% % Software-daemons.tex % % Fork Sand IT Manual % % Copyright (C) 2018, Fork Sand, Inc. % Copyright (C) 2017, Jeff Moe % Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc. % % This document is licensed under the Creative Commons Attribution 4.0 % International Public License (CC BY-SA 4.0) by Fork Sand, Inc. % \section{Server Daemons} These are the server daemons used to drive the enterprise. \section{\href{http://sourceforge.net/projects/acpid2/}{ACPID}} Monitors ACPI events. Runs on nearly all servers and workstations. \section{\href{http://httpd.apache.org/}{Apache}} Web daemon, used on many servers. \section{\href{http://www.isc.org/}{BIND}} Nameserver used for caching. \section{\href{https://borgbackup.github.io/borgbackup/}{Borg}} Backup program. \section{\href{https://www.collaboraoffice.com/code/}{code}} Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL) for Nextcloud. \section{\href{https://github.com/coturn/coturn}{coturn}} TURN and STUN server. Used for videoconferencing. \section{\href{http://ftp.isc.org/isc/cron/}{cron}} Scheduled triggering of applications (cf. at). \section{\href{http://dnsmasq.org/}{DHCP}} dnsmasq DHCP for 350+ hosts. \section{\href{https://www.discourse.org/}{Discourse}} Mailing list, discussion board, forum. \section{\href{https://dockerproject.org/}{Docker}} System containers, virtual servers. \section{\href{http://dnsmasq.org/}{DNS}} dnsmasq DNS caching. \section{\href{http://dnsmasq.org/}{Dovecot}} IMAP mail services. Employees check their mail via the IMAP server, typically using Icedove or aomail (roundcube using IMAP). \section{\href{https://www.erlang.org/}{Erlang}} Virtual machine (ejabberd). \section{{iptables}{Firewalls}} Linux's iptables. \section{\href{http://www.fail2ban.org/}{fail2ban}} Block out scripts, bots, crackers, and network noise on servers. \section{\href{http://www.debian.org/}{Init}} Init, woo! \section{\href{http://mariadb.org/}{MariaDB}} Used on many servers for a database. Replacing MySQL. \section{md RAID} Linux RAID, md, mdadm. \section{\href{http://www.memcached.org/}{memcached}} Used to speed up websites, such as Nextcloud. \section{\href{http://www.mysql.org/}{MySQL}} Used on many servers for a database. \section{\href{https://nextcloud.com/}{Nextcloud}} Shared calendars, files, collaborative document editing with LibreOffice Online, videoconferencing. Some of this is from owncloud era... \begin{minted}{sh} #Install debian jessie, ssh server, standard system utilities #install jebba ssh key #install sudo #disable password ssh #disable root ssh #================================== # #Set up DNS #Set up Server #Create new jessie server, and boot it up. #Copy over key: ssh-copy-id jebba@pwn.themoes.org #Log in to new machine: ssh jebba@pwn.themoes.org #Change jebba's password. passwd jebba #Set a root password: su - passwd root #Disable source repos: sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list #Set up `git` as kludge to track /etc apt-get -y install git cd /etc git init chmod og-rwx /etc/.git vi /etc/.gitignore \end{minted} Add these lines to /etc/.gitignore \begin{minted}{sh} prelink.cache *.swp ld.so.cache adjtime blkid.tab blkid.tab.old mtab resolv.conf asound.state mtab.fuselock aliases.db \end{minted} \subsection{Set up a git user:} \begin{minted}{sh} vi ~/.gitconfig [user] name = Jeff Moe [color] branch = auto diff = auto status = auto \end{minted} \subsection{Create and populate the git repo for /etc:} \begin{minted}{sh} git add . EDITOR=vi git commit -a Intial setup of pwn.themoes.org jessie owncloud server #Install some needed stuff: apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts host strace telnet lsb-release unzip bzip2 && apt-get clean #Set up vim: echo :syntax on > ~/.vimrc #Add jebba to sudo group: adduser jebba sudo #Make sudoers passwordless: vim /etc/sudoers #Change: %sudo ALL=(ALL:ALL) ALL #To: %sudo ALL=(ALL) NOPASSWD: ALL #Edit /etc/ssh/sshd_config (dodgy way to do this): sed -i \ -e 's/PermitRootLogin yes/PermitRootLogin no/g' \ -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \ -e 's/RSAAuthentication yes/RSAAuthentication no/g' \ -e 's/Port 22/Port 43827/g'\ -e 's/X11Forwarding yes/X11Forwarding no/g' \ /etc/ssh/sshd_config #Disable unneeded services: for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ; sudo /usr/sbin/update-rc.d $i disable ; done \end{minted} Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh Reboot \begin{minted}{sh} #Log in as jebba (from workstation): ssh -p 43827 -C jebba@pwn.themoes.org #VIM: echo :syntax on > ~/.vimrc \end{minted} \subsection{Setup} Update /etc/hosts: \begin{minted}{sh} 5.152.179.226 pwn pwn.themoes.org #Comment out: #127.0.1.1 pwn.themoes.org pwn #Update /etc/hostname: pwn #Commit everything so far to git sudo su - cd /etc git add . EDITOR=vi git commit -a # Additional base config for server. \end{minted} \subsection{Make IP Static} \begin{minted}{sh} vim /etc/network/interfaces \end{minted} Comment out: \begin{minted}{sh} #allow-hotplug eth0 #iface eth0 inet dhcp \end{minted} Add: \begin{minted}{sh} auto eth0 iface eth0 inet static address 5.152.179.226 netmask 255.255.255.0 gateway 5.152.179.1 \end{minted} \subsection{Install Firewall}\label{ssec:nextcloudfirewall} \url{https://wiki.debian.org/iptables} \begin{minted}{sh} #Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables /etc/iptables.test.rules chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules \end{minted} \begin{minted}{sh} vim /etc/iptables.test.rules \end{minted} *filter \begin{minted}{sh} # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT #-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You could modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) #-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT #-A INPUT -p tcp --dport 80 -j ACCEPT # Accept 443 from everywhere #-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT #-A INPUT -p tcp --dport 443 -j ACCEPT # SSH Access Port 43827 -A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT # Allow ssh from anywhere -A INPUT -p tcp --dport 43827 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # Opsview access #-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT #-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports 2222,37,4949,5666 -j ACCEPT # log iptables denied calls (access via 'dmesg' command) -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy: -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT \end{minted} \begin{minted}{sh} touch /etc/network/if-pre-up.d/iptables chmod 755 /etc/network/if-pre-up.d/iptables vim /etc/network/if-pre-up.d/iptables \end{minted} \begin{minted}{sh} #!/bin/bash /sbin/iptables-restore < /etc/iptables.up.rules \end{minted} Then run: \begin{minted}{sh} iptables-restore < /etc/iptables.test.rules iptables -L iptables-save > /etc/iptables.up.rules \end{minted} Disable IPv6 \begin{minted}{sh} vim /etc/sysctl.conf \end{minted} Add: \begin{minted}{sh} # Disable IPv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.eth0.disable_ipv6 = 1 \end{minted} \begin{minted}{sh} sysctl -p \end{minted} Add this to kernel boot line /etc/default/grub: \begin{minted}{sh} GRUB_CMDLINE_LINUX="ipv6.disable=1" \end{minted} then run: \begin{minted}{sh} update-grub \end{minted} \begin{minted}{sh} # Also need to change anything in /etc/apache2/sites-enabled/* that has *:80 to 0.0.0.0, so no IPv6. # Comment out IPv6 stuff in /etc/hosts: #::1 localhost ip6-localhost ip6-loopback #ff02::1 ip6-allnodes #ff02::2 ip6-allrouters # Also need to change anything in /etc/apache2/sites-enabled/* that has *:80 to 0.0.0.0, so no IPv6. \end{minted} Blacklist the module, don't even load it: \begin{minted}{sh} echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf \end{minted} Tell the module not to use IPv6 (hit it with the hammer over and over): \begin{minted}{sh} echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf echo alias ivp6 off >> /etc/modprobe.d/aliases.conf \end{minted} \begin{minted}{sh} reboot \end{minted} %#################### %# Install Owncloud # %#################### \subsection{Install nextcloud} Copied from Owncloud installation sequence. Todo: review difference to Nextcloud Add Debian Backports (eh?) \begin{minted}{sh} sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports main' >> /etc/apt/sources.list.d/backports.list" apt-get update apt-get dist-upgrade -t jessie-backports apt-get clean sync reboot & exit \end{minted} Add owncloud repos (ToDo) \begin{minted}{sh} cd wget -nv \ https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \ -O Release.key apt-key add - < Release.key sh -c "echo 'deb http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /' >> /etc/apt/sources.list.d/owncloud.list" apt-get update apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \ ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \ php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \ libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \ php5-mcrypt php5-imagick mysql-server apt-get clean \end{minted} Set up database \begin{minted}{sh} vim ~/.mysqlpw \end{minted} \begin{minted}{sh} # meh update-rc.d saned disable \end{minted} \begin{minted}{sh} # Configure Apache2 on a Debian Jessie Server # Setup default https configuration: cd /etc/apache2/sites-enabled ln -s ../sites-available/default-ssl . # Enable SSL modules cd /etc/apache2/mods-enabled ln -s ../mods-available/*ssl* . ln -s ../mods-available/socache_shmcb.load . # XXX left this out: #vim /etc/apache2/sites-available/default-ssl.conf # make sure that each has AllowOverride All # Generate SSL certificate cd /etc/ssl/private/ openssl genrsa -out pwn.themoes.org.key 2048 openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr #* After the last command answer the following: #** Country Name : US #** State or Province Name: Colorado #** Locality Name: Redstone Canyon #** Organization Name: Moe #** Organizational Unit Name: IT #** Common Name: pwn.themoes.org #** Email Address: pwn@themoes.org #** Leave Challenge password and An optional company name blank. # Sent csr to SSL registrar. \end{minted} Open up port 80 to do SSL registrar verification: \begin{minted}{sh} vim /etc/iptables.test.rules \end{minted} Enable the port 80 lines for registar, and port 443 lines for owncloud later at the file \begin{minted}{sh} iptables-restore < /etc/iptables.test.rules iptables -L iptables-save > /etc/iptables.up.rules \end{minted} Copy Gandi file for SSL authentication to /var/www/html/ After Gandi verifies it, remove the file. Then disable port 80 in the firewall again: \begin{minted}{sh} vim /etc/iptables.test.rules \end{minted} \begin{minted}{sh} iptables-restore < /etc/iptables.test.rules iptables -L iptables-save > /etc/iptables.up.rules \end{minted} Move the cert in place \begin{minted}{sh} mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt chown root:root /etc/ssl/private/pwn.themoes.org.crt # Gandi intermediate certs XXX # http://crt.gandi.net/GandiStandardSSLCA2.crt OR # https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem # Gah, wtf, add this? # Comodo Cross-Signed Certificate # http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt #* Generate certificate: # XXX gah, gandi root certs ? # WTF does this do. openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \ -CAkey AOrootCA.key -CAserial AOrootCA.srl \ -out pwn.themoes.org.crt -days 65000 \end{minted} ToDo: consider adding rm pwn.themoes.org.csr Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private directory. Make sure the they can't be read by the others. Configure SSL part of the Apache Server: \begin{minted}{sh} vim /etc/apache2/sites-available/default-ssl.conf \end{minted} change to: \begin{minted}{sh} ServerName pwn.themoes.org ServerAdmin pwn@themoes.org \end{minted} comment out snakeoil keys add \begin{minted}{sh} SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key \end{minted} \subsection{Enable the SSL server} \begin{minted}{sh} cd /etc/apache2/sites-enabled ln -s ../sites-available/default-ssl.conf . \end{minted} Restart Apache2 \begin{minted}{sh} /etc/init.d/apache2 restart \end{minted} \begin{minted}{sh} echo pwn > /var/www/html/index.html \end{minted} Install owncloud \begin{minted}{sh} apt-get install -t jessie-backports owncloud \end{minted} set up mysql owncloud user \begin{minted}{sh} vim ~/.mysqlpw-own cat ~/.mysqlpw-own mysql -uroot -p`cat ~/.mysqlpw` CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password'; CREATE DATABASE IF NOT EXISTS owncloud; GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED BY 'password'; ############## # Migrate db to sql.themoes.org ############## # Set up mysql config with sql.themoes.org (NOT on traccar, but on db server) mysql> CREATE DATABASE owncloud; mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX'; mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2'; mysql> FLUSH PRIVILEGES; \end{minted} \begin{minted}{sh} mkdir /srv/owncloud chown www-data:www-data /srv/owncloud chmod 770 /srv/owncloud \end{minted} \begin{minted}{sh} # Do web stuff # https://pwn.themoes.org/owncloud/ # Create admin account # Data folder: # /srv/owncloud # MySQL: # User: owncloud # Password: # Database Name: owncloud \end{minted} set up crontab in web and here: \begin{minted}{sh} crontab -u www-data -e \end{minted} Add: \begin{minted}{sh} */15 * * * * php -f /var/www/owncloud/cron.php \end{minted} Check it: \begin{minted}{sh} crontab -u www-data -l \end{minted} \begin{minted}{sh} root@pwn:/etc/ssl/private# chmod o-r * root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem mv GandiStandardSSLCA2.pem /etc/ssl/certs/ chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem \end{minted} Add this to Configure SSL part of the Apache Server: \begin{minted}{sh} vim /etc/apache2/sites-available/default-ssl.conf \end{minted} \begin{minted}{sh} SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem SSLVerifyClient None \end{minted} \subsection{Libreoffice} \begin{minted}{sh} vim /var/www/owncloud/config/config.php \end{minted} \begin{minted}{sh} 'preview_libreoffice_path' => '/usr/bin/libreoffice', \end{minted} POSTFIX XXX ... \begin{minted}{sh} apt-get remove exim4 exim4-base exim4-config exim4-daemon-light apt-get purge exim4 exim4-base exim4-config exim4-daemon-light apt-get install postfix #apt-get install bsd-mailx \end{minted} Use APCu and Redis for caching \begin{minted}{sh} vim /var/www/owncloud/config/config.php \end{minted} add \begin{minted}{sh} 'memcache.local' => '\OC\Memcache\APCu', 'redis' => array( 'host' => '/var/run/redis/redis.sock', 'port' => 0, ), 'memcache.locking' => '\OC\Memcache\Redis', \end{minted} \begin{minted}{sh} vim /etc/redis/redis.conf \end{minted} \begin{minted}{sh} unixsocket /var/run/redis/redis.sock unixsocketperm 770 \end{minted} \begin{minted}{sh} adduser www-data redis \end{minted} Todo: consider reboot \begin{minted}{sh} # Secure https some moar # https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label cd /etc/apache2/mods-enabled ln -s ../mods-available/headers.load . vim /etc/apache2/sites-enabled/default-ssl.conf \end{minted} Add: \begin{minted}{sh} Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" \end{minted} Add stuff, and run: \begin{minted}{sh} vim /var/www/owncloud/config/config.php \end{minted} \begin{minted}{sh} 'defaultapp' => 'calendar', 'session_keepalive' => true, 'htaccess.RewriteBase' => '/owncloud', \end{minted} \begin{minted}{sh} sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess \end{minted} Drop /owncloud from the URL \begin{minted}{sh} vim /etc/apache2/conf-available/owncloud.conf \end{minted} \begin{minted}{sh} Alias / "/var/www/owncloud/" \end{minted} \begin{minted}{sh} vim /var/www/owncloud/config/config.php \end{minted} \begin{minted}{sh} 'overwrite.cli.url' => 'https://pwn.themoes.org', \end{minted} \subsection{Misc} \begin{minted}{sh} vim /var/www/owncloud/config/config.php \end{minted} \begin{minted}{sh} 'logtimezone' => 'MST', 'session_keepalive' => true, 'htaccess.RewriteBase' => '/', 'overwritewebroot' => '/', 'check_for_working_webdav' => true, 'check_for_working_wellknown_setup' => true, 'check_for_working_htaccess' => true, 'logfile' => '/var/log/owncloud.log', 'loglevel' => 2, 'enable_previews' => true, 'preview_max_x' => 2048, 'preview_max_y' => 2048, 'preview_max_scale_factor' => 10, 'preview_max_filesize_image' => 50, 'preview_office_cl_parameters' => ' --headless --nologo --nofirststartwizard --invisible --norestore '. '-convert-to pdf -outdir ', 'enabledPreviewProviders' => array( 'OC\Preview\PNG', 'OC\Preview\JPEG', 'OC\Preview\GIF', 'OC\Preview\BMP', 'OC\Preview\XBitmap', 'OC\Preview\MP3', 'OC\Preview\TXT', 'OC\Preview\MarkDown', 'OC\Preview\PDF', 'OC\Preview\Postscript', 'OC\Preview\SVG', 'OC\Preview\Movie', 'OC\Preview\MSOfficeDoc', 'OC\Preview\MSOffice2003', 'OC\Preview\MSOffice2007', 'OC\Preview\OpenDocument', 'OC\Preview\StarOffice', ), 'maintenance' => false, 'singleuser' => false, 'asset-pipeline.enabled' => false, \end{minted} set up that temp dir: \begin{minted}{sh} mkdir /srv/owncloudtemp chown www-data:www-data /srv/owncloudtemp/ chmod 770 /srv/owncloudtemp/ vim /var/www/owncloud/config/config.php \end{minted} \begin{minted}{sh} 'tempdirectory' => '/srv/owncloudtemp', \end{minted} php.ini stuff \begin{minted}{sh} vim /etc/php5/apache2/php.ini \end{minted} \begin{minted}{sh} php_value upload_max_filesize = 5G php_value post_max_size = 5G php_value max_input_time 3600 php_value max_execution_time 3600 memory_limit = 512M \end{minted} for svg ? \begin{minted}{sh} apt-get install inkscape \end{minted} \begin{minted}{sh} \subsection{Solr / Nexant} \end{minted} \begin{minted}{sh} apt-get install php-solr solr-jetty \end{minted} \begin{minted}{sh} # enable nexant app in web interface # vim /etc/jetty9/jetty-http.xml # vim /etc/jetty9/jetty-https.xml # # to # \end{minted} \begin{minted}{sh} # nope #cd solr/ #cp -fr configsets/basic_configs nextant # This: # https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr # see local git clone # Actually, do this install of solr... # https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service # apt-get install tesseract-ocr tesseract-ocr-eng # apt-get install ocrmypdf # not needed, for other OCR thing \end{minted} \subsection{Spreed} \large{Spreed Nextcloud WebRTC} There is a Spreed.me module for Nextcloud, which points to a spreed webrtc server. If the spreed and nextcloud server use different hostnames (origins), screen-sharing won't be allowed due to browser restrictions. So spreed is getting installed straight onto the Nextcloud server, https://own.alephobjects.com . \subsection{Links} \begin{minted}{sh} * https://github.com/strukturag/spreed-webrtc * https://github.com/strukturag/nextcloud-spreedme * https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server * https://hub.docker.com/r/spreed/webrtc/ * https://docs.docker.com/engine/installation/linux/debian/ \end{minted} We're going to use a Docker install... own.alephobjects.com is currently running Debian Stretch (testing, version 9). Unfortunately, docker.io (as it is named in Debian) is available for jessie-backports and sid, but not for stretch... We'll use docker's apt repos to get docker.... \subsection{Install Docker} \begin{minted}{sh} * https://docs.docker.com/engine/installation/linux/debian/ \end{minted} \begin{minted}{sh} apt update apt install apt-transport-https ca-certificates gnupg2 apt-key adv \ --keyserver hkp://ha.pool.sks-keyservers.net:80 \ --recv-keys 58118E89F3A912897C070ADBF76221572C52609D vim /etc/apt/sources.list.d/docker.list \end{minted} Add: \begin{minted}{sh} deb https://apt.dockerproject.org/repo debian-stretch main \end{minted} \begin{minted}{sh} cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt' \end{minted} save \begin{minted}{sh} apt update apt install -y docker-engine cd /etc ; git add . ; git commit -a -m 'Install docker' service docker start \end{minted} \subsection{Test docker} \begin{minted}{sh} docker run hello-world \end{minted} \subsection{Set up spreed docker} \begin{minted}{sh} mkdir -p /srv/spreed/extra.d vim /etc/spreed-webrtc-nextcloud.conf \end{minted} make config like this: \begin{minted}{sh} [http] basePath = /webrtc/ [app] authorizeRoomJoin = true extra.d = /srv/spreed/extra.d [users] enabled = true mode = sharedsecret \end{minted} \subsection{Run Spreed Docker} \begin{minted}{sh} cd /srv/spreed docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \ -v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf \end{minted} On first launch, it may hang forever because it doesn't have any entropy. So it will hang at "Creating new server secrets ..." Here is a workaround to generate entropy: \begin{minted}{sh} apt install -y rng-tools rngd -f -r /dev/urandom \end{minted} Run it thusly: \begin{minted}{sh} docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \ /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ -i -t spreed/webrtc -c /etc/spreed/server.conf \end{minted} \large{Configure Apache} install needed apache modules: \begin{minted}{sh} a2enmod proxy proxy_http proxy_wstunnel headers vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf \end{minted} Add this inside the VirtualHost section: \begin{minted}{sh} # Spreed WebRTC ProxyPass http://127.0.0.1:8080/webrtc ProxyPassReverse /webrtc ProxyPass ws://127.0.0.1:8080/webrtc/ws ProxyVia On ProxyPreserveHost On RequestHeader set X-Forwarded-Proto 'https' env=HTTPS \end{minted} \subsection{Spreed Configuration} \begin{minted}{sh} Get the config in own.alephobjects.com --> admin --> Additional Settings(?) --> Spreed.me # Generate that config, put it in /etc/spreed/spreed.conf # Restart docker. #cd /etc ; git add . ; git commit -a -m 'Configure' ##### HMM docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ /srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf rngd -f -r /dev/urandom # 585 docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ /etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf # 587 docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \ -v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \ /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ -i -t spreed/webrtc -c /etc/spreed/server.conf docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \ /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \ /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ -i -t spreed/webrtc -c /etc/spreed/server.conf # These two: rngd -f -r /dev/urandom docker run -d --restart unless-stopped --name my-spreed-webrtc -p \ 8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \ /var/log/spreed:/var/log/spreed -v \ /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \ -i -t spreed/webrtc -c /etc/spreed/server.conf \ \end{minted} \subsection{apache2} Install needed apache modules: \begin{minted}{sh} a2enmod proxy proxy_http proxy_wstunnel headers vim /etc/apache2/sites-enabled/pwn.themoes.org.conf \end{minted} Add this inside the VirtualHost section: \begin{minted}{sh} # Spreed WebRTC ProxyPass http://127.0.0.1:8080/webrtc ProxyPassReverse /webrtc ProxyPass ws://127.0.0.1:8080/webrtc/ws ProxyVia On ProxyPreserveHost On RequestHeader set X-Forwarded-Proto 'https' env=HTTPS \end{minted} \section{\href{http://support.ntp.org/}{NTP}} Syncs time on every server and workstation. \section{\href{http://www.opendkim.org/}{OpenDKIM}} DKIM (Domain Keys Identified Mail) sender authentication system. \section{\href{http://www.openssh.com/}{OpenSSH}} Used to control every server, create encrypted tunnels (autossh), mount filesystems (sshfs), and remote file transfer (sftp). \section{\href{http://openvpn.net/}{OpenVPN}} Connects external resources, such as employee mobiles and laptops, to the internal network. \section{\href{https://www.piwiki.org/}{Piwik}} Application to analyze web site traffic. \href{http://www.mrunix.net/webalizer/}{Webalizer} is used occassionally. \section{\href{http://www.postfix.org/}{Postfix}} Main SMTP outgoing mail server. \section{\href{http://www.postgresql.org/}{Postgres}} Database server. \section{\href{http://www.qemu.org/}{QEMU}} Computer emulator, runs virtual servers. Uses KVM. \section{\href{http://rsync.samba.org/}{rsync}} File server. \section{\href{http://www.rsyslog.com/}{rsyslog}} Logging on every server and workstation. \section{\href{http://www.spamassassin.org/}{spamassassin}} Spam filtering of email. \section{\href{http://fuse.sourceforge.net/sshfs.html}{sshfs}} Main internal fileserver. \section{\href{http://www.freedesktop.org/wiki/Software/systemd}{systemd}} System bootup and process manager. \section{\href{http://dnsmasq.org/}{TFTP}} Network install server. \section{\href{http://www.xinetd.org}{xinetd}} xinetd on Debian systems. inetd on OpenBSD. Misc network utils. \section{\href{http://www.ejabberd.im/}{XMPP/jabber}} ejabberd, Erlang XMPP (jabber) server.