jason schaefer . com

"arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say."

Tag: debian

Installing Nextcloud v22 on Debian v11 (buster) using Redis
This is a concise tutorial, it is not meant to be a hand holding step by step guide. Please comment or contact me if you find errors.

Prerequisites:
Setup a domain/sub domain with an A record to the ip of the server or a CNAME to a “dynamic DNS” hostname. I recommend https://freedns.afraid.org.
The server needs to have ports 80 and 443 reachable to the public. The DNS must be propagated for letsencrypt to be successful.

Start the install

apt-get install apache2 mariadb-server libapache2-mod-php php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-bz2 python3-certbot-apache redis-server php-redis php-bcmath php-gmp ffmpeg curl coreutils libmagickcore-6.q16-6-extra

Download Nextcloud

wget https://download.nextcloud.com/server/releases/latest-22.tar.bz2

Make sure the md5 matches
md5sum latest-22.tar.bz2
curl https://download.nextcloud.com/server/releases/latest-22.tar.bz2.md5

Extract the tar file and change permissions
tar xfv nextcloud-22.x.tar.bz2
mv nextcloud/ /var/www/example.com/
chown www-data:www-data -R /var/www/example.com/

Setup Apache

Create a apache virtual site
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf

edit /etc/apache2/sites-available/example.com.conf
uncomment and change
“ServerName example.com“

change the document root
DocumentRoot /var/www/html/example.com

change log location if you would like
ErrorLog ${APACHE_LOG_DIR}/example.com_error.log CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined

a2ensite example.com

a2enmod php7.4 rewrite headers env dir mime userdir dav ssl

service apache2 restart

Setup Letsencrypt

certbot --apache -d example.com

tell it to redirect http to https

Edit /etc/apache2/sites-enabled/example.com-le-ssl.conf
```
  <Directory /var/www/example.com/>
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
  </Directory>
```
To avoid certain race conditions between the /etc/apache2/sites-available/example.com.conf and /etc/apache2/sites-available/000-default.conf
I prefer to remove example.com.conf and move the http->https redirect into the 000-default.conf

cat /etc/apache2/sites-available/example.com.conf

….snip…
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with “a2disconf”.
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

copy the rewrite rule at the bottom:
```
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

edit and paste into the default conf
vi /etc/apache2/sites-enabled/000-default.conf
```
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined RewriteEngine on RewriteCond %{SERVER_NAME} =example.com RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost>

Configure php
edit /etc/php/7.4/apache2/php.ini
```
memory_limit = 768M
upload_max_filesize = 1024M
post_max_size = 1024M
max_execution_time = 300
```
Create a database, user and password for nextcloud

mariadb -uroot
```
CREATE USER 'nextcloud'@'localhost' IDENTIFIED BY 'PASSWORD';
CREATE DATABASE IF NOT EXISTS nextcloud;
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES ON nextcloud.* TO 'nextcloud'@'localhost';
FLUSH privileges;
```
run the installer at https://example.com/

Now we can setup Redis

edit /etc/redis/redis.conf
Under the # Unix socket. section add the following
```
port 0
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 770
```
add www-data to redis group

usermod -a -G redis www-data
/etc/group will now have an entry like this “redis:x:119:www-data”

systemctl enable redis-server

Add the following to /var/www/example.com/config/config.php
```
'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis-server.sock',
    'port' => 0,
    'dbindex' => 0,
    'timeout' => 1.5,
  ),
```
edit /etc/php/7.4/apache2/php.ini
```
  opcache.enable=1
  opcache.enable_cli=1
  opcache.memory_consumption=128
  opcache.interned_strings_buffer=8
  opcache.max_accelerated_files=10000
  opcache.save_comments=1
  opcache.revalidate_freq = 1
```
systemctl restart redis-server
systemctl restart apache2
Setup cron for Nextcloud

crontab -u www-data -e
*/5 * * * * php -f /var/www/example.com/cron.php

done;
October 13, 2021
Setup x11vnc server with systemd auto start up
The reason I use x11vnc is that it connects to the existing graphical session. Most other vnc servers will spawn an entirely new graphical session. While that is super cool, I don’t want that feature. This is for remote support, where I want the user and the supporter to share the same session. I use the ‘-auth guess’ to have x11vnc guess the XAUTHORITY file‐name and use it appropriately. This avoids the annoying hard coding of gdm, lightdm, xdm or specific users .Xauthority.

Install x11vnc
# apt-get install x11vnc

The following should work for any distro that uses systemd, just the apt bits are Debian specific.

Generate the password and store it under etc so no users can change this password, only root. You can do this under your users home so that its not managed by root. In my case I didn’t want the user to be able to change or accidentally delete the password.
# x11vnc -storepasswd /etc/x11vnc.pwd

edit (create new) the following file
use whatever text editor you prefer, here I use vi
# vi /etc/systemd/system/x11vnc.service

And add the following, making any changes you want to the x11vnc ExecStart
See the man page for explanations of the switches
```
[Unit]
Description=Start x11vnc at startup.
After=multi-user.target

[Service]
Type=simple
ExecStart=/usr/bin/x11vnc -auth guess -forever -loop -noxdamage -repeat -rfbauth /etc/x11vnc.pwd -rfbport 5900 -shared -o /var/log/x11vnc.log

[Install]
WantedBy=multi-user.target
```
Now enable the above, start it and verify its running and listening properly
# systemctl enable x11vnc
# systemctl start x11vnc
# netstat -pat
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 2806/x11vnc

Now that the server is all setup lets move onto the client
apt-get install tigervnc-viewer
vncviewer [remote host ip or hostname]

done;
January 20, 2020
Linux-Libre and Realtime patch
I wanted to share some notes on patching the Linux Libre kernel with realtime capabilities. The Linux-Libre project pulls out all the un-free bits from standard Linux. Contrary to popular belief, Linux has many non-free parts, small binary or obfuscated pieces of code for various hardware. I have a Lenovo T61 laptop. I removed the Intel wireless pci express card and put in a Atheros AR5008 wifi card using ath9k completely free wireless driver. Now my system (as far as I can tell:-) is completely free.

I make music and the realtime patch makes the latency of my system and soundcard very low. This is a unique advantage that the gnu/linux operating system gives its users. I highly recommend a realtime patch for anyone working with audio and video on gnu/linux.

Start by getting the rt patch http://www.kernel.org/pub/linux/kernel/projects/rt/ for the kernel version you want to compile.
Then get the corresponding Linux-Libre version http://www.linux-libre.fsfla.org/pub/linux-libre/releases/
```
tar xfvj linux-2.6.29.6-libre1.tar.bz2
cd linux-2.6.29.6
bzcat ../patch-2.6.29.6-rt23.bz2 | patch -p1
```
Now Linux is patched with realtime
now its time for
```
make menuconfig
```
from the RT How to:
* enable CONFIG_PREEMPT_RT
* activated the High-Resolution-Timer Option (Attention, the amount of supported platforms by the HR timer is still very limited. Right now the option is only supported on x86 systems, PowerPC and ARM Support are however in queue.)
* disabled all Power Management Options like ACPI or APM (not all ACPI functions are “bad”, but you will have to check very carefully to find out which function will affect your real time system. Thus it’s better to simply disable them all if you don’t need them. APM, however, is a no-go.) NOTE: Since rt patch 2.6.18-rt6 you will probably have to activate ACPI option to activate high resolution timer. Since the TSC timer on PC platforms, as used in the previous versions, are now marked as unsuitable for hrt mode due to many lacks of functionalities and reliabilties, you will need i.E. pm_timer as provided by ACPI to use as clock source. To activate the pm_timer, you can just activate the ACPI_SUPPORT in menuconfig and deactivate all other sub modules like “fan”, “processor” or “button”. If you have an old pc, which lacks ACPI support, you migh have problems using the high resolution timer.

I personally have not removed my power management options, as I use a laptop and want these features. I don’t notice any problems but have not tried it without them to know what I’m missing.

then compile the kernel, the debian way
```
fakeroot make-kpkg kernel_image
```
```
sudo dpkg -i linux-image-2.6.29.6-libre1-lapkah_2.6.29.6-libre1-lapkah-10.00.Custom_i386.deb
```
Here is my latest config and the debian package for libre realtime for lenovo t61

~ May your kernel build and your modules have your back ~
October 11, 2009