Howtos for Gentoo Linux (last version created: Fri Mar 17 10:17:13 CET 2017)

Up-to-date Howto(s) and Documentation(s) for Gentoo Linux.

What is special about this documentation is that it is generated automatically from my running system, so it is always up to date.
Furthermore, this Howto is built modularly. The Howtos are sorted in alphabetical order, and every topic lists its dependencies. For example, you have to finish the Webserver Howto before building web-based statistics.

I hope to give something back to the community with this document.

Please enjoy and send any ideas, wishes or advancements to: doc<at>gabosh.net

License

Copyright (C) 2008-2017 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto listing

ARP monitoring
Asterisk as SIP PBX
Automatic System Documentation
Backup
Basesystem
DHCP-Server
DNS
Distcc Client
DynDNS
File deduplication
File-Server - Samba
Firewall
HD-Spindown
Horde Groupware Webmail
IMAP/POP3-Server
Instant Messaging alternative Jabber
Mailinglists with MailMan
Mailserver
MySQL-Server
Network Sound Server
OpenLDAP
OpenLDAP Groups in Groups
OpenLDAP System authentication
OpenLDAP WebGUI phpldapadmin
Printserver
Rename files recursively
Rsync Server
SSL/TLS with self signed SSL Certificate
Sane Scanner Server
Save passwords encrypted
Server for thinclients
Sort files alphabetical
Statistics
Stopping brute-force-attacks with fail2ban
Thinclient - Basesystem
Thinclient - Install on local device
Thinclient - Kernel-based Virtual Machine - KVM
Thinclient - Profiling
Thinclient - Thinclient as Server
Thinclient - Wireless LAN
Thinclient - X-Server
Time-Server
VPN-Client
VPN-Server
WLAN Access Point
Webserver

ARP monitoring

This is a small tool that informs "root" about new MAC addresses in the network via syslog and mail, so it monitors which computers are active in your network.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-analyzer/arpwatch

Changes in /etc/conf.d/arpwatch

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 09.03.08
Issued by olli
Beginning line 5

The interfaces arpwatch should watch. OPTIONS="-N" additionally disables the reporting of bogons (addresses that are not local to the watched network).


Before change
IFACES="eth0"
After change
IFACES="eth0 wlan0"
OPTIONS="-N"
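As an added illustration (not part of the original howto), the following Python snippet shows how the syslog messages arpwatch produces for the configuration above can be checked against an allow-list of known hosts, so that "root" gets a short alert list instead of every raw message. The log excerpt, the host list and the alert names are constructed for this example; the three message shapes ("new station", "changed ethernet address", "flip flop") are the ones arpwatch logs.

```python
import re

# Constructed sample syslog excerpt; hosts and addresses are invented for this example.
SAMPLE_LOG = """\
Mar 17 10:17:13 gw arpwatch: new station 192.168.1.20 0:11:22:33:44:55 eth0
Mar 17 10:17:40 gw arpwatch: new station 192.168.1.99 8:0:27:ab:cd:ef eth0
Mar 17 10:18:02 gw arpwatch: changed ethernet address 192.168.1.1 8:0:27:ab:cd:ef (0:1:2:3:4:5) eth0
Mar 17 10:18:09 gw arpwatch: flip flop 192.168.1.1 0:1:2:3:4:5 (8:0:27:ab:cd:ef) eth0
Mar 17 10:18:15 gw arpwatch: flip flop 192.168.1.1 8:0:27:ab:cd:ef (0:1:2:3:4:5) eth0
Mar 17 10:18:22 gw arpwatch: flip flop 192.168.1.1 0:1:2:3:4:5 (8:0:27:ab:cd:ef) eth0
Mar 17 10:19:00 gw sshd[1234]: Accepted publickey for olli from 192.168.1.20
"""

# Allow-list of hosts expected on the segment (constructed), IP -> MAC.
KNOWN_HOSTS = {
    "192.168.1.1": "00:01:02:03:04:05",    # the gateway
    "192.168.1.20": "00:11:22:33:44:55",   # a workstation
}

EVENT = re.compile(
    r"arpwatch: (?P<kind>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9A-Fa-f:]+)(?: \((?P<old>[0-9A-Fa-f:]+)\))? (?P<iface>\S+)$"
)


def normalize_mac(mac):
    """arpwatch prints MACs without leading zeros (8:0:27:..); zero-pad for a stable comparison."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def analyze(log, known, flipflop_threshold=3):
    """Return (alert, ip, mac, iface) tuples for the events worth a look.

    unknown-device    a station appeared that is not on the allow-list
    address-mismatch  a listed IP showed up with a MAC other than the listed one
    address-change    a listed IP switched to a MAC other than the listed one
                      (reconfigured host, or someone answering ARP for that address)
    flip-flop-storm   an IP keeps alternating between two MACs (threshold reached once)
    """
    alerts = []
    flipflops = {}
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an arpwatch event line
        kind, ip, iface = m["kind"], m["ip"], m["iface"]
        mac = normalize_mac(m["mac"])
        expected = known.get(ip)
        if kind == "new station":
            if expected is None:
                alerts.append(("unknown-device", ip, mac, iface))
            elif expected != mac:
                alerts.append(("address-mismatch", ip, mac, iface))
        elif kind == "changed ethernet address":
            if expected != mac:
                alerts.append(("address-change", ip, mac, iface))
        elif kind == "flip flop":
            flipflops[ip] = flipflops.get(ip, 0) + 1
            if flipflops[ip] == flipflop_threshold:
                alerts.append(("flip-flop-storm", ip, mac, iface))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_HOSTS):
        print(*alert)
```

Running the block against the sample prints three alerts: the unlisted 192.168.1.99, the gateway address answered by a foreign MAC, and the flip-flop storm on the same address once the third alternation is seen.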

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add arpwatch default

Please send a feedback to: doc<at>gabosh.net


Asterisk as SIP PBX

Changes in /etc/asterisk/rtp.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--


Changed on 04.03.17
Issued by olli
Beginning line 10

Only a few RTP ports (the firewall has to be opened/forwarded for 5060/udp and for these ports/udp).


Before change
;rtpstart=10000
;rtpend=20000
After change
rtpstart=5000
rtpend=5040
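Added example, not from the original page: a small Python helper that reads the rtpstart/rtpend values from an rtp.conf like the one above and derives the firewall openings the note refers to. The sample file content, the interface name and the iptables rule shape are assumptions made for this example; the even/odd port convention is the usual RTP/RTCP pairing.

```python
# Sample rtp.conf content constructed for this example (same values as on the page).
SAMPLE_RTP_CONF = """\
[general]
; old, very wide range kept as a comment
;rtpstart=10000
;rtpend=20000
rtpstart=5000
rtpend=5040
"""

SIP_PORT = 5060  # SIP signalling port the note above says must be open as well


def parse_rtp_range(text):
    """Return (rtpstart, rtpend) from rtp.conf text; ';' starts a comment in Asterisk config files."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments, so ';rtpstart=10000' is ignored
        if "=" not in line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    start, end = int(values["rtpstart"]), int(values["rtpend"])
    if not (1024 <= start < end <= 65535):
        raise ValueError(f"implausible RTP range {start}-{end}")
    if start <= SIP_PORT <= end:
        raise ValueError("RTP range must not overlap the SIP port")
    return start, end


def media_streams(start, end):
    """RTP is placed on an even port with RTCP on the following odd one, so the number of
    concurrent media streams the range allows is the number of even ports in it."""
    first_even = start if start % 2 == 0 else start + 1
    return 0 if first_even > end else (end - first_even) // 2 + 1


def firewall_rules(start, end, iface="eth0"):
    """iptables rules (assumed rule shape) opening SIP and the RTP range on the given interface."""
    return [
        f"iptables -A INPUT -i {iface} -p udp --dport {SIP_PORT} -j ACCEPT",
        f"iptables -A INPUT -i {iface} -p udp --dport {start}:{end} -j ACCEPT",
    ]


if __name__ == "__main__":
    s, e = parse_rtp_range(SAMPLE_RTP_CONF)
    print(f"{media_streams(s, e)} concurrent media streams")
    print("\n".join(firewall_rules(s, e)))
```

Keeping the range this small is what makes the firewall opening manageable; the helper refuses ranges that would swallow the SIP port or fall into the privileged range.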


Automatic System Documentation

This howto shows the Perl script(s) that automatically create my system documentation with all changes in all config files. This page has been generated with them as well.

If you want to use this solution you need the following howto(s) finished:

Changes in /etc/local.d/services.start

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x


Changed on 13.01.09
Issued by olli
Beginning line 6

Start the changedocd-daemon at system boot.

#/usr/local/bin/changedocd.pl

Changes in /usr/local/bin/changedocd.pl

File permissions:
Owner: root
Group: apache
Permissions: -rwxr-x---


Changed on 27.04.10
Issued by olli
Beginning line 2

This is the daemon that takes the data from the CGI and changes the comments directly in the config files.

#!/usr/bin/perl


# Daemon start
use Proc::Daemon;
Proc::Daemon::Init;
use Net::SMTP;

# Poll /tmp/changedoc, which the CGI writes. Its first line is either a line number
# (then: "<line number>\n<file>\n<comment>" to replace the comment behind ||| on that line of the
# config file) or a howto name (then the remaining lines are the new description of that howto).
while (1) {
$before="";
$after="";
$intro="";
if (-f "/tmp/changedoc") {
 open(CHANGE, "</tmp/changedoc");
 @change=<CHANGE>;
 close(CHANGE);
 
 if ($change[0] =~ /^[0-9]+$/) {

 foreach $line (@change) {
   chomp ($line);
 }
  $linenr=$change[0];
  $file=$change[1];
  $comment=$change[2];
 
  open(FILE, "<$file");
  @file=<FILE>;
  close(FILE);
  $linecount=1;
  #print "<br>$linenr<br>";
  foreach $line (@file) {
   if (($line=~/\|\|\|/) && ($linenr==$linecount)) {
    $found=1;
    $before=$line;
    $line=~s/(.+)\|\|\|.+$/$1|||$comment/;
    $after=$line;
   }
   $linecount++;
  }
  #print "\n$file";
  open(NFILE, ">$file");
  print NFILE @file;
  close(NFILE);
  $mailtxt="Hi,

change in file $file on line $linenr
Before change: 
$before

------------------------------------------

After change:
$after

Bye $0
";
  $mail_pass=`gtc-crypt -a admin -p`;
  chomp($mail_pass);
  $smtp = Net::SMTP->new('localhost') || warn ("Could not connect to Mailserver on localhost\n$!");
  $smtp->auth('admin', $mail_pass ) || warn ("Could not authenticate to Mailserver\n$!");
  $mail_pass="";
  $smtp->mail('mail@example.com') || warn ("Could not enter sender address\n$!");
  $smtp->to('mail@example.com') || warn ("Could not enter recipient\n$!");
  $smtp->data() || warn ("Could not open data channel\n$!");
  $smtp->datasend("To: olli\@example.com\n") || warn ("Could not send header\n$!");
  $smtp->datasend("Subject: Change in $file\n") || warn ("Could not send header\n$!");
  $smtp->datasend("\n") || warn ("Could not send header\n$!");
  $smtp->datasend("$mailtxt") || warn ("Could not send body\n$!");
  $smtp->dataend() || warn ("Could not close data channel\n$!");
  $smtp->quit || warn ("Could not close connection\n$!");
 }
 else {
  $howto=$change[0];
  chomp($howto);
  $change[0]="";
  foreach $line (@change) {
   $intro=$intro . $line;
  }
  $after=$intro;

  open(INTRO, "</usr/local/etc/sysdoc/topics");
  @intro=<INTRO>;
  close(INTRO);
  $set=0;
  $next=0;
  $found=0;
  #print "$howto";
  foreach $line (@intro) {
   if ($next) {
    #print "next is set\n";
    #print "Line: $line";
    if ($line=~/\|\|\|/) {
     #print "next becomes false\n";
     $next=0;
     next;
    }
    if ($set) {
     #print "SET is set\n";
     $before="$before$line";
     $line="";
     next;
    }
    else {
     #print "ELSE\n";
     $found=1;
     $before=$line;
     $line="$intro\n";
     #print "Line $line";
     $set=1;
    }
   }
   if ($line=~/^\|\|\|$howto\|\|\|/) {
    $next=1;
    #print "Howto found";
   }
  }
  if ($found) {
   open(INTRO, ">/usr/local/etc/sysdoc/topics");
   foreach $line (@intro) {
#    while ($line =~ /\n$/) {
     $line=~s/^\n//;
     $line=~s/^\n$//;
#    }
    print INTRO $line;
   }
   close(INTRO);
  }
  $mailtxt="Hi,

change in Howto describtion for $howto
Before change:
$before

----------------------------

After change:
$after

Bye $0
";
  $mail_pass=`gtc-crypt -a admin -p`;
  chomp($mail_pass);
  $smtp = Net::SMTP->new('localhost') || warn ("Could not connect to Mailserver on localhost\n$!");
  $smtp->auth('admin', $mail_pass ) || warn ("Could not authenticate to Mailserver\n$!");
  $mail_pass="";
  $smtp->mail('mail@example.com') || warn ("Could not enter sender address\n$!");
  $smtp->to('mail@example.com') || warn ("Could not enter recipient\n$!");
  $smtp->data() || warn ("Could not open data channel\n$!");
  $smtp->datasend("To: olli\@example.com\n") || warn ("Could not send header\n$!");
  $smtp->datasend("Subject: Change in Howto describtion\n") || warn ("Could not send header\n$!");
  $smtp->datasend("\n") || warn ("Could not send header\n$!");
  $smtp->datasend("$mailtxt") || warn ("Could not send body\n$!");
  $smtp->dataend() || warn ("Could not close data channel\n$!");
  $smtp->quit || warn ("Could not close connection\n$!"); 
 }
 system("/usr/local/bin/sysdoc.pl fast");
 unlink("/tmp/changedoc");
}
sleep 1;
}

Changes in /usr/local/bin/sysdoc.pl

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x


Changed on 27.04.10
Issued by olli
Beginning line 2

This is the script that creates the search-engine-optimized, W3C-validated HTML documentation, including a Google sitemap, meta tags derived from the headline, robots.txt, complete.html with all docs on one page, ...
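As an added example (not code from the page or from the sysdoc scripts), the following Python block demonstrates the two things the script does with every config file it documents: it parses the `before|||date|||editor|||topic|||comment` ... `after` ... `----` marker blocks into change records, and it redacts secrets and identifying addresses before a copy of the file is published. The sample config, the redaction patterns, the placeholder strings and the dictionary layout are constructed for this example; only `#` and `;` comment prefixes are handled.

```python
import re

# Constructed sample config carrying the marker grammar: a comment line
# "<prefix> before|||<date>|||<editor>|||<topic>|||<comment>", the old lines kept commented out,
# "<prefix> after", the new lines, and "<prefix> ----" closing the block. All values are invented.
SAMPLE_CONF = """\
# some defaults
# before|||09.03.08|||olli|||ARP monitoring|||The interfaces arpwatch should watch.
# IFACES="eth0"
# after
IFACES="eth0 wlan0"
OPTIONS="-N"
# ----
admin_mail=olli@gabosh.net
listen=192.168.1.10
bind=0.0.0.0
psk="correct horse battery staple"
userPassword: {SSHA}c2FsdHNhbHRzYWx0
hwaddr=0:11:22:33:44:55
"""

MARKER = re.compile(r"^\s*[#;]\s*before\|\|\|(?P<date>[^|]*)\|\|\|(?P<editor>[^|]*)"
                    r"\|\|\|(?P<topic>[^|]*)\|\|\|(?P<comment>.*)$")
AFTER = re.compile(r"^\s*[#;]\s*after\s*$")
END = re.compile(r"^\s*[#;]\s*----\s*$")

# Redaction rules, applied in this order: hashes and secret values first, then addresses.
REDACTIONS = [
    (re.compile(r"\{SSHA\}\S+"), "{SSHA}XXXXXXXX"),
    (re.compile(r"\b(psk|wpa_passphrase|password)\s*=\s*(?:\"[^\"]*\"|'[^']*'|\S+)", re.I), r"\1=XXXXXXXX"),
    (re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]+"), "mail@example.com"),
    (re.compile(r"\b(?:[0-9A-Fa-f]{1,2}:){5}[0-9A-Fa-f]{1,2}\b"), "XX:XX:XX:XX:XX:XX"),
]
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
KEEP_IPS = {"0.0.0.0", "127.0.0.1"}   # not identifying, so left untouched (as the script does)


def redact(line):
    """Replace secrets and identifying addresses in one config line with placeholders."""
    for pattern, repl in REDACTIONS:
        line = pattern.sub(repl, line)
    return IPV4.sub(lambda m: m.group(0) if m.group(0) in KEEP_IPS else "XXX.XXX.XXX.XXX", line)


def publish(text):
    """The file content that would be copied to the web tree: every line redacted except the
    before-marker lines themselves, which carry only metadata and are skipped by the filter."""
    return "\n".join(raw if MARKER.match(raw) else redact(raw) for raw in text.splitlines()) + "\n"


def parse_changes(text):
    """Extract the documented change blocks, with before/after lines already redacted."""
    changes, current, state = [], None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = MARKER.match(raw)
        if m:
            current = {"line": lineno, "date": m["date"].strip(), "editor": m["editor"].strip(),
                       "topic": m["topic"].strip() or "not defined",
                       "comment": m["comment"].strip(), "before": [], "after": []}
            state = "before"
            continue
        if current is None:
            continue  # outside a marked block
        if AFTER.match(raw):
            state = "after"
        elif END.match(raw):
            changes.append(current)
            current, state = None, None
        elif state == "before":
            # the old lines stay commented out in the live file; drop that comment prefix
            current["before"].append(redact(re.sub(r"^\s*[#;] ?", "", raw)))
        else:
            current["after"].append(redact(raw))
    return changes


if __name__ == "__main__":
    for change in parse_changes(SAMPLE_CONF):
        print(change)
    print(publish(SAMPLE_CONF))
```

Because the redaction runs on both the published copy and the extracted before/after lines, a secret that sits inside a documented change cannot leak through the rendered howto either.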

#!/usr/bin/perl

# Path where the web pages should be placed
$webpath="/var/www/doc.example.com/htdocs";

# Imprint:
$impr='<h1>About / Impressum</h1>
<a href="impr.html">Click here for About / Impressum</a>
<h1>Wishlist</h1>
If you want to support my work you can find my Amazon whishlist <a href="http://www.amazon.de/registry/wishlist/308SONKPDDDT2">here</a>
';


# Advertising
$ad="";

# If "fast" is passed as an argument, only re-read the files that were already read last time.
if ($ARGV[0] eq "fast") {
 print "Not searching for new files!!!\n";
 # Copies of the files analysed last time are in the directory $webpath/files - sort alphabetically
 @files=`find $webpath/files/ -type f | sort`;
 # Cut $webpath/files/ out of the @files elements so that only the file names remain.
 foreach $f (@files) {
  $f=~s/^$webpath\/files//;
 }
}
else {
# If "fast" was not passed, use these search paths - sort alphabetically:
 @files=`find /boot/grub/grub.cfg /etc /var/bind /gtc/test/etc /usr/local/bin /usr/local/sbin /usr/local/etc /var/www/www.example.com/htdocs/intern/phpldapadmin/config /gtc/pxe/pxelinux.cfg /var/www/horde.example.com/htdocs/config /var/www/horde.example.com/htdocs/imp/config /var/www/horde.example.com/htdocs/ingo/config /var/www/horde.example.com/htdocs/kronolith/config /var/www/horde.example.com/htdocs/mnemo/config /var/www/horde.example.com/htdocs/nag/config /var/www/horde.example.com/htdocs/passwd/config /var/www/horde.example.com/htdocs/turba/config /var/www/doc.example.com/cgi-bin /var/www/doc.example.com/htdocs/howto.css -type f | grep -v 'etc/thinclient/profiles' | sort`;
}

# Data for the meta tags (search engine optimisation)
$metaauthor="Oliver Bohlen";
$metashortdescr="Up-to-date Howto(s) and Documentation(s) for Gentoo Linux.";
# URL under which the website is reached
$url="http://doc.example.com";


$jahr=`date +%Y`;
chomp($jahr);
# License information
$license="
  <h1>License</h1>
  <p>Copyright (C) 2008-$jahr $metaauthor.</p>
  <p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.</p><p>
A copy of the license is included in the section entitled \"<a href=\"/license/fdl.html\">GNU Free Documentation License</a>\".</p>
  <h1>Introduction</h1>
  <p>This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.</p>
";

# Date for the Google sitemap in its special format. (search engine optimisation)
$sitemapdate=`date +\%Y-\%m-\%d`;
chomp($sitemapdate);
# Header for the sitemap
$sitemap='<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
';
$sitemap.=" <url>
  <loc>$url/</loc>
  <lastmod>$sitemapdate</lastmod>
  <changefreq>monthly</changefreq>
  <priority>0.2</priority>
 </url>";

# Get the creation date
$createdate=`date`;
chomp($createdate);
# Creation date for the meta tags in its special format (search engine optimisation)
# (the original format string repeated %m and had no day, hour or minute; an ISO 8601 timestamp is meant)
$metadate=`date +\%Y-\%m-\%dT\%H:\%M:\%S\%:z`;
chomp($metadate);
# End of the title for every page
$htmltitle="for Gentoo Linux";
# Doctype for a clean HTML specification
$doctype='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
        "http://www.w3.org/TR/html4/strict.dtd">';
# Delete the "old" file versions
`rm -rf $webpath/files/*`;
# Walk the list of configuration files.
foreach $file (@files) {
 chomp($file);
 # ignore libpicker.pl ???
 if ($file =~ /libpicker.pl/) { next }
 # Only read files whose type is text or XML, i.e. text files
 # (the original put the alternatives inside [...], a character class; a group is meant)
 if (`file -b $file` =~ /(text|XML|text, with very long lines)\n$/) {
  # Reset the line counter to 0 (because of previous iterations)
  $linenr=0;
  # Open the configuration file and store it line by line in the array @lines
  open(CONF, "<$file");
  @lines=<CONF>;
  close(CONF);
  # Initialise the file-content variable, i.e. clear it from any previous iteration.
  $filecontent="";
  # Reset the flag telling whether this file contains the start of a change from the default (before marker), because of previous iterations.
  $ischangefile=0;
  # Walk the lines of the configuration file.
  foreach $line (@lines) {
   # If the line does not carry a before marker, filter certain key strings, i.e. replace them with dummy values
   unless ($line=~/before\|\|\|.*\|\|\|.*\|\|\|/) {
    # Filtering of passwords, phone numbers etc. out of the configuration files. - These filters could be kept in a separate file
    # Note: this script documents itself, so its own filter ran over this copy of the source. Wherever a
    # substitution shows the same placeholder on both sides (e.g. vpn-server-hostname), the real value on
    # the left-hand side was replaced by its placeholder, and a few lines were truncated outright; those
    # are commented out below so that the script stays syntactically valid.
    #----------- FILTER -----------
    $line=~s/dyndns.kontent.com\/ipchange.php\?domain=example.com.*$/URL/g;
    $line=~s/vpn-server-hostname/vpn-server-hostname/g;
    $line=~s/DIALPREFIX/DIALPREFIX/g;
    $line=~s/3619828[0-9]/PHONENUMBER/g;
    $line=~s/MOBILEPHONENUMBER/MOBILEPHONENUMBER/g;
    $line=~s/[a-z-]+\@[a-z-\.]+/mail\@example.com/g;
    $line=~s/relay.mail.server/relay.mail.server/g;
    $line=~s/DeviceURI smb\:\/\/.*$/DeviceURI smb\:\/\/user\:password\@server\/printername/;
    # Escape & before inserting the entities below, otherwise they would be turned into &amp;auml; etc.
    # (this copy of the page showed the entities literally, which is exactly that breakage)
    $line=~s/&/&amp;/g;
    # Umlauts to HTML entities (this copy showed the entity on both sides because the filter had already run over it)
    $line=~s/ä/&auml;/g;
    # (truncated by this script's own filter when the page was generated; original pattern not recoverable)
    # $line=~s/whitelist_from mail@example.com
    $line=~s/ö/&ouml;/g;
    $line=~s/ü/&uuml;/g;
    $line=~s/Ä/&Auml;/g;
    $line=~s/Ö/&Ouml;/g;
    $line=~s/Ü/&Uuml;/g;
    $line=~s/ß/&szlig;/g;
    $line=~s/gabosh\.net/example\.com/g;
    $line=~s/dc=example,dc=com/dc=example,dc=com/g;
    $line=~s/my.lan.ip.addr/my.lan.ip.addr/g;
    $line=~s/my.lan.network.ip/my.lan.network.ip/g;
    $line=~s/my.default.route.ip/my.default.route.ip/g;
    $line=~s/my.dmz.ip.addr/my.dmz.ip.addr/g;
    $line=~s/my.dmz.network.ip/my.dmz.network.ip/g;
    $line=~s/my.ip.as.vpn-client/my.ip.as.vpn-client/g;
    $line=~s/my.network.as.vpn-client/my.network.as.vpn-client/g;
    # (the next four lines were truncated by the filter; original patterns not recoverable)
    # $line=~s/conf_passwdkey="12345678901234567890123456789012";
    # $line=~s/conf_passwdfile="/path/for/passwd/dbfile";
    # $line=~s/conf_passwddiv='1234567890123456'
    # $line=~s/wpa_passphrase=secret
    $line=~s/\{SSHA\}.*$/\{SSHA\}XXXXXXXXXXXXXXXXXXXXXXXXX/;
    $line=~s/^\$key\=\"31894.*/\$key\=\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\"\;/;
    # (truncated by the filter; original pattern not recoverable)
    # $line=~s/psk="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    $line=~s/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/g;
    $line=~s/\/usr\/local\/sbin\/gentoolydyndns.sh/ez-ipupdate -q -a `wget -q -O - http:\/\/getip.dyndns.org | sed -e "s\/^.*: \/\/" -e "s\/<.*\$\/\/"` -S dyndns-custom -h yourhostname.dyndns.org -m yourmailmx.example.com -u dyndnsuser:dyndnspass`/g;
    # (truncated by the filter; original pattern not recoverable)
    # $line=~s/password'] = 'XXXXXXXX'
    # Mask IPv4 addresses, except 0.0.0.0, 127.0.0.1 and dotted quads followed by another dot (reverse zone names)
    unless (($line=~/0\.0\.0\.0/) || ($line=~/127\.0\.0\.1/) || $line=~/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\./) {
     $line=~s/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/XXX\.XXX\.XXX\.XXX/g;
    }
    $line=~s/23\.172/XXX.XXX/g;
    $line=~s/1\.1\.10/XXX.XXX.XXX/g;
    $line=~s/1\.168\.192/XXX.XXX.XXX/g;
    # Mask the leading octets of PTR records in reverse zones
    if ($line=~/^[0-9]+\.[0-9]+.*IN.*PTR/) {
     $line=~s/^[0-9]+\.[0-9]+/XXX.XXX\t/;
    }
    if ($line=~/^[0-9]+.*IN.*PTR/) {
     $line=~s/^[0-9]+/XXX\t/;
    }
    # Drop comment lines from zone files, except the change markers
    if (($file=~/\/var\/bind\/zones\//) && ($line=~/^\;/) && ($line!~/^\; before/) && ($line!~/^\; after/) && ($line!~/^\; \-\-\-\-/)) { $line="" }
    # Mask MAC addresses
    $line=~s/..\:..\:..\:..\:..\:../XX\:XX\:XX\:XX\:XX\:XX/g;
    # (truncated by the filter; original patterns not recoverable)
    # $line=~s/username_ppp0='provideruser'
    # $line=~s/password_ppp0='providerpass'
    #----------- FILTER END -----------
   }
   # Append the line to the file-content variable after filtering.
   $filecontent.=$line;
   # Increment the line number
   $linenr++;
   # Remove the newline (\n) from the line
   chomp($line);
   # Copy the line for further checks...???
   $cline=$line;
   # If this is an end marker of a change and the doc flag is set, i.e. it really is a change, then end the output to the documentation here.
   if ((($line =~ /# \----/) || ($line =~ /; \----/) || ($line =~ / \----$/) || ($line =~ /\<!-- END --\>/) || ($line =~ /\%\% \----$/)) && ($doc)) {
    # HTML code to end the change display.
    $topics{$topic}.="</pre>\n <br>\n";
    # From now on this is no longer a part that has to be documented, because the end of the change was reached.
    $doc=0;
    # Continue with the next line...
    next;
   }
   # If we are on a line that belongs to a region to be documented, i.e. after the before line, then...
   if ($doc) {
    # ... and if the line contains an after with nothing following it ...
    if ($line =~ / after$/) {
     # ... and if this is a file change in which an existing line was changed ...
     if ($noprintafterchange) {
      # ... then insert the After-change marker into the documentation
      $topics{$topic}.="</pre>\n  After change<pre class=\"after\">\n";
     }
     else {
      # otherwise insert it into the documentation without the After-change marker
      $topics{$topic}.="  <pre class=\"after\">\n";
     }
     # Set the flag marking that the after line has been passed - from now on comes the changed state, no longer the old one.
     $nachher=1;
     # Continue with the next line...
     next;
    }
    # So this is the region between before and ----, but not the after line
    # A few HTML-standard-conforming adjustments for special characters
    $line =~ s/</\&lt;/g;
    $line =~ s/>/\&gt;/g;
    # If this is content between before and after, delete the additional comment characters at the start of the line.
    unless ($nachher) {
     $line=~s/^# //;
     $line=~s/^; //;
    }
    # Add the line to the documentation of this topic
    $topics{$topic}.="$line\n";
    # Continue with the next line....
    next;
   }
   # If the line contains echo<SOMETHING>before, continue with the next line...???
   if ( $cline =~ /echo.*before/ ) { 
   # $topics{$topic}.="$line\n";
    next;
   }
   # If this is a before line.
   if ( $cline =~ / before\|\|\|/) {
    # Mark the file as changed.
    $ischangefile=1;
    # Mark that the after line has not been passed yet.
    $nachher=0;
    # Split the line at the ||| separators
    @line=split(/\|\|\|/, $cline);
    # Get the date of this change from the split.
    $date=$line[1];
    # Remove any blanks from the date
    $date=~s/[ ]+//g;
    # Remove a leading #, <!-- or ; if present...? (the original used a character class; a group is meant)
    $date=~s/^(#|<!--|;)//; 
    # Get the person who made this change from the split.
    $editor=$line[2];
    # Get the topic this change belongs to from the split.
    $topic=$line[3];
    # Get the comment on this change from the split.
    $comment=$line[4];
    # If topic is not set, set it to "not defined"
    $topic="not defined" unless $topic;
    # Join file and topic in order to ...
    $filetopic=$file . $topic;
    # ... check whether there already was a change for this topic in this file, so that the data about the file itself is not listed several times per topic
    if ($oldfiletopic ne $filetopic) {
     # ... determine data about the file and add it to the documentation as HTML code
     # Get owner/group and access rights of the file
     $rights=`ls -ld $file`;
     @rights=split(/ /, $rights);
     # Create the header with information about the file and the link for viewing the complete file 
     $topics{$topic}.="  <h2><a class=\"h2link\" name=\"$file-$topic\">Changes in $file</a></h2>
  <p><i>File permissions:</i> <br>
  <b>Owner</b>: $rights[2]<br>
  <b>Group</b>: $rights[3]<br>
  <b>Permissions</b>: $rights[0]<br>
  </p>
  <p><a download href=\"http://doc.example.com/files$file\">Click here for a download of the complete file: $file</a></p>\n";
     # Create a file entry on the start page for the file index
     $index .= "  <a href=\"#$file-$topic\">$file ($topic)</a><br>\n";
     # Because the HTML file for the topic should, for search engine optimisation, be named like the topic itself, the topic name is taken over with a few restrictions (special characters in file names are awkward in international browsers) 
     $topic_file=$topic;
     # Convert all non-Latin-alphanumeric characters to _
     $topic_file=~s/[^a-zA-Z0-9]/_/g;
     # Collapse runs of _ into a single _.
     $topic_file=~s/_+/_/g;
     # Marker in HTML code for direct links from the start page (index.html) to the file in the respective documentation/howto
     $pindex .= "  <a href=\"http://doc.example.com/howto_$topic_file.html#$file-$topic\">$file ($topic)</a><br>\n";
    }
    # HTML code with information about the change.
    $topics{$topic}.="  <i class=\"small\">Changed on $date</i><br>
  <i class=\"small\">Issued by $editor</i><br>
  <i class=\"small\">Beginning line $linenr</i><br>
  <!-- $file|||$linenr --><p class=\"comment\">$comment</p>\n";
    # By default assume this is not a change of an existing line
    $noprintafterchange=0;
    # If the next line contains an after, then it is an added line after all and not a change of an existing line
    unless ($lines[$linenr] =~ /after$/) {
     # ... insert the Before change heading in order to output the line(s) that were changed.
     $topics{$topic}.="  <br>Before change<pre class=\"before\">\n";
     # set the corresponding flag, i.e. that this is a change of an existing line.
     $noprintafterchange=1;
    } 
    # Set oldfiletopic to compare with the next change
    $oldfiletopic=$file . $topic;
    # Mark that the documentation of the change begins here
    $doc=1;
   }
  }
  # Write the filtered copy of every file that carries change markers below $webpath/files
  if ($ischangefile) {
   print "$file\n";
   $path=$file;
   @pathparts=split(/\//, $path);
   pop(@pathparts);
   $path="";
   foreach $pathpart (@pathparts) {
    $path.="/$pathpart";
   }
   $path=~s/^\/\//\//;
   `mkdir -p $webpath/files$path`;
   open(FILE, ">$webpath/files$file") || warn "Konnte Datei $webpath/files$file nicht öffnen";
   print FILE $filecontent;
   close(FILE);
  }
 }
}

$topics="  <h1><a class=h1link name=howtos>Howto listing</a></h1>\n";
$itopics="  <h1><a class=h1link name=howtos>Howto listing</a></h1>\n";
#`rm -rf $webpath/howto_*`;
foreach $topic (sort keys %topics) {
 $content .= "  <h1><a class=\"h1link\" name=\"t-$topic\">$topic</a></h1>\n";
 $metakeywords.="$topic, ";
 $tfile="$doctype
<html>
 <head>
  <title>Howto: $topic $htmltitle</title>
  <meta name=\"description\" content=\"$topic - $metashortdescr\">
  <meta name=\"date\" content=\"$metadate\">
  <meta name=\"author\" content=\"$metaauthor\">
  <meta name=\"keywords\" content=\"$topic, howto, documentation, gentoo, linux, up to date, up-to-date, new\">
  <meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\">
  <meta name=\"robots\" content=\"all\">
  <meta http-equiv=\"expires\" content=\"0\">
  <link rel=\"stylesheet\" type=\"text/css\" href=\"/howto.css\">
 </head>
 <body><div class=\"frame\">
  $ad
  $license
  <h1>Howto: $topic $htmltitle</h1>\n ";
 open (TOPICSFILE, "</usr/local/etc/sysdoc/topics");
 @topicsfile=<TOPICSFILE>;
 close(TOPICSFILE);
 $topicfile_desc=0;
 $topicdesc="";
 $topicfile_deps="";
 $topicfile_hw="";
 $topicfile_sw="";
 $topicfile_service="";
 $topicfile_topic="";
 if ($topic =~ /^Thinclient - /) {
  $prefix="chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && ";
  $end="'";
 }
 else {
  $prefix="";
  $end="";
 }
 foreach $topicsfileline (@topicsfile) {
  if ($topicsfileline =~ /^\#/) { next }
  if ($topicsfileline =~ /^\|\|\|$topic/) {
   chomp($topicsfileline);
   @topicsfileline=split(/\|\|\|/, $topicsfileline);
   $topicfile_topic = $topicsfileline[1];
   $topicfile_deps = $topicsfileline[2];
   $topicfile_sw = $topicsfileline[3];
   $topicfile_service = $topicsfileline[4];
   $topicfile_hw = $topicsfileline[5];
   $topicfile_desc=1;
   $topicsfileline="";
   next;
  }
  if ($topicfile_desc) {
   if ($topicsfileline =~ /^\|\|\|/) {
    last;
   }
   $topicsfileline=~s/\n/\<br\>/g;
   $topicdesc.=$topicsfileline;
  }
 }
 $content .= $topicdesc;
 $topicdesc=~s/\n/<br>/g;
 $tfile .= "<!-- $topic --><p class=\"intro\">$topicdesc</p>\n";
 if ($topicfile_deps) {
  $content .= "  <p>If you want to use this solution you need the following howto(s) finished:</p>\n  <ul>";
  $tfile .= "  <p>If you want to use this solution you need the following howto(s) finished:</p>\n  <ul>";
  @needtopics=split(/\,/, $topicfile_deps);
  foreach $topicdep (@needtopics) {
   $content .= "   <li><a href=\"#t-$topicdep\">$topicdep</a></li>\n";
   $tfile .= "   <li><a href=\"index.html#howtos\">$topicdep</a></li>\n";
  }
  $content .= "  </ul>";
  $tfile .= "  </ul>";
 }
 if ($topicfile_hw) {
  $content .= "<h2>Required hardware</h2>
  For this topic you need the following hardware: $topicfile_hw";
  $tfile .= "<h2>Required hardware</h2>
  For this topic you need the following hardware: $topicfile_hw";
 }
 if ($topicfile_sw) {
  $content .= "<h2>Required software</h2>
  The required software has to be installed with the following command(s):<pre>";
  $tfile .= "<h2>Required software</h2>
  The required software has to be installed with the following command(s):<pre>";
  @needsw=split(/ /, $topicfile_sw);
  foreach $swdep (@needsw) {
   $content .= $prefix."emerge $swdep"."$end\n";
   $tfile .= $prefix."emerge $swdep"."$end\n";
  }
  $content .= "</pre>";
  $tfile .= "</pre>";
 }
 $content .= $ad;
 $content .= $topics{$topic};
 $tfile .= $topics{$topic};
 if ($topicfile_service) {
  $content .= "<h2>Setting up services</h2>\n<p>For starting the new service after system reboot you should add it to a runlevel with the following command(s):</p>\n <pre>";
  $tfile .= "<h2>Setting up services</h2>\n<p>For starting the new service after system reboot you should add it to a runlevel with the following command(s):</p>\n <pre>";
  @needservice=split(/ /, $topicfile_service);
  $runlevel="";
  foreach $service (@needservice) {
   $runlevel=`$prefix rc-update show | grep " $service |"$end`;
   chomp($runlevel);
   # strip everything up to the "|" of the "rc-update show" line, leaving the runlevel name
   $runlevel=~s/^.*\|//;
   $runlevel=~s/$service//g;
   $runlevel=~s/ //g;
   $content .= $prefix."rc-update add $service $runlevel"."$end\n";
   $tfile .= $prefix."rc-update add $service $runlevel"."$end\n";
  }
  $content .= "</pre>";
  $tfile .= "</pre>";
 }
 $topics .= "  <a href=\"#t-$topic\">$topic</a><br>\n";
 $itopic=$topic;
 $itopic=~s/[^a-zA-Z0-9]/_/g;
 $itopic=~s/_+/_/g;
 $itopics .= "  <a href=\"howto_$itopic.html\">$topic</a><br>\n";
 $content .= "  <p>
Please send a feedback to: <b>doc&lt;at&gt;example.com</b></p>
  <a href=\"#howtos\">Howto listing</a><br>
  <a href=\"#Index\">File Index</a>\n";
 $tfile .= "  $ad
 <p>
Please send a feedback to: <b>doc&lt;at&gt;example.com</b></p>
  <a href=\"index.html#howtos\">Howto listing</a><br>
  <a href=\"index.html#Index\">File Index</a><br><br>
  <p><a href=\"http://forums.gentoo.org\">Here</a> you can find the official Gentoo Linux Forums where you can find a lot of answers.</p>
  <p><a href=\"http://www.gentoo.org\">Here</a> a link to the official Gentoo Linux Homepage.</p>
  <p><a href=\"https://doc.example.com/edit/howto_$itopic.html\">Edit Howto</a></p>
  $impr
  </div>
 </body>
</html>";
 $tfilename=$topic;
 $tfilename=~s/[^a-zA-Z0-9]/_/g;
 $tfilename=~s/_+/_/g;
 $tfilename .= ".html";
 $oldtfile="";
 open(OLDTFILE, "<$webpath/howto_$tfilename");
 @oldtfile=<OLDTFILE>;
 close(OLDTFILE);
 foreach $line (@oldtfile) {
  $oldtfile.=$line;
 }
 $newtfile=$tfile;
 $oldtfile=~s/meta name=\"date\" content=.*\"\>//;
 $newtfile=~s/meta name=\"date\" content=.*\"\>//;
 open(TMP, ">/tmp/t1");
 print TMP $oldtfile;
 close(TMP);
 open(TMP, ">/tmp/t2");
 print TMP $newtfile;
 close(TMP);
 $diff=system("diff /tmp/t1 /tmp/t2");
 if ($diff) {
  print "Updateing $webpath/howto_$tfilename\n";
  open(TFILE, ">$webpath/howto_$tfilename");
  print TFILE $tfile;
  close(TFILE);
 }
 push(@tfilelist,"howto_$tfilename");
 $sitemap.="\n <url>
  <loc>$url/howto_$tfilename</loc>
  <lastmod>$sitemapdate</lastmod>
  <changefreq>monthly</changefreq>
  <priority>0.7</priority>
 </url>";
}
@oldtfilelist=`ls $webpath/howto_*`;
foreach $checkoldfile (@oldtfilelist) {
 chomp($checkoldfile);
 $newtfile=0;
 $createdtfile="";
 foreach $createdtfile (@tfilelist) {
  $createdtfiletest="$webpath/$createdtfile";
  if ($checkoldfile eq $createdtfiletest) { $newtfile=1 }
 }
 unless ($newtfile) {
  print "Deleting $checkoldfile\n";
  `rm $checkoldfile`;
 }
}
$html="$doctype
<html>
 <head>
  <title>Howtos $htmltitle</title>
  <meta name=\"description\" content=\"$metashortdescr\">
  <meta name=\"date\" content=\"$metadate\">
  <meta name=\"author\" content=\"$metaauthor\">
  <meta name=\"keywords\" content=\"gentoo, howto, documentation, linux, traffic, shaping, firewall, ldap, thin, up-to-date, up to date, new\">
  <meta name=\"robots\" content=\"all\">
  <meta http-equiv=\"Content-Type\" content=\"text/html; charset=US-ASCII\">
  <meta http-equiv=\"expires\" content=\"0\">
  <link rel=\"stylesheet\" type=\"text/css\" href=\"/howto.css\">
 </head>
 <body><div class=\"frame\">
  <h1>Howtos $htmltitle (last version created: $createdate)</h1>
  <p>$metashortdescr</p>
<p>The special thing of this is that the Documentation generates automatically from my running system, so it is <b>every time up to date</b>.<br>Further this Howto is build <b>modular</b>. The Howtos are sorted in alphabetical order. Every topic has its dependencies. For example: You have to finish Webserver Howto for building webbased statistics.</p>
  <p>I hope to give something back to the community with this document.</p>
  <p>Please enjoy and send any ideas, wishes or advancements to: <b>doc&lt;at&gt;example.com</b>";
$hindex=$html;
$clicense="
  <h1>License</h1>
  <p>Copyright (C) 2008-$jahr $metaauthor.</p>
  <p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.</p><p>
A copy of the license is included in the section entitled \"<a href=\"#FDL\">GNU Free Documentation License</a>\".</p>
  <h1>Introduction</h1>
  <p>This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.</p>
";
$html.=$clicense;
$html.=$topics;
$hindex.=$license;
$hindex.=$ad;
$hindex.="<h1>All in one page</h1>
 <a href=complete.html>Here</a> you can find the complete documentation in one page<br>
 $itopics";
$hindex.=$ad;
$html.=$content;
$html.="  <h1><a class=h1link name=Index>File Index</a></h1>" . $index . "\n";
open(LICENSE, "</usr/local/etc/sysdoc/license");
@license = <LICENSE>;
close(LICENSE);
$html .= "<h1><a class=h1link name=FDL>GNU Free Documentation License</a></h1>
@license";
$hindex .= "<h1><a class=h1link name=Index>File Index</a></h1>$pindex\n";
$html .= " </div></body>\n</html>";
$hindex .= "$impr\n</div></body>\n</html>";
open(DOC, ">$webpath/complete.html");
print DOC $html;
close(DOC);
$sitemap.="\n <url>
  <loc>$url/complete.html</loc>
  <lastmod>$sitemapdate</lastmod>
  <changefreq>weekly</changefreq>
  <priority>0.1</priority>
 </url>
</urlset>\n";

$oldifile="";
open(OLDIFILE, "<$webpath/index.html");
@oldifile=<OLDIFILE>;
close(OLDIFILE);
foreach $line (@oldifile) {
 $oldifile.=$line;
}
$newifile=$hindex;
$oldifile=~s/meta name=\"date\" content=.*\"\>//;
$newifile=~s/meta name=\"date\" content=.*\"\>//;
$oldifile=~s/created\:.*\>//;
$newifile=~s/created\:.*\>//;
open(TMP, ">/tmp/1");
print TMP $oldifile;
close(TMP);
open(TMP, ">/tmp/2");
print TMP $newifile;
close(TMP);
$diff=system("diff /tmp/1 /tmp/2");
if ($diff) {
 print "Updating $webpath/index.html\n";
 open(IFILE, ">$webpath/index.html");
 print IFILE $hindex;
 close(IFILE);
}

`mkdir -p $webpath/license`;
open(LICENSE, ">$webpath/license/fdl.html");
print LICENSE "<html><head><title>FDL-License for example.com</title></head><body>@license</body></html>";
close(LICENSE);

open(SITEMAP, ">$webpath/sitemap.xml");
print SITEMAP $sitemap;
close(SITEMAP);

# Create Editor
#system "/usr/local/bin/mkeditdoc.pl";
`rm $webpath/../edit/*`;
$howtodir=$webpath;
@howtos=`cd $howtodir; ls howto_*.html`;

foreach $howto (@howtos) {
 print $howto;
 chomp($howto);
 open(HOWTO, "<$howtodir/$howto") || die "Failed to open $howtodir/$howto";
 @howto=<HOWTO>;
 close(HOWTO);
 open(EHOWTO, ">$howtodir/../edit/$howto");
 foreach $howtoline (@howto) {
  if (($howtoline=~/<p class="comment"/) || ($howtoline=~/<p class="intro"/)) {
   if ($howtoline=~/-- .+ --./) {
    $target=$howtoline;
    @target=split(/--/, $howtoline);
    $target=$target[1];
    $target=~s/^ +//;
    $target=~s/ +$//;
   }
   $howtoline=~s/<br>/\n/g;
   $howtoline=~s/<p class=\"comment\">/<form action=\"\/cgi-bin\/changedoc.pl\" method=\"POST\"><textarea name=\"comment\" cols=\"115\" rows=\"25\">/;
   $howtoline=~s/<p class=\"intro\">/<form action=\"\/cgi-bin\/changedoc.pl\" method=\"POST\"><textarea name=\"intro\" cols=\"115\" rows=\"25\">/;
   if ($howtoline=~/textarea name="comment"/) {
    $howtoline=~s/<\/p>$/<\/textarea><input type="hidden" name="file" value="$target"><input type="submit" value="Submit"><\/form>/;
   }
   elsif ($howtoline=~/textarea name="intro"/) {
    $howtoline=~s/<\/p>$/<\/textarea><input type="hidden" name="howto" value="$target"><input type="submit" value="Submit"><\/form>/;
   }
   else {$howtoline=~s/<\/p>$/<\/textarea>/ }
   print EHOWTO $howtoline;
  }
  else {
   print EHOWTO $howtoline;
  }
 }
 close(EHOWTO);
}


unlink("/tmp/t1");
unlink("/tmp/t2");
unlink("/tmp/1");
unlink("/tmp/2");


Changes in /var/www/doc.gabosh.net/cgi-bin/changedoc.pl

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /var/www/doc.gabosh.net/cgi-bin/changedoc.pl

Changed on 27.04.10
Issued by olli
Beginning line 2

This is the CGI-script for editing the documentation

#!/usr/bin/perl

# Get the Data
read(STDIN, $line, $ENV{'CONTENT_LENGTH'});
@post = split(/&/, $line);

# Header for HTML output
print "Content-type:text/html\n\n";

$back=5;

# Refuse while a previous submission is still being processed
if (-e "/tmp/changedoc") {
 $text="Working...</h1></div></body></html>";
 $exit=1;
}
# Only accept submissions that come from the edit pages. The Referer header
# is sent by the client, so this is a courtesy check, not authentication.
elsif ($ENV{HTTP_REFERER} !~ /https:\/\/doc\.gabosh\.net\/edit\/howto_/ ) {
 $text="</h1></div></body></html>";
 $exit=1;
 $back="0;http://doc.example.com";
}


print "<html>
 <head>
  <title>Data submitted</title>
  <meta http-equiv=\"refresh\" content=\"$back\">
  <link rel=\"stylesheet\" type=\"text/css\" href=\"/howto.css\">
 </head>
 <body><div class=\"frame\"><h1>
 $text
 ";

if ($exit) {
 exit 0;
}

print "Hi $ENV{AUTHENTICATE_UID}, Working... Please wait...";

foreach $post (@post) {
 # Make + to Space
 $post=~s/\+/ /g;
 # Make Hex-Strings to ASCII
 $post=~s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
 if ($post=~/^intro\=/) {
  $intro=1;
 }
 if ($post=~/^comment\=/) {
  $comment=1;
 }
}

if ($intro) {
 $intro=$post[0];
 $howto=$post[1];
 $howto=~s/^howto\=//;
 $intro=~s/^intro\=//;
 $intro=~s/\r\n/\n/g;

 open(FILE, ">/tmp/changedoc");
 print FILE "$howto\n";
 print FILE "$intro\n";
 close(FILE);
}

if ($comment) {
 $comment=$post[0];
 $fileline=$post[1];
 $fileline=~s/^file\=//;
 @fileline=split(/\|\|\|/, $fileline);
 $file=$fileline[0];
 $linenr=$fileline[1];
 $comment=~s/^comment\=//;
 $comment=~s/[\r]//g;
 $comment=~s/[\n]/<br>/g;
 chomp($comment);
 open(FILE, ">/tmp/changedoc");
 print FILE "$linenr\n";
 print FILE "$file\n";
 print FILE "$comment";
 close(FILE);
}

print "</h1></div></body></html>\n";
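The decoding loop above splits the body on "&", turns "+" into spaces and each "%XX" into the byte it names, and then picks the fields by position ($post[0], $post[1]). The following Python is an added example, not part of changedoc.pl or of the sysdoc tool: it performs the same decoding, keys the fields by name so the order of the form fields no longer matters, and splits the hidden file field on "|||" exactly as the comment branch does. The check that the line number is an integer is an addition of the example; the sample POST bodies are constructed.

```python
import re
from typing import Dict, Tuple

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_form_component(text: str) -> str:
    """Decode one application/x-www-form-urlencoded token the way
    changedoc.pl does: '+' becomes a space, then each %XX becomes the byte
    it names. Decoding into a byte buffer keeps multi-byte UTF-8 sequences
    intact; a '%' that is not followed by two hex digits is kept as-is."""
    text = text.replace("+", " ")
    raw = bytearray()
    pos = 0
    for m in _PCT.finditer(text):
        raw += text[pos:m.start()].encode("utf-8")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    raw += text[pos:].encode("utf-8")
    return raw.decode("utf-8", errors="replace")


def parse_form_body(body: str) -> Dict[str, str]:
    """Split a POST body on '&' and key the fields by name. changedoc.pl
    indexes $post[0]/$post[1] instead, so it depends on the order in which
    the browser sends the form fields; a dict removes that dependency."""
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[decode_form_component(name)] = decode_form_component(value)
    return fields


def split_file_target(target: str) -> Tuple[str, int]:
    """The hidden 'file' field carries '<path>|||<line number>' (see the
    'comment' branch of changedoc.pl). The integer check is an addition of
    this example; the CGI script writes the value through unchecked."""
    path, sep, linenr = target.partition("|||")
    if not sep or not linenr.isdigit():
        raise ValueError(f"malformed file target: {target!r}")
    return path, int(linenr)


def plan_change(body: str) -> Dict[str, object]:
    """Work out what changedoc.pl would write to /tmp/changedoc for this
    body, without touching the filesystem."""
    fields = parse_form_body(body)
    if "intro" in fields:
        return {
            "kind": "intro",
            "howto": fields["howto"],
            "intro": fields["intro"].replace("\r\n", "\n"),
        }
    if "comment" in fields:
        path, linenr = split_file_target(fields["file"])
        comment = fields["comment"].replace("\r", "").replace("\n", "<br>")
        return {"kind": "comment", "file": path, "line": linenr, "comment": comment}
    raise ValueError("body contains neither an intro nor a comment field")


if __name__ == "__main__":
    # Constructed sample bodies, as a browser would send them for the two forms.
    print(plan_change("comment=Daily+backup%0D%0Aat+2%3A00&file=%2Fetc%2Fcrontab%7C%7C%7C22"))
    print(plan_change("howto=backup&intro=Hello%0D%0Aworld"))
```

Because the fields are keyed by name, a form that sends howto before intro is handled the same as one that sends them the other way round, which the positional indexing in the script above does not guarantee.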

Changes in /var/www/doc.gabosh.net/htdocs/howto.css

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/doc.gabosh.net/htdocs/howto.css

Changed on 27.04.10
Issued by olli
Beginning line 2

The Cascading Style Sheet for the design of the sysdoc HTML Output

body {
 background-color:#dddaec;
 font-family: sans-serif, Verdana, Arial, Helvetica;
 font-size:small;
 color:#000000;
}
h1 {
 background-color:#7a5ada;
 color:#ffffff;
 padding-left:2px;
 font-size:large;
}
h2 {
 background-color:#dddaec;
 padding-left:2px;
 font-size:medium;
}
.h1link {
 color:#ffffff;
 text-decoration:none;
}
.h1link:visited {
 color:#ffffff;
 text-decoration:none;
}
.h1link:active {
 color:#ffffff;
 text-decoration:none;
}
.h1link:hover {
 color:#ffffff;
 text-decoration:underline;
}
.h2link:hover {
 color:#000000;
 text-decoration:none;
}
a:link {
 color:#7a5ada;
 text-decoration:none;
}
a:visited {
 color:#7a5ada;
 text-decoration:none;
}
a:active {
 color:#7a5ada;
 text-decoration:none;
}
a:hover {
 color:#7a5ada;
 text-decoration:underline;
}
.frame {
 width:950px;
 background-color:white;
 padding:10px;
}
.before {
 background-color:#FF8080;
}
.after {
 background-color:#80FF80;
}
.small {
 font-size:smaller;
}
pre {
 overflow:visible;
 background-color:#FFFF80;
 font-size:larger;
}

Please send a feedback to: doc<at>gabosh.net


Backup

One of the most important things for a server is backups. I wrote a little script to do this job automatically every day.
I create my backups on an external harddisk being mounted during the boot process to /srv/backups.
First set the profile and update the system:
rm /etc/make.profile && ln -s /usr/portage/profiles/hardened/x86 /etc/make.profile && emerge -uDvN world

If you want to use this solution you need the following howto(s) finished:

Required hardware

For this topic you need the following hardware: External harddisk

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/crontab

Changed on 15.11.10
Issued by olli
Beginning line 22

Run backup daily at 2:00 am

0 2 * * *       root    /usr/local/sbin/backup.sh 2>&1 | cat -vT | mail -s "Daily Backup `date`" root


Basesystem

First of all you have to install a Gentoo basesystem on your computer. There are some great howtos on the Gentoo homepage (http://www.gentoo.org). Please use them.

The following is a list of config files I changed/created in the installation process. You can use this as an addition to the Gentoo Handbook.

If you install from a stage3 you should change the make.conf to fit your system needs after the installation and rebuild the world with the new settings:
emerge -e world

Required hardware

For this topic you need the following hardware: Linux compatible computer

Required software

The required software has to be installed with the following command(s):
emerge sys-process/vixie-cron
emerge app-admin/rsyslog
emerge sys-process/at
emerge app-admin/logrotate
emerge net-misc/whois
emerge net-analyzer/nmap
emerge net-misc/netkit-telnetd
emerge app-editors/vim
emerge media-video/mplayer
emerge sys-apps/rename
emerge media-sound/id3v2
emerge dev-perl/MP3-Tag
emerge media-libs/exiftool
emerge media-sound/vorbis-tools

Changes in /boot/grub/grub.cfg

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /boot/grub/grub.cfg

Changed on 08.09.08
Issued by olli
Beginning line 1

The Grub-Bootloader configuration

set timeout=30
set default=0

menuentry '4.4.39' {
        set root='(hd0,msdos1)'
        echo    'Loading kernel...'
        linux    /4.4.39 root=/dev/sda2 lockd.udpport=32768 lockd.tcpport=32768 consoleblank=0
}

menuentry '4.4.26' {
        set root='(hd0,msdos1)'
        echo    'Loading kernel...'
        linux    /4.4.26 root=/dev/sda2 lockd.udpport=32768 lockd.tcpport=32768 consoleblank=0
}


Changes in /etc/conf.d/consolefont

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/consolefont

Changed on 06.09.08
Issued by olli
Beginning line 8

consolefont specifies the default font that you'd like Linux to use on the console


Before change
#consolefont="default8x16"
After change
consolefont="lat9w-16"

Changes in /etc/conf.d/hostname

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/hostname

Changed on 06.09.08
Issued by olli
Beginning line 2

The hostname of your machine


Before change
hostname="localhost"
After change
hostname="silent-gabosh.example.com"

Changes in /etc/conf.d/keymaps

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/keymaps

Changed on 06.09.08
Issued by olli
Beginning line 3

This setting is to specify the default console keymap


Before change
keymap="us"
After change
keymap="de-latin1"

Changes in /etc/conf.d/net

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/net

Changed on 06.09.08
Issued by olli
Beginning line 6

Network-Interface settings

#config_eth1="XXX.XXX.XXX.XXX/24"
#routes_eth1="default via XXX.XXX.XXX.XXX"

config_tap0="XXX.XXX.XXX.XXX/16"
mac_tap0="XX:XX:XX:XX:XX:XX"
rc_net_tap0_provide="!net"

config_eth0="my.lan.ip.addr/16"
dns_servers_eth0="127.0.0.1"
dns_search_eth0="example.com dmz"
dns_domain_eth0="example.com"

Changes in /etc/conf.d/net

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/net

Changed on 13.10.15
Issued by olli
Beginning line 28

Optional Internet Connection via PPPOE (rp-pppoe)

config_eth1=null
config_ppp0="ppp"
link_ppp0="eth1"
plugins_ppp0="pppoe"
username_ppp0='provideruser'
password_ppp0='providerpass'
pppd_ppp0="
noauth
defaultroute
holdoff 3
child-timeout 60
lcp-echo-interval 15
lcp-echo-failure 3
noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
rc_net_ppp0_need="net.eth1"

Changes in /etc/cron.daily/clearat.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /etc/cron.daily/clearat.sh

Changed on 17.08.09
Issued by olli
Beginning line 1

Delete at spools older than two weeks

find /var/spool/at/atspool -ctime +14 -exec rm {} \;

Changes in /etc/fstab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/fstab

Changed on 06.09.08
Issued by olli
Beginning line 17

List of local filesystems and mount options which are required for system boot or other mount operations.


Before change
/dev/BOOT		/boot		ext2		noauto,noatime	1 2
/dev/ROOT		/		ext3		noatime		0 1
/dev/SWAP		none		swap		sw		0 0
/dev/cdrom		/mnt/cdrom	auto		noauto,ro	0 0
After change
/dev/sda1   /boot      ext4   noatime,noexec,acl,nosuid,discard,nofail   0 0
/dev/sda2   /          ext4   noatime,acl,discard,nofail                 0 0
/dev/sda9   /var       ext4   noatime,acl,discard,nofail                 0 0
/dev/sda5   /var/log   ext4   noatime,acl,noexec,nosuid,discard,nofail   0 0
/dev/sda6   /data      ext4   noatime,acl,nosuid,discard,nofail          0 0
/dev/sda7   none       swap   sw,discard,nofail                          0 0
/dev/sda8   /var/www   ext4   noatime,acl,nosuid,discard,nofail          0 0
/dev/sdb2   /gtc       ext4   noatime,acl,nosuid,nofail                  0 0
proc        /proc      proc   defaults,nofail                            0 0

Changes in /etc/hosts

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/hosts

Changed on 06.09.08
Issued by olli
Beginning line 39

This entry is for the LAN IP of the server. If DNS fails, the server can at least resolve itself.

my.lan.ip.addr silent-gabosh.example.com silent-gabosh gabosh example.com
XXX.XXX.XXX.XXX silent-inet-gabosh.example.com silent-inet-gabosh inet-gabosh
# Some other Hostnames (VPNs/INETLAN)
XXX.XXX.XXX.XXX   router fritz fb box fritzbox 
XXX.XXX.XXX.XXX silent-vpn-gabosh.example.com silent-vpn-gabosh vpn-gabosh
my.ip.as.vpn-client silent-vpn-client-gabosh.example.com silent-vpn-client-gabosh vpn-client-gabosh
#XXX.XXX.XXX.XXX hera.medianet hera

Changes in /etc/logrotate.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/logrotate.conf

Changed on 13.01.15
Issued by olli
Beginning line 7

Logrotate daily


Before change
weekly
After change
daily

Changes in /etc/logrotate.d/gabosh

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/logrotate.d/gabosh

Changed on 19.09.14
Issued by olli
Beginning line 1

Logrotations

/opt/rsyncd.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
	postrotate
	        /usr/local/sbin/rsyncwatch > /dev/null 2>&1 || true
	endscript
}

/var/log/dyndns.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
}

/opt/horde/horde.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
	postrotate
	        /usr/local/sbin/hordewatch > /dev/null 2>&1 || true
	endscript
}
/opt/horde/hordeaddr2gps.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
}
/opt/horde-test/horde.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
	postrotate
	        /usr/local/sbin/hordetestwatch > /dev/null 2>&1 || true
	endscript
}
/var/log/openvpn/vpn.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
}

/var/log/openvpn/vpnfw.log {
        compress
        rotate 7
	daily
        notifempty
        missingok
        copytruncate
	postrotate
	        /root/scripts/vpnfire.sh || true
	endscript
}

/var/log/bind.log
/var/log/dhcpd.log
/var/log/nfs.log
/var/log/ntp.log
/var/log/maillog.log
/var/log/firewall.log
/var/log/dmesgcron
/var/log/watchdog.log
/var/log/pulseaudio.log
/var/log/hostapd.log
/var/log/nscd.log
/var/log/arpwatch.log
/var/log/x.log
/var/log/xinetd.log
/var/log/sa-update.log
/var/log/pppd.log
{
        rotate 7
        daily
        missingok
        notifempty
        copytruncate
	compress
        postrotate
                kill -HUP $(cat /run/rsyslogd.pid) >/dev/null 2>&1 || true
        endscript
}
/var/log/apache2/*log {
	rotate 7
	daily
	missingok
	notifempty
	copytruncate
	compress
	postrotate
		/etc/init.d/apache2 restart > /dev/null 2>&1 || true
	endscript
}

/var/log/auth.log
/var/log/cron.log
/var/log/daemon.log
/var/log/kern.log
/var/log/lpr.log
/var/log/mail.log
/var/log/news.log
/var/log/user.log
/var/log/debug.log
/var/log/messages
{
        rotate 7
        daily
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
                test -r /run/rsyslogd.pid && kill -HUP $(cat /run/rsyslogd.pid) &>/dev/null
        endscript
}



Changes in /etc/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/make.conf

Changed on 05.09.2008
Issued by olli
Beginning line 1

In this file all software and hardware specific optimizations are set.

# Optimizations for the processor and the system architecture
CHOST="i686-pc-linux-gnu"
#CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=atom -O2 -pipe -fomit-frame-pointer -pipe"
CXXFLAGS="${CFLAGS}"
# Optimizations for the software
USE="-smartcard oss pjproject -ipv6 gnutls ssl dhcp pulseaudio png cairo samba client smbclient pdo dbus hpijs xmlreader xmlwriter curl mod_pubsub mod_muc system-wide ruby_targets_ruby21 conntrack udisks -extras -themes minizip gudev apng introspection gtk javascript webinterface fdk fontconfig libass clamav -syslog -dvd -dvdnav -truetype X nscd python -tls-heartbeat sockets bcmath server -svg  messages inotify vpx vorbis intl mp3 gssapi mdev sieve ldap-bind scanner openldap kerberos tidy xmlrpc spl real ogg -opengl -osdmenu -xscreensaver -xv cdparanoia jack lzo mad win32codecs cjk sdb-ldap overlays dlz -snmp -dso git subversion nls alsa vhosts xattr acl dynamicplugin -3dnow -3dnowext hash ldap logrotate nfs capi -pic spamassassin iconv json mhash usb cli pcre xml zlib sasl apache2 chroot ctype cups extensions fax ffmpeg ftp gd gdbm imagemagick imap jpeg -network netpbm perl session slang -tcpd tordns tiff truetype unicode unzip vim-syntax xml zip xvid x264 x265 aac faac policykit svg nsplugin"
GRUB_PLATFORMS="efi-32 efi-64"
LANG="de_DE"
LANGUAGE="41"
LINGUAS="de"
L10N="de"
ACCEPT_LICENSE="-* @FREE isc-dhcp arj adobe-ps lha freedist unRAR PHP-2.02 MSttfEULA hylafax free-noncomm DES MPEG-4 zoo SAMSUNG-ELECTRONICS-software as-is FraunhoferFDK Oracle-BCLA-JavaSE"
PORTAGE_TMPDIR="/opt/portagetmp"
CPU_FLAGS_X86="mmx sse"
SANE_BACKENDS=""
CURL_SSL="gnutls"
FFTOOLS=""
CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3"
VOICEMAIL_STORAGE="file"
VIDEO_CARDS="dummy fbdev" 
#VIDEO_CARDS="dummy fbdev glint intel mach64 mga nouveau nv r128 radeon savage tdfx trident v4l vesa via vmware -apm -ast -chips -cirrus -epson -fglrx (-freedreno) -geode -i128 -i740 -modesetting -neomagic -nvidia"

Changes in /etc/profile.d/root.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /etc/profile.d/root.sh

Changed on 30.11.10
Issued by olli
Beginning line 1

Some (personal) special settings for the root shell.

EDITOR="/usr/bin/vim"
if [ "$EUID" = "0" ] || [ "$USER" = "root" ] 
then
 PATH=$PATH:/root/scripts
 HISTSIZE=10000
 HISTFILESIZE=10000
fi

Changes in /etc/rc.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/rc.conf

Changed on 05.03.17
Issued by olli
Beginning line 251

Network is up if one Interface starts

rc_depend_strict="NO"

Changes in /etc/rsyslog.d/00-gabosh.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/rsyslog.d/00-gabosh.conf

Changed on 19.09.14
Issued by olli
Beginning line 1

Logfile definitions

# Additional Socket from chroot
input(type="imuxsock" HostName="webspace" Socket="/srv/www/dev/log" CreatePath="on")
input(type="imuxsock" HostName="vpn" Socket="/srv/dev/log")
# Cron
if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'cron' then stop
if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'run-crons' then stop
if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'crontab' then stop
# rsync
if $programname == 'rsyncd' and $syslogseverity <= '6' then /opt/rsyncd.log
if $programname == 'rsyncd' then stop
# DNS
if $programname == 'named' and $msg contains 'client 127.0.0.1' then stop
if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
if $programname == 'named' then stop
# DHCP
if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log
if $programname == 'dhcpd' then stop
# NFS
if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.mountd' then stop
if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.idmapd' then stop
if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.statd' then stop
if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpcbind' then stop
# NTP
if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpd' then stop
if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpdate' then stop
# Mail
if $msg contains 'auxpropfunc error invalid parameter supplied' then stop
if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop
if $msg contains 'seen_db: user ' then stop
if $msg contains 'SQUAT ' then stop
if $msg contains 'indexing mailbox ' then stop
if $msg contains 'fetching user_deny.db' then stop
if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'lmtpunix' then stop
if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imap' then stop
if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imaps' then stop
if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'master' then stop
if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ctl_cyrusdb' then stop
if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3' then stop
if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3s' then stop
if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'squatter' then stop
if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'tls_prune' then stop
if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'cyr_expire' then stop
if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'sieve' then stop
if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'deliver' then stop
if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ipurge' then stop
if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'saslauthd' then stop
if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'amavis' then stop
if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'clamd' then stop
if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'freshclam' then stop
if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'fetchmail' then stop
if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'spamd' then stop
if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname contains 'postfix' then stop
if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'reconstruct' then stop
# firewall
if $programname == 'kernel' and $msg contains 'DROP: ' then /var/log/firewall.log
if $programname == 'kernel' and $msg contains 'DROP: ' then stop
# filter messages
if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop
if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop
if $programname == 'internal-sftp' and $msg contains '/.xbmc/' then stop
if $programname == 'internal-sftp' then /opt/sftpaccess.log
if $programname == 'internal-sftp' then stop
# Horde-Addr2GPS
if $programname == 'hordeaddr2gps.pl' then /opt/horde/hordeaddr2gps.log
if $programname == 'hordeaddr2gps.pl' then stop
# PulseAudio
if $programname == 'pulseaudio' then /var/log/pulseaudio.log
if $programname == 'pulseaudio' then stop
# hostapd
if $programname == 'hostapd' then /var/log/hostapd.log
if $programname == 'hostapd' then stop
# nscd
if $programname == 'nscd' then /var/log/nscd.log
if $programname == 'nscd' then stop
# arpwatch
if $programname == 'arpwatch' then /var/log/arpwatch.log
if $programname == 'arpwatch' then stop
# X
if $programname == 'mate-session' then /var/log/x.log
if $programname == 'mate-session' then stop
if $programname == 'Tor' then /var/log/x.log
if $programname == 'Tor' then stop
# xinetd
if $programname == 'xinetd' then /var/log/xinetd.log
if $programname == 'xinetd' then stop
# in.tftp
if $programname == 'in.tftpd' then /var/log/in.tftpd.log
if $programname == 'in.tftpd' then stop
# pppd
if $programname == 'pppd' then /var/log/pppd.log
if $programname == 'pppd' then stop
#
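The rules above are evaluated top to bottom, and a "stop" action discards the message for every later rule. That is why each section first writes the wanted severities to its own file and then stops: nothing from that program reaches the catch-all file at the end of rsyslog.conf, and a debug message (severity 7) of cron is dropped without being written anywhere. The Python below is an added example, not part of this configuration or of rsyslog: it parses a constructed subset of exactly these rule lines and reports which files a sample message ends up in. It assumes that the catch-all at the end of the stock rsyslog.conf is /var/log/messages.

```python
import re
from typing import Dict, List, Tuple

Condition = Tuple[str, str, str]      # (property, operator, literal)
Rule = Tuple[List[Condition], str]    # (conditions joined by 'and', action)

_RULE = re.compile(r"^if (?P<cond>.+?) then (?P<action>\S+)$")
_COND = re.compile(r"\$(?P<prop>\w+) (?P<op>==|contains|<=) '(?P<val>[^']*)'")

# Constructed subset of the rules above (cron, DNS, mail and firewall sections).
SAMPLE_RULES = """
# Cron
if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'cron' then stop
# DNS
if $programname == 'named' and $msg contains 'client 127.0.0.1' then stop
if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
if $programname == 'named' then stop
# Mail
if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname contains 'postfix' then stop
# firewall
if $programname == 'kernel' and $msg contains 'DROP: ' then /var/log/firewall.log
if $programname == 'kernel' and $msg contains 'DROP: ' then stop
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse the 'if ... then ...' lines used above: the ==, contains and <=
    operators joined by 'and', with a file path or 'stop' as the action."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        conditions: List[Condition] = []
        for part in m.group("cond").split(" and "):
            c = _COND.fullmatch(part.strip())
            if not c:
                raise ValueError(f"unsupported condition: {part}")
            conditions.append((c.group("prop"), c.group("op"), c.group("val")))
        rules.append((conditions, m.group("action")))
    return rules


def _holds(cond: Condition, message: Dict[str, object]) -> bool:
    prop, op, literal = cond
    actual = message[prop]
    if op == "==":
        return str(actual) == literal
    if op == "contains":
        return literal in str(actual)
    return int(actual) <= int(literal)   # '<=' compares the numeric severity


def route(rules: List[Rule], message: Dict[str, object],
          catch_all: str = "/var/log/messages") -> List[str]:
    """Files the message is written to. Rules run top to bottom; 'stop'
    discards the message, so neither later rules nor the catch-all file
    (assumed to be /var/log/messages) see it."""
    written: List[str] = []
    for conditions, action in rules:
        if all(_holds(c, message) for c in conditions):
            if action == "stop":
                return written
            written.append(action)
    written.append(catch_all)
    return written


def make_message(programname: str, severity: int, text: str) -> Dict[str, object]:
    """A message with the three properties the rules above look at."""
    return {"programname": programname, "syslogseverity": severity, "msg": text}
```

Running route() over a few constructed messages shows the effect of ordering: a cron message of severity 7 is stopped before anything is written, a named message for client 127.0.0.1 never reaches bind.log, and a kernel message without the "DROP: " prefix falls through to the catch-all.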

Changes in /etc/ssh/sshd_config

File permissions:
Owner: root
Group: root
Permissions: -rw-------

Click here for a download of the complete file: /etc/ssh/sshd_config

Changed on 07.06.10
Issued by olli
Beginning line 169

List of users who are allowed to log in, and allow only safe ciphers over ssh

PermitRootLogin no
PubkeyAuthentication no
X11Forwarding no
AllowTcpForwarding no
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
IgnoreRhosts yes

AllowUsers root olli

Match User root Address 127.0.0.1,172.23.*,172.24.*,172.25.*,212.6.102.3
 PermitRootLogin yes

Match User root Address XXX.XXX.XXX.XXX
 PermitRootLogin yes
 PubkeyAuthentication yes

Match User olli Address 127.0.0.1,172.23.*,172.25.*,85.16.65.139
 PubkeyAuthentication yes
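With the Match blocks above, the effective settings depend on the user name and the source address: the global PermitRootLogin no and PubkeyAuthentication no apply unless a Match block whose User and Address criteria both hold overrides them, and when several blocks match, the first one that sets a keyword wins for that keyword. The Python below is an added example, not from this page or from OpenSSH, that reads a constructed copy of this excerpt (the XXX.XXX.XXX.XXX placeholder replaced by 198.51.100.7 from the documentation range) and computes the settings for a given user and address. It also lists the names on the Ciphers and MACs lines that OpenSSH removed in release 7.6, because a current sshd does not start with a configuration that still names them.

```python
import fnmatch
import ipaddress
from typing import Dict, List, Tuple

# Constructed copy of the excerpt above; the XXX.XXX.XXX.XXX placeholder is
# replaced by 198.51.100.7 (documentation range) so that the example runs.
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
PubkeyAuthentication no
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
AllowUsers root olli

Match User root Address 127.0.0.1,172.23.*,172.24.*,172.25.*,212.6.102.3
 PermitRootLogin yes

Match User root Address 198.51.100.7
 PermitRootLogin yes
 PubkeyAuthentication yes

Match User olli Address 127.0.0.1,172.23.*,172.25.*,85.16.65.139
 PubkeyAuthentication yes
"""

# Algorithm names OpenSSH 7.6 removed; a Ciphers/MACs line that still names
# one of them makes a current sshd fail its configuration check.
REMOVED_IN_7_6 = {"arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
                  "cast128-cbc", "hmac-ripemd160", "hmac-ripemd160@openssh.com"}


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[Dict[str, str], Dict[str, str]]]]:
    """Global settings plus (criteria, settings) per Match block, in file
    order. Keywords are case-insensitive, values keep their case."""
    global_settings: Dict[str, str] = {}
    blocks: List[Tuple[Dict[str, str], Dict[str, str]]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword, rest = keyword.lower(), rest.strip()
        if keyword == "match":
            tokens = rest.split()
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current[keyword] = rest
    return global_settings, blocks


def pattern_list_matches(patterns: str, value: str) -> bool:
    """Comma-separated sshd pattern list: '*'/'?' wildcards or, for addresses,
    CIDR blocks. Negated ('!') entries are not handled in this example."""
    for entry in patterns.split(","):
        if "/" in entry:
            try:
                if ipaddress.ip_address(value) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue
        elif fnmatch.fnmatchcase(value, entry):
            return True
    return False


def effective_settings(config_text: str, user: str, addr: str) -> Dict[str, str]:
    """Settings sshd applies to 'user' connecting from 'addr': the globals,
    overridden by every Match block whose criteria all hold; among several
    matching blocks the first one that sets a keyword wins for that keyword."""
    global_settings, blocks = parse_sshd_config(config_text)
    effective = dict(global_settings)
    decided = set()
    for criteria, settings in blocks:
        if "user" in criteria and not pattern_list_matches(criteria["user"], user):
            continue
        if "address" in criteria and not pattern_list_matches(criteria["address"], addr):
            continue
        for keyword, value in settings.items():
            if keyword not in decided:
                effective[keyword] = value
                decided.add(keyword)
    return effective


def login_policy(config_text: str, user: str, addr: str) -> Dict[str, object]:
    """What the configuration says about one connection attempt."""
    eff = effective_settings(config_text, user, addr)
    allow = eff.get("allowusers")
    listed = allow is None or any(fnmatch.fnmatchcase(user, p) for p in allow.split())
    return {"listed_in_allowusers": listed,
            "permitrootlogin": eff.get("permitrootlogin"),
            "pubkeyauthentication": eff.get("pubkeyauthentication")}


def removed_algorithms(config_text: str) -> List[str]:
    """Names on the global Ciphers/MACs lines that OpenSSH >= 7.6 no longer knows."""
    global_settings, _ = parse_sshd_config(config_text)
    names: List[str] = []
    for keyword in ("ciphers", "macs"):
        names += global_settings.get(keyword, "").split(",")
    return sorted(n for n in names if n in REMOVED_IN_7_6)
```

For root from 172.23.4.9 the first Match block applies (password login allowed, no public keys), from 198.51.100.7 the second one (public keys allowed as well), and from any other address only the globals hold, so root cannot log in at all. The example does not reproduce every sshd rule (negated patterns, user@host forms in AllowUsers, other Match criteria), which is why it is limited to the keywords the excerpt uses.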


Changes in /etc/sysctl.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/sysctl.conf

Changed on 06.09.08
Issued by olli
Beginning line 53

This reboots the computer 60 seconds after a kernel panic.


Before change
#kernel.panic = 3
After change
kernel.panic = 60

Changes in /gtc/test/etc/profile.d/gtc.sh

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/profile.d/gtc.sh

Changed on 30.11.10
Issued by olli
Beginning line 1

Some (personal) special settings for the root shell.

EDITOR="/usr/bin/vim"
PATH=$PATH:/etc/thinclient/scripts
HISTSIZE=10000
HISTFILESIZE=10000

Changes in /usr/local/sbin/msgwatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/msgwatch

Changed on 02.03.11
Issued by olli
Beginning line 2

This is an optional script which sends an e-mail if an ssh user logs in or out.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
 open(PID, "</var/run/$me");
 my $pid=<PID>;
 close(PID);
 chomp($pid);
 if (-d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);

# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/var/log/messages";

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {

### SSHD ###
 if ($line =~ / sshd.+ Accepted .+ for .+ from .+ port /) {
  $line=~s/  +/ /g;
  chomp($line);
  sleep 5;
  my $who=`who ; w`;
  my @line=split(/ /,$line);
  # Start mail(1) directly with a list-form pipe open: no shell is involved,
  # so characters from the log line cannot be interpreted as shell syntax.
  if (open(my $mail, '|-', 'mail', '-s', "SSHWATCH: $line[8] is logging in from $line[10]", $mailto)) {
   print $mail "Hi,\n\n$line[8] is logging in with $line[6] ($line[12]) from $line[10]:\n\n# who ; w\n$who\n$line\n\nYour $0 [$$]\n";
   close($mail);
  }
  else {
   warn "Cannot run mail: $!";
  }
 }
 if ($line =~ / sshd.+ session closed for user /) {
  $line=~s/  +/ /g;
  chomp($line);
  sleep 5;
  my $who=`who ; w`;
  my @line=split(/ /,$line);
  # Same as above: mail(1) is started without a shell
  if (open(my $mail, '|-', 'mail', '-s', "SSHWATCH: $line[10] is closing the session", $mailto)) {
   print $mail "Hi,\n\n$line[10] is closing the session:\n\n# who ; w\n$who\n$line\n\nYour $0 [$$]\n";
   close($mail);
  }
  else {
   warn "Cannot run mail: $!";
  }
 }
}
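msgwatch recognises the login and logout lines by splitting on spaces and reading fixed positions ($line[8] for the user and $line[10] for the address of an "Accepted" line, $line[10] for the user of a "session closed" line). The Python below is an added example, not part of msgwatch, that extracts the same fields with named regular-expression groups, so a change in the number of fields cannot silently shift the user or the address; as a generalisation it also recognises the "Failed ... for" lines that msgwatch does not watch. The sample log lines are constructed in the format in which sshd logs through syslog to /var/log/messages.

```python
import re
from typing import Dict, Iterable, List, Optional

# Syslog prefix as written to /var/log/messages; '\s+' absorbs the doubled
# space of single-digit days ("Mar  7") that msgwatch collapses with s/  +/ /g.
_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "

_PATTERNS = {
    "login": re.compile(_PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) "
                        r"from (?P<ip>\S+) port (?P<port>\d+)"),
    "failed": re.compile(_PREFIX + r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?"
                         r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "logout": re.compile(_PREFIX + r"(?:pam_unix\(sshd:session\): )?"
                         r"session closed for user (?P<user>\S+)"),
}


def parse_sshd_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event kind plus its named fields, or None for lines that
    are not one of the recognised sshd messages."""
    for kind, pattern in _PATTERNS.items():
        m = pattern.match(line.rstrip("\n"))
        if m:
            event = {k: v for k, v in m.groupdict().items() if v is not None}
            event["kind"] = kind
            return event
    return None


def notification_subject(event: Dict[str, str]) -> str:
    """Subject lines in the style of msgwatch, plus one for failed attempts."""
    if event["kind"] == "login":
        return f"SSHWATCH: {event['user']} is logging in from {event['ip']}"
    if event["kind"] == "logout":
        return f"SSHWATCH: {event['user']} is closing the session"
    return f"SSHWATCH: failed {event['method']} for {event['user']} from {event['ip']}"


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All recognised sshd events in a sequence of log lines."""
    return [ev for ev in map(parse_sshd_event, lines) if ev is not None]


# Constructed sample lines; the fingerprint and addresses are made up.
SAMPLE_LOG = [
    "Mar  7 10:17:13 silent-gabosh sshd[1234]: Accepted publickey for olli from 172.23.1.5 port 51234 ssh2: RSA SHA256:constructedfingerprint",
    "Mar  7 10:17:14 silent-gabosh sshd[1234]: pam_unix(sshd:session): session opened for user olli by (uid=0)",
    "Mar  7 10:18:02 silent-gabosh sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2",
    "Mar  7 10:20:00 silent-gabosh sshd[1234]: pam_unix(sshd:session): session closed for user olli",
]
```

The "session opened" line is deliberately left unrecognised, as in msgwatch, which only reports the close; the port that msgwatch prints as $line[12] is available here as the named "port" field of the login event.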

Changes in /usr/local/sbin/rsyncwatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/rsyncwatch

Changed on 02.03.11
Issued by olli
Beginning line 2

This is an optional script which sends an e-mail if there is an rsync connection.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
 open(PID, "</var/run/$me");
 my $pid=<PID>;
 close(PID);
 chomp($pid);
 if (-d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);

# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/srv/rsyncd.log";

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {

### RSYNCD ###
 if ($line =~ / rsyncd.+ connect from /) {
  $line=~s/  +/ /g;
  chomp($line);
  my @line=split(/ /,$line);
  # Start mail(1) directly with a list-form pipe open: no shell is involved,
  # so characters from the log line cannot be interpreted as shell syntax.
  if (open(my $mail, '|-', 'mail', '-s', "RSYNCDWATCH: rsync connection from $line[7] $line[8]", $mailto)) {
   print $mail "Hi,\n\nrsync connection from $line[7] $line[8];\n\nYour $0 [$$]\n";
   close($mail);
  }
  else {
   warn "Cannot run mail: $!";
  }
 }
}

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add sshd default
rc-update add atd default
rc-update add rsyslog default
rc-update add vixie-cron default


DHCP-Server

If you want to manage your IPs in a central way you should use a DHCP-Server. This helps you to install and configure it.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-misc/dhcp

Changes in /etc/conf.d/dhcpd

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/dhcpd

Changed on 17.11.09
Issued by olli
Beginning line 20

Only change this if you want to store your DHCP-Settings in your LDAP. This sets the configuration file for LDAP.


Before change
# DHCPD_CONF="/etc/dhcp/dhcpd.conf"
After change
DHCPD_CONF="/etc/dhcp/dhcpd.conf"

Changed on 17.11.09
Issued by olli
Beginning line 29

The Listen Interface


Before change
# DHCPD_IFACE=""
After change
DHCPD_IFACE="eth0"

Changes in /etc/conf.d/dhcpd-wlan

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/dhcpd-wlan

Changed on 17.11.09
Issued by olli
Beginning line 20

Config file for DHCP in the WLAN network


Before change
# DHCPD_CONF="/etc/dhcp/dhcpd.conf"
After change
DHCPD_CONF="/etc/dhcp/dhcpd-wlan.conf"

Changed on 17.11.09
Issued by olli
Beginning line 29

The Listen Interface


Before change
# DHCPD_IFACE=""
After change
DHCPD_IFACE="wlan0"

Changes in /etc/dhcp/dhcpd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 06.09.08
Issued by olli
Beginning line 1

DHCP base settings, only needed if you want to use DHCP without LDAP. After some default definitions like gateway, DNS server, domain name, ... it defines a range of IPs for clients. Change it according to your environment if you don't use DHCP over LDAP.


option domain-name "example.com";

default-lease-time 600;
max-lease-time 7200;

option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers my.lan.ip.addr;
option ntp-servers my.lan.ip.addr;
option routers my.lan.ip.addr;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;
subnet my.lan.network.ip netmask XXX.XXX.XXX.XXX {
 range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}

Changed on 06.09.08
Issued by olli
Beginning line 35

Here are some examples of fixed IPs for DHCP hosts (only if you don't use DHCP over LDAP).

host think-gabosh {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

host dgabosh {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

host ddgabosh {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

host smallgabosh {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

host backup-gabosh {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

host gaboshberry {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

host gaboshsleepberry {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

Changes in /etc/dhcp/dhcpd-ldap.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 17.11.09
Issued by olli
Beginning line 1

These are the settings for connecting to the LDAP server. They are only needed if you want to use LDAP as DHCP storage.

ldap-server "localhost";
ldap-port 389;
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=example,dc=com";
ldap-dhcp-server-cn "silent-gabosh.example.com";
ldap-method dynamic;
ldap-debug-file "/tmp/dhcp-ldap-startup-config";

Changes in /etc/dhcp/dhcpd-ldap-wlan.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 17.11.09
Issued by olli
Beginning line 1

These are the settings for connecting to the LDAP server. They are only needed if you want to use LDAP as DHCP storage.

ldap-server "localhost";
ldap-port 389;
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=example,dc=com";
ldap-dhcp-server-cn "silent-gabosh.example.com-wlan";
ldap-method dynamic;
ldap-debug-file "/tmp/dhcp-ldap-startup-config-wlan";

Changes in /etc/dhcp/dhcpd-wlan.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 06.09.08
Issued by olli
Beginning line 1

Configuration for DHCP in WLAN Network

option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers my.lan.ip.addr;
option domain-name "example.com";
option ntp-servers my.lan.ip.addr;
option routers XXX.XXX.XXX.XXX;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;
subnet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX {
 range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}

next-server XXX.XXX.XXX.XXX;
filename "bootx64.efi";

Changed on 06.09.08
Issued by olli
Beginning line 20

Hosts with fixed IP

host small-gabosh-wlan {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}
host htc-gabosh {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}
host htc-gabosh2 {
 hardware ethernet XX:XX:XX:XX:XX:XX;
 fixed-address XXX.XXX.XXX.XXX;
}

Changes in /etc/openldap/dhcp.ldif

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 17.11.09
Issued by olli
Beginning line 1

This is the DHCP configuration for LDAP. You only need this if you want to store your DHCP settings in LDAP. You can also mix them with the DNS entries from the DNS howto. If you have both you should use the objectClass gaboshComputer instead of DNSZone. Change the settings to fit your needs, then insert this file with

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/dhcp.ldif
when the slapd is started.


# The DHCP Object with some default settings. filename and next-server are only needed if you want to boot with PXE.

# The entries for your DHCP-Server(s)
dn: ou=DHCP-Servers,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: DHCP-Servers

dn: cn=nas-gabosh.example.com,ou=DHCP-Servers,dc=example,dc=com
objectClass: top
objectClass: dhcpServer
cn: nas-gabosh.example.com
dhcpServiceDN: cn=Computers,dc=example,dc=com
dhcpStatements: next-server XXX.XXX.XXX.XXX
dhcpOption: routers XXX.XXX.XXX.XXX
dhcpOption: domain-name-servers XXX.XXX.XXX.XXX
dhcpOption: ntp-servers XXX.XXX.XXX.XXX

dn: cn=silent-gabosh.example.com,ou=DHCP-Servers,dc=example,dc=com
cn: silent-gabosh.example.com
objectClass: top
objectClass: dhcpServer
dhcpOption: domain-name-servers my.lan.ip.addr
dhcpOption: ntp-servers my.lan.ip.addr
dhcpOption: routers my.lan.ip.addr
dhcpStatements: next-server my.lan.ip.addr
dhcpServiceDN: cn=Computers,dc=example,dc=com

# The global settings for all your DHCP-Server(s)
dn: cn=Computers,dc=example,dc=com
cn: Computers
dhcpOption: subnet-mask XXX.XXX.XXX.XXX
dhcpOption: broadcast-address XXX.XXX.XXX.XXX
dhcpOption: domain-name "example.com dmz medianet"
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true
dhcpStatements: filename "/pxelinux.0"
dhcpStatements: default-lease-time 7200
dhcpStatements: max-lease-time 14400
objectClass: dhcpService
objectClass: top
dhcpSecondaryDN: cn=silent-gabosh.example.com,ou=DHCP-Servers,dc=example,dc=com
dhcpSecondaryDN: cn=nas-gabosh.example.com,ou=DHCP-Servers,dc=example,dc=com

# The DHCP-Subnet entry:
dn: cn=XXX.XXX.XXX.XXX,cn=Computers,dc=example,dc=com
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 16
dhcpRange: XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
cn: XXX.XXX.XXX.XXX

# The entries for your DHCP-Client(s)
dn: cn=think-gabosh.example.com,cn=Computers,dc=example,dc=com
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet XX:XX:XX:XX:XX:XX
dhcpStatements: fixed-address XXX.XXX.XXX.XXX
cn: think-gabosh.example.com


Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Changed on 19.02.10
Issued by olli
Beginning line 21

If you want to store your DHCP data in LDAP you need to include this schema.

include         /etc/openldap/schema/dhcp.schema

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add dhcpd 

DNS

The goal of this topic is to use your own DNS. I use this setup for 3 zones (domains). One for my network (gabosh.net), one for my DMZ (dmz) and one for Piet's computers over the VPN (piet). Feel free to change the configuration to fit your needs.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-dns/bind
emerge net-dns/bind-tools

Changes in /etc/bind/named.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 07.09.08
Issued by olli
Beginning line 13

Listen on localhost and the LAN and forward requests if they are not known by this DNS (for internet name resolution).


Before change
        listen-on { 127.0.0.1; };
After change
        // Listen
        listen-on { 127.0.0.1/8;
                    my.lan.network.ip/16;
                    XXX.XXX.XXX.XXX/16;
        };
        // The way to the Internet (only for LAN/WLAN:  my.lan.network.ip/24, XXX.XXX.XXX.XXX/24, XXX.XXX.XXX.XXX/24 and XXX.XXX.XXX.XXX/24)
        allow-recursion { 127.0.0.1/8;
                          my.lan.network.ip/24;
                          XXX.XXX.XXX.XXX/24;
                          XXX.XXX.XXX.XXX/24;
                          XXX.XXX.XXX.XXX/24;
        };
        // Local zones
        allow-query { 127.0.0.1/8;
                      my.lan.network.ip/16;
                      XXX.XXX.XXX.XXX/16;
        };
        allow-notify { none; };
        allow-transfer { none; };

Changed on 24.03.09
Issued by olli
Beginning line 47

Log DNS-Queries

logging {
 channel queries {
  #file "/var/log/bind/dns-queries" versions 2 size 1m;
  syslog local1;
  #print-time yes;
 };
 category queries {
  queries;
 };
};

Changed on 07.09.08
Issued by olli
Beginning line 91

Zone definitions for some domains


# This is an entry for an LDAP Zone. Use this only if you want to use Bind with LDAP
#zone "example.com" IN {
#        type master;
#        database "ldap ldap://127.0.0.1/dc=example,dc=com 172800";
#        allow-update { none; };
#};

zone "example.com." IN {
        type master;
        file "zones/db.example.com";
        allow-update { none; };
};
zone "XXX.XXX.in-addr.arpa" {
        type master;
        file "zones/db.172.23";
        allow-update { none; };
};

zone "25.172.in-addr.arpa" {
        type master;
        file "zones/db.172.25";
        allow-update { none; };
};

Changes in /etc/openldap/dns.ldif

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 31.03.10
Issued by olli
Beginning line 1

These are some example LDAP entries for the DNS server and, optionally, DHCP if you manage your DHCP over LDAP too. If you have both you should use the objectClass gaboshComputer instead of DNSZone. Change the settings to fit your needs, then insert this file with

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/dns.ldif
when the slapd is started.


# Example for a DNS-Zone SOA-Host (The DNS-Server)
dn: pTRRecord=silent-gabosh.example.com.,cn=Computers,dc=example,dc=com
aRecord: my.lan.ip.addr
pTRRecord: silent-gabosh.example.com.
zoneName: example.com
zoneName: XXX.XXX.in-addr.arpa
objectClass: dNSZone
objectClass: top
sOARecord: gabosh hostmaster 2010033001 8H 4H 4W 3H
relativeDomainName: 200.0
relativeDomainName: @
nSRecord: localhost.

# Example for a DNS-entry with two CNames and DHCP
dn: cn=think-gabosh.example.com,cn=Computers,dc=example,dc=com
aRecord: XXX.XXX.XXX.XXX
cn: think-gabosh.example.com
dhcpHWAddress: ethernet XX:XX:XX:XX:XX:XX
dhcpStatements: fixed-address XXX.XXX.XXX.XXX
pTRRecord: think-gabosh.example.com.
zoneName: example.com
zoneName: XXX.XXX.in-addr.arpa
objectClass: gaboshComputer
objectClass: top
objectClass: dhcpHost
relativeDomainName: think-gabosh
relativeDomainName: 50.0

dn: relativeDomainName=oliver,cn=think-gabosh.example.com,cn=Computers,dc=example,dc=com
dNSClass: IN
dNSTTL: 86400
objectClass: dNSZone
objectClass: top
zoneName: example.com
cNAMERecord: think-gabosh.example.com.
relativeDomainName: oliver

dn: relativeDomainName=olli,cn=think-gabosh.example.com,cn=Computers,dc=example,dc=com
dNSClass: IN
dNSTTL: 86400
objectClass: dNSZone
objectClass: top
zoneName: example.com
cNAMERecord: think-gabosh.example.com.
relativeDomainName: olli


# Example for a DNS-entry with two CNames without DHCP
dn: relativeDomainName=silent-gabosh.example.com,cn=Computers,dc=example,dc=com
aRecord: my.lan.ip.addr
pTRRecord: silent-gabosh.example.com.
relativeDomainName: silent-gabosh
relativeDomainName: 200.0
zoneName: example.com
zoneName: XXX.XXX.in-addr.arpa
objectClass: dNSZone
objectClass: top

dn: relativeDomainName=silent,relativeDomainName=silent-gabosh.example.com,cn=Computers,dc=example,dc=com
dNSClass: IN
dNSTTL: 86400
objectClass: dNSZone
objectClass: top
zoneName: example.com
cNAMERecord: silent-gabosh.example.com.
relativeDomainName: silent

dn: relativeDomainName=gabosh,relativeDomainName=silent-gabosh.example.com,cn=Computers,dc=example,dc=com
dNSClass: IN
dNSTTL: 86400
objectClass: dNSZone
objectClass: top
zoneName: example.com
cNAMERecord: silent-gabosh.example.com.
relativeDomainName: gabosh


Changes in /etc/openldap/schema/gabosh.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 23.03.10
Issued by olli
Beginning line 9

This is for having DHCP and DNS in one objectClass. You only need it if you want to mix DHCP and DNS in your LDAP.

objectclass ( 1.3.6.1.4.1.35312.2 NAME 'gaboshComputer'
        DESC 'for Computer DHCP and DNS entries'
        SUP top AUXILIARY
        MAY ( DNSTTL $ DNSClass $ ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $
              CNAMERecord $ PTRRecord $ HINFORecord $ MINFORecord $ TXTRecord $ AFSDBRecord $
              SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
              NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ DSRecord $
              SSHFPRecord $ RRSIGRecord $ NSECRecord $ zoneName $ relativeDomainName )
        )

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Changed on 19.02.10
Issued by olli
Beginning line 12

If you want to use LDAP data for DNS you need to include these schemas.

include         /etc/openldap/schema/dnszone.schema
include         /etc/openldap/schema/dlz.schema

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add named default

Distcc Client

This is a small howto that shows you how to configure a distcc client.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge sys-devel/distcc

Changes in /etc/distcc/hosts

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 30.11.09
Issued by olli
Beginning line 6

The distcc hosts which should be used.


Before change
127.0.0.1
After change
think-gabosh
backup-gabosh
ion-gabosh
proll-gabosh

Changes in /etc/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 30.11.09
Issued by olli
Beginning line 31

These are the make.conf settings for distcc to be used by emerge.

#FEATURES="distcc"
#MAKEOPTS="-j2"

DynDNS

I'm using the provider Kontent for syncing my daily changing IP with the Internet-DNS for my top-level-domain and DynDNS.org for syncing the Domain gentooly.homelinux.org.
Here is a little cron-job doing this work for me.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-dns/ez-ipupdate

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 07.09.08
Issued by olli
Beginning line 17

My Provider offers an easier way to update my dynamic IP with my domain. Here you don't need ez-ipupdate. It is enough to use wget on a specific URL.

*/5 * * * * 	root	/root/scripts/dyndns.sh 2>&1

File deduplication

If you have a large file server, or anything else with many users, some files may be stored multiple times in different locations, which wastes space.
With the following script you can find identical files and automatically replace them with hardlinks to save disk space. Please be very careful with this: if a file is hardlinked and you change it, all other files linked to it change too, because for the filesystem they are the same file (same inode).
I use this for my complete system backups.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge app-misc/fdupes

Changes in /usr/local/sbin/deduplicate.pl

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 29.04.10
Issued by olli
Beginning line 2

This script finds duplicate files and replaces them with hardlinks (file deduplication). Be very careful with this!
Keep in mind that if you change one file, every file hardlinked to it changes too.

#!/usr/bin/perl -w
use strict;

# Usage: deduplicate.pl <Dir1> [dir2] [...]

# ToDo: Add a DryRun (Print only the files which will be linked and not link them)

#foreach $a (@ARGV) {
# @dirlist=`find $a -type d`;
# foreach $b (@dirlist) {
#  chomp($b);
#  push(@list,$b);
# }
#}

# Run fdupes in list form (no shell in between), so directory names containing
# spaces or shell metacharacters are passed through unchanged.
open(my $fdupes, '-|', 'fdupes', '-q', '-r', @ARGV)
 or die "Cannot run fdupes: $!";
my @duplicates=<$fdupes>;
close($fdupes);

# fdupes prints one group of identical files per paragraph, separated by an
# empty line. The first file of a group is kept as the link source; every
# further file of the group is replaced by a hardlink to it.
my $new=1;
my $sourcefile;
foreach my $file (@duplicates) {
 chomp($file);
 unless ($file) {
  $new=1;
  next;
 }
 if ($new) {
  $sourcefile=$file;
  $new=0;
  next;
 }
 print "ln -f $sourcefile $file\n";
 # list form of system() avoids the shell, so file names are never interpreted
 system('ln', '-f', $sourcefile, $file) == 0
  or warn "ln failed for $file: $?\n";
}
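
The script above leaves a dry run as a ToDo and links whatever fdupes reports. As an added example, not the author's deduplicate.pl, the following POSIX shell functions do the same job with a dry-run mode and two checks a practitioner wants before hardlinking: a pair that already shares an inode is skipped, and so is a pair on different filesystems, because a hardlink cannot cross them. The example assumes GNU coreutils (sha256sum, stat -c) and find -print0/xargs -0, and detects duplicates by SHA-256 of the content instead of fdupes so that it runs without extra packages; the first file of each group in sorted order is the link source.

```shell
#!/bin/sh
# Added example, not the author's deduplicate.pl: find files with identical
# content below a directory and replace the duplicates by hardlinks, with the
# dry-run mode the script's ToDo asks for.
# Assumptions: GNU coreutils (sha256sum, stat -c) and find -print0/xargs -0;
# duplicates are detected by SHA-256 instead of fdupes so that no extra package
# is needed. The first file of each group in sorted order is the link source.

# dedup_pairs DIR
# Prints one "SOURCE<TAB>DUPLICATE" line for every file whose content equals
# that of an earlier file in the same group.
dedup_pairs() {
    find "$1" -type f -print0 | xargs -0 sha256sum | sort |
    awk '{ h = $1; p = substr($0, 67)          # 64 hex digits + two spaces
           if (h == prev) print src "\t" p; else { prev = h; src = p } }'
}

# dedup_dir DIR [dry]
# Replaces each duplicate by a hardlink to its source; with "dry" it only
# prints what it would do. Pairs that already share an inode are skipped, and
# so are pairs on different filesystems, because a hardlink cannot cross them.
dedup_dir() {
    dir=$1 mode=${2:-link} tab=$(printf '\t')
    dedup_pairs "$dir" | while IFS="$tab" read -r src dup; do
        if [ "$(stat -c %d:%i "$src")" = "$(stat -c %d:%i "$dup")" ]; then
            continue                           # already the same inode
        fi
        if [ "$(stat -c %d "$src")" != "$(stat -c %d "$dup")" ]; then
            echo "skip (different filesystem): $dup" >&2
            continue
        fi
        echo "ln -f $src $dup"
        [ "$mode" = dry ] || ln -f "$src" "$dup"
    done
}
```

Run `dedup_dir /srv/backup dry` first and read the list; only then run it without the second argument. Because the file names are always quoted and never handed to a shell as part of a command string, names with spaces are handled; names containing a tab or newline are the one remaining edge case of this text-based approach.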

File-Server - Samba

Here is my configuration for the classic file server Samba. With this service you can access your shares from Windows, Linux and some other operating systems that support the CIFS protocol. With the share homes you can share the home directories of your users over the network.
You want to use OpenLDAP for Samba authentication etc.? Then you should first finish the OpenLDAP howto.
If you don't use OpenLDAP, you have to create an additional password file for your Samba users with the following commands:
smbpasswd -a user1
smbpasswd -a user2
The usernames have to be identical to your system user names. This is necessary for mapping the UIDs to the Samba users.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-fs/samba

Changes in /etc/openldap/samba.ldif

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 28.05.09
Issued by olli
Beginning line 1

This is only needed when you want to authenticate Samba over LDAP.
Create the encrypted password (userPassword) with:

slappasswd
and then insert this file with
ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/samba.ldif
when the slapd is started. This creates an administrative user for Samba which is needed e.g. for changing passwords of the users over Samba.

dn: cn=smbadmin,ou=SystemUsers,ou=People,dc=example,dc=com
givenName: Samba
sn: Administrator
uid: smbadmin
cn: smbadmin
userPassword: XXXXXXXXXXXXXXXXXXXXXXXX
objectClass: inetOrgPerson
objectClass: top

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Changed on 19.02.10
Issued by olli
Beginning line 17

If you want to use LDAP-Data for Samba you need to include this schema

include         /etc/openldap/schema/samba.schema

Changes in /etc/pam.d/system-auth

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 20.05.09
Issued by olli
Beginning line 20

Sync a user password changed with the passwd command to the Samba password if the user exists in Samba.

password        sufficient      pam_smbpass.so use_authtok nullok use_first_pass

Changes in /etc/samba/smb.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 10.09.08
Issued by olli
Beginning line 1

This is the global part of the Samba configuration file. You should edit the following options for your environment:

[global]
   workgroup = GABOSHNET
   netbios name = gabosh
   server string = gabosh
   #log file = /var/log/samba/samba.log
   #log level = 0
   security = user
   encrypt passwords  = true
   pam password change = yes
   unix password sync = yes
   smb passwd file = /etc/samba/smbpasswd
   interfaces = br0
   unix charset = UTF-8
   display charset = UTF-8
   case sensitive = yes
   create mask = 750
   directory mask = 750
   follow symlinks = yes
   wide links = no
   unix extensions = no
   hide unreadable = yes
   hide dot files = yes
   socket options = TCP_NODELAY IPTOS_LOWDELAY

Changed on 28.05.09
Issued by olli
Beginning line 27

This is the LDAP global part of the Samba configuration file. Use this only if you want to authenticate over LDAP. For this you need a working LDAP server; have a look at the OpenLDAP howto.
The goal of this is that you don't have to add users with "smbpasswd" and don't have to change a password twice if you have the same users for Windows and Linux.
You should edit the following options for your environment:

   # How to connect to the LDAP-Server
   passdb backend = ldapsam:ldap://127.0.0.1:389/
   # The Base DN
   ldap suffix = dc=example,dc=com
   # The LDAP path to computer, user and group accounts
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   # This is the Samba admin user.
   # This account is needed e.g. for changing passwords of the users.
   # You should give the smbadmin user appropriate rights in slapd.conf for doing this.
   # After all you have to add the smbadmin password to your Samba.
   # This is needed so that Samba can authenticate with smbadmin against LDAP.
   # You have to create this user in the LDAP too. See: http://doc.example.com/howto_OpenLDAP.html
   # To store the smbadmin password for Samba use "smbpasswd -W" after you have written this config.
   ldap admin dn = cn=smbadmin,ou=SystemUsers,ou=People,dc=example,dc=com
   ldap delete dn = no
   # This is for password synchronisation between the Unix and the Samba password in LDAP. 
   # So if you change your Samba password over smbpasswd or Windows this option changes your Unix/Linux password too.
   ldap password sync = yes

Changed on 10.09.08
Issued by olli
Beginning line 50

Here are some share definitions.
"homes" serves the users' home directories, "share" is a share for every valid system user.

[homes]
   comment = Private Verzeichnisse
   browseable = no
   writable = yes
   valid users = @users

[share]
   comment = Share
   path = /srv/share
   guest ok = no
   writable = yes
   printable = no
   browseable = no
   valid users = @users

Changes in /etc/security/limits.d/samba.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.06.10
Issued by olli
Beginning line 1

Allow 16384 open files. This prevents the following warning: rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)

* - nofile 16384 

Changes in /usr/local/sbin/smbwatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 02.03.11
Issued by olli
Beginning line 2

This is a daemon which sends an e-mail when a user logs in.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
my $pidfile="/var/run/$me";
if (-f $pidfile) {
 open(my $pidfh, '<', $pidfile) or die "Cannot read $pidfile: $!";
 my $pid=<$pidfh>;
 close($pidfh);
 chomp($pid) if defined($pid);
 # only act on a numeric PID read from the file
 if (defined($pid) && $pid =~ /^\d+$/ && -d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(my $pidout, '>', $pidfile) or die "Cannot write $pidfile: $!";
print {$pidout} $$;
close($pidout);

# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/var/log/samba/samba.log";

# Send one notification. mail(1) is started in list form (no shell), so the
# log line and the user name are passed as data and can never be executed as
# part of a command line.
sub notify {
 my ($subject, $body)=@_;
 open(my $mail, '|-', 'mail', '-s', $subject, $mailto)
  or do { warn "Cannot run mail: $!"; return; };
 print {$mail} "Hi,\n\n$body\n\nYour $0 [$$]\n";
 close($mail);
}

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
 if ($line =~ /authentication for user/) {
  $line=~s/  +/ /g;
  $line=~s/\[//g;
  $line=~s/\]//g;
  $line=~s/^ +//;
  my $smbstatus=`smbstatus`;
  my @line=split(/ /,$line);
  # field 4 is the user name in "authentication for user [NAME] -> ..."
  notify("SMBWATCH: $line[4] is logging in",
         "$line[4] is logging in:\n$smbstatus\n$line");
 }

 if ($line =~ /closed connection/) {
  $line=~s/  +/ /g;
  $line=~s/\[//g;
  $line=~s/\]//g;
  $line=~s/^ +//;
  my $smbstatus=`smbstatus`;
  my @line=split(/ /,$line);
  # field 0 is the user, field 6 the service in "USER (IP) closed connection to service NAME"
  notify("SMBWATCH: $line[0] is closing the connection to service $line[6]",
         "$line[0] is closing the connection to service $line[6]:\n\n$line\n$smbstatus");
 }
}
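
The daemon above picks the user name out of the Samba log line by field position and then builds a mail. As an added example, not the author's smbwatch, the following POSIX shell functions do the same two steps in a form that can be tested against sample lines: the parser extracts the user (and the service for a closed connection), and the notifier hands subject and recipient to mail(1) as separate arguments, so a user name that contains shell syntax stays literal. The sample lines are constructed after the two message formats smbwatch matches; SMBWATCH_MAIL (default "mail") and SMBWATCH_TO (default mail@example.com, the address used on this page) are my variable names, not anything Samba provides.

```shell
#!/bin/sh
# Added example, not the author's smbwatch: pull the user (and service) out of
# the two Samba log lines smbwatch reacts to, and hand the notification to
# mail(1) as separate arguments, so log content can never be run as a command.
# Assumptions: the sample lines below are constructed after the
# "authentication for user [NAME] ..." and "NAME (IP) closed connection to
# service SHARE" messages smbwatch matches; SMBWATCH_MAIL (default "mail") and
# SMBWATCH_TO (default mail@example.com) are my variable names.

# smb_event LINE
# Prints "login USER" or "close USER SERVICE"; other lines produce no output.
smb_event() {
    case $1 in
        *"authentication for user"*)
            # the user is the first bracketed name after "authentication for user"
            printf '%s\n' "$1" |
                sed -n 's/.*authentication for user \[\([^]]*\)\].*/login \1/p'
            ;;
        *"closed connection to service"*)
            printf '%s\n' "$1" |
                sed -n 's/^ *\([^ ]*\) (.*) closed connection to service \(.*\)$/close \1 \2/p'
            ;;
    esac
}

# smb_notify USER EVENT [SERVICE]
# Builds subject and body and pipes the body to mail(1). Because subject and
# recipient are passed as arguments, a user name like '$(id)' stays literal.
smb_notify() {
    user=$1 event=$2 service=${3:-}
    if [ "$event" = login ]; then
        subject="SMBWATCH: $user is logging in"
        body="$user is logging in"
    else
        subject="SMBWATCH: $user is closing the connection to service $service"
        body="$user is closing the connection to service $service"
    fi
    printf 'Hi,\n\n%s\n\nYour %s [%s]\n' "$body" "$0" "$$" |
        "${SMBWATCH_MAIL:-mail}" -s "$subject" "${SMBWATCH_TO:-mail@example.com}"
}

# Constructed sample lines (the message part of two samba.log entries)
SAMPLE_LOGIN='  check_ntlm_password:  authentication for user [olli] -> [olli] -> [olli] succeeded'
SAMPLE_CLOSE='  olli (192.168.1.23) closed connection to service share'
```

Wired to a log tail it would read `tail -F /var/log/samba/samba.log | while read -r l; do set -- $(smb_event "$l"); [ -n "$1" ] && smb_notify "$2" "$1" "$3"; done`; the important property is that nothing from the log line is ever part of a command string, only ever an argument.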

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add samba 

Firewall

Because of the complexity of my network-configuration (2VPNs, 3 NICS, 1 Bridge, DMZ...), I decided to write my own firewall-script. Here it is.
Don't forget to make it executable... ;-)

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-firewall/iptables
emerge sys-apps/iproute2

Changes in /etc/local.d/services.start

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 06.10.08
Issued by olli
Beginning line 1

Starting the firewall after system boot.

/usr/local/sbin/fire.sh

Changes in /etc/sysctl.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 06.09.08
Issued by olli
Beginning line 13

This enables IP forwarding (kernel routing).


Before change
#net.ipv4.ip_forward = 0
After change
net.ipv4.ip_forward = 1

Changed on 06.09.08
Issued by olli
Beginning line 44

This ignores ICMP-Broadcasts.


Before change
#net.ipv4.icmp_echo_ignore_broadcasts = 1
After change
net.ipv4.icmp_echo_ignore_broadcasts = 1

Changes in /usr/local/sbin/fireoff.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

With this script you can deactivate everything you configured with the fire.sh script. This can be helpful if you want to test something without a firewall.

#!/bin/bash

# deactivate antispoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 0 > $f
done

# deactivate antispoofing logging
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
 echo 0 > $f
done

# allow ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
 echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
 echo 1 > $f
done

# allow source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
 echo 1 > $f
done

# receive ICMP broadcast echos
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# don't ignore bogus ICMP error responses
echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

echo 1 >/proc/sys/net/ipv4/tcp_timestamps
echo 1 >/proc/sys/net/ipv4/tcp_window_scaling


# reset/allow everything
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE 


Changes in /usr/local/sbin/fire.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 21.04.12
Issued by olli
Beginning line 2

This is my firewall script.
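
The script below describes its port forwardings with entries of the form SourceIP:Sourceport:DestinationIP:Destinationport:Protocol (the INETPORTFW, LANPORTFW, WLANPORTFW and VPNPORTFW variables). As an added example, not part of the author's fire.sh, the following POSIX shell function expands one such entry into the two iptables rules a NAT router needs for it, a DNAT in the nat table and a matching FORWARD accept limited to NEW connections to exactly that destination, and prints the commands instead of executing them, so the rules a configuration line would produce can be reviewed before anything is loaded as root. The interface argument, the printed rule form and the protocol check are my assumptions; how fire.sh itself expands these entries may differ.

```shell
#!/bin/sh
# Added example, not part of the author's fire.sh: expand one port forwarding
# entry in the script's "SRC:SPORT:DIP:DPORT:PROTO" syntax into the iptables
# rules a NAT router needs, and print them instead of running them, so the
# result can be reviewed before it is applied as root.
# Assumptions: the incoming interface is the first argument; the expansion is a
# DNAT in the nat table plus a FORWARD accept for NEW connections to exactly the
# forwarded destination; how fire.sh itself expands the entries may differ.

# portfw_rules IFACE ENTRY
# Prints the two iptables commands for ENTRY; returns 1 on a malformed entry.
portfw_rules() {
    iface=$1
    entry=$2
    # split the entry on ':' into its five fields
    oldifs=$IFS
    IFS=:
    set -- $entry
    IFS=$oldifs
    if [ "$#" -ne 5 ]; then
        echo "portfw_rules: malformed entry '$entry' (expected 5 fields)" >&2
        return 1
    fi
    src=$1 sport=$2 dip=$3 dport=$4 proto=$5
    case $proto in
        tcp|udp) ;;
        *) echo "portfw_rules: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    # rewrite the destination of matching packets arriving on IFACE ...
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$src" "$proto" "$sport" "$dip" "$dport"
    # ... and let only those rewritten connections through FORWARD, nothing else
    printf 'iptables -A FORWARD -i %s -s %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$src" "$proto" "$dip" "$dport"
}

# portfw_all IFACE "ENTRY1 ENTRY2 ..."
# Expands a whole space separated list, as the script's *PORTFW variables hold it.
portfw_all() {
    iface=$1
    for entry in $2; do
        portfw_rules "$iface" "$entry" || return 1
    done
}

# Demo with the constructed entries used in the script (my.lan.ip.addr is a placeholder)
if [ "${1:-}" = "--demo" ]; then
    portfw_all ppp0 "0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
fi
```

The FORWARD rule deliberately repeats the destination address and port instead of accepting everything that arrives on the interface, so that a DNAT entry only ever opens the one forwarded service and nothing else behind the router.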

#!/bin/bash

/etc/init.d/fail2ban stop

### CONFIGURATION ###

# Internet Interface
INETIF="ppp0"
# Opened INET Ports TCP/UDP
INETTCP="22 25 66 80 143 443 873 993 995 5222 5269 45863"
INETUDP=""
# Portforwarding(s) for connections from INET-Devices: 
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
#INETPORTFW="0.0.0.0/0:82:192.168.178.1:80:tcp"
INETPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"
# Here you can enter trusted IPs or whole networks for completely routing of them
#INETROUTED=""

# LAN Interface
LANIF="eth0"
# Opened LAN Ports TCP/UDP | 4713=pulseaudio
LANTCP="$INETTCP 20 24 111 139 389 445 631 636 66 2049 6566 32765:32768 45863 8118 4713"
LANUDP="$INETUDP 53 69 123 111 137 138 631 2049 5000:5040 5060 6566 32765:32768"
# Portforwarding(s) for connections from LAN-Devices:
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
LANPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"

# WLAN Interface
WLANIF="wlan0"
WLANTCP="$LANTCP"
WLANUDP="$LANUDP"
# Portforwarding(s) for connections from WLAN-Devices:
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
WLANPORTFW="0.0.0.0/0:465:my.lan.ip.addr:25:tcp 0.0.0.0/0:587:my.lan.ip.addr:25:tcp"

# VPN Interface(s)
VPNIF="tap0 tap1"
# Opened VPN Ports TCP/UDP
VPNTCP="$INETTCP 24 631 6566"
VPNUDP="$INETUDP 53 123 631 6566"
# Portforwarding(s) for connections from VPN-Devices: 
# Syntax: "SourceIP:Sourceport1:Destinationip1:Destinationport1:Protocol1 SourceIP2:Sourceport2:Destinationip2:Destinationport2:Protocol2"
# This enables routing on routed Networks too (but only for the destination-Port/IP)
#VPNPORTFW="XXX.XXX.XXX.XXX:82:XXX.XXX.XXX.XXX:22:tcp"
# Here you can enter trusted IPs or whole networks for completely routing of them
VPNROUTED=""

# Optional SIP GW for incoming calls
SIPGWS="sip.1und1.de"
RTPRANGE="5000:5040"

### CONFIGURATION END ###



### Some kernel parameters ###

# Antispoofing
for FILTER in /proc/sys/net/ipv4/conf/*/rp_filter; do
 echo 1 > $FILTER
done
# Antispoofing Logging
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
# echo 1 > $f
#done
# Deny ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
 echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
 echo 0 > $f
done
# Deny Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
 echo 0 > $f
done
# Ignore ICMP broadcast echos
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Ignore Bogus ICMP-Errors
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Disable packet size scaling (TCP timestamps and window scaling)
echo 0 >/proc/sys/net/ipv4/tcp_timestamps
echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
# Disable WLAN Power saving
iw dev $WLANIF set power_save off
# activate IP forwarding (routing)
echo 1 > /proc/sys/net/ipv4/ip_forward


### prepare iptables - Reset/Deny all ###

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Drop all zeroconf IPs
iptables -A INPUT -s XXX.XXX.XXX.XXX/16 -j DROP
iptables -A FORWARD -s XXX.XXX.XXX.XXX/16 -j DROP

# Drop reset packets
iptables -A INPUT -p tcp --tcp-flags ALL RST,ACK -j DROP

### Routing the networks ###

# Masquerade routing into the Internet
iptables -t nat -A POSTROUTING -o $INETIF -j MASQUERADE

# LAN will be routed everywhere
iptables -A FORWARD -i $LANIF -m conntrack --ctstate NEW -j ACCEPT
# WLAN will be routed everywhere
iptables -A FORWARD -i $WLANIF -m conntrack --ctstate NEW -j ACCEPT
# Allow all already opened connections to be routed. This does not allow incoming/new connections to be routed: the connection has to be opened from the LAN or from a trusted/routed host
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# If you are using this node as a NAT router, the systems behind it have no way to know the real MTU of the PPPoE interface. Therefore these systems will try to use packets bigger than the maximum allowed, which will be dropped without warning by routers.
# The solution, unless you want to configure all your devices with a reduced MTU, is to instruct the routing host to intercept all TCP handshake packets and correct on the fly the wrong MSS value requested by the internal hosts.
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Allow new connections from trusted hosts/networks on the Internet side (INETROUTED) to be routed
for INETNETIP in $INETROUTED
do
 iptables -A FORWARD -i $INETIF -s $INETNETIP -m conntrack --ctstate NEW -j ACCEPT
done

# Routing VPN Devices
for VIF in $VPNIF
do
 # Allow new connections from trusted hosts/networks in the VPN (VPNROUTED) to be routed, but not into the Internet
 for VPNNETIP in $VPNROUTED
 do
  iptables -A FORWARD -i $VIF ! -o $INETIF -s $VPNNETIP -m conntrack --ctstate NEW -j ACCEPT
 done
 # Block broadcasts
 iptables -A INPUT -i $VIF -d XXX.XXX.XXX.XXX -j DROP
 iptables -A FORWARD -i $VIF -d XXX.XXX.XXX.XXX -j DROP
 # Allow routing into VPN(s)
 iptables -t nat -A POSTROUTING -o $VIF -j MASQUERADE
done


### Portforwarding ###

# Portforwarding for INETLAN
for PFW in $INETPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Rule for portforwarding
 iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $INETIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
 # Allow forwarding
 iptables -A FORWARD -s $SRCIP -p $PROT -i $INETIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
done

# Portforwarding for LAN
for PFW in $LANPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Rule for portforwarding
 iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $LANIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
 # Allow forwarding
 iptables -A FORWARD -s $SRCIP -p $PROT -i $LANIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
done

# Portforwarding for WLAN
for PFW in $WLANPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Rule for portforwarding
 iptables -A PREROUTING -t nat -s $SRCIP -p $PROT -i $WLANIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
 # Allow forwarding
 iptables -A FORWARD -s $SRCIP -p $PROT -i $WLANIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
done

# Portforwarding for VPNLAN
for PFW in $VPNPORTFW
do
 # Get DATA
 SRCIP=`echo "$PFW" | cut -d':' -f 1`
 SRCPORT=`echo "$PFW" | cut -d':' -f 2`
 DSTIP=`echo "$PFW" | cut -d':' -f 3`
 DSTPORT=`echo "$PFW" | cut -d':' -f 4`
 PROT=`echo "$PFW" | cut -d':' -f 5`
 # Go through every VPN IF
 for VIF in $VPNIF
 do
  # Rule for portforwarding
  iptables -A PREROUTING -t nat -p $PROT -s $SRCIP -i $VIF --dport $SRCPORT -j DNAT --to $DSTIP:$DSTPORT
  # Allow forwarding
  iptables -A FORWARD -p $PROT -s $SRCIP -i $VIF -m conntrack --ctstate NEW -d $DSTIP --dport $DSTPORT -j ACCEPT
 done
done

# The last FORWARD rule is for logging. The policy is DROP, so all traffic reaching this rule is dropped
iptables -A FORWARD -j LOG --log-prefix "FW: FORWARD DROP: "


### Outgoing traffic from the Server ###

# Allow all outgoing connections with valid state
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED,NEW -j ACCEPT
# The last OUTPUT rule is for logging. The policy is DROP, so all traffic reaching this rule is dropped
iptables -A OUTPUT -j LOG --log-prefix "FW: OUTPUT DROP: "


### Incoming traffic into the Server ###

# Keep established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow all incoming connections from localhost
iptables -A INPUT  -i lo -j ACCEPT

# Open Ports TCP/UDP
# Create Chains
iptables -N gabosh-inet
iptables -N gabosh-lan
iptables -N gabosh-wlan
iptables -N gabosh-vpn
# Predefine Chains
iptables -A INPUT -i $INETIF -j gabosh-inet
iptables -A INPUT -i $LANIF -j gabosh-lan
iptables -A INPUT -i $WLANIF -j gabosh-wlan
for VIF in $VPNIF
do
 iptables -A INPUT -i $VIF -j gabosh-vpn
done
# INET/TCP
for PORT in $INETTCP 
do
 iptables -A gabosh-inet -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# INET/UDP
for PORT in $INETUDP
do
 iptables -A gabosh-inet -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# LAN/TCP
for PORT in $LANTCP
do
 iptables -A gabosh-lan -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# LAN/UDP
for PORT in $LANUDP
do
 iptables -A gabosh-lan -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# WLAN/TCP
for PORT in $WLANTCP
do
 iptables -A gabosh-wlan -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# WLAN/UDP
for PORT in $WLANUDP
do
 iptables -A gabosh-wlan -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# VPN/TCP
for PORT in $VPNTCP
do
 iptables -A gabosh-vpn -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# VPN/UDP
for PORT in $VPNUDP
do
 iptables -A gabosh-vpn -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
done
# Allow ping from VPNs and LAN
iptables -A gabosh-vpn -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-lan -p icmp --icmp-type echo-request -j ACCEPT
iptables -A gabosh-wlan -p icmp --icmp-type echo-request -j ACCEPT
# Allow incoming SIP connections (calls)
#for SIPGW in $SIPGWS
#do
# host $SIPGW | grep "has address" | while read ips
#  do ip=`echo $ips | cut -d" " -f4`
#  iptables -A gabosh-inet -p udp -s $ip --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
#  iptables -A gabosh-inet -p udp -s $ip --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT
# done
#done
iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/16 --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
iptables -A gabosh-inet -p udp -s XXX.XXX.XXX.XXX/16 --dport $RTPRANGE -m conntrack --ctstate NEW -j ACCEPT

# The last INPUT rule is for logging. The policy is DROP, so all traffic reaching this rule is dropped
iptables -A INPUT -j LOG --log-prefix "FW: INPUT DROP: "

# Start fail2ban again so that its own iptables rules, removed by the flush above, are restored
/etc/init.d/fail2ban start
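The four portforwarding loops above split each PORTFW entry with cut and splice the fields straight into iptables commands, so a mistyped entry ends up as a broken or unexpectedly wide rule. As an added example that is not part of the original script, this bash helper validates one entry in the same SourceIP:Sourceport:Destinationip:Destinationport:Protocol format and prints the rules it would load instead of running them; the function names and the 192.0.2.x sample addresses are constructed.

```bash
#!/bin/bash
# Added example: validating parser for the PORTFW entries of the firewall
# script (helper names and sample addresses are constructed, not from the page).
# Entry syntax, as in the configuration block:
#   SourceIP[/prefix]:Sourceport:DestinationIP:Destinationport:Protocol
# portfw_rules prints the two iptables commands it would run for one entry
# instead of executing them (dry run); it prints nothing and returns 1 when
# any field is malformed, so a typo cannot become a broken or overly wide rule.

# Succeed if $1 is a dotted-quad IPv4 address with an optional /prefix.
is_ipv4_net() {
  local spec="$1" addr prefix octet
  addr="${spec%%/*}"
  case "$spec" in
    */*) prefix="${spec#*/}"
         case "$prefix" in ""|*[!0-9]*) return 1 ;; esac
         [ "$prefix" -le 32 ] || return 1 ;;
  esac
  case "$addr" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local IFS=.
  set -- $addr
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Succeed if $1 is a port number in 1..65535.
is_port() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the NAT and FORWARD rules for entry $1 arriving on interface $2.
portfw_rules() {
  local entry="$1" ifname="$2" src sport dst dport prot rest
  case "$ifname" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
  IFS=: read -r src sport dst dport prot rest <<EOF
$entry
EOF
  [ -z "$rest" ] || return 1                 # more than five fields
  is_ipv4_net "$src" || return 1
  is_port "$sport" || return 1
  case "$dst" in */*) return 1 ;; esac       # DNAT target must be one host
  is_ipv4_net "$dst" || return 1
  is_port "$dport" || return 1
  case "$prot" in tcp|udp) ;; *) return 1 ;; esac
  printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$ifname" "$src" "$prot" "$sport" "$dst" "$dport"
  printf 'iptables -A FORWARD -i %s -s %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$ifname" "$src" "$prot" "$dst" "$dport"
}

# Check a whole space-separated list (the format of $INETPORTFW, $LANPORTFW,
# ...); succeeds only if every entry is valid and reports the bad ones.
check_portfw_list() {
  local ifname="$1" list="$2" entry rc=0
  for entry in $list; do
    portfw_rules "$entry" "$ifname" >/dev/null || { echo "invalid entry: $entry" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample list: entry 1 is the 465->25 forward from the page's
# WLANPORTFW, entry 2 has an out-of-range port and must be rejected.
SAMPLE_PORTFW="0.0.0.0/0:465:192.0.2.10:25:tcp 0.0.0.0/0:99999:192.0.2.10:25:tcp"
if check_portfw_list wlan0 "$SAMPLE_PORTFW"; then
  echo "all entries valid"
else
  echo "fix the configuration before loading the firewall" >&2
fi
```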


Please send a feedback to: doc<at>gabosh.net


HD-Spindown

You can check the current power state with
hdparm -C /dev/disk
Please be careful with this solution. If you set the timeout too low, it is possible that your disk spins up and down very often, which is not very good for your hardware...

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge sys-apps/hdparm

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/crontab

Changed on 30.11.10
Issued by olli
Beginning line 27

Shutdown /dev/sdb if it is inactive

*/5 * * * *     root    /usr/local/sbin/hdspindown.sh sdb

Changes in /usr/local/sbin/hdspindown.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/hdspindown.sh

Changed on 30.11.10
Issued by olli
Beginning line 2

This is a small script to observe the inactivity of the given disk(s). If a given disk has been inactive for longer than $inactive minutes, it is spun down and set to sleep (e.g. for power saving). If a disk is shut down, a mail is sent to root.

#!/bin/bash

# Time of inactivity (minutes) after which the disk is spun down
inactive=30

# Get default profile
. /etc/profile

# Function for checking the disks state
function checkactive {
 # If the disk is not spun down yet - shut the disk down
 if hdparm -C /dev/$1 | grep active >/dev/null
 then
  echo "`date` Spinning down $1" >> /tmp/spinned-down
  echo "1" >/tmp/spindown$1
  spindown $1
# else
#  echo "`date` Already spinned down $1" >> /tmp/spinned-down
 fi
}

# Function for sending a mail and spindown the disk
function spindown {
 echo "Issuing sleep on disk $1:

`ls -l /sys/block/$1/stat`
`cat /sys/block/$1/stat`

`ls -l /tmp/$1-stat`
`cat /tmp/$1-stat`

Date: `date`

Issuing command: hdparm -y /dev/$1:
`hdparm -y /dev/$1 2>&1`
" | mail -s "Spinning down $1" root
}

# Check commandline
if [ $# -eq 0 ]
then
 echo "This is a small script to observe the inactivity of the given disk(s). If a given disk has been inactive for longer than $inactive minutes, it is spun down and set to sleep (e.g. for power saving). If a disk is shut down, a mail is sent to root.
 
 Please enter the disk(s) you want to observe, separated by spaces. E.g. for observing /dev/hdb and /dev/sda:
$0 hdb sda"
 exit 1
fi

# Go through the arguments
for disk in $*
do
 # If the disk exists
 if [ -L "/sys/block/$disk" ]
 then
   # Create diff-file if it does not exist
  [ -f /tmp/$disk-stat ] || touch /tmp/$disk-stat
  # If there was nothing changed 
  if diff /sys/block/$disk/stat /tmp/$disk-stat >/dev/null 2>&1
  then
    # Check whether the disk has been inactive for longer than $inactive minutes
   find /tmp/$disk-stat -mmin -$inactive | grep $disk >/dev/null || checkactive $disk
  # If the file is changed
  else
   # Save changed file
   cat /sys/block/$disk/stat > /tmp/$disk-stat
   if [ -f /tmp/spindown$disk ]
   then
    echo "Disk $disk active again" | mail -s "$disk active again" root
    echo "`date` Disk active: $disk" >> /tmp/spinned-down
    rm -f /tmp/spindown$disk
   fi
#   echo "`date` Disk active: $disk" >> /tmp/spinned-down
  fi
 # If the disk does not exist
 else
  echo "Disk $disk seems not to exist"
 fi
done

Please send a feedback to: doc<at>gabosh.net


Horde Groupware Webmail

This is a short howto/example of how I set up my Horde with its applications like Webmail, Groupware, PGP (GnuPG), Sieve filters, LDAP auth, ...
Here are some commands for installing Horde 4 via PEAR.
# Set your paths
BASEDIR=/var/www/horde-test.gabosh.net
PEARDIR=$BASEDIR/pear
WEBDIR=$BASEDIR/htdocs

rm /usr/bin/phpize
ln -s /usr/lib/php*/bin/phpize /usr/bin/phpize

mkdir -p $PEARDIR/pear
mkdir -p $WEBDIR
pear config-create $PEARDIR $PEARDIR/pear.conf
pear -c $PEARDIR/pear.conf install pear

$PEARDIR/pear/pear -c $PEARDIR/pear.conf channel-discover pear.horde.org
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install horde/horde_role
$PEARDIR/pear/pear -c $PEARDIR/pear.conf run-scripts horde/Horde_Role

$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/imp
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/kronolith
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/ingo
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/nag
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/turba
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/mnemo
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/passwd
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/gollem
$PEARDIR/pear/pear -c $PEARDIR/pear.conf install -a -B horde/wicked

chown -R root:root $BASEDIR
find $BASEDIR -type d -exec chmod 755 {} \;
find $BASEDIR -type f -exec chmod 644 {} \;
chown apache:root $WEBDIR/static
chown apache:root $WEBDIR/config
chown apache:root $WEBDIR/*/config

After these steps you should be able to open your Horde installation in your web browser and create the basic configuration.
Do this in the left menu under "Administration" -> "Configuration".
After that you can continue with the configuration files in the config directories shown below.



Here are some steps for upgrading your Horde:
# Set your paths
BASEDIR=/var/www/horde-test.gabosh.net
PEARDIR=$BASEDIR/pear
WEBDIR=$BASEDIR/htdocs

rm /usr/bin/phpize
ln -s /usr/lib/php*/bin/phpize /usr/bin/phpize
chmod 755 $PEARDIR/pear/pear
$PEARDIR/pear/pear -c $PEARDIR/pear.conf upgrade -a -B -c horde

chown -R root:root $BASEDIR
find $BASEDIR -type d -exec chmod 755 {} \;
find $BASEDIR -type f -exec chmod 644 {} \;
chown apache:root $WEBDIR/static
chown apache:root $WEBDIR/config
chown apache:root $WEBDIR/*/config

If you want to use this solution you need the following howto(s) finished:

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/crontab

Changed on 04.08.11
Issued by olli
Beginning line 47

CronJob for Horde alarms - Please adjust paths

0 5 * * *	root	/usr/local/bin/horde.sh

Changes in /etc/openldap/schema/horde-turba.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/openldap/schema/horde-turba.schema

Changed on 11.08.11
Issued by olli
Beginning line 1

Horde-LDAP schema for Turba

#
# Turba attribute branch 1.3.6.1.4.1.13040.4.1.*
#
attributetype ( 1.3.6.1.4.1.13040.4.1.2
  NAME 'turbaType'
  DESC 'Turba Object Type: Contact/List'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} )

attributetype ( 1.3.6.1.4.1.13040.4.1.3
  NAME 'turbaMembers'
  DESC 'Encoded members of a Turba list'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4000} )

attributetype ( 1.3.6.1.4.1.13040.4.1.4
  NAME 'turbaPGPPublicKey'
  DESC 'PGP/GPG Public Key'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4000} )

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Click here for a download of the complete file: /etc/openldap/slapd.conf

Changed on 11.08.11
Issued by olli
Beginning line 29

LDAP schema for turba

include         /etc/openldap/schema/horde-turba.schema

Changes in /usr/local/bin/horde.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/bin/horde.sh

Changed on 04.08.11
Issued by olli
Beginning line 2

CronJob for Horde alarms - Please adjust paths

#!/bin/bash

exec >/dev/null

PEARDIR=/var/www/horde-test.example.com/pear
rm -f $PEARDIR/pear.conf
pear -c $PEARDIR/pear.conf config-set php_bin /usr/bin/php
pear -c $PEARDIR/pear.conf config-set php_ini /etc/php/cli-php5.6/php.ini
pear -c $PEARDIR/pear.conf config-set bin_dir $PEARDIR/pear
pear -c $PEARDIR/pear.conf config-set doc_dir $PEARDIR/pear/docs
pear -c $PEARDIR/pear.conf config-set ext_dir $PEARDIR/pear/ext
pear -c $PEARDIR/pear.conf config-set php_dir $PEARDIR/pear/php
pear -c $PEARDIR/pear.conf config-set cache_dir $PEARDIR/pear/cache
pear -c $PEARDIR/pear.conf config-set cfg_dir $PEARDIR/pear/cfg
pear -c $PEARDIR/pear.conf config-set data_dir $PEARDIR/pear/data
pear -c $PEARDIR/pear.conf config-set download_dir $PEARDIR/pear/download
pear -c $PEARDIR/pear.conf config-set temp_dir $PEARDIR/pear/temp
pear -c $PEARDIR/pear.conf config-set test_dir $PEARDIR/pear/tests
pear -c $PEARDIR/pear.conf config-set www_dir $PEARDIR/pear/www
pear -c $PEARDIR/pear.conf config-set horde_dir /var/www/horde-test.example.com/htdocs
cat /var/www/horde-test.example.com/pear/pear.conf >/etc/pear.conf
echo 'include_path="$include_path:/var/www/horde-test.example.com/pear/pear:/var/www/horde-test.example.com/pear/pear/php"' >/etc/php/cli-php5.6/ext-active/horde-cli.ini
chmod 644 /etc/php/cli-php5.6/ext-active/horde-cli.ini
su - apache -c "/usr/bin/php /var/www/horde-test.example.com/pear/pear/horde-alarms"
su - apache -c "/usr/bin/php /var/www/horde-test.example.com/pear/pear/kronolith-agenda"
su - apache -c "/usr/bin/php /var/www/horde-test.example.com/pear/pear/horde-db-migrate"

PEARDIR=/var/www/horde.example.com/pear
rm -f $PEARDIR/pear.conf
pear -c $PEARDIR/pear.conf config-set php_bin /usr/bin/php
pear -c $PEARDIR/pear.conf config-set php_ini /etc/php/cli-php5.6/php.ini
pear -c $PEARDIR/pear.conf config-set bin_dir $PEARDIR/pear
pear -c $PEARDIR/pear.conf config-set doc_dir $PEARDIR/pear/docs
pear -c $PEARDIR/pear.conf config-set ext_dir $PEARDIR/pear/ext
pear -c $PEARDIR/pear.conf config-set php_dir $PEARDIR/pear/php
pear -c $PEARDIR/pear.conf config-set cache_dir $PEARDIR/pear/cache
pear -c $PEARDIR/pear.conf config-set cfg_dir $PEARDIR/pear/cfg
pear -c $PEARDIR/pear.conf config-set data_dir $PEARDIR/pear/data
pear -c $PEARDIR/pear.conf config-set download_dir $PEARDIR/pear/download
pear -c $PEARDIR/pear.conf config-set temp_dir $PEARDIR/pear/temp
pear -c $PEARDIR/pear.conf config-set test_dir $PEARDIR/pear/tests
pear -c $PEARDIR/pear.conf config-set www_dir $PEARDIR/pear/www
pear -c $PEARDIR/pear.conf config-set horde_dir /var/www/horde.example.com/htdocs
cat /var/www/horde.example.com/pear/pear.conf >/etc/pear.conf
echo 'include_path="$include_path:/var/www/horde.example.com/pear/pear:/var/www/horde.example.com/pear/pear/php"' >/etc/php/cli-php5.6/ext-active/horde-cli.ini
chmod 644 /etc/php/cli-php5.6/ext-active/horde-cli.ini
su - apache -c "/usr/bin/php /var/www/horde.example.com/pear/pear/horde-alarms"
su - apache -c "/usr/bin/php /var/www/horde.example.com/pear/pear/kronolith-agenda"
su - apache -c "/usr/bin/php /var/www/horde.example.com/pear/pear/horde-db-migrate"

rm /etc/pear.conf
rm /etc/php/cli-php5.6/ext-active/horde-cli.ini

Changes in /usr/local/sbin/hordetestwatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/hordetestwatch

Changed on 02.03.11
Issued by olli
Beginning line 2

This is a script for watching the hordetest-log.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
 open(PID, "</var/run/$me");
 my $pid=<PID>;
 close(PID);
 chomp($pid);
 if (-d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);

# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/opt/horde-test/horde.log";

# Send a notification mail. The list form of open() hands subject and body
# to mail(1) directly, so nothing taken from the log line is interpreted by a shell.
sub notify {
 my ($subject, $body)=@_;
 open(my $mail, '|-', 'mail', '-s', $subject, $mailto) or return;
 print $mail $body;
 close($mail);
}

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
 # Skip lines from these address ranges
 if ($line =~ /172\.2.\./) { next }
 if ($line =~ /194\.127\.8\./) { next }
 if ($line =~ / Login success for .+ to horde/) {
  # Only report logins logged today
  my $date=`date +%Y-%m-%d`;
  chomp($date);
  unless ($line =~ /^$date/) { next }
  $line=~s/\(//g;
  $line=~s/\)//g;
  my @line=split(/ /,$line);
  notify("HORDETESTWATCH: $line[7] is logging in from $line[10]",
   "Hi,\n\n$line[7] is logging in from $line[10]:\n\n$line\n\nYour $0 [$$]\n");
 }
 if ($line =~ / logged out of Horde /) {
  $line=~s/\(//g;
  $line=~s/\)//g;
  my @line=split(/ /,$line);
  notify("HORDETESTWATCH: $line[5] is closing the session from $line[10]",
   "Hi,\n\n$line[5] is closing the session from $line[10]:\n\n$line\n\nYour $0 [$$]\n");
 }
 if ($line =~ / FAILED LOGIN /) {
  if ($line =~ /localhost/) { next }
  $line=~s/\(//g;
  $line=~s/\)//g;
  my @line=split(/ /,$line);
  notify("HORDETESTWATCH: $line[7] failed login from $line[10]",
   "Hi,\n\n$line[7] failed login from $line[10]:\n\n$line\n\nYour $0 [$$]\n");
 }
}



Changes in /usr/local/sbin/hordewatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/hordewatch

Changed on 02.03.11
Issued by olli
Beginning line 2

This is a script for watching the horde-log.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
 open(PID, "</var/run/$me");
 my $pid=<PID>;
 close(PID);
 chomp($pid);
 if (-d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);

# The address where notification mails should go to
my $mailto='mail@example.com';
# Targetlogfile
my $logfile="/opt/horde/horde.log";

# Send a notification mail. The list form of open() hands subject and body
# to mail(1) directly, so nothing taken from the log line is interpreted by a shell.
sub notify {
 my ($subject, $body)=@_;
 open(my $mail, '|-', 'mail', '-s', $subject, $mailto) or return;
 print $mail $body;
 close($mail);
}

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
 # Skip lines from these address ranges
 if ($line =~ /172\.2.\./) { next }
 if ($line =~ /194\.127\.8\./) { next }
 if ($line =~ / Login success for .+ to horde/) {
  # Only report logins logged today
  my $date=`date +%Y-%m-%d`;
  chomp($date);
  unless ($line =~ /^$date/) { next }
  $line=~s/\(//g;
  $line=~s/\)//g;
  my @line=split(/ /,$line);
  notify("HORDEWATCH: $line[7] is logging in from $line[10]",
   "Hi,\n\n$line[7] is logging in from $line[10]:\n\n$line\n\nYour $0 [$$]\n");
 }
 if ($line =~ / logged out of Horde /) {
  $line=~s/\(//g;
  $line=~s/\)//g;
  my @line=split(/ /,$line);
  notify("HORDEWATCH: $line[5] is closing the session from $line[10]",
   "Hi,\n\n$line[5] is closing the session from $line[10]:\n\n$line\n\nYour $0 [$$]\n");
 }
 if ($line =~ / FAILED LOGIN /) {
  if ($line =~ /localhost/) { next }
  $line=~s/\(//g;
  $line=~s/\)//g;
  my @line=split(/ /,$line);
  notify("HORDEWATCH: $line[7] failed login from $line[10]",
   "Hi,\n\n$line[7] failed login from $line[10]:\n\n$line\n\nYour $0 [$$]\n");
 }
}



Changes in /usr/local/sbin/mkhordestable.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/mkhordestable.sh

Changed on 04.10.11
Issued by olli
Beginning line 2

This is an optional script for syncing/copying a Horde installation into a new path, e.g. for moving a test Horde into production.

#!/bin/bash

# Print every command before it is executed
set -x

# Set paths
PEARDIR=/var/www/horde.example.com/pear
WEBDIR=/var/www/horde.example.com
TESTWEBDIR=/var/www/horde-test.example.com

mkdir -p /var/www/horde.example.com
rsync -av --delete --exclude=pear/pear/php/.registry $TESTWEBDIR/ $WEBDIR/
BASEDIR=$WEBDIR
WEBDIR=$WEBDIR/htdocs

# Set pear config
rm -f $PEARDIR/pear.conf
pear -c $PEARDIR/pear.conf config-set bin_dir /var/www/horde.example.com/pear/pear
pear -c $PEARDIR/pear.conf config-set doc_dir /var/www/horde.example.com/pear/pear/docs
pear -c $PEARDIR/pear.conf config-set ext_dir /var/www/horde.example.com/pear/pear/ext
pear -c $PEARDIR/pear.conf config-set php_dir /var/www/horde.example.com/pear/pear/php
pear -c $PEARDIR/pear.conf config-set cache_dir /var/www/horde.example.com/pear/pear/cache
pear -c $PEARDIR/pear.conf config-set cfg_dir /var/www/horde.example.com/pear/pear/cfg
pear -c $PEARDIR/pear.conf config-set data_dir /var/www/horde.example.com/pear/pear/data
pear -c $PEARDIR/pear.conf config-set download_dir /var/www/horde.example.com/pear/pear/download
pear -c $PEARDIR/pear.conf config-set temp_dir /var/www/horde.example.com/pear/pear/temp
pear -c $PEARDIR/pear.conf config-set test_dir /var/www/horde.example.com/pear/pear/tests
pear -c $PEARDIR/pear.conf config-set www_dir /var/www/horde.example.com/pear/pear/www
pear -c $PEARDIR/pear.conf config-set horde_dir /var/www/horde.example.com/htdocs

# Do linking
#rm -f $WEBDIR/pear.conf
#ln -sf $PEARDIR/pear.conf $WEBDIR/pear.conf
#rm -f $PEARDIR/lib
#ln -s $WEBDIR/lib $PEARDIR/lib
#rm -f $PEARDIR/../ingo/lib
#ln -s $WEBDIR/ingo/lib $PEARDIR/../ingo/lib
#rm -f $PEARDIR/../imp/lib
#ln -s $WEBDIR/imp/lib $PEARDIR/../imp/lib
#rm -f $PEARDIR/../kronolith/lib
#ln -s $WEBDIR/kronolith/lib $PEARDIR/../kronolith/lib
#rm -f $PEARDIR/../nag/lib
#ln -s $WEBDIR/nag/lib $PEARDIR/../nag/lib
#rm -f $PEARDIR/../turba/lib
#ln -s $WEBDIR/turba/lib $PEARDIR/../turba/lib
#rm -f $PEARDIR/../mnemo/lib
#ln -s $WEBDIR/mnemo/lib $PEARDIR/../mnemo/lib

# Change paths in some pear files
for i in `grep -rl horde-test $PEARDIR`
do 
 echo "Changing horde-test to horde in $i"
 sed -e 's/horde-test/horde/g' -i $i
done

# Horde-Config
# DB
sed -e 's/hordetest/horde4/g' -i $WEBDIR/config/conf.php
# LOG
sed -e 's/horde-test/horde/g' -i $WEBDIR/config/conf.php
# LOGLEVEL
sed -e 's/DEBUG/INFO/g' -i $WEBDIR/config/conf.php

# Set some rights
chown -R root:root $BASEDIR
find $BASEDIR -type d -exec chmod 755 {} \;
find $BASEDIR -type f -exec chmod 644 {} \;
chown -R apache:root $WEBDIR/static
#chown -R apache:root $WEBDIR/config
#chown -R apache:root $WEBDIR/*/config

Changes in /var/www/horde.gabosh.net/htdocs/config/prefs.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/config/prefs.local.php

Changed on 04.11.09
Issued by olli
Beginning line 2

Some preference settings for the Horde Framework.

// Enlarge the sidebar
$_prefs['sidebar_width'] = array('value' => 220);
$_prefs['show_last_login'] = array('value' => false);
$_prefs['language'] = array('value' => 'de_DE');
$_prefs['first_week_day'] = array( 'value' => '1');
$_prefs['twentyFour'] = array('value' => 'true');
$_prefs['timezone'] = array( 'value' => 'Europe/Berlin' );

Changes in /var/www/horde.gabosh.net/htdocs/config/registry.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/config/registry.local.php

Changed on 04.08.11
Issued by olli
Beginning line 2

Use IMP as the first page after login

$this->applications['horde']['initial_page']='imp/';

Changes in /var/www/horde.gabosh.net/htdocs/imp/config/backends.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/imp/config/backends.local.php

Changed on 04.08.11
Issued by olli
Beginning line 2

This configures Horde-IMP for accessing an IMAP server with the gabosh.net domain and Horde auth credentials

$servers['imap']['maildomain'] = 'example.com';
$servers['imap']['hordeauth'] = true;
$servers['imap']['secure'] = false;

Changes in /var/www/horde.gabosh.net/htdocs/imp/config/mime_drivers.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/imp/config/mime_drivers.local.php

Changed on 04.11.09
Issued by olli
Beginning line 2

Some mime settings for Horde-IMP.

// Display HTML Mails in Horde IMP
$mime_drivers['html']['inline'] = true;

Changes in /var/www/horde.gabosh.net/htdocs/imp/config/prefs.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/imp/config/prefs.local.php

Changed on 04.11.09
Issued by olli
Beginning line 2

Some preference settings for Horde-IMP.

// The default sent-Mail folder on the IMAP-Server
#$_prefs['sent_mail_folder']['value'] = Horde_String::convertCharset('Versendet', 'UTF-8', 'UTF7-IMAP');
// The default drafts folder on the IMAP-Server
#$_prefs['drafts_folder']['value'] = Horde_String::convertCharset('Entwürfe', 'UTF-8', 'UTF7-IMAP');
// auto-save-drafts every minute
$_prefs['auto_save_drafts']['value'] = 1;
// When deleting messages, move them to your Trash folder instead of marking them as deleted
$_prefs['use_trash']['value'] = 1;
// The default trash folder on the IMAP-Server
#$_prefs['trash_folder']['value'] = Horde_String::convertCharset('Papierkorb', 'UTF-8', 'UTF7-IMAP');
// Move spam message(s) to spam folder when reported as spam
$_prefs['delete_spam_after_report']['value'] = 2;
// Display the 'Empty Spam' link in the menubar
$_prefs['empty_spam_menu']['value'] = 1;
// Check every minute for new mail
$_prefs['refresh_time']['value'] = 60;
// Notify if new mail arrives
$_prefs['newmail_notify']['value'] = 1;
// Sort messages descending by date
$_prefs['sortdir']['value'] = 1;
// Check for new mail in all folders
$_prefs['nav_poll_all']['value'] = 1;
# Show an icon to allow stripping of attachments from messages
$_prefs['strip_attachments']['value'] = 1;
// View Images in Mails only fom adresses in addrbook
$_prefs['image_replacement']['value'] = 1;
# Convert textual emoticons into graphical ones
$_prefs['emoticons']['value'] = 1;
# Show non-private mailboxes in separate folders
$_prefs['tree_view']['value'] = 1;
# No IMAP Subscribe
$_prefs['subscribe']['value'] = 0;
# Save attachments in Sent
$_prefs['save_attachments']['value'] = 'always';
# Sorting
$_prefs['mailbox_start']['value'] = IMP::MAILBOX_START_LASTUNSEEN;
$_prefs['sortby']['value'] = IMP::IMAP_SORT_DATE;
$_prefs['sortdir']['value'] = 1;

Changes in /var/www/horde.gabosh.net/htdocs/ingo/config/backends.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/ingo/config/backends.local.php

Changed on 04.08.11
Issued by olli
Beginning line 2

This configures horde-ingo for cyrus-sieve on port 2000

$backends['imap']['disabled'] = true;
$backends['sieve'] = array(
    // Disabled by default
    'disabled' => false,
    'transport' => array(
        Ingo::RULE_ALL => array(
            'driver' => 'timsieved',
            'params' => array(
                // Hostname of the timsieved server
                'hostspec' => 'localhost',
                // Login type of the server
                'logintype' => 'PLAIN',
                // Enable/disable TLS encryption
                'usetls' => false,
                // Port number of the timsieved server
                'port' => 4190,
                // Name of the sieve script
                'scriptname' => 'ingo',
                // Enable debugging. The sieve protocol communication is logged
                // with the DEBUG level.
                'debug' => false,
            ),
        ),
    ),
    'script' => array(
        Ingo::RULE_ALL => array(
            'driver' => 'sieve',
            'params' => array(
                // If using Dovecot or any other Sieve implementation that
                // requires folder names to be UTF-8 encoded, set this
                // parameter to true.
                'utf8' => false,
             ),
        ),
    ),
    'shares' => false
);
#$backends['sieve']['disabled'] = false;
#$backends['sieve']['driver'] = 'timsieved';
#$backends['sieve']['params']['hostspec'] = 'example.com';
#$backends['sieve']['params']['port'] = 2000;

Changes in /var/www/horde.gabosh.net/htdocs/kronolith/config/prefs.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/horde.gabosh.net/htdocs/kronolith/config/prefs.local.php

Changed on 04.11.09
Issued by olli
Beginning line 2

Some preference settings for Horde-Kronolith.

// Display the timeslots between each day column, in week view
$_prefs['time_between_days']['value'] = 1;
// Start a week with Monday
$_prefs['week_start_monday']['value'] = 1;
// Sets timeslots to 30 Minutes
$_prefs['slots_per_hour']['value'] = 2;
// Event notifications on all calendars a user has read access to
$_prefs['event_notification']['value'] = 'read';
// Reminder notifications on all calendars a user has read access to
$_prefs['event_reminder']['value'] = 'read';
// Remind with email
$_prefs['event_alarms']['value'] = 'a:1:{s:4:"mail";a:1:{s:5:"email";s:0:"";}}';
# Create default alarm 
#$_prefs['default_alarm']['value'] = '504000';

Changes in /var/www/horde.gabosh.net/htdocs/passwd/config/backends.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 17.11.11
Issued by olli
Beginning line 2

This is a configuration for changing LDAP-Passwords and Samba-LDAP passwords with Horde-passwd

#unset($backends['myscript']);
$backends['hordesql']['disabled'] = true;
$backends['myscript']['disabled'] = false;
$backends['myscript']['logout'] = true;
$backends['myscript']['name'] = 'example.com';
$backends['myscript']['preferred'] = '';
$backends['myscript']['policy']['minLength'] = 6;
$backends['myscript']['policy']['maxLength'] = 20;
$backends['myscript']['policy']['minNumeric'] = 1;
$backends['myscript']['driver'] = 'Procopen';
$backends['myscript']['params']['program'] = "/usr/local/sbin/ldappws.pl -b -r localhost -d ou=Users,ou=People,dc=example,dc=com -p /usr/local/share/pwlist.txt -s /usr/local/sbin/pwscript.sh";

Changes in /var/www/horde.gabosh.net/htdocs/turba/config/prefs.local.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 04.11.09
Issued by olli
Beginning line 2

Default settings for Horde turba

// Sort by last name
$_prefs['name_format'] = array('value' => 'last_first');
$_prefs['name_sort'] = array('value' => 'last_first');
// Show list as initial page
$_prefs['initial_page'] = array('value' => 'browse.php');
$_prefs['perpage'] = array('value' => '500');

Please send a feedback to: doc<at>gabosh.net

IMAP/POP3-Server

Here is my IMAP/POP3 server configuration. I'm using it in combination with Postfix and the webmailer Horde. It is also possible to use a mail client like Thunderbird.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-mail/cyrus-imapd

Changes in /etc/cron.daily/cyrus-purge.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 07.07.09
Issued by olli
Beginning line 2

This is a daily cron job that deletes all messages of the admin user older than 30 days.

#!/bin/bash
/usr/lib/cyrus/ipurge -d30 -X -f user.admin >/dev/null
/usr/lib/cyrus/ipurge -d90 -X -f user.%.Spam >/dev/null
/usr/lib/cyrus/ipurge -d90 -X -f user.%.Junk >/dev/null
/usr/lib/cyrus/ipurge -d90 -X -f user.%.Papierkorb >/dev/null
/usr/lib/cyrus/ipurge -d90 -X -f user.%.Trash >/dev/null
find /var/spool/imap/*/user/*/Sent* -type f -name '*.' -size +1M -mtime +365 -delete
#find /var/spool/imap -type f -name '*.' -size +200k -mtime +1460 -delete
su - cyrus -c "reconstruct -r -R -O -f user.% >/dev/null"

Changes in /etc/cyrus.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 11.09.08
Issued by olli
Beginning line 10

Start idled


Before change
 idled		cmd="idled"
After change
  idled                cmd="idled"

Changed on 11.09.08
Issued by olli
Beginning line 25

Allow POP3S/IMAPS


Before change
 #imaps		cmd="imapd -s" listen="imaps" prefork=0
 #pop3s		cmd="pop3d -s" listen="pop3s" prefork=0
After change
  imaps               cmd="imapd -s" listen="imaps" prefork=0
  pop3s               cmd="pop3d -s" listen="pop3s" prefork=0

Changed on 02.11.2008
Issued by olli
Beginning line 53

Run the squatter with low priority once per day.
Squatter creates a new SQUAT index for one or more IMAP mailboxes. The SQUAT index is a unified index of all of the header and body text of each message in a given mailbox. This index is used to significantly reduce IMAP search times on a mailbox.

  squatter      cmd="squatter -r *" period=3000

Changes in /etc/imapd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 11.09.08
Issued by olli
Beginning line 10

If you have your own certificates correct the paths to them.


Before change
#tls_cert_file:		/etc/ssl/cyrus/server.crt
#tls_key_file:		/etc/ssl/cyrus/server.key
After change
tls_server_cert:        /etc/ssl/example.com/example.com.crt
tls_server_key:         /etc/ssl/example.com/example.com.key
tls_client_ca_file:     /etc/ssl/example.com/letsencryptchain.pem
# Ciphers recommended by Mozilla https://wiki.mozilla.org/Security/Server_Side_TLS
tls_ciphers:            ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Changed on 11.09.08
Issued by olli
Beginning line 22

This sets the privileged user for the Cyrus mailboxes. This user has to exist as a system user in this setup and needs a mailbox. Enter here the user you prefer.


Before change
admins:			cyrus
After change
admins:                       admin

Changed on 11.09.08
Issued by olli
Beginning line 30

This allows plain text logins; the additional serverinfo: off keeps the server version out of the IMAP greeting banner.


Before change
allowplaintext:		no
After change
allowplaintext:               yes
serverinfo: off

Changed on 11.09.08
Issued by olli
Beginning line 46

Use the SASL authentication mechanisms LOGIN and PLAIN.


Before change
sasl_pwcheck_method:	saslauthd
After change
sasl_pwcheck_method: saslauthd 
sasl_mech_list: LOGIN PLAIN
sasl_auxprop_plugin: sasldb

Changes in /etc/profile.d/cyrus.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 17.08.10
Issued by olli
Beginning line 1

Add the bin path of the Cyrus programs to the default PATH variable.

PATH="$PATH:/usr/lib/cyrus"

Changes in /usr/local/sbin/cyr-create-mbox

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for creating cyrus mailboxes.

#!/usr/bin/perl
# Creates a Cyrus mailbox and sets its storage quota.
# Call: cyr-create-mbox MBOXNAME SIZE (size in MB, 10 .. 9999)
use Cyrus::IMAP::Admin;

# Connection data, also needed by the recovery part of error()
$cyrhost = "localhost";
$cyruser = "admin";
$recover = 0;

# Validate the arguments before anything is sent to the server
unless ($ARGV[0]=~/^[a-zA-Z0-9.]+$/) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[0] ist kein gültiger MBOX-Name\nAufruf: $0 MBOXNAME MBOXGRÖßE") }
unless (($ARGV[1]=~/^\d{2,4}$/) && ($ARGV[1]<=9999)) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[1] ist kein erlaubter Wert (Minimal 10 / Maximal 9999)\nAufruf: $0 MBOXNAME MBOXGRÖßE") }

chomp($ARGV[0], $ARGV[1]);
$mbox=$ARGV[0];
# Cyrus expects the quota in KB, the argument is given in MB
$mboxspace=$ARGV[1]*1024;

# Connect to Cyrus and authenticate as the admin user; the password comes
# from the encrypted password store (gtc-crypt, see "Save passwords encrypted")
$cyrus = Cyrus::IMAP::Admin->new($cyrhost) || die "Keine Verbindung zu $cyrhost: $@";
$cyrpass=`gtc-crypt -a $cyruser -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','',$cyruser,'0','10000',$cyrpass) || die "Keine Authentifizierung auf $cyrhost als $cyruser möglich: $@";

if ($cyrus->listmailbox($mbox)) { error("MBOX $mbox gibt es schon") }

$cyrus->createmailbox($mbox) || error("Konnte Mailbox $mbox nicht erstellen: $@");
# From now on error() has to remove the half-created mailbox again
$recover=2;

if ($mbox=~/^user\.[a-zA-Z0-9]+$/) {
 # A user mailbox gets the usual sub folders
 $cyrus->createmailbox("$mbox.Drafts") || error("Konnte Mailbox $mbox.Drafts nicht erstellen: $@");
 $cyrus->createmailbox("$mbox.Sent") || error("Konnte Mailbox $mbox.Sent nicht erstellen: $@");
 $cyrus->createmailbox("$mbox.Trash") || error("Konnte Mailbox $mbox.Trash nicht erstellen: $@");
 $cyrus->createmailbox("$mbox.Spam") || error("Konnte Mailbox $mbox.Spam nicht erstellen: $@");
}
else {
 # A shared mailbox stays invisible to everybody until rights are granted with cyr-set-acl
 $cyrus->setacl($mbox, 'anyone' => 'none') || error("Kann die Rechte nicht setzen: $@");
}

$cyrus->setquota($mbox, 'STORAGE' => $mboxspace) || error("Konnte Quota von $mbox nicht auf $mboxspace setzen: $@");

exit 0;

# Abort with a message; if the mailbox has already been created, delete it
# again so that a failed run leaves nothing behind.
sub error {
 my $message=shift;
 if ($recover>=2) {
  $cyrus = Cyrus::IMAP::Admin->new($cyrhost) || warn "Recovery: Keine Verbindung zu $cyrhost: $@";
  $cyrus->authenticate('login','imap','',$cyruser,'0','10000',$cyrpass) || warn "Recovery: Keine Authentifizierung auf $cyrhost als $cyruser möglich: $@";
  # The admin needs the delete right (c) on the mailbox before it can be removed
  $cyrus->setacl($mbox, $cyruser => "c") || warn "Recovery: Fehler beim Setzen der Löschrechte auf $mbox: $@";
  $cyrus->deletemailbox($mbox) || warn "Recovery: Konnte $mbox nicht wieder löschen: $@";
 }
 die "$message";
}

Changes in /usr/local/sbin/cyr-delete-mbox

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for deleting cyrus mailboxes.

#!/usr/bin/perl
# Deletes a Cyrus mailbox.
# Needed information:
# - mailbox name as arg0

unless ($ARGV[0]=~/^[a-zA-Z0-9\.]+$/) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[0] ist kein gültiger MBOX-Name\nAufruf: $0 MBOXNAME") }

# Strip newlines
chomp($ARGV[0]);
# Mailbox name
$mbox=$ARGV[0];

## Now the real work starts ##

use Cyrus::IMAP::Admin;

# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost") || error("Keine Verbindung zu localhost: $@");

# Authenticate as admin, then forget the password again
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass) || error("Keine Authentifizierung als admin möglich: $@");
$cyrpass="";

# Check that the mailbox exists
unless ($cyrus->listmailbox($mbox)) { error("MBOX $mbox gibt es nicht") }

# Grant the delete right to admin
$cyrus->setaclmailbox($mbox, 'admin' => "c") || error("Konnte Mailboxrechte von $mbox nicht auf c ändern: $@");

# Delete the mailbox
$cyrus->deletemailbox($mbox) || error("Konnte Mailbox $mbox nicht löschen: $@");

exit 0;

# Abort with a message
sub error {
 my $message=shift;
 die "$message";
}

Changes in /usr/local/sbin/cyr-resize-mailbox.pl

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for changing quota on cyrus mailboxes.

#!/usr/bin/perl
# Changes the storage quota of a Cyrus mailbox.
# Call: cyr-resize-mailbox.pl MBOXNAME SIZE (size in MB, 10 .. 9999)

# Check the arguments
unless ($ARGV[0]=~/^[a-zA-Z0-9\.\-]+$/) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[0] ist kein gültiger MBOX-Name\nAufruf: $0 MBOXNAME MBOXGRÖßE") }
unless (($ARGV[1]=~/^\d{2,4}$/) && ($ARGV[1]<=9999)) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[1] ist kein erlaubter Wert (Minimal 10 / Maximal 9999)\nAufruf: $0 MBOXNAME MBOXGRÖßE") }

# Strip newlines
chomp($ARGV[0], $ARGV[1]);
# Mailbox name
$mbox=$ARGV[0];
# Quota for Cyrus in KB (the argument is given in MB)
$mboxspace=$ARGV[1]*1024;

## Now the real work starts ##
use Cyrus::IMAP::Admin;

# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost") || error("Keine Verbindung zu localhost: $@");

# Authenticate as admin, then forget the password again
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass) || error("Keine Authentifizierung als admin möglich: $@");
$cyrpass="";

# Check that the mailbox exists
unless ($cyrus->listmailbox($mbox)) { error("MBOX $mbox gibt es nicht") }

# Make sure the new quota is not smaller than the data already in the mailbox.
# listquota returns resource => [used, limit], both in KB.
%quota = $cyrus->listquota($mbox);
foreach $res (keys(%quota)) {
 if ($mboxspace < $quota{$res}[0]) {
  error("Neues Quota ($mboxspace) zu klein für Mailbox ($quota{$res}[0])");
 }
}

# Set the quota on the mailbox
$cyrus->setquota($mbox, 'STORAGE' => $mboxspace) || error("Konnte Quota von $mbox nicht auf $mboxspace setzen: $@");

exit 0;

# Abort with a message
sub error {
 my $message=shift;
 die "$message";
}

Changes in /usr/local/sbin/cyr-set-acl

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for changing rights on cyrus mailboxes.

#!/usr/bin/perl
# Sets the rights of a user on a Cyrus mailbox.
# Call: cyr-set-acl MBOXNAME USER RIGHTS

unless ($ARGV[0]=~/^[a-zA-Z0-9.\- \&]+$/) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[0] ist kein gültiger MBOX-Name\nAufruf: $0 MBOXNAME USER RECHT") }
unless ($ARGV[1]=~/^[a-zA-Z0-9]+$/) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[1] ist kein gültiger Benutzername\nAufruf: $0 MBOXNAME USER RECHT") }
# Optional check of the right letters (disabled; see imapd(8) for their meaning)
#unless ($ARGV[2]=~/^[lrswipkxtecdanoa]+$/) { error("Mit den übergebenen Daten stimmt was nicht!\n$ARGV[2] ist kein gültiges Recht\nAufruf: $0 MBOXNAME USER RECHT") }

# Strip newlines
chomp($ARGV[0], $ARGV[1], $ARGV[2]);
# Mailbox name
$mbox=$ARGV[0];
# User
$user=$ARGV[1];
# Rights
$right=$ARGV[2];

## Now the real work starts ##

use Cyrus::IMAP::Admin;

# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost") || error("Keine Verbindung zu localhost: $@");

# Authenticate as admin, then forget the password again
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass) || error("Keine Authentifizierung als admin möglich: $@");
$cyrpass="";

# Check that the mailbox exists
unless ($cyrus->listmailbox($mbox)) { error("MBOX $mbox gibt es nicht") }

# Set the rights
$cyrus->setacl($mbox, $user => $right) || error("Kann die Rechte nicht setzen: $@");

exit 0;

# Abort with a message
sub error {
 my $message=shift;
 die "$message";
}

Changes in /usr/local/sbin/cyr-set-sieve.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for setting the default sieve-filter-script for a user. The script which is set is /usr/local/etc/sieve.script.default which you have to create.

#!/bin/bash
# Compiles the default sieve script and installs it as the active script
# of the user given as $1.  Call: cyr-set-sieve.sh USERNAME
set -e
NAME="$1"
# Only accept plain account names, no path components
case "$NAME" in
 ''|*[!a-zA-Z0-9._-]*) echo "usage: $0 USERNAME" >&2; exit 1 ;;
esac
# Cyrus keeps sieve scripts under <first letter of the user>/<user>/
INITIAL=$(printf '%s' "$NAME" | cut -c1)
SIEVEDIR="/var/imap/sieve/$INITIAL/$NAME"
# Compile into a private temporary file instead of a predictable name in /tmp
BC=$(mktemp)
/usr/lib/cyrus/sievec /usr/local/etc/sieve.script.default "$BC"
mkdir -p "$SIEVEDIR"
cp /usr/local/etc/sieve.script.default "$SIEVEDIR/default.script"
mv "$BC" "$SIEVEDIR/default.bc"
chmod 600 "$SIEVEDIR/default.bc"
chown -R cyrus:mail "$SIEVEDIR"
# The "defaultbc" symlink marks the active script
ln -sf default.bc "$SIEVEDIR/defaultbc"

Changes in /usr/local/sbin/cyr-show-dirs

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for listing all your cyrus directories.

#!/usr/bin/perl
# Lists all Cyrus mailboxes with their quota usage and ACLs.

use Cyrus::IMAP::Admin;

# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost") || die "Keine Verbindung zu localhost: $@";

# Authenticate as admin, then forget the password again
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass) || die "Keine Authentifizierung als admin möglich: $@";
$cyrpass="";

# Print header
print "Verzeichnisse bzw. Mailboxes:\n\n";
# listmailbox returns one [name, attributes, separator] entry per mailbox
@mboxes=$cyrus->listmailbox('*');
foreach $entry (@mboxes) {
 $mbox=$entry->[0];
 # Build the ACL string from the ACL list of the server
 %acls = $cyrus->listacl($mbox);
 $acl="";
 foreach $who (sort keys(%acls)) { $acl="$acl $who -> $acls{$who}   " }
 # Quota values come as resource => [used, limit] in KB; show them in MB.
 # Reset first so a mailbox without quota does not show the previous values.
 ($benutzt, $gesamt, $prozent) = ("-", "-", "-");
 %quota = $cyrus->listquota($mbox);
 foreach $res (keys(%quota)) {
  # Is there a quota for this mailbox at all?
  if ($quota{$res}[1]) {
   $benutzt=sprintf("%.0f", $quota{$res}[0]/1024);
   $gesamt=sprintf("%.0f", $quota{$res}[1]/1024);
   # Percentage from the raw KB values, so a quota that rounds to 0 MB cannot divide by zero
   $prozent=sprintf("%.0f", 100*$quota{$res}[0]/$quota{$res}[1]);
  }
 }
 # Print the mailbox with quota and ACL
 print "$mbox\n  Quota: Benutzt: $benutzt\tGesamt: $gesamt\tProzent: $prozent\%\n  Rechte: $acl\n";
}

Changes in /usr/local/sbin/cyr-show-mailboxes

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 10.06.09
Issued by olli
Beginning line 2

This is a script for listing all your cyrus mailboxes.

#!/usr/bin/perl
# Lists all Cyrus mailboxes that have a quota, with usage and ACLs, as a table.
use Cyrus::IMAP::Admin;

# Connect to Cyrus
$cyrus = Cyrus::IMAP::Admin->new("localhost") || die "Keine Verbindung zu localhost: $@";

# Authenticate as admin, then forget the password again
$cyrpass=`gtc-crypt -a admin -p`;
chomp($cyrpass);
$cyrus->authenticate('login','imap','','admin','0','10000',$cyrpass) || die "Keine Authentifizierung als admin möglich: $@";
$cyrpass="";

# Output format: one line per mailbox
format STDOUT =
@<<<<<<<<<<<<<<<<<<<<<<<    @<<<<<<<<<  @<<<<<<<<<  @<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$mbox, $benutzt, $gesamt, $prozent, $acl
.

# Print header
print "Mailboxes und Quotas (in MB)\n";
print "Mailbox                     Used        Total       Percent Rights\n";
print "-------------------------------------------------------------------------------------------------------->\n";
# listmailbox returns one [name, attributes, separator] entry per mailbox
@mboxes=$cyrus->listmailbox('*');
foreach $entry (@mboxes) {
 $mbox=$entry->[0];
 # Quota values from the server: resource => [used, limit], both in KB
 %quota = $cyrus->listquota($mbox);
 foreach $res (keys(%quota)) {
  # Only mailboxes with a quota are listed
  next unless ($quota{$res}[1]);
  # Build the ACL string from the ACL list of the server
  %acls = $cyrus->listacl($mbox);
  $acl="";
  foreach $who (sort keys(%acls)) { $acl="$acl $who -> $acls{$who}   " }
  # Convert KB to MB and round
  $benutzt=sprintf("%.0f", $quota{$res}[0]/1024);
  $gesamt=sprintf("%.0f", $quota{$res}[1]/1024);
  # Percentage from the raw KB values, so a quota that rounds to 0 MB cannot divide by zero
  $prozent=sprintf("%.0f", 100*$quota{$res}[0]/$quota{$res}[1]) . "%";
  # Print the formatted line
  write;
 }
}

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add cyrus 


Instant Messaging alternative Jabber

In times of black-boxed, centralized, cloud-hosted "Instant Messaging" services with possibly weak security/encryption like WhatsApp & co., I would like to use my own Instant Messaging service, with the data held encrypted on my own server. Here is the way I do it.
As a smartphone app for this service I suggest the app called "Conversations".

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-im/ejabberd

Changes in /etc/jabber/ejabberd.yml

File permissions:
Owner: root
Group: jabber
Permissions: -rw-r-----

Changed on 09.11.15
Issued by olli
Beginning line 98

The Hostname(s) of the Server

  - "example.com"
  - "silent-gabosh.example.com"

Changed on 09.11.15
Issued by olli
Beginning line 142

SSL-Encryption Chat Clients

    starttls: true
    certfile: "/etc/ssl/example.com/example.com.pem"

Changed on 09.11.15
Issued by olli
Beginning line 197

SSL-Encryption HTTP-Interface

    tls: true
    certfile: "/etc/ssl/example.com/example.com.pem"

Changed on 09.11.15
Issued by olli
Beginning line 220

SSL-Encryption other Jabber Servers

s2s_certfile: "/etc/ssl/example.com/example.com.pem"
s2s_use_starttls: required

Changed on 09.11.15
Issued by olli
Beginning line 268

Authenticate users against PAM instead of the internal user database


Before change
auth_method: internal
After change
auth_method: pam
pam_service: "login"

Changed on 09.11.15
Issued by olli
Beginning line 448

The Admin-User

  admin:
      user:
            - "admin": "example.com"

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add ejabberd 


Mailinglists with MailMan

Here is a short description of how to create mailing lists in an easy way.
You have to insert the specific lines into your webserver configuration for easy web administration. See the Webserver topic for this.
After installing MailMan you have to create an admin password with
/usr/lib/mailman/bin/mmsitepass

Put mailman into the nobody group
usermod -G cron,mailman,nobody mailman

and you have to set the correct permissions for postfix
/usr/lib/mailman/bin/check_perms -f

Create the MailMan cron jobs with
su - mailman -c 'crontab cron/crontab.in'

Create initial MailMan list:
/usr/lib/mailman/bin/newlist mailman
/usr/lib/mailman/bin/config_list -i /var/lib/mailman/data/sitelist.cfg mailman

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-mail/mailman

Changes in /etc/mailman/mm_cfg.py

File permissions:
Owner: mailman
Group: mailman
Permissions: -rw-r--r--

Changed on 18.03.09
Issued by olli
Beginning line 54

Some Settings for MailMan environment

MTA = 'Postfix'
DEFAULT_EMAIL_HOST = 'example.com'
DEFAULT_URL_HOST   = 'mailman.example.com'
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
add_virtualhost('mailman.example.com')
POSTFIX_STYLE_VIRTUAL_DOMAINS =  ['example.com']
DEFAULT_ARCHIVE_PRIVATE = 1
DEFAULT_CHARSET = 'UTF-8'
add_language('de', 'Deutsch', 'utf-8')

Changes in /etc/postfix/main.cf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 25.03.09
Issued by olli
Beginning line 765

Add mailman aliases to postfix

alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases

Changes in /etc/profile.d/mailman.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 09.06.10
Issued by olli
Beginning line 1

Add the bin path of the MailMan programs to the default PATH variable.

PATH="$PATH:/usr/lib/mailman/bin"

Changes in /usr/local/sbin/maillists.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 17.11.2014
Issued by olli
Beginning line 2

Script for syncing LDAP-Groups with Mailinglists


#!/bin/bash
# Syncs LDAP groups with Mailman lists: every group named maillist-<name>
# becomes a list <name>, and the list members are kept equal to the group
# members plus the external addresses in /root/maillist-nongabosh-<name>.

rm -f /tmp/liste-*
getent group | grep "^maillist-" >/tmp/maillists
cat /tmp/maillists | while read line
do
 list=`echo $line | cut -d: -f1 | perl -pe 's/^maillist-//'`
 # Create the list if it does not exist yet (-b: bare list names, so an exact match is possible)
 if list_lists -b | grep -ixq "$list"
 then
  echo "Liste $list existiert" >/dev/null
 else
  echo "Erstelle Liste $list"
  newlist -u mailman.example.com -l de -q $list mail@example.com `gtc-crypt -a mailman -p`
  config_list -i /etc/mailman/defaultlistconfig $list
 fi
 # Keep the SpamAssassin whitelist of list members up to date
 list_members $list >/tmp/maillistmembers
 for i in `cat /tmp/maillistmembers`
 do
  # (reconstructed: the original line was cut off after "whitelist_from")
  echo "whitelist_from $i" >>/etc/spamassassin/maillist-whitelist
 done
 cat /etc/spamassassin/maillist-whitelist | sort -u >/tmp/maillist-whitelist
 cat /tmp/maillist-whitelist >/etc/spamassassin/maillist-whitelist
 # Add users: group members plus the external addresses of this list
 for user in `echo $line | cut -d: -f4 | perl -pe 's/\,/ /g' ; cat /root/maillist-nongabosh-$list 2>/dev/null`
 do
  # Bare user names get the local domain (reconstructed; the original referenced an undefined $mail)
  echo $user | grep -q '@' || user="$user@example.com"
  if grep -qix "$user" /tmp/maillistmembers
  then
   echo "User $user ist in der Liste $list" >/dev/null
  else
   echo "User $user wird in die Liste $list aufgenommen"
   echo "$user" >/tmp/maillistnew
   add_members -r /tmp/maillistnew -a y $list
  fi
 done
 # Remove users that are neither in the group nor in the external address list
 for user in `cat /tmp/maillistmembers | perl -pe 's/\@example.com$//'`
 do
  if echo $line | cut -d: -f4 | tr ',' '\n' | grep -qix "$user"
  then
   echo "User $user ist in der Liste $list" >/dev/null
  elif cat /root/maillist-nongabosh-$list 2>/dev/null | grep -qix "$user"
  then
   echo "User $user ist in der Liste $list" >/dev/null
  else
   echo $user | grep -q '@' || user="$user@example.com"
   echo "User $user wird aus der Liste $list gelöscht"
   remove_members -n $list $user
  fi
 done
 # Allow all non-example.com addresses from the whitelists to post to the list (not to read it)
 echo -n "accept_these_nonmembers = [ 'mail@example.com', " >/tmp/maillistsendok
 # (reconstructed: the original pipeline was cut off inside the egrep pattern)
 for mail in `cat /etc/spamassassin/* 2>/dev/null | egrep "^whitelist_from " | grep -v '@example.com' | cut -d' ' -f2 | sort -u`
 do
  echo -n " '$mail'," >>/tmp/maillistsendok
 done
 echo -n ' ]' >>/tmp/maillistsendok
 config_list -i /tmp/maillistsendok $list
done

# Clean up
#rm -f /tmp/maillists /tmp/maillistmembers /tmp/maillistnew
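The membership comparison in maillists.sh above works with grep on partial strings, so a user name that is a prefix of another one can be mistaken for it. The following is an added example, not the howto's own code, that computes the same add/remove sets by comparing whole addresses with comm(1). It assumes group lines in the format of getent group (maillist-NAME:x:GID:member1,member2), that bare user names belong to example.com as in the howto, and that the current list members are supplied one per line as list_members prints them; all sample data in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the howto: work out which addresses have to be
# added to and removed from a Mailman list so that it mirrors an LDAP group,
# comparing whole addresses instead of grepping for substrings.
# Assumptions: group lines look like "getent group" output
# (maillist-NAME:x:GID:member1,member2) and bare user names belong to
# example.com, as in maillists.sh.
export LC_ALL=C
DOMAIN="example.com"

# normalize_members: stdin holds comma- or newline-separated members; print
# one lower-cased address per line, sorted and de-duplicated (what comm needs)
normalize_members() {
  tr ',' '\n' | while IFS= read -r m || [ -n "$m" ]; do
    case "$m" in
      '')  ;;
      *@*) printf '%s\n' "$m" ;;
      *)   printf '%s@%s\n' "$m" "$DOMAIN" ;;
    esac
  done | tr 'A-Z' 'a-z' | sort -u
}

# list_name GROUPLINE: "maillist-team:x:5001:..." -> "team"
list_name() {
  printf '%s\n' "$1" | cut -d: -f1 | sed 's/^maillist-//'
}

# desired_members GROUPLINE: the normalized members of the LDAP group
desired_members() {
  printf '%s\n' "$1" | cut -d: -f4 | normalize_members
}

# members_to_add GROUPLINE MEMBERFILE: in the group but not yet on the list
# (MEMBERFILE holds the current list members, one per line, like list_members)
members_to_add() {
  want=$(mktemp); have=$(mktemp)
  desired_members "$1" > "$want"
  normalize_members < "$2" > "$have"
  comm -23 "$want" "$have"
  rm -f "$want" "$have"
}

# members_to_remove GROUPLINE MEMBERFILE: on the list but no longer in the group
members_to_remove() {
  want=$(mktemp); have=$(mktemp)
  desired_members "$1" > "$want"
  normalize_members < "$2" > "$have"
  comm -13 "$want" "$have"
  rm -f "$want" "$have"
}
```

With the group "maillist-team:x:5001:alice,Bob,ann,carol@partner.example" and a list that currently holds alice, bob, anna and dave, members_to_add prints ann@example.com and carol@partner.example, and members_to_remove prints anna@example.com and dave@example.com; a prefix grep for "ann" would have matched anna and left both entries wrong.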


Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add mailman 


Mailserver

In this topic a full featured mailserver is described. It comes with SMTP/TLS (Postfix), PAM authentication (saslauthd), a mail scanner (amavisd-new), a spam scanner (SpamAssassin) and a virus scanner (ClamAV).
Remember to run "newaliases" whenever you change the /etc/mail/aliases file.
Insert the valid recipient and sender addresses in /etc/postfix/virtual_recipient and /etc/postfix/virtual_sender (syntax: "emailaddress@yourdomain.tld cyrusmailboxname" - one per line). Then create the postfix mappings with
postmap /etc/postfix/virtual_sender
postmap /etc/postfix/virtual_recipient
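A map line that postmap accepts is not necessarily one that delivers mail where you expect: a typo in the domain, a mailbox name Cyrus will not create, or an address mapped twice (the last entry wins silently) are all easy to miss. The following is an added example, not the howto's own code, that checks a virtual map in the "address mailbox" format above before postmap is run. The domain and the mailbox-name rule are assumptions for the demo (the rule is the one the cyr-*-mbox scripts of the IMAP howto enforce); the sample maps in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the howto: sanity-check a postfix virtual map
# ("address@domain cyrusmailbox", one pair per line) before running postmap
# on it.  The domain and the mailbox-name rule are assumptions for the demo.

MAILDOMAIN="example.com"

# check_virtual_map FILE: print one diagnostic per faulty line and return 1
# if anything was wrong, 0 if the map is clean
check_virtual_map() {
  file=$1
  status=0
  lineno=0
  seen=$(mktemp)
  set -f   # no globbing while splitting the line into fields
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    # skip blank lines and comments
    case "$line" in ''|'#'*) continue ;; esac
    set -- $line
    if [ $# -ne 2 ]; then
      echo "line $lineno: expected 'address mailbox', got '$line'"
      status=1
      continue
    fi
    addr=$1
    mbox=$2
    # the address must be in our own domain
    case "$addr" in
      *@"$MAILDOMAIN") ;;
      *) echo "line $lineno: $addr is not an address in $MAILDOMAIN"; status=1 ;;
    esac
    # Cyrus mailbox names here: letters, digits and dots only
    case "$mbox" in
      *[!A-Za-z0-9.]*) echo "line $lineno: '$mbox' is not a valid mailbox name"; status=1 ;;
    esac
    # an address mapped twice would let the last entry win silently
    if grep -qxF -- "$addr" "$seen"; then
      echo "line $lineno: duplicate address $addr"
      status=1
    fi
    printf '%s\n' "$addr" >> "$seen"
  done < "$file"
  set +f
  rm -f "$seen"
  return $status
}
```

Run it as "check_virtual_map /etc/postfix/virtual_recipient && postmap /etc/postfix/virtual_recipient" so that the map is only compiled when it is clean.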

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge mail-mta/postfix
emerge dev-libs/cyrus-sasl
emerge mail-filter/amavisd-new
emerge mail-filter/spamassassin
emerge app-antivirus/clamav

Changes in /etc/amavisd.conf

File permissions:
Owner: root
Group: amavis
Permissions: -rw-r-----

Changed on 11.09.08
Issued by olli
Beginning line 504

Deliver banned and spam mails.


Before change
#$final_banned_destiny     = D_BOUNCE;  # (defaults to D_BOUNCE)
#$final_spam_destiny       = D_BOUNCE;  # (defaults to D_BOUNCE)
After change
$final_banned_destiny	= D_PASS;
$final_spam_destiny	= D_PASS;

Changed on 11.09.08
Issued by olli
Beginning line 610

Warns the receiver when a mail with banned or virus content was received.


Before change
#$warnvirusrecip = 1;	# (defaults to false (undef))
#$warnbannedrecip = 1;	# (defaults to false (undef))
After change
$warnvirusrecip = 1;
$warnbannedrecip = 1;

Changed on 11.09.08
Issued by olli
Beginning line 817

Address where virus mails are delivered to.


Before change
$virus_quarantine_to  = 'virus-quarantine';    # traditional local quarantine
After change
$virus_quarantine_to  = "virus\@$mydomain";

Changed on 11.09.08
Issued by olli
Beginning line 836

Only quarantine virus mails.


Before change
$banned_quarantine_to     = 'banned-quarantine';     # local quarantine
$bad_header_quarantine_to = 'bad-header-quarantine'; # local quarantine
$spam_quarantine_to       = 'spam-quarantine';       # local quarantine
After change
$banned_quarantine_to     = undef;
$bad_header_quarantine_to = "virus\@$mydomain";
$spam_quarantine_to       = undef;

Changed on 11.09.08
Issued by olli
Beginning line 1776

Some spamassassin settings


Before change
$sa_local_tests_only = 0;   # only tests which do not require internet access?
#$sa_auto_whitelist = 1;    # turn on AWL in SA 2.63 or older (irrelevant
                            # for SA 3.0, its cf option is use_auto_whitelist)

$sa_mail_body_size_limit = 400*1024; # don't waste time on SA if mail is larger
			    # (less than 1% of spam is > 64k)
			    # default: undef, no limitations

# default values, customarily used in the @spam_*_level_maps as the last entry
$sa_tag_level_deflt  = 2.0; # add spam info headers if at, or above that level;
			    # undef is interpreted as lower than any spam level
$sa_tag2_level_deflt = 6.31;# add 'spam detected' headers at that level to
                            # passed mail, adding address extensions;
$sa_kill_level_deflt = $sa_tag2_level_deflt; # triggers spam evasive actions
			    # at or above that level: bounce/reject/drop,
			    # quarantine
$sa_dsn_cutoff_level = 9;   # spam level beyond which a DSN is not sent,
                            # effectively turning D_BOUNCE into D_DISCARD;
                            # undef disables this feature and is a default;
# see also $sa_quarantine_cutoff_level above, which only controls quarantining
After change
$sa_local_tests_only = 0;
#$sa_auto_whitelist = 1;
$sa_mail_body_size_limit = 257*1024;
$sa_tag_level_deflt  = -99;
$sa_tag2_level_deflt = 6.31;
$sa_kill_level_deflt = undef;
$sa_dsn_cutoff_level = undef;

Changed on 11.09.08
Issued by olli
Beginning line 1973

ClamAV Socket settings.


Before change
# ['ClamAV-clamd',
#   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
#   qr/\bOK$/m, qr/\bFOUND$/m,
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
After change
['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Changes in /etc/clamd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 10.09.08
Issued by olli
Beginning line 14

Log ClamAV to syslog


Before change
LogFile /var/log/clamav/clamd.log
After change
LogSyslog yes

Changes in /etc/cron.daily/logrotate

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 03.02.09
Issued by olli
Beginning line 8

Create SpamAssassin whitelists from the Horde address book and from the mail log (addresses mail was sent to), then mail a daily digest of interesting log lines.

# Horde Adressbook
. /etc/profile
echo "select object_email from turba_objects" |  mysql -u root -p`gtc-crypt -a mysqlroot -p` horde4 2>&1 | grep '@' | egrep -v 'NULL|object_email|^$' | perl -pe 's/[^[:ascii:]]//g' | tr '[A-Z]' '[a-z]' | sort -u | while read mailadress; do echo "whitelist_from mail@example.com
# Mail log
cat /var/log/maillog.log | egrep 'postfix/smtp.+to=.+status=sent.+250' | perl -pe' s/ +/ /' | cut -d' ' -f7 | perl -pe 's/to=<//; s/>,//; s/[^[:ascii:]]//g' | tr '[A-Z]' '[a-z]' >/tmp/tmpmails-$$
cat /etc/spamassassin/sendto-whitelist | cut -d" " -f2 | grep '@' >>/tmp/tmpmails-$$
cat /tmp/tmpmails-$$ | sort -u | while read mail; do cat /etc/spamassassin/horde-whitelist | grep $mail >/dev/null || echo "whitelist_from mail@example.com
rm /tmp/tmpmails-$$
# Gabosh-User Mails
for i in `getent passwd | grep ':100:' | cut -d: -f1`; do echo "whitelist_from mail@example.com
for i in `cat /etc/postfix/mailaddresses | grep '@example.com' | cut -d" " -f1`; do echo "whitelist_from mail@example.com
for i in `getent group | grep "^maillist-"  | cut -d: -f1 | perl -pe 's/^maillist-//'`; do echo "whitelist_from mail@example.com
for i in `ls -1 /gtc/stable/etc/thinclient/profiles/`; do echo "whitelist_from mail@example.com
sort -u /tmp/user-whitelist >/etc/spamassassin/user-whitelist
# Restart services
/etc/init.d/spamd restart >/dev/null
/etc/init.d/amavisd restart >/dev/null
# Remove the system apache logrotate (it is in the gabosh logrotate, daily and not weekly)
rm -f /etc/logrotate.d/apache2 /etc/logrotate.d/rsyslog
## Log Mails
strings="error|failed| fault|fehler|no such file or directory|Datei oder Verzeichnis nicht gefunden|permission denied|zugriff verweigert|out of memory|segmentation|Speicherzugriffsfehler| ERR: |\" 4.. |\" 5.. |sshd.+ Accepted .+ for .+ from |password for .+ changed|unable to open|Address family not supported by protocol"
excludes="/var/log/emerge.log|fail2ban.+INFO|amavis.+Defaulting.+ID |\" 404 |\" 401 | error: maximum authentication attempts exceeded for | pam_ldap: error trying to bind as user| pam_ldap: error trying to bind as user| error: PAM: Authentication failure for illegal user| Failed keyboard-interactive/pam for|RSA SHA256:hR/QDTe0cMXSQQ9FHXmUAHEcqb2YPftW9kTUxAeprwc| warning: SASL authentication failure: Password verification failed| warning: .+: SASL PLAIN authentication failed: authentication failure|imaps.+Password verification failed|mate-session|sshd.+error: PAM: Authentication failure for|named.+query failed .SERVFAIL. for|pulseaudio.+Failed to connect to "
# Over all logs
egrep -r -a -i "$strings" /var/log/*.log /var/log/*/*.log /var/log/apache2/*log /opt/horde/horde.log /opt/horde-test/horde.log | egrep -v "$excludes" | mail -E -s "Logs `date`" olli
# Errors in postqueue
postqueue -p 2>&1 | egrep -e "$strings" |  mail -E -s "Postqueue Fehler" olli
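The daily log check above greps a list of error patterns over all logs and then drops known noise with a second pattern list. As an added example that is not part of the howto, here is the same include/exclude pipeline as shell functions run over a constructed sample log, so the pattern lists can be tested before they are pointed at /var/log. STRINGS and EXCLUDES are a subset of the page's patterns; the log lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the howto: the include/exclude grep pipeline of
# the daily log check as functions that can be run on a sample log first.
# STRINGS and EXCLUDES are a subset of the patterns in the cron script above;
# the sample log lines are constructed for this demonstration.

STRINGS='error|failed| fault|no such file or directory|permission denied|out of memory|segmentation| ERR: |" 4.. |" 5.. |sshd.+ Accepted .+ for .+ from |password for .+ changed'
EXCLUDES='fail2ban.+INFO|" 404 |" 401 | error: maximum authentication attempts exceeded for |sshd.+error: PAM: Authentication failure for'

# Filter: lines matching STRINGS (case-insensitive, binary-safe like the
# original -a) minus lines matching EXCLUDES. Reads the files given as
# arguments, or stdin when none are given.
scan_log() {
  grep -E -a -i "$STRINGS" "$@" | grep -E -v "$EXCLUDES"
}

# Constructed syslog-style sample; not output of a real system.
sample_log() {
  cat <<'EOF'
Mar 17 10:01:02 host sshd[123]: Accepted publickey for olli from 192.0.2.10 port 50000 ssh2
Mar 17 10:01:05 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Mar 17 10:02:11 host fail2ban.actions[300]: INFO [sshd] Ban 198.51.100.7 after failed logins
Mar 17 10:03:00 host sshd[124]: error: PAM: Authentication failure for illegal user admin from 198.51.100.7
Mar 17 10:04:30 host cron[201]: (CRON) error (grandchild #202 failed with exit status 1)
Mar 17 10:05:00 host kernel: Out of memory: Kill process 999 (java)
Mar 17 10:06:00 host passwd[500]: password for olli changed
Mar 17 10:07:00 host apache2: 192.0.2.20 - - "GET /missing HTTP/1.1" 404 210
EOF
}

# Lines from the sample that would end up in the daily mail: the successful
# ssh login, the cron error, the OOM kill and the password change. The
# fail2ban line and the 404 match STRINGS but are dropped by EXCLUDES.
scan_sample() {
  sample_log | scan_log
}

# Number of such lines.
count_sample_alerts() {
  scan_sample | wc -l | tr -d ' '
}

# On a live system, as in the cron job (mail -E sends nothing when empty):
#   scan_log /var/log/*.log /var/log/*/*.log | mail -E -s "Logs $(date)" root
```

The successful-login pattern is deliberately in STRINGS rather than EXCLUDES: a daily list of accepted ssh logins is cheap to read and is the first place an unexpected account or source address shows up.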

Changes in /etc/cron.daily/spamassassinupdate

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /etc/cron.daily/spamassassinupdate

Changed on 15.09.14
Issued by olli
Beginning line 2

Daily Spamassassin Update

date >>/var/log/sa-update.log 2>&1
sa-update -v >>/var/log/sa-update.log 2>&1
/etc/init.d/spamd restart >>/var/log/sa-update.log 2>&1
/etc/init.d/amavisd restart >>/var/log/sa-update.log 2>&1

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/crontab

Changed on 04.06.13
Issued by olli
Beginning line 37

Update Mail addresses for each User.

30 * * * *      root    /usr/local/sbin/mailaddresses.sh 2>&1 | mail -E -s "Mail Adresses Update" root

Changes in /etc/freshclam.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/freshclam.conf

Changed on 10.09.08
Issued by olli
Beginning line 17

Log ClamAV to syslog


Before change
UpdateLogFile /var/log/clamav/freshclam.log
After change
LogSyslog yes

Changes in /etc/mail/aliases

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/mail/aliases

Changed on 11.09.08
Issued by olli
Beginning line 35

This sends mails for root or virusalert to the admin user (this user has to exist with a mailbox). Change it to your personal needs.

root:		admin
virusalert:	admin

Changes in /etc/mail/spamassassin/local.cf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/mail/spamassassin/local.cf

Changed on 11.09.08
Issued by olli
Beginning line 54

This is my basic configuration for SpamAssassin. Change it to your needs or leave it as it is.


report_safe 0
use_pyzor 0
use_bayes 1
score BAYES_00 0
score BAYES_05 0.5
score BAYES_10 1
score BAYES_15 1.5
score BAYES_20 2
score BAYES_25 2.5
score BAYES_30 3
score BAYES_35 3.5
score BAYES_40 4
score BAYES_45 4
score BAYES_50 5
score BAYES_55 5
score BAYES_60 5.5
score BAYES_65 5.5
score BAYES_70 6
score BAYES_75 6
score BAYES_80 7
score BAYES_85 7
score BAYES_90 8
score BAYES_95 8
score BAYES_99 9
score HTML_MESSAGE 1
score MISSING_SUBJECT 0.2

dns_available no
bayes_auto_learn 1 
bayes_auto_learn_threshold_nonspam 0.1 
bayes_auto_learn_threshold_spam 10
bayes_min_spam_num 10
bayes_min_ham_num 10
skip_rbl_checks 1

body LOCAL_GELD /Geld/i
describe LOCAL_GELD Suche nach Schlagwort Geld
score LOCAL_GELD 0.5

body LOCAL_AUSZAHLUNG /Auszahlung/i
describe LOCAL_AUSZAHLUNG Suche nach Schlagwort Auszahlung
score LOCAL_AUSZAHLUNG 0.5

body LOCAL_KONTO /Konto/i
describe LOCAL_KONTO Suche nach Schlagwort Konto
score LOCAL_KONTO 0.5

body LOCAL_ROULETTE /Roulette/i
describe LOCAL_ROULETTE Suche nach Schlagwort Roulette
score LOCAL_ROULETTE 10.0

header LOCAL_FDISCOUNT From =~ /Discount/i
describe LOCAL_FDISCOUNT From: Discount
score LOCAL_FDISCOUNT 15

header LOCAL_MOZILLA From =~ /mozilla/i
describe LOCAL_MOZILLA From: mozilla
score LOCAL_MOZILLA -5

body LOCAL_ROULETTE_RULE /Roulette/i
describe LOCAL_ROULETTE_RULE Suche nach Schlagwort Roulette
score LOCAL_ROULETTE_RULE 3

body LOCAL_DISCOUNT_RULE /Discount/i
describe LOCAL_DISCOUNT_RULE Suche nach Schlagwort Discount
score LOCAL_DISCOUNT_RULE 3

body LOCAL_WINDOWS_RULE /Windows/i
describe LOCAL_WINDOWS_RULE Suche nach Schlagwort Windows
score LOCAL_WINDOWS_RULE 2

body LOCAL_HANDEL_RULE /Handel/i
describe LOCAL_HANDEL_RULE Suche nach Schlagwort Handel
score LOCAL_HANDEL_RULE 1.5

body LOCAL_DISCOUNT_RULE /Discount/i
describe LOCAL_DISCOUNT_RULE Suche nach Schlagwort Discount
score LOCAL_DISCOUNT_RULE 3

header LOCAL_FACEBOOK To =~ /\@groups.facebook.com/i
describe LOCAL_FACEBOOK To: groups.facebook.com
score LOCAL_FACEBOOK -2

header LOCAL_FACEBOOK2 From =~ /notification.+\@facebookmail.com/i
describe LOCAL_FACEBOOK2 From: facebookmail.com
score LOCAL_FACEBOOK2 -7

header LOCAL_DHL From =~ /paket\@dhl.de/i
describe LOCAL_DHL From: mail@example.com
score LOCAL_DHL -4

body LOCAL_MEDIKAMENT_RULE /Medikament/i
describe LOCAL_MEDIKAMENT_RULE Suche nach Schlagwort Medikament
score LOCAL_MEDIKAMENT_RULE 0.5

body LOCAL_CANDIDA_RULE /Candida/i
describe LOCAL_CANDIDA_RULE Suche nach Schlagwort Candida
score LOCAL_CANDIDA_RULE 0.5

body LOCAL_PILZ_RULE /Pilz/i
describe LOCAL_PILZ_RULE Suche nach Schlagwort Pilz
score LOCAL_PILZ_RULE 0.5

body LOCAL_MEDIKAMENT_RULE /Medikament/i
describe LOCAL_MEDIKAMENT_RULE Suche nach Schlagwort Medikament
score LOCAL_MEDIKAMENT_RULE 1

body LOCAL_MEDIKAMENT_RULE /Medikament/i
describe LOCAL_MEDIKAMENT_RULE Suche nach Schlagwort Medikament
score LOCAL_MEDIKAMENT_RULE 1

body LOCAL_SPITZENPREIS_RULE /Spitzenpreis/i
describe LOCAL_SPITZENPREIS_RULE Suche nach Schlagwort Spitzenpreis
score LOCAL_SPITZENPREIS_RULE 2

body LOCAL_KRANKENKASSE_RULE /Krankenkasse/i
describe LOCAL_KRANKENKASSE_RULE Suche nach Schlagwort Krankenkasse
score LOCAL_KRANKENKASSE_RULE 1

body LOCAL_TARIF_RULE /Tarif/i
describe LOCAL_TARIF_RULE Suche nach Schlagwort Tarif
score LOCAL_TARIF_RULE 1

body LOCAL_OFFER_RULE /offer/i
describe LOCAL_OFFER_RULE Suche nach Schlagwort Offer
score LOCAL_OFFER_RULE 1

body LOCAL_ANGEBOT_RULE /Angebot/i
describe LOCAL_ANGEBOT_RULE Suche nach Schlagwort Angebot
score LOCAL_ANGEBOT_RULE 0.5

body LOCAL_LIQUID_RULE /Liquid/i
describe LOCAL_LIQUID_RULE Suche nach Schlagwort Liquids
score LOCAL_LIQUID_RULE 2

body LOCAL_ZIGARETTE_RULE /Zigarette/i
describe LOCAL_ZIGARETTE_RULE Suche nach Schlagwort Zigarette
score LOCAL_ZIGARETTE_RULE 2

body LOCAL_HAEMORRIDEN_RULE /Hämorriden/i
describe LOCAL_HAEMORRIDEN_RULE Suche nach Schlagwort Hämorriden
score LOCAL_HAEMORRIDEN_RULE 2

body LOCAL_HAEMORRIDEN_RULE /Hämorriden/i
describe LOCAL_HAEMORRIDEN_RULE Suche nach Schlagwort Hämorriden
score LOCAL_HAEMORRIDEN_RULE 2

body LOCAL_GEIL_RULE /geil/i
describe LOCAL_GEIL_RULE Suche nach Schlagwort Geil
score LOCAL_GEIL_RULE 3

body LOCAL_IPHONE_RULE /iPhone/i
describe LOCAL_IPHONE_RULE Suche nach Schlagwort iPhone
score LOCAL_IPHONE_RULE 0.5

body LOCAL_KOSTENLOS_RULE /kostenlos/i
describe LOCAL_KOSTENLOS_RULE Suche nach Schlagwort kostenlos
score LOCAL_KOSTENLOS_RULE 1

body LOCAL_VERTRAG_RULE /Vertrag/i
describe LOCAL_VERTRAG_RULE Suche nach Schlagwort Vertrag
score LOCAL_VERTRAG_RULE 2

body LOCAL_V1AGRA_RULE /V1agra/i
describe LOCAL_V1AGRA_RULE Suche nach Schlagwort V1agra
score LOCAL_V1AGRA_RULE 15.0

body LOCAL_FAKESPAM /\/-nix.news\?/i
describe LOCAL_FAKESPAM Suche nach Schlagwort nix.news
score LOCAL_FAKESPAM 150.0

body LOCAL_KV /Krankenversicherung/i
describe LOCAL_KV Suche nach Schlagwort Krankenversicherung
score LOCAL_KV 15.0

body LOCAL_KREDIT /Kredit/i
describe LOCAL_KREDIT Suche nach Schlagwort Kredit
score LOCAL_KREDIT 15.0

body LOCAL_SLIM /beslim/i
describe LOCAL_SLIM Suche nach Schlagwort beslim
score LOCAL_SLIM 15.0

body LOCAL_MARKETING /marketing/i
describe LOCAL_MARKETING Suche nach Schlagwort marketing
score LOCAL_MARKETING 5.0

body LOCAL_DOWNLOAD /download now/i
describe LOCAL_DOWNLOAD Suche nach Schlagwort download now
score LOCAL_DOWNLOAD 5.0

body LOCAL_HOLIDAY /holiday/i
describe LOCAL_HOLIDAY Suche nach Schlagwort holiday
score LOCAL_HOLIDAY 5.0

body LOCAL_ABNEHMEN /abnehmen/i
describe LOCAL_ABNEHMEN Suche nach Schlagwort abnehmen
score LOCAL_ABNEHMEN 5.0

body LOCAL_VIP /vip/i
describe LOCAL_VIP Suche nach Schlagwort vip
score LOCAL_VIP 5.0

body LOCAL_HEISS /heiss/i
describe LOCAL_HEISS Suche nach Schlagwort heiss
score LOCAL_HEISS 2.0

body LOCAL_SUESS /süss/i
describe LOCAL_SUESS Suche nach Schlagwort süss
score LOCAL_SUESS 1.0

body LOCAL_SUES /süß/i
describe LOCAL_SUES Suche nach Schlagwort süß
score LOCAL_SUES 1.0

body LOCAL_HEIS /heiß/i
describe LOCAL_HEIS Suche nach Schlagwort heiß
score LOCAL_HEIS 2.0

body LOCAL_BWL /bwl/i
describe LOCAL_BWL Suche nach Schlagwort bwl
score LOCAL_BWL 2.0

body LOCAL_TREFFEN /treffen/i
describe LOCAL_TREFFEN Suche nach Schlagwort treffen
score LOCAL_TREFFEN 1.0

body LOCAL_DREIER /dreier/i
describe LOCAL_DREIER Suche nach Schlagwort dreier
score LOCAL_DREIER 2.0

body LOCAL_PROFIL /profil/i
describe LOCAL_PROFIL Suche nach Schlagwort profil
score LOCAL_PROFIL 2.0

body LOCAL_BILD /bild/i
describe LOCAL_BILD Suche nach Schlagwort bild
score LOCAL_BILD 0.5

body LOCAL_NACHRICHT /Nachricht /i
describe LOCAL_NACHRICHT Suche nach Schlagwort Nachricht
score LOCAL_NACHRICHT 0.5

body LOCAL_BILDERSERVICE /Bilderservive/i
describe LOCAL_BILDERSERVICE Suche nach Schlagwort Bilderservice
score LOCAL_BILDERSERVICE 3.0

header LOCAL_GRATISWETTE Subject =~ /Gratiswette/i
describe LOCAL_GRATISWETTE Subject: Gratiswette
score LOCAL_GRATISWETTE  10.0

header LOCAL_GRATISWETTE2 From =~ /Gratiswette/i
describe LOCAL_GRATISWETTE2 From: Gratiswette
score LOCAL_GRATISWETTE2 10.0

body LOCAL_FREUNDSCHAFTSANFRAGE /Freundschaftsanfrage/i
describe LOCAL_FREUNDSCHAFTSANFRAGE Suche nach Schlagwort Freundschaftsanfrage
score LOCAL_FREUNDSCHAFTSANFRAGE 2.0

body LOCAL_FACEBOOKZENTRALE /Facbeook-Zentrale/i
describe LOCAL_FACEBOOKZENTRALE Suche nach Schlagwort Facbeook-Zentrale
score LOCAL_FACEBOOKZENTRALE 10.0

body LOCAL_URL /http\:\/\/.+\/............\//i
describe LOCAL_URL Suche nach Schlagwort URLs wie http://www.1u1mx.site/QCutDY9Iw8rR/
score LOCAL_URL 3.0

body LOCAL_URL2 /http\:\/\//i
describe LOCAL_URL2 Suche nach Schlagwort URLs
score LOCAL_URL2 1

body LOCAL_SAUNA /Sauna/i
describe LOCAL_SAUNA Suche nach Schlagwort SAUNAs
score LOCAL_SAUNA 0.5

header LOCAL_BEWERBUNG Subject =~ /bewerbung/i
describe LOCAL_BEWERBUNG Subject: bewerbung
score LOCAL_BEWERBUNG  -10.0

header LOCAL_AMAZONR Subject =~ /Informationen zum Ausdrucken eines Rücksendeetiketts von Amazon/i
describe LOCAL_AMAZONR Subject: Ruecksendung
score LOCAL_AMAZONR -10.0

header LOCAL_MONEY Subject =~ /money/i
describe LOCAL_MONEY Subject: money
score LOCAL_MONEY  5.0

header LOCAL_MARKETING From =~ /allround-marketing.com/i
describe LOCAL_MARKETING From: Marketing
score LOCAL_MARKETING  30.0

header LOCAL_IENTRY From =~ /ientrynetwork.net/i
describe LOCAL_IENTRY From: ientrynetwork
score LOCAL_IENTRY  30.0

header LOCAL_FAJEA From =~ /fajea.com/i
describe LOCAL_FAJEA From: Fajea
score LOCAL_FAJEA  30.0

header LOCAL_SEER From =~ /mail.internetseer.com/i
describe LOCAL_SEER From: Internetseer
score LOCAL_SEER  30.0

header LOCAL_CLIK From =~ /clik-n.com/i
describe LOCAL_CLIK From: clik-n
score LOCAL_CLIK  30.0

header LOCAL_CLIKN From =~ /c-likn.com/i
describe LOCAL_CLIKN From: c-likn
score LOCAL_CLIKN 30.0

header LOCAL_LINKEDIN From =~ /LinkedIn/i
describe LOCAL_LINKEDIN From: LinkedIn
score LOCAL_LINKEDIN 30.0

header LOCAL_DIGITALRIVER From =~ /digitalriver/i
describe LOCAL_DIGITALRIVER From: digitalriver
score LOCAL_DIGITALRIVER 30.0

header LOCAL_DIGITALRIVER From =~ /digitalriver/i
describe LOCAL_DIGITALRIVER From: digitalriver
score LOCAL_DIGITALRIVER 30.0

header LOCAL_QUOTEITFREE From =~ /quoteitfree/i
describe LOCAL_QUOTEITFREE From: quoteitfree
score LOCAL_QUOTEITFREE 30.0

header LOCAL_NEWS From =~ /news/i
describe LOCAL_NEWS From: news
score LOCAL_NEWS 3.0

body LOCAL_ASIA /日/
describe LOCAL_ASIA Suche nach ASIA-Schriftzeichen
score LOCAL_ASIA 5.0

body LOCAL_ASIA2 /顢/
describe LOCAL_ASIA2 Suche nach ASIA-Schriftzeichen
score LOCAL_ASIA2 5.0

body LOCAL_ASIA3 /죩/
describe LOCAL_ASIA3 Suche nach ASIA-Schriftzeichen
score LOCAL_ASIA3 5.0

header LOCAL_SUBJ_RUSS_CHAR Subject:raw =~ /koi8-r/i
describe LOCAL_SUBJ_RUSS_CHAR Suche nach Russisches-Charset
score LOCAL_SUBJ_RUSS_CHAR 5.0

header LOCAL_SUBJ_ASIA_CHAR Subject:raw =~ /gb2312/i
describe LOCAL_SUBJ_ASIA_CHAR Suche nach Asia-Charset
score LOCAL_SUBJ_ASIA_CHAR 5.0

body LOCAL_CLICKSERVER /clickserver/i
describe LOCAL_CLICKSERVER Suche nach CLICKSERVER
score LOCAL_CLICKSERVER 5.0

body LOCAL_WHATSAPP /whatsapp/i
describe LOCAL_WHATSAPP Suche nach WHATSAPP
score LOCAL_WHATSAPP 5.0

body LOCAL_NACHBARIN /Nachbarin/i
describe LOCAL_NACHBARIN Suche nach Nachbarin
score LOCAL_NACHBARIN 1.0

body LOCAL_ERWACHSENEN /Erwachsenen/i
describe LOCAL_ERWACHSENEN Suche nach Erwachsenen
score LOCAL_ERWACHSENEN 2.0

whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com
whitelist_to mail@example.com

whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com
whitelist_from mail@example.com

include /etc/spamassassin/horde-whitelist
include /etc/spamassassin/sendto-whitelist
include /etc/spamassassin/user-whitelist
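A long local.cf like the one above accumulates mistakes that SpamAssassin never complains about: several rule names are defined more than once (LOCAL_DISCOUNT_RULE, LOCAL_MEDIKAMENT_RULE, LOCAL_HAEMORRIDEN_RULE, LOCAL_DIGITALRIVER), and LOCAL_MARKETING is first a body rule with score 5 and later a header rule with score 30, so the body rule is silently replaced because the last definition wins. As an added example that is not the howto's code, the following shell lint reports duplicate definitions and describe/score lines for local rules that are never defined; the sample config it is tested on is constructed.

```shell
#!/bin/sh
# Added example, not part of the howto: a lint for a SpamAssassin local.cf
# that reports rule names defined more than once (SpamAssassin keeps only the
# last definition, so an earlier body rule is silently replaced by a later
# header rule of the same name) and describe/score lines for local rules that
# are never defined. Rule names are filtered by prefix (default LOCAL_) so
# that score overrides for stock rules such as BAYES_* are not reported.

# Usage: lint_sa_rules [prefix] < /etc/mail/spamassassin/local.cf
lint_sa_rules() {
  awk -v prefix="${1:-LOCAL_}" '
    # a rule definition: keyword, rule name, then the pattern
    $1 ~ /^(body|rawbody|header|uri|full|meta)$/ {
      defs[$2]++
      if (defs[$2] > 1)
        print "duplicate definition of " $2 " at line " NR " (last one wins)"
      next
    }
    # a reference to a rule name; remember the last keyword that used it
    $1 == "describe" || $1 == "score" { refs[$2] = $1 }
    END {
      for (r in refs)
        if (index(r, prefix) == 1 && !(r in defs))
          print refs[r] " for undefined rule " r
    }
  '
}

# Constructed local.cf fragment with the kinds of mistakes the lint finds:
# LOCAL_A defined twice, LOCAL_B as body and then as header rule,
# LOCAL_C described and scored but never defined, BAYES_00 ignored.
sample_local_cf() {
  cat <<'EOF'
body LOCAL_A /alpha/i
describe LOCAL_A keyword alpha
score LOCAL_A 1.0
body LOCAL_A /alpha again/i
describe LOCAL_A keyword alpha again
score LOCAL_A 2.0
body LOCAL_B /beta/i
describe LOCAL_B keyword beta
score LOCAL_B 3.0
header LOCAL_B From =~ /beta\.example/i
describe LOCAL_B From: beta
score LOCAL_B 30.0
describe LOCAL_C keyword gamma
score LOCAL_C 1.0
score BAYES_00 0
EOF
}

# Number of findings on the sample (3).
count_sample_findings() {
  sample_local_cf | lint_sa_rules | wc -l | tr -d ' '
}
```

Run it as `lint_sa_rules < /etc/mail/spamassassin/local.cf` after every edit; `spamassassin --lint` checks the syntax of each line but does not flag a rule that overrides another one.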


Changes in /etc/postfix/main.cf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/postfix/main.cf

Changed on 10.09.08
Issued by olli
Beginning line 682

This is the Postfix (SMTP) configuration.

mynetworks_style = host
inet_protocols = ipv4

default_destination_concurrency_limit = 2
mail_spool_directory = /var/spool/mail
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# Recipient Mail (RCPT TO) checks
smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access hash:/etc/postfix/amavis, permit_sasl_authenticated, reject_unauth_destination
mailbox_transport = cyrus
# example.com has to be registered because of the "loop to myself" error
myhostname=example.com
mydestination = pcre:/etc/postfix/mydestinations
virtual_alias_maps = hash:/etc/postfix/mailaddresses,pcre:/etc/postfix/catchall
#local_recipient_maps = $virtual_alias_maps

# SASL SMTP authentication
smtpd_sasl2_auth_enable = yes
smtpd_sasl_local_domain =

# SSL/TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/example.com/example.com.key
smtpd_tls_cert_file = /etc/ssl/example.com/example.com.crt
smtpd_tls_CAfile = /etc/ssl/example.com/letsencryptchain.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_protocols = !SSLv2, !SSLv3 
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_auth_only = yes
smtp_tls_protocols = !SSLv2, !SSLv3
tls_random_source = dev:/dev/urandom

# Sender Mail (MAIL FROM) checks
smtpd_sender_login_maps = hash:/etc/postfix/mailaddresses
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, reject_sender_login_mismatch, reject_unlisted_sender, permit_auth_destination, permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# Max. size of every mail (200 MB)
message_size_limit=209715200
mailbox_size_limit=209715200

# Client error handling (waiting time before the next prompt after an error, for security reasons)
smtpd_error_sleep_time = 2s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10

# Maximal number of recipients in one Mail (Spam prevention)
smtpd_recipient_limit = 500

# Deactivate the Postfix version banner (for security reasons).
# The parameter is smtpd_banner; it is set again under "Sec:" below, and the later setting wins.
smtpd_banner = $myhostname ESMTP

# Allow a "-" at the beginning of a mail address
allow_min_user = yes

# Optional for special mailrouting
#transport_maps = hash:/etc/postfix/transport

# Relay server. Comment it out if mails should be delivered directly. A mail relay is needed for internet connections with dynamic IPs and some other connections, because many mail servers do not trust dynamic IPs and reject mails from them. Some providers offer a mail relay; some require authentication too.
relayhost = smtp.1und1.de:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes 

# Header Checks
#header_checks = regexp:/etc/postfix/header_checks

# Sec:
disable_vrfy_command=yes
smtpd_banner=example.com

compatibility_level=2
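The security-relevant lines of this main.cf are the relay control (defer_unauth_destination after the permit_* entries), smtpd_tls_auth_only so that SASL passwords never travel in clear text, noanonymous in the SASL options, the disabled VRFY command and the SSLv2/SSLv3 exclusion. As an added example that is not part of the howto, here is a small audit that checks exactly these settings in "postconf -n" output; the two configurations it is tested on are constructed, one copying the settings above and one deliberately weak.

```shell
#!/bin/sh
# Added example, not part of the howto: an audit of the security-relevant
# settings in the main.cf above, meant to run over "postconf -n" output:
#     postconf -n | audit_postfix
# The two configurations further down are constructed for the demonstration.

# Print the (last) value of parameter $1 from the config on stdin,
# trailing whitespace removed; prints an empty line when the value is empty.
cf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

# True when value $1 matches the extended regex $2.
value_matches() {
  printf '%s\n' "$1" | grep -E -q "$2"
}

# Record one check: $1 = description, rest = command that passes or fails.
check() {
  desc=$1; shift
  if "$@"; then echo "OK   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Run all checks on the config given on stdin; prints one line per check
# and returns the number of failures (0 when everything passed).
audit_postfix() {
  cfg=$(cat)
  fails=0
  # Relay control: Postfix >= 2.10 uses smtpd_relay_restrictions; older
  # releases rely on smtpd_recipient_restrictions for the same purpose.
  relay=$(printf '%s\n' "$cfg" | cf_get smtpd_relay_restrictions)
  [ -n "$relay" ] || relay=$(printf '%s\n' "$cfg" | cf_get smtpd_recipient_restrictions)
  check "unauthenticated relaying is rejected or deferred" \
    value_matches "$relay" '(reject|defer)_unauth_destination'
  check "SMTP AUTH only offered over TLS (smtpd_tls_auth_only = yes)" \
    value_matches "$(printf '%s\n' "$cfg" | cf_get smtpd_tls_auth_only)" '^yes$'
  check "anonymous SASL mechanisms disabled (noanonymous)" \
    value_matches "$(printf '%s\n' "$cfg" | cf_get smtpd_sasl_security_options)" 'noanonymous'
  check "VRFY command disabled" \
    value_matches "$(printf '%s\n' "$cfg" | cf_get disable_vrfy_command)" '^yes$'
  proto=$(printf '%s\n' "$cfg" | cf_get smtpd_tls_protocols)
  check "SSLv2 excluded from smtpd_tls_protocols" value_matches "$proto" '!SSLv2|>=TLS'
  check "SSLv3 excluded from smtpd_tls_protocols" value_matches "$proto" '!SSLv3|>=TLS'
  return $fails
}

# Constructed: the relevant lines as set in the main.cf of this howto.
hardened_cf() {
  cat <<'EOF'
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
disable_vrfy_command=yes
smtpd_tls_protocols = !SSLv2, !SSLv3
EOF
}

# Constructed: a weak configuration (open relay, AUTH over plain text,
# anonymous SASL allowed, VRFY enabled, SSLv3 still offered).
weak_cf() {
  cat <<'EOF'
smtpd_recipient_restrictions = permit_mynetworks, permit
smtpd_tls_auth_only = no
smtpd_sasl_security_options =
disable_vrfy_command = no
smtpd_tls_protocols = !SSLv2
EOF
}
```

The relay check only looks for the reject/defer entry; it does not verify that no unconditional permit precedes it, so read the restriction list once by hand as well.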


Changes in /etc/postfix/master.cf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/postfix/master.cf

Changed on 10.09.08
Issued by olli
Beginning line 132

Deliver local incoming mails to Cyrus

cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/deliver -e -r ${sender} -m ${extension} ${user}

Changed on 10.09.08
Issued by olli
Beginning line 137

Receive mails scanned by amavis

# amavisd-new
smtp-amavis unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       n     -       -  smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=XXX.XXX.XXX.XXX/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=

Changes in /usr/local/sbin/mailaddresses.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/mailaddresses.sh

Changed on 04.06.13
Issued by olli
Beginning line 2

Update Mail addresses for each User.

#!/bin/bash

. /etc/profile

>/tmp/mailaddresses-$$
for i in `getent group users | cut -d: -f4 | perl -pe 's/\,/ /g'`
do
 # Get Infos
 USER=`getent passwd $i | cut -d":" -f 1`
 LNAME="`getent passwd $i | cut -d':' -f 5`"
 echo "$USER@example.com $USER" >>/tmp/mailaddresses-$$
 LNAME=`echo "$LNAME" | tr '[A-Z]' '[a-z]' | perl -pe 's/ö/oe/g; s/ä/ae/g; s/ü/ue/g; s/ß/ss/g; s/[^a-zA-Z0-9\.]/\./g; s/\.+/\./g; s/^\.//; s/\.$//;'`
 echo "$LNAME@example.com $USER" >>/tmp/mailaddresses-$$
done
find /tmp/mailaddresses-$$ -empty -delete
if [ -f /tmp/mailaddresses-$$ ]
then
 if [ `cat /tmp/mailaddresses-$$ | wc -l` -gt 5 ]
 then
  cat /tmp/mailaddresses-$$ /etc/postfix/mailaddresses | sort -u > /etc/postfix/mailaddresses.tmp
  cat /etc/postfix/mailaddresses.tmp >/etc/postfix/mailaddresses
  postmap /etc/postfix/mailaddresses
  rm /tmp/mailaddresses-$$ /etc/postfix/mailaddresses.tmp
 else
  echo "$0: /tmp/mailaddresses-$$ hat weniger als 5 Zeilen: `cat /tmp/mailaddresses-$$` -> Breche Bearbeitung ab. " | mail -s "/tmp/mailaddresses-$$ hat weniger als 5 Zeilen" root
 fi
else
 echo "$0: Fehler beim Mailadressenupdate!!!"
fi
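Two parts of mailaddresses.sh deserve a test before the script is allowed to rewrite /etc/postfix/mailaddresses: the name normalisation (which decides which full-name addresses are accepted for a login) and the "fewer than 5 lines" guard that stops a failed getent/LDAP lookup from emptying the map. As an added example that is not the howto's script, here they are as shell functions over a constructed user list; DOMAIN and the sample users are assumptions, and unlike the original tr/perl chain the normalisation also handles upper-case Ä/Ö/Ü.

```shell
#!/bin/sh
# Added example, not part of the howto: the two pieces of mailaddresses.sh
# that deserve a test before the script touches /etc/postfix/mailaddresses,
# written as functions over constructed input. DOMAIN and the sample users
# are assumptions; the real script reads the users with getent.

DOMAIN="example.com"

# "Jürgen Müßler" -> "juergen.muessler": transliterate umlauts (upper and
# lower case; the original tr/perl chain misses Ä/Ö/Ü), lowercase, turn
# everything else into a dot, collapse dots, trim leading/trailing dots.
normalize_name() {
  printf '%s' "$1" \
    | sed -e 's/Ä/ae/g; s/ä/ae/g; s/Ö/oe/g; s/ö/oe/g; s/Ü/ue/g; s/ü/ue/g; s/ß/ss/g' \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/[^a-z0-9.]/./g; s/\.\.*/./g; s/^\.//; s/\.$//'
}

# stdin: "login:Full Name" per line. stdout: virtual_alias_maps entries
# "address login" for the login address and for the full-name address.
map_lines() {
  while IFS=: read -r login gecos; do
    [ -n "$login" ] || continue
    printf '%s@%s %s\n' "$login" "$DOMAIN" "$login"
    full=$(normalize_name "$gecos")
    if [ -n "$full" ]; then
      printf '%s@%s %s\n' "$full" "$DOMAIN" "$login"
    fi
  done
}

# Guard from the original script: refuse to replace the live map when the
# freshly generated one has 5 lines or fewer (a failed getent/LDAP lookup
# would otherwise empty the map and break mail delivery). Map on stdin.
enough_entries() {
  [ "$(wc -l | tr -d ' ')" -gt 5 ]
}

# Constructed user list (the real one comes from getent passwd).
sample_users() {
  cat <<'EOF'
olli:Olli Example
jmue:Jürgen Müßler
abri:Anna-Lena O'Brien
EOF
}

# How the real script would chain them (not run here):
#   sample_users | map_lines >/tmp/mailaddresses.$$
#   enough_entries </tmp/mailaddresses.$$ || exit 1
#   sort -u /tmp/mailaddresses.$$ /etc/postfix/mailaddresses >/etc/postfix/mailaddresses.tmp
```

The map also feeds smtpd_sender_login_maps in the main.cf above, so every address the normalisation produces becomes a sender address the login may use; that is why the transliteration has to be deterministic and why an unexpected extra line in the map is worth a look.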

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add postfix 
rc-update add saslauthd default
rc-update add amavisd 
rc-update add spamd 
rc-update add clamd default

Please send a feedback to: doc<at>gabosh.net

Howto listing
File Index

MySQL-Server

This describes the installation of a MySQL-Server.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge dev-db/mysql

Changes in /etc/mysql/my.cnf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/mysql/my.cnf

Changed on 09.09.08
Issued by olli
Beginning line 69

MySQL should listen only on the socket and allow at most 600 connections at the same time.


Before change
# skip-networking
bind-address                            = 127.0.0.1
After change
skip-networking
# bind-address                            = 127.0.0.1
#set-variable = max_connections=600

Changed on 09.09.08
Issued by olli
Beginning line 78

This deactivates bin-logging, because we don't want to use a MySQL cluster. Backups are made with the backup script (see the Backup topic).


Before change
log-bin
server-id                                     = 1
After change
# log-bin
# server-id                                     = 1

Changes in /etc/mysql/my.cnf.bak

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/mysql/my.cnf.bak

Changed on 09.09.08
Issued by olli
Beginning line 69

MySQL should listen only on the socket and allow at most 600 connections at the same time.


Before change
skip-networking
After change
skip-networking
#set-variable = max_connections=600

Changed on 09.09.08
Issued by olli
Beginning line 77

This deactivates bin-logging, because we don't want to use a MySQL cluster. Backups are made with the backup script (see the Backup topic).


Before change
log-bin
server-id                                     = 1
After change
# log-bin
# server-id                                     = 1

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add mysql 


Network Sound Server

For sending music or other sounds over a network I use PulseAudio on my server. This way I can play music from a mobile device, for example, and the sound is carried over WLAN to the sound system connected to the server.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge media-sound/pulseaudio

Changes in /etc/conf.d/pulseaudio

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/pulseaudio

Changed on 06.11.15
Issued by olli
Beginning line 9

Enable System Wide Startup for PulseAudio

PULSEAUDIO_SHOULD_NOT_GO_SYSTEMWIDE=1

Changes in /etc/portage/profile/use.mask

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/portage/profile/use.mask

Changed on 06.11.15
Issued by olli
Beginning line 1

Enable System wide PulseAudio for init-Scripts

-system-wide

Changes in /etc/pulse/system.pa

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/pulse/system.pa

Changed on 06.11.15
Issued by olli
Beginning line 58

Listen on the server for network clients (auth-ip-acl=0.0.0.0/0 accepts connections from every source address)

load-module module-native-protocol-tcp auth-ip-acl=0.0.0.0/0
#load-module module-alsa-sink

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add pulseaudio default


OpenLDAP

Here is a little howto to set up your own basic LDAP server.
After emerging openldap you should generate your encrypted LDAP root password and set it later in the LDAP server config file.
slappasswd
New password: my-password
Re-enter new password: my-password
{SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
You can create users, groups, computers,... with the WebGUI PHPLDAPAdmin. Have a look at the OpenLDAP WebGUI Howto.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-nds/openldap

Changes in /etc/ldap.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/ldap.conf

Changed on 24.02.09
Issued by olli
Beginning line 15

LDAP Client configuration (how to connect to LDAP-Server)

BASE         dc=example,dc=com
URI          ldaps://127.0.0.1:636
pam_login_attribute	uid:caseExactMatch:
TLS_REQCERT   allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_policy hard
bind_timelimit 3
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
nss_initgroups_ignoreusers adm,amavis,apache,arpwatch,asterisk,at,bin,clamav,cron,cyrus,daemon,ddclient,dhcp,distcc,ez-ipupd,fetchmail,ftp,get,halt,hsqldb,icecast,ices,ldap,lp,mail,mailman,man,mediatomb,memcached,messagebus,minidlna,mysql,named,news,nobody,ntp,openvpn,operator,pdns,polkitd,portage,postfix,postmaster,privoxy,root,rpc,saned,shutdown,smmsp,snort,squid,sshd,sync,tcpdump,tor,uucp

Changes in /etc/nscd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/nscd.conf

Changed on 02.09.14
Issued by olli
Beginning line 46

nscd configuration to work around LDAP hangs

	reload-count            unlimited
	positive-time-to-live   passwd          2592000
	positive-time-to-live   group           2592000

Changes in /etc/openldap/ldap.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/openldap/ldap.conf

Changed on 24.02.09
Issued by olli
Beginning line 15

LDAP Client configuration (how to connect to LDAP-Server)

BASE         dc=example,dc=com
URI          ldaps://127.0.0.1:636
pam_login_attribute	uid:caseExactMatch:
TLS_REQCERT   allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_policy hard
bind_timelimit 3
nss_reconnect_tries 3
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
nss_initgroups_ignoreusers adm,amavis,apache,arpwatch,asterisk,at,bin,clamav,cron,cyrus,daemon,ddclient,dhcp,distcc,ez-ipupd,fetchmail,ftp,get,halt,hsqldb,icecast,ices,ldap,lp,mail,mailman,man,mediatomb,memcached,messagebus,minidlna,mysql,named,news,nobody,ntp,openvpn,operator,pdns,polkitd,portage,postfix,postmaster,privoxy,root,rpc,saned,shutdown,smmsp,snort,squid,sshd,sync,tcpdump,tor,uucp

Changes in /etc/openldap/ldap.ldif

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/openldap/ldap.ldif

Changed on 02.03.09
Issued by olli
Beginning line 1

LDAP DNs for basic structure. Insert this file with

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/ldap.ldif
when the slapd is started.

# Base DN
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

# Group DN (/etc/group)
dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# User DN (/etc/passwd; /etc/shadow)
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User DN - Normal Users
dn: ou=People,ou=Users,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User DN - System Users
dn: ou=SystemUsers,ou=People,dc=example,dc=com
ou: SystemUsers
objectClass: top
objectClass: organizationalUnit
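A small lint for LDIF files like the one above, added here as an example and not part of the howto: it checks the two structural rules ldapadd would otherwise fail on (the RDN value must recur as an attribute of the entry, and the parent entry must be the suffix or appear earlier in the file) plus a missing objectClass. The embedded sample LDIF is constructed; it copies the layout of ldap.ldif with two deliberate mistakes, and the corrected copy lints clean. Base64 (::) values and escaped commas in DNs are assumed not to occur.

```python
"""Lint an LDIF file like ldap.ldif above before handing it to ldapadd (added
example, not the howto's code): each DN's RDN value must recur as an attribute
(dc=example needs dc: example), each parent must be the suffix or an earlier
entry (ldapadd adds in file order), and each entry needs an objectClass."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict[str, list[str]] = field(default_factory=dict)


def parse_ldif(text: str) -> list[Entry]:
    """Minimal LDIF parser: '#' comments, 'attr: value' lines, blank-line
    separated entries, continuation lines starting with a space."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entries: list[Entry] = []
    current: Entry | None = None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if current is not None:       # no blank line between entries
                entries.append(current)
            current = Entry(dn=value)
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current.attrs.setdefault(name, []).append(value)
    return entries


def split_dn(dn: str) -> list[tuple[str, str]]:
    # 'ou=People,dc=example,dc=com' -> [('ou', 'People'), ('dc', 'example'), ...]
    return [(a.strip().lower(), v.strip())
            for a, _, v in (rdn.partition("=") for rdn in dn.split(","))]


def normalize_dn(dn: str) -> str:
    return ",".join(f"{a}={v.lower()}" for a, v in split_dn(dn))


def lint_ldif(text: str, suffix: str) -> list[str]:
    """Return human-readable problems; [] means the structure is consistent."""
    problems: list[str] = []
    seen = {normalize_dn(suffix)}
    for entry in parse_ldif(text):
        parts = split_dn(entry.dn)
        rdn_attr, rdn_val = parts[0]
        values = [v.lower() for v in entry.attrs.get(rdn_attr, [])]
        if rdn_val.lower() not in values:
            problems.append(f"{entry.dn}: RDN value '{rdn_attr}={rdn_val}' is not "
                            f"among the entry's '{rdn_attr}' values {values}")
        if "objectclass" not in entry.attrs:
            problems.append(f"{entry.dn}: no objectClass")
        parent = ",".join(f"{a}={v}" for a, v in parts[1:])
        if (normalize_dn(entry.dn) != normalize_dn(suffix)
                and normalize_dn(parent) not in seen):
            problems.append(f"{entry.dn}: parent '{parent}' not defined before it")
        seen.add(normalize_dn(entry.dn))
    return problems


# Constructed sample in the layout of ldap.ldif with two deliberate mistakes: a
# dc value that does not match the RDN, and an entry whose parent (ou=Users) is missing.
BROKEN_LDIF = """\
dn: dc=example,dc=com
dc: gabosh
objectClass: domain

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=People,ou=Users,dc=example,dc=com
ou: People
objectClass: organizationalUnit
"""

# The same structure with both mistakes corrected; lint_ldif() returns [] for it.
FIXED_LDIF = BROKEN_LDIF.replace("dc: gabosh", "dc: example").replace(
    "dn: ou=People,ou=Users,dc=example,dc=com\nou: People",
    "dn: ou=Users,ou=People,dc=example,dc=com\nou: Users")
```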

Changes in /etc/openldap/schema/dlz.schema

File permissions:
Owner: krey
Group: 513
Permissions: -rw-r--r--

Changed on 01.12.15
Issued by olli
Beginning line 1

This is the LDAP-Schema for BIND DLZ-LDAP.

#
# 1.3.6.1.4.1.18420.1.1.X is reserved for attribute types declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.2.X is reserved for object classes declared by the DLZ project.
# 1.3.6.1.4.1.18420.1.3.X is reserved for PRIVATE extensions to the DLZ attribute
#                     types and object classes that may be needed by end users
#                     to add security, etc.  Attributes and object classes using
#                     this OID MUST NOT be published outside of an organization
#                     except to offer them for consideration to become part of the
#                     standard attributes and object classes published by the DLZ project.

attributetype ( 1.3.6.1.4.1.18420.1.1.10
        NAME 'dlzZoneName'
        DESC 'DNS zone name - domain name not including host name'
        SUP name 
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.20
	NAME 'dlzHostName'
        DESC 'Host portion of a domain name'
	SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.30
        NAME 'dlzData'
        DESC 'Data for the resource record'
        SUP name
        SINGLE-VALUE )       
        
attributetype ( 1.3.6.1.4.1.18420.1.1.40
	NAME 'dlzType'
        DESC 'DNS record type - A, SOA, NS, MX, etc...'
        SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.50
	NAME 'dlzSerial'
        DESC 'SOA record serial number'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.60
	NAME 'dlzRefresh'
        DESC 'SOA record refresh time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.70
	NAME 'dlzRetry'
        DESC 'SOA retry time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.80
	NAME 'dlzExpire'
        DESC 'SOA expire time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.90
	NAME 'dlzMinimum'
        DESC 'SOA minimum time in seconds'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.100
        NAME 'dlzAdminEmail'
        DESC 'E-mail address of person responsible for this zone - @ should be replaced with . (period)'
	SUP name
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.18420.1.1.110
	NAME 'dlzPrimaryNS'
        DESC 'Primary name server for this zone - should be host name not IP address'
	SUP name
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.120
	NAME 'dlzIPAddr'
        DESC 'IP address - IPV4 should be in dot notation xxx.xxx.xxx.xxx IPV6 should be in colon notation xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'
	EQUALITY caseExactIA5Match 
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{40}
	SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.130
	NAME 'dlzCName'
        DESC 'DNS cname'
	SUP name
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.140
	NAME 'dlzPreference'
        DESC 'DNS MX record preference.  Lower numbers have higher preference'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.150
	NAME 'dlzTTL'
        DESC 'DNS time to live - how long this record can be cached by caching DNS servers'
        EQUALITY integerMatch        
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
        SINGLE-VALUE )
        
attributetype ( 1.3.6.1.4.1.18420.1.1.160
	NAME 'dlzRecordID'
	DESC 'Unique ID for each DLZ resource record'
	SUP name
	SINGLE-VALUE )

#------------------------------------------------------------------------------
# Object class definitions
#------------------------------------------------------------------------------

objectclass ( 1.3.6.1.4.1.18420.1.2.10
	NAME 'dlzZone'         
        DESC 'Zone name portion of a domain name'
        SUP top STRUCTURAL
	MUST ( objectclass $ dlzZoneName ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.20
	NAME 'dlzHost' 
        DESC 'Host name portion of a domain name'
        SUP top STRUCTURAL
	MUST ( objectclass $ dlzHostName ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.30
	NAME 'dlzAbstractRecord' 
        DESC 'Data common to all DNS record types'
        SUP top ABSTRACT
	MUST ( objectclass $ dlzRecordID $ dlzHostName $ dlzType $ dlzTTL ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.40
	NAME 'dlzGenericRecord' 
        DESC 'Generic DNS record - useful when a specific object class has not been defined for a DNS record'
        SUP dlzAbstractRecord STRUCTURAL
	MUST ( dlzData ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.50
        NAME 'dlzARecord'
        DESC 'DNS A record'
        SUP dlzAbstractrecord STRUCTURAL
        MUST ( dlzIPAddr ) )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.60
        NAME 'dlzNSRecord'
        DESC 'DNS NS record'
        SUP dlzGenericRecord STRUCTURAL )

objectclass ( 1.3.6.1.4.1.18420.1.2.70
        NAME 'dlzMXRecord'
        DESC 'DNS MX record'
        SUP dlzGenericRecord STRUCTURAL
        MUST ( dlzPreference ) )
                
objectclass ( 1.3.6.1.4.1.18420.1.2.80
        NAME 'dlzSOARecord'
        DESC 'DNS SOA record'
        SUP dlzAbstractRecord STRUCTURAL       
        MUST ( dlzSerial $ dlzRefresh $ dlzRetry
               $ dlzExpire $ dlzMinimum $ dlzAdminEmail $ dlzPrimaryNS ) )
               
objectclass ( 1.3.6.1.4.1.18420.1.2.90
	NAME 'dlzTextRecord' 
        DESC 'Text data with spaces should be wrapped in double quotes'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.100
        NAME 'dlzPTRRecord'
        DESC 'DNS PTR record'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.110
        NAME 'dlzCNameRecord'
        DESC 'DNS CName record'
        SUP dlzGenericRecord STRUCTURAL )
        
objectclass ( 1.3.6.1.4.1.18420.1.2.120
        NAME 'dlzXFR'
        DESC 'Host allowed to perform zone transfer'
        SUP top STRUCTURAL
        MUST ( objectclass $ dlzRecordID $ dlzIPAddr ) )


Changes in /etc/openldap/schema/dnszone.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 02.04.10
Issued by olli
Beginning line 1

This is the LDAP-Schema for BIND SDB-LDAP. The aRecord, mDRecord, mXRecord, nSRecord, sOARecord and cNAMERecord attributes listed in dNSZone below are not defined in this file; they come from cosine.schema, which slapd.conf includes before this one.

# A schema for storing DNS zones in LDAP
#
attributetype ( 1.3.6.1.4.1.2428.20.0.0  NAME 'dNSTTL'
	DESC 'An integer denoting time to live'
	EQUALITY integerMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
	DESC 'The class of a resource record'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
	DESC 'The name of a zone, i.e. the name of the highest node in the zone'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
	DESC 'The starting labels of a domain name'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
	DESC 'domain name pointer, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
	DESC 'host information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
	DESC 'mailbox or mail list information, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
	DESC 'text string, RFC 1035'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
	DESC 'for AFS Data Base location, RFC 1183'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
	DESC 'Signature, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
	DESC 'Key, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
	DESC 'IPv6 address, RFC 1886'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
	DESC 'Location, RFC 1876'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
	DESC 'non-existant, RFC 2535'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
	DESC 'service location, RFC 2782'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
	DESC 'Naming Authority Pointer, RFC 2915'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
	DESC 'Key Exchange Delegation, RFC 2230'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
	DESC 'certificate, RFC 2538'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
	DESC 'A6 Record Type, RFC 2874'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
	DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
	DESC 'Delegation Signer, RFC 3658'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.44 NAME 'sSHFPRecord'
	DESC 'SSH Key Fingerprint, draft-ietf-secsh-dns-05.txt'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
	DESC 'RRSIG, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
	DESC 'NSEC, RFC 3755'
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
        SUP top STRUCTURAL
	MUST ( zoneName $ relativeDomainName )
        MAY ( DNSTTL $ DNSClass $
              ARecord $ MDRecord $ MXRecord $ NSRecord $
	      SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
              MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $
              KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $
              SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $
              A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $
              RRSIGRecord $ NSECRecord ) )

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Changed on 24.02.09
Issued by olli
Beginning line 6

Include the basic schemas

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Changed on 19.02.10
Issued by olli
Beginning line 25

This includes a self-built schema, e.g. for groups in groups or for mixing DNS with DHCP entries.

include         /etc/openldap/schema/gabosh.schema

Changes in /etc/openldap/slapd.conf

File permissions:
Owner: root
Group: ldap
Permissions: -rw-r-----

Changed on 24.02.09
Issued by olli
Beginning line 40

Certificates for using TLS.

TLSCertificateFile      /etc/ssl/example.com/example.com.crt
TLSCertificateKeyFile   /etc/ssl/example.com/example.com.key
#TLSCertificateFile      /etc/openldap/ssl/ldap.crt
#TLSCertificateKeyFile   /etc/openldap/ssl/ldap.key
#TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3
loglevel         stats acl

Changed on 24.02.09
Issued by olli
Beginning line 53

Set the search path for LDAP modules


Before change
# modulepath	/usr/lib/openldap/openldap
After change
modulepath  /usr/lib/openldap/openldap

Changed on 24.02.09
Issued by olli
Beginning line 65

Load the back_hdb module for the HDB storage backend.
Create the HDB config file first:

cp /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG


Before change
# moduleload	back_hdb.so
After change
moduleload  back_hdb.so

Changed on 24.02.09
Issued by olli
Beginning line 99

Set ACLs on the hashed user passwords. This prevents reading the password hashes, e.g. with "getent shadow" for shadow accounts or with ldapsearch. If you do not use LDAP authentication for Samba, you can leave out the samba* attributes and the smbadmin line. Note that the last clause still grants every client anonymous read access to all other attributes.


# Only access over local network
access to dn="dc=example,dc=com"
  by peername.ip="127.0.0.1" read break
  by peername.ip="my.lan.network.ip%XXX.XXX.XXX.XXX" read break
  by peername.ip="XXX.XXX.XXX.XXX%XXX.XXX.XXX.XXX" read break

# ACL for passwords
access to attrs=givenName,userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaAcctFlags,shadowLastChange
  by dn="cn=smbadmin,ou=SystemUsers,ou=People,dc=example,dc=com" write
  by anonymous auth
  by self write
  by * none

# Global anonymous read access
access to * 
  by * read

Changed on 24.02.09
Issued by olli
Beginning line 124

LDAP Base DN


Before change
suffix		"dc=my-domain,dc=com"
After change
suffix                "dc=example,dc=com"

Changed on 24.02.09
Issued by olli
Beginning line 131

LDAP Root DN


Before change
rootdn		"cn=Manager,dc=my-domain,dc=com"
After change
rootdn                "cn=Manager,dc=example,dc=com"

Changed on 24.02.09
Issued by olli
Beginning line 139

LDAP root password hash, generated with slappasswd


Before change
rootpw		secret
After change
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX

Changed on 23.11.09
Issued by olli
Beginning line 149

Define slapd indexes for LDAP tuning and to get rid of the "bdb_equality_candidates: (uid) not indexed" log entries. Don't forget to run slapindex as the ldap user afterwards!


Before change
#index	objectClass	eq
After change
index objectclass,entryCSN,entryUUID   eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index uniqueMember            eq
index sambaSID              eq
index sambaPrimaryGroupSID  eq
index sambaDomainName       eq
index default               sub
index                       zoneName                         eq
index                       relativeDomainName               eq

Changes in /gtc/test/etc/thinclient/server-profile/etc/openldap/schema/dnszone.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 02.04.10
Issued by olli
Beginning line 1

This is the LDAP-Schema for BIND SDB-LDAP; the file content is identical to /etc/openldap/schema/dnszone.schema above and is not repeated here.

Setting up services

To start the new service automatically after a reboot, add it to a runlevel with the following command(s):

rc-update add slapd 

Please send feedback to: doc<at>gabosh.net


OpenLDAP Groups in Groups

Here is an example of how I managed to put posix groups into other groups (nested groups) with OpenLDAP.

If you want to use this solution you need the following howto(s) finished:

Changes in /etc/openldap/groupsingroups.ldif

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 19.02.10
Issued by olli
Beginning line 1

This is an example LDIF file for groups in groups. First a "normal" group users with gid 100 and three users is inserted.
Then the users group is put into the audio group. The output of "getent group audio" will show that user1, user2 and user3 are members of the audio group.
And voila: you have a nested group, a group in a group.
Change the file according to your needs and insert it with

ldapadd -x -D cn=Manager,dc=example,dc=com -W -f /etc/openldap/groupsingroups.ldif

dn: cn=users,ou=Group,dc=example,dc=com
objectClass: gaboshGroup
objectClass: posixGroup
objectClass: top
uniqueMember: cn=user1,ou=Users,ou=People,dc=example,dc=com
uniqueMember: cn=user2,ou=Users,ou=People,dc=example,dc=com
uniqueMember: cn=user3,ou=Users,ou=People,dc=example,dc=com
gidNumber: 100
cn: users

dn: cn=audio,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: gaboshGroup
cn: audio
gidNumber: 18
uniqueMember: cn=users,ou=Group,dc=example,dc=com

Changes in /etc/openldap/schema/gabosh.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 19.02.10
Issued by olli
Beginning line 1

This is the schema for using nested groups (groups in groups)

objectclass ( 1.3.6.1.4.1.35312.1 NAME 'gaboshGroup'
        DESC 'adds uniqueMember attribut for groups'
        SUP top AUXILIARY
        MAY ( uniqueMember )
        )


OpenLDAP System authentication

This is an example of how to authenticate your system accounts against LDAP over PAM or saslauthd. Users can change their passwords in LDAP with the passwd command as usual.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge sys-auth/pam_ldap
emerge sys-auth/nss_ldap

Changes in /etc/conf.d/saslauthd

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 22

If you use SASL for some authentications, point saslauthd to a configuration file with your LDAP settings.


Before change
SASLAUTHD_OPTS="-a pam"
After change
SASLAUTHD_OPTS="-O /etc/saslauthd.conf -a ldap"

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 02.12.09
Issued by olli
Beginning line 32

Run the checkusers-script hourly

42 * * * *      root    /usr/local/sbin/checkusers.sh 2>&1 | mail -E -s "Checkusers-Script" root

Changes in /etc/ldap.conf.old

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 18

The LDAP base DN


Before change
base dc=padl,dc=com
After change
base dc=example,dc=com

Changed on 18.05.09
Issued by olli
Beginning line 137

Match the login name case-exactly and accept a self-signed SSL/TLS certificate (tls_reqcert allow skips verification of the server certificate, so the client does not authenticate the server)

pam_login_attribute uid:caseExactMatch:
tls_reqcert allow

Changes in /etc/nsswitch.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 4

The lookup order for passwd, shadow and group


Before change
passwd:      compat
shadow:      compat
group:       compat
After change
passwd:      compat ldap
shadow:      compat ldap
group:       compat ldap

Changes in /etc/pam.d/system-auth

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 2

Authenticate with LDAP


Before change
auth            required        pam_unix.so try_first_pass likeauth nullok
After change
auth            sufficient   	pam_unix.so try_first_pass likeauth nullok
auth       	sufficient   	pam_ldap.so use_first_pass 
#auth            optional        pam_smbpass.so migrate use_first_pass
auth       	required     	pam_deny.so

Changed on 18.05.09
Issued by olli
Beginning line 13

Authenticate with LDAP

account    	sufficient   	pam_ldap.so

Changes in /etc/pam.d/system-auth

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 25

Authenticate with LDAP


Before change
password        required      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
After change
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password   	sufficient 	pam_ldap.so use_authtok use_first_pass
password   	required     	pam_deny.so

Changed on 18.05.09
Issued by olli
Beginning line 37

Authenticate with LDAP

session		optional     	pam_ldap.so

Changes in /etc/saslauthd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 18.05.09
Issued by olli
Beginning line 1

If you use SASL for some authentications, configure the LDAP access for saslauthd here.

ldap_servers: ldaps://127.0.0.1:636
ldap_search_base: ou=Users,ou=People,dc=example,dc=com
ldap_scope: one
ldap_uidattr: uid
ldap_filter: uid:caseExactMatch:=%U

Changes in /usr/local/sbin/checkusers.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 02.12.09
Issued by olli
Beginning line 2

This is a script I use to create a home directory and a mailbox when a new LDAP user is created. Whether you can use it depends on your environment.

#!/bin/bash
. /etc/profile

for i in $(getent passwd | cut -d":" -f 3)
do
 if [ "$i" -gt 999 ]
 then
  if [ "$i" -lt 65000 ]
  then
   # Get infos with a single getent call per user
   ENTRY=$(getent passwd "$i")
   USER=$(echo "$ENTRY" | cut -d":" -f 1)
   USERID=$(echo "$ENTRY" | cut -d":" -f 3)
   HOMEDIR=$(echo "$ENTRY" | cut -d":" -f 6)
   GROUP=$(echo "$ENTRY" | cut -d":" -f 4)
   LNAME=$(echo "$ENTRY" | cut -d':' -f 5)
   #echo "Checking User $USER"
   # Create the home directory if it does not exist yet
   if ! [ -d "$HOMEDIR" ]
   then
    echo "Creating Homedir $HOMEDIR for $USER ($i)"
    mkdir -p "$HOMEDIR"
    chown "$USER:$GROUP" "$HOMEDIR"
    chmod 0700 "$HOMEDIR"
   fi
#   if ! [ -d "/srv/share/.Trash-$USERID" ]
#   then
#    echo "Creating Trashdir /srv/share/.Trash-$USERID for $USER ($i)"
#    mkdir -p /srv/share/.Trash-$USERID
#    chown $USER:$GROUP /srv/share/.Trash-$USERID
#    chmod 0700 /srv/share/.Trash-$USERID
#   fi
   # Check whether a mailbox exists
   if ! [ "$USER" = "admin" ]
   then
    if /usr/local/sbin/cyr-show-mailboxes | grep "^user\.$USER" >/dev/null
    then
     echo "Mailbox for User $USER OK" >/dev/null
    else
     echo "Creating Mailbox for $USER"
     /usr/local/sbin/cyr-create-mbox "user.$USER" 100
    fi
   fi
   # Check for Horde-Test Identity
   if echo "select * from horde_prefs where pref_uid='$USER' AND pref_scope='horde' AND pref_name='identities'" | mysql -u root -p`gtc-crypt -a mysqlroot -p` hordetest 2>&1 | grep -v "Warning: Using a password on the command line interface can be insecure." | grep identities >/dev/null
   then
    echo "Horde-Test Identity for $USER exists" >/dev/null
   else
    echo "Creating Horde-Test-Identity for $USER"
    let LNAMECOLS=$(echo $LNAME | wc -m)-1
    let MAILCOLS=$(echo $USER | wc -m)+10
    echo "INSERT INTO horde_prefs (pref_uid, pref_scope, pref_name, pref_value) VALUES ('$USER', 'horde', 'identities','a:1:{i:0;a:17:{s:16:\"default_identity\";i:0;s:9:\"from_addr\";s:$MAILCOLS:\"$USER@example.com\";s:8:\"fullname\";s:$LNAMECOLS:\"$LNAME\";s:2:\"id\";s:18:\"Standardidentität\";s:10:\"identities\";s:6:\"a:0:{}\";s:10:\"properties\";N;s:10:\"alias_addr\";a:0:{}s:10:\"tieto_addr\";a:0:{}s:8:\"bcc_addr\";a:0:{}s:8:\"location\";s:0:\"\";s:12:\"replyto_addr\";s:0:\"\";s:9:\"signature\";s:0:\"\";s:10:\"sig_dashes\";i:0;s:14:\"signature_html\";s:0:\"\";s:9:\"sig_first\";i:0;s:14:\"save_sent_mail\";i:1;s:16:\"sent_mail_folder\";s:4:\"Sent\";}}')" | mysql -u root -p`gtc-crypt -a mysqlroot -p` hordetest 2>&1 | grep -v "Warning: Using a password on the command line interface can be insecure."
   fi
   # Check for Horde Identity
   if echo "select * from horde_prefs where pref_uid='$USER' AND pref_scope='horde' AND pref_name='identities'" | mysql -u root -p`gtc-crypt -a mysqlroot -p` horde4 2>&1 | grep -v "Warning: Using a password on the command line interface can be insecure." | grep identities >/dev/null
   then
    echo "Horde Identity for $USER exists" >/dev/null
   else
    echo "Creating Horde-Identity for $USER"
     # serialize() prefixes every string with its length in bytes, so count the
     # bytes (wc -c) of exactly the strings that are inserted
     LNAMECOLS=$(printf '%s' "$LNAME" | wc -c)
     MAILCOLS=$(printf '%s' "$USER@example.com" | wc -c)
     echo "INSERT INTO horde_prefs (pref_uid, pref_scope, pref_name, pref_value) VALUES ('$USER', 'horde', 'identities','a:1:{i:0;a:17:{s:16:\"default_identity\";i:0;s:9:\"from_addr\";s:$MAILCOLS:\"$USER@example.com\";s:8:\"fullname\";s:$LNAMECOLS:\"$LNAME\";s:2:\"id\";s:18:\"Standardidentität\";s:10:\"identities\";s:6:\"a:0:{}\";s:10:\"properties\";N;s:10:\"alias_addr\";a:0:{}s:10:\"tieto_addr\";a:0:{}s:8:\"bcc_addr\";a:0:{}s:8:\"location\";s:0:\"\";s:12:\"replyto_addr\";s:0:\"\";s:9:\"signature\";s:0:\"\";s:10:\"sig_dashes\";i:0;s:14:\"signature_html\";s:0:\"\";s:9:\"sig_first\";i:0;s:14:\"save_sent_mail\";i:1;s:16:\"sent_mail_folder\";s:4:\"Sent\";}}')" | mysql -u root -p`gtc-crypt -a mysqlroot -p` horde4 2>&1 | grep -v "Warning: Using a password on the command line interface can be insecure."
   fi
   # Prepare synchronization
   #mksynccal.pl $USER hordetest
   #mksynccal.pl $USER horde4
   # Send a daily e-mail if the password is older than 3 months and the user is in the vpn group (and replace it after 6 months)
   if [ "`date +%H`" -eq "1" ]
   then
    if id $USER | grep -q '(vpn)'
    then
     olddate=`date -d "-3 month" +%s`
     lockdate=`date -d "-6 month" +%s`
     ldappw=`gtc-crypt -a ldap -p`
     if ldapsearch -LLL -w $ldappw -D cn=Manager,dc=example,dc=com uid=$USER | grep sambaPwdLastSet >/dev/null 2>&1
     then
      pwdate=`ldapsearch -LLL -w $ldappw -D cn=Manager,dc=example,dc=com uid=$USER | grep sambaPwdLastSet | cut -d" " -f2`
      ldappw=""
      if [ $lockdate -gt $pwdate ]
      then
        echo "Password of $USER was replaced automatically because it had not been changed for 6 months (last set: `date -d @$pwdate`)" | mail -s "Password of $USER automatically changed (6 months)" admin
       pwgen=`pwgen -cn 8 1`
       echo "$USER:$pwgen" | chpasswd
       echo "$pwgen" | gtc-crypt -a pwgen-$USER -b
      elif [ $olddate -gt $pwdate ]
      then
       echo "Password of $USER is too old: `date -d @$pwdate`" | mail -s "Password of $USER too old" admin
        echo "Hello,

Your password has not been changed since `date -d @$pwdate`. To minimise the risk to the operation of the server it is necessary that the password is changed regularly (at least every 3 months). This only affects VPN users.

If no new password has been set after 6 months, the account will be locked as a precaution.

Please change the password via Horde -> https://horde.example.com at the top under 'Others' -> 'My Account' -> 'Password'!

Once the password has been changed, please remember that it also has to be changed everywhere it may have been stored (e.g. smartphone, Conversations, DAVDroid, ActiveSync, e-mail client, Thunderbird, Firefox, Fritz!Box, ...).

Thanks
 " | mail -s "Please change your password - last change `date -d @$pwdate`" $USER
      fi
     fi
    fi
   fi
  fi
 fi
done

chmod 700 /home/*
maillists.sh
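The script above hands its secrets to mysql and ldapsearch on the command line (-p`gtc-crypt ...`, -w $ldappw), where any local user can read them from the process list while the command runs; the grep that hides mysql's warning hides exactly that complaint. The following is an added example, not part of the original howto, of the pattern that avoids it: write the secret into a file only the caller can read, hand the command the file name, and delete the file afterwards. mysql reads such a file with --defaults-extra-file, ldapsearch with -y. To run anywhere, secret_source() stands in for "gtc-crypt -a mysqlroot -p" with a constructed value, and cat stands in for the consuming command.

```shell
#!/bin/sh
# Added example (not from the original howto): hand a secret to a command
# through a private temporary file rather than on its command line.
# Stand-ins so it runs anywhere: secret_source() replaces
# "gtc-crypt -a mysqlroot -p", and the consumer is whatever command is
# passed in (cat below). With the real tools it would be
#   with_secret_file mysql mysql --defaults-extra-file    (file appended)
#   with_secret_file raw   ldapsearch -LLL -D ... -y      (file appended)

# Stand-in for the secret store; the value is constructed for the example.
secret_source() {
    printf '%s' 's3cr3t-example'
}

# render_secret FORMAT > file
#   raw   : the bare secret, no trailing newline (what "ldapsearch -y" wants)
#   mysql : a my.cnf fragment for "mysql --defaults-extra-file="
render_secret() {
    case $1 in
        raw)   secret_source ;;
        mysql) printf '[client]\npassword=%s\n' "$(secret_source)" ;;
        *)     echo "render_secret: unknown format $1" >&2; return 2 ;;
    esac
}

# with_secret_file FORMAT CMD [ARGS...]
# Writes the secret into a 0600 file, runs CMD ARGS... FILE, deletes the
# file whatever happens, and returns CMD's exit status.
with_secret_file() {
    fmt=$1; shift
    # umask in a subshell: the file is unreadable for others from the
    # first instant, so there is no window before a later chmod.
    f=$(umask 077; mktemp "${TMPDIR:-/tmp}/secret.XXXXXX") || return 1
    trap 'rm -f "$f"' HUP INT TERM
    render_secret "$fmt" >"$f" || { rm -f "$f"; trap - HUP INT TERM; return 2; }
    if "$@" "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    trap - HUP INT TERM
    return $rc
}

# Demo when run directly: the consumer only sees a file name on its argv,
# so "ps" shows no password.
with_secret_file mysql cat
```

The raw format deliberately writes no trailing newline: ldapsearch -y uses the complete file content as the password, newline included, so a file written with echo would fail to bind.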


Please send a feedback to: doc<at>gabosh.net

Howto listing
File Index

OpenLDAP WebGUI phpldapadmin

Here is a small web GUI, written in PHP, for administering the OpenLDAP server.
After emerging phpldapadmin you have to copy the files from /usr/share/webapps/openldapadmin-<version>/htdocs into a destination in your DocumentRoot. My destination, for example, is /var/www/gabosh.net/htdocs/intern/phpldapadmin. Since the login form offers the directory manager's DN as the default and sends the password with every login, serve this path over HTTPS only and let the web server restrict it to the networks from which you administer the directory.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-nds/phpldapadmin

Changes in /var/www/www.gabosh.net/htdocs/intern/phpldapadmin/config/config.php

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /var/www/www.gabosh.net/htdocs/intern/phpldapadmin/config/config.php

Changed on 02.03.09
Issued by olli
Beginning line 283

The LDAP Base


Before change
// $servers->setValue('server','base',array(''));
After change
$servers->setValue('server','base',array('dc=example,dc=com'));

Changed on 02.03.09
Issued by olli
Beginning line 311

The bind DN offered by the login form


Before change
#  $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
After change
$servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');


Printserver

This is a short description of how to install a CUPS print server and share the printers over Samba.
You can configure your printers with the web GUI on "http://:631" (the server's host name followed by port 631).

If you want to use this solution you need the following howto(s) finished:

Required hardware

For this topic you need the following hardware: Linux/CUPS compatible printer

Required software

The required software has to be installed with the following command(s):
emerge net-print/cups

Changes in /etc/cups/cupsd.conf

File permissions:
Owner: root
Group: lp
Permissions: -rw-r-----

Click here for a download of the complete file: /etc/cups/cupsd.conf

Changed on 29.11.11
Issued by olli
Beginning line 12

Logging to syslog

AccessLog syslog
ErrorLog syslog
PageLog syslog

Changed on 18.11.13
Issued by olli
Beginning line 19

Allow printing over the network


Before change
Listen localhost:631
After change
Listen *:631

Changed on 18.11.13
Issued by olli
Beginning line 39

Allow printing over the network. Since cupsd now listens on every interface, these Allow lines (and the firewall) decide who can reach the daemon and its web interface; keep them limited to the networks that actually print.

  Allow localhost
  Allow from 172.23.*
  Allow from 172.24.*
  Allow from 172.25.*
  Allow from 10.1.1.*

Changes in /etc/cups/mime.convs

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/cups/mime.convs

Changed on 01.10.09
Issued by olli
Beginning line 109

This is needed to allow raw printing


Before change
#application/octet-stream     application/vnd.cups-raw        0       -
After change
application/octet-stream      application/vnd.cups-raw        0       -

Changes in /etc/cups/mime.types

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/cups/mime.types

Changed on 25.09.08
Issued by olli
Beginning line 171

This is needed to allow raw printing


Before change
#application/octet-stream
After change
application/octet-stream

Changes in /etc/samba/smb.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/samba/smb.conf

Changed on 01.10.09
Issued by olli
Beginning line 67

Share all CUPS printers over the network. The path is only the spool directory Samba writes incoming jobs to before handing them to CUPS; a dedicated directory such as /var/spool/samba (mode 1777) keeps print jobs out of the shared /tmp.

[printers]
   comment = All Printers
   valid users = @users,printuser
   printing = CUPS
   path = /tmp
   printable = yes

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add cupsd 


Rename files recursively

This is a perl script which I use to rename a mass of files recursively. It supports perl regexes and, of course, your own perl code. There is an undo function too for undoing a bad renaming. Note that the regex file is executed as perl code (with do), so only use regex files you wrote or checked yourself, and try a simulation run (-s) first.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge dev-perl/File-ReadBackwards

Changes in /gtc/test/etc/thinclient/scripts/gtc-rename

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-rename

Changed on 30.11.10
Issued by olli
Beginning line 2

This script renames all filenames (and dirs) in a specified path with the regexes from a specified regex-file.
For example, to change the character a into b and y into z in all filenames you can create a regex file, e.g. /tmp/rename, with the following lines:

s/a/b/g;
s/y/z/g;
# Then you run this command with the following options:
# $0 -p /path/in/which/you/want/to/rename -r /tmp/rename

#!/usr/bin/perl -w

# === Strict Perl ===
use strict;

# === Initialize vars ===
use vars qw/*name *dir *opt_h *opt_p *path *opt_v *verb *opt_r *regex *sim *opt_s *files *opt_u/;
*name=*File::Find::name;
*dir=*File::Find::dir;

# === Parse Commandline ===
# Clear vars
$opt_p="";
$opt_r="";
$opt_u="";
# Get the Options
use Getopt::Std;
getopts('hvp:r:su:');

# Run help/usage?
usage() if ($opt_h);

# Be verbose?
$verb=1 if ($opt_v);

# Simulating?
$sim=0;
if ($opt_s) {
 print "Only simulating - Not really renaming...\n";
 $sim=1;
}

# Shall I undo something?
if ($opt_u) {
 # Test if the undo-file is existing
 if (-f $opt_u) {
  # Open and read it
  use File::ReadBackwards;
  my $line = File::ReadBackwards->new($opt_u) || die "Could not open $opt_u: $!" ;
  until ( $line->eof ) {
   my $undo=$line->readline;
   # ...remove newline
   chomp($undo);
   # Get the two filenames
   my @undo=split(" \/\/\/ ", $undo);
   my $source=$undo[0];
   my $target=$undo[1];
   # Rename it
   print "Undo Renaming '$source' to '$target'\n";
   rename($source, $target) || warn "Could not rename $source to $target: $!\n" unless $sim;
  }
  # Exit if no path to rename was given in addition
  exit 0 unless $opt_p;
 }
 else {
  die "You have to specify a valid undo-file if you want to undo an action\n";
 }
}


# Get path from cmdline
if (-d $opt_p) {
 $path=$opt_p;
 # Get absolute path
 chdir($path) || die "Could not change to $path: $!";
 use Cwd;
 $path=getcwd;
 print "Using path $path\n" if $verb;
}
else {
 print "ERROR: No or non existing Path $opt_p specified...\n\n";
 usage();
}

# Get regex file from cmdline
if (-f $opt_r) {
 $regex=$opt_r;
 print "Using regex-file $regex\n" if $verb;
}
else {
 print "ERROR: No or non existing regexfile $opt_r specified...\n\n";
 usage();
}

# === Prepare Undo/Log-File ===
# Create Undo/Log file
my $undo;
unless ($sim) {
 mkdir($ENV{HOME} . "/.gtc-rename",0700) unless ( -d $ENV{HOME} . "/.gtc-rename" );
 use POSIX qw/strftime/;
 $undo=$ENV{HOME} . '/.gtc-rename/gtc-rename-undo-' . strftime('%Y-%m-%d-%H-%M-%S',localtime) . '-PID-' . $$;
 open(UNDORENAME, ">$undo") || die "ERROR: Can't open Undo $undo file: $!";
}
# === Find files ===
use File::Find();
use File::Basename;
print "Searching files...\n" if $verb;
File::Find::find({wanted => \&files}, $path);
print "\n" if $verb;
@files=reverse(@files);
foreach my $file (@files) {
 s_rename($file);
}

# === Close Undo-Log ===
unless ($sim) {
 close(UNDORENAME);
 # Remove undo-file if it is empty
 unlink $undo unless (-s $undo);
}

# === Put files in array ===
sub files {
 print "." if $verb;
 return 0 if ($name eq $path);
 push(@files,$name);
}

# === Rename files ===
sub s_rename {
 # Get the name
 my $name=shift;
 print "thinking about '$name'...\n" if $verb;
 # Get the file ($_) and the path ($d) name
 $_=basename($name);
 our $d=dirname($name);
 # Run the regex-file
 do $regex;
 # Remove very bad newlines
 s/\n/_/g;
 # put the new path/name back together
 my $n=$d . "/" . $_;
 # If the filename has changed
 unless ($n eq $name) {
  # Check if the target file exists
  if (-e $n) {
   warn "ERROR: Can't rename file ($name) because the target ($n) already exists";
  }
  else {
   # Rename file and write the log
   print "Renaming '$name' to '$n'\n" if (($verb) || ($sim));
   rename($name, $n) || warn "ERROR: Renaming from $name to $n failed: $!\n" unless $sim;
   # remove bad newline in the old filename if exists
   $name=~s/\n/_/g;
   print UNDORENAME "$n /// $name\n" unless $sim; 
  }
 }
}

# === Help ===
sub usage {
 print "Overview:
=========
This renames all filenames (and dirs) in a specified path with the regexes from a specified regex-file.
For example, to change the character a into b and y into z in all filenames you can create a regex file, e.g. /tmp/rename, with the following lines:
s/a/b/g;
s/y/z/g;
Then you run this command with the following options:
$0 -p /path/in/which/you/want/to/rename -r /tmp/rename

To replace all characters other than latin letters and digits with _ you can put this in your regex-file:
s/[^a-zA-Z0-9]/_/g;

You can use all substitutions perl can do and, of course, your own perl code in the regex file.

Options:
========
-h\t-> This help/usage
-p path\t-> The path in which you want to rename all files
-r file\t-> The file with your substitutions
-v\t-> Be verbose
-s\t-> Dry (simulation) run
-u file\t-> Undo a job. You have to specify an undo file. The undo-files are in the .gtc-rename directory in your homedir: ~/.gtc-rename
";
 exit 1;
}

Changes in /usr/local/bin/gtc-rename

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/bin/gtc-rename

Changed on 30.11.10
Issued by olli
Beginning line 2

This script renames all filenames (and dirs) in a specified path with the regexes from a specified regex-file.
For example, to change the character a into b and y into z in all filenames you can create a regex file, e.g. /tmp/rename, with the following lines:

s/a/b/g;
s/y/z/g;
# Then you run this command with the following options:
# $0 -p /path/in/which/you/want/to/rename -r /tmp/rename

#!/usr/bin/perl -w

# === Strict Perl ===
use strict;

# === Initialize vars ===
use vars qw/*name *dir *opt_h *opt_p *path *opt_v *verb *opt_r *regex *sim *opt_s *files *opt_u/;
*name=*File::Find::name;
*dir=*File::Find::dir;

# === Parse Commandline ===
# Clear vars
$opt_p="";
$opt_r="";
$opt_u="";
# Get the Options
use Getopt::Std;
getopts('hvp:r:su:');

# Run help/usage?
usage() if ($opt_h);

# Be verbose?
$verb=1 if ($opt_v);

# Simulating?
$sim=0;
if ($opt_s) {
 print "Only simulating - Not really renaming...\n";
 $sim=1;
}

# Shall I undo something?
if ($opt_u) {
 # Test if the undo-file is existing
 if (-f $opt_u) {
  # Open and read it
  use File::ReadBackwards;
  my $line = File::ReadBackwards->new($opt_u) || die "Could not open $opt_u: $!" ;
  until ( $line->eof ) {
   my $undo=$line->readline;
   # ...remove newline
   chomp($undo);
   # Get the two filenames
   my @undo=split(" \/\/\/ ", $undo);
   my $source=$undo[0];
   my $target=$undo[1];
   # Rename it
   print "Undo Renaming '$source' to '$target'\n";
   rename($source, $target) || warn "Could not rename $source to $target: $!\n" unless $sim;
  }
  # Exit if no path to rename was given in addition
  exit 0 unless $opt_p;
 }
 else {
  die "You have to specify a valid undo-file if you want to undo an action\n";
 }
}


# Get path from cmdline
if (-d $opt_p) {
 $path=$opt_p;
 # Get absolute path
 chdir($path) || die "Could not change to $path: $!";
 use Cwd;
 $path=getcwd;
 print "Using path $path\n" if $verb;
}
else {
 print "ERROR: No or non existing Path $opt_p specified...\n\n";
 usage();
}

# Get regex file from cmdline
if (-f $opt_r) {
 $regex=$opt_r;
 print "Using regex-file $regex\n" if $verb;
}
else {
 print "ERROR: No or non existing regexfile $opt_r specified...\n\n";
 usage();
}

# === Prepare Undo/Log-File ===
# Create Undo/Log file
my $undo;
unless ($sim) {
 mkdir($ENV{HOME} . "/.gtc-rename",0700) unless ( -d $ENV{HOME} . "/.gtc-rename" );
 use POSIX qw/strftime/;
 $undo=$ENV{HOME} . '/.gtc-rename/gtc-rename-undo-' . strftime('%Y-%m-%d-%H-%M-%S',localtime) . '-PID-' . $$;
 open(UNDORENAME, ">$undo") || die "ERROR: Can't open Undo $undo file: $!";
}
# === Find files ===
use File::Find();
use File::Basename;
print "Searching files...\n" if $verb;
File::Find::find({wanted => \&files}, $path);
print "\n" if $verb;
@files=reverse(@files);
foreach my $file (@files) {
 s_rename($file);
}

# === Close Undo-Log ===
unless ($sim) {
 close(UNDORENAME);
 # Remove undo-file if it is empty
 unlink $undo unless (-s $undo);
}

# === Put files in array ===
sub files {
 print "." if $verb;
 return 0 if ($name eq $path);
 push(@files,$name);
}

# === Rename files ===
sub s_rename {
 # Get the name
 my $name=shift;
 print "thinking about '$name'...\n" if $verb;
 # Get the file ($_) and the path ($d) name
 $_=basename($name);
 our $d=dirname($name);
 # Run the regex-file
 do $regex;
 # Remove very bad newlines
 s/\n/_/g;
 # put the new path/name back together
 my $n=$d . "/" . $_;
 # If the filename has changed
 unless ($n eq $name) {
  # Check if the target file exists
  if (-e $n) {
   warn "ERROR: Can't rename file ($name) because the target ($n) already exists";
  }
  else {
   # Rename file and write the log
   print "Renaming '$name' to '$n'\n" if (($verb) || ($sim));
   rename($name, $n) || warn "ERROR: Renaming from $name to $n failed: $!\n" unless $sim;
   # remove bad newline in the old filename if exists
   $name=~s/\n/_/g;
   print UNDORENAME "$n /// $name\n" unless $sim; 
  }
 }
}

# === Help ===
sub usage {
 print "Overview:
=========
This renames all filenames (and dirs) in a specified path with the regexes from a specified regex-file.
For example, to change the character a into b and y into z in all filenames you can create a regex file, e.g. /tmp/rename, with the following lines:
s/a/b/g;
s/y/z/g;
Then you run this command with the following options:
$0 -p /path/in/which/you/want/to/rename -r /tmp/rename

To replace all characters other than latin letters and digits with _ you can put this in your regex-file:
s/[^a-zA-Z0-9]/_/g;

You can use all substitutions perl can do and, of course, your own perl code in the regex file.

Options:
========
-h\t-> This help/usage
-p path\t-> The path in which you want to rename all files
-r file\t-> The file with your substitutions
-v\t-> Be verbose
-s\t-> Dry (simulation) run
-u file\t-> Undo a job. You have to specify an undo file. The undo-files are in the .gtc-rename directory in your homedir: ~/.gtc-rename
";
 exit 1;
}


Rsync Server

This is a small howto for sharing files over rsync.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-misc/rsync

Changes in /etc/rsyncd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/rsyncd.conf

Changed on 24.09.09
Issued by olli
Beginning line 17

This serves /gtc/stable and /gtc/test read only. You can download it, for example, with "rsync -av rsync://host/thinclient /target".
The filter option sets some includes and excludes.
Note that both modules run with uid = 0 and set neither hosts allow nor auth users, so every host that can reach port 873 gets everything under the path that root can read. The filter keeps thinclient.conf.local, /root and /home out of the module, but restrict the daemon with hosts allow (or the firewall) if the server is not on a closed network.

[thinclient]
        path = /gtc/stable
        comment = Stable Thinclient
        read only = yes
        uid = 0
        gid = 0
        numeric ids = yes
        transfer logging = yes
        filter = + /etc/thinclient/global-profile/start.sh + /etc/thinclient/global-profile/etc - /_additionalsw - /etc/thinclient/thinclient.conf.local - /etc/thinclient/profiles/* - /etc/thinclient/global-profile/* - /etc/thinclient/user-profiles/* - /proc/ - /tmp/ - /home/ - /root/ - /var/tmp/portage/ - /sys - /_gtcroot - /gtcdvd

[thinclient-test]
        path = /gtc/test
        comment = Test Thinclient
        read only = yes
        uid = 0
        gid = 0
        numeric ids = yes
        transfer logging = yes
        filter = + /etc/thinclient/global-profile/start.sh + /etc/thinclient/global-profile/etc - /_additionalsw - /etc/thinclient/thinclient.conf.local - /etc/thinclient/profiles/* - /etc/thinclient/global-profile/* - /etc/thinclient/user-profiles/* - /proc/ - /tmp/ - /home/ - /root/ - /var/tmp/portage/ - /sys - /_gtcroot - /gtcdvd
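As an added example, not part of the original howto, here is a small audit for rsyncd.conf that reports, per module, the two settings the modules above depend on being acceptable: no "hosts allow" (anyone who can reach TCP port 873 can list and fetch the module) and "uid = 0" (files are read with root's permissions, so everything under the path that root can read is exported). The sample configuration it runs on is constructed for the example and is not the author's /etc/rsyncd.conf.

```shell
#!/bin/sh
# Added example (not from the original howto): audit rsyncd.conf modules
# for missing "hosts allow" and for transfers running as uid 0.
# Requires only sh and awk. The sample config below is constructed.

# rsyncd_audit FILE -> one "<module> <finding>" line per finding
rsyncd_audit() {
    awk '
        function flush() {
            if (mod == "") return
            if (!allow) print mod " no-hosts-allow"
            if (uid0)   print mod " uid-0"
        }
        /^[ \t]*#/ { next }                        # comment lines
        /^[ \t]*\[/ {                              # "[module]" header
            flush()
            mod = $0
            sub(/^[ \t]*\[/, "", mod); sub(/].*$/, "", mod)
            allow = 0; uid0 = 0
            next
        }
        /^[ \t]*hosts allow[ \t]*=/ { allow = 1 }
        /^[ \t]*uid[ \t]*=[ \t]*(0|root)[ \t]*$/ { uid0 = 1 }
        END { flush() }
    ' "$1"
}

# write_sample_conf FILE: a constructed rsyncd.conf with one open module in
# the style of the howto and one locked-down module for comparison.
write_sample_conf() {
    cat >"$1" <<'EOF'
# constructed sample, not a real configuration
[thinclient]
        path = /gtc/stable
        comment = Stable Thinclient
        read only = yes
        uid = 0
        gid = 0

[backup]
        path = /srv/backup
        read only = yes
        uid = nobody
        gid = nobody
        hosts allow = 10.1.1.0/24
        auth users = backup
        secrets file = /etc/rsyncd.secrets
EOF
}

# Demo: audit the constructed sample and print the findings.
_f=$(mktemp) && write_sample_conf "$_f" && rsyncd_audit "$_f"; rm -f "$_f"
```

Run it against the real file with "rsyncd_audit /etc/rsyncd.conf"; a module that legitimately needs no restriction (a public mirror, say) will still be listed, so read the output as a review list, not as errors.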

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add rsyncd default


SSL/TLS with self signed SSL Certificate

If you want to use SSL/TLS without buying a certificate you can sign one yourself. These are the steps on the server, here for a wildcard certificate covering gabosh.net and all of its subdomains.
First create a directory for your keys:
mkdir -p /etc/ssl/gabosh.net

and change into it:
cd /etc/ssl/gabosh.net

Generate the private key:
openssl genrsa -out gabosh.net.key 4096

and restrict its permissions, since anyone who can read this file can impersonate the server:
chmod 600 gabosh.net.key

Generate the certificate (valid for ten years, signed with SHA-256):
openssl req -new -x509 -nodes -sha256 -days 3650 -key gabosh.net.key > gabosh.net.crt
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
--> !!!!! The next line is vital (it covers all gabosh.net subdomains) !!!!!
Common Name (eg, YOUR name) :*.gabosh.net
Email Address :
Please enter the following extra attributes
to be sent with your certificate request
A challenge password :
An optional company name :

Note that current browsers (Chrome since version 58, for example) ignore the Common Name and only accept a host name that appears in a subjectAltName extension; the interactive prompts above do not add one, so for browser clients create the certificate with a config file or with -addext that sets subjectAltName = DNS:*.gabosh.net, DNS:gabosh.net. Because the certificate is self-signed, every client must also be told to trust it (see the readme below), otherwise it will, correctly, refuse the connection.

Then change the apache, postfix, ... config files. The lines in an Apache virtual host config file could look like this (adjust the paths to where you keep the key and certificate):
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/gabosh.net/gabosh.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/gabosh.net/gabosh.net.key

Restart the appropriate services, for example:
/etc/init.d/apache2 restart

And that's it.
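The same key and certificate steps, non-interactively and with the subjectAltName that the interactive prompts leave out, as an added example that is not part of the original howto. It assumes OpenSSL 1.0 or newer is installed; the domain and output directory are parameters, and the check function shows how to confirm that the result carries the wildcard name and validates against itself as a trust anchor (which is what a client with the readme's /etc/ssl/certs link installed sees).

```shell
#!/bin/sh
# Added example (not from the original howto): generate a self-signed
# wildcard certificate non-interactively, with a subjectAltName, and check
# it. Assumptions: OpenSSL 1.0+ is installed; example.com is a placeholder.

# mk_selfsigned DOMAIN OUTDIR [DAYS] [BITS]
# Produces OUTDIR/DOMAIN.key (mode 0600) and OUTDIR/DOMAIN.crt, a
# self-signed certificate for *.DOMAIN and DOMAIN.
mk_selfsigned() {
    domain=$1; outdir=$2; days=${3:-3650}; bits=${4:-4096}
    mkdir -p "$outdir" || return 1
    cfg="$outdir/$domain.cnf"
    # Minimal req config: no prompting, CN plus the SAN extension that a
    # bare "openssl req -x509" run from the interactive prompts omits.
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_self
[dn]
CN = *.$domain
[v3_self]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
    # umask in a subshell so the private key is 0600 from the start,
    # instead of being world-readable until a later chmod.
    (umask 077; openssl genrsa -out "$outdir/$domain.key" "$bits" 2>/dev/null) || return 1
    openssl req -new -x509 -sha256 -days "$days" -config "$cfg" \
        -key "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null || return 1
    rm -f "$cfg"
}

# check_selfsigned DOMAIN OUTDIR
# Returns 0 if the certificate names *.DOMAIN in its SAN and verifies
# against itself as the trust anchor.
check_selfsigned() {
    crt="$2/$1.crt"
    openssl x509 -noout -text -in "$crt" | grep -q "DNS:\*\.$1" || return 1
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1
}

# key_mode FILE -> the permission string of FILE, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage on the server described above (uncomment to run):
# mk_selfsigned gabosh.net /etc/ssl/gabosh.net && check_selfsigned gabosh.net /etc/ssl/gabosh.net
```

The certificate deliberately carries no keyUsage or basicConstraints extension, like the one produced by the interactive command; if you add them, keep in mind that a self-signed server certificate is also its own trust anchor, and a keyUsage without keyCertSign makes OpenSSL reject it in that role.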

If you want to use this solution you need the following howto(s) finished:

Changes in /etc/ssl/gabosh.net/readme

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/ssl/gabosh.net/readme

Changed on 13.03.09
Issued by olli
Beginning line 1

This is the directory for the SSL Certificates

To install and trust the Certificate run:

cd /etc/ssl/certs
ln -s ../example.com/example.com.crt `openssl x509 -hash -noout -in /etc/ssl/example.com/example.com.crt`.0

Changes in /etc/ssl/gabosh.net.self/readme

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/ssl/gabosh.net.self/readme

Changed on 13.03.09
Issued by olli
Beginning line 1

This is the directory for the SSL Certificates

To install and trust the Certificate run:

cd /etc/ssl/certs
ln -s ../example.com/example.com.crt `openssl x509 -hash -noout -in /etc/ssl/example.com/example.com.crt`.0

Changes in /gtc/test/etc/ssl/gabosh.net/readme

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/ssl/gabosh.net/readme

Changed on 13.03.09
Issued by olli
Beginning line 1

This is the directory for the SSL Certificates

To install and trust the Certificate run:

cd /etc/ssl/certs
ln -s ../example.com/example.com.crt `openssl x509 -hash -noout -in ../example.com/example.com.crt`.0


Sane Scanner Server

Here is a short description of how I offer my scanner on the network.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge media-gfx/sane-backends
emerge sys-apps/xinetd

Changes in /etc/sane.d/saned.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/sane.d/saned.conf

Changed on 26.11.08
Issued by olli
Beginning line 33

This allows scanning over the network by saned: only the listed network (here a /16) may connect.

my.lan.network.ip/16

Changes in /etc/xinetd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/xinetd.conf

Changed on 26.11.08
Issued by olli
Beginning line 24

This allows my local network to connect to xinetd. Change the IP according to your network.


Before change
      only_from       = XXX.XXX.XXX.XXX
After change
        only_from       = my.lan.network.ip

Changes in /etc/xinetd.d/sane-stream

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/xinetd.d/sane-stream

Changed on 26.11.08
Issued by olli
Beginning line 1

This allows scanning over the network with xinetd. saned is started as root here; it only needs access to the scanner's device node, so a dedicated unprivileged user in the group that owns the device is the least-privilege choice.

service sane-port
{
        socket_type = stream
        server      = /usr/sbin/saned
        protocol    = tcp
        user        = root
        group       = root
        wait        = no
        disable     = no
}

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add xinetd default


Save passwords encrypted

Often you have cases where you need a clear-text password in a file, e.g. in a script that logs in somewhere. This is a potential security risk. For such cases I store my passwords encrypted in a special password file, addressed via an alias. This is not much safer, but it is an additional barrier: the key that decrypts the file lives next to it in ~/.gtc-crypt, so anyone who can read both files (typically root, or someone with that user's rights) recovers the passwords; what it prevents is a password being read straight out of a script, a backup of it, or a shell history.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge dev-perl/crypt-cbc
emerge dev-perl/Crypt-DES

Changes in /gtc/test/etc/thinclient/scripts/gtc-crypt

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-crypt

Changed on 30.11.10
Issued by olli
Beginning line 2

This is a small app for storing strings encrypted on your harddisk, e.g. for using passwords in scripts running without interaction in the background. It is not (very) safe but maybe better than storing plain text passwords on the harddisk.

#!/usr/bin/perl -w

use strict;
use Getopt::Std;

use vars qw/*opt_h *opt_a *opt_p *opt_r *opt_d *opt_b/;
# ==== Parse the commandline ====
$opt_h="";
$opt_a="";
$opt_p="";
$opt_r="";
$opt_d="";
$opt_b="";
getopts('ha:prdb');
# Run help/usage?
usage() if ($opt_h);

my $alias="";
if ($opt_a) {
 if ($opt_a=~/[ \:\n]/) {
  print "ERROR: newlines, : or spaces are not supported in the alias\n";
  exit 1;
 }
 else {
  $alias=$opt_a;
 }
}
else {
 unless ($opt_d) {
  print "ERROR: No alias (-a) specified\n\n";
  usage();
 }
}

# Get or generate the key
# Nothing in ~/.gtc-crypt must be readable by others, so set a restrictive
# umask before the key file and the crypt file are created.
umask(077);
mkdir($ENV{HOME} . "/.gtc-crypt",0700) unless ( -d $ENV{HOME} . "/.gtc-crypt" );
# Get the key if it is existing
my $key="";
if (-f "$ENV{HOME}/.gtc-crypt/.key") {
 open(KEY, "<$ENV{HOME}/.gtc-crypt/.key") || die "Could not open the keyfile $ENV{HOME}/.gtc-crypt/.key for reading: $!";
 $key=<KEY>;
 close(KEY);
}
# Generate a random key if it does not exist yet. Perl's rand() is not a
# cryptographic generator, so the key bytes are read from the kernel instead.
else {
 open(RND, "</dev/urandom") || die "Could not open /dev/urandom: $!";
 binmode(RND);
 my $raw;
 read(RND, $raw, 16) == 16 || die "Short read from /dev/urandom";
 close(RND);
 $key=unpack("H*", $raw);
 # write key to keyfile
 open(KEY, ">$ENV{HOME}/.gtc-crypt/.key") || die "Could not open the keyfile $ENV{HOME}/.gtc-crypt/.key for writing: $!";
 print KEY $key;
 close(KEY);
 chmod 0600, "$ENV{HOME}/.gtc-crypt/.key";
}

# Read the crypt file
my @crypt;
if (-f "$ENV{HOME}/.gtc-crypt/crypt") {
 open(CRYPT, "<$ENV{HOME}/.gtc-crypt/crypt") || die "Could not open the cryptfile $ENV{HOME}/.gtc-crypt/crypt for reading: $!";
 @crypt=<CRYPT>;
 close(CRYPT);
}

# Prepare encryption or decryption. Crypt::CBC derives the cipher key and IV
# from $key plus a random salt; without -cipher it uses Crypt::DES (that is
# why dev-perl/Crypt-DES is installed), a 56-bit cipher. Pass -cipher if you
# want something stronger.
use Crypt::CBC;
use MIME::Base64;
my $cipher=Crypt::CBC->new(-key => $key);

# Decrypt the string and print it out if wished
if (($opt_p) || ($opt_d)) {
 my $decrypt;
 foreach my $line (@crypt) {
  if ($opt_d) {
   my $name=$line;
   $name=~s/\:.+$//;
   print $name;
  }
   # \Q...\E: the alias is literal data, not a regex
   if ($line=~/^\Q$alias\E:/) {
    chomp($line);
    $decrypt=$line;
    $decrypt=~s/^\Q$alias\E://;
  }
 }
 if ($opt_p) {
  die "Alias not found in cryptfile" unless $decrypt;
  print $cipher->decrypt(decode_base64($decrypt));
 }
 exit 0;
}

my $cstring="";
unless (($opt_p) || ($opt_r)) {
 # Get the string
 print "Please enter your string to encrypt: " unless $opt_b;
 my $string=<STDIN>;
 chomp($string);
 die "ERROR: String is empty" unless ($string);
 # Crypt it!
 $cstring=encode_base64($cipher->encrypt($string));
 # encode_base64 inserts a newline every 76 characters; strip all of them,
 # not only the last one, or longer entries break the one-line-per-alias file
 $cstring=~s/\n//g;
}

# ==== Write to the cryptfile ====
# Open the crypt file for writing
open(CRYPT, ">$ENV{HOME}/.gtc-crypt/crypt") || die "Could not open the cryptfile $ENV{HOME}/.gtc-crypt/crypt for writing: $!";
my $changed=0;
foreach my $line (@crypt) {
 chomp($line);
 # Is the alias existing?
 if ($line=~/^\Q$alias\E:/) {
  # Remove / ignore alias if wanted
  if ($opt_r) {
   print "Removing Alias $alias\n";
   $changed=1;
   next;
  }
  # Shall the existing alias been overwritten?
  else {
   unless ($opt_b) {
    print "A string for the alias $alias is already existing! Shall I overwrite it? [y/n] ";
    my $yn=<STDIN>;
    chomp($yn);
    $line=$alias . ":" . $cstring if ($yn eq "y");
   }
   else {
    $line=$alias . ":" . $cstring;
   }
   $changed=1;
  }
 }
 # Write the line
 print CRYPT $line . "\n" if $line;
}
# Write new line if the alias is new and should not be removed
print CRYPT $alias . ":" . $cstring . "\n" unless (($changed) || ($opt_r));

sub usage {
 print "Overview:
=========
This is a small app for storing strings encrypted on your harddisk, e.g. for using passwords in scripts running without interaction in the background. It is not (very) safe but maybe better than storing plain text passwords on the harddisk.

Options:
========
-h\t\t-> This help/usage.
-a alias\t-> The alias under which you store your string (No newlines, : or spaces supported).
-p\t\t-> Print out the decrypted string for the given alias (needs -a).
-r\t\t-> Remove the given alias (needs -a).
-d\t\t-> Dump all existing aliases
-b\t\t-> Batch mode\n";
 exit 1;
}

Changes in /usr/local/sbin/gtc-crypt

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/sbin/gtc-crypt

Changed on 30.11.10
Issued by olli
Beginning line 2

This is a small app for storing strings encrypted on your harddisk, e.g. for using passwords in scripts running without interaction in the background. It is not (very) safe but maybe better than storing plain text passwords on the harddisk.

#!/usr/bin/perl -w

use strict;
use Getopt::Std;

use vars qw/*opt_h *opt_a *opt_p *opt_r *opt_d *opt_b/;
# ==== Parse the commandline ====
$opt_h="";
$opt_a="";
$opt_p="";
$opt_r="";
$opt_d="";
$opt_b="";
getopts('ha:prdb');
# Run help/usage?
usage() if ($opt_h);

my $alias="";
if ($opt_a) {
 if ($opt_a=~/[ \:\n]/) {
  print "ERROR: newlines, : or spaces are not supported in the alias\n";
  exit 1;
 }
 else {
  $alias=$opt_a;
 }
}
else {
 unless ($opt_d) {
  print "ERROR: No alias (-a) specified\n\n";
  usage();
 }
}

# Get or generate the key
# Nothing in ~/.gtc-crypt must be readable by others, so set a restrictive
# umask before the key file and the crypt file are created.
umask(077);
mkdir($ENV{HOME} . "/.gtc-crypt",0700) unless ( -d $ENV{HOME} . "/.gtc-crypt" );
# Get the key if it is existing
my $key="";
if (-f "$ENV{HOME}/.gtc-crypt/.key") {
 open(KEY, "<$ENV{HOME}/.gtc-crypt/.key") || die "Could not open the keyfile $ENV{HOME}/.gtc-crypt/.key for reading: $!";
 $key=<KEY>;
 close(KEY);
}
# Generate a random key if it does not exist yet. Perl's rand() is not a
# cryptographic generator, so the key bytes are read from the kernel instead.
else {
 open(RND, "</dev/urandom") || die "Could not open /dev/urandom: $!";
 binmode(RND);
 my $raw;
 read(RND, $raw, 16) == 16 || die "Short read from /dev/urandom";
 close(RND);
 $key=unpack("H*", $raw);
 # write key to keyfile
 open(KEY, ">$ENV{HOME}/.gtc-crypt/.key") || die "Could not open the keyfile $ENV{HOME}/.gtc-crypt/.key for writing: $!";
 print KEY $key;
 close(KEY);
 chmod 0600, "$ENV{HOME}/.gtc-crypt/.key";
}

# Read the crypt file
my @crypt;
if (-f "$ENV{HOME}/.gtc-crypt/crypt") {
 open(CRYPT, "<$ENV{HOME}/.gtc-crypt/crypt") || die "Could not open the cryptfile $ENV{HOME}/.gtc-crypt/crypt for reading: $!";
 @crypt=<CRYPT>;
 close(CRYPT);
}

# Prepare encryption or decryption. Crypt::CBC derives the cipher key and IV
# from $key plus a random salt; without -cipher it uses Crypt::DES (that is
# why dev-perl/Crypt-DES is installed), a 56-bit cipher. Pass -cipher if you
# want something stronger.
use Crypt::CBC;
use MIME::Base64;
my $cipher=Crypt::CBC->new(-key => $key);

# Decrypt the string and print it out if wished
if (($opt_p) || ($opt_d)) {
 my $decrypt;
 foreach my $line (@crypt) {
  if ($opt_d) {
   my $name=$line;
   $name=~s/\:.+$//;
   print $name;
  }
   # \Q...\E: the alias is literal data, not a regex
   if ($line=~/^\Q$alias\E:/) {
    chomp($line);
    $decrypt=$line;
    $decrypt=~s/^\Q$alias\E://;
  }
 }
 if ($opt_p) {
  die "Alias not found in cryptfile" unless $decrypt;
  print $cipher->decrypt(decode_base64($decrypt));
 }
 exit 0;
}

my $cstring="";
unless (($opt_p) || ($opt_r)) {
 # Get the string
 print "Please enter your string to encrypt: " unless $opt_b;
 my $string=<STDIN>;
 chomp($string);
 die "ERROR: String is empty" unless ($string);
 # Crypt it!
 $cstring=encode_base64($cipher->encrypt($string));
 # chomp($cstring);
 $cstring=~s/\n//g;
}

# ==== Write to the cryptfile ====
# Open the crypt file for writing
open(CRYPT, ">$ENV{HOME}/.gtc-crypt/crypt") || die "Could not open the cryptfile $ENV{HOME}/.gtc-crypt/crypt for writing: $!";
my $changed=0;
foreach my $line (@crypt) {
 chomp($line);
 # Is the alias existing?
  if ($line=~/^\Q$alias\E:/) {   # \Q..\E: treat regex metacharacters in the alias literally
  # Remove / ignore alias if wanted
  if ($opt_r) {
   print "Removing Alias $alias\n";
   $changed=1;
   next;
  }
  # Shall the existing alias been overwritten?
  else {
   unless ($opt_b) {
    print "A string for the alias $alias is already existing! Shall I overwrite it? [y/n] ";
    my $yn=<STDIN>;
    chomp($yn);
    $line=$alias . ":" . $cstring if ($yn eq "y");
   }
   else {
    $line=$alias . ":" . $cstring;
   }
   $changed=1;
  }
 }
 # Write the line
 print CRYPT $line . "\n" if $line;
}
# Write new line if the alias is new and should not be removed
print CRYPT $alias . ":" . $cstring . "\n" unless (($changed) || ($opt_r));

sub usage {
 print "Overview:
=========
This is a small app for storing strings encrypted on your harddisk. E.g. for using passwords in scripts running without interaction in the background. It is not (very) save but maybe better then storing plain text passwords on the harddisk.

Options:
========
-h\t\t-> This help/usage.
-a alias\t-> The alias under which you store your string (No newlines, : or spaces supported).
-p\t\t-> Print out the decrypted string for the given alias (needs -a).
-r\t\t-> Remove the given alias (needs -a).
-d\t\t-> Dump all existing aliases
-b\t\t-> Batch mode\n";
 exit 1;
}

Please send a feedback to: doc<at>gabosh.net

Howto listing
File Index

Server for thinclients

This part describes how I boot client PCs over the network. For this I use PXE, DHCP, TFTP and NFS.
For UEFI clients, build a standalone GRUB image with:
cd /gtc/pxe ; grub-mkstandalone -d /usr/lib/grub/x86_64-efi/ -O x86_64-efi --fonts="unicode" -o bootx64.efi boot/grub/grub.cfg

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-fs/nfs-utils
emerge sys-boot/syslinux
emerge net-ftp/tftp-hpa

Changes in /etc/conf.d/in.tftpd

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/in.tftpd

Changed on 04.04.10
Issued by olli
Beginning line 15

Path for PXE files and necessary bootoptions for tftpd.


Before change
INTFTPD_OPTS="-R 4096:32767 -s ${INTFTPD_PATH}"
After change
INTFTPD_PATH="/gtc/pxe"
#INTFTPD_OPTS="-R 4096:32767 -s ${INTFTPD_PATH} --refuse blksize --refuse tsize --refuse blksize2 --user nobody -vvv"
INTFTPD_OPTS="-p -u nobody -s ${INTFTPD_PATH} -vvv"

Changes in /etc/conf.d/nfs

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/nfs

Changed on 10.03.10
Issued by olli
Beginning line 8

This starts rpc.idmapd for UID/GID mapping on NFSv4. It has to be started on the client side too. If this service is not started, all UIDs/GIDs are mapped to ID 4294967294. The configuration file /etc/idmapd.conf should be the same on client and server.


Before change
NFS_NEEDED_SERVICES=""
After change
NFS_NEEDED_SERVICES="rpc.idmapd"

Changed on 23.12.08
Issued by olli
Beginning line 16

Allow a maximum of 20 Clients at the same time on your NFS Server


Before change
#OPTS_RPC_NFSD="8"
After change
OPTS_RPC_NFSD="20"

Changed on 23.12.08
Issued by olli
Beginning line 24

The rpc mountd should listen on port 32767 (needed for some firewall settings).


Before change
#OPTS_RPC_MOUNTD=""
After change
OPTS_RPC_MOUNTD="-p 32767"

Changed on 23.12.08
Issued by olli
Beginning line 32

The rpc statd should listen on port 32765 and send outgoing connections over port 32766 (needed for some firewall settings).


Before change
#OPTS_RPC_STATD=""
After change
OPTS_RPC_STATD="-p 32765 -o 32766"

Changes in /etc/cron.daily/pxe.cron

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /etc/cron.daily/pxe.cron

Changed on 13.01.09
Issued by olli
Beginning line 1

PXE update workaround. When syslinux is updated, the new pxelinux.0 and/or menu.c32 files are stored in /usr/share/syslinux. For our use these files have to stay in /srv/thinclient/pxe, so once a day the files are copied to the correct place. A symlink (because of TFTP) or a hardlink (because of different filesystems) doesn't work for me. I didn't find a better solution. If you have one let me know ;-)

mkdir -p /gtc/pxe
cp -p /usr/share/syslinux/pxelinux.0 /gtc/pxe/
cp -p /usr/share/syslinux/menu.c32 /gtc/pxe/
cp -p /usr/share/syslinux/ldlinux.c32 /gtc/pxe
cp -p /usr/share/syslinux/libutil.c32 /gtc/pxe

Changes in /etc/dhcp/dhcpd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/dhcp/dhcpd.conf

Changed on 06.09.08
Issued by olli
Beginning line 22

This starts the syslinux (pxelinux) boot manager for thinclients booting over PXE; clients that announce a UEFI architecture type get the GRUB image bootx64.efi instead.

next-server my.lan.ip.addr;
option architecture-type code 93 = unsigned integer 16;
if option architecture-type = 00:09 {
filename "bootx64.efi";
} elsif option architecture-type = 00:07 {
 filename "bootx64.efi";
} else {
filename "pxelinux.0";
}

Changes in /etc/exports

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/exports

Changed on 23.12.08
Issued by olli
Beginning line 2

NFS4-configuration for test and production environment of the Thinclients.

/gtc    my.lan.network.ip/XXX.XXX.XXX.XXX(ro,fsid=0,no_subtree_check,async,no_root_squash,ro,insecure)
/gtc/test	my.lan.network.ip/XXX.XXX.XXX.XXX(no_subtree_check,async,ro,no_root_squash,insecure)
/gtc/stable	my.lan.network.ip/XXX.XXX.XXX.XXX(no_subtree_check,async,ro,no_root_squash,insecure,nohide)

Changes in /etc/fstab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/fstab

Changed on 29.06.09
Issued by olli
Beginning line 33

This mounts /proc for the test thinclient environment, which is needed for some emerge operations. Further, the stable thinclient root is bind-mounted to the main NFSv4 export.

/gtc/test/usr/portage	/usr/portage	none	bind,nofail		0 0
proc  	          /gtc/test/proc         proc    defaults,nofail        0 0

Changes in /gtc/pxe/pxelinux.cfg/default

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/pxe/pxelinux.cfg/default

Changed on 06.09.08
Issued by olli
Beginning line 1

Boot menu configuration for PXE boots.

default menu.c32
prompt 0
	    
menu title GTC-PXELinux Boot Menu
NOESCAPE 1
ALLOWOPTIONS 1
MENU AUTOBOOT Starting Gentoo Thinclient in # seconds

label test
 timeout 100
 menu default
 menu label ^Gentoo Test Thinclient 4.4.39
 kernel /kernel-genkernel-x86-4.4.39-gentoo
 append initrd=/initramfs-genkernel-x86-4.4.39-gentoo root=/dev/nfs nfsroot=my.lan.ip.addr:/gtc/test ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs i915.modeset=1 radeon.modeset=1 nvidia.modeset=1 nouveau.modeset=1 raid=noautodetect consoleblank=0
 ipappend 3

label stable
 menu label ^Gentoo Stable Thinclient 4.4.39
 kernel /kernel-genkernel-x86-4.4.39-gentoo
 append initrd=/initramfs-genkernel-x86-4.4.39-gentoo root=/dev/nfs nfsroot=my.lan.ip.addr:/gtc/stable ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs i915.modeset=1 noapic radeon.modeset=1 raid=noautodetect consoleblank=0
 ipappend 3

label bootlocal
 menu label ^Boot from local Disk
 localboot 0

Changes in /gtc/test/etc/thinclient/server-profile/etc/exports

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/thinclient/server-profile/etc/exports

Changed on 23.12.08
Issued by olli
Beginning line 2

NFS(4)-configuration for test and production environment of the Thinclients.

/opt/gtcroot	*(fsid=0,crossmnt,no_subtree_check,async,ro,no_root_squash,insecure,nohide)
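The two exports files above share the same options, so here is one added example (not from the howto) that serves both: a Python audit that parses entries in the /etc/exports format and flags the settings a reviewer would question, namely a world client spec (`*`), `insecure`, `no_root_squash` (distinguishing read-only from writable exports), `async` on writable exports and duplicated options. The sample text reuses the page's placeholder client `my.lan.network.ip/XXX.XXX.XXX.XXX`; the `/srv/share` entry is constructed to show the writable case.

```python
import re

# Constructed sample in the /etc/exports format shown above; the first three entries
# reuse the page's placeholder client, the last one is a made-up writable export.
SAMPLE_EXPORTS = """\
# thinclient roots
/gtc    my.lan.network.ip/XXX.XXX.XXX.XXX(ro,fsid=0,no_subtree_check,async,no_root_squash,ro,insecure)
/gtc/test\tmy.lan.network.ip/XXX.XXX.XXX.XXX(no_subtree_check,async,ro,no_root_squash,insecure)
/opt/gtcroot\t*(fsid=0,crossmnt,no_subtree_check,async,ro,no_root_squash,insecure,nohide)
/srv/share\t192.0.2.0/24(rw,no_root_squash) 192.0.2.9(rw,sync)
"""

# One client specification: optional host/network followed by an optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"(?P<client>[^\s(]*)(?:\((?P<opts>[^)]*)\))?")


def parse_exports(text):
    """Return (path, client, [options]) triples; an empty client means every host ('*')."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()           # exports(5) separates fields by whitespace
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                raise ValueError(f"unparsable client spec {spec!r} for {path}")
            client = m.group("client") or "*"
            opts = [o for o in (m.group("opts") or "").split(",") if o]
            entries.append((path, client, opts))
    return entries


def audit_exports(text):
    """Return (path, client, finding) tuples for the settings worth a second look."""
    findings = []
    for path, client, opts in parse_exports(text):
        o = set(opts)
        writable = "rw" in o                    # exports are read-only unless rw is given
        if client == "*":
            findings.append((path, client, "exported to every host; restrict the client list"))
        if "insecure" in o:
            findings.append((path, client,
                             "insecure: requests from unprivileged source ports are accepted, "
                             "so any user on the client, not only root, can talk to the server"))
        if "no_root_squash" in o:
            detail = ("root on the client is root on a writable export" if writable
                      else "root on the client can read root-only files on a read-only export")
            findings.append((path, client, "no_root_squash: " + detail))
        if writable and "async" in o:
            findings.append((path, client,
                             "async on a writable export loses acknowledged writes on a server crash"))
        dups = sorted({x for x in opts if opts.count(x) > 1})
        if dups:
            findings.append((path, client, f"duplicate option(s) {dups}: probably a copy-and-paste slip"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {finding}")
```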

Changes in /usr/local/sbin/mkgtcstable.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /usr/local/sbin/mkgtcstable.sh

Changed on 29.06.09
Issued by olli
Beginning line 2

This is a small script for creating the stable environment from the test environment.

#!/bin/bash
/etc/init.d/rsyncd stop
mv /gtc/test/usr/portage/distfiles/jre* /srv/tmp
rm /gtc/test/usr/portage/distfiles/*
mv /srv/tmp/jre* /gtc/test/usr/portage/distfiles/
rsync -aXAHv --delete /gtc/test/ /gtc/stable/ --exclude=/_gtcroot/ --exclude=/gtcdvd/ --exclude=/proc/ --exclude=/sys/ --exclude=/tmp/ --exclude=/var/tmp --exclude=/root
mkdir -p /gtc/stable/proc
mkdir -p /gtc/stable/sys
mkdir -p /gtc/stable/tmp
mkdir -p /gtc/stable/root
chmod 0700 /gtc/stable/root
chmod 1777 /gtc/stable/tmp
mkdir -p /gtc/stable/var/tmp/portage
chmod 1777 /gtc/stable/var/tmp
mkdir -p /gtc/stable/_gtcroot
# empty all log files of the stable tree (paths are quoted so names with spaces survive)
find /gtc/stable/var/log/ -type f | while read -r i
do
 >"$i"
done
# clean the kernel source trees; the subshell replaces the cd/cd - pair
find /gtc/stable/usr/src -maxdepth 1 -type d -name '*linux*' | while read -r i
do
 ( cd "$i" && make clean )
done
/etc/init.d/rsyncd start

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add nfs default
rc-update add in.tftpd default
rc-update add rpc.idmapd default


Sort files alphabetical

Here is a script which sorts files alphabetically: a file (or directory) whose name begins with "a" (e.g. apple) is moved into the directory "a", and so on.
Please be careful with it: this process cannot be undone.

If you want to use this solution you need the following howto(s) finished:

Changes in /gtc/test/etc/thinclient/scripts/az

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/az

Changed on 05.05.10
Issued by olli
Beginning line 2

This is a small script which sorts files (or directories) into directories called a-z and 0-9.

#!/bin/bash
if [ -z "$1" ]
then
 echo "No directory argument"
 exit 1
fi

cd "$1" || exit 1

# Sort alphabetically: every entry whose name starts with $i and is at least two
# characters long goes into the directory $i (a shell glob instead of parsing ls
# output keeps names with spaces intact)
for i in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 
do
 for j in "$i"?*
 do
  [ -e "$j" ] || continue   # no match: the glob is left unexpanded
  mkdir -p "$i"
  if [ -d "$i/$j" ]
  then
   # target directory already exists: merge via hardlinks, then drop the source
   cp -lr "$j"/* "$i/$j"/ && rm -r "$j"
  else
   echo "mv \"$j\" \"$i\"/"
   mv "$j" "$i"/
  fi
 done
done

# Sort non-Alphabetical Characters to _
if [ -n "`ls ??* 2>/dev/null `" ]
then
 mkdir -p _
 mv ??* _
fi

# Case-insensitive mode (-i): merge the lower-case directories into the upper-case ones
if [ "$2" = "-i" ]
then
 for i in a b c d e f g h i j k l m n o p q r s t u v w x y z
 do
  j=`echo "$i" | awk '{$1=toupper($1);print}'`
  if [ -d "$i" ]
  then
   mkdir -p "$j"   # the upper-case directory may not exist yet
   mv "$i"/* "$j"/
   rmdir "$i"
  fi
 done
fi


Changes in /usr/local/bin/az

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /usr/local/bin/az

Changed on 05.05.10
Issued by olli
Beginning line 2

This is a small script which sorts files (or directories) into directories called a-z and 0-9.

#!/bin/bash
if [ -z "$1" ]
then
 echo "No directory argument"
 exit 1
fi

cd "$1" || exit 1

# Sort alphabetically: every entry whose name starts with $i and is at least two
# characters long goes into the directory $i (a shell glob instead of parsing ls
# output keeps names with spaces intact)
for i in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 
do
 for j in "$i"?*
 do
  [ -e "$j" ] || continue   # no match: the glob is left unexpanded
  mkdir -p "$i"
  if [ -d "$i/$j" ]
  then
   # target directory already exists: merge via hardlinks, then drop the source
   cp -lr "$j"/* "$i/$j"/ && rm -r "$j"
  else
   echo "mv \"$j\" \"$i\"/"
   mv "$j" "$i"/
  fi
 done
done

# Sort non-Alphabetical Characters to _
if [ -n "`ls ??* 2>/dev/null `" ]
then
 mkdir -p _
 mv ??* _
fi

# Case-insensitive mode (-i): merge the lower-case directories into the upper-case ones
if [ "$2" = "-i" ]
then
 for i in a b c d e f g h i j k l m n o p q r s t u v w x y z
 do
  j=`echo "$i" | awk '{$1=toupper($1);print}'`
  if [ -d "$i" ]
  then
   mkdir -p "$j"   # the upper-case directory may not exist yet
   mv "$i"/* "$j"/
   rmdir "$i"
  fi
 done
fi



Statistics

Here is how I create statistics about my web accesses and my mail traffic. For this I use AWStats.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-www/awstats

Changes in /etc/awstats/awstats.doc.gabosh.net.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.doc.gabosh.net.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my doc.gabosh.net Apache-vHost

LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="doc.example.com"
#HostAliases="*.example.com"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1					
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0		
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain  = 1
MaxNbOfHostsShown = 10
MinHitHost    = 1
MaxNbOfLoginShown = 10
MinHitLogin   = 1
MaxNbOfRobotShown = 10
MinHitRobot   = 1
MaxNbOfPageShown = 10
MinHitFile    = 1
MaxNbOfOsShown = 10
MinHitOs      = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer   = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail   = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth   = 260
BarHeight  = 90
StyleSheet=""
ExtraTrackedRowsLimit=500
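Added example, not part of the howto or of AWStats itself: a Python parser for Apache lines in the LogFormat declared above (`%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot`) that applies the SkipHosts, ValidHTTPCodes and NotPageList values from this configuration and counts pages (P), hits (H), bytes (B) and unique hosts (U) per vhost, the quantities the Show*Stats letters refer to. Lines with a code outside ValidHTTPCodes are left out of these counts (AWStats reports them separately under HTTP errors), and the quoted fields honour backslash-escaped quotes so a crafted referer or user agent cannot shift the columns. The log lines are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Field order mirrors the LogFormat line of the configuration above. Apache escapes a
# double quote inside the request line, referer or user agent as \", so the quoted
# fields accept backslash-escaped characters instead of stopping at the first quote.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<other>\S+) (?P<logname>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<code>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Values taken from the configuration above.
SKIP_HOSTS = set("194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 "
                 "172.23.0.50 my.lan.ip.addr 127.0.0.1".split())
VALID_HTTP_CODES = set("200 304".split())
NOT_PAGE_LIST = set("css js class gif jpg jpeg png bmp ico rss xml swf".split())

# Constructed sample lines (documentation addresses, not real visitors).
SAMPLE_LOG = [
    'doc.example.com 203.0.113.5 - - [18/Feb/2009:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'doc.example.com 203.0.113.5 - - [18/Feb/2009:10:00:02 +0100] "GET /style.css HTTP/1.1" 200 800 "http://doc.example.com/index.html" "Mozilla/5.0"',
    'doc.example.com 172.23.0.50 - - [18/Feb/2009:10:00:03 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "monitoring"',
    'www.example.com 198.51.100.7 - - [18/Feb/2009:10:00:04 +0100] "GET /missing HTTP/1.1" 404 300 "-" "curl/7.19"',
    'www.example.com 198.51.100.7 - - [18/Feb/2009:10:00:05 +0100] "GET /doc/?q=1 HTTP/1.1" 304 0 "-" "curl/7.19"',
    r'doc.example.com 203.0.113.9 - - [18/Feb/2009:10:00:06 +0100] "GET /about.html HTTP/1.1" 200 1000 "-" "curl/7.19 (\"quoted\")"',
    'this line is corrupt',
]


@dataclass
class VhostStats:
    pages: int = 0                              # P
    hits: int = 0                               # H
    nbytes: int = 0                             # B
    hosts: set = field(default_factory=set)     # U (unique client addresses)


def is_page(url):
    """A hit counts as a page unless the extension of its path is in NotPageList."""
    path = url.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
    return ext not in NOT_PAGE_LIST


def parse_line(line):
    """Return the fields of one log line as a dict, or None for a corrupt line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")          # %methodurl: method, URL and optional protocol
    if len(parts) not in (2, 3):
        return None
    rec["method"], rec["url"] = parts[0], parts[1]
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarise(lines):
    """Aggregate per-vhost counters; returns (stats, number of corrupt lines)."""
    stats = defaultdict(VhostStats)
    corrupt = 0                                # compare against NbOfLinesForCorruptedLog
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            corrupt += 1
            continue
        if rec["host"] in SKIP_HOSTS or rec["code"] not in VALID_HTTP_CODES:
            continue
        s = stats[rec["vhost"]]
        s.hits += 1
        s.nbytes += rec["bytes"]
        s.hosts.add(rec["host"])
        if is_page(rec["url"]):
            s.pages += 1
    return dict(stats), corrupt


if __name__ == "__main__":
    stats, corrupt = summarise(SAMPLE_LOG)
    for vhost, s in sorted(stats.items()):
        print(f"{vhost}: U={len(s.hosts)} P={s.pages} H={s.hits} B={s.nbytes}")
    print(f"corrupt lines: {corrupt}")
```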

Changes in /etc/awstats/awstats.gabosh.net.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.gabosh.net.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my gabosh.net Apache-vHost

LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="example.com"
HostAliases="example.com smtp.example.com pop.example.com pop3.example.com mail.example.com silent-gabosh.example.com silent.example.com gabosh.example.com imap.example.com ns1.example.com"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1					
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0		
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain  = 1
MaxNbOfHostsShown = 10
MinHitHost    = 1
MaxNbOfLoginShown = 10
MinHitLogin   = 1
MaxNbOfRobotShown = 10
MinHitRobot   = 1
MaxNbOfPageShown = 10
MinHitFile    = 1
MaxNbOfOsShown = 10
MinHitOs      = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer   = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail   = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth   = 260
BarHeight  = 90
StyleSheet=""
ExtraTrackedRowsLimit=500

Changes in /etc/awstats/awstats.gtc.gabosh.net.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.gtc.gabosh.net.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my gtc.gabosh.net Apache-vHost

LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="gtc.example.com"
#HostAliases="*.example.com"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1					
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0		
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain  = 1
MaxNbOfHostsShown = 10
MinHitHost    = 1
MaxNbOfLoginShown = 10
MinHitLogin   = 1
MaxNbOfRobotShown = 10
MinHitRobot   = 1
MaxNbOfPageShown = 10
MinHitFile    = 1
MaxNbOfOsShown = 10
MinHitOs      = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer   = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail   = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth   = 260
BarHeight  = 90
StyleSheet=""
ExtraTrackedRowsLimit=500

Changes in /etc/awstats/awstats.horde.gabosh.net.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.horde.gabosh.net.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my horde.gabosh.net Apache-vHost

LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="horde.example.com"
#HostAliases="*.example.com"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1					
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0		
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain  = 1
MaxNbOfHostsShown = 10
MinHitHost    = 1
MaxNbOfLoginShown = 10
MinHitLogin   = 1
MaxNbOfRobotShown = 10
MinHitRobot   = 1
MaxNbOfPageShown = 10
MinHitFile    = 1
MaxNbOfOsShown = 10
MinHitOs      = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer   = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail   = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth   = 260
BarHeight  = 90
StyleSheet=""
ExtraTrackedRowsLimit=500

Changes in /etc/awstats/awstats.mailserver.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.mailserver.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my Mailserver

SiteDomain="silent-gabosh.example.com"
HostAliases="localhost 127.0.0.1 example.com"
LogFile="/usr/bin/awstats_maillogconvert.pl standard < /var/log/mail.log |" 
LogType=M
LogFormat="%time2 %email %email_r %host %host_r %method %url %code %bytesd"
DirIcons="/intern/awstats/icon"
DirData="/var/lib/awstats"
DNSLookup=1
LevelForBrowsersDetection=0
LevelForOSDetection=0
LevelForRefererAnalyze=0
LevelForRobotsDetection=0
LevelForWormsDetection=0
LevelForSearchEnginesDetection=0
LevelForFileTypesDetection=0
ShowMenu=1
ShowSummary=HB
ShowMonthStats=HB
ShowDaysOfMonthStats=HB
ShowDaysOfWeekStats=HB
ShowHoursStats=HB
ShowDomainsStats=0
ShowHostsStats=HBL
ShowAuthenticatedUsers=0
ShowRobotsStats=0
ShowEMailSenders=HBML
ShowEMailReceivers=HBML
ShowSessionsStats=0
ShowPagesStats=0
ShowFileTypesStats=0
ShowFileSizesStats=0
ShowBrowsersStats=0
ShowOSStats=0
ShowOriginStats=0
ShowKeyphrasesStats=0
ShowKeywordsStats=0
ShowMiscStats=0
ShowHTTPErrorsStats=0
ShowSMTPErrorsStats=1 

Changes in /etc/awstats/awstats.olgreenspirit.de.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.olgreenspirit.de.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my www.gabosh.net Apache-vHost

LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="www.olgreenspirit.de"
HostAliases="olgreenspirit.de"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1					
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0		
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain  = 1
MaxNbOfHostsShown = 10
MinHitHost    = 1
MaxNbOfLoginShown = 10
MinHitLogin   = 1
MaxNbOfRobotShown = 10
MinHitRobot   = 1
MaxNbOfPageShown = 10
MinHitFile    = 1
MaxNbOfOsShown = 10
MinHitOs      = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer   = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail   = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth   = 260
BarHeight  = 90
StyleSheet=""
ExtraTrackedRowsLimit=500

Changes in /etc/awstats/awstats.www.gabosh.net.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/awstats/awstats.www.gabosh.net.conf

Changed on 18.02.09
Issued by olli
Beginning line 1

This is the AWstats-configuration for my www.gabosh.net Apache-vHost

LogFile="/var/log/apache2/access_log"
LogType=W
LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
LogSeparator=" "
SiteDomain="www.example.com"
#HostAliases="*.example.com"
DNSLookup=1
DirData="/var/lib/awstats"
DirCgi="/cgi-bin"
DirIcons="/intern/awstats/icon"
AllowToUpdateStatsFromBrowser=0
AllowFullYearView=2
EnableLockForUpdate=0
DNSStaticCacheFile="dnscache.txt"
DNSLastUpdateCacheFile="dnscachelastupdate.txt"
SkipDNSLookupFor=""
AllowAccessFromWebToAuthenticatedUsersOnly=0
AllowAccessFromWebToFollowingAuthenticatedUsers=""
AllowAccessFromWebToFollowingIPAddresses=""
CreateDirDataIfNotExists=0
BuildHistoryFormat=text
BuildReportFormat=html
SaveDatabaseFilesWithPermissionsForEveryone=0
PurgeLogFile=0
ArchiveLogRecords=0
KeepBackupOfHistoricFiles=0
DefaultFile="index.html"
SkipHosts="194.127.8.17 194.127.8.18 194.127.8.19 194.127.8.20 172.23.0.50 my.lan.ip.addr 127.0.0.1"
SkipUserAgents=""
SkipFiles=""
SkipReferrersBlackList=""
OnlyHosts=""
OnlyUserAgents=""
OnlyUsers=""
OnlyFiles=""
NotPageList="css js class gif jpg jpeg png bmp ico rss xml swf"
ValidHTTPCodes="200 304"
ValidSMTPCodes="1 250"
AuthenticatedUsersNotCaseSensitive=0
URLNotCaseSensitive=0
URLWithAnchor=0
URLWithQuery=0
URLWithQueryWithOnlyFollowingParameters=""
URLWithQueryWithoutFollowingParameters=""
URLReferrerWithQuery=0
WarningMessages=1
ErrorMessages=""
DebugMessages=0
NbOfLinesForCorruptedLog=50
WrapperScript=""
DecodeUA=0
MiscTrackerUrl="/js/awstats_misc_tracker.js"
UseFramesWhenCGI=1
DetailedReportsOnNewWindows=1
Expires=0
MaxRowsInHTMLOutput=1000
Lang="auto"
DirLang="./lang"
ShowMenu=1
ShowSummary=UVPHB
ShowMonthStats=UVPHB
ShowDaysOfMonthStats=VPHB
ShowDaysOfWeekStats=PHB
ShowHoursStats=PHB
ShowDomainsStats=PHB
ShowHostsStats=PHBL
ShowAuthenticatedUsers=0
ShowRobotsStats=HBL
ShowWormsStats=0
ShowEMailSenders=0
ShowEMailReceivers=0
ShowSessionsStats=1
ShowPagesStats=PBEX
ShowFileTypesStats=HB
ShowFileSizesStats=0
ShowOSStats=1
ShowBrowsersStats=1
ShowScreenSizeStats=0
ShowOriginStats=PH
ShowKeyphrasesStats=1
ShowKeywordsStats=1
ShowMiscStats=a
ShowHTTPErrorsStats=1
ShowSMTPErrorsStats=0
ShowClusterStats=0
AddDataArrayMonthStats=1
AddDataArrayShowDaysOfMonthStats=1
AddDataArrayShowDaysOfWeekStats=1
AddDataArrayShowHoursStats=1
IncludeInternalLinksInOriginSection=0
MaxNbOfDomain = 10
MinHitDomain  = 1
MaxNbOfHostsShown = 10
MinHitHost    = 1
MaxNbOfLoginShown = 10
MinHitLogin   = 1
MaxNbOfRobotShown = 10
MinHitRobot   = 1
MaxNbOfPageShown = 10
MinHitFile    = 1
MaxNbOfOsShown = 10
MinHitOs      = 1
MaxNbOfBrowsersShown = 10
MinHitBrowser = 1
MaxNbOfScreenSizesShown = 5
MinHitScreenSize = 1
MaxNbOfWindowSizesShown = 5
MinHitWindowSize = 1
MaxNbOfRefererShown = 10
MinHitRefer   = 1
MaxNbOfKeyphrasesShown = 10
MinHitKeyphrase = 1
MaxNbOfKeywordsShown = 10
MinHitKeyword = 1
MaxNbOfEMailsShown = 20
MinHitEMail   = 1
FirstDayOfWeek=1
ShowFlagLinks=""
ShowLinksOnUrl=1
UseHTTPSLinkForUrl=""
MaxLengthOfShownURL=64
HTMLHeadSection=""
HTMLEndSection=""
Logo="awstats_logo6.png"
LogoLink="http://awstats.sourceforge.net"
BarWidth   = 260
BarHeight  = 90
StyleSheet=""
ExtraTrackedRowsLimit=500

Changes in /etc/cron.daily/logrotate

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /etc/cron.daily/logrotate

Changed on 03.02.09
Issued by olli
Beginning line 3

Create statistics before logrotate

/usr/local/bin/awstats

Changes in /usr/local/bin/awstats

File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---

Click here for a download of the complete file: /usr/local/bin/awstats

Changed on 03.02.09
Issued by olli
Beginning line 1

Create statistics every day and write them into the webserver path

#!/bin/bash
# Directory for static statistics

WEBDIR=/var/www/www.example.com/htdocs/intern/awstats
MONTH=$(date +%B-%Y)
# Create Webserverstatistics example.com
WPATH=$WEBDIR/example.com/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=example.com -update -dir=$WPATH >/dev/null
# Create Webserverstatistics www.example.com
WPATH=$WEBDIR/www.example.com/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=www.example.com -update -dir=$WPATH >/dev/null
# Create Webserverstatistics doc.example.com
WPATH=$WEBDIR/doc.example.com/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=doc.example.com -update -dir=$WPATH >/dev/null
# Create Webserverstatistics horde.example.com
WPATH=$WEBDIR/horde.example.com/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=horde.example.com -update -dir=$WPATH >/dev/null
# Create Webserverstatistics gtc
WPATH=$WEBDIR/gtc.example.com/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=gtc.example.com -update -dir=$WPATH >/dev/null
# Create Ol' Green Spirit Statistics
WPATH=$WEBDIR/olgreenspirit.de/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=olgreenspirit.de -update -dir=$WPATH >/dev/null
# Create Mailserverstatistics
WPATH=$WEBDIR/mailserver/$MONTH
mkdir -p $WPATH
/usr/bin/awstats_buildstaticpages.pl -config=mailserver -update -dir=$WPATH >/dev/null

Please send a feedback to: doc<at>gabosh.net

Howto listing
File Index

Stopping brute-force-attacks with fail2ban

If you expose services like ssh to the internet, you probably know log entries like
[...]
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from XXX.XXX.XXX.XXX
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from XXX.XXX.XXX.XXX
Jul 17 15:19:00 silent-gabosh sshd[4411]: Invalid user test6 from XXX.XXX.XXX.XXX
Jul 17 15:19:02 silent-gabosh sshd[4417]: Invalid user test7 from XXX.XXX.XXX.XXX
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user test8 from XXX.XXX.XXX.XXX
Jul 17 15:19:05 silent-gabosh sshd[4427]: Invalid user test9 from XXX.XXX.XXX.XXX
Jul 17 15:19:07 silent-gabosh sshd[4431]: Invalid user test10 from XXX.XXX.XXX.XXX
Jul 17 15:19:09 silent-gabosh sshd[4435]: Invalid user admin1 from XXX.XXX.XXX.XXX
Jul 17 15:19:11 silent-gabosh sshd[4439]: Invalid user admin2 from XXX.XXX.XXX.XXX
Jul 17 15:19:13 silent-gabosh sshd[4443]: Invalid user admin3 from XXX.XXX.XXX.XXX
Jul 17 15:19:15 silent-gabosh sshd[4447]: Invalid user admin4 from XXX.XXX.XXX.XXX
Jul 17 15:19:17 silent-gabosh sshd[4451]: Invalid user admin5 from XXX.XXX.XXX.XXX
Jul 17 15:19:19 silent-gabosh sshd[4455]: Invalid user admin6 from XXX.XXX.XXX.XXX
[...]

fail2ban is a piece of software which blocks these attacking IPs after a number of failed tries and unblocks them again after some time. It does not only work for ssh, so you can use it for FTP and mail servers too. fail2ban blocks IPs with iptables commands.
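To make that ban logic concrete, here is an added Python example (not part of this howto and not fail2ban's own code) that replays constructed sshd lines like the ones above through a fail2ban-style maxretry/findtime/bantime sliding window; the regexes, thresholds, documentation addresses and the year assumed for the year-less syslog timestamps are this example's own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on the sshd entries quoted above.  The source
# addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jul 17 15:18:56 silent-gabosh sshd[4401]: Invalid user test4 from 192.0.2.10
Jul 17 15:18:58 silent-gabosh sshd[4405]: Invalid user test5 from 192.0.2.10
Jul 17 15:19:00 silent-gabosh sshd[4411]: Failed password for invalid user test6 from 192.0.2.10 port 40122 ssh2
Jul 17 15:19:02 silent-gabosh sshd[4417]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jul 17 15:19:04 silent-gabosh sshd[4421]: Invalid user admin1 from 192.0.2.10
Jul 17 15:19:30 silent-gabosh sshd[4500]: Invalid user admin from 198.51.100.7
Jul 17 15:40:00 silent-gabosh sshd[4601]: Invalid user admin from 198.51.100.7
Jul 17 16:00:00 silent-gabosh sshd[4702]: Invalid user admin from 198.51.100.7
Jul 17 16:20:00 silent-gabosh sshd[4803]: Invalid user admin from 198.51.100.7
Jul 17 16:40:00 silent-gabosh sshd[4904]: Invalid user admin from 198.51.100.7
Jul 17 16:41:00 silent-gabosh sshd[4905]: Accepted publickey for olli from 203.0.113.5 port 50022 ssh2
"""

# Failure patterns in the spirit of fail2ban's sshd filter (written for this
# example, not copied from fail2ban).
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
_HOST = r"(?P<ip>[0-9A-Fa-f.:]+)"
FAIL_PATTERNS = [
    re.compile(_TS + r" \S+ sshd\[\d+\]: Invalid user \S+ from " + _HOST),
    re.compile(_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + _HOST),
]


def parse_ts(stamp, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(lines, maxretry=5, findtime=600, bantime=600, year=2009):
    """Return {ip: ban_time} for every source that reached `maxretry`
    failures inside a sliding `findtime` window (seconds).  Events from an
    address still inside its `bantime` are skipped, as the firewall rule
    would have dropped them anyway."""
    failures = defaultdict(deque)
    banned = {}
    for line in lines:
        for pat in FAIL_PATTERNS:
            m = pat.match(line)
            if m:
                break
        else:
            continue  # not an authentication failure
        ts, ip = parse_ts(m.group("ts"), year), m.group("ip")
        if ip in banned and (ts - banned[ip]).total_seconds() < bantime:
            continue
        window = failures[ip]
        window.append(ts)
        # Forget failures that fell out of the findtime window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
            window.clear()
    return banned


def ban_command(ip):
    """An iptables DROP rule of the kind fail2ban's iptables action inserts
    for a banned address; returned as argv for inspection, never executed here."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {' '.join(ban_command(ip))}")
```

The second address never gets banned with the default window because its attempts are more than findtime apart; widen findtime and it does, which is the trade-off the jail settings below tune.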

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-analyzer/fail2ban
emerge net-firewall/iptables

Changes in /etc/cron.hourly/f2bcheck

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /etc/cron.hourly/f2bcheck

Changed on 07.06.10
Issued by olli
Beginning line 2

I realized that fail2ban stops working sometimes (for whatever reason). So I built this small check cron job.

#!/bin/bash
if ps ax | grep fail2ban | grep -v grep >/dev/null
then
 echo "OK" >/dev/null
else
 echo "NOT RUNNING `date`" >>/var/log/fail2bancheck.log
 rm -f /var/run/fail2ban/fail2ban.sock
 /etc/init.d/fail2ban stop >/dev/null 2>/dev/null
 /etc/init.d/fail2ban zap >/dev/null 2>/dev/null
 /etc/init.d/fail2ban start >/dev/null 2>/dev/null
fi

Changes in /etc/fail2ban/action.d/sendmail-common.local

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/fail2ban/action.d/sendmail-common.local

Changed on 25.02.14
Issued by olli
Beginning line 1

No mail at startup/shutdown

[Definition]
actionstart =
actionstop =

Changes in /etc/fail2ban/jail.d/gabosh.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/fail2ban/jail.d/gabosh.conf

Changed on 25.02.14
Issued by olli
Beginning line 1

Some jails for different services


#### SSH ####

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log

[sshd-ddos]
enabled = true
port = ssh
logpath = /var/log/auth.log

#### MAIL ####

[postfix]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog.log

[postfix-rbl]
enabled = true
port = smtp,465,submission
logpath = /var/log/maillog.log
maxretry = 1

[postfix-sasl]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath  = /var/log/maillog.log

[cyrus-imap]
enabled = true
port = smtp,465,submission,imap3,imaps,pop3,pop3s,2000
logpath  = /var/log/maillog.log

[sieve]
port   = smtp,465,submission,2000
logpath = /var/log/maillog.log

#### WEB ####

[apache-auth]
enabled = true
port = http,https
logpath = /var/log/apache2/error_log

[apache-badbots]
enabled = true
logpath = /var/log/apache2/access_log
maxretry = 1

[php-url-fopen]
enabled = true
logpath = /var/log/apache2/access_log
maxretry = 1

[apache-noscript]
enabled = true
port = http,https
logpath  = /var/log/apache2/error_log
maxretry = 6

[horde]
enabled = true
filter = horde
port = http,https
logpath = /opt/horde/horde.log

[hordetest]
enabled = true
filter = horde
port = http,https
logpath = /opt/horde-test/horde.log

#### CHAT ####

#[ejabberd-auth]
#enabled = true
#port = 5222
#logpath = /var/log/jabber/ejabberd.log


Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add fail2ban 


Thinclient - Basesystem

Here is a little documentation of how I installed the base system for my thinclients. The special thing about these clients is that they boot from a read-only NFS filesystem. The goal is that the same system can be booted at the same time by several different computers.

I installed it in a chroot on my server. You can use the Gentoo Handbook for the basic installation. Here are some changes I made to turn it into a read-only thinclient.
This is the profile I use:
rm /etc/make.profile
ln -s /usr/portage/profiles/default/linux/x86/2008.0/desktop /etc/make.profile

I installed some additional software for me and my users. Here is what I installed:
chroot /srv/thinclient/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge app-arch/p7zip sys-apps/sdparm sys-apps/hdparm app-arch/unace app-arch/unarj app-arch/unlzx app-arch/rar app-arch/arj app-arch/lha app-arch/unadf app-misc/mc app-cdr/k3b app-editors/vim app-office/openoffice app-portage/genlop app-portage/gentoolkit app-text/acroread dev-util/strace media-sound/alsa-tools media-sound/alsa-utils media-sound/musescore media-sound/timidity++ media-video/dvdrip net-im/licq net-wireless/ipw2100-firmware net-wireless/ipw2200-firmware sys-kernel/gentoo-sources sys-libs/libstdc++-v3 sys-process/vixie-cron virtual/libstdc++ www-client/mozilla-firefox www-plugins/adobe-flash sys-power/acpid app-laptop/radeontool sys-fs/dosfstools app-text/unix2dos app-text/dos2unix net-analyzer/nmap net-misc/netkit-telnetd sys-apps/parted sys-block/gparted mail-client/mozilla-thunderbird net-wireless/bluez-firmware net-wireless/bluez-hcidump sys-apps/ethtool sys-kernel/linux-firmware media-gfx/gimp net-misc/rdate net-misc/ntp net-nds/yp-tools net-nds/ypbind app-emulation/wine sys-process/htop media-video/kino media-sound/audacity games-action/chromium net-print/foomatic-filters-ppds net-im/skype net-analyzer/iptraf app-mobilephone/wammu app-mobilephone/gnokii net-fs/curlftpfs sys-fs/sshfs-fuse net-fs/fusesmb sys-power/acpid app-office/qbankmanager app-office/grisbi app-cdr/xfburn x11-terms/terminal app-editors/mousepad app-office/orage media-gfx/ristretto media-sound/grip media-gfx/gqview media-plugins/mytharchive media-plugins/mythbrowser media-plugins/mythcontrols media-plugins/mythflix media-plugins/mythgallery media-plugins/mythgame media-plugins/mythmovies media-plugins/mythmusic media-plugins/mythnews media-plugins/mythphone media-plugins/mythvideo media-plugins/mythweather media-plugins/mythzoneminder dev-python/imdbpy net-im/pidgin media-sound/tagtool media-sound/audacious media-plugins/audacious-plugins media-plugins/audacious-xosd x11-themes/audacious-themes app-arch/xarchiver media-gfx/inkscape app-office/dia app-misc/fdupes dev-util/geany net-misc/openvpn media-sound/id3v2 media-libs/exiftool dev-perl/MP3-Tag'

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge app-admin/rsyslog'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-fs/nfs-utils'

Changes in /etc/cron.weekly/gtcupdate

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /etc/cron.weekly/gtcupdate

Changed on 05.01.09
Issued by olli
Beginning line 2

Update the thinclient system automatically once a week

#!/bin/bash

# Update Hibiscus
ARCH=`uname -m | grep -o '64'`
JAMEICAVERSION=`wget -q -O - http://www.willuhn.de/products/jameica/releases/version-nightly`
HIBISCUSVERSION=`wget -q -O - http://www.willuhn.de/products/hibiscus/releases/version-nightly`
cd /tmp
#wget http://www.willuhn.de/products/jameica/releases/current/jameica/jameica-linux.zip
wget http://www.willuhn.de/products/jameica/releases/nightly/jameica-${JAMEICAVERSION}-nightly-linux${ARCH}.zip
#wget http://www.willuhn.de/products/hibiscus/releases/current/hibiscus.zip
wget http://www.willuhn.de/products/hibiscus/releases/nightly/hibiscus-${HIBISCUSVERSION}-nightly.zip
#hibiscusfile="hibiscus.zip"
#jameicafile="jameica-linux.zip"
jameicafile="jameica-${JAMEICAVERSION}-nightly-linux${ARCH}.zip"
hibiscusfile="hibiscus-${HIBISCUSVERSION}-nightly.zip"

cd /opt
rm -rf /opt/jameica
unzip /tmp/${jameicafile}
cd jameica/plugins
unzip /tmp/${hibiscusfile}

for umg in stable test
do
 cd /gtc/$umg/opt
 rm -rf /gtc/$umg/opt/jameica
 unzip /tmp/${jameicafile}
 cd jameica/plugins
 unzip /tmp/${hibiscusfile}
 echo -e "[Desktop Entry]\n"\
"Name=Hibiscus\n"\
"Comment=Hibiscus die freie Homebanking-Anwendung\n"\
"Exec=/opt/jameica/jameica.sh\n"\
"Terminal=false\n"\
"Encoding=UTF-8\n"\
"Type=Application\n"\
"Icon=/opt/jameica/jameica-icon.png\n"\
"Categories=Office,Finance\n"\
> /gtc/$umg/usr/share/applications/Hibiscus.desktop
done
cat /gtc/test/usr/share/applications/Hibiscus.desktop >/usr/share/applications/Hibiscus.desktop
rm /tmp/${jameicafile}
rm /tmp/${hibiscusfile}

# Update GTC
echo "chroot /gtc/test /bin/bash -c '

echo -e \"\n\n\n---- PREPARING ENVIRONMENT ----\n\"
env-update &>/dev/null && source /etc/profile && \
mount -t proc proc /proc >/dev/null 2>&1
mount shm -t tmpfs /dev/shm >/dev/null 2>&1
mount sys -t sysfs /sys >/dev/null 2>&1
chmod 1777 /dev/shm
chmod 666 /dev/urandom

echo -e \"\n\n\n---- EMERGE SYNC ----\n\"
emerge --sync -q && \

echo -e \"\n\n\n---- WORLD UPDATE ----\n\"
emerge -uqDvN --with-bdeps=y --keep-going @world

echo -e \"\n\n\n---- ADDITIONAL SOFTWARE ----\n\"
gtc-additional-sw-del
gtc-additional-sw-add

echo -e \"\n\n\n---- REVDEP-REBUILD ----\n\"
emerge @preserved-rebuild -1qv --keep-going
rm /var/cache/revdep-rebuild/*.rr
revdep-rebuild -i -C -- -1qv --keep-going

echo -e \"\n\n\n---- PYTHON-UPDATER ----\n\"
python-updater --disable-manual -- -1qv --keep-going

echo -e \"\n\n\n---- PERL-CLEANER ----\n\"
perl-cleaner --all -- -1qv --keep-going | grep -v \" : /usr/lib/perl\" | grep -v \" -> \" | grep -i -v \"^Skipping directory\"

echo -e \"\n\n\n---- PKG CHECK ----\n\"

equery -N -C check -o '*' 2>&1 |  grep \"^!!!\" | egrep -vi \"^!!! /etc|does not exist|/cfg.pyc|/var/spool/at/atjobs/.SEQ|has wrong mtime|flash.+does not point to|/usr/lib/vlc/plugins/plugins.dat|/usr/lib/openoffice/program/soffice.bin|/opt/netscape/plugins/nppdf.so|/usr/share/texmf/tex/generic/config/language.\"

echo -e \"\n\n\n---- Clean up ----\n\"
rm -r /var/tmp/portage/*
rm -r /usr/portage/distfiles/*

' >/tmp/gtc-update 2>&1 ; cat -v /tmp/gtc-update | mail -s 'GTC-Update' admin" | at now >/dev/null

Changes in /gtc/test/etc/conf.d/hostname

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/conf.d/hostname

Changed on 05.01.09
Issued by olli
Beginning line 2

This sets a default hostname for the thinclient


Before change
hostname="localhost"
After change
hostname="gtc-default.gtc-domain"

Changes in /gtc/test/etc/conf.d/sshd

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/conf.d/sshd

Changed on 28.11.12
Issued by olli
Beginning line 23

Do not start dhcp at boot

rc_need="!net"

Changes in /gtc/test/etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/crontab

Changed on 19.07.13
Issued by olli
Beginning line 18

System health checks

# Check Disk Usage
*/5 * * * *    root     [ -e /etc/thinclient/scripts/check-hdd.sh ] && /etc/thinclient/scripts/check-hdd.sh
30 * * * *     root	rm -rf /tmp/df-?d??
# Check Memory
*/5 * * * *    root     [ -e /etc/thinclient/scripts/check-mem.sh ] && /etc/thinclient/scripts/check-mem.sh
# Check Swap
*/5 * * * *    root     [ -e /etc/thinclient/scripts/check-swap.sh ] && /etc/thinclient/scripts/check-swap.sh
# Check temperature
*/5 * * * *    root     [ -e /etc/thinclient/scripts/check-temperature.sh ] && /etc/thinclient/scripts/check-temperature.sh
# Check time
*/5 * * * *    root     ntpdate -s 0.de.pool.ntp.org >/dev/null 2>&1 || ntpdate -s 1.de.pool.ntp.org >/dev/null 2>&1

Changes in /gtc/test/etc/dhcpcd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/dhcpcd.conf

Changed on 30.10.09
Issued by after
Beginning line 40

Timeout for dhcpcd

timeout 20

Changes in /gtc/test/etc/distcc/hosts

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/distcc/hosts

Changed on 30.11.09
Issued by after
Beginning line 6

The hosts running distccd. You only need this if you use distcc


Before change
127.0.0.1
After change
think-gabosh.example.com
backup-gabosh.example.com
ion-gabosh.example.com
proll-gabosh.example.com

Changes in /gtc/test/etc/init.d/checkroot

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/init.d/checkroot

Changed on 19.03.10
Issued by olli
Beginning line 10

This stops checkroot from remounting/mounting the root filesystem when the system was booted from NFS; that mounting is done in the initrd.

if grep -qi root=/dev/nfs /proc/cmdline
then
 exit 0
fi

Changes in /gtc/test/etc/local.d/gtc.start

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/local.d/gtc.start

Changed on 09.10.09
Issued by olli
Beginning line 1

Configure the Thinclient

/etc/thinclient/startup/gtc-startupconfig 2>&1 | tee -a /var/log/thinclient.log
/etc/init.d/xdm zap >/dev/null 2>&1

Changes in /gtc/test/etc/local.d/gtc.stop

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/local.d/gtc.stop

Changed on 19.09.12
Issued by olli
Beginning line 2

Store Passwords and Mixer settings if the BGTC is local

#!/bin/bash
if mount | grep "/_gtcroot type nfs" >/dev/null
then
 echo "This GTC is network booted"
else
 . /etc/thinclient/scripts/gtc-confs.sh
 mkdir -p /_gtcroot/etc/thinclient/profiles/`hostname`/local
 echo "Saving mixersettings"
 alsactl store -f /_gtcroot/etc/thinclient/profiles/`hostname`/local/mixersettings
 echo "Saving passwords"
 cat /etc/shadow | grep -a "^root" > /_gtcroot/etc/thinclient/profiles/`hostname`/local/shadow
 for LU in $LOCALUSER
 do
  cat -vT /etc/shadow | grep -a "^$LU" >> /_gtcroot/etc/thinclient/profiles/`hostname`/local/shadow
 done
fi

Changes in /gtc/test/etc/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/make.conf

Changed on 01.12.08
Issued by olli
Beginning line 4

Some settings to get maximum compatibility for the system software


Before change
#CFLAGS=""
After change
USE="mysqli pcre16 video svc lv2 webserver winbind client fluidsynth portaudio stk vst gnome-keyring postproc ruby_targets_ruby21 bluray dlz jack id3tag ladspa libsamplerate sbsms soundtouch twolame vamp fdk x265 ffmpeg -libav matroska libass resolvconf networkmanager image-converter pidgin sensord nscd extensions gbm -tls-heartbeat utils vala curl_ssl_nss eds orc glib gdbm caps pulseaudio equalizer sip icq messages vpx upnp java videos nocd hog mvl taglib vte udev dbus server ssh -hylafax odf xa libkms doom heretic hexen minizip timidity ntfsprogs mdadm btrfs pcmcia hwdb kerbros gssapi inotify mdev nfs icu wps hpijs lxde dynamic syncmai xetex xcomposite consolekit amr perl python madwifi apng xmlrpc -ole -google -galago openldap bash-completion podcast youtube theora mjpeg vlc hddtemp -additions fontconfig lame -handbook -vaapi css analogtv dolbyinrec dvbplayer dvbsetup dvdarchive setup softosd gimp emerald gd mdnsresponder-compat lightning gallium epiphany wmf beagle firefox thunderbird mono vcdinfo vcdx wma-fixed cjk unicode ivtv mixer tv kdrive gdu fax xrandr sasl threads hash apache2 syslog overlays -tcpd -minimal sdb-ldap qemu-ifup vde gstreamer policykit ofx sqlite redland gnokii acl xattr extras desktopglobe akonadi semantic-desktop cdda ipod lastfm -embedded socks5 groupwise winpopup yahoo oscar msn skype nis mng sql webkit dmraid fat hfs reiser4 device-mapper jfs ntfs reiserfs xfs irda lm_sensors musicbrainz midi visualization acl xattr netboot vim-syntax laptop chipcard hbci 3dnow 3dnow ext a52 audiofile cddb cdio cdparanoia curl dri dvb fuse nsplugin templates -kde cdr dvd dvdr cairo networking guile gtk gtk2 -gnome 7zip acpi alsa arts imagemagick joystick jpeg jpeg2k ldap lirc lzo mysql mp3 mplayer mpeg mmx mmxext mad musepack mythtv nas ogg opengl openal pvr png ppds quicktime radio rar svg sse sse2 ssse3 samba scanner sndfile sdl sms teletext tiff tse3 usb v4l v4l2 vdr vorbis win32codecs X xcomposite xine xinerama xscreensaver xv xvid x264 aac faac opus"
CPU_FLAGS_X86="mmx mmxext sse sse2 sse3"
#LIGHTDM_GREETER="lightdm-gtk-greeter"
ACCEPT_LICENSE="-* @BINARY-REDISTRIBUTABLE MPEG-4 DES myspell-et_EE-IEL myspell-lt_LT-AlbertasAgejevas gccmakedep imake xf86rushproto freedist myspell-ru_RU-ALexanderLebedev MSttfEULA gSOAP CCPL-ShareAlike-1.0 xf86bigfontproto Ximian-logos LDP-1a JasPer2.0 X11 LPPL-1.3b unRAR free-noncomm CCPL-Sampling-Plus-1.0 LIBGLOSS NEWLIB CC-Sampling-Plus-1.0 as-is bluez-firmware BUILDLIC D1X LOKI-EULA icaclient PUEL FraunhoferFDK MakeMKV-EULA AdobeFlash-11.x"
LANG="de_DE"
LANGUAGE="41"
LINGUAS="en de"
L10N="en de"
CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3"
#LINGUAS="en de ru fr nds"
#INPUT_DEVICES="keyboard mouse joystick virtualbox synaptics evdev"
INPUT_DEVICES="synaptics evdev"
VIDEO_CARDS="i915 i965 intel nouveau r100 r200 r300 r600 radeon vmware apm ark ast cirrus epson fbdev glint i128 i740 mach64 modesetting nv r128 savage siliconmotion sis tdfx trident v4l vesa via MakeMKV-EULA amdgpu radeonsi"
APACHE2_MPMS="worker"
CURL_SSL="nss"
GRUB_PLATFORMS="efi-32 efi-64 pc qemu xen"

Changes in /gtc/test/etc/portage/package.keywords

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/portage/package.keywords

Changed on 01.12.08
Issued by olli
Beginning line 1

Unmask some packages


# Noteedit
=media-sound/musescore-1.3 ~x86

# System tools
=app-crypt/chntpw-140201 ~x86
=sys-boot/os-prober-1.65

=net-misc/remmina-1.2.0_rc3 ~x86

# Firefox
<www-client/firefox-46 ~x86

# wine/playonlinux
=games-action/d2x-rebirth-0.58.1 ~x86
=games-fps/serious-sam-tfe-1_beta3 ~x86
=app-emulation/playonlinux-4.2.6 ~x86
=games-fps/serious-sam-tse-1_beta1 ~x86
<app-emulation/wine-1.9 ~x86

=app-text/tesseract-3.04.00-r3 ~x86

# Android adb
=dev-util/android-sdk-update-manager-22.3 ~x86
=dev-util/android-tools-0_p20130218 ~x86
=app-mobilephone/heimdall-9999 **

=net-nds/phpldapadmin-1.2.3-r1 ~x86

=net-libs/libtirpc-0.2.4-r2 ~x86
=dev-python/pexpect-3.3 ~x86

# icaclient
=net-misc/icaclient-XXX.XXX.XXX.XXX-r1 ~x86

# vBox
#=x11-drivers/xf86-video-virtualbox-4.2.24 ~x86

# lmms (Audacity-Alternative)
=media-sound/lmms-1.1.3 ~x86
=media-libs/stk-4.5.0 ~x86

# Handbrake
=media-video/handbrake-0.10.5-r2 ~x86
=media-video/ffmpeg-2.6.3 ~x86
=media-video/mplayer-1.2_pre20150214 ~x86
=media-libs/libde265-0.9 ~x86
=media-libs/x265-1.8-r3 ~x86

# Makemkv
=media-video/makemkv-1.10.4 ~x86

# kodi
=media-tv/kodi-14.1 ~x86

# Bluetooth
=net-wireless/blueman-2.0.3 ~x86

# ardour
=media-libs/rubberband-1.8.1-r1 ~x86
=media-sound/ardour-5.5 ~x86
media-plugins/calf ~x86
=media-libs/suil-0.8.2 ~x86

# linphone
=net-voip/linphone-3.6.1 ~x86
=net-libs/libeXosip-4.0.0 ~x86

# lightspark
=www-plugins/lightspark-0.7.2_p20150318 ~x86

# required by sys-boot/refind (argument)
=sys-boot/udk-2015 ~x86
# # required by sys-boot/refind (argument)
=sys-boot/refind-0.10.4-r2 ~x86

Changes in /gtc/test/etc/postfix/main.cf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /gtc/test/etc/postfix/main.cf

Changed on 02.07.12
Issued by olli
Beginning line 681

Mail settings

inet_protocols = ipv4
myorigin = $myhostname
mydestination =
relay_domains = $myhostname
relayhost = $mydomain
local_recipient_maps =
inet_interfaces = loopback-only
local_transport = error:local delivery is disabled

Changes in /gtc/test/etc/ssh/sshd_config

File permissions:
Owner: root
Group: root
Permissions: -rw-------

Click here for a download of the complete file: /gtc/test/etc/ssh/sshd_config

Changed on 05.01.09
Issued by olli
Beginning line 167

Some SSH settings

MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
PermitRootLogin yes
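This fragment keeps RC4 (arcfour) ciphers, the RIPEMD-160 MAC and password root login enabled, which is what a practitioner would want flagged on a network-booted client. The following added Python example (not part of the howto, not OpenSSH tooling) audits such a fragment and emits a hardened version; the flagged-algorithm sets are this example's own policy, and `prohibit-password` is OpenSSH's key-only root login mode.

```python
import re

# Constructed fragment reproducing the three sshd_config lines shown above.
SSHD_FRAGMENT = """\
MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128
PermitRootLogin yes
"""

# Policy used by this example: arcfour (RC4) ciphers and hmac-ripemd160 were
# removed from OpenSSH; the MD5 and 96-bit truncated MACs are legacy.
FLAGGED_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}
FLAGGED_MACS = {"hmac-ripemd160", "hmac-ripemd160@openssh.com",
                "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
ROOT_LOGIN_REPLACEMENT = "prohibit-password"  # root may log in with keys only


def _parse(line):
    """Split an sshd_config line into (lower-cased keyword, value);
    returns None for blank and comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = re.split(r"[\s=]+", body, maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit_sshd_config(text):
    """Return a list of (keyword, offending value) findings."""
    findings = []
    for line in text.splitlines():
        parsed = _parse(line)
        if not parsed:
            continue
        key, value = parsed
        if key == "ciphers":
            findings += [("Ciphers", c) for c in value.split(",")
                         if c.lower() in FLAGGED_CIPHERS]
        elif key == "macs":
            findings += [("MACs", m) for m in value.split(",")
                         if m.lower() in FLAGGED_MACS]
        elif key == "permitrootlogin" and value.lower() == "yes":
            findings.append(("PermitRootLogin", value))
    return findings


def harden(text):
    """Rewrite the fragment: drop flagged algorithms (removing the whole line
    if nothing is left, so OpenSSH's defaults apply) and restrict root login
    to public keys.  All other lines pass through unchanged."""
    out = []
    for line in text.splitlines():
        parsed = _parse(line)
        if not parsed:
            out.append(line)
            continue
        key, value = parsed
        if key in ("ciphers", "macs"):
            flagged = FLAGGED_CIPHERS if key == "ciphers" else FLAGGED_MACS
            keep = [a for a in value.split(",") if a.lower() not in flagged]
            if keep:
                out.append(f"{'Ciphers' if key == 'ciphers' else 'MACs'} {','.join(keep)}")
        elif key == "permitrootlogin" and value.lower() == "yes":
            out.append(f"PermitRootLogin {ROOT_LOGIN_REPLACEMENT}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, value in audit_sshd_config(SSHD_FRAGMENT):
        print(f"flagged: {keyword} {value}")
    print(harden(SSHD_FRAGMENT))
```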

Changes in /gtc/test/etc/thinclient/scripts/check-hdd.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-hdd.sh

Changed on 19.07.13
Issued by olli
Beginning line 1

Cron-Check Script for disk usage

#!/bin/bash
df -l /dev/?d?? 2>/dev/null | grep "^/dev/" | perl -pe 's/[ \%]+/ /g' | cut -d" " -f1,5 2>/dev/null | while read i
do  
 disk=`echo $i | cut -d" " -f1 | cut -d"/" -f3`
 usa=`echo $i | cut -d" " -f2`
 lock="/tmp/df-$disk"
 if [ $usa -gt 95 ]
 then
  if [ -f $lock ]
  then 
   date >>$lock
  else 
   echo -e "Disk usage $disk at $usa%:\n`df -l /dev/?d?? | grep $usa\%`\n\n `ps aux`\n\n`free -m`" | mail -s "`hostname`: Disk usage $disk at $usa% - CRITICAL" `ls -1 /home/ | while read m; do echo -n $m,; done`root
   date >$lock
  fi
 else 
  if [ -f $lock ]
  then 
   echo -e "Disk usage $disk at $usa%:\n`cat $lock`" | mail -s "`hostname`: Disk usage $disk at $usa% - OK" `ls -1 /home/ | egrep -v 'lost+found' | while read m; do echo -n $m,; done`root
   rm -f $lock
  fi
 fi
done

Changes in /gtc/test/etc/thinclient/scripts/check-mem.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-mem.sh

Changed on 19.07.13
Issued by olli
Beginning line 2

Cron Check script for memory usage

#!/bin/bash
mem=`free -m | grep "^Mem:" | perl -pe 's/[ ]+/ /g' | cut -d" " -f 4`
if [ $mem -lt 32 ]
then 
 if [ -f "/tmp/memlow" ]
 then
  echo "`date` --> $mem" >>/tmp/memlow
 else
  echo -e "Free Mem low ($mem MB):\n`free -m`\n\n`ps aux`" | mail -s "`hostname`: Free mem low ($mem MB)" `ls -1 /home/ | egrep -v 'lost+found' | while read m; do echo -n $m,; done`root 
  echo "`date` --> $mem" >>/tmp/memlow
 fi
else
 rm -f /tmp/memlow
fi


Changes in /gtc/test/etc/thinclient/scripts/check-swap.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-swap.sh

Changed on 19.07.13
Issued by olli
Beginning line 2

Cron Check script for swap usage

#!/bin/bash
blkid | grep GTCSWAP >/dev/null || exit 0
if [ `free -m | grep "^Swap:" | perl -pe 's/[ ]+/ /g' | cut -d" " -f 4` -lt 64 ]
then 
 echo -e "Free Swap low:\n`free -m`\n\n`ps aux`" | mail -s "`hostname`: Free swap low (under 64MB)" `ls -1 /home/ | egrep -v 'lost+found' | while read m; do echo -n $m,; done`root
fi

Changes in /gtc/test/etc/thinclient/scripts/check-temperature.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-x---

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/check-temperature.sh

Changed on 19.07.13
Issued by olli
Beginning line 2

Cron Check script for system temperature sensors

#!/bin/bash
ls -1 /sys/devices/platform/coretemp.0/temp*_input >/dev/null 2>&1 || exit 0
for sensor in `ls -1 /sys/devices/platform/coretemp.0/temp*_input`
do
 sens=`basename $sensor`
 if [ `cat $sensor` -gt 85000 ]
 then 
  if [ -f /tmp/sensor-$sens ]
  then 
   date >>/tmp/sensor-$sens
  else 
   let temp=`cat $sensor`/1000
   echo -e "Temperature of $sens up to $temp degree Centigrade...\n\n`ps aux`\n\n`free -m`\n\n`df -lh | cat -vT `" | cat -vT | mail -s "`hostname`: Temperature up to $temp degree Centigrade" `ls -1 /home/ | egrep -v 'lost+found' | while read m; do echo -n $m,; done`root
  date >/tmp/sensor-$sens
  fi
 else 
  if [ -f /tmp/sensor-$sens ]
  then 
   let temp=`cat $sensor`/1000
   echo -e "Temperature OK - $temp degree Centigrade...\n\n`cat /tmp/sensor-$sens`" | mail -s "`hostname`: Temperature OK again $temp" `ls -1 /home/ | egrep -v 'lost+found' | while read m; do echo -n $m,; done`root
   rm -f /tmp/sensor-$sens
  fi
 fi
done

Changes in /gtc/test/etc/thinclient/scripts/gtc-additional-sw-add

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-additional-sw-add

Changed on 15.02.10
Issued by olli
Beginning line 2

This script installs additional/optional software defined in the thinclient.conf[.local]

#!/bin/bash

# Insert make.conf
source /etc/make.conf

source /etc/thinclient/scripts/gtc-confs.sh

# Mount proc for compiling
mount -t proc proc /proc 2>/dev/null 

# Create /_additionalsw-Dir and remove possible old DB entries
if [ ! -d /_additionalsw ] 
then 
 mkdir -p /_additionalsw
 chmod 0755 /_additionalsw
 for i in `echo $PACKAGES`
 do
  if [ -d /var/db/pkg/$i* ]
  then
   rm -r /var/db/pkg/$i*
  fi
 done
fi

# Link package database
if [ ! -L /_additionalsw/var/db/pkg ]
then
 mkdir -p /_additionalsw/var/db/
 ln -sf /var/db/pkg /_additionalsw/var/db/pkg
fi
mkdir -p /_additionalsw/var/cache/edb
ln -sf /var/cache/edb/counter /_additionalsw/var/cache/edb/counter

# Optionally source a user defined script for doing things before emerge
if [ -f "/etc/gtc-preupdate.sh" ]
then
 . /etc/gtc-preupdate.sh
fi

# Install the packages into another root
KERNEL_DIR="/usr/src/linux" ACCEPT_LICENSE="*" ROOT="/_additionalsw" emerge -uq --keep-going --config-root=/ $PACKAGES

# Remove possibly stale links
echo "Searching for old /_additionalsw-SymLinks"
for i in `find / -xdev -type l -printf "%h/%f;%l\n" | grep ";/_additionalsw/" | cut -d";" -f1`
do
 echo "Removing old /_additionalsw-SymLink $i"
 rm $i
done

# Search for nonexisting directories
find /_additionalsw -type d | sed 's/^\/_additionalsw//' | while read i
do
 if [ ! -e "$i" ]
 then
  echo "Linking Directory $i"
  ln -s "/_additionalsw$i" "$i"
 fi
done

# Search for nonexisting files
find /_additionalsw -type f | sed 's/^\/_additionalsw//' | while read i
do
 if [ ! -e "$i" ]
 then
  echo "Linking File $i"
  ln -s "/_additionalsw$i" "$i"
 fi
done

# Search for nonexisting links
find /_additionalsw -type l | sed 's/^\/_additionalsw//' | while read i
do
 if [ ! -e "$i" ]
 then
  echo "Linking Link $i"
   ln -s "/_additionalsw$i" "$i"
 fi
done

echo "Running some environment-updates"
env-update
source /etc/profile
depmod -a
ldconfig

echo "Putting the packages into the world-file"
ACCEPT_LICENSE="*" emerge -nq $PACKAGES

echo "

The following packages have been linked in: $PACKAGES"
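
The overlay scheme of this script (install into /_additionalsw, then link every entry that is missing from /) as an added example, not part of gtc-additional-sw-add or the GTC project: the same three passes, but working on two directories given as arguments (constructed temporary trees in the test) instead of / and /_additionalsw, so it can be tried without touching a live root. Function names are assumptions for illustration; paths are assumed to contain no newlines.

```sh
#!/bin/sh
# Added example: "link what is missing" overlay handling on arbitrary trees.

# Remove every symlink below $2 whose target lies inside $1
# (the "old /_additionalsw-SymLinks" pass of the original script).
unlink_overlay() {
 overlay=$1
 root=$2
 find "$root" -xdev -type l | while read -r link
 do
  target=$(readlink "$link")
  case $target in
   "$overlay"/*) rm "$link" ;;
  esac
 done
}

# Link every overlay entry that has no counterpart below $2.
# Entries are visited in sorted (depth-first) order, so a directory that is
# missing from the root is linked as a whole and everything beneath it is
# then reachable through that link and is skipped; this is the reason the
# original links directories first and files afterwards.
link_overlay() {
 overlay=$1
 root=$2
 find "$overlay" -mindepth 1 | LC_ALL=C sort | while read -r path
 do
  rel=${path#"$overlay"}
  # -L catches a dangling link left from an earlier run, which -e misses
  if [ ! -e "$root$rel" ] && [ ! -L "$root$rel" ]
  then
   ln -s "$overlay$rel" "$root$rel"
  fi
 done
}

# Count the symlinks below $2 that point into $1 (used to verify the result).
count_overlay_links() {
 find "$2" -xdev -type l -exec readlink {} \; | grep -c "^$1/" || true
}
```

Running unlink_overlay before link_overlay, as the original does, makes the procedure idempotent: a package removed from the overlay leaves no dangling link behind, and a directory that now exists in the root is no longer hidden behind an old link.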


Changes in /gtc/test/etc/thinclient/scripts/gtc-additional-sw-del

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-additional-sw-del

Changed on 15.02.10
Issued by olli
Beginning line 2

This script deletes all additional/optional installed software


Before change
#!/bin/bash

source /etc/thinclient/scripts/gtc-confs.sh

echo "Cleaning world file"
emerge --deselect $PACKAGES
echo "Cleaning portage"
emerge --depclean 

echo "Searching for /_additionalsw-SymLinks"
find / -xdev -type l -printf "%h/%f;%l\n" | grep ";/_additionalsw" | cut -d";" -f1 | while read i
do
 echo "Removing SymLink $i"
 rm "$i"
done

echo "Deleting /_additionalsw"
rm -r /_additionalsw

Changes in /gtc/test/etc/thinclient/scripts/gtc-buildkernel

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-buildkernel

Changed on 08.10.09
Issued by olli
Beginning line 3

Command for creating the kernel, modules and initrd (with UUID support, ...) for the thinclient.

#!/bin/bash

# Get script name
script=`basename $0`

if [ $script = "gtc-buildkernel-menuconfig" ]
then
 echo "Before Running this script link the correct Kernel-Version in /usr/src/ to /usr/src/linux!!!

While running \"make menuconfig\" (in this script) please enable the following drivers:

[ ] 64-bit kernel

Processor type and features --->
 High Memory Support (64GB)

Device Drivers  --->
 Network device support ->
  Wireless LAN ->
   ### Select all WLAN cards that may be needed (Atheros, Realtek, USB, ...)

Kernel hacking  --->
 <*> Memtest

ENTER for continue; Ctrl+C to abort"
 read x
 # Generate kernel, initrd and System.map
 genkernel all --disklabel --no-mrproper --menuconfig --no-zfs --no-lvm --no-mdadm --no-dmraid --no-multipath --no-iscsi --no-luks --no-gpg --no-unionfs --no-firmware
fi
if [ $script = "gtc-buildkernel" ]
then
 genkernel all --disklabel --no-mrproper --no-zfs --no-lvm --no-mdadm --no-dmraid --no-multipath --no-iscsi --no-luks --no-gpg --no-unionfs --no-firmware
 emerge -1qv @module-rebuild
fi
if [ $script = "gtc-buildkernel-menuconfig" ]
then
 emerge -1qv @module-rebuild
fi

# Get Kernels Version number
KERNEL=`ls -ld  /usr/src/linux | cut -d">" -f2 | sed 's/^ linux-//'`

### edit genkernel initrd ###
if [ -d /tmp/initrd ]
then
 rm -rf /tmp/initrd
fi
if [ -f /tmp/initrd ]
then 
 rm -f /tmp/initrd
fi
mkdir /tmp/initrd
cd /tmp/initrd

# extract initrd
cp /boot/initramfs-genkernel-x86-$KERNEL /boot/initramfs-genkernel-x86-$KERNEL.original
#gzip -dc /boot/initramfs-genkernel-x86-$KERNEL | cpio -id
xzcat /boot/initramfs-genkernel-x86-$KERNEL.original | cpio -dim


# Copy network modules to initrd
mkdir -p /tmp/initrd/lib/modules/$KERNEL/kernel/drivers/net
rsync -a --exclude=hamachi.ko --exclude=wireless --exclude=irda --exclude=phy --exclude=wan --exclude=bonding /lib/modules/$KERNEL/kernel/drivers/net/ /tmp/initrd/lib/modules/$KERNEL/kernel/drivers/net/
cp -p /lib/modules/$KERNEL/modules.order /tmp/initrd/lib/modules/$KERNEL/modules.order
cp -p /lib/modules/$KERNEL/modules.builtin /tmp/initrd/lib/modules/$KERNEL/modules.builtin
mkdir -p /tmp/initrd/lib/modules/$KERNEL/kernel/net
rsync -a --exclude=netfilter --exclude=wireless --exclude=bluetooth /lib/modules/$KERNEL/kernel/net/ /tmp/initrd/lib/modules/$KERNEL/kernel/net
mkdir -p /tmp/initrd/lib/modules/$KERNEL/kernel/lib
rsync -a /lib/modules/$KERNEL/kernel/lib/ /tmp/initrd/lib/modules/$KERNEL/kernel/lib

# Copy nfs modules
mkdir -p /tmp/initrd/lib/modules/$KERNEL/kernel/fs/nfs
cp -rp /lib/modules/$KERNEL/kernel/fs/nfs/* /tmp/initrd/lib/modules/$KERNEL/kernel/fs/nfs/
mkdir -p /tmp/initrd/lib/modules/$KERNEL/kernel/fs/nfs_common
cp -rp /lib/modules/$KERNEL/kernel/fs/nfs_common/* /tmp/initrd/lib/modules/$KERNEL/kernel/fs/nfs_common/

# Copy a binary and the shared libraries ldd reports for it into the initrd
copy_with_libs() {
 bin=`which $1`
 cp $bin /tmp/initrd/bin
 for lib in `ldd $bin | tr -s " \t" "\n" | grep lib/`
 do
  cp $lib /tmp/initrd/lib
 done
}

copy_with_libs brctl

copy_with_libs mount.nfs

copy_with_libs rpcbind
cp /etc/netconfig /tmp/initrd/etc/
cp /etc/services /tmp/initrd/etc/
cp /etc/rpc /tmp/initrd/etc/
cp /etc/protocols /tmp/initrd/etc/

copy_with_libs rpc.idmapd
cp /lib/libnss* /tmp/initrd/lib/
cp -r /usr/lib/libnfsidmap* /tmp/initrd/lib/
mkdir -p /tmp/initrd/var/lib/nfs/rpc_pipefs/nfs
cp -P /etc/localtime /tmp/initrd/etc/
cp /etc/passwd /tmp/initrd/etc/
cp /etc/group /tmp/initrd/etc/
cp /etc/nsswitch.conf /tmp/initrd/etc/
cp /etc/idmapd.conf /tmp/initrd/etc/

copy_with_libs rsync

copy_with_libs strace

depmod -a -b /tmp/initrd $KERNEL
# Copy firmware to initrd
#rsync -a --exclude=radeon /lib/firmware /tmp/initrd/lib/
mkdir -p /tmp/initrd/lib/firmware
cd /lib/firmware
cp -r 3com bnx2* tigon /tmp/initrd/lib/firmware
cd -

# Edit file for loading Network modules
mkdir -p /tmp/initrd/etc/modules
>/tmp/initrd/etc/modules/net
>/tmp/initrd/etc/modules/gtcnet
for i in `find /tmp/initrd/lib/modules/$KERNEL/kernel/drivers/net/ -type f -name *.ko | sort`; 
do 
 mod="`basename $i | sed 's/\.ko$//'`"
 echo "$mod" >> /tmp/initrd/etc/modules/gtcnet
done
echo "bridge" >> /tmp/initrd/etc/modules/gtcnet

# Create new NFS/Networking script for initrd
echo '
gtcdebug() {
 if cat /proc/cmdline | grep -i gtcdebug >/dev/null
  then
  set -x
 fi
}
' >/tmp/initrd/etc/gtc

echo '
gtcnet() {
 if [ "$BOOTIF" = "00-00-00-00-00-00" ]
 then
  good_msg "Not doing any network configuration"
 else
  good_msg "Loading network modules"
  modules_scan gtcnet
  if [ "${IP}" = "" ]
  then
   good_msg "No IP-Parameter... Trying DHCP..."
   if busybox udhcpc -n -T 15 -q
   then
    good_msg "Got IP via DHCP"
    if=`ifconfig | grep eth | head -n1 | cut -d" " -f1`
    mac=`ifconfig $if | head -n1 | sed "s/ */ /g" | cut -d" " -f6`
    ip=`ifconfig $if | head -n2 | tail -n1 | sed "s/ */ /g" | cut -d" " -f3 | sed "s/^addr://g"`
    nm=`ifconfig $if | head -n2 | tail -n1 | sed "s/ */ /g" | cut -d" " -f5 | sed "s/^Mask://g"`
    gw=`route -n | grep "^0.0.0.0" | sed "s/ */ /g" | cut -d" " -f3`
   else
    bad_msg "Got no network configuration - No DHCP and no Kernel IP parameter"
    if=""
   fi
   nonetboot=1
  else
   mac=`echo $BOOTIF | sed s/-/:/g | sed s/^..://`
   ip=`echo $IP | cut -d: -f1`
   gw=`echo $IP | cut -d: -f3`
   nm=`echo $IP | cut -d: -f4`
   if=`ifconfig -a | grep -i $mac | head -n1 | cut -d" " -f1`
   nonetboot=""
  fi
  if [ -n "$if" ]
  then
   good_msg "Setting up Networking for Interface $if - $mac"
   good_msg "Creating Bridge br0 for $if"
   brctl addbr br0 || /bin/sh
   brctl setfd br0 0 || /bin/sh
   brctl addif br0 $if || /bin/sh
   ifconfig $if 0.0.0.0 promisc up || /bin/sh
   good_msg "Setting IP and Netmask $ip/$nm"
   ifconfig br0 $ip netmask $nm || /bin/sh
   good_msg  "Setting default Gateway $gw"
   route add default gw $gw br0  || /bin/sh
  fi
 fi
}
' >>/tmp/initrd/etc/gtc

echo '
gtccreaterw() {

 good_msg "Mounting Ramdisk with tmpfs"
 nr=${NEW_ROOT}
 mount -n -t tmpfs -o size=256M tmpfs $nr || /bin/sh
 
 good_msg "Mounting Root"
 mkdir -p $nr/_gtcroot
 
 # GTC DVD
 if cat /proc/cmdline | grep gtcdvd >/dev/null
 then
  good_msg "Searching for the DVD"
  mkdir -p $nr/_gtcdvdroot
  for dev in `find /dev -maxdepth 1 -name "*[s|h|xv]d?" -type b ; find /dev -maxdepth 1 -name "*sr?" -type b`
  do
   mount -n -t iso9660 $dev $nr/_gtcdvdroot >/dev/null 2>&1
   if [ -f "$nr/_gtcdvdroot/gtc" ]
   then
    dvdfound=$dev
   else
    umount -lf $dev >/dev/null 2>&1
   fi
  done
  if [ -z "$dvdfound" ]
  then
   bad_msg "No GTC-DVD found"
   /bin/sh
  fi
  good_msg "DVD-Device is $dvdfound"
  good_msg "Mounting GTC-Image"
  if mount -n -t squashfs -o loop,ro $nr/_gtcdvdroot/gtc $nr/_gtcroot
  then
   good_msg "GTC-Image mounted"
  else
   bad_msg "Could not mount $nr/_gtcdvdroot/gtc"
   /bin/sh
  fi

 # GTC HDD
 elif cat /proc/cmdline | grep gtchdd >/dev/null
 then
  good_msg "Searching for the GTC-HDD"
  for arg in `cat /proc/cmdline`
  do
   if echo "$arg" | grep -i "root=UUID" >/dev/null
   then
    uuid=`echo $arg | cut -d"=" -f3`
    hdd=`blkid | grep $uuid | cut -d: -f1` 
   fi
  done
  good_msg "GTC-HDD $hdd with UUID $uuid found - Trying to mount"
  if mount $hdd $nr/_gtcroot
  then
   good_msg "GTC-HDD mounted"
  else
   bad_msg "Could not mount $uuid"
   /bin/sh
  fi

 # GTC NFS
 else
  good_msg "Mounting NFS-Root ${NFSROOT}"
  /sbin/modprobe nfs >/dev/null
  /sbin/modprobe nfsv3 >/dev/null
  mkdir -p /var/run
  if [ -f /bin/portmap ]
  then
   /bin/portmap || /bin/sh
  else
   /bin/rpcbind || /bin/sh
  fi
  mkdir -p /var/lib/nfs/rpc_pipefs
  mount -t rpc_pipefs none /var/lib/nfs/rpc_pipefs
  mkdir -p $nr/var/lib/nfs/rpc_pipefs
  mount -n -t rpc_pipefs none $nr/var/lib/nfs/rpc_pipefs
  #/bin/rpc.idmapd || /bin/sh
  ln -s /bin/mount.nfs /bin/mount.nfs4
  mount.nfs $NFSROOT $nr/_gtcroot -o suid,ro,async,hard,intr,nolock,nfsvers=3 || /bin/sh
 fi

 good_msg "Creating RW-Directory-Structure for /etc, /var, /tmp and /dev"
 cd $nr
 mkdir -p $nr/home $nr/sys $nr/proc $nr/root $nr/media $nr/mnt $nr/etc/gconf $nr/var/tmp $nr/var/lib/texmf $nr/tmp $nr/run
 rsync -a --exclude=thinclient/profiles/ --exclude=gconf/ $nr/_gtcroot/etc $nr/ || /bin/sh
 rsync -a --exclude=lib/texmf/ --exclude=/www/ --exclude=cache/edb/ --exclude=db/pkg/ --exclude=tmp/ $nr/_gtcroot/var $nr/ || /bin/sh
 rsync -a $nr/_gtcroot/dev $nr/ || /bin/sh
 chmod 1777 $nr/var/tmp
 chmod 1777 $nr/tmp
 chmod 0700 $nr/root
 
 # Copy thinclient.conf from the DVD if it exists
 if [ -f $nr/_gtcdvdroot/conf ]
 then
  good_msg "Using thinclient.conf.local (conf) from DVD"
  cp $nr/_gtcdvdroot/conf $nr/etc/thinclient.conf.local
 fi

 good_msg "Bind Mounting RO-Directory-Structure"
 for i in `ls $nr/_gtcroot | grep -v etc | grep -v home | grep -v var | grep -v tmp | grep -v sys | grep -v proc | grep -v run | grep -v root | grep -v lost+found | grep -v media | grep -v cdrom | grep -v floppy | grep -v mnt | grep -v dev` etc/gconf var/lib/texmf
 do
  if [ -d $nr/_gtcroot/$i ]
  then
   good_msg "Bind-Mounting $i"
   mkdir -p $nr/$i
   mount -n --bind $nr/_gtcroot/$i $nr/$i
  fi
 done

 good_msg "Copy possible existing Links in /"
 cd $nr/_gtcroot
 find . -maxdepth 1 -type l -exec cp -P {} $nr/ \;
 
 good_msg "Writing mtab"
 cat /proc/mounts | sed s/newroot\\/// | sed s/\\/newroot/\\// | grep -v rootfs | grep -v rpc_pipefs | grep -v /usr | grep -v /sbin | grep -v /lib | grep -v /bin > $nr/etc/mtab
 
 good_msg "Removing 70-persistent-net.rules"
 rm -f $nr/etc/udev/rules.d/70-persistent-net.rules

 good_msg "Creating /etc/thinclient/bootif"
 echo "$if" > $nr/etc/thinclient/bootif

 if [ -z "$nonetboot" ]
 then
  good_msg "Setting up DNS from thinclient.conf"
  good_msg "Getting Nameserver configuration"
  source $nr/etc/thinclient/thinclient.conf
  if [ -f $nr/etc/thinclient/thinclient.conf.local ]
  then
   source $nr/etc/thinclient/thinclient.conf.local
  fi
  if [ -n "$NAMESERVERBACKUP" ]
  then
   BACKUP="
nameserver $NAMESERVERBACKUP
options timeout:2"
  fi
  good_msg "Setting up nameserver $NAMESERVER and search suffix $SEARCH"
  echo "nameserver $NAMESERVER$BACKUP
search $SEARCH" > /etc/resolv.conf
 fi
 touch /etc/resolv.conf
 cp /etc/resolv.conf $nr/etc/resolv.conf
}
' >>/tmp/initrd/etc/gtc

echo '
gtcshell() {
 if cat /proc/cmdline | grep -i gtcshell >/dev/null
 then
  /bin/sh
 fi
}
' >>/tmp/initrd/etc/gtc

echo '
gtcprofile() {
 if cat /proc/cmdline | grep -i "gtcprofile=" >/dev/null
 then
  for arg in `cat /proc/cmdline`
  do
   if echo "$arg" | grep -i "gtcprofile=" >/dev/null
   then
    NAME=`echo $arg | cut -d"=" -f2`
   fi
  done
 else
  good_msg "Trying to get and set hostname/profile over reverse DNS for $ip"
  chroot $nr /usr/bin/host $ip >/dev/null 2>/dev/null
  if [ $? -eq 0 ]
  then
   NAME=$(chroot $nr /usr/bin/host $ip | cut -d " " -f 5 | sed -e s/\.$//)
   good_msg "Adding to $nr/etc/hosts -> $ip $NAME"
   echo "$ip $NAME" >> $nr/etc/hosts
  else
   NAME="gtc-default"
  fi
 fi
 good_msg "Setting hostname to $NAME"
 if [ -d "$nr/_gtcroot/etc/thinclient/profiles/$NAME" ]
 then
  good_msg "Copying profile for $NAME"
  mkdir -p $nr/etc/thinclient/profiles/$NAME || /bin/sh
  rsync -a --exclude=software $nr/_gtcroot/etc/thinclient/profiles/$NAME/ $nr/etc/thinclient/profiles/$NAME/ || /bin/sh
 else
  good_msg "No profile for $NAME"
 fi
 mv $nr/etc/conf.d/hostname $nr/tmp/
 sed -e s/^hostname.*/hostname\=\"$NAME\"/ $nr/tmp/hostname > $nr/etc/conf.d/hostname
}
' >>/tmp/initrd/etc/gtc

echo '
findnfsmount() {
 source /etc/gtc
 gtcdebug
 gtcnet
 gtccreaterw
 gtcprofile
 gtcshell
}
rundebugshell() {
 echo x >/dev/null 2>&1
}

' >> /tmp/initrd/etc/initrd.scripts

# Create new initrd
cd /tmp/initrd
#find ./ | cpio -H newc -o > /boot/initramfs-genkernel-x86-$KERNEL
find ./ | cpio -o -H newc | xz --format=lzma > /boot/initramfs-genkernel-x86-$KERNEL
rm -f /boot/initrd
#gzip /boot/initramfs-genkernel-x86-$KERNEL
#mv /boot/initramfs-genkernel-x86-$KERNEL.gz /boot/initramfs-genkernel-x86-$KERNEL

# link it 
rm -f /boot/kernel
ln /boot/kernel-genkernel-x86-$KERNEL /boot/kernel
ln /boot/initramfs-genkernel-x86-$KERNEL /boot/initrd

# Generate modules.dep
depmod -a $KERNEL
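
The gtcprofile() function written into the initrd above picks the thinclient's profile and hostname from the reverse DNS answer for its IP and splices the result into /etc/conf.d/hostname with sed. As an added example, not part of gtc-buildkernel or the generated initrd, here is that lookup parsed and validated before the name is used anywhere: a PTR answer is accepted only when it is made of hostname characters, and the conf.d file is rewritten with awk so the name is passed as data rather than as part of a sed expression. The function names and the sample `host` output are assumptions for illustration.

```sh
#!/bin/sh
# Added example: derive and validate the profile name from a `host <ip>` answer.

# $1 is the output of `host <ip>`; print the PTR target without its trailing
# dot, or fail when there is no PTR record or the name contains anything
# outside [A-Za-z0-9.-] (a "/" in it would also break a sed s/// rewrite).
ptr_hostname() {
 name=$(printf '%s\n' "$1" | sed -n 's/.* domain name pointer //p' | head -n 1 | sed 's/\.$//')
 case $name in
  ''|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
 esac
 printf '%s\n' "$name"
}

# Rewrite the hostname="..." line of an OpenRC conf.d/hostname file ($1)
# with the validated name ($2); all other lines are kept unchanged.
write_hostname_conf() {
 awk -v n="$2" '/^hostname=/ { print "hostname=\"" n "\""; next } { print }' "$1" > "$1.tmp" &&
  mv "$1.tmp" "$1"
}

# Constructed usage, mirroring gtcprofile(): fall back to gtc-default when
# the answer is unusable instead of writing whatever came back.
profile_name_for() {
 ptr_hostname "$1" || echo gtc-default
}
```

With this shape the "no profile for $NAME" branch of the original still works as before, but a malformed or unexpected PTR answer can only ever select the default profile, never a name that would be mis-handled further down.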


Changes in /gtc/test/etc/thinclient/scripts/gtc-ieurl

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-ieurl

Changed on 21.11.09
Issued by olli
Beginning line 2

Script for starting Firefox with URLs/links/bookmarks/favorites from Internet Explorer (*.url files)

#!/bin/bash
# Keep everything after the first "=" so URLs containing "=" are not truncated
firefox "`grep "^URL=" "$1" | head -n1 | cut -d"=" -f2-`"
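
The *.url file is a Windows INI-style file, usually with CRLF line endings, and it arrives from a user's share rather than from the system. As an added example, not part of gtc-ieurl, here is a stricter reader for it: the CR is stripped, only the first URL= key is used, "=" characters inside the URL are kept (a plain cut -d= -f2 would drop everything after the second "="), and only http(s) targets are handed on; anything else makes the function fail so the caller can refuse it instead of passing an arbitrary scheme to the browser. The function name is an assumption for illustration.

```sh
#!/bin/sh
# Added example: read the target of a Windows InternetShortcut (*.url) file.

ie_url_target() {
 # tr removes the CR of CRLF endings; sed keeps only URL= lines and strips
 # the key; head takes the first one; cut is not needed because sed keeps
 # the whole remainder of the line, "=" signs included.
 url=$(tr -d '\r' < "$1" | sed -n 's/^URL=//p' | head -n 1)
 case $url in
  http://*|https://*) printf '%s\n' "$url" ;;
  *) return 1 ;;
 esac
}

# Usage in the spirit of gtc-ieurl (constructed): open it only when accepted
open_ie_url() {
 target=$(ie_url_target "$1") || { echo "$1: no usable http(s) URL" >&2; return 1; }
 firefox "$target"
}
```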

Changes in /gtc/test/etc/thinclient/scripts/gtc-info

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-info

Changed on 02.12.10
Issued by olli
Beginning line 2

Script for collecting system information, e.g. for support mails.

#!/bin/bash
#
# Script for getting system informations:

echo '
set -x

# boot and hardware
cat /proc/cmdline
cat /proc/cpuinfo
dmesg
free -m
lspci
lsusb

# network
ifconfig -a
route -n
brctl show
brctl show | while read bridge
do 
 br=`echo $bridge | grep "8000\." | cut -d" " -f1`
 if [ -n "$br" ]
 then 
  brctl showstp $br
 fi
done

# tasks and user
who
ps aux

# time
ls -ld /etc/localtime
date

# hdds
mount
df -h
cat /proc/mounts

# logs
find /var/log -type f | grep -v emerge.log | while read log
do
 if file $log | grep text
 then
  ls -l $log
  cat $log
 fi
done

# configs
find /etc -type f | while read conf
do
 if file -b $conf | grep text
  then
  ls -l $conf
  cat $conf
 fi
done

' >/tmp/gtc-info
date=`date +%Y-%m-%d-%H-%M-%S`
sh /tmp/gtc-info > ~/gtc-info-$date-$$.log 2>&1

echo "The information is in /root/gtc-info-*"

echo -n  "Please enter an eMail-Address to send the info: "
read mail
cat ~/gtc-info-$date-$$.log | mail -s "GTC-Info `hostname` $date-$$" $mail
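
The "configs" loop of the report prints every text file under /etc; run as root that includes /etc/shadow, the SSH host keys and anything under ssl/private, and the report is then sent by plain mail. As an added example, not part of gtc-info, here is the same collection with a denylist in front of it, written against a directory argument so it can be exercised on a constructed tree. The patterns are an assumed starting point for the locations that hold secrets on a GTC, not a complete list; extend them for your own /etc. The function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example: list the text files below $1 that are safe to include in a
# support report, skipping known secret locations.

collect_configs() {
 dir=$1
 find "$dir" -type f | LC_ALL=C sort | while read -r conf
 do
  rel=${conf#"$dir"}
  case $rel in
   /shadow|/shadow-|/gshadow|/gshadow-|/sudoers|/sudoers.d/*|/ssh/ssh_host_*_key|/ssl/private/*|*.key|*.pem|*secrets*)
    continue ;;
  esac
  # grep -I treats a binary file as non-matching, so only text files
  # (with at least one non-empty line) get through; empty files are dropped
  # just as the original's `file | grep text` drops them.
  if grep -Iq . "$conf"
  then
   printf '%s\n' "$conf"
  fi
 done
}

# The report body as gtc-info prints it: permissions line, then content.
collect_config_report() {
 collect_configs "$1" | while read -r conf
 do
  ls -l "$conf"
  cat "$conf"
 done
}
```

The same filter fits the "logs" loop of the report as well, since /var/log may hold authentication logs that name users and hosts you would not want in a mail.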


Changes in /gtc/test/etc/thinclient/scripts/gtc-install

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-install

Changed on 08.11.10
Issued by olli
Beginning line 2

Interactive installation script for the GTC on a disk.

#!/bin/bash
echo "Welcome to the GTC installer!"

# Choosing a Disk
echo "
This will guide you through the installation on a local disk or USB device."
if blkid | grep 'LABEL="GTC"' >/dev/null
then
 if blkid | grep 'LABEL="GTCDATA"' >/dev/null
 then 
  if blkid | grep 'LABEL="GTCSWAP"' >/dev/null
  then
   gtcdisk=`blkid | grep 'LABEL="GTC"' | tail -n1 | cut -d ":" -f1` 
   gtcdata=`blkid | grep 'LABEL="GTCDATA"' | tail -n1 | cut -d ":" -f1`
   gtcswap=`blkid | grep 'LABEL="GTCSWAP"' | tail -n1 | cut -d ":" -f1`
   dev=`echo $gtcdisk | sed 's/[0-9]//g'`
   echo "Found Partition-Labels for the GTC-Partitions:
GTC-Systemdisk is $gtcdisk
GTC-Datadisk is $gtcdata
GTC-Swapdisk is $gtcswap
Shall we install/update on this partitions and overwrite the bootsector (MBR) on $dev? If yes please enter \"yes\""
   read partitions
  fi 
 fi
fi

if [ "$partitions" = "yes" ]
then
 umount -lf $gtcdata
 umount -lf $gtcdisk
 echo "Disks selected."
else
 echo "Here is a list of devices the GTC can be installed:
"
 fdisk -l | grep " /dev/" | grep -v "t contain"
 echo "
WARNING: ALL DATA ON THE DISK YOU CHOOSE WILL BE DELETED!!!!
Please enter the device name (e.g. /dev/sdb) on which you want to install the GTC."
 echo "Device: "
 read dev
 dev=`echo $dev | sed 's/^\/dev\///'`
 dev="/dev/$dev"
 if cat /proc/mounts | grep $dev
 then
  echo "
$dev is already mounted - Cannot install on a mounted disk"
  exit 1
 fi

 if [ -b "$dev" ] 
 then
  echo "WARNING: ALL DATA ON $dev WILL BE DELETED!!!!"
  echo "If you are absolutely sure you want to delete all data in $dev and install the GTC in it enter \"yes\": "
  read sure
  if [ "$sure" = "yes" ]
  then
   echo "OK, so let's install GTC on $dev!"
  else
   echo "Installation cancelled!"
   exit 1
  fi
 else
  echo "$dev does not exist or is not a valid block device!"
  exit 1
 fi
fi

for i in `cat /proc/mounts | grep $dev | cut -d" " -f1` 
do
 echo "
 $i is already mounted - Umounting..."
 umount -lf $i
done


# Choosing the systems role
echo "

What system role do you want to install?

- Server (A Server for the Gentoo ThinClients)
- Live (A Livesystem e.g.: for testing the GTC)
- Profile (A System with a specified profile)

Please enter Server, Profile or Live: "
read role
if echo "$role" | grep -i "^s"
then
 inst="gtc-srvinst"
elif echo "$role" | grep -i "^p"
then
 inst="gtc-profileinst"
elif  echo "$role" | grep -i "^l"
then
 inst="gtc-liveinst"
else
 echo "No valid role entered!"
 exit 1
fi
inst="/etc/thinclient/scripts/$inst"

if [ "$partitions" = "yes" ]
then
 $inst $gtcdisk $dev
else
 # Create a partition and a filesystem
 echo "Preparing $dev"
 echo "Creating partitions on $dev"
 sfdisk $dev <<__EOF__
2048,61140000,L
,2480000,S
,,L
__EOF__
 sleep 10
 echo "Formatting partitions on $dev"
 mkfs.ext3 -m1 -L "GTC" ${dev}1 || exit 1
 mkswap ${dev}2 -L "GTCSWAP" || exit 1
 mkfs.ext3 -m1 -L "GTCDATA" ${dev}3 || exit 1
 
 # Start installation
 echo "Starting the installation"
 $inst ${dev}1 $dev
fi

Changes in /gtc/test/etc/thinclient/scripts/gtc-instupdate

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-instupdate

Changed on 08.11.09
Issued by olli
Beginning line 2

GTC-Systemupdate script

#!/bin/bash
if mount | grep "/_gtcroot type nfs"
then
 echo "No update on an NFS-Client possible!"
 exit 1
fi

touch /_gtcroot/wtest || exit 1
rm /_gtcroot/wtest

mkdir -p /_gtcroot/_tmpupdate
echo ">>> Downloading files"

until rsync -avXAH --progress --timeout=300 --delete-before --exclude=/update.log --exclude=/_additionalsw --exclude=/tmp --exclude=/sys --exclude=/root --exclude=/srv --exclude=/home --exclude=/gtcdvd --exclude=/gtcdvd.iso --exclude=/_gtcroot --exclude=/_additionalsw --exclude=/etc/shadow --exclude=/etc/thinclient/*profile --exclude=/etc/thinclient/profiles --exclude=/boot/grub --exclude=/boot/grub2 --exclude=/etc/fstab --exclude=/var/lib/samba/private/secrets.tdb --exclude=/_tmpupdate --link-dest=/_gtcroot/ --numeric-ids rsync://gtc.example.com/thinclient/ /_gtcroot/_tmpupdate/
do
 sync
 echo "!!! ERROR downloading Update - Retrying"
done

sync
echo ">>> Download successfully finished"
>/_gtc-update/update-down

echo ">>> Updating files - DO NOT TURN OFF YOUR COMPUTER!!!"
if rsync -aXAH --progress --delete-before --exclude=/tmp --exclude=/sys --exclude=/root --exclude=/srv --exclude=/home --exclude=/gtcdvd --exclude=/gtcdvd.iso --exclude=/_gtcroot --exclude=/_additionalsw --exclude=/etc/shadow --exclude=/etc/thinclient/*profile --exclude=/etc/thinclient/profiles --exclude=/boot/grub --exclude=/boot/grub2 --exclude=/etc/fstab --exclude=/var/lib/samba/private/secrets.tdb --exclude=/_tmpupdate --numeric-ids /_gtcroot/_tmpupdate/  /_gtcroot/
then
 sync
 echo ">>> Update successfully finished"
else
 sync
 echo "!!! Update ERROR"
 exit 1
fi

echo ">>> Renewing additional Software"
cp /etc/resolv.conf /_gtc-update/etc/

cp -p /etc/resolv.conf /_gtcroot/etc/
mkdir -p /_gtcroot/proc
chroot /_gtcroot /bin/bash -c "env-update &>/dev/null && source /etc/profile && mount -t proc proc /proc; gtc-additional-sw-del ; gtc-additional-sw-add"
umount -lf /_gtcroot/proc
sync

echo "

Update is finished!!! Please reboot your system...
"



Changes in /gtc/test/etc/thinclient/scripts/gtc-mkiso

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-mkiso

Changed on 08.11.09
Issued by olli
Beginning line 2

Script for creating the GTC DVD-Image

#!/bin/bash
rm -rf /gtcdvd
mkdir -p /gtcdvd/boot
KERN=`basename \`ls -tr1 /boot/kernel-genkernel-* | tail -n1\``
INITRD=`basename \`ls -tr1 /boot/initramfs-genkernel-* | tail -n1\``
cp /boot/$KERN /gtcdvd/boot/kernel
cp /boot/$INITRD /gtcdvd/boot/initrd
cp /usr/share/syslinux/isolinux.bin /gtcdvd/
cp /usr/share/syslinux/menu.c32 /gtcdvd/

version=`head /etc/thinclient/gtc-release-notes -n1 | cut -d" " -f2`

echo "default menu.c32
prompt 0
menu title GTC LiveDVD $version
ALLOWOPTIONS 1
MENU AUTOBOOT Starting GTC DVD in # seconds

label GTC-$KERN
 menu label ^GTC - Livesystem - $version
 timeout 150
 kernel /boot/kernel
 append initrd=/boot/initrd ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs gtcdvd dokeymap i915.modeset=1 radeon.modeset=1

label GTC-$KERN
 menu label ^GTC - Server with XXX.XXX.XXX.XXX/24 - $version
 kernel /boot/kernel
 append initrd=/boot/initrd ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs gtcdvd gtcserver i915.modeset=1 radeon.modeset=1 dokeymap ip=XXX.XXX.XXX.XXX:XXX.XXX.XXX.XXX:XXX.XXX.XXX.XXX:XXX.XXX.XXX.XXX BOOTIF=eth


label GTC-$KERN
 menu label ^GTC - Installation - $version
 kernel /boot/kernel
 append initrd=/boot/initrd ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs gtcdvd gtcinstall dokeymap i915.modeset=1 radeon.modeset=1
" > /gtcdvd/isolinux.cfg

if [ -d "/_gtcroot" ]
then
 echo "Using /_gtcroot"
else
 mkdir -p /_gtcroot 
 mount --bind / /_gtcroot
fi
cp /etc/thinclient/gtc-release-notes /gtcdvd/`date +%Y%m%d`
mksquashfs /_gtcroot/ /gtcdvd/gtc -e gtcdvd.iso -e gtcdvd -e _gtcroot -e etc/thinclient/profiles -e _additionalsw -e usr/portage/distfiles -e usr/src -e etc/thinclient/thinclient.conf.local
umount /_gtcroot 2>/dev/null ; rmdir /_gtcroot 2>/dev/null

mkisofs -R -V "GTC DVD" -o /gtcdvd.iso -b isolinux.bin -c boot.catalog -no-emul-boot -boot-load-size 4 -boot-info-table /gtcdvd/

Changes in /gtc/test/etc/thinclient/scripts/gtc-update

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-update

Changed on 08.12.09
Issued by olli
Beginning line 2

GTC-Systemupdate Update script

#!/bin/bash

if mount | grep "/_gtcroot type nfs"
then
 echo "No update on an NFS-Client possible!"
 exit 1
fi

. /etc/thinclient/scripts/gtc-confs.sh
if [ "$UPDATECHANNEL" = "test" ]
then
 chan="-test"
 echo "WARNING: Using Test-Channel"
fi

until rsync -aH --timeout=300 rsync://gtc.example.com/thinclient$chan/etc/thinclient/scripts/ /etc/thinclient/scripts/
do
 sync
 echo "!!! ERROR downloading System-Update Update - Retrying"
done

rsync -aH /etc/thinclient/scripts/ /_gtcroot/etc/thinclient/scripts/
rsync -aH --delete --timeout=300 rsync://gtc.example.com/thinclient$chan/etc/thinclient/login/ /_gtcroot/etc/thinclient/login/
rsync -aH --timeout=300 rsync://gtc.example.com/thinclient$chan/etc/thinclient/startup/ /_gtcroot/etc/thinclient/startup/
rsync -aH --timeout=300 rsync://gtc.example.com/thinclient$chan/etc/local.d/ /_gtcroot/etc/local.d/
rsync -aH /_gtcroot/etc/local.d/ /etc/local.d/

until rsync -aH --timeout=300 rsync://gtc.example.com/thinclient$chan/etc/thinclient/gtc-release-notes /etc/thinclient/gtc-release-notes-new
do
 echo "!!! ERROR downloading GTC Release-Information - Retrying"
 sleep 30
done
if [ "`cat /_gtcroot/etc/thinclient/gtc-release-notes | head -n1`" = "`cat /etc/thinclient/gtc-release-notes-new | head -n1`" ]
then
 echo "No Update from `cat /etc/thinclient/gtc-release-notes | head -n1` available"
 exit 0
else
 echo "Updating from `cat /etc/thinclient/gtc-release-notes | head -n1` to `cat /etc/thinclient/gtc-release-notes-new | head -n1`"
fi

sync
echo ">>> System-Update Update successfully finished"

sh /etc/thinclient/scripts/gtc-update-fetch


Changes in /gtc/test/etc/thinclient/scripts/gtc-update-do

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-update-do

Changed on 02.01.12
Issued by olli
Beginning line 2

GTC-Systemupdate Update script

#!/bin/bash

if mount | grep "/_gtcroot type nfs"
then
 echo "No update on an NFS-Client possible!"
 exit 1
fi

if [ -f /_gtcroot/update-down ]
then
 echo "There is a new system update available and already downloaded - Please enter \"yes\" to install it: "
 read sure
 if [ "$sure" = "yes" ]
 then
  echo ">>> Updating files 
DO NOT TURN OFF YOUR COMPUTER!!! THIS MAY TAKE A VERY LONG TIME!!!
NICHT DEN COMPUTER AUSSCHALTEN!!! DER VORGANG KANN SEHR LANGE DAUERN!!!"
 else
  exit 0
 fi
else
 exit 0
fi

rm -f /_gtcroot/update-down /_gtcroot/_tmpupdate/update-down

if rsync -aXAHq  --delete-before --exclude=/tmp --exclude=/sys --exclude=/root --exclude=/srv --exclude=/home --exclude=/gtcdvd --exclude=/gtcdvd.iso --exclude=/_gtcroot --exclude=/_additionalsw --exclude=/etc/shadow --exclude=/etc/thinclient/*profile --exclude=/etc/thinclient/profiles --exclude=/boot/grub --exclude=/boot/grub2 --exclude=/etc/fstab --exclude=/var/lib/samba/private/secrets.tdb --exclude=/_tmpupdate --link-dest=/_gtcroot/_tmpupdate/ --numeric-ids /_gtcroot/_tmpupdate/  /_gtcroot/
then
 sync
 echo ">>> Update successfully finished"
else
 sync
 echo "!!! Update ERROR"
 exit 1
fi

rm -f /_gtcroot/update-down /_gtcroot/_tmpupdate/update-down

/etc/thinclient/scripts/gtc-update-post


Changes in /gtc/test/etc/thinclient/scripts/gtc-update-fetch

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-update-fetch

Changed on 08.11.09
Issued by olli
Beginning line 2

GTC-Systemupdate script

#!/bin/bash
if mount | grep "/_gtcroot type nfs"
then
 echo "No update on an NFS-Client possible!"
 exit 1
fi

. /etc/thinclient/scripts/gtc-confs.sh
if [ "$UPDATECHANNEL" = "test" ]
then
 chan="-test"
fi

touch /_gtcroot/wtest || exit 1
rm /_gtcroot/wtest

if [ -f "/_gtcroot/update-down" ]
then
 /etc/thinclient/scripts/gtc-update-do
else
 mkdir -p /_gtcroot/_tmpupdate
 echo ">>> Downloading files"
 until rsync -aH --progress --timeout=300 --delete --exclude=/update.log --exclude=/_additionalsw --exclude=/tmp --exclude=/sys --exclude=/root --exclude=/srv --exclude=/home --exclude=/gtcdvd --exclude=/gtcdvd.iso --exclude=/_gtcroot --exclude=/_additionalsw --exclude=/etc/thinclient/profiles --exclude=/boot/grub --exclude=/boot/grub2 --exclude=/etc/fstab --exclude=/var/lib/samba/private/secrets.tdb --exclude=/_tmpupdate --link-dest=/_gtcroot/ --numeric-ids rsync://gtc.example.com/thinclient$chan/ /_gtcroot/_tmpupdate/
 do
  sync
 done
 sync 
 >/_gtcroot/update-down
fi

if [ -f "/_gtcroot/update-down" ]
then
 /etc/thinclient/scripts/gtc-update-do
fi


Changes in /gtc/test/etc/thinclient/scripts/gtc-update-post

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Click here for a download of the complete file: /gtc/test/etc/thinclient/scripts/gtc-update-post

Changed on 02.01.12
Issued by olli
Beginning line 2

GTC-Systemupdate Update script

#!/bin/bash

if mount | grep "/_gtcroot type nfs"
then
 echo "No update on an NFS-Client possible!"
 exit 1
fi
  
echo ">>> Renewing additional Software"
cp /etc/resolv.conf /_gtcroot/etc/

cp -p /etc/resolv.conf /_gtcroot/etc/
mkdir -p /_gtcroot/proc
chroot /_gtcroot /bin/bash -c "env-update &>/dev/null && source /etc/profile && mount -t proc proc /proc; gtc-additional-sw-del ; gtc-additional-sw-add"
umount -lf /_gtcroot/proc
sync

echo "

Update is finished!!! System will reboot now...

"

sleep 10
reboot


Changes in /gtc/test/etc/thinclient/startup/gtc-startupconfig

File permissions:
Owner: root
Group: root
Permissions: -r-x------

Click here for a download of the complete file: /gtc/test/etc/thinclient/startup/gtc-startupconfig

Changed on 27.10.09
Issued by olli
Beginning line 10

This runs all the scripts for configuring global and individual settings for all thinclients.


# Routing
echo 1 > /proc/sys/net/ipv4/ip_forward

# Disable console blanking
setterm -blank 0

# VirtualBox
modprobe vboxdrv >/dev/null 2>&1
modprobe vboxnetadp >/dev/null 2>&1
modprobe vboxnetflt >/dev/null 2>&1
modprobe vboxpci >/dev/null 2>&1
if ifconfig | grep br0 >/dev/null 2>&1
then
 echo "OK" >/dev/null
else
 brctl addbr br0 >/dev/null 2>&1
 ifconfig br0 up >/dev/null 2>&1
fi

# clean sudo-io
rm -rf /var/log/sudo-io/*

# reset AccountsService
rm -f /var/lib/AccountsService/users/*

# Get /dev/dsp i.e. for old games
modprobe snd-pcm-oss 2>/dev/null

# Trying to mount GTCDATA and GTCSWAP-Partitions
mkdir -p /srv
mount LABEL=GTCDATA /srv >/dev/null 2>&1 || rmdir /srv
swapon LABEL=GTCSWAP >/dev/null 2>&1
# Delete Cache+Thumbnail-Dirs in /home-dirs
rm -rf /srv/share/home/*/.cache
rm -rf /srv/share/home/*/.thumbnails
if [ -d /srv/config ]
then
 rsync -a --exclude=thinclient.conf.local --exclude=profiles --exclude=global-profile --delete /etc/thinclient/ /srv/config/
 mount -B /srv/config /etc/thinclient
fi
if [ -d /srv/profiles ]
then
 mount -B /srv/profiles /etc/thinclient/profiles
fi
if [ -d /srv/global-profile ]
then
 mount -B /srv/global-profile /etc/thinclient/global-profile
fi

echo "127.0.0.1 `hostname`" >>/etc/hosts
. /etc/thinclient/scripts/gtc-confs.sh

# Create smb.conf (is needed for cups in some cases)
touch /etc/samba/smb.conf

# Check for enabled Debug-Mode
if [ "$DEBUG" = "yes" ]
then
 set -x
 RSYNC_OPT="v"
fi

# Disable Network and loop Umounts during shutdown
echo '
stop()
{
 return 0
}
' >> /etc/init.d/localmount
echo '
stop()
{
 return 0
}
' >> /etc/init.d/netmount

# Make wheel group admin (sudo)
echo '%wheel	ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
# If this is a local GTC
if mount | grep "/_gtcroot type nfs" >/dev/null
then
 echo "This GTC is network booted"
else
 # Restore mixer settings
 if [ -f /etc/thinclient/profiles/`hostname`/local/mixersettings ]
 then
  echo "Restoring Mixer settings"
  alsactl restore -f /etc/thinclient/profiles/`hostname`/local/mixersettings
 fi
 # Set local home's
 mount --bind /_gtcroot/root /root
 mkdir -p /srv/home /home
 mount --bind /srv/home /home
 # Create local user
 if [ -z "$LOCALUSER" ]
 then
  echo "Creating no local User"
 else
  for LU in $LOCALUSER
  do
   echo "Creating local user $LU"
   cp -p /etc/shadow /etc/shadow.bak
   useradd -g users -G wheel,root,audio,video,cdrom,vboxusers,cdrw,usb,games,disk,lpadmin,lp,scanner,sys,adm,floppy -d /home/$LU $LU
   if grep -a "^$LU:" /etc/thinclient/profiles/`hostname`/local/shadow >/dev/null 2>&1
   then
    grep -a "^$LU:" /etc/thinclient/profiles/`hostname`/local/shadow > /etc/shadow2
    cat -vT /etc/shadow | grep -a -v "^$LU:" >> /etc/shadow2
    mv /etc/shadow2 /etc/shadow
    chmod 0600 /etc/shadow
   else
    echo $LU:gtc | chpasswd
   fi
   if [ -d /home/$LU ]
   then
    echo "Homedir for $LU exists"
   else
    mkdir -p /home/$LU
    chown $LU:users /home/$LU
    chmod 0700 /home/$LU
   fi
  done
  if grep -a "^root:" /etc/thinclient/profiles/`hostname`/local/shadow >/dev/null 2>&1
  then
   grep -a "^root:" /etc/thinclient/profiles/`hostname`/local/shadow > /etc/shadow2
   cat -vT /etc/shadow | grep -a -v "^root:" >> /etc/shadow2
   mv /etc/shadow2 /etc/shadow
   chmod 0600 /etc/shadow
  else
   echo root:gtc | chpasswd
  fi
 fi
fi

echo -e "\n==============================\nLoading global profile\n==============================\n"
# Sync global profile
rsync -a$RSYNC_OPT /etc/thinclient/global-profile/etc/ /etc/

if [ -d "/etc/thinclient/profiles/`hostname`/etc" ]
then
 echo -e "\n==============================\nLoading individual profile\n==============================\n"
 rsync -a$RSYNC_OPT /etc/thinclient/profiles/`hostname`/etc/ /etc/
fi

# Start WLAN if local and available 
if mount | grep "/_gtcroot type nfs" >/dev/null
then
 : # network boot, no local WLAN to start
else
 if [ -e "/etc/init.d/net.wlan0" ]
 then
  iw dev wlan0 set power_save off
  /etc/init.d/net.wlan0 start
  echo -n "Waiting for WLAN"
  wlantry=1
  wlantrymax=120
  until ifconfig wlan0 | grep -q "inet "
  do
   ((wlantry++))
   if [ $wlantry -gt $wlantrymax ] 
   then
    echo "Got no WLAN!"
    break
   fi
   echo -n "."
   sleep 1
  done
 fi
fi

for i in `find /etc/thinclient/startup/jobs/ -type f | sort`
do
 echo -e "\n==============================\nRunning $i\n==============================\n"
 . $i
done

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-anonproxy

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 30.10.09
Issued by olli
Beginning line 2

Start Privoxy/Tor Services

#!/bin/bash
if [ "$ANONPROXY" == "yes" ]
then
 echo 'forward-socks4a / localhost:9050 .' >> /etc/privoxy/config
 mv /etc/tor/torrc.sample /etc/tor/torrc
 /usr/bin/tor -f /etc/tor/torrc --runasdaemon 1 --PidFile /var/run/tor/tor.pid
 /usr/sbin/privoxy --pidfile /var/run/privoxy.pid --user privoxy.privoxy /etc/privoxy/config
fi

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-autologin

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 30.10.09
Issued by olli
Beginning line 2

Script for enabling Autologin

#!/bin/bash

# Check if AUTOLOGIN is set
if [ "$AUTOLOGIN" == "yes" ]
then
 echo "Enabling Autologin for user gtc (Password: gtc)"
 # Create gtc-User for Autologin
 useradd gtc -d /var/gtcdummy -m -g users -G audio,video,disk,cdrw,root,wheel,cdrom,vboxusers,usb,games
 echo "gtc:gtc" | chpasswd >/dev/null 2>&1
 echo "Starting X"
 echo 'su - gtc -c "XSESSION=MATE startx ; init 0"' | at now >/dev/null 2>&1
fi

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-distcc

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 30.10.09
Issued by olli
Beginning line 2

Script for enabling Distcc.

#!/bin/bash

# Check Distcc
if [ "$DISTCC" == "yes" ]
then
 for i in $DISTCC_NET 
 do
  echo "Allowing $i for using this Thinclient for distcc!"
  DISTCC_NET_N="--allow `echo $i | sed 's/\//\\\\\//g'`"
  DISTCC_NET_X="$DISTCC_NET_X $DISTCC_NET_N"
 done
 cp /etc/conf.d/distccd /tmp/
 cat /tmp/distccd | sed "s/^DISTCCD_OPTS=\"\${DISTCCD_OPTS} --allow .*/DISTCCD_OPTS=\"\${DISTCCD_OPTS} $DISTCC_NET_X\"/" > /etc/conf.d/distccd
 /etc/init.d/distccd start
fi

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-ldap

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 13.10.09
Issued by olli
Beginning line 2

Script for enabling LDAP.

#!/bin/bash

# Check LDAP
# Check if LDAP is set
if [ "$LDAP" == "yes" ]
then
 # LDAP and NIS aren't allowed together
 if [ "$NIS" == "yes" ]
 then
  echo "You can not use LDAP and NIS! Please change your configuration in your thinclient.conf."
  exit 1
 fi
 # Configuring LDAP
 echo "Configuring LDAP"
 # "tls_reqcert allow" below accepts any server certificate, so TLS here only
 # encrypts the connection; it does not authenticate the LDAP server
 if [ "$LDAP_TLS" == "yes" ]
 then
  LDAP_PORT=636
  LDAP_CONNECT="ldaps://$LDAP_SERVER:636
tls_reqcert allow"
 else
  LDAP_PORT=389
  LDAP_CONNECT="ldap://$LDAP_SERVER:389"
 fi
 echo "Setting up /etc/ldap.conf"
 echo "suffix $LDAP_BASEDN
uri $LDAP_CONNECT
pam_password exop
#ldap_version 3
#pam_filter objectclass=posixAccount
#pam_login_attribute uid
#pam_member_attribute memberuid
#nss_base_passwd ou=People,$LDAP_BASEDN
#nss_base_shadow ou=People,$LDAP_BASEDN
#nss_base_group  ou=Group,$LDAP_BASEDN
#scope one
pam_login_attribute uid:caseExactMatch:
tls_reqcert allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_timelimit 3
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
" > /etc/ldap.conf
 
 echo "Setting up /etc/openldap/ldap.conf"
 echo "BASE $LDAP_BASEDN
URI $LDAP_CONNECT
pam_login_attribute uid:caseExactMatch:
TLS_REQCERT   allow
NETWORK_TIMEOUT 3
timeout 3
timelimit 3
bind_timelimit 3
nss_reconnect_tries 0
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
" > /etc/openldap/ldap.conf
 
 if nmap -p $LDAP_PORT $LDAP_SERVER | grep -q open
 then
  echo "Setting up /etc/nsswitch.conf"
  cp /etc/nsswitch.conf /tmp/nsswitch.conf.tcorig
  cat /tmp/nsswitch.conf.tcorig | \
  sed 's/^passwd:.*/passwd: ldap files/' | \
  sed 's/^shadow:.*/shadow: ldap files/' | \
  sed 's/^group:.*/group: ldap files/' > /etc/nsswitch.conf
 
  echo "Setting up /etc/pam.d/system-auth"
  cp /etc/pam.d/system-auth /tmp/system-auth.tcorig
  cat /tmp/system-auth.tcorig | \
  sed 's/^auth.*required.*pam_unix.so/auth sufficient pam_unix.so/' | \
  sed 's/nullok $/nullok\nauth sufficient pam_ldap.so use_first_pass\nauth required pam_deny.so/' | \
  sed 's/^account.*required.*pam_unix.so/account sufficient pam_ldap.so\naccount required pam_unix.so/' | \
  sed 's/^password.*required.*pam_unix.so/password sufficient pam_unix.so/' | \
  sed 's/shadow $/shadow\npassword sufficient pam_ldap.so use_authtok use_first_pass\npassword required pam_deny.so/' | \
  sed 's/^session.*optional.*pam_permit.so/session optional pam_ldap.so\nsession optional pam_permit.so/' > /etc/pam.d/system-auth
  
  echo "
auth            include  system-auth
account         include  system-auth
password        include  system-auth
session	        include  system-auth
" >/etc/pam.d/lightdm
  
  # Restart nscd
  /etc/init.d/nscd restart

  # Workaround for programs which are searching directly in /etc/passwd and/or /etc/group (lightdm/dbus)
  getent passwd > /tmp/passwd
  getent group > /tmp/group
  cat /tmp/passwd > /etc/passwd
  cat /tmp/group > /etc/group
 else
  echo "LDAP-Server doesn't seem to be reachable. Skipping editing of nsswitch.conf"
 fi

else
 echo "LDAP is not set to yes in your $conf"
fi
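
Added example (not code from the gtc project): the job above writes "tls_reqcert allow" into both ldap.conf files, so the client completes a TLS handshake with any certificate on port 636. The functions below report the effective TLS_REQCERT value of an /etc/openldap/ldap.conf, fail on the weak setting, and rewrite it to "demand" with a CA file; the CA path /etc/ssl/gtc/ca.pem is an assumed placeholder.

```shell
#!/bin/bash
# Added example, not part of the gtc project. Audits and hardens the TLS
# settings of an OpenLDAP client config such as the /etc/openldap/ldap.conf
# written by gtc-ldap. The CA path is an assumed placeholder.

# Print the effective TLS_REQCERT value of config file $1 (keys are
# case-insensitive, last occurrence wins), or "unset" if it is absent.
ldap_reqcert() {
    awk 'tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Return 0 when config $1 is acceptable: it uses no ldaps:// URI at all, or
# it verifies the server (TLS_REQCERT demand/hard) and names a CA file.
# "allow", "try", "never" and an unset value all fail: with those the client
# finishes the handshake with any certificate and then sends the bind
# password to whatever answered on port 636.
ldap_tls_ok() {
    conf="$1"
    grep -qi '^uri[[:space:]].*ldaps://' "$conf" || return 0
    case "$(ldap_reqcert "$conf")" in
        demand|hard) ;;
        *) return 1 ;;
    esac
    grep -qi '^tls_cacert[[:space:]]' "$conf"
}

# Rewrite config $1 in place: drop any TLS_REQCERT/TLS_CACERT lines and
# append the strict pair. $2 is the CA bundle path (placeholder default).
ldap_tls_harden() {
    conf="$1"; ca="${2:-/etc/ssl/gtc/ca.pem}"; tmp="$conf.tmp"
    grep -vi '^tls_reqcert[[:space:]]' "$conf" \
        | grep -vi '^tls_cacert[[:space:]]' > "$tmp" || true
    printf 'TLS_REQCERT demand\nTLS_CACERT %s\n' "$ca" >> "$tmp"
    mv "$tmp" "$conf"
}
```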

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-local

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 25.10.09
Issued by olli
Beginning line 2

Script to run individual things on every thinclient

#!/bin/bash

if [ -n "$LOCAL_SCRIPT" ] && [ -f "$LOCAL_SCRIPT" ]
then
 echo "Running $LOCAL_SCRIPT"
 chmod 755 "$LOCAL_SCRIPT"
 "$LOCAL_SCRIPT"
fi

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-localization

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 13.10.09
Issued by olli
Beginning line 2

Script for localization

#!/bin/bash

if [ -n "$LOC_KEYMAP" ]
then
 echo "Setting Keymap to $LOC_KEYMAP"
 loadkeys --unicode $LOC_KEYMAP
 #cp /etc/conf.d/keymaps /tmp/keymaps.tcorig
 #cat /tmp/keymaps.tcorig | sed 's/^KEYMAP=.*/KEYMAP=$LOC_KEYMAP/' >/etc/conf.d/keymaps
 #/etc/init.d/keymaps restart
fi

if [ -n "$LOC_LANG" ]
then
 echo "Setting Language to $LOC_LANG"
 echo "LANG=\"$LOC_LANG\"" >>/etc/env.d/02locale
 echo "export LANG=\"$LOC_LANG\"" >>/etc/profile.env
fi

if [ -n "$LOC_TIMEZONE" ]
then
 echo "Setting Timezone to $LOC_TIMEZONE"
 rm /etc/localtime
 ln -sf /usr/share/zoneinfo/$LOC_TIMEZONE /etc/localtime
fi

if [ -z "$LOC_HWCLOCK" ]
then
 LOC_HWCLOCK=localtime
fi

#if [ "$LOC_MOZLANG" != "" ]
#then
# mkdir -p /etc/firefoxlang
# mkdir -p /etc/thunderbirdlang
# cp -rp "/usr/lib/firefox/extensions/langpack-$LOC_MOZLANG@firefox.mozilla.org" /etc/firefoxlang/
# mount --bind /etc/firefoxlang /usr/lib/firefox/extensions
# cp -rp "/usr/lib/thunderbird/extensions/langpack-$LOC_MOZLANG@thunderbird.mozilla.org" /etc/thunderbirdlang/
# mount --bind /etc/thunderbirdlang /usr/lib/thunderbird/extensions
#fi

# time
hwclock --hctosys --$LOC_HWCLOCK &
source /etc/profile

# xorg lang
if [ -z "$LOC_XKBLANG" ]
then
 LOC_XKBLANG="us"
else
 echo "
Section \"InputClass\"
    Identifier             \"Keyboard Defaults\"
    MatchIsKeyboard       \"yes\"
    Option               \"XkbLayout\" \"$LOC_XKBLANG\"
EndSection
 " >> /etc/X11/xorg.conf
fi




Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-mountparts

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 08.10.09
Issued by piet
Beginning line 2

mountparts - script mounting all possible partitions to /media/...

#!/bin/bash
# remove rem for debugging
#set -x
#
#################################################################################################
# mountparts.sh - script
# Version 12.02.2010
# mounting all possible partitions to /media/...
# and now using a possible swap as well. On top of that checking for used mountpoints to prevent
# double mount and deleting of used mountpoints especially under ext3
# c/o Peter Meins 2009/2010
# for some comfort in Oliver Bohlen's gtc-project
#################################################################################################
#
# variable values inherited by environment or given here
cBaseMountPoint='/media'            # path to mount the devices
# deciding to mount devices
lMount='1'                          # (default=true)   
if [ "$MPARTS_MOUNT" == "no" ]; then lMount='0'; fi
# deciding to use the swap
lUseSwap='1'                        # (default=true)
if [ "$MPARTS_USE_SWAP" == "no" ]; then lUseSwap='0'; fi
# deciding to delete empty dirs
lDelEmptyDir='1'                    # (default=true)
if [ "$MPARTS_DEL_EMPTY_DIR" == "no" ]; then lDelEmptyDir='0'; fi

# recognize root-device
cRootDev=$(grep ' / ' '/etc/fstab' | grep '^/dev/' | cut -d' ' -f1)
# recognize all lines with 82 (swaps among)
cSwapLine=$(fdisk -l 2>/dev/null | grep ' 82 ')
# check for type 82 (swap)
if [ "$(echo $cSwapLine | awk '{print $5}')" == "82" ]; then
    # now read the (first) device from the line
    cSwapDev=$(echo $cSwapLine | awk '{print $1}')
fi

# recognize given partitions
aPartitions=$(cat '/proc/partitions' | awk '{print $4}'| grep -v '^name' | grep -v '^dm-' | grep -v '\<...\>')
# recognize busy mountpoints
aBusyMountPoints=$(cat '/proc/mounts' | awk '{print $2}' | grep "$cBaseMountPoint/")

# remove all empty dirs in BaseDir
if (( $lDelEmptyDir )); then
    # looking for empty dirs
    for cEmptyDir in $(find $cBaseMountPoint -maxdepth 1 -type d -empty)
    do
        # flag for finding an empty dir among those busy mountpoints
        lFound='0'
        # run through busy mountpoints
        for cDelDir in $aBusyMountPoints
        do
            # set flag if found
            if [ "$cEmptyDir" == "$cDelDir" ]; then lFound='1'; break; fi
        done
        # if not found
        if (( ! $lFound )); then
            # remove dir
            rmdir $cEmptyDir
        fi
    done
fi

# create mountpoints and mount available partitions
for cDev in $aPartitions
do
    # if it should be done and is not root and is not swap
    if (( $lMount )) && [ "/dev/$cDev" != "$cRootDev" ] && [ "/dev/$cDev" != "$cSwapDev" ]; then
        # flag for finding a possible mountpoint which is allready busy
        lFound='0'
        for cMountPoint in $aBusyMountPoints
        do
            # set flag if found
            if [ "$cMountPoint" == "$cBaseMountPoint/$cDev" ]; then lFound='1'; break; fi
        done
        # if not found
        if (( ! $lFound )); then
            # make dir
            mkdir "$cBaseMountPoint/$cDev" > /dev/null 2>&1
            # mount dir if possible otherwise del dir
            mount "/dev/$cDev" "$cBaseMountPoint/$cDev" > /dev/null 2>&1 || rmdir "$cBaseMountPoint/$cDev" > /dev/null 2>&1
        fi
    fi
    # if it should be done and is swap area
    if (( $lUseSwap )) && [ "/dev/$cDev" == "$cSwapDev" ]; then
        # then use swap area
        swapon "/dev/$cDev" > /dev/null 2>&1
    fi
done

if (( $lDelEmptyDir )); then
    # make dir for cdrom and floppy if not present
    mkdir -p "$cBaseMountPoint/cdrom" > /dev/null 2>&1
    mkdir -p "$cBaseMountPoint/floppy" > /dev/null 2>&1
fi

#################################################################################################
# eof mountparts.sh
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-nfsmount

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 30.10.09
Issued by olli
Beginning line 2

Script for mounting NFS-Share(s)

#!/bin/bash

for i in $NFSMOUNT
do
 SERVER=`echo "$i" | cut -d":" -f1`
 SHARE=`echo "$i" | cut -d":" -f2`
 MOUNTPOINT=`echo "$i" | cut -d":" -f3`
 echo "Mounting $SERVER:$SHARE to $MOUNTPOINT"
 mkdir -p $MOUNTPOINT
 mount -t nfs $SERVER:$SHARE $MOUNTPOINT
done


Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-nis

File permissions:
Owner: root
Group: root
Permissions: -r--------

Changed on 30.10.09
Issued by olli
Beginning line 2

Script for enabling NIS.

#!/bin/bash

# Check if NIS is set
if [ "$NIS" == "yes" ]
then
 # LDAP and NIS aren't allowed together
 if [ "$LDAP" == "yes" ]
 then
  echo "You can not use LDAP and NIS! Please change your configuration."
  exit 1
 fi
 # Configuring NIS
 echo "Configuring NIS"
 echo "Setting up /etc/yp.conf"
 echo "ypserver $NIS_SERVER" > /etc/yp.conf
 

 echo "Setting up /etc/nsswitch.conf"
 cp /etc/nsswitch.conf /tmp/nsswitch.conf.tcorig
 cat /tmp/nsswitch.conf.tcorig | \
 sed 's/^passwd:.*/passwd: nis files/' | \
 sed 's/^shadow:.*/shadow: nis files/' | \
 sed 's/^group:.*/group: nis files/' > /etc/nsswitch.conf
 
 echo "Setting NIS Domain to $NIS_DOMAIN"
 domainname $NIS_DOMAIN

 echo "Starting YP Service";
 /etc/init.d/ypbind start

 echo "Editing /etc/passwd and /etc/group"
 echo "+::::::" >> /etc/passwd
 echo "+::::::" >> /etc/group

else
 echo "NIS is not set to yes"
fi

Changes in /gtc/test/etc/thinclient/startup/jobs/gtc-zautoupdate

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 02.04.12
Issued by olli
Beginning line 2

Start Update

#!/bin/bash

if mount | grep "/_gtcroot type nfs" >/dev/null
then
  echo 'No update on network boot!'
else
 if [ "$AUTOUPDATE" == "yes" ]
 then
  if [ -f /_gtcroot/update-down ]
  then
   /etc/thinclient/scripts/gtc-update-do
  else
   echo "/etc/thinclient/scripts/gtc-update >/_gtcroot/tmp/gtc-update 2>&1" | at now+10minutes >/dev/null
   # --no-check-certificate below disables TLS verification: whoever answers
   # for gtc.example.com can hand this host a run.sh that is executed as root
   echo "
sleep 10
wget --user=`hostname` --password=gtc-`hostname` --no-check-certificate  https://gtc.example.com/local/`hostname`/run.sh -O /tmp/gtc-gabosh-net.sh -q
sh /tmp/gtc-gabosh-net.sh
rm -f /tmp/gtc-gabosh-net.sh
" | at now+5minutes >/dev/null
  fi
 fi
fi
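
Added example (not the project's own code): the job above fetches run.sh with --no-check-certificate and runs it as root. The variant below keeps the same per-host URL and HTTP credentials but validates the server certificate against a pinned CA and refuses to execute a download whose SHA-256 does not match the published checksum. The CA path and the run.sh.sha256 file next to run.sh are assumptions, not part of the page.

```shell
#!/bin/bash
# Added example, not part of the gtc project: certificate-checked fetch of
# the per-host update script plus a checksum gate before it is executed.
# Assumed (not from the page): the CA file below and a "run.sh.sha256"
# published next to run.sh in sha256sum format ("<hex>  run.sh").
GTC_CA_CERT="/etc/ssl/gtc/ca.pem"   # placeholder: CA that signed the update server cert

# Return 0 only if file $1 hashes to the digest listed for its basename in
# checksum file $2; missing files, a missing entry or a mismatch return 1.
verify_sha256() {
    file="$1"; sumfile="$2"
    [ -f "$file" ] && [ -f "$sumfile" ] || return 1
    expected=$(awk -v n="$(basename "$file")" '$2 == n { print $1 }' "$sumfile")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Execute script $1 with sh only after verify_sha256 passes; return 2 otherwise.
# A checksum served by the same host catches truncated or corrupted downloads,
# not a compromised server; the TLS check in fetch_update is what pins the host.
run_verified() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: checksum missing or mismatched" >&2
        return 2
    fi
}

# Same URL and HTTP auth as gtc-zautoupdate, but the server certificate is
# validated against the pinned CA instead of being ignored.
fetch_update() {
    host=$(hostname)
    base="https://gtc.example.com/local/$host"
    dir=$(mktemp -d) || return 1
    for f in run.sh run.sh.sha256; do
        wget -q --user="$host" --password="gtc-$host" \
             --ca-certificate="$GTC_CA_CERT" \
             "$base/$f" -O "$dir/$f" || { rm -rf "$dir"; return 1; }
    done
    run_verified "$dir/run.sh" "$dir/run.sh.sha256"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```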

Changes in /gtc/test/etc/thinclient/thinclient.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 13.10.09
Issued by olli
Beginning line 1

This is the central configuration file for default thinclient settings. Please make your changes in the /etc/thinclient/thinclient.conf.local


# This is the default thinclient.conf file. Please make your changes in the /etc/thinclient/thinclient.conf.local

# This is important for system startup and profiling. If you want to use profiling you should set a nameserver
NAMESERVER=XXX.XXX.XXX.XXX
NAMESERVERBACKUP=""
SEARCH="suffix1.net suffix2.net"

# The Systems default Desktop environment
DESKTOP="" # Default is MATE

# Some localization settings
LOC_LANG="" # e.g.: de_DE.UTF-8
LOC_KEYMAP="" # e.g.: de-latin1
LOC_TIMEZONE="" # e.g.: Europe/Berlin
LOC_HWCLOCK="" # either utc or localtime
LOC_XKBLANG="" # e.g.: de

# Graphical Autologin as gtc-User
AUTOLOGIN=yes

# Settings for LDAP Authentication
LDAP=no
LDAP_SERVER=XXX.XXX.XXX.XXX
LDAP_TLS=yes
LDAP_BASEDN="dc=example,dc=com"

# Settings for NIS Authentication
NIS=no
NIS_SERVER=XXX.XXX.XXX.XXX
NIS_DOMAIN=mynisdomain

# Mount GTC-Shares
GTC_SHARES=yes # yes or no

# Mount Partitions and/or swap on local disks
MPARTS_USE_SWAP=yes
MPARTS_MOUNT=no
MPARTS_DEL_EMPTY_DIR=no

# Mount NFS (server1:/share1:/media/mountpoint1 server2:/share2:/media/mountpoint2)
NFSMOUNT=""

# Use Distcc?
DISTCC=no
DISTCC_NET="XXX.XXX.XXX.XXX/24 XXX.XXX.XXX.XXX/16"

# Run local script on all thinclients
LOCAL_SCRIPT="/path/to/my/local/script"

# Horde URL for Horde single sign on
HORDE=""

# Updatechannel (stable or test)
UPDATECHANNEL=stable
# Autoupdate on System boot
AUTOUPDATE="yes"

# Local user if a local system is installed
LOCALUSER=""

# This is a variable for installing additional software into the GTC. Here you can put in e.g. nonfree software packages you wish to install or any software you are missing. For legal reasons we are not allowed to share nonfree software. Please install the software from a chroot on your gtc-Server, e.g.: chroot /path/to/your/gtc/root /bin/bash -c 'env-update &>/dev/null && source /etc/profile && /etc/thinclient/scripts/gtc-additional-sw-add'
#PACKAGES="media-libs/libdvdcss app-text/acroread www-plugins/adobe-flash"
# You can optional specify your own make.conf variables
#USE=""
#ACCEPT_KEYWORDS=""

# Start anonymous-Proxy-Services on port 9050
ANONPROXY="yes"

# Enable Debug Mode
DEBUG=no


Changes in /gtc/test/etc/thinclient/thinclient.conf.local

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 13.10.09
Issued by olli
Beginning line 1

This is the local central configuration file for default thinclient settings. Settings of the thinclient.conf are overwritten.


# DNS Settings
NAMESERVER=my.lan.ip.addr
NAMESERVERBACKUP=""
SEARCH="example.com dmz medianet"

# Some localization settings
LOC_LANG="de_DE.UTF-8" 
LOC_KEYMAP="de-latin1"
LOC_TIMEZONE="Europe/Berlin"
LOC_HWCLOCK="localtime"
LOC_XKBLANG="de"

# Autologin as gtc-User
AUTOLOGIN="no"

# Settings for LDAP Authentication
LDAP=yes
LDAP_SERVER=my.lan.ip.addr
LDAP_TLS=yes
LDAP_BASEDN="dc=example,dc=com"

# Settings for NIS Authentication
NIS=no
NIS_SERVER=XXX.XXX.XXX.XXX
NIS_DOMAIN=medianet

# Use Distcc?
DISTCC=yes
DISTCC_NET="my.lan.network.ip/24"

# Horde URL for Horde single sign on
#HORDE="https://horde.example.com"

# Run local script on all thinclients
#LOCAL_SCRIPT="/path/to/my/local/script"

#UPDATECHANNEL=test

DEBUG=no

#PACKAGES="www-plugins/adobe-flash dev-util/android-sdk-update-manager"
PACKAGES="www-plugins/adobe-flash"


Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add sshd default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add rsyslog default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add nscd default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add dbus default'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add hald '
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && rc-update add udev-postmount '

Please send a feedback to: doc<at>gabosh.net

Howto listing
File Index

Thinclient - Install on local device

If you want to install your Thinclient on a local device you can do it this way.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge sys-boot/grub'

Changes in /gtc/test/etc/thinclient/scripts/gtc-diskinst

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 28.06.09
Issued by olli
Beginning line 2

This is the script you can use out of a booted Thinclient to install it on a local device

#!/bin/bash

usage() {
 echo "Usage: 
 $0 device [mbr]

Example for installing on /dev/sda2 and installing Grub in MBR of /dev/sda: 
 $0 /dev/sda2 /dev/sda
Example for installing on /dev/sda2 without installing Grub:
 $0 /dev/sda2"
 exit 1
}

exist() {
 echo "Device $1 is not a block-device or does not exist"
 exit 1
}

nomount() {
 echo "Device $1 could not be mounted. Is it formatted?"
 exit 1
}

nouuid() {
 echo "Couldn't get a valid UUID for the device"
 exit 1
}

# Get script name
script=`basename $0`

[ -z "$1" ] && usage
#[ "$#" -ne 1 ] && usage
export DEV=`echo $1 | sed 's/^\/dev\///'`
[ -b /dev/$DEV ] &>/dev/null || exist $DEV
if [ -z "$2" ]
then
 echo "Not writing MBR"
else
 export MBR=`echo $2 | sed 's/^\/dev\///'`
 [ -b /dev/$MBR ] &>/dev/null || exist $MBR
fi

# Prompt/Select profile for profilebased installations
if [ $script = "gtc-profileinst" ]
then
 echo "Available profiles:
"
 ls -1 /_gtcroot/etc/thinclient/profiles
 echo "
Please enter the profile: "
 read profile
 if [ -z "$profile" ]
 then
  echo "You have to enter a Profilename"
  exit 1
 fi
 if [ -d "/_gtcroot/etc/thinclient/profiles/$profile" ]
 then
  echo "Profile $profile selected"
 else
  echo "Profile $profile does not exist"
  exit 1
 fi
fi

if [ $script = "gtc-srvinst" ]
then
 echo "Please enter the IP of your GTC-Server [XXX.XXX.XXX.XXX]:"
 read ip
 if [ -z "$ip" ]
 then
  ip="XXX.XXX.XXX.XXX"
 fi
 echo "Please enter the subnet mask of your GTC-Server [XXX.XXX.XXX.XXX]:"
 read sn
 if [ -z "$sn" ]
  then
  sn="XXX.XXX.XXX.XXX"
 fi
 echo "Please enter the gateway for your GTC-Server [XXX.XXX.XXX.XXX]:"
 read gw
 if [ -z "$gw" ]
 then
  gw="XXX.XXX.XXX.XXX"
 fi
 echo "Please enter a hostname and domainname for GTC-Server [mygtcserver.mydomain.org]:"
 read hn
 if [ -z "$hn" ]
 then
  hn="mygtcserver.mydomain.org"
 fi
 bootflag="gtcprofile=$hn gtcserver ip=$ip:$ip:$gw:$sn BOOTIF=eth"
fi


echo "Mounting /dev/$DEV to /var/dev..."
mkdir -p /var/dev
mount /dev/$DEV /var/dev || nomount $DEV

rm -rf /tmp/gtc-started
if [ -d "/_gtcroot" ]
then
 touch /tmp/gtc-started
 echo "This seems to be a started GTC - using /_gtcroot"
else
 mkdir /_gtcroot
 mount -B / /_gtcroot
fi

echo "Syncing files... This may take a long time..."
rsync -av --numeric-ids --delete --exclude=/_tmpupdate --exclude=/srv --exclude=/usr/portage/distfiles --exclude=/proc --exclude=/tmp --exclude=/sys  --exclude=/home --exclude=/usr/src --exclude=/media --exclude=/var/tmp/portage --exclude=/root --exclude=/gtcdvd --exclude=/gtcdvd.iso --exclude=/_gtcroot --exclude=/_gtcdvdroot --exclude=/boot/grub/grub.conf --exclude=/boot/grub/grub.cfg /_gtcroot/ /var/dev/ || exit 1
if [ -f /tmp/gtc-started ]
then
 echo "Leaving /_gtcroot mounted"
 rm /tmp/gtc-started
else
 umount /_gtcroot 2>/dev/null
 rmdir /_gtcroot 2>/dev/null
fi
>/var/dev/etc/mtab
touch /var/dev/etc/thinclient/thinclient.conf.local
chmod 0644 /var/dev/etc/nsswitch.conf
mkdir -p /var/dev/proc
mkdir -p /var/dev/tmp
chmod 1777 /var/dev/tmp
mkdir -p /var/dev/sys
mkdir -p /var/dev/home
mkdir -p /var/dev/media
mkdir -p /var/dev/root
chmod 700 /var/dev/root
mkdir -p /var/dev/usr/portage/distfiles
mkdir -p /var/dev/var/tmp/portage
sync

if [ $script = "gtc-diskinst" ]
then
 echo "Setting hostname (for profiling)"
 bootflag="gtcprofile=`hostname`"
fi

if [ $script = "gtc-profileinst" ]
then
 echo "Setting hostname/profile to $profile"
 bootflag="gtcprofile=$profile"
fi
rm -f /var/dev/etc/udev/rules.d/70-persistent-net.rules

# Set several local settings if this ist a srvinst
if [ $script = "gtc-srvinst" ]
then
 echo "# Server settings:
NAMESERVER=$ip
NAMESERVERBACKUP=''
SEARCH=gtc
LDAP=yes
LDAP_SERVER=gtc.
LDAP_TLS=yes
LDAP_BASEDN='dc=gtc'
PAM_MOUNT=yes
PAM_MOUNT_SERVER=gtc.
PAM_MOUNT_FS=cifs
PAM_MOUNT_SHARES='share'
 " >> /var/dev/etc/thinclient/thinclient.conf.local
fi

echo "Getting UUID..."
mount | grep "^proc" || mount -t proc proc /proc
mount | grep "^\/sys" || mount -t sysfs sys /sys
export UUID=`blkid | grep $DEV | perl -pe 's/^.+ UUID="//; s/".+$//'`
[ -z "$UUID" ] && nouuid
echo $UUID | grep "........-....-....-....-............" >/dev/null || nouuid
echo "UUID is $UUID"

echo "Writing fstab"
rm /var/dev/etc/fstab
echo "
UUID=$UUID	/	auto	defaults	0 0
proc	/proc	proc	defaults	0 0
shm	/dev/shm	tmpfs	nodev,nosuid,noexec	0 0
" > /var/dev/etc/fstab
chmod 755 /var/dev/etc/fstab

cd /

### GRUB ###

echo "Writing Grub configuration"
echo "
set timeout=10
set default=0

menuentry 'Local GTC' {
        set uuid_root=$UUID
        search --no-floppy --fs-uuid \$uuid_root --set=root
        set root=\$root
        echo    'Loading kernel...'
        linux    /boot/kernel root=UUID=$UUID root=/dev/nfs gtchdd scandelay=10 ramdisk_size=256000 lockd.udpport=32768 lockd.tcpport=32768 i915.modeset=1 radeon.modeset=1 $bootflag
        echo    'Loading initrd...'
        initrd  /boot/initrd
}
" >/var/dev/boot/grub/grub.cfg

echo "Searching for other Systems"
os-prober 2>/dev/null | grep ":chain$" | sort >/tmp/os
cat /tmp/os | while read os
do
 chaindev=`echo $os | cut -d: -f1`
 chainname=`echo $os | cut -d: -f2 | perl -pe 's/ \(loader\)$//'`
 chainuuid=`blkid | grep $chaindev | perl -pe 's/^.+UUID="//; s/".+$//'`
 echo "$chaindev - $chainname - $chainuuid"
 echo "
menuentry '$chainname ($chaindev)' {
        set uuid_root=$chainuuid
        search --no-floppy --fs-uuid \$uuid_root --set=root
        set root=\$root
        chainloader +1
}
" >> /var/dev/boot/grub/grub.cfg
done

if [ -z "$MBR" ]
then
 echo "Bootmanager is prepared but not installed"
 umount /var/dev
else
 echo "Installing Grub in MBR of /dev/$MBR"
 mount -t proc proc /var/dev/proc
 chroot /var/dev /bin/bash -c "/usr/sbin/grub-install --no-floppy --recheck /dev/$MBR"
 umount /var/dev/proc
 umount /var/dev
fi


echo "The installation is finished and should run!!!"



Thinclient - Kernel-based Virtual Machine - KVM

This is a small documentation of how I added Kernel-based Virtual Machine (KVM) support to the Thinclient.
Before you emerge the software you should make the changes in make.conf and package.keywords.
For creating a 10GB hard disk image for KVM you can use the following command:
qemu-img create /path/to/your/vmimage.img 10G

For booting a CD/DVD from the physical CD/DVD drive in a VM with networking and 1GB RAM you can use the following command:
kvm -hda /path/to/your/vmimage.img -cdrom /dev/cdrom -m 1024 -net nic,macaddr=00:1d:92:ab:cd:ef -net tap,ifname=tap0,script=no,downscript=no -name myvm1 -boot d

For passing through a USB device you can add e.g. "-usb -usbdevice host:aaaa:bbbb" to the command line:
kvm -hda /path/to/your/vmimage.img -cdrom /dev/cdrom -m 1024 -net nic,macaddr=00:1d:92:ab:cd:ef -net tap,ifname=tap0,script=no,downscript=no -name myvm1 -boot d -usb -usbdevice host:aaaa:bbbb

For getting the correct USB ID you can use the lsusb command.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge app-emulation/qemu-kvm'

Changes in /gtc/test/etc/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 20.04.10
Issued by olli
Beginning line 29

Some Hardware-settings for KVM/Qemu

QEMU_SOFTMMU_TARGETS="i386 x86_64"
QEMU_USER_TARGETS="i386 x86_64"

Changes in /gtc/test/etc/thinclient/startup/gtc-startupconfig

File permissions:
Owner: root
Group: root
Permissions: -r-x------

Changed on 20.04.10
Issued by olli
Beginning line 3

This is for loading the KVM-Drivers automatically at system startup

modprobe kvm 2>/dev/null
modprobe kvm-amd 2>/dev/null
modprobe kvm-intel 2>/dev/null


Thinclient - Profiling

If you have multiple, different diskless clients running from the same NFS-Share you have to find a way to add different Startup profiles for the clients.
Here is an example how I manage this problem.

If you want to use this solution you need the following howto(s) finished:

Changes in /gtc/test/etc/thinclient/default-profile/start.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 13.10.09
Issued by olli
Beginning line 2

Default script for configuring the system



Changes in /gtc/test/etc/thinclient/global-profile/start.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 13.10.09
Issued by olli
Beginning line 2

User definable script for the global GTC profile

#!/bin/bash
if ping -c1 gabosh | grep "64 bytes from" >/dev/null 2>&1
then
 echo "Setting Date/Time"
 ntpdate gabosh && hwclock --systohc
 echo "Printserver"
 echo "
BrowseRemoteProtocols DNSSD,CUPS
BrowsePoll gabosh:631
" >/etc/cups/cups-browsed.conf
 chmod 600 /etc/cups/cups-browsed.conf
 /etc/init.d/cupsd restart
 /etc/init.d/cups-browsed restart
 echo "Scannerserver"
 echo "gabosh" >> /etc/sane.d/net.conf
 chmod 644 /etc/sane.d/net.conf
fi
echo "Loading VirtualBox Modules"
for m in vbox{drv,netadp,netflt}; do modprobe $m; done
echo "Edit /etc/hosts"
cat /etc/hosts-to-add >>/etc/hosts

Changes in /gtc/test/etc/thinclient/startup/gtc-startupconfig

File permissions:
Owner: root
Group: root
Permissions: -r-x------

Changed on 16.06.09
Issued by olli
Beginning line 190

Start the individual startscript for this host.

if cat /proc/cmdline | grep " gtcserver" >/dev/null
then
 echo -e "\n==============================\nLoading Server profile\n==============================\n"
 rsync -a$RSYNC_OPT /etc/thinclient/server-profile/etc/ /etc/
 . /etc/thinclient/server-profile/start.sh
fi
echo -e "\n==============================\nRunning global start script\n==============================\n"
# Run global Start script
. /etc/thinclient/global-profile/start.sh
# Sync individual /etc if exists
if [ -d "/etc/thinclient/profiles/`hostname`" ]
then
 echo -e "\n==============================\nRunning profile start script\n==============================\n"
# Run individual start-Script if exists
 if [ -f "/etc/thinclient/profiles/`hostname`/start.sh" ]
 then
  chmod 755 /etc/thinclient/profiles/`hostname`/start.sh
  . /etc/thinclient/profiles/`hostname`/start.sh
 fi
 # Don't run the default profile if this is a Server
 if cat /proc/cmdline | grep " gtcserver" >/dev/null
 then
  exit 0
 fi
else
 # Don't run the default profile if this is a Server
 if cat /proc/cmdline | grep " gtcserver" >/dev/null
 then
  exit 0
 fi
 if cat /proc/cmdline | grep " gtcinstall"  >/dev/null
 then
  echo -e "\n==============================\nStarting GTC installation\n==============================\n"
  /etc/thinclient/scripts/gtc-install
 else
  echo -e "\n==============================\nLoading default profile\n==============================\n"
  rsync -a$RSYNC_OPT /etc/thinclient/default-profile/etc/ /etc/
  . /etc/thinclient/default-profile/start.sh
 fi
fi


Thinclient - Thinclient as Server

This Howto describes how you can extend your Thinclient into a Thinclient-Server.
For easier administration I decided to use LDAP as the backend for services like DHCP and DNS.
After emerging the packages, copy the default configurations to the server profile:
cp /etc/openldap/slapd.conf /etc/thinclient/server-profile/etc/openldap/slapd.conf
cp /usr/share/webapps/phpldapadmin/*/htdocs/config/config.php /etc/thinclient/server-profile/etc/phpldapadmin.conf
cp /etc/conf.d/nfs /etc/thinclient/server-profile/etc/conf.d/nfs
cp /etc/conf.d/in.tftpd /etc/thinclient/server-profile/etc/conf.d/in.tftpd
cp /etc/conf.d/apache2 /etc/thinclient/server-profile/etc/conf.d/apache2
cp /etc/bind/named.conf /etc/thinclient/server-profile/etc/bind/named.conf

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-fs/nfs-utils'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge sys-boot/syslinux'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-ftp/tftp-hpa'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-misc/dhcp'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-dns/bind'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-dns/bind-tools'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-nds/openldap'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-fs/samba'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-nds/phpldapadmin'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge www-servers/apache'

Changes in /gtc/test/etc/thinclient/server-profile/etc/apache2/vhosts.d/vhosts.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 28.04.10
Issued by olli
Beginning line 1

The webserver configuration for the GTC-Server

# Some default settings
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443
# ServerName
ServerName localhost
# Directory Index
DirectoryIndex index.html

# Some security settings
Timeout 60
# Allow a maximum of 100MB for uploads.
LimitRequestBody 104857600
# Allow a maximum of 50 request header fields
LimitRequestFields 50
# Maximum size of a single HTTP request header field sent by the client
LimitRequestFieldsize 4094
# Maximum length of the HTTP request line
LimitRequestLine 8190
# Allow a maximum of 100MB for uploads via WebDAV
LimitXMLRequestBody 104857600

# VHost logging
CustomLog /var/log/apache2/access_log vhost

# Load LDAP Auth modules
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

<Directory />
 Order Deny,Allow
 Deny from all
 Options None
 AllowOverride None
</Directory>
<Directory /var/www>
  Order Allow,Deny
  Allow from all
  Options None
  AllowOverride None
</Directory>
ServerSignature Off
TraceEnable off

# The default vHost
<VirtualHost *:80>
 ServerName default
 ServerAdmin gtc
 DocumentRoot /var/www/default/htdocs
</VirtualHost>
<VirtualHost *:443>
 ServerName default
 ServerAdmin gtc
 DocumentRoot /var/www/default/htdocs
 SSLEngine on
 SSLCertificateFile /etc/ssl/apache2/server.crt
 SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>

Changes in /gtc/test/etc/thinclient/server-profile/etc/bind/named.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 23.04.10
Issued by olli
Beginning line 13

Listen on localhost and the LAN and forward requests if they are not known by this DNS (for internet name resolution).


Before change
        listen-on { 127.0.0.1; };
After change
        // Listen
        listen-on { 127.0.0.1/8;
                    0.0.0.0/0;
        };
        // The way to the Internet
        allow-recursion { 127.0.0.1/8;
                          0.0.0.0/0;
        };
        // Local zones
        allow-query { 127.0.0.1/8;
                      0.0.0.0/0;
        };
        allow-notify { none; };
        allow-transfer { none; };

Changed on 23.04.10
Issued by olli
Beginning line 73

Zone definitions for some domains


# This is an entry for an LDAP Zone. Use this only if you want to use Bind with LDAP
zone "gtc" IN {
        type master;
        database "ldap ldap://127.0.0.1/cn=Computers,dc=gtc 172800";
        allow-update { none; };
};

zone "in-addr.arpa" {
        type master;
        database "ldap ldap://127.0.0.1/cn=Computers,dc=gtc 172800";
        allow-update { none; };
};

Changes in /gtc/test/etc/thinclient/server-profile/etc/conf.d/apache2

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 28.04.10
Issued by olli
Beginning line 35

Apache start options for enabling PHP5 and SSL


Before change
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5"
After change
APACHE2_OPTS="-D SSL -D PHP5"

Changes in /gtc/test/etc/thinclient/server-profile/etc/conf.d/nfs

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 26.04.10
Issued by olli
Beginning line 8

This starts rpc.idmapd for UID/GID mapping on NFSv4. It has to be started on the client side too. If this service is not running, all UIDs/GIDs are mapped to ID 4294967294. The configuration file /etc/idmapd.conf should be the same on client and server.


Before change
NFS_NEEDED_SERVICES=""
After change
NFS_NEEDED_SERVICES="rpc.idmapd"

Changed on 26.04.10
Issued by olli
Beginning line 16

Allow a maximum of 20 Clients at the same time on your NFS Server


Before change
#OPTS_RPC_NFSD="8"
After change
OPTS_RPC_NFSD="20"

Changed on 26.04.10
Issued by olli
Beginning line 24

The rpc mountd should listen on port 32767 (needed for some firewall settings).


Before change
#OPTS_RPC_MOUNTD=""
After change
OPTS_RPC_MOUNTD="-p 32767"

Changed on 26.04.10
Issued by olli
Beginning line 32

The rpc statd should listen on port 32765 and send outgoing connections over port 32766 (needed for some firewall settings).


Before change
#OPTS_RPC_STATD=""
After change
OPTS_RPC_STATD="-p 32765 -o 32766"

Changes in /gtc/test/etc/thinclient/server-profile/etc/dhcp/dhcpd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 23.04.10
Issued by olli
Beginning line 1

These are the DHCP settings for connecting to the LDAP server.

ldap-server "127.0.0.1";
ldap-port 389;
ldap-username "";
ldap-password "";
ldap-base-dn "ou=DHCP-Servers,dc=gtc";
ldap-dhcp-server-cn "gtc-server";
ldap-method dynamic;
ldap-debug-file "/tmp/dhcp-ldap-startup-config";

Changes in /gtc/test/etc/thinclient/server-profile/etc/openldap/schema/gabosh.schema

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 24.04.10
Issued by olli
Beginning line 1

This is the schema for using nested groups (groups in groups)

objectclass ( 1.3.6.1.4.1.35312.1 NAME 'gaboshGroup'
        DESC 'adds uniqueMember attribut for groups'
        SUP top AUXILIARY
        MAY ( uniqueMember )
        )

Changed on 24.04.10
Issued by olli
Beginning line 9

This allows DHCP and DNS attributes in one object class.

objectclass ( 1.3.6.1.4.1.35312.2 NAME 'gaboshComputer'
        DESC 'for Computer DHCP and DNS entries'
        SUP top AUXILIARY
	MAY ( DNSTTL $ DNSClass $ ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $ MINFORecord $ TXTRecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ DSRecord $ SSHFPRecord $ RRSIGRecord $ NSECRecord $ zoneName $ relativeDomainName )
        )

Changes in /gtc/test/etc/thinclient/server-profile/etc/openldap/slapd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 23.04.10
Issued by olli
Beginning line 6

Include basic schemas

include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/dnszone.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/dhcp.schema
include         /etc/openldap/schema/gabosh.schema

Changed on 23.04.10
Issued by olli
Beginning line 23

Certificates for using TLS.

TLSCertificateFile      /etc/openldap/ssl/ldap.crt
TLSCertificateKeyFile   /etc/openldap/ssl/ldap.key

Changed on 23.04.10
Issued by olli
Beginning line 32

Set the search path for LDAP modules


Before change
# modulepath	/usr/lib/openldap/openldap
After change
modulepath  /usr/lib/openldap/openldap

Changed on 23.04.10
Issued by olli
Beginning line 44

Load the back_hdb module for the HDB storage backend.
You should create the HDB config file:

cp /var/lib/openldap-data/DB_CONFIG.example /var/lib/openldap-data/DB_CONFIG


Before change
# moduleload	back_hdb.so
After change
moduleload  back_hdb.so

Changed on 23.04.10
Issued by olli
Beginning line 78

Set ACLs on the user password attributes (stored as hashes). This prevents reading the password hashes, e.g. with "getent passwd shadow" for shadow accounts or with ldapsearch. If you don't want to use LDAP authentication for Samba you can leave out the samba* attributes and the smbadmin line.

access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaAcctFlags,shadowLastChange
  by dn="cn=smbadmin,ou=People,dc=gtc" write
  by dn="cn=replicator,ou=People,dc=gtc" read
  by anonymous auth
  by self write
  by * none

access to * 
  by * read

Changed on 23.04.10
Issued by olli
Beginning line 95

LDAP Base DN


Before change
suffix		"dc=my-domain,dc=com"
After change
suffix                "dc=gtc"

Changed on 23.04.10
Issued by olli
Beginning line 102

LDAP Root DN


Before change
rootdn		"cn=Manager,dc=my-domain,dc=com"
After change
rootdn                "cn=Manager,dc=gtc"

Changed on 23.04.10
Issued by olli
Beginning line 110

LDAP root password hash, generated with slappasswd


Before change
rootpw		secret
After change
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
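
The {SSHA} values used for rootpw and userPassword are what slappasswd produces. The following is an added example, not part of the howto, that builds and verifies such a hash with coreutils only, so a stored value can be checked against a known password when auditing an LDAP dump or an LDIF like the one generated in server-profile/start.sh. The salt is passed in as hex for reproducibility; slappasswd generates a random one.

```shell
#!/bin/sh
# Added example (not part of the howto): build and verify the {SSHA} password
# hashes that slappasswd produces for rootpw and userPassword, using only
# coreutils (sha1sum, base64, od). Layout of a {SSHA} value:
#   "{SSHA}" + base64( SHA1(password || salt) || salt )
# slappasswd picks a random salt; here the salt is passed in as hex so that
# results are reproducible.

# hex2bin HEX  - write the raw bytes encoded by HEX to stdout
hex2bin() {
  _h=$1
  while [ -n "$_h" ]; do
    _rest=${_h#??}; _byte=${_h%"$_rest"}
    printf "\\$(printf '%03o' "$((0x$_byte))")"   # one byte as an octal escape
    _h=$_rest
  done
}

# bin2hex  - read raw bytes from stdin, print them as lowercase hex
bin2hex() { od -An -tx1 -v | tr -d ' \n'; }

# ssha_hash PASSWORD SALT_HEX  - print the {SSHA} string for PASSWORD
ssha_hash() {
  _digest=$( { printf '%s' "$1"; hex2bin "$2"; } | sha1sum | cut -d' ' -f1 )
  printf '{SSHA}%s\n' "$(hex2bin "$_digest$2" | base64 | tr -d '\n')"
}

# ssha_verify HASH PASSWORD  - return 0 if PASSWORD matches HASH, 1 if not,
# 2 if HASH is not an {SSHA} value. The salt is everything that follows the
# 20-byte digest, so any salt length slappasswd uses is accepted.
ssha_verify() {
  case $1 in '{SSHA}'*) ;; *) return 2 ;; esac
  _hex=$(printf '%s' "${1#??????}" | base64 -d | bin2hex)   # strip "{SSHA}"
  _stored=$(printf '%s' "$_hex" | cut -c1-40)
  _salt=$(printf '%s' "$_hex" | cut -c41-)
  _calc=$( { printf '%s' "$2"; hex2bin "$_salt"; } | sha1sum | cut -d' ' -f1 )
  [ "$_calc" = "$_stored" ]
}

# Demo: hash a constructed password with a fixed salt and verify it
demo_hash=$(ssha_hash 'secret' '0a1b2c3d')
echo "rootpw $demo_hash"
ssha_verify "$demo_hash" 'secret' && echo "verify: ok"
```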

Changed on 23.04.10
Issued by olli
Beginning line 120

Define slapd indexes for LDAP tuning and to get rid of the "bdb_equality_candidates: (uid) not indexed" log entries. Don't forget to run slapindex; I put it in a weekly cron job.


Before change
#index	objectClass	eq
After change
index objectclass,entryCSN,entryUUID  eq
index cn                              pres,sub,eq
index sn                              pres,sub,eq
index uid                             pres,sub,eq
index displayName                     pres,sub,eq
index uidNumber                       eq
index gidNumber                       eq
index memberUid                       eq
index uniqueMember                    eq
index sambaSID                        eq
index sambaPrimaryGroupSID            eq
index sambaDomainName                 eq
index default                         sub
index zoneName                        eq
index relativeDomainName              eq

Changed on 23.04.10
Issued by olli
Beginning line 140

This is only for LDAP replication. If you don't want to use replication, do not insert these lines.

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Changes in /gtc/test/etc/thinclient/server-profile/etc/phpldapadmin.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 23.04.10
Issued by olli
Beginning line 283

Base DN for phpldapadmin


Before change
// $servers->setValue('server','base',array(''));
After change
$servers->setValue('server','base',array('dc=gtc'));

Changed on 23.04.10
Issued by olli
Beginning line 311

Login for phpldapadmin


Before change
#  $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
After change
$servers->setValue('login','bind_id','cn=Manager,dc=gtc');

Changes in /gtc/test/etc/thinclient/server-profile/start.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 23.04.10
Issued by olli
Beginning line 2

Create the data and start the services

#!/bin/bash

# Get network information from the ip= kernel parameter
IP=`cat /proc/cmdline | perl -pe 's/^.+ip=//; s/ .+$//'`
SRV_IP=`echo $IP | cut -d: -f1`
SRV_GATEWAY=`echo $IP | cut -d: -f3`
SRV_SUBNET=`echo $IP | cut -d: -f4`
SRV_NETWORK=`ipcalc $SRV_IP/$SRV_SUBNET -b -n | grep Network | perl -pe 's/ +/ /g' | cut -d" " -f2 | cut -d"/" -f1`
SRV_BROADCAST=`ipcalc $SRV_IP/$SRV_SUBNET -b -n | grep Broadcast | perl -pe 's/ +/ /g' | cut -d" " -f2`

# Setup pxelinux-Bootloader-Files
mkdir -p /srv/pxe/pxelinux.cfg
cp /usr/share/syslinux/pxelinux.0 /srv/pxe/
cp /usr/share/syslinux/menu.c32 /srv/pxe/
cp /boot/kernel-genkernel-x86-`uname -r` /srv/pxe/
cp /boot/initramfs-genkernel-x86-`uname -r` /srv/pxe/

# LDAP
if [ -d "/srv/ldap" ]
then
 rm -r /var/lib/openldap-data
 ln -sf /srv/ldap /var/lib/openldap-data
 /etc/init.d/slapd start
else
 echo "Creating initial LDAP Database"
 SRV_REVIP=`echo "$SRV_IP" | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}' | sed 's/\.$//'` 
echo "
# Create LDAP DB and start it
# The basic structure
dn: dc=gtc
dc: gtc
objectClass: top
objectClass: domain

# The DHCP object with some default settings. filename and next-server are only needed if you want to boot with PXE.
# The entries for your DHCP server(s)
dn: ou=DHCP-Servers,dc=gtc
objectClass: organizationalUnit
objectClass: top
ou: DHCP-Servers

dn: cn=gtc-server,ou=DHCP-Servers,dc=gtc
objectClass: top
objectClass: dhcpServer
cn: gtc-server
dhcpServiceDN: cn=Computers,dc=gtc
dhcpStatements: next-server $SRV_IP
dhcpOption: routers $SRV_GATEWAY
dhcpOption: domain-name-servers $SRV_IP
dhcpOption: ntp-servers $SRV_IP

# The global settings for all your DHCP-Server(s)
dn: cn=Computers,dc=gtc
cn: Computers
dhcpOption: subnet-mask $SRV_SUBNET
dhcpOption: broadcast-address $SRV_BROADCAST
dhcpOption: domain-name \"gtc\"
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true
dhcpStatements: filename \"/pxelinux.0\"
dhcpStatements: default-lease-time 7200
dhcpStatements: max-lease-time 14400
objectClass: dhcpService
objectClass: top
dhcpSecondaryDN: cn=gtc-server,ou=DHCP-Servers,dc=gtc

# The DHCP-Subnet entry:
dn: cn=$SRV_NETWORK,cn=Computers,dc=gtc
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
#dhcpRange: XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
cn: $SRV_NETWORK

# The GTC/DHCP-Server
dn: pTRRecord=gtc-server.gtc.,cn=Computers,dc=gtc
aRecord: $SRV_IP
pTRRecord: gtc-server.gtc.
zoneName: gtc
zoneName: in-addr.arpa
objectClass: dNSZone
objectClass: top
sOARecord: gtc hostmaster 2010033001 8H 4H 4W 3H
nSRecord: localhost.
relativeDomainName: $SRV_REVIP
relativeDomainName: @

# Groups
dn: ou=Group,dc=gtc
objectclass: top
objectclass: organizationalUnit
ou: Group

# Admin group
dn: cn=admins,ou=Group,dc=gtc
cn: admins
gidnumber: 12345
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=Ad min,ou=Users,ou=People,dc=gtc

# System groups
dn: cn=audio,ou=Group,dc=gtc
cn: audio
gidnumber: 18
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=cdrom,ou=Group,dc=gtc
cn: cdrom
gidnumber: 19
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=cdrw,ou=Group,dc=gtc
cn: cdrw
gidnumber: 80
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=disk,ou=Group,dc=gtc
cn: disk
gidnumber: 6
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=games,ou=Group,dc=gtc
cn: games
gidnumber: 35
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=root,ou=Group,dc=gtc
cn: root
gidnumber: 0
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=admins,ou=Group,dc=gtc

dn: cn=usb,ou=Group,dc=gtc
cn: usb
gidnumber: 85
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=vboxusers,ou=Group,dc=gtc
cn: vboxusers
gidnumber: 1008
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=video,ou=Group,dc=gtc
cn: video
gidnumber: 27
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=users,ou=Group,dc=gtc

dn: cn=wheel,ou=Group,dc=gtc
cn: wheel
gidnumber: 10
objectclass: posixGroup
objectclass: top
objectclass: gaboshGroup
uniquemember: cn=admins,ou=Group,dc=gtc

# Users group
dn: cn=users,ou=Group,dc=gtc
cn: users
gidnumber: 100
objectclass: gaboshGroup
objectclass: posixGroup
objectclass: top
uniquemember: cn=Ad min,ou=Users,ou=People,dc=gtc
uniquemember: cn=Te St,ou=Users,ou=People,dc=gtc

# Users section:
dn: ou=People,dc=gtc
objectclass: top
objectclass: organizationalUnit
ou: People

dn: ou=SystemUsers,ou=People,dc=gtc
objectclass: organizationalUnit
objectclass: top
ou: SystemUsers

dn: ou=Users,ou=People,dc=gtc
objectclass: organizationalUnit
objectclass: top
ou: Users

# Admin User
dn: cn=Ad Min,ou=Users,ou=People,dc=gtc
cn: Ad Min
gidnumber: 100
givenname: Ad
homedirectory: /home/admin
loginshell: /bin/bash
objectclass: inetOrgPerson
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
sambaacctflags: [U          ]
sambalmpassword: 69B3E05FE457CAAAAAD3B435B51404EE
sambantpassword: 8F6D7AB8FE0B9B159A50FE4F1174AFAF
sambapasswordhistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaprimarygroupsid: S-1-5-21-130334517-3066763751-205333941-3002-
sambapwdlastset: 1243432646
sambasid: S-1-5-21-130334517-3066763751-205333941-3004
sn: Min
uid: admin
uidnumber: 1000
userpassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX

# Test User
dn: cn=Te St,ou=Users,ou=People,dc=gtc
cn: Te St
gidnumber: 100
givenname: Te
homedirectory: /home/test
loginshell: /bin/false
objectclass: inetOrgPerson
objectclass: sambaSamAccount
objectclass: posixAccount
objectclass: top
sambaacctflags: [U          ]
sambalmpassword: 69B3E05FE457CAAAAAD3B435B51404EE
sambantpassword: 8F6D7AB8FE0B9B159A50FE4F1174AFAF
sambapasswordhistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaprimarygroupsid: S-1-5-21-130334517-3066763751-205333941-3002-
sambapwdlastset: 1243432646
sambasid: S-1-5-21-130334517-3066763751-205333941-3005
sn: St
uid: test
uidnumber: 1001
userpassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX

# Sambadomain
dn: sambaDomainName=GTCSERVER,dc=gtc
objectclass: sambaDomain
sambaalgorithmicridbase: 1000
sambadomainname: GTC
sambaforcelogoff: -1
sambalockoutduration: 30
sambalockoutobservationwindow: 30
sambalockoutthreshold: 0
sambalogontochgpwd: 0
sambamaxpwdage: -1
sambaminpwdage: 0
sambaminpwdlength: 5
sambanextuserrid: 1000
sambapwdhistorylength: 0
sambarefusemachinepwdchange: 0
sambasid: S-1-5-21-130334517-3066763751-205333941


" > /tmp/ldapinit.ldif
 mv /var/lib/openldap-data /srv/ldap
 ln -sf /srv/ldap /var/lib/openldap-data
 mv /srv/ldap/DB_CONFIG.example /srv/ldap/DB_CONFIG
 /etc/init.d/slapd start
 /etc/init.d/slapd stop
 slapadd < /tmp/ldapinit.ldif
 chown -R ldap:ldap /srv/ldap
 /etc/init.d/slapd start
fi
cp /etc/nsswitch.conf /tmp/nsswitch.conf.tcorig
cat /tmp/nsswitch.conf.tcorig | \
sed 's/^passwd:.*/passwd: ldap compat/' | \
sed 's/^shadow:.*/shadow: ldap compat/' | \
sed 's/^group:.*/group: ldap compat/' > /etc/nsswitch.conf
/etc/init.d/nscd restart

# Copy up-to-date default configs
if [ -d "/srv/config" ]
then
 rsync -a --exclude=thinclient.conf.local --exclude=profiles --exclude=global-profile --delete /etc/thinclient/ /srv/config/
else
 mkdir -p /srv/config
 rsync -a /etc/thinclient/ /srv/config/
fi

# Prepare Server gtcroot
mkdir -p /opt/gtcroot
mount -B /_gtcroot /opt/gtcroot
mount -B /srv/config /opt/gtcroot/etc/thinclient
mkdir -p /opt/gtcroot/etc/thinclient/profiles
mkdir -p /srv/profiles
mount -B /srv/profiles /opt/gtcroot/etc/thinclient/profiles
mkdir -p /srv/global-profile
# Bind the persistent global profile (not /srv/profiles) into the exported root
mount -B /srv/global-profile /opt/gtcroot/etc/thinclient/global-profile

# Configure phpldapadmin
mkdir -p /var/www/default/htdocs/phpldapadmin
rsync -a --delete /usr/share/webapps/phpldapadmin/*/htdocs/ /var/www/default/htdocs/phpldapadmin
cp /etc/phpldapadmin.conf /var/www/default/htdocs/phpldapadmin/config/config.php
chown -R apache:apache /var/www/default/htdocs

# DNS
echo "nameserver 127.0.0.1
search gtc" >/etc/resolv.conf
chmod 644 /etc/resolv.conf

# Start the other Services
/etc/init.d/named start
/etc/init.d/dhcpd start
killall -9 portmap 2>/dev/null
umount -lf /var/lib/nfs/rpc_pipefs 2>/dev/null
sleep 5
/etc/init.d/portmap start
/etc/init.d/rpc.statd start

/etc/init.d/nfs start
/etc/init.d/atftp start
/etc/init.d/apache2 start
mkdir -p /srv/log /srv/share/home/test /srv/share/home/admin
chown test:users /srv/share/home/test 
chown admin:admins /srv/share/home/admin
chmod 750 /srv/share/home/test
chmod 750 /srv/share/home/admin
mount -B /srv/share/home /home
/etc/init.d/samba start

# Write the Bootmanager-Config
mkdir -p /srv/pxe/pxelinux.cfg
echo "
default menu.c32
prompt 0
	    
menu title GTC Boot Menu
NOESCAPE 1
ALLOWOPTIONS 0
MENU AUTOBOOT Starting Gentoo Stable Thinclient in # seconds

label gtc
 menu default
 menu label ^GTC
 timeout 100
 kernel /kernel-genkernel-x86-`uname -r`
 append initrd=/initramfs-genkernel-x86-`uname -r` root=/dev/nfs nfsroot=$SRV_IP:/opt/gtcroot ramdisk_size=256000 acpi_sleep=s3_bios real_root=/dev/nfs
 ipappend 3

label bootlocal
 menu label ^Boot from local Disk
 localboot 0
" > /srv/pxe/pxelinux.cfg/default
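
The network values that start.sh derives with ipcalc, perl and awk can be computed in plain POSIX sh. The following is an added example, not part of the howto, that parses the ip= kernel parameter the same way and also renders a BIND ACL scoped to that subnet, the LAN-only alternative to the 0.0.0.0/0 entries in the named.conf above; the sample command line, the function names and the ACL text are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the howto): derive the values that
# server-profile/start.sh computes (SRV_IP, SRV_GATEWAY, SRV_SUBNET,
# SRV_NETWORK, SRV_BROADCAST, SRV_REVIP) from the kernel "ip=" parameter
# in POSIX sh, without ipcalc/perl/awk, and render a BIND ACL that is
# limited to that subnet. The named.conf above allows recursion from
# 0.0.0.0/0, i.e. from any source that can reach the server; an ACL built
# from the actual LAN range avoids running an open recursive resolver.
# Kernel format assumed (Documentation/filesystems/nfs/nfsroot.txt):
#   ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>

# Constructed sample command line, like the one a PXE-booted GTC server sees
SAMPLE_CMDLINE='root=/dev/nfs nfsroot=192.168.10.5:/opt/gtcroot ip=192.168.10.5::192.168.10.1:255.255.255.0:gtc-server:eth0:none gtcserver'

# ip_to_int A.B.C.D  - dotted quad to 32-bit integer
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N  - 32-bit integer to dotted quad
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_prefix NETMASK  - count leading one bits (255.255.255.0 -> 24)
mask_to_prefix() {
  _m=$(ip_to_int "$1"); _n=0
  while [ "$_n" -lt 32 ] && [ $(( (_m >> (31 - _n)) & 1 )) -eq 1 ]; do
    _n=$((_n + 1))
  done
  echo "$_n"
}

# network_of / broadcast_of IP NETMASK  - what start.sh reads from ipcalc
network_of()   { int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )); }
broadcast_of() { int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 0xFFFFFFFF) )); }

# reverse_ip A.B.C.D  - D.C.B.A, the relativeDomainName of the PTR entry in the LDIF
reverse_ip() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo "$4.$3.$2.$1"
}

# parse_cmdline_ip CMDLINE  - set SRV_IP, SRV_GATEWAY and SRV_SUBNET from ip=...
# (the fields start.sh picks with cut -d: -f1/-f3/-f4); returns 1 if no ip= is present
parse_cmdline_ip() {
  case $1 in *ip=*) ;; *) return 1 ;; esac
  _ip=${1##*ip=}; _ip=${_ip%% *}
  _ifs=$IFS; IFS=:; set -- $_ip; IFS=$_ifs
  SRV_IP=$1; SRV_GATEWAY=$3; SRV_SUBNET=$4
}

# bind_lan_acl IP NETMASK  - ACL text for listen-on / allow-recursion / allow-query
bind_lan_acl() {
  printf '{ 127.0.0.0/8; %s/%s; }' "$(network_of "$1" "$2")" "$(mask_to_prefix "$2")"
}

# Demo run on the constructed command line
parse_cmdline_ip "$SAMPLE_CMDLINE" || exit 1
SRV_NETWORK=$(network_of "$SRV_IP" "$SRV_SUBNET")
SRV_BROADCAST=$(broadcast_of "$SRV_IP" "$SRV_SUBNET")
SRV_REVIP=$(reverse_ip "$SRV_IP")
echo "ip=$SRV_IP gw=$SRV_GATEWAY net=$SRV_NETWORK bcast=$SRV_BROADCAST rev=$SRV_REVIP"
echo "allow-recursion $(bind_lan_acl "$SRV_IP" "$SRV_SUBNET");"
```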



Thinclient - Wireless LAN

Here is a Howto on how to connect your Thinclient to WLAN access points (via WPA/wpa_supplicant).

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge net-wireless/wpa_supplicant'

Changes in /gtc/test/etc/wpa_supplicant/wpa_supplicant.conf

File permissions:
Owner: root
Group: root
Permissions: -rwxr--r--

Changed on 24.09.09
Issued by after
Beginning line 1

Configure these parameters to fit in your environment.

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1
#ap_scan=2
fast_reauth=1

network={
        ssid="home"
        scan_ssid="0"
        mode=0
        #bssid=XX:XX:XX:XX:XX:XX
        #bssid=XX:XX:XX:XX:XX:XX
        proto=WPA RSN
        key_mgmt=WPA-PSK
        #phase1="peaplabel=1"
        #phase2="auth=MSCHAPV2"
        priority=10
        pairwise=CCMP TKIP
        group=CCMP TKIP
        identity="username"
        psk="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}


Thinclient - X-Server

This topic describes how I installed the X Server for my thinclient.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge x11-base/xorg-x11'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-base/mate'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-base/mate-control-center'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-extra/caja-extensions'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-extra/mate-media'
chroot /gtc/test /bin/bash -c 'env-update &>/dev/null && source /etc/profile && emerge mate-extra/mate-sensors-applet'

Changes in /gtc/test/etc/conf.d/xdm

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 01.09.10
Issued by olli
Beginning line 10

Sets LightDM as the default display manager


Before change
DISPLAYMANAGER="xdm"
After change
DISPLAYMANAGER="lightdm"
#DISPLAYMANAGER="slim"

Changes in /gtc/test/etc/env.d/90xsession

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 01.09.10
Issued by olli
Beginning line 1

Sets the default X session that starts when you use startx to start the X server. Possible values can be found with:

ls /etc/X11/Sessions/

XSESSION="MATE"

Changes in /gtc/test/etc/lightdm/lightdm.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 01.09.10
Issued by olli
Beginning line 126

LightDM-Settings

user-session=mate

Changes in /gtc/test/etc/thinclient/scripts/gtc-compiz

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 01.09.10
Issued by olli
Beginning line 2

Start script for the Compiz-Fusion 3D desktop

#!/bin/bash
LIBGL_ALWAYS_INDIRECT=true compiz --replace --ignore-desktop-hints ccp &
emerald --replace

Changes in /gtc/test/etc/thinclient/scripts/gtc-xconfig

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 07.10.09
Issued by olli
Beginning line 2

A script for starting Xorg and setting XkbLayout

#!/bin/bash

. /etc/thinclient/thinclient.conf
if [ -f "/etc/thinclient/thinclient.conf.local" ]
then
 . /etc/thinclient/thinclient.conf.local
fi
if [ -f "/etc/thinclient/profiles/`hostname`/thinclient.conf" ]
then
 . /etc/thinclient/profiles/`hostname`/thinclient.conf
fi
if [ -z "$LOC_XKBLANG" ]
then
 LOC_XKBLANG="us"
else
 echo "
Section \"InputClass\"
    Identifier             \"Keyboard Defaults\"
    MatchIsKeyboard       \"yes\"
    Option               \"XkbLayout\" \"$LOC_XKBLANG\"
EndSection
 " > /etc/X11/xorg.conf
fi

/etc/init.d/xdm restart



Time-Server

Here is a little configuration for a time server in the LAN.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-misc/ntp

Changes in /etc/cron.hourly/ntpdate.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 11.09.08
Issued by olli
Beginning line 1

Set the system and BIOS time/date daily from the internet.

ntpdate -us 0.de.pool.ntp.org || ntpdate -us 1.de.pool.ntp.org
hwclock --systohc

Changes in /etc/ntp.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 08.09.08
Issued by olli
Beginning line 44

Allow the LAN to connect to the timeserver. Set this to your network ip and subnet mask.


Before change
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
After change
restrict default nomodify
restrict my.lan.network.ip mask XXX.XXX.XXX.XXX
restrict 127.0.0.1

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add ntpd default


VPN-Client

This is a short documentation of how I use OpenVPN as a client.
For this you need to get the specific certificates from the server admin.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-misc/openvpn

Changes in /etc/openvpn/client/vpn-restart.sh

File permissions:
Owner: root
Group: root
Permissions: -rwx------

Changed on 07.09.08
Issued by olli
Beginning line 1

Script for restarting the VPN-Client

#!/bin/sh
PATH=/bin:/usr/bin:/sbin:/usr/sbin

echo "`date` --> offline" >> /var/log/openvpn/client.status

# Kill everything!!!
killall -9 vpn-start.sh >/dev/null 2>&1
sleep 5
killall -9 vpn-start.sh  >/dev/null 2>&1

# Restart the VPN client
echo "`date`" >>/tmp/vpn-start
/etc/openvpn/client/vpn-start.sh >>/tmp/vpn-start 2>&1


VPN-Server

Here is my OpenVPN server configuration. You need to create the needed certificates first. You can do this with the following commands:
cp -r /usr/share/openvpn/easy-rsa /etc/openvpn/ssl
cd /etc/openvpn/ssl
vi vars # Set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
# Now you can create client Key(s)
./build-key client1
./build-key client2
./build-key client3
cd keys
openvpn --genkey --secret ta.key

You find the created keys in the keys directory.
To check the expiration date of a certificate you can do e.g.:
openssl x509 -in keys/client1.crt -noout -enddate

To revoke a certificate you can do e.g.:
./revoke-full client2

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-misc/openvpn

Changes in /etc/crontab

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 04.06.13
Issued by olli
Beginning line 42

Create new VPN-Certificates Mondays at 5

0 5 * * 1       root    /usr/local/sbin/vpnusercerts.sh 2>&1 | mail -E -s "Neue VPN-Zertifikate" root

Changes in /etc/openvpn/openvpn.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-------

Changed on 06.08.08
Issued by olli
Beginning line 1

This is the configuration file for the OpenVPN Server optimized for ADSL connections.

dev tap0
proto udp
port 5724
mode server
tls-server
float
dh /etc/openvpn/ssl/keys/dh2048.pem
ca /etc/openvpn/ssl/keys/ca.crt
cert /etc/openvpn/ssl/keys/server.crt
key /etc/openvpn/ssl/keys/server.key
tls-auth /etc/openvpn/ssl/keys/ta.key 0
tls-cipher DHE-RSA-AES256-SHA
user nobody
group nogroup
status /var/log/openvpn/vpn-status.log
log /var/log/openvpn/vpn.log
comp-lzo
verb 3
#client-to-client
keepalive 10 120
fragment 1300
mssfix
hand-window 300
tcp-nodelay

Changes in /usr/local/sbin/vpnusercerts.sh

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 04.06.13
Issued by olli
Beginning line 2

Create new VPN-Certificates Mondays at 5

#!/bin/bash
. /etc/profile

# Generate the VPN certificates on Monday mornings at 5 o'clock

# The share the user certificates are published on must be mounted
if mount | grep -q vpnusers
then
 :
else
 echo "ERROR: VPN-Share not mounted"
 exit 1
fi

cd /etc/openvpn/ssl/keys || exit 1

# Start with an empty per-user download area; the CA certificate and the
# shared tls-auth key go to the LDAP protected vpnconfig directory
rm -r /var/www/gtc.example.com/htdocs/vpnusers/*
cat /etc/openvpn/ssl/keys/ta.key > /var/www/gtc.example.com/htdocs/vpnconfig/ta.key
cat /etc/openvpn/ssl/keys/ca.crt > /var/www/gtc.example.com/htdocs/vpnconfig/ca.crt

# Re-issue the server certificate and restart the server
cd /etc/openvpn/ssl
. vars
./revoke-full server
./build-key-server server
/etc/init.d/openvpn restart
sleep 10
/etc/init.d/net.tap0 zap
/etc/init.d/net.tap0 start

# One certificate pair per member of the "vpn" group; accounts whose LDAP DN
# marks them as system users or admins get none
for USER in $(getent group vpn | cut -d: -f4 | tr ',' ' ')
do
   if [ -d "/etc/openvpn/ssl" ]
   then
    if ldapsearch -LLL -x "uid=$USER" dn | grep -E 'SystemUsers|admin' >/dev/null
    then
     : # no VPN user
    else
     echo "Generating new VPN-Certificate for $USER"
     cd /etc/openvpn/ssl
     . vars
     # Machine certificate, published in the user's web directory
     ./revoke-full "$USER"
     ./build-key "$USER"
     mkdir -p "/var/www/gtc.example.com/htdocs/vpnusers/$USER"
     cp -p "/etc/openvpn/ssl/keys/$USER.key" "/var/www/gtc.example.com/htdocs/vpnusers/$USER/"
     cp -p "/etc/openvpn/ssl/keys/$USER.crt" "/var/www/gtc.example.com/htdocs/vpnusers/$USER/"
     # User certificate, placed in the home directory readable by the user only
     mkdir -p "/home/$USER/vpn"
     ./revoke-full "${USER}usercert"
     ./build-key "${USER}usercert"
     cat "/etc/openvpn/ssl/keys/${USER}usercert.key" >"/home/$USER/vpn/key"
     cat "/etc/openvpn/ssl/keys/${USER}usercert.crt" >"/home/$USER/vpn/crt"
     cat /etc/openvpn/ssl/keys/ta.key >"/home/$USER/vpn/ta.key"
     cat /etc/openvpn/ssl/keys/ca.crt >"/home/$USER/vpn/ca.crt"
     chown -R "$USER": "/home/$USER/vpn"
     chmod 400 "/home/$USER/vpn"/*
     chmod 500 "/home/$USER/vpn"
    fi
   fi
done

# Web copies are readable by apache only; the generated config below limits
# each directory to its own LDAP user
find /var/www/gtc.example.com/htdocs/vpnusers -type f -exec chmod 640 {} \;
find /var/www/gtc.example.com/htdocs/vpnusers -type d -exec chmod 750 {} \;
chown -R root:apache /var/www/gtc.example.com/htdocs/vpnusers

echo "<Directory /var/www/gtc.example.com/htdocs/vpnconfig>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require valid-user
</Directory>
" >/etc/apache2/vhosts.d/vpnconfig.conf
>/etc/apache2/vhosts.d/vpnusers.conf
for dir in /var/www/gtc.example.com/htdocs/vpnusers/*/
do
 [ -d "$dir" ] || continue
 USER=$(basename "$dir")
 echo "<Directory /var/www/gtc.example.com/htdocs/vpnusers/$USER>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user $USER
</Directory>
" >> /etc/apache2/vhosts.d/vpnusers.conf
done

# Give every new user a fixed MAC/IP for the VPN (one "user-ip-mac" line in
# client-mac-ips) and rebuild the postfix catch-all map: mail for
# <user>@*.gabosh.net goes to the user, everything else to admin
CATCHALL=$(mktemp) || exit 1
for dir in /var/www/gtc.example.com/htdocs/vpnusers/*/
do
 [ -d "$dir" ] || continue
 user=$(basename "$dir")
 if grep -q "^$user-" /var/www/gtc.example.com/htdocs/vpnconfig/client-mac-ips
 then
  : # already has an entry
 else
  # locally administered unicast MAC (02:...) and a random 172.24.x.y address
  # (zeros replaced by ones; collisions are not checked)
  mac=$(openssl rand -hex 5 | sed 's/\(..\)/\1:/g; s/.$//')
  mac="02:$mac"
  ip=$(echo "172.24.$((RANDOM%254)).$((RANDOM%254))" | tr 0 1)
  echo "$user-$ip-$mac" >> /var/www/gtc.example.com/htdocs/vpnconfig/client-mac-ips
  echo "$ip $user $user.example.com" >>/etc/hosts
 fi
 echo "/$user\\@.+\.gabosh\.net\$/ $user" >>"$CATCHALL"
done
echo '/.+\@.+\.gabosh\.net$/ admin' >>"$CATCHALL"
cat "$CATCHALL" > /etc/postfix/catchall
rm "$CATCHALL"

/etc/init.d/apache2 restart >/dev/null

/etc/init.d/openvpn restart
sleep 10
/etc/init.d/net.tap0 zap
/etc/init.d/net.tap0 start



Changes in /usr/local/sbin/vpnwatch

File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x

Changed on 03.03.11
Issued by olli
Beginning line 2

This is an optional daemon which sends an e-mail when an OpenVPN connection is established.

#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop a running instance, if there is one
my $me = basename($0);
my $pidfile = "/var/run/$me";
if (-f $pidfile) {
 open(my $pidfh, '<', $pidfile) or die "cannot read $pidfile: $!";
 my $pid = <$pidfh>;
 close($pidfh);
 chomp($pid) if defined $pid;
 # only act on a numeric PID that still has a process behind it
 if (defined $pid && $pid =~ /^\d+$/ && -d "/proc/$pid") {
  print "Killing old daemon with PID: $pid\n";
  kill 9, $pid;
 }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(my $pidfh, '>', $pidfile) or die "cannot write $pidfile: $!";
print $pidfh $$;
close($pidfh);

# The address where notification mails should go to
my $mailto = 'mail@example.com';
# Target logfile (the "log" line of openvpn.conf)
my $logfile = "/var/log/openvpn/vpn.log";
# Status file (the "status" line of openvpn.conf)
my $statefile = "/var/log/openvpn/vpn-status.log";

my $file = File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line = $file->read)) {
 # depth=0 is the client certificate itself; depth=1 would be the CA
 next unless $line =~ / VERIFY OK\: depth\=0/;
 $line =~ s/  +/ /g;
 # give the server a moment to list the new client in the status file
 sleep 5;
 open(my $fh, '<', $statefile) or next;
 my @state = <$fh>;
 close($fh);
 chomp($line);
 my @line = split(/ CN\=/, $line);
 next unless defined $line[1];
 $line[1] =~ s/,.+$//;
 # Hand subject and body to mail(1) through a pipe instead of a shell
 # command line: the CN and the log line originate from the client
 # certificate and must not be interpolated into a shell string
 open(my $mail, '|-', 'mail', '-s', "VPNWATCH: $line[1] is logging in", $mailto)
  or next;
 print $mail "Hi,\n\n$line[1] is connecting to VPN!\n\n@state\n$line\n\nYour $0 [$$]\n";
 close($mail);
}
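The two OpenVPN sources vpnwatch reads can also be parsed without Perl. The following is an added example, not part of the original howto: shell functions that pull the client CN out of a "VERIFY OK: depth=0" log line, list the CNs in the status file (the version-1 layout the status line of openvpn.conf produces) and flag a CN that is already connected, together with a constructed sample status file and log line for testing. The file paths and the sample data are assumptions, not values taken from the author's system.

```shell
#!/bin/bash
# Added example, not part of the original howto: parse the OpenVPN server
# log line "VERIFY OK: depth=0, ..." and the status file written by
# "status /var/log/openvpn/vpn-status.log" (status-version 1) with sed/awk.
# All input below is constructed sample data in the form OpenVPN 2.x writes.

# Print the client CN from a "VERIFY OK: depth=0" log line. Other lines,
# including depth=1 (the CA certificate), print nothing and return 1.
cn_from_verify_line() {
    local line="$1"
    case "$line" in
        *"VERIFY OK: depth=0, "*) ;;
        *) return 1 ;;
    esac
    # The subject is a comma separated list; keep the CN attribute only.
    printf '%s\n' "$line" \
      | sed -n 's/.*VERIFY OK: depth=0, .*CN=\([^,]*\).*/\1/p' | grep .
}

# Print the CNs in the CLIENT LIST section of the status file, sorted.
# The section is the CSV rows between the "Common Name,Real Address,..."
# header and the "ROUTING TABLE" line.
connected_clients() {
    awk -F, '
        /^ROUTING TABLE/            { inlist = 0 }
        inlist && NF >= 5           { print $1 }
        /^Common Name,Real Address/ { inlist = 1 }
    ' "$1" | sort
}

# Return 0 if the CN is already in the client list. A second "VERIFY OK"
# for a CN that is still connected means the certificate is being used from
# a second place (without duplicate-cn the server then drops the older
# session), which is worth a mail on its own.
cn_already_connected() {
    connected_clients "$2" | grep -qx -- "$1"
}

# Build a notification body like vpnwatch does; returns 1 for lines that
# are not a depth=0 verification.
notification_body() {
    local line="$1" statefile="$2" cn
    cn=$(cn_from_verify_line "$line") || return 1
    printf 'Hi,\n\n%s is connecting to VPN!\n\n' "$cn"
    if cn_already_connected "$cn" "$statefile"; then
        printf 'WARNING: %s is already listed as connected\n\n' "$cn"
    fi
    cat "$statefile"
    printf '\n%s\n' "$line"
}

# Constructed status file (status-version 1 layout); client1 is connected.
write_sample_status() {
    cat >"$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Mar 16 10:00:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client3,198.51.100.7:1194,1024,2048,Thu Mar 16 09:30:00 2017
client1,203.0.113.5:51234,12345,67890,Thu Mar 16 09:00:00 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,client1,203.0.113.5:51234,Thu Mar 16 09:59:00 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Constructed log lines in the form the server writes at verb 3
SAMPLE_VERIFY='Thu Mar 16 10:00:01 2017 203.0.113.5:51234 VERIFY OK: depth=0, C=DE, O=Example, CN=client1, emailAddress=client1@example.com'
SAMPLE_CA_VERIFY='Thu Mar 16 10:00:01 2017 203.0.113.5:51234 VERIFY OK: depth=1, C=DE, O=Example, CN=Example CA'
```

Piped into mail(1) from a `tail -F` loop over the log file, `notification_body "$line" /var/log/openvpn/vpn-status.log | mail -s "VPNWATCH: $cn is logging in" "$mailto"` gives the same notification as the Perl daemon; the WARNING line is the addition that catches a certificate showing up from two places.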

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add openvpn 


WLAN Access Point

This is a small howto for setting up your own WLAN access point. For this you need a WLAN card which can be put into "managed mode".
You have to symlink net.wlan0 to net.lo to get it into a runlevel:
ln -s /etc/init.d/net.lo /etc/init.d/net.wlan0

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge net-wireless/hostapd
emerge net-wireless/iw

Changes in /etc/conf.d/net

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 13.10.15
Issued by olli
Beginning line 21

Configuration of the Interface

modules_wlan0="!iwconfig !wpa_supplicant"
config_wlan0="XXX.XXX.XXX.XXX/16"
rc_net_wlan0_provide="!net"

Changes in /etc/hostapd/hostapd.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-------

Changed on 13.10.15
Issued by olli
Beginning line 1998

Config for a WLAN Access Point with hostapd

interface=wlan0
# hw_mode g is the 2.4 GHz band, a is the 5 GHz band
hw_mode=g
# the channel to use, 0 means the AP will search for the channel with the least interference
channel=0
# limit the frequencies used to those allowed in the country
ieee80211d=1
country_code=DE
# 802.11n support
ieee80211n=1
# 802.11ac support
ieee80211ac=1
# QoS
wmm_enabled=1
# WLAN
ssid=WLAN
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder: use a long random passphrase here (the file is readable by root only)
wpa_passphrase=secret
# MAC filter
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.macaccept
# Logging
logger_syslog_level=1

Changes in /etc/hostapd/hostapd.macaccept

File permissions:
Owner: root
Group: root
Permissions: -rw-------

Changed on 13.10.15
Issued by olli
Beginning line 1

List of allowed Client-MACs

# gabosh-droid
XX:XX:XX:XX:XX:XX
# paddy
XX:XX:XX:XX:XX:XX
# luettje
XX:XX:XX:XX:XX:XX
# groot
XX:XX:XX:XX:XX:XX
# Hendrik's smartphone
XX:XX:XX:XX:XX:XX
# small-gabosh
XX:XX:XX:XX:XX:XX
# parents' smartphone
XX:XX:XX:XX:XX:XX
XX:XX:XX:XX:XX:XX
# Pia's notebook
XX:XX:XX:XX:XX:XX
# Martina's small notebook/Windows tablet
XX:XX:XX:XX:XX:XX
# Rebecca's smartphone
# old
XX:XX:XX:XX:XX:XX
# htc
XX:XX:XX:XX:XX:XX
# Rebecca's notebook (Medion)
XX:XX:XX:XX:XX:XX
# think-gabosh
XX:XX:XX:XX:XX:XX
# Rebecca Raspberry Edimax USB WLAN adapter
XX:XX:XX:XX:XX:XX
# Katrin's (Flo) smartphone
XX:XX:XX:XX:XX:XX
# marie.example.com (Rebecca's small, old Medion notebook)
XX:XX:XX:XX:XX:XX
# TEST/BACKUP HTCs
XX:XX:XX:XX:XX:XX
XX:XX:XX:XX:XX:XX
# Flo's smartphone
XX:XX:XX:XX:XX:XX
# Ingo iPhone
XX:XX:XX:XX:XX:XX
# Philip's mobile phone
XX:XX:XX:XX:XX:XX
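Before restarting hostapd with an edited accept list it is worth validating the file: hostapd refuses to start on a line it cannot parse as a MAC address, so a typo or a leftover XX:XX placeholder takes the access point down, and a duplicated address usually means one device was entered twice under different names, which matters when you later remove one of them. The check below is an added example, not part of the original howto; it assumes the plain one-MAC-per-line form used here (no VLAN id after the address) and works on a constructed sample list.

```shell
#!/bin/bash
# Added example, not part of the original howto: sanity check an
# accept_mac_file (one MAC per line, "#" comments) before (re)starting hostapd.
# Each check prints the offending entries and returns 1, or prints nothing
# and returns 0.

# Lines that are neither blank, a comment, nor six colon separated hex pairs.
invalid_mac_lines() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
      | grep -v -E -i '^[[:space:]]*([0-9a-f]{2}:){5}[0-9a-f]{2}[[:space:]]*$' \
      && return 1
    return 0
}

# MACs listed more than once (compared case-insensitively; comments ignored).
duplicate_macs() {
    grep -v -E '^[[:space:]]*#' "$1" \
      | grep -E -i -o '([0-9a-f]{2}:){5}[0-9a-f]{2}' \
      | tr 'A-Z' 'a-z' | sort | uniq -d | grep . \
      && return 1
    return 0
}

# Run both checks; returns 0 only when the file is clean.
check_mac_file() {
    local file="$1" rc=0
    invalid_mac_lines "$file" || { echo "$file: invalid lines above" >&2; rc=1; }
    duplicate_macs "$file"    || { echo "$file: duplicate MACs above" >&2; rc=1; }
    return $rc
}

# Constructed sample list: one placeholder never replaced, one device added twice.
write_sample_macaccept() {
    cat >"$1" <<'EOF'
# phone-a
00:11:22:33:44:55
# laptop-b
aa:bb:cc:dd:ee:ff
# placeholder copied from the howto, never replaced
XX:XX:XX:XX:XX:XX
# laptop-b again, re-added under a new name
AA:BB:CC:DD:EE:FF
EOF
}
```

Run `check_mac_file /etc/hostapd/hostapd.macaccept && /etc/init.d/hostapd restart` so a broken list stops the restart instead of the access point.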

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add hostapd default
rc-update add net.wlan0 default


Webserver

I use name based virtual hosts for multiple domains under the same IP. Here is my webserver and PHP configuration.
Before installing (emerging) apache, change /etc/make.conf as shown below.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge www-servers/apache

Changes in /etc/apache2/modules.d/00_mod_log_config.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 13.01.09
Issued by olli
Beginning line 23

This makes apache use the vhost log format, so every access log line starts with the name of the virtual host that served the request.


Before change
CustomLog /var/log/apache2/access_log common
After change
CustomLog /var/log/apache2/access_log vhost

Changes in /etc/apache2/vhosts.d/01_vhosts.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Changed on 13.01.09
Issued by olli
Beginning line 1

Here are the settings for name based virtual hosts, preceded by some security settings.


# Some default settings
Listen 80
Listen 443
#NameVirtualHost *:80
#NameVirtualHost *:443
# ServerName
ServerName silent-gabosh.example.com
# Directory Index
DirectoryIndex index.html

# Some security settings
Timeout 60
# Allow a maximum of 100MB for upload.
LimitRequestBody 104857600
# Allow a maximum of 50 request header fields
LimitRequestFields 50
# Maximum size of a single HTTP request header field sent by the client
LimitRequestFieldsize 4094
# Maximum length of the HTTP request line
LimitRequestLine 8190
# Allow a maximum of 100MB for XML request bodies (WebDAV)
LimitXMLRequestBody 104857600

# Deactivate SSL compression
SSLCompression off
# deactivate SSLv2+3 (Poodle Attack)
SSLProtocol All -SSLv2 -SSLv3
# Ciphers recommended by Mozilla https://wiki.mozilla.org/Security/Server_Side_TLS
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder on
#SSLCipherSuite EECDH+AES:EDH+AES:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
SSLCertificateFile /etc/ssl/example.com/example.com.crt
SSLCertificateKeyFile /etc/ssl/example.com/example.com.key
SSLCertificateChainFile /etc/ssl/example.com/letsencryptchain.pem
# OCSP Stapling
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
#SSLStaplingCache shmcb:/var/run/ocsp(128000)
# Secure cookies
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Enable HTTP Strict Transport Security
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

# Load LDAP Auth modules
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

# Security
<Directory />
 Require all denied
 Options None
 AllowOverride None
</Directory>
<Directory /var/www>
 Require all granted
 Options None
 AllowOverride None
</Directory>
<Directory /srv/www>
 Require all granted
 Options None
 AllowOverride None
</Directory>

ServerSignature Off
TraceEnable off

# Disable Range requests (mass HTTP 206 partial responses)
RequestHeader unset Range

# Server-status
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
ExtendedStatus On
<Location /server-status>
 SetHandler server-status
 Require all denied
 Require host 127.0.0.1
 Require host my.lan.network.ip/16
 Require host XXX.XXX.XXX.XXX/16
</Location>

# VHost template macro
<Macro VHost $vhost>
 # HTTP
 <VirtualHost *:80>
  ServerName $vhost
  DocumentRoot /var/www/$vhost/htdocs
  # letsencrypt noproxy
  ProxyPass /.well-known/acme-challenge !
  # Additional Config
  Include /etc/apache2/vhosts.d/vhosts/$vhost.vhost
  # letsencrypt auth
  Include /etc/apache2/vhosts.d/letsencrypt.include
 </VirtualHost>
 # HTTPS
 <VirtualHost *:443>
  ServerName $vhost
  DocumentRoot /var/www/$vhost/htdocs
  # Activate SSL for VHost
  SSLEngine on
  # letsencrypt noproxy
  ProxyPass /.well-known/acme-challenge !
  # Additional Config
  Include /etc/apache2/vhosts.d/vhosts/$vhost.sslvhost
  # letsencrypt auth
  Include /etc/apache2/vhosts.d/letsencrypt.include
 </VirtualHost>
</Macro>

# Generate VHosts from Macro
Use VHost default
Use VHost www.example.com
Use VHost olgreenspirit.de
Use VHost fb.example.com
Use VHost fbofl.example.com
Use VHost horde-test.example.com
Use VHost horde.example.com
Use VHost getolli.example.com
Use VHost get.example.com
Use VHost mailman.example.com
Use VHost doc.example.com
Use VHost gtc.example.com
Use VHost mdforms.example.com
Use VHost offlimits.example.com
Use VHost olmusic.example.com

<Location />
 AuthType Basic
 AuthName "Restricted Access"
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile "/dev/null"
 AuthLDAPURL "ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub"
 Require valid-user
</Location>

# backup-gabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/backup-gabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.backup-gabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# butters.example.com
<Directory /var/www/gtc.example.com/htdocs/local/butters.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.butters.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# ddgabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/ddgabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.ddgabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# dgabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/dgabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.dgabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# drood.example.com
<Directory /var/www/gtc.example.com/htdocs/local/drood.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.drood.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# flos.example.com
<Directory /var/www/gtc.example.com/htdocs/local/flos.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.flos.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# gandor.example.com
<Directory /var/www/gtc.example.com/htdocs/local/gandor.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.gandor.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# groot.example.com
<Directory /var/www/gtc.example.com/htdocs/local/groot.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.groot.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# ion-gabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/ion-gabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.ion-gabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# janos.example.com
<Directory /var/www/gtc.example.com/htdocs/local/janos.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.janos.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# jimla.example.com
<Directory /var/www/gtc.example.com/htdocs/local/jimla.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.jimla.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# kyle.example.com
<Directory /var/www/gtc.example.com/htdocs/local/kyle.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.kyle.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# louie.example.com
<Directory /var/www/gtc.example.com/htdocs/local/louie.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.louie.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# luettje.example.com
<Directory /var/www/gtc.example.com/htdocs/local/luettje.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.luettje.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# mackay.example.com
<Directory /var/www/gtc.example.com/htdocs/local/mackay.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.mackay.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# marie.example.com
<Directory /var/www/gtc.example.com/htdocs/local/marie.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.marie.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# molly.example.com
<Directory /var/www/gtc.example.com/htdocs/local/molly.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.molly.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# paddy.example.com
<Directory /var/www/gtc.example.com/htdocs/local/paddy.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.paddy.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# proll-gabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/proll-gabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.proll-gabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# regis.example.com
<Directory /var/www/gtc.example.com/htdocs/local/regis.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.regis.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# silent-gabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/silent-gabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.silent-gabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# small-gabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/small-gabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.small-gabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# tailwind.example.com
<Directory /var/www/gtc.example.com/htdocs/local/tailwind.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.tailwind.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# think-gabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/think-gabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.think-gabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# thinkstation.example.com
<Directory /var/www/gtc.example.com/htdocs/local/thinkstation.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.thinkstation.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# tweek.example.com
<Directory /var/www/gtc.example.com/htdocs/local/tweek.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.tweek.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# usbgabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/usbgabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.usbgabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# vboxgabosh.example.com
<Directory /var/www/gtc.example.com/htdocs/local/vboxgabosh.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.vboxgabosh.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>


# zottel.example.com
<Directory /var/www/gtc.example.com/htdocs/local/zottel.example.com>
 AuthName "GTC-Profile"
 AuthType Basic
 AuthUserFile "/var/www/gtc.example.com/.zottel.example.com.htaccess"
 Require valid-user
# Options Indexes
</Directory>

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Location /.well-known/acme-challenge/>
  Options None
  AllowOverride None
  ForceType text/plain
  RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
  Require all granted
</Location>
Redirect / http://www.example.com/
Redirect / http://www.example.com/
ErrorDocument 404 https://doc.example.com/
php_flag engine off
ScriptAlias /cgi-bin/ /var/www/doc.example.com/cgi-bin/
<Location /cgi-bin>
 AuthType Basic
 AuthName "LDAP Auth"
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile "/dev/null"
 AuthLDAPURL "ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub"
 Require valid-user
</Location>
Alias /edit/ /var/www/doc.example.com/edit/
<Location /edit>
 AuthType Basic
 AuthName "LDAP Auth"
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile "/dev/null"
 AuthLDAPURL "ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub"
 Require valid-user
</Location>
ErrorDocument 404 http://doc.example.com
php_flag engine off
Include /etc/apache2/vhosts.d/auth-ldap-valid-user.include
ProxyPass / http://XXX.XXX.XXX.XXX/
ProxyPassReverse / http://XXX.XXX.XXX.XXX/
Redirect / https://fb.example.com/
Include /etc/apache2/vhosts.d/auth-ldap-valid-user.include
ProxyPass / http://shcizhcimxjev4mc.myfritz.net:81/
ProxyPassReverse / http://shcizhcimxjev4mc.myfritz.net:81
Redirect / https://fbofl.example.com/
SSLProxyEngine On
Include /etc/apache2/vhosts.d/auth-ldap-valid-user.include
ProxyPass /websockify ws://127.0.0.1:8081/ retry=3
ProxyPassReverse /websockify ws://127.0.0.1:8081/ retry=3
ProxyPass / http://127.0.0.1:8081/
ProxyPassReverse / http://127.0.0.1:8081/
Redirect / https://get.example.com/
SSLProxyEngine On
Include /etc/apache2/vhosts.d/auth-ldap-valid-user.include
ProxyPass /websockify ws://127.0.0.1:8080/ retry=3
ProxyPassReverse /websockify ws://127.0.0.1:8080/ retry=3
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
Redirect / https://getolli.example.com/
Alias /release-notes /gtc/stable/etc/thinclient/gtc-release-notes
Alias /release-notes-test /gtc/test/etc/thinclient/gtc-release-notes
<Directory /gtc>
 Require all denied
 Options None
 AllowOverride None
 <Files gtc-release-notes>
  Require all granted
 </Files>
</Directory>
ScriptAlias /cgi-bin/ /var/www/gtc.example.com/cgi-bin/
<Directory /var/www/gtc.example.com/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Require all granted
</Directory>
Redirect /vpnusers/ https://gtc.example.com/vpnusers/
Alias /release-notes /gtc/stable/etc/thinclient/gtc-release-notes
Alias /release-notes-test /gtc/test/etc/thinclient/gtc-release-notes
<Directory /gtc>
 Require all denied
 Options None
 AllowOverride None
 <Files gtc-release-notes>
 Require all granted
 </Files>
</Directory>
ScriptAlias /cgi-bin/ /var/www/gtc.example.com/cgi-bin/
<Directory /var/www/gtc.example.com/htdocs/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Require all granted
</Directory>
<Directory /var/www/horde.example.com/htdocs>
 Options FollowSymLinks
 AllowOverride All
</Directory>
php_value include_path /var/www/horde.example.com/pear/pear/php
SetEnv PHP_PEAR_SYSCONF_DIR /var/www/horde.example.com/pear
Alias /Microsoft-Server-ActiveSync /var/www/horde.example.com/htdocs/rpc.php
Alias /autodiscover/autodiscover.xml /var/www/horde.example.com/htdocs/rpc.php
Alias /Autodiscover/Autodiscover.xml /var/www/horde.example.com/htdocs/rpc.php
Alias /AutoDiscover/AutoDiscover.xml /var/www/horde.example.com/htdocs/rpc.php
Redirect / https://horde.example.com/
<Directory /var/www/horde-test.example.com/htdocs>
 AllowOverride All
 Options FollowSymLinks
</Directory>
  
php_value include_path /var/www/horde-test.example.com/pear/pear/php
SetEnv PHP_PEAR_SYSCONF_DIR /var/www/horde-test.example.com/pear
Alias /Microsoft-Server-ActiveSync /var/www/horde-test.example.com/htdocs/rpc.php
Alias /autodiscover/autodiscover.xml /var/www/horde-test.example.com/htdocs/rpc.php
Alias /Autodiscover/Autodiscover.xml /var/www/horde-test.example.com/htdocs/rpc.php
Alias /AutoDiscover/AutoDiscover.xml /var/www/horde-test.example.com/htdocs/rpc.php
Redirect / https://horde-test.example.com/
<Directory /usr/lib/mailman/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Require all granted
</Directory>
<Directory /usr/lib/mailman/icons/>
 AllowOverride None
 Require all granted
</Directory>
<Directory /var/lib/mailman/archives/public/>
 AllowOverride None
 Options ExecCGI FollowSymLinks
 Require all granted
</Directory>
RedirectMatch ^/mailman$ https://mailman.example.com/mailman/listinfo
ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /mailman-icons/ /usr/lib/mailman/icons/
Redirect / https://mailman.example.com/
ScriptAlias /cgi-bin/ /var/www/mdforms.example.com/cgi-bin/
<Directory /var/www/mdforms.example.com/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 AddHandler cgi-script .cgi .pl
 Require all granted
</Directory>
<Location />
 AuthName "Internal area"
 AuthType Basic
 AuthUserFile "/etc/apache2/test.htpasswd"
 Require valid-user
 Options Indexes
</Location>
<Directory /var/www/mdforms.example.com/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 AddHandler cgi-script .cgi .pl
 Require all granted
</Directory>
<Location />
 AuthName "Internal area"
 AuthType Basic
 AuthUserFile "/etc/apache2/test.htpasswd"
 Require valid-user
 Options Indexes
</Location>
DocumentRoot /srv/www/offlimits/htdocs
AssignUserID marcus users
DavLockDB /tmp/DavLock-offlimits
<Directory "/srv/www/offlimits/htdocs/">
 DAV on
 Options +Indexes
 AuthType Basic
 AuthName "OffLimits"
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile "/dev/null"
 AuthLDAPURL "ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub"
 Require user marcus
</Directory>
DocumentRoot /srv/www/offlimits/htdocs
AssignUserID marcus users
ServerAlias *.olgreenspirit.de
ServerAlias *.olgreenspirit.de
DocumentRoot /var/www/olmusic.example.com/htdocs
AssignUserID marco apache

DocumentRoot /var/www/olmusic.example.com/htdocs
Redirect /administrator https://olmusic.example.com/administrator
AssignUserID marco apache
Include /etc/apache2/vhosts.d/auth-ldap-valid-user.include
Alias /intern/awstats/icon/ /var/www/www.example.com/awstats-icon/
<Location /intern>
  Options Indexes
  DirectoryIndex awstats.example.com.html awstats.www.example.com.html awstats.doc.example.com.html awstats.mailserver.html awstats.horde.example.com.html awstats.gtc.example.com.html awstats.olgreenspirit.de.html index.php
</Location>
Redirect /intern/ https://www.example.com/intern/
<Directory /var/www/gtc.example.com/htdocs/vpnconfig>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require valid-user
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/bohlen>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user bohlen
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/flo>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user flo
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/harry>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user harry
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/heiko>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user heiko
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/ingo>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user ingo
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/krey>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user krey
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/olli>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user olli
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/rebecca>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user rebecca
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/werner>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthBasicAuthoritative Off
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user werner
</Directory>
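The blocks above repeat one pattern per VPN user: a `<Directory .../vpnusers/<name>>` protected by Basic auth against LDAP and a `Require user <name>` that must match the directory. As an added check (not part of the howto; the sample config is constructed and contains one correct block, one copy-paste mistake and one block without a Require line), this Python script parses such blocks and reports every per-user directory whose `Require` does not name its owner or that lacks the authentication directives:

```python
"""Consistency check for per-user Apache <Directory> blocks (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: bohlen is correct, flo re-uses bohlen's Require line
# (a copy-paste error that would give bohlen access to flo's files), and
# harry has no Require line at all.
SAMPLE_CONFIG = """
<Directory /var/www/gtc.example.com/htdocs/vpnusers/bohlen>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user bohlen
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/flo>
 AuthType Basic
 AuthName 'Data'
 AuthBasicProvider file ldap
 AuthUserFile '/dev/null'
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
 Require user bohlen
</Directory>

<Directory /var/www/gtc.example.com/htdocs/vpnusers/harry>
 AuthType Basic
 AuthLDAPURL 'ldap://127.0.0.1/ou=People,dc=example,dc=com?uid?sub'
</Directory>
"""

# One <Directory PATH> ... </Directory> section (non-greedy body, case-insensitive).
DIRECTORY_RE = re.compile(
    r"<Directory\s+(?P<path>\S+)\s*>(?P<body>.*?)</Directory>",
    re.DOTALL | re.IGNORECASE,
)


@dataclass
class DirBlock:
    path: str
    # directive name (lower-cased) -> list of values, quotes stripped
    directives: dict = field(default_factory=dict)


def parse_directory_blocks(text):
    """Return one DirBlock per <Directory> section found in text."""
    blocks = []
    for m in DIRECTORY_RE.finditer(text):
        block = DirBlock(path=m.group("path"))
        for raw in m.group("body").splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            block.directives.setdefault(name.lower(), []).append(
                value.strip().strip("'\""))
        blocks.append(block)
    return blocks


def check_vpnusers_blocks(text, marker="/vpnusers/"):
    """Return {path: [problems]} for every directory block under marker.

    A block is sound when it uses Basic auth, names an LDAP URL and restricts
    access with exactly 'Require user <owner>', where <owner> is the last path
    component.  Every deviation is reported; an empty list means the block is fine.
    """
    report = {}
    for block in parse_directory_blocks(text):
        if marker not in block.path:
            continue
        owner = block.path.rstrip("/").rsplit("/", 1)[-1]
        d = block.directives
        problems = []
        if [v.lower() for v in d.get("authtype", [])] != ["basic"]:
            problems.append("AuthType Basic missing")
        if "authldapurl" not in d:
            problems.append("AuthLDAPURL missing")
        requires = d.get("require", [])
        if not requires:
            # Without a Require directive nothing triggers authentication;
            # the directory inherits whatever its parent allows.
            problems.append("no Require directive: authentication is never enforced")
        for req in requires:
            parts = req.split()
            if parts[:1] != ["user"] or parts[1:] != [owner]:
                problems.append(
                    f"Require '{req}' does not match directory owner '{owner}'")
        report[block.path] = problems
    return report


if __name__ == "__main__":
    for path, problems in check_vpnusers_blocks(SAMPLE_CONFIG).items():
        print(path, "OK" if not problems else "; ".join(problems))
```

Run it against the real vhost file by passing `open("/etc/apache2/vhosts.d/01_vhosts.conf").read()` to `check_vpnusers_blocks` after every change to the per-user blocks.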

Changes in /etc/conf.d/apache2

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/apache2

Changed on 09.09.08
Issued by olli
Beginning line 36

Apache start options for enabling PHP5 and SSL

Before change
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"

After change
APACHE2_OPTS="-D DAV -D DAV_FS -D PHP5 -D SSL -D LANGUAGE -D PROXY -D MPM_ITK"

Changes in /etc/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/make.conf

Changed on 13.01.09
Issued by olli
Beginning line 26

The Apache MPM and the additional Apache modules that should be compiled in

APACHE2_MPMS="prefork"
APACHE2_MODULES="$APACHE2_MODULES cgid proxy proxy_http proxy_wstunnel macro"

Changes in /etc/php/gabosh-php.ini

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/php/gabosh-php.ini

Changed on 23.02.11
Issued by olli
Beginning line 1

PHP-Configuration

; Don't report notices, deprecation warnings or strict-standards messages
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
; Never display errors to the browser
display_errors = Off
display_startup_errors = Off
track_errors = Off
html_errors = Off
; Log errors to a file instead
error_log = /var/log/apache2/php_errors.log
; Maximum POST body size of 20MB
post_max_size = 20M
; Maximum upload size of 20MB (must not exceed post_max_size)
upload_max_filesize = 20M
; Default timezone for PHP
date.timezone = "Europe/Berlin"
; Maximum of 200 persistent MySQL connections per process
mysql.max_persistent = 200
; Maximum of 300 MySQL connections per process, persistent ones included
mysql.max_links = 300
; Keep session files outside the document roots (for security reasons) in /var/www/php_sessions
session.save_path = "/var/www/php_sessions"
; With the default gc_probability = 1 the session garbage collector runs on about 1 in 10000 requests
session.gc_divisor = 10000
; Maximum memory a single script may allocate
memory_limit = 256M

Setting up services

To start the new service automatically after a reboot, add it to a runlevel with the following command(s):

rc-update add apache2 default

Please send feedback to: doc<at>gabosh.net

File Index

/boot/grub/grub.cfg (Basesystem)
/etc/amavisd.conf (Mailserver)
/etc/apache2/modules.d/00_mod_log_config.conf (Webserver)
/etc/apache2/vhosts.d/01_vhosts.conf (Webserver)
/etc/asterisk/rtp.conf (Asterisk as SIP PBX)
/etc/awstats/awstats.doc.gabosh.net.conf (Statistics)
/etc/awstats/awstats.gabosh.net.conf (Statistics)
/etc/awstats/awstats.gtc.gabosh.net.conf (Statistics)
/etc/awstats/awstats.horde.gabosh.net.conf (Statistics)
/etc/awstats/awstats.mailserver.conf (Statistics)
/etc/awstats/awstats.olgreenspirit.de.conf (Statistics)
/etc/awstats/awstats.www.gabosh.net.conf (Statistics)
/etc/bind/named.conf (DNS)
/etc/clamd.conf (Mailserver)
/etc/conf.d/apache2 (Webserver)
/etc/conf.d/arpwatch (ARP monitoring)
/etc/conf.d/consolefont (Basesystem)
/etc/conf.d/dhcpd (DHCP-Server)
/etc/conf.d/dhcpd-wlan (DHCP-Server)
/etc/conf.d/hostname (Basesystem)
/etc/conf.d/in.tftpd (Server for thinclients)
/etc/conf.d/keymaps (Basesystem)
/etc/conf.d/net (Basesystem)
/etc/conf.d/net (WLAN Access Point)
/etc/conf.d/net (Basesystem)
/etc/conf.d/nfs (Server for thinclients)
/etc/conf.d/pulseaudio (Network Sound Server)
/etc/conf.d/saslauthd (OpenLDAP System authentication)
/etc/cron.daily/clearat.sh (Basesystem)
/etc/cron.daily/cyrus-purge.sh (IMAP/POP3-Server)
/etc/cron.daily/logrotate (Statistics)
/etc/cron.daily/logrotate (Mailserver)
/etc/cron.daily/pxe.cron (Server for thinclients)
/etc/cron.daily/spamassassinupdate (Mailserver)
/etc/cron.hourly/f2bcheck (Stopping brute-force-attacks with fail2ban)
/etc/cron.hourly/ntpdate.sh (Time-Server)
/etc/crontab (DynDNS)
/etc/crontab (Backup)
/etc/crontab (HD-Spindown)
/etc/crontab (OpenLDAP System authentication)
/etc/crontab (Mailserver)
/etc/crontab (VPN-Server)
/etc/crontab (Horde Groupware Webmail)
/etc/cron.weekly/gtcupdate (Thinclient - Basesystem)
/etc/cups/cupsd.conf (Printserver)
/etc/cups/mime.convs (Printserver)
/etc/cups/mime.types (Printserver)
/etc/cyrus.conf (IMAP/POP3-Server)
/etc/dhcp/dhcpd.conf (DHCP-Server)
/etc/dhcp/dhcpd.conf (Server for thinclients)
/etc/dhcp/dhcpd.conf (DHCP-Server)
/etc/dhcp/dhcpd-ldap.conf (DHCP-Server)
/etc/dhcp/dhcpd-ldap-wlan.conf (DHCP-Server)
/etc/dhcp/dhcpd-wlan.conf (DHCP-Server)
/etc/distcc/hosts (Distcc Client)
/etc/exports (Server for thinclients)
/etc/fail2ban/action.d/sendmail-common.local (Stopping brute-force-attacks with fail2ban)
/etc/fail2ban/jail.d/gabosh.conf (Stopping brute-force-attacks with fail2ban)
/etc/freshclam.conf (Mailserver)
/etc/fstab (Basesystem)
/etc/fstab (Server for thinclients)
/etc/hostapd/hostapd.conf (WLAN Access Point)
/etc/hostapd/hostapd.macaccept (WLAN Access Point)
/etc/hosts (Basesystem)
/etc/imapd.conf (IMAP/POP3-Server)
/etc/jabber/ejabberd.yml (Instand Messaging alternative Jabber)
/etc/ldap.conf (OpenLDAP)
/etc/ldap.conf.old (OpenLDAP System authentication)
/etc/local.d/services.start (Firewall)
/etc/local.d/services.start (Automatic System Documentation)
/etc/logrotate.conf (Basesystem)
/etc/logrotate.d/gabosh (Basesystem)
/etc/mail/aliases (Mailserver)
/etc/mailman/mm_cfg.py (Mailinglists with MailMan)
/etc/mail/spamassassin/local.cf (Mailserver)
/etc/make.conf (Basesystem)
/etc/make.conf (Webserver)
/etc/make.conf (Distcc Client)
/etc/mysql/my.cnf (MySQL-Server)
/etc/mysql/my.cnf.bak (MySQL-Server)
/etc/nscd.conf (OpenLDAP)
/etc/nsswitch.conf (OpenLDAP System authentication)
/etc/ntp.conf (Time-Server)
/etc/openldap/dhcp.ldif (DHCP-Server)
/etc/openldap/dns.ldif (DNS)
/etc/openldap/groupsingrpoups.ldif (OpenLDAP Groups in Groups)
/etc/openldap/ldap.conf (OpenLDAP)
/etc/openldap/ldap.ldif (OpenLDAP)
/etc/openldap/samba.ldif (File-Server - Samba)
/etc/openldap/schema/dlz.schema (OpenLDAP)
/etc/openldap/schema/dnszone.schema (OpenLDAP)
/etc/openldap/schema/gabosh.schema (OpenLDAP Groups in Groups)
/etc/openldap/schema/gabosh.schema (DNS)
/etc/openldap/schema/horde-turba.schema (Horde Groupware Webmail)
/etc/openldap/slapd.conf (OpenLDAP)
/etc/openldap/slapd.conf (DNS)
/etc/openldap/slapd.conf (File-Server - Samba)
/etc/openldap/slapd.conf (DHCP-Server)
/etc/openldap/slapd.conf (OpenLDAP)
/etc/openldap/slapd.conf (Horde Groupware Webmail)
/etc/openldap/slapd.conf (OpenLDAP)
/etc/openvpn/client/vpn-restart.sh (VPN-Client)
/etc/openvpn/openvpn.conf (VPN-Server)
/etc/pam.d/system-auth (OpenLDAP System authentication)
/etc/pam.d/system-auth (File-Server - Samba)
/etc/pam.d/system-auth (OpenLDAP System authentication)
/etc/php/gabosh-php.ini (Webserver)
/etc/portage/profile/use.mask (Network Sound Server)
/etc/postfix/main.cf (Mailserver)
/etc/postfix/main.cf (Mailinglists with MailMan)
/etc/postfix/master.cf (Mailserver)
/etc/profile.d/cyrus.sh (IMAP/POP3-Server)
/etc/profile.d/mailman.sh (Mailinglists with MailMan)
/etc/profile.d/root.sh (Basesystem)
/etc/pulse/system.pa (Network Sound Server)
/etc/rc.conf (Basesystem)
/etc/rsyncd.conf (Rsync Server)
/etc/rsyslog.d/00-gabosh.conf (Basesystem)
/etc/samba/smb.conf (File-Server - Samba)
/etc/samba/smb.conf (Printserver)
/etc/sane.d/saned.conf (Sane Scanner Server)
/etc/saslauthd.conf (OpenLDAP System authentication)
/etc/security/limits.d/samba.conf (File-Server - Samba)
/etc/ssh/sshd_config (Basesystem)
/etc/ssl/gabosh.net/readme (SSL/TLS with self signed SSL Certificate)
/etc/ssl/gabosh.net.self/readme (SSL/TLS with self signed SSL Certificate)
/etc/sysctl.conf (Firewall)
/etc/sysctl.conf (Basesystem)
/etc/xinetd.conf (Sane Scanner Server)
/etc/xinetd.d/sane-stream (Sane Scanner Server)
/gtc/pxe/pxelinux.cfg/default (Server for thinclients)
/gtc/test/etc/conf.d/hostname (Thinclient - Basesystem)
/gtc/test/etc/conf.d/sshd (Thinclient - Basesystem)
/gtc/test/etc/conf.d/xdm (Thinclient - X-Server)
/gtc/test/etc/crontab (Thinclient - Basesystem)
/gtc/test/etc/dhcpcd.conf (Thinclient - Basesystem)
/gtc/test/etc/distcc/hosts (Thinclient - Basesystem)
/gtc/test/etc/env.d/90xsession (Thinclient - X-Server)
/gtc/test/etc/init.d/checkroot (Thinclient - Basesystem)
/gtc/test/etc/lightdm/lightdm.conf (Thinclient - X-Server)
/gtc/test/etc/local.d/gtc.start (Thinclient - Basesystem)
/gtc/test/etc/local.d/gtc.stop (Thinclient - Basesystem)
/gtc/test/etc/make.conf (Thinclient - Basesystem)
/gtc/test/etc/make.conf (Thinclient - Kernel-based Virtual Machine - KVM)
/gtc/test/etc/portage/package.keywords (Thinclient - Basesystem)
/gtc/test/etc/postfix/main.cf (Thinclient - Basesystem)
/gtc/test/etc/profile.d/gtc.sh (Basesystem)
/gtc/test/etc/ssh/sshd_config (Thinclient - Basesystem)
/gtc/test/etc/ssl/gabosh.net/readme (SSL/TLS with self signed SSL Certificate)
/gtc/test/etc/thinclient/default-profile/start.sh (Thinclient - Profiling)
/gtc/test/etc/thinclient/global-profile/start.sh (Thinclient - Profiling)
/gtc/test/etc/thinclient/scripts/az (Sort files alphabetical)
/gtc/test/etc/thinclient/scripts/check-hdd.sh (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/check-mem.sh (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/check-swap.sh (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/check-temperature.sh (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-additional-sw-add (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-additional-sw-del (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-buildkernel (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-compiz (Thinclient - X-Server)
/gtc/test/etc/thinclient/scripts/gtc-crypt (Save passwords encrypted)
/gtc/test/etc/thinclient/scripts/gtc-diskinst (Thinclient - Install on local device)
/gtc/test/etc/thinclient/scripts/gtc-ieurl (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-info (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-install (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-instupdate (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-mkiso (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-rename (Rename files recursively)
/gtc/test/etc/thinclient/scripts/gtc-update (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-update-do (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-update-fetch (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-update-post (Thinclient - Basesystem)
/gtc/test/etc/thinclient/scripts/gtc-xconfig (Thinclient - X-Server)
/gtc/test/etc/thinclient/server-profile/etc/apache2/vhosts.d/vhosts.conf (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/bind/named.conf (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/conf.d/apache2 (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/conf.d/nfs (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/dhcp/dhcpd.conf (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/exports (Server for thinclients)
/gtc/test/etc/thinclient/server-profile/etc/openldap/schema/dnszone.schema (OpenLDAP)
/gtc/test/etc/thinclient/server-profile/etc/openldap/schema/gabosh.schema (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/openldap/slapd.conf (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/etc/phpldapadmin.conf (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/server-profile/start.sh (Thinclient - Thinclient as Server)
/gtc/test/etc/thinclient/startup/gtc-startupconfig (Thinclient - Kernel-based Virtual Machine - KVM)
/gtc/test/etc/thinclient/startup/gtc-startupconfig (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/gtc-startupconfig (Thinclient - Profiling)
/gtc/test/etc/thinclient/startup/jobs/gtc-anonproxy (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-autologin (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-distcc (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-ldap (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-local (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-localization (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-mountparts (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-nfsmount (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-nis (Thinclient - Basesystem)
/gtc/test/etc/thinclient/startup/jobs/gtc-zautoupdate (Thinclient - Basesystem)
/gtc/test/etc/thinclient/thinclient.conf (Thinclient - Basesystem)
/gtc/test/etc/thinclient/thinclient.conf.local (Thinclient - Basesystem)
/gtc/test/etc/wpa_supplicant/wpa_supplicant.conf (Thinclient - Wireless LAN)
/usr/local/bin/awstats (Statistics)
/usr/local/bin/az (Sort files alphabetical)
/usr/local/bin/changedocd.pl (Automatic System Documentation)
/usr/local/bin/gtc-rename (Rename files recursively)
/usr/local/bin/horde.sh (Horde Groupware Webmail)
/usr/local/bin/sysdoc.pl (Automatic System Documentation)
/usr/local/sbin/checkusers.sh (OpenLDAP System authentication)
/usr/local/sbin/cyr-create-mbox (IMAP/POP3-Server)
/usr/local/sbin/cyr-delete-mbox (IMAP/POP3-Server)
/usr/local/sbin/cyr-resize-mailbox.pl (IMAP/POP3-Server)
/usr/local/sbin/cyr-set-acl (IMAP/POP3-Server)
/usr/local/sbin/cyr-set-sieve.sh (IMAP/POP3-Server)
/usr/local/sbin/cyr-show-dirs (IMAP/POP3-Server)
/usr/local/sbin/cyr-show-mailboxes (IMAP/POP3-Server)
/usr/local/sbin/deduplicate.pl (File deduplication)
/usr/local/sbin/fireoff.sh (Firewall)
/usr/local/sbin/fire.sh (Firewall)
/usr/local/sbin/gtc-crypt (Save passwords encrypted)
/usr/local/sbin/hdspindown.sh (HD-Spindown)
/usr/local/sbin/hordetestwatch (Horde Groupware Webmail)
/usr/local/sbin/hordewatch (Horde Groupware Webmail)
/usr/local/sbin/mailaddresses.sh (Mailserver)
/usr/local/sbin/maillists.sh (Mailinglists with MailMan)
/usr/local/sbin/mkgtcstable.sh (Server for thinclients)
/usr/local/sbin/mkhordestable.sh (Horde Groupware Webmail)
/usr/local/sbin/msgwatch (Basesystem)
/usr/local/sbin/rsyncwatch (Basesystem)
/usr/local/sbin/smbwatch (File-Server - Samba)
/usr/local/sbin/vpnusercerts.sh (VPN-Server)
/usr/local/sbin/vpnwatch (VPN-Server)
/var/www/doc.gabosh.net/cgi-bin/changedoc.pl (Automatic System Documentation)
/var/www/doc.gabosh.net/htdocs/howto.css (Automatic System Documentation)
/var/www/horde.gabosh.net/htdocs/config/prefs.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/config/registry.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/imp/config/backends.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/imp/config/mime_drivers.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/imp/config/prefs.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/ingo/config/backends.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/kronolith/config/prefs.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/passwd/config/backends.local.php (Horde Groupware Webmail)
/var/www/horde.gabosh.net/htdocs/turba/config/prefs.local.php (Horde Groupware Webmail)
/var/www/www.gabosh.net/htdocs/intern/phpldapadmin/config/config.php (OpenLDAP WebGUI phpldapadmin)

GNU Free Documentation License

Version 1.3, 3 November 2008

Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. <http://fsf.org/>

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

The "publisher" means any person or entity that distributes copies of the Document to the public.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Document.

11. RELICENSING

"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus published on the MMC site.

"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.

"Incorporate" means to publish or republish a Document, in whole or in part, as part of another Document.

An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.

The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.