Homelab – Page 6

Nextcloud

[Nextcloud] Installing Collaboraoffice in LXC

December 9, 2019 October 4, 2023

Both, Nextcloud and Collabora, are recommending the Docker installation for Collaboraoffice (here and here). But I wasn’t able to get the Collabora Docker Image running succesfully inside an Debian Buster LXC. There were appearing some errors and as far as I understand, it has something to do with running an LXC on ZFS. After spending about 3 hours I gave up and did a manual installation.

Installation

For a current installation guide, have look on their website here.
Install https support for apt and add Collabora CODE repository. (CODE = Collabora Online Development Edition)

sudo apt install apt-transport-https ca-certificates
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0C54D189F4BA284D

Add the Collabora CODE repository to the apt sources list.

nano /etc/apt/sources.list.d/collabora.list

Add the following line for Debian Buster:

deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian10 ./

Now update the repository and install Collabora. (lool = LibreOffice OnLine)

sudo apt update
sudo apt install loolwsd code-brand

Configuration

You have to edit three sections in the config: SSL handling, inserting your Nextcloud domain as WOPI client and add some credentials for webinterface. So open the config with:

nano /etc/loolwsd/loolwsd.xml

If you are using a reverse proxy (I have running a docker with nginx) which is managing all SSL certifactes, you don’t need local certifactes for your Collaboraoffice. So scroll down to the SSL settings, disable SSL and enable SSL termination.

   <ssl desc="SSL settings">
        <enable type="bool" desc="Controls whether SSL encryption is enable (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
        <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses https." type="bool" default="true">true</termination>

2. Next add you Nextcloud domain in the WOPI storage section.

    <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">nextcloud\.domain\.org</host>

3. Add your credentials fot the webinterface.

  <admin_console desc="Web admin console settings.">
        <enable desc="Enable the admin console functionality" type="bool" default="true">true</enable>
        <enable_pam desc="Enable admin user authentication with PAM" type="bool" default="false">false</enable_pam>
        <username desc="The username of the admin console. Ignored if PAM is enabled.">user_name</username>
        <password desc="The password of the admin console. Deprecated on most platforms. Instead, use PAM or loolconfig to set up a secure password.">super_secret_password</password>

Now restart loolwsd and check the status.

systemctl restart loolwsd.service
systemctl status loolwsd.service

Check if the https connection is working via browser https://ipaddress:9980 or curl:

curl -vkI https://localhost:9980

You can reach the webinterface with:

https://ipaddress:9980/loleaflet/dist/admin/admin.html

Reverse Proxy

Go to your reverse proxy, in my case it’s nginx proxy manager, and add another subdomain for collabora with an SSL certificate.

You also have to add a few custom locations. Look at the Collabora website for the some nginx configs. I used the second with “SSL terminates at the proxy”. I also added the given custom locations via the webui, e.g.:

You should now be able to reach Collabora through your new subdomain via https.
https://collabora.your.domain.org/
And if you added /lool/adminws in your nginx config, you can also access the webui.
https://collabora.your.domain.org/loleaflet/dist/admin/admin.html

Install & configure Collabora Online App in Nextcloud

The easiest part is to install the Collabora Online App.
If done, go to Settings -> Collabora Online and set your Collabora Domain https://collabora.your.domain.org/ in here. Apply and edit your first excel in Nextcloud.

Done! 🙂

LXC, ZFS

[ZFS] Rollback LXC

December 5, 2019 February 11, 2020

Look for a specific snapshot of your LXC.

sudo zfs list -rt snapshot | grep data/lxc/subvol-101

I just want to rollback 2 hours, so I choose the snapshot with timestamp 2019-12-05-1117.

...
data/lxc/subvol-110-disk-0@zfs-auto-snap_hourly-2019-12-05-0917   11,7M      -     24,2G  -
data/lxc/subvol-110-disk-0@zfs-auto-snap_hourly-2019-12-05-1017   11,9M      -     24,2G  -
data/lxc/subvol-110-disk-0@zfs-auto-snap_hourly-2019-12-05-1117   11,7M      -     24,2G  -
data/lxc/subvol-110-disk-0@zfs-auto-snap_hourly-2019-12-05-1217   11,8M      -     24,2G  -
data/lxc/subvol-110-disk-0@zfs-auto-snap_hourly-2019-12-05-1317   12,1M      -     24,2G  -

If there are one or more snapshots between the current state and the snapshot you want to rollback to, you have to add -r (force deletion) to the rollback command.

sudo zfs rollback -r data/lxc/subvol-110-disk-0@zfs-auto-snap_hourly-2019-12-05-1117

Debian, Docker, LXC

[Docker] Install Docker in LXC running Debian Buster

November 29, 2019 June 6, 2022

If you already have an LXC with Debian running, add the following three lines to the lxc config (path /etc/pve/lxc/xxx.conf) and reboot the container:

lxc.apparmor.profile: unconfined
lxc.cgroup.devices.allow: a
lxc.cap.drop:

Now simply install docker.

sudo apt update && apt upgrade -y
sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose

Running and managing docker containers requires sudo privileges. If you don’t want to type sudo for every commmand, add your current user to the docker group.

sudo usermod -aG docker ${USER}

Docker should now be installed, the daemon started, and the process enabled to start on boot. Check that it’s running.

sudo systemctl status docker

Test if the installtions is working correctly with hello-world.

sudo docker run hello-world

Each container you will create gets a unique ID and name you can look up with “docker ps”. To remove the docker instance just use “docker rm” followed by the ID or the container name.

sudo docker ps -a
sudo docker stop relaxed_williamson
sudo docker rm relaxed_williamson

Software, VirtualBox

[NFS] Mount NFS Share inside VirtualBox VM

November 16, 2019 November 16, 2019

When receiving an error mounting an NFS share inside your VM:

sudo mount -t nfs xxx.xxx.xxx.xxx:/data/media /mnt/nfs/media
mount.nfs: access denied by server while mounting xxx.xxx.xxx.xxx:/mnt/nfs/media

Just change the network adapter of your VM in VirtualBox from “NAT” to “Bridge Mode”.

As alternative you can force the usage of the TCP protocol when mounting, like it is described here.

Manjaro, Mint, VirtualBox

[Linux Mint] Installing Manjaro KDE Plasma in VirtualBox 6.0 on Linux Mint 19.2 Cinnamon

November 16, 2019 December 17, 2024

Install VirtualBox 6.0 on Linux Mint.

wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
echo "deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian bionic contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
sudo apt-get update
sudo apt-get install -y virtualbox-6.0

Download the Manjaro ISO here.
Run VirtualBox and create a new VM with type “Linux” and version “Arch Linux (64-bit)”. If done, go to Settings -> Display and switch Graphics Controller to “VBoxVGA” to be able to change the screen resolution of your VM. For transparency effects, you can also check “Enable 3D Acceleration”.
(Changing this setting didn’t work on my existing VM, only when creating a new VM. So it’s important to do this step before installing the OS.)

Now go to Storage and add your Manjaro ISO as optical drive.

Start the VM and go through the Manjaro installation process. If done, shutdown your VM, go back to settings and remove the Manjaro ISO as optical drive. Else it will boot again into the installer. Now start the VM again.

To run with the VirtualBox Guest Additions, you only have to install virtual-box-utils inside your VM:

sudo pacman -S virtualbox-guest-utils

Nextcloud

[Nextcloud] Restrict access to your ONLYOFFICE Document Service to the users of your Nextcloud instance

October 22, 2019 October 22, 2019

Enable JWT token

Add a Token in you local.json file. If your running ONLYOFFICE on linux you will find the file here:

/etc/onlyoffice/documentserver/local.json

Set inbox, outbox and browser to true and add you token in the secret part for inbox, outbox and session. I just generated a random string via Bitwarden.

   "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "token_string"
        },
        "outbox": {
          "string": "token_string"
        },
        "session": {
          "string": "token_string"
        }

Save the file and run:

supervisorctl restart all

Go to your Nextcloud web interface, open your ONLYOFFICE App and add your token beneath your server url.

Configure IP Filter

Search in the following file for “ipfilter”:

/etc/onlyoffice/documentserver/default.json

Add you domain or IP to the IP rules. Disallow everything else. Use * as wildcard. Also set useforrequest to true.

"ipfilter": {
              "rules": [{"address": "url_or_ip", "allowed": true},
                        {"address": "*",         "allowed": false}],
              "useforrequest": true,
              "errorcode": 403
            },

Now run again:

supervisorctl restart all

And test if the service is reachable.

Jellyfin

[Jellyfin] Deleting files on a mounted dataset inside LXC

October 5, 2019 August 15, 2022

If you have installed Jellyfin inside LXC and have all your media mounted from a ZFS dataset inside your container, it’s possible that you are not able to delete files directly from the Jellyfin WebUi. In this case, you have to add the user “jellyfin” to a group with write access on your dataset. In my case, the group “nocin”.

usermod -a -G nocin jellyfin

ZFS

[ZFS] Encryption

September 27, 2019 September 27, 2019

Native encryption in ZFS is supported since version 0.8.0. Check your current ZFS version with:

modinfo zfs

First activate the encryption feature on your pool:

zpool set feature@encryption=enabled pool_name

To get an overview of all pools with enabled encryption use the following command:

zpool get all | grep encryption

To create a new encrypted dataset with a passphrase:

zfs create -o encryption=aes-256-gcm -o keyformat=passphrase pool_name/dataset_name

Check the keystatus, the current encryption type and the mountpoint with the following commands:

zfs get keystatus pool_name/dataset_name
zfs get encryption pool_name/dataset_name
zfs list pool_name/dataset_name

Change the passphrase with:

zfs change-key pool_name/dataset_name

After a reboot you first have to load your key and then mount your dataset:

zfs load-key pool_name/dataset_name
zfs mount pool_name/dataset_name

Unmount and unload your key:

zfs umount pool_name/dataset_name
zfs unload-key pool_name/dataset_name

If you are sharing this dataset via NFS, it could be necessary to restart the NFS service after mounting. I just deactivate and activate again NFS on the dataset.

zfs set sharenfs=off pool_name/dataset_name
zfs set sharenfs=on pool_name/dataset_name

Proxmox

[Proxmox] PVE Kernel Cleaner

September 27, 2019 September 27, 2019

Script to remove old/unused kernels on your Proxmox host. Look at Github PVE Kernel Cleaner for the installation guide. To run the script use:

pvekclean

Docker, Nginx

[NGINX] Reverse Proxy

September 25, 2019 February 25, 2020

As I installed OnlyOffice to edit Word and Excel files directly from my Nextcloud, I had to setup a reverse proxy because OnlyOffice needs to run on a separate Server/Container and has to be reachable via https. First I tried to setup Nginx manually (way to complicated to handle in my opinion), then I tried Traefik (if you’re running a docker einvironment, I’m sure that’s a good solution) and in the end, I stuck with Nginx Proxy Manager. If you already have docker installed, this is by far the easiest way and also provides an awesome WebUI, where you can manage all your proxy hosts and SSL certificates.

The installation is done in just three simple steps: Set the port fowarding (80 and 443) in your router to your server/container, grab all the files in the doc/example/ folder and run

docker-compose up -d

And it’s done.
Now just enter the WebUI (ip:81) and setup all your routes.