install.linode.ubuntu.18.04

This is based off a 12.04 reference image which I upgraded to 14.04, 16.04 and
then to 18.04.

I picked Newark for the location
- I picked 2048MB swap and used the rest for the single server
- Assigned IP is 162.216.16.102 (li605-102.members.linode.com)
- IPv6 2600:3c03::f03c:91ff:fedb:abd1/64
- Don't forget to configure DNS
- DNS servers:
    ns1.linode.com
    ns2.linode.com
    ns3.linode.com
    ns4.linode.com
    ns5.linode.com
- And make sure to add an SPF record - it's a text record. By default,
  it's just:
  "v=spf1 mx ~all"
- Which says "accept mail from any servers which have an a record, and
  if it's not, soft fail it."

1. Updates!

sudo apt-get update
sudo apt-get dist-upgrade

2. Make accounts
    adduser matt
    usermod -a -G sudo,adm matt
    adduser liz
    usermod -a -G sudo,adm liz

- and for the boys' emails:
    adduser miles18
    usermod -L miles18
    adduser max18
    usermod -L max18

3. Install users authorized_keys files in to ~/.ssh

4. Set up ssh

## For an old machine, use the old keys - you did save /etc, didn't you?

## For a new machine, use the new keys generated by the distro.

- make sure to add to the firewall
ufw allow ssh

- set:
    PermitRootLogin forced-commands-only
- (the forced commands only is so we can run backups)
- and set
    PasswordAuthentication no

- restart it
service ssh restart

5. Enable firewall

sudo ufw enable

6. Set the hostname:

- Edit /etc/hostname and set it to linode
- Edit /etc/hosts and set the 127.0.1.1 line to look like:

127.0.1.1       linode

- This will prevent bounce messages from some mailservers, since they
  rely on the host name that the server claims to be (which is gotten
  from /etc/hostname) and then try to reverse that and make sure
  they're the same.

7. Install useful things

sudo apt-get install tree emacs-nox git software-properties-common

8. Copy in certs into /etc/ssl/private

(I'm not documenting this, figure it out)

9. Install apache
    See install.apache

- However, we want it to listen publicly, so don't make it only
  listen on 127.0.0.1

- Allow it through the firewall

    sudo ufw allow http
    sudo ufw allow https

10. Install wordpress bits
    This is deprecated. All wordpress sites have been removed. But, the docs were in the wordpress file.

11. Install dovecot (imap)

- Based on: https://help.ubuntu.com/community/Dovecot

- Install it:

sudo apt-get install dovecot-imapd

- configure it

- edit /etc/dovecot/conf.d/10-master.conf and:
  - find the `inet_listener `imaps` line, and uncomment the body.
  - ref: http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL
  - find the `service auth` section and add to the bottom:
  #SASL                                                                         
  unix_listener auth-client {
    mode = 0600
    user = Debian-exim
  }

- edit /etc/dovecot/conf.d/10-mail.conf and find the mail_location
  line, uncomment it and set it to:

    mail_location = maildir:/home/%u/Maildir

- edit /etc/dovecot/conf.d/10-ssl.conf and change it to use the
  mattcaron.net cert:

    ssl_cert = </etc/ssl/private/mail.mattcaron.net/fullchain.pem
    ssl_key = </etc/ssl/private/mail.mattcaron.net/privkey.pem

  - and change ssl to "required"

    ssl = required

- edit /etc/dovecot/conf.d/20-imap.conf and set:
    mail_max_userip_connections = 100
- (because I have a ton of machines that poll for email)

- edit /etc/dovecot/conf.d/15-lda.conf and set:
    postmaster_address = postmaster
- yes, this is kind of stupid, especially in light of the comment in
  the config preceding this line, but I've been getting errors about
  how it's not set, to just explicitly set it to the sane default.

- Pre-create the maildir for new users

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates
sudo maildirmake.dovecot /etc/skel/Maildir/.Junk

- Then, for an existing user:

sudo cp -r /etc/skel/Maildir /home/myuser/
sudo chown -R myuser:usergroup /home/myuser/Maildir
sudo chmod -R 700 /home/myuser/Maildir

- Allow through firewall

sudo ufw allow imaps

12. Exim

- install it

sudo apt-get install exim4-daemon-heavy exim4

- find the default exim configuration file (called configure.default,
  and found in the src/ directory of the source code and modify it as follows:

primary_hostname = mattcaron.net
domainlist local_domains = mattcaron.net : pfmbonsai.com
domainlist relay_to_domains =
hostlist   relay_from_hosts = localhost
tls_advertise_hosts = *
tls_certificate = /etc/ssl/private/mail.mattcaron.net/fullchain.pem
tls_privatekey = /etc/ssl/private/mail.mattcaron.net/privkey.pem
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
qualify_domain = mattcaron.net
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

- Find the system_aliases router and change the line:
  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
- to:
  data = ${lookup{$local_part}lsearch{/etc/aliases}}

- Ref: https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPam
- at the bottom of the main section (before ACL CONFIGURATION), add:

# Only allow auth over TLS, otherwise folks would be sending plaintext
# passwords
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}

- ref: http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL
- and down at the bottom, at the end of the AUTHENTICATION CONFIGURATION

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

- Note that we don't use the default debian config, as it is annoying.

- then copy it to /etc/exim4/exim4.conf on the remote server. Make
  sure it's group readable and growned by Debian-exim

- make the Debian-exim user a member of the shadow group so it can
  read /etc/shadow and therefore do authentication. Also, the ssl-cert
  group, so it can read certs

sudo usermod -a -G ssl-cert Debian-exim

- and make a pam config for it - we'll just piggyback on the dovecot
  one, as it's reasonable and similar

cd /etc/pam.d
sudo ln -s dovecot exim4

- allow through firewall

sudo ufw allow smtp
sudo ufw allow ssmtp

13. Integrate exim with dovecot

- ref: http://wiki2.dovecot.org/LDA/Exim
- edit /etc/exim4/exim4.conf

- in 

localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = dovecot_delivery
  cannot_route_message = Unknown user

- Next create a new transport for dovecot-lda:

dovecot_delivery:
  driver = pipe
  # You may or may not want to add -d $local_part@$domain depending on if
  # you need a userdb lookup done.
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

- Next create a new transport for dovecot-lda - spammy version

dovecot_delivery_junk:
  driver = pipe
  # You may or may not want to add -d $local_part@$domain depending on if
  # you need a userdb lookup done.
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address -m Junk
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

- set up DKIM signing (because, you know, spammers won't sign messages
  or spoofing is a problem or, something..)
  From: https://www.debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

sudo mkdir /etc/exim4/dkim
cd /etc/exim4/dkim

- Generate keys for each domain:

sudo openssl genrsa -out mattcaron.net.private.pem 2048 -outform PEM
sudo openssl rsa -in mattcaron.net.private.pem -out mattcaron.net.pem -pubout -outform PEM

sudo openssl genrsa -out pfmbonsai.com.private.pem 2048 -outform PEM
sudo openssl rsa -in pfmbonsai.com.private.pem -out pfmbonsai.com.pem -pubout -outform PEM

- publish the public keys in DNS using the date as the selector.
- IMPORTANT - my current exim config exim uses the same selector
  (date) for ALL domains, so they all need to match.

- Fix perms

sudo chown -R Debian-exim:Debian-exim /etc/exim4/dkim
sudo chmod -R go-rwx /etc/exim4/dkim

- Change the remote_smtp section to be like this:

remote_smtp:
  driver = smtp
  dkim_canon = relaxed
  dkim_selector = 20151029
  dkim_domain = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}
  dkim_private_key = ${if exists{/etc/exim4/dkim/${dkim_domain}.private.pem}{/etc/exim4/dkim/${dkim_domain}.private.pem}{0}}

- Allow remote MUA's to set the sender for the envelope. This stops
  exim from stripping it and forcing it to be the canonical domain (so
  we can support multiple virtual domains). Anyway, go to the end of
  the Main Configuration section, right above ACL CONFIGURATION and add:

local_sender_retain = true
local_from_check = false

14. Configure the time zone:

sudo dpkg-reconfigure tzdata

- and set it to America/New York

15. Add spamassassin and other optional dependencies:

- install

sudo apt-get install spamassassin libdigest-sha-perl libgeo-ip-perl libio-socket-ip-perl libencode-detect-perl libnet-patricia-perl libmodule-install-perl

- this is also helpful for debugging:

spamassassin -D --lint 2>&1 | grep -i failed

- add the following router right before "localuser"

# router to send incoming email to spamchek transport for checking 
spamcheck_router:
  no_verify
  check_local_user
  # When to scan a message :
  #   -   it isn't already flagged as spam
  #   -   it isn't already scanned
  #   -   it isn't sent from my private home server
  #   -   it isn't sent from the server (linode or localhost)
  condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} {!match {$sender_host_address} {${lookup dnsdb{a=mattandliz.dyndns.org}}}} {!match {$sender_host_address} {${lookup dnsdb{a=mattcaron.net}}}}} {1}{0}}"
  driver = accept
  transport = spamcheck

# router to deliver spam to the junk folder
spam_deliver_to_junk
  driver = accept
  check_local_user
  local_parts = !www:!root:!nobody:!postmaster:!abuse:!admin
  transport = dovecot_spam_junk_delivery
  condition = ${if def:h_X-Spam-Flag: {true}}

- add the following transport (it can go anywhere, order doesn't matter)

# Scan for spam via spamassassin. Note that this works by calling exim
# *again* and essentially redlivering the message, except that it has
# already been scanned (see the "spam-scanned" add here, and the conditional
# up in the router), so it only gets called the first time
spamcheck:
  debug_print = "T: spamassassin_pipe for $local_part@$domain"
  driver = pipe
  command = /usr/sbin/exim4 -oMr spam-scanned -bS
  use_bsmtp
  # run the filter as debian-spamd because it has access to all of the
  # spamassassin files
  transport_filter = /usr/bin/spamc -u debian-spamd
  home_directory = "/tmp"
  current_directory = "/tmp"
  # must use a privileged user to set $received_protocol on the way back in!
  user = Debian-exim
  group = Debian-spamd
  return_fail_output
  message_prefix =
  message_suffix =

# This delivers mail via dovecot to the Junk folder. 
dovecot_spam_junk_delivery:
  driver = pipe
  # You may or may not want to add -d $local_part@$domain depending on if 
  # you need a userdb lookup done.
  command = /usr/lib/dovecot/dovecot-lda -f $sender_address -m Junk
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

- Edit /etc/spamassassin/local.cf and change as follows:

rewrite_header Subject *****SPAM*****

- Once all of the above is set up, edit /etc/default/spamassassin and set:

  ENABLED=1

and:

  CRON=1

- set up the global bayes learning directory. It will be group rw for
  the adm group, as it's assumed that only those users would ssh in
  and teach it things. Also, spamd changes uid to Debian-exim, so make
  sure that user owns the DB and can read things. (You may have to run
  the chown again after creating the databases with sa-learn). It also
  likes to change group IDs on the files, so you need to make sure
  that all those are correct, and that any users who are going to
  train SA are in the Debian-exim group (which implies that you trust
  them)

sudo mkdir -p /var/spamassassin/bayes_db
sudo chown -R Debian-exim:debian-spamd /var/spamassassin
sudo chmod -R g+rwX /var/spamassassin
sudo chmod g+s /var/spamassassin
sudo usermod -a -G debian-spamd <user list>

- The g+s looks a little odd here, but let me explain. The spamcheck
  transport runs as Debian-exim, which will create
  /var/spamassassin/bayes_journal if it does not exist. However, the
  spamd process likes to run as debian-spamd (so it can access all its
  files), which won't be able to read said journal and will complain
  bitterly. By setting the directory to be setgid, all created files
  will have the correct gid set, ensuring that both Debian-exim and
  debian-spamd can read and write everything in it. This also means
  that the sa_learn run periodically will work, because I am in the
  debian-spamd group.

- add the following to /etc/spamassassing/local.cf, so that it uses
  the above (note that the last part of bayes_path is a prefix, not a
  directory)

use_bayes 1
bayes_path /var/spamassassin/bayes_db/bayes
bayes_file_mode 0660

- also, because we only have a couple of users, limit children - edit
  /etc/default/spamassassin and set:

OPTIONS="--create-prefs --max-children 5 --helper-home-dir"

- to

OPTIONS="--create-prefs --max-children 2 --helper-home-dir"

- restart

  sudo service spamassassin restart

16. Edit /etc/aliases

- change root to go to matt:

root: matt

17. Add sympa

A.) Establish base checkout:
cd ~/workspace/code
git clone https://github.com/sympa-community/sympa.git
cd sympa
git checkout -b production 6.2.58

- upgrade later
cd ~/workspace/code/sympa
git fetch
git checkout production
git merge 6.2.58

(where 6.2.58 is the current version)

B.) Copy this whole mess over to the linode server:
push_sympa

=== all the rest of this is on the linode server ===

C.) Install prerequisites

sudo apt-get install libapache2-mod-fcgid libdbd-mysql-perl apache2-suexec-pristine apache2-suexec-pristine intltool libclass-singleton-perl libdatetime-format-mail-perl libemail-simple-perl libnet-cidr-perl libproc-processtable-perl libcrypt-openssl-x509-perl libcrypt-smime-perl libdata-password-perl libauthcas-perl libdbd-odbc-perl libclone-perl libcrypt-eksblowfish-perl libdbd-csv-perl

D.) Create a user w/ now shell (this was the last next available number)

sudo adduser sympa --uid 110 --gid 117 --disabled-login
sudo usermod -s /bin/false sympa

E.) Enable apache modules

sudo a2enmod suexec
sudo a2enmod cgi

F.) Make the destination directory:

sudo mkdir /opt/sympa-6.2.58
sudo chown matt:matt /opt/sympa-6.2.58

G.) Build and install it:

cd ~/workspace/code/sympa
autoreconf -i
./configure --prefix=/opt/sympa-6.2.58 --sysconfdir=/opt/sympa-6.2.58/etc/ --with-initdir=/opt/sympa-6.2.58/etc/init.d --with-cgidir=/opt/sympa-6.2.58/cgi-bin --without-smrshdir
make
make install

H.) Fix permissions

sudo chown -R sympa:sympa /opt/sympa-6.2.58
sudo chmod a+rX -R /opt/sympa-6.2.58

sudo chown -R sympa:sympa /var/spool/sympa
sudo chown -R sympa:sympa /var/lib/sympa

I.) Make some compatibilty symlinks:

sudo -u sympa -s
cd /opt/sympa-6.2.58
ln -s /var/lib/sympa/expl .
ln -s /var/lib/sympa/wwsarchive .
ln -s /var/lib/sympa/x509-user-certs .
cd /opt/sympa-6.2.58/etc
ln -s /etc/sympa .
cd /opt/sympa-6.2.58/static_content
rmdir css
ln -s /var/lib/sympa/static_content/css .
ln -s /etc/mail/sympa/aliases /etc/mail/sympa_aliases
cp -a /opt/sympa-6.2.56/spool /opt/sympa-6.2.58
exit
sudo service sympa stop
cd /opt
sudo rm sympa
sudo ln -s sympa-6.2.58/ sympa
cd /etc/init.d
sudo ln -s /opt/sympa/etc/init.d/sympa .
cd /etc
sudo ln -s /etc/sympa/sympa.conf .
cd /var/lib/sympa/
mkdir pictures

J.) Run the upgrade script (on upgrade)

sudo -u sympa /opt/sympa-6.2.58/bin/sympa.pl --upgrade

K.) Auto-install a pile of perl modules:

sudo /opt/sympa-6.2.58/bin/sympa_wizard.pl --check

(hit enter a bunch of times)

And mhonarc doesn't put itself where it needs to, so do so:

cd /usr/share/perl5/
sudo ln -s /usr/share/mhonarc/* .

L.) Fix up supporting bits and bobs

sudo touch /etc/sympa/facility
sudo chown sympa:sympa /etc/sympa/facility
sudo mkdir -p /var/lock/subsys/sympa
sudo chown sympa:sympa /var/lock/subsys/sympa
sudo mkdir /var/spool/sympa/wwsbounce
sudo chown sympa:sympa /var/spool/sympa/wwsbounce
sudo chmod u+s /opt/sympa/bin/queue /opt/sympa/bin/bouncequeue

The queue needs to be suid root so that the mail server works when it
calls queue and bouncequeue. Some of the routers call the filter and
that needs to be as sympa, but we still want them to run other actions
as exim.

M.) Set up the configs:

  - edit /etc/sympa/wwsympa.conf
  - comment out:
    #ldap_force_canonical_email 1
  
  - edit /etc/sympa/sympa.conf
    listmaster              matt@mattcaron.net
    create_list listmaster
 wwsympa_url https://sympa.mattcaron.net/wws

  - to clean up the installation errors - just ignore mysql errors
apt-get autoremove

- edit /etc/exim4/exim4.conf and add the following below system_aliases:

sympa_aliases_domain:
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data = ${lookup{$local_part@$domain}lsearch{/etc/mail/sympa/aliases}}
  user = sympa
  group = sympa
  file_transport = address_file
  pipe_transport = address_pipe

# Aliases for sympa                                                             
sympa_aliases:
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}}
  user = sympa
  group = sympa
  file_transport = address_file
  pipe_transport = address_pipe

- remove /etc/apache2/conf.d/sympa (it's just a symlink) and instead set up 
  /etc/apache2/sites-available/sympa as follows:

<VirtualHost *:80>
    ServerName sympa.mattcaron.net
    ServerAdmin matt@mattcaron.net
    Redirect permanent / https://sympa.mattcaron.net/wws
</VirtualHost>

<VirtualHost *:443>
    ServerName sympa.mattcaron.net
    ServerAdmin matt@mattcaron.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/sympa.mattcaron.net/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/sympa.mattcaron.net/privkey.pem

    # Standard SSL protocol adustments for IE
    BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    Alias /static-sympa /opt/sympa/static_content
    ScriptAlias /wws /var/www/sympa/wwsympa.cgi
    SuexecUserGroup sympa sympa

    # Use simple cgi here. It's not heavily used and base cgi is the most 
    # compatible
    AddHandler cgi-script .fcgi .cgi .pl .sh

    RewriteEngine On
    RewriteRule  ^/$                 /wws  [R,L]

    <Directory "/var/www/sympa/">
        AllowOverride None
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>
 </VirtualHost>

- Fake out suexec, because it is hardcoded to want things in /var/www
 - make dir
sudo mkdir /var/www/sympa/
sudo chmod a+rx /var/www/sympa/
sudo chown sympa:sympa /var/www/sympa/

 - create /var/www/sympa/wwsympa.cgi:
#!/bin/sh
# The script we want Sympa to execute is accessed via a symlink but
# suexec doesn't like that so this script is a wrapper which gets
# executed directly to avoid that problem.
exec  /opt/sympa/cgi-bin/wwsympa.fcgi

- fix the perms on it

sudo chown sympa:sympa /var/www/sympa/wwsympa.cgi
sudo chmod u+x /var/www/sympa/wwsympa.cgi

N.) `/etc/sympa/sympa.conf` changes:

a. Limit number of spawned bulk processes, set:

bulk_max_count  1

b. Make sure dmarc_protection_mode is set in the config - add this to
the bottom:

# Munge email which would otherwise be dropped.                                 
dmarc_protection_mode dmarc_any

O.) Fix up the mailserver aliases /etc/aliases and
    /etc/mail/sympa/aliases and replace /usr/lib/sympa/lib/sympa with
    /opt/sympa/bin

P.) Restart things

sudo service apache2 restart
sudo service sympa restart

Q.) Start it:

sudo service sympa start

- Don't forget to add sympa.mattcaron.net to DNS

- edit /etc/sympa/topics.conf, delete everything, then add:
gaming
title Gaming

gaming/roleplaying_games
title Role Playing Games

gaming/wargaming
title Wargaming

18. Second domain for sympa

- in `/etc/exim4/exim4.conf`, add the following under ROUTERS
  CONFIGURATION before the big comment block preceding system_aliases
  (because order matters for exim):

# This router does the same as system_aliases, except that it checks
# the domain as well.
#
# IMPORTANT: Needs to go before things that match on ! +local_domains
# and, most importantly, before the bl_server bit because that
# forwards all non-local domains off to msex1.
#
# Remember - routers are run in order
#
system_aliases_domain:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}}
# user = exim
  file_transport = address_file
  pipe_transport = address_pipe 

Ref: http://www.sympa.org/manual/virtual-hosts

- Add any new domains to the top of /etc/mail/sympa/aliases, as
  necessary. As in:

sympa@domain.com:      "| /opt/sympa/bin/queue sympa@domain.com"
listmaster@domain.com: "| /opt/sympa/bin/queue listmaster@domain.com"
bounce+*@domain.com:   "| /opt/sympa/bin/bouncequeue sympa@domain.com"

- And add the following to /etc/exim4/exim4.conf, in the ROUTERS
  CONFIGURATION section (doesn't matter where):

# Aliases for sympa (robot virtual subdomains)
sympa_aliases_robot:
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data = ${lookup{$domain-$local_part}lsearch{/etc/mail/sympa/aliases}}
  user = sympa
  group = sympa
  file_transport = address_file
  pipe_transport = address_pipe

- create bits / copy in defaults:

sudo mkdir /etc/sympa/domain.com
sudo cp /home/matt/workspace/code/sympa/doc/samples/robot.conf /etc/sympa/domain.com/.
sudo chown -R sympa:sympa /etc/sympa/domain.com
sudo chmod 750 /etc/sympa/domain.com
sudo chmod 640 /etc/sympa/domain.com/robot.conf
sudo mkdir /var/lib/sympa/domain.com
sudo chown sympa:sympa /var/lib/sympa/domain.com
sudo chmod 750 /var/lib/sympa/domain.com

- edit /etc/sympa/domain.com/robot.conf and set as follows:

http_host  sympa.domain.com
listmaster matt@mattcaron.net
title New Domain MailingLists Service

- and, below http_host, you'll want to add:

wwsympa_url  https://sympa.domain.com/wws

- create /etc/sympa/domain.com/topics.conf

topic1
title Some Topic

topic2
title Some other topic

general
title General Membership

- restart

sudo service sympa restart

19. Install logcheck

sudo apt-get install logcheck

- edit /etc/cron.d/logcheck and set it to @daily and not every 2 hours

20. Set up mysql snapshot

- Clone backup utils

mkdir -p ~/workspace/code/scripts
cd ~/workspace/code/scripts
git clone https://github.com/mattcaron/backup_scripts.git
mkdir ~/bin
cd ~/bin
ln -s ~/workspace/code/scripts/backup_scripts/mysql_backup .
mkdir -p ~/attic/backup/`hostname`

- create ~/attic/backup/`hostname`/mysql.pw and put the root password
  into it.
- fix perms:
chmod 600 ~/attic/backup/`hostname`/mysql.pw

- Add to crontab:
@daily               /home/matt/bin/mysql_backup > /dev/null

21. Lock root account

sudo usermod -L root

22. Add monitoring:

- make sure landscape is installed (to get landscape-sysinfo):

sudo apt-get install landscape-common

- Then add the following to my crontab:

@daily               /usr/bin/ntpq -p; echo; df -lh; echo; landscape-sysinfo

23. Fix up logcheck:

Add to /etc/logcheck/ignore.d.server/local:

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: Fatal: Time just moved
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Warning:
Time moved

(catches:
Dec  4 07:53:46 linode dovecot: imap: Fatal: Time just moved backwards
by 6 seconds. This might cause a lot of problems, so I'll just kill
myself now. http://wiki2.dovecot.org/TimeMovedBackwards
Dec  4 07:53:46 linode dovecot: imap-login: Warning: Time moved
backwards by 6 seconds.

which are an issue because it's a VM and time is a bit squidgy.
)

24. OwnCloud / NextCloud

- Make sure to add owncloud.mattcaron.net to linode DNS

- Optimization ref:

http://forum.owncloud.org/viewtopic.php?f=8&t=10692

- Install deps:

sudo apt-get install apache2 php php-mbstring php-gd php-xml php-intl \
php-sqlite3 php-mysql curl libcurl4 php-curl \
libapache2-mod-xsendfile php-apcu php-bz2 php-zip php-pclzip php-imagick \
php-bcmath php-gmp

- download tarball (add to source control, etc.)
  http://owncloud.org/install/

- Make the xsendfile cache:

sudo mkdir /tmp/oc-noclean
sudo chown www-data:www-data /tmp/oc-noclean

- Enable UTF-8 in php.ini
 - edit /etc/php5/apache2
 - uncomment:
   default_charset = "UTF-8"
- Increase the memory limit to 512MB (recommended).

- Log in to the DB server and create a user and password

CREATE DATABASE owncloud;

GRANT ALL PRIVILEGES ON owncloud.* TO "owncloud"@"localhost" IDENTIFIED BY "password";

- Make an /etc/apache2/sites-available/owncloud.mattcaron.net as follows:
<VirtualHost *:80>
    ServerName owncloud.mattcaron.net
    ServerAdmin matt@mattcaron.net

    DocumentRoot /home/matt/public_html/owncloud.mattcaron.net
    <Directory /home/matt/public_html/owncloud.mattcaron.net>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all

	SetEnv MOD_X_SENDFILE_ENABLED 1
	XSendFile On
    	XSendFilePath /tmp/oc-noclean
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName owncloud.mattcaron.net
    ServerAdmin matt@mattcaron.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/owncloud.mattcaron.net/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/owncloud.mattcaron.net/privkey.pem

    # Standard SSL protocol adustments for IE
    BrowserMatch "MSIE [2-6]" \
               nokeepalive ssl-unclean-shutdown \
               downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    DocumentRoot /home/matt/public_html/owncloud.mattcaron.net
    <Directory /home/matt/public_html/owncloud.mattcaron.net>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all

	SetEnv MOD_X_SENDFILE_ENABLED 1
	XSendFile On
    	XSendFilePath /tmp/oc-noclean
    </Directory>
</VirtualHost>

- enable headers and rewrite modules

sudo a2enmod headers
sudo a2enmod rewrite

- enable it:

sudo a2ensite owncloud.mattcaron.net
sudo service apache2 reload

Go to:

https://owncloud.mattcaron.net/

and do the initial setup, entering random admin credentials and
choosing MySQL for the DB. Enter the DB credentials for the owncloud
user on the owncloud DB you established above.

The data folder is /usr/share/owncloud/data (the default) which links
to /var/lib/owncloud/data/ (which should be backed up).

Anyway, once that's all done it will let you in.

Once logged in:

- Under the "Apps" menu, office & text section, enable:
 - Calendar
 - Contacts
 - Notes
 - Collabora Online

(these are all official apps)

- Under the "Users" menu
 - Give appropriate people admin access
 - Delete the admin account

- Set up cron:

sudo -u www-data crontab -e

and add:

*/15  *  *  *  * php -f
/home/matt/public_html/owncloud.mattcaron.net/cron.php

- Then, in the Admin panel, tell it to use cron.

- A note on backups:

    These are already handled by the mysql_backup script and backing
    up homedirs. So, nothing additional need be done here, so long as
    the previous stuff is set up.

Configuring apps:
- Thunderbird
 - Address book
  - Ref: http://doc.owncloud.org/server/6.0/user_manual/pim/sync_thunderbird.html
  - Basically:
   - Install the Sogo connector
  - In Thunderbird, click Tools -> Address Book
   - File -> New -> Remote Addressbook
   - Name it whatever, but use addressbook:
     https://owncloud.mattcaron.net/remote.php/carddav/addressbooks/matt/contacts
   - Close and reopen thunderbird to make it connect
   - You may need to try to synchronize a couple of times - accept
     cert, enter creds, etc.
 - Calendar
   - Ref: http://forum.owncloud.org/viewtopic.php?f=23&t=14137
   - Basically
    - Install Lightning
    - In Thunderbird, click Events and Tasks -> Calendar
    - Under "Calendar" right click -> New Calendar
    - It's on the network
    - It's CalDAV
    - Used URL
      https://owncloud.mattcaron.net/remote.php/caldav/calendars/matt/familycalendar
    - Ticked "Offline Support"
    - Named it "Family Calendar"
    - Entered creds

- Android
 - Address book
  - Install "CardDAV sync free" or "CardDAV sync" from Google play
  - Launch CardDAV
  - Add account
  - Use the same URL as Thunderbird:
    https://owncloud.mattcaron.net/remote.php/carddav/addressbooks/matt/contacts
  - Tick "Use SSL"
  - Enter credentials
  - Next
  - Enter an appropriate name
  - Untick "Sync from server to phone only"
  - Next
 - Calendar
  - Install "CalDAV sync free" or "CalDAV sync" from google play  
  - Open Calendar
  - Top right corner, click "Add Account"
  - Choose "CalDAV sync adapter"
  - Enter creds, and use the same URL as Thunderbird: 
    https://owncloud.mattcaron.net/remote.php/caldav/calendars/matt/familycalendar
  - Of note - under account name, use your email, because htat's used
    as the address of the organizer.
  - Click "sign in or register"
  - Once the account is there, click on it, and click "Accounts & sync"
  - Click the "CalDav sync adapter" account when that comes up
  - Tick the box next to the sync state to turn it on
  - Calendar should now work.
  - Theoretically, a long press on the calendar name during set up
    will change the ugly poop color, but I couldn't get that to work,
    so I left it.


25. MySQL and Apache tuning

The default MySQL and Apache configs that ship with Ubuntu do not seem
particularly suited to "low RAM boxes" (though, the old curmudgeon in
me is amazed that 1.5GB if "low ram" these days, but I don't build a
box with less than 1GB, as it's so cheap....)

## Apache ##

Ref: http://emergent.urbanpug.com/?p=60

- Disable unused modules

sudo a2dismod auth_basic
sudo a2dismod authn_file
sudo a2dismod authz_groupfile
sudo a2dismod authz_user
sudo a2dismod fcgid
sudo a2dismod status

- edit /etc/apache2/mods-enabled/mpm_prefork.conf and tweak values thusly.

Original:

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

- revised:

<IfModule mpm_prefork_module>
    StartServers          2
    MinSpareServers       1
    MaxSpareServers       5
    MaxClients           50
    MaxRequestsPerChild   0
</IfModule>

- restart:

sudo service apache2 restart

## MySQL ##

Refs:

http://emergent.urbanpug.com/?p=61
http://lowendbox.com/blog/reducing-mysql-memory-usage-for-low-end-boxes/
http://opensourcehacker.com/2011/03/31/reducing-mysql-memory-usage-on-ubuntu-debian-linux/

- edit /etc/mysql/my.conf and change parameters in the [mysql] section
  as follows:

- original

key_buffer              = 16M
thread_stack            = 192K
#max_connections        = 100
query_cache_size        = 16M


- modified

key_buffer              = 8M
thread_stack            = 128K
max_connections         = 50
query_cache_size        = 8M


- restart

sudo service mysql restart

27.) MegaMek

a.) Install a JRE:

sudo apt-get install default-jre

b.) Open up a firewall port:

sudo ufw allow from any to any port 2346 proto tcp comment 'megamek'

c.) Create /etc/systemd/system/megamek.service with the following (and
    the correct password):

===
(matt@linode) /etc/systemd/system$ cat megamek.service 
[Unit]
Description=MegaMek service
After=network.target auditd.service

[Service]
ExecStart=/usr/bin/java -Xmx1024m -jar /home/matt/megamek/megamek/MegaMek.jar -dedicated -port 2346 -password XXX
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
RestartPreventExitStatus=255
Type=simple
WorkingDirectory=/home/matt/megamek/megamek
RuntimeDirectoryMode=0755
User=matt

[Install]
Alias=megamek.service
===

Notes:

a.) It lives in ~/megamek/
b.) ~/megamek/megamek is a symlink to the current version.
c.) Download from https://megamek.org/downloads.html (just MegaMek stable)

28.) MediaWiki (rpg.mattcaron.net)

This is deprecated - 20201129.

29.) MediaWiki (school.mattcaron.net)

a.) Make the dir.

b.) Grab the mediawiki tarball and untar it in the root.

c.) Make /etc/apache2/sites-available and enable it:

sudo a2ensite rpg.mattcaron.net && sudo systemctl reload apache2

d.) Create the database and user:

CREATE DATABASE mw_school;

GRANT ALL PRIVILEGES ON mw_school.* TO "mw_school"@"localhost" IDENTIFIED BY "password";

d.) Push everything up and then go to
    https://school.mattcaron.net/ to configure it, grab the
    LocalSettings.php file and stuff it where it needs to be. Yay.

30.) Set up letsencrypt certbot.

a.) Install certbot from PPA

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python3-certbot-apache

b.) Set it up semi-manually:

sudo certbot --standalone certonly -d mattcaron.net 
sudo certbot --standalone certonly -d www.mattcaron.net
sudo certbot --standalone certonly -d owncloud.mattcaron.net
sudo certbot --standalone certonly -d sympa.mattcaron.net
sudo certbot --standalone certonly -d mail.mattcaron.net
sudo certbot --standalone certonly -d lists.pfmbonsai.com
sudo certbot --standalone certonly -d pfmbonsai.com
sudo certbot --standalone certonly -d school.mattcaron.net

c.) make the directories in /etc group accessible by ssl-cert and make
the gid sticky

sudo chgrp -R ssl-cert /etc/letsencrypt
sudo chmod -R g+rsX /etc/letsencrypt

d.) Move everything in /etc/ssl/private to old, and then make new symlinks.

e.) Add create /etc/cron.d/letsencrypt thusly:
===
# /etc/cron.d/letsencrypt: crontab entries to check for new certs

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

37 01 * * *     root     service apache2 stop && certbot renew && chmod -R g+r /etc/letsencrypt && service apache2 star\
t && service dovecot reload && service exim4 reload
# 42 18 * * *     root     service apache2 stop && certbot renew && chmod -R g+r /etc/letsencrypt && service apache2 st\
art && service dovecot reload && service exim4 reload

# EOF
===
Note that:
 - we restart services
 - we fix up the permissions to be group readable, because new files will be created as 0600.