Alpine Linux - User contributions [en]

Talk:Cron

2025-09-15T16:45:13Z

Nangel:

Hello. My name is Grey, I am a beginner with Alpine Linux. I would like to know how I can change mac address on my PC running alpine linux 3.22 std. In Debian, I open the terminal and type "sudo crontab -e", I go to the bottom of the script and I add "@reboot macchanger -r wlan0", I save it, and when I reboot my PC, it changes mac address automatically. How can I do it in Alpine? Thank you very much for your kind help. Grey
:Hi [[User:Grey|Grey]], You can use the following command {{ic|$ apk search Cmd:macchanger}} to find the package that contains the command of interest i.e {{ic|macchanger-1.7.0-r3}} . The output shows that the package name is {{pkg|macchanger}} and it can be installed using {{ic|# apk add macchanger}}. Please refer to [[apk]] page for more info. In future, please consider using other [[Support]] channels like [[IRC]] etc... - [[User:Prabuanand|Prabuanand]] ([[User talk:Prabuanand|talk]]) 13:43, 15 September 2025 (UTC)

:Hi [[User:Grey|Grey]], if you don't want to add an extra apk to your system, and you are using ifupdown-ng (should be default these days), add the following pre-up command to your stanza for your wlan0 interface. For example:

auto wlan0
iface wlan0 inet dhcp
.
.
.
# **** To get our special mac addr *****
pre-up ip link set $IFACE addr de:ad:be:ef:ca:fe
.
.
.

Just another alternative.

Talk:Alpine configuration management scripts

2024-08-19T11:10:03Z

Nangel:

== Automate Alpine Linux installation ==

I am trying to achieve unattended Alpine Linux installation. I went through the Alpine automatic installation guide via setup-alpine script, but when I follow this guide there are many manual interventions are needed during the installation!
one during writing the root user name, another time when creating the answer file (setup-alpine -c answerfileName), editing the answer file, calling the actual installation command (setup-alpine -f answerfileName) and reset the root password. Is there any way to include the answer file inside the ISO image and select the root user by default before starting the installation and set its password as well after the installation is done (something similar to the kickstart file in the debian distros) ? 
— Preceding unsigned comments added by [[User:Khaled.elgohary|Khaled.elgohary ]] ([[User talk:Khaled.elgohary #top|talk]] • [[Special:Contributions/Khaled.elgohary |contribs]]) 12:20, 7 February 2022‎

The [[https://wiki.alpinelinux.org/wiki/Alpine_setup_scripts#setup-alpine| setup-alpine]] section currently gives instructions that may appear to be contradictory:

"17. if installation mode selected during setup-disk was "data" instead of "sys", then: setup-lbu [/media/sdb1]

18. if installation mode selected during setup-disk was "data" instead of "sys", then: setup-apkcache [/media/sdb1/cache | none]"

One of these presumably refers to the case for "sys", but which?

---

Both are correct and refer to the same situation. If you set up a disk for "data", then the installation is "run-from-RAM", but with a disk for "data". In that case, you want to use lbu to keep the in-RAM configs on the boot media. You also want apkcache to be able to update the apks on the boot media. - nangel

Talk:Using Unbound as an Ad-blocker

2024-02-16T03:47:27Z

Nangel: Done.

==Mention of modern browsers' attempts to bypass DNS blocking of ad servers==
The article could also use an entire section explaining how modern browsers, especially Chrome, attempt to use DNS over HTTPS to bypass the system configured DNS server under the guise of privacy (but lets face it, Google has financial incentive to prevent people from blocking ad.doubleclick.com)... An unbound configuration that prevents bootstrapping of popular DoH servers could help. Something like:
<div class="toccolours mw-collapsible mw-collapsed"><div class="mw-collapsible-content"><pre>
server:
#These three domains require special handling
local-zone: "resolver.arpa" redirect
local-zone: "doh.dns.apple.com" redirect
local-zone: "use-application-dns.net" always_nxdomain
local-zone: "cloudflare-dns.com" static
local-zone: "dns-tunnel-check.googlezip.net" always_refuse
#All other domains, lie and provide our own IP
local-data: "doh.dns.apple.com.v.aaplimg.com. 120 IN A 192.168.0.1"
local-data: "doh.42l.fr. 120 IN A 192.168.0.1"
local-data: "i.233py.com. 120 IN A 192.168.0.1"
local-data: "i.233py.com.a.bdydns.com. 120 IN A 192.168.0.1"
local-data: "opencdn.jomodns.com. 120 IN A 192.168.0.1"
local-data: "dns.233py.com. 120 IN A 192.168.0.1"
local-data: "dns.233py.com.cdn.cloudflare.net. 120 IN A 192.168.0.1"
local-data: "edns.233py.com. 120 IN A 192.168.0.1"
local-data: "ndns.233py.com. 120 IN A 192.168.0.1"
local-data: "sdns.233py.com. 120 IN A 192.168.0.1"
local-data: "wdns.233py.com. 120 IN A 192.168.0.1"
local-data: "dns-gcp.aaflalo.me. 120 IN A 192.168.0.1"
local-data: "dns-nyc.aaflalo.me. 120 IN A 192.168.0.1"
local-data: "dns.aaflalo.me. 120 IN A 192.168.0.1"
local-data: "doh.abmb.win. 120 IN A 192.168.0.1"
local-data: "doh2.abmb.win. 120 IN A 192.168.0.1"
local-data: "dns.adguard.com. 120 IN A 192.168.0.1"
local-data: "dns-family.adguard.com. 120 IN A 192.168.0.1"
local-data: "dns-unfiltered.adguard.com. 120 IN A 192.168.0.1"
local-data: "dns.adguard-dns.com. 120 IN A 192.168.0.1"
local-data: "family.adguard-dns.com. 120 IN A 192.168.0.1"
local-data: "unfiltered.adguard-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.nl.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.in.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.la.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.ny.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.pl.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.it.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.es.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.no.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.chi.ahadns.net. 120 IN A 192.168.0.1"
local-data: "doh.au.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.nl.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.in.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.la.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.ny.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.pl.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.it.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.es.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.no.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.chi.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dot.au.ahadns.net. 120 IN A 192.168.0.1"
local-data: "dnses.alekberg.net. 120 IN A 192.168.0.1"
local-data: "dnsnl.alekberg.net. 120 IN A 192.168.0.1"
local-data: "dnsse.alekberg.net. 120 IN A 192.168.0.1"
local-data: "dns.alidns.com. 120 IN A 192.168.0.1"
local-data: "doh.appliedprivacy.net. 120 IN A 192.168.0.1"
local-data: "doh.applied-privacy.net. 120 IN A 192.168.0.1"
local-data: "dot1.applied-privacy.net. 120 IN A 192.168.0.1"
local-data: "doh.armadillodns.net. 120 IN A 192.168.0.1"
local-data: "dohtrial.att.net. 120 IN A 192.168.0.1"
local-data: "doh1.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh1.b-cdn.net. 120 IN A 192.168.0.1"
local-data: "doh2.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh2.b-cdn.net. 120 IN A 192.168.0.1"
local-data: "dot-ch.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh-ch.blahdns.com. 120 IN A 192.168.0.1"
local-data: "dot-fi.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh-fi.blahdns.com. 120 IN A 192.168.0.1"
local-data: "dot-de.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh-de.blahdns.com. 120 IN A 192.168.0.1"
local-data: "dot-jp.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh-jp.blahdns.com. 120 IN A 192.168.0.1"
local-data: "dot-sg.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh-sg.blahdns.com. 120 IN A 192.168.0.1"
local-data: "doh.blockerdns.com. 120 IN A 192.168.0.1"
local-data: "doh.bortzmeyer.fr. 120 IN A 192.168.0.1"
local-data: "dns.brahma.world. 120 IN A 192.168.0.1"
local-data: "bravedns.com. 120 IN A 192.168.0.1"
local-data: "doh.captnemo.in. 120 IN A 192.168.0.1"
local-data: "ibuki.cgnat.net. 120 IN A 192.168.0.1"
local-data: "canadianshield.cira.ca. 120 IN A 192.168.0.1"
local-data: "dns.cloudflare.com. 120 IN A 192.168.0.1"
local-data: "one.one.one.one. 120 IN A 192.168.0.1"
local-data: "cloudflare-gateway.com. 120 IN A 192.168.0.1"
local-data: "doh.cleanbrowsing.org. 120 IN A 192.168.0.1"
local-data: "security-filter-dns.cleanbrowsing.org. 120 IN A 192.168.0.1"
local-data: "adult-filter-dns.cleanbrowsing.org. 120 IN A 192.168.0.1"
local-data: "family-filter-dns.cleanbrowsing.org. 120 IN A 192.168.0.1"
local-data: "dns.cmrg.net. 120 IN A 192.168.0.1"
local-data: "commons.host. 120 IN A 192.168.0.1"
local-data: "dns.containerpi.com. 120 IN A 192.168.0.1"
local-data: "dohdot.coxlab.net. 120 IN A 192.168.0.1"
local-data: "doh.crypto.sx. 120 IN A 192.168.0.1"
local-data: "jit.ddns.net. 120 IN A 192.168.0.1"
local-data: "dns.decloudus.com. 120 IN A 192.168.0.1"
local-data: "doh.defaultroutes.de. 120 IN A 192.168.0.1"
local-data: "dns.developer.li. 120 IN A 192.168.0.1"
local-data: "dns2.developer.li. 120 IN A 192.168.0.1"
local-data: "dns.digitale-gesellschaft.ch. 120 IN A 192.168.0.1"
local-data: "dns1.digitale-gesellschaft.ch. 120 IN A 192.168.0.1"
local-data: "dns2.digitale-gesellschaft.ch. 120 IN A 192.168.0.1"
local-data: "doh.disconnect.app. 120 IN A 192.168.0.1"
local-data: "ns1.recursive.dnsbycomodo.com. 120 IN A 192.168.0.1"
local-data: "ns2.recursive.dnsbycomodo.com. 120 IN A 192.168.0.1"
local-data: "dnsforge.de. 120 IN A 192.168.0.1"
local-data: "dns.google. 120 IN A 192.168.0.1"
local-data: "dns.dnshome.de. 120 IN A 192.168.0.1"
local-data: "dns1.dnscrypt.ca. 120 IN A 192.168.0.1"
local-data: "dns2.dnscrypt.ca. 120 IN A 192.168.0.1"
local-data: "doh.dnslify.com. 120 IN A 192.168.0.1"
local-data: "a.ns.dnslify.com. 120 IN A 192.168.0.1"
local-data: "b.ns.dnslify.com. 120 IN A 192.168.0.1"
local-data: "a.safe.ns.dnslify.com. 120 IN A 192.168.0.1"
local-data: "b.safe.ns.dnslify.com. 120 IN A 192.168.0.1"
local-data: "a.family.ns.dnslify.com. 120 IN A 192.168.0.1"
local-data: "b.family.ns.dnslify.com. 120 IN A 192.168.0.1"
local-data: "dns.dnsoverhttps.net. 120 IN A 192.168.0.1"
local-data: "dns.dns-over-https.com. 120 IN A 192.168.0.1"
local-data: "adblock-dot.dnswarden.com. 120 IN A 192.168.0.1"
local-data: "adult-filter-dot.dnswarden.com. 120 IN A 192.168.0.1"
local-data: "doh.dnswarden.com. 120 IN A 192.168.0.1"
local-data: "ecs-doh.dnswarden.com. 120 IN A 192.168.0.1"
local-data: "uncensored-dot.dnswarden.com. 120 IN A 192.168.0.1"
local-data: "doh.li. 120 IN A 192.168.0.1"
local-data: "doh.ffmuc.net. 120 IN A 192.168.0.1"
local-data: "dot.ffmuc.net. 120 IN A 192.168.0.1"
local-data: "rdns.faelix.net. 120 IN A 192.168.0.1"
local-data: "pdns.faelix.net. 120 IN A 192.168.0.1"
local-data: "dns.flatuslifir.is. 120 IN A 192.168.0.1"
local-data: "dns.google.com. 120 IN A 192.168.0.1"
local-data: "google-public-dns-a.google.com. 120 IN A 192.168.0.1"
local-data: "google-public-dns-b.google.com. 120 IN A 192.168.0.1"
local-data: "query.hdns.io. 120 IN A 192.168.0.1"
local-data: "ordns.he.net. 120 IN A 192.168.0.1"
local-data: "dns.hostux.net. 120 IN A 192.168.0.1"
local-data: "opennic.i2pd.xyz. 120 IN A 192.168.0.1"
local-data: "public.dns.iij.jp. 120 IN A 192.168.0.1"
local-data: "jcdns.fun. 120 IN A 192.168.0.1"
local-data: "us1.dns.lavate.ch. 120 IN A 192.168.0.1"
local-data: "eu1.dns.lavate.ch. 120 IN A 192.168.0.1"
local-data: "resolver-eu.lelux.fi. 120 IN A 192.168.0.1"
local-data: "doh.libredns.org. 120 IN A 192.168.0.1"
local-data: "dot.libredns.gr.com. 120 IN A 192.168.0.1"
local-data: "dot.libredns.gr. 120 IN A 192.168.0.1"
local-data: "doh.libredns.gr. 120 IN A 192.168.0.1"
local-data: "jarjar.meganerd.nl. 120 IN A 192.168.0.1"
local-data: "dns.mrkaran.dev. 120 IN A 192.168.0.1"
local-data: "adblock.mydns.network. 120 IN A 192.168.0.1"
local-data: "dns.neutopia.org. 120 IN A 192.168.0.1"
local-data: "dns.aa.net.uk. 120 IN A 192.168.0.1"
local-data: "doh.netweaver.uk. 120 IN A 192.168.0.1"
local-data: "dns.nextdns.io. 120 IN A 192.168.0.1"
local-data: "dns1.nextdns.io. 120 IN A 192.168.0.1"
local-data: "dns2.nextdns.io. 120 IN A 192.168.0.1"
local-data: "odvr.nic.cz. 120 IN A 192.168.0.1"
local-data: "dns.nixnet.xyz. 120 IN A 192.168.0.1"
local-data: "lv1.nixnet.xyz. 120 IN A 192.168.0.1"
local-data: "ny1.nixnet.xyz. 120 IN A 192.168.0.1"
local-data: "lux1.nixnet.xyz. 120 IN A 192.168.0.1"
local-data: "dns.njal.la. 120 IN A 192.168.0.1"
local-data: "doh.opendns.com. 120 IN A 192.168.0.1"
local-data: "doh.familyshield.opendns.com. 120 IN A 192.168.0.1"
local-data: "doh.sandbox.opendns.com. 120 IN A 192.168.0.1"
local-data: "resolver1.opendns.com. 120 IN A 192.168.0.1"
local-data: "resolver2.opendns.com. 120 IN A 192.168.0.1"
local-data: "resolver1-fs.opendns.com. 120 IN A 192.168.0.1"
local-data: "resolver2-fs.opendns.com. 120 IN A 192.168.0.1"
local-data: "dns.oszx.co. 120 IN A 192.168.0.1"
local-data: "a.passcloud.xyz. 120 IN A 192.168.0.1"
local-data: "i.passcloud.xyz. 120 IN A 192.168.0.1"
local-data: "doh.post-factum.tk. 120 IN A 192.168.0.1"
local-data: "doh.powerdns.org. 120 IN A 192.168.0.1"
local-data: "rpz-public-resolver1.rrdns.pch.net. 120 IN A 192.168.0.1"
local-data: "dns.pumplex.com. 120 IN A 192.168.0.1"
local-data: "dns.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns9.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns10.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns11.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns12.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns13.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns-nosec.quad9.net. 120 IN A 192.168.0.1"
local-data: "dns.rubyfish.cn. 120 IN A 192.168.0.1"
local-data: "ea-dns.rubyfish.cn. 120 IN A 192.168.0.1"
local-data: "uw-dns.rubyfish.cn. 120 IN A 192.168.0.1"
local-data: "rumpelsepp.org. 120 IN A 192.168.0.1"
local-data: "dns1.ryan-palmer.com. 120 IN A 192.168.0.1"
local-data: "doh.securedns.eu. 120 IN A 192.168.0.1"
local-data: "ads-doh.securedns.eu. 120 IN A 192.168.0.1"
local-data: "dot.securedns.eu. 120 IN A 192.168.0.1"
local-data: "doh.seby.io. 120 IN A 192.168.0.1"
local-data: "doh-2.seby.io. 120 IN A 192.168.0.1"
local-data: "dot.seby.io. 120 IN A 192.168.0.1"
local-data: "2.dnscrypt-cert.dns.seby.io. 120 IN A 192.168.0.1"
local-data: "dnsovertls.sinodun.com. 120 IN A 192.168.0.1"
local-data: "dnsovertls1.sinodun.com. 120 IN A 192.168.0.1"
local-data: "dnsovertls2.sinodun.com. 120 IN A 192.168.0.1"
local-data: "dnsovertls3.sinodun.com. 120 IN A 192.168.0.1"
local-data: "fi.doh.dns.snopyta.org. 120 IN A 192.168.0.1"
local-data: "fi.dot.dns.snopyta.org. 120 IN A 192.168.0.1"
local-data: "dns.switch.ch. 120 IN A 192.168.0.1"
local-data: "ibksturm.synology.me. 120 IN A 192.168.0.1"
local-data: "dns.t53.de. 120 IN A 192.168.0.1"
local-data: "dns.therifleman.name. 120 IN A 192.168.0.1"
local-data: "doh.tiar.app. 120 IN A 192.168.0.1"
local-data: "dot.tiar.app. 120 IN A 192.168.0.1"
local-data: "doh.tiarap.org. 120 IN A 192.168.0.1"
local-data: "jp.tiar.app. 120 IN A 192.168.0.1"
local-data: "jp.tiarap.org. 120 IN A 192.168.0.1"
local-data: "dns.twnic.tw. 120 IN A 192.168.0.1"
local-data: "doh.this.web.id. 120 IN A 192.168.0.1"
local-data: "dns.wugui.zone. 120 IN A 192.168.0.1"
local-data: "dns-asia.wugui.zone. 120 IN A 192.168.0.1"
local-data: "adfree.usableprivacy.net. 120 IN A 192.168.0.1"
local-data: "doh.xfinity.com. 120 IN A 192.168.0.1"
local-data: "doh.gslb2.xfinity.com. 120 IN A 192.168.0.1"
local-data: "fdns1.dismail.de. 120 IN A 192.168.0.1"
local-data: "fdns2.dismail.de. 120 IN A 192.168.0.1"
local-data: "anycast.censurfridns.dk. 120 IN A 192.168.0.1"
local-data: "unicast.censurfridns.dk. 120 IN A 192.168.0.1"
local-data: "anycast.uncensoreddns.org. 120 IN A 192.168.0.1"
local-data: "unicast.uncensoreddns.org. 120 IN A 192.168.0.1"
local-data: "dns.comss.one. 120 IN A 192.168.0.1"
local-data: "dns.east.comss.one. 120 IN A 192.168.0.1"
local-data: "dns-doh.dnsforfamily.com. 120 IN A 192.168.0.1"
local-data: "dns-dot.dnsforfamily.com. 120 IN A 192.168.0.1"
local-data: "dns.cfiec.net. 120 IN A 192.168.0.1"
local-data: "asia.dnscepat.id. 120 IN A 192.168.0.1"
local-data: "eropa.dnscepat.id. 120 IN A 192.168.0.1"
local-data: "doh.360.cn. 120 IN A 192.168.0.1"
local-data: "dot.360.cn. 120 IN A 192.168.0.1"
local-data: "doh.pub. 120 IN A 192.168.0.1"
local-data: "dns.pub. 120 IN A 192.168.0.1"
local-data: "dot.pub. 120 IN A 192.168.0.1"
local-data: "kaitain.restena.lu. 120 IN A 192.168.0.1"
local-data: "getdnsapi.net. 120 IN A 192.168.0.1"
local-data: "dns.larsdebruin.net. 120 IN A 192.168.0.1"
local-data: "dns-tls.bitwiseshift.net. 120 IN A 192.168.0.1"
local-data: "ns1.dnsprivacy.at. 120 IN A 192.168.0.1"
local-data: "ns2.dnsprivacy.at. 120 IN A 192.168.0.1"
local-data: "dns.bitgeek.in. 120 IN A 192.168.0.1"
local-data: "privacydns.go6lab.si. 120 IN A 192.168.0.1"
local-data: "dnsotls.lab.nic.cl. 120 IN A 192.168.0.1"
local-data: "tls-dns-u.odvr.dns-oarc.net. 120 IN A 192.168.0.1"
local-data: "doh.centraleu.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "dot.centraleu.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.northeu.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "dot.northeu.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.westus.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "dot.westus.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.eastus.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "dot.eastus.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.eastau.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "dot.eastau.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.eastas.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "dot.eastas.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "doh.pi-dns.com. 120 IN A 192.168.0.1"
local-data: "freedns.controld.com. 120 IN A 192.168.0.1"
local-data: "doh.mullvad.net. 120 IN A 192.168.0.1"
local-data: "dns.arapurayil.com. 120 IN A 192.168.0.1"
local-data: "dot.xfinity.com. 120 IN A 192.168.0.1"
local-data: "dot.cox.net. 120 IN A 192.168.0.1"
local-data: "doh.cox.net. 120 IN A 192.168.0.1"
local-data: "dns.sb. 120 IN A 192.168.0.1"
local-data: "8888.google. 120 IN A 192.168.0.1"
local-data: "doh.quickline.ch. 120 IN A 192.168.0.1"
local-data: "doh-02.spectrum.com. 120 IN A 192.168.0.1"
local-data: "doh-01.spectrum.com. 120 IN A 192.168.0.1"
local-data: "mask.icloud.com. 120 IN A 192.168.0.1"
local-data: "mask-h2.icloud.com. 120 IN A 192.168.0.1"
local-data: "dandelionsprout.asuscomm.com. 120 IN A 192.168.0.1"
local-data: "basic.rethinkdns.com. 120 IN A 192.168.0.1"
local-data: "max.rethinkdns.com. 120 IN A 192.168.0.1"
local-data: "dns.levonet.sk. 120 IN A 192.168.0.1"
local-data: "chromium.dns.nextdns.io. 120 IN A 192.168.0.1"
local-data: "dot.quickline.ch. 120 IN A 192.168.0.1"
local-data: "doh.quickline.ch. 120 IN A 192.168.0.1"
</pre></div></div>
–[[User:zcrayfish|zcrayfish]] ([[User talk:zcrayfish|talk]]•[[Special:Contributions/zcrayfish|contribs]]•[[Special:EmailUser/zcrayfish|send email]]) 06:51, 15 February 2024 (UTC)

Using Unbound as an Ad-blocker

2024-02-16T03:46:42Z

Nangel: /* Background */

== Basic Components ==

You should have {{Pkg|dnsmasq}} (or another DHCP server) and [[Setting_up_unbound_DNS_server|unbound]] both working on your network.

== Setting up Unbound To Block/Refuse unwanted addresses ==

There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:
*https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
*https://sysctl.org/cameleon/hosts
*https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
*https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in {{path|/etc/hosts}} and be done). We will use the hosts file format:

unbound needs to include the <code>blacklists.conf</code> file into its main configuration. To do so, we need to create the include file in the following format:

{{Cat|/etc/unbound/blacklists.conf|server:

local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse}}

Here is an example shell script to download the
[https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts StevenBlack]
hosts file, and then format it for unbound:

<pre>
#!/bin/sh

echo "server:" >/etc/unbound/blacklist.conf
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
grep ^0.0.0.0 - | \
sed 's/ #.*$//;
s/^0.0.0.0 $.*$/local-zone: "\1" refuse/' \
>>/etc/unbound/blacklist.conf
</pre>

You can run this once, or as part of a periodic cron task.

In the {{path|/etc/unbound/unbound.conf}}, add the following line somewhere in the config:

{{Cat|/etc/unbound/unbound.conf|#include "/etc/unbound/blacklist.conf"}}

Reload unbound, and verify the config loads.

== Dnsmasq configuration ==

Dnsmasq defaults to using the resolver in {{path|/etc/resolv.conf}} — if unbound is listening on <code>127.0.0.1</code>, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine — use the dhcp-option configuration in dnsmasq:

<pre>
dhcp-option=6,[ip-of-unbound-server]
</pre>

Enjoy Ad-Free browsing!

[[Category:Networking]]

Dynamic Multipoint VPN (DMVPN) Phase 3 with Quagga NHRPd

2023-07-29T21:44:06Z

Nangel: /* Awall */ Update link on differences between phase 1,2,3

{{merge|Dynamic Multipoint VPN (DMVPN)}}
{{TOC right}}

= THIS DOC IS STILL A DRAFT =

= Overview =
This is a follow-up of the most famous document [http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)],
since opennhrp has been rewritten as quagga plugin [1], supporting interoperability with new Cisco's FlexVPN and Strongswan.

This NHRP implementation has some limits yet (Multicast is not ready, so you need to use BGP rather than OSPF), though is usable in a production environment.

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

This How-To will show you how to configure a DMVPN solution with this key items:

.1 VPN setup with Strongswan with PSK for the authentication (same PSK between all of the spokes and hub)

.2 DMVPN setup with quagga.nhrpd;

.3 iBGP used for announce LAN subnet

.4 Awall rules to allow NHRP shortcuts between spokes

The goal is making private network of spoke's nodes and hub to communicate each other over VPN created dynamically.
Routes are learned via BGP, and hte IPSEC VPN is authenticated via PSK.

The logical setup is configured as shown:

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

= Hardware =

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Alpine Installation =

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

= Spoke Nodes =

== Spoke Node 1 ==

== Networking ==

We're going to setup the spoke node 1 as follow:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="3"|Spoke 1
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.10.0/24
|-
|gre1
|Tunnel
|172.16.1.1
|-
|rowspan="3"|Spoke 2
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.20.0/24
|-
|gre1
|Tunnel
|172.16.2.1
|-
|rowspan="3"|Spoke 3
|eth0
|Internet
|90.100.150.200
|-
|eth1
|LAN
|192.168.30.0/24
|-
|gre1
|Tunnel
|172.16.3.1
|-
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0
}}

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.1.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>
connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = spoke1
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

== Routing ==

This section will configure the routing protocol suite quagga patched with NHRP support.

{{Cmd|apk add quagga-nhrp
touch /etc/quagga/zebra.conf /etc/quagga/bgpd.conf /etc/quagga/nhrpd.conf}}}

Fix permissions:
{{Cmd|chown -R quagga:quagga /etc/quagga}}}

Start all the daemons:

{{Cmd|/etc/init.d/zebra start
/etc/init.d/bgpd start
/etc/init.d/nhrpd start
}}

Configure it to start from boot:
{{Cmd|rc-update add zebra nhrpd bgpd}}

Now we're going to configure it with <code>vtysh</code> cli:

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.1.1
network 192.168.10.0/24
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp next-hop-self
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.0.1 peer-group spokes-ibgp
exit

nhrp nflog-group 1
interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

= Hub Node =

We will document only what changes from the Spoke node setup.

== Networking ==

The NHS (Hub) has the following settings:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="2"|Hub
|eth0
|Internet
|50.60.70.80
|-
|eth1
|LAN
|192.168.1.0/24
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 50.60.70.80
netmask 255.255.255.0
gateway 50.60.70.1

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.0.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new gre1 interface:

{{Cmd|ifup gre1}}

== Routing ==

Again, routing is configured directly with <code>vtysh</code>

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.0.1
bgp deterministic-med
network 172.16.0.0/16
redistribute nhrp
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp route-reflector-client
neighbor spokes-ibgp next-hop-self all
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.1.1 peer-group spokes-ibgp
exit

interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have.
For instance, if you want to add spoke node with gre1 address 172.16.3.1:

{{Cmd|vtysh
conf t
router bgp 65000
neighbor 172.16.3.1 peer-group spokes-ibgp
exit
write mem
}}

== Awall ==

Differently from DMVPN Phase 2, in the Phase 3 DMVPN the HUB is the default gateway for all the spokes, then the spokes are able to communicate directly each other by means of NHRP redirects.

(For a good explanation of the differences between Phase 1, Phase 2 and Phase 3 DMVPN, see https://ine.com/blog/2008-12-23-dmvpn-phase-3).

This is implemented by sending traffic indication notifications with iptables nflog.

This is the complete firewall configuration for the HUB, using Alpine Firewall Framework, Awall [http://wiki.alpinelinux.org/wiki/Alpine_Wall].

With your favorite editor open <code>/etc/awall/optional/zones.json</code>:

{{cat|/etc/awall/optional/zones.json|<nowiki>

{
"description": "Zones - zone definition for management",

"variable": {
"SUBNETS": [ "192.168.0.0/16", "172.16.0.0/16" ]
},

"zone": {
"DMVPN": { "addr": "$SUBNETS" }
}
}
</nowiki>}}

Now, create <code>/etc/awall/optional/inet.json</code>:

{{cat|/etc/awall/optional/inet.json|<nowiki>
{
"description": "Internet - Host Management (rate limited)",

"zone": {
"INET": { "iface": "eth0" }
},

"policy": [
{ "in": "INET", "action": "drop" }
],

"filter": [
{
"in": "INET",
"out": "_fw",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "INET",
"out": "_fw",
"service": "ssh",
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},
{
"in": "_fw",
"out": "INET",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
</nowiki>}}

Now, the DMVPN rule:

{{cat|/etc/awall/optional/dmvpn.json|<nowiki>
{
"description": "DMVPN specific rules",

"import": [ "inet", "zones" ],

"variable": {
"HUB": true
},

"policy": [
{ "in": "DMVPN", "out": "DMVPN", "action": "accept" }
],

"zone": {
"DMVPN": { "iface": "gre1", "addr": "$SUBNETS", "route-back": "$HUB" }
},

"filter": [
{ "in": "INET", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "INET", "service": "ipsec", "action": "accept" },
{
"in": "INET",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "INET",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "DMVPN", "service": "bgp", "action": "accept" },
{ "in": "DMVPN", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "INET", "dest": "$SUBNETS", "action": "reject" }
]
}
</nowiki>}}

Management interface allowed traffic:

{{cat|/etc/awall/optional/management.json|<nowiki>
{
"description": "Host Management (ssh, https, ping)",

"import": [ "zones" ],

"policy": [
{ "in": "DMVPN", "out": "_fw", "action": "reject" }
],

"filter": [
{
"in": "DMVPN",
"out": "_fw",
"service": [ "ping", "ssh", "https", "bgp" ],
"action": "accept"
},
{
"in": "_fw",
"out": "DMVPN",
"service": [ "ping", "ssh", "http", "http-alt", "https", "dns", "ntp" ],
"action": "accept"
}
]
}
</nowiki>}}

NHRP redirects rule:

{{cat|/etc/awall/optional/vpnredirect.json|<nowiki>
{
"description": "NHRP Traffic Indication Probe",

"log": {
"dmvpn": {
"mode": "nflog",
"group": 1,
"range": 128,
"limit": {
"count": 6,
"interval": 60,
"mask": {
"inet": { "src": 16, "dest": 16 },
"inet6": { "src": 48, "dest": 48 }
}
}
}
},

"packet-log": [ { "in": "DMVPN", "out": "DMVPN", "log": "dmvpn" } ]
}
</nowiki>}}

Enable awall rules:

{{Cmd|awall enable zones
awall enable inet
awall enable dmvpn
awall enable vpnredirect
}}

Apply awall rules:

{{Cmd|awall activate -f
}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>

connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = hub
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

Now, test if it works.
In this example, spoke 1 tries to connect to spoke 3, who announces his subnet 192.168.30.0/24 via iBGP, the gre1 address is 172.16.3.1 and the public ip address is 90.100.150.200.

The first traffic goes from through the HUB.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 172.16.0.1 0.664 ms 0.461 ms 0.457 ms
2 192.168.30.1 0.907 ms 0.776 ms 0.771 ms
}}

Then, once the VPN is created, the traffic goes directly to the spoke node.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 192.168.30.1 0.456 ms 0.385 ms 0.357 ms
}}

With <code>ipsec --status-all</code> you can see alle the VPNs created:

{{Cmd|spoke1:~/root# ipsec statusall<nowiki>
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.20-1-grsec, i686):
uptime: 9 days, since Aug 28 14:22:27 2015
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 28
loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity
Listening IP addresses:
192.168.10.1
172.17.50.1
172.16.1.1
Connections:
dmvpn: %any...%any IKEv2, dpddelay=15s
dmvpn: local: [spoke1] uses pre-shared key authentication
dmvpn: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
Security Associations (3 up, 0 connecting):
dmvpn[121]: ESTABLISHED 4 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[121]: IKEv2 SPIs: c770729967ea636c_i 0de8ffedbe32f21c_r*, rekeying in 3 hours, pre-shared key reauthentication in 12 hours
dmvpn[121]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{187}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c132e6c3_i c49ae122_o
dmvpn{187}: AES_CBC_256/HMAC_SHA2_512_256, 469 bytes_i (6 pkts, 2s ago), 326 bytes_o (6 pkts, 2s ago), rekeying in 90 minutes
dmvpn{187}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[120]: ESTABLISHED 8 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[120]: IKEv2 SPIs: 46f81c8ec9a4b753_i* f768298b31ebe4da_r, rekeying in 3 hours, pre-shared key reauthentication in 11 hours
dmvpn[120]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{186}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cad2c1c9_i cd5a287c_o
dmvpn{186}: AES_CBC_256/HMAC_SHA2_512_256, 74 bytes_i (1 pkt, 2s ago), 46 bytes_o (1 pkt, 2s ago), rekeying in 91 minutes
dmvpn{186}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[119]: ESTABLISHED 2 hours ago, 172.17.50.1[spoke1]...50.60.70.80[hub]
dmvpn[119]: IKEv2 SPIs: 0e999ad802ced9cc_i* 6eaa469463601437_r, rekeying in 84 minutes, pre-shared key reauthentication in 8 hours
dmvpn[119]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{185}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c84d6035_i cb72cd30_o
dmvpn{185}: AES_CBC_256/HMAC_SHA2_512_256, 35764 bytes_i (473 pkts, 0s ago), 38266 bytes_o (384 pkts, 0s ago), rekeying in 46 minutes
dmvpn{185}: 172.17.50.1/32[gre] === 50.60.70.80/32[gre]
</nowiki>}}

= See also =
* [[Dynamic Multipoint VPN (DMVPN)]]
* [[Setup of DMVPN on Alpine linux]]

[[category: VPN]]

Tutorials and Howtos

2023-05-28T16:01:00Z

Nangel: /* HTTP */ Delete Reference to Cherokee

{{Todo|This material has been re-organized..., but grouping should be checked: '''Howtos are smaller articles''' and '''tutorials are more detailed document'''}}

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

'''The tutorials are hands-on''' and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

'''Howtos are smaller articles''' explaining how to perform a particular task with Alpine Linux, that expects a minimal knowledge from reader to perform actions.

'''IMPORTANT:''' contributions on those pages must be complete articles as well as requesting topics to be covered, don't override already made contributions. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}

= Howtos =

== Applications ==

=== Miscellaneous ===

* [[Ansible]] ''(Configuration management)''

=== Monitoring ===

* [[Awstats]] ''(Free log file analyzer)''
* [[Cacti: traffic analysis and monitoring network]] ''(Front-end for rrdtool networking monitor)''
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''
* [[Linfo]]
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Piwik]] ''(A real time web analytics software program)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' 
* [[Setting up lm_sensors]]
* [[SqStat]] ''(Script to look at active squid users connections)''
* [[Traffic monitoring]] 
** [[Setting up monitoring using rrdtool (and rrdcollect)]]
** [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Zabbix|Zabbix - the professional complete manager]] ''(Monitor and track the status of network services and hardware)''
* [[ZoneMinder video camera security and surveillance]]

=== Networking ===

* Alpine Wall ''(a new firewall management framework)''
** [[Alpine Wall]]
** [[Alpine Wall User's Guide]]
** [[How-To Alpine Wall]]
* [[Freeradius Active Directory Integration]]
* [[GNUnet]]
* [[Setting up a OpenVPN server|OpenVPN server]] ''(Allowing single users or devices to remotely connect to your network)''
* [[OpenVSwitch]]
* [[Using Alpine on Windows domain with IPSEC isolation]]
* [[Configure a Wireguard interface (wg)|Wireguard]]

=== Telephony ===

* [[Freepbx on Alpine Linux]]
* [[FreePBX V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''
* [[Sending SMS using gnokii]]
* [[Setting up Zaptel/Asterisk on Alpine]]
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

== Backup and data migration ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]]
** [[Manually editing a existing apkovl]]
* [[Migrating data]]
* [[Rsnapshot]] - setting up periodic backups

== Desktop ==

* [[Alpine and UEFI]]
* [[Default applications]]
* Desktop cloud
** [[EyeOS]] ''(Cloud Computing Desktop)''
** [[Nextcloud]] ''(Self hostable cloud suite - Dropbox Alternative)''
** [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''
** [[OwnCloud]] ''(Installing OwnCloud)''
** [[Seafile: setting up your own private cloud]]
* [[Desktop environments and Window managers]] (overall information only)
* [[Printer Setup]]
* [[Remote Desktop Server]]
* [[Sound Setup]]
** [[PipeWire]]
* [[Suspend on LID close]]
* [[Alpine setup scripts#setup-xorg-base|Xorg Setup]]

== Networking ==

* [[Bluetooth]] - Instructions for installing and configuring Bluetooth
* [[Bonding]] - Bond (or aggregate) multiple ethernet interfaces
* [[Bridge]] - Configuring a network bridge
** [[Bridge wlan0 to eth0]]
* [[Configure Networking]]
* [[How to configure static routes]]
* Modem
** [[Using HSDPA modem]]
** [[Using serial modem]]
* [[Multi ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[PXE boot]]
* [[Setting up Satellite Internet Connection|Satellite Internet Connection setup]]
* Wi-Fi
** [[Wi-Fi|Connecting to a wireless access point]]
** [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[Vlan]]

== Other Architectures ==

=== ARM ===

* [[Alpine on ARM]]

==== Raspberry Pi ====

* [[Raspberry Pi Bluetooth Speaker|Raspberry Pi - Bluetooth Speaker]]
* [[Raspberry Pi|Raspberry Pi - Installation]]
* [[Linux Router with VPN on a Raspberry Pi|Raspberry Pi - Router with VPN]]
* [[Linux Router with VPN on a Raspberry Pi (IPv6)|Raspberry Pi - Router with VPN (IPv6)]]
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]]
* [[RPI Video Receiver|Raspberry Pi - Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''
* [[Raspberry Pi 3 - Browser Client]] - kiosk or digital sign
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine]]
* [[How to set up Alpine as a wireless router|Raspberry Pi Zero W - Wireless router]] ''(Setting up a firewalled, Wireless AP with wired network on a Pi Zero W)''

=== IBM Z (IBM z Systems) ===

* [[s390x|s390x - Installation]]

=== PowerPC ===

* [[Ppc64le|Powerpc64le - Installation]]

== Post-Install ==

* [[CPU frequency scaling]]
* [[Repositories#Enabling_the_community_repository|Enable Community repository]] ''(Providing additional packages)''
* [[Enable Serial Console on Boot]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services|Init System - Multiple Instances of Services]]
** [[Writing Init Scripts|Init System - Writing Init Scripts]]
* [[Installing Oracle Java|Oracle Java (installation)]]
* [[IPTV How To|Internet Protocol television (IPTV)]]
* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''
** [[Comparison with other distros|Package Management - Comparison with other distros]]
* [[Running glibc programs]]
* [[Setting up a new user]]
* [[Upgrading Alpine]]

== Remote Administration ==

* ACF
** [[Changing passwords for ACF|ACF - changing passwords]]
** [[Generating SSL certs with ACF]] 
** [[setup-acf| ACF - setup]] ''(Configures ACF (webconfiguration/webmin) so you can manage your box through https)''
* [[Setting up a SSH server]] ''(Using ssh is a good way to administer your box remotely)''
** [[HOWTO OpenSSH 2FA with password and Google Authenticator |OpenSSH 2FA]] ''(A simple two factor setup for OpenSSH)''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[Webmin]] ''(A web-based interface for Linux system)''

== Server ==

* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
* [[Hosting Web/Email services on Alpine]]

=== DNS ===

* [[DNSCrypt-Proxy]] ''Encrypt and authenticate DNS calls from your system''
* [[Setting up nsd DNS server]]
* [[Setting up unbound DNS server]]
* [[TinyDNS Format]]

=== HTTP ===

* [[Apache]]
** [[Apache with php-fpm]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]
* [[Darkhttpd]]
* [[Lighttpd]]
** [[Lighttpd Advanced security]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Nginx]]
** [[Nginx as reverse proxy with acme (letsencrypt)]]
** [[Nginx with PHP]]
* Squid Proxy
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
** [[Setting up Explicit Squid Proxy]]
** [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''
** [[SqStat]] ''(Script to look at active squid users connections)''
* [[Tomcat]]

==== Hostable Content ====

* [[DokuWiki]]
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[Kopano]] ''(Microsoft Outlook compatible Groupware)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[Pastebin]] ''(Pastebin software application)''
* [[Phpizabi]] ''(Social Networking Platform)''
* [[Statusnet]] ''(Microblogging Platform)''
* [[WordPress]] ''(Web software to create website or blog)''

=== IRC ===

* [[How To Setup Your Own IRC Network]] ''(Using {{Pkg|charybdis}} and {{Pkg|atheme-iris}})''
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''

=== Mail ===

* Exim/Dovecot
** [[Small-Time Email with Exim and Dovecot]] ''(A simple configuration for your home network.)
** [[Setting up dovecot with imap and ssl]]
* [[relay email to gmail (msmtp, mailx, sendmail]]
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* Server protection
** [[Protecting your email server with Alpine]]
** [[Setting up clamsmtp]]

=== Other Servers ===

* [[Chrony and GPSD | Chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Glpi]] ''(Manage inventory of technical resources)''
* [[How to setup a Alpine Linux mirror]]
* [[Setting up a nfs-server|nfs-server]]
* [[Odoo]]
* [[Configure OpenLDAP | OpenLDAP]] ''(Installing and configuring the Alpine package for OpenLDAP)''
* [[Setting up a samba-ad-dc|samba-ad-dc]] ''(Active Directory compatible domain controller)''
* [[Setting up a samba-server|samba-server]] ''(standard file sharing)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]
* [[UniFi Controller]]

=== Software development ===

* [[Cgit]]
* [[OsTicket]] ''(Ticket system)''
* [[Patchwork]] ''(Patch review management system)''
* [[Redmine]] ''(Project management system)''
* [[Request Tracker]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

== Storage ==

* [[Setting up disks manually|Disk setup (manual)]]
* [[Disk Replication with DRBD|DRBD: Disk Replication]]
* [[Filesystems]]
** [[Burning ISOs]]
* [[Setting up iSCSI|iSCSI Setup]]
** [[iSCSI Raid and Clustered File Systems]]
** [[Linux iSCSI Target (TCM)|iSCSI Target (TCM)/LinuxIO (LIO)]]
* [[Setting up Logical Volumes with LVM|LVM Setup]]
** [[Setting up LVM on GPT-labeled disks|LVM on GPT-labeled disks]]
** [[Installing on GPT LVM|LVM on GPT-labeled disks (updated)]]
** [[LVM on LUKS]]
* RAID
** [[Raid Administration]]
** [[Setting up a software RAID array]]
* ZFS
** [[Root on ZFS with native encryption]]
** [[Setting up ZFS on LUKS]]
** [[Setting up ZFS with native encryption]]

== Virtualization ==

* [[Docker]]
* [[Installing Alpine in a virtual machine]]
** [[Install Alpine on VMware ESXi]]
* [[KVM]] ''(Setting up Alpine as a KVM hypervisor)''
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''
* [[QEMU]]
* Xen
** [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''
** [[Xen Dom0 on USB or SD]]
** [[Create Alpine Linux PV DomU|Xen DomU (paravirtualized)]]
** [[Xen LiveCD]]
** [[Xen PCI Passthrough]]

= Tutorials =

== Miscellaneous ==

* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small Office Services]]
* [[DIY Fully working Alpine Linux for Allwinner and Other ARM SOCs]]
* [[Experiences with OpenVPN-client on ALIX.2D3]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[High performance SCST iSCSI Target on Linux software Raid]]
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
** [[ISP Mail Server 3.x HowTo]]
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]

== Newbie corner ==

* [[How to get regular stuff working]] ''some notes on need-to-know topics''

== Servers ==

* [[Alpine production deploy]]
** [[Production Web server: Lighttpd|Production web server: Lighttpd‎‎]]
** [[Production DataBases : mysql|Production database: MySql]]
** [[Production LAMP system: Lighttpd + PHP + MySQL‎‎]]
* Alpine production monitoring
** [[Cacti: traffic analysis and monitoring network]]
** [[Zabbix|Zabbix - the professional complete manager]]
* Kubernetes
** [[K8s]] Building a K8s Cluster on Alpine Linux

Hosting services on Alpine

2023-05-28T16:00:34Z

Nangel: /* Web */ Delete reference to Cherokee

= Introduction =
Alpine is well suited for hosting email-, web- or other network-related services. 
Your biggest task is to figure out what you want your system to do.

== Preparing Alpine ==
First you need to get alpine up and running. 
Follow the [[Installation]] instructions on how to get your Alpine booted.

If nothing else is mentioned in the below instructions, you should use the latest stable release:{{downloads|alpine}}

=== VServer or not ===
VServer itself has nothing to do with the various services. 
But if you intend to run multiple services on same box (e.g. mail and webhosting) it might be wise to run the various services in separate vserver-guests.

* [[Setting up a basic vserver]] | ''Basic information on how to set up vserver hosts/guests''
{{warning| the package '''util-vserver''' is currently unavailable since, at least, Alpine Linux 3.3. }}

== Mail ==
We split the 'Mail' section into various tasks. 
One task is to gather and process mail. Some other task would be to prevent spam and virus etc. 
Finally we need to make sure the user can fetch/read his mail.

=== Receive mail ===

* [[Setting up postfix with virtual domains]] | ''Postfix can be configured in multiple ways - Here we do it with virtual domains''

=== Processing mail - Virus protection ===

* [[Protecting_your_email_server_with_Alpine#Setting_up_the_Virus_scanner|Setting up ClamAV for Postfix]] | ''Referrers to [[Setting_up_postfix_with_virtual_domains]] instructions''

=== Processing mail - Spam protection ===

* [[Protecting_your_email_server_with_Alpine#Setting_up_the_Greylisting_Server|Setting up Gross for Postfix]] | ''Referrers to [[Setting_up_postfix_with_virtual_domains]] instructions''
* [[Protecting_your_email_server_with_Alpine#Setting_up_the_SMTP_filter|Setting up ClamSMTP]] | ''Use ClamSMTP to provide advanced content and virus filtering for spam''
* [[Protecting_your_email_server_with_Alpine#Setting_up_SaneSecurity_.26_MSRBL_extra_definitions|Setting up SaneSecurity & MSRBL extra definitions]] | ''Another good way of catching SPAM is Sanesecurity and MSRBL definitions''

=== Delivering mail to the user ===

* [[Setting up dovecot with imap and ssl]] | ''Secure way to fetch you mail from the mailer daemon''
* [[Setting up dovecot with imap and tls]] | ''Secure way to fetch you mail from the mailer daemon''

=== Other Mail-related documents ===

* [[Hosting Web/Email services on Alpine]] | ''Describes multiple services on same document''
* [[Protecting your email server with Alpine]] | ''Describes multiple services on same document''
* [[ISP_Mail_Server_3.x_HowTo]]

== Web ==

* [[Setting up trac wiki]] | ''A ticket/wiki system''
* [[Lighttpd]] | ''Lighttpd web server''
* [[Apache]] | ''Apache web server''
* [[Darkhttpd]] | ''Darkhttpd web server''
* [[Nginx]] | ''Nginx web server''

== SSH ==

* [[Setting up a SSH server]] | ''OpenSSH and Dropbear SSH servers''

== DNS ==

* [[Setting up unbound DNS server]] | ''A validating, recursive, and caching DNS resolver that supports DNSSEC''
* [[Setting up nsd DNS server]] | ''An authoritative-only DNS server''

== Proxy ==

* [[Setting up Explicit Squid Proxy]] | ''Configuring an explicit Squid proxy server''
* [[Setting up Transparent Squid Proxy]] | ''Configuring a transparent Squid proxy server''

= Also see =

You'll probably also want to look at [[Tutorials and Howtos]]

[[Category:Server]]
[[Category:Mail]]

Main Page

2022-01-11T22:07:56Z

Nangel:

{{Warning| Please note as of 12 Jan 2022 00:00:00 UTC all new wiki pages are licensed as CC-BY-SA-4.0.
See [[Privacy Policy|https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy]] for more details.
Existing pages retain the old license.}}

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Main Page

2022-01-11T21:09:38Z

Nangel:

{{Warning| Please note as of 12 Jan 2022 00:00:00 UTC all new wiki pages are licensed as CC-BY-SA-4.0 See [https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy] for more details. Existing pages retain the old license.}}

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Main Page

2022-01-11T21:09:02Z

Nangel:

{{Warning| Please note as of 12 Jan 2022 UTC all new wiki pages are licensed as CC-BY-SA-4.0 See [https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy] for more details. Existing pages retain the old license.}}

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Main Page

2022-01-11T21:08:13Z

Nangel:

{{Warning| Please note as of 12 Jan 2022 UTC all new wiki pages are licensed as CC-BY-SA-4. See [https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy] for more details. Existing pages retain the old license.}}

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Main Page

2022-01-11T21:06:19Z

Nangel:

{{Warning| Please note as of 12 Jan 2022 UTC all new wiki pages are licensed as CC-BY-CA. See [https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy] for more details. Existing pages retain the old license.}}

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Main Page

2022-01-11T21:02:33Z

Nangel:

Please note as of 12 Jan 2022 UTC all new wiki pages are licensed as CC-BY-CA. See [[https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy]] for more details. Existing pages retain the old license.

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Main Page

2022-01-11T21:01:46Z

Nangel:

Please note as if 12 Jan 2022 UTC all new wiki pages are licensed as CC-BY-CA. See [[https://https://wiki.alpinelinux.org/wiki/Alpine_Linux:Privacy_policy]] for more details. Existing pages retain the old license.

__NOEDITSECTION__
__NOTOC__

= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Zabbix

2021-10-12T13:42:07Z

Nangel: Added link to McKayguard's version

The purpose of this document is to assist in installing the Zabbix server software and Zabbix agent on the Alpine Linux operating system. Instructions on how to configure and use Zabbix - as well as many useful tutorials - can be found at http://www.zabbix.com.

{{Note|The minimum required version of Alpine Linux required to install Zabbix is Alpine 2.2. this guide has been updated to zabbix 3.0}}
{{Note|There is an alternate set of instructions here [[Zabbix_-_cgi_and_mysql]].}}

= Install Lighttpd, and PHP =

{{:Setting Up Lighttpd With FastCGI}}

For Zabbix you will have to install following two extra packages otherwise Zabbix will not run.
1. php7-mbstring 2. php7-pgsql

To Install these two packages
{{Cmd|apk add php7-mbstring php7-pgsql}}
= Configure PostgreSQL =

Install PostgreSQL

{{Cmd|apk add postgresql postgresql-client}}

Now configure PostgreSQL:
{{Cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql}}

= Install Zabbix =

{{Cmd|apk add zabbix zabbix-pgsql zabbix-webif zabbix-setup}}

Now we need to set up the zabbix database. Substitute '*********' in the example below for a real password:

{{Cmd|<nowiki>psql -U postgres
postgres=# create user zabbix with password '*********';
postgres=# create database zabbix owner zabbix;
postgres=# \q
cd /usr/share/zabbix/database/postgresql
cat schema.sql | psql -U zabbix zabbix
cat images.sql | psql -U zabbix zabbix
cat data.sql | psql -U zabbix zabbix</nowiki>}}

Create a softlink for the Zabbix web-frontend files:

{{Cmd|rm /var/www/localhost/htdocs -R
ln -s /usr/share/webapps/zabbix /var/www/localhost/htdocs}}

Edit PHP configuration to satisfy some zabbix requirements. Edit /etc/php7/php.ini and configure the following values at least:

<pre>
Max_execution_time = 600
Expose_php = Off
Date.timezone = <insert your timezone here>
post_max_size = 32M
upload_max_filesize = 16M
max_input_time = 600
memory_limit = 256M
</pre>

Also comment (doc_root & user_dir ) by putting # before these.

Configure the following entries in /etc/zabbix/zabbix_server.conf, where DBPassword is the password chosen for the database above:

<pre>
DBName=zabbix

# Database user

DBUser=zabbix

# Database password
# Comment this line if no password used

DBPassword=*********

FpingLocation=/usr/sbin/fping
</pre>

Start Zabbix server:

{{Cmd|rc-update add zabbix-server
/etc/init.d/zabbix-server start}}

Fix permissions on conf directory.

{{Cmd|chown -R lighttpd /usr/share/webapps/zabbix/conf}}

You should now be able to browse to the Zabbix frontend: http://yourservername/.

or

You should now be able to browse to the Zabbix setup frontend: http://yourserverip/instal.php.

Follow the setup instructions to configure Zabbix, supplying the database information used above.

After setup, login using: Login name: '''Admin''' Password:'''zabbix'''. (as described at http://www.zabbix.com/documentation/1.8/manual/installation)

Finally, Zabbix requires special permissions to use the fping binary.

{{Cmd|chmod u+s /usr/sbin/fping}}

= Install Zabbix Agent on Monitored Servers =

Zabbix can monitor almost any operating system, including Alpine Linux hosts. Complete the following steps to install the Zabbix agent on Alpine Linux.

{{Note|Support to allow zabbix-agentd to view running processes on Alpine Linux has been added since linux-grsec-2.6.35.9-r2. Please ensure you have that kernel installed prior to attempting to run zabbix-agentd.}}

Ensure that the readproc group exists (support added since alpine-baselayout-2.0_rc1-r1), by adding the following line to /etc/group:

{{Cmd|readproc:x:30:zabbix}}

Install the agent package:

{{Cmd|apk add zabbix-agent}}

Edit the /etc/zabbix/zabbix_agentd.conf file and configure at least the following option:
<pre>
Server=<ip or hostname of zabbix server>
Hostname=<ip or hostname of zabbix agent>
ListenPort=10050
</pre>

Start the zabbix-agent:

{{Cmd|rc-update add zabbix-agentd
/etc/init.d/zabbix-agentd start}}

In case you want to monitor using SNMP agent on remote machines you have to add these packages on zabbix server:

{{Cmd|apk add net-snmp net-snmp-tools}}

And add these packages on remote machines:

{{Cmd|apk add net-snmp }}

= Optional: Crash course in adding hosts, checks, and notifications =

''Note:'' This is optional since it's not specific to Alpine Linux, but I wanted a couple notes for how to perform a simple check on a server that doesn't have the agent installed on it, and be notified on state changes.

Administration -> Media Types -> Email
* Setup server, helo, email from address

Administration -> Users
* Setup each user who'll get notified, make sure they have media type "Email" added with their address

Configuration -> Hosts -> Create host
* In Linux Servers hostgroup
* Define dns name, ip, connect by IP
* If the machine is a simple networking device that will only be monitored using SNMP, add it to Template_SNMPv2_Device, and you're done.

Configuration -> Templates -> Create template
* Give it a name (Template_Alpine_Linux_Infra_HTTP)
* In Templates group

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Items
* Create Item
* Host: Template_Alpine_Linux_Infra_HTTP
* Description: HTTP Basic Check
* Type: Simple_check
* Key: http,80

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Triggers
* Create Trigger
* Name: "HTTP Trigger"
* Expression: {Template_Alpine_Linux_Infra_HTTP:http,80.last(0)}#1
* Severity: High

Configuration -> Actions ->
* Create Action
* name: Email notifications
* Event source: triggers
* Default Subject: add "{HOST.DNS}:" to the beginning
* Default message: add "{HOST.DNS}:" to the beginning
* Conditions: make host have to be from "Linux Servers" hostgroup, and Template_Alpine_Linux_Infra_HTTP:HTTP trigger" is not 1
* Email affected users

[[Category:Monitoring]]
[[Category:PHP]]
[[Category:SQL]]

Zabbix

2021-10-12T13:35:35Z

Nangel: Revert Zabbix to pre cgi+mysql; add link to Zabbix+cgi+mysql

The purpose of this document is to assist in installing the Zabbix server software and Zabbix agent on the Alpine Linux operating system. Instructions on how to configure and use Zabbix - as well as many useful tutorials - can be found at http://www.zabbix.com.

{{Note|The minimum required version of Alpine Linux required to install Zabbix is Alpine 2.2. this guide has been updated to zabbix 3.0}}

= Install Lighttpd, and PHP =

{{:Setting Up Lighttpd With FastCGI}}

For Zabbix you will have to install following two extra packages otherwise Zabbix will not run.
1. php7-mbstring 2. php7-pgsql

To Install these two packages
{{Cmd|apk add php7-mbstring php7-pgsql}}
= Configure PostgreSQL =

Install PostgreSQL

{{Cmd|apk add postgresql postgresql-client}}

Now configure PostgreSQL:
{{Cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql}}

= Install Zabbix =

{{Cmd|apk add zabbix zabbix-pgsql zabbix-webif zabbix-setup}}

Now we need to set up the zabbix database. Substitute '*********' in the example below for a real password:

{{Cmd|<nowiki>psql -U postgres
postgres=# create user zabbix with password '*********';
postgres=# create database zabbix owner zabbix;
postgres=# \q
cd /usr/share/zabbix/database/postgresql
cat schema.sql | psql -U zabbix zabbix
cat images.sql | psql -U zabbix zabbix
cat data.sql | psql -U zabbix zabbix</nowiki>}}

Create a softlink for the Zabbix web-frontend files:

{{Cmd|rm /var/www/localhost/htdocs -R
ln -s /usr/share/webapps/zabbix /var/www/localhost/htdocs}}

Edit PHP configuration to satisfy some zabbix requirements. Edit /etc/php7/php.ini and configure the following values at least:

<pre>
Max_execution_time = 600
Expose_php = Off
Date.timezone = <insert your timezone here>
post_max_size = 32M
upload_max_filesize = 16M
max_input_time = 600
memory_limit = 256M
</pre>

Also comment (doc_root & user_dir ) by putting # before these.

Configure the following entries in /etc/zabbix/zabbix_server.conf, where DBPassword is the password chosen for the database above:

<pre>
DBName=zabbix

# Database user

DBUser=zabbix

# Database password
# Comment this line if no password used

DBPassword=*********

FpingLocation=/usr/sbin/fping
</pre>

Start Zabbix server:

{{Cmd|rc-update add zabbix-server
/etc/init.d/zabbix-server start}}

Fix permissions on conf directory.

{{Cmd|chown -R lighttpd /usr/share/webapps/zabbix/conf}}

You should now be able to browse to the Zabbix frontend: http://yourservername/.

or

You should now be able to browse to the Zabbix setup frontend: http://yourserverip/instal.php.

Follow the setup instructions to configure Zabbix, supplying the database information used above.

After setup, login using: Login name: '''Admin''' Password:'''zabbix'''. (as described at http://www.zabbix.com/documentation/1.8/manual/installation)

Finally, Zabbix requires special permissions to use the fping binary.

{{Cmd|chmod u+s /usr/sbin/fping}}

= Install Zabbix Agent on Monitored Servers =

Zabbix can monitor almost any operating system, including Alpine Linux hosts. Complete the following steps to install the Zabbix agent on Alpine Linux.

{{Note|Support to allow zabbix-agentd to view running processes on Alpine Linux has been added since linux-grsec-2.6.35.9-r2. Please ensure you have that kernel installed prior to attempting to run zabbix-agentd.}}

Ensure that the readproc group exists (support added since alpine-baselayout-2.0_rc1-r1), by adding the following line to /etc/group:

{{Cmd|readproc:x:30:zabbix}}

Install the agent package:

{{Cmd|apk add zabbix-agent}}

Edit the /etc/zabbix/zabbix_agentd.conf file and configure at least the following option:
<pre>
Server=<ip or hostname of zabbix server>
Hostname=<ip or hostname of zabbix agent>
ListenPort=10050
</pre>

Start the zabbix-agent:

{{Cmd|rc-update add zabbix-agentd
/etc/init.d/zabbix-agentd start}}

In case you want to monitor using SNMP agent on remote machines you have to add these packages on zabbix server:

{{Cmd|apk add net-snmp net-snmp-tools}}

And add these packages on remote machines:

{{Cmd|apk add net-snmp }}

= Optional: Crash course in adding hosts, checks, and notifications =

''Note:'' This is optional since it's not specific to Alpine Linux, but I wanted a couple notes for how to perform a simple check on a server that doesn't have the agent installed on it, and be notified on state changes.

Administration -> Media Types -> Email
* Setup server, helo, email from address

Administration -> Users
* Setup each user who'll get notified, make sure they have media type "Email" added with their address

Configuration -> Hosts -> Create host
* In Linux Servers hostgroup
* Define dns name, ip, connect by IP
* If the machine is a simple networking device that will only be monitored using SNMP, add it to Template_SNMPv2_Device, and you're done.

Configuration -> Templates -> Create template
* Give it a name (Template_Alpine_Linux_Infra_HTTP)
* In Templates group

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Items
* Create Item
* Host: Template_Alpine_Linux_Infra_HTTP
* Description: HTTP Basic Check
* Type: Simple_check
* Key: http,80

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Triggers
* Create Trigger
* Name: "HTTP Trigger"
* Expression: {Template_Alpine_Linux_Infra_HTTP:http,80.last(0)}#1
* Severity: High

Configuration -> Actions ->
* Create Action
* name: Email notifications
* Event source: triggers
* Default Subject: add "{HOST.DNS}:" to the beginning
* Default message: add "{HOST.DNS}:" to the beginning
* Conditions: make host have to be from "Linux Servers" hostgroup, and Template_Alpine_Linux_Infra_HTTP:HTTP trigger" is not 1
* Email affected users

[[Category:Monitoring]]
[[Category:PHP]]
[[Category:SQL]]

Talk:Zabbix - cgi and mysql

2021-10-12T13:31:50Z

Nangel: Nangel moved page Talk:Zabbix to Talk:Zabbix - cgi and mysql without leaving a redirect: As alpineuser mentioned, this page significantly changed the original - moving to a separate page

==Possible Obfuscation / Abuse==
It appears that someone has taken the article from a manageable <40 command line entries and 6K bytes to
20K bytes, and now command line entries that number 100-200+:
https://wiki.alpinelinux.org/w/index.php?title=Zabbix&type=revision&diff=19688&oldid=17984

Can Mckaygerhard justify the need for this additional
complexity, or is this obfuscation? It looks like the latter. It is written with spelling errors/rushed, has non-idiomatic use of sed (# instead of / dividers), and lists non existent links like alpine newbie lamers, and refers to zabbix as a curse. It's also much more LOC.

Consider that I tested the old guide, and it works fine (v3.14) except that I had to copy the zabbix.conf.php from a different zabbix install to this since the database type doesn't populate during the setup.php install (essentially bypassing it). And the js on the web console only worked with certain browsers.

Given that the old guide will suffice for the majority of users, I suggest the old one is reinstated, and Mckagerhard's additions can be left as a second option for those interested in more details. The old guide uses fastcgi, and postgres. Mckagerhard's guide uses cgi, and mysql. Since they are distinct guides, they can be kept separate.

— Preceding unsigned comments added by [[User:Alpineuser|Alpineuser]] ([[User talk:Alpineuser#top|talk]] • [[Special:Contributions/Alpineuser|contribs]]) 10:21, 20 July 2021

Zabbix - cgi and mysql

2021-10-12T13:31:50Z

Nangel: Nangel moved page Zabbix to Zabbix - cgi and mysql without leaving a redirect: As alpineuser mentioned, this page significantly changed the original - moving to a separate page

Zabbix is the most popular monitoring manager in open source world, there's monitoring itself only like [[Cacti:_traffic_analysis_and_monitoring_network|catci]], but the hint is that '''''Zabbix''' is manager also, '''is ipv6 ready! fully supported''', also featured proxy-server for hidden and firewalled networks.'' Its like nagios one but more big, cutting edge and professional.

'''In the wiki there are two approaches for its use''', [[Production_monitoring_:_zabbix|the professional one]] (for servers and deploys) and the fast and simple usage (for developers and/or enthusiasts). For more curses on that (of course focused on alpine) check [http://qgqlochekone.blogspot.com/search/?q=zabbix Complete alpine documentation on english for zabbix curse]

'''This documentation is divided in two big parts.. the prerequisites and the installation''' of zabbix minimal infrastructure. The first part are in sync with the current alpine wiki pages of [https://wiki.alpinelinux.org/wiki/Category:Production Production pages]

Note: There is a possibility that this page may have been complexified / obfuscated. See the talk page or review an earlier edit: https://wiki.alpinelinux.org/w/index.php?title=Zabbix&oldid=17984.
[[File:Zabbix-5-alpine.png|thumb]]

= Where to use zabbix and alpine =

Since Zabbix it focuses on hosts: So '''is the right choice for monitoring distributed networks''' (was originally developed for monitoring servers).

In cases where there is no option to install an agent, Zabbix offers basic agentless monitoring. With it, you can check the availability of network services, as well as execute remote commands

== Zabbix infraestructure ==

Zabbix is divided into '''two large parts: server(s) and agent(s)''', and yes "servers" cos can be centralized or decentralized due the "proxyes" semi-servers.

* '''The servers''': represent all the '''recollected data''' and '''has management capabilities'''. Each one if are more than one, collects and stores statistical data.
* '''The agents''': represent each host, the clients, those machines or devices from which data is collected. Those support both passive (polling) and active checks (trapping).
* '''The proxys''': represent a server that can act as man-in-the-middle for distributed load, cases of hideden networking or firewalled, of course '''with management capabilities cos act as server''' for those agents/hosts.

'''Passive checks''' mean that the Zabbix server requests a value from the Zabbix agent, and the agent processes the request and returns the value to the Zabbix server.

'''Active checks''' mean that the Zabbix agent requests a list of active checks from the Zabbix server and then periodically sends the results.

[[File:Zabbix-agent-server-proxy-main-remote.jpg|center]]

= Part 1 Pre-requisites: php, webserver and database =

{{:Production_LAMP_system:_Lighttpd_+_PHP_+_MySQL}}

= Part 2: zabbix =

Zabbix depends on which type of database you will use, here we will show you how to doit with mysql, as more easy to use, for production is recommended posrgresql as in

== 1. install zabbix packages ==

Remenber that Zabbix has 3 components, and the server is the main one

* Central servers to represent the data ( can be one zabbix server, o combined zabbix server with more zabbix proxies)
* Clients hosts to monitored (that is made by Agents, SNMP or just ICMP)
* Distributed proxy servers (that is only need for hosts behind firewall or closed networks)

In the server we need the central base service at leas, and of course one agent for monitoring that server:

<pre>
<nowiki>
cat > /etc/apk/repositories << EOF
http://dl-4.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-4.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

apk add zabbix zabbix-mysql zabbix-webif zabbix-setup zabbix-utils zabbix-agentd
</nowiki>
</pre>

Now lest configure the server and the UI frontend in that server:

== 2. Configure the base service ==

Server zabbix, or proxy one always need a main database, the service of monitoring is running with it, the UI and agents always send the data to the zabbix server or zabbix proxy (and from proxy to server).

{{Warning|The '''zabbix service DB user is <code>zabbixdb</code> and NOT <code>zabbix</code>''', the user <code>zabbixdb</code> whatever you use postgresql or mysql, will not be used with password for agent monitoring, cos in postgresql will use the <code>ident</code> way autentication, and in mysql will use the <code>socket</code> way autentication: '''this makes sense cos user agent is <code>zabbix</code> and does not have home.''' This is the correct and most secure way.}}

<pre>
<nowiki>
mysql -u root -e "CREATE USER 'zabbix'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('clavezabix');"
mysql -u root -e "CREATE DATABASE zabbix CHARACTER SET utf8 COLLATE utf8_bin;"
mysql -u root -e "GRANT ALL PRIVILEGES ON zabbixdb.* TO 'zabbixdb'@'localhost' WITH GRANT OPTION;"

mysql -u zabbixdb --password=clavezabix zabbixdb < /usr/share/zabbix/database/mysql/schema.sql
mysql -u zabbixdb --password=clavezabix zabbixdb < /usr/share/zabbix/database/mysql/images.sql
mysql -u zabbixdb --password=clavezabix zabbixdb < /usr/share/zabbix/database/mysql/data.sql

sed -i 's|.*DBHost.*=.*|DBHost=localhost|g' /etc/zabbix/zabbix_server.conf
sed -i 's|DBName.*=.*|DBName=zabbixdb|g' /etc/zabbix/zabbix_server.conf
sed -i 's|.*DBPassword.*=.*|DBPassword=zabbixdb.db.1.com.1|g' /etc/zabbix/zabbix_server.conf
sed -i 's|.*DBUser.*=.*|DBUser=zabbixdb|g' /etc/zabbix/zabbix_server.conf
sed -i 's|.*DBSocket.*=.*|DBSocket=/run/mysqld/mysqld.sock|g' /etc/zabbix/zabbix_server.conf
sed -i 's|.*Fping6Location.*=.*|Fping6Location=|g' /etc/zabbix/zabbix_server.conf
sed -i 's|.*FpingLocation.*=.*|FpingLocation=/usr/sbin/fping|g' /etc/zabbix/zabbix_server.conf
sed -i 's|Nostname=.*|Nostname=monitor.zabbixnetwork|g' /etc/zabbix/zabbix_server.conf
sed -i 's|.*SourceIP.*=.*|SourceIP=0.0.0.0|g' /etc/zabbix/zabbix_server.conf

chown root:zabbix /usr/sbin/fping

rc-update add zabbix-server default

rc-service zabbix-server restart
</nowiki>
</pre>

{{Note|Remenber that the hostname of the server is <nowiki>monitor.zabbixnetwork</nowiki>, you can use the ip address too, but this name must be the same in the config files for active or passive servers, the web ui configured hostname server and/or zabbix configured hostname proxy server.}}

== 3. Setup and configure web frontend ==

The main server can be managed with the zabbix-frontend:

<pre>
<nowiki>
cp /usr/share/webapps/zabbix/conf/zabbix.conf.php.example /usr/share/webapps/zabbix/conf/zabbix.conf.php

sed -i "s|.*DB\['TYPE'\].*=.*|\$DB\['TYPE'\] = 'MYSQL';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*DB\['SERVER'\].*=.*|\$DB\['SERVER'\] = 'localhost';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*DB\['DATABASE'\].*=.*|\$DB\['DATABASE'\] = 'zabbixdb';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*DB\['USER'\].*=.*|\$DB\['USER'\] = 'zabbixdb';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*DB\['PASSWORD'\].*=.*|\$DB\['PASSWORD'\] = 'zabbixdb.db.1.com.1';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*ZBX_SERVER_PORT.*=.*|\$ZBX_SERVER_PORT = '10051';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*ZBX_SERVER_NAME.*=.*|\$ZBX_SERVER_NAME = 'monitor.ruices';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*IMAGE_FORMAT_DEFAULT.*=.*|\$IMAGE_FORMAT_DEFAULT = IMAGE_FORMAT_GIF;|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php
sed -i "s|.*ZBX_SERVER.*=.*'localhost';|\$ZBX_SERVER = 'localhost';|g" /usr/share/webapps/zabbix/conf/zabbix.conf.php

cat > /usr/share/webapps/zabbix/.user.ini << EOF
date.timezone = "America/Caracas"
display_errors = Off
log_errors = On
upload_max_filesize = 16M
post_max_size = 24M
memory_limit = 512M
register_globals = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
session.auto_start = 0
mbstring.func_overload = 0
max_execution_time = 600
max_input_time = 600
EOF
</nowiki>
</pre>

We do not use the stupid link of direct put on htdocs, we are professional and we use aliasing,
now lest configure the webserver to server the frontend by web:

<pre>
<nowiki>
cat > /etc/lighttpd/mod_zabbix.conf << EOF
alias.url += (
"/zabbix/" => "/usr/share/webapps/zabbix/"
)
\$HTTP["url"] =~ "^/zabbix/" {
dir-listing.activate = "disable"
}
EOF

sed -i 's#\#.*mod_rewrite.*,.*# "mod_rewrite",#g' /etc/lighttpd/lighttpd.conf
sed -i 's#\#.*mod_alias.*,.*# "mod_alias",#g' /etc/lighttpd/lighttpd.conf
sed -i 's#\#.*mod_accesslog.*,.*# "mod_accesslog",#g' /etc/lighttpd/lighttpd.conf
sed -i 's#\#.*mod_setenv.*,.*# "mod_setenv",#g' /etc/lighttpd/lighttpd.conf
sed -i 's#\#.*mod_redirect.*,.*# "mod_redirect",#g' /etc/lighttpd/lighttpd.conf

sed -i 's#.*include "mod_cgi.conf".*# include "mod_cgi.conf"#g' /etc/lighttpd/lighttpd.conf

check="";check=$(grep 'include "mod_zabbix.conf' /etc/lighttpd/lighttpd.conf);[[ "$check" != "" ]] && echo listo || sed -i 's#.*include "mod_fastcgi_fpm.conf".*#include "mod_fastcgi_fpm.conf"\ninclude "mod_zabbix.conf"#g' /etc/lighttpd/lighttpd.conf

chown -R lighttpd:www-data /usr/share/webapps/zabbix/

rc-service lighttpd restart
</nowiki>
</pre>

You should now be able to browse to the Zabbix frontend: http://yourservername/zabbix/ or in http://localhost/zabbix.

The login using: Login name: '''Admin''' Password:'''zabbix'''. (as described at http://www.zabbix.com/documentation/4.0/manual/installation)

There's no need to web setup cos we made all in cli as best hackers admins.

== Zabbix tools for items maps or scripts ==

There's no complete features in busybox so need more tools, also, Zabbix requires special permissions to use tools

<pre>
<nowiki>
apk add bash fping tcptraceroute coreutils net-snmp-tools nmap perl rrdtool ttf-dejavu net-snmp-libs

chown root:zabbix /usr/sbin/fping

chmod u+s /usr/bin/ping

chmod u+s /bin/ping

chmod u+s /usr/bin/nmap
</nowiki>
</pre>

{{Warning|this is preferable to use sudo, that has more issues in security holes, so set ui bit is a security mess buyt less than the crap usage or "sudo", cos these tools are need to run as root to right usage}}

= Zabbix and the Monitored host =

'''Zabbix can monitor almost any device system''', including Alpine Linux hosts, home computers, celphones, network devices, etc.

== types of monitoring ==

The '''zabbix agent''' is a zabbix service that runs on computers and is fully feartured, the '''SNMP(Simple Network Manager Protocol)''' is a common standard protocol and is the second most supported, the '''ICMP(Internet Control Message Protocol)''' is the most used and simples way but most limited, check the features:

{| class="wikitable"
|-
! Feature !! By Agent !! By SNMP !! By ICMP
|-
| Ping to check alive (direct ip) || Yes || Yes but with zabbbix proxy if firewall || Only on direct ip, no firewall
|-
| Retreive data from programs (direct ping) || Yes || Yes but with zabbbix proxy if firewall || No
|-
| Send commands to manage || Yes || Yes but using zabbix proxy if firewall || No
|-
| Runs on any device || No, only computers || Mostly any network device || Yes
|-
| Runs on any OS || YEs, limited in androita and mainframes || Yes || Yes
|-
| Requires provilegies || Not necesary for most fearures || It depends || No
|}

{{Note|Support to allow zabbix-agentd to view running processes on Alpine Linux has been added since linux-grsec-2.6.35.9-r2. Please ensure you have that kernel installed prior to attempting to run zabbix-agentd.}}

Ensure that the readproc group exists (support added since alpine-baselayout-2.0_rc1-r1), by adding the following line to /etc/group:

{{Cmd|readproc:x:30:zabbix}}

== Monitoring by Zabbix Agents ==

The agent way to monitoring is the most complete featured, but only applies to computers host, becouse the zabbiz-agent software is only available for those devices, for networking devices you must use ICMP or SNMP (check next subsection).

So, install the agent package and configure it on each host to be monitored/managed (on server too):

{{Note|Remenber that the hostname of the server is <nowiki>monitor.zabbixnetwork</nowiki>, you can use the ip address too, but this name must be the same in the config files for active or passive servers, the web ui configured hostname server and/or zabbix configured hostname proxy server.}}

<pre>
<nowiki>
cat > /etc/apk/repositories << EOF
http://dl-4.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://dl-4.alpinelinux.org/alpine/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

apk add zabbix-agent net-snmp-libs net-snmp-agent-libs

sed -i 's|.*ListenPort.*=.*|ListenPort=10050|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|.*Hostname=.*|Hostname=monitordhost1|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|Server =.*|Server=localhost,monitor.zabbixnetwork|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|ServerActive.*=.*|ServerActive=localhost,monitor.zabbixnetwork |g' /etc/zabbix/zabbix_agentd.conf|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|.*EnableRemoteCommands.*=.*|EnableRemoteCommands=1|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|.*LogRemoteCommands.*=.*|LogRemoteCommands=1|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|# Include=.*|Include=/etc/zabbix/zabbix_agentd.d/*.conf|' /etc/zabbix/zabbix_agentd.conf

rc-update add zabbix-agentd default

rc-service zabbix-agentd restart
</nowiki>
</pre>

{{Note|The configured hostname in agent here is <nowiki>monitordhost1</nowiki>, you can use the ip address too, but this name must be the same in the config files for active or passive host configured in the web ui, if the agent way will be used.}}

{{Warning|The '''zabbix service DB user is <code>zabbixdb</code> and NOT <code>zabbix</code>''', the user <code>zabbixdb</code> whatever you use postgresql or mysql, will not be used with password for agent monitoring, cos in postgresql will use the <code>ident</code> way autentication, and in mysql will use the <code>socket</code> way autentication: '''this makes sense cos user agent is <code>zabbix</code> and does not have home.''' This is the correct and most secure way.}}

== Monitor by SNMP protocol ==

Then in each monitor system, you shoul define a community word due ISP's always will punish if you used <code>public</code> and open SNMP to world, inclusivelly you shoul protect inside your private network too, so on each host to be monitored you shoul made those commands to configure SNMP (including the zabbix server) using the <code></code>:

<pre>
<nowiki>
apk add net-snmp net-snmp-libs net-snmp-agent-libs net-snmp-perl net-snmp-tools

cat > /etc/snmp/snmpd.conf << EOF
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity monitor
rocommunity public localhost
rocommunity public default -V systemonly
sysLocation client host at monitor.zabbixnetwork
sysContact infoadmin <venenux@venenux.net>
sysServices 72
EOF

rc-update add snmpd default

rc-service snmpd restart
</nowiki>
</pre>

This will allow to any host consult SNMP v2c with word "monitor", but is best you use if have distributed network a SNMP v3 autentiated.

{{Warning|So in zabbix web ui you must use "monitor" in the community word.}}

== DB monitoring ==

Due limitations any host server that will have and database, must have and agent aither have behind or not have direct zabbix server/proxy connection.

In this case we used Mysql as example

=== on the monitored side: DBMS server to monitor ===

<pre>
<nowiki>
apk add zabbix-agent

sed -i 's|.*ListenPort.*=.*|ListenPort=10050|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|.*Hostname=.*|Hostname=theDBserver|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|Server =.*|Server=monitor.zabbixnetwork|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|ServerActive.*=.*|ServerActive=monitor.zabbixnetwork|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|.*EnableRemoteCommands.*=.*|EnableRemoteCommands=1|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|.*LogRemoteCommands.*=.*|LogRemoteCommands=1|g' /etc/zabbix/zabbix_agentd.conf
sed -i 's|# Include=|Include=/etc/zabbix/zabbix_agentd.d/*.conf|g' /etc/zabbix/zabbix_agentd.conf

rc-update add zabbix-agentd default

rc-service zabbix-agentd restart

apk add mariadb-client

wget -O /etc/zabbix/zabbix-agent/userparameter_mysql.conf "https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/conf/zabbix_agentd/userparameter_mysql.conf?at=release/5.0"

mysql -u root -e "CREATE USER 'zabbix'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('zabbix.db.1.com.1');"
mysql -u root -e "GRANT USAGE,REPLICATION CLIENT,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'zabbix'@'localhost';"
</nowiki>
</pre>

{{Note|The configured hostname in agent here is <nowiki>theDBserver</nowiki>, you can use the ip address too, but this name must be the same in the config files for active or passive host configured in the web ui, if the agent way will be used to monitor this server host.}}

{{Warning|An new issue of missing files is on alpine zabbix packages so read [https://gitlab.alpinelinux.org/alpine/aports/-/issues/12791 <nowiki>https://gitlab.alpinelinux.org/alpine/aports/-/issues/12791</nowiki>], for files that you could download manually}}

=== on the zabbix server side: to configure the monitored host ===

Use the ''template DB mysql'' o ''DB postgresql'' on the configured host and remenber that hostname in the configured host must be the same in the hostname configured in the agent configuration file of the monitored host.

For most details check the next section crash course:

= Optional: Crash course in adding hosts, checks, and notifications =

''Note:'' This is optional since it's not specific to Alpine Linux, but I wanted a couple notes for how to perform a simple check on a server that doesn't have the agent installed on it, and be notified on state changes.

Administration -> Media Types -> Email
* Setup server, helo, email from address

Administration -> Users
* Setup each user who'll get notified, make sure they have media type "Email" added with their address

Configuration -> Hosts -> Create host
* In Linux Servers hostgroup
* Define dns name, ip, connect by IP
* If the machine is a simple networking device that will only be monitored using SNMP, add it to Template_SNMPv2_Device, and you're done.

Configuration -> Templates -> Create template
* Give it a name (Template_Alpine_Linux_Infra_HTTP)
* In Templates group

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Items
* Create Item
* Host: Template_Alpine_Linux_Infra_HTTP
* Description: HTTP Basic Check
* Type: Simple_check
* Key: http,80

Configuration -> Templates -> Template_Alpine_Linux_Infra_HTTP -> Triggers
* Create Trigger
* Name: "HTTP Trigger"
* Expression: {Template_Alpine_Linux_Infra_HTTP:http,80.last(0)}#1
* Severity: High

Configuration -> Actions ->
* Create Action
* name: Email notifications
* Event source: triggers
* Default Subject: add "{HOST.DNS}:" to the beginning
* Default message: add "{HOST.DNS}:" to the beginning
* Conditions: make host have to be from "Linux Servers" hostgroup, and Template_Alpine_Linux_Infra_HTTP:HTTP trigger" is not 1
* Email affected users

== See also ==

* [[Cacti:_traffic_analysis_and_monitoring_network]]

== External resources and complete guides ==

* [http://qgqlochekone.blogspot.com/search/?q=zabbix Complete alpine documentation on englilsh for zabbix curse]
* [https://vegnuli.wordpress.com/?s=zabbix Complete alpine documentation on spanish for zabbix curse]

[[Category:Monitoring]]
[[Category:PHP]]
[[Category:SQL]]

MediaWiki:Copyright

2021-01-12T23:14:43Z

Nangel: Update Copyright notice to 2021

<div align="right"><div id="footer-inner">
<a href="Privacy_Policy#Copyright">© Copyright 2008-2021 Alpine Linux Development Team</a>
all rights reserved </div></div>

Alpine Linux:Releases

2020-10-21T11:46:28Z

Nangel:

There are several releases of Alpine Linux available at the same time. There is no fixed release cycle but typically every 6 month we make a snapshot of '''[[Edge|edge]]''' and make a release. We support the main repository for each stable release for a certain amount of time, normally for 2 years. We can do security fixes beyond that on request and when patches are available.

The latest release of Alpine Linux is: '''3.12.1''' [https://alpinelinux.org/posts/Alpine-3.12.1-released.html Release notes], [http://git.alpinelinux.org/cgit/aports/log/?h=v3.12.1 git log]

{| cellpadding="5" border="1" class="wikitable"
|-
! Branch
! Branch Date
! Latest Release
! Previous minor releases
! Directory name
! Updates
! End of Support
|-
| '''[[edge]]'''
| current
| rolling
| -
| [http://dl-cdn.alpinelinux.org/alpine/edge/ edge]
| development
| n/a
|-
| '''v3.12'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.11-stable 2020-05-29]
| [http://alpinelinux.org/posts/Alpine-3.12.1-released.html 3.12.1]
| [http://alpinelinux.org/posts/Alpine-3.12.0-released.html 3.12.0]
| [http://dl-cdn.alpinelinux.org/alpine/v3.12/ v3.12]
| bug fixes
| 2022-05-01
|-
| '''v3.11'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.11-stable 2019-12-19]
| [http://alpinelinux.org/posts/Alpine-3.11.6-released.html 3.11.6]
| [http://alpinelinux.org/posts/Alpine-3.11.0-released.html 3.11.0], [http://alpinelinux.org/posts/Alpine-3.11.2-released.html 3.11.2], [http://alpinelinux.org/posts/Alpine-3.11.3-released.html 3.11.3], [http://alpinelinux.org/posts/Alpine-3.11.5-released.html 3.11.5]
| [http://dl-cdn.alpinelinux.org/alpine/v3.11/ v3.11]
| security fixes only
| 2021-11-01
|-
| '''v3.10'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.10-stable 2019-06-19]
| [http://alpinelinux.org/posts/Alpine-3.9.6-and-3.10.5-released.html 3.10.5]
| [http://alpinelinux.org/posts/Alpine-3.10.0-released.html 3.10.0], [http://alpinelinux.org/posts/Alpine-3.10.1-released.html 3.10.1], [http://alpinelinux.org/posts/Alpine-3.10.2-released.html 3.10.2], [http://alpinelinux.org/posts/Alpine-3.10.3-released.html 3.10.3]
| [http://dl-cdn.alpinelinux.org/alpine/v3.10/ v3.10]
| security fixes only
| 2021-05-01
|-
| '''v3.9'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.9-stable 2019-01-29]
| [http://alpinelinux.org/posts/Alpine-3.9.6-and-3.10.5-released.html 3.9.6]
| [http://alpinelinux.org/posts/Alpine-3.9.0-released.html 3.9.0], [http://alpinelinux.org/posts/Alpine-3.9.1-released.html 3.9.1], [http://alpinelinux.org/posts/Alpine-3.9.2-released.html 3.9.2], [http://alpinelinux.org/posts/Alpine-3.9.3-released.html 3.9.3], [http://alpinelinux.org/posts/Alpine-3.9.4-released.html 3.9.4]
| [http://dl-cdn.alpinelinux.org/alpine/v3.9/ v3.9]
| security fixes only
| 2020-11-01
|-
| '''v3.8'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.8-stable 2018-06-26]
| [http://alpinelinux.org/posts/Alpine-3.8.2-released.html 3.8.2]
| [http://alpinelinux.org/posts/Alpine-3.8.0-released.html 3.8.0], [http://alpinelinux.org/posts/Alpine-3.8.1-released.html 3.8.1]
| [http://dl-cdn.alpinelinux.org/alpine/v3.8/ v3.8]
| on request only
| 2020-05-01

|-
| '''v3.7'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.7-stable 2017-11-30]
| [http://alpinelinux.org/posts/Alpine-3.7.0-released.html 3.7.0]
| -
| [http://dl-cdn.alpinelinux.org/alpine/v3.7/ v3.7]
| on request only
| 2019-11-01
|-
| '''v3.6'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.6-stable 2017-05-24]
| [http://alpinelinux.org/posts/Alpine-3.6.2-released.html 3.6.2]
| [http://alpinelinux.org/posts/Alpine-3.6.0-released.html 3.6.0], [http://alpinelinux.org/posts/Alpine-3.6.1-released.html 3.6.1]
| [http://dl-cdn.alpinelinux.org/alpine/v3.6/ v3.6]
| on request only
| 2019-05-01
|-
| '''v3.5'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.5-stable 2016-12-22]
| [http://alpinelinux.org/posts/Alpine-3.5.2-released.html 3.5.2]
| [http://alpinelinux.org/posts/Alpine-3.5.0-released.html 3.5.0], [http://alpinelinux.org/posts/Alpine-3.5.1-released.html 3.5.1]
| [http://dl-cdn.alpinelinux.org/alpine/v3.5/ v3.5]
| on request only
| 2018-11-01
|-
| '''v3.4'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.4-stable 2016-05-31]
| [http://alpinelinux.org/posts/Alpine-3.4.6-released.html 3.4.6]
| [http://alpinelinux.org/posts/Alpine-3.4.0-released.html 3.4.0], [http://alpinelinux.org/posts/Alpine-3.4.1-released.html 3.4.1], [http://alpinelinux.org/posts/Alpine-3.4.2-released.html 3.4.2], [http://alpinelinux.org/posts/Alpine-3.4.3-released.html 3.4.3], [http://alpinelinux.org/posts/Alpine-3.4.4-released.html 3.4.4], [http://alpinelinux.org/posts/Alpine-3.4.5-released.html 3.4.5]
| [http://dl-cdn.alpinelinux.org/alpine/v3.4/ v3.4]
| on request only
| 2018-05-01
|-
| '''v3.3'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.3-stable 2016-01-06]
| [http://alpinelinux.org/posts/Alpine-3.3.3-released.html 3.3.3]
| [http://alpinelinux.org/posts/Alpine-3.3.0-released.html 3.3.0], [http://alpinelinux.org/posts/Alpine-3.3.1-released.html 3.3.1], [http://alpinelinux.org/posts/Alpine-3.3.2-released.html 3.3.2]
| [http://nl.alpinelinux.org/alpine/v3.3/ v3.3]
| on request only
| 2017-11-01
|-
| '''v3.2'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.2-stable 2015-05-26]
| [http://alpinelinux.org/posts/Alpine-3.2.3-released.html 3.2.3]
| [http://alpinelinux.org/posts/Alpine-3.2.0-released.html 3.2.0], [http://alpinelinux.org/posts/Alpine-3.2.1-released.html 3.2.1], [http://alpinelinux.org/posts/Alpine-3.2.2-released.html 3.2.2]
| [http://nl.alpinelinux.org/alpine/v3.2/ v3.2]
| on request only
| 2017-05-01
|-
| '''v3.1'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.1-stable 2014-12-10]
| [http://alpinelinux.org/posts/Alpine-3.1.4-released.html 3.1.4]
| [http://alpinelinux.org/release-3.1.0 3.1.0], [http://alpinelinux.org/release-3.1.1 3.1.1], [http://alpinelinux.org/posts/Alpine-3.1.2-released.html 3.1.2], [http://alpinelinux.org/posts/Alpine-3.1.3-released.html 3.1.3]
| [http://nl.alpinelinux.org/alpine/v3.1/ v3.1]
| on request only
| 2016-11-01
|-
| '''v3.0'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.0-stable 2014-06-04]
| [http://alpinelinux.org/release-3.0.6 3.0.6]
| [http://alpinelinux.org/release-3.0.0 3.0.0], [http://alpinelinux.org/release-3.0.1 3.0.1], [http://alpinelinux.org/release-3.0.2 3.0.2], [http://alpinelinux.org/release-3.0.3 3.0.3], [http://alpinelinux.org/release-3.0.4 3.0.4], [http://alpinelinux.org/release-3.0.5 3.0.5]
| [http://nl.alpinelinux.org/alpine/v3.0/ v3.0]
| on request only
| 2016-05-01
|-
| '''v2.7'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.7-stable 2013-11-08]
| [http://alpinelinux.org/release-2.7.9 2.7.9]
| [http://alpinelinux.org/release-2.7.0 2.7.0], [http://alpinelinux.org/release-2.7.1 2.7.1], [http://alpinelinux.org/release-2.7.2 2.7.2], [http://alpinelinux.org/release-2.7.3 2.7.3], [http://alpinelinux.org/release-2.7.4 2.7.4], [http://alpinelinux.org/release-2.7.5 2.7.5], [http://alpinelinux.org/release-2.7.6 2.7.6], [http://alpinelinux.org/release-2.7.7 2.7.7], [http://alpinelinux.org/release-2.7.8 2.7.8]
| [http://nl.alpinelinux.org/alpine/v2.7/ v2.7]
| on request only
| 2015-11-01
|-
| '''v2.6'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.6-stable 2013-05-17]
| [http://alpinelinux.org/release-2.6.6 2.6.6]
| [http://alpinelinux.org/release-2.6.0 2.6.0], [http://alpinelinux.org/release-2.6.1 2.6.1], [http://alpinelinux.org/release-2.6.2 2.6.2], [http://alpinelinux.org/release-2.6.3 2.6.3], [http://alpinelinux.org/release-2.6.4 2.6.4], [http://alpinelinux.org/release-2.6.5 2.6.5]
| [http://nl.alpinelinux.org/alpine/v2.6/ v2.6]
| on request only
| 2015-05-01
|-
| '''v2.5'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.5-stable 2012-11-07]
| [http://alpinelinux.org/release-2.5.4 2.5.4]
| [http://alpinelinux.org/release-2.5.0 2.5.0], [http://alpinelinux.org/release-2.5.1 2.5.1], [http://alpinelinux.org/release-2.5.2 2.5.2], [http://alpinelinux.org/release-2.5.3 2.5.3]
| [http://nl.alpinelinux.org/alpine/v2.5/ v2.5]
| on request only
| 2014-11-01
|-
| '''v2.4'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.4-stable 2012-05-02]
| [http://alpinelinux.org/release-2.4.11 2.4.11]
| [http://alpinelinux.org/node/13811 2.4.0], [http://alpinelinux.org/node/13812 2.4.1], [http://alpinelinux.org/node/13845 2.4.2], [http://alpinelinux.org/node/13906 2.4.3], [http://alpinelinux.org/release-2.4.4 2.4.4], [http://alpinelinux.org/release-2.4.5 2.4.5], [http://alpinelinux.org/release-2.4.6 2.4.6], [http://alpinelinux.org/release-2.4.7 2.4.7], 2.4.8, [http://alpinelinux.org/node/14664 2.4.9], [http://alpinelinux.org/release-2.4.10 2.4.10]
| [http://nl.alpinelinux.org/alpine/v2.4/ v2.4]
| on request only
| 2014-05-01
|-
| '''v2.3'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.3-stable 2011-11-01]
| [http://alpinelinux.org/node/13503 2.3.6]
| [http://alpinelinux.org/node/6841 2.3.0], [http://alpinelinux.org/node/6866 2.3.1], [http://alpinelinux.org/node/6911 2.3.2], [http://alpinelinux.org/node/6999 2.3.3], [http://alpinelinux.org/node/13466 2.3.4 & 2.3.5]
| [http://nl.alpinelinux.org/alpine/v2.3/ v2.3]
| on request only
| 2013-11-01
|-
| '''v2.2'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.2-stable 2011-05-03]
| [http://alpinelinux.org/node/6455 2.2.3]
| [http://alpinelinux.org/node/5237 2.2.0], [http://lists.alpinelinux.org/alpine-devel/1618.html 2.2.1], [http://alpinelinux.org/node/5955 2.2.2]
| [http://nl.alpinelinux.org/alpine/v2.2/ v2.2]
| on request only
| 2013-05-01
|-
| '''v2.1'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.1-stable 2010-11-01]
| [http://alpinelinux.org/node/5236 2.1.6]
| [[Release_Notes_for_Alpine_2.1.0|2.1.0]], [[Release_Notes_for_Alpine_2.1.1|2.1.1]], [[Release_Notes_for_Alpine_2.1.2|2.1.2]], [[Release_Notes_for_Alpine_2.1.3|2.1.3]], [http://alpinelinux.org/node/5230 2.1.4], [http://alpinelinux.org/node/5235 2.1.5]
| [http://nl.alpinelinux.org/alpine/v2.1/ v2.1]
| on request only
| 2012-11-01
|-
| '''v2.0'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.0-stable 2010-08-16]
| [http://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_2.0.3 2.0.3]
| [[Release_Notes_for_Alpine_2.0.0|2.0.0]], [[Release_Notes_for_Alpine_2.0.1|2.0.1]], [[Release_Notes_for_Alpine_2.0.2|2.0.2]]
| [http://nl.alpinelinux.org/alpine/v2.0/ v2.0]
| on request only
| 2012-04-01
|}

An archive for [[older releases]] is also available.

Category talk:Wiki

2020-10-17T19:47:00Z

Nangel: Answer question - Mark page for deletion.

I am interested in installing polyml on Alpine x86
I notice there is a package in testing, but it fails to install since it seems to require some 64-bit libraries.
There is no maintainer listed, so my question is:
How could I become maintainer so I can fix that package?
I will build polyml from source to do that.

Hi - This is a good place to start: https://wiki.alpinelinux.org/wiki/Alpine_newbie_developer

OrenHumphery962

2020-09-13T14:18:08Z

Nangel: Nangel moved page OrenHumphery962 to Spam

#REDIRECT [[Spam]]

User:OrenHumphery962

2020-09-13T14:17:53Z

Nangel: Nangel moved page User:OrenHumphery962 to OrenHumphery962

#REDIRECT [[OrenHumphery962]]

Setting up a laptop

2020-04-26T21:45:39Z

Nangel:

{{Draft}}

This guide is about a project to create a '''secured laptop'''. For this project we take in consideration ways to extend battery life. It covers tools and daemons that are must haves for a laptop setup.

== Guide features ==

*Deniable full disk encryption
*Two factor authentication (physical object (USB key), mind)
*Encrypted swap and hibernation
*Encrypted home on top of encrypted drive
*Memory sanitation
*Dynamic power modes
*Feature keys support

== Rubberhose Attack ==

Just a reminder that all attacks are subjected to the Rubberhose Attack dilemma, you either give up your encryption keys or be tortured with a rubberhose with the possibly of death. See [https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis Wikipedia article]. We try to present [https://en.wikipedia.org/wiki/Deniable_encryption deniable encryption (Wikipedia)] to avoid a rubberhose attack scenario. In this article we use the words plausible deniability interchangeably with deniable encryption. To achieve this we use a facade and require no metadata fingerprints to expose or hint of encrypted or hidden containers or hint as in detect of existence of an encrypted disk. The keys should be stored using steganography where we dilute the randomness into the facade. It also requires you not to brag about encryption or mention it because that is an invitation for the attacker to torture the victim. Deniable encryption requires you not put encrypted as an entry title to your bootloader. There shouldn't be an entry for your facade bootloader to the encrypted drive.

== Why full disk? ==

The full disk encryption provides sort of some plausible deniability or a valid alibi that you didn't encrypt it. Is the drive just random noise, broken, or is it really encrypted? The other reason is that it implies that everything is protected.

But there could be problems if not done right. For example, cryptsetup does leave a plaintext marking or some hints by default that it has been encrypted when using luks/luks2 mode if a detached header with option <code>--header <path></code> is not presented.[https://www.lisenet.com/2013/luks-add-keys-backup-and-restore-volume-header/][http://man7.org/linux/man-pages/man8/cryptsetup.8.html] To gain credibility that we didn't really do the encryption, you have to wipe the +3 MiB region based on the number of key slots used; or store the headers on an external device.

If you did deniable encryption incorrectly, it is possible to erase and restore the header. This presents an opportunity to improve obfuscation. When you pull out the USB key, it should erase the header but store it on the USB key atomically as in completely. If you plug in the USB key, it will restore back the header. cryptsetup has luks actions luksHeaderBackup and luksHeaderRestore to do this.

== Starting at the beginning ==

Grab a USB thumb drive with Alpine. Set it up as usual but don't let it touch your drive yet. Then, install all the tools into memory ramdisk but not in the hard drive yet. The hard drive will be obliterated.

You will then install Alpine using the steps:

First you need WiFi, to get it run do the command below but say no or skip the hard drive setup stuff:

setup-alpine

Then, you need to install some tools into RAM temporarly:
apk add e2fsprogs grub grub-bios grub-efi mkinitfs nano

== Randomizing the drive with pseudorandom urandom entropy ==

The first part is to erase the drive with random noise but in practical time. There are many techniques to do this but should be done in one day or two minimum.

You can use shred or dd to accomplish this depending on your needs and the availability of entropy. Some techniques take longer. Cryptologist Bruce Schneier recommended 7 times with specified pattern. See [https://en.wikipedia.org/wiki/Data_erasure Wikipedia Article]. For practical purposes, we just do it random in one pass. It should be random so that the facade of random noise hides the encrypted data which resembles noise.

To list the drives on the system do <code>fdisk -l</code>.

'''IMPORTANT: make sure you wipe the right specific drive.'''

To wipe the disk with random entropy do:

dd if=/dev/urandom of=/dev/sda

== Creating GPG keys ==

'''As of this time, Alpine's mkinitfs does only one factor authentication with passphrase.''' You need to manually edit the initramfs-init.in in mkinitfs to support two factor authentication using cryptsetup.

After you have scrambled the drive, you want to create your GPG keys. You will use these keys to set the password(s) for your cryptsetup-luks partitions. These keys should be stored on a USB thumb drive or other memory device but should not be on the USB boot thumb drive or on the encrypted drive. The key should be a random 128 bit key wrapped in GPG and protected with a password.

If you are using x, you need to do <code>sudo apk add pinentry-gtk</code> to display password prompt properly for the next step.

To install openssl and gpg do:

apk add openssl gnupg

Then, to generate a key:

export GPG_TTY=$(tty) && openssl rand -base64 512 | gpg --symmetric --cipher-algo aes --armor > /mnt/usb/$(openssl rand -hex 12)

(Make sure your usb is mounted on /mnt/usb first.)

The long file name comes from <code>openssl rand -hex 12</code> so that we enhance plausible deniability. The attacker cannot determine the purpose of the key. Is it used for GitHub? for Email?

The first part will produce 512 random bytes in wrap it in base64. The random data will be piped to gpg which will wrap it in AES as ciphertext which again gets wrapped in base64 ascii armor. For every partition including swap in some cases, you should create more gpg keys and store them in your USB thumb drives. After you have produced your gpg keys, you will then use them as a password for cryptsetup/luks.

You can replace aes above with the ones listed in <code>gpg --version</code>.

There should be a password generated for the swap. This is to resume for your hibernate. If you don't want to hibernate, then password is not required and all you need to do is to create/format the partition each time you boot without a password or with a one time random password.

== Hiding the keys using steganography ==

''WARNING:'' This section is considered experimental. It requires the tool and the dependencies to be placed on another USB separate from the key files, the bootloaders, and encrypted disks. The tool and dependencies need to be packaged together. We decentralize these components so that the attacker doesn't connect the dots easily or immediately jumps to the conclusion for the requirements to decrypt. Steghide automatically uses 128-bit AES in CBC mode to encrypt data. This can be change if you don't like or trust AES with the -e option. Use <code>steghide encinfo</code> for other ciphers and modes.

Fortunately, Alpine has a package for steganography called steghide. To install steghide do:

apk add steghide

You will place the keyfile in an image file. The facade image file should be large enough that there is no apparent discernible difference between the original and the modified. Do not use a small image with a small filesize.

As mentioned previously luks headers could be 3MB large or more and an jpeg image file is not suitable. Use another format like .au/.wav or another steganography utility that handles mp3s. The mp3/wav should be fairly large enough to dilute the header. So, something with long content is suitable.

There are two basic commands to use with steghide embed and extract,

To embed do:

steghide embed -ef key.gpg -cf image.jpg

To extract do:

steghide extract -xf key.gpg -sf image.jpg

To get a file list of files to ship out, use:

apk info -L libgcc libmcrypt libmhash libstdc++ libjpeg-turbo steghide

== Full disk encryption with with cryptsetup-luks volumes ==

=== Partitioning scheme ===

This section presents a conceptual layout. It should not be a knee-jerk approval to automatically use the partition tool which would compromise your plausible deniability.

For the facade, we use an Ubuntu Live CD (or less skilled distro) to present the impression that we are not sophisticated or tech savvy enough to implement encryption. Windows is also acceptable even better. The immutable Live CD and immutable partition ensures that you are not compromised by a third party attacker that implants evidence.

There could be possibly two bootloaders, one for the facade and the other to the encrypted drive stored on an external device.

==== Luks ====

Plausible deniability only works if you can demonstrate no existence of partitions 2, 3, 4 and no fingerprints/plaintext introduced by cfdisk and cryptsetup-luks. Use something like TestDisk, fdisk -l, or gparted and a disk editor (hex editor for disks).

{| cellpadding="5" border="1" class="wikitable"
!#
!Name
!Mount point
!Notes
|-
| 1
| facade
| /
| (optional) The facade partition contains a pristine normal operating system or Ubuntu Live CD image to lure the attacker in attempt to boost the confidence of the attacker convincing them that there is no encryption on the device.
|-
| 2
| swap
|
| It should be the same size as your ram for x86_64. Rationale: it should contain the whole ram image.
|-
| 3
| root
| /
|
|-
| 4
| rescue
| /
| This should contain the Alpine image.
|-
|}

==== Plain dm-crypt ====

Plausible deniability only works if you are able to present #2 as being unused space or untampered. To check use something like TestDisk, gparted and a disk editor (hex editor for disks).

{| cellpadding="5" border="1" class="wikitable"
!#
!Name
!Mount point
!Notes
|-
| 1
| facade
| /
| (optional) The facade partition contains a pristine normal operating system or Ubuntu Live CD image to lure the attacker in attempt to boost the confidence of the attacker convincing them that there is no encryption on the device.
|-
| 2
| vgroot
|
|
|-
| 2_1
| vgroot-root
| /
|
|-
| 2_2
| vgroot-swap
|
| It should be the same size as your ram for x86_64. Rationale: it should contain the whole ram image.
|-
| 2_3
| vgroot-rescue
| /
| This should contain the Alpine image.
|-
|}

=== Installing cryptsetup ===

To install cryptsetup you need the package below

apk add cryptsetup

=== Choosing ciphers ===

When you create your luks drives, you need to decide on the type of ciphers and hashing techniques to use. The ciphers that you want to use are ones are up to you, but it should be one that is hasn't been cracked yet or has not suffered a lot of cryptanalysis attacks. The ones that you might want to use is AES which is hardware accelerated in some Intel CPUs that have the AES-NI cpuflag which you can check by <code>cat /proc/cpuinfo</code>. Also consider the ciphers that are SIMD optimized such as serpent and twofish that are available in the Linux kernel. Also consider ciphers that are unpopular but known to be secure such as Blowfish (which Wikipedia claims to be attacked and the author recommended Twofish).[https://en.wikipedia.org/wiki/Cipher_security_summary] If it is hardware accelerated, it will save battery life and minimize CPU usage.

For some ciphers weakness also see [https://en.wikipedia.org/wiki/Cipher_security_summary Cipher security summary (Wikipedia)].

For some hash function weaknesses also see [https://en.wikipedia.org/wiki/Hash_function_security_summary Hash function security summary (Wikipedia)].

Generally speaking, the swap partition should use a fast cipher. You want to lower the latency or delay of the memory subsystem as a consequence of being encrypted.

'''IMPORTANT:''' Please read the [[Setting_up_a_laptop#Important_notes | Important notes]] section for details about the problems with AES encryption.

If you don't trust AES shills and endorsed by the NSA, you can try another different one. Another advantage of using a public vetted cipher is that it provides confidence that it works.

Something like KHAZAD wouldn't work on <code>cryptsetup benchmark</code>. KHAZAD itself is insecure. Wikipedia reported 5 out of 8 rounds been cracked.[https://en.wikipedia.org/wiki/KHAZAD]

For AES-128 7 out of 10, AES-192 8 out of 12, AES-256-bit 9 out 14 rounds have been cracked according to Wikipedia.[https://en.wikipedia.org/wiki/Advanced_Encryption_Standard]

'''IMPORTANT: Do not use sha1 as the hashing algorithm.''' It already has already been compromised.

=== Getting the available ciphers ===

To check the availability of a cipher or hash function use:
find $(find /lib/modules -name "crypto" -type d) -type f -name "*.ko" | sort

To check if a cipher is loaded and passed its own tests use:
cat /proc/crypto

To test some popular ciphers and hashes do:

cryptsetup benchmark

The top set is associated with the hashing algorithms. The bottom set are the ciphers. Use the commands below but replace the cipher and/or hash algorithm with your preferences.

<code>cryptsetup benchmark</code> actually doesn't show all the ciphers like Anubis. The cipher should also have CBC and/or XTS block cipher mode of operation to encrypt larger block sizes. AES for example has a block size of 128.

To test if the unpopular but uncracked cipher works use sometime like:
cryptsetup benchmark --cipher anubis

=== General steps for cryptsetup ===

==== Original method with fdisk with no plausible deniability ====

In this method <code>--type luks</code> is implied which generates metadata.

If you want plausible deniability for luks, you need to pass <code>--header <path></code> to all the luks commands, where <code><path></code> is a unix path like /mnt/usb/d6ae10eda66704c8. The random name comes from <code>openssl rand -hex 8</code>. The header is transferred to the external device (but no mention of the key slot area but ciphertext being transferred) in the man page. The information in that file should be obfuscated with encryption if there is plaintext or fingerprint in it just in case. Then, it should be decrypted when reused.

You need to install cfdisk if you prefer the interactive ncurses console method:

apk add cfdisk

{|| cellpadding="5" border="1" class="wikitable"
!#
!Step
!Command
|-
| 1
| Use cfdisk to create partitions. Make two partitions--a system partition and a swap partition
| <code><nowiki>cfdisk</nowiki></code>
|-
| 2
| Create and format the luks device
| <code><nowiki>cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda1 /mnt/usb/$(ls)</nowiki></code>
|-
| 3
| Open the luks device
| <code><nowiki>cryptsetup --key-file /mnt/usb/$(ls) luksOpen /dev/sda1 root</nowiki></code>
|-
| 4
| Format the decrypted drive with filesystem
| <code>mkfs.ext4 /dev/mapper/root</code>
|-
| 5
| Create the mount point
| <code>mkdir -p /mnt/root</code>
|-
| 6
| Mount the root partition
| <code>mount /dev/mapper/root /mnt/root</code>
|-
| 7
| Create swap
| cryptsetup -c blowfish -h sha256 -d /dev/urandom --key-file /mnt/usb/59022506d9f4a714 create swap /dev/sda2
|-
| 8
| Use swap
| mkswap /dev/mapper/swap && swapon /dev/mapper/swap
|}

==== Improved method with plausible deniability ====

This method requires lvm2. To install:

apk add lvm2

{|| cellpadding="5" border="1" class="wikitable"
!#
!Step
!Command
|-
| 1
| Open the ''plain dm-crypt'' device generating no metadata
| <code><nowiki>cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --key-file /mnt/usb/$(ls) /dev/sda pvroot</nowiki></code>
|-
| 2
| Physical volume create with LVM
| <code><nowiki>pvcreate /dev/mapper/pvroot</nowiki></code>
|-
| 3
| Volume group create with LVM
| <code><nowiki>vgcreate vgroot /dev/mapper/pvroot</nowiki></code>
|-
| 4
| Logical volume create the swap volume with LVM
| <code><nowiki>lvcreate -L 4G vgroot -n swap</nowiki></code>
|-
| 5
| Logical volume create the root volume with LVM
| <code><nowiki>lvcreate -L 2T vgroot -n root</nowiki></code>
|-
| 6
| Logical volume create the rescue volume with LVM
| <code><nowiki>lvcreate -L 110M vgroot -n rescue</nowiki></code>
|-
| 7
| Format the root volume with filesystem
| <code>mkfs.ext4 /dev/mapper/vgroot-root</code>
|-
| 8
| Format the swap volume and activate it
| <code>mkswap /dev/mapper/vgroot-swap && swapon /dev/mapper/vgroot-swap</code>
|-
| 9
| Format the rescue volume with filesystem
| <code>mkfs.ext4 /dev/mapper/vgroot-rescue</code>
|-
| 10
| Create mount point for root volume
| <code>mkdir -p /mnt/root</code>
|-
| 11
| Mount the root volume
| <code>mount /dev/mapper/vgroot-root /mnt/root</code>
|-
|}

=== Configuring OpenRC dmcrypt and setting up fstab ===

You need to tell OpenRC init scripts to decrypt the volumes. See <code>/etc/conf.d/dmcrypt</code>.

You need to add the service to boot well because it needs to decrypt the root volume before OpenRC starts running commands from it. So you need to do:

rc-update add dmcrypt boot

==== /etc/init.d/dmcrypt ====
The dmcrypt OpenRC service will attempt to decrypt the drive using information provided in ''/etc/conf.d/dmcrypt''.

For ''luks'':

{{Cat|/etc/conf.d/dmcrypt|<nowiki>
# Mounting root may not be necessary since it is already mounted.
target=root
source='/dev/sda1'
key='/mnt/usb/2a667ec72774b0d5'

swap=swap
source='/dev/sda2'
key='/mnt/usb/59022506d9f4a714'
</nowiki>}}

For ''plain dm-crypt'':

{{Cat|/etc/conf.d/dmcrypt|<nowiki>
# Mounting root is likely not required since you already mounted it before OpenRC starts to do its thing.
target=root
source='/dev/sda'
key='/mnt/usb/2a667ec72774b0d5'
options='--type plain --cipher aes-cbc-essiv:sha256 --key-size 256'

swap=swap
source='/dev/sda2'
key='/mnt/usb/59022506d9f4a714'
pre_mount='vgchange -ay vgroot ; lvchange -ay vgroot/swap'
</nowiki>}}

dm-crypt will just mount the encrypted ''plain dm-crypt'' drive or the ''luks'' partition. What you need to do next is set up fstab located at /etc/fstab. Examples are shown below.

==== /etc/fstab ====

To mount ''plain dm-crypt'' device with fstab:

{{Cat|/etc/fstab|
/dev/sdb /boot ext4 defaults 0 0
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap none swap sw 0 0
}}

To mount ''lvm'' volumes with fstab:

{{Cat|/etc/fstab|
/dev/sdb /boot ext4 defaults 0 0
/dev/mapper/vgroot-root / ext4 defaults 0 1
/dev/mapper/vgroot-swap none swap sw 0 0
}}

=== How to recover from a bad setup ===

Many times you will not get it right perfectly the first try. To recover from this situation, you need to reopen the ''plain dm-crypt'' drive or the ''luks'' drive and then remount everything back.

To recover from ''luks'':
cryptsetup --key-file /mnt/usb/2a667ec72774b0d5 luksOpen /dev/sda1 root
mkdir -p /mnt/root
mount /dev/mapper/root /mnt/root

To recover from the ''plain dm-crypt'':
cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --key-file /mnt/usb/$(ls) /dev/sda root
vgchange -ay vgroot
lvchange -ay vgroot/root
mkdir -p /mnt/root
mount /dev/mapper/vgroot-swap /mnt/root

== Next step: Full blown Alpine installation ==

We will setup the /mnt/root encrypted partition:
apk add --root=/mnt/root --initdb $(cat /etc/apk/world)

Then, enable edge repositories in both files including community and testing:
nano /etc/apk/repositories /mnt/root/etc/apk/repositories

Then, copy the necessary files:
cp /etc/resolv.conf /mnt/root/etc

Then, install the basic utils:
apk add --root=/mnt/root dhcpcd chrony networkmanager wireless-tools wpa_supplicant
apk add --root=/mnt/root grub mkinitfs e2fsprogs grub-bios grub-efi
apk add --root=/mnt/root sudo nano
apk add --root=/mnt/root linux-lts

Then, you need to mount your usb on to /boot:
mount /dev/sdb /boot

Edit grub:
nano /boot/grub/grub.cfg

Then, install grub on the usb:
grub-install --force /dev/sdb

Then, prepare chroot:
mount --bind /dev /mnt/root/dev
mount --bind /sys /mnt/root/sys
cp /etc/reslov.conf /mnt/root/etc

Then, chroot:
chroot /mnt/root /bin/sh

Set the root administrator password:
passwd

The root password should be very difficult to deter you from using it and force you to use sudo

Edit sudo so that wheel group has administrative :
EDITOR=nano visudo

Set:
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

Then, add wheel (administrator) user:
useradd -m myname
usermod -a -G video,audio,wheel myname

log in that user:
su myname

Then, update and upgrade it
sudo apk update
sudo apk upgrade

Then, setup xorg:
sudo setup-xorg-base
sudo apk search xf86-video | sort
# pick your video driver
sudo apk add xf86-video-adi
# pick your opengl driver
sudo apk search mesa-dri* | sort
sudo apk add mesa-dri-ati

Then, keep piling on:
sudo apk add firefox dwm xfce4-terminal alsa-utils keepassx xfce4 xchat
sudo apk add font-noto-emoji terminus-font leafpad xsetroot # See [[Emojis]] to complete installation
sudo apk add xf86-input-mouse xf86-input-keyboard

Then, set the desktop:
nano .xinitrc

Put both but comment with a # one of them if you don't want it,
#while true; do xsetroot -name "$( date +"%a %b %d %I:%M:%S %Y" )" ; sleep 1; done &
#exec dwm
exec xfce4-session

For the above xsetroot statement used to provide information in the statusbar for dwm, consider adding information about the battery level. This information can be found in sysfs at /sys/class/power_supply/BAT0/.

sync
sudo reboot

== Hacking mkinitfs to support cryptsetup with GPG keys ==

This section describes how to assemble a custom initscript chain in multiple parts. It could be extended with three-factor authentication which adds biometrics along side with mind and physical object.

Most entry to secure systems are not fully automated or do not allow things to quickly pass through freely and often guarded. This process may seem like a hassle, but it should dissuade the rubberhosers from jumping to the conclusion of the possibility of the existence of a encrypted drive.

Here is the steps required so that the facade initscripts and dependencies are free from encryption.
* You will separate and archive cryptsetup, ciphers kernel modules, hash function kernel modules, and any additional obfuscation dependencies, and another continuation initscript discussed below. You need to make sure that you copy /etc/mkinitfs/mkinitfs.conf to your home directory and strip out those features without those modules.
* You will hide this archive in a mp3 file with another tool you will package or you can use steghide's .au/.wav support, but .au seems too conspicuous or strange by current trends.

Here we try to clean up the facade so that it presents itself as free without cryptography. You need the following changes to your initramfs to avoid a sensitive rubberhoser:
* You will delete everything in the custom initramfs-init referring to encryption. This includes cryptroot, cryptdm, crypt-anything, etc init options.
* You need to delete references in nlplug-findfs to cryptsetup and recompile the mkinitfs package.
* You could program the init script to boot into a facade partition but drop into sh if a hidden special keypress sequence is met.

You need to create a custom init continuation script:
* Your initscript should drop into single mode which you will mount the encrypted path manually.
* You will manually steg-unhide the encrypted archive hidden in the mp3 file and extract it to the ramdisk.
* You will run the custom init continuation script manually.
* This custom init continuation will automate the process of extracting the gpg keys from another device and image files into the ramdisk. This will then automate the mounting of the encrypted drive. This resume continuation script should handle both cold boot and hibernate.
* You will finish resuming running the other half of mkinitfs-init or specifically where the points after where it typically will mount cryptsetup and hibernate devices.

If you use a USB keyboard, you will unlock the encrypted devices in early userspace. You will need to either compile the USB keyboard drivers in the kernel or you need to add additional modules when generating the mkinitfs. You will need the hid, hid-generic, ehci-hcd, uhci-hcd, usbcore driver and add those paths in a customized <code>/etc/mkinitfs/features.d/usb-keyboard.modules</code>. It should be separate from usb.modules because apk updates may overwrite it. Use the <code>lsmod</code> utility from the kmod package to find what drivers your USB keyboard uses.

You need to generate the final mkinitfs.
First you need the kernelversion to pass into mkinitfs. To obtain that information do <code>ls /lib/modules</code> which will show some folders. Once you found it pass it to mkinitrafs by doing and replacing kernelversion below:

sudo mkinitramfs -i $HOMEDIR/initramfs-init -c "$HOMEDIR"/mkinitfs.conf kernelversion

The $HOMEDIR should be replaced with the full path if you are not root.

== Install the bootloader in the USB thumb drive ==

To install grub, you need to install grub on the ramdisk first on the host.

apk add grub

To get a list of partitions

fdisk -l

Mount the boot partition in /boot

mount /dev/sdb /boot

Make changes to grub's configuration

nano /boot/grub/grub.cfg

'''You need to customize the initramfs in order to use GPG keys since there is no support from it.'''

The steps here below assumes that these custom initramfs features have been implemented.

The following boot loader settings is '''not sufficient''' for deniable encryption because it exposes the fact that an encrypted drive exists because an attacker can discover that encryption was used through the edit option of the grub menu. To protect yourself from a rubberhose attack, you really need to customize the initramfs so that references to anything mentioning encryption, ciphers, hashing are not explicitly mentioned. These configurations should be considered an intermediate form for used in debugging purposes. In addition, the attacker just can inspect grub.cfg files directly.

The following are just examples to just get it working but should be modified so that it doesn't hint to the rubberhoser of a hidden partition or encrypted partitions.

The entry should look like:

For 'luks'

{{cat|/boot/grub/grub.cfg|<nowiki>
default=0
timeout=0

menuentry 'Windows 10' {
set root=(hd0,2)
chainloader +1
}

menuentry 'Alpine Linux' {
set root=(hd1,1)
linux /vmlinuz-hardened root=/dev/mapper/root rw modules=sd-mod,usb-storage,ext4,dm-crypt,aes-x86_64,sha256-mb cryptroot=/dev/sda1 cryptdm=root
initrd /initramfs-hardened
}

menuentry 'Alpine Linux (Rescue)' {
set root=(hd1,1)
linux /vmlinuz-hardened root=/dev/mapper/root rw modules=sd-mod,usb-storage,ext4,dm-crypt,aes-x86_64,sha256-mb cryptroot=/dev/sda4 cryptdm=root
initrd /initramfs-hardened
}

if keystatus; then
if keystatus --ctrl; then
set timeout=-1
else
set timeout=0
fi
fi
</nowiki>}}

For 'plain dm-crypt':

The stock mkinitfs may not support plain dm-crypt. It looks like it only supports luks. Customization of the initramfs is required.

{{cat|/boot/grub/grub.cfg|<nowiki>
default=0
timeout=0

menuentry 'Windows 10' {
set root=(hd0,2)
chainloader +1
}

menuentry 'Alpine Linux' {
set root=(hd1,1)
linux /vmlinuz-hardened root=/dev/mapper/vgroot-root rw modules=sd-mod,usb-storage,ext4,dm-crypt,dm-mod,dm-snapshot,aes-x86_64,sha256-mb cryptroot=/dev/sda cryptdm=root
initrd /initramfs-hardened
}

menuentry 'Alpine Linux (Rescue)' {
set root=(hd1,1)
linux /vmlinuz-hardened root=/dev/mapper/vgroot-rescue rw modules=sd-mod,usb-storage,ext4,dm-crypt,dm-mod,dm-snapshot,aes-x86_64,sha256-mb cryptroot=/dev/sda cryptdm=rescue
initrd /initramfs-hardened
}

if keystatus; then
if keystatus --ctrl; then
set timeout=-1
else
set timeout=0
fi
fi
</nowiki>}}

The source code of grub could possibly be modified and recompiled to use other non-standard keys. See [https://github.com/lemenkov/grub2/blob/master/grub-core/commands/keystatus.c]. Ideally, it should be not so obvious or accessible for the attacker.

The above grub.cfg is applied to the USB bootloader. For the facade bootloader, you just want the Windows 10 or Ubuntu entry, nothing more.

For the modules parameter, you need to add your crypto modules.
Use <code>find /lib/modules/ -name "*aes*"</code> where aes is the basename for your cipher or hash algorithm
Use <code>blkid</code> to obtain the UUID of your device

Install it to your USB thumb drive

grub-install /dev/sdb

== Home mounting with eCryptfs ==

We use eCryptfs to encrypt home. The rationale for having another encrypted file system is that if you leave your laptop unattended on break or accidentally leave your USB key in, your data will not be accessible. The other rationale is that if another person wants to use your computer, you can just log off and the data will be kept hidden and encrypted. When you log off due to inactivity, your home directory will be unmounted and encrypted. eCryptfs will encrypt/decrypt the filename and the contents and will sit on top of ext4 which sits on top of luks.

To install ecryptfs-utils:

sudo apk add ecryptfs-utils

This does one factor authentication mostly with just the password, but it should be modified to use the USB key too. You need to reconfigure pam with the pam_usb.so which is not in Alpine aports.

You need to use the pam_ecryptfs PAM module.

== Locking it down ==

Many times you will leave your laptop behind with people you trust. The following tools will help lock down the system.

=== physlock ===

This will auto lock the tty and when you return will prompt for password.

To install physlock:

sudo apk add physlock

It is currently bugged. See [https://bugs.alpinelinux.org/issues/3282]. physlock likely doesn't do two-factor authentication but it should.

You need to create custom script that will monitor idle time in TTY then call physlock. You load this script when you log on.

=== xscreensaver ===

This will lock you out of xserver

To install xscreensaver:

sudo apk add xscreensaver

=== USB key udev rule ===

You need to add a new udev rule that will suspend-to-ram or hibernate and log off once you pull the USB key. When you come back on, you should do 2 factor authentication to restore back everything. Hibernation and suspend-to-ram might mitigate cold-boot attack (but unlikely see notes at the bottom of the page) to extract plaintext private data and encryption keys in memory.

To find out the details of your USB do:

udevadm monitor --udev -p

The output should look like:

<pre>
UDEV [181762.722853] add /devices/pci0000:00/0000:00:13.2/usb2/2-5/2-5:1.0/host6/target6:0:0/6:0:0:0/block/sdc (block)
ACTION=add
DEVLINKS=/dev/disk/by-id/usb-Kingston_MSFT_NORB_MSFTLAKDA300EB3021790009-0:0 /dev/disk/by-path/pci-0000:00:13.2-usb-0:5:1.0-scsi-0:0:0:0 /dev/disk/by-uuid/5A96-03E4
DEVNAME=/dev/sdc
DEVPATH=/devices/pci0000:00/0000:00:13.2/usb2/2-5/2-5:1.0/host6/target6:0:0/6:0:0:0/block/sdc
DEVTYPE=disk
ID_BUS=usb
ID_FS_TYPE=vfat
ID_FS_USAGE=filesystem
ID_FS_UUID=5A96-03E4
ID_FS_UUID_ENC=5A96-03E4
ID_FS_VERSION=FAT32
ID_INSTANCE=0:0
ID_MODEL=MSFT_NORB
ID_MODEL_ENC=MSFT\x20NORB\x20\x20\x20\x20\x20\x20\x20
ID_MODEL_ID=1645
ID_PATH=pci-0000:00:13.2-usb-0:5:1.0-scsi-0:0:0:0
ID_PATH_TAG=pci-0000_00_13_2-usb-0_5_1_0-scsi-0_0_0_0
ID_REVISION=PMAP
ID_SERIAL=Kingston_MSFT_NORB_MSFTLAKDA300EB3021790009-0:0
ID_SERIAL_SHORT=MSFTLAKDA300EB3021790009
ID_TYPE=disk
ID_USB_DRIVER=usb-storage
ID_USB_INTERFACES=:080650:
ID_USB_INTERFACE_NUM=00
ID_VENDOR=Kingston
ID_VENDOR_ENC=Kingston
ID_VENDOR_ID=0951
MAJOR=8
MINOR=32
SEQNUM=2027
SUBSYSTEM=block
USEC_INITIALIZED=1762722168
</pre>

You want to extract the <code>ID_SERIAL_SHORT=MSFTLAKDA300EB3021790009</code> or whatever is associated with your USB thumb drive.

You need pm-utils for ps-suspend. So to install it do:

sudo apk add pm-utils

You will create a udev rules so that when you pull out the USB, it will suspend-to-ram or you can use your own script. To do that create a file with the following contents:

{{Cat|/etc/udev/rules.d/50-usb-thumb-drive.rules|<nowiki>

ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_SERIAL_SHORT}=="MSFTLAKDA300EB3021790009", RUN+="/usr/sbin/pm-suspend"

</nowiki>}}

== Extending battery life ==

'''WARNING: If you do not use the proper mitigation for cold boot attack, you are better off auto-shutdowning the laptop instead of using suspend or hibernate.'''

=== ACPI ===

ACPI is a good daemon to use to execute certain scripts when laptop events are triggered.

To install ACPI do:

apk add acpi

The events to pay attention to are:

{| cellpadding="5" border="1" class="wikitable"
! Event
! ACPI Event
! What your script should do
|-
| lid close
|
| log off ttys and suspend-to-ram. ALSA should either set the volume to 0 for the sound card or the sound driver be unloaded. It might be a good idea to kill or mute any music or movie players if the sound loops loudly after lid open.
|-
| lid open
|
| lock all ttys and all xservers should be locked, possibly reinitialize ALSA and the sound system.
|-
| tapped power button
|
| lock all ttys and suspend-to-ram
|-
| held power button
|
| hibernate
|-
| unplugged power
|
| should switch to 'conservative' cpufreq governor at above 25% power ; 'powersave' governor at 25%. set hdparam spindown rate lower.
|-
| plugged power
|
| should switch to 'performance' governor. disable hdparam spindown.
|}

The purpose of the power governor is to regulate the running frequency (GHz) of the processor.

Certain event handlers are are managed through laptop-mode-tools. If you don't want the dependency, then you could write ACPI handler scripts.

<code>acpi_listen</code> can be used to retrieve the event name.

TODO: put scripts below

=== Adjusting the backlight dynamically ===

The backlight may be controlled using sysfs. The setting is a descendant of <code>/sys/class/backlight/</code>. The feature may allow you to echo a value to it. Use trial and error to discover the values.

The adjustment of the backlight should be function of battery life. So if it is like 33% battery life, you want to run it near lowest settings but readable. For 50 percent battery energy maybe 40% light. For 90% battery maybe 75% light.

=== hdparm ===

To install hdparam do:

sudo apk add hdparm

The settings that laptop-mode-tools messes with is the <code>-S</code> or the spindown timeout. It was also hinted that acoustic setting <code>-M</code> is associated with the speed meaning that louder is faster and quieter is slower which could contribute to the amount of energy used or reduced.

Again you want something like laptop-mode-tools or ACPI to dynamically adjust the settings based on ACPI events.

=== laptop-mode-tools ===

This is currently not in aports but worthy mentioning. It should really be packaged. This is a set of scripts to define a power policies. You can manage all the settings in one place here like the hard drive idle spindown time, CPU governor control, dynamic LCD backlight behavior based on running on battery or AC power supply.

=== cpufreqd ===

This is a useful daemon for regulating power.

To install cpufreqd do:

sudo apk add cpufreqd

Make sure you add the service:

sudo rc-update add cpufreqd

=== LCD screen refresh rate ===

The refresh rate sets the maximum framerate. The more frames pushed the more energy consumed on the battery. You want this adjusted dynamically per certain events. For gaming, you want it to be the highest as possible for the laptop and vsync off. For battery use and traveling, you want it capped at 60 FPS/60 Hz or lower but dynamically adjust when you plug in the AC power supply. You can adjust the framerate with xrandr. For movies and YouTube, you want 60FPS and vsync on.

== Hacking the kernel ==

You should refer to the [[Custom Kernel]] page for details.

== Hibernation ==

See [[Custom_Kernel#Hibernation_to_prevent_data_loss|Hibernation to prevent data loss]].

== WiFi management ==

Since you are using WiFi, you need a better WiFi management to quickly find open access WiFi access points. We don't have all day to debug complexities of WiFi settings while away from home.

To install NetworkManager do:

sudo apk add networkmanager

To find WiFi access points use the <code>nmtui</code> ncurses interface.

You also need other programs so install them as well:

apk add wpa-supplicant dhcpcd chrony macchanger wireless-tools iputils

What these programs do:

* wpa-supplicant -- for WPA encryption
* dhcpcd -- for getting a dynamic IP address
* chrony -- for fixing the time with the atomic clock
* wireless-tools -- for additional information
* macchanger -- for protecting against WiFi access discrimination or increased anonymity. (optional)
* iputils -- for the ping command (optional)

You also need to add those services:

rc-update add chrony
rc-update add wpa-supplicant
rc-update add dhcpcd
rc-update add networkmanager

To start the services manually (or just reboot):

/etc/init.d/chrony start
/etc/init.d/wpa-supplicant start
/etc/init.d/dhcpcd start
/etc/init.d networkmanager start

== Additional tools ==

=== actkbd ===

To control the sound with fn function keys, you need this daemon. It is currently not in aports. You could override the design and meaning of those keys with your own scripts and utilities. This daemon gives you that freedom.

If your laptop contains a brightness key, you want to set that up with this program. See also [[Setting_up_a_laptop#Adjusting_the_backlight_dynamically | Adjusting the backlight dynamically]].

=== secure-delete ===

Want to prevent cold-boot attack or decrypted keys in memory falling in the wrong hands? This maybe could work who knows? From research from cold boot attack, the data can actually stay in memory in minutes, just enough time for a hacker to copy the contents of the memory to a USB thumb drive.

To install secure-delete do:

sudo apk add secure-delete

smem only works for unused ram.[https://github.com/gordonrs/thc-secure-delete] If you use the vanilla kernel, this may work. If you use grsecurity, it will automatically sanitize memory if you enable it (but not enabled by default in the Alpine hardened kernel) when the memory page is freed.[https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sanitize_all_freed_memory]

Close all important programs then call smem.

You call smem in your shutdown script or auto-logoff script.

You can call create a OpenRC shutdown script to run smem when most programs and services are closed. This will erase all your sensitive plaintext private data just in case.

You may want to create a wrapper script to call smem after your program closes.

You need to write a custom script that does the following:
* kill all running processes associated with your user account
* auto logoff terminals
* for the last terminal closed including all idle xservers, unmount your user home
* (optional) use smem to wipe all your plaintext private data in memory after all closed programs in case of cold boot attack

=== Sharing presentations over HDMI ===

If you want to use your laptop to share presentation over HDMI connection, you need libxinerama and xrandr.

To install libxinerama and xrandr do:

sudo apk add libxinerama xrandr

== Important notes ==

If you lose or break your USB key, that is it and you cannot decrypt your drive. It would be wise to make a backup of it.

By default, suspend-to-ram or hibernate will not sufficiently clear the AES encryption keys off ram in those phases which would invite a cold boot attack. This has been covered by the TRESOR kernel patch.[https://en.wikipedia.org/wiki/TRESOR][https://www1.cs.fau.de/tresor] This patch hasn't been updated since the 4.x kernel series.[https://www1.cs.fau.de/tresor]. This patch currently only works on 32-bit x86 Linux with SSE and MMX, and on processors with the AES-NI instruction set for x86_64 Linux. TRESOR doesn't work with DMA attack, but it can be mitigated by disabling DMA.[https://old.iseclab.org/papers/acsac2012dma.pdf] The 32-bit version of TRESOR has only a key size of 128. The AES-NI version of TRESOR has a largest key size of 256 bit. See [[Setting_up_a_laptop#Choosing_ciphers | Choosing ciphers]] for the number of rounds cracked.

Loop-Amnesia works with LoopAES and is only for 64 bit Linux and only supports 128 bit keys but can result in data loss if their recommendations are not followed. [http://moongate.ydns.eu/amnesia.html]

Please read the Wikipedia article on Cold Boot Attack especially the mitigation section.[https://en.wikipedia.org/wiki/Cold_boot_attack] Full disk encryption will not protect your data especially for older hardware if you do not have the proper mitigation (implying not full proof) prerequisites such as a patched kernel, memory scrambling, permanent memory module mounting for example.

If you have a different but fully encrypted device like iPad, you still can be rubberhosed or interrogated with a perfect deniable encrypted laptop. This guide doesn't protect you from that possibility. If you do not want to be rubberhosed, don't possess those devices.

Additional tips to mitigate against a DMA Attack to exfiltrate encryption keys:

Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]

Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.

You may need a custom (or customize a) BIOS or use Intel TXT or TPM which will authenticate the boot devices or boot from specific serial numbers not just any. For cold boot attack, it is not required to remove the RAM but to to slow down the rate of decay of the RAM module with liquid air in addition an USB thumb drive containing an encryption key retriever bypassing the operating system.[https://youtu.be/XfUlRsE3ymQ]

[[Category:Installation]]
[[category: desktop]]

Main Page

2020-03-22T15:55:39Z

Nangel: update musl libc link

__NOEDITSECTION__
__NOTOC__
= Welcome to Alpine Linux Wiki=
'''[http://alpinelinux.org/about Alpine Linux]''' is a security-oriented, lightweight Linux distribution based on [https://musl.libc.org/ musl libc] and [http://busybox.net Busybox].

Here is a [[Alpine Linux:Overview|more detailed overview]] of what makes our distribution distinctive; and a [[comparison with other distros]].

 
{|style="margin: 1em auto 1em auto"
|style="width:64px;"|[[image:hdd_mount.svg|64px|link=Installation]]
|'''[[Installation]]''' Installing Alpine Linux
|[[image:filetypes.svg|64px|link=FAQ]]
|'''[[FAQ|FAQ]]''' Frequently Asked Questions
|[[image:bookcase.svg|64px|link=Glossary]]
|'''[[Glossary]]'''
|-
|[[image:package_edutainment.svg|64px|link=Tutorials and Howtos]]
|'''[[Tutorials and Howtos]]''' Basic and advanced configuration tasks
|[[image:package_system.svg|64px|link=Developer Documentation]]
|'''[[Developer Documentation]]''' Alpine Linux Development
|[[image:kuser.svg|64px|link=Contribute]]
|'''[[Contribute]]''' Contribute to Alpine Linux
|}

* [[Alpine Linux:Releases|Current releases]]
* [[Alpine Linux:Listings|Links to other sites with information about Alpine]]

Gaming on Alpine

2020-03-03T10:34:04Z

Nangel: /* List of games available on Alpine Linux */

'''Gaming on Alpine''' is a thing.

== Installing games ==

sudo apk add micro-tetris

== Permissions ==

To make sure your account is in the games group. You could do.

sudo gpasswd -a name games

Log off then relog back on.

== List of games available on Alpine Linux ==

* [http://www.advancemame.it/ AdvanceMAME] - advancemame -- Arcade Simulator
* [https://wiki.gnome.org/Apps/Aisleriot Aisleriot] - aisleriot -- Solitaire card games
* [http://frotz.sourceforge.net/ Frotz] - frotz -- Z machine (Infocom interactive fiction) Interpreter
* [http://home.flightgear.org FlightGear] - flightgear -- Flight Simulator
* [https://freedoom.github.io/ Freedoom]+[https://www.chocolate-doom.org/ Chocolate Doom] - freedoom, chocolate-doom -- a free Doom game and an engine to run it
* [https://en.wikipedia.org/wiki/GNU_Chess GNU Chess] - gnuchess -- Play chess against the computer
* [https://github.com/troglobit/tetris Micro Tetris] - micro-tetris -- Uses ANSI escape sequences and can fit in embedded devices
* [https://www.minetest.net/ Minetest] - minetest -- An Inspired Minecraft game
* [https://openrct2.org/ OpenRCT2] - OpenRCT2 -- Re-implementation of RollerCoaster Tycoon 2
* [https://en.wikipedia.org/wiki/OpenTTD OpenTTD] - openttd -- A business simulation game
* [https://www.nethack.org NetHack] - Rogue-like dungeon crawler
* [https://supertuxkart.net/Main_Page SuperTuxKart] - Kart racing game with OSS mascots
* [http://www.xonotic.org/ Xonotic] - xonotic -- A FPS arena game

== Game related software ==

* [https://en.wikipedia.org/wiki/Wine_(software) Wine] - wine -- It is typically used to play Windows games - You may need to chroot/multiboot as 32-bit Alpine to use 32 bit Windows games. If you use x86_64, you can only run 64 bit Windows programs.
* [https://obsproject.com/ OBS Studio] - obs-studio -- It is used to live stream a gaming session

MediaWiki:Copyright

2020-02-22T01:56:40Z

Nangel: Its 2020 ya'll

<div align="right"><div id="footer-inner">
<a href="Privacy_Policy#Copyright">© Copyright 2008-2020 Alpine Linux Development Team</a>
all rights reserved </div></div>

Using Unbound as an Ad-blocker

2020-02-21T20:03:10Z

Nangel: How to do pi-hole without pi-hole

== Background ==

There is a fairly popular software product that acts as a DNS blocker for Advertisements and Malware. It runs on the Raspberry Pi- and claims to be a DNS Black Hole. It extends dnsmasq with filtering based on a downloadable blacklist. There is a [https://gitlab.alpinelinux.org/alpine/aports/issues/9489 package request] for this software to run on Alpine Linux.

The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version of dnsmasq to start. The "basic installer" is over 2600 lines of Bash code.

Our goal is to get 80% of the functionality with 10% of the work.

== Basic Components ==

You should have dnsmasq (or another DHCP server) and [https://wiki.alpinelinux.org/wiki/Setting_up_unbound_DNS_server unbound] both working on your network.

== Setting up Unbound To Block/Refuse unwanted addresses ==

There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:
<pre>
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
</pre>

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in /etc/hosts and be done.) We will use the hosts file format:

unbound needs to include the "blacklists.conf" file into its main configuration. To do so, we need to create the include file in the following format:

<pre>
server:

local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse
</pre>

Here is an example shell script to download the StevenBlack hosts format file, and then format it for unbound:

<pre>
#!/bin/sh

echo "server:" >/etc/unbound/blacklist.conf
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
grep ^0.0.0.0 - | \
sed 's/ #.*$//;
s/^0.0.0.0 $.*$/local-zone: "\1" refuse/' \
>>/etc/unbound/blacklist.conf
</pre>

You can run this once, or as part of a periodic cron task.

In the /etc/unbound/unbound.conf, add the following line somewhere in the config:

<pre>
#include "/etc/unbound/blacklist.conf"
</pre>

Reload unbound, and verify the config loads.

== Dnsmasq configuration ==

Dnsmasq defaults to using the resolver in /etc/resolv.conf - if unbound is listening on 127.0.0.1, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine - use the dhcp-option configuration in dnsmasq:

<pre>
dhcp-option=6,[ip-of-unbound-server]
</pre>

Enjoy Ad-Free browsing!

Chrony and GPSD

2020-02-06T20:57:38Z

Nangel: update to include the /dev/pps0 clock source

Sources such as:

* http://www.rjsystems.nl/en/2100-ntpd-garmin-gps-18-lvc-gpsd.php
* http://lists.ntp.org/pipermail/questions/2005-November/007878.html

Describe how to wire a Garmin gps 18 lvc to a serial port to grab the PPS (pulse-per-second) signal to create a Stratum 1 timesource. Other sources show using ntpd, and the [http://gpsd.berlios.de/gpsd.html gpsd man page] provides config snippets.

Alpine Linux gpsd package 3.9-r1 and higher has the necessary pps code to interface with chrony. This page lists all of the files for a complete, working example:

* /etc/modules needs to list the pps_ldisc module - you'll need to manually load it if not doing a reboot
{{Cat|/etc/modules|pps_ldisc}}
* If the GPS 18 LVC is on /dev/ttyS1, then:
{{Cat|/etc/conf.d/gpsd|<nowiki>
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# Config file for gpsd server
# Optional arguments
# Options include:
# -b = bluetooth-safe: open data sources read-only
# -n = don't wait for client connects to poll GPS
# -N = don't go into background
# -F sockfile = specify control socket location
# -G = make gpsd listen on INADDR_ANY
# -D integer (default 0) = set debug level
# -S integer (default 2947) = set port for daemon

GPSD_OPTIONS="-n -b"
DEVICES="/dev/ttyS1"
GPSD_SOCKET="/var/run/gpsd.sock"
BAUDRATE="4800"

# Serial setup
#
# For serial interfaces, options such as low_latency are recommended
# Also, http://catb.org/gpsd/upstream-bugs.html#tiocmwait recommends
# setting the baudrate with stty
# Uncomment the following lines if using a serial device:
#
/bin/stty -F ${DEVICE} ${BAUDRATE}
/bin/setserial ${DEVICE} low_latency
</nowiki>
}}

{{Note|As of v3.11, the init.d and conf.d files have been merged from gentoo.
The purpose is to allow gpsd to start without editing /etc/conf.d/gpsd.
Note that while gpsd will now start without editing the conf.d file, it will do so with no gps devices attached.

Also note that if you are using a serial device it is still recommended to add the stty and setserial commands as noted in the example configuration above.}}

* This shows all four methods of getting time from gpsd:
{{Cat|/etc/chrony/chrony.conf|<nowiki>
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

initstepslew 30 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org

# SHM0 from gpsd is the NEMA data at 4800bps, so is not very accurate
refclock SHM 0 delay 0.5 refid NEMA

# SHM1 from gpsd (if present) is from the kernel PPS_LDISC
# module. It includes PPS and will be accurate to a few ns
refclock SHM 1 offset 0.0 delay 0.1 refid NEMA+

# SOCK protocol also includes PPS data and
# it also provides time within a few ns
refclock SOCK /var/run/chrony.ttyS1.sock delay 0.0 refid SOCK

# PPS is from the /dev/pps0 device. Note that
# chronyd creates the /var/run/chrony.ttyS1.sock device, but
# gpsd creates the /dev/pps0 device
# openrc rules start gpsd /after/ chronyd, so /dev/pps0
# is not created until after chronyd is started
# If you want to use pps0, either edit the openrc rules
# or add this source after gpsd is started

# refclock PPS /dev/pps0 refid PPS

# If you see something in ns... its good.
# 1 second =
# 1000 ms =
# 1000000 us =
# 1000000000 ns

logchange 0.5
local stratum 10

logdir /var/log/chrony

keyfile /etc/chrony/chrony.keys
commandkey 10

dumpdir /var/log/chrony
driftfile /var/log/chrony/chrony.drift

allow all
</nowiki>
}}

== Chronyc ==

If everything is working correctly, a chronyc 'sources' command should look like this:

chronyc> sources
210 Number of sources = 6
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
#x NEMA 0 4 377 14 +684ms[ +684ms] +/- 252ms
#+ PPS 0 4 377 13 +2040ns[+2060ns] +/- 50ms
#* SOCK 0 4 377 7 +225ns[ +245ns] +/- 2217ns
^? tick.tock.com 2 10 377 318 -5144us[-5144us] +/- 72ms
^? time.keeper.net 3 10 377 720 -4571us[-4567us] +/- 139ms
^? dead.time.server.org 0 10 0 10y +0ns[ +0ns] +/- 0ns

* NEMA (SHM0) is "x" - its really unstable
* PPS (SHM1) is good, but the delay of 0.1 makes it the not-preferred master
* SOCK is the preferred master
* The other NTP servers are only used if the local server goes down.

== Notes ==

* In /etc/chrony/chrony.conf, there are four possible time sources:
** SHM 0 (NEMA serial data)
** SHM 1 (NEMA with PPS)
** SOCK (PPS 'proprietary' gpsd/chrony interface)
** PPS (PPS only from the serial interface pulse)
* You only need 1 of them, although 3 are shown above
* In the example above, SHM1 is specified with a delay of 0.1 to prevent it from competing with the SOCK protocol
** If you prefer to use the SHM1 source instead of SOCK, then either:
*** comment out the SOCK protocol line
*** or reverse the delay values.
* Note that the SHM0 source (NEMA only, no PPS) is set to a higher delay - don't use it if you have PPS available.
** An example of where you would want to use SHM0 is a USB based gps receiver - they don't have the PPS line
* Chrony creates the SOCK interface; chrony should be started before gpsd. If you restart chronyd for some reason, make sure you restart gpsd after.
* The SHM0 interface can be used with USB based gps devices. In this case, use /dev/ttyUSBX in the /etc/conf.d/gpsd file, and leave the stty and setserial lines commented out.

[[Category:Server]]
[[Category:Networking]]

Chrony and GPSD

2020-02-06T20:52:21Z

Nangel: update conf.d/gpsd to match new gentoo init script

Sources such as:

* http://www.rjsystems.nl/en/2100-ntpd-garmin-gps-18-lvc-gpsd.php
* http://lists.ntp.org/pipermail/questions/2005-November/007878.html

Describe how to wire a Garmin gps 18 lvc to a serial port to grab the PPS (pulse-per-second) signal to create a Stratum 1 timesource. Other sources show using ntpd, and the [http://gpsd.berlios.de/gpsd.html gpsd man page] provides config snippets.

Alpine Linux gpsd package 3.9-r1 and higher has the necessary pps code to interface with chrony. This page lists all of the files for a complete, working example:

* /etc/modules needs to list the pps_ldisc module - you'll need to manually load it if not doing a reboot
{{Cat|/etc/modules|pps_ldisc}}
* If the GPS 18 LVC is on /dev/ttyS1, then:
{{Cat|/etc/conf.d/gpsd|<nowiki>
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2

# Config file for gpsd server
# Optional arguments
# Options include:
# -b = bluetooth-safe: open data sources read-only
# -n = don't wait for client connects to poll GPS
# -N = don't go into background
# -F sockfile = specify control socket location
# -G = make gpsd listen on INADDR_ANY
# -D integer (default 0) = set debug level
# -S integer (default 2947) = set port for daemon

GPSD_OPTIONS="-n -b"
DEVICES="/dev/ttyS1"
GPSD_SOCKET="/var/run/gpsd.sock"
BAUDRATE="4800"

# Serial setup
#
# For serial interfaces, options such as low_latency are recommended
# Also, http://catb.org/gpsd/upstream-bugs.html#tiocmwait recommends
# setting the baudrate with stty
# Uncomment the following lines if using a serial device:
#
/bin/stty -F ${DEVICE} ${BAUDRATE}
/bin/setserial ${DEVICE} low_latency
</nowiki>
}}

{{Note|As of v3.11, the init.d and conf.d files have been merged from gentoo.
The purpose is to allow gpsd to start without editing /etc/conf.d/gpsd.
Note that while gpsd will now start without editing the conf.d file, it will do so with no gps devices attached.

Also note that if you are using a serial device it is still recommended to add the stty and setserial commands as noted in the example configuration above.}}

* This shows all three methods of getting time from gpsd:
{{Cat|/etc/chrony/chrony.conf|<nowiki>
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

initstepslew 30 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org

# SHM0 from gpsd is the NEMA data at 4800bps, so is not very accurate
refclock SHM 0 delay 0.5 refid NEMA

# SHM1 from gpsd (if present) is from the kernel PPS_LDISC
# module. It includes PPS and will be accurate to a few ns
refclock SHM 1 offset 0.0 delay 0.1 refid PPS

# SOCK protocol also includes PPS data and
# it also provides time within a few ns
refclock SOCK /var/run/chrony.ttyS1.sock delay 0.0 refid SOCK

# If you see something in ns... its good.
# 1 second =
# 1000 ms =
# 1000000 us =
# 1000000000 ns

logchange 0.5
local stratum 10

logdir /var/log/chrony

keyfile /etc/chrony/chrony.keys
commandkey 10

dumpdir /var/log/chrony
driftfile /var/log/chrony/chrony.drift

allow all
</nowiki>
}}

== Chronyc ==

If everything is working correctly, a chronyc 'sources' command should look like this:

chronyc> sources
210 Number of sources = 6
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
#x NEMA 0 4 377 14 +684ms[ +684ms] +/- 252ms
#+ PPS 0 4 377 13 +2040ns[+2060ns] +/- 50ms
#* SOCK 0 4 377 7 +225ns[ +245ns] +/- 2217ns
^? tick.tock.com 2 10 377 318 -5144us[-5144us] +/- 72ms
^? time.keeper.net 3 10 377 720 -4571us[-4567us] +/- 139ms
^? dead.time.server.org 0 10 0 10y +0ns[ +0ns] +/- 0ns

* NEMA (SHM0) is "x" - its really unstable
* PPS (SHM1) is good, but the delay of 0.1 makes it the not-preferred master
* SOCK is the preferred master
* The other NTP servers are only used if the local server goes down.

== Notes ==

* In /etc/chrony/chrony.conf, there are three possible time sources:
** SHM 0 (NEMA serial data)
** SHM 1 (NEMA with PPS)
** SOCK (PPS 'proprietary' gpsd/chrony interface)
* You only need 1 of them, although all 3 are shown above
* In the example above, SHM1 is specified with a delay of 0.1 to prevent it from competing with the SOCK protocol
** If you prefer to use the SHM1 source instead of SOCK, then either:
*** comment out the SOCK protocol line
*** or reverse the delay values.
* Note that the SHM0 source (NEMA only, no PPS) is set to a higher delay - don't use it if you have PPS available.
** An example of where you would want to use SHM0 is a USB based gps receiver - they don't have the PPS line
* Chrony creates the SOCK interface; chrony should be started before gpsd. If you restart chronyd for some reason, make sure you restart gpsd after.
* The SHM0 interface can be used with USB based gps devices. In this case, use /dev/ttyUSBX in the /etc/conf.d/gpsd file, and leave the stty and setserial lines commented out.

[[Category:Server]]
[[Category:Networking]]

Chrony and GPSD

2020-02-06T20:50:10Z

Nangel:

Sources such as:

* http://www.rjsystems.nl/en/2100-ntpd-garmin-gps-18-lvc-gpsd.php
* http://lists.ntp.org/pipermail/questions/2005-November/007878.html

Describe how to wire a Garmin gps 18 lvc to a serial port to grab the PPS (pulse-per-second) signal to create a Stratum 1 timesource. Other sources show using ntpd, and the [http://gpsd.berlios.de/gpsd.html gpsd man page] provides config snippets.

Alpine Linux gpsd package 3.9-r1 and higher has the necessary pps code to interface with chrony. This page lists all of the files for a complete, working example:

* /etc/modules needs to list the pps_ldisc module - you'll need to manually load it if not doing a reboot
{{Cat|/etc/modules|pps_ldisc}}
* If the GPS 18 LVC is on /dev/ttyS1, then:
{{Cat|/etc/conf.d/gpsd|<nowiki>
# The GPS device (/dev/ttyUSB0, /dev/ttyS0, ...)

DEVICE="/dev/ttyS1"
BAUDRATE="4800"

# Optional arguments
# Options include:
# -b = bluetooth-safe: open data sources read-only
# -n = don't wait for client connects to poll GPS
# -N = don't go into background
# -F sockfile = specify control socket location
# -G = make gpsd listen on INADDR_ANY
# -D integer (default 0) = set debug level
# -S integer (default 2947) = set port for daemon

ARGS="-n -b"

# Serial setup
#
# For serial interfaces, options such as low_latency are recommended
# Also, http://catb.org/gpsd/upstream-bugs.html#tiocmwait recommends
# setting the baudrate with stty
# Uncomment the following lines if using a serial device:
#
/bin/stty -F ${DEVICE} ${BAUDRATE}
/bin/setserial ${DEVICE} low_latency
</nowiki>
}}

{{Note|As of v3.11, the init.d and conf.d files have been merged from gentoo.
The purpose is to allow gpsd to start without editing /etc/conf.d/gpsd.
Note that while gpsd will now start without editing the conf.d file, it will do so with no gps devices attached.

Also note that if you are using a serial device it is still recommended to add the stty and setserial commands as noted in the example configuration above.}}

* This shows all three methods of getting time from gpsd:
{{Cat|/etc/chrony/chrony.conf|<nowiki>
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

initstepslew 30 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org

# SHM0 from gpsd is the NEMA data at 4800bps, so is not very accurate
refclock SHM 0 delay 0.5 refid NEMA

# SHM1 from gpsd (if present) is from the kernel PPS_LDISC
# module. It includes PPS and will be accurate to a few ns
refclock SHM 1 offset 0.0 delay 0.1 refid PPS

# SOCK protocol also includes PPS data and
# it also provides time within a few ns
refclock SOCK /var/run/chrony.ttyS1.sock delay 0.0 refid SOCK

# If you see something in ns... its good.
# 1 second =
# 1000 ms =
# 1000000 us =
# 1000000000 ns

logchange 0.5
local stratum 10

logdir /var/log/chrony

keyfile /etc/chrony/chrony.keys
commandkey 10

dumpdir /var/log/chrony
driftfile /var/log/chrony/chrony.drift

allow all
</nowiki>
}}

== Chronyc ==

If everything is working correctly, a chronyc 'sources' command should look like this:

chronyc> sources
210 Number of sources = 6
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
#x NEMA 0 4 377 14 +684ms[ +684ms] +/- 252ms
#+ PPS 0 4 377 13 +2040ns[+2060ns] +/- 50ms
#* SOCK 0 4 377 7 +225ns[ +245ns] +/- 2217ns
^? tick.tock.com 2 10 377 318 -5144us[-5144us] +/- 72ms
^? time.keeper.net 3 10 377 720 -4571us[-4567us] +/- 139ms
^? dead.time.server.org 0 10 0 10y +0ns[ +0ns] +/- 0ns

* NEMA (SHM0) is "x" - its really unstable
* PPS (SHM1) is good, but the delay of 0.1 makes it the not-preferred master
* SOCK is the preferred master
* The other NTP servers are only used if the local server goes down.

== Notes ==

* In /etc/chrony/chrony.conf, there are three possible time sources:
** SHM 0 (NEMA serial data)
** SHM 1 (NEMA with PPS)
** SOCK (PPS 'proprietary' gpsd/chrony interface)
* You only need 1 of them, although all 3 are shown above
* In the example above, SHM1 is specified with a delay of 0.1 to prevent it from competing with the SOCK protocol
** If you prefer to use the SHM1 source instead of SOCK, then either:
*** comment out the SOCK protocol line
*** or reverse the delay values.
* Note that the SHM0 source (NEMA only, no PPS) is set to a higher delay - don't use it if you have PPS available.
** An example of where you would want to use SHM0 is a USB based gps receiver - they don't have the PPS line
* Chrony creates the SOCK interface; chrony should be started before gpsd. If you restart chronyd for some reason, make sure you restart gpsd after.
* The SHM0 interface can be used with USB based gps devices. In this case, use /dev/ttyUSBX in the /etc/conf.d/gpsd file, and leave the stty and setserial lines commented out.

[[Category:Server]]
[[Category:Networking]]

Gaming on Alpine

2019-07-10T20:49:19Z

Nangel: /* List of games available on Alpine Linux */

'''Gaming on Alpine''' is a thing.

== Installing games ==

sudo apk add micro-tetris

== Permissions ==

To make sure your account is in the games group. You could do.

sudo gpasswd -a name games

Log off then relog back on.

== List of games available on Alpine Linux ==

* [http://www.advancemame.it/ AdvanceMAME] - advancemame -- Arcade Simulator
* [http://frotz.sourceforge.net/ Frotz] - frotz -- Z machine (Infocom interactive fiction) Interpreter
* [http://home.flightgear.org FlightGear] - flightgear -- Flight Simulator
* [https://en.wikipedia.org/wiki/GNU_Chess GNU Chess] - gnuchess -- Play chess against the computer
* [https://github.com/troglobit/tetris Micro Tetris] - micro-tetris -- Uses ANSI escape sequences and can fit in embedded devices
* [https://www.minetest.net/ Minetest] - minetest -- An Inspired Minecraft game
* [https://openrct2.org/ OpenRCT2] - OpenRCT2 -- Re-implementation of RollerCoaster Tycoon 2
* [https://en.wikipedia.org/wiki/OpenTTD OpenTTD] - openttd -- A business simulation game
* [https://www.nethack.org NetHack] - Rogue-like dungeon crawler
* [http://www.xonotic.org/ Xonotic] - xonotic -- A FPS arena game

== Game related software ==

* [https://en.wikipedia.org/wiki/Wine_(software) Wine] - wine -- It is typically used to play Windows games - You may need to chroot/multiboot as 32-bit Alpine to use 32 bit Windows games. If you use x86_64, you can only run 64 bit Windows programs.
* [https://obsproject.com/ OBS Studio] - obs-studio -- It is used to live stream a gaming session

Gaming on Alpine

2019-06-28T12:44:30Z

Nangel: /* List of games available on Alpine Linux */

'''Gaming on Alpine''' is a thing.

== Installing games ==

sudo apk add micro-tetris

== Permissions ==

To make sure your account is in the games group. You could do.

sudo gpasswd -a name games

Log off then relog back on.

== List of games available on Alpine Linux ==

* [http://www.advancemame.it/ AdvanceMAME] - advancemame -- Arcade Simulator
* [http://frotz.sourceforge.net/ Frotz] - frotz -- Z machine (Infocom interactive fiction) Interpreter
* [http://home.flightgear.org FlightGear] - flightgear -- Flight Simulator
* [https://en.wikipedia.org/wiki/GNU_Chess GNU Chess] - gnuchess -- Play chess against the computer
* [https://github.com/troglobit/tetris Micro Tetris] - micro-tetris -- Uses ANSI escape sequences and can fit in embedded devices
* [https://www.minetest.net/ Minetest] - minetest -- An Inspired Minecraft game
* [https://en.wikipedia.org/wiki/OpenTTD OpenTTD] - openttd -- A business simulation game
* [https://www.nethack.org NetHack] - Rogue-like dungeon crawler
* [http://www.xonotic.org/ Xonotic] - xonotic -- A FPS arena game

== Game related software ==

* [https://en.wikipedia.org/wiki/Wine_(software) Wine] - wine -- It is typically used to play Windows games - You may need to chroot/multiboot as 32-bit Alpine to use 32 bit Windows games. If you use x86_64, you can only run 64 bit Windows programs.
* [https://obsproject.com/ OBS Studio] - obs-studio -- It is used to live stream a gaming session

MediaWiki:Copyright

2019-01-10T22:27:56Z

Nangel:

<div align="right"><div id="footer-inner">
<a href="Privacy_Policy#Copyright">© Copyright 2008-2019 Alpine Linux Development Team</a>
all rights reserved </div></div>

Setting up a VPN with tinc

2018-07-24T18:54:29Z

Nangel: tt>

These instructions will create a routed mesh network with multiple protected networks behind each node. While it is possible to set up separate tinc daemons with separate vpn names, we will "trunk" all the traffic over a single tinc vpn. These instructions do not create an extended bridged "ethernet LAN" - it creates a set of routed networks.

= Network Topology =

Our example network topology looks like the following chart. Example.com has three offices: Aspen, Boulder, and Carbondale. Each office has two networks. Alpine Linux is used as the firwall/router/gateway at each office, and tinc will be installed on the gateway.

<tt>

ASPEN [10.1.0.1] --------------\
|
192.168.10.0/24 |
192.160.110.0/24 [INTERNET]------------------ [10.3.0.1] CARBONDALE
|
| 192.168.30.0/24
BOULDER [10.2.0.1] --------------/ 192.168.130.0/24

192.168.20.0/24
192.168.120.0/24
</tt>

The Tinc VPN itself will use the dedicated network 192.168.0.0/29.

= Install And Configure Common Tinc Settings =

On all three routers:

== Install Tinc ==

{{Cmd|apk add tinc}}

== Load Tun module ==

{{Cmd|modprobe tun}}
{{Cmd|echo "tun" >> /etc/modules}}

== Create the directory tree For Tinc Configuration ==

We need to create a name for our VPN. In this example, we will call it "mesh". A network interface will be created with the network name.

{{Cmd|mkdir -p /etc/tinc/mesh/hosts}}

== Tell the tinc daemon which network(s) to load ==

{{Cmd|echo NETWORK: mesh > /etc/conf.d/tinc.networks}}

= Install And Configure Per Server Settings =

On each router, create a /etc/tinc/mesh/tinc.conf file. This example is for Aspen:

<tt>
Name=aspen
Device=/dev/net/tun
</tt>

Change the Name to be Boulder and Carbondale on the other servers.

On each router, create a /etc/tinc/mesh/tinc-up script. Again for Aspen:

<tt>
# This is for Aspen
ip link set $INTERFACE up
ip addr add 192.168.0.1/29 dev $INTERFACE

# route TO Aspen (leave commented out on Aspen
# uncomment on the other two)
# ip route add 192.168.10.0/24 dev $INTERFACE
# ip route add 192.168.110.0/24 dev $INTERFACE

# route TO Boulder (leave commented out on Boulder
# uncomment on the other two)
ip route add 192.168.20.0/24 dev $INTERFACE
ip route add 192.168.120.0/24 dev $INTERFACE

# route TO Carbondale (leave commented out on Carbondale
# uncomment on the other two)
ip route add 192.168.30.0/24 dev $INTERFACE
ip route add 192.168.130.0/24 dev $INTERFACE
</tt>

The ip route statements tells the local gateway to route traffic bound for the other two campuses through the tinc VPN interface.

Make the script executable:

{{Cmd|chmod a+x /etc/tinc/mesh/tinc-up}}

== Create the site specific configuration file ==

Each site has a specific configuration file ''that is shared will all other sites''.

=== Aspen ===

Create /etc/tinc/mesh/hosts/aspen:

<tt>
Subnet = 192.168.0.1/32
Address = 10.1.0.1
ConnectTo = boulder
ConnectTo = carbondale

Subnet = 192.168.10.0/24
Subnet = 192.168.110.0/24
</tt>

=== Boulder ===

Create /etc/tinc/mesh/hosts/boulder:

<tt>
Subnet = 192.168.0.2/32
Address = 10.2.0.1
ConnectTo = aspen
ConnectTo = carbondale

Subnet = 192.168.20.0/24
Subnet = 192.168.120.0/24
</tt>

=== Carbondale ===

Create /etc/tinc/mesh/hosts/carbondale:

<tt>
Subnet = 192.168.0.3/32
Address = 10.3.0.1
ConnectTo = aspen
ConnectTo = boulder

Subnet = 192.168.30.0/24
Subnet = 192.168.130.0/24
</tt>

Note that while in the tinc-up script we specify a /29 mask (entire broadcast domain) the host file contains a /32 mask. This may be counterintuitive, but it is what allows the tinc daemon to know which broadcast packets are for ''this'' instance.

Also note that while we add the routes for all the other networks in the tinc-up script, we add only the subnets for ''this'' instance in the host file.

The ConnectTo statements connect to both of the other nodes. This creates a mesh network. If there are explicit ConnectTo statements between all nodes, then if, for instance, connectivity between Aspen and Carbondale is lost, traffic will flow Aspen->Boulder->Carbondale.

== Create the public and private keys ==

On each node, run:

{{Cmd|tincd -n mesh -K}}

It will generate the public and private RSA keys, and prompt you if its ok to put them in:

/etc/tinc/mesh/rsa_key.priv
/etc/tinc/mesh/hosts/''hostname''

This is acceptable.

== Copy the host file to the other hosts ==

For each node, scp (or other means) the /etc/tinc/mesh/hosts/''hostname'' file to the other node. In the end, the hosts directory on all three nodes will have three identical files.

== Directory tree for a running tinc configuration ==

<tt>
/etc/tinc
/etc/tinc/mesh
/etc/tinc/mesh/rsa_key.priv <- unique to each host
/etc/tinc/mesh/tinc.conf <- unique to each host
/etc/tinc/mesh/tinc-up <- unique to each host
/etc/tinc/mesh/hosts
/etc/tinc/mesh/hosts/aspen <- same on all hosts
/etc/tinc/mesh/hosts/boulder <- same on all hosts
/etc/tinc/mesh/hosts/carbondale <- same on all hosts
</tt>

== Start tincd ==

rc-update add tincd
openrc
lbu ci

If the gateways forward ipv4, and there are no other firewall rules between sites, you should be able to ping any host from any other site.

Development using git:Documentation

2018-07-23T17:25:35Z

Nangel:

* [http://www.kernel.org/pub/software/scm/git/docs/ Git Tutorial]
* [http://git.or.cz/course/svn.html Git - SVN Crash Course] (quickstart if you know svn)
* [http://cworth.org/hgbook-git/tour/ A tour of git: the basics] '''Recommended'''
* [http://book.git-scm.com/ The Git Community Book]
* [https://jwiegley.github.io/git-from-the-bottom-up/ Git From the Bottom Up]
* [http://sourcemage.org/Git%20guide Very good Git guide]

[[Category:Development]]

Gaming on Alpine

2018-02-09T21:51:12Z

Nangel: /* List of games available on Alpine Linux */

Gaming on Alpine

2018-02-07T16:50:28Z

Nangel: /* List of games available on Alpine Linux */

'''Gaming on Alpine''' is a thing.

== Installing games ==

sudo apk add micro-tetris

== List of games available on Alpine Linux ==

* [http://www.advancemame.it/ AdvanceMAME]-- Arcade Simulator
* [http://home.flightgear.org FlightGear] -- Flight Simulator
* [https://en.wikipedia.org/wiki/GNU_Chess GNU Chess] - gnuchess -- Play chess against the computer
* [https://github.com/troglobit/tetris Micro Tetris] - micro-tetris -- Uses ANSI escape sequences and can fit in embedded devices
* [https://www.minetest.net/ Minetest] - minetest -- An Inspired Minecraft game
* [https://en.wikipedia.org/wiki/OpenTTD OpenTTD] - openttd -- A business simulation game
* [http://www.xonotic.org/ Xonotic] - xonotic -- A FPS arena game

== Game related software ==

* [https://en.wikipedia.org/wiki/Wine_(software) Wine] - wine -- It is typically used to play windows games
* [https://obsproject.com/ OBS Studio] - obs-studio -- It is used to live stream a gaming session

Gaming on Alpine

2018-02-07T16:49:30Z

Nangel: /* List of games available on Alpine Linux */

'''Gaming on Alpine''' is a thing.

== Installing games ==

sudo apk add micro-tetris

== List of games available on Alpine Linux ==

* [http://www.advancemame.it/] - AdvanveMAME -- Arcade Simulator
* [http://home.flightgear.org] - Flightgear -- Flight Simulator
* [https://en.wikipedia.org/wiki/GNU_Chess GNU Chess] - gnuchess -- Play chess against the computer
* [https://github.com/troglobit/tetris Micro Tetris] - micro-tetris -- Uses ANSI escape sequences and can fit in embedded devices
* [https://www.minetest.net/ Minetest] - minetest -- An Inspired Minecraft game
* [https://en.wikipedia.org/wiki/OpenTTD OpenTTD] - openttd -- A business simulation game
* [http://www.xonotic.org/ Xonotic] - xonotic -- A FPS arena game

== Game related software ==

* [https://en.wikipedia.org/wiki/Wine_(software) Wine] - wine -- It is typically used to play windows games
* [https://obsproject.com/ OBS Studio] - obs-studio -- It is used to live stream a gaming session

User talk:Nangel

2017-12-31T23:15:53Z

Nangel:

== HAProxy TLS frontend for LXC http backends ==

We are going to use HAProxy to do TLS negotiation for several LXC containers serving various websites. LetsEncrypt TLS keys will be maintained on the HAProxy service.

=== HAProxy and LetsEncrypt ===

1. Set up DNS to point all the domains to the haproxy address(es):
curly.example.com A 192.168.0.1
larry.example.com A 192.168.0.1
moe.example.com A 192.168.0.1

2. Get some httpd server running on 127.0.0.1
This will only be used for the let's encrypt auth challenge, so we will use busybox httpd.
apk add busybox-extras
/etc/conf.d/httpd:
# Config for running busybox httpd on loopback address
# We use it for the ACME auth challenge with Lets Encrypt

HTTPD_OPTS="-p 127.0.0.1:80 -u nobody:nobody -h /etc/haproxy/www"

/etc/haproxy/haproxy.cfg
global
uid 65534
gid 65534
log /dev/log uucp
maxconn 8000

defaults
maxconn 8000
timeout connect 15s
timeout server 30m
timeout client 30m
option tcpka
log global
option tcplog
option log-health-checks
option log-separate-errors
option forwardfor
option http-server-close
mode http

stats enable
stats uri /stats
stats realm haproxy\ stats
stats auth letmein:password

# For the "./well-known" uris - we send to the local
# busybox httpd process. This is so haproxy has access
# to the certs from LetsEncrypt
frontend http-in
mode http
bind <public_ip>:80
acl is_acme_uri path_beg /.well-known
use_backend letsencrypt if is_acme_uri

backend letsencrypt
server letsencrypt 127.0.0.1

rc-update add http
rc-update add haproxy
openrc

3. Set up acme-client
apk add acme-client

LXC

2017-09-13T15:32:03Z

Nangel: /* Ubuntu template */

[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".

== Installation ==
Install the required packages:
{{Cmd|apk add lxc bridge}}

If you want to create containers other then type alpine you will need lxc-templates

{{Cmd|apk add lxc-templates}}

== Prepare network on host ==
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':
<pre>
auto br0
iface br0 inet dhcp
bridge-ports eth0
</pre>

Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':
<pre>
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx
</pre>

== Grsecurity restrictions ==

Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:
<pre>
kernel.grsecurity.chroot_caps = 0
</pre>

There are a few other restrictions that can prevent proper container functionality.
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.

Other possible restrictions are:

<pre>
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_chmod = 0
</pre>

When you finished creating your new sysctl profile you can apply it by restarting sysctl service

<pre>
rc-service sysctl restart
</pre>

NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.

== Create a guest ==

=== Alpine Template ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}

This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.

Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console

If running on x86_64 architecture, it is possible to create a 32bit guest:

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}

=== Debian template ===

In order to create a debian template container you will need to install some packages:

{{Cmd|apk add debootstrap rsync}}

Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run:
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}

=== Ubuntu template ===

In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)

lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR

=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===

{{Cmd|apk add gnupg xz
lxc-create -n container-name -t download}}
& choose the Distribution | Release | Architecture.

To be able to login to a Debian container you currently need to:
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}

You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].

== Starting/Stopping the guest ==
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}

You can start your guest with:
{{Cmd|/etc/init.d/lxc.guest1 start}}

Stop it with:
{{Cmd|/etc/init.d/lxc.guest1 stop}}

Make it autostart on boot up with:
{{Cmd| rc-update add lxc.guest1}}

You can also add to the container config: <code>lxc.start.auto = 1</code>

& {{Cmd|rc-update add lxc}}

to autostart containers by the lxc service only.

== Connecting to the guest ==
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:

=== Attach to container ===

{{Cmd|lxc-attach -n guest1}}

Just type exit to detach the container again (please do check the grsec notes above)

=== Connect to virtual console ===

{{Cmd|lxc-console -n guest1}}

To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}

== Deleting a guest ==
Make sure the guest is stopped and run:
{{Cmd|lxc-destroy -n guest1}}
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}

== Advanced ==

=== Creating a LXC container without modifying your network interfaces ===

The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.

The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.

So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)

{{Cmd|modprobe dummy}}

This will create a dummy interface called dummy0 on your host.

Now we will create a bridge called br0

{{Cmd |brctl addbr br0
brctl setfd br0 0 }}

and then make that dummy interface one end of the bridge

{{Cmd | brctl addif br0 dummy0 }}

Next, let's give that bridged interface a reason to exists

{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}

Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.

<pre>
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.ipv4 = 192.168.1.2/24
</pre>

and build your container with that file

{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}

You should now be able to ping your container from your hosts, and your host from your container.

Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0
From inside the container run

{{ Cmd | route add default gw 192.168.1.1 }}

The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose

We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.

Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:

{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
}}

Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!

You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)

=== Using static IP ===

If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''

from

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''dhcp'''

to

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''static'''
address <lxc-container-ip> # IP which the lxc container should use
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host
netmask <netmask>

=== mem and swap ===

{{Cmd|vim /boot/extlinux.conf}}

{{Cmd|
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1
}}

=== checkconfig ===
{{Cmd|lxc-checkconfig}}

{{Cmd|
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig

}}

=== VirtualBox ===

In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.

[[File:VirtualBoxNetworkAdapter.jpg]]

[[Category:Virtualization]]

=== postgreSQL ===

Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}

=== openVPN ===

see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]

== LXC 1.0 Additional information ==

Some info regarding new features in LXC 1.0

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/

LXC

2017-09-12T14:51:48Z

Nangel: /* Ubuntu template */

[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".

== Installation ==
Install the required packages:
{{Cmd|apk add lxc bridge}}

If you want to create containers other then type alpine you will need lxc-templates

{{Cmd|apk add lxc-templates}}

== Prepare network on host ==
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':
<pre>
auto br0
iface br0 inet dhcp
bridge-ports eth0
</pre>

Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':
<pre>
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx
</pre>

== Grsecurity restrictions ==

Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:
<pre>
kernel.grsecurity.chroot_caps = 0
</pre>

There are a few other restrictions that can prevent proper container functionality.
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.

Other possible restrictions are:

<pre>
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_chmod = 0
</pre>

When you finished creating your new sysctl profile you can apply it by restarting sysctl service

<pre>
rc-service sysctl restart
</pre>

NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.

== Create a guest ==

=== Alpine Template ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}

This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.

Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console

If running on x86_64 architecture, it is possible to create a 32bit guest:

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}

=== Debian template ===

In order to create a debian template container you will need to install some packages:

{{Cmd|apk add debootstrap rsync}}

Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run:
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}

=== Ubuntu template ===

In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)

lxc-create -n guest2 -f /etc/lxc/lxc.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR

=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===

{{Cmd|apk add gnupg xz
lxc-create -n container-name -t download}}
& choose the Distribution | Release | Architecture.

To be able to login to a Debian container you currently need to:
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}

You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].

== Starting/Stopping the guest ==
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}

You can start your guest with:
{{Cmd|/etc/init.d/lxc.guest1 start}}

Stop it with:
{{Cmd|/etc/init.d/lxc.guest1 stop}}

Make it autostart on boot up with:
{{Cmd| rc-update add lxc.guest1}}

You can also add to the container config: <code>lxc.start.auto = 1</code>

& {{Cmd|rc-update add lxc}}

to autostart containers by the lxc service only.

== Connecting to the guest ==
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:

=== Attach to container ===

{{Cmd|lxc-attach -n guest1}}

Just type exit to detach the container again (please do check the grsec notes above)

=== Connect to virtual console ===

{{Cmd|lxc-console -n guest1}}

To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}

== Deleting a guest ==
Make sure the guest is stopped and run:
{{Cmd|lxc-destroy -n guest1}}
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}

== Advanced ==

=== Creating a LXC container without modifying your network interfaces ===

The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.

The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.

So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)

{{Cmd|modprobe dummy}}

This will create a dummy interface called dummy0 on your host.

Now we will create a bridge called br0

{{Cmd |brctl addbr br0
brctl setfd br0 0 }}

and then make that dummy interface one end of the bridge

{{Cmd | brctl addif br0 dummy0 }}

Next, let's give that bridged interface a reason to exists

{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}

Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.

<pre>
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.ipv4 = 192.168.1.2/24
</pre>

and build your container with that file

{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}

You should now be able to ping your container from your hosts, and your host from your container.

Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0
From inside the container run

{{ Cmd | route add default gw 192.168.1.1 }}

The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose

We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.

Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:

{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
}}

Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!

You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)

=== Using static IP ===

If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''

from

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''dhcp'''

to

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''static'''
address <lxc-container-ip> # IP which the lxc container should use
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host
netmask <netmask>

=== mem and swap ===

{{Cmd|vim /boot/extlinux.conf}}

{{Cmd|
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1
}}

=== checkconfig ===
{{Cmd|lxc-checkconfig}}

{{Cmd|
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig

}}

=== VirtualBox ===

In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.

[[File:VirtualBoxNetworkAdapter.jpg]]

[[Category:Virtualization]]

=== postgreSQL ===

Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}

=== openVPN ===

see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]

== LXC 1.0 Additional information ==

Some info regarding new features in LXC 1.0

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/

Install Alpine on Amazon EC2

2017-08-08T16:53:24Z

Nangel: /* Create an EBS backed Alpine Linux AMI */

The goal here is to have a "1GB" (the smallest possible) EBS 'virtual usb stick' that can boot and run Alpine Linux.

= Create an EBS backed Alpine Linux AMI =

{{Note|You need to do this process at least once in each availability region. EBS can't be shared between Ireland and California, for instance.}}

* Create an Amazon instance in the desired availability region. A micro instance is fine - we will need it only long enough to create our EBS usb stick.
* Create a new 1GB EBS volume
* Attach the new volume to the running instance
* The new volume will have a name like /dev/xvdf or such
* Format the volume as ext4 {{Cmd|mke2fs -t ext4 /dev/xvdf}} ''Do not partition it - just format the whole volume''
* wget a '''x86_64''' iso and extract it to the new volume. 32bit will not work.
<pre>
wget http://dl-4.alpinelinux.org/alpine/v3.6/releases/x86_64/alpine-virt-3.6.2-x86_64.iso
mkdir target
mkdir source
mount /dev/xvdf target
mount -o loop alpine-virt-3.6.2-x86_64.iso source
cp -av source/boot target
cp -av source/apks target
umount source
</pre>
* Create a grub.conf on the new partition.
<pre>
mkdir -p target/boot/grub
cat - >target/boot/grub/grub.conf <<EOF
default=0
timeout=3
hiddenmenu

title Alpine Linux
root (hd0)
kernel /boot/vmlinuz-virthardened alpine_dev=xvda1:ext4 modules=loop,squashfs,sd-mod,ext4 console=hvc0 pax_nouderef BOOT_IMAGE=/boot/vmlinuz-virthardened
initrd /boot/initramfs-virthardened
EOF
</pre>
:* Syslinux automatically adds BOOT_IMAGE to the kernel command line; grub does not, so make sure you specify it in the grub.conf
:* You do not need any other grub files.
* symlink the grub.conf to menu.lst
<pre>
ln -sf ./grub.conf target/boot/grub/menu.lst
</pre>
* Create an amazon.apkovl.tar.gz file to put on the target
** This is probably easiest on a local alpine linux instance. Make sure the following are configured:
*** eth0 uses dhcp
*** networking is set to autostart
*** sshd is installed and set to autostart
*** Your ssh public key is in /root/.ssh/authorized_keys
*** The root password is set to something
*** lbu include root/.ssh
*** (optional) - Delete the /etc/ssh/*key* files, so they are created on the new box
** {{Cmd|lbu package amazon.apkovl.tar.gz}} {{Warning|If you are packaging on a 32bit box, manually delete etc/apk/arch from the apkovl.tar.gz file}}
** Copy amazon.apkovl.tar.gz to target/
* Unmount target
* '''Do the following from the Amazon web interface'''
** Detach the new volume
** Make note of the volume ID
** Launch NEW instance. Use defaults, amazon linux, micro; we are going to canibalize it in a bit, so defaults are fine here.
** Once the instance starts, ''stop'' but ''do not terminate'' the instance.
** Under EBS, detach the existing volume, and attach the alpine linux volume as /dev/sda1 (note the 1 at the end)
** Restart the instance
* Log in and make sure it works
* Do any final cleanups necessary, and if necessary lbu ci
** Only make configs that are appropriate for an AMI, we are going to snapshot this instance and create an AMI out of it
* Again from the Amazon web interface
** Delete the 8GB volume that is no longer needed
** ''Stop'' but do not terminate the instance
** Right click the stopped instance and choose 'Create Image (EBS AMI)'
*** Image name should be unique for the image - example AlpineLinux-2.4.5
*** Description can be anything - example 'Base AlpineLinux Installation - no services'
* Done.

[[Category:Virtualization]]

Install Alpine on Amazon EC2

2017-07-21T17:18:57Z

Nangel: /* Create an EBS backed Alpine Linux AMI */

The goal here is to have a "1GB" (the smallest possible) EBS 'virtual usb stick' that can boot and run Alpine Linux.

= Create an EBS backed Alpine Linux AMI =

{{Note|You need to do this process at least once in each availability region. EBS can't be shared between Ireland and California, for instance.}}

* Create an Amazon instance in the desired availability region. A micro instance is fine - we will need it only long enough to create our EBS usb stick.
* Create a new 1GB EBS volume
* Attach the new volume to the running instance
* The new volume will have a name like /dev/xvdf or such
* Format the volume as ext4 {{Cmd|mke2fs -t ext4 /dev/xvdf}} ''Do not partition it - just format the whole volume''
* wget a '''x86_64''' iso and extract it to the new volume. 32bit will not work.
<pre>
wget http://dl-4.alpinelinux.org/alpine/v3.6/releases/x86_64/alpine-virt-3.6.2-x86_64.iso
mkdir target
mkdir source
mount /dev/xvdf target
mount -o loop alpine-virt-3.6.2-x86_64.iso source
cp -av source/boot target
cp -av source/apks target
umount source
</pre>
* Create a grub.conf on the new partition.
<pre>
mkdir -p target/boot/grub
cat - >target/boot/grub/grub.conf <<EOF
default=0
timeout=3
hiddenmenu

title Alpine Linux
root (hd0)
kernel /boot/vmlinuz-virthardened alpine_dev=xvda1:ext4 modules=loop,squashfs,sd-mod,ext4 console=hvc0 pax_nouderef BOOT_IMAGE=/boot/vmlinuz-virthardened
initrd /boot/initramfs-virthardened
EOF
</pre>
:* Syslinux automatically adds BOOT_IMAGE to the kernel command line; grub does not, so make sure you specify it in the grub.conf
:* You do not need any other grub files - just boot.conf
* symlink the grub.conf to menu.lst
<pre>
ln -sf ./grub.conf target/boot/grub/menu.lst
</pre>
* Create an amazon.apkovl.tar.gz file to put on the target
** This is probably easiest on a local alpine linux instance. Make sure the following are configured:
*** eth0 uses dhcp
*** networking is set to autostart
*** sshd is installed and set to autostart
*** Your ssh public key is in /root/.ssh/authorized_keys
*** The root password is set to something
*** lbu include root/.ssh
*** (optional) - Delete the /etc/ssh/*key* files, so they are created on the new box
** {{Cmd|lbu package amazon.apkovl.tar.gz}} {{Warning|If you are packaging on a 32bit box, manually delete etc/apk/arch from the apkovl.tar.gz file}}
** Copy amazon.apkovl.tar.gz to target/
* Unmount target
* '''Do the following from the Amazon web interface'''
** Detach the new volume
** Make note of the volume ID
** Launch NEW instance. Use defaults, amazon linux, micro; we are going to canibalize it in a bit, so defaults are fine here.
** Once the instance starts, ''stop'' but ''do not terminate'' the instance.
** Under EBS, detach the existing volume, and attach the alpine linux volume as /dev/sda1 (note the 1 at the end)
** Restart the instance
* Log in and make sure it works
* Do any final cleanups necessary, and if necessary lbu ci
** Only make configs that are appropriate for an AMI, we are going to snapshot this instance and create an AMI out of it
* Again from the Amazon web interface
** Delete the 8GB volume that is no longer needed
** ''Stop'' but do not terminate the instance
** Right click the stopped instance and choose 'Create Image (EBS AMI)'
*** Image name should be unique for the image - example AlpineLinux-2.4.5
*** Description can be anything - example 'Base AlpineLinux Installation - no services'
* Done.

[[Category:Virtualization]]

Install Alpine on Amazon EC2

2017-07-08T15:29:57Z

Nangel: Update for 3.6.2 alpine-virt image

The goal here is to have a "1GB" (the smallest possible) EBS 'virtual usb stick' that can boot and run Alpine Linux.

= Create an EBS backed Alpine Linux AMI =

{{Note|You need to do this process at least once in each availability region. EBS can't be shared between Ireland and California, for instance.}}

* Create an Amazon instance in the desired availability region. A micro instance is fine - we will need it only long enough to create our EBS usb stick.
* Create a new 1GB EBS volume
* Attach the new volume to the running instance
* The new volume will have a name like /dev/xvdf or such
* Format the volume as ext4 {{Cmd|mke2fs -t ext4 /dev/xvdf}} ''Do not partition it - just format the whole volume''
* wget a '''x86_64''' iso and extract it to the new volume. 32bit will not work.
<pre>
wget http://dl-4.alpinelinux.org/alpine/v2.4/releases/x86_64/alpine-virt-3.6.2-x86_64.iso
mkdir target
mkdir source
mount /dev/xvdf target
mount -o loop alpine-virt-3.6.2-x86_64.iso source
cp -av source/boot target
cp -av source/apks target
umount source
</pre>
* Create a grub.conf on the new partition.
<pre>
mkdir -p target/boot/grub
cat - >target/boot/grub/grub.conf <<EOF
default=0
timeout=3
hiddenmenu

title Alpine Linux
root (hd0)
kernel /boot/vmlinuz-virthardened alpine_dev=xvda1:ext4 modules=loop,squashfs,sd-mod,ext4 console=hvc0 pax_nouderef BOOT_IMAGE=/boot/vmlinuz-virthardened
initrd /boot/initramfs-virthardened
EOF
</pre>
:* Syslinux automatically adds BOOT_IMAGE to the kernel command line; grub does not, so make sure you specify it in the grub.conf
:* You do not need any other grub files - just boot.conf
* symlink the grub.conf to menu.lst
<pre>
ln -sf ./grub.conf target/boot/grub/menu.lst
</pre>
* Create an amazon.apkovl.tar.gz file to put on the target
** This is probably easiest on a local alpine linux instance. Make sure the following are configured:
*** eth0 uses dhcp
*** networking is set to autostart
*** sshd is installed and set to autostart
*** Your ssh public key is in /root/.ssh/authorized_keys
*** The root password is set to something
*** lbu include root/.ssh
*** (optional) - Delete the /etc/ssh/*key* files, so they are created on the new box
** {{Cmd|lbu package amazon.apkovl.tar.gz}} {{Warning|If you are packaging on a 32bit box, manually delete etc/apk/arch from the apkovl.tar.gz file}}
** Copy amazon.apkovl.tar.gz to target/
* Unmount target
* '''Do the following from the Amazon web interface'''
** Detach the new volume
** Make note of the volume ID
** Launch NEW instance. Use defaults, amazon linux, micro; we are going to canibalize it in a bit, so defaults are fine here.
** Once the instance starts, ''stop'' but ''do not terminate'' the instance.
** Under EBS, detach the existing volume, and attach the alpine linux volume as /dev/sda1 (note the 1 at the end)
** Restart the instance
* Log in and make sure it works
* Do any final cleanups necessary, and if necessary lbu ci
** Only make configs that are appropriate for an AMI, we are going to snapshot this instance and create an AMI out of it
* Again from the Amazon web interface
** Delete the 8GB volume that is no longer needed
** ''Stop'' but do not terminate the instance
** Right click the stopped instance and choose 'Create Image (EBS AMI)'
*** Image name should be unique for the image - example AlpineLinux-2.4.5
*** Description can be anything - example 'Base AlpineLinux Installation - no services'
* Done.

[[Category:Virtualization]]

Apk internals

2017-05-25T21:58:26Z

Nangel: /* Internals of apk */

=Internals of apk=

"It's a secret to all!"

[https://git.alpinelinux.org/cgit/apk-tools/ Read the Source, Luke!]

See [[TODO:apk]].

MediaWiki:Copyright

2017-04-27T17:11:32Z

Nangel:

ISP Mail Server 3.x HowTo

2016-11-27T23:51:55Z

Nangel: /* Install Dovecot */ new way to specify a cert in a file

{{Draft|This is a work in progress based on migrating alpinelinux mail servers to 3.x}}

== A Full Service Mail Server ==

This document describes installation process for the Alpine Linux 3.x platform. The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server. This document superceeds the previous [[ISP Mail Server 2.x HowTo]] instructions for Alpine 2.x. For this guide, we start with a server ''without'' ACF installed.

The server provides:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* standard filters (virus/spam/rbl/etc)
* web mail client
* value add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-cgi php-pgsql php-imap

We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):
<nowiki>mkdir -p /var/www/domains/host.example.com/www
cat <<-EOF >/var/www/domains/host.example.com/www/index.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
EOF
</nowiki>

Get a web certificate, and install it. There are several options:
# Use a self-signed certificate, such as [[Generating SSL certs with ACF]]
# Use the certificate created with '''setup-acf''', if you installed ACF
# Get a certificate from a trusted root Certificate Authority, such as StartSSL.com, Thawte.com, Verisign.com, etc.

These instructions will use a certificate issued from a self-signed ACF based CA

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf:

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_fastcgi.conf"

start lighttpd, test:

rc-update add lighttpd
rc

At this point you should be able to see the redirect page: https://host.example.com/

== Install Postgresql ==

Add and configure postgresql:

apk add postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/9.0/data/pg_hba.conf. Since by default "trust" mechanism is for local connections only we assume using trust password-less access as safe.

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.93 was the current release, so (replace host.example.com with the actual domain):

wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
tar zxvf postfixadmin-2.93.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['authlib_default_flavor'] = 'SHA';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to https://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to https://host.example.com/postfixadmin/setup.php

Create superadmin account.

'''NOTE:''' Check http://sourceforge.net/tracker/index.php?func=detail&aid=2859165&group_id=191583&atid=937964 if you have bug on listing domains page.

== Install Postfix ==

Install postfix

apk add postfix postfix-pgsql postfix-pcre

The install should create a vmail user; you'll need the numeric uid/gid for the postfix main.cf file.

grep vmail /etc/passwd

(we will use 102:105 in the examples below)

Create the mail directory, and assign vmail as the owner:

mkdir -p /var/mail/domains
chown -R vmail:postdrop /var/mail/domains

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

# New install - don't need to be backward compatible
compatibility_level = 2

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:105
virtual_uid_maps = static:102
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes

# 100MB size limit
message_size_limit = 104857600
virtual_mailbox_limit = 104857600
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

# Silence the EAI warning on alpine linux
smtputf8_enable = no

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database:

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix:

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

Install dovecot:

apk add dovecot dovecot-pgsql

Edit /etc/dovecot/dovecot.conf:

<pre>
auth_mechanisms = plain login
auth_username_format = %Lu
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = no

disable_plaintext_auth = no

mail_location = maildir:/var/mail/domains/%d/%n

first_valid_gid = 105
first_valid_uid = 102
last_valid_gid = 105
last_valid_uid = 102

log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = IMAP server ready

protocols = imap

service anvil {
client_limit = 2100
}

ssl_cert = </etc/lighttpd/server-bundle.pem
ssl_key = </etc/lighttpd/server-bundle.pem

userdb {
args = uid=102 gid=105 home=/var/mail/domains/%d/%n
driver = static
}

passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}

namespace inbox {
inbox = yes

mailbox Trash {
auto = create
special_use = \Trash
}

mailbox Spam {
auto = no
special_use = \Junk
}

mailbox Ham {
auto = no
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}

}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = SHA512-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add the following:
# this is for postfix SASL (authenticated users can relay through us)

service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener /var/spool/postfix/auth-master {
group = postfix
mode = 0660
user = vmail
}
user = root
}

* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki2.dovecot.org/LDA deliver] lda for local delivery.

* Replace /etc/dovecot/dovecot.conf with the following:

<pre>
auth_mechanisms = plain login
auth_username_format = %Lu
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = no

disable_plaintext_auth = no

info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log

mail_location = maildir:/var/mail/domains/%d/%n

first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 65535
last_valid_uid = 65535

log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = IMAP server ready

protocols = imap

service anvil {
client_limit = 2100
}

service auth {
unix_listener /var/spool/postfix/auth-master {
group = postfix
mode = 0660
user = vmail
}
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}

service imap-login {
inet_listener imap {
address = 127.0.0.1
port = 143
}
inet_listener imaps {
address = *
port = 993
}
process_limit = 1024
}

service pop3-login {
process_limit = 1024
}

service dict {
unix_listener dict {
group =
mode = 0600
user = vmail
}
}

ssl_ca = </etc/ssl/certs/<CA Certificate file>
ssl_cert = </etc/ssl/private/<Public part of certificate file>
ssl_key = </etc/ssl/private/<Private part of certificate file>

passdb {
args = /etc/dovecot/dovecot-pgsql.conf
driver = sql
}

userdb {
driver = prefetch
}

userdb {
args = /etc/dovecot/dovecot-pgsql.conf
driver = sql
}

plugin {
quota = dict:user::proxy::quotadict

autocreate = Trash
autocreate2 = Spam
autocreate3 = Sent
autosubscribe = Trash
autosubscribe2 = Spam
autosubscribe3 = Sent
}

protocol imap {
mail_plugins = autocreate quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

protocol lda {
auth_socket_path = /var/spool/postfix/auth-master
mail_plugins = quota
postmaster_address = postmaster@host.example.com
sendmail_path = /usr/sbin/sendmail
}
</pre>

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown dovecot:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf
chown dovecot:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki2.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 2.2 repository

* Verify that you have at least the following in /etc/postfix/main.cf. Unless you have followed the Relay for Authenticated Users section above, set '''smtpd_tls_auth_only = no''', otherwise leave it set to '''yes''':

<pre>
# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
# Set the next line to no if TLS auth is not configured
smtpd_tls_auth_only = no
</pre>

* Ensure you have followed section ''Relay_for_Authenticated_Users''.

* Restart the relevant services:

<pre>
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
</pre>

* Add the package and related php modules:

apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv php-dom php-intl php-pdo php-ldap php-pdo_pgsql php-zlib

* Link the roundcube application back into the docroot

ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* Install ''roundcubemail-install'' package

apk add roundcubemail-installer

* Follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd /var/log/roundcube

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* Edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* Restart lighttpd to verify the new php libraries are used

/etc/init.d/lighttpd restart

* Get the additional php modules needed:
apk add curl php-phar git
cd /usr/share/webapps/roundcube
curl -sS https://getcomposer.org/installer | php
cp composer.json-dist composer.json
# Note - As of 11 Aug 2015, with Roundcube 1.1.2, there is a regression that is
# fixed here: https://github.com/roundcube/roundcubemail/commit/b3e9764c311a39012de1fa8ffd0fe874fbb322ef
# Update your composer.json accordingly:
# - "pear/mail_mime": ">=1.9.0",
# - "pear/net_smtp": "dev-master"
# + "pear-pear.php.net/mail_mime": ">=1.9.0",
# + "pear-pear.php.net/net_smtp": ">=1.6.3"
php composer.phar install --no-dev

* Point your browser to https://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''default port'' || 143
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 2 of the install to copy the files to the server
* You should now be able to get to roundcube at https://host.example.com/roundcube

* After its working, the INSTALL file recommends removing the install directory.

apk del roundcubemail-installer

* Disable installer mode in /etc/roundcube/main.inc.php file:

$rcmail_config['enable_installer'] = false;

* Change the ownership and permissions

cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG

* If needed customize logos such as '''watermark.gif''', '''roundcube_logo.gif''', '''favicon.ico'''

* If you would like to disable displaying of standard logos update template files accordingly

* Comment all entries like '''<div ... img src="/images/roundcube_logo.png"...''' in files:

includes/header.html
templates/error.html
templates/messageprint.html
templates/login.html
templates/printmessage.html

* Comment all entries like '''<img src="/images/watermark.gif"...''' in files:

templates/identities.html
templates/messageerror.html
watermark.html

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

* Enable ''create_default_folders'' for RoundCube
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['create_default_folders'] = TRUE;
...
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>
'''''Question to experts: Is this normal to have in this script "WARNING: nonstandard use of \\ in a string literal"?'''''

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Uncomment next five TLS... lines if you want to use LDAPs (secured). Probably you don't want it...
#TLSCipherSuite HIGH
#TLSCACertificateFile /etc/lighttpd/ca-crt.pem
#TLSCertificateFile /etc/lighttpd/server-bundle.pem
#TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
#TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL. In case you uncommented TLS lines in slapd.conf use this string: OPTS="-h 'ldaps:// ldap://'"

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldap://'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities. In case you uncommented TLS lines in slapd.conf replace ldap with ldaps

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldap://host.example.com

# Uncomment next three TLS... lines if you want to use LDAPs (secured). Probably you don't want it...
#TLS_CACERT /etc/lighttpd/ca-crt.pem
#TLS_CERT /etc/lighttpd/server-bundle.pem
#TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /etc/roundcube/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/postfixadmin/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

== Optional: Enable compression in Lighttpd ==

* Uncomment ''mod_compress'' and ''mod_setenv'' and modify website section as follows

mkdir -p /var/lib/lighttpd/cache
chown lighttpd:lighttpd /var/lib/lighttpd/cache

vi /etc/lighttpd/lighttpd.conf

...
"mod_setenv",
"mod_compress",
...
$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
...
static-file.etags = "enable"
etag.use-mtime = "enable"
$HTTP["url"] =~ "^/(plugins|skins|program)" { setenv.add-response-header = ( "Cache-Control" => "public, max-age=2592000") }
compress.cache-dir = var.statedir + "/cache/compress"
compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml", "image/gif", "image/png")
}

[[Category:Mail]]
[[Category:PHP]]
[[Category:SQL]]
[[Category:ACF]]

ISP Mail Server 3.x HowTo

2016-11-27T23:44:21Z

Nangel: /* Install Dovecot */

{{Draft|This is a work in progress based on migrating alpinelinux mail servers to 3.x}}

== A Full Service Mail Server ==

This document describes installation process for the Alpine Linux 3.x platform. The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server. This document superceeds the previous [[ISP Mail Server 2.x HowTo]] instructions for Alpine 2.x. For this guide, we start with a server ''without'' ACF installed.

The server provides:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* standard filters (virus/spam/rbl/etc)
* web mail client
* value add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-cgi php-pgsql php-imap

We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):
<nowiki>mkdir -p /var/www/domains/host.example.com/www
cat <<-EOF >/var/www/domains/host.example.com/www/index.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
EOF
</nowiki>

Get a web certificate, and install it. There are several options:
# Use a self-signed certificate, such as [[Generating SSL certs with ACF]]
# Use the certificate created with '''setup-acf''', if you installed ACF
# Get a certificate from a trusted root Certificate Authority, such as StartSSL.com, Thawte.com, Verisign.com, etc.

These instructions will use a certificate issued from a self-signed ACF based CA

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf:

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_fastcgi.conf"

start lighttpd, test:

rc-update add lighttpd
rc

At this point you should be able to see the redirect page: https://host.example.com/

== Install Postgresql ==

Add and configure postgresql:

apk add postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/9.0/data/pg_hba.conf. Since by default "trust" mechanism is for local connections only we assume using trust password-less access as safe.

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.93 was the current release, so (replace host.example.com with the actual domain):

wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
tar zxvf postfixadmin-2.93.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['authlib_default_flavor'] = 'SHA';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to https://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to https://host.example.com/postfixadmin/setup.php

Create superadmin account.

'''NOTE:''' Check http://sourceforge.net/tracker/index.php?func=detail&aid=2859165&group_id=191583&atid=937964 if you have bug on listing domains page.

== Install Postfix ==

Install postfix

apk add postfix postfix-pgsql postfix-pcre

The install should create a vmail user; you'll need the numeric uid/gid for the postfix main.cf file.

grep vmail /etc/passwd

(we will use 102:105 in the examples below)

Create the mail directory, and assign vmail as the owner:

mkdir -p /var/mail/domains
chown -R vmail:postdrop /var/mail/domains

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

# New install - don't need to be backward compatible
compatibility_level = 2

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:105
virtual_uid_maps = static:102
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes

# 100MB size limit
message_size_limit = 104857600
virtual_mailbox_limit = 104857600
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

# Silence the EAI warning on alpine linux
smtputf8_enable = no

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database:

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix:

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

Install dovecot:

apk add dovecot dovecot-pgsql

Edit /etc/dovecot/dovecot.conf:

<pre>
auth_mechanisms = plain login
auth_username_format = %Lu
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = no

disable_plaintext_auth = no

mail_location = maildir:/var/mail/domains/%d/%n

first_valid_gid = 105
first_valid_uid = 102
last_valid_gid = 105
last_valid_uid = 102

log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = IMAP server ready

protocols = imap

service anvil {
client_limit = 2100
}

ssl_cert = /etc/lighttpd/server-bundle.pem
ssl_key = /etc/lighttpd/server-bundle.pem

userdb {
args = uid=102 gid=105 home=/var/mail/domains/%d/%n
driver = static
}

passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}

namespace inbox {
inbox = yes

mailbox Trash {
auto = create
special_use = \Trash
}

mailbox Spam {
auto = no
special_use = \Junk
}

mailbox Ham {
auto = no
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}

}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = SHA512-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add the following:
# this is for postfix SASL (authenticated users can relay through us)

service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener /var/spool/postfix/auth-master {
group = postfix
mode = 0660
user = vmail
}
user = root
}

* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki2.dovecot.org/LDA deliver] lda for local delivery.

* Replace /etc/dovecot/dovecot.conf with the following:

<pre>
auth_mechanisms = plain login
auth_username_format = %Lu
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = no

disable_plaintext_auth = no

info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log

mail_location = maildir:/var/mail/domains/%d/%n

first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 65535
last_valid_uid = 65535

log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = IMAP server ready

protocols = imap

service anvil {
client_limit = 2100
}

service auth {
unix_listener /var/spool/postfix/auth-master {
group = postfix
mode = 0660
user = vmail
}
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}

service imap-login {
inet_listener imap {
address = 127.0.0.1
port = 143
}
inet_listener imaps {
address = *
port = 993
}
process_limit = 1024
}

service pop3-login {
process_limit = 1024
}

service dict {
unix_listener dict {
group =
mode = 0600
user = vmail
}
}

ssl_ca = </etc/ssl/certs/<CA Certificate file>
ssl_cert = </etc/ssl/private/<Public part of certificate file>
ssl_key = </etc/ssl/private/<Private part of certificate file>

passdb {
args = /etc/dovecot/dovecot-pgsql.conf
driver = sql
}

userdb {
driver = prefetch
}

userdb {
args = /etc/dovecot/dovecot-pgsql.conf
driver = sql
}

plugin {
quota = dict:user::proxy::quotadict

autocreate = Trash
autocreate2 = Spam
autocreate3 = Sent
autosubscribe = Trash
autosubscribe2 = Spam
autosubscribe3 = Sent
}

protocol imap {
mail_plugins = autocreate quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

protocol lda {
auth_socket_path = /var/spool/postfix/auth-master
mail_plugins = quota
postmaster_address = postmaster@host.example.com
sendmail_path = /usr/sbin/sendmail
}
</pre>

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown dovecot:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf
chown dovecot:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki2.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 2.2 repository

* Verify that you have at least the following in /etc/postfix/main.cf. Unless you have followed the Relay for Authenticated Users section above, set '''smtpd_tls_auth_only = no''', otherwise leave it set to '''yes''':

<pre>
# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
# Set the next line to no if TLS auth is not configured
smtpd_tls_auth_only = no
</pre>

* Ensure you have followed section ''Relay_for_Authenticated_Users''.

* Restart the relevant services:

<pre>
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
</pre>

* Add the package and related php modules:

apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv php-dom php-intl php-pdo php-ldap php-pdo_pgsql php-zlib

* Link the roundcube application back into the docroot

ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* Install ''roundcubemail-install'' package

apk add roundcubemail-installer

* Follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd /var/log/roundcube

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* Edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* Restart lighttpd to verify the new php libraries are used

/etc/init.d/lighttpd restart

* Get the additional php modules needed:
apk add curl php-phar git
cd /usr/share/webapps/roundcube
curl -sS https://getcomposer.org/installer | php
cp composer.json-dist composer.json
# Note - As of 11 Aug 2015, with Roundcube 1.1.2, there is a regression that is
# fixed here: https://github.com/roundcube/roundcubemail/commit/b3e9764c311a39012de1fa8ffd0fe874fbb322ef
# Update your composer.json accordingly:
# - "pear/mail_mime": ">=1.9.0",
# - "pear/net_smtp": "dev-master"
# + "pear-pear.php.net/mail_mime": ">=1.9.0",
# + "pear-pear.php.net/net_smtp": ">=1.6.3"
php composer.phar install --no-dev

* Point your browser to https://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''default port'' || 143
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 2 of the install to copy the files to the server
* You should now be able to get to roundcube at https://host.example.com/roundcube

* After its working, the INSTALL file recommends removing the install directory.

apk del roundcubemail-installer

* Disable installer mode in /etc/roundcube/main.inc.php file:

$rcmail_config['enable_installer'] = false;

* Change the ownership and permissions

cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG

* If needed customize logos such as '''watermark.gif''', '''roundcube_logo.gif''', '''favicon.ico'''

* If you would like to disable displaying of standard logos update template files accordingly

* Comment all entries like '''<div ... img src="/images/roundcube_logo.png"...''' in files:

includes/header.html
templates/error.html
templates/messageprint.html
templates/login.html
templates/printmessage.html

* Comment all entries like '''<img src="/images/watermark.gif"...''' in files:

templates/identities.html
templates/messageerror.html
watermark.html

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

* Enable ''create_default_folders'' for RoundCube
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['create_default_folders'] = TRUE;
...
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>
'''''Question to experts: Is this normal to have in this script "WARNING: nonstandard use of \\ in a string literal"?'''''

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Uncomment next five TLS... lines if you want to use LDAPs (secured). Probably you don't want it...
#TLSCipherSuite HIGH
#TLSCACertificateFile /etc/lighttpd/ca-crt.pem
#TLSCertificateFile /etc/lighttpd/server-bundle.pem
#TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
#TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL. In case you uncommented TLS lines in slapd.conf use this string: OPTS="-h 'ldaps:// ldap://'"

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldap://'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities. In case you uncommented TLS lines in slapd.conf replace ldap with ldaps

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldap://host.example.com

# Uncomment next three TLS... lines if you want to use LDAPs (secured). Probably you don't want it...
#TLS_CACERT /etc/lighttpd/ca-crt.pem
#TLS_CERT /etc/lighttpd/server-bundle.pem
#TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /etc/roundcube/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/postfixadmin/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

== Optional: Enable compression in Lighttpd ==

* Uncomment ''mod_compress'' and ''mod_setenv'' and modify website section as follows

mkdir -p /var/lib/lighttpd/cache
chown lighttpd:lighttpd /var/lib/lighttpd/cache

vi /etc/lighttpd/lighttpd.conf

...
"mod_setenv",
"mod_compress",
...
$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
...
static-file.etags = "enable"
etag.use-mtime = "enable"
$HTTP["url"] =~ "^/(plugins|skins|program)" { setenv.add-response-header = ( "Cache-Control" => "public, max-age=2592000") }
compress.cache-dir = var.statedir + "/cache/compress"
compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml", "image/gif", "image/png")
}

[[Category:Mail]]
[[Category:PHP]]
[[Category:SQL]]
[[Category:ACF]]

ISP Mail Server 3.x HowTo

2016-11-27T15:57:59Z

Nangel: /* Install Dovecot */

{{Draft|This is a work in progress based on migrating alpinelinux mail servers to 3.x}}

== A Full Service Mail Server ==

This document describes installation process for the Alpine Linux 3.x platform. The goal of this document is to describe how to set up postfix, dovecot, clamav, dspam, roundecube, and postfixadmin for a full-featured "ISP" level mail server. This document superceeds the previous [[ISP Mail Server 2.x HowTo]] instructions for Alpine 2.x. For this guide, we start with a server ''without'' ACF installed.

The server provides:

* multiple virtual domains
* admins for each domain (to add/remove virtual accounts)
* quota support per domain / account
* downloading email via IMAP / IMAPS / POP3 / POP3S
* relaying email for authenticated users with TLS or SSL (Submission / SMTPS protocol)
* standard filters (virus/spam/rbl/etc)
* web mail client
* value add services

== Set up Lighttpd + PHP ==

PostfixAdmin needs php pgpsql and imap modules, so we do it in this step.

apk add lighttpd php php-cgi php-pgsql php-imap

We are setting this up to be a multi-domain virtual web server (replace host.example.com with the actual domain):
<nowiki>mkdir -p /var/www/domains/host.example.com/www
cat <<-EOF >/var/www/domains/host.example.com/www/index.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host.example.com Redirector</title>
</head>
<body>
<ul>
<li><a href="/postfixadmin">PostfixAdmin</a></li>
<li><a href="/roundcube">Roundcube</a></li>
</ul>
</body>
EOF
</nowiki>

Get a web certificate, and install it. There are several options:
# Use a self-signed certificate, such as [[Generating SSL certs with ACF]]
# Use the certificate created with '''setup-acf''', if you installed ACF
# Get a certificate from a trusted root Certificate Authority, such as StartSSL.com, Thawte.com, Verisign.com, etc.

These instructions will use a certificate issued from a self-signed ACF based CA

openssl pkcs12 -nokeys -cacerts -in certificate.pfx -out /etc/lighttpd/ca-crt.pem
openssl pkcs12 -nodes -in certificate.pfx -out /etc/lighttpd/server-bundle.pem
chown root:root /etc/lighttpd/server-bundle.pem
chmod 400 /etc/lighttpd/server-bundle.pem

'''Note:''' The server certificate ''and'' key are in the server-bundle.pem file, so it is critical that the file be read-only by user "root".

Add these lines to /etc/lighttpd/lighttpd.conf to point to the new document root, and set it up to listen on port 443 (replace ''host.example.com'' with the actual domain and ''ip_address_of_server'' with the actual IP address):

<pre>

simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/host.example.com/"
simple-vhost.document-root = "www/"

$SERVER["socket"] == "ip_address_of_server:443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server-bundle.pem"
ssl.ca-file = "/etc/lighttpd/ca-crt.pem"
}
</pre>

Ensure that the simple_vhosts module is loaded, as well as the cgi config scripts by uncommenting the following lines in /etc/lighttpd/lighttpd.conf:

server.modules = (
# other modules may be listed
"mod_simple_vhost",
# other modules may be listed
.
.
.
include "mod_fastcgi.conf"

start lighttpd, test:

rc-update add lighttpd
rc

At this point you should be able to see the redirect page: https://host.example.com/

== Install Postgresql ==

Add and configure postgresql:

apk add postgresql postgresql-client
/etc/init.d/postgresql setup
/etc/init.d/postgresql start
rc-update add postgresql

At this point any user can connect to the sql server with "trust" mechanism. If you want to enforce password authentication (you probably do) edit /var/lib/postgresql/9.0/data/pg_hba.conf. Since by default "trust" mechanism is for local connections only we assume using trust password-less access as safe.

Create the postfix database:

psql -U postgres
create user postfix with password '******';
create database postfix owner postfix;
\q

(Of course, use your selected password where ******* is shown above.)

== Install PostfixAdmin ==

We are going to install the postfix admin web front-end before we install the mail server. This just creates an interface to populate the SQL tables that postfix and dovecot will use.

Download PostfixAdmin from Sourceforge. When these instructions were written, 2.93 was the current release, so (replace host.example.com with the actual domain):

wget http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.93/postfixadmin-2.93.tar.gz
tar zxvf postfixadmin-2.93.tar.gz
mkdir -p /var/www/domains/host.example.com/www/postfixadmin
mv postfixadmin-2.3.3/* /var/www/domains/host.example.com/www/postfixadmin
rm -rf postfixadmin*

Edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and modify at least these lines (replace host.example.com with the actual domain):

$CONF['configured'] = true;
$CONF['setup_password'] = ""; << Don't change this yet
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = '*****'; << The password you chose above
$CONF['database_name'] = 'postfix';
$CONF['database_prefix'] = "";
$CONF['admin_email'] = 'you@some.email.com'; << Your email address
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['authlib_default_flavor'] = 'SHA';
$CONF['dovecotpw'] = "/usr/bin/doveadm pw";
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['aliases'] = '10';
$CONF['mailboxes'] = '10';
$CONF['maxquota'] = '10';
$CONF['quota'] = 'YES';
$CONF['quota_multiplier'] = '1024000';
$CONF['vacation'] = 'NO';
$CONF['vacation_control'] ='NO';
$CONF['vacation_control_admin'] = 'NO';
$CONF['alias_control'] = 'YES';
$CONF['alias_control_admin'] = 'YES';
$CONF['special_alias_control'] = 'YES';
$CONF['fetchmail'] = 'NO';
$CONF['user_footer_link'] = "http://host.example.com/postfixadmin";
$CONF['footer_link'] = 'http://host.example.com/postfixadmin/main.php';
$CONF['create_mailbox_subdirs_prefix']="";
$CONF['used_quotas'] = 'YES';
$CONF['new_quota_table'] = 'YES';

You should further edit /var/www/domains/host.example.com/www/postfixadmin/config.inc.php and replace all instances of "change-this-to-your.domain.tld" with your actual mail domain. This can be done with busybox sed (replace example.com with your domain name):

sed -i -e 's/change-this-to-your.domain.tld/example.com/g' /var/www/domains/host.example.com/www/postfixadmin/config.inc.php

Go to https://host.example.com/postfixadmin/setup.php

Create the password hash, add it to the config.inc.php file

Go back to https://host.example.com/postfixadmin/setup.php

Create superadmin account.

'''NOTE:''' Check http://sourceforge.net/tracker/index.php?func=detail&aid=2859165&group_id=191583&atid=937964 if you have bug on listing domains page.

== Install Postfix ==

Install postfix

apk add postfix postfix-pgsql postfix-pcre

The install should create a vmail user; you'll need the numeric uid/gid for the postfix main.cf file.

grep vmail /etc/passwd

(we will use 102:105 in the examples below)

Create the mail directory, and assign vmail as the owner:

mkdir -p /var/mail/domains
chown -R vmail:postdrop /var/mail/domains

Edit the /etc/postfix/main.cf file. Here's an example (don't forget to replace the uid/gid):

# New install - don't need to be backward compatible
compatibility_level = 2

myhostname=host.example.com
mydomain=example.com

mydestination = localhost.$mydomain, localhost
mynetworks_style = subnet
mynetworks = 127.0.0.0/8

virtual_mailbox_domains = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_domains_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_catchall_maps.cf

virtual_mailbox_maps = proxy:pgsql:/etc/postfix/sql/pgsql_virtual_mailbox_maps.cf,
proxy:pgsql:/etc/postfix/sql/pgsql_virtual_alias_domain_mailbox_maps.cf

virtual_mailbox_base = /var/mail/domains/
virtual_gid_maps = static:105
virtual_uid_maps = static:102
virtual_minimum_uid = 100
virtual_transport = virtual

# This next command means you must create a virtual
# domain for the host itself - ALL mail goes through
# The virtual transport

mailbox_transport = virtual
local_transport = virtual
local_transport_maps = $virtual_mailbox_maps

smtpd_helo_required = yes
disable_vrfy_command = yes

# 100MB size limit
message_size_limit = 104857600
virtual_mailbox_limit = 104857600
queue_minfree = 51200000

smtpd_sender_restrictions =
permit_mynetworks,
reject_non_fqdn_sender,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net

smtpd_data_restrictions = reject_unauth_pipelining

# we will use this later - This prevents cleartext authentication
# for relaying
smtpd_tls_auth_only = yes

# Silence the EAI warning on alpine linux
smtputf8_enable = no

Now we need to create a *bunch* of files so that postfix can get the delivery information out of sql. Here's a shell script to create the scripts. Change PGPW to the password for the postfix user of the postfix SQL database:

cd /etc/postfix
mkdir sql
PGPW="ChangeMe"

cat - <<EOF >sql/pgsql_virtual_alias_domain_catchall_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias,alias_domain where alias_domain.alias_domain = '%d' and alias.address = '@' || alias_domain.target_domain and alias.active = true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox,alias_domain where alias_domain.alias_domain = '%d' and mailbox.username = '%u' || '@' || alias_domain.target_domain and mailbox.active = true and alias_domain.active
EOF

cat - <<EOF >sql/pgsql_virtual_alias_domain_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = select goto from alias,alias_domain where alias_domain.alias_domain='%d' and alias.address = '%u' || '@' || alias_domain.target_domain and alias.active= true and alias_domain.active= true
EOF

cat - <<EOF >sql/pgsql_virtual_alias_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select goto From alias Where address='%s' and active ='1'
EOF

cat - <<EOF >sql/pgsql_virtual_domains_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select domain from domain where domain='%s' and active='1'
EOF

cat - <<EOF >sql/pgsql_virtual_mailbox_maps.cf
user=postfix
password = $PGPW
hosts = localhost
dbname = postfix
query = Select maildir from mailbox where username='%s' and active=true
EOF

chown -R postfix:postfix sql
chmod 640 sql/*

At this point you should be able to start up postfix:

newaliases # so postfix is happy...
/etc/init.d/postfix start
rc-update add postfix

=== Create a domain in PostfixAdmin and test ===

Go to http://host.example.com/postfixadmin/

Log in using the superadmin account, create a domain for the local box (e.g. example.com), and create a user mailbox (e.g. root).

From the machine, send a test message:

sendmail -t root@example.com
subject: test
.
^d

In /var/log/mail.log (or /var/log/messages, if you still have busybox syslogd running) you should see the message queued. The message should be in /var/mail/domains/example.com/root/new

== Install Dovecot ==

Dovecot is the POP3/IMAP server to retrieve mail.

Install dovecot:

apk add dovecot dovecot-pgsql

Edit /etc/dovecot/dovecot.conf:

<pre>
auth_mechanisms = plain login
auth_username_format = %Lu
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = no

disable_plaintext_auth = no

mail_location = maildir:/var/mail/domains/%d/%n

first_valid_gid = 105
first_valid_uid = 102
last_valid_gid = 105
last_valid_uid = 102

log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = IMAP server ready

protocols = imap

service anvil {
client_limit = 2100
}

ssl_cert = /etc/lighttpd/server-bundle.pem
ssl_key = /etc/lighttpd/server-bundle.pem

userdb {
args = uid=102 gid=105 home=/var/mail/domains/%d/%n
driver = static
}

passdb {
args = /etc/dovecot/dovecot-sql.conf
driver = sql
}

namespace inbox {
inbox = yes

mailbox Trash {
auto = create
special_use = \Trash
}

mailbox Spam {
auto = no
special_use = \Junk
}

mailbox Ham {
auto = no
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}

}
</pre>

Be sure to replace the uid and gid with the appropriate values for the vmail user.

We need a certificate for SSL/TLS authentication, so in the example above, we use the lighttpd cert. That way when the cert is renewed/replaced, Dovecot will have access to the new cert as well.

Create the /etc/dovecot/dovecot-sql.conf file:

driver = pgsql
connect = host=localhost dbname=postfix user=postfix password=********
password_query = select username,password from mailbox where local_part = '%n' and domain = '%d'
default_pass_scheme = MD5-CRYPT

Again, change the password above to your postfix user password, and protect the file from prying eyes:

chown root:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf

Start dovecot
/etc/init.d/dovecot start
rc-update add dovecot

== Testing ==

Make sure your firewall allows in ports 25(SMTP) 110 (POP3), 995 (POP3S), 143(IMAP), 993(IMAPS), or whatever subset you support.

At this point, you should be able to:
* Create a new domain and add users with PostfixAdmin
* Send mail to those users via SMTP to port 25
* Retrieve mail using the user's full email and password (e.g. username: user@example.com password: ChangeMe)

== Value Add Features ==

If you followed the guide above, you now have a functional mail server with many interconnected parts. The features below assume that the server is already running as described above. You should be able to add any or all of these features below to further enhance the mail service.

=== Virus Scanning ===

This procedure uses clamav and the postfix content_filter mechanism to scan inbound and outbound email for viruses. Infected emails are dropped. Clean emails are tagged with a "scanned by clamav" header.

* Install clamav and clamsmtp:
apk add acf-clamav clamsmtp
* Edit the /etc/clamav/clamd.conf file if desired (not necessary in most cases)
* Edit /etc/clamsmtpd.conf and verify the following lines
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-Virus-Scanned: ClamAV using ClamSMTP
Action: drop
User: clamav
* Start the daemons
rc-update add clamd
rc-update add clamsmtpd
/etc/init.d/clamd start
/etc/init.d/clamsmtpd start
* Verify clamsmtp is listening on port 10025:
netstat -anp | grep clamsmtp
* [http://memberwebs.com/stef/software/clamsmtp/postfix.html Following the clamsmtp instructions]
** edit /etc/postfix/main.cf and add:
content_filter = scan:[127.0.0.1]:10025
** edit /etc/postfix/master.cf and add
# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
* postfix reload
* Send and email into a local virtual domain - it should have the ''X-Virus-Scanned: ClamAV using ClamSMTP'' header.

=== Relay for Authenticated Users ===

As configured above, the mail server accepts email from the Internet, but it does not relay email. If it is a perimeter exchanger for a protected network, then you can add the protected networks to the ''mynetworks'' configuration line in /etc/postfix/main.cf

This configuration change allows ''remote'' users to authenticate against the mail server and relay through it. The rules for relaying are:
* Only authenticated users can relay
* Authentication Credentials must be encrypted with TLS or SSL
* Allow Submission and SMTPS ports for relaying (many consumer networks block port 25 - SMTP by default)
The process uses the dovecot authentication mechanism (used with IMAPS) to authenticate users before they are allowed to relay through postfix.

* Edit /etc/dovecot/dovecot.conf and add the following:
# this is for postfix SASL (authenticated users can relay through us)

service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
unix_listener /var/spool/postfix/auth-master {
group = postfix
mode = 0660
user = vmail
}
user = root
}

* Restart dovecot
/etc/init.d/dovecot restart
* Edit /etc/postfix/main.cf and add:
# TLS Stuff -- since we allow SASL with tls *only*, we have to set up TLS first

smtpd_tls_cert_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_key_file = /etc/lighttpd/server-bundle.pem
smtpd_tls_CAfile = /etc/lighttpd/ca-crt.pem
# If tls_security_level is set to "encrypt", then SMTP rejects
# unencrypted email (e.g. normal mail) which is bad.
# By setting it to "may" you get TLS encrypted mail from google, slashdot, and other
# interesting places. Check your logs to see who
smtpd_tls_security_level = may
# Log info about the negotiated encryption levels
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
* Edit /etc/postfix/master.cf and enable the submission and smtps transports. They are probably already at the top of your master.cf file, just commented out:
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
*Verfiy submission and smtps are defined in /etc/services
grep "submission\|ssmtp" /etc/services
submission 587/tcp # mail message submission
submission 587/udp
smtps 465/tcp ssmtp # smtp protocol over TLS/SSL
smtps 465/udp ssmtp
* Restart postfix
postfix reload

At this point, you should be able to set up a mail client to relay through the server with TLS (port 587) or SSL (port 465) Note that "plain" authentication is used because the underlying link is encrypted. For example, in Thunderbird leave "secure authentication" unchecked, and choose STARTTLS (or TLS) for the connection security.

=== Mailbox Quotas ===

In the default configuration, PostfixAdmin knows about quotas, but they are not enforced. Documentation on the web mentions the [http://vda.sourceforge.net vda patch to postfix] to enforce quotas. The only bad thing... its a ''patch''. Postfix and Dovecot are both conservative systems, so if the patch isn't in the upstream source, we'll assume there's a good reason. There is a way of using quotas without patches - and it involves using dovecot's [http://wiki2.dovecot.org/LDA deliver] lda for local delivery.

* Replace /etc/dovecot/dovecot.conf with the following:

<pre>
auth_mechanisms = plain login
auth_username_format = %Lu
#auth_verbose = yes
#auth_debug = yes
#auth_debug_passwords = no

disable_plaintext_auth = no

info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log

mail_location = maildir:/var/mail/domains/%d/%n

first_valid_gid = 1000
first_valid_uid = 1000
last_valid_gid = 65535
last_valid_uid = 65535

log_timestamp = "%Y-%m-%d %H:%M:%S "
login_greeting = IMAP server ready

protocols = imap

service anvil {
client_limit = 2100
}

service auth {
unix_listener /var/spool/postfix/auth-master {
group = postfix
mode = 0660
user = vmail
}
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
user = root
}

service imap-login {
inet_listener imap {
address = 127.0.0.1
port = 143
}
inet_listener imaps {
address = *
port = 993
}
process_limit = 1024
}

service pop3-login {
process_limit = 1024
}

service dict {
unix_listener dict {
group =
mode = 0600
user = vmail
}
}

ssl_ca = </etc/ssl/certs/<CA Certificate file>
ssl_cert = </etc/ssl/private/<Public part of certificate file>
ssl_key = </etc/ssl/private/<Private part of certificate file>

passdb {
args = /etc/dovecot/dovecot-pgsql.conf
driver = sql
}

userdb {
driver = prefetch
}

userdb {
args = /etc/dovecot/dovecot-pgsql.conf
driver = sql
}

plugin {
quota = dict:user::proxy::quotadict

autocreate = Trash
autocreate2 = Spam
autocreate3 = Sent
autosubscribe = Trash
autosubscribe2 = Spam
autosubscribe3 = Sent
}

protocol imap {
mail_plugins = autocreate quota imap_quota
}

protocol pop3 {
mail_plugins = quota
}

dict {
quotadict = pgsql:/etc/dovecot/dovecot-dict-quota.conf
}

protocol lda {
auth_socket_path = /var/spool/postfix/auth-master
mail_plugins = quota
postmaster_address = postmaster@host.example.com
sendmail_path = /usr/sbin/sendmail
}
</pre>

* edit <tt>/etc/dovecot/dovecot-sql.conf</tt> and replace the user and password queries with the following (you may not have a user_query yet - add it):

password_query = select username as user, password, 1006 as userdb_uid, 1006 as userdb_gid, '*:bytes=' || quota as userdb_quota_rule from mailbox where local_part = '%n' and domain = '%d'
user_query = select '/var/mail/domains/' || maildir as home, 1006 as uid, 1006 as gid, '*:bytes=' || quota as quota_rule from mailbox where local_part = '%n' and domain ='%d'

* create <tt>/etc/dovecot/dovecot-dict-quota.conf</tt>
connect = host=localhost dbname=postfix user=postfix password=********

map {
pattern = priv/quota/storage
table = quota2
username_field =username
value_field = bytes
}

map {
pattern= priv/quota/messages
table = quota2
username_field = username
value_field = messages
}

Again, change the password above to your postfix user password, and protect the file from prying eyes:
chown dovecot:root /etc/dovecot/dovecot-sql.conf
chmod 600 /etc/dovecot/dovecot-sql.conf
chown dovecot:root /etc/dovecot/dovecot-dict-quota.conf
chmod 600 /etc/dovecot/dovecot-dict-quota.conf

Side note: [http://wiki2.dovecot.org/Quota/Dict The Dovecot Quota Documentation] mentions the need for a trigger with pgsql. This was created in the PostfixAdmin install, which is why you instantiated the pgsql language when creating the database. If not, you will need to create the trigger, to reference the quota2 table, not the quota table mentioned in the dovecot docs.

* create a new transport for the dovecot lda. Add the following to /etc/postfix/master.cf:
# The dovecot deliver lda
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

* Edit the /etc/postfix/main.cf. Replace
virtual_transport = virtual
with
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

Change permissions on the /var/log/dovecot* log files, so that the vmail user can write to them:

chown vmail:vmail /var/log/dovecot*

Restart Postfix and Dovecot:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

'''TODO''' This will cause over-quota emails to bounce. Which could be a source of backscatter. We need a way of checking quota limits after RBL checking but before the message is accepted in the queue.

=== WebMail (RoundCube) ===

[http://roundcube.net/ RoundCube] is an "ajax /Web2.0" web-mail client. These instructions are for the Alpine Linux 2.2 repository

* Verify that you have at least the following in /etc/postfix/main.cf. Unless you have followed the Relay for Authenticated Users section above, set '''smtpd_tls_auth_only = no''', otherwise leave it set to '''yes''':

<pre>
# SASL - this allows senders to authenticiate themselves
# This along with "permit_sasl_authenticated" in smtpd_recipient_restrictions allows relaying
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
# Set the next line to no if TLS auth is not configured
smtpd_tls_auth_only = no
</pre>

* Ensure you have followed section ''Relay_for_Authenticated_Users''.

* Restart the relevant services:

<pre>
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
</pre>

* Add the package and related php modules:

apk add roundcubemail php-xml php-openssl php-mcrypt php-gd php-iconv php-dom php-intl php-pdo php-ldap php-pdo_pgsql php-zlib

* Link the roundcube application back into the docroot

ln -s /usr/share/webapps/roundcube /var/www/domains/host.example.com/www/roundcube

* Install ''roundcubemail-install'' package

apk add roundcubemail-installer

* Follow the instructions in /usr/share/webapps/roundcube/INSTALL:
cd /usr/share/webapps/roundcube
chown -R lighttpd:lighttpd /var/log/roundcube

su postgres
createuser roundcube
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) y
createdb -O roundcube -E UNICODE -T template0 roundcubemail
psql roundcubemail
roundcubemail=# ALTER USER roundcube WITH PASSWORD 'the_new_password';
roundcubemail=# \c - roundcube
roundcubemail=> \i /usr/share/webapps/roundcube/SQL/postgres.initial.sql
roundcubemail=> \q
exit

* Edit /etc/php/php.ini and set date.timezone to your local timezone, or to UTC

* Restart lighttpd to verify the new php libraries are used

/etc/init.d/lighttpd restart

* Get the additional php modules needed:
apk add curl php-phar git
cd /usr/share/webapps/roundcube
curl -sS https://getcomposer.org/installer | php
cp composer.json-dist composer.json
# Note - As of 11 Aug 2015, with Roundcube 1.1.2, there is a regression that is
# fixed here: https://github.com/roundcube/roundcubemail/commit/b3e9764c311a39012de1fa8ffd0fe874fbb322ef
# Update your composer.json accordingly:
# - "pear/mail_mime": ">=1.9.0",
# - "pear/net_smtp": "dev-master"
# + "pear-pear.php.net/mail_mime": ">=1.9.0",
# + "pear-pear.php.net/net_smtp": ">=1.6.3"
php composer.phar install --no-dev

* Point your browser to https://host.example.com/roundcube/installer
* Start installation

For the specific configuration parameters in the install step:

{| class="wikitable"
!Property
!Setting
|-
| ''enable_spellcheck'' || disabled
|-
| ''identities_level'' || one identity with possibility to edit all params but not email address
|-
| ''log driver'' || syslog
|-
| ''sylog_id'' || roundcube
|-
| ''syslog_facility'' || mailsubsystem
|-
| ''db_dnsw'' || pgsql properties, as described above
|-
| ''imap_host'' || 127.0.0.1
|-
| ''default port'' || 143
|-
| ''auto_create_user'' || enabled
|-
| ''smtp_server'' || 127.0.0.1
|-
| ''smtp_port'' || 25
|-
| ''smtp_user/smtp_pass'' || enable ''Use Current IMAP username and password for SMTP authentication''
|-
| ''smtp_log'' || enable (optional, but gives additional log record)
|}

The other items can be left at default settings, or adjusted if desired.

* Follow the instructions in step 2 of the install to copy the files to the server
* You should now be able to get to roundcube at https://host.example.com/roundcube

* After its working, the INSTALL file recommends removing the install directory.

apk del roundcubemail-installer

* Disable installer mode in /etc/roundcube/main.inc.php file:

$rcmail_config['enable_installer'] = false;

* Change the ownership and permissions

cd /usr/share/webapps/roundcube
chown -R root:root LICENSE UPGRADING INSTALL README CHANGELOG
chmod -R 600 LICENSE UPGRADING INSTALL README CHANGELOG

* If needed customize logos such as '''watermark.gif''', '''roundcube_logo.gif''', '''favicon.ico'''

* If you would like to disable displaying of standard logos update template files accordingly

* Comment all entries like '''<div ... img src="/images/roundcube_logo.png"...''' in files:

includes/header.html
templates/error.html
templates/messageprint.html
templates/login.html
templates/printmessage.html

* Comment all entries like '''<img src="/images/watermark.gif"...''' in files:

templates/identities.html
templates/messageerror.html
watermark.html

==== Enable Plug-ins ====

RoundCube has various useful plug-ins, which could be found in ''/usr/share/webapps/roundcube/plugins'' directory. For example you may want to enable ''password'' plug-in to let users change their passwords directly from RoundCube using an extra Password Tab added to User Settings.

* Grant limited permissions for ''roundcube'' database role
psql -U postgres postfix
postfix=# GRANT UPDATE (password,modified) ON mailbox TO roundcube;
postfix=# GRANT SELECT (username) ON mailbox TO roundcube;
postfix=# GRANT INSERT ON log TO roundcube;
postfix=# \q

* Setup ''password'' plug-in parameters in ''/usr/share/webapps/roundcube/plugins/password/config.inc.php''
mv /usr/share/webapps/roundcube/plugins/password/config.inc.php.dist /usr/share/webapps/roundcube/plugins/password/config.inc.php
vi /usr/share/webapps/roundcube/plugins/password/config.inc.php

<pre>
$rcmail_config['password_minimum_length'] = 7;
$rcmail_config['password_require_nonalpha'] = true;
...
$rcmail_config['password_db_dsn'] = 'pgsql://roundcube:<roundcube_password>@localhost/postfix';
...
$rcmail_config['password_query'] = "UPDATE mailbox set password = %c, modified = NOW() where username = %u; INSERT INTO log (timestamp,username,domain,action,data) VALUES (NOW(),%u || ' (' || %h || ')',%d,'edit_password',%u)";
</pre>

* Enable ''password'' plug-in
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['plugins'] = array('password');
</pre>

* Enable ''create_default_folders'' for RoundCube
vi /usr/share/webapps/roundcube/config/main.inc.php

<pre>
...
$rcmail_config['create_default_folders'] = TRUE;
...
</pre>

=== OpenLDAP based Address Book ===

This OpenLDAP configuration uses the SQL backend, which represents information stored in PostgreSQL as an LDAP subtree for Address Book functionality for email lookups, user authentication or even replication account information between sites. This procedure uses some metainformation to translate LDAP queries to SQL queries, leaving relational schema untouched, which allows SQL and LDAP applications to inter-operate without replication, and exchange data as needed. The SQL backend uses UnixODBC to connect to PostgresSQL.

* Install OpenLDAP and ODBC

<pre>
apk add openldap libldap openldap-back-sql php-ldap unixodbc psqlodbc ca-certificates
</pre>

* Update "postfix" database (it will add 'id' columns to mailbox and domain tables, also will create tables and views to represent LDAP metainformation)

'''Note''': These instructions are for example domain example.com. So make sure you replaced all entries of 'example' and 'com' according to your domain name parts.

Put the following into a new file called '''script''':

<pre>
ALTER TABLE domain ADD COLUMN id SERIAL;
ALTER TABLE mailbox ADD COLUMN id SERIAL;

CREATE TABLE ldap_entry_objclasses (
entry_id integer NOT NULL,
oc_name character varying(64)
);

CREATE TABLE ldap_oc_mappings (
name character varying(64) NOT NULL,
keytbl character varying(64) NOT NULL,
keycol character varying(64) NOT NULL,
create_proc character varying(255),
delete_proc character varying(255),
expect_return integer NOT NULL
);

ALTER TABLE ldap_oc_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_oc_mappings ADD PRIMARY KEY (id);

CREATE TABLE ldap_attr_mappings (
oc_map_id integer NOT NULL REFERENCES ldap_oc_mappings(id),
name character varying(255) NOT NULL,
sel_expr character varying(255) NOT NULL,
sel_expr_u character varying(255),
from_tbls character varying(255) NOT NULL,
join_where character varying(255),
add_proc character varying(255),
delete_proc character varying(255),
param_order integer NOT NULL,
expect_return integer NOT NULL
);

ALTER TABLE ldap_attr_mappings ADD COLUMN id SERIAL;
ALTER TABLE ldap_attr_mappings ADD PRIMARY KEY (id);

CREATE VIEW ldap_dcs AS
((SELECT (domain.id + 100000) AS id,
('dc='::text || replace((domain.domain)::text, '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
100000 AS parent,
0 AS keyval,
domain.domain
FROM domain
WHERE domain.domain <> 'ALL')
UNION
(SELECT 100000 AS id,
('dc=' || regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS dn,
1 AS oc_map_id,
0 AS parent,
0 AS keyval,
(regexp_replace((domain.domain)::text, '.*\\.', ''::text)) AS domain
FROM domain
WHERE domain.domain <> 'ALL'
LIMIT 1));

CREATE VIEW ldap_entries AS
SELECT mailbox.id,
((('cn='::text || initcap(replace(split_part((mailbox.username)::text, '@'::text, 1), '.'::text, ' '::text))) || ',dc='::text) ||
replace(regexp_replace((mailbox.username)::text, '.*@', ''::text), '.'::text, ',dc='::text)) AS dn,
1 AS oc_map_id,
(SELECT ldap_dcs.id
FROM ldap_dcs
WHERE ((ldap_dcs.domain)::text = (mailbox.domain)::text)) AS parent,
mailbox.id AS keyval
FROM mailbox
UNION
SELECT ldap_dcs.id,
ldap_dcs.dn,
ldap_dcs.oc_map_id,
ldap_dcs.parent,
ldap_dcs.keyval
FROM ldap_dcs;
</pre>
'''''Question to experts: Is this normal to have in this script "WARNING: nonstandard use of \\ in a string literal"?'''''

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Fill out LDAP tables according to following example (make sure to separate values with TABs):

Put the following into a new file called '''script''':

<pre>
COPY ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) FROM stdin;
1 exampleBox mailbox id \N \N 1
\.
COPY ldap_attr_mappings (id, oc_map_id, name, sel_expr, sel_expr_u, from_tbls, join_where, add_proc, delete_proc, param_order, expect_return) FROM stdin;
1 1 displayName mailbox.name \N mailbox \N \N \N 3 0
2 1 mail mailbox.username \N mailbox \N \N \N 3 0
3 1 cn mailbox.name \N mailbox \N \N \N 3 0
4 1 userPassword '{CRYPT}'||mailbox.password \N mailbox \N \N \N 3 0
\.
</pre>

Finally, execute the commands in the file with:
cat script | psql -U postfix postfix
rm script

* Check that "ldap_dcs" view looks something like this:

<pre>
echo 'select * from ldap_dcs' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval | domain
--------+-----------------------------+-----------+--------+--------+--------------------
100000 | dc=com | 1 | 0 | 0 | com
100001 | dc=example,dc=com | 1 | 100000 | 0 | example.com
</pre>

* Check that "ldap_entries" view looks something like this:

<pre>
echo 'select * from ldap_entries' | psql -U postgres postfix
</pre>

<pre>
id | dn | oc_map_id | parent | keyval
--------+-------------------------------------------------------+-----------+--------+--------
1 | cn=address1,dc=example,dc=com | 1 | 100001 | 1
...
123 | cn=address123,dc=example,dc=com | 1 | 100001 | 1
100000 | dc=com | 1 | 0 | 0
100001 | dc=example,dc=com | 1 | 100000 | 0
</pre>

* Configure ODBC parameters

Edit /etc/odbc.ini:

<pre>
[PostgreSQL]
Description = Connection to Postgres
Driver = PostgreSQL
Trace = Yes
TraceFile = sql.log
Database = postfix
Servername = 127.0.0.1
UserName =
Password =
Port = 5432
Protocol = 6.4
ReadOnly = No
RowVersining = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
</pre>

Edit /etc/odbcinst.ini:

<pre>
[PostgreSQL]
Description = PostgreSQL driver for Linux
Driver = /usr/lib/psqlodbcw.so
Setup = /usr/lib/libodbcpsqlS.so
FileUsage = 1
</pre>

* Test ODBC connection

<pre>
echo "select * from domain;" | isql PostgreSQL postgres
</pre>

* Provide permission to certificate for LDAP server

<pre>
chown ldap /etc/lighttpd/server-bundle.pem
</pre>

* Edit LDAP schema

Edit /etc/openldap/schema/example.com.schema:

<pre>
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 2.16.840.1.113730.3.1.241
NAME 'displayName'
DESC 'RFC2798: preferred name to be used when displaying entries'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.2
NAME 'exampleBox'
DESC 'example.com mailbox'
MUST ( displayName $ mail $ userPassword )
)

# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
</pre>

* Configure LDAP server

Edit /etc/openldap/slapd.conf:

<pre>
include /etc/openldap/schema/example.com.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Uncomment next five TLS... lines if you want to use LDAPs (secured). Probably you don't want it...
#TLSCipherSuite HIGH
#TLSCACertificateFile /etc/lighttpd/ca-crt.pem
#TLSCertificateFile /etc/lighttpd/server-bundle.pem
#TLSCertificateKeyFile /etc/lighttpd/server-bundle.pem
#TLSVerifyClient never

# This is needed for proper representation of MD5-CRYPT format stored in database
# see more details in http://strugglers.net/~andy/blog/2010/01/23/openldap-and-md5crypt/
password-hash {CRYPT}
password-crypt-salt-format "$1$%.8s"

loglevel stats
moduleload /usr/lib/openldap/back_sql.so
sizelimit 3000

database sql

dbname PostgreSQL
dbuser postfix
dbpasswd *****

suffix "dc=example,dc=com"

upper_func "upper"
strcast_func "text"
concat_pattern "?||?"
has_ldapinfo_dn_ru no
lastmod off

access to attrs=userPassword by * auth

access to * by peername.ip=127.0.0.1 read
# by peername.ip=<IP>%<netmask> read
# by peername.ip=<IP> read
by users read
</pre>

* Set permissions for slapd.conf

<pre>
chown ldap:ldap /etc/openldap/slapd.conf
</pre>

* Configure startup parameters to make sure that LDAP server start AFTER PostgreSQL and listens on localhost with clear text and public IP with SSL. In case you uncommented TLS lines in slapd.conf use this string: OPTS="-h 'ldaps:// ldap://'"

Edit /etc/conf.d/slapd:

<pre>
rc_need="postgresql"
OPTS="-h 'ldap://'"
</pre>

* Start LDAP server

<pre>
rc-update add slapd default
/etc/init.d/slapd start
</pre>

* Configure LDAP client utilities. In case you uncommented TLS lines in slapd.conf replace ldap with ldaps

Edit /etc/openldap/ldap.conf

<pre>
BASE dc=example,dc=com
URI ldap://host.example.com

# Uncomment next three TLS... lines if you want to use LDAPs (secured). Probably you don't want it...
#TLS_CACERT /etc/lighttpd/ca-crt.pem
#TLS_CERT /etc/lighttpd/server-bundle.pem
#TLS_KEY /etc/lighttpd/server-bundle.pem
</pre>

* Test LDAP server

<pre>
ldapsearch -z 3
ldapsearch -z 3 -x -W -D cn=admin,dc=example,dc=com
ldapsearch -z 3 -x -W -D cn=address1,dc=example,dc=com
</pre>

* Configure RoundCube webmail for email lookups

In order to enable php-ldap support you need to restart lighttpd server

/etc/init.d/lighttpd restart

Edit /etc/roundcube/main.inc.php:

<pre>
$rcmail_config['ldap_debug'] = false;
...
$rcmail_config['address_book_type'] = 'sql';

$rcmail_config['ldap_public']['example.com'] = array(
'name' => 'example.com',
'hosts' => array('127.0.0.1'),
'port' => 389,
'use_tls' => false,
'user_specific' => false,
'base_dn' => 'dc=example,dc=com',
'bind_dn' => '',
'bind_pass' => '',
'writable' => false,
'LDAP_Object_Classes' => array("top", "exampleBox"),
'required_fields' => array("cn", "sn", "mail"),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(objectClass=*)', // Construct here any filter you need
'fuzzy_search' => true);

$rcmail_config['autocomplete_addressbooks'] = array('sql','example.com');
</pre>

* Fix PostfixAdmin to work with the new table definition

Edit /var/www/domains/example.com/www/postfixadmin/list-domain.php. Replace the line:
<pre>
SELECT domain.* , COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>
With the lines:
<pre>
SELECT domain.domain, domain.description, domain.aliases, domain.mailboxes,
domain.maxquota, domain.quota, domain.transport, domain.backupmx, domain.created,
domain.modified, domain.active, COUNT( DISTINCT mailbox.username ) AS mailbox_count
</pre>

== log rotation ==

Ensure the busybox cron service is started and is configured to auto-start:

/etc/init.d/cron start
rc-update add cron default

Add log rotate:

apk add logrotate

Edit ''/etc/logrotate.conf'' as desired, but the defaults should be sufficient for most people.

== Optional: Configure Web Server Virtual Domains ==

'''Note:''' These steps can be done ''in addition to'' the default lighttpd configuration above, which allows you to access the ACF, PostfixAdmin and Roundcube interfaces as subfolders of one web service.

'''Note:''' If you provide SSL access for multiple domain site you may need to follow http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL#SSL-on-multiple-domains in order to provide multi-domain certificates. If you would like to redirect hosts to their secure equivalents use the following instructions http://redmine.lighttpd.net/projects/lighttpd/wiki/HowToRedirectHttpToHttps.

This server hosts three separate web applications, and these can be handled as three ''different'' virtual domains on the same web server. They will be distinguished by their DNS names, so you can choose domains for the three separate services (or at least the ones you want to publish):

* ACF - Alpine Configuration Framework for managing the server
* PostfixAdmin - for managing the postfix installation
* RoundCube - for accessing individual mailboxes

Choose three different domains (from here on known as ACF_DOMAIN, POSTFIXADMIN_DOMAIN, and ROUNDCUBE_DOMAIN) and configure DNS for all three to point to the IP address of your host. These should be DNS '''A''' records.

Then, configure lighttpd to handle the three separate domains by editing /etc/lighttpd/lighttpd.conf:

<pre>
$HTTP["host"] == "ACF_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ACF_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "POSTFIXADMIN_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/POSTFIXADMIN_DOMAIN/"
simple-vhost.document-root = "www/"
}

$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
simple-vhost.server-root = "/var/www/domains/"
simple-vhost.default-host = "/ROUNDCUBE_DOMAIN/"
simple-vhost.document-root = "www/"
}
</pre>

And, then link the appropriate www directories.
<pre>
mkdir -p /var/www/domains/ACF_DOMAIN
ln -s /usr/share/acf/www /var/www/domains/ACF_DOMAIN/www

mkdir -p /var/www/domains/POSTFIXADMIN_DOMAIN
ln -s /var/www/domains/host.example.com/www/postfixadmin /var/www/domains/POSTFIXADMIN_DOMAIN/www

mkdir -p /var/www/domains/ROUNDCUBE_DOMAIN
ln -s /usr/share/webapps/roundcube /var/www/domains/ROUNDCUBE_DOMAIN/www
</pre>

== Optional: Enable compression in Lighttpd ==

* Uncomment ''mod_compress'' and ''mod_setenv'' and modify website section as follows

mkdir -p /var/lib/lighttpd/cache
chown lighttpd:lighttpd /var/lib/lighttpd/cache

vi /etc/lighttpd/lighttpd.conf

...
"mod_setenv",
"mod_compress",
...
$HTTP["host"] == "ROUNDCUBE_DOMAIN" {
...
static-file.etags = "enable"
etag.use-mtime = "enable"
$HTTP["url"] =~ "^/(plugins|skins|program)" { setenv.add-response-header = ( "Cache-Control" => "public, max-age=2592000") }
compress.cache-dir = var.statedir + "/cache/compress"
compress.filetype = ("text/plain", "text/html", "text/javascript", "text/css", "text/xml", "image/gif", "image/png")
}

[[Category:Mail]]
[[Category:PHP]]
[[Category:SQL]]
[[Category:ACF]]