root root 103M Apr 2 09:04 importantfile4.raw + 130M -rw-r--r-- 1 root root 130M Apr 2 09:05 importantfile5.raw + + + +So right now we have some important files totalling 437 Mb in **/media/importantfiles/** and we want to make a backup of it in **/media/backups/** : + + + root@debian-nginx1:/media/myimportantfiles# cd .. + root@debian-nginx1:/media# mkdir backups + root@debian-nginx1:/media# ls -l + total 8 + drwxr-xr-x 2 root root 4096 Apr 2 09:07 backups + drwxr-xr-x 2 root root 4096 Apr 2 09:05 myimportantfiles + + + +So we now init a borg repo with a passphrase + + + root@debian-nginx1:/media# borg init --encryption=repokey /media/backups/borgtest + Enter new passphrase: + Enter same passphrase again: + Do you want your passphrase to be displayed for verification? [yN]: n + + By default repositories initialized with this version will produce security + errors if written to with an older version (up to and including Borg 1.0.8). + + If you want to use these older versions, you can disable the check by running: + borg upgrade --disable-tam /media/backups/borgtest + + See https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability for details about the security implications. + + IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo! + Use "borg key export" to export the key, optionally in printable format. + Write down the passphrase. Store both at safe place(s). + + root@debian-nginx1:/media# ls -lash backups/ + total 12K + 4.0K drwxr-xr-x 3 root root 4.0K Apr 2 09:11 . + 4.0K drwxr-xr-x 4 root root 4.0K Apr 2 09:07 .. 
+ 4.0K drwx------ 3 root root 4.0K Apr 2 09:11 borgtest + + + +Now that's been initialized we will create our first compressed backup: + + + root@debian-nginx1:/media# borg create --stats --progress --compression lz4 /media/backups/borgtest::backup1 /media/myimportantfiles/ + Enter passphrase for key /media/backups/borgtest: + ------------------------------------------------------------------------------ + Archive name: backup1 + Archive fingerprint: 471fe9af1851ad679484fe12eef99afa5eb9f73be3272d57d866af12f2185b9e + Time (start): Fri, 2021-04-02 09:17:39 + Time (end): Fri, 2021-04-02 09:17:48 + Duration: 9.39 seconds + Number of files: 5 + Utilization of max. archive size: 0% + ------------------------------------------------------------------------------ + Original size Compressed size Deduplicated size + This archive: 457.35 MB 459.15 MB 459.15 MB + All archives: 457.35 MB 459.15 MB 459.15 MB + + Unique chunks Total chunks + Chunk index: 189 189 + ------------------------------------------------------------------------------ + + + +And here we have a basic backup of our important files, however let's check out what happens when we add in a new file: + + + root@debian-nginx1:/media# cat /dev/urandom > /media/myimportantfiles/VERYIMPORTANTFILE.RAW + ^C + root@debian-nginx1:/media# ls -lash myimportantfiles/ + total 481M + 4.0K drwxr-xr-x 2 root root 4.0K Apr 2 09:22 . + 4.0K drwxr-xr-x 4 root root 4.0K Apr 2 09:07 .. 
+ 45M -rw-r--r-- 1 root root 45M Apr 2 09:22 VERYIMPORTANTFILE.RAW + 41M -rw-r--r-- 1 root root 41M Apr 2 09:04 importantfile1.raw + 44M -rw-r--r-- 1 root root 44M Apr 2 09:04 importantfile2.raw + 120M -rw-r--r-- 1 root root 120M Apr 2 09:04 importantfile3.raw + 103M -rw-r--r-- 1 root root 103M Apr 2 09:04 importantfile4.raw + 130M -rw-r--r-- 1 root root 130M Apr 2 09:05 importantfile5.raw + + + +Now we create a second backup of it and check out the Duration: + + + + root@debian-nginx1:/media# borg create --stats --progress --compression lz4 /media/backups/borgtest::backup2 /media/myimportantfiles/ + Enter passphrase for key /media/backups/borgtest: + ------------------------------------------------------------------------------ + Archive name: backup2 + Archive fingerprint: a522d92d01e078f30a2b331dfe595926fc9e33400236a6def931d06fe2136704 + Time (start): Fri, 2021-04-02 09:23:47 + Time (end): Fri, 2021-04-02 09:23:51 + Duration: 4.07 seconds + Number of files: 6 + Utilization of max. archive size: 0% + ------------------------------------------------------------------------------ + Original size Compressed size Deduplicated size + This archive: 504.31 MB 506.29 MB 47.15 MB + All archives: 961.66 MB 965.44 MB 506.30 MB + + Unique chunks Total chunks + Chunk index: 214 401 + ------------------------------------------------------------------------------ + + + +Basically what happened here was that borg noticed that most files didn't change, and deduplicated them.i This is also true if you move/rename directories, borg will still recognize the files recursively and deduplicate them accordingly. 
Now let's take a look at our borg repo: + + + + root@debian-nginx1:/media# borg list /media/backups/borgtest/ + README config data/ hints.8 index.8 integrity.8 nonce + root@debian-nginx1:/media# borg list /media/backups/borgtest/ + Enter passphrase for key /media/backups/borgtest: + backup1 Fri, 2021-04-02 09:17:39 [471fe9af1851ad679484fe12eef99afa5eb9f73be3272d57d866af12f2185b9e] + backup2 Fri, 2021-04-02 09:23:47 [a522d92d01e078f30a2b331dfe595926fc9e33400236a6def931d06fe2136704] + + + +Here we see our 2 backups, but let's use the same command to look at what is INSIDE of our backups: + + + root@debian-nginx1:/media# borg list /media/backups/borgtest/::backup1 + Enter passphrase for key /media/backups/borgtest: + drwxr-xr-x root root 0 Fri, 2021-04-02 09:05:28 media/myimportantfiles + -rw-r--r-- root root 42889216 Fri, 2021-04-02 09:04:45 media/myimportantfiles/importantfile1.raw + -rw-r--r-- root root 46006272 Fri, 2021-04-02 09:04:48 media/myimportantfiles/importantfile2.raw + -rw-r--r-- root root 125173760 Fri, 2021-04-02 09:04:51 media/myimportantfiles/importantfile3.raw + -rw-r--r-- root root 107610112 Fri, 2021-04-02 09:04:59 media/myimportantfiles/importantfile4.raw + -rw-r--r-- root root 135659520 Fri, 2021-04-02 09:05:02 media/myimportantfiles/importantfile5.raw + + root@debian-nginx1:/media# borg list /media/backups/borgtest/::backup2 + Enter passphrase for key /media/backups/borgtest: + drwxr-xr-x root root 0 Fri, 2021-04-02 09:22:21 media/myimportantfiles + -rw-r--r-- root root 42889216 Fri, 2021-04-02 09:04:45 media/myimportantfiles/importantfile1.raw + -rw-r--r-- root root 46006272 Fri, 2021-04-02 09:04:48 media/myimportantfiles/importantfile2.raw + -rw-r--r-- root root 125173760 Fri, 2021-04-02 09:04:51 media/myimportantfiles/importantfile3.raw + -rw-r--r-- root root 107610112 Fri, 2021-04-02 09:04:59 media/myimportantfiles/importantfile4.raw + -rw-r--r-- root root 135659520 Fri, 2021-04-02 09:05:02 media/myimportantfiles/importantfile5.raw + 
-rw-r--r-- root root 46956544 Fri, 2021-04-02 09:22:22 media/myimportantfiles/VERYIMPORTANTFILE.RAW + + + +And here we visually see the difference, our second backup contains our new important file. Now let's change the name of our importantfile, and then use borg to export our importantfile and then compare the 2: + + + root@debian-nginx1:/media/myimportantfiles# mv VERYIMPORTANTFILE.RAW VERYIMPORTANTFILE_COPY.RAW + + root@debian-nginx1:/media/myimportantfiles# cd .. + + root@debian-nginx1:/media# borg extract /media/backups/borgtest/::backup2 media/myimportantfiles/VERYIMPORTANTFILE.RAW + Enter passphrase for key /media/backups/borgtest: + root@debian-nginx1:/media# ls + backups media myimportantfiles + root@debian-nginx1:/media# ls -lash myimportantfiles/ + total 481M + 4.0K drwxr-xr-x 2 root root 4.0K Apr 2 09:32 . + 4.0K drwxr-xr-x 5 root root 4.0K Apr 2 09:35 .. + 45M -rw-r--r-- 1 root root 45M Apr 2 09:22 VERYIMPORTANTFILE_COPY.RAW + 41M -rw-r--r-- 1 root root 41M Apr 2 09:04 importantfile1.raw + 44M -rw-r--r-- 1 root root 44M Apr 2 09:04 importantfile2.raw + 120M -rw-r--r-- 1 root root 120M Apr 2 09:04 importantfile3.raw + 103M -rw-r--r-- 1 root root 103M Apr 2 09:04 importantfile4.raw + 130M -rw-r--r-- 1 root root 130M Apr 2 09:05 importantfile5.raw + + root@debian-nginx1:/media# md5sum media/myimportantfiles/VERYIMPORTANTFILE.RAW myimportantfiles/VERYIMPORTANTFILE_COPY.RAW + 9223c91edef81e0118082e077066ea1e media/myimportantfiles/VERYIMPORTANTFILE.RAW + 9223c91edef81e0118082e077066ea1e myimportantfiles/VERYIMPORTANTFILE_COPY.RAW + + + +And here we see that our backup'd very important file got exported out, and it is the same as our copy. Now what if we want to create backups but remotely ? + +![]() + +## **Remote Borg backups via SSH** + +As the title implies, we want to have a working SSH connection to make our backups regularly: + + + + root@debian-nginx1:/media# apt install openssh-server + Reading package lists... 
Done + Building dependency tree + Reading state information... Done + openssh-server is already the newest version (1:7.9p1-10+deb10u2). + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + + rm /etc/ssh/sshd_config + wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/sshd_config -O /etc/ssh/sshd_config + systemctl restart sshd + + + +Here my config will basically enable root login and allow the ssh client to use the ssh key to login. + + + root@debian-nginx1:~# cd ~/.ssh + root@debian-nginx1:~/.ssh# ssh-keygen -t ed25519 + Generating public/private ed25519 key pair. + Enter file in which to save the key (/root/.ssh/id_ed25519): id2_ed25519 + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in id2_ed25519. + Your public key has been saved in id2_ed25519.pub. + The key fingerprint is: + SHA256:YDvJ5BcAxWdVrAJaOez4k97x8c42OO9wtyl4PsmN5Lc root@debian-nginx1 + The key's randomart image is: + +--[ED25519 256]--+ + | .=o. ..o. | + | B.o . | + | =+=. . | + | o=.+... | + | .*.S. | + | +o. . . | + | . o o.O.+. | + | . . =+%.oo | + | O*=E. | + +----[SHA256]-----+ + + + +Now the idea here is to move the private ssh key called 'id2_ed25519' to the ssh client's ~/.ssh directory: + +![](1.png) + +Now that we're able to login via ssh, we can do our remote backups from debian2 to debian1: + +![](2.png) + + + Last login: Fri Apr 2 09:43:34 2021 from 192.168.0.99 + root@debian-nginx1:~# exit + logout + Connection to 192.168.0.150 closed. + root@debian-nginx2:~/.ssh# apt install borgbackup -y + Reading package lists... Done + Building dependency tree + Reading state information... 
Done + The following additional packages will be installed: + fuse libb2-1 libfuse2 libgomp1 python3-llfuse python3-msgpack + Suggested packages: + borgbackup-doc python-llfuse-doc + The following NEW packages will be installed: + borgbackup fuse libb2-1 libfuse2 libgomp1 python3-llfuse python3-msgpack + 0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded. + + root@debian-nginx2:~/.ssh# borg -V + borg 1.1.9 + + + +Now we create our remote borg backup repository on our remote host (debian1) into /media/backups/ + + + root@debian-nginx2:~/.ssh# borg init --encryption=repokey root@192.168.0.150:/media/backups/remoteborgtest + Enter new passphrase: + Enter same passphrase again: + Do you want your passphrase to be displayed for verification? [yN]: n + + By default repositories initialized with this version will produce security + errors if written to with an older version (up to and including Borg 1.0.8). + + If you want to use these older versions, you can disable the check by running: + borg upgrade --disable-tam ssh://root@192.168.0.150/media/backups/remoteborgtest + + See https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability for details about the security implications. + + IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo! + Use "borg key export" to export the key, optionally in printable format. + Write down the passphrase. Store both at safe place(s). + + + +Now with this we created our remote borg backup repository remotely through our previously setup SSH connection. 
So let's actually make a few backups + + + root@debian-nginx2:~# borg create --stats --progress --compression lz4 root@192.168.0.150:/media/backups/remoteborgtest::backup1 /root/ + Enter passphrase for key ssh://root@192.168.0.150/media/backups/remoteborgtest: + ------------------------------------------------------------------------------ + Archive name: backup1 + Archive fingerprint: 0e46814dc791d5b0ab7755680288528bfb4a46bce8b6d4e0d9cd2b2b26a5d1ab + Time (start): Fri, 2021-04-02 10:30:31 + Time (end): Fri, 2021-04-02 10:30:31 + Duration: 0.21 seconds + Number of files: 16 + Utilization of max. archive size: 0% + ------------------------------------------------------------------------------ + Original size Compressed size Deduplicated size + This archive: 501.56 kB 223.19 kB 223.19 kB + All archives: 501.56 kB 223.19 kB 223.19 kB + + Unique chunks Total chunks + Chunk index: 17 17 + ------------------------------------------------------------------------------ + + root@debian-nginx2:~# borg list root@192.168.0.150:/media/backups/remoteborgtest + Enter passphrase for key ssh://root@192.168.0.150/media/backups/remoteborgtest: + backup1 Fri, 2021-04-02 10:30:31 [0e46814dc791d5b0ab7755680288528bfb4a46bce8b6d4e0d9cd2b2b26a5d1ab] + + root@debian-nginx2:~# borg list root@192.168.0.150:/media/backups/remoteborgtest::backup1 + Enter passphrase for key ssh://root@192.168.0.150/media/backups/remoteborgtest: + drwx------ root root 0 Fri, 2021-04-02 10:27:01 root + -rw-r--r-- root root 570 Sun, 2010-01-31 11:52:26 root/.bashrc + -rw-r--r-- root root 148 Mon, 2015-08-17 15:30:33 root/.profile + -rw------- root root 9584 Fri, 2021-04-02 09:56:15 root/.viminfo + -rw------- root root 2900 Fri, 2021-04-02 09:43:31 root/.bash_history + -rwxr-xr-x root root 344 Fri, 2021-04-02 08:10:31 root/backup.sh + -rw------- root root 1944 Sat, 2021-03-20 12:46:21 root/.mysql_history + -rw-r--r-- root root 480150 Sat, 2021-03-20 10:29:39 root/masterdump.sql + drwx------ root root 0 Fri, 
2021-04-02 10:27:00 root/.config + drwx------ root root 0 Fri, 2021-04-02 10:27:00 root/.config/borg + drwx------ root root 0 Fri, 2021-04-02 10:27:00 root/.config/borg/security + drwx------ root root 0 Fri, 2021-04-02 10:30:31 root/.config/borg/security/3d40bd9e90f347db8e1d23cbaa37afc4a6ce1f0e3fa8d1599e80b64d55ef0b42 + -rw------- root root 0 Fri, 2021-04-02 10:27:01 root/.config/borg/security/3d40bd9e90f347db8e1d23cbaa37afc4a6ce1f0e3fa8d1599e80b64d55ef0b42/tam_required + -rw------- root root 1 Fri, 2021-04-02 10:27:01 root/.config/borg/security/3d40bd9e90f347db8e1d23cbaa37afc4a6ce1f0e3fa8d1599e80b64d55ef0b42/key-type + -rw------- root root 26 Fri, 2021-04-02 10:27:01 root/.config/borg/security/3d40bd9e90f347db8e1d23cbaa37afc4a6ce1f0e3fa8d1599e80b64d55ef0b42/manifest-timestamp + -rw------- root root 53 Fri, 2021-04-02 10:27:01 root/.config/borg/security/3d40bd9e90f347db8e1d23cbaa37afc4a6ce1f0e3fa8d1599e80b64d55ef0b42/location + -rw------- root root 16 Fri, 2021-04-02 10:30:31 root/.config/borg/security/3d40bd9e90f347db8e1d23cbaa37afc4a6ce1f0e3fa8d1599e80b64d55ef0b42/nonce + drwx------ root root 0 Fri, 2021-04-02 10:27:01 root/.cache + drwxr-xr-x root root 0 Fri, 2021-04-02 10:08:55 root/.ssh + -rw------- root root 411 Fri, 2021-04-02 07:20:42 root/.ssh/id_ed25519 + -rw-r--r-- root root 222 Fri, 2021-04-02 07:27:57 root/.ssh/known_hosts + -rw------- root root 411 Fri, 2021-04-02 09:45:10 root/.ssh/id2_ed25519 + drwxr-xr-x root root 0 Fri, 2021-04-02 07:42:13 root/myveryimportantdirectory + -rw-r--r-- root root 21 Fri, 2021-04-02 07:42:13 root/myveryimportantdirectory/myveryimportanttext.txt + + + + +And that's it! 
we have been able to create remote backups thanks to our SSH Connection + +## **Advanced Borg usage:** + +First of all we can setup environnement variables for borg, as well as use name placeholders in the backup name: + + + root@debian-nginx1:/media/backups# export BORG_REPO='/media/backups/borgtest' + root@debian-nginx1:/media/backups# export BORG_PASSPHRASE='myverysecretpassword' + + root@debian-nginx1:/media/backups# borg create --stats --progress --compression lz4 ::{user}-{now} /tmp/ + Enter passphrase for key /media/backups/borgtest: + ------------------------------------------------------------------------------ + Archive name: root-2021-04-02T14:32:42 + Archive fingerprint: 7e0547c76922aab5429d3114a41ed355fd068884fefcbcd068e9cfd134979a5b + Time (start): Fri, 2021-04-02 14:32:45 + Time (end): Fri, 2021-04-02 14:32:45 + Duration: 0.09 seconds + Number of files: 0 + Utilization of max. archive size: 0% + ------------------------------------------------------------------------------ + Original size Compressed size Deduplicated size + This archive: 1.09 kB 699 B 699 B + All archives: 961.66 MB 965.44 MB 506.30 MB + + Unique chunks Total chunks + Chunk index: 216 403 + ------------------------------------------------------------------------------ + + + + +Here you can see the backup name **root-2021-04-02T14:32:42** so this means that our placeholders got replaced correctly. 
+ +Another cool usecase is that we can even backup an entire device (/dev/sda for example) via stdin thanks to the dd binary: + + + root@debian-nginx1:/media/backups# dd if=/dev/sda1 bs=10M | borg create --progress --stats ::sda1-backup2 - + dd: failed to open '/dev/sda1': No such file or directory + Enter passphrase for key /media/backups/borgtest: + ------------------------------------------------------------------------------ + Archive name: sda1-backup2 + Archive fingerprint: 7e2381b63ec212a5d94fab07206f88e438593fb44cbfcfaa8564d2c0cf9cc3b0 + Time (start): Fri, 2021-04-02 14:39:57 + Time (end): Fri, 2021-04-02 14:39:57 + Duration: 0.02 seconds + Number of files: 1 + Utilization of max. archive size: 0% + ------------------------------------------------------------------------------ + Original size Compressed size Deduplicated size + This archive: 553 B 598 B 598 B + All archives: 961.66 MB 965.44 MB 506.30 MB + + Unique chunks Total chunks + Chunk index: 220 407 + ------------------------------------------------------------------------------ + + + +we can also display the last backup info: + + + root@debian-nginx1:/media/backups# borg info :: --last 1 + Enter passphrase for key /media/backups/borgtest: + Archive name: sda1-backup2 + Archive fingerprint: 7e2381b63ec212a5d94fab07206f88e438593fb44cbfcfaa8564d2c0cf9cc3b0 + Comment: + Hostname: debian-nginx1 + Username: root + Time (start): Fri, 2021-04-02 14:39:57 + Time (end): Fri, 2021-04-02 14:39:57 + Duration: 0.02 seconds + Number of files: 1 + Command line: /usr/bin/borg create --progress --stats ::sda1-backup2 - + Utilization of maximum supported archive size: 0% + ------------------------------------------------------------------------------ + Original size Compressed size Deduplicated size + This archive: 0 B 0 B 598 B + All archives: 961.66 MB 965.44 MB 506.30 MB + + Unique chunks Total chunks + Chunk index: 220 407 + + + +We can rename our last backup like so: + + + root@debian-nginx1:/media/backups# borg 
rename ::sda1-backup2 backup-sda1 + Enter passphrase for key /media/backups/borgtest: + root@debian-nginx1:/media/backups# borg list + Enter passphrase for key /media/backups/borgtest: + backup1 Fri, 2021-04-02 09:17:39 [471fe9af1851ad679484fe12eef99afa5eb9f73be3272d57d866af12f2185b9e] + backup2 Fri, 2021-04-02 09:23:47 [a522d92d01e078f30a2b331dfe595926fc9e33400236a6def931d06fe2136704] + root-2021-04-02T14:32:42 Fri, 2021-04-02 14:32:45 [7e0547c76922aab5429d3114a41ed355fd068884fefcbcd068e9cfd134979a5b] + sda1-backup Fri, 2021-04-02 14:39:01 [77b606adbc7e922837c9221239889c51ad65cbc8a6d5bb02849779061e0c27c9] + **backup-sda1 Fri, 2021-04-02 14:39:57 [6dcee1382b20b3dffeaa28c6cb5dfd9a84da47b0489342755564fdadc6ad8cfc]** + + + +And as you can see, our backup got renamed. If you choose keyfile mode (where the keyfile is only saved locally) you can export your keyfile like so: + + + root@debian-nginx1:/media/backups# borg key export :: --paper + To restore key use borg key import --paper /path/to/repo + + BORG PAPER KEY v1 + id: 20 / a7f01e 1ca46b a824f6 / d17fc3 81f204 - fe + 1: 86a961 6c676f 726974 686da6 736861 323536 - 14 + 2: a46461 7461da 00de49 e8ea93 465aab 15b198 - d2 + 3: 65c814 5d7578 e0b139 a0eba9 a410e2 ac836a - 2c + 4: 221068 e8133b a34960 f83c08 f9ef43 b8093a - 16 + 5: b09b12 603e82 0ecb19 283cf4 fbb27b 33b697 - ab + 6: ba3abe a85324 131410 16bc73 e7213f 978eb4 - 9a + 7: 33f39f 24b0e8 bade94 ec5466 c11ce0 8f55d8 - 65 + 8: 9b7b70 27b88d f42a4b 445106 016499 a19166 - ab + 9: d4a49a 03c2e9 b9fd89 be6f08 d87ff0 8d9a6e - 3f + 10: 7030aa 578b3d db42f3 30f69b 259729 a943e7 - fb + 11: 28595b 8e49dd 7bb9ef 5a42a6 6e9def 8d2e35 - 07 + 12: a3a387 d39140 7232a1 a56d1f 20e31a 54e579 - 3e + 13: 2b2adc 1048cf d2508b 760fe3 8828a0 2d5d2a - ea + 14: eda9bc 8de122 406245 51590f 11faa4 686173 - db + 15: 68da00 20093b 541707 0374c7 7d5d41 1453e0 - 93 + 16: 3151b0 081588 c4fe9c 763c99 6b7b8b 2e08d1 - e5 + 17: aa6974 657261 74696f 6e73ce 000186 a0a473 - 15 + 18: 616c74 da0020 
e3859c ea8c8b a59485 cea65f - c7 + 19: 36ad5b df0ba0 8d4584 85c535 4b71f3 43e8ad - 38 + 20: 5ffaa7 766572 73696f 6e01 - c6 + + + +With this you can do a manual input only backup. If you want to check if your backups are fine, use the following: + + + root@debian-nginx1:/media/backups# borg check -v :: + Starting repository check + Starting repository index check + Completed repository check, no problems found. + Starting archive consistency check... + Enter passphrase for key /media/backups/borgtest: + Analyzing archive backup1 (1/5) + Analyzing archive backup2 (2/5) + Analyzing archive root-2021-04-02T14:32:42 (3/5) + Analyzing archive sda1-backup (4/5) + Analyzing archive backup-sda1 (5/5) + Archive consistency check complete, no problems found. + + + +Here you can also check the difference between 2 backups, what got added or deleted: + + + root@debian-nginx1:/media/backups# borg list + Enter passphrase for key /media/backups/borgtest: + backup1 Fri, 2021-04-02 09:17:39 [471fe9af1851ad679484fe12eef99afa5eb9f73be3272d57d866af12f2185b9e] + backup2 Fri, 2021-04-02 09:23:47 [a522d92d01e078f30a2b331dfe595926fc9e33400236a6def931d06fe2136704] + root-2021-04-02T14:32:42 Fri, 2021-04-02 14:32:45 [7e0547c76922aab5429d3114a41ed355fd068884fefcbcd068e9cfd134979a5b] + sda1-backup Fri, 2021-04-02 14:39:01 [77b606adbc7e922837c9221239889c51ad65cbc8a6d5bb02849779061e0c27c9] + backup-sda1 Fri, 2021-04-02 14:39:57 [6dcee1382b20b3dffeaa28c6cb5dfd9a84da47b0489342755564fdadc6ad8cfc] + root@debian-nginx1:/media/backups# borg diff ::backup-sda1 sda1-backup + Enter passphrase for key /media/backups/borgtest: + + root@debian-nginx1:/media/backups# borg diff ::backup1 backup2 + Enter passphrase for key /media/backups/borgtest: + added 46.96 MB media/myimportantfiles/VERYIMPORTANTFILE.RAW + + + + +Here we see that the **backup-sda1** and **sda1-backup** backups are the same, however **backup1** and **backup2** have our veryimportantfile.raw file that got added as the difference. 
+ +You can either export the data from a backup as a whole or you can also just export it as a tar file like so: + + + root@debian-nginx1:/media/backups# borg export-tar --progress ::backup2 backup.tar.gz + Enter passphrase for key /media/backups/borgtest: + root@debian-nginx1:/media/backups# ls -lash + total 482M + 4.0K drwxr-xr-x 4 root root 4.0K Apr 2 15:05 . + 4.0K drwxr-xr-x 5 root root 4.0K Apr 2 09:35 .. + 482M -rw------- 1 root root 482M Apr 2 15:06 backup.tar.gz + 4.0K drwx------ 3 root root 4.0K Apr 2 15:06 borgtest + 4.0K drwx------ 3 root root 4.0K Apr 2 10:31 remoteborgtest + + + +Now from there you can also mount a backup or even the whole repository: + + + root@debian-nginx1:/media/backups# mkdir /tmp/mount + root@debian-nginx1:/media/backups# borg mount :: /tmp/mount + root@debian-nginx1:/media/backups# borg umount /tmp/mount + + + +To do that however you need access to the host OS, a LXC container isn't going to do it. For more information, check out borgbackup's [documentation](https://borgbackup.readthedocs.io/en/stable/). + diff --git a/borg_auto/0.png b/borg_auto/0.png new file mode 100644 index 0000000..05d8946 Binary files /dev/null and b/borg_auto/0.png differ diff --git a/borg_auto/index.md b/borg_auto/index.md new file mode 100644 index 0000000..a7ef4b1 --- /dev/null +++ b/borg_auto/index.md 
@@ -0,0 +1,257 @@
+# borg_auto Setup
+
+![](0.png)
+
+## **Initial Setup**
+
+![]()
+
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → useradd borg
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → passwd borg
+ New password:
+ Retype new password:
+ passwd: password updated successfully
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → mkdir /backups
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → mkdir /backups
+ mkdir: cannot create directory ‘/backups’: File exists
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → chown -R borg:borg /backups
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → tree /backups
+ /backups
+ ├── gitea
+ ├── kanboard
+ ├── lain
+ ├── tf2
+ ├── void.yt
+ └── zabbix
+
+ 6 directories, 0 files
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → apt update -y ; apt upgrade -y ; apt install borgbackup openssh-server -y
+
+
+
+
+ [ Temple ] [ /dev/pts/1 ] [~borg/.ssh]
+ → wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/sshd_config -O /etc/ssh/sshd_config
+
+ [ Temple ] [ /dev/pts/1 ] [~borg/.ssh]
+ → systemctl restart ssh
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → mkdir -p /home/borg/.ssh/
+
+ [ Temple ] [ /dev/pts/1 ] [/backups]
+ → cd /home/borg/.ssh/
+
+
+
+Then simply create ssh keys of the clients that need to connect to the server:
+
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → ssh-keygen -t ed25519
+ Generating public/private ed25519 key pair.
+ Enter file in which to save the key (/root/.ssh/id_ed25519):
+ Enter passphrase (empty for no passphrase):
+ Enter same passphrase again:
+ Your identification has been saved in /root/.ssh/id_ed25519.
+ Your public key has been saved in /root/.ssh/id_ed25519.pub.
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → cat /root/.ssh/id_ed25519.pub
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHiRId0rF7zyfZGNHqck7vm8yLzhlPyHDEOvERxLGDfb root@home
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → vim config
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → cat config | head -n4
+ Host backup
+ Hostname backup.void.yt
+ IdentityFile ~/.ssh/id_ed25519
+ User borg
+
+
+
+Then add it to the server and test the connection:
+
+
+ [ Temple ] [ /dev/pts/1 ] [~borg/.ssh]
+ → echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHiRId0rF7zyfZGNHqck7vm8yLzhlPyHDEOvERxLGDfb root@home" >> authorized_keys
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → apt install borgbackup -y
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → ssh backup
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ $ pwd
+ /home/borg
+
+
+
+Now that's done, we can start backuping what we need:
+
+## **Setup**
+
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → borg init --encryption=repokey backup:/backups/void.yt/
+ Enter new passphrase:
+ Enter same passphrase again:
+ Do you want your passphrase to be displayed for verification? [yN]: N
+
+ By default repositories initialized with this version will produce security
+ errors if written to with an older version (up to and including Borg 1.0.8).
+
+ If you want to use these older versions, you can disable the check by running:
+ borg upgrade --disable-tam ssh://backup/backups/void.yt
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → borg create --progress --stats backup:/backups/void.yt::backup-name /var/www/nextcloud/data/nothing/files
+ Enter passphrase for key ssh://backup/backups/void.yt:
+ 17.88 MB O 14.88 MB C 13.58 MB D 82 N var/www/nextcloud/data/nothing/files
+
+
+
+Now that is a manual backup done, however we want it to be non-interactive:
+
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → export BORG_PASSPHRASE='your repository password'
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~/.ssh]
+ → export BORG_REPO='backup:/backups/void.yt/'
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
+ → cat borg.sh
+ #!/bin/bash
+ # Backup a folder to a remote address using borg.
+ # Usage: backup-borg.sh
+ # To restore: borg extract $BORG_REPO::computer-and-date
+
+ set -eu
+ export BORG_REPO='backup:/backups/void.yt/'
+ export BORG_PASSPHRASE='password'
+
+ PATH_TO_BACKUP="/var/www/nextcloud/data/nothing/files/"
+
+ /usr/bin/borg create ::$(hostname)-$(date --iso-8601) $PATH_TO_BACKUP --stats --progress
+ /usr/bin/borg prune --keep-daily=7
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
+ → chmod +x borg.sh
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
+ → ./borg.sh
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
+ → borg list
+ home-2022-03-19 Sat, 2022-03-19 23:34:08 [f98c23b6e90e4d35937891e07f0f45c6e870248cb5ef18bebd7857c83a36ff80]
+
+
+
+Now to automate it, to make it run every day at night:
+
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
+ → crontab -e
+
+ 0 3 * * * "/root/borg.sh"
+
+ :wq
+
+ [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~]
+ → cronitor select
+
+ ✔ "/root/borg.sh"
+ ----► Running command: "/root/borg.sh"
+
+
+
+Now we write a script to check the backups automatically from the server:
+
+
+ [ Temple ] [ /dev/pts/1 ] [~]
+ → vim check_backups.sh
+
+ [ Temple ] [ /dev/pts/1 ] [~]
+ → cat check_backups.sh
+ #!/bin/bash
+
+
GREEN="\033[0;32m"
+ RED="\033[0;31m"
+ ORANGE="\033[0;33m"
+ NC="\033[0m"
+
+ export BORG_PASSPHRASE='password'
+ echo -en "\n${GREEN}[+]${NC} Gitea Backups:\n"
+ borg list /backups/gitea
+
+ echo -en "\n${GREEN}[+]${NC} Kanboard Backups:\n"
+ borg list /backups/kanboard
+
+ echo -en "\n${GREEN}[+]${NC} Lain Backups:\n"
+ borg list /backups/lain
+
+ echo -en "\n${GREEN}[+]${NC} Mainpc Backups:\n"
+ borg list /backups/mainpc
+
+ echo -en "\n${GREEN}[+]${NC} TF2 Backups:\n"
+ borg list /backups/tf2
+
+ echo -en "\n${GREEN}[+]${NC} void.yt Backups:\n"
+ borg list /backups/void.yt
+
+
+
+Then we test it:
+
+
+ [ Temple ] [ /dev/pts/1 ] [~]
+ → ./check_backups.sh
+
+ [+] Gitea Backups:
+ gitea-2022-03-28 Mon, 2022-03-28 20:22:20 [28866dd3b0597ac2d9e51eaac4bc637348a0f60e217983501dd517fbe482ab29]
+ gitea-2022-03-29 Tue, 2022-03-29 05:00:03 [1bdaa05b398f373df4eeeb383d57069d8d31e9270a444f8c2af2ad3745c69b59]
+
+ [+] Kanboard Backups:
+ kanboard-2022-03-28 Mon, 2022-03-28 19:01:31 [fa5f11ded525a779b3766260c2dc9a87296227b7790c0d9d46fc2cb90e91247e]
+ kanboard-2022-03-29 Tue, 2022-03-29 05:00:03 [a03049fc5ccc71be524377d80c8c314b67945b133b1869b9a69763167cfafc98]
+
+ [+] Lain Backups:
+ lain-2022-03-28 Mon, 2022-03-28 20:24:46 [37a09d909525ebd4be4d7eb198ee9d3dc1c4e07748535e0d3ebec646be81f565]
+ lain-2022-03-29 Tue, 2022-03-29 03:00:04 [188d8d588cd636de8abbd18ce110d437b0e585cc322956dd84fdb67ba888d490]
+
+ [+] Mainpc Backups:
+ Failed to create/acquire the lock /backups/mainpc/lock.exclusive (timeout).
+
+ [+] TF2 Backups:
+ tf2-2022-03-28 Mon, 2022-03-28 20:26:16 [ae3eeb3de9daa59118fc3f891497c6b97ac9ffec8c7c22592d13c2f5e4996d89]
+ tf2-2022-03-29 Tue, 2022-03-29 05:00:03 [fb2e5f00a129e7d452cdae9f3531209fc750d19ebda8549cbfe304442252a956]
+
+ [+] void.yt Backups:
+ home-2022-03-28 Mon, 2022-03-28 20:22:30 [e29ddefecd16999446220de76258b80674d398e6d24c116ab7c5fa7e2a394985]
+ home-2022-03-29 Tue, 2022-03-29 03:00:03 [f5b0e21c131a3ce885177e009e6864cb1dbfebb1953266e26509336ebfa815bd]
+
+
+
diff --git a/checkmk/1.png b/checkmk/1.png
new file mode 100644
index 0000000..1809fff
Binary files /dev/null and b/checkmk/1.png differ
diff --git a/checkmk/10.png b/checkmk/10.png
new file mode 100644
index 0000000..e82dd26
Binary files /dev/null and b/checkmk/10.png differ
diff --git a/checkmk/11.png b/checkmk/11.png
new file mode 100644
index 0000000..cf9340e
Binary files /dev/null and b/checkmk/11.png differ
diff --git a/checkmk/12.png b/checkmk/12.png
new file mode 100644
index 0000000..209c140
Binary files /dev/null and b/checkmk/12.png differ
diff --git a/checkmk/13.png b/checkmk/13.png
new file mode 100644
index 0000000..0b771a9
Binary files /dev/null and b/checkmk/13.png differ
diff --git a/checkmk/14.png b/checkmk/14.png
new file mode 100644
index 0000000..cd76385
Binary files /dev/null and b/checkmk/14.png differ
diff --git a/checkmk/15.png b/checkmk/15.png
new file mode 100644
index 0000000..6de00a4
Binary files /dev/null and b/checkmk/15.png differ
diff --git a/checkmk/16.png b/checkmk/16.png
new file mode 100644
index 0000000..63ba740
Binary files /dev/null and b/checkmk/16.png differ
diff --git a/checkmk/17.png b/checkmk/17.png
new file mode 100644
index 0000000..663f326
Binary files /dev/null and b/checkmk/17.png differ
diff --git a/checkmk/18.png b/checkmk/18.png
new file mode 100644
index 0000000..36de9e8
Binary files /dev/null and b/checkmk/18.png differ
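Review bot: The repository passphrase is written in clear text into both new scripts — `export BORG_PASSPHRASE='password'` in `/root/borg.sh` on the client and again in `check_backups.sh` on the backup server — and the hunk never tightens their file modes (only `chmod +x borg.sh`), so any read access to those files, or a `set -x` trace landing in cron mail, exposes the key to every archive; keeping it in a mode-0600 file and pointing borg at it with `export BORG_PASSCOMMAND='cat /root/.borg-passphrase'` takes it out of the script, and not placing it on the server at all preserves the property that the storage host cannot decrypt the backups it holds. The `authorized_keys` entry appended for the client is unrestricted, so a compromised client (or anyone who copies its `id_ed25519`) gets a plain shell as `borg` and can delete or prune every repository under `/backups`, not just `void.yt`; prefixing the key with `command="borg serve --restrict-to-path /backups/void.yt --append-only",restrict ` confines it to one repository and makes client-side deletion reversible, with the `borg prune --keep-daily=7` step then run from the server instead. A minor point in `borg.sh`: the expansions in `/usr/bin/borg create ::$(hostname)-$(date --iso-8601) $PATH_TO_BACKUP --stats --progress` are unquoted and should read `"::$(hostname)-$(date --iso-8601)" "$PATH_TO_BACKUP"`.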
diff --git a/checkmk/19.png b/checkmk/19.png
new file mode 100644
index 0000000..eebd701
Binary files /dev/null and b/checkmk/19.png differ
diff --git a/checkmk/2.png b/checkmk/2.png
new file mode 100644
index 0000000..b2ae18a
Binary files /dev/null and b/checkmk/2.png differ
diff --git a/checkmk/20.png b/checkmk/20.png
new file mode 100644
index 0000000..3c1dac2
Binary files /dev/null and b/checkmk/20.png differ
diff --git a/checkmk/21.png b/checkmk/21.png
new file mode 100644
index 0000000..2594b63
Binary files /dev/null and b/checkmk/21.png differ
diff --git a/checkmk/22.png b/checkmk/22.png
new file mode 100644
index 0000000..bc7a2e1
Binary files /dev/null and b/checkmk/22.png differ
diff --git a/checkmk/23.png b/checkmk/23.png
new file mode 100644
index 0000000..62956ae
Binary files /dev/null and b/checkmk/23.png differ
diff --git a/checkmk/24.png b/checkmk/24.png
new file mode 100644
index 0000000..9708466
Binary files /dev/null and b/checkmk/24.png differ
diff --git a/checkmk/25.png b/checkmk/25.png
new file mode 100644
index 0000000..c598bb5
Binary files /dev/null and b/checkmk/25.png differ
diff --git a/checkmk/26.png b/checkmk/26.png
new file mode 100644
index 0000000..7cba621
Binary files /dev/null and b/checkmk/26.png differ
diff --git a/checkmk/27.png b/checkmk/27.png
new file mode 100644
index 0000000..05754d0
Binary files /dev/null and b/checkmk/27.png differ
diff --git a/checkmk/28.png b/checkmk/28.png
new file mode 100644
index 0000000..0e5b41a
Binary files /dev/null and b/checkmk/28.png differ
diff --git a/checkmk/29.png b/checkmk/29.png
new file mode 100644
index 0000000..123bd24
Binary files /dev/null and b/checkmk/29.png differ
diff --git a/checkmk/3.png b/checkmk/3.png
new file mode 100644
index 0000000..a7efe11
Binary files /dev/null and b/checkmk/3.png differ
diff --git a/checkmk/30.png b/checkmk/30.png
new file mode 100644
index 0000000..1d077f8
Binary files /dev/null and b/checkmk/30.png differ
diff --git a/checkmk/31.png b/checkmk/31.png
new file mode 100644
index 0000000..72a8566
Binary files /dev/null and b/checkmk/31.png differ
diff --git a/checkmk/32.png b/checkmk/32.png
new file mode 100644
index 0000000..90f9d55
Binary files /dev/null and b/checkmk/32.png differ
diff --git a/checkmk/33.png b/checkmk/33.png
new file mode 100644
index 0000000..a4925d9
Binary files /dev/null and b/checkmk/33.png differ
diff --git a/checkmk/34.png b/checkmk/34.png
new file mode 100644
index 0000000..18f1229
Binary files /dev/null and b/checkmk/34.png differ
diff --git a/checkmk/35.png b/checkmk/35.png
new file mode 100644
index 0000000..fdf0dae
Binary files /dev/null and b/checkmk/35.png differ
diff --git a/checkmk/36.png b/checkmk/36.png
new file mode 100644
index 0000000..08d5190
Binary files /dev/null and b/checkmk/36.png differ
diff --git a/checkmk/4.png b/checkmk/4.png
new file mode 100644
index 0000000..8ac27d1
Binary files /dev/null and b/checkmk/4.png differ
diff --git a/checkmk/5.png b/checkmk/5.png
new file mode 100644
index 0000000..c1a4367
Binary files /dev/null and b/checkmk/5.png differ
diff --git a/checkmk/6.png b/checkmk/6.png
new file mode 100644
index 0000000..08c6041
Binary files /dev/null and b/checkmk/6.png differ
diff --git a/checkmk/7.png b/checkmk/7.png
new file mode 100644
index 0000000..d8460ba
Binary files /dev/null and b/checkmk/7.png differ
diff --git a/checkmk/8.png b/checkmk/8.png
new file mode 100644
index 0000000..477502e
Binary files /dev/null and b/checkmk/8.png differ
diff --git a/checkmk/9.png b/checkmk/9.png
new file mode 100644
index 0000000..26a17fe
Binary files /dev/null and b/checkmk/9.png differ
diff --git a/checkmk/index.md b/checkmk/index.md
new file mode 100644
index 0000000..fb6734a
--- /dev/null
+++ b/checkmk/index.md
@@ -0,0 +1,219 @@
+# CheckMK Setup
+
+![]()
+
+## **Initial Setup:**
+
+
+ root@Monitoring:~# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.201/16 brd 10.0.255.255 scope global ens18
+ inet6 fe80::dc3e:91ff:feff:21c3/64 scope link
+ root@Monitoring:~# apt update -y ; apt upgrade -y
+
+
+
+![](1.png)
+
+
+ root@Monitoring:~# wget https://download.checkmk.com/checkmk/2.0.0p3/check-mk-raw-2.0.0p3_0.buster_amd64.deb
+ --2021-04-25 16:30:48-- https://download.checkmk.com/checkmk/2.0.0p3/check-mk-raw-2.0.0p3_0.buster_amd64.deb
+ Resolving download.checkmk.com (download.checkmk.com)... 116.202.64.85
+ Connecting to download.checkmk.com (download.checkmk.com)|116.202.64.85|:443... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 120673662 (115M) [application/x-debian-package]
+ Saving to: ‘check-mk-raw-2.0.0p3_0.buster_amd64.deb’
+
+ check-mk-raw-2.0.0p3_0.buster_amd64 100%[=================================================================>] 115.08M 4.60MB/s in 26s
+
+ 2021-04-25 16:31:14 (4.50 MB/s) - ‘check-mk-raw-2.0.0p3_0.buster_amd64.deb’ saved [120673662/120673662]
+
+ root@Monitoring:~# dpkg -i check-mk-raw-2.0.0p3_0.buster_amd64.deb
+ root@Monitoring:~# apt install -f
+ root@Monitoring:~# dpkg -i check-mk-raw-2.0.0p3_0.buster_amd64.deb
+
+
+
+
+ root@Monitoring:~# omd version
+ OMD - Open Monitoring Distribution Version 2.0.0p3.cre
+
+ root@Monitoring:~# omd create -u 6100 -g 180 mysite
+ Adding /opt/omd/sites/mysite/tmp to /etc/fstab.
+ Creating temporary filesystem /omd/sites/mysite/tmp...OK
+ Updating core configuration...
+ Generating configuration for core (type nagios)...Precompiling host checks...OK
+ OK
+ Restarting Apache...OK
+ Created new site mysite with version 2.0.0p3.cre.
+
+ The site can be started with omd start mysite.
+ The default web UI is available at http://Monitoring/mysite/
+
+ The admin user for the web applications is cmkadmin with password: CVnpP7xt
+ For command line administration of the site, log in with 'omd su mysite'.
+ After logging in, you can change the password for cmkadmin with 'htpasswd etc/htpasswd cmkadmin'.
+
+
+
+
+
+
+ root@Monitoring:~# su - mysite
+ OMD[mysite]:~$ omd start
+ Temporary filesystem already mounted
+ Starting mkeventd...OK
+ Starting rrdcached...OK
+ Starting npcd...OK
+ Starting nagios...OK
+ Starting apache...OK
+ Starting redis...OK
+ Initializing Crontab...OK
+
+ OMD[mysite]:~$ omd status
+ mkeventd: running
+ rrdcached: running
+ npcd: running
+ nagios: running
+ apache: running
+ redis: running
+ crontab: running
+ -----------------------
+ Overall state: running
+
+ OMD[mysite]:~$ omd config show
+ ADMIN_MAIL:
+ APACHE_MODE: own
+ APACHE_TCP_ADDR: 127.0.0.1
+ APACHE_TCP_PORT: 5000
+ AUTOSTART: on
+ CORE: nagios
+ LIVESTATUS_TCP: off
+ MKEVENTD: on
+ MKEVENTD_SNMPTRAP: off
+ MKEVENTD_SYSLOG: off
+ MKEVENTD_SYSLOG_TCP: off
+ MULTISITE_AUTHORISATION: on
+ MULTISITE_COOKIE_AUTH: on
+ NAGIOS_THEME: classicui
+ NSCA: off
+ PNP4NAGIOS: on
+ TMPFS: on
+
+
+
+![](2.png) ![](3.png) ![](4.png)
+
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/105 ] [~]
+ → ssh root@10.0.0.101
+ root@10.0.0.101's password:
+ Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Sun Apr 25 17:55:05 2021 from 10.0.0.10
+ root@home:~# cd /tmp
+ root@home:/tmp# wget http://10.0.0.201/mysite/check_mk/agents/check-mk-agent_2.0.0p3-1_all.deb
+ --2021-04-25 17:55:35-- http://10.0.0.201/mysite/check_mk/agents/check-mk-agent_2.0.0p3-1_all.deb
+ Connecting to 10.0.0.201:80... connected.
+ HTTP request sent, awaiting response... 200 OK
+ Length: 30166 (29K) [application/x-debian-package]
+ Saving to: ‘check-mk-agent_2.0.0p3-1_all.deb’
+
+ check-mk-agent_2.0.0p3-1_all.deb 100%[=================================================================>] 29.46K --.-KB/s in 0.001s
+
+ 2021-04-25 17:55:35 (42.3 MB/s) - ‘check-mk-agent_2.0.0p3-1_all.deb’ saved [30166/30166]
+
+ root@home:/tmp# dpkg -i check-mk-agent_2.0.0p3-1_all.deb
+ Selecting previously unselected package check-mk-agent.
+ (Reading database ... 54845 files and directories currently installed.)
+ Preparing to unpack check-mk-agent_2.0.0p3-1_all.deb ...
+ Unpacking check-mk-agent (2.0.0p3-1) ...
+ Setting up check-mk-agent (2.0.0p3-1) ...
+ Enable Checkmk Agent in systemd...
+ Created symlink /etc/systemd/system/sockets.target.wants/check_mk.socket → /etc/systemd/system/check_mk.socket.
+
+
+
+
+![](5.png) ![](6.png) ![](7.png) ![](8.png) ![](9.png) ![](10.png) ![](11.png)
+
+Adding a windows host:
+
+![](12.png) ![](13.png) ![](14.png) ![](15.png) ![](16.png) ![](17.png) ![](18.png) ![](19.png) ![](20.png) ![](21.png) ![](22.png) ![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](30.png)
+
+
+ root@Monitoring:~# ping 10.0.0.203
+ PING 10.0.0.203 (10.0.0.203) 56(84) bytes of data.
+ 64 bytes from 10.0.0.203: icmp_seq=1 ttl=128 time=8.28 ms
+ 64 bytes from 10.0.0.203: icmp_seq=2 ttl=128 time=0.718 ms
+ 64 bytes from 10.0.0.203: icmp_seq=3 ttl=128 time=0.878 ms
+ 64 bytes from 10.0.0.203: icmp_seq=4 ttl=128 time=11.3 ms
+ 64 bytes from 10.0.0.203: icmp_seq=5 ttl=128 time=0.953 ms
+ 64 bytes from 10.0.0.203: icmp_seq=6 ttl=128 time=10.5 ms
+
+
+
+![](31.png) ![](32.png)
+
+Here you can see that my Windows 10 VM has a few problems, and now i know them thanks to my checkmk instance. Now for a non-standard linux system like Arch Linux:
+
+![](33.png) ![]()
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/127 ] [~/Downloads]
+ → ls -lash | grep check
+ 32K -rw-r--r-- 1 nothing nothing 30K Apr 27 17:10 check-mk-agent_2.0.0p3-1_all
+ 56K -rw-r--r-- 1 nothing nothing 56K Apr 27 18:46 check_mk_agent.linux
+ 4.0K -rw-r--r-- 1 nothing nothing 256 Apr 27 18:46 check_mk@.service
+ 4.0K -rw-r--r-- 1 nothing nothing 510 Apr 27 18:46 check_mk.socket
+
+ [ 10.0.0.10/16 ] [ /dev/pts/127 ] [~/Downloads]
+ → sudo mv check_mk@.service /etc/systemd/system/
+ [sudo] password for nothing:
+
+ [ 10.0.0.10/16 ] [ /dev/pts/127 ] [~/Downloads]
+ → sudo mv check_mk.socket /etc/systemd/system/
+
+ [ 10.0.0.10/16 ] [ /dev/pts/127 ] [~/Downloads]
+ → sudo systemctl daemon-reload
+
+ [ 10.0.0.10/16 ] [ /dev/pts/127 ] [~/Downloads]
+ → sudo mv check_mk_agent.linux /usr/bin/check_mk_agent
+
+ [ 10.0.0.10/16 ] [ /dev/pts/127 ] [~/Downloads]
+ → chmod +x /usr/bin/check_mk_agent
+
+ [ 10.0.0.10/16 ] [ /dev/pts/130 ] [/etc/systemd/system]
+ → systemctl enable --now check_mk.socket
+ ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
+ Authentication is required to start 'check_mk.socket'.
+ Authenticating as: nothing
+ Password:
+ ==== AUTHENTICATION COMPLETE ====
+ Created symlink /etc/systemd/system/sockets.target.wants/check_mk.socket → /etc/systemd/system/check_mk.socket.
+
+ [ 10.0.0.10/16 ] [ /dev/pts/130 ] [/etc/systemd/system]
+ → systemctl status check_mk.socket
+ ● check_mk.socket - Check_MK Agent Socket
+ Loaded: loaded (/etc/systemd/system/check_mk.socket; disabled; vendor preset: disabled)
+ Active: active (listening) since Tue 2021-04-27 18:55:53 CEST; 5s ago
+ Listen: [::]:6556 (Stream)
+ Accepted: 0; Connected: 0;
+ Tasks: 0 (limit: 38425)
+ Memory: 8.0K
+ CPU: 542us
+ CGroup: /system.slice/check_mk.socket
+
+ Apr 27 18:55:53 nowhere systemd[1]: Listening on Check_MK Agent Socket.
+
+
+And then simply add the host itself to your checkmk instance just like we did previously.
+
diff --git a/codimd/1.png b/codimd/1.png
new file mode 100644
index 0000000..1ce7a94
Binary files /dev/null and b/codimd/1.png differ
diff --git a/codimd/2.png b/codimd/2.png
new file mode 100644
index 0000000..5c89a19
Binary files /dev/null and b/codimd/2.png differ
diff --git a/codimd/3.png b/codimd/3.png
new file mode 100644
index 0000000..b8bc18b
Binary files /dev/null and b/codimd/3.png differ
diff --git a/codimd/4.png b/codimd/4.png
new file mode 100644
index 0000000..3b6c76c
Binary files /dev/null and b/codimd/4.png differ
diff --git a/codimd/5.png b/codimd/5.png
new file mode 100644
index 0000000..798bc6f
Binary files /dev/null and b/codimd/5.png differ
diff --git a/codimd/6.png b/codimd/6.png
new file mode 100644
index 0000000..1f06733
Binary files /dev/null and b/codimd/6.png differ
diff --git a/codimd/7.png b/codimd/7.png
new file mode 100644
index 0000000..9c3a354
Binary files /dev/null and b/codimd/7.png differ
diff --git a/codimd/8.png b/codimd/8.png
new file mode 100644
index 0000000..b895a2e
Binary files /dev/null and b/codimd/8.png differ
diff --git a/codimd/9.png b/codimd/9.png
new file mode 100644
index 0000000..751b2bc
Binary files /dev/null and b/codimd/9.png differ
diff --git a/codimd/index.md b/codimd/index.md
new file mode 100644
index 0000000..52b4a7b
--- /dev/null
+++ b/codimd/index.md
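Review bot: The `systemctl status check_mk.socket` output near the end of this hunk shows `Listen: [::]:6556 (Stream)`, i.e. the agent answers any client that can reach the host, and nothing in the walkthrough restricts it to the monitoring server at 10.0.0.201; the `systemctl enable --now check_mk.socket` step should be paired with a source restriction (an `IPAddressAllow=` line in the socket unit, or an equivalent host-firewall rule) so only the Checkmk site can pull agent data. The `omd create` transcript also reproduces the generated cmkadmin password verbatim, and the page never performs the `htpasswd etc/htpasswd cmkadmin` rotation that the same output recommends; a one-line step doing that before the first UI screenshot would close that gap. The agent package is fetched with `wget http://10.0.0.201/mysite/check_mk/agents/...` and installed as root with `dpkg -i`, so a sentence noting that this download is plaintext and should only be done on a trusted network (or over TLS once the site has a certificate) would help readers who follow the steps elsewhere.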
@@ -0,0 +1,250 @@
+# CodiMD Installation
+
+![]()
+
+In this tutorial we're going to setup a CodiMD instance behind a reverse NGINX proxy:
+
+## **Initial Setup**
+
+We're going to setup codimd via Docker, so install it like that:
+
+
+ root@docker0:~# apt search docker.io
+ Sorting... Done
+ Full Text Search... Done
+ docker-doc/stable,stable 18.09.1+dfsg1-7.1+deb10u2 all
+ Linux container runtime -- documentation
+
+ docker.io/stable,stable,now 18.09.1+dfsg1-7.1+deb10u2 amd64 [installed]
+ Linux container runtime
+
+ python-docker/stable 3.4.1-4 all
+ Python wrapper to access docker.io's control socket
+
+ python3-docker/stable,now 3.4.1-4 all [installed,automatic]
+ Python 3 wrapper to access docker.io's control socket
+
+ ruby-docker-api/stable 1.22.2-1 all
+ Ruby gem to interact with docker.io remote API
+
+ root@docker0:~# apt install docker.io -y
+ OR
+ root@docker0:~# curl -sSL https://get.docker.com/ | CHANNEL=stable bash
+
+
+
+Once that's done, you can use docker from the commandline:
+
+
+ root@docker0:~# docker search codimd
+ NAME DESCRIPTION STARS OFFICIAL AUTOMATED
+ linuxserver/codimd 27
+ fabiodcorreia/codimd A custom CodiMD image build with Alpine Linux 1
+ hachikoapp/codimd 0
+ perspectivedaily/codimd 0
+ rwthacs/codimd 0
+ proelbtn/codimd-exporter 0
+ mbergent/codimd-pandoc Docker Images to transform codimd-Notes with… 0
+ liquidinvestigations/codimd-server 0
+ chouhongming/codimd Forked from hackmdio/codimd and build some n… 0
+ tarlety/codimd codimd/feature-metrics 0
+ freitagsrunde/codimd 0
+ jinetes/codimd A codimd's image with arm support and non ro… 0
+ kishitat/codimd containerized codimd. Thank you, codiMD comu… 0
+ lsiodev/codimd 0
+ eoleteam/codimd Adaptation pour apps.education.fr 0
+ zknt/codimd 0
+ lspipepr/codimd 0
+ luzifer/codimd 0
+ jbonjean/codimd 0
+ azyobuzin/codimd https://hackmd.azyobuzi.net/ 0
+ hitochan777/codimd4growi CodiMD image for Growi integration 0
+ jokebox90/codimd 0
+ vinado/codimd CodiMD Dockerfile 0
+ indiehosters/codimd 0
+ renefritze/codimd_cli docker image for https://github.com/codimd/c… 0
+
+
+
+We're going to pick the first one, but instead of pulling the containers with **docker pull containername** we will use the docker-compose yaml file:
+
+
+ root@docker0:~# ls -lsh
+ total 12K
+ 4.0K drwxr-xr-x 11 root root 4.0K Apr 18 08:03 dillinger
+ 4.0K drwxr-xr-x 7 root root 4.0K Apr 18 08:03 kutt
+ 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 08:56 neko
+ root@docker0:~# mkdir codimd
+ root@docker0:~# cd codimd/
+ root@docker0:~/codimd# vim docker-compose.yaml
+
+
+
+Edit the passwords if you want:
+
+
+ version: "3"
+ services:
+ database:
+ image: postgres:11.6-alpine
+ environment:
+ - POSTGRES_USER=codimd
+ - POSTGRES_PASSWORD=change_password
+ - POSTGRES_DB=codimd
+ volumes:
+ - "database-data:/var/lib/postgresql/data"
+ restart: always
+ codimd:
+ image: hackmdio/hackmd:2.3.2
+ environment:
+ - CMD_DB_URL=postgres://codimd:change_password@database/codimd
+ - CMD_USECDN=false
+ depends_on:
+ - database
+ ports:
+ - "3333:3000"
+ volumes:
+ - upload-data:/home/hackmd/app/public/uploads
+ restart: always
+ volumes:
+ database-data: {}
+ upload-data: {}
+
+
+
+Here i just changed the 3000 port to be 3333 because i already have another container using port 30000**:wq** to save and quit out of vim, then simply run the **docker-compose up -d** command to get the container running:
+
+
+ root@docker0:~/codimd# docker-compose up -d
+ codimd_database_1 is up-to-date
+ Recreating codimd_codimd_1 ... done
+
+ root@docker0:~/codimd# docker container ls
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 8120b1a3503e hackmdio/hackmd:2.3.2 "/home/hackmd/app/do…" 6 seconds ago Up 4 seconds 0.0.0.0:3333->3000/tcp codimd_codimd_1
+ cf01b3f17b03 postgres:11.6-alpine "docker-entrypoint.s…" About a minute ago Up About a minute 5432/tcp codimd_database_1
+
+
+
+And there you go! We have been able to start a codimd docker instance, let's check it out at port 3333:
+
+![](1.png) ![](2.png) ![](3.png)
+
+Once you've registered and signed in, click 'New Note'
+
+![](4.png) ![](5.png)
+
+And there you go! you can now share the above link to another local coworker, if you want to use this publicly, you will need to setup a reverse nginx proxy to serve this service (192.168.0.200:3333) publicly, ideally behind a domain name and free TLS1.3 Certificates.
+
+## **Reverse NGINX proxy setup**
+
+Right now i'm going to setup a reverse nginx proxy to my codimd docker instance on my main debian node at 10.0.0.101/16 (where port 80 and 443 are publicly accessible):
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [blog/servers/codimd]
+ → ssh root@10.0.0.101
+ root@10.0.0.101's password:
+ Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Sun Apr 18 18:20:35 2021 from 10.0.0.10
+ root@home:~# vim /etc/nginx/sites-available/codimd.void.yt.conf
+
+
+Doing a reverse nginx proxy is going to make the previously http only service have HTTPS and we can choose to force TLS1.2 or 1.3:
+
+
+ upstream codibackend {
+ server 192.168.0.200:3333;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name codimd.void.yt;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name codimd.void.yt;
+
+ ssl_certificate /root/.acme.sh/codimd.void.yt/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/codimd.void.yt/codimd.void.yt.cer;
+ ssl_certificate_key /root/.acme.sh/codimd.void.yt/codimd.void.yt.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://codibackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+
+
+
+**:wq** to save and quit out of vim, then enable the website like so:
+
+
+ root@home:/var/www/void.yt/config# ln -s /etc/nginx/sites-available/codimd.void.yt.conf /etc/nginx/sites-enabled/
+ root@home:/var/www/void.yt/config# nginx -t
+ nginx: [emerg] BIO_new_file("/root/.acme.sh/codimd.void.yt/fullchain.cer") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/root/.acme.sh/codimd.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)
+ nginx: configuration file /etc/nginx/nginx.conf test failed
+
+
+
+Here you see nginx fail. That's because we need the TLS certificates, and we can use acme.sh to get them:
+
+
+ root@home:/var/www/void.yt/config# systemctl stop nginx
+ root@home:/var/www/void.yt/config# acme.sh --issue --standalone -d codimd.void.yt -k 4096
+
+ root@home:/var/www/void.yt/config# nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+
+
+Once you got the TLS certificates, enable nginx once again and see the result:
+
+
+ root@home:/var/www/void.yt/config# systemctl start nginx
+
+
+
+## **Testing CodiMD**
+
+See the result: we have TLS encryption! and this time we can collaborate our .md file with other people publicly:
+
+![](7.png)
+
+simply give them the URL from where you can collaborate with them:
+
+![](8.png) ![](9.png)
+
+And that's it! We have been able to get users to collaborate on .md files online thanks to our codimd instance.
+
diff --git a/composite/0.png b/composite/0.png
new file mode 100644
index 0000000..b2b3f65
Binary files /dev/null and b/composite/0.png differ
diff --git a/composite/1.png b/composite/1.png
new file mode 100644
index 0000000..ab4958a
Binary files /dev/null and b/composite/1.png differ
diff --git a/composite/10.png b/composite/10.png
new file mode 100644
index 0000000..71c78c4
Binary files /dev/null and b/composite/10.png differ
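Review bot: The compose file in this hunk keeps `POSTGRES_PASSWORD=change_password` and the same value inside `CMD_DB_URL=postgres://codimd:change_password@database/codimd`, while the prose before it says only `Edit the passwords if you want:`; since the `docker container ls` output shows the service published as `0.0.0.0:3333->3000/tcp`, the change should be presented as required, e.g. `Change both occurrences of change_password before starting the stack:`. That same `"3333:3000"` mapping exposes CodiMD without TLS to every host that can reach 192.168.0.200, not just the nginx proxy at 10.0.0.101 that the later section sets up; binding the port to the address the proxy uses (`"192.168.0.200:3333:3000"`) together with a firewall rule limiting 3333 to the proxy host would match the stated intent of putting the service behind the reverse proxy. The alternative install line `curl -sSL https://get.docker.com/ | CHANNEL=stable bash` runs a remote script as root with no verification, so the `apt install docker.io -y` path shown just above it is the one to recommend and the pipe-to-shell form should be marked as a convenience that skips package signature checks. In the nginx block, `add_header X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore; it could be replaced by a `Content-Security-Policy` suited to CodiMD, and the `location /` block would benefit from `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` so the application sees the real client and origin.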
diff --git a/composite/100.png b/composite/100.png
new file mode 100644
index 0000000..af42128
Binary files /dev/null and b/composite/100.png differ
diff --git a/composite/101.png b/composite/101.png
new file mode 100644
index 0000000..392abb1
Binary files /dev/null and b/composite/101.png differ
diff --git a/composite/102.png b/composite/102.png
new file mode 100644
index 0000000..fb7421f
Binary files /dev/null and b/composite/102.png differ
diff --git a/composite/103.png b/composite/103.png
new file mode 100644
index 0000000..66bbebd
Binary files /dev/null and b/composite/103.png differ
diff --git a/composite/104.png b/composite/104.png
new file mode 100644
index 0000000..5bab00e
Binary files /dev/null and b/composite/104.png differ
diff --git a/composite/105.png b/composite/105.png
new file mode 100644
index 0000000..3b40aa1
Binary files /dev/null and b/composite/105.png differ
diff --git a/composite/106.png b/composite/106.png
new file mode 100644
index 0000000..260b15a
Binary files /dev/null and b/composite/106.png differ
diff --git a/composite/107.png b/composite/107.png
new file mode 100644
index 0000000..007948a
Binary files /dev/null and b/composite/107.png differ
diff --git a/composite/108.png b/composite/108.png
new file mode 100644
index 0000000..9124a4d
Binary files /dev/null and b/composite/108.png differ
diff --git a/composite/109.png b/composite/109.png
new file mode 100644
index 0000000..2fde864
Binary files /dev/null and b/composite/109.png differ
diff --git a/composite/11.png b/composite/11.png
new file mode 100644
index 0000000..726aaab
Binary files /dev/null and b/composite/11.png differ
diff --git a/composite/110.png b/composite/110.png
new file mode 100644
index 0000000..a06c75e
Binary files /dev/null and b/composite/110.png differ
diff --git a/composite/111.png b/composite/111.png
new file mode 100644
index 0000000..9a3fd27
Binary files /dev/null and b/composite/111.png differ
diff --git a/composite/112.png b/composite/112.png
new file mode 100644
index 0000000..7bfbaff
Binary files /dev/null and b/composite/112.png differ
diff --git a/composite/113.png b/composite/113.png
new file mode 100644
index 0000000..88a6ea1
Binary files /dev/null and b/composite/113.png differ
diff --git a/composite/114.png b/composite/114.png
new file mode 100644
index 0000000..c56a3c0
Binary files /dev/null and b/composite/114.png differ
diff --git a/composite/115.png b/composite/115.png
new file mode 100644
index 0000000..8b045a0
Binary files /dev/null and b/composite/115.png differ
diff --git a/composite/116.png b/composite/116.png
new file mode 100644
index 0000000..0358ad0
Binary files /dev/null and b/composite/116.png differ
diff --git a/composite/117.png b/composite/117.png
new file mode 100644
index 0000000..52002fa
Binary files /dev/null and b/composite/117.png differ
diff --git a/composite/118.png b/composite/118.png
new file mode 100644
index 0000000..362187e
Binary files /dev/null and b/composite/118.png differ
diff --git a/composite/119.png b/composite/119.png
new file mode 100644
index 0000000..171156c
Binary files /dev/null and b/composite/119.png differ
diff --git a/composite/12.png b/composite/12.png
new file mode 100644
index 0000000..b9ababd
Binary files /dev/null and b/composite/12.png differ
diff --git a/composite/120.png b/composite/120.png
new file mode 100644
index 0000000..554c365
Binary files /dev/null and b/composite/120.png differ
diff --git a/composite/121.png b/composite/121.png
new file mode 100644
index 0000000..63cfbff
Binary files /dev/null and b/composite/121.png differ
diff --git a/composite/122.png b/composite/122.png
new file mode 100644
index 0000000..f786e07
Binary files /dev/null and b/composite/122.png differ
diff --git a/composite/123.png b/composite/123.png
new file mode 100644
index 0000000..ceac50c
Binary files /dev/null and b/composite/123.png differ
diff --git a/composite/124.png b/composite/124.png
new file mode 100644
index 0000000..0da13ac
Binary files /dev/null and b/composite/124.png differ
diff --git a/composite/125.png b/composite/125.png
new file mode 100644
index 0000000..cf8ede4
Binary files /dev/null and b/composite/125.png differ
diff --git a/composite/126.png b/composite/126.png
new file mode 100644
index 0000000..22dfab8
Binary files /dev/null and b/composite/126.png differ
diff --git a/composite/127.png b/composite/127.png
new file mode 100644
index 0000000..61c9020
Binary files /dev/null and b/composite/127.png differ
diff --git a/composite/128.png b/composite/128.png
new file mode 100644
index 0000000..8209d94
Binary files /dev/null and b/composite/128.png differ
diff --git a/composite/129.png b/composite/129.png
new file mode 100644
index 0000000..0aafe5d
Binary files /dev/null and b/composite/129.png differ
diff --git a/composite/13.png b/composite/13.png
new file mode 100644
index 0000000..86c6219
Binary files /dev/null and b/composite/13.png differ
diff --git a/composite/130.png b/composite/130.png
new file mode 100644
index 0000000..dd6960c
Binary files /dev/null and b/composite/130.png differ
diff --git a/composite/131.png b/composite/131.png
new file mode 100644
index 0000000..994cf83
Binary files /dev/null and b/composite/131.png differ
diff --git a/composite/132.png b/composite/132.png
new file mode 100644
index 0000000..b9f1322
Binary files /dev/null and b/composite/132.png differ
diff --git a/composite/133.png b/composite/133.png
new file mode 100644
index 0000000..81b9fed
Binary files /dev/null and b/composite/133.png differ
diff --git a/composite/134.png b/composite/134.png
new file mode 100644
index 0000000..12783a8
Binary files /dev/null and b/composite/134.png differ
diff --git a/composite/135.png b/composite/135.png
new file mode 100644
index 0000000..bf0a36f
Binary files /dev/null and b/composite/135.png differ
diff --git a/composite/136.png b/composite/136.png
new file mode 100644
index 0000000..5d627fc
Binary files /dev/null and b/composite/136.png differ
diff --git a/composite/137.png b/composite/137.png
new file mode 100644
index 0000000..49e611e
Binary files /dev/null and b/composite/137.png differ
diff --git a/composite/138.png b/composite/138.png
new file mode 100644
index 0000000..e1f4480
Binary files /dev/null and b/composite/138.png differ
diff --git a/composite/139.png b/composite/139.png
new file mode 100644
index 0000000..739f33b
Binary files /dev/null and b/composite/139.png differ
diff --git a/composite/14.png b/composite/14.png
new file mode 100644
index 0000000..9e2b5ad
Binary files /dev/null and b/composite/14.png differ
diff --git a/composite/140.png b/composite/140.png
new file mode 100644
index 0000000..1ead53e
Binary files /dev/null and b/composite/140.png differ
diff --git a/composite/141.png b/composite/141.png
new file mode 100644
index 0000000..25d9bd2
Binary files /dev/null and b/composite/141.png differ
diff --git a/composite/142.png b/composite/142.png
new file mode 100644
index 0000000..d365eaa
Binary files /dev/null and b/composite/142.png differ
diff --git a/composite/143.png b/composite/143.png
new file mode 100644
index 0000000..859b2bc
Binary files /dev/null and b/composite/143.png differ
diff --git a/composite/144.png b/composite/144.png
new file mode 100644
index 0000000..db15f8e
Binary files /dev/null and b/composite/144.png differ
diff --git a/composite/145.png b/composite/145.png
new file mode 100644
index 0000000..9cf2f6d
Binary files /dev/null and b/composite/145.png differ
diff --git a/composite/146.png b/composite/146.png
new file mode 100644
index 0000000..8146f88
Binary files /dev/null and b/composite/146.png differ
diff --git a/composite/147.png b/composite/147.png
new file mode 100644
index 0000000..1f6a19d
Binary files /dev/null and b/composite/147.png differ
diff --git a/composite/148.png b/composite/148.png
new file mode 100644
index 0000000..320ec24
Binary files /dev/null and b/composite/148.png differ
diff --git a/composite/149.png b/composite/149.png
new file mode 100644
index 0000000..71f2ae9
Binary files /dev/null and b/composite/149.png differ
diff --git a/composite/15.png b/composite/15.png
new file mode 100644
index 0000000..af639d9
Binary files /dev/null and b/composite/15.png differ
diff --git a/composite/150.png b/composite/150.png
new file mode 100644
index 0000000..96911e6
Binary files /dev/null and b/composite/150.png differ
diff --git a/composite/151.png b/composite/151.png
new file mode 100644
index 0000000..9a80ee9
Binary files /dev/null and b/composite/151.png differ
diff --git a/composite/152.png b/composite/152.png
new file mode 100644
index 0000000..477e87d
Binary files /dev/null and b/composite/152.png differ
diff --git a/composite/153.png b/composite/153.png
new file mode 100644
index 0000000..b430345
Binary files /dev/null and b/composite/153.png differ
diff --git a/composite/154.png b/composite/154.png
new file mode 100644
index 0000000..ebc2f36
Binary files /dev/null and b/composite/154.png differ
diff --git a/composite/155.png b/composite/155.png
new file mode 100644
index 0000000..e71cd3e
Binary files /dev/null and b/composite/155.png differ
diff --git a/composite/156.png b/composite/156.png
new file mode 100644
index 0000000..21c250b
Binary files /dev/null and b/composite/156.png differ
diff --git a/composite/157.png b/composite/157.png
new file mode 100644
index 0000000..3d26fb6
Binary files /dev/null and b/composite/157.png differ
diff --git a/composite/158.png b/composite/158.png
new file mode 100644
index 0000000..6075e8f
Binary files /dev/null and b/composite/158.png differ
diff --git a/composite/16.png b/composite/16.png
new file mode 100644
index 0000000..bd1c016
Binary files /dev/null and b/composite/16.png differ
diff --git a/composite/17.png b/composite/17.png
new file mode 100644
index 0000000..48c872c
Binary files /dev/null and b/composite/17.png differ
diff --git a/composite/18.png b/composite/18.png
new file mode 100644
index 0000000..dfdc02a
Binary files /dev/null and b/composite/18.png differ
diff --git a/composite/19.png b/composite/19.png
new file mode 100644
index 0000000..ce32006
Binary files /dev/null and b/composite/19.png differ
diff --git a/composite/2.png b/composite/2.png
new file mode 100644
index 0000000..2a62e32
Binary files /dev/null and b/composite/2.png differ
diff --git a/composite/20.png b/composite/20.png
new file mode 100644
index 0000000..62ba7f5
Binary files /dev/null and b/composite/20.png differ
diff --git a/composite/21.png b/composite/21.png
new file mode 100644
index 0000000..3cee875
Binary files /dev/null and b/composite/21.png differ
diff --git a/composite/22.png b/composite/22.png
new file mode 100644
index 0000000..fe0c30a
Binary files /dev/null and b/composite/22.png differ
diff --git a/composite/23.png b/composite/23.png
new file mode 100644
index 0000000..829a4a5
Binary files /dev/null and b/composite/23.png differ
diff --git a/composite/24.png b/composite/24.png
new file mode 100644
index 0000000..53399fd
Binary files /dev/null and b/composite/24.png differ
diff --git a/composite/25.png b/composite/25.png
new file mode 100644
index 0000000..2277ace
Binary files /dev/null and b/composite/25.png differ
diff --git a/composite/26.png b/composite/26.png
new file mode 100644
index 0000000..2067a1e
Binary files /dev/null and b/composite/26.png differ
diff --git a/composite/27.png b/composite/27.png
new file mode 100644
index 0000000..eff0ab3
Binary files /dev/null and b/composite/27.png differ
diff --git a/composite/28.png b/composite/28.png
new file mode 100644
index 0000000..ba22617
Binary files /dev/null and b/composite/28.png differ
diff --git a/composite/29.png b/composite/29.png
new file mode 100644
index 0000000..98d030b
Binary files /dev/null and b/composite/29.png differ
diff --git a/composite/3.png b/composite/3.png
new file mode 100644
index 0000000..6a4ad6b
Binary files /dev/null and b/composite/3.png differ
diff --git a/composite/30.png b/composite/30.png
new file mode 100644
index 0000000..6693837
Binary files /dev/null and b/composite/30.png differ
diff --git a/composite/31.png b/composite/31.png
new file mode 100644
index 0000000..d1f32d9
Binary files /dev/null and b/composite/31.png differ
diff --git a/composite/32.png b/composite/32.png
new file mode 100644
index 0000000..6caac5c
Binary files /dev/null and b/composite/32.png differ
diff --git a/composite/33.png b/composite/33.png
new file mode 100644
index 0000000..5ba2b91
Binary files /dev/null and b/composite/33.png differ
diff --git a/composite/34.png b/composite/34.png
new file mode 100644
index 0000000..57de18e
Binary files /dev/null and b/composite/34.png differ
diff --git a/composite/35.png b/composite/35.png
new file mode 100644
index 0000000..5c0f6b6
Binary files /dev/null and b/composite/35.png differ
diff --git a/composite/36.png b/composite/36.png
new file mode 100644
index 0000000..b28b300
Binary files /dev/null and b/composite/36.png differ
diff --git a/composite/37.png b/composite/37.png
new file mode 100644
index 0000000..b7d766a
Binary files /dev/null and b/composite/37.png differ
diff --git a/composite/38.png b/composite/38.png
new file mode 100644
index 0000000..f644b5d
Binary files /dev/null and b/composite/38.png differ
diff --git a/composite/39.png b/composite/39.png
new file mode 100644
index 0000000..02d70f4
Binary files /dev/null and b/composite/39.png differ
diff --git a/composite/4.png b/composite/4.png
new file mode 100644
index 0000000..cbac547
Binary files /dev/null and b/composite/4.png differ
diff --git a/composite/40.png b/composite/40.png
new file mode 100644
index 0000000..3d43a99
Binary files /dev/null and b/composite/40.png differ
diff --git a/composite/41.png b/composite/41.png
new file mode 100644
index 0000000..705356c
Binary files /dev/null and b/composite/41.png differ
diff --git a/composite/42.png b/composite/42.png
new file mode 100644
index 0000000..d576440
Binary files /dev/null and b/composite/42.png differ
diff --git a/composite/43.png b/composite/43.png
new file mode 100644
index 0000000..e913d75
Binary files /dev/null and b/composite/43.png differ
diff --git a/composite/44.png b/composite/44.png
new file mode 100644
index 0000000..4316bce
Binary files /dev/null and b/composite/44.png differ
diff --git a/composite/45.png b/composite/45.png
new file mode 100644
index 0000000..2d13f5f
Binary files /dev/null and b/composite/45.png differ
diff --git a/composite/46.png b/composite/46.png
new file mode 100644
index 0000000..d7a29ea
Binary files /dev/null and b/composite/46.png differ
diff --git a/composite/47.png b/composite/47.png
new file mode 100644
index 0000000..b019bf2
Binary files /dev/null and b/composite/47.png differ
diff --git a/composite/48.png b/composite/48.png
new file mode 100644
index 0000000..900aa8d
Binary files /dev/null and b/composite/48.png differ
diff --git a/composite/49.png b/composite/49.png
new file mode 100644
index 0000000..2995bc2
Binary files /dev/null and b/composite/49.png differ
diff --git a/composite/5.png b/composite/5.png
new file mode 100644
index 0000000..9205881
Binary files /dev/null and b/composite/5.png differ
diff --git a/composite/50.png b/composite/50.png
new file mode 100644
index 0000000..2062395
Binary files /dev/null and b/composite/50.png differ
diff --git a/composite/51.png b/composite/51.png
new file mode 100644
index 0000000..731fe30
Binary files /dev/null and b/composite/51.png differ
diff --git a/composite/52.png b/composite/52.png
new file mode 100644
index 0000000..c10e955
Binary files /dev/null and b/composite/52.png differ
diff --git a/composite/53.png b/composite/53.png
new file mode 100644
index 0000000..cf3684d
Binary files /dev/null and b/composite/53.png differ
diff --git a/composite/54.png b/composite/54.png
new file mode 100644
index 0000000..fc296c7
Binary files /dev/null and b/composite/54.png differ
diff --git a/composite/55.png b/composite/55.png
new file mode 100644
index 0000000..de0ca1a
Binary files /dev/null and b/composite/55.png differ
diff --git a/composite/56.png b/composite/56.png
new file mode 100644
index 0000000..cdbcfea
Binary files /dev/null and b/composite/56.png differ
diff --git a/composite/57.png b/composite/57.png
new file mode 100644
index 0000000..a106e3f
Binary files /dev/null and b/composite/57.png differ
diff --git a/composite/58.png b/composite/58.png
new file mode 100644
index 0000000..b5dae99
Binary files /dev/null and b/composite/58.png differ
diff --git a/composite/59.png b/composite/59.png
new file mode 100644
index 0000000..a3f4687
Binary files /dev/null and b/composite/59.png differ
diff --git a/composite/6.png b/composite/6.png
new file mode 100644
index 0000000..b269c38
Binary files /dev/null and b/composite/6.png differ
diff --git a/composite/60.png b/composite/60.png
new file mode 100644
index 0000000..1823e6e
Binary files /dev/null and b/composite/60.png differ
diff --git a/composite/61.png b/composite/61.png
new file mode 100644
index 0000000..d4793ee
Binary files /dev/null and b/composite/61.png differ
diff --git a/composite/62.png b/composite/62.png
new file mode 100644
index 0000000..fa40505
Binary files /dev/null and b/composite/62.png differ
diff --git a/composite/63.png b/composite/63.png
new file mode 100644
index 0000000..acefc90
Binary files /dev/null and b/composite/63.png differ
diff --git a/composite/64.png b/composite/64.png
new file mode 100644
index 0000000..887611a
Binary files /dev/null and b/composite/64.png differ
diff --git a/composite/65.png b/composite/65.png
new file mode 100644
index 0000000..65c211f
Binary files /dev/null and b/composite/65.png differ
diff --git a/composite/66.png b/composite/66.png
new file mode 100644
index 0000000..ce31935
Binary files /dev/null and b/composite/66.png differ
diff --git a/composite/67.png b/composite/67.png
new file mode 100644
index 0000000..b2bdd18
Binary files /dev/null and b/composite/67.png differ
diff --git a/composite/68.png b/composite/68.png
new file mode 100644
index 0000000..cb9d923
Binary files /dev/null and b/composite/68.png differ
diff --git a/composite/69.png b/composite/69.png
new file mode 100644
index 0000000..948ed7f
Binary files /dev/null and b/composite/69.png differ
diff --git a/composite/7.png b/composite/7.png
new file mode 100644
index 0000000..0831686
Binary files /dev/null and b/composite/7.png differ
diff --git a/composite/70.png b/composite/70.png
new file mode 100644
index 0000000..91b6142
Binary files /dev/null and b/composite/70.png differ
diff --git a/composite/71.png b/composite/71.png
new file mode 100644
index 0000000..5564264
Binary files /dev/null and b/composite/71.png differ
diff --git a/composite/72.png b/composite/72.png
new file mode 100644
index 0000000..95feb24
Binary files /dev/null and b/composite/72.png differ
diff --git a/composite/73.png b/composite/73.png
new file mode 100644
index 0000000..1ca9888
Binary files /dev/null and b/composite/73.png differ
diff --git a/composite/74.png b/composite/74.png
new file mode 100644
index 0000000..6161c86
Binary files /dev/null and b/composite/74.png differ
diff --git a/composite/75.png b/composite/75.png
new file mode 100644
index 0000000..9d6ac06
Binary files /dev/null and b/composite/75.png differ
diff --git a/composite/76.png b/composite/76.png new file mode 100644 index 0000000..6ce2786 Binary files /dev/null and b/composite/76.png differ diff --git a/composite/77.png b/composite/77.png new file mode 100644 index 0000000..0a1bdd2 Binary files /dev/null and b/composite/77.png differ diff --git a/composite/78.png b/composite/78.png new file mode 100644 index 0000000..d85a0ca Binary files /dev/null and b/composite/78.png differ diff --git a/composite/79.png b/composite/79.png new file mode 100644 index 0000000..a85d10a Binary files /dev/null and b/composite/79.png differ diff --git a/composite/8.png b/composite/8.png new file mode 100644 index 0000000..ab4fa70 Binary files /dev/null and b/composite/8.png differ diff --git a/composite/80.png b/composite/80.png new file mode 100644 index 0000000..d9e2a9a Binary files /dev/null and b/composite/80.png differ diff --git a/composite/81.png b/composite/81.png new file mode 100644 index 0000000..26e505a Binary files /dev/null and b/composite/81.png differ diff --git a/composite/82.png b/composite/82.png new file mode 100644 index 0000000..ddc8fd6 Binary files /dev/null and b/composite/82.png differ diff --git a/composite/83.png b/composite/83.png new file mode 100644 index 0000000..3d3980f Binary files /dev/null and b/composite/83.png differ diff --git a/composite/84.png b/composite/84.png new file mode 100644 index 0000000..68e8ae7 Binary files /dev/null and b/composite/84.png differ diff --git a/composite/85.png b/composite/85.png new file mode 100644 index 0000000..31e712d Binary files /dev/null and b/composite/85.png differ diff --git a/composite/86.png b/composite/86.png new file mode 100644 index 0000000..baa6550 Binary files /dev/null and b/composite/86.png differ diff --git a/composite/87.png b/composite/87.png new file mode 100644 index 0000000..3edcd58 Binary files /dev/null and b/composite/87.png differ 
diff --git a/composite/88.png b/composite/88.png new file mode 100644 index 0000000..f08b989 Binary files /dev/null and b/composite/88.png differ diff --git a/composite/89.png b/composite/89.png new file mode 100644 index 0000000..a9ac10b Binary files /dev/null and b/composite/89.png differ diff --git a/composite/9.png b/composite/9.png new file mode 100644 index 0000000..988cb52 Binary files /dev/null and b/composite/9.png differ diff --git a/composite/90.png b/composite/90.png new file mode 100644 index 0000000..a8d2a95 Binary files /dev/null and b/composite/90.png differ diff --git a/composite/91.png b/composite/91.png new file mode 100644 index 0000000..9db1a85 Binary files /dev/null and b/composite/91.png differ diff --git a/composite/92.png b/composite/92.png new file mode 100644 index 0000000..f69f97f Binary files /dev/null and b/composite/92.png differ diff --git a/composite/93.png b/composite/93.png new file mode 100644 index 0000000..20f8b47 Binary files /dev/null and b/composite/93.png differ diff --git a/composite/94.png b/composite/94.png new file mode 100644 index 0000000..fd46667 Binary files /dev/null and b/composite/94.png differ diff --git a/composite/95.png b/composite/95.png new file mode 100644 index 0000000..980ff5d Binary files /dev/null and b/composite/95.png differ diff --git a/composite/96.png b/composite/96.png new file mode 100644 index 0000000..ff139ef Binary files /dev/null and b/composite/96.png differ diff --git a/composite/97.png b/composite/97.png new file mode 100644 index 0000000..e8dfd03 Binary files /dev/null and b/composite/97.png differ diff --git a/composite/98.png b/composite/98.png new file mode 100644 index 0000000..f030102 Binary files /dev/null and b/composite/98.png differ diff --git a/composite/99.png b/composite/99.png new file mode 100644 index 0000000..ccbdb9a Binary files /dev/null and b/composite/99.png differ diff --git a/composite/index.md b/composite/index.md new file mode 100644 index 0000000..f6cb131 
--- /dev/null +++ b/composite/index.md 
@@ -0,0 +1,1035 @@ +# E4 Composite Project + +At networking school, one of our final exams is to replicate a professional situation using VMs in a virtual environment such as proxmox or virt-manager or virtualbox. For instance this is the typical network we have to virtualize and then in turn we get asked to change specific parts of it to evaluate how we adapt to what we get asked. Below you will find the network graph of what we're going to setup in this tutorial: + +![](0.png) + +So we get a total of 4 VMs (a total of 7 to 11 Gb of RAM) and we are going to install them in the following order: + + 1. [Win10](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise) (2-4Gb RAM) + 2. [Pfsense](https://www.pfsense.org/download/) (1Gb RAM) + 3. [WS2019](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019) (2-4Gb RAM) + 4. [Debian10](https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.9.0-amd64-netinst.iso) (2Gb RAM) + + + +Go to the links above to download each of the ISOs. Then upload them to your proxmox server if you plan to use it like i do, or just store them somewhere on your PC for Virt-Manager/VirtualBox/VMWare to use so we can get started. + +![](1.png) + +## **Win10 + Pfsense + WS2019** + +Before creating anything fancy let's install a simple Windows 10 VM on the default network: + +![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) + +Right now my vmbr0 bridge is the **192.168.0.0/24** interface on my proxmox server, we want to first install our Win10 VM on a network we know works fine. 
Finish the VM creation and open virt-viewer since we chose to use the SPICE display: + +![](8.png) ![](9.png) ![](10.png) + +Once in virt-manager, setup Win10 on the whole virtual hard drive: + +![](11.png) + +Then let Win10 complete the installation and reboot automatically, then get back in the SPICE display via virt-viewer: + +![](12.png) ![](13.png) ![](14.png) + +Then we're going to setup RDP and Firefox on Win10: + +![](15.png) + +Do so from MS Edge (declining their terms of use as you do so) + +![](16.png) + +Once you're done setting up a non-default win10 web browser, setup RDP to get rid of the need of using SPICE to connect to your VM: + +![](17.png) ![](18.png) + +Once that's done you can verify that the VM has it's RDP port opened: + +![](19.png) + +And you can connect to it via RDP, you can use remmina for that: + + + apt install remmina -y + pacman -S remmina + + + +` ![](20.png) ![](21.png) ![](22.png) + +And from here you have properly setup your Win10 VM ! Now we're going to create a LAN network and create our pfsense VM: + +![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](30.png) + +Here make sure you don't setup any network device because we're going to set them up later on + +![](31.png) + +Make sure you don't tick 'Start after created' And then manually edit the VM's NICs: + +![](32.png) ![](33.png) ![](34.png) + +We make sure that our pfsense VM has 2 NICs (one for the WAN network 192.168.0.0/24 and one for the LAN network 10.2.0.0/16) and once you have the 2 Network interfaces properly added you can start the pfsense VM: + +![](35.png) ![](36.png) ![](37.png) + +Once that's done, let pfsense install: + +![](38.png) ![](39.png) ![](40.png) ![](41.png) + +Here, be careful to set the vtnet0 and vtnet1 interfaces correctly. You can only know which one is the WAN and LAN thanks to their MAC addresses from the Hardware tab in proxmox. 
Next step is to set the ip addresses: + +![](42.png) ![](43.png) + +Next setup the LAN ip address and DHCP range: + +![](44.png) ![](45.png) + +Now from here we know that in order to setup our pfsense properly we need to set it up via the web interface from inside the LAN network. To do so we will simply move our Win10 Host inside of the LAN network: + +![](46.png) ![](47.png) + +Here we make sure that our Win10 VM is in the 10.2.0.0/16 LAN network, reboot it and then get in the SPICE console (yes, you won't reach it via RDP from the WAN) to view the changes: + +![](49.png) ![](50.png) ![](51.png) + +Now that we know our Win10 VM is in the LAN network, and that it can reach it's new gateway (10.2.0.1/16) we can open firefox and log in the pfsense Web Interface with the **admin:pfsense** credentials: + +![](52.png) ![](53.png) ![](54.png) + +Leave the rest as default except the changes above since we already did most of them from pfsense's TTY shell. Next step is setting the pfsense router password and then let it reload: + +![](55.png) + +Now from here we are finished with the pfsense VM setup. 
However let's make sure our Win10 VM has a static DHCP ip address so that we can be able to RDP into it easily: + +![](56.png) ![](57.png) ![](58.png) ![](59.png) + +From here go in Powershell (Win+X i) and type in **ipconfig /renew** : + +![](60.png) + +Now that's done, we're going to setup our Windows Server 2019 VM: + +![](66.png) ![](67.png) ![](68.png) ![](69.png) ![](70.png) ![](71.png) ![](72.png) ![](73.png) + +Once the VM is created, access it via SPICE just like for our Win10 VM: + +![](74.png) + +Here let WS2019 install and automatically reboot: + +![](75.png) + +Now from here we're going to install firefox and enable RDP just like for our previous Win10 VM, however the difference here is that for some reason there isn't MS Edge installed, and i won't use Internet Explorer due to how stupid that browser is, so we're going to just get the firefox executable onto the machine manually: + +![](76.png) ![](77.png) + +Basically we use python3's http.server module to transfer our firefox.exe binary over to our Windows Server VM: + +![](78.png) ![](79.png) + +Once that's done enable RDP and make sure the WS2019 Server has a static ip: + +![](80.png) ![](81.png) + +Note that the primary DNS is set to be 127.0.0.1 (The WS2019 server itself) that's because we intend to use this Windows Server's Active Directory, which also requires DNS. Once that's done, you have now setup RDP, firefox and a static ip to your WS2019 VM, so let's RDP into it: + +![](82.png) ![](83.png) ![](84.png) + +Once in your RDP session on WS2019, add the DNS and Active Directory Roles: + +![](85.png) + +Click next to everything and then hit 'Install': + +![](86.png) ![](87.png) ![](88.png) + +We setup DNS records on it, following this DNS setup: + + 1. **192.168.0.211** /24 - e4.local + 2. **192.168.0.211** /24 - ns.e4.local + 3. **192.168.0.98** /24 - pf.e4.local + 4. 
**192.168.0.212** /24 - glpi.e4.local observium.e4.local + + + +Of course if the IPs differ from your setup, change them accordingly. + +![](89.png) ![](90.png) ![](91.png) ![](92.png) ![](93.png) ![](94.png) + +We add the first 2 DNS entries like so: + +![](95.png) ![](96.png) + +And with the same manner we add the other 3, and we get this result: + +![](97.png) + +Now that's done let's promote our WS2019 server to a domain controller for our Active Directory. We're going to add it to a new 'Forest': + +![](98.png) + +The WS2019 Server must be able to resolve e4.local, if it doesn't that means you didn't set it to use it's own dns (127.0.0.1) as we said earlier, so do it and proceed: + +![](99.png) ![](100.png) ![](101.png) ![](103.png) + +Once it passes the prerequisite checks, hit 'install' and let it reboot automatically: + +![](102.png) + +Then log back in via RDP after updating the domain field: + +![](104.png) ![](105.png) ![](106.png) + +And that's it! We have been able to install WS2019 with Active Directory support. + +![](107.png) + +Now that our Windows Server2019 is properly setup, let's make sure that our Windows10 VM client can access it: + +![](113.png) + +Now with this we know that there is a problem with the DNS being used by pfsense. so let's update it accordingly: + +![](108.png) + +Here it's apparent that pfsense is not using the WS2019 VM as it's primary dns: + +![](109.png) ![](110.png) + +Hit 'Save' and then setup the ip of our win10 client to be dynamic (via DHCP): + +![](111.png) + +Then check if the correct DNS servers are being used: + +![](112.png) + +And that's it! 
Now let's move on to the Debian server part: + +## **Debian10 (Observium + SNMP)** + +First let's create our debian10 local server at the ip adress we specified earlier, to do so we will create a LXC container from proxmox to speed up the installation process: + +![](122.png) ![](123.png) ![](124.png) ![](125.png) ![](126.png) ![](127.png) ![](128.png) ![](129.png) + +Once in the TTY, setup SSH properly with private key-based authentication: + + + Debian GNU/Linux 10 deb10-e4 tty1 + + deb10-e4 login: root + Password: + Linux deb10-e4 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + + root@deb10-e4:~# apt update -y ; apt upgrade -y ; apt install vim -y ; wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh + + + +This will download my script to automatically setup SSH with private key authentication: + + + + [...] + + --2021-04-12 11:02:35-- https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 856 [text/plain] + Saving to: 'ssh.sh' + + ssh.sh 100%[========================================================>] 856 --.-KB/s in 0s + + 2021-04-12 11:02:36 (13.7 MB/s) - 'ssh.sh' saved [856/856] + + root@deb10-e4:~# chmod +x ssh.sh + root@deb10-e4:~# ./ssh.sh + + +Now hit enter to leave the default values for the ssh keygen: + + + [...] + + Generating public/private ed25519 key pair. 
+ Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:BdhdNOe2EkA2ufqqWNIrgtziXX2iPMlDE8yMtNRo3MA root@deb10-e4 + The key's randomart image is: + +--[ED25519 256]--+ + | o.= o.o=++ . | + | E o. .ooo + | + | + * ... o | + | o = .. o . | + | . S. . . | + | +. . . | + |... +.=o o | + |.oo.+O..o . | + |...o.+=... | + +----[SHA256]-----+ + * ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 11:03:12 UTC; 18s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 9257 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 9258 (sshd) + Tasks: 1 (limit: 7372) + Memory: 1.2M + CGroup: /system.slice/ssh.service + `-9258 /usr/sbin/sshd -D + + Apr 12 11:03:12 deb10-e4 systemd[1]: Starting OpenBSD Secure Shell server... + Apr 12 11:03:12 deb10-e4 sshd[9258]: Server listening on 0.0.0.0 port 22. + Apr 12 11:03:12 deb10-e4 sshd[9258]: Server listening on :: port 22. + Apr 12 11:03:12 deb10-e4 systemd[1]: Started OpenBSD Secure Shell server. + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 192.168.0.212/24 brd 192.168.0.255 scope global eth0 + inet6 fe80::8063:4ff:fe15:254f/64 scope link + [+] ON A REMOTE HOST RUN THE FOLLOWING: + [+] wget http://ip:8080/id25519 -O ~/.ssh/node.pkey + [+] chmod 600 ~/.ssh/node.pkey + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + + + +Now basically what it did was download a custom sshd config file to allow the root user to be logged on remotely via the SSH keys, and said ssh private key got allowed thanks to the public key that was generated with it. 
All that's left is getting the private key onto the client host's (your pc) **~/.ssh/** folder: + + + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [blog/servers/composite] + → cd ~/.ssh + + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [~/.ssh] + → curl http://192.168.0.212:8080/ + + + + + + + # Directory listing for / + + + + + * * * + + + + + + + * [authorized_keys](authorized_keys) + + + * [id_ed25519](id_ed25519) + + + * [id_ed25519.pub](id_ed25519.pub) + + + + + + * * * + + + + + + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [~/.ssh] + → curl http://192.168.0.212:8080/id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACDPz5NAMpIsXCZpGMsDMp2avTOj5lBUxx1sWmKYYRT+xgAAAJDqnuZZ6p7m + WQAAAAtzc2gtZWQyNTUxOQAAACDPz5NAMpIsXCZpGMsDMp2avTOj5lBUxx1sWmKYYRT+xg + AAAECR5TTugtOGK2D4L48DjFiV9mCJapCVC7fg2wh4T4n9Ws/Pk0AykixcJmkYywMynZq9 + M6PmUFTHHWxaYphhFP7GAAAADXJvb3RAZGViMTAtZTQ= + -----END OPENSSH PRIVATE KEY----- + + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [~/.ssh] + → curl http://192.168.0.212:8080/id_ed25519 > deb10-e4 + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 399 100 399 0 0 39900 0 --:--:-- --:--:-- --:--:-- 39900 + + + +Once you downloaded the private ssh key, shut down the python3 http server by hitting CTRL+C in the debian10 TTY: + + + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + 192.168.0.99 - - [12/Apr/2021 11:05:56] "GET / HTTP/1.1" 200 - + 192.168.0.99 - - [12/Apr/2021 11:06:05] "GET /id_ed25519 HTTP/1.1" 200 - + 192.168.0.99 - - [12/Apr/2021 11:06:17] "GET /id_ed25519 HTTP/1.1" 200 - + ^C + Keyboard interrupt received, exiting. 
+ + + +Now make sure that the private ssh key has the correct permissions, and use it to log onto the server via ssh: + + + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [~/.ssh] + → chmod 600 deb10-e4 + + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [~/.ssh] + → ssh root@192.168.0.212 -i deb10-e4 + The authenticity of host '192.168.0.212 (192.168.0.212)' can't be established. + ED25519 key fingerprint is SHA256:nxl7VKgV/WUrm6WrSI6KvWuDBB6T+ssYqmuIAhmH6zY. + This key is not known by any other names + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '192.168.0.212' (ED25519) to the list of known hosts. + Last login: Mon Apr 12 10:58:01 2021 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@deb10-e4:~# + + + +And that's it! Now we can get started on installing observium. First install the required dependencies: + + + root@deb10-e4:~# apt install -y sudo nginx wget curl mariadb-server mariadb-client rrdtool whois fping imagemagick graphviz mtr-tiny nmap python-mysqldb snmp snmpd python-memcache mtr-tiny acl php php-pear php7.3-{cgi,common,curl,mbstring,gd,mysql,gettext,bcmath,imap,json,xml,snmp,fpm,zip} + + + +Next edit php's timezone and start the php7.3-fpm and nginx services: + + + root@deb10-e4:~# cd /etc/php/7.3/ + root@deb10-e4:/etc/php/7.3# echo 'date.timezone = Europe/Paris' >> fpm/php.ini + root@deb10-e4:/etc/php/7.3# echo 'date.timezone = Europe/Paris' >> cli/php.ini + root@deb10-e4:/etc/php/7.3# service php7.3-fpm restart + root@deb10-e4:/etc/php/7.3# systemctl enable nginx + Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install. 
+ Executing: /lib/systemd/systemd-sysv-install enable nginx + + root@deb10-e4:/etc/php/7.3# systemctl status nginx php7.3-fpm + ● nginx.service - A high performance web server and a reverse proxy server + Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 11:15:56 UTC; 2min 0s ago + Docs: man:nginx(8) + Main PID: 21837 (nginx) + Tasks: 3 (limit: 7372) + Memory: 4.4M + CGroup: /system.slice/nginx.service + ├─21837 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; + ├─21838 nginx: worker process + └─21839 nginx: worker process + + Apr 12 11:15:56 deb10-e4 systemd[1]: Starting A high performance web server and a reverse proxy server... + Apr 12 11:15:56 deb10-e4 systemd[1]: Started A high performance web server and a reverse proxy server. + + ● php7.3-fpm.service - The PHP 7.3 FastCGI Process Manager + Loaded: loaded (/lib/systemd/system/php7.3-fpm.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 11:17:04 UTC; 52s ago + Docs: man:php-fpm7.3(8) + Main PID: 28387 (php-fpm7.3) + Status: "Processes active: 0, idle: 2, Requests: 0, slow: 0, Traffic: 0req/sec" + Tasks: 3 (limit: 7372) + Memory: 9.8M + CGroup: /system.slice/php7.3-fpm.service + ├─28387 php-fpm: master process (/etc/php/7.3/fpm/php-fpm.conf) + ├─28388 php-fpm: pool www + └─28389 php-fpm: pool www + + Apr 12 11:17:04 deb10-e4 systemd[1]: Starting The PHP 7.3 FastCGI Process Manager... + Apr 12 11:17:04 deb10-e4 systemd[1]: Started The PHP 7.3 FastCGI Process Manager. + + + +Next step is to setup MariaDB: + + + root@deb10-e4:/etc/php/7.3# rm /etc/mysql/mariadb.cnf + root@deb10-e4:/etc/php/7.3# wget https://blog.nowhere.moe/servers/observium/mariadb.cnf -O /etc/mysql/mariadb.cnf + --2021-04-12 11:18:46-- https://blog.nowhere.moe/servers/observium/mariadb.cnf + Resolving blog.nowhere.moe (blog.nowhere.moe)... 3.125.252.47, 159.65.118.56, 2a03:b0c0:3:d0::d23:d001, ... 
+ Connecting to blog.nowhere.moe (blog.nowhere.moe)|3.125.252.47|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 939 [application/octet-stream] + Saving to: '/etc/mysql/mariadb.cnf' + + /etc/mysql/mariadb.cnf 100%[===============================================================================>] 939 --.-KB/s in 0s + + 2021-04-12 11:18:47 (10.1 MB/s) - '/etc/mysql/mariadb.cnf' saved [939/939] + + root@deb10-e4:/etc/php/7.3# sudo systemctl restart mysql + Job for mariadb.service failed because the control process exited with error code. + root@deb10-e4:/etc/php/7.3# systemctl status mysql + ● mariadb.service - MariaDB 10.3.27 database server + Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled) + Active: failed (Result: exit-code) since Mon 2021-04-12 11:19:05 UTC; 4s ago + Docs: man:mysqld(8) + https://mariadb.com/kb/en/library/systemd/ + Process: 28458 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld (code=exited, status=226/NAMESPACE) + + Apr 12 11:19:05 deb10-e4 systemd[1]: Starting MariaDB 10.3.27 database server... + Apr 12 11:19:05 deb10-e4 systemd[28458]: mariadb.service: Failed to set up mount namespacing: Permission denied + Apr 12 11:19:05 deb10-e4 systemd[28458]: mariadb.service: Failed at step NAMESPACE spawning /usr/bin/install: Permission denied + Apr 12 11:19:05 deb10-e4 systemd[1]: mariadb.service: Control process exited, code=exited, status=226/NAMESPACE + Apr 12 11:19:05 deb10-e4 systemd[1]: mariadb.service: Failed with result 'exit-code'. + Apr 12 11:19:05 deb10-e4 systemd[1]: Failed to start MariaDB 10.3.27 database server. + + + +If you get this error, this means that you're using a LXC container and forgot to set the 'nested' option, so let's do it: + +![](130.png) + + + Apr 12 11:19:05 deb10-e4 systemd[1]: Failed to start MariaDB 10.3.27 database server. + root@deb10-e4:/etc/php/7.3# Connection to 192.168.0.212 closed. 
+ + [ 10.0.0.10/16 ] [ /dev/pts/17 ] [~/.ssh] + → ssh root@192.168.0.212 -i deb10-e4 + Last login: Mon Apr 12 11:08:30 2021 from 192.168.0.99 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@deb10-e4:~# systemctl restart mysql + root@deb10-e4:~# systemctl status mysql + ● mariadb.service - MariaDB 10.3.27 database server + Loaded: loaded (/lib/systemd/system/mariadb.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 11:21:38 UTC; 3s ago + Docs: man:mysqld(8) + https://mariadb.com/kb/en/library/systemd/ + Process: 457 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d /var/run/mysqld (code=exited, status=0/SUCCESS) + Process: 458 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS) + Process: 460 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] && VAR= || VAR=`cd /usr/bin/..; /usr/bin/galera_recovery`; [ $? -eq 0 ] && systemct + Process: 547 ExecStartPost=/bin/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0/SUCCESS) + Process: 549 ExecStartPost=/etc/mysql/debian-start (code=exited, status=0/SUCCESS) + Main PID: 516 (mysqld) + Status: "Taking your SQL requests now..." + Tasks: 31 (limit: 7372) + Memory: 63.8M + CGroup: /system.slice/mariadb.service + └─516 /usr/sbin/mysqld + + Apr 12 11:21:38 deb10-e4 systemd[1]: Starting MariaDB 10.3.27 database server... + Apr 12 11:21:38 deb10-e4 mysqld[516]: 2021-04-12 11:21:38 0 [Note] /usr/sbin/mysqld (mysqld 10.3.27-MariaDB-0+deb10u1) starting as process 516 ... 
+ Apr 12 11:21:38 deb10-e4 mysqld[516]: 2021-04-12 11:21:38 0 [Warning] Could not increase number of max_open_files to more than 16384 (request: 32184) + Apr 12 11:21:38 deb10-e4 systemd[1]: Started MariaDB 10.3.27 database server. + root@deb10-e4:~# + + + +And we see that we solved the problem. Next step is to configure the observium databse itself: + + + root@deb10-e4:~# mysql -u root -p + Enter password: + Welcome to the MariaDB monitor. Commands end with ; or \g. + Your MariaDB connection id is 36 + Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10 + + Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. + + Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. + + MariaDB [(none)]> + MariaDB [(none)]> create database observium; + Query OK, 1 row affected (0.001 sec) + + MariaDB [(none)]> grant all privileges on observium.* to observium@localhost IDENTIFIED by "P@SSW0RD"; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> flush privileges; + Query OK, 0 rows affected (0.000 sec) + + MariaDB [(none)]> quit + Bye + root@deb10-e4:~# + + + +Then install observium itself: + + + root@deb10-e4:~# sudo useradd -r -M -d /opt/observium observium + root@deb10-e4:~# sudo usermod -a -G observium www-data + root@deb10-e4:~# cd /opt + root@deb10-e4:/opt# wget http://www.observium.org/observium-community-latest.tar.gz + --2021-04-12 11:23:35-- http://www.observium.org/observium-community-latest.tar.gz + Resolving www.observium.org (www.observium.org)... 185.94.140.56 + Connecting to www.observium.org (www.observium.org)|185.94.140.56|:80... connected. + HTTP request sent, awaiting response... 301 Moved Permanently + Location: https://www.observium.org/observium-community-latest.tar.gz [following] + --2021-04-12 11:23:35-- https://www.observium.org/observium-community-latest.tar.gz + Connecting to www.observium.org (www.observium.org)|185.94.140.56|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 107967482 (103M) [application/x-gzip] + Saving to: 'observium-community-latest.tar.gz' + + observium-community-latest.tar.gz 100%[===============================================================================>] 102.96M 2.13MB/s in 36s + + 2021-04-12 11:24:12 (2.87 MB/s) - 'observium-community-latest.tar.gz' saved [107967482/107967482] + + root@deb10-e4:/opt# tar xvf observium-community-latest.tar.gz + root@deb10-e4:/opt# rm observium-community-latest.tar.gz + root@deb10-e4:/opt# cp /opt/observium/config.php.default /opt/observium/config.php + root@deb10-e4:/opt# vim /opt/observium/config.php + + [...] + + $config['db_user'] = 'observium'; + $config['db_pass'] = 'P@SSW0RD'; + + [...] + + :wq + + + +Now that's done, we finish observium's install with the file permissions, and the snmp configuration: + + + root@deb10-e4:/opt# mkdir /opt/observium/{rrd,logs} + root@deb10-e4:/opt# + root@deb10-e4:/opt# chown -R observium:observium /opt/observium/ + root@deb10-e4:/opt# chmod -R 775 /opt/observium/ + root@deb10-e4:/opt# cp /opt/observium/snmpd.conf.example /etc/snmp/snmpd.conf + root@deb10-e4:/opt# vim /etc/snmp/snmpd.conf + + + +Here make sure you're using a community string that you chose, this acts as a password for SNMP services: + + + [...] + + # Default access to full view + rocommunity e4_c0mmun1ty_str1ng default -V all + + [...] + + :wq + + +you can also setup other infos in that files such as email address, the location of the server itself, etc. Now append this line at the end of the config file: + + + root@deb10-e4:/opt# echo 'com2sec readonly default e4_c0mmun1ty_str1ng_ro' >> /etc/snmp/snmpd.conf + + + +Then finally restart the snmp daemon: + + + root@deb10-e4:/opt# systemctl restart snmpd + root@deb10-e4:/opt# systemctl status snmpd + ● snmpd.service - Simple Network Management Protocol (SNMP) Daemon. 
+ Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 11:39:03 UTC; 3s ago + Process: 695 ExecStartPre=/bin/mkdir -p /var/run/agentx (code=exited, status=0/SUCCESS) + Main PID: 696 (snmpd) + Tasks: 1 (limit: 7372) + Memory: 3.8M + CGroup: /system.slice/snmpd.service + └─696 /usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid + + Apr 12 11:39:03 deb10-e4 systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon.... + Apr 12 11:39:03 deb10-e4 systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon.. + Apr 12 11:39:03 deb10-e4 snmpd[696]: NET-SNMP version 5.7.3 + + + +Now since it's a local nginx site, we're going to edit the nginx config accordingly, and : + + + root@deb10-e4:/opt# wget https://blog.nowhere.moe/servers/observium/observium.conf -O /etc/nginx/sites-available/observium.conf + root@deb10-e4:/opt# vim /etc/nginx/sites-available/observium.conf + + + +Now by default you will get this: + +![](131.png) + +Since this is a local install of observium, we can't have real TLS encryption since it requires a public ip address to be validated by let'sencrypt, Once you deleted the excessive lines you get the following nginx site config: + + + server { + listen 80; + listen [::]:80; + server_name observium.e4.local; + + root /opt/observium/html; + index index.php; + + charset utf-8; + gzip on; + gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon; + location / { + try_files $uri $uri/ /index.php?$query_string; + } + location /api/v0 { + try_files $uri $uri/ /api_v0.php?$query_string; + } + location ~ \.php { + include fastcgi.conf; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + } + location ~ /\.ht { + deny all; + } + } + + + +:wq to save and quit out of 
vim, then delete the default nginx site config and enable the observium site config file: + + + root@deb10-e4:/opt# vim /etc/nginx/sites-available/observium.conf + root@deb10-e4:/opt# rm /etc/nginx/sites-available/default + root@deb10-e4:/opt# rm /etc/nginx/sites-enabled/default + root@deb10-e4:/opt# ln -s /etc/nginx/sites-available/observium.conf /etc/nginx/sites-enabled/ + root@deb10-e4:/opt# nginx -s reload + root@deb10-e4:/opt# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + + +Once that's done, we're going to finish observium's installation by making it discover the database and by creating the users: + + + root@deb10-e4:~# cd /opt/observium/ + root@deb10-e4:/opt/observium# ./discovery.php -u + + ___ _ _ + / _ \ | |__ ___ ___ _ __ __ __(_) _ _ _ __ ___ + | | | || '_ \ / __| / _ \| '__|\ \ / /| || | | || '_ ` _ \ + | |_| || |_) |\__ \| __/| | \ V / | || |_| || | | | | | + \___/ |_.__/ |___/ \___||_| \_/ |_| \__,_||_| |_| |_| + Observium Community Edition 20.9.10731 + https://www.observium.org + + Install initial database schema ... done. + -- Updating database/file schema + 416 -> 417 # (db) .. Done (1s). + 417 -> 418 # (db) . Done (0s). + 418 -> 419 # (db) .... Done (0s). + 419 -> 420 # (db) .. Done (0s). + 420 -> 421 # (db) ... Done (0s). + 421 -> 422 # (db) .. Done (0s). + 422 -> 423 # (db) ...... Done (0s). + 423 -> 424 # (php) Done (0s). + 424 -> 425 # (db) . Done (0s). + 425 -> 426 # (db) ............... Done (0s). + 426 -> 427 # (db) ... Done (0s). + 427 -> 428 # (db) ... Done (0s). + 428 -> 429 # (db) ... Done (0s). + 429 -> 430 # (db) (WARNING! Required MySQL version 5.6+ or MariaDB 10.0+).... Done (0s). + 430 -> 431 # (db) ..... Done (0s). + 431 -> 432 # (php) Done (0s). + 432 -> 433 # (db) ......... Done (1s). + 433 -> 434 # (db) ... Done (0s). + 434 -> 435 # (db) . Done (0s). + -- Done. 
+ root@deb10-e4:/opt/observium# ./adduser.php admin P@SSW0RD 10 + Observium CE 20.9.10731 + Add User + + User admin added successfully. + root@deb10-e4:/opt/observium# ./adduser.php user1 P@SSW0RD 10 + Observium CE 20.9.10731 + Add User + + User user1 added successfully. + + + +Once that's done, move over to your observium web interface and login: + +![](132.png) ![](134.png) ![](135.png) + +Once you've added the device, you need to wait a bit for the snmp routine to collect informations on the device in order to populate the graphs. + +![](136.png) + +In the meantime we're going to setup snmp on our WS2019 machine, which comes in the form of a 'feature' you can download from the server manager: + +![](137.png) ![](138.png) ![](139.png) ![](140.png) + +Once that's done, click apply and ok, then go back to observium to add the WS2019 Host: + +![](141.png) ![](142.png) + +And that's it! We managed to add a Debian10 and a WS2019 Host to our Observium SNMP monitoring. Or did we ? Because you can wait forever here you won't get any graphs, you need to setup observium's cronjobs as follows: + + + root@deb10-e4:~# vim /etc/cron.d/observium + + + + + # Run a complete discovery of all devices once every 6 hours + 33 */6 * * * root /opt/observium/discovery.php -h all >> /dev/null 2>&1 + + # Run automated discovery of newly added devices every 5 minutes + */5 * * * * root /opt/observium/discovery.php -h new >> /dev/null 2>&1 + + # Run multithreaded poller wrapper every 5 minutes + */5 * * * * root /opt/observium/poller-wrapper.py >> /dev/null 2>&1 + + # Run housekeeping script daily for syslog, eventlog and alert log + 13 5 * * * root /opt/observium/housekeeping.php -ysel + + # Run housekeeping script daily for rrds, ports, orphaned entries in the database and performance data + 47 4 * * * root /opt/observium/housekeeping.php -yrptb + + + +:wq to save and quit out of vim, then reload crond: + + + + root@deb10-e4:~# systemctl restart cron + root@deb10-e4:~# systemctl status 
cron + ● cron.service - Regular background program processing daemon + Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 14:12:35 UTC; 3s ago + Docs: man:cron(8) + Main PID: 2688 (cron) + Tasks: 1 (limit: 7372) + Memory: 592.0K + CGroup: /system.slice/cron.service + └─2688 /usr/sbin/cron -f + + Apr 12 14:12:35 deb10-e4 systemd[1]: Started Regular background program processing daemon. + Apr 12 14:12:35 deb10-e4 cron[2688]: (CRON) INFO (pidfile fd = 3) + Apr 12 14:12:35 deb10-e4 cron[2688]: (CRON) INFO (Skipping @reboot jobs -- not system startup) + + + +Now with this, wait 5-10 mins for observium to pickup infos and draw graphs + +![](143.png) + +And there you go! now let's add pfsense via snmp aswell (don't forget to add the firewall rule to allow the snmp connections): + +![](144.png) ![](146.png) + +once you're done on pfsense after clicking 'Save', setup the host on observium, same as before: + +![](147.png) ![](148.png) + +And there you go! We managed to setup snmp checks for Debian, Windows Server 2019, and pfsense. + +## **GLPI + Fusion Inventory** + +Now it's time to install GLPI. Just like for observium we start by installing the dependencies we need: + + + apt install -y socat git nginx mariadb-server php7.3-fpm php7.3 php7.3-curl php7.3-zip php7.3-gd php7.3-intl php-pear php-imagick php7.3-imap php-memcache php7.3-pspell php7.3-recode php7.3-tidy php7.3-xmlrpc php7.3-xsl php7.3-mbstring php-gettext php7.3-ldap php-cas php-apcu php7.3-mysql + + + +Then configure glpi's mysql database: + + + root@deb10-e4:~# mysql -u root -p + Enter password: + Welcome to the MariaDB monitor. Commands end with ; or \g. + Your MariaDB connection id is 1145 + Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10 + + Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. + + Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. 
+ + MariaDB [(none)]> CREATE DATABASE glpidb; + Query OK, 1 row affected (0.001 sec) + + MariaDB [(none)]> GRANT ALL PRIVILEGES ON glpidb.* TO 'glpiuser'@'localhost' IDENTIFIED BY 'P@SSW0RD'; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> FLUSH PRIVILEGES; + Query OK, 0 rows affected (0.001 sec) + + MariaDB [(none)]> EXIT; + Bye + + + +Then we download the latest release of glpi inside of /tmp: + + + root@deb10-e4:/tmp# cd /tmp + root@deb10-e4:/tmp# wget -c https://github.com/glpi-project/glpi/releases/download/9.5.4/glpi-9.5.4.tgz + root@deb10-e4:/tmp# tar -xvf glpi-9.5.4.tgz + root@deb10-e4:/tmp# mv glpi /var/www/html/ + root@deb10-e4:/tmp# chmod 755 -R /var/www/html/ + root@deb10-e4:/tmp# chown www-data:www-data -R /var/www/html/ + + + +Then get the nginx configuration, and edit it accordingly: + + + root@deb10-e4:/tmp# wget https://blog.nowhere.moe/servers/glpi/glpi.conf -O /etc/nginx/sites-available/glpi.conf + --2021-04-12 15:26:00-- https://blog.nowhere.moe/servers/glpi/glpi.conf + Resolving ech1.github.io (ech1.github.io)... 185.199.108.153, 185.199.109.153, 185.199.110.153, ... + Connecting to ech1.github.io (ech1.github.io)|185.199.108.153|:443... connected. + HTTP request sent, awaiting response... 301 Moved Permanently + Location: https://blog.nowhere.moe/servers/glpi/glpi.conf [following] + --2021-04-12 15:26:00-- https://blog.nowhere.moe/servers/glpi/glpi.conf + Resolving blog.nowhere.moe (blog.nowhere.moe)... 185.199.109.153, 185.199.111.153, 185.199.110.153, ... + Connecting to blog.nowhere.moe (blog.nowhere.moe)|185.199.109.153|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 1811 (1.8K) [text/plain] + Saving to: '/etc/nginx/sites-available/glpi.conf' + + /etc/nginx/sites-available/glpi.con 100%[=================================================================>] 1.77K --.-KB/s in 0s + + 2021-04-12 15:26:01 (14.3 MB/s) - '/etc/nginx/sites-available/glpi.conf' saved [1811/1811] + + root@deb10-e4:/tmp# vim /etc/nginx/sites-available/glpi.conf + + + +Here's the end result of my editing, of course edit it to fit your install: + + + server { + listen 80; + listen [::]:80; + server_name glpi.e4.local; + root /var/www/html/glpi; + index index.php; + location / {try_files $uri $uri/ index.php;} + location ~ \.php$ { + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + fastcgi_param SERVER_NAME $host; + } + location ~ /files{ + deny all; + } + } + + + +:wq to save and quit out of vim, enable the glpi nginx website, and then edit php: + + + root@deb10-e4:/tmp# cd /etc/php/7.3/ + + root@deb10-e4:/etc/php/7.3# ln -s /etc/nginx/sites-available/glpi.conf /etc/nginx/sites-enabled/ + + root@deb10-e4:/etc/php/7.3# echo 'memory_limit = 64M ; // Minimum + Valuefile_uploads = on ; + max_execution_time = 600 ; // Optional but not mandatory + register_globals = off ; // Optional but not mandatory + magic_quotes_sybase = off ; + session.auto_start = off ; + session.use_trans_sid = 0 ; // Optional but not mandatory' >> fpm/php.ini + + root@deb10-e4:/etc/php/7.3# echo 'memory_limit = 64M ; // Minimum + Valuefile_uploads = on ; + max_execution_time = 600 ; // Optional but not mandatory + register_globals = off ; // Optional but not mandatory + magic_quotes_sybase = off ; + session.auto_start = off ; + session.use_trans_sid = 0 ; // Optional but not mandatory' >> cli/php.ini + + root@deb10-e4:/etc/php/7.3# sed -i "s/^listen.*sock/listen\ =\ 127.0.0.1:9000/gi" /etc/php/7.3/fpm/pool.d/www.conf + + 
root@deb10-e4:/etc/php/7.3# systemctl restart nginx php7.3-fpm mysql + + root@deb10-e4:/etc/php/7.3# systemctl status nginx php7.3-fpm mysql + + + +you can run systemctl status to check that the 3 services are active and working, if they are not, then return to the configuration files above and edit them correctly before restarting the services again. Once that's done, you can setup glpi from the web interface: + +![](149.png) ![](150.png) + +Here we see that the bz2 extension is missing, we download it and then proceed with the installation: + + + root@deb10-e4:/etc/php/7.3# apt install php7.3-bz2 + + + +![](151.png) + +Put in the mysql credentials we used before, and use the glpidb database: + +![](152.png) + +After that let it initialize the database, and login with the **glpi:glpi** credentials: + +![](153.png) ![](154.png) + +Now that GLPI is installed, we're going to install the fusioninventory plugin on it from the commandline: + + + root@deb10-e4:~# cd /var/www/html/glpi/plugins + root@deb10-e4:/var/www/html/glpi/plugins# ls -l + total 4 + -rwxr-xr-x 1 www-data www-data 80 Mar 2 13:22 remove.txt + root@deb10-e4:/var/www/html/glpi/plugins# wget https://github.com/fusioninventory/fusioninventory-for-glpi/releases/download/glpi9.5%2B3.0/fusioninventory-9.5+3.0.tar.bz2 + + [...] 
+ + 2021-04-12 15:52:17 (8.30 MB/s) - 'fusioninventory-9.5+3.0.tar.bz2' saved [3520305/3520305] + + root@deb10-e4:/var/www/html/glpi/plugins# file fusioninventory-9.5+3.0.tar.bz2 + fusioninventory-9.5+3.0.tar.bz2: bzip2 compressed data, block size = 900k + + root@deb10-e4:/var/www/html/glpi/plugins# tar -xvf fusioninventory-9.5+3.0.tar.bz2 + root@deb10-e4:/var/www/html/glpi/plugins# rm fusioninventory-9.5+3.0.tar.bz2 + + root@deb10-e4:/var/www/html/glpi/plugins# ls -l + total 8 + drwxr-xr-x 16 root root 4096 Mar 21 19:47 fusioninventory + -rwxr-xr-x 1 www-data www-data 80 Mar 2 13:22 remove.txt + + + +![](155.png) ![](156.png) + +And in here we see the plugin we just installed, click the install logo on the right to set it up: + +![](157.png) + +After you install it, enable it and then we can see this result: + +![](158.png) + +And that's it! here you see that we installed the fusionInventory plugin on GLPI. All that's left is to install the fusionInventory Agent on the hosts you want to monitor: + diff --git a/cron/0.png b/cron/0.png new file mode 100644 index 0000000..e65d29d Binary files /dev/null and b/cron/0.png differ diff --git a/cron/index.md b/cron/index.md new file mode 100644 index 0000000..82020bd --- /dev/null +++ b/cron/index.md 
@@ -0,0 +1,411 @@
+# Cron Jobs Setup
+
+![](0.png)
+
+The software utility cron also known as cron job is a time-based job scheduler in Unix-like computer operating systems. Users who set up and maintain software environments use cron to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals.
+
+On this tutorial we're going to cover how to automatically update our linux-based system:
+
+## **Debian**
+
+Among the most popular linux distros is debian, or debian-based systems. Cron should always be there by default:
+
+
+ root@home:~# apt search cron
+
+ cron/stable,now 3.0pl1-134+deb10u1 amd64 [installed]
+ process scheduling daemon
+
+ root@home:~# apt install cron
+
+
+So what are the commands that we want to run ?
+
+
+ root@home:~# apt update -y
+ root@home:~# apt upgrade -y
+ root@home:~# apt autoremove -y
+
+
+The first one updates the packages, the second one upgrades the distribution, and the last one removes the unused packages, let's add a cronjob for it:
+
+
+ root@home:~# crontab -e
+
+ 0 3 * * * "/var/www/nextcloud/data/nothing/files/backup.sh"
+ 0 2 * * * root (apt update -y && apt -y upgrade && apt autoremove -y) > /dev/null
+
+ :wq
+
+
+Here you see that i'm executing a backup bashscript everyday at 3 am, and running apt update , upgrade and autoremove at 2 am.
+ +## **Testing Cronjobs** + + + wget https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz + sudo tar xvf linux_amd64.tar.gz -C /usr/bin/ + sudo cronitor configure --api-key 1234567890 + + + +To debug cronjobs i use cronitor + + + root@home:~# cronitor list + + ----► Checking user "root" crontab + +-------------------+------------------------------------------------------------------------------------------------------+ + | SCHEDULE | COMMAND | + +-------------------+------------------------------------------------------------------------------------------------------+ + | 20 0 * * * | "/root/.acme.sh/acme.sh" | + | | --cron --home "/root/.acme.sh" | + | | > /dev/null | + | 0 3 * * * | /usr/bin/ansible-playbook | + | | /root/playbooks/update.yml | + | 0 3 * * * | "/var/www/nextcloud/data/nothing/files/backup.sh" | + | 0 2 * * * | (apt-get update && apt-get -y | + | | upgrade && apt autoremove) > | + | | /dev/null | + +-------------------+------------------------------------------------------------------------------------------------------+ + + ----► Checking /etc/crontab + +-------------------+------------------------------------------------------------------------------------------------------+ + | SCHEDULE | COMMAND | + +-------------------+------------------------------------------------------------------------------------------------------+ + | 17 * * * * | cd / && run-parts --report | + | | /etc/cron.hourly | + | 25 6 * * * | test -x /usr/sbin/anacron || | + | | ( cd / && run-parts --report | + | | /etc/cron.daily ) | + | 47 6 * * 7 | test -x /usr/sbin/anacron || | + | | ( cd / && run-parts --report | + | | /etc/cron.weekly ) | + | 52 6 1 * * | test -x /usr/sbin/anacron || | + | | ( cd / && run-parts --report | + | | /etc/cron.monthly ) | + +-------------------+------------------------------------------------------------------------------------------------------+ + + ----► Checking /etc/cron.d/php + 
+-------------------+------------------------------------------------------------------------------------------------------+ + | SCHEDULE | COMMAND | + +-------------------+------------------------------------------------------------------------------------------------------+ + | 09,39 * * * * | [ -x /usr/lib/php/sessionclean | + | | ] && if [ ! -d | + | | /run/systemd/system ]; then | + | | /usr/lib/php/sessionclean; fi | + +-------------------+------------------------------------------------------------------------------------------------------+ + + ----► Checking /etc/cron.d/sysstat + +-------------------+------------------------------------------------------------------------------------------------------+ + | SCHEDULE | COMMAND | + +-------------------+------------------------------------------------------------------------------------------------------+ + | 5-55/10 * * * * | command -v debian-sa1 > | + | | /dev/null && debian-sa1 1 1 | + | 59 23 * * * | command -v debian-sa1 > | + | | /dev/null && debian-sa1 60 2 | + +-------------------+------------------------------------------------------------------------------------------------------+ + + + + +Here i removed the >/dev/null to be able to see the output of our cronjob, selecting it with cronitor: + + + root@home:~# crontab -e + crontab: installing new crontab + root@home:~# cronitor select + + ✔ (apt-get update && apt-get -y upgrade && apt autoremove) + ----► Running command: (apt-get update && apt-get -y upgrade && apt autoremove) + + Hit:1 http://deb.debian.org/debian buster InRelease + Hit:2 http://apt.postgresql.org/pub/repos/apt buster-pgdg InRelease + Reading package lists... + Reading package lists... + Building dependency tree... + Reading state information... + Calculating upgrade... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + + WARNING: apt does not have a stable CLI interface. Use with caution in scripts. + + Reading package lists... + Building dependency tree... 
+ Reading state information... + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + + ----► ✔ Command successful Elapsed time 4.145s + + + +And there you have it! We have been able to test update the repos, upgrade the distro and remove the unused packages with our cronjob, which will run everyday at 2 AM. + +## **Arch-Based Distros** + +Arch linux distributions require daily upgrades because it is a rolling release, so one way to do it is to manually upgrade your system like so: + + + [ 10.0.0.10/16 ] [ /dev/pts/51 ] [Nextcloud/blog] + → sudo pacman -Syu + [sudo] password for nothing: + :: Synchronizing package databases... + core 132.9 KiB 1384 KiB/s 00:00 [--------------------------------------------------------] 100% + extra 1557.9 KiB 3.22 MiB/s 00:00 [--------------------------------------------------------] 100% + community 5.6 MiB 4.27 MiB/s 00:01 [--------------------------------------------------------] 100% + multilib 149.1 KiB 4.85 MiB/s 00:00 [--------------------------------------------------------] 100% + :: Starting full system upgrade... + resolving dependencies... + looking for conflicting packages... + + Package (8) Old Version New Version Net Change Download Size + + community/arandr 0.1.10-5 0.1.10-6 0.00 MiB 0.08 MiB + multilib/lib32-systemd 248.2-1 248.3-1 0.00 MiB 0.56 MiB + extra/libidn 1.36-1 1.37-1 -0.03 MiB 0.21 MiB + extra/perl-http-message 6.30-1 6.31-1 0.00 MiB 0.07 MiB + core/systemd 248.2-2 248.3-1 0.00 MiB 6.31 MiB + core/systemd-libs 248.2-2 248.3-1 0.00 MiB 0.54 MiB + core/systemd-sysvcompat 248.2-2 248.3-1 0.00 MiB 0.01 MiB + community/tpm2-tss 3.0.3-1 3.1.0-1 0.13 MiB 0.81 MiB + + Total Download Size: 8.59 MiB + Total Installed Size: 32.46 MiB + Net Upgrade Size: 0.10 MiB + + :: Proceed with installation? 
[Y/n] y + + + +If you want to do cronjobs to automate arch linux updates, be very careful because pacman may need to do drastic updates from time to time, like the /lib -> /usr/lib transitioning, So let's make sure that pacman gives enough verbose to at least say what went wrong just in case if it does: + + + [ 10.0.0.10/16 ] [ /dev/pts/70 ] [~] + → sudo pacman -Syu --noconfirm + + + +That's the command we want to run, if we want to automatically update arch. This may break your install so make sure that it functions properly and do so regularly, checking pacman's logs in **/var/log/pacman.log** + + + [ 10.0.0.10/16 ] [ /dev/pts/72 ] [~] + → tail -f /var/log/pacman.log + [2021-05-18T14:51:02+0200] [ALPM] running '30-systemd-daemon-reload.hook'... + [2021-05-18T14:51:02+0200] [ALPM] running '30-systemd-update.hook'... + [2021-05-18T14:58:39+0200] [PACMAN] Running 'pacman -Syu --noconfirm' + [2021-05-18T14:58:39+0200] [PACMAN] synchronizing package lists + [2021-05-18T14:58:42+0200] [PACMAN] starting full system upgrade + [2021-05-18T14:58:43+0200] [ALPM] transaction started + [2021-05-18T14:58:43+0200] [ALPM] upgraded libimagequant (2.15.0-1 -> 2.15.1-1) + [2021-05-18T14:58:43+0200] [ALPM] upgraded svt-hevc (1.5.0-1 -> 1.5.1-1) + [2021-05-18T14:58:43+0200] [ALPM] transaction completed + [2021-05-18T14:58:43+0200] [ALPM] running '30-systemd-update.hook'... 
+ [2021-05-18T15:00:35+0200] [PACMAN] Running 'pacman -Syu --noconfirm' + [2021-05-18T15:00:35+0200] [PACMAN] synchronizing package lists + [2021-05-18T15:00:35+0200] [PACMAN] starting full system upgrade + [2021-05-18T15:00:39+0200] [PACMAN] Running 'pacman -Syu --noconfirm' + [2021-05-18T15:00:39+0200] [PACMAN] synchronizing package lists + [2021-05-18T15:00:40+0200] [PACMAN] starting full system upgrade + + + +Now let's setup our cronjob using cronie: + + + [ 10.0.0.10/16 ] [ /dev/pts/70 ] [~] + → sudo pacman -S cronie + + [ 10.0.0.10/16 ] [ /dev/pts/70 ] [~] + → systemctl status cronie + ○ cronie.service - Periodic Command Scheduler + Loaded: loaded (/usr/lib/systemd/system/cronie.service; disabled; vendor preset: disabled) + Active: inactive (dead) + + [ 10.0.0.10/16 ] [ /dev/pts/70 ] [~] + → systemctl enable --now cronie + ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ==== + Authentication is required to manage system service or unit files. + Authenticating as: nothing + Password: + ==== AUTHENTICATION COMPLETE ==== + Created symlink /etc/systemd/system/multi-user.target.wants/cronie.service → /usr/lib/systemd/system/cronie.service. + + [ 10.0.0.10/16 ] [ /dev/pts/70 ] [~] + → systemctl status cronie + ● cronie.service - Periodic Command Scheduler + Loaded: loaded (/usr/lib/systemd/system/cronie.service; enabled; vendor preset: disabled) + Active: active (running) since Tue 2021-05-18 14:51:30 CEST; 1s ago + Main PID: 1926934 (crond) + Tasks: 1 (limit: 38425) + Memory: 448.0K + CPU: 1ms + CGroup: /system.slice/cronie.service + └─1926934 /usr/bin/crond -n + + May 18 14:51:30 nowhere systemd[1]: Started Periodic Command Scheduler. + May 18 14:51:30 nowhere crond[1926934]: (CRON) STARTUP (1.5.7) + May 18 14:51:30 nowhere crond[1926934]: (CRON) INFO (Syslog will be used instead of sendmail.) + May 18 14:51:30 nowhere crond[1926934]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 6% if used.) 
+ May 18 14:51:30 nowhere crond[1926934]: (CRON) INFO (running with inotify support) + + [ 10.0.0.10/16 ] [ /dev/pts/76 ] [/tmp] + → sudo -i + [sudo] password for nothing: + + root@nowhere: ~ # crontab -e + crontab: installing new crontab + + 0 2 * * * /usr/bin/pacman -Syu --noconfirm + + :wq + + root@nowhere: ~ # exit + logout + + + +Now let's use cronitor to test our cronjob: + + + [ 10.0.0.10/16 ] [ /dev/pts/75 ] [/tmp] + → curl -sOL https://cronitor.io/dl/cronitor-stable-linux-amd64.tgz + + + [ 10.0.0.10/16 ] [ /dev/pts/75 ] [/tmp] + → sudo tar xvf cronitor-stable-linux-amd64.tgz -C /usr/bin/ + + [sudo] password for nothing: + cronitor + + [ 10.0.0.10/16 ] [ /dev/pts/75 ] [/tmp] + → sudo cronitor configure --api-key 1234567890 + + Error: Problem with config file at : Config File "cronitor" Not Found in "[/etc/cronitor]" + + + [ 10.0.0.10/16 ] [ /dev/pts/75 ] [/tmp] + → sudo cronitor configure --api-key 1234567890 + + [ 10.0.0.10/16 ] [ /dev/pts/75 ] [/tmp] + → which cronitor + /usr/bin/cronitor + + [ 10.0.0.10/16 ] [ /dev/pts/75 ] [/tmp] + → cronitor select + + root@nowhere: ~ # cronitor select + + ✔ /usr/bin/pacman -Syu --noconfirm + ----► Running command: /usr/bin/pacman -Syu --noconfirm + + :: Synchronizing package databases... + core is up to date + extra is up to date + community is up to date + multilib is up to date + :: Starting full system upgrade... 
+ there is nothing to do + + ----► ✔ Command successful Elapsed time 0.893s + + root@nowhere: ~ # + + + +Again, make sure that you check pacman.log regularly like so, just in case any package breaks the arch installation: + + + [ 10.0.0.10/16 ] [ /dev/pts/73 ] [~] + → tail -f /var/log/pacman.log + [2021-05-18T15:00:40+0200] [PACMAN] starting full system upgrade + [2021-05-18T15:16:17+0200] [PACMAN] Running 'pacman -Syu --noconfirm' + [2021-05-18T15:16:17+0200] [PACMAN] synchronizing package lists + [2021-05-18T15:16:18+0200] [PACMAN] starting full system upgrade + [2021-05-18T15:19:40+0200] [PACMAN] Running '/usr/bin/pacman -Syu --noconfirm' + [2021-05-18T15:19:40+0200] [PACMAN] synchronizing package lists + [2021-05-18T15:19:40+0200] [PACMAN] starting full system upgrade + [2021-05-18T15:20:38+0200] [PACMAN] Running '/usr/bin/pacman -Syu --noconfirm' + [2021-05-18T15:20:38+0200] [PACMAN] synchronizing package lists + [2021-05-18T15:20:38+0200] [PACMAN] starting full system upgrade + + + +Or here's the way i like to do it: + + + [ 10.0.0.10/16 ] [ /dev/pts/68 ] [~/Videos] + → cat /var/log/pacman.log | grep $(date --iso-8601) + [2021-05-19T02:00:01+0200] [PACMAN] Running '/usr/bin/pacman -Syu --noconfirm' + [2021-05-19T02:00:01+0200] [PACMAN] synchronizing package lists + [2021-05-19T02:00:03+0200] [PACMAN] starting full system upgrade + [2021-05-19T02:00:54+0200] [ALPM] transaction started + [2021-05-19T02:00:54+0200] [ALPM] upgraded ca-certificates-mozilla (3.64-1 -> 3.65-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded libx11 (1.7.0-4 -> 1.7.1-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded pango (1:1.48.4-1 -> 1:1.48.5-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded nvidia-utils (465.27-1 -> 465.31-1) + [2021-05-19T02:00:54+0200] [ALPM-SCRIPTLET] If you run into trouble with CUDA not being available, run nvidia-modprobe first. 
+ [2021-05-19T02:00:54+0200] [ALPM] upgraded nss (3.64-1 -> 3.65-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded gnome-shell (1:40.1-1 -> 1:40.1-2) + [2021-05-19T02:00:54+0200] [ALPM] upgraded imagemagick (7.0.11.12-1 -> 7.0.11.13-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded nvidia (465.27-10 -> 465.31-1) + [2021-05-19T02:00:55+0200] [ALPM] upgraded opencl-nvidia (465.27-1 -> 465.31-1) + [2021-05-19T02:00:55+0200] [ALPM] transaction completed + [2021-05-19T02:00:55+0200] [ALPM] running '20-systemd-sysusers.hook'... + [2021-05-19T02:00:55+0200] [ALPM] running '30-systemd-daemon-reload.hook'... + [2021-05-19T02:00:55+0200] [ALPM] running '30-systemd-update.hook'... + [2021-05-19T02:00:55+0200] [ALPM] running '40-update-ca-trust.hook'... + [2021-05-19T02:00:56+0200] [ALPM] running '60-depmod.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'detect-old-perl-modules.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'glib-compile-schemas.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'gtk-update-icon-cache.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'update-desktop-database.hook'... 
+ + + +you can make a bashrc / zshrc alias for it: + + + [ 10.0.0.10/16 ] [ /dev/pts/68 ] [~/Videos] + → vim ~/.zshrc + + checkpac(){ + cat /var/log/pacman.log | grep $(date --iso-8601) + } + + :wq + + + [ 10.0.0.10/16 ] [ /dev/pts/68 ] [~/Videos] + → zsh + + [ 10.0.0.10/16 ] [ /dev/pts/68 ] [~/Videos] + → checkpac + [2021-05-19T02:00:01+0200] [PACMAN] Running '/usr/bin/pacman -Syu --noconfirm' + [2021-05-19T02:00:01+0200] [PACMAN] synchronizing package lists + [2021-05-19T02:00:03+0200] [PACMAN] starting full system upgrade + [2021-05-19T02:00:54+0200] [ALPM] transaction started + [2021-05-19T02:00:54+0200] [ALPM] upgraded ca-certificates-mozilla (3.64-1 -> 3.65-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded libx11 (1.7.0-4 -> 1.7.1-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded pango (1:1.48.4-1 -> 1:1.48.5-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded nvidia-utils (465.27-1 -> 465.31-1) + [2021-05-19T02:00:54+0200] [ALPM-SCRIPTLET] If you run into trouble with CUDA not being available, run nvidia-modprobe first. + [2021-05-19T02:00:54+0200] [ALPM] upgraded nss (3.64-1 -> 3.65-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded gnome-shell (1:40.1-1 -> 1:40.1-2) + [2021-05-19T02:00:54+0200] [ALPM] upgraded imagemagick (7.0.11.12-1 -> 7.0.11.13-1) + [2021-05-19T02:00:54+0200] [ALPM] upgraded nvidia (465.27-10 -> 465.31-1) + [2021-05-19T02:00:55+0200] [ALPM] upgraded opencl-nvidia (465.27-1 -> 465.31-1) + [2021-05-19T02:00:55+0200] [ALPM] transaction completed + [2021-05-19T02:00:55+0200] [ALPM] running '20-systemd-sysusers.hook'... + [2021-05-19T02:00:55+0200] [ALPM] running '30-systemd-daemon-reload.hook'... + [2021-05-19T02:00:55+0200] [ALPM] running '30-systemd-update.hook'... + [2021-05-19T02:00:55+0200] [ALPM] running '40-update-ca-trust.hook'... + [2021-05-19T02:00:56+0200] [ALPM] running '60-depmod.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'detect-old-perl-modules.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'glib-compile-schemas.hook'... 
+ [2021-05-19T02:01:06+0200] [ALPM] running 'gtk-update-icon-cache.hook'... + [2021-05-19T02:01:06+0200] [ALPM] running 'update-desktop-database.hook'... + + + +And that's it! We have covered the vast majority of linux distros being debian-based and arch-based to be able to automatically update thanks to cronjobs. + diff --git a/cryptpad/1.png b/cryptpad/1.png new file mode 100644 index 0000000..f375177 Binary files /dev/null and b/cryptpad/1.png differ diff --git a/cryptpad/10.png b/cryptpad/10.png new file mode 100644 index 0000000..ef03c08 Binary files /dev/null and b/cryptpad/10.png differ diff --git a/cryptpad/11.png b/cryptpad/11.png new file mode 100644 index 0000000..8586c59 Binary files /dev/null and b/cryptpad/11.png differ diff --git a/cryptpad/12.png b/cryptpad/12.png new file mode 100644 index 0000000..d45d16a Binary files /dev/null and b/cryptpad/12.png differ diff --git a/cryptpad/13.png b/cryptpad/13.png new file mode 100644 index 0000000..e5ae853 Binary files /dev/null and b/cryptpad/13.png differ diff --git a/cryptpad/14.png b/cryptpad/14.png new file mode 100644 index 0000000..e1647d5 Binary files /dev/null and b/cryptpad/14.png differ diff --git a/cryptpad/15.png b/cryptpad/15.png new file mode 100644 index 0000000..997fb17 Binary files /dev/null and b/cryptpad/15.png differ diff --git a/cryptpad/16.png b/cryptpad/16.png new file mode 100644 index 0000000..ce38b18 Binary files /dev/null and b/cryptpad/16.png differ diff --git a/cryptpad/2.png b/cryptpad/2.png new file mode 100644 index 0000000..a40be1b Binary files /dev/null and b/cryptpad/2.png differ diff --git a/cryptpad/3.png b/cryptpad/3.png new file mode 100644 index 0000000..a33184c Binary files /dev/null and b/cryptpad/3.png differ diff --git a/cryptpad/4.png b/cryptpad/4.png new file mode 100644 index 0000000..f8072ba Binary files /dev/null and b/cryptpad/4.png differ 
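Review bot: The Debian crontab entry `0 2 * * * root (apt update -y && apt -y upgrade && apt autoremove -y) > /dev/null` is entered through `crontab -e`, a per-user crontab that has no user column, so cron will try to run a command named `root` and the upgrade never executes; the later `cronitor list` output shows the same entry without that field, so the example and the listing disagree. Drop the `root` field, use `apt-get` rather than `apt` (the cronitor run itself prints apt's warning that its CLI is not stable for scripts), and set `DEBIAN_FRONTEND=noninteractive` so a package prompt cannot hang an unattended job: `0 2 * * * (apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade && apt-get -y autoremove) >> /var/log/apt-cron.log 2>&1`. Writing to a log file instead of `/dev/null` also makes a failed or half-applied upgrade visible, which matters for a job running as root with nobody watching. For the cronitor install, the tarball is extracted straight into `/usr/bin` without any checksum or signature verification, and passing a real API key on the command line leaves it in shell history; a one-sentence caveat on both points would help readers who copy the commands as-is.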
diff --git a/cryptpad/5.png b/cryptpad/5.png new file mode 100644 index 0000000..c58eb04 Binary files /dev/null and b/cryptpad/5.png differ diff --git a/cryptpad/6.png b/cryptpad/6.png new file mode 100644 index 0000000..d2e55b9 Binary files /dev/null and b/cryptpad/6.png differ diff --git a/cryptpad/7.png b/cryptpad/7.png new file mode 100644 index 0000000..bb35a60 Binary files /dev/null and b/cryptpad/7.png differ diff --git a/cryptpad/8.png b/cryptpad/8.png new file mode 100644 index 0000000..c831cba Binary files /dev/null and b/cryptpad/8.png differ diff --git a/cryptpad/9.png b/cryptpad/9.png new file mode 100644 index 0000000..60a7d64 Binary files /dev/null and b/cryptpad/9.png differ diff --git a/cryptpad/index.md b/cryptpad/index.md new file mode 100644 index 0000000..00ae52f --- /dev/null +++ b/cryptpad/index.md 
@@ -0,0 +1,582 @@ +# CryptPad + +![](0.svg) + +CryptPad is the Zero Knowledge realtime collaborative editor. Encryption carried out in your web browser protects the data from the server, it relies on the ChainPad realtime engine. + +## **Initial Setup** + +We're going to install cryptpad inside of Proxmox as a debian10 CT: + +![](1.png) ![](2.png) + +Once here, start the CT and go into the Web-based TTY console to setup key-based SSH authentication: + +![](3.png) + +We're going to use my SSH setup script as follows: + + + Debian GNU/Linux 10 cryptpad tty1 + + cryptpad login: root + Password: + Linux cryptpad 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@cryptpad:~# apt update -y ; apt upgrade -y ; apt install vim -y ; wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh ; chmod +x ssh.sh ; ./ssh.sh + + + +Generate the SSH Keys and then go get the private SSH key from port 8080: + + + Generating public/private ed25519 key pair. + Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:+5Jkmpo4NBcJBCRU48jkdYReSRzspMLW4Hp/4IHYX3Y root@cryptpad + The key's randomart image is: + +--[ED25519 256]--+ + |=*o+*=o | + |=.=.o* | + |o++o=. | + | = +o. | + |oo.. . S | + |o * + o E. | + | o * = *.. | + | ..+.+ o. | + | ..oo .. 
| + +----[SHA256]-----+ + * ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2021-04-15 09:40:04 UTC; 33s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 9255 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 9256 (sshd) + Tasks: 1 (limit: 7372) + Memory: 1.4M + CGroup: /system.slice/ssh.service + `-9256 /usr/sbin/sshd -D + + Apr 15 09:40:04 cryptpad systemd[1]: Starting OpenBSD Secure Shell server... + Apr 15 09:40:04 cryptpad sshd[9256]: Server listening on 0.0.0.0 port 22. + Apr 15 09:40:04 cryptpad sshd[9256]: Server listening on :: port 22. + Apr 15 09:40:04 cryptpad systemd[1]: Started OpenBSD Secure Shell server. + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.172/16 brd 10.0.255.255 scope global eth0 + inet6 fe80::3800:77ff:fe37:7b68/64 scope link + [+] ON A REMOTE HOST RUN THE FOLLOWING: + [+] wget http://ip:8080/id25519 -O ~/.ssh/node.pkey + [+] chmod 600 ~/.ssh/node.pkey + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + + + +From here you just get the private key to your local machine and ssh into the CT with it: + + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → curl 10.0.0.172:8080 + + + + + + + # Directory listing for / + + + + + * * * + + + + + + + * [authorized_keys](authorized_keys) + + + * [id_ed25519](id_ed25519) + + + * [id_ed25519.pub](id_ed25519.pub) + + + + + + * * * + + + + + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → curl 10.0.0.172:8080/id_ed25519 > ~/.ssh/cryptpad + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 399 100 399 0 0 30692 0 --:--:-- --:--:-- --:--:-- 30692 + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → chmod 600 ~/.ssh/cryptpad + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → ssh root@10.0.0.172 -i ~/.ssh/cryptpad + The authenticity of host '10.0.0.172 (10.0.0.172)' can't be established. 
+ ED25519 key fingerprint is SHA256:WEQgq9oY+vNObJlpEPo+TEnABfrNhxrryDo4ZZy1xl0. + This key is not known by any other names + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '10.0.0.172' (ED25519) to the list of known hosts. + Last login: Thu Apr 15 09:37:01 2021 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@cryptpad:~# + + + +Now we can get started after you CTRL+C'd the python http server running from the CT's Webconsole TTY. Let's first install the dependencies required by cryptpad: + + + root@cryptpad:~# apt install nginx npm nodejs git curl -y + + root@cryptpad:~# cd /var/www/html/ + + root@cryptpad:/var/www/html# git clone https://github.com/xwiki-labs/cryptpad.git + Cloning into 'cryptpad'... + remote: Enumerating objects: 97167, done. + remote: Counting objects: 100% (1695/1695), done. + remote: Compressing objects: 100% (601/601), done. + remote: Total 97167 (delta 1249), reused 1524 (delta 1091), pack-reused 95472 + Receiving objects: 100% (97167/97167), 268.59 MiB | 4.94 MiB/s, done. + Resolving deltas: 100% (63585/63585), done. + Checking out files: 100% (39440/39440), done. 
+ + root@cryptpad:/var/www/html# cd cryptpad/ + + root@cryptpad:/var/www/html/cryptpad# ls -l + total 828 + -rw-r--r-- 1 root root 272014 Apr 15 10:06 CHANGELOG.md + -rw-r--r-- 1 root root 3351 Apr 15 10:06 CODE_OF_CONDUCT.md + -rw-r--r-- 1 root root 34520 Apr 15 10:06 LICENSE + -rw-r--r-- 1 root root 44825 Apr 15 10:06 and_so_it_begins.png + -rw-r--r-- 1 root root 1441 Apr 15 10:06 bower.json + drwxr-xr-x 2 root root 4096 Apr 15 10:06 config + -rw-r--r-- 1 root root 202130 Apr 15 10:06 cryptofist.png + drwxr-xr-x 9 root root 4096 Apr 15 10:06 customize.dist + drwxr-xr-x 2 root root 4096 Apr 15 10:06 docs + drwxr-xr-x 6 root root 4096 Apr 15 10:06 lib + -rw-r--r-- 1 root root 103852 Apr 15 10:06 package-lock.json + -rw-r--r-- 1 root root 2111 Apr 15 10:06 package.json + -rw-r--r-- 1 root root 4457 Apr 15 10:06 readme.md + -rw-r--r-- 1 root root 118292 Apr 15 10:06 screenshot.png + drwxr-xr-x 4 root root 4096 Apr 15 10:06 scripts + -rw-r--r-- 1 root root 12576 Apr 15 10:06 server.js + drwxr-xr-x 33 root root 4096 Apr 15 10:06 www + + + +once in here install bower with npm as well as the cryptpad dependencies: + + + root@cryptpad:/var/www/html/cryptpad# npm install -g bower + + root@cryptpad:/var/www/html/cryptpad# npm install + + + +Let it run, and once it is finished, run bower to install the other dependencies: + + + root@cryptpad:/var/www/html/cryptpad# bower install + root@cryptpad:/var/www/html/cryptpad# bower install + + + +If bower fails run it again, then proceed: + + + root@cryptpad:/var/www/html/cryptpad# cd config + root@cryptpad:/var/www/html/cryptpad/config# ls -l + total 16 + -rw-r--r-- 1 root root 13988 Apr 15 10:06 config.example.js + root@cryptpad:/var/www/html/cryptpad/config# cp config.example.js config.js + root@cryptpad:/var/www/html/cryptpad/config# vim config.js + + + +This is the file you're going to edit later on, but for now let's simply run the server itself with node: + + + root@cryptpad:/var/www/html/cryptpad# node server + You can 
configure the administrator email (adminEmail) in your config/config.js file + + m m mm mmmmm mm m mmmmm mm m mmm m + # # # ## # "# #"m # # #"m # m" " # + " #"# # # # #mmmm" # #m # # # #m # # mm # + ## ##" #mm# # "m # # # # # # # # # + # # # # # " # ## mm#mm # ## "mmm" # + + + No 'httpSafeOrigin' provided. + Your configuration probably isn't taking advantage of all of CryptPad's security features! + This is acceptable for development, otherwise your users may be at risk. + + Serving sandboxed content via port 3001. + This is probably not what you want for a production instance! + + Cryptpad is customizable, see customize.dist/readme.md for details + [2021-04-15T10:36:43.125Z] server available http://127.0.0.1:3000 + + + +Now here we have a problem because the cryptpad npm server is only available on 127.0.0.1 on port 3000: + + + [ 10.0.0.10/16 ] [ /dev/pts/28 ] [~] + → curl 10.0.0.172:3000 + curl: (7) Failed to connect to 10.0.0.172 port 3000: Connection refused + + [ 10.0.0.10/16 ] [ /dev/pts/28 ] [~] + → ssh root@10.0.0.172 -i ~/.ssh/cryptpad + Last login: Thu Apr 15 10:00:19 2021 from 10.0.0.10 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ + root@cryptpad:~# curl 127.0.0.1:3000 2>/dev/null | wc -l + 16 + + + +Here you see the problem, so let's setup a nginx reverse proxy to access it on the network: + + + root@cryptpad:~# rm /etc/nginx/sites-available/default + root@cryptpad:~# rm /etc/nginx/sites-enabled/default + root@cryptpad:~# vim /etc/nginx/sites-available/cryptpad.conf + + upstream backend { + server 127.0.0.1:3000; + } + server { + listen 80; + listen [::]:80; + location / { + proxy_pass http://backend; + proxy_http_version 1.1; + } + } + + :wq + + root@cryptpad:~# ln -s /etc/nginx/sites-available/cryptpad.conf /etc/nginx/sites-enabled/ + + root@cryptpad:~# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + root@cryptpad:~# nginx -s reload + + root@cryptpad:~# cd /var/www/html/cryptpad/ + root@cryptpad:/var/www/html/cryptpad# ls + CHANGELOG.md and_so_it_begins.png config data lib package.json scripts + CODE_OF_CONDUCT.md blob cryptofist.png datastore node_modules readme.md server.js + LICENSE bower.json customize.dist docs package-lock.json screenshot.png www + root@cryptpad:/var/www/html/cryptpad# node server + + + +now try to access your website again, this time through nginx's port 80: + +![](4.png) + +And that's it! We have installed a default instance of cryptpad. + +## **Configuring cryptpad and systemd** + +First things first, let's configure our cryptpad instance: + + + [ 10.0.0.10/16 ] [ /dev/pts/28 ] [~] + → base64 /dev/urandom + QEGWX7d7xoFZVTXhPpqc0hBOhgsH4Sh8+s5GTrOVLLWYWAreu8HQ7AfieS0o+mD3JqffsIpaxjPH + LsaMHvAf3Tlvw44DIMCu7TnLpGhMZOcAnfKQ6I7xWxC7PPJAj9qGsSHqxhTsOx29U1tJaFNZgsnF + + root@cryptpad:/var/www/html/cryptpad/config# vim config.js + + [...] + + httpUnsafeOrigin: 'http://localhost:3000', + + [...] + + httpSafeOrigin: "https://cryptpad.void.yt", + + [...] + + adminKeys: [ + "[nothing@cryptpad.void.yt/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbRANDOMx1vVOo=]", + ], + + [...] 
+ + adminEmail: 'nothing@void.yt', + + defaultStorageLimit: 50 * 1024 * 1024, + + inactiveTime: 90, // days + + archiveRetentionTime: 15, + + accountRetentionTime: 365, + + disableIntegratedEviction: true, + + [...] + + :wq + + + +Now once that's done, we're going to create the systemd service file that is going to run the **node server** command for us + + + root@cryptpad:/var/www/html/cryptpad/config# vim /etc/systemd/system/cryptpad.service + + [Unit] + Description=Cryptpad service + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + WorkingDirectory=/var/www/html/cryptpad/ + ExecStart=node server + Restart=always + RestartSec=10 + KillMode=process + + [Install] + WantedBy=multi-user.target + + :wq + + root@cryptpad:/var/www/html/cryptpad/config# systemctl daemon-reload + root@cryptpad:/var/www/html/cryptpad/config# systemctl enable --now cryptpad + Created symlink /etc/systemd/system/multi-user.target.wants/cryptpad.service → /etc/systemd/system/cryptpad.service. + + + +Once that's done, we should be able to access our cryptpad instance as we did earlier: + + + root@cryptpad:/var/www/html/cryptpad/config# systemctl status cryptpad + ● cryptpad.service - Cryptpad service + Loaded: loaded (/etc/systemd/system/cryptpad.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2021-04-15 11:57:08 UTC; 1min 7s ago + Main PID: 19351 (node) + Tasks: 55 (limit: 7372) + Memory: 88.6M + CGroup: /system.slice/cryptpad.service + ├─19351 /usr/bin/node server + ├─19363 /usr/bin/node lib/workers/db-worker + ├─19364 /usr/bin/node lib/workers/db-worker + ├─19365 /usr/bin/node lib/workers/db-worker + └─19366 /usr/bin/node lib/workers/db-worker + + Apr 15 11:57:08 cryptpad systemd[1]: Started Cryptpad service. 
+ Apr 15 11:57:10 cryptpad node[19351]: Cryptpad is customizable, see customize.dist/readme.md for details + Apr 15 11:57:10 cryptpad node[19351]: [2021-04-15T11:57:10.177Z] server available http://127.0.0.1:3000 + + root@cryptpad:/var/www/html/cryptpad/config# curl 10.0.0.172 2>/dev/null | wc -l + 16 + + + +Now that's done and we know it's working, we're going to setup the reverse nginx proxy instance at 10.0.0.101 to make sure we are able to reach our cryptpad node 10.0.0.172:3000 via the domain name cryptpad.void.yt. Let's first edit the config.js file to be able to access it: + + + root@cryptpad:/var/www/html/cryptpad# cd config/ + root@cryptpad:/var/www/html/cryptpad/config# vim config.js + + [...] + + httpUnsafeOrigin: 'http://10.0.0.172:3000', + + [...] + + httpAddress: '10.0.0.172', + + [...] + + :wq + + root@cryptpad:/var/www/html/cryptpad/config# systemctl stop nginx + root@cryptpad:/var/www/html/cryptpad/config# systemctl disable nginx + Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install disable nginx + Removed /etc/systemd/system/multi-user.target.wants/nginx.service. + + root@cryptpad:/var/www/html/cryptpad/config# systemctl restart cryptpad + root@cryptpad:/var/www/html/cryptpad/config# systemctl status cryptpad + ● cryptpad.service - Cryptpad service + Loaded: loaded (/etc/systemd/system/cryptpad.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2021-04-15 12:39:41 UTC; 5s ago + Main PID: 19761 (node) + Tasks: 55 (limit: 7372) + Memory: 85.4M + CGroup: /system.slice/cryptpad.service + ├─19761 /usr/bin/node server + ├─19773 /usr/bin/node lib/workers/db-worker + ├─19774 /usr/bin/node lib/workers/db-worker + ├─19775 /usr/bin/node lib/workers/db-worker + └─19781 /usr/bin/node lib/workers/db-worker + + Apr 15 12:39:41 cryptpad systemd[1]: Started Cryptpad service. 
+ Apr 15 12:39:43 cryptpad node[19761]: Cryptpad is customizable, see customize.dist/readme.md for details + Apr 15 12:39:43 cryptpad node[19761]: [2021-04-15T12:39:43.460Z] server available http://10.0.0.172:3000 + + + +Then we're going to setup the reverse nginx proxy file following cryptpad's documentation: + + + [ 10.0.0.10/16 ] [ /dev/pts/33 ] [~] + → ssh root@10.0.0.101 + root@10.0.0.101's password: + Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Thu Apr 15 11:10:38 2021 from 10.0.0.10 + root@home:~# cd /var/www/void.yt/config/ + root@home:/var/www/void.yt/config# cp test.void.yt.conf cryptpad.void.yt + root@home:/var/www/void.yt/config# vim cryptpad.void.yt + root@home:/var/www/void.yt/config# cp cryptpad.void.yt /etc/nginx/sites-available/cryptpad.void.yt + root@home:/var/www/void.yt/config# vim /etc/nginx/sites-available/cryptpad.void.yt + + upstream cryptbackend { + server 10.0.0.172:3000; + } + + server { + listen 80; + listen [::]:80; + server_name cryptpad.void.yt; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name cryptpad.void.yt; + + ssl_certificate /root/.acme.sh/cryptpad.void.yt/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/cryptpad.void.yt/cryptpad.void.yt.cer; + ssl_certificate_key /root/.acme.sh/cryptpad.void.yt/cryptpad.void.yt.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 
'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + add_header Access-Control-Allow-Origin "*"; + + location / { + proxy_pass http://cryptbackend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + } + } + + :wq + + + +Once that's done, disable nginx and use acme.sh to get your LetsEncrypt TLS certificates + + + + root@home:/var/www/void.yt/config# ln -s /etc/nginx/sites-available/cryptpad.void.yt /etc/nginx/sites-enabled/ + + root@home:/var/www/void.yt/config# systemctl stop nginx + + root@home:/var/www/void.yt/config# acme.sh --issue --standalone -d cryptpad.void.yt -k 4096 + + root@home:/var/www/void.yt/config# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + root@home:/var/www/void.yt/config# systemctl start nginx + + + +Once that's done, go to your web browser and see the following result: + +![](8.png) + +Here you can see that we get HTTPS with LetsEncrypt's TLS1.3 Certificates. 
Let's create an account:
+
+## **Testing Cryptpad**
+
+Let's create an account:
+
+![](9.png) ![](10.png)
+
+Once your account is created, you can create any type of documents you want:
+
+![](11.png)
+
+So for instance let's create a Slide that expires in 1 hours and has a password:
+
+![](12.png) ![](13.png)
+
+One of cryptpad's coolest features is to be able to collaborate on the same files thanks to the sharing feature:
+
+![](14.png)
+
+You can just give the link to someone and they will be able to view or edit your file after clicking on your link. If you set a pssword like i did, they will need to type in the password (here it's 123) to be able to enter. If you disconnect however, you need to clear the cache from your browser (CTRL+F5) because Cryptpad stores data in the browser cache. Only after clearing your cache can you use cryptpad as the anonymous user once again.
+
+![](15.png) ![](16.png)
+
+And there you go! You can also collaborate on a cryptpad instance as 2 anonymous users.
+
diff --git a/cyberchef/0.png b/cyberchef/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/cyberchef/0.png differ
diff --git a/cyberchef/index.md b/cyberchef/index.md
new file mode 100644
index 0000000..86b4f6a
--- /dev/null
+++ b/cyberchef/index.md
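Review bot: The SSH bootstrap in this hunk exposes root's freshly generated private key: `ssh.sh` starts an unauthenticated HTTP listener on `0.0.0.0:8080` whose directory listing (`curl 10.0.0.172:8080`) shows `authorized_keys`, `id_ed25519` and `id_ed25519.pub`, and the key is then pulled in clear text with `curl 10.0.0.172:8080/id_ed25519`, so any host on 10.0.0.0/16 can take it while the listener is up and the private half remains in `/root/.ssh/` on the CT afterwards; generate the key pair on the client and push only the public key (`ssh-copy-id`), or at minimum bind the listener to one address, delete `/root/.ssh/id_ed25519` from the CT once copied, and give the key a passphrase (the prompt is visible, but it is not clear one was entered). `cryptpad.service` has no `User=`/`Group=`, so `node server` and its four `db-worker` children run as root out of `/var/www/html/cryptpad`; add `User=cryptpad` and `Group=cryptpad` with the tree chowned to that account. Changing `httpAddress` to `'10.0.0.172'` while nginx on the CT is stopped and disabled leaves the plaintext :3000 listener reachable from the whole LAN, bypassing the TLS and header policy applied on 10.0.0.101, and the final vhost still has a single hostname and a single upstream even though the earlier startup log says running without a separate sandbox origin "is acceptable for development, otherwise your users may be at risk" — worth checking against the official nginx example whether the `httpUnsafeOrigin`/`httpSafeOrigin` values are the right way round, since the sandbox origin is normally a second domain rather than the one users visit. Two smaller nits in the nginx block: `add_header Access-Control-Allow-Origin "*"` is applied to every response and is broader than needed, and `ssl_trusted_certificate` points at the leaf `cryptpad.void.yt.cer` rather than the CA chain, which `ssl_stapling_verify on` presumably requires.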
@@ -0,0 +1,56 @@
+# cyberchef (npm)
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **Initial setup**
+
+
+ apt update -y && apt upgrade -y
+ apt install git nodejs npm -y
+ npm install -g grunt-cli
+ git clone https://github.com/gchq/CyberChef.git
+ cd CyberChef
+ npm install
+
+ grunt prod
+ cp -r build/ /var/www/build/
+ cd /var/www/
+ chown -R www-data: .
+
+ #/root/CyberChef/build/prod
+
+ apt install nginx -y
+ wget https://blog.nowhere.moe/servers/cyberchef/cyberchef.conf -O /etc/nginx/sites-available/cyberchef.conf
+ ln -s /etc/nginx/sites-available/cyberchef.conf /etc/nginx/sites-enabled/cyberchef.conf
+
+ rm /etc/nginx/sites-available/default
+ rm /etc/nginx/sites-enabled/default
+
+ systemctl enable nginx
+ systemctl restart nginx
+
+
+
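Review bot: The nginx vhost in this hunk is fetched from an external site with `wget https://blog.nowhere.moe/servers/cyberchef/cyberchef.conf -O /etc/nginx/sites-available/cyberchef.conf` and symlinked into `sites-enabled` without its contents ever being shown, so readers enable a server block they cannot review and that can change under them at any time; inline the config (or at least `cat` it and run `nginx -t`) before `systemctl restart nginx`, and state which document root it expects, since the step copies `build/` to `/var/www/build/` while the comment points at `build/prod`, presumably the directory actually served. The build is also unpinned and runs as root: `git clone https://github.com/gchq/CyberChef.git` followed by `npm install` and `grunt prod` builds whatever the default branch currently is, so checking out a release tag (`git checkout <tag>`) and building as an unprivileged user before copying into `/var/www` would make the result reproducible and keep root's home out of the toolchain. Finally, the intro asks for ports 80 and 443 to be forwarded but no certificate is ever obtained in these steps, so either the TLS step belongs here or the page should say the instance is served over plain HTTP.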
diff --git a/db/0.png b/db/0.png
new file mode 100644
index 0000000..3bfdbea
Binary files /dev/null and b/db/0.png differ
diff --git a/db/1.png b/db/1.png
new file mode 100644
index 0000000..70a1302
Binary files /dev/null and b/db/1.png differ
diff --git a/db/10.png b/db/10.png
new file mode 100644
index 0000000..1fdff7e
Binary files /dev/null and b/db/10.png differ
diff --git a/db/11.png b/db/11.png
new file mode 100644
index 0000000..eb70361
Binary files /dev/null and b/db/11.png differ
diff --git a/db/12.png b/db/12.png
new file mode 100644
index 0000000..faa4862
Binary files /dev/null and b/db/12.png differ
diff --git a/db/13.png b/db/13.png
new file mode 100644
index 0000000..49d7e75
Binary files /dev/null and b/db/13.png differ
diff --git a/db/14.png b/db/14.png
new file mode 100644
index 0000000..55e2cf6
Binary files /dev/null and b/db/14.png differ
diff --git a/db/15.png b/db/15.png
new file mode 100644
index 0000000..bcf2f61
Binary files /dev/null and b/db/15.png differ
diff --git a/db/16.png b/db/16.png
new file mode 100644
index 0000000..27106b2
Binary files /dev/null and b/db/16.png differ
diff --git a/db/17.png b/db/17.png
new file mode 100644
index 0000000..3ac0850
Binary files /dev/null and b/db/17.png differ
diff --git a/db/18.png b/db/18.png
new file mode 100644
index 0000000..34bf002
Binary files /dev/null and b/db/18.png differ
diff --git a/db/19.png b/db/19.png
new file mode 100644
index 0000000..7ec7ede
Binary files /dev/null and b/db/19.png differ
diff --git a/db/2.png b/db/2.png
new file mode 100644
index 0000000..37d3e9b
Binary files /dev/null and b/db/2.png differ
diff --git a/db/20.png b/db/20.png
new file mode 100644
index 0000000..c643d77
Binary files /dev/null and b/db/20.png differ
diff --git a/db/21.png b/db/21.png
new file mode 100644
index 0000000..ff14372
Binary files /dev/null and b/db/21.png differ
diff --git a/db/22.png b/db/22.png
new file mode 100644
index 0000000..c40e28d
Binary files /dev/null and b/db/22.png differ
diff --git a/db/23.png b/db/23.png
new file mode 100644
index 0000000..674e902
Binary files /dev/null and b/db/23.png differ
diff --git a/db/24.png b/db/24.png
new file mode 100644
index 0000000..0b17ab8
Binary files /dev/null and b/db/24.png differ
diff --git a/db/25.png b/db/25.png
new file mode 100644
index 0000000..1dfe15c
Binary files /dev/null and b/db/25.png differ
diff --git a/db/26.png b/db/26.png
new file mode 100644
index 0000000..155e4db
Binary files /dev/null and b/db/26.png differ
diff --git a/db/27.png b/db/27.png
new file mode 100644
index 0000000..5a9722d
Binary files /dev/null and b/db/27.png differ
diff --git a/db/28.png b/db/28.png
new file mode 100644
index 0000000..7d103e4
Binary files /dev/null and b/db/28.png differ
diff --git a/db/29.png b/db/29.png
new file mode 100644
index 0000000..9e4f2b8
Binary files /dev/null and b/db/29.png differ
diff --git a/db/3.png b/db/3.png
new file mode 100644
index 0000000..75ed9d0
Binary files /dev/null and b/db/3.png differ
diff --git a/db/30.png b/db/30.png
new file mode 100644
index 0000000..7b7e8bb
Binary files /dev/null and b/db/30.png differ
diff --git a/db/31.png b/db/31.png
new file mode 100644
index 0000000..a8cc511
Binary files /dev/null and b/db/31.png differ
diff --git a/db/32.png b/db/32.png
new file mode 100644
index 0000000..4adb454
Binary files /dev/null and b/db/32.png differ
diff --git a/db/33.png b/db/33.png
new file mode 100644
index 0000000..243ea04
Binary files /dev/null and b/db/33.png differ
diff --git a/db/34.png b/db/34.png
new file mode 100644
index 0000000..169d678
Binary files /dev/null and b/db/34.png differ
diff --git a/db/35.png b/db/35.png
new file mode 100644
index 0000000..9877a02
Binary files /dev/null and b/db/35.png differ
diff --git a/db/36.png b/db/36.png
new file mode 100644
index 0000000..c6bccc9
Binary files /dev/null and b/db/36.png differ
diff --git a/db/37.png b/db/37.png
new file mode 100644
index 0000000..9cafd0c
Binary files /dev/null and b/db/37.png differ
diff --git a/db/38.png b/db/38.png
new file mode 100644
index 0000000..fa9264b
Binary files /dev/null and b/db/38.png differ
diff --git a/db/39.png b/db/39.png
new file mode 100644
index 0000000..6bf545f
Binary files /dev/null and b/db/39.png differ
diff --git a/db/4.png b/db/4.png
new file mode 100644
index 0000000..7c75620
Binary files /dev/null and b/db/4.png differ
diff --git a/db/40.png b/db/40.png
new file mode 100644
index 0000000..ddeaf96
Binary files /dev/null and b/db/40.png differ
diff --git a/db/41.png b/db/41.png
new file mode 100644
index 0000000..c19048f
Binary files /dev/null and b/db/41.png differ
diff --git a/db/42.png b/db/42.png
new file mode 100644
index 0000000..7830e4f
Binary files /dev/null and b/db/42.png differ
diff --git a/db/43.png b/db/43.png
new file mode 100644
index 0000000..2b79128
Binary files /dev/null and b/db/43.png differ
diff --git a/db/44.png b/db/44.png
new file mode 100644
index 0000000..f08b137
Binary files /dev/null and b/db/44.png differ
diff --git a/db/45.png b/db/45.png
new file mode 100644
index 0000000..c47e2f5
Binary files /dev/null and b/db/45.png differ
diff --git a/db/46.png b/db/46.png
new file mode 100644
index 0000000..d0220de
Binary files /dev/null and b/db/46.png differ
diff --git a/db/47.png b/db/47.png
new file mode 100644
index 0000000..07e7c9e
Binary files /dev/null and b/db/47.png differ
diff --git a/db/48.png b/db/48.png
new file mode 100644
index 0000000..a2fefec
Binary files /dev/null and b/db/48.png differ
diff --git a/db/49.png b/db/49.png
new file mode 100644
index 0000000..8efee2f
Binary files /dev/null and b/db/49.png differ
diff --git a/db/5.png b/db/5.png
new file mode 100644
index 0000000..cc51681
Binary files /dev/null and b/db/5.png differ
diff --git a/db/50.png b/db/50.png
new file mode 100644
index 0000000..9d42984
Binary files /dev/null and b/db/50.png differ
diff --git a/db/51.png b/db/51.png
new file mode 100644
index 0000000..014cc26
Binary files /dev/null and b/db/51.png differ
diff --git a/db/52.png b/db/52.png
new file mode 100644
index 0000000..4b35b9d
Binary files /dev/null and b/db/52.png differ
diff --git a/db/53.png b/db/53.png
new file mode 100644
index 0000000..bc20420
Binary files /dev/null and b/db/53.png differ
diff --git a/db/54.png b/db/54.png
new file mode 100644
index 0000000..6329341
Binary files /dev/null and b/db/54.png differ
diff --git a/db/55.png b/db/55.png
new file mode 100644
index 0000000..fea6d68
Binary files /dev/null and b/db/55.png differ
diff --git a/db/56.png b/db/56.png
new file mode 100644
index 0000000..61f3d9a
Binary files /dev/null and b/db/56.png differ
diff --git a/db/57.png b/db/57.png
new file mode 100644
index 0000000..6346bdc
Binary files /dev/null and b/db/57.png differ
diff --git a/db/58.png b/db/58.png
new file mode 100644
index 0000000..9407b65
Binary files /dev/null and b/db/58.png differ
diff --git a/db/59.png b/db/59.png
new file mode 100644
index 0000000..c651a6e
Binary files /dev/null and b/db/59.png differ
diff --git a/db/6.png b/db/6.png
new file mode 100644
index 0000000..0747fd9
Binary files /dev/null and b/db/6.png differ
diff --git a/db/7.png b/db/7.png
new file mode 100644
index 0000000..eac5b96
Binary files /dev/null and b/db/7.png differ
diff --git a/db/8.png b/db/8.png
new file mode 100644
index 0000000..6e2ffd3
Binary files /dev/null and b/db/8.png differ
diff --git a/db/9.png b/db/9.png
new file mode 100644
index 0000000..4c24305
Binary files /dev/null and b/db/9.png differ
diff --git a/db/index.md b/db/index.md
new file mode 100644
index 0000000..71df5d6
--- /dev/null
+++ b/db/index.md
@@ -0,0 +1,363 @@ +# PostgreSQL Master-Slave repmgr triple Replication + +In this tutorial we're going to setup a triple master-slave postgreSQL replication using repmgr: + +The idea of using the aforementionned full mesh topology is in case the master node fails, the slave nodes would elect a new master node amongst themselves. We will first setup our first debian CT on proxmox, setup the latest postgresql version on it and then configure it accordingly to act as the master node.::: + +s + +## **Initial setup** + +![](51.png) + +Once the CT is created, get in it's console to setup SSH properly: + + + Debian GNU/Linux 10 debian-psql-1 tty1 + + debian-psql-1 login: root + Password: + Linux debian-psql-1 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-psql-1:~# apt update -y ; apt upgrade -y ; apt install vim -y ; vim /etc/ssh/sshd_config + + + PermitRootLogin yes + + :wq + root@debian-psql-1:~# systemctl restart sshd ; exit + + + +Once that's done login via ssh: + + + [ 10.0.0.10/16 ] [ /dev/pts/58 ] [~] + → ssh root@10.0.0.161 + The authenticity of host '10.0.0.161 (10.0.0.161)' can't be established. + ED25519 key fingerprint is SHA256:s6HbZSbkMR4DSr8AnFn/owHl82+gQvuomQ++Oe8S6cw. + This key is not known by any other names + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '10.0.0.161' (ED25519) to the list of known hosts. 
+ root@10.0.0.161's password: + Linux debian-psql-1 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Mon Apr 5 10:28:43 2021 + root@debian-psql-1:~# + + + +Now from here we're going to install the latest postgresql: + + + root@debian-psql-1:~# apt install lsb-release gnupg2 -y + root@debian-psql-1:~# sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' + root@debian-psql-1:~# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - + OK + root@debian-psql-1:~# apt update -y + Hit:1 http://security.debian.org buster/updates InRelease + Hit:2 http://ftp.debian.org/debian buster InRelease + Hit:3 http://ftp.debian.org/debian buster-updates InRelease + Get:4 http://apt.postgresql.org/pub/repos/apt buster-pgdg InRelease [104 kB] + Get:5 http://apt.postgresql.org/pub/repos/apt buster-pgdg/main amd64 Packages [219 kB] + Fetched 322 kB in 2s (181 kB/s) + Reading package lists... Done + Building dependency tree + Reading state information... Done + All packages are up to date. + root@debian-psql-1:~# apt install postgresql-13 postgresql-13-repmgr -y + root@debian-psql-1:~# systemctl stop postgresql + + + +Once that's done we're going to clone this CT 4 times to end up with the following topology: + +![](mesh.png) + +Basically, each of the database server nodes are going to send queries to the pgpooler node and the pgpooler node is going to send them to the master node. So let's first clone our debian machine after we shut it down: + + + root@debian-psql-1:~# shutdown now + root@debian-psql-1:~# Connection to 10.0.0.161 closed by remote host. 
+ Connection to 10.0.0.161 closed. + + [ 10.0.0.10/16 ] [ /dev/pts/58 ] [~] + → + + + +and clone it 4 times: + +![](57.png) + +Once cloned, make sure you set their local IP correctly: + +![](58.png) + +Once that's done, start them all and connect to them via SSH: + +![](59.png) + +Now we want to create a .ssh directory owned by the postgres user, and we will do so FROM THE PGBOUNCER node, the other nodes won't communicate to each other by themselves, it will anyway happen through the pgbouncer node. Before we do that, we're going to install pgbouncer: + + + root@debian-pgbouncer:~# apt search pgbouncer + Sorting... Done + Full Text Search... Done + hobbit-plugins/stable 20190129 all + plugins for the Xymon network monitor + + pgbouncer/buster-pgdg 1.15.0-1.pgdg100+1 amd64 + lightweight connection pooler for PostgreSQL + + pgbouncer-dbgsym/buster-pgdg 1.15.0-1.pgdg100+1 amd64 + debug symbols for pgbouncer + + pgstat/buster-pgdg 1.0.1-1.pgdg100+1 amd64 + Collects PostgreSQL statistics the same way as a vmstat tool + + prometheus-pgbouncer-exporter/stable 1.7-1 all + Export metrics from pgbouncer to Prometheus + + root@debian-pgbouncer:~# apt install pgbouncer -y + + + +Once that's done, create pgbouncer's ~/.ssh directory + + + root@debian-pgbouncer:~# su - postgres + postgres@debian-pgbouncer:~$ ls -lash + total 16K + 4.0K drwxr-xr-x 3 postgres postgres 4.0K Apr 5 11:43 . + 4.0K drwxr-xr-x 21 root root 4.0K Apr 5 10:50 .. + 4.0K -rw------- 1 postgres postgres 32 Apr 5 11:43 .bash_history + 4.0K drwxr-xr-x 3 postgres postgres 4.0K Apr 5 10:38 13 + + postgres@debian-pgbouncer:~$ mkdir ~/.ssh + + postgres@debian-pgbouncer:~$ cd ~/.ssh + + postgres@debian-pgbouncer:~/.ssh$ ssh-keygen + Generating public/private rsa key pair. + Enter file in which to save the key (/var/lib/postgresql/.ssh/id_rsa): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /var/lib/postgresql/.ssh/id_rsa. 
+ Your public key has been saved in /var/lib/postgresql/.ssh/id_rsa.pub. + The key fingerprint is: + SHA256:jkRXPz3sIgIfhefwluU4HKLzRPBwI0jnxCq0nWQkwhY postgres@debian-pgbouncer + The key's randomart image is: + +---[RSA 2048]----+ + |oEoooo*.o.o | + | +..++.==+o..o | + |.. = o+o+B *o + | + | o +.o+..O .o . | + | . .+S.... . | + | . o.. . . | + | . . | + | | + | | + +----[SHA256]-----+ + + postgres@debian-pgbouncer:~/.ssh$ + + + +and we will do the same for the other nodes but from our pgbouncer node: + + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo ${i}; done + 1 + 2 + 3 + 4 + 5 + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo 10.0.0.16${i}; done + 10.0.0.161 + 10.0.0.162 + 10.0.0.163 + 10.0.0.164 + 10.0.0.165 + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo 10.0.0.16${i} ; ssh root@10.0.0.16${i} ; done + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo 10.0.0.16${i} ; ssh root@10.0.0.16${i} "mkdir /var/lib/postgresql/.ssh && chown postgres:postgres /var/lib/postgresql/.ssh" ; done + 10.0.0.161 + root@10.0.0.161's password: + 10.0.0.162 + root@10.0.0.162's password: + 10.0.0.163 + root@10.0.0.163's password: + 10.0.0.164 + root@10.0.0.164's password: + 10.0.0.165 + root@10.0.0.165's password: + mkdir: cannot create directory '/var/lib/postgresql/.ssh': File exists + postgres@debian-pgbouncer:~/.ssh$ + + + +Now that's done, we're going to make sure each of the 4 servers can be accessed by the pgbouncer node: + + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo 10.0.0.16${i} ; scp id_rsa* root@10.0.0.16${i}:/var/lib/postgresql/.ssh/ ; done + 10.0.0.161 + root@10.0.0.161's password: + id_rsa 100% 1831 1.3MB/s 00:00 + id_rsa.pub 100% 407 590.4KB/s 00:00 + 10.0.0.162 + root@10.0.0.162's password: + id_rsa 100% 1831 1.7MB/s 00:00 + id_rsa.pub 100% 407 593.3KB/s 00:00 + 10.0.0.163 + root@10.0.0.163's password: + id_rsa 100% 1831 758.0KB/s 00:00 + id_rsa.pub 100% 407 375.6KB/s 00:00 + 10.0.0.164 + 
root@10.0.0.164's password: + id_rsa 100% 1831 1.2MB/s 00:00 + id_rsa.pub 100% 407 541.9KB/s 00:00 + 10.0.0.165 + root@10.0.0.165's password: + id_rsa 100% 1831 1.8MB/s 00:00 + id_rsa.pub 100% 407 579.9KB/s 00:00 + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo 10.0.0.16${i} ; scp id_rsa.pub root@10.0.0.16${i}:/var/lib/postgresql/.ssh/authorized_keys ; done + 10.0.0.161 + root@10.0.0.161's password: + id_rsa.pub 100% 407 512.1KB/s 00:00 + 10.0.0.162 + root@10.0.0.162's password: + id_rsa.pub 100% 407 306.8KB/s 00:00 + 10.0.0.163 + root@10.0.0.163's password: + id_rsa.pub 100% 407 455.7KB/s 00:00 + 10.0.0.164 + root@10.0.0.164's password: + id_rsa.pub 100% 407 357.0KB/s 00:00 + 10.0.0.165 + root@10.0.0.165's password: + id_rsa.pub 100% 407 221.5KB/s 00:00 + postgres@debian-pgbouncer:~/.ssh$ + + + + +Now that's done we can see that the postgres user from the pgbouncer node can log in via ssh to all the other 4 nodes as the postgres user without needing a password: + + + postgres@debian-pgbouncer:~/.ssh$ for i in {1..5} ; do echo 10.0.0.16${i} ; ssh postgres@10.0.0.16${i} "id" ; done + 10.0.0.161 + uid=107(postgres) gid=115(postgres) groups=115(postgres),102(ssl-cert) + 10.0.0.162 + uid=107(postgres) gid=115(postgres) groups=115(postgres),102(ssl-cert) + 10.0.0.163 + uid=107(postgres) gid=115(postgres) groups=115(postgres),102(ssl-cert) + 10.0.0.164 + uid=107(postgres) gid=115(postgres) groups=115(postgres),102(ssl-cert) + 10.0.0.165 + uid=107(postgres) gid=115(postgres) groups=115(postgres),102(ssl-cert) + + + +Now this means that we have passwordless connectivity between all of the machines for the postgres user. 
Now for our next steps, we will need to apply the following changes primary host (node1 at 10.0.0.161) + + + root@debian-psql-1:~# apt install sudo -y ; usermod -aG sudo postgres ; echo "postgres ALL = NOPASSWD: /usr/bin/pg_ctlcluster" > /etc/sudoers.d/postgres + root@debian-psql-2:~# apt install sudo -y ; usermod -aG sudo postgres ; echo "postgres ALL = NOPASSWD: /usr/bin/pg_ctlcluster" > /etc/sudoers.d/postgres + root@debian-psql-3:~# apt install sudo -y ; usermod -aG sudo postgres ; echo "postgres ALL = NOPASSWD: /usr/bin/pg_ctlcluster" > /etc/sudoers.d/postgres + root@debian-psql-4:~# apt install sudo -y ; usermod -aG sudo postgres ; echo "postgres ALL = NOPASSWD: /usr/bin/pg_ctlcluster" > /etc/sudoers.d/postgres + + + +once that's done, we're going to edit the **postgresql.conf** config file for our 4 hosts: + + + root@debian-psql-1:~# su - postgres + postgres@debian-psql-1:~$ vim /etc/postgresql/13/main/postgresql.conf + + + + + [...] + + listen_addresses = '*' + + [...] + + shared_preload_libraries = 'repmgr' + + [...] 
+ + include 'postgresql.replication.conf' + + + +:wq to save and quit, then create the file /etc/postgresql/13/main/postgresql.replication.conf with this: + + + postgres@debian-psql-1:~$ vim /etc/postgresql/13/main/postgresql.replication.conf + + + + + max_wal_senders = 15 + max_replication_slots = 15 + wal_level = 'replica' + hot_standby = on + archive_mode = on + archive_command = '/bin/true' + wal_keep_segments = 500 + + + +:wq to save and quit out of vim, then edit pg_hba.conf: + + + postgres@debian-psql-1:~$ vim /etc/postgresql/13/main/pg_hba.conf + + + + local replication repmgr trust + host replication repmgr 127.0.0.1/32 trust + host replication repmgr 10.0.0.0/16 trust + + local repmgr repmgr trust + host repmgr repmgr 127.0.0.1/32 trust + host repmgr repmgr 10.0.0.0/16 trust + + + +once that's done for all of the 4 hosts, restart postgresql: + + + postgres@debian-psql-2:~$ vim /etc/postgresql/13/main/pg_hba.conf + postgres@debian-psql-2:~$ exit + logout + root@debian-psql-2:~# systemctl restart postgresql ; systemctl status postgresql + * postgresql.service - PostgreSQL RDBMS + Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; v + Active: active (exited) since Mon 2021-04-05 15:20:27 UTC; 38ms ag + Process: 1001 ExecStart=/bin/true (code=exited, status=0/SUCCESS) + Main PID: 1001 (code=exited, status=0/SUCCESS) + + Apr 05 15:20:27 debian-psql-2 systemd[1]: Starting PostgreSQL RDBMS.. + Apr 05 15:20:27 debian-psql-2 systemd[1]: Started PostgreSQL RDBMS. + + + + diff --git a/db/mesh.png b/db/mesh.png new file mode 100644 index 0000000..d69b146 Binary files /dev/null and b/db/mesh.png differ diff --git a/db/repmgr.png b/db/repmgr.png new file mode 100644 index 0000000..03d94eb Binary files /dev/null and b/db/repmgr.png differ diff --git a/debianupgrade/0.png b/debianupgrade/0.png new file mode 100644 index 0000000..8c46fbe Binary files /dev/null and b/debianupgrade/0.png differ 
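Review bot: The `pg_hba.conf` entries added for the repmgr role, `host replication repmgr 10.0.0.0/16 trust` and `host repmgr repmgr 10.0.0.0/16 trust`, let any host in the entire /16 open a replication or repmgr connection with no credentials at all; with the five nodes fixed at 10.0.0.161–165 the lines should name those addresses (or a /29 that covers them) and use `scram-sha-256` with a password set on the repmgr role, keeping `trust` only for the `local` and `127.0.0.1/32` entries if they are needed. The same hunk distributes the pgbouncer node's private key to every node with `scp id_rsa* root@10.0.0.16${i}:/var/lib/postgresql/.ssh/`, so all five machines share a single identity and the compromise of any one of them exposes the key; only `id_rsa.pub` needs to land in `authorized_keys` on the other nodes, and a sentence stating that would stop readers from copying `id_rsa` as well. Earlier in the hunk the sshd change `PermitRootLogin yes` enables root password login on the template that is then cloned four times; the text should mark it as a bootstrap-only step to revert once the postgres key access shown later is working.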
diff --git a/debianupgrade/index.md b/debianupgrade/index.md new file mode 100644 index 0000000..6af6a49 --- /dev/null +++ b/debianupgrade/index.md @@ -0,0 +1,52 @@ +# Debian 12 Bookworm Upgrade + +![](0.png) + +## **Initial Setup** + +First change the repos in the sources.list config file: + + + [ 10.8.0.2/24 ] [ home ] [~] + → vim /etc/apt/sources.list + + :%s/bullseye/bookworm/gi + :wq + + + +and upgrade the system with this one liner: + + + [ 10.8.0.2/24 ] [ home ] [~] + → apt update -y ; apt upgrade -y ; apt dist-upgrade -y ; apt autoremove -y + + + +and once done, reboot the system: + + + [ 10.8.0.2/24 ] [ home ] [~] + → reboot now + + [ 10.8.0.2/24 ] [ home ] [~] + → neofetch + _,met$$$$$gg. root@home + ,g$$$$$$$$$$$$$$$P. -------------- + ,g$$P" """Y$$.". OS: Debian GNU/Linux 12 (bookworm) x86_64 + ,$$P' `$$$. Kernel: 6.1.0-9-amd64 + ',$$P ,ggs. `$$b: Uptime: 1 min + `d$$' ,$P"' . $$$ Packages: 547 (dpkg), 3 (snap) + $$P d$' , $$P Shell: bash 5.2.15 + $$: $$. - ,d$$' CPU: Intel Atom N2800 (4) @ 1.862GHz + $$; Y$b._ _,d$P' GPU: Intel Atom Processor D2xxx/N2xxx + Y$$. `.`"Y$$$$P"' Memory: 147MiB / 3898MiB + `$$b "-.__ + `Y$$ + `Y$$. + `$$b. + `Y$$b. + `"Y$b._ + `""" + + diff --git a/dillinger/0.png b/dillinger/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/dillinger/0.png differ diff --git a/dillinger/1.png b/dillinger/1.png new file mode 100644 index 0000000..2d6fb8b Binary files /dev/null and b/dillinger/1.png differ diff --git a/dillinger/2.png b/dillinger/2.png new file mode 100644 index 0000000..26e1705 Binary files /dev/null and b/dillinger/2.png differ diff --git a/dillinger/3.png b/dillinger/3.png new file mode 100644 index 0000000..7cf08ff Binary files /dev/null and b/dillinger/3.png differ diff --git a/dillinger/index.md b/dillinger/index.md new file mode 100644 index 0000000..04be5da --- /dev/null +++ b/dillinger/index.md 
@@ -0,0 +1,67 @@ +# dillinger + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **1** + + + apt update -y && apt upgrade -y + apt install git npm nodejs -y + git clone https://github.com/joemccann/dillinger + cd dillinger + npm install -d + npm install --production + NODE_ENV=production node app + + + +This is going to open port 8080: + +![](1.png) + +just select everything on the left (CTRL+A) and erase it and you can make your own custom note: + +![](2.png) + +You can also do it from docker: + + + cd + git clone https://github.com/joemccann/dillinger + cd dillinger + cat package.json | grep version + #v3.37.2 currently + docker build -t nihilist666/dillinger:3.37.2 . 
+ docker run -d -p 8000:8080 --restart=always --cap-add=SYS_ADMIN --name=dillinger nihilist666/dillinger:3.37.2 + + + +in this example we're going to switch the port from 8080 to 8000: + +![](3.png) + +This is a container which will persist even after restarting the VM. + diff --git a/dozzle/1.png b/dozzle/1.png new file mode 100644 index 0000000..37f2236 Binary files /dev/null and b/dozzle/1.png differ diff --git a/dozzle/2.png b/dozzle/2.png new file mode 100644 index 0000000..10f4a7a Binary files /dev/null and b/dozzle/2.png differ diff --git a/dozzle/3.png b/dozzle/3.png new file mode 100644 index 0000000..b2ebef0 Binary files /dev/null and b/dozzle/3.png differ diff --git a/dozzle/index.md b/dozzle/index.md new file mode 100644 index 0000000..5b961ed --- /dev/null +++ b/dozzle/index.md 
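Review bot: The docker run line grants `--cap-add=SYS_ADMIN` to a Markdown editor container that is also `--restart=always` and published on `-p 8000:8080`; SYS_ADMIN is close to root on the host, and nothing visible in the hunk explains why dillinger needs it (the `node app` steps in the first block run without any extra capability), so the flag should be dropped or the text should give the concrete reason. Since the tutorial mentions no authentication in front of the app and targets a public VPS, `-p 127.0.0.1:8000:8080` behind a reverse proxy would keep the editor off the open interface. Separately, `npm install -d` in the first block only raises npm's log level rather than selecting dependencies, so that line can be removed in favour of the `npm install --production` that follows.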
@@ -0,0 +1,64 @@ +# Dozzle Setup + +![](0.gif) + +Dozzle is a small and lightweight application with a web-based interface to monitor docker logs. It doesn't store any log files. It is for live monitoring of your container logs. + +## **Initial Setup** + +Dozzle's installation is very simple, i will install it on my current debian VM that i use to run my docker containers: + + + root@docker0:~# docker container ls -a --format "table {{.ID}} \t {{.Names}} \t {{.Size}}" + CONTAINER ID NAMES SIZE + e037d2364879 asciinema_nginx 2B (virtual 16.1MB) + b513c2c6894e asciinema_phoenix 3.89MB (virtual 97.2MB) + 4dbb7e9c7588 asciinema_smtp 272kB (virtual 210MB) + a7804b544bee asciinema_redis 0B (virtual 20.4MB) + b78623063995 asciinema_postgres 63B (virtual 70.7MB) + 831a57e1a4b6 sharelatex 2.15MB (virtual 3.95GB) + d9f12a3b40f3 mongo 14kB (virtual 428MB) + 73817b58274a redis 0B (virtual 98.4MB) + 8120b1a3503e codimd_codimd_1 0B (virtual 820MB) + cf01b3f17b03 codimd_database_1 63B (virtual 152MB) + 2aca6086627a neko_neko3_1 162MB (virtual 703MB) + 876c5cf199bf neko_neko1_1 136MB (virtual 678MB) + 7de701fd022e neko_neko2_1 80.3MB (virtual 622MB) + c6a5c7daf4dd kutt_kutt_1 132kB (virtual 643MB) + 5411baddadcf kutt_postgres_1 63B (virtual 158MB) + a685c6747987 kutt_redis_1 0B (virtual 31.2MB) + f33ae4911086 searx2 25.1kB (virtual 164MB) + 0ab72043d028 searx 0B (virtual 164MB) + + + +So in order to monitor them, we can use dozzle, let's install it: + + + root@docker0:~# docker pull amir20/dozzle:latest + latest: Pulling from amir20/dozzle + 70551b8344a5: Pull complete + bcec85df9694: Pull complete + Digest: sha256:21d6ea215277b2d5b901d0690aa36af4035a09f51dec07f24e487860ff18ec17 + Status: Downloaded newer image for amir20/dozzle:latest + root@docker0:~# $ docker run --name dozzle -d --volume=/var/run/docker.sock:/var/run/docker.sock -p 8888:8080 amir20/dozzle:latest + -bash: $: command not found + root@docker0:~# docker run --name dozzle -d 
--volume=/var/run/docker.sock:/var/run/docker.sock -p 8888:8080 amir20/dozzle:latest + 42fae462820311a0e32fd6e829156c36b3de61bd003b04b086ad0a0ba864da76 + + + +And from here, we have access to our Dozzle instance from port 8888: + +![](1.png) + +## **Usage** + +One of dozzle's great features is the regex / Find feature, to use it just type CTRL+F and type in the pattern you want to match in the logs: + +![](2.png) + +you can also change the default settings: + +![](3.png) + diff --git a/e4/0.png b/e4/0.png new file mode 100644 index 0000000..861e3e1 Binary files /dev/null and b/e4/0.png differ diff --git a/e4/1.png b/e4/1.png new file mode 100644 index 0000000..4e00939 Binary files /dev/null and b/e4/1.png differ diff --git a/e4/10.png b/e4/10.png new file mode 100644 index 0000000..6f22794 Binary files /dev/null and b/e4/10.png differ diff --git a/e4/100.png b/e4/100.png new file mode 100644 index 0000000..17807f2 Binary files /dev/null and b/e4/100.png differ diff --git a/e4/101.png b/e4/101.png new file mode 100644 index 0000000..e425b4b Binary files /dev/null and b/e4/101.png differ diff --git a/e4/102.png b/e4/102.png new file mode 100644 index 0000000..3483c57 Binary files /dev/null and b/e4/102.png differ diff --git a/e4/103.png b/e4/103.png new file mode 100644 index 0000000..7cc61d2 Binary files /dev/null and b/e4/103.png differ diff --git a/e4/104.png b/e4/104.png new file mode 100644 index 0000000..169362f Binary files /dev/null and b/e4/104.png differ diff --git a/e4/105.png b/e4/105.png new file mode 100644 index 0000000..bc739bf Binary files /dev/null and b/e4/105.png differ diff --git a/e4/106.png b/e4/106.png new file mode 100644 index 0000000..a7aae47 Binary files /dev/null and b/e4/106.png differ diff --git a/e4/107.png b/e4/107.png new file mode 100644 index 0000000..1706738 Binary files /dev/null and b/e4/107.png differ diff --git a/e4/108.png b/e4/108.png new file mode 100644 index 0000000..f2a8bd8 Binary files /dev/null and b/e4/108.png differ 
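Review bot: The `docker run` line bind-mounts `/var/run/docker.sock` into the Dozzle container and publishes it with `-p 8888:8080` on every interface, and the text mentions no authentication, so anyone who can reach port 8888 can read the logs of every container listed above, including whatever credentials those applications print at startup. Publishing on loopback, `-p 127.0.0.1:8888:8080`, and fronting it with an authenticating reverse proxy would keep the log viewer off the network. A sentence noting that a read-write mount of the Docker socket gives the container the same control over the daemon as root on the host would also help readers judge the trade-off before running the command as shown.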
diff --git a/e4/109.png b/e4/109.png
new file mode 100644
index 0000000..32b1660
Binary files /dev/null and b/e4/109.png differ
diff --git a/e4/11.png b/e4/11.png
new file mode 100644
index 0000000..e142ac3
Binary files /dev/null and b/e4/11.png differ
diff --git a/e4/110.png b/e4/110.png
new file mode 100644
index 0000000..7832395
Binary files /dev/null and b/e4/110.png differ
diff --git a/e4/12.png b/e4/12.png
new file mode 100644
index 0000000..a1e1990
Binary files /dev/null and b/e4/12.png differ
diff --git a/e4/120.png b/e4/120.png
new file mode 100644
index 0000000..778205d
Binary files /dev/null and b/e4/120.png differ
diff --git a/e4/121.png b/e4/121.png
new file mode 100644
index 0000000..0acd194
Binary files /dev/null and b/e4/121.png differ
diff --git a/e4/122.png b/e4/122.png
new file mode 100644
index 0000000..b9f71e9
Binary files /dev/null and b/e4/122.png differ
diff --git a/e4/123.png b/e4/123.png
new file mode 100644
index 0000000..85d49b4
Binary files /dev/null and b/e4/123.png differ
diff --git a/e4/124.png b/e4/124.png
new file mode 100644
index 0000000..6eceb73
Binary files /dev/null and b/e4/124.png differ
diff --git a/e4/125.png b/e4/125.png
new file mode 100644
index 0000000..4919854
Binary files /dev/null and b/e4/125.png differ
diff --git a/e4/126.png b/e4/126.png
new file mode 100644
index 0000000..e7c8a0c
Binary files /dev/null and b/e4/126.png differ
diff --git a/e4/127.png b/e4/127.png
new file mode 100644
index 0000000..06861d5
Binary files /dev/null and b/e4/127.png differ
diff --git a/e4/128.png b/e4/128.png
new file mode 100644
index 0000000..76ee31f
Binary files /dev/null and b/e4/128.png differ
diff --git a/e4/129.png b/e4/129.png
new file mode 100644
index 0000000..859931c
Binary files /dev/null and b/e4/129.png differ
diff --git a/e4/13.png b/e4/13.png
new file mode 100644
index 0000000..91e05cb
Binary files /dev/null and b/e4/13.png differ
diff --git a/e4/130.png b/e4/130.png
new file mode 100644
index 0000000..d097abf
Binary files /dev/null and b/e4/130.png differ
diff --git a/e4/131.png b/e4/131.png
new file mode 100644
index 0000000..a646ea8
Binary files /dev/null and b/e4/131.png differ
diff --git a/e4/132.png b/e4/132.png
new file mode 100644
index 0000000..d89112c
Binary files /dev/null and b/e4/132.png differ
diff --git a/e4/133.png b/e4/133.png
new file mode 100644
index 0000000..0f92b51
Binary files /dev/null and b/e4/133.png differ
diff --git a/e4/134.png b/e4/134.png
new file mode 100644
index 0000000..32db6bd
Binary files /dev/null and b/e4/134.png differ
diff --git a/e4/135.png b/e4/135.png
new file mode 100644
index 0000000..bfbfcfc
Binary files /dev/null and b/e4/135.png differ
diff --git a/e4/136.png b/e4/136.png
new file mode 100644
index 0000000..74a611b
Binary files /dev/null and b/e4/136.png differ
diff --git a/e4/137.png b/e4/137.png
new file mode 100644
index 0000000..20b1583
Binary files /dev/null and b/e4/137.png differ
diff --git a/e4/138.png b/e4/138.png
new file mode 100644
index 0000000..89eb104
Binary files /dev/null and b/e4/138.png differ
diff --git a/e4/139.png b/e4/139.png
new file mode 100644
index 0000000..4c10ca5
Binary files /dev/null and b/e4/139.png differ
diff --git a/e4/14.png b/e4/14.png
new file mode 100644
index 0000000..dfdef20
Binary files /dev/null and b/e4/14.png differ
diff --git a/e4/140.png b/e4/140.png
new file mode 100644
index 0000000..f77a3e7
Binary files /dev/null and b/e4/140.png differ
diff --git a/e4/141.png b/e4/141.png
new file mode 100644
index 0000000..fde9160
Binary files /dev/null and b/e4/141.png differ
diff --git a/e4/142.png b/e4/142.png
new file mode 100644
index 0000000..bf472ba
Binary files /dev/null and b/e4/142.png differ
diff --git a/e4/143.png b/e4/143.png
new file mode 100644
index 0000000..4e6af8a
Binary files /dev/null and b/e4/143.png differ
diff --git a/e4/144.png b/e4/144.png
new file mode 100644
index 0000000..ee714b7
Binary files /dev/null and b/e4/144.png differ
diff --git a/e4/145.png b/e4/145.png
new file mode 100644
index 0000000..78cb6e1
Binary files /dev/null and b/e4/145.png differ
diff --git a/e4/146.png b/e4/146.png
new file mode 100644
index 0000000..e16009a
Binary files /dev/null and b/e4/146.png differ
diff --git a/e4/147.png b/e4/147.png
new file mode 100644
index 0000000..56747ce
Binary files /dev/null and b/e4/147.png differ
diff --git a/e4/148.png b/e4/148.png
new file mode 100644
index 0000000..52ec791
Binary files /dev/null and b/e4/148.png differ
diff --git a/e4/149.png b/e4/149.png
new file mode 100644
index 0000000..c0b3fe8
Binary files /dev/null and b/e4/149.png differ
diff --git a/e4/15.png b/e4/15.png
new file mode 100644
index 0000000..443f48f
Binary files /dev/null and b/e4/15.png differ
diff --git a/e4/150.png b/e4/150.png
new file mode 100644
index 0000000..8da4cb3
Binary files /dev/null and b/e4/150.png differ
diff --git a/e4/16.png b/e4/16.png
new file mode 100644
index 0000000..0cc2063
Binary files /dev/null and b/e4/16.png differ
diff --git a/e4/17.png b/e4/17.png
new file mode 100644
index 0000000..40eeb0e
Binary files /dev/null and b/e4/17.png differ
diff --git a/e4/18.png b/e4/18.png
new file mode 100644
index 0000000..b7bad62
Binary files /dev/null and b/e4/18.png differ
diff --git a/e4/19.png b/e4/19.png
new file mode 100644
index 0000000..5904b88
Binary files /dev/null and b/e4/19.png differ
diff --git a/e4/2.png b/e4/2.png
new file mode 100644
index 0000000..5d1c486
Binary files /dev/null and b/e4/2.png differ
diff --git a/e4/20.png b/e4/20.png
new file mode 100644
index 0000000..1d56194
Binary files /dev/null and b/e4/20.png differ
diff --git a/e4/21.png b/e4/21.png
new file mode 100644
index 0000000..718213e
Binary files /dev/null and b/e4/21.png differ
diff --git a/e4/22.png b/e4/22.png
new file mode 100644
index 0000000..69e78b9
Binary files /dev/null and b/e4/22.png differ
diff --git a/e4/23.png b/e4/23.png
new file mode 100644
index 0000000..dffc212
Binary files /dev/null and b/e4/23.png differ
diff --git a/e4/24.png b/e4/24.png
new file mode 100644
index 0000000..7c66950
Binary files /dev/null and b/e4/24.png differ
diff --git a/e4/25.png b/e4/25.png
new file mode 100644
index 0000000..2a617cc
Binary files /dev/null and b/e4/25.png differ
diff --git a/e4/26.png b/e4/26.png
new file mode 100644
index 0000000..3c4ac60
Binary files /dev/null and b/e4/26.png differ
diff --git a/e4/27.png b/e4/27.png
new file mode 100644
index 0000000..6c376b7
Binary files /dev/null and b/e4/27.png differ
diff --git a/e4/28.png b/e4/28.png
new file mode 100644
index 0000000..eeeb293
Binary files /dev/null and b/e4/28.png differ
diff --git a/e4/29.png b/e4/29.png
new file mode 100644
index 0000000..4dbeafe
Binary files /dev/null and b/e4/29.png differ
diff --git a/e4/3.png b/e4/3.png
new file mode 100644
index 0000000..a3b29b9
Binary files /dev/null and b/e4/3.png differ
diff --git a/e4/30.png b/e4/30.png
new file mode 100644
index 0000000..8eb2cd5
Binary files /dev/null and b/e4/30.png differ
diff --git a/e4/31.png b/e4/31.png
new file mode 100644
index 0000000..b8df1ae
Binary files /dev/null and b/e4/31.png differ
diff --git a/e4/32.png b/e4/32.png
new file mode 100644
index 0000000..a7a00c5
Binary files /dev/null and b/e4/32.png differ
diff --git a/e4/33.png b/e4/33.png
new file mode 100644
index 0000000..47e0d62
Binary files /dev/null and b/e4/33.png differ
diff --git a/e4/34.png b/e4/34.png
new file mode 100644
index 0000000..917fc00
Binary files /dev/null and b/e4/34.png differ
diff --git a/e4/35.png b/e4/35.png
new file mode 100644
index 0000000..c5d8c2e
Binary files /dev/null and b/e4/35.png differ
diff --git a/e4/36.png b/e4/36.png
new file mode 100644
index 0000000..8499941
Binary files /dev/null and b/e4/36.png differ
diff --git a/e4/37.png b/e4/37.png
new file mode 100644
index 0000000..5868ab4
Binary files /dev/null and b/e4/37.png differ
diff --git a/e4/38.png b/e4/38.png
new file mode 100644
index 0000000..fea66e7
Binary files /dev/null and b/e4/38.png differ
diff --git a/e4/39.png b/e4/39.png
new file mode 100644
index 0000000..b3019a8
Binary files /dev/null and b/e4/39.png differ
diff --git a/e4/4.png b/e4/4.png
new file mode 100644
index 0000000..7ed2dea
Binary files /dev/null and b/e4/4.png differ
diff --git a/e4/40.png b/e4/40.png
new file mode 100644
index 0000000..3b8fcd2
Binary files /dev/null and b/e4/40.png differ
diff --git a/e4/41.png b/e4/41.png
new file mode 100644
index 0000000..89e5ac6
Binary files /dev/null and b/e4/41.png differ
diff --git a/e4/42.png b/e4/42.png
new file mode 100644
index 0000000..d5e4376
Binary files /dev/null and b/e4/42.png differ
diff --git a/e4/43.png b/e4/43.png
new file mode 100644
index 0000000..0c92bef
Binary files /dev/null and b/e4/43.png differ
diff --git a/e4/44.png b/e4/44.png
new file mode 100644
index 0000000..5a93d18
Binary files /dev/null and b/e4/44.png differ
diff --git a/e4/45.png b/e4/45.png
new file mode 100644
index 0000000..8f3ae59
Binary files /dev/null and b/e4/45.png differ
diff --git a/e4/46.png b/e4/46.png
new file mode 100644
index 0000000..35048dc
Binary files /dev/null and b/e4/46.png differ
diff --git a/e4/47.png b/e4/47.png
new file mode 100644
index 0000000..9c0b04b
Binary files /dev/null and b/e4/47.png differ
diff --git a/e4/48.png b/e4/48.png
new file mode 100644
index 0000000..55e32a4
Binary files /dev/null and b/e4/48.png differ
diff --git a/e4/49.png b/e4/49.png
new file mode 100644
index 0000000..12edfaa
Binary files /dev/null and b/e4/49.png differ
diff --git a/e4/5.png b/e4/5.png
new file mode 100644
index 0000000..0b61f12
Binary files /dev/null and b/e4/5.png differ
diff --git a/e4/50.png b/e4/50.png
new file mode 100644
index 0000000..8ad2041
Binary files /dev/null and b/e4/50.png differ
diff --git a/e4/51.png b/e4/51.png
new file mode 100644
index 0000000..32f76d0
Binary files /dev/null and b/e4/51.png differ
diff --git a/e4/52.png b/e4/52.png
new file mode 100644
index 0000000..20cb936
Binary files /dev/null and b/e4/52.png differ
diff --git a/e4/53.png b/e4/53.png
new file mode 100644
index 0000000..01ba634
Binary files /dev/null and b/e4/53.png differ
diff --git a/e4/54.png b/e4/54.png
new file mode 100644
index 0000000..8bc8e42
Binary files /dev/null and b/e4/54.png differ
diff --git a/e4/55.png b/e4/55.png
new file mode 100644
index 0000000..f362983
Binary files /dev/null and b/e4/55.png differ
diff --git a/e4/56.png b/e4/56.png
new file mode 100644
index 0000000..78c1772
Binary files /dev/null and b/e4/56.png differ
diff --git a/e4/57.png b/e4/57.png
new file mode 100644
index 0000000..8d5db0e
Binary files /dev/null and b/e4/57.png differ
diff --git a/e4/58.png b/e4/58.png
new file mode 100644
index 0000000..064fb40
Binary files /dev/null and b/e4/58.png differ
diff --git a/e4/59.png b/e4/59.png
new file mode 100644
index 0000000..8173e6d
Binary files /dev/null and b/e4/59.png differ
diff --git a/e4/6.png b/e4/6.png
new file mode 100644
index 0000000..5c566c9
Binary files /dev/null and b/e4/6.png differ
diff --git a/e4/60.png b/e4/60.png
new file mode 100644
index 0000000..b12ac9e
Binary files /dev/null and b/e4/60.png differ
diff --git a/e4/61.png b/e4/61.png
new file mode 100644
index 0000000..f2142b0
Binary files /dev/null and b/e4/61.png differ
diff --git a/e4/62.png b/e4/62.png
new file mode 100644
index 0000000..1aa0b15
Binary files /dev/null and b/e4/62.png differ
diff --git a/e4/63.png b/e4/63.png
new file mode 100644
index 0000000..9c6f1a4
Binary files /dev/null and b/e4/63.png differ
diff --git a/e4/64.png b/e4/64.png
new file mode 100644
index 0000000..384a3d9
Binary files /dev/null and b/e4/64.png differ
diff --git a/e4/65.png b/e4/65.png
new file mode 100644
index 0000000..c461aaa
Binary files /dev/null and b/e4/65.png differ
diff --git a/e4/66.png b/e4/66.png
new file mode 100644
index 0000000..a39f506
Binary files /dev/null and b/e4/66.png differ
diff --git a/e4/67.png b/e4/67.png
new file mode 100644
index 0000000..4b86bc9
Binary files /dev/null and b/e4/67.png differ
diff --git a/e4/68.png b/e4/68.png
new file mode 100644
index 0000000..e9e97a0
Binary files /dev/null and b/e4/68.png differ
diff --git a/e4/69.png b/e4/69.png
new file mode 100644
index 0000000..8eaa8dd
Binary files /dev/null and b/e4/69.png differ
diff --git a/e4/7.png b/e4/7.png
new file mode 100644
index 0000000..11e703c
Binary files /dev/null and b/e4/7.png differ
diff --git a/e4/70.png b/e4/70.png
new file mode 100644
index 0000000..cfe3803
Binary files /dev/null and b/e4/70.png differ
diff --git a/e4/71.png b/e4/71.png
new file mode 100644
index 0000000..a08f5e1
Binary files /dev/null and b/e4/71.png differ
diff --git a/e4/72.png b/e4/72.png
new file mode 100644
index 0000000..56b795a
Binary files /dev/null and b/e4/72.png differ
diff --git a/e4/73.png b/e4/73.png
new file mode 100644
index 0000000..6176098
Binary files /dev/null and b/e4/73.png differ
diff --git a/e4/74.png b/e4/74.png
new file mode 100644
index 0000000..974f65d
Binary files /dev/null and b/e4/74.png differ
diff --git a/e4/75.png b/e4/75.png
new file mode 100644
index 0000000..17a1ed4
Binary files /dev/null and b/e4/75.png differ
diff --git a/e4/76.png b/e4/76.png
new file mode 100644
index 0000000..7f82415
Binary files /dev/null and b/e4/76.png differ
diff --git a/e4/77.png b/e4/77.png
new file mode 100644
index 0000000..13335dc
Binary files /dev/null and b/e4/77.png differ
diff --git a/e4/78.png b/e4/78.png
new file mode 100644
index 0000000..f2da7d2
Binary files /dev/null and b/e4/78.png differ
diff --git a/e4/79.png b/e4/79.png
new file mode 100644
index 0000000..fb3b6b8
Binary files /dev/null and b/e4/79.png differ
diff --git a/e4/8.png b/e4/8.png
new file mode 100644
index 0000000..bf0d4ba
Binary files /dev/null and b/e4/8.png differ
diff --git a/e4/80.png b/e4/80.png
new file mode 100644
index 0000000..70b68dc
Binary files /dev/null and b/e4/80.png differ
diff --git a/e4/81.png b/e4/81.png
new file mode 100644
index 0000000..e910ad4
Binary files /dev/null and b/e4/81.png differ
diff --git a/e4/82.png b/e4/82.png
new file mode 100644
index 0000000..82b5087
Binary files /dev/null and b/e4/82.png differ
diff --git a/e4/83.png b/e4/83.png
new file mode 100644
index 0000000..6f46d22
Binary files /dev/null and b/e4/83.png differ
diff --git a/e4/84.png b/e4/84.png
new file mode 100644
index 0000000..64d35a2
Binary files /dev/null and b/e4/84.png differ
diff --git a/e4/85.png b/e4/85.png
new file mode 100644
index 0000000..926d515
Binary files /dev/null and b/e4/85.png differ
diff --git a/e4/86.png b/e4/86.png
new file mode 100644
index 0000000..ce886d2
Binary files /dev/null and b/e4/86.png differ
diff --git a/e4/87.png b/e4/87.png
new file mode 100644
index 0000000..f9c0c63
Binary files /dev/null and b/e4/87.png differ
diff --git a/e4/88.png b/e4/88.png
new file mode 100644
index 0000000..046a969
Binary files /dev/null and b/e4/88.png differ
diff --git a/e4/89.png b/e4/89.png
new file mode 100644
index 0000000..55df3d2
Binary files /dev/null and b/e4/89.png differ
diff --git a/e4/9.png b/e4/9.png
new file mode 100644
index 0000000..79d8cf7
Binary files /dev/null and b/e4/9.png differ
diff --git a/e4/90.png b/e4/90.png
new file mode 100644
index 0000000..86248d8
Binary files /dev/null and b/e4/90.png differ
diff --git a/e4/91.png b/e4/91.png
new file mode 100644
index 0000000..f7cc3ad
Binary files /dev/null and b/e4/91.png differ
diff --git a/e4/92.png b/e4/92.png
new file mode 100644
index 0000000..e7a9dd0
Binary files /dev/null and b/e4/92.png differ
diff --git a/e4/93.png b/e4/93.png
new file mode 100644
index 0000000..1cd2f97
Binary files /dev/null and b/e4/93.png differ
diff --git a/e4/94.png b/e4/94.png
new file mode 100644
index 0000000..f6a14e9
Binary files /dev/null and b/e4/94.png differ
diff --git a/e4/95.png b/e4/95.png
new file mode 100644
index 0000000..fcc1f64
Binary files /dev/null and b/e4/95.png differ
diff --git a/e4/96.png b/e4/96.png
new file mode 100644
index 0000000..af06675
Binary files /dev/null and b/e4/96.png differ
diff --git a/e4/97.png b/e4/97.png
new file mode 100644
index 0000000..2b9cf3e
Binary files /dev/null and b/e4/97.png differ
diff --git a/e4/98.png b/e4/98.png
new file mode 100644
index 0000000..269ceb6
Binary files /dev/null and b/e4/98.png differ
diff --git a/e4/99.png b/e4/99.png
new file mode 100644
index 0000000..2e7322d
Binary files /dev/null and b/e4/99.png differ
diff --git a/e4/index.md b/e4/index.md
new file mode 100644
index 0000000..41bca6a
--- /dev/null
+++ b/e4/index.md
@@ -0,0 +1,96 @@
+# E4 Situation Professionnelle 2
+
+Dans ce guide je détaille comment j'ai installé l'infrastructure de ma Situation Professionnelle n°2 (VPN site à site pour pfsense)
+
+![](0.png)
+
+En effet, les 2 situations professionnelles dépendent l'une de l'autre. De ce fait j'ai intégré à la fin de ce tutoriel le lien vers l'autre Situation Professionnelle.
+
+_Disclaimer:_ Yes, my whole blog is in english, but there are french teachers/inspectors/professionals that are most probably going to read this specific installation guide because this is part of one of my final exams for my networking degree, so here's why i need to write it in french.
+
+The entirety of this guide has also been explained elsewhere on this same blog, although in smaller individual parts that you can choose if you don't understand french.
+
+## **Installation Initialle de Pfsense1+2 + Debian10**
+
+L'intégralité de cette installation a été faite sur **virt-manager** , sur mon PC portable. Les ISOs sont dans **/mnt/vault/ISOS** et mes VMs sont dans **/mnt/vault/VMs**.
+
+![]() ![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) ![](8.png) ![](9.png) ![](10.png)
+
+Donc on installe le premier routeur pfsense1 en suivant le schéma tout en haut: il faut que la VM ait 2 interfaces réseaux, une qui est dédiée au 'WAN' qui est tout simplement le réseau par défaut de virt-manager, et une seconde interface réseau dédiée au réseau local LAN lui correspondant.
Ici c'est le LAN A, on ne veut pas que virt-manager ne touche à la configuration ipv4 des 2 réseaux locaux LAN A et LAN B, donc on suis les étapes suivantes:
+
+![](11.png) ![](12.png) ![](13.png) ![](14.png) ![](15.png) ![](16.png) ![](17.png) ![](18.png) ![](19.png) ![](20.png)
+
+Afin d'assigner les interfaces à leurs roles il faut qu'on puisse les distinguer, et on ne peut les distinguer que grâce à leurs addresses physiques, donc on vérifie laquelle correspond à l'interface connectée au réseau WAN et on en déduit que la seconde appartient au réseau LAN. Une fois que les interfaces ont été attribuées, on leur affecte leurs adresses IP en suivant le schéma réseau.
+
+![](21.png) ![](22.png) ![](23.png) ![](24.png) ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png)
+
+Le pool DHCP du réseau local n'a pas été choisie au hasard. J'ai laissé 18 addresses (10.1.0.2-19) non utilisées afin qu'elles puissent être utilisées en tant qu'adresses IPs statiques si besoin est. Pour la suite on ne va pas ré-installer un second pfsense, on va tout simplement cloner la VM existante et la configurer correctement comme notre premier routeur pfsense.
+
+![](30.png) ![](31.png) ![](32.png) ![](33.png) ![](34.png) ![](35.png)
+
+Maintenant qu'on est là on peut commencer l'installation de la VM debian10 sur le WAN car nous n'avons pas encore configuré les deux pfsense. (il faut qu'il y ait un hôte dans le LAN du pfsense en question, et qu'il accède à sa passerelle (10.2.0.1/16 ou 10.1.0.1/16) pour configurer cette dernière.)
+
+![](36.png) ![](37.png) ![](38.png) ![](39.png) ![](40.png) ![](41.png) ![](42.png) ![](43.png) ![](44.png) ![](45.png) ![](46.png) ![](47.png) ![](48.png) ![](49.png) ![](50.png) ![](51.png) ![](52.png) ![](53.png)
+
+Maintenant que les 2 routeurs pfsense ont étés configurés, on remet la VM debian dans le LAN A comme il a été indiqué dans le schéma réseau, et on lui affecte une IP statique:
+
+![](54.png) ![](55.png) ![](56.png)
+
+Ici on a la preuve que notre pfsense fonctionne, elle a attribué une adresse via DHCP à notre VM debian. Mais afin de suivre le schéma du réseau, nous voulons l'adresse IP 10.1.0.10/16 pour notre VM debian:
+
+![](57.png) ![](58.png)
+
+## **Installation de WS2019 et du client Win10**
+
+Maintenant que nous avons mis en place nos VMs pfsense ainsi que notre VM debian, nous mettons en place les 2 VMs du LAN B:
+
+![](59.png) ![](60.png) ![](61.png) ![](62.png) ![](63.png) ![](64.png) ![](65.png) ![](66.png) ![](67.png) ![](68.png) ![](69.png) ![](70.png) ![](71.png) ![](72.png) ![](73.png) ![](74.png) ![](75.png) ![](76.png) ![](77.png) ![](78.png) ![](79.png) ![](80.png) ![](81.png) ![](82.png) ![](83.png) ![](84.png) ![](85.png) ![](86.png) ![](87.png)
+
+Maintenant qu'on a installé notre VM WS2019 et qu'on a ajouté nos 2 OUs avec nos 4 Administrateurs et nos 4 Utilisateurs, nous allons installer notre VM client Windows 10:
+
+![](88.png) ![](89.png) ![](90.png) ![](91.png) ![](92.png) ![](93.png) ![](94.png) ![](95.png) ![](96.png)
+
+Une fois que notre client sur windows 10 a redémarré, il est intégré à l'Active Directory de notre WS2019, nous avons donc complété l'installation de notre infrastructure, il ne manque plus que les deux situations professionnelles.
Dans cette situation professionnelle, nous allons mettre en place une connection VPN Site-a-Site:
+
+## **Situation Professionnelle 2**
+
+La seconde Situation Professionnelle consiste à installer un VPN site à site liant les deux lans séparés par les 2 routeurs pfsense entre eux, grâce à l'implémentation d'OpenVPN dans pfsense:
+
+![](120.png) ![](121.png) ![](122.png)
+
+On laisse le reste par défaut et on clique sur 'sauvegarder':
+
+![](123.png) ![](124.png) ![](125.png) ![](126.png)
+
+On permet les traffics openvpn sur l'interface WAN puis on permet les traffics sur l'interface OpenVPN:
+
+![](127.png) ![](128.png) ![](129.png)
+
+Une fois qu'on a permis le traffic sur l'interface OpenVPN on peut continuer:
+
+![](130.png)
+
+Ici on a besoin de copier la shared key pour notre second pfsense, et on va la faire passer sur l'autre machine par un pastebin:
+
+![](131.png)
+
+Donc maintenant on a notre pastebin comportant la clée [ici](https://haste.void.yt/uzadyluwuc.vala), et nous allons donc configurer notre second routeur pfsense avec cette clée:
+
+![](132.png) ![](133.png) ![](134.png) ![](135.png)
+
+![](136.png) ![](137.png) ![](138.png) ![](139.png) ![](140.png)
+
+![](141.png) ![](142.png) ![](143.png) ![](144.png)
+
+Et voila ! On a réussi à mettre en place un VPN Site-à-Site permettant de relier les 2 réseaux locaux entre eux. On peut donc par exemple accéder au serveur Nextcloud (10.1.0.10) depuis le LAN B (10.2.0.0/16):
+
+![](145.png)
+
+Nous avons donc terminé notre mise en place de la seconde Situation Professionnelle.
+
+On va ensuite récupérer la clée privée SSH sur notre hote windows server 2019 afin de pouvoir nous connecter via SSH au serveur debian10:
+
+![](149.png) ![](150.png)
+
+Et voila ! On a pu vérifier que la connection SSH par clé privée est possible depuis un hôte du LAN B jusqu'au serveur debian10.
+
diff --git a/etherpad/0.png b/etherpad/0.png
new file mode 100644
index 0000000..d4ed4b2
Binary files /dev/null and b/etherpad/0.png differ
diff --git a/etherpad/1.png b/etherpad/1.png
new file mode 100644
index 0000000..d59c3ac
Binary files /dev/null and b/etherpad/1.png differ
diff --git a/etherpad/2.png b/etherpad/2.png
new file mode 100644
index 0000000..5b8cc4b
Binary files /dev/null and b/etherpad/2.png differ
diff --git a/etherpad/3.png b/etherpad/3.png
new file mode 100644
index 0000000..92e2105
Binary files /dev/null and b/etherpad/3.png differ
diff --git a/etherpad/index.md b/etherpad/index.md
new file mode 100644
index 0000000..f32355f
--- /dev/null
+++ b/etherpad/index.md
@@ -0,0 +1,156 @@
+# Installing Etherpad behind a nginx reverse proxy
+
+![](2.png)
+
+## **Initial Setup**
+
+
+
+ apt install nodejs git npm -y
+ cd /srv
+ git clone --branch master https://github.com/ether/etherpad-lite.git
+ cd etherpad-lite
+
+ wget https://blog.nowhere.moe/servers/etherpad/etherpad.service -O /etc/systemd/system/etherpad.service
+
+
+
+
+now since you can't run the server as root for the first time, we create an etherpad user:
+
+
+ adduser etherpad
+ cd /srv/etherpad-lite
+ chown etherpad. -R .
+
+ apt install sudo -y
+ usermod -aG sudo etherpad
+ sudo -u etherpad /srv/etherpad-lite/src/bin/run.sh
+
+ systemctl daemon-reload
+ systemctl enable --now etherpad
+ systemctl status etherpad
+
+
+
+And that's it ! you should be able to access your etherpad instance on port 9001.
+
+![]() ![]() ![]()
+
+## **Nginx Reverse Proxy with HTTPS**
+
+From there, you can setup your reverse nginx proxy, it can either be on the server itself or it can be on another machine in the same network:
+
+
+ root@etherpad:/srv/etherpad-lite# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.111/16 brd 10.0.255.255 scope global eth0
+ inet6 fe80::44ed:6ff:fef6:77a/64 scope link
+
+
+
+For example here my debian host is in 10.0.0.0/16 so we can use another debian host with nginx on it in the same subnet:
+
+
+ root@home:~# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.101/8 brd 10.255.255.255 scope global ens18
+ inet6 fe80::94b0:53ff:fe08:49a6/64 scope link
+ inet6 2001:470:1f12:141::2/64 scope global deprecated
+ inet6 fe80::c0a8:65/64 scope link
+
+
+
+Right now my other debian host is at 10.0.0.101, so we can configure nginx accordingly:
+
+
+ apt install nginx -y
+ rm /etc/nginx/sites-available/default
+ rm /etc/nginx/sites-enabled/default
+
+ vim /etc/nginx/sites-available/pad.void.yt.conf
+
+
+Right now i named my nginx config as pad.domain.yt because i intend to host it with a
TLS 1.3 certificate from letsencrypt. It doesn't matter that the previous debian host with etherpad on it only runs on http, the reverse proxying nginx will turn it into https:
+
+
+ upstream padbackend {
+ server 10.0.0.111:9001;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name pad.void.yt;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pad.void.yt;
+
+ ssl_certificate /root/.acme.sh/pad.void.yt/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/pad.void.yt/pad.void.yt.cer;
+ ssl_certificate_key /root/.acme.sh/pad.void.yt/pad.void.yt.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://padbackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+
+With this we are able to connect to our etherpad http service on port 9001, and make it so that for the end user he is connecting through port 443 (https) regardless of the initial http protocol and the weird port
number. Next step is to install acme.sh to get the certificates:
+
+
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+
+ #make sure that the domain name is actually working
+ curl ifconfig.me
+ ping pad.void.yt
+
+ systemctl stop nginx
+ acme.sh --issue --standalone -d pad.void.yt -k 4096
+
+ ln -s /etc/nginx/sites-available/pad.void.yt.conf /etc/nginx/sites-enabled/
+ nginx -t
+
+ systemctl start nginx
+
+
+## **Testing the end result**
+
+And now all that's left to do is to go and check if it is working properly:
+
+![](0.png)
+
+All that's needed from here is to just create a notepad (here i named it tarace)
+
+![](1.png)
+
+And if we give it to other people, we can let them write on it as we are writing on it.
+
diff --git a/fail2banssh/index.md b/fail2banssh/index.md
new file mode 100644
index 0000000..7445d00
--- /dev/null
+++ b/fail2banssh/index.md
@@ -0,0 +1,171 @@
+# fail2banssh Setup
+
+In this tutorial we're going to look at how to install fail2ban to protect the ssh service from bruteforce attacks.
+
+## **Initial Setup**
+
+First we enable rsyslog on the server, to make sure that the ssh login attempts are logged.
+
+
+ [ Wonderland ] [ /dev/pts/5 ] [/var/log]
+ → sudo apt-get install rsyslog -y
+
+
+ [ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
+ → ssh root@192.168.0.100 -i ~/.ssh/torified
+ Enter passphrase for key '/home/nihilist/.ssh/torified':
+
+
+ [ mainpc ] [ /dev/pts/8 ] [~/Nextcloud/blog]
+ → ssh root@192.168.0.100 -i ~/.ssh/torified -p 2222
+ Enter passphrase for key '/home/nihilist/.ssh/torified':
+
+ [ Wonderland ] [ /dev/pts/5 ] [/var/log]
+ → tail -f auth.log | grep "port 22"
+ 2024-03-30T19:09:31.673606+01:00 wonderland sshd[252531]: Connection from 192.168.0.61 port 51258 on 192.168.0.100 port 22 rdomain ""
+ 2024-03-30T19:09:34.365325+01:00 wonderland sshd[252629]: Connection from 192.168.0.61 port 56804 on 192.168.0.100 port 2222 rdomain ""
+
+
+
+Then we install fail2ban to make sure that ssh can't be bruteforced:
+
+
+ [ nowhere.moe ] [ /dev/pts/0 ] [~]
+ → apt install fail2ban
+
+ [ nowhere.moe ] [ /dev/pts/0 ] [~]
+ → systemctl status fail2ban.service
+ ● fail2ban.service - Fail2Ban Service
+ Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
+ Active: active (running) since Mon 2023-07-10 21:15:03 CEST; 19s ago
+ Docs: man:fail2ban(1)
+ Main PID: 94740 (fail2ban-server)
+ Tasks: 5 (limit: 77000)
+ Memory: 31.7M
+ CPU: 174ms
+ CGroup: /system.slice/fail2ban.service
+ └─94740 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
+
+ Jul 10 21:15:03 Datura systemd[1]: Started fail2ban.service - Fail2Ban Service.
+ Jul 10 21:15:03 Datura fail2ban-server[94740]: 2023-07-10 21:15:03,092 fail2ban.configreader [94740]: WARNING 'allowipv6' not defined in 'Definition'.
Using default one: 'auto'
+ Jul 10 21:15:03 Datura fail2ban-server[94740]: Server ready
+
+ [ nowhere.moe ] [ /dev/pts/0 ] [~]
+ → cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+
+ [ nowhere.moe ] [ /dev/pts/0 ] [~]
+ → vim /etc/fail2ban/jail.local
+
+ [sshd]
+ enabled = true
+ port = ssh
+ filter = sshd
+ logpath = %(sshd_log)s
+ backend = %(sshd_backend)s
+ maxretry = 3
+ findtime = 300
+ bantime = 3600
+ ignoreip = 127.0.0.1
+
+
+
+
+Then just restart your fail2ban service
+
+
+ [ nowhere.moe ] [ /dev/pts/0 ] [~]
+ → systemctl restart fail2ban
+
+
+
+Then you can test if the ssh bruteforce attempts are being stopped or not:
+
+
+ root@web-gw:~# ssh root@116.202.216.190
+ The authenticity of host '116.202.216.190 (116.202.216.190)' can't be established.
+ ED25519 key fingerprint is SHA256:63Qqh42ab1AnK9iN83ZQMfNDTeTjbFFvaUEZSm9OZQI.
+ This key is not known by any other names.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added '116.202.216.190' (ED25519) to the list of known hosts.
+ root@116.202.216.190's password:
+ Permission denied, please try again.
+ root@116.202.216.190's password:
+ Permission denied, please try again.
+ root@116.202.216.190's password:
+ root@116.202.216.190: Permission denied (publickey,password).
+ root@web-gw:~# ssh root@116.202.216.190
+ root@116.202.216.190's password:
+ Permission denied, please try again.
+ root@116.202.216.190's password:
+ Permission denied, please try again.
+ root@116.202.216.190's password:
+ root@116.202.216.190: Permission denied (publickey,password).
+ root@web-gw:~#
+ root@web-gw:~#
+ root@web-gw:~# ssh root@116.202.216.190
+ ssh: connect to host 116.202.216.190 port 22: Connection refused
+ root@web-gw:~#
+ root@web-gw:~#
+ root@web-gw:~#
+ root@web-gw:~#
+ root@web-gw:~# ssh root@116.202.216.190
+ ssh: connect to host 116.202.216.190 port 22: Connection refused
+ root@web-gw:~#
+
+
+
+And it does!
and you can check that in the logs in /var/log/fail2ban.log:
+
+
+ [ nowhere.moe ] [ /dev/pts/0 ] [~]
+ → tail -f /var/log/fail2ban.log -n50
+ 2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO --------------------------------------------------
+ 2023-07-10 21:15:03,108 fail2ban.server [94740]: INFO Starting Fail2ban v1.0.2
+ 2023-07-10 21:15:03,108 fail2ban.observer [94740]: INFO Observer start...
+ 2023-07-10 21:15:03,110 fail2ban.database [94740]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
+ 2023-07-10 21:15:03,112 fail2ban.database [94740]: WARNING New database created. Version '4'
+ 2023-07-10 21:15:03,112 fail2ban.jail [94740]: INFO Creating new jail 'sshd'
+ 2023-07-10 21:15:03,227 fail2ban.jail [94740]: INFO Jail 'sshd' uses poller {}
+ 2023-07-10 21:15:03,227 fail2ban.jail [94740]: INFO Initiated 'polling' backend
+ 2023-07-10 21:15:03,228 fail2ban.filter [94740]: INFO maxLines: 1
+ 2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO maxRetry: 5
+ 2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO findtime: 600
+ 2023-07-10 21:15:03,236 fail2ban.actions [94740]: INFO banTime: 600
+ 2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO encoding: UTF-8
+ 2023-07-10 21:15:03,236 fail2ban.filter [94740]: INFO Added logfile: '/var/log/auth.log' (pos = 0, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
+ 2023-07-10 21:15:03,238 fail2ban.jail [94740]: INFO Jail 'sshd' started
+ 2023-07-10 21:15:03,342 fail2ban.filter [94740]: INFO [sshd] Found 219.157.95.77 - 2023-07-10 21:05:51
+ 2023-07-10 21:15:03,343 fail2ban.filter [94740]: INFO [sshd] Found 219.157.95.77 - 2023-07-10 21:05:53
+ 2023-07-10 21:15:03,343 fail2ban.filter [94740]: INFO [sshd] Found 141.98.11.113 - 2023-07-10 21:14:27
+ 2023-07-10 21:15:03,344 fail2ban.filter [94740]: INFO [sshd] Found 141.98.11.113 - 2023-07-10 21:14:30
+ 2023-07-10 21:21:38,514 fail2ban.server [94740]: INFO Shutdown in progress...
+ 2023-07-10 21:21:38,514 fail2ban.observer [94740]: INFO Observer stop ... try to end queue 5 seconds
+ 2023-07-10 21:21:38,534 fail2ban.observer [94740]: INFO Observer stopped, 0 events remaining.
+ 2023-07-10 21:21:38,574 fail2ban.server [94740]: INFO Stopping all jails
+ 2023-07-10 21:21:38,574 fail2ban.filter [94740]: INFO Removed logfile: '/var/log/auth.log'
+ 2023-07-10 21:21:39,300 fail2ban.actions [94740]: NOTICE [sshd] Flush ticket(s) with iptables-multiport
+ 2023-07-10 21:21:39,300 fail2ban.jail [94740]: INFO Jail 'sshd' stopped
+ 2023-07-10 21:21:39,300 fail2ban.database [94740]: INFO Connection to database closed.
+ 2023-07-10 21:21:39,300 fail2ban.server [94740]: INFO Exiting Fail2ban
+ 2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO --------------------------------------------------
+ 2023-07-10 21:21:39,461 fail2ban.server [94842]: INFO Starting Fail2ban v1.0.2
+ 2023-07-10 21:21:39,461 fail2ban.observer [94842]: INFO Observer start...
+ 2023-07-10 21:21:39,466 fail2ban.database [94842]: INFO Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
+ 2023-07-10 21:21:39,467 fail2ban.jail [94842]: INFO Creating new jail 'sshd'
+ 2023-07-10 21:21:39,556 fail2ban.jail [94842]: INFO Jail 'sshd' uses poller {}
+ 2023-07-10 21:21:39,556 fail2ban.jail [94842]: INFO Initiated 'polling' backend
+ 2023-07-10 21:21:39,557 fail2ban.filter [94842]: INFO maxLines: 1
+ 2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO maxRetry: 3
+ 2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO findtime: 300
+ 2023-07-10 21:21:39,565 fail2ban.actions [94842]: INFO banTime: 3600
+ 2023-07-10 21:21:39,565 fail2ban.filter [94842]: INFO encoding: UTF-8
+ 2023-07-10 21:21:39,566 fail2ban.filter [94842]: INFO Added logfile: '/var/log/auth.log' (pos = 378650, hash = 5d9bc59d7869511dcb6f77cfd4d2ac0f130c748f)
+ 2023-07-10 21:21:39,566 fail2ban.jail [94842]: INFO Jail 'sshd' started
+ 2023-07-10 21:25:29,417 fail2ban.filter [94842]: INFO [sshd] Found
23.137.250.141 - 2023-07-10 21:25:29
+ 2023-07-10 21:25:29,418 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:29
+ 2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
+ 2023-07-10 21:25:31,419 fail2ban.filter [94842]: INFO [sshd] Found 23.137.250.141 - 2023-07-10 21:25:30
+ 2023-07-10 21:25:31,601 fail2ban.actions [94842]: NOTICE [sshd] Ban 23.137.250.141
+
+
+
diff --git a/freshrss/0.png b/freshrss/0.png
new file mode 100644
index 0000000..2d865c2
Binary files /dev/null and b/freshrss/0.png differ
diff --git a/freshrss/1.png b/freshrss/1.png
new file mode 100644
index 0000000..28e2a90
Binary files /dev/null and b/freshrss/1.png differ
diff --git a/freshrss/10.png b/freshrss/10.png
new file mode 100644
index 0000000..2f3f2ce
Binary files /dev/null and b/freshrss/10.png differ
diff --git a/freshrss/11.png b/freshrss/11.png
new file mode 100644
index 0000000..48ad3cc
Binary files /dev/null and b/freshrss/11.png differ
diff --git a/freshrss/12.png b/freshrss/12.png
new file mode 100644
index 0000000..a956e0d
Binary files /dev/null and b/freshrss/12.png differ
diff --git a/freshrss/13.png b/freshrss/13.png
new file mode 100644
index 0000000..9859877
Binary files /dev/null and b/freshrss/13.png differ
diff --git a/freshrss/14.png b/freshrss/14.png
new file mode 100644
index 0000000..1b5f0f9
Binary files /dev/null and b/freshrss/14.png differ
diff --git a/freshrss/15.png b/freshrss/15.png
new file mode 100644
index 0000000..995f768
Binary files /dev/null and b/freshrss/15.png differ
diff --git a/freshrss/16.png b/freshrss/16.png
new file mode 100644
index 0000000..287fda0
Binary files /dev/null and b/freshrss/16.png differ
diff --git a/freshrss/17.png b/freshrss/17.png
new file mode 100644
index 0000000..c228a18
Binary files /dev/null and b/freshrss/17.png differ
diff --git a/freshrss/18.png b/freshrss/18.png
new file mode 100644
index 0000000..c31413e
Binary files /dev/null and b/freshrss/18.png differ
diff --git a/freshrss/2.png b/freshrss/2.png
new file mode 100644
index 0000000..daf7f57
Binary files /dev/null and b/freshrss/2.png differ
diff --git a/freshrss/3.png b/freshrss/3.png
new file mode 100644
index 0000000..7bc0c25
Binary files /dev/null and b/freshrss/3.png differ
diff --git a/freshrss/4.png b/freshrss/4.png
new file mode 100644
index 0000000..ca50a39
Binary files /dev/null and b/freshrss/4.png differ
diff --git a/freshrss/5.png b/freshrss/5.png
new file mode 100644
index 0000000..e813ae0
Binary files /dev/null and b/freshrss/5.png differ
diff --git a/freshrss/6.png b/freshrss/6.png
new file mode 100644
index 0000000..f943d6e
Binary files /dev/null and b/freshrss/6.png differ
diff --git a/freshrss/7.png b/freshrss/7.png
new file mode 100644
index 0000000..810f6d8
Binary files /dev/null and b/freshrss/7.png differ
diff --git a/freshrss/8.png b/freshrss/8.png
new file mode 100644
index 0000000..fc8b753
Binary files /dev/null and b/freshrss/8.png differ
diff --git a/freshrss/9.png b/freshrss/9.png
new file mode 100644
index 0000000..54519b4
Binary files /dev/null and b/freshrss/9.png differ
diff --git a/freshrss/index.md b/freshrss/index.md
new file mode 100644
index 0000000..ee22f41
--- /dev/null
+++ b/freshrss/index.md
@@ -0,0 +1,317 @@ +# FreshRSS Installation + +![](0.png) + +In this tutorial we're going to install FreshRSS which is a self hostable aggregator. + +## **Initial Setup** + +![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) + +Now here before we start our CT, let's make sure it has the nesting feature: + +![](8.png) + +Once that's done, start it and go into the console to setup the key-based SSH authentication: + + + root@freshrss:~# apt update -y ; apt upgrade -y ; apt install vim -y + + + +![](9.png) + +Once that's done, do the following: + + + wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh ; chmod +x ssh.sh ; ./ssh.sh + + + +This is going to setup a custom sshd config along with generating the private+public ssh keypair you're going to use: + + + Generating public/private ed25519 key pair. + Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:nXNoHBUKek4RF1vf7zkriit7j0P7HvsdTfvmJuv7hhQ root@freshrss + The key's randomart image is: + +--[ED25519 256]--+ + | +.o.+. | + | . + = . . | + | . o + . .| + | + o + E .| + | S B . .o| + | o o .o+| + | . .. . *o| + | . +o o.+ O| + | .++**oo=%+| + +----[SHA256]-----+ + * ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Wed 2021-04-14 18:22:47 UTC; 42s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 9261 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 9262 (sshd) + Tasks: 1 (limit: 7372) + Memory: 1.4M + CGroup: /system.slice/ssh.service + `-9262 /usr/sbin/sshd -D + + Apr 14 18:22:47 freshrss systemd[1]: Starting OpenBSD Secure Shell server... 
+ Apr 14 18:22:47 freshrss sshd[9262]: Server listening on 0.0.0.0 port 22. + Apr 14 18:22:47 freshrss sshd[9262]: Server listening on :: port 22. + Apr 14 18:22:47 freshrss systemd[1]: Started OpenBSD Secure Shell server. + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.170/16 brd 10.0.255.255 scope global eth0 + inet6 fe80::d48c:1ff:fe59:81c3/64 scope link + [+] ON A REMOTE HOST RUN THE FOLLOWING: + [+] wget http://ip:8080/id25519 -O ~/.ssh/node.pkey + [+] chmod 600 ~/.ssh/node.pkey + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + + + +Next just get the SSH key on your host: + +![]() + + + [ 10.0.0.10/16 ] [ /dev/pts/22 ] [~] + → curl http://10.0.0.170:8080 + + + + + + + # Directory listing for / + + + + + * * * + + + + + + + * [authorized_keys](authorized_keys) + + + * [id_ed25519](id_ed25519) + + + * [id_ed25519.pub](id_ed25519.pub) + + + + + + * * * + + + + + + [ 10.0.0.10/16 ] [ /dev/pts/22 ] [~] + → curl http://10.0.0.170:8080/id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACBLSalP3AIC6HgRJAWHAfY5Yy+D+QO6Zp848PD7vsV38gAAAJDLltvqy5bb + 6gAAAAtzc2gtZWQyNTUxOQAAACBLSalP3AIC6HgRJAWHAfY5Yy+D+QO6Zp848PD7vsV38g + AAAEDRtm6dia8H7JWV3rngRvo4Aq/oiIe2ViQb6uSBzNRZsEtJqU/cAgLoeBEkBYcB9jlj + L4P5A7pmnzjw8Pu+xXfyAAAADXJvb3RAZnJlc2hyc3M= + -----END OPENSSH PRIVATE KEY----- + + [ 10.0.0.10/16 ] [ /dev/pts/22 ] [~] + → curl http://10.0.0.170:8080/id_ed25519 > ~/.ssh/freshrss + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 399 100 399 0 0 194k 0 --:--:-- --:--:-- --:--:-- 194k + + [ 10.0.0.10/16 ] [ /dev/pts/22 ] [~] + → chmod 600 ~/.ssh/freshrss + + [ 10.0.0.10/16 ] [ /dev/pts/22 ] [~] + → ssh root@10.0.0.170 -i ~/.ssh/freshrss + Last login: Wed Apr 14 18:19:07 2021 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program 
are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@freshrss:~# id + uid=0(root) gid=0(root) groups=0(root) + + + +Now that's done, Hit CTRL+C on the proxmox CT TTY Console to end the python http server (where you got your private ssh keys). + +## **Configurations** + +Let's install the required dependencies: + + + root@freshrss:~# apt install php7.3-{curl,pgsql,dom,mysql,json,gmp,mbstring,iconv,zip,xml} php-dompdf nginx postgresql git -y + + + +First things first let's configure nginx and enable the site: + + + root@freshrss:~# vim /etc/nginx/sites-available/freshrss.conf + + server { + listen 80; + listen 443 ssl; + + # HTTPS configuration + #ssl on; + #ssl_certificate /etc/nginx/server.crt; + #ssl_certificate_key /etc/nginx/server.key; + + # your server’s URL(s) + #server_name rss.example.net; + + # the folder p of your FreshRSS installation + root /var/www/html/p/; + + index index.php index.html index.htm; + + # nginx log files + access_log /var/log/nginx/rss.access.log; + error_log /var/log/nginx/rss.error.log; + + # php files handling + # this regex is mandatory because of the API + location ~ ^.+?\.php(/.*)?$ { + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + # By default, the variable PATH_INFO is not set under PHP-FPM + # But FreshRSS API greader.php need it. If you have a “Bad Request” error, double check this var! + # NOTE: the separate $path_info variable is required. 
For more details, see: + # https://trac.nginx.org/nginx/ticket/321 + set $path_info $fastcgi_path_info; + fastcgi_param PATH_INFO $path_info; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + } + + location / { + try_files $uri $uri/ index.php; + } + } + + :wq + + root@freshrss:~# ln -s /etc/nginx/sites-available/freshrss.conf /etc/nginx/sites-enabled/ + root@freshrss:~# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + + +Next go into /usr/share to clone the FreshRSS git repository: + + + root@freshrss:~# cd /usr/share/ + root@freshrss:/usr/share# git clone https://github.com/FreshRSS/FreshRSS.git + Cloning into 'FreshRSS'... + remote: Enumerating objects: 247, done. + remote: Counting objects: 100% (247/247), done. + remote: Compressing objects: 100% (172/172), done. + remote: Total 36720 (delta 111), reused 110 (delta 74), pack-reused 36473 + Receiving objects: 100% (36720/36720), 16.24 MiB | 3.38 MiB/s, done. + Resolving deltas: 100% (26161/26161), done. + + root@freshrss:/usr/share# cd FreshRSS/ + root@freshrss:/usr/share/FreshRSS# chown -R :www-data . + root@freshrss:/usr/share/FreshRSS# chmod -R g+r . + root@freshrss:/usr/share/FreshRSS# chmod -R g+w ./data/ + root@freshrss:/usr/share/FreshRSS# chmod -R g+w . + root@freshrss:/usr/share/FreshRSS# ln -s /usr/share/FreshRSS/p /var/www/html/ + + + root@freshrss:/usr/share/FreshRSS# ls -lash /var/www/html/ + total 24K + 4.0K drwxr-xr-x 2 root root 4.0K Apr 14 18:48 . + 4.0K drwxr-xr-x 3 root root 4.0K Apr 14 18:34 .. 
+ 12K -rw-r--r-- 1 root root 11K Apr 14 18:35 index.html + 4.0K -rw-r--r-- 1 root root 612 Apr 14 18:34 index.nginx-debian.html + 0 lrwxrwxrwx 1 root root 21 Apr 14 18:48 p -> /usr/share/FreshRSS/p + + + +Once that's done we're going to setup the PostgreSQL database for FreshRSS: + + + root@freshrss:/usr/share/FreshRSS# su - postgres + postgres@freshrss:~$ psql + psql (11.11 (Debian 11.11-0+deb10u1)) + Type "help" for help. + + postgres=# create user freshrss password 'P@SSW0RD'; + CREATE ROLE + postgres=# create database freshrss; + CREATE DATABASE + postgres=# alter database freshrss owner to freshrss; + ALTER DATABASE + postgres=# grant all privileges on database freshrss to freshrss; + GRANT + postgres=# \q + + + +Once that's done, start nginx (don't forget to remove the default config if you're only going to use http and no domain name) and go to your web brower to continue the installation via frehrss's webGUI + + + root@freshrss:/usr/share/FreshRSS# rm /etc/nginx/sites-available/default + + root@freshrss:/usr/share/FreshRSS# rm /etc/nginx/sites-enabled/default + + root@freshrss:/usr/share/FreshRSS# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + root@freshrss:/usr/share/FreshRSS# systemctl restart nginx + + root@freshrss:/usr/share/FreshRSS# systemctl status nginx + + root@freshrss:/usr/share/FreshRSS# ip a | grep inet + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.170/16 brd 10.0.255.255 scope global eth0 + inet6 fe80::d48c:1ff:fe59:81c3/64 scope link + + + +![](10.png) ![](11.png) ![](12.png) + +So here we login to the PostgreSQL database at localhost with the credentials we set earlier **freshrss:P@SSW0RD** + +![](13.png) ![](14.png) ![](15.png) ![](16.png) + +And there you have it! We have been able to setup a FreshRSS instance. 
+
+## **Importing RSS Feeds**
+
+Let's add a few RSS feeds, for example the [Ubuntu]() RSS feeds:
+
+![](17.png)
+
+Paste the link in, and hit 'Add':
+
+![](18.png)
+
+And there you go! We have been able to import a RSS feed.
+
diff --git a/glpi/0.png b/glpi/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/glpi/0.png differ
diff --git a/glpi/1.png b/glpi/1.png
new file mode 100644
index 0000000..6bf31d4
Binary files /dev/null and b/glpi/1.png differ
diff --git a/glpi/2.png b/glpi/2.png
new file mode 100644
index 0000000..5d12412
Binary files /dev/null and b/glpi/2.png differ
diff --git a/glpi/3.png b/glpi/3.png
new file mode 100644
index 0000000..97796d5
Binary files /dev/null and b/glpi/3.png differ
diff --git a/glpi/4.png b/glpi/4.png
new file mode 100644
index 0000000..7461c2a
Binary files /dev/null and b/glpi/4.png differ
diff --git a/glpi/5.png b/glpi/5.png
new file mode 100644
index 0000000..140ef35
Binary files /dev/null and b/glpi/5.png differ
diff --git a/glpi/6.png b/glpi/6.png
new file mode 100644
index 0000000..ad2a82e
Binary files /dev/null and b/glpi/6.png differ
diff --git a/glpi/7.png b/glpi/7.png
new file mode 100644
index 0000000..63bb33b
Binary files /dev/null and b/glpi/7.png differ
diff --git a/glpi/8.png b/glpi/8.png
new file mode 100644
index 0000000..2956afa
Binary files /dev/null and b/glpi/8.png differ
diff --git a/glpi/9.png b/glpi/9.png
new file mode 100644
index 0000000..0cbfaf8
Binary files /dev/null and b/glpi/9.png differ
diff --git a/glpi/index.md b/glpi/index.md
new file mode 100644
index 0000000..eecab3a
--- /dev/null
+++ b/glpi/index.md
@@ -0,0 +1,128 @@
+# GLPI debian10
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **Initial Setup**
+
+First install the required dependencies:
+
+
+ apt update -y && apt upgrade -y
+ apt install -y socat git nginx mariadb-server php7.3-fpm php7.3 php7.3-curl php7.3-zip php7.3-gd php7.3-intl php-pear php-imagick php7.3-imap php-memcache php7.3-pspell php7.3-recode php7.3-tidy php7.3-xmlrpc php7.3-xsl php7.3-mbstring php-gettext php7.3-ldap php-cas php-apcu php7.3-mysql #libapache2-mod-php7.3
+
+
+
+
+ mysql -u root -p
+
+
+
+
+ CREATE DATABASE glpidb;
+ GRANT ALL PRIVILEGES ON glpidb.* TO 'glpiuser'@'localhost' IDENTIFIED BY 'password';
+ FLUSH PRIVILEGES;
+ EXIT;
+
+
+
+
+ cd /tmp/
+ wget -c https://github.com/glpi-project/glpi/releases/download/9.4.3/glpi-9.4.3.tgz
+ tar -xvf glpi-9.4.3.tgz
+ mv glpi /var/www/html/
+ chmod 755 -R /var/www/html/
+ chown www-data:www-data -R /var/www/html/
+
+
+
+Then get the nginx configuration:
+
+
+ wget https://blog.nowhere.moe/servers/glpi/glpi.conf -O /etc/nginx/sites-available/glpi.conf
+ ln -s /etc/nginx/sites-available/glpi.conf /etc/nginx/sites-enabled/glpi.conf
+ nano /etc/nginx/sites-available/glpi.conf
+
+
+
+![](2.png)
+
+
+ nginx -t
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+
+ systemctl stop nginx
+ acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
+ nginx -t
+
+
+ cd /etc/php/7.3/
+
+ echo 'date.timezone = Europe/Paris' >> fpm/php.ini
+ echo 'date.timezone = Europe/Paris' >> cli/php.ini
+
+ echo 'cgi.fix_pathinfo=0' >> fpm/php.ini
+ echo 'cgi.fix_pathinfo=0' >> cli/php.ini
+
+ echo 'memory_limit = 64M ; // Minimum
+ Valuefile_uploads = on ;
+ max_execution_time = 600 ; // Optional but not mandatory
+ register_globals = off ; // Optional but not mandatory
+ magic_quotes_sybase = off ;
+ session.auto_start = off ;
+ session.use_trans_sid = 0 ; // Optional but not mandatory' >> fpm/php.ini
+
+
+ echo 'memory_limit = 64M ; // Minimum
+ Valuefile_uploads = on ;
+ max_execution_time = 600 ; // Optional but not mandatory
+
+ register_globals = off ; // Optional but not mandatory
+ magic_quotes_sybase = off ;
+ session.auto_start = off ;
+ session.use_trans_sid = 0 ; // Optional but not mandatory' >> cli/php.ini
+
+ sed -i "s/^listen.*sock/listen\ =\ 127.0.0.1:9000/gi" /etc/php/7.3/fpm/pool.d/www.conf
+
+ systemctl restart nginx php7.3-fpm mysql
+
+
+
+Then goto your web interface:
+
+![](3.png) ![](4.png) ![](5.png) ![](6.png)
+
+Here we put our database credentials:
+
+![](7.png)
+
+localhost / glpiuser / password
+
+![](8.png)
+
+Then just hit "continue" at everything and login on the glpi login page: (credentials are glpi:glpi)
+
+![](9.png) ![](1.png)
+
diff --git a/gomez/0.png b/gomez/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/gomez/0.png differ
diff --git a/gomez/1.png b/gomez/1.png
new file mode 100644
index 0000000..2c0d446
Binary files /dev/null and b/gomez/1.png differ
diff --git a/gomez/2.png b/gomez/2.png
new file mode 100644
index 0000000..02b3ec5
Binary files /dev/null and b/gomez/2.png differ
diff --git a/gomez/index.md b/gomez/index.md
new file mode 100644
index 0000000..25f4913
--- /dev/null
+++ b/gomez/index.md
@@ -0,0 +1,52 @@
+# Gomez (npm)
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **Production Installation**
+
+
+ apt update -y && apt upgrade -y
+ apt install nodejs npm git brotli -y
+ cd ~
+ git clone https://github.com/normanlol/gomez
+ cd gomez
+
+ npm install -d
+
+ wget https://blog.nowhere.moe/servers/gomez/gomez.service /etc/systemd/system/gomez.service
+
+ systemctl daemon-reload
+ systemctl enable --now gomez
+ systemctl status gomez
+
+
+
+![](1.png)
+
+With the website up and running, you can search for torrents like this:
+
+![](2.png)
+
diff --git a/haproxy/0.png b/haproxy/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/haproxy/0.png differ
diff --git a/haproxy/1.png b/haproxy/1.png
new file mode 100644
index 0000000..31c5f2d
Binary files /dev/null and b/haproxy/1.png differ
diff --git a/haproxy/2.png b/haproxy/2.png
new file mode 100644
index 0000000..3b6a349
Binary files /dev/null and b/haproxy/2.png differ
diff --git a/haproxy/3.png b/haproxy/3.png
new file mode 100644
index 0000000..b4c0309
Binary files /dev/null and b/haproxy/3.png differ
diff --git a/haproxy/4.png b/haproxy/4.png
new file mode 100644
index 0000000..d816321
Binary files /dev/null and b/haproxy/4.png differ
diff --git a/haproxy/index.md b/haproxy/index.md
new file mode 100644
index 0000000..2ec6cbf
--- /dev/null
+++ b/haproxy/index.md
@@ -0,0 +1,53 @@
+# Haproxy setup
+
+This one is done from proxmox, i used a debian10+ CT template to create the machines i needed.
+
+## **Initial setup**
+
+To start with, get 2 identical debian hosts with nginx on them:
+
+![](1.png)
+
+My 2 servers will have the ips 192.168.0.151 and 192.168.0.150 meanwhile 192.168.0.152 is going to be our haproxy server.
+
+_First server:_
+
+
+ apt update -y && apt upgrade -y
+ apt install nginx curl -y
+ echo 'server number 1' > /var/www/html/index.nginx-debian.html
+ ip a | grep inet #IP1
+
+
+
+![](2.png) _Second server:_
+
+
+ apt update -y && apt upgrade -y
+ apt install nginx curl -y
+ echo 'server number 2 ' > /var/www/html/index.nginx-debian.html
+ ip a | grep inet #IP2
+
+
+
+![](3.png)
+
+Now that we have 2 servers running http, we're going to load balance them with a third debian machine with haproxy:
+
+
+ apt update -y && apt upgrade -y
+ apt install haproxy curl -y
+ wget https://blog.nowhere.moe/servers/haproxy/haproxy.cfg -O /etc/haproxy/haproxy.cfg
+ nano /etc/haproxy/haproxy.cfg
+ systemctl restart haproxy
+ ip a | grep inet #IP3
+ curl 127.0.0.1
+
+
+
+In nano, change the ips with the ips of your 2 debian servers (IP1 & IP2) and reload haproxy, then go and see if haproxy works (IP3)
+
+![](4.png)
+
+You can reload haproxy's webpage multiple times, and you'll see that sometimes it is going to switch from one server to the other, therefore we successfully setup a simple load balancing with haproxy.
+
diff --git a/hatsh/0.png b/hatsh/0.png
new file mode 100644
index 0000000..4ac2401
Binary files /dev/null and b/hatsh/0.png differ
diff --git a/hatsh/1.png b/hatsh/1.png
new file mode 100644
index 0000000..66f3484
Binary files /dev/null and b/hatsh/1.png differ
diff --git a/hatsh/2.png b/hatsh/2.png
new file mode 100644
index 0000000..45528f7
Binary files /dev/null and b/hatsh/2.png differ
diff --git a/hatsh/3.png b/hatsh/3.png
new file mode 100644
index 0000000..c20f697
Binary files /dev/null and b/hatsh/3.png differ
diff --git a/hatsh/4.png b/hatsh/4.png
new file mode 100644
index 0000000..cfeceba
Binary files /dev/null and b/hatsh/4.png differ
diff --git a/hatsh/5.png b/hatsh/5.png
new file mode 100644
index 0000000..0f10d3d
Binary files /dev/null and b/hatsh/5.png differ
diff --git a/hatsh/6.png b/hatsh/6.png
new file mode 100644
index 0000000..faa965b
Binary files /dev/null and b/hatsh/6.png differ
diff --git a/hatsh/7.png b/hatsh/7.png
new file mode 100644
index 0000000..b8a257e
Binary files /dev/null and b/hatsh/7.png differ
diff --git a/hatsh/index.md b/hatsh/index.md
new file mode 100644
index 0000000..9774ae7
--- /dev/null
+++ b/hatsh/index.md
@@ -0,0 +1,96 @@
+# hatsh Setup
+
+![](0.png)
+
+In this tutorial we're going to setup a hat.sh instance, which is a web app that provides secure local file encryption in the browser.
+
+## **Initial Setup**
+
+
+ root@lainsafe:~# cd /var/www
+ root@lainsafe:/var/www# git clone https://github.com/sh-dv/hat.sh.git hat.sh
+ Cloning into 'hat.sh'...
+ remote: Enumerating objects: 2392, done.
+ remote: Counting objects: 100% (337/337), done.
+ remote: Compressing objects: 100% (91/91), done.
+ remote: Total 2392 (delta 273), reused 251 (delta 246), pack-reused 2055
+ Receiving objects: 100% (2392/2392), 3.88 MiB | 3.95 MiB/s, done.
+ Resolving deltas: 100% (1324/1324), done.
+
+ root@lainsafe:/var/www# cd hat.sh
+ root@lainsafe:/var/www/hat.sh# apt install npm -y
+
+ root@lainsafe:/var/www/hat.sh# npm install
+
+ root@lainsafe:/var/www/hat.sh# npm run build
+
+ root@lainsafe:/var/www/hat.sh# ip a | grep inet
+ inet 127.0.0.1/8 scope host lo
+ inet6 ::1/128 scope host
+ inet 10.0.0.108/24 brd 10.0.0.255 scope global eth0
+ inet6 fe80::709a:74ff:fec2:47af/64 scope link1
+
+ root@lainsafe:/var/www/hat.sh# npm run start
+
+ > hat.sh@2.3.6 start
+ > next start -p 3991
+
+ ready - started server on 0.0.0.0:3991, url: http://localhost:3991
+ info - Loaded env from /var/www/hat.sh/.env
+
+
+
+From there we can encrypt files:
+
+![](1.png) ![](2.png) ![](3.png) ![](4.png)
+
+And we decrypt it like so:
+
+![](5.png) ![](6.png) ![](7.png)
+
+## **Automation Setup**
+
+We want it to start automatically with a systemd service:
+
+
+ root@lainsafe:/var/www/hat.sh# cat /etc/systemd/system/hatsh.service
+ [Unit]
+ Description=hat.sh local file encryption
+ After=network.target
+ After=systemd-user-sessions.service
+ After=network-online.target
+
+ [Service]
+ Type=simple
+ WorkingDirectory=/var/www/hat.sh/
+ ExecStart=/usr/bin/npm run start
+ Restart=always
+ RestartSec=10
+ KillMode=process
+
+ [Install]
+ WantedBy=multi-user.target
+
+ root@lainsafe:/var/www/hat.sh# systemctl daemon-reload
+ root@lainsafe:/var/www/hat.sh# systemctl enable --now hatsh
+ root@lainsafe:/var/www/hat.sh# systemctl status hatsh
+ * hatsh.service - hat.sh local file encryption
+ Loaded: loaded (/etc/systemd/system/hatsh.service; enabled; vendor preset: enabled)
+ Active: active (running) since Wed 2022-11-02 19:10:20 UTC; 6s ago
+ Main PID: 16508 (node)
+ Tasks: 23 (limit: 115830)
+ Memory: 106.5M
+ CPU: 3.601s
+ CGroup: /system.slice/hatsh.service
+ |-16508 npm run start
+ |-16520 sh -c next start -p 3991
+ `-16521 node /var/www/hat.sh/node_modules/.bin/next start -p 3991
+
+ Nov 02 19:10:20 lainsafe systemd[1]: Started hat.sh local file encryption.
+ Nov 02 19:10:21 lainsafe npm[16508]: > hat.sh@2.3.6 start
+ Nov 02 19:10:21 lainsafe npm[16508]: > next start -p 3991
+ Nov 02 19:10:22 lainsafe npm[16521]: ready - started server on 0.0.0.0:3991, url: http://localhost:3991
+ Nov 02 19:10:22 lainsafe npm[16521]: info - Loaded env from /var/www/hat.sh/.env
+
+
+
diff --git a/hive/selfhosting/index.md b/hive/selfhosting/index.md
new file mode 100644
index 0000000..b9f37c5
--- /dev/null
+++ b/hive/selfhosting/index.md
@@ -0,0 +1,292 @@ +# Self-Hosting (NO LONGER MAINTAINED) + +Showing how you can install any service yourself, where you can own your data, guaranteeing privacy. + +**DISCLAIMER:** these tutorials are meant to be used as a "how to get started on XYZ", these tutorials may miss some details here and there, they have a lower quality standard than the ones i maintain in [Privacy / Anonymity / Plausible Deniability](../servers/index.md) + +**CONTRIBUTORS** : + + 1. Nihilist + 2. Notorious + + + + + LEGAL DISCLAIMER: + Across the entirety of my blog, in all articles that I made, I advocate for the legal use of technologies, even when I am talking about Privacy-enhancing and Anonymity-enabling technologies. In no way am I advocating for any illegal use of any technology showcased in any article on my blog, as the goal of this blog is to remain stricly informative and educative. + + I decline any and all responsibility for any mis-use of any of the technology i showcase in the entirety of my blog. I also decline any and all responsibility for any physical, digital and psychological damage caused by the mis-use of any showcased technology, as the responsibility of such acts remains with the perpretating third-party. By reading this blog, you permanently, irrevocably and world-widely agree that I am in no way am responsible for any illegal action done by you or anyone that uses any of the showcased technology in my blog articles. + + + +## **Setting up Servers** + +📝 Security + + 1. [✅ Physical Surveillance (rpi + webcams)](surveillance/index.md) + + + +📝 Privacy Front-ends + + 1. [✅ SearxNG: privacy front-end for web-browsing](searxng/index.md) + 2. [✅ 4get: privacy front-end for web-browsing](4get/index.md) + 3. [✅ Whoogle: privacy front-end for Google](whoogle/index.md) + 4. [✅ Invidious: privacy front-end for Youtube](invidious/index.md) + 5. [✅ Nitter: privacy front-end for Twitter](nitter/index.md) + 6. 
[✅ AnonymousOverflow: privacy front-end for StackOverflow](anonymousoverflow/index.md) + 7. [✅ Teddit: (DISCONTINUED) privacy front-end for Reddit](teddit/index.md) + 8. [✅ SafeTwitch: privacy front-end for Twitch](safetwitch/index.md) + 9. [✅ Wikiless: privacy front-end for wikipedia](wikiless/index.md) + 10. [✅ Proxitok: privacy front-end for tiktok](proxitok/index.md) + 11. [✅ Librex: privacy front-end for google](librex/index.md) + + + +📝 Productivity + + 1. [✅ RSS Feeds](rss/index.md) + 2. [✅ RustDesk (open source teamviewer alternative)](RustDesk/index.md) + 3. [✅ Perlite (Obsidian Notes)](perlite/index.md) + 4. [✅ Gitea](Gitea/index.md) + 5. [ ✅ Nginx Nextcloud Server](nextcloud/index.md) + 6. [✅ Nginx Kanboard](kanboard/index.md) + 7. [✅ Privatebin](privatebin/index.md) + 8. [✅ Jitsi](jitsi/index.md) + 9. [✅ CyberChef](cyberchef/index.md) + 10. [✅ GLPI](glpi/index.md) + 11. [✅ FreshRSS](freshrss/index.md) + 12. [✅ PlainPad](plainpad/index.md) + 13. [✅ MyMind+Mindmaps](mymind/index.md) + 14. [✅ hat.sh file encryption](hatsh/index.md) + + + +💻 Collaborative Work + + 1. [✅ Matrix chat with VoIP support ](../servers/matrixnew/index.md) + 2. [✅ Etherpad ](etherpad/index.md) + 3. [✅ Cryptpad](cryptpad/index.md) + 4. [✅ CodiMD](codimd/index.md) + 5. [✅ ShareLateX](sharelatex/index.md) + + + +⭐ Personal Favorites + + 1. [✅ Anonymity Management (Whonix, Veracrypt Plausible Deniability)⭐](../servers/anonymity/index.md) + 2. [✅ Public Mail service over VPN over Tor ⭐](../servers/mailprivate/index.md) + 3. [✅ GTX 1050 PCI Passthrough to QEMU VM](pcipassthrough2/index.md) + 4. [✅ Lainon Radio (mpd, icecast, nginx)](lainradio/index.md) + 5. [✅ NGINX - RTMP HLS + HTTPS](hls/index.md) + 6. [✅ Perlite (Obsidian Notes)](perlite/index.md) + 7. [✅ Openvpn Over Tor Server Setup](ovpn_tor/index.md) + 8. [✅ HTTP Service over VPN over Tor](tor_ssh_tunnel_port_forwarding/index.md) + 9. [ ✅ Nginx Zabbix Server, with SNMPv3 Hosts](Zabbix/index.md) + 10. 
[ ✅ Nginx Nextcloud Server](nextcloud/index.md) + 11. [✅ Leela Chess Zero ](lc0/index.md) + + + +🪟 Windows Server + + 1. [✅ WS2019 QEMU setup](w0/index.md) + 2. [✅ DNS setup](w1_dns/index.md) + 3. [✅ Active Directory (AD) setup](w2_ad/index.md) + 4. [✅ AD + Users and Groups setup](w3_users/index.md) + 5. [✅ WS2019 DNS + AD Proxmox setup](w5/index.md) + 6. [✅ LDAP + SSL setup](w6_ldaps/index.md) + 7. [✅ WS2019 Triple DFS Share replication](w7/index.md) + + + +🎦 Media + + 1. [✅ Stable Diffusion (Easy Diffusion) AI text to image generation](stablediffusion2/index.md) + 2. [✅ NGINX - RTMP HLS + HTTPS](hls/index.md) + 3. [✅ Lainon Radio (mpd, icecast, nginx)](lainradio/index.md) + 4. [✅ Neko (rabb.it replacement)](neko/index.md) + 5. [✅ Hydrus Network Client](hydrus/index.md) + 6. [✅ Asciinema Server](asciinema/index.md) + + + +🟦 pfSense Administration + + 1. [✅ pfsense on virt-manager](../servers/pf_virt/index.md) + 2. [✅ pfsense on proxmox](pf_prox/index.md) + 3. [✅ pfsense Site to Site VPN](pf_vpn/index.md) + + + +🐐 Debian Server Administration + + 1. [✅ Debian 12 Bookworm Upgrade ](debianupgrade/index.md) + 2. [✅ Mdadm raid 1 setup ](raid1disks/index.md) + 3. [✅ External Drives with LUKS encryption ](luks/index.md) + 4. [✅ Simple NGINX setup with HTTPS ](nginx/index.md) + 5. [✅ NGINX + fail2ban ](nginx_fail/index.md) + 6. [✅ Protect SSH with fail2ban ](fail2banssh/index.md) + 7. [✅ Haproxy Load Balancing ](haproxy/index.md) + 8. [✅ NGINX Load Balancing ](nginx_loadb/index.md) + 9. [✅ XRDP ](xrdp/index.md) + 10. [✅ Apt-Cacher Linux Proxy](apt-cacher/index.md) + + + +🔁 Automation + + 1. [✅ Automatic Debian updates (via unattended upgrades)](unattendedupgrades/index.md) + 2. [✅ Automatic Debian / Arch Updates](cron/index.md) + 3. [✅ Updating Debian10 Clusters with Ansible](ansible/index.md) + + + +🖥️ Monitoring + + 1. [ ✅ Uptime Kuma](uptimekuma/index.md) + 2. [ ✅ SNMP (Debian, Windows, PfSense)](snmp/index.md) + 3. [ ✅ Nginx Zabbix Server](Zabbix/index.md) + 4. 
[ ✅ Nginx LibreNMS Server](librenms/index.md) + 5. [ ✅ Nginx Observium Server](observium/index.md) + 6. [✅ Prometheus Grafana Server](progra/index.md) + 7. [ ✅ CheckMK Server](checkmk/index.md) + 8. [ ✅ T-Pot Honeypot](tpot/index.md) + 9. []() + + + +📧 Mail + + 1. [✅ VPS PUBLIC Mailserver (postfix, dovecot, spamassassin, OpenDKIM)](mail2/index.md) + 2. [✅ Rainloop](rainloop/index.md) + 3. [✅ Local hMailServer + Thunderbird with self-signed SSL](hmail/index.md) + + + +📜 Scripted Setups: + + 1. [✅ Openvpn Server](openvpn/index.md) + 2. [✅ Wireguard Server](wireguard_auto/index.md) + 3. [✅ Simple SSH Server](https://git.nowhere.moe/nihilist/serverside/src/branch/master/ssh/ssh.sh) + 4. [✅ RDP Connections](rdp/index.md) + 5. [✅ Simple FTP server](https://git.nowhere.moe/nihilist/serverside/src/branch/master/ftp/vsftpd.sh) + 6. [✅ Simple WebDav server](https://git.nowhere.moe/nihilist/serverside/src/branch/master/webdav/webdav.sh) + 7. [ ✅ Snapd Nextcloud Server](nextcloud/lazy.html) + + + +🚧Complete Professionnal Projects + + 1. [✅ E4 Network Monitoring (SNMP + GLPI)](composite/e4.html) + 2. [✅ E4 - SP1 Nextcloud 🇫🇷](e4/sp1.html) + 3. [✅ E4 - SP2 pfSense VPN 🇫🇷](e4/sp2.html) + + + +🗄️ Databases + + 1. [✅ PostgreSQL Master-Slave Replication](db/psql_ms.html) + 2. [✅ PostgreSQL Master-Master (Bucardo)](db/psql_mm.html) + 3. [✅ PostgreSQL Front-End: PgAdmin4](db/pgadmin.html) + 4. [✅ MySQL Master-Slave Replication](db/msql_ms.html) + 5. [✅ MySQL Master-Master Replication](db/msql_mm.html) + 6. [✅ MySQL Front-End: PHPMyAdmin](db/phpmyadmin.html) + + + +🚢 Docker - Management + + 1. [✅ Docker automatic image updates setup](watchtower/index.md) + 2. [✅ Docker setup](virtual/docker.io.html) + 3. [✅ Dozzle (Docker Logs)](dozzle/index.md) + 4. [✅ Portainer.io](portainer/index.md) + 5. [✅ Nginx Proxy Manager](nginx_p_mngr/index.md) + + + +🚢 Docker - Containers + + 1. [✅ Dillinger](dillinger/index.md) + 2. [✅ Kutt URL Shortener](kutt/index.md) + 3. 
[✅ Searx](searx_docker/index.md) + + + +📦 Backups + + 1. [✅ Rsync Automation with SSH Keys (PUSH backups)](rsync/index.md) + 2. [✅ Borg Backup Usage (PUSH backups)](borg/index.md) + 3. [✅ Borg Backup Automation (PUSH backups)](borg_auto/index.md) + + + +🔍 Search Engines + + 1. [✅ Gomez (Torrents)](gomez/index.md) + + + +⚠️ Minimal / Experimental / Games + + 1. [✅ KVM/QEMU : Multiple displays per VM + clipboard copy paste](kvm/index.md) + 2. [✅ Port forward from local services to VPSes](portforwarding/index.md) + 3. [✅ Bedrock Linux: kali tools on arch linux](bedrock/index.md) + 4. [✅ GTX 1050 PCI Passthrough to QEMU VM](pcipassthrough2/index.md) + 5. [✅ PHP LainSafe](phpfilesafe/index.md) + 6. [✅ CGI LainSafe](lainsafe/index.md) + 7. [✅ Colored MOTDs ](motd/index.md) + 8. [✅ Leela Chess Zero ](lc0/index.md) + 9. [✅ TF2 Server (ubuntu)](tf2srv/index.md) + 10. [✅ Modded Minecraft Server](minecraft/index.md) + + + +📡 DNS + + 1. [✅ Bind9 dyndns + dnssec + slave master](../servers/dns/index.md) + 2. [✅ Tor Anonymous DNS](tordns/index.md) + 3. [✅ pihole DNS](pihole/index.md) + + + +📑 Blogging + + 1. [✅ Ghost](ghost/index.md) + + + +💬 Chat + + 1. [✅ Clearnet Matrix server (federated clearnet chatting)](matrixnew/index.md) + 2. [✅ XMPP Chat Server Setup (Clearnet + Onion + OMEMO E2EE)](xmpp2024/index.md) + 3. [✅ rocket.chat](rocketchat/index.md) + 4. [✅ TheLounge (with inspircd)](thelounge/index.md) + 5. [✅ inspIRCd (no ssl, with password)](irc/index.md) + + + +🧊 General Virtualisation + + 1. [✅ virt-manager with NAT setup](virtual/virtmanager.html) + 2. [✅ VMWare Workstation Pro](vmware/index.md) + + + +## **Anonymity-friendly VPS providers** + + 1. [ServersGuru (KYC-Free reseller of cloud providers like Hetzner)](https://kycnot.me/service/servers.guru) + 2. [nicevps.net (KYC-Free registrar)](https://kycnot.me/service/nicevps) + 3. [Other Non-KYC Cloud Providers](https://kycnot.me/?t=service&q=vps) + + + +## **Inspirations** + + 1. 
[awesomeopensource self-hosted](https://awesomeopensource.com/projects/self-hosted)
+ 2. [awesome self-hosted](https://github.com/awesome-selfhosted/awesome-selfhosted)
+ 3. [ awesome sysadmin](https://github.com/kahun/awesome-sysadmin)
+ 4. [ Awesome Self Hosted](https://selfhosted.libhunt.com/projects)
+
+
+
diff --git a/hls/0.png b/hls/0.png
new file mode 100644
index 0000000..044edb3
Binary files /dev/null and b/hls/0.png differ
diff --git a/hls/1.png b/hls/1.png
new file mode 100644
index 0000000..7b92c86
Binary files /dev/null and b/hls/1.png differ
diff --git a/hls/10.png b/hls/10.png
new file mode 100644
index 0000000..c40c859
Binary files /dev/null and b/hls/10.png differ
diff --git a/hls/11.png b/hls/11.png
new file mode 100644
index 0000000..8ef1e69
Binary files /dev/null and b/hls/11.png differ
diff --git a/hls/12.png b/hls/12.png
new file mode 100644
index 0000000..4a144a8
Binary files /dev/null and b/hls/12.png differ
diff --git a/hls/13.png b/hls/13.png
new file mode 100644
index 0000000..23bb2a1
Binary files /dev/null and b/hls/13.png differ
diff --git a/hls/14.png b/hls/14.png
new file mode 100644
index 0000000..afac486
Binary files /dev/null and b/hls/14.png differ
diff --git a/hls/15.png b/hls/15.png
new file mode 100644
index 0000000..f5c2048
Binary files /dev/null and b/hls/15.png differ
diff --git a/hls/16.png b/hls/16.png
new file mode 100644
index 0000000..5e4488b
Binary files /dev/null and b/hls/16.png differ
diff --git a/hls/17.png b/hls/17.png
new file mode 100644
index 0000000..4ad7aa6
Binary files /dev/null and b/hls/17.png differ
diff --git a/hls/18.png b/hls/18.png
new file mode 100644
index 0000000..d6d734c
Binary files /dev/null and b/hls/18.png differ
diff --git a/hls/19.png b/hls/19.png
new file mode 100644
index 0000000..cdfded9
Binary files /dev/null and b/hls/19.png differ
diff --git a/hls/2.png b/hls/2.png
new file mode 100644
index 0000000..cb63dc0
Binary files /dev/null and b/hls/2.png differ
diff --git a/hls/20.png b/hls/20.png
new file mode 100644
index 0000000..54b062b
Binary files /dev/null and b/hls/20.png differ
diff --git a/hls/21.png b/hls/21.png
new file mode 100644
index 0000000..54c4001
Binary files /dev/null and b/hls/21.png differ
diff --git a/hls/22.png b/hls/22.png
new file mode 100644
index 0000000..a103a4b
Binary files /dev/null and b/hls/22.png differ
diff --git a/hls/23.png b/hls/23.png
new file mode 100644
index 0000000..70791c1
Binary files /dev/null and b/hls/23.png differ
diff --git a/hls/24.png b/hls/24.png
new file mode 100644
index 0000000..995fe9d
Binary files /dev/null and b/hls/24.png differ
diff --git a/hls/25.png b/hls/25.png
new file mode 100644
index 0000000..c1eab03
Binary files /dev/null and b/hls/25.png differ
diff --git a/hls/26.png b/hls/26.png
new file mode 100644
index 0000000..4ab74eb
Binary files /dev/null and b/hls/26.png differ
diff --git a/hls/27.png b/hls/27.png
new file mode 100644
index 0000000..63b8662
Binary files /dev/null and b/hls/27.png differ
diff --git a/hls/28.png b/hls/28.png
new file mode 100644
index 0000000..275d356
Binary files /dev/null and b/hls/28.png differ
diff --git a/hls/3.png b/hls/3.png
new file mode 100644
index 0000000..8af9458
Binary files /dev/null and b/hls/3.png differ
diff --git a/hls/4.png b/hls/4.png
new file mode 100644
index 0000000..a7d6989
Binary files /dev/null and b/hls/4.png differ
diff --git a/hls/5.png b/hls/5.png
new file mode 100644
index 0000000..ffd273a
Binary files /dev/null and b/hls/5.png differ
diff --git a/hls/6.png b/hls/6.png
new file mode 100644
index 0000000..e566802
Binary files /dev/null and b/hls/6.png differ
diff --git a/hls/7.png b/hls/7.png
new file mode 100644
index 0000000..c1f66de
Binary files /dev/null and b/hls/7.png differ
diff --git a/hls/8.png b/hls/8.png
new file mode 100644
index 0000000..0339f47
Binary files /dev/null and b/hls/8.png differ
diff --git a/hls/9.png b/hls/9.png
new file mode 100644
index 0000000..c3e98b9
Binary files /dev/null and b/hls/9.png differ
diff --git a/hls/index.md b/hls/index.md
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/hls/index.md
@@ -0,0 +1 @@
+
diff --git a/hmail/0.png b/hmail/0.png
new file mode 100644
index 0000000..911f17c
Binary files /dev/null and b/hmail/0.png differ
diff --git a/hmail/1.png b/hmail/1.png
new file mode 100644
index 0000000..6fc9a80
Binary files /dev/null and b/hmail/1.png differ
diff --git a/hmail/10.png b/hmail/10.png
new file mode 100644
index 0000000..6b3609e
Binary files /dev/null and b/hmail/10.png differ
diff --git a/hmail/11.png b/hmail/11.png
new file mode 100644
index 0000000..1c0606c
Binary files /dev/null and b/hmail/11.png differ
diff --git a/hmail/12.png b/hmail/12.png
new file mode 100644
index 0000000..416cc45
Binary files /dev/null and b/hmail/12.png differ
diff --git a/hmail/13.png b/hmail/13.png
new file mode 100644
index 0000000..cb0c265
Binary files /dev/null and b/hmail/13.png differ
diff --git a/hmail/14.png b/hmail/14.png
new file mode 100644
index 0000000..b1836e6
Binary files /dev/null and b/hmail/14.png differ
diff --git a/hmail/15.png b/hmail/15.png
new file mode 100644
index 0000000..4c2711c
Binary files /dev/null and b/hmail/15.png differ
diff --git a/hmail/16.png b/hmail/16.png
new file mode 100644
index 0000000..15f4ce5
Binary files /dev/null and b/hmail/16.png differ
diff --git a/hmail/17.png b/hmail/17.png
new file mode 100644
index 0000000..5d625a8
Binary files /dev/null and b/hmail/17.png differ
diff --git a/hmail/18.png b/hmail/18.png
new file mode 100644
index 0000000..63200c7
Binary files /dev/null and b/hmail/18.png differ
diff --git a/hmail/19.png b/hmail/19.png
new file mode 100644
index 0000000..b036e01
Binary files /dev/null and b/hmail/19.png differ
diff --git a/hmail/2.png b/hmail/2.png
new file mode 100644
index 0000000..e3abf25
Binary files /dev/null and b/hmail/2.png differ
diff --git a/hmail/20.png b/hmail/20.png
new file mode 100644
index 0000000..1eeb3b4
Binary files /dev/null and b/hmail/20.png differ
diff --git a/hmail/21.png b/hmail/21.png
new file mode 100644
index 0000000..b9e725e
Binary files /dev/null and b/hmail/21.png differ
diff --git a/hmail/22.png b/hmail/22.png
new file mode 100644
index 0000000..cacc799
Binary files /dev/null and b/hmail/22.png differ
diff --git a/hmail/23.png b/hmail/23.png
new file mode 100644
index 0000000..a6af2a9
Binary files /dev/null and b/hmail/23.png differ
diff --git a/hmail/24.png b/hmail/24.png
new file mode 100644
index 0000000..94c1e1e
Binary files /dev/null and b/hmail/24.png differ
diff --git a/hmail/25.png b/hmail/25.png
new file mode 100644
index 0000000..24db3b9
Binary files /dev/null and b/hmail/25.png differ
diff --git a/hmail/26.png b/hmail/26.png
new file mode 100644
index 0000000..5fe1336
Binary files /dev/null and b/hmail/26.png differ
diff --git a/hmail/27.png b/hmail/27.png
new file mode 100644
index 0000000..3ed3014
Binary files /dev/null and b/hmail/27.png differ
diff --git a/hmail/28.png b/hmail/28.png
new file mode 100644
index 0000000..c9ec913
Binary files /dev/null and b/hmail/28.png differ
diff --git a/hmail/29.png b/hmail/29.png
new file mode 100644
index 0000000..0c8366c
Binary files /dev/null and b/hmail/29.png differ
diff --git a/hmail/3.png b/hmail/3.png
new file mode 100644
index 0000000..6db7889
Binary files /dev/null and b/hmail/3.png differ
diff --git a/hmail/30.png b/hmail/30.png
new file mode 100644
index 0000000..946ccdb
Binary files /dev/null and b/hmail/30.png differ
diff --git a/hmail/31.png b/hmail/31.png
new file mode 100644
index 0000000..2e6c97c
Binary files /dev/null and b/hmail/31.png differ
diff --git a/hmail/32.png b/hmail/32.png
new file mode 100644
index 0000000..aeba433
Binary files /dev/null and b/hmail/32.png differ
diff --git a/hmail/33.png b/hmail/33.png
new file mode 100644
index 0000000..71ecba7
Binary files /dev/null and b/hmail/33.png differ
diff --git a/hmail/34.png b/hmail/34.png
new file mode 100644
index 0000000..3535834
Binary files /dev/null and b/hmail/34.png differ
diff --git a/hmail/35.png b/hmail/35.png
new file mode 100644
index 0000000..62a18b5
Binary files /dev/null and b/hmail/35.png differ
diff --git a/hmail/36.png b/hmail/36.png
new file mode 100644
index 0000000..f5e2dc8
Binary files /dev/null and b/hmail/36.png differ
diff --git a/hmail/37.png b/hmail/37.png
new file mode 100644
index 0000000..dab26d3
Binary files /dev/null and b/hmail/37.png differ
diff --git a/hmail/38.png b/hmail/38.png
new file mode 100644
index 0000000..75fbbfd
Binary files /dev/null and b/hmail/38.png differ
diff --git a/hmail/39.png b/hmail/39.png
new file mode 100644
index 0000000..c432b5d
Binary files /dev/null and b/hmail/39.png differ
diff --git a/hmail/4.png b/hmail/4.png
new file mode 100644
index 0000000..90cde8a
Binary files /dev/null and b/hmail/4.png differ
diff --git a/hmail/5.png b/hmail/5.png
new file mode 100644
index 0000000..ea283ab
Binary files /dev/null and b/hmail/5.png differ
diff --git a/hmail/6.png b/hmail/6.png
new file mode 100644
index 0000000..85fc7b5
Binary files /dev/null and b/hmail/6.png differ
diff --git a/hmail/7.png b/hmail/7.png
new file mode 100644
index 0000000..954c1b2
Binary files /dev/null and b/hmail/7.png differ
diff --git a/hmail/8.png b/hmail/8.png
new file mode 100644
index 0000000..59517da
Binary files /dev/null and b/hmail/8.png differ
diff --git a/hmail/9.png b/hmail/9.png
new file mode 100644
index 0000000..ee39e10
Binary files /dev/null and b/hmail/9.png differ
diff --git a/hmail/index.md b/hmail/index.md
new file mode 100644
index 0000000..cb7f352
--- /dev/null
+++ b/hmail/index.md
@@ -0,0 +1,191 @@ +# hMailServer Setup + +![](0.png) + +In this tutorial we're going to setup hMailServer on a local WS2019 VM with AD-DNS on it, if you don't have it already, please check out [this](../w5/index.md) tutorial to get it, then proceed as follows: + +## **Initial setup** + +Start off from your WS2019 VM to which you connect to via RDP or via SPICE display, and go [there](https://www.hmailserver.com/download) to download the latest release of hMailServer: + +![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) ![](8.png) + +Just add the WS2019 server's local domain name: + +![](9.png) + +Then create your mail user account: + +![](10.png) ![](11.png) ![](12.png) + +You can click 'IP Ranges' to edit the ips you want to allow / restrict to access your hmail server + +![](13.png) ![](14.png) + +Above we see the one port that most providers refuse to allow publicly. If you try to use port 25 (SMTP) to send mails publicly, you will realize that not many ISPs allow it, why ? because most people use it to spam, and to battle against spam, most providers refuse to allow traffic coming from this port. Most commonly you have to ask the support services to allow your ip to use it's port 25 (SMTP). Unless if you're purely in a local network obviously. Now let's run the diagnostics checks: + +![](15.png) ![](16.png) + +And that's it! We ran the diagnostics, and it passed the outbound port SMTP test. Obviously since this is purely a local hMailServer it won't pass all the checks. 
Now let's try to connect to it with thunderbird: + +## **Mail Client** + +We're going to use thunderbird as the mail client, so download it and install it: + +![](17.png) ![](18.png) + +Use the following manual connection settings for now: + +![](19.png) + +For now the server doesn't use SSL encryption, so you get the following warning: + +![](20.png) + +Let's see if we can enable SSL encryption: + +## **Local SSL Encryption:** + +![](21.png) + +For this next part just follow the first part of [this](../w6_ldaps/index.md) tutorial to create the WS2019 certificate and then export it for hmailserver: + +![](22.png) + +hmail will need both the private key and the CA certificate: + +![](23.png) + +Now once that's done you will get a .p12 file and we want to extract the key and the CA from it: + +![](24.png) + +You could use C++ to use openssl on windows, but instead we're just going to get the file to a thanks to python3's http module to a linux host where we can use openssl natively and extract the CA and private key + +![](25.png) ![](26.png) ![](27.png) ![](28.png) + +Now here we need to disable the windows firewall temporarily to retrieve the file to our linux host: + +![](29.png) + +Then do the following from powershell: + +![](30.png) + +And retrieve it on your linux host in a temporary directory: + + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [Github/blog/servers] + → mkdir /tmp/CA/ + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [Github/blog/servers] + → cd /tmp/CA + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → wget 10.0.0.204/nowhere-CA.p12 + --2021-04-17 10:18:19-- http://10.0.0.204/nowhere-CA.p12 + Connecting to 10.0.0.204:80... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 4283 (4.2K) [application/x-pkcs12] + Saving to: ‘nowhere-CA.p12’ + + nowhere-CA.p12 100%[===================================>] 4.18K --.-KB/s in 0.002s + + 2021-04-17 10:18:19 (2.32 MB/s) - ‘nowhere-CA.p12’ saved [4283/4283] + + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → file nowhere-CA.p12 + nowhere-CA.p12: data + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → which openssl + /usr/bin/openssl + + + +Then use openssl to extract the CA and the pkey out of it: + + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → openssl pkcs12 -info -in nowhere-CA.p12 -nodes + Enter Import Password: + MAC: sha1, Iteration 2000 + MAC length: 20, salt length: 20 + PKCS7 Data + Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 + Bag Attributes + Microsoft Local Key set: + localKeyID: 01 00 00 00 + friendlyName: nowhere-CA + Microsoft CSP Name: Microsoft Software Key Storage Provider + Key Attributes + X509v3 Key Usage: 80 + -----BEGIN PRIVATE KEY----- + + + + +Here you can see the infos contained in the .p12 file, but let's extract them in a .key and .cer file: + + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → openssl pkcs12 -info -in nowhere-CA.p12 -nodes -nocerts > nowhere-CA.key + Enter Import Password: + MAC: sha1, Iteration 2000 + MAC length: 20, salt length: 20 + PKCS7 Data + Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 + PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 + Certificate bag + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → openssl pkcs12 -info -in nowhere-CA.p12 -nodes -nokeys > nowhere-CA.cer + Enter Import Password: + MAC: sha1, Iteration 2000 + MAC length: 20, salt length: 20 + PKCS7 Data + Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 + PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000 + Certificate bag + + + +And run python3's http module to get the 2 files back on the windows host: + + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → ls -l 
+ total 16 + -rw-r--r-- 1 nothing nothing 2080 Apr 17 10:23 nowhere-CA.cer + -rw-r--r-- 1 nothing nothing 3491 Apr 17 10:23 nowhere-CA.key + -rw-r--r-- 1 nothing nothing 4283 Apr 17 2021 nowhere-CA.p12 + + [ 10.0.0.10/16 ] [ /dev/pts/5 ] [/tmp/CA] + → python3 -m http.server 8080 + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + + + +![](31.png) ![](32.png) ![](33.png) + +Use the certificate as STARTTLS (Required) on all ports, then hit 'Save' and edit how Thunderbird connects back to the mail server: + +![](34.png) + +Now let's test if we can send and recieve mail on our local network: + +![](35.png) + +Now thunderbird by default doesn't allow self-signed certificates: + +![](36.png) ![](37.png) + +Once you allowed the security exception, hit 'Send' and 'Get Messages': + +![](38.png) + +And that's it! We managed to send and recieve mail on a local hMailServer, you can also click 'View Source' to get the following result: + +![](39.png) + diff --git a/hydrus/0.png b/hydrus/0.png new file mode 100644 index 0000000..3e012a8 Binary files /dev/null and b/hydrus/0.png differ diff --git a/hydrus/1.png b/hydrus/1.png new file mode 100644 index 0000000..ffd2492 Binary files /dev/null and b/hydrus/1.png differ diff --git a/hydrus/10.png b/hydrus/10.png new file mode 100644 index 0000000..df57b24 Binary files /dev/null and b/hydrus/10.png differ diff --git a/hydrus/11.png b/hydrus/11.png new file mode 100644 index 0000000..a856770 Binary files /dev/null and b/hydrus/11.png differ diff --git a/hydrus/12.png b/hydrus/12.png new file mode 100644 index 0000000..5ef8b2b Binary files /dev/null and b/hydrus/12.png differ diff --git a/hydrus/13.png b/hydrus/13.png new file mode 100644 index 0000000..1b1cd23 Binary files /dev/null and b/hydrus/13.png differ diff --git a/hydrus/14.png b/hydrus/14.png new file mode 100644 index 0000000..fd16a24 Binary files /dev/null and b/hydrus/14.png differ 
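Review bot: The key material in this hunk travels and rests in the clear end to end: the exported `.p12` is fetched with `wget` over plain HTTP right after the Windows firewall is switched off, the key is then written with `-nodes` as an unencrypted `nowhere-CA.key` that the `ls -l` output shows as mode 644 under world-readable `/tmp/CA`, and `python3 -m http.server 8080` serves that directory on `0.0.0.0` to anyone on the LAN. The flow can stay, but the listing should at least lock the files and the listener down and clean up afterwards: `chmod 600 nowhere-CA.key nowhere-CA.p12`, `python3 -m http.server 8080 --bind 10.0.0.10` (stopped as soon as the download finishes), then `rm -rf /tmp/CA` and a reminder to re-enable the firewall that was disabled earlier. The file is named and described as the CA, yet hMailServer only needs a server (leaf) certificate and its key; if that `.p12` really holds the CA private key it should never leave the CA host, so a one-sentence note telling readers to export a leaf certificate issued for the mail server would close that gap (the certificate-creation steps live in the linked w6_ldaps tutorial, outside this hunk).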
diff --git a/hydrus/15.png b/hydrus/15.png
new file mode 100644
index 0000000..f48d2f5
Binary files /dev/null and b/hydrus/15.png differ
diff --git a/hydrus/16.png b/hydrus/16.png
new file mode 100644
index 0000000..69354fb
Binary files /dev/null and b/hydrus/16.png differ
diff --git a/hydrus/17.png b/hydrus/17.png
new file mode 100644
index 0000000..a71465f
Binary files /dev/null and b/hydrus/17.png differ
diff --git a/hydrus/18.png b/hydrus/18.png
new file mode 100644
index 0000000..15f4ce5
Binary files /dev/null and b/hydrus/18.png differ
diff --git a/hydrus/2.png b/hydrus/2.png
new file mode 100644
index 0000000..a7da208
Binary files /dev/null and b/hydrus/2.png differ
diff --git a/hydrus/3.png b/hydrus/3.png
new file mode 100644
index 0000000..4d3049a
Binary files /dev/null and b/hydrus/3.png differ
diff --git a/hydrus/4.png b/hydrus/4.png
new file mode 100644
index 0000000..cf80180
Binary files /dev/null and b/hydrus/4.png differ
diff --git a/hydrus/5.png b/hydrus/5.png
new file mode 100644
index 0000000..7932e2b
Binary files /dev/null and b/hydrus/5.png differ
diff --git a/hydrus/6.png b/hydrus/6.png
new file mode 100644
index 0000000..b50f01a
Binary files /dev/null and b/hydrus/6.png differ
diff --git a/hydrus/7.png b/hydrus/7.png
new file mode 100644
index 0000000..7be1d2f
Binary files /dev/null and b/hydrus/7.png differ
diff --git a/hydrus/8.png b/hydrus/8.png
new file mode 100644
index 0000000..725d4ec
Binary files /dev/null and b/hydrus/8.png differ
diff --git a/hydrus/9.png b/hydrus/9.png
new file mode 100644
index 0000000..51ff1aa
Binary files /dev/null and b/hydrus/9.png differ
diff --git a/hydrus/index.md b/hydrus/index.md
new file mode 100644
index 0000000..f146e64
--- /dev/null
+++ b/hydrus/index.md
@@ -0,0 +1,188 @@ +# Hydrus Network Setup + +![](0.png) + +In this tutorial we're going to see how to use Hydrus Network, which is a personal booru client used primarily to hoard as many images as possible from image posting boards like **4chan.org**. + +## **Initial Setup** + + + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools] + → git clone https://github.com/hydrusnetwork/hydrus + Cloning into 'hydrus'... + remote: Enumerating objects: 16952, done. + remote: Counting objects: 100% (1094/1094), done. + remote: Compressing objects: 100% (431/431), done. + remote: Total 16952 (delta 695), reused 1011 (delta 649), pack-reused 15858 + Receiving objects: 100% (16952/16952), 101.25 MiB | 5.32 MiB/s, done. + Resolving deltas: 100% (14113/14113), done. + + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools/hydrus] + → ls -l + total 88 + drwxr-xr-x 2 nothing nothing 4096 Jun 28 23:44 bin + -rw-r--r-- 1 nothing nothing 251 Jun 28 23:44 client.py + -rwxr-xr-x 1 nothing nothing 251 Jun 28 23:44 client.pyw + -rw-r--r-- 1 nothing nothing 484 Jun 28 23:44 COPYING + drwxr-xr-x 2 nothing nothing 4096 Jun 28 23:44 db + drwxr-xr-x 2 nothing nothing 12288 Jun 28 23:44 help + -rw-r--r-- 1 nothing nothing 2089 Jun 28 23:44 'help my client will not boot.txt' + drwxr-xr-x 7 nothing nothing 4096 Jun 28 23:44 hydrus + -rw-r--r-- 1 nothing nothing 884 Jun 28 23:44 license.txt + -rwxr-xr-x 1 nothing nothing 2066 Jun 28 23:44 README.md + -rw-r--r-- 1 nothing nothing 303 Jun 28 23:44 Readme.txt + -rw-r--r-- 1 nothing nothing 38 Jun 28 23:44 requirements_macos_build.txt + -rw-r--r-- 1 nothing nothing 376 Jun 28 23:44 requirements_macos.txt + -rw-r--r-- 1 nothing nothing 44 Jun 28 23:44 requirements_ubuntu_build.txt + -rw-r--r-- 1 nothing nothing 376 Jun 28 23:44 requirements_ubuntu.txt + -rw-r--r-- 1 nothing nothing 77 Jun 28 23:44 requirements_windows_build.txt + -rw-r--r-- 1 nothing nothing 376 Jun 28 23:44 requirements_windows.txt + -rw-r--r-- 1 nothing nothing 251 Jun 28 23:44 server.py + drwxr-xr-x 7 
nothing nothing 4096 Jun 28 23:44 static + -rw-r--r-- 1 nothing nothing 247 Jun 28 23:44 test.py + + + +i'm on kali (debian based distro) so i get the required python dependencies for ubuntu (which is also debian based): + + + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools/hydrus] + → pip3 install -r requirements_ubuntu.txt + Defaulting to user installation because normal site-packages is not writeable + Requirement already satisfied: beautifulsoup4>=4.0.0 in /usr/lib/python3/dist-packages (from -r requirements_ubuntu.txt (line 1)) (4.9.3) + Requirement already satisfied: chardet>=3.0.4 in /usr/lib/python3/dist-packages (from -r requirements_ubuntu.txt (line 2)) (4.0.0) + Collecting cloudscraper>=1.2.33 + Downloading cloudscraper-1.2.58-py2.py3-none-any.whl (96 kB) + |████████████████████████████████| 96 kB 264 kB/s + Requirement already satisfied: html5lib>=1.0.1 in /usr/lib/python3/dist-packages (from -r requirements_ubuntu.txt (line 4)) (1.1) + Requirement already satisfied: lxml>=4.5.0 in /usr/lib/python3/dist-packages (from -r requirements_ubuntu.txt (line 5)) (4.6.3) + Collecting lz4>=3.0.0 + Downloading lz4-3.1.3-cp39-cp39-manylinux2010_x86_64.whl (1.8 MB) + |████████████████████████████████| 1.8 MB 952 kB/s + Collecting nose>=1.3.0 + Downloading nose-1.3.7-py3-none-any.whl (154 kB) + |████████████████████████████████| 154 kB 2.6 MB/s + [...] 
+ + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools/hydrus] + → python3 client.py + + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools/hydrus] + → chmod +x ./client.py + + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools/hydrus] + → ./client.py + + + +Now we simply run client.py to open the hydrus client, so we can also create a shortcut (symbolic link) to it and add it into our PATH: + + + [ 10.66.66.2/32 ] [ /dev/pts/3 ] [~/Tools/hydrus] + → sudo ln -s /home/nothing/Tools/hydrus/client.py /usr/local/bin/hydrus_client.py + + + +Now simply launch it: + + + [ 10.66.66.2/32 ] [ /dev/pts/0 ] [~/Tools/hydrus] + → hydrus_client.py + + + +Now right off the bat hydrus is completely white themed so to fix this goto **file > options > style > Hydracula.qss and to colours > colourset > darkmode** + +![](1.png) + +Next step here is to change the bandwidth limits into **network > data > review bandwidth usage and rules** and in here we need to edit the **default bandwidth rules** , edit each of those depending on how much data you intend to download every day / hour: + +![](2.png) + +For simplicity's sake i just set them as MBps: + +![](3.png) + +## **Hoarding from chans** + +hydrus basically has a way of downloading every image from a thread on a 4chan board, there is also a feature to paste in multiple threads at once, so you can have the idea of downloading every image of every thread of a board, For example, to get every image from [/g/](https://boards.4channel.org/g/catalog) to do so you can do as follows: + + + F12 > console > allow paste + const links2 =[...new Set(Object.keys(window.catalog.threads))].map(id => `https://boards.4channel.org/g/thread/${id}`).join('\n') + console.log(links2) + + + +![](15.png) + +Now you have a list of links of all the threads of that one board, and so we can create a new download page to bulk download from them **pages > new download page > watcher** : + +![](16.png) + +And here you can see that we have the ability to copy in as many threads as we want, so 
get the previous links in your clipboard and click that logo: + +![](17.png) + +So now on this page hydrus is going to download /g/ basically. If you want to see every new image that gets downloaded, select all the watchers with **CTRL+A** and **right click > show all watchers' new files** : + +![](18.png) + +And that's it! That's basically how i use hydrus, i also hoarded a collection of wallpapers from **/wg/** with the following firefox console command: + + + F12 > console > allow paste + const links3 =[...new Set(Object.keys(window.catalog.threads))].map(id => `https://boards.4channel.org/wg/thread/${id}`).join('\n') + console.log(links2) + + + +Take note that i changed the variable to being **links3** and the string to **/wg/thread/$(id)** , and then same process we just send all the links from our clipboard to the watchers page in hydrus. + +## **Importing an existing database** + +Now if you're like me and you have multiple OSes to use, you will probably have to install hydrus more than once, and one particular problem can be to import a database, and it's not as simple as you might think: + +To explain this problem we're going to pick our database, which is basically a folder that we choose, i have an existing one in **/mnt/vault/DUMP/** , so you would think that i can import them by going to **database > migrate database > add new location for files** + +![](6.png) + +Next we remove the previous db location: + +![](7.png) ![](8.png) + +Basically we can't really move the database to a non empty location, nor discover it as an option, trying to do this will result in the following: + +![](10.png) ![](12.png) + +TLDR if you have an existing database you need to basically tell hydrus to pick the database path as you launch it, so we're going to do it using a bashscript after we remove the shortcut we did earlier: + + + [ 10.66.66.2/32 ] [ /dev/pts/0 ] [Github/blog/HTB] + → sudo rm /usr/local/bin/hydrus_client.py + [sudo] password for nothing: + + [ 
10.66.66.2/32 ] [ /dev/pts/0 ] [Github/blog/HTB] + → sudo vim /usr/local/bin/hydrus_client.sh + + [ 10.66.66.2/32 ] [ /dev/pts/0 ] [Github/blog/HTB] + → cat /usr/local/bin/hydrus_client.sh + #!/bin/bash + + /home/nothing/Tools/hydrus/client.py -d="/mnt/vault/DUMP" + + [ 10.66.66.2/32 ] [ /dev/pts/0 ] [Github/blog/HTB] + → sudo chmod +x /usr/local/bin/hydrus_client.sh + + + +So we run hydrus once again, this time when we launch hydrus we need to repopulate the database since we know that it has the correct database location, you can check it by doing **file > open > database directory**. So we repair our database by discovering the files by going to **file > import files** + +![](13.png) + +Wait until the database gets completely parsed and then hit 'import now': + +![](14.png) + +And there you go, we managed to import our existing database. (be patient because importing takes a long time) + diff --git a/invidious/1.png b/invidious/1.png new file mode 100644 index 0000000..21331c9 Binary files /dev/null and b/invidious/1.png differ diff --git a/invidious/2.png b/invidious/2.png new file mode 100644 index 0000000..1f34f40 Binary files /dev/null and b/invidious/2.png differ diff --git a/invidious/3.png b/invidious/3.png new file mode 100644 index 0000000..9a0ec28 Binary files /dev/null and b/invidious/3.png differ diff --git a/invidious/4.png b/invidious/4.png new file mode 100644 index 0000000..9ba70e2 Binary files /dev/null and b/invidious/4.png differ diff --git a/invidious/5.png b/invidious/5.png new file mode 100644 index 0000000..5c1ab7b Binary files /dev/null and b/invidious/5.png differ diff --git a/invidious/6.png b/invidious/6.png new file mode 100644 index 0000000..051b798 Binary files /dev/null and b/invidious/6.png differ diff --git a/invidious/index.md b/invidious/index.md new file mode 100644 index 0000000..9fb7483 --- /dev/null +++ b/invidious/index.md 
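Review bot: The second Firefox console snippet (the `/wg/` one) builds `links3` but then prints `console.log(links2)`, so a reader who follows it verbatim gets the `/g/` thread list again, or a `ReferenceError` if `links2` was never defined in that tab; the line should be `console.log(links3)`, and the prose right below it already says the variable was renamed. The wrapper `/usr/local/bin/hydrus_client.sh` is installed system-wide as root but executes `/home/nothing/Tools/hydrus/client.py` from a user-writable checkout, so whoever can write to that home directory controls what runs for every account that invokes `hydrus_client.sh`; either say so explicitly or move the checkout to a root-owned path such as `/opt/hydrus` before pointing a `/usr/local/bin` entry at it. In the same script, `exec /home/nothing/Tools/hydrus/client.py -d="/mnt/vault/DUMP" "$@"` avoids a lingering bash parent and lets extra arguments pass through. Since `pip3 install -r requirements_ubuntu.txt` resolves unpinned `>=` ranges at install time and the `git clone` takes `master` HEAD, a short note recommending a release tag would make the setup reproducible.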
@@ -0,0 +1,1088 @@ +# invidious Setup + +![](0.svg) + +In this tutorial we're going to setup an invidious instance that automatically updates itself. + +## **Initial Setup** + +We follow the documentation [here](https://docs.invidious.io/installation/#docker-compose-method-production): + + + [ nowhere.moe ] [ /dev/pts/0 ] [/home/invidious/invidious] + → cd /srv/ + + + [ nowhere.moe ] [ /dev/pts/0 ] [/home/invidious/invidious] + → git clone https://github.com/iv-org/invidious.git + + [ nowhere.moe ] [ /dev/pts/0 ] [/home/invidious/invidious] + → cd invidious + + [ nowhere.moe ] [ /dev/pts/0 ] [/home/invidious/invidious] + → vim docker-compose.yml + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/invidious] + → cat docker-compose.yml + version: "3" + services: + + invidious: + image: quay.io/invidious/invidious:latest + # image: quay.io/invidious/invidious:latest-arm64 # ARM64/AArch64 devices + restart: unless-stopped + ports: + - "127.0.0.1:3000:3000" + environment: + # Please read the following file for a comprehensive list of all available + # configuration options and their associated syntax: + # https://github.com/iv-org/invidious/blob/master/config/config.example.yml + INVIDIOUS_CONFIG: | + db: + dbname: invidious + user: kemal + password: kemal + host: invidious-db + port: 5432 + check_tables: true + external_port: 443 + domain: iv.nowhere.moe + https_only: true + statistics_enabled: true + hmac_key: "adwwadwaadw5ree6ahB" # pwgen 20 1 + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1 + interval: 30s + timeout: 5s + retries: 2 + logging: + options: + max-size: "1G" + max-file: "4" + depends_on: + - invidious-db + + invidious-db: + image: docker.io/library/postgres:14 + restart: unless-stopped + volumes: + - postgresdata:/var/lib/postgresql/data + - ./config/sql:/config/sql + - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh + environment: + POSTGRES_DB: invidious + POSTGRES_USER: 
kemal + POSTGRES_PASSWORD: kemal + healthcheck: + test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] + + volumes: + postgresdata: + + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → docker-compose down --remove-orphans + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → docker volume rm invidious_postgresdata + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → docker-compose up -d + + #or like so: + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + + + +Then make the reverse nginx proxy config: + + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → wget -O - https://get.acme.sh | sh + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → bash + root@Datura ~ # acme.sh --set-default-ca --server letsencrypt + + root@Datura ~ # acme.sh --issue --standalone -d nowhere.moe -d iv.nowhere.moe -k 4096 + + [Sun Jul 9 05:25:32 PM CEST 2023] Your cert is in: /etc/acme/certs/iv.nowhere.moe/iv.nowhere.moe.cer + [Sun Jul 9 05:25:32 PM CEST 2023] Your cert key is in: /etc/acme/certs/iv.nowhere.moe/iv.nowhere.moe.key + [Sun Jul 9 05:25:32 PM CEST 2023] The intermediate CA cert is in: /etc/acme/certs/iv.nowhere.moe/ca.cer + [Sun Jul 9 05:25:32 PM CEST 2023] And the full chain certs is there: /etc/acme/certs/iv.nowhere.moe/fullchain.cer + + root@Datura ~ # exit + exit + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → vim /etc/nginx/sites-available/iv.nowhere.moe.conf + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → cat /etc/nginx/sites-available/iv.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name iv.nowhere.moe; + + access_log off; + error_log /var/log/nginx/error.log crit; + + ssl_certificate /etc/acme/certs/iv.nowhere.moe/fullchain.cer; + ssl_certificate_key /etc/acme/certs/iv.nowhere.moe/iv.nowhere.moe.key; + + location / { + proxy_pass http://127.0.0.1:3000; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host 
$host; # so Invidious knows domain + proxy_http_version 1.1; # to keep alive + proxy_set_header Connection ""; # to keep alive + } + + if ($https = '') { return 301 https://$host$request_uri; } # if not connected to HTTPS, perma-redirect to HTTPS + } + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → ln -s /etc/nginx/sites-available/iv.nowhere.moe.conf /etc/nginx/sites-enabled + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → systemctl restart nginx + + + + +Then check if it works: + +![](1.png) + +And it does! + +## **Manual update Setup** + +Now let's make sure our invidious instance stays continuously updated and restarts hourly: + + + [ nowhere.moe ] [ /dev/pts/2 ] [~] + → crontab -e + + @hourly docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + @yearly docker-compose -f /srv/invidious/docker-compose.yml stop ; cp /srv/invidious/docker-compose.yml /srv/invidious.docker-compose.yml.backup ; git -C /srv/invidious pull ; docker-compose -f /srv/invidious/docker-compose.yml up -d # but must be done monthly to be on invidio.us! (need to manually edit the docker-compose.yml file again afterward) + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/invidious] + → cronitor select + + Use the arrow keys to navigate: ↓ ↑ → ← + Use the arrow keys to navigate: ↓ ↑ → ← + Use the arrow keys to navigate: ↓ ↑ → ← + Use the arrow keys to navigate: ↓ ↑ → ← + Use the arrow keys to navigate: ↓ ↑ → ← + Use the arrow keys to navigate: ↓ ↑ → ← + ✔ docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + ----► Running command: docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + + Stopping invidious_invidious_1 ... 
done + Stopping invidious_invidious-db_1 ... done + Recreating invidious_invidious-db_1 ... done + Recreating invidious_invidious_1 ... done + + ----► ✔ Command successful Elapsed time 1.692s + + + +once done go create an issue there to get your instance listed. mine is [here](https://github.com/iv-org/documentation/issues/423). + + + [ nowhere.moe ] [ /dev/pts/5 ] [/srv/invidious] + → ip a + 2: enp5s0: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether a8:a1:59:10:31:bc brd ff:ff:ff:ff:ff:ff + inet 116.202.216.190/26 brd 116.202.216.191 scope global enp5s0 + valid_lft forever preferred_lft forever + inet6 **IPV6RANGE/64** scope global + valid_lft forever preferred_lft forever + inet6 IPV6LINK/64 scope link + valid_lft forever preferred_lft forever + + #so then edit the docker-compose.yml file like so: + + [ nowhere.moe ] [ /dev/pts/6 ] [/srv/invidious] + → cat docker-compose.yml + version: "3" + services: + + invidious: + image: quay.io/invidious/invidious:latest + # image: quay.io/invidious/invidious:latest-arm64 # ARM64/AArch64 devices + restart: unless-stopped + **networks: + - invidious** + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + ports: + - "127.0.0.1:3000:3000" + environment: + # Please read the following file for a comprehensive list of all available + # configuration options and their associated syntax: + # https://github.com/iv-org/invidious/blob/master/config/config.example.yml + INVIDIOUS_CONFIG: | + db: + dbname: invidious + user: kemal + password: kemal + host: invidious-db + port: 5432 + check_tables: true + external_port: 443 + domain: iv.nowhere.moe + https_only: true + statistics_enabled: true + hmac_key: "ahxuung0ceib5ree6ahB" + #you can put other arguements here for example: + default_home: Search + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1 + interval: 30s + timeout: 5s + retries: 2 + logging: + options: + max-size: "1G" + max-file: "4" + depends_on: + - 
invidious-db + + invidious-db: + image: docker.io/library/postgres:14 + restart: unless-stopped + **networks: + - invidious** + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + volumes: + - postgresdata:/var/lib/postgresql/data + - ./config/sql:/config/sql + - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh + environment: + POSTGRES_DB: invidious + POSTGRES_USER: kemal + POSTGRES_PASSWORD: kemal + healthcheck: + test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] + + volumes: + postgresdata: + + **networks: + invidious: + #enable_ipv6: true + ipam: + config: + - subnet:**IPV6RANGE/64**** + + + + +New crontab + new docker-compose.yml file: + + + crontab -e + + @hourly docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + @monthly docker-compose -f /srv/invidious/docker-compose.yml stop ; cp /srv/invidious/docker-compose.yml /srv/invidious.docker-compose.yml.backup ; git -C /srv/invidious pull ; cp /srv/invidious.docker-compose.yml.backup /srv/invidious/docker-compose.yml; docker-compose -f /srv/invidious/docker-compose.yml up -d # monthly invidious upgrade! + + + +# Youtube tries to block invidious instances, IPV6 is the way forward! 
+ +We're going to follow what unixfox suggests [here](https://github.com/iv-org/invidious/issues/3822): + +Your invidious instance may get blocked once it becomes popular enough, so circumvent the youtube ipv4 blockage with ipv6 addresses: you need to enable ipv6 on your server and on docker too, so first step is to get an ipv6 range on your server if you didn't have one in the first place and once you get it, add it like so:: + + + /sbin/ip -6 addr add 2001:0db8:0:f101::1/56 dev enp5s0 + + #onwards i will refer to add 2001:0db8:0:f101::/56 as IPV6RANGE::/56 + + # if that ip gets blocked, do remove it and add the next one like so: + + /sbin/ip -6 addr del 2001:0db8:0:f101::1/56 dev enp5s0 + /sbin/ip -6 addr add 2001:0db8:0:f101::2/56 dev enp5s0 + + # if it also gets blocked: + + /sbin/ip -6 addr del 2001:0db8:0:f101::2/56 dev enp5s0 + /sbin/ip -6 addr add 2001:0db8:0:f101::3/56 dev enp5s0 + + + +Next make sure docker uses the whole IPv6 range (so it ends with ::/56) + + + + ##################3####### EDIT AS OF 24/02/2024 SHOULDNT BE REQUIRED!!!! ##################################### + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → vim /etc/docker/daemon.json + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → cat /etc/docker/daemon.json + { + "ipv6": true, + "fixed-cidr-v6": "IPV6RANGE::/56", + "experimental": true, + "ip6tables": true + } + + # OR you can do the following: (Thanks Arya from [Project Segfault](https://projectsegfau.lt/team)) + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → vim /etc/docker/daemon.json + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → cat /etc/docker/daemon.json + { + "ipv6": true, + "fixed-cidr-v6": "fd00:dead:beef::/48", + "default-address-pools": [ + { + "base": "172.80.0.0/16", + "size": 24 + } + ] + } + + ##################3####### EDIT AS OF 24/02/2024 SHOULDNT BE REQUIRED!!!! 
##################################### + + +Then restart docker to make sure the change is there: + + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → systemctl stop docker + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → mv /var/lib/docker/network/files/local-kv.db /tmp/dn-bak + #required because docker may not start due to the ipv6 enabling, which will have conflicts with the default bridge network config (shouldn't be needed if you added te default-address-pools parameter above). + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → systemctl start docker + + + +Once docker is restarted it will have taken into account the new ipv6 subnet you've given it and you can check it here: + + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → docker network ls + NETWORK ID NAME DRIVER SCOPE + 559958b3d43c bridge bridge local + 2d71827848ba host host local + 80a671afbacd invidious bridge local + 1ad703b48dd0 none null local + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → docker network inspect bridge + [ + { + "Name": "bridge", + "Id": "559958b3d43c8ae942af6bb1dc21edeb295383258db8bd864b94ee9630badad2", + "Created": "2023-09-30T22:14:09.026433561+02:00", + "Scope": "local", + "Driver": "bridge", + "EnableIPv6": true, + "IPAM": { + "Driver": "default", + "Options": null, + "Config": [ + { + "Subnet": "172.17.0.0/16", + "Gateway": "172.17.0.1" + }, + { + "Subnet": "IPV6RANGE::/56" + } + ] + }, + "Internal": false, + "Attachable": false, + "Ingress": false, + "ConfigFrom": { + "Network": "" + }, + "ConfigOnly": false, + "Containers": {}, + "Options": { + "com.docker.network.bridge.default_bridge": "true", + "com.docker.network.bridge.enable_icc": "true", + "com.docker.network.bridge.enable_ip_masquerade": "true", + "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0", + "com.docker.network.bridge.name": "docker0", + "com.docker.network.driver.mtu": "1500" + }, + "Labels": {} + } + ] + + + +Next, make sure that you route all traffic from that ipv6 range to go to the docker0 interface if its not added 
automatically by docker: + + + [ nowhere.moe ] [ /dev/pts/20 ] [~] + → ip -6 route ls dev docker0 + IPV6RANGE::/56 proto kernel metric 256 linkdown pref medium + fe80::/64 proto kernel metric 256 linkdown pref medium + + # to add it you do it as follows: + ip -6 route add IPV6RANGE::/56 dev docker0 + + + +And then you need to make sure that invidious uses ipv6 properly as follows: + + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/invidious] + → vim docker-compose.yml + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/invidious] + → cat docker-compose.yml + version: "2.1" + services: + + ipv6nat: + container_name: ipv6nat + privileged: true + network_mode: host + restart: unless-stopped + volumes: + - '/var/run/docker.sock:/var/run/docker.sock:ro' + - '/lib/modules:/lib/modules:ro' + image: robbertkl/ipv6nat + + invidious: + image: quay.io/invidious/invidious:latest + # image: quay.io/invidious/invidious:latest-arm64 # ARM64/AArch64 devices + restart: unless-stopped + networks: + - invidious + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + ports: + - "127.0.0.1:3000:3000" + environment: + # Please read the following file for a comprehensive list of all available + # configuration options and their associated syntax: + # https://github.com/iv-org/invidious/blob/master/config/config.example.yml + INVIDIOUS_CONFIG: | + db: + dbname: invidious + user: kemal + password: kemal + host: invidious-db + port: 5432 + check_tables: true + external_port: 443 + domain: iv.nowhere.moe + https_only: true + statistics_enabled: true + hmac_key: "dawwaddwadwadwadwa" + force_resolve: ipv6 + default_user_preferences: + dark_mode: "dark" + default_home: "Search" + popular_enabled: true + feed_menu: ["Subscriptions", "Playlists"] + autoplay: true + continue: true + continue_autoplay: true + local: false + #quality: dash + #quality_dash: 720p + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1 + interval: 30s + timeout: 5s + retries: 2 + 
logging: + options: + max-size: "1G" + max-file: "4" + depends_on: + - invidious-db + + invidious-db: + image: docker.io/library/postgres:14 + restart: unless-stopped + networks: + - invidious + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + volumes: + - postgresdata:/var/lib/postgresql/data + - ./config/sql:/config/sql + - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh + environment: + POSTGRES_DB: invidious + POSTGRES_USER: kemal + POSTGRES_PASSWORD: kemal + healthcheck: + test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] + + volumes: + postgresdata: + + networks: + invidious: + name: invidious + enable_ipv6: true + #external: true + ipam: + config: + - subnet: fd00:dead:beec::/48 + + + +Commentary: first you have the ipv6nat service, then you have the local setting set to false as apparently it conflicts, then you have the ipv6 enabling in the invidious-db and invidious services, and finally the network invidious. take note that docker-compose version 2.1 is required because it can't have the "enable ipv6" setting otherwise at the bottom. Then once that's done just run it. At the bottom you have the INTERNAL subnet fd00:dead:beec::/48, this is intentional, don't put the external ipv6 range + + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/invidious] + → docker-compose down --remove-orphans ; docker-compose up -d + Stopping invidious_invidious_1 ... done + Stopping invidious_invidious-db_1 ... done + Stopping ipv6nat ... done + Removing invidious_invidious_1 ... done + Removing invidious_invidious-db_1 ... done + Removing ipv6nat ... done + Removing network invidious + Creating network "invidious" with the default driver + Creating ipv6nat ... done + Creating invidious_invidious-db_1 ... done + Creating invidious_invidious_1 ... 
done + + + +Then you can check that the instance has got ipv6 working like so: + + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/invidious] + → ip a + 1: lo: LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever + 2: enp5s0: BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether a8:a1:59:10:31:bc brd ff:ff:ff:ff:ff:ff + inet 116.202.216.190/26 brd 116.202.216.191 scope global enp5s0 + valid_lft forever preferred_lft forever + **inet6 IPV6RANGE::3/64 scope global** + valid_lft forever preferred_lft forever + inet6 fe80::aaa1:59ff:fe10:31bc/64 scope link + valid_lft forever preferred_lft forever + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → docker network inspect invidious + [ + { + "Name": "invidious", + "Id": "f1bca40b9d77dc8e21b9e2e433f7b89deb36630ae506fc32ea543adb809f091a", + "Created": "2023-09-30T23:06:35.21024565+02:00", + "Scope": "local", + "Driver": "bridge", + "EnableIPv6": true, + "IPAM": { + "Driver": "default", + "Options": null, + "Config": [ + { + "Subnet": "192.168.80.0/20", + "Gateway": "192.168.80.1" + }, + { + **"Subnet": "fd00:dead:beec::/48"** + } + ] + }, + "Internal": false, + "Attachable": true, + "Ingress": false, + "ConfigFrom": { + "Network": "" + }, + "ConfigOnly": false, + "Containers": { + "247dd2c35c1277bc030d5cfe176d01963611e8aa118c899bfe7d86e70abcf933": { + "Name": "invidious_invidious-db_1", + "EndpointID": "d0013abf14073b91be5a9da37e734a915fc6c77349bf67b3559890c712026c30", + "MacAddress": "02:42:c0:a8:50:02", + "IPv4Address": "192.168.80.2/20", + "IPv6Address": "fd00:dead:beec::2/48" + }, + "db397f8428cdca171046de25d0ce199fcc5902771c7d085763f9930b6d2fff0d": { + "Name": "invidious_invidious_1", + "EndpointID": 
"80ff47283bcbdc5ed1f8c14bd0c0a23997fe0b4ca072e0f86f909181ab38609d", + "MacAddress": "02:42:c0:a8:50:03", + "IPv4Address": "192.168.80.3/20", + "IPv6Address": "fd00:dead:beec::3/48" + } + }, + "Options": {}, + "Labels": { + "com.docker.compose.network": "invidious", + "com.docker.compose.project": "invidious", + "com.docker.compose.version": "1.25.0" + } + } + ] + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → docker container ls + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + db397f8428cd quay.io/invidious/invidious:latest "/sbin/tini -- /invi…" 26 minutes ago Up 26 minutes (healthy) 127.0.0.1:3000->3000/tcp invidious_invidious_1 + 247dd2c35c12 postgres:14 "docker-entrypoint.s…" 26 minutes ago Up 26 minutes (healthy) 5432/tcp invidious_invidious-db_1 + f57f3bd66a0a robbertkl/ipv6nat "/docker-ipv6nat-com…" 26 minutes ago Up 26 minutes ipv6nat + + + +Let's test if invidious has the correct ipv6 public IP and if we can ping google via ipv6: + + + #first check if it works on your server by default: + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → curl -6 icanhazip.com + IPV6RANGE::3 + + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → ping -6 ipv6.google.com + PING ipv6.google.com(fra24s05-in-x0e.1e100.net (2a00:1450:4001:828::200e)) 56 data bytes + 64 bytes from fra24s05-in-x0e.1e100.net (2a00:1450:4001:828::200e): icmp_seq=1 ttl=60 time=5.17 ms + ^C + --- ipv6.google.com ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 5.170/5.170/5.170/0.000 ms + + #then check if it's the same on the invidious docker container: + [ nowhere.moe ] [ /dev/pts/0 ] [~] + → docker exec -it -u root db39 sh + /invidious # apk add curl + fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz + fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz + (1/4) Installing ca-certificates (20230506-r0) + (2/4) Installing nghttp2-libs (1.47.0-r1) + (3/4) Installing libcurl (8.3.0-r0) + (4/4) Installing 
curl (8.3.0-r0) + Executing busybox-1.35.0-r17.trigger + Executing ca-certificates-20230506-r0.trigger + OK: 47 MiB in 59 packages + /invidious # curl -6 icanhazip.com + IPV6RANGE::3 + /invidious # ping -6 ipv6.google.com + PING ipv6.google.com (2a00:1450:4001:828::200e): 56 data bytes + 64 bytes from 2a00:1450:4001:828::200e: seq=0 ttl=59 time=5.137 ms + 64 bytes from 2a00:1450:4001:828::200e: seq=1 ttl=59 time=5.161 ms + ^C + + + +and it works! Now verify it on the invidious instance itself: + +![](3.png) + +If it doesnt work it may be because you have the "local: true" setting in your docker-compose.yml file, make sure to set it to false as it looks like it conflicts with the ipv6 setup. + +## Onion instance setup + +Now let's setup an invidious instance that works over tor with a .onion link. For the initial setup of a tor .onion website, check out [this](../torwebsite/index.md) tutorial. + + + [ nowhere.moe ] [ /dev/pts/21 ] [/srv/invidious] + → cat docker-compose.yml + version: "2.1" + services: + + ipv6nat: + container_name: ipv6nat + privileged: true + network_mode: host + restart: unless-stopped + volumes: + - '/var/run/docker.sock:/var/run/docker.sock:ro' + - '/lib/modules:/lib/modules:ro' + image: robbertkl/ipv6nat + + invidious: + image: quay.io/invidious/invidious:latest + # image: quay.io/invidious/invidious:latest-arm64 # ARM64/AArch64 devices + restart: unless-stopped + networks: + - invidious + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + #- net.ipv4.conf.all.disable_ipv4=1 + #volumes: + # - ./invidious_web:/invidious/ + ports: + - "127.0.0.1:3000:3000" + environment: + # Please read the following file for a comprehensive list of all available + # configuration options and their associated syntax: + # https://github.com/iv-org/invidious/blob/master/config/config.example.yml + INVIDIOUS_CONFIG: | + db: + dbname: invidious + user: kemal + password: kemal + host: invidious-db + port: 5432 + check_tables: true + external_port: 443 + domain: 
iv.nowhere.moe + https_only: true + statistics_enabled: true + hmac_key: "awdwdadwawadadw" + force_resolve: ipv6 + banner: ' + + **nowhere.moe** - Instance now has [ipv6 rotation](https://github.com/iv-org/smart-ipv6-rotator) and an [onion link!](http://iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/) (14/10/2023) + + + + Donate Monero: 82w95Xt27wfSLW1UzK48LrXDWngZr4FJ3gYqUVxQ9inQC2JReT81DesKmjcMWWbiBT4k517UwshY53aDPFuvE8AZ1EnYJZu + + ' + default_user_preferences: + dark_mode: "dark" + default_home: "Search" + popular_enabled: true + feed_menu: ["Subscriptions", "Playlists"] + autoplay: true + continue: true + continue_autoplay: true + local: true + quality: dash + quality_dash: 720p + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1 + interval: 30s + timeout: 5s + retries: 2 + logging: + options: + max-size: "1G" + max-file: "4" + depends_on: + - invidious-db + + invidious-tor: + image: quay.io/invidious/invidious:latest + # image: quay.io/invidious/invidious:latest-arm64 # ARM64/AArch64 devices + restart: unless-stopped + networks: + - invidious + #ipv6_address: 2a01:4f8:241:f500::3 + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + #volumes: + # - ./invidious_web:/invidious/ + ports: + - "127.0.0.1:3002:3000" + environment: + # Please read the following file for a comprehensive list of all available + # configuration options and their associated syntax: + # https://github.com/iv-org/invidious/blob/master/config/config.example.yml + INVIDIOUS_CONFIG: | + db: + dbname: invidious + user: kemal + password: kemal + host: invidious-db + port: 5432 + check_tables: true + external_port: 80 + domain: iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion + https_only: false + statistics_enabled: true + hmac_key: "adwadwadwaadwdaw" + force_resolve: ipv6 + banner: ' + + **nowhere.moe** - Instance now has [ipv6 rotation](https://github.com/iv-org/smart-ipv6-rotator) and an [onion 
link!](http://iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/) (14/10/2023) + + + + Donate Monero: 82w95Xt27wfSLW1UzK48LrXDWngZr4FJ3gYqUVxQ9inQC2JReT81DesKmjcMWWbiBT4k517UwshY53aDPFuvE8AZ1EnYJZu + + ' + default_user_preferences: + dark_mode: "dark" + default_home: "Search" + popular_enabled: true + feed_menu: ["Subscriptions", "Playlists"] + autoplay: true + continue: true + continue_autoplay: true + local: true + quality: dash + quality_dash: 720p + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3002/api/v1/comments/jNQXAC9IVRw || exit 1 + interval: 30s + timeout: 5s + retries: 2 + logging: + options: + max-size: "1G" + max-file: "4" + depends_on: + - invidious-db + + invidious-db: + image: docker.io/library/postgres:14 + restart: unless-stopped + networks: + - invidious + sysctls: + - net.ipv6.conf.all.disable_ipv6=0 + volumes: + - postgresdata:/var/lib/postgresql/data + - ./config/sql:/config/sql + - ./docker/init-invidious-db.sh:/docker-entrypoint-initdb.d/init-invidious-db.sh + environment: + POSTGRES_DB: invidious + POSTGRES_USER: kemal + POSTGRES_PASSWORD: kemal + healthcheck: + test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"] + + volumes: + postgresdata: + + networks: + invidious: + name: invidious + enable_ipv6: true + ipam: + config: + - subnet: fd00:dead:beec::/48 + + + +Then with it you will need to re-run it via docker-compose: + + + [ nowhere.moe ] [ /dev/pts/20 ] [/srv/invidious] + → cronitor select + + Use the arrow keys to navigate: ↓ ↑ → ← + ? Select job to run: + ✔ docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + ----► Running command: docker-compose -f /srv/invidious/docker-compose.yml stop ; docker-compose -f /srv/invidious/docker-compose.yml up -d + + Stopping invidious_invidious_1 ... done + Stopping invidious_invidious-db_1 ... done + Stopping ipv6nat ... done + Starting ipv6nat ... 
done + Starting invidious_invidious-db_1 ... done + Starting invidious_invidious_1 ... done + Recreating invidious_invidious-tor_1 ... done + + ----► ✔ Command successful Elapsed time 2.939s + + + +Then once that's done, you need to make sure it can be accessed via the tor link, so you need to add that access in nginx: + + + [ nowhere.moe ] [ /dev/pts/19 ] [~] + → vim /etc/nginx/sites-available/iv.nowhere.moe.conf + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → cat /etc/nginx/sites-available/iv.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + + ######## TOR CHANGES ######## + #listen 4443; + #listen [::]:4443; + #server_name iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ######## + + server_name iv.nowhere.moe; + + access_log off; + error_log /var/log/nginx/error.log crit; + + ssl_certificate /etc/acme/certs/iv.nowhere.moe/fullchain.cer; + ssl_certificate_key /etc/acme/certs/iv.nowhere.moe/iv.nowhere.moe.key; + + location / { + proxy_pass http://127.0.0.1:3000; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; # so Invidious knows domain + proxy_http_version 1.1; # to keep alive + proxy_set_header Connection ""; # to keep alive + } + + if ($https = '') { return 301 https://$host$request_uri; } # if not connected to HTTPS, perma-redirect to HTTPS + } + + + +In here you need the add_header option to make sure your default instance displays the onion instance when users browse to it via tor. 
Then once users click it they need to access it via the mentionned onion link, so let's set that up: + + + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → cat /etc/nginx/sites-available/iv.nowhere.moe.tor.conf + server { + listen 443; + listen [::]:443; + server_name iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + if ($https != '') { return 301 http://$host$request_uri; } # if not connected to HTTP, perma-redirect to HTTP + } + + server { + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://iv.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ######## + + access_log off; + error_log /var/log/nginx/error.log crit; + + location / { + proxy_pass http://127.0.0.1:3002; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; # so Invidious knows domain + proxy_http_version 1.1; # to keep alive + proxy_set_header Connection ""; # to keep alive + } + + if ($https != '') { return 301 http://$host$request_uri; } # if not connected to HTTP, perma-redirect to HTTP + } + + [ nowhere.moe ] [ /dev/pts/19 ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/iv.nowhere.moe.tor.conf /etc/nginx/sites-enabled + + [ nowhere.moe ] [ /dev/pts/19 ] [/etc/nginx/sites-available] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/19 ] [/etc/nginx/sites-available] + → nginx -s reload + 2023/10/01 16:47:39 [notice] 1060069#1060069: signal process started + + + +Now you need the local proxying and DASH to work since youtube tries to block that also, so we'll use the ipv6 rotation script made by unifox: + + + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv] + → cd /srv/ + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv] + → git clone 
https://github.com/iv-org/smart-ipv6-rotator + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv] + → cd smart-ipv6-rotator + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/smart-ipv6-rotator] + → cp config.py.example config.py + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/smart-ipv6-rotator] + → vim config.py + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/smart-ipv6-rotator] + → cat config.py + ipv6_subnet = "IPV6RANGE::/64" + + [ nowhere.moe ] [ /dev/pts/19 ] [/srv/smart-ipv6-rotator] + → apt install python3-pyroute2 + + + +Then you can execute the script like so: + + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → /usr/bin/python3 /srv/smart-ipv6-rotator/smart-ipv6-rotator.py clean ; /usr/bin/python3 /srv/smart-ipv6-rotator/smart-ipv6-rotator.py run --ipv6range="IPV6RANGE::/64" + [INFO] No cleanup of previous setup needed. + [INFO] You have IPv6 connectivity. Continuing. + [INFO] No cleanup of previous setup needed. + [DEBUG] Debug info: + random_ipv6_address --> IPV6RANGE:7c39:d64d:274d:4a18 + random_ipv6_address_mask --> 64 + gateway --> fe80::1 + interface_index --> 2 + interface_name --> enp5s0 + ipv6_subnet --> IPV6RANGE::/64 + [INFO] Correctly using the new random IPv6 address, continuing. + [INFO] Correctly configured the IPv6 routes for Google IPv6 ranges. + [INFO] Successful setup. Waiting for the propagation in the Linux kernel. + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → curl -6 icanhazip.com + IPV6RANGE:7c39:d64d:274d:4a18 + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → /usr/bin/python3 /srv/smart-ipv6-rotator/smart-ipv6-rotator.py clean ; /usr/bin/python3 /srv/smart-ipv6-rotator/smart-ipv6-rotator.py run --ipv6range="IPV6RANGE::/64" + [INFO] Finished cleaning up previous setup. + [INFO] Waiting for the propagation in the Linux kernel. + [INFO] You have IPv6 connectivity. Continuing. + [INFO] No cleanup of previous setup needed. 
+ [DEBUG] Debug info: + random_ipv6_address --> IPV6RANGE:25b8:6c57:56ef:67de + random_ipv6_address_mask --> 64 + gateway --> fe80::1 + interface_index --> 2 + interface_name --> enp5s0 + ipv6_subnet --> IPV6RANGE::/64 + [INFO] Correctly using the new random IPv6 address, continuing. + [INFO] Correctly configured the IPv6 routes for Google IPv6 ranges. + [INFO] Successful setup. Waiting for the propagation in the Linux kernel. + + [ nowhere.moe ] [ /dev/pts/21 ] [~] + → curl -6 icanhazip.com + IPV6RANGE:25b8:6c57:56ef:67de + + + +You can check if your ipv6 got changed each time with the **curl -6 icanhazip.com** command. Now let's add it as a cronjob to make sure the instance's ip changes once a day: + + + crontab -e + + @daily /usr/bin/python3 /srv/smart-ipv6-rotator/smart-ipv6-rotator.py clean ; /usr/bin/python3 /srv/smart-ipv6-rotator/smart-ipv6-rotator.py run --ipv6range="IPV6RANGE::/64" + + + +Now with that setup, youtube is going to need to block every single IPv6 in the mentionned subnet, should be preety resilient. + +Now you can just browse to it via the tor browser: + +![](5.png) + +Here you may need to click "enable media" as it may be blocked + +![](6.png) + +And that's it! Now our invidious instance is available to be browsed anonymously. + diff --git a/irc/0.png b/irc/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/irc/0.png differ diff --git a/irc/1.png b/irc/1.png new file mode 100644 index 0000000..603d15d Binary files /dev/null and b/irc/1.png differ diff --git a/irc/10.png b/irc/10.png new file mode 100644 index 0000000..2e1905e Binary files /dev/null and b/irc/10.png differ diff --git a/irc/11.png b/irc/11.png new file mode 100644 index 0000000..9ccbc9d Binary files /dev/null and b/irc/11.png differ diff --git a/irc/12.png b/irc/12.png new file mode 100644 index 0000000..ea9b70b Binary files /dev/null and b/irc/12.png differ 
diff --git a/irc/13.png b/irc/13.png
new file mode 100644
index 0000000..e1e724a
Binary files /dev/null and b/irc/13.png differ
diff --git a/irc/14.png b/irc/14.png
new file mode 100644
index 0000000..a089467
Binary files /dev/null and b/irc/14.png differ
diff --git a/irc/15.png b/irc/15.png
new file mode 100644
index 0000000..3464f29
Binary files /dev/null and b/irc/15.png differ
diff --git a/irc/2.png b/irc/2.png
new file mode 100644
index 0000000..9b7da46
Binary files /dev/null and b/irc/2.png differ
diff --git a/irc/3.png b/irc/3.png
new file mode 100644
index 0000000..ea2a0a9
Binary files /dev/null and b/irc/3.png differ
diff --git a/irc/4.png b/irc/4.png
new file mode 100644
index 0000000..4e4e221
Binary files /dev/null and b/irc/4.png differ
diff --git a/irc/5.png b/irc/5.png
new file mode 100644
index 0000000..f7eb665
Binary files /dev/null and b/irc/5.png differ
diff --git a/irc/6.png b/irc/6.png
new file mode 100644
index 0000000..628d7cb
Binary files /dev/null and b/irc/6.png differ
diff --git a/irc/7.png b/irc/7.png
new file mode 100644
index 0000000..419e3bc
Binary files /dev/null and b/irc/7.png differ
diff --git a/irc/8.png b/irc/8.png
new file mode 100644
index 0000000..be5fca5
Binary files /dev/null and b/irc/8.png differ
diff --git a/irc/9.png b/irc/9.png
new file mode 100644
index 0000000..847b5d5
Binary files /dev/null and b/irc/9.png differ
diff --git a/irc/index.md b/irc/index.md
new file mode 100644
index 0000000..36bc686
--- /dev/null
+++ b/irc/index.md
@@ -0,0 +1,146 @@
+# inspIRCd SSL Setup
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **Installation (compiled)**
+
+
+ apt update -y && apt upgrade -y
+ apt install gnutls-bin pkg-config g++ cmake libssl-dev openssl pkg-config -y
+
+ adduser --disabled-password inspircd
+ su inspircd
+
+ cd
+ wget https://github.com/inspircd/inspircd/archive/v3.7.0.tar.gz
+ tar xvf v3.7.0.tar.gz
+ cd inspircd-3.7.0/
+ ./configure --enable-extras ssl_openssl
+
+
+
+![](11.png) ![](12.png) ![](13.png)
+
+next just run the make command stated at the end, and wait for it to build (it takes a while):
+
+
+ make -j2 install
+
+
+
+![](10.png)
+
+...
wait a long time
+
+![](14.png)
+
+Once it's done goto /inspircd-3.7.0/run/conf and download my config:
+
+
+ cd ~/inspircd-3.7.0/run/conf
+
+ echo 'welcome to nihilists server!' > inspircd.motd
+ echo 'dont be bad!' > inspircd.conf
+ wget https:/blog.nowhere.moe/servers/irc/inspircd_ssl.conf -O inspircd.conf
+ nano inspircd.conf
+
+
+
+ exit #back to the root shell
+ cp /home/inspircd/inspircd-3.7.0/run/inspircd.service /etc/systemd/system/inspircd.service
+ systemctl enable inspircd
+
+ su inspircd
+ cd /home/inspircd/inspircd-3.7.0/run/
+ ./inspircd start
+
+ nestat -lntp
+
+
+![](15.png)
+
+And here we can see that the server is running, now let's try to login:
+
+ssl login failed, very lazy to figure out why it doesn't let me connect, lol. Probably it is either in the irssi connection command (**/connect -ssl irc.ech4.duckdns.org 6667 123456**) or something very easy to overlook in the config file as usual. If you have the solution for this, don't hesitate to send me the solution. Instead i'll just move over to the TOR version which looks a trillion times easier to do.
+
+## **CLI IRC Client (expected)**
+
+Connect: irc.ech4.duckdns.org:6667:
+
+
+ apt install irssi -y
+ irssi
+
+ #/connect IP PORT PASSWORD NICKNAME
+
+ /connect -ssl 127.0.0.1 6667 123456 nihilist
+ /disconnect
+
+ /connect -ssl 167.172.60.28 6667 123456 nihilist
+ /disconnect
+
+ /connect -ssl ech4.duckdns.org 6667 123456 nihilist
+
+ /LIST
+ #this will show you which channels are active
+
+ /join #general
+ hello!
+ how are you?
+ bye!
+ /leave
+ /join #test
+ ahoy!
+ test?
+ goodbye!
+ /leave
+ /disconnect
+
+
+![](4.png) ![](5.png)
+
+For extra details on how to configure your IRC server just look at that example [](https://blog.nowhere.moe/inspircd/inspircd.example.conf)file:
+
+
+ cd /usr/share/doc/inspircd/examples/
+ gunzip -d inspircd.conf.example.gz
+ nano inspircd.conf.example
+
+
+
+
+## **GUI IRC Client (expected)**
+
+If you don't like irssi, you can use hexchat (GUI) to connect aswell:
+
+
+ apt install hexchat -y
+ pacman -S hexchat -y
+
+
+
+![](6.png)
+
diff --git a/irc_tor/0.png b/irc_tor/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/irc_tor/0.png differ
diff --git a/irc_tor/1.png b/irc_tor/1.png
new file mode 100644
index 0000000..1025d54
Binary files /dev/null and b/irc_tor/1.png differ
diff --git a/irc_tor/2.png b/irc_tor/2.png
new file mode 100644
index 0000000..b7e6916
Binary files /dev/null and b/irc_tor/2.png differ
diff --git a/irc_tor/3.png b/irc_tor/3.png
new file mode 100644
index 0000000..5516b79
Binary files /dev/null and b/irc_tor/3.png differ
diff --git a/irc_tor/4.png b/irc_tor/4.png
new file mode 100644
index 0000000..d66890b
Binary files /dev/null and b/irc_tor/4.png differ
diff --git a/irc_tor/index.md b/irc_tor/index.md
new file mode 100644
index 0000000..0179a01
--- /dev/null
+++ b/irc_tor/index.md
@@ -0,0 +1,83 @@
+# TOR IRC
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **1**
+
+
+ apt update -y && apt upgrade -y
+ apt install tor inspircd -y
+
+ wget https://blog.nowhere.moe/servers/irc_tor/inspircd.conf -O /etc/inspircd/inspircd.conf
+ echo 'Welcome to nihilists TOR-hosted IRC!'
> /etc/inspircd/inspircd.motd
+ nano /etc/inspircd/inspircd.conf
+
+
+
+![](1.png)
+
+Once finished, hit CTRL+S to save and CTRL+X to exit nano
+
+
+ nano /etc/tor/torrc
+
+
+
+goto location-hidden services
+
+
+ echo 'HiddenServiceDir /var/lib/tor/hidden_service/' >> /etc/tor/torrc
+ echo 'HiddenServicePort 6667 127.0.0.1:6667' >> /etc/tor/torrc
+
+ systemctl restart tor
+ cat /var/lib/tor/hidden_service/hostname
+ dhbt7372zj43c5vmct4f4vikf7hxnlbxrj2ygjjaus6atbydhqsbpyqd.onion
+
+
+
+Now you can use that address to connect to your irc server, now restart inspircd:
+
+
+ systemctl status inspircd
+ systemctl restart inspircd
+
+
+
+client:
+
+
+ sudo apt install irssi hexchat tor
+
+ sudo systemctl start tor
+
+
+
+hexchat
+
+![](3.png) ![](2.png) ![](4.png)
+
+And there you have it! we have been able to log onto our IRC via the tor network.
+
diff --git a/jitsi/0.png b/jitsi/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/jitsi/0.png differ
diff --git a/jitsi/1.png b/jitsi/1.png
new file mode 100644
index 0000000..14da090
Binary files /dev/null and b/jitsi/1.png differ
diff --git a/jitsi/2.png b/jitsi/2.png
new file mode 100644
index 0000000..7d8156a
Binary files /dev/null and b/jitsi/2.png differ
diff --git a/jitsi/3.png b/jitsi/3.png
new file mode 100644
index 0000000..428fdaf
Binary files /dev/null and b/jitsi/3.png differ
diff --git a/jitsi/4.png b/jitsi/4.png
new file mode 100644
index 0000000..ec15199
Binary files /dev/null and b/jitsi/4.png differ
diff --git a/jitsi/5.png b/jitsi/5.png
new file mode 100644
index 0000000..a1924e1
Binary files /dev/null and b/jitsi/5.png differ
diff --git a/jitsi/6.png b/jitsi/6.png
new file mode 100644
index 0000000..8094049
Binary files /dev/null and b/jitsi/6.png differ
diff --git a/jitsi/7.png b/jitsi/7.png
new file mode 100644
index 0000000..422bb6b
Binary files /dev/null and b/jitsi/7.png differ
diff --git a/jitsi/8.png b/jitsi/8.png
new file mode 100644
index 0000000..d38dfee
Binary files /dev/null and b/jitsi/8.png differ
diff --git a/jitsi/index.md b/jitsi/index.md
new file mode 100644
index 0000000..7078374
--- /dev/null
+++ b/jitsi/index.md
@@ -0,0 +1,130 @@
+# Jitsi
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **1**
+
+
+ apt update -y ; apt upgrade -y
+ #hostnamectl set-hostname jitsi.mydoma.in
+ #hostname
+ echo '127.0.0.1 jitsi-test.duckdns.org' >> /etc/hosts
+
+ apt install gnupg -y
+ wget https://download.jitsi.org/jitsi-key.gpg.key
+ apt-key add jitsi-key.gpg.key
+ rm jitsi-key.gpg.key
+
+ echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
+ apt update -y ; apt upgrade -y
+ apt install jitsi-meet -y
+
+
+
+![](1.png) ![](2.png)
+
+
+ apt install certbot prosody -y
+ /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
+
+ nano /etc/prosody/conf.avail/jitsi.your_domain.cfg.lua
+ #CTRL+W to authentication =
+ #then edit it as follows to force registration:
+ authentication = "internal_plain"
+ #OR (risky)
+ authentication = "internal_anonymous"
+
+ echo '
+ VirtualHost "guest.your_domain"
+ authentication = "anonymous"
+ c2s_require_encryption = false
+ ' >> /etc/prosody/conf.avail/jitsi-test.duckdns.org.cfg.lua
+ #OR
+ echo '
+ VirtualHost "guest.your_domain"
+ authentication = "plain"
+ c2s_require_encryption = false
+ ' >> /etc/prosody/conf.avail/jitsi-test.duckdns.org.cfg.lu
+
+ nano /etc/jitsi/meet/jitsi-test.duckdns.org-config.js
+
+ #EDIT THE FOLLOWING LINE IF YOU CHOSE ANONYMOUS
+ #anonymousdomain: 'guest.your_domain',
+
+ ![](3.png)
+
+
+ Then CTRL+S and CTRL+X to exit nano
+
+
+
+ echo 'org.jitsi.jicofo.auth.URL=XMPP:jitsi-test.duckdns.org' >> /etc/jitsi/jicofo/sip-communicator.properties
+
+ prosodyctl register User your_domain P@SSW0RD
+
+ systemctl restart prosody.service jicofo.service jitsi-videobridge2.service nginx
+
+
+
+![](4.png)
+
+doesn't quite work yet. even through a nginx reverse proxy.
+
+Looks like it needs to be an actual signed certificate !!!
+
+
+ apt install socat -y
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+
+ #GET THE CNAME RECORD jitsi-test.duckdns.org pointing to void.yt !!!!
or an A RECORD jitsi-test.duckdns.org to the server's IP !!!
+ systemctl stop nginx
+ acme.sh --issue --standalone -d jitsi-test.duckdns.org -k 4096
+ #then go replace the existing .cer , .key and ca.cer files
+
+ cd /etc/jitsi/meet/
+ cp /root/.acme.sh/jitsi-test.duckdns.org/jitsi-test.duckdns.org.cer jitsi-test.duckdns.org.crt
+ cp /root/.acme.sh/jitsi-test.duckdns.org/jitsi-test.duckdns.org.key jitsi-test.duckdns.org.key
+
+ systemctl start nginx
+
+
+
+Then simply login :
+
+![](5.png) ![](6.png)
+
+Once you're done, hit "go"
+
+![](7.png)
+
+Once in the conference room you can just invite people and give them the private link:
+
+![](8.png)
+
+For instance, this current instance is the following link : https://jitsi-test.duckdns.org/ExceptionalGroundsGazeSecond
+
diff --git a/kanboard/1.png b/kanboard/1.png
new file mode 100644
index 0000000..abb2881
Binary files /dev/null and b/kanboard/1.png differ
diff --git a/kanboard/10.png b/kanboard/10.png
new file mode 100644
index 0000000..1438ab6
Binary files /dev/null and b/kanboard/10.png differ
diff --git a/kanboard/11.png b/kanboard/11.png
new file mode 100644
index 0000000..e32d62d
Binary files /dev/null and b/kanboard/11.png differ
diff --git a/kanboard/12.png b/kanboard/12.png
new file mode 100644
index 0000000..b803fc2
Binary files /dev/null and b/kanboard/12.png differ
diff --git a/kanboard/2.png b/kanboard/2.png
new file mode 100644
index 0000000..173862b
Binary files /dev/null and b/kanboard/2.png differ
diff --git a/kanboard/3.png b/kanboard/3.png
new file mode 100644
index 0000000..d1ec81d
Binary files /dev/null and b/kanboard/3.png differ
diff --git a/kanboard/4.png b/kanboard/4.png
new file mode 100644
index 0000000..c97c4a5
Binary files /dev/null and b/kanboard/4.png differ
diff --git a/kanboard/5.png b/kanboard/5.png
new file mode 100644
index 0000000..f8f7434
Binary files /dev/null and b/kanboard/5.png differ
diff --git a/kanboard/6.png b/kanboard/6.png
new file mode 100644
index 0000000..17a9f51
Binary files /dev/null and b/kanboard/6.png differ
diff --git a/kanboard/7.png b/kanboard/7.png
new file mode 100644
index 0000000..c1d1f9a
Binary files /dev/null and b/kanboard/7.png differ
diff --git a/kanboard/8.png b/kanboard/8.png
new file mode 100644
index 0000000..ae9b2f8
Binary files /dev/null and b/kanboard/8.png differ
diff --git a/kanboard/9.png b/kanboard/9.png
new file mode 100644
index 0000000..ed22a42
Binary files /dev/null and b/kanboard/9.png differ
diff --git a/kanboard/index.md b/kanboard/index.md
new file mode 100644
index 0000000..514c401
--- /dev/null
+++ b/kanboard/index.md
@@ -0,0 +1,132 @@
+# Kanboard (nginx, mariadb, php7.4)
+
+![](logo.jpg)
+
+Rent a VPS with debian 10+ (or just run it yourself, but make sure it is correctly port forwarded so that public ip points to the machine like a vps).
+
+Once you have ssh'd into your debian server as root, we can start:
+
+## **Initial Setup**
+
+
+ apt update -y && apt upgrade -y
+ apt install nginx socat mariadb-server git php8.2-{fpm,mbstring,cli,opcache,zip,xml,gd,ldap,mysql,sqlite3} -y
+ mysql -u root -p
+
+
+
+
+ CREATE DATABASE kanboard CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;;
+ GRANT ALL PRIVILEGES ON kanboard.* TO 'kanboard'@'localhost' IDENTIFIED BY 'StrongPassword';
+ FLUSH PRIVILEGES;
+ \q
+
+
+
+Next you'll need to get the [latest](https://github.com/kanboard/kanboard/releases) version of kanboard, currently it is version 1.2.16
+
+
+ export VER=1.2.16
+ wget https://github.com/kanboard/kanboard/archive/v${VER}.tar.gz
+ tar xvf v${VER}.tar.gz
+ rm -f v${VER}.tar.gz
+ mv kanboard-${VER}/ /var/www/kanboard
+
+
+
+Next we configure config.php:
+
+
+ wget https://blog.nowhere.moe/servers/kanboard/config.php -O /var/www/kanboard/config.php
+ nano /var/www/kanboard/config.php
+
+
+
+Edit the config file if you want, the important part being the following:
+
+![](1.png)
+
+Then hit CTRL+S to save and CTRL+X to exit nano.
+
+## **Configuring NGINX**
+
+
+ chown -R www-data:www-data /var/www/kanboard
+ wget https://blog.nowhere.moe/servers/kanboard/kanboard.conf -O /etc/nginx/sites-available/kanboard.conf
+ rm /etc/nginx/sites-available/default
+ rm /etc/nginx/sites-enabled/default
+ ln -s /etc/nginx/sites-available/kanboard.conf /etc/nginx/sites-enabled/kanboard.conf
+
+
+
+Now for this part we need a domain name, if you want the a free alternative just use [duckdns.org](https://www.duckdns.org/)
+
+![](2.png)
+
+Test if the domain name correctly points to your server's ip address:
+
+![](3.png)
+
+Once that's done use acme.sh to get your free letsencrypt certificate:
+
+
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+
+ systemctl stop nginx
+ acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
+ systemctl start nginx
+
+ nginx -t
+
+
+
+![](4.png)
+
+
+ nano /etc/nginx/conf.d/kanboard.conf
+
+
+
+next just change the domain name to yours:
+
+![](5.png)
+
+hit ctrl+S and ctrl+X when you're done, and then reload the nginx configuration:
+
+
+ systemctl restart php7.4-fpm nginx mysql
+
+
+
+BONUS: self registration plugin for public usage:
+
+
+ cd /var/www/kanboard/plugins
+ git clone https://github.com/kanboard/plugin-registration
+ mv plugin-registration Registration
+ chown -R www-data:www-data /var/www/kanboard
+
+
+## **Configuring Kanboard**
+
+Once that's done just get to your website:
+
+![](6.png)
+
+The default credentials are **admin:admin** , you can change them here:
+
+![](7.png) ![](8.png)
+
+Next just create a new project:
+
+![](9.png) ![](10.png)
+
+Then add tasks to it:
+
+![](11.png)
+
+You can easily drag and drop tasks with your mouse around when you're finished with them
+
+![](12.png)
+
diff --git a/kanboard/logo.jpg b/kanboard/logo.jpg
new file mode 100644
index 0000000..70a1fe6
Binary files /dev/null and b/kanboard/logo.jpg differ
diff --git a/kutt/0.png b/kutt/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/kutt/0.png differ
diff --git a/kutt/1.png b/kutt/1.png
new file mode 100644
index 0000000..0e2a5ca
Binary files /dev/null and b/kutt/1.png differ
diff --git a/kutt/2.png b/kutt/2.png
new file mode 100644
index 0000000..a881971
Binary files /dev/null and b/kutt/2.png differ
diff --git a/kutt/3.png b/kutt/3.png
new file mode 100644
index 0000000..6fa7431
Binary files /dev/null and b/kutt/3.png differ
diff --git a/kutt/4.png b/kutt/4.png
new file mode 100644
index 0000000..472d2f4
Binary files /dev/null and b/kutt/4.png differ
diff --git a/kutt/index.md b/kutt/index.md
new file mode 100644
index 0000000..db31c79
--- /dev/null
+++ b/kutt/index.md
@@ -0,0 +1,78 @@
+# Kutt URL Shortener
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+## **1**
+
+
+ apt update -y && apt upgrade -y
+ apt install docker.io docker-compose git -y
+ git clone https://github.com/thedevs-network/kutt
+ cd kutt
+
+ cp .example.env .env
+ nano .env
+
+
+![](2.png)
+
+Hit ctrl+S to save and ctrl+X to exit nano
+
+
+ docker-compose up -d
+
+
+
+Now we need to handle the nginx proxy:
+
+First get the CNAME dns record on your domain name (for example u.void.yt points to void.yt) if it were an external server it would be an A record (u.void.yt pointing to an external ip address)
+
+
+ cd /etc/nginx/sites-available/
+ wget https://blog.nowhere.moe/servers/kutt/kutt.conf
+ ln -s /etc/nginx/sites-available/kutt.conf /etc/nginx/sites-enabled/kutt.conf
+ nano /etc/nginx/sites-available/kutt.conf
+
+ #change the domain name to match yours
+ #ctrl +s to save ctrl +x to exit nano
+
+ systemctl stop nginx
+ acme.sh --issue --standalone -d u.void.yt -k 4096
+ systemctl start nginx
+
+ nginx -t
+
+
+
+
+Then just visit your website:
+
+![](3.png)
+
+then just create shortened links:
+
+![](4.png)
+
diff --git a/kvm/0.png b/kvm/0.png
new file mode 100644
index 0000000..1e53b60
Binary files /dev/null and b/kvm/0.png differ
diff --git a/kvm/1.png b/kvm/1.png
new file mode 100644
index 0000000..7724679
Binary files /dev/null and b/kvm/1.png differ
diff --git a/kvm/10.png b/kvm/10.png
new file mode 100644
index 0000000..38f8cf7
Binary files /dev/null and b/kvm/10.png differ
diff --git a/kvm/11.png b/kvm/11.png
new file mode 100644
index 0000000..67b1fd8
Binary files /dev/null and b/kvm/11.png differ
diff --git a/kvm/12.png b/kvm/12.png
new file mode 100644
index 0000000..64bf3c9
Binary files /dev/null and b/kvm/12.png differ
diff --git a/kvm/13.png b/kvm/13.png
new file mode 100644
index 0000000..413bd32
Binary files /dev/null and b/kvm/13.png differ
diff --git a/kvm/14.png b/kvm/14.png
new file mode 100644
index 0000000..37d1fe9
Binary files /dev/null and b/kvm/14.png differ
diff --git a/kvm/15.png b/kvm/15.png
new file mode 100644
index 0000000..8c8d38e
Binary files /dev/null and b/kvm/15.png differ
diff --git a/kvm/16.png b/kvm/16.png
new file mode 100644
index 0000000..79dcea1
Binary files /dev/null and b/kvm/16.png differ
diff --git a/kvm/2.png b/kvm/2.png
new file mode 100644
index 0000000..44fd1ae
Binary files /dev/null and b/kvm/2.png differ
diff --git a/kvm/3.png b/kvm/3.png
new file mode 100644
index 0000000..2d9876e
Binary files /dev/null and b/kvm/3.png differ
diff --git a/kvm/4.png b/kvm/4.png
new file mode 100644
index 0000000..2d8e81e
Binary files /dev/null and b/kvm/4.png differ
diff --git a/kvm/5.png b/kvm/5.png
new file mode 100644
index 0000000..cbbf36b
Binary files /dev/null and b/kvm/5.png differ
diff --git a/kvm/6.png b/kvm/6.png
new file mode 100644
index 0000000..0ba8789
Binary files /dev/null and b/kvm/6.png differ
diff --git a/kvm/7.png b/kvm/7.png
new file mode 100644
index 0000000..0e362c1
Binary files /dev/null and b/kvm/7.png differ
diff --git a/kvm/8.png b/kvm/8.png
new file mode 100644
index 0000000..8cebd9f
Binary files /dev/null and b/kvm/8.png differ
diff --git a/kvm/9.png b/kvm/9.png
new file mode 100644
index 0000000..333ca77
Binary files /dev/null and b/kvm/9.png differ
diff --git a/kvm/index.md b/kvm/index.md
new file mode 100644
index 0000000..d484dca
--- /dev/null
+++ b/kvm/index.md
@@ -0,0 +1,210 @@
+# Multiple kvm monitors Setup
+
+![](0.png)
+
+## **Initial Setup**
+
+First configure the VM in virt-manager:
+
+
+ sudo pacman -S virt-viewer
+
+
+
+` ![](1.png) ![](2.png) ![](3.png)
+
+Then connect to it via remote-viewer after launching it:
+
+
+ [ 10.0.2.2/24 ] [ nowhere ] [VAULT/ISOs/whonix]
+ → remote-viewer spice://localhost:5900
+
+
+
+![](4.png)
+
+And that's it! You are now able to view KVMs via multiple screens. And that is otherwise impossible without specifically doing a gpu passthrough for just one VM.
+
+## **CLipboard Setup**
+
+As seen [here](https://askubuntu.com/questions/858649/how-can-i-copypaste-from-the-host-to-a-kvm-guest), we can install spice-guest-tools-latest.exe on the win10 VM [spice-guest-tools-latest.exe](https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe), after installing it on a win10 host, you will be able to copy and paste to and from the QEMU VM. (via virt-manager), however for linux VMs you can just install the **spice-vdagent** package:
+
+if you want the virtio display drivers, follow the proxmox tutorial for it: [here](https://pve.proxmox.com/wiki/Windows_VirtIO_Drivers), you can download the latest virtio drivers [here](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso)
+
+
+ sudo apt install spice-vdagent -y
+ sudo reboot now
+
+
+
+With this setup for instance, you can copy to and from a qemu VM A and B, and to the host aswell.
+
+If you experience any crackling sound on a debian VM (wether through the default virt-manager window or through a passthrough USB headset device do the following:
+
+
+ vim /etc/pulse/daemon.conf
+
+ [...]
+ default-sample-rate = 48000
+ [...]
+
+ :wq
+
+ kill -9 $(pidof pulseaudio)
+
+ pulseaudio
+
+
+
+You can also install cockpit to manage your KVMs remotely:
+
+
+ apt install cockpit cockpit-machines -y
+
+
+
+And make it easier to spin up vms anywhere in the system by not letting it use SELinux:
+
+
+ [ 192.168.0.50/24 ] [ /dev/pts/1 ] [lib/libvirt/images]
+ → cat /etc/libvirt/qemu.conf | grep none | grep security_driver
+ # value of security_driver cannot contain "dac". The value "none" is
+ security_driver = "none"
+
+ [ 192.168.0.50/24 ] [ /dev/pts/1 ] [/etc/cockpit]
+ → cat cockpit.conf
+ [WebService]
+ Origins = https://pve2.nowhere.moe wss://pve2.nowhere.moe https://192.168.0.50:9090 https://pve2backend
+ ProtocolHeader = X-Forwarded-Proto
+
+ #with this it should be ready to be put behind a local reverse nginx proxy^
+
+ [ 192.168.0.50/24 ] [ /dev/pts/1 ] [lib/libvirt/images]
+ → systemctl restart libvirtd
+
+
+
+Then put it behind a reverse nginx proxy if you want, and dont forget to make it password protected with a basic auth
+
+
+ [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available]
+ → cat pve2.nowhere.moe
+ upstream pve2backend {
+ server 192.168.0.50:9090;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name pve2.nowhere.moe;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name pve2.nowhere.moe;
+
+ ssl_certificate /root/.acme.sh/pve2.nowhere.moe/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/pve2.nowhere.moe/pve2.nowhere.moe.cer;
+ ssl_certificate_key /root/.acme.sh/pve2.nowhere.moe/pve2.nowhere.moe.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers
'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ #apt install apache2-utils -y
+ #htpasswd -c /etc/nginx/auth/default.htpasswd nothing
+
+ auth_basic "Password protection";
+ auth_basic_user_file /etc/nginx/auth/default.htpasswd;
+
+ proxy_pass https://pve2backend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+
+
+To resize a qcow2 disk do the following:
+
+
+ [ 192.168.0.50/24 ] [ /dev/pts/1 ] [/media/veracrypt1/VMs]
+ → ls
+ debian_template.qcow2 home.qcow2 mc-1.16.5.qcow2
+
+ [ 192.168.0.50/24 ] [ /dev/pts/1 ] [/media/veracrypt1/VMs]
+ → which qemu-img
+ /usr/bin/qemu-img
+
+ [ 192.168.0.50/24 ] [ /dev/pts/1 ] [/media/veracrypt1/VMs]
+ → qemu-img resize mc-1.16.5.qcow2 +30G
+ Image resized.
+
+
+
+then to resize the root partition you need to boot into a live OS that you mount on the VM,
+
+MAKE A SNAPSHOT OF THE VM TO BE SAFE
+
+then use gparted from the live iso to resize the / partition to be +30G
+
+![](5.png) ![](6.png) ![](7.png) ![](8.png) ![](9.png) ![](10.png) ![](11.png) ![](12.png) ![](13.png) ![](14.png) ![](15.png) ![](16.png)
+
+Then boot in the system again and see that the root partition has changed:
+
+
+ [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/Nextcloud/blog]
+ → ssh mclocal2
+ Linux debian 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Thu Sep 7 18:45:05 2023 from 10.99.99.9
+ root@debian:~# dfc
+ FILESYSTEM (=) USED FREE (-) %USED AVAILABLE TOTAL MOUNTED ON
+ udev [--------------------] 0.0% 3.9G 3.9G /dev
+ tmpfs [=-------------------] 0.1% 793.5M 794.1M /run
+ /dev/vda1 [===-----------------] 12.3% 59.4G 67.8G /
+ tmpfs [--------------------] 0.0% 3.9G 3.9G /dev/shm
+ tmpfs [--------------------] 0.0% 5.0M 5.0M /run/lock
+ tmpfs [--------------------] 0.0% 794.1M 794.1M /run/user/0
+
+
+
+To have the CPU host-passthrough configuration, you need the following:
+
+
+ in bios:
+ advanced > cpu configuration > Intel virtualisation technology / SMX enabled
+
+ enable IOMMU wherever it is
+
+ then once rebooted
+
+ go in your VM in virt-manager > preferences > edit XML
+ then VM > details > CPUs > XML > edit the first line to be "<****domain type="kvm">"
+
+
+
+
diff --git a/lainradio/0.png b/lainradio/0.png
new file mode 100644
index 0000000..b7dc9d2
Binary files /dev/null and b/lainradio/0.png differ
diff --git a/lainradio/1.png b/lainradio/1.png
new file mode 100644
index 0000000..15ff5c1
Binary files /dev/null and b/lainradio/1.png differ
diff --git a/lainradio/10.png b/lainradio/10.png
new file mode 100644
index 0000000..d125558
Binary files /dev/null and b/lainradio/10.png differ
diff --git a/lainradio/11.png b/lainradio/11.png
new file mode 100644
index 0000000..e9b0569
Binary files /dev/null and b/lainradio/11.png differ
diff --git a/lainradio/12.png b/lainradio/12.png
new file mode 100644
index 0000000..5d16f24
Binary files /dev/null and b/lainradio/12.png differ
diff --git a/lainradio/13.png b/lainradio/13.png
new file mode 100644
index 0000000..e2e27b6
Binary files /dev/null and b/lainradio/13.png differ
diff --git a/lainradio/14.png b/lainradio/14.png
new file mode 100644
index 0000000..12b0aa3
Binary files /dev/null and b/lainradio/14.png differ
diff --git a/lainradio/15.png b/lainradio/15.png
new file mode 100644
index 0000000..af73965
Binary files /dev/null and b/lainradio/15.png differ
diff --git a/lainradio/16.png b/lainradio/16.png
new file mode 100644
index 0000000..9a990d3
Binary files /dev/null and b/lainradio/16.png differ
diff --git a/lainradio/17.png b/lainradio/17.png
new file mode 100644
index 0000000..1ecf7e1
Binary files /dev/null and b/lainradio/17.png differ
diff --git a/lainradio/18.png b/lainradio/18.png
new file mode 100644
index 0000000..4ebeacb
Binary files /dev/null and b/lainradio/18.png differ
diff --git a/lainradio/19.png b/lainradio/19.png
new file mode 100644
index 0000000..039f5f3
Binary files /dev/null and b/lainradio/19.png differ
diff --git a/lainradio/2.png b/lainradio/2.png
new file mode 100644
index 0000000..3d51090
Binary files /dev/null and b/lainradio/2.png differ
diff --git a/lainradio/20.png b/lainradio/20.png
new file mode 100644
index 0000000..289bcef
Binary files /dev/null and b/lainradio/20.png differ
diff --git a/lainradio/21.png b/lainradio/21.png
new file mode 100644
index 0000000..d3477a0
Binary files /dev/null and b/lainradio/21.png differ
diff --git a/lainradio/22.png b/lainradio/22.png
new file mode 100644
index 0000000..c38199b
Binary files /dev/null and b/lainradio/22.png differ
diff --git a/lainradio/23.png b/lainradio/23.png
new file mode 100644
index 0000000..0217058
Binary files /dev/null and b/lainradio/23.png differ
diff --git a/lainradio/24.png b/lainradio/24.png
new file mode 100644
index 0000000..9128541
Binary files /dev/null and b/lainradio/24.png differ
diff --git a/lainradio/25.png b/lainradio/25.png
new file mode 100644
index 0000000..11fa87c
Binary files /dev/null and b/lainradio/25.png differ
diff --git a/lainradio/26.png b/lainradio/26.png
new file mode 100644
index 0000000..69833cd
Binary files /dev/null and b/lainradio/26.png differ
diff --git a/lainradio/27.png b/lainradio/27.png
new file mode 100644
index 0000000..8cad8e7
Binary files /dev/null and b/lainradio/27.png differ
diff --git a/lainradio/28.png b/lainradio/28.png
new file mode 100644
index 0000000..424f7b7
Binary files /dev/null and b/lainradio/28.png differ
diff --git a/lainradio/29.png b/lainradio/29.png
new file mode 100644
index 0000000..35b92bf
Binary files /dev/null and b/lainradio/29.png differ
diff --git a/lainradio/3.png b/lainradio/3.png
new file mode 100644
index 0000000..df7056c
Binary files /dev/null and b/lainradio/3.png differ
diff --git a/lainradio/30.png b/lainradio/30.png
new file mode 100644
index 0000000..ea9de20
Binary files /dev/null and b/lainradio/30.png differ
diff --git a/lainradio/31.png b/lainradio/31.png
new file mode 100644
index 0000000..dc013b3
Binary files /dev/null and b/lainradio/31.png differ
diff --git a/lainradio/32.png b/lainradio/32.png
new file mode 100644
index 0000000..e7f3ec8
Binary files /dev/null and b/lainradio/32.png differ
diff --git a/lainradio/33.png b/lainradio/33.png new file mode 100644 index 0000000..c9bbaf7 Binary files /dev/null and b/lainradio/33.png differ diff --git a/lainradio/34.png b/lainradio/34.png new file mode 100644 index 0000000..40b4179 Binary files /dev/null and b/lainradio/34.png differ diff --git a/lainradio/35.png b/lainradio/35.png new file mode 100644 index 0000000..57ee5a8 Binary files /dev/null and b/lainradio/35.png differ diff --git a/lainradio/36.png b/lainradio/36.png new file mode 100644 index 0000000..45176b5 Binary files /dev/null and b/lainradio/36.png differ diff --git a/lainradio/37.png b/lainradio/37.png new file mode 100644 index 0000000..ec422c1 Binary files /dev/null and b/lainradio/37.png differ diff --git a/lainradio/38.png b/lainradio/38.png new file mode 100644 index 0000000..e4c3e87 Binary files /dev/null and b/lainradio/38.png differ diff --git a/lainradio/39.png b/lainradio/39.png new file mode 100644 index 0000000..5f55619 Binary files /dev/null and b/lainradio/39.png differ diff --git a/lainradio/4.png b/lainradio/4.png new file mode 100644 index 0000000..13ed628 Binary files /dev/null and b/lainradio/4.png differ diff --git a/lainradio/40.png b/lainradio/40.png new file mode 100644 index 0000000..ba7615e Binary files /dev/null and b/lainradio/40.png differ diff --git a/lainradio/41.png b/lainradio/41.png new file mode 100644 index 0000000..63bd0fc Binary files /dev/null and b/lainradio/41.png differ diff --git a/lainradio/42.png b/lainradio/42.png new file mode 100644 index 0000000..ff0ea5c Binary files /dev/null and b/lainradio/42.png differ diff --git a/lainradio/43.png b/lainradio/43.png new file mode 100644 index 0000000..87a4aed Binary files /dev/null and b/lainradio/43.png differ diff --git a/lainradio/44.png b/lainradio/44.png new file mode 100644 index 0000000..caf6e2a Binary files /dev/null and b/lainradio/44.png differ 
diff --git a/lainradio/45.png b/lainradio/45.png new file mode 100644 index 0000000..237c8a7 Binary files /dev/null and b/lainradio/45.png differ diff --git a/lainradio/46.png b/lainradio/46.png new file mode 100644 index 0000000..e3aa92c Binary files /dev/null and b/lainradio/46.png differ diff --git a/lainradio/47.png b/lainradio/47.png new file mode 100644 index 0000000..357930e Binary files /dev/null and b/lainradio/47.png differ diff --git a/lainradio/48.png b/lainradio/48.png new file mode 100644 index 0000000..100dfc5 Binary files /dev/null and b/lainradio/48.png differ diff --git a/lainradio/49.png b/lainradio/49.png new file mode 100644 index 0000000..ab7238c Binary files /dev/null and b/lainradio/49.png differ diff --git a/lainradio/5.png b/lainradio/5.png new file mode 100644 index 0000000..89cb370 Binary files /dev/null and b/lainradio/5.png differ diff --git a/lainradio/50.png b/lainradio/50.png new file mode 100644 index 0000000..90b926e Binary files /dev/null and b/lainradio/50.png differ diff --git a/lainradio/51.png b/lainradio/51.png new file mode 100644 index 0000000..ec3d15a Binary files /dev/null and b/lainradio/51.png differ diff --git a/lainradio/52.png b/lainradio/52.png new file mode 100644 index 0000000..5c24750 Binary files /dev/null and b/lainradio/52.png differ diff --git a/lainradio/53.png b/lainradio/53.png new file mode 100644 index 0000000..90560d3 Binary files /dev/null and b/lainradio/53.png differ diff --git a/lainradio/6.png b/lainradio/6.png new file mode 100644 index 0000000..ca9696d Binary files /dev/null and b/lainradio/6.png differ diff --git a/lainradio/7.png b/lainradio/7.png new file mode 100644 index 0000000..e3f8dfb Binary files /dev/null and b/lainradio/7.png differ diff --git a/lainradio/8.png b/lainradio/8.png new file mode 100644 index 0000000..51a9ea1 Binary files /dev/null and b/lainradio/8.png differ 
diff --git a/lainradio/9.png b/lainradio/9.png new file mode 100644 index 0000000..092042c Binary files /dev/null and b/lainradio/9.png differ diff --git a/lainradio/index.md b/lainradio/index.md new file mode 100644 index 0000000..f71737e --- /dev/null +++ b/lainradio/index.md 
@@ -0,0 +1,2983 @@
+# Lainon Radio Setup
+
+![](0.png)
+
+In this tutorial we're going to setup a web radio for lainons on a debian server VM, figuring out how barrucadu installed [lainon.life](https://lainon.life) by looking at his github [repository](https://github.com/barrucadu/lainonlife).
+
+## **Initial Setup**
+
+First let's clone the repository into /srv
+
+
+ root@lain:/srv# apt update -y ; apt upgrade -y ; apt install git net-utils vim -y
+
+ #for arch users:
+ root@lain:/srv# pacman -Syyuu ; pacman -S git vim
+
+ root@lain:/srv# cd /srv
+ root@lain:/srv# git clone https://github.com/barrucadu/lainonlife
+
+
+
+Once that's done we start to install the required dependencies:
+
+
+ root@lain:/srv# apt install curl mpd mpc alsa-utils nginx -y
+
+ #for arch users:
+ root@lain:/srv# pacman -S curl mpd mpc alsa-utils nginx -y
+
+
+
+We're going to start with the nginx configuration:
+
+
+ root@lain:/srv# ls
+ lainonlife
+ root@lain:/srv# cd lainonlife/examples/
+ root@lain:/srv/lainonlife/examples# ls -l
+ total 12
+ -rw-r--r-- 1 root root 1944 Jul 11 22:11 icecast.xml
+ -rw-r--r-- 1 root root 1136 Jul 11 22:11 mpd-cyberia.conf
+ -rw-r--r-- 1 root root 1161 Jul 11 22:11 nginx.conf
+
+
+ root@lain:/srv/lainonlife/examples# cp nginx.conf /etc/nginx/sites-available/lainon.conf
+ root@lain:/srv/lainonlife/examples# cd /etc/nginx/sites-available/
+ root@lain:/etc/nginx/sites-available# rm default
+ root@lain:/etc/nginx/sites-available# rm ../sites-enabled/default
+ root@lain:/etc/nginx/sites-available# vim lain.conf
+
+ root@lain:/etc/nginx/sites-available# cat lain.conf
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name lain.void.yt;
+ root /srv/http;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header Accept-Encoding "";
+
+ # this is needed to let people ajax stuff from other sites.
+ add_header 'Access-Control-Allow-Origin' '*';
+
+ # this is very important! if you don't set it, nginx will buffer
+ # the proxied audio stream to disk and eat all your space!
+ proxy_max_temp_file_size 0;
+
+ location / {
+ try_files $uri $uri/ @script;
+ }
+
+ # icecast
+ location /radio/ {
+ proxy_pass http://localhost:8000/;
+ }
+
+ # grafana
+ #location /graphs/ {
+ # proxy_pass http://localhost:8001/;
+ #}
+
+ # backend
+ location @script {
+ proxy_pass http://localhost:8002;
+ }
+ }
+
+ root@lain:/etc/nginx/sites-available# ln -s /etc/nginx/sites-available/lain.conf /etc/nginx/sites-enabled/
+ root@lain:/etc/nginx/sites-available# nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+
+
+So right here in the nginx config i changed the server_name to match the DNS i will give it, and i commented out the grafana block because i won't use it. Although we do need the @script backend and icecast. So now from here let's move on to [icecast](https://github.com/xiph/icecast-server), we're going to clone it in /srv too:
+
+
+ root@lain:/etc/nginx/sites-available# cd /srv
+
+ root@lain:/srv/icecast-server# apt install vorbis-tools libvorbis-dev libxml2 libxml2-dev libxslt1.1 libxslt1-dev curl pkg-config dh-autoreconf -y
+
+ root@lain:/srv/icecast-server# source ~/.bashrc
+
+
+
+ [ lain ] [ /dev/pts/1 ] [/srv]
+ → git clone https://gitlab.xiph.org/xiph/icecast-server --recursive
+ Cloning into 'icecast-server'...
+ warning: redirecting to https://gitlab.xiph.org/xiph/icecast-server.git/
+ remote: Enumerating objects: 18225, done.
+ remote: Counting objects: 100% (1985/1985), done.
+ remote: Compressing objects: 100% (432/432), done.
+ remote: Total 18225 (delta 1571), reused 1949 (delta 1545), pack-reused 16240
+ Receiving objects: 100% (18225/18225), 6.78 MiB | 1.19 MiB/s, done.
+ Resolving deltas: 100% (14236/14236), done.
+ Submodule 'm4' (https://gitlab.xiph.org/xiph/icecast-m4.git) registered for path 'm4'
+ Submodule 'src/common' (https://gitlab.xiph.org/xiph/icecast-common.git) registered for path 'src/common'
+ Cloning into '/srv/icecast-server/m4'...
+ remote: Enumerating objects: 230, done.
+ remote: Counting objects: 100% (7/7), done.
+ remote: Compressing objects: 100% (5/5), done.
+ remote: Total 230 (delta 2), reused 7 (delta 2), pack-reused 223
+ Receiving objects: 100% (230/230), 50.94 KiB | 145.00 KiB/s, done.
+ Resolving deltas: 100% (131/131), done.
+ Cloning into '/srv/icecast-server/src/common'...
+ remote: Enumerating objects: 2613, done.
+ remote: Counting objects: 100% (72/72), done.
+ remote: Compressing objects: 100% (34/34), done.
+ remote: Total 2613 (delta 37), reused 72 (delta 37), pack-reused 2541
+ Receiving objects: 100% (2613/2613), 468.38 KiB | 587.00 KiB/s, done.
+ Resolving deltas: 100% (1828/1828), done.
+ Submodule path 'm4': checked out '2c950d5f44435b25fae36586f23ba98328adedfa'
+ Submodule path 'src/common': checked out '617d219021956706a6f664eba437f94bfdbde8b2'
+
+ root@lain:/srv# cd icecast-server/
+
+ root@lain:/srv/icecast-server# ./autogen.sh
+
+ root@lain:/srv/icecast-server# chmod +x configure
+
+ #for arch users:
+ root@lain:/srv/icecast-server# pacman -S libxslt
+
+ root@lain:/srv/icecast-server# ./configure
+
+ [...]
+
+
+ config.status: executing libtool commands
+
+ Icecast configuration
+ ---------------------
+ Version : 2.4.99.2
+ cURL : no
+ TLS (openSSL) : no
+
+ Format/Codec support:
+ Ogg : yes
+ Theora : no
+ Speex : no
+
+ Features:
+ YP support : no
+ Client tests : no
+
+ Development logging: no
+
+ root@lain:/srv/icecast-server# make
+ root@lain:/srv/icecast-server# make install
+
+
+
+Once it's done we should be able to get the **icecast** binary added to our PATH, and a sample config file in **/usr/local/etc/** :
+
+
+ root@lain:/srv/icecast-server# which icecast
+ /usr/local/bin/icecast
+
+ root@lain:/srv/icecast-server# ls /usr/local/etc
+ icecast.xml
+
+
+
+Although barrucadu also left a sample config for us to use, so let's test it after we modify it to match our Icecast install's directory paths for **/var/log/icecast** , **/srv/IcecastServer/admin/** , and **/srv/icecast-server/web/** :
+
+
+ root@lain:/srv/icecast-server# mkdir /var/log/icecast
+ root@lain:/srv/icecast-server# ls -l /var/log/icecast /srv/icecast-server/admin/ /srv/icecast-server/web/
+ /srv/icecast-server/admin/:
+ total 88
+ -rw-r--r-- 1 root root 834 Jul 11 22:36 error-html.xsl
+ -rw-r--r-- 1 root root 650 Jul 11 22:36 error-plaintext.xsl
+ drwxr-xr-x 2 root root 4096 Jul 11 22:36 includes
+ -rw-r--r-- 1 root root 1735 Jul 11 22:36 listclients.xsl
+ -rw-r--r-- 1 root root 2431 Jul 11 22:36 listmounts.xsl
+ -rw-r--r-- 1 root root 16245 Jul 11 22:55 Makefile
+ -rw-r--r-- 1 root root 495 Jul 11 22:36 Makefile.am
+ -rw-r--r-- 1 root root 16338 Jul 11 22:48 Makefile.in
+ -rw-r--r-- 1 root root 2556 Jul 11 22:36 manageauth.xsl
+ -rw-r--r-- 1 root root 1686 Jul 11 22:36 moveclients.xsl
+ -rw-r--r-- 1 root root 714 Jul 11 22:36 response.xsl
+ -rw-r--r-- 1 root root 4541 Jul 11 22:36 stats.xsl
+ -rw-r--r-- 1 root root 1227 Jul 11 22:36 updatemetadata.xsl
+ -rw-r--r-- 1 root root 2322 Jul 11 22:36 vclt.xsl
+ -rw-r--r-- 1 root root 2981 Jul 11 22:36 xspf.xsl
+
+ /srv/icecast-server/web/:
+ total 108
+ drwxr-xr-x 4 root root 4096 Jul 11 22:36 assets
+ -rw-r--r-- 1 root root 1432 Jul 11 22:36 auth.xsl
+ -rw-r--r-- 1 root root 1406 Jul 11 22:36 favicon.ico
+ -rw-r--r-- 1 root root 9124 Jul 11 22:36 icecast.png
+ -rw-r--r-- 1 root root 2228 Jul 11 22:36 key.png
+ -rw-r--r-- 1 root root 16426 Jul 11 22:55 Makefile
+ -rw-r--r-- 1 root root 811 Jul 11 22:36 Makefile.am
+ -rw-r--r-- 1 root root 16525 Jul 11 22:48 Makefile.in
+ -rw-r--r-- 1 root root 1632 Jul 11 22:36 server_version.xsl
+ -rw-r--r-- 1 root root 2009 Jul 11 22:36 status-json.xsl
+ -rw-r--r-- 1 root root 5387 Jul 11 22:36 status.xsl
+ -rw-r--r-- 1 root root 3879 Jul 11 22:36 style.css
+ -rw-r--r-- 1 root root 2042 Jul 11 22:36 tunein.png
+ -rw-r--r-- 1 root root 9450 Jul 11 22:36 xml2json.xslt
+
+ /var/log/icecast:
+ total 0
+
+ root@lain:/srv/icecast-server# cd conf/
+ root@lain:/srv/icecast-server/conf# cp /srv/lainonlife/examples/icecast.xml .
+
+ root@lain:/srv/icecast-server/conf# vim icecast.xml
+
+
+
+Here i basically changed the hostname, the admin password and the icecast directory paths we mentionned earlier:
+
+![](1.png)
+
+Below those you can also see that we will need to setup the mpd mountpoints later on. We now change the ownership of /var/log/icecast to **nobody:nogroup**
+
+
+ root@lain:/srv/icecast-server/conf# ls -lash icecast.xml
+ 4.0K -rw-r--r-- 1 root root 1.9K Jul 11 23:20 icecast.xml
+
+ root@lain:/srv/icecast-server/conf# mkdir /var/log/icecast/
+ root@lain:/srv/icecast-server/conf# chown -R nobody:nogroup /var/log/icecast/
+ root@lain:/srv/icecast-server/conf# ls -lash /var/log
+ total 760K
+ 4.0K drwxr-xr-x 10 root root 4.0K Jul 11 23:04 .
+ 4.0K drwxr-xr-x 12 root root 4.0K Jul 11 22:13 ..
+ 28K -rw-r--r-- 1 root root 24K Jul 11 22:45 alternatives.log
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 11 23:22 apt
+ 4.0K -rw-r----- 1 root adm 3.8K Jul 11 23:17 auth.log
+ 0 -rw-rw---- 1 root utmp 0 Jul 11 21:41 btmp
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 11 21:52 cups
+ 36K -rw-r----- 1 root adm 30K Jul 11 23:24 daemon.log
+ 12K -rw-r----- 1 root adm 9.3K Jul 11 21:52 debug
+ 408K -rw-r--r-- 1 root root 403K Jul 11 23:22 dpkg.log
+ 8.0K -rw-r--r-- 1 root root 32K Jul 11 22:13 faillog
+ 4.0K -rw-r--r-- 1 root root 2.1K Jul 11 22:13 fontconfig.log
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 11 21:48 hp
+ 4.0K drwxr-xr-x 2 nobody nogroup 4.0K Jul 11 23:04 icecast
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 11 21:52 installer
+ 60K -rw-r----- 1 root adm 60K Jul 11 21:59 kern.log
+ 12K -rw-rw-r-- 1 root utmp 286K Jul 11 22:13 lastlog
+ 52K -rw-r----- 1 root adm 51K Jul 11 21:59 messages
+ 4.0K drwxr-xr-x 2 mpd audio 4.0K Jul 11 22:13 mpd
+ 4.0K drwxr-xr-x 2 root adm 4.0K Jul 11 22:28 nginx
+ 4.0K drwx------ 2 root root 4.0K Jul 11 21:52 private
+ 92K -rw-r----- 1 root adm 90K Jul 11 23:24 syslog
+ 4.0K -rw-rw-r-- 1 root utmp 3.0K Jul 11 21:59 wtmp
+
+ root@lain:/srv/icecast-server/conf# icecast -c /srv/icecast-server/conf/icecast.xml
+ [2021-07-11 23:24:33] WARN CONFIG/_parse_root Warning, <****location> not configured, using default value "Earth".
+ [2021-07-11 23:24:33] WARN CONFIG/_parse_root Warning, <****admin> contact not configured, using default value "icemaster@localhost". This breaks YP directory listings. YP directory support will be disabled.
+ Changed groupid to 65534.
+ Changed supplementary groups based on user: nobody.
+ Changed userid to 65534.
+
+We can check that our icecast server is running on port 8000:
+
+![](2.png)
+
+Now that's done, exit out of icecast with CTRL+C and let's configure mpd using barrucadu's sample config file:
+
+
+ root@lain:/srv/icecast-server/conf# cd ../..
+ root@lain:/srv# cd lainonlife/
+ root@lain:/srv/lainonlife# cd examples/
+ root@lain:/srv/lainonlife/examples# vim mpd-cyberia.conf
+
+
+
+![](3.png)
+
+First we setup the root directory for our music files in **/srv/radio/music/cyberia/** and the **/srv/radio/data/cyberia/playlists** directory:
+
+
+ root@lain:/srv# mkdir -p /srv/radio/data/cyberia/playlists
+ root@lain:/srv# mkdir -p /srv/radio/music/cyberia/
+ root@lain:/srv/radio# tree .
+ .
+ ├── data
+ │   └── cyberia
+ │   └── playlists
+ └── music
+ └── cyberia
+
+ root@lain:/srv# mkdir -p ~/.config/mpd/
+
+ root@lain:/srv# kill $(pidof mpd)
+ root@lain:/srv# cp /srv/lainonlife/examples/mpd-cyberia.conf ~/.config/mpd/mpd.conf
+ root@lain:/srv# mpd
+
+
+
+Now basically we will put our music files into **/srv/radio/cyberia/** , and we can make playlists of it using **ncmpcpp** i will do it from my local machine since my debian VM is in the same local network as i am :
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/30 ] [~]
+ → vim ~/.config/ncmpcpp/config
+
+ [ 10.10.14.8/23 ] [ /dev/pts/30 ] [~]
+ → cat ~/.config/ncmpcpp/config
+ ##
+ # Files
+ # mpd_music_dir = "~/Music"
+ lyrics_directory = ~/.ncmpcpp/lyrics
+ ncmpcpp_directory = ~/.ncmpcpp
+
+ # mpd_host = "localhost"
+ **mpd_host = "10.0.0.201"
+ mpd_port = "6601"**
+
+
+ mpd_connection_timeout = "5"
+ mpd_crossfade_time = "5"
+
+ # Playlist
+ playlist_disable_highlight_delay = "0"
+ playlist_display_mode = "columns"
+ playlist_show_remaining_time = "yes"
+
+ browser_display_mode = "columns"
+ autocenter_mode = "yes"
+ fancy_scrolling = "yes"
+ follow_now_playing_lyrics = "yes"
+ display_screens_numbers_on_start = "yes"
+ ignore_leading_the = "yes"
+ lyrics_database = "1"
+ song_columns_list_format = "(10)[blue]{l} (30)[green]{a} (30)[magenta]{b} (50)[yellow]{t}"
+ colors_enabled = "yes"
+ main_window_color = "white"
+ main_window_highlight_color = "blue"
+ header_window_color = "cyan"
+ volume_color = "red"
+ progressbar_color = "cyan"
+ statusbar_color = "white"
+ active_column_color = "cyan"
+ active_window_border = "blue"
+
+ alternative_header_first_line_format = "$0$aqqu$/a {$7%a - $9}{$5%t$9}|{$8%f$9} $0$atqq$/a$9"
+ alternative_header_second_line_format = "{{$6%b$9}{ [$6%y$9]}}|{%D}"
+ song_list_format = "{$3%n │ $9}{$7%a - $9}{$5%t$9}|{$8%f$9}$R{$6 │ %b$9}{$3 │ %l$9}"
+ user_interface = "alternative"
+ #user_interface = "classic"
+ default_place_to_search_in = "database"
+
+
+ # visualizer
+ #visualizer_fifo_path = "/tmp/mpd.fifo"
+ #visualizer_output_name = "my_fifo"
+ ##visualizer_sync_interval = "12"
+ ##visualizer_type = "wave" (spectrum/wave)
+ #visualizer_type = "spectrum" (spectrum/wave)
+ #visualizer_in_stereo = "yes"
+ #visualizer_look = "+|"
+
+
+ ## Navigation ##
+ cyclic_scrolling = "yes"
+ header_text_scrolling = "yes"
+ jump_to_now_playing_song_at_start = "yes"
+ lines_scrolled = "2"
+
+ ## Other ##
+ system_encoding = "utf-8"
+ regular_expressions = "extended"
+
+
+
+ ## Selected tracks ##
+ selected_item_prefix = "* "
+ discard_colors_if_item_is_selected = "no"
+
+ ## Seeking ##
+ incremental_seeking = "yes"
+ seek_time = "1"
+
+ ## Visivility ##
+ header_visibility = "yes"
+ statusbar_visibility = "yes"
+ titles_visibility = "yes"
+
+
+ progressbar_look = "=>-"
+ #progressbar_boldness = "yes"
+ progressbar_elapsed_color = "white"
+
+ now_playing_prefix = "> "
+ song_status_format = " $2%a $4⟫$3⟫ $8%t $4⟫$3⟫ $5%b "
+ autocenter_mode = "yes"
+ centered_cursor = "yes"
+
+ # Misc
+ display_bitrate = "yes"
+ # enable_window_title = "no"
+ follow_now_playing_lyrics = "yes"
+ ignore_leading_the = "yes"
+ empty_tag_marker = ""
+
+
+
+Now if we want to connec to the mpd server with ncmpcpp we need the mpd server to be bound to it's local ip address instead of it's localhost address, so let's change it and restart it:
+
+
+ root@lain:/srv/radio# vim ~/.config/mpd/mpd.conf
+
+ root@lain:/srv/radio# cat ~/.config/mpd/mpd.conf
+ music_directory "/srv/radio/music/cyberia"
+ playlist_directory "/srv/radio/data/cyberia/playlists"
+ db_file "/srv/radio/data/cyberia/db"
+ state_file "/srv/radio/data/cyberia/state"
+ sticker_file "/srv/radio/data/cyberia/sticker.sql"
+ log_file "/srv/radio/data/syslog"
+ #bind_to_address "127.0.0.1"
+ **bind_to_address "10.0.0.201"
+ port "6601"**
+
+ [...]
+
+ root@lain:/srv/radio# mpd
+ Jul 12 00:13 : hybrid_dsd: The Hybrid DSD decoder is disabled because it was not explicitly enabled
+ Jul 12 00:13 : exception: Input plugin 'tidal' is unavailable: No Tidal application token configured
+ Jul 12 00:13 : exception: Input plugin 'qobuz' is unavailable: No Qobuz app_id configured
+
+ root@lain:/srv/radio# pidof mpd
+ 23898
+
+
+
+You can ignore the the stderr from mpd, mpd is anyway launched as you can see from the pidof command. Now that's done we can connect to it with ncmpcpp:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/30 ] [~]
+ → nmap -sCV -p 6601 10.0.0.201
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-12 00:19 CEST
+ Nmap scan report for 10.0.0.201
+ Host is up (0.0047s latency).
+
+ PORT STATE SERVICE VERSION
+ **6601/tcp open mpd Music Player Daemon 0.21.4**
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
+
+ [ 10.10.14.8/23 ] [ /dev/pts/30 ] [~]
+ → ncmpcpp -h 10.0.0.201 -p 6601
+ Reading configuration from /home/nothing/.config/ncmpcpp/config...
+
+
+
+![](4.png)
+
+Now obviously there are no music files to play yet, so we need to add them to the server's **/srv/radio/music/cyberia/** directory:
+
+
+
+
+ root@lain:/srv/radio/music/cyberia# apt purge youtube-dl -y #youtube-dl is severly outdated on debian's repositories
+ root@lain:/srv/radio/music/cyberia# apt install python3-pip -y
+ root@lain:/srv/radio/music/cyberia# pip3 install youtube-dl
+ root@lain:/srv/radio/music/cyberia# bash
+ root@lain:/srv/radio/music/cyberia# youtube-dl --version
+ 2021.06.06
+
+ root@lain:/srv/radio/music/cyberia# youtube-dl -x https://www.youtube.com/playlist?list=PLMR9WY6VV-0c0bv7MsYjudCxx0X1cXWBQ --audio-format mp3
+ [youtube:tab] PLMR9WY6VV-0c0bv7MsYjudCxx0X1cXWBQ: Downloading webpage
+ [download] Downloading playlist: Serial Experiments Lain OST
+ [youtube:tab] playlist Serial Experiments Lain OST: Downloading 14 videos
+ [download] Downloading video 1 of 14
+ [youtube] AsPLBQfZQ04: Downloading webpage
+ [download] Destination: Serial Experiment Lain - Infanity world-AsPLBQfZQ04.webm
+ [download] 5.3% of 4.98MiB at 54.61KiB/s ETA 01:28
+
+
+ EDIT 2023: now you need to use yt-dlp! https://github.com/yt-dlp/yt-dlp/wiki/Installation
+
+ sudo curl -L https://github.com/yt-dlp/yt-dlp/releases/latest/download/yt-dlp -o /usr/local/bin/yt-dlp
+ sudo chmod a+rx /usr/local/bin/yt-dlp # Make executable
+ yt-dlp -U
+
+ [...]
+
+ [download] Downloading video 14 of 14
+ [youtube] 5dbi4N6NGn4: Downloading webpage
+ [download] Destination: Serial Experiments Lain - Cyberia Theme-5dbi4N6NGn4.webm
+ [download] 100% of 2.57MiB in 00:37
+ [ffmpeg] Destination: Serial Experiments Lain - Cyberia Theme-5dbi4N6NGn4.mp3
+ Deleting original file Serial Experiments Lain - Cyberia Theme-5dbi4N6NGn4.webm (pass -k to keep)
+ [download] Finished downloading playlist: Serial Experiments Lain OST
+
+ root@lain:/srv/radio/music/cyberia# ls -lash
+ total 62M
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 00:55 .
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 12 00:04 ..
+ 2.7M -rw-r--r-- 1 root root 2.7M Jun 9 2017 "Lain's Theme - Lain-o-cwuTmqz8c.mp3"
+ 5.7M -rw-r--r-- 1 root root 5.7M Dec 15 2019 'Serial Experiment Lain - Antidepressant 044-KaOsmUDMdaE.mp3'
+ 4.7M -rw-r--r-- 1 root root 4.7M Dec 24 2019 'Serial Experiment Lain - Cloudy with occasional rain-1TunrW7dRr0.mp3'
+ 4.8M -rw-r--r-- 1 root root 4.8M Dec 9 2019 'Serial Experiment Lain - Duvet (cyberia remix)-juDqDMlTfUg.mp3'
+ 1.5M -rw-r--r-- 1 root root 1.5M Mar 18 2015 'Serial Experiment Lain - Duvet (tv version)-EnEaNaqGMqU.mp3'
+ 5.0M -rw-r--r-- 1 root root 5.0M Oct 15 2017 'Serial Experiment Lain - Infanity world-AsPLBQfZQ04.mp3'
+ 4.6M -rw-r--r-- 1 root root 4.6M Jan 23 2020 'Serial Experiment Lain - Invisible file-32IlMQ8Bs6w.mp3'
+ 4.7M -rw-r--r-- 1 root root 4.7M Dec 9 2019 'Serial Experiment Lain - Island in video cassette-CCdyzUPrLpM.mp3'
+ 7.1M -rw-r--r-- 1 root root 7.1M Jul 9 2014 'Serial Experiment Lain - k.i.d.s-TvCJnW46ISo.mp3'
+ 6.1M -rw-r--r-- 1 root root 6.1M Dec 16 2019 'Serial Experiment Lain - Prayer-yyPMWWjzMG8.mp3'
+ 4.0M -rw-r--r-- 1 root root 4.0M Dec 25 2019 'Serial Experiment Lain - Professed intention and real-D4G97Xsc8PA.mp3'
+ 3.8M -rw-r--r-- 1 root root 3.8M Jan 23 2020 'Serial Experiment Lain - Psychedelic farm-XEGz6CJnY04.mp3'
+ 4.7M -rw-r--r-- 1 root root 4.7M Dec 17 2019 'Serial Experiment Lain - Speed-zFwQFdAsGGA.mp3'
+ 2.7M -rw-r--r-- 1 root root 2.7M Nov 7 2018 'Serial Experiments Lain - Cyberia Theme-5dbi4N6NGn4.mp3'
+
+
+Now that's done, let's go back into ncmpcpp to make our playlist:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/30 ] [~]
+ → ncmpcpp -h 10.0.0.201 -p 6601
+
+ #once in ncmpcpp
+ #press 1 to get to the playlist tab
+ #press a to add
+ #if you can't connect to it, then use ncmpcpp on the remote host:
+
+ root@lain:~# mkdir ~/.config/ncmpcpp
+ root@lain:~# which ncmpcpp
+ /usr/bin/ncmpcpp
+ root@lain:~# vim ~/.config/ncmpcpp/config
+
+ #make sure that you have changed the 10.0.0.201 part to 127.0.0.1
+ #same goes for mpd:
+ #also make mpd use alsa for now:
+
+ root@lain:~# cat ~/.config/mpd/mpd.conf
+ music_directory "/srv/radio/music/cyberia"
+ playlist_directory "/srv/radio/data/cyberia/playlists"
+ db_file "/srv/radio/data/cyberia/db"
+ state_file "/srv/radio/data/cyberia/state"
+ sticker_file "/srv/radio/data/cyberia/sticker.sql"
+ log_file "/srv/radio/data/syslog"
+ bind_to_address "127.0.0.1"
+ #bind_to_address "10.0.0.201"
+ port "6601"
+
+ audio_output {
+ name "[mpd] cyberia (ogg)"
+ description "classic lainchan radio: electronic, chiptune, weeb"
+ type "shout"
+ encoder "vorbis"
+ host "localhost"
+ port "8000"
+ mount "/mpd-cyberia.ogg"
+ user "source"
+ password "password for icecast"
+ quality "3"
+ format "44100:16:2"
+ always_on "yes"
+ }
+
+ audio_output {
+ name "[mpd] cyberia (mp3)"
+ description "classic lainchan radio: electronic, chiptune, weeb"
+ type "shout"
+ encoder "lame"
+ host "localhost"
+ port "8000"
+ mount "/mpd-cyberia.mp3"
+ user "source"
+ password "password for icecast"
+ quality "3"
+ format "44100:16:2"
+ always_on "yes"
+ }
+
+ audio_output {
+ type "null"
+ name "null"
+ }
+
+ audio_output {
+ type "alsa"
+ name "alsa audio"
+ mixer_type "software"
+ }
+
+ audio_output {
+ type "fifo"
+ name "my_fifo"
+ path "/tmp/mpd.fifo"
+ format "44100:16:2"
+ }
+
+
+ root@lain:~# mpd
+ Jul 12 08:29 : hybrid_dsd: The Hybrid DSD decoder is disabled because it was not explicitly enabled
+ Jul 12 08:29 : exception: Input plugin 'tidal' is unavailable: No Tidal application token configured
+ Jul 12 08:29 : exception: Input plugin 'qobuz' is unavailable: No Qobuz app_id configured
+ root@lain:~# pidof mpd
+ 29091
+
+ root@lain:~# netstat -alntup | grep 6601
+ tcp 0 0 127.0.0.1:6601 0.0.0.0:* LISTEN 29091/mpd
+
+ root@lain:~# ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config
+ #press 2 to go to the browsing tab and
+ #press u to update the mpd database
+ #select the songs you want to add to the playlist with INSERT
+ #then once you selected them press a to add to a playlist
+ #hit 'New playlist', choose the name you want for it:
+ ![](5.png)
+
+ #press 5 to go to the playlist editor tab to check the result:
+ ![](6.png)
+ #now here you see we have a small cyberia playlist.
+ #press 8 to go to the visualizer to verify that it's working properly:
+ ![](7.png)
+ #now press 7 to go to the Outputs tab to enable the ogg and mp3 outputs:
+ ![](8.png)
+ #We're going to need those for icecast. Now that's done we can exit out of ncmpcpp and mpd:
+ #mpd is going to run in the background, so we can always return to it with # ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config
+ #press q to exit ncmpcpp
+
+
+
+We can verify our cyberia ogg output exists on port 8000 by launching icecast and using it to verify it:
+
+
+ root@lain:~# icecast -c /srv/icecast-server/conf/icecast.xml
+ [2021-07-12 09:25:43] WARN CONFIG/_parse_root Warning, not configured, using default value "Earth".
+ [2021-07-12 09:25:43] WARN CONFIG/_parse_root Warning, contact not configured, using default value "icemaster@localhost". This breaks YP directory listings. YP directory support will be disabled.
+ Changed groupid to 65534.
+ Changed supplementary groups based on user: nobody.
+ Changed userid to 65534.
+
+
+
+We can log into icecast using the **admin:P@SSW0RD_FOR_ADM1N** credentials we used earlier in the config:
+
+![](9.png)
+
+Now we need to fix the fact that icecast doesn't detect our mountpoints:
+
+![](10.png)
+
+First we fix the passwords in the mpd and icecast config files:
+
+
+ root@lain:~# vim ~/.config/mpd/mpd.conf
+ root@lain:~# cat ~/.config/mpd/mpd.conf
+ music_directory "/srv/radio/music/cyberia"
+ playlist_directory "/srv/radio/data/cyberia/playlists"
+ db_file "/srv/radio/data/cyberia/db"
+ state_file "/srv/radio/data/cyberia/state"
+ sticker_file "/srv/radio/data/cyberia/sticker.sql"
+ log_file "/srv/radio/data/syslog"
+ bind_to_address "127.0.0.1"
+ #bind_to_address "10.0.0.201"
+ port "6601"
+
+ audio_output {
+ name "[mpd] cyberia (ogg)"
+ description "classic lainchan radio: electronic, chiptune, weeb"
+ type "shout"
+ encoder "vorbis"
+ host "localhost"
+ port "8000"
+ mount "/mpd-cyberia.ogg"
+ user "source"
+ **password "P@SSW0RD"**
+ quality "3"
+ format "44100:16:2"
+ always_on "yes"
+ }
+
+ audio_output {
+ name "[mpd] cyberia (mp3)"
+ description "classic lainchan radio: electronic, chiptune, weeb"
+ type "shout"
+ encoder "lame"
+ host "localhost"
+ port "8000"
+ mount "/mpd-cyberia.mp3"
+ user "source"
+ **password "P@SSW0RD"**
+ quality "3"
+ format "44100:16:2"
+ always_on "yes"
+ }
+ [...]
+
+ root@lain:~# vim /srv/icecast-server/conf/icecast.xml
+ ![](11.png)
+
+
+
+Next we restart mpd and icecast:
+
+
+ root@lain:~# systemctl restart mpd
+ root@lain:~# icecast -c /srv/icecast-server/conf/icecast.xml
+
+
+
+Now icecast doesn't pick up our ogg stream, so let's try out the mp3 one:
+
+
+ root@lain:~# ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config
+ ![](12.png)
+
+
+
+And as you can see on icecast's admin page we see that the mp3 output does get picked up:
+
+![](13.png)
+
+You can also see it appear on icecast's public **/status.xsl** page:
+
+![](14.png)
+
+And we can play the direct **.m3u** link to our VLC player:
+
+![](15.png)
+
+And it works! now let's make sure that mpd is running on loop while shuffling the songs, from ncmpcpp you can press **r** for repeat mode, and **z** for random mode. After that's working, we need to setup the website itself.
+
+
+ root@lain:/srv/lainonlife# mkdir /srv/http/
+ root@lain:/srv/lainonlife# cp config.json.example config.json
+ root@lain:/srv/lainonlife# vim config.json
+ root@lain:/srv/lainonlife# cat config.json
+ { "channels":
+ { "cyberia": { "mpd_host": "localhost", "mpd_port": 6601, "description": "classic lainchan radio: electronic, chiptune, weeb" }
+ }
+
+ , "template":
+ { "default_channel": "cyberia"
+ , "icecast_status_url": "/radio/status-json.xsl"
+ , "icecast_stream_url_base": "https://lain.void.yt/"
+ , "server_cost": 10.00
+ , "currency_symbol": "€"
+ }
+ }
+
+
+
+For now we only have one channel, but later on we can always add more. Now let's edit build.sh to use our new config json file:
+
+
+ root@lain:/srv/lainonlife#cd frontend
+ root@lain:/srv/lainonlife/frontend# vim build.sh
+ root@lain:/srv/lainonlife/frontend# cat build.sh
+ #!/usr/bin/env bash
+
+ if [ -z "$1" ]; then
+ #./build.py ../config.json.example
+ ./build.py ../config.json.example
+ else
+ ./build.py "$1"
+ fi
+
+
+
+Now that's done we can build the frontend assets:
+
+
+ #debian users:
+
+ apt install python3-pip virtualenv -y
+
+ #arch users:
+ pacman -S python-pip python-virtualenv
+ pip3 install future ; pip install future
+
+ root@lain:/srv/lainonlife/frontend# pip install jinja2
+ root@lain:/srv/lainonlife/frontend# pip3 install jinja2
+ root@lain:/srv/lainonlife/frontend# which virtualenv
+ /usr/bin/virtualenv
+
+ root@lain:/srv/lainonlife/frontend# ./run.sh ../config.json
+
+ root@lain:/srv/lainonlife/frontend# ./run.sh ../config.json
+ DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
+ Requirement already satisfied: jinja2 in ./__venv__/lib/python2.7/site-packages (from -r requirements.txt (line 1)) (2.11.3)
+ Requirement already satisfied: MarkupSafe>=0.23 in ./__venv__/lib/python2.7/site-packages (from jinja2->-r requirements.txt (line 1)) (1.1.1)
+
+
+Now that's done, we can see our frontend assets in the **_site** directory:
+
+
+ root@lain:/srv/lainonlife/frontend# cd _site/
+ root@lain:/srv/lainonlife/frontend/_site# ls -lash
+ total 300K
+ 4.0K drwxr-xr-x 9 root root 4.0K Jul 12 10:16 .
+ 4.0K drwxr-xr-x 10 root root 4.0K Jul 12 10:16 ..
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:16 404
+ 4.0K -rw-r--r-- 1 root root 1.2K Jul 12 10:16 404.html
+ 52K -rw-r--r-- 1 root root 52K Jul 12 10:16 android-chrome-192x192.png
+ 88K -rw-r--r-- 1 root root 88K Jul 12 10:16 android-chrome-256x256.png
+ 44K -rw-r--r-- 1 root root 41K Jul 12 10:16 apple-touch-icon.png
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:16 backgrounds
+ 4.0K -rw-r--r-- 1 root root 246 Jul 12 10:16 browserconfig.xml
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:16 bumps
+ 4.0K drwxr-xr-x 3 root root 4.0K Jul 12 10:16 css
+ 4.0K -rw-r--r-- 1 root root 1.2K Jul 12 10:16 https://blog.nowhere.moe/donate.html
+ 4.0K -rw-r--r-- 1 root root 1.4K Jul 12 10:16 favicon-16x16.png
+ 4.0K -rw-r--r-- 1 root root 2.9K Jul 12 10:16 favicon-32x32.png
+ 16K -rw-r--r-- 1 root root 15K Jul 12 10:16 favicon.ico
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:16 file-list
+ 8.0K -rw-r--r-- 1 root root 4.3K Jul 12 10:16 index.html
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:16 js
+ 4.0K -rw-r--r-- 1 root root 414 Jul 12 10:16 manifest.json
+ 28K -rw-r--r-- 1 root root 26K Jul 12 10:16 mstile-150x150.png
+ 4.0K -rw-r--r-- 1 root root 1.8K Jul 12 10:16 safari-pinned-tab.svg
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:16 upload
+
+
+
+And it's all here! so let's copy it to the root of our webserver at **/srv/http/**
+
+
+ root@lain:/srv/lainonlife/frontend/_site# cd ..
+ root@lain:/srv/lainonlife/frontend# cp -r _site/* /srv/http/
+
+
+
+now that's done, we need to run the backend bashscript called **run.sh** and we need to pass it a few environment variables as we run it:
+
+
+ root@lain:/srv/lainonlife/frontend# cd ..
+ root@lain:/srv/lainonlife# cd backend/
+ root@lain:/srv/lainonlife/backend# ls -lash
+ total 36K
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 10:00 .
+ 4.0K drwxr-xr-x 9 root root 4.0K Jul 12 10:05 .. 
+ 4.0K -rwxr-xr-x 1 root root 1.5K Jul 11 22:11 backend.py
+ 4.0K -rw-r--r-- 1 root root 21 Jul 11 22:11 .gitignore
+ 4.0K -rw-r--r-- 1 root root 58 Jul 11 22:11 requirements.txt
+ **4.0K -rwxr-xr-x 1 root root 205 Jul 11 22:11 run.sh**
+ 8.0K -rw-r--r-- 1 root root 4.1K Jul 11 22:11 stream.py
+ 4.0K -rw-r--r-- 1 root root 3.2K Jul 11 22:11 web.py
+
+ root@lain:/srv/lainonlife/backend# CONFIG=../config.json HTTP_DIR=/srv/http PORT=5000 ./run.sh
+
+ EDIT 2024:
+
+ DONT USE THE RUN.sh ANYMORE, USE BACKEND.PY DIRECTLY!
+
+ [ lain ] [ /dev/pts/3 ] [/srv/lainonlife/backend]
+ → cat /etc/systemd/system/lainradio.service
+ [Unit]
+ Description=running the run.sh script with the correct arguements
+ After=network.target
+ After=systemd-user-sessions.service
+ After=network-online.target
+
+ [Service]
+ Type=simple
+ WorkingDirectory=/srv/lainonlife/backend/
+ Environment="CONFIG=../config.json"
+ Environment="HTTP_DIR=/srv/http"
+ Environment="PORT=8002"
+ #ExecStart=/srv/lainonlife/backend/run.sh ############################## DONT USE IT ANYMORE!
+ ExecStart=/srv/lainonlife/backend/backend.py ########################### USE IT DIRECTLY INSTEAD!
+ Restart=always
+ RestartSec=10
+ KillMode=process
+
+ [Install]
+ WantedBy=multi-user.target
+
+
+
+Basically here it's going to (try to) install the required python dependencies, if it fails like for me you can install the missing dependencies:
+
+
+
+ [...] 
+
+ Collecting MarkupSafe>=0.23
+ Using cached MarkupSafe-1.1.1-cp27-cp27mu-manylinux1_x86_64.whl (24 kB)
+ Installing collected packages: itsdangerous, click, MarkupSafe, Jinja2, Werkzeug, Flask, python-mpd2, pytz, tzlocal, futures, funcsigs, six, apscheduler, chardet, certifi, urllib3, idna, requests
+ Successfully installed Flask-1.1.4 Jinja2-2.11.3 MarkupSafe-1.1.1 Werkzeug-1.0.1 apscheduler-3.7.0 certifi-2021.5.30 chardet-4.0.0 click-7.1.2 funcsigs-1.0.2 futures-3.3.0 idna-2.10 itsdangerous-1.1.0 python-mpd2-1.1.0 pytz-2021.1 requests-2.25.1 six-1.16.0 tzlocal-2.1 urllib3-1.26.6
+ Traceback (most recent call last):
+ File "backend.py", line 7, in module>
+ import stream as stream
+ File "/srv/lainonlife/backend/stream.py", line 1, in module>
+ from apscheduler.schedulers.background import BackgroundScheduler
+ ModuleNotFoundError: No module named 'apscheduler'
+
+ root@lain:/srv/lainonlife/backend# pip3 install apscheduler ; pip install apscheduler
+ root@lain:/srv/lainonlife/backend# pip install --upgrade pip setuptools
+ root@lain:/srv/lainonlife/backend# pip3 install --upgrade pip setuptools
+ root@lain:/srv/lainonlife/backend# pip install --upgrade virtualenv
+ root@lain:/srv/lainonlife/backend# apt install python-mpd python3-mpd
+ root@lain:/srv/lainonlife/backend# pip install flask ; pip3 install flask
+
+ #2023 EDIT: on debian 12 it is like so:
+
+ root@lain:/srv/lainonlife/backend# apt install python3-{apscheduler,setuptools,pip,mpd,flask,docopt}
+ root@lain:/srv/lainonlife/backend#
+
+
+
+ root@lain:/srv/lainonlife/backend# CONFIG=../config.json HTTP_DIR=/srv/http PORT=5000 ./run.sh
+ DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. 
More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
+ Requirement already satisfied: Flask>=0.12.0 in ./__venv__/lib/python2.7/site-packages (from -r requirements.txt (line 1)) (1.1.4)
+
+ [...]
+
+ Requirement already satisfied: MarkupSafe>=0.23 in ./__venv__/lib/python2.7/site-packages (from Jinja2 3.0,>=2.10.1->Flask>=0.12.0->-r requirements.txt (line 1)) (1.1.1)
+ * Serving Flask app 'web' (lazy loading)
+ * Environment: production
+ WARNING: This is a development server. Do not use it in a production deployment.
+ Use a production WSGI server instead.
+ * Debug mode: off
+ * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
+ error talking to prometheus: HTTPConnectionPool(host='localhost', port=9090): Max retries exceeded with url: /api/v1/query?query=sum%28listeners%29+by+%28channel%29 (Caused by NewConnectionError('<****urllib3.connection.HTTPConnection object at 0x7f82323eabe0>: Failed to establish a new connection: [Errno 111] Connection refused'))
+
+Now it seems we forgot to install prometheus on port 9090. 
So let's install it following a tutorial i already made [here](../progra/index.md), obviously use an up to date release version of prometheus from their release pages [here](https://github.com/prometheus/prometheus/releases) to this date, the latest version is **2-28.1** :
+
+
+ root@lain:/tmp# mkdir /srv/prometheus
+ root@lain:/tmp# cd /srv/prometheus
+ root@lain:/srv/prometheus# apt update -y ; apt upgrade -y
+ root@lain:/srv/prometheus# wget https://github.com/prometheus/prometheus/releases/download/v2.28.1/prometheus-2.28.1.linux-amd64.tar.gz
+
+ root@lain:/srv/prometheus# tar -xvzf prometheus-2.28.1.linux-amd64.tar.gz
+ root@lain:/srv/prometheus# cd prometheus-2.28.1.linux-amd64
+
+ root@lain:/srv/prometheus/prometheus-2.28.1.linux-amd64# useradd -rs /bin/false prometheus
+ root@lain:/srv/prometheus/prometheus-2.28.1.linux-amd64# cp prometheus promtool /usr/local/bin/
+ root@lain:/srv/prometheus/prometheus-2.28.1.linux-amd64# chown prometheus:prometheus /usr/local/bin/prometheus
+
+ root@lain:/srv/prometheus/prometheus-2.28.1.linux-amd64# mkdir /etc/prometheus
+ root@lain:/srv/prometheus/prometheus-2.28.1.linux-amd64# cp -R consoles/ console_libraries/ prometheus.yml /etc/prometheus/
+
+ root@lain:/srv/prometheus/prometheus-2.28.1.linux-amd64# cd /lib/systemd/system
+ root@lain:/lib/systemd/system# wget https://blog.nowhere.moe/servers/progra/p.service -O /lib/systemd/system/prometheus.service
+
+
+ root@lain:/etc/prometheus# mkdir /data/prometheus -p
+ root@lain:/etc/prometheus# chown -R prometheus:prometheus /data/prometheus /etc/prometheus/*
+
+ root@lain:/lib/systemd/system# systemctl enable --now prometheus
+ root@lain:/lib/systemd/system# systemctl enable --now prometheus
+
+ root@lain:/etc/prometheus# systemctl status prometheus
+ ● prometheus.service - Prometheus
+ Loaded: loaded (/lib/systemd/system/prometheus.service; enabled; vendor preset: enabled)
+ Active: active (running) since Mon 2021-07-12 11:01:40 CEST; 1min 9s ago
+ Main PID: 545 
(prometheus)
+ Tasks: 9 (limit: 4700)
+ Memory: 29.8M
+ CGroup: /system.slice/prometheus.service
+ └─545 /usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/data/prometheus --web.console.templates=/etc/prometheus/consoles --web.console.libraries=/etc/prometheus/
+
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.623Z caller=head.go:780 component=tsdb msg="Replaying on-disk memory mappable chunks if any"
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.624Z caller=head.go:794 component=tsdb msg="On-disk memory mappable chunks replay completed" duration=26.9µs
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.624Z caller=head.go:800 component=tsdb msg="Replaying WAL, this may take a while"
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.627Z caller=head.go:854 component=tsdb msg="WAL segment loaded" segment=0 maxSegment=0
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.629Z caller=head.go:860 component=tsdb msg="WAL replay completed" checkpoint_replay_duration=143.441µs wal_replay_duration=3.876793ms total_re
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.632Z caller=main.go:851 fs_type=EXT4_SUPER_MAGIC
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.633Z caller=main.go:854 msg="TSDB started"
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.633Z caller=main.go:981 msg="Loading configuration file" filename=/etc/prometheus/prometheus.yml
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.636Z caller=main.go:1012 msg="Completed loading of configuration file" filename=/etc/prometheus/prometheus.yml totalDuration=2.953804ms remote
+ Jul 12 11:01:40 lain prometheus[545]: level=info ts=2021-07-12T09:01:40.636Z caller=main.go:796 msg="Server is ready to receive web requests." 
+
+
+And from here we can check if prometheus is running on the correct port:
+
+![](16.png)
+
+Now that prometheus is running on port 9090 we can also setup grafana but we commented it out earlier. Let's run run.sh to see if it works this time:
+
+
+ root@lain:/etc/prometheus# cd /srv/lainonlife/backend/
+
+ root@lain:/srv/lainonlife/backend# CONFIG=../config.json HTTP_DIR=/srv/http PORT=5000 ./run.sh
+ DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
+ Requirement already satisfied: Flask>=0.12.0 in ./__venv__/lib/python2.7/site-packages (from -r requirements.txt (line 1)) (1.1.4)
+
+ [...]
+
+ Requirement already satisfied: MarkupSafe>=0.23 in ./__venv__/lib/python2.7/site-packages (from Jinja2<3.0,>=2.10.1->Flask>=0.12.0->-r requirements.txt (line 1)) (1.1.1)
+ * Serving Flask app 'web' (lazy loading)
+ * Environment: production
+ WARNING: This is a development server. Do not use it in a production deployment.
+ Use a production WSGI server instead.
+ * Debug mode: off
+ * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)
+
+
+
+This time around we don't have the missing prometheus errors, so let's check if the server is running properly, and let's restart it to run on port 8002 since we told nginx we would use it for the **@script** block:
+
+
+ root@lain:/srv/lainonlife/backend# CONFIG=../config.json HTTP_DIR=/srv/http PORT=8002 ./run.sh
+ DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. 
More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
+
+ Requirement already satisfied: MarkupSafe>=0.23 in ./__venv__/lib/python2.7/site-packages (from Jinja2<3.0,>=2.10.1->Flask>=0.12.0->-r requirements.txt (line 1)) (1.1.1)
+ * Serving Flask app 'web' (lazy loading)
+ * Environment: production
+ WARNING: This is a development server. Do not use it in a production deployment.
+ Use a production WSGI server instead.
+ * Debug mode: off
+ * Running on http://127.0.0.1:8002/ (Press CTRL+C to quit)
+
+ #on debian 12 going through the bashscript doesnt seem to work, we need to run it with the python script directly:
+
+ [ 10.0.0.201/16 ] [ lain ] [/srv/lainonlife/backend]
+ → CONFIG=/srv/lainonlife/config.json HTTP_DIR=/srv/http PORT=8002 python3 backend.py
+ * Serving Flask app 'web'
+ * Debug mode: off
+ WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
+ * Running on http://127.0.0.1:8002
+ Press CTRL+C to quit
+ 127.0.0.1 - - [05/Jul/2023 19:34:12] "GET /assets/css/style.css HTTP/1.0" 200 -
+ 127.0.0.1 - - [05/Jul/2023 19:34:13] "GET /assets/img/icecast.png HTTP/1.0" 200 -
+ 127.0.0.1 - - [05/Jul/2023 19:34:16] "GET /assets/img/icecast.png HTTP/1.0" 200 -
+ 127.0.0.1 - - [05/Jul/2023 19:34:19] "GET /background HTTP/1.0" 200 -
+ 127.0.0.1 - - [05/Jul/2023 19:34:20] "GET /playlist/focus.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [05/Jul/2023 19:34:32] "GET /background HTTP/1.0" 200 -
+
+
+
+Now let's check if it works properly in the browser on port 80:
+
+![](18.png)
+
+We got some progress! However we need to correct a few things, first the background:
+
+
+ * Serving Flask app 'web' (lazy loading)
+ * Environment: production
+ WARNING: This is a development server. Do not use it in a production deployment.
+ Use a production WSGI server instead. 
+ * Debug mode: off
+ * Running on http://127.0.0.1:8002/ (Press CTRL+C to quit)
+ 127.0.0.1 - - [12/Jul/2021 11:12:55] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:13:10] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:13:25] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:13:40] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:13:55] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:09] "GET /css/font-awesome.min.css HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:09] "GET /background HTTP/1.0" 404 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:09] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:24] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:39] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:53] "GET /css/font-awesome.min.css HTTP/1.0" 304 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:53] "GET /background HTTP/1.0" 404 -
+ 127.0.0.1 - - [12/Jul/2021 11:14:53] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+ 127.0.0.1 - - [12/Jul/2021 11:15:08] "GET /playlist/cyberia.json HTTP/1.0" 200 -
+
+
+
+Let's upload a few backgrounds into **/srv/http/backgrounds/** :
+
+
+ root@lain:/srv/http# cd backgrounds/
+ root@lain:/srv/http/backgrounds# ls -l
+ total 4
+ -rw-r--r-- 1 root root 68 Jul 12 10:18 index.html
+
+ root@lain:/srv/http/backgrounds# wget https://wallpapercave.com/wp/wp6600388.jpg
+
+ root@lain:/srv/http/backgrounds# wget https://blog.nowhere.moe/wallpapers/joi1.png
+
+ root@lain:/srv/http/backgrounds# wget https://blog.nowhere.moe/wallpapers/wallpaper_blue_original.png
+
+
+
+![](19.png)
+
+Now that we got some backgrounds we also need the missing **/css/font-awesome.min.css** in the root of the webdirectory:
+
+
+ root@lain:/srv/lainonlife/# cd /srv/http/css/
+ root@lain:/srv/http/css# wget 
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
+
+
+
+Now we get some missing icons, however this is probably related to the fact that we're not accessing our lainradio server from the correct domain name **lain.void.yt** :
+
+![](20.png)
+
+Now i intend to run this lain radio behind a reverse nginx proxy, so i'll set it up from main debian node:
+
+
+ root@home:~# curl ifconfig.me ; echo; ping lain.void.yt
+ 86.243.158.34
+ PING void.yt (86.243.158.34) 56(84) bytes of data.
+
+
+
+First we get the DNS to point to the right IP, i used a CNAME to point at my root domain's public IP, but you can also use an A record to specify which IP the subdomain / domain name should point to. Now on my main debian node i use acme.sh to get letsencrypt TLS 1.3 certificates, so let's get them after i make the reverse proxy nginx config:
+
+
+ root@home:/var/www/void.yt/config# cd /etc/nginx/sites-available/
+ root@home:/etc/nginx/sites-available# vim lain.void.yt.conf
+
+ root@home:/etc/nginx/sites-available# cat lain.void.yt.conf
+ upstream lainbackend {
+ server 10.0.0.201:80;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name lain.void.yt;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name lain.void.yt;
+
+ ssl_certificate /root/.acme.sh/lain.void.yt/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/lain.void.yt/lain.void.yt.cer;
+ ssl_certificate_key /root/.acme.sh/lain.void.yt/lain.void.yt.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache 
shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://lainbackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+
+
+You can tweak it however you like it, then we enable the site and get the letsencrypt certificates:
+
+
+ root@home:/etc/nginx/sites-available# ln -s /etc/nginx/sites-available/lain.void.yt.conf /etc/nginx/sites-enabled/
+ root@home:/etc/nginx/sites-available# nginx -t
+ nginx: [emerg] BIO_new_file("/root/.acme.sh/lain.void.yt/fullchain.cer") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/root/.acme.sh/lain.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)
+ nginx: configuration file /etc/nginx/nginx.conf test failed
+ root@home:/etc/nginx/sites-available# systemctl stop nginx
+ root@home:/etc/nginx/sites-available# acme.sh --issue --standalone -d lain.void.yt -k 4096
+
+ [...] 
+
+ [Mon 12 Jul 2021 12:08:38 PM CEST] Your cert is in /root/.acme.sh/lain.void.yt/lain.void.yt.cer
+ [Mon 12 Jul 2021 12:08:38 PM CEST] Your cert key is in /root/.acme.sh/lain.void.yt/lain.void.yt.key
+ [Mon 12 Jul 2021 12:08:38 PM CEST] The intermediate CA cert is in /root/.acme.sh/lain.void.yt/ca.cer
+ [Mon 12 Jul 2021 12:08:38 PM CEST] And the full chain certs is there: /root/.acme.sh/lain.void.yt/fullchain.cer
+
+
+
+Once that's done we can reactivate nginx and see the result:
+
+
+ root@home:/etc/nginx/sites-available# nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+ root@home:/etc/nginx/sites-available# systemctl start nginx
+
+
+
+![](21.png)
+
+Now we access our webservice and we see that the domain has been verified by letsencrypt, but we're still missing the song names: so let's take a look into the **/srv/lainonlife/scripts/** directory:
+
+
+
+ root@lain:/srv/lainonlife/scripts# ls -lash
+ total 24K
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 12 12:23 .
+ 4.0K drwxr-xr-x 9 root root 4.0K Jul 12 10:05 ..
+ 4.0K -rwxr-xr-x 1 root root 2.3K Jul 11 22:11 album_times.py
+ 4.0K -rwxr-xr-x 1 root root 943 Jul 11 22:11 file-list.sh
+ 8.0K -rwxr-xr-x 1 root root 4.5K Jul 11 22:11 schedule.py
+
+
+
+Here we have some scripts we should run. 
An easy one is **file-list.sh** :
+
+
+ root@lain:/srv/lainonlife/scripts# ./file-list.sh
+
+
+
+` ![](22.png)
+
+That script is there so we can get a list of files to use:
+
+![](23.png)
+
+Next we need to figure out **schedule.py** :
+
+
+ root@lain:/srv/lainonlife/scripts# pip3 install docopt
+ root@lain:/srv/lainonlife/scripts# python3 schedule.py --host=127.0.0.1 6601
+
+
+
+Now if this schedule.py script errors out, that's because it's looking for the **Lainchan Radio Transitions** album, so to make this script work, we need the aforementionned album containing some songs, so let's create it with tracks we put into **/srv/radio/music/cyberia/transitions/** :
+
+
+ root@lain:/srv/radio/music/cyberia# mkdir transitions
+ root@lain:/srv/radio/music/cyberia/transitions# apt install ffmpeg
+
+ root@lain:/srv/radio/music/cyberia/transitions# youtube-dl -x https://www.youtube.com/playlist?list=OLAK5uy_kBzNHyOb4LcpwQI-uca1LApynboNkEvAo --audio-format mp3
+ [youtube:tab] OLAK5uy_kBzNHyOb4LcpwQI-uca1LApynboNkEvAo: Downloading webpage
+ [download] Downloading playlist: Coloris
+ [youtube:tab] playlist Coloris: Downloading 15 videos
+ [download] Downloading video 1 of 15
+ [youtube] YTY7UV6GpkM: Downloading webpage
+ [download] Coloris-YTY7UV6GpkM.webm has already been downloaded
+ [download] 100% of 2.57MiB
+ [ffmpeg] Destination: Coloris-YTY7UV6GpkM.mp3
+
+ [...]
+
+
+ [youtube] 75yOApYoc6Y: Downloading webpage
+ [download] Destination: Traveling By Night-75yOApYoc6Y.webm
+ [download] 100% of 2.59MiB in 00:00
+ [ffmpeg] Destination: Traveling By Night-75yOApYoc6Y.mp3
+ Deleting original file Traveling By Night-75yOApYoc6Y.webm (pass -k to keep)
+ [download] Finished downloading playlist: Coloris
+
+
+
+Now that we have our transition tracks let's add them to the correct album via ncmpcpp:
+
+
+ root@lain:/srv/radio/music/cyberia/transitions# cd ..
+ root@lain:/srv/radio/music/cyberia# tree .
+ . 
+ ├── Lain's Theme - Lain-o-cwuTmqz8c.mp3
+ ├── Serial Experiment Lain - Antidepressant 044-KaOsmUDMdaE.mp3
+ ├── Serial Experiment Lain - Cloudy with occasional rain-1TunrW7dRr0.mp3
+ ├── Serial Experiment Lain - Duvet (cyberia remix)-juDqDMlTfUg.mp3
+ ├── Serial Experiment Lain - Duvet (tv version)-EnEaNaqGMqU.mp3
+ ├── Serial Experiment Lain - Infanity world-AsPLBQfZQ04.mp3
+ ├── Serial Experiment Lain - Invisible file-32IlMQ8Bs6w.mp3
+ ├── Serial Experiment Lain - Island in video cassette-CCdyzUPrLpM.mp3
+ ├── Serial Experiment Lain - k.i.d.s-TvCJnW46ISo.mp3
+ ├── Serial Experiment Lain - Prayer-yyPMWWjzMG8.mp3
+ ├── Serial Experiment Lain - Professed intention and real-D4G97Xsc8PA.mp3
+ ├── Serial Experiment Lain - Psychedelic farm-XEGz6CJnY04.mp3
+ ├── Serial Experiment Lain - Speed-zFwQFdAsGGA.mp3
+ ├── Serial Experiments Lain - Cyberia Theme-5dbi4N6NGn4.mp3
+ └── transitions
+ ├── Autumn In Space-nWqcLWxZOH0.mp3
+ ├── Circuit Lover-zduKG8YUKxM.mp3
+ ├── Coloris-YTY7UV6GpkM.mp3
+ ├── Destination Luna4-VGaQwDylJPM.mp3
+ ├── Distort Into Me-_zLINqJYH0U.mp3
+ ├── Fuse-MhHshcp5tQs.mp3
+ ├── Gum-tTGBo0Fmf4A.mp3
+ ├── In Time-8PmEsQY5rq4.mp3
+ ├── Monochrome-uFNppANT-Dk.mp3
+ ├── Orbit-SHFmUt1Jit4.mp3
+ ├── Reality-C0ybGDNZos8.mp3
+ ├── Together-ohViqbZZnpE.mp3
+ ├── Tokyo Nights-5fXc8aoF2eU.mp3
+ ├── Touch and Go-gxfyax1IPdk.mp3
+ └── Traveling By Night-75yOApYoc6Y.mp3
+
+ root@lain:/srv/radio/music/cyberia# ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config
+ #press 2 and u to update the database, and you will see the transitions directory appear:
+ ![](24.png)
+ #and in it we have our transition audio tracks:
+ ![](25.png)
+ #so let's add them to the correct playlist album:
+ #select the tracks with INSERT
+ #then press a to add them to the **Lainchan Radio Transitions** playlist:
+ ![](26.png)
+ #press 5 to go to the playlists and you should see that result:
+ ![](27.png)
+ #now add a few more albums just like we did previously
+ #so that schedule.py has 
a few albums to cycle through and to put transitions in between:
+
+ root@lain:/srv/radio/music/cyberia# youtube-dl -x --audio-format mp3 https://www.youtube.com/playlist?list=PL9AnroPjNnk0ukW3RvRQlbxA6nsNjG_9k
+ root@lain:/srv/radio/music/cyberia# youtube-dl -x --audio-format mp3 https://www.youtube.com/playlist?list=PLEBA2CD188C3A8278
+ root@lain:/srv/radio/music/cyberia# youtube-dl -x --audio-format mp3 https://www.youtube.com/playlist?list=PL4D3810FF245A180B
+
+ #Each time make sure you add them to separate albums with ncmpcpp just like we previously did to keep things clean.
+ ![](28.png)
+
+
+
+So right now i have 3 albums (playlists) and a transition playlist, now let's use schedule.py:
+
+
+ root@lain:/srv/lainonlife/scripts# ls -l
+ total 16
+ -rwxr-xr-x 1 root root 2334 Jul 11 22:11 album_times.py
+ -rwxr-xr-x 1 root root 943 Jul 11 22:11 file-list.sh
+ -rwxr-xr-x 1 root root 4631 Jul 12 12:48 schedule.py
+ root@lain:/srv/lainonlife/scripts# python3 schedule.py --host=127.0.0.1 6601
+ Traceback (most recent call last):
+ File "schedule.py", line 168, in <****module>
+ schedule_radio(client)
+ File "schedule.py", line 114, in schedule_radio
+ album, album_dur = pick_album(client, target_dur)
+ File "schedule.py", line 68, in pick_album
+ album = all_albums[0]
+ IndexError: list index out of range
+
+Apologies on my part, for MPD playlists are NOT albums, so we need to create albums for each artist:
+
+To do that we can add id3 tags:
+
+
+ root@lain:/srv/lainonlife/scripts# apt install libid3-tools -y
+
+ #for arch users:
+ pacman -S id3lib id3v2
+
+ root@lain:/srv/lainonlife/scripts# which id3tag
+ /usr/bin/id3tag
+
+
+
+So with id3tag we're going to add the album tags to our mp3 files:
+
+
+ root@lain:/srv/radio/music# vim tagger.sh
+
+
+
+Now before running it we're going to add a tag to one track and see if it works as intended:
+
+
+ cd cyberia/transitions/
+ root@lain:/srv/radio/music/cyberia/transitions# ls -lash Coloris-YTY7UV6GpkM.mp3
+ 2.5M 
-rw-r--r-- 1 root root 2.5M Sep 15 2019 Coloris-YTY7UV6GpkM.mp3
+
+
+
+Now since this is a Transition track let's add the **Lainchan Radio Transitions** album tag to it:
+
+
+ root@lain:/srv/radio/music/cyberia/transitions# id3tag --album "Lainchan Radio Transitions" Coloris-YTY7UV6GpkM.mp3
+ +++ Album = Lainchan Radio Transitions
+ Tagging Coloris-YTY7UV6GpkM.mp3: attempting v1 and v2, tagged v1 and v2
+
+
+
+And when we check it inside of ncmpcpp we see the following after updating the database with **u** :
+
+
+ root@lain:/srv/radio/music/cyberia/transitions# ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config
+ #press u to update the database
+ #press 4 to goto the Media Library
+
+
+
+![](29.png)
+
+So right here we have been able to create an album thanks to the **id3tag** tool, now if you're a masochist you can go ahead and do that manually for every song, if you're like me and want to make things simpler, we can use a script. i place it into **/srv/radio/music/** to tag the transition tracks:
+
+
+ root@lain:/srv/radio/music# vim tagger_transitions.sh
+ root@lain:/srv/radio/music# cat tagger_transitions.sh
+ #! /bin/bash
+
+ GREEN="\033[0;32m"
+ ORANGE="\033[0;33m"
+ RED="\033[0;31m"
+ NC="\033[0m"
+
+ echo -en "${GREEN}[+]${NC} Type the name of the channel directory (ex: cyberia): "
+ read channel
+ echo -en "${GREEN}[+]${NC} default album name: ${GREEN} Lainchan Radio Transitions"
+ album="Lainchan Radio Transitions"
+
+
+ #### First list the songs and ask if the user wants to add the album tag to them:
+
+ #change IFS
+ SAVEIFS=$IFS
+ IFS=$(echo -en "\n\b")
+
+ cd $channel/transitions
+ SONGS=*
+
+ for SONG in $SONGS ;
+ do
+ echo -en "\n ${ORANGE}[+] $SONG${NC}"
+ done
+ cd ../..
+
+ #restore IFS
+ IFS=$SAVEIFS
+
+
+
+ echo -en "\n\n${GREEN}[+]${NC} add the ${RED}$album${NC} ${ORANGE}album${NC} tag to these songs ? 
(y/n)"
+ read choice
+
+
+ ####### If user says 'y' then add the album tag to the selected songs:
+
+ if [ "$choice" == "y" ];
+ then
+ echo 'yes'
+
+ #change IFS
+ SAVEIFS=$IFS
+ IFS=$(echo -en "\n\b")
+
+ cd $channel/transitions
+ SONGS=*
+
+ for SONG in $SONGS ;
+ do
+ echo -en "\n ${GREEN}[+] $SONG${RED} ADDING TAG: ${ORANGE}$album${NC}"
+ id3tag --album="\"$album\"" $SONG
+ done
+ cd ../..
+
+ #restore IFS
+ IFS=$SAVEIFS
+ else
+ echo 'cancelling...'
+ fi
+
+ echo
+ exit
+
+
+So for me this script works, make sure you place it in **/srv/radio/music/** otherwise it will not work as intended.
+
+
+ root@lain:/srv/radio/music# ./tagger_transitions.sh
+ [+] Type the name of the channel directory (ex: cyberia): cyberia
+ [+] default album name: Lainchan Radio Transitions
+ [+] Autumn In Space-nWqcLWxZOH0.mp3
+ [+] Circuit Lover-zduKG8YUKxM.mp3
+ [+] Coloris-YTY7UV6GpkM.mp3
+ [+] Destination Luna4-VGaQwDylJPM.mp3
+ [+] Distort Into Me-_zLINqJYH0U.mp3
+ [+] Fuse-MhHshcp5tQs.mp3
+ [+] Gum-tTGBo0Fmf4A.mp3
+ [+] In Time-8PmEsQY5rq4.mp3
+ [+] Monochrome-uFNppANT-Dk.mp3
+ [+] Orbit-SHFmUt1Jit4.mp3
+ [+] Reality-C0ybGDNZos8.mp3
+ [+] Together-ohViqbZZnpE.mp3
+ [+] Tokyo Nights-5fXc8aoF2eU.mp3
+ [+] Touch and Go-gxfyax1IPdk.mp3
+ [+] Traveling By Night-75yOApYoc6Y.mp3
+
+ [+] add the Lainchan Radio Transitions album tag to these songs ? 
(y/n)y
+ yes
+
+ [+] Autumn In Space-nWqcLWxZOH0.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Autumn In Space-nWqcLWxZOH0.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Circuit Lover-zduKG8YUKxM.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Circuit Lover-zduKG8YUKxM.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Coloris-YTY7UV6GpkM.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Coloris-YTY7UV6GpkM.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Destination Luna4-VGaQwDylJPM.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Destination Luna4-VGaQwDylJPM.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Distort Into Me-_zLINqJYH0U.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Distort Into Me-_zLINqJYH0U.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Fuse-MhHshcp5tQs.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Fuse-MhHshcp5tQs.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Gum-tTGBo0Fmf4A.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Gum-tTGBo0Fmf4A.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] In Time-8PmEsQY5rq4.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging In Time-8PmEsQY5rq4.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Monochrome-uFNppANT-Dk.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Monochrome-uFNppANT-Dk.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Orbit-SHFmUt1Jit4.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Orbit-SHFmUt1Jit4.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Reality-C0ybGDNZos8.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = 
"Lainchan Radio Transitions"
+ Tagging Reality-C0ybGDNZos8.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Together-ohViqbZZnpE.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Together-ohViqbZZnpE.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Tokyo Nights-5fXc8aoF2eU.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Tokyo Nights-5fXc8aoF2eU.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Touch and Go-gxfyax1IPdk.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Touch and Go-gxfyax1IPdk.mp3: attempting v1 and v2, tagged v1 and v2
+
+ [+] Traveling By Night-75yOApYoc6Y.mp3 ADDING TAG: Lainchan Radio Transitions+++ Album = "Lainchan Radio Transitions"
+ Tagging Traveling By Night-75yOApYoc6Y.mp3: attempting v1 and v2, tagged v1 and v2
+
+
+
+Now to tag the mp3 files in **/channel/songname.mp3** with their album names i made a different script in **/srv/radio/music/tagger.sh** , again make sure the location is correct otherwise it won't work either :
+
+
+ root@lain:/srv/radio/music# cat tagger.sh
+ #! /bin/bash
+
+ GREEN="\033[0;32m"
+ ORANGE="\033[0;33m"
+ RED="\033[0;31m"
+ NC="\033[0m"
+
+ echo -en "${GREEN}[+]${NC} Type the name of the channel directory (ex: cyberia): "
+ read channel
+ echo -en "${GREEN}[+]${NC} Type the name of the album: "
+ read album
+ echo -en "${GREEN}[+]${NC} Type the name of the regex to match the album: "
+ read regex
+
+
+ #### First list the songs and ask if the user wants to add the album tag to them:
+
+ #change IFS
+ SAVEIFS=$IFS
+ IFS=$(echo -en "\n\b")
+
+ cd $channel
+ SONGS=*$regex*
+
+ for SONG in $SONGS ;
+ do
+ echo -en "\n ${ORANGE}[+] $SONG${NC}"
+ done
+ cd ..
+
+ #restore IFS
+ IFS=$SAVEIFS
+
+
+
+ echo -en "\n\n${GREEN}[+]${NC} add the ${RED}$album${NC} ${ORANGE}album${NC} tag to these songs ? 
(y/n)" + read choice + + + ####### If user says 'y' then add the album tag to the selected songs: + + if [ "$choice" == "y" ]; + then + echo 'yes' + + #change IFS + SAVEIFS=$IFS + IFS=$(echo -en "\n\b") + + cd $channel + SONGS=*$regex* + + for SONG in $SONGS ; + do + echo -en "\n ${GREEN}[+] $SONG${RED} ADDING TAG: ${ORANGE}$album${NC}" + id3tag --album="\"$album\"" $SONG + done + cd .. + + #restore IFS + IFS=$SAVEIFS + else + echo 'cancelling....' + fi + + echo + exit + + + +This time we specify the **channel** , the **album** , and the **regex** that we will use to match the files to add the tag to: + + + root@lain:/srv/radio/music# ./tagger.sh + [+] Type the name of the channel directory (ex: cyberia): cyberia + [+] Type the name of the album: Pendulum - Hold your Color^C + root@lain:/srv/radio/music# ./tagger.sh + [+] Type the name of the channel directory (ex: cyberia): cyberia + [+] Type the name of the album: Infected Mushroom - Army Of Mushrooms + [+] Type the name of the regex to match the album: Infected + + [+] Infected Mushroom - (01) Nevermind [HQ] 2012-Fzj7BZeqVzk.mp3 + [+] Infected Mushroom - (02) Nothing to Say [HQ] 2012-fQcB8yo46eI.mp3 + [+] Infected Mushroom - (03) Send Me an Angel [HQ] 2012-W2Ks5AkCHow.mp3 + [+] Infected Mushroom - (04) U R So Fucked [HQ] 2012-62gm17b2bMI.mp3 + [+] Infected Mushroom - (05) The Rat [HQ] 2012-nHIWgbBDx0o.mp3 + [+] Infected Mushroom - (06) Nation of Wusses [HQ] 2012-L25QxK0Csg0.mp3 + [+] Infected Mushroom - (07) Wanted To [HQ] 2012-2PaSS6JFvXc.mp3 + [+] Infected Mushroom - (08) Serve My Thirst [HQ] 2012-_J6feIrbcEo.mp3 + [+] Infected Mushroom (09) - I Shine [HQ] 2012-OtbFUedy6Xs.mp3 + [+] Infected Mushroom - (10) Drum n Baasa [HQ] 2012-4IhPuiuYx30.mp3 + [+] Infected Mushroom - (11) The Pretender (Foo Fighters Cover) [HQ] 2012-boKAyiI-8WQ.mp3 + [+] Infected Mushroom - (12) The Messenger 2012 [HQ] 2012-x0lRqrID3i4.mp3 + [+] Infected Mushroom - (13) Swingish (Bonus Track) [HQ] 2012-7KwBE6XJbj4.mp3 + + [+] add the 
Infected Mushroom - Army Of Mushrooms album tag to these songs ? (y/n)y + yes + + [+] Infected Mushroom - (01) Nevermind [HQ] 2012-Fzj7BZeqVzk.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (01) Nevermind [HQ] 2012-Fzj7BZeqVzk.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (02) Nothing to Say [HQ] 2012-fQcB8yo46eI.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (02) Nothing to Say [HQ] 2012-fQcB8yo46eI.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (03) Send Me an Angel [HQ] 2012-W2Ks5AkCHow.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (03) Send Me an Angel [HQ] 2012-W2Ks5AkCHow.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (04) U R So Fucked [HQ] 2012-62gm17b2bMI.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (04) U R So Fucked [HQ] 2012-62gm17b2bMI.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (05) The Rat [HQ] 2012-nHIWgbBDx0o.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (05) The Rat [HQ] 2012-nHIWgbBDx0o.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (06) Nation of Wusses [HQ] 2012-L25QxK0Csg0.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (06) Nation of Wusses [HQ] 2012-L25QxK0Csg0.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (07) Wanted To [HQ] 2012-2PaSS6JFvXc.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected 
Mushroom - (07) Wanted To [HQ] 2012-2PaSS6JFvXc.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (08) Serve My Thirst [HQ] 2012-_J6feIrbcEo.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (08) Serve My Thirst [HQ] 2012-_J6feIrbcEo.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom (09) - I Shine [HQ] 2012-OtbFUedy6Xs.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom (09) - I Shine [HQ] 2012-OtbFUedy6Xs.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (10) Drum n Baasa [HQ] 2012-4IhPuiuYx30.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (10) Drum n Baasa [HQ] 2012-4IhPuiuYx30.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (11) The Pretender (Foo Fighters Cover) [HQ] 2012-boKAyiI-8WQ.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (11) The Pretender (Foo Fighters Cover) [HQ] 2012-boKAyiI-8WQ.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (12) The Messenger 2012 [HQ] 2012-x0lRqrID3i4.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (12) The Messenger 2012 [HQ] 2012-x0lRqrID3i4.mp3: attempting v1 and v2, tagged v1 and v2 + + [+] Infected Mushroom - (13) Swingish (Bonus Track) [HQ] 2012-7KwBE6XJbj4.mp3 ADDING TAG: Infected Mushroom - Army Of Mushrooms+++ Album = "Infected Mushroom - Army Of Mushrooms" + Tagging Infected Mushroom - (13) Swingish (Bonus Track) [HQ] 2012-7KwBE6XJbj4.mp3: attempting v1 and v2, tagged v1 and v2 + + + +After adding the other albums we can check the result in ncmpcpp: + + + root@lain:/srv/radio/music# 
ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config + #press 2 to get to the browsing tab + #press u to update the database + #see the album tags appear: + ![](30.png) + #press 4 to get to the media library: + ![](31.png) + + + +We also fix the missing fonts in **/srv/http/fonts/** + + + + 127.0.0.1 - - [12/Jul/2021 14:55:14] "GET /fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.0" 200 - + 127.0.0.1 - - [12/Jul/2021 14:55:16] "GET /fonts/fontawesome-webfont.woff?v=4.7.0 HTTP/1.0" 200 - + 127.0.0.1 - - [12/Jul/2021 14:55:17] "GET /fonts/fontawesome-webfont.ttf?v=4.7.0 HTTP/1.0" 304 - + + root@lain:/srv/http# mkdir fonts + root@lain:/srv/http# cd fonts + root@lain:/srv/http/fonts# wget https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/fonts/fontawesome-webfont.woff2 + root@lain:/srv/http/fonts# wget https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/fonts/fontawesome-webfont.ttf + + + +Now the fonts are fixed once we check them in the browser: + +![](33.png) + +first edit : index.html had broken links to the radio: + + + + root@lain:/srv/http# cat index.html | grep void + lain.void.yt + const ICECAST_STREAM_URL_BASE = "https://lain.void.yt/radio/"; + <****source src="https://lain.void.yt//cyberia.ogg" type="audio/ogg"/> <****source src="https://lain.void.yt//cyberia.mp3" type="audio/mpeg"/> <****a id="ogglink" href="https://lain.void.yt//cyberia.ogg.m3u">ogg <****/a> / <****a id="mp3link" href="https://lain.void.yt//cyberia.mp3.m3u">mp3 <****/a> + + root@lain:/srv/http# vim index.html + root@lain:/srv/http# cat index.html | grep void lain.void.yt + const ICECAST_STREAM_URL_BASE = "https://lain.void.yt/radio/"; + <****source src="https://lain.void.yt/radio/cyberia.ogg" type="audio/ogg"/> <****source src="https://lain.void.yt/radio/cyberia.mp3" type="audio/mpeg"/> <****a id="ogglink" href="https://lain.void.yt/radio/cyberia.ogg.m3u">ogg <****/a> / <****a id="mp3link" href="https://lain.void.yt/radio/cyberia.mp3.m3u">mp3 <****/a> + +Now the radio 
actually plays from the browser : + +![](35.png) + +However the title of each track are still missing. + +EDIT 2: figured out how to go around the schedule.py errors + + + root@lain:/srv/lainonlife/scripts# cat schedule.py + #!/usr/bin/env python3 + + """Radio scheduling program. + + Usage: + schedule.py [--host=HOST] PORT + + Options: + --host=HOST Hostname of MPD [default: localhost] + -h --help Show this text + + Takes a port number, and does the following: + + 1. Sets the play order to normal, looping. + 2. Clears all music before the cursor position in the playlist. + 3. Appends a roughly three-hour block of music to the end of the playlist in this format: + a. A transition track + b. A full album + c. Enough random tracks to make up the difference. + + The new segment may be a little shorter if an exact fit is not possible, but in practice it will + be close. + + Why do this? Listening to entire albums in order is nice, as tracks in an album often build off + each other. On the other hand, variety is also nice! 
+ + """ + + from docopt import docopt + from mpd import MPDClient + from random import shuffle + + + def duration_of(filterty, filterval): + """Get the combined duration of all tracks matching a filter.""" + + return int(client.count(filterty, filterval).get("playtime", "0")) + + + def pick_transition(client): + """Picks a transition track.""" + + all_transitions = list( + filter(lambda t: "directory" not in t, client.listall("transitions")) + ) + + shuffle(all_transitions) + + transition = all_transitions[0]["file"] + transition_dur = duration_of("file", transition) + + return transition, transition_dur + + + def pick_album(client, dur): + """Picks a random album which fits in the duration.""" + + # Get all albums + all_albums = [ + a["album"] + for a in client.list("album") + if "album" in a and a["album"] not in ["", "Lainchan Radio Transitions"] + ] + + for a in client.list("album"): + print(a) + all_albums.append(a) + + print(all_albums) + shuffle(all_albums) + + album = all_albums[0] + album_dur = duration_of("album", album) + return album, album_dur + + + def pick_tracks(client, chosen_album, dur): + """Attempts to pick a list of tracks to fill the given time. + + Radio transitions and the chosen album are excluded from the list. + + Because retrieving and operating over the list of all tracks is expensive, this does not try + more than once. It uses the simple greedy algorithm, and so may exceed the limit. 
+ """ + + all_tracks = [] + for t in client.list("file"): + #print(t) + all_tracks.append(t) + #print(all_tracks) + #all_tracks = [ + # t["file"] + # for t in client.list("file") + # if "file" in t + #] + + shuffle(all_tracks) + + chosen = [] + remaining = dur + for t in all_tracks: + album = client.list("album", "file", t)[0] + duration = duration_of("file", t) + if album in [chosen_album, "Lainchan Radio Transitions"]: + continue + if duration > remaining: + continue + chosen.append(t) + remaining = remaining - duration + + return chosen, dur - remaining + + + def schedule_radio(client, target_dur= 3 * 60 * 60): + """Schedule music. + + Keyword arguments: + target_dur -- the target duration to fill. + """ + + # Pick a transition and two albums + transition, transition_dur = pick_transition(client) + album, album_dur = pick_album(client, target_dur) + + # Determine how much time is remaining in the two-hour slot + time_remaining = target_dur - transition_dur - album_dur + + # Pick a list of tracks to fill the gap + tracks, tracks_dur = pick_tracks(client, album, time_remaining) + + # Some stats first + print("Transition: {} ({}s)".format(transition, transition_dur)) + print("Album: {} ({}s)".format(album, album_dur)) + print("Tracks: #{} ({}s)".format(len(tracks), tracks_dur)) + print() + print("Target duration: {}s".format(target_dur)) + print("Actual duration: {}s".format(transition_dur + album_dur + tracks_dur)) + print("Difference: {}s".format(time_remaining - tracks_dur)) + + # Set playback to in-order repeat + client.random(0) + client.repeat(1) + + # Make sure it's playing + client.play() + + # Add tracks + client.add(transition) + client.findadd("album", album) + for t in tracks: + client.add(t) + + # Delete up to the current track, minus 10 tracks (for the web + # playlist) + status = client.status() + if "song" in status: + client.delete((0, max(0, int(status["song"]) - 10))) + + + if __name__ == "__main__": + args = docopt(__doc__) + + try: + 
args["PORT"] = int(args["PORT"]) + except ValueError: + print("PORT must be an integer") + exit(1) + + try: + client = MPDClient() + client.connect(args["--host"], args["PORT"]) + except Exception as e: + print(f"could not connect to MPD: {e.args[0]}") + exit(2) + + client.update() + schedule_radio(client) + + + +Editing schedule.py to fix the python errors now it can be used: + + + root@lain:/srv/lainonlife/scripts# python3 schedule.py --host=127.0.0.1 6601 + "Cyberia" + "Infected Mushroom - Army Of Mushrooms" + "Lainchan Radio Transitions" + "Pendulum" + ['"Cyberia"', '"Infected Mushroom - Army Of Mushrooms"', '"Lainchan Radio Transitions"', '"Pendulum"'] + Transition: transitions/Destination Luna4-VGaQwDylJPM.mp3 (142s) + Album: "Pendulum" (8631s) + Tracks: #0 (0s) + + Target duration: 1800s + Actual duration: 8773s + Difference: -6973s + + + +Now another guess for the 'undefined' song names problem, i assume that it's the missing tag titles, so let's see if that's the case: + + + root@lain:/srv/radio/music/cyberia# id3tag --song "Pendulum - The Tempest" The\ Tempest\ -\ Pendulum\ \[HQ\]-uy-3tWaKyg8.mp3 + +++ Song = Pendulum - The Tempest + Tagging The Tempest - Pendulum [HQ]-uy-3tWaKyg8.mp3: attempting v1 and v2, tagged v1 and v2 + + root@lain:/srv/radio/music/cyberia# id3tag --song "Pendulum - The Other Side" Pendulum\ \- The\ Other\ Side\ -\ Pendulum\ \[HQ\]-z0hwFJ1rbbU.mp3 + +++ Song = Pendulum - The Other Side + + root@lain:/srv/radio/music/cyberia# ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config + #press u to update database + + + +![](36.png) + +Looks like we were right! What we were missing here was the song/title tags for each mp3 file. so let's make a script to automatically add all of them: + + + root@lain:/srv/radio/music# vim tagger_titles.sh + root@lain:/srv/radio/music# cat tagger_titles.sh + #! 
/bin/bash + + GREEN="\033[0;32m" + ORANGE="\033[0;33m" + RED="\033[0;31m" + NC="\033[0m" + + echo -en "${GREEN}[+]${NC} Type the name of the channel directory (ex: cyberia): " + read channel + + #### First list the songs and ask if the user wants to add the album tag to them: + + #change IFS + SAVEIFS=$IFS + IFS=$(echo -en "\n\b") + + cd $channel + SONGS=* + + for SONG in $SONGS ; + do + echo -en "\n ${ORANGE}[+] $SONG${NC}" + done + cd .. + + #restore IFS + IFS=$SAVEIFS + + + + echo -en "\n\n${GREEN}[+]${NC} add the filename as ${ORANGE}title${NC} tag to these songs ? (y/n)" + read choice + + + ####### If user says 'y' then add the album tag to the selected songs: + + if [ "$choice" == "y" ]; + then + echo 'yes' + + #change IFS + SAVEIFS=$IFS + IFS=$(echo -en "\n\b") + + cd $channel + SONGS=* + + for SONG in $SONGS ; + do + echo -en "\n ${GREEN}[+] $SONG${RED} ADDING TITLE TAG: ${ORANGE}$SONG${NC}" + id3tag --song="\"$SONG\"" $SONG + done + cd .. + + #restore IFS + IFS=$SAVEIFS + else + echo 'cancelling....' + fi + + echo + exit + ![](37.png) + + +Now that's done we update the database with ncmpcpp as usual: + + + root@lain:/srv/radio/music# ncmpcpp -h 127.0.0.1 -p 6601 -c ~/.config/ncmpcpp/config + #press u to update the database + + + +![](38.png) + +And there you go! We managed to make each file's name display. + +## **Automation** + +So now that we know our webserver is working as intended, let's write systemd services to handle automatically **mpd** , **icecast** and the **run.sh** bashscript: + + + + root@lain:~# icecast -c /srv/icecast-server/conf/icecast.xml + root@lain:~# CONFIG=../config.json HTTP_DIR=/srv/http PORT=8002 ./run.sh + root@lain:~# mpd ~/.config/mpd.conf + + + +In essence we need a systemd service to make the root user run these 3 commands so let's make them one by one. 
First the icecast systemd service: + + + root@lain:/srv/radio/music# cd /etc/systemd/system/ + + root@lain:/etc/systemd/system# vim icecast.service + + root@lain:/etc/systemd/system# cat icecast.service**[Unit] + Description=Icecast systemd service with config in /srv/icecast-server/conf/icecast.xml + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + ExecStart=icecast -c /srv/icecast-server/conf/icecast.xml + Restart=always + RestartSec=10 + KillMode=process + + [Install] + WantedBy=multi-user.target + root@lain:/etc/systemd/system# systemctl daemon-reload** + root@lain:/etc/systemd/system# systemctl enable --now icecast + Created symlink /etc/systemd/system/multi-user.target.wants/icecast.service → /etc/systemd/system/icecast.service. + root@lain:/etc/systemd/system# systemctl status icecast + ● icecast.service - Icecast systemd service with config in /srv/icecast-server/conf/icecast.xml + Loaded: loaded (/etc/systemd/system/icecast.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-07-12 22:52:27 CEST; 5s ago + Main PID: 10092 (icecast) + Tasks: 4 (limit: 4700) + Memory: 1.0M + CGroup: /system.slice/icecast.service + └─10092 /usr/local/bin/icecast -c /srv/icecast-server/conf/icecast.xml + + Jul 12 22:52:27 lain systemd[1]: Started Icecast systemd service with config in /srv/icecast-server/conf/icecast.xml. + Jul 12 22:52:27 lain icecast[10092]: [2021-07-12 22:52:27] WARN CONFIG/_parse_root Warning, <****location> not configured, using default value "Earth". + Jul 12 22:52:27 lain icecast[10092]: [2021-07-12 22:52:27] WARN CONFIG/_parse_root Warning, <****admin> contact not configured, using default value "icemaster@localhost". 
+ +We do the same for the backend script run.sh used to run the radio itself: + + + + root@lain:/etc/systemd/system# vim lainradio.service + root@lain:/etc/systemd/system# cat lainradio.service + **[Unit] + Description=running the run.sh script with the correct arguements + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + WorkingDirectory=/srv/lainonlife/backend/ + Environment="CONFIG=../config.json" + Environment="HTTP_DIR=/srv/http" + Environment="PORT=8002" + ExecStart=/srv/lainonlife/backend/backend.py + Restart=always + RestartSec=10 + KillMode=process + + [Install] + WantedBy=multi-user.target** + + root@lain:/etc/systemd/system# systemctl daemon-reload + root@lain:/etc/systemd/system# systemctl enable --now lainradio + root@lain:/etc/systemd/system# systemctl status lainradio + ● lainradio.service - running the run.sh script with the correct arguements + Loaded: loaded (/etc/systemd/system/lainradio.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-07-12 23:03:15 CEST; 2min 47s ago + Main PID: 10345 (bash) + Tasks: 13 (limit: 4700) + Memory: 30.8M + CGroup: /system.slice/lainradio.service + ├─10345 bash /srv/lainonlife/backend/run.sh + └─10354 python3 backend.py + + Jul 12 23:04:58 lain run.sh[10345]: 127.0.0.1 - - [12/Jul/2021 23:04:58] "GET /playlist/cyberia.json HTTP/1.0" 200 - + Jul 12 23:04:58 lain run.sh[10345]: 127.0.0.1 - - [12/Jul/2021 23:04:58] "GET /playlist/cyberia.json HTTP/1.0" 200 - + Jul 12 23:05:13 lain run.sh[10345]: 127.0.0.1 - - [12/Jul/2021 23:05:13] "GET /playlist/cyberia.json HTTP/1.0" 200 - + Jul 12 23:05:13 lain run.sh[10345]: 127.0.0.1 - - [12/Jul/2021 23:05:13] "GET /playlist/cyberia.json HTTP/1.0" 200 - + Jul 12 23:05:28 lain run.sh[10345]: 127.0.0.1 - - [12/Jul/2021 23:05:28] "GET /playlist/cyberia.json HTTP/1.0" 200 - + + + +Now that's done we're going to setup the systemd service for mpd, now i intend to make a 
multiple-channel setup so i will make mpd use the config file: + + + root@lain:/etc/systemd/system# vim mpd-cyberia.service + root@lain:/etc/systemd/system# cat mpd-cyberia.service + **[Unit] + Description=mpd systemd service with config in /root/.config/mpd/cyberia.conf + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + ExecStart=mpd --no-daemon /root/.config/mpd/cyberia.conf + Restart=always + RestartSec=10 + KillMode=process + + [Install] + WantedBy=multi-user.target** + root@lain:/etc/systemd/system# systemctl daemon-reload + root@lain:/etc/systemd/system# + + root@lain:/etc/systemd/system# cd ~/.config/mpd/ + root@lain:~/.config/mpd# ls -l + total 4 + -rw-r--r-- 1 root root 1773 Jul 12 09:32 mpd.conf + + root@lain:~/.config/mpd# cp mpd.conf cyberia.conf + + root@lain:~/.config/mpd# cd - + /etc/systemd/system + + root@lain:/etc/systemd/system# systemctl disable mpd + root@lain:/etc/systemd/system# kill $(pidof mpd) + root@lain:/etc/systemd/system# kill $(pidof mpd) + root@lain:/etc/systemd/system# kill $(pidof mpd) + root@lain:/etc/systemd/system# systemctl enable --now mpd-cyberia + + root@lain:/etc/systemd/system# systemctl status mpd-cyberia.service + ● mpd-cyberia.service - mpd systemd service with config in /root/.config/mpd/cyberia.conf + Loaded: loaded (/etc/systemd/system/mpd-cyberia.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-07-12 23:20:47 CEST; 3min 13s ago + Main PID: 10921 (mpd) + Tasks: 10 (limit: 4700) + Memory: 15.7M + CGroup: /system.slice/mpd-cyberia.service + └─10921 /usr/bin/mpd --no-daemon /root/.config/mpd/cyberia.conf + + Jul 12 23:20:47 lain systemd[1]: Started mpd systemd service with config in /root/.config/mpd/cyberia.conf. 
+ Jul 12 23:20:48 lain mpd[10921]: Jul 12 23:20 : hybrid_dsd: The Hybrid DSD decoder is disabled because it was not explicitly enabled + Jul 12 23:20:48 lain mpd[10921]: Jul 12 23:20 : exception: Input plugin 'tidal' is unavailable: No Tidal application token configured + Jul 12 23:20:48 lain mpd[10921]: Jul 12 23:20 : exception: Input plugin 'qobuz' is unavailable: No Qobuz app_id configured + + + +And that's it! We managed to create 3 independent systemd services that will run everytime the host boots up, ensuring that the radio stays up and running from the start automatically. Now that should already be done but make sure that nginx and prometheus' systemd services are enabled too: + + + root@lain:/etc/systemd/system# systemctl enable --now nginx + root@lain:/etc/systemd/system# systemctl enable --now prometheus + + + +## **Multi-Channel + Album Ordering Setup** + +Before adding channels let's get a more organized music folder architecture: + +![](39.png) + +Basically, for each channel, we're going to have a folder for each album, and inside of each album folder we're going to have our song files. And also let's not forget that we have our transition files in the **transitions** folder, we want to tag them correctly with **Lainchan Radio Transitions** special album name. So from here we proceed: + +![](40.png) + +First i move all of my songs into folders: + + + mkdir "Serial Experiments Lain OST" + mkdir "Infected Mushroom - Army of Mushrooms" + mkdir "Pendulum - In Silico" + + mv Infec* Infected\ Mushroom\ -\ Army\ of\ Mushrooms/ + mv Serial* Serial\ Experiments\ Lain\ OST/ + mv *Pendulum* Pendulum\ -\ In\ Silico/ + mv *pendulum* Pendulum\ -\ In\ Silico/ + mv Lain\'s\ Theme\ -\ Lain-o-cwuTmqz8c.mp3 Serial\ Experiments\ Lain\ OST/ + + root@lain:/srv/radio/music/cyberia# ls -lash + total 24K + 4.0K drwxr-xr-x 6 root root 4.0K Jul 13 09:48 . + 4.0K drwxr-xr-x 3 root root 4.0K Jul 13 09:44 .. 
+ 4.0K drwxr-xr-x 2 root root 4.0K Jul 13 09:47 'Infected Mushroom - Army of Mushrooms' + 4.0K drwxr-xr-x 2 root root 4.0K Jul 13 09:48 'Pendulum - In Silico' + 4.0K drwxr-xr-x 2 root root 4.0K Jul 13 09:48 'Serial Experiments Lain OST' + 4.0K drwxr-xr-x 2 root root 4.0K Jul 13 09:11 transitions + + root@lain:/srv/radio/music/cyberia# tree . + . + ├── Infected Mushroom - Army of Mushrooms + │   ├── Infected Mushroom - (01) Nevermind [HQ] 2012-Fzj7BZeqVzk.mp3 + │   ├── Infected Mushroom - (02) Nothing to Say [HQ] 2012-fQcB8yo46eI.mp3 + │   ├── Infected Mushroom - (03) Send Me an Angel [HQ] 2012-W2Ks5AkCHow.mp3 + │   ├── Infected Mushroom - (04) U R So Fucked [HQ] 2012-62gm17b2bMI.mp3 + │   ├── Infected Mushroom - (05) The Rat [HQ] 2012-nHIWgbBDx0o.mp3 + │   ├── Infected Mushroom - (06) Nation of Wusses [HQ] 2012-L25QxK0Csg0.mp3 + │   ├── Infected Mushroom - (07) Wanted To [HQ] 2012-2PaSS6JFvXc.mp3 + │   ├── Infected Mushroom - (08) Serve My Thirst [HQ] 2012-_J6feIrbcEo.mp3 + │   ├── Infected Mushroom (09) - I Shine [HQ] 2012-OtbFUedy6Xs.mp3 + │   ├── Infected Mushroom - (10) Drum n Baasa [HQ] 2012-4IhPuiuYx30.mp3 + │   ├── Infected Mushroom - (11) The Pretender (Foo Fighters Cover) [HQ] 2012-boKAyiI-8WQ.mp3 + │   ├── Infected Mushroom - (12) The Messenger 2012 [HQ] 2012-x0lRqrID3i4.mp3 + │   └── Infected Mushroom - (13) Swingish (Bonus Track) [HQ] 2012-7KwBE6XJbj4.mp3 + ├── Pendulum - In Silico + │   ├── 9,000 Miles - Pendulum [HQ]-9AudFoAMTik.mp3 + │   ├── Different - Pendulum [HQ]-3JUwQglYFig.mp3 + │   ├── Granite - Pendulum [HQ]-h17WaF6alVY.mp3 + │   ├── Midnight Runner - Pendulum [HQ]-oSbop6jmBS4.mp3 + │   ├── Mutiny - Pendulum [HQ]-ucchDCKCTTs.mp3 + │   ├── pendulum axle grinder-UiGJbBlsrqE.mp3 + │   ├── pendulum out here-SM3fWfBgyJk.mp3 + │   ├── pendulum-prelude-PYUHFPqI3Rw.mp3 + │   ├── Propane Nightmares - Pendulum [HQ]-SBohx23x0jw.mp3 + │   ├── Showdown - Pendulum [HQ]-mszCJSB02_8.mp3 + │   ├── The Other Side - Pendulum [HQ]-z0hwFJ1rbbU.mp3 + │   ├── The 
Tempest - Pendulum [HQ]-uy-3tWaKyg8.mp3 + │   └── Visions - Pendulum [HQ]-HXSfB-zQUAg.mp3 + ├── Serial Experiments Lain OST + │   ├── Lain's Theme - Lain-o-cwuTmqz8c.mp3 + │   ├── Serial Experiment Lain - Antidepressant 044-KaOsmUDMdaE.mp3 + │   ├── Serial Experiment Lain - Cloudy with occasional rain-1TunrW7dRr0.mp3 + │   ├── Serial Experiment Lain - Duvet (cyberia remix)-juDqDMlTfUg.mp3 + │   ├── Serial Experiment Lain - Duvet (tv version)-EnEaNaqGMqU.mp3 + │   ├── Serial Experiment Lain - Infanity world-AsPLBQfZQ04.mp3 + │   ├── Serial Experiment Lain - Invisible file-32IlMQ8Bs6w.mp3 + │   ├── Serial Experiment Lain - Island in video cassette-CCdyzUPrLpM.mp3 + │   ├── Serial Experiment Lain - k.i.d.s-TvCJnW46ISo.mp3 + │   ├── Serial Experiment Lain - Prayer-yyPMWWjzMG8.mp3 + │   ├── Serial Experiment Lain - Professed intention and real-D4G97Xsc8PA.mp3 + │   ├── Serial Experiment Lain - Psychedelic farm-XEGz6CJnY04.mp3 + │   ├── Serial Experiment Lain - Speed-zFwQFdAsGGA.mp3 + │   └── Serial Experiments Lain - Cyberia Theme-5dbi4N6NGn4.mp3 + └── transitions + ├── Autumn + ├── Autumn In Space-nWqcLWxZOH0.mp3 + ├── Circuit + ├── Circuit Lover-zduKG8YUKxM.mp3 + ├── Coloris-YTY7UV6GpkM.mp3 + ├── Destination + ├── Destination Luna4-VGaQwDylJPM.mp3 + ├── Distort + ├── Distort Into Me-_zLINqJYH0U.mp3 + ├── Fuse-MhHshcp5tQs.mp3 + ├── Gum-tTGBo0Fmf4A.mp3 + ├── In + ├── In Time-8PmEsQY5rq4.mp3 + ├── Monochrome-uFNppANT-Dk.mp3 + ├── Orbit-SHFmUt1Jit4.mp3 + ├── Reality-C0ybGDNZos8.mp3 + ├── Together-ohViqbZZnpE.mp3 + ├── Tokyo + ├── Tokyo Nights-5fXc8aoF2eU.mp3 + ├── Touch + ├── Touch and Go-gxfyax1IPdk.mp3 + ├── Traveling + └── Traveling By Night-75yOApYoc6Y.mp3 + + + +And now that's done we're going to change our tagger script as follows: + + + root@lain:/srv/radio/music# vim tagger.sh + root@lain:/srv/radio/music# cat tagger.sh + #! 
/bin/bash + + GREEN="\033[0;32m" + ORANGE="\033[0;33m" + RED="\033[0;31m" + NC="\033[0m" + + echo -en "${GREEN}[+]${NC} Type the name of the channel directory (ex: cyberia): " + read channel + + + #### First list the songs and ask if the user wants to add the album tag to them: + + #change IFS + SAVEIFS=$IFS + IFS=$(echo -en "\n\b") + + + ALBUMS="*" + cd $channel + for ALBUM in $ALBUMS ; + do + echo -en "\n ${ORANGE}[+] $ALBUM${NC}" + cd $ALBUM + SONGS="*" + for SONG in $SONGS; + do + echo -en "\n ${GREEN} [+] $SONG${NC}" + done + cd .. + done + cd .. + + #restore IFS + IFS=$SAVEIFS + + + echo -en "\n\n${GREEN}[+]${NC} add the ${RED}$album${NC} ${ORANGE}album${NC} tag to these ${GREEN}songs ${NC}? (y/n)" + read choice + + + + + + + ####### If user says 'y' then add the album tag to the selected songs: + if [ "$choice" == "y" ]; + then + echo 'yes' + #change IFS + SAVEIFS=$IFS + IFS=$(echo -en "\n\b") + + + ALBUMS="*" + cd $channel + for ALBUM in $ALBUMS ; + do + echo -en "\n ${ORANGE}[+] $ALBUM${NC}" + cd $ALBUM + SONGS="*" + for SONG in $SONGS; + do + echo -en "\n ${GREEN} [+] $SONG${NC}" + if [ $ALBUM == "transitions" ]; + then + id3tag --album="Lainchan Radio Transitions" $SONG + id3tag --song="\"$SONG\"" $SONG + else + id3tag --album="\"$ALBUM\"" $SONG + id3tag --song="\"$SONG\"" $SONG + + fi + done + cd .. + done + cd .. + #restore IFS + IFS=$SAVEIFS + + else + echo 'cancelling....' + fi + + + echo + exit + + + +![](41.png) + +Basically, this script goes into the **channel/** directory, then goes into each **album/** directory, and then will add the tags as follows: the **filename.mp3** becomes the song's id3tag, and the song's **album/** directory becomes the song's album id3tag. Which fits how we want our service to function. 
Once that's done we simply run the **schedule.py** script to schedule our songs once again after updating the database: + + + root@lain:/srv/radio/music# ./tagger.sh + + root@lain:/srv/radio/music# ncmpcpp -h 127.0.0.1 -p 6601 + #press u to update database + #press q to quit + + root@lain:/srv/radio/music# python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6601 + "Infected Mushroom - Army of Mushrooms" + "Pendulum - In Silico" + "Serial Experiments Lain OST" + Lainchan Radio Transitions + ['"Infected Mushroom - Army of Mushrooms"', '"Pendulum - In Silico"', '"Serial Experiments Lain OST"', 'Lainchan Radio Transitions'] + Transition: transitions/In Time-8PmEsQY5rq4.mp3 (129s) + Album: "Serial Experiments Lain OST" (4057s) + Tracks: #18 (6581s) + + Target duration: 10800s + Actual duration: 10767s + Difference: 33s + + + +Now another thing we can do is run the schedule.py script automatically every 3 hours so that our songs are continuously being updated, we can do that with a cronjob: + + + root@lain:/srv/radio/music# crontab -e + no crontab for root - using an empty one + + Select an editor. To change later, run 'select-editor'. + 1. /bin/nano ---- easiest + 2. /usr/bin/vim.basic + 3. 
/usr/bin/vim.tiny + + Choose 1-3 [1]: 2 + + + # m h dom mon dow command + 0 */3 * * * python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6601 + + :wq + + + +Now in order to test our cronjob we can use cronitor: + + + + + [ lain ] [ /dev/pts/1 ] [~] + → wget https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz + + + [ lain ] [ /dev/pts/1 ] [~] + → sudo tar xvf linux_amd64.tar.gz -C /usr/bin/ + cronitor + + [ lain ] [ /dev/pts/1 ] [~] + → sudo cronitor configure --api-key 1234567890 + + Configuration File: + /etc/cronitor/cronitor.json + + Version: + 28.8 + + API Key: + 1234567890 + + Ping API Key: + Not Set + + Environment: + Not Set + + Hostname: + lain + + Timezone Location: + {Europe/Paris} + + Debug Log: + Off + + root@lain:/srv/radio/music# cronitor list + + ----► Checking user "root" crontab + +-------------------+------------------------------------------------------------------------------------------------------+ + | SCHEDULE | COMMAND | + +-------------------+------------------------------------------------------------------------------------------------------+ + | 0 */3 * * * | python3 | + | | /srv/lainonlife/scripts/schedule.py | + | | --host=127.0.0.1 6601 | + +-------------------+------------------------------------------------------------------------------------------------------+ + + ----► Checking /etc/crontab + +-------------------+------------------------------------------------------------------------------------------------------+ + | SCHEDULE | COMMAND | + +-------------------+------------------------------------------------------------------------------------------------------+ + | 17 * * * * | cd / && run-parts --report | + | | /etc/cron.hourly | + | 25 6 * * * | test -x /usr/sbin/anacron || | + | | ( cd / && run-parts --report | + | | /etc/cron.daily ) | + | 47 6 * * 7 | test -x /usr/sbin/anacron || | + | | ( cd / && run-parts --report | + | | /etc/cron.weekly ) | + | 52 6 1 * * | test -x 
/usr/sbin/anacron || | + | | ( cd / && run-parts --report | + | | /etc/cron.monthly ) | + +-------------------+------------------------------------------------------------------------------------------------------+ + + + + +Now to test the cronjob we run **cronitor select** + + + root@lain:/srv/radio/music# cronitor select + + ✔ python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6601 + ----► Running command: python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6601 + + "Infected Mushroom - Army of Mushrooms" + "Pendulum - In Silico" + "Serial Experiments Lain OST" + Lainchan Radio Transitions + ['"Infected Mushroom - Army of Mushrooms"', '"Pendulum - In Silico"', '"Serial Experiments Lain OST"', 'Lainchan Radio Transitions'] + Transition: transitions/Together-ohViqbZZnpE.mp3 (144s) + Album: "Serial Experiments Lain OST" (4057s) + Tracks: #19 (6506s) + + Target duration: 10800s + Actual duration: 10707s + Difference: 93s + + ----► ✔ Command successful Elapsed time 0.223s + + root@lain:/srv/radio/music# + + + +And here we see that we have been able to successfully run the script through our cronjob, and the way we set it up makes it so schedule.py is being ran every 3 hours, that way it matches the 3 hours of audio it tries to queue. Now let's add another channel. 
To do that we need 3 things, a **channel** directory in **/srv/radio/music/** , another **mpd** service running on another port (i'll do ports 6601, 6602, 6603, 6604, etc) and to edit the website configuration **config.json** to let the clients choose which channel they want to listen to: + + + root@lain:/srv/radio/music# mkdir metal + root@lain:/srv/radio/music# cd metal + root@lain:/srv/radio/music/metal# mkdir "Rivers of Nihil - Where Owls Know My Name" + root@lain:/srv/radio/music/metal# mkdir "Behemoth - The Satanist" + root@lain:/srv/radio/music/metal# mkdir "Carnifex - Slow Death" + root@lain:/srv/radio/music/metal# mkdir "Rivers of Nihil - Monarchy" + root@lain:/srv/radio/music/metal# cd Rivers\ of\ Nihil\ -\ Where\ Owls\ Know\ My\ Name/ + root@lain:/srv/radio/music/metal/Rivers of Nihil - Where Owls Know My Name# + root@lain:/srv/radio/music/metal/Rivers of Nihil - Where Owls Know My Name# youtube-dl https://www.youtube.com/playlist?list=PLEouLkiLHdSDIqsVoq7a9bJDifla6XNq9 -x --audio-format mp3 + [youtube:tab] PLEouLkiLHdSDIqsVoq7a9bJDifla6XNq9: Downloading webpage + [download] Downloading playlist: Rivers Of Nihil - Where Owls Know My Name + [youtube:tab] playlist Rivers Of Nihil - Where Owls Know My Name: Downloading 10 videos + + + +Now like this you can fill in each of your album folders just like we did for the cyberia channel, don't forget the transitions either: + + + root@lain:/srv/radio/music/metal# mkdir transitions + root@lain:/srv/radio/music/metal# youtube-dl LINK -x --audio-format mp3 + + + +once you filled up the channel directory with album directories, run the tagger: + + + root@lain:/srv/radio/music# ls -l metal/ + total 40 + drwxr-xr-x 2 root root 4096 Jul 13 11:34 'Behemoth - I Loved You At Your Darkest' + drwxr-xr-x 2 root root 4096 Jul 13 11:11 'Behemoth - The Satanist' + drwxr-xr-x 2 root root 4096 Jul 13 11:09 'Carnifex - Slow Death' + drwxr-xr-x 2 root root 4096 Jul 13 11:22 'Meshuggah - Obzen' + drwxr-xr-x 2 root root 4096 Jul 13 
11:24 'Meshuggah - The Violent Sleep of Reason' + drwxr-xr-x 2 root root 4096 Jul 13 11:07 'Rivers of Nihil - Monarchy' + drwxr-xr-x 2 root root 4096 Jul 13 11:06 'Rivers of Nihil - Where Owls Know My Name' + drwxr-xr-x 2 root root 4096 Jul 13 11:27 'The Black Dahlia Murder - Abysmal' + drwxr-xr-x 2 root root 4096 Jul 13 11:26 'The Black Dahlia Murder - Deflorate' + drwxr-xr-x 2 root root 4096 Jul 13 11:20 transitions + root@lain:/srv/radio/music# ./tagger.sh + + + +![](42.png) ![](43.png) + +Once that's done we're going to make another mpd config for our second channel, my second channel's mpd config will be in **/root/.config/mpd/metal.conf** : + + + root@lain:~/.config/mpd# cat metal.conf + music_directory "/srv/radio/music/metal" + playlist_directory "/srv/radio/data/metal/playlists" + db_file "/srv/radio/data/metal/db" + state_file "/srv/radio/data/metal/state" + sticker_file "/srv/radio/data/metal/sticker.sql" + log_file "/srv/radio/data/syslog.metal" + bind_to_address "127.0.0.1" + #bind_to_address "10.0.0.201" + port "6602" + + audio_output { + name "[mpd] metal (ogg)" + description "classic lainchan radio: electronic, chiptune, weeb" + type "shout" + encoder "vorbis" + host "localhost" + port "8000" + mount "/mpd-metal.ogg" + user "source" + password "P@SSWORD" + quality "3" + format "44100:16:2" + always_on "yes" + } + + audio_output { + name "[mpd] metal (mp3)" + description "classic lainchan radio: electronic, chiptune, weeb" + type "shout" + encoder "lame" + host "localhost" + port "8000" + mount "/mpd-metal.mp3" + user "source" + password "P@SSW0RD" + quality "3" + format "44100:16:2" + always_on "yes" + } + + audio_output { + type "null" + name "null" + } + + audio_output { + type "alsa" + name "alsa audio" + mixer_type "software" + } + + audio_output { + type "fifo" + name "my_fifo2" + path "/tmp/mpd.fifo2" + format "44100:16:2" + } + + +I also create the directories it requires for the playlists and database: + + + root@lain:~/.config/mpd# mkdir -p 
/srv/radio/data/metal/playlists/ + root@lain:~/.config/mpd# cd /srv/radio/data/ + root@lain:/srv/radio/data# tree . + . + ├── cyberia + │   ├── db + │   ├── playlists + │   │   ├── cyberia.m3u + │   │   ├── Infected Mushroom - Army of Mushrooms.m3u + │   │   ├── Lainchan Radio Transitions.m3u + │   │   └── pendulum.m3u + │   ├── state + │   └── sticker.sql + ├── metal + │   └── playlists + └── syslog + + 4 directories, 8 files + + + +Now since we already made a systemd service to run the cyberia mpd process, let's make another one for the second channel: + + + root@lain:/srv/radio/data# cd /etc/systemd/system/ + root@lain:/etc/systemd/system# ls -l | grep mpd + -rw-r--r-- 1 root root 334 Jul 12 23:19 mpd-cyberia.service + root@lain:/etc/systemd/system# cp mpd-cyberia.service mpd-metal.service + + root@lain:/etc/systemd/system# vim mpd-metal.service + root@lain:/etc/systemd/system# cat mpd-metal.service + [Unit] + Description=mpd systemd service with config in /root/.config/mpd/metal.conf + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + ExecStart=mpd --no-daemon /root/.config/mpd/metal.conf + Restart=always + RestartSec=10 + KillMode=process + + [Install] + WantedBy=multi-user.target + root@lain:/etc/systemd/system# systemctl daemon-reload + root@lain:/etc/systemd/system# systemctl enable --now mpd-metal + Created symlink /etc/systemd/system/multi-user.target.wants/mpd-metal.service → /etc/systemd/system/mpd-metal.service. 
+ + + +Now once that's done we can connect to it on port 6602: + + + root@lain:/srv/radio/data# ncmpcpp -h 127.0.0.1 -p 6602 + #press u to update database + #press 7 to go to the outputs + #press enter to activate the metal ogg and mp3 outputs + #press 4 to check the album tags + ![](44.png) + #press q to exit + + root@lain:/srv/radio/data# python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6602 + "Behemoth - I Loved You At Your Darkest" + "Behemoth - The Satanist" + "Carnifex - Slow Death" + "Meshuggah - Obzen" + "Meshuggah - The Violent Sleep of Reason" + "Rivers of Nihil - Monarchy" + "Rivers of Nihil - Where Owls Know My Name" + "The Black Dahlia Murder - Abysmal" + "The Black Dahlia Murder - Deflorate" + Lainchan Radio Transitions + ['"Behemoth - I Loved You At Your Darkest"', '"Behemoth - The Satanist"', '"Carnifex - Slow Death"', '"Meshuggah - Obzen"', '"Meshuggah - The Violent Sleep of Reason"', '"Rivers of Nihil - Monarchy"', '"Rivers of Nihil - Where Owls Know My Name"', '"The Black Dahlia Murder - Abysmal"', '"The Black Dahlia Murder - Deflorate"', 'Lainchan Radio Transitions'] + Transition: transitions/Buckethead - Asylum Of Glass (Song Only)-AgzzsbPj_1w.mp3 (278s) + Album: "Behemoth - The Satanist" (2671s) + Tracks: #29 (7762s) + + Target duration: 10800s + Actual duration: 10711s + Difference: 89s + + root@lain:/srv/radio/data# ncmpcpp -h 127.0.0.1 -p 6602 + #press enter to start playing the tracks + #press q to exit + + + +Now that's done let's add another cronjob to make sure the tracks are constantly added every 3 hours for our second channel: + + + root@lain:/srv/radio/data# crontab -e + + # m h dom mon dow command + 0 */3 * * * python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6601 + 0 */3 * * * python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6602 + + :wq + + root@lain:/srv/radio/data# cronitor select + + ✔ python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6602 + ----► Running command: python3 
/srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6602 + + "Behemoth - I Loved You At Your Darkest" + "Behemoth - The Satanist" + "Carnifex - Slow Death" + "Meshuggah - Obzen" + "Meshuggah - The Violent Sleep of Reason" + "Rivers of Nihil - Monarchy" + "Rivers of Nihil - Where Owls Know My Name" + "The Black Dahlia Murder - Abysmal" + "The Black Dahlia Murder - Deflorate" + Lainchan Radio Transitions + ['"Behemoth - I Loved You At Your Darkest"', '"Behemoth - The Satanist"', '"Carnifex - Slow Death"', '"Meshuggah - Obzen"', '"Meshuggah - The Violent Sleep of Reason"', '"Rivers of Nihil - Monarchy"', '"Rivers of Nihil - Where Owls Know My Name"', '"The Black Dahlia Murder - Abysmal"', '"The Black Dahlia Murder - Deflorate"', 'Lainchan Radio Transitions'] + Transition: transitions/Buckethead - I love my parents-BwXlzy9k7jI.mp3 (253s) + Album: "The Black Dahlia Murder - Deflorate" (2041s) + Tracks: #27 (8418s) + + Target duration: 10800s + Actual duration: 10712s + Difference: 88s + + ----► ✔ Command successful Elapsed time 0.291s + + + +Now that we finished our cronitor job for our second channel, we need to edit icecast.xml: + + + root@lain:/srv/radio/data# vim /srv/icecast-server/conf/icecast.xml + ![](45.png) + + + +Once we add the following block we restart our icecast service: + + + root@lain:/srv/radio/data# systemctl restart icecast + root@lain:/srv/radio/data# systemctl status icecast + ● icecast.service - Icecast systemd service with config in /srv/icecast-server/conf/icecast.xml + Loaded: loaded (/etc/systemd/system/icecast.service; enabled; vendor preset: enabled) + Active: active (running) since Tue 2021-07-13 12:06:07 CEST; 1s ago + Main PID: 5283 (icecast) + Tasks: 4 (limit: 4915) + Memory: 1.2M + CGroup: /system.slice/icecast.service + └─5283 /usr/local/bin/icecast -c /srv/icecast-server/conf/icecast.xml + + Jul 13 12:06:07 lain systemd[1]: Started Icecast systemd service with config in /srv/icecast-server/conf/icecast.xml. 
+ Jul 13 12:06:07 lain icecast[5283]: [2021-07-13 12:06:07] WARN CONFIG/_parse_root Warning, location> not configured, using default value "Earth". + Jul 13 12:06:07 lain icecast[5283]: [2021-07-13 12:06:07] WARN CONFIG/_parse_root Warning, admin> contact not configured, using default value "icemaster@localhost". This breaks YP + root@lain:/srv/radio/data# + + + +Now if you do this you will probably see that icecast doesnt detect the mountpoints anymore, to fix that restart the mpd channels: + + + root@lain:/srv/radio/data# systemctl restart mpd-cyberia + root@lain:/srv/radio/data# systemctl restart mpd-metal + + + +You can verify if it's working at **localip:8000/admin/listmounts.xsl** + +![](46.png) + +Now we need to change config.json to include our second channel: + + + root@lain:/srv/lainonlife# ls -l + total 36 + drwxr-xr-x 4 root root 4096 Jul 12 18:49 backend + drwxr-xr-x 2 root root 4096 Jul 12 16:34 concourse + -rw-r--r-- 1 root root 366 Jul 12 10:05 config.json + -rw-r--r-- 1 root root 695 Jul 11 22:11 config.json.example + drwxr-xr-x 2 root root 4096 Jul 11 23:32 examples + drwxr-xr-x 10 root root 4096 Jul 12 10:16 frontend + -rw-r--r-- 1 root root 1082 Jul 11 22:11 LICENSE + -rw-r--r-- 1 root root 2344 Jul 11 22:11 README.md + drwxr-xr-x 2 root root 4096 Jul 13 08:48 scripts + + root@lain:/srv/lainonlife# vim config.json + root@lain:/srv/lainonlife# cat config.json + + + { "channels": + { "cyberia": { "mpd_host": "localhost", "mpd_port": 6601, "description": "classic lainchan radio: electronic, chiptune, weeb" } + , "metal": { "mpd_host": "localhost", "mpd_port": 6602, "description": "Death Metal, Deathcore, Black Metal" }} + + , "template": + { "default_channel": "cyberia" + , "icecast_status_url": "/radio/status-json.xsl" + , "icecast_stream_url_base": "https://lain.void.yt/radio/" + , "server_cost": 10.00 + , "currency_symbol": "€" + } + } + + +Now since we modified the config file let's restart the lainradio service: + + + 
root@lain:/srv/lainonlife# systemctl restart lainradio.service + + [ lain ] [ /dev/pts/0 ] [~] + → vim /srv/lainonlife/scripts/restart-radio.sh + + [ lain ] [ /dev/pts/0 ] [~] + → cat /srv/lainonlife/scripts/restart-radio.sh + #!/bin/bash + + GREEN="\033[0;32m" + ORANGE="\033[0;33m" + RED="\033[0;31m" + NC="\033[0m" + + echo -en "${GREEN}[+]${NC} Stopping Lainradio and Icecast... \n" + systemctl stop lainradio + systemctl stop icecast + + echo -en "${GREEN}[+]${NC} Shutting down Lainradio backend ... \n" + kill $(pidof python3 backend.py) + + echo -en "${GREEN}[+]${NC} Restarting Lainradio and Icecast ... \n" + systemctl enable --now lainradio + systemctl enable --now icecast + + echo -en "${GREEN}[+]${NC} Waiting 5 seconds for icecast... \n" + sleep 5 + + echo -en "${GREEN}[+]${NC} Restarting the existing MPD channels and nginx... \n" + systemctl restart nginx + + + + #save IFS + SAVEIFS=$IFS + IFS=$(echo -en "\n\b") + + + CHANNELS="mpd*.service" + + cd /etc/systemd/system/ + for CHANNEL in $CHANNELS ; + do + echo -en "${ORANGE}[+]${NC} Restarting $CHANNEL ... \n" + systemctl restart $CHANNEL + done + cd - + + #restore IFS + IFS=$SAVEIFS + + + [ lain ] [ /dev/pts/0 ] [~] + → cronitor select + + ✔ /srv/lainonlife/scripts/restart-radio.sh + ----► Running command: /srv/lainonlife/scripts/restart-radio.sh + + [+] Stopping Lainradio and Icecast... + [+] Shutting down Lainradio backend ... + kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec] + [+] Restarting Lainradio and Icecast ... + [+] Waiting 5 seconds for icecast... + [+] Restarting the existing MPD channels and nginx... + [+] Restarting mpd-focus.service ... + [+] Restarting mpd-nihilism.service ... + [+] Restarting mpd-temple.service ... 
+ /root + + ----► ✔ Command successful Elapsed time 7.386s + + + +Now by default the radio.js file looks for the channel names by their ogg extention, so i modified it to look for mp3 instead, and we finally get the channels to be displayed: + + + root@lain:/srv/http/js# cat radio.js | grep mp3 + if(sname !== undefined && sname.startsWith("[mpd] ") && sname.endsWith(" (mp3)")) { + + + +I changed it from ogg to mp3 because for some reason i can't get my .ogg output streams to work, but the mp3 ones work fine so we're using them instead: + +![](48.png) + +And when we change channels we see that everything updates as intended: + +![](49.png) + +So with the same process we can add other channels, each of them have a systemd **mpd-channel.service** file to launch a **mpd** process on a specific port (ex: **6603** with a mpd config at **/root/.config/mpd/channel.conf** , with a directory at **/srv/radio/music/channel/** of their own. Of course you need to edit **/srv/lainonlife/config.json** and **icecast.xml** with your changes everytime. and make sure that you have a cronjob running **python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6603** every 3 hours after you added the **transition** tracks just like for our previous 2 channels in order to keep the radios constantly updated with new albums / songs to play for the listeners. 
+
+here's the forked repository with all important files i edited [here](https://git.void.yt/nothing/lainonlife):
+
+
+ -icecast.service
+ -mpd-cyberia.service
+ -lainradio.service
+
+ -schedule.py
+ -tagger.sh
+ -index.html
+
+ -ncmpcpp.conf
+ -mpd-cyberia.conf
+ -js/player.js
+
+
+Recap of crontab:
+
+
+ crontab -e
+
+ 0 */12 * * * python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6603 # focus
+ 0 */12 * * * python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6606 # nihilism
+ 0 */12 * * * python3 /srv/lainonlife/scripts/schedule.py --host=127.0.0.1 6609 # temple
+ 0 0 * * * /srv/lainonlife/scripts/restart-radio.sh
+ 0 */24 * * * /srv/lainonlife/scripts/file-list.sh
+ 0 */12 * * * echo '' | tee /srv/radio/data/syslog*
+
+
+
diff --git a/lainsafe/1.png b/lainsafe/1.png
new file mode 100644
index 0000000..f795d22
Binary files /dev/null and b/lainsafe/1.png differ
diff --git a/lainsafe/10.png b/lainsafe/10.png
new file mode 100644
index 0000000..db24f1b
Binary files /dev/null and b/lainsafe/10.png differ
diff --git a/lainsafe/2.png b/lainsafe/2.png
new file mode 100644
index 0000000..3d850d1
Binary files /dev/null and b/lainsafe/2.png differ
diff --git a/lainsafe/3.png b/lainsafe/3.png
new file mode 100644
index 0000000..89b8252
Binary files /dev/null and b/lainsafe/3.png differ
diff --git a/lainsafe/4.png b/lainsafe/4.png
new file mode 100644
index 0000000..0b618d1
Binary files /dev/null and b/lainsafe/4.png differ
diff --git a/lainsafe/5.png b/lainsafe/5.png
new file mode 100644
index 0000000..5ed59fe
Binary files /dev/null and b/lainsafe/5.png differ
diff --git a/lainsafe/6.png b/lainsafe/6.png
new file mode 100644
index 0000000..3a776bc
Binary files /dev/null and b/lainsafe/6.png differ
diff --git a/lainsafe/7.png b/lainsafe/7.png
new file mode 100644
index 0000000..54061b1
Binary files /dev/null and b/lainsafe/7.png differ
diff --git a/lainsafe/8.png b/lainsafe/8.png
new file mode 100644
index 0000000..5682aa2
Binary files /dev/null and b/lainsafe/8.png differ
diff --git a/lainsafe/9.png b/lainsafe/9.png
new file mode 100644
index 0000000..b0cb49c
Binary files /dev/null and b/lainsafe/9.png differ
diff --git a/lainsafe/index.md b/lainsafe/index.md
new file mode 100644
index 0000000..75c04d3
--- /dev/null
+++ b/lainsafe/index.md
@@ -0,0 +1,126 @@
+# CGI Lainsafe Setup
+
+![](logo.png)
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+## **Initial setup**
+
+First install the dependencies:
+
+
+ apt update -y
+ apt install socat libcgi-pm-perl nginx curl fcgiwrap -y
+
+
+
+Install acme.sh
+
+
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+
+
+
+get a domain name, you can use duckdns.org
+
+![](1.png)
+
+verify it is pointing to your server's ip:
+
+![](2.png)
+
+Then get your free letsencrypt certificate using acme.sh:
+
+
+ systemctl stop nginx
+ acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
+ systemctl start nginx
+
+
+
+![](3.png)
+
+once that's done, configure nginx:
+
+
+ wget https://blog.nowhere.moe/servers/lainsafe/lainsafe.conf -O /etc/nginx/conf.d/lainsafe.conf
+ nano /etc/nginx/conf.d/lainsafe.conf
+
+
+
+In nano, make sure you edit the configuration to match your domain name:
+
+![](4.png)
+
+At the bottom you can change the maximum file upload size, by default it is 100mb. Once you're done, hit CTRL+S to save and CTRL+X to exit nano.
+
+next we reload nginx and install lainsafe files:
+
+
+ nginx -s reload
+ mkdir /var/www/lainsafe/
+
+ cd /var/www/lainsafe/
+ mkdir .cgi
+ mkdir files
+
+ wget https://raw.githubusercontent.com/qorg11/lainsafe/master/http/index.cgi
+ wget https://raw.githubusercontent.com/qorg11/lainsafe/master/http/upload.cgi
+
+ chmod +x index.cgi
+ chmod +x upload.cgi
+
+
+ chown -R www-data: /var/www/lainsafe/
+
+
+
+And from here just browse to your website:
+
+![](7.png)
+
+Then just upload a file, and it will give you the link to it:
+
+![](8.png) ![](9.png)
+
+And that's it! just do ALT+leftarrow to return to the homepage.
Obviously this was meant to be very minimalistic by the [author](https://github.com/qorg11/) so i'll leave it to you as to how you customise the page with css and more.
+
+## **Uploading Files with Lainsafecli**
+
+_From Arch Linux: (AUR)_
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/2 ] [~]
+ → yay -S lainsafecli
+
+
+
+_From Debian:_
+
+
+ echo "deb http://repo.qorg11.net/debian stable main" >> /etc/apt/sources.list
+ wget http://repo.qorg11.net/repo.key -q -O - | sudo apt-key add
+ sudo apt updates
+ sudo apt install lainsafecli
+
+
+
+Syntax:
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/2 ] [~]
+ → lainsafecli --help
+ lainsafecli, a command line interface for lainsafe.
+ USAGE: lainsafecli [--tor | --i2p] [--server] FILE
+
+ if --server not given, https://lainsafe.duckdns.org is used.
+ --tor and --i2p are unavailable, flag are ignored
+
+
+
+
+You can use lainsafecli with your own server like so:
+
+![](10.png)
+
diff --git a/lainsafe/logo.png b/lainsafe/logo.png
new file mode 100644
index 0000000..26ea40e
Binary files /dev/null and b/lainsafe/logo.png differ
diff --git a/lc0/0.png b/lc0/0.png
new file mode 100644
index 0000000..f051af0
Binary files /dev/null and b/lc0/0.png differ
diff --git a/lc0/1.png b/lc0/1.png
new file mode 100644
index 0000000..feb83a2
Binary files /dev/null and b/lc0/1.png differ
diff --git a/lc0/10.png b/lc0/10.png
new file mode 100644
index 0000000..9e0d97b
Binary files /dev/null and b/lc0/10.png differ
diff --git a/lc0/11.png b/lc0/11.png
new file mode 100644
index 0000000..e970504
Binary files /dev/null and b/lc0/11.png differ
diff --git a/lc0/12.png b/lc0/12.png
new file mode 100644
index 0000000..c5d54fd
Binary files /dev/null and b/lc0/12.png differ
diff --git a/lc0/13.png b/lc0/13.png
new file mode 100644
index 0000000..6b45066
Binary files /dev/null and b/lc0/13.png differ
diff --git a/lc0/14.png b/lc0/14.png
new file mode 100644
index 0000000..7db0d4f
Binary files /dev/null and b/lc0/14.png differ
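Review bot: The "From Debian" block fetches the repository signing key over plain HTTP and pipes it into `sudo apt-key add`, which places an unauthenticated key in the global apt trust store, so anyone able to tamper with that connection can substitute the key and then serve their own packages; `apt-key` is also deprecated. Scope the key to one keyring instead, e.g. `wget -qO- http://repo.qorg11.net/repo.key | gpg --dearmor | sudo tee /usr/share/keyrings/qorg11.gpg >/dev/null` and `echo "deb [signed-by=/usr/share/keyrings/qorg11.gpg] http://repo.qorg11.net/debian stable main" | sudo tee /etc/apt/sources.list.d/qorg11.list`, and use an https URL for the key if the host serves one. The following line, `sudo apt updates`, is a typo that fails outright and should read `sudo apt update`. In the install block, `chown -R www-data: /var/www/lainsafe/` makes index.cgi and upload.cgi writable by the account the CGI scripts are presumably executed as, so a flaw in the upload handler could rewrite the scripts themselves; keep them root-owned and group-readable (`chown -R root:www-data /var/www/lainsafe/`) and hand www-data only the upload target (`chown www-data: /var/www/lainsafe/files`). Similarly, `wget -O - https://get.acme.sh | sh` runs a remote script as root without inspection; downloading it to a file and reading it before running costs one extra step.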
diff --git a/lc0/15.png b/lc0/15.png
new file mode 100644
index 0000000..a16cd51
Binary files /dev/null and b/lc0/15.png differ
diff --git a/lc0/16.png b/lc0/16.png
new file mode 100644
index 0000000..8b2089f
Binary files /dev/null and b/lc0/16.png differ
diff --git a/lc0/2.png b/lc0/2.png
new file mode 100644
index 0000000..9703d6a
Binary files /dev/null and b/lc0/2.png differ
diff --git a/lc0/21.png b/lc0/21.png
new file mode 100644
index 0000000..feb7f1d
Binary files /dev/null and b/lc0/21.png differ
diff --git a/lc0/22.png b/lc0/22.png
new file mode 100644
index 0000000..c3596a5
Binary files /dev/null and b/lc0/22.png differ
diff --git a/lc0/23.png b/lc0/23.png
new file mode 100644
index 0000000..858f3da
Binary files /dev/null and b/lc0/23.png differ
diff --git a/lc0/3.png b/lc0/3.png
new file mode 100644
index 0000000..004d089
Binary files /dev/null and b/lc0/3.png differ
diff --git a/lc0/4.png b/lc0/4.png
new file mode 100644
index 0000000..9722df0
Binary files /dev/null and b/lc0/4.png differ
diff --git a/lc0/5.png b/lc0/5.png
new file mode 100644
index 0000000..4104937
Binary files /dev/null and b/lc0/5.png differ
diff --git a/lc0/6.png b/lc0/6.png
new file mode 100644
index 0000000..9dc2845
Binary files /dev/null and b/lc0/6.png differ
diff --git a/lc0/7.png b/lc0/7.png
new file mode 100644
index 0000000..26cab96
Binary files /dev/null and b/lc0/7.png differ
diff --git a/lc0/8.png b/lc0/8.png
new file mode 100644
index 0000000..24c214d
Binary files /dev/null and b/lc0/8.png differ
diff --git a/lc0/9.png b/lc0/9.png
new file mode 100644
index 0000000..7b0595d
Binary files /dev/null and b/lc0/9.png differ
diff --git a/lc0/index.md b/lc0/index.md
new file mode 100644
index 0000000..08095aa
--- /dev/null
+++ b/lc0/index.md
@@ -0,0 +1,448 @@ +# Leela chess zero Setup + +![](0.png) + +In this tutorial we're going to setup leela chess zero on a debian-based system. + +## **Nibbler Frontend Setup** + +First let's install nibbler: + + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [~/Documents] + → mkdir Chess + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [~/Documents] + → cd Chess + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [~/Documents/Chess] + → git clone https://github.com/rooklift/nibbler + Cloning into 'nibbler'... + remote: Enumerating objects: 12569, done. + remote: Counting objects: 100% (1168/1168), done. + remote: Compressing objects: 100% (295/295), done. + remote: Total 12569 (delta 874), reused 1162 (delta 873), pack-reused 11401 + Receiving objects: 100% (12569/12569), 2.60 MiB | 1.40 MiB/s, done. + Resolving deltas: 100% (8986/8986), done. + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [~/Documents/Chess] + → cd nibbler/src + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → sudo apt install npm -y + #or sudo pacman -S npm + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → sudo npm install -g electron + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → pwd + /home/nothing/Documents/Chess/nibbler/src + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → vim nibbler.sh + + #!/bin/bash + electron /home/nothing/Documents/Chess/nibbler/src/ + + :wq + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → chmod +x nibbler.sh + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → ./nibbler.sh + + + + +Here you can see that you can run nibbler with that bashscript, so let's add it to our PATH: + + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → sudo ln -s $(pwd)/nibbler.sh /usr/local/bin/nibbler + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Chess/nibbler/src] + → nibbler + + + +![](1.png) + +And there you go ! We can now run nibbler easily from our PATH variable. 
+ +## **Leela Chess Zero backend setup** + +I am currently on a debian-based system with a nvidia GTX 1050 graphics card, and following the instructions on the lc0 github [repository](https://github.com/LeelaChessZero/lc0/blob/v0.24.1/README.md#building-and-running-lc0), we see that i need to install the CUDA backend: + + + [ 10.10.14.13/23 ] [ /dev/pts/51 ] [Chess/nibbler/src] + → sudo apt install ninja-build libgtest-dev meson -y + + [ 10.10.14.13/23 ] [ /dev/pts/93 ] [Documents/Chess/lc0] + → sudo apt reboot now + + + +Now let's install both [CUDA](https://developer.nvidia.com/cuda-zone) and [CUDNN](https://developer.nvidia.com/cudnn) since i'm using a nvidia graphics card: + +![](2.png) + +Let's install CUDA: + + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release] + → sudo apt-key adv --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/debian10/x86_64/7fa2af80.pub + [sudo] password for nothing: + Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)). + Executing: /tmp/apt-key-gpghome.A0PxT0WLxK/gpg.1.sh --fetch-keys https://developer.download.nvidia.com/compute/cuda/repos/debian10/x86_64/7fa2af80.pub + gpg: requesting key from 'https://developer.download.nvidia.com/compute/cuda/repos/debian10/x86_64/7fa2af80.pub' + gpg: key F60F4B3D7FA2AF80: "cudatools " not changed + gpg: Total number processed: 1 + gpg: unchanged: 1 + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release] + → sudo add-apt-repository "deb https://developer.download.nvidia.com/compute/cuda/repos/debian10/x86_64/ /" + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release] + → sudo add-apt-repository contrib + 'contrib' distribution component is already enabled for all sources. 
+ + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release] + → sudo apt update -y + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release] + → sudo apt install cuda -y + + +![](13.png) + +Hit OK and reboot the machine once apt install finished: + + + DKMS: install completed. + Setting up libgles-nvidia1:amd64 (465.19.01-1) ... + Setting up libegl-nvidia0:amd64 (465.19.01-1) ... + Setting up nvidia-settings (465.19.01-1) ... + Setting up libgles-nvidia2:amd64 (465.19.01-1) ... + Setting up libnvidia-ml1:amd64 (465.19.01-1) ... + Setting up libnvcuvid1:amd64 (465.19.01-1) ... + Setting up libnvidia-opticalflow1:amd64 (465.19.01-1) ... + Setting up nvidia-egl-icd:amd64 (465.19.01-1) ... + Setting up nvidia-smi (465.19.01-1) ... + Setting up nvidia-driver-bin (465.19.01-1) ... + Setting up libnvidia-encode1:amd64 (465.19.01-1) ... + Setting up nvidia-driver-libs:amd64 (465.19.01-1) ... + Processing triggers for nvidia-alternative (465.19.01-1) ... + update-alternatives: updating alternative /usr/lib/nvidia/current because link group nvidia has changed slave links + Setting up nvidia-driver (465.19.01-1) ... + Setting up cuda-drivers-465 (465.19.01-1) ... + Setting up cuda-drivers (465.19.01-1) ... + Setting up cuda-runtime-11-3 (11.3.1-1) ... + Setting up cuda-demo-suite-11-3 (11.3.58-1) ... + Setting up cuda-11-3 (11.3.1-1) ... + Setting up cuda (11.3.1-1) ... + Processing triggers for libc-bin (2.31-12) ... + Processing triggers for glx-alternative-nvidia (1.2.0) ... + Processing triggers for glx-alternative-mesa (1.2.0) ... + Processing triggers for update-glx (1.2.0) ... + Processing triggers for libc-bin (2.31-12) ... + Processing triggers for glx-alternative-nvidia (1.2.0) ... + update-alternatives: warning: forcing reinstallation of alternative /usr/lib/nvidia because link group glx is broken + Processing triggers for libc-bin (2.31-12) ... + Processing triggers for initramfs-tools (0.140) ... 
+ update-initramfs: Generating /boot/initrd.img-5.10.0-kali8-amd64 + + [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release] + → sudo reboot now + + + +After rebooting, make sure that cuda is on your system: + + + [ 10.0.0.10/16 ] [ /dev/pts/3 ] [~] + → cd /usr/local + + [ 10.0.0.10/16 ] [ /dev/pts/3 ] [/usr/local] + → ls -lash + total 48K + 4.0K drwxr-xr-x 12 root root 4.0K Jun 4 17:38 . + 4.0K drwxr-xr-x 14 root root 4.0K May 22 15:06 .. + 4.0K drwxr-xr-x 3 root root 4.0K Jun 4 17:38 bin + 0 lrwxrwxrwx 1 root root 22 Jun 4 17:38 cuda -> /etc/alternatives/cuda + 0 lrwxrwxrwx 1 root root 25 Jun 4 17:38 cuda-11 -> /etc/alternatives/cuda-11 + 4.0K drwxr-xr-x 15 root root 4.0K Jun 4 17:38 cuda-11.3 + 4.0K drwxr-xr-x 2 root root 4.0K May 22 15:06 etc + 4.0K drwxr-xr-x 2 root root 4.0K May 22 15:06 games + 4.0K drwxr-xr-x 2 root root 4.0K May 22 15:06 include + 4.0K drwxr-xr-x 5 root root 4.0K Jun 4 14:14 lib + 0 lrwxrwxrwx 1 root root 9 May 22 15:06 man -> share/man + 0 lrwxrwxrwx 1 root root 57 Jun 4 12:40 nibbler -> /home/nothing/Documents/Chess/nibbler-2.1.6-linux/nibbler + 4.0K drwxr-xr-x 2 root root 4.0K May 22 15:06 sbin + 4.0K drwxr-xr-x 9 root root 4.0K May 24 20:23 share + 4.0K drwxr-xr-x 2 root root 4.0K May 22 15:19 simple-cdd + 4.0K drwxr-xr-x 2 root root 4.0K May 22 15:06 src + + + +Now that cuda is installed, go install cuDNN + +![](3.png) ![](4.png) + +Even though i'm not on Ubuntu, this is still a debian-based distro, so it should be fine: + + + [ 10.10.14.13/23 ] [ /dev/pts/93 ] [~/Downloads] + → sudo dpkg -i libcudnn8_8.2.0.53-1+cuda11.3_amd64.deb + Selecting previously unselected package libcudnn8. + (Reading database ... 393803 files and directories currently installed.) + Preparing to unpack libcudnn8_8.2.0.53-1+cuda11.3_amd64.deb ... + Unpacking libcudnn8 (8.2.0.53-1+cuda11.3) ... + Setting up libcudnn8 (8.2.0.53-1+cuda11.3) ... + Processing triggers for libc-bin (2.31-12) ... 
+ + + +Now that's done let's compile lc0 after cloning it: + + + [ 10.66.66.2/32 ] [ /dev/pts/8 ] [~/Documents/chess] + → git clone -b release/0.27 --recurse-submodules https://github.com/LeelaChessZero/lc0.git ; cd lc0 + Cloning into 'lc0'... + remote: Enumerating objects: 9590, done. + remote: Counting objects: 100% (206/206), done. + remote: Compressing objects: 100% (139/139), done. + remote: Total 9590 (delta 108), reused 119 (delta 67), pack-reused 9384 + Receiving objects: 100% (9590/9590), 37.90 MiB | 1.69 MiB/s, done. + Resolving deltas: 100% (6773/6773), done. + Submodule 'libs/lczero-common' (https://github.com/LeelaChessZero/lczero-common.git) registered for path 'libs/lczero-common' + Cloning into '/home/nothing/Documents/chess/lc0/libs/lczero-common'... + remote: Enumerating objects: 152, done. + remote: Counting objects: 100% (12/12), done. + remote: Compressing objects: 100% (8/8), done. + remote: Total 152 (delta 2), reused 6 (delta 1), pack-reused 140 + Receiving objects: 100% (152/152), 29.36 KiB | 2.10 MiB/s, done. + Resolving deltas: 100% (46/46), done. + Submodule path 'libs/lczero-common': checked out '00fd892e648160c294346c87449126d9bad80a16' + + + [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/lc0] + → ./build.sh + ~/Documents/Chess/lc0 ~/Documents/Chess/lc0 + The Meson build system + Version: 0.56.2 + Source dir: /home/nothing/Documents/Chess/lc0 + Build dir: /home/nothing/Documents/Chess/lc0/build/release + Build type: native build + Project name: lc0 + Project version: undefined + C++ compiler for the host machine: c++ (gcc 10.2.1 "c++ (Debian 10.2.1-6) 10.2.1 20210110") + C++ linker for the host machine: c++ ld.bfd 2.35.2 + Host machine cpu family: x86_64 + Host machine cpu: x86_64 + meson.build:27: WARNING: Consider using the built-in warning_level option instead of using "-Wextra". 
+ Library libprotobuf found: NO
+ Found pkg-config: /usr/bin/pkg-config (0.29.2)
+ Found CMake: /usr/bin/cmake (3.18.4)
+ Run-time dependency protobuf found: NO (tried pkgconfig and cmake)
+ Program protoc found: NO
+
+ |Executing subproject protobuf method meson
+ |
+ |Project name: protobuf
+ |Project version: 3.5.1
+ |C++ compiler for the host machine: c++ (gcc 10.2.1 "c++ (Debian 10.2.1-6) 10.2.1 20210110")
+ |C++ linker for the host machine: c++ ld.bfd 2.35.2
+ |Compiler for C++ supports arguments -DHAVE_PTHREAD: YES
+ |Compiler for C++ supports arguments -Wno-sign-compare: YES
+ |Compiler for C++ supports arguments -Wno-unused-parameter: YES
+ |Compiler for C++ supports arguments -Wno-ignored-qualifiers: YES
+ |Compiler for C++ supports arguments /wd4146: NO
+ |Compiler for C++ supports arguments /wd4244: NO
+ |Compiler for C++ supports arguments /wd4305: NO
+ |Compiler for C++ supports arguments /wd4506: NO
+ |Run-time dependency threads found: YES
+ |Build targets in project: 6
+ |Subproject protobuf finished.
+
+ Program git found: YES (/usr/bin/git)
+ Message: Using build identifier "git.29c15a4".
+ Library pthread found: YES
+ Library dl found: YES
+ Library libtensorflow_cc found: NO
+ Run-time dependency accelerate found: NO (tried pkgconfig and cmake)
+ Library mkl_rt found: NO
+ Library mklml found: NO
+ Library dnnl found: NO
+ Library openblas.dll found: NO
+ Library openblas found: NO
+ Program ispc found: NO
+ Library OpenCL found: YES
+ Run-time dependency opencl found: YES 2.2
+ Library cublas found: YES
+ Library cudnn found: NO
+ Library cudart found: YES
+ Program /usr/local/cuda/bin/nvcc found: YES (/usr/local/cuda/bin/nvcc)
+ Run-time dependency zlib found: YES 1.2.11
+ Run-time dependency GTest found: YES 1.10.0
+ Build targets in project: 14
+
+ lc0 undefined
+
+ Subprojects
+ protobuf: YES
+
+ Found ninja-1.10.1 at /usr/bin/ninja
+ [52/298] Compiling C++ object subprojects/protobuf-3.5.1/libprotobuf.so.p/src_google_protobuf_descriptor.cc.o
+ ../../subprojects/protobuf-3.5.1/src/google/protobuf/descriptor.cc: In member function ‘google::protobuf::Symbol google::protobuf::DescriptorPool::NewPlaceholderWithMutexHeld(const string&, google::protobuf::DescriptorPool::PlaceholderType) const’:
+ ../../subprojects/protobuf-3.5.1/src/google/protobuf/descriptor.cc:3896:58: warning: ‘void* memset(void*, int, size_t)’ clearing an object of type ‘class google::protobuf::EnumDescriptor’ with no trivial copy-assignment; use assignment or value-initialization instead [-Wclass-memaccess]
+ 3896 | memset(placeholder_enum, 0, sizeof(*placeholder_enum));
+ |
+
+ [...]
+
+ ../../src/mcts/stoppers/factory.cc:302:19: note: remove ‘std::move’ call
+ [265/298] Compiling C++ object liblc0_lib.so.p/src_selfplay_loop.cc.o
+ ../../src/selfplay/loop.cc: In member function ‘void lczero::SelfPlayLoop::SendTournament(const lczero::TournamentInfo&)’:
+ ../../src/selfplay/loop.cc:170:40: warning: ‘los.lczero::optional::value_’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ 170 | <<****(los.value_or(0.0f) * 100.0f) <<****"%";
+ | ^
+ [298/298] Linking target encoder_test
+ ~/Documents/Chess/lc0
+
+Now that lc0 is done compiling, you will find the engine itself inside the cloned repository at **build/release** as the **lc0** binary file:
+
+
+ [ 10.10.14.13/23 ] [ /dev/pts/77 ] [Documents/Chess/lc0]
+ → cd build/release
+
+ [ 10.10.14.13/23 ] [ /dev/pts/77 ] [lc0/build/release]
+ → ls -lash lc0
+ 1.5M -rwxr-xr-x 1 nothing nothing 1.5M Jun 4 15:16 lc0
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [lc0/build/release]
+ → ./lc0
+ _
+ | _ | |
+ |_ |_ |_| v0.23.3+git.29c15a4 built Jun 4 2021
+ ^C
+
+
+
+So let's use lc0 inside of nibbler:
+
+![](5.png) ![](6.png) ![](7.png)
+
+Now as you can see just the lc0 binary itself isn't enough, we need the **Network weights file** , to get that let's go over to the lc0 training networks [here](http://lczero.org/play/networks/bestnets/):
+
+![](8.png) ![](9.png)
+
+Then import it in nibbler:
+
+![](10.png) ![](11.png)
+
+_Sidenote:_ When you first start nibbler, you should see that it picks up your cuda version and your GPU. If it doesn't, go back and compile CUDA properly.
+
+![](14.png)
+
+Then after setting a limit of threads, nodes, and eval per nodes, test the engine against yourself with **F9** or against itself with **F11**
+
+![](12.png)
+
+At first it takes a while to load the weights file, but once it's done loading, it will be ready to play as you can see above.
+
+## **Easier Weight Files**
+
+As you can guess, the trained weight files from lc0 are within the elo range of IM / GM with insane inhuman moves, if you want opponent that does human-like moves, you can look for the human-like chess weights from [maia chess](https://github.com/CSSLab/maia-chess/releases/tag/v1.0):
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [~/Documents/Chess]
+ → cd Weights
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1100.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1200.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1300.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1400.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1500.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1600.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1700.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1800.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → wget https://github.com/CSSLab/maia-chess/releases/download/v1.0/maia-1900.pb.gz -q
+
+ [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Documents/Chess/Weights]
+ → ls -l
+ total 54572
+ -rw-r--r-- 1 nothing nothing 44289015 Jun 4 16:59 256x20-t40-1541.pb.gz
+ -rw-r--r-- 1 nothing nothing 1313193 Jan 14 06:25 maia-1100.pb.gz
+ -rw-r--r-- 1 nothing nothing 1249692 Jan 14 06:25 maia-1200.pb.gz
+ -rw-r--r-- 1 nothing nothing 1244431 Jan 14 06:25 maia-1300.pb.gz
+ -rw-r--r-- 1 nothing nothing 1328977 Jan 14 06:25 maia-1400.pb.gz
+ -rw-r--r-- 1 nothing nothing 1258199 Jan 14 06:25 maia-1500.pb.gz
+ -rw-r--r-- 1 nothing nothing 1313870 Jan 14 06:25 maia-1600.pb.gz
+ -rw-r--r-- 1 nothing nothing 1313415 Jan 14 06:25 maia-1700.pb.gz
+ -rw-r--r-- 1 nothing nothing 1289431 Jan 14 06:25 maia-1800.pb.gz
+ -rw-r--r-- 1 nothing nothing 1262607 Jan 14 06:25 maia-1900.pb.gz
+
+
+
+Edit: lc0 does not feel human at all with any of these weights lol, if you want leela to replicate human mistakes, this is handled by the Temperature setting. If the Temperature is set to 0, leela will always pick the evaluated best move. The higher the Temperature, the less likely leela will pick the best move. Nibbler currently sets the Temperature maximum to be at 1, however this is not the real maximum temperature we can pass to leela. If you want to train against leela (making leela do mistakes in games) you can set the temperature from 1 to 2+ where a temperature of 2 is the equivalent of a really bad 600 human player, a temperature of 1.5 is the equivalent of a 1000 elo player, and from there it's really exponential, Temperature set at 1.3 feels like an 1600+ elo player and so on. To set the temperature to higher values, you can use an external 'script' to pass to nibbler:
+
+
+ [ 10.10.14.8/23 ] [ /dev/pts/33 ] [.config/Nibbler/scripts]
+ → pwd
+
+ /home/nothing/.config/Nibbler/scripts
+ [ 10.10.14.8/23 ] [ /dev/pts/33 ] [.config/Nibbler/scripts]
+ → ls -l
+ total 44
+ -rw-r--r-- 1 nothing nothing 77 Jun 4 12:38 example.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:49 tmp1.1.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:49 tmp1.2.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:48 tmp1.3.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:48 tmp1.4.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:11 tmp1.5.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:11 tmp1.6.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:11 tmp1.7.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:11 tmp1.8.txt
+ -rw-r--r-- 1 nothing nothing 75 Jul 11 14:11 tmp1.9.txt
+ -rw-r--r-- 1 nothing nothing 73 Jul 11 14:11 tmp2.0.txt
+
+ [ 10.10.14.8/23 ] [ /dev/pts/33 ] [.config/Nibbler/scripts]
+ → cat tmp1.5.txt
+ setoption name temperature value 1.5
+ setoption name tempdecaymoves value 0
+
+ [ 10.10.14.8/23 ] [ /dev/pts/33 ] [.config/Nibbler/scripts]
+ → cat tmp1.6.txt
+ setoption name temperature value 1.6
+ setoption name tempdecaymoves value 0
+
+ [ 10.10.14.8/23 ] [ /dev/pts/33 ] [.config/Nibbler/scripts]
+ → cat tmp1.7.txt
+ setoption name temperature value 1.7
+ setoption name tempdecaymoves value 0
+
+
+
+And from here simply load the script in nibbler:
+
+![](15.png)
+
diff --git a/librenms/1.png b/librenms/1.png
new file mode 100644
index 0000000..666e69d
Binary files /dev/null and b/librenms/1.png differ
diff --git a/librenms/10.png b/librenms/10.png
new file mode 100644
index 0000000..de2e078
Binary files /dev/null and b/librenms/10.png differ
diff --git a/librenms/11.png b/librenms/11.png
new file mode 100644
index 0000000..15000d6
Binary files /dev/null and b/librenms/11.png differ
diff --git a/librenms/12.png b/librenms/12.png
new file mode 100644
index 0000000..ea49aad
Binary files /dev/null and b/librenms/12.png differ
diff --git a/librenms/13.png b/librenms/13.png
new file mode 100644
index 0000000..e040087
Binary files /dev/null and b/librenms/13.png differ
diff --git a/librenms/14.png b/librenms/14.png
new file mode 100644
index 0000000..2de7294
Binary files /dev/null and b/librenms/14.png differ
diff --git a/librenms/15.png b/librenms/15.png
new file mode 100644
index 0000000..a9e681b
Binary files /dev/null and b/librenms/15.png differ
diff --git a/librenms/16.png b/librenms/16.png
new file mode 100644
index 0000000..4c2ae7a
Binary files /dev/null and b/librenms/16.png differ
diff --git a/librenms/2.png b/librenms/2.png
new file mode 100644
index 0000000..0670eb1
Binary files /dev/null and b/librenms/2.png differ
diff --git a/librenms/3.png b/librenms/3.png
new file mode 100644
index 0000000..8b66cac
Binary files /dev/null and b/librenms/3.png differ
diff --git a/librenms/4.png b/librenms/4.png
new file mode 100644
index 0000000..5379a92
Binary files /dev/null and b/librenms/4.png differ
diff --git a/librenms/5.png b/librenms/5.png
new file mode 100644
index 0000000..95a79de
Binary files /dev/null and b/librenms/5.png differ
diff --git a/librenms/6.png b/librenms/6.png
new file mode 100644
index 0000000..2c66948
Binary files /dev/null and b/librenms/6.png differ
diff --git a/librenms/7.png b/librenms/7.png
new file mode 100644
index 0000000..d6426df
Binary files /dev/null and b/librenms/7.png differ
diff --git a/librenms/8.png b/librenms/8.png
new file mode 100644
index 0000000..5028e27
Binary files /dev/null and b/librenms/8.png differ
diff --git a/librenms/9.png b/librenms/9.png
new file mode 100644
index 0000000..91094ff
Binary files /dev/null and b/librenms/9.png differ
diff --git a/librenms/index.md b/librenms/index.md
new file mode 100644
index 0000000..a614d82
--- /dev/null
+++ b/librenms/index.md
@@ -0,0 +1,217 @@
+# LibreNMS Debian 10 NGINX Setup
+
+![](logo.png)
+
+Before we start, you will need a Debian 10 VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+## **Initial Setup**
+
+First we get every package we need:
+
+
+ apt-get -y install apt-transport-https lsb-release ca-certificates curl gnupg -y
+ apt-get update -y
+
+ apt install acl curl socat composer fping git graphviz imagemagick mariadb-server mtr-tiny nginx-full nmap php7.3-cli php7.3-mysqlnd php7.3-curl php7.3-fpm php7.3-gd php7.3-json php7.3-mbstring php7.3-pgsql php7.3-snmp php7.3-xml php7.3-zip python-memcache python-mysqldb rrdtool snmp snmpd whois python3-pymysql python3-dotenv python3-redis python3-setuptools -y
+
+
+
+Then we add the librenms user
+
+
+ useradd librenms -d /opt/librenms -M -r
+ usermod -a -G librenms www-data
+
+
+
+Next we install LibreNMS:
+
+
+ cd /opt
+ git clone https://github.com/librenms/librenms.git
+
+ chown -R librenms:librenms /opt/librenms
+ chmod 770 /opt/librenms
+ setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
+ setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
+
+
+
+Next we'll install the php dependencies:
+
+
+ su - librenms
+ bash
+ ./scripts/composer_wrapper.php install --no-dev
+ exit
+ exit
+
+
+
+## **Configuring MySQL, NGINX, snmpd and cron**
+
+From here, we need to install MySQL:
+
+
+
+ service mysql restart
+
+ mysql -u root -p
+
+ CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
+ CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'P@SSW0RD';
+ GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
+ FLUSH PRIVILEGES;
+ exit
+
+
+
+
+Take note here that we are using the password 'P@SSW0RD'
+
+Now we'll edit mariadb's configuration:
+
+
+ echo 'innodb_file_per_table=1' >> /etc/mysql/mariadb.conf.d/50-server.cnf
+ echo 'lower_case_table_names=0' >> /etc/mysql/mariadb.conf.d/50-server.cnf
+
+ service mysql restart
+
+
+
+Next we edit php.ini:
+
+
+ cd /etc/php/7.3/
+
+ echo 'date.timezone = Europe/Paris' >> fpm/php.ini
+ echo 'date.timezone = Europe/Paris' >> cli/php.ini
+
+ service php7.3-fpm restart
+
+
+
+Before we configure NGINX, we need to get a domain name, so if you don't have it, go and get one make sure it points to your server's public ip address, if you don't want to pay for a domain name just go on [DuckDNS.](https://www.duckdns.org)
+
+![](../nextcloud/3.png)
+
+Now we will configure NGINX:
+
+First of all, we'll get the free SSL certificate:
+
+
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+
+
+Here you verify your ip domain name is correctly setup like so:
+
+![](3.png)
+
+Once there we can use acme.sh to get the free SSL certificate:
+
+
+ systemctl stop nginx
+ acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
+ systemctl start nginx
+
+
+
+![](4.png)
+
+From here we need to make sure the nginx configuration is correct:
+
+
+ rm /etc/nginx/sites-enabled/default
+ wget https://blog.nowhere.moe/servers/librenms/librenms.vhost -O /etc/nginx/sites-available/librenms.vhost
+ nano /etc/nginx/sites-available/librenms.vhost
+
+
+
+Make sure you change the librenms.vhost server_name line to your domain name:
+
+![](1.png)
+
+Once you're done, do the following:
+
+
+
+ ln -s /etc/nginx/sites-available/librenms.vhost /etc/nginx/sites-enabled/librenms.vhost
+ nginx -t
+ service nginx reload
+
+
+
+If nginx doesn't accept your configuration, you most probably made a mistake changing the domain name, so double check and correct it until nginx successfully reloads the configuration.
+
+Next we'll configure SNMPD
+
+
+ cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
+ chmod 600 /etc/snmp/snmpd.conf
+ nano /etc/snmp/snmpd.conf
+
+
+in snmpd.conf make sure you change the text "RANDOMSTRINGGOESHERE" and change it to your community string
+
+![](5.png)
+
+
+ curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
+ chmod +x /usr/bin/distro
+ service snmpd restart
+
+
+Now we'll setup Cronjob:
+
+
+ cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms
+
+
+
+copy logrotate config:
+
+
+ cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms
+
+
+
+And we should be done!
+
+## **Final Steps**
+
+Now that's done, just go to the URL of your website : http://ech2.duckdns.org/
+
+![](6.png)
+
+after that, head over to the database installation tab and just put in the password you put earlier (here it's P@SSW0RD)
+
+![](10.png)
+
+Here just hit "build database"
+
+![](11.png)
+
+Create the admin user:
+
+![](12.png)
+
+Here for some reason it failed to write to the .env file so we manually edit it:
+
+
+ nano /opt/librenms/.env
+
+
+
+just delete every line (ctrl+k) and then paste in the contents of the file shown on the webpage (CTRL+SHIFT+V), then hit CTRL+S to save and CTRL+X to exit
+
+![](14.png)
+
+And that's it! All that's left is for you to login and setup the rest of librenms
+
+![](15.png)
+
+Take note here that the ech2 community input field is the community "randomstringgoeshere" we put in the snmpd.conf earlier
+
+![](16.png)
+
diff --git a/librenms/logo.png b/librenms/logo.png
new file mode 100644
index 0000000..35d9863
Binary files /dev/null and b/librenms/logo.png differ
diff --git a/librex/0.png b/librex/0.png
new file mode 100644
index 0000000..ce0ac26
Binary files /dev/null and b/librex/0.png differ
diff --git a/librex/1.png b/librex/1.png
new file mode 100644
index 0000000..a07227b
Binary files /dev/null and b/librex/1.png differ
diff --git a/librex/index.md b/librex/index.md
new file mode 100644
index 0000000..f4fa77f
--- /dev/null
+++ b/librex/index.md
@@ -0,0 +1,155 @@
+# librex Setup
+
+![](0.png)
+
+In this tutorial we're going to setup a librex instance:
+
+## **Initial Setup**
+
+git clone it, and edit the docker-compose.yml file:
+
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv]
+ → git clone https://github.com/hnhx/librex/
+ Cloning into 'librex'...
+ remote: Enumerating objects: 2295, done.
+ remote: Counting objects: 100% (688/688), done.
+ remote: Compressing objects: 100% (144/144), done.
+ remote: Total 2295 (delta 599), reused 544 (delta 544), pack-reused 1607
+ Receiving objects: 100% (2295/2295), 2.20 MiB | 6.31 MiB/s, done.
+ Resolving deltas: 100% (1358/1358), done.
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv]
+ → cd librex
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/librex]
+ → vim docker-compose.yml
+
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/librex]
+ → cat docker-compose.yml
+ version: "2.1"
+ services:
+ librex:
+ image: librex/librex:latest
+ container_name: librex
+ network_mode: bridge
+ ports:
+ - 8084:8080
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - VERSION=docker
+ - TZ=America/New_York
+ - CONFIG_GOOGLE_DOMAIN=com
+ - CONFIG_GOOGLE_LANGUAGE_SITE=en
+ - CONFIG_GOOGLE_LANGUAGE_RESULTS=en
+ - CONFIG_WIKIPEDIA_LANGUAGE=en
+ volumes:
+ - ./nginx_logs:/var/log/nginx
+ - ./php_logs:/var/log/php7
+ restart: unless-stopped
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/librex]
+ → docker-compose up -d
+ Pulling librex (librex/librex:latest)...
+ latest: Pulling from librex/librex
+ 63b65145d645: Pull complete
+ 22ab6fc2c8b3: Pull complete
+ 2b2fb351cebe: Pull complete
+ 4f4fb700ef54: Pull complete
+ d16a3f4b38b2: Pull complete
+ 48bffb4e4449: Pull complete
+ 34c1fa5897b3: Pull complete
+ Digest: sha256:f9204843149f384eb1e2d3be23978494134f7b69e57886420ddef9faa60d5263
+ Status: Downloaded newer image for librex/librex:latest
+ Creating librex ... done
+
+
+
+then configure the reverse nginx proxy:
+
+
+
+
+ [ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
+ → vim librex.nowhere.moe.conf
+
+
+ [ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
+ → cat librex.nowhere.moe.conf
+ server {
+ listen 443 ssl;
+ server_name librex.nowhere.moe;
+
+ ssl_certificate /etc/acme/certs/librex.nowhere.moe/librex.nowhere.moe.cer;
+ ssl_certificate_key /etc/acme/certs/librex.nowhere.moe/librex.nowhere.moe.key;
+
+ ######## TOR CHANGES ########
+ listen 4443;
+ listen [::]:4443;
+ server_name librex.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
+ add_header Onion-Location "http://librex.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
+ ######## TOR CHANGES ########
+
+
+ ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ #ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob: video.twimg.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://localhost:8084;
+ }
+
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+ }
+
+ [ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
+ → nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+ [ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
+ → nginx -s reload
+ 2023/08/23 14:10:15 [notice] 2865#2865: signal process started
+
+
+
+Then test if it works or not:
+
+![](1.png)
+
+then contribute to the ecosystem like [so](https://github.com/hnhx/librex/issues/265)
+
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/librex]
+ → cronitor select
+
+ ✔ docker-compose -f /srv/librex/docker-compose.yml stop ; git -C /srv/librex/ pull ; docker-compose -f /srv/librex/docker-compose.yml pull ; docker-compose -f /srv/librex/docker-compose.yml up -d
+ ----► Running command: docker-compose -f /srv/librex/docker-compose.yml stop ; git -C /srv/librex/ pull ; docker-compose -f /srv/librex/docker-compose.yml pull ; docker-compose -f /srv/librex/docker-compose.yml up -d
+
+ Stopping librex ... done
+ Already up to date.
+ Pulling librex ... done
+ Starting librex ... done
+
+ ----► ✔ Command successful Elapsed time 3.387s
+
+
+
diff --git a/luks/0.png b/luks/0.png
new file mode 100644
index 0000000..c3b41fa
Binary files /dev/null and b/luks/0.png differ
diff --git a/luks/1.png b/luks/1.png
new file mode 100644
index 0000000..1b89aaf
Binary files /dev/null and b/luks/1.png differ
diff --git a/luks/2.png b/luks/2.png
new file mode 100644
index 0000000..02ff325
Binary files /dev/null and b/luks/2.png differ
diff --git a/luks/3.png b/luks/3.png
new file mode 100644
index 0000000..391f3b6
Binary files /dev/null and b/luks/3.png differ
diff --git a/luks/4.png b/luks/4.png
new file mode 100644
index 0000000..93b8d39
Binary files /dev/null and b/luks/4.png differ
diff --git a/luks/5.png b/luks/5.png
new file mode 100644
index 0000000..25ecc53
Binary files /dev/null and b/luks/5.png differ
diff --git a/luks/index.md b/luks/index.md
new file mode 100644
index 0000000..8ffd97c
--- /dev/null
+++ b/luks/index.md
@@ -0,0 +1,323 @@
+# luks Setup
+
+![](0.png)
+
+In this tutorial we're going to look at how to setup LUKS encryption on additional drives of a server.
+
+## **Initial Setup**
+
+For this tutorial i hooked up 2 additional hard drives to a VM:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1000G 0 disk
+ ├─sda1 8:1 0 512M 0 part /boot
+ ├─sda2 8:2 0 1M 0 part
+ └─sda3 8:3 0 999.5G 0 part
+ ├─lvm-swap 254:0 0 512M 0 lvm
+ │ └─swap 254:5 0 512M 0 crypt [SWAP]
+ ├─lvm-tmp 254:1 0 500M 0 lvm
+ │ └─tmp 254:4 0 500M 0 crypt /tmp
+ └─lvm-lvroot 254:2 0 998.5G 0 lvm
+ └─root 254:3 0 998.5G 0 crypt /
+ sdb 8:16 0 3.6T 0 disk
+ └─sdb1 8:17 0 3.6T 0 part
+ sdc 8:32 0 3.6T 0 disk
+ └─sdc1 8:33 0 3.6T 0 part
+ sr0 11:0 1 891.3M 0 rom
+
+
+
+the drives are /dev/sdb and /dev/sdc, they are both 3.6Tb big, and we want to encrypt them so they are unreadable unless we unlock them:
+
+![]()
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cryptsetup luksFormat /dev/sdb
+ WARNING: Device /dev/sdb already contains a 'gpt' partition signature.
+
+ WARNING!
+ ========
+ This will overwrite data on /dev/sdb irrevocably.
+
+ Are you sure? (Type 'yes' in capital letters): YES
+ Enter passphrase for /dev/sdb:
+ Verify passphrase:
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cryptsetup luksFormat /dev/sdc
+ WARNING: Device /dev/sdc already contains a 'gpt' partition signature.
+
+ WARNING!
+ ========
+ This will overwrite data on /dev/sdc irrevocably.
+
+ Are you sure? (Type 'yes' in capital letters): YES
+ Enter passphrase for /dev/sdc:
+ Verify passphrase:
+
+
+
+You can check the luks information of each device:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cryptsetup luksDump /dev/sdb
+ LUKS header information
+ Version: 2
+ Epoch: 3
+ Metadata area: 16384 [bytes]
+ Keyslots area: 16744448 [bytes]
+ UUID: 63088dd8-bca3-4e6c-b909-145b2de744c7
+ Label: (no label)
+ Subsystem: (no subsystem)
+ Flags: (no flags)
+
+ Data segments:
+ 0: crypt
+ offset: 16777216 [bytes]
+ length: (whole device)
+ cipher: aes-xts-plain64
+ sector: 4096 [bytes]
+
+ Keyslots:
+ 0: luks2
+ Key: 512 bits
+ Priority: normal
+ Cipher: aes-xts-plain64
+ Cipher key: 512 bits
+ PBKDF: argon2id
+ Time cost: 4
+ Memory: 508031
+ Threads: 2
+ Salt: e0 30 01 14 b3 8a 56 36 ef 7e b2 24 7b d6 a8 3b
+ 06 2b c9 e9 5f 26 56 5a 78 c5 55 0d 4f 86 64 4f
+ AF stripes: 4000
+ AF hash: sha256
+ Area offset:32768 [bytes]
+ Area length:258048 [bytes]
+ Digest ID: 0
+ Tokens:
+ Digests:
+ 0: pbkdf2
+ Hash: sha256
+ Iterations: 26640
+ Salt: 70 88 9e 5c 36 ae ae b4 d4 c5 85 3b f6 9c d5 8b
+ 1d 13 24 93 29 fe c1 80 d9 18 7b b1 fe 3c 55 86
+ Digest: dd 9b 2c ba fa 3d 38 ec 56 92 28 d7 70 52 f1 a3
+ e5 fd 4d 3a 14 2c 85 52 bc e2 e0 99 c9 e6 bb 33
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cryptsetup luksDump /dev/sdc
+ LUKS header information
+ Version: 2
+ Epoch: 3
+ Metadata area: 16384 [bytes]
+ Keyslots area: 16744448 [bytes]
+ UUID: 8f559499-ca90-4b71-aead-c2252d0e10e0
+ Label: (no label)
+ Subsystem: (no subsystem)
+ Flags: (no flags)
+
+ Data segments:
+ 0: crypt
+ offset: 16777216 [bytes]
+ length: (whole device)
+ cipher: aes-xts-plain64
+ sector: 4096 [bytes]
+
+ Keyslots:
+ 0: luks2
+ Key: 512 bits
+ Priority: normal
+ Cipher: aes-xts-plain64
+ Cipher key: 512 bits
+ PBKDF: argon2id
+ Time cost: 4
+ Memory: 482968
+ Threads: 2
+ Salt: 8f 6f b2 6d 46 a1 8f 31 0c cb 06 64 94 73 86 47
+ 6e a8 1f 39 38 ff b9 27 10 6a 35 61 1b 9e 16 af
+ AF stripes: 4000
+ AF hash: sha256
+ Area offset:32768 [bytes]
+ Area length:258048 [bytes]
+ Digest ID: 0
+ Tokens:
+ Digests:
+ 0: pbkdf2
+ Hash: sha256
+ Iterations: 24417
+ Salt: 06 6f e4 bd dd 10 0d 9e 29 41 ae 7e df d2 55 77
+ b9 94 0b b3 fb ba 38 41 c5 c4 63 8e 5d 00 7c 40
+ Digest: 86 62 5c 31 67 00 5c 46 69 5f 2f 81 fb 83 34 ec
+ d0 73 44 e4 73 bc f9 f8 41 86 7a 06 55 97 77 3d
+
+
+
+
+Now we want to open the encrypted drives, so we use luksOpen:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cryptsetup luksOpen /dev/sdb VAULT1
+ Enter passphrase for /dev/sdb:
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cryptsetup luksOpen /dev/sdc VAULT2
+ Enter passphrase for /dev/sdc:
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → ls -lash /dev/mapper/VAULT*
+ 0 lrwxrwxrwx 1 root root 7 Nov 5 09:12 /dev/mapper/VAULT1 -> ../dm-6
+ 0 lrwxrwxrwx 1 root root 7 Nov 5 09:13 /dev/mapper/VAULT2 -> ../dm-7
+
+
+
+Now from here, we have 2 mapped drives located in /dev/mapper/, we named them VAULT1 and VAULT2, now to use them we need to mount them, so let's create 2 folders in /mnt/ and mount them there:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → mkdir /mnt/VAULT1
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → mkdir /mnt/VAULT2
+
+
+
+Before we do thatm don't forget to format the unlocked drives in ext4 for example:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → mkfs.ext4 /dev/mapper/VAULT1
+ mke2fs 1.46.5 (30-Dec-2021)
+ /dev/mapper/VAULT1 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
+ Proceed anyway? (y,N) y
+ Creating filesystem with 976742144 4k blocks and 244187136 inodes
+ Filesystem UUID: bcc579f6-96b9-4c9a-8ad8-694470db5dac
+ Superblock backups stored on blocks:
+ 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
+ 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
+ 102400000, 214990848, 512000000, 550731776, 644972544
+
+
+ Allocating group tables: done
+ Writing inode tables: done
+ Creating journal (262144 blocks): done
+ Writing superblocks and filesystem accounting information: done
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → mount /dev/mapper/VAULT1 /mnt/VAULT1
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1000G 0 disk
+ ├─sda1 8:1 0 512M 0 part /boot
+ ├─sda2 8:2 0 1M 0 part
+ └─sda3 8:3 0 999.5G 0 part
+ ├─lvm-swap 254:0 0 512M 0 lvm
+ │ └─swap 254:5 0 512M 0 crypt [SWAP]
+ ├─lvm-tmp 254:1 0 500M 0 lvm
+ │ └─tmp 254:4 0 500M 0 crypt /tmp
+ └─lvm-lvroot 254:2 0 998.5G 0 lvm
+ └─root 254:3 0 998.5G 0 crypt /
+ sdb 8:16 0 3.6T 0 disk
+ └─VAULT1 254:6 0 3.6T 0 crypt /mnt/VAULT1
+ sdc 8:32 0 3.6T 0 disk
+ └─VAULT2 254:7 0 3.6T 0 crypt
+ sr0 11:0 1 891.3M 0 rom
+
+
+And here you can see that we managed to mount our external luks encrypted drive in /mnt/VAULT1, so we can now write to it:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cd /mnt/VAULT1
+
+ [ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
+ → echo 'test' > test.txt
+
+ [ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
+ → ls -lash
+ total 28K
+ 4.0K drwxr-xr-x 3 root root 4.0K Nov 5 09:23 .
+ 4.0K drwxr-xr-x 4 root root 4.0K Nov 5 09:15 ..
+ 16K drwx------ 2 root root 16K Nov 5 09:21 lost+found
+ 4.0K -rw-r--r-- 1 root root 5 Nov 5 09:23 test.txt
+
+
+
+Then we mount the other drive in the same way:
+
+
+ [ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
+ → mkfs.ext4 /dev/mapper/VAULT2
+ mke2fs 1.46.5 (30-Dec-2021)
+ /dev/mapper/VAULT2 contains `DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 976742143 sectors, extended partition table (last)' data
+ Proceed anyway? (y,N) y
+ Creating filesystem with 976742144 4k blocks and 244187136 inodes
+ Filesystem UUID: 8c41fdda-d272-4570-8562-f8f7ac4c87db
+ Superblock backups stored on blocks:
+ 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
+ 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
+ 102400000, 214990848, 512000000, 550731776, 644972544
+
+ Allocating group tables: done
+ Writing inode tables: done
+ Creating journal (262144 blocks): done
+ Writing superblocks and filesystem accounting information: done
+
+
+ [ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
+ → mount /dev/mapper/VAULT2 /mnt/VAULT2
+
+ [ 10.0.0.222/16 ] [ backup ] [/mnt/VAULT1]
+ → lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1000G 0 disk
+ ├─sda1 8:1 0 512M 0 part /boot
+ ├─sda2 8:2 0 1M 0 part
+ └─sda3 8:3 0 999.5G 0 part
+ ├─lvm-swap 254:0 0 512M 0 lvm
+ │ └─swap 254:5 0 512M 0 crypt [SWAP]
+ ├─lvm-tmp 254:1 0 500M 0 lvm
+ │ └─tmp 254:4 0 500M 0 crypt /tmp
+ └─lvm-lvroot 254:2 0 998.5G 0 lvm
+ └─root 254:3 0 998.5G 0 crypt /
+ sdb 8:16 0 3.6T 0 disk
+ └─VAULT1 254:6 0 3.6T 0 crypt /mnt/VAULT1
+ sdc 8:32 0 3.6T 0 disk
+ └─VAULT2 254:7 0 3.6T 0 crypt /mnt/VAULT2
+ sr0 11:0 1 891.3M 0 rom
+
+
+
+## **Scripting**
+
+I think its obvious that you don't want to store your password in cleartext anywhere on your machine, so you'll have to type the password everytime you want to open the drives. So i have this script here to mount the drives quickly, i just run it at startup:
+
+![]()
+
+
+ [ 10.0.0.222/16 ] [ backup ] [~]
+ → cat vault.sh
+
+ #!/bin/bash
+ echo "[+] MOUNTING VAULTS..."
+
+ sudo cryptsetup luksOpen /dev/sdb VAULT1
+ sudo mkdir /mnt/VAULT1 2>/dev/null
+ sudo mount /dev/mapper/VAULT1 /mnt/VAULT1
+
+ sudo cryptsetup luksOpen /dev/sdc VAULT2
+ sudo mkdir /mnt/VAULT2 2>/dev/null
+ sudo mount /dev/mapper/VAULT2 /mnt/VAULT2
+
+ echo "[+] VAULTS MOUNTED"
+
+
+
diff --git a/mail2/0.png b/mail2/0.png
new file mode 100644
index 0000000..c9e3322
Binary files /dev/null and b/mail2/0.png differ
diff --git a/mail2/1.png b/mail2/1.png
new file mode 100644
index 0000000..deafad8
Binary files /dev/null and b/mail2/1.png differ
diff --git a/mail2/10.png b/mail2/10.png
new file mode 100644
index 0000000..dbb65a0
Binary files /dev/null and b/mail2/10.png differ
diff --git a/mail2/11.png b/mail2/11.png
new file mode 100644
index 0000000..251ab92
Binary files /dev/null and b/mail2/11.png differ
diff --git a/mail2/12.png b/mail2/12.png
new file mode 100644
index 0000000..305ee19
Binary files /dev/null and b/mail2/12.png differ
diff --git a/mail2/13.png b/mail2/13.png
new file mode 100644
index 0000000..64da9b9
Binary files /dev/null and b/mail2/13.png differ
diff --git a/mail2/14.png b/mail2/14.png
new file mode 100644
index 0000000..98c0896
Binary files /dev/null and b/mail2/14.png differ
diff --git a/mail2/15.png b/mail2/15.png
new file mode 100644
index 0000000..65f2ba5
Binary files /dev/null and b/mail2/15.png differ
diff --git a/mail2/16.png b/mail2/16.png
new file mode 100644
index 0000000..d3e8852
Binary files /dev/null and b/mail2/16.png differ
diff --git a/mail2/17.png b/mail2/17.png
new file mode 100644
index 0000000..448c0b7
Binary files /dev/null and b/mail2/17.png differ
diff --git a/mail2/2.png b/mail2/2.png
new file mode 100644
index 0000000..8d1fae0
Binary files /dev/null and b/mail2/2.png differ
diff --git a/mail2/20.png b/mail2/20.png
new file mode 100644
index 0000000..407c8e5
Binary files /dev/null and b/mail2/20.png differ
diff --git a/mail2/21.png b/mail2/21.png
new file mode 100644
index 0000000..05ae25b
Binary files /dev/null and b/mail2/21.png differ
diff --git a/mail2/22.png b/mail2/22.png
new file mode 100644
index 0000000..4b446af
Binary files /dev/null and b/mail2/22.png differ
diff --git a/mail2/23.png b/mail2/23.png
new file mode 100644
index 0000000..a24d981
Binary files /dev/null and b/mail2/23.png differ
diff --git a/mail2/24.png b/mail2/24.png
new file mode 100644
index 0000000..2f8f18c
Binary files /dev/null and b/mail2/24.png differ
diff --git a/mail2/25.png b/mail2/25.png
new file mode 100644
index 0000000..1f848ca
Binary files /dev/null and b/mail2/25.png differ
diff --git a/mail2/26.png b/mail2/26.png
new file mode 100644
index 0000000..c07d010
Binary files /dev/null and b/mail2/26.png differ
diff --git a/mail2/27.png b/mail2/27.png
new file mode 100644
index 0000000..1c40f3f
Binary files /dev/null and b/mail2/27.png differ
diff --git a/mail2/28.png b/mail2/28.png
new file mode 100644
index 0000000..b24744a
Binary files /dev/null and b/mail2/28.png differ
diff --git a/mail2/3.png b/mail2/3.png
new file mode 100644
index 0000000..b75000c
Binary files /dev/null and b/mail2/3.png differ
diff --git a/mail2/4.png b/mail2/4.png
new file mode 100644
index 0000000..768d686
Binary files /dev/null and b/mail2/4.png differ
diff --git a/mail2/5.png b/mail2/5.png
new file mode 100644
index 0000000..7d91f51
Binary files /dev/null and b/mail2/5.png differ
diff --git a/mail2/6.png b/mail2/6.png
new file mode 100644
index 0000000..b982759
Binary files /dev/null and b/mail2/6.png differ
diff --git a/mail2/7.png b/mail2/7.png
new file mode 100644
index 0000000..ecf8fa5
Binary files /dev/null and b/mail2/7.png differ
diff --git a/mail2/8.png b/mail2/8.png
new file mode 100644
index 0000000..3cba11c
Binary files /dev/null and b/mail2/8.png differ
diff --git a/mail2/9.png b/mail2/9.png
new file mode 100644
index 0000000..01aeed9
Binary files /dev/null and b/mail2/9.png differ
diff --git a/mail2/index.md b/mail2/index.md
new file mode 100644
index 0000000..e291f6b
--- /dev/null
+++ b/mail2/index.md
@@ -0,0 +1,297 @@ +# emailwiz Setup + +![](0.png) + +In this tutorial we're going to setup a self hosted mail server using lukesmith's [emailwiz.sh](https://github.com/LukeSmithxyz/emailwiz/blob/master/emailwiz.sh) script: + +## **Initial Setup** + +First step is, get a VPS on [vultr.com](https://vultr.com/), and ssh to it after you've setup an A record to it, for me it's **mail.void.yt** + + + [ 10.66.66.2/32 ] [ /dev/pts/37 ] [~] + → ssh root@mail.void.yt + Welcome to Ubuntu 21.10 (GNU/Linux 5.13.0-20-generic x86_64) + + * Documentation: https://help.ubuntu.com + * Management: https://landscape.canonical.com + * Support: https://ubuntu.com/advantage + + System information as of Sun Oct 31 01:36:43 PM UTC 2021 + + System load: 0.04 Processes: 143 + Usage of /: 10.3% of 54.41GB Users logged in: 0 + Memory usage: 11% IPv4 address for enp1s0: 45.32.9.224 + Swap usage: 0% + + + 0 updates can be applied immediately. + + + Last login: Sun Oct 31 13:34:04 2021 from 78.141.239.68 + root@mail:~# apt update -y ; apt upgrade -y ; apt install vim tmux curl certbot python3-certbot-nginx nginx -y + + root@mail:~# curl -LO lukesmith.xyz/emailwiz.sh + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 178 100 178 0 0 221 0 --:--:-- --:--:-- --:--:-- 221 + 100 154 100 154 0 0 104 0 0:00:01 0:00:01 --:--:-- 104 + 100 12137 100 12137 0 0 7122 0 0:00:01 0:00:01 --:--:-- 455k + root@mail:~# chmod +x emailwiz.sh + + root@mail:~# systemctl disable --now ufw + + + +Now before we continue, let's update the DNS and Reverse DNS: + +![](1.png) ![](2.png) + +if you're confused about the MX record, here it is (do not forget the trailing dot at the end): + +![](3.png) + +Once that's done, make sure the DNS record points to your VPS: + + + root@mail:~# curl ifconfig.me ; echo; echo; nslookup mail.void.yt + 45.76.133.0 + + Server: 108.61.10.10 + Address: 108.61.10.10#53 + + Non-authoritative answer: + Name: mail.void.yt + Address: 
45.76.133.0 + Name: mail.void.yt + Address: 2001:19f0:7001:4de1:5400:3ff:fea6:e93f + Name: mail.void.yt + Address: 2001:19f0:7002:e3c:5400:3ff:fea7:8e7 + Name: mail.void.yt + Address: 2001:19f0:7401:85a0:5400:3ff:fea7:20d2 + Name: mail.void.yt + Address: 2001:19f0:7402:2c6:5400:3ff:fea7:22a3 + + + +Then we're going to setup a basic nginx website along with a free TLS certificate using certbot: + + + root@mail:~# vim /etc/nginx/sites-available/default + root@mail:~# cat /etc/nginx/sites-available/mail.void.yt.conf + + server { + listen 80; + listen [::]:80 ; + root /var/www/mail; + + index index.html; + + server_name mail.void.yt; + + location / { + try_files $uri $uri/ =404; + } + + } + + root@mail:~# mv /etc/nginx/sites-available/default /etc/nginx/sites-available/mail.void.yt.conf + root@mail:~# rm -rf /etc/nginx/sites-enabled/default + root@mail:~# ln -s /etc/nginx/sites-available/mail.void.yt.conf /etc/nginx/sites-enabled/mail.void.yt.conf + + root@mail:~# systemctl restart nginx + root@mail:~# systemctl status nginx + ● nginx.service - A high performance web server and a reverse proxy server + Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-10-31 19:19:48 UTC; 1s ago + Docs: man:nginx(8) + Process: 2211 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Process: 2212 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Main PID: 2213 (nginx) + Tasks: 2 (limit: 2340) + Memory: 2.5M + CPU: 23ms + CGroup: /system.slice/nginx.service + ├─2213 nginx: master process /usr/sbin/nginx -g daemon on; master_process on; + └─2215 nginx: worker process + + Oct 31 19:19:48 mail systemd[1]: Starting A high performance web server and a reverse proxy server... 
+ Oct 31 19:19:48 mail systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument + Oct 31 19:19:48 mail systemd[1]: Started A high performance web server and a reverse proxy server. + root@mail:~# cat /etc/nginx/sites-available/mail.void.yt.conf + + root@mail:~# mkdir /var/www/mail/ + root@mail:~# echo 'Welcome to mail.void.yt !' > /var/www/mail/index.md + + root@mail:~# curl mail.void.yt + Welcome to mail.void.yt ! + + + +` ![](16.png) + +And when we check the website, it says that it is secured via Letsencrypt! + +![](17.png) + +Now let's run luke's emailwiz.sh script: + + + root@mail:~# sh emailwiz.sh + Installing programs... + Reading package lists... Done + Building dependency tree... Done + Reading state information... Done + The following additional packages will be installed: + cpp cpp-11 dns-root-data dovecot-core fontconfig-config fonts-dejavu-core gcc gcc-11 libasan6 libatomic1 libauthen-sasl-perl libc-dev-bin libc-devtools libc6-dev libcc1-0 libclone-perl libcommon-sense-perl libcrypt-dev + libcrypt-openssl-bignum-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl libdeflate0 libdigest-bubblebabble-perl libdigest-hmac-perl libencode-locale-perl libexttextcat-2.0-0 libexttextcat-data libfontconfig1 + libgcc-11-dev libgd3 libgomp1 libhtml-parser-perl libhtml-tagset-perl libhttp-date-perl libhttp-message-perl libidn11 libio-html-perl libio-socket-inet6-perl libio-socket-ssl-perl libisl23 libitm1 libjbig0 libjpeg-turbo8 + libjpeg8 libjson-perl libjson-xs-perl liblsan0 liblua5.1-0 liblua5.3-0 liblwp-mediatypes-perl libmail-authenticationresults-perl libmail-dkim-perl libmail-spf-perl libmailtools-perl libmemcached11 libmilter1.0.1 libmpc3 + libnet-dns-perl libnet-dns-sec-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-ssl-perl libnet-ssleay-perl libnetaddr-ip-perl libnsl-dev libopendbx1 libopendbx1-sqlite3 libopendkim11 libperl4-corelibs-perl libquadmath0 + librbl1 libsocket6-perl libsodium23 
libsys-hostname-long-perl libtiff5 libtimedate-perl libtirpc-dev libtsan0 libtypes-serialiser-perl libubsan1 libunbound8 liburi-perl libvbr2 libwebp6 libxpm4 linux-libc-dev make + manpages-dev opendkim-tools perl-openssl-defaults re2c rpcsvc-proto sa-compile ssl-cert + Suggested packages: + cpp-doc gcc-11-locales dovecot-gssapi dovecot-ldap dovecot-lmtpd dovecot-lucene dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-pop3d dovecot-solr dovecot-sqlite dovecot-submissiond ntp gcc-multilib autoconf + automake libtool flex bison gdb gcc-doc gcc-11-multilib gcc-11-doc libgssapi-perl glibc-doc libgd-tools libdata-dump-perl libwww-perl make-doc procmail postfix-mysql postfix-pgsql postfix-ldap postfix-pcre postfix-lmdb + postfix-sqlite resolvconf postfix-cdb mail-reader postfix-doc razor libdbi-perl pyzor libencode-detect-perl libgeoip2-perl libnet-patricia-perl libbsd-resource-perl + The following NEW packages will be installed: + cpp cpp-11 dns-root-data dovecot-core dovecot-imapd dovecot-sieve fontconfig-config fonts-dejavu-core gcc gcc-11 libasan6 libatomic1 libauthen-sasl-perl libc-dev-bin libc-devtools libc6-dev libcc1-0 libclone-perl + libcommon-sense-perl libcrypt-dev libcrypt-openssl-bignum-perl libcrypt-openssl-random-perl libcrypt-openssl-rsa-perl libdeflate0 libdigest-bubblebabble-perl libdigest-hmac-perl libencode-locale-perl libexttextcat-2.0-0 + libexttextcat-data libfontconfig1 libgcc-11-dev libgd3 libgomp1 libhtml-parser-perl libhtml-tagset-perl libhttp-date-perl libhttp-message-perl libidn11 libio-html-perl libio-socket-inet6-perl libio-socket-ssl-perl libisl23 + libitm1 libjbig0 libjpeg-turbo8 libjpeg8 libjson-perl libjson-xs-perl liblsan0 liblua5.1-0 liblua5.3-0 liblwp-mediatypes-perl libmail-authenticationresults-perl libmail-dkim-perl libmail-spf-perl libmailtools-perl + libmemcached11 libmilter1.0.1 libmpc3 libnet-dns-perl libnet-dns-sec-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-ssl-perl libnet-ssleay-perl libnetaddr-ip-perl 
libnsl-dev libopendbx1 libopendbx1-sqlite3 libopendkim11 + libperl4-corelibs-perl libquadmath0 librbl1 libsocket6-perl libsodium23 libsys-hostname-long-perl libtiff5 libtimedate-perl libtirpc-dev libtsan0 libtypes-serialiser-perl libubsan1 libunbound8 liburi-perl libvbr2 libwebp6 + libxpm4 linux-libc-dev make manpages-dev opendkim opendkim-tools perl-openssl-defaults postfix re2c rpcsvc-proto sa-compile spamassassin spamc ssl-cert + 0 upgraded, 100 newly installed, 0 to remove and 0 not upgraded. + Need to get 138 MB of archives. + After this operation, 421 MB of additional disk space will be used. + Do you want to continue? [Y/n] y + + + + +When you get prompted by postfix configuration, do the following: + +![](4.png) ![](15.png) + +(Yes, you must put the TLD, not the mail.TLD) + +![](6.png) + +Now that's done, let's update our dns records as described above: + +![](7.png) ![](8.png) ![](14.png) + +Now the way this server works is that if you have a user that is in the mailgroup, he can log into the mail server. Let's add our first user: + + + root@mail:~# useradd -G mail -m nothing + useradd: warning: the home directory /home/nothing already exists. + useradd: Not copying any file from skel directory into it. + + root@mail:~# passwd nothing + New password: + Retype new password: + passwd: password updated successfully + + + +Now let's check if the server has the ports we need opened: + + + root@mail:~# apt install nmap -y + + root@mail:~# nmap 127.0.0.1 + Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-31 19:33 UTC + Nmap scan report for localhost (127.0.0.1) + Host is up (0.0000030s latency). 
+ Not shown: 991 closed ports + PORT STATE SERVICE + 22/tcp open ssh + 25/tcp open smtp + 80/tcp open http + 143/tcp open imap + 443/tcp open https + 465/tcp open smtps + 587/tcp open submission + 783/tcp open spamassassin + 993/tcp open imaps + + + +the ports we need are opened on the serverside, let's check them from the clientside: + + + [ 10.66.66.2/32 ] [ /dev/pts/0 ] [~] + → nmap mail.void.yt + Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-31 20:34 UTC + Nmap scan report for mail.void.yt (45.76.133.0) + Host is up (0.033s latency). + Other addresses for mail.void.yt (not scanned): 2001:19f0:7402:2c6:5400:3ff:fea7:22a3 2001:19f0:7001:4de1:5400:3ff:fea6:e93f 2001:19f0:7401:85a0:5400:3ff:fea7:20d2 2001:19f0:7002:e3c:5400:3ff:fea7:8e7 + Not shown: 989 closed tcp ports (conn-refused) + PORT STATE SERVICE + 22/tcp open ssh + 25/tcp open smtp + 80/tcp open http + 139/tcp filtered netbios-ssn + 143/tcp open imap + 443/tcp open https + 445/tcp filtered microsoft-ds + 465/tcp open smtps + 587/tcp open submission + 993/tcp open imaps + 1688/tcp filtered nsjtp-data + + + +Looks good aswell! 
Now let's test if our server works, let's connect to it using thunderbird: + + + [ 10.66.66.2/32 ] [ /dev/pts/38 ] [~] + → sudo pacman -S thunderbird + + [ 10.66.66.2/32 ] [ /dev/pts/38 ] [~] + → thunderbird + + + +![](20.png) ![](21.png) ![](22.png) + +Looks like the connection was successful, now let's try to send the mail to a gmail address, which is probably the most picky email service provider: + +![](23.png) + +So by default when gmail recieves a new domain name, it flags it as spam, wait a few weeks and it will no longer consider it as spam, in the mean time let's signal it as non-spam: + +![](24.png) + +Now let's reply to our mail to test if we can recieve mails from gmail: + +![](25.png) + +If you don't recieve mail from gmail, do a DKIM test from [appmaildev](https://appmaildev.com/en/dkim) + +![](26.png) + +You might need to wait 12 hours or so for your DNS records to propagate, most notably for the DKIM record. + +![](27.png) + +Looks good! and when we try to send a mail from gmail to our server we recieve it: + +![](28.png) + +And that's it! We managed to setup a public mail server! + +If you want a web interface for your mail server, check out my tutorial on how to install rainloop [here](../rainloop/index.md). + +If thunderbird gives you the invalid SSL certificate error, do not click add exception, but rather edit dovecot's ssl config: + + + root@mail:~# vim /etc/dovecot/conf.d/10-ssl.conf + root@mail:~# cat /etc/dovecot/conf.d/10-ssl.conf | grep ssl_ + #ssl_cert = <****/etc/dovecot/private/dovecot.pem + #ssl_key = <****/etc/dovecot/private/dovecot.key + ssl_cert = <****/etc/letsencrypt/live/mail.void.yt/fullchain.pem + ssl_key = <****/etc/letsencrypt/live/mail.void.yt/privkey.pem + diff --git a/matrix/0.png b/matrix/0.png new file mode 100644 index 0000000..06242cd Binary files /dev/null and b/matrix/0.png differ diff --git a/matrix/1.png b/matrix/1.png new file mode 100644 index 0000000..e51c6f7 Binary files /dev/null and b/matrix/1.png differ 
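Review bot: The installer is fetched with `curl -LO lukesmith.xyz/emailwiz.sh` — no scheme, so curl falls back to plain HTTP — and then run as root with `sh emailwiz.sh` without being read or compared against the GitHub source the tutorial links in its first paragraph. The step should at least use `curl -LO https://lukesmith.xyz/emailwiz.sh` and tell the reader to open the script (`less emailwiz.sh`) before executing it, since everything it does runs with root privileges on an internet-facing host. Separately, `systemctl disable --now ufw` switches the host firewall off with no explanation and is never revisited; the later external nmap shows SSH, SMTP, IMAP, HTTP and HTTPS reachable, so a sentence on why ufw is disabled (presumably so it does not block the mail ports) and how to re-enable it with only the listed ports allowed would make the result safer to copy.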
diff --git a/matrix/2.png b/matrix/2.png
new file mode 100644
index 0000000..9664e68
Binary files /dev/null and b/matrix/2.png differ
diff --git a/matrix/3.png b/matrix/3.png
new file mode 100644
index 0000000..6152e01
Binary files /dev/null and b/matrix/3.png differ
diff --git a/matrix/index.md b/matrix/index.md
new file mode 100644
index 0000000..65fb79d
--- /dev/null
+++ b/matrix/index.md
@@ -0,0 +1,108 @@ +# matrix Setup + +![](0.png) + +In this tutorial we're going to look at how to setup a matrix chat server + +## **Initial Setup** + + + apt update -y ; apt ugprade -y ; apt autoremove -y + + apt install sudo -y + + sudo apt install -y lsb-release wget apt-transport-https + sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | + sudo tee /etc/apt/sources.list.d/matrix-org.list + sudo apt update -y + sudo apt install matrix-synapse-py3 -y + + + +![](1.png) ![](2.png) + + + root@matrix:~# vim /etc/matrix-synapse/homeserver.yaml + root@matrix:~# cat /etc/matrix-synapse/homeserver.yaml + # Configuration file for Synapse. + # + # This is a YAML file: see [1] for a quick introduction. Note in particular + # that *indentation is important*: all the elements of a list or dictionary + # should have the same indentation. + # + # [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html + # + # For more information on how to configure Synapse, including a complete accounting of + # each option, go to docs/usage/configuration/config_documentation.md or + # https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html + # + # This is set in /etc/matrix-synapse/conf.d/server_name.yaml for Debian installations. 
+ # server_name: "SERVERNAME" + pid_file: "/var/run/matrix-synapse.pid" + listeners: + - port: 8008 + tls: false + type: http + x_forwarded: true + bind_addresses: ['::1', '127.0.0.1','10.0.0.104'] + resources: + - names: [client, federation] + compress: false + database: + name: sqlite3 + args: + database: /var/lib/matrix-synapse/homeserver.db + log_config: "/etc/matrix-synapse/log.yaml" + media_store_path: /var/lib/matrix-synapse/media + signing_key_path: "/etc/matrix-synapse/homeserver.signing.key" + trusted_key_servers: + - server_name: "matrix.org" + + + + +Then test if you can reach your matrix server via web on port 8008: + +![](2.png) + +![]() + + + + + +## **Setup** + +![]() + + + + + +![]() + + + + + +![]() + + + + + +## **Setup** + + + + + + + + + + + + + diff --git a/matrixnew/0.png b/matrixnew/0.png new file mode 100644 index 0000000..6774a0b Binary files /dev/null and b/matrixnew/0.png differ diff --git a/matrixnew/1.png b/matrixnew/1.png new file mode 100644 index 0000000..945ee53 Binary files /dev/null and b/matrixnew/1.png differ diff --git a/matrixnew/10.png b/matrixnew/10.png new file mode 100644 index 0000000..35ed099 Binary files /dev/null and b/matrixnew/10.png differ diff --git a/matrixnew/11.png b/matrixnew/11.png new file mode 100644 index 0000000..44a2cf0 Binary files /dev/null and b/matrixnew/11.png differ diff --git a/matrixnew/12.png b/matrixnew/12.png new file mode 100644 index 0000000..69bf5d2 Binary files /dev/null and b/matrixnew/12.png differ diff --git a/matrixnew/13.png b/matrixnew/13.png new file mode 100644 index 0000000..06556fa Binary files /dev/null and b/matrixnew/13.png differ diff --git a/matrixnew/14.png b/matrixnew/14.png new file mode 100644 index 0000000..ac3a1fe Binary files /dev/null and b/matrixnew/14.png differ diff --git a/matrixnew/15.png b/matrixnew/15.png new file mode 100644 index 0000000..ee1e98b Binary files /dev/null and b/matrixnew/15.png differ 
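Review bot: `apt ugprade -y` in the first command block is a typo for `apt upgrade -y`; apt rejects it as an invalid operation, so a reader copying the block skips the upgrade without noticing because the `;` chain carries on. In the homeserver.yaml excerpt the listener has `tls: false` and `x_forwarded: true` while `bind_addresses` also includes `10.0.0.104`; with `x_forwarded: true` Synapse takes the client IP from the X-Forwarded-For header, so that plaintext listener should only be reachable by the reverse proxy, and the text never says what fronts it or why the LAN address is needed. The remainder of the file is empty `![]()` placeholders and a duplicated `## **Setup**` heading, so it reads as an unfinished draft.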
diff --git a/matrixnew/2.png b/matrixnew/2.png
new file mode 100644
index 0000000..181ec64
Binary files /dev/null and b/matrixnew/2.png differ
diff --git a/matrixnew/3.png b/matrixnew/3.png
new file mode 100644
index 0000000..34a4e67
Binary files /dev/null and b/matrixnew/3.png differ
diff --git a/matrixnew/4.png b/matrixnew/4.png
new file mode 100644
index 0000000..b8c5514
Binary files /dev/null and b/matrixnew/4.png differ
diff --git a/matrixnew/5.png b/matrixnew/5.png
new file mode 100644
index 0000000..b5a6582
Binary files /dev/null and b/matrixnew/5.png differ
diff --git a/matrixnew/6.png b/matrixnew/6.png
new file mode 100644
index 0000000..a5f37b5
Binary files /dev/null and b/matrixnew/6.png differ
diff --git a/matrixnew/7.png b/matrixnew/7.png
new file mode 100644
index 0000000..0dc23d4
Binary files /dev/null and b/matrixnew/7.png differ
diff --git a/matrixnew/8.png b/matrixnew/8.png
new file mode 100644
index 0000000..717de08
Binary files /dev/null and b/matrixnew/8.png differ
diff --git a/matrixnew/9.png b/matrixnew/9.png
new file mode 100644
index 0000000..634e3c5
Binary files /dev/null and b/matrixnew/9.png differ
diff --git a/matrixnew/index.md b/matrixnew/index.md
new file mode 100644
index 0000000..f3f4ba4
--- /dev/null
+++ b/matrixnew/index.md
@@ -0,0 +1,244 @@ +# Matrix Chat Setup + +![](0.png) + +In this tutorial we're going to setup a private matrix chat server along with VoIP support for the element desktop client. + +_Disclaimer:_ If you want this service to remain anonymous, make sure you at least keep [TOR between you and the service](../sensitiveremotevshome/index.md) from the [VPS acquisition](../anonymousremoteserver/index.md) to actual service usage. + +## **Initial Setup** + +First install the required packages: + + + apt install docker.io docker-compose + + + +Then create the directories required: + + + mkdir /srv/matrix/data -p + chown -R 755 /srv/matrix/data + cd /srv/matrix + + + +Then we'll create the docker-compose.yml file and the generateconfig.sh script: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → cat docker-compose.yml + version: "3.3" + + services: + synapse: + image: "matrixdotorg/synapse:latest" + container_name: "matrix_synapse" + ports: + - 8008:8008 + volumes: + - "./data:/data" #it will look at the current directory where you save the file and look for the data folder inside + environment: + VIRTUAL_HOST: "m.nowhere.moe" + VIRTUAL_PORT: 8008 + LETSENCRYPT_HOST: "m.nowhere.moe" + SYNAPSE_SERVER_NAME: "m.nowhere.moe" + SYNAPSE_REPORT_STATS: "yes" + coturn: + image: instrumentisto/coturn:latest + restart: unless-stopped + volumes: + - ./coturn/turnserver.conf:/etc/coturn/turnserver.conf + ports: + - 47160-47200:47160-47200/udp + - 3478:3478 + - 5349:5349 + networks: + - mybridge + networks: + mybridge: + driver: bridge + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → cat generateconfig.sh + #!/bin/bash + + docker-compose run --rm -e SYNAPSE_SERVER_NAME=m.nowhere.moe -e SYNAPSE_REPORT_STATS=yes synapse generate + + + +My matrix server will have the "m.nowhere.moe" domain name. The coturn config mentioned here is used for the VOIP support. 
Now let's generate the initial keys of the matrix server like so: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → ./generateconfig.sh + Creating network "matrix_default" with the default driver + Creating network "matrix_mybridge" with driver "bridge" + Setting ownership on /data to 991:991 + Creating log config /data/m.nowhere.moe.log.config + Generating config file /data/homeserver.yaml + Generating signing key file /data/m.nowhere.moe.signing.key + A config file has been generated in '/data/homeserver.yaml' for server name 'm.nowhere.moe'. Please review this file and customise it to your needs. + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → ls + coturn data docker-compose.yml docker-compose.yml.coturn generateconfig.sh m.nowhere.moe.conf.nginx + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → ls data -lash + total 20K + 4.0K drwxr-xr-x 2 991 991 4.0K Jan 14 11:12 . + 4.0K drwxr-xr-x 4 root root 4.0K Jan 4 13:50 .. + 4.0K -rw-r--r-- 1 root root 1.3K Jan 14 11:12 homeserver.yaml + 4.0K -rw-r--r-- 1 root root 694 Jan 14 11:12 m.nowhere.moe.log.config + 4.0K -rw-r--r-- 1 root root 59 Jan 14 11:12 m.nowhere.moe.signing.key + + + +Now that's done, we can edit the homeserver.yaml if you want to remove trust into the "matrix.org" keys for federation to make it a truly private server: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → cat data/homeserver.yaml | grep server + + trusted_key_servers: + - server_name: "" + + + +Then we can edit the coturn config like so: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → ls + coturn data docker-compose.yml docker-compose.yml.coturn generateconfig.sh m.nowhere.moe.conf.nginx + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → cat coturn/turnserver.conf + use-auth-secret + static-auth-secret=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy + realm=m.nowhere.moe + listening-port=3478 + tls-listening-port=5349 + min-port=47160 + max-port=47200 + verbose + allow-loopback-peers + 
cli-password=cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy + external-ip=116.202.216.190 + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → cat data/homeserver.yaml | grep turn + turn_uris: [ "turn:m.nowhere.moe?transport=udp", "turn:m.nowhere.moe?transport=tcp" ] + turn_shared_secret: "cuAWWAAWWAAWWAWADDWADWADWADWADWADWAWADDWADWWADWADDWADWDWoy" + turn_user_lifetime: 86400000 + turn_allow_guests: true + + + + +Make sure the ports match the ones in the docker-compose.yml file, and the external IP is the one of your server: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → curl ifconfig.me -4 + 116.202.216.190 + + + +Then we start the docker-compose: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → docker-compose up -d + Creating matrix_coturn_1 ... done + Creating matrix_synapse ... done + + + +Then we create the accounts like so: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → docker container ls | grep matrixdot + 134d440b1480 matrixdotorg/synapse:latest "/start.py" About a minute ago Up 25 seconds (healthy) 8009/tcp, 0.0.0.0:8008->8008/tcp, :::8008->8008/tcp, 8448/tcp matrix_synapse + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → docker exec -it 134 bash + root@134d440b1480:/# + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → docker exec -it 134 bash + + root@134d440b1480:/# register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008 + New user localpart [root]: nihilist + Password: + Confirm password: + Make admin [no]: yes + Sending registration request... + Success! 
+ + root@134d440b1480:/# exit + exit + + + +Then we make sure that we can access the matrix server via nginx: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → cat /etc/nginx/sites-enabled/m.nowhere.moe.conf + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + # For the federation port + listen 8448 ssl http2; + listen [::]:8448 ssl http2; + + server_name m.nowhere.moe; + + ssl_certificate /etc/acme/certs/m.nowhere.moe/fullchain.cer; + ssl_certificate_key /etc/acme/certs/m.nowhere.moe/m.nowhere.moe.key; + + location ~ ^(/_matrix|/_synapse/client) { + # note: do not add a path (even a single /) after the port in `proxy_pass`, + # otherwise nginx will canonicalise the URI and cause signature verification + # errors. + proxy_pass http://localhost:8008; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 50M; + + # Synapse responses may be chunked, which is an HTTP/1.1 feature. + proxy_http_version 1.1; + } + } + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/matrix] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + + +Then we test that we can login from a matrix client (which can be installed inside a [whonix VM](../whonixqemuvms/index.md)), let's use [element](https://element.io/download) because we want to be able to do voicecalls: + +![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](5.png) + +Here we will setup a secure backup password, that is a separate password, for end to end encryption purposes. 
Then you can do the following steps: + +![](6.png) + +Make sure you log out of every unverified session: + +![](7.png) ![](8.png) + +You may need to log in and log out before being able to send messages so do that, then create the space along with the chatroom + +![](9.png) ![](10.png) ![](11.png) ![](12.png) ![](13.png) ![](14.png) ![](15.png) + diff --git a/minecraft/0.png b/minecraft/0.png new file mode 100644 index 0000000..442560a Binary files /dev/null and b/minecraft/0.png differ diff --git a/minecraft/1.png b/minecraft/1.png new file mode 100644 index 0000000..4a0225f Binary files /dev/null and b/minecraft/1.png differ diff --git a/minecraft/10.png b/minecraft/10.png new file mode 100644 index 0000000..9f401db Binary files /dev/null and b/minecraft/10.png differ diff --git a/minecraft/11.png b/minecraft/11.png new file mode 100644 index 0000000..3aef58d Binary files /dev/null and b/minecraft/11.png differ diff --git a/minecraft/12.png b/minecraft/12.png new file mode 100644 index 0000000..70a4bce Binary files /dev/null and b/minecraft/12.png differ diff --git a/minecraft/13.png b/minecraft/13.png new file mode 100644 index 0000000..a8a1830 Binary files /dev/null and b/minecraft/13.png differ diff --git a/minecraft/14.png b/minecraft/14.png new file mode 100644 index 0000000..3b2a408 Binary files /dev/null and b/minecraft/14.png differ diff --git a/minecraft/15.png b/minecraft/15.png new file mode 100644 index 0000000..647e763 Binary files /dev/null and b/minecraft/15.png differ diff --git a/minecraft/16.png b/minecraft/16.png new file mode 100644 index 0000000..b67eceb Binary files /dev/null and b/minecraft/16.png differ diff --git a/minecraft/2.png b/minecraft/2.png new file mode 100644 index 0000000..2c6c5d3 Binary files /dev/null and b/minecraft/2.png differ diff --git a/minecraft/3.png b/minecraft/3.png new file mode 100644 index 0000000..5cb3746 Binary files /dev/null and b/minecraft/3.png differ 
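Review bot: `chown -R 755 /srv/matrix/data` passes `755` as an owner name rather than a mode; it is presumably meant to be `chmod -R 755 /srv/matrix/data` (the generate step later sets ownership to 991:991 anyway). The compose file publishes `- 8008:8008`, and the `docker container ls` output confirms `0.0.0.0:8008->8008/tcp, :::8008->8008/tcp`, so Synapse's plaintext listener is reachable directly rather than only through the nginx TLS front unless a host firewall happens to block it; `- 127.0.0.1:8008:8008` keeps it local to the proxy. For a server the introduction describes as private, `SYNAPSE_REPORT_STATS: "yes"` (repeated in generateconfig.sh) opts into sending usage statistics to the Matrix project and should probably be `no`. The coturn config enables `allow-loopback-peers` and sets no `no-multicast-peers` or `denied-peer-ip` ranges, so any client holding the shared secret can have the relay reach the host's loopback and private networks; the usual Synapse TURN guidance is to deny the loopback and RFC1918 ranges there.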
diff --git a/minecraft/4.png b/minecraft/4.png
new file mode 100644
index 0000000..5be446a
Binary files /dev/null and b/minecraft/4.png differ
diff --git a/minecraft/5.png b/minecraft/5.png
new file mode 100644
index 0000000..33ac8ae
Binary files /dev/null and b/minecraft/5.png differ
diff --git a/minecraft/6.png b/minecraft/6.png
new file mode 100644
index 0000000..1f9b4ca
Binary files /dev/null and b/minecraft/6.png differ
diff --git a/minecraft/7.png b/minecraft/7.png
new file mode 100644
index 0000000..91c8595
Binary files /dev/null and b/minecraft/7.png differ
diff --git a/minecraft/8.png b/minecraft/8.png
new file mode 100644
index 0000000..582f583
Binary files /dev/null and b/minecraft/8.png differ
diff --git a/minecraft/9.png b/minecraft/9.png
new file mode 100644
index 0000000..884f97f
Binary files /dev/null and b/minecraft/9.png differ
diff --git a/minecraft/index.md b/minecraft/index.md
new file mode 100644
index 0000000..ed4ff34
--- /dev/null
+++ b/minecraft/index.md
@@ -0,0 +1,437 @@ +# Minecraft Server Setup + +![](0.png) + +In this tutorial we're going to setup a minecraft server: + +## **Initial Setup** + +First install the required dependencies: + + + root@minecraft:~# apt update -y ; apt upgrade -y ; apt install default-jdk -y + root@minecraft:~# apt update -y ; apt install default-jre software-properties-common python3-launchpadlib -y + root@minecraft:~# add-apt-repository ppa:webupd8team/java + + root@minecraft:~# java -version + openjdk version "11.0.11" 2021-04-20 + OpenJDK Runtime Environment (build 11.0.11+9-Ubuntu-0ubuntu2.20.04) + OpenJDK 64-Bit Server VM (build 11.0.11+9-Ubuntu-0ubuntu2.20.04, mixed mode, sharing) + + root@minecraft:~# adduser mcuser + Adding user `mcuser' ... + Adding new group `mcuser' (1000) ... + Adding new user `mcuser' (1000) with group `mcuser' ... + Creating home directory `/home/mcuser' ... + Copying files from `/etc/skel' ... + New password: + Retype new password: + passwd: password updated successfully + Changing the user information for mcuser + Enter the new value, or press ENTER for the default + Full Name []: + Room Number []: + Work Phone []: + Home Phone []: + Other []: + Is the information correct? [Y/n] y + + root@minecraft:~# usermod -aG sudo mcuser + + root@minecraft:~# su - mcuser + To run a command as administrator (user "root"), use "sudo ". + See "man sudo_root" for details. + + mcuser@minecraft:~$ pwd + /home/mcuser + mcuser@minecraft:~$ mkdir minecraft + mcuser@minecraft:~$ cd minecraft/ + + +![](1.png) + + + mcuser@minecraft:~/minecraft$ wget https://maven.minecraftforge.net/net/minecraftforge/forge/1.12.2-14.23.5.2855/forge-1.12.2-14.23.5.2855-installer.jar + --2021-11-16 16:26:29-- https://maven.minecraftforge.net/net/minecraftforge/forge/1.12.2-14.23.5.2855/forge-1.12.2-14.23.5.2855-installer.jar + Resolving maven.minecraftforge.net (maven.minecraftforge.net)... 
51.79.83.165, 2607:5300:203:65a5:: + Connecting to maven.minecraftforge.net (maven.minecraftforge.net)|51.79.83.165|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 4583673 (4.4M) [application/java-archive] + Saving to: 'forge-1.12.2-14.23.5.2855-installer.jar' + + forge-1.12.2-14.23.5.2855-installer.jar 100%[======================================================================================================================>] 4.37M 2.84MB/s in 1.5s + + 2021-11-16 16:26:31 (2.84 MB/s) - 'forge-1.12.2-14.23.5.2855-installer.jar' saved [4583673/4583673] + + + mcuser@minecraft:~/minecraft$ java -jar forge-1.12.2-14.23.5.2855-installer.jar --installServer + JVM info: Ubuntu - 11.0.11 - 11.0.11+9-Ubuntu-0ubuntu2.20.04 + java.net.preferIPv4Stack=true + Found java version 11.0.11 + Target Directory: . + Data kindly mirrored by CreeperHost at https://www.creeperhost.net/ + Extracting main jar: + Extracted successfully + Considering minecraft server jar + Downloading library from https://launcher.mojang.com/v1/objects/886945bfb2b978778c3a0288fd7fab09d315b25f/server.jar + + [...] 
+ + Building Processors + The server installed successfully + You can delete this installer file now if you wish + mcuser@minecraft:~/minecraft$ ls -l + total 38368 + -rw-rw-r-- 1 mcuser mcuser 4583673 Nov 16 16:26 forge-1.12.2-14.23.5.2855-installer.jar + -rw-rw-r-- 1 mcuser mcuser 5054 Nov 16 16:28 forge-1.12.2-14.23.5.2855-installer.jar.log + -rw-rw-r-- 1 mcuser mcuser 4464387 Nov 16 16:28 forge-1.12.2-14.23.5.2855.jar + drwxrwxr-x 7 mcuser mcuser 4096 Nov 16 16:28 libraries + -rw-rw-r-- 1 mcuser mcuser 30222121 Nov 16 16:28 minecraft_server.1.12.2.jar + + + +Now let's test if it works: + + + mcuser@minecraft:~/minecraft$ java -Xmx2048M -Xms2048M -jar minecraft_server.1.12.2.jar nogui + [16:31:36] [Server thread/INFO]: Starting minecraft server version 1.12.2 + [16:31:36] [Server thread/INFO]: Loading properties + [16:31:36] [Server thread/WARN]: server.properties does not exist + [16:31:36] [Server thread/INFO]: Generating new properties file + [16:31:36] [Server thread/WARN]: Failed to load eula.txt + [16:31:36] [Server thread/INFO]: You need to agree to the EULA in order to run the server. Go to eula.txt for more info. + [16:31:36] [Server thread/INFO]: Stopping server + [16:31:36] [Server Shutdown Thread/INFO]: Stopping server + + mcuser@minecraft:~/minecraft$ ls -lash + total 38M + 4.0K drwxrwxr-x 4 mcuser mcuser 4.0K Nov 16 16:31 . + 4.0K drwxr-xr-x 5 mcuser mcuser 4.0K Nov 16 16:27 .. 
+ 4.0K -rw-rw-r-- 1 mcuser mcuser 181 Nov 16 16:31 eula.txt + 4.4M -rw-rw-r-- 1 mcuser mcuser 4.4M Nov 16 16:26 forge-1.12.2-14.23.5.2855-installer.jar + 8.0K -rw-rw-r-- 1 mcuser mcuser 5.0K Nov 16 16:28 forge-1.12.2-14.23.5.2855-installer.jar.log + 4.3M -rw-rw-r-- 1 mcuser mcuser 4.3M Nov 16 16:28 forge-1.12.2-14.23.5.2855.jar + 4.0K drwxrwxr-x 7 mcuser mcuser 4.0K Nov 16 16:28 libraries + 4.0K drwxrwxr-x 2 mcuser mcuser 4.0K Nov 16 16:31 logs + 29M -rw-rw-r-- 1 mcuser mcuser 29M Nov 16 16:28 minecraft_server.1.12.2.jar + 4.0K -rw-rw-r-- 1 mcuser mcuser 59 Nov 16 16:31 server.properties + + mcuser@minecraft:~/minecraft$ cat eula.txt + #By changing the setting below to TRUE you are indicating your agreement to our EULA (https://account.mojang.com/documents/minecraft_eula). + #Tue Nov 16 16:31:36 UTC 2021 + eula=true + + mcuser@minecraft:~/minecraft$ java -Xmx2048M -Xms2048M -jar minecraft_server.1.12.2.jar nogui + [16:34:00] [Server thread/INFO]: Starting minecraft server version 1.12.2 + [16:34:00] [Server thread/INFO]: Loading properties + [16:34:00] [Server thread/INFO]: Default game type: SURVIVAL + [16:34:00] [Server thread/INFO]: Generating keypair + [16:34:00] [Server thread/INFO]: Starting Minecraft server on *:25565 + WARNING: An illegal reflective access operation has occurred + WARNING: Illegal reflective access by io.netty.util.internal.ReflectionUtil (file:/home/mcuser/minecraft/minecraft_server.1.12.2.jar) to constructor java.nio.DirectByteBuffer(long,int) + WARNING: Please consider reporting this to the maintainers of io.netty.util.internal.ReflectionUtil + WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations + WARNING: All illegal access operations will be denied in a future release + [16:34:00] [Server thread/INFO]: Using epoll channel type + [16:34:00] [Server thread/INFO]: Preparing level "world" + [16:34:01] [Server thread/INFO]: Loaded 488 advancements + [16:34:02] [Server thread/INFO]: Preparing 
start region for level 0 + [16:34:03] [Server thread/INFO]: Preparing spawn area: 5% + [16:34:04] [Server thread/INFO]: Preparing spawn area: 8% + [16:34:05] [Server thread/INFO]: Preparing spawn area: 13% + [16:34:06] [Server thread/INFO]: Preparing spawn area: 16% + [16:34:07] [Server thread/INFO]: Preparing spawn area: 21% + [16:34:08] [Server thread/INFO]: Preparing spawn area: 27% + [16:34:09] [Server thread/INFO]: Preparing spawn area: 35% + [16:34:10] [Server thread/INFO]: Preparing spawn area: 41% + [16:34:11] [Server thread/INFO]: Preparing spawn area: 48% + [16:34:12] [Server thread/INFO]: Preparing spawn area: 55% + [16:34:13] [Server thread/INFO]: Preparing spawn area: 62% + [16:34:14] [Server thread/INFO]: Preparing spawn area: 70% + [16:34:15] [Server thread/INFO]: Preparing spawn area: 78% + [16:34:16] [Server thread/INFO]: Preparing spawn area: 86% + [16:34:17] [Server thread/INFO]: Preparing spawn area: 94% + [16:34:18] [Server thread/INFO]: Done (17.633s)! For help, type "help" or "?" + + + +Now the minecraft server is up, let's check if it works, first install minecraft on your client:: + + + [ 10.66.66.2/32 ] [ /dev/pts/135 ] [~] + → yay -S minecraft-launcher + + [ 10.66.66.2/32 ] [ /dev/pts/135 ] [~] + → which minecraft-launcher + /usr/bin/minecraft-launcher + + + +![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) ![](8.png) + +Next if you need to port forward the mc server to the public, it will be on port 25565. 
+ +![]() + + + + + +## **Setup** + +Now if you want to make a modded server, you will need a few things, first you will need minecraft forge install: + + + [ 10.66.66.2/32 ] [ /dev/pts/138 ] [~] + → cd Downloads + + [ 10.66.66.2/32 ] [ /dev/pts/138 ] [~/Downloads] + → java -jar forge-1.12.2-14.23.5.2855-installer.jar + + + +This will open the forge installer, select client this time: + +![](9.png) ![](10.png) ![](11.png) ![](12.png) + +And then we can login once again into the server: + +![](13.png) + +Now let's add a [mod](https://www.curseforge.com/minecraft/mc-mods?filter-game-version=2020709689%3A6756&filter-sort=4) into the minecraft server: + + + mcuser@minecraft:~$ ls -l + total 4 + drwxrwxr-x 5 mcuser mcuser 4096 Nov 16 16:34 minecraft + mcuser@minecraft:~$ cd minecraft/ + mcuser@minecraft:~/minecraft$ ls -l + total 38404 + -rw-rw-r-- 1 mcuser mcuser 2 Nov 16 16:34 banned-ips.json + -rw-rw-r-- 1 mcuser mcuser 2 Nov 16 16:34 banned-players.json + -rw-rw-r-- 1 mcuser mcuser 180 Nov 16 16:33 eula.txt + -rw-rw-r-- 1 mcuser mcuser 4583673 Nov 16 16:26 forge-1.12.2-14.23.5.2855-installer.jar + -rw-rw-r-- 1 mcuser mcuser 5054 Nov 16 16:28 forge-1.12.2-14.23.5.2855-installer.jar.log + -rw-rw-r-- 1 mcuser mcuser 4464387 Nov 16 16:28 forge-1.12.2-14.23.5.2855.jar + drwxrwxr-x 7 mcuser mcuser 4096 Nov 16 16:28 libraries + drwxrwxr-x 2 mcuser mcuser 4096 Nov 16 16:33 logs + -rw-rw-r-- 1 mcuser mcuser 30222121 Nov 16 16:28 minecraft_server.1.12.2.jar + -rw-rw-r-- 1 mcuser mcuser 2 Nov 16 16:34 ops.json + -rw-rw-r-- 1 mcuser mcuser 753 Nov 16 16:34 server.properties + -rw-rw-r-- 1 mcuser mcuser 109 Nov 16 16:44 usercache.json + -rw-rw-r-- 1 mcuser mcuser 2 Nov 16 16:34 whitelist.json + drwxrwxr-x 9 mcuser mcuser 4096 Nov 16 16:49 world + mcuser@minecraft:~/minecraft$ mkdir mods + + mcuser@minecraft:~/minecraft$ cd mods + mcuser@minecraft:~/minecraft/mods$ wget https://media.forgecdn.net/files/2835/318/defiledlands-1.12.2-1.4.3.jar + --2021-11-16 17:10:34-- 
https://media.forgecdn.net/files/2835/318/defiledlands-1.12.2-1.4.3.jar + Resolving media.forgecdn.net (media.forgecdn.net)... 13.224.226.86, 13.224.226.118, 13.224.226.83, ... + Connecting to media.forgecdn.net (media.forgecdn.net)|13.224.226.86|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 780421 (762K) [application/x-amz-json-1.0] + Saving to: 'defiledlands-1.12.2-1.4.3.jar' + + defiledlands-1.12.2-1.4.3.jar 100%[======================================================================================================================>] 762.13K 3.50MB/s in 0.2s + + 2021-11-16 17:10:35 (3.50 MB/s) - 'defiledlands-1.12.2-1.4.3.jar' saved [780421/780421] + + mcuser@minecraft:~/minecraft/mods$ wget https://media.forgecdn.net/files/2518/667/Baubles-1.12-1.5.2.jar + --2021-11-16 17:23:53-- https://media.forgecdn.net/files/2518/667/Baubles-1.12-1.5.2.jar + Resolving media.forgecdn.net (media.forgecdn.net)... 13.224.226.110, 13.224.226.86, 13.224.226.83, ... + Connecting to media.forgecdn.net (media.forgecdn.net)|13.224.226.110|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 108450 (106K) [application/octet-stream] + Saving to: 'Baubles-1.12-1.5.2.jar' + + Baubles-1.12-1.5.2.jar 100%[======================================================================================================================>] 105.91K --.-KB/s in 0.04s + + 2021-11-16 17:23:54 (2.38 MB/s) - 'Baubles-1.12-1.5.2.jar' saved [108450/108450] + + mcuser@minecraft:~/minecraft/mods$ cd .. 
+ + mcuser@minecraft:~/minecraft$ java -Xmx2048M -Xms2048M -jar minecraft_server.1.12.2.jar nogui + + + +Now if we want to run our minecraft forge server we need an older version of java: + + + + mcuser@minecraft:~/minecraft$ sudo apt purge java-common default-jdk default-jre + mcuser@minecraft:~/minecraft$ sudo apt install openjdk-8-jre -y + mcuser@minecraft:~/minecraft$ java -version + mcuser@minecraft:~/minecraft$ java -version + openjdk version "1.8.0_292" + OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~20.04-b10) + OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode) + + mcuser@minecraft:~/minecraft$ java -Xmx2048M -Xms2048M -jar forge-1.12.2-14.23.5.2855.jar nogui + [17:24:19] [main/INFO] [LaunchWrapper]: Loading tweak class name net.minecraftforge.fml.common.launcher.FMLServerTweaker + [17:24:19] [main/INFO] [LaunchWrapper]: Using primary tweak class name net.minecraftforge.fml.common.launcher.FMLServerTweaker + [17:24:19] [main/INFO] [LaunchWrapper]: Calling tweak class net.minecraftforge.fml.common.launcher.FMLServerTweaker + [17:24:19] [main/INFO] [FML]: Forge Mod Loader version 14.23.5.2855 for Minecraft 1.12.2 loading + [17:24:19] [main/INFO] [FML]: Java is OpenJDK 64-Bit Server VM, version 1.8.0_292, running on Linux:amd64:5.4.143-1-pve, installed at /usr/lib/jvm/java-8-openjdk-amd64/jre + [17:24:19] [main/INFO] [FML]: Searching /home/mcuser/minecraft/./mods for mods + [17:24:19] [main/INFO] [LaunchWrapper]: Loading tweak class name net.minecraftforge.fml.common.launcher.FMLInjectionAndSortingTweaker + [17:24:19] [main/INFO] [LaunchWrapper]: Loading tweak class name net.minecraftforge.fml.common.launcher.FMLDeobfTweaker + [17:24:19] [main/INFO] [LaunchWrapper]: Calling tweak class net.minecraftforge.fml.common.launcher.FMLInjectionAndSortingTweaker + [17:24:19] [main/INFO] [LaunchWrapper]: Calling tweak class net.minecraftforge.fml.common.launcher.FMLInjectionAndSortingTweaker + [17:24:19] [main/INFO] [LaunchWrapper]: Calling tweak 
class net.minecraftforge.fml.relauncher.CoreModManager$FMLPluginWrapper + [17:24:23] [main/INFO] [FML]: Found valid fingerprint for Minecraft Forge. Certificate fingerprint e3c3d50c7c986df74c645c0ac54639741c90a557 + [17:24:23] [main/INFO] [LaunchWrapper]: Calling tweak class net.minecraftforge.fml.relauncher.CoreModManager$FMLPluginWrapper + [17:24:23] [main/INFO] [LaunchWrapper]: Calling tweak class net.minecraftforge.fml.common.launcher.FMLDeobfTweaker + [17:24:23] [main/INFO] [LaunchWrapper]: Loading tweak class name net.minecraftforge.fml.common.launcher.TerminalTweaker + [17:24:23] [main/INFO] [LaunchWrapper]: Calling tweak class net.minecraftforge.fml.common.launcher.TerminalTweaker + [17:24:24] [main/INFO] [LaunchWrapper]: Launching wrapped minecraft {net.minecraft.server.MinecraftServer} + [17:24:29] [Server thread/INFO] [minecraft/DedicatedServer]: Starting minecraft server version 1.12.2 + [17:24:29] [Server thread/INFO] [FML]: MinecraftForge v14.23.5.2855 Initialized + [17:24:29] [Server thread/INFO] [FML]: Starts to replace vanilla recipe ingredients with ore ingredients. + [17:24:29] [Server thread/INFO] [FML]: Invalid recipe found with multiple oredict ingredients in the same ingredient... + [17:24:30] [Server thread/INFO] [FML]: Replaced 1227 ore ingredients + [17:24:30] [Server thread/INFO] [FML]: Searching /home/mcuser/minecraft/./mods for mods + [17:24:31] [Server thread/INFO] [FML]: Forge Mod Loader has identified 6 mods to load + [17:24:31] [Server thread/WARN] [FML]: Missing English translation for FML: assets/fml/lang/en_us.lang + [...] + + + +And now it loads our mods ! 
Now let's download the mods locally for our client: + +If you try to login without the mods on the client you will see an error like that one: + +![](15.png) + + + [ 10.66.66.2/32 ] [ /dev/pts/139 ] [~/.minecraft/mods] + → wget https://media.forgecdn.net/files/2518/667/Baubles-1.12-1.5.2.jar + --2021-11-16 18:26:43-- https://media.forgecdn.net/files/2518/667/Baubles-1.12-1.5.2.jar + SSL_INIT + Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' + Resolving media.forgecdn.net (media.forgecdn.net)... 13.224.226.83, 13.224.226.110, 13.224.226.86, ... + Connecting to media.forgecdn.net (media.forgecdn.net)|13.224.226.83|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 108450 (106K) [application/octet-stream] + Saving to: ‘Baubles-1.12-1.5.2.jar’ + + Baubles-1.12-1.5.2.jar 100%[=====================================================================================================================>] 105.91K --.-KB/s in 0.05s + + 2021-11-16 18:26:43 (1.98 MB/s) - ‘Baubles-1.12-1.5.2.jar’ saved [108450/108450] + + + [ 10.66.66.2/32 ] [ /dev/pts/139 ] [~/.minecraft/mods] + → wget https://media.forgecdn.net/files/2835/318/defiledlands-1.12.2-1.4.3.jar + --2021-11-16 18:26:50-- https://media.forgecdn.net/files/2835/318/defiledlands-1.12.2-1.4.3.jar + SSL_INIT + Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' + Resolving media.forgecdn.net (media.forgecdn.net)... 13.224.226.86, 13.224.226.83, 13.224.226.110, ... + Connecting to media.forgecdn.net (media.forgecdn.net)|13.224.226.86|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 780421 (762K) [application/x-amz-json-1.0] + Saving to: ‘defiledlands-1.12.2-1.4.3.jar’ + + defiledlands-1.12.2-1.4.3.jar 100%[=====================================================================================================================>] 762.13K 2.89MB/s in 0.3s + + 2021-11-16 18:26:51 (2.89 MB/s) - ‘defiledlands-1.12.2-1.4.3.jar’ saved [780421/780421] + + + +And we manage to login! + +![](14.png) + +And that's it! We managed to log into our modded minecraft server. + +## **Setup** + +For the players who want to download the mods they need to log into the server, you can setup a simple nginx to allow them to get there: + + + + root@minecraft:~# vim /etc/nginx/sites-available/default + root@minecraft:~# cat /etc/nginx/sites-available/default + + server { + listen 80 default_server; + listen [::]:80 default_server; + + + root /home/mcuser/minecraft/mods; + + index index.html index.htm index.nginx-debian.html; + + server_name _; + autoindex on; + + location / { + try_files $uri $uri/ =404; + } + } + + + root@minecraft:~# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + root@minecraft:~# nginx -s reload + + +![](16.png) + +Now let's make a systemd service to launch our minecraft server + + + root@minecraft:~# vim /etc/systemd/system/minecraft.service + root@minecraft:~# cat /etc/systemd/system/minecraft.service + [Unit] + Description=Minecraft Server + After=syslog.target network.target + + [Service] + # Ensure to set the correct user and working directory (installation directory of your server) here + User=mcuser + WorkingDirectory=/home/mcuser/minecraft/ + + # You can customize the maximum amount of memory as well as the JVM flags here + ExecStart=/usr/bin/java -XX:+UseG1GC -Xmx6G -jar forge-1.12.2-14.23.5.2855.jar --nojline --noconsole -Dsun.rmi.dgc.server.gcInterval=2147483646 -XX:+UnlockExperimentalVMOptions -XX:G1HeapRegionSize=32M 
-XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 + + # Restart the server when it is stopped or crashed after 30 seconds + # Comment out RestartSec if you want to restart immediately + Restart=always + RestartSec=3 + + # Alternative: Restart the server only when it stops regularly + # Restart=on-success + + # Do not remove this! + StandardInput=null + + [Install] + WantedBy=multi-user.target + + root@minecraft:~# systemctl daemon-reload + root@minecraft:~# systemctl enable --now minecraft + Created symlink /etc/systemd/system/multi-user.target.wants/minecraft.service -> /etc/systemd/system/minecraft.service. + root@minecraft:~# systemctl status minecraft + * minecraft.service - Minecraft Server + Loaded: loaded (/etc/systemd/system/minecraft.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2021-11-18 08:16:11 UTC; 5s ago + Main PID: 31956 (java) + Tasks: 33 (limit: 7372) + Memory: 113.1M + CGroup: /system.slice/minecraft.service + `-31956 /usr/bin/java -XX:+UseG1GC -Xmx3G -jar forge-1.12.2-14.23.5.2855.jar --nojline --noconsole + + Nov 18 08:16:11 minecraft systemd[1]: Started Minecraft Server. + + + + +For other minecraft versions you will need to install other java versions, sadly you need to deal with oracle being a corporation and you may need to login there. You're going to need either openjdk 11 or 17+, openjdk 11 being the cutover version from minecraft 1.16.5 + + + use java version 1.8.0 (download it from the oracle website) to make a minecraft server 1.12.2 or on 1.16.5 + + >> https://www.oracle.com/java/technologies/downloads/archive/ (yes you need to create an account there, just fill it with garbage data) + + + diff --git a/motd/0.png b/motd/0.png new file mode 100644 index 0000000..feeff1b Binary files /dev/null and b/motd/0.png differ diff --git a/motd/1.png b/motd/1.png new file mode 100644 index 0000000..507d110 Binary files /dev/null and b/motd/1.png differ 
diff --git a/motd/2.png b/motd/2.png
new file mode 100644
index 0000000..81b557e
Binary files /dev/null and b/motd/2.png differ
diff --git a/motd/index.md b/motd/index.md
new file mode 100644
index 0000000..63746bb
--- /dev/null
+++ b/motd/index.md
@@ -0,0 +1,105 @@ +# Colored MOTDs Setup + +![](0.png) + +In this tutorial we're going to take a look at how to setup a colorful MOTD anytime you wish to ssh into your machines + +## **Initial Setup** + +First install the required dependencies: + + + [ 10.10.14.13/23 ] [ /dev/pts/22 ] [~] + → sudo apt install imagemagick openjdk-17-jdk coreutils perl git + + + +Then clone the Util-Say repository: + + + git clone https://github.com/maandree/util-say + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools] + → git clone https://github.com/maandree/util-say + Cloning into 'util-say'... + remote: Enumerating objects: 2216, done. + remote: Total 2216 (delta 0), reused 0 (delta 0), pack-reused 2216 + Receiving objects: 100% (2216/2216), 700.67 KiB | 1.67 MiB/s, done. + Resolving deltas: 100% (854/854), done. + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools] + → cd util-say + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools/util-say] + → make + + #you need to type make in order to generate the util-say.jar file that the scripts are using. 
+ + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools/util-say] + → ls -lash img2ponysay + 4.0K -rwxr-xr-x 1 nothing nothing 582 May 28 16:20 img2ponysay + + + +here the file we're looking for is called img2ponysay + + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools/util-say] + → cat img2ponysay + #!/usr/bin/env bash + + magnified='1' + file='-' + dash=0 + chroma=1 + c=0 + platform=xterm + + for arg in "$@"; do + if [ $c = 1 ]; then + c=0 + chroma="$arg" + elif [ $dash = 1 ]; then + file="$arg" + elif [ "$arg" = "--" ]; then + dash=1 + elif [ "$arg" = "-2" ]; then + magnified=2 + elif [ "$arg" = "-c" ]; then + c=1 + elif [ "$arg" = "-p" ]; then + platform=linux + else + file="$arg" + fi + done + + java -jar "$(dirname "$0")/util-say.jar" \ + --import image --magnified $magnified --file "$file" --balloon n --export ponysay --balloon y --file - --chroma "$chroma" --platform $platform + + + +Next we're going to use a relatively small image to convert to our motd: + +![](1.png) + + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools/util-say] + → ./img2ponysay -- ~/Pictures/smallzero.png > motd.txt + Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools/util-say] + → cat motd.txt + + + +As you can see, a tiny image can make a very large motd, and you need to be careful of the size of the image you choose to put as your MOTD: + +![](2.png) + + + [ 10.10.14.13/23 ] [ /dev/pts/26 ] [~/Tools/util-say] + → cp motd.txt /etc/motd + + + diff --git a/mymind/0.png b/mymind/0.png new file mode 100644 index 0000000..66a41ab Binary files /dev/null and b/mymind/0.png differ diff --git a/mymind/1.png b/mymind/1.png new file mode 100644 index 0000000..4673062 Binary files /dev/null and b/mymind/1.png differ diff --git a/mymind/10.png b/mymind/10.png new file mode 100644 index 0000000..12c7c10 Binary files /dev/null and b/mymind/10.png differ 
diff --git a/mymind/2.png b/mymind/2.png
new file mode 100644
index 0000000..4701b2f
Binary files /dev/null and b/mymind/2.png differ
diff --git a/mymind/3.png b/mymind/3.png
new file mode 100644
index 0000000..6af0009
Binary files /dev/null and b/mymind/3.png differ
diff --git a/mymind/4.png b/mymind/4.png
new file mode 100644
index 0000000..52666f8
Binary files /dev/null and b/mymind/4.png differ
diff --git a/mymind/5.png b/mymind/5.png
new file mode 100644
index 0000000..9551cfb
Binary files /dev/null and b/mymind/5.png differ
diff --git a/mymind/6.png b/mymind/6.png
new file mode 100644
index 0000000..b64deb7
Binary files /dev/null and b/mymind/6.png differ
diff --git a/mymind/7.png b/mymind/7.png
new file mode 100644
index 0000000..2c621bb
Binary files /dev/null and b/mymind/7.png differ
diff --git a/mymind/8.png b/mymind/8.png
new file mode 100644
index 0000000..b3ab124
Binary files /dev/null and b/mymind/8.png differ
diff --git a/mymind/9.png b/mymind/9.png
new file mode 100644
index 0000000..64692f8
Binary files /dev/null and b/mymind/9.png differ
diff --git a/mymind/index.md b/mymind/index.md
new file mode 100644
index 0000000..a7fd90d
--- /dev/null
+++ b/mymind/index.md
@@ -0,0 +1,368 @@ +# MyMind + MindMaps Installation + +![](0.png) + +In this tutorial we're going to look at how to install MyMind, which is a simple web application (HTML CSS JS) to create mindmaps + +## **Initial Setup** + +We're going to setup a debian CT on proxmox: + +![](1.png) ![](2.png) ![](3.png) + + + root@mindmaps:~# wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/ssh.sh ; chmod +x ssh.sh ; ./ssh.sh + + + +This will setup key-based SSH authentication, generate the ssh keys and go get them on port 8080: + + + Generating public/private ed25519 key pair. + Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:IubhhdBEfOjtKdMtfjIDgVl/7MYOSZ3WQTRzqN1s7p0 root@mindmaps + The key's randomart image is: + +--[ED25519 256]--+ + | oo. o=.. | + | o+ . o+ | + | .=.+ o = + | + | o.o.+ B o + | + | ==oOS o | + | +++B.= . | + | o= = . . . | + | = o . E | + | = | + +----[SHA256]-----+ + * ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2021-04-15 07:56:15 UTC; 1min 28s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 9249 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 9250 (sshd) + Tasks: 1 (limit: 7372) + Memory: 1.2M + CGroup: /system.slice/ssh.service + `-9250 /usr/sbin/sshd -D + + Apr 15 07:56:15 mindmaps systemd[1]: Starting OpenBSD Secure Shell server... + Apr 15 07:56:15 mindmaps sshd[9250]: Server listening on 0.0.0.0 port 22. + Apr 15 07:56:15 mindmaps sshd[9250]: Server listening on :: port 22. + Apr 15 07:56:15 mindmaps systemd[1]: Started OpenBSD Secure Shell server. 
+ inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.171/16 brd 10.0.255.255 scope global eth0 + inet6 fe80::e468:c7ff:fe64:d1ec/64 scope link + [+] ON A REMOTE HOST RUN THE FOLLOWING: + [+] wget http://ip:8080/id25519 -O ~/.ssh/node.pkey + [+] chmod 600 ~/.ssh/node.pkey + Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... + + + + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → curl http://10.0.0.171:8080 + + + + + + + # Directory listing for / + + + + + * * * + + + + + + + * [authorized_keys](authorized_keys) + + + * [id_ed25519](id_ed25519) + + + * [id_ed25519.pub](id_ed25519.pub) + + + + + + * * * + + + + + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → curl http://10.0.0.171:8080/id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACBC4JDCtpHq1bJXiZPg142zMnQpdOXkgrbDipaewWfAFgAAAJA5jaE1OY2h + NQAAAAtzc2gtZWQyNTUxOQAAACBC4JDCtpHq1bJXiZPg142zMnQpdOXkgrbDipaewWfAFg + AAAECHBgET4iawSg4SYLZWH2HGOtUJ5FY/mHif/dMm6FWx30LgkMK2kerVsleJk+DXjbMy + dCl05eSCtsOKlp7BZ8AWAAAADXJvb3RAbWluZG1hcHM= + -----END OPENSSH PRIVATE KEY----- + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → curl http://10.0.0.171:8080/id_ed25519 > ~/.ssh/mindmaps ; chmod 600 ~/.ssh/mindmaps + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 100 399 100 399 0 0 129k 0 --:--:-- --:--:-- --:--:-- 129k + + + +Once that's done, hit CTRL+C in the CT's proxmox TTY Console to shut down the python http server, and login via ssh into your CT: + + + [ 10.0.0.10/16 ] [ /dev/pts/1 ] [~] + → ssh root@10.0.0.171 -i ~/.ssh/mindmaps + The authenticity of host '10.0.0.171 (10.0.0.171)' can't be established. + ED25519 key fingerprint is SHA256:sYUwEQBCxgH/qCG4gU8I3k5/QIheGaaZ0RFzGRVt7Zk. + This key is not known by any other names + Are you sure you want to continue connecting (yes/no/[fingerprint])? 
yes + Warning: Permanently added '10.0.0.171' (ED25519) to the list of known hosts. + Last login: Thu Apr 15 07:53:59 2021 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + + root@mindmaps:~# apt install nginx git -y + + + +## **Configuring NGINX** + +We're going to setup a very simple nginx setup for our local host: + + + root@mindmaps:~# vim /etc/nginx/sites-available/mindmaps.conf + + server { + listen 80; + listen [::]:80; + root /var/www/html/mymind; + index index.html; + } + + :wq + + root@mindmaps:~# ln -s /etc/nginx/sites-available/mindmaps.conf /etc/nginx/sites-enabled/ + + root@mindmaps:~# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + root@mindmaps:~# nginx -s reload + + + +Now that's done, let's git clone the mymind repository into /var/www/html/: + + + root@mindmaps:/var/www/html# git clone https://github.com/ondras/my-mind mymind + root@mindmaps:/var/www/html# chmod -R 655 mymind/ + root@mindmaps:/var/www/html# chown -R www-data: mymind/ + root@mindmaps:/var/www/html# ls -lash mymind/ + total 388K + 4.0K drw-r-xr-x 10 www-data www-data 4.0K Apr 15 08:10 . + 4.0K drwxr-xr-x 3 root root 4.0K Apr 15 08:10 .. 
+ 4.0K drw-r-xr-x 8 www-data www-data 4.0K Apr 15 08:10 .git + 4.0K -rw-r-xr-x 1 www-data www-data 1.1K Apr 15 08:10 LICENSE.txt + 4.0K -rw-r-xr-x 1 www-data www-data 1.5K Apr 15 08:10 Makefile + 4.0K -rw-r-xr-x 1 www-data www-data 591 Apr 15 08:10 PRIVACY.txt + 4.0K -rw-r-xr-x 1 www-data www-data 1.7K Apr 15 08:10 README.md + 4.0K drw-r-xr-x 2 www-data www-data 4.0K Apr 15 08:10 bin + 4.0K drw-r-xr-x 2 www-data www-data 4.0K Apr 15 08:10 css + 4.0K -rw-r-xr-x 1 www-data www-data 2.9K Apr 15 08:10 editor.html + 4.0K drw-r-xr-x 2 www-data www-data 4.0K Apr 15 08:10 examples + 36K -rw-r-xr-x 1 www-data www-data 34K Apr 15 08:10 favicon.ico + 4.0K -rw-r-xr-x 1 www-data www-data 1.7K Apr 15 08:10 github.png + 4.0K drw-r-xr-x 2 www-data www-data 4.0K Apr 15 08:10 icons + 60K -rw-r-xr-x 1 www-data www-data 57K Apr 15 08:10 index.html + 4.0K drw-r-xr-x 2 www-data www-data 4.0K Apr 15 08:10 logo + 136K -rw-r-xr-x 1 www-data www-data 136K Apr 15 08:10 my-mind.js + 92K -rw-r-xr-x 1 www-data www-data 90K Apr 15 08:10 screenshot.png + 4.0K drw-r-xr-x 2 www-data www-data 4.0K Apr 15 08:10 src + 4.0K drw-r-xr-x 3 www-data www-data 4.0K Apr 15 08:10 vendor + + + +Once that's done, goto **http://10.0.0.171/** to see the result: + +![](4.png) + +After creating mindmaps you can save them: + +![](5.png) ![](6.png) + +And load them: + +![](7.png) + +And that's it! However let's check out another interesting mindmapping HTML CSS JS project simply called [mindmaps](https://github.com/drichard/mindmaps). We're going to update the nginx config to have port 8080 serve a http reverse proxy to http://localhost:3000 (where the npm server outputs) with the root path being in /var/www/html/mindmaps: + +![](10.png) + +First we're going to install npm and clone the repository in /var/www/html/: + + + root@mindmaps:/var/www/html# apt install npm -y + + root@mindmaps:/var/www/html# git clone https://github.com/drichard/mindmaps + Cloning into 'mindmaps'... + remote: Enumerating objects: 3640, done. 
+ remote: Total 3640 (delta 0), reused 0 (delta 0), pack-reused 3640
+ Receiving objects: 100% (3640/3640), 2.24 MiB | 2.64 MiB/s, done.
+ Resolving deltas: 100% (2066/2066), done.
+
+
+
+Once that's done, go in the repository directory to install the required dependencies:
+
+
+ root@mindmaps:/var/www/html# cd mindmaps/
+ root@mindmaps:/var/www/html/mindmaps# npm install
+ root@mindmaps:/var/www/html/mindmaps# npm run build
+
+ root@mindmaps:/var/www/html/mindmaps# ls dist/ -lash
+ total 44K
+ 4.0K drwxr-xr-x 5 root root 4.0K Apr 15 08:35 .
+ 4.0K drwxr-xr-x 9 root root 4.0K Apr 15 08:35 ..
+ 8.0K -rw-r--r-- 1 root root 5.4K Apr 15 08:35 about.html
+ 4.0K -rw-r--r-- 1 root root 770 Apr 15 08:35 cache.appcache
+ 4.0K drwxr-xr-x 4 root root 4.0K Apr 15 08:35 css
+ 4.0K drwxr-xr-x 2 root root 4.0K Apr 15 08:35 img
+ 12K -rw-r--r-- 1 root root 9.1K Apr 15 08:35 index.html
+ 4.0K drwxr-xr-x 2 root root 4.0K Apr 15 08:35 js
+
+ root@mindmaps:/var/www/html/mindmaps# npm run start
+ npm WARN npm npm does not support Node.js v10.24.0
+ npm WARN npm You should probably upgrade to a newer version of node as we
+ npm WARN npm can't make any promises that npm will work with this version.
+ npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
+ npm WARN npm You can find the latest version at https://nodejs.org/
+
+ > mindmaps@0.8.0 start /var/www/html/mindmaps
+ > http-server ./src -p 3000
+
+ Starting up http-server, serving ./src
+ Available on:
+ http://127.0.0.1:3000
+ http://10.0.0.171:3000
+ Hit CTRL-C to stop the server
+
+
+
+Same as before, you can save and import your mindmaps:
+
+![](8.png)
+
+Now let's CTRL+C to shutdown the npm server, and edit the nginx config:
+
+
+ ^C
+ root@mindmaps:/var/www/html/mindmaps# vim /etc/nginx/sites-available/mindmaps.conf
+
+ upstream backend {
+ server 127.0.0.1:3000;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ root /var/www/html/mymind;
+ index index.html;
+ }
+
+ server {
+ listen 8080;
+ listen [::]:8080;
+ location / {
+ proxy_pass http://backend;
+ proxy_http_version 1.1;
+ }
+ }
+
+ :wq
+
+
+
+
+Now let's get the systemd service file that will run npm for us because we don't want to manually launch a webserver in a production environnement:
+
+
+ root@mindmaps:/var/www/html/mindmaps# vim /etc/systemd/system/mindmap.service
+
+ [Unit]
+ Description=MindMaps npm service
+ After=network.target
+ After=systemd-user-sessions.service
+ After=network-online.target
+
+ [Service]
+ Type=simple
+ WorkingDirectory=/var/www/html/mindmaps
+ ExecStart=npm run start
+ Restart=always
+ RestartSec=10
+ KillMode=process
+
+ [Install]
+ WantedBy=multi-user.target
+
+ :wq
+
+ root@mindmaps:/var/www/html/mindmaps# systemctl daemon-reload
+ root@mindmaps:/var/www/html/mindmaps# systemctl enable --now mindmap
+ Created symlink /etc/systemd/system/multi-user.target.wants/mindmap.service → /etc/systemd/system/mindmap.service.
+ root@mindmaps:/var/www/html/mindmaps# systemctl status mindmap
+ ● mindmap.service - MindMaps npm service
+ Loaded: loaded (/etc/systemd/system/mindmap.service; enabled; vendor preset: enabled)
+ Active: active (running) since Thu 2021-04-15 08:49:27 UTC; 4s ago
+ Main PID: 18872 (npm)
+ Tasks: 19 (limit: 7372)
+ Memory: 34.5M
+ CGroup: /system.slice/mindmap.service
+ ├─18872 npm
+ ├─18883 sh -c http-server ./src -p 3000
+ └─18884 node /var/www/html/mindmaps/node_modules/.bin/http-server ./src -p 3000
+
+ Apr 15 08:49:28 mindmaps npm[18872]: npm WARN npm can't make any promises that npm will work with this version.
+ Apr 15 08:49:28 mindmaps npm[18872]: npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
+ Apr 15 08:49:28 mindmaps npm[18872]: npm WARN npm You can find the latest version at https://nodejs.org/
+ Apr 15 08:49:28 mindmaps npm[18872]: > mindmaps@0.8.0 start /var/www/html/mindmaps
+ Apr 15 08:49:28 mindmaps npm[18872]: > http-server ./src -p 3000
+ Apr 15 08:49:29 mindmaps npm[18872]: Starting up http-server, serving ./src
+ Apr 15 08:49:29 mindmaps npm[18872]: Available on:
+ Apr 15 08:49:29 mindmaps npm[18872]: http://127.0.0.1:3000
+ Apr 15 08:49:29 mindmaps npm[18872]: http://10.0.0.171:3000
+ Apr 15 08:49:29 mindmaps npm[18872]: Hit CTRL-C to stop the server
+
+
+
+Now that's done, we can reload our nginx server to see the config changes:
+
+
+ root@mindmaps:/var/www/html/mindmaps# nginx -s reload
+
+
+
+![](9.png)
+
+And that's it! We managed to create a nginx reverse proxy to access our mindmaps npm http server via port 8080.
+
diff --git a/neko/0.png b/neko/0.png
new file mode 100644
index 0000000..503a329
Binary files /dev/null and b/neko/0.png differ
diff --git a/neko/1.png b/neko/1.png
new file mode 100644
index 0000000..692e7c4
Binary files /dev/null and b/neko/1.png differ
diff --git a/neko/2.png b/neko/2.png
new file mode 100644
index 0000000..876fef1
Binary files /dev/null and b/neko/2.png differ
diff --git a/neko/3.png b/neko/3.png
new file mode 100644
index 0000000..f084fbe
Binary files /dev/null and b/neko/3.png differ
diff --git a/neko/4.png b/neko/4.png
new file mode 100644
index 0000000..42ebda0
Binary files /dev/null and b/neko/4.png differ
diff --git a/neko/index.md b/neko/index.md
new file mode 100644
index 0000000..36e5cc4
--- /dev/null
+++ b/neko/index.md
@@ -0,0 +1,427 @@
+# Neko Setup
+
+![](https://n.eko.moe/_media/logo.png)
+
+A self hosted virtual browser solution that runs in docker it is meant to replace rabb.it.
+
+## **Initial Setup**
+
+On any debian-based system, simply run one of the following 2 commands to install docker:
+
+
+ root@docker0:~# apt search docker.io
+ Sorting... Done
+ Full Text Search... Done
+ docker-doc/stable,stable 18.09.1+dfsg1-7.1+deb10u2 all
+ Linux container runtime -- documentation
+
+ docker.io/stable,stable,now 18.09.1+dfsg1-7.1+deb10u2 amd64 [installed]
+ Linux container runtime
+
+ python-docker/stable 3.4.1-4 all
+ Python wrapper to access docker.io's control socket
+
+ python3-docker/stable,now 3.4.1-4 all [installed,automatic]
+ Python 3 wrapper to access docker.io's control socket
+
+ ruby-docker-api/stable 1.22.2-1 all
+ Ruby gem to interact with docker.io remote API
+
+ root@docker0:~# apt install docker.io -y
+ OR
+ root@docker0:~# curl -sSL https://get.docker.com/ | CHANNEL=stable bash
+
+
+
+Once docker is installed you should get the following:
+
+
+ root@docker0:~# which docker
+ /usr/bin/docker
+ root@docker0:~# docker -v
+ Docker version 18.09.1, build 4c52b90
+
+
+
+From there, you can check which containers are currently active:
+
+
+ root@docker0:~# docker container ls -a
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 86959b1d649a kutt/kutt "docker-entrypoint.s…" 4 months ago Up 18 minutes 0.0.0.0:3000->3000/tcp kutt_kutt_1
+ 5411baddadcf postgres:12-alpine "docker-entrypoint.s…" 4 months ago Up 18 minutes 5432/tcp kutt_postgres_1
+ a685c6747987 redis:6.0-alpine "docker-entrypoint.s…" 4 months ago Up 18 minutes 6379/tcp kutt_redis_1
+ f33ae4911086 wonderfall/searx "run.sh" 5 months ago Up 18 minutes 0.0.0.0:9999->8888/tcp searx2
+ 0ab72043d028 wonderfall/searx "--restart=always" 5 months ago Created 0.0.0.0:9999->8888/tcp searx
+ eb743d8f0703 nihilist666/dillinger:3.37.2 "/usr/local/bin/dumb…" 5 months ago Up 18 minutes 0.0.0.0:8000->8080/tcp 
dillinger + + + root@docker0:~/neko# docker search neko + NAME DESCRIPTION STARS OFFICIAL AUTOMATED + nurdism/neko Self hosted virtual browser 7 + nekottyo/kustomize-kubeval kubectl, kustomize, kubeval 2 + nekottyo/hub-command Docker image for https://github.com/github/h… 1 [OK] + m1k1o/neko Fork of https://github.com/nurdism/neko/ 1 + nekonyuu/kafka-builder Kafka buiding container ! 1 [OK] + nekorpg/dodontof どどんとふ x H2O 0 [OK] + nekorpg/nekochat Web chat application for tabletop role-playi… 0 [OK] + nekoyume/nekoyume Decentralized MMORPG based on Dungeon World … 0 [OK] + nekoffski/dashboo-api-gw-nightly Nightly builds of api gateway 0 + nekonyuu/ubuntu-devel-py-sci Development Dockers for Ubuntu (with Python … 0 [OK] + nekonyuu/cerebro 0 + nekoffski/dashboo-log-server-nightly Logging server for dashboo 0 + nekokatt/stackless-python-hikari Stackless Python build for x86 for Hikari pi… 0 + nekoffski/dashboo-syncer-nightly Nightly builds of dashboo syncer 0 + nekorpg/nekoboard Web whiteboard application for tabletop role… 0 [OK] + nekonyuu/collectd-builder Collectd buiding container ! 
0 [OK]
+ nekoruri/norikra 0 [OK]
+ nekoserv/base-sabnzbd Base image for sabnzbd 0
+ nekohasekai/nekox-build-script 0
+ nekometer/nekotaku 0
+ graywhale/neko 0
+ nekoruri/fluentd-twitter-bigquery 0
+ nekoaddict/karuta 0
+ nekoneko/centos6-ruby CentOS6 ruby image 0 [OK]
+ nekonoshippo/rtdemo 0
+ root@docker0:~/neko#
+
+
+
+
+I already used that debian VM to have a few containers up and running, but we're interested in the neko container:
+
+## **Installing Neko**
+
+Let's get neko's
+
+
+ root@docker0:~# ls -lsh
+ total 12K
+ 4.0K drwxr-xr-x 11 root root 4.0K Nov 1 09:45 dillinger
+ 4.0K drwxr-xr-x 7 root root 4.0K Nov 29 17:08 kutt
+
+ root@docker0:~# mkdir neko
+ root@docker0:~# cd neko
+ root@docker0:~/neko# wget https://raw.githubusercontent.com/nurdism/neko/master/.examples/simple/docker-compose.yaml
+
+ root@docker0:~/neko# vim docker-compose.yaml
+
+ version: "2.0"
+ services:
+ neko:
+ image: nurdism/neko:firefox
+ restart: always
+ shm_size: "1gb"
+ ports:
+ - "80:8080"
+ - "59000-59100:59000-59100/udp"
+ environment:
+ DISPLAY: :99.0
+ NEKO_PASSWORD: neko
+ NEKO_PASSWORD_ADMIN: admin
+ NEKO_BIND: :8080
+ NEKO_EPR: 59000-59100
+ NEKO_NAT1TO1: 192.168.0.200
+
+
+
+Be default, neko assumes that you're going to use the public IP, so make sure to specify it's local IP with the **NEKO_NAT1TO1** environment variable. If you want to use neko directly from a public IP address, then remove that parameter.
+
+Now by default, neko redirects it's own 8080 port to the host's port 80, it has 2 passwords, one for the users (default is 'neko') and one for the admins (default is 'admin'), edit it if you want, then **:wq** to save and quit out of vim, then use the docker-compose.yaml file to build the container:
+
+
+ root@docker0:~/neko# docker-compose up -d
+ Creating network "neko_default" with the default driver
+ Pulling neko (nurdism/neko:firefox)...
+ firefox: Pulling from nurdism/neko
+ 804555ee0376: Downloading [========================================> ] 18.38MB/22.52MB
+ f3b26a078a5f: Downloading [==========> ] 12.94MB/62.35MB
+ c7e3e1771f69: Downloading [===========================> ] 10.37MB/18.82MB
+ 01b5d8f1086c: Waiting
+ 61bf5b264b09: Waiting
+ 95369768d555: Waiting
+ 7bfe74d8b679: Waiting
+ 68ce98038604: Waiting
+ 10efbff0f24f: Waiting
+ d899a33175af: Waiting
+ 2ab7756db6a1: Waiting
+ 1019839afc2b: Waiting
+ 6bff0ee4124c: Waiting
+ 1703d7743579: Pulling fs layer
+ 71e3127fa99a: Pulling fs layer
+ 050a3eb4e0d5: Pulling fs layer
+
+ [...]
+
+ Digest: sha256:a191ca218b72f19da9e111c16312c6209bbd8e5e744dee657920214dca665354
+ Status: Downloaded newer image for nurdism/neko:firefox
+ Creating neko_neko_1 ... done
+
+
+
+wait for it to complete, and then check the result:
+
+
+ root@docker0:~/neko# docker container ls
+
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 8ff1638fea9b nurdism/neko:firefox "/usr/bin/supervisor…" About a minute ago Up About a minute 0.0.0.0:59000-59100->59000-59100/udp, 0.0.0.0:80->8080/tcp neko_neko_1
+
+ [...]
+
+ [ 10.0.0.10/16 ] [ /dev/pts/27 ] [Github/blog/servers]
+ → nmap -sCV -p80 192.168.0.200
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 07:32 CEST
+ Nmap scan report for 192.168.0.200
+ Host is up (0.0022s latency).
+
+ PORT STATE SERVICE VERSION
+ 80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+ |_http-title: n.eko
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 11.68 seconds
+
+
+
+As expected, now port 80 is opened with our neko instance, so let's check it out:
+
+![](1.png)
+
+Logged in as a regular neko user, we can use the **neko** default password, but we want to have access to the commands, so we use the **admin** default password:
+
+![](2.png)
+
+Here you see that this is a linux container, running with Firefox 68.0
+
+## **Multiple Public Neko Instances**
+
+Now we're going to first delete our neko container, because we don't want just 1 public neko instance, but 3 of them. So we will need to edit the docker-compose file:
+
+
+ root@docker0:~/neko# docker container ls
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 05d3bfecd1fd nurdism/neko:firefox "/usr/bin/supervisor…" 11 minutes ago Up 11 minutes 0.0.0.0:59000-59100->59000-59100/udp, 0.0.0.0:80->8080/tcp neko_neko_1
+
+ [...]
+
+ root@docker0:~/neko# docker container stop 05d
+ 869
+ root@docker0:~/neko# docker container rm 05d
+
+ root@docker0:~/neko# vim docker-compose.yaml
+
+ version: "2.0"
+ services:
+ neko1:
+ image: nurdism/neko:firefox
+ restart: always
+ shm_size: "3gb"
+ ports:
+ - "8081:8080"
+ - "59001-59100:59001-59100/udp"
+ environment:
+ DISPLAY: :99.0
+ NEKO_PASSWORD: neko
+ NEKO_PASSWORD_ADMIN: P@SSW0RD
+ NEKO_BIND: :8080
+ NEKO_EPR: 59001-59100
+ NEKO_NAT1TO1: 192.168.0.200
+
+ neko2:
+ image: nurdism/neko:firefox
+ restart: always
+ shm_size: "3gb"
+ ports:
+ - "8082:8080"
+ - "59101-59200:59101-59200/udp"
+ environment:
+ DISPLAY: :99.0
+ NEKO_PASSWORD: neko
+ NEKO_PASSWORD_ADMIN: P@SSW0RD
+ NEKO_BIND: :8080
+ NEKO_EPR: 59101-59200
+ NEKO_NAT1TO1: 192.168.0.200
+
+ neko3:
+ image: nurdism/neko:firefox
+ restart: always
+ shm_size: "3gb"
+ ports:
+ - "8083:8080"
+ - "59201-59300:59201-59300/udp"
+ environment:
+ DISPLAY: :99.0
+ NEKO_PASSWORD: neko
+ NEKO_PASSWORD_ADMIN: P@SSW0RD
+ NEKO_BIND: :8080
+ NEKO_EPR: 59201-59300
+ NEKO_NAT1TO1: 192.168.0.200
+
+
+ :wq
+
+ 
root@docker0:~/neko# docker-compose up -d
+ Creating neko_neko2_1 ... done
+ Creating neko_neko1_1 ... done
+ Creating neko_neko3_1 ... done
+
+ root@docker0:~/neko# docker container ls
+ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+ 2aca6086627a nurdism/neko:firefox "/usr/bin/supervisor…" About a minute ago Up 17 seconds 0.0.0.0:59201-59300->59201-59300/udp, 0.0.0.0:8083->8080/tcp neko_neko3_1
+ 876c5cf199bf nurdism/neko:firefox "/usr/bin/supervisor…" About a minute ago Up 17 seconds 0.0.0.0:59001-59100->59001-59100/udp, 0.0.0.0:8081->8080/tcp neko_neko1_1
+ 7de701fd022e nurdism/neko:firefox "/usr/bin/supervisor…" About a minute ago Up 18 seconds 0.0.0.0:59101-59200->59101-59200/udp, 0.0.0.0:8082->8080/tcp neko_neko2_1
+
+ [ 10.0.0.10/16 ] [ /dev/pts/27 ] [Github/blog/servers]
+ → nmap -sCV -p8081-8083 192.168.0.200
+ Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 08:34 CEST
+ Nmap scan report for 192.168.0.200
+ Host is up (0.0027s latency).
+
+ PORT STATE SERVICE VERSION
+ 8081/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+ |_http-title: n.eko
+ 8082/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+ |_http-title: n.eko
+ 8083/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+ |_http-title: n.eko
+
+ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+ Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds
+
+
+
+This goes without saying, if you want to make something public, make sure you secure the passwords. our 3 neko instances will be at **192.168.0.200:8081,8082,8083** , and each of them must be reachable from a public ip / domain name. 
To do so we will use a nginx reverse proxy, basically this is going to be a debian machine, where the **80/443 ports** are accessible from a public IP address and so from a domain name, nginx's role is going to get the local services and serve them publicly, each of them under a sub-domain name, and ideally under a TLS encryption. So let's set that up using **acme.sh** on my main nginx node:
+
+First things first, get the correct **A** DNS records to point to the server's IP public IP address, if the root domain already points to the right ip, you can use a **CNAME** DNS record to the root domain like i do:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/27 ] [Github/blog/servers]
+ → for i in {1..3}; do ping neko$i.void.yt -c1; done
+ PING void.yt (85.171.172.151) 56(84) bytes of data.
+ 64 bytes from cryptpad.void.yt (85.171.172.151): icmp_seq=1 ttl=63 time=4.00 ms
+
+ --- void.yt ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 3.999/3.999/3.999/0.000 ms
+ PING void.yt (85.171.172.151) 56(84) bytes of data.
+ 64 bytes from cryptpad.void.yt (85.171.172.151): icmp_seq=1 ttl=63 time=3.09 ms
+
+ --- void.yt ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 3.091/3.091/3.091/0.000 ms
+ PING void.yt (85.171.172.151) 56(84) bytes of data.
+ 64 bytes from cryptpad.void.yt (85.171.172.151): icmp_seq=1 ttl=63 time=8.99 ms
+
+ --- void.yt ping statistics ---
+ 1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ rtt min/avg/max/mdev = 8.987/8.987/8.987/0.000 ms
+
+
+
+Now that the 3 subdomains work properly, set the appropriate subdomain nginx config for each of them:
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/27 ] [Github/blog/servers]
+ → ssh root@10.0.0.101
+ root@10.0.0.101's password:
+ Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ Last login: Sun Apr 18 08:41:27 2021 from 10.0.0.10
+ root@home:~# vim /etc/nginx/sites-available/neko1.void.yt.conf
+
+
+ upstream neko1backend {
+ server 192.168.0.200:8081;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name neko1.void.yt;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name neko1.void.yt;
+
+ ssl_certificate /root/.acme.sh/neko1.void.yt/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/neko1.void.yt/neko1.void.yt.cer;
+ ssl_certificate_key /root/.acme.sh/neko1.void.yt/neko1.void.yt.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ 
ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://neko1backend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+ :wq
+
+ root@home:~# vim /etc/nginx/sites-available/neko2.void.yt.conf
+ root@home:~# vim /etc/nginx/sites-available/neko3.void.yt.conf
+
+ root@home:~# ln -s /etc/nginx/sites-available/neko1.void.yt.conf /etc/nginx/sites-enabled/
+ root@home:~# ln -s /etc/nginx/sites-available/neko2.void.yt.conf /etc/nginx/sites-enabled/
+ root@home:~# ln -s /etc/nginx/sites-available/neko3.void.yt.conf /etc/nginx/sites-enabled/
+
+ root@home:~# nginx -t
+ nginx: [emerg] BIO_new_file("/root/.acme.sh/neko1.void.yt/fullchain.cer") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/root/.acme.sh/neko1.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file)
+ nginx: configuration file /etc/nginx/nginx.conf test failed
+
+
+
+Now when you test the configs, you see that it isn't working so well, that's because we don't have the TLS certificates yet, so let's get them:
+
+
+ root@home:~# systemctl stop nginx
+
+ root@home:~# acme.sh --issue --standalone -d neko1.void.yt -k 4096
+ root@home:~# acme.sh --issue --standalone -d neko2.void.yt -k 4096
+ root@home:~# acme.sh --issue --standalone -d neko3.void.yt -k 4096
+
+ root@home:~# nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+
+
+Once that's done, start nginx again and see the result:
+
+
+ root@home:~# systemctl 
start nginx
+
+
+
+And finally see the result:
+
+![](3.png) ![](4.png)
+
+And that's it! We managed to setup 3 public neko docker instances thanks to our nginx reverse proxy.
+
diff --git a/nextcloud/0.png b/nextcloud/0.png
new file mode 100644
index 0000000..c2734d0
Binary files /dev/null and b/nextcloud/0.png differ
diff --git a/nextcloud/1.png b/nextcloud/1.png
new file mode 100644
index 0000000..200025a
Binary files /dev/null and b/nextcloud/1.png differ
diff --git a/nextcloud/10.png b/nextcloud/10.png
new file mode 100644
index 0000000..9fb728c
Binary files /dev/null and b/nextcloud/10.png differ
diff --git a/nextcloud/2.png b/nextcloud/2.png
new file mode 100644
index 0000000..e8d3415
Binary files /dev/null and b/nextcloud/2.png differ
diff --git a/nextcloud/20.png b/nextcloud/20.png
new file mode 100644
index 0000000..ec2462e
Binary files /dev/null and b/nextcloud/20.png differ
diff --git a/nextcloud/21.png b/nextcloud/21.png
new file mode 100644
index 0000000..4bbb42c
Binary files /dev/null and b/nextcloud/21.png differ
diff --git a/nextcloud/22.png b/nextcloud/22.png
new file mode 100644
index 0000000..31f2e0a
Binary files /dev/null and b/nextcloud/22.png differ
diff --git a/nextcloud/23.png b/nextcloud/23.png
new file mode 100644
index 0000000..8f0b8bd
Binary files /dev/null and b/nextcloud/23.png differ
diff --git a/nextcloud/25.png b/nextcloud/25.png
new file mode 100644
index 0000000..0ac6d83
Binary files /dev/null and b/nextcloud/25.png differ
diff --git a/nextcloud/26.png b/nextcloud/26.png
new file mode 100644
index 0000000..7e40f0b
Binary files /dev/null and b/nextcloud/26.png differ
diff --git a/nextcloud/27.png b/nextcloud/27.png
new file mode 100644
index 0000000..05d4f54
Binary files /dev/null and b/nextcloud/27.png differ
diff --git a/nextcloud/28.png b/nextcloud/28.png
new file mode 100644
index 0000000..445b766
Binary files /dev/null and b/nextcloud/28.png differ
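Review bot: In the three-instance docker-compose.yaml, `NEKO_PASSWORD: neko` is left at the default on neko1, neko2 and neko3 while only `NEKO_PASSWORD_ADMIN` was changed, yet the paragraph that follows tells readers to secure the passwords before exposing the instances; since the compose file is what readers copy, the user password should change too, with a comment such as `# change both passwords before publishing` on those lines. The `ports:` entries publish `8081:8080` through `8083:8080` with no host address, so the nmap output shows them bound on `0.0.0.0` and the instances stay reachable over plain HTTP on the LAN next to the TLS proxy; restricting them to the proxy host (10.0.0.101) with a host firewall rule would close that path, noting that Docker-published ports are generally not filtered by ufw-style INPUT rules and need handling in the DOCKER-USER chain. In the nginx server block, `ssl_trusted_certificate` points at the leaf `neko1.void.yt.cer` although `ssl_stapling_verify on` needs the issuer chain to validate the OCSP response; the `ca.cer` acme.sh writes next to `fullchain.cer` is the file to reference there, and the same applies to the neko2/neko3 copies of this config.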
diff --git a/nextcloud/29.png b/nextcloud/29.png
new file mode 100644
index 0000000..54d506b
Binary files /dev/null and b/nextcloud/29.png differ
diff --git a/nextcloud/3.png b/nextcloud/3.png
new file mode 100644
index 0000000..fedec96
Binary files /dev/null and b/nextcloud/3.png differ
diff --git a/nextcloud/30.png b/nextcloud/30.png
new file mode 100644
index 0000000..601635b
Binary files /dev/null and b/nextcloud/30.png differ
diff --git a/nextcloud/31.png b/nextcloud/31.png
new file mode 100644
index 0000000..268d492
Binary files /dev/null and b/nextcloud/31.png differ
diff --git a/nextcloud/32.png b/nextcloud/32.png
new file mode 100644
index 0000000..e1cb8f2
Binary files /dev/null and b/nextcloud/32.png differ
diff --git a/nextcloud/4.png b/nextcloud/4.png
new file mode 100644
index 0000000..63727d6
Binary files /dev/null and b/nextcloud/4.png differ
diff --git a/nextcloud/41.png b/nextcloud/41.png
new file mode 100644
index 0000000..2d82967
Binary files /dev/null and b/nextcloud/41.png differ
diff --git a/nextcloud/5.png b/nextcloud/5.png
new file mode 100644
index 0000000..074add6
Binary files /dev/null and b/nextcloud/5.png differ
diff --git a/nextcloud/6.png b/nextcloud/6.png
new file mode 100644
index 0000000..4cc3095
Binary files /dev/null and b/nextcloud/6.png differ
diff --git a/nextcloud/7.png b/nextcloud/7.png
new file mode 100644
index 0000000..f134aa7
Binary files /dev/null and b/nextcloud/7.png differ
diff --git a/nextcloud/8.png b/nextcloud/8.png
new file mode 100644
index 0000000..f05500c
Binary files /dev/null and b/nextcloud/8.png differ
diff --git a/nextcloud/9.png b/nextcloud/9.png
new file mode 100644
index 0000000..a6b825c
Binary files /dev/null and b/nextcloud/9.png differ
diff --git a/nextcloud/index.md b/nextcloud/index.md
new file mode 100644
index 0000000..3e9eb4d
--- /dev/null
+++ b/nextcloud/index.md
@@ -0,0 +1,242 @@
+# Easy install of Nextcloud
+
+![](../nextcloud/logo.png)
+
+The idea here is to use snap to install nextcloud.
+
+If you have ubuntu server , great because snap is already pre installed but if you are not, then you need to install it. So for this tutorial we're going to go with Debian 10+ servers:
+
+
+ su -
+ apt update -y
+
+ apt install snapd sudo curl ufw mlocate -y
+ /sbin/usermod -aG sudo [NAME OF THE NON-PRIVILEGED USER]
+ /sbin/ufw allow 22
+ /sbin/ufw allow 80
+ /sbin/ufw allow 443
+ /sbin/ufw enable
+ snap install core
+ exit
+
+
+## **Install Nextcloud**
+
+Using snap, installing nextcloud is fairly simple:
+
+
+ su -
+ snap install nextcloud
+
+ ip a | grep inet
+ curl ifconfig.me
+
+
+you can verify that the nextcloud server works by going at the ip adress of the server http://server_ip/ where you'll create the administrator account.
+
+![](41.png)
+
+Once that's done you should have access to your nextcloud instance, but instead of accessing it through the ip address, we'll set it up in such a way that we can access it through a domain name (for example DuckDNS) and with a HTTPS certificate.
+
+Log into [DuckDNS](https://www.duckdns.org/) and register a domain name pointing to your public ip like so:
+
+![](4.png)
+
+## **Configuring Nextcloud**
+
+Now that we have the domain name pointing to the public ip address of the nextcloud server, we can setup the https certificate using let'sencrypt, just ssh into your server once more and run the following commands:
+
+
+ su -
+ nextcloud.enable-https lets-encrypt
+ nextcloud.occ config:system:set trusted_domains 1 --value=yourdomain.duckdns.org
+
+
+And once that's done, you can access your nextcloud instance from a free domain, which uses a free HTTPS certificate ! 
at https://yourdomain.duckdns.org/
+
+If you installed this nextcloud server locally and behind a reverse nginx proxy, then you would need to allow the domain to be accessed:
+
+
+ root@cloud:/var/snap/nextcloud/common/nextcloud/data# PATH=$PATH:/snap/bin/
+ root@cloud:/var/snap/nextcloud/common/nextcloud/data# which nextcloud.occ
+ /snap/bin//nextcloud.occ
+
+ root@cloud:/var/snap/nextcloud/common/nextcloud/data# nextcloud.occ config:system:set overwritehost --value="cloud.nowhere.moe"
+ System config value overwritehost set to string cloud.nowhere.moe
+
+ root@cloud:~# nextcloud.occ config:system:set overwriteprotocol --value="https"
+ System config value overwriteprotocol set to string https
+
+
+
+In order to upgrade your nextcloud, you can run the following, and also add it to cron to run automatically every day at midnight:
+
+
+ root@cloud:~# sudo snap refresh nextcloud
+ snap "nextcloud" has no updates available
+
+ root@cloud:~# crontab -e
+
+ [...]
+
+ 0 0 * * * /usr/bin/snap refresh nextcloud
+
+ :wq
+
+
+ --2022-12-17 20:34:07-- https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz
+ Resolving github.com (github.com)... 140.82.121.3
+ Connecting to github.com (github.com)|140.82.121.3|:443... connected.
+ HTTP request sent, awaiting response... 
302 Found
+ Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20221217T193407Z&X-Amz-Expires;=300&X-Amz-Signature;=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=274548350&response-content-disposition;=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type;=application%2Foctet-stream [following]
+ --2022-12-17 20:34:07-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/274548350/682877d8-1d52-4029-9777-425f3da0f77c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential;=AKIAIWNJYAX4CSVEH53A%2F20221217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date;=20221217T193407Z&X-Amz-Expires;=300&X-Amz-Signature;=1bf21514b0120917047558bc2d6de9d2f900d34dba04cfd3d30838b59ae4701e&X-Amz-SignedHeaders;=host&actor;_id=0&key;_id=0&repo;_id=274548350&response-content-disposition;=attachment%3B%20filename%3Dlinux_amd64.tar.gz&response-content-type;=application%2Foctet-stream
+ Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
+ Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
+ HTTP request sent, awaiting response... 
200 OK
+ Length: 6326130 (6.0M) [application/octet-stream]
+ Saving to: ‘linux_amd64.tar.gz’
+
+ linux_amd64.tar.gz 100%[===========================================================================================================================================>] 6.03M 6.47MB/s in 0.9s
+
+ 2022-12-17 20:34:09 (6.47 MB/s) - ‘linux_amd64.tar.gz’ saved [6326130/6326130]
+
+ root@cloud:~# sudo tar xvf linux_amd64.tar.gz -C /usr/bin/
+ cronitor
+ root@cloud:~# sudo cronitor configure --api-key 1234567890
+
+ Configuration File:
+ /etc/cronitor/cronitor.json
+
+ Version:
+ 28.8
+
+ API Key:
+ 1234567890
+
+ Ping API Key:
+ Not Set
+
+ Environment:
+ Not Set
+
+ Hostname:
+ cloud
+
+ Timezone Location:
+ {Europe/Paris}
+
+ Debug Log:
+ Off
+ root@cloud:~# cronitor select
+
+ ✔ /usr/bin/snap refresh nextcloud
+ ----► Running command: /usr/bin/snap refresh nextcloud
+
+ snap "nextcloud" has no updates available
+
+ ----► ✔ Command successful Elapsed time 0.451s
+
+
+By default the nextcloud instance does not allow uploading large files, so to fix that you can do the following (as stated [here](https://github.com/nextcloud-snap/nextcloud-snap/issues/586)
+
+
+ root@cloud:~# snap set nextcloud php.post-max-size=20G
+
+ #and if you put your nextcloud behind a nginx reverse proxy, you will need the "client_max_body_size 20G;" line in the nginx config.
+
+ [ 10.8.0.2/24 ] [ home ] [~]
+ → cat /etc/nginx/sites-available/cloud.nowhere.moe
+ upstream cloudbackend {
+ server 10.0.0.103:80;
+ }
+
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name cloud.nowhere.moe;
+ return 301 https://$server_name$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name cloud.nowhere.moe;
+
+ ssl_certificate /root/.acme.sh/cloud.nowhere.moe/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/cloud.nowhere.moe/cloud.nowhere.moe.cer;
+ ssl_certificate_key /root/.acme.sh/cloud.nowhere.moe/cloud.nowhere.moe.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ location / {
+ proxy_pass http://cloudbackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ **client_max_body_size 20G;**
+ }
+ }
+
+
+
+## **Done!**
+
+![](../nextcloud/5.png)
+
+And that's it! This is a very simple installation of nextcloud, you can use it as a server to host your keepass passwords database for example. 
To do so, just use the URL feature of keepass, and use the webdav link that points to the kdbx file you uploaded on the nextcloud server. You can also just install the keeweb extension on nextcloud for it.
+
+To use it in keepass, simply upload your .kdbx file into your nextcloud once logged in, then use the keepass OpenURL feature as follows:
+
+![](22.png)
+
+example URL: **https://cloud.nowhere.moe/remote.php/webdav/Passwords.kdbx**
+
+![](23.png)
+
+To mount the nextcloud share on a windows machine, like you would sync a sharepoint drive, do the following:
+
+![](21.png)
+
+Or you can just install the official nextcloud client [here](https://nextcloud.com/install/#install-clients)
+
+
+ 10.10.16.5/23 ] [ nowhere ] [~]
+ → sudo pacman -S nextcloud-client
+ [sudo] password for nothing:
+ resolving dependencies...
+ looking for conflicting packages...
+
+ Packages (4) karchive-5.103.0-1 qt5-websockets-5.15.8+kde+r3-1 qtkeychain-qt5-0.13.2-1 nextcloud-client-2:3.7.3-1
+
+ Total Download Size: 4.48 MiB
+ Total Installed Size: 16.02 MiB
+
+ :: Proceed with installation? [Y/n] y
+
+
+
+` ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](30.png)
+
+Once logged in you can check the progress in the system tray:
+
+![](31.png)
+
+Then let it automatically sync.
+
+![](32.png)
+
diff --git a/nextcloud/logo.png b/nextcloud/logo.png
new file mode 100644
index 0000000..d16ec27
Binary files /dev/null and b/nextcloud/logo.png differ
diff --git a/nginx/0.png b/nginx/0.png
new file mode 100644
index 0000000..4ad6b4c
Binary files /dev/null and b/nginx/0.png differ
diff --git a/nginx/1.png b/nginx/1.png
new file mode 100644
index 0000000..33a8114
Binary files /dev/null and b/nginx/1.png differ
diff --git a/nginx/2.png b/nginx/2.png
new file mode 100644
index 0000000..c8467f3
Binary files /dev/null and b/nginx/2.png differ
diff --git a/nginx/3.png b/nginx/3.png
new file mode 100644
index 0000000..6047d85
Binary files /dev/null and b/nginx/3.png differ
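Review bot: In the pasted nginx site for cloud.nowhere.moe, the line `**client_max_body_size 20G;**` carries markdown bold markers inside an indented code block, so they render literally and `nginx -t` rejects the directive if the block is copied as-is; write it as `client_max_body_size 20G;` and draw attention to it in the prose instead. The cronitor section begins with wget output and no command or introduction, after which `sudo tar xvf linux_amd64.tar.gz -C /usr/bin/` unpacks the downloaded release straight into /usr/bin with no integrity check; a sentence introducing the tool and a step comparing the archive against the checksum published with the release before extracting would make that section safe to follow. The administrator account is created over plain `http://server_ip/` before `nextcloud.enable-https lets-encrypt` runs, so the text could note that those first credentials travel in cleartext and that the step belongs on a trusted network or after HTTPS is enabled. The `--api-key 1234567890` value reads as a placeholder; a comment such as `# replace with your own key` would keep readers from pasting it.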
diff --git a/nginx/4.png b/nginx/4.png
new file mode 100644
index 0000000..5f262e0
Binary files /dev/null and b/nginx/4.png differ
diff --git a/nginx/5.png b/nginx/5.png
new file mode 100644
index 0000000..60d0a91
Binary files /dev/null and b/nginx/5.png differ
diff --git a/nginx/6.png b/nginx/6.png
new file mode 100644
index 0000000..537b762
Binary files /dev/null and b/nginx/6.png differ
diff --git a/nginx/7.png b/nginx/7.png
new file mode 100644
index 0000000..122d97c
Binary files /dev/null and b/nginx/7.png differ
diff --git a/nginx/8.png b/nginx/8.png
new file mode 100644
index 0000000..3144bd6
Binary files /dev/null and b/nginx/8.png differ
diff --git a/nginx/index.md b/nginx/index.md
new file mode 100644
index 0000000..abfc1ec
--- /dev/null
+++ b/nginx/index.md
@@ -0,0 +1,127 @@ +# Minimalistic NGINX Setup with HTTPS + +![](../nginx/logo.png) + +In this tutorial we'll see how to install a NGINX server with a free TLS 1.3 Certificate and a free domain name. + +## **Initial Setup** + +Before we start, make sure you have a debian 10+ server with a public ip (like a rented VPS on digitalocean for example) If this is a debian server hosted at home, you need to make sure you port forward port 443 on your router interface so that the public IP address' port 443 points to the server's port 443 and not the router. Once you're there, ssh into your server: + +![](../nginx/0.png) + +From here, we'll run the following commands: + + + apt update -y && apt upgrade -y + apt install nginx curl socat git -y + + + +Once that's installed, we can verify nginx is installed like so: + + + root@debian-s-1vcpu-1gb-fra1-01:~# which nginx && nginx -v + /usr/sbin/nginx + nginx version: nginx/1.14.2 + + +We can verify it is running using systemctl: + +![](../nginx/1.png) + +## **Minimalistic NGINX HTTPS configuration** + +Now that nginx is installed, by default only port 80 is opened, as we can see here: + +![](../nginx/2.png) + +So from here, we'll install the custom configuration (located in /etc/nginx/sites-enabled/my_conf.conf): + + + wget https://blog.nowhere.moe/servers/nginx/nginx.conf -O /etc/nginx/sites-enabled/my_conf.conf + + +Once that's done, we verify if nginx's configuration is correct: + + + root@debian-s-1vcpu-1gb-fra1-01:~# nginx -t + nginx: [emerg] no "ssl_certificate_key" is defined for certificate "/root/.acme.sh/ech2.duckdns.org/ech2.duckdns.org.key" + nginx: configuration file /etc/nginx/nginx.conf test failed + + + +And obviously, here we're missing the TLS certificates, and we're going to use [acme.sh](https://acme.sh/) which is going to get us our free letsencrypt TLS cert : + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + + + +And now we can run acme.sh, but before that we need to stop nginx. 
If you do not have a domain name yet, go get one and make sure it points to your VPS' public ip address. If you want a free domain name alternative, you can use duckdns: + +![](../nextcloud/3.png) + +You can verify the domain name points to your vps correctly like so : + +![](../nginx/3.png) + + + systemctl stop nginx + acme.sh --set-default-ca --server letsencrypt + acme.sh --issue --standalone -d ech2.duckdns.org -k 4096 + + + +![](../nginx/4.png) + +Now that acme.sh gave us our free letsencrypt ssh we verify that the nginx config is correct using the "nginx -t" command. If it does not give you a positive answer like in the screenshot above, you probably forgot to edit the configuration in /etc/nginx/sites-enabled/my_conf.conf to contain your own domain name: + + + wget https://blog.nowhere.moe/servers/nginx/nginx.conf -O /etc/nginx/sites-enabled/my_conf.conf + nano /etc/nginx/sites-enabled/my_conf.conf + + + +Once you're done, hit CTRL+S to save in nano, and then CTRL+X to exit nano. + +![](../nginx/5.png) + +After that, verify that nginx configuration is correct, and restart nginx: + + + nginx -t + systemctl start nginx + + echo 'Welcome to my website!' > /var/www/html/index.md + + + +And we're done! + +## **Checking out the website** + +We're done, and we can now check out the website: + +![](../nginx/6.png) + +And here we can see the index.html we previously created. Thanks to the nginx config we created the server is going to attempt TLS 1.3 protocols, and if it is not supported, only after will TLS 1.2 protocols be tried, and not otherwise. + +![](../nginx/7.png) + +We can verify it is working on cryptcheck.fr: + +![](../nginx/8.png) + +And there we have it, we have been able to get a working nginx server working with TLS 1.3 by default using a free domain name, and free TLS certificates provided by Letsencrypt. 
+
+To force the renewal of certificates every month, have this crontab:
+
+
+ crontab -e
+
+ 0 0 1 * * systemctl stop nginx ; "/root/.acme.sh/acme.sh" --server letsencrypt --cron --home "/root/.acme.sh" --force ; systemctl start nginx # once a month, force the renewal of the certificates
+
+
+
diff --git a/nginx/logo.png b/nginx/logo.png
new file mode 100644
index 0000000..9e00e4b
Binary files /dev/null and b/nginx/logo.png differ
diff --git a/nginx_fail/0.png b/nginx_fail/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/nginx_fail/0.png differ
diff --git a/nginx_fail/1.png b/nginx_fail/1.png
new file mode 100644
index 0000000..bc2599c
Binary files /dev/null and b/nginx_fail/1.png differ
diff --git a/nginx_fail/index.md b/nginx_fail/index.md
new file mode 100644
index 0000000..ab11bde
--- /dev/null
+++ b/nginx_fail/index.md
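Review bot: The crontab at the end of the hunk re-issues the certificate every month with `--force` and stops nginx around it, so the site goes down monthly and a fresh certificate is requested even when the current one is nowhere near expiry; the stop/start is only needed because issuance used `--standalone`, which must bind port 80 itself. Prefer issuing with `--webroot /var/www/html` instead of `--standalone` and, if a manual entry is kept at all, `0 0 1 * * "/root/.acme.sh/acme.sh" --cron --home "/root/.acme.sh" --reloadcmd "systemctl reload nginx"` without `--force` (the installer typically registers its own daily `--cron` entry, so check `crontab -l` before adding a second one). Both `wget -O - https://get.acme.sh | sh` and `wget … nginx.conf -O /etc/nginx/sites-enabled/my_conf.conf` run as root and execute or install remote content with no checksum or review step; at minimum download to a file, inspect it, then run or install it. The line `echo 'Welcome to my website!' > /var/www/html/index.md` writes index.md while the prose and screenshot refer to index.html, so the page will not be served as shown; change it to `/var/www/html/index.html`.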
@@ -0,0 +1,226 @@ +# Nginx basic auth + fail2ban + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Initial setup** + +First we're going to install nginx and fail2ban: + + + apt update -y && apt upgrade -y + apt install nginx fail2ban -y + + echo 'welcome to my server!' 
> /var/www/html/index.nginx-debian.html + + +Then we're going to change fail2ban's configuration to include the nginx module: + + + nano /etc/fail2ban/filter.d/nginx-req-limit.conf + + + + + [Definition] + failregex = limiting requests, excess:.* by zone.*client: + + ignoreregex = + + + +Then create the jail config: + + + cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local + vim /etc/fail2ban/jail.local + + + +If you have nginx basic auth module, go to the line by writing /nginx-auth in vim and then edit the [nginx-http-auth] like so: + + + [nginx-http-auth] + + enabled = true + filter = nginx-http-auth + port = http,https + logpath = /var/log/nginx/error.log + + +Then we can append the following modules at the end of the config file: + + + [nginx-req-limit] + + enabled = true + filter = nginx-req-limit + action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] + logpath = /var/log/nginx/*error.log + findtime = 600 + bantime = 7200 + maxretry = 10 + + + +The findtime and maxretry values decide how often offending IPs get banned, making these values smaller, ips will get banned more often so make sure you change the values according to your needs. 
+ +Then we have nginx noscript to jaoilban clients that are searching for scripts on the website to execute and exploit , therefore you can use this one if you don't have php: + + + [nginx-noscript] + + enabled = true + port = http,https + filter = nginx-noscript + logpath = /var/log/nginx/access.log + maxretry = 6 + + + +This one is to jailban known malicious bot request patterns: + + + [nginx-badbots] + + enabled = true + port = http,https + filter = nginx-badbots + logpath = /var/log/nginx/access.log + maxretry = 2 + + + +nginx nohome is used if you don't provide web content from user's home directories + + + [nginx-nohome] + + enabled = true + port = http,https + filter = nginx-nohome + logpath = /var/log/nginx/access.log + maxretry = 2 + + + +nginx noproxy is used to block people from attempting to use our nginx server as an openj proxy: + + + [nginx-noproxy] + + enabled = true + port = http,https + filter = nginx-noproxy + logpath = /var/log/nginx/access.log + maxretry = 2 + + +Then get the individual modules config files: + + + cd /etc/fail2ban/filter.d + sudo nano nginx-http-auth.conf + + + + + [Definition] + + + failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? 
(password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + + ignoreregex = + + + + sudo cp apache-badbots.conf nginx-badbots.conf + sudo nano nginx-noscript.conf + + + + + [Definition] + + failregex = ^ -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi) + + ignoreregex = + + + + + sudo nano nginx-nohome.conf + + + + + [Definition] + + failregex = ^ -.*GET http.* + + ignoreregex = + + + +` Then restart fail2ban with systemctl: + + + systemctl restart fail2ban + + + +Now from the client point of view, let's get banned by fail2ban by requesting alot of requests at once: + + + #!/bin/sh + while true; + do + curl ech1.duckdns.org + done + + + + + chmod +x mycurlscript.sh + ./mycurlscript.sh + + + +You can check fail2ban's logs in /var/log/fail2ban.log: + + + fail2ban-client status nginx-req-limit + + + +you can debug the filter: + + + fail2ban-client -d + fail2ban-regex /var/log/nginx/dom.ain.error.log /etc/fail2ban/filter.d/nginx-req-limit.conf + + + diff --git a/nginx_loadb/1.png b/nginx_loadb/1.png new file mode 100644 index 0000000..f238a4e Binary files /dev/null and b/nginx_loadb/1.png differ diff --git a/nginx_loadb/2.png b/nginx_loadb/2.png new file mode 100644 index 0000000..edf4f40 Binary files /dev/null and b/nginx_loadb/2.png differ diff --git a/nginx_loadb/3.png b/nginx_loadb/3.png new file mode 100644 index 0000000..6f9684f Binary files /dev/null and b/nginx_loadb/3.png differ diff --git a/nginx_loadb/index.md b/nginx_loadb/index.md new file mode 100644 index 0000000..39e98eb --- /dev/null +++ b/nginx_loadb/index.md 
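Review bot: The `nginx-req-limit` jail cannot fire as written, because its filter matches `limiting requests, excess:` and nginx only logs that line when a `limit_req_zone`/`limit_req` pair is configured, which this hunk never adds, so the `mycurlscript.sh` loop at the end will not get the client banned. Add `limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;` in the `http` context and `limit_req zone=req_limit burst=20 nodelay;` in the server block before the test. The filter regexes are also shown without a `<HOST>` capture (`client: ,` in nginx-http-auth.conf, `^ -.*GET` in nginx-noscript.conf and nginx-nohome.conf); this looks like the tag was eaten as HTML on rendering, but fail2ban requires `<HOST>` to extract the IP and `fail2ban-regex` rejects a filter without it, so restore it (`client: <HOST>,` and `^<HOST> -.*GET`). Finally, `nginx-nohome.conf` is given the open-proxy pattern (`GET http.*`) while no `nginx-noproxy.conf` is ever written even though `[nginx-noproxy]` is enabled above, so fail2ban will refuse to load that jail; rename the file to nginx-noproxy.conf and give nohome its own pattern for `/~` paths.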
@@ -0,0 +1,103 @@ +# NGINX Load Balancing + +First off you will need a debian10 server to run nginx as a load balancer, and 2 other http servers. + +## **Initial Setup** + +First we're go install nginx: + + + apt update -y && apt upgrade -y + apt install nginx -y + + + +Then you will need 2 http servers (mine are 192.168.0.150:80 and 192.168.0.151:80): + +![](1.png) + +Then make the configuration to load balance the 2 servers: + + + nano /etc/nginx/sites-available/loadb.conf + + + + + upstream backend { + server 192.168.0.150:80 weight=1; + server 192.168.0.151:80 weight=2; + + } + server { + listen 80; + listen [::]:80; + location / { + proxy_pass http://backend; + } + } + + +Hit CTRL+S to save and CTRL+X to exit nano. + +## **Launching the config** + +Now remove the default config and launch reload nginx: + + + + rm /etc/nginx/sites-available/default + rm /etc/nginx/sites-enabled/default + + ln -s /etc/nginx/sites-available/loadb.conf /etc/nginx/sites-enabled/loadb.conf + nginx -s reload + + + +![](2.png) + +And test if it load balances well. It should give us the output of the .151 server because it has the highest weight: + +![](3.png) + +As you can see, nginx determines the number of allowed requests to each load balanced website with the weight parameter, for instance, our .151 server has a weight of 2, so nginx will allow us 2 requests before switching back to the .150 server. 
+
+This is also possible with other ports like database servers:
+
+
+ upstream sqlbackend {
+ server 192.168.0.150:3386 weight=1;
+ server 192.168.0.151:3386 weight=2;
+
+ }
+ server {
+ listen 3386;
+ listen [::]:3386;
+ location / {
+ proxy_pass sqlbackend;
+ }
+ }
+
+
+
+It is also possible to do with UDP:
+
+
+ stream {
+ upstream ntp {
+ server 192.168.0.150:123 weight=2;
+ server 192.168.0.151:123 weight=3;
+
+ }
+ server {
+ listen 123 udp;
+ listen [::]:123 udp;
+ location / {
+ proxy_pass ntp;
+ }
+ }
+ }
+
+
+Here you can see how flexible nginx truly is, it can handle load balancing of multiple types of services, apply weights parameters over tcp/udp services.
+
diff --git a/nginx_p_mngr/0.png b/nginx_p_mngr/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/nginx_p_mngr/0.png differ
diff --git a/nginx_p_mngr/1.png b/nginx_p_mngr/1.png
new file mode 100644
index 0000000..e7b30c9
Binary files /dev/null and b/nginx_p_mngr/1.png differ
diff --git a/nginx_p_mngr/10.png b/nginx_p_mngr/10.png
new file mode 100644
index 0000000..32ffb56
Binary files /dev/null and b/nginx_p_mngr/10.png differ
diff --git a/nginx_p_mngr/11.png b/nginx_p_mngr/11.png
new file mode 100644
index 0000000..d2ae59e
Binary files /dev/null and b/nginx_p_mngr/11.png differ
diff --git a/nginx_p_mngr/12.png b/nginx_p_mngr/12.png
new file mode 100644
index 0000000..746b475
Binary files /dev/null and b/nginx_p_mngr/12.png differ
diff --git a/nginx_p_mngr/13.png b/nginx_p_mngr/13.png
new file mode 100644
index 0000000..e7c7253
Binary files /dev/null and b/nginx_p_mngr/13.png differ
diff --git a/nginx_p_mngr/14.png b/nginx_p_mngr/14.png
new file mode 100644
index 0000000..1cba93a
Binary files /dev/null and b/nginx_p_mngr/14.png differ
diff --git a/nginx_p_mngr/15.png b/nginx_p_mngr/15.png
new file mode 100644
index 0000000..ed7a8ca
Binary files /dev/null and b/nginx_p_mngr/15.png differ
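Review bot: The two non-HTTP examples at the end of the hunk are not valid nginx configuration: `proxy_pass sqlbackend;` inside an `http` `server {}`/`location /` proxies HTTP requests, not a raw MySQL TCP connection, and `location` is not permitted in the `stream` context, so `nginx -t` will reject the NTP block. Both should live in a top-level `stream { … }` (not under sites-enabled, which Debian's default nginx.conf includes inside `http`), with the `location` wrapper removed so the server body is just `listen 3386; proxy_pass sqlbackend;` and `listen 123 udp; proxy_pass ntp;`; `stream` also needs the stream module, so check `nginx -V` for `--with-stream`. If 3386 was meant to be MySQL's default 3306, fix the port as well. A one-line caveat is worth adding that the balancer accepts plain HTTP on port 80 and forwards plain HTTP to both backends, so this layout belongs only on a trusted network or behind the HTTPS setup from the nginx article in this commit.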
diff --git a/nginx_p_mngr/2.png b/nginx_p_mngr/2.png
new file mode 100644
index 0000000..f9c2fcb
Binary files /dev/null and b/nginx_p_mngr/2.png differ
diff --git a/nginx_p_mngr/3.png b/nginx_p_mngr/3.png
new file mode 100644
index 0000000..ce7fcbc
Binary files /dev/null and b/nginx_p_mngr/3.png differ
diff --git a/nginx_p_mngr/4.png b/nginx_p_mngr/4.png
new file mode 100644
index 0000000..be82747
Binary files /dev/null and b/nginx_p_mngr/4.png differ
diff --git a/nginx_p_mngr/5.png b/nginx_p_mngr/5.png
new file mode 100644
index 0000000..145e9ef
Binary files /dev/null and b/nginx_p_mngr/5.png differ
diff --git a/nginx_p_mngr/6.png b/nginx_p_mngr/6.png
new file mode 100644
index 0000000..249933a
Binary files /dev/null and b/nginx_p_mngr/6.png differ
diff --git a/nginx_p_mngr/7.png b/nginx_p_mngr/7.png
new file mode 100644
index 0000000..2c26a98
Binary files /dev/null and b/nginx_p_mngr/7.png differ
diff --git a/nginx_p_mngr/8.png b/nginx_p_mngr/8.png
new file mode 100644
index 0000000..b92b6b5
Binary files /dev/null and b/nginx_p_mngr/8.png differ
diff --git a/nginx_p_mngr/9.png b/nginx_p_mngr/9.png
new file mode 100644
index 0000000..9b163b8
Binary files /dev/null and b/nginx_p_mngr/9.png differ
diff --git a/nginx_p_mngr/index.md b/nginx_p_mngr/index.md
new file mode 100644
index 0000000..2719f8f
--- /dev/null
+++ b/nginx_p_mngr/index.md
@@ -0,0 +1,177 @@ +# Nginx Proxy Manager (Docker) + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Docker Installation** + + + apt install curl -y + curl -fsSL https://get.docker.com -o get-docker.sh + sh get-docker.sh + apt install docker-compose -y + + +_or:_ + + + apt install docker.io docker-compose -y + + which docker && docker -v + + + +Next create nginxproxymanager (npm)'s directory and get the configuration files: + + + mkdir nproxy + cd nproxy + nano config.json + + + + + { + "database": { + "engine": "mysql", + "host":"db", + "name":"npm", + "user":"nothing", + "password":"P@SSW0RD!", + "port":3306 + } + } + + + +Hit ctrl+S to save and ctrl+X to exit nano, then create docker-compose.yml + + + nano docker-compose.yml + + + + + version: '3' + services: + app: + image: 'jc21/nginx-proxy-manager:latest' + ports: + - '80:80' + - '81:81' + - '443:443' + volumes: + - ./config.json:/app/config/production.json + - ./data:/data + - ./letsencrypt:/etc/letsencrypt + db: + image: 'jc21/mariadb-aria:10.4' + environment: + MYSQL_ROOT_PASSWORD: 'R00T_P@SSW0RD!' + MYSQL_DATABASE: 'npm' + MYSQL_USER: 'nothing' + MYSQL_PASSWORD: 'P@SSW0RD!' + volumes: + - ./data/mysql:/var/lib/mysql + + + + + docker-compose up -d + + + +Wait a bit for it to run: + +![](1.png) ![](2.png) + +Once it's done, run docker ps to see your running containers: + + + + root@debian-s-1vcpu-1gb-lon1-01:~/nproxy# docker ps + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + b9bcb6598f65 jc21/mariadb-aria:10.4 "/scripts/run.sh" 56 seconds ago Up 54 seconds 3306/tcp nproxy_db_1 + bf2a4c279e3c jc21/nginx-proxy-manager:latest "/init" 56 seconds ago Up 54 seconds (healthy) 0.0.0.0:80-81->80-81/tcp, 0.0.0.0:443->443/tcp nproxy_app_1 + + + +you can verify it is working by visiting your website (here it's http://ech4.duckdns.org/) + +![](3.png) + +And there you have it. 
Now from here go to the admin page on port 81 where you'll log in with the default credentials **admin@example.com:changeme** :
+
+![](4.png)
+
+Change the default admin credentials:
+
+![](5.png) ![](6.png)
+
+Then log out and back in again with your new credentials:
+
+![](7.png) ![](8.png)
+
+Next let's create a proxy host for this server, just to test if it's working.
+
+
+ ip addr show docker0 | grep inet
+ inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
+
+
+
+So we're going to make sure that manage.ech4.duckdns.org redirects to the server's INTERNAL ip address 172.17.0.1's port 81:
+
+![](14.png)
+
+Next head over to the SSL tab:
+
+![](10.png)
+
+Hit Save:
+
+![](11.png)
+
+Once that's done, you'll see that we have been able to:
+
+ 1. create a subdomain to our website
+
+ 2. enable SSL for that subdomain thanks to letsencrypt
+
+ 3. Create the subdomain https on port 443 regardless of the original port
+
+ 4. set it's access to public
+
+
+
+
+So let's test it:
+
+![](15.png)
+
+With this done, you realize now that you can use nginx proxy manager in order to bring together multiple web applications regardless of their ports (wether it is 8080 or 80 or 9090 or 443 etc) and enable them out publicly from a private ip subnet, to nproxy's public interface as a subdomain with SSL enabled thanks to letsencrypt.
+
+In other words, this is giving me ideas to run a proxmox server locally at home where i will be able to host my web applications in virtualised environments (wether it is on debian or windows or centos) and therefore being able to use nproxy to make them available publicly as a list of subdomains. This also works for external servers that are accessible through public ip addresses and/or through their respective domain names:
+
diff --git a/nitter/0.png b/nitter/0.png
new file mode 100644
index 0000000..c1cbdf3
Binary files /dev/null and b/nitter/0.png differ
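Review bot: The admin UI on port 81 stays bound to every interface — the `docker ps` output shows `0.0.0.0:80-81->80-81/tcp` — so after the hunk publishes it as `https://manage.ech4.duckdns.org` the same login page is still reachable over plain HTTP on the public IP's port 81, with the new admin credentials sent in clear. Since the proxy host targets the docker0 address 172.17.0.1, restrict the mapping to that address with `- '172.17.0.1:81:81'` in docker-compose.yml (assuming docker0 exists before compose starts, which it does when the daemon manages it) or firewall TCP/81 from outside, so port 81 is only reachable through the TLS subdomain. The database credentials `P@SSW0RD!` and `R00T_P@SSW0RD!` appear verbatim in both config.json and docker-compose.yml and will be copied as-is; add a sentence telling the reader to generate their own (e.g. `openssl rand -base64 24`) before `docker-compose up`, and keep those two files readable by root only. `sh get-docker.sh` likewise executes an unverified download as root; the `apt install docker.io docker-compose -y` alternative already shown is the safer path on Debian.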
diff --git a/nitter/1.png b/nitter/1.png
new file mode 100644
index 0000000..c8b404e
Binary files /dev/null and b/nitter/1.png differ
diff --git a/nitter/2.png b/nitter/2.png
new file mode 100644
index 0000000..0871e2f
Binary files /dev/null and b/nitter/2.png differ
diff --git a/nitter/index.md b/nitter/index.md
new file mode 100644
index 0000000..994d03c
--- /dev/null
+++ b/nitter/index.md
@@ -0,0 +1,345 @@ +# nitter Setup + +![](0.png) + +In this tutorial we're going to setup nitter, a privacy front end to browse twitter without all the trackers. + +## **Initial Setup** + +Clone the repository and start the docker-compose: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → apt install nim docker.io docker-compose libsass-dev libpcre3 + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv] + → git clone https://github.com/zedeus/nitter + Cloning into 'nitter'... + remote: Enumerating objects: 6639, done. + remote: Counting objects: 100% (163/163), done. + remote: Compressing objects: 100% (118/118), done. + remote: Total 6639 (delta 87), reused 97 (delta 45), pack-reused 6476 + Receiving objects: 100% (6639/6639), 5.26 MiB | 1.81 MiB/s, done. + Resolving deltas: 100% (4852/4852), done. + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv] + → cd nitter + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → docker build -t nitter:latest . + + Sending build context to Docker daemon 6.428MB + Step 1/18 : FROM nimlang/nim:1.6.10-alpine-regular as nim + 1.6.10-alpine-regular: Pulling from nimlang/nim + 213ec9aee27d: Pull complete + 071ba9e2da5d: Pull complete + 8c05e9a65d0e: Pull complete + + [...] + + Step 17/18 : USER nitter + ---> Running in b9cbc6b2d0f5 + Removing intermediate container b9cbc6b2d0f5 + ---> d887fd7e9c0f + Step 18/18 : CMD ./nitter + ---> Running in 0dca3c6f9ba3 + Removing intermediate container 0dca3c6f9ba3 + ---> 24ad9b89ab85 + Successfully built 24ad9b89ab85 + Successfully tagged nitter:latest + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → apt install nim + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → nimble build -d:release + Verifying dependencies for nitter@0.1.0 + Prompt: No local packages.json found, download it from internet? [y/N] + Answer: y + Downloading Official package list + Success Package list downloaded. 
+ Installing jester@#baca3f + Downloading https://github.com/dom96/jester using git + Verifying dependencies for jester@#baca3f + + [...] + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → nimble scss + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → nimble md + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → cp nitter.example.conf nitter.conf + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → cat nitter.conf + [Server] + hostname = "nitter.nowhere.moe" # for generating links, change this to your own domain/ip + title = "nitter" + address = "0.0.0.0" + port = 8080 + https = false # disable to enable cookies when not using https + httpMaxConnections = 100 + staticDir = "./public" + + [Cache] + listMinutes = 240 # how long to cache list info (not the tweets, so keep it high) + rssMinutes = 10 # how long to cache rss queries + redisHost = "nitter-redis" # Change to "nitter-redis" if using docker-compose + redisPort = 6379 + redisPassword = "" + redisConnections = 20 # minimum open connections in pool + redisMaxConnections = 30 + # new connections are opened when none are available, but if the pool size + # goes above this, they're closed when released. don't worry about this unless + # you receive tons of requests per second + + [Config] + hmacKey = "aoQu6le1IQueut8hei3U" # random key for cryptographic signing of video urls # use pwgen 20 1 to generate it + base64Media = false # use base64 encoding for proxied media urls + enableRSS = true # set this to false to disable RSS feeds + enableDebug = false # enable request logs and debug endpoints (/.tokens) + proxy = "" # http/https url, SOCKS proxies are not supported + proxyAuth = "" + tokenCount = 10 + # minimum amount of usable tokens. tokens are used to authorize API requests, + # but they expire after ~1 hour, and have a limit of 500 requests per endpoint. + # the limits reset every 15 minutes, and the pool is filled up so there's + # always at least `tokenCount` usable tokens. 
only increase this if you receive + # major bursts all the time and don't have a rate limiting setup via e.g. nginx + + # Change default preferences here, see src/prefs_impl.nim for a complete list + [Preferences] + theme = "Nitter" + replaceTwitter = "nitter.nowhere.moe" + replaceYouTube = "iv.nowhere.moe" + replaceReddit = "teddit.net" + proxyVideos = true + hlsPlayback = false + infiniteScroll = false + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → cat docker-compose.yml + version: "3" + + services: + + nitter: + image: zedeus/nitter:latest + container_name: nitter + ports: + - "127.0.0.1:8080:8080" # Replace with "8080:8080" if you don't use a reverse proxy + volumes: + - ./nitter.conf:/src/nitter.conf:Z,ro + depends_on: + - nitter-redis + restart: unless-stopped + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:8080/Jack/status/20 || exit 1 + interval: 30s + timeout: 5s + retries: 2 + user: "998:998" + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + + nitter-redis: + image: redis:6-alpine + container_name: nitter-redis + command: redis-server --save 60 1 --loglevel warning + volumes: + - nitter-redis:/data + restart: unless-stopped + healthcheck: + test: redis-cli ping + interval: 30s + timeout: 5s + retries: 2 + user: "999:1000" + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + + volumes: + nitter-redis: + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → docker-compose down + Stopping nitter ... done + Stopping nitter-redis ... done + Removing nitter ... done + Removing nitter-redis ... done + Removing network nitter_default + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → docker-compose up -d + Creating network "nitter_default" with the default driver + Creating nitter-redis ... done + Creating nitter ... 
done + + + +then you can check your service is up on port 8080: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → docker container ls + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 3582cdcf9687 zedeus/nitter:latest "/bin/sh -c ./nitter" 3 minutes ago Up 3 minutes (healthy) 127.0.0.1:8080->8080/tcp nitter + 1b9a40a33d83 redis:6-alpine "docker-entrypoint.s…" 3 minutes ago Up 3 minutes (healthy) 6379/tcp nitter-redis + + + +Then setup the reverse nginx proxy: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → vim /etc/nginx/sites-available/nitter.nowhere.moe.conf + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → cat /etc/nginx/sites-available/nitter.nowhere.moe.conf + server { + listen 443 ssl; + server_name nitter.nowhere.moe; + + ssl_certificate /etc/acme/certs/nitter.nowhere.moe/fullchain.cer; + ssl_certificate_key /etc/acme/certs/nitter.nowhere.moe/iv.nowhere.moe.key; + + + ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1; + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + # Security Headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob: video.twimg.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + add_header X-XSS-Protection "1; mode=block"; + + location / { + proxy_pass http://localhost:YOUR_NITTER_PORT; + } + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + } + + [ 
nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → bash + root@Datura /srv/nitter # systemctl stop nginx + + root@Datura /srv/nitter # acme.sh --issue --standalone -d nitter.nowhere.moe -k 4096 + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/nitter.nowhere.moe.conf /etc/nginx/sites-enabled + + root@Datura /srv/nitter # systemctl start nginx + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/nitter] + → systemctl status nginx + ● nginx.service - A high performance web server and a reverse proxy server + Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled) + Active: active (running) since Sat 2023-07-15 22:55:17 CEST; 7min ago + Docs: man:nginx(8) + Process: 168567 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Process: 168568 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Main PID: 168569 (nginx) + Tasks: 13 (limit: 77000) + Memory: 15.9M + CPU: 776ms + CGroup: /system.slice/nginx.service + ├─168569 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;" + ├─169429 "nginx: worker process" + ├─169430 "nginx: worker process" + ├─169431 "nginx: worker process" + ├─169432 "nginx: worker process" + ├─169433 "nginx: worker process" + ├─169434 "nginx: worker process" + ├─169435 "nginx: worker process" + ├─169436 "nginx: worker process" + ├─169437 "nginx: worker process" + ├─169438 "nginx: worker process" + ├─169439 "nginx: worker process" + └─169440 "nginx: worker process" + + Jul 15 22:55:17 Datura systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server... + Jul 15 22:55:17 Datura systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server. 
+ + + +Then test to see if your website renders fine: + +![](1.png) + +To have it available on tor you can use the following nginx config: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → cat nitter.nowhere.moe.conf + server { + listen 443 ssl; + server_name nitter.nowhere.moe; + + ssl_certificate /etc/acme/certs/nitter.nowhere.moe/nitter.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/nitter.nowhere.moe/nitter.nowhere.moe.key; + + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name nitter.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://nitter.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ######## + + + ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1; + ssl_prefer_server_ciphers on; + ssl_ciphers EECDH+AESGCM:EDH+AESGCM; + ssl_ecdh_curve secp384r1; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_stapling on; + ssl_stapling_verify on; + + # Security Headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob: video.twimg.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + add_header X-XSS-Protection "1; mode=block"; + + location / { + proxy_pass http://localhost:8080; + } + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + } + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → nginx -s reload + + + +![](2.png) + +And thats it! 
now last step is to contribute to the overall [list of instances](https://github.com/zedeus/nitter/wiki/Instances) by sending a request to get your instance listed publicly [here](https://github.com/zedeus/nitter/issues/947).
+
diff --git a/observium/1.png b/observium/1.png
new file mode 100644
index 0000000..3294920
Binary files /dev/null and b/observium/1.png differ
diff --git a/observium/10.png b/observium/10.png
new file mode 100644
index 0000000..6919a84
Binary files /dev/null and b/observium/10.png differ
diff --git a/observium/11.png b/observium/11.png
new file mode 100644
index 0000000..16adfb5
Binary files /dev/null and b/observium/11.png differ
diff --git a/observium/12.png b/observium/12.png
new file mode 100644
index 0000000..8f014bc
Binary files /dev/null and b/observium/12.png differ
diff --git a/observium/13.png b/observium/13.png
new file mode 100644
index 0000000..18bcc43
Binary files /dev/null and b/observium/13.png differ
diff --git a/observium/14.png b/observium/14.png
new file mode 100644
index 0000000..e764ae9
Binary files /dev/null and b/observium/14.png differ
diff --git a/observium/2.png b/observium/2.png
new file mode 100644
index 0000000..ba16dd3
Binary files /dev/null and b/observium/2.png differ
diff --git a/observium/3.png b/observium/3.png
new file mode 100644
index 0000000..0ad4d73
Binary files /dev/null and b/observium/3.png differ
diff --git a/observium/4.png b/observium/4.png
new file mode 100644
index 0000000..d061282
Binary files /dev/null and b/observium/4.png differ
diff --git a/observium/5.png b/observium/5.png
new file mode 100644
index 0000000..1ac97b4
Binary files /dev/null and b/observium/5.png differ
diff --git a/observium/6.png b/observium/6.png
new file mode 100644
index 0000000..5846fed
Binary files /dev/null and b/observium/6.png differ
diff --git a/observium/7.png b/observium/7.png
new file mode 100644
index 0000000..bb34219
Binary files /dev/null and b/observium/7.png differ
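Review bot: Both nginx configs in the hunk set `ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;`, re-enabling deprecated TLS 1.0/1.1 even though the cipher list and the nginx article in this commit aim for 1.3/1.2 only; change it to `ssl_protocols TLSv1.3 TLSv1.2;` in both blocks. The first config also pairs the nitter.nowhere.moe `fullchain.cer` with `ssl_certificate_key /etc/acme/certs/nitter.nowhere.moe/iv.nowhere.moe.key` and leaves `proxy_pass http://localhost:YOUR_NITTER_PORT;` unreplaced, so it will not load until it matches the corrected second config; better to show only the working one. The `hmacKey = "aoQu6le1IQueut8hei3U"` in nitter.conf is now public whether it is a placeholder or the instance's real key, and it signs the proxied video URLs, so the text should tell readers to generate their own (`pwgen 20 1`, as the inline comment says) and the instance owner should rotate it; the empty `redisPassword` is acceptable only because redis is not published outside the compose network, which deserves a one-line note. Also worth a comment: nginx inherits `add_header` only into locations that define none of their own, so the `location = /robots.txt` block, which sets its own `Content-Type`, silently drops the HSTS/CSP headers for that path — harmless for a text file, but the pattern should not be copied to a real location.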
diff --git a/observium/8.png b/observium/8.png
new file mode 100644
index 0000000..b970d0b
Binary files /dev/null and b/observium/8.png differ
diff --git a/observium/9.png b/observium/9.png
new file mode 100644
index 0000000..41f6fd7
Binary files /dev/null and b/observium/9.png differ
diff --git a/observium/index.md b/observium/index.md
new file mode 100644
index 0000000..33f6a5b
--- /dev/null
+++ b/observium/index.md
@@ -0,0 +1,228 @@ +# Observium Nginx Debian 10 + +![](../observium/logo.jpg) + +Before we start, you will need a Debian 10 VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + + + apt-get -y install apt-transport-https lsb-release ca-certificates curl gnupg -y + apt-get update -y + + apt-get -y install sudo nginx wget curl mariadb-server mariadb-client rrdtool whois fping imagemagick graphviz mtr-tiny nmap python-mysqldb snmp snmpd python-memcache mtr-tiny acl php php-pear php7.3-{cgi,common,curl,mbstring,gd,mysql,gettext,bcmath,imap,json,xml,snmp,fpm,zip} + + +Next we edit php.ini to add the timezone you want in here: + + + cd /etc/php/7.3/ + + echo 'date.timezone = Europe/Paris' >> fpm/php.ini + echo 'date.timezone = Europe/Paris' >> cli/php.ini + + service php7.3-fpm restart + systemctl enable nginx + + +## **Configuring mariadb, Nginx** + +so right now we'll configure mariadb + + + rm /etc/mysql/mariadb.cnf + wget https://blog.nowhere.moe/servers/observium/mariadb.cnf -O /etc/mysql/mariadb.cnf + sudo systemctl restart mysql + + mysql -u root -p + + create database observium; + grant all privileges on observium.* to observium@localhost IDENTIFIED by "P@SSW0RD"; + flush privileges; + quit + + +Then we will install observium itself: + + + sudo useradd -r -M -d /opt/observium observium + sudo usermod -a -G observium www-data + + cd /opt + wget http://www.observium.org/observium-community-latest.tar.gz + tar xvf observium-community-latest.tar.gz + rm observium-community-latest.tar.gz + + cp /opt/observium/config.php.default /opt/observium/config.php + nano /opt/observium/config.php + + + +Here you must edit the config like so: + +![](../observium/1.png) + +hit CTRL+S to save, and CTRL+X to exit nano, then do the following: + + + mkdir 
/opt/observium/{rrd,logs} + + chown -R observium:observium /opt/observium/ + chmod -R 775 /opt/observium/ + + cp /opt/observium/snmpd.conf.example /etc/snmp/snmpd.conf + nano /etc/snmp/snmpd.conf + + +Here make sure you edit the community string to whatever you want: + +![](../observium/2.png) + +You will need it to get informations on the device if you wish to monitor it, i set it to be ech3: + +![](../observium/3.png) + +hit CTRL+S to save, and CTRL+X to exit nano. Then add a line at the bottom like so: + + + echo 'com2sec readonly default ech3_ro' >> /etc/snmp/snmpd.conf + + +Obviously you can edit the ech3_ro string as you wish. + +Then we restart snmpd: + + + systemctl restart snmpd + + + +Next we're going to configure nginx with HTTPS, so first things first get yourself a domain name,or if you don't want to pay anything, go on [DuckDNS](https://www.duckdns.org/) for a free alternative: + +![](../observium/4.png) + +Once done you can verify it is working like so: + +![](../observium/5.png) + +The domain name points to the correct ip, so we can continue with acme.sh: + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + + + +Once acme.sh is installed, we generate the SSL Certificate: + + + systemctl stop nginx + acme.sh --issue --standalone -d ech3.duckdns.org -k 4096 + systemctl start nginx + + + +![](../observium/6.png) + +Once that's done and nginx is started again, we'll edit observium's nginx configuration: + + + wget https://blog.nowhere.moe/servers/observium/observium.conf -O /etc/nginx/sites-available/observium.conf + nano /etc/nginx/sites-available/observium.conf + + + +Back in nano, you need to make sure you edit the config file correctly so that your domain name is in there: + +![](../observium/7.png) + +Hit CTRL+S to save, CTRL+X to exit nano. 
+ + + ln -s /etc/nginx/sites-available/observium.conf /etc/nginx/sites-enabled/observium.conf + nginx -t + service nginx reload + + + +"nginx -t" should tell you that the configuration is correct, if it is not the case , go back to editing it in nano and follow the previous step if not reload the config with "nginx -s reload", once that's done, we move over to configuring observium: + +## **Adding Users + cronjobs** + + + cd /opt/observium/ + ./discovery.php -u + + + +![](../observium/8.png) + + + cd /opt/observium/ + ./adduser.php admin P@SSW0RD 10 + + + +Here you can add multiple users, 10 being the highest level of access: + +![](../observium/9.png) + +Before continuing let's setup observium's cronjobs: + + + root@deb10-e4:~# vim /etc/cron.d/observium + + + + + # Run a complete discovery of all devices once every 6 hours + 33 */6 * * * root /opt/observium/discovery.php -h all >> /dev/null 2>&1 + + # Run automated discovery of newly added devices every 5 minutes + */5 * * * * root /opt/observium/discovery.php -h new >> /dev/null 2>&1 + + # Run multithreaded poller wrapper every 5 minutes + */5 * * * * root /opt/observium/poller-wrapper.py >> /dev/null 2>&1 + + # Run housekeeping script daily for syslog, eventlog and alert log + 13 5 * * * root /opt/observium/housekeeping.php -ysel + + # Run housekeeping script daily for rrds, ports, orphaned entries in the database and performance data + 47 4 * * * root /opt/observium/housekeeping.php -yrptb + + + +:wq to save and quit out of vim, then reload crond: + + + + root@deb10-e4:~# systemctl restart cron + root@deb10-e4:~# systemctl status cron + ● cron.service - Regular background program processing daemon + Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-04-12 14:12:35 UTC; 3s ago + Docs: man:cron(8) + Main PID: 2688 (cron) + Tasks: 1 (limit: 7372) + Memory: 592.0K + CGroup: /system.slice/cron.service + └─2688 /usr/sbin/cron -f + + Apr 12 
14:12:35 deb10-e4 systemd[1]: Started Regular background program processing daemon. + Apr 12 14:12:35 deb10-e4 cron[2688]: (CRON) INFO (pidfile fd = 3) + Apr 12 14:12:35 deb10-e4 cron[2688]: (CRON) INFO (Skipping @reboot jobs -- not system startup) + + + +## **** + +Then just head over to your web browser to start the installer: + +![](../observium/12.png) + +Then you can add a device via snmp: + +![](../observium/13.png) + +And there you have it! + +![](../observium/14.png) + diff --git a/observium/logo.jpg b/observium/logo.jpg new file mode 100644 index 0000000..93f35c2 Binary files /dev/null and b/observium/logo.jpg differ diff --git a/openvpn/001.png b/openvpn/001.png new file mode 100644 index 0000000..994337b Binary files /dev/null and b/openvpn/001.png differ diff --git a/openvpn/002.png b/openvpn/002.png new file mode 100644 index 0000000..af72c8a Binary files /dev/null and b/openvpn/002.png differ diff --git a/openvpn/index.md b/openvpn/index.md new file mode 100644 index 0000000..6417876 --- /dev/null +++ b/openvpn/index.md 
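Review bot: The Observium tarball is downloaded over plain HTTP (`wget http://www.observium.org/observium-community-latest.tar.gz`), unpacked into /opt and then executed by root from the cron entries, with no checksum or signature check, so an on-path attacker can swap the archive; `rm /etc/mysql/mariadb.cnf` followed by `wget https://blog.nowhere.moe/servers/observium/mariadb.cnf -O /etc/mysql/mariadb.cnf` and `wget -O - https://get.acme.sh | sh` have the same shape of blindly trusting a remote file. I would fetch the tarball over HTTPS where the mirror offers it, tell the reader to compare it against a checksum published by the project if one is available, and download `get.acme.sh` to a file to read before running it instead of piping it into `sh`. Separately, `chmod -R 775 /opt/observium/` together with `usermod -a -G observium www-data` makes the entire tree, including `config.php` (which normally holds the database credentials), writable by the web-server user; only the `rrd` and `logs` directories created just before need group write, so `chmod -R 755 /opt/observium && chmod -R 775 /opt/observium/{rrd,logs}` is the tighter form. The snmpd line `com2sec readonly default ech3_ro` also accepts that community string from any source address; replacing `default` with the monitoring host's address limits who can read SNMP data from the box.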
@@ -0,0 +1,286 @@ +# VPS-Hosted OpenVPN server: + +![](../openvpn/logo.png) + +You may want a VPS hosted vpn server in case you wish to conduct activities through a trusted vpn server. (which gives you the power over the logs). + +![](../openvpn/openvpn.png) + +With this solution, you can terminate the server itself if you want after you're done. + + + -DigitalOcean + -Droplet (Debian 10) + -Plan: Basic ($5/mo) + -Location (a region that isn't where you live) + -ssh keys or password + + +Once the droplet is created just log into it: + + + + [ 192.168.122.1/24 ] [ /dev/pts/13 ] [~] + → ssh root@164.90.155.222 + The authenticity of host '164.90.155.222 (164.90.155.222)' can't be established. + ECDSA key fingerprint is SHA256:m829SX8NOlOUnlm2fzokZJ5XMT6gxJoyNceCYOB8gms. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added '164.90.155.222' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-sfo3-01 4.19.0-8-cloud-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-s-1vcpu-1gb-sfo3-01:~# + + +## **Angristan's Script:** + +Angristan made a very powerful script that allows us to run our own vps hosted vpn server very easily, check him out [here](https://github.com/angristan): + + + wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh + chmod +x openvpn-install.sh + ./openvpn-install.sh + + + +for starters just hit enter at everything, if you know what you're doing feel free to change options during the installation. 
+ +for advanced users, i recommend trying out the openvpn on the 443 custom port to circumvent censorship in traffic restricted environments: + + + root@Temple:~# ./openvpn-install.sh + Welcome to the OpenVPN installer! + The git repository is available at: https://github.com/angristan/openvpn-install + + I need to ask you a few questions before starting the setup. + You can leave the default options and just press enter if you are ok with them. + + I need to know the IPv4 address of the network interface you want OpenVPN listening to. + Unless your server is behind NAT, it should be your public IPv4 address. + IP address: 78.141.239.68 + + Checking for IPv6 connectivity... + + Your host does not appear to have IPv6 connectivity. + + Do you want to enable IPv6 support (NAT)? [y/n]: y + + What port do you want OpenVPN to listen to? + 1) Default: 1194 + 2) Custom + 3) Random [49152-65535] + Port choice [1-3]: 2 + Custom port [1-65535]: 443 + + What protocol do you want OpenVPN to use? + UDP is faster. Unless it is not available, you shouldn't use TCP. + 1) UDP + 2) TCP + Protocol [1-2]: 12 + Protocol [1-2]: 2 + + What DNS resolvers do you want to use with the VPN? + 1) Current system resolvers (from /etc/resolv.conf) + 2) Self-hosted DNS Resolver (Unbound) + 3) Cloudflare (Anycast: worldwide) + 4) Quad9 (Anycast: worldwide) + 5) Quad9 uncensored (Anycast: worldwide) + 6) FDN (France) + 7) DNS.WATCH (Germany) + 8) OpenDNS (Anycast: worldwide) + 9) Google (Anycast: worldwide) + 10) Yandex Basic (Russia) + 11) AdGuard DNS (Anycast: worldwide) + 12) NextDNS (Anycast: worldwide) + 13) Custom + DNS [1-12]: 11 + + Do you want to use compression? It is not recommended since the VORACLE attack make use of it. + Enable compression? [y/n]: n + + Do you want to customize encryption settings? + Unless you know what you're doing, you should stick with the default parameters provided by the script. + Note that whatever you choose, all the choices presented in the script are safe. 
(Unlike OpenVPN's defaults) + See https://github.com/angristan/openvpn-install#security-and-encryption to learn more. + + Customize encryption settings? [y/n]: n + + Okay, that was all I needed. We are ready to setup your OpenVPN server now. + + [...] + + + Tell me a name for the client. + Use one word only, no special characters. + Client name: nothing + + Do you want to protect the configuration file with a password? + (e.g. encrypt the private key with a password) + 1) Add a passwordless client + 2) Use a password for the client + Select an option [1-2]: 2 + ⚠️ You will be asked for the client password below ⚠️ + + Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars + Using SSL: openssl OpenSSL 1.1.1j 16 Feb 2021 + Generating an EC private key + writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc' + Enter PEM pass phrase: + Verifying - Enter PEM pass phrase: + ----- + Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr + Check that the request matches the signature + Signature ok + The Subject's Distinguished Name is as follows + commonName :ASN.1 12:'nothing' + Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days) + + Write out database with 1 new entries + Data Base Updated + + Client nothing added. + + The configuration file has been written to /root/nothing.ovpn. + Download the .ovpn file and import it in your OpenVPN client. 
+ + +you can even hide that it's a openvpn server on 443 tcp by using the port-sharing feature: + + + [ nowhere.moe ] [ /dev/pts/8 ] [/etc/openvpn] + → cat /etc/openvpn/server.conf | grep 443 + port-share 127.0.0.1 443 + + + +IF YOU'RE ON ARCH LINUX DONT FORGET TO DO THIS (as instructed [here](https://github.com/angristan/openvpn-install/issues/788)): + + + sudo chown -R openvpn.network /var/log/openvpn /etc/openvpn/ + + systemctl restart openvpn-server@server.service + + + +## **Getting the .ovpn file:** + +To get the ovpn file just use python's simplehttpserver module + + + root@debian-s-1vcpu-1gb-sfo3-01:~# ls -lash | grep ovpn + 4.0K -rw-r--r-- 1 root root 2.7K Aug 12 15:41 nothing.ovpn + root@debian-s-1vcpu-1gb-sfo3-01:~# python -m SimpleHTTPServer 9099 + Serving HTTP on 0.0.0.0 port 9099 ... + + + +then just download it to your local machine: + + + [ 192.168.122.1/24 ] [ /dev/pts/7 ] [~] + → wget http://164.90.155.222:9099/nothing.ovpn + --2020-08-12 18:43:48-- http://164.90.155.222:9099/nothing.ovpn + Connecting to 164.90.155.222:9099... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 2764 (2.7K) [application/octet-stream] + Saving to: ‘nothing.ovpn’ + + nothing.ovpn 100%[=====================================>] 2.70K --.-KB/s in 0s + + 2020-08-12 18:43:48 (52.1 MB/s) - ‘nothing.ovpn’ saved [2764/2764] + + + [ 192.168.122.1/24 ] [ /dev/pts/7 ] [~] + → ls -lash | grep ovpn + 12K -rw-r--r-- 1 nothing nothing 9.3K Aug 3 12:18 nihilist777.ovpn + 4.0K -rw-r--r-- 1 nothing nothing 2.7K Aug 12 16:41 nothing.ovpn + + +And that's it, you may now use the .ovpn file with whatever client you wish for example openvpn or your distro's built in vpn utility: + +![](../openvpn/001.png) + + + [ 10.99.99.1/24 ] [ /dev/pts/22 ] [~] + → sudo openvpn nothing.ovpn + [sudo] password for nothing: + 2022-01-09 16:52:42 Unrecognized option or missing or extra parameter(s) in nothing.ovpn:18: block-outside-dns (2.5.5) + 2022-01-09 16:52:42 OpenVPN 2.5.5 [git:makepkg/869f194c23ae93c4+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Dec 15 2021 + 2022-01-09 16:52:42 library versions: OpenSSL 1.1.1m 14 Dec 2021, LZO 2.10 + 🔐 Enter Private Key Password: ********* + + + +Now if you want the openvpn service to start at bootup, do the following: + + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → sudo vim /etc/systemd/system/vpn.service + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → cat /etc/systemd/system/vpn.service + [Unit] + Description=VPN + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/usr/sbin/openvpn /home/nothing/nothing0mainpc.ovpn + ExecStop=kill -9 $(pidof openvpn) + Restart=always + + [Install] + WantedBy=multi-user.target + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → systemctl daemon-reload + ==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ==== + Authentication is required to reload the systemd state. 
+ Authenticating as: nothing + Password: + ==== AUTHENTICATION COMPLETE ==== + + + + +And then from there you can start and stop your vpn like so: + + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → sudo systemctl start vpn + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → sudo systemctl stop vpn + + + +And to enable it at each system bootup: + + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → sudo systemctl enable vpn + Created symlink /etc/systemd/system/multi-user.target.wants/vpn.service → /etc/systemd/system/vpn.service. + + + +To avoid your vpn config from routing all traffic to the server, just add this line in the .ovpn file: + + + pull-filter ignore redirect-gateway + + + +## **Check that the ip is different:** + +You can check it on [ipleak.net](https://ipleak.net/): + +![](../openvpn/002.png) + +And that's it! you now have your own self hosted vpn server. + diff --git a/openvpn/logo.png b/openvpn/logo.png new file mode 100644 index 0000000..2a283ff Binary files /dev/null and b/openvpn/logo.png differ diff --git a/openvpn/openvpn.png b/openvpn/openvpn.png new file mode 100644 index 0000000..cac46b8 Binary files /dev/null and b/openvpn/openvpn.png differ diff --git a/ovpn_tor/0.png b/ovpn_tor/0.png new file mode 100644 index 0000000..e12c91d Binary files /dev/null and b/ovpn_tor/0.png differ diff --git a/ovpn_tor/1.png b/ovpn_tor/1.png new file mode 100644 index 0000000..9a1c039 Binary files /dev/null and b/ovpn_tor/1.png differ diff --git a/ovpn_tor/10.png b/ovpn_tor/10.png new file mode 100644 index 0000000..edb597f Binary files /dev/null and b/ovpn_tor/10.png differ diff --git a/ovpn_tor/11.png b/ovpn_tor/11.png new file mode 100644 index 0000000..6d2e42d Binary files /dev/null and b/ovpn_tor/11.png differ diff --git a/ovpn_tor/12.png b/ovpn_tor/12.png new file mode 100644 index 0000000..ce02759 Binary files /dev/null and b/ovpn_tor/12.png differ 
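Review bot: The `.ovpn` file, which the installer says carries the client's (passphrase-protected) private key, is published with `python -m SimpleHTTPServer 9099` bound to `0.0.0.0` and fetched with plain `wget http://164.90.155.222:9099/nothing.ovpn`, so for as long as that server runs anyone who reaches port 9099 can download the VPN credential and the transfer itself is unencrypted and unauthenticated; since SSH to the droplet already works, the file should be pulled over it instead, `scp root@164.90.155.222:nothing.ovpn .`, and then protected locally with `chmod 600 nothing.ovpn` (the `ls -lash` output shows it as world-readable `-rw-r--r--`). The installer is also fetched from a personal fork (`raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh`) rather than the Angristan repository the text credits, and run as root without being read or checksummed; the tutorial should say why the fork is used and tell the reader to read or diff the script against upstream before executing it. Finally, in the `vpn.service` unit the line `ExecStop=kill -9 $(pidof openvpn)` will not work as written because systemd does not pass ExecStop through a shell, and SIGKILL prevents OpenVPN from restoring routes and DNS on shutdown; dropping that line and relying on systemd's default SIGTERM is enough.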
diff --git a/ovpn_tor/13.png b/ovpn_tor/13.png
new file mode 100644
index 0000000..47b59aa
Binary files /dev/null and b/ovpn_tor/13.png differ
diff --git a/ovpn_tor/14.png b/ovpn_tor/14.png
new file mode 100644
index 0000000..8621cde
Binary files /dev/null and b/ovpn_tor/14.png differ
diff --git a/ovpn_tor/15.png b/ovpn_tor/15.png
new file mode 100644
index 0000000..4ed2375
Binary files /dev/null and b/ovpn_tor/15.png differ
diff --git a/ovpn_tor/16.png b/ovpn_tor/16.png
new file mode 100644
index 0000000..02e430e
Binary files /dev/null and b/ovpn_tor/16.png differ
diff --git a/ovpn_tor/17.png b/ovpn_tor/17.png
new file mode 100644
index 0000000..ef011c7
Binary files /dev/null and b/ovpn_tor/17.png differ
diff --git a/ovpn_tor/18.png b/ovpn_tor/18.png
new file mode 100644
index 0000000..176f354
Binary files /dev/null and b/ovpn_tor/18.png differ
diff --git a/ovpn_tor/19.png b/ovpn_tor/19.png
new file mode 100644
index 0000000..e308878
Binary files /dev/null and b/ovpn_tor/19.png differ
diff --git a/ovpn_tor/2.png b/ovpn_tor/2.png
new file mode 100644
index 0000000..7e1d94
Binary files /dev/null and b/ovpn_tor/2.png differ
diff --git a/ovpn_tor/20.png b/ovpn_tor/20.png
new file mode 100644
index 0000000..f52d081
Binary files /dev/null and b/ovpn_tor/20.png differ
diff --git a/ovpn_tor/21.png b/ovpn_tor/21.png
new file mode 100644
index 0000000..7d1c80d
Binary files /dev/null and b/ovpn_tor/21.png differ
diff --git a/ovpn_tor/3.png b/ovpn_tor/3.png
new file mode 100644
index 0000000..8de1f94
Binary files /dev/null and b/ovpn_tor/3.png differ
diff --git a/ovpn_tor/4.png b/ovpn_tor/4.png
new file mode 100644
index 0000000..71e9c8a
Binary files /dev/null and b/ovpn_tor/4.png differ
diff --git a/ovpn_tor/5.png b/ovpn_tor/5.png
new file mode 100644
index 0000000..7009dcb
Binary files /dev/null and b/ovpn_tor/5.png differ
diff --git a/ovpn_tor/6.png b/ovpn_tor/6.png
new file mode 100644
index 0000000..b7e5f5e
Binary files /dev/null and b/ovpn_tor/6.png differ
diff --git a/ovpn_tor/7.png b/ovpn_tor/7.png
new file mode 100644
index 0000000..e41a95e
Binary files /dev/null and b/ovpn_tor/7.png differ
diff --git a/ovpn_tor/8.png b/ovpn_tor/8.png
new file mode 100644
index 0000000..323af18
Binary files /dev/null and b/ovpn_tor/8.png differ
diff --git a/ovpn_tor/9.png b/ovpn_tor/9.png
new file mode 100644
index 0000000..b6ae0d5
Binary files /dev/null and b/ovpn_tor/9.png differ
diff --git a/ovpn_tor/index.md b/ovpn_tor/index.md
new file mode 100644
index 0000000..4b2dcdf
--- /dev/null
+++ b/ovpn_tor/index.md
@@ -0,0 +1,672 @@ +# VPN-over-TOR + +![](0.png) + +In this tutorial we're going to look at how to make a VPN-over-Tor setup. Why ? because tor exit nodes are publicly listed, it is easy for popular websites to blacklist them, and besides, tor does not support UDP. Meaning that with such a setup, you would be able to access popular websites, and send and recieve UDP traffic **while still being untraceable**. Now if you want to do that, you need to use **a non-kyc VPS hosting provider**. Because if you do anything out of the ordinary, authorities will know your VPS' public IP, and of course the VPS provider will comply with the law to be able to keep running his own business. So you must access the VPS provider only through TOR, and purchase the VPS only with monero and access the VPS you bought via SSH only through tor aswell. The VPS provider will not be able to provide what he does not know to the authorities. Meaning, with such a setup, the user's privacy is guaranteed. + +## **Initial Setup** + +Let's first setup our local bridge node following this [tutorial](https://blog.nowhere.moe/servers/tor/bridge/index.md): + +Port forward it accordingly: + +![](1.png) + +Then we setup our /etc/tor/torrc to use the aforementionned bridge using the local IP: + + + [ 10.8.0.3/24 ] [ /dev/pts/42 ] [Github/blog/servers] + → cat /etc/tor/torrc + UseBridges 1 + ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy + Bridge obfs4 10.0.0.195:8042 2E73653A148DFFF3CA28D53F0C366936FE554335 cert=znEl9kidNa4TgqiasENSDvxLPDVMOvdIPcVhqwMR27iVUoMn+MtjoxmcpikFpsYAbtSpMw iat-mode=0 + DataDirectory /var/lib/tor + TransPort 9040 + SocksPort 9050 + DNSPort 53 + User tor + + [ 10.8.0.3/24 ] [ /dev/pts/42 ] [Github/blog/servers] + → sudo systemctl restart tor + + [ 10.8.0.3/24 ] [ /dev/pts/42 ] [Github/blog/servers] + → systemctl status tor + ● tor.service - Anonymizing overlay network for TCP + Loaded: loaded (/usr/lib/systemd/system/tor.service; disabled; vendor preset: disabled) + Active: 
active (running) since Sun 2022-05-08 10:57:41 CEST; 1min 0s ago + Process: 1003370 ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config (code=exited, status=0/SUCCESS) + Main PID: 1003371 (tor) + Tasks: 17 (limit: 38362) + Memory: 34.3M + CPU: 1.424s + CGroup: /system.slice/tor.service + ├─ 1003371 /usr/bin/tor -f /etc/tor/torrc + └─ 1003372 /usr/bin/obfs4proxy + + May 08 10:57:43 nowhere tor[1003371]: May 08 10:57:43.000 [warn] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 10.0.0.195:8042 ID=qEfL9Hs/zItO6W47UpNZLFgifzV8CYepEdmgFAO5Bq8 RSA_ID=2E73653A148DFFF3CA28D53F0C366936FE554335 ("general SOCKS server failure") + May 08 10:57:45 nowhere tor[1003371]: May 08 10:57:45.000 [warn] Proxy Client: unable to connect OR connection (handshaking (proxy)) with 10.0.0.195:8042 ID=qEfL9Hs/zItO6W47UpNZLFgifzV8CYepEdmgFAO5Bq8 RSA_ID=2E73653A148DFFF3CA28D53F0C366936FE554335 ("general SOCKS server failure") + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Application request when we haven't received a consensus with exits. Optimistically trying known bridges again. 
+ May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit + May 08 10:57:46 nowhere tor[1003371]: May 08 10:57:46.000 [notice] Bootstrapped 100% (done): Done + + + +Then we setup our tor webbrowser to also use the same bridge: + +![](2.png) + +Once that's done we go and buy ourselves a VPS from a [non-KYC VPS provider](https://kycnot.me/services?type=HOSTING): + +![](3.png) + +For this example i will go with [PacketPoint.ca](https://packetpoint.ca/checkout/customize/CA1): + +For this we need an email address, i will use protonmail for this purpose for now. **And of course you must only use the tor browser to acccess protonmail**. + +![](4.png) + +Do not use a recovery mail, unless if you followed the same process for the mail signup meaning you **only** used tor to access it. 
+ +![](5.png) + +Then select the free plan, and if protonmail asks you to verify if you are human (don't be fooled, it is to make sure they have your public IP or a way to redirect the authorities somewhere in case they see misuse of your protonmail mailbox) make sure you use a disposable mail service to verify your mail: + +![](6.png) ![](9.png) ![](10.png) ![](11.png) + +Then we create our VPS account and buy our VPS using **monero** : + +![](12.png) ![](13.png) + +Make sure to send exactly the requested amount otherwise you would need to refund and redo the payment. + +![](14.png) + +Now from here you will need to wait a bit (approximately 30 minutes-1hour) for your monero transaction to be validated by the network: + +![](15.png) ![](16.png) ![](17.png) ![](18.png) + +To setup SSH initially we use a private SSH key: + + + [ 10.8.0.3/24 ] [ /dev/pts/58 ] [~/.ssh] + → ssh-keygen -t ed25519 + Generating public/private ed25519 key pair. + Enter file in which to save the key (/home/nothing/.ssh/id_ed25519): torified + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in torified + Your public key has been saved in torified.pub + The key fingerprint is: + [...] + + [ 10.8.0.3/24 ] [ /dev/pts/58 ] [~/.ssh] + → chmod 600 torified + + [ 10.8.0.3/24 ] [ /dev/pts/58 ] [~/.ssh] + → cat torified.pub + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJCG8bJGybha6i7SmqhJUVsy+MilMgmtyzB/c8t+eYVS nothing@nowhere + + [ 10.8.0.3/24 ] [ /dev/pts/58 ] [~/.ssh] + → cat config + Host torVPS + Hostname x.x.x.x + IdentityFile ~/.ssh/torified + User root + + +Then we can use that public SSH key to add on the dashboard: + +![](20.png) ![](21.png) + + + [ 10.8.0.3/24 ] [ /dev/pts/42 ] [Github/blog/servers] + → torify ssh torVPS + The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established. + RSA key fingerprint is SHA256:UpDqKwtGBaFurplluD2Fo1tj66NYQOtLXXLLxGtm1Ac. 
+ This key is not known by any other names + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'x.x.x.x' (RSA) to the list of known hosts. + Enter passphrase for key '/home/nothing/.ssh/torified': + Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-29-generic x86_64) + + * Documentation: https://help.ubuntu.com + * Management: https://landscape.canonical.com + * Support: https://ubuntu.com/advantage + + System information as of Sun 08 May 2022 12:04:48 PM CEST + + System load: 0.53 Processes: 91 + Usage of /: 10.5% of 18.64GB Users logged in: 0 + Memory usage: 12% IPv4 address for eth0: x.x.x.x + Swap usage: 0% + + * Ubuntu 20.04 LTS is out, raising the bar on performance, security, + and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as + AWS, Azure and Google Cloud. + + https://ubuntu.com/blog/ubuntu-20-04-lts-arrives + + + 0 updates can be installed immediately. + 0 of these updates are security updates. + + + The list of available updates is more than a week old. + To check for new updates run: sudo apt update + + root@VM1F3213FF0A24DE83:~# w + 12:04:53 up 1 min, 1 user, load average: 0.53, 0.26, 0.10 + USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT + root pts/0 81.17.18.59 12:04 4.00s 0.01s 0.00s w + + + +And there you go! We managed to connect via SSH via TOR (the ip 81...59 is a TOR exit node) to the VPS. Now let's setup our OpenVPN tcp/443 server like we did on this [tutorial](../openvpn/index.md): + + + root@VM1F3213FF0A24DE83:~# wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh + --2022-05-08 12:07:15-- https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 40045 (39K) [text/plain] + Saving to: ‘openvpn-install.sh’ + + openvpn-install.sh 100%[===========================================================================================>] 39.11K --.-KB/s in 0.001s + + 2022-05-08 12:07:15 (42.7 MB/s) - ‘openvpn-install.sh’ saved [40045/40045] + + root@VM1F3213FF0A24DE83:~# chmod +x openvpn-install.sh + root@VM1F3213FF0A24DE83:~# ./openvpn-install.sh + Welcome to the OpenVPN installer! + The git repository is available at: https://github.com/angristan/openvpn-install + + I need to ask you a few questions before starting the setup. + You can leave the default options and just press enter if you are ok with them. + + I need to know the IPv4 address of the network interface you want OpenVPN listening to. + Unless your server is behind NAT, it should be your public IPv4 address. + IP address: x.x.x.x + + Checking for IPv6 connectivity... + + Your host does not appear to have IPv6 connectivity. + + Do you want to enable IPv6 support (NAT)? [y/n]: n + + What port do you want OpenVPN to listen to? + 1) Default: 1194 + 2) Custom + 3) Random [49152-65535] + Port choice [1-3]: 2 + Custom port [1-65535]: 443 + + What protocol do you want OpenVPN to use? + UDP is faster. Unless it is not available, you shouldn't use TCP. + 1) UDP + 2) TCP + Protocol [1-2]: 2 + + What DNS resolvers do you want to use with the VPN? + 1) Current system resolvers (from /etc/resolv.conf) + 2) Self-hosted DNS Resolver (Unbound) + 3) Cloudflare (Anycast: worldwide) + 4) Quad9 (Anycast: worldwide) + 5) Quad9 uncensored (Anycast: worldwide) + 6) FDN (France) + 7) DNS.WATCH (Germany) + 8) OpenDNS (Anycast: worldwide) + 9) Google (Anycast: worldwide) + 10) Yandex Basic (Russia) + 11) AdGuard DNS (Anycast: worldwide) + 12) NextDNS (Anycast: worldwide) + 13) Custom + DNS [1-12]: 11 + + Do you want to use compression? It is not recommended since the VORACLE attack make use of it. + Enable compression? 
[y/n]: n + + Do you want to customize encryption settings? + Unless you know what you're doing, you should stick with the default parameters provided by the script. + Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults) + See https://github.com/angristan/openvpn-install#security-and-encryption to learn more. + + Customize encryption settings? [y/n]: n + + Okay, that was all I needed. We are ready to setup your OpenVPN server now. + You will be able to generate a client at the end of the installation. + Press any key to continue... + + + +Then we create the an ovpn user: + + + Tell me a name for the client. + Use one word only, no special characters. + Client name: noone + + Do you want to protect the configuration file with a password? + (e.g. encrypt the private key with a password) + 1) Add a passwordless client + 2) Use a password for the client + Select an option [1-2]: 2 + ⚠️ You will be asked for the client password below ⚠️ + + Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars + Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020 + Generating an EC private key + writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-8284.jYDpoc/tmp.oLwyqg' + Enter PEM pass phrase: + Verifying - Enter PEM pass phrase: + ----- + Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-8284.jYDpoc/tmp.wL7bls + Check that the request matches the signature + Signature ok + The Subject's Distinguished Name is as follows + commonName :ASN.1 12:'noone' + Certificate is to be certified until Aug 10 10:10:31 2024 GMT (825 days) + + Write out database with 1 new entries + Data Base Updated + + Client noone added. + + The configuration file has been written to /root/noone.ovpn. + Download the .ovpn file and import it in your OpenVPN client. 
+ root@VM1F3213FF0A24DE83:~# cat noone.ovpn + client + proto tcp-client + remote x.x.x.x 443 + dev tun + resolv-retry infinite + nobind + persist-key + persist-tun + remote-cert-tls server + verify-x509-name server_iBvk2Oez3oCaOewm name + auth SHA256 + auth-nocache + cipher AES-128-GCM + tls-client + tls-version-min 1.2 + tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 + ignore-unknown-option block-outside-dns + setenv opt block-outside-dns # Prevent Windows 10 DNS leak + verb 3 + + [...] + + + +IF YOU'RE ON ARCH LINUX DONT FORGET TO DO THIS (as instructed [here](https://github.com/angristan/openvpn-install/issues/788)): + + + sudo chown -R openvpn.network /var/log/openvpn /etc/openvpn/ + + systemctl restart openvpn-server@server.service + + + + + + +Then we create the user 'noone' and then retrieve the noone.ovpn file + +Then we add the following socks-proxy settings, along with the routing gateway openvpn setting to use our tor bridge node: + + + [ 10.8.0.3/24 ] [ /dev/pts/55 ] [~] + → vim noone.ovpn + + [ 10.0.0.10/16 ] [ /dev/pts/52 ] [~] + → cat noone.ovpn + client + proto tcp-client + remote x.x.x.x 443 + dev tun + resolv-retry infinite + nobind + persist-key + persist-tun + remote-cert-tls server + verify-x509-name server_iBvk2Oez3oCaOewm name + auth SHA256 + auth-nocache + cipher AES-128-GCM + tls-client + tls-version-min 1.2 + tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 + ignore-unknown-option block-outside-dns + setenv opt block-outside-dns # Prevent Windows 10 DNS leak + verb 3 + + ### TOR SETTINGS ### + socks-proxy 127.0.0.1 9050 + #################### + + + + [...] 
+
+
+
+And from there we launch our openvpn client:
+
+
+ [ 10.8.0.3/24 ] [ /dev/pts/55 ] [~]
+ → sudo openvpn noone.ovpn
+ 2022-05-08 12:21:32 Unrecognized option or missing or extra parameter(s) in noone.ovpn:18: block-outside-dns (2.5.6)
+ 2022-05-08 12:21:32 DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: In OpenVPN 2.4 proxy connection retries are handled like regular connections. Use connect-retry-max 1 to get a similar behavior as before.
+ 2022-05-08 12:21:32 OpenVPN 2.5.6 [git:makepkg/e8df2e64d6f817e6+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
+ 2022-05-08 12:21:32 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
+ 🔐 Enter Private Key Password: ******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
+ 2022-05-08 12:21:34 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
+ 2022-05-08 12:21:34 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
+ 2022-05-08 12:21:34 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
+ 2022-05-08 12:21:34 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
+ 2022-05-08 12:21:34 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:9050
+ 2022-05-08 12:21:34 Socket Buffers: R=[131072->131072] S=[16384->16384]
+ 2022-05-08 12:21:34 Attempting to establish TCP connection with [AF_INET]127.0.0.1:9050 [nonblock]
+ 2022-05-08 12:21:34 TCP connection established with [AF_INET]127.0.0.1:9050
+ 2022-05-08 12:21:34 TCP_CLIENT link local: (not bound)
+ 2022-05-08 12:21:34 TCP_CLIENT link remote: [AF_INET]127.0.0.1:9050
+ 2022-05-08 12:21:34 TLS: Initial packet from [AF_INET]127.0.0.1:9050, sid=26ee6e4f 194dec0f
+ 2022-05-08 12:21:34 VERIFY OK: depth=1, CN=cn_7jughGI6Ccy2QiVF
+ 2022-05-08 12:21:34 VERIFY KU OK
+ 2022-05-08 12:21:34 Validating certificate extended key usage
+ 2022-05-08 12:21:34 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
+ 2022-05-08 12:21:34 VERIFY EKU OK
+ 2022-05-08 12:21:34 VERIFY X509NAME OK: CN=server_iBvk2Oez3oCaOewm
+ 2022-05-08 12:21:34 VERIFY OK: depth=0, CN=server_iBvk2Oez3oCaOewm
+ 2022-05-08 12:21:35 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
+ 2022-05-08 12:21:35 [server_iBvk2Oez3oCaOewm] Peer Connection Initiated with [AF_INET]127.0.0.1:9050
+ 2022-05-08 12:21:36 SENT CONTROL [server_iBvk2Oez3oCaOewm]: 'PUSH_REQUEST' (status=1)
+ 2022-05-08 12:21:36 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 176.103.130.130,dhcp-option DNS 176.103.130.131,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
+ 2022-05-08 12:21:36 OPTIONS IMPORT: timers and/or timeouts modified
+ 2022-05-08 12:21:36 OPTIONS IMPORT: --ifconfig/up options modified
+ 2022-05-08 12:21:36 OPTIONS IMPORT: route options modified
+ 2022-05-08 12:21:36 OPTIONS IMPORT: route-related options modified
+ 2022-05-08 12:21:36 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
+ 2022-05-08 12:21:36 OPTIONS IMPORT: peer-id set
+ 2022-05-08 12:21:36 OPTIONS IMPORT: adjusting link_mtu to 1626
+ 2022-05-08 12:21:36 OPTIONS IMPORT: data channel crypto options modified
+ 2022-05-08 12:21:36 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
+ 2022-05-08 12:21:36 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
+ 2022-05-08 12:21:36 net_route_v4_best_gw query: dst 0.0.0.0
+ 2022-05-08 12:21:36 net_route_v4_best_gw result: via 10.0.0.1 dev enp5s0
+ 2022-05-08 12:21:36 ROUTE_GATEWAY 10.0.0.1/255.255.0.0 IFACE=enp5s0 HWADDR=d8:bb:c1:04:b2:00
+ 2022-05-08 12:21:36 TUN/TAP device tun0 opened
+ 2022-05-08 12:21:36 net_iface_mtu_set: mtu 1500 for tun0
+ 2022-05-08 12:21:36 net_iface_up: set tun0 up
+ 2022-05-08 12:21:36 net_addr_v4_add: 10.8.0.2/24 dev tun0
+ 2022-05-08 12:21:36 net_route_v4_add: 127.0.0.1/32 via 10.0.0.1 dev [NULL] table 0 metric -1
+ 2022-05-08 12:21:36 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
+ 2022-05-08 12:21:36 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
+ 2022-05-08 12:21:36 net_route_v4_add: 10.0.0.195/32 via 10.0.0.1 dev enp5s0 table 0 metric -1
+ 2022-05-08 12:21:36 Initialization Sequence Completed
+
+
+
+And from there you see that we can reach the internet just fine:
+
+
+ [ 10.8.0.2/24 ] [ /dev/pts/62 ] [~]
+ → ip a
+
+ 39: tun0: <****POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
+ link/none
+ inet 10.8.0.2/24 scope global tun0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::575c:ea3:3b64:3249/64 scope link stable-privacy
+ valid_lft forever preferred_lft forever
+
+ [ 10.8.0.2/24 ] [ /dev/pts/62 ] [~]
+ → ping 10.8.0.1
+ PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
+ 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=157 ms
+ 64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=257 ms
+ ^C
+ --- 10.8.0.1 ping statistics ---
+ 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+ rtt min/avg/max/mdev = 157.325/207.198/257.071/49.873 ms
+
+ [ 10.8.0.2/24 ] [ /dev/pts/62 ] [~]
+ → ping 1.1.1.1
+ PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+ 64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=222 ms
+ 64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=193 ms
+ ^C
+ --- 1.1.1.1 ping statistics ---
+ 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+ rtt min/avg/max/mdev = 192.825/207.581/222.337/14.756 ms
+
+ [ 10.8.0.2/24 ] [ /dev/pts/62 ] [~]
+ → curl ifconfig.me
+ x.x.x.x
+
+And there you go! Now we can do anything through our VPN which goes through tor.
+
+## **Automation Setup**
+
+If we want to automate it, we can do it like so:
+
+
+ [ 10.8.0.2/24 ] [ /dev/pts/0 ] [~]
+ → cat /etc/systemd/system/vpn.service
+ [Unit]
+ Description=VPN
+ After=network-online.target
+ Wants=network-online.target
+
+ [Service]
+ Type=simple
+ ExecStart=/usr/bin/openvpn /home/nothing/noone2.ovpn
+ ExecStop=kill -9 $(pidof openvpn)
+ Restart=always
+
+ [Install]
+ WantedBy=multi-user.target
+
+
+ [ 10.8.0.2/24 ] [ /dev/pts/0 ] [~]
+ → systemctl enable vpn.service
+ ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====
+ Authentication is required to start 'vpn.service'.
+ Authenticating as: nothing
+ Password:
+ ==== AUTHENTICATION COMPLETE ====
+
+ [ 10.8.0.2/24 ] [ /dev/pts/0 ] [~]
+ → systemctl status vpn.service
+ ● vpn.service - VPN
+ Loaded: loaded (/etc/systemd/system/vpn.service; disabled; vendor preset: disabled)
+ Active: active (running) since Sun 2022-05-08 14:22:27 CEST; 3s ago
+ Main PID: 93988 (openvpn)
+ Tasks: 1 (limit: 38362)
+ Memory: 1.6M
+ CPU: 13ms
+ CGroup: /system.slice/vpn.service
+ └─ 93988 /usr/bin/openvpn /home/nothing/noone2.ovpn
+
+ [ 10.8.0.2/24 ] [ /dev/pts/0 ] [~]
+ → systemctl enable tor
+ ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ====
+ Authentication is required to manage system service or unit files.
+ Authenticating as: nothing
+ Password:
+ ==== AUTHENTICATION COMPLETE ====
+ Created symlink /etc/systemd/system/multi-user.target.wants/tor.service → /usr/lib/systemd/system/tor.service.
+
+
+
+If the vpn were to be shutdown we want to protect ourselves against any leak, hence the following iptables:
+
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → cat iptables_vpn_tor.sh
+ #!/bin/bash
+
+ #default private networks
+ sudo iptables -F
+
+ sudo iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT
+ sudo iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT
+ sudo iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT
+ sudo iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT
+
+ sudo iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT
+ sudo iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT
+ sudo iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
+ sudo iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT
+
+ #ip range of tor VPN:
+
+ sudo iptables -A OUTPUT -o tun999 -j ACCEPT
+ sudo iptables -A INPUT -i tun999 -j ACCEPT
+
+ sudo iptables -A OUTPUT -o tun0 -j ACCEPT
+ sudo iptables -A INPUT -i tun0 -j ACCEPT
+
+ sudo iptables -A INPUT -j DROP
+ sudo iptables -A OUTPUT -j DROP
+
+ #sudo iptables -A INPUT -j DROP
+ #sudo iptables -A OUTPUT -j DROP
+
+
+
+Let's make it a systemd service to run at bootup:
+
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → cat /etc/systemd/system/tortables.service
+ [Unit]
+ Description=Tor IP Tables
+ After=network-online.target
+ Wants=network-online.target
+
+ [Service]
+ Type=simple
+ ExecStart=/home/nothing/iptables_vpn_tor.sh
+
+ [Install]
+ WantedBy=multi-user.target
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → systemctl daemon-reload
+ ==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
+ Authentication is required to reload the systemd state.
+ Authenticating as: nothing
+ Password:
+ ==== AUTHENTICATION COMPLETE ====
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → systemctl enable --now tortables
+ ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-unit-files ====
+ Authentication is required to manage system service or unit files.
+ Authenticating as: nothing
+ Password:
+ ==== AUTHENTICATION COMPLETE ====
+
+
+
+Now if at any point there is a problem with the connection, all that's needed is to restart the tor service. So we make a bash script for that:
+
+
+ #!/bin/bash
+
+ #systemctl status vpn tor
+ #while true; do
+ #while ! timeout 10 ping -c1 10.8.0.1 &>/dev/null
+ #do
+ # echo "Ping Failed, restarting tor:"
+ # systemctl restart tor
+ #done
+ #echo "Host Found - `date`"
+ #sleep 10
+ #done
+
+ counter=0
+ while true; do
+ echo TESTING
+ timeout 10 ping -c1 10.8.0.1 &>/dev/null
+ if [ $? -eq 0 ]; then
+ echo OK;
+ sleep 3
+ else
+ if [ $counter -gt 2 ];
+ then
+ echo 'RESTARTING TOR...'
+ systemctl restart tor
+ counter=0
+ sleep 10
+ else
+ counter=$((counter+1))
+ echo "FAIL ( $counter / 3)";
+ sleep 3
+ fi
+ fi
+ done
+
+
+
+We run this script using a systemd service to make sure it auto restarts and launches at bootup:
+
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → cat /etc/systemd/system/torwatch.service
+ [Unit]
+ Description=torwatcher
+ After=network-online.target
+ Wants=network-online.target
+
+ [Service]
+ Type=simple
+ ExecStart=/home/nothing/monitor_tor.sh
+ ExecStop=kill -9 $(pidof /home/nothing/monitor_tor.sh)
+ Restart=always
+
+ [Install]
+ WantedBy=multi-user.target
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → systemctl daemon-reload
+ ==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ====
+ Authentication is required to reload the systemd state.
+ Authenticating as: nothing
+ Password:
+ ==== AUTHENTICATION COMPLETE ====
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → sudo systemctl enable --now torwatch.service
+ [sudo] password for nothing:
+
+ [ 10.10.16.5/23 ] [ /dev/pts/25 ] [~]
+ → sudo systemctl status torwatch.service
+ ● torwatch.service - torwatcher
+ Loaded: loaded (/etc/systemd/system/torwatch.service; disabled; vendor preset: disabled)
+ Active: active (running) since Sun 2022-05-08 21:34:45 CEST; 4s ago
+ Main PID: 3860523 (monitor_tor.sh)
+ Tasks: 2 (limit: 38362)
+ Memory: 740.0K
+ CPU: 6ms
+ CGroup: /system.slice/torwatch.service
+ ├─ 3860523 /bin/bash /home/nothing/monitor_tor.sh
+ └─ 3861151 sleep 3
+
+ May 08 21:34:45 nowhere systemd[1]: Started torwatcher.
+ May 08 21:34:45 nowhere monitor_tor.sh[3860523]: TESTING
+ May 08 21:34:45 nowhere monitor_tor.sh[3860523]: OK
+ May 08 21:34:48 nowhere monitor_tor.sh[3860523]: TESTING
+ May 08 21:34:49 nowhere monitor_tor.sh[3860523]: OK
+
+
+
+And that's it! Now we can have our VPN-Over-Tor at startup.
+
diff --git a/pcipassthrough2/0.png b/pcipassthrough2/0.png
new file mode 100644
index 0000000..7826625
Binary files /dev/null and b/pcipassthrough2/0.png differ
diff --git a/pcipassthrough2/1.png b/pcipassthrough2/1.png
new file mode 100644
index 0000000..b311fd4
Binary files /dev/null and b/pcipassthrough2/1.png differ
diff --git a/pcipassthrough2/10.png b/pcipassthrough2/10.png
new file mode 100644
index 0000000..2aa0077
Binary files /dev/null and b/pcipassthrough2/10.png differ
diff --git a/pcipassthrough2/11.png b/pcipassthrough2/11.png
new file mode 100644
index 0000000..df22811
Binary files /dev/null and b/pcipassthrough2/11.png differ
diff --git a/pcipassthrough2/12.png b/pcipassthrough2/12.png
new file mode 100644
index 0000000..49f7f29
Binary files /dev/null and b/pcipassthrough2/12.png differ
diff --git a/pcipassthrough2/13.png b/pcipassthrough2/13.png
new file mode 100644
index 0000000..b27dc3d
Binary files /dev/null and b/pcipassthrough2/13.png differ
diff --git a/pcipassthrough2/14.png b/pcipassthrough2/14.png
new file mode 100644
index 0000000..a44f6d3
Binary files /dev/null and b/pcipassthrough2/14.png differ
diff --git a/pcipassthrough2/2.png b/pcipassthrough2/2.png
new file mode 100644
index 0000000..98d1eb2
Binary files /dev/null and b/pcipassthrough2/2.png differ
diff --git a/pcipassthrough2/3.png b/pcipassthrough2/3.png
new file mode 100644
index 0000000..175dc93
Binary files /dev/null and b/pcipassthrough2/3.png differ
diff --git a/pcipassthrough2/4.png b/pcipassthrough2/4.png
new file mode 100644
index 0000000..6f6542e
Binary files /dev/null and b/pcipassthrough2/4.png differ
diff --git a/pcipassthrough2/5.png b/pcipassthrough2/5.png
new file mode 100644
index 0000000..b0c5459
Binary files /dev/null and b/pcipassthrough2/5.png differ
diff --git a/pcipassthrough2/index.md b/pcipassthrough2/index.md
new file mode 100644
index 0000000..d6fd7ee
--- /dev/null
+++ b/pcipassthrough2/index.md
@@ -0,0 +1,131 @@
+# Arch Linux PCI Passthrough Setup
+
+![](0.png)
+
+In this tutorial we're going to take a look at how to pass a GPU to a Windows QEMU VM on an Arch linux host, and to do so we're going to need a host PC with 2 graphics cards. the first graphics card is for the host OS, and the second graphics card is for the VM itself.
+
+## **Initial Setup**
+
+First change the mkinitcpio.conf file, as instructed [here](https://wiki.archlinux.org/title/PCI_passthrough_via_OVMF) in order to enable vfio and also grub, in order to enable iommu for intel cpus:
+
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → sudo vim /etc/default/grub
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → cat /etc/default/grub | grep intel
+ GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 intel_iommu=on iommu=pt"
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → sudo grub-mkconfig -o /boot/grub/grub.cfg
+ Generating grub configuration file ...
+ Found linux image: /boot/vmlinuz-linux
+ Found initrd image: /boot/intel-ucode.img /boot/initramfs-linux.img
+ Found fallback initrd image(s) in /boot: intel-ucode.img initramfs-linux-fallback.img
+ Warning: os-prober will be executed to detect other bootable partitions.
+ Its output will be used to detect bootable binaries on them and create new boot entries.
+ Found Windows Boot Manager on /dev/nvme0n1p1@/EFI/Microsoft/Boot/bootmgfw.efi
+ Adding boot menu entry for UEFI Firmware Settings ...
+ done
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → sudo vim /etc/mkinitcpio.conf
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → cat /etc/mkinitcpio.conf | grep vfio
+ MODULES=( nvme vmw_pvscsi vfio_pci vfio vfio_iommu_type1 )
+
+ 00:1f.3 Audio device [0403]: Intel Corporation Tiger Lake-H HD Audio Controller [8086:43c8] (rev 11)
+
+ 01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GA104 [GeForce RTX 3070 Ti] [10de:2482] (rev a1)
+ 01:00.1 Audio device [0403]: NVIDIA Corporation GA104 High Definition Audio Controller [10de:228b] (rev a1)
+
+ 04:00.0 VGA compatible controller [0300]: NVIDIA Corporation GP107 [GeForce GTX 1050] [10de:1c81] (rev a1)
+ 04:00.1 Audio device [0403]: NVIDIA Corporation GP107GL High Definition Audio Controller [10de:0fb9] (rev a1)
+
+
+
+Here you can see the 2 GPUs i currently have, one is a GTX 1050, the other is a RTX 3070. We're going to pass the GT 1050 to our VM. So to do that we need the **Device ID** this is the following:
+
+
+ 04:00.0 VGA compatible controller [0300]: NVIDIA Corporation GP107 [GeForce GTX 1050] **[10de:1c81]** (rev a1)
+ 04:00.1 Audio device [0403]: NVIDIA Corporation GP107GL High Definition Audio Controller **[10de:0fb9]** (rev a1)
+
+
+
+Now since we're on an Arch based distro we're going to edit the kernel parameters to group the gtx 1050 ids within the vfio parameter. With this we will ISOLATE the GPU, meaning it will not be usable on the host until we reverse the manipulation, of course i have my second GPU, the 3070 to make sure i can still use my setup.
+
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → cat /etc/default/grub | grep vfio
+ GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 intel_iommu=on iommu=pt vfio-pci.ids=10de:1c81,10de:0fb9"
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → sudo grub-mkconfig -o /boot/grub/grub.cfg
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → cat /boot/grub/grub.cfg | grep vfio
+ linux /vmlinuz-linux root=UUID=64472324-3a33-44f1-87f7-95431d6946ef rw loglevel=3 intel_iommu=on iommu=pt vfio-pci.ids=10de:1c81,10de:0fb9
+ linux /vmlinuz-linux root=UUID=64472324-3a33-44f1-87f7-95431d6946ef rw loglevel=3 intel_iommu=on iommu=pt vfio-pci.ids=10de:1c81,10de:0fb9
+ linux /vmlinuz-linux root=UUID=64472324-3a33-44f1-87f7-95431d6946ef rw loglevel=3 intel_iommu=on iommu=pt vfio-pci.ids=10de:1c81,10de:0fb9
+
+
+
+Now as you can see, after editing grub again, to add the ids of the gpu we want to isolate, we generated the grub config again, and in grub.cfg, vfio has been specified as intended, so we reboot and we should NOT have access to the isolated gpu anymore, be very careful to have a second gpu ready so you can still use your system !!!
+
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → neofetch
+ -------------------------------------- nothing@nowhere
+ -------------------------------------- ---------------
+ -------------------------------------- OS: Bedrock Linux 0.7.27 Poki x86_64
+ ---\\\\\\\\\\\\----------------------- Host: MS-7D09 1.0
+ ----\\\ \\\---------------------- Kernel: 5.18.14-arch1-1
+ -----\\\ \\\--------------------- Uptime: 6 mins
+ ------\\\ \\\\\\\\\\\\\\\\\------ Packages: 1383 (pacman), 3065 (dpkg), 800 (rpm), 58 (xbps-query), 455 (emerge), 115 (nix-user)
+ -------\\\ \\\----- Shell: zsh 5.9
+ --------\\\ \\\---- Resolution: 1920x1080, 3840x2160, 1920x1080, 3840x2160
+ ---------\\\ ______ \\\--- WM: i3
+ ----------\\\ ///--- Theme: Numix-BLACK-SLATE [GTK2/3]
+ -----------\\\ ///---- Icons: Flat-Remix-Blue-Dark [GTK2/3]
+ ------------\\\ ///----- Terminal: tmux
+ -------------\\\////////////////------ CPU: 11th Gen Intel i7-11700K (16) @ 5.100GHz
+ -------------------------------------- **GPU: NVIDIA GeForce RTX 3070 Ti** <****------- that is the one i will use !!!
+ -------------------------------------- GPU: NVIDIA GeForce GTX 1050 <****------------------ that is the one we will isolate !!!
+ -------------------------------------- Memory: 3203MiB / 31998MiB
+
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → sudo reboot now
+
+**Currently, when you reboot your display will be broken past the "starting version arch" line, do not be alarmed. Idk how to fix that, but you can blindly type in your luks password and it will boot just fine.**
+
+now after rebooting, we can check that we can use the GPU like so:
+
+
+ [ 10.8.0.4/24 ] [ nowhere ] [Github/blog/servers]
+ → sudo virt-manager
+ [sudo] password for nothing:
+
+
+
+` ![](1.png)
+
+so from here we are able to add a GPU to a VM.
+
+![](2.png)
+
+add both PCI devices (one is video the other is sound)
+
+then on the VM you need to install the geforce experience drivers:
+
+![](3.png)
+
+make sure you do Custom install and tick everything, so it will REMOVE The existing GPU driver to install it again, and from there you should be good to go you can check that the gpu is correctly detected from teh device manager:
+
+![](4.png)
+
+And that's it! you can now monitor your gpu usage from inside the VM:
+
+![](5.png)
+
diff --git a/perlite/1.png b/perlite/1.png
new file mode 100644
index 0000000..c2e9715
Binary files /dev/null and b/perlite/1.png differ
diff --git a/perlite/2.png b/perlite/2.png
new file mode 100644
index 0000000..081267b
Binary files /dev/null and b/perlite/2.png differ
diff --git a/perlite/3.png b/perlite/3.png
new file mode 100644
index 0000000..f566ba9
Binary files /dev/null and b/perlite/3.png differ
diff --git a/perlite/4.png b/perlite/4.png
new file mode 100644
index 0000000..c1a6305
Binary files /dev/null and b/perlite/4.png differ
diff --git a/perlite/5.png b/perlite/5.png
new file mode 100644
index 0000000..879a054
Binary files /dev/null and b/perlite/5.png differ
diff --git a/perlite/index.md b/perlite/index.md
new file mode 100644
index 0000000..85a0278
--- /dev/null
+++ b/perlite/index.md
@@ -0,0 +1,312 @@
+# perlite Setup
+
+![](0.svg)
+
+[Perlite](https://github.com/secure-77/Perlite) is an awesome project by [sec77](https://secure77.de/) to display your obsidian notes on the web, essentially an alternative to the paid Obsidian publish.
+
+## **Initial Setup**
+
+You'll need nginx and php8.2 and some dependencies:
+
+
+ [ 10.8.0.2/24 ] [ home ] [/srv]
+ → apt install nginx php8.2-fpm php-mbstring php-yaml -y
+
+ [ 10.8.0.2/24 ] [ home ] [/srv]
+ → vim /etc/nginx/sites-available/perlite.nowhere.moe.conf
+
+
+
+Then we can git clone the project wherever, i put it in /srv/:
+
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/perlite]
+ → git clone https://github.com/secure-77/Perlite
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/]
+ → chown -R www-data: /srv/Perlite
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/]
+ → cd Perlite
+
+
+
+Now from here you will need the following nginx config:
+
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/Perlite]
+ → cat /etc/nginx/sites-available/perlite.nowhere.moe.conf
+ server {
+
+ #apt install apache2-utils -y
+ #htpasswd -c /etc/nginx/auth/default.htpasswd nothing
+
+ auth_basic "Password protection";
+ auth_basic_user_file /etc/nginx/auth/default.htpasswd;
+
+ server_name perlite.nowhere.moe;
+
+ root /srv/Perlite/perlite/;
+ index index.php index.html index.htm;
+
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+ fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ location ~* ^/(.*)/.obsidian/appearance.json$ {
+ allow all;
+ }
+
+ location ~* ^/(.*)/.obsidian/(.*)/theme.css$ {
+ allow all;
+ }
+
+ #added for this specific setup, thanks sec77!
+ location ~* ^/.obsidian/(.*)/theme.css$ {
+ allow all;
+ }
+
+ location ~ \.(git|github|obsidian|trash) {
+ deny all;
+ }
+
+ location ~ \.(md|json)$ {
+ deny all;
+ }
+ }
+
+
+
+For now it's just on port 80, and with a basicauth because i want it to be in maintenance mode for now, then we go into the perlite folder:
+
+
+ [ 10.8.0.2/24 ] [ home ] [/srv]
+ → cd Perlite
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/Perlite]
+ → ls -lash
+ total 72K
+ 4.0K drwxr-xr-x 7 root root 4.0K Dec 7 22:20 .
+ 4.0K drwxr-xr-x 7 root root 4.0K Dec 7 22:20 ..
+ 4.0K drwxr-xr-x 8 root root 4.0K Dec 7 22:20 .git
+ 4.0K -rw-r--r-- 1 root root 66 Dec 7 22:20 .gitattributes
+ 4.0K drwxr-xr-x 3 root root 4.0K Dec 7 22:20 .github
+ 4.0K -rw-r--r-- 1 root root 118 Dec 7 22:20 .gitignore
+ 8.0K -rw-r--r-- 1 root root 4.4K Dec 7 22:20 Changelog.md
+ 4.0K drwxr-xr-x 7 root root 4.0K Dec 7 22:20 Demo
+ 4.0K -rw-r--r-- 1 root root 2.0K Dec 7 22:20 Docker.md
+ 4.0K -rw-r--r-- 1 root root 1.1K Dec 7 22:20 LICENSE
+ 8.0K -rw-r--r-- 1 root root 6.7K Dec 7 22:20 README.md
+ 4.0K -rw-r--r-- 1 root root 182 Dec 7 22:20 SECURITY.md
+ 4.0K -rw-r--r-- 1 root root 565 Dec 7 22:20 docker-compose-dev.yml
+ 4.0K -rw-r--r-- 1 root root 522 Dec 7 22:20 docker-compose.yml
+ 4.0K drwxr-xr-x 5 root root 4.0K Dec 7 22:21 perlite
+ 4.0K drwxr-xr-x 3 root root 4.0K Dec 7 22:20 web
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/Perlite]
+ → cd perlite
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/Perlite/perlite]
+ → ls -lash
+ total 216K
+ 4.0K drwxr-xr-x 5 root root 4.0K Dec 7 22:21 .
+ 4.0K drwxr-xr-x 7 root root 4.0K Dec 7 22:20 ..
+ 4.0K drwxr-xr-x 2 root root 4.0K Dec 7 22:20 .js
+ 4.0K drwxr-xr-x 4 root root 4.0K Dec 7 22:20 .styles
+ 4.0K -rw-r--r-- 1 root root 508 Dec 7 22:20 Dockerfile
+ 4.0K -rw-r--r-- 1 root root 151 Dec 7 22:20 Dockerfile.dev
+ 4.0K drwxr-xr-x 6 root root 4.0K Dec 7 22:21 **Obsidian**
+ 44K -rw-r--r-- 1 root root 42K Dec 7 22:20 Parsedown.php
+ 12K -rw-r--r-- 1 root root 11K Dec 7 22:20 PerliteParsedown.php
+ 8.0K -rw-r--r-- 1 root root 4.3K Dec 7 22:20 content.php
+ 16K -rw-r--r-- 1 root root 16K Dec 7 22:20 favicon.ico
+ 12K -rw-r--r-- 1 root root 12K Dec 7 22:21 helper.php
+ 56K -rw-r--r-- 1 root root 54K Dec 7 22:20 index.php
+ 20K -rw-r--r-- 1 root root 17K Dec 7 22:20 logo.svg
+ 20K -rw-r--r-- 1 root root 17K Dec 7 22:20 perlite.svg
+
+
+
+This is where the root of the website will be. In here you can put your vault as a sub-folder, here i put mine as the "Obsidian" folder as you can see above. Before you put it there, you will need to do a few things. First of all you need the Obsidian plugin "Metadata Extractor" to get the generated **metadata.json** file, along with the enabled "write JSON files automatically when Obsidian Launches" option:
+
+![](1.png)
+
+
+ [ 10.8.0.2/24 ] [ home ] [Perlite/perlite/Obsidian]
+ → ls -lash
+ total 260K
+ 4.0K drwxr-xr-x 6 root root 4.0K Dec 7 22:21 .
+ 4.0K drwxr-xr-x 5 root root 4.0K Dec 7 22:21 ..
+ 4.0K drwxr-xr-x 8 root root 4.0K Dec 7 22:21 .git
+ 4.0K drwxr-xr-x 4 root root 4.0K Dec 7 22:21 .obsidian
+ 4.0K drwxr-xr-x 15 root root 4.0K Dec 7 22:21 HTB
+ 0 -rw-r--r-- 1 root root 0 Dec 7 22:21 README.md
+ 4.0K drwxr-xr-x 3 root root 4.0K Dec 7 22:21 Sysadmin
+ 228K -rw-r--r-- 1 root root 225K Dec 7 22:21 **metadata.json**
+ 4.0K -rwxr-xr-x 1 root root 85 Dec 7 22:21 pull.sh
+ 4.0K -rwxr-xr-x 1 root root 207 Dec 7 22:21 push.sh
+
+
+
+Then you need to have the **New link format** option set to **relative path to file** (it's in the **Files & Links** menu in obsidian settings:
+
+![](2.png)
+
+For further tweaking, please look at sec77's documentation [here](https://github.com/secure-77/Perlite/)
+
+From here you should already see your website as follows:
+
+
+ [ 10.8.0.2/24 ] [ home ] [Perlite/perlite/Obsidian]
+ → systemctl restart php8.2-fpm nginx
+
+
+
+![](3.png)
+
+(big thanks to sec77 for showing me the fix here), If your theme doesn't load or if the vault doesnt show up, you can manually set the root directory of the vault in the helper.php file:
+
+
+ 10.8.0.2/24 ] [ home ] [/srv/Perlite/perlite]
+ → cat helper.php| grep rootDir
+ //$rootDir = getenv('NOTES_PATH');
+ $rootDir = **'Obsidian'** ;
+ $vaultName = $rootDir;
+
+ [...]
+
+
+
+Here you see i setup mine to the relative path 'Obsidian' which points to the subdirectory in **/srv/Perlite/perlite/Obsidian/**. And there you go!
+
+![](4.png)
+
+## **TLS Setup**
+
+If you want it setup with TLS just use acme.sh:
+
+
+ [ 10.8.0.2/24 ] [ home ] [/srv/Perlite/perlite]
+ → acme.sh --issue --standalone -d perlite.nowhere.moe -k 4096
+ [Wed Dec 7 22:59:59 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
+ [Wed Dec 7 22:59:59 CET 2022] Standalone mode.
+ [Wed Dec 7 22:59:59 CET 2022] Creating domain key + [Wed Dec 7 23:00:00 CET 2022] The domain key is here: /root/.acme.sh/perlite.nowhere.moe/perlite.nowhere.moe.key + [Wed Dec 7 23:00:00 CET 2022] Single domain='perlite.nowhere.moe' + [Wed Dec 7 23:00:00 CET 2022] Getting domain auth token for each domain + [Wed Dec 7 23:00:03 CET 2022] Getting webroot for domain='perlite.nowhere.moe' + [Wed Dec 7 23:00:04 CET 2022] Verifying: perlite.nowhere.moe + [Wed Dec 7 23:00:04 CET 2022] Standalone mode server + [Wed Dec 7 23:00:06 CET 2022] Pending, The CA is processing your order, please just wait. (1/30) + [Wed Dec 7 23:00:09 CET 2022] Success + + [...] + + [Wed Dec 7 23:00:12 CET 2022] Your cert is in: /root/.acme.sh/perlite.nowhere.moe/perlite.nowhere.moe.cer + [Wed Dec 7 23:00:12 CET 2022] Your cert key is in: /root/.acme.sh/perlite.nowhere.moe/perlite.nowhere.moe.key + [Wed Dec 7 23:00:12 CET 2022] The intermediate CA cert is in: /root/.acme.sh/perlite.nowhere.moe/ca.cer + [Wed Dec 7 23:00:12 CET 2022] And the full chain certs is there: /root/.acme.sh/perlite.nowhere.moe/fullchain.cer + + + +and then for the nginx config with TLS I use the following: + + + [ 10.8.0.2/24 ] [ home ] [/srv/Perlite/perlite] + → cat /etc/nginx/sites-available/perlite.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name perlite.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name perlite.nihilisxacas2ntt3kb2nzfjp4nu5enratyehvahllblxgq2tqpsrnid.onion; + add_header Onion-Location "http://perlite.nihilisxacas2ntt3kb2nzfjp4nu5enratyehvahllblxgq2tqpsrnid.onion$request_uri" always; + ######## TOR CHANGES ######## + + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name perlite.nowhere.moe; + + ssl_certificate /root/.acme.sh/perlite.nowhere.moe/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/perlite.nowhere.moe/perlite.nowhere.moe.cer; + 
ssl_certificate_key /root/.acme.sh/perlite.nowhere.moe/perlite.nowhere.moe.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + + root /srv/Perlite/perlite/; + index index.php index.html index.htm; + + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/var/run/php/php8.2-fpm.sock; + } + + location ~ /\.ht { + deny all; + } + + location ~* ^/(.*)/.obsidian/appearance.json$ { + allow all; + } + + location ~* ^/(.*)/.obsidian/(.*)/theme.css$ { + allow all; + } + + #added for this specific setup, thanks sec77! + location ~* ^/.obsidian/(.*)/theme.css$ { + allow all; + } + + location ~ \.(git|github|obsidian|trash) { + deny all; + } + + location ~ \.(md|json)$ { + deny all; + } + } + + + [ 10.8.0.2/24 ] [ home ] [/srv/Perlite/perlite] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ 10.8.0.2/24 ] [ home ] [/srv/Perlite/perlite] + → systemctl restart nginx + + +![](5.png) + +And there you go! 
We have been able to publish our obsidian notes on the web from our a VPS.
+
diff --git a/pf_prox/0.png b/pf_prox/0.png
new file mode 100644
index 0000000..33a76ef
Binary files /dev/null and b/pf_prox/0.png differ
diff --git a/pf_prox/1.png b/pf_prox/1.png
new file mode 100644
index 0000000..46dd9b7
Binary files /dev/null and b/pf_prox/1.png differ
diff --git a/pf_prox/10.png b/pf_prox/10.png
new file mode 100644
index 0000000..1a59bf3
Binary files /dev/null and b/pf_prox/10.png differ
diff --git a/pf_prox/11.png b/pf_prox/11.png
new file mode 100644
index 0000000..1af2172
Binary files /dev/null and b/pf_prox/11.png differ
diff --git a/pf_prox/12.png b/pf_prox/12.png
new file mode 100644
index 0000000..60dd4c7
Binary files /dev/null and b/pf_prox/12.png differ
diff --git a/pf_prox/13.png b/pf_prox/13.png
new file mode 100644
index 0000000..e7ed894
Binary files /dev/null and b/pf_prox/13.png differ
diff --git a/pf_prox/14.png b/pf_prox/14.png
new file mode 100644
index 0000000..7b7a6f5
Binary files /dev/null and b/pf_prox/14.png differ
diff --git a/pf_prox/15.png b/pf_prox/15.png
new file mode 100644
index 0000000..742325e
Binary files /dev/null and b/pf_prox/15.png differ
diff --git a/pf_prox/16.png b/pf_prox/16.png
new file mode 100644
index 0000000..a93164c
Binary files /dev/null and b/pf_prox/16.png differ
diff --git a/pf_prox/17.png b/pf_prox/17.png
new file mode 100644
index 0000000..59afcc7
Binary files /dev/null and b/pf_prox/17.png differ
diff --git a/pf_prox/18.png b/pf_prox/18.png
new file mode 100644
index 0000000..a388af8
Binary files /dev/null and b/pf_prox/18.png differ
diff --git a/pf_prox/19.png b/pf_prox/19.png
new file mode 100644
index 0000000..5ea0ef2
Binary files /dev/null and b/pf_prox/19.png differ
diff --git a/pf_prox/2.png b/pf_prox/2.png
new file mode 100644
index 0000000..60dabc0
Binary files /dev/null and b/pf_prox/2.png differ
diff --git a/pf_prox/20.png b/pf_prox/20.png
new file mode 100644
index 0000000..3e16c0a
Binary files /dev/null and b/pf_prox/20.png differ
diff --git a/pf_prox/21.png b/pf_prox/21.png
new file mode 100644
index 0000000..4624555
Binary files /dev/null and b/pf_prox/21.png differ
diff --git a/pf_prox/22.png b/pf_prox/22.png
new file mode 100644
index 0000000..f654469
Binary files /dev/null and b/pf_prox/22.png differ
diff --git a/pf_prox/23.png b/pf_prox/23.png
new file mode 100644
index 0000000..a243b86
Binary files /dev/null and b/pf_prox/23.png differ
diff --git a/pf_prox/24.png b/pf_prox/24.png
new file mode 100644
index 0000000..5c31957
Binary files /dev/null and b/pf_prox/24.png differ
diff --git a/pf_prox/25.png b/pf_prox/25.png
new file mode 100644
index 0000000..fa4e0f6
Binary files /dev/null and b/pf_prox/25.png differ
diff --git a/pf_prox/26.png b/pf_prox/26.png
new file mode 100644
index 0000000..5030421
Binary files /dev/null and b/pf_prox/26.png differ
diff --git a/pf_prox/27.png b/pf_prox/27.png
new file mode 100644
index 0000000..cd16cd4
Binary files /dev/null and b/pf_prox/27.png differ
diff --git a/pf_prox/28.png b/pf_prox/28.png
new file mode 100644
index 0000000..1d136f7
Binary files /dev/null and b/pf_prox/28.png differ
diff --git a/pf_prox/29.png b/pf_prox/29.png
new file mode 100644
index 0000000..f40fb35
Binary files /dev/null and b/pf_prox/29.png differ
diff --git a/pf_prox/3.png b/pf_prox/3.png
new file mode 100644
index 0000000..8caf3df
Binary files /dev/null and b/pf_prox/3.png differ
diff --git a/pf_prox/30.png b/pf_prox/30.png
new file mode 100644
index 0000000..cce3492
Binary files /dev/null and b/pf_prox/30.png differ
diff --git a/pf_prox/31.png b/pf_prox/31.png
new file mode 100644
index 0000000..1e2d837
Binary files /dev/null and b/pf_prox/31.png differ
diff --git a/pf_prox/32.png b/pf_prox/32.png
new file mode 100644
index 0000000..eddf524
Binary files /dev/null and b/pf_prox/32.png differ
diff --git a/pf_prox/33.png b/pf_prox/33.png
new file mode 100644
index 0000000..47b5efd
Binary files /dev/null and b/pf_prox/33.png differ
diff --git a/pf_prox/34.png b/pf_prox/34.png
new file mode 100644
index 0000000..0ce487b
Binary files /dev/null and b/pf_prox/34.png differ
diff --git a/pf_prox/35.png b/pf_prox/35.png
new file mode 100644
index 0000000..0280a8e
Binary files /dev/null and b/pf_prox/35.png differ
diff --git a/pf_prox/36.png b/pf_prox/36.png
new file mode 100644
index 0000000..cfad1d2
Binary files /dev/null and b/pf_prox/36.png differ
diff --git a/pf_prox/37.png b/pf_prox/37.png
new file mode 100644
index 0000000..d8aebce
Binary files /dev/null and b/pf_prox/37.png differ
diff --git a/pf_prox/38.png b/pf_prox/38.png
new file mode 100644
index 0000000..ddfe22c
Binary files /dev/null and b/pf_prox/38.png differ
diff --git a/pf_prox/39.png b/pf_prox/39.png
new file mode 100644
index 0000000..db75470
Binary files /dev/null and b/pf_prox/39.png differ
diff --git a/pf_prox/4.png b/pf_prox/4.png
new file mode 100644
index 0000000..2113b3c
Binary files /dev/null and b/pf_prox/4.png differ
diff --git a/pf_prox/40.png b/pf_prox/40.png
new file mode 100644
index 0000000..c97e78d
Binary files /dev/null and b/pf_prox/40.png differ
diff --git a/pf_prox/41.png b/pf_prox/41.png
new file mode 100644
index 0000000..af19ce7
Binary files /dev/null and b/pf_prox/41.png differ
diff --git a/pf_prox/42.png b/pf_prox/42.png
new file mode 100644
index 0000000..72215f7
Binary files /dev/null and b/pf_prox/42.png differ
diff --git a/pf_prox/43.png b/pf_prox/43.png
new file mode 100644
index 0000000..c3c0459
Binary files /dev/null and b/pf_prox/43.png differ
diff --git a/pf_prox/44.png b/pf_prox/44.png
new file mode 100644
index 0000000..2721db4
Binary files /dev/null and b/pf_prox/44.png differ
diff --git a/pf_prox/5.png b/pf_prox/5.png
new file mode 100644
index 0000000..3d23faa
Binary files /dev/null and b/pf_prox/5.png differ
diff --git a/pf_prox/6.png b/pf_prox/6.png
new file mode 100644
index 0000000..f3a17df
Binary files /dev/null and b/pf_prox/6.png differ
diff --git a/pf_prox/7.png b/pf_prox/7.png
new file mode 100644
index 0000000..7ee57e7
Binary files /dev/null and b/pf_prox/7.png differ
diff --git a/pf_prox/8.png b/pf_prox/8.png
new file mode 100644
index 0000000..3150036
Binary files /dev/null and b/pf_prox/8.png differ
diff --git a/pf_prox/9.png b/pf_prox/9.png
new file mode 100644
index 0000000..7f02a77
Binary files /dev/null and b/pf_prox/9.png differ
diff --git a/pf_prox/index.md b/pf_prox/index.md
new file mode 100644
index 0000000..94bab21
--- /dev/null
+++ b/pf_prox/index.md
@@ -0,0 +1,130 @@ +# Pfsense on Proxmox + +In this tutorial we will be looking at how to install pfsense on a proxmox server using one of proxmox's physical Network Interface Cards (NIC) as the WAN interface, in order to be able to link a closed LAN virtual network. We will be using the following network graph as a reference: + +![](0.png) + +As you can see, the pfsense VM will require 2 Network interfaces, and we will also need to adapt our networking INSIDE of proxmox in order to create the virtual LAN network space for our other VMs/CTs. But why would we want to do this ? First of all this is one way of getting around subnet limitations. As you can see on that network graph above, we are being limited by our upstream router (192.168.0.1) by a /24 network mask, this means that at most we will be able to have 254 hosts on the WAN network. + +That's not ideal, we potentially want more than 255 hosts there, and therefore we create a virtual LAN behind a second router (our pfsense VM at 192.168.0.98) which will be able to contain much more hosts. Here our plan is getting a virtual LAN network that has a /16 network mask, this means that we're going to get 2^16-2 = 65534 potential hosts instead of just 254. With that being said, let's get to work: + +## **Initial Setup** + +You can start by going to pfsense's download page [here ]() to get the latest pfsense ISO image, and then upload it to your proxmox server here: + +![](1.png) + +Now we need to create the LAN network with the /16 mask: + +![](8.png) ![](9.png) + +As you can see below, we now have our Virtual LAN network ready (10.2.0.0/16) as vmbr20 and our WAN interface is going to be vmbr0, this is proxmox's physical interface linked to the upstream router (192.168.0.1/24). When we will setup our pfsense VM we will use it and choose a static ip (192.168.0.98/24) the other side of our pfsense VM is going to be on the vmbr20 interface at the 10.2.0.1/16 gateway ip address. 
+ +![](10.png) + +After clicking 'Apply Configuration', you can create the new VM: + +![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) + +For now tick 'no network device' because we will set that up manually after: + +![](11.png) + +Now here make sure not to tick 'start after created' because we're going to edit the VM manually: + +![](12.png) ![](13.png) + +Let's first add our WAN interface (vmbr0): + +![](14.png) + +then let's add the LAN interface (vmbr20): + +![](15.png) + +Once we have our 2 NICs done we can start our pfsense VM and handle it using the noVNC console: + +![](16.png) + +## **Setting up the Pfsense VM** + +![](17.png) ![](18.png) ![](19.png) + +After that let it install and reboot: + +![](20.png) ![](21.png) + +Here we need to pick which is the WAN interface, and as you can see the only info we have are the MAC addresses, so let's see which one is the WAN interface: + +![](22.png) + +Now we know that the WAN interface's MAC address is 96:something:b0 so we know that for pfsense it is vtnet0: + +![](23.png) + +After that we will configure the WAN interface's static ip to be 192.168.0.98/24 as planned: + +![](24.png) ![](25.png) + +Once that's done, we setup our LAN interface to be 10.2.0.1/16. This will be the gateway for the VMs inside of the virtual LAN network + +![](26.png) + +We want our pfsense Gateway VM to be able to automatically give an ip to the other VMs inside of our virtual LAN network via DHCP. In this case we make use of the entire /16 subnet. + +![](27.png) + +And that's it! We have been able to setup our pfsense VM to act as a router between the WAN network 192.168.0.0/24 and the LAN network 10.2.0.0/16. + +![](28.png) + +Now from there we should be able to create a VM or a CT inside of the virtual /16 LAN network and we should be able to reach our pfsense gateway at the 10.2.0.1/16 IP address. 
+ +## **Hosts within the Virtual LAN** + +Now that our pfsense has been setup we can setup hosts within the LAN space like so: + +![](29.png) + +Right now we're going to create a Debian VM with a graphical interface to be able to access a web browser and see what our pfsense web interface looks like. + +![](30.png) + +However for now we're going to set it up outside of the LAN because we don't want any network issues during the installation process. + +![](31.png) + +If you selected SPICE before during the VM setup you can use the SPICE console display instead of noVNC: + +![](32.png) ![](33.png) ![](34.png) + +As we said earlier we want a graphical interface, so we're going to go with xfce: + +![](35.png) ![](36.png) + +Now to continue we're going to set the networking on our debian VM to be vmbr20 as we originally intended: + +![](37.png) ![](38.png) + +Once logged in we setup our pfsense gateway (by default the credentials are **admin:pfsense**): + +![](39.png) ![](40.png) + +in the WAN interface tab don't change anything except the 2 boxes need to be unticked at the bottom: + +![](41.png) + +Here obviously we change the default password: + +![](42.png) + +Once that's done let pfsense reload it's settings automatically and you can now access the finished dashboard: + +![](43.png) + +And you can test here that internet is now accessible once the pfsense router got setup correctly: + +![](44.png) + +And that's it! We have been able to setup a pfsense VM to be able to link hosts within a closed LAN network to a WAN network accessible via a physical proxmox server Network Interface. + diff --git a/pf_vpn/0.png b/pf_vpn/0.png new file mode 100644 index 0000000..9e35e37 Binary files /dev/null and b/pf_vpn/0.png differ diff --git a/pf_vpn/1.png b/pf_vpn/1.png new file mode 100644 index 0000000..85ff3ce Binary files /dev/null and b/pf_vpn/1.png differ 
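Review bot: The step "in the WAN interface tab don't change anything except the 2 boxes need to be unticked at the bottom" gives no reason for it; those are presumably the "Block private networks" and "Block bogon networks" options, and unticking them is only appropriate here because the WAN side is itself the RFC1918 upstream segment (192.168.0.0/24) — on an Internet-facing WAN they should stay enabled. One clause would stop readers copying the setting blindly: `(untick them only because our WAN is the private 192.168.0.0/24 network; keep them on for an Internet-facing WAN)`. The download link `[here ]()` in the Initial Setup section has an empty target. The text also relies on a MAC-prefix guess ("96:something:b0") to identify the WAN NIC; noting that Proxmox shows the full MAC of each virtual NIC in the VM's Hardware tab would make that step deterministic.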
diff --git a/pf_vpn/10.png b/pf_vpn/10.png
new file mode 100644
index 0000000..881cc2d
Binary files /dev/null and b/pf_vpn/10.png differ
diff --git a/pf_vpn/11.png b/pf_vpn/11.png
new file mode 100644
index 0000000..d4f28ab
Binary files /dev/null and b/pf_vpn/11.png differ
diff --git a/pf_vpn/12.png b/pf_vpn/12.png
new file mode 100644
index 0000000..81ae48d
Binary files /dev/null and b/pf_vpn/12.png differ
diff --git a/pf_vpn/13.png b/pf_vpn/13.png
new file mode 100644
index 0000000..d2e18b5
Binary files /dev/null and b/pf_vpn/13.png differ
diff --git a/pf_vpn/14.png b/pf_vpn/14.png
new file mode 100644
index 0000000..8f65f13
Binary files /dev/null and b/pf_vpn/14.png differ
diff --git a/pf_vpn/15.png b/pf_vpn/15.png
new file mode 100644
index 0000000..9a3fcc6
Binary files /dev/null and b/pf_vpn/15.png differ
diff --git a/pf_vpn/16.png b/pf_vpn/16.png
new file mode 100644
index 0000000..1ff00c8
Binary files /dev/null and b/pf_vpn/16.png differ
diff --git a/pf_vpn/17.png b/pf_vpn/17.png
new file mode 100644
index 0000000..ce37c57
Binary files /dev/null and b/pf_vpn/17.png differ
diff --git a/pf_vpn/18.png b/pf_vpn/18.png
new file mode 100644
index 0000000..44913aa
Binary files /dev/null and b/pf_vpn/18.png differ
diff --git a/pf_vpn/19.png b/pf_vpn/19.png
new file mode 100644
index 0000000..e4f3e06
Binary files /dev/null and b/pf_vpn/19.png differ
diff --git a/pf_vpn/2.png b/pf_vpn/2.png
new file mode 100644
index 0000000..cd52324
Binary files /dev/null and b/pf_vpn/2.png differ
diff --git a/pf_vpn/20.png b/pf_vpn/20.png
new file mode 100644
index 0000000..cdd72c4
Binary files /dev/null and b/pf_vpn/20.png differ
diff --git a/pf_vpn/21.png b/pf_vpn/21.png
new file mode 100644
index 0000000..426b1ee
Binary files /dev/null and b/pf_vpn/21.png differ
diff --git a/pf_vpn/22.png b/pf_vpn/22.png
new file mode 100644
index 0000000..da70c03
Binary files /dev/null and b/pf_vpn/22.png differ
diff --git a/pf_vpn/23.png b/pf_vpn/23.png
new file mode 100644
index 0000000..c1e335b
Binary files /dev/null and b/pf_vpn/23.png differ
diff --git a/pf_vpn/24.png b/pf_vpn/24.png
new file mode 100644
index 0000000..661fbfb
Binary files /dev/null and b/pf_vpn/24.png differ
diff --git a/pf_vpn/25.png b/pf_vpn/25.png
new file mode 100644
index 0000000..83fb7ce
Binary files /dev/null and b/pf_vpn/25.png differ
diff --git a/pf_vpn/26.png b/pf_vpn/26.png
new file mode 100644
index 0000000..a9e2430
Binary files /dev/null and b/pf_vpn/26.png differ
diff --git a/pf_vpn/27.png b/pf_vpn/27.png
new file mode 100644
index 0000000..6ec0b20
Binary files /dev/null and b/pf_vpn/27.png differ
diff --git a/pf_vpn/28.png b/pf_vpn/28.png
new file mode 100644
index 0000000..42c5928
Binary files /dev/null and b/pf_vpn/28.png differ
diff --git a/pf_vpn/29.png b/pf_vpn/29.png
new file mode 100644
index 0000000..f0f1587
Binary files /dev/null and b/pf_vpn/29.png differ
diff --git a/pf_vpn/3.png b/pf_vpn/3.png
new file mode 100644
index 0000000..4c59881
Binary files /dev/null and b/pf_vpn/3.png differ
diff --git a/pf_vpn/30.png b/pf_vpn/30.png
new file mode 100644
index 0000000..71c8ccf
Binary files /dev/null and b/pf_vpn/30.png differ
diff --git a/pf_vpn/31.png b/pf_vpn/31.png
new file mode 100644
index 0000000..1c5cc86
Binary files /dev/null and b/pf_vpn/31.png differ
diff --git a/pf_vpn/32.png b/pf_vpn/32.png
new file mode 100644
index 0000000..499871c
Binary files /dev/null and b/pf_vpn/32.png differ
diff --git a/pf_vpn/33.png b/pf_vpn/33.png
new file mode 100644
index 0000000..c0372a8
Binary files /dev/null and b/pf_vpn/33.png differ
diff --git a/pf_vpn/34.png b/pf_vpn/34.png
new file mode 100644
index 0000000..23579e9
Binary files /dev/null and b/pf_vpn/34.png differ
diff --git a/pf_vpn/35.png b/pf_vpn/35.png
new file mode 100644
index 0000000..884470f
Binary files /dev/null and b/pf_vpn/35.png differ
diff --git a/pf_vpn/4.png b/pf_vpn/4.png
new file mode 100644
index 0000000..e32d8bd
Binary files /dev/null and b/pf_vpn/4.png differ
diff --git a/pf_vpn/5.png b/pf_vpn/5.png
new file mode 100644
index 0000000..c1fe79d
Binary files /dev/null and b/pf_vpn/5.png differ
diff --git a/pf_vpn/6.png b/pf_vpn/6.png
new file mode 100644
index 0000000..ff2d16a
Binary files /dev/null and b/pf_vpn/6.png differ
diff --git a/pf_vpn/7.png b/pf_vpn/7.png
new file mode 100644
index 0000000..7f9caef
Binary files /dev/null and b/pf_vpn/7.png differ
diff --git a/pf_vpn/8.png b/pf_vpn/8.png
new file mode 100644
index 0000000..7d2c4bc
Binary files /dev/null and b/pf_vpn/8.png differ
diff --git a/pf_vpn/9.png b/pf_vpn/9.png
new file mode 100644
index 0000000..27c86cf
Binary files /dev/null and b/pf_vpn/9.png differ
diff --git a/pf_vpn/index.md b/pf_vpn/index.md
new file mode 100644
index 0000000..54e3d99
--- /dev/null
+++ b/pf_vpn/index.md
@@ -0,0 +1,80 @@ +# Pfsense site-to-site VPN + +![](0.png) + +In this tutorial we're going to look at how to setup a Site-To-Site VPN using pfsense's OpenVPN implementation. Before you start, make sure you have a similar network graph as shown above, with at least 1 host inside each of the 2 lans to access both pfsense's web interface. You can check out [this](../pf_prox/index.md) tutorial to set it up on proxmox. + +## **Site A (10.0.0.0/16)** + +We're going to start on Site A (10.0.0.0/16) simply go on your pfsense's Web Interface: + +![](1.png) ![](2.png) ![](3.png) + +Leave the rest as default, then hit 'Save' at the bottom of the page. + +![](4.png) ![](5.png) + +Next add a WAN rule for openvpn traffic: + +![](6.png) + +Once that's done we want to add a OpenVPN rule to allow all traffic inside the VPN tunnel: + +![](7.png) ![](8.png) + +Once that's done, hit 'Apply Changes' + +![](9.png) + +Now go get the shared key and copy it: + +![](10.png) + +## **Site B (10.2.0.0/16)** + +First thing on Site B is to get to the second pfsense's Web Interface (10.2.0.1/16): + +![](11.png) ![](12.png) + +Now for the next part you need to find a way to copy **Site A's shared key, over to our Site B's pfsense web interface.** What i did was basically create a debian10 CT on proxmox (because i know you can easily switch them from one network to another without powering them off) Then pasted the key into **/tmp/randomfile.txt** , then moved it into the second LAN to activate **python3 -m http.server 8080** (which i then accessed from the other windows host in that same lan) to finish the copy paste process. + +![](13.png) + +Once that's done, specify the Tunnel Network (10.99.99.0/24) AND the remote IPv4 Network (10.0.0.0/16) + +![](14.png) + +And just hit 'Save' at the bottom of the page. + +![](15.png) ![](16.png) + +And as you can see once you check the OpenVPN status from the client Site (Site B) you see that there are bytes sent and recieved. This means that it worked ! 
so let's test the connection from 10.2.0.0/16 to 10.99.99.0/24 to 10.0.0.0/16: + +![](17.png) + +As you can see we are able to reach both our siteB's LAN and VPN pfsense interfaces, but we still can't reach the other side, that's because we forgot to add a rule to allow the VPN traffic on the SiteB pfsense, so let's add it: + +![](18.png) + +Just like before we basically want to allow all VPN traffic: + +![](19.png) + +We also want to allow the OpenVPN traffic: + +![](20.png) ![](21.png) + +Then hit 'Save' and 'Apply changes', + +## **Testing the connection** + +Once you finished that, enable the OVPN interfaces : + +![](30.png) ![](31.png) ![](32.png) ![](33.png) + +Once you're here you can finally test the connectivity in between hosts, you can just use the **ping** command, but to illustrate the interaction with the VPN we're going to use **traceroute** utility: + +![](34.png) + +And that's it! we managed to create a Site-To-Site Pfsense VPN connection. + diff --git a/phpfilesafe/1.png b/phpfilesafe/1.png new file mode 100644 index 0000000..401a13a Binary files /dev/null and b/phpfilesafe/1.png differ diff --git a/phpfilesafe/2.png b/phpfilesafe/2.png new file mode 100644 index 0000000..dc5f1c6 Binary files /dev/null and b/phpfilesafe/2.png differ diff --git a/phpfilesafe/3.png b/phpfilesafe/3.png new file mode 100644 index 0000000..99f8e42 Binary files /dev/null and b/phpfilesafe/3.png differ diff --git a/phpfilesafe/4.png b/phpfilesafe/4.png new file mode 100644 index 0000000..c32051e Binary files /dev/null and b/phpfilesafe/4.png differ diff --git a/phpfilesafe/index.md b/phpfilesafe/index.md new file mode 100644 index 0000000..48d512d --- /dev/null +++ b/phpfilesafe/index.md 
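Review bot: The OpenVPN shared key is relayed across the LAN with `python3 -m http.server 8080` and copied through a browser, i.e. over cleartext HTTP that any host on that segment can read; whoever holds that static key can decrypt or join the tunnel, so it should travel over an authenticated channel (scp to the host, or pasting through the pfSense SSH/console session) and the http.server should be stopped as soon as the copy is done. The page should also say that a static shared key provides no forward secrecy and that upstream OpenVPN has deprecated static-key mode in recent releases, so a certificate (TLS) site-to-site is the better long-term choice. The OpenVPN firewall rules on both sites "allow all traffic", which makes the two /16 LANs fully routable into each other; that is fine for a lab, but a note that production rules should be restricted by source and destination belongs next to those screenshots.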
@@ -0,0 +1,81 @@ +# PHP LainSafe + +![](logo.png) + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +## **Initial Setup** + + + apt update -y && apt upgrade -y + apt install nginx php7.4-fpm curl php7.4-common socat -y + systemctl enable --now nginx php7.4-fpm + + + +Next get yourself a domain name, you can use [DuckDNS](https://www.duckdns.org/) + +![](1.png) + +## **Nginx Configuration** + +Next configure nginx: + + + mkdir /var/www/html/filesafe + mkdir /var/www/html/filesafe/uploads/ + + wget https://blog.nowhere.moe/servers/phpfilesafe/phpfilesafe.conf -O /etc/nginx/conf.d/phpfilesafe.conf + + wget https://blog.nowhere.moe/servers/phpfilesafe/logo.png -O /var/www/html/filesafe/logo.png + wget https://blog.nowhere.moe/wallpaper.png -O /var/www/html/filesafe/wallpaper.png + wget https://blog.nowhere.moe/servers/phpfilesafe/html/index.php -O /var/www/html/filesafe/index.php + wget https://blog.nowhere.moe/servers/phpfilesafe/html/style.css -O /var/www/html/filesafe/style.css + wget https://blog.nowhere.moe/servers/phpfilesafe/html/upload.php -O /var/www/html/filesafe/upload.php + + cd /var/www/html/filesafe + chown -R www-data: . 
+ + +Then get your free letsencrypt certificate using acme.sh: + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + + + + + systemctl stop nginx + acme.sh --issue --standalone -d ech2.duckdns.org -k 4096 + systemctl start nginx + + nano /etc/nginx/conf.d/phpfilesafe.conf + + +Edit the nginx config to have your own domain name: + +![](2.png) + +Once you're done, hit CTRL+S to save and CTRL+X to exit nano and just reload nginx, and view the website: + +## **End Result** + +Reload the nginx configuration since we modified it: + + + nginx -t + nginx -s reload + + + +Then just browse to your website: + +![](3.png) + +And you're done! just upload your files (png, jpg, jpeg, pdf) (you can edit the extensions you want in upload.php) + +![](4.png) + +If you want you can also edit the maximum filesize in the upload.php file (line 36) + diff --git a/phpfilesafe/logo.png b/phpfilesafe/logo.png new file mode 100644 index 0000000..26ea40e Binary files /dev/null and b/phpfilesafe/logo.png differ diff --git a/pihole/0.png b/pihole/0.png new file mode 100644 index 0000000..ce0807e Binary files /dev/null and b/pihole/0.png differ diff --git a/pihole/1.png b/pihole/1.png new file mode 100644 index 0000000..10fb8b3 Binary files /dev/null and b/pihole/1.png differ diff --git a/pihole/2.png b/pihole/2.png new file mode 100644 index 0000000..94bedae Binary files /dev/null and b/pihole/2.png differ diff --git a/pihole/3.png b/pihole/3.png new file mode 100644 index 0000000..aad7aeb Binary files /dev/null and b/pihole/3.png differ diff --git a/pihole/index.md b/pihole/index.md new file mode 100644 index 0000000..790a2d3 --- /dev/null +++ b/pihole/index.md 
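Review bot: `chown -R www-data: .` at the end of the Nginx Configuration step gives the PHP-FPM user ownership of index.php and upload.php as well, so any flaw in the upload handler would let the web process rewrite the application itself; only the uploads directory needs to be writable: `chown -R root:www-data /var/www/html/filesafe` followed by `chown www-data: /var/www/html/filesafe/uploads`. The nginx config is fetched from blog.nowhere.moe and not shown on the page, so it should be confirmed (or stated here) that PHP execution is denied under /uploads/, since the extension allow-list mentioned for upload.php is not on its own enough to keep uploaded content from being executed. `wget -O - https://get.acme.sh | sh` and the five files wget'd straight into the web root are run and served unreviewed; pinning a release and reading upload.php before deploying it is the safer workflow. The `acme.sh --issue --standalone -d ech2.duckdns.org -k 4096` line hardcodes the author's domain, so a "replace with your own domain" remark there would match the later "Edit the nginx config to have your own domain name" step.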
@@ -0,0 +1,250 @@ +# pihole Setup + +![](0.png) + +## **Initial Setup** + +![]() + + + [ nowhere.yt ] [ /dev/pts/1 ] [~] + → sudo apt-get install wget curl net-tools gamin lighttpd lighttpd-mod-deflate + + [ nowhere.yt ] [ /dev/pts/1 ] [~] + → curl -sSL https://install.pi-hole.net | PIHOLE_SKIP_OS_CHECK=true sudo -E bash + + [ nowhere.yt ] [ /dev/pts/1 ] [~] + → sudo pihole -a -p + Enter New Password (Blank for no password): + Confirm Password: + [✓] New password set + + + + +To forcefully block domains via regex you can do the following: + +![](1.png) ![](2.png) + + + [ nowhere.yt ] [ /dev/pts/1 ] [~] + → pihole -up + [✓] Update local cache of available packages + [i] Existing PHP installation detected : PHP version 7.4.28 + [✓] Checking for git + [✓] Checking for iproute2 + [✓] Checking for whiptail + [✓] Checking for ca-certificates + + [i] Checking for updates... + [i] Pi-hole Core: up to date + [i] Web Interface: up to date + [i] FTL: up to date + + [✓] Everything is up to date! + + + +Now if we want to have a https interface we do the following; + +![]() + + + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → systemctl disable lighttpd.service --now + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → apt install nginx php7.4-{fpm,cgi,xml,sqlite3,intl} apache2-utils socat -y + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → systemctl enable nginx php7.4-fpm --now + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → vim /etc/nginx/sites-available/default + + + + + server { + listen 80; + listen [::]:80; + server_name ns1.void.yt; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ns1.void.yt; + + ssl_certificate /root/.acme.sh/ns1.void.yt/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/ns1.void.yt/ns1.void.yt.cer; + ssl_certificate_key /root/.acme.sh/ns1.void.yt/ns1.void.yt.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 
'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + root /var/www/html; + server_name _; + autoindex off; + + index pihole/index.php index.php index.html index.htm; + + location / { + expires max; + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; + fastcgi_pass unix:/run/php/php7.4-fpm.sock; + fastcgi_param FQDN true; + auth_basic "Restricted"; # For Basic Auth + auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth + } + + location /*.js { + index pihole/index.js; + auth_basic "Restricted"; # For Basic Auth + auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth + } + + location /admin { + root /var/www/html; + index index.php index.html index.htm; + auth_basic "Restricted"; # For Basic Auth + auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth + } + + location ~ /\.ht { + deny all; + } + } + + :wq + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → nginx -t + nginx: [emerg] cannot load certificate "/root/.acme.sh/ns1.void.yt/fullchain.cer": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No 
such file or directory:fopen('/root/.acme.sh/ns1.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file) + nginx: configuration file /etc/nginx/nginx.conf test failed + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → wget -O - https://get.acme.sh | sh + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → zsh + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → acme.sh --set-default-ca --server letsencrypt + [Sun 03 Apr 2022 09:05:46 AM UTC] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory + + [ ns2.void.yt ] [ /dev/pts/0 ] [~] + → systemctl stop nginx + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → acme.sh --issue --standalone -d ns1.void.yt -k 4096 + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → systemctl start nginx + + [ nowhere.yt ] [ /dev/pts/2 ] [~] + → htpasswd -c /etc/nginx/.htpasswd nothing + New password: + Re-type new password: + Adding password for user nothing + + + +then we make pihole update automatically every day via cronjob and test it: + + + [ ns2.void.yt ] [ /dev/pts/0 ] [~] + → crontab -e + + 0 0 * * * /usr/local/bin/pihole -up + 0 0 * * * /usr/local/bin/pihole -g + :wq + + [ ns2.void.yt ] [ /dev/pts/0 ] [~] + → wget https://github.com/cronitorio/cronitor-cli/releases/download/28.8/linux_amd64.tar.gz -q + + [ ns2.void.yt ] [ /dev/pts/0 ] [~] + → sudo tar xvf linux_amd64.tar.gz -C /usr/bin/ + cronitor + + [ ns2.void.yt ] [ /dev/pts/0 ] [~] + → sudo cronitor configure --api-key 1234567890 + + Configuration File: + /etc/cronitor/cronitor.json + + Version: + 28.8 + + API Key: + 1234567890 + + Ping API Key: + Not Set + + Environment: + Not Set + + Hostname: + ns2 + + Timezone Location: + {Etc/UTC} + + Debug Log: + Off + + [ ns2.void.yt ] [ /dev/pts/0 ] [~] + → cronitor select + + ✔ /usr/local/bin/pihole -up + ----► Running command: /usr/local/bin/pihole -up + + 
[✓] Update local cache of available packages + [i] Existing PHP installation detected : PHP version 7.4.28 + [✓] Checking for git + [✓] Checking for iproute2 + [✓] Checking for whiptail + [✓] Checking for ca-certificates + + [i] Checking for updates... + [i] Pi-hole Core: up to date + [i] Web Interface: up to date + [i] FTL: up to date + + [✓] Everything is up to date! + + ----► ✔ Command successful Elapsed time 3.345s + + + +If you want to host a public pihole, then you need to tick the following option: + +![](3.png) + diff --git a/plainpad/0.png b/plainpad/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/plainpad/0.png differ diff --git a/plainpad/1.png b/plainpad/1.png new file mode 100644 index 0000000..25aef18 Binary files /dev/null and b/plainpad/1.png differ diff --git a/plainpad/2.png b/plainpad/2.png new file mode 100644 index 0000000..da73241 Binary files /dev/null and b/plainpad/2.png differ diff --git a/plainpad/3.png b/plainpad/3.png new file mode 100644 index 0000000..abc20e4 Binary files /dev/null and b/plainpad/3.png differ diff --git a/plainpad/4.png b/plainpad/4.png new file mode 100644 index 0000000..5279b03 Binary files /dev/null and b/plainpad/4.png differ diff --git a/plainpad/5.png b/plainpad/5.png new file mode 100644 index 0000000..afe37ae Binary files /dev/null and b/plainpad/5.png differ diff --git a/plainpad/6.png b/plainpad/6.png new file mode 100644 index 0000000..55d1d40 Binary files /dev/null and b/plainpad/6.png differ diff --git a/plainpad/7.png b/plainpad/7.png new file mode 100644 index 0000000..b26f351 Binary files /dev/null and b/plainpad/7.png differ diff --git a/plainpad/index.md b/plainpad/index.md new file mode 100644 index 0000000..d25c706 --- /dev/null +++ b/plainpad/index.md 
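Review bot: In the nginx `server` block only the `~ \.php$` and `/admin` locations carry `auth_basic`, `location /` serves everything else unauthenticated, and `location /*.js` never matches at all (a location with no modifier is a literal prefix match, so it would only apply to a URI beginning with the characters `/*.js`); if the whole interface is meant to sit behind basic auth, put `auth_basic "Restricted";` and `auth_basic_user_file /etc/nginx/.htpasswd;` once at server level and drop the `/*.js` block. The same server declares `server_name ns1.void.yt;` and later `server_name _;`; the second directive adds a dummy name that never matches a Host header, so it is dead config carried over from the default site. `ssl_trusted_certificate` points at the leaf `ns1.void.yt.cer` rather than the issuer chain that `ssl_stapling_verify` needs; acme.sh writes that chain to `ca.cer` in the same directory (the perlite hunk's acme.sh output shows this), so presumably that is the file intended. `curl -sSL https://install.pi-hole.net | PIHOLE_SKIP_OS_CHECK=true sudo -E bash` executes an unreviewed remote script as root, and `wget -O - https://get.acme.sh | sh` later in the hunk does the same as the current user; downloading, reading and then running each script is the safer habit. The closing step enables a public resolver; an open recursive resolver is a DNS amplification vector, so a sentence about rate limiting and restricting client networks at the firewall belongs next to that screenshot.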
@@ -0,0 +1,144 @@ +# PlainPad + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Initial Setup** + +First install the required dependencies: + + + + apt update -y && apt upgrade -y + apt install -y curl mariadb-server git npm unzip nginx php7.3-{mysql,curl,zip,fpm,bcmath,ctype,fileinfo,json,mbstring,pdo,tokenizer,xml} + php -i | grep -i openssl + + php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" + php composer-setup.php --install-dir=/usr/local/bin/ --filename=composer + which composer + + + + + +Get on the releases page and get the latest zip, currently it is at version beta.4 : + + + cd /var/www/ + mkdir plainpad + cd plainpad + wget https://github.com/alextselegidis/plainpad/releases/download/1.0.0-beta.4/plainpad-1.0.0-beta.4.zip + unzip plainpad-1.0.0-beta.4.zip + + cp .env.example .env + nano .env + ![](1.png) + + + mysql -u root -p + create database plainpad; + create user 'plainpad'@'localhost' identified by 'p@ssw0rd'; + grant all privileges on plainpad.* to 'plainpad'@'localhost'; + exit; + + php artisan migrate:fresh --seed + chown -R www-data: . 
+ + +![](2.png) + +## **Setting up Nginx** + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + + systemctl stop nginx + acme.sh --issue --standalone -d ech1.duckdns.org -k 4096 + + + nano /etc/nginx/sites-available/plainpad.conf + + + + server { + listen 80; + listen [::]:80; + server_name ech1.duckdns.org; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ech1.duckdns.org; + + ssl_certificate /root/.acme.sh/ech1.duckdns.org/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/ech1.duckdns.org/ech1.duckdns.org.cer; + ssl_certificate_key /root/.acme.sh/ech1.duckdns.org/ech1.duckdns.org.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + root /var/www/plainpad/public; + index index.html; + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } + } + + + + ln -s /etc/nginx/sites-available/plainpad.conf 
/etc/nginx/sites-enabled/plainpad.conf + nginx -t + systemctl start nginx + + + +## **Web interface** + +![](3.png) ![](4.png) ![](5.png) ![](6.png) + +And there you have it ! + +![](7.png) + diff --git a/portainer/0.png b/portainer/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/portainer/0.png differ diff --git a/portainer/1.png b/portainer/1.png new file mode 100644 index 0000000..97d520b Binary files /dev/null and b/portainer/1.png differ diff --git a/portainer/2.png b/portainer/2.png new file mode 100644 index 0000000..51eab44 Binary files /dev/null and b/portainer/2.png differ diff --git a/portainer/3.png b/portainer/3.png new file mode 100644 index 0000000..fe67d8c Binary files /dev/null and b/portainer/3.png differ diff --git a/portainer/4.png b/portainer/4.png new file mode 100644 index 0000000..95a5708 Binary files /dev/null and b/portainer/4.png differ diff --git a/portainer/5.png b/portainer/5.png new file mode 100644 index 0000000..79f2d14 Binary files /dev/null and b/portainer/5.png differ diff --git a/portainer/6.png b/portainer/6.png new file mode 100644 index 0000000..cf7759f Binary files /dev/null and b/portainer/6.png differ diff --git a/portainer/7.png b/portainer/7.png new file mode 100644 index 0000000..a96735e Binary files /dev/null and b/portainer/7.png differ diff --git a/portainer/8.png b/portainer/8.png new file mode 100644 index 0000000..b655caf Binary files /dev/null and b/portainer/8.png differ diff --git a/portainer/index.md b/portainer/index.md new file mode 100644 index 0000000..3a24e2b --- /dev/null +++ b/portainer/index.md 
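Review bot: `wget -O - https://get.acme.sh | sh` in the nginx section runs an unverified remote script as root; fetch it to a file, inspect it and run it explicitly (`wget -O acme-install.sh https://get.acme.sh`, review, then `sh acme-install.sh`), or install acme.sh from a pinned release so the step is reproducible. The same applies to the application itself: `wget .../plainpad-1.0.0-beta.4.zip` goes straight into `unzip` with no checksum or signature check. In Initial Setup the database password `p@ssw0rd` is created inline and `chown -R www-data: .` then hands ownership of the whole application tree, including `.env`, to the PHP worker, so a compromised PHP process can read the credentials and rewrite the code; use a generated password, keep the code root-owned with `www-data` owning only the directories PlainPad needs to write (presumably Laravel's `storage/` and `bootstrap/cache/` given the `artisan` usage — confirm against its docs), and `chmod 640 .env`. In the nginx server block `ssl_trusted_certificate` points at the leaf `ech1.duckdns.org.cer`, but `ssl_stapling_verify on` needs the issuer chain to validate the OCSP response; point it at the `ca.cer` that acme.sh writes next to the leaf.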
@@ -0,0 +1,70 @@ +# Portainer Setup + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Initial Setup** + +First install the required dependencies + + + apt install curl docker.io docker-compose -y + systemctl enable docker + + docker pull portainer/portainer-ce + docker run --restart=always --name=portainer -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce + + + +Here goto port 9000 and create your admin user: + +![](1.png) ![](2.png) + +And we're in! 
now let's look at our local endpoint: + +![](3.png) + +goto containers: + +![](4.png) + +add nginx application: + +![](5.png) + +then add persistant folder just so you don't loose all your data in case the container dies (path to /data): + +![](6.png) + +Once that's done, you see that it's running, and it has port 32769 assigned: + +![](7.png) + +We can browse to it and see it: + +![](8.png) + +And that's it! we have been able to deploy a container thanks to portainer. + diff --git a/portforwarding/index.md b/portforwarding/index.md new file mode 100644 index 0000000..e667056 --- /dev/null +++ b/portforwarding/index.md 
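Review bot: `docker run ... -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer-ce` publishes the Portainer UI on every interface over plain HTTP, on a host the intro says is reachable from the public internet, and the mounted Docker socket makes that UI root-equivalent on the host. Until the admin user is created in the following step, whoever reaches port 9000 first can claim the instance, and afterwards the admin password travels in cleartext. Bind it locally and put it behind TLS, e.g. `-p 127.0.0.1:9000:9000` fronted by the nginx/acme.sh reverse proxy the other pages in this diff set up, or use Portainer's own TLS listener (`-p 9443:9443` on newer CE releases), and create the admin user immediately after the container starts. The image tag is unpinned (`portainer/portainer-ce` resolves to `latest`); pin a version so the tutorial and later redeployments pull the same code.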
@@ -0,0 +1,221 @@ +# portforwarding Setup + +In this tutorial we're going to look at how to port forward services from being local to VPSes. + +## **Initial Setup** + +Situation: you want to run some services locally. But you want them to be publicly accessible without revealing your public IP. + +Solution 1: install openvpn, and port forward through iptables, as seen on [](../mailprivate/index.md) + + + wget https://raw.githubusercontent.com/ech1/serverside/master/ovpn/openvpn-install.sh + chmod +x openvpn-install.sh + ./openvpn-install.sh + + #then install it, then run it again to add an user + + ./openvpn-install.sh + + Tell me a name for the client. + Use one word only, no special characters. + Client name: nothing + + Do you want to protect the configuration file with a password? + (e.g. encrypt the private key with a password) + 1) Add a passwordless client + 2) Use a password for the client + Select an option [1-2]: 2 + ⚠️ You will be asked for the client password below ⚠️ + + Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars + Using SSL: openssl OpenSSL 1.1.1j 16 Feb 2021 + Generating an EC private key + writing new private key to '/etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.mzvtcc' + Enter PEM pass phrase: + Verifying - Enter PEM pass phrase: + ----- + Using configuration from /etc/openvpn/easy-rsa/pki/easy-rsa-4185644.tXXER0/tmp.prBOSr + Check that the request matches the signature + Signature ok + The Subject's Distinguished Name is as follows + commonName :ASN.1 12:'nothing' + Certificate is to be certified until Apr 13 15:51:09 2024 GMT (825 days) + + Write out database with 1 new entries + Data Base Updated + + Client nothing added. + + The configuration file has been written to /root/nothing.ovpn. + Download the .ovpn file and import it in your OpenVPN client. 
+ + + + + + #then make it a systemd service to run openvpn on the client (from where the service runs): + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → sudo vim /etc/systemd/system/vpn.service + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → cat /etc/systemd/system/vpn.service + [Unit] + Description=VPN + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/usr/bin/openvpn /root/nothing.ovpn + ExecStop=kill -9 $(pidof openvpn) + Restart=always + + [Install] + WantedBy=multi-user.target + + [ 10.8.0.5/24 ] [ /dev/pts/22 ] [~] + → systemctl daemon-reload ; systemctl enable --now vpn ; ping 10.8.0.1 + + + + + + + #on the VPN server we forward the ports to the local VM via iptables: (change ens3 to the correct network interface + the correct ip) + + root@mail-gw:~# cat iptables_forwardrules.sh + #!/bin/bash + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 25 -j DNAT --to-destination 10.8.0.2:25 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 80 -j DNAT --to-destination 10.8.0.2:80 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 443 -j DNAT --to-destination 10.8.0.2:443 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 143 -j DNAT --to-destination 10.8.0.2:143 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 465 -j DNAT --to-destination 10.8.0.2:465 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 587 -j DNAT --to-destination 10.8.0.2:587 + iptables -A PREROUTING -t nat -i ens3 -p tcp -d 23.137.250.140 --dport 993 -j DNAT --to-destination 10.8.0.2:993 + + root@mail:~# chmod +x iptables_forwardrules.sh + root@mail:~# ./iptables_forwardrules.sh + + #from the VM we allow the packets to be forwarded to us: + + root@mail-nihilism:~# cat iptables_forwardrules.sh + #!/bin/bash + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 25 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 143 -j 
ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 465 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 587 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 993 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 443 -j ACCEPT + iptables -A FORWARD -p tcp -d 10.8.0.2 --dport 80 -j ACCEPT + + root@mail-nihilism:~# chmod +x iptables_forwardrules.sh + root@mail-nihilism:~# ./iptables_forwardrules.sh + + + +you also need to allow the ip forwarding (change ens3 to the correct network interface): + + + root@mail-gw:~# sysctl net.ipv4.conf.ens3.forwarding=1 + net.ipv4.conf.ens3.forwarding = 1 + root@mail-gw:~# sysctl net.ipv6.conf.ens3.forwarding=1 + net.ipv6.conf.ens3.forwarding = 1 + root@mail-gw:~# echo " net.ipv6.conf.ens3.forwarding=1" >>/etc/sysctl.conf + root@mail-gw:~# echo " net.ipv4.conf.ens3.forwarding=1" >>/etc/sysctl.conf + root@mail-gw:~# sysctl -p + net.ipv6.conf.ens3.forwarding = 1 + net.ipv4.conf.ens3.forwarding = 1 + + #for arch users, install libvirt: + sudo pacman -S libvirt + vim /etc/sysctl.d/30-ipforward.conf + cat /etc/sysctl.d/30-ipforward.conf + net.ipv4.ip_forward=1 + net.ipv6.conf.default.forwarding=1 + net.ipv6.conf.all.forwarding=1 + + [ nihilism ] [ /dev/pts/1 ] [~] + → sysctl net.ipv4.ip_forward=1 + net.ipv4.ip_forward = 1 + + + +If that doesnt work, do it via nginx: + + + #on the server: + + apt install nginx libnginx-mod-stream -y + systemctl stop nginx + + [ nowhere.moe ] [ /dev/pts/7 ] [~] + → vim /etc/nginx/nginx.conf + + [ nowhere.moe ] [ /dev/pts/7 ] [~] + → cat /etc/nginx/nginx.conf + user www-data; + worker_processes auto; + pid /run/nginx.pid; + error_log /var/log/nginx/error.log; + include /etc/nginx/modules-enabled/*.conf; + + events { + [...] + } + + http { + [...] 
+ } + + stream { + server { + listen 3389; # tcp port forwarding + proxy_pass 10.8.0.3:3389; + } + server { + listen 25565; # tcp port forwarding + proxy_pass 10.8.0.2:25565; + } + server { + listen 25565 udp; # udp port forwarding + proxy_pass 10.8.0.2:25565; + proxy_responses 0; + } + } + + [ nowhere.moe ] [ /dev/pts/7 ] [~] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/7 ] [~] + → systemctl start nginx + + # then just test if the ports are opened: + + [ nowhere.moe ] [ /dev/pts/7 ] [~] + → nmap 10.8.0.2 -p 25565 + Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-21 17:15 CEST + Nmap scan report for 10.8.0.2 + Host is up (0.022s latency). + + PORT STATE SERVICE + 25565/tcp open minecraft + + Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds + + [ 10.0.2.2/24 ] [ /dev/pts/26 ] [~/Nextcloud/blog] + → nmap nowhere.moe -p 25565 + Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-21 17:15 CEST + Nmap scan report for nowhere.moe (116.202.216.190) + Host is up (0.023s latency). + + PORT STATE SERVICE + 25565/tcp open minecraft + + Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds + + + diff --git a/privatebin/1.png b/privatebin/1.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/privatebin/1.png differ diff --git a/privatebin/2.png b/privatebin/2.png new file mode 100644 index 0000000..5d70142 Binary files /dev/null and b/privatebin/2.png differ diff --git a/privatebin/3.png b/privatebin/3.png new file mode 100644 index 0000000..a9d3695 Binary files /dev/null and b/privatebin/3.png differ diff --git a/privatebin/4.png b/privatebin/4.png new file mode 100644 index 0000000..c7b792c Binary files /dev/null and b/privatebin/4.png differ diff --git a/privatebin/5.png b/privatebin/5.png new file mode 100644 index 0000000..083e32c Binary files /dev/null and b/privatebin/5.png differ 
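Review bot: Enabling forwarding on `mail-gw` (`sysctl net.ipv4.conf.ens3.forwarding=1`) with only DNAT rules and no FORWARD policy lets the gateway forward any traffic between `ens3` and the VPN clients, not just the seven DNAT'd ports; meanwhile the `iptables -A FORWARD ... -j ACCEPT` rules are added on the VM (`mail-nihilism`, 10.8.0.2) where, if that VM is the final destination, the FORWARD chain is never traversed, so they do nothing. On `mail-gw` set a default deny and allow only the forwarded ports plus return traffic: `iptables -P FORWARD DROP`, `iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, `iptables -A FORWARD -i ens3 -o tun0 -d 10.8.0.2 -p tcp -m multiport --dports 25,80,143,443,465,587,993 -j ACCEPT` (adjust `tun0` to the OpenVPN interface). Neither script persists the rules (e.g. `netfilter-persistent save`), so after a reboot the DNAT is gone while forwarding stays enabled via `/etc/sysctl.conf`. In `vpn.service`, `ExecStop=kill -9 $(pidof openvpn)` is not shell-expanded by systemd and is unnecessary; drop the line and let systemd's default SIGTERM stop the process. As on the other pages, `openvpn-install.sh` is fetched from a third-party GitHub fork and executed as root without any checksum or review.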
diff --git a/privatebin/6.png b/privatebin/6.png new file mode 100644 index 0000000..aa7e4fa Binary files /dev/null and b/privatebin/6.png differ diff --git a/privatebin/7.png b/privatebin/7.png new file mode 100644 index 0000000..cef342f Binary files /dev/null and b/privatebin/7.png differ diff --git a/privatebin/8.png b/privatebin/8.png new file mode 100644 index 0000000..84cca4f Binary files /dev/null and b/privatebin/8.png differ diff --git a/privatebin/9.png b/privatebin/9.png new file mode 100644 index 0000000..bc99aa4 Binary files /dev/null and b/privatebin/9.png differ diff --git a/privatebin/index.md b/privatebin/index.md new file mode 100644 index 0000000..b1a56f2 --- /dev/null +++ b/privatebin/index.md 
@@ -0,0 +1,185 @@ +# PrivateBin (pastebin) + +![](logo.png) + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](1.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Initial Setup:** + +First install the dependencies: + + + apt update -y && apt upgrade -y + apt install curl socat git php8.2 php8.2-{fpm,xml,gd,mbstring,mysql,common} mariadb-server nginx -y + + #for arch users: + pacman -S nginx php7-fpm + #systemctl enable --now php-fpm7 mysql + + + +Enable nginx: + + + apt remove apache2 -y + apt purge apache2 -y + + systemctl enable --now nginx mysql + wget https://blog.nowhere.moe/servers/privatebin/privatebin.conf -O /etc/nginx/sites-available/privatebin.conf + ln -s /etc/nginx/sites-available/privatebin.conf /etc/nginx/sites-enabled/privatebin.conf + rm /etc/nginx/sites-available/default + rm /etc/nginx/sites-enabled/default + + #for arch users: + mariadb-install-db --user=root --basedir=/usr --datadir=/var/lib/mysql + chown -R mysql:mysql /var/lib/mysql + systemctl enable --now mariadb + + [ 127.0.0.1/8 ] [ /dev/pts/6 ] [/srv] + → cat /etc/php7/php-fpm.d/www.conf | grep fpm.sock + listen = /run/php-fpm7/php-fpm.sock #put this path in the nginx config for arch servers + + #and then make sure nginx can read that sock file: + + + + +Install acme.sh and get your free letsencrypt certificate: + + + wget -O - https://get.acme.sh | sh + source ~/.bashrc + systemctl stop nginx + acme.sh --issue --standalone -d ech4.duckdns.org -k 4096 + nginx -t + + +![](2.png) + +Then edit the nginx config: + + + /etc/nginx/conf.d/privatebin.conf + + + +![](3.png) + +Then install Privatebin: + + + cd /var/www/html/ && git clone https://github.com/PrivateBin/PrivateBin.git + chown -R www-data:www-data PrivateBin/ + mysql_secure_installation + + Enter current password for root (enter for none): Enter + Set root password? [Y/n]: Y + New password: P@SSW0RD + Re-enter new password: P@SSW0RD + Remove anonymous users? [Y/n]: Y + Disallow root login remotely? [Y/n]: Y + Remove test database and access to it? [Y/n]: Y + Reload privilege tables now? 
[Y/n]: Y + + + + + mysql -u root -p + CREATE DATABASE privatebin DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci; + CREATE USER 'privatebin'@'localhost' IDENTIFIED BY 'P@SSW0RD'; + GRANT ALL PRIVILEGES ON privatebin.* TO 'privatebin'@'localhost'; + exit; + + + + + cd /var/www/html/PrivateBin/cfg + cp conf.sample.php conf.php + wget https://blog.nowhere.moe/servers/privatebin/conf.php -O conf.php + nano conf.php + + + +You can edit the config if you want, the important part being the following: + + + ; [model] + ; name of data model class to load and directory for storage + ; the default model "Filesystem" stores everything in the filesystem + ; class = Filesystem + ; [model_options] + ; dir = PATH "data" + + [model] + class = Database + [model_options] + dsn = "mysql:host=localhost;dbname=privatebin;charset=UTF8" + tbl = "privatebin_" ; table prefix + usr = "privatebin" + pwd = "P@SSW0RD" + opt[12] = true ; PDO::ATTR_PERSISTENT + + + +add timezones to both php.inis + + + cd /etc/php/8.2/ + + echo 'date.timezone = Europe/Paris' >> fpm/php.ini + echo 'date.timezone = Europe/Paris' >> cli/php.ini + + + +Restart services + + + systemctl restart php8.2-fpm nginx + + + +## **Testing** + +Next just browse to your website: + +![](5.png) + +Here we can see that our https config is correct, we're using TLS1.3, which means our pastebins cannot be transmitted over the network as a plaintext field, it is encrypted it can only be read by you and the server in theory: + +![](4.png) + +To create a private paste just write your text, give it an expiry date, and a password: + +![](6.png) + +after clicking "send" just give the link to someone else to open it: + +![](7.png) ![](8.png) + +Enter the P@SSW0RD and there you have it: + +![](9.png) + diff --git a/privatebin/logo.png b/privatebin/logo.png new file mode 100644 index 0000000..8f31065 Binary files /dev/null and b/privatebin/logo.png differ 
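Review bot: `git clone https://github.com/PrivateBin/PrivateBin.git` deploys whatever is on the default branch at clone time rather than a release; check out a tagged release (`git clone --branch <tag> --depth 1 ...`) or use the release tarball so upgrades and audits are reproducible. The same literal `P@SSW0RD` is used for the MariaDB root account in `mysql_secure_installation`, for the `privatebin` user and in `conf.php`'s `pwd =`; use two distinct generated secrets and keep them out of the page. As far as I know PrivateBin protects `cfg/`, `lib/`, `tpl/` and `data/` with Apache `.htaccess` files, which nginx ignores; the site config is fetched from `blog.nowhere.moe/.../privatebin.conf` and is not shown here, so confirm it carries an equivalent `location ~ ^/(cfg|lib|tpl|vendor|bin|data)/ { deny all; }` block, since the `conf.php` holding the DB password lives under `cfg/`. The Testing paragraph says the paste "can only be read by you and the server in theory", which misstates the model: PrivateBin encrypts in the browser and the key is carried in the URL fragment, so the server never sees plaintext, while TLS protects the transport, metadata and the paste URL — suggest rewording it to say that.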
diff --git a/progra/0.png b/progra/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/progra/0.png differ diff --git a/progra/1.png b/progra/1.png new file mode 100644 index 0000000..9e33e88 Binary files /dev/null and b/progra/1.png differ diff --git a/progra/10.png b/progra/10.png new file mode 100644 index 0000000..1eb01c0 Binary files /dev/null and b/progra/10.png differ diff --git a/progra/11.png b/progra/11.png new file mode 100644 index 0000000..843eb50 Binary files /dev/null and b/progra/11.png differ diff --git a/progra/12.png b/progra/12.png new file mode 100644 index 0000000..9d46cbf Binary files /dev/null and b/progra/12.png differ diff --git a/progra/13.png b/progra/13.png new file mode 100644 index 0000000..67d0e04 Binary files /dev/null and b/progra/13.png differ diff --git a/progra/14.png b/progra/14.png new file mode 100644 index 0000000..1f4c45f Binary files /dev/null and b/progra/14.png differ diff --git a/progra/15.png b/progra/15.png new file mode 100644 index 0000000..bb6a19a Binary files /dev/null and b/progra/15.png differ diff --git a/progra/16.png b/progra/16.png new file mode 100644 index 0000000..06b06f0 Binary files /dev/null and b/progra/16.png differ diff --git a/progra/17.png b/progra/17.png new file mode 100644 index 0000000..4440711 Binary files /dev/null and b/progra/17.png differ diff --git a/progra/18.png b/progra/18.png new file mode 100644 index 0000000..4485564 Binary files /dev/null and b/progra/18.png differ diff --git a/progra/19.png b/progra/19.png new file mode 100644 index 0000000..27435aa Binary files /dev/null and b/progra/19.png differ diff --git a/progra/2.png b/progra/2.png new file mode 100644 index 0000000..c99119a Binary files /dev/null and b/progra/2.png differ diff --git a/progra/20.png b/progra/20.png new file mode 100644 index 0000000..726ac0e Binary files /dev/null and b/progra/20.png differ 
diff --git a/progra/21.png b/progra/21.png new file mode 100644 index 0000000..bcace06 Binary files /dev/null and b/progra/21.png differ diff --git a/progra/22.png b/progra/22.png new file mode 100644 index 0000000..d38dd70 Binary files /dev/null and b/progra/22.png differ diff --git a/progra/3.png b/progra/3.png new file mode 100644 index 0000000..7886b19 Binary files /dev/null and b/progra/3.png differ diff --git a/progra/4.png b/progra/4.png new file mode 100644 index 0000000..e903a61 Binary files /dev/null and b/progra/4.png differ diff --git a/progra/5.png b/progra/5.png new file mode 100644 index 0000000..71feee5 Binary files /dev/null and b/progra/5.png differ diff --git a/progra/6.png b/progra/6.png new file mode 100644 index 0000000..50d13ea Binary files /dev/null and b/progra/6.png differ diff --git a/progra/7.png b/progra/7.png new file mode 100644 index 0000000..6ae5667 Binary files /dev/null and b/progra/7.png differ diff --git a/progra/8.png b/progra/8.png new file mode 100644 index 0000000..cf82a16 Binary files /dev/null and b/progra/8.png differ diff --git a/progra/9.png b/progra/9.png new file mode 100644 index 0000000..47c741b Binary files /dev/null and b/progra/9.png differ diff --git a/progra/index.md b/progra/index.md new file mode 100644 index 0000000..94e645c --- /dev/null +++ b/progra/index.md 
@@ -0,0 +1,168 @@ +# Prometheus Grafana + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Initial Setup** + +First let's update debian10 and download the latest prometheus tar.gz file from the [download page](https://prometheus.io/download/): + +![](1.png) + + + apt update -y && apt upgrade -y + wget https://github.com/prometheus/prometheus/releases/download/v2.22.1/prometheus-2.22.1.linux-amd64.tar.gz + tar xvzf prometheus-2.22.1.linux-amd64.tar.gz + cd prometheus-2.22.1.linux-amd64/ + + useradd -rs /bin/false prometheus + cp prometheus promtool /usr/local/bin + chown prometheus:prometheus /usr/local/bin/prometheus + + mkdir /etc/prometheus + cp -R consoles/ console_libraries/ prometheus.yml /etc/prometheus + + mkdir -p /data/prometheus + chown -R prometheus:prometheus /data/prometheus /etc/prometheus/* + + cd /lib/systemd/system + wget https://blog.nowhere.moe/servers/progra/p.service -O /lib/systemd/system/prometheus.service + + systemctl enable --now prometheus + systemctl status prometheus + + +![](2.png) + +Once that's done, prometheus is working, and we can get to the web interface on port 9090: + +![](3.png) + +Heading over to the Target tab we see that prometheus is working as expected: + +![](4.png) + +Next we're going to configure nginx as a reverse proxy: + + + apt install nginx -y + wget https://blog.nowhere.moe/servers/progra/p2.conf -O /etc/nginx/conf.d/prometheus.conf + nginx -s reload + wget https://blog.nowhere.moe/servers/progra/p2.service -O /lib/systemd/system/prometheus.service + systemctl daemon-reload + systemctl restart prometheus + + apt install apache2-utils gnupg -y + cd /etc/prometheus + htpasswd -c .credentials admin + + + +Once that's done, you can visit your website and it will ask you for a password to visit port 1234: + +![](5.png) ![](6.png) + +Test it there: + +![](7.png) + +Now that's done we need to install Grafana: + + + apt install -y apt-transport-https + apt install -y software-properties-common wget + wget -q -O - https://packages.grafana.com/gpg.key | sudo 
apt-key add - + echo "deb https://packages.grafana.com/enterprise/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list + + apt update -y + apt install grafana -y + + systemctl enable --now grafana-server + systemctl status grafana-server + + + +![](8.png) + +Now that's done, visit port 3000: + +![](9.png) + +The credentials are admin:admin + +![](10.png) + +Once you're done setting up the new password, create a new datasource: + +![](11.png) ![](12.png) ![](13.png) ![](14.png) + +Now that's done, install the node exporter: + +![](15.png) + + + cd ~ + wget https://github.com/prometheus/node_exporter/releases/download/v1.0.1/node_exporter-1.0.1.linux-amd64.tar.gz + tar xvzf node_exporter-1.0.1.linux-amd64.tar.gz + cd node_exporter-1.0.1.linux-amd64/ + cp node_exporter /usr/local/bin + useradd -rs /bin/false node_exporter + chown node_exporter:node_exporter /usr/local/bin/node_exporter + + wget https://blog.nowhere.moe/servers/progra/n.service -O /lib/systemd/system/node_exporter.service + systemctl enable --now node_exporter + systemctl status node_exporter + + + +![](16.png) + + + cd /etc/prometheus + nano prometheus.yml + + + +![](17.png) + +Now that you're done, hit CTRL+S to save, and CTRL+X to exit nano and restart prometheus: + + + systemctl restart prometheus + + + +You can verify it is working here: + +![](18.png) + +Now back on grafana on port 3000: + +![](19.png) ![](20.png) ![](21.png) + +Now that's done, make sure you put the relative time range of 5 minutes otherwise you won't see anything. + +![](22.png) + diff --git a/proxitok/1.png b/proxitok/1.png new file mode 100644 index 0000000..7f0dd92 Binary files /dev/null and b/proxitok/1.png differ diff --git a/proxitok/2.png b/proxitok/2.png new file mode 100644 index 0000000..a2daf30 Binary files /dev/null and b/proxitok/2.png differ diff --git a/proxitok/index.md b/proxitok/index.md new file mode 100644 index 0000000..493386d --- /dev/null +++ b/proxitok/index.md 
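Review bot: Prometheus is reached directly on port 9090 (presumably the default `0.0.0.0:9090`, since the page browses to it before nginx is installed), node_exporter on 9100 and Grafana on 3000 are likewise unbound, and the htpasswd-protected nginx proxy on port 1234 only guards the proxied path, so on a public VPS the raw endpoints stay reachable without authentication. Bind them to loopback — `--web.listen-address=127.0.0.1:9090` for prometheus, `--web.listen-address=127.0.0.1:9100` for node_exporter, `http_addr = 127.0.0.1` under `[server]` in grafana.ini — and expose only nginx; the `p2.service` and `n.service` units are downloaded from `blog.nowhere.moe` and not shown, so if they already set these flags the page should say so. `chown prometheus:prometheus /usr/local/bin/prometheus` and `chown node_exporter:node_exporter /usr/local/bin/node_exporter` make each binary writable by the unprivileged account that runs it; leave the binaries root-owned (`chown root:root`, mode 755) so a compromised exporter cannot replace its own executable. `wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -` uses the deprecated global keyring, which trusts that key for every repository; store it in `/etc/apt/keyrings/grafana.gpg` and reference it with `[signed-by=/etc/apt/keyrings/grafana.gpg]` in the `deb` line. The prometheus and node_exporter tarballs are also fetched with bare `wget`; verify them against the `sha256sums.txt` published with each release.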
@@ -0,0 +1,270 @@
+# proxitok Setup
+
+In this tutorial we're going to setup [proxitok](https://github.com/pablouser1/ProxiTok), a privacy front-end for tik tok (one of the most anti privacy services to ever exist.
+
+## **Initial Setup**
+
+Git clone the repo and run the docker-compose.yml file:
+
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv]
+ → git clone https://github.com/pablouser1/ProxiTok/ ; cd ProxiTok
+
+
+
+
+Then configure the docker-compose.yml file (comment the init line because it's not supported)
+
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
+ → vim docker-compose.yml
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
+ → cat docker-compose.yml
+ version: '3'
+
+ services:
+ web:
+ container_name: proxitok-web
+ image: ghcr.io/pablouser1/proxitok:master
+ ports:
+ - 8083:8080
+ environment:
+ - LATTE_CACHE=/cache
+ - API_CACHE=redis
+ - REDIS_HOST=proxitok-redis
+ - REDIS_PORT=6379
+ - API_SIGNER=remote
+ - API_SIGNER_URL=http://proxitok-signer:8080/signature
+ volumes:
+ - proxitok-cache:/cache
+ depends_on:
+ - redis
+ - signer
+ networks:
+ - proxitok
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+
+ redis:
+ container_name: proxitok-redis
+ image: redis:7-alpine
+ command: redis-server --save 60 1 --loglevel warning
+ restart: unless-stopped
+ networks:
+ - proxitok
+ user: nobody
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ tmpfs:
+ - /data:size=10M,mode=0770,uid=65534,gid=65534,noexec,nosuid,nodev
+ cap_drop:
+ - ALL
+
+ signer:
+ container_name: proxitok-signer
+ image: ghcr.io/pablouser1/signtok:master
+ #init: true
+ networks:
+ - proxitok
+ user: nobody
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+
+ volumes:
+ proxitok-cache:
+
+ networks:
+ proxitok:
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
+ → APP_URL='https://cringe.nowhere.moe' docker-compose up
+ ERROR: yaml.scanner.ScannerError: while scanning for the next 
token
+ found character '\t' that cannot start any token
+ in "./docker-compose.yml", line 51, column 1
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
+ → vim docker-compose.yml
+
+ [ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
+ → APP_URL='https://cringe.nowhere.moe' docker-compose up
+
+ Creating network "proxitok_proxitok" with the default driver
+ Creating volume "proxitok_proxitok-cache" with default driver
+ Pulling redis (redis:7-alpine)...
+ 7-alpine: Pulling from library/redis
+ 7264a8db6415: Pull complete
+ a28817da73be: Pull complete
+ 536ccaebaffb: Pull complete
+ f54d1871dea6: Pull complete
+ 4d190b4b6472: Pull complete
+ 33fcc95c965f: Pull complete
+ Digest: sha256:fd5de2340bc46cbc2241975ab027797c350dec6fd86349e3ac384e3a41be6fee
+ Status: Downloaded newer image for redis:7-alpine
+ Pulling signer (ghcr.io/pablouser1/signtok:master)...
+ master: Pulling from pablouser1/signtok
+ ca7dd9ec2225: Pull complete
+ 55371e6747e8: Pull complete
+ 694d6b1b2d1b: Pull complete
+ 71f41f5ff77d: Pull complete
+ 50e5da009459: Pull complete
+ 72e659781711: Pull complete
+ ef54da1b8443: Pull complete
+ 620d81797357: Pull complete
+ 5edc5725490e: Pull complete
+ Digest: sha256:b03fe2d10dfd6bed717c0f4a7d253908963a5e7f7ea9bf48855a3f74c924f3a7
+ Status: Downloaded newer image for ghcr.io/pablouser1/signtok:master
+ Pulling web (ghcr.io/pablouser1/proxitok:master)... 
+ master: Pulling from pablouser1/proxitok
+ 8a49fdb3b6a5: Pull complete
+ 496a743ca17d: Pull complete
+ 9e309b5f32ab: Pull complete
+ bf36d90371de: Pull complete
+ f110ea7c70c4: Pull complete
+ 5ee30eaa9898: Pull complete
+ d8373ae76156: Pull complete
+ c349c3fbbecc: Pull complete
+ 207a66f83a7e: Pull complete
+ 30774e576bfe: Pull complete
+ 9ef258ce6026: Pull complete
+ d72ddb753b3d: Pull complete
+ 48271c7b9504: Pull complete
+ 1a38beda4bc2: Pull complete
+ 14893ea479a0: Pull complete
+ 83ebfcff9ece: Pull complete
+ Digest: sha256:0a775a0933f86d83614e33e20995b4f3c75483e11a2fe466ac0d45ab80ead061
+ Status: Downloaded newer image for ghcr.io/pablouser1/proxitok:master
+ Creating proxitok-redis ... done
+ Creating proxitok-signer ... done
+ Creating proxitok-web ... done
+ Attaching to proxitok-signer, proxitok-redis, proxitok-web
+ proxitok-redis | 1:C 23 Aug 2023 10:27:06.333 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect. 
+ proxitok-signer | App listening on port: 8080
+ proxitok-web | 2023-08-23 10:27:06,854 INFO supervisord started with pid 1
+ proxitok-web | 2023-08-23 10:27:07,856 INFO spawned: 'nginx' with pid 7
+ proxitok-web | 2023-08-23 10:27:07,857 INFO spawned: 'php-fpm' with pid 8
+ proxitok-web | [23-Aug-2023 10:27:07] NOTICE: fpm is running, pid 8
+ proxitok-web | [23-Aug-2023 10:27:07] NOTICE: ready to handle connections
+ proxitok-web | 2023-08-23 10:27:08,883 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
+ proxitok-web | 2023-08-23 10:27:08,883 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
+
+
+
+
+Then configure the reverse nginx proxy:
+
+
+ [ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
+ → vim cringe.nowhere.moe.conf
+
+ [ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
+ → cat cringe.nowhere.moe.conf
+ server {
+ listen 443 ssl;
+ server_name cringe.nowhere.moe;
+
+ ssl_certificate /etc/acme/certs/cringe.nowhere.moe/cringe.nowhere.moe.cer;
+ ssl_certificate_key /etc/acme/certs/cringe.nowhere.moe/cringe.nowhere.moe.key;
+
+ ######## TOR CHANGES ########
+ listen 4443;
+ listen [::]:4443;
+ server_name cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
+ add_header Onion-Location "http://cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
+ ######## TOR CHANGES ########
+
+
+ ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ #ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; 
style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob: video.twimg.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://localhost:8083;
+ }
+
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+ }
+
+
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/srv/ProxiTok]
+ → systemctl stop nginx
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/srv/ProxiTok]
+ → bash
+ root@Datura /srv/ProxiTok # acme.sh --issue --standalone -d cringe.nowhere.moe -k 4096
+
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/srv/ProxiTok]
+ → systemctl start nginx
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
+ → ln -s /etc/nginx/sites-available/cringe.nowhere.moe.conf /etc/nginx/sites-enabled
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
+ → nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
+ → nginx -s reload
+ 2023/08/23 12:41:58 [notice] 3931966#3931966: signal process started
+
+
+
+Then check if it works:
+
+![](1.png) ![](2.png)
+
+And that's it! 
Now to update it just have this cronjob run every day:
+
+
+ [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
+ → crontab -e ; cronitor select
+
+ ✔ docker-compose -f /srv/ProxiTok/docker-compose.yml stop ; git -C /srv/ProxiTok/ pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml up -d
+ ----► Running command: docker-compose -f /srv/ProxiTok/docker-compose.yml stop ; git -C /srv/ProxiTok/ pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml up -d
+
+ Stopping proxitok-web ... done
+ Stopping proxitok-signer ... done
+ Stopping proxitok-redis ... done
+ Already up to date.
+ Pulling redis ... done
+ Pulling signer ... done
+ Pulling web ... done
+ Starting proxitok-redis ... done
+ Starting proxitok-signer ... done
+ Starting proxitok-web ... done
+
+ ----► ✔ Command successful Elapsed time 10.492s
+
+
+
+And then to contribute to the ecosystem, create a github issue to get listed on the official list of instances [here](https://github.com/pablouser1/ProxiTok/issues/169).
+
diff --git a/proxitok/o4smAoH.png b/proxitok/o4smAoH.png
new file mode 100644
index 0000000..e69de29
diff --git a/proxmox/1.png b/proxmox/1.png
new file mode 100644
index 0000000..84aa5d1
Binary files /dev/null and b/proxmox/1.png differ
diff --git a/proxmox/2.png b/proxmox/2.png
new file mode 100644
index 0000000..3cefcc5
Binary files /dev/null and b/proxmox/2.png differ
diff --git a/proxmox/3.png b/proxmox/3.png
new file mode 100644
index 0000000..70e674f
Binary files /dev/null and b/proxmox/3.png differ
diff --git a/proxmox/4.png b/proxmox/4.png
new file mode 100644
index 0000000..fe06977
Binary files /dev/null and b/proxmox/4.png differ
diff --git a/proxmox/5.png b/proxmox/5.png
new file mode 100644
index 0000000..5b0c5d2
Binary files /dev/null and b/proxmox/5.png differ
diff --git a/proxmox/6.png b/proxmox/6.png
new file mode 100644
index 0000000..68989d5
Binary files /dev/null and b/proxmox/6.png differ
diff --git a/proxmox/7.png b/proxmox/7.png
new file mode 100644
index 0000000..e7bbb5f
Binary files /dev/null and b/proxmox/7.png differ
diff --git a/proxmox/8.png b/proxmox/8.png
new file mode 100644
index 0000000..66500d2
Binary files /dev/null and b/proxmox/8.png differ
diff --git a/proxmox/index.md b/proxmox/index.md
new file mode 100644
index 0000000..46c5fcb
--- /dev/null
+++ b/proxmox/index.md
@@ -0,0 +1,77 @@
+# Proxmox (debian 10)
+
+![](logo.png)
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+## **Initial Setup**
+
+
+ apt update -y
+ apt upgrade -y
+ apt install curl gnupg -y
+
+
+
+Next go get a domain name you can use [DuckDNS](https://www.duckdns.org/) for that:
+
+![](1.png)
+
+Then test if the domain name points to your ip address correctly:
+
+![](2.png)
+
+
+ hostnamectl set-hostname proxmox.ech2.duckdns.org --static
+ echo "10.1.1.10 proxmox.ech2.duckdns.org proxmox" | sudo tee -a /etc/hosts
+
+
+
+Then we install the proxmox VE repository:
+
+
+ wget -qO - http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg | sudo apt-key add -
+ echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" | sudo tee /etc/apt/sources.list.d/pve-install-repo.list
+
+ sudo apt update && sudo apt dist-upgrade
+
+ passwd
+ #SET THE ROOT PASSWORD IF YOU HAVENT ALREADY !
+
+ echo "deb http://download.proxmox.com/debian/ceph-nautilus buster main" | sudo tee /etc/apt/sources.list.d/ceph.list
+
+ sudo apt install proxmox-ve postfix open-iscsi
+
+
+
+if you don't have a mail server in your network, choose local only:
+
+![](4.png)
+
+Just hit enter at everything else during that last apt install command, and then reboot the system:
+
+
+ sudo reboot now
+
+
+
+Then just get to proxmox's web interface:
+
+![](5.png)
+
+Select PAM and login as the root user (we setup root's password earlier):
+
+![](3.png)
+
+From here you're in the dashboard:
+
+![](6.png)
+
+Create a Linux Bridge called vmbr0:
+
+![](7.png) ![](8.png)
+
+## **Changing the Certificate**
+
+## **VM Creation**
+
diff --git a/proxmox/logo.png b/proxmox/logo.png
new file mode 100644
index 0000000..5668aee
Binary files /dev/null and b/proxmox/logo.png differ
diff --git a/raid1disks/0.png b/raid1disks/0.png
new file mode 100644
index 0000000..916ab1c
Binary files /dev/null and b/raid1disks/0.png differ
diff --git a/raid1disks/index.md b/raid1disks/index.md
new file mode 100644
index 0000000..9d2ff3c
--- /dev/null
+++ b/raid1disks/index.md
@@ -0,0 +1,349 @@
+# Mdadm Raid 1 Setup
+
+![](0.png)
+
+In this tutorial we're going to setup a raid1 accross 2 harddrives
+
+## **Initial Setup**
+
+On my new server, i asked for 2x 2TBs harddrives, we're going to set them up as a raid1 virtual disk using mdadm and cfdisk
+
+
+ root@Megapede ~ # lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ **sda 8:0 0 1.8T 0 disk
+ sdb 8:16 0 1.8T 0 disk**
+
+ nvme0n1 259:0 0 476.9G 0 disk
+ ├─nvme0n1p1 259:1 0 32G 0 part
+ │ └─md0 9:0 0 32G 0 raid1 [SWAP]
+ ├─nvme0n1p2 259:2 0 1G 0 part
+ │ └─md1 9:1 0 1022M 0 raid1 /boot
+ └─nvme0n1p3 259:3 0 443.9G 0 part
+ └─md2 9:2 0 443.8G 0 raid1 /
+ nvme1n1 259:4 0 476.9G 0 disk
+ ├─nvme1n1p1 259:5 0 32G 0 part
+ │ └─md0 9:0 0 32G 0 raid1 [SWAP]
+ ├─nvme1n1p2 259:6 0 1G 0 part
+ │ └─md1 9:1 0 1022M 0 raid1 /boot
+ └─nvme1n1p3 259:7 0 443.9G 0 part
+ └─md2 9:2 0 443.8G 0 raid1 /
+
+ root@Megapede ~ # cat /proc/mdstat
+ Personalities : [raid1] [linear] [multipath] [raid0] [raid6] [raid5] [raid4] [raid10]
+ md2 : active raid1 nvme0n1p3[1] nvme1n1p3[0]
+ 465370432 blocks super 1.2 [2/2] [UU]
+ bitmap: 0/4 pages [0KB], 65536KB chunk
+
+ md0 : active (auto-read-only) raid1 nvme0n1p1[1] nvme1n1p1[0]
+ 33520640 blocks super 1.2 [2/2] [UU]
+ resync=PENDING
+
+ md1 : active raid1 nvme0n1p2[1] nvme1n1p2[0]
+ 1046528 blocks super 1.2 [2/2] [UU]
+
+ unused devices: <****none>
+
+so here there's already 3 raid 1s : md0 , md1 and md2. 
to link the disks sda and sdb in a raid1 array, we're going to create md3:
+
+
+ root@Megapede ~ # mdadm --stop /dev/md3
+ mdadm: stopped /dev/md3
+ root@Megapede ~ # sudo mdadm --zero-superblock /dev/sda
+ sudo: unable to resolve host Megapede: Name or service not known
+ root@Megapede ~ # sudo mdadm --zero-superblock /dev/sdb
+ sudo: unable to resolve host Megapede: Name or service not known
+
+ root@Megapede ~ # vim /etc/fstab
+ #remove/comment the fstab line that has md3
+
+ root@Megapede ~ # mdadm --create --verbose /dev/md3 --level=1 --raid-devices=2 /dev/sda /dev/sdb
+ mdadm: Note: this array has metadata at the start and
+ may not be suitable as a boot device. If you plan to
+ store '/boot' on this device please ensure that
+ your boot-loader understands md/v1.x metadata, or use
+ --metadata=0.90
+ mdadm: size set to 1953382464K
+ mdadm: automatically enabling write-intent bitmap on large array
+ Continue creating array? y
+ mdadm: Defaulting to version 1.2 metadata
+ mdadm: array /dev/md3 started.
+
+ root@Megapede ~ # lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1
+ sdb 8:16 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1
+
+ [...]
+
+ root@Megapede ~ # cat /proc/mdstat
+ Personalities : [raid1] [linear] [multipath] [raid0] [raid6] [raid5] [raid4] [raid10]
+ md3 : active raid1 sdb[1] sda[0]
+ 1953382464 blocks super 1.2 [2/2] [UU]
+ [>....................] resync = 0.9% (18044224/1953382464) finish=198.3min speed=162617K/sec
+ bitmap: 15/15 pages [60KB], 65536KB chunk
+
+
+
+this shows the synchronisation process, it may take some time, but you can proceed while this is ongoing. 
+
+
+ root@Megapede ~ # mkfs.ext4 -F /dev/md3
+ mke2fs 1.47.0 (5-Feb-2023)
+ Creating filesystem with 488345616 4k blocks and 122093568 inodes
+ Filesystem UUID: 6386dec8-2bc3-432b-ac14-44e39e5dfb5c
+ Superblock backups stored on blocks:
+ 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
+ 4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
+ 102400000, 214990848
+
+ Allocating group tables: done
+ Writing inode tables: done
+ Creating journal (262144 blocks): done
+ Writing superblocks and filesystem accounting information: done
+
+ root@megapede ~ # mount /dev/md3 /mnt/md3
+
+ root@Megapede ~ # mkdir -p /mnt/md3
+
+ root@Megapede ~ # df -h -x devtmpfs -x tmpfs
+ Filesystem Size Used Avail Use% Mounted on
+ /dev/md2 436G 1.7G 412G 1% /
+ /dev/md1 989M 117M 821M 13% /boot
+ /dev/md3 1.8T 28K 1.7T 1% /mnt/md3
+
+
+
+we formatted the md3 raid 1 disk as ext4, and now that our md3 device is mounted in /mnt/md3 we can see the available 1.8Tb space with the df command.
+
+Next we need to save the config in /etc/mdadm/mdadm.conf so that the array can automatically be seen as active upon boots:
+
+
+ mdadm --detail --scan
+ ARRAY /dev/md/1 metadata=1.2 name=rescue:1 UUID=8005f92c:5ca33d93:b2a5c843:7d4500ba
+ ARRAY /dev/md/0 metadata=1.2 name=rescue:0 UUID=9a83d519:88dc0912:2d34658b:d9ac4a20
+ ARRAY /dev/md/2 metadata=1.2 name=rescue:2 UUID=082e5878:cad579b5:5b2d8dda:d41848f9
+ ARRAY /dev/md3 metadata=1.2 name=Megapede:3 UUID=779a3d96:8a08002c:7c5c2530:aded4af8
+
+ root@megapede ~ # vim /etc/mdadm/mdadm.conf
+ root@megapede ~ # cat /etc/mdadm/mdadm.conf
+ # mdadm.conf
+ #
+ # !NB! Run update-initramfs -u after updating this file.
+ # !NB! This will ensure that initramfs has an uptodate copy.
+ #
+ # Please refer to mdadm.conf(5) for information about this file.
+ #
+
+ # by default (built-in), scan all partitions (/proc/partitions) and all
+ # containers for MD superblocks. 
alternatively, specify devices to scan, using
+ # wildcards if desired.
+ #DEVICE partitions containers
+
+ # automatically tag new arrays as belonging to the local system
+ HOMEHOST
+
+ # instruct the monitoring daemon where to send mail alerts
+ MAILADDR root
+
+ # This configuration was auto-generated on Fri, 07 Jul 2023 11:02:42 +0200 by mkconf
+ ARRAY /dev/md/0 metadata=1.2 name=rescue:0 UUID=9a83d519:88dc0912:2d34658b:d9ac4a20
+ ARRAY /dev/md/2 metadata=1.2 name=rescue:2 UUID=082e5878:cad579b5:5b2d8dda:d41848f9
+ ARRAY /dev/md/1 metadata=1.2 name=rescue:1 UUID=8005f92c:5ca33d93:b2a5c843:7d4500ba
+ ARRAY /dev/md3 metadata=1.2 name=megapede:3 UUID=6e20ae93:f1548680:56621159:b8910258
+
+
+
+Then we also make sure that it's written in /etc/fstab:
+
+
+ root@megapede ~ # blkid
+ /dev/nvme0n1p3: UUID="082e5878-cad5-79b5-5b2d-8ddad41848f9" UUID_SUB="12260b20-4e48-3bda-bbaf-2d989216743e" LABEL="rescue:2" TYPE="linux_raid_member" PARTUUID="0363e1f6-03"
+ /dev/nvme0n1p1: UUID="9a83d519-88dc-0912-2d34-658bd9ac4a20" UUID_SUB="74300757-2675-0206-93db-1ef7986345c4" LABEL="rescue:0" TYPE="linux_raid_member" PARTUUID="0363e1f6-01"
+ /dev/nvme0n1p2: UUID="8005f92c-5ca3-3d93-b2a5-c8437d4500ba" UUID_SUB="1dcf6c06-41f5-9b79-1620-ae51258931d4" LABEL="rescue:1" TYPE="linux_raid_member" PARTUUID="0363e1f6-02"
+ /dev/sdb: UUID="6e20ae93-f154-8680-5662-1159b8910258" UUID_SUB="54392230-39fb-ab76-10ea-afda06676e1f" LABEL="megapede:3" TYPE="linux_raid_member"
+ /dev/md2: UUID="9718e8fc-3a45-4338-8157-a1b64c29c894" BLOCK_SIZE="4096" TYPE="ext4"
+ /dev/md0: UUID="10f6338c-c09c-44d5-b698-6aa8a04ef837" TYPE="swap"
+ /dev/nvme1n1p2: UUID="8005f92c-5ca3-3d93-b2a5-c8437d4500ba" UUID_SUB="eb98c252-4599-7b14-14f0-4360a4abad7b" LABEL="rescue:1" TYPE="linux_raid_member" PARTUUID="2306f806-02"
+ /dev/nvme1n1p3: UUID="082e5878-cad5-79b5-5b2d-8ddad41848f9" UUID_SUB="6e4b15b0-77e8-1635-5fc8-ab2a2aceadcb" LABEL="rescue:2" TYPE="linux_raid_member" PARTUUID="2306f806-03"
+ /dev/nvme1n1p1: 
UUID="9a83d519-88dc-0912-2d34-658bd9ac4a20" UUID_SUB="094cb30b-077d-3163-9776-73a53b2e404d" LABEL="rescue:0" TYPE="linux_raid_member" PARTUUID="2306f806-01"
+ /dev/sda: UUID="6e20ae93-f154-8680-5662-1159b8910258" UUID_SUB="9059d7c8-c686-5ff5-20ed-b8c14e96ca0c" LABEL="megapede:3" TYPE="linux_raid_member"
+ /dev/md1: UUID="d817acef-3aca-4edc-bd9a-559b50e47d20" BLOCK_SIZE="4096" TYPE="ext3"
+ /dev/md3: UUID="433c3cc3-8c20-426a-9b10-fb56b231cd40" BLOCK_SIZE="4096" TYPE="ext4"
+
+ root@Megapede ~ # cat /etc/fstab
+ proc /proc proc defaults 0 0
+ # /dev/md/0
+ UUID=10f6338c-c09c-44d5-b698-6aa8a04ef837 none swap sw 0 0
+ # /dev/md/1
+ UUID=d817acef-3aca-4edc-bd9a-559b50e47d20 /boot ext3 defaults 0 0
+ # /dev/md/2
+ UUID=9718e8fc-3a45-4338-8157-a1b64c29c894 / ext4 defaults 0 0
+ # /dev/md3
+ UUID=433c3cc3-8c20-426a-9b10-fb56b231cd40 /mnt/md3 ext4 defaults 0 0
+
+
+
+Then just reboot it to test if it got saved:
+
+
+ root@Megapede ~ # lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1 /mnt/md3
+ sdb 8:16 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1 /mnt/md3
+ nvme0n1 259:0 0 476.9G 0 disk
+ ├─nvme0n1p1 259:1 0 32G 0 part
+ │ └─md0 9:0 0 32G 0 raid1 [SWAP]
+ ├─nvme0n1p2 259:2 0 1G 0 part
+ │ └─md1 9:1 0 1022M 0 raid1 /boot
+ └─nvme0n1p3 259:3 0 443.9G 0 part
+ └─md2 9:2 0 443.8G 0 raid1 /
+ nvme1n1 259:4 0 476.9G 0 disk
+ ├─nvme1n1p1 259:5 0 32G 0 part
+ │ └─md0 9:0 0 32G 0 raid1 [SWAP]
+ ├─nvme1n1p2 259:6 0 1G 0 part
+ │ └─md1 9:1 0 1022M 0 raid1 /boot
+ └─nvme1n1p3 259:7 0 443.9G 0 part
+ └─md2 9:2 0 443.8G 0 raid1 /
+
+ root@Megapede ~ # reboot now
+
+
+
+or you can just test the fstab without rebooting using mount:
+
+
+ root@megapede ~ # umount /dev/md3
+ root@megapede ~ # systemctl daemon-reload
+ root@megapede ~ # lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1
+ sdb 8:16 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1
+
+ [...] 
+
+ root@megapede ~ # mount /dev/md3
+ root@megapede ~ # lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1 /mnt/md3
+ sdb 8:16 0 1.8T 0 disk
+ └─md3 9:3 0 1.8T 0 raid1 /mnt/md3
+
+ [...]
+
+
+
+and we successfully mounted it thanks to having it in /etc/fstab.
+
+## Create a raid 1 with 1 disk, and then add another:
+
+I have a usecase where i already have data on a disk, and i want to mirror it without loosing it. so i do the following:
+
+
+ [ Wonderland ] [ /dev/pts/13 ] [~]
+ → lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 232.9G 0 disk
+ ├─sda1 8:1 0 512M 0 part /boot/efi
+ ├─sda2 8:2 0 231.4G 0 part /
+ └─sda3 8:3 0 977M 0 part [SWAP]
+ nvme0n1 259:0 0 931.5G 0 disk
+ └─nvme0n1p1 259:4 0 931.5G 0 part
+ nvme1n1 259:1 0 931.5G 0 disk
+ └─nvme1n1p1 259:3 0 931.5G 0 part
+ └─veracrypt1 253:0 0 931.5G 0 dm /media/veracrypt1
+
+ [ Wonderland ] [ /dev/pts/13 ] [~]
+ → mdadm --zero-superblock /dev/nvme0n1
+ mdadm: Unrecognised md component device - /dev/nvme0n1
+
+ [ Wonderland ] [ /dev/pts/13 ] [~]
+ → mdadm --create --verbose /dev/md3 --level=1 --raid-devices=1 /dev/nvme0n1 --force
+ mdadm: partition table exists on /dev/nvme0n1
+ mdadm: partition table exists on /dev/nvme0n1 but will be lost or
+ meaningless after creating array
+ mdadm: Note: this array has metadata at the start and
+ may not be suitable as a boot device. If you plan to
+ store '/boot' on this device please ensure that
+ your boot-loader understands md/v1.x metadata, or use
+ --metadata=0.90
+ mdadm: size set to 976630464K
+ mdadm: automatically enabling write-intent bitmap on large array
+ Continue creating array? y
+ mdadm: Defaulting to version 1.2 metadata
+ mdadm: array /dev/md3 started. 
+
+ [ Wonderland ] [ /dev/pts/13 ] [~]
+ → lsblk
+ NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
+ sda 8:0 0 232.9G 0 disk
+ ├─sda1 8:1 0 512M 0 part /boot/efi
+ ├─sda2 8:2 0 231.4G 0 part /
+ └─sda3 8:3 0 977M 0 part [SWAP]
+ nvme0n1 259:0 0 931.5G 0 disk
+ └─md3 9:3 0 931.4G 0 raid1
+ nvme1n1 259:1 0 931.5G 0 disk
+ └─nvme1n1p1 259:3 0 931.5G 0 part
+ └─veracrypt1 253:0 0 931.5G 0 dm /media/veracrypt1
+
+
+
+And then later on we'll add the device like so:
+
+
+ [ Wonderland ] [ /dev/pts/13 ] [~]
+ → sfdisk -d /dev/nvme0n1 | sfdisk /dev/nvme1n1
+
+ [ Wonderland ] [ /dev/pts/13 ] [~]
+ → mdadm --manage /dev/md3 --add /dev/nvme1n1
+
+ [ Wonderland ] [ /dev/pts/15 ] [~]
+ → mdadm --detail /dev/md3
+ /dev/md3:
+ Version : 1.2
+ Creation Time : Sat Oct 7 21:03:40 2023
+ Raid Level : raid1
+ Array Size : 976630464 (931.39 GiB 1000.07 GB)
+ Used Dev Size : 976630464 (931.39 GiB 1000.07 GB)
+ Raid Devices : 1
+ Total Devices : 2
+ Persistence : Superblock is persistent
+
+ Intent Bitmap : Internal
+
+ Update Time : Sat Oct 7 22:13:05 2023
+ State : clean
+ Active Devices : 1
+ Working Devices : 2
+ Failed Devices : 0
+ Spare Devices : 1
+
+ Consistency Policy : bitmap
+
+ Name : wonderland:3 (local to host wonderland)
+ UUID : 7ad13800:d65ab2f4:4bb35e9c:f27e4c35
+ Events : 2
+
+ Number Major Minor RaidDevice State
+ 0 259 0 0 active sync /dev/nvme0n1
+
+ 1 259 1 - spare /dev/nvme1n1
+
+
+ [ Wonderland ] [ /dev/pts/15 ] [~]
+ → cat /proc/mdstat
+ Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
+ md3 : active raid1 nvme1n1[1](S) nvme0n1[0]
+ 976630464 blocks super 1.2 [1/1] [U]
+ bitmap: 7/8 pages [28KB], 65536KB chunk
+
+ unused devices: none
+
+
diff --git a/rainloop/0.png b/rainloop/0.png
new file mode 100644
index 0000000..a6a3464
Binary files /dev/null and b/rainloop/0.png differ
diff --git a/rainloop/1.png b/rainloop/1.png
new file mode 100644
index 0000000..f6d03df
Binary files /dev/null and b/rainloop/1.png differ
diff --git a/rainloop/10.png b/rainloop/10.png
new file mode 100644
index 0000000..5c16a0b
Binary files /dev/null and b/rainloop/10.png differ
diff --git a/rainloop/11.png b/rainloop/11.png
new file mode 100644
index 0000000..127a5ac
Binary files /dev/null and b/rainloop/11.png differ
diff --git a/rainloop/12.png b/rainloop/12.png
new file mode 100644
index 0000000..b71652a
Binary files /dev/null and b/rainloop/12.png differ
diff --git a/rainloop/13.png b/rainloop/13.png
new file mode 100644
index 0000000..9d5970b
Binary files /dev/null and b/rainloop/13.png differ
diff --git a/rainloop/14.png b/rainloop/14.png
new file mode 100644
index 0000000..43ad1c4
Binary files /dev/null and b/rainloop/14.png differ
diff --git a/rainloop/15.png b/rainloop/15.png
new file mode 100644
index 0000000..76d4fc5
Binary files /dev/null and b/rainloop/15.png differ
diff --git a/rainloop/16.png b/rainloop/16.png
new file mode 100644
index 0000000..24dbdc0
Binary files /dev/null and b/rainloop/16.png differ
diff --git a/rainloop/17.png b/rainloop/17.png
new file mode 100644
index 0000000..db8bb9c
Binary files /dev/null and b/rainloop/17.png differ
diff --git a/rainloop/18.png b/rainloop/18.png
new file mode 100644
index 0000000..17d4e7a
Binary files /dev/null and b/rainloop/18.png differ
diff --git a/rainloop/19.png b/rainloop/19.png
new file mode 100644
index 0000000..66ec961
Binary files /dev/null and b/rainloop/19.png differ
diff --git a/rainloop/2.png b/rainloop/2.png
new file mode 100644
index 0000000..0b344b2
Binary files /dev/null and b/rainloop/2.png differ
diff --git a/rainloop/20.png b/rainloop/20.png
new file mode 100644
index 0000000..8e829c2
Binary files /dev/null and b/rainloop/20.png differ
diff --git a/rainloop/21.png b/rainloop/21.png
new file mode 100644
index 0000000..8ae134f
Binary files /dev/null and b/rainloop/21.png differ
diff --git a/rainloop/3.png b/rainloop/3.png
new file mode 100644
index 0000000..b5a8a1a
Binary files /dev/null and b/rainloop/3.png differ
diff --git a/rainloop/4.png b/rainloop/4.png
new file mode 100644
index 0000000..6e81256
Binary files /dev/null and b/rainloop/4.png differ
diff --git a/rainloop/5.png b/rainloop/5.png
new file mode 100644
index 0000000..70a441d
Binary files /dev/null and b/rainloop/5.png differ
diff --git a/rainloop/6.png b/rainloop/6.png
new file mode 100644
index 0000000..13a70f3
Binary files /dev/null and b/rainloop/6.png differ
diff --git a/rainloop/7.png b/rainloop/7.png
new file mode 100644
index 0000000..fd610c0
Binary files /dev/null and b/rainloop/7.png differ
diff --git a/rainloop/8.png b/rainloop/8.png
new file mode 100644
index 0000000..a7f4a30
Binary files /dev/null and b/rainloop/8.png differ
diff --git a/rainloop/9.png b/rainloop/9.png
new file mode 100644
index 0000000..3d468b4
Binary files /dev/null and b/rainloop/9.png differ
diff --git a/rainloop/index.md b/rainloop/index.md
new file mode 100644
index 0000000..6500e33
--- /dev/null
+++ b/rainloop/index.md
@@ -0,0 +1,106 @@
+# Rainloop Setup
+
+Rent a VPS with debian 10+ (or just run it yourself, but make sure it is correctly port forwarded so that public ip points to the machine like a vps).
+
+Once you have ssh'd into your debian server as root, we can start:
+
+## **Initial Setup**
+
+First install all the dependencies:
+
+
+ apt install php7.4 php7.4-common php7.4-curl php7.4-xml php7.4-fpm php7.4-json php7.4-dev php7.4-mysql nginx curl socat unzip -y
+
+
+
+Then configure nginx:
+
+
+ wget https://blog.nowhere.moe/servers/rainloop/rainloop.conf -O /etc/nginx/sites-available/rainloop.conf
+ nano /etc/nginx/sites-available/rainloop.conf
+
+
+
+![](2.png)
+
+Here make sure you edit the configuration file properly so that the domain name matches your own domain name. once you're done editing the file, hit CTRL+S to save and CTRL+X to exit nano. If you don't have a domain name, just go for a free alternative like [DuckDNS](https://www.duckdns.org).
+
+![](0.png)
+
+You can verify it is working by doing the following:
+
+![](1.png)
+
+Next we're going to get a free letsencrypt SSL certificate using acme.sh:
+
+
+ wget -O - https://get.acme.sh | sh
+ source ~/.bashrc
+ systemctl stop nginx
+ acme.sh --issue --standalone -d ech2.duckdns.org -k 4096
+ systemctl start nginx
+
+
+
+![](3.png)
+
+Next we enable the site:
+
+
+ ln -s /etc/nginx/sites-available/rainloop.conf /etc/nginx/sites-enabled/rainloop.conf
+ nginx -t
+ systemctl restart nginx
+
+
+Once that's done, reload nginx and install rainloop:
+
+
+ cd /opt
+ wget http://www.rainloop.net/repository/webmail/rainloop-community-latest.zip
+ unzip rainloop-community-latest.zip -d /var/www/
+ chown www-data: -R /var/www/
+
+
+
+Next configure php7.4-fpm correctly:
+
+
+ cd /etc/php/7.4/
+
+ echo 'date.timezone = Europe/Paris' >> fpm/php.ini
+ echo 'date.timezone = Europe/Paris' >> cli/php.ini
+
+ systemctl enable --now php7.4-fpm nginx
+ systemctl restart php7.4-fpm nginx
+
+
+Once that's done, simply browse to your 
website:
+
+![](4.png)
+
+You need to browse to the url "https://ech2.duckdns.org/?admin", The default admin password is admin:12345
+
+![](5.png)
+
+Once you're logged in, make sure to change the admin password
+
+![](6.png) ![](7.png)
+
+And you're done! now you simply need to configure rainloop and test if it is working, so log out, and go back to the root directory https://ech2.duckdns.org/:
+
+##
+
+## **Linking it to an existing SMTP server**
+
+Follow this [tutorial](../mail2/index.md) on how to setup a SMTP server:
+
+![](16.png) ![](17.png) ![](18.png) ![](19.png)
+
+And now try to login:
+
+![](20.png)
+
+And that's it! We managed to login:
+
+![](21.png)
+
diff --git a/rdp/0.png b/rdp/0.png
new file mode 100644
index 0000000..345f80f
Binary files /dev/null and b/rdp/0.png differ
diff --git a/rdp/1.png b/rdp/1.png
new file mode 100644
index 0000000..6c63c7b
Binary files /dev/null and b/rdp/1.png differ
diff --git a/rdp/10.png b/rdp/10.png
new file mode 100644
index 0000000..ab347bb
Binary files /dev/null and b/rdp/10.png differ
diff --git a/rdp/11.png b/rdp/11.png
new file mode 100644
index 0000000..9f31331
Binary files /dev/null and b/rdp/11.png differ
diff --git a/rdp/12.png b/rdp/12.png
new file mode 100644
index 0000000..85cfeff
Binary files /dev/null and b/rdp/12.png differ
diff --git a/rdp/13.png b/rdp/13.png
new file mode 100644
index 0000000..862a5da
Binary files /dev/null and b/rdp/13.png differ
diff --git a/rdp/14.png b/rdp/14.png
new file mode 100644
index 0000000..85b61c1
Binary files /dev/null and b/rdp/14.png differ
diff --git a/rdp/15.png b/rdp/15.png
new file mode 100644
index 0000000..49fb005
Binary files /dev/null and b/rdp/15.png differ
diff --git a/rdp/16.png b/rdp/16.png
new file mode 100644
index 0000000..269d3ff
Binary files /dev/null and b/rdp/16.png differ
diff --git a/rdp/17.png b/rdp/17.png
new file mode 100644
index 0000000..3c9df4e
Binary files /dev/null and b/rdp/17.png differ
diff --git a/rdp/18.png b/rdp/18.png
new file mode 100644
index 0000000..40d68d6
Binary files /dev/null and b/rdp/18.png differ
diff --git a/rdp/19.png b/rdp/19.png
new file mode 100644
index 0000000..5f42cb0
Binary files /dev/null and b/rdp/19.png differ
diff --git a/rdp/2.png b/rdp/2.png
new file mode 100644
index 0000000..eed1177
Binary files /dev/null and b/rdp/2.png differ
diff --git a/rdp/3.png b/rdp/3.png
new file mode 100644
index 0000000..722b19a
Binary files /dev/null and b/rdp/3.png differ
diff --git a/rdp/4.png b/rdp/4.png
new file mode 100644
index 0000000..cf1bbe2
Binary files /dev/null and b/rdp/4.png differ
diff --git a/rdp/5.png b/rdp/5.png
new file mode 100644
index 0000000..35a8b72
Binary files /dev/null and b/rdp/5.png differ
diff --git a/rdp/6.png b/rdp/6.png
new file mode 100644
index 0000000..894dfb8
Binary files /dev/null and b/rdp/6.png differ
diff --git a/rdp/7.png b/rdp/7.png
new file mode 100644
index 0000000..28a6943
Binary files /dev/null and b/rdp/7.png differ
diff --git a/rdp/8.png b/rdp/8.png
new file mode 100644
index 0000000..521dd92
Binary files /dev/null and b/rdp/8.png differ
diff --git a/rdp/9.png b/rdp/9.png
new file mode 100644
index 0000000..c321592
Binary files /dev/null and b/rdp/9.png differ
diff --git a/rdp/index.md b/rdp/index.md
new file mode 100644
index 0000000..f733ef3
--- /dev/null
+++ b/rdp/index.md
@@ -0,0 +1,214 @@ +# RDP Connections + +![]() + +Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, macOS, iOS, Android, and other operating systems. RDP servers are built into Windows operating systems; an RDP server for Unix and OS X also exists. By default, the server listens on TCP port 3389 and UDP port 3389. + +RDP is very handy especially to be able to copy paste things in and out of virtualized hosts or to establish Keyboard Mouse and Video connection at a desired screen resolution. The RDP protocol implementations allow us to establish remote desktop connections from Windows or Linux hosts, to Windows or Linux hosts. We will split this tutorial in 3 parts: + + 1. Linux - Windows RDP connections + 2. Linux - Linux RDP connections + 3. Windows - Windows + Linux RDP connections + + + +## **Linux -> Windows RDP connections** + +First of all, in order to connect to a windows host via RDP, we need to enable RDP on that host. To do so we need to enable Remote Desktop: + +![](0.png) + +Then enable RDP like so: + +![](1.png) + +Once that's done, you know that your windows host has it's port 3389 opened for RDP connections, you simply need to know what it's IP is: + +![](2.png) + +Now with this we know that our Windows' host IP is 10.0.0.203 now if you want to connect to it from a Linux host, i highly recommend you use remmina, this is a fantastic tool to primarily handle RDP but also other protocols. + + + root@debian-pgadmin4:~# apt search remmina + Sorting... Done + Full Text Search... 
Done + remmina/stable 1.3.3+dfsg-2 amd64 + GTK+ Remote Desktop Client + + root@debian-pgadmin4:~# apt install remmina -y + + [ 10.0.0.10/16 ] [ /dev/pts/39 ] [Github/blog/servers] + → pacman -Ss remmina + community/remmina 1:1.4.12-1 [installed] + remote desktop client written in GTK+ + + [ 10.0.0.10/16 ] [ /dev/pts/39 ] [Github/blog/servers] + → pacman -S remmina + + + +Remmina should be there on debian and arch based distributions, once installed it will look like so: + +![](4.png) + +Here we supply the ip address of our windows host, the username we want to login as, it's password, and if it is connected to windows Active Directory, you can specify the Domain name (highlighted in green) In the advanced options you can also tweak a few other things, but for now hit 'save and connect' and you will get the following: + +![](5.png) + +And that's it ! You have been able to login and connect to your windows host on the local network. Now you can hit LCTRL to enable the keyboard event grabbing, LCTRL+F to go fullscreen and more. + +## **Linux -> Linux RDP connections** + +Now that we have Remmina installed on our Linux Host machine, Let's say we have access via ssh to a remote linux host: + + + [ 10.0.0.10/16 ] [ /dev/pts/3 ] [Github/blog/servers] + → ssh root@10.0.0.112 + root@10.0.0.112's password: + Linux debian-pgadmin 5.4.106-1-pve #1 SMP PVE 5.4.106-1 (Fri, 19 Mar 2021 11:08:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + Last login: Sat Apr 3 17:02:12 2021 from 10.0.0.10 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. 
+ + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-pgadmin:~# ip a | grep inet + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 10.0.0.112/16 brd 10.0.255.255 scope global eth0 + inet6 fe80::68b5:5ff:fe35:dd26/64 scope link + + + +From here we can setup a RDP connection to be able to spawn a graphical connection thanks to the Xrdp package: + + + + root@debian-pgadmin:~# apt search xrdp + Sorting... Done + Full Text Search... Done + xorgxrdp/stable 1:0.2.9-1 amd64 + Remote Desktop Protocol (RDP) modules for X.org + + xrdp/stable,stable 0.9.9-1+deb10u1 amd64 + Remote Desktop Protocol (RDP) server + + root@debian-pgadmin:~# apt install xrdp -y + + + + +![](6.png) + +Hit enter and let it install. After that we will start the rdp service using systemctl: + + + + root@debian-pgadmin:~# systemctl enable --now xrdp + root@debian-pgadmin:~# systemctl status xrdp + * xrdp.service - xrdp daemon + Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: enabled) + Active: active (running) since Sat 2021-04-03 17:55:55 UTC; 2min 29s ago + Docs: man:xrdp(8) + man:xrdp.ini(5) + Main PID: 32082 (xrdp) + Tasks: 1 (limit: 7372) + Memory: 1.2M + CGroup: /system.slice/xrdp.service + `-32082 /usr/sbin/xrdp + + Apr 03 17:55:55 debian-pgadmin systemd[1]: Started xrdp daemon. 
+ Apr 03 17:55:55 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + Apr 03 17:55:56 debian-pgadmin xrdp[32082]: (32082)(140173514213184)[INFO ] starting xrdp with pid 32082 + Apr 03 17:55:56 debian-pgadmin xrdp[32082]: (32082)(140173514213184)[INFO ] listening to port 3389 on 0.0.0.0 + Apr 03 17:55:56 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + Apr 03 17:55:57 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + Apr 03 17:55:57 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + Apr 03 17:58:14 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + Apr 03 17:58:15 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + Apr 03 17:58:15 debian-pgadmin systemd[1]: /lib/systemd/system/xrdp.service:8: PIDFile= references path below legacy directory /var/run/, updating /var/run/xrdp/xrdp.pid + root@debian-pgadmin:~# + + + + +And that's it! now we should be able to connect to it: + + + [ 10.0.0.10/16 ] [ /dev/pts/31 ] [Github/blog/servers] + → nmap -p3389 10.0.0.112 + Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-03 19:59 CEST + Nmap scan report for 10.0.0.112 + Host is up (0.00064s latency). + + PORT STATE SERVICE + 3389/tcp open ms-wbt-server + + Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds + + + +As you can see above, the port is supposed to be opened and ready to recieve our connections. 
Let's move over to remmina: + +![](7.png) + +Hit save and connect: + +![](8.png) + +This is a very minimal debian server, so if you didn't install any desktop environnement on it by default it will leave you in a TTY. let's see how this looks like when we install a Desktop Environnement like XFCE4 and lightdm: + + + root@debian-pgadmin:~# apt install lightdm xfce4 + + root@debian-pgadmin:~# systemctl enable lightdm + + root@debian-pgadmin:~# reboot now + + + +Once installed we can connect via RDP again and see what happens: + +![](10.png) + +And that's it! We have been able to connect to our debian host via RDP and get a graphical interface. + +## **Windows -> Linux/Windows RDP connections** + +On windows' side, we don't need to install anything. the RDP protocol is built in to windows 10 as you can see here: + + + WIN+R mstsc + + + +![](11.png) + +let's try to connect to our linux host at 10.0.0.112 as the root user: + +![](12.png) ![](13.png) ![](14.png) + +Here we're greeted by xorg's login screen, just use your root password there and login: + +![](15.png) + +It's that easy! This goes without saying but RDP was originally made for Windows -> Windows connections, so here's an example using my Windows Server 2019 VM at the 10.0.0.204 ip: + + + WIN+R mstsc + + + +![](16.png) ![](17.png) ![](18.png) ![](19.png) + +And that's it! We have been able to establish a Windows-Windows RDP connection. + diff --git a/rss/1.png b/rss/1.png new file mode 100644 index 0000000..d30b4a5 Binary files /dev/null and b/rss/1.png differ diff --git a/rss/index.md b/rss/index.md new file mode 100644 index 0000000..ce2c527 --- /dev/null +++ b/rss/index.md 
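Review bot: The tutorial leaves xrdp reachable on every interface with direct root password login and never tells the reader to restrict it: the `systemctl status xrdp` output shows `listening to port 3389 on 0.0.0.0`, and the Windows -> Linux section says "just use your root password there and login". I would add a caveat right after the status output, e.g. `xrdp listens on all interfaces by default; keep 3389 reachable only from your LAN (firewall it, or tunnel it over the SSH access you already have: ssh -L 3389:127.0.0.1:3389 root@10.0.0.112) and log in as an unprivileged user rather than root.` The Windows side appears to enable Remote Desktop purely through the screenshots, so whether Network Level Authentication stays on is not visible here; a sentence telling the reader to leave it enabled would close that gap. The Remmina "save and connect" step also stores the password in the connection profile, which is worth a one-line warning on shared machines.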
@@ -0,0 +1,54 @@ +# rss Setup + +## **Initial Setup** + +Let's use this RSS feed generator written in bash: https://github.com/maxhebditch/rss-roller/blob/master/rss-roller + + + + [ Datura ] [ /dev/pts/11 ] [/srv/blog/rss] + → rm -rf /root/.rss-roller.rc + + [ Datura ] [ /dev/pts/11 ] [/srv/blog/rss] + → ./rss-roller.sh + feed does not exit already, going to make from scratch + + CONFIGURATION + ============= + + What is your website called?: (e.g Google) "nowhere.moe Blog" + What is the link to the website?: (e.g http://google.com) https://blog.nowhere.moe + Give a brief description of your website: (e.g A search engine) Nihilist`s Technical Blog + Give the URL to where the rss feed will live: (e.g http://google.com/rssfeed.xml) https://blog.nowhere.moe/rss/feed.xml + What will be the feed file live on the disk?: (e.g /home/dog/www/rssfeed.xml has to match above) /srv/blog/rss/feed.xml + Where is the file path for the posts? (leave blank if you are not using auto mode): + please run rss-roller again with the --auto or --manual flags + + [ Datura ] [ /dev/pts/11 ] [/srv/blog/rss] + → ./rss-roller.sh --manual + + NEW POST + ======= + + What is the title of the new update?: Decentralized Finances + What is the link of the new update?: https://blog.nowhere.moe/servers/finances/index.md + Provide a description of the new update: Centralised currencies, Decentralised Currencies, and Centralised Exchanges, privacy cryptos and decentralised exchanges + Provide a unique identifier for the update: 1 + adding the header + adding the footer + + [ Datura ] [ /dev/pts/11 ] [/srv/blog/rss] + → cat feed.xml + <****?xml version='1.0' encoding='UTF-8' ?> <****rss version='2.0' xmlns:atom='http://www.w3.org/2005/Atom'> <****!-- Made using rss-roller https://github.com/maxhebditch/rss-roller --> <****channel> <****title>nowhere.moe Blog + <****link>https://blog.nowhere.moe + <****description>Nihilist`s Technical Blog + <****atom:link href='https://blog.nowhere.moe/rss/feed.xml' 
rel='self' type='application/rss+xml' /> <****item> <****title>Decentralized Finances + <****link>https://blog.nowhere.moe/servers/finances/index.md + <****guid isPermaLink='false'>1 + <****description>Centralised currencies, Decentralised Currencies, and Centralised Exchanges, privacy cryptos and decentralised exchanges + <****/item> <****/channel> <****/rss> + +and then just access it on your website like this: + +![](1.png) + diff --git a/rsync/0.png b/rsync/0.png new file mode 100644 index 0000000..b5c9fe5 Binary files /dev/null and b/rsync/0.png differ diff --git a/rsync/1.png b/rsync/1.png new file mode 100644 index 0000000..eb2cdcc Binary files /dev/null and b/rsync/1.png differ diff --git a/rsync/2.png b/rsync/2.png new file mode 100644 index 0000000..850d338 Binary files /dev/null and b/rsync/2.png differ diff --git a/rsync/3.png b/rsync/3.png new file mode 100644 index 0000000..9e3ef6a Binary files /dev/null and b/rsync/3.png differ diff --git a/rsync/4.png b/rsync/4.png new file mode 100644 index 0000000..67f1f64 Binary files /dev/null and b/rsync/4.png differ diff --git a/rsync/index.md b/rsync/index.md new file mode 100644 index 0000000..e972be5 --- /dev/null +++ b/rsync/index.md 
@@ -0,0 +1,360 @@ +# Making backups using rsync + +rsync is an utility for efficiently transferring and synchronizing files between 2 computers, it can also compare the modification times and sizes of files. It is commonly found on unix OSes. It was written in C as a single threaded application. The rsync algorithm uses a type of delta encoding, and is used for minimizing network usage. + +## **Initial setup** + +We're going to do this tutorial on a proxmox server with 2 LXC Containers on the same local network: + +![](0.png) + +We login via ssh in both of them: + +![](1.png) + + + root@debian-nginx2:~# apt search rsync + + rsync/stable,now 3.1.3-6 amd64 [installed,automatic] + fast, versatile, remote (and local) file-copying tool + + + root@debian-nginx2:~# apt install rsync + + root@debian-nginx2:~# which rsync + /usr/bin/rsync + + + +Now let's create a sample directory with a bunch of extremely important data and try to send it to our second debian: + + + root@debian-nginx2:~# ls + masterdump.sql + root@debian-nginx2:~# mkdir myveryimportantdirectory + root@debian-nginx2:~# echo 'myveryimportant text' > myveryimportantdirectory/myveryimportanttext.txt + root@debian-nginx2:~# ls -l + total 476 + -rw-r--r-- 1 root root 480150 Mar 20 10:29 masterdump.sql + drwxr-xr-x 2 root root 4096 Apr 2 07:00 myveryimportantdirectory + root@debian-nginx2:~# + + + +Now that we have that, we will use rsync to send it over to debian1 but to do that we first need to install a ssh connection between the 2 hosts, and to make it more secure we will use SSH keys: + + + + root@debian-nginx1:~# apt search openssh-server + Sorting... Done + Full Text Search... 
Done + openssh-server/stable,now 1:7.9p1-10+deb10u2 amd64 [installed] + secure shell (SSH) server, for secure access from remote machines + + + +I have installed openssh pre-emptively but if you didn't then install the openssh-server package like so: + + + apt install openssh-server + rm /etc/ssh/sshd_config + wget https://raw.githubusercontent.com/ech1/serverside/master/ssh/sshd_config -O /etc/ssh/sshd_config + systemctl restart sshd + + + +What my ssh config does is basically to allow the root login, and then refusing password authentifications to force the user to use SSH keys. This means that we will need to create the ssh keys of the slave node, and then we will need to copy the private key from the slave node to the master node. + +![](2.png) + +So first let's create the ssh keys on our debian1 machine, create the ~/.ssh directory if it is not already there: + + + root@debian-nginx1:~# cd .ssh + -bash: cd: .ssh: No such file or directory + root@debian-nginx1:~# mkdir .ssh + root@debian-nginx1:~# cd .ssh + root@debian-nginx1:~/.ssh# ssh-keygen -t ed25519 + Generating public/private ed25519 key pair. + Enter file in which to save the key (/root/.ssh/id_ed25519): + Enter passphrase (empty for no passphrase): + Enter same passphrase again: + Your identification has been saved in /root/.ssh/id_ed25519. + Your public key has been saved in /root/.ssh/id_ed25519.pub. + The key fingerprint is: + SHA256:svD8ddV4wm64PWrRPUDr/z3xqk0AfS2zrFi5yccEGIo root@debian-nginx1 + The key's randomart image is: + +--[ED25519 256]--+ + | . | + | . . + . . | + | E . o + = .| + | . O * | + | . . S =.X.o| + | + o +.%.=.| + | + o B.B +| + | . . ..B.oo| + | . 
.+o+o=| + +----[SHA256]-----+ + root@debian-nginx1:~/.ssh# + root@debian-nginx1:~/.ssh# cat id_ed25519.pub >> authorized_keys + + + +Now that's done, we need to get the private key: + + + + root@debian-nginx1:~/.ssh# cat id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACAR/s+1r8eJq5iHKi+JvCNyd9/vg5evPOC9HqdAKFbOkgAAAJiKlmf6ipZn + +gAAAAtzc2gtZWQyNTUxOQAAACAR/s+1r8eJq5iHKi+JvCNyd9/vg5evPOC9HqdAKFbOkg + AAAEA2aBZsMry0TeChASkAXPax2GEzEH26zcFmvGDaNzPiFRH+z7Wvx4mrmIcqL4m8I3J3 + 3++Dl6884L0ep0AoVs6SAAAAEnJvb3RAZGViaWFuLW5naW54MQECAw== + -----END OPENSSH PRIVATE KEY----- + + + +into the ssh client's ~/.ssh directory, that way when they will need to ssh into our debian machine, they will automatically use the private ssh key. To send one file to another host on the same network, we can use python3's http module: + + + root@debian-nginx1:~/.ssh# cat id_ed25519 + -----BEGIN OPENSSH PRIVATE KEY----- + b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW + QyNTUxOQAAACAR/s+1r8eJq5iHKi+JvCNyd9/vg5evPOC9HqdAKFbOkgAAAJiKlmf6ipZn + +gAAAAtzc2gtZWQyNTUxOQAAACAR/s+1r8eJq5iHKi+JvCNyd9/vg5evPOC9HqdAKFbOkg + AAAEA2aBZsMry0TeChASkAXPax2GEzEH26zcFmvGDaNzPiFRH+z7Wvx4mrmIcqL4m8I3J3 + 3++Dl6884L0ep0AoVs6SAAAAEnJvb3RAZGViaWFuLW5naW54MQECAw== + -----END OPENSSH PRIVATE KEY----- + root@debian-nginx1:~/.ssh# ip a | grep inet + inet 127.0.0.1/8 scope host lo + inet6 ::1/128 scope host + inet 192.168.0.150/24 brd 192.168.0.255 scope global eth0 + inet6 fe80::1cb1:50ff:fe1d:27dc/64 scope link + root@debian-nginx1:~/.ssh# python3 -m http.server 8080 + + + + + root@debian-nginx2:~# cd ~/.ssh + -bash: cd: /root/.ssh: No such file or directory + root@debian-nginx2:~# mkdir ~/.ssh + root@debian-nginx2:~# cd ~/.ssh + root@debian-nginx2:~/.ssh# wget http://192.168.0.150:8080/id_ed25519 + --2021-04-02 07:26:37-- http://192.168.0.150:8080/id_ed25519 + Connecting to 192.168.0.150:8080... connected. 
+ HTTP request sent, awaiting response... 200 OK + Length: 411 [application/octet-stream] + Saving to: 'id_ed25519' + + id_ed25519 100%[=================================================================================>] 411 --.-KB/s in 0s + + 2021-04-02 07:26:37 (27.9 MB/s) - 'id_ed25519' saved [411/411] + + + +Now here you need to set the correct permissions onto the client's private ssh key because otherwise you will get this error : + + + root@debian-nginx2:~/.ssh# ssh root@192.168.0.150 + The authenticity of host '192.168.0.150 (192.168.0.150)' can't be established. + ECDSA key fingerprint is SHA256:o7DMwIrXDCyQ3uzVdiUEHkViOXrJhcd47zLBc2U4uDU. + Are you sure you want to continue connecting (yes/no)? yes + Warning: Permanently added '192.168.0.150' (ECDSA) to the list of known hosts. + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ + @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + Permissions 0644 for '/root/.ssh/id_ed25519' are too open. + It is required that your private key files are NOT accessible by others. + This private key will be ignored. + Load key "/root/.ssh/id_ed25519": bad permissions + + + +you need to set the 600 permissions on the private ssh key and then you're able to login via ssh: + + + root@debian-nginx2:~/.ssh# chmod 600 id_ed25519 + root@debian-nginx2:~/.ssh# ssh root@192.168.0.150 + Linux debian-nginx1 5.4.78-1-pve #1 SMP PVE 5.4.78-1 (Mon, 30 Nov 2020 10:57:47 +0100) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ Last login: Fri Apr 2 06:57:25 2021 from 192.168.0.99 + root@debian-nginx1:~# id + uid=0(root) gid=0(root) groups=0(root) + + + +So now that we are able to login via ssh from debian2 TO debian1 we will be able to use rsync to send files from debian2 TO debian1 + +![](3.png) + +We will use rsync like so: + + + root@debian-nginx2:~# mkdir myveryimportantdirectory + root@debian-nginx2:~# echo 'myveryimportant text' > myveryimportantdirectory/myveryimportanttext.txt + root@debian-nginx2:~# ls -l + total 476 + -rw-r--r-- 1 root root 480150 Mar 20 10:29 masterdump.sql + drwxr-xr-x 2 root root 4096 Apr 2 07:42 myveryimportantdirectory + + root@debian-nginx2:~# rsync /root/myveryimportantdirectory root@192.168.0.150:/root/ + skipping directory myveryimportantdirectory + root@debian-nginx2:~# rsync -a /root/myveryimportantdirectory root@192.168.0.150:/root/ + root@debian-nginx2:~# + + + +Now here we basically synchronized the very important directory using the -a flag between our 2 debian hosts (192.168.0.150 and 192.168.0.151) we can see it appear in the first debian host + + + root@debian-nginx1:~# ls + masterdump.sql + root@debian-nginx1:~# ls -l + total 476 + -rw-r--r-- 1 root root 480150 Mar 20 10:29 masterdump.sql + drwxr-xr-x 2 root root 4096 Apr 2 07:42 myveryimportantdirectory + root@debian-nginx1:~# cat myveryimportantdirectory/myveryimportanttext.txt + myveryimportant text + + + +And that's it! we have been able to use rsync to backup our important directory and it's contents into the other debian host. + +## **Automatic backups** + +Now one particular use case i have found for these rsync backups are to automatically run them at a certain time every day. For example on my nextcloud server i do daily backups at 3 AM. 
To do so i want a zipfile to have the name of the date at which the backup occured, and on top of it i want the backup to be sent over to another host, to do that we will first do the whole process manually after we create a backups directory on the debian1 host (which will recieve the backups that debian2 will send): + + + root@debian-nginx1:~# ls + masterdump.sql myveryimportantdirectory + root@debian-nginx1:~# mkdir backups + root@debian-nginx1:~# cd backups/ + root@debian-nginx1:~/backups# ls -l + total 0 + + + +Now in here we want to recieve the backups from debian2, and we want them in a zip file with the date of the backup: + + + root@debian-nginx2:~# apt install zip + Reading package lists... Done + Building dependency tree + Reading state information... Done + The following additional packages will be installed: + unzip + The following NEW packages will be installed: + unzip zip + 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. + Need to get 406 kB of archives. + After this operation, 1202 kB of additional disk space will be used. + Do you want to continue? [Y/n] y + Get:1 http://ftp.debian.org/debian buster/main amd64 unzip amd64 6.0-23+deb10u2 [172 kB] + Get:2 http://ftp.debian.org/debian buster/main amd64 zip amd64 3.0-11+b1 [234 kB] + Fetched 406 kB in 0s (1745 kB/s) + Selecting previously unselected package unzip. + (Reading database ... 26618 files and directories currently installed.) + Preparing to unpack .../unzip_6.0-23+deb10u2_amd64.deb ... + Unpacking unzip (6.0-23+deb10u2) ... + Selecting previously unselected package zip. + Preparing to unpack .../zip_3.0-11+b1_amd64.deb ... + Unpacking zip (3.0-11+b1) ... + Setting up unzip (6.0-23+deb10u2) ... + Setting up zip (3.0-11+b1) ... + Processing triggers for man-db (2.8.5-2) ... + Processing triggers for mime-support (3.62) ... 
+ root@debian-nginx2:~# date --iso-8601 + 2021-04-02 + + root@debian-nginx2:~# zip -r backup-$(date --iso-8601) /root/myveryimportantdirectory/ + adding: root/myveryimportantdirectory/ (stored 0%) + adding: root/myveryimportantdirectory/myveryimportanttext.txt (stored 0%) + + root@debian-nginx2:~# ls -lash | grep backup + 4.0K -rw-r--r-- 1 root root 465 Apr 2 07:56 backup-2021-04-02.zip + + + +And now we send the backup: + + + + root@debian-nginx2:~# rsync backup-$(date --iso-8601).zip root@192.168.0.150:/root/backups/ + + + +and we check if the backup got sent to our debian1 host: + + + root@debian-nginx1:~# ls -lash backups/ + total 12K + 4.0K drwxr-xr-x 2 root root 4.0K Apr 2 07:58 . + 4.0K drwx------ 5 root root 4.0K Apr 2 07:52 .. + 4.0K -rw-r--r-- 1 root root 465 Apr 2 07:58 backup-2021-04-02.zip + + + + +And there it is! Now since you don't want to run that script manually everyday you can use crontab to run it for you: + + + crontab -e + + # + # For example, you can run a backup of all your user accounts + # at 5 a.m every week with: + # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/ + # + # For more information see the manual pages of crontab(5) and cron(8) + # + # m h dom mon dow command + **0 3 * * * /bin/bash /root/backup.sh** + + + + +save the cron changes and then create the backup script: + + + root@debian-nginx2:~# ls + backup-2021-04-02.zip masterdump.sql myveryimportantdirectory + root@debian-nginx2:~# vim backup.sh + + + + + #!/bin/bash + #this must run as root ! + if [ "$EUID" -ne 0 ] + then + echo 'MUST RUN AS ROOT!' + exit + fi + + cd /tmp/ + + cooldate=$(date --iso-8601) + echo $cooldate + rm backup*.zip + rm backup-$cooldate.zip + zip -r backup-$cooldate.zip /root/myveryimportantdirectory/ + rsync backup-$cooldate.zip root@192.168.0.150:/root/backups/ + rm backup*.zip + + cd - + + + +then try to run it to see if it works: + +![](4.png) + +And that's it! we have been able to create a script that creates zipped backups. 
The cronjob we setup earlier will run the script as the root user, which is intended and doing so everyday at 3 AM, that way, the backup process happens when there is least amount of work being done on the server. + diff --git a/safetwitch/0.png b/safetwitch/0.png new file mode 100644 index 0000000..7623e4b Binary files /dev/null and b/safetwitch/0.png differ diff --git a/safetwitch/1.png b/safetwitch/1.png new file mode 100644 index 0000000..efdcb51 Binary files /dev/null and b/safetwitch/1.png differ diff --git a/safetwitch/index.md b/safetwitch/index.md new file mode 100644 index 0000000..df071dd --- /dev/null +++ b/safetwitch/index.md 
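Review bot: The key-distribution step is backwards and insecure: the server's root private key `id_ed25519` is served with `python3 -m http.server 8080` (which binds all interfaces) and fetched with `wget http://192.168.0.150:8080/id_ed25519` in the clear, so anyone on that network segment can copy a root credential, and the server ends up trusting its own private key. The private key should never leave the client: generate the pair on debian-nginx2 and push only the public half with `ssh-copy-id` (run it before the custom `sshd_config` disables password auth, or append `id_ed25519.pub` to debian-nginx1's `authorized_keys` by hand). The `backup.sh` at the end of the hunk also runs as root inside the shared `/tmp` with a predictable name `backup-$cooldate.zip` and a bare `rm backup*.zip`, which any local user can pre-create or symlink; a private `mktemp -d` directory with a cleanup trap avoids that. Finally, `rm /etc/ssh/sshd_config` followed by a `wget` from a raw GitHub URL replaces the SSH daemon's policy sight unseen — the reader should at least `diff` it against the stock file before `systemctl restart sshd`.
```shell
# on debian-nginx2 (the host that pushes backups): create the pair here and ship ONLY the public key
ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub root@192.168.0.150

# … unchanged: rsync -a test transfer, crontab entry …

#!/bin/bash
# /root/backup.sh — zip /root/myveryimportantdirectory and push it to debian-nginx1; must run as root
set -euo pipefail
if [ "$EUID" -ne 0 ]; then
  echo 'MUST RUN AS ROOT!' >&2
  exit 1
fi

# private scratch directory instead of a predictable name in the world-writable /tmp
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT

cooldate=$(date --iso-8601)
archive="$workdir/backup-$cooldate.zip"
zip -r "$archive" /root/myveryimportantdirectory/
rsync -- "$archive" root@192.168.0.150:/root/backups/
```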
@@ -0,0 +1,215 @@ +# safetwitch Setup + +![](0.png) + +In this tutorial we're going to setup a privacy front-end for Twitch. + +## **Initial Setup** + +First clone the project: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv] + → git clone https://codeberg.org/dragongoose/safetwitch + Cloning into 'safetwitch'... + remote: Enumerating objects: 985, done. + remote: Counting objects: 100% (985/985), done. + remote: Compressing objects: 100% (540/540), done. + remote: Total 985 (delta 601), reused 685 (delta 409), pack-reused 0 + Receiving objects: 100% (985/985), 387.95 KiB | 5.39 MiB/s, done. + Resolving deltas: 100% (601/601), done. + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv] + → cd safetwitch + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/safetwitch] + → cat docker-compose.yml + version: "3.7" + services: + safetwitch-frontend: + image: codeberg.org/dragongoose/safetwitch + ports: + - "5070:80" + environment: + - SAFETWITCH_BACKEND_DOMAIN=api.safetwitch.nowhere.moe + - SAFETWITCH_INSTANCE_DOMAIN=safetwitch.nowhere.moe + - SAFETWITCH_HTTPS=true + restart: always + safetwitch-backend: + image: codeberg.org/dragongoose/safetwitch-backend + ports: + - "5071:7000" + environment: + - PORT=7000 + - URL=https://api.safetwitch.nowhere.moe + restart: always + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/safetwitch] + → docker-compose up -d + Creating network "safetwitch_default" with the default driver + Pulling safetwitch-frontend (codeberg.org/dragongoose/safetwitch:latest)... 
+ latest: Pulling from dragongoose/safetwitch + d0de230e4980: Pull complete + b42fa9547f79: Pull complete + aba2ce7a518a: Pull complete + 7d78fe4bd2d4: Pull complete + 533199e0e5fa: Pull complete + 3c324febbea5: Pull complete + 389db9210558: Pull complete + cb70d3a168ec: Pull complete + c2aae053f4c3: Pull complete + b5aa6a893904: Pull complete + 6ff1a70f50b5: Pull complete + 94567324fd2c: Pull complete + 363f44553ce3: Pull complete + Digest: sha256:6d6041509f1649be8ee38b87efc0cc87500293d1e41d5f7d7a99841420dbc110 + Status: Downloaded newer image for codeberg.org/dragongoose/safetwitch:latest + Pulling safetwitch-backend (codeberg.org/dragongoose/safetwitch-backend:latest)... + latest: Pulling from dragongoose/safetwitch-backend + 5119035169e2: Pull complete + 5016f2f7d1e0: Pull complete + a642e0bacbdb: Pull complete + Digest: sha256:c2e9e9fe54fc33a4a42086cb9d589e7e9cddb8df516879203da0f2506c3acbf4 + Status: Downloaded newer image for codeberg.org/dragongoose/safetwitch-backend:latest + Creating safetwitch-backend ... done + Creating safetwitch-frontend ... done + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/safetwitch] + → nmap 127.0.0.1 -p 7100 + Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 13:17 CEST + Nmap scan report for localhost.localdomain (127.0.0.1) + Host is up (0.000070s latency). + + PORT STATE SERVICE + 7100/tcp open font-service + + Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/safetwitch] + → nmap 127.0.0.1 -p 8280 + Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 13:21 CEST + Nmap scan report for localhost.localdomain (127.0.0.1) + Host is up (0.000050s latency). 
+ + PORT STATE SERVICE + 8280/tcp open synapse-nhttp + + Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds + + + +Next step is to put the service behind a reverse nginx proxy: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → bash + root@Datura /etc/nginx/sites-available # cat /etc/nginx/sites-available/safetwitch.nowhere.moe.conf + + server { + listen 443 ssl; + server_name safetwitch.nowhere.moe; + + ssl_certificate /etc/acme/certs/safetwitch.nowhere.moe/safetwitch.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/safetwitch.nowhere.moe/safetwitch.nowhere.moe.key; + + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:5070; + } + + } + + root@Datura /etc/nginx/sites-available # cat /etc/nginx/sites-available/api.safetwitch.nowhere.moe.conf + server { + listen 443 ssl; + server_name api.safetwitch.nowhere.moe; + + ssl_certificate /etc/acme/certs/api.safetwitch.nowhere.moe/api.safetwitch.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/api.safetwitch.nowhere.moe/api.safetwitch.nowhere.moe.key; + + access_log off; + error_log off; + + + location / { + #root /app; + #index index.html; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:5071; + #try_files $uri $uri/ /index.md; + } + } + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/safetwitch] + → nginx -s reload + 2023/07/16 13:22:11 [notice] 306635#306635: signal process started + root@Datura /etc/nginx/sites-available # systemctl stop nginx + root@Datura /etc/nginx/sites-available # acme.sh --issue --standalone -d safetwitch.nowhere.moe -d api.safetwitch.nowhere.moe -k 4096 + root@Datura /etc/nginx/sites-available # ln -s /etc/nginx/sites-available/safetwitch.nowhere.moe.conf /etc/nginx/sites-enabled/ + root@Datura /etc/nginx/sites-available # ln -s /etc/nginx/sites-available/api.safetwitch.nowhere.moe.conf /etc/nginx/sites-enabled/ + root@Datura /etc/nginx/sites-available # nginx -t + nginx: the configuration 
file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + root@Datura /etc/nginx/sites-available # systemctl restart nginx + + + +Then browse to see if your instance is working: + +![](1.png) + +Last step is to contribute to the overall [list](https://codeberg.org/dragongoose/safetwitch#instances) of instances [like so]() + +(Special thanks to Arya from for the helping making my instance work.) + +Next we're going to make sure it gets automatically updated like so: + + + [ nowhere.moe ] [ /dev/pts/1 ] [~] + → crontab -e + @hourly docker-compose -f /srv/safetwitch/docker-compose.yml stop ; git -C /srv/safetwitch/ pull ; docker-compose -f /srv/safetwitch/docker-compose.yml pull ; docker-compose -f /srv/safetwitch/docker-compose.yml up -d + + + [ nowhere.moe ] [ /dev/pts/1 ] [~] + → cronitor select + + ✔ docker-compose -f /srv/safetwitch/docker-compose.yml stop ; git -C /srv/safetwitch/ pull ; docker-compose -f /srv/safetwitch/docker-compose.yml up -d + ----► Running command: docker-compose -f /srv/safetwitch/docker-compose.yml stop ; git -C /srv/safetwitch/ pull ; docker-compose -f /srv/safetwitch/docker-compose.yml up -d + + Stopping safetwitch_safetwitch-frontend_1 ... done + Stopping safetwitch_safetwitch-backend_1 ... done + From https://codeberg.org/dragongoose/safetwitch + 4d5645f..af00bd5 master -> origin/master + * [new tag] v1.1.3 -> v1.1.3 + Updating 4d5645f..af00bd5 + Fast-forward + README.md | 127 +----------------------------------- + src/components/LanguageSwitcher.vue | 4 +- + src/components/SearchBar.vue | 2 - + src/i18n.ts | 2 + + src/locales | 2 +- + 5 files changed, 8 insertions(+), 129 deletions(-) + Starting safetwitch-frontend ... done + Starting safetwitch-backend ... 
done + + ----► ✔ Command successful Elapsed time 12.228s + + [ nowhere.moe ] [ /dev/pts/2 ] [~] + → cronitor select + + ✔ docker-compose -f /srv/safetwitch/docker-compose.yml stop ; git -C /srv/safetwitch/ pull ; docker-compose -f /srv/safetwitch/docker-compose.yml pull ; docker-compose -f /srv/safetwitch/docker-compose.yml up -d + ----► Running command: docker-compose -f /srv/safetwitch/docker-compose.yml stop ; git -C /srv/safetwitch/ pull ; docker-compose -f /srv/safetwitch/docker-compose.yml pull ; docker-compose -f /srv/safetwitch/docker-compose.yml up -d + + Stopping safetwitch_safetwitch-frontend_1 ... done + Stopping safetwitch_safetwitch-backend_1 ... done + Already up to date. + Pulling safetwitch-frontend ... done + Pulling safetwitch-backend ... done + Starting safetwitch_safetwitch-frontend_1 ... done + Starting safetwitch_safetwitch-backend_1 ... done + + ----► ✔ Command successful Elapsed time 12.885s + + + diff --git a/searx/0.png b/searx/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/searx/0.png differ diff --git a/searx/index.md b/searx/index.md new file mode 100644 index 0000000..f8e550e --- /dev/null +++ b/searx/index.md 
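Review bot: The compose file publishes both containers on all interfaces — `"5070:80"` and `"5071:7000"` carry no host address — so the frontend and backend are reachable over plain HTTP on the host's public IP, bypassing the nginx TLS vhosts configured afterwards (and Docker-published ports are typically not covered by ufw-style host rules, so nginx is not the only way in). Bind them to loopback: `- "127.0.0.1:5070:80"` and `- "127.0.0.1:5071:7000"`. The two `nmap` checks probe 7100 and 8280 rather than the 5070/5071 ports actually published, so they do not verify the deployment shown. The hourly cron job also pulls `:latest` and restarts unconditionally, meaning whatever the registry serves at that tag goes live with no review; if that trade-off is not intended, pin the images to the digests the pull printed (`codeberg.org/dragongoose/safetwitch@sha256:6d6041509f…` and `…/safetwitch-backend@sha256:c2e9e9fe54…`) and update them deliberately.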
@@ -0,0 +1,198 @@ +# SearX + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **1** + + + apt update -y && apt upgrade -y + useradd --shell /bin/bash --system \ + --home-dir "/usr/local/searx" \ + searx + + mkdir /usr/local/searx + chown -R "searx:searx" "/usr/local/searx" + usermod -aG sudo searx + passwd searx + + su searx + cd ~ + + git clone https://github.com/searx/searx.git searx + cd searx + + sudo -H ./utils/searx.sh install all + sudo -H ./utils/filtron.sh nginx install + sudo -H ./utils/morty.sh nginx install + + sudo apt install nginx -y + sudo -H ln -s /etc/nginx/sites-available/searx /etc/nginx/sites-enabled/searx + + + + + # https://example.org/searx + + location /searx { + proxy_pass http://127.0.0.1:4004/; + + proxy_set_header Host $http_host; + proxy_set_header Connection $http_connection; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + proxy_set_header X-Script-Name /searx; + } + + location /searx/static { + alias /usr/local/searx/searx-src/searx/static; + } + + Configure reverse proxy for morty, listening on localhost 3000: + + # https://example.org/morty + + location /morty { + proxy_pass http://127.0.0.1:3000/; + + proxy_set_header Host $http_host; + proxy_set_header Connection $http_connection; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + } + + + + + + apt update -y && apt upgrade -y + apt install git sudo curl -y + apt install -y \ + virtualenv python3-dev python3-babel python3-venv \ + uwsgi uwsgi-plugin-python3 \ + git build-essential libxslt-dev zlib1g-dev libffi-dev libssl-dev \ + shellcheck + + useradd --shell /bin/bash --system \ + --home-dir "/usr/local/searx" \ + --comment 'Privacy-respecting metasearch engine' searx + + mkdir "/usr/local/searx" + chown -R "searx:searx" "/usr/local/searx" + + su searx + git clone "https://github.com/searx/searx.git" 
"/usr/local/searx/searx-src" + + + python3 -m venv "/usr/local/searx/searx-pyenv" + echo ". /usr/local/searx/searx-pyenv/bin/activate" >> "/usr/local/searx/.profile" + + command -v python && python --version + pip install -U pip + pip install -U setuptools + pip install -U wheel + + cd "/usr/local/searx/searx-src" + pip install -e . + + sudo -H mkdir -p "/etc/searx" + sudo -H cp "/usr/local/searx/searx-src/searx/settings.yml" "/etc/searx/settings.yml" + sudo -H sed -i -e "s/ultrasecretkey/$(openssl rand -hex 16)/g" "/etc/searx/settings.yml" + sudo -H sed -i -e "s/{instance_name}/searx@$(uname -n)/g" "/etc/searx/settings.yml" + + + + + + + + + + + + + + + + + + + + + + su searx + + mkdir ~/Downloads + cd ~/Downloads + git clone https://github.com/searx/searx searx + cd searx + + ./utils/searx.sh install all + ./utils/filtron.sh install all + ./utils/morty.sh install all + + + + + + + + apt install nginx -y + ln -s /etc/nginx/sites-available/searx /etc/nginx/sites-enabled/searx + + + wget https://raw.githubusercontent.com/searx/searx/master/utils/filtron.sh + chmod +x filtron.sh + ./filtron.sh + + useradd --shell /bin/bash --system \ + --home-dir "/usr/local/filtron" \ + --comment "Privacy-respecting metasearch engine" filtron + + + mkdir "/usr/local/filtron" + chown -R "filtron:filtron" "/usr/local/filtron" + + cat > "/usr/local/filtron/.go_env" <> ~/.profile + (filtron) $ mkdir /usr/local/filtron/local + (filtron) $ wget --progress=bar -O "go1.13.5.linux-amd64.tar.gz" \ + "https://dl.google.com/go/go1.13.5.linux-amd64.tar.gz" + (filtron) $ tar -C /usr/local/filtron/local -xzf "go1.13.5.linux-amd64.tar.gz" + (filtron) $ which go + /usr/local/filtron/local/go/bin/go + + sudo -i -u "filtron" + (filtron) $ go get -v -u github.com/asciimoo/filtron + + get the systemd service from here https://searx.github.io/searx/utils/filtron.sh.html#filtron-sh + + filtron.sh --help + + then nginx config + + + 
diff --git a/searx_docker/0.png b/searx_docker/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/searx_docker/0.png differ
diff --git a/searx_docker/index.md b/searx_docker/index.md
new file mode 100644
index 0000000..51ec60c
--- /dev/null
+++ b/searx_docker/index.md
@@ -0,0 +1,49 @@ +# Searx (Docker) + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. + root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **1** + + + apt update -y && apt upgrade -y + apt install docker.io -y + + mkdir /var/www/ + mkdir /var/www/searx + + ip a | grep inet + docker run --rm -d -v /var/www/searx:/etc/searx -p 9999:8080 -e BASE_URL=http://192.168.0.200:9999/ searx/searx --restart=always + docker run --rm -d -v /var/www/searx:/etc/searx -p 9999:8080 -e BASE_URL=http://192.168.0.200:9999/ wonderfall/searx --restart=always + docker run -d --name searx2 -p 9999:8888 wonderfall/searx --restart=always + + cd /var/www/searx/ + ls -lash + + docker run --rm -it searx/searx -h + + + + 
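Review bot: In all three `docker run` lines `--restart=always` comes after the image name, so Docker hands it to the container's entrypoint as a command-line argument instead of applying a restart policy, and in the first two lines it is paired with `--rm`, which Docker refuses as conflicting with `--restart` anyway. `-p 9999:8080` also publishes the instance on every interface of the host over plain HTTP (`BASE_URL=http://192.168.0.200:9999/`); if it is meant to sit behind a TLS reverse proxy as the other pages in this series do, bind it to loopback. A corrected line would be `docker run -d --name searx --restart=always -p 127.0.0.1:9999:8080 -v /var/www/searx:/etc/searx -e BASE_URL=https://your.domain/ searx/searx`. The hunk also tries three different images (`searx/searx`, then `wonderfall/searx` twice with different internal ports) without saying which one the remainder of the tutorial assumes.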
diff --git a/searxng/1.png b/searxng/1.png
new file mode 100644
index 0000000..2d269c7
Binary files /dev/null and b/searxng/1.png differ
diff --git a/searxng/index.md b/searxng/index.md
new file mode 100644
index 0000000..f8dac15
--- /dev/null
+++ b/searxng/index.md
@@ -0,0 +1,288 @@ +# searxng Setup + +![](0.svg) + +In this tutorial, we're going to setup a Searxng instance using docker-compose and nginx + +## **Initial Setup** + +Clone the repo and edit the docker-compose file: + + + [ nowhere.moe ] [ /dev/pts/10 ] [/srv] + → git clone https://github.com/searxng/searxng-docker + Cloning into 'searxng-docker'... + remote: Enumerating objects: 308, done. + remote: Counting objects: 100% (44/44), done. + remote: Compressing objects: 100% (34/34), done. + remote: Total 308 (delta 20), reused 23 (delta 9), pack-reused 264 + Receiving objects: 100% (308/308), 82.98 KiB | 5.53 MiB/s, done. + Resolving deltas: 100% (167/167), done. + + [ nowhere.moe ] [ /dev/pts/10 ] [/srv] + → cd searxng-docker + + [ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker] + → vim docker-compose.yaml + + [ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker] + → cat docker-compose.yaml + version: "3.7" + + services: + #caddy: + # container_name: caddy + # image: caddy:2-alpine + # network_mode: host + # volumes: + # - ./Caddyfile:/etc/caddy/Caddyfile:ro + # - caddy-data:/data:rw + # - caddy-config:/config:rw + # environment: + # - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME:-http://localhost:80} + # - SEARXNG_TLS=${LETSENCRYPT_EMAIL:-internal} + # cap_drop: + # - ALL + # cap_add: + # - NET_BIND_SERVICE + + redis: + container_name: redis + image: docker.io/library/redis:alpine + command: redis-server --save 30 1 --loglevel warning + networks: + - searxng + volumes: + - redis-data:/data + cap_drop: + - ALL + cap_add: + - SETGID + - SETUID + - DAC_OVERRIDE + + searxng: + container_name: searxng + image: searxng/searxng:latest + networks: + - searxng + ports: + - "127.0.0.1:8877:8080" + volumes: + - ./searxng:/etc/searxng:rw + environment: + #- SEARXNG_BASE_URL=https://${SEARXNG_HOSTNAME}/ + - SEARXNG_BASE_URL=https://search.nowhere.moe/ + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID + logging: + driver: "json-file" + options: + max-size: "1m" + 
max-file: "1" + + networks: + searxng: + ipam: + driver: default + + volumes: + #caddy-data: + caddy-config: + redis-data: + + [ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker] + → cat searxng/settings.yml + # see https://docs.searxng.org/admin/settings/settings.html#settings-use-default-settings + use_default_settings: true + server: + base_url: https://search.nowhere.moe/ #is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml + secret_key: "dwaawdwawadwer1312wdracvhbgdtfhre" # change this! + limiter: true # can be disabled for a private instance + image_proxy: true + public_instance: true + ui: + static_use_hash: true + redis: + url: redis://redis:6379/0 + + [ nowhere.moe ] [ /dev/pts/10 ] [/srv/searxng-docker] + → docker-compose up -d + Starting redis ... done + Starting searxng ... done + + + +Then have the following nginx config: + + + [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available] + → vim search.nowhere.moe.conf + + root@nowhere.moe /etc/nginx/sites-available # cat search.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name search.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + server_name search.nowhere.moe; + + ssl_certificate /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/search.nowhere.moe/search.nowhere.moe.key; + + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ######## + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 
'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options "nosniff"; + add_header Content-Security-Policy "default-src 'self';"; + + + location / { + proxy_pass http://localhost:8877; + } + } + + + + [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/search.nowhere.moe.conf + ln: failed to create symbolic link './search.nowhere.moe.conf': File exists + + [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/search.nowhere.moe.conf /etc/nginx/sites-enabled + + [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available] + → nginx -t + 2024/02/16 21:07:54 [emerg] 409181#409181: cannot load certificate "/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/acme/certs/search.nowhere.moe/search.nowhere.moe.cer, r) error:10000080:BIO routines::no such file) + nginx: configuration file /etc/nginx/nginx.conf test failed + + [ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available] + → bash + root@nowhere.moe /etc/nginx/sites-available # systemctl stop nginx ; acme.sh --issue --standalone -d search.nowhere.moe -k 4096 ; systemctl start nginx + + + +Then simply browse to your instance on the web: + +![](1.png) + +You can also search for something, then right click the 
search bar to add it as a search engine in firefox. then you can make it your default search enging. + +## **Host a public instance** + +get your instance listed [here](https://github.com/searxng/searx-instances/issues/475) among the other instances on + +## **Hardening Setup** + +To get listed among the public instances, you need to make sure your TLS hardening top notch, as explained below: + + + #for the DNS change for the CAA record, do the following: + root@mail-gw:/var/cache/bind# cat db.nowhere.moe | grep search + search.nowhere.moe. IN A 37.27.32.233 + search.nowhere.moe. IN CAA 0 issue "letsencrypt.org" + + [ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh] + → cat /etc/nginx/sites-available/search.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + server_name search.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl; + server_name search.nowhere.moe; + + ssl_certificate /root/.acme.sh/search.nowhere.moe/fullchain.cer; + ssl_certificate_key /root/.acme.sh/search.nowhere.moe/search.nowhere.moe.key; + ssl_dhparam /root/.acme.sh/dhparam.pem; + + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://search.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ######## + + # SSL Settings + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate 
/root/.acme.sh/search.nowhere.moe/fullchain.cer; + resolver 1.1.1.1 208.67.222.222; + + add_header Strict-Transport-Security "max-age=63072000" always; + + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options "nosniff"; + add_header Content-Security-Policy "default-src 'self';"; + + + location / { + proxy_pass http://localhost:8877; + } + } + + + + +To generate the dhparam.pem file you do the following: + + + [ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh] + → openssl dhparam -dsaparam -out dhparam.pem 4096 + Generating DSA parameters, 4096 bit long prime + ....+..+...+....+..+.....+..................+......+.....+............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++* + + + +Then reload nginx and check the scores on [mozilla's observatory](https://observatory.mozilla.org/analyze/search.nowhere.moe) and [qualys' TLS checker](https://www.ssllabs.com/ssltest/analyze.html?d=search.nowhere.moe) + + + [ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/5 ] [~/.acme.sh] + → nginx -s reload + 2024/02/24 08:24:59 [notice] 3403413#3403413: signal process started + + + diff --git a/sharelatex/0.png b/sharelatex/0.png new file mode 100644 index 0000000..9a790db Binary files /dev/null and b/sharelatex/0.png differ diff --git a/sharelatex/1.png b/sharelatex/1.png new file mode 100644 index 0000000..7440172 Binary files /dev/null and b/sharelatex/1.png differ diff --git a/sharelatex/2.png b/sharelatex/2.png new file mode 100644 index 0000000..e1727b6 Binary files /dev/null and b/sharelatex/2.png differ diff --git a/sharelatex/3.png b/sharelatex/3.png new file mode 100644 index 0000000..e2ff123 Binary files /dev/null and b/sharelatex/3.png differ 
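Review bot: The `secret_key` in `searxng/settings.yml` is a typed-in literal, `dwaawdwawadwer1312wdracvhbgdtfhre`, carrying only a `# change this!` comment; because the file is published with the tutorial, every reader who copies it inherits a key that is now public, and if this is the live configuration of the public instance on the page its own key is exposed too. Replace the value with the output of `openssl rand -hex 32` (e.g. `sed -i "s|dwaawdwawadwer1312wdracvhbgdtfhre|$(openssl rand -hex 32)|g" searxng/settings.yml`) and show a placeholder rather than a real value in the write-up. Relatedly, the nginx `location /` block only contains `proxy_pass http://localhost:8877;`, so the container sees every request as coming from 127.0.0.1; with `limiter: true` and `public_instance: true` the rate limiter will, as far as I can tell, treat all visitors as one client unless you add `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The first nginx config's `ssl_ciphers` string also mixes non-OpenSSL `TLS13-*` names with CBC suites such as `ECDHE-RSA-AES256-SHA384`; the hardened config further down drops both, so the first one could simply be replaced by it to avoid readers deploying the weaker variant.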
diff --git a/sharelatex/4.png b/sharelatex/4.png
new file mode 100644
index 0000000..4ba664f
Binary files /dev/null and b/sharelatex/4.png differ
diff --git a/sharelatex/5.png b/sharelatex/5.png
new file mode 100644
index 0000000..d44e1c5
Binary files /dev/null and b/sharelatex/5.png differ
diff --git a/sharelatex/6.png b/sharelatex/6.png
new file mode 100644
index 0000000..28d9fe6
Binary files /dev/null and b/sharelatex/6.png differ
diff --git a/sharelatex/7.png b/sharelatex/7.png
new file mode 100644
index 0000000..a9d2c45
Binary files /dev/null and b/sharelatex/7.png differ
diff --git a/sharelatex/8.png b/sharelatex/8.png
new file mode 100644
index 0000000..bad5072
Binary files /dev/null and b/sharelatex/8.png differ
diff --git a/sharelatex/9.png b/sharelatex/9.png
new file mode 100644
index 0000000..1b8c79b
Binary files /dev/null and b/sharelatex/9.png differ
diff --git a/sharelatex/index.md b/sharelatex/index.md
new file mode 100644
index 0000000..161cd6c
--- /dev/null
+++ b/sharelatex/index.md
@@ -0,0 +1,337 @@ +# ShareLaTeX / Overleaf + +![](0.png) + +Today we're going to setup an Open-source real-time collaborative LaTeX editor. + +## **Initial Setup** + +Setup Docker to get started + + + root@home:~# apt install docker.io -y + + + +Once it's installed, you can look for sharelatex's containers: + + + root@docker0:~# docker search sharelatex + + root@docker0:~/sharelatex# docker search sharelatex + NAME DESCRIPTION STARS OFFICIAL AUTOMATED + sharelatex/sharelatex The official ShareLaTeX Community Edition do… 67 + tiagoboldt/sharelatex-docker 21 [OK] + xuio/sharelatex-docker-image-full Sharelatex docker image with scheme-full 4 [OK] + sharelatex/sharelatex-base ShareLaTeX base-image 3 + dennis1f/sharelatex-texlive2018 sharelatex with texlive 2018 2 [OK] + braindoctor/sharelatex Official Sharelatex image, but with full tex… 2 [OK] + jrandall/sharelatex 1 [OK] + rigon/sharelatex-full ShareLatex with all Latex packages installed… 1 [OK] + flodointhecloud/sharelatex-texlive2019 ShareLaTeX docker image with full TeX Live … 1 + jonasbareiss/sharelatex 0 + shimmyjimi/sharelatex Build of sharelatex / overleaf comunity to g… 0 + sharelatex/copybara Our build of google/copybara 0 + jperon/sharelatex-music ShareLaTeX with Gregorio and LilyPond. 
0 [OK] + dpantele/sharelatex Automated build of custom sharelatex image 0 [OK] + sharelatex/acceptance-test-runner 0 + yousiki/sharelatex 0 + iiet/sharelatex-docker-image Sharelatex custom build 0 [OK] + sharelatex/acceptance-test-runner-postgres 0 + sharelatex/node-aspell 0 + jonathanverner/sharelatex ShareLaTeX Community Edition (with tweaks) 0 + sleyai/sharelatex 0 + marijnhollander/sharelatex Sharelatex image with tlmgr scheme-full, Pyg… 0 + 459below/sharelatex Standard Sharelatex container to include the… 0 [OK] + mwohlert/sharelatex-full https://github.com/mwohlert/sharelatex-full 0 + thielepaul/sharelatex-full 0 + root@docker0:~/sharelatex# + + + + +You can pull sharelatex and mongodb, setting it all up manually, or you can just have the official docker-compose image: + + + root@docker0:~# ls -lsh + total 16K + 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 19:16 codimd + 4.0K drwxr-xr-x 11 root root 4.0K Apr 18 08:03 dillinger + 4.0K drwxr-xr-x 7 root root 4.0K Apr 18 08:03 kutt + 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 08:56 neko + root@docker0:~# mkdir sharelatex + root@docker0:~# cd sharelatex/ + root@docker0:~/sharelatex# wget https://raw.githubusercontent.com/overleaf/overleaf/master/docker-compose.yml + --2021-04-18 20:28:44-- https://raw.githubusercontent.com/overleaf/overleaf/master/docker-compose.yml + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.108.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 5639 (5.5K) [text/plain] + Saving to: ‘docker-compose.yml’ + + docker-compose.yml 100%[============================================================================>] 5.51K --.-KB/s in 0.001s + + 2021-04-18 20:28:44 (4.02 MB/s) - ‘docker-compose.yml’ saved [5639/5639] + + root@docker0:~/sharelatex# vim docker-compose.yml + + + +Yes this docker-compose.yml is relatively big compared to what we previously did, but that's life. For now we're going to test it locally, so we won't bother with the domain names and reverse proxy: + + + version: '2.2' + services: + sharelatex: + restart: always + image: sharelatex/sharelatex + container_name: sharelatex + depends_on: + mongo: + condition: service_healthy + redis: + condition: service_started + ports: + - 8090:80 + links: + - mongo + - redis + volumes: + - ~/sharelatex_data:/var/lib/sharelatex + + environment: + + SHARELATEX_APP_NAME: Overleaf Community Edition + + SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex + + # Same property, unfortunately with different names in + # different locations + SHARELATEX_REDIS_HOST: redis + REDIS_HOST: redis + + ENABLED_LINKED_FILE_TYPES: 'url,project_file' + + # Enables Thumbnail generation using ImageMagick + ENABLE_CONVERSIONS: 'true' + + # Disables email confirmation requirement + EMAIL_CONFIRMATION_DISABLED: 'true' + + # temporary fix for LuaLaTex compiles + # see https://github.com/overleaf/overleaf/issues/695 + TEXMFVAR: /var/lib/sharelatex/tmp/texmf-var + + ## Set for SSL via nginx-proxy + #VIRTUAL_HOST: 103.112.212.22 + + # SHARELATEX_SITE_URL: http://sharelatex.mydomain.com + # SHARELATEX_NAV_TITLE: Our ShareLaTeX Instance + # SHARELATEX_HEADER_IMAGE_URL: http://somewhere.com/mylogo.png + # SHARELATEX_ADMIN_EMAIL: support@it.com + + # SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by [ShareLaTeX](\\"https://www.sharelatex.com\\") 2016"},{"text": "Another page I want to link to can be found [here](\\"here\\")"} ]' + # SHARELATEX_RIGHT_FOOTER: '[{"text": "Hello I am 
on the Right"} ]' + + # SHARELATEX_EMAIL_FROM_ADDRESS: "team@sharelatex.com" + + # SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID: + # SHARELATEX_EMAIL_AWS_SES_SECRET_KEY: + + # SHARELATEX_EMAIL_SMTP_HOST: smtp.mydomain.com + # SHARELATEX_EMAIL_SMTP_PORT: 587 + # SHARELATEX_EMAIL_SMTP_SECURE: false + # SHARELATEX_EMAIL_SMTP_USER: + # SHARELATEX_EMAIL_SMTP_PASS: + # SHARELATEX_EMAIL_SMTP_TLS_REJECT_UNAUTH: true + # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false + # SHARELATEX_EMAIL_SMTP_NAME: '127.0.0.1' + # SHARELATEX_EMAIL_SMTP_LOGGER: true + # SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by department x" + + mongo: + restart: always + image: mongo:4.0 + container_name: mongo + expose: + - 27017 + volumes: + - ~/mongo_data:/data/db + healthcheck: + test: echo 'db.stats().ok' | mongo localhost:27017/test --quiet + interval: 10s + timeout: 10s + retries: 5 + + redis: + restart: always + image: redis:5 + container_name: redis + expose: + - 6379 + volumes: + - ~/redis_data:/data + + + + +The only thing in here that i changed is the port (from 80:80 to 8090:80) because my port 80 is used by another container. Once you're done editing it, hit **:wq** to save and quit out of vim, then use docker-compose to build the container from the yml file: + + + root@docker0:~/sharelatex# ls -lash + total 12K + 4.0K drwxr-xr-x 2 root root 4.0K Apr 18 20:34 . + 4.0K drwx------ 12 root root 4.0K Apr 18 20:34 .. + 4.0K -rw-r--r-- 1 root root 3.0K Apr 18 20:34 docker-compose.yml + + root@docker0:~/sharelatex# docker-compose up -d + + Creating network "sharelatex_default" with the default driver + Pulling mongo (mongo:4.0)... + 4.0: Pulling from library/mongo + + [...] + + 81cf86179504: Pull complete + 52fbbc31d2bb: Pull complete + Digest: sha256:2b7dd04de6915c427c5ed116d602eb02329466dcf76c4f506284685ba995bcc3 + Status: Downloaded newer image for sharelatex/sharelatex:latest + Creating redis ... done + Creating mongo ... done + Creating sharelatex ... 
done + root@docker0:~/sharelatex# + + + +Once it's done, you can check the containers like so: + + + root@docker0:~/sharelatex# docker container ls + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 831a57e1a4b6 sharelatex/sharelatex "/sbin/my_init" About a minute ago Up About a minute 0.0.0.0:8090->80/tcp sharelatex + d9f12a3b40f3 mongo:4.0 "docker-entrypoint.s…" About a minute ago Up About a minute (healthy) 27017/tcp mongo + 73817b58274a redis:5 "docker-entrypoint.s…" About a minute ago Up About a minute 6379/tcp + + + +Looks good! let's check it out from our browser, and to setup our first admin user account we need to go to **192.168.0.200:8090/launchpad** : + +![](1.png) ![](2.png) ![](3.png) + +Once the admin account is created, we login and go take a look at the admin panel: + +![](4.png) + +Above all we can go to the admin panel to register new users, or + +![](5.png) ![](6.png) ![](7.png) + +And that's it! We have been able to create our first LaTeX document on ShareLaTeX, we could locally share the document, but we would of course prefer to share it publicly. To do so we're going to setup a NGINX reverse proxy to make sure we have HTTPS and a subdomain for this service: + +## **Reverse NGINX Proxy** + +We're going to setup the reverse nginx proxy on my main debian node (10.0.0.101/16): + + + [ 10.0.0.10/16 ] [ /dev/pts/6 ] [Github/blog/servers] + → ssh root@10.0.0.101 + root@10.0.0.101's password: + Linux home 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ Last login: Sun Apr 18 20:19:25 2021 from 10.0.0.10 + + root@home:/var/www/void.yt/config# vim /etc/nginx/sites-available/latex.void.yt.conf + + + + + upstream latbackend { + server 192.168.0.200:8090; + } + + server { + listen 80; + listen [::]:80; + server_name latex.void.yt; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name latex.void.yt; + + ssl_certificate /root/.acme.sh/latex.void.yt/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/latex.void.yt/latex.void.yt.cer; + ssl_certificate_key /root/.acme.sh/latex.void.yt/latex.void.yt.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + + location / { + proxy_pass http://latbackend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + } + } + + + +:wq to save and quit out of vim, then enable the website: + + + root@home:/var/www/void.yt/config# ln -s /etc/nginx/sites-available/latex.void.yt.conf /etc/nginx/sites-enabled/ + root@home:/var/www/void.yt/config# nginx -t + nginx: 
[emerg] BIO_new_file("/root/.acme.sh/latex.void.yt/fullchain.cer") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/root/.acme.sh/latex.void.yt/fullchain.cer','r') error:2006D080:BIO routines:BIO_new_file:no such file) + nginx: configuration file /etc/nginx/nginx.conf test failed + + + +Here you see nginx fail. That's because we need to get the TLS certificates, and we get them from LetsEncrypt thanks to acme.sh: + + + root@home:/var/www/void.yt/config# systemctl stop nginx + root@home:/var/www/void.yt/config# acme.sh --issue --standalone -d latex.void.yt -k 4096 + + root@home:/var/www/void.yt/config# nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + + +After getting the TLS certificates, nginx is now fine with our config, so start it again and see the result: + + + root@home:/var/www/void.yt/config# systemctl start nginx + + + +![](8.png) + +Here you can see that the website is now accessible from a public IP and subdomain, which is also securised by LetsEncrypt Certificates. Now let's test sharing the link with guests (make sure you create their accoutns first): + +![](9.png) + +And that's it! we have been able to send a link to a pre-registered user to collaborate on LaTeX documents. + diff --git a/snmp/1.png b/snmp/1.png new file mode 100644 index 0000000..08c451e Binary files /dev/null and b/snmp/1.png differ diff --git a/snmp/10.png b/snmp/10.png new file mode 100644 index 0000000..902728e Binary files /dev/null and b/snmp/10.png differ diff --git a/snmp/11.png b/snmp/11.png new file mode 100644 index 0000000..2103508 Binary files /dev/null and b/snmp/11.png differ diff --git a/snmp/12.png b/snmp/12.png new file mode 100644 index 0000000..d95711c Binary files /dev/null and b/snmp/12.png differ diff --git a/snmp/13.png b/snmp/13.png new file mode 100644 index 0000000..bd95ffa Binary files /dev/null and b/snmp/13.png differ 
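Review bot: `ssl_trusted_certificate` in `latex.void.yt.conf` points at the leaf certificate (`latex.void.yt.cer`) while `ssl_stapling_verify on` is set; as I understand nginx, the OCSP response is verified against the CA chain supplied by that directive, so with only the leaf the check cannot pass and stapling is silently dropped (nginx logs a warning rather than failing `nginx -t`). Use the chain file acme.sh already produces, `ssl_trusted_certificate /root/.acme.sh/latex.void.yt/fullchain.cer;`, matching what `ssl_certificate` uses two lines above. The `location /` block also sends `Connection "Upgrade"` to the backend for every request, not just WebSocket handshakes; the usual fix is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` context and `proxy_set_header Connection $connection_upgrade;`, plus `proxy_set_header Host $host;` so the application sees the public hostname (no `SHARELATEX_SITE_URL` is set in the compose file shown). Finally, `ports: - 8090:80` binds the editor on every interface of the docker host, so it remains reachable over plain HTTP on the LAN alongside the TLS front-end; binding it to the address the proxy connects to, `192.168.0.200:8090:80`, narrows that.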
diff --git a/snmp/14.png b/snmp/14.png
new file mode 100644
index 0000000..6c8c2eb
Binary files /dev/null and b/snmp/14.png differ
diff --git a/snmp/15.png b/snmp/15.png
new file mode 100644
index 0000000..dfa58bd
Binary files /dev/null and b/snmp/15.png differ
diff --git a/snmp/2.png b/snmp/2.png
new file mode 100644
index 0000000..dddbadc
Binary files /dev/null and b/snmp/2.png differ
diff --git a/snmp/3.png b/snmp/3.png
new file mode 100644
index 0000000..6e680de
Binary files /dev/null and b/snmp/3.png differ
diff --git a/snmp/4.png b/snmp/4.png
new file mode 100644
index 0000000..d2e197f
Binary files /dev/null and b/snmp/4.png differ
diff --git a/snmp/5.png b/snmp/5.png
new file mode 100644
index 0000000..007196b
Binary files /dev/null and b/snmp/5.png differ
diff --git a/snmp/6.png b/snmp/6.png
new file mode 100644
index 0000000..59900d0
Binary files /dev/null and b/snmp/6.png differ
diff --git a/snmp/7.png b/snmp/7.png
new file mode 100644
index 0000000..4f7dec2
Binary files /dev/null and b/snmp/7.png differ
diff --git a/snmp/8.png b/snmp/8.png
new file mode 100644
index 0000000..2c7720e
Binary files /dev/null and b/snmp/8.png differ
diff --git a/snmp/9.png b/snmp/9.png
new file mode 100644
index 0000000..fa2ea52
Binary files /dev/null and b/snmp/9.png differ
diff --git a/snmp/index.md b/snmp/index.md
new file mode 100644
index 0000000..622aedb
--- /dev/null
+++ b/snmp/index.md
@@ -0,0 +1,182 @@ +# SNMP + +![]() + +In this tutorial we're going to look at how we can setup snmp for multiple operating systems: + +## **Linux SNMP** + +First we need to install the required dependencies: + + + root@home:~# apt install snmpd snmp + Reading package lists... Done + Building dependency tree + Reading state information... Done + The following additional packages will be installed: + libmariadb3 libsnmp-base libsnmp30 mariadb-common mysql-common + Suggested packages: + snmp-mibs-downloader snmptrapd + The following NEW packages will be installed: + libmariadb3 libsnmp-base libsnmp30 mariadb-common mysql-common snmp snmpd + 0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded. + Need to get 4,339 kB of archives. + After this operation, 8,513 kB of additional disk space will be used. + Do you want to continue? [Y/n] y + + + +Then we're going to get a snmp configuration sample along with the distro binary file: + + + root@home:~# wget https://void.yt/snmp/snmpd.conf -O /etc/snmp/snmpd.conf + --2021-04-30 19:42:15-- https://void.yt/snmp/snmpd.conf + Resolving void.yt (void.yt)... 85.171.172.151 + Connecting to void.yt (void.yt)|85.171.172.151|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 1522 (1.5K) [application/octet-stream] + Saving to: ‘/etc/snmp/snmpd.conf’ + + /etc/snmp/snmpd.conf 100%[=================================================================>] 1.49K --.-KB/s in 0s + + 2021-04-30 19:42:16 (11.3 MB/s) - ‘/etc/snmp/snmpd.conf’ saved [1522/1522] + + root@home:~# vim /etc/snmp/snmpd.conf + + + +Edit this configuration however you like, then :wq to save and quit out of vim: + + + # Listen for connections on all interfaces (both IPv4 *and* IPv6) + agentAddress udp:161,udp6:[::1]:161 + + # Full view access + view all included .1 + + # system + hrSystem groups only + view systemonly included .1.3.6.1.2.1.1 + view systemonly included .1.3.6.1.2.1.25.1 + + # Default access to full view + rocommunity void.yt default -V all + + # Default access to basic system info + #rocommunity public default -V systemonly + + # System contact and location + #syslocation Rack/Room/Building, Street, City, Country [GPSX,Y] + syslocation Nowhere + syscontact Nothing + + # Disk Monitoring + disk / 10000 + disk /var 5% + includeAllDisks 10% + + # Unacceptable 1-, 5-, and 15-minute load averages + load 12 10 5 + + # This line allows Observium to detect the host OS if the distro script is installed + extend .1.3.6.1.4.1.2021.7890.1 distro /usr/local/bin/distro + + # This lines allows Observium to detect hardware, vendor and serial + extend .1.3.6.1.4.1.2021.7890.2 hardware /bin/cat /sys/devices/virtual/dmi/id/product_name + extend .1.3.6.1.4.1.2021.7890.3 vendor /bin/cat /sys/devices/virtual/dmi/id/sys_vendor + extend .1.3.6.1.4.1.2021.7890.4 serial /bin/cat /sys/devices/virtual/dmi/id/product_serial + + # This line allows Observium to collect an accurate uptime + extend uptime /bin/cat /proc/uptime + + # This line enables Observium's ifAlias description injection + #pass_persist .1.3.6.1.2.1.31.1.1.1.18 /usr/local/bin/ifAlias_persist + + + +Make sure you edit the rocommunity line properly, **this contains the community string** (the password to view 
the system infos) so replace it with '**rocommunity MyP@$$W0RD default -V all** ' + +After you configured snmp, make sure you have the **/usr/bin/distro** bashscript: + + + root@home:~# wget https://void.yt/snmp/distro -O /usr/local/bin/distro + --2021-04-30 19:49:30-- https://void.yt/snmp/distro + Resolving void.yt (void.yt)... 85.171.172.151 + Connecting to void.yt (void.yt)|85.171.172.151|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 4677 (4.6K) [application/octet-stream] + Saving to: ‘/usr/local/bin/distro’ + + /usr/local/bin/distro 100%[================================================================>] 4.57K --.-KB/s in 0s + + 2021-04-30 19:49:30 (25.8 MB/s) - ‘/usr/local/bin/distro’ saved [4677/4677] + + root@home:~# chmod +x /usr/local/bin/distro + root@home:~# /usr/local/bin/distro + Debian 10.9 + + root@home:~# wget https://void.yt/snmp/bandwidth.sh -O /usr/local/bin/bandwidth + root@home:~# chmod +x /usr/local/bin/bandwidth + root@home:~# apt install vnstat bc -y ; systemctl enable --now vnstat + root@home:~# /usr/local/bin/bandwidth + + + + +Once that's done, simply restart the snmpd systemd service since we changed the default config: + + + root@home:~# systemctl restart snmpd + + + +And that's it ! Now add it to your monitoring solution such as [Observium](../observium/index.md): + +![](1.png) ![](2.png) ![](3.png) + +Once the device is added, you need to wait for the device to get automatically polled, which usually takes 5-10 minutes on observium. + +![](4.png) + +Check out my zabbix tutorial on how i setup a snmp OID to monitor the monthly bandwidth usage of my VPS [here ](../zabbix/index.md) + +## **Windows SNMP** + +First add the windows10 SNMP feature: + +![](5.png) ![](6.png) + +Then configure snmp itself with your readonly (RO) community string: + +![](7.png) ![](8.png) + +If you want you can select to only accept snmp packets from certain hosts for which you need to specify which IPs to filter. 
Next you need to go into Windows' firewall to enable the SNMP packets: + + + netsh advfirewall firewall add rule name="SNMP UDP Port 161 In" dir=in action=allow protocol=UDP localport=161 + + netsh advfirewall firewall add rule name="SNMP UDP Port 161 Out" dir=out action=allow protocol=UDP localport=161 + + netsh advfirewall firewall add rule name="SNMPTRAP UDP Port 162 In" dir=in action=allow protocol=UDP localport=162 + + netsh advfirewall firewall add rule name=" SNMPTRAP UDP Port 162 Out" dir=out action=allow protocol=UDP localport=162 + + + +![](9.png) + +Once that's done, you should be able to add it to your monitoring tool: + +![](10.png) ![](11.png) + +## **PfSense SNMP** + +Same thing as our previous 2 examples, let enable and configure snmp: + +![](12.png) + +And then just add the host: + +![](13.png) ![](14.png) ![](15.png) + +And that's it! We managed to add 3 different hosts to our observium instance to monitor via the SNMP protocol. + diff --git a/stablediffusion/0.png b/stablediffusion/0.png new file mode 100644 index 0000000..ce14590 Binary files /dev/null and b/stablediffusion/0.png differ diff --git a/stablediffusion/1.png b/stablediffusion/1.png new file mode 100644 index 0000000..c4b165b Binary files /dev/null and b/stablediffusion/1.png differ diff --git a/stablediffusion/2.png b/stablediffusion/2.png new file mode 100644 index 0000000..630a457 Binary files /dev/null and b/stablediffusion/2.png differ diff --git a/stablediffusion/index.md b/stablediffusion/index.md new file mode 100644 index 0000000..6f60ddd --- /dev/null +++ b/stablediffusion/index.md 
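Review bot: The snmpd.conf in this hunk hands the full OID tree to any source address over SNMPv2c: `agentAddress udp:161,udp6:[::1]:161` binds IPv4 on every interface (IPv6 is loopback-only, which contradicts the "all interfaces" comment above it), and `rocommunity void.yt default -V all` accepts the community string from `default`, i.e. anywhere. The later advice to use `rocommunity MyP@$$W0RD default -V all` does not change that, because an SNMPv2c community string travels in cleartext in every request and can be read or replayed by anyone on the path. Restrict the source to the poller, e.g. `rocommunity MyP@$$W0RD <observium-ip> -V all`, or use SNMPv3 with `createUser observium SHA "<authpass>" AES "<privpass>"` plus `rouser observium priv -V all` so that authentication and payload are protected. The Windows `netsh ... dir=in ... localport=161` rules have the same gap and should carry `remoteip=<observium-ip>`; on the Linux side, note also that the `extend` lines expose `product_serial` and run `/usr/local/bin/distro` and `bandwidth`, which the tutorial fetches with `wget` from void.yt and installs as root without any integrity check (and the prose names the path `/usr/bin/distro` while the command writes `/usr/local/bin/distro`).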
@@ -0,0 +1,226 @@ +# stablediffusion Setup + +![](0.png) + +Stable Diffusion is a machine learning model developed by Stability AI to generate digital images from natural language descriptions. The model can be used for different tasks like generating image to image translations guided by text prompt and upscaling images. We will be following [this](https://github.com/hlky/stable-diffusion/wiki/Linux-Installation) guide to install the software: + +## **Initial Setup** + +![]() + + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → yay -S miniconda + -> Could not find all required packages: + miniconda (Target) + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → yay -S miniconda3 + :: Checking for conflicts... + :: Checking for inner conflicts... + [Aur:1] miniconda3-4.12.0-1 + + :: (1/1) Downloaded PKGBUILD: miniconda3 + 1 miniconda3 (Build Files Exist) + ==> Diffs to show? + ==> [N]one [A]ll [Ab]ort [I]nstalled [No]tInstalled or (1 2 3, 1-3, ^4) + ==> + :: (1/1) Parsing SRCINFO: miniconda3 + ==> Making package: miniconda3 4.12.0-1 (Sat 03 Sep 2022 12:38:58 PM CEST) + ==> Retrieving sources... + -> Downloading miniconda3-4.12.0.sh... + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 + 100 73.0M 100 73.0M 0 0 6490k 0 0:00:11 0:00:11 --:--:-- 7318k + ==> Validating source files with sha512sums... + miniconda3-4.12.0.sh ... Passed + ==> Making package: miniconda3 4.12.0-1 (Sat 03 Sep 2022 12:39:10 PM CEST) + ==> Checking runtime dependencies... + ==> Checking buildtime dependencies... + ==> Retrieving sources... + -> Found miniconda3-4.12.0.sh + ==> Validating source files with sha512sums... + miniconda3-4.12.0.sh ... Passed + ==> Removing existing $srcdir/ directory... + ==> Extracting sources... + ==> Sources are ready. + ==> Making package: miniconda3 4.12.0-1 (Sat 03 Sep 2022 12:39:11 PM CEST) + ==> Checking runtime dependencies... + ==> Checking buildtime dependencies... 
+ ==> WARNING: Using existing $srcdir/ tree + ==> Entering fakeroot environment... + ==> Starting package()... + PREFIX=/home/nothing/.cache/yay/miniconda3/pkg/miniconda3/opt/miniconda3 + Unpacking payload ... + Collecting package metadata (current_repodata.json): done + Solving environment: done + + [...] + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → echo "[ -f /opt/miniconda3/etc/profile.d/conda.sh ] && source /opt/miniconda3/etc/profile.d/conda.sh" >> ~/.zshrc + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → zsh + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → conda --help + usage: conda [-h] [-V] command ... + + conda is a tool for managing and deploying applications, environments and packages. + + Options: + + positional arguments: + command + clean Remove unused packages and caches. + compare Compare packages between conda environments. + config Modify configuration values in .condarc. This is modeled after the git config command. Writes to the user .condarc file (/home/nothing/.condarc) by default. + create Create a new conda environment from a list of specified packages. + help Displays a list of available conda commands and their help strings. + info Display information about current conda install. + init Initialize conda for shell interaction. [Experimental] + install Installs a list of packages into a specified conda environment. + list List linked packages in a conda environment. + package Low-level conda package utility. (EXPERIMENTAL) + remove Remove a list of packages from a specified conda environment. + uninstall Alias for conda remove. + run Run an executable in a conda environment. + search Search for packages and display associated information. The input is a MatchSpec, a query language for conda packages. See examples below. + update Updates conda packages to the latest compatible version. + upgrade Alias for conda update. + + optional arguments: + -h, --help Show this help message and exit. + -V, --version Show the conda version number and exit. 
+ + conda commands available from other packages: + content-trust + env + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → mkdir stablediffusion + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → cd stablediffusion + + [ 10.0.0.10/16 ] [ nowhere ] [~/stablediffusion] + → wget https://raw.githubusercontent.com/JoshuaKimsey/Linux-StableDiffusion-Script/main/linux-sd.sh -O linux-sd.sh + + linux-sd.sh [ <=> ] 224.68K --.-KB/s in 0.1s + + 2022-09-03 13:11:39 (2.07 MB/s) - ‘linux-sd.sh’ saved [230076] + + + [ 10.0.0.10/16 ] [ nowhere ] [~/stablediffusion] + → chmod +x linux-sd.sh + + [ 10.0.0.10/16 ] [ nowhere ] [~/stablediffusion] + → ./linux-sd.sh + + + + WELCOME TO THE ULTIMATE STABLE DIFFUSION GUI ON LINUX + + + The definitive Stable Diffusion experience™ Now 100% Linux Compatible! + + Please ensure you have Anaconda installed properly on your Linux system before running this. + + Please refer to the original guide for more info and additional links for this project: https://rentry.org/guitard + + + Starting Ultimate Stable Diffusion installation... + + Cloning Ultimate Stable Diffusion. Please wait... + Cloning into 'stable-diffusion'... + remote: Enumerating objects: 1121, done. + remote: Counting objects: 100% (5/5), done. + remote: Compressing objects: 100% (5/5), done. + remote: Total 1121 (delta 1), reused 2 (delta 0), pack-reused 1116 + Receiving objects: 100% (1121/1121), 42.76 MiB | 7.54 MiB/s, done. + Resolving deltas: 100% (558/558), done. + + + ########## MOVE MODEL FILE ########## + + Please download the 1.4 AI Model from Huggingface (or another source) and move or copy it in the newly created directory: Models + Once you have sd-v1-4.ckpt in the Models directory, Press Enter... + + +Here we need to download the AI Model after registering on **https://huggingface.co** [here](https://huggingface.co/CompVis/stable-diffusion-v-1-4-original): + +![](1.png) ![]() + + + [term1] + [ 10.0.0.10/16 ] [ nowhere ] [~/stablediffusion/Models] + → mv ~/Downloads/sd-v1-4.ckpt . 
+ + [ 10.0.0.10/16 ] [ nowhere ] [~/stablediffusion/Models] + → file model.ckpt + model.ckpt: Zip archive data, at least v0.0 to extract, compression method=store + + [term2] + ########## MOVE MODEL FILE ########## + + Please download the 1.4 AI Model from Huggingface (or another source) and move or copy it in the newly created directory: Models + Once you have sd-v1-4.ckpt in the Models directory, Press Enter... + ./Models/sd-v1-4.ckpt: OK + + [...] + + + ########## CUSTOMIZE LAUNCH ARGUMENTS ########## + + Do you wish to customize the launch arguments for Ultimate Stable Diffusion? + (This will be where you select Optimized mode, auto open in browser, share to public, and more.) + 1) Yes + 2) No + #? 1 + Starting customization of Ultimate Stable Diffusion launch arguments... + + + Do you want extra upscaling models to be run on the CPU instead of the GPU to save on VRAM at the cost of speed? + 1) Yes + 2) No + #? 2 + Extra upscaling models will run on the GPU. Continuing... + + + Do you want for Ultimate Stable Diffusion to automatically launch a new browser window or tab on first launch? + 1) Yes + 2) No + #? 1 + Setting Ultimate Stable Diffusion to open a new browser window/tab at first launch... + + + Do you want to run Ultimate Stable Diffusion in Optimized mode - Requires only 4GB of VRAM, but is significantly slower? + 1) Yes + 2) No + #? 2 + Ultimate Stable Diffusion will launch in Standard Mode. Continuing... + + + Do you want to start Ultimate Stable Diffusion in Optimized Turbo mode - Requires more VRAM than regular optimized, but is faster (incompatible with Optimized Mode)? + 1) Yes + 2) No + #? 2 + Ultimate Stable Diffusion will launch in Standard Mode. Continuing... + + + Do you want to create a public xxxxx.gradi.app URL to allow others to uses your interface? (Requires properly forwarded ports) + 1) Yes + 2) No + #? 2 + Setting Ultimate Stable Diffusion to not open a public share URL. Continuing... 
+ + + Customization of Ultimate Stable Diffusion is complete. Continuing... + + Generating linux-setup.sh in ./ultimate-stable-diffusion + Running linux-setup.sh... + Relauncher: Launching... + + diff --git a/stablediffusion2/0.png b/stablediffusion2/0.png new file mode 100644 index 0000000..9ebd3f8 Binary files /dev/null and b/stablediffusion2/0.png differ diff --git a/stablediffusion2/1.png b/stablediffusion2/1.png new file mode 100644 index 0000000..3295855 Binary files /dev/null and b/stablediffusion2/1.png differ diff --git a/stablediffusion2/10.png b/stablediffusion2/10.png new file mode 100644 index 0000000..1650a05 Binary files /dev/null and b/stablediffusion2/10.png differ diff --git a/stablediffusion2/11.png b/stablediffusion2/11.png new file mode 100644 index 0000000..419a30a Binary files /dev/null and b/stablediffusion2/11.png differ diff --git a/stablediffusion2/12.png b/stablediffusion2/12.png new file mode 100644 index 0000000..fa262d5 Binary files /dev/null and b/stablediffusion2/12.png differ diff --git a/stablediffusion2/13.png b/stablediffusion2/13.png new file mode 100644 index 0000000..4e58b18 Binary files /dev/null and b/stablediffusion2/13.png differ diff --git a/stablediffusion2/14.png b/stablediffusion2/14.png new file mode 100644 index 0000000..68b2762 Binary files /dev/null and b/stablediffusion2/14.png differ diff --git a/stablediffusion2/15.png b/stablediffusion2/15.png new file mode 100644 index 0000000..ff9606f Binary files /dev/null and b/stablediffusion2/15.png differ diff --git a/stablediffusion2/16.png b/stablediffusion2/16.png new file mode 100644 index 0000000..f70f708 Binary files /dev/null and b/stablediffusion2/16.png differ diff --git a/stablediffusion2/17.png b/stablediffusion2/17.png new file mode 100644 index 0000000..9065a45 Binary files /dev/null and b/stablediffusion2/17.png differ 
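Review bot: The install step `wget https://raw.githubusercontent.com/JoshuaKimsey/Linux-StableDiffusion-Script/main/linux-sd.sh` followed by `chmod +x linux-sd.sh` and `./linux-sd.sh` runs a ~225 KB script from a moving `main` branch without reading or pinning it, and the script then clones a repository and installs packages into the conda environment, so whoever controls that branch (or a compromised upstream) controls this user account. Pin the raw URL to a specific commit hash instead of `main`, keep a reviewed local copy, and compare a published checksum before executing it. The model file deserves the same care: `file model.ckpt` reports a zip archive, which is the pickle-based PyTorch checkpoint format, and loading a `.ckpt` from an untrusted source executes whatever pickle opcodes it contains; the installer's `./Models/sd-v1-4.ckpt: OK` line appears to be a checksum check, but that only helps if the expected hash did not come from the same unverified script. Prefer `.safetensors` weights where the model is offered in that format, and limit `.ckpt` files to ones whose hash you verified against the publisher's page.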
diff --git a/stablediffusion2/18.png b/stablediffusion2/18.png new file mode 100644 index 0000000..d09bb47 Binary files /dev/null and b/stablediffusion2/18.png differ diff --git a/stablediffusion2/19.png b/stablediffusion2/19.png new file mode 100644 index 0000000..79d4550 Binary files /dev/null and b/stablediffusion2/19.png differ diff --git a/stablediffusion2/2.png b/stablediffusion2/2.png new file mode 100644 index 0000000..48df9c6 Binary files /dev/null and b/stablediffusion2/2.png differ diff --git a/stablediffusion2/20.png b/stablediffusion2/20.png new file mode 100644 index 0000000..fd1557b Binary files /dev/null and b/stablediffusion2/20.png differ diff --git a/stablediffusion2/21.png b/stablediffusion2/21.png new file mode 100644 index 0000000..d9010dd Binary files /dev/null and b/stablediffusion2/21.png differ diff --git a/stablediffusion2/3.png b/stablediffusion2/3.png new file mode 100644 index 0000000..78d4775 Binary files /dev/null and b/stablediffusion2/3.png differ diff --git a/stablediffusion2/4.png b/stablediffusion2/4.png new file mode 100644 index 0000000..c34cae1 Binary files /dev/null and b/stablediffusion2/4.png differ diff --git a/stablediffusion2/5.png b/stablediffusion2/5.png new file mode 100644 index 0000000..1418a67 Binary files /dev/null and b/stablediffusion2/5.png differ diff --git a/stablediffusion2/6.png b/stablediffusion2/6.png new file mode 100644 index 0000000..c1216c1 Binary files /dev/null and b/stablediffusion2/6.png differ diff --git a/stablediffusion2/7.png b/stablediffusion2/7.png new file mode 100644 index 0000000..95b5b80 Binary files /dev/null and b/stablediffusion2/7.png differ diff --git a/stablediffusion2/8.png b/stablediffusion2/8.png new file mode 100644 index 0000000..985e0c9 Binary files /dev/null and b/stablediffusion2/8.png differ diff --git a/stablediffusion2/9.png b/stablediffusion2/9.png new file mode 100644 index 0000000..b06fc92 Binary files /dev/null and b/stablediffusion2/9.png differ 
diff --git a/stablediffusion2/index.md b/stablediffusion2/index.md new file mode 100644 index 0000000..6d4d018 --- /dev/null +++ b/stablediffusion2/index.md 
@@ -0,0 +1,592 @@ +# stablediffusion2 Setup + +![](0.png) + +## **Initial Setup** + +In this tutorial we're going to install stablediffusion, and use a rtx 3070 TI to make it work. + + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion] + → sudo pacman -S python-pip + warning: python-pip-23.2.1-1 is up to date -- reinstalling + resolving dependencies... + looking for conflicting packages... + + Packages (1) python-pip-23.2.1-1 + + Total Installed Size: 20.68 MiB + Net Upgrade Size: 0.00 MiB + + :: Proceed with installation? [Y/n] y + (1/1) checking keys in keyring [########################################################################################] 100% + (1/1) checking package integrity [########################################################################################] 100% + (1/1) loading package files [########################################################################################] 100% + (1/1) checking for file conflicts [########################################################################################] 100% + (1/1) checking available disk space [########################################################################################] 100% + :: Processing package changes... + (1/1) reinstalling python-pip [########################################################################################] 100% + :: Running post-transaction hooks... + (1/1) Arming ConditionNeedsUpdate... + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion] + → pip3 --version + pip 23.2.1 from /usr/lib/python3.11/site-packages/pip (python 3.11) + + + +Then go [here](https://github.com/easydiffusion/easydiffusion#installation) and unpack it to run the start.sh script: + +![](1.png) + + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~] + → mkdir easydiffusion + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~] + → cd easydiffusion + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion] + → mv ../Downloads/Easy-Diffusion-Linux.zip . 
+ + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion] + → unzip Easy-Diffusion-Linux.zip + Archive: Easy-Diffusion-Linux.zip + creating: easy-diffusion/ + inflating: easy-diffusion/CreativeML Open RAIL-M License + inflating: easy-diffusion/start.sh + inflating: easy-diffusion/LICENSE + inflating: easy-diffusion/How to install and run.txt + creating: easy-diffusion/scripts/ + inflating: easy-diffusion/scripts/install_status.txt + inflating: easy-diffusion/scripts/functions.sh + inflating: easy-diffusion/scripts/bootstrap.sh + inflating: easy-diffusion/scripts/on_env_start.sh + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion] + → cd easy-diffusion + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion/easy-diffusion] + → ls + 'CreativeML Open RAIL-M License' 'How to install and run.txt' LICENSE scripts start.sh + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion/easy-diffusion] + → ./start.sh + + + +Run the script and wait for it to finish: + + + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion/easy-diffusion] + → ./start.sh + /usr/bin/curl + /usr/bin/tar + /usr/bin/bzip2 + Downloading micromamba from https://micro.mamba.pm/api/micromamba/linux-64/latest to /home/nothing/easydiffusion/easy-diffusion/installer_files/mamba/micromamba + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 + 100 4219 0 4219 0 0 4823 0 --:--:-- --:--:-- --:--:-- 6297 + 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0bin/micromamba + 100 5076k 100 5076k 0 0 812k 0 0:00:06 0:00:06 --:--:-- 1122k + Micromamba version: + 1.4.9 + Empty environment created at prefix: /home/nothing/easydiffusion/easy-diffusion/installer_files/env + Packages to install: conda python=3.8.5 + conda-forge/noarch 11.8MB @ 4.4MB/s 2.8s + conda-forge/linux-64 29.4MB @ 2.5MB/s 12.0s + + Transaction + + Prefix: /home/nothing/easydiffusion/easy-diffusion/installer_files/env + + Updating specs: + + - conda + - python=3.8.5 + + + 
Package Version Build Channel Size + ─────────────────────────────────────────────────────────────────────────────────── + Install: + ─────────────────────────────────────────────────────────────────────────────────── + + + python_abi 3.8 3_cp38 conda-forge 6kB + + ld_impl_linux-64 2.40 h41732ed_0 conda-forge 705kB + + _libgcc_mutex 0.1 conda_forge conda-forge 3kB + + libstdcxx-ng 13.1.0 hfd8a6a1_0 conda-forge 4MB + + ca-certificates 2023.7.22 hbcca054_0 conda-forge 150kB + + libgomp 13.1.0 he5830b7_0 conda-forge 419kB + + _openmp_mutex 4.5 2_gnu conda-forge 24kB + + libgcc-ng 13.1.0 he5830b7_0 conda-forge 776kB + + ncurses 6.4 hcb278e6_0 conda-forge 881kB + + libzlib 1.2.13 hd590300_5 conda-forge 62kB + + xz 5.2.6 h166bdaf_0 conda-forge 418kB + + openssl 1.1.1u hd590300_0 conda-forge 2MB + + libffi 3.2.1 he1b5a44_1007 conda-forge 48kB + + readline 8.2 h8228510_1 conda-forge 281kB + + zstd 1.5.2 hfc55251_7 conda-forge 431kB + + zlib 1.2.13 hd590300_5 conda-forge 93kB + + tk 8.6.12 h27826a3_0 conda-forge 3MB + + libsqlite 3.42.0 h2797004_0 conda-forge 829kB + + sqlite 3.42.0 h2c6b66d_0 conda-forge 818kB + + python 3.8.5 h1103e12_9_cpython conda-forge 23MB + + wheel 0.41.0 pyhd8ed1ab_0 conda-forge 57kB + + setuptools 68.0.0 pyhd8ed1ab_0 conda-forge 464kB + + pip 23.2.1 pyhd8ed1ab_0 conda-forge 1MB + + pysocks 1.7.1 pyha2e5f31_6 conda-forge 19kB + + pycparser 2.21 pyhd8ed1ab_0 conda-forge 103kB + + charset-normalizer 3.2.0 pyhd8ed1ab_0 conda-forge 46kB + + idna 3.4 pyhd8ed1ab_0 conda-forge 57kB + + certifi 2023.7.22 pyhd8ed1ab_0 conda-forge 154kB + + colorama 0.4.6 pyhd8ed1ab_0 conda-forge 25kB + + packaging 23.1 pyhd8ed1ab_0 conda-forge 46kB + + toolz 0.12.0 pyhd8ed1ab_0 conda-forge 49kB + + pluggy 1.2.0 pyhd8ed1ab_0 conda-forge 22kB + + jsonpointer 2.0 py_0 conda-forge 9kB + + boltons 23.0.0 pyhd8ed1ab_0 conda-forge 303kB + + tqdm 4.65.0 pyhd8ed1ab_1 conda-forge 88kB + + jsonpatch 1.32 pyhd8ed1ab_0 conda-forge 15kB + + brotli-python 1.0.9 py38hfa26641_9 conda-forge 
327kB + + ruamel.yaml.clib 0.2.7 py38h1de0b5d_1 conda-forge 146kB + + pycosat 0.6.4 py38h0a891b7_1 conda-forge 111kB + + cffi 1.14.4 py38ha312104_0 conda-forge 231kB + + ruamel.yaml 0.17.32 py38h01eb140_0 conda-forge 200kB + + zstandard 0.19.0 py38ha98ab4e_2 conda-forge 394kB + + cryptography 39.0.0 py38h1724139_0 conda-forge 1MB + + urllib3 2.0.4 pyhd8ed1ab_0 conda-forge 98kB + + conda-package-streaming 0.8.0 pyhd8ed1ab_0 conda-forge 19kB + + pyopenssl 23.2.0 pyhd8ed1ab_1 conda-forge 129kB + + requests 2.31.0 pyhd8ed1ab_0 conda-forge 57kB + + conda-package-handling 2.0.2 pyh38be061_0 conda-forge 253kB + + conda 23.7.2 py38h578d9bd_0 conda-forge 1MB + + Summary: + + Install: 49 packages + + Total download: 45MB + + ─────────────────────────────────────────────────────────────────────────────────── + + + + Transaction starting + _libgcc_mutex 2.6kB @ 23.1kB/s 0.1s + ca-certificates 149.5kB @ 1.0MB/s 0.1s + python_abi 5.7kB @ 33.6kB/s 0.2s + libzlib 61.6kB @ 352.9kB/s 0.1s + readline 281.5kB @ 997.0kB/s 0.1s + libstdcxx-ng 3.8MB @ 1.3MB/s 2.9s + charset-normalizer 45.7kB @ 15.5kB/s 0.1s + colorama 25.2kB @ 8.2kB/s 0.1s + pluggy 21.5kB @ 6.8kB/s 0.1s + tqdm 88.2kB @ 26.7kB/s 0.1s + ruamel.yaml.clib 146.4kB @ 41.1kB/s 0.3s + ruamel.yaml 200.2kB @ 51.0kB/s 0.4s + urllib3 98.4kB @ 24.2kB/s 0.1s + requests 56.7kB @ 13.6kB/s 0.1s + libgomp 419.2kB @ 92.8kB/s 0.3s + ncurses 881.0kB @ 162.1kB/s 0.9s + libffi 48.0kB @ 8.7kB/s 0.1s + libsqlite 828.9kB @ 133.0kB/s 0.7s + setuptools 463.7kB @ 70.2kB/s 0.4s + idna 56.7kB @ 8.5kB/s 0.1s + toolz 49.1kB @ 7.2kB/s 0.1s + jsonpatch 14.6kB @ 2.1kB/s 0.1s + cffi 231.2kB @ 31.6kB/s 0.4s + conda-package-streaming 18.8kB @ 2.5kB/s 0.1s + conda 1.0MB @ 124.7kB/s 0.8s + xz 418.4kB @ 49.3kB/s 0.3s + zlib 92.8kB @ 10.8kB/s 0.1s + python 23.0MB @ 2.7MB/s 8.4s + packaging 46.1kB @ 5.3kB/s 0.1s + pysocks 19.0kB @ 2.2kB/s 0.1s + brotli-python 326.8kB @ 36.8kB/s 0.2s + pip 1.4MB @ 155.3kB/s 8.6s + _openmp_mutex 23.6kB @ 2.6kB/s 0.1s + pycparser 
102.7kB @ 11.4kB/s 0.1s + boltons 302.8kB @ 32.2kB/s 0.4s + pyopenssl 129.0kB @ 13.6kB/s 0.1s + cryptography 1.4MB @ 146.9kB/s 1.1s + certifi 153.8kB @ 15.5kB/s 0.2s + openssl 2.0MB @ 187.9kB/s 0.9s + zstandard 393.5kB @ 37.8kB/s 0.5s + zstd 431.1kB @ 41.3kB/s 1.5s + wheel 57.4kB @ 5.4kB/s 0.1s + ld_impl_linux-64 704.7kB @ 66.6kB/s 10.6s + sqlite 818.2kB @ 76.8kB/s 0.3s + pycosat 110.6kB @ 10.4kB/s 0.2s + jsonpointer 8.7kB @ 817.0 B/s 0.1s + conda-package-handling 253.2kB @ 23.5kB/s 0.1s + libgcc-ng 776.3kB @ 70.9kB/s 0.4s + tk 3.5MB @ 275.8kB/s 12.4s + Linking python_abi-3.8-3_cp38 + Linking ld_impl_linux-64-2.40-h41732ed_0 + Linking _libgcc_mutex-0.1-conda_forge + Linking libstdcxx-ng-13.1.0-hfd8a6a1_0 + Linking ca-certificates-2023.7.22-hbcca054_0 + Linking libgomp-13.1.0-he5830b7_0 + Linking _openmp_mutex-4.5-2_gnu + Linking libgcc-ng-13.1.0-he5830b7_0 + Linking ncurses-6.4-hcb278e6_0 + Linking libzlib-1.2.13-hd590300_5 + Linking xz-5.2.6-h166bdaf_0 + Linking openssl-1.1.1u-hd590300_0 + Linking libffi-3.2.1-he1b5a44_1007 + Linking readline-8.2-h8228510_1 + Linking zstd-1.5.2-hfc55251_7 + Linking zlib-1.2.13-hd590300_5 + Linking tk-8.6.12-h27826a3_0 + Linking libsqlite-3.42.0-h2797004_0 + Linking sqlite-3.42.0-h2c6b66d_0 + Linking python-3.8.5-h1103e12_9_cpython + Linking wheel-0.41.0-pyhd8ed1ab_0 + Linking setuptools-68.0.0-pyhd8ed1ab_0 + Linking pip-23.2.1-pyhd8ed1ab_0 + Linking pysocks-1.7.1-pyha2e5f31_6 + Linking pycparser-2.21-pyhd8ed1ab_0 + Linking charset-normalizer-3.2.0-pyhd8ed1ab_0 + Linking idna-3.4-pyhd8ed1ab_0 + Linking certifi-2023.7.22-pyhd8ed1ab_0 + Linking colorama-0.4.6-pyhd8ed1ab_0 + Linking packaging-23.1-pyhd8ed1ab_0 + Linking toolz-0.12.0-pyhd8ed1ab_0 + Linking pluggy-1.2.0-pyhd8ed1ab_0 + Linking jsonpointer-2.0-py_0 + Linking boltons-23.0.0-pyhd8ed1ab_0 + Linking tqdm-4.65.0-pyhd8ed1ab_1 + Linking jsonpatch-1.32-pyhd8ed1ab_0 + Linking brotli-python-1.0.9-py38hfa26641_9 + Linking ruamel.yaml.clib-0.2.7-py38h1de0b5d_1 + Linking 
pycosat-0.6.4-py38h0a891b7_1 + Linking cffi-1.14.4-py38ha312104_0 + Linking ruamel.yaml-0.17.32-py38h01eb140_0 + Linking zstandard-0.19.0-py38ha98ab4e_2 + Linking cryptography-39.0.0-py38h1724139_0 + Linking urllib3-2.0.4-pyhd8ed1ab_0 + Linking conda-package-streaming-0.8.0-pyhd8ed1ab_0 + Linking pyopenssl-23.2.0-pyhd8ed1ab_1 + Linking requests-2.31.0-pyhd8ed1ab_0 + Linking conda-package-handling-2.0.2-pyh38be061_0 + Linking conda-23.7.2-py38h578d9bd_0 + + Transaction finished + + To activate this environment, use: + + micromamba activate /home/nothing/easydiffusion/easy-diffusion/installer_files/env + + Or to execute a single command in this environment, use: + + micromamba run -p /home/nothing/easydiffusion/easy-diffusion/installer_files/env mycommand + + /usr/bin/git + git version 2.41.0 + /home/nothing/easydiffusion/easy-diffusion/installer_files/env/bin/conda + conda 23.7.2 + + + Easy Diffusion + + + + Downloading Easy Diffusion.. + + Using the main channel + + Cloning into 'sd-ui-files'... + remote: Enumerating objects: 18042, done. + remote: Counting objects: 100% (6033/6033), done. + remote: Compressing objects: 100% (591/591), done. + remote: Total 18042 (delta 5609), reused 5725 (delta 5437), pack-reused 12009 + Receiving objects: 100% (18042/18042), 58.02 MiB | 5.09 MiB/s, done. + Resolving deltas: 100% (12317/12317), done. + > python -m pip install --upgrade torch==2.0.0 + Collecting torch==2.0.0 + Downloading torch-2.0.0-cp38-cp38-manylinux1_x86_64.whl (619.9 MB) + ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╸━━━━━ 534.9/619.9 MB 3.3 MB/s eta 0:00:27 + + [...] + + + +![](3.png) ![](2.png) ![](4.png) ![](5.png) + +Now that stablediffusion is ready let's try to generate an image: + +![](6.png) ![](7.png) + +Now like this we managed to generate a 512x512 image. 
But let's try to generate a 4k resolution image, but as you can see we can't just set the setting like that, we need to use the upscaler below: + +![](8.png) + +the default 4k resolution is 3840 by 2160 pixels. So to create a 4k image we can use the image size 960 by 576 pixels, which will render as a 4k image thanks to the RealESRGAN_x4plus: + +![](9.png) + +Now that we know it works let's try another model like [Openjourney](https://huggingface.co/prompthero/openjourney/blob/main/mdjrny-v4.ckpt): + + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → ls -lash + total 36K + 4.0K drwxr-xr-x 9 nothing nothing 4.0K Jul 30 15:11 . + 4.0K drwxrwxr-x 9 nothing nothing 4.0K Jul 30 15:32 .. + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:11 codeformer + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:28 gfpgan + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:11 hypernetwork + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:11 lora + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:30 realesrgan + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:11 stable-diffusion + 4.0K drwxr-xr-x 2 nothing nothing 4.0K Jul 30 15:30 vae + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → cd stable-diffusion + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → ls + 'Place your stable-diffusion model files here.txt' sd-v1-4.ckpt + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → mv ~/Downloads/mdjrny-v4.ckpt . + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → ls + mdjrny-v4.ckpt 'Place your stable-diffusion model files here.txt' sd-v1-4.ckpt + + + +Then use it like so: + +![](10.png) + +Next we're going to finetune it as much as possible to copy midjourney: + +![](11.png) + +Then restart easydiffusion: + + + 17:19:46.019 INFO cuda:0 Session 1690723929701 task 140438942630336 completed by NVIDIA GeForce RTX 3070 Ti. 
task_manager.py:367 + ^CPress any key to continue + + [ 10.0.2.2/24 ] [ /dev/pts/28 ] [~/easydiffusion/easy-diffusion] + → ./start.sh + + + +![](12.png) + +Restart it gain in the same manner (ctrl+C and run start.sh again) + +![](13.png) ![](14.png) + +Next we want to add the [baddream negative embedding model](https://civitai.com/models/72437/baddream-unrealisticdream-negative-embeddings): + + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → cd .. + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → ls + codeformer embeddings gfpgan hypernetwork lora realesrgan stable-diffusion vae + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → cd embeddings + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → ls + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → mv ~/Downloads/BadDream.pt . + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → ls + BadDream.pt + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → + + (then restart easydiffusion like before) + + + +Next we will add a [midjourney lora](https://civitai.com/models/22811): + + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → cd .. + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → ls + codeformer embeddings gfpgan hypernetwork lora realesrgan stable-diffusion vae + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → cd lora + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/lora] + → ls + 'Place your lora model files here.txt' + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/lora] + → mv ~/Downloads/mj_style_1-000010.safetensors . 
+ + + +Next we will add a [midjourney syle embedding](https://civitai.com/models/3093/midjourney-general-style): + + + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → cd embeddings + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → ls + BadDream.pt + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → mv ~/Downloads/mj-gs.pt . + + + +Next restart easydiffusion and embed the style and the lora and the baddream negative embedding: + +![](15.png) + +also trying another openjourney model may yield better results like this [one](https://huggingface.co/prompthero-diffusion-models/openjourney-v4/blob/main/openjourney-v4.ckpt): + +For the highest rated negative embeddings you can go [here](https://civitai.com/tag/negative%20embedding?sort=Most+Liked) + +For the highest rated negative embeddings you can go [here](https://civitai.com/tag/negative%20embedding?sort=Most+Liked) + +let's try this one: [](https://civitai.com/models/27259/tmnd-mix) + + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → ls + mdjrny-v4.ckpt 'Place your stable-diffusion model files here.txt' sd-v1-4.ckpt + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → cat Place\ your\ stable-diffusion\ model\ files\ here.txt + Supported extensions: .ckpt or .safetensors% + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/stable-diffusion] + → mv ~/Downloads/tmndMix_tmndMixVIPruned.safetensors . + + + +Then to make use of the prompts we need a few negative prompt embeddings: + + + badhandv4, EasyNegative, verybadimagenegative_v1.3, (worst quality:2), (low quality:2), (normal quality:2) + + + +Which we can download: + + + + https://civitai.com/models/16993 + https://civitai.com/models/7808 + https://civitai.com/models/11772 + + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → mv ~/Downloads/easynegative.safetensors . 
+ + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → mv ~/Downloads/verybadimagenegative_v1.3.pt . + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/embeddings] + → mv ~/Downloads/badhandv4.pt . + + + https://civitai.com/models/116225 + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easydiffusion/easy-diffusion/models] + → cd realesrgan + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/realesrgan] + → ls + 'Place your realesrgan model files here.txt' RealESRGAN_x4plus.pth + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/realesrgan] + → mv ~/Downloads/4xUltrasharp_4xUltrasharpV10.pt . + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/realesrgan] + → cat Place\ your\ realesrgan\ model\ files\ here.txt + Supported extensions: .pth% + + [ 10.0.2.2/24 ] [ /dev/pts/30 ] [easy-diffusion/models/realesrgan] + → mv 4xUltrasharp_4xUltrasharpV10.pt 4xUltrasharp_4xUltrasharpV10.pth + + + +You'll need to play with models, lora models, negative prompts and image settings until you find the best ways to make art. 
+ +you can also use chatgpt to give you prompts to try out: + +![](16.png) ![](17.png) + +Here's some very satisfying settings you can try out: + +![](18.png) ![](19.png) + +Next, to be able to use plugins you can get the plugins manager made by Patrice AC [here](https://github.com/patriceac/Easy-Diffusion-Plugins): + + + [ 10.0.2.2/24 ] [ /dev/pts/25 ] [easydiffusion/easy-diffusion/plugins] + → ls + server ui + + [ 10.0.2.2/24 ] [ /dev/pts/25 ] [easydiffusion/easy-diffusion/plugins] + → cd ui + + [ 10.0.2.2/24 ] [ /dev/pts/25 ] [easy-diffusion/plugins/ui] + → ls + + [ 10.0.2.2/24 ] [ /dev/pts/25 ] [easy-diffusion/plugins/ui] + → wget https://raw.githubusercontent.com/patriceac/Easy-Diffusion-Plugins/main/plugin-manager.plugin.js + --2023-07-31 17:57:30-- https://raw.githubusercontent.com/patriceac/Easy-Diffusion-Plugins/main/plugin-manager.plugin.js + Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ... + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 54639 (53K) [text/plain] + Saving to: ‘plugin-manager.plugin.js’ + + plugin-manager.plugin.js 100%[==========================================================================================================================================>] 53.36K --.-KB/s in 0.05s + + 2023-07-31 17:57:30 (1.03 MB/s) - ‘plugin-manager.plugin.js’ saved [54639/54639] + + + +Then just refresh the easydiffusion page to see the plugins appear: + +![](20.png) + +Other example of satisfying settings: + +![](21.png) + + + seeing the horizon, view from above, upper body, nun arya stark hooded in the distance, dressed in black robes, overshadowed face, eyes closed, blissful facial expression, in a disorganised, dense dark field of taller large purple datura flowers, dense lush datura vegetation, upward faced opened flowers, toxic dark fumes, in darkness, thick black fog, toxic purple smoke, darkness, high contrast, dark ambiance, heavy black rain, flatlands, Anime++ + Seed: 2069005629, + Dimensions: 1024x512, + Sampler: dpmpp_sde, + Inference Steps: 50, + Guidance Scale: 7.5, + Model: aZovyaRPGArtistTools_v3, + Negative Prompt: deformed,missing limbs,amputated,pants,shorts,cat ears,bad anatomy, disfigured, poorly drawn face, mutation, mutated,ugly, disgusting, blurry, watermark, watermarked, over saturated, obese, doubled face,b&w;, black and white, sepia, no masks,duplicate image, blur, paintings, sketches, (worst quality:2), (low quality:2), (normal quality:2), low res, normal quality, monochrome, grayscale, bad anatomy,(fat:1.2),facing away, looking away,tilted head,low res,bad anatomy,bad hands, text, error, missing fingers,extra digit, fewer digits, cropped,jpeg artifacts,signature, watermark, username,blurry,bad feet,cropped,worst quality,low quality,normal quality,jpeg, moon, stars, lighting, sunlight, sun, day, daylight, aligned field, straight lines, road, dirtroad, river, ocean, island, spotlights, lasers, mountains, floor, + Upscale: RealESRGAN_x4plus (4x), + Lora 
Model: add_detail, + Lora Strength: 1 + + + + + + diff --git a/surveillance/0.png b/surveillance/0.png new file mode 100644 index 0000000..881de0f Binary files /dev/null and b/surveillance/0.png differ diff --git a/surveillance/1.png b/surveillance/1.png new file mode 100644 index 0000000..ef1f17d Binary files /dev/null and b/surveillance/1.png differ diff --git a/surveillance/2.png b/surveillance/2.png new file mode 100644 index 0000000..1f05cc1 Binary files /dev/null and b/surveillance/2.png differ diff --git a/surveillance/3.png b/surveillance/3.png new file mode 100644 index 0000000..a8f6e09 Binary files /dev/null and b/surveillance/3.png differ diff --git a/surveillance/4.png b/surveillance/4.png new file mode 100644 index 0000000..a0330dc Binary files /dev/null and b/surveillance/4.png differ diff --git a/surveillance/5.png b/surveillance/5.png new file mode 100644 index 0000000..882ac30 Binary files /dev/null and b/surveillance/5.png differ diff --git a/surveillance/6.png b/surveillance/6.png new file mode 100644 index 0000000..9b45ee9 Binary files /dev/null and b/surveillance/6.png differ diff --git a/surveillance/index.md b/surveillance/index.md new file mode 100644 index 0000000..18ab4c9 --- /dev/null +++ b/surveillance/index.md 
@@ -0,0 +1,720 @@ +# Physical Surveillance Setup + +![](0.png) + +In this tutorial, we're going to look at how we can have some physical security on a raspberry pi with just a few simple usb webcams. + +## **Initial Setup** + +First plug the usb webcam to the raspberry pi device, and check if it is being recognised by the OS: + + + #plugging in one webcam + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → lsusb + Bus 002 Device 002: ID 1058:2621 Western Digital Technologies, Inc. Elements 2621 + Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub + **Bus 001 Device 003: ID 046d:0807 Logitech, Inc. Webcam B500** + Bus 001 Device 002: ID 2109:3431 VIA Labs, Inc. Hub + Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub + + + #After plugging a second webcam + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → lsusb | grep -i webcam + Bus 001 Device 003: ID 046d:0807 Logitech, Inc. Webcam B500 + Bus 001 Device 004: ID 0c45:89a0 Microdia JOYACCESS JA-Webcam + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → apt install v4l2-ctl -y + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → v4l2-ctl --list-devices + bcm2835-codec-decode (platform:bcm2835-codec): + /dev/video10 + /dev/video11 + /dev/video12 + /dev/video18 + /dev/video31 + /dev/media1 + + bcm2835-isp (platform:bcm2835-isp): + /dev/video13 + /dev/video14 + /dev/video15 + /dev/video16 + /dev/video20 + /dev/video21 + /dev/video22 + /dev/video23 + /dev/media2 + /dev/media3 + + rpivid (platform:rpivid): + /dev/video19 + /dev/media0 + + **JOYACCESS JA-Webcam: JOYACCESS (usb-0000:01:00.0-1.3): + /dev/video2 + /dev/video3 + /dev/media5** + + **UVC Camera (046d:0807) (usb-0000:01:00.0-1.4): + /dev/video0 + /dev/video1 + /dev/media4** + + + +Now that we know it is being recognised, we can start recording when it detects movement, to do that we use the motion package: + + + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → apt install motion + Reading package lists... Done + Building dependency tree... Done + Reading state information... 
Done + The following additional packages will be installed: + ffmpeg fontconfig libaacs0 libass9 libasyncns0 libavc1394-0 libavcodec58 libavdevice58 libavfilter7 libavformat58 + libavresample4 libavutil56 libbdplus0 libbluray2 libbs2b0 libcaca0 libcairo-gobject2 libcairo2 libcdio-cdda2 + libcdio-paranoia2 libcdio19 libchromaprint1 libcodec2-0.9 libdatrie1 libdc1394-25 libdrm-amdgpu1 libdrm-nouveau2 + libdrm-radeon1 libepoxy0 libflite1 libgbm1 libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgl1 + libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libglx0 libgme0 libgraphite2-3 libgsm1 libharfbuzz0b + libiec61883-0 libjack-jackd2-0 liblilv-0-0 libllvm11 libmariadb3 libmicrohttpd12 libmp3lame0 libmpg123-0 libmysofa1 + libnorm1 libopenal-data libopenal1 libopenmpt0 libopus0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 + libpgm-5.3-0 libpixman-1-0 libpocketsphinx3 libpostproc55 libpq5 libpulse0 librabbitmq4 libraw1394-11 librsvg2-2 + librsvg2-common librubberband2 libsdl2-2.0-0 libsensors-config libsensors5 libserd-0-0 libshine3 libsnappy1v5 + libsndfile1 libsndio7.0 libsodium23 libsord-0-0 libsoxr0 libspeex1 libsphinxbase3 libsratom-0-0 libsrt1.4-gnutls + libssh-gcrypt-4 libswresample3 libswscale5 libthai-data libthai0 libtheora0 libtwolame0 libudfread0 libva-drm2 + libva-x11-2 libva2 libvdpau-va-gl1 libvdpau1 libvidstab1.1 libvorbisenc2 libvorbisfile3 libvpx6 libvulkan1 + libwavpack1 libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 libx11-xcb1 libx264-160 + libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-randr0 libxcb-render0 libxcb-shape0 libxcb-shm0 + libxcb-sync1 libxcb-xfixes0 libxcursor1 libxdamage1 libxfixes3 libxi6 libxinerama1 libxkbcommon0 libxrandr2 + libxrender1 libxshmfence1 libxss1 libxv1 libxvidcore4 libxxf86vm1 libz3-4 libzmq5 libzvbi-common libzvbi0 + mariadb-common mesa-va-drivers mesa-vdpau-drivers mesa-vulkan-drivers mysql-common ocl-icd-libopencl1 + pocketsphinx-en-us 
shared-mime-info va-driver-all vdpau-driver-all x11-common + Suggested packages: + ffmpeg-doc libbluray-bdj jackd2 libportaudio2 opus-tools pulseaudio libraw1394-doc librsvg2-bin xdg-utils + lm-sensors serdi sndiod sordi speex default-mysql-client postgresql-client opencl-icd + nvidia-legacy-390xx-vdpau-driver nvidia-legacy-340xx-vdpau-driver + The following NEW packages will be installed: + ffmpeg fontconfig libaacs0 libass9 libasyncns0 libavc1394-0 libavcodec58 libavdevice58 libavfilter7 libavformat58 + libavresample4 libavutil56 libbdplus0 libbluray2 libbs2b0 libcaca0 libcairo-gobject2 libcairo2 libcdio-cdda2 + libcdio-paranoia2 libcdio19 libchromaprint1 libcodec2-0.9 libdatrie1 libdc1394-25 libdrm-amdgpu1 libdrm-nouveau2 + libdrm-radeon1 libepoxy0 libflite1 libgbm1 libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgl1 + libgl1-mesa-dri libglapi-mesa libglvnd0 libglx-mesa0 libglx0 libgme0 libgraphite2-3 libgsm1 libharfbuzz0b + libiec61883-0 libjack-jackd2-0 liblilv-0-0 libllvm11 libmariadb3 libmicrohttpd12 libmp3lame0 libmpg123-0 libmysofa1 + libnorm1 libopenal-data libopenal1 libopenmpt0 libopus0 libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 + libpgm-5.3-0 libpixman-1-0 libpocketsphinx3 libpostproc55 libpq5 libpulse0 librabbitmq4 libraw1394-11 librsvg2-2 + librsvg2-common librubberband2 libsdl2-2.0-0 libsensors-config libsensors5 libserd-0-0 libshine3 libsnappy1v5 + libsndfile1 libsndio7.0 libsodium23 libsord-0-0 libsoxr0 libspeex1 libsphinxbase3 libsratom-0-0 libsrt1.4-gnutls + libssh-gcrypt-4 libswresample3 libswscale5 libthai-data libthai0 libtheora0 libtwolame0 libudfread0 libva-drm2 + libva-x11-2 libva2 libvdpau-va-gl1 libvdpau1 libvidstab1.1 libvorbisenc2 libvorbisfile3 libvpx6 libvulkan1 + libwavpack1 libwayland-client0 libwayland-cursor0 libwayland-egl1 libwayland-server0 libx11-xcb1 libx264-160 + libxcb-dri2-0 libxcb-dri3-0 libxcb-glx0 libxcb-present0 libxcb-randr0 libxcb-render0 libxcb-shape0 libxcb-shm0 + libxcb-sync1 
libxcb-xfixes0 libxcursor1 libxdamage1 libxfixes3 libxi6 libxinerama1 libxkbcommon0 libxrandr2 + libxrender1 libxshmfence1 libxss1 libxv1 libxvidcore4 libxxf86vm1 libz3-4 libzmq5 libzvbi-common libzvbi0 + mariadb-common mesa-va-drivers mesa-vdpau-drivers mesa-vulkan-drivers motion mysql-common ocl-icd-libopencl1 + pocketsphinx-en-us shared-mime-info va-driver-all vdpau-driver-all x11-common + 0 upgraded, 151 newly installed, 0 to remove and 0 not upgraded. + Need to get 115 MB of archives. + After this operation, 322 MB of additional disk space will be used. + Do you want to continue? [Y/n] y + + + +To then setup motion you can read through the documentation [here](https://motion-project.github.io/motion_config.html) + + + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → vim /etc/motion/motion.conf + + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → cat /etc/motion/motion.conf + # Rename this distribution example file to motion.conf + # + # This config file was generated by motion 4.3.2 + # Documentation: /usr/share/doc/motion/motion_guide.html + # + # This file contains only the basic configuration options to get a + # system working. There are many more options available. Please + # consult the documentation for the complete list of all options. + # + + ############################################################ + # System control configuration parameters + ############################################################ + + # Start in daemon (background) mode and release terminal. + daemon off + + # Start in Setup-Mode, daemon disabled. + setup_mode off + + # File to store the process ID. + ; pid_file value + + # File to write logs messages into. If not defined stderr and syslog is used. + log_file /var/log/motion/motion.log + + # Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL). + log_level 6 + + # Target directory for pictures, snapshots and movies + target_dir /mnt/VAULT/cameras + + # Video device (e.g. /dev/video0) to be used for capturing. 
+ ;videodevice /dev/video2 + + # Parameters to control video device. See motion_guide.html + ; vid_control_params value + + # The full URL of the network camera stream. + ; netcam_url value + + # Name of mmal camera (e.g. vc.ril.camera for pi camera). + ; mmalcam_name value + + # Camera control parameters (see raspivid/raspistill tool documentation) + ; mmalcam_control_params value + + ############################################################ + # Image Processing configuration parameters + ############################################################ + + # Image width in pixels. + width 1920 + + # Image height in pixels. + height 1080 + + # Maximum number of frames to be captured per second. + framerate 2 + + # Text to be overlayed in the lower left corner of images + text_left Desk + + # Text to be overlayed in the lower right corner of images. + text_right %Y-%m-%d\n%T-%q + + ############################################################ + # Motion detection configuration parameters + ############################################################ + + # Always save pictures and movies even if there was no motion. + emulate_motion off + + # Threshold for number of changed pixels that triggers motion. + threshold 1500 + + # Noise threshold for the motion detection. + ; noise_level 32 + + # Despeckle the image using (E/e)rode or (D/d)ilate or (l)abel. + despeckle_filter EedDl + + # Number of images that must contain motion to trigger an event. + minimum_motion_frames 1 + + # Gap in seconds of no motion detected that triggers the end of an event. + event_gap 60 + + # The number of pre-captured (buffered) pictures from before motion. + pre_capture 10 + + # Number of frames to capture after motion is no longer detected. + post_capture 10 + + ############################################################ + # Script execution configuration parameters + ############################################################ + + # Command to be executed when an event starts. 
+ ; on_event_start value + + # Command to be executed when an event ends. + ; on_event_end value + + # Command to be executed when a movie file is closed. + ; on_movie_end value + + ############################################################ + # Picture output configuration parameters + ############################################################ + + # Output pictures when motion is detected + picture_output off + + # File name(without extension) for pictures relative to target directory + picture_filename %Y%m%d%H%M%S-%q + + ############################################################ + # Movie output configuration parameters + ############################################################ + + # Create movies of motion events. + movie_output on + + # Maximum length of movie in seconds. + movie_max_time 60 + + # The encoding quality of the movie. (0=use bitrate. 1=worst quality, 100=best) + movie_quality 50 + + # Container/Codec to used for the movie. See motion_guide.html + movie_codec mkv + + # File name(without extension) for movies relative to target directory + movie_filename %t-%v-%Y%m%d%H%M%S + + ############################################################ + # Webcontrol configuration parameters + ############################################################ + + # Port number used for the webcontrol. + webcontrol_port 8080 + + # Restrict webcontrol connections to the localhost. + webcontrol_localhost off + + # Type of configuration options to allow via the webcontrol. + webcontrol_parms 0 + + ############################################################ + # Live stream configuration parameters + ############################################################ + + # The port number for the live stream. + stream_port 8081 + + # Restrict stream connections to the localhost. + stream_localhost off + + ############################################################## + # Camera config files - One for each camera. 
+ ############################################################## + camera /etc/motion/camera1.conf + camera /etc/motion/camera2.conf + ; camera /usr/etc/motion/camera3.conf + ; camera /usr/etc/motion/camera4.conf + + ############################################################## + # Directory to read '.conf' files for cameras. + ############################################################## + ; camera_dir /usr/etc/motion/conf.d + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [/etc/motion] + → cat camera1.conf + # /usr/etc/motion/camera1.conf + # + # This config file was generated by motion 4.3.2 + + ########################################################### + # Configuration options specific to camera 1 + ############################################################ + # User defined name for the camera. + camera_name cam1 + + # Numeric identifier for the camera. + camera_id 101 + + # The full URL of the network camera stream. + #netcam_url rtsp://yourcamera1ip:port/camera/specific/url + videodevice /dev/video0 + + #framerate + framerate 5 + + # Image width in pixels. + width 800 + + # Image height in pixels. + height 600 + + # Text to be overlayed in the lower left corner of images + text_left Desk + + #filepath + target_dir /mnt/VAULT/cameras + + # File name(without extension) for movies relative to target directory + movie_filename DESK_%t-%v-%Y-%m-%d_%H:%M:%S + + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [/etc/motion] + → cat camera2.conf + # /usr/etc/motion/camera1.conf + # + # This config file was generated by motion 4.3.2 + + ########################################################### + # Configuration options specific to camera 1 + ############################################################ + # User defined name for the camera. + camera_name cam2 + + # Numeric identifier for the camera. + camera_id 102 + + # The full URL of the network camera stream. 
+ #netcam_url rtsp://yourcamera1ip:port/camera/specific/url + videodevice /dev/video2 + + #framerate + framerate 5 + + # Image width in pixels. + width 800 + + # Image height in pixels. + height 600 + + # Text to be overlayed in the lower left corner of images + text_left Staircase + + #filepath + target_dir /mnt/VAULT/cameras + + # File name(without extension) for movies relative to target directory + movie_filename STAIRCASE_%t-%v-%Y-%m-%d_%H:%M:%S + + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → vim /etc/default/motion + + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → cat /etc/default/motion + start_motion_daemon=yes + + + +Then start motion: + + + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → systemctl stop motion + + [term1] + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [~] + → motion + [0:motion] [NTC] [ALL] conf_load: Processing thread 0 - config file /etc/motion/motion.conf + [0:motion] [NTC] [ALL] create_path: creating directory /var/log/motion + [0:motion] [NTC] [ALL] motion_startup: Logging to file (/var/log/motion/motion.log) + + [term2] + [ 10.0.0.223/16 ] [ /dev/pts/1 ] [/mnt/VAULT/cameras] + → tail -f /var/log/motion/motion.log + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: Supported palettes: + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: (0) MJPG (Motion-JPEG) + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: (1) YUYV (YUYV 4:2:2) + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_set: Testing palette YUYV (800x600) + [2:ml2:cam2] [WRN] [VID] [Dec 19 17:31:51] v4l2_pixfmt_set: Adjusting resolution from 800x600 to 640x480. 
+ [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_set: Using palette YUYV (640x480) + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: Selected palette YUYV + [2:ml2:cam2] [NTC] [ALL] [Dec 19 17:31:51] image_ring_resize: Resizing pre_capture buffer to 1 items + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:31:52] image_ring_resize: Resizing pre_capture buffer to 11 items + [2:ml2:cam2] [NTC] [ALL] [Dec 19 17:31:52] image_ring_resize: Resizing pre_capture buffer to 11 items + [1:ml1:cam1] [NTC] [EVT] [Dec 19 17:31:56] event_newfile: File of type 8 saved to: /mnt/VAULT/cameras/DESK_101-01-2022-12-19_17:31:54.mkv + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:31:56] motion_detected: Motion detected - starting event 1 + + [term3] + [ 10.0.0.223/16 ] [ /dev/pts/2 ] [/mnt/VAULT/cameras] + → watch -n1 ls -lash + + + +System-wise that's how you will look for camera events, you will see your recordings appear in the /mnt/VAULT/cameras/ folder (thats configurable in the config files) like so: + + + [term2] + [ 10.0.0.223/16 ] [ /dev/pts/1 ] [/mnt/VAULT/cameras] + → tail -f /var/log/motion/motion.log + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: Supported palettes: + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: (0) MJPG (Motion-JPEG) + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: (1) YUYV (YUYV 4:2:2) + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_set: Testing palette YUYV (800x600) + [2:ml2:cam2] [WRN] [VID] [Dec 19 17:31:51] v4l2_pixfmt_set: Adjusting resolution from 800x600 to 640x480. 
+ [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_set: Using palette YUYV (640x480) + [2:ml2:cam2] [NTC] [VID] [Dec 19 17:31:51] v4l2_pixfmt_select: Selected palette YUYV + [2:ml2:cam2] [NTC] [ALL] [Dec 19 17:31:51] image_ring_resize: Resizing pre_capture buffer to 1 items + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:31:52] image_ring_resize: Resizing pre_capture buffer to 11 items + [2:ml2:cam2] [NTC] [ALL] [Dec 19 17:31:52] image_ring_resize: Resizing pre_capture buffer to 11 items + [1:ml1:cam1] [NTC] [EVT] [Dec 19 17:31:56] event_newfile: File of type 8 saved to: /mnt/VAULT/cameras/DESK_101-01-2022-12-19_17:31:54.mkv + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:31:56] motion_detected: Motion detected - starting event 1 + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:32:56] mlp_actions: End of event 1 + [1:ml1:cam1] [NTC] [EVT] [Dec 19 17:34:24] event_newfile: File of type 8 saved to: /mnt/VAULT/cameras/DESK_101-02-2022-12-19_17:34:22.mkv + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:34:24] motion_detected: Motion detected - starting event 2 + [1:ml1:cam1] [NTC] [ALL] [Dec 19 17:35:24] mlp_actions: End of event 2 + + [term3] + Every 1.0s: ls -lash + + total 3.9M + 12K drwxr-xr-x 2 root root 12K Dec 19 17:34 . + 4.0K drwxr-xr-x 17 root root 4.0K Dec 18 21:38 .. + 3.9M -rw-r--r-- 1 root root 3.9M Dec 19 17:35 DESK_101-02-2022-12-19_17:34:22.mkv + + +In realtime you can see the live video feed on the webservice at port 8080: + +![](1.png) + +Here as you can see I have a webcam in my staircase (right) and one in my room (left). 
+ +To see the output of the files from your web-browser you can just run a nginx service into where the mp4 files are stored, and have autoindex on to freely browse them: + + + apt install nginx + rm /etc/nginx/sites-*/default + vim /etc/nginx/sites-available/cameras.conf + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [/etc/nginx/sites-available] + → cat cameras.conf + server { + listen 80; + autoindex on; + root /mnt/VAULT/cameras/; + + } + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/cameras.conf /etc/nginx/sites-enabled + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [/etc/nginx/sites-available] + → systemctl restart nginx + + + +![](2.png) + +Now let's look at how we can send a mail whenever we have a new file being created in /mnt/VAULT/cameras/. For this part you will need to have a functionning mail server, to know how to setup one please see [this tutorial](../mailprivate/index.md) i made. My mail server is at 10.0.0.222 + + + [ 10.0.0.223/16 ] [ /dev/pts/1 ] [~] + → apt install ssmtp + + + +Then edit the config file to send to the correct smtp server: + + + vim /etc/ssmtp/ssmtp.conf + + [ 10.0.0.223/16 ] [ /dev/pts/1 ] [~] + → cat /etc/ssmtp/ssmtp.conf + + mailhub=mail.nowhere.moe:587 + useSTARTTLS=YES + AuthUser=surveillance + AuthPass=D8410983292138128812732167397216736217362167927F + + + +Then make sure the user exists on the smtp server: + + + root@mail-nihilism:~# useradd -G mail -m surveillance + root@mail-nihilism:~# id surveillance + uid=1003(surveillance) gid=1003(surveillance) groups=1003(surveillance),8(mail) + root@mail-nihilism:~# passwd surveillance + New password: + Retype new password: + passwd: password updated successfully + + + +And then just send the mail: + + + [ 10.0.0.223/16 ] [ /dev/pts/1 ] [~] + → echo "Test message from Linux server using ssmtp" | sudo ssmtp -vvv nihilist@nowhere.moe + [<****-] 220 nowhere.moe ESMTP Postfix (Debian/GNU) + [->] EHLO raspberrypi + [ <****-] 250 CHUNKING + [->] 
STARTTLS + [ <****-] 220 2.0.0 Ready to start TLS + [->] EHLO raspberrypi + [ <****-] 250 CHUNKING + [->] AUTH LOGIN + [ <****-] 334 VXNlcm5hbWU6 + [->] c3VydmVpbGxhbmNl + [ <****-] 334 UGFzc3dvcmQ6 + [ <****-] 235 2.7.0 Authentication successful + [->] MAIL FROM:** oot@raspberrypi> + [<****-] 250 2.1.0 Ok + [->] RCPT TO: <****nihilist@nowhere.moe> + [ <****-] 250 2.1.5 Ok + [->] DATA + [ <****-] 354 End data with <****CR> <****LF>. <****CR> <****LF> + [->] Received: by raspberrypi (sSMTP sendmail emulation); Tue, 20 Dec 2022 16:09:09 +0000 + [->] 
From: "root" <****root@raspberrypi> + [->] Date: Tue, 20 Dec 2022 16:09:09 +0000 + [->] Test message from Linux server using ssmtp + [->] + [->] . + [ <****-] 250 2.0.0 Ok: queued as 2B5D31202BB + [->] QUIT + [ <****-] 221 2.0.0 Bye + +Then here we see that we recieved it: + +![](5.png) + +Now let's make it a little more sophisticated, i want it to send the mp4 recording in the mail, and only send it once it is a valid mp4 file (you check it with ffmpeg basically): + + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [~] + → cat watchdir.sh + #!/bin/bash + + echo "[+] Watching for new recordings..." + while true;do + find /mnt/VAULT/cameras/ -name *.mp4 > /tmp/oldfiles + sleep 1 + find /mnt/VAULT/cameras/ -name *.mp4 > /tmp/newfiles + + + #comm -13 <****(echo $newfiles) <****(echo $oldfiles) + newfiles=$(diff -u /tmp/oldfiles /tmp/newfiles | grep -E "^\+" | grep -v "+++" | tr -d '+') + + for line in $newfiles + do + file $line + echo $line Sending the mail... + echo "checking the file: $(ffmpeg -v error -i $line -f null - | wc -l)" + while [ "$(ffmpeg -v error -i $line -f null - | wc -l)" -gt 0 ] ; do + echo "checking the file: $(ffmpeg -v error -i $line -f null - | wc -l)" + echo "waiting for mp4 file to finish..." + sleep 1 + done + filename=$(basename $line) + echo -e "to: nihilist@nowhere.moe\nsubject: Movement Detected\nMovement detected at Home"| (cat - && uuencode $line $filename) | ssmtp nihilist@nowhere.moe + echo "[+] Watching for new recordings..." + done + done + + + +I also want motion to activate only when i shutdown my mainpc, because that is usually when i leave my house. So i have the following script: + + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [~] + → vim monitor_mainpc.sh + + [ 10.0.0.223/16 ] [ /dev/pts/0 ] [~] + → cat monitor_mainpc.sh + #!/bin/bash + + counter=1 + echo '[+] mainpc active, no need for surveillance...' + while true; do + timeout 10 ping -c1 10.0.0.10 &>/dev/null + if [ $? 
-eq 0 ]; then + if [ $counter -eq 0 ]; + then + echo '[+] mainpc active, no need for surveillance...' + systemctl stop motion + systemctl status motion + counter=1 #dont stop motion more than once, until mainpc goes inactive + sleep 3 + else + sleep 3 + fi + else + if [ $counter -gt 0 ]; + then + echo '[+] mainpc inactive, enabling surveillance...' + systemctl start motion + systemctl status motion + counter=0 #dont start motion more than once, until mainpc goes active + sleep 10 + else + sleep 3 + fi + fi + done + + + +For both scripts, you need a systemd service to launch them, and also do not let motion start at bootup, as it will be handled by monitor_mainpc.sh + + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → systemctl disable motion + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → vim /etc/systemd/system/watchdir.service + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → cat /etc/systemd/system/watchdir.service + [Unit] + Description=watchdir + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/watchdir.sh + ExecStop=kill -9 $(pidof /root/watchdir.sh) + Restart=always + + [Install] + WantedBy=multi-user.target + + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → vim /etc/systemd/system/monitor_mainpc.service + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → cat /etc/systemd/system/monitor_mainpc.service + [Unit] + Description=monitor_mainpc + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/monitor_mainpc.sh + ExecStop=kill -9 $(pidof /root/monitor_mainpc.sh) + Restart=always + + [Install] + WantedBy=multi-user.target + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → systemctl daemon-reload + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → systemctl enable --now monitor_mainpc watchdir + Created symlink /etc/systemd/system/multi-user.target.wants/monitor_mainpc.service → /etc/systemd/system/monitor_mainpc.service. 
+ Created symlink /etc/systemd/system/multi-user.target.wants/watchdir.service → /etc/systemd/system/watchdir.service. + + [ 10.0.0.223/16 ] [ /dev/pts/3 ] [~] + → systemctl status monitor_mainpc watchdir + ● monitor_mainpc.service - monitor_mainpc + Loaded: loaded (/etc/systemd/system/monitor_mainpc.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2022-12-25 18:32:27 GMT; 6s ago + Main PID: 3253 (monitor_mainpc.) + Tasks: 2 (limit: 4915) + CPU: 31ms + CGroup: /system.slice/monitor_mainpc.service + ├─3253 /bin/bash /root/monitor_mainpc.sh + └─3326 sleep 3 + + Dec 25 18:32:27 raspberrypi systemd[1]: Started monitor_mainpc. + Dec 25 18:32:27 raspberrypi monitor_mainpc.sh[3253]: [+] mainpc active, no need for surveillance... + + ● watchdir.service - watchdir + Loaded: loaded (/etc/systemd/system/watchdir.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2022-12-25 18:32:27 GMT; 6s ago + Main PID: 3254 (watchdir.sh) + Tasks: 2 (limit: 4915) + CPU: 223ms + CGroup: /system.slice/watchdir.service + ├─3254 /bin/bash /root/watchdir.sh + └─3357 /bin/bash /root/watchdir.sh + + Dec 25 18:32:27 raspberrypi systemd[1]: Started watchdir. + Dec 25 18:32:27 raspberrypi watchdir.sh[3254]: [+] Watching for new recordings... + + + diff --git a/teddit/0.png b/teddit/0.png new file mode 100644 index 0000000..ff34787 Binary files /dev/null and b/teddit/0.png differ diff --git a/teddit/1.png b/teddit/1.png new file mode 100644 index 0000000..76d2c5d Binary files /dev/null and b/teddit/1.png differ diff --git a/teddit/2.png b/teddit/2.png new file mode 100644 index 0000000..e38464e Binary files /dev/null and b/teddit/2.png differ diff --git a/teddit/index.md b/teddit/index.md new file mode 100644 index 0000000..a5eea16 --- /dev/null +++ b/teddit/index.md 
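Review bot: The watchdir.sh mail trigger in this hunk can never fire as written: both `find` calls look for `*.mp4` while motion.conf sets `movie_codec mkv` and the log output above shows `.mkv` files being saved, and the validity check `$(ffmpeg -v error -i $line -f null - | wc -l)` only counts stdout while ffmpeg reports on stderr, so it is always 0 and the "waiting for mp4 file to finish" loop is skipped. Change the two find lines to `find /mnt/VAULT/cameras/ -name '*.mkv' > /tmp/oldfiles` (and `/tmp/newfiles`) and the check to `"$(ffmpeg -v error -i "$line" -f null - 2>&1 | wc -l)"`, quoting `$line` everywhere so paths with spaces survive. On the exposure side, `webcontrol_localhost off`, `stream_localhost off` and the `autoindex on` nginx site on port 80 together serve the live feeds, the control interface and every recording to anyone on the LAN over plain HTTP with no authentication, which deserves at least a firewall rule or HTTP auth in front; `/etc/ssmtp/ssmtp.conf` also holds the SMTP password in clear, so it should get restrictive permissions (e.g. `chmod 640`) and a note not to paste the real value into the page. The units' `ExecStop=kill -9 $(pidof /root/watchdir.sh)` will not work either, since systemd performs no command substitution; dropping ExecStop and letting systemd's default SIGTERM stop the script is the simpler fix.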
@@ -0,0 +1,184 @@
+# Teddit Setup
+
+![](0.png)
+
+In this tutorial we're going to setup Teddit, a privacy front-end for Reddit.
+
+## **Initial Setup**
+
+first install the dependencies
+
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [~]
+ → apt install docker.io docker-compose -y
+
+
+
+Then run it with docker-compose:
+
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/srv]
+ → git clone https://codeberg.org/teddit/teddit
+ Cloning into 'teddit'...
+ remote: Enumerating objects: 609, done.
+ remote: Counting objects: 100% (609/609), done.
+ remote: Compressing objects: 100% (283/283), done.
+ remote: Total 6548 (delta 492), reused 324 (delta 324), pack-reused 5939
+ Receiving objects: 100% (6548/6548), 4.35 MiB | 24.59 MiB/s, done.
+ Resolving deltas: 100% (3049/3049), done.
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/srv]
+ → cd teddit
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/srv/teddit]
+ → vim docker-compose.yml
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/srv/teddit]
+ → cat docker-compose.yml
+ # This docker-compose file is made for development purpose and build from source, if you want to use teddit in production, the README contains a production-ready docker-compose setup.
+
+ version: "3"
+
+ services:
+
+ teddit:
+ container_name: teddit
+ build: .
+ environment:
+ - REDIS_HOST=teddit-redis
+ ports:
+ - "8082:8080"
+ networks:
+ - teddit_net
+ healthcheck:
+ test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost:8080/about"]
+ interval: 1m
+ timeout: 3s
+ depends_on:
+ - teddit-redis
+
+ teddit-redis:
+ container_name: teddit-redis
+ image: redis:6.2.5-alpine
+ command: redis-server
+ environment:
+ - REDIS_REPLICATION_MODE=master
+ networks:
+ - teddit_net
+
+ networks:
+ teddit_net:
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/srv/teddit]
+ → docker-compose up -d
+ Creating network "teddit_teddit_net" with the default driver
+ Pulling teddit-redis (redis:6.2.5-alpine)...
+ 6.2.5-alpine: Pulling from library/redis
+ a0d0a0d46f8b: Pull complete
+ a04b0375051e: Pull complete
+ cdc2bb0f9590: Pull complete
+ 8f19735ec10c: Pull complete
+ ac5156a4c6ca: Pull complete
+ 7b7e1b3fdb00: Pull complete
+ Digest: sha256:fa785f9bd167b94a6b30210ae32422469f4b0f805f4df12733c2f177f500d1ba
+ Status: Downloaded newer image for redis:6.2.5-alpine
+ Building teddit
+ Step 1/9 : FROM node:slim
+ slim: Pulling from library/node
+ faef57eae888: Pull complete
+ f54b1e40b8eb: Pull complete
+ 36433a2ca875: Pull complete
+ 604c60d297fb: Pull complete
+ aa860910361c: Pull complete
+ Digest: sha256:11f66bf5d0842fe1f87457fabe62aa3bbcfbb739d231a39e67597af22d8f5ffd
+ Status: Downloaded newer image for node:slim
+ ---> 9eabbb6ea234
+ Step 2/9 : RUN apt-get update && apt-get install -y ffmpeg wget
+
+ [...]
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/srv/teddit]
+ → docker-compose up -d
+ teddit-redis is up-to-date
+ Recreating teddit ... done
+
+
+
+Then from here you need to setup the reverse nginx proxy as follows:
+
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/etc/nginx/sites-available]
+ → vim teddit.nowhere.moe
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/etc/nginx/sites-available]
+ → cat teddit.nowhere.moe
+ server {
+ listen 443 ssl;
+ server_name teddit.nowhere.moe;
+
+ ssl_certificate /etc/acme/certs/teddit.nowhere.moe/teddit.nowhere.moe.cer;
+ ssl_certificate_key /etc/acme/certs/teddit.nowhere.moe/teddit.nowhere.moe.key;
+
+ ######## TOR CHANGES ########
+ listen 4443;
+ listen [::]:4443;
+ server_name teddit.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
+ add_header Onion-Location "http://teddit.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
+ ######## TOR CHANGES ########
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:8082;
+ }
+
+ }
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [/etc/nginx/sites-available]
+ → bash
+ root@Datura /etc/nginx/sites-available # acme.sh --issue --standalone -d teddit.nowhere.moe -k 4096
+
+ root@Datura /etc/nginx/sites-available # ln -s /etc/nginx/sites-available/teddit.nowhere.moe /etc/nginx/sites-enabled/
+ root@Datura /etc/nginx/sites-available # nginx -t
+ nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+ nginx: configuration file /etc/nginx/nginx.conf test is successful
+ root@Datura /etc/nginx/sites-available # systemctl restart nginx
+
+
+
+Then we can test if the website is reachable:
+
+![](1.png)
+
+And also from tor:
+
+![](2.png)
+
+Then last step is contributing to the overall [list](https://codeberg.org/teddit/teddit#instances) of instances [like so](https://codeberg.org/teddit/teddit/issues/413):
+
+Then make sure teddit is restarted once every hour:
+
+
+ [ nowhere.moe ] [ /dev/pts/1 ] [/srv/teddit]
+ → crontab -e
+
+ @hourly docker-compose -f /srv/teddit/docker-compose.yml stop ; git -C /srv/teddit/ pull ; docker-compose -f /srv/teddit/docker-compose.yml pull ; docker-compose -f /srv/teddit/docker-compose.yml up -d
+
+
+ [ nowhere.moe ] [ /dev/pts/2 ] [~]
+ → cronitor select
+
+ ✔ docker-compose -f /srv/teddit/docker-compose.yml stop ; git -C /srv/teddit/ pull ; docker-compose -f /srv/teddit/docker-compose.yml pull ; docker-compose -f /srv/teddit/docker-compose.yml up -d
+ ----► Running command: docker-compose -f /srv/teddit/docker-compose.yml stop ; git -C /srv/teddit/ pull ; docker-compose -f /srv/teddit/docker-compose.yml pull ; docker-compose -f /srv/teddit/docker-compose.yml up -d
+
+ Stopping teddit ... done
+ Stopping teddit-redis ... done
+ Already up to date.
+ Pulling teddit-redis ... done
+ Starting teddit-redis ... done
+ Starting teddit ... done
+
+ ----► ✔ Command successful Elapsed time 14.079s
+
+
+
+
diff --git a/tf2srv/0.png b/tf2srv/0.png
new file mode 100644
index 0000000..ff91bd7
Binary files /dev/null and b/tf2srv/0.png differ
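Review bot: Publishing the teddit container with `- "8082:8080"` binds the port on every host interface, so the app is reachable directly over plain HTTP on 8082 and bypasses the TLS vhost that nginx proxies to `http://localhost:8082` (unless a host firewall drops it); bind it to loopback with `- "127.0.0.1:8082:8080"`. The same applies to the Tor vhost's `listen 4443;` and `listen [::]:4443;`, which serve the .onion hostname in cleartext on all interfaces instead of only to the local tor daemon; `listen 127.0.0.1:4443;` keeps that listener private. The hourly crontab entry runs `git pull` but then `docker-compose ... up -d` without `--build`, so with `build: .` the running image is never rebuilt from the pulled source, and it also deploys whatever upstream's default branch contains, unattended and apparently as root; add `--build` and consider pinning to a reviewed tag or commit. Note that the compose file's own header comment says it is a development setup and points to the README's production compose, which is worth mentioning next to the listing.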
diff --git a/tf2srv/1.png b/tf2srv/1.png
new file mode 100644
index 0000000..f3e4977
Binary files /dev/null and b/tf2srv/1.png differ
diff --git a/tf2srv/2.png b/tf2srv/2.png
new file mode 100644
index 0000000..511884e
Binary files /dev/null and b/tf2srv/2.png differ
diff --git a/tf2srv/3.png b/tf2srv/3.png
new file mode 100644
index 0000000..1d277ee
Binary files /dev/null and b/tf2srv/3.png differ
diff --git a/tf2srv/4.png b/tf2srv/4.png
new file mode 100644
index 0000000..cf6a9c0
Binary files /dev/null and b/tf2srv/4.png differ
diff --git a/tf2srv/5.png b/tf2srv/5.png
new file mode 100644
index 0000000..1ef1a47
Binary files /dev/null and b/tf2srv/5.png differ
diff --git a/tf2srv/6.png b/tf2srv/6.png
new file mode 100644
index 0000000..fa7014c
Binary files /dev/null and b/tf2srv/6.png differ
diff --git a/tf2srv/7.png b/tf2srv/7.png
new file mode 100644
index 0000000..9e436a1
Binary files /dev/null and b/tf2srv/7.png differ
diff --git a/tf2srv/index.md b/tf2srv/index.md
new file mode 100644
index 0000000..583a117
--- /dev/null
+++ b/tf2srv/index.md
@@ -0,0 +1,1127 @@ +# TF2 GameServer Setup + +![](0.png) + +In this tutorial we're going to look at how to install a tf2 server on a ubuntu 16.04 host. + +## **Initial Setup** + +I'm setting it up on an Ubuntu LXC container on proxmox: + + + [ 10.66.66.2/32 ] [ /dev/pts/10 ] [Github/blog/HTB] + → ssh root@10.0.0.180 -i ~/.ssh/mainpc + + + + + + root@tf2:~# dpkg --add-architecture i386 + root@tf2:~# apt update -y ; apt upgrade -y + root@tf2:~# apt-get install -y software-properties-common + + root@tf2:~# apt-get install -y --no-install-recommends --no-install-suggests lib32gcc1 lib32z1 libncurses5:i386 libbz2-1.0:i386 lib32gcc1 lib32stdc++6 libtinfo5:i386 libcurl3-gnutls:i386 wget unzip gettext-base libbsd0 curl tmux screen vim -y + root@tf2:~# rm -rf /var/lib/apt/lists/* + + root@tf2local:~# curl -sqL "https://steamcdn-a.akamaihd.net/client/installer/steamcmd_linux.tar.gz" | tar zxvf - + steamcmd.sh + linux32/steamcmd + linux32/steamerrorreporter + linux32/libstdc++.so.6 + linux32/crashhandler.so + + + + root@tf2local:~# ./steamcmd.sh + Redirecting stderr to '/home/steam/Steam/logs/stderr.txt' + ILocalize::AddFile() failed to load file "public/steambootstrapper_english.txt". + [ 0%] Checking for available update... + [----] Downloading update (0 of 53901 KB)... + [ 0%] Downloading update (738 of 53901 KB)... + [ 1%] Downloading update (2417 of 53901 KB)... + [ 4%] Downloading update (3721 of 53901 KB)... + [ 6%] Downloading update (5180 of 53901 KB)... + [ 9%] Downloading update (6593 of 53901 KB)... + + [...] + + WARNING: setlocale('en_US.UTF-8') failed, using locale: 'C'. International characters may not work. + Redirecting stderr to '/home/steam/Steam/logs/stderr.txt' + [ 0%] Checking for available updates... + [----] Verifying installation... + Steam Console Client (c) Valve Corporation + -- type 'quit' to exit -- + Loading Steam API...OK. 
+ + Steam>login anonymous + + Connecting anonymously to Steam Public...Logged in OK + Waiting for user info...OK + + Steam>force_install_dir ./tf2/ + + Steam>app_update 232250 validate + Update state (0x3) reconfiguring, progress: 0.00 (0 / 0) + Update state (0x3) reconfiguring, progress: 0.00 (0 / 0) + Update state (0x3) reconfiguring, progress: 0.00 (0 / 0) + Update state (0x3) reconfiguring, progress: 0.00 (0 / 0) + + [...] (after like 20 minutes) + + Update state (0x101) committing, progress: 92.11 (7808672823 / 8477794661) + Update state (0x101) committing, progress: 94.61 (8020772689 / 8477794661) + Update state (0x101) committing, progress: 95.87 (8127457161 / 8477794661) + Update state (0x101) committing, progress: 97.11 (8233117403 / 8477794661) + Update state (0x101) committing, progress: 98.41 (8343138174 / 8477794661) + Success! App '232250' fully installed. + + Steam>exit + + root@tf2local:~$ ls + Steam linux32 linux64 package public siteserverui steamcmd.sh tf2 + + root@tf2local:~$ cd tf2/ + + root@tf2local:~/tf2$ ls + bin hl2 platform srcds_linux srcds_run steamapps tf thirdpartylegalnotices.txt + + root@tf2local:~/tf2$ cd tf/ + + root@tf2local:~/tf2/tf$ ls + bin maps tf2_misc_000.vpk tf2_misc_006.vpk tf2_misc_012.vpk tf2_misc_018.vpk tf2_misc_024.vpk tf2_textures_dir.vpk + cfg materials tf2_misc_001.vpk tf2_misc_007.vpk tf2_misc_013.vpk tf2_misc_019.vpk tf2_misc_dir.vpk workshop + custom media tf2_misc_002.vpk tf2_misc_008.vpk tf2_misc_014.vpk tf2_misc_020.vpk tf2_sound_misc.vpk.sound.cache + download resource tf2_misc_003.vpk tf2_misc_009.vpk tf2_misc_015.vpk tf2_misc_021.vpk tf2_sound_misc_dir.vpk + gameinfo.txt scripts tf2_misc_004.vpk tf2_misc_010.vpk tf2_misc_016.vpk tf2_misc_022.vpk tf2_sound_vo_english.vpk.sound.cache + item_whitelist_example.txt steam.inf tf2_misc_005.vpk tf2_misc_011.vpk tf2_misc_017.vpk tf2_misc_023.vpk tf2_sound_vo_english_dir.vpk + + + + +Now that srcds is installed, we can start configuring our server, Basically first i 
want the server to run a few game commands as it boots up, to do that i can either pass those commands as arguements to the **srcds_run** binary like so: + + + ./srcds_run -game tf +map ctf_2fort +maxplayers 24 + + + +If you have that steamclient.so error do the following: + + + root@tf2local:~# ls + Steam linux32 linux64 package public siteserverui steamcmd.sh tf2 + root@tf2local:~# cd tf2/ + root@tf2local:~/tf2# ls + bin hl2 platform srcds_linux srcds_run steamapps tf thirdpartylegalnotices.txt + root@tf2local:~/tf2# ./srcds_run + + [...] + + ProtoDefs post data loaded. + ProtoDefs post data loaded. + dlopen failed trying to load: + /root/.steam/sdk32/steamclient.so + with error: + /root/.steam/sdk32/steamclient.so: cannot open shared object file: No such file or directory + Looking up breakpad interfaces from steamclient + Calling BreakpadMiniDumpSystemInit + Unknown command "r_decal_cullsize" + Unknown command "startupmenu" + Network: IP 10.0.0.180, mode MP, dedicated Yes, ports 27015 SV / 27005 CL + Fri Jul 2 22:17:18 UTC 2021: Server Quit + + root@tf2local:~/tf2# mkdir -p ~/.steam/sdk32 + root@tf2local:~/tf2# updatedb + root@tf2local:~/tf2# locate steamclient.so + /root/linux32/steamclient.so + /root/linux64/steamclient.so + /root/tf2/bin/steamclient.so + + + root@tf2local:~/tf2# ln -s $HOME/linux32/steamclient.so ~/.steam/sdk32/ + + root@tf2local:~/tf2# ./srcds_run + + + +That's how i fixed the steamclient.so error. 
Now instead of running the srcds binary ourselves, we can can just specify those commands in the **tf/cfg/server.cfg** file, if you don't know what to put in here you can just use [cfg.tf](https://cfg.tf/server/): + + + root@tf2local:~/tf2/tf/cfg$ vim server.cfg + + root@tf2local:~/tf2/tf/cfg$ cat server.cfg + + hostname "void.yt" + sv_password "" + sv_lan 1 + sv_cheats 1 + + rcon_password "changeme" + sv_rcon_banpenalty 15 + sv_rcon_minfailures 15 + sv_rcon_maxfailures 15 + log off + sv_logfile 0 + sv_logecho 0 + sv_logbans 0 + sm_maxhealth 100000 + tf_bot_add 1 soldier expert + tf_bot_force_class soldier + + sv_pure -1 + sv_pure_kick_clients 0 + sv_alltalk 1 + mp_allowspectators 0 + mp_autoteambalance 0 + mp_teams_unbalance_limit 30 + mp_disable_respawn_times 1 + tf_bot_force_class soldier + + mp_forcecamera 0 + sv_allow_wait_command 0 + sv_cheats 0 + sv_pausable 0 + mp_stalemate_enable 0 + mp_stalemate_timelimit 240 + mp_winlimit 0 + mp_timelimit 0 + tf_weapon_criticals 0 + tf_use_fixed_weaponspreads 0 + + sv_maxrate 50000 + sv_minrate 7500 + sv_maxupdaterate 66 + sv_minupdaterate 20 + sv_maxcmdrate 66 + sv_mincmdrate 0 + sv_allow_point_servercommand always + + + +since this server will run only one map i specified it in server.cfg + + + [terminal 1] + [ 10.66.66.2/32 ] [ /dev/pts/16 ] [Github/blog/HTB] + → cd /mnt/vault/steam/steamapps/common/Team\ Fortress\ 2/tf/maps + + + [ 10.66.66.2/32 ] [ /dev/pts/14 ] [~/Downloads] + → python3 -m http.server 9090 + Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... + + + [terminal 2] + root@tf2local:~/tf2/tf/cfg$ cd .. + root@tf2local:~/tf2/tf$ cd maps/ + root@tf2local:~/tf2/tf/maps# wget http://10.0.0.10:9090/airborne2.bsp + --2021-07-02 22:49:26-- http://10.0.0.10:9090/airborne2.bsp ; chmod 755 airborne2.bsp + Connecting to 10.0.0.10:9090... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 157192 (154K) [model/vnd.valve.source.compiled-map] + Saving to: 'airborne2.bsp' + + airborne2.bsp 100%[==============================================================================================>] 153.51K --.-KB/s in 0.01s + + 2021-07-02 22:49:26 (11.5 MB/s) - 'airborne2.bsp' saved [157192/157192] + + root@tf2local:~/tf2/tf/maps# cd ../cfg + root@tf2local:~/tf2/tf/cfg# cat mapcycle.txt + airborne2 + + + +We can run the srcds binary to check that it's working: + + + root@tf2local:~/tf2# ./srcds_run -game tf +map airborne2 + + + ************** WARNING *************** + Running the dedicated server as root + is highly discouraged. It is generally + unnecessary to use root privileges to + execute the dedicated server. + ************************************** + + + Auto detecting CPUntinue to launch in 1 secondss + Using default binary: ./srcds_linux + Server will auto-restart if there is a crash. + Using Breakpad minidump system. Version: 6623512 AppID: 232250 + Setting breakpad minidump AppID = 232250 + Using breakpad crash handler + Loaded 10223 VPK file hashes from /root/tf2/tf/tf2_textures.vpk for pure server operation. + Loaded 10223 VPK file hashes from /root/tf2/tf/tf2_textures.vpk for pure server operation. + Loaded 476 VPK file hashes from /root/tf2/tf/tf2_sound_vo_english.vpk for pure server operation. + Loaded 476 VPK file hashes from /root/tf2/tf/tf2_sound_vo_english.vpk for pure server operation. + Loaded 1343 VPK file hashes from /root/tf2/tf/tf2_sound_misc.vpk for pure server operation. + Loaded 1343 VPK file hashes from /root/tf2/tf/tf2_sound_misc.vpk for pure server operation. + Loaded 2634 VPK file hashes from /root/tf2/tf/tf2_misc.vpk for pure server operation. + Loaded 2634 VPK file hashes from /root/tf2/tf/tf2_misc.vpk for pure server operation. + Loaded 2634 VPK file hashes from /root/tf2/tf/tf2_misc.vpk for pure server operation. + Loaded 1217 VPK file hashes from /root/tf2/hl2/hl2_textures.vpk for pure server operation. 
+ Loaded 574 VPK file hashes from /root/tf2/hl2/hl2_sound_vo_english.vpk for pure server operation. + Loaded 383 VPK file hashes from /root/tf2/hl2/hl2_sound_misc.vpk for pure server operation. + Loaded 451 VPK file hashes from /root/tf2/hl2/hl2_misc.vpk for pure server operation. + Loaded 451 VPK file hashes from /root/tf2/hl2/hl2_misc.vpk for pure server operation. + Loaded 5 VPK file hashes from /root/tf2/platform/platform_misc.vpk for pure server operation. + Loaded 5 VPK file hashes from /root/tf2/platform/platform_misc.vpk for pure server operation. + server_srv.so loaded for "Team Fortress" + For FCVAR_REPLICATED, ConVar must be defined in client and game .dlls (sv_use_steam_voice) + ProtoDefs post data loaded. + ProtoDefs loaded. 16.46 MB used + ProtoDefs post data loaded. + ProtoDefs loaded. 16.46 MB used + maxplayers set to 24 + No '-replayserverdir' parameter found - using default replay folder. + Replay: Creating thread pool...succeeded. + Replay: Starting thread pool with 4 threads...succeeded. + Cleaning files from temp dir, "/root/tf2/tf/replay/server/tmp/" ...no files removed. + ProtoDefs post data loaded. + ProtoDefs post data loaded. + Looking up breakpad interfaces from steamclient + Calling BreakpadMiniDumpSystemInit + Unknown command "r_decal_cullsize" + ConVarRef dev_loadtime_map_start doesn't point to an existing ConVar + Unknown command "startupmenu" + Network: IP 10.0.0.180, mode MP, dedicated Yes, ports 27015 SV / 27005 CL + Initializing Steam libraries for secure Internet server + [S_API] SteamAPI_Init(): Loaded local 'steamclient.so' OK. 
+ CAppInfoCacheReadFromDiskThread took 46 milliseconds to initialize + CApplicationManagerPopulateThread took 0 milliseconds to initialize (will have waited on CAppInfoCacheReadFromDiskThread) + RecordSteamInterfaceCreation (PID 453): SteamGameServer013 / + RecordSteamInterfaceCreation (PID 453): SteamUtils010 / + Setting breakpad minidump AppID = 440 + Looking up breakpad interfaces from steamclient + Calling BreakpadMiniDumpSystemInit + RecordSteamInterfaceCreation (PID 453): SteamGameServer013 / + RecordSteamInterfaceCreation (PID 453): SteamUtils010 / + RecordSteamInterfaceCreation (PID 453): SteamNetworking006 / + RecordSteamInterfaceCreation (PID 453): SteamGameServerStats001 / + RecordSteamInterfaceCreation (PID 453): STEAMHTTP_INTERFACE_VERSION003 / + RecordSteamInterfaceCreation (PID 453): STEAMINVENTORY_INTERFACE_V003 / + RecordSteamInterfaceCreation (PID 453): STEAMUGC_INTERFACE_VERSION014 / + RecordSteamInterfaceCreation (PID 453): STEAMAPPS_INTERFACE_VERSION008 / + Setting breakpad minidump AppID = 232250 + No account token specified; logging into anonymous game server account. (Use sv_setsteamaccount to login to a persistent account.) + RecordSteamInterfaceCreation (PID 453): SteamGameServer013 / + RecordSteamInterfaceCreation (PID 453): SteamUtils010 / + RecordSteamInterfaceCreation (PID 453): SteamNetworking006 / + RecordSteamInterfaceCreation (PID 453): SteamGameServerStats001 / + RecordSteamInterfaceCreation (PID 453): STEAMHTTP_INTERFACE_VERSION003 / + RecordSteamInterfaceCreation (PID 453): STEAMINVENTORY_INTERFACE_V003 / + RecordSteamInterfaceCreation (PID 453): STEAMUGC_INTERFACE_VERSION014 / + RecordSteamInterfaceCreation (PID 453): STEAMAPPS_INTERFACE_VERSION008 / + ConVarRef room_type doesn't point to an existing ConVar + Executing dedicated server config file server.cfg + Using map cycle file 'cfg/mapcycle.txt'. 
+ RecordSteamInterfaceCreation (PID 453): SteamGameStats001 / + Warning: failed to init SDL thread priority manager: SDL not found + Set motd from file 'cfg/motd_default.txt'. ('cfg/motd.txt' was not found.) + Set motd_text from file 'cfg/motd_text_default.txt'. ('cfg/motd_text.txt' was not found.) + SV_ActivateServer: setting tickrate to 66.7 + func_regenerate(func_regenerate) has no associated model. + RecordSteamInterfaceCreation (PID 453): SteamGameCoordinator001 / + Connection to game coordinator established. + Current item schema is up-to-date with version 2B55A3E4. + -------------------------------------------------------- + sv_pure set to -1. + Note: Waiting for the next changelevel to apply the current value. + -------------------------------------------------------- + 'airborne2.cfg' not present; not executing. + Server is hibernating + Connection to Steam servers successful. + Assigned anonymous gameserver Steam ID [A:1:929544195:17849]. + VAC secure mode is activated. + + + +From here we know that the server is running, and we can check it ingame: + +![](2.png) + +Now that's done, we verified that we could run the srcds binary like this, however we could have a more refined approach and actually make a systemd service to run this as the debian LXC container starts. 
+ + + root@tf2local:~# vim /etc/systemd/system/tf2server.service + + root@tf2local:~/tf2# cat /etc/systemd/system/tf2server.service + [Unit] + Description=TF2 Server + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + ExecStart=/root/tf2/srcds_run -game tf +map airborne2 + ExecStop=/root/tf2/killserver.sh + KillMode=process + + [Install] + WantedBy=multi-user.target + + root@tf2local:~/tf2# vim killserver.sh + root@tf2local:~/tf2# cat killserver.sh + #!/bin/bash + kill -9 $(pidof srcds_linux) + + root@tf2local:~/tf2# chmod +x killserver.sh + + root@tf2local:~# systemctl enable --now tf2server + + root@tf2local:~# systemctl status tf2server + * tf2server.service - TF2 Server + Loaded: loaded (/etc/systemd/system/tf2server.service; disabled; vendor preset: enabled) + Active: active (running) since Fri 2021-07-02 21:13:15 UTC; 3s ago + Main PID: 10722 (srcds_run) + Tasks: 2 (limit: 7372) + Memory: 1.2M + CGroup: /system.slice/tf2server.service + |-10722 /bin/sh /home/steam/tf2/srcds_run + `-10732 sleep 1 + + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): SteamGameServer013 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): SteamUtils010 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): SteamNetworking006 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): SteamGameServerStats001 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): STEAMHTTP_INTERFACE_VERSION003 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): STEAMINVENTORY_INTERFACE_V003 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): STEAMUGC_INTERFACE_VERSION014 / + Jul 02 23:03:55 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): STEAMAPPS_INTERFACE_VERSION008 / + Jul 02 23:04:05 tf2local 
srcds_run[778]: RecordSteamInterfaceCreation (PID 778): SteamGameStats001 / + Jul 02 23:04:09 tf2local srcds_run[778]: RecordSteamInterfaceCreation (PID 778): SteamGameCoordinator001 / + + + +And that's it! We managed to setup a simple local tf2 server. + +## **In-game RCON and Bonus plugins** + +if you want to run console comamnds that require privileges to do so on your local server, you need to use rcon, and since we specified the password earlier, we do the following: + +![](3.png) + +Obviously don't give the rcon password to anyone you don't trust. Now if you want some plugins you can install [sourcemod](https://www.sourcemod.net/downloads.php) and [metamod](http://www.sourcemm.net/downloads.php?branch=stable): + +![](4.png) + + + root@tf2local:~/tf2# cd tf/ + root@tf2local:~/tf2/tf# ls + bin maps steam.inf tf2_misc_006.vpk tf2_misc_013.vpk tf2_misc_020.vpk tf2_sound_misc_dir.vpk + cfg materials tf2_misc_000.vpk tf2_misc_007.vpk tf2_misc_014.vpk tf2_misc_021.vpk tf2_sound_vo_english.vpk.sound.cache + custom media tf2_misc_001.vpk tf2_misc_008.vpk tf2_misc_015.vpk tf2_misc_022.vpk tf2_sound_vo_english_dir.vpk + download modelsounds.cache tf2_misc_002.vpk tf2_misc_009.vpk tf2_misc_016.vpk tf2_misc_023.vpk tf2_textures_dir.vpk + downloadlists replay tf2_misc_003.vpk tf2_misc_010.vpk tf2_misc_017.vpk tf2_misc_024.vpk workshop + gameinfo.txt resource tf2_misc_004.vpk tf2_misc_011.vpk tf2_misc_018.vpk tf2_misc_dir.vpk + item_whitelist_example.txt scripts tf2_misc_005.vpk tf2_misc_012.vpk tf2_misc_019.vpk tf2_sound_misc.vpk.sound.cache + root@tf2local:~/tf2/tf# wget https://sm.alliedmods.net/smdrop/1.10/sourcemod-1.10.0-git6509-linux.tar.gz + --2021-07-03 17:25:03-- https://sm.alliedmods.net/smdrop/1.10/sourcemod-1.10.0-git6509-linux.tar.gz + Resolving sm.alliedmods.net (sm.alliedmods.net)... 104.26.8.106, 104.26.9.106, 172.67.73.151, ... + Connecting to sm.alliedmods.net (sm.alliedmods.net)|104.26.8.106|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 17422077 (17M) [application/x-gzip] + Saving to: 'sourcemod-1.10.0-git6509-linux.tar.gz' + + sourcemod-1.10.0-git6509-linux.tar.gz 100%[===============================================================================================>] 16.61M 1.03MB/s in 17s + + 2021-07-03 17:25:21 (998 KB/s) - 'sourcemod-1.10.0-git6509-linux.tar.gz' saved [17422077/17422077] + + root@tf2local:~/tf2/tf# wget https://mms.alliedmods.net/mmsdrop/1.11/mmsource-1.11.0-git1144-linux.tar.gz + --2021-07-03 17:30:14-- https://mms.alliedmods.net/mmsdrop/1.11/mmsource-1.11.0-git1144-linux.tar.gz + Resolving mms.alliedmods.net (mms.alliedmods.net)... 104.26.8.106, 172.67.73.151, 104.26.9.106, ... + Connecting to mms.alliedmods.net (mms.alliedmods.net)|104.26.8.106|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1859179 (1.8M) [application/x-gzip] + Saving to: 'mmsource-1.11.0-git1144-linux.tar.gz' + + mmsource-1.11.0-git1144-linux.tar.gz 100%[===============================================================================================>] 1.77M 677KB/s in 2.7s + + 2021-07-03 17:30:18 (677 KB/s) - 'mmsource-1.11.0-git1144-linux.tar.gz' saved [1859179/1859179] + + + +then extract both files: + + + root@tf2local:~/tf2/tf# tar -xzf mmsource-1.11.0-git1144-linux.tar.gz + root@tf2local:~/tf2/tf# tar -xzf sourcemod-1.10.0-git6509-linux.tar.gz + + root@tf2local:~/tf2/tf# rm mmsource-1.11.0-git1144-linux.tar.gz + root@tf2local:~/tf2/tf# rm sourcemod-1.10.0-git6509-linux.tar.gz + + root@tf2local:~/tf2/tf# ls -lash addons/ + total 24K + 4.0K drwx------ 4 1000 1000 4.0K May 6 2018 . + 4.0K drwxr-xr-x 15 root root 4.0K Jul 3 17:32 .. 
+ 4.0K drwx------ 3 1000 1000 4.0K May 6 2018 metamod + 4.0K -rw------- 1 1000 1000 50 May 26 2014 metamod.vdf + 4.0K -rw------- 1 1000 1000 58 Dec 20 2017 metamod_x64.vdf + 4.0K drwx------ 11 1000 1000 4.0K Oct 1 2019 sourcemod + + + +Now that's done we have our addons folder, we will need to configure **admins_simple.ini** + + + root@tf2local:~/tf2/tf# cd addons/sourcemod/configs/ + root@tf2local:~/tf2/tf/addons/sourcemod/configs# ls + admin_groups.cfg admin_overrides.cfg adminmenu_custom.txt adminmenu_sorting.txt admins_simple.ini core.cfg geoip maplists.cfg + admin_levels.cfg adminmenu_cfgs.txt adminmenu_grouping.txt admins.cfg banreasons.txt databases.cfg languages.cfg sql-init-scripts + root@tf2local:~/tf2/tf/addons/sourcemod/configs# vim admins_simple.ini + + + +Basically in here we add our **SteamID** with the **"99:z"** permissions + + + root@tf2local:~/tf2/tf/addons/sourcemod/configs# tail -n 3 admins_simple.ini + "STEAM_0:0:576829438" "99:z" + + + + +And with this we can restart our tf2 server: + + + root@tf2local:~/tf2/tf/addons/sourcemod/configs# systemctl restart tf2server + + + +Now when we connect back to the server we can type **!sm_admin** in chat to use the sourcemod admin commands pannel: + +![](5.png) + +If you need to make any custom scripts, for example making players and bots spawn with extra health, you can use the **scripting** directory in sourcemod: + + + root@tf2local:~/tf2/tf/addons/sourcemod# cd scripting/ + root@tf2local:~/tf2/tf/addons/sourcemod/scripting# ls -l + total 1080 + drwx------ 2 1000 1000 4096 May 6 2018 admin-flatfile + -rw------- 1 1000 1000 9857 May 6 2018 admin-sql-prefetch.sp + -rw------- 1 1000 1000 21482 Dec 17 2018 admin-sql-threaded.sp + -rw------- 1 1000 1000 4822 Jul 12 2018 adminhelp.sp + drwx------ 2 1000 1000 4096 Sep 15 2019 adminmenu + -rw------- 1 1000 1000 7284 May 29 2019 adminmenu.sp + -rw------- 1 1000 1000 3637 Dec 17 2018 antiflood.sp + drwx------ 2 1000 1000 4096 Dec 17 2018 basebans + -rw------- 1 
1000 1000 9755 Dec 17 2018 basebans.sp + -rw------- 1 1000 1000 12112 May 6 2018 basechat.sp + drwx------ 2 1000 1000 4096 Oct 24 2020 basecomm + -rw------- 1 1000 1000 7206 Dec 17 2018 basecomm.sp + drwx------ 2 1000 1000 4096 Oct 7 2019 basecommands + -rw------- 1 1000 1000 11414 Feb 25 2020 basecommands.sp + -rw------- 1 1000 1000 12849 Jul 12 2018 basetriggers.sp + drwx------ 2 1000 1000 4096 Mar 3 2019 basevotes + -rw------- 1 1000 1000 12326 May 12 2019 basevotes.sp + -rw------- 1 1000 1000 4386 May 6 2018 clientprefs.sp + -rwx------ 1 1000 1000 452 May 6 2018 compile.sh + drwx------ 2 1000 1000 4096 May 6 2018 funcommands + -rw------- 1 1000 1000 10977 Oct 12 2018 funcommands.sp + drwx------ 2 1000 1000 4096 May 6 2018 funvotes + -rw------- 1 1000 1000 10707 May 12 2019 funvotes.sp + drwx------ 2 1000 1000 4096 Jun 25 15:36 include + -rw------- 1 1000 1000 34195 May 29 2019 mapchooser.sp + -rw------- 1 1000 1000 6878 May 6 2018 nextmap.sp + -rw------- 1 1000 1000 13402 Apr 30 2020 nominations.sp + drwx------ 2 1000 1000 4096 May 6 2018 playercommands + -rw------- 1 1000 1000 3351 May 6 2018 playercommands.sp + -rw------- 1 1000 1000 3484 May 6 2018 randomcycle.sp + -rw------- 1 1000 1000 8191 May 6 2018 reservedslots.sp + -rw------- 1 1000 1000 7322 Jul 12 2018 rockthevote.sp + -rw------- 1 1000 1000 3712 May 6 2018 sounds.sp + -rwx------ 1 1000 1000 333328 Jun 25 15:37 spcomp + -rwx------ 1 1000 1000 434152 Jun 25 15:38 spcomp64 + -rw------- 1 1000 1000 25196 Apr 6 2019 sql-admin-manager.sp + drwx------ 2 1000 1000 4096 May 6 2018 testsuite + + root@tf2local:~/tf2/tf/addons/sourcemod/scripting# cat maxhealth.sp + /** + * MaxHealth Changer by bl4nk + * + * Description: + * Change the max health of players at spawn. 
+ * + */ + + #pragma semicolon 1 + + #include <****sourcemod> + + // Global Definitions + #define PLUGIN_VERSION "1.0.0" + + new Handle:cvarAmount; + + public Plugin:myinfo = + { + name = "MaxHealth Changer", + author = "bl4nk", + description = "Change the max health of players at spawn", + version = PLUGIN_VERSION, + url = "http://forums.alliedmods.net" + }; + + public OnPluginStart() + { + CreateConVar("sm_maxhealthchanger_version", PLUGIN_VERSION, "MaxHealth Changer Version"); + cvarAmount = CreateConVar("sm_maxhealth", "200", "Amount of life to change health to upon spawn"); + + HookEvent("player_spawn", event_PlayerSpawn); + } + + public event_PlayerSpawn(Handle:event, const String:name[], bool:dontBroadcast) + { + new client = GetClientOfUserId(GetEventInt(event,"userid")); + CreateTimer(0.1, timer_PlayerSpawn, client); + } + + public Action:timer_PlayerSpawn(Handle:timer, any:client) + { + new MaxHealth = GetConVarInt(cvarAmount); + SetEntData(client, FindDataMapInfo(client, "m_iMaxHealth"), MaxHealth, 4, true); + SetEntData(client, FindDataMapInfo(client, "m_iHealth"), MaxHealth, 4, true); + } + +Now before we move on we need to compile that .sp file: + + + root@tf2local:~/tf2/tf/addons/sourcemod/scripting# ./compile.sh maxhealth.sp + + Compiling maxhealth.sp... + SourcePawn Compiler 1.10.0.6509 + Copyright (c) 1997-2006 ITB CompuPhase + Copyright (c) 2004-2018 AlliedModders LLC + + Code size: 3668 bytes + Data size: 2600 bytes + Stack/heap size: 16384 bytes + Total requirements: 22652 bytes + + root@tf2local:~/tf2/tf/addons/sourcemod/scripting# ls -lash compiled/ + total 16K + 4.0K drwxr-xr-x 2 root root 4.0K Jul 3 18:17 . + 4.0K drwx------ 14 1000 1000 4.0K Jul 3 18:30 .. 
+ 8.0K -rw-r--r-- 1 root root 4.3K Jul 3 18:26 maxhealth.smx + + root@tf2local:~/tf2/tf/addons/sourcemod/scripting# cp compiled/maxhealth.smx ../plugins/maxhealth.smx + + + +Now that we moved the compiled plugin into the plugins directory, we restart the server to reload the configs: + + + root@tf2local:~/tf2/tf/addons/sourcemod/scripting# cd .. + root@tf2local:~/tf2/tf/addons/sourcemod# systemctl restart tf2server + + + +We restart the server to reload the configs, and we can verify it is working by executing the **sm_maxhealth x** command, if you use it ingame you need to use **rcon sm_maxhealth x** : + +![](6.png) ![](7.png) + +likewise, we can also just put it in the **server.cfg** file or just pass it as arguements when we run the **srcds_run** binary. + + + root@tf2local:~/tf2/tf/cfg# vim server.cfg + root@tf2local:~/tf2/tf/cfg# cat server.cfg + hostname "void.yt" + sv_password "" + sv_lan 1 + sv_cheats 1 + + rcon_password "void.yt" + mp_enableroundwaittime 0 + sv_rcon_banpenalty 15 + sv_rcon_minfailures 15 + sv_rcon_maxfailures 15 + log off + sv_logfile 0 + sv_logecho 0 + sv_logbans 0 + sm_maxhealth 100000 + tf_bot_force_class soldier + + sv_pure -1 + sv_pure_kick_clients 0 + sv_alltalk 1 + mp_allowspectators 0 + mp_autoteambalance 0 + mp_teams_unbalance_limit 30 + mp_disable_respawn_times 1 + tf_bot_force_class soldier + + mp_forcecamera 0 + sv_allow_wait_command 0 + sv_cheats 0 + sv_pausable 0 + mp_stalemate_enable 0 + mp_stalemate_timelimit 240 + mp_winlimit 0 + mp_timelimit 0 + tf_weapon_criticals 0 + tf_use_fixed_weaponspreads 0 + + sv_maxrate 50000 + sv_minrate 7500 + sv_maxupdaterate 66 + sv_minupdaterate 20 + sv_maxcmdrate 66 + sv_mincmdrate 0 + sv_allow_point_servercommand always + tf_bot_add 1 soldier red expert + + + root@tf2local:~/tf2/tf/cfg# systemctl restart tf2server + + + +And that's how i setup my own personal TF2 training server! 
+ +## **Docker Setup** + +With further testing, i realised that setting up tf2 servers is dependant on old 32 bit librairies, and you can face any number of problems (most notably the segmentation fault core dumped crashes that will never tell you the source of the issue, even with the -debug flag). So instead let's set it up using docker: + + + + root@docker0:/home# mkdir -p /home/tf2/server/tf/maps/ + root@docker0:/home# tree . + . + ├── nothing + └── tf2 + └── server + └── tf + └── maps + └── altar.bsp + + root@docker0:~# cd ~ ; + + root@docker0:~# docker pull cm2network/tf2:latest + root@docker0:~# docker pull cm2network/tf2:sourcemod + + root@docker0:~# mkdir tf2 + root@docker0:~/tf2# vim docker-compose.yml + root@docker0:~/tf2# cat docker-compose.yml + + version: "3" + services: + tf2: + image: cm2network/tf2:sourcemod + container_name: tf2 + environment: + - SRCDS_RCONPW=void.yt + - SRCDS_PW=void.yt + - SRCDS_PORT=27015 + - SRCDS_TV_PORT=27020 + #- SRCDS_NET_PUBLIC_ADDRESS="0" + - SRCDS_IP="0" + - SRCDS_FPSMAX=300 + - SRCDS_TICKRATE=66 + - SRCDS_MAXPLAYERS=14 + - SRCDS_HOSTNAME=void.yt + - SRCDS_TOKEN="void.yt" + - SRCDS_STARTMAP="altar" + volumes: + - ./data:/home/steam/tf-dedicated/ + - ./logs:/home/steam/Steam/logs + ports: + - 27015:27015 + - 27020:27020 + network_mode: host + + + root@docker0:~/tf2# mkdir data + root@docker0:~/tf2# mkdir logs + root@docker0:~/tf2# chmod 777 data/ + root@docker0:~/tf2# chmod 777 logs/ + + + root@docker0:~/tf2# docker-compose up + #let it finish then CTRL+C + #move altar.bsp in ~/tf2/data/tf/maps + + root@docker0:~/tf2/data/tf/maps# ls -lash altar.bsp + 172K -rw-r--r-- 1 root root 169K Oct 30 16:12 altar.bsp + + #append the sourcemodded commands you want to server.cfg : + + root@docker0:~# tail -n13 tf2/data/tf/cfg/server.cfg + + sm_maxhealth 100000 + tf_bot_add 1 soldier expert + tf_bot_force_class soldier + mp_allowspectators 0 + mp_autoteambalance 0 + mp_teams_unbalance_limit 30 + mp_disable_respawn_times 1 + 
tf_bot_force_class soldier + sv_allow_point_servercommand always + + + +Then compile the maxhealth mod in the container: + + + root@docker0:~# docker exec -it tf2 bash + steam@docker0:~/tf-dedicated/tf/addons/sourcemod/scripting$ nano maxhealth.sp + steam@docker0:~/tf-dedicated/tf/addons/sourcemod/scripting$ cat maxhealth.sp + /** + * MaxHealth Changer by bl4nk + * + * Description: + * Change the max health of players at spawn. + * + */ + + #pragma semicolon 1 + + #include + + // Global Definitions + #define PLUGIN_VERSION "1.0.0" + + new Handle:cvarAmount; + + public Plugin:myinfo = + { + name = "MaxHealth Changer", + author = "bl4nk", + description = "Change the max health of players at spawn", + version = PLUGIN_VERSION, + url = "http://forums.alliedmods.net" + }; + + public OnPluginStart() + { + CreateConVar("sm_maxhealthchanger_version", PLUGIN_VERSION, "MaxHealth Changer Version"); + cvarAmount = CreateConVar("sm_maxhealth", "200", "Amount of life to change health to upon spawn"); + + HookEvent("player_spawn", event_PlayerSpawn); + } + + public event_PlayerSpawn(Handle:event, const String:name[], bool:dontBroadcast) + { + new client = GetClientOfUserId(GetEventInt(event,"userid")); + CreateTimer(0.1, timer_PlayerSpawn, client); + } + + public Action:timer_PlayerSpawn(Handle:timer, any:client) + { + new MaxHealth = GetConVarInt(cvarAmount); + SetEntData(client, FindDataMapInfo(client, "m_iMaxHealth"), MaxHealth, 4, true); + SetEntData(client, FindDataMapInfo(client, "m_iHealth"), MaxHealth, 4, true); + } + + steam@docker0:~/tf-dedicated/tf/addons/sourcemod/scripting$ ./compile.sh maxhealth.sp + + Compiling maxhealth.sp... 
+ SourcePawn Compiler 1.10.0.6522 + Copyright (c) 1997-2006 ITB CompuPhase + Copyright (c) 2004-2018 AlliedModders LLC + + Code size: 3668 bytes + Data size: 2600 bytes + Stack/heap size: 16384 bytes + Total requirements: 22652 bytes + + steam@docker0:~/tf-dedicated/tf/addons/sourcemod/scripting$ cp compiled/maxhealth.smx ../plugins/maxhealth.smx + + steam@docker0:~/tf-dedicated/tf/addons/sourcemod/configs# vim admins_simple.ini + "STEAM_0:0:576829438" "99:z" + + + + +Then restart the container: + + + CTRL+C + root@docker0:~/tf2# docker-compose up + + + [ 10.66.66.2/32 ] [ /dev/pts/19 ] [~] + → cat tf2.sh + #!/bin/sh + + /usr/bin/steam -silent -no-browser -offline -applaunch 440 -windowed -w 3840 -h 2160 +connect 192.168.0.200 -noborder -console -novid +viewmodel_fov 130 >/dev/null 2>/dev/null & + echo 'rcon_password void.yt ; rcon sv_cheats 1; rcon tf_bot_add 2 soldier red expert; rcon buddha' + + + + + root@tf2:~# apt update -y ; apt upgrade -y ; apt install sudo -y + root@tf2:~# adduser gameserver + Adding user `gameserver' ... + Adding new group `gameserver' (1000) ... + Adding new user `gameserver' (1000) with group `gameserver' ... + Creating home directory `/home/gameserver' ... + Copying files from `/etc/skel' ... + New password: + Retype new password: + passwd: password updated successfully + Changing the user information for gameserver + Enter the new value, or press ENTER for the default + Full Name []: + Room Number []: + Work Phone []: + Home Phone []: + Other []: + Is the information correct? [Y/n] y + root@tf2:~# usermod -aG sudo gameserver + root@tf2:~# su - gameuser + su: user gameuser does not exist + root@tf2:~# su - gameserver + gameserver@tf2:~$ pwd + /home/gameserver + gameserver@tf2:~$ ls -l + total 0 + gameserver@tf2:~$ ls -lash + total 20K + 4.0K drwxr-xr-x 2 gameserver gameserver 4.0K Dec 12 13:27 . + 4.0K drwxr-xr-x 3 root root 4.0K Dec 12 13:27 .. 
+ 4.0K -rw-r--r-- 1 gameserver gameserver 220 Dec 12 13:27 .bash_logout + 4.0K -rw-r--r-- 1 gameserver gameserver 3.5K Dec 12 13:27 .bashrc + 4.0K -rw-r--r-- 1 gameserver gameserver 807 Dec 12 13:27 .profile + gameserver@tf2:~$ mkdir hlserver + gameserver@tf2:~$ cd hlserver/ + gameserver@tf2:~/hlserver$ wget https://steamcdn-a.akamaihd.net/client/installer/steamcmd_linux.tar.gz + --2021-12-12 13:27:48-- https://steamcdn-a.akamaihd.net/client/installer/steamcmd_linux.tar.gz + Resolving steamcdn-a.akamaihd.net (steamcdn-a.akamaihd.net)... 92.123.225.26, 92.123.225.73 + Connecting to steamcdn-a.akamaihd.net (steamcdn-a.akamaihd.net)|92.123.225.26|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 2428561 (2.3M) [application/octet-stream] + Saving to: 'steamcmd_linux.tar.gz' + + steamcmd_linux.tar.gz 100%[=====================================================================================================================>] 2.32M 4.49MB/s in 0.5s + + 2021-12-12 13:27:49 (4.49 MB/s) - 'steamcmd_linux.tar.gz' saved [2428561/2428561] + + gameserver@tf2:~/hlserver$ tar zxf steamcmd_linux.tar.gz + gameserver@tf2:~/hlserver$ ./steamcmd.sh +login anonymous +force_install_dir ./tf2 +app_update 232250 +quit + ./steamcmd.sh: line 37: /home/gameserver/hlserver/linux32/steamcmd: No such file or directory + + gameserver@tf2:~$ sudo dpkg --add-architecture i386 + gameserver@tf2:~$ sudo apt-get update + Hit:1 http://security.debian.org buster/updates InRelease + Hit:2 http://ftp.debian.org/debian buster InRelease + Hit:3 http://ftp.debian.org/debian buster-updates InRelease + Get:4 http://security.debian.org buster/updates/main i386 Packages [311 kB] + Get:5 http://ftp.debian.org/debian buster/main i386 Packages [7863 kB] + Get:6 http://ftp.debian.org/debian buster/contrib i386 Packages [46.0 kB] + Get:7 http://ftp.debian.org/debian buster-updates/main i386 Packages [15.2 kB] + Fetched 8236 kB in 5s (1803 kB/s) + Reading package lists... 
Done + gameserver@tf2:~$ sudo apt-get install lib32z1 libncurses5:i386 libbz2-1.0:i386 lib32gcc1 lib32stdc++6 libtinfo5:i386 libcurl3-gnutls:i386 -y + gameserver@tf2:~/hlserver$ ./steamcmd.sh +login anonymous +force_install_dir ./tf2 +app_update 232250 +quit + Redirecting stderr to '/home/gameserver/Steam/logs/stderr.txt' + ILocalize::AddFile() failed to load file "public/steambootstrapper_english.txt". + [ 0%] Checking for available update... + [----] Downloading update (0 of 53822 KB)... + [ 0%] Downloading update (1235 of 53822 KB)... + [ 2%] Downloading update (2823 of 53822 KB)... + [ 5%] Downloading update (4637 of 53822 KB)... + [ 8%] Downloading update (6584 of 53822 KB)... + [ 12%] Downloading update (8194 of 53822 KB)... + [ 15%] Downloading update (9681 of 53822 KB)... + [ 17%] Downloading update (11333 of 53822 KB)... + [ 21%] Downloading update (12822 of 53822 KB)... + + gameserver@tf2:~/hlserver$ cd tf2/ + gameserver@tf2:~/hlserver/tf2$ cd tf/maps + gameserver@tf2:~/hlserver/tf2/tf/maps$ wget https://cloud.void.yt/s/wGeqMTLzyyGBfiD/download/altar.bsp + + gameserver@tf2:~/hlserver$ cd tf2 + gameserver@tf2:~/hlserver/tf2$ ls -lash + total 104K + 4.0K drwxr-xr-x 7 gameserver gameserver 4.0K Dec 12 13:59 . + 4.0K drwxr-xr-x 8 gameserver gameserver 4.0K Dec 12 13:59 .. 
+ 4.0K drwxr-xr-x 2 gameserver gameserver 4.0K Dec 12 13:53 bin + 4.0K drwxr-xr-x 4 gameserver gameserver 4.0K Dec 12 13:53 hl2 + 4.0K drwxr-xr-x 6 gameserver gameserver 4.0K Dec 12 13:53 platform + 12K -rwxr-xr-x 1 gameserver gameserver 12K Dec 12 13:48 srcds_linux + 12K -rwxr-xr-x 1 gameserver gameserver 9.6K Dec 12 13:48 srcds_run + 4.0K drwxr-xr-x 5 gameserver gameserver 4.0K Dec 12 13:53 steamapps + 4.0K drwxr-xr-x 12 gameserver gameserver 4.0K Dec 12 13:53 tf + 4.0K -rwxr-xr-x 1 gameserver gameserver 77 Dec 12 13:56 tf2.sh + 48K -rwxr-xr-x 1 gameserver gameserver 47K Dec 12 13:48 thirdpartylegalnotices.txt + gameserver@tf2:~/hlserver/tf2$ cat tf2.sh + #!/bin/sh + ./srcds_run -console -game tf +sv_pure 1 +map altar +maxplayers 24 + + gameserver@tf2:~/hlserver/tf2$ sudo apt install mlocate -y + + gameserver@tf2:~/hlserver/tf2$ sudo updatedb + + gameserver@tf2:~/hlserver/tf2$ locate steamclient.so + /home/gameserver/hlserver/linux32/steamclient.so + /home/gameserver/hlserver/linux64/steamclient.so + /home/gameserver/hlserver/tf2/bin/steamclient.so + + gameserver@tf2:~/hlserver$ mkdir -p /home/gameserver/.steam/sdk32/ + gameserver@tf2:~/hlserver$ ln -s /home/gameserver/hlserver/linux32/steamclient.so /home/gameserver/.steam/sdk32/ + + gameserver@tf2:~/hlserver/tf2$ sudo vim /etc/systemd/system/tf2server.service + gameserver@tf2:~/hlserver/tf2$ cat /etc/systemd/system/tf2server.service + [Unit] + Description=TF2 Server + After=network.target + After=systemd-user-sessions.service + After=network-online.target + + [Service] + Type=simple + User=gameserver + ExecStart=/home/gameserver/hlserver/tf2/srcds_run -game tf +map altar +sv_pure 1 +maxplayers 24 -console + ExecStop=/home/gameserver/hlserver/tf2/killserver.sh + KillMode=process + + [Install] + WantedBy=multi-user.target + + gameserver@tf2:~/hlserver/tf2$ vim killserver.sh + gameserver@tf2:~/hlserver/tf2$ cat killserver.sh + #!/bin/bash + kill -9 $(pidof srcds_linux) + + gameserver@tf2:~/hlserver/tf2$ chmod +x 
killserver.sh + + gameserver@tf2:~/hlserver/tf2$ sudo systemctl daemon-reload + gameserver@tf2:~/hlserver/tf2$ sudo systemctl start tf2server + + gameserver@tf2:~/hlserver/tf2$ cd tf + gameserver@tf2:~/hlserver/tf2/tf$ cd cfg + + gameserver@tf2:~/hlserver/tf2/tf/cfg$ vim server.cfg + gameserver@tf2:~/hlserver/tf2/tf/cfg$ cat server.cfg + + hostname "void.yt" + sv_password "" + sv_lan 1 + sv_cheats 1 + + rcon_password "void.yt" + sm_maxhealth 100000 + + mp_allowspectators 0 + mp_autoteambalance 0 + mp_teams_unbalance_limit 30 + mp_disable_respawn_times 1 + + mp_timelimit 0 + mp_stalemate_enable 0 + + + + + gameserver@tf2:~/hlserver/tf2/tf$ wget https://mms.alliedmods.net/mmsdrop/1.11/mmsource-1.11.0-git1145-linux.tar.gz + --2021-12-12 15:00:16-- https://mms.alliedmods.net/mmsdrop/1.11/mmsource-1.11.0-git1145-linux.tar.gz + Resolving mms.alliedmods.net (mms.alliedmods.net)... 104.26.9.106, 172.67.73.151, 104.26.8.106, ... + Connecting to mms.alliedmods.net (mms.alliedmods.net)|104.26.9.106|:443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1859188 (1.8M) [application/x-gzip] + Saving to: 'mmsource-1.11.0-git1145-linux.tar.gz' + + mmsource-1.11.0-git1145-linux.tar.gz 100%[=====================================================================================================================>] 1.77M 4.40MB/s in 0.4s + + 2021-12-12 15:00:16 (4.40 MB/s) - 'mmsource-1.11.0-git1145-linux.tar.gz' saved [1859188/1859188] + + gameserver@tf2:~/hlserver/tf2/tf$ wget https://sm.alliedmods.net/smdrop/1.10/sourcemod-1.10.0-git6528-linux.tar.gz + --2021-12-12 15:00:25-- https://sm.alliedmods.net/smdrop/1.10/sourcemod-1.10.0-git6528-linux.tar.gz + Resolving sm.alliedmods.net (sm.alliedmods.net)... 104.26.9.106, 172.67.73.151, 104.26.8.106, ... + Connecting to sm.alliedmods.net (sm.alliedmods.net)|104.26.9.106|:443... connected. + HTTP request sent, awaiting response... 
200 OK + Length: 17500442 (17M) [application/x-gzip] + Saving to: 'sourcemod-1.10.0-git6528-linux.tar.gz' + + sourcemod-1.10.0-git6528-linux.tar.gz 100%[=====================================================================================================================>] 16.69M 5.35MB/s in 3.1s + + 2021-12-12 15:00:28 (5.35 MB/s) - 'sourcemod-1.10.0-git6528-linux.tar.gz' saved [17500442/17500442] + gameserver@tf2:~/hlserver/tf2/tf$ tar -xzf mmsource-1.11.0-git1144-linux.tar.gz + gameserver@tf2:~/hlserver/tf2/tf$ tar -xzf sourcemod-1.10.0-git6509-linux.tar.gz + + gameserver@tf2:~/hlserver/tf2/tf$ cd addons/sourcemod/configs/ + gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/configs$ vim admins_simple.ini + gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/configs$ cat admins_simple.ini + "STEAM_0:0:29598280" "99:z" + + + gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/scripting$ vim maxhealth.sp + gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/scripting$ cat maxhealth.sp + /** + * MaxHealth Changer by bl4nk + * + * Description: + * Change the max health of players at spawn. 
+ * + */ + + #pragma semicolon 1 + + #include <****sourcemod> + + // Global Definitions + #define PLUGIN_VERSION "1.0.0" + + new Handle:cvarAmount; + + public Plugin:myinfo = + { + name = "MaxHealth Changer", + author = "bl4nk", + description = "Change the max health of players at spawn", + version = PLUGIN_VERSION, + url = "http://forums.alliedmods.net" + }; + + public OnPluginStart() + { + CreateConVar("sm_maxhealthchanger_version", PLUGIN_VERSION, "MaxHealth Changer Version"); + cvarAmount = CreateConVar("sm_maxhealth", "200", "Amount of life to change health to upon spawn"); + + HookEvent("player_spawn", event_PlayerSpawn); + } + + public event_PlayerSpawn(Handle:event, const String:name[], bool:dontBroadcast) + { + new client = GetClientOfUserId(GetEventInt(event,"userid")); + CreateTimer(0.1, timer_PlayerSpawn, client); + } + + public Action:timer_PlayerSpawn(Handle:timer, any:client) + { + new MaxHealth = GetConVarInt(cvarAmount); + SetEntData(client, FindDataMapInfo(client, "m_iMaxHealth"), MaxHealth, 4, true); + SetEntData(client, FindDataMapInfo(client, "m_iHealth"), MaxHealth, 4, true); + } + + gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/scripting$ ./compile.sh maxhealth.sp + + Compiling maxhealth.sp... 
+ SourcePawn Compiler 1.10.0.6509
+ Copyright (c) 1997-2006 ITB CompuPhase
+ Copyright (c) 2004-2018 AlliedModders LLC
+
+ Code size: 3668 bytes
+ Data size: 2600 bytes
+ Stack/heap size: 16384 bytes
+ Total requirements: 22652 bytes
+
+
+ gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/scripting$ cp compiled/maxhealth.smx ../plugins/maxhealth.smx
+ gameserver@tf2:~/hlserver/tf2/tf/addons/sourcemod/scripting$ sudo systemctl restart tf2server
+
+script to run daily to ensure the tf2 server is always up to date
+
+
+ gameserver@tf2:~/hlserver$ ./steamcmd.sh +login anonymous +app_update 232250 validate
+ gameserver@tf2:~/hlserver$ exit
+ logout
+ root@tf2:~# crontab -e
+ 0 3 * * * /home/gameserver/hlserver/steamcmd.sh +login anonymous +app_update 232250 validate
+ 0 4 * * * systemctl restart tf2server
+
+
+
diff --git a/thelounge/0.png b/thelounge/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/thelounge/0.png differ
diff --git a/thelounge/1.png b/thelounge/1.png
new file mode 100644
index 0000000..3d621d6
Binary files /dev/null and b/thelounge/1.png differ
diff --git a/thelounge/2.png b/thelounge/2.png
new file mode 100644
index 0000000..0ebe2cb
Binary files /dev/null and b/thelounge/2.png differ
diff --git a/thelounge/3.png b/thelounge/3.png
new file mode 100644
index 0000000..3754ecf
Binary files /dev/null and b/thelounge/3.png differ
diff --git a/thelounge/4.png b/thelounge/4.png
new file mode 100644
index 0000000..86882b4
Binary files /dev/null and b/thelounge/4.png differ
diff --git a/thelounge/5.png b/thelounge/5.png
new file mode 100644
index 0000000..101f6c7
Binary files /dev/null and b/thelounge/5.png differ
diff --git a/thelounge/index.md b/thelounge/index.md
new file mode 100644
index 0000000..7e5b2a5
--- /dev/null
+++ b/thelounge/index.md
@@ -0,0 +1,83 @@ +# TheLounge + +Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **1** + +First of all, just create the irc server locally by doing the following: + + + apt update -y && apt upgrade -y + apt install inspircd -y + wget https://blog.nowhere.moe/servers/thelounge/inspircd.conf -O /etc/inspircd/inspircd.conf + nano /etc/inspircd/inspircd.conf + systemctl restart inspircd + systemctl status inspircd + + + + + wget https://github.com/thelounge/thelounge/releases/download/v4.2.0/thelounge_4.2.0_all.deb + dpkg -i thelounge_4.2.0_all.deb + apt -f install + dpkg -i thelounge_4.2.0_all.deb + systemctl status thelounge + thelounge --help + + +Once installed, add an username: + + + thelounge add admin + + + +Then just goto the login page on port 9000 and login: + +![](1.png) ![](2.png) + +And there you have it! + +![](3.png) + +From here make thelounge public: + + + nano /etc/thelounge/config.js + + + +![](4.png) + +Since i'm serving thelounge behind a reverse proxy, i need that value down there as well as making it public. Then just use nginx elsewhere to handle the reverse proxying properly and you're good to go. Another important part of the [config.js](config.js)file: + +![](5.png) + + + systemctl restart thelounge + + + diff --git a/tor_ssh_tunnel_port_forwarding/index.md b/tor_ssh_tunnel_port_forwarding/index.md new file mode 100644 index 0000000..5372f2d --- /dev/null +++ b/tor_ssh_tunnel_port_forwarding/index.md 
@@ -0,0 +1,478 @@ +# tor_ssh_tunnel_port_forwarding Setup + +![](0.png) + +## **Initial Setup** + +First, setup the /etc/ssh/sshd_config to allow port forwarding: + + + root@torVPS:~# vim /etc/ssh/sshd_config + + root@torVPS:~# cat /etc/ssh/sshd_config | grep Gateway + GatewayPorts yes + + root@torVPS:~# systemctl restart sshd + + + +Then run the SSH tunnel command to go through tor via a local TOR bridge node: + + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → apt install tor obfs4proxy -y + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim /etc/tor/torrc + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat /etc/tor/torrc + + UseBridges 1 + ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy + Bridge obfs4 10.0.0.195:8042 2E73653A148DFFF3CA28D53F0C366936FE554335 cert=znEl9kidNa4TgqiasENSDvxLPDVMOvdIPcVhqwMR27iVUoMn+MtjoxmcpikFpsYAbtSpMw iat-mode=0 + DataDirectory /var/lib/tor + TransPort 9040 + SocksPort 9050 + DNSPort 53 + User debian-tor + + [ 10.0.0.101/16 ] [ /dev/pts/3 ] [~] + → vim /etc/tor/torsocks.conf + + [ 10.0.0.101/16 ] [ /dev/pts/3 ] [~] + → cat /etc/tor/torsocks.conf | grep AllowOutboundLocalhost + AllowOutboundLocalhost 1 + + [ 10.0.0.101/16 ] [ /dev/pts/3 ] [~] + → systemctl restart tor + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → torify ssh -fN -R 0.0.0.0:443:127.0.0.1:443 torVPS + + root@torVPS:~# nmap 127.0.0.1 -p 443 + Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-14 17:41 CEST + Nmap scan report for localhost (127.0.0.1) + Host is up (0.000068s latency). + + PORT STATE SERVICE + 443/tcp open https + + root@torVPS:~# nmap $(curl ifconfig.me) -p 443 + Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-14 17:41 CEST + Nmap scan report for ip.88.217.167.104.hivedatacenter.com (104.167.217.88) + Host is up (0.000038s latency). + + PORT STATE SERVICE + 443/tcp open https + + +And the 443 port has been port forwarded to both localhost and the destination public IP ! 
Now let's make sure it auto restarts: + + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → apt install autossh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → torify autossh -fN -R 0.0.0.0:443:127.0.0.1:443 torVPS + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → torify autossh -fN -R 0.0.0.0:80:127.0.0.1:80 torVPS + + +Then we make sure it starts at boot: + + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → which torify autossh + /usr/bin/torify + /usr/bin/autossh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim sshtunnels.sh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat sshtunnels.sh + + #!/bin/bash + while true; do + if [ $(pidof autossh ssh | wc -l) -eq 0 ]; then + echo "[+] STARTING SSH TUNNELS ..." + kill -9 $(pidof autossh ssh) 2>/dev/null + + /usr/bin/torify /usr/bin/autossh -fN -R 0.0.0.0:80:127.0.0.1:80 torVPS + /usr/bin/torify /usr/bin/autossh -fN -R 0.0.0.0:443:127.0.0.1:443 torVPS + else + echo "[+] SSH TUNNELS ACTIVE..." + pidof ssh autossh + fi + sleep 3 + done + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → pwd + /root + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → chmod +x sshtunnels.sh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat sshtunnels.sh + #!/bin/bash + + /usr/bin/torify /usr/bin/autossh -fN -R 0.0.0.0:80:127.0.0.1:80 torVPS + /usr/bin/torify /usr/bin/autossh -fN -R 0.0.0.0:443:127.0.0.1:443 torVPS + + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim /etc/systemd/system/sshtunnel.service + + [ 10.8.0.3/24 ] [ /dev/pts/0 ] [~] + → cat /etc/systemd/system/sshtunnel.service + [Unit] + Description=SSH Tunnels + After=network-online.target + Wants=network-online.target + + [Service] + Type=Simple + ExecStart=/root/sshtunnels.sh + ExecStop=kill -9 $(pidof autossh ssh) + + [Install] + WantedBy=multi-user.target + + + +Then we test it: + + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → kill -9 $(pidof autossh) + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → systemctl daemon-reload + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → systemctl start sshtunnel + + [ 10.0.0.101/16 ] [ 
/dev/pts/2 ] [~] + → systemctl status sshtunnel + ● sshtunnel.service - SSH Tunnels + Loaded: loaded (/etc/systemd/system/sshtunnel.service; disabled; vendor preset: enabled) + Active: inactive (dead) + + May 14 18:06:05 home systemd[1]: Started SSH Tunnels. + May 14 18:06:06 home autossh[31304]: starting ssh (count 1) + May 14 18:06:06 home autossh[31304]: ssh child pid is 31306 + May 14 18:06:06 home systemd[1]: sshtunnel.service: Succeeded. + May 14 18:06:06 home autossh[31304]: received signal to exit (15) + + + +It ran successfully, now we test if the ports are properly forwarded: + + + root@torVPS:~# nmap 127.0.0.1 -p 80,443 + Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-14 18:08 CEST + Nmap scan report for localhost (127.0.0.1) + Host is up (0.000068s latency). + + PORT STATE SERVICE + 80/tcp open http + 443/tcp open https + + Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds + + root@torVPS:~# nmap $(curl ifconfig.me 2>/dev/null) -p 80,443 + Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-14 18:08 CEST + Nmap scan report for ip.88.217.167.104.hivedatacenter.com (104.167.217.88) + Host is up (0.000050s latency). + + PORT STATE SERVICE + 80/tcp open http + 443/tcp open https + + Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds + + + +And it is! 
now if we want the web server to also VPN to the torVPS machine, we can do that too, following the [Openvpn Over TOR setup](../ovpn_tor/index.md): + + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat home.ovpn + client + proto tcp-client + remote x.x.x.x 1194 + dev tun + resolv-retry infinite + nobind + persist-key + persist-tun + remote-cert-tls server + verify-x509-name server_0OoqAjLKoDz7Zu2d name + auth SHA256 + auth-nocache + cipher AES-128-GCM + tls-client + tls-version-min 1.2 + tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 + ignore-unknown-option block-outside-dns + setenv opt block-outside-dns # Prevent Windows 10 DNS leak + verb 3 + + ### TOR SETTINGS ### + socks-proxy 127.0.0.1 9050 + socks-proxy-retry + up-delay + route 10.0.0.195 255.255.255.255 net_gateway + ################### + + [...] + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim /etc/systemd/system/vpn.service + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat /etc/systemd/system/vpn.service + [Unit] + Description=VPN + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/usr/sbin/openvpn /root/home.ovpn + ExecStop=kill -9 $(pidof openvpn) + Restart=always + + [Install] + WantedBy=multi-user.target + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim /etc/systemd/system/torwatch.service + You have new mail. + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat /etc/systemd/system/torwatch.service + [Unit] + Description=torwatcher + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/monitor_tor.sh + ExecStop=kill -9 $(pidof /root/monitor_tor.sh) + Restart=always + + [Install] + WantedBy=multi-user.target + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim monitor_tor.sh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat monitor_tor.sh + #!/bin/bash + + counter=0 + while true; do + echo TESTING + timeout 10 ping -c1 10.8.0.1 &>/dev/null + if [ $? 
-eq 0 ]; then + echo OK; + sleep 3 + else + if [ $counter -gt 0 ]; + then + echo 'RESTARTING TOR...' + systemctl restart tor + counter=0 + sleep 10 + else + counter=$((counter+1)) + echo "FAIL ( $counter / 2)"; + sleep 3 + fi + fi + done + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim /etc/systemd/system/tortables.service + You have new mail. + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat /etc/systemd/system/tortables.service + [Unit] + Description=Tor IP Tables + After=network-online.target + Wants=network-online.target + + [Service] + Type=simple + ExecStart=/root/iptables_vpn_tor.sh + + [Install] + WantedBy=multi-user.target + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → vim iptables_vpn_tor.sh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → cat iptables_vpn_tor.sh + #!/bin/bash + + #default private networks + sudo iptables -F + + sudo iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT + + sudo iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT + + #ip range of tor VPN: + + sudo iptables -A OUTPUT -o tun0 -j ACCEPT + sudo iptables -A INPUT -i tun0 -j ACCEPT + + sudo iptables -A INPUT -j DROP + sudo iptables -A OUTPUT -j DROP + + #sudo iptables -A INPUT -j DROP + #sudo iptables -A OUTPUT -j DROP + You have new mail. 
+ + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → chmod +x iptables_vpn_tor.sh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → chmod +x monitor_tor.sh + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → systemctl restart torwatch tortables tor vpn + + [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~] + → systemctl enable --now torwatch tortables tor vpn sshtunnel + Synchronizing state of tor.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install enable tor + Created symlink /etc/systemd/system/multi-user.target.wants/torwatch.service → /etc/systemd/system/torwatch.service. + Created symlink /etc/systemd/system/multi-user.target.wants/tortables.service → /etc/systemd/system/tortables.service. + Created symlink /etc/systemd/system/multi-user.target.wants/vpn.service → /etc/systemd/system/vpn.service. + + [ 10.8.0.3/24 ] [ /dev/pts/0 ] [~] + → systemctl status sshtunnel vpn tor torwatch tortables + ● sshtunnel.service - SSH Tunnels + Loaded: loaded (/etc/systemd/system/sshtunnel.service; enabled; vendor preset: enabled) + Active: active (running) since Sat 2022-05-14 19:14:31 CEST; 1min 16s ago + Main PID: 394 (sshtunnels.sh) + Tasks: 6 (limit: 4700) + Memory: 8.1M + CGroup: /system.slice/sshtunnel.service + ├─ 394 /bin/bash /root/sshtunnels.sh + ├─1290 /usr/lib/autossh/autossh -N -R 0.0.0.0:80:127.0.0.1:80 torVPS + ├─1292 /usr/bin/ssh -L 39557:127.0.0.1:39557 -R 39557:127.0.0.1:39558 -N -R 0.0.0.0:80:127.0.0.1:80 torVPS + ├─1306 /usr/lib/autossh/autossh -N -R 0.0.0.0:443:127.0.0.1:443 torVPS + ├─1308 /usr/bin/ssh -L 39858:127.0.0.1:39858 -R 39858:127.0.0.1:39859 -N -R 0.0.0.0:443:127.0.0.1:443 torVPS + └─1793 sleep 3 + + May 14 19:15:35 home sshtunnels.sh[394]: [+] SSH TUNNELS ACTIVE... + May 14 19:15:35 home sshtunnels.sh[394]: 1308 1292 1306 1290 + May 14 19:15:38 home sshtunnels.sh[394]: [+] SSH TUNNELS ACTIVE... 
+ May 14 19:15:38 home sshtunnels.sh[394]: 1308 1292 1306 1290 + May 14 19:15:41 home sshtunnels.sh[394]: [+] SSH TUNNELS ACTIVE... + May 14 19:15:41 home sshtunnels.sh[394]: 1308 1292 1306 1290 + May 14 19:15:44 home sshtunnels.sh[394]: [+] SSH TUNNELS ACTIVE... + May 14 19:15:44 home sshtunnels.sh[394]: 1308 1292 1306 1290 + May 14 19:15:47 home sshtunnels.sh[394]: [+] SSH TUNNELS ACTIVE... + May 14 19:15:47 home sshtunnels.sh[394]: 1308 1292 1306 1290 + + ● vpn.service - VPN + Loaded: loaded (/etc/systemd/system/vpn.service; enabled; vendor preset: enabled) + Active: active (running) since Sat 2022-05-14 19:14:31 CEST; 1min 16s ago + Main PID: 397 (openvpn) + Tasks: 1 (limit: 4700) + Memory: 3.2M + CGroup: /system.slice/vpn.service + └─397 /usr/sbin/openvpn /root/home.ovpn + + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 ROUTE_GATEWAY 10.0.0.1/255.255.0.0 IFACE=ens18 HWADDR=96:b0:53:08:49:a6 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 TUN/TAP device tun0 opened + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 TUN/TAP TX queue length set to 100 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 /sbin/ip link set dev tun0 up mtu 1500 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 /sbin/ip addr add dev tun0 10.8.0.3/24 broadcast 10.8.0.255 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 /sbin/ip route add 127.0.0.1/32 via 10.0.0.1 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 /sbin/ip route add 10.0.0.195/32 dev ens18 + May 14 19:14:39 home openvpn[397]: Sat May 14 19:14:39 2022 Initialization Sequence Completed + + ● tor.service - Anonymizing overlay network for TCP (multi-instance-master) + Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor 
preset: enabled) + Active: active (running) since Sat 2022-05-14 19:14:31 CEST; 1min 16s ago + Main PID: 378 (tor) + Tasks: 13 (limit: 4700) + Memory: 74.1M + CGroup: /system.slice/tor.service + ├─378 /usr/sbin/tor -f /etc/tor/torrc + └─454 /usr/bin/obfs4proxy + + May 14 19:14:32 home tor[378]: May 14 19:14:32.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip. + May 14 19:14:33 home tor[378]: May 14 19:14:33.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6. + May 14 19:14:34 home tor[378]: May 14 19:14:34.000 [notice] Bootstrapped 0%: Starting + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] Starting with guard context "bridges" + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] new bridge descriptor 'voidyt' (cached): $2E73653A148DFFF3CA28D53F0C366936FE554335~voidyt at 10.0.0.195 + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] Delaying directory fetches: Pluggable transport proxies still configuring + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] Bootstrapped 10%: Finishing handshake with directory server + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] Bootstrapped 80%: Connecting to the Tor network + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] Bootstrapped 90%: Establishing a Tor circuit + May 14 19:14:36 home tor[378]: May 14 19:14:36.000 [notice] Bootstrapped 100%: Done + + ● torwatch.service - torwatcher + Loaded: loaded (/etc/systemd/system/torwatch.service; enabled; vendor preset: enabled) + Active: active (running) since Sat 2022-05-14 19:14:31 CEST; 1min 16s ago + Main PID: 398 (monitor_tor.sh) + Tasks: 2 (limit: 4700) + Memory: 2.7M + CGroup: /system.slice/torwatch.service + ├─ 398 /bin/bash /root/monitor_tor.sh + └─1772 sleep 3 + + May 14 19:15:34 home monitor_tor.sh[398]: TESTING + May 14 19:15:34 home monitor_tor.sh[398]: OK + May 14 19:15:37 home monitor_tor.sh[398]: TESTING + May 14 19:15:37 home monitor_tor.sh[398]: OK + May 14 19:15:40 home 
monitor_tor.sh[398]: TESTING + May 14 19:15:40 home monitor_tor.sh[398]: OK + May 14 19:15:43 home monitor_tor.sh[398]: TESTING + May 14 19:15:43 home monitor_tor.sh[398]: OK + May 14 19:15:46 home monitor_tor.sh[398]: TESTING + May 14 19:15:46 home monitor_tor.sh[398]: OK + + ● tortables.service - Tor IP Tables + Loaded: loaded (/etc/systemd/system/tortables.service; enabled; vendor preset: enabled) + Active: inactive (dead) since Sat 2022-05-14 19:14:35 CEST; 1min 12s ago + Process: 396 ExecStart=/root/iptables_vpn_tor.sh (code=exited, status=0/SUCCESS) + Main PID: 396 (code=exited, status=0/SUCCESS) + + May 14 19:14:35 home sudo[624]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -A INPUT -i tun0 -j ACCEPT + May 14 19:14:35 home sudo[624]: pam_unix(sudo:session): session opened for user root by (uid=0) + May 14 19:14:35 home sudo[624]: pam_unix(sudo:session): session closed for user root + May 14 19:14:35 home sudo[626]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -A INPUT -j DROP + May 14 19:14:35 home sudo[626]: pam_unix(sudo:session): session opened for user root by (uid=0) + May 14 19:14:35 home sudo[626]: pam_unix(sudo:session): session closed for user root + May 14 19:14:35 home sudo[628]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/iptables -A OUTPUT -j DROP + May 14 19:14:35 home sudo[628]: pam_unix(sudo:session): session opened for user root by (uid=0) + May 14 19:14:35 home sudo[628]: pam_unix(sudo:session): session closed for user root + May 14 19:14:35 home systemd[1]: tortables.service: Succeeded. + + + +And that's it! Now you have a local service, which automatically port forwards it's http and https services via SSH tunnels to a remote host, and it automatically connects there via a VPN Over TOR setup. + diff --git a/tordns/0.png b/tordns/0.png new file mode 100644 index 0000000..bfc7ede Binary files /dev/null and b/tordns/0.png differ 
diff --git a/tordns/index.md b/tordns/index.md new file mode 100644 index 0000000..011a877 --- /dev/null +++ b/tordns/index.md 
@@ -0,0 +1,58 @@ +# tordns Setup + +![](0.png) + +In this setup we're going to look at how to use tor as a DNS server. + +## **Initial Setup** + + + root@tordns2:~# apt update -y ; apt upgrade -y ; apt install tor nyx -y + root@tordns2:~# vim /etc/tor/torrc + root@tordns2:~# head -n1 /etc/tor/torrc + DNSPort 0.0.0.0:53 + root@tordns2:~# systemctl restart tor@default + root@tordns2:~# systemctl status tor@default + * tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; vendor preset: enabled) + Active: active (running) since Thu 2023-06-15 16:10:58 UTC; 3s ago + Process: 61416 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS) + Process: 61417 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS) + Main PID: 61419 (tor) + Tasks: 1 (limit: 115830) + Memory: 49.5M + CPU: 1.876s + CGroup: /system.slice/system-tor.slice/tor@default.service + `-61419 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + + Jun 15 16:10:59 tordns2 Tor[61419]: Opened Socks listener connection (ready) on /run/tor/socks + Jun 15 16:10:59 tordns2 Tor[61419]: Opening Control listener on /run/tor/control + Jun 15 16:10:59 tordns2 Tor[61419]: Opened Control listener connection (ready) on /run/tor/control + Jun 15 16:10:59 tordns2 Tor[61419]: Bootstrapped 10% (conn_done): Connected to a relay + Jun 15 16:10:59 tordns2 Tor[61419]: Bootstrapped 14% (handshake): Handshaking with a relay + Jun 15 16:10:59 tordns2 Tor[61419]: Bootstrapped 15% (handshake_done): Handshake with a relay done + Jun 15 16:10:59 tordns2 Tor[61419]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits + Jun 15 16:10:59 tordns2 Tor[61419]: Bootstrapped 90% (ap_handshake_done): Handshake 
finished with a relay to build circuits + Jun 15 16:10:59 tordns2 Tor[61419]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit + Jun 15 16:11:00 tordns2 Tor[61419]: Bootstrapped 100% (done): Done + + + +And then just test if the dns works: + + + root@tordns2:~# apt install bind-tools + root@tordns2:~# nslookup google.com 127.0.0.1 + Server: 127.0.0.1 + Address: 127.0.0.1#53 + + Non-authoritative answer: + Name: google.com + Address: 142.251.36.174 + Name: google.com + Address: 2a00:1450:4016:808::200e + + + +And it does! + diff --git a/torproxy/1.png b/torproxy/1.png new file mode 100644 index 0000000..0dde29e Binary files /dev/null and b/torproxy/1.png differ diff --git a/torproxy/2.png b/torproxy/2.png new file mode 100644 index 0000000..25e6250 Binary files /dev/null and b/torproxy/2.png differ diff --git a/torproxy/index.md b/torproxy/index.md new file mode 100644 index 0000000..e454934 --- /dev/null +++ b/torproxy/index.md 
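Review bot: `DNSPort 0.0.0.0:53` in the torrc binds Tor's resolver on every interface, and the hunk shows no firewall rule restricting who may reach it, so on a VPS this is an open resolver that any host on the internet can query and use to load or fingerprint the Tor client. Either bind it to the address the intended clients use, e.g. `DNSPort <lan-ip>:53` with `<lan-ip>` replaced by the internal interface address, or keep the wildcard bind and add a filter rule that drops port 53 traffic from outside the client subnet, and say so in the text before the restart step. Note also that Tor's `DNSPort` only answers A, AAAA and PTR lookups, so the passing `nslookup` test does not mean other record types will resolve; a one-line remark after the test would save readers that surprise.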
@@ -0,0 +1,635 @@ +# torproxy Setup + +![](0.png) + +## **Initial Setup** + +![]() + + + sudo pacman -S tor nyx iptables bleachbit + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] + → cat /etc/tor/torrc + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac] + → cat /etc/tor/torrc + ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy + DataDirectory /var/lib/tor + + BridgeRelay 1 + PublishServerDescriptor 0 + ORPort auto + + ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy + ServerTransportListenAddr obfs4 127.0.0.1:8042 + ExtOrPort auto + + VirtualAddrNetworkIPv4 10.192.0.0/10 + + AutomapHostsOnResolve 1 + + # Tor Browser SocksPort. + SocksPort 9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth + SocksPort 9151 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth + + TransPort 9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort + SocksPort 9050 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort + + + ControlPort 9051 + DNSPort 127.0.0.1:53 + User tor + + + #use hardware accaleration when possible for crypto + HardwareAccel 1 + # + ##socket safety hacks + TestSocks 1 + AllowNonRFC953Hostnames 0 + WarnPlaintextPorts 23,109,110,143,80 + # + ##dns safety hacks + ClientRejectInternalAddresses 0 + # + ##circuit hacks + NewCircuitPeriod 40 + MaxCircuitDirtiness 600 + MaxClientCircuitsPending 48 + UseEntryGuards 1 + EnforceDistinctSubnets 1 + #ExitNodes {jp} + + + +And then we make the following iptables script: + + + export BLUE='\033[1;94m' + export GREEN='\033[1;92m' + export RED='\033[1;91m' + export RESETCOLOR='\033[1;00m' + + + # If tor didn't start, we start it + # It is used for startup + if command -v pacman > /dev/null; then + TOR_UID=$(id -u tor) + elif command -v apt > /dev/null; then + TOR_UID=$(id -u debian-tor) + elif command -v dnf > /dev/null; then + TOR_UID=$(id -u toranon) + else + echo "Unknown distro" + exit + fi + + TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2` + DNS_PORT=`cat 
/etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2` + # Init DNS + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}" + + #/usr/bin/dnstool address 127.0.0.1 + sudo systemctl stop vpn + sudo systemctl restart iptables + sudo systemctl restart tor + + sudo systemctl stop wg-quick@wg0 + sudo iptables -F + + #DNS + + sudo chattr -i /etc/resolv.conf + sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf + sudo chattr +i /etc/resolv.conf + + + + # disable ipv6 + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}" + sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1 + sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1 + + #if ! [ -f /etc/network/iptables.rules ]; then + # /usr/sbin/iptables-save > /etc/network/iptables.rules + # echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}" + #fi + + # Making IPTables rules + sudo /usr/sbin/iptables -F + sudo /usr/sbin/iptables -t nat -F + + # set iptables nat + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}" + sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN + + #set dns redirect + echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}" + sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT + + #resolve .onion domains mapping 10.192.0.0/10 address space + sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT + sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT + + #exclude local addresses + for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do + sudo /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN + sudo /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT + done + + #redirect all other output through TOR + sudo /usr/sbin/iptables -t nat 
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT + #/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT + sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT + sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT + + #accept already established connections + sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + + #allow only tor output + echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR" + sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -j REJECT + + # TESTING block all incoming traffics + # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy + sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + + sudo /usr/sbin/iptables -A INPUT -j DROP + + ### *filter FORWARD + sudo /usr/sbin/iptables -A FORWARD -j DROP + + ### *filter OUTPUT + sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP + sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT + + # Allow Tor process output + sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT + + # Allow loopback output + sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT + # iptables 1.8.5 can't use -o with input + # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT + + # Tor transproxy magic + sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT + + #allow local network traffic: + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 
-j ACCEPT + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT + + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT + + # Allow OUTPUT to lan hosts in $_non_tor + # Uncomment these 3 lines to enable. + #for _lan in $_non_tor; do + # iptables -A OUTPUT -d $_lan -j ACCEPT + #done + + # Log & Drop everything else. Uncomment to enable logging + #iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid + # /usr/sbin/iptables -A OUTPUT -j DROP + + ### Set default policies to DROP + # /usr/sbin/iptables -P INPUT DROP + # /usr/sbin/iptables -P FORWARD DROP + # /usr/sbin/iptables -P OUTPUT DROP + + ### Set default policies to DROP for IPv6 + #ip6tables -P INPUT DROP + #ip6tables -P FORWARD DROP + #ip6tables -P OUTPUT DROP + + + +Now in between switching you should kill the dangerous applications like so: + + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] + → cat cleanup.sh + # Kill processes + killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail + # Remove cache + bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null + + + +And now if you have the following torrc you can have a tor transparent 
proxying: + + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/trac] + → sudo systemctl restart tor + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → ./security.sh + + [+] SECURITY SCRIPT: + + [+] 0) Only local ? + [+] 1) VPN over TOR ? (high latency, unlimited bandwidth) + [+] 2) Wireguard to vpn.void.yt ? (3TB/mo, low latency) + [+] 3) Transparent TOR Proxying + 3 + [sudo] password for nothing: + [*] Modified resolv.conf to use Tor + [*] Disabling IPv6 for security reasons + net.ipv6.conf.all.disable_ipv6 = 1 + net.ipv6.conf.default.disable_ipv6 = 1 + [*] Configuring iptables rules to route all traffic through tor + + Redirecting DNS traffic through tor + + Allowing only tor to browse in clearnet + + +Now if you want to see if this works, you can check out your own ip in firefox: + +![](1.png) + +Or if you want to check from inside the tor browser since it has much more security hardening than default firefox, do the following to start it up in such a way that it will use the system daemon:: + + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] + → cat torbrowser.sh + #export TOR_CONTROL_COOKIE_AUTH_FILE=/var/run/tor/control.authcookie + export TOR_CONTROL_PORT=9051 + export TOR_SOCKS_PORT=9150 + export TOR_SKIP_LAUNCH=1 + /usr/bin/torbrowser-launcher + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/parrotsec] + → ./torbrowser.sh + Tor Browser Launcher + By Micah Lee, licensed under MIT + version 0.3.5 + https://github.com/micahflee/torbrowser-launcher + Launching Tor Browser. + Running /home/nothing/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/start-tor-browser.desktop + Launching './Browser/start-tor-browser --detach'... + + + +` ![](2.png) + +## **Automation Setup** + +Let's make a systemd daemon that, when started, launches a bashscript to start the tor proxying, and when stopped, stops the tor proxying. 
+ + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] + → chmod +x ./torproxy_start.sh + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] + → cat torproxy_start.sh + #!/bin/bash + + # Kill processes + killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail + # Remove cache + bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null + + sudo systemctl stop wg-quick@wg0 + sudo iptables -F + #https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon + + export BLUE='\033[1;94m' + export GREEN='\033[1;92m' + export RED='\033[1;91m' + export RESETCOLOR='\033[1;00m' + + + # If tor didn't start, we start it + # It is used for startup + if command -v pacman > /dev/null; then + TOR_UID=$(id -u tor) + elif command -v apt > /dev/null; then + TOR_UID=$(id -u debian-tor) + elif command -v dnf > /dev/null; then + TOR_UID=$(id -u toranon) + else + echo "Unknown distro" + exit + fi + + TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2` + DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2` + # Init DNS + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}" + + #/usr/bin/dnstool address 127.0.0.1 + sudo systemctl stop vpn + sudo systemctl restart iptables + sudo systemctl restart tor + + sudo systemctl stop wg-quick@wg0 + sudo iptables -F + + #DNS + + sudo chattr -i /etc/resolv.conf + sudo cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf + sudo chattr +i 
/etc/resolv.conf + + + + # disable ipv6 + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}" + sudo /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1 + sudo /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1 + + #if ! [ -f /etc/network/iptables.rules ]; then + # /usr/sbin/iptables-save > /etc/network/iptables.rules + # echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}" + #fi + + # Making IPTables rules + sudo /usr/sbin/iptables -F + sudo /usr/sbin/iptables -t nat -F + + # set iptables nat + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}" + sudo /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN + + #set dns redirect + echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}" + sudo /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT + + #resolve .onion domains mapping 10.192.0.0/10 address space + sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT + sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT + + #exclude local addresses + for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do + sudo /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN + sudo /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT + done + + #redirect all other output through TOR + sudo /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT + #/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT + sudo /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT + sudo /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT + + #accept already established connections + sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + + #allow only tor output + echo -e " $GREEN+$BLUE 
Allowing only tor to browse in clearnet$RESETCOLOR" + sudo /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -j REJECT + + # TESTING block all incoming traffics + # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy + sudo /usr/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + + sudo /usr/sbin/iptables -A INPUT -j DROP + + ### *filter FORWARD + sudo /usr/sbin/iptables -A FORWARD -j DROP + + ### *filter OUTPUT + sudo /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP + sudo /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT + + # Allow Tor process output + sudo iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT + + # Allow loopback output + sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT + # iptables 1.8.5 can't use -o with input + # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT + + # Tor transproxy magic + sudo /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT + + #allow local network traffic: + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT + + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT + sudo /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j 
ACCEPT + + + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] + → vim torproxy_stop.sh + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] + → chmod +x ./torproxy_stop.sh + + [ 10.0.0.10/16 ] [ nowhere ] [~/torproxy/final] + → cat torproxy_stop.sh + #!/bin/bash + # Kill processes + killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail + # Remove cache + bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null + + sudo iptables -F + + + +And now to write the systemd service: + + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → sudo vim /etc/systemd/system/torproxy.service + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → sudo systemctl daemon-reload + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → cat /etc/systemd/system/torproxy.service + [Unit] + Description=Tor Transparent Proxy + After=network-online.target + Wants=network-online.target + + [Service] + Type=oneshot + RemainAfterExit=true + ExecStart=/home/nothing/Nextcloud/blog/Conf/torproxy_start.sh + ExecStop=/home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh + + [Install] + WantedBy=multi-user.target + + + +and the modified 2 scripts: + + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → cat /home/nothing/Nextcloud/blog/Conf/torproxy_start.sh + #!/bin/bash + + # Kill processes + killall -q chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail + # Remove cache + bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache 
firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null + + systemctl stop wg-quick@wg0 + iptables -F + #https://github.com/ParrotSec/anonsurf/blob/c5cc0092dc4ffe7d53b2bb42aebdc00e463cfa84/scripts/anondaemon + + export BLUE='\033[1;94m' + export GREEN='\033[1;92m' + export RED='\033[1;91m' + export RESETCOLOR='\033[1;00m' + + + # If tor didn't start, we start it + # It is used for startup + if command -v pacman > /dev/null; then + TOR_UID=$(id -u tor) + elif command -v apt > /dev/null; then + TOR_UID=$(id -u debian-tor) + elif command -v dnf > /dev/null; then + TOR_UID=$(id -u toranon) + else + echo "Unknown distro" + exit + fi + + TOR_PORT=`cat /etc/tor/torrc | grep TransPort | cut -d " " -f 2 | cut -d ":" -f 2` + DNS_PORT=`cat /etc/tor/torrc | grep DNSPort | cut -d " " -f 2 | cut -d ":" -f 2` + # Init DNS + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Modified resolv.conf to use Tor${RESETCOLOR}" + + #/usr/bin/dnstool address 127.0.0.1 + systemctl stop vpn + systemctl restart iptables + systemctl stop wg-quick@wg0 + iptables -F + + #DNS + + chattr -i /etc/resolv.conf + cp /home/nothing/Nextcloud/blog/dns/resolv.conf.tor /etc/resolv.conf + chattr +i /etc/resolv.conf + + + + # disable ipv6 + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Disabling IPv6 for security reasons${RESETCOLOR}" + /sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1 + /sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1 + + #if ! 
[ -f /etc/network/iptables.rules ]; then + # /usr/sbin/iptables-save > /etc/network/iptables.rules + # echo -e "[$GREEN*${RESETCOLOR}]$BLUE Saved iptables rules${RESETCOLOR}" + #fi + + # Making IPTables rules + /usr/sbin/iptables -F + /usr/sbin/iptables -t nat -F + + # set iptables nat + echo -e "[$GREEN*${RESETCOLOR}]$BLUE Configuring iptables rules to route all traffic through tor${RESETCOLOR}" + /usr/sbin/iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN + + #set dns redirect + echo -e " $GREEN+$BLUE Redirecting DNS traffic through tor${RESETCOLOR}" + /usr/sbin/iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $DNS_PORT + + #resolve .onion domains mapping 10.192.0.0/10 address space + /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT + /usr/sbin/iptables -t nat -A OUTPUT -p udp -d 10.192.0.0/10 -j REDIRECT --to-ports $TOR_PORT + + #exclude local addresses + for NET in $TOR_EXCLUDE 127.0.0.0/9 127.128.0.0/10; do + /usr/sbin/iptables -t nat -A OUTPUT -d $NET -j RETURN + /usr/sbin/iptables -A OUTPUT -d "$NET" -j ACCEPT + done + + #redirect all other output through TOR + /usr/sbin/iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TOR_PORT + #/usr/sbin/iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports $TOR_PORT + /usr/sbin/iptables -t nat -A OUTPUT -p udp -j REDIRECT --to-ports $TOR_PORT + /usr/sbin/iptables -t nat -A OUTPUT -p icmp -j REDIRECT --to-ports $TOR_PORT + + #accept already established connections + /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + + #allow only tor output + echo -e " $GREEN+$BLUE Allowing only tor to browse in clearnet$RESETCOLOR" + /usr/sbin/iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT + /usr/sbin/iptables -A OUTPUT -j REJECT + + # TESTING block all incoming traffics + # https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy + /usr/sbin/iptables -A INPUT -m state 
--state ESTABLISHED -j ACCEPT + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + + /usr/sbin/iptables -A INPUT -j DROP + + ### *filter FORWARD + /usr/sbin/iptables -A FORWARD -j DROP + + ### *filter OUTPUT + /usr/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP + /usr/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT + + # Allow Tor process output + iptables -A OUTPUT -m owner --uid-owner $TOR_UID -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT + + # Allow loopback output + /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT + # iptables 1.8.5 can't use -o with input + # /usr/sbin/iptables -A INPUT -d 127.0.0.1/32 -o lo -j ACCEPT + + # Tor transproxy magic + /usr/sbin/iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $TOR_PORT --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT + + #allow local network traffic: + /usr/sbin/iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ACCEPT + /usr/sbin/iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ACCEPT + /usr/sbin/iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ACCEPT + /usr/sbin/iptables -A INPUT -m iprange --src-range 127.0.0.0-127.255.255.255 -j ACCEPT + + /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.255.255 -j ACCEPT + /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 172.16.0.0-172.31.255.255 -j ACCEPT + /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT + /usr/sbin/iptables -A OUTPUT -m iprange --dst-range 127.0.0.0-127.255.255.255 -j ACCEPT + + systemctl start tor + + + + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → cat /home/nothing/Nextcloud/blog/Conf/torproxy_stop.sh + #!/bin/bash + # Kill processes + killall -q tor chrome dropbox skype icedove thunderbird firefox firefox-esr chromium xchat hexchat transmission steam firejail + # Remove cache + bleachbit -c adobe_reader.cache chromium.cache chromium.session chromium.history 
chromium.form_history elinks.history emesene.cache epiphany.cache firefox.cache firefox.crash_reports firefox.url_history firefox.forms flash.cache flash.cookies google_chrome.cache google_chrome.history google_chrome.form_history google_chrome.search_engines google_chrome.session google_earth.temporary_files links2.history opera.cache opera.form_history opera.history &> /dev/null + + + iptables -F + systemctl restart iptables + + + + +Now to test it: + + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → sudo systemctl stop torproxy.service + + [ 10.0.0.10/16 ] [ nowhere ] [~] + → sudo systemctl start torproxy.service + + + diff --git a/tpot/0.png b/tpot/0.png new file mode 100644 index 0000000..0bbd5a0 Binary files /dev/null and b/tpot/0.png differ diff --git a/tpot/1.png b/tpot/1.png new file mode 100644 index 0000000..c4c7abf Binary files /dev/null and b/tpot/1.png differ diff --git a/tpot/10.png b/tpot/10.png new file mode 100644 index 0000000..127a1f5 Binary files /dev/null and b/tpot/10.png differ diff --git a/tpot/11.png b/tpot/11.png new file mode 100644 index 0000000..23156b0 Binary files /dev/null and b/tpot/11.png differ diff --git a/tpot/12.png b/tpot/12.png new file mode 100644 index 0000000..ca627ad Binary files /dev/null and b/tpot/12.png differ diff --git a/tpot/13.png b/tpot/13.png new file mode 100644 index 0000000..c73d25c Binary files /dev/null and b/tpot/13.png differ diff --git a/tpot/14.png b/tpot/14.png new file mode 100644 index 0000000..45c85d3 Binary files /dev/null and b/tpot/14.png differ diff --git a/tpot/15.png b/tpot/15.png new file mode 100644 index 0000000..4d4a257 Binary files /dev/null and b/tpot/15.png differ diff --git a/tpot/16.png b/tpot/16.png new file mode 100644 index 0000000..d38599e Binary files /dev/null and b/tpot/16.png differ diff --git a/tpot/17.png b/tpot/17.png new file mode 100644 index 0000000..2cdc6d4 Binary files /dev/null and b/tpot/17.png differ 
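Review bot: The unit file's `ExecStart=/home/nothing/Nextcloud/blog/Conf/torproxy_start.sh` and matching `ExecStop` have systemd run, as root, scripts that live in a user-owned, cloud-synced directory, and the start script additionally copies `/home/nothing/Nextcloud/blog/dns/resolv.conf.tor` over `/etc/resolv.conf`, so anyone who can write to that home directory or the Nextcloud account gets root on the next start or stop. Move both scripts and the resolv.conf template to a root-owned location, e.g. `ExecStart=/usr/local/sbin/torproxy_start.sh` after `chown root:root` and `chmod 755` on them, and point the `cp` at the same place. Separately, the torrc sets `ClientRejectInternalAddresses 0` under the "dns safety hacks" comment, which turns off Tor's default refusal of connections and resolved answers into private address ranges; `ClientRejectInternalAddresses 1` is the default and the safer value, and the comment should state why if 0 is really intended. In the iptables script every rule appended to OUTPUT after `-A OUTPUT -j REJECT` and to INPUT after `-A INPUT -j DROP` (the "*filter OUTPUT", "Allow Tor process output", "Allow loopback output", "Tor transproxy magic" and "allow local network traffic" blocks) is unreachable, so the effective policy is stricter than the comments claim; either delete those rules or place them before the terminating rule with `-I`. The same script body appears three times in this hunk (the security.sh fragment, torproxy_start.sh, and the modified copy), so the fix applies to each.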
diff --git a/tpot/18.png b/tpot/18.png new file mode 100644 index 0000000..6b8232e Binary files /dev/null and b/tpot/18.png differ diff --git a/tpot/2.png b/tpot/2.png new file mode 100644 index 0000000..6c55381 Binary files /dev/null and b/tpot/2.png differ diff --git a/tpot/3.png b/tpot/3.png new file mode 100644 index 0000000..ac8c682 Binary files /dev/null and b/tpot/3.png differ diff --git a/tpot/4.png b/tpot/4.png new file mode 100644 index 0000000..3c77cf5 Binary files /dev/null and b/tpot/4.png differ diff --git a/tpot/5.png b/tpot/5.png new file mode 100644 index 0000000..7c7356e Binary files /dev/null and b/tpot/5.png differ diff --git a/tpot/6.png b/tpot/6.png new file mode 100644 index 0000000..75a6de7 Binary files /dev/null and b/tpot/6.png differ diff --git a/tpot/7.png b/tpot/7.png new file mode 100644 index 0000000..e84057a Binary files /dev/null and b/tpot/7.png differ diff --git a/tpot/8.png b/tpot/8.png new file mode 100644 index 0000000..af3e735 Binary files /dev/null and b/tpot/8.png differ diff --git a/tpot/9.png b/tpot/9.png new file mode 100644 index 0000000..9a28e3a Binary files /dev/null and b/tpot/9.png differ diff --git a/tpot/index.md b/tpot/index.md new file mode 100644 index 0000000..4ab3dc2 --- /dev/null +++ b/tpot/index.md 
@@ -0,0 +1,142 @@ +# tpot Setup + +![](0.png) + +Tpot is a All In One Honeypot Platform, it comes with pre-built ISOs ready to run inside of a VM. You need 8GB of ram, 128Gb disk space, and DHCP Networking. I'm going to set it up on my proxmox server: + +## **Initial Setup** + +![](2.png) + +Get the [latest ISO](https://github.com/telekom-security/tpotce/releases/tag/20.06.2) of tpot onto the server, then create the VM with those specs: + +![](1.png) + +Then use the VNC or SPICE console to interact with your VM, simply install it like you would install a debian VM, Then let it reboot, as the tpot VM is going to download evertything it needs: + +![](2.png) ![](3.png) + +Once it's done installing, it will reboot and prompt you what follows: + +![](4.png) ![](5.png) + +We're going to pick the NextGen one, then hit 'Ok', then it will ask you to create a user with a password, once that's done, Tpot is going to install it's dependencies: + +![](6.png) ![](7.png) + +(It can take up to 30 minutes) + +![](8.png) + +Once it finished, you get the following result: + +![](9.png) + +The vulnerable website is a wordpress default instance: + +![](14.png) + +So let's take a look at the Web interface at port 64297, you need to use the user credentials you setup earlier: + +![](10.png) + +Let's take a look at the Kibana interface: + +![](11.png) ![](12.png) + +Let's take a look at the TPot Dashboard: + +![](13.png) + +Not much there obviously, so let's run an intense directory scan to see the difference: + + + [ 10.0.0.10/16 ] [ /dev/pts/14 ] [Nextcloud/blog] + → dirsearch -u http://10.0.121.109 -e html,txt,php,js,css -t 50 -x 500 + /usr/lib/dirsearch/thirdparty/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.4) or chardet (4.0.0) doesn't match a supported version! + warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported " + + _|. 
_ _ _ _ _ _|_ v0.4.1 + (_||| _) (/_(_|| (_| ) + + Extensions: html, txt, php, js, css | HTTP method: GET | Threads: 50 | Wordlist size: 10863 + + Error Log: /home/nothing/.dirsearch/logs/errors-21-05-17_21-18-18.log + + Target: http://10.0.121.109/ + + Output File: /home/nothing/.dirsearch/reports/10.0.121.109/_21-05-17_21-18-18.txt + + [21:18:18] Starting: + [21:18:58] 200 - 37B - /admin/portalcollect.php?f=http://xxx&t;=js + [21:19:26] 200 - 37B - /getfiles.php?f=http://xxx&t;=js + [21:19:28] 200 - 51KB - /index.md + [21:19:46] 200 - 37B - /proxy.stream?origin=https://google.com + [21:20:04] 200 - 2KB - /wp-login.php + [21:20:04] 200 - 42B - /xmlrpc.php + + Task Completed + + + + +let's also run simple vulnerability scans using nmap and nikto: + + + [ 10.0.0.10/16 ] [ /dev/pts/20 ] [Nextcloud/blog] + → nmap -sCV -p 80 10.0.121.109 + Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 21:21 CEST + Nmap scan report for 10.0.121.109 + Host is up (0.0018s latency). + + PORT STATE SERVICE VERSION + 80/tcp open http aiohttp 3.4.4 (Python 3.7) + |_http-server-header: Python/3.7 aiohttp/3.4.4 + |_http-title: user's Blog! \xE2\x80\x93 Just another WordPress site + + Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . + Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds + + [ 10.0.0.10/16 ] [ /dev/pts/20 ] [Nextcloud/blog] + → nikto -h http://10.0.121.109 + - Nikto v2.1.6 + --------------------------------------------------------------------------- + + Target IP: 10.0.121.109 + + Target Hostname: 10.0.121.109 + + Target Port: 80 + + Start Time: 2021-05-17 21:26:42 (GMT2) + --------------------------------------------------------------------------- + + Server: Python/3.7 aiohttp/3.4.4 + + The anti-clickjacking X-Frame-Options header is not present. + + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + + The X-Content-Type-Options header is not set. 
This could allow the user agent to render the content of the site in a different fashion to the MIME type + + Cookie sess_uuid created without the httponly flag + + No CGI Directories found (use '-C all' to force check all possible dirs) + + OSVDB-27487: Apache is vulnerable to XSS via the Expect header + + [...] + + + OSVDB-35935: /rpc.php?q=\"> + + OSVDB-3092: /xmlrpc.php: xm + + OSVDB-34879: /jsp-examples/ + + OSVDB-34878: /jsp-examples/ + + OSVDB-12721: /jsp-examples/ + + [...] + + + +Run it yourself, you're going to see nikto find a trillion different vulnerabilities with this wordpress website. Now let's take a look at our dashboard once we finished running the scans: + +![](15.png) ![](16.png) + +And that's it! We have been able to see a scanning attack on our honeypot TPot dashboard. Now we know that the 10.0.0.10 IP is doing malicious activities on the network. If we wanted, we could also port forward our honeypot's port 80 towards the internet, so that we could see the public IPs that are maliciously scanning us. + +![](17.png) + +Once you do this and open up the port publicly you can immediately see changes on the TPot Dashboard: + +![](18.png) + +As the attacks now come from public IPs, the dashboard can tell you the geological origin of the attacks. + diff --git a/unattendedupgrades/0.png b/unattendedupgrades/0.png new file mode 100644 index 0000000..7cec035 Binary files /dev/null and b/unattendedupgrades/0.png differ diff --git a/unattendedupgrades/1.png b/unattendedupgrades/1.png new file mode 100644 index 0000000..7a5fa3b Binary files /dev/null and b/unattendedupgrades/1.png differ diff --git a/unattendedupgrades/index.md b/unattendedupgrades/index.md new file mode 100644 index 0000000..45eee45 --- /dev/null +++ b/unattendedupgrades/index.md 
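Review bot: The closing step forwards the honeypot's port 80 to the internet, but nothing on this page isolates the T-Pot VM (10.0.121.109) from the rest of the LAN, where the author's own workstation (10.0.0.10/16) sits in the same 10.0.0.0/16 — a honeypot is built to be compromised, so it belongs on its own VLAN/bridge with egress filtering, and only port 80 (never the 64297 admin UI or SSH) should be forwarded. I'd add right after "If we wanted, we could also port forward our honeypot's port 80 towards the internet": `Before exposing it, put the honeypot on an isolated network segment (own VLAN/bridge, egress-filtered) and forward only port 80; keep the 64297 web interface and SSH reachable from your management network only.` The nmap output shows `Python/3.7 aiohttp/3.4.4` rather than a real WordPress stack, so the nikto "trillion vulnerabilities" and the "vulnerable website is a wordpress default instance" line are presumably decoy responses from the web honeypot and should be described as such, so readers don't treat them as real findings.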
@@ -0,0 +1,74 @@ +# unattendedupgrades Setup + +![](0.png) + +In this tutorial we're going to setup debian unattended upgrades so that packages are automatically updated on the system without needing any external help. + +## **Initial Setup** + + + [ 10.8.0.2/24 ] [ home ] [~] + → apt install unattended-upgrades apt-listchanges -y + + [ 10.8.0.2/24 ] [ home ] [~] + → dpkg-reconfigure -plow unattended-upgrades + + + + +![](1.png) + +Then you can run the following command to run the unattended upgrade manually: + + + [ 10.8.0.2/24 ] [ home ] [~] + → unattended-upgrade -d + Starting unattended upgrades script + Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security + Initial blacklist: + Initial whitelist (not strict): + Marking not allowed with -32768 pin + Marking not allowed with -32768 pin + Marking not allowed with -32768 pin + Applying pinning: PkgFilePin(id=6, priority=-32768) + Applying pin -32768 to package_file: + Applying pinning: PkgFilePin(id=5, priority=-32768) + Applying pin -32768 to package_file: + Applying pinning: PkgFilePin(id=4, priority=-32768) + Applying pin -32768 to package_file: + Using (^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages + Using 
(^linux-.*-5\.10\.0\-20\-amd64$|^linux-.*-5\.10\.0\-20$|^kfreebsd-.*-5\.10\.0\-20\-amd64$|^kfreebsd-.*-5\.10\.0\-20$|^gnumach-.*-5\.10\.0\-20\-amd64$|^gnumach-.*-5\.10\.0\-20$|^.*-modules-5\.10\.0\-20\-amd64$|^.*-modules-5\.10\.0\-20$|^.*-kernel-5\.10\.0\-20\-amd64$|^.*-kernel-5\.10\.0\-20$|^linux-.*-5\.10\.0\-20\-amd64$|^linux-.*-5\.10\.0\-20$|^kfreebsd-.*-5\.10\.0\-20\-amd64$|^kfreebsd-.*-5\.10\.0\-20$|^gnumach-.*-5\.10\.0\-20\-amd64$|^gnumach-.*-5\.10\.0\-20$|^.*-modules-5\.10\.0\-20\-amd64$|^.*-modules-5\.10\.0\-20$|^.*-kernel-5\.10\.0\-20\-amd64$|^.*-kernel-5\.10\.0\-20$) regexp to find running kernel packages + pkgs that look like they should be upgraded: + Fetched 0 B in 0s (0 B/s) + fetch.run() result: 0 + Packages blacklist due to conffile prompts: [] + No packages found that can be upgraded unattended and no pending auto-removals + Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2023-02-15 21:00:54 + + + +Then you can check if it works with apt: + + + [ 10.8.0.2/24 ] [ home ] [~] + → apt upgrade -y + Reading package lists... Done + Building dependency tree... Done + Reading state information... Done + Calculating upgrade... Done + 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. + + + +no packages to be changed, which means the packages are up to date. + +OPTIONAL: To make sure your server reboots every day to refresh the services (because the service stays the same even when packages are upgraded, until its restarted) do so with cron: + + + crontab -e + + 0 0 * * * reboot #restart the server everyday at midnight + #0 0 * * * systemctl isolate rescue; systemctl isolate default #forcefully restart all systemd services (careful it may break services) + + + diff --git a/uptimekuma/1.png b/uptimekuma/1.png new file mode 100644 index 0000000..4627ece Binary files /dev/null and b/uptimekuma/1.png differ 
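Review bot: The OPTIONAL cron entry `0 0 * * * reboot` reboots the host every night unconditionally, which is a self-inflicted daily outage and does not match the stated goal of restarting services only because packages changed. unattended-upgrades already has a conditional reboot: in `/etc/apt/apt.conf.d/50unattended-upgrades` set `Unattended-Upgrade::Automatic-Reboot "true";` and `Unattended-Upgrade::Automatic-Reboot-Time "02:00";`, which reboots only when an upgrade flags that a reboot is required. For restarting just the affected daemons without a reboot, Debian's `needrestart` package hooks into apt and is the usual answer — worth mentioning as the non-reboot alternative. The commented-out `systemctl isolate rescue` line should be removed rather than left as a suggestion, since rescue.target stops networking and sshd on a remote host.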
diff --git a/uptimekuma/10.png b/uptimekuma/10.png
new file mode 100644
index 0000000..a6a163b
Binary files /dev/null and b/uptimekuma/10.png differ
diff --git a/uptimekuma/2.png b/uptimekuma/2.png
new file mode 100644
index 0000000..59dddb7
Binary files /dev/null and b/uptimekuma/2.png differ
diff --git a/uptimekuma/3.png b/uptimekuma/3.png
new file mode 100644
index 0000000..4078434
Binary files /dev/null and b/uptimekuma/3.png differ
diff --git a/uptimekuma/4.png b/uptimekuma/4.png
new file mode 100644
index 0000000..f020272
Binary files /dev/null and b/uptimekuma/4.png differ
diff --git a/uptimekuma/5.png b/uptimekuma/5.png
new file mode 100644
index 0000000..90d1d50
Binary files /dev/null and b/uptimekuma/5.png differ
diff --git a/uptimekuma/6.png b/uptimekuma/6.png
new file mode 100644
index 0000000..f07c957
Binary files /dev/null and b/uptimekuma/6.png differ
diff --git a/uptimekuma/7.png b/uptimekuma/7.png
new file mode 100644
index 0000000..9da4378
Binary files /dev/null and b/uptimekuma/7.png differ
diff --git a/uptimekuma/8.png b/uptimekuma/8.png
new file mode 100644
index 0000000..53aa93b
Binary files /dev/null and b/uptimekuma/8.png differ
diff --git a/uptimekuma/9.png b/uptimekuma/9.png
new file mode 100644
index 0000000..609268e
Binary files /dev/null and b/uptimekuma/9.png differ
diff --git a/uptimekuma/index.md b/uptimekuma/index.md
new file mode 100644
index 0000000..e504c44
--- /dev/null
+++ b/uptimekuma/index.md
@@ -0,0 +1,243 @@ +# uptimekuma Setup + +![](0.svg) + +In this tutorial we're going to setup Uptime Kuma to monitor services. + +## **Initial Setup** + +Install it using git and run it with docker: + + + apt install docker.io docker-compose -y + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → cat docker-compose.yml + version: '3.3' + + services: + uptime-kuma: + image: louislam/uptime-kuma:1 + container_name: uptime-kuma + volumes: + - ./uptime-kuma-data:/app/data + ports: + - 3001:3001 + restart: always + + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → docker-compose up -d + Creating network "uptimekuma_default" with the default driver + Pulling uptime-kuma (louislam/uptime-kuma:latest)... + latest: Pulling from louislam/uptime-kuma + 99bf4787315b: Pull complete + 61c3159279c7: Pull complete + 9f0ec4d0abba: Pull complete + 2ddd419399ab: Pull complete + 6800c494eddd: Pull complete + a4dccef6dd1b: Pull complete + 305b5054c6ba: Pull complete + acb6e4a0ab0e: Pull complete + 4f4fb700ef54: Pull complete + 5c24a0961ff0: Pull complete + Digest: sha256:0b55bcb83a1c46c6f08bcc0329fc6c1d86039581102ec8db896976a9d46de01d + Status: Downloaded newer image for louislam/uptime-kuma:latest + Creating uptime-kuma ... done + + + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → ls + docker-compose.yml uptime-kuma-data + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → ls -lash uptime-kuma-data + total 856K + 4.0K drwxr-xr-x 3 root root 4.0K Jul 23 16:58 . + 4.0K drwxr-xr-x 3 root root 4.0K Jul 23 16:58 .. + 60K -rwxr-xr-x 1 root root 60K Jul 23 16:58 kuma.db + 32K -rwxr-xr-x 1 root root 32K Jul 23 16:58 kuma.db-shm + 752K -rwxr-xr-x 1 root root 749K Jul 23 16:58 kuma.db-wal + 4.0K drwxr-xr-x 2 root root 4.0K Jul 23 16:58 upload + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → nmap 127.0.0.1 -p 3001 + Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-23 16:58 CEST + Nmap scan report for localhost (127.0.0.1) + Host is up (0.00033s latency). 
+ + PORT STATE SERVICE + 3001/tcp open nessus + + Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds + + + +Next you can put it behind a reverse nginx proxy and use it: + + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → systemctl stop nginx + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → acme.sh --issue --standalone -d status.nowhere.moe -k 4096 + + [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available] + → vim status.nowhere.moe.conf + + [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available] + → cat status.nowhere.moe.conf + upstream statusbackend { + server 127.0.0.1:3001; + } + + server { + listen 80; + listen [::]:80; + server_name status.nowhere.moe; + return 301 https://$server_name$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name status.nowhere.moe; + + ssl_certificate /root/.acme.sh/status.nowhere.moe/fullchain.cer; + ssl_trusted_certificate /root/.acme.sh/status.nowhere.moe/status.nowhere.moe.cer; + ssl_certificate_key /root/.acme.sh/status.nowhere.moe/status.nowhere.moe.key; + + ssl_protocols TLSv1.3 TLSv1.2; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + ssl_ecdh_curve auto; + ssl_stapling on; + ssl_stapling_verify on; + resolver 80.67.188.188 80.67.169.40 valid=300s; + resolver_timeout 10s; + + add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting + add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking + add_header X-Content-Type-Options nosniff; #MIME-type sniffing + add_header Strict-Transport-Security "max-age=31536000; 
includeSubDomains; preload"; + + location / { + proxy_pass http://statusbackend; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + } + } + + [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/status.nowhere.moe.conf /etc/nginx/sites-enabled + + [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ 10.8.0.2/24 ] [ home ] [/srv/uptimekuma] + → systemctl start nginx + + + +![](2.png) + +From there we're going to add hosts to check the uptime: + +![](3.png) + +To make it more organised we'll create a status page for a group of hosts to monitor: + +![](4.png) ![](5.png) + +And in here we're going to add hosts to track + +We can also add tcp-specific ports like 18081 monero node: + +![](6.png) + +After populating them it looks like so: + +![](7.png) + +Next step: monitoring onion services: + +![](10.png) + +Then you need to make sure that the docker container can access the tor socks proxy port on the host machine like so: + + + [ 10.8.0.2/24 ] [ home ] [~] + → cat /etc/tor/torrc | grep 9050 + SocksPort 0.0.0.0:9050 + + [ 10.8.0.2/24 ] [ home ] [~] + → systemctl restart tor@default + + [ 10.8.0.2/24 ] [ home ] [~] + → systemctl status tor@default + ● tor@default.service - Anonymizing overlay network for TCP + Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled) + Active: active (running) since Sun 2023-07-23 17:38:19 CEST; 9s ago + Process: 93828 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS) + Process: 93830 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS) + Main PID: 93831 (tor) + Tasks: 9 (limit: 
9483) + Memory: 35.0M + CPU: 3.659s + CGroup: /system.slice/system-tor.slice/tor@default.service + ├─93831 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 + └─93832 /usr/bin/obfs4proxy + + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 1% (conn_pt): Connecting to pluggable transport + Jul 23 17:38:20 home Tor[93831]: Opening Control listener on /run/tor/control + Jul 23 17:38:20 home Tor[93831]: Opened Control listener connection (ready) on /run/tor/control + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 2% (conn_done_pt): Connected to pluggable transport + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 10% (conn_done): Connected to a relay + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 14% (handshake): Handshaking with a relay + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 15% (handshake_done): Handshake with a relay done + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits + Jul 23 17:38:20 home Tor[93831]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit + Jul 23 17:38:21 home Tor[93831]: Bootstrapped 100% (done): Done + + [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available] + → docker container list + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + a77a35a135dd louislam/uptime-kuma:latest "/usr/bin/dumb-init …" 36 minutes ago Up 36 minutes (healthy) 0.0.0.0:3001->3001/tcp, :::3001->3001/tcp uptime-kuma + + [ 10.8.0.2/24 ] [ home ] [/etc/nginx/sites-available] + → docker exec -it a77 bash + root@a77a35a135dd:/app# ip a + bash: ip: command not found + root@a77a35a135dd:/app# cat /etc/hosts + 127.0.0.1 localhost + ::1 localhost ip6-localhost ip6-loopback + fe00::0 ip6-localnet + ff00::0 ip6-mcastprefix + ff02::1 ip6-allnodes + ff02::2 ip6-allrouters + **172.18.0.2** a77a35a135dd + + [ 10.8.0.2/24 ] [ home ] [~] + → ip a | grep inet | grep 172.18 + inet **172.18.0.1/16** brd 172.18.255.255 scope global br-81f77ed904e1 + + + 
+ +Then if you want to make your dashboards available for the public you just give them the link to your status pages like the ones below: + +nowhere.moe Status page + +nowhere.moe Status page + +**UPDATE NOTE: if your docker container gets updated and the database gets corrupted, you're going to need to go to dashboard > settings > backup > export backup (json file) > docker-compose down, delete the uptimekuma data floder > docker-compose up -d --force-recreate > then you need to go create the admin account again, then go to settings backup import backup (json file) and need to redo the status pages.** + +The reason for this is the developers do database changes from a version to the next without caring about database breaking changes. Hence need to do all this to fix an uptimekuma upgrade db failure + diff --git a/virtual/index.md b/virtual/index.md new file mode 100644 index 0000000..8e41a5c --- /dev/null +++ b/virtual/index.md 
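Review bot: `SocksPort 0.0.0.0:9050` in the torrc turns the host's Tor client into an open SOCKS proxy on every interface (including the 10.8.0.2/24 VPN side), and the compose file's `- 3001:3001` likewise publishes Uptime Kuma on all addresses (the `docker container list` output confirms `0.0.0.0:3001->3001/tcp`), so both the Tor proxy and the setup page — unauthenticated until the first admin account is created — bypass the nginx TLS and header hardening added above. The page already shows the docker bridge is 172.18.0.0/16 with gateway 172.18.0.1, so bind to that instead: `SocksPort 172.18.0.1:9050` with `SocksPolicy accept 172.18.0.0/16` and `SocksPolicy reject *` in torrc, and `- "127.0.0.1:3001:3001"` in docker-compose.yml. The nginx `location /` block also never sets `proxy_set_header Host $host;` or `X-Forwarded-For`, so Uptime Kuma sees every request as coming from 127.0.0.1 — worth adding if its logs are relied on for anything.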
@@ -0,0 +1,48 @@ +# virt-manager setup + +In this tutorial we'll setup virt-manager on debian: + +## **Initial Setup** + +To start with just open up a terminal or ssh into your debian server and run the following commands: + +![](prg/0.png) + +once that's done we will enable the libvirtd service + +![](prg/1.png) + +To verify that it is indeed working, we'll start up virt-manager like so: + +![](prg/2.png) + +And there we have it ! + +![](prg/3.png) + +Now before we create any virtual machine , we'll create the NAT configuration + +## **NAT setup** + +Run the following command: + +![](prg/4.png) + +Once that's done we'll create the NAT configuration: + +![](prg/5.png) ![](prg/6.png) ![](prg/7.png) ![](prg/8.png) + +Once that's done, we are ready to create our virtualized debian machine, Thanks to the NAT configuration we will be able to ssh into it: + +## **Debian Virtualisation Example** + +Download a debian iso and then do the following: + +![](prg/9.png) ![](prg/10.png) ![](prg/11.png) + +once that's done just go on installing debian as usual and make sure you install the ssh server on it: + +![](prg/12.png) ![](prg/13.png) + +And that's it ! we have been able to ssh into our virtual machine inside qemu kvm. Thanks to the NAT configuration, the communication between the host machine and the virtualised one is actually possible. which allowed us to ssh into the machine. without this intermediate step, it is not even possible to ping the host machine, so a ssh connection would be out of question. + diff --git a/virtual/prg/0.png b/virtual/prg/0.png new file mode 100644 index 0000000..90a00a0 Binary files /dev/null and b/virtual/prg/0.png differ diff --git a/virtual/prg/1.png b/virtual/prg/1.png new file mode 100644 index 0000000..d8dd9ff Binary files /dev/null and b/virtual/prg/1.png differ diff --git a/virtual/prg/10.png b/virtual/prg/10.png new file mode 100644 index 0000000..6f5f866 Binary files /dev/null and b/virtual/prg/10.png differ 
diff --git a/virtual/prg/11.png b/virtual/prg/11.png
new file mode 100644
index 0000000..c143e5c
Binary files /dev/null and b/virtual/prg/11.png differ
diff --git a/virtual/prg/12.png b/virtual/prg/12.png
new file mode 100644
index 0000000..10f4ef3
Binary files /dev/null and b/virtual/prg/12.png differ
diff --git a/virtual/prg/13.png b/virtual/prg/13.png
new file mode 100644
index 0000000..297b276
Binary files /dev/null and b/virtual/prg/13.png differ
diff --git a/virtual/prg/14.png b/virtual/prg/14.png
new file mode 100644
index 0000000..ca1fd81
Binary files /dev/null and b/virtual/prg/14.png differ
diff --git a/virtual/prg/15.png b/virtual/prg/15.png
new file mode 100644
index 0000000..a0831f9
Binary files /dev/null and b/virtual/prg/15.png differ
diff --git a/virtual/prg/16.png b/virtual/prg/16.png
new file mode 100644
index 0000000..637284e
Binary files /dev/null and b/virtual/prg/16.png differ
diff --git a/virtual/prg/17.png b/virtual/prg/17.png
new file mode 100644
index 0000000..db6beda
Binary files /dev/null and b/virtual/prg/17.png differ
diff --git a/virtual/prg/18.png b/virtual/prg/18.png
new file mode 100644
index 0000000..36abd4d
Binary files /dev/null and b/virtual/prg/18.png differ
diff --git a/virtual/prg/2.png b/virtual/prg/2.png
new file mode 100644
index 0000000..fda5199
Binary files /dev/null and b/virtual/prg/2.png differ
diff --git a/virtual/prg/3.png b/virtual/prg/3.png
new file mode 100644
index 0000000..079858d
Binary files /dev/null and b/virtual/prg/3.png differ
diff --git a/virtual/prg/4.png b/virtual/prg/4.png
new file mode 100644
index 0000000..67a76d6
Binary files /dev/null and b/virtual/prg/4.png differ
diff --git a/virtual/prg/5.png b/virtual/prg/5.png
new file mode 100644
index 0000000..030be16
Binary files /dev/null and b/virtual/prg/5.png differ
diff --git a/virtual/prg/6.png b/virtual/prg/6.png
new file mode 100644
index 0000000..bb8887f
Binary files /dev/null and b/virtual/prg/6.png differ
diff --git a/virtual/prg/7.png b/virtual/prg/7.png
new file mode 100644
index 0000000..3a6b48b
Binary files /dev/null and b/virtual/prg/7.png differ
diff --git a/virtual/prg/8.png b/virtual/prg/8.png
new file mode 100644
index 0000000..0b168f8
Binary files /dev/null and b/virtual/prg/8.png differ
diff --git a/virtual/prg/9.png b/virtual/prg/9.png
new file mode 100644
index 0000000..2f64f7b
Binary files /dev/null and b/virtual/prg/9.png differ
diff --git a/w0/0.png b/w0/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/w0/0.png differ
diff --git a/w0/1.png b/w0/1.png
new file mode 100644
index 0000000..81b1cee
Binary files /dev/null and b/w0/1.png differ
diff --git a/w0/2.png b/w0/2.png
new file mode 100644
index 0000000..4d3485a
Binary files /dev/null and b/w0/2.png differ
diff --git a/w0/3.png b/w0/3.png
new file mode 100644
index 0000000..20611d4
Binary files /dev/null and b/w0/3.png differ
diff --git a/w0/4.png b/w0/4.png
new file mode 100644
index 0000000..60cb772
Binary files /dev/null and b/w0/4.png differ
diff --git a/w0/5.png b/w0/5.png
new file mode 100644
index 0000000..bc8ca9b
Binary files /dev/null and b/w0/5.png differ
diff --git a/w0/6.png b/w0/6.png
new file mode 100644
index 0000000..cb64412
Binary files /dev/null and b/w0/6.png differ
diff --git a/w0/7.png b/w0/7.png
new file mode 100644
index 0000000..2d84481
Binary files /dev/null and b/w0/7.png differ
diff --git a/w0/index.md b/w0/index.md
new file mode 100644
index 0000000..bef2377
--- /dev/null
+++ b/w0/index.md
@@ -0,0 +1,38 @@ +# Windows Server Setup (QEMU) + +## **Initial Setup** + +We'll install WS2019 on a virtual 50G drive: + +![](1.png) + +After rebooting, setup the administrator password: + +![](2.png) + +The machine will reboot a second time, login with your admin password and allow this windows server to be discoverable by other PCs on the network: + +![](3.png) + +And that's it! + +## **Important Notes** + +The main difference between Debian and windows servers is mainly the GUI part, Windows offers largely a graphical user interface for the sysadmin to work with. + +![](4.png) + +In this screenshot we can see the main server manager window that we'll use throughout this tutorial series. The green arrows are where system events will appear (warnings or alerts incase a service goes down for example) the red arrows are going to be the main steps in our following tutorials, this is where we will add features to our server. Or rather, we will add services to this server. + +![](5.png) + +Don't forget that firefox comes with alot of stupid software pre installed, like the web browser, so install a real web-browser just so that you don't have to worry about it later on. + +![](6.png) ![](7.png) + +Now that's done, we can begin this tutorial series: + +## **Course of Action** + +In this tutorial series, i am going to explain how to make services like DNS, Active Directory, Users and domain Groups (organisational units), Raid and backups on virtual disks, and a mail integration on a Windows Server virtual machine on QEMU (thanks to virt-manager). + diff --git a/w1_dns/0.png b/w1_dns/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/w1_dns/0.png differ diff --git a/w1_dns/1.png b/w1_dns/1.png new file mode 100644 index 0000000..ee5edb1 Binary files /dev/null and b/w1_dns/1.png differ diff --git a/w1_dns/10.png b/w1_dns/10.png new file mode 100644 index 0000000..97d03d8 Binary files /dev/null and b/w1_dns/10.png differ 
diff --git a/w1_dns/11.png b/w1_dns/11.png
new file mode 100644
index 0000000..4875954
Binary files /dev/null and b/w1_dns/11.png differ
diff --git a/w1_dns/12.png b/w1_dns/12.png
new file mode 100644
index 0000000..a3363c8
Binary files /dev/null and b/w1_dns/12.png differ
diff --git a/w1_dns/13.png b/w1_dns/13.png
new file mode 100644
index 0000000..0c8f39d
Binary files /dev/null and b/w1_dns/13.png differ
diff --git a/w1_dns/14.png b/w1_dns/14.png
new file mode 100644
index 0000000..c0c28fb
Binary files /dev/null and b/w1_dns/14.png differ
diff --git a/w1_dns/15.png b/w1_dns/15.png
new file mode 100644
index 0000000..2f80377
Binary files /dev/null and b/w1_dns/15.png differ
diff --git a/w1_dns/16.png b/w1_dns/16.png
new file mode 100644
index 0000000..8ee5cc1
Binary files /dev/null and b/w1_dns/16.png differ
diff --git a/w1_dns/17.png b/w1_dns/17.png
new file mode 100644
index 0000000..1e58923
Binary files /dev/null and b/w1_dns/17.png differ
diff --git a/w1_dns/18.png b/w1_dns/18.png
new file mode 100644
index 0000000..5389575
Binary files /dev/null and b/w1_dns/18.png differ
diff --git a/w1_dns/19.png b/w1_dns/19.png
new file mode 100644
index 0000000..1d1912d
Binary files /dev/null and b/w1_dns/19.png differ
diff --git a/w1_dns/2.png b/w1_dns/2.png
new file mode 100644
index 0000000..66b4c08
Binary files /dev/null and b/w1_dns/2.png differ
diff --git a/w1_dns/20.png b/w1_dns/20.png
new file mode 100644
index 0000000..ecc82fd
Binary files /dev/null and b/w1_dns/20.png differ
diff --git a/w1_dns/21.png b/w1_dns/21.png
new file mode 100644
index 0000000..0c6e7a6
Binary files /dev/null and b/w1_dns/21.png differ
diff --git a/w1_dns/22.png b/w1_dns/22.png
new file mode 100644
index 0000000..d520c79
Binary files /dev/null and b/w1_dns/22.png differ
diff --git a/w1_dns/23.png b/w1_dns/23.png
new file mode 100644
index 0000000..54fd279
Binary files /dev/null and b/w1_dns/23.png differ
diff --git a/w1_dns/24.png b/w1_dns/24.png
new file mode 100644
index 0000000..827a984
Binary files /dev/null and b/w1_dns/24.png differ
diff --git a/w1_dns/25.png b/w1_dns/25.png
new file mode 100644
index 0000000..2577768
Binary files /dev/null and b/w1_dns/25.png differ
diff --git a/w1_dns/26.png b/w1_dns/26.png
new file mode 100644
index 0000000..9a9fe35
Binary files /dev/null and b/w1_dns/26.png differ
diff --git a/w1_dns/3.png b/w1_dns/3.png
new file mode 100644
index 0000000..ca79b33
Binary files /dev/null and b/w1_dns/3.png differ
diff --git a/w1_dns/4.png b/w1_dns/4.png
new file mode 100644
index 0000000..6f1ac98
Binary files /dev/null and b/w1_dns/4.png differ
diff --git a/w1_dns/5.png b/w1_dns/5.png
new file mode 100644
index 0000000..348c7de
Binary files /dev/null and b/w1_dns/5.png differ
diff --git a/w1_dns/6.png b/w1_dns/6.png
new file mode 100644
index 0000000..6ba5e85
Binary files /dev/null and b/w1_dns/6.png differ
diff --git a/w1_dns/7.png b/w1_dns/7.png
new file mode 100644
index 0000000..535d72f
Binary files /dev/null and b/w1_dns/7.png differ
diff --git a/w1_dns/8.png b/w1_dns/8.png
new file mode 100644
index 0000000..7e054c4
Binary files /dev/null and b/w1_dns/8.png differ
diff --git a/w1_dns/9.png b/w1_dns/9.png
new file mode 100644
index 0000000..c37efad
Binary files /dev/null and b/w1_dns/9.png differ
diff --git a/w1_dns/index.md b/w1_dns/index.md
new file mode 100644
index 0000000..ef98b25
--- /dev/null
+++ b/w1_dns/index.md
@@ -0,0 +1,68 @@
+# Windows DNS Server Setup (QEMU)
+
+## **Initial Requirement**
+
+You will require a working Windows Server 2019 VM, or KVM (QEMU) and a graphical access to it:
+
+![](1.png)
+
+## **Installation**
+
+First things first, add the DNS role (service) from the Server Manager Dashboard:
+
+![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png)
+
+We will configure the static ip address later on.
+
+![](7.png)
+
+Then just keep hitting next at everything and install in the end:
+
+![](8.png)
+
+Once it's done installing, we navigate over to the DNS tool:
+
+![](9.png) ![](10.png)
+
+And here we are at the DNS manager utility. Here we're going to setup a local domain for our windows server. But to do so, we first need to setup a static IP address to our machine.
+
+![](11.png)
+
+Hit Win+X > Network Connections> Network and Sharing Center > Change Adapter Settings > Ethernet > Properties
+
+![](12.png) ![](13.png)
+
+Here i selected my host machine as the gateway, and i've setup my windows server to a memorable private ip address: .100 in the 192.168.100 private network that i configured within virt-manager as part of my current QEMU setup.
+
+Now that we're done setting the private ip, we can verify it is working so hit Win+X again:
+
+![](14.png)
+
+Then type ipconfig /all:
+
+![](15.png)
+
+Now that we know our server is at the ip address 192.168.100.100/24 let's face it, noone wants to remember ip addreses we want something easier to remember it with, and therefore, we'll setup a DNS entry (A entry) that will translate the private IP address, into a memorable string. For instance, we'll call this server "coolserver" in our local domain "nowhere.local" And this will give us the resulting domain "coolserver.nowhere.local"
+
+![](16.png) ![](17.png) ![](18.png)
+
+Important thing to note here, this is going to create a .dns file in the system32/dns folder. 
if you don't like windows' GUI, you can always go there and edit the .dns file just like you would edit a .txt file.
+
+## **Creating the A Record**
+
+![](19.png) ![](20.png)
+
+Next we're going to create the A record:
+
+![](21.png) ![](22.png) ![](23.png)
+
+And there we have it! now let's make sure this Windows Server uses the correct DNS by going into the IP settins just like we did earlier on:
+
+![](24.png)
+
+Here we set 127.0.0.1 because this is the loopback address, this points to the server itself. Now let's see if it works from our Powershell Prompt:
+
+![](25.png) ![](26.png)
+
+And as you can see here, we have been able to ping the domain coolserver.nowhere.com that we setup on our local DNS server, and with it, we see that we have been able to guess which ip this domains is referring to.
+
diff --git a/w2_ad/0.png b/w2_ad/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/w2_ad/0.png differ
diff --git a/w2_ad/1.png b/w2_ad/1.png
new file mode 100644
index 0000000..b125268
Binary files /dev/null and b/w2_ad/1.png differ
diff --git a/w2_ad/10.png b/w2_ad/10.png
new file mode 100644
index 0000000..3e8f698
Binary files /dev/null and b/w2_ad/10.png differ
diff --git a/w2_ad/11.png b/w2_ad/11.png
new file mode 100644
index 0000000..e7aa8c4
Binary files /dev/null and b/w2_ad/11.png differ
diff --git a/w2_ad/12.png b/w2_ad/12.png
new file mode 100644
index 0000000..3ccb6fa
Binary files /dev/null and b/w2_ad/12.png differ
diff --git a/w2_ad/13.png b/w2_ad/13.png
new file mode 100644
index 0000000..920bdd8
Binary files /dev/null and b/w2_ad/13.png differ
diff --git a/w2_ad/14.png b/w2_ad/14.png
new file mode 100644
index 0000000..e0998fd
Binary files /dev/null and b/w2_ad/14.png differ
diff --git a/w2_ad/15.png b/w2_ad/15.png
new file mode 100644
index 0000000..91b7bbe
Binary files /dev/null and b/w2_ad/15.png differ
diff --git a/w2_ad/16.png b/w2_ad/16.png
new file mode 100644
index 0000000..172927b
Binary files /dev/null and b/w2_ad/16.png differ
diff --git a/w2_ad/17.png b/w2_ad/17.png
new file mode 100644
index 0000000..f5cd67e
Binary files /dev/null and b/w2_ad/17.png differ
diff --git a/w2_ad/18.png b/w2_ad/18.png
new file mode 100644
index 0000000..0cd4ab6
Binary files /dev/null and b/w2_ad/18.png differ
diff --git a/w2_ad/19.png b/w2_ad/19.png
new file mode 100644
index 0000000..0a2ed99
Binary files /dev/null and b/w2_ad/19.png differ
diff --git a/w2_ad/2.png b/w2_ad/2.png
new file mode 100644
index 0000000..a53bdb6
Binary files /dev/null and b/w2_ad/2.png differ
diff --git a/w2_ad/20.png b/w2_ad/20.png
new file mode 100644
index 0000000..5f2dcdb
Binary files /dev/null and b/w2_ad/20.png differ
diff --git a/w2_ad/21.png b/w2_ad/21.png
new file mode 100644
index 0000000..0258a66
Binary files /dev/null and b/w2_ad/21.png differ
diff --git a/w2_ad/22.png b/w2_ad/22.png
new file mode 100644
index 0000000..8e44559
Binary files /dev/null and b/w2_ad/22.png differ
diff --git a/w2_ad/3.png b/w2_ad/3.png
new file mode 100644
index 0000000..994555e
Binary files /dev/null and b/w2_ad/3.png differ
diff --git a/w2_ad/4.png b/w2_ad/4.png
new file mode 100644
index 0000000..17679b7
Binary files /dev/null and b/w2_ad/4.png differ
diff --git a/w2_ad/5.png b/w2_ad/5.png
new file mode 100644
index 0000000..f1ada17
Binary files /dev/null and b/w2_ad/5.png differ
diff --git a/w2_ad/6.png b/w2_ad/6.png
new file mode 100644
index 0000000..49adfa4
Binary files /dev/null and b/w2_ad/6.png differ
diff --git a/w2_ad/7.png b/w2_ad/7.png
new file mode 100644
index 0000000..9d0c876
Binary files /dev/null and b/w2_ad/7.png differ
diff --git a/w2_ad/8.png b/w2_ad/8.png
new file mode 100644
index 0000000..62c3922
Binary files /dev/null and b/w2_ad/8.png differ
diff --git a/w2_ad/9.png b/w2_ad/9.png
new file mode 100644
index 0000000..ff12aa0
Binary files /dev/null and b/w2_ad/9.png differ
diff --git a/w2_ad/index.md b/w2_ad/index.md
new file mode 100644
index 0000000..57d3085
--- /dev/null
+++ b/w2_ad/index.md
@@ -0,0 +1,40 @@
+# Windows Server AD Setup (QEMU)
+
+## **Initial Requirements**
+
+To begin this tutorial you will need to complete the previous tutorial on DNS. where we setup an A entry pointing to the server's private IP:
+
+![](1.png)
+
+## **AD Installation**
+
+![](2.png) ![](3.png) ![](4.png)
+
+As you can see here, having a DNS service is required to install the Active Directory.
+
+![](5.png) ![](6.png) ![](7.png) ![](8.png)
+
+Now you see the whole point, so let's setup our AD correctly by promoting our server to domain controller but before we do so, let's add another A record that points to the server as the root domain:
+
+![](11.png) ![](12.png)
+
+First we add a forest:
+
+![](15.png) ![](16.png) ![](17.png) ![](18.png)
+
+Then just hit next at everything and hit install at the end and let windows server reboot
+
+## **Post-AD Install**
+
+![](19.png)
+
+As you reboot you can see you've successfully installed the active directory:
+
+![](20.png) ![](21.png)
+
+Once in here you can see that you can access the Active Directory Administrative Center :
+
+![](22.png)
+
+And here we can see we're able to create groups, users, computers, Organizational Units, and that's going to be the topic for the next tutorial.
+
diff --git a/w3_users/0.png b/w3_users/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/w3_users/0.png differ
diff --git a/w3_users/1.png b/w3_users/1.png
new file mode 100644
index 0000000..ab4a7fd
Binary files /dev/null and b/w3_users/1.png differ
diff --git a/w3_users/10.png b/w3_users/10.png
new file mode 100644
index 0000000..dd2366a
Binary files /dev/null and b/w3_users/10.png differ
diff --git a/w3_users/11.png b/w3_users/11.png
new file mode 100644
index 0000000..e0b03db
Binary files /dev/null and b/w3_users/11.png differ
diff --git a/w3_users/12.png b/w3_users/12.png
new file mode 100644
index 0000000..908027b
Binary files /dev/null and b/w3_users/12.png differ
diff --git a/w3_users/13.png b/w3_users/13.png
new file mode 100644
index 0000000..b376601
Binary files /dev/null and b/w3_users/13.png differ
diff --git a/w3_users/14.png b/w3_users/14.png
new file mode 100644
index 0000000..0acc3d6
Binary files /dev/null and b/w3_users/14.png differ
diff --git a/w3_users/15.png b/w3_users/15.png
new file mode 100644
index 0000000..9a12635
Binary files /dev/null and b/w3_users/15.png differ
diff --git a/w3_users/16.png b/w3_users/16.png
new file mode 100644
index 0000000..bee2ec5
Binary files /dev/null and b/w3_users/16.png differ
diff --git a/w3_users/17.png b/w3_users/17.png
new file mode 100644
index 0000000..664e452
Binary files /dev/null and b/w3_users/17.png differ
diff --git a/w3_users/18.png b/w3_users/18.png
new file mode 100644
index 0000000..3379cb8
Binary files /dev/null and b/w3_users/18.png differ
diff --git a/w3_users/2.png b/w3_users/2.png
new file mode 100644
index 0000000..d0dbe44
Binary files /dev/null and b/w3_users/2.png differ
diff --git a/w3_users/20.png b/w3_users/20.png
new file mode 100644
index 0000000..60776b2
Binary files /dev/null and b/w3_users/20.png differ
diff --git a/w3_users/21.png b/w3_users/21.png
new file mode 100644
index 0000000..51725e3
Binary files /dev/null and b/w3_users/21.png differ
diff --git a/w3_users/22.png b/w3_users/22.png
new file mode 100644
index 0000000..9b0dca2
Binary files /dev/null and b/w3_users/22.png differ
diff --git a/w3_users/23.png b/w3_users/23.png
new file mode 100644
index 0000000..f5bd876
Binary files /dev/null and b/w3_users/23.png differ
diff --git a/w3_users/24.png b/w3_users/24.png
new file mode 100644
index 0000000..7fe3c79
Binary files /dev/null and b/w3_users/24.png differ
diff --git a/w3_users/25.png b/w3_users/25.png
new file mode 100644
index 0000000..4bf3360
Binary files /dev/null and b/w3_users/25.png differ
diff --git a/w3_users/26.png b/w3_users/26.png
new file mode 100644
index 0000000..033bdf5
Binary files /dev/null and b/w3_users/26.png differ
diff --git a/w3_users/27.png b/w3_users/27.png
new file mode 100644
index 0000000..0941daa
Binary files /dev/null and b/w3_users/27.png differ
diff --git a/w3_users/28.png b/w3_users/28.png
new file mode 100644
index 0000000..8e9df63
Binary files /dev/null and b/w3_users/28.png differ
diff --git a/w3_users/29.png b/w3_users/29.png
new file mode 100644
index 0000000..f173cfb
Binary files /dev/null and b/w3_users/29.png differ
diff --git a/w3_users/3.png b/w3_users/3.png
new file mode 100644
index 0000000..0bea277
Binary files /dev/null and b/w3_users/3.png differ
diff --git a/w3_users/30.png b/w3_users/30.png
new file mode 100644
index 0000000..74eb6ea
Binary files /dev/null and b/w3_users/30.png differ
diff --git a/w3_users/31.png b/w3_users/31.png
new file mode 100644
index 0000000..e7b7136
Binary files /dev/null and b/w3_users/31.png differ
diff --git a/w3_users/32.png b/w3_users/32.png
new file mode 100644
index 0000000..63a759e
Binary files /dev/null and b/w3_users/32.png differ
diff --git a/w3_users/33.png b/w3_users/33.png
new file mode 100644
index 0000000..f9feaa4
Binary files /dev/null and b/w3_users/33.png differ
diff --git a/w3_users/34.png b/w3_users/34.png
new file mode 100644
index 0000000..8e2d558
Binary files /dev/null and b/w3_users/34.png differ
diff --git a/w3_users/35.png b/w3_users/35.png
new file mode 100644
index 0000000..c58ad29
Binary files /dev/null and b/w3_users/35.png differ
diff --git a/w3_users/36.png b/w3_users/36.png
new file mode 100644
index 0000000..ffb8a61
Binary files /dev/null and b/w3_users/36.png differ
diff --git a/w3_users/4.png b/w3_users/4.png
new file mode 100644
index 0000000..7398d95
Binary files /dev/null and b/w3_users/4.png differ
diff --git a/w3_users/5.png b/w3_users/5.png
new file mode 100644
index 0000000..da7474c
Binary files /dev/null and b/w3_users/5.png differ
diff --git a/w3_users/6.png b/w3_users/6.png
new file mode 100644
index 0000000..4853b4c
Binary files /dev/null and b/w3_users/6.png differ
diff --git a/w3_users/7.png b/w3_users/7.png
new file mode 100644
index 0000000..e79b3a3
Binary files /dev/null and b/w3_users/7.png differ
diff --git a/w3_users/8.png b/w3_users/8.png
new file mode 100644
index 0000000..f8ce3f4
Binary files /dev/null and b/w3_users/8.png differ
diff --git a/w3_users/9.png b/w3_users/9.png
new file mode 100644
index 0000000..bfbbe44
Binary files /dev/null and b/w3_users/9.png differ
diff --git a/w3_users/index.md b/w3_users/index.md
new file mode 100644
index 0000000..3086321
--- /dev/null
+++ b/w3_users/index.md
@@ -0,0 +1,76 @@
+# Windows Server AD Users Setup (QEMU)
+
+## **Requirements**
+
+You'll need a working active directory server :
+
+![](1.png)
+
+You can go to my previous tutorial [here](../w2_ad/index.md)to check how to do that.
+
+## **Setting up the AD**
+
+Now from here just go into your Active Directory Administrative Center:
+
+![](2.png)
+
+And in here we'll first create 2 groups:
+
+![](3.png) ![](4.png) ![](5.png)
+
+So here we have 2 groups : Employees and Commercial. Next we're going to create Organisational Units:
+
+![](6.png) ![](7.png) ![](8.png)
+
+Now that we have our 2 organizational units (Org A and B) we're going to create our users :
+
+![](9.png) ![](10.png)
+
+So now we're going to add this User to the Employees group:
+
+![](11.png)
+
+Now create the second user:
+
+![](12.png)
+
+and add him to the Commercial group:
+
+![](13.png)
+
+Once that's done just click OK and try to login as either of the 2 users we just created:
+
+![](14.png)
+
+## **Logging from another machine**
+
+We will do this from a second windows 10 client machine:
+
+![](21.png) ![](22.png) ![](23.png)
+
+Here just hit that you want this machine to join the local Active Directory Domain:
+
+![](24.png) ![](25.png)
+
+Now here before you hit "Next" you will need to use the correct DNS server which is the Windows Server machine itself. If you don't do that, your machine will not know where the domain name "nowhere.local" is. So hit WIN+X and go into network connections:
+
+![](26.png) ![](27.png) ![](28.png) ![](29.png)
+
+Here i supplied the ip address of my DNS server: my windows server and just hit ok. 
+
+![](30.png)
+
+Now that i supplied the correct DNS server, my machine is able to tell which ip leads to nowhere.local, and therefore we can continue:
+
+![](31.png) ![](32.png) ![](33.png)
+
+From here just hit "restart now", and then login to the user you created earlier:
+
+![](34.png)
+
+And once you're logged in just go check your user's info:
+
+![](35.png) ![](36.png)
+
+And here you can see that you've successfully logged in as the user Someone into your Active directory.
+
diff --git a/w5/0.png b/w5/0.png
new file mode 100644
index 0000000..86f7d3d
Binary files /dev/null and b/w5/0.png differ
diff --git a/w5/1.png b/w5/1.png
new file mode 100644
index 0000000..eb20770
Binary files /dev/null and b/w5/1.png differ
diff --git a/w5/10.png b/w5/10.png
new file mode 100644
index 0000000..730b2ec
Binary files /dev/null and b/w5/10.png differ
diff --git a/w5/11.png b/w5/11.png
new file mode 100644
index 0000000..cf18af5
Binary files /dev/null and b/w5/11.png differ
diff --git a/w5/12.png b/w5/12.png
new file mode 100644
index 0000000..26ecd1a
Binary files /dev/null and b/w5/12.png differ
diff --git a/w5/13.png b/w5/13.png
new file mode 100644
index 0000000..c9639e8
Binary files /dev/null and b/w5/13.png differ
diff --git a/w5/14.png b/w5/14.png
new file mode 100644
index 0000000..30442e1
Binary files /dev/null and b/w5/14.png differ
diff --git a/w5/15.png b/w5/15.png
new file mode 100644
index 0000000..c99a5a6
Binary files /dev/null and b/w5/15.png differ
diff --git a/w5/16.png b/w5/16.png
new file mode 100644
index 0000000..9ff103d
Binary files /dev/null and b/w5/16.png differ
diff --git a/w5/17.png b/w5/17.png
new file mode 100644
index 0000000..06a2789
Binary files /dev/null and b/w5/17.png differ
diff --git a/w5/18.png b/w5/18.png
new file mode 100644
index 0000000..a0eed39
Binary files /dev/null and b/w5/18.png differ
diff --git a/w5/19.png b/w5/19.png
new file mode 100644
index 0000000..287756b
Binary files /dev/null and b/w5/19.png differ
diff --git a/w5/2.png b/w5/2.png
new file mode 100644
index 0000000..b5b1d63
Binary files /dev/null and b/w5/2.png differ
diff --git a/w5/20.png b/w5/20.png
new file mode 100644
index 0000000..49af820
Binary files /dev/null and b/w5/20.png differ
diff --git a/w5/21.png b/w5/21.png
new file mode 100644
index 0000000..9b5d20a
Binary files /dev/null and b/w5/21.png differ
diff --git a/w5/22.png b/w5/22.png
new file mode 100644
index 0000000..2a1c75a
Binary files /dev/null and b/w5/22.png differ
diff --git a/w5/23.png b/w5/23.png
new file mode 100644
index 0000000..173bb8e
Binary files /dev/null and b/w5/23.png differ
diff --git a/w5/24.png b/w5/24.png
new file mode 100644
index 0000000..ee8d63a
Binary files /dev/null and b/w5/24.png differ
diff --git a/w5/25.png b/w5/25.png
new file mode 100644
index 0000000..41b3da5
Binary files /dev/null and b/w5/25.png differ
diff --git a/w5/26.png b/w5/26.png
new file mode 100644
index 0000000..00969cb
Binary files /dev/null and b/w5/26.png differ
diff --git a/w5/27.png b/w5/27.png
new file mode 100644
index 0000000..2fce369
Binary files /dev/null and b/w5/27.png differ
diff --git a/w5/28.png b/w5/28.png
new file mode 100644
index 0000000..8335d11
Binary files /dev/null and b/w5/28.png differ
diff --git a/w5/29.png b/w5/29.png
new file mode 100644
index 0000000..7101071
Binary files /dev/null and b/w5/29.png differ
diff --git a/w5/3.png b/w5/3.png
new file mode 100644
index 0000000..d9640ff
Binary files /dev/null and b/w5/3.png differ
diff --git a/w5/30.png b/w5/30.png
new file mode 100644
index 0000000..9301bc4
Binary files /dev/null and b/w5/30.png differ
diff --git a/w5/31.png b/w5/31.png
new file mode 100644
index 0000000..532e26f
Binary files /dev/null and b/w5/31.png differ
diff --git a/w5/32.png b/w5/32.png
new file mode 100644
index 0000000..c6605a8
Binary files /dev/null and b/w5/32.png differ
diff --git a/w5/33.png b/w5/33.png
new file mode 100644
index 0000000..e79c709
Binary files /dev/null and b/w5/33.png differ
diff --git a/w5/34.png b/w5/34.png
new file mode 100644
index 0000000..9ce4f1a
Binary files /dev/null and b/w5/34.png differ
diff --git a/w5/35.png b/w5/35.png
new file mode 100644
index 0000000..befbef2
Binary files /dev/null and b/w5/35.png differ
diff --git a/w5/36.png b/w5/36.png
new file mode 100644
index 0000000..21de76d
Binary files /dev/null and b/w5/36.png differ
diff --git a/w5/37.png b/w5/37.png
new file mode 100644
index 0000000..0a1d9a1
Binary files /dev/null and b/w5/37.png differ
diff --git a/w5/38.png b/w5/38.png
new file mode 100644
index 0000000..e503b12
Binary files /dev/null and b/w5/38.png differ
diff --git a/w5/39.png b/w5/39.png
new file mode 100644
index 0000000..de4c3c2
Binary files /dev/null and b/w5/39.png differ
diff --git a/w5/4.png b/w5/4.png
new file mode 100644
index 0000000..d9f9a70
Binary files /dev/null and b/w5/4.png differ
diff --git a/w5/40.png b/w5/40.png
new file mode 100644
index 0000000..a736e3a
Binary files /dev/null and b/w5/40.png differ
diff --git a/w5/41.png b/w5/41.png
new file mode 100644
index 0000000..ffa8c41
Binary files /dev/null and b/w5/41.png differ
diff --git a/w5/42.png b/w5/42.png
new file mode 100644
index 0000000..4da8a1b
Binary files /dev/null and b/w5/42.png differ
diff --git a/w5/43.png b/w5/43.png
new file mode 100644
index 0000000..e767e75
Binary files /dev/null and b/w5/43.png differ
diff --git a/w5/44.png b/w5/44.png
new file mode 100644
index 0000000..f29349c
Binary files /dev/null and b/w5/44.png differ
diff --git a/w5/45.png b/w5/45.png
new file mode 100644
index 0000000..8b1fe98
Binary files /dev/null and b/w5/45.png differ
diff --git a/w5/46.png b/w5/46.png
new file mode 100644
index 0000000..ae5d403
Binary files /dev/null and b/w5/46.png differ
diff --git a/w5/47.png b/w5/47.png
new file mode 100644
index 0000000..52105ab
Binary files /dev/null and b/w5/47.png differ
diff --git a/w5/48.png b/w5/48.png
new file mode 100644
index 0000000..76e38f3
Binary files /dev/null and b/w5/48.png differ
diff --git a/w5/49.png b/w5/49.png
new file mode 100644
index 0000000..9a68dcc
Binary files /dev/null and b/w5/49.png differ
diff --git a/w5/5.png b/w5/5.png
new file mode 100644
index 0000000..11ec07a
Binary files /dev/null and b/w5/5.png differ
diff --git a/w5/50.png b/w5/50.png
new file mode 100644
index 0000000..269af33
Binary files /dev/null and b/w5/50.png differ
diff --git a/w5/51.png b/w5/51.png
new file mode 100644
index 0000000..820f45d
Binary files /dev/null and b/w5/51.png differ
diff --git a/w5/52.png b/w5/52.png
new file mode 100644
index 0000000..13e871c
Binary files /dev/null and b/w5/52.png differ
diff --git a/w5/53.png b/w5/53.png
new file mode 100644
index 0000000..5072472
Binary files /dev/null and b/w5/53.png differ
diff --git a/w5/54.png b/w5/54.png
new file mode 100644
index 0000000..2080024
Binary files /dev/null and b/w5/54.png differ
diff --git a/w5/55.png b/w5/55.png
new file mode 100644
index 0000000..a1914c0
Binary files /dev/null and b/w5/55.png differ
diff --git a/w5/6.png b/w5/6.png
new file mode 100644
index 0000000..50ac690
Binary files /dev/null and b/w5/6.png differ
diff --git a/w5/7.png b/w5/7.png
new file mode 100644
index 0000000..787b363
Binary files /dev/null and b/w5/7.png differ
diff --git a/w5/8.png b/w5/8.png
new file mode 100644
index 0000000..78f099a
Binary files /dev/null and b/w5/8.png differ
diff --git a/w5/9.png b/w5/9.png
new file mode 100644
index 0000000..fee9e40
Binary files /dev/null and b/w5/9.png differ
diff --git a/w5/index.md b/w5/index.md
new file mode 100644
index 0000000..6d92985
--- /dev/null
+++ b/w5/index.md
@@ -0,0 +1,155 @@
+# Windows Server 2019 on Proxmox
+
+## **Initial Setup**
+
+First go get the ISO [here](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019) and then upload it to proxmox:
+
+![](0.png) ![](1.png)
+
+Here are my settings, make sure to tweak them to match what you need.
+
+![](2.png) ![](3.png)
+
+Use SPICE to view what's happening on the machine:
+
+![](4.png) ![](5.png)
+
+by default, virt-viewer captures your mouse and keyboard, if you want to escape it you need to type CTRL+ALT+R
+
+After that, let WS2019 install itself, the VM may reboot a few times:
+
+![](6.png)
+
+Here to send a CTRL+ALT+DEL you can use virt-viewer's sendkey feature, then after that login with the admin account you just created:
+
+![](7.png)
+
+Before we start let's get confortable and set the screen resolution right:
+
+![](8.png) ![](9.png)
+
+By default on WS2019 there is only Internet Explorer, so let's get firefox on it, to do so we will simply download a firefox 64bit executable on our host machine, use python3's http module to make it available on our local network (here its 10.0.0.0/16) and retrieve it on windows server:
+
+![](10.png)
+
+We move the executable into the /tmp directory alternative called /dev/shm
+
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [~]
+ → cd Downloads
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [~/Downloads]
+ → ls -lash Firefox\ Setup\ 87.0.exe
+ 55M -rw-r--r-- 1 nothing nothing 55M Mar 27 15:26 'Firefox Setup 87.0.exe'
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [~/Downloads]
+ → mv Firefox\ Setup\ 87.0.exe firefox.exe
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [~/Downloads]
+ → mv firefox.exe /dev/shm/firefox.exe
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [~/Downloads]
+ → cd /dev/shm
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [/dev/shm]
+ → ls
+ firefox.exe
+
+ [ 10.0.0.10/16 ] [ /dev/pts/35 ] [/dev/shm]
+ → python3 -m http.server 8080
+ Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... 
+
+
+
+Now we will retrieve it on our windows machine:
+
+![](11.png)
+
+We will use the Invoke-WebRequest powershell command that got aliased to 'curl' to get our firefox installer file at the **http://10.0.0.10:8080** URL:
+
+![](12.png)
+
+Then just run the executable to install firefox, after that we are going to follow our previous windows server guides and first install DNS using the server manager:
+
+![](14.png)
+
+Now that firefox is our default browser, let's get rid of that annoying SPICE virt-viewer, we will simply enable windows remote desktop:
+
+![](15.png) ![](16.png)
+
+Now that's done, make sure your windows server has a static IP:
+
+![](17.png)
+
+With this we know that the RDP connection will be made to 10.0.0.204 at the 3386 port (windows' default RDP port) If you are on a windows machine host, you can use **WIN+R mstrc** and then just give it the ip of the machine, Or if you are in linux, you can install remmina to remote desktop into your windows server 2019 VM:
+
+![](18.png) ![](19.png) ![](20.png)
+
+And that's it! Now we are ready to work on WS2019 properly, let's get to the DNS installation:
+
+## **DNS Setup**
+
+![](21.png) ![](22.png) ![](23.png)
+
+Then just click Next at everything and hit 'Install'
+
+![](24.png) ![](25.png) ![](26.png)
+
+So here we're going to choose the 'nowhere.local' primary zone:
+
+![](27.png) ![](28.png) ![](29.png)
+
+Now this part right here is going to be used by our Active Directory:
+
+![](30.png)
+
+## **Active Directory Setup**
+
+This is what we need to be able to install our AD and promote our server to being a domain controller. So let's install it:
+
+![](31.png) ![](32.png)
+
+Now promote your WS2019 server to a domain controller:
+
+![](32.png) ![](33.png) ![](35.png) ![](36.png) ![](37.png)
+
+Then just hit next at everything until you get there:
+
+![](38.png)
+
+Hit 'Install' and be patient, because this may take a while, and may reboot aswell. 
Upon rebooting you can see the following:
+
+![](39.png)
+
+Now you know that we have been able to setup our Active Directory properly since we managed to log into it.
+
+Now let's create a few users:
+
+![](41.png) ![](42.png) ![](43.png) ![](44.png)
+
+So right now we managed to create our user called 'nothing' and we will make use of it on a second Win10 VM on the same network:
+
+![](45.png) ![](46.png) ![](47.png) ![](48.png) ![](49.png)
+
+Now to do this you need to setup the DNS server to be our WS2019 because it needs to resolve where nowhere.local is:
+
+![](50.png)
+
+Then you can test if it gets resolved correctly using a simple ping command:
+
+![](51.png) ![](52.png)
+
+Then put in the credentials of the user you created earlier, and then you will get the following:
+
+![](53.png)
+
+Once that's done, let your win10 VM reboot and edit the RDP connection settings:
+
+![](54.png)
+
+And simply connect, and you can see that you have successfully logged onto your Active Directory as the user 'nothing'.
+
+![](55.png)
+
+And that's it! We have been able to install Windows Server 2019 on Proxmox, and configure it with DNS and Active Directory.
+
diff --git a/w6_ldaps/0.png b/w6_ldaps/0.png
new file mode 100644
index 0000000..6777f44
Binary files /dev/null and b/w6_ldaps/0.png differ
diff --git a/w6_ldaps/24.png b/w6_ldaps/24.png
new file mode 100644
index 0000000..685240d
Binary files /dev/null and b/w6_ldaps/24.png differ
diff --git a/w6_ldaps/25.png b/w6_ldaps/25.png
new file mode 100644
index 0000000..45ad161
Binary files /dev/null and b/w6_ldaps/25.png differ
diff --git a/w6_ldaps/26.png b/w6_ldaps/26.png
new file mode 100644
index 0000000..d0f6d3a
Binary files /dev/null and b/w6_ldaps/26.png differ
diff --git a/w6_ldaps/27.png b/w6_ldaps/27.png
new file mode 100644
index 0000000..f64c727
Binary files /dev/null and b/w6_ldaps/27.png differ
diff --git a/w6_ldaps/28.png b/w6_ldaps/28.png
new file mode 100644
index 0000000..842cdb7
Binary files /dev/null and b/w6_ldaps/28.png differ
diff --git a/w6_ldaps/29.png b/w6_ldaps/29.png
new file mode 100644
index 0000000..6fc1fca
Binary files /dev/null and b/w6_ldaps/29.png differ
diff --git a/w6_ldaps/30.png b/w6_ldaps/30.png
new file mode 100644
index 0000000..306ef8f
Binary files /dev/null and b/w6_ldaps/30.png differ
diff --git a/w6_ldaps/31.png b/w6_ldaps/31.png
new file mode 100644
index 0000000..a9ffcf0
Binary files /dev/null and b/w6_ldaps/31.png differ
diff --git a/w6_ldaps/32.png b/w6_ldaps/32.png
new file mode 100644
index 0000000..340e331
Binary files /dev/null and b/w6_ldaps/32.png differ
diff --git a/w6_ldaps/33.png b/w6_ldaps/33.png
new file mode 100644
index 0000000..005e764
Binary files /dev/null and b/w6_ldaps/33.png differ
diff --git a/w6_ldaps/34.png b/w6_ldaps/34.png
new file mode 100644
index 0000000..2cb9b36
Binary files /dev/null and b/w6_ldaps/34.png differ
diff --git a/w6_ldaps/35.png b/w6_ldaps/35.png
new file mode 100644
index 0000000..1683d98
Binary files /dev/null and b/w6_ldaps/35.png differ
diff --git a/w6_ldaps/36.png b/w6_ldaps/36.png
new file mode 100644
index 0000000..cd486ec
Binary files /dev/null and b/w6_ldaps/36.png differ
diff --git a/w6_ldaps/37.png b/w6_ldaps/37.png
new file mode 100644
index 0000000..de08218
Binary files /dev/null and b/w6_ldaps/37.png differ
diff --git a/w6_ldaps/38.png b/w6_ldaps/38.png
new file mode 100644
index 0000000..8e3ba2f
Binary files /dev/null and b/w6_ldaps/38.png differ
diff --git a/w6_ldaps/40.png b/w6_ldaps/40.png
new file mode 100644
index 0000000..6a6d06f
Binary files /dev/null and b/w6_ldaps/40.png differ
diff --git a/w6_ldaps/41.png b/w6_ldaps/41.png
new file mode 100644
index 0000000..f496433
Binary files /dev/null and b/w6_ldaps/41.png differ
diff --git a/w6_ldaps/42.png b/w6_ldaps/42.png
new file mode 100644
index 0000000..8bcc280
Binary files /dev/null and b/w6_ldaps/42.png differ
diff --git a/w6_ldaps/43.png b/w6_ldaps/43.png
new file mode 100644
index 0000000..e0cce94
Binary files /dev/null and b/w6_ldaps/43.png differ
diff --git a/w6_ldaps/44.png b/w6_ldaps/44.png
new file mode 100644
index 0000000..093bdf9
Binary files /dev/null and b/w6_ldaps/44.png differ
diff --git a/w6_ldaps/index.md b/w6_ldaps/index.md
new file mode 100644
index 0000000..b1fd8b8
--- /dev/null
+++ b/w6_ldaps/index.md
@@ -0,0 +1,228 @@ +# Windows Server 2019 LDAPS Setup + +![](0.png) + +LDAPS basically is adding a SSL Layer to the previous LDAP connections that are available on port tcp/389 for Windows Servers, the LDAPS protocol instead uses port tcp/636 and requires a Certificate Authority (CA). + +## **Initial Requirements** + +To make use of this tutorial you will need a working WS2019 server, and with DNS + AD working on it, you can check [this](../w5/index.md) tutorial to get it done. + +Now with this we can test the ldap default port (389) on our WS2019 server (10.0.0.204) + + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → ping 10.0.0.204 + PING 10.0.0.204 (10.0.0.204) 56(84) bytes of data. + 64 bytes from 10.0.0.204: icmp_seq=1 ttl=128 time=1.01 ms + 64 bytes from 10.0.0.204: icmp_seq=2 ttl=128 time=1.59 ms + 64 bytes from 10.0.0.204: icmp_seq=3 ttl=128 time=1.48 ms + 64 bytes from 10.0.0.204: icmp_seq=4 ttl=128 time=0.924 ms + ^C + --- 10.0.0.204 ping statistics --- + 4 packets transmitted, 4 received, 0% packet loss, time 3003ms + rtt min/avg/max/mdev = 0.924/1.249/1.592/0.289 ms + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → nmap -p389 10.0.0.204 + Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 12:34 CEST + Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn + Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → nmap -p389 10.0.0.204 -Pn + Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. + Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 12:34 CEST + Nmap scan report for 10.0.0.204 + Host is up (0.00100s latency). + + PORT STATE SERVICE + 389/tcp open ldap + + Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds + + + +Now we know that the ldap port is open on our windows server host, you can try to log into it using the openldap package's ldapsearch utility and retrieve some infos. 
If you setup your own AD you know at least the ip of the server (10.0.0.204), the domain name (nowhere.local) and one user's credentials (nowhere:password): + + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → ldapsearch -H ldap://10.0.0.204:389 -b dc=nowhere,dc=local -D nothing@nowhere.local -W + + + +## **LDAPS Setup** + +From here we go install the Active Directory Certificate Services on our WS2019 host: + +![](24.png) ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](30.png) ![](31.png) ![](32.png) ![](33.png) ![](34.png) ![](35.png) ![](36.png) + +So that's our result: + +![](37.png) + +Then let it configure, and then we will able to use ldaps on port 636. + +![](38.png) + +We can verify the ldaps port is opened with the following nmap command: + + + [ 10.0.0.10/16 ] [ /dev/pts/46 ] [~] + → nmap -p389,636 10.0.0.204 -Pn -sCV + Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. + Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 15:25 CEST + Nmap scan report for 10.0.0.204 + Host is up (0.00090s latency). + + PORT STATE SERVICE VERSION + 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nowhere.local0., Site: Default-First-Site-Name) + 636/tcp open tcpwrapped + Service Info: Host: WIN-LJT7MG0NF5R; OS: Windows; CPE: cpe:/o:microsoft:windows + + Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
+ Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds + + + +the ldaps port is opened, however we still need to reboot our WS2019 VM: + +![](41.png) + +## **Testing the LDAPS connection** + +However most importantly we need to check if other hosts on the local network can see the new certificate correctly, so before we check that, let's check if we can check our own certificate from the windows server host: + +![](40.png) ![](42.png) ![](43.png) + +So we are able to see our own LDAPS SSL certificate: + +![](44.png) + +So now we need to stee if pfsense can see the ldaps SSL certificate: + +To do so we can use the 'ldapsearch' tool available in the [openldap package ](https://command-not-found.com/ldapsearch): + + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → sudo pacman -S openldap + [sudo] password for nothing: + resolving dependencies... + looking for conflicting packages... + + Package (1) New Version Net Change Download Size + + core/openldap 2.4.57-1 4.15 MiB 1.42 MiB + + Total Download Size: 1.42 MiB + Total Installed Size: 4.15 MiB + + :: Proceed with installation? 
[Y/n] y + + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → which ldapsearch + /usr/bin/ldapsearch + + + + + [ 10.0.0.10/16 ] [ /dev/pts/45 ] [~] + → openssl s_client -showcerts -connect 10.0.0.204:636 + CONNECTED(00000003) + Can't use SSL_get_servername + depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local + verify error:num=20:unable to get local issuer certificate + verify return:1 + depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local + verify error:num=21:unable to verify the first certificate + verify return:1 + depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local + verify return:1 + --- + Certificate chain + 0 s:CN = WIN-LJT7MG0NF5R.nowhere.local + i:DC = local, DC = nowhere, CN = nowhere-CA + -----BEGIN CERTIFICATE----- + MIIG+zCCBOOgAwIBAgITVQAAAAKR6/iCOHueEQAAAAAAAjANBgkqhkiG9w0BAQ0F + ADBFMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFzAVBgoJkiaJk/IsZAEZFgdub3do + ZXJlMRMwEQYDVQQDEwpub3doZXJlLUNBMB4XDTIxMDMyODEzMzMxM1oXDTIyMDMy + ODEzMzMxM1owKDEmMCQGA1UEAxMdV0lOLUxKVDdNRzBORjVSLm5vd2hlcmUubG9j + YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCRQ0d8ZYEYy8es0Dix + 6UDS8fwRRmhZ+TsBRIy8bwrwWYukcRxxo/Vijk1olvi3qS3nK6mZmT25g9zTHbPF + WalPVWtiZqQUL1dg9FBuzWHTD4+7uXa8KTy6I8ICa9GgfFleP1LzncKPJ/UYtEpT + MioQfOXz5XmAZqgVIFx3onkdVM9XHYt6T9mnOJMw/JiE9o54z64PCGg/IxcA7ZYV + lpMdIWhuO92sjhzJ8BEcyLvVrJjpPwlbQ0w46k35KY/j3oOrP01UEw6x+4teuiwn + bPo72GJQjP9qvKDj9H6sh4bSaue8wA39OlqT5eCYL57kxmIOJ0hSRWC9jIFJlyPK + GGLVAgMBAAGjggL/MIIC+zAvBgkrBgEEAYI3FAIEIh4gAEQAbwBtAGEAaQBuAEMA + bwBuAHQAcgBvAGwAbABlAHIwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB + MA4GA1UdDwEB/wQEAwIFoDB4BgkqhkiG9w0BCQ8EazBpMA4GCCqGSIb3DQMCAgIA + gDAOBggqhkiG9w0DBAICAIAwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglg + hkgBZQMEAQIwCwYJYIZIAWUDBAEFMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1Ud + DgQWBBSr+hTuXL/n4V7mTbXcKgPUQmvA8zAfBgNVHSMEGDAWgBQ1GNjpvSPea8eP + 2DJGHHpmXOz7PTCB0gYDVR0fBIHKMIHHMIHEoIHBoIG+hoG7bGRhcDovLy9DTj1u + b3doZXJlLUNBLENOPVdJTi1MSlQ3TUcwTkY1UixDTj1DRFAsQ049UHVibGljJTIw + S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1u + 
b3doZXJlLERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9v + YmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvgYIKwYBBQUHAQEEgbEw + ga4wgasGCCsGAQUFBzAChoGebGRhcDovLy9DTj1ub3doZXJlLUNBLENOPUFJQSxD + Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1 + cmF0aW9uLERDPW5vd2hlcmUsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i + amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwSQYDVR0RBEIwQKAfBgkr + BgEEAYI3GQGgEgQQxn6cUfiuyUaEppT8x7iyk4IdV0lOLUxKVDdNRzBORjVSLm5v + d2hlcmUubG9jYWwwDQYJKoZIhvcNAQENBQADggIBAKMGBpS4aAAAaTdn7CJnRnaD + jpWDnhO0PBisnOi1xQ/BZv6rqoglLlRSxXEQUSJKbpDPO46/vmQC0TA95fen9SW2 + tWRfWgq6QjnhBiHR9CrJtnZEx+NrDEx93SLWFX4uC5MdEtuVZdE6yaWmMBaz4X+6 + 300BvF9hkTY5EWnb/jLtFqm3JhuXX9C5n6Z/3uVfq6RZCkw546Fh26f60Sz3J/c+ + 2f3YggzflgAsP5KiApfhzLdpTHG53o7nuO4KJHKC1NL03Swd2DV/sFwyLvK8jxlZ + r1BhU/8kWXwdof5qHGiSbLBaTVqF0sIoowNKsA2zY9NI3kaPGTHGfl3K7yuF/u5D + 7vpR0x1eBrV5sYOcM0pVwQU5BkghwQ3CF+Opz+WLGCSnyfpxiAVWfKHfb3h4X6X+ + 2ZCXuBdoGvHIYOxlrYt1B+HN2PPgoWo9GHtjG/5cLvO6GrDk3LID+/CfRcXZ7ec/ + yl0BDrTAhjJgvRtGOkalEa8tASdDpvqNPaC2oNdiIpL51y0UPlpJzaHpmBLhw134 + gbqDMCUQcmGezs5jKv0COSj49VEGGqwn+jkuNfUd77Z2uj+o9+nyanbVebegt0ha + HI9ABZer/1lGSE8IQu/bu36eRyXvy1SkKEtnvep7gi2Jea0ehWMqHnaB+8nTIEAn + 7+Ple+iGS+2VPDYt/Nkg + -----END CERTIFICATE----- + --- + Server certificate + subject=CN = WIN-LJT7MG0NF5R.nowhere.local + + issuer=DC = local, DC = nowhere, CN = nowhere-CA + + --- + No client certificate CA names sent + Client Certificate Types: RSA sign, DSA sign, ECDSA sign + Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512 + Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512 + Peer signing digest: SHA256 + Peer signature type: RSA + Server Temp Key: ECDH, P-384, 384 bits + --- + SSL handshake has read 2341 bytes and written 463 bytes + Verification error: unable to verify the first certificate + --- + New, 
TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 + Server public key is 2048 bit + Secure Renegotiation IS supported + Compression: NONE + Expansion: NONE + No ALPN negotiated + SSL-Session: + Protocol : TLSv1.2 + Cipher : ECDHE-RSA-AES256-GCM-SHA384 + Session-ID: 6C380000DE31D09F82EC8C531A3EC2F49F690C7DD3729D1678B2399207149AC4 + Session-ID-ctx: + Master-Key: 9581A15DB6A1D6FC3EF0D114B9FF19AE73E3676493EB75738BD1A81A310F6C391D0FB1354A61668ED33E9D9590F3BE65 + PSK identity: None + PSK identity hint: None + SRP username: None + Start Time: 1616939581 + Timeout : 7200 (sec) + Verify return code: 21 (unable to verify the first certificate) + Extended master secret: yes + --- + + + +And that's it! We have been able to setup the LDAPS protocol on Windows Server 2019 + diff --git a/w7/0.png b/w7/0.png new file mode 100644 index 0000000..4f2204c Binary files /dev/null and b/w7/0.png differ diff --git a/w7/1.png b/w7/1.png new file mode 100644 index 0000000..847e2f7 Binary files /dev/null and b/w7/1.png differ diff --git a/w7/10.png b/w7/10.png new file mode 100644 index 0000000..08cf85d Binary files /dev/null and b/w7/10.png differ diff --git a/w7/11.png b/w7/11.png new file mode 100644 index 0000000..27bf071 Binary files /dev/null and b/w7/11.png differ diff --git a/w7/12.png b/w7/12.png new file mode 100644 index 0000000..2a13da9 Binary files /dev/null and b/w7/12.png differ diff --git a/w7/13.png b/w7/13.png new file mode 100644 index 0000000..cfa5511 Binary files /dev/null and b/w7/13.png differ diff --git a/w7/14.png b/w7/14.png new file mode 100644 index 0000000..3f47757 Binary files /dev/null and b/w7/14.png differ diff --git a/w7/15.png b/w7/15.png new file mode 100644 index 0000000..1c73273 Binary files /dev/null and b/w7/15.png differ diff --git a/w7/16.png b/w7/16.png new file mode 100644 index 0000000..39a1b35 Binary files /dev/null and b/w7/16.png differ 
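Review bot: The closing `And that's it!` is premature: the `openssl s_client` output directly above ends with `Verify return code: 21 (unable to verify the first certificate)`, so the client never validated the chain up to `nowhere-CA` — it only received a certificate, which is exactly what a spoofed server would also present. Export the CA certificate from the new AD CS role and verify against it, e.g. `openssl s_client -connect 10.0.0.204:636 -CAfile nowhere-CA.pem`, and point ldapsearch at `ldaps://10.0.0.204:636` with `TLS_CACERT` set in ldap.conf (or the `LDAPTLS_CACERT` environment variable) so a verification failure is fatal rather than ignored. The earlier test bind `ldapsearch -H ldap://10.0.0.204:389 -b dc=nowhere,dc=local -D nothing@nowhere.local -W` sends the simple-bind password in cleartext over tcp/389; once 636 is trusted the tutorial should repeat that bind over `ldaps://` and note that plain LDAP on 389 stays reachable unless LDAP signing / channel binding is required on the DC. Verifying the chain end-to-end from a client is the test that actually proves LDAPS is set up.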
diff --git a/w7/17.png b/w7/17.png
new file mode 100644
index 0000000..b0b5c05
Binary files /dev/null and b/w7/17.png differ
diff --git a/w7/18.png b/w7/18.png
new file mode 100644
index 0000000..263f4ff
Binary files /dev/null and b/w7/18.png differ
diff --git a/w7/19.png b/w7/19.png
new file mode 100644
index 0000000..51323b8
Binary files /dev/null and b/w7/19.png differ
diff --git a/w7/2.png b/w7/2.png
new file mode 100644
index 0000000..ad2b724
Binary files /dev/null and b/w7/2.png differ
diff --git a/w7/20.png b/w7/20.png
new file mode 100644
index 0000000..46fc4db
Binary files /dev/null and b/w7/20.png differ
diff --git a/w7/21.png b/w7/21.png
new file mode 100644
index 0000000..3e1f116
Binary files /dev/null and b/w7/21.png differ
diff --git a/w7/22.png b/w7/22.png
new file mode 100644
index 0000000..aae8c50
Binary files /dev/null and b/w7/22.png differ
diff --git a/w7/23.png b/w7/23.png
new file mode 100644
index 0000000..69bcaf2
Binary files /dev/null and b/w7/23.png differ
diff --git a/w7/24.png b/w7/24.png
new file mode 100644
index 0000000..6382c31
Binary files /dev/null and b/w7/24.png differ
diff --git a/w7/25.png b/w7/25.png
new file mode 100644
index 0000000..b32d2fc
Binary files /dev/null and b/w7/25.png differ
diff --git a/w7/26.png b/w7/26.png
new file mode 100644
index 0000000..274438b
Binary files /dev/null and b/w7/26.png differ
diff --git a/w7/27.png b/w7/27.png
new file mode 100644
index 0000000..4bb92af
Binary files /dev/null and b/w7/27.png differ
diff --git a/w7/28.png b/w7/28.png
new file mode 100644
index 0000000..db3e425
Binary files /dev/null and b/w7/28.png differ
diff --git a/w7/29.png b/w7/29.png
new file mode 100644
index 0000000..c6ed11e
Binary files /dev/null and b/w7/29.png differ
diff --git a/w7/3.png b/w7/3.png
new file mode 100644
index 0000000..7c79007
Binary files /dev/null and b/w7/3.png differ
diff --git a/w7/30.png b/w7/30.png
new file mode 100644
index 0000000..43b54e7
Binary files /dev/null and b/w7/30.png differ
diff --git a/w7/31.png b/w7/31.png
new file mode 100644
index 0000000..f91b134
Binary files /dev/null and b/w7/31.png differ
diff --git a/w7/32.png b/w7/32.png
new file mode 100644
index 0000000..158e8b9
Binary files /dev/null and b/w7/32.png differ
diff --git a/w7/33.png b/w7/33.png
new file mode 100644
index 0000000..67268ec
Binary files /dev/null and b/w7/33.png differ
diff --git a/w7/34.png b/w7/34.png
new file mode 100644
index 0000000..7573902
Binary files /dev/null and b/w7/34.png differ
diff --git a/w7/35.png b/w7/35.png
new file mode 100644
index 0000000..73e8ca4
Binary files /dev/null and b/w7/35.png differ
diff --git a/w7/36.png b/w7/36.png
new file mode 100644
index 0000000..32c964a
Binary files /dev/null and b/w7/36.png differ
diff --git a/w7/37.png b/w7/37.png
new file mode 100644
index 0000000..12b603d
Binary files /dev/null and b/w7/37.png differ
diff --git a/w7/38.png b/w7/38.png
new file mode 100644
index 0000000..cf284b8
Binary files /dev/null and b/w7/38.png differ
diff --git a/w7/39.png b/w7/39.png
new file mode 100644
index 0000000..6df97d5
Binary files /dev/null and b/w7/39.png differ
diff --git a/w7/4.png b/w7/4.png
new file mode 100644
index 0000000..273cc02
Binary files /dev/null and b/w7/4.png differ
diff --git a/w7/40.png b/w7/40.png
new file mode 100644
index 0000000..f14c14d
Binary files /dev/null and b/w7/40.png differ
diff --git a/w7/41.png b/w7/41.png
new file mode 100644
index 0000000..7de6523
Binary files /dev/null and b/w7/41.png differ
diff --git a/w7/42.png b/w7/42.png
new file mode 100644
index 0000000..01880e2
Binary files /dev/null and b/w7/42.png differ
diff --git a/w7/43.png b/w7/43.png
new file mode 100644
index 0000000..b60cea5
Binary files /dev/null and b/w7/43.png differ
diff --git a/w7/44.png b/w7/44.png
new file mode 100644
index 0000000..84227de
Binary files /dev/null and b/w7/44.png differ
diff --git a/w7/45.png b/w7/45.png
new file mode 100644
index 0000000..79b3e26
Binary files /dev/null and b/w7/45.png differ
diff --git a/w7/46.png b/w7/46.png
new file mode 100644
index 0000000..8448bfb
Binary files /dev/null and b/w7/46.png differ
diff --git a/w7/47.png b/w7/47.png
new file mode 100644
index 0000000..0db7808
Binary files /dev/null and b/w7/47.png differ
diff --git a/w7/48.png b/w7/48.png
new file mode 100644
index 0000000..a90edfc
Binary files /dev/null and b/w7/48.png differ
diff --git a/w7/49.png b/w7/49.png
new file mode 100644
index 0000000..9e2cc4e
Binary files /dev/null and b/w7/49.png differ
diff --git a/w7/5.png b/w7/5.png
new file mode 100644
index 0000000..e59feac
Binary files /dev/null and b/w7/5.png differ
diff --git a/w7/50.png b/w7/50.png
new file mode 100644
index 0000000..474b275
Binary files /dev/null and b/w7/50.png differ
diff --git a/w7/51.png b/w7/51.png
new file mode 100644
index 0000000..cfa0894
Binary files /dev/null and b/w7/51.png differ
diff --git a/w7/52.png b/w7/52.png
new file mode 100644
index 0000000..ceb6d0b
Binary files /dev/null and b/w7/52.png differ
diff --git a/w7/53.png b/w7/53.png
new file mode 100644
index 0000000..4914049
Binary files /dev/null and b/w7/53.png differ
diff --git a/w7/54.png b/w7/54.png
new file mode 100644
index 0000000..d856dfb
Binary files /dev/null and b/w7/54.png differ
diff --git a/w7/55.png b/w7/55.png
new file mode 100644
index 0000000..b98ba7f
Binary files /dev/null and b/w7/55.png differ
diff --git a/w7/56.png b/w7/56.png
new file mode 100644
index 0000000..67980b4
Binary files /dev/null and b/w7/56.png differ
diff --git a/w7/57.png b/w7/57.png
new file mode 100644
index 0000000..92f02b1
Binary files /dev/null and b/w7/57.png differ
diff --git a/w7/58.png b/w7/58.png
new file mode 100644
index 0000000..a6686fb
Binary files /dev/null and b/w7/58.png differ
diff --git a/w7/59.png b/w7/59.png
new file mode 100644
index 0000000..3a68d04
Binary files /dev/null and b/w7/59.png differ
diff --git a/w7/6.png b/w7/6.png
new file mode 100644
index 0000000..90e60b0
Binary files /dev/null and b/w7/6.png differ
diff --git a/w7/60.png b/w7/60.png
new file mode 100644
index 0000000..0b83897
Binary files /dev/null and b/w7/60.png differ
diff --git a/w7/61.png b/w7/61.png
new file mode 100644
index 0000000..48283c9
Binary files /dev/null and b/w7/61.png differ
diff --git a/w7/7.png b/w7/7.png
new file mode 100644
index 0000000..eea4dc9
Binary files /dev/null and b/w7/7.png differ
diff --git a/w7/8.png b/w7/8.png
new file mode 100644
index 0000000..2868b48
Binary files /dev/null and b/w7/8.png differ
diff --git a/w7/9.png b/w7/9.png
new file mode 100644
index 0000000..eb3238f
Binary files /dev/null and b/w7/9.png differ
diff --git a/w7/index.md b/w7/index.md
new file mode 100644
index 0000000..fd33f71
--- /dev/null
+++ b/w7/index.md
@@ -0,0 +1,138 @@ +# WS2019 Triple DFS Share replication + +![]() + +In this tutorial we're going to look at how to install DFS Shares accross multiple Windows Server 2019 VMs. We will install them from scratch within proxmox. To do this tutorial you need to have followed the following [tutorial](../w5/index.md) because we're going to include 3 additional Windows Server 2019 VMs to the previous tutorial's WS2019 Active directory. We're going to follow this network graph: + +![](38.png) + +Considering WS2019-A is already there, we're going to first create the 3 other WS2019 VMs and integrate them into WS2019-A's Active Directory Forest. + +## **Initial Windows Server Setup** + +First send the WS2019 iso file to proxmox and then create the VM: + +![](0.png) + +![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](5.png) ![](6.png) ![](7.png) + +Now from here we're going to use the SPICE display console to install WS2019 : + +![](8.png) ![](9.png) + +After that, let it install (from the SPICE window, you can hit CTRL+ALT+R to 'release' the mouse and keyboard capture): + +![](10.png) + +Setup your Administrator account: + +![](11.png) ![](12.png) + +Now we're going to do a few things to setup our WS2019 server to make sure we're more productive, first of all we're going to install firefox on it and then enable RDP: + +![](13.png) + +Get the firefox installer executable onto the VM like so: + +![](14.png) + +Then run the executable wherever you downloaded it: + +![](15.png) + +Then enable RDP as follows: + +![](16.png) ![](17.png) + +Then make sure your WS2019 has a static ip and then you can close the SPICE display to switch to the RDP connection: + +![](18.png) ![](19.png) + +Once you're there, we're ready to start cloning our WS2019 VMs. 
Let's make a clone template: + +![](20.png) ![](21.png) + +Once converted to a template we will clone it a few times to have a WS2019 Trio: + +![](22.png) ![](23.png) + +Now from here we will have to make sure that we change the static IP of each of these cloned VMs to an unique static IP, following their IDs i will set them to be 10.0.0.206 207 and 208: + +![](24.png) ![](25.png) ![](26.png) + +And so we can connect to each of them via RDP: + +![](27.png) + +Right click the first one and hit 'copy' to end up with this result: + +![](28.png) + +And of course test the RDP connections: + +![](29.png) + +Hit 'Yes' at the new certificate warning: + +![](30.png) + +And there you have it! We have been able to setup our 3 cloned Windows Server 2019 VMs. + +## **Linking the VMs to the AD** + +To link Windows Server 2019 to an existing AD you first need to make sure that each of the 3 servers are using the AD controller as it's primary DNS. My primary DNS is 10.0.0.204: + +![](39.png) + +Once that's done each of the 3 servers should be able to ping the nowhere.local domain, which refers to the ip address of the Domain Controller WS2019-A: + +![](40.png) + +From there we can add the 3 servers to the AD with the following method: + +![](41.png) + +Log into the AD using the Administrator credentials of the domain controller WS2019-A itself. + +![](42.png) + +Once that's done simply reboot and you will see that your WS2019 server is part of the AD. + +![](43.png) + +Once that's done make sure you change the RDP connections to include the AD Domain as described above. Back into the WS2019 server included within the AD we see the following: + +![](44.png) + +Which confirms that we managed to include our WS2019 VM into the existing AD. 
Same thing for our 2 other VMs: + +![](45.png) + +## **The DFS utility** + +Now that we managed to include our 3 WS2019 Servers to the existing AD, we can now install DFS: + +![](31.png) ![](32.png) ![](33.png) + +Let it install and then go to Tools: + +![](46.png) ![](47.png) ![](48.png) ![](49.png) + +Here we want a full mesh topology: + +![](50.png) ![](51.png) ![](52.png) ![](53.png) + +If you get this error trying to setup a host, make sure you installed DFS on the other hosts and try again. + +![](54.png) + +Once that's done we can keep going: + +![](55.png) ![](56.png) ![](57.png) ![](58.png) + +Now that the replication has been setup, let's see if it actually works across the 3 WS2019 servers: + +![](59.png) ![](60.png) ![](61.png) + +And that's it! We have been able to create a triple DFS replication across 3 WS2019 VMs. + diff --git a/w7/mesh.png b/w7/mesh.png new file mode 100644 index 0000000..ee20bff Binary files /dev/null and b/w7/mesh.png differ diff --git a/watchtower/0.png b/watchtower/0.png new file mode 100644 index 0000000..ec7538e Binary files /dev/null and b/watchtower/0.png differ diff --git a/watchtower/index.md b/watchtower/index.md new file mode 100644 index 0000000..f217869 --- /dev/null +++ b/watchtower/index.md 
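Review bot: The step `Hit 'Yes' at the new certificate warning` in the RDP section teaches accepting an unknown RDP certificate without checking it; the note should say to compare the thumbprint in the warning with the listener certificate on the server before accepting, and not to tick the "don't ask again" option, since a remembered trust for the wrong certificate persists across reconnects. The domain-join step (`Log into the AD using the Administrator credentials of the domain controller WS2019-A itself`) uses the domain's top-privilege account on each of the three clones; a least-privilege alternative is a dedicated account delegated only the right to join computers to the domain, which is worth a sentence here. Also, the first image reference in the file, `![]()`, has no path and renders nothing — presumably it was meant to point at one of the added PNGs.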
@@ -0,0 +1,101 @@ +# watchtower Setup + +![](0.png) + +In this tutorial we'll setup a watchtower container, used to upgrade all all docker images automatically + +## **Initial Setup** + +First install the required packages: + + + apt install docker.io docker-compose + + + +![]() + + + [ nowhere.moe ] [ /dev/pts/4 ] [/srv/watchtower] + → vim docker-compose.yml + + [ nowhere.moe ] [ /dev/pts/4 ] [/srv/watchtower] + → cat docker-compose.yml + version: "3" + services: + watchtower: + image: containrrr/watchtower + volumes: + - /var/run/docker.sock:/var/run/docker.sock + + [ nowhere.moe ] [ /dev/pts/4 ] [/srv/watchtower] + → docker-compose up + + Creating network "watchtower_default" with the default driver + Pulling watchtower (containrrr/watchtower:)... + latest: Pulling from containrrr/watchtower + 57241801ebfd: Pull complete + 3d4f475b92a2: Pull complete + 1f05004da6d7: Pull complete + Digest: sha256:6dd50763bbd632a83cb154d5451700530d1e44200b268a4e9488fefdfcf2b038 + Status: Downloaded newer image for containrrr/watchtower:latest + Creating watchtower_watchtower_1 ... 
done + Attaching to watchtower_watchtower_1 + watchtower_1 | time="2024-01-16T17:35:57Z" level=info msg="Watchtower 1.7.1" + watchtower_1 | time="2024-01-16T17:35:57Z" level=info msg="Using no notifications" + watchtower_1 | time="2024-01-16T17:35:57Z" level=info msg="Checking all containers (except explicitly disabled with label)" + watchtower_1 | time="2024-01-16T17:35:57Z" level=info msg="Scheduling first run: 2024-01-17 17:35:57 +0000 UTC" + watchtower_1 | time="2024-01-16T17:35:57Z" level=info msg="Note that the first check will be performed in 23 hours, 59 minutes, 59 seconds" + + + [ nowhere.moe ] [ /dev/pts/4 ] [/srv/watchtower] + → cat docker-compose.yml + version: "3" + services: + watchtower: + image: containrrr/watchtower + volumes: + - /var/run/docker.sock:/var/run/docker.sock + command: --interval 30 + + [ nowhere.moe ] [ /dev/pts/4 ] [/srv/watchtower] + → docker-compose up + Recreating watchtower_watchtower_1 ... done + Attaching to watchtower_watchtower_1 + watchtower_1 | time="2024-01-16T17:38:14Z" level=info msg="Watchtower 1.7.1" + watchtower_1 | time="2024-01-16T17:38:14Z" level=info msg="Using no notifications" + watchtower_1 | time="2024-01-16T17:38:14Z" level=info msg="Checking all containers (except explicitly disabled with label)" + watchtower_1 | time="2024-01-16T17:38:14Z" level=info msg="Scheduling first run: 2024-01-16 17:38:44 +0000 UTC" + watchtower_1 | time="2024-01-16T17:38:14Z" level=info msg="Note that the first check will be performed in 29 seconds" + watchtower_1 | time="2024-01-16T17:38:52Z" level=info msg="Found new matrixdotorg/synapse:latest image (73ab629ff922)" + watchtower_1 | time="2024-01-16T17:39:02Z" level=info msg="Found new awesometechnologies/synapse-admin:latest image (0170f12af3da)" + watchtower_1 | time="2024-01-16T17:39:05Z" level=warning msg="Could not do a head request for \"wikiless_wikiless:latest\", falling back to regular pull." 
container=/wikiless image="wikiless_wikiless:latest" + watchtower_1 | time="2024-01-16T17:39:05Z" level=warning msg="Reason: registry responded to head request with \"401 Unauthorized\", auth: \"Bearer realm=\\\"https://auth.docker.io/token\\\",service=\\\"registry.docker.io\\\",scope=\\\"repository:library/wikiless_wikiless:pull\\\",error=\\\"insufficient_scope\\\"\"" container=/wikiless image="wikiless_wikiless:latest" + watchtower_1 | time="2024-01-16T17:39:06Z" level=info msg="Unable to update container \"/wikiless\": Error response from daemon: pull access denied for wikiless_wikiless, repository does not exist or may require 'docker login': denied: requested access to the resource is denied. Proceeding to next." + watchtower_1 | time="2024-01-16T17:39:20Z" level=info msg="Found new redis:latest image (bdff4838c172)" + watchtower_1 | time="2024-01-16T17:39:29Z" level=info msg="Found new quay.io/prometheus/node-exporter:latest image (72c9c2088986)" + watchtower_1 | time="2024-01-16T17:39:32Z" level=info msg="Found new zedeus/nitter:latest image (6f530b12032e)" + watchtower_1 | time="2024-01-16T17:39:41Z" level=info msg="Found new redis:6-alpine image (0e8d64a9df81)" + watchtower_1 | time="2024-01-16T17:39:52Z" level=info msg="Found new louislam/uptime-kuma:1 image (b23ac695b1b4)" + watchtower_1 | time="2024-01-16T17:39:53Z" level=warning msg="Could not do a head request for \"anonymousoverflow_anonymousoverflow:latest\", falling back to regular pull." 
container=/app image="anonymousoverflow_anonymousoverflow:latest" + watchtower_1 | time="2024-01-16T17:39:53Z" level=warning msg="Reason: registry responded to head request with \"401 Unauthorized\", auth: \"Bearer realm=\\\"https://auth.docker.io/token\\\",service=\\\"registry.docker.io\\\",scope=\\\"repository:library/anonymousoverflow_anonymousoverflow:pull\\\",error=\\\"insufficient_scope\\\"\"" container=/app image="anonymousoverflow_anonymousoverflow:latest" + watchtower_1 | time="2024-01-16T17:39:54Z" level=info msg="Unable to update container \"/app\": Error response from daemon: pull access denied for anonymousoverflow_anonymousoverflow, repository does not exist or may require 'docker login': denied: requested access to the resource is denied. Proceeding to next." + watchtower_1 | time="2024-01-16T17:39:54Z" level=info msg="Stopping /uptime-kuma (e5ebde3cd501) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:00Z" level=info msg="Stopping /nitter-redis (34c58ce5c039) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:01Z" level=info msg="Stopping /nitter (dd310e501e1d) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:12Z" level=info msg="Stopping /node_exporter (98e33d5e48f7) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:13Z" level=info msg="Stopping /wikiless-redis (feea75ea9847) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:14Z" level=info msg="Stopping /matrix_synapse-admin_1 (165f3f68cf72) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:15Z" level=info msg="Stopping /matrix_synapse (d6556988d78f) with SIGTERM" + watchtower_1 | time="2024-01-16T17:40:22Z" level=info msg="Creating /matrix_synapse" + watchtower_1 | time="2024-01-16T17:40:23Z" level=info msg="Creating /matrix_synapse-admin_1" + watchtower_1 | time="2024-01-16T17:40:23Z" level=info msg="Creating /wikiless-redis" + watchtower_1 | time="2024-01-16T17:40:23Z" level=info msg="Creating /node_exporter" + watchtower_1 | time="2024-01-16T17:40:24Z" level=info 
msg="Creating /nitter" + watchtower_1 | time="2024-01-16T17:40:24Z" level=info msg="Creating /nitter-redis" + watchtower_1 | time="2024-01-16T17:40:24Z" level=info msg="Creating /uptime-kuma" + watchtower_1 | time="2024-01-16T17:40:25Z" level=info msg="Session done" Failed=0 Scanned=21 Updated=7 notify=no + + + + diff --git a/wazuh/0.png b/wazuh/0.png new file mode 100644 index 0000000..b6bdd17 Binary files /dev/null and b/wazuh/0.png differ diff --git a/wazuh/1.png b/wazuh/1.png new file mode 100644 index 0000000..7faeb05 Binary files /dev/null and b/wazuh/1.png differ diff --git a/wazuh/2.png b/wazuh/2.png new file mode 100644 index 0000000..3833e5f Binary files /dev/null and b/wazuh/2.png differ diff --git a/wazuh/3.png b/wazuh/3.png new file mode 100644 index 0000000..5c55c1b Binary files /dev/null and b/wazuh/3.png differ diff --git a/wazuh/index.md b/wazuh/index.md new file mode 100644 index 0000000..377c676 --- /dev/null +++ b/wazuh/index.md 
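Review bot: The compose file in this hunk hands the unrestricted Docker socket (`/var/run/docker.sock`) to an image pulled unpinned as `containrrr/watchtower` (resolved to `:latest`), which makes that image root-equivalent on the host, so its own updates become the host's trust boundary; pin it to the digest the pull already printed, `image: containrrr/watchtower@sha256:6dd50763bbd632a83cb154d5451700530d1e44200b268a4e9488fefdfcf2b038`, and bump it deliberately. With `--interval 30` and no scope, the log shows it stopping and recreating every container on the host in one pass (`Updated=7`, including synapse and its admin UI) the moment an upstream pushes a new `:latest`, which is an unreviewed supply-chain pull straight into production; an opt-in scope such as `command: --interval 30 --label-enable`, with the label `com.centurylinklabs.watchtower.enable=true` only on containers that should auto-update, limits the blast radius. The `401 Unauthorized` warnings for `wikiless_wikiless` and `anonymousoverflow_anonymousoverflow` appear to be locally built images that watchtower tries to fetch from Docker Hub under that name; the label scope also stops those attempts. A 30-second poll of every image is likely to run into registry rate limits as well, so the tutorial should present it as a demo value rather than a production setting.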
@@ -0,0 +1,347 @@ +# wazuh Setup + +![](0.png) + +In this tutorial we're going to setup wazuh, an open source EDR: + +## **Initial Setup** + +For the minimum requirements, please check wazuh's [system requirements](https://documentation.wazuh.com/current/installation-guide/requirements.html) page for that: + + + [ 10.0.0.101/16 ] [ /dev/pts/0 ] [~] + → ssh wazuh + The authenticity of host '10.0.0.180 (10.0.0.180)' can't be established. + ECDSA key fingerprint is SHA256:4UFX+pjoqh93S+OLKQo8/rfDX/Rs2S6TGu9VgG7EGtQ. + Are you sure you want to continue connecting (yes/no)? yes + Warning: Permanently added '10.0.0.180' (ECDSA) to the list of known hosts. + Linux wazuh 5.4.143-1-pve #1 SMP PVE 5.4.143-1 (Tue, 28 Sep 2021 09:10:37 +0200) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@wazuh:~# apt update -y ; apt upgrade -y ; apt autoremove -y + + root@wazuh:~# apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg -y + + root@wazuh:~# curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + + root@wazuh:~# echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list + + root@wazuh:~# apt-get update + + root@wazuh:~# apt-get install wazuh-manager + + root@wazuh:~# systemctl daemon-reload + + root@wazuh:~# systemctl enable wazuh-manager --now + + root@wazuh:~# systemctl status wazuh-manager + * wazuh-manager.service - Wazuh manager + Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled) + Active: active (running) since Thu 2022-04-07 16:18:04 UTC; 12s ago + Process: 1879 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS) + Tasks: 127 (limit: 7372) + Memory: 196.9M + CGroup: /system.slice/wazuh-manager.service + |-1933 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh-apid.py + |-1972 /var/ossec/bin/wazuh-authd + |-1988 /var/ossec/bin/wazuh-db + |-2011 /var/ossec/bin/wazuh-execd + |-2026 /var/ossec/bin/wazuh-analysisd + |-2087 /var/ossec/bin/wazuh-syscheckd + |-2103 /var/ossec/bin/wazuh-remoted + |-2142 /var/ossec/bin/wazuh-logcollector + |-2186 /var/ossec/bin/wazuh-monitord + `-2237 /var/ossec/bin/wazuh-modulesd + + Apr 07 16:17:56 wazuh env[1879]: Started wazuh-execd... + Apr 07 16:17:56 wazuh env[1879]: 2022/04/07 16:17:56 wazuh-analysisd: ERROR: Could not set resource limit for file descriptors to 458752: Operation not permitted (1) + Apr 07 16:17:57 wazuh env[1879]: Started wazuh-analysisd... + Apr 07 16:17:58 wazuh env[1879]: Started wazuh-syscheckd... + Apr 07 16:17:59 wazuh env[1879]: Started wazuh-remoted... + Apr 07 16:18:00 wazuh env[1879]: Started wazuh-logcollector... 
+ Apr 07 16:18:01 wazuh env[1879]: Started wazuh-monitord... + Apr 07 16:18:02 wazuh env[1879]: Started wazuh-modulesd... + Apr 07 16:18:04 wazuh env[1879]: Completed. + Apr 07 16:18:04 wazuh systemd[1]: Started Wazuh manager. + + + +Now that's done we setup elasticsearch: + + + root@wazuh:~# apt install elasticsearch-oss opendistroforelasticsearch + + moot@wazuh:~# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/7.x/elasticsearch_all_in_one.yml + root@wazuh:~# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles.yml + root@wazuh:~# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/roles_mapping.yml + root@wazuh:~# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.2/open-distro/elasticsearch/roles/internal_users.yml + + root@wazuh:~# rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f + root@wazuh:~# curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/wazuh-cert-tool.sh + root@wazuh:~# curl -so ~/instances.yml https://packages.wazuh.com/resources/4.2/open-distro/tools/certificate-utility/instances_aio.yml + + root@wazuh:~# bash ~/wazuh-cert-tool.sh + 04/07/2022 18:42:41 INFO: Configuration file found. Creating certificates... + 04/07/2022 18:42:41 INFO: Creating the Elasticsearch certificates... + 04/07/2022 18:42:42 INFO: Creating Wazuh server certificates... + 04/07/2022 18:42:42 INFO: Creating Kibana certificate... + 04/07/2022 18:42:42 INFO: Certificates creation finished. They can be found in ~/certs. 
+ + root@wazuh:~# mkdir /etc/elasticsearch/certs/ + root@wazuh:~# mv ~/certs/elasticsearch* /etc/elasticsearch/certs/ + root@wazuh:~# mv ~/certs/admin* /etc/elasticsearch/certs/ + root@wazuh:~# cp ~/certs/root-ca* /etc/elasticsearch/certs/ + root@wazuh:~# mkdir -p /etc/elasticsearch/jvm.options.d + root@wazuh:~# echo '-Dlog4j2.formatMsgNoLookups=true' > /etc/elasticsearch/jvm.options.d/disabledlog4j.options + root@wazuh:~# chmod 2750 /etc/elasticsearch/jvm.options.d/disabledlog4j.options + root@wazuh:~# chown root:elasticsearch /etc/elasticsearch/jvm.options.d/disabledlog4j.options + + root@wazuh:~# systemctl daemon-reload + root@wazuh:~# systemctl enable elasticsearch --now + Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install enable elasticsearch + Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service -> /usr/lib/systemd/system/elasticsearch.service. + + +Then we run elasticsearch securityadmin to load the new certificates information and start the cluster: + + + root@wazuh:~# export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem + Open Distro Security Admin v7 + Will connect to localhost:9300 + ... done + Connected as CN=admin,OU=Docu,O=Wazuh,L=California,C=US + Elasticsearch Version: 7.10.2 + Open Distro Security Version: 1.13.1.0 + Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ... + Clustername: elasticsearch + Clusterstate: GREEN + Number of nodes: 1 + Number of data nodes: 1 + .opendistro_security index does not exists, attempt to create it ... 
done (0-all replicas) + Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ + Will update '_doc/config' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml + SUCC: Configuration for 'config' created or updated + Will update '_doc/roles' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml + SUCC: Configuration for 'roles' created or updated + Will update '_doc/rolesmapping' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml + SUCC: Configuration for 'rolesmapping' created or updated + Will update '_doc/internalusers' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml + SUCC: Configuration for 'internalusers' created or updated + Will update '_doc/actiongroups' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml + SUCC: Configuration for 'actiongroups' created or updated + Will update '_doc/tenants' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml + SUCC: Configuration for 'tenants' created or updated + Will update '_doc/nodesdn' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml + SUCC: Configuration for 'nodesdn' created or updated + Will update '_doc/whitelist' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml + SUCC: Configuration for 'whitelist' created or updated + Will update '_doc/audit' with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml + SUCC: Configuration for 'audit' created or updated + Done with success + + + +And then we check that the installation is successful: + + + root@wazuh:~# curl -XGET https://localhost:9200 -u admin:admin -k + { + "name" : "node-1", + "cluster_name" : "elasticsearch", + "cluster_uuid" : "ZDjVBV2HSXKHuJLKlGaGiQ", + "version" : { + "number" : "7.10.2", + "build_flavor" : 
"oss", + "build_type" : "deb", + "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9", + "build_date" : "2021-01-13T00:42:12.435326Z", + "build_snapshot" : false, + "lucene_version" : "8.7.0", + "minimum_wire_compatibility_version" : "6.8.0", + "minimum_index_compatibility_version" : "6.0.0-beta1" + }, + "tagline" : "You Know, for Search" + } + + + +Then we install filebeat: + + + root@wazuh:~# apt-get install filebeat + Reading package lists... Done + Building dependency tree + Reading state information... Done + The following NEW packages will be installed: + filebeat + 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. + Need to get 22.1 MB of archives. + After this operation, 73.6 MB of additional disk space will be used. + Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 filebeat amd64 7.10.2 [22.1 MB] + Fetched 22.1 MB in 8s (2905 kB/s) + Selecting previously unselected package filebeat. + (Reading database ... 42497 files and directories currently installed.) + Preparing to unpack .../filebeat_7.10.2_amd64.deb ... + Unpacking filebeat (7.10.2) ... + Setting up filebeat (7.10.2) ... + Processing triggers for systemd (241-7~deb10u8) ... 
+ root@wazuh:~# curl -so /etc/filebeat/filebeat.yml https://packages.wazuh.com/resources/4.2/open-distro/filebeat/7.x/filebeat_all_in_one.yml + + root@wazuh:~# + root@wazuh:~# curl -so /etc/filebeat/wazuh-template.json https://raw.githubusercontent.com/wazuh/wazuh/4.2/extensions/elasticsearch/7.x/wazuh-template.json + root@wazuh:~# chmod go+r /etc/filebeat/wazuh-template.json + root@wazuh:~# curl -s https://packages.wazuh.com/4.x/filebeat/wazuh-filebeat-0.1.tar.gz | tar -xvz -C /usr/share/filebeat/module + wazuh/ + wazuh/module.yml + wazuh/archives/ + wazuh/archives/config/ + wazuh/archives/config/archives.yml + wazuh/archives/ingest/ + wazuh/archives/ingest/pipeline.json + wazuh/archives/manifest.yml + wazuh/alerts/ + wazuh/alerts/config/ + wazuh/alerts/config/alerts.yml + wazuh/alerts/ingest/ + wazuh/alerts/ingest/pipeline.json + wazuh/alerts/manifest.yml + wazuh/_meta/ + wazuh/_meta/config.yml + wazuh/_meta/fields.yml + wazuh/_meta/docs.asciidoc + root@wazuh:~# mkdir /etc/filebeat/certs + root@wazuh:~# cp ~/certs/root-ca.pem /etc/filebeat/certs/ + root@wazuh:~# mv ~/certs/filebeat* /etc/filebeat/certs/ + root@wazuh:~# systemctl daemon-reload + root@wazuh:~# systemctl enable filebeat + Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install enable filebeat + Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service -> /lib/systemd/system/filebeat.service. + root@wazuh:~# systemctl start filebeat + + + +Then we test filebeat: + + + root@wazuh:~# filebeat test output + elasticsearch: https://127.0.0.1:9200... + parse url... OK + connection... + parse host... OK + dns lookup... OK + addresses: 127.0.0.1 + dial up... OK + TLS... + security: server's certificate chain verification is enabled + handshake... OK + TLS version: TLSv1.3 + dial up... OK + talk to server... 
OK + version: 7.10.2 + + + +Then we install kibana: + + + root@wazuh:~# apt-get install opendistroforelasticsearch-kibana + Reading package lists... Done + Building dependency tree + Reading state information... Done + The following NEW packages will be installed: + opendistroforelasticsearch-kibana + 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. + Need to get 234 MB of archives. + After this operation, 692 MB of additional disk space will be used. + Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 opendistroforelasticsearch-kibana amd64 1.13.2 [234 MB] + Fetched 234 MB in 42s (5540 kB/s) + Selecting previously unselected package opendistroforelasticsearch-kibana. + (Reading database ... 42816 files and directories currently installed.) + Preparing to unpack .../opendistroforelasticsearch-kibana_1.13.2_amd64.deb ... + Unpacking opendistroforelasticsearch-kibana (1.13.2) ... + Setting up opendistroforelasticsearch-kibana (1.13.2) ... + chown: cannot access '/usr/share/kibana/optimize': No such file or directory + no optimize folder + Processing triggers for systemd (241-7~deb10u8) ... + + root@wazuh:~# curl -so /etc/kibana/kibana.yml https://packages.wazuh.com/resources/4.2/open-distro/kibana/7.x/kibana_all_in_one.yml + root@wazuh:~# mkdir /usr/share/kibana/data + root@wazuh:~# chown -R kibana:kibana /usr/share/kibana/data + root@wazuh:~# cd /usr/share/kibana + root@wazuh:/usr/share/kibana# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.10.2-1.zip + Attempting to transfer from https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana-4.2.6_7.10.2-1.zip + Transferring 33013640 bytes.................... 
+ Transfer complete + Retrieving metadata from plugin archive + Extracting plugin archive + Extraction complete + Plugin installation complete + + root@wazuh:/usr/share/kibana# mkdir /etc/kibana/certs + root@wazuh:/usr/share/kibana# cp ~/certs/root-ca.pem /etc/kibana/certs/ + root@wazuh:/usr/share/kibana# mv ~/certs/kibana* /etc/kibana/certs/ + root@wazuh:/usr/share/kibana# chown kibana:kibana /etc/kibana/certs/* + root@wazuh:/usr/share/kibana# setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node + root@wazuh:/usr/share/kibana# systemctl daemon-reload + root@wazuh:/usr/share/kibana# systemctl enable kibana --now + Synchronizing state of kibana.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install enable kibana + Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service -> /etc/systemd/system/kibana.service. + + + +And from there we simply access the wazuh web interface at https://ip/ : + +![](1.png) + +change the admin password here: + +![](2.png) + +Now that's done we're going to install the wazuh agent where we need it, for this tutorial i'll install it on my local nextcloud server: + + + [ 10.0.0.10/16 ] [ /dev/pts/18 ] [Github/blog/servers] + → ssh home + Last login: Thu Apr 7 18:09:18 2022 from 10.0.0.10 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - + + OK + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list + + deb https://packages.wazuh.com/4.x/apt/ stable main + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → apt-get update + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → WAZUH_MANAGER="10.0.0.180" apt-get install wazuh-agent + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → systemctl daemon-reload + + [ 10.0.0.101/16 ] [ /dev/pts/2 ] [~] + → systemctl enable --now wazuh-agent + + + +![](3.png) + diff --git a/whoogle/0.png b/whoogle/0.png new file mode 100644 index 0000000..a64a256 Binary files /dev/null and b/whoogle/0.png differ diff --git a/whoogle/1.png b/whoogle/1.png new file mode 100644 index 0000000..c7185f6 Binary files /dev/null and b/whoogle/1.png differ diff --git a/whoogle/2.png b/whoogle/2.png new file mode 100644 index 0000000..452f940 Binary files /dev/null and b/whoogle/2.png differ diff --git a/whoogle/index.md b/whoogle/index.md new file mode 100644 index 0000000..040511f --- /dev/null +++ b/whoogle/index.md 
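Review bot: The repository key is piped straight into the system-wide trusted keyring with `curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -`, which is deprecated and makes that key authoritative for every apt source on the host; the hunk does this in both the manager section and the agent section near the end. A keyring scoped to this one source is the safer form: `curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg` followed by `echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list` (plain `tee` rather than `tee -a`, so re-running the step does not duplicate the entry; the agent host would need gnupg installed as the manager already does). Separately, the verification step `curl -XGET https://localhost:9200 -u admin:admin -k` disables certificate checking even though the CA generated a few lines earlier is already at `/etc/elasticsearch/certs/root-ca.pem`; `--cacert /etc/elasticsearch/certs/root-ca.pem` would actually exercise the new chain, provided the node certificate's names cover the address used. The `admin:admin` pair is the stock credential from the downloaded `internal_users.yml` that securityadmin loads, so a sentence next to that command saying it is a default replaced by the later "change the admin password" step would stop readers from leaving it in place.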
@@ -0,0 +1,215 @@ +# whoogle Setup + +![](0.png) + +In this tutorial we're going to install whoogle, a privacy frontend to browse google without any trackers. + +## **Initial Setup** + +git clone the repository and run the docker-compose: + + + [ nowhere.moe ] [ /dev/pts/1 ] [~] + → cd /srv/ + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv] + → git clone https://github.com/benbusby/whoogle-search.git + Cloning into 'whoogle-search'... + remote: Enumerating objects: 4317, done. + remote: Counting objects: 100% (1088/1088), done. + remote: Compressing objects: 100% (119/119), done. + remote: Total 4317 (delta 1022), reused 997 (delta 969), pack-reused 3229 + Receiving objects: 100% (4317/4317), 2.49 MiB | 14.00 MiB/s, done. + Resolving deltas: 100% (2884/2884), done. + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv] + → cd whoogle-search + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/whoogle-search] + → vim docker-compose.yml + + + +Then run the docker-compose file as it is: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/whoogle-search] + → apt install docker.io docker-compose apparmor + + [ nowhere.moe ] [ /dev/pts/1 ] [/srv/whoogle-search] + → docker-compose up -d + Starting whoogle-search ... done + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → docker container ls -a + CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES + 240a7b66aa7b benbusby/whoogle-search "/bin/sh -c 'misc/to…" 3 minutes ago Up 2 minutes (healthy) 0.0.0.0:5000->5000/tcp, :::5000->5000/tcp whoogle-search + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → nmap 127.0.0.1 -p 5000 + Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 21:20 CEST + Nmap scan report for localhost.localdomain (127.0.0.1) + Host is up (0.000095s latency). 
+ + PORT STATE SERVICE + 5000/tcp open upnp + + Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds + + + + +once its up, put it behind the reverse nginx proxy: + + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → vim whoogle.nowhere.moe.conf + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → cat whoogle.nowhere.moe.conf + server { + server_name whoogle.nowhere.moe; + access_log /dev/null; + error_log /dev/null; + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header X-NginX-Proxy true; + proxy_pass http://localhost:5000; + } + } + + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → ln -s /etc/nginx/sites-available/whoogle.nowhere.moe.conf /etc/nginx/sites-enabled + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + + [ nowhere.moe ] [ /dev/pts/1 ] [/etc/nginx/sites-available] + → nginx -s reload + 2023/07/15 21:22:46 [notice] 144766#144766: signal process started + + + +To give make it HTTPS have the config like so: + + + root@Datura /etc/nginx/sites-available # cat whoogle.nowhere.moe.conf + server { + listen 80; + listen [::]:80; + listen 443 ssl http2; + listen [::]:443 ssl http2; + + + ######## TOR CHANGES ######## + listen 4443; + listen [::]:4443; + server_name whoogle.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://whoogle.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR 
CHANGES ######## + + server_name whoogle.nowhere.moe; + + access_log off; + error_log /var/log/nginx/error.log crit; + + ssl_certificate /etc/acme/certs/whoogle.nowhere.moe/fullchain.cer; + ssl_certificate_key /etc/acme/certs/whoogle.nowhere.moe/whoogle.nowhere.moe.key; + + access_log /dev/null; + error_log /dev/null; + + location / { + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header X-NginX-Proxy true; + proxy_pass http://localhost:5000; + } + } + + oot@Datura /etc/nginx/sites-available # systemctl stop nginx + root@Datura /etc/nginx/sites-available # acme.sh --set-default-ca --server letsencrypt + [Sat Jul 15 09:31:38 PM CEST 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory + root@Datura /etc/nginx/sites-available # acme.sh --issue --standalone -d whoogle.nowhere.moe -k 4096 + + root@Datura /etc/nginx/sites-available # systemctl start nginx + root@Datura /etc/nginx/sites-available # systemctl status nginx + ● nginx.service - A high performance web server and a reverse proxy server + Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled) + Active: active (running) since Sat 2023-07-15 21:32:10 CEST; 3s ago + Docs: man:nginx(8) + Process: 146558 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Process: 146559 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS) + Main PID: 146560 (nginx) + Tasks: 13 (limit: 77000) + Memory: 9.8M + CPU: 42ms + CGroup: /system.slice/nginx.service + ├─146560 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;" + ├─146561 "nginx: worker process" + ├─146562 "nginx: worker process" + ├─146563 "nginx: worker process" + ├─146564 "nginx: worker process" + ├─146565 "nginx: worker process" + ├─146566 "nginx: worker process" + ├─146567 
"nginx: worker process" + ├─146568 "nginx: worker process" + ├─146569 "nginx: worker process" + ├─146570 "nginx: worker process" + ├─146571 "nginx: worker process" + └─146572 "nginx: worker process" + + Jul 15 21:32:10 Datura systemd[1]: Starting nginx.service - A high performance web server and a reverse proxy server... + Jul 15 21:32:10 Datura systemd[1]: Started nginx.service - A high performance web server and a reverse proxy server. + + +Once nginx restarts, just browse to your website: + +![](1.png) + +also test the onion website here: + +![](2.png) + +To contribute to the project, by listing your instance somewhere such as on the official github for whoogle, to do that, just open an issue on the official repository as shown [here ](https://github.com/benbusby/whoogle-search/issues/1034). + +to have the service auto upgrade you can do as follows: + + + crontab -e + + 0 * * * * docker-compose -f /srv/whoogle-search/docker-compose.yml down ; git -C /srv/whoogle-search pull ; docker-compose -f /srv/whoogle-search/docker-compose.yml pull ; docker-compose -f /srv/whoogle-search/docker-compose.yml up -d + + + [ nowhere.moe ] [ /dev/pts/2 ] [~] + → cronitor select + + ✔ docker-compose -f /srv/whoogle-search/docker-compose.yml down ; git -C /srv/whoogle-search pull ; docker-compose -f /srv/whoogle-search/docker-compose.yml pull ; docker-compose -f /srv/whoogle-search/docker-compose.yml up -d + ----► Running command: docker-compose -f /srv/whoogle-search/docker-compose.yml down ; git -C /srv/whoogle-search pull ; docker-compose -f /srv/whoogle-search/docker-compose.yml pull ; docker-compose -f /srv/whoogle-search/docker-compose.yml up -d + + Stopping whoogle-search ... done + Removing whoogle-search ... done + Removing network whoogle-search_default + Already up to date. + Pulling whoogle-search ... done + Creating network "whoogle-search_default" with the default driver + Creating whoogle-search ... done + + ----► ✔ Command successful Elapsed time 14.195s + + + 
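Review bot: The HTTPS server block keeps `listen 80;` and `listen [::]:80;` next to the 443 listeners and never redirects, so whoogle.nowhere.moe remains served over plain HTTP after the certificate is issued, whereas the wikiless config later in this commit moves port 80 into its own block ending in `return 301 https://wikiless.nowhere.moe$request_uri;`. Splitting the clearnet port-80 listeners into a separate `server` block for `whoogle.nowhere.moe` that returns `301 https://$server_name$request_uri` would make the tutorials consistent; the onion name can keep its plaintext 4443 listeners in the main block. The same block also sets `access_log off;` and `error_log /var/log/nginx/error.log crit;` and then, a few lines later, `access_log /dev/null;` and `error_log /dev/null;`, so one pair silently overrides the other and should be dropped. The hourly cron line chains `down ; git pull ; pull ; up -d` with `;`, so a failed `git pull` or image pull still proceeds to restart the container; that is presumably intended so the service comes back regardless, but a short sentence in the tutorial saying so would help readers who copy it.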
diff --git a/wikiless/0.png b/wikiless/0.png new file mode 100644 index 0000000..1c81efa Binary files /dev/null and b/wikiless/0.png differ diff --git a/wikiless/1.png b/wikiless/1.png new file mode 100644 index 0000000..2d13b8a Binary files /dev/null and b/wikiless/1.png differ diff --git a/wikiless/2.png b/wikiless/2.png new file mode 100644 index 0000000..6745d07 Binary files /dev/null and b/wikiless/2.png differ diff --git a/wikiless/index.md b/wikiless/index.md new file mode 100644 index 0000000..d337176 --- /dev/null +++ b/wikiless/index.md 
@@ -0,0 +1,466 @@ +# wikiless Setup + +![](0.png) + +In this tutorial we're going to check out how to install Wikiless, a privacy front-end for wikipedia. + +## **Initial Setup** + +First git clone the repository + + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv] + → git clone https://github.com/Metastem/wikiless + Cloning into 'wikiless'... + remote: Enumerating objects: 1080, done. + remote: Counting objects: 100% (314/314), done. + remote: Compressing objects: 100% (135/135), done. + remote: Total 1080 (delta 216), reused 250 (delta 175), pack-reused 766 + Receiving objects: 100% (1080/1080), 488.53 KiB | 8.14 MiB/s, done. + Resolving deltas: 100% (598/598), done. + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv] + → cd wikiless + + + +run the docker files + + + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → git pull + remote: Enumerating objects: 9, done. + remote: Counting objects: 100% (9/9), done. + remote: Compressing objects: 100% (6/6), done. + remote: Total 6 (delta 4), reused 0 (delta 0), pack-reused 0 + Unpacking objects: 100% (6/6), 1.32 KiB | 1.32 MiB/s, done. + From https://github.com/Metastem/wikiless + cd561d0..23087c5 main -> origin/main + Updating cd561d0..23087c5 + Fast-forward + README.md | 12 ------------ + docker-compose.yml | 8 +++----- + 2 files changed, 3 insertions(+), 17 deletions(-) + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → vim docker-compose.yml ; vim wikiless.config + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → cat wikiless.config + const config = { + /** + * Set these configs below to suite your environment. 
+ */ + domain: process.env.DOMAIN || 'wikiless.nowhere.moe', // Set to your own domain + default_lang: process.env.DEFAULT_LANG || 'en', // Set your own language by default + theme: process.env.THEME || 'dark', // Set to 'white' or 'dark' by default + http_addr: process.env.HTTP_ADDR || '0.0.0.0', // don't touch, unless you know what your doing + nonssl_port: process.env.NONSSL_PORT || 8080, // don't touch, unless you know what your doing + + /** + * You can configure redis below if needed. + * By default Wikiless uses 'redis://127.0.0.1:6379' as the Redis URL. + * Versions before 0.1.1 Wikiless used redis_host and redis_port properties, + * but they are not supported anymore. + * process.env.REDIS_HOST is still here for backwards compatibility. + */ + redis_url: process.env.REDIS_URL || process.env.REDIS_HOST || 'redis://127.0.0.1:6379', + redis_password: process.env.REDIS_PASSWORD, + + /** + * You might need to change these configs below if you host through a reverse + * proxy like nginx. + */ + trust_proxy: process.env.TRUST_PROXY === 'true' || true, + trust_proxy_address: process.env.TRUST_PROXY_ADDRESS || '127.0.0.1', + + /** + * Redis cache expiration values (in seconds). + * When the cache expires, new content is fetched from Wikipedia (when the + * given URL is revisited). + */ + setexs: { + wikipage: process.env.WIKIPAGE_CACHE_EXPIRATION || (60 * 60 * 1), // 1 hour + }, + + /** + * Wikimedia requires a HTTP User-agent header for all Wikimedia related + * requests. It's a good idea to change this to something unique. + * Read more: https://meta.wikimedia.org/wiki/User-Agent_policy + */ + wikimedia_useragent: process.env.wikimedia_useragent || 'Wikiless media proxy bot (https://github.com/Metastem/wikiless)', + + /** + * Cache control. Wikiless can automatically remove the cached media files from + * the server. Cache control is on by default. + * 'cache_control_interval' sets the interval for often the cache directory + * is emptied (in hours). 
Default is every 24 hours. + */ + cache_control: process.env.CACHE_CONTROL !== 'true' || true, + cache_control_interval: process.env.CACHE_CONTROL_INTERVAL || 24, + } + + module.exports = config + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → cat docker-compose.yml + version: "3.7" + + services: + wikiless: + build: + context: . + dockerfile: Dockerfile + container_name: wikiless + hostname: wikiless + restart: always + networks: + wikiless_net: + ipv4_address: 172.4.0.6 + environment: + REDIS_HOST: redis://172.4.0.5:6379 + ports: + - "127.0.0.1:8180:8080" # change port if needed + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + depends_on: + - wikiless-redis + + wikiless-redis: + container_name: wikiless-redis + hostname: wikiless-redis + image: redis:latest + restart: always + networks: + wikiless_net: + ipv4_address: 172.4.0.5 + ports: + - "6379" + user: nobody + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /data:size=10M,mode=0770,uid=65534,gid=65534,noexec,nosuid,nodev + cap_drop: + - ALL + cap_add: + - SETGID + - SETUID + - DAC_OVERRIDE + + networks: + wikiless_net: + ipam: + config: + - subnet: 172.4.0.0/16 + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → ls + docker-compose.yml LICENSE.md media nginx.conf package.json package-lock.json README.md SECURITY.md src static wikiless.config + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → vim Dockerfile + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → docker-compose down + Stopping wikiless ... done + Stopping wikiless-redis ... done + Removing wikiless ... done + Removing wikiless-redis ... 
done + Removing network wikiless_wikiless_net + + [ nowhere.moe ] [ /dev/pts/0 ] [/srv/wikiless] + → docker-compose up -d --build + Creating network "wikiless_wikiless_net" with the default driver + Building wikiless + Step 1/9 : FROM node:20-alpine3.17 AS build + 20-alpine3.17: Pulling from library/node + 4db1b89c0bd1: Pull complete + c14d172ed001: Pull complete + c07dc96d4e30: Pull complete + db1d0c17eb17: Pull complete + Digest: sha256:e6df1a7e4da3c01fee080bfb504dc5b980a19bea23bd1884629469b55d6cd02f + Status: Downloaded newer image for node:20-alpine3.17 + ---> 063cc1778b5d + Step 2/9 : WORKDIR /wikiless + ---> Running in 85a222226267 + Removing intermediate container 85a222226267 + ---> ec73414a5f0a + Step 3/9 : COPY . /wikiless + ---> 97c84d369440 + Step 4/9 : RUN npm install --no-optional + ---> Running in 53377f121301 + npm WARN config optional Use `--omit=optional` to exclude optional dependencies, or + npm WARN config `--include=optional` to include them. + npm WARN config + npm WARN config Default value does install optional deps unless otherwise omitted. + + added 117 packages, and audited 118 packages in 2s + + 23 packages are looking for funding + run `npm fund` for details + + found 0 vulnerabilities + npm notice + npm notice New minor version of npm available! 9.7.2 -> 9.8.0 + npm notice Changelog: <****https://github.com/npm/cli/releases/tag/v9.8.0> + npm notice Run `npm install -g npm@9.8.0` to update! 
+ npm notice + Removing intermediate container 53377f121301 + ---> a0ca7a91b7b4 + + Step 5/9 : FROM gcr.io/distroless/nodejs20-debian11 + latest: Pulling from distroless/nodejs20-debian11 + a7ca0d9ba68f: Already exists + fe5ca62666f0: Already exists + b02a7525f878: Already exists + fcb6f6d2c998: Already exists + e8c73c638ae9: Already exists + 1e3d9b7d1452: Already exists + 4aa0ea1413d3: Already exists + 7c881f9ab25e: Already exists + 5627a970d25e: Already exists + 96266735468f: Already exists + 2758d0c31c8c: Already exists + 08553ba93cfe: Already exists + dfc02eb7708f: Already exists + 52907d314ddc: Already exists + 4eec690774a4: Already exists + 960f4c0076bf: Already exists + Digest: sha256:9468dc4069714f71a30c6075027f75edca89cc4b30d1afc6741c3430def76d7f + Status: Downloaded newer image for gcr.io/distroless/nodejs20-debian11:latest + ---> b0a23627a0ab + Step 6/9 : COPY --from=build /wikiless /wikiless + ---> 72b7dee566ed + Step 7/9 : WORKDIR /wikiless + ---> Running in 3f227aaf0a85 + Removing intermediate container 3f227aaf0a85 + ---> 1cb668fc638e + Step 8/9 : COPY wikiless.config config.js + ---> cba58fa6593a + Step 9/9 : CMD ["src/wikiless.js"] + ---> Running in ac6bf21520f9 + Removing intermediate container ac6bf21520f9 + ---> 7c3ecb0313e1 + + Successfully built 7c3ecb0313e1 + Successfully tagged wikiless_wikiless:latest + Creating wikiless-redis ... done + Creating wikiless ... done + +then install the reverse nginx proxyi, by default the app is available on local port 8180: + + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv/wikiless] + → nmap 127.0.0.1 -p 8180 + Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 16:01 CEST + Nmap scan report for localhost.localdomain (127.0.0.1) + Host is up (0.00010s latency). 
+ + PORT STATE SERVICE + 8180/tcp open unknown + + Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds + + root@Datura /srv/wikiless # cd /etc/nginx/sites-available/ + root@Datura /etc/nginx/sites-available # vim wikiless.nowhere.moe.conf + + + [ nowhere.moe ] [ /dev/pts/0 ] [/etc/nginx/sites-available] + → cat /etc/nginx/sites-available/wikiless.nowhere.moe.conf + server { + server_name wikiless.nowhere.moe; + + listen 443 ssl; + listen [::]:443 ssl; + #http2 on; + ssl_certificate /etc/acme/certs/wikiless.nowhere.moe/wikiless.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/wikiless.nowhere.moe/wikiless.nowhere.moe.key; + + #ssl_certificate /etc/letsencrypt/live/wikiless.nowhere.moe/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/live/wikiless.nowhere.moe/privkey.pem; + #include /etc/letsencrypt/options-ssl-nginx.conf; + #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + add_header strict_sni on; + add_header strict_sni_header on; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy upgrade-insecure-requests; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "DENY"; + add_header Clear-Site-Data "cookies"; + add_header Referrer-Policy "no-referrer"; + add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; + resolver 1.1.1.1; + + #ssl_trusted_certificate /etc/letsencrypt/live/wikiless.nowhere.moe/chain.pem; + #ssl_trusted_certificate /etc/acme/certs/wikiless.nowhere.moe/wikiless.nowhere.moe.cer; + #ssl_stapling on; + #ssl_stapling_verify on; + + access_log /dev/null; + error_log /dev/null; + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + 
proxy_pass http://localhost:8180; + } + } + + server { + listen 80; + listen [::]:80; + server_name wikiless.nowhere.moe; + return 301 https://wikiless.nowhere.moe$request_uri; + } + + + root@Datura /etc/nginx/sites-available # ln -s /etc/nginx/sites-available/wikiless.nowhere.moe.conf /etc/nginx/sites-enabled/ + root@Datura /etc/nginx/sites-available # systemctl stop nginx + root@Datura /etc/nginx/sites-available # acme.sh --issue --standalone -d wikiless.nowhere.moe -k 4096 + + root@Datura /etc/nginx/sites-available # nginx -t + nginx: the configuration file /etc/nginx/nginx.conf syntax is ok + nginx: configuration file /etc/nginx/nginx.conf test is successful + root@Datura /etc/nginx/sites-available # systemctl restart nginx + + + +then check that your instance is working here: + +![](1.png) + +Next we're going to make sure the website is accessible over tor: + + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv] + → cat /etc/nginx/sites-available/wikiless.nowhere.moe.conf + server { + server_name wikiless.nowhere.moe; + + listen 443 ssl; + listen [::]:443 ssl; + #http2 on; + ssl_certificate /etc/acme/certs/wikiless.nowhere.moe/wikiless.nowhere.moe.cer; + ssl_certificate_key /etc/acme/certs/wikiless.nowhere.moe/wikiless.nowhere.moe.key; + + ######## TOR CHANGES ######## + listen 4444 ssl; + listen [::]:4444 ssl; + server_name wikiless.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion; + add_header Onion-Location "http://wikiless.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always; + ######## TOR CHANGES ####### + + #ssl_certificate /etc/letsencrypt/live/wikiless.nowhere.moe/fullchain.pem; + #ssl_certificate_key /etc/letsencrypt/live/wikiless.nowhere.moe/privkey.pem; + #include /etc/letsencrypt/options-ssl-nginx.conf; + #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + add_header strict_sni on; + add_header strict_sni_header on; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header 
Content-Security-Policy upgrade-insecure-requests; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "DENY"; + add_header Clear-Site-Data "cookies"; + add_header Referrer-Policy "no-referrer"; + add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; + resolver 1.1.1.1; + + #ssl_trusted_certificate /etc/letsencrypt/live/wikiless.nowhere.moe/chain.pem; + #ssl_trusted_certificate /etc/acme/certs/wikiless.nowhere.moe/wikiless.nowhere.moe.cer; + #ssl_stapling on; + #ssl_stapling_verify on; + + access_log /dev/null; + error_log /dev/null; + + location / { + proxy_set_header X-Forwarded-For $remote_addr; + proxy_pass http://localhost:8180; + } + } + + server { + listen 80; + listen [::]:80; + server_name wikiless.nowhere.moe; + return 301 https://wikiless.nowhere.moe$request_uri; + } + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv] + → cat /etc/tor/torrc | grep 444 + HiddenServicePort 80 127.0.0.1:4443 + HiddenServicePort 443 127.0.0.1:4444 + + + +![](2.png) + +It may give an ssl error but at least it serves everything over https over tor. Let me know if you managed to make this work without the need of https. + +And lastly let's make it update automatically via a cronjob: + + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv] + → crontab -e + + @daily docker-compose -f /srv/wikiless/docker-compose.yml stop ; git -C /srv/wikiless/ pull ; docker-compose -f /srv/wikiless/docker-compose.yml up -d --build + + [ nowhere.moe ] [ /dev/pts/2 ] [/srv] + → cronitor select + + Use the arrow keys to navigate: ↓ ↑ → ← + ? 
Select job to run: + ✔ docker-compose -f /srv/wikiless/docker-compose.yml stop ; git -C /srv/wikiless/ pull ; docker-compose -f /srv/wikiless/docker-compose.yml up -d --build + ----► Running command: docker-compose -f /srv/wikiless/docker-compose.yml stop ; git -C /srv/wikiless/ pull ; docker-compose -f /srv/wikiless/docker-compose.yml up -d --build + + Stopping wikiless ... done + Stopping wikiless-redis ... done + Already up to date. + Building wikiless + Step 1/9 : FROM node:20-alpine3.17 AS build + ---> 063cc1778b5d + Step 2/9 : WORKDIR /wikiless + ---> Using cache + ---> ec73414a5f0a + Step 3/9 : COPY . /wikiless + ---> Using cache + ---> 97c84d369440 + Step 4/9 : RUN npm install --no-optional + ---> Using cache + ---> a0ca7a91b7b4 + + Step 5/9 : FROM gcr.io/distroless/nodejs20-debian11 + ---> b0a23627a0ab + Step 6/9 : COPY --from=build /wikiless /wikiless + ---> Using cache + ---> 72b7dee566ed + Step 7/9 : WORKDIR /wikiless + ---> Using cache + ---> 1cb668fc638e + Step 8/9 : COPY wikiless.config config.js + ---> Using cache + ---> cba58fa6593a + Step 9/9 : CMD ["src/wikiless.js"] + ---> Using cache + ---> 7c3ecb0313e1 + + Successfully built 7c3ecb0313e1 + Successfully tagged wikiless_wikiless:latest + Starting wikiless-redis ... done + Recreating wikiless ... done + + ----► ✔ Command successful Elapsed time 13.038s + + + diff --git a/wireguard/0.png b/wireguard/0.png new file mode 100644 index 0000000..c0912db Binary files /dev/null and b/wireguard/0.png differ diff --git a/wireguard/1.png b/wireguard/1.png new file mode 100644 index 0000000..d8c770e Binary files /dev/null and b/wireguard/1.png differ diff --git a/wireguard/index.md b/wireguard/index.md new file mode 100644 index 0000000..1274281 --- /dev/null +++ b/wireguard/index.md 
@@ -0,0 +1,127 @@
+# 0
+
+Before we start, you will need a Debian 10+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your debian 10 server.
+
+You can use DuckDNS to get a free domain name:
+
+![](0.png)
+
+
+ [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf]
+ → ssh root@ech4.duckdns.org
+ The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established.
+ ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA.
+ Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+ Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts.
+ Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64
+
+ The programs included with the Debian GNU/Linux system are free software;
+ the exact distribution terms for each program are described in the
+ individual files in /usr/share/doc/*/copyright.
+
+ Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+ permitted by applicable law.
+ root@debian-s-1vcpu-1gb-lon1-01:~#
+
+
+
+Also make sure that you don't use digitalocean for this beacuse they seem to block kernel modules that is required for wireguard (modprobe wireguard(to check if the module got successfully installed))
+
+## **Initial Setup**
+
+First verify if you are not running in a container
+
+
+ systemd-detect-virt
+
+
+
+If it returns anything other than **none/kvm/vmware** then this tutorial does not cover it.
+
+First get the required dependencies
+
+
+ echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list.d/backport.list
+ apt update -y && apt upgrade -y
+
+ apt install wireguard
+
+
+
+Then please reboot so that the kernel changes are applied.
+
+![](1.png)
+
+
+ reboot now
+
+
+
+ touch /etc/wireguard/wg1.conf
+ chmod 700 /etc/wireguard/wg1.conf
+
+ wg genkey >> /etc/wireguard/wg1.conf
+ nano /etc/wireguard/wg1.conf
+
+
+
+
+ [Interface]
+ Address = 10.66.66.1/24,fd42:42:42::1/64
+ ListenPort = 1194
+ PrivateKey = oAFh3bswQBHn9YOURSERVERPRIVATEKEYhWFiZWFQ=
+
+ [Peer]
+ PublicKey =
+ AllowedIPs = 10.66.66.2/32,fd42:42:42::2/128
+
+
+
+CTRL+S to save, CTRL+X to exit nano,
+
+Next allow routing on the server:
+
+
+ echo "net.ipv4.ip_forward = 1
+ net.ipv6.conf.all.forwarding = 1" > /etc/sysctl.d/wg.conf
+
+ sysctl --system
+ ip a | grep \< #pick the interface used to reach internet:
+
+ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+ wg-quick up wg1
+
+
+
+then install wireguard on your local machine:
+
+
+ echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list.d/backport.list
+ apt update -y && apt upgrade -y
+
+ apt install wireguard
+
+ touch /etc/wireguard/wg1.conf
+ chmod 700 /etc/wireguard/wg1.conf
+
+ wg genkey >> /etc/wireguard/wg1.conf
+ nano /etc/wireguard/wg1.conf
+
+
+
+
+ [Interface]
+ Address=10.66.66.2/24,fd42:42:42::2/64
+ PrivateKey = AOo1UXbkSZmNPFncjgTRfaHl3Pa6F7dpYCVXOZ6YS3g=
+
+ [Peer]
+ Endpoint = ech1.duckdns.org:1194
+ AllowedIPs = 0.0.0.0/0,::/0
+ Publickey =
+
+
+
+TLDR don't use digitalocean for wireguard
+
diff --git a/wireguard_auto/0.png b/wireguard_auto/0.png
new file mode 100644
index 0000000..c0912db
Binary files /dev/null and b/wireguard_auto/0.png differ
diff --git a/wireguard_auto/1.png b/wireguard_auto/1.png
new file mode 100644
index 0000000..beb293c
Binary files /dev/null and b/wireguard_auto/1.png differ
diff --git a/wireguard_auto/2.png b/wireguard_auto/2.png
new file mode 100644
index 0000000..a15fafc
Binary files /dev/null and b/wireguard_auto/2.png differ
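Review bot: `chmod 700 /etc/wireguard/wg1.conf` (in both the server and the client steps) sets the execute bit on a configuration file that is about to hold the interface's private key; `chmod 600 /etc/wireguard/wg1.conf` is the appropriate mode for a key-bearing config. The `wg genkey >> /etc/wireguard/wg1.conf` step only appends the private key, and the configs shown then leave `PublicKey =` on the server and `Publickey =` on the client empty — the page never derives the public half, so a step that pipes each private key through `wg pubkey` and pastes the result into the other side's `[Peer]` section is needed before the two can handshake. The client also targets `Endpoint = ech1.duckdns.org:1194` while the server was reached as `ech4.duckdns.org`, and the opening paragraph suggests digitalocean although the same page later says not to use it; aligning those two spots would save readers a failed first attempt.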
diff --git a/wireguard_auto/3.png b/wireguard_auto/3.png
new file mode 100644
index 0000000..f3e4d3c
Binary files /dev/null and b/wireguard_auto/3.png differ
diff --git a/wireguard_auto/index.md b/wireguard_auto/index.md
new file mode 100644
index 0000000..90a5b40
--- /dev/null
+++ b/wireguard_auto/index.md
@@ -0,0 +1,330 @@ +# Automated Wireguard Setup + +Before we start, you will need an Ubuntu 16+ VPS (you can get one on digitalocean for example), if you prefer to use your own self hosted server, make sure that port 80 and 443 are correctly port forwarded so that the public ip points to the server and not the router. Once that's done, go and ssh into your ubuntu 10 server. + +You can use DuckDNS to get a free domain name: + +![](0.png) + + + [ 192.168.100.1/24 ] [ /dev/pts/13 ] [~/Nextcloud/blog/Conf] + → ssh root@ech4.duckdns.org + The authenticity of host 'ech4.duckdns.org (178.128.46.38)' can't be established. + ECDSA key fingerprint is SHA256:z2HAncB99pfbAUfj9tJY7vlo8EGUzCIUxWBAnjAflcA. + Are you sure you want to continue connecting (yes/no/[fingerprint])? yes + Warning: Permanently added 'ech4.duckdns.org,178.128.46.38' (ECDSA) to the list of known hosts. + Linux debian-s-1vcpu-1gb-lon1-01 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 + + The programs included with the Debian GNU/Linux system are free software; + the exact distribution terms for each program are described in the + individual files in /usr/share/doc/*/copyright. + + Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent + permitted by applicable law. 
+ root@debian-s-1vcpu-1gb-lon1-01:~# + + + +## **Initial Setup** + +First update Ubuntu and install curl + + + apt update -y && apt upgrade -y + apt install curl -y + + +Then get angristan's script: + + + curl -O https://raw.githubusercontent.com/angristan/wireguard-install/master/wireguard-install.sh + chmod +x wireguard-install.sh + ./wireguard-install.sh + + +And then just hit enter at everything: + +![](1.png) ![](2.png) + +Then get your wireguard client config in the /root/ folder: + + + root@wired:~# cat /root/wg0-client-nowhere.conf + [Interface] + PrivateKey = sIanEImIYOURKEY9ec1ttVFU= + Address = 10.66.66.2/32,fd42:42:42::2/128 + DNS = 176.103.130.130,176.103.130.131 + + [Peer] + PublicKey = uA+TgpwXFYWZjYOURKEYWqF0cC0M= + PresharedKey = FpWeYyYOURKEY8feFjN4EUzvg= + Endpoint = 278.276.383.1:52225 + AllowedIPs = 0.0.0.0/0,::/0 + + + +## **Setting up a client** + +Save it locally in /etc/wireguard: + + + sudo nano /etc/wireguard/wg0.conf + + + +And then just run wg-quick to launch wireguard, and wg to check the status. 
+ + + echo "deb http://deb.debian.org/debian/ buster-backports main " | \ + sudo tee /etc/apt/sources.list.d/buster-backports.list + sudo apt update + sudo apt install -t buster-backports wireguard-dkms wireguard-tools + + [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~] + → sudo apt install wireguard-tools resolvconf -y + + [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~] + → which wg-quick + /usr/bin/wg-quick + + [ 192.168.100.1/24 ] [ /dev/pts/11 ] [~] + → wg-quick up wg0 + [#] ip link add wg0 type wireguard + [#] wg setconf wg0 /dev/fd/63 + [#] ip -4 address add 10.66.66.2/32 dev wg0 + [#] ip -6 address add fd42:42:42::2/128 dev wg0 + [#] ip link set mtu 1420 up dev wg0 + [#] resolvconf -a wg0 -m 0 -x + [#] wg set wg0 fwmark 51820 + [#] ip -6 route add ::/0 dev wg0 table 51820 + [#] ip -6 rule add not fwmark 51820 table 51820 + [#] ip -6 rule add table main suppress_prefixlength 0 + [#] ip6tables-restore -n + [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820 + [#] ip -4 rule add not fwmark 51820 table 51820 + [#] ip -4 rule add table main suppress_prefixlength 0 + [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1 + [#] iptables-restore -n + + [ 192.168.100.1/24 ] [ /dev/pts/11 ] [~] + → sudo wg + interface: wg0 + public key: Zhjn3QNON+LYOURKEYU0bjyE= + private key: (hidden) + listening port: 42771 + fwmark: 0xca6c + + peer: uA+TgpwXFYWZjYOURKEYqF0cC0M= + preshared key: (hidden) + endpoint: 278.276.383.1:52225 + allowed ips: 0.0.0.0/0, ::/0 + latest handshake: 4 seconds ago + transfer: 4.26 KiB received, 6.11 KiB sent + + + +You can check your own IP with the following command: + + + [ 192.168.100.1/24 ] [ /dev/pts/11 ] [~] + → curl ifconfig.me + 278.276.383.1 + + + +## **Advanced Usage** + +You can use the following command to run wireguard when the system starts: + + + systemctl enable --now wg-quick@wg0 + + + +Now once wireguard is active, you won't be able to access the local subnets: + + + + → ping 192.168.0.1 + PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. 
+ ^C + --- 192.168.0.1 ping statistics --- + 4 packets transmitted, 0 received, 100% packet loss, time 3070ms + + + +As you can see, with the wireguard connection i cannot access my home router: + +![](3.png) + +So to fix this, i add the routes to the subnets **10.0.0.0/24** and **192.168.0.0/24** manually: + + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + → **sudo ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0** + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + → ping 192.168.0.1 + PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. + 64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=3.42 ms + 64 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=5.03 ms + ^C + --- 192.168.0.1 ping statistics --- + 2 packets transmitted, 2 received, 0% packet loss, time 1001ms + rtt min/avg/max/mdev = 3.419/4.222/5.025/0.803 ms + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + → **sudo ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0** + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + → ping 192.168.0.1 + PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data. 
+ ^C + --- 192.168.0.1 ping statistics --- + 5 packets transmitted, 0 received, 100% packet loss, time 4077ms + + +If you need to access local networks (like 192.168.0.0/24 or 10.2.0.0/16 and such) while still having the wireguard connection, you can modify your client config as follows using the PostUp and PostDown parameters: + + + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + → sudo vim /etc/wireguard/wg0.conf + + [Interface] + PrivateKey = AAAA= + Address = 10.66.66.2/32,fd42:42:42::2/128 + DNS = 1.1.1.1, 1.0.0.1 + **PostUp = ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route add 10.0.0.0/24 dev eth0** + **PostDown = ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route del 10.0.0.0/24 dev eth0** + + [Peer] + PublicKey = BBBBBB= + PresharedKey = CCCCCC= + Endpoint = 78.x.x.x:57692 + AllowedIPs = 0.0.0.0/0, ::/0 + + :wq + + + +With this configuration you can even specify local DNS servers, for example i have 2 local piholes at **192.168.0.198** and **192.168.0.199** , thanks to the ip route rules, i am able to access them, so i can use them like so: + + + [ 10.66.66.2/32 ] [ /dev/pts/25 ] [~] + → sudo vim /etc/wireguard/wg0.conf + + [...] + + DNS = 192.168.0.199,192.168.0.198 + + [...] + + :wq + + + +Note: that solution isn't the best because this will probably leak your actual location. You can see it on DNSLeakTest [here](https://www.dnsleaktest.com/results.html), so instead i recommend choosing public DNS server IPs by location on public-dns.info [here](https://public-dns.info/#countries), simply pick 2 DNS servers which are inthe same country as your VPS. 
Then restart wireguard to refresh the configuration : + + + [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~] + → sudo wg-quick down wg0 + [#] ip -4 rule delete table 51820 + [#] ip -4 rule delete table main suppress_prefixlength 0 + [#] ip -6 rule delete table 51820 + [#] ip -6 rule delete table main suppress_prefixlength 0 + [#] ip link delete dev wg0 + [#] resolvconf -d tun.wg0 -f + [#] nft -f /dev/fd/63 + [#] ip route del 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route del 10.0.0.0/24 dev eth0 + + [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~] + → sudo wg-quick up wg0 + [#] ip link add wg0 type wireguard + [#] wg setconf wg0 /dev/fd/63 + [#] ip -4 address add 10.66.66.2/32 dev wg0 + [#] ip -6 address add fd42:42:42::2/128 dev wg0 + [#] ip link set mtu 1420 up dev wg0 + [#] resolvconf -a tun.wg0 -m 0 -x + [#] wg set wg0 fwmark 51820 + [#] ip -6 route add ::/0 dev wg0 table 51820 + [#] ip -6 rule add not fwmark 51820 table 51820 + [#] ip -6 rule add table main suppress_prefixlength 0 + [#] nft -f /dev/fd/63 + [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820 + [#] ip -4 rule add not fwmark 51820 table 51820 + [#] ip -4 rule add table main suppress_prefixlength 0 + [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1 + [#] nft -f /dev/fd/63 + [#] ip route add 192.168.0.0/24 via 10.0.0.1 dev eth0 ; ip route add 10.0.0.0/24 dev eth0 + + + +You can also do it with systemctl directly: + + + [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~] + → systemctl stop wg-quick@wg0 + ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units === + Authentication is required to stop 'wg-quick@wg0.service'. + Authenticating as: nothing,,, (nothing) + Password: + ==== AUTHENTICATION COMPLETE === + + [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~] + → systemctl start wg-quick@wg0 + ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units === + Authentication is required to start 'wg-quick@wg0.service'. 
+
+ Authenticating as: nothing,,, (nothing)
+ Password:
+ ==== AUTHENTICATION COMPLETE ===
+
+ [ 10.0.0.10/16 ] [ /dev/pts/25 ] [~]
+ → systemctl status wg-quick@wg0
+ ● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
+ Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: disabled)
+ Active: active (exited) since Fri 2021-06-11 19:12:53 CEST; 1s ago
+ Docs: man:wg-quick(8)
+ man:wg(8)
+ https://www.wireguard.com/
+ https://www.wireguard.com/quickstart/
+ https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+ https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+ Process: 3988248 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
+ Main PID: 3988248 (code=exited, status=0/SUCCESS)
+ CPU: 143ms
+
+
+You can also just do a zshrc / bashrc function to do this automatically:
+
+
+
+ [ 10.66.66.2/32 ] [ /dev/pts/16 ] [blog/servers/wireguard_auto]
+ → vim ~/.zshrc
+
+ [...]
+
+ temple(){
+ GREEN="\033[0;32m"
+ RED="\033[0;31m"
+ ORANGE="\033[0;33m"
+ NC="\033[0m"
+
+ if [ $(ip a | grep wg0 | wc -l) -eq "0" ]; then
+ echo -en "${GREEN}[+]${NC} WireGuard is ${RED}DOWN${NC}, ${ORANGE}connecting to Temple...${GREEN}\n\n"
+ sudo wg-quick up wg0
+ echo -en "\n${GREEN}[+]${NC} your public ip is : ${GREEN} $(curl ifconfig.me) ${NC}"
+ else
+ echo -en "${GREEN}[+]${NC} WireGuard is ${GREEN}UP, ${ORANGE}disconnecting from Temple...${RED}\n\n"
+ sudo wg-quick down wg0
+ echo -en "\n${GREEN}[+]${NC} your public ip is : ${ORANGE} $(curl ifconfig.me) ${NC}"
+ fi
+ }
+
+ [...]
+
+ :wq
+
+
diff --git a/xmpp/1.png b/xmpp/1.png
new file mode 100644
index 0000000..23d0f35
Binary files /dev/null and b/xmpp/1.png differ
diff --git a/xmpp/2.png b/xmpp/2.png
new file mode 100644
index 0000000..d614fd4
Binary files /dev/null and b/xmpp/2.png differ
diff --git a/xmpp/3.png b/xmpp/3.png
new file mode 100644
index 0000000..b0d3f46
Binary files /dev/null and b/xmpp/3.png differ
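Review bot: The `temple()` function near the end of the hunk decides interface state with `if [ $(ip a | grep wg0 | wc -l) -eq "0" ]`, which greps the whole `ip a` text (any interface or address line that merely contains `wg0` counts) and leaves the substitution unquoted; `if ! ip link show wg0 >/dev/null 2>&1; then` asks the kernel directly and avoids the pipeline. Earlier in the hunk the install step fetches `wireguard-install.sh` from the `master` branch with `curl -O` and runs it as root right after `chmod +x`; a sentence telling readers to pin the URL to a reviewed commit and read the script before executing it is warranted, since that script becomes the VPN server's entire configuration. The same function prints the public IP with `curl ifconfig.me`, which defaults to plain HTTP; spelling the URL as `https://ifconfig.me` keeps that check from being altered on the path. Minor text issue: the introduction says "Ubuntu 16+ VPS" and then "your ubuntu 10 server", while the pasted login banner is a Debian 4.19 host.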
diff --git a/xmpp/index.md b/xmpp/index.md
new file mode 100644
index 0000000..ce97c63
--- /dev/null
+++ b/xmpp/index.md
@@ -0,0 +1,253 @@ +# XMPP server (Gajim, OMEO encryption, ejabberd .onion setup) + +In this tutorial we're going to cover how to setup an XMPP chatting service over Tor. + +_Disclaimer:_ If you want this service to remain anonymous, make sure you at least keep [TOR between you and the service](../sensitiveremotevshome/index.md) from the [VPS acquisition](../anonymousremoteserver/index.md) to actual service usage. + +## **Initial Setup** + +First let's install the required packages, and then run the xmpp server using docker (you can check the documentation [here](https://github.com/processone/docker-ejabberd/blob/master/ecs/README.md)), we'll follow [Lukesmith's tutorial](https://landchad.net/ejabberd/) specifically: + + + apt install ejabberd -y + + + +Now we need the following domain names to point to your server: + + + nowhere.moe - Your XMPP hostname + xmpp.nowhere.moe - For mod_muc, Multi User Chats (MUCs) + upload.nowhere.moe - For mod_http_upload, file upload support + proxy.nowhere.moe - For mod_proxy65, SOCKS5 proxy support + pubsub.nowhere.moe - For mod_pubsub, publish-subscribe support (A fancier RSS) + + + +Then we edit the ejabberd config file accordingly: + + + [ Datura ] [ /dev/pts/10 ] [/srv] + → vim /etc/ejabberd/ejabberd.yml + + [...] + + hosts: + - nowhere.moe + + [...] + + mod_muc: + host: xmpp.nowhere.moe + + [...] + + + +Next we need to obtain the TLS certificate for the xmpp.nowhere.moe domain, to do so we'll use acme.sh: + + + [ Datura ] [ /dev/pts/10 ] [~] + → systemctl stop nginx ; acme.sh --issue --standalone -d xmpp.nowhere.moe -k 4096 ; systemctl start nginx + + [Sun Jun 9 07:12:21 PM CEST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory + [Sun Jun 9 07:12:21 PM CEST 2024] Standalone mode. 
+ [Sun Jun 9 07:12:21 PM CEST 2024] Creating domain key + [Sun Jun 9 07:12:23 PM CEST 2024] The domain key is here: /root/.acme.sh/xmpp.nowhere.moe/xmpp.nowhere.moe.key + [Sun Jun 9 07:12:23 PM CEST 2024] Single domain='xmpp.nowhere.moe' + [Sun Jun 9 07:12:25 PM CEST 2024] Getting webroot for domain='xmpp.nowhere.moe' + [Sun Jun 9 07:12:25 PM CEST 2024] Verifying: xmpp.nowhere.moe + [Sun Jun 9 07:12:25 PM CEST 2024] Standalone mode server + [Sun Jun 9 07:12:26 PM CEST 2024] Pending, The CA is processing your order, please just wait. (1/30) + [Sun Jun 9 07:12:30 PM CEST 2024] Pending, The CA is processing your order, please just wait. (2/30) + [Sun Jun 9 07:12:33 PM CEST 2024] Pending, The CA is processing your order, please just wait. (3/30) + [Sun Jun 9 07:12:37 PM CEST 2024] Success + [Sun Jun 9 07:12:37 PM CEST 2024] Verify finished, start to sign. + [Sun Jun 9 07:12:37 PM CEST 2024] Lets finalize the order. + [Sun Jun 9 07:12:37 PM CEST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1581078457/276884921497' + [Sun Jun 9 07:12:38 PM CEST 2024] Downloading cert. + [Sun Jun 9 07:12:38 PM CEST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03a21dfde3a1a017ddaec55ef3c43a3cae0c' + [Sun Jun 9 07:12:39 PM CEST 2024] Cert success. + + [...] + + [Sun Jun 9 07:12:39 PM CEST 2024] Your cert is in: /root/.acme.sh/xmpp.nowhere.moe/xmpp.nowhere.moe.cer + [Sun Jun 9 07:12:39 PM CEST 2024] Your cert key is in: /root/.acme.sh/xmpp.nowhere.moe/xmpp.nowhere.moe.key + [Sun Jun 9 07:12:39 PM CEST 2024] The intermediate CA cert is in: /root/.acme.sh/xmpp.nowhere.moe/ca.cer + [Sun Jun 9 07:12:39 PM CEST 2024] And the full chain certs is there: /root/.acme.sh/xmpp.nowhere.moe/fullchain.cer + + [ Datura ] [ /dev/pts/10 ] [~] + → chown -R ejabberd:ejabberd /root/.acme.sh/xmpp.nowhere.moe + + [ Datura ] [ /dev/pts/10 ] [~] + → cat /etc/ejabberd/ejabberd.yml + + [...] + + certfiles: + - "/root/.acme.sh/xmpp.nowhere.moe/fullchain.cer" + + [...] 
+ + + +Then we add the admin user in ejabberd.yml: + + + [ Datura ] [ /dev/pts/10 ] [~] + → cat /etc/ejabberd/ejabberd.yml + + [...] + + acl: + admin: + user: + - "nihilist" + + [...] + + + +We also add the File Uploads: + + + [ Datura ] [ /dev/pts/10 ] [~] + → cat /etc/ejabberd/ejabberd.yml + + [...] + + mod_http_upload: + put_url: https://@HOST@:5443/upload + docroot: /srv/xmpp/upload/ + custom_headers: + "Access-Control-Allow-Origin": "https://@HOST@" + "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" + "Access-Control-Allow-Headers": "Content-Type" + + [...] + + [ Datura ] [ /dev/pts/10 ] [~] + → mkdir /srv/xmpp/upload/ -p + + [ Datura ] [ /dev/pts/10 ] [~] + → chown -R ejabberd:ejabberd /srv/xmpp/upload/ + + + +We enable message archives too: + + + [ Datura ] [ /dev/pts/10 ] [~] + → cat /etc/ejabberd/ejabberd.yml + + [...] + + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. Uncomment this when you have SQL configured: + ## db_type: sql + assume_mam_usage: true + default: always + + [...] + + + +Next, you setup a coturn service for the VOIP [here](https://landchad.net/coturn/), but in this case we'll use the same coturn service that we previously setup for the [matrix server](../matrixnew/index.md) + + + [ Datura ] [ /dev/pts/10 ] [~] + → cat /etc/ejabberd/ejabberd.yml + + [...] + + mod_stun_disco: + secret: "DAWDDWADWADAWDWAWDDWAADWADWDWADWADWAAWDDWAWAD" + services: + - + host: m.nowhere.moe + type: stun + - + host: m.nowhere.moe + type: turn + + [...] 
+ + + +Then we restart the ejabberd service: + + + [ Datura ] [ /dev/pts/10 ] [~] + → systemctl restart ejabberd + + [ Datura ] [ /dev/pts/10 ] [~] + → systemctl status ejabberd + ● ejabberd.service - robust, scalable and extensible realtime platform (XMPP server + MQTT broker + SIP service) + Loaded: loaded (/lib/systemd/system/ejabberd.service; enabled; preset: enabled) + Active: active (running) since Sun 2024-06-09 21:21:41 CEST; 6s ago + Docs: https://www.process-one.net/en/ejabberd/docs/ + Main PID: 3664214 (sh) + Tasks: 116 (limit: 77002) + Memory: 111.9M + CPU: 3.022s + CGroup: /system.slice/ejabberd.service + + + +Now that the ejabberd service has restarted successfully, we can register the admin user: + + + [ Datura ] [ /dev/pts/10 ] [~] + → ejabberdctl register nihilist nowhere.moe P@SSW0RD + + User nihilist@contact.nowhere.moe successfully registered + + + + +## **Setup** + +Now the xmpp server is active, along with your nihilist user, so let's connect to it from a XMPP client like gajim: + + + [ mainpc ] [ /dev/pts/8 ] [~] + → sudo apt install gajim -y + + + +![](1.png) + +![]() + + + + + +![]() + + + + + +![]() + + + + + +## **Setup** + + + + + + + + + + + + + diff --git a/xmpp2024/1.png b/xmpp2024/1.png new file mode 100644 index 0000000..07a16f0 Binary files /dev/null and b/xmpp2024/1.png differ diff --git a/xmpp2024/10.png b/xmpp2024/10.png new file mode 100644 index 0000000..5f4cbf4 Binary files /dev/null and b/xmpp2024/10.png differ diff --git a/xmpp2024/11.png b/xmpp2024/11.png new file mode 100644 index 0000000..e55ea22 Binary files /dev/null and b/xmpp2024/11.png differ diff --git a/xmpp2024/12.png b/xmpp2024/12.png new file mode 100644 index 0000000..9ce382b Binary files /dev/null and b/xmpp2024/12.png differ diff --git a/xmpp2024/13.png b/xmpp2024/13.png new file mode 100644 index 0000000..26ea45f Binary files /dev/null and b/xmpp2024/13.png differ 
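Review bot: The certificate obtained with `acme.sh --issue --standalone -d xmpp.nowhere.moe` covers only that one name, yet `hosts:` is set to `nowhere.moe` and the hunk lists `upload.`, `proxy.` and `pubsub.` subdomains as required, so clients connecting to `nowhere.moe` (and the `put_url: https://@HOST@:5443/upload` endpoint) will see a name mismatch; issue one certificate for all five names with repeated `-d` arguments, or one per host and list each under `certfiles:`. `chown -R ejabberd:ejabberd /root/.acme.sh/xmpp.nowhere.moe` hands the service account ownership of acme.sh's own working directory, private key included, and a renewal may well reset that ownership; `acme.sh --install-cert -d xmpp.nowhere.moe --key-file ... --fullchain-file ...` into an ejabberd-owned path is the supported way to hand the files over. `ejabberdctl register nihilist nowhere.moe P@SSW0RD` places the admin password on the command line, where shell history and `ps` expose it; the page should say so rather than present the literal password as the pattern to copy. The transcript under that command reports `nihilist@contact.nowhere.moe` although the command registered on `nowhere.moe`, so one of the two is stale.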
diff --git a/xmpp2024/14.png b/xmpp2024/14.png
new file mode 100644
index 0000000..8c61bd6
Binary files /dev/null and b/xmpp2024/14.png differ
diff --git a/xmpp2024/15.png b/xmpp2024/15.png
new file mode 100644
index 0000000..abb7bca
Binary files /dev/null and b/xmpp2024/15.png differ
diff --git a/xmpp2024/16.png b/xmpp2024/16.png
new file mode 100644
index 0000000..5e45090
Binary files /dev/null and b/xmpp2024/16.png differ
diff --git a/xmpp2024/17.png b/xmpp2024/17.png
new file mode 100644
index 0000000..dcd38f7
Binary files /dev/null and b/xmpp2024/17.png differ
diff --git a/xmpp2024/18.png b/xmpp2024/18.png
new file mode 100644
index 0000000..bac8bb6
Binary files /dev/null and b/xmpp2024/18.png differ
diff --git a/xmpp2024/19.png b/xmpp2024/19.png
new file mode 100644
index 0000000..3490f92
Binary files /dev/null and b/xmpp2024/19.png differ
diff --git a/xmpp2024/2.png b/xmpp2024/2.png
new file mode 100644
index 0000000..915093e
Binary files /dev/null and b/xmpp2024/2.png differ
diff --git a/xmpp2024/20.png b/xmpp2024/20.png
new file mode 100644
index 0000000..0fa3551
Binary files /dev/null and b/xmpp2024/20.png differ
diff --git a/xmpp2024/21.png b/xmpp2024/21.png
new file mode 100644
index 0000000..679a90e
Binary files /dev/null and b/xmpp2024/21.png differ
diff --git a/xmpp2024/22.png b/xmpp2024/22.png
new file mode 100644
index 0000000..6470fe7
Binary files /dev/null and b/xmpp2024/22.png differ
diff --git a/xmpp2024/23.png b/xmpp2024/23.png
new file mode 100644
index 0000000..466d3ff
Binary files /dev/null and b/xmpp2024/23.png differ
diff --git a/xmpp2024/24.png b/xmpp2024/24.png
new file mode 100644
index 0000000..53ba122
Binary files /dev/null and b/xmpp2024/24.png differ
diff --git a/xmpp2024/25.png b/xmpp2024/25.png
new file mode 100644
index 0000000..e720fc1
Binary files /dev/null and b/xmpp2024/25.png differ
diff --git a/xmpp2024/26.png b/xmpp2024/26.png
new file mode 100644
index 0000000..d3937b1
Binary files /dev/null and b/xmpp2024/26.png differ
diff --git a/xmpp2024/27.png b/xmpp2024/27.png
new file mode 100644
index 0000000..8653f40
Binary files /dev/null and b/xmpp2024/27.png differ
diff --git a/xmpp2024/28.png b/xmpp2024/28.png
new file mode 100644
index 0000000..1cd5a44
Binary files /dev/null and b/xmpp2024/28.png differ
diff --git a/xmpp2024/29.png b/xmpp2024/29.png
new file mode 100644
index 0000000..a1a7321
Binary files /dev/null and b/xmpp2024/29.png differ
diff --git a/xmpp2024/3.png b/xmpp2024/3.png
new file mode 100644
index 0000000..fa3e533
Binary files /dev/null and b/xmpp2024/3.png differ
diff --git a/xmpp2024/30.png b/xmpp2024/30.png
new file mode 100644
index 0000000..f1b7f96
Binary files /dev/null and b/xmpp2024/30.png differ
diff --git a/xmpp2024/4.png b/xmpp2024/4.png
new file mode 100644
index 0000000..cfc9610
Binary files /dev/null and b/xmpp2024/4.png differ
diff --git a/xmpp2024/5.png b/xmpp2024/5.png
new file mode 100644
index 0000000..6f3126c
Binary files /dev/null and b/xmpp2024/5.png differ
diff --git a/xmpp2024/6.png b/xmpp2024/6.png
new file mode 100644
index 0000000..d1a7a40
Binary files /dev/null and b/xmpp2024/6.png differ
diff --git a/xmpp2024/7.png b/xmpp2024/7.png
new file mode 100644
index 0000000..fb0498a
Binary files /dev/null and b/xmpp2024/7.png differ
diff --git a/xmpp2024/8.png b/xmpp2024/8.png
new file mode 100644
index 0000000..db923fc
Binary files /dev/null and b/xmpp2024/8.png differ
diff --git a/xmpp2024/9.png b/xmpp2024/9.png
new file mode 100644
index 0000000..ebcd8c6
Binary files /dev/null and b/xmpp2024/9.png differ
diff --git a/xmpp2024/index.md b/xmpp2024/index.md
new file mode 100644
index 0000000..b82f5b5
--- /dev/null
+++ b/xmpp2024/index.md
@@ -0,0 +1,353 @@ +# XMPP Chat Server Setup (Clearnet + Onion + OMEMO E2EE) + +In this tutorial, we're going to check out how to setup a XMPP chat server, that is accessible over Tor, as a hidden service, using Prosody. We'll also cover how to have a Clearnet XMPP server, and how to have OMEMO End to End encryption using the Gajim XMPP client. + +## **XMPP Onion Server Setup** + +Before starting, check out [this](../torwebsite/index.md) tutorial on how to create your first hidden service. + + + root@ANON-home:~# apt install prosody prosody-modules lua-unbound -y + + root@ANON-home:~# prosodyctl about + /var/lib/prosody/custom_plugins - not a directory! + /usr/local/lib/prosody/modules - not a directory! + /var/lib/prosody/custom_plugins/share/lua/5.4/?.lua + /var/lib/prosody/custom_plugins/share/lua/5.4/?/init.lua + + + root@ANON-home:~# mkdir /var/lib/prosody/custom_plugins + root@ANON-home:~# mkdir /usr/local/lib/prosody/modules -p + + + +Then, we make sure that the tor hidden service includes the XMPP ports: + + + root@ANON-home:# vim /etc/tor/torrc + root@ANON-home:# cat /etc/tor/torrc + HiddenServiceDir /var/lib/tor/onions/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion/ + + [...] + + HiddenServicePort 5222 127.0.0.1:5222 + HiddenServicePort 5269 127.0.0.1:5269 + HiddenServicePort 5280 127.0.0.1:5280 + HiddenServicePort 5281 127.0.0.1:5281 + + root@ANON-home:# systemctl restart tor@default + + + +Here, my hidden service is aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion, let's check that the mod_onions module is installed and configure the prosody.cfg.lua file: + + + root@ANON-home:~# ls /usr/lib/prosody/modules/mod_onions + mod_onions.lua + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + [...] + + VirtualHost "localhost" + -- Prosody requires at least one enabled VirtualHost to function. You can + -- safely remove or disable 'localhost' once you have added another. 
+ + VirtualHost "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" + modules_enabled = {"onions"}; + onions_only = true; + disco_items = { + {"conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion","Public Chatroom"}, + {"upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion","Public Chatroom"} + } + + Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc" + modules_enabled = { "onions" }; + onions_only = true; + + Component "upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "http_file_share" + modules_enabled = { "onions" }; + onions_only = true; + + [...] + + + + + root@ANON-home:~# prosodyctl cert generate aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + Choose key size (2048): + **Key written to /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.key** + Please provide details to include in the certificate config file. + Leave the field empty to use the default value or '.' to exclude the field. + countryName (GB): + localityName (The Internet): + organizationName (Your Organisation): + organizationalUnitName (XMPP Department): + commonName (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion): + emailAddress (xmpp@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion): + + **Config written to /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.cnf + Certificate written to /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.crt** + + root@ANON-home:~# prosodyctl check + + [...] + + Checking certificates... + Checking certificate for conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + certmanager info No certificate present in SSL/TLS configuration for conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion. SNI will be required. 
+ No 'certificate' found for conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + Checking certificate for localhost + certmanager info No certificate present in SSL/TLS configuration for localhost. SNI will be required. + No 'certificate' found for localhost + Checking certificate for upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + certmanager info No certificate present in SSL/TLS configuration for upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion. SNI will be required. + No 'certificate' found for upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + Checking certificate for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + certmanager info No certificate present in SSL/TLS configuration for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion. SNI will be required. + No 'certificate' found for aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + + For more information about certificates please see https://prosody.im/doc/certificates + + Problems found, see above. 
+ + + root@ANON-home:# mv /var/lib/prosody/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion.* /etc/prosody/certs/ + + + + + root@ANON-home:/etc/prosody/certs# prosodyctl adduser nihilist@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion + Enter new password: + Retype new password: + + #if you want to create users in batch: + root@ANON-home:/etc/prosody/certs# prosodyctl adduser testuser aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion p4ssw0rd + + root@ANON-home:/etc/prosody/certs# systemctl restart prosody + root@ANON-home:/etc/prosody/certs# systemctl status prosody + ● prosody.service - Prosody XMPP Server + Loaded: loaded (/lib/systemd/system/prosody.service; enabled; preset: enabled) + Active: active (running) since Mon 2024-08-05 22:02:47 CEST; 4s ago + Docs: https://prosody.im/doc + Main PID: 3419 (lua5.4) + Tasks: 1 (limit: 4653) + Memory: 7.8M + CPU: 139ms + CGroup: /system.slice/prosody.service + └─3419 lua5.4 /usr/bin/prosody -F + + Aug 05 22:02:47 ANON-home systemd[1]: Started prosody.service - Prosody XMPP Server. + + + + +all good now, now let's connect to it using pidgin: + + + [ mainpc ] [ /dev/pts/9 ] [~/Nextcloud/blog] + → apt install pidgin -y + + [ mainpc ] [ /dev/pts/9 ] [~/Nextcloud/blog] + → pidgin + + + +Then, create your account on the XMPP server: + +![](1.png) ![](2.png) ![](3.png) ![](4.png) ![](6.png) ![](5.png) + +Next, we can start chatting with Alice, who is another user on that XMPP server like so: + +![](7.png) + +Then from Alice's XMPP client, we accept nihilist's buddy request: + +![](8.png) ![](9.png) ![](10.png) ![](11.png) + +## **Optional XMPP server options:** + +if you want to enable message archiving, enable the "mam" module by uncommenting it: + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + [...] + + modules_enabled = { + "mam"; -- Store recent messages to allow multi-device synchronization + } + + [...] 
+ + + +and then you can mention the expiration time of messages like so: + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + archive_expires_after = "1w" -- remove archived messages after 1 week + + + +you can choose to limit the bandwidth usage of your server too, using the mod_limits module: + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + limits = { + c2s = { + rate = "10kb/s"; + } + s2sin = { + rate = "30kb/s"; + } + + } + + +You can also enable archiving on the multi-user chats like so : + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc" + modules_enabled = { "onions", "muc_mam" }; + onions_only = true; + + + +And just like in mod_mam, you can set the expiration time of the messages in MUCs: + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc" + modules_enabled = { "onions", "muc_mam" }; + onions_only = true; + muc_log_expires_after = "1w" + + + +Then, you can also enable file archiving using mod_http_file_share: + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat /etc/prosody/prosody.cfg.lua + + Component "upload.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "http_file_share" + modules_enabled = { "onions" }; + onions_only = true; + http_file_share_daily_quota = 100*1024*1024; -- 100 MiB + http_file_share_after = 7*86400; -- One week in seconds + http_file_share_size_limit = 10*1024*1024 -- 10 Mib + + + +Then, as you're going to have a multi user chat, you'll most likely need the mod_muc_moderation module: + + + root@ANON-home:~# vim /etc/prosody/prosody.cfg.lua + root@ANON-home:~# cat 
/etc/prosody/prosody.cfg.lua + + Component "conference.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion" "muc" + modules_enabled = { "onions", "muc_mam", "muc_moderation" }; + onions_only = true; + muc_log_expires_after = "1w" + + + +## **XMPP Clearnet Server Setup** + +First edit prosody.cfg.lua like so : + + + [ Datura ] [ /dev/pts/3 ] [~] + → vim /etc/prosody/prosody.cfg.lua + + [...] + + VirtualHost "nowhere.moe" + ssl = { + certificate = "/etc/ssl/nowhere.moe/fullchain.cer"; + key = "/etc/ssl/nowhere.moe/nowhere.moe.key"; + } + + VirtualHost "nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion" + + [...] + + + +Then copy the existing acme.sh certificates for nowhere.moe into another non-root directory, otherwise prosody wont be able to read them: + + + [ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe] + → mkdir -p /etc/ssl/nowhere.moe/ + + [ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe] + → cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe + + [ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe] + → sudo setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe/ + + [ Datura ] [ /dev/pts/4 ] [/etc/ssl/nowhere.moe] + → sudo -u prosody cat /etc/ssl/nowhere.moe/nowhere.moe.cer + -----BEGIN CERTIFICATE----- + MIIF5zCCBM+gAwIBAgISBCVaPZeC38+C4bWEm3yPX1LMMA0GCSqGSIb3DQEBCwUA + MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD + EwNSMTAwHhcNMjQwODExMjAyMjI5WhcNMjQxMTA5MjAyMjI4WjAWMRQwEgYDVQQD + Ewtub3doZXJlLm1vZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJPO + [...] 
+ -----END CERTIFICATE----- + + + + +to copy it once a day to the correct folder, you can do it via cronjob: + + + [ Datura ] [ /dev/pts/7 ] [~] + → crontab -e + + 0 0 * * * cp -r /root/.acme.sh/nowhere.moe/* /etc/ssl/nowhere.moe ; setfacl -R -m u:prosody:rx /etc/ssl/nowhere.moe ; systemctl restart prosody + + + +Then, don't forget to create the clearnet user: + + + [ Datura ] [ /dev/pts/7 ] [~] + → prosodyctl adduser usertest usertestpwd + + [ Datura ] [ /dev/pts/7 ] [~] + → prosodyctl passwd usertest@nowhere.moe + + + +Then you can just connect to the XMPP server over clearnet aswell, but one thing to note is that pidgin is limited when it comes to encrypting chats, so let's use Gajim instead as it comes with OMEMO encryption out of the box: + + + user@laptop: apt install gajim -y + + + +` ![](12.png) ![](13.png) ![](14.png) ![](15.png) + +## **XMPP OMEMO End to End Encryption (E2EE)** + +![](16.png) ![](17.png) ![](18.png) ![](19.png) ![](20.png) ![](21.png) ![](22.png) + +Now here, you need to tell the other peer (if they don't have OMEMO enabled) to install a XMPP client like gajim, just like you, to use OMEMO encryption just like you, to have end to end encryption. + +![](23.png) ![](25.png) ![](26.png) ![](27.png) ![](28.png) ![](29.png) ![](30.png) + +And that's it! you now have a XMPP server working over both Clearnet, and Tor, with end to end encryption. + diff --git a/xrdp/0.png b/xrdp/0.png new file mode 100644 index 0000000..bfec390 Binary files /dev/null and b/xrdp/0.png differ diff --git a/xrdp/1.png b/xrdp/1.png new file mode 100644 index 0000000..08ea882 Binary files /dev/null and b/xrdp/1.png differ diff --git a/xrdp/2.png b/xrdp/2.png new file mode 100644 index 0000000..7625bb4 Binary files /dev/null and b/xrdp/2.png differ diff --git a/xrdp/3.png b/xrdp/3.png new file mode 100644 index 0000000..f20a106 Binary files /dev/null and b/xrdp/3.png differ 
diff --git a/xrdp/4.png b/xrdp/4.png
new file mode 100644
index 0000000..00fd458
Binary files /dev/null and b/xrdp/4.png differ
diff --git a/xrdp/5.png b/xrdp/5.png
new file mode 100644
index 0000000..8c7ea3c
Binary files /dev/null and b/xrdp/5.png differ
diff --git a/xrdp/index.md b/xrdp/index.md
new file mode 100644
index 0000000..d91c14e
--- /dev/null
+++ b/xrdp/index.md
@@ -0,0 +1,174 @@ +# xrdp Setup + +![](0.png) + +In this tutorial we're going to look at how to setup XRDP on a kali VM + +## **Initial Setup** + +So i currently have a VM running kali linux at the local IP 10.77.77.77: + +![](1.png) + +And my current issue is that i cannot for some reason get this machine to copy paste IN and OUT, even with vmware's poorly made vmware tools implementations on debian-based VMs, therefore i decided to install RDP on it, because i know that this will work. Now RDP is very easy to install on linux. First step is to get the xrdp package: + + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → apt search xrdp + Sorting... Done + Full Text Search... Done + libxrdposix3/kali-rolling 5.0.3-4 amd64 + Posix interface library for xrootd + + xorgxrdp/kali-rolling,now 1:0.2.12-1 amd64 [installed,automatic] + Remote Desktop Protocol (RDP) modules for X.org + + xrdp/kali-rolling,now 0.9.12-1.1 amd64 [installed] + Remote Desktop Protocol (RDP) server + + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → apt install xrdp -y + + + +And then we simply start it with systemctl: + + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → sudo systemctl enable --now xrdp + Synchronizing state of xrdp.service with SysV service script with /lib/systemd/systemd-sysv-install. + Executing: /lib/systemd/systemd-sysv-install enable xrdp + Created symlink /etc/systemd/system/multi-user.target.wants/xrdp.service → /lib/systemd/system/xrdp.service. 
+ + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → systemctl status xrdp + ● xrdp.service - xrdp daemon + Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: disabled) + Active: active (running) since Thu 2021-07-08 18:00:03 CEST; 12min ago + Docs: man:xrdp(8) + man:xrdp.ini(5) + Main PID: 39814 (xrdp) + Tasks: 1 (limit: 4597) + Memory: 772.0K + CPU: 12.854s + CGroup: /system.slice/xrdp.service + └─39814 /usr/sbin/xrdp + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → netstat -alntup | grep 3389 + (Not all processes could be identified, non-owned process info + will not be shown, you would have to be root to see it all.) + tcp6 0 0 :::3389 :::* LISTEN - + + + +And now that we enabled the xrdp service, we can basically test it out, i will connect to my kaliVM using a RDP client called remmina, from debian or arch you install it as follows: + + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → sudo apt install remmina freerdp2-x11 + + [ 10.66.66.2/24 ] [ /dev/pts/1 ] [~/HTB] + → sudo pacman -S remmina freerdp + + + +It's fairly popular so it shouldn't be a problem to find it on most repositories. and then we add a RDP host to connect to after we start remmina: + +![](2.png) + +Once we connect however, we see that we are not getting into i3, but rather the other default DE that's on kali by default, XFCE + +![](4.png) + +So in order to fix that, we edit **/etc/xrdp/startwm.sh** + + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → sudo vim /etc/xrdp/startwm.sh + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → cat /etc/xrdp/startwm.sh + #!/bin/sh + # xrdp X session start script (c) 2015, 2017 mirabilos + # published under The MirOS Licence + + if test -r /etc/profile; then + . /etc/profile + fi + + if test -r /etc/default/locale; then + . 
/etc/default/locale + test -z "${LANG+x}" || export LANG + test -z "${LANGUAGE+x}" || export LANGUAGE + test -z "${LC_ADDRESS+x}" || export LC_ADDRESS + test -z "${LC_ALL+x}" || export LC_ALL + test -z "${LC_COLLATE+x}" || export LC_COLLATE + test -z "${LC_CTYPE+x}" || export LC_CTYPE + test -z "${LC_IDENTIFICATION+x}" || export LC_IDENTIFICATION + test -z "${LC_MEASUREMENT+x}" || export LC_MEASUREMENT + test -z "${LC_MESSAGES+x}" || export LC_MESSAGES + test -z "${LC_MONETARY+x}" || export LC_MONETARY + test -z "${LC_NAME+x}" || export LC_NAME + test -z "${LC_NUMERIC+x}" || export LC_NUMERIC + test -z "${LC_PAPER+x}" || export LC_PAPER + test -z "${LC_TELEPHONE+x}" || export LC_TELEPHONE + test -z "${LC_TIME+x}" || export LC_TIME + test -z "${LOCPATH+x}" || export LOCPATH + fi + + if test -r /etc/profile; then + . /etc/profile + fi + + #test -x /etc/X11/Xsession && exec /etc/X11/Xsession + #exec /bin/sh /etc/X11/Xsession + exec /usr/bin/i3 + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → sudo systemctl restart xrdp + + [ 10.77.77.77/24 ] [ /dev/pts/1 ] [~/HTB] + → sudo systemctl status xrdp + ● xrdp.service - xrdp daemon + Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: disabled) + Active: active (running) since Thu 2021-07-08 18:19:00 CEST; 4s ago + Docs: man:xrdp(8) + man:xrdp.ini(5) + Process: 168045 ExecStartPre=/bin/sh /usr/share/xrdp/socksetup (code=exited, status=0/SUCCESS) + Process: 168053 ExecStart=/usr/sbin/xrdp $XRDP_OPTIONS (code=exited, status=0/SUCCESS) + Main PID: 168054 (xrdp) + Tasks: 1 (limit: 4597) + Memory: 760.0K + CPU: 18ms + CGroup: /system.slice/xrdp.service + └─168054 /usr/sbin/xrdp + + #if you get the "cannot read private key /etc/xrdp/key.pem:permission denied" + do this: + + adduser xrdp ssl-cert ; systemctl restart xrdp + + + + +here you see i basically just edited the last part of /etc/xrdp/startwm.sh to execute i3 instead of the default Xsession. 
Now when we test it we get the following: + +![](3.png) + +And that's it! We managed to connect to a VM via RDP and spawning a non-default DE to navigate it. + +If you can't use any alt+gr keystrokes once connected via rdp, you need to run the following command: + + + setxkbmap -layout fr + + + +If your xrdp service has a TLS error "cannot accept TLS connection because certificate or private key file is not readable" do the following: + +![](5.png) + +## **Setup** +