shell help: Take and view notes of your (and my) shell activity

.gitignore

@@ -0,0 +1 @@
+.old/

README.md

@@ -0,0 +1,80 @@
+[//]: # ( vim:set syntax=markdown fileformat=unix shiftwidth=4 softtabstop=4 expandtab textwidth=120: )
+[//]: # ( kate: syntax markdown; end-of-line unix; space-indent on; indent-width 4; word-wrap-column 120; )
+[//]: # ( kate: word-wrap on; remove-trailing-spaces modified; )
+
+# shell help: Take and view notes of your (and my) shell activity
+
+No one likes writing documentation, not developers, nor operators. A simple approach is to pin down step by step all
+commands you ran in a shell and add comments sporadically. It will help to remember what you did and hopefully why you
+did so. It might also be useful as a blueprint for automation e.g. with Ansible. Your older self and your fellows will
+appreciate it.
+
+This repository has instructions on how to install [Debian](debian_setup.sh) and [Gentoo Prefix](gentoo_prefix.sh),
+host [Nextcloud](nextcloud_setup.sh) and [Gitea](gitea.sh), configure [Apache2](apache_setup.sh) and
+[Dovecot](dovecot.sh), create [SSL certificates](openssl_ca_guide.sh), benchmark using/with [FIO](fio.sh),
+define [libvirt domains](libvirt.sh) and much more.
+The guide below shows how to access these notes from a cli and how to add your own.
+
+⚠️ **WARNING:** This repository resembles more of a personal sketchpad than a collection of complete guides. Most
+documents belong to one of two categories, either annotated lists of commands and their arguments, e.g. for
+[LVM](lvm.sh) or [StorCLI](storcli.sh), or step-by-step guides that walk you through all instructions e.g. to set up
+[Nextcloud](nextcloud_setup.sh) or [Gitea](gitea.sh). Most guides miss any explaination of why things are done but
+often list references that point to further documentation. Consider any content as work-in-progress, i.e. parts that I
+use often are continuously refactored and updated while others might be outdated for years. ⚠️
+
+⚠️ **WARNING:** Most guides and notes in this repository presume Debian 8 (Jessie), Debian 8 (Stretch) or
+Debian 10 (Buster) as operating system and Bash as shell if not stated differently. ⚠️
+
+## Requirements and Installation
+
+Get or upgrade to Debian 10 (Buster). Open Bash and enter
+
+```sh
+# Install required packages
+sudo apt install fzf git tre-agrep
+
+# Clone repository
+mkdir -p ~/.local/share/
+git -C ~/.local/share/ clone https://github.com/JM1/shelp.git
+
+# Configure Bash
+cat << EOF >> ~/.bashrc
+# Enable fzf key bindings like Ctrl+R
+. /usr/share/doc/fzf/examples/key-bindings.bash
+
+# Enable shelp key binding (Ctrl+H)
+_shelp_fzf() {
+    FZF_DEFAULT_COMMAND="grep -l '*' *" fzf \
+        --bind "change:reload:tre-agrep -1 -i -l {q} * || true" \
+        --bind "pgup:preview-page-up,pgdn:preview-page-down" \
+        --ansi --layout=reverse-list --border --height 100% --phony --query '' \
+        --preview '[ -n {} ] && less {} '
+}
+
+_shelp() (
+    cd "$HOME/.local/share/shelp/"
+    FILE="$(_shelp_fzf)"
+    [ -n "$FILE" ] && view "$FILE"
+)
+
+bind -x '"\C-h": "_shelp"'
+
+EOF
+
+# (Re)run Bash to apply changes
+bash
+```
+
+## Tutorial
+
+Open a shell and enter any commands. Enter `history` to list previous commands or press <kbd>Ctrl</kbd> + <kbd>R</kbd>
+to fuzzy-find them. Write down a typescript of your shell activity, add comments if appropriate and store everything in
+`~/.local/share/shelp/`. [Keep it simple, stupid](https://en.wikipedia.org/wiki/KISS_principle). Use plain text,
+[Markdown](https://commonmark.org/) or whatever suits your use case best. Use [git](https://git-scm.com/book/) to track
+changes. Later press <kbd>Ctrl</kbd> + <kbd>H</kbd> to fuzzy-find your notes and all examples provided in this
+repository.
+
+## Author
+
+Jakob Meng
+@jm1 ([github](https://github.com/jm1), [galaxy](https://galaxy.ansible.com/jm1), [web](http://www.jakobmeng.de))

active_directory.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+# vim:set syntax=sh:
+# kate: syntax bash;
+# SPDX-License-Identifier: CC-BY-SA-4.0
+# Copyright 2021 Jakob Meng, <[email protected]>
+exit # do not run any commands when file is executed
+#
+# (Active) Directory Integration
+#
+# References:
+# [1] https://www.redhat.com/en/blog/overview-direct-integration-options
+# [2] http://www.burkhard-obergoeker.de/linux2012/index.php/know-how/24-sssd-ad
+
+# Directory integration consists of e.g.:
+# a. Authentication (LDAP)
+# b. Single Sign On (Kerberos)
+# c. Identity Lookup and Mapping
+# d. Policy Management (sudo, hbac, automount, selinux, ...)
+# e. File and Printer Sharing (Samba)
+# ...
+
+# One way of directory integration is a setup utilizing [2]:
+#  - samba
+#  - krb5, pam_krb5
+#  - sssd sssd-ad sssd-tools
+#  - cifs_mount (smbfs)
+#  - pam_mount

apache_http2.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+# vim:set syntax=sh:
+# kate: syntax bash;
+# SPDX-License-Identifier: CC-BY-SA-4.0
+# Copyright 2021 Jakob Meng, <[email protected]>
+exit # do not run any commands when file is executed
+#
+# Enable HTTP/2 module on Apache2
+#
+# Ref.:
+#  https://localhorst.org/http-2-0-debian-9-apache-2-4-umstellung-auf-php-fpm/
+#  https://linuxhostsupport.com/blog/how-to-set-up-apache-with-http-2-support-on-debian-9/
+#  https://httpd.apache.org/docs/2.4/howto/http2.html
+
+a2enmod http2
+
+vi /etc/apache2/sites-enabled/default-ssl.conf
+# Add:
+#  <IfModule mod_ssl.c>
+#  	<VirtualHost _default_:443>
+#  		...
+#  		
+#  		# Enable HTTP/2 module in Apache
+#  		Protocols h2 h2c http/1.1
+#  	</VirtualHost>
+#  </IfModule>
+
+systemctl restart apache2
+
+# Test HTTP/2 connection
+curl -s -v --http2 https://cloud.tree.h-brs.de
+# * Rebuilt URL to: https://cloud.tree.h-brs.de/
+# *   Trying 194.95.66.170...
+# * TCP_NODELAY set
+# * Connected to cloud.tree.h-brs.de (194.95.66.170) port 443 (#0)
+# * ALPN, offering h2
+# * ALPN, offering http/1.1
+# [...]
+# * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
+# * ALPN, server accepted to use h2
+# [...]
+# * Using HTTP2, server supports multi-use
+# * Connection state changed (HTTP/2 confirmed)
+# * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
+# * Using Stream ID: 1 (easy handle 0x555a12168e80)
+# > GET / HTTP/1.1
+# > Host: cloud.tree.h-brs.de
+# > User-Agent: curl/7.52.1
+# > Accept: */*
+# [...]
+
+exit # the end

apache_letsencrypt.sh

@@ -0,0 +1,83 @@
+#!/bin/sh
+# vim:set syntax=sh:
+# kate: syntax bash;
+# SPDX-License-Identifier: CC-BY-SA-4.0
+# Copyright 2021 Jakob Meng, <[email protected]>
+exit # do not run any commands when file is executed
+#
+# Let’s Encrypt for Apache2
+#
+# Ref.:
+#  https://wiki.debian.org/LetsEncrypt
+#  https://certbot.eff.org/lets-encrypt/debianstretch-apache.html
+
+# Suppose saloon.wildwildwest.com is your fqdn.
+
+# On Debian 9 (Stretch)
+# First enable debian's backports repository (apt_repository.sh)
+apt-get install certbot python-certbot-apache -t stretch-backports
+
+# On Debian 10 (Buster)
+apt-get install certbot python-certbot-apache
+
+certbot certonly --apache # write down certificate paths
+
+# Test automatic renewal
+certbot renew --dry-run
+
+# setup certificate paths in Apache2
+vi /etc/apache2/sites-available/default-ssl.conf
+
+# example
+cat << 'EOF' | patch -p0 -d /
+--- /etc/apache2/sites-available/default-ssl.conf.bak1	2019-05-07 21:04:08.666202047 +0200
++++ /etc/apache2/sites-available/default-ssl.conf	2019-06-24 10:32:54.637317669 +0200
+@@ -19,6 +19,7 @@
+ 		# following line enables the CGI configuration for this host only
+ 		# after it has been globally disabled with "a2disconf".
+ 		#Include conf-available/serve-cgi-bin.conf
++                Include /etc/letsencrypt/options-ssl-apache.conf
+ 
+ 		#   SSL Engine Switch:
+ 		#   Enable/Disable SSL for this virtual host.
+@@ -29,8 +30,8 @@
+ 		#   /usr/share/doc/apache2/README.Debian.gz for more info.
+ 		#   If both key and certificate are stored in the same file, only the
+ 		#   SSLCertificateFile directive is needed.
+-		SSLCertificateFile	/etc/ssl/certs/apache2.pem
+-		SSLCertificateKeyFile /etc/ssl/private/apache2.key
++		SSLCertificateFile    /etc/letsencrypt/live/saloon.wildwildwest.com/fullchain.pem
++		SSLCertificateKeyFile /etc/letsencrypt/live/saloon.wildwildwest.com/privkey.pem
+ 
+ 		#   Server Certificate Chain:
+ 		#   Point SSLCertificateChainFile at a file containing the
+@@ -40,7 +41,6 @@
+ 		#   when the CA certificates are directly appended to the server
+ 		#   certificate for convinience.
+ 		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+-		SSLCertificateChainFile /etc/ssl/certs/Hochschule_Bonn-Rhein-Sieg_CA_Zertifikat.crt
+ 
+ 		#   Certificate Authority (CA):
+ 		#   Set the CA certificate verification path where to find CA
+
+EOF
+
+# Confirm that Certbot worked, e.g. via https://www.ssllabs.com/ssltest/
+
+####################
+# Renew certificate for changed hostname
+
+# Change hostname
+reboot
+
+certbot delete --cert-name saloon.wildwildwest.com
+a2dissite default-ssl.conf
+systemctl restart apache2.service
+
+certbot certonly --apache # enter all valid domain names
+
+a2ensite default-ssl.conf
+systemctl restart apache2.service
+certbot renew --dry-run
+
+reboot

apache_localhost.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+# vim:set syntax=sh:
+# kate: syntax bash;
+# SPDX-License-Identifier: CC-BY-SA-4.0
+# Copyright 2021 Jakob Meng, <[email protected]>
+exit # do not run any commands when file is executed
+#
+# Bind Apache2 to localhost / Listen to localhost only
+#
+
+cp -raiv /etc/apache2/ports.conf /etc/apache2/ports.conf.orig
+
+dash # bash interprets tabs which causes problems with patch
+
+cat << 'EOF' | patch -p0 -d /
+--- /etc/apache2/ports.conf.orig	2015-10-24 10:37:19.000000000 +0200
++++ /etc/apache2/ports.conf	2016-06-27 16:44:50.776000000 +0200
+@@ -2,14 +2,14 @@
+ # have to change the VirtualHost statement in
+ # /etc/apache2/sites-enabled/000-default.conf
+ 
+-Listen 80
++Listen localhost:80
+ 
+ <IfModule ssl_module>
+-	Listen 443
++	Listen localhost:443
+ </IfModule>
+ 
+ <IfModule mod_gnutls.c>
+-	Listen 443
++	Listen localhost:443
+ </IfModule>
+ 
+ # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+EOF
+
+exit
+
+service apache2 restart

apache_mod-evasive.sh

@@ -0,0 +1,49 @@
+#!/bin/sh
+# vim:set syntax=sh:
+# kate: syntax bash;
+# SPDX-License-Identifier: CC-BY-SA-4.0
+# Copyright 2021 Jakob Meng, <[email protected]>
+exit # do not run any commands when file is executed
+#
+# Mitigate Denial-of-service attacks using mod-evasive for Apache2
+#
+
+apt-get install libapache2-mod-evasive
+
+cp -raiv /etc/apache2/mods-available/evasive.conf /etc/apache2/mods-available/evasive.conf.orig
+
+mkdir /var/log/mod_evasive
+
+dash # bash interprets tabs which causes problems with patch
+cat << 'EOF' | patch -p0 -d /
+--- /etc/apache2/mods-available/evasive.conf.orig	2014-05-20 10:35:52.000000000 +0200
++++ /etc/apache2/mods-available/evasive.conf	2016-06-28 11:10:39.260000000 +0200
+@@ -1,12 +1,12 @@
+ <IfModule mod_evasive20.c>
+-    #DOSHashTableSize    3097
+-    #DOSPageCount        2
+-    #DOSSiteCount        50
+-    #DOSPageInterval     1
+-    #DOSSiteInterval     1
+-    #DOSBlockingPeriod   10
++    DOSHashTableSize    3097
++    DOSPageCount        2
++    DOSSiteCount        50
++    DOSPageInterval     1
++    DOSSiteInterval     1
++    DOSBlockingPeriod   10
+ 
+-    #DOSEmailNotify      [email protected]
++    DOSEmailNotify      [email protected]
+     #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
+-    #DOSLogDir           "/var/log/mod_evasive"
++    DOSLogDir           "/var/log/mod_evasive"
+ </IfModule>
+EOF
+exit
+
+a2enmod evasive
+
+service apache2 restart
+
+# TODO: Why does not evasive send any mails when dos has been detected?

apache_mod-uwsgi.sh

@@ -0,0 +1 @@
+uwsgi_apache.sh