refactoring and cleanup

2023-05-19 08:07:36 +02:00
parent 24f2758f16
commit 9c96a4e12a
33 changed files with 50 additions and 42 deletions
--- a/content/linux/apache-httpd.md
+++ b/content/linux/apache-httpd.md
@ -0,0 +1,20 @@
+---
+title: "Apache httpd configs"
+menu:
+  main:
+    parent: Linux
+---
+
+# HTTP proxy with Digest Auth
+
+```
+<Proxy *>
+  AuthType Digest
+  AuthName "mrtg"
+  AuthUserFile "/etc/httpd/conf/mrtg.htdigest"
+  Require valid-user
+</Proxy>
+
+ProxyPass / http://mrtg.lxc.br0tkasten.de/
+ProxyPassReverse / http://mrtg.lxc.br0tkasten.de/
+```
--- a/content/linux/lets-encrypt.md
+++ b/content/linux/lets-encrypt.md
@ -0,0 +1,90 @@
+---
+title: 'Let''s Encrypt'
+menu:
+  main:
+    parent: Linux
+---
+
+## create certificate
+```
+certbot certonly --email contact@br0tkasten.de --webroot -w /var/www/certbot/htdocs -d log.br0tkasten.de
+```
+
+## Apache config
+Default VirtualHost for HTTP (Port 80) mapping /.well-known/acme-challenge of any domain hosted on my webserver
+to the same location in filesystem (/var/www/certbot/htdocs/.well-known/acme-challenge/)
+This makes renew and create certificates very easy.
+
+```
+<VirtualHost 185.170.112.162:80 [2a03:4000:15:68::1]:80>
+        CustomLog /var/log/httpd/access.log combined
+        ErrorLog /var/log/httpd/error.log
+
+        Alias /.well-known/acme-challenge/ /var/www/certbot/htdocs/.well-known/acme-challenge/
+        <Location "/.well-known/acme-challenge">
+                Require all granted
+                Options None
+                AllowOverride None
+                ForceType text/plain
+                RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
+        </Location>
+
+        RewriteEngine On
+        RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
+        RewriteCond %{HTTPS} off
+        RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [last,redirect=301]
+</VirtualHost>
+```
+
+## renew certificates
+### systemd service
+```
+cat > /etc/systemd/system/certbot.service << EOF
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos
+EOF
+```
+
+### systemd timer
+```
+[Unit]
+Description=Twice daily renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=0/12:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+```
+
+### enable certbot timer
+```
+systemctl start certbot.timer
+systemctl enable certbot.timer
+```
+
+## renewal hooks
+
+### restart httpd after renewal
+```
+cat > /etc/letsencrypt/renewal-hooks/httpd.sh << EOF
+#!/bin/sh
+
+systemctl restart httpd
+EOF
+```
+
+### restart mail container
+```
+cat > /etc/letsencrypt/renewal-hooks/mail.sh << EOF
+#!/bin/sh
+
+lxc-stop -r -n 'mail'
+EOF
+```
--- a/content/linux/matrix-chat-server.md
+++ b/content/linux/matrix-chat-server.md
@ -0,0 +1,148 @@
+---
+title: 'Matrix Chat Server'
+menu:
+  main:
+    parent: Linux
+---
+
+# Matrix Chat Server
+## Synpase
+
+To install matrix.org reference server synapse on Alpine-Linux the following steps are neccessary. In my case alpine-linux is running within an LXC container on my server.
+
+### Install prerequisite packages
+```
+apk add \
+  python2 \
+  py2-pip \
+  py-setuptools \
+  py-virtualenv \
+  sqlite \
+  py2-pysqlite \
+  py2-psycopg \
+  postgresql-dev \
+  py2-cffi \
+  libffi-dev \
+  alpine-sdk \
+  sqlite-dev \
+  python2-dev \
+  linux-headers \
+  zlib-dev \
+  jpeg-dev
+```
+### install synapse
+
+According to https://github.com/matrix-org/synapse#synapse-installation the recomendet installation procedure is within an python virtualenv environment.
+```
+virtualenv -p python2.7 /opt/synapse
+. /opt/synapse/bin/activate
+cd /opt/synapse
+pip install --upgrade pip
+pip install --upgrade setuptools
+pip install https://github.com/matrix-org/synapse/tarball/master
+```
+### create default configuration homeserver.yaml
+```
+python \
+    -m synapse.app.homeserver \
+    --server-name matrix.br0tkasten.de \
+    --config-path homeserver.yaml \
+    --generate-config \
+    --report-stats=yes
+```
+### start synapse
+```
+synctl start
+open-rc start script
+```
+
+### create system user
+```
+adduser -S matrix
+chown -Rf matrix /opt/synapse
+```
+### virtualenv wraper script
+```
+mkdir -p /opt/sbin
+cat > /opt/sbin/synapse.sh << EOF
+#!/bin/sh
+
+. /opt/synapse/bin/activate
+
+cd /opt/synapse
+synctl start
+EOF
+chmod 0755 /opt/sbin/synapse.sh
+```
+### open-rc init script
+```
+cat > /etc/init.d/synapse << EOF
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+command="/opt/sbin/synapse.sh"
+command_user="matrix"
+pidfile="/opt/synapse/homeserver.pid"
+
+depend() {
+       need net
+}
+
+start() {
+    ebegin "Starting $name"
+    start-stop-daemon --start \
+        --user $command_user \
+        --exec $command \
+        --pidfile $pidfile 
+    eend $?
+}
+
+stop() {
+        ebegin "Stopping $name"
+        start-stop-daemon --stop --user $command_user
+        eend $?
+}
+EOF
+chmod 0755 /etc/init.d/synapse
+```
+### enable init script
+```
+rc-update add synapse
+```
+## Administration
+### create user accounts
+```
+register_new_matrix_user -c homeserver.yaml http://matrix.br0tkasten.de:8008
+```
+## Additional
+### Expose local LXC containers ports
+#### Server-to-Server
+
+For Server-to-Server connections on Port 8448 it is recommended to expose the port directly using portforwarding. On my server I used iptables for this portforwarding
+```
+iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8448 -j DNAT --to-destination matrix.lxc.local:8448
+```
+#### Client connections
+
+In my setup an apache vhost is acting as https reverse proxy.
+```
+<VirtualHost 185.170.112.162:443>
+    ServerName matrix.br0tkasten.de:443
+    RewriteEngine on
+    SSLEngine On
+    SSLProtocol all
+    SSLProxyEngine On
+
+    SSLCertificateFile /etc/letsencrypt/live/matrix.br0tkasten.de/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/matrix.br0tkasten.de/privkey.pem
+
+    CustomLog /var/log/httpd/matrix/access.log combined
+    ErrorLog /var/log/httpd/matrix/error.log
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+
+    ProxyPass / http://matrix.lxc.br0tkasten.de:8008/
+    ProxyPassReverse / http://matrix.lxc.br0tkasten.de:8008/
+</VirtualHost>
+```
--- a/content/linux/webhook.md
+++ b/content/linux/webhook.md
@ -0,0 +1,36 @@
+---
+title: webhook
+menu:
+  main:
+    parent: Linux
+---
+
+# fun with webhooks
+[webhook](https://github.com/adnanh/webhook) is a lightweight golang single binary to easily setup webhooks for your services
+
+## Examples
+### regenerate hugo
+A webhook to regenerate my [hugo](https://gohugo.io) based website.
+Using a webhook in my gitea project, content is updated upon each git push to my remote git project.
+Details can be found in my [ansible-role-hugo](https://git.br0tkasten.de/br0tkasten/ansible-role-hugo)
+
+/etc/webhooks.json
+```
+[
+        {
+                "id": "generate",
+                "execute-command": "/sbin/genHugo",
+                "command-working-directory": "/srv/hugo"
+        }
+]
+```
+
+/sbin/genHugo
+```
+#!/bin/sh
+
+cd /srv/hugo
+git pull
+HUGO_ENV="production" hugo
+```
+