install.linode.ubuntu.12.04
- I picked Newark for the location
- I picked 512MB swap and used the rest for the single server
- Assigned IP is 162.216.16.102 (li605-102.members.linode.com)
- IPv6 2600:3c03::f03c:91ff:fedb:abd1/64
- Don't forget to configure DNS
- DNS servers:
ns1.linode.com
ns2.linode.com
ns3.linode.com
ns4.linode.com
ns5.linode.com
- And make sure to add an SPF record - it's a text record. By default,
it's just:
"v=spf1 mx -all"
- Which says "accept mail from the server listed in our mx record" (as
if that wasn't obvious)
1. Updates!
sudo apt-get update
sudo apt-get dist-upgrade
2. Make accounts
adduser matt
usermod -a -G sudo,adm matt
adduser liz
usermod -a -G sudo,adm liz
3. Install the users' authorized_keys files into ~/.ssh
4. Set up ssh
## For an old machine, use the old keys - you did save /etc, didn't you?
## For a new machine, use the new keys generated by the distro.
- make sure to add to the firewall
ufw allow ssh
- set:
PermitRootLogin forced-commands-only
- (the forced commands only is so we can run backups)
- and set
PasswordAuthentication no
- restart it
service ssh restart
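Added example, not part of these notes: a check that the two sshd_config settings from step 4 are actually in effect. sshd takes the first value it sees for a keyword and ignores later duplicates, so a hardening line appended below a distro default does nothing; this audits the file the way sshd reads it. The sample configs are constructed for the demonstration.

```shell
# Added example (not from the original notes): audit PermitRootLogin and
# PasswordAuthentication the way sshd reads sshd_config. sshd uses the
# FIRST value it sees for a keyword (later duplicates are ignored), keyword
# matching is case-insensitive, and anything after a "Match" line is
# conditional, so parsing stops there. Assumes the "keyword value" form.

# Print the effective value of KEYWORD in FILE, or nothing if it is unset.
sshd_effective() {
    keyword=$1
    file=$2
    awk -v key="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        # strip comments and surrounding whitespace
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        tolower($1) == "match" { exit }       # conditional section: stop
        tolower($1) == key { print $2; exit } # first occurrence wins
    ' "$file"
}

# Return 0 if FILE matches the hardening in step 4, 1 otherwise,
# printing each deviation.
audit_sshd() {
    file=$1
    rc=0
    root=$(sshd_effective PermitRootLogin "$file")
    pw=$(sshd_effective PasswordAuthentication "$file")
    if [ "$root" != "forced-commands-only" ]; then
        echo "PermitRootLogin is '${root:-unset (default yes)}', expected forced-commands-only"
        rc=1
    fi
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset (default yes)}', expected no"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for the demonstration.
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
Port 22
PermitRootLogin forced-commands-only
PasswordAuthentication no
EOF
cat > "$bad" <<'EOF'
# the distro default is still here...
PasswordAuthentication yes
permitrootlogin forced-commands-only
# ...so this appended line is silently ignored by sshd
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

audit_sshd "$good" && echo "$good: OK"
audit_sshd "$bad" || echo "$bad: needs fixing"
```

On a live host, point audit_sshd at /etc/ssh/sshd_config after editing it and before the service ssh restart.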
5. Enable firewall
sudo ufw enable
6. Set the hostname:
- Edit /etc/hostname and set it to linode
- Edit /etc/hosts and set the 127.0.1.1 line to look like:
127.0.1.1 linode
- This will prevent bounce messages from some mail servers, which take
the host name the server claims to be (read from /etc/hostname),
reverse-resolve it, and check that the two agree.
7. Install useful things
sudo apt-get install tree emacs23-nox git
8. Copy in certs
- copy mattcaron.net into /etc/ssl/private
sudo chown -R root:ssl-cert /etc/ssl/private/mattcaron.net
sudo chmod g+x /etc/ssl/private/mattcaron.net
sudo chmod g+r /etc/ssl/private/mattcaron.net/*
9. Install apache
See install.apache
- However, we want it to listen publicly, so don't make it only
listen on 127.0.0.1
- Allow it through the firewall
sudo ufw allow http
sudo ufw allow https
10. Install wordpress bits
See wordpress (the top of it, the rest of it is just notes)
11. Install dovecot (imap)
- Based on: https://help.ubuntu.com/community/Dovecot
- Install it:
sudo apt-get install dovecot-imapd
- configure it
- edit /etc/dovecot/conf.d/10-master.conf and:
- find the `inet_listener imaps` line, and uncomment the body.
- ref: http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL
- find the `service auth` section and add to the bottom:
#SASL
unix_listener auth-client {
mode = 0600
user = Debian-exim
}
- edit /etc/dovecot/conf.d/10-mail.conf and find the mail_location
line, uncomment it and set it to:
mail_location = maildir:/home/%u/Maildir
- edit /etc/dovecot/conf.d/10-ssl.conf and change it to use the
mattcaron.net cert:
ssl_cert = </etc/ssl/private/mattcaron.net/crt
ssl_key = </etc/ssl/private/mattcaron.net/key
- and change ssl to "required"
ssl = required
- edit /etc/dovecot/conf.d/10-imap.conf and set:
mail_max_userip_connections = 100
- (because I have a ton of machines that poll for email)
- edit /etc/dovecot/conf.d/15-lda.conf and set:
postmaster_address = postmaster
- yes, this is kind of stupid, especially in light of the comment in
the config preceding this line, but I've been getting errors about
it not being set, so just explicitly set it to the sane default.
- Pre-create the maildir for new users
sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates
sudo maildirmake.dovecot /etc/skel/Maildir/.Junk
- Then, for an existing user:
sudo cp -r /etc/skel/Maildir /home/myuser/
sudo chown -R myuser:usergroup /home/myuser/Maildir
sudo chmod -R 700 /home/myuser/Maildir
- Allow through firewall
sudo ufw allow imaps
12. Exim
- install it
sudo apt-get install exim4-daemon-heavy exim4
- find the default exim configuration file (called configure.default,
found in the src/ directory of the source code) and modify it as follows:
primary_hostname = mattcaron.net
domainlist local_domains = mattcaron.net : fishhousefishandgame.com
domainlist relay_to_domains =
hostlist relay_from_hosts = localhost
tls_advertise_hosts = *
tls_certificate = /etc/ssl/private/mattcaron.net/crt
tls_privatekey = /etc/ssl/private/mattcaron.net/key
daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
qualify_domain = mattcaron.net
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
- Find the system_aliases router and change the line:
data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
- to:
data = ${lookup{$local_part}lsearch{/etc/aliases}}
- Ref: https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPam
- at the bottom of the main section (before ACL CONFIGURATION), add:
# Only allow auth over TLS, otherwise folks would be sending plaintext
# passwords
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
- ref: http://wiki2.dovecot.org/HowTo/EximAndDovecotSASL
- and down at the bottom, at the end of the AUTHENTICATION CONFIGURATION
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
- Note that we don't use the default debian config, as it is annoying.
- then copy it to /etc/exim4/exim4.conf on the remote server. Make
sure it's group readable and owned by Debian-exim
- make the Debian-exim user a member of the shadow group so it can
read /etc/shadow and therefore do authentication. Also, the ssl-cert
group, so it can read certs
sudo usermod -a -G ssl-cert Debian-exim
- and make a pam config for it - we'll just piggyback on the dovecot
one, as it's reasonable and similar
cd /etc/pam.d
sudo ln -s dovecot exim4
- allow through firewall
sudo ufw allow smtp
sudo ufw allow ssmtp
13. Integrate exim with dovecot
- ref: http://wiki2.dovecot.org/LDA/Exim
- edit /etc/exim4/exim4.conf
- change the localuser router to:
localuser:
driver = accept
check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
transport = dovecot_delivery
cannot_route_message = Unknown user
- Next create a new transport for dovecot-lda:
dovecot_delivery:
driver = pipe
# You may or may not want to add -d $local_part@$domain depending on if
# you need a userdb lookup done.
command = /usr/lib/dovecot/dovecot-lda -f $sender_address
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
#group = mail
#mode = 0660
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
- Next create a new transport for dovecot-lda - spammy version
dovecot_delivery_junk:
driver = pipe
# You may or may not want to add -d $local_part@$domain depending on if
# you need a userdb lookup done.
command = /usr/lib/dovecot/dovecot-lda -f $sender_address -m Junk
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
#group = mail
#mode = 0660
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
- IMPORTANT:
In recent Thunderbird versions, you need to add the exception in
Thunderbird in order to progress past the "probe" UI.
Edit->Preferences->Advanced->Certificates->View Certificates
Servers tab -> Add Exception -> servername:993
(and then do the same for port 465 for smtp)
14. Configure the time zone:
sudo dpkg-reconfigure tzdata
- and set it to US/Eastern
15. Add spamassassin
- install
sudo apt-get install spamassassin
- add the following router right before "localuser"
# router to send incoming email to spamcheck transport for checking
spamcheck_router:
no_verify
check_local_user
# When to scan a message :
# - it isn't already flagged as spam
# - it isn't already scanned
# - it isn't sent from my private home server
# - it isn't sent from the server (linode or localhost)
condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} {!match {$sender_host_address} {${lookup dnsdb{a=mattandliz.dyndns.org}}}} {!match {$sender_host_address} {${lookup dnsdb{a=mattcaron.net}}}}} {1}{0}}"
driver = accept
transport = spamcheck
# router to deliver spam to the junk folder
spam_deliver_to_junk:
driver = accept
check_local_user
local_parts = !www:!root:!nobody:!postmaster:!abuse:!admin
transport = dovecot_spam_junk_delivery
condition = ${if def:h_X-Spam-Flag: {true}}
- add the following transport (it can go anywhere, order doesn't matter)
# Scan for spam via spamassassin. Note that this works by calling exim
# *again* and essentially redelivering the message, except that it has
# already been scanned (see the "spam-scanned" add here, and the conditional
# up in the router), so it only gets called the first time
spamcheck:
debug_print = "T: spamassassin_pipe for $local_part@$domain"
driver = pipe
command = /usr/sbin/exim4 -oMr spam-scanned -bS
use_bsmtp
transport_filter = /usr/bin/spamc
home_directory = "/tmp"
current_directory = "/tmp"
user = Debian-exim
group = Debian-exim
return_fail_output
message_prefix =
message_suffix =
# This delivers mail via dovecot to the Junk folder.
dovecot_spam_junk_delivery:
driver = pipe
# You may or may not want to add -d $local_part@$domain depending on if
# you need a userdb lookup done.
command = /usr/lib/dovecot/dovecot-lda -f $sender_address -m Junk
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
#group = mail
#mode = 0660
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
- Edit /etc/spamassassin/local.cf and change as follows:
rewrite_header Subject *****SPAM*****
- Once all of the above is set up, edit /etc/default/spamassassin and set:
ENABLED=1
and:
CRON=1
- set up the global bayes learning directory. It will be group rw for
the adm group, as it's assumed that only those users would ssh in
and teach it things. Also, spamd changes uid to Debian-exim, so make
sure that user owns the DB and can read things. (You may have to run
the chown again after creating the databases with sa-learn). It also
likes to change group IDs on the files, so you need to make sure
that all those are correct, and that any users who are going to
train SA are in the Debian-exim group (which implies that you trust
them)
sudo mkdir -p /var/spamassassin/bayes_db
sudo chmod -R g+rwX /var/spamassassin
sudo chown -R Debian-exim:Debian-exim /var/spamassassin
sudo usermod -a -G Debian-exim <user list>
- And you need to fix permissions on /var/lib/spamassassin so the users doing that
sudo chgrp Debian-exim /var/lib/spamassassin
sudo chmod g+rx /var/lib/spamassassin
sudo chgrp Debian-exim /var/lib/spamassassin/3.003002/updates_spamassassin_org.cf
sudo chmod g+r /var/lib/spamassassin/3.003002/updates_spamassassin_org.cf
- add the following to /etc/spamassassin/local.cf, so that it uses
the above (note that the last part of bayes_path is a prefix, not a
directory)
use_bayes 1
bayes_path /var/spamassassin/bayes_db/bayes
bayes_file_mode 0660
- also, because we only have a couple of users, limit children - edit
/etc/default/spamassassin and set:
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
- to
OPTIONS="--create-prefs --max-children 2 --helper-home-dir"
- restart
sudo service spamassassin restart
16. Edit /etc/aliases
- change root to go to matt:
root: matt
17. Add sympa
- This install kind of sucks, see bug here:
https://bugs.launchpad.net/ubuntu/+source/sympa/+bug/1195044
- Install
sudo apt-get install sympa apache2-suexec
- enable it
sudo a2enmod suexec
sudo a2enmod cgi
- it will ask:
- about webserver, it's apache 2
- whether to restart it, choose no.
- whether to use dbconfig-common to configure it, choose yes, and
give it the credentials it's asking for
- At this point, the install will fail because of the bug described
above. Fix it
sudo chown -R sympa:sympa /var/spool/sympa
sudo chown -R sympa:sympa /usr/lib/sympa
sudo chown -R sympa:sympa /var/lib/sympa
- edit /etc/sympa/wwsympa.conf
- comment out:
#ldap_force_canonical_email 1
- edit /etc/sympa/sympa.conf
listmaster [email protected]
create_list listmaster
wwsympa_url https://sympa.mattcaron.net/wws
- to clean up the installation errors - just ignore mysql errors
apt-get autoremove
- edit /etc/exim4/exim4.conf and add the following below system_aliases:
# Aliases for sympa
sympa_aliases:
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/mail/sympa/aliases}}
user = sympa
group = sympa
file_transport = address_file
pipe_transport = address_pipe
- remove /etc/apache2/conf.d/sympa (it's just a symlink) and instead set up
/etc/apache2/sites-available/sympa as follows:
<VirtualHost *:80>
ServerName sympa.mattcaron.net
ServerAdmin [email protected]
Redirect permanent / https://sympa.mattcaron.net/wws
</VirtualHost>
<VirtualHost *:443>
ServerName sympa.mattcaron.net
ServerAdmin [email protected]
SSLEngine on
SSLCertificateFile /etc/ssl/private/mattcaron.net/crt
SSLCertificateKeyFile /etc/ssl/private/mattcaron.net/key
# Standard SSL protocol adjustments for IE
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /var/www/sympa/wwsympa.cgi
SuexecUserGroup sympa sympa
# Use simple cgi here. It's not heavily used and base cgi is the most
# compatible
AddHandler cgi-script .fcgi .cgi .pl .sh
RewriteEngine On
RewriteRule ^/$ /wws [R,L]
<Directory "/var/www/sympa/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
- Fake out suexec, because it is hardcoded to want things in /var/www
- make dir
sudo mkdir /var/www/sympa/
sudo chmod a+rx /var/www/sympa/
sudo chown sympa:sympa /var/www/sympa/
- create /var/www/sympa/wwsympa.cgi:
#!/bin/sh
# The script we want Sympa to execute is accessed via a symlink but
# suexec doesn't like that so this script is a wrapper which gets
# executed directly to avoid that problem.
exec /usr/lib/cgi-bin/sympa/wwsympa.fcgi
- fix the perms on it
sudo chown sympa:sympa /var/www/sympa/wwsympa.cgi
sudo chmod u+x /var/www/sympa/wwsympa.cgi
- Restart things
sudo service apache2 restart
sudo service sympa restart
- Don't forget to add sympa.mattcaron.net to DNS
- edit /etc/sympa/topics.conf, delete everything, then add:
gaming
title Gaming
gaming/roleplaying_games
title Role Playing Games
gaming/wargaming
title Wargaming
18. Second domain for sympa
- in `/etc/exim4/exim4.conf`, add the following under ROUTERS
CONFIGURATION before the big comment block preceding system_aliases
(because order matters for exim):
# This router does the same as system_aliases, except that it checks
# the domain as well.
#
# IMPORTANT: Needs to go before things that match on ! +local_domains
# and, most importantly, before the bl_server bit because that
# forwards all non-local domains off to msex1.
#
# Remember - routers are run in order
#
system_aliases_domain:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part@$domain}lsearch{/etc/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe
Ref: http://www.sympa.org/manual/virtual-hosts
- Add the following to /etc/aliases:
[email protected]: "| /usr/lib/sympa/bin/queue [email protected]"
[email protected]: "| /usr/lib/sympa/bin/queue [email protected]"
bounce+*@fishhousefishandgame.com: "| /usr/lib/sympa/bin/bouncequeue [email protected]"
- And add the following to /etc/exim4/exim4.conf, in the ROUTERS
CONFIGURATION section (doesn't matter where):
# Aliases for sympa (robot virtual subdomains)
sympa_aliases_robot:
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup{$domain-$local_part}lsearch{/etc/mail/sympa/aliases}}
user = sympa
group = sympa
file_transport = address_file
pipe_transport = address_pipe
- Add /etc/apache2/sites-available/sympa.fishhouse as follows:
<VirtualHost *:80>
ServerName sympa.fishhousefishandgame.com
ServerAdmin [email protected]
Redirect permanent / https://sympa.fishhousefishandgame.com/wws
</VirtualHost>
<VirtualHost *:443>
ServerName sympa.fishhousefishandgame.com
ServerAdmin [email protected]
SSLEngine on
SSLCertificateFile /etc/ssl/private/fishhousefishandgame.com/crt
SSLCertificateKeyFile /etc/ssl/private/fishhousefishandgame.com/key
# Standard SSL protocol adjustments for IE
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Alias /static-sympa /var/lib/sympa/static_content
ScriptAlias /wws /var/www/sympa/wwsympa.cgi
SuexecUserGroup sympa sympa
# Use simple cgi here. It's not heavily used and base cgi is the most
# compatible
AddHandler cgi-script .fcgi .cgi .pl .sh
RewriteEngine On
RewriteRule ^/$ /wws [R,L]
<Directory "/var/www/sympa/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
- enable
sudo a2ensite sympa.fishhouse
- reload
sudo service apache2 reload
- create bits / copy in defaults:
sudo mkdir /etc/sympa/fishhousefishandgame.com
sudo cp /usr/share/doc/sympa/examples/sample/robot.conf /etc/sympa/fishhousefishandgame.com/.
sudo chown -R sympa:sympa /etc/sympa/fishhousefishandgame.com
sudo chmod 750 /etc/sympa/fishhousefishandgame.com
sudo chmod 640 /etc/sympa/fishhousefishandgame.com/robot.conf
sudo mkdir /var/lib/sympa/fishhousefishandgame.com
sudo chown sympa:sympa /var/lib/sympa/fishhousefishandgame.com
sudo chmod 750 /var/lib/sympa/fishhousefishandgame.com
- edit /etc/sympa/fishhousefishandgame.com/robot.conf and set as follows:
http_host sympa.fishhousefishandgame.com
listmaster [email protected]
title Fish House Fish and Game MailingLists Service
- and, below http_host, you'll want to add:
wwsympa_url https://sympa.fishhousefishandgame.com/wws
- create /etc/sympa/fishhousefishandgame.com/topics.conf
hunting
title Hunting
fishing
title Fishing
general
title General Membership
- restart
sudo service sympa restart
19. Install logcheck
sudo apt-get install logcheck
- edit /etc/cron.d/logcheck and set it to @daily and not every 2 hours
20. Set up mysql snapshot
- Clone backup utils
mkdir -p ~/workspace/code/scripts
cd ~/workspace/code/scripts
git clone https://github.com/mattcaron/backup_scripts.git
mkdir ~/bin
cd ~/bin
ln -s ~/workspace/code/scripts/backup_scripts/mysql_backup .
mkdir -p ~/attic/backup/`hostname`
- create ~/attic/backup/`hostname`/mysql.pw and put the root password
into it.
- fix perms:
chmod 600 ~/attic/backup/`hostname`/mysql.pw
- Add to crontab:
@daily /home/matt/bin/mysql_backup > /dev/null
21. Lock root account
sudo usermod -L root
22. Add monitoring:
- make sure landscape is installed (to get landscape-sysinfo):
sudo apt-get install landscape-common
- Then add the following to my crontab:
@daily /usr/bin/ntpq -p; echo; df -lh; echo; landscape-sysinfo
23. Fix up logcheck:
Add to /etc/logcheck/ignore.d.server/local:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ([[:alnum:]-]+: )?Fatal: Time just moved
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Warning: Time moved
(the first rule allows for the process name, e.g. "imap:", that dovecot
puts before "Fatal:" in the line below; without it the rule doesn't match)
(catches:
Dec 4 07:53:46 linode dovecot: imap: Fatal: Time just moved backwards by 6 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki2.dovecot.org/TimeMovedBackwards
Dec 4 07:53:46 linode dovecot: imap-login: Warning: Time moved backwards by 6 seconds.
which are an issue because it's a VM and time is a bit squidgy.
)
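Added example, not part of these notes: a dry run of the step 23 ignore rules the way logcheck applies them (grep -E -v -f RULEFILE) against constructed log lines, so the effect of a rule is visible before it goes into /etc/logcheck/ignore.d.server/local. The first rule is written with an optional process name before "Fatal:" so that it matches the quoted imap line; the negative samples show the rules do not also swallow a failed login or the same message from another daemon.

```shell
# Added example (not from the original notes): dry-run logcheck ignore
# rules against sample log lines. Whatever is still printed is what would
# reach the daily logcheck report; a rule that also removes the negative
# samples is too broad and would hide real events.

# Print the lines of LOGFILE that no pattern in RULEFILE suppresses.
logcheck_dryrun() {
    grep -E -v -f "$1" "$2"
}

# Count how many lines of LOGFILE survive RULEFILE.
logcheck_survivors() {
    logcheck_dryrun "$1" "$2" | wc -l | tr -d ' '
}

rules=$(mktemp)
logs=$(mktemp)
# The two rules from step 23 (the first one allows an optional process
# name such as "imap: " between "dovecot:" and "Fatal:").
cat > "$rules" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: ([[:alnum:]-]+: )?Fatal: Time just moved
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Warning: Time moved
EOF
# Constructed sample syslog lines (note the two spaces before a
# single-digit day, as syslog writes it): the two the notes want silenced,
# then two that must still be reported, a failed IMAP login and the same
# clock message logged by a different daemon.
cat > "$logs" <<'EOF'
Dec  4 07:53:46 linode dovecot: imap: Fatal: Time just moved backwards by 6 seconds. This might cause a lot of problems, so I'll just kill myself now. http://wiki2.dovecot.org/TimeMovedBackwards
Dec  4 07:53:46 linode dovecot: imap-login: Warning: Time moved backwards by 6 seconds.
Dec  4 07:55:01 linode dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<matt>, method=PLAIN, rip=203.0.113.7
Dec  4 07:56:12 linode cron: Fatal: Time just moved backwards by 6 seconds.
EOF

echo "Lines that would still appear in the logcheck report:"
logcheck_dryrun "$rules" "$logs"
```

To test a real rule file, run logcheck_dryrun with /etc/logcheck/ignore.d.server/local and a copy of /var/log/syslog.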
24. OwnCloud
- Make sure to add owncloud.mattcaron.net to linode DNS
- Optimization ref:
http://forum.owncloud.org/viewtopic.php?f=8&t=10692
- Install deps:
sudo apt-get install apache2 php5 php5-gd php-xml-parser php5-intl \
php5-sqlite php5-mysql curl libcurl3 php5-curl php-apc \
libapache2-mod-xsendfile
- download tarball (add to source control, etc.)
http://owncloud.org/install/
- Copy in the user_pwauth plugin from:
http://apps.owncloud.com/content/show.php/Unix+user+backend?content=148406
- Unzip it and copy it in to owncloud/apps (add to source control, etc.)
- Make the xsendfile cache:
sudo mkdir /tmp/oc-noclean
sudo chown www-data:www-data /tmp/oc-noclean
- Enable UTF-8 in php.ini
- edit /etc/php5/apache2/php.ini
- uncomment:
default_charset = "UTF-8"
- Log in to the DB server and create a user and password
CREATE DATABASE owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO "owncloud"@"localhost" IDENTIFIED BY "password";
- Make an /etc/apache2/sites-available/owncloud.mattcaron.net as follows:
<VirtualHost *:80>
ServerName owncloud.mattcaron.net
ServerAdmin [email protected]
DocumentRoot /home/matt/public_html/owncloud.mattcaron.net
<Directory /home/matt/public_html/owncloud.mattcaron.net>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
SetEnv MOD_X_SENDFILE_ENABLED 1
XSendFile On
XSendFilePath /tmp/oc-noclean
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName owncloud.mattcaron.net
ServerAdmin [email protected]
SSLEngine on
SSLCertificateFile /etc/ssl/private/mattcaron.net/crt
SSLCertificateKeyFile /etc/ssl/private/mattcaron.net/key
# Standard SSL protocol adjustments for IE
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
DocumentRoot /home/matt/public_html/owncloud.mattcaron.net
<Directory /home/matt/public_html/owncloud.mattcaron.net>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
SetEnv MOD_X_SENDFILE_ENABLED 1
XSendFile On
XSendFilePath /tmp/oc-noclean
</Directory>
</VirtualHost>
- enable headers and rewrite modules
sudo a2enmod headers
sudo a2enmod rewrite
- enable it:
sudo a2ensite owncloud.mattcaron.net
sudo service apache2 reload
Go to:
https://owncloud.mattcaron.net/
and do the initial setup, entering random admin credentials and
choosing MySQL for the DB. Enter the DB credentials for the owncloud
user on the owncloud DB you established above.
The data folder is /usr/share/owncloud/data (the default) which links
to /var/lib/owncloud/data/ (which should be backed up).
Anyway, once that's all done it will let you in.
Once logged in:
- Under the "Admin" menu, tick:
- Enforce HTTPS
- Under the "Apps" menu, enable
- Calendar
- Contacts
- Bookmarks
- Tasks
- Documents
- Unix User Backend
- Video
- install pwauth
sudo apt-get install pwauth
- Under the "Users" menu
- Give appropriate people admin access
- Delete the admin account
- Set up cron:
sudo -u www-data crontab -e
and add:
*/15 * * * * php -f /home/matt/public_html/owncloud.mattcaron.net/cron.php
- Then, in the Admin panel, tell it to use cron.
- A note on backups:
These are already handled by the mysql_backup script and backing
up homedirs. So, nothing additional need be done here, so long as
the previous stuff is set up.
Configuring apps:
- Thunderbird
- Address book
- Ref: http://doc.owncloud.org/server/6.0/user_manual/pim/sync_thunderbird.html
- Basically:
- Install the Sogo connector
- In Thunderbird, click Tools -> Address Book
- File -> New -> Remote Addressbook
- Name it whatever, but use addressbook:
https://owncloud.mattcaron.net/remote.php/carddav/addressbooks/matt/contacts
- Close and reopen thunderbird to make it connect
- You may need to try to synchronize a couple of times - accept
cert, enter creds, etc.
- Calendar
- Ref: http://forum.owncloud.org/viewtopic.php?f=23&t=14137
- Basically
- Install Lightning
- In Thunderbird, click Events and Tasks -> Calendar
- Under "Calendar" right click -> New Calendar
- It's on the network
- It's CalDAV
- Used URL
https://owncloud.mattcaron.net/remote.php/caldav/calendars/matt/familycalendar
- Ticked "Offline Support"
- Named it "Family Calendar"
- Entered creds
- Android
- Address book
- Install "CardDAV sync free" or "CardDAV sync" from Google play
- Launch CardDAV
- Add account
- Use the same URL as Thunderbird:
https://owncloud.mattcaron.net/remote.php/carddav/addressbooks/matt/contacts
- Tick "Use SSL"
- Enter credentials
- Next
- Enter an appropriate name
- Untick "Sync from server to phone only"
- Next
- Calendar
- Install "CalDAV sync free" or "CalDAV sync" from google play
- Open Calendar
- Top right corner, click "Add Account"
- Choose "CalDAV sync adapter"
- Enter creds, and use the same URL as Thunderbird:
https://owncloud.mattcaron.net/remote.php/caldav/calendars/matt/familycalendar
- Of note - under account name, use your email, because that's used
as the address of the organizer.
- Click "sign in or register"
- Once the account is there, click on it, and click "Accounts & sync"
- Click the "CalDav sync adapter" account when that comes up
- Tick the box next to the sync state to turn it on
- Calendar should now work.
- Theoretically, a long press on the calendar name during set up
will change the ugly poop color, but I couldn't get that to work,
so I left it.
25. MySQL and Apache tuning
The default MySQL and Apache configs that ship with Ubuntu do not seem
particularly suited to "low RAM boxes" (though, the old curmudgeon in
me is amazed that 1.5GB is "low ram" these days, but I don't build a
box with less than 1GB, as it's so cheap....)
## Apache ##
Ref: http://emergent.urbanpug.com/?p=60
- Disable unused modules
sudo a2dismod auth_basic
sudo a2dismod authn_file
sudo a2dismod authz_groupfile
sudo a2dismod authz_user
sudo a2dismod fcgid
sudo a2dismod status
- edit /etc/apache2/apache2.conf and tweak values thusly. Original:
<IfModule mpm_prefork_module>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
- revised:
<IfModule mpm_prefork_module>
StartServers 2
MinSpareServers 1
MaxSpareServers 5
MaxClients 50
MaxRequestsPerChild 0
</IfModule>
- restart:
sudo service apache2 restart
## MySQL ##
Refs:
http://emergent.urbanpug.com/?p=61
http://lowendbox.com/blog/reducing-mysql-memory-usage-for-low-end-boxes/
http://opensourcehacker.com/2011/03/31/reducing-mysql-memory-usage-on-ubuntu-debian-linux/
- edit /etc/mysql/my.cnf and change parameters as follows:
- original
key_buffer = 16M
thread_stack = 192K
#max_connections = 100
query_cache_size = 16M
- modified
key_buffer = 8M
thread_stack = 128K
max_connections = 50
query_cache_size = 8M
- restart