A huge shout-out to my friend Claudio, who helped me understand and perform the most tricky passages.



General knowledge #

Resources, apps, tutorials and several knowledge sources are mentioned in the server page.



Docker setup #

Please refer to docker server setup to see how I re-deployed everything on my server through Docker.



Good practices #

update Ubuntu (the -y flag answers yes to every prompt automatically)

sudo apt update -y && sudo apt upgrade -y

remove leftover packages and cached package archives

sudo apt autoremove -y && sudo apt autoclean -y


Limited user #

It is always better not to work and set things up straight from the root user: it’s easy to mess everything up, and very risky if you’re not 100% sure of what you’re doing (which, for me, is most of the time).

add user

adduser tommi # “tommi”, in this case, is the username

grant that user sudo permissions (usermod adds the user to the sudo group; adduser has no -aG option)

usermod -aG sudo tommi


Firewall #

allow SSH before turning the firewall on, so the rule is already in place when blocking starts

ufw allow OpenSSH

enable firewall

ufw enable

check if everything is working

ufw status

first things first:

sudo ufw allow 'Apache'


SSH keys #

create the .ssh folder that will hold the authorized keys

mkdir -p ~/.ssh && sudo chmod -R 700 ~/.ssh/

on the local client (the -p option goes before the host):

ssh-copy-id -p 5002 xplosionmind@100.100.010.1

Alternatively (this overwrites any authorized_keys file already on the server, so prefer ssh-copy-id if there are keys to keep):

scp -P 5002 ~/.ssh/id_rsa.pub xplosionmind@100.100.010.1:~/.ssh/authorized_keys

Substitute 100.100.010.1 with the server’s IP address, xplosionmind with the wanted username, and 5002 with your SSH port.

More information #


SSH port #

Changing the default SSH port helps avoid the automated, untargeted login attempts that hit port 22, the default one.

Allow the new SSH port through the firewall first, so you are not locked out when sshd moves. In this case, the process I will be following configures port 5522

sudo ufw allow 5522/tcp

Open the SSH configuration file /etc/ssh/sshd_config

sudo vim /etc/ssh/sshd_config

In this file, replace #Port 22 with Port 5522

after this, disable connections from port 22

sudo ufw deny 22

restart ssh (keep the current session open and test a fresh login on port 5522 before closing it)

sudo systemctl restart ssh


Disable root access #

Still in /etc/ssh/sshd_config, set the following (the stock value was yes; sshd_config rejects trailing comments with a “garbage at end of line” error, so keep the line bare):

PermitRootLogin no
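An added shell example, not part of the original notes, that ties the SSH port and root-login steps together: it reads the effective value of a keyword the way sshd does (first uncommented occurrence wins), rewrites a setting in place while commenting out the old copies, and checks a file for the two settings above. It assumes plain “Keyword value” lines and no Match blocks, which is what the stock file has.

```shell
# Added example (not from the original notes): audit and edit the two sshd_config
# settings above, Port and PermitRootLogin, in any file path you pass in.
# Assumptions: plain "Keyword value" lines and no Match blocks (the stock file has none).

# Print the effective value of a keyword. sshd keeps the FIRST value it reads for a
# keyword and skips commented lines, so "#Port 22" followed by "Port 5522" yields 5522.
sshd_effective() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Set a keyword in place: the new line goes where the keyword first appears (commented
# or not), every old copy is commented out, and the line is appended if absent.
sshd_set() {
    key="$1"; val="$2"; cfg="$3"; tmp="$cfg.tmp"
    awk -v key="$key" -v val="$val" '
        tolower($1) ~ ("^#?" tolower(key) "$") {
            if (!done) { print key " " val; done = 1 }
            if ($0 !~ /^[ \t]*#/) $0 = "#" $0
            print; next
        }
        { print }
        END { if (!done) print key " " val }' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Return 0 only when sshd is off port 22 and PermitRootLogin is not "yes".
check_sshd_hardening() {
    cfg="$1"; rc=0
    port=$(sshd_effective Port "$cfg");            [ -n "$port" ] || port=22
    root=$(sshd_effective PermitRootLogin "$cfg"); [ -n "$root" ] || root=prohibit-password
    if [ "$port" = 22 ]; then echo "FAIL: sshd listens on the default port 22"; rc=1
    else echo "OK: sshd port is $port"; fi
    if [ "$root" = yes ]; then echo "FAIL: PermitRootLogin is yes"; rc=1
    else echo "OK: PermitRootLogin is $root"; fi
    return $rc
}

# Constructed sample (mimics a stock Ubuntu sshd_config; values made up for the demo).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
EOF
check_sshd_hardening "$SAMPLE" || echo "-> applying the two edits from the notes"
sshd_set Port 5522 "$SAMPLE"
sshd_set PermitRootLogin no "$SAMPLE"
check_sshd_hardening "$SAMPLE" && echo "-> hardened"
```

On the real server, `sudo sshd -t` validates the edited file and `sudo sshd -T` prints the values sshd will actually use; run both before the restart above.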


Install git #

install git

apt install git


Install zsh #

install zsh

apt install zsh

set zsh as default shell

chsh -s /usr/bin/zsh root

install zsh syntax highlighting

apt install zsh-syntax-highlighting

install oh-my-zsh

sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"

enable zsh syntax highlighting

echo "source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> ~/.zshrc



Nextcloud #

Nextcloud installation, configuration and troubleshooting.


Resources #


Permissions #

First, create the folder where the Nextcloud interface, that is the public application files, will be stored.

In this case, for simplicity, I named the directory exactly after the domain where the content it hosts will be found.

sudo mkdir /var/www/cloud.tommi.space

then, permissions can be changed so that Nextcloud itself can handle this data once installed. As you can see, these permissions must be set recursively (-R).

sudo chown -R $USER:$USER /var/www/cloud.tommi.space
sudo chmod -R 755 /var/www/cloud.tommi.space

make the (private) directory where all Nextcloud data will be stored, and change its permissions too

mkdir /home/xplosionmind/nextcloud-data
sudo chown -R www-data:www-data /home/xplosionmind/nextcloud-data/


Apache #

This is the essential content of an Apache configuration file for Nextcloud. It should be placed in /etc/apache2/sites-available/

create the configuration file by running

sudo vim /etc/apache2/sites-available/cloud.tommi.space.conf

then, add this content:

<VirtualHost *:80>
	ServerAdmin tommiboom@protonmail.com
	ServerName cloud.tommi.space
	ServerAlias www.cloud.tommi.space
	DocumentRoot /var/www/cloud.tommi.space/public_html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


Install MariaDB #

sudo apt install mariadb-server

Basic database configuration

sudo mysql_secure_installation

log into MariaDB

sudo mariadb

Create a new database for Nextcloud (in MariaDB):

mysql> CREATE DATABASE nextcloud;

Create a new Nextcloud user with rights on that database only (WITH GRANT OPTION lets this user pass its privileges on to others; Nextcloud does not need it, so it can be left out)

mysql> GRANT ALL ON nextcloud.* TO 'user_name'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;


Install PHP #

Install PHP modules

sudo apt install php libapache2-mod-php php-mysql

install Nextcloud dependencies

sudo apt install php-curl php-dom php-gd php-json php-xml php-mbstring php-zip

adjust php.ini (if you later switch Apache to PHP-FPM, as in the Let’s Encrypt section, repeat these edits in /etc/php/7.4/fpm/php.ini, which is the file FPM reads)

sudo vim /etc/php/7.4/apache2/php.ini

edits:

memory_limit = 1024M ; based on how much RAM the server has
upload_max_filesize = 16G ; max size of uploaded files
post_max_size = 16G ; must be at least upload_max_filesize
date.timezone = Europe/Rome ; or your timezone


Install Nextcloud #

download Nextcloud and place it in the virtual host directory (cd is a shell builtin, so it cannot be run through sudo; only wget needs it)

cd /var/www/cloud.tommi.space/public_html && sudo wget https://download.nextcloud.com/server/releases/nextcloud-18.0.4.zip

extract the downloaded package

unzip nextcloud-18.0.4.zip


Install Let’s Encrypt #

Certbot will be used to obtain a certificate and establish a secure connection to the instance. Put simply, it is the tool that makes an unencrypted http:// connection become an encrypted https:// one

sudo apt install certbot python3-certbot-apache

Open port 443 as well (the 'Apache Full' profile covers both 80 and 443), then drop the HTTP-only profile

sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'

Generate TLS certificate

sudo certbot --apache -d cloud.tommi.space -d www.cloud.tommi.space


Switch Apache to PHP-FPM with the event MPM (mod_http2 does not work with mod_php under the prefork MPM), then enable HTTP/2 and the rewrite module that Nextcloud’s .htaccess relies on

sudo apt install php7.4-fpm
sudo a2enmod proxy_fcgi
sudo a2enconf php7.4-fpm
sudo a2dismod php7.4
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo service apache2 restart
sudo a2enmod http2
sudo a2enmod rewrite
sudo service apache2 restart


Enable HSTS #

In cloud.tommi.space-le-ssl.conf add

<IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

the Header directive needs mod_headers, so enable it for the line above to take effect

sudo a2enmod headers

then, enable .htaccess in the TLS virtual host that Certbot generated (it sits next to the original file in sites-available)

sudo vim /etc/apache2/sites-available/cloud.tommi.space-le-ssl.conf

paste inside <VirtualHost *:443> (AllowOverride All is what lets Nextcloud’s .htaccess apply; Indexes is not needed by Nextcloud and only turns on directory listings)

<Directory "/var/www/cloud.tommi.space/public_html">
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>


restart Apache

systemctl restart apache2


Domain linking #

  • point the chosen domain and subdomain to the server IP address
  • wait for the domain to propagate (it could take up to 48 hours)
  • go to cloud.example.com, where you should get this page:

[image: Nextcloud first setup page]

Do not insert any data in the dialogue page above until the connection is encrypted with https://. To obtain an SSL certificate, and thus an encrypted connection, follow the Let’s Encrypt step above.


Final adjustments #

Final adjustments are to be performed from the Nextcloud GUI. The Nextcloud apps I installed are listed in [[Apps#Nextcloud]]


fixes #

  • fix this encryption error



Nextcloud Cheat Sheet #


Manually install applications #

move to the Nextcloud apps folder

cd /var/www/nextcloud/apps

download the application package from Nextcloud apps website

wget https://github.com/nextcloud/documentserver_community/releases/download/v0.1.5/documentserver_community.tar.gz # url to the package

extract it (by substituting package_name with the name of the app package)

tar -xvzf package_name.tar.gz

remove compressed package

rm -rf package_name.tar.gz

change ownership and permissions for the app’s directory (substituting app_name with the directory the archive created)

chown -R www-data:www-data /var/www/nextcloud/apps/app_name
chmod -R 755 /var/www/nextcloud/apps/app_name
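The manual install above as one function, an added example that is not part of the original notes: it lists the archive before unpacking, refuses entries that would land outside the apps directory or archives that do not unpack into a single app directory, and then applies the ownership and mode from the steps above. It assumes GNU tar; the apps directory and owner default to the values on this page but are parameters so the function can run unprivileged.

```shell
# Added example (not from the original notes): the manual install above as one function that
# inspects the archive before unpacking it. Assumes GNU tar. apps_dir and owner default to the
# values used on this page and are parameters so the function can also run unprivileged.
install_nc_app() {
    archive="$1"; apps_dir="${2:-/var/www/nextcloud/apps}"; owner="${3:-www-data:www-data}"
    entries=$(tar -tzf "$archive") || return 1
    # an absolute path or a ".." component would place files outside apps_dir
    if printf '%s\n' "$entries" | grep -Eq '(^/|^\.\.(/|$)|/\.\.(/|$))'; then
        echo "refusing $archive: an entry escapes the apps directory" >&2; return 1
    fi
    # a Nextcloud app archive unpacks into exactly one directory named after the app id
    app=$(printf '%s\n' "$entries" | awk -F/ '!seen[$1]++ { n++; app = $1 } END { if (n == 1) print app }')
    if ! printf '%s\n' "$app" | grep -Eq '^[a-z0-9_]+$'; then
        echo "refusing $archive: expected a single top-level app directory" >&2; return 1
    fi
    tar -xzf "$archive" -C "$apps_dir" || return 1
    # ownership and mode as in the steps above
    chown -R "$owner" "$apps_dir/$app" || return 1
    chmod -R 755 "$apps_dir/$app" || return 1
    printf '%s\n' "$app"
}

# Constructed fixtures (made up for the demo, not a real Nextcloud app): a well-formed
# archive and one bundling two top-level directories, which must be refused.
WORK=$(mktemp -d)
mkdir -p "$WORK/src/demoapp/appinfo" "$WORK/src/stray" "$WORK/apps"
echo '<?xml version="1.0"?><info><id>demoapp</id></info>' > "$WORK/src/demoapp/appinfo/info.xml"
echo 'not an app' > "$WORK/src/stray/readme"
tar -czf "$WORK/demoapp.tar.gz" -C "$WORK/src" demoapp
tar -czf "$WORK/bundle.tar.gz" -C "$WORK/src" demoapp stray

ME="$(id -un):$(id -gn)"   # stand-in for www-data:www-data when not running as root
install_nc_app "$WORK/demoapp.tar.gz" "$WORK/apps" "$ME"          # prints: demoapp
install_nc_app "$WORK/bundle.tar.gz" "$WORK/apps" "$ME" || echo "bundle refused"
```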


Maintenance mode #

enable maintenance mode

sudo -u www-data php /var/www/cloud.tommi.space/public_html/occ maintenance:mode --on

disable maintenance mode

sudo -u www-data php /var/www/cloud.tommi.space/public_html/occ maintenance:mode --off


Dockerized commands #

Using the occ command in a dockerized instance

docker-compose exec --user www-data app php occ

More information on the Nextcloud Docker Hub page



Jitsi Meet #

installation guide

allow UDP ports 10000 to 20000 through the firewall

sudo ufw allow in 10000:20000/udp

Jitsi requires the Java Runtime Environment. Install OpenJDK JRE 8.

NOTE: as of right now, Jitsi Meet needs JRE 8, and not a newer version!

sudo apt install -y openjdk-8-jre-headless

check if installation went the right way and if the right version is installed

java -version

set up JAVA_HOME (tee already runs as root through sudo, so echo needs no sudo; source is a shell builtin and cannot be run with sudo, so the profile is sourced directly)

echo "JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")" | sudo tee -a /etc/profile
. /etc/profile

import the Jitsi signing key and add the Jitsi repository to the apt sources

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
echo "deb https://download.jitsi.org stable/"  | sudo tee -a /etc/apt/sources.list.d/jitsi-stable.list

install Jitsi Meet

sudo apt install -y jitsi-meet

run and enable Certbot

sudo sed -i 's/\.\/certbot-auto/certbot/g' /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
sudo ln -s /usr/bin/certbot /usr/sbin/certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

If something around here doesn’t work, no worries: just repeat the command, it should get fixed by itself

last tweaks should be done in here

sudo vim /etc/apache2/conf-enabled/security.conf

A few very nice tweaks, such as hiding the “Jitsi” watermark from calls, can be made by editing Jitsi’s CSS file. Here’s a customizations guide.




OpenVPN #

To install OpenVPN, I followed exactly this super simple and quick guide. It actually took me 15 minutes to make everything work perfectly, and it still does after several months.




RSS-Bridge #

Installation #

I chose to deploy RSS-Bridge through Docker. The process is not explained thoroughly or simply enough for a dumb newbie like me; nevertheless, I somehow figured out how to deploy the app.

My version of the default Docker build:

sudo docker create \
--name=rss-bridge \
--volume /home/xplosionmind/whitelist.txt:/app/whitelist.txt \
--publish 3001:80 \
rssbridge/rss-bridge:latest


My whitelist.txt file:

*


Customization #

To my surprise, the real issue wasn’t getting RSS-Bridge up and running as much as making it actually work.
Below I collected some articles useful to sort things out.

🏗 WIP section 🛠
