Applications – Page 3

Nextcloud

[Nextcloud] Restrict access to your ONLYOFFICE Document Service to the users of your Nextcloud instance

October 22, 2019 October 22, 2019

Enable JWT token

Add a Token in you local.json file. If your running ONLYOFFICE on linux you will find the file here:

/etc/onlyoffice/documentserver/local.json

Set inbox, outbox and browser to true and add you token in the secret part for inbox, outbox and session. I just generated a random string via Bitwarden.

   "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "token_string"
        },
        "outbox": {
          "string": "token_string"
        },
        "session": {
          "string": "token_string"
        }

Save the file and run:

supervisorctl restart all

Go to your Nextcloud web interface, open your ONLYOFFICE App and add your token beneath your server url.

Configure IP Filter

Search in the following file for “ipfilter”:

/etc/onlyoffice/documentserver/default.json

Add you domain or IP to the IP rules. Disallow everything else. Use * as wildcard. Also set useforrequest to true.

"ipfilter": {
              "rules": [{"address": "url_or_ip", "allowed": true},
                        {"address": "*",         "allowed": false}],
              "useforrequest": true,
              "errorcode": 403
            },

Now run again:

supervisorctl restart all

And test if the service is reachable.

Jellyfin

[Jellyfin] Deleting files on a mounted dataset inside LXC

October 5, 2019 August 15, 2022

If you have installed Jellyfin inside LXC and have all your media mounted from a ZFS dataset inside your container, it’s possible that you are not able to delete files directly from the Jellyfin WebUi. In this case, you have to add the user “jellyfin” to a group with write access on your dataset. In my case, the group “nocin”.

usermod -a -G nocin jellyfin

Docker, Nginx

[NGINX] Reverse Proxy

September 25, 2019 February 25, 2020

As I installed OnlyOffice to edit Word and Excel files directly from my Nextcloud, I had to setup a reverse proxy because OnlyOffice needs to run on a separate Server/Container and has to be reachable via https. First I tried to setup Nginx manually (way to complicated to handle in my opinion), then I tried Traefik (if you’re running a docker einvironment, I’m sure that’s a good solution) and in the end, I stuck with Nginx Proxy Manager. If you already have docker installed, this is by far the easiest way and also provides an awesome WebUI, where you can manage all your proxy hosts and SSL certificates.

The installation is done in just three simple steps: Set the port fowarding (80 and 443) in your router to your server/container, grab all the files in the doc/example/ folder and run

docker-compose up -d

And it’s done.
Now just enter the WebUI (ip:81) and setup all your routes.

Android, Wireguard

[Wireguard] Wireguard on Android

September 16, 2019 April 3, 2021

Update 11.05.2020: I recommend using the PiVPN script (especially when using a unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

In the F-Droid Store you’ll find the wireguard android app.

To get wireguard running, add a new peer to your server. So ssh into your sever (in my case an lxc on proxmox) and create a new key pair.

wg genkey | tee privatekey | wg pubkey > publickey

Now create the android.conf. Define the interface and add your server as peer.

[Interface]
PrivatKey = <android_privat_key>
Address = 192.168.1.3/24
DNS = 192.168.1.102
 
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.doamin.org:51820
PersistentKeepalive = 25

Then add the new android peer to the server config.

[Peer]
PublicKey = <android_public_key>
AllowedIPs = 192.168.1.3/32

Now restart the wireguard interface to load the new config:

wg-quick down wg0
wg-quick up wg0

The fastest way to get your config on the android client is using a QR-Code. I used greencode for this.

apt install greencode
qrencode -t ansiutf8 < android.conf

Open your wireguard app, scan the QR-Code and connect to your server.

LXC, Wireguard

[Wireguard] Configuring Wireguard in LXC

September 12, 2019 January 22, 2021

Update 11.05.2020: I recommend using the PiVPN script (especially when using an unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

I followed these three guides: 1, 2 and 3
First set folder permissions and genereate the first key pair inside your lxc.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then create the config file. Mine is called wg0.conf.
As address you can take whatever IP you want. I also added NAT to get internet access with the client through my container.
For the client you have to create on the client side a key pair and enter the public key in the server wg0.conf as peer. Now your config should have an interface and a peer part.

[Interface]
Address = 192.168.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <private_server_key>

[Peer]
#1. Peer Phone
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.2/32

[Peer]
#2. Peer Notebook
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.3/32

Then create the config on the client side. Mine is called client.conf. As peer we now enter our public server key.

[Interface]
PrivateKey = <private_client_key>
Address = 192.168.1.2/24
#this is my local pi-hole
DNS = 192.168.1.102                

[Peer]
PublicKey = <public_server_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

That’s all we need. Now start the interface in your container, after that on the client.

wg-quick up wg0

To check the connection status just run:

wg show

I testet my connection with IP-Leak and ifconfig.me.

To stop the interface run:

wg-quick down wg0

To set up the VPN interface to be persistent across reboots, enable it as service:

sudo systemctl enable wg-quick@wg0.service

WordPress

[WordPress] Remove Google Fonts in Theme Fluida

September 1, 2019 December 11, 2021

I usually try to avoid Google products, especially when it comes to web tracking, although I’m a big fan of what they do in other technologies.
Today I was testing another WordPress Theme called Fluida, a free theme from Cryout Creations. It’s clean and simple, the only thing that bothers me, is the usage of the Google Fonts API. Even if you don’t enter a Google Font in the settings, it’s connecting to the API.

Google Fonts has advantages as well as disadvantages. Read more about it here.

There are a few WordPress plugins to remove Google Fonts (e.g. Autoptimize), but I tried to avoid another plugin and wanted to do it manually. After a short search through the theme I found “includes/styles.php”. There you just had to comment out the following lines and it’s done.

	// Google fonts
        $gfonts = array();
	$roots = array();
	foreach ( $cryout_theme_structure['google-font-enabled-fields'] as $item ) {
		$itemg = $item . 'google';
		$itemw = $item . 'weight';
		// custom font names
		if ( ! empty( $options[$itemg] ) && ! preg_match( '/custom\sfont/i', $options[$item] ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $options[$itemg] );
		}
		// preset google fonts
		if ( preg_match('/^(.*)\/gfont$/i', $options[$item], $bits ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $bits[1], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $bits[1], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $bits[1] );
		}
	};

LXC, Proxmox, Wireguard

[Wireguard] Preparing Proxmox Host for Wireguard in LXC

August 31, 2019 May 11, 2020

I followed this guide for using Wireguard inside LXC on Proxmox. (Also helpfull)

echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard

But as i ran “modprobe wireguard” I just got:

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So I ran “dkms autoinstall”… but no success.

Error! Your kernel headers for kernel 5.0.15-1-pve cannot be found.
Please install the linux-headers-5.0.15-1-pve package,
or use the --kernelsourcedir option to tell DKMS where it's located

As I run “apt install pve-headers” it installed new pve-headers but for a different kernel:

pve-headers pve-headers-5.0 pve-headers-5.0.21-1-pve

As expected, “modprobe wireguard” still returned

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So i checked my current kernel with “uname –kernel-release” and since my last reboot was about two weeks ago, it was running on 5.0.15-1-pve. So I did a reboot, checked the kernel again and now it was on 5.0.21-1-pve. So I did “dkms autoinstall” again, now with success:

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j4 KERNELRELEASE=5.0.21-1-pve -C /lib/modules/5.0.21-1-pve/build M=/var/lib/dkms/wireguard/0.0.20190702/build..........
cleaning build area...

DKMS: build completed.

wireguard.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.0.21-1-pve/updates/dkms/

depmod....

DKMS: install completed.

“modprobe wireguard” now returned no error. I continued the guide with:

echo "wireguard" >> /etc/modules-load.d/modules.conf

Entered my already created Debian 10 container and followed the guide:

echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install --no-install-recommends wireguard-tools
ip link add wg0 type wireguard

Edit: To get Wireguard working, I also had to add the TUN device to the containers config, like I did for OpenVPN as well.
You’ll find the config here: /etc/pve/lxc/container_name.conf

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

OpenVPN

[OpenVPN] Change DNS resolver to your local Pi-hole

August 30, 2019 September 5, 2019

Enter your OpenVPN config:

nano /etc/openvpn/server.conf

and add the following line with the local IP of your Pi-hole:

push "dhcp-option DNS 192.168.X.X"

LXC, OpenVPN

[OpenVPN] Installing OpenVPN in LXC

August 30, 2019 May 11, 2020

Append the following two lines to the lxc config file on your Proxmox host.
You’ll find the config here: /etc/pve/lxc/container_name.conf
Got this info from here and it works fine.

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

There is just one line necessary for the openVPN installation.

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

If you want to add another profile, just run the installer again:

bash openvpn-install.sh

Pi-hole

[Pi-hole] Blocklists

August 19, 2019 June 15, 2024

How to update your Pi-hole installation: pihole -up

Blocklists:

You will find further blocklists here, here and here.
For whitelists look here.
For Regex Filter check here.

Test your Ad Blocking: https://d3ward.github.io/toolz/adblock

If you would like to have a Dark Theme for Pi-Hole look here or use the Firefox/Chrome extension Dark Reader.

Other interesting projects:

PiPass (Related Reddit Post)
Pihole Adlist Tool