cleanup & mrtg article

2022-01-15 21:41:04 +01:00
parent ec02097300
commit 88c4ff8877
13 changed files with 105 additions and 3 deletions
--- a/content/post/apache-httpd.md
+++ b/content/post/apache-httpd.md
@ -0,0 +1,18 @@
+---
+title: "Apache httpd configs"
+date: 2021-11-13
+---
+
+# HTTP proxy with Digest Auth
+
+```
+<Proxy *>
+  AuthType Digest
+  AuthName "mrtg"
+  AuthUserFile "/etc/httpd/conf/mrtg.htdigest"
+  Require valid-user
+</Proxy>
+
+ProxyPass / http://mrtg.lxc.br0tkasten.de/
+ProxyPassReverse / http://mrtg.lxc.br0tkasten.de/
+```
--- a/content/post/lets-encrypt.md
+++ b/content/post/lets-encrypt.md
@ -0,0 +1,89 @@
+---
+title: 'Let''s Encrypt'
+date: 2021-11-13T15:06:57Z
+draft: false
+---
+
+## create certificate
+```
+certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
+```
+
+## Apache config
+Default VirtualHost for HTTP (Port 80) mapping /.well-known/acme-challenge of any domain hosted on my webserver
+to the same location in filesystem (/var/www/certbot/htdocs/.well-known/acme-challenge/)
+This makes renew and create certificates very easy.
+
+```
+<VirtualHost 185.170.112.162:80 [2a03:4000:15:68::1]:80>
+        CustomLog /var/log/httpd/access.log combined
+        ErrorLog /var/log/httpd/error.log
+
+        Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
+        <Location "/.well-known/acme-challenge">
+                Require all granted
+                Options None
+                AllowOverride None
+                ForceType text/plain
+                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+        </Location>
+
+        RewriteEngine On
+        RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
+        RewriteCond %{HTTPS} off
+        RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
+</VirtualHost>
+```
+
+## renew certificates
+### systemd service
+```
+cat > /etc/systemd/system/certbot.service << EOF
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos
+EOF
+```
+
+### systemd timer
+```
+[Unit]
+Description=Twice daily renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+```
+
+### enable certbot timer
+```
+systemctl start certbot.timer
+systemctl enable certbot.timer
+```
+
+## renewal hooks
+
+### restart httpd after renewal
+```
+cat > /etc/letsencrypt/renewal-hooks/httpd.sh << EOF
+#!/bin/sh
+
+systemctl restart httpd
+EOF
+```
+
+### restart mail container
+```
+cat > /etc/letsencrypt/renewal-hooks/mail.sh << EOF
+#!/bin/sh
+
+lxc-stop -r -n 'mail'
+EOF
+```
--- a/content/post/lxc/lxc-networking.md
+++ b/content/post/lxc/lxc-networking.md
@ -0,0 +1,83 @@
+---
+title: 'LXC Networking'
+date: 2021-11-13T15:06:57Z
+draft: false
+---
+
+# LXC network configurations
+
+## create network bridge
+```
+brctl add br0
+```
+
+## add virtual ethernet interface to container 
+
+Add the following lines to _/var/lib/lxc/container/config_
+```
+lxc.net.0.type  = veth
+lxc.net.0.link  = br0
+lxc.net.0.flags = up
+lxc.net.0.name  = eth0
+```
+
+## iptables
+### port forwarding
+iptables (IPv4) and ip6tables (IPv6) DNAT target to forward services to container.
+
+```
+iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8448 -j DNAT \
+        --to-destination 10.3.0.31:8448
+```
+
+### masquerading
+Translate outgoing traffic from container to public IP address
+
+```
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+```
+
+## IPv6
+### network configuration
+#### host 
+```
+ip addr add fd00::1/8 dev br0
+```
+```
+cat > /etc/sysctl.d/ipv6-forwarding.conf <<EOF
+net.ipv6.conf.eth0.accept_ra = 2
+net.ipv6.conf.br0.accept_ra = 2
+net.ipv6.conf.default.accept_ra = 2
+net.ipv6.conf.all.accept_ra = 2
+
+net.ipv6.conf.all.forwarding = 1
+net.ipv6.conf.default.forwarding = 1
+net.ipv6.conf.eth0.forwarding = 1
+net.ipv6.conf.br0.forwarding = 1
+EOF
+```
+
+#### container
+```
+ip addr add fd00::20:1/64 dev eth0
+ip route add default via fd00::1 dev eth0
+```
+
+### port forwarding
+```
+ip6tables \
+  -t nat \
+  -A PREROUTING \
+  -d 2a03:4000:15:68::20/128 \
+  -i eth0 \
+  -p tcp \
+  -m tcp \
+  --dport 587 \
+  -j DNAT \
+  --to-destination [fd00::20:1]:587
+```
+
+### masquerade
+```
+ip6tables -t nat -A POSTROUTING -s fd00::20:1/128 -o eth0 -j SNAT --to-source 2a03:4000:15:68::20
+```
--- a/content/post/mail.md
+++ b/content/post/mail.md
@ -0,0 +1,31 @@
+---
+title: Mail
+date: 2021-11-13T15:06:57Z
+draft: false
+---
+
+Stuff to know about mail
+## Fetchmail
+
+fetchmail pop.gmx.net --ssl --verbose --username _username_ --protocol pop3
+
+## SMTP via Telnet
+### query MX record (mailserver)
+
+dig mx br0tkasten.de
+
+### connect to mailservice @ mailserver
+
+telnet mail.br0tkasten.de 25
+
+### send testmail
+
+ehlo barbecue.com
+MAIL FROM: root@barbecue.com
+RCPT TO: info@br0tkasten.de
+DATA
+Subject: Bla fasel
+
+Das ist eine Testmail
+.
+QUIT
--- a/content/post/matrix-chat-server.md
+++ b/content/post/matrix-chat-server.md
@ -0,0 +1,147 @@
+---
+title: 'Matrix Chat Server'
+date: 2021-11-13T15:06:57Z
+draft: false
+---
+
+# Matrix Chat Server
+## Synpase
+
+To install matrix.org reference server synapse on Alpine-Linux the following steps are neccessary. In my case alpine-linux is running within an LXC container on my server.
+
+### Install prerequisite packages
+```
+apk add \
+  python2 \
+  py2-pip \
+  py-setuptools \
+  py-virtualenv \
+  sqlite \
+  py2-pysqlite \
+  py2-psycopg \
+  postgresql-dev \
+  py2-cffi \
+  libffi-dev \
+  alpine-sdk \
+  sqlite-dev \
+  python2-dev \
+  linux-headers \
+  zlib-dev \
+  jpeg-dev
+```
+### install synapse
+
+According to https://github.com/matrix-org/synapse#synapse-installation the recomendet installation procedure is within an python virtualenv environment.
+```
+virtualenv -p python2.7 /opt/synapse
+. /opt/synapse/bin/activate
+cd /opt/synapse
+pip install --upgrade pip
+pip install --upgrade setuptools
+pip install https://github.com/matrix-org/synapse/tarball/master
+```
+### create default configuration homeserver.yaml
+```
+python \
+    -m synapse.app.homeserver \
+    --server-name matrix.br0tkasten.de \
+    --config-path homeserver.yaml \
+    --generate-config \
+    --report-stats=yes
+```
+### start synapse
+```
+synctl start
+open-rc start script
+```
+
+### create system user
+```
+adduser -S matrix
+chown -Rf matrix /opt/synapse
+```
+### virtualenv wraper script
+```
+mkdir -p /opt/sbin
+cat > /opt/sbin/synapse.sh << EOF
+#!/bin/sh
+
+. /opt/synapse/bin/activate
+
+cd /opt/synapse
+synctl start
+EOF
+chmod 0755 /opt/sbin/synapse.sh
+```
+### open-rc init script
+```
+cat > /etc/init.d/synapse << EOF
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+command="/opt/sbin/synapse.sh"
+command_user="matrix"
+pidfile="/opt/synapse/homeserver.pid"
+
+depend() {
+       need net
+}
+
+start() {
+    ebegin "Starting $name"
+    start-stop-daemon --start \
+        --user $command_user \
+        --exec $command \
+        --pidfile $pidfile 
+    eend $?
+}
+
+stop() {
+        ebegin "Stopping $name"
+        start-stop-daemon --stop --user $command_user
+        eend $?
+}
+EOF
+chmod 0755 /etc/init.d/synapse
+```
+### enable init script
+```
+rc-update add synapse
+```
+## Administration
+### create user accounts
+```
+register_new_matrix_user -c homeserver.yaml http://matrix.br0tkasten.de:8008
+```
+## Additional
+### Expose local LXC containers ports
+#### Server-to-Server
+
+For Server-to-Server connections on Port 8448 it is recommended to expose the port directly using portforwarding. On my server I used iptables for this portforwarding
+```
+iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8448 -j DNAT --to-destination matrix.lxc.local:8448
+```
+#### Client connections
+
+In my setup an apache vhost is acting as https reverse proxy.
+```
+<VirtualHost 185.170.112.162:443>
+    ServerName matrix.br0tkasten.de:443
+    RewriteEngine on
+    SSLEngine On
+    SSLProtocol all
+    SSLProxyEngine On
+
+    SSLCertificateFile /etc/letsencrypt/live/matrix.br0tkasten.de/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/matrix.br0tkasten.de/privkey.pem
+
+    CustomLog /var/log/httpd/matrix/access.log combined
+    ErrorLog /var/log/httpd/matrix/error.log
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    ProxyPass / http://matrix.lxc.br0tkasten.de:8008/
+    ProxyPassReverse / http://matrix.lxc.br0tkasten.de:8008/
+</VirtualHost>
+```
--- a/content/post/mrtg/mrtg.md
+++ b/content/post/mrtg/mrtg.md
@ -0,0 +1,96 @@
+---
+title: "MRTG - fun with 20th century monitoring solution"
+date: 2022-01-15T14:43:04+01:00
+draft: false
+tags:
+ - monitoring
+ - mrtg
+---
+
+ > I'm totaly aware there are more modern monitoring solutions (prometheus, icinga2, prtg and other 
+ hipster stuff) out there. Despite this, I still like MRTG's minimalist approach.
+
+![MRTG](/image/mrtg/mrtg.png#center)
+
+## (my) setup
+In my configuration MRTG is solely used for *collecting metrics* from various sources.
+MRTG is very flexible where these metrics come from (snmp, curl, scripts ...).
+My current configuration can be found at https://git.br0tkasten.de/br0tkasten/mrtg
+
+### backend
+
+#### installation
+In [Alpine](https://www.alpinelinux.org), mrtg can be installed with `apk add mrtg`.
+
+#### configuration
+Details on mrtg's config can be found in the [projects online documentation](https://oss.oetiker.ch/mrtg).
+You will find my configs in [my git project](https://git.br0tkasten.de/br0tkasten/mrtg/src/branch/master/config).
+
+**Example:**
+```
+LoadMIBs: /usr/share/snmp/mibs/UCD-SNMP-MIB.txt
+WorkDir: /var/www/mrtg/rrd
+LogFormat: rrdtool
+
+Target[br0tkasten.eth0]: #eth0:oom6faayaTosh0nizoepoonahCohhahy@10.3.0.1:
+Title[br0tkasten.eth0]: [br0tkasten] eth0 
+MaxBytes[br0tkasten.eth0]: 4294967295
+```
+
+### frontend
+
+#### cgi-bin/graph.pl
+A perl script is generating graphs from rrd using templates for each metric.
+
+```
+<img alt="br0tkasten.eth0 Traffic Graph" src="/cgi-bin/graph.pl?width=680&height=200&graph=br0tkasten.eth0">
+```
+##### Parameter
+- graph: name of the metric, the script will look for a template with the same name in tmpl/*.tmpl
+- width & height: dimensions of the returned image in pixel
+
+![cgi-bin/graph.pl](/image/mrtg/graph.png)
+
+##### Templates
+For each metric to be displayed you will have to create a template in tmpl/*metric*.tmpl.
+Templates use rrdgraph syntax. More details can be found at [the projects online documentation](https://oss.oetiker.ch/rrdtool/doc/rrdgraph.en.html)
+
+**Example: tmpl/br0tkasten.eth0.tmpl**
+```
+-v in/up bps 
+-t [br0tkasten] eth0
+--full-size-mode
+--color=BACK#343637
+--color=CANVAS#F0F0F0
+--color=FONT#F0F0F0
+--font=TITLE:12:DejaVu Bold
+DEF:d=/var/www/mrtg/rrd/br0tkasten.eth0.rrd:ds0:AVERAGE
+DEF:u=/var/www/mrtg/rrd/br0tkasten.eth0.rrd:ds1:AVERAGE
+CDEF:down=d,8,*
+CDEF:up=u,-8,*
+AREA:down#CC9A5780:Down
+AREA:up#2EA34960:Up
+LINE1:down#CC9A57
+LINE1:up#2EA349
+LINE1:0#000000
+```
+
+#### cgi-bin/details.pl
+Renders tmpl/details.tmpl to display a html page with a bigger version of the graph.
+Using [rrdGraphJs](https://github.com/oetiker/RrdGraphJS) you can interactively zoom and scroll in your graph.
+
+![cgi-bin/details.pl](/image/mrtg/details.png)
+
+#### html
+Graphs are embedded in static (and some dynamically generated) html pages.
+I like to keep things simple - so most content is static.
+Examples can be found in [htdocs](https://git.br0tkasten.de/br0tkasten/mrtg/src/branch/master/htdocs/index.html).
+
+```
+<div>
+	<b>[br0tkasten.de] eth0</b><br/>
+	<a href="/cgi-bin/details.pl?graph=br0tkasten.eth0">
+        <img alt="br0tkasten.eth0 Traffic Graph" src="/cgi-bin/graph.pl?width=680&height=200&graph=br0tkasten.eth0">
+    </a>
+</div>
+```
--- a/content/post/tiptoi.md
+++ b/content/post/tiptoi.md
@ -0,0 +1,20 @@
+---
+title: tiptoi
+date: 2021-11-13T15:06:57Z
+draft: false
+---
+
+# tiptoi
+## Download media files
+
+Goto http://www.tiptoi.com -> Choose book -> "Audiodatei manuell herunterladen"
+
+## Manually mount
+
+When connecting the pen to a computer using a mini USB cable dmesg will show a new storage device (e.g. /dev/sdc). According to '''parted''' partition table is of type '''loop'''. Linux will not show hardware devices to mount the partition (e.g. /dev/sdc1).
+
+To mount the filesystem use:
+
+```
+mount -t vfat -o loop,rw /dev/sdc /mnt
+```
--- a/content/post/webhook.md
+++ b/content/post/webhook.md
@ -0,0 +1,35 @@
+---
+title: webhook
+date: 2021-11-14T15:06:57Z
+draft: false
+---
+
+# fun with webhooks
+[webhook](https://github.com/adnanh/webhook) is a lightweight golang single binary to easily setup webhooks for your services
+
+## Examples
+### regenerate hugo
+A webhook to regenerate my [hugo](https://gohugo.io) based website.
+Using a webhook in my gitea project, content is updated upon each git push to my remote git project.
+Details can be found in my [ansible-role-hugo](https://git.br0tkasten.de/br0tkasten/ansible-role-hugo)
+
+/etc/webhooks.json
+```
+[
+        {
+                "id": "generate",
+                "execute-command": "/sbin/genHugo",
+                "command-working-directory": "/srv/hugo"
+        }
+]
+```
+
+/sbin/genHugo
+```
+#!/bin/sh
+
+cd /srv/hugo
+git pull
+HUGO_ENV="production" hugo
+```
+