In today's digital landscape, protecting our privacy while searching the web has become more important than ever. Enter Searx, an innovative search engine that offers a unique blend of privacy, customization, and community collaboration. Let's dive into the world of Searx and explore why it's transforming the search engine landscape.

Searx prioritizes your privacy like no other. Unlike traditional search engines, it doesn't track, store, or sell your personal information. By using Searx, you can browse the web with peace of mind, knowing that your searches remain anonymous and your data remains secure. It's time to take control of your online presence and enjoy a truly private search experience.

Searx empowers you to customize your search engine experience. It's like having a personal assistant that adapts to your preferences. You can choose from a variety of search engines, fine-tune settings, and even modify the interface to suit your style. With Searx, you're in control of how you search the web, making it a truly personalized experience.

Gone are the days of relying on a single search engine for information. Searx takes a unique approach by gathering results from multiple sources, providing you with a more comprehensive and diverse range of search results. You'll discover new perspectives, alternative viewpoints, and hidden gems that you might not have found otherwise. Searx expands your horizons and enhances your search experience.

Searx operates on a decentralized infrastructure, ensuring that your data is protected. Instead of relying on a central server, Searx uses a network of interconnected servers. This decentralized approach adds an extra layer of security, making it more difficult for anyone to invade your privacy or control your data. With Searx, you can search the web with confidence, knowing that your information is safe.

Searx thrives on the support of its dedicated community. Developers and enthusiasts come together to improve and expand the capabilities of the search engine. This vibrant community fosters collaboration, innovation, and the continuous development of Searx. It's like being part of a tech-savvy family, working together to create a better search experience for everyone.

In conclusion, Searx represents a new era of search engines that prioritize privacy, customization, and community collaboration. It's a powerful tool that allows you to search the web with confidence, personalize your search experience, and discover diverse perspectives. By embracing Searx, you're taking a stand for your privacy and joining a community of like-minded individuals dedicated to improving the search engine landscape. Start exploring the power of Searx today at https://searx.mnm.im and unlock a new level of privacy and customization in your online searches.

On Manjaro, I've run into an issue whre thunderbird seems to insist on using military time for the caledar scheduling. This is driving me crazy as the older I get the less I want to do math in my head.

To fix this simply open Thunderbird and go to Edit>Settings>Config Editor

From there create the following string and add the string value.

intl.date_time.pattern_override.time_short = h:mm a

Restart Thunderbird and Calendar entries should now be in standard time.

Ok, so this article is slightly different than most I post up here. Today I'm jotting down an issue I ran into connecting to a Minio Bucket remotely within my LAN.

I'm playing around with an open source file upload service. I'd like to host the site and have the files the server will be storing hosted up on my Minio instance. Minio is mimicking an AWS S3 storage bucket. Perfect for a site like Zipline.

It was super easy to get a docker compose instance up and running. The reverse proxy setup was straight forward. I decided to host the data on an Object Storage server like Minio.

Minio itself was pretty easy and straight forward to get up and running. At least the basic single instance setup I decided to test and roll out. I highly recommend it if you're in need of an Object Storage server in your environment. Main reason I'd like this in my setup is due to the expandability of a Minio cluster. It's so easy to expand the data storage capacity.

To the guts of my issue and the reason for this article. In setting up Zipline, I was unable to get it to connect properly to the Minio bucket I was  trying to use.

I was getting this obscure error that I really could not locate much information about. Well, other than it was a connection issue, most likely due to credentials.

zipline-zipline-1   | 2022-12-30 05:22:37,371 PM info  [server] started production zipline@3.6.4 server
zipline-zipline-1   | node:events:491
zipline-zipline-1   |       throw er; // Unhandled 'error' event
zipline-zipline-1   |       ^
zipline-zipline-1   |
zipline-zipline-1   | Error: connect ECONNREFUSED 192.168.10.90:80
zipline-zipline-1   |     at __node_internal_captureLargerStackTrace (node:internal/errors:491:5)
zipline-zipline-1   |     at __node_internal_exceptionWithHostPort (node:internal/errors:669:12)
zipline-zipline-1   |     at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1471:16)
zipline-zipline-1   | Emitted 'error' event on Readable instance at:
zipline-zipline-1   |     at DestroyableTransform.<anonymous> (/zipline/node_modules/minio/dist/main/minio.js:1831:127)
zipline-zipline-1   |     at DestroyableTransform.emit (node:events:513:28)
zipline-zipline-1   |     at /zipline/node_modules/minio/dist/main/minio.js:1766:33
zipline-zipline-1   |     at ClientRequest.<anonymous> (/zipline/node_modules/minio/dist/main/minio.js:574:9)
zipline-zipline-1   |     at ClientRequest.emit (node:events:525:35)
zipline-zipline-1   |     at Socket.socketErrorListener (node:_http_client:490:9)
zipline-zipline-1   |     at Socket.emit (node:events:513:28)
zipline-zipline-1   |     at emitErrorNT (node:internal/streams/destroy:151:8)
zipline-zipline-1   |     at emitErrorCloseNT (node:internal/streams/destroy:116:3)
zipline-zipline-1   |     at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
zipline-zipline-1   |   errno: -111,
zipline-zipline-1   |   code: 'ECONNREFUSED',
zipline-zipline-1   |   syscall: 'connect',
zipline-zipline-1   |   address: '192.168.10.90',
zipline-zipline-1   |   port: 80
zipline-zipline-1   | }
zipline-zipline-1   |
zipline-zipline-1   | Node.js v19.3.0
zipline-zipline-1 exited with code 1

All the Zipline documentation in regards to connecting to an S3 instance explained that you needed to add the following DATASOURCE options to connect.

DATASOURCE_TYPE=s3 
DATASOURCE_S3_ACCESS_KEY_ID=key 
DATASOURCE_S3_SECRET_ACCESS_KEY=secret 
DATASOURCE_S3_BUCKET=bucket 
DATASOURCE_S3_ENDPOINT=s3.amazonaws.com 
DATASOURCE_S3_REGION=us-west-2 
DATASOURCE_S3_FORCE_S3_PATH=false 
DATASOURCE_S3_USE_SSL=false 

You can find the details here: https://github.com/diced/zipline/blob/trunk/.env.local.example

This looked easy enough to fill in. Until you get the above error over and over. No matter what I did it resulted in the error. I asked myself why it was failing when I was giving it the right IP. If I added the :9000 port at the end of the address it failed hard and the error was a straight up rejection. So adding the port is not the syntax it is looking for.  

For my Minio instance you need to connect to port 9000 like I mentioned. Under the ENDPOINT entry I decided to add a PORT entry. So I assumed it would look like this:

DATASOURCE_S3_PORT=9000

Started up docker and boom it worked. So the final docker-compose in the end is as follows.

version: '3'
services:
  postgres:
    image: postgres:15
    restart: always
    environment:
      - POSTGRES_USER=changeme
      - POSTGRES_PASSWORD=changeme
      - POSTGRES_DATABASE=changeme
    volumes:
      - pg_data02:/var/lib/postgresql/data
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U postgres']
      interval: 10s
      timeout: 5s
      retries: 5

  zipline:
    image: ghcr.io/diced/zipline
    ports:
      - '3000:3000'
    restart: always
    environment:
      - CORE_RETURN_HTTPS=true
      - CORE_SECRET=changeme
      - CORE_HOST=0.0.0.0
      - CORE_PORT=3000
      - CORE_DATABASE_URL=postgres://changeme:changeme@postgres/changeme
      - CORE_LOGGER=true
      - DATASOURCE_TYPE=s3
      - DATASOURCE_S3_ACCESS_KEY_ID=changeme
      - DATASOURCE_S3_SECRET_ACCESS_KEY=changeme
      - DATASOURCE_S3_BUCKET=changeme
      - DATASOURCE_S3_ENDPOINT=192.168.1.25
      - DATASOURCE_S3_PORT=9000
      - DATASOURCE_S3_REGION=us-west-eug01
      - DATASOURCE_S3_FORCE_S3_PATH=true
      - DATASOURCE_S3_USE_SSL=false
    volumes:
      - '$PWD/public:/zipline/public'
    depends_on:
      - 'postgres'

volumes:
  pg_data02:

It's pretty cool to watch your first uploaded file hit the bucket on your very own Minio instance.

Enjoy!

Installing Node.js with Apt Using a NodeSource PPA

To install a different version of Node.js, you can use a PPA (personal package archive) maintained by NodeSource. These PPAs have more versions of Node.js available than the official Ubuntu repositories. Node.js v14, v16, and v18 are available as of the time of writing.

First, we will install the PPA in order to get access to its packages. From your home directory, use curl to retrieve the installation script for your preferred version, making sure to replace 18.x with your preferred version string (if different).

cd ~

curl -sL https://deb.nodesource.com/setup_18.x -o nodesource_setup.sh

Refer to the NodeSource documentation for more information on the available versions.

You can inspect the contents of the downloaded script with nano (or your preferred text editor):

nano nodesource_setup.sh

Running third party shell scripts is not always considered a best practice, but in this case, NodeSource implements their own logic in order to ensure the correct commands are being passed to your package manager based on distro and version requirements. If you are satisfied that the script is safe to run, exit your editor, then run the script with sudo:

sudo bash nodesource_setup.sh

The PPA will be added to your configuration and your local package cache will be updated automatically. You can now install the Node.js package in the same way you did in the previous section. It may be a good idea to fully remove your older Node.js packages before installing the new version, by using sudo apt remove nodejs npm. This will not affect your configurations at all, only the installed versions. Third party PPAs don’t always package their software in a way that works as a direct upgrade over stock packages, and if you have trouble, you can always try to revert to a clean slate.

sudo apt-get install -y nodejs

Verify that you’ve installed the new version by running node with the -v version flag:

node -v

Output
v18.7.0

The NodeSource nodejs package contains both the node binary and npm, so you don’t need to install npm separately.

At this point you have successfully installed Node.js and npm using apt and the NodeSource PPA. The next section will show how to use the Node Version Manager to install and manage multiple versions of Node.js.

In case you haven’t heard already – Unsplash is the place to go when you need royalty free photos to use in your projects, whether it’s for commercial use or not. I use it myself quite often, for large background images. So does https://pixelarity.com, just to name an example.

While they do have a great API for developers, they also give you the option to simply access random images via URL’s.

Here’s an example, generating a completely random image from their massive storage:

https://source.unsplash.com/random

https://source.unsplash.com/random

Specific User

We can also generate a random image from a specific user. The URL format would be like so:

https://source.unsplash.com/user/USERNAME

Click this link below to generate a random image from the user wsanter:

https://source.unsplash.com/user/wsanter

Random Image From Search Term

This one is really cool. You can generate images from search terms. Let’s search for city and night (so fkn creative):

https://source.unsplash.com/random/?bamboo,forest

https://source.unsplash.com/random/?bamboo,forest

You place the search terms at the end of the URL, so before you could add the size if you’d like:

https://source.unsplash.com/random/3840×2160/?bamboo,forest

https://source.unsplash.com/random/3840×2160/?bamboo,forest

Step 1: Update and Install Docker Dependencies

First, let us update our packages list and install the required docker dependencies.

sudo apt update

Then, use the following command to install the dependencies or pre-requisite packages.

sudo apt install apt-transport-https ca-certificates curl software-properties-common gnupg lsb-release

Step 2: Add Docker Repository to APT Sources

First, let us get the GPG key which is needed to connect to the Docker repository. To that, use the following command.

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

Next, add the repository to the sources list. While you can also add it manually, the command below will do it automatically for you.

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

The above command will automatically fill in your release code name (jammy for 22.04, focal for 20.04, and bionic for 18.04).

Finally, refresh your packages again.

sudo apt update

If you forget to add the GPG key, then the above step would fail with an error message. Otherwise, let us get on with installing Docker on Ubuntu.

Step 3: Install Docker on Ubuntu/Debian Linux

In this Ubuntu Docker setup guide, we will install the docker-ce (and not docker.io package).

To install Docker on Ubuntu or Debian, use the following command:

sudo apt install docker-ce

This will download and install several hundred MBs of packages, as shown below.

Continue and the docker engine installation process should normally go through without any issues.

Step 4: Verify that Docker is Running on Ubuntu

There are many ways to check if Docker is running on Ubuntu. One way is to use the following command:

sudo systemctl status docker

You should see an output that says active for status.

INSTALL DOCKER-COMPOSE ON UBUNTU 22.04

Step 1: Check the Current Version of Docker Compose

As said before, the version of docker-compose packaged with the Linux distribution is probably old.

sudo apt search docker-compose

Checking the releases on Docker Compose GitHub, the last release is v2.14.1.

Step 2: Install Docker Compose on Ubuntu

Unlike Docker, there are no official repositories that you can add to easily install Docker Compose on Ubuntu.

First, download the latest version of Docker Compose using the following command:

sudo curl -L https://github.com/docker/compose/releases/download/v2.14.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

Change v2.14.1 to the current release number. Next, make it executable using the following command:

sudo chmod +x /usr/local/bin/docker-compose

That is it. Docker Compose should now be installed on your Ubuntu system.

Step 3: Check if Docker Compose is Installed

Let us check to make sure Docker Compose is installed and is available for us to use using:

docker-compose -v

If the installation was successful, you should see the docker compose version number as the output.

TIP TO ENCHANCE DOCKER EXPERIENCE

Add User to Docker Group

Running and managing docker containers requires sudo privileges. So this means you will have to type sudo for every command or switch to the root user account. But you can get around this by adding the current user to the docker group using the following command:

sudo usermod -aG docker ${USER}

You can replace ${USER} with your user name or just run the command as-is while you are logged in.

While this can be a minor security risk, it should be OK as long as other Docker security measures are in place.

I had the same issue on a host running Ubuntu and needed to use:

sudo update-grub "systemd.unified_cgroup_hierarchy=0"

As always I prefer to go open source with any software I use. I came across this open source email app for Android called K-9. I've been using it for a few weeks and I have to say I really like it.

There is one annoyance though that I thought I would mention so that others can find the answer quickly unlike me who had to search around to find the solution.

The K-9 app does not make it intuitive when it comes to setting the frequency of checking emails. You can fiddle all you want in the Account settings and Folder settings. You won't find it and when you think you did you'll notice the app still switches back to "Sync Disabled".

Change it for good by going to Settings>Global Settings>Network. Change the Background sync to Always. That's it. Your K-9 app will now check email based on the setting you configured for polling times. Oh you didn't?

Check the poling frequency by going to Settings>Account Settings>Folder Poll Frequency. Change this to however often you want K-9 to check email.

My 2¢ anyways!

Bottom line was getting the mount command correct. First confirmed the share was setup properly on the NAS. Then made sure the registry entry in Windows 1o had been created.

From the cmd that you opened with Administrator issue: mount -o nolock anon \\IP\path\to\share

We will update and setup the default locale's on the server, and enable the auto security updates. I haven't seen any issues by enabling the auto security updates so far. In most cases you would want to review the updates for production servers, so you can see any conflicting packages or dependency issues. I have been running this setup for 6 months without issues.

sudo apt update && apt upgrade && apt autoremove
sudo dpkg-reconfigure tzdata && sudo locale-gen de_DE.UTF-8 && sudo dpkg-reconfigure locales && sudo dpkg-reconfigure -plow unattended-upgrades

Edit the hosts file

sudo nano /etc/hosts

Edit the hosts file with your fqdn details

xxx.xxx.xxx.xxx   myhost.domain.com myhost

# The following lines are desirable for IPv6 capable hosts
xxx.xxx.xxx.xxx   myhost.domain.com myhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Secure the server

We will setup UFW and block incoming ICMP requests so the server can't be pinged. It just hardens the security a little.

Setup UFW

sudo ufw default deny incoming
sudo ufw allow 22 && sudo ufw allow 80 && sudo ufw allow 443
sudo ufw enable
sudo ufw status #should show what we just configured

Block ICMP requests

sudo nano /etc/ufw/before.rules

Change these lines:

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP  
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP   
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP  
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP  
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP  

Stop spoofing attacks

In sysctl.conf we can use net.ipv4 set as 0 to secure the server.

Resource: https://gist.github.com/lokhman/cc716d2e2d373dd696b2d9264c0287a3

sudo nano /etc/sysctl.conf

Example config:

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
net.ipv4.conf.all.secure_redirects = 0
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all
# Debian kernels have this set to 0 (disable the key)
# See https://www.kernel.org/doc/Documentation/sysrq.txt
# for what other values do
#kernel.sysrq=1

###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# Debian kernels have both set to 1 (restricted) 
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
#fs.protected_hardlinks=0
#fs.protected_symlinks=0

Setup Fail2Ban

Fail2Ban can be used to stop hack attempts. It uses "jail" configurations to verify and block ip addresses.

sudo apt install fail2ban

The default Fail2Ban config files are fine for most hack activity. You can see jail activity by using fail2ban-client status and fail2ban-client status sshd to see blocked ssh attempts.

Setup nginx

During this step we will:

• Remove the default nginx site
• Create a new site for Firefly III
• Redirect http to https
• Setup Diffie-Hellman parameter for DHE ciphersuites, which hardens nginx's security. Diffie-Hellman forces a dependency on TLS to agree on a shared key and negotiate a secure session.
• Use SSL Ciphers

sudo rm /etc/nginx/sites-enabled/default
sudo touch /etc/nginx/sites-available/myhost.domain.com.conf
sudo ln -s /etc/nginx/sites-available/myhost.domain.com.conf /etc/nginx/sites-sudo enabled/myhost.domain.com.conf
sudo openssl dhparam 2048 > /etc/nginx/dhparam.pem
sudo nano /etc/nginx/sites-enabled/myhost.domain.com.conf

Here is an example config

server {
        listen       80;
        server_name  myhost.domain.com;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
        server_tokens off;
    }
server {
	listen 443 http2;
	listen [::]:443 http2;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/myhost.domain.com/fullchain.pem;        # path to your fullchain.pem
        ssl_certificate_key /etc/letsencrypt/live/myhost.domain.com/privkey.pem;    # path to your privkey.pem
        server_name myhost.domain.com;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:5m;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/nginx/dhparam.pem;

        # secure settings (A+ at SSL Labs ssltest at time of writing)
        # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
        ssl_prefer_server_ciphers on;

        proxy_set_header X-Forwarded-For $remote_addr;

	    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;        
	    server_tokens off;

    	root /opt/myhost.domain.com/public;

	# Add index.php to the list if you are using PHP
    	client_max_body_size 300M;
    	index index.html index.htm index.php;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location ~ \.php$ {
              try_files $uri =404;
              fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
              fastcgi_index index.php;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              include fastcgi_params;

        }

        index index.php index.htm index.html;

        location / {
          try_files $uri $uri/ /index.php?$query_string;
          autoindex on;
          sendfile off;
        }
    }

Restart nginx to apply the new config

sudo systemctl restart nginx

Setup logrotate

I added logrotate. There shouldn't be any harm using logrotate for logs.

sudo nano /etc/logrotate.d/myhost.domain.com

Example config:

/opt/myhost/storage/logs/*.log
{
    weekly
    missingok
    rotate 2
    compress
    notifempty
    sharedscripts
    maxage 60
}

That's it!

Starting with a fresh Ubuntu 18.04 install we are going to install the Bitwarden password manager. This will be a secure Let's Encrypt based install.

Step 1 Update And Prep Fresh OS

Add the Ubuntu Universe Repo

sudo apt-add-repository universe
sudo apt update && sudo apt -y dist-upgrade && sudo apt autoremove

Install Docker CE and Docker Compose.

Follow the instructions in this article and than hop back here to proceed with Bitwarden install.

Now that you've installed Docker properly I think it's best to get Let's Encrypt installed and generate the certs we will want. This is assuming you have setup DNS resolution to whatever domain your using.

Installing Let's Encrypt

Because we added the Ubuntu Universe repo earlier install certbot to issue our certs should be easy.

sudo apt install cerbot

Because I use a reverse proxy I like to use DNS as my preferred method of verifying my domain ownership with Let's Encrypt.

sudo certbot -d bitwarden.domain.com --manual --preferred-challenges dns certonly

During the setup you will be asked to provide an email address and allow your email for public use, which you can decline. Then you need to agree to using your IP address.

You will be presented with a subdomain which you need to add to your DNS provider, and also a TXT record for the value of that subdomain.

After setting this in your DNS, you can use dig txt _acme-challenge.<my fqdn example.com> @8.8.8.8 to verify the record is propagated. After it's propagated you can continue to tell certbot to validate the entry.

Installing Bitwarden

The time has come to get to the point and install Bitwarden. This part is actually very easy and straight forward. Customizing can be a little tricky, but we'll get to that part later.

Download the main Bitwarden script to your machine in the desired location:

sudo curl -s -o bitwarden.sh https://raw.githubusercontent.com/bitwarden/core/master/scripts/bitwarden.sh && sudo chmod u+x bitwarden.sh

Start the installer:

sudo ./bitwarden.sh install

That's it. Bitwarden and it's set of Docker containers are now installed and ready. Well, kind of ready. We do need to configure Bitwarden a little to make things work with Let's Encrypt.

Take a look at this article for how to install and generate a certificate from Let's Encrypt.

Installing and Issuing Let's Encrypt Certificates

Now to integrate the new certificates with Bitwarden.

First copy over your certs to the proper location so docker will use them properly. Which means something similar to this command.

sudo cp /etc/letsencrypt/live/myhost.domain.com/fullchain.pem /etc/ssl/myhost.domain.com/ && sudo cp /etc/letsencrypt/live/myhost.domain.com/privkey.pem /etc/ssl/myhost.domain.com/

Than edit your Nginx .conf file and point it to where you copied the certs.

For example

sudo nano ./bwdata/nginx/default.conf

Change your ssl_certificate and ssl_certificate_key

ssl_certificate /etc/ssl/myhost.domain.com/fullchain.pem;
and
ssl_certificate_key /etc/ssl/myhost.domain.com/privkey.pem;

Might as well make sure your docker config file is setup for SMTP mail functionality.

sudo nano ./bwdata/env/global.override.env

And customize your SMTP settings.

globalSettings__mail__smtp__host=smtp.sendgrid.net
globalSettings__mail__smtp__username=apikey
globalSettings__mail__smtp__password=SG.YOUR.API_KEY
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__useDefaultCredentials=false

You could add U2F authentication if you wanted to, but that requires a Premium License to work.

Now it's time to start Bitwarden and see how it goes. If the webpage doesn't start when you test it check the logs under ./bwdata/logs/nginx/error.log and see what it recorded.

Bitwarden should be started and accessible with the SSL cert verified.  

Certbot can automatically fetch let's encrypt certificates for us. Before we do that I found that I needed to make sure the Ubuntu Universe repository was active on Ubuntu 18.04.

Easiest way I found is a simple apt command.

sudo apt-add-repository universe

Now we can install certbot.

sudo apt update && sudo apt -y dist-upgrade && sudo apt autoremove
If you noticed a new kernel was installed go ahead and reboot before continuing. Then upon reboot install cerbot with the following command.
sudo apt install certbot

Pull down a certificate

We can use DNS challenge for validation which I have found is the simplest way to verify domain ownership when issuing certs.

sudo certbot -d myhost.domain.com --manual --preferred-challenges dns certonly

During the setup you will be asked to provide an email address and allow your email for public use, which you can decline. Then you need to agree to using your IP address.

You will be presented with a subdomain which you need to add to your DNS provider, and also a TXT record for the value of that subdomain.

After setting this in your DNS, you can use dig txt _acme-challenge.<my fqdn example.com> to verify the record is propagated. After it's propagated you can continue to tell certbot to validate the entry.

Once that succeeds your new certificates will be present in /etc/letsencrypt/live/myhost.domain.com

And that's it. Copy the fullchain.pem and privkey.pem to your reverse proxy, configure your proxy to use these certs and your public site should be accessible and SSL validated when visited.

Renewing the certificate

We can use crontab to check for a new certificate every 3 months. Then we will email the output to ourselves so we know it worked or failed.

sudo crontab -e

Add something similar to this entry

0 3 1 * * certbot certonly --keep-until-expiring -d myhost.domain.com | mail -s "Let's Encrypt Renewal" -a "From: myhost.domai.com <no-reply@myemail@email.com>" myemail@email.com

Install the Dependencies

Docker has its own repositories. Before you can install it from those repos, you need to install the prerequisite dependencies. Update your system, and grab them with Apt.

sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common

Add The Docker Repository

Create a new file for the Docker repository at /etc/apt/sources.list.d/docker.list. In that file, place one of the following lines choosing either stable, nightly or edge builds:

sudo nano /etc/apt/sources.list.d/docker.list

deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable

Next, you need to add Docker's GPG key.

sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Once, that's imported, update Apt again.

sudo apt update

Install Docker CE

You can simply install the Docker CE package.

sudo apt install docker-ce

Done. Check for docker version:

docker --version
Docker version 18.03.0-ce, build 0520e24

Install Docker Compose

Run this command to download the latest version of Docker Compose:

sudo curl -L https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m) -o /usr/local/bin/docker-compose

Apply executable permissions to the binary:

sudo chmod +x /usr/local/bin/docker-compose

Test the installation.

docker-compose --version
docker-compose version 1.22.0, build 1719ceb

Migrating from Hyper-V to KVM on Ubuntu. Found a good way to convert those pesky Hyper-V images so that I can spin them on the new Ubuntu servers.

Here's the low down.

Step 1 Export the VM's from Hyper-V manager

From within your Hyper-V manager make sure you shut down the VM you'll be exporting. Also, make sure you've deleted and merged all checkpoints that make be associated with the VM.

Step 2 Check the health of the .VHDx you exported

I'm assuming after exporting that you went ahead and transfered the VHDx file to your Ubuntu server that is running KVM. If you have't, do so now and head back when the transfer is completed.

To check the image and confirm no errors issues the following on your Ubuntu server.

qemu-img check -r all Bench-Dev.vhdx

Hopefully everything checks out and the output informs you there are no errors.

Step 3 Convert the VDHx to IMG file format

Go ahead and issue the following command to convert the image file to .img.

qemu-img convert -O raw /location/of/vhdx/file.vhdx location/of/img/file.img

You should now have your .img file ready and converted when that finisheds up.

From here create the VM in KVM and make sure you provide it the same spec's you did in Hyper-V. So if you used 4098 GB of RAM and 2 cores. Create the KVM VM with the same values.

Not to hard huh?

My 2