General knowledge
Resources, apps, tutorials and several knowledge sources are mentioned in the Nebuchadnezzar page.
Docker
Please refer to Docker to see how I re-deployed everything on my server through Docker.
Good practices
update Ubuntu (the -y parameter accepts any prompt by default)
sudo apt update -y && sudo apt upgrade -y
remove debris
sudo apt autoremove -y && sudo apt autoclean -y
Limited user
It is always better not to work and set things up straight from the root user: it’s easy to mess everything up, and very risky if you’re not 100% sure of what you’re doing (for me, most of the time).
add user
adduser tommi # “tommi”, in this case, is the username
grant that user sudo permissions
usermod -aG sudo tommi # adds the user to the sudo group (adduser has no -aG option)
Firewall
Enable default configuration
ufw allow OpenSSH
enable firewall
ufw enable
check if everything is working
ufw status
first things first:
sudo ufw allow 'Apache'
SSH keys
generate an SSH key pair on the local client (ed25519, 100 KDF rounds, with a comment identifying the key)
ssh-keygen -t ed25519 -a 100 -C 'tommi@tommi.space'
on local client:
ssh-copy-id tommi@100.100.010.1 -p 5002
Alternatively (keep in mind that this overwrites any authorized_keys file already on the server, whereas ssh-copy-id appends to it):
scp -P 5002 ~/.ssh/id_rsa.pub tommi@100.100.010.1:~/.ssh/authorized_keys
Substitute 100.100.010.1 with the server’s IP address, tommi with the wanted username, and 5002 with your port.
More information
- SSH keys explained, a comprehensive yet simple guide to understand how SSH keys management should be done
- Linode’s tutorial on the topic
SSH port
Enable the new SSH port from the firewall. In this case, the process I will be following configures port 5522
sudo ufw allow 5522/tcp
Open the SSH configuration file /etc/ssh/sshd_config
sudo vim /etc/ssh/sshd_config
In this file, replace #Port 22 with Port 5522
after this, once a login through the new port has been verified to work (keep the current session open meanwhile), disable connections from port 22
sudo ufw deny 22
restart ssh
sudo systemctl restart ssh
Disable root access
in /etc/ssh/sshd_config, set
PermitRootLogin no # was: yes
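The SSH port and root-login changes above are hand edits with vim. The script below is an added example, not part of the original notes, that applies the same two directives (Port and PermitRootLogin no) to a file passed as argument and verifies the result, so it can be dry-run on a copy before /etc/ssh/sshd_config is touched; the file path and the port are parameters, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): apply the sshd_config changes
# described above (new Port, PermitRootLogin no) to FILE and verify them.

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." or "#KEY ..." line as "KEY VALUE"; appends the
# directive when the file does not mention KEY at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the effective value: sshd honours the first uncommented occurrence.
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT
# Returns 0 only when FILE ends up with "Port PORT" and "PermitRootLogin no".
harden_sshd_config() {
    file=$1; port=$2
    set_sshd_option "$file" Port "$port" || return 1
    set_sshd_option "$file" PermitRootLogin no || return 1
    [ "$(get_sshd_option "$file" Port)" = "$port" ] || return 1
    [ "$(get_sshd_option "$file" PermitRootLogin)" = "no" ] || return 1
}

# Usage when run directly: sh harden-sshd.sh /path/to/sshd_config 5522
if [ $# -eq 2 ]; then
    harden_sshd_config "$1" "$2" && echo "updated $1: Port $2, PermitRootLogin no"
fi
```

Run it against a copy first (cp /etc/ssh/sshd_config /tmp/sshd_config.test), then on the real file as root, and run sudo sshd -t to have sshd check the syntax before systemctl restart ssh; sshd -t exits non-zero on a malformed file, which is exactly the case in which a restart would lock you out.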
Install git
install git
apt install git
Install zsh
install zsh
apt install zsh
set zsh as default shell
chsh -s /usr/bin/zsh root
install zsh syntax highlighting
apt install zsh-syntax-highlighting
install oh-my-zsh
sh -c "$(curl -fsSL https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # double quotes, otherwise the $(...) substitution does not run
enable zsh syntax highlighting
echo 'source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh' >> ~/.zshrc
Nextcloud
Nextcloud installation, configuration and troubleshooting.
Resources
- official installation documentation
- complete installation tutorial for Ubuntu 20.04, in Dutch
- in-depth guide for Nextcloud 15
- check vulnerabilities with Nextcloud Scan
Permissions
First, it’s necessary to create the folder where the Nextcloud interface, that is the public application files, will be stored.
In this case, for simplicity, I configured a directory named exactly like the domain where the hosted content will be found.
sudo mkdir /var/www/cloud.tommi.space
then, permissions can be changed, such that Nextcloud itself can handle this data once installed. As you can see, these permissions must be set recursively (-R).
sudo chown -R $USER:$USER /var/www/cloud.tommi.space
sudo chmod -R 755 /var/www/cloud.tommi.space
make the (private) directory where all of Nextcloud data will be stored, and change its permissions, too
mkdir /home/tommi/nextcloud-data
sudo chown -R www-data:www-data /home/tommi/nextcloud-data/
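The data directory above is deliberately placed under /home/tommi, outside the web root, and handed to www-data. As an added example that is not part of the original notes, the following script checks that layout for any pair of directories: the data directory must not sit inside the web root, must be owned by the web server user (www-data on Ubuntu, passed as a parameter), and must not grant any access to other users. Paths and function names are my own; nothing is modified.

```sh
#!/bin/sh
# Added example (not from the original notes): verify the Nextcloud
# directory layout described above without changing anything.

# absolute, symlink-free path of a directory (fails if it does not exist)
abs_path() { (cd "$1" 2>/dev/null && pwd -P); }

# octal mode and owner name; GNU stat first, BSD stat as fallback
dir_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
dir_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_nextcloud_dirs WEBROOT DATADIR [OWNER]
# Returns 0 when DATADIR is outside WEBROOT, owned by OWNER (default www-data)
# and has no permission bits set for "others"; prints one line per finding.
check_nextcloud_dirs() {
    web=$(abs_path "$1") || { echo "FAIL: web root $1 not found"; return 1; }
    data=$(abs_path "$2") || { echo "FAIL: data dir $2 not found"; return 1; }
    owner=${3:-www-data}
    rc=0
    case "$data" in
        "$web"|"$web"/*) echo "FAIL: data dir $data is inside the web root $web"; rc=1 ;;
    esac
    mode=$(dir_mode "$data")
    # the last octal digit holds the bits for "others"; anything but 0 is world access
    case "$mode" in
        *0) ;;
        *) echo "FAIL: data dir mode $mode grants access to other users"; rc=1 ;;
    esac
    if [ "$(dir_owner "$data")" != "$owner" ]; then
        echo "FAIL: data dir is not owned by $owner"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $data is outside $web, owned by $owner, mode $mode"
    return "$rc"
}

# Usage when run directly: sh check-nc-dirs.sh /var/www/cloud.tommi.space /home/tommi/nextcloud-data
if [ $# -ge 2 ]; then
    check_nextcloud_dirs "$@"
fi
```

With the directories from the notes the expected call is check_nextcloud_dirs /var/www/cloud.tommi.space /home/tommi/nextcloud-data; a 755 data directory will be reported, since the chown above makes www-data the owner but does not remove read access for everyone else.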
Apache
This is the essential content of an Apache configuration file for Nextcloud. It should be placed in /etc/apache2/sites-available/
create the configuration file by running
sudo vim /etc/apache2/sites-available/cloud.tommi.space.conf
then, add this content:
<VirtualHost *:80>
ServerAdmin tommiboom@protonmail.com
ServerName cloud.tommi.space
ServerAlias www.cloud.tommi.space
DocumentRoot /var/www/cloud.tommi.space/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Install MariaDB
sudo apt install mariadb-server
Basic database configuration
sudo mysql_secure_installation
log into MariaDB
sudo mariadb
Create a new database for Nextcloud (in MariaDB):
mysql> CREATE DATABASE nextcloud;
Create a new database user for Nextcloud (Nextcloud itself does not need WITH GRANT OPTION; dropping it keeps the account’s privileges to the minimum)
mysql> GRANT ALL ON nextcloud.* TO 'user_name'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
Install PHP
Install PHP modules
sudo apt install php libapache2-mod-php php-mysql
install Nextcloud dependencies
sudo apt install php-curl php-dom php-gd php-json php-xml php-mbstring php-zip
adjust php.ini
sudo vim /etc/php/7.4/apache2/php.ini
edits (comments in php.ini start with ;):
memory_limit = 1024M ; based on how much RAM the server has
upload_max_filesize = 16G ; max size of uploaded files
post_max_size = 16G ; something similar to the above
date.timezone = Europe/Rome ; or your timezone
Install Nextcloud
download Nextcloud and place it in the virtual host directory (cd is a shell builtin, so it runs without sudo)
cd /var/www/cloud.tommi.space/public_html && sudo wget https://download.nextcloud.com/server/releases/nextcloud-18.0.4.zip
extract the downloaded package
unzip nextcloud-18.0.4.zip
Install Let’s Encrypt
Certbot will be used to establish a secure connection to the instance. To make things simple, it’s the one which makes an unencrypted http:// connection magically become an encrypted https:// connection.
sudo apt install certbot python3-certbot-apache
Enable port 443 instead of port 80
sudo ufw allow 'Apache Full'
sudo ufw delete allow 'Apache'
Generate TLS certificate
sudo certbot --apache -d cloud.tommi.space -d www.cloud.tommi.space
Enable HTTP/2, and rewrite module
sudo apt install php7.4-fpm
sudo a2enmod proxy_fcgi
sudo a2enconf php7.4-fpm
sudo a2dismod php7.4
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo service apache2 restart
sudo a2enmod http2
sudo service apache2 restart
Enable HSTS
In cloud.tommi.space-le-ssl.conf add
<IfModule mod_headers.c>
Header always set Strict-Transport-Security 'max-age=15552000; includeSubDomains'
</IfModule>
to enable what has just been inserted, headers must be enabled
sudo a2enmod headers
then, enable .htaccess
sudo vim /etc/apache2/sites-available/cloud.tommi.space/cloud.tommi.space-le-ssl.conf
paste in <VirtualHost *:443> (keep in mind that Options Indexes turns on directory listings for any path whose .htaccess does not switch them off again):
<Directory '/var/www/cloud.tommi.space/public_html'>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
restart Apache
systemctl restart apache2
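Once Apache is back up, the HSTS header should actually be present on every HTTPS response. The script below is an added example, not part of the original notes: it reads raw HTTP response headers on stdin and checks that Strict-Transport-Security is there, that max-age is at least the 180 days (15552000 seconds) set above and that includeSubDomains is included. The sample headers are constructed, and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original notes): verify the HSTS header set in
# the Apache config above. For a live host: curl -sI https://cloud.tommi.space | check_hsts

# hsts_max_age
# Prints the max-age value of the Strict-Transport-Security header found on
# stdin (header name matched case-insensitively), or nothing if it is absent.
hsts_max_age() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "strict-transport-security" {
            n = split($2, parts, ";[ \t]*")
            for (i = 1; i <= n; i++)
                if (tolower(parts[i]) ~ /^max-age=[0-9]+$/) {
                    split(parts[i], kv, "=")
                    print kv[2]
                    exit
                }
        }'
}

# check_hsts [MIN_AGE]
# Returns 0 when the header is present, max-age is at least MIN_AGE (default:
# the 15552000 seconds from the config above) and includeSubDomains is set.
check_hsts() {
    min=${1:-15552000}
    hdrs=$(tr -d '\r')
    age=$(printf '%s\n' "$hdrs" | hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: no Strict-Transport-Security header"; return 1
    fi
    if [ "$age" -lt "$min" ]; then
        echo "FAIL: max-age=$age is below $min"; return 1
    fi
    if ! printf '%s\n' "$hdrs" | grep -iq '^strict-transport-security:.*includeSubDomains'; then
        echo "FAIL: includeSubDomains missing"; return 1
    fi
    echo "OK: HSTS max-age=$age with includeSubDomains"
}

# Constructed sample response: what the <IfModule mod_headers.c> block above
# should make Apache send.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html'

printf '%s\n' "$SAMPLE_HEADERS" | check_hsts
```

A missing header after the restart usually means a2enmod headers was skipped or the Header line ended up outside the HTTPS virtual host; the check reports which of the three conditions failed so the fix is obvious.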
Domain linking
- point the chosen domain and subdomain to the server IP address
- wait for the domain to propagate (it could take up to 48 hours)
- go to cloud.example.com, where you should get this page (notice that the connection is not yet https://). To obtain an SSL certificate, thus an encrypted connection, follow the next step.
Final adjustments
Final adjustments are to be performed from the Nextcloud GUI.
There are a lot of very useful Nextcloud apps which are trivial to install.
fixes
- fix this encryption error
Nextcloud Cheat Sheet
Using OCC
sudo -u nextcloud php8.0 --define apc.enable_cli=1 /var/www/nextcloud/occ
Manually install applications
move to the Nextcloud apps folder
cd /var/www/nextcloud/apps
download the application package from Nextcloud apps website
wget https://github.com/nextcloud/documentserver_community/releases/download/v0.1.5/documentserver_community.tar.gz # url to the package
extract it (by substituting package_name with the name of the app package)
tar -xvzf package_name.tar.gz
remove compressed package
rm -rf package_name.tar.gz
change permissions for the app’s directory
chown -R www-data:www-data /var/www/nextcloud/apps/app_name
chmod -R 755 /var/www/nextcloud/apps/app_name
Maintenance mode
Toggle maintenance mode
sudo -u nextcloud php8.0 --define apc.enable_cli=1 /var/www/nextcloud/occ maintenance:mode --on # or --off
Dockerized commands
Using the occ command in a dockerized instance
docker-compose exec --user www-data app php occ
More information on the Nextcloud Docker Hub page
Jitsi Meet
allow UDP ports 10000 to 20000 through the firewall
sudo ufw allow in 10000:20000/udp
Jitsi requires the Java Runtime Environment. Install OpenJDK JRE 8.
sudo apt install -y openjdk-8-jre-headless
check if installation went the right way and if the right version is installed
java -version
setup Java Runtime
echo "JAVA_HOME=$(readlink -f /usr/bin/java | sed 's:bin/java::')" | sudo tee -a /etc/profile # double quotes so the nested single quotes survive; sudo on echo is useless, tee is what needs it
source /etc/profile # source is a shell builtin, so sudo does not apply to it
download the Jitsi Meet signing key and add the repository to the apt sources list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -
echo 'deb https://download.jitsi.org stable/' | sudo tee -a /etc/apt/sources.list.d/jitsi-stable.list
install Jitsi Meet
sudo apt install -y jitsi-meet
run and enable Certbot
sudo sed -i 's/\.\/certbot-auto/certbot/g' /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
sudo ln -s /usr/bin/certbot /usr/sbin/certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
last tweaks should be done in here
sudo vim /etc/apache2/conf-enabled/security.conf
There are a few very nice things, such as hiding the “Jitsi” watermark from calls, which can be improved by editing Jitsi’s css file. Here’s a customizations guide.
OpenVPN
To install OpenVPN, I followed exactly this super simple and quick guide. It actually took me 15 minutes to make everything work perfectly, and it still does after several months.
RSS-Bridge
Installation
I chose to deploy RSS-Bridge through Docker. The process is not thoroughly and simply explained for a dumb newbie like me, nevertheless I somehow figured out how to deploy the app.
My version of the default Docker build:
sudo docker create \
--name=rss-bridge \
--volume /home/tommi/whitelist.txt:/app/whitelist.txt \
--publish 3001:80 \
rssbridge/rss-bridge:latest
My whitelist.txt file:
*
Customization
The real issue, to my surprise, wasn’t getting RSS-Bridge up and running as much as making it actually work.
Below I collected some articles useful to sort things out.