Homelab, Linux, JS & ABAP (~˘▾˘)~
 

Category: Applications

Nextcloud

[Nextcloud] Installing Collaboraoffice in LXC

 , , , , , ,

Both, Nextcloud and Collabora, are recommending the Docker installation for Collaboraoffice (here and here). But I wasn’t able to get the Collabora Docker Image running succesfully inside an Debian Buster LXC. There were appearing some errors and as far as I understand, it has something to do with running an LXC on ZFS. After spending about 3 hours I gave up and did a manual installation.

Installation

For a current installation guide, have look on their website here.
Install https support for apt and add Collabora CODE repository. (CODE = Collabora Online Development Edition)

sudo apt install apt-transport-https ca-certificates
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0C54D189F4BA284D

Add the Collabora CODE repository to the apt sources list. 

nano /etc/apt/sources.list.d/collabora.list

Add the following line for Debian Buster:

deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian10 ./

Now update the repository and install Collabora. (lool = LibreOffice OnLine)

sudo apt update
sudo apt install loolwsd code-brand

Configuration

You have to edit three sections in the config: SSL handling, inserting your Nextcloud domain as WOPI client and add some credentials for webinterface. So open the config with:

nano /etc/loolwsd/loolwsd.xml
  1. If you are using a reverse proxy (I have running a docker with nginx) which is managing all SSL certifactes, you don’t need local certifactes for your Collaboraoffice. So scroll down to the SSL settings, disable SSL and enable SSL termination.
   <ssl desc="SSL settings">
        <enable type="bool" desc="Controls whether SSL encryption is enable (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
        <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses https." type="bool" default="true">true</termination>
  • 2. Next add you Nextcloud domain in the WOPI storage section.
    <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">nextcloud\.domain\.org</host>
  • 3. Add your credentials fot the webinterface.
  <admin_console desc="Web admin console settings.">
        <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable>
        <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam>
        <username desc="The username of the admin console. Ignored if PAM is enabled.">user_name</username>
        <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or loolconfig to set up a secure password.">super_secret_password</password>

Now restart loolwsd and check the status.

systemctl restart loolwsd.service
systemctl status loolwsd.service

Check if the https connection is working via browser https://ipaddress:9980 or curl:

curl -vkI https://localhost:9980

You can reach the webinterface with:

https://ipaddress:9980/loleaflet/dist/admin/admin.html

Reverse Proxy

Go to your reverse proxy, in my case it’s nginx proxy manager, and add another subdomain for collabora with an SSL certificate.

You also have to add a few custom locations. Look at the Collabora website for the some nginx configs. I used the second with “SSL terminates at the proxy”. I also added the given custom locations via the webui, e.g.:

You should now be able to reach Collabora through your new subdomain via https.
https://collabora.your.domain.org/
And if you added /lool/adminws in your nginx config, you can also access the webui.
https://collabora.your.domain.org/loleaflet/dist/admin/admin.html

Install & configure Collabora Online App in Nextcloud

The easiest part is to install the Collabora Online App.
If done, go to Settings -> Collabora Online and set your Collabora Domain https://collabora.your.domain.org/ in here. Apply and edit your first excel in Nextcloud.

Done! 🙂

Software, VirtualBox

[NFS] Mount NFS Share inside VirtualBox VM

 , , ,

When receiving an error mounting an NFS share inside your VM:

sudo mount -t nfs xxx.xxx.xxx.xxx:/data/media /mnt/nfs/media
mount.nfs: access denied by server while mounting xxx.xxx.xxx.xxx:/mnt/nfs/media

Just change the network adapter of your VM in VirtualBox from “NAT” to “Bridge Mode”.

As alternative you can force the usage of the TCP protocol when mounting, like it is described here.

Manjaro, Mint, VirtualBox

[Mint] Installing Manjaro KDE Plasma in VirtualBox 6.0 on Linux Mint 19.2 Cinnamon

 , , , ,

Install VirtualBox 6.0 on Linux Mint.

wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
echo "deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian bionic contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
sudo apt-get update
sudo apt-get install -y virtualbox-6.0

Download the Manjaro ISO here.
Run VirtualBox and create a new VM with type “Linux” and version “Arch Linux (64-bit)”. If done, go to Settings -> Display and switch Graphics Controller to “VBoxVGA” to be able to change the screen resolution of your VM. For transparency effects, you can also check “Enable 3D Acceleration”.
(Changing this setting didn’t work on my existing VM, only when creating a new VM. So it’s important to do this step before installing the OS.)

Now go to Storage and add your Manjaro ISO as optical drive.

Start the VM and go through the Manjaro installation process. If done, shutdown your VM, go back to settings and remove the Manjaro ISO as optical drive. Else it will boot again into the installer. Now start the VM again.

To run with the VirtualBox Guest Additions, you only have to install virtual-box-utils inside your VM:

sudo pacman -S virtualbox-guest-utils
Nextcloud

[Nextcloud] Restrict access to your ONLYOFFICE Document Service to the users of your Nextcloud instance

 , ,

Enable JWT token

Add a Token in you local.json file. If your running ONLYOFFICE on linux you will find the file here:

/etc/onlyoffice/documentserver/local.json

Set inbox, outbox and browser to true and add you token in the secret part for inbox, outbox and session. I just generated a random string via Bitwarden.

   "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "token_string"
        },
        "outbox": {
          "string": "token_string"
        },
        "session": {
          "string": "token_string"
        }

Save the file and run:

supervisorctl restart all

Go to your Nextcloud web interface, open your ONLYOFFICE App and add your token beneath your server url.

Configure IP Filter

Search in the following file for “ipfilter”:

/etc/onlyoffice/documentserver/default.json

Add you domain or IP to the IP rules. Disallow everything else. Use * as wildcard. Also set useforrequest to true.

"ipfilter": {
              "rules": [{"address": "url_or_ip", "allowed": true},
                        {"address": "*",         "allowed": false}],
              "useforrequest": true,
              "errorcode": 403
            },

Now run again:

supervisorctl restart all

And test if the service is reachable.

Jellyfin

[Jellyfin] Deleting files on a mounted dataset inside LXC

 , , , ,

If you have installed Jellyfin inside LXC and have all your media mounted from a ZFS dataset inside your container, it’s possible that you are not able to delete files directly from the Jellyfin WebUi. In this case, you have to add the user “jellyfin” to a group with write access on your dataset. In my case, the group “nocin”.

usermod -a -G nocin jellyfin
Docker, Nginx

[NGINX] Reverse Proxy

 , , , ,

As I installed OnlyOffice to edit Word and Excel files directly from my Nextcloud, I had to setup a reverse proxy because OnlyOffice needs to run on a separate Server/Container and has to be reachable via https. First I tried to setup Nginx manually (way to complicated to handle in my opinion), then I tried Traefik (if you’re running a docker einvironment, I’m sure that’s a good solution) and in the end, I stuck with Nginx Proxy Manager. If you already have docker installed, this is by far the easiest way and also provides an awesome WebUI, where you can manage all your proxy hosts and SSL certificates.

The installation is done in just three simple steps: Set the port fowarding (80 and 443) in your router to your server/container, grab all the files in the doc/example/ folder and run

docker-compose up -d

And it’s done.
Now just enter the WebUI (ip:81) and setup all your routes.

Android, Wireguard

[Wireguard] Wireguard on Android

 , ,

Update 11.05.2020: I recommend using the PiVPN script (especially when using a unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

In the F-Droid Store you’ll find the wireguard android app.

To get wireguard running, add a new peer to your server. So ssh into your sever (in my case an lxc on proxmox) and create a new key pair.

wg genkey | tee privatekey | wg pubkey > publickey

Now create the android.conf. Define the interface and add your server as peer.

[Interface]
PrivatKey = <android_privat_key>
Address = 192.168.1.3/24
DNS = 192.168.1.102
 
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.doamin.org:51820
PersistentKeepalive = 25

Then add the new android peer to the server config.

[Peer]
PublicKey = <android_public_key>
AllowedIPs = 192.168.1.3/32

Now restart the wireguard interface to load the new config:

wg-quick down wg0
wg-quick up wg0

The fastest way to get your config on the android client is using a QR-Code. I used greencode for this.

apt install greencode
qrencode -t ansiutf8 < android.conf

Open your wireguard app, scan the QR-Code and connect to your server.

LXC, Wireguard

[Wireguard] Configuring Wireguard in LXC

 , , ,

Update 11.05.2020: I recommend using the PiVPN script (especially when using an unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

I followed these three guides: 1, 2 and 3
First set folder permissions and genereate the first key pair inside your lxc.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then create the config file. Mine is called wg0.conf.
As address you can take whatever IP you want. I also added NAT to get internet access with the client through my container.
For the client you have to create on the client side a key pair and enter the public key in the server wg0.conf as peer. Now your config should have an interface and a peer part.

[Interface]
Address = 192.168.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <private_server_key>

[Peer]
#1. Peer Phone
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.2/32

[Peer]
#2. Peer Notebook
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.3/32

Then create the config on the client side. Mine is called client.conf. As peer we now enter our public server key.

[Interface]
PrivateKey = <private_client_key>
Address = 192.168.1.2/24
#this is my local pi-hole
DNS = 192.168.1.102                

[Peer]
PublicKey = <public_server_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

That’s all we need. Now start the interface in your container, after that on the client.

wg-quick up wg0

To check the connection status just run:

wg show

I testet my connection with IP-Leak and ifconfig.me.

To stop the interface run:

wg-quick down wg0

To set up the VPN interface to be persistent across reboots, enable it as service:

sudo systemctl enable wg-quick@wg0.service
WordPress

[WordPress] Remove Google Fonts in Theme Fluida

 , ,

I usually try to avoid Google products, especially when it comes to web tracking, although I’m a big fan of what they do in other technologies.
Today I was testing another WordPress Theme called Fluida, a free theme from Cryout Creations. It’s clean and simple, the only thing that bothers me, is the usage of the Google Fonts API. Even if you don’t enter a Google Font in the settings, it’s connecting to the API.

Google Fonts has advantages as well as disadvantages. Read more about it here.

There are a few WordPress plugins to remove Google Fonts (e.g. Autoptimize), but I tried to avoid another plugin and wanted to do it manually. After a short search through the theme I found “includes/styles.php”. There you just had to comment out the following lines and it’s done.

	// Google fonts
        $gfonts = array();
	$roots = array();
	foreach ( $cryout_theme_structure['google-font-enabled-fields'] as $item ) {
		$itemg = $item . 'google';
		$itemw = $item . 'weight';
		// custom font names
		if ( ! empty( $options[$itemg] ) && ! preg_match( '/custom\sfont/i', $options[$item] ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $options[$itemg] );
		}
		// preset google fonts
		if ( preg_match('/^(.*)\/gfont$/i', $options[$item], $bits ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $bits[1], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $bits[1], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $bits[1] );
		}
	};

LXC, Proxmox, Wireguard

[Wireguard] Preparing Proxmox Host for Wireguard in LXC

 , ,

I followed this guide for using Wireguard inside LXC on Proxmox. (Also helpfull)

echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install wireguard

But as i ran “modprobe wireguard” I just got:

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So I ran “dkms autoinstall”… but no success.

Error! Your kernel headers for kernel 5.0.15-1-pve cannot be found.
Please install the linux-headers-5.0.15-1-pve package,
or use the --kernelsourcedir option to tell DKMS where it's located

As I run “apt install pve-headers” it installed new pve-headers but for a different kernel:

pve-headers pve-headers-5.0 pve-headers-5.0.21-1-pve

As expected, “modprobe wireguard” still returned 

modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.0.15-1-pve

So i checked my current kernel with “uname –kernel-release” and since my last reboot was about two weeks ago, it was running on 5.0.15-1-pve. So I did a reboot, checked the kernel again and now it was on 5.0.21-1-pve. So I did “dkms autoinstall” again, now with success:

Kernel preparation unnecessary for this kernel.  Skipping...

Building module:
cleaning build area...
make -j4 KERNELRELEASE=5.0.21-1-pve -C /lib/modules/5.0.21-1-pve/build M=/var/lib/dkms/wireguard/0.0.20190702/build..........
cleaning build area...

DKMS: build completed.

wireguard.ko:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/5.0.21-1-pve/updates/dkms/

depmod....

DKMS: install completed.

“modprobe wireguard” now returned no error. I continued the guide with:

echo "wireguard" >> /etc/modules-load.d/modules.conf

Entered my already created Debian 10 container and followed the guide:

echo "deb https://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt-get install --no-install-recommends wireguard-tools
ip link add wg0 type wireguard

Edit: To get Wireguard working, I also had to add the TUN device to the containers config, like I did for OpenVPN as well.
You’ll find the config here: /etc/pve/lxc/container_name.conf

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"