server { listen *:443; server_name iix.se; ssl on; ssl_certificate /etc/letsencrypt/live/iix.se/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/iix.se/privkey.pem; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1; proxy_read_timeout 90; } }

Description=iix-notes @ iix.se docker Requires=docker.service After=docker.service [Service] WorkingDirectory=/srv/iix-notes ExecStart=/usr/local/bin/docker-compose up ExecStop=/usr/local/bin/docker-compose down [Install] WantedBy=multi-user.target

# /etc/systemd/system/spark-backend.service Description=iix.se java spark backend After=network.target [Service] WorkingDirectory=/srv/spark-backend User=www-data Group=www-data ExecStart=/srv/spark-backend/bin/spark-backend [Install] WantedBy=multi-user.target

Crontab for renewal # m h dom mon dow command 15 3 * * * certbot renew --quiet --no-self-upgrade --pre-hook "systemctl stop nginx.service" --post-hook "systemctl start nginx.service" Docker alternative Note that if you run certbot in docker, you cannot use the –pre-hook and –post-hook as the other services cannot be changed through the docker container. Instead, you should create a script file, where you run the –pre-hook before the command and –post-hook afterwards ...

Spam in error.log: 2017/05/07 16:51:50 [error] 30504#0: *7089 connect() failed (111: Connection refused) while connecting to upstream, client: 169.54.244.93, server: iix.se, request: "GET / HTTP/1.1", upstream: "http://[::1]:8001/", host: "phoenix.iix.se" In your nginx configuration, replace hostnames with ip-addresses

Find sequences: \c database_name \ds For each, run: SELECT setval('your_table_id_seq', (SELECT MAX(id) FROM your_table));

Open local port 5901 to be reached from anyone by connecting to localhost:8080 socat TCP4-LISTEN:8080,fork TCP4:localhost:5901

Note Instructions are for debian (and probably works for ubuntu and friends too). Easiest way to getting it to work in fedora is through dovecot’s sasl2. See dovecot configuration and postfix configuration Install sasl dependencies sudo apt-get install libsasl2-modules sasl2-bin Create /etc/postfix/sasl/smtpd.conf: pwcheck_method: saslauthd mech_list: PLAIN LOGIN Create /etc/default/saslauthd-postfix cp /etc/default/saslauthd /etc/default/saslauthd-postfix Edit /etc/default/saslauthd-postfix START=yes DESC="SASL Auth. Daemon for Postfix" NAME="saslauthd-postf" # max. 15 char? OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" Create subdirs: dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd Add group (maybe not required?) adduser postfix sasl Reset and enable saslauthd sudo systemctl restart saslauthd sudo systemctl enable saslauthd Config postfix sudo postconf -e 'smtpd_sasl_local_domain = $myhostname' sudo postconf -e 'smtpd_sasl_auth_enable = yes' sudo postconf -e 'broken_sasl_auth_clients = yes' sudo postconf -e 'smtpd_sasl_security_options = noanonymous' sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination' Reset postfix sudo systemctl restart postfix

Description: Install unattended-upgrades. The server should run unattended upgrades every night, and reboot at 4 am if required by any application. Implementation: Login as root Install packages unattended-upgrades and cron-apt Set the following values in /etc/apt/apt.conf.d/50unattended-upgrades Unattended-Upgrade::Origins-Pattern { "o=Debian,a=stable"; }; Unattended-Upgrade::MinimalSteps "true"; Unattended-Upgrade::InstallOnShutdown "true"; Unattended-Upgrade::Mail "root"; Unattended-Upgrade::MailOnlyOnError "true"; Unattended-Upgrade::Remove-Unused-Dependencies "false"; Unattended-Upgrade::Automatic-Reboot "true"; Unattended-Upgrade::Automatic-Reboot-Time "04:00"; Unattended-Upgrade::InstallOnShutdown "false"; Set the following values in /etc/apt/apt.conf.d/02periodic APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1"; APT::Periodic::AutocleanInterval "30"; Verification: Run unattended-upgrade --dry-run --debug as root. If there are any application upgrades available, they should show up. Wait a few days and check /var/log/apt/history.log

Installation (No X11) # Install prerequirements (ignore virtinst if you have x11) sudo apt-get install qemu-kvm libvirt-bin virtinst sudo usermod -aG kvm $USER sudo usermod -aG libvirt $USER Creating a new host (i.e. guest) # NAME-OF-VHOST is whatever you want to call your virtual host # SIZE-IN-MB is how many MBs of RAM you want to give the new host # LOCATION is the location to install from, you can find locations by typing `man virt-install` # NAME-OF-DISK is what disk you want to provide to the vhost, e.g. a partition sudo virt-install --virt-type kvm --name NAME-OF-VHOST --memory SIZE-IN-MB --location LOCATION --extra-args "console=ttyS0" --disk /dev/NAME-OF-DISK # Example sudo virt-install --virt-type=kvm --name david2 --memory 16384 --location http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/ --disk /dev/vg0/lv1 --extra-args "console=ttyS0" # Example (ISO-file and vnc graphics) sudo virt-install --virt-type=kvm --name bleach --memory 4096 --disk /dev/vg0/lv5 --cdrom Fedora-Server-netinst-x86_64-27-1.6.iso --graphics=vnc,listen=127.0.0.1,password=verysecret Bridge guest to host network Add network interface In /etc/network/interfaces, change from ...