You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

961 lines
26 KiB

%
% Software-daemons.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Server Daemons}
These are the server daemons used to drive the enterprise.
\section{\href{http://sourceforge.net/projects/acpid2/}{ACPID}}
Monitors ACPI events. Runs on nearly all servers and workstations.
\section{\href{http://httpd.apache.org/}{Apache}}
Web daemon, used on many servers.
\section{\href{http://www.isc.org/}{BIND}}
Nameserver used for caching.
\section{\href{https://borgbackup.github.io/borgbackup/}{Borg}}
Backup program.
\section{\href{https://www.collaboraoffice.com/code/}{code}}
Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL)
for Nextcloud.
\section{\href{https://github.com/coturn/coturn}{coturn}}
TURN and STUN server. Used for videoconferencing.
\section{\href{http://ftp.isc.org/isc/cron/}{cron}}
Scheduled triggering of applications (cf. at).
\section{\href{http://dnsmasq.org/}{DHCP}}
dnsmasq DHCP for 350+ hosts.
\section{\href{https://www.discourse.org/}{Discourse}}
Mailing list, discussion board, forum.
\section{\href{https://dockerproject.org/}{Docker}}
System containers, virtual servers.
\section{\href{http://dnsmasq.org/}{DNS}}
dnsmasq DNS caching.
\section{\href{http://dnsmasq.org/}{Dovecot}}
IMAP mail services. Employees check their mail via the
IMAP server, typically using Icedove or aomail (roundcube using IMAP).
\section{\href{https://www.erlang.org/}{Erlang}}
Virtual machine (ejabberd).
\section{{iptables}{Firewalls}}
Linux's iptables.
\section{\href{http://www.fail2ban.org/}{fail2ban}}
Block out scripts, bots, crackers, and network noise on servers.
\section{\href{http://www.debian.org/}{Init}}
Init, woo!
\section{\href{http://mariadb.org/}{MariaDB}}
Used on many servers for a database. Replacing MySQL.
\section{md RAID}
Linux RAID, md, mdadm.
\section{\href{http://www.memcached.org/}{memcached}}
Used to speed up websites, such as Nextcloud.
\section{\href{http://www.mysql.org/}{MySQL}}
Used on many servers for a database.
\section{\href{https://nextcloud.com/}{Nextcloud}}
Shared calendars, files, collaborative document editing with
LibreOffice Online, videoconferencing.
Some of this is from owncloud era...
\begin{minted}{sh}
#Install debian jessie, ssh server, standard system utilities
#install jebba ssh key
#install sudo
#disable password ssh
#disable root ssh
#==================================
#
#Set up DNS
#Set up Server
#Create new jessie server, and boot it up.
#Copy over key:
ssh-copy-id jebba@pwn.themoes.org
#Log in to new machine:
ssh jebba@pwn.themoes.org
#Change jebba's password.
passwd jebba
#Set a root password:
su -
passwd root
#Disable source repos:
sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
#Set up `git` as kludge to track /etc
apt-get -y install git
cd /etc
git init
chmod og-rwx /etc/.git
vi /etc/.gitignore
\end{minted}
Add these lines to /etc/.gitignore
\begin{minted}{sh}
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
\end{minted}
\subsection{Set up a git user:}
\begin{minted}{sh}
vi ~/.gitconfig
[user]
name = Jeff Moe
[color]
branch = auto
diff = auto
status = auto
\end{minted}
\subsection{Create and populate the git repo for /etc:}
\begin{minted}{sh}
git add .
EDITOR=vi git commit -a
Intial setup of pwn.themoes.org jessie owncloud server
#Install some needed stuff:
apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
host strace telnet lsb-release unzip bzip2 && apt-get clean
#Set up vim:
echo :syntax on > ~/.vimrc
#Add jebba to sudo group:
adduser jebba sudo
#Make sudoers passwordless:
vim /etc/sudoers
#Change:
%sudo ALL=(ALL:ALL) ALL
#To:
%sudo ALL=(ALL) NOPASSWD: ALL
#Edit /etc/ssh/sshd_config (dodgy way to do this):
sed -i \
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
-e 's/RSAAuthentication yes/RSAAuthentication no/g' \
-e 's/Port 22/Port 43827/g'\
-e 's/X11Forwarding yes/X11Forwarding no/g' \
/etc/ssh/sshd_config
#Disable unneeded services:
for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
sudo /usr/sbin/update-rc.d $i disable ; done
\end{minted}
Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
Reboot
\begin{minted}{sh}
#Log in as jebba (from workstation):
ssh -p 43827 -C jebba@pwn.themoes.org
#VIM:
echo :syntax on > ~/.vimrc
\end{minted}
\subsection{Setup}
Update /etc/hosts:
\begin{minted}{sh}
5.152.179.226 pwn pwn.themoes.org
#Comment out:
#127.0.1.1 pwn.themoes.org pwn
#Update /etc/hostname:
pwn
#Commit everything so far to git
sudo su -
cd /etc
git add .
EDITOR=vi git commit -a
# Additional base config for server.
\end{minted}
\subsection{Make IP Static}
\begin{minted}{sh}
vim /etc/network/interfaces
\end{minted}
Comment out:
\begin{minted}{sh}
#allow-hotplug eth0
#iface eth0 inet dhcp
\end{minted}
Add:
\begin{minted}{sh}
auto eth0
iface eth0 inet static
address 5.152.179.226
netmask 255.255.255.0
gateway 5.152.179.1
\end{minted}
\subsection{Install Firewall}\label{ssec:nextcloudfirewall}
\url{https://wiki.debian.org/iptables}
\begin{minted}{sh}
#Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables
touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
/etc/iptables.test.rules
chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules
\end{minted}
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
*filter
\begin{minted}{sh}
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
doesn't use lo0
-A INPUT -i lo -j ACCEPT
#-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for
websites)
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Accept 443 from everywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH Access Port 43827
-A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT
# Allow ssh from anywhere
-A INPUT -p tcp --dport 43827 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Opsview access
#-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports
2222,37,4949,5666 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
--log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
\end{minted}
\begin{minted}{sh}
touch /etc/network/if-pre-up.d/iptables
chmod 755 /etc/network/if-pre-up.d/iptables
vim /etc/network/if-pre-up.d/iptables
\end{minted}
\begin{minted}{sh}
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
\end{minted}
Then run:
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Disable IPv6
\begin{minted}{sh}
vim /etc/sysctl.conf
\end{minted}
Add:
\begin{minted}{sh}
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
\end{minted}
\begin{minted}{sh}
sysctl -p
\end{minted}
Add this to kernel boot line /etc/default/grub:
\begin{minted}{sh}
GRUB_CMDLINE_LINUX="ipv6.disable=1"
\end{minted}
then run:
\begin{minted}{sh}
update-grub
\end{minted}
\begin{minted}{sh}
# Also need to change anything in /etc/apache2/sites-enabled/* that has
*:80 to 0.0.0.0, so no IPv6.
# Comment out IPv6 stuff in /etc/hosts:
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
# Also need to change anything in /etc/apache2/sites-enabled/* that has
*:80 to 0.0.0.0, so no IPv6.
\end{minted}
Blacklist the module, don't even load it:
\begin{minted}{sh}
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
\end{minted}
Tell the module not to use IPv6 (hit it with the hammer over and over):
\begin{minted}{sh}
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
\end{minted}
\begin{minted}{sh}
reboot
\end{minted}
%####################
%# Install Owncloud #
%####################
\subsection{Install nextcloud}
Copied from Owncloud installation sequence. Todo: review difference to Nextcloud
Add Debian Backports (eh?)
\begin{minted}{sh}
sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports
main' >> /etc/apt/sources.list.d/backports.list"
apt-get update
apt-get dist-upgrade -t jessie-backports
apt-get clean
sync
reboot & exit
\end{minted}
Add owncloud repos (ToDo)
\begin{minted}{sh}
cd
wget -nv \
https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \
-O Release.key
apt-key add - < Release.key
sh -c "echo 'deb
http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /'
>> /etc/apt/sources.list.d/owncloud.list"
apt-get update
apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \
ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \
php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \
libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \
php5-mcrypt php5-imagick mysql-server
apt-get clean
\end{minted}
Set up database
\begin{minted}{sh}
vim ~/.mysqlpw
\end{minted}
\begin{minted}{sh}
# meh
update-rc.d saned disable
\end{minted}
\begin{minted}{sh}
# Configure Apache2 on a Debian Jessie Server
# Setup default https configuration:
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl .
# Enable SSL modules
cd /etc/apache2/mods-enabled
ln -s ../mods-available/*ssl* .
ln -s ../mods-available/socache_shmcb.load .
# XXX left this out:
#vim /etc/apache2/sites-available/default-ssl.conf
# make sure that each <Directory > has AllowOverride All
# Generate SSL certificate
cd /etc/ssl/private/
openssl genrsa -out pwn.themoes.org.key 2048
openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr
#* After the last command answer the following:
#** Country Name : US
#** State or Province Name: Colorado
#** Locality Name: Redstone Canyon
#** Organization Name: Moe
#** Organizational Unit Name: IT
#** Common Name: pwn.themoes.org
#** Email Address: pwn@themoes.org
#** Leave Challenge password and An optional company name blank.
# Sent csr to SSL registrar.
\end{minted}
Open up port 80 to do SSL registrar verification:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
Enable the port 80 lines for registar, and port 443 lines for owncloud
later at the file
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Copy Gandi file for SSL authentication to /var/www/html/
After Gandi verifies it, remove the file.
Then disable port 80 in the firewall again:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Move the cert in place
\begin{minted}{sh}
mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt
chown root:root /etc/ssl/private/pwn.themoes.org.crt
# Gandi intermediate certs XXX
# http://crt.gandi.net/GandiStandardSSLCA2.crt OR
# https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
# Gah, wtf, add this?
# Comodo Cross-Signed Certificate
# http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
#* Generate certificate:
# XXX gah, gandi root certs ?
# WTF does this do.
openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \
-CAkey AOrootCA.key -CAserial AOrootCA.srl \
-out pwn.themoes.org.crt -days 65000
\end{minted}
ToDo: consider adding rm pwn.themoes.org.csr
Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private
directory.
Make sure the they can't be read by the others.
Configure SSL part of the Apache Server:
\begin{minted}{sh}
vim /etc/apache2/sites-available/default-ssl.conf
\end{minted}
change to:
\begin{minted}{sh}
ServerName pwn.themoes.org
ServerAdmin pwn@themoes.org
\end{minted}
comment out snakeoil keys
add
\begin{minted}{sh}
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt
SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key
\end{minted}
\subsection{Enable the SSL server}
\begin{minted}{sh}
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf .
\end{minted}
Restart Apache2
\begin{minted}{sh}
/etc/init.d/apache2 restart
\end{minted}
\begin{minted}{sh}
echo pwn > /var/www/html/index.html
\end{minted}
Install owncloud
\begin{minted}{sh}
apt-get install -t jessie-backports owncloud
\end{minted}
set up mysql owncloud user
\begin{minted}{sh}
vim ~/.mysqlpw-own
cat ~/.mysqlpw-own
mysql -uroot -p`cat ~/.mysqlpw`
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED
BY 'password';
##############
# Migrate db to sql.themoes.org
##############
# Set up mysql config with sql.themoes.org (NOT on traccar, but on db
server)
mysql> CREATE DATABASE owncloud;
mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX';
mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2';
mysql> FLUSH PRIVILEGES;
\end{minted}
\begin{minted}{sh}
mkdir /srv/owncloud
chown www-data:www-data /srv/owncloud
chmod 770 /srv/owncloud
\end{minted}
\begin{minted}{sh}
# Do web stuff
# https://pwn.themoes.org/owncloud/
# Create admin account
# Data folder:
# /srv/owncloud
# MySQL:
# User: owncloud
# Password:
# Database Name: owncloud
\end{minted}
set up crontab in web and here:
\begin{minted}{sh}
crontab -u www-data -e
\end{minted}
Add:
\begin{minted}{sh}
*/15 * * * * php -f /var/www/owncloud/cron.php
\end{minted}
Check it:
\begin{minted}{sh}
crontab -u www-data -l
\end{minted}
\begin{minted}{sh}
root@pwn:/etc/ssl/private# chmod o-r *
root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
mv GandiStandardSSLCA2.pem /etc/ssl/certs/
chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem
\end{minted}
Add this to
Configure SSL part of the Apache Server:
\begin{minted}{sh}
vim /etc/apache2/sites-available/default-ssl.conf
\end{minted}
\begin{minted}{sh}
SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
SSLVerifyClient None
\end{minted}
\subsection{Libreoffice}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'preview_libreoffice_path' => '/usr/bin/libreoffice',
\end{minted}
POSTFIX XXX ...
\begin{minted}{sh}
apt-get remove exim4 exim4-base exim4-config exim4-daemon-light
apt-get purge exim4 exim4-base exim4-config exim4-daemon-light
apt-get install postfix
#apt-get install bsd-mailx
\end{minted}
Use APCu and Redis for caching
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
add
\begin{minted}{sh}
'memcache.local' => '\OC\Memcache\APCu',
'redis' => array(
'host' => '/var/run/redis/redis.sock',
'port' => 0,
),
'memcache.locking' => '\OC\Memcache\Redis',
\end{minted}
\begin{minted}{sh}
vim /etc/redis/redis.conf
\end{minted}
\begin{minted}{sh}
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
\end{minted}
\begin{minted}{sh}
adduser www-data redis
\end{minted}
Todo: consider reboot
\begin{minted}{sh}
# Secure https some moar
#
https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label
cd /etc/apache2/mods-enabled
ln -s ../mods-available/headers.load .
vim /etc/apache2/sites-enabled/default-ssl.conf
\end{minted}
Add:
\begin{minted}{sh}
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
\end{minted}
Add stuff, and run:
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'defaultapp' => 'calendar',
'session_keepalive' => true,
'htaccess.RewriteBase' => '/owncloud',
\end{minted}
\begin{minted}{sh}
sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess
\end{minted}
Drop /owncloud from the URL
\begin{minted}{sh}
vim /etc/apache2/conf-available/owncloud.conf
\end{minted}
\begin{minted}{sh}
Alias / "/var/www/owncloud/"
\end{minted}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'overwrite.cli.url' => 'https://pwn.themoes.org',
\end{minted}
\subsection{Misc}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'logtimezone' => 'MST',
'session_keepalive' => true,
'htaccess.RewriteBase' => '/',
'overwritewebroot' => '/',
'check_for_working_webdav' => true,
'check_for_working_wellknown_setup' => true,
'check_for_working_htaccess' => true,
'logfile' => '/var/log/owncloud.log',
'loglevel' => 2,
'enable_previews' => true,
'preview_max_x' => 2048,
'preview_max_y' => 2048,
'preview_max_scale_factor' => 10,
'preview_max_filesize_image' => 50,
'preview_office_cl_parameters' =>
' --headless --nologo --nofirststartwizard --invisible
--norestore '.
'-convert-to pdf -outdir ',
'enabledPreviewProviders' => array(
'OC\Preview\PNG',
'OC\Preview\JPEG',
'OC\Preview\GIF',
'OC\Preview\BMP',
'OC\Preview\XBitmap',
'OC\Preview\MP3',
'OC\Preview\TXT',
'OC\Preview\MarkDown',
'OC\Preview\PDF',
'OC\Preview\Postscript',
'OC\Preview\SVG',
'OC\Preview\Movie',
'OC\Preview\MSOfficeDoc',
'OC\Preview\MSOffice2003',
'OC\Preview\MSOffice2007',
'OC\Preview\OpenDocument',
'OC\Preview\StarOffice',
),
'maintenance' => false,
'singleuser' => false,
'asset-pipeline.enabled' => false,
\end{minted}
set up that temp dir:
\begin{minted}{sh}
mkdir /srv/owncloudtemp
chown www-data:www-data /srv/owncloudtemp/
chmod 770 /srv/owncloudtemp/
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
'tempdirectory' => '/srv/owncloudtemp',
\end{minted}
php.ini stuff
\begin{minted}{sh}
vim /etc/php5/apache2/php.ini
\end{minted}
\begin{minted}{sh}
php_value upload_max_filesize = 5G
php_value post_max_size = 5G
php_value max_input_time 3600
php_value max_execution_time 3600
memory_limit = 512M
\end{minted}
for svg ?
\begin{minted}{sh}
apt-get install inkscape
\end{minted}
\begin{minted}{sh}
\subsection{Solr / Nexant}
\end{minted}
\begin{minted}{sh}
apt-get install php-solr solr-jetty
\end{minted}
\begin{minted}{sh}
# enable nexant app in web interface
# vim /etc/jetty9/jetty-http.xml
# vim /etc/jetty9/jetty-https.xml
# <Set name="host"><Property name="jetty.host" /></Set>
# to
# <Set name="host"><Property name="jetty.host" default="127.0.0.1" /></Set>
\end{minted}
\begin{minted}{sh}
# nope
#cd solr/
#cp -fr configsets/basic_configs nextant
# This:
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr
# see local git clone
# Actually, do this install of solr...
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service
# apt-get install tesseract-ocr tesseract-ocr-eng
# apt-get install ocrmypdf # not needed, for other OCR thing
\end{minted}
\subsection{Spreed}
\large{Spreed Nextcloud WebRTC}
There is a Spreed.me module for Nextcloud, which points to a spreed
webrtc server. If the spreed and nextcloud server use different
hostnames (origins), screen-sharing won't be allowed due to browser
restrictions. So spreed is getting installed straight onto the Nextcloud
server, https://own.alephobjects.com .
\subsection{Links}
\begin{minted}{sh}
* https://github.com/strukturag/spreed-webrtc
* https://github.com/strukturag/nextcloud-spreedme
* https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server
* https://hub.docker.com/r/spreed/webrtc/
* https://docs.docker.com/engine/installation/linux/debian/
\end{minted}
We're going to use a Docker install... own.alephobjects.com is
currently running Debian Stretch (testing, version 9). Unfortunately,
docker.io (as it is named in Debian) is available for jessie-backports
and sid, but not for stretch... We'll use docker's apt repos to get
docker....
\subsection{Install Docker}
\begin{minted}{sh}
* https://docs.docker.com/engine/installation/linux/debian/
\end{minted}
\begin{minted}{sh}
apt update
apt install apt-transport-https ca-certificates gnupg2
apt-key adv \
--keyserver hkp://ha.pool.sks-keyservers.net:80 \
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
vim /etc/apt/sources.list.d/docker.list
\end{minted}
Add:
\begin{minted}{sh}
deb https://apt.dockerproject.org/repo debian-stretch main
\end{minted}
\begin{minted}{sh}
cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt'
\end{minted}
save
\begin{minted}{sh}
apt update
apt install -y docker-engine
cd /etc ; git add . ; git commit -a -m 'Install docker'
service docker start
\end{minted}
\subsection{Test docker}
\begin{minted}{sh}
docker run hello-world
\end{minted}
\subsection{Set up spreed docker}
\begin{minted}{sh}
mkdir -p /srv/spreed/extra.d
vim /etc/spreed-webrtc-nextcloud.conf
\end{minted}
make config like this:
\begin{minted}{sh}
[http]
basePath = /webrtc/
[app]
authorizeRoomJoin = true
extra.d = /srv/spreed/extra.d
[users]
enabled = true
mode = sharedsecret
\end{minted}
\subsection{Run Spreed Docker}
\begin{minted}{sh}
cd /srv/spreed
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \
-v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf
\end{minted}
On first launch, it may hang forever because it doesn't have any
entropy. So it will hang at "Creating new server secrets ..."
Here is a workaround to generate entropy:
\begin{minted}{sh}
apt install -y rng-tools
rngd -f -r /dev/urandom
\end{minted}
Run it thusly:
\begin{minted}{sh}
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
\end{minted}
\large{Configure Apache}
install needed apache modules:
\begin{minted}{sh}
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf
\end{minted}
Add this inside the VirtualHost section:
\begin{minted}{sh}
# Spreed WebRTC
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
ProxyPass ws://127.0.0.1:8080/webrtc/ws
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\end{minted}
\subsection{Spreed Configuration}
\begin{minted}{sh}
Get the config in own.alephobjects.com --> admin --> Additional
Settings(?) --> Spreed.me
# Generate that config, put it in /etc/spreed/spreed.conf
# Restart docker.
#cd /etc ; git add . ; git commit -a -m 'Configure'
##### HMM
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
rngd -f -r /dev/urandom
# 585 docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
# 587 docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \
-v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
# These two:
rngd -f -r /dev/urandom
docker run -d --restart unless-stopped --name my-spreed-webrtc -p \
8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \
/var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf \
\end{minted}
\subsection{apache2}
Install needed apache modules:
\begin{minted}{sh}
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/pwn.themoes.org.conf
\end{minted}
Add this inside the VirtualHost section:
\begin{minted}{sh}
# Spreed WebRTC
<Location /webrtc>
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
</Location>
<Location /webrtc/ws>
ProxyPass ws://127.0.0.1:8080/webrtc/ws
</Location>
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\end{minted}
\section{\href{http://support.ntp.org/}{NTP}}
Syncs time on every server and workstation.
\section{\href{http://www.opendkim.org/}{OpenDKIM}}
DKIM (Domain Keys Identified Mail) sender authentication system.
\section{\href{http://www.openssh.com/}{OpenSSH}}
Used to control every server, create encrypted tunnels (autossh),
mount filesystems (sshfs), and remote file transfer (sftp).
\section{\href{http://openvpn.net/}{OpenVPN}}
Connects external resources, such as employee mobiles and laptops, to the internal network.
\section{\href{https://www.piwiki.org/}{Piwik}}
Application to analyze web site traffic.
\href{http://www.mrunix.net/webalizer/}{Webalizer} is used occassionally.
\section{\href{http://www.postfix.org/}{Postfix}}
Main SMTP outgoing mail server.
\section{\href{http://www.postgresql.org/}{Postgres}}
Database server.
\section{\href{http://www.qemu.org/}{QEMU}}
Computer emulator, runs virtual servers. Uses KVM.
\section{\href{http://rsync.samba.org/}{rsync}}
File server.
\section{\href{http://www.rsyslog.com/}{rsyslog}}
Logging on every server and workstation.
\section{\href{http://www.spamassassin.org/}{spamassassin}}
Spam filtering of email.
\section{\href{http://fuse.sourceforge.net/sshfs.html}{sshfs}}
Main internal fileserver.
\section{\href{http://www.freedesktop.org/wiki/Software/systemd}{systemd}}
System bootup and process manager.
\section{\href{http://dnsmasq.org/}{TFTP}}
Network install server.
\section{\href{http://www.xinetd.org}{xinetd}}
xinetd on Debian systems. inetd on OpenBSD. Misc network utils.
\section{\href{http://www.ejabberd.im/}{XMPP/jabber}}
ejabberd, Erlang XMPP (jabber) server.