forksand-it-manual/source/Software-daemons.tex

%
% Software-daemons.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Server Daemons}
These are the server daemons used to drive the enterprise.

\section{\href{http://sourceforge.net/projects/acpid2/}{ACPID}}
Monitors ACPI events. Runs on nearly all servers and workstations.

\section{\href{http://httpd.apache.org/}{Apache}}
Web daemon, used on many servers.

\section{\href{http://www.isc.org/}{BIND}}
Nameserver used for caching.

\section{\href{https://borgbackup.github.io/borgbackup/}{Borg}}
Backup program.

\section{\href{https://www.collaboraoffice.com/code/}{code}}
Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL)
for Nextcloud.

\section{\href{https://github.com/coturn/coturn}{coturn}}
TURN and STUN server. Used for videoconferencing.

\section{\href{http://ftp.isc.org/isc/cron/}{cron}}
Scheduled triggering of applications (cf. at).

\section{\href{http://dnsmasq.org/}{DHCP}}
dnsmasq DHCP for 350+ hosts.

\section{\href{https://www.discourse.org/}{Discourse}}
Mailing list, discussion board, forum.

\section{\href{https://dockerproject.org/}{Docker}}
\begin{picture}(0,0)\put(-10000,0){
        \gls{docker}
}\end{picture}
System containers, virtual servers.

\section{\href{http://dnsmasq.org/}{DNS}}
dnsmasq DNS caching.

\section{\href{http://dnsmasq.org/}{Dovecot}}
IMAP mail services. Employees check their mail via the
IMAP server, typically using Icedove or aomail (roundcube using IMAP).

\section{\href{https://www.erlang.org/}{Erlang}}
Virtual machine (ejabberd).

\section{{iptables}{\Glspl{firewall}}}
Linux's iptables.

\section{\href{http://www.fail2ban.org/}{fail2ban}}
Block out scripts, bots, crackers, and network noise on servers.

\section{\href{http://www.debian.org/}{Init}}
Init, woo!

\section{\href{http://mariadb.org/}{MariaDB}}
Used on many servers for a database. Replacing MySQL.

\section{md RAID}
Linux RAID, md, mdadm.

\section{\href{http://www.memcached.org/}{memcached}}
Used to speed up websites, such as Nextcloud.

\section{\href{http://www.mysql.org/}{MySQL}}
Used on many servers for a database.

\section{\href{https://nextcloud.com/}{Nextcloud}}
Shared calendars, files, collaborative document editing with
LibreOffice Online, videoconferencing.

Some of this is from owncloud era...

\begin{minted}{sh}
#Install debian jessie, ssh server, standard system utilities
#install jebba ssh key
#install sudo
#disable password ssh
#disable root ssh

#==================================
#
#Set up DNS
#Set up Server

#Create new jessie server, and boot it up.
#Copy over key:
ssh-copy-id jebba@pwn.themoes.org
#Log in to new machine:
ssh jebba@pwn.themoes.org
#Change jebba's password.
passwd jebba
#Set a root password:
su -
passwd root
#Disable source repos:
sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
#Set up `git` as kludge to track /etc
apt-get -y install git
cd /etc
git init
chmod og-rwx /etc/.git
vi /etc/.gitignore
\end{minted}
Add these lines to /etc/.gitignore
\begin{minted}{sh}
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
\end{minted}
\subsection{Set up a git user:}
vi ~/.gitconfig
\begin{minted}{sh}
[user]
name = Jeff Moe

[color]
   branch = auto
   diff = auto
   status = auto
\end{minted}
\subsection{Create and populate the git repo for /etc:}
\begin{minted}{sh}
git add .
EDITOR=vi git commit -a
\end{minted}
Intial setup of pwn.themoes.org jessie owncloud server
\begin{minted}{sh}
#Install some needed stuff:
apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
host strace telnet lsb-release unzip bzip2 && apt-get clean
#Set up vim:
echo :syntax on > ~/.vimrc
#Add jebba to sudo group:
adduser jebba sudo
#Make sudoers passwordless:
vim /etc/sudoers
#Change:
%sudo   ALL=(ALL:ALL) ALL
#To:
%sudo ALL=(ALL) NOPASSWD: ALL
#Edit /etc/ssh/sshd_config (dodgy way to do this):
sed -i  \
  -e 's/PermitRootLogin yes/PermitRootLogin no/g' \
  -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
  -e 's/RSAAuthentication yes/RSAAuthentication no/g' \
  -e 's/Port 22/Port 43827/g'\
  -e 's/X11Forwarding yes/X11Forwarding no/g' \
  /etc/ssh/sshd_config
#Disable unneeded services:
for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
sudo /usr/sbin/update-rc.d $i disable ; done
\end{minted}
Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
Reboot
\begin{minted}{sh}
#Log in as jebba (from workstation):
ssh -p 43827 -C jebba@pwn.themoes.org
#VIM:
echo :syntax on > ~/.vimrc
\end{minted}
\subsection{Setup}
Update /etc/hosts:
\begin{minted}{sh}
5.152.179.226  pwn pwn.themoes.org
#Comment out:
#127.0.1.1   pwn.themoes.org  pwn
#Update /etc/hostname:
pwn
#Commit everything so far to git
sudo su -
cd /etc
git add .
EDITOR=vi git commit -a
# Additional base config for server.

\end{minted}
\subsection{Make IP Static}
\begin{minted}{sh}
vim /etc/network/interfaces
\end{minted}
Comment out:
\begin{minted}{sh}
#allow-hotplug eth0
#iface eth0 inet dhcp
\end{minted}
Add:
\begin{minted}{sh}
auto eth0
iface eth0 inet static
address 5.152.179.226
netmask 255.255.255.0
gateway 5.152.179.1
\end{minted}
\subsection{Install Firewall}\label{ssec:nextcloudfirewall}
\url{https://wiki.debian.org/iptables}
\begin{minted}{sh}
#Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables
touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
/etc/iptables.test.rules

chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules

\end{minted}
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
*filter
\begin{minted}{sh}

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
doesn't use lo0
-A INPUT -i lo -j ACCEPT
#-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for
websites)
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 80 -j ACCEPT

# Accept 443 from everywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT

# SSH Access Port 43827
-A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT
# Allow ssh from anywhere
-A INPUT -p tcp --dport 43827 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Opsview access
#-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports
2222,37,4949,5666 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
--log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
\end{minted}
\begin{minted}{sh}
touch /etc/network/if-pre-up.d/iptables
chmod 755 /etc/network/if-pre-up.d/iptables
vim /etc/network/if-pre-up.d/iptables
\end{minted}
\begin{minted}{sh}
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
\end{minted}
Then run:
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Disable IPv6
\begin{minted}{sh}
vim /etc/sysctl.conf
\end{minted}
Add:
\begin{minted}{sh}
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
\end{minted}
\begin{minted}{sh}
sysctl -p
\end{minted}
Add this to kernel boot line /etc/default/grub:
\begin{minted}{sh}
GRUB_CMDLINE_LINUX="ipv6.disable=1"
\end{minted}
then run:
\begin{minted}{sh}
update-grub
\end{minted}
\begin{minted}{sh}
# Also need to change anything in /etc/apache2/sites-enabled/* that has
*:80 to 0.0.0.0, so no IPv6.

# Comment out IPv6 stuff in /etc/hosts:
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters


# Also need to change anything in /etc/apache2/sites-enabled/* that has
*:80 to 0.0.0.0, so no IPv6.
\end{minted}
Blacklist the module, don't even load it:
\begin{minted}{sh}
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
\end{minted}
Tell the module not to use IPv6 (hit it with the hammer over and over):
\begin{minted}{sh}
echo alias net-pf-10 off >>  /etc/modprobe.d/aliases.conf
echo alias ivp6 off  >>  /etc/modprobe.d/aliases.conf
\end{minted}
\begin{minted}{sh}
reboot
\end{minted}

\subsection{Install nextcloud}
Copied from Owncloud installation sequence. Todo: review difference to Nextcloud

Add Debian Backports (eh?)
\begin{minted}{sh}
sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports
main' >> /etc/apt/sources.list.d/backports.list"
apt-get update
apt-get dist-upgrade -t jessie-backports
apt-get clean
sync
reboot & exit
\end{minted}
Add owncloud repos (ToDo)
\begin{minted}{sh}
cd
wget -nv \
https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \
-O Release.key
apt-key add - < Release.key
sh -c "echo 'deb
http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /'
>> /etc/apt/sources.list.d/owncloud.list"
apt-get update

apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \
ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \
php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \
libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \
php5-mcrypt php5-imagick mysql-server
apt-get clean
\end{minted}
Set up database
\begin{minted}{sh}
vim ~/.mysqlpw
\end{minted}
\begin{minted}{sh}
# meh
update-rc.d saned disable
\end{minted}
\begin{minted}{sh}
# Configure Apache2 on a Debian Jessie Server
# Setup default https configuration:
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl .
# Enable SSL modules
cd /etc/apache2/mods-enabled
ln -s ../mods-available/*ssl* .
ln -s ../mods-available/socache_shmcb.load .

# XXX left this out:
#vim /etc/apache2/sites-available/default-ssl.conf
#  make sure that each <Directory > has AllowOverride All

# Generate SSL certificate
cd /etc/ssl/private/
openssl genrsa -out pwn.themoes.org.key 2048
openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr
#* After the last command answer the following:
#** Country Name : US
#** State or Province Name: Colorado
#** Locality Name: Redstone Canyon
#** Organization Name: Moe
#** Organizational Unit Name: IT
#** Common Name: pwn.themoes.org
#** Email Address: pwn@themoes.org
#** Leave Challenge password and An optional company name  blank.

# Sent csr to SSL registrar.
\end{minted}
Open up port 80 to do SSL registrar verification:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
Enable the port 80 lines for registar, and port 443 lines for owncloud

later at the file
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Copy Gandi file for SSL authentication to /var/www/html/

After Gandi verifies it, remove the file.

Then disable port 80 in the \gls{firewall} again:
\begin{minted}{sh}
vim /etc/iptables.test.rules
\end{minted}
\begin{minted}{sh}
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
\end{minted}
Move the cert in place
\begin{minted}{sh}
mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt
chown root:root /etc/ssl/private/pwn.themoes.org.crt

# Gandi intermediate certs XXX
# http://crt.gandi.net/GandiStandardSSLCA2.crt OR
# https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem

# Gah, wtf, add this?
# Comodo Cross-Signed Certificate
# http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt

#* Generate certificate:
# XXX gah, gandi root certs ?
# WTF does this do.
openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \
      -CAkey AOrootCA.key -CAserial AOrootCA.srl \
      -out pwn.themoes.org.crt -days 65000
\end{minted}
ToDo: consider adding rm pwn.themoes.org.csr

Place the .crt and .key files on pwn.themoes.org  in /etc/ssl/private
directory.

Make sure the they can't be read by the others.

Configure SSL part of the Apache Server:
\begin{minted}{sh}
vim /etc/apache2/sites-available/default-ssl.conf
\end{minted}
change to:
\begin{minted}{sh}
ServerName pwn.themoes.org
ServerAdmin pwn@themoes.org
\end{minted}
comment out snakeoil keys

add
\begin{minted}{sh}
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt
SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key
\end{minted}
\subsection{Enable the SSL server}
\begin{minted}{sh}
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf .
\end{minted}
Restart Apache2
\begin{minted}{sh}
/etc/init.d/apache2 restart
\end{minted}
\begin{minted}{sh}
echo pwn > /var/www/html/index.html
\end{minted}
Install owncloud
\begin{minted}{sh}
apt-get install -t jessie-backports owncloud
\end{minted}
set up mysql owncloud user
\begin{minted}{sh}
vim ~/.mysqlpw-own
cat ~/.mysqlpw-own
mysql -uroot -p`cat ~/.mysqlpw`
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE IF NOT EXISTS owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED
BY 'password';

##############
# Migrate db to sql.themoes.org
##############
# Set up mysql config with sql.themoes.org (NOT on traccar, but on db
server)
mysql> CREATE DATABASE owncloud;
mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX';
mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2';
mysql> FLUSH PRIVILEGES;

\end{minted}
\begin{minted}{sh}
mkdir /srv/owncloud
chown www-data:www-data /srv/owncloud
chmod 770 /srv/owncloud
\end{minted}
\begin{minted}{sh}
# Do web stuff
# https://pwn.themoes.org/owncloud/
# Create admin account
# Data folder:
# /srv/owncloud
# MySQL:
# User: owncloud
# Password:
# Database Name: owncloud
\end{minted}
set up crontab in web and here:
\begin{minted}{sh}
crontab -u www-data -e
\end{minted}
Add:
\begin{minted}{sh}
*/15  *  *  *  * php -f /var/www/owncloud/cron.php
\end{minted}
Check it:
\begin{minted}{sh}
crontab -u www-data -l
\end{minted}
\begin{minted}{sh}
root@pwn:/etc/ssl/private# chmod o-r *
root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key

wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
mv GandiStandardSSLCA2.pem  /etc/ssl/certs/
chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem
\end{minted}
Add this to
Configure SSL part of the Apache Server:
\begin{minted}{sh}
vim /etc/apache2/sites-available/default-ssl.conf
\end{minted}
\begin{minted}{sh}
SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
SSLVerifyClient None
\end{minted}
\subsection{Libreoffice}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
   'preview_libreoffice_path' => '/usr/bin/libreoffice',
\end{minted}
POSTFIX XXX ...
\begin{minted}{sh}
apt-get remove exim4 exim4-base exim4-config exim4-daemon-light
apt-get purge  exim4 exim4-base exim4-config exim4-daemon-light
apt-get install postfix
#apt-get install bsd-mailx
\end{minted}
Use APCu and Redis for caching
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
add
\begin{minted}{sh}
   'memcache.local' => '\OC\Memcache\APCu',
   'redis' => array(
   'host' => '/var/run/redis/redis.sock',
   'port' => 0,
    ),
   'memcache.locking' => '\OC\Memcache\Redis',
\end{minted}
\begin{minted}{sh}
vim /etc/redis/redis.conf
\end{minted}
\begin{minted}{sh}
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
\end{minted}
\begin{minted}{sh}
adduser www-data redis
\end{minted}
Todo: consider reboot
\begin{minted}{sh}
# Secure https some moar
#
https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label
cd /etc/apache2/mods-enabled
ln -s ../mods-available/headers.load .
vim /etc/apache2/sites-enabled/default-ssl.conf
\end{minted}
Add:
\begin{minted}{sh}
         <IfModule mod_headers.c>
                 Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
         </IfModule>
\end{minted}
Add stuff, and run:
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
   'defaultapp' => 'calendar',
   'session_keepalive' => true,
   'htaccess.RewriteBase' => '/owncloud',
\end{minted}
\begin{minted}{sh}
sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess
\end{minted}
Drop /owncloud from the URL
\begin{minted}{sh}
vim /etc/apache2/conf-available/owncloud.conf
\end{minted}
\begin{minted}{sh}
Alias / "/var/www/owncloud/"
\end{minted}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
   'overwrite.cli.url' => 'https://pwn.themoes.org',
\end{minted}
\subsection{Misc}
\begin{minted}{sh}
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
   'logtimezone' => 'MST',
   'session_keepalive' => true,
   'htaccess.RewriteBase' => '/',
   'overwritewebroot' => '/',
   'check_for_working_webdav' => true,
   'check_for_working_wellknown_setup' => true,
   'check_for_working_htaccess' => true,
   'logfile' => '/var/log/owncloud.log',
   'loglevel' => 2,
   'enable_previews' => true,
   'preview_max_x' => 2048,
   'preview_max_y' => 2048,
   'preview_max_scale_factor' => 10,
   'preview_max_filesize_image' => 50,
   'preview_office_cl_parameters' =>
         ' --headless --nologo --nofirststartwizard --invisible
--norestore '.
         '-convert-to pdf -outdir ',
   'enabledPreviewProviders' => array(
         'OC\Preview\PNG',
         'OC\Preview\JPEG',
         'OC\Preview\GIF',
         'OC\Preview\BMP',
         'OC\Preview\XBitmap',
         'OC\Preview\MP3',
         'OC\Preview\TXT',
         'OC\Preview\MarkDown',
         'OC\Preview\PDF',
         'OC\Preview\Postscript',
         'OC\Preview\SVG',
         'OC\Preview\Movie',
         'OC\Preview\MSOfficeDoc',
         'OC\Preview\MSOffice2003',
         'OC\Preview\MSOffice2007',
         'OC\Preview\OpenDocument',
         'OC\Preview\StarOffice',
        ),
   'maintenance' => false,
   'singleuser' => false,
   'asset-pipeline.enabled' => false,
\end{minted}
set up that temp dir:
\begin{minted}{sh}
mkdir /srv/owncloudtemp
chown www-data:www-data /srv/owncloudtemp/
chmod 770 /srv/owncloudtemp/
vim /var/www/owncloud/config/config.php
\end{minted}
\begin{minted}{sh}
   'tempdirectory' => '/srv/owncloudtemp',
\end{minted}
php.ini stuff
\begin{minted}{sh}
vim /etc/php5/apache2/php.ini
\end{minted}
\begin{minted}{sh}
php_value upload_max_filesize = 5G
php_value post_max_size = 5G
php_value max_input_time 3600
php_value max_execution_time 3600
memory_limit = 512M
\end{minted}
for svg ?
\begin{minted}{sh}
apt-get install inkscape
\end{minted}
\begin{minted}{sh}
\subsection{Solr / Nexant}
\end{minted}
\begin{minted}{sh}
apt-get install php-solr solr-jetty
\end{minted}
\begin{minted}{sh}
# enable nexant app in web interface
# vim /etc/jetty9/jetty-http.xml
# vim /etc/jetty9/jetty-https.xml
# <Set name="host"><Property name="jetty.host" /></Set>
# to
# <Set name="host"><Property name="jetty.host" default="127.0.0.1" /></Set>
\end{minted}
\begin{minted}{sh}

# nope
#cd solr/
#cp -fr configsets/basic_configs nextant

# This:
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr
# see local git clone

# Actually, do this install of solr...
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service

# apt-get install tesseract-ocr tesseract-ocr-eng
# apt-get install ocrmypdf # not needed, for other OCR thing
\end{minted}
\subsection{Spreed}
\large{Spreed Nextcloud WebRTC}

There is a Spreed.me module for Nextcloud, which points to a spreed
webrtc server. If the spreed and nextcloud server use different
hostnames (origins), screen-sharing won't be allowed due to browser
restrictions. So spreed is getting installed straight onto the Nextcloud
server, https://own.alephobjects.com .

\subsection{Links}
\begin{minted}{sh}
* https://github.com/strukturag/spreed-webrtc
* https://github.com/strukturag/nextcloud-spreedme
* https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server
* https://hub.docker.com/r/spreed/webrtc/
* https://docs.docker.com/engine/installation/linux/debian/
\end{minted}

We're going to use a \gls{docker} install... own.alephobjects.com is
currently running Debian Stretch (testing, version 9). Unfortunately,
\gls{docker}.io (as it is named in Debian) is available for jessie-backports
and sid, but not for stretch... We'll use \gls{docker}'s apt repos to get
\gls{docker} ....
\subsection{Install Docker}
\begin{minted}{sh}
* https://docs.docker.com/engine/installation/linux/debian/
\end{minted}
\begin{minted}{sh}
apt update
apt install apt-transport-https ca-certificates gnupg2
apt-key adv \
        --keyserver hkp://ha.pool.sks-keyservers.net:80 \
        --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
vim /etc/apt/sources.list.d/docker.list
\end{minted}
Add:
\begin{minted}{sh}
deb https://apt.dockerproject.org/repo debian-stretch main
\end{minted}
\begin{picture}(0,0)\put(-10000,0){
        \gls{docker}
}\end{picture}
\begin{minted}{sh}
cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt'
\end{minted}
save
\begin{minted}{sh}
apt update
apt install -y docker-engine
cd /etc ; git add . ; git commit -a -m 'Install docker'
service docker start
\end{minted}
\subsection{Test docker}
\begin{picture}(0,0)\put(-10000,0){
        \gls{docker}
}\end{picture}
\begin{minted}{sh}
docker run hello-world
\end{minted}
\subsection{Set up spreed docker}
\begin{minted}{sh}
mkdir -p /srv/spreed/extra.d
vim /etc/spreed-webrtc-nextcloud.conf
\end{minted}
make config like this:
\begin{minted}{sh}
[http]
basePath = /webrtc/

[app]
authorizeRoomJoin = true
extra.d = /srv/spreed/extra.d

[users]
enabled = true
mode = sharedsecret
\end{minted}
\subsection{Run Spreed Docker}
\begin{picture}(0,0)\put(-10000,0){
        \gls{docker}
}\end{picture}
\begin{minted}{sh}
cd /srv/spreed

docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \
        -v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf
\end{minted}

On first launch, it may hang forever because it doesn't have any
entropy. So it will hang at "Creating new server secrets ..."

Here is a workaround to generate entropy:

\begin{minted}{sh}
apt install -y rng-tools
rngd -f -r /dev/urandom
\end{minted}
Run it thusly:
\begin{picture}(0,0)\put(-10000,0){
        \gls{docker}
}\end{picture}
\begin{minted}{sh}
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
\end{minted}
\large{Configure Apache}

install needed apache modules:
\begin{minted}{sh}
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf
\end{minted}
Add this inside the VirtualHost section:
\begin{minted}{sh}
# Spreed WebRTC
         ProxyPass http://127.0.0.1:8080/webrtc
         ProxyPassReverse /webrtc
         ProxyPass ws://127.0.0.1:8080/webrtc/ws
     ProxyVia On
     ProxyPreserveHost On
     RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\end{minted}
\subsection{Spreed Configuration}
\begin{picture}(0,0)\put(-10000,0){
        \gls{docker}
}\end{picture}
\begin{minted}{sh}
Get the config in own.alephobjects.com --> admin  --> Additional
Settings(?)  --> Spreed.me

# Generate that config, put it in /etc/spreed/spreed.conf

# Restart docker.
#cd /etc ; git add . ; git commit -a -m 'Configure'

##### HMM
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
rngd -f -r /dev/urandom

#  585  docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf 
#  587  docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \
-v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf

docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf

# These two:
rngd -f -r /dev/urandom

docker run -d --restart unless-stopped --name my-spreed-webrtc -p \
8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \
/var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf \

\end{minted}
\subsection{apache2}
Install needed apache modules:
\begin{minted}{sh}
a2enmod proxy proxy_http proxy_wstunnel headers

vim /etc/apache2/sites-enabled/pwn.themoes.org.conf
\end{minted}
Add this inside the VirtualHost section:
\begin{minted}{sh}

# Spreed WebRTC
     <Location /webrtc>
         ProxyPass http://127.0.0.1:8080/webrtc
         ProxyPassReverse /webrtc
     </Location>

     <Location /webrtc/ws>
         ProxyPass ws://127.0.0.1:8080/webrtc/ws
     </Location>

     ProxyVia On
     ProxyPreserveHost On
     RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\end{minted}

\section{\href{http://support.ntp.org/}{NTP}}
Syncs time on every server and workstation.

\section{\href{http://www.opendkim.org/}{OpenDKIM}}
DKIM (Domain Keys Identified Mail) sender authentication system.

\section{\href{http://www.openssh.com/}{OpenSSH}}
Used to control every server, create encrypted tunnels (autossh),
mount filesystems (sshfs), and remote file transfer (sftp).

\section{\href{http://openvpn.net/}{OpenVPN}}
Connects external resources, such as employee mobiles and laptops, to the internal network.

\section{\href{https://www.piwiki.org/}{Piwik}}
Application to analyze web site traffic.

\href{http://www.mrunix.net/webalizer/}{Webalizer} is used occassionally.

\section{\href{http://www.postfix.org/}{Postfix}}
Main SMTP outgoing mail server.

\section{\href{http://www.postgresql.org/}{Postgres}}
Database server.

\section{\href{http://www.qemu.org/}{QEMU}}
Computer emulator, runs virtual servers. Uses \gls{kvm}.

\section{\href{http://rsync.samba.org/}{rsync}}
File server.

\section{\href{http://www.rsyslog.com/}{rsyslog}}
Logging on every server and workstation.

\section{\href{http://www.spamassassin.org/}{spamassassin}}
Spam filtering of email.

\section{\href{http://fuse.sourceforge.net/sshfs.html}{sshfs}}
Main internal fileserver.

\section{\href{http://www.freedesktop.org/wiki/Software/systemd}{systemd}}
System bootup and process manager.

\section{\href{http://dnsmasq.org/}{TFTP}}
Network install server.

\section{\href{http://www.xinetd.org}{xinetd}}
xinetd on Debian systems. inetd on OpenBSD. Misc network utils.

\section{\href{http://www.ejabberd.im/}{XMPP/jabber}}
ejabberd, Erlang XMPP (jabber) server.