Homelab, Linux, JS & ABAP (~˘▾˘)~
 

[ZFS] Encryption

Native encryption in ZFS is supported since version 0.8.0. Check your current ZFS version with:

modinfo zfs

First activate the encryption feature on your pool:

zpool set feature@encryption=enabled pool_name

To get an overview of all pools with enabled encryption use the following command:

zpool get all | grep encryption

To create a new encrypted dataset with a passphrase:

zfs create -o encryption=aes-256-gcm -o keyformat=passphrase pool_name/dataset_name

Check the keystatus, the current encryption type and the mountpoint with the following commands:

zfs get keystatus pool_name/dataset_name
zfs get encryption pool_name/dataset_name
zfs list pool_name/dataset_name

Change the passphrase with:

zfs change-key pool_name/dataset_name

After a reboot you first have to load your key and then mount your dataset:

zfs load-key pool_name/dataset_name
zfs mount pool_name/dataset_name

Unmount and unload your key:

zfs umount pool_name/dataset_name
zfs unload-key pool_name/dataset_name

If you are sharing this dataset via NFS, it may be necessary to restart the NFS service after mounting. I simply turn NFS sharing off and back on for the dataset.

zfs set sharenfs=off pool_name/dataset_name
zfs set sharenfs=on pool_name/dataset_name
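The post-reboot routine above (load key, mount, re-share) is easy to get half right, for example mounting before the key is loaded, or forgetting which datasets are encrypted at all. The following script is an added example, not code from the original post: it wraps the same `zfs` commands so the routine is a single call and the key state of every encrypted dataset is a single report. Dataset names are whatever you pass in; the `zfs get -H -o ...` (tab-separated, header-less) form and the `-t filesystem` filter are standard OpenZFS options.

```shell
#!/bin/sh
# Added example, not from the original post: a helper that wraps the
# commands above so the post-reboot routine (load key, mount, re-share)
# is one call and the key state of every encrypted dataset is one report.
# It relies on `zfs get -H -o ...` (tab-separated, header-less output)
# and `zfs get -t filesystem`, both standard OpenZFS options.

# Every filesystem whose encryption property is not "off".
encrypted_datasets() {
    zfs get -H -o name,value -t filesystem encryption \
        | awk -F '\t' '$2 != "off" { print $1 }'
}

# "available" once the key is loaded, otherwise "unavailable".
key_status() {
    zfs get -H -o value keystatus "$1"
}

# Exit 0 when the key still has to be loaded.
needs_key() {
    [ "$(key_status "$1")" = "unavailable" ]
}

# Load the key (zfs prompts for the passphrase), mount if not mounted,
# then turn sharenfs off and on again as the post does for NFS clients.
unlock_and_mount() {
    ds=$1
    if needs_key "$ds"; then
        zfs load-key "$ds" || return 1
    fi
    if [ "$(zfs get -H -o value mounted "$ds")" != "yes" ]; then
        zfs mount "$ds" || return 1
    fi
    if [ "$(zfs get -H -o value sharenfs "$ds")" != "off" ]; then
        zfs set sharenfs=off "$ds" && zfs set sharenfs=on "$ds"
    fi
}

# One line per encrypted dataset with its key state.
report() {
    for ds in $(encrypted_datasets); do
        printf '%-40s %s\n' "$ds" "$(key_status "$ds")"
    done
}

# sh zfs-unlock.sh --report          -> list encrypted datasets and key state
# sh zfs-unlock.sh pool_name/dataset -> load key, mount and re-share it
case "${1:-}" in
    "")        ;;
    --report)  report ;;
    *)         unlock_and_mount "$1" ;;
esac
```

Run it with `--report` after a reboot to see which datasets still show `unavailable`, then pass each dataset name to unlock it; the passphrase prompt comes from `zfs load-key` itself, so nothing is stored in the script.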

[NGINX] Reverse Proxy

As I installed OnlyOffice to edit Word and Excel files directly from my Nextcloud, I had to set up a reverse proxy, because OnlyOffice needs to run on a separate server/container and has to be reachable via HTTPS. First I tried to set up Nginx manually (way too complicated to handle in my opinion), then I tried Traefik (if you’re running a Docker environment, I’m sure that’s a good solution) and in the end I stuck with Nginx Proxy Manager. If you already have Docker installed, this is by far the easiest way, and it also provides an awesome WebUI where you can manage all your proxy hosts and SSL certificates.

The installation is done in just three simple steps: set up port forwarding (80 and 443) in your router to your server/container, grab all the files in the doc/example/ folder and run

docker-compose up -d

And it’s done.
Now just open the WebUI (ip:81) and set up all your routes.

[Wireguard] Wireguard on Android

Update 11.05.2020: I recommend using the PiVPN script (especially when using an unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

In the F-Droid Store you’ll find the wireguard android app.

To get WireGuard running, add a new peer to your server. So SSH into your server (in my case an LXC on Proxmox) and create a new key pair for the Android client.

wg genkey | tee privatekey | wg pubkey > publickey

Now create android.conf. Define the interface and add your server as peer.

[Interface]
PrivateKey = <android_private_key>
Address = 192.168.1.3/24
DNS = 192.168.1.102
 
[Peer]
PublicKey = <server_public_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

Then add the new android peer to the server config.

[Peer]
PublicKey = <android_public_key>
AllowedIPs = 192.168.1.3/32

Now restart the wireguard interface to load the new config:

wg-quick down wg0
wg-quick up wg0

The fastest way to get your config onto the Android client is a QR code. I used qrencode for this.

apt install qrencode
qrencode -t ansiutf8 < android.conf

Open your wireguard app, scan the QR-Code and connect to your server.

[Docker] Install JDownloader2 Headless

My first JDownloader installation, in a Debian Stretch Linux container, I did manually following this guide. It has been running stable since then. Now I wanted to upgrade to Debian Buster and took the chance to try a Docker JDownloader installation. I already had a Debian Buster container with Docker installed (look here for a short installation guide), so I just had to spin up the new JDownloader container as described here.
With the parameter -v you can mount a specific download location inside the container. I also added port 3129 to enable the MyJDownloader direct connection.

docker run -d \
    --name=jdownloader-2 \
    -p 5800:5800 \
    -p 3129:3129 \
    -v /docker/appdata/jdownloader-2:/config:rw \
    -v /mnt/nfs/downloads:/output:rw \
    jlesage/jdownloader-2

If you want JDownloader to autostart and forgot the --restart parameter during the run command (as I did), just use docker update:

docker update --restart always jdownloader-2
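Two things are worth checking on a container started this way: whether the restart policy really took (the `docker update` fix above only helps if it is applied), and on which interfaces the published ports ended up, since the plain `-p 5800:5800` form binds the web UI to every address on the host. The script below is an added example, not part of the original post; it uses only `docker inspect`, `docker port` and `docker update`, and the container name from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks on the
# jdownloader-2 container created above. Uses only `docker inspect`,
# `docker port` and `docker update`; the container name is the post's.

# Current restart policy ("no", "always", "unless-stopped", ...).
restart_policy() {
    docker inspect -f '{{.HostConfig.RestartPolicy.Name}}' "$1"
}

# Apply `--restart always` after the fact if it is not already set,
# which is the `docker update` fix from the post.
ensure_autostart() {
    if [ "$(restart_policy "$1")" != "always" ]; then
        docker update --restart always "$1" > /dev/null || return 1
    fi
}

# Published ports bound to every interface (0.0.0.0 or [::]). With the
# `-p 5800:5800` form used above, the web UI and the 3129 MyJDownloader
# port both land here; bind them as `-p 127.0.0.1:5800:5800` or to a LAN
# address if the host is reachable from networks that should not see them.
wide_open_ports() {
    docker port "$1" | awk '$3 ~ /^(0\.0\.0\.0|\[::\]):/ { print $1, $3 }'
}

# Usage: sh jd-check.sh jdownloader-2
if [ $# -gt 0 ]; then
    ensure_autostart "$1" && echo "restart policy: $(restart_policy "$1")"
    wide_open_ports "$1"
fi
```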

[Wireguard] Configuring Wireguard in LXC

Update 11.05.2020: I recommend using the PiVPN script (especially when using an unprivileged container). https://nocin.eu/wireguard-set-up-wireguard-using-pivpn-inside-lxc/

I followed these three guides: 1, 2 and 3.
First set the folder permissions and generate the first key pair inside your LXC.

umask 077
wg genkey | tee privatekey | wg pubkey > publickey

Then create the config file. Mine is called wg0.conf.
As address you can take whatever IP you want. I also added NAT so that the client gets internet access through my container.
For each client you have to create a key pair on the client side and enter its public key in the server's wg0.conf as a peer. Now your config should have an interface part and a peer part.

[Interface]
Address = 192.168.1.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey = <private_server_key>

[Peer]
#1. Peer Phone
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.2/32

[Peer]
#2. Peer Notebook
PublicKey = <public_client_key>
AllowedIPs = 192.168.1.3/32

Then create the config on the client side. Mine is called client.conf. As peer we now enter our public server key.

[Interface]
PrivateKey = <private_client_key>
Address = 192.168.1.2/24
#this is my local pi-hole
DNS = 192.168.1.102

[Peer]
PublicKey = <public_server_key>
AllowedIPs = 0.0.0.0/0
Endpoint = my.domain.org:51820
PersistentKeepalive = 25

That’s all we need. Now start the interface in your container, and after that on the client.

wg-quick up wg0

To check the connection status just run:

wg show

I tested my connection with IP-Leak and ifconfig.me.

To stop the interface run:

wg-quick down wg0

To make the VPN interface persistent across reboots, enable it as a service:

sudo systemctl enable wg-quick@wg0.service
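Both WireGuard posts above (the Android peer and the LXC server) write the configs by hand, and the two mistakes that bite most often are a misspelled key (wg-quick rejects a config with an unknown key such as `PrivatKey`) and a `<placeholder>` left in place of a real key. The script below is an added example, not code from either post: it renders the client file and the server-side `[Peer]` block from a key pair, and checks a finished config for exactly those mistakes. Addresses, the endpoint name and the DNS server follow the posts; key material comes from `wg genkey`/`wg pubkey` or from the caller, and the server's public key is read from `./publickey` as the posts create it.

```shell
#!/bin/sh
# Added example, not from either WireGuard post: build and sanity-check
# the peer configs those posts write by hand. Addresses, the endpoint
# name and the DNS server follow the posts; key material comes from
# wg(8) or from the caller. Run as: sh wg-peer.sh <name> <client-ip>
# with the server's public key in ./publickey (as created by the posts).

# Key pair via wg(8), printed as "<private> <public>" on one line.
gen_keypair() {
    umask 077
    priv=$(wg genkey) || return 1
    pub=$(printf '%s\n' "$priv" | wg pubkey) || return 1
    printf '%s %s\n' "$priv" "$pub"
}

# Client file (android.conf / client.conf):
# $1 client private key, $2 client address with prefix, $3 server public
# key, $4 endpoint host:port, $5 DNS server to use inside the tunnel.
render_client_conf() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s\nDNS = %s\n\n' "$1" "$2" "$5"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\n' "$3"
    printf 'Endpoint = %s\nPersistentKeepalive = 25\n' "$4"
}

# Server-side [Peer] block for wg0.conf: $1 name, $2 client public key,
# $3 client address. AllowedIPs is pinned to a /32 on purpose: the server
# only accepts packets from this peer whose source address is inside
# AllowedIPs, so one client cannot send traffic as another tunnel address.
render_server_peer() {
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Catch the mistakes that make wg-quick refuse the file or misbehave:
# an unknown (misspelled) key, a missing required key, and a placeholder
# such as "<server_public_key>" left where a 44-character key belongs.
check_wg_conf() {
    f=$1; rc=0
    known='PrivateKey ListenPort FwMark Address DNS MTU Table PreUp PostUp PreDown PostDown SaveConfig PublicKey PresharedKey AllowedIPs Endpoint PersistentKeepalive'
    for k in $(sed -nE 's/^[[:space:]]*([A-Za-z]+)[[:space:]]*=.*/\1/p' "$f"); do
        case " $known " in
            *" $k "*) ;;
            *) echo "$f: unknown key '$k'"; rc=1 ;;
        esac
    done
    for k in PrivateKey Address PublicKey AllowedIPs; do
        grep -qE "^[[:space:]]*$k[[:space:]]*=" "$f" || { echo "$f: missing $k"; rc=1; }
    done
    # WireGuard keys are 32 bytes, i.e. 43 base64 characters plus "=".
    bad=$(grep -E '^[[:space:]]*(PrivateKey|PublicKey|PresharedKey)[[:space:]]*=' "$f" \
          | sed 's/^[^=]*=[[:space:]]*//' | grep -vcE '^[A-Za-z0-9+/]{43}=$' || true)
    [ "${bad:-0}" -eq 0 ] || { echo "$f: $bad key value(s) are not valid base64 keys"; rc=1; }
    return $rc
}

# sh wg-peer.sh phone 192.168.1.3 [server-public-key-file]
if [ $# -ge 2 ]; then
    srvpub=$(cat "${3:-publickey}") || exit 1
    kp=$(gen_keypair) || exit 1
    render_client_conf "${kp% *}" "$2/24" "$srvpub" my.domain.org:51820 192.168.1.102 > "$1.conf"
    check_wg_conf "$1.conf" || exit 1
    render_server_peer "$1" "${kp#* }" "$2"          # append this to wg0.conf
    command -v qrencode > /dev/null && qrencode -t ansiutf8 < "$1.conf"
fi
```

`check_wg_conf` also works on an existing wg0.conf or client.conf, so it can be run once after editing and again before `wg-quick up` to confirm nothing was left as a placeholder.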

[WordPress] Remove Google Fonts in Theme Fluida

I usually try to avoid Google products, especially when it comes to web tracking, although I’m a big fan of what they do in other technologies.
Today I was testing another WordPress theme called Fluida, a free theme from Cryout Creations. It’s clean and simple; the only thing that bothers me is the usage of the Google Fonts API. Even if you don’t enter a Google Font in the settings, it connects to the API.

Google Fonts has advantages as well as disadvantages. Read more about it here.

There are a few WordPress plugins to remove Google Fonts (e.g. Autoptimize), but I wanted to avoid another plugin and do it manually. After a short search through the theme I found “includes/styles.php”. There you just have to comment out the following lines and it’s done.

	// Google fonts
	$gfonts = array();
	$roots = array();
	foreach ( $cryout_theme_structure['google-font-enabled-fields'] as $item ) {
		$itemg = $item . 'google';
		$itemw = $item . 'weight';
		// custom font names
		if ( ! empty( $options[$itemg] ) && ! preg_match( '/custom\sfont/i', $options[$item] ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $options[$itemg], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $options[$itemg] );
		}
		// preset google fonts
		if ( preg_match('/^(.*)\/gfont$/i', $options[$item], $bits ) ) {
				if ( $item == _CRYOUT_THEME_PREFIX . '_fgeneral' ) { 
					$gfonts[] = cryout_gfontclean( $bits[1], ":100,200,300,400,500,600,700,800,900" ); // include all weights for general font 
				} else {
					$gfonts[] = cryout_gfontclean( $bits[1], ":".$options[$itemw] );
				};
				$roots[] = cryout_gfontclean( $bits[1] );
		}
	};
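After commenting out that block it is worth confirming from the outside that the rendered pages no longer reference Google, because other plugins or a child theme can re-add the font requests. The script below is an added example, not code from the original post: it reads a page (from stdin or via curl) and lists every remaining reference to fonts.googleapis.com or fonts.gstatic.com, the two hosts the Google Fonts API loads its CSS and font files from.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the theme edit
# actually stopped the Google Fonts requests. Reads HTML from stdin (or
# fetches a URL with curl) and lists every remaining reference to
# fonts.googleapis.com / fonts.gstatic.com, the hosts the Google Fonts
# API serves CSS and font files from.

# Print each distinct Google Fonts URL found in the HTML on stdin.
google_font_refs() {
    grep -oE '(https?:)?//fonts\.(googleapis|gstatic)\.com[^"'"'"' <>]*' | sort -u
}

# Fetch a page and report. Exit 1 if anything is still referenced,
# so this can run as a quick post-deployment check; exit 2 on fetch error.
check_site() {
    html=$(curl -fsSL "$1") || return 2
    refs=$(printf '%s' "$html" | google_font_refs)
    if [ -n "$refs" ]; then
        printf '%s still loads Google Fonts:\n%s\n' "$1" "$refs"
        return 1
    fi
    echo "$1: no Google Fonts references"
}

# Usage: sh fontcheck.sh https://example.invalid/   (placeholder URL)
if [ $# -gt 0 ]; then check_site "$1"; fi
```

The check only covers the HTML of the page you fetch; CSS files that `@import` a Google stylesheet would need the same grep run over the downloaded CSS.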