💾 Archived View for tommi.space › Server%20setup.gmi captured on 2023-01-29 at 03:02:45. Gemini links have been rewritten to link to archived content
<div class='red box'> Nothing in this page has been revised, and it is out of date, since I am now using <a href='https://yunohost.org' title='YunoHost'>YunoHost</a> to manage my server. On <a href='https://server.tommi.space' title='Tommi’s server'>server.tommi.space</a> there is the public front-end of the administration panel. </div>
<div class='box'> A <strong>huge shout-out</strong> to my friend <a href='http://claudiofaoro.com' title='Claudio’s personal website'>Claudio</a>, who helped me understand and perform the trickiest passages. </div>
Resources, apps, tutorials and several knowledge sources are mentioned in the [[Server]] page.
Please refer to [[Docker]] to see how I re-deployed everything on my server through Docker.
update Ubuntu (the -y flag answers yes to any prompt)
sudo apt update -y && sudo apt upgrade -y
remove leftover packages and cached archives
sudo apt autoremove -y && sudo apt autoclean -y
It is always better not to work and set things up straight from the root user: it is easy to mess everything up, and very risky if you are not 100% sure of what you are doing (which, for me, is most of the time).
add a user (“tommi”, in this case, is the username)
adduser tommi
add that user to the sudo group (the original form, adduser -aG tommi sudo, mixes usermod’s flags into adduser and fails; on Debian/Ubuntu adduser tommi sudo would also work)
usermod -aG sudo tommi
allow SSH through the firewall BEFORE enabling it: ufw’s default policy denies incoming traffic, so enabling it without this rule cuts off the remote session you are working from
ufw allow OpenSSH
enable the firewall
ufw enable
check that it is active and that the OpenSSH rule is listed
ufw status
first things first, for the web server later on, allow HTTP as well (the 'Apache' ufw profile opens port 80 only; 'Apache Full' opens 80 and 443, see the Certbot step below):
sudo ufw allow 'Apache'
create the SSH folder that stores the allowed public keys (700 on the directory; authorized_keys itself should be 600, and sudo is not needed for files in your own home)
mkdir -p ~/.ssh && chmod 700 ~/.ssh
on the local client, copy your public key over (ssh-copy-id appends to authorized_keys and fixes its permissions):
ssh-copy-id -p 5002 tommi@100.100.010.1
Alternatively (note that this overwrites any existing authorized_keys on the server instead of appending to it):
scp -P 5002 ~/.ssh/id_rsa.pub tommi@100.100.010.1:~/.ssh/authorized_keys
Substitute 100.100.010.1 with the server’s IP address, tommi with the wanted username, and 5002 with your SSH port (22 if you have not changed it yet; the next section uses 5522)
<div class='box yellow'> Changing the default SSH port reduces the noise from automated scans and brute-force attempts against <a href='https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers' target='_blank'>port 22</a>, the default one. It does not stop a targeted attacker, who will find the port with a scan: key-only login and <code>PermitRootLogin no</code> (below) are what actually protect the account. </div>
Allow the new SSH port through the firewall first. In this case, the process I will be following configures port 5522
sudo ufw allow 5522/tcp
Open the SSH configuration file /etc/ssh/sshd_config
sudo vim /etc/ssh/sshd_config
In this file, replace #Port 22 with Port 5522 and disable root login over SSH:
Port 5522 # was: #Port 22
PermitRootLogin no # was: yes
restart ssh, keeping the current session open in case something went wrong
sudo systemctl restart ssh
from a second terminal, log in on the new port (ssh -p 5522 tommi@server); only when that works, remove the rule for port 22. Note that sudo ufw deny 22 does not achieve this: ufw evaluates rules in order and the earlier allow OpenSSH rule matches first, so port 22 would stay open. Delete that rule instead
sudo ufw delete allow OpenSSH
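The steps above, as a script (an added example, not the page’s own commands): set_sshd_option edits sshd_config in place in a way that tolerates commented defaults, duplicate lines and Match blocks (sshd takes the first value it reads, and anything after a Match line is conditional, so a plain append can silently land inside a Match block), and harden_live applies the change in a lockout-safe order, validating the file with sshd -t before restarting. Port 5522, the ufw profile names and running as root are assumptions taken from this page’s setup; PasswordAuthentication no is an extra hardening step this page does not set, and is only safe once the key copied in the previous section has been tested.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page.
# Assumptions (from this page's setup): Ubuntu with ufw and OpenSSH server,
# new port 5522, and the apply step run as root.
set -euo pipefail

# set_sshd_option FILE KEY VALUE
# Rewrites FILE so that the first occurrence of KEY before any "Match" block
# (commented or active) becomes "KEY VALUE"; later active duplicates outside
# Match blocks are commented out; if KEY is absent, the line is inserted before
# the first Match block (or appended when there is none).
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    /^[[:space:]]*Match[[:space:]]/ {
      if (!done) { print key " " value; done = 1 }
      inmatch = 1
    }
    !inmatch && $0 ~ ("^[#[:space:]]*" key "[[:space:]]") {
      if (!done)                           { print key " " value; done = 1 }
      else if ($0 ~ ("^[[:space:]]*" key)) { print "#" $0 }
      else                                 { print }
      next
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # keep the inode and mode of FILE
  rm -f "$tmp"
}

# harden_live PORT
# Applies the change to the real daemon in an order that cannot lock you out:
# back up, edit, validate, open the new port, restart, and only remove the old
# firewall rule after a fresh login on the new port has been confirmed.
harden_live() {
  local port="${1:-5522}" cfg=/etc/ssh/sshd_config
  cp -a "$cfg" "${cfg}.bak.$(date +%Y%m%d%H%M%S)"
  set_sshd_option "$cfg" Port "$port"
  set_sshd_option "$cfg" PermitRootLogin no
  # Not set by the page; only safe once ssh-copy-id has installed a working key.
  set_sshd_option "$cfg" PasswordAuthentication no
  sshd -t -f "$cfg"          # syntax check; set -e aborts here on a bad file
  ufw allow "${port}/tcp"
  systemctl restart ssh
  cat <<EOF
sshd restarted on port ${port}. From ANOTHER terminal run:
  ssh -p ${port} <user>@<server>
Only when that works, drop the old rule. ufw evaluates rules in order, so
"ufw deny 22" added after "ufw allow OpenSSH" would never match; delete it:
  ufw delete allow OpenSSH
EOF
}

if [ "${1:-}" = "--apply" ]; then
  harden_live "${2:-5522}"
fi
```

Run it as root with --apply 5522 to change the live daemon; without arguments it only defines the functions. On newer Ubuntu releases (22.10 onwards) where sshd is socket-activated, the listening port is taken from ssh.socket rather than read by sshd itself, so after the edit also run systemctl daemon-reload and restart ssh.socket.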
install git
apt install git
install zsh
apt install zsh
set zsh as default shell
chsh -s /usr/bin/zsh root
install zsh syntax highlighting
apt install zsh-syntax-highlighting
install oh-my-zsh (the outer double quotes matter: the local shell downloads the script and passes its text to sh -c; with single quotes, sh would try to run the script’s contents as a single command line. This executes a remote script unseen: download it first and read it if that bothers you)
sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
enable zsh syntax highlighting
echo 'source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh' >> ~/.zshrc
Nextcloud installation, configuration and troubleshooting.
official installation documentation
Firstly, it’s necessary to create the folder where the Nextcloud interface, i.e. the public application files, will be stored.
In this case, I configured a directory named exactly after the domain where the hosted content will be found, for simplicity. The Apache configuration below uses a public_html subdirectory as DocumentRoot, so create that as well.
sudo mkdir -p /var/www/cloud.tommi.space/public_html
then, ownership is given to your own user for now, so that the archive can be downloaded and extracted without sudo. Once Nextcloud is in place the tree must belong to the web server user (www-data), which needs to write config/ and apps/ at runtime (see the chown in the apps section). As you can see, these permissions must be set -R, recursively.
sudo chown -R $USER:$USER /var/www/cloud.tommi.space
sudo chmod -R 755 /var/www/cloud.tommi.space
make the (private) directory where all of Nextcloud’s data will be stored, outside the web root so that Apache never serves it, and change its ownership, too. The web server user must be able to traverse the parent directory (on Ubuntu releases that create home directories as 750, /home/tommi would block www-data).
mkdir /home/tommi/nextcloud-data
sudo chown -R www-data:www-data /home/tommi/nextcloud-data/
This is the essential content of an Apache configuration file for Nextcloud. It should be placed in /etc/apache2/sites-available/
create the configuration file by running
sudo vim /etc/apache2/sites-available/cloud.tommi.space.conf
then, add this content (port 80 only for now; Certbot adds the :443 virtual host and the redirect later). Enable the site with a2ensite and reload Apache before asking Certbot for a certificate.
<VirtualHost *:80>
    ServerAdmin tommiboom@protonmail.com
    ServerName cloud.tommi.space
    ServerAlias www.cloud.tommi.space
    DocumentRoot /var/www/cloud.tommi.space/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sudo apt install mariadb-server
Basic database configuration
sudo mysql_secure_installation
log into MariaDB
sudo mariadb
Create a new database for Nextcloud (in MariaDB):
mysql> CREATE DATABASE nextcloud;
Create a new Nextcloud user with rights on the nextcloud database only (the WITH GRANT OPTION often seen in tutorials lets the application account hand out privileges and is not needed; use a real password in place of password):
mysql> GRANT ALL ON nextcloud.* TO 'user_name'@'localhost' IDENTIFIED BY 'password';
mysql> FLUSH PRIVILEGES;
Install PHP modules
sudo apt install php libapache2-mod-php php-mysql
install Nextcloud dependencies
sudo apt install php-curl php-dom php-gd php-json php-xml php-mbstring php-zip
adjust php.ini (the path contains the installed PHP version; if you switch to PHP-FPM as in the HTTP/2 step below, the file that counts is /etc/php/7.4/fpm/php.ini)
sudo vim /etc/php/7.4/apache2/php.ini
edits:
memory_limit = 1024M # based on how much RAM the server has
upload_max_filesize = 16G # max size of uploaded files
post_max_size = 16G # must be at least upload_max_filesize
date.timezone = Europe/Rome # or your timezone
download Nextcloud and place it in the virtual host directory (cd is a shell builtin, so sudo cd does nothing; the directory belongs to your user after the chown above, so no sudo is needed here)
cd /var/www/cloud.tommi.space/public_html && wget https://download.nextcloud.com/server/releases/nextcloud-18.0.4.zip
extract the downloaded package (it unpacks into a nextcloud/ subdirectory: either point DocumentRoot at it or move its contents up one level; afterwards hand the whole tree to www-data with chown -R, as done for apps below)
unzip nextcloud-18.0.4.zip
Certbot will be used to establish a secure connection to the instance: it obtains a certificate from Let’s Encrypt, writes an HTTPS (port 443) virtual host for the site and redirects plain http:// requests to https://.
sudo apt install certbot python3-certbot-apache
Open port 443 in the firewall: the 'Apache Full' profile covers both 80 and 443, so the plain 'Apache' rule becomes redundant. Port 80 must stay open, both for the Let’s Encrypt HTTP-01 challenge and for the redirect.
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Generate TLS certificate
sudo certbot --apache -d cloud.tommi.space -d www.cloud.tommi.space
Switch PHP to PHP-FPM and Apache to the event MPM, then enable HTTP/2 (mod_php needs the prefork MPM, and mod_http2 refuses to run under prefork, so the two changes go together). Nextcloud also needs mod_rewrite for its .htaccess rules.
sudo apt install php7.4-fpm
sudo a2enmod proxy_fcgi
sudo a2enconf php7.4-fpm
sudo a2dismod php7.4
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo a2enmod rewrite
sudo a2enmod http2
sudo service apache2 restart
In cloud.tommi.space-le-ssl.conf (generated by Certbot in /etc/apache2/sites-available/) add, inside the <VirtualHost *:443> block
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
to enable what has just been inserted, headers must be enabled
sudo a2enmod headers
then, enable .htaccess (Nextcloud relies on it for its rewrites and for blocking web access to data/ and config/)
sudo vim /etc/apache2/sites-available/cloud.tommi.space-le-ssl.conf
paste in <VirtualHost *:443> (Indexes is deliberately left out: directory listings must not be enabled on the web root)
<Directory "/var/www/cloud.tommi.space/public_html">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
restart Apache
systemctl restart apache2
<figure><img src='https://www.itzgeek.com/wp-content/uploads/2019/06/Install-Nextcloud-on-RHEL-8-%E2%80%93-Setup-Nextcloud.jpg' alt='Nextcloud first setup page' title='Nextcloud first setup page'><figcaption>Nextcloud first setup page</figcaption></figure>
<div class='yellow box'> <u><strong>Do not</strong> insert any data</u> in the dialogue page above until the connection is encrypted with <code>https://</code>: the admin password and database credentials would otherwise travel in clear text. To obtain a TLS certificate, and thus an encrypted connection, follow the Certbot step above. </div>
Final adjustments are to be performed from the Nextcloud GUI.
There are a lot of very useful Nextcloud apps which are trivial to install.
move to the Nextcloud apps folder
cd /var/www/nextcloud/apps
download the application package from the app’s release page (GitHub, in this example; only fetch packages over https from the project’s own releases)
wget https://github.com/nextcloud/documentserver_community/releases/download/v0.1.5/documentserver_community.tar.gz # url to the package
extract it (by substituting package_name with the name of the app package)
tar -xvzf package_name.tar.gz
remove the compressed package (a plain rm is enough; -rf on a single file only hides errors)
rm package_name.tar.gz
change ownership and permissions for the app’s directory (chmod -R 755 also marks every file executable, which is harmless here but sloppier than 755 on directories and 644 on files)
chown -R www-data:www-data /var/www/nextcloud/apps/app_name
chmod -R 755 /var/www/nextcloud/apps/app_name
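Both the server download above (the wget of nextcloud-18.0.4.zip) and the app install just described fetch an archive and unpack it with no integrity check. Nextcloud publishes a .sha256 (and a PGP .asc) file next to each server release on download.nextcloud.com; for apps, the digest can be taken from the release page. The script below is an added example, not the page’s or Nextcloud’s own code: it verifies the digest, refuses archives that do not unpack into the single expected top-level directory, and hands the result to www-data with 755 on directories and 644 on files. /var/www/nextcloud/apps and the www-data user come from this page; the APPS_DIR override, the function names and the tar.gz format (used by app packages; the server zip needs unzip, but the same checks apply) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page.
# Assumptions: Debian/Ubuntu with Apache running as www-data, apps under
# /var/www/nextcloud/apps (override with APPS_DIR), archives in tar.gz format.
set -euo pipefail

# verify_sha256 FILE EXPECTED_HEX -> 0 when the digest matches, 1 otherwise
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  [ "$actual" = "$expected" ]
}

# extract_checked ARCHIVE EXPECTED_TOPDIR DEST_PARENT
# Unpacks into a staging directory first and only moves the result into
# DEST_PARENT when the archive consists of exactly one top-level directory
# named EXPECTED_TOPDIR, so a hostile or mislabelled package cannot scatter
# files over the apps directory. Prints the final path.
extract_checked() {
  local archive="$1" topdir="$2" parent="$3" stage entries
  stage="$(mktemp -d)"
  # --no-same-owner: never let the archive dictate ownership when run as root
  tar -xzf "$archive" -C "$stage" --no-same-owner
  entries="$(ls -A "$stage")"
  if [ "$entries" != "$topdir" ]; then
    rm -rf "$stage"
    echo "unexpected archive layout: $entries" >&2
    return 1
  fi
  mv "$stage/$topdir" "$parent/$topdir"
  rmdir "$stage"
  printf '%s\n' "$parent/$topdir"
}

# install_nextcloud_app URL SHA256 APP_NAME
# The digest must come from somewhere other than the download itself
# (release page, .sha256 file fetched separately, or a signed announcement).
install_nextcloud_app() {
  local url="$1" sha="$2" app="$3" apps_dir="${APPS_DIR:-/var/www/nextcloud/apps}" tmp path
  tmp="$(mktemp)"
  curl -fsSL -o "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$sha"; then
    rm -f "$tmp"
    echo "checksum mismatch for $url" >&2
    return 1
  fi
  path="$(extract_checked "$tmp" "$app" "$apps_dir")"
  rm -f "$tmp"
  chown -R www-data:www-data "$path"
  find "$path" -type d -exec chmod 755 {} +   # directories: traversable
  find "$path" -type f -exec chmod 644 {} +   # files: readable, not executable
  printf '%s\n' "$path"
}

if [ "${1:-}" = "--install" ]; then
  install_nextcloud_app "${2:?url}" "${3:?sha256}" "${4:?app name}"
fi
```

Invoke it as root with --install URL SHA256 APP_NAME after putting the instance in maintenance mode; without arguments it only defines the functions, which is how the verification and layout checks can be exercised on a local archive.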
Toggle maintenance mode (occ must run as the web server user and from the Nextcloud directory; the php binary must be the same version Apache uses)
sudo -u www-data php --define apc.enable_cli=1 /var/www/nextcloud/occ maintenance:mode --on # or --off
Using the occ command in a dockerized instance
docker-compose exec --user www-data app php occ
More information on the Nextcloud Docker Hub page
allow UDP ports 10000 to 20000 through the firewall (Jitsi’s videobridge receives media on this range)
sudo ufw allow in 10000:20000/udp
Jitsi requires the Java Runtime Environment. Install OpenJDK JRE 8.
<div class='red box'> <strong>NOTE</strong>: as of right now, Jitsi Meet needs JRE 8, and <u><strong>not a newer version</strong></u>! </div>
sudo apt install -y openjdk-8-jre-headless
check if installation went the right way and if the right version is installed
java -version
set JAVA_HOME system-wide (the original one-liner nested single quotes inside single quotes, which ends the string early; also, source is a shell builtin and cannot be run through sudo)
echo "JAVA_HOME=$(readlink -f /usr/bin/java | sed 's:bin/java::')" | sudo tee -a /etc/profile
source /etc/profile
add the Jitsi signing key and repository to apt (apt-key is deprecated on Ubuntu 22.04 / Debian 11 and later, where the key should go into /etc/apt/keyrings and be referenced with signed-by in the sources entry)
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
echo 'deb https://download.jitsi.org stable/' | sudo tee -a /etc/apt/sources.list.d/jitsi-stable.list
install Jitsi Meet
sudo apt install -y jitsi-meet
run and enable Certbot (the bundled script expects certbot-auto; point it at the system certbot instead)
sudo sed -i 's/\.\/certbot-auto/certbot/g' /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
sudo ln -s /usr/bin/certbot /usr/sbin/certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
<div class='yellow box'> If something around here doesn’t work, no worries: just repeat the command, it should get fixed by itself </div>
last tweaks should be done in here
sudo vim /etc/apache2/conf-enabled/security.conf
There are a few very nice things, such as hiding the “Jitsi” watermark from calls, which can be improved by editing Jitsi’s css file. Here’s a customizations guide.
--------------------------------------------------------------------------------
To install OpenVPN, I followed exactly this super simple and quick guide. It actually took me 15 minutes to make everything work perfectly, and it still does after several months.
I chose to deploy RSS-Bridge through Docker. The process is not thoroughly and simply explained for a dumb newbie like me, nevertheless I somehow figured out how to deploy the app.
My version of the default Docker build:
sudo docker create \
  --name=rss-bridge \
  --volume /home/tommi/whitelist.txt:/app/whitelist.txt \
  --publish 3001:80 \
  rssbridge/rss-bridge:latest
Note that --publish 3001:80 binds on all interfaces, and Docker inserts its own iptables rules ahead of ufw’s, so port 3001 is reachable from the internet regardless of the firewall rules above; publish 127.0.0.1:3001:80 instead if the app should only be reached through a reverse proxy on the same host.
My whitelist.txt file:
The real issue, to my surprise, wasn’t getting RSS-Bridge up and running so much as making it actually work.
Below I collected some articles useful to sort things out.