
Update PiHole in docker-compose


After you have installed PiHole according to Install PiHole in docker-compose on Ubuntu Server, you probably want to run regular updates.

With docker-compose you can simply run this:

cd /opt/pihole/
sudo docker-compose stop
sudo docker-compose rm -f
sudo docker-compose pull
sudo docker-compose up -d

Thanks to https://stackoverflow.com/a/39127792/7311363

Run Gmail in Different Firefox Profile on Linux Mint


I want to have a separate Firefox profile for my Google account, primarily used for Gmail.
I use Linux Mint 19.3 Tricia.
I want it to have its own icon in the task list, and the Gmail profile should not open in the Firefox "Icon Group" (I don't know the correct name).

Steps to Achieve That

  1. Create a new profile
    1. Press Alt+F2
    2. Enter firefox -P
    3. Add a new profile and call it "Google"
  2. Create a new file ~/.local/share/applications/GmailFF.desktop with this content:
    [Desktop Entry]
    Name=Gmail Firefox
    Exec=firefox -P Google --no-remote --class GoogleFF
    Comment=Open Firefox with Google Profile
    Terminal=false
    Icon=checkgmail
    Type=Application
    StartupNotify=True
    StartupWMClass=GoogleFF

    The magic comes from StartupWMClass: Firefox with the profile Google now opens as if it were a different program (found at https://www.techrepublic.com/article/how-to-run-two-different-firefox-profiles-at-once-on-linux/)

  3. Search for "Gmail Firefox" (or whatever Name you defined above) and open the profile.
    1. Pin the program to the task list
    2. Log in to your Gmail account
    3. Change "Homepage and new windows" to gmail.com in Preferences
    4. Change "Default Search Engine" to DuckDuckGo in Preferences
    5. Install the add-ons uBlock Origin and Privacy Badger

Install PiHole in docker-compose on Ubuntu Server


Overview

This documents how to install PiHole on an Ubuntu server. PiHole runs under docker-compose with a couple of volumes mounted from the host, so the data survives updates. The pihole container itself is meant to be ephemeral.

Base Installation

The following steps are done according to pi-hole/docker-pi-hole.

Run these steps:

  • Install docker-compose on yourserver.example.com with sudo apt install docker-compose

  • For the following, use the install folder /opt/pihole

  • Create docker-compose.yaml in /opt/pihole/; below is the final version, including the volumes which are added later:

    version: "3"
    # More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
    services:
      pihole:
        container_name: pihole
        hostname: yourserver-pihole
        image: pihole/pihole:latest
        ports:
          - "53:53/tcp"
          - "53:53/udp"
          - "67:67/udp"
          - "80:80/tcp"
          - "443:443/tcp"
        environment:
          ADMIN_EMAIL: 'pihole@example.com'
          DNS1: '9.9.9.9'
          DNS2: '1.1.1.1'
          PIHOLE_BASE: '/opt/pihole'
          TZ: 'Europe/Zurich'
          WEBPASSWORD: '...'
        # Volumes store your data between container upgrades
        volumes:
          - './etc-pihole/:/etc/pihole/'
          - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
          - './letsencrypt:/opt/letsencrypt/'
          - './letsencrypt/lighttpd-external.conf:/etc/lighttpd/external.conf'
          - './fakewebroot/.well-known:/var/www/html/.well-known'
        # Recommended but not required (DHCP needs NET_ADMIN)
        #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
        cap_add:
          - NET_ADMIN
        restart: unless-stopped

  • You can now start it with: docker-compose up --detach

  • You can now connect to http://yourserver.example.com/admin, but make sure you don't log in with the defined WEBPASSWORD yet: your connection isn't encrypted.

Certificate with Let's Encrypt

The admin interface isn't encrypted yet, therefore we want to run Let's Encrypt (certbot) on the host machine.

The following was done with information from https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771

  • We first create the folders /opt/pihole/fakewebroot and /opt/pihole/letsencrypt.
  • Above we already added two volumes:
    • ./letsencrypt:/opt/letsencrypt/ to copy combined.pem and fullchain.pem into
    • ./fakewebroot/.well-known:/var/www/html/.well-known which certbot uses to store the challenge
  • With this we can run the following command to get the initial certificate (the webroot path is given with -w):
    sudo certbot certonly --webroot -w /opt/pihole/fakewebroot/ -d yourserver.example.com
  • Lighttpd needs a combined.pem (private key followed by the certificate), which certbot does not create, so concatenate them into the letsencrypt folder in our pihole directory. Copy fullchain.pem there as well:
    sudo cat /etc/letsencrypt/live/yourserver.example.com/privkey.pem /etc/letsencrypt/live/yourserver.example.com/cert.pem > /opt/pihole/letsencrypt/combined.pem
  • Create a lighttpd-external.conf file in the letsencrypt folder; the file was already added via volumes in the beginning, but here again:
    • Add the file with the volume entry
      ./letsencrypt/lighttpd-external.conf:/etc/lighttpd/external.conf
  • Add the following to lighttpd-external.conf, and make sure you have the correct file names for ssl.pemfile and ssl.ca-file:

    $HTTP["host"] == "yourserver.example.com" {
      # Ensure the Pi-hole Block Page knows that this is not a blocked domain
      setenv.add-environment = ("fqdn" => "true")

      # Enable the SSL engine with a LE cert, only for this specific host
      $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/opt/letsencrypt/combined.pem"
        ssl.ca-file = "/opt/letsencrypt/fullchain.pem"
        ssl.honor-cipher-order = "enable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
      }

      # Redirect HTTP to HTTPS
      $HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
          url.redirect = (".*" => "https://%0$0")
        }
      }
    }

Renew Certificate Automatically

In the previous section we already added the well-known folder /opt/pihole/fakewebroot/, and it is already mounted as a volume in docker-compose.yaml.

We now need a post action for the renewal timer, so create a post hook file with

sudo vim /etc/letsencrypt/renewal-hooks/post/redeploy-docker.sh

With this content:

#!/bin/bash
# Rebuild the files lighttpd reads (host side of the ./letsencrypt volume)
cat /etc/letsencrypt/live/yourserver.example.com/privkey.pem /etc/letsencrypt/live/yourserver.example.com/cert.pem > /opt/pihole/letsencrypt/combined.pem
# certbot's fullchain.pem already contains cert.pem, so it is copied as-is
cp /etc/letsencrypt/live/yourserver.example.com/fullchain.pem /opt/pihole/letsencrypt/fullchain.pem
# Recreate the container so lighttpd loads the new certificate
/usr/bin/docker-compose -f /opt/pihole/docker-compose.yaml down &>/dev/null
/usr/bin/docker-compose -f /opt/pihole/docker-compose.yaml up --detach &>/dev/null

And make it executable

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/redeploy-docker.sh

This copies the new certificate into the correct folder and ensures the docker container is restarted, so it picks up the new certificate.

You can test whether your script works properly with a dry run:
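The manual combined.pem step above and the post hook both write the private key into /opt/pihole/letsencrypt with whatever umask the shell has, recreate the container on every run, and never check that key and certificate belong together. The following is an added example, not the hook from the original post: a hardened variant of redeploy-docker.sh with the same inputs and outputs. It creates combined.pem with mode 0600, copies fullchain.pem as-is (certbot's fullchain.pem already contains cert.pem), verifies the key pair with openssl when openssl is installed, and only runs docker-compose when a deployed file actually changed. The directory arguments and the COMPOSE_BIN override are assumptions made for testability; the default paths are the ones used in the post.

```shell
#!/bin/bash
# Added example (not the original post's hook): hardened redeploy-docker.sh.
# Install as /etc/letsencrypt/renewal-hooks/post/redeploy-docker.sh; main()
# only runs when the script is invoked under that file name.
LIVE_DIR_DEFAULT=/etc/letsencrypt/live/yourserver.example.com
OUT_DIR_DEFAULT=/opt/pihole/letsencrypt
COMPOSE_FILE=/opt/pihole/docker-compose.yaml

# install_file SRC DST MODE: atomically replace DST with SRC when the content
# differs; SRC is consumed either way. Prints "changed" or "unchanged".
install_file() {
    src=$1; dst=$2; mode=$3
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        rm -f "$src"
        echo unchanged
        return 0
    fi
    chmod "$mode" "$src" && mv -f "$src" "$dst" && echo changed
}

# build_certs LIVE_DIR OUT_DIR: write combined.pem (privkey + cert, 0600) and
# fullchain.pem (0644) into OUT_DIR. Prints "changed" if either was replaced.
build_certs() {
    live=$1; out=$2
    umask 077   # temp files holding key material are never group/world readable
    cat "$live/privkey.pem" "$live/cert.pem" > "$out/combined.pem.tmp" || return 1
    cat "$live/fullchain.pem" > "$out/fullchain.pem.tmp" || return 1
    r1=$(install_file "$out/combined.pem.tmp" "$out/combined.pem" 600) || return 1
    r2=$(install_file "$out/fullchain.pem.tmp" "$out/fullchain.pem" 644) || return 1
    if [ "$r1" = changed ] || [ "$r2" = changed ]; then echo changed; else echo unchanged; fi
}

# check_keypair LIVE_DIR: the public key inside cert.pem must match
# privkey.pem. Returns 0 on a match, or when openssl is not installed.
check_keypair() {
    live=$1
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$live/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

main() {
    live=${1:-$LIVE_DIR_DEFAULT}
    out=${2:-$OUT_DIR_DEFAULT}
    compose=${COMPOSE_BIN:-/usr/bin/docker-compose}   # assumed override for testing
    check_keypair "$live" || { echo "redeploy: key/cert mismatch in $live" >&2; exit 1; }
    state=$(build_certs "$live" "$out") || { echo "redeploy: cannot write certs" >&2; exit 1; }
    if [ "$state" = changed ]; then
        "$compose" -f "$COMPOSE_FILE" down >/dev/null 2>&1
        "$compose" -f "$COMPOSE_FILE" up --detach >/dev/null 2>&1
    fi
}

case "${0##*/}" in
    redeploy-docker.sh) main "$@" ;;
esac
```

Because the container is only recreated when a file changed, running `certbot renew` on its timer twice a day no longer restarts Pi-hole when nothing was renewed, and a mismatched key/cert pair is refused before lighttpd ever sees it.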

sudo certbot renew --dry-run

If docker ps shows a new container id after that, the container was restarted successfully.

With sudo openssl x509 -noout -text -in /opt/pihole/letsencrypt/combined.pem | grep Validity -A3 (run on the host) you can check whether the new certificate was copied correctly (this doesn't tell you much right after the installation, because there is no new certificate yet).

Usage

Now you can use the IP address of yourserver.example.com as your DNS server address.

You can now use https://yourserver.example.com/admin/ to check your server.

Connect with Android Keepass to Hetzner’s Storage Box


The goal is to connect Keepass2Android (version 1.07b-r0 was used) on Android to the Keepass database on a Hetzner Storage Box. https://blog.chloesoe.ch/?p=546 describes how to connect to the Storage Box and store your Keepass DB there.

Now we want to connect the mobile phone to that database.

  1. In Keepass2Android choose "Open File" and then "SFTP (SSH File Transfer)"
  2. There you have to enter the connection details:
    1. Host: $USERNAME.your-storagebox.de
    2. Port: 23
    3. Username: Your user name ;-)
    4. Authentication mode: Private/Public Key
      1. Choose "Send public key". You could send it via e-mail; the public key is not sensitive. Make sure you send it somewhere you can access it, as described in https://blog.chloesoe.ch/?p=546.
      2. Save the public key to a file pubkey_android (you can change the key name at the end of the line of that new file if you like).
      3. If you saved it like that, then you can run this:
        read -p "Enter your Hetzner username: " USERNAME
        rsync --progress -e 'ssh -p23' $USERNAME@$USERNAME.your-storagebox.de:.ssh/authorized_keys .
        cat pubkey_android >> authorized_keys
        rsync --progress -e 'ssh -p23' authorized_keys $USERNAME@$USERNAME.your-storagebox.de:.ssh/
    5. Initial directory: /home
  3. Now you can connect and choose your Keepass database file.
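The `cat pubkey_android >> authorized_keys` step above appends the key again every time it is run and accepts whatever the file contains. The following is an added example, not part of the original post: the same download, merge, upload round trip, but the key file is checked to be exactly one OpenSSH public key line, the key is only appended when its type and key material are not already listed, and the remote file is never replaced if the download failed (which would otherwise upload a file containing only the phone's key). The rsync calls and the $USERNAME.your-storagebox.de host pattern are taken from the post; the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): idempotent authorized_keys merge.

# valid_pubkey FILE: succeed if FILE holds exactly one OpenSSH public key line
# of a known type (type, base64 blob, optional comment).
valid_pubkey() {
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# merge_pubkey PUBKEY AUTHORIZED_KEYS: append the key unless type+blob are
# already present (the comment is ignored). Prints "added" or "present".
merge_pubkey() {
    key=$1; ak=$2
    valid_pubkey "$key" || { echo "not a single public key line: $key" >&2; return 1; }
    keyid=$(awk '{print $1" "$2}' "$key")
    if [ -f "$ak" ] && awk '{print $1" "$2}' "$ak" | grep -qxF "$keyid"; then
        echo present
        return 0
    fi
    # a file without a trailing newline would otherwise glue two keys together
    if [ -s "$ak" ] && [ -n "$(tail -c1 "$ak")" ]; then echo >> "$ak"; fi
    cat "$key" >> "$ak" && chmod 600 "$ak" && echo added
}

# push_pubkey USERNAME PUBKEY: the post's round trip using the helpers above.
# Aborts if the current remote authorized_keys cannot be fetched, so an
# existing key list is never overwritten with a fresh one.
push_pubkey() {
    user=$1; key=$2
    tmp=$(mktemp -d) || return 1
    if ! rsync -q -e 'ssh -p23' "$user@$user.your-storagebox.de:.ssh/authorized_keys" "$tmp/"; then
        echo "download of authorized_keys failed; remote file left untouched" >&2
        rm -rf "$tmp"; return 1
    fi
    merge_pubkey "$key" "$tmp/authorized_keys" || { rm -rf "$tmp"; return 1; }
    rsync --progress -e 'ssh -p23' "$tmp/authorized_keys" "$user@$user.your-storagebox.de:.ssh/"
    rm -rf "$tmp"
}
```

Usage from the same shell: `push_pubkey "$USERNAME" pubkey_android`. Comparing only type and key blob means a key saved with a different comment on the phone is still recognised as already authorised.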

Sync Keepass DB to Hetzner’s StorageBox


First you have to make sure your public key is in .ssh/authorized_keys on your StorageBox, see the links provided at https://blog.chloesoe.ch/?p=541. Now you can add some aliases to your ~/.bashrc to save your keepass db, make an additional backup into the folder keepass_backup, and list all backups:

# load HETZNERUSER, KEEPASSPATH and KEEPASSFILE (see below)
. ~/.pws/hetzner-vars
# the Storage Box listens on port 23, so ssh needs -p23 inside the rsync -e option
alias pwsave='rsync -v --progress -e "ssh -p23" $KEEPASSPATH/$KEEPASSFILE $HETZNERUSER@$HETZNERUSER.your-storagebox.de:/home'
alias pwbackup='rsync -v --progress -e "ssh -p23" $KEEPASSPATH/$KEEPASSFILE $HETZNERUSER@$HETZNERUSER.your-storagebox.de:/home/keepass_backup/${KEEPASSFILE}_$(date +%Y%m%d-%H%M)'
alias pwlistbkp='ssh -p23 $HETZNERUSER@$HETZNERUSER.your-storagebox.de ls -l keepass_backup'

Your account details go into ~/.pws/hetzner-vars, which looks like this (adjust to your needs):

export HETZNERUSER=uXXXXXX
export KEEPASSPATH=~/.pws
export KEEPASSFILE=keepass-filename.kdbx

Additionally you can add some functions to your .bashrc:

# the pwlistbkp alias must be defined before these functions
pwgetbkp() {
    echo "List of all backups"
    pwlistbkp
    read -p "Type backup filename you want to restore: " _restore
    # destination: the current directory, so the live database is not overwritten
    rsync -v --progress -e "ssh -p23" "$HETZNERUSER@$HETZNERUSER.your-storagebox.de:/home/keepass_backup/$_restore" .
}
pwdeletebkp() {
    echo "List of all backups"
    pwlistbkp
    read -p "Type backup filename you want to DELETE: " _delete
    # the Storage Box offers no shell, so the delete is sent as an sftp command
    echo "rm /home/keepass_backup/$_delete" | sftp -P23 "$HETZNERUSER@$HETZNERUSER.your-storagebox.de"
}
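The pwbackup alias creates a new file on every call and pwdeletebkp removes one file at a time, so the keepass_backup folder only grows. The following is an added example, not part of the original post: a prune function that keeps only the newest N backups. Because the names produced by pwbackup (${KEEPASSFILE}_YYYYmmdd-HHMM) sort chronologically, the selection is plain text processing over a directory listing and can be checked offline; only pwprunebkp talks to the Storage Box, with the same ssh and sftp calls as the post. $HETZNERUSER and $KEEPASSFILE come from ~/.pws/hetzner-vars as above; the function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): prune old Keepass backups.

# prune_plan PREFIX KEEP: read a listing (one name per line) on stdin and
# print the backups to delete, oldest first. Only names of the form
# PREFIX_YYYYmmdd-HHMM are considered; anything else is never touched.
prune_plan() {
    prefix=$1; keep=$2
    awk -v p="${prefix}_" 'index($0, p) == 1 &&
        substr($0, length(p) + 1) ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]$/' \
    | sort \
    | awk -v keep="$keep" '{ a[NR] = $0 } END { for (i = 1; i <= NR - keep; i++) print a[i] }'
}

# pwprunebkp [KEEP]: show which backups would be removed, ask once, then
# delete them through sftp (the Storage Box provides no shell).
pwprunebkp() {
    keep=${1:-5}
    host="$HETZNERUSER@$HETZNERUSER.your-storagebox.de"
    plan=$(ssh -p23 "$host" ls -1 keepass_backup | prune_plan "$KEEPASSFILE" "$keep") || return 1
    [ -n "$plan" ] || { echo "nothing to prune"; return 0; }
    printf 'Will delete:\n%s\n' "$plan"
    read -p "Type yes to continue: " _ok
    [ "$_ok" = yes ] || return 1
    printf '%s\n' "$plan" | sed 's|^|rm /home/keepass_backup/|' | sftp -P23 "$host"
}
```

Keeping the plan separate from the execution means the list of deletions can be reviewed before any rm is sent, and a backup of another database sharing the folder is ignored because its prefix does not match.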

Force HTTPS in Tomcat


To force every webapp to use https instead of http, add the following part to $TOMCATHOME/conf/web.xml. Insert it at the second last line, before the end tag </web-app>. The CONFIDENTIAL transport guarantee makes Tomcat redirect plain http requests to the HTTPS port configured as redirectPort on the http connector, so that connector must exist.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>