amber_replacment

Bock 2018

Base system information

  • VPS @Omnitec, 2CPU, 2GB, 100GB
  • Base IP: 206.197.251.210

Operating system installation

Source media or media image

  • Standard Debian 9

Installation method

Installation options selected

Critical Services

DNS

  • master DNS zone is on Bock but NOT published as NS.
  • Public DNS is provided via BuddyNS [.org], for which SLUUG contributes a few bucks a year.

Lists

Apache configuration

a2enmod ssl.load
a2enmod info

Let's Encrypt

  • certbot from GitHub is current, which is required for wildcard certs
  • Install requires dev libraries for headers:
      • aptitude install python2.7-dev
      • aptitude install libffi-dev
      • aptitude install libssl-dev
  • Setup:

         python setup.py install

  • Generate (the wildcard name is quoted so the shell does not expand it):

         certbot certonly --manual -d '*.sluug.org' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

  • Result:

         - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
         Please deploy a DNS TXT record under the name
         _acme-challenge.sluug.org with the following value:

         EGAoTq2e_Cf8TwYV4EN7zBLNfdgHodgoy9yX_WaLrGY

         Before continuing, verify the record is deployed.
         - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
         Press Enter to Continue
         Waiting for verification...
         Cleaning up challenges

         IMPORTANT NOTES:
          - Congratulations! Your certificate and chain have been saved at:
            /etc/letsencrypt/live/sluug.org/fullchain.pem
            Your key file has been saved at:
            /etc/letsencrypt/live/sluug.org/privkey.pem
            Your cert will expire on 2018-09-18. To obtain a new or tweaked
            version of this certificate in the future, simply run certbot
            again. To non-interactively renew *all* of your certificates, run
            "certbot renew"
          - Your account credentials have been saved in your Certbot
            configuration directory at /etc/letsencrypt. You should make a
            secure backup of this folder now. This configuration directory will
            also contain certificates and private keys obtained by Certbot so
            making regular backups of this folder is ideal.
          - If you like Certbot, please consider supporting our work by:

            Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
            Donating to EFF:                    https://eff.org/donate-le
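
Because the master zone on Bock is not a published NS and BuddyNS serves the public NS set, the TXT value has to be visible on every published nameserver before Enter is pressed at the certbot prompt. The check below is an added example, not part of the original notes; it assumes dig from the dnsutils package, and the function names and the DIG override variable are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the ACME dns-01 TXT value is served by every
# authoritative nameserver of the zone before letting certbot continue.
# DIG may be pointed at another command (assumption, used for testing).

# Print the published NS hostnames for a zone, one per line.
zone_nameservers() {    # zone_nameservers <zone>
    "${DIG:-dig}" +short NS "$1" | sed 's/\.$//'
}

# Print the TXT strings that one nameserver returns, quotes stripped.
txt_at() {              # txt_at <nameserver> <name>
    "${DIG:-dig}" +short +norecurse TXT "$2" "@$1" | tr -d '"'
}

# Return 0 only if every nameserver serves <token> at _acme-challenge.<zone>.
# Prints one status line per nameserver; returns 2 if no NS is found.
challenge_deployed() {  # challenge_deployed <zone> <token>
    local zone="$1" token="$2" ns servers missing=0
    servers=$(zone_nameservers "$zone")
    [ -n "$servers" ] || { echo "no NS records for $zone" >&2; return 2; }
    for ns in $servers; do
        if txt_at "$ns" "_acme-challenge.$zone" | grep -qxF -- "$token"; then
            echo "ok      $ns"
        else
            echo "MISSING $ns"
            missing=1
        fi
    done
    return "$missing"
}

# Usage while certbot is waiting at "Press Enter to Continue":
#   challenge_deployed sluug.org '<value printed by certbot>'
```

A MISSING line means that secondary has not yet picked up the updated zone from the master; continuing at that point risks a failed validation.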
   
   

Setting up SSL for web sites

To force port 80 traffic to port 443, replace the <VirtualHost *:80> 
stanza, leaving "ServerName" or "ServerAlias" lines intact.

<VirtualHost *:80>
         ServerName a.sluug.org

         RewriteEngine on
         RewriteCond %{SERVER_NAME} =a.sluug.org
         RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>


To use certs, edit the <VirtualHost *:443> stanza that has the desired 
ServerName or ServerAlias line in it.  At the top of the stanza, add the 
following:

         SSLEngine on
         SSLCertificateFile /etc/letsencrypt/live/sluug.org/fullchain.pem
         SSLCertificateKeyFile /etc/letsencrypt/live/sluug.org/privkey.pem
         Include /etc/letsencrypt/options-ssl-apache.conf


The following copy of wiki.sluug.org.conf is the perfect example of the  
smallest possible config file that incorporates both of these:

<VirtualHost *:80>
         ServerName wiki.sluug.org
         RewriteEngine on
         RewriteCond %{SERVER_NAME} =wiki.sluug.org
         RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
         SSLEngine on
         SSLCertificateFile /etc/letsencrypt/live/sluug.org/fullchain.pem
         SSLCertificateKeyFile /etc/letsencrypt/live/sluug.org/privkey.pem
         Include /etc/letsencrypt/options-ssl-apache.conf

         ServerName wiki.sluug.org
         UseCanonicalName On
         DocumentRoot /srv/www/wiki.sluug.org/public
         <Directory /srv/www/wiki.sluug.org/public>
                 AllowOverride All
                 Options FollowSymLinks MultiViews
                 Order allow,deny
                 Allow from all
         </Directory>
</VirtualHost>

Misc packages installed

lynx lynx-cur

  This also installed:  lynx-common

w3m

mutt

This also installed: libgmime-2.6-0 libgpgme11 libnotmuch4 libtalloc2 libtokyocabinet9

dnsutils

at

mailutils

Not listed here

For a list of installed packages and when, a good resource is /var/log/apt/history.log*

Misc configuration

Documentation /usr/source/Docuwiki

Edit /etc/ssh/sshd_config to change PermitRootLogin value from yes to forced-commands-only.

Add all users in the sudo group to the adm and systemd-journal groups to allow them to see logs without being root. See https://wiki.debian.org/SystemGroups
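
Both settings above can drift after later edits or new accounts, so a small audit is useful. The script below is an added example, not part of the original notes; the function names are hypothetical, and it assumes whitespace-separated sshd_config keywords and the standard /etc/group format.

```shell
#!/bin/sh
# Added example: audit the two settings described in "Misc configuration".

# Print the global PermitRootLogin value from an sshd_config file.
# sshd uses the first occurrence of a keyword and keywords are
# case-insensitive; scanning stops at the first Match block.
# Prints "unset" when the compiled-in default applies.
effective_permit_root_login() {    # <sshd_config path>
    awk 'tolower($1) == "match"           { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Print the members listed for a group, one per line.
# Only supplementary membership is recorded in the group file.
group_members() {                  # <group> <group file>
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$2"
}

# Print "user group" for each sudo member missing from adm or systemd-journal.
sudo_members_missing_log_groups() {    # <group file>
    local file="$1" user grp
    for user in $(group_members sudo "$file"); do
        for grp in adm systemd-journal; do
            group_members "$grp" "$file" | grep -qxF -- "$user" \
                || echo "$user $grp"
        done
    done
}

# Usage on the server:
#   effective_permit_root_login /etc/ssh/sshd_config   # want: forced-commands-only
#   sudo_members_missing_log_groups /etc/group         # want: no output
```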

amber_replacment.txt · Last modified: 2024/03/20 21:27 by SLUUG Administration