An average guy's IT (mis)adventures

I'll update this post whenever I see fits, A.K.A. when I have other bits of information which don't require a whole post.

Operations on files and directories

Move files and directories to the current/parent directory in Linux

Current dir

find . -type f -exec mv {} . \;

Parent dir

find . -type f -exec mv {} .. \;

Recursive chmod on files and dirs

To change all the directories to 755 (-rwxr-xr-x):

find /var/www/blog -type d -exec chmod 755 {} \;

To change all the files to 644 (-rw-r--r--):

find /var/www/blog -type f -exec chmod 644 {} \;

Certbot common commands

Register single domain:

certbot certonly --standalone -d domain.tld --dry-run

Renew single domain:

certbot renew --cert-name domain.tld --dry-run

• Remove “–dry-run” when ok.

Revoke certificate:

certbot revoke --cert-path /etc/letsencrypt/archive/${YOUR_DOMAIN}/cert1.pem

Check certificate's expiry date:

cat /etc/letsencrypt/live/domain.tld/cert.pem | openssl x509 -noout -enddate

GIT

To reset your git repository to given commit id, do:

git reset --hard <commit-id>
git push origin master --force

Ignoring files that are already tracked

git update-index --assume-unchanged <your file here>

Delta Chat Mail sieve

require ["fileinto"];
# rule:[DeltaChat]
if header :contains "Chat-Version" "1.0"
{
	fileinto "DeltaChat";
	stop;
}

Postfix mail queue

To view postfix mail queue in case of problems and remove a particular message from it, do as follows:

# mailq

-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
6DCF32201B*    4824 Thu Oct 19 22:54:44  roughnecks@woodpeckersnest.eu
                                         debian@spacenet.it

-- 4 Kbytes in 1 Request.

# postsuper -d 6DCF32201B

postsuper: 6DCF32201B: removed
postsuper: Deleted: 1 message

Check Preferred Outgoing IP (when multiple are set on <interface>)

curl ifconfig.me

The correct command to add a new Linux user (in this case without a shell)

adduser --shell /usr/sbin/nologin <username>

I always forget which command is the complete one, useradd or adduser

Here's my configuration, working fine with my Android 9 Phone

server.conf

root@pandora:~# cat /etc/wireguard/wg0.conf
[Interface]
# specify generated private key for server
PrivateKey = <sekret>
# IP address for VPN interface
Address = 172.16.100.1/32, fd42:42:42::1/64
MTU = 1420
# UDP port WireGuard server listens
ListenPort = 51820

# possible to set any commands after WireGuard starts/stops
# set routing rules like follows to access to local network via VPN session
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;

[Peer]
# REDMI
# specify public key for client
PublicKey = <sekret>
# clients' VPN IP addresses you allow to connect
# possible to specify subnet ⇒ [172.16.100.0/24]
AllowedIPs = 172.16.100.6/32, fd42:42:42::6/128
PersistentKeepalive = 25

client.conf

root@pandora:~# cat /etc/wireguard/redmi.conf
[Interface]
#Private IP Address
Address = fd42:42:42::6/128, 172.16.100.6/32
#Client's Private Key
PrivateKey = <sekret>
#Server's listening port
ListenPort = 51820

[Peer]
#Server's Public Key
PublicKey = <sekret>
AllowedIPs = ::0/0, 0.0.0.0/0
#Server's IP:port
Endpoint = woodpeckersnest.space:51820

sysctl.conf

root@pandora:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.accept_ra = 2

prosodyctl shell

Launch the shell:

# prosodyctl shell

Delete pubsub node (the ">" sign at the beginning is important):

>prosody.hosts["pubsub.example.tld"].modules.pubsub.service:delete("blog", true)

Delete ALL pubsub nodes

>local service = prosody.hosts["pubsub.example.tld"].modules.pubsub.service; for node in pairs(select(2, assert(service:get_nodes(true)))) do service:delete(node, true); end

Check subscription by user:

>prosody.hosts["pubsub.example.tld"].modules.pubsub.service.subscriptions["user@example.tld"]

Change affiliation on pubsub nodes (make user owner):

>prosody.hosts["pubsub.example.tld"].modules.pubsub.service:set_affiliation("blog",true,"user@example.tld","owner")

Unsubscribe from node

>prosody.hosts["pubsub.example.tld"].modules.pubsub.service:remove_subscription("blog",true,"user@example.tld")

Subscribe to node

>prosody.hosts["pubsub.example.tld"].modules.pubsub.service:add_subscription("blog",true,"user@example.tld")

prosodyctl commands

Asking for help:

# prosodyctl shell help

List registered users:

# prosodyctl shell user list example.tld

Activate a component:

# prosodyctl shell host activate some.component.example.tld

Generate Invites: create a new invite using an ad-hoc command in an XMPP client connected to your admin account, or use the command line:

# prosodyctl mod_invites generate example.tld

Automatic Certificates Import: prosodyctl has the ability to import and activate certificates in one command:

# prosodyctl --root cert import HOSTNAME /path/to/certificates

Certificates and their keys are copied to /etc/prosody/certs (can be changed with the certificates option) and then it signals Prosody to reload itself. –root lets prosodyctl write to paths that may not be writable by the prosody user, as is common with /etc/prosody. Multiple hostnames and paths can be given, as long as the hostnames are given before the paths.

This command can be put in cron or passed as a callback to automated certificate renewal programs such as certbot or other Let's Encrypt clients.

Import All:

# prosodyctl --root cert import /etc/letsencrypt/live

I had previously discussed this issue on XMPP and on my Schleuder Mailing List, but there's news.

My ".space" domain is blacklisted by Google and others top email services because it is considered spammy - I still don't understand how you can blacklist a whole tld for spam but that's how it goes..

So I purchased a new ".eu" domain and set it up as virtual host in postfix.. But I was still using a third party relay to deliver emails to Gmail, Hotmail and iCloud. This relay works with "credits", each email you send using their free service is equal to 1 credit and you get 1000 credits per month (BIG Thanks to Kévin from Delta Chat for helping me out with this).

Now, I haven't ever reached the maximum allowed quota but I felt like removing the casters at least for Gmail, since this .eu domain should do the job just fine and because I cannot actually remove Hotmail, since they have my server IP banned for whatever reason.

So, I removed the gmail line in my transport file for postfix, ran postmap and reloaded postfix.service. Finally I sent a Ping over to "Delta Chat Italian Offtopic Group" where there are 2 people with gmail accounts and everything was fine, no email returned back to sender.

I'll keep going like this until problems!!

Now, if anyone is interested on how my transport file looks like, I'll share 😀

outlook.com smtp:[outbound.mailhop.org]:587
hotmail.com smtp:[outbound.mailhop.org]:587
outlook.fr smtp:[outbound.mailhop.org]:587
hotmail.it smtp:[outbound.mailhop.org]:587
mail.icloud.com smtp:[outbound.mailhop.org]:587
*   :

You need an account on DuoCircle and you need to authenticate yourself (in postfix) for their smtp to accept emails from your server.

wg0.conf

[Interface]
# specify generated private key for server
PrivateKey = <privkey>
# IP address for VPN interface
Address = 172.16.100.1/32
MTU = 1420
# UDP port WireGuard server listens
ListenPort = 51820

# set routing rules like follows to access to local network via VPN session
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
# change "ens3" with your interface

[Peer]
# specify public key for client
PublicKey = <pubkey>
# clients' VPN IP addresses you allow to connect
# possible to specify subnet ⇒ [172.16.100.0/24]
AllowedIPs = 172.16.100.6

client.conf

[Interface]
# Private IP Address
Address = 172.16.100.6/32
# Client's Private Key
PrivateKey = <privkey>
# Server's listening port
ListenPort = 51820

[Peer]
# Server's Public Key
PublicKey = <pubkey>
AllowedIPs = 0.0.0.0/0
# Server's IP:port
Endpoint = 51.195.43.203:51820

If you want to scan a QR code on your phone to load the client.conf, do as follows:

# apt install qrencode
$ qrencode -t utf8 < client.conf

A QR code will appear, scan it.

Thanks to "to_red" for helping me out with the configuration 😉

Using the Maildir mailbox format, emails are stored in under the recipient user’s home folder /home/<username>/Maildir.

# postconf -e 'home_mailbox = Maildir/'

You might also want to add the Maildir setup to the user home directory template so that it is automatically configured when a new user account is created:

# maildirmake.dovecot /etc/skel/Maildir
# maildirmake.dovecot /etc/skel/Maildir/.Drafts
# maildirmake.dovecot /etc/skel/Maildir/.Sent
# maildirmake.dovecot /etc/skel/Maildir/.Trash
# maildirmake.dovecot /etc/skel/Maildir/.Templates

The same Maildir can be added to the current user with the commands below. Replace the $USER with any existing username:

# cp -r /etc/skel/Maildir /home/$USER/
# chown -R $USER:$USER /home/$USER/Maildir
# chmod -R 700 /home/$USER/Maildir
# adduser $USER mail

Also create a “.muttrc” file under /etc/skel and copy paste this content in it:

set mbox_type=Maildir
set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

I'm going to paste my working Monit configuration file for anyone attempting to make it work under Debian

  set daemon  120
  set log /var/log/monit.log
  set idfile /var/lib/monit/id
  set statefile /var/lib/monit/state

set ssl {
     verify     : enable
 }

  SET MAILSERVER
        pandora.woodpeckersnest.space
        PORT 465
        USERNAME <username> PASSWORD <password>
        using SSL

  set eventqueue
     basedir /var/lib/monit/events
     slots 100

  set alert <username>@woodpeckersnest.space not on { instance }

  set httpd port 2812 and
   use address 0.0.0.0
   allow 0.0.0.0/0.0.0.0
   allow admin:<password>
   with ssl {
         pemchain: /etc/monit/fullchain.pem
         pemkey: /etc/monit/privkey.pem
        }

  check system PANDORA
    if cpu usage > 95% for 10 cycles then alert
    if memory usage > 85% then alert
    if swap usage > 50% then alert

  check network ens3 with interface ens3
    if link down then alert
    if changed link then alert
    if saturation > 90% then alert

  check filesystem rootfs with path /
    if space usage > 80% then alert
    if space usage > 85% then alert
    if space usage > 90% then alert
    if space usage > 95% then alert

  check host pandora.spacenest.it with address 94.143.138.27
    if failed ping then alert
    if failed port 22 protocol ssh
    then alert

Then there are files under /etc/monit/conf.d/* and/or /etc/monit/conf-enabled/*. I only have 3:

nginx:

 check process nginx with pidfile /var/run/nginx.pid
   group www-data
   start program = "/etc/init.d/nginx start"
   stop program = "/etc/init.d/nginx stop"

postfix:

 check process postfix with pidfile /var/spool/postfix/pid/master.pid
     start program = "/etc/init.d/postfix start"
     stop  program = "/etc/init.d/postfix stop"
     if failed
        port 25
        protocol smtps
        username "<your_username>"
        password "<your_password>"
     then alert

sshd:

 check process sshd with pidfile /var/run/sshd.pid
   start program  "/etc/init.d/sshd start"
   stop program  "/etc/init.d/sshd stop"
   if failed port 22 protocol ssh then restart

Monit manual is very helpful, you should check it out.

Swap File

1. To create a 2GB swap file we can use "dd" command like this:

# dd if=/dev/zero of=/mnt/swapfile bs=1024 count=2097152

bs=1024 means read and write up to 1024 bytes at a time and count it's the size of the file (1024 x 2048)MB

2. Then set the appropriate permissions on the file; make it readable only by root user:

# chmod 600 /mnt/swapfile

3. Now prepare the file for swap with the mkswap command:

# mkswap /mnt/swapfile

4. Next, enable the swap file

# swapon /mnt/swapfile

5. Afterwards, enable the swap file to be mounted at boot. Edit the /etc/fstab file and add the following new line in it:

/mnt/swapfile swap swap defaults 0 0

You can also disable the swapfile at runtime, any time you want; just make sure it doesn't exceed your available RAM:

# swapoff /mnt/swapfile

Last but not least, this is how to check your swap usage by process:

$ for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less