Tech @ languidnights - server

Tmux + SSH

2024-08-30T00:00:00-04:00

Problem Statement
V and the Terrible, Horrible, No Good, Very Bad Solution
SO's good solution
Why write this post?

Problem Statement

I like ssh (I have servers I do not physically sit at, and I pay for their usages, so I'd rather not uselessly invoke a rdp/vnc server). I like tmux, because terminal multiplexing is right and proper. I pretty much always do tmux attach -t admin || tmux new -t admin upon logging in. Automation is good, generally.

V and the Terrible, Horrible, No Good, Very Bad Solution

You /can/ do the following in your .bashrc. You shouldn't, for a varienty of reasons, but you can...

tmux attach -t admin || tmux new -t admin

What? You don't ever use scp? or git? or pelican's make ssh_upload? I like all three, so this is a dirty nasty hack for me.

SO's good solution

StackOverflow not Significant Other (though as a hobbyist dev/sysadmin, may as well be the same) had the correct answer. Use 'new' ssh and tmux! Inside "$HOME"/.ssh/config:

Host <host>+tmux
  Hostname <host>.<tld>
  User <user>
  RequestTTY yes
  RemoteCommand tmux new -A -s admin

Tells ssh to execute tmux new with the '-A' flag, with tells it to attempt to attach to the admin session, then create it if the session doesn't exist.

Why write this post?

I predict this site will disappear before SO, but my memory is fickle and bad, and this site is kinda like a notebook of important info for me.

cgit+gitolite+nginx

2024-01-21T00:00:00-05:00

Our Goal

The Easy Part

Nginx is fun, and I've used it before with fastcgi. Let's do the easy parts. I've already set gitolite3's UMASK to be a bit less righteous for interoperability with git-daemon+xinited, so we'll move on to the new configuration.

apt-get install fcgiwrap
systemctl enable fcgiwrap
chmod -R go-rwx /var/lib/gitolite3
chmod -R g+rx /var/lib/gitolite3
adduser www-data gitolite3

server {
       server_name projects.languidnights.com;
       listen 443 ssl;
       list [::]:443 ssl;

       gzip off;

       location /cgit/ {
           root /usr/lib/cgit/;
           include fastcgi_params;
           fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
           fastcgi_pass  unix:/run/fcgiwrap.socket
           fastcgi_param QUERY_STRING $args;
           fastcgi_param HTTP_HOST $server_name;
       }

       location /cgit-css/ {
           root /usr/share/cgit/;
       }
}

Problem Numero Uno

What do you mean I can't see the stylesheets and images? Oh, you want it to be an alias, not a directory. I got it

/etc/nginx/sites-enabled/projects

--- a        2024-01-21 05:54:37.553311062 +0000
+++ b        2024-01-21 05:54:54.113321210 +0000
@@ -48,6 +48,6 @@
       }

       location /cgit-css/ {
-            root /usr/share/cgit/;
+            alias /usr/share/cgit/;
       }
}

Let's configure cgit

It's got a pretty good man page man 5 cgitrc and I did this in the before times with gitolite2, so let's go.

css=/cgit-css/cgit.css
logo=/cgit-css/cgit.png
favicon=/cgit-css/favicon.ico

root-title=LanguidNights' Git Repositories
root-desc=various and sundry
enable-index-links=1
enable-git-config=1
remove-suffix=1

project-list=/var/lib/gitolite3/projects.list
scan-path=/var/lib/gitolite3/repositories

So Far

It works beautifully. That is, if you happen to be sitting on the server and part of the www-data group.

sudo -u www-data /usr/lib/cgit/cgit.cgi

If, like me, you want your website for your git repos to be viewable on the web, still no joy. It just says 'no repositories found'. I know that's a lie, cgit! Give me your secrets, I'm going mad and it's past midnight! Nothing in my error logs, nothings in my access logs, nothing in my syslog. What is going on?

ls -l /var/lib/gitolite3
cat /var/lib/gitolite3/projects.list
systemctl restart fcgiwrap.socket fcgiwrap.service nginx.service

And no joy! You're lucky I'm bald, or I'd have thrown handfuls of my own hair at you!

The Final Pieces

Courtesy of The Arch Linux BBS I finally got the last piece, which I missed in all the relevant documentation. It consisted of two parts

/etc/cgitrc

--- a        2024-01-21 05:42:37.240863180 +0000
+++ b        2024-01-21 05:42:28.244857393 +0000
@@ -6,6 +6,7 @@
logo=/cgit-css/cgit.png
favicon=/cgit-css/favicon.ico

+virtual-root=/cgit/
root-title=LanguidNight's Git Repositories
root-desc=various and sundry
enable-index-links=1

/etc/nginx/sites-enabled/projects

--- a        2024-01-21 05:32:23.356460060 +0000
+++ b        2024-01-21 05:32:12.704453273 +0000
@@ -43,6 +43,8 @@
       fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
       fastcgi_pass  unix:/run/fcgiwrap.socket;

+    fastcgi_split_path_info         ^(/cgit/?)(.+)$;
+    fastcgi_param   PATH_INFO       $fastcgi_path_info;
       fastcgi_param QUERY_STRING    $args;
       fastcgi_param HTTP_HOST       $server_name;
}

And, we have joy. My life is now better than it was a 3:00pm at least, and I can finally go to bed. Well, just as soon as I write this up for posterity.

Mail Server Setup

2022-03-18T00:00:00-04:00

I've taken great pains to get my mail server set up both the way I want it and correctly. I'm now sharing that knowledge with the internet as a whole, as well as myself when I need to figure out wtf I did.

Table of Contents

NOTE
Setting up virtual mail users and authentication through Dovecot
Setting up Postfix to authenticate through Dovecot
Amavis: Spamassassin and ClamAV
Thanks

NOTE

This article should be considered archived as of 2023-02-09. I have abandoned the maintenance of my own email solution for ProtonMail.

Setting up virtual mail users and authentication through Dovecot

My goal here was to use LDAP for authentication and creation of mailboxes for "virtual users" (ie, they don't exist in /etc/password and have home directory). I set it up this way so that I could set up mailboxes for application accounts and get their mail delivered to a predictable place and be able to access it through IMAP without having to have it clutter my actual mailbox.

The bulk of the 'fun stuff' is in /etc/dovecot/dovecot-ldap.conf.ext - it's well commented, so I'm just going to list the settings I changed. For purposes of cleanliness, I'm going to use 'example.com' and 'not the real password' where appropriate :-) I'm using a fairly standard simple bind.

hosts = localhost
dn = cn=admin,dc=example,dc=com
dnpass = not the real password
auth_bind_userdn = uid=%u,ou=People,dc=example,dc=com

Here's I'm checking the users and passwords against the mail attribute on the LDAP account. I'm then ignoring interesting parts of the results to store all mail under a 'vmail' user with uid and gid of 5000 and a subdirectory named after the real users. Dovecot finds this location both when delivering and serving, so no further setup here needed.

base = dc=example,dc=com
user_attrs = 5000=uid,5000=gid,home=/var/vmail/%u
user_filter = (&objectClass=posixAccount)(mail=%n@example.com)
pass_attrs = uid=user,userPassword=password,homeDirectory=/var/vmail/%u
pass_filter = (&objectClass=posixAccount)(mail=%n@example.com)

After this, I just have to wire it up in conf.d/auth-ldap.conf.ext to use ldap for password lookups and semi-hardcoded user lookups---don't validate the user and assume they get mail to /var/vmail/{username}

passdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
      driver = static
      args = uid=vmail gid=vmail home=/var/vmail/%u
}

Setting up Postfix to authenticate through Dovecot

Because I spent so much time getting authentication working for Dovecot, let's just re-use it for postfix because the same users are trying to send mail as are receiving it.

In /etc/dovecot/conf.d/10-master.conf

# Setup the socket for postfix to authentical against
service auth {
      unix-listener /var/spool/postfix/private/auth {
              mode = 0666
      }
}

In /etc/postfix/main.cf for authentication

# SASL authentication
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_path = private/auth

In /etc/postfix/main.cf for mail delivery

# Postfix MDA
mailbox_transport = dovecot
mailbox_commant = /usr/lib/dovecot/dovecot-lda -a "$RECIPIENT"
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

In /etc/postfix/master.cf before the non-posix services

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user} -a ${recipient}

Amavis: Spamassassin and ClamAV

Install but do not enable spamassassin. Amavis will take care of launching a scanner as it scans emails. When I enabled the spamassassin daemon, I ended up with all cpu cores fully utilized.

Install and do enable clamav-daemon. Amavis can use the daemon for a bit of a computational advantage.

Install Amavis and configure it to use spamassassin and clamav. As I'm using Debian, I updated the 15-content_filter_mode to uncomment the virus_checks and spam_checks lines

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

# Default antivirus checking mode
# Please note, that anti-virus checking is DISABLED by
# default.
# If you wish to enable it, please uncomment the following line:

@bypass_virus_checks_maps = (
  %bypass_virus_checks, @bypass_virus_checks_acl,
  $bypass_virus_checks_re);

# Default SPAM checking mode
# Please note, that anti-spam checking is DISABLED by
# default.
# If You wish to enable it, please uncomment the following lines:
@bypass_spam_checks_maps = (
  %bypass_spam_checks, @bypass_spam_checks_acl,
  $bypass_spam_checks_re);

1;  # ensure a defined return

At the end of the postfix master.cf file, I added the following lines to shunt the email to Amavis.

smtp-amavis  unix       -      -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet    n      -       -       -       -       smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=permit_mynetworks,reject
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
     -o local_header_rewrite_clients=

Thanks

These fine projects have been used as my tools of choice in serving mail.

(open)LDAP lessons

2022-03-18T00:00:00-04:00

I've set up LDAP a couple times in a personal capacity, and I'm sharing this if anyone's interested, or if I need to come back to it.

Table of Contents

Adding a search index field
Add A User
Thanks to

Adding a search index field

I've had slapd running for a long time without any functional errors, but the daemon would often tell me that the mail field wasn't indexed and it could be. Now, I'm not the sort of target that would be worth denial-of-service attacks against my LDAP database, but it's still worthwhile to clean it up (if for no other reason that to tidy syslog!).

slapd[pid]: <= mdb_equality_candidates: (mail) not indexed

To fix this, I set about scouring the internet. Most of the results I found were how to fix the issue in the 1995-era technical reference or discussions about modifying "slapd.conf" and running slaptest. I didn't use a semi-modern version of openldap just to resurrect the old config format, use it, then throw it back away! There had to be a better option. And there is! I found hints on Debian's wiki which led me to my ultimate solution to this annoyance. Debian used a heredoc but I'm nowhere near confident in either my typing nor my copy-pasting to use one, so I created a file with the interesting index.

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: mail pres,sub,eq

Then, I used ldapmodify to update add the index to the LDAP directory.

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f add_index.ldif

All good now, nice clean logfiles and an LDAP doesn't have to struggle so much!

Add A User

Create an adduser.ldif file with the following info (for my mail and user setup, yours may vary). Substite the values in ${ .. } with pertinent details of your site. Then execute the ldapmodify command. This will ask for your password on the command line.

ldapmodify -x -D "${admin LDAP path}" -W -H ldapi:/// -f adduser.ldif

Example adduser.ldif

dn: uid=${username},ou=People,dc=${domain},dc=${tld}
changetype: add
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
ou: People
uid: ${username}
cn: ${user given name}
sn: ${user family name}
givenName: ${user given name}
displayName: ${user display name}
initials: ${user initials}
uidNumber: ${user numeric uid}
gidNumber: ${user numeric gid}
homeDirectory: ${full path to user home directory}
loginShell: ${full path to user login shell}
mail: ${user email address}

Thanks to

I'd like to thanks openLDAP for the relatively simple directory servers/clients and Debian's wiki for the information I needed to make sense of the configuration.

ReST in Jekyll

2022-03-18T00:00:00-04:00

Contents

NOTE
A Story of Markup
A Story of Dependencies
A Story of Gems
A Story of Reference
A Story of the Future
TL;DR

NOTE

This article should be considered archived. No further updates are expected. For ReST-flavoured blogging, please see Pelican.

A Story of Markup

Jekyll, by default, does not support writing your static page/blog in Restructured Text, or ReST. I came at my personal projects from the Python world, where ReST is commonly used. I, therefore, am much more comfortable in the ReST world than am I in the Markdown or Textile. Naturally, I went looking for a Jekyll RST plugin. There was only one I could find, and it was sufficiently old as to no longer work with modern docutils setups, so, rather than tie myself down to an ancient docutils, I decided to modernize it.

A Story of Dependencies

The github repository I found listed as dependencies Pygmentize and Docutils. It turns out, however, that the important parts of both projects were included in the repository itself. Seeing this as a waste, I first remove Pygmentize, discovering to my joy that the docutils converter I was using would do that for me! I then set about removing the glue that tied that Pygmentize to the rst2html in the repository. Simple, and it Just Worked™. Now that I was here, with a bog-standard rst2html, I tested things. Nope, UTF-8 conversions weren't handled automatically in this wrapper class. No problem, let's just bring in the modern one. Wait, what? If I'm directly including the modern one, and also listing it as a dependency, it would be much cleaner to just use the version brought in, no? So it went away, leaving just the ruby=>python bridge. Much cleaner, if a bit of a trivial product now.

A Story of Gems

Ouch! There was a ticket on the original project I forked asking for it to be made available as a gem. I'm a sucker for interesting projects, so I set about to make it so. Create a branch, switch to it, and get on with the gem creation! Except, no. There's multiple different educational resources each containing the correct instructions for the version of gem and bundle that were current when they went live. None of these versions were anything resembling current, so I'd have to go deeper. I'd have to go to the source of truth about these topics, the official documents at the Bundler itself. This got me bootstrapped with, ironically enough, a bootstrap routine. A few more tweaks of configuration, and I could build a gem. It was just a shame that it did nothing at all...

A Story of Reference

By gum, somebody had to have done this before me! I checked out the Jekyll site again, and sure enough they released one of their official parser/converters at the Textile github repository! Thanks and praise be to the gods of documentation! Anyway, I adapted their configuration to match the code I already had, using the Ruby underscores naming convention (though this is purely a aesthetic change, as I consider this its own thing and they consider theirs an extension). I also had some Jekyll plumbing to adapt. Luckily their code is MIT license` and so is mine. A few code changes and framework force-fitting and I'm off to the races!

A Story of the Future

Where do we go from here, my dear readers? That's a good question. The inclusion of the plugin is now dead-simple, so we could just let it be. We also could include it in an official Gems repositories, or one of the Jekyll plugin repositories. These decisions await a more permanent answer in the future™.

TL;DR

Go to this repository and get blogging in rst files.