Liens

Commandes

# mise à jour
adg
sudo apt update && sudo apt upgrade

# reboot
reboot

# shutdown
poweroff

Astuces

# cp is by default an alias to cp -i
# to use cp only:
\cp

# get OS version, kernel version, architecture, hostname
hostnamectl

# create a daemon user
sudo useradd -r -s /usr/sbin/nologin -N -g nogroup <user>

Claim space

journalctl --disk-usage
sudo journalctl --vacuum-time=30d

sudo apt autoremove
sudo du -sh /var/cache/apt
sudo apt autoclean

Apache

Dossier de déploiement des web sites /var/www/html
Dossier des configurations des web sites /etc/apache2/sites-available

# service apache
systemctl restart apache2

PHP

Upgrade to PHP 7.4+

sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:ondrej/apache2
# sudo add-apt-repository ppa:ondrej/nginx-mainline

sudo apt update && sudo apt upgrade

Uninstall old versions

# list installed version of php
dpkg -l "php*"

# stop and disable php-fpm service
sudo systemctl stop php5.6-fpm
sudo systemctl disable php5.6-fpm

# deactivate apache configuration if needed
ls /etc/apache2/conf-enabled/php*

# uninstall php 5.6
sudo apt purge php5.6-common

MySql / MariaDb

L'utilisateur root utilise par défaut l'authentification unix_socket.
Il faut donc utiliser sudo pour se connecter avec root et non pas le mdp.

sudo apt install mariadb-server
# connexion avec root après l'installation
sudo mysql

# status
systemctl status mysql

Upgrade version

# install apt-transport-https and curl if not yet installed
sudo apt-get install apt-transport-https curl

# add mariadb release signing key
sudo curl -o /etc/apt/trusted.gpg.d/mariadb_release_signing_key.asc 'https://mariadb.org/mariadb_release_signing_key.asc'

Add the repo

/etc/apt/sources.list.d/mariadb.list

# MariaDB 10.10 repository list

deb https://mirrors.ircam.fr/pub/mariadb/repo/10.10/ubuntu bionic main
# deb-src https://mirrors.ircam.fr/pub/mariadb/repo/10.10/ubuntu bionic main
# deb https://mirrors.ircam.fr/pub/mariadb/repo/10.10/ubuntu bionic main/debug

# backup
# stop mariadb
sc-stop mariadb
# upgrade
ai mariadb-server
# start mariadb
sc-start mariadb

phpmyadmin

sudo apt install phpmyadmin
# coller dans ncurse: Shift + Insert
# login: phpmyadmin
# url: http://myserver/phpmyadmin

# accorder tous les privilèges au compte phpmyadmin
GRANT ALL ON *.* TO 'phpmyadmin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

Mediawiki

Upgrade

# disable the website
sudo a2dissite mediawiki.conf
sc-reload apache2

wget https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.tar.gz
tar xf mediawiki-*.tar.gz

cd /var/www
# backup the previous version
sudo mv mediawiki mediawiki.bak

sudo mv -T ~/downloads/mediawiki-* mediawiki
sudo chown -R root:root mediawiki
sudo chown -R www-data:www-data mediawiki/cache
sudo chown -R www-data:www-data mediawiki/images
sudo cp -R mediawiki.bak/images/* mediawiki/images
# copy the custom extensions
sudo cp -R mediawiki.bak/extensions/MyCustomExtension mediawiki/extensions
# copy the LocalSettings
sudo cp mediawiki.bak/LocalSettings.php mediawiki

# upgrade the database
cd mediawiki
php maintenance/update.php

# re-enable the website
sudo a2ensite mediawiki.conf
sc-reload apache2

# delete unused folder
sudo rm -rf mediawiki.bak

Install

wget https://releases.wikimedia.org/mediawiki/1.35/mediawiki-1.35.6.tar.gz
tar xf mediawiki-*.tar.gz
sudo mv -T mediawiki-* /var/www/mediawiki

# peut-être pas nécessaire car fait lors de la configuration
CREATE USER 'my_user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE my_wiki;
USE my_wiki;

GRANT ALL ON my_wiki.* TO 'my_user'@'localhost';

Apache Configuration

SSH

openssh est déjà installé et démarré.

# sshfs
sudo apt install sshfs

SSHKeys, connection sans mot de passe
sshfs

OpenVPN

CA certificate

Avec Ubuntu les serveurs CA et VPN sont sur la même machine.

~/openvpn-ca/vars

export KEY_COUNTRY="FR"
export KEY_PROVINCE="Paris"
export KEY_CITY="Paris"
export KEY_ORG="MyOrg"
export KEY_EMAIL="admin@domain.fr"
export KEY_OU="MyUnit"

# X509 Subject Field
export KEY_NAME="myservername"

# copie le contenu du dossier /usr/share/easy-rsa
make-cadir ~/openvpn-ca
cd ~/openvpn-ca

# load variables
source ./vars
./clean-all

# create CA files (keys/ca.crt, keys/ca.key) 
./build-ca

Server certificate

# le fichier openssl.cnf n'existe plus. Il s’appelle openssl-1.0.0.cnf. Il faut donc le lier
ln -s openssl-1.0.0.cnf openssl.cnf
# create missing .rnd file
dd if=/dev/urandom of=$HOME/.rnd bs=256 count=1

# generate a certificate and private key for the server
./build-key-server myservername
# les fichiers suivants sont créés dans le dossier keys
# 01.pem index.txt index.txt.attr myservername.crt myservername.csr myservername.key serial

# generate Diffie Hellman parameters
./build-dh
# generate an HMAC signature
openvpn --genkey --secret keys/ta.key

# copy certificates and keys
cd keys/
cp ca.crt myservername.crt myservername.key ta.key dh2048.pem /etc/openvpn/server

Client certificate

# load variables
source ./vars

./build-key --pass [client-name]
# --pass: Build password-protected key
# --pkcs12: Build key in PKCS#12 format (*.p12 protected with password)
# les fichiers suivants sont créés dans le dossier keys
# 02.pem index.txt index.txt.attr client-name.crt client-name.csr client-name.key serial

# revoke certificate
./revoke-full [client-name]

Server configuration

# copier le fichier de configuration d'exemple
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/server
sudo gzip -d /etc/openvpn/server/server.conf.gz

/etc/openvpn/server/server.conf

ca ca.crt
cert [server-name].crt
key [server-name].key
dh dh2048.pem
tls-auth ta.key 0

# start openvpn with server-name configuration
sc-start openvpn-server@[server-name]

IP forward

/etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# reload sysctl
sudo sysctl -p /etc/sysctl.conf
# restart the procps service
sudo /etc/init.d/procps restart

Firewall

sudo ufw allow 1194/udp comment 'OpenVPN udp port 1194'

/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

/etc/ufw/before.rules

#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter

zsh - oh my zsh

apt install zsh zsh-syntax-highlighting
# zsh install zsh-common

# install oh-my-zsh et change de shell
sh -c "$(wget https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh -O -)"

~/.zshrc

# plugins
plugins=(common-aliases debian extract git sudo systemd wd)

# don't store in history commands prefixed with a space (test with: history | tail)
setopt HIST_IGNORE_SPACE

# zsh-syntax-highlighting, doit être sourcé en dernier
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh

zsh-antigen: plugin manager
zsh-theme-powerlevel9k: Powerline theme

Network Manager

# vérifier que le packet est installé
dpkg -l "network-manager"

# vérifier que le service fonctionne
sc-status NetworkManager

# lister les connections
nmcli c show
# afficher les détails d'une connection
nmcli c show <NAME>

netplan

/etc/netplan/01-netcfg.yaml

network:
    version: 2
    renderer: NetworkManager
    ethernets:
        eth0:
            addresses: [192.168.0.x/24]
            gateway4: 192.168.0.y
            nameservers:
                addresses: [192.168.0.x, 192.168.0.y]

# tester la syntaxe (possibilité de revert)
sudo netplan try

sudo netplan generate
sudo netplan apply
# --debug if you run into some issues
# créé le fichier /run/systemd/network/10-netplan-eth0.network

# vérifier la configuration en cour
netplan ip leases [interface]

pip

sudo apt install python3-pip
# version 9.0.1

# install without sudo
pip install [package]
# installed in ~/.local/bin

.zshenv

export PATH=$PATH:"$HOME/.local/bin"

pip-safe

	Add /usr/local/bin to your PATH

# system-wide installation of a package
sudo -H pip-safe --system install <package>  
# installs a package to /opt/pip-safe/<package> and symlinks its executable to /usr/local/bin

# list installed packages
pip-safe list

# system-wide installation
sudo mkdir -p /opt/pip-safe
sudo chown [current-user]:[current-group] /opt/pip-safe
python3 -m venv /opt/pip-safe/pip-safe
/opt/pip-safe/pip-safe/bin/pip install pip-safe
sudo chown root:root -R /opt/pip-safe
sudo ln -s /opt/pip-safe/pip-safe/bin/pip-safe /usr/local/bin/pip-safe

Let's Encrypt

	certbot version 0.27 is available via apt. To get a newer version, use pip or pip-safe.

sudo -H pip-safe --system install certbot-dns-ovh
sudo ln -s /opt/pip-safe/certbot-dns-ovh/bin/certbot /usr/local/bin/certbot

sudo python3 -m pip install -U certbot certbot-dns-ovh

Install useful bash tools with cargo

# fd !!! unable to install, memory overflow !!!
cargo install fd-find

# dust
cargo install du-dust

# rg
cargo install ripgrep

# bat
cargo install bat
# also installable with the deb package https://github.com/sharkdp/bat/releases

# list packages installed with cargo
cargo install --list
# binaries are installed in ~/.cargo/bin

~/.zshenv

export PATH=$PATH:"$HOME/.cargo/bin"

Rust community’s crate registry

Glances

Service web équivalent à top. Service accessible via host:61208

apt install glances

# démarrer le service web
glances -w

Reverse proxy to the Glances Web UI

/etc/apache2/sites-available/000-default.conf

# redirect host:80/glances to host:61208
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^https?://[^/]+/glances
RewriteCond %{REQUEST_URI} !^/glances
RewriteCond %{THE_REQUEST} ^GET
RewriteRule ^/(.*) /glances/$1 [QSA,R]
ProxyPass /glances/ http://localhost:61208/
ProxyPassReverse /glances/ http://localhost:61208/
Redirect permanent /glances http://n2/glances/

Start Glances through Systemd

/etc/systemd/system/glances-web-ui.service

[Unit]
Description=Glances Web UI
After=network.target

[Service]
ExecStart=/usr/bin/glances -w
Restart=on-abort

[Install]
WantedBy=multi-user.target

Torrent

sudo apt install transmission-daemon
# transmission-cli transmission-common

sc-status transmission-daemon

/etc/transmission-daemon/settings.json

{
    "rpc-port": 9091,
    "rpc-whitelist": "127.0.0.1,192.168.x.x",
    "peer-port": 51413,
    "download-dir": "/var/lib/transmission-daemon/downloads",
    "incomplete-dir": "/var/lib/transmission-daemon/downloads",
    "incomplete-dir-enabled": false,
}

Amule

sudo apt install amule-daemon

sc-status amule-daemon

# create an amule user
useradd -r -d /var/lib/amule-daemon -s /usr/sbin/nologin amule

# generate md5 hash from password
echo -n password | md5sum | cut -d ' ' -f1

/etc/default/amule-daemon

# The init.d script will only run if this variable non-empty.
AMULED_USER="amule"

# You can set this variable to make the daemon use an alternative HOME.
# The daemon will use $AMULED_HOME/.aMule as the directory, so if you
# want to have $AMULED_HOME the real root (with an Incoming and Temp
# directories), you can do `ln -s . $AMULED_HOME/.aMule`.
AMULED_HOME="/var/lib/amule-daemon"

/var/lib/amule-daemon/.aMule/amule.conf

Port=4662
UDPPort=4672
TempDir=/var/lib/amule-daemon/.aMule/Temp
IncomingDir=/var/lib/amule-daemon/.aMule/Incoming

[ExternalConnect]
ECPort=4712
ECPassword=ef7628c92bff39c0b3532d36a617cf09

MiniDLNA

# install
sudo apt install minidlna

Ufw and MiniDLNA

.NET Core

Install .NET SDK or .NET Runtime on Ubuntu 18.04

ARM64 support requires Linux kernel 4.14 or higher.

Installation

Download the ASP.NET Core Runtime → Linux ARM64 Binaries

# download the archive
wget https://download.visualstudio.microsoft.com/download/.../aspnetcore-runtime-x-linux-arm64.tar.gz
# create the dotnet folder
mkdir dotnet
# extract the archive in the dotnet folder
tar zxf aspnetcore-runtime-x-linux-arm64.tar.gz -C dotnet

sudo mv dotnet /usr/share
sudo chown root:root -R /usr/share/dotnet

export DOTNET_ROOT=/usr/share/dotnet
export PATH=$PATH:/usr/share/dotnet

# test
dotnet --info

# sdk
wget https://download.visualstudio.microsoft.com/download/.../dotnet-sdk-x-linux-arm64.tar.gz
tar xzf dotnet-sdk-x-linux-arm64.tar.gz

~/.zshenv

# .NET Core
export DOTNET_ROOT="/usr/share/dotnet"
export PATH=$PATH:"/usr/share/dotnet"

Console

# create the project
dotnet new console -o dotnet-console

# build the project
cd dotnet-console
dotnet build

# run the binary
bin/Debug/netcoreapp3.1/dotnet-console

ASP.NET Core with React.js and Redux

# create the project
dotnet new reactredux -o dotnet-reactredux

# install node.js and npm
sudo apt install nodejs npm

# build the project
cd dotnet-reactredux
dotnet build

# start the server
dotnet run

Apache et dotnet core

Blazor

SQL Server 2019

SQL Server is not supported on ARM architecture.

Gitweb

sudo apt install gitweb
# /etc/apache2/conf-available/gitweb.conf
# /etc/gitweb.conf
# /usr/lib/cgi-bin/gitweb.cgi -> ../../share/gitweb/gitweb.cgi (installed by git)

# enable cgid module if not already done
sudo apachectl -M | grep cgi
# cgid_module (shared)
sudo a2enmod cgid

Use gitolite repositories

/etc/gitweb.conf

$projectroot = "/var/lib/gitolite3/repositories";

# only user gitolite3 can access to /var/lib/gitolite3/repositories
# and gitweb runs under the www-data user
# here is a way to give access at user www-data to /var/lib/gitolite3/repositories
sudo setfacl -RPm u:www-data:rX /var/lib/gitolite3/repositories

Gitolite

# before install copy your local ssh public key to the server (~/.ssh/id_rsa.pub → /tmp/<user>.pub)
sudo apt install gitolite3
# during installation a ssh public key is asked to allow the administrator to login, select the ssh public key you copied to the server
# installation creates the user gitolite3 and its home directory /var/lib/gitolite3

# test if it worked
ssh gitolite3@<server> info
# hello admin, this is gitolite3@<server> running gitolite3 3.6.7-2 (Debian) on git 2.17.1

# clone the admin repository
git clone gitolite3@<server>:gitolite-admin

# create a new repo
# clone gitolite-admin repo, edit gitolite.conf to add the repo, commit the change
# add the newly created remote repository to your already existing local git repo
git remote add origin gitolite3@<server>:<project>
# push and set the remote as upstream
git push --set-upstream origin master

conf/gitolite.conf

# add new repo
repo new_repo
    RW+     =   @all

Commit and push to apply changes.

GitLab

Not supported on ARM architecture

# install and configure the necessary dependencies 
sudo apt install curl openssh-server ca-certificates postfix

# add the GitLab package repository (package source /etc/apt/sources.list.d/ and GPG keys)
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash

# installation
sudo EXTERNAL_URL="https://gitlab.example.com" apt-get install gitlab-ce

Roundcube

Version available 1.3.6 supports PHP version >=5.4 <=7.3

/etc/apache2/sites-available/roundcube.conf

    <FilesMatch "\.php$">
        # force php 7.4
        SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
        SSLOptions +StdEnvVars
    </FilesMatch>

Installation

# ajouter un compte (-m: create the user's home directory)
sudo useradd -m -G users,sudo <username>

# changer le mot de passe d'un autre compte
sudo passwd <username>

# afficher la configuration courante (se reloguer pour voir les changements)
locale
# liste les locales disponibles
locale -a
# ajouter une locale (modifie le fichier /etc/locale.gen)
sudo locale-gen fr_CH.UTF-8
# définir une LANG (modifie la fichier /etc/default/locale)
update-locale LANG=fr_CH.UTF-8

# get current time zone
timedatectl status
# list all available time zone
timedatectl list-timezones
# set a timezone
sudo timedatectl set-timezone Europe/Paris

locale

Errors

Blank man pages

sudo apt install apparmor-utils 
sudo aa-disable /usr/bin/man