mar
/
container
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

added documentation

feature/startup-from-labels
Mario Alegre 5 years ago
parent
153810c4ac
commit
49b1938abb
6 changed files with 823 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 207
      src/gitea/docs/Build.md
  2. 14
      src/gitea/docs/Deploy.md
  3. 389
      src/nextcloud/docs/Build.md
  4. 70
      src/nextcloud/docs/Deploy.md
  5. 125
      src/samba/docs/Build.md
  6. 18
      src/samba/docs/Deploy.md

207
src/gitea/docs/Build.md
View File

@ -0,0 +1,207 @@
# medusa gitea install
## config container
### mounts
add mount to container:
```
-v /tank/files/git:/vol/git \
-v /tank/files/db/gitea:/vol/db \
```
add user:
```
usr=git
uid=5000
addgroup --gid ${uid:?} ${usr:?}
adduser --uid ${uid:?} --ingroup ${usr:?} ${usr:?} --disabled-password --gecos "Gitea Server" --shell /usr/sbin/nologin
```
create directory to be mounted:
```
mkdir /vol/git /vol/db
chown -R gitea:gitea /vol/
```
### postgresql
```
apt install postgresql postgresql-doc
```
log in to postgres user and make same config changes as for nextcloud:
```
su - postgres
```
`/etc/postgresql/10/main/pg_hba.conf`:
```
# Database administrative login by Unix domain socket
local all postgres peer
# Allow connection to Unix domain socket without authentication
local all gtadmin trust
```
create SQL role:
```
psql
CREATE USER gtadmin;
CREATE DATABASE gitea WITH TEMPLATE template0 ENCODING UTF8 LC_COLLATE 'en_US.UTF-8' LC_CTYPE 'en_US.UTF-8';
\q
exit
```
### install gitea
download binary:
```
wget gitea https://dl.gitea.io/gitea/1.11.4/gitea-1.11.4-linux-amd64
wget gitea https://dl.gitea.io/gitea/1.11.4/gitea-1.11.4-linux-amd64.asc
gpg --keyserver pgp.mit.edu --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
gpg --verify gitea-1.11.4-linux-amd64.asc gitea-1.11.4-linux-amd64
```
create required directories:
```
mkdir -p /var/lib/gitea/{custom,data,log}
chown -R git:git /var/lib/gitea/
chmod -R 750 /var/lib/gitea/
mkdir /etc/gitea
```
move to bin dir:
```
mv gitea-master-linux-amd64 /usr/local/bin/gitea
chmod +x /usr/local/bin/gitea
```
### configure gitea
make `/etc/gitea/app.ini` config file:
```
APP_NAME = Gitea: Git with a cup of tea
RUN_USER = git
RUN_MODE = prod
[oauth2]
JWT_SECRET = ${jwt_secret_1:?}
[security]
INTERNAL_TOKEN = ${internal_token:?}
INSTALL_LOCK = true
SECRET_KEY = ${secret_key:?}
; disable password complexity checks
PASSWORD_COMPLEXITY = off
[database]
DB_TYPE = postgres
HOST = /var/run/postgresql
NAME = gitea
USER = gtadmin
PASSWD =
SSL_MODE = disable
CHARSET = utf8
PATH = /var/lib/gitea/data/gitea.db
[repository]
ROOT = /srv/gitea/repos
[server]
SSH_DOMAIN = localhost
DOMAIN = localhost
HTTP_PORT = 3000
ROOT_URL = http://medusa.casa.alemor.org/git/
DISABLE_SSH = true
LFS_START_SERVER = true
LFS_CONTENT_PATH = /srv/gitea/lfs
LFS_JWT_SECRET = ${jwt_secret_2:?}
OFFLINE_MODE = true
[mailer]
ENABLED = false
[service]
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
DISABLE_REGISTRATION = true
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
REQUIRE_SIGNIN_VIEW = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
[picture]
DISABLE_GRAVATAR = true
ENABLE_FEDERATED_AVATAR = false
[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = false
[session]
PROVIDER = file
[log]
MODE = file
LEVEL = info
ROOT_PATH = /var/lib/gitea/log
```
where:
- JWT secrets are generated by `gitea generate secret JWT_SECRET`
- internal tokens are generated by `gitea generate secret INTERNAL_TOKEN`
- secret keys are generated by `gitea generate secret SECRET_KEY`
### create service
create the file `/etc/systemd/system/gitea.service`:
```
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
Requires=postgresql.service
[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=/var/lib/gitea/
# If using Unix socket: tells systemd to create the /run/gitea folder, which will contain the gitea.sock file
# (manually creating /run/gitea doesn't work, because it would not persist across reboots)
#RuntimeDirectory=gitea
ExecStart=/usr/local/bin/gitea web --config /etc/gitea/app.ini
Restart=always
Environment=USER=git HOME=/home/git GITEA_WORK_DIR=/var/lib/gitea
# If you want to bind Gitea to a port below 1024, uncomment
# the two values below, or use socket activation to pass Gitea its ports as above
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE
###
[Install]
WantedBy=multi-user.target
```
## run webinstall
### enable and start the service
```
systemctl enable gitea
systemctl start gitea
```
### make dbdump script
same as for nextcloud
put in `git`'s cron:
```
crontab -u git -e
```

14
src/gitea/docs/Deploy.md
View File

@ -0,0 +1,14 @@
### make haproxy conf
```
<frontend>
# Send to gitea if location /gitea/
http-request redirect location /git/ if { path /git }
use_backend gitea if { path_beg /git/ }
backend gitea
mode http
# WARNING: due to limitations in the config parser, the characters ")","]", or "," are not allowed in any regular expression
http-request set-path "%[path,regsub(^/git/,/)]"
server gt-1 127.0.0.1:9081
```

389
src/nextcloud/docs/Build.md
View File

@ -0,0 +1,389 @@
# Setup Documentation for Nextcloud
## Mount External Directory
we have a files directory and a database dump directory that we want to mount. Use the directives:
```
-v /tank/files/user/mar:/vol/files/mar/files \
-v /tank/files/db/nextcloud:/vol/db \
```
when creating the container.
inside the container, create the directory:
```
mkdir -p /vol/files/mar/files /vol/db
```
## System Setup
### Install Packages
install packages required for nextcloud:
```
apt update
apt upgrade
apt install unzip apache2 php7.2-fpm php7.2-gd php7.2-json php7.2-pgsql php7.2-curl php7.2-mbstring php7.2-intl php-imagick php7.2-xml php7.2-zip redis-server php-redis postgresql postgresql-doc
```
### Create Directories in external mount
create directories and set ownership:
```
cd /srv/nextcloud/
mkdir files
mkdir database
chown www-data:www-data files database
```
### Download Nextcloud
Then download the zip file containing the latest version of nextcloud:
```
cd
wget https://download.nextcloud.com/server/releases/latest.zip
```
this will save it as `latest.zip` in your current directory.
download the checksum:
```
wget https://download.nextcloud.com/server/releases/latest.zip.md5
```
verify the checksum:
```
md5sum -c latest.zip.md5 < latest.zip
```
unzip the file:
```
unzip latest.zip
```
a nextcloud directory will appear in your root directory
Move it to `/var/www/html`:
```
mv nextcloud /var/www/html/
rm latest.zip latest.zip.md5
```
And finally, make sure it's owned by the `www-data` user:
```
cd /var/www/html/
chown -R www-data:www-data nextcloud
```
### Make occ script
We will want to use the Nextcloud `occ` command a lot, so we will create an alias for it for convenience. Create a scipt in `/usr/local/bin`:
```
cd /usr/local/bin/
nano nc-occ
```
The script should have the following contents:
```
#!/bin/sh
sudo -u www-data php /var/www/html/nextcloud/occ "$@"
```
Don't forget to make it executable:
```
chmod +x nc-occ
```
### Configure Apache
`cd` to the Apache configuration directory:
```
cd /etc/apache2
```
Activate the Apache modules required for Nextcloud:
```
a2enmod rewrite headers env dir mime proxy_fcgi
a2dismod php7.2
a2enconf php7.2-fpm
```
Next, we will create a site configuration for NextCloud. We will make a new entry in `sites-available/nextcloud.conf`, with the following contents:
```
<VirtualHost *:80>
#ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/nextcloud/
<Directory /var/www/html/nextcloud/>
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#LogLevel debug
# PHP-FPM
<FilesMatch "\.php$">
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
<Proxy "fcgi://localhost/">
</Proxy>
</VirtualHost>
```
Next, we will go to `sites-enabled` and delete the default config and make a link to our NextCloud configuration file:
```
cd sites-enabled
rm 000-default.conf
ln -s ../sites-available/nextcloud.conf
```
### Configure PHP-FPM
Enable and start `php-fpm`:
```
systemctl enable php7.2-fpm
service php7.2-fpm start
```
Next, edit the `php-fpm` configuration file at `/etc/php/7.2/fpm/php.ini`. Find the OPcache section, which should be marked by the header `[opcache]`, and add the following configuration:
```
opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2
opcache.save_comments=1
```
Additionally, we want to set the following parameters in the same file to increase the allowed memory limit and upload size (search the file for the parameter name and edit that line):
```
max_execution_time = 240
memory_limit = 1G
upload_max_filesize = 10G
post_max_size = 11G
```
(`post_max_size` should be bigger than `upload_mas_filesize` to prevent errors)
Finally, we will want to set some parameters to tune the performance of PHP-FPM specifically. Set the following parameters in `/etc/php/7.2/fpm/pool.d/www.conf` to at least the following:
```
clear_env = no
pm = dynamic
pm.max_children = 32
pm.start_servers = 12
pm.min_spare_servers = 8
pm.max_spare_servers = 16
pm.max_requests = 500
```
These parameters will depend on your particular hardware. You can use the command `ps -C php-fpm7.0 -o rss= | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/NR/1024,"M") }'` to see the average memory usage by PHP-FPM for your computer, or `ps -C php-fpm7.0 -o rss= | awk '{ sum+=$1 } END { printf ("%d%s\n", sum/1024,"M") }'` to see total memory usage.
### Configure Redis
We will configure Redis to be available on a unix socket as well, as that will be faster than even using a loopback interface. Edit the file `/etc/redis/redis.conf`, and add the following configuration options:
```
port 0
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770
supervised systemd
```
Add `www-data` to the `redis` group so it can have full permissions on the socket:
```
adduser www-data redis
```
### Configure PostgreSQL
In order to configure PostgreSQL, we will switch to the `postgres` user:
```
su - postgres
```
First, enter the SQL shell:
```
psql
```
And create a database and user for Nextcloud:
```
CREATE DATABASE nextcloud;
CREATE USER ncadmin;
GRANT ALL PRIVILEGES ON DATABASE nextcloud TO ncadmin;
\q
```
Next, edit the file `/etc/postgresql/10/main/pg_hba.conf`. Since we are running nextcloud in a container, there is no need to worry about any other user connecting to the socket. So we will allow anyone to connect as `ncadmin` without needing authentication. So we will set the following configuration:
```
# Database administrative login by Unix domain socket
local all postgres peer
# Allow connection to Unix domain socket without authentication
local all ncadmin trust
```
The `trust` directive tells PostgreSQL to allow connections to the socket without attempting to authenticate. These are the only lines that will be needed in the `pg_hba.conf` file. Feel free to delete or comment out all the other lines.
Exit back to being root inside the container:
```
exit
```
The last step we need is to create a script to automatically dump the database on an hourly basis. We will create a script at `/usr/local/bin/dbdump`, with the following contents:
```
#!/bin/bash
hour=$(date +%H)
day=$(date +%d)
month=$(date +%m)
year=$(date +%Y)
dbdir=/srv/nextcloud/database
dbname=nextcloud
dbuser=ncadmin
mkdir -p $dbdir
cd $dbdir
if [[ -z "$1" ]]; then
echo "[$year-$month-$day] Error: called with missing hour parameter. Script exited without running." | tee error.log
exit 1
fi
if [[ $hour == "$1" ]]; then
nc-occ maintenance:mode --on
fi
pg_dump -U $dbuser -d $dbname > $dbname-hourly-$hour.sql 2>> error.log
if [[ $hour == "$1" ]]; then
nc-occ maintenance:mode --off
mv $dbname-hourly-$hour.sql $dbname-daily-$day.sql 2>> error.log
fi
if [[ $day == "01" ]]; then
mv $dbname-daily-$day.sql $dbname-$year-$month-$day.sql 2>> error.log
fi
# If error.log is size 0, erase it because I don't like seeing it
if [[ ! -s ./error.log ]]; then
rm error.log
fi
```
Don't forget to make it executable:
```
chmod +x /usr/local/bin/dbdump
```
### Restart Services
Finally, we will restart all our services to make sure all the configuration changes have taken effect. The easiest way to do this is just restarting the container itself:
```
exit
lxc restart nextcloud
```
## Nextcloud Setup
The rest of these steps should once again be executed on the nextcloud container:
```
lxc exec nextcloud -- bash
```
### Install Nextcloud
We will now run the Nextcloud installation script:
```
nc-occ maintenance:install --data-dir "/srv/nextcloud/files/" --database "pgsql" --database-host "/var/run/postgresql" --database-name "nextcloud" --database-user "ncadmin" --database-pass "" --admin-user "${admin_username:?}" --admin-pass "${admin_password:?}"
```
Where `${admin_username:?}` and `${admin_password:?}` are chosen by you, and will be the username and password of the Nextcloud admin user that will be created.
The message `Nextcloud was successfully installed` should be displayed if done correctly.
### Configure Nextcloud
Head over to the Nextcloud configuration directory:
```
cd /var/www/html/nextcloud/config/
```
In addition to the default `config.php` file, Nextcloud also loads configuration parameters fron any file ending with `.config.php`. These custom files are not overwritten by Nextcloud, and the values in these files take precedence over the default config file `config.php`, which means, among other things, that configuration set in a custom file cannot be changed through the web interface. It is also important to note that Nextcloud doesn't take these configuration values directly from the file, but rather copies them into the default `config.php` file. So if you want to erase a config value defined in a custom file, you will have to erase it from `config.php` as well.
We will create a file named `my.config.php` to neatly store our manually-set configuration parameters without having to search for our parameters in between all the automatically-configured parameters. The file should have the following contents:
```
<?php
$CONFIG = array(
/** Setup **/
'datadirectory' => '/srv/nextcloud/files/',
'htaccess.RewriteBase' => '/',
/** Database **/
'dbtype' => 'pgsql',
'dbname' => 'nextcloud',
'dbuser' => 'ncadmin',
'dbpassword' => '',
'dbhost' => '/var/run/postgresql',
'dbtableprefix' => 'oc_',
/** Network **/
'trusted_domains' =>
array (
0 => 'nextcloud.lxd',
),
'trusted_proxies' =>
array (
0 => 'nextcloud.lsu.brbytes.org',
),
'overwriteprotocol' => 'http',
'overwritehost' => 'medusa.casa.alemor.org',
'overwritewebroot' => '/nextcloud',
'overwrite.cli.url' => 'http://medusa.casa.alemor.org/nextcloud/',
/** Memory Caching **/
'memcache.local' => '\\OC\\Memcache\\Redis',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'filelocking.enabled' => 'true',
'redis' =>
array (
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.0,
),
);
```
Don't forget to change the owner of the file to `www-data`:
```
chown www-data:www-data my.config.php
```
There are also a few maintenance commands we need to run to make sure Nextcloud is properly set up:
```
nc-occ maintenance:update:htaccess
nc-occ db:add-missing-indices
nc-occ db:convert-filecache-bigint
```
## Set up crontab
Nextcloud needs to execute periodic background tasks. The recommended way to do this is with `cron`. Open the `www-data` user's crontab for editing by entering:
```
crontab -u www-data -e
```
This will open a text editor where you can edit the crontab. We will add to the crontab the following lines:
```
# Run Nextcloud cron tasks every 5 minutes
*/5 * * * * php -f /var/www/html/nextcloud/cron.php
# Dump database every hour
01 * * * * /usr/local/bin/dbdump 01
# Scan for new files every 15 minutes
*/15 * * * * php /var/www/html/nextcloud/occ files:scan mar
```
then save and exit. Finally, you can check that the job was properly scheduled by entering:
```
crontab -u www-data -l
```
## Nextcloud Tweaks
Here are a few ways you can tweak your Nextcloud instance:
If you are using the Calendar app, the default timeframe on which it updates subscriptions is one week. To set it to update subscriptions more often, use the command:
```
nc-occ config:app:set dav calendarSubscriptionRefreshRate --value ${timeframe:?}
```
where `${timeframe:?}` is in the format of a [`DateInterval`](https://www.php.net/manual/fr/dateinterval.construct.php) type. For a timeframe of one hour, use `PT1H`. For a timeframe of one day, use `P1D`.
To remove the space for writing notes at the top of a folder in the Files app, run:
```
nc-occ config:app:set text workspace_available --value=0
```
It can also be disabled on a user-by-user basis by disabling the "Show rich workspaces" option in the user settings for the Files app.

70
src/nextcloud/docs/Deploy.md
View File

@ -0,0 +1,70 @@
# Deploy Nextcloud Container
## Configure System Settings for Redis
Redis depends on a few kernel/system parameters being set appropriately to run well. Since these are kernel parameters, they can only be set on the host (not the container), and must be configured as root.
Firstly, the `overcommit_memory` system setting being set to zero may cause Redis to fail to background save. Make sure it is set to 1 by running:
```
sysctl vm.overcommit_memory=1
```
The setting can be made persistent through reboots by adding the line
```
vm.overcommit_memory = 1
```
to the bottom of your `/etc/sysctl.conf` file.
Additionally, Redis has fairly serious latency issues with THP (Transparent Huge Pages) enabled, so it is best to disable it. Disable them by running:
```
echo never > /sys/kernel/mm/transparent_hugepage/enabled
```
This configuration is also not persistent through reboots. Redis recommends adding the command as a line to your `/etc/rc.local` file, but `rc.local` is deprecated, so we will instead create a systemd unit to disable THP at startup. Create a file `/etc/systemd/system/redis-disable-thp.service`, with the following contents:
```
[Unit]
Description=Disable Transparent Huge Pages (THP) for Redis
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=lxd.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target
```
Then enable the service by running:
```
systemctl enable redis-disable-thp
```
## Configure HAproxy
Add the following directives to your HAproxy configuration:
```
frontend www
bind :80
mode http
# Reroute caldav/carddav auto-discover to appropriate address (i.e. Nextcloud)
# Put "code 301" after "redirect" to make it a 301 redirect
http-request redirect location /nextcloud/remote.php/dav/ if { path /.well-known/caldav /.well-known/carddav }
# Send to nextcloud if path begins with /nextcloud
use_backend nextcloud if { path_beg /nextcloud }
backend nextcloud
mode http
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
# Remove the "/nextcloud" part from the path
# WARNING: due to limitations in the config parser, the characters ")","]", or ","
# are NOT allowed in any regular expression
http-request set-path "%[path,regsub(^/nextcloud,)]"
server nc-1 127.0.0.1:9080
```
And make sure to reload the configuration by running:
```
service haproxy reload
```

125
src/samba/docs/Build.md
View File

@ -0,0 +1,125 @@
# Set up a Samba container
## config container
```
lxc exec samba bash
mkdir /srv/media
addgroup --gid 5000 files --system
adduser --uid 5000 --ingroup files files --disabled-password --gecos "Files Owner" --system --no-create-home --shell /usr/sbin/nologin --home /srv
exit
```
### mount stuff
```
-v /tank/files/media:/vol/media \
-v /tank/files/user:/vol/user \
```
replace home with a symlink:
```
cd / && rmdir /home && ln -s /vol/user home
```
### install samba
```
apt update
apt upgrade
apt install samba
```
### config samba
disable NMB daemon
```
systemctl stop nmbd
systemctl disable nmbd
```
edit `/etc/samba/smb.conf` to have the following contents:
```
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
### General ###
server string = medusa
server role = standalone server
disable netbios = yes
smb ports = 445
#### Logging ####
log file = /var/log/samba/smb.log
max log size = 1000
####### Authentication #######
passdb backend = tdbsam
map to guest = bad user
### Permissions ##
# The following settings configure all shares to use the filesrv user on the backend
force user = filesrv
force group = filesrv
create mask = 0644
directory mask = 0755
force create mode = 0644
force directory mode = 0755
unix extensions = yes
map archive = no
map system = no
map hidden = no
### Printing ###
# Disable all printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#======================= Share Definitions =======================
[media]
comment = Shared media files
path = /srv/media
browsable = yes
guest ok = yes
read only = yes
write list = @filesrv
[homes]
comment = User homes
browsable = no
guest ok = no
read only = no
valid users = %S
```
finally, restart the Samba server with:
```
service smbd restart
```
## define users
### make script
first, we will write a script to automate adding users. Create a file `/usr/local/bin/smbadduser` with the contents:
```
#!/bin/sh
adduser "$1" --disabled-password --gecos "" --no-create-home --shell /usr/sbin/nologin
usermod -a -G sambashare $1
smbpasswd -a "$1"
```
don't forget to make it executable:
```
chmod +x /usr/local/bin/smbadduser
```
### add users
for each user you want to be able to connect to Samba, run
```
smbadduser ${username:?}
```

18
src/samba/docs/Deploy.md
View File

@ -0,0 +1,18 @@
## configure reverse proxy
### haproxy
in `/etc/haproxy/haproxy.cfg`:
```
listen samba
bind :445 interface eno1
mode tcp
server smb-1 127.0.0.1:9045
```
### client
to mount a Samba share, put in your fstab something like this:
```
//medusa/media /net/media cifs noauto,user,rw,username=mar,file_mode=0644 0 0
```
Write Preview
Loading…
Cancel
Save