yannstatic/static/2020/10/21/VPS-Hetzner-CX11_debian_10.html

3666 lines
264 KiB
HTML
Raw Permalink Normal View History

2024-10-31 20:18:37 +01:00
<!DOCTYPE html><html lang="fr">
<head><meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"><title>HETZNER VPS CX11 debian 10 (wireguard et audio navidrome) - YannStatic</title>
<meta name="description" content="CX11 (1 vCore/2GoRam/20Go Nvme) Debian Buster">
<link rel="canonical" href="https://static.rnmkcy.eu/2020/10/21/VPS-Hetzner-CX11_debian_10.html"><link rel="alternate" type="application/rss+xml" title="YannStatic" href="/feed.xml">
<!-- - include head/favicon.html - -->
<link rel="shortcut icon" type="image/png" href="/assets/favicon/favicon.png"><link rel="stylesheet" href="/assets/css/main.css"><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.13/css/all.css" ><!-- start custom head snippets --><link rel="stylesheet" href="/assets/css/expand.css">
<!-- end custom head snippets --><script>(function() {
window.isArray = function(val) {
return Object.prototype.toString.call(val) === '[object Array]';
};
window.isString = function(val) {
return typeof val === 'string';
};
window.hasEvent = function(event) {
return 'on'.concat(event) in window.document;
};
window.isOverallScroller = function(node) {
return node === document.documentElement || node === document.body || node === window;
};
window.isFormElement = function(node) {
var tagName = node.tagName;
return tagName === 'INPUT' || tagName === 'SELECT' || tagName === 'TEXTAREA';
};
window.pageLoad = (function () {
var loaded = false, cbs = [];
window.addEventListener('load', function () {
var i;
loaded = true;
if (cbs.length > 0) {
for (i = 0; i < cbs.length; i++) {
cbs[i]();
}
}
});
return {
then: function(cb) {
cb && (loaded ? cb() : (cbs.push(cb)));
}
};
})();
})();
(function() {
window.throttle = function(func, wait) {
var args, result, thisArg, timeoutId, lastCalled = 0;
function trailingCall() {
lastCalled = new Date;
timeoutId = null;
result = func.apply(thisArg, args);
}
return function() {
var now = new Date,
remaining = wait - (now - lastCalled);
args = arguments;
thisArg = this;
if (remaining <= 0) {
clearTimeout(timeoutId);
timeoutId = null;
lastCalled = now;
result = func.apply(thisArg, args);
} else if (!timeoutId) {
timeoutId = setTimeout(trailingCall, remaining);
}
return result;
};
};
})();
(function() {
var Set = (function() {
var add = function(item) {
var i, data = this._data;
for (i = 0; i < data.length; i++) {
if (data[i] === item) {
return;
}
}
this.size ++;
data.push(item);
return data;
};
var Set = function(data) {
this.size = 0;
this._data = [];
var i;
if (data.length > 0) {
for (i = 0; i < data.length; i++) {
add.call(this, data[i]);
}
}
};
Set.prototype.add = add;
Set.prototype.get = function(index) { return this._data[index]; };
Set.prototype.has = function(item) {
var i, data = this._data;
for (i = 0; i < data.length; i++) {
if (this.get(i) === item) {
return true;
}
}
return false;
};
Set.prototype.is = function(map) {
if (map._data.length !== this._data.length) { return false; }
var i, j, flag, tData = this._data, mData = map._data;
for (i = 0; i < tData.length; i++) {
for (flag = false, j = 0; j < mData.length; j++) {
if (tData[i] === mData[j]) {
flag = true;
break;
}
}
if (!flag) { return false; }
}
return true;
};
Set.prototype.values = function() {
return this._data;
};
return Set;
})();
window.Lazyload = (function(doc) {
var queue = {js: [], css: []}, sources = {js: {}, css: {}}, context = this;
var createNode = function(name, attrs) {
var node = doc.createElement(name), attr;
for (attr in attrs) {
if (attrs.hasOwnProperty(attr)) {
node.setAttribute(attr, attrs[attr]);
}
}
return node;
};
var end = function(type, url) {
var s, q, qi, cbs, i, j, cur, val, flag;
if (type === 'js' || type ==='css') {
s = sources[type], q = queue[type];
s[url] = true;
for (i = 0; i < q.length; i++) {
cur = q[i];
if (cur.urls.has(url)) {
qi = cur, val = qi.urls.values();
qi && (cbs = qi.callbacks);
for (flag = true, j = 0; j < val.length; j++) {
cur = val[j];
if (!s[cur]) {
flag = false;
}
}
if (flag && cbs && cbs.length > 0) {
for (j = 0; j < cbs.length; j++) {
cbs[j].call(context);
}
qi.load = true;
}
}
}
}
};
var load = function(type, urls, callback) {
var s, q, qi, node, i, cur,
_urls = typeof urls === 'string' ? new Set([urls]) : new Set(urls), val, url;
if (type === 'js' || type ==='css') {
s = sources[type], q = queue[type];
for (i = 0; i < q.length; i++) {
cur = q[i];
if (_urls.is(cur.urls)) {
qi = cur;
break;
}
}
val = _urls.values();
if (qi) {
callback && (qi.load || qi.callbacks.push(callback));
callback && (qi.load && callback());
} else {
q.push({
urls: _urls,
callbacks: callback ? [callback] : [],
load: false
});
for (i = 0; i < val.length; i++) {
node = null, url = val[i];
if (s[url] === undefined) {
(type === 'js' ) && (node = createNode('script', { src: url }));
(type === 'css') && (node = createNode('link', { rel: 'stylesheet', href: url }));
if (node) {
node.onload = (function(type, url) {
return function() {
end(type, url);
};
})(type, url);
(doc.head || doc.body).appendChild(node);
s[url] = false;
}
}
}
}
}
};
return {
js: function(url, callback) {
load('js', url, callback);
},
css: function(url, callback) {
load('css', url, callback);
}
};
})(this.document);
})();
</script><script>
(function() {
var TEXT_VARIABLES = {
version: '2.2.6',
sources: {
font_awesome: 'https://use.fontawesome.com/releases/v5.0.13/css/all.css',
jquery: '/assets/js/jquery.min.js',
leancloud_js_sdk: '//cdn.jsdelivr.net/npm/leancloud-storage@3.13.2/dist/av-min.js',
chart: 'https://cdn.bootcss.com/Chart.js/2.7.2/Chart.bundle.min.js',
gitalk: {
js: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.js',
css: 'https://cdn.bootcss.com/gitalk/1.2.2/gitalk.min.css'
},
valine: 'https://unpkg.com/valine/dist/Valine.min.js'
},
site: {
toc: {
selectors: 'h1,h2,h3'
}
},
paths: {
search_js: '/assets/search.js'
}
};
window.TEXT_VARIABLES = TEXT_VARIABLES;
})();
</script>
</head>
<body>
<div class="root" data-is-touch="false">
<div class="layout--page js-page-root"><!----><div class="page__main js-page-main page__viewport hide-footer has-aside has-aside cell cell--auto">
<div class="page__main-inner"><div class="page__header d-print-none"><header class="header"><div class="main">
<div class="header__title">
<div class="header__brand"><svg id="svg" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="478.9473684210526" viewBox="0, 0, 400,478.9473684210526"><g id="svgg"><path id="path0" d="M308.400 56.805 C 306.970 56.966,303.280 57.385,300.200 57.738 C 290.906 58.803,278.299 59.676,269.200 59.887 L 260.600 60.085 259.400 61.171 C 258.010 62.428,256.198 63.600,255.645 63.600 C 255.070 63.600,252.887 65.897,252.598 66.806 C 252.460 67.243,252.206 67.600,252.034 67.600 C 251.397 67.600,247.206 71.509,247.202 72.107 C 247.201 72.275,246.390 73.190,245.400 74.138 C 243.961 75.517,243.598 76.137,243.592 77.231 C 243.579 79.293,241.785 83.966,240.470 85.364 C 239.176 86.740,238.522 88.365,237.991 91.521 C 237.631 93.665,236.114 97.200,235.554 97.200 C 234.938 97.200,232.737 102.354,232.450 104.472 C 232.158 106.625,230.879 109.226,229.535 110.400 C 228.933 110.926,228.171 113.162,226.434 119.500 C 226.178 120.435,225.795 121.200,225.584 121.200 C 225.373 121.200,225.200 121.476,225.200 121.813 C 225.200 122.149,224.885 122.541,224.500 122.683 C 223.606 123.013,223.214 123.593,223.204 124.600 C 223.183 126.555,220.763 132.911,219.410 134.562 C 218.443 135.742,217.876 136.956,217.599 138.440 C 217.041 141.424,215.177 146.434,214.532 146.681 C 214.240 146.794,214.000 147.055,214.000 147.261 C 214.000 147.467,213.550 148.086,213.000 148.636 C 212.450 149.186,212.000 149.893,212.000 150.208 C 212.000 151.386,208.441 154.450,207.597 153.998 C 206.319 153.315,204.913 150.379,204.633 147.811 C 204.365 145.357,202.848 142.147,201.759 141.729 C 200.967 141.425,199.200 137.451,199.200 135.974 C 199.200 134.629,198.435 133.224,196.660 131.311 C 195.363 129.913,194.572 128.123,193.870 125.000 C 193.623 123.900,193.236 122.793,193.010 122.540 C 190.863 120.133,190.147 118.880,188.978 115.481 C 188.100 112.928,187.151 111.003,186.254 109.955 C 185.358 108.908,184.518 107.204,183.847 105.073 C 183.280 103.273,182.497 101.329,182.108 100.753 C 181.719 100.177,180.904 98.997,180.298 98.131 C 179.693 97.265,178.939 95.576,178.624 94.378 C 178.041 92.159,177.125 90.326,175.023 87.168 C 174.375 86.196,173.619 84.539,173.342 83.486 C 172.800 81.429,171.529 79.567,170.131 78.785 C 169.654 78.517,168.697 77.511,168.006 76.549 C 167.316 75.587,166.594 74.800,166.402 74.800 C 166.210 74.800,164.869 73.633,163.421 72.206 C 160.103 68.936,161.107 69.109,146.550 69.301 C 133.437 69.474,128.581 70.162,126.618 72.124 C 126.248 72.495,125.462 72.904,124.872 73.033 C 124.282 73.163,123.088 73.536,122.219 73.863 C 121.349 74.191,119.028 74.638,117.061 74.858 C 113.514 75.254,109.970 76.350,108.782 77.419 C 107.652 78.436,100.146 80.400,97.388 80.400 C 95.775 80.400,93.167 81.360,91.200 82.679 C 90.430 83.195,89.113 83.804,88.274 84.031 C 85.875 84.681,78.799 90.910,74.400 96.243 L 73.400 97.456 73.455 106.028 C 73.526 117.055,74.527 121.238,77.820 124.263 C 78.919 125.273,80.400 127.902,80.400 128.842 C 80.400 129.202,81.075 130.256,81.900 131.186 C 83.563 133.059,85.497 136.346,86.039 138.216 C 86.233 138.886,87.203 140.207,88.196 141.153 C 89.188 142.098,90.000 143.104,90.000 143.388 C 90.000 144.337,92.129 148.594,92.869 149.123 C 93.271 149.410,93.600 149.831,93.600 150.059 C 93.600 150.286,93.932 150.771,94.337 151.136 C 94.743 151.501,95.598 153.004,96.237 154.475 C 96.877 155.947,97.760 157.351,98.200 157.596 C 98.640 157.841,99.900 159.943,101.000 162.267 C 102.207 164.817,103.327 166.644,103.825 166.876 C 104.278 167.087,105.065 168.101,105.573 169.130 C 107.658 173.348,108.097 174.093,110.006 176.647 C 111.103 178.114,112.000 179.725,112.000 180.227 C 112.000 181.048,113.425 183.163,114.678 184.200 C 115.295 184.711,117.396 188.733,117.720 190.022 C 117.855 190.562,118.603 191.633,119.381 192.402 C 120.160 193.171,121.496 195.258,122.351 197.039 C 123.206 198.820,124.167 200.378,124.487 200.501 C 124.807 200.624,125.953 202.496,127.034 204.662 C 128.114 206.828,129.676 209.299,130.505 210.153 C 131.333 211.007,132.124 212.177,132.262 212.753 C 132.618 214.239,134.291 217.048,136.288 219.5
" href="/">YannStatic</a></div><!--<button class="button button--secondary button--circle search-button js-search-toggle"><i class="fas fa-search"></i></button>--><!-- <li><button class="button button--secondary button--circle search-button js-search-toggle"><i class="fas fa-search"></i></button></li> -->
<!-- Champ de recherche -->
<div id="searchbox" class="search search--dark" style="visibility: visible">
<div class="main">
<div class="search__header"></div>
<div class="search-bar">
<div class="search-box js-search-box">
<div class="search-box__icon-search"><i class="fas fa-search"></i></div>
<input id="search-input" type="text" />
<!-- <div class="search-box__icon-clear js-icon-clear">
<a><i class="fas fa-times"></i></a>
</div> -->
</div>
</div>
</div>
</div>
<!-- Script pointing to search-script.js -->
<script>/*!
* Simple-Jekyll-Search
* Copyright 2015-2020, Christian Fei
* Licensed under the MIT License.
*/
(function(){
'use strict'
var _$Templater_7 = {
compile: compile,
setOptions: setOptions
}
const options = {}
options.pattern = /\{(.*?)\}/g
options.template = ''
options.middleware = function () {}
function setOptions (_options) {
options.pattern = _options.pattern || options.pattern
options.template = _options.template || options.template
if (typeof _options.middleware === 'function') {
options.middleware = _options.middleware
}
}
function compile (data) {
return options.template.replace(options.pattern, function (match, prop) {
const value = options.middleware(prop, data[prop], options.template)
if (typeof value !== 'undefined') {
return value
}
return data[prop] || match
})
}
'use strict';
function fuzzysearch (needle, haystack) {
var tlen = haystack.length;
var qlen = needle.length;
if (qlen > tlen) {
return false;
}
if (qlen === tlen) {
return needle === haystack;
}
outer: for (var i = 0, j = 0; i < qlen; i++) {
var nch = needle.charCodeAt(i);
while (j < tlen) {
if (haystack.charCodeAt(j++) === nch) {
continue outer;
}
}
return false;
}
return true;
}
var _$fuzzysearch_1 = fuzzysearch;
'use strict'
/* removed: const _$fuzzysearch_1 = require('fuzzysearch') */;
var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
function FuzzySearchStrategy () {
this.matches = function (string, crit) {
return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
}
}
'use strict'
var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
function LiteralSearchStrategy () {
this.matches = function (str, crit) {
if (!str) return false
str = str.trim().toLowerCase()
crit = crit.trim().toLowerCase()
return crit.split(' ').filter(function (word) {
return str.indexOf(word) >= 0
}).length === crit.split(' ').length
}
}
'use strict'
var _$Repository_4 = {
put: put,
clear: clear,
search: search,
setOptions: __setOptions_4
}
/* removed: const _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
/* removed: const _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
function NoSort () {
return 0
}
const data = []
let opt = {}
opt.fuzzy = false
opt.limit = 10
opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = NoSort
opt.exclude = []
function put (data) {
if (isObject(data)) {
return addObject(data)
}
if (isArray(data)) {
return addArray(data)
}
return undefined
}
function clear () {
data.length = 0
return data
}
function isObject (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
}
function isArray (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
}
function addObject (_data) {
data.push(_data)
return data
}
function addArray (_data) {
const added = []
clear()
for (let i = 0, len = _data.length; i < len; i++) {
if (isObject(_data[i])) {
added.push(addObject(_data[i]))
}
}
return added
}
function search (crit) {
if (!crit) {
return []
}
return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
}
function __setOptions_4 (_opt) {
opt = _opt || {}
opt.fuzzy = _opt.fuzzy || false
opt.limit = _opt.limit || 10
opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = _opt.sort || NoSort
opt.exclude = _opt.exclude || []
}
function findMatches (data, crit, strategy, opt) {
const matches = []
for (let i = 0; i < data.length && matches.length < opt.limit; i++) {
const match = findMatchesInObject(data[i], crit, strategy, opt)
if (match) {
matches.push(match)
}
}
return matches
}
function findMatchesInObject (obj, crit, strategy, opt) {
for (const key in obj) {
if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
return obj
}
}
}
function isExcluded (term, excludedTerms) {
for (let i = 0, len = excludedTerms.length; i < len; i++) {
const excludedTerm = excludedTerms[i]
if (new RegExp(excludedTerm).test(term)) {
return true
}
}
return false
}
/* globals ActiveXObject:false */
'use strict'
var _$JSONLoader_2 = {
load: load
}
function load (location, callback) {
const xhr = getXHR()
xhr.open('GET', location, true)
xhr.onreadystatechange = createStateChangeListener(xhr, callback)
xhr.send()
}
function createStateChangeListener (xhr, callback) {
return function () {
if (xhr.readyState === 4 && xhr.status === 200) {
try {
callback(null, JSON.parse(xhr.responseText))
} catch (err) {
callback(err, null)
}
}
}
}
function getXHR () {
return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
}
'use strict'
var _$OptionsValidator_3 = function OptionsValidator (params) {
if (!validateParams(params)) {
throw new Error('-- OptionsValidator: required options missing')
}
if (!(this instanceof OptionsValidator)) {
return new OptionsValidator(params)
}
const requiredOptions = params.required
this.getRequiredOptions = function () {
return requiredOptions
}
this.validate = function (parameters) {
const errors = []
requiredOptions.forEach(function (requiredOptionName) {
if (typeof parameters[requiredOptionName] === 'undefined') {
errors.push(requiredOptionName)
}
})
return errors
}
function validateParams (params) {
if (!params) {
return false
}
return typeof params.required !== 'undefined' && params.required instanceof Array
}
}
'use strict'
var _$utils_9 = {
merge: merge,
isJSON: isJSON
}
function merge (defaultParams, mergeParams) {
const mergedOptions = {}
for (const option in defaultParams) {
mergedOptions[option] = defaultParams[option]
if (typeof mergeParams[option] !== 'undefined') {
mergedOptions[option] = mergeParams[option]
}
}
return mergedOptions
}
function isJSON (json) {
try {
if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
return true
}
return false
} catch (err) {
return false
}
}
var _$src_8 = {};
(function (window) {
'use strict'
let options = {
searchInput: null,
resultsContainer: null,
json: [],
success: Function.prototype,
searchResultTemplate: '<li><a href="{url}" title="{desc}">{title}</a></li>',
templateMiddleware: Function.prototype,
sortMiddleware: function () {
return 0
},
noResultsText: 'No results found',
limit: 10,
fuzzy: false,
debounceTime: null,
exclude: []
}
let debounceTimerHandle
const debounce = function (func, delayMillis) {
if (delayMillis) {
clearTimeout(debounceTimerHandle)
debounceTimerHandle = setTimeout(func, delayMillis)
} else {
func.call()
}
}
const requiredOptions = ['searchInput', 'resultsContainer', 'json']
/* removed: const _$Templater_7 = require('./Templater') */;
/* removed: const _$Repository_4 = require('./Repository') */;
/* removed: const _$JSONLoader_2 = require('./JSONLoader') */;
const optionsValidator = _$OptionsValidator_3({
required: requiredOptions
})
/* removed: const _$utils_9 = require('./utils') */;
window.SimpleJekyllSearch = function (_options) {
const errors = optionsValidator.validate(_options)
if (errors.length > 0) {
throwError('You must specify the following required options: ' + requiredOptions)
}
options = _$utils_9.merge(options, _options)
_$Templater_7.setOptions({
template: options.searchResultTemplate,
middleware: options.templateMiddleware
})
_$Repository_4.setOptions({
fuzzy: options.fuzzy,
limit: options.limit,
sort: options.sortMiddleware,
exclude: options.exclude
})
if (_$utils_9.isJSON(options.json)) {
initWithJSON(options.json)
} else {
initWithURL(options.json)
}
const rv = {
search: search
}
typeof options.success === 'function' && options.success.call(rv)
return rv
}
function initWithJSON (json) {
_$Repository_4.put(json)
registerInput()
}
function initWithURL (url) {
_$JSONLoader_2.load(url, function (err, json) {
if (err) {
throwError('failed to get JSON (' + url + ')')
}
initWithJSON(json)
})
}
function emptyResultsContainer () {
options.resultsContainer.innerHTML = ''
}
function appendToResultsContainer (text) {
options.resultsContainer.innerHTML += text
}
function registerInput () {
options.searchInput.addEventListener('input', function (e) {
if (isWhitelistedKey(e.which)) {
emptyResultsContainer()
debounce(function () { search(e.target.value) }, options.debounceTime)
}
})
}
function search (query) {
if (isValidQuery(query)) {
emptyResultsContainer()
render(_$Repository_4.search(query), query)
}
}
function render (results, query) {
const len = results.length
if (len === 0) {
return appendToResultsContainer(options.noResultsText)
}
for (let i = 0; i < len; i++) {
results[i].query = query
appendToResultsContainer(_$Templater_7.compile(results[i]))
}
}
function isValidQuery (query) {
return query && query.length > 0
}
function isWhitelistedKey (key) {
return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
}
function throwError (message) {
throw new Error('SimpleJekyllSearch --- ' + message)
}
})(window)
}());
</script>
<!-- Configuration -->
<script>
SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
json: '/search.json',
//searchResultTemplate: '<li><a href="https://static.rnmkcy.eu{url}">{date}&nbsp;{title}</a></li>'
searchResultTemplate: '<li><a href="{url}">{date}&nbsp;{title}</a></li>'
})
</script>
<!-- Fin déclaration champ de recherche --></div><nav class="navigation">
<ul><li class="navigation__item"><a href="/archive.html">Etiquettes</a></li><li class="navigation__item"><a href="/htmldoc.html">Documents</a></li><li class="navigation__item"><a href="/liens_ttrss.html">Liens</a></li><li class="navigation__item"><a href="/aide-jekyll-text-theme.html">Aide</a></li></ul>
</nav></div>
</header>
</div><div class="page__content"><div class ="main"><div class="grid grid--reverse">
<div class="col-main cell cell--auto"><!-- start custom main top snippet --><div id="results-container" class="search-result js-search-result"></div><!-- end custom main top snippet -->
<article itemscope itemtype="http://schema.org/Article"><div class="article__header"><header><h1 style="color:Tomato;">HETZNER VPS CX11 debian 10 (wireguard et audio navidrome)</h1></header></div><meta itemprop="headline" content="HETZNER VPS CX11 debian 10 (wireguard et audio navidrome)"><div class="article__info clearfix"><ul class="left-col menu"><li>
2024-11-08 14:10:33 +01:00
<a class="button button--secondary button--pill button--sm" style="color:#00FFFF" href="/archive.html?tag=vps">vps</a>
2024-10-31 20:18:37 +01:00
</li><li>
2024-11-08 14:10:33 +01:00
<a class="button button--secondary button--pill button--sm" style="color:#00FFFF" href="/archive.html?tag=serveur">serveur</a>
2024-10-31 20:18:37 +01:00
</li></ul><ul class="right-col menu"><li>
<i class="far fa-calendar-alt"></i>&nbsp;<span title="Création" style="color:#FF00FF">21&nbsp;oct.&nbsp;&nbsp;2020</span>
<span title="Modification" style="color:#00FF7F">10&nbsp;nov.&nbsp;&nbsp;2020</span></li></ul></div><meta itemprop="datePublished" content="2020-11-10T00:00:00+01:00">
<meta itemprop="keywords" content="vps,serveur"><div class="js-article-content">
<div class="layout--article"><!-- start custom article top snippet -->
<style>
#myBtn {
display: none;
position: fixed;
bottom: 10px;
right: 10px;
z-index: 99;
font-size: 12px;
font-weight: bold;
border: none;
outline: none;
background-color: white;
color: black;
cursor: pointer;
padding: 5px;
border-radius: 4px;
}
#myBtn:hover {
background-color: #555;
}
</style>
<button onclick="topFunction()" id="myBtn" title="Haut de page">&#8679;</button>
<script>
//Get the button
var mybutton = document.getElementById("myBtn");
// When the user scrolls down 20px from the top of the document, show the button
window.onscroll = function() {scrollFunction()};
function scrollFunction() {
if (document.body.scrollTop > 20 || document.documentElement.scrollTop > 20) {
mybutton.style.display = "block";
} else {
mybutton.style.display = "none";
}
}
// When the user clicks on the button, scroll to the top of the document
function topFunction() {
document.body.scrollTop = 0;
document.documentElement.scrollTop = 0;
}
</script>
<!-- end custom article top snippet -->
<div class="article__content" itemprop="articleBody"><details>
<summary><b>Afficher/cacher Sommaire</b></summary>
<!-- affichage sommaire -->
<div class="toc-aside js-toc-root"></div>
</details><p><a href="https://www.hetzner.com/cloud-fr"><img src="/images/HetznerLogo.png" alt="HETZNER" /></a><em>CX11 (1 vCore/2GoRam/20Go Nvme) Debian Buster</em></p>
<h1 id="serveur-cx11">Serveur CX11</h1>
<h2 id="-debian-10"><img src="/images/debian-buster-logo1.png" alt="Debian Buster" width="100" /> Debian 10</h2>
<p>PARAMETRES DACCES:<br />
Ladresse IPv4 du VPS est : 135.181.27.140<br />
Ladresse IPv6 du VPS est : 2a01:4f9:c010:9c70::/64</p>
<p>Le nom du VPS est : debian-cx11<br />
Connexion SSH en “root” sans mot de passe</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh root@135.181.27.140
</code></pre></div></div>
<p>Créer mot de passe “root”</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>passwd
</code></pre></div></div>
<p>Réseau</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 96:00:00:77:60:dc brd ff:ff:ff:ff:ff:ff
inet 135.181.27.140/32 brd 135.181.27.140 scope global dynamic eth0
valid_lft 84339sec preferred_lft 84339sec
inet6 2a01:4f9:c010:9c70::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::9400:ff:fe77:60dc/64 scope link
valid_lft forever preferred_lft forever
</code></pre></div></div>
<p>Noyau et OS : <code class="language-plaintext highlighter-rouge">uname -a</code></p>
<p>Linux debian-cx11 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux</p>
<p>Noyau kernel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>linux-image-4.19.0-12-amd64/stable,stable,now 4.19.152-1 amd64 [installed,automatic]
Linux 4.19 for 64-bit PCs (signed)
</code></pre></div></div>
<p>Paramétrage fuseau <strong>Europe/Paris</strong> : <code class="language-plaintext highlighter-rouge">dpkg-reconfigure tzdata</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Current default time zone: 'Europe/Paris'
Local time is now: Tue Oct 20 13:01:37 CEST 2020.
Universal Time is now: Tue Oct 20 11:01:37 UTC 2020.
</code></pre></div></div>
<h3 id="création-utilisateur">Création utilisateur</h3>
<p>Utilisateur <strong>cxuser</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>useradd -m -d /home/cxuser/ -s /bin/bash cxuser
</code></pre></div></div>
<p>Mot de passe <strong>cxuser</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>passwd cxuser
</code></pre></div></div>
<p>Visudo pour les accès root via utilisateur <strong>cxuser</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "cxuser ALL=(ALL) NOPASSWD: ALL" &gt;&gt; /etc/sudoers
</code></pre></div></div>
<h3 id="-openssh-clé-et-script"><img src="/images/openssh-logo.png" alt="OpenSSH" /> OpenSSH, clé et script</h3>
<p><strong>connexion avec clé</strong><br />
<u>sur l'ordinateur de bureau</u>
Générer une paire de clé curve25519-sha256 (ECDH avec Curve25519 et SHA2) nommé <strong>cx11_ed25519</strong> pour une liaison SSH avec le serveur KVM.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/cx11_ed25519
</code></pre></div></div>
<p>Envoyer la clé publique sur le serveur KVM</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>scp ~/.ssh/cx11_ed25519.pub cxuser@135.181.27.140:/home/cxuser/
</code></pre></div></div>
<p><u>sur le serveur KVM</u>
On se connecte</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh cxuser@135.181.27.140
</code></pre></div></div>
<p>Copier le contenu de la clé publique dans /home/$USER/.ssh/authorized_keys</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd ~
</code></pre></div></div>
<p>Sur le KVM ,créer un dossier .ssh</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> .ssh
<span class="nb">cat</span> <span class="nv">$HOME</span>/cx11_ed25519.pub <span class="o">&gt;&gt;</span> <span class="nv">$HOME</span>/.ssh/authorized_keys
<span class="nb">chmod </span>600 <span class="nv">$HOME</span>/.ssh/authorized_keys <span class="c"># donner les droits</span>
<span class="nb">rm</span> <span class="nv">$HOME</span>/cx11_ed25519.pub <span class="c"># effacer le fichier de la clé </span>
</code></pre></div></div>
<p>Modifier la configuration serveur SSH</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nano /etc/ssh/sshd_config
</code></pre></div></div>
<p>Modifier</p>
<div class="language-conf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">Port</span> <span class="m">55140</span>
<span class="n">PermitRootLogin</span> <span class="n">no</span>
<span class="n">PasswordAuthentication</span> <span class="n">no</span>
</code></pre></div></div>
<p><u>session SSH ne se termine pas correctement lors d'un "reboot" à distance</u><br />
Si vous tentez de <strong>redémarrer/éteindre</strong> une machine distance par <strong>ssh</strong>, vous pourriez constater que votre session ne se termine pas correctement, vous laissant avec un terminal inactif jusquà lexpiration dun long délai dinactivité. Il existe un bogue 751636 à ce sujet. Pour linstant, la solution de contournement à ce problème est dinstaller :</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install libpam-systemd # installé par défaut sur debian buster
</code></pre></div></div>
<p>cela terminera la session ssh avant que le réseau ne tombe.<br />
Veuillez noter quil est nécessaire que PAM soit activé dans sshd.</p>
<p>Relancer openSSH</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl restart sshd
</code></pre></div></div>
<p>Accès depuis le poste distant avec la clé privée</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh -p 55140 -i ~/.ssh/cx11_ed25519 cxuser@135.181.27.140
</code></pre></div></div>
<h3 id="outils-scripts-motd-et-ssh_rc_bash">Outils, scripts motd et ssh_rc_bash</h3>
<p>Installer utilitaires</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install rsync curl tmux jq figlet git dnsutils tree -y
</code></pre></div></div>
<p>Motd</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo rm /etc/motd &amp;&amp; sudo nano /etc/motd
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> _ _ _ _ _
__| | ___ | |__ (_) __ _ _ _ ___ __ __ __/ |/ |
/ _` |/ -_)| '_ \| |/ _` || ' \|___|/ _|\ \ /| || |
\__,_|\___||_.__/|_|\__,_||_||_| \__|/_\_\|_||_| _
___ _ _ ___ ___| |_ | |(_) _ _ ___ _ _ ___ | |_
/ _ \| || |/ -_)(_-&lt;| _|| || || ' \ / -_) _ | ' \ / -_)| _|
\___/ \_,_|\___|/__/ \__||_||_||_||_|\___|(_)|_||_|\___| \__|
</code></pre></div></div>
<p>Script <strong>ssh_rc_bash</strong></p>
<blockquote>
<p><strong>ATTENTION!!! Les scripts sur connexion peuvent poser des problèmes pour des appels externes autres que ssh</strong></p>
</blockquote>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://static.xoyaz.xyz/files/ssh_rc_bash
chmod +x ssh_rc_bash # rendre le bash exécutable
./ssh_rc_bash # exécution
</code></pre></div></div>
<p><img src="/images/cx11-debian.png" alt="" /></p>
<p><strong>Historique de la ligne de commande</strong><br />
Ajoutez la recherche dhistorique de la ligne de commande au terminal.
Tapez un début de commande précédent, puis utilisez shift + up (flèche haut) pour rechercher lhistorique filtré avec le début de la commande.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Global, tout utilisateur
echo '"\e[1;2A": history-search-backward' | sudo tee -a /etc/inputrc
echo '"\e[1;2B": history-search-forward' | sudo tee -a /etc/inputrc
</code></pre></div></div>
<h3 id="hostname">Hostname</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>hostnamectl
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> Static hostname: debian-cx11
Icon name: computer-vm
Chassis: vm
Machine ID: 4d2c7b3c5f0449e5beb2c07529923b2f
Boot ID: 49aecdc33f204c81a24164b17e982b76
Virtualization: kvm
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 5.8.0-0.bpo.2-amd64
Architecture: x86-64
</code></pre></div></div>
<h3 id="-domaine-ouestlinexyz"><img src="/images/dns-logo.png" alt="dns" width="30" /> Domaine ouestline.xyz</h3>
<p>Zone dns OVH</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$TTL 3600
@ IN SOA dns111.ovh.net. tech.ovh.net. (2020102003 86400 3600 3600000 300)
IN NS dns111.ovh.net.
IN NS ns111.ovh.net.
IN A 135.181.27.140
IN AAAA 2a01:4f9:c010:9c70::1
wg IN CNAME ouestline.xyz.
zic IN CNAME ouestline.xyz.
</code></pre></div></div>
<p><a href="https://console.hetzner.cloud/projects/585797/servers/8123736/network">HETZNER network</a> : Reverse DNS sur “server” , IP 135.181.27.140 et 2a01:4f9:c010:9c70::1 → ouestline.xyz</p>
<p>Domaine rnmkcy.eu</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$TTL 3600
@ IN SOA dns110.ovh.net. tech.ovh.net. (2020101109 86400 3600 3600000 300)
IN NS dns110.ovh.net.
IN NS ns110.ovh.net.
IN A 135.181.27.140
IN AAAA 2a01:4f9:c010:9c70::1
wg IN CNAME rnmkcy.eu.
zic IN CNAME rnmkcy.eu.
</code></pre></div></div>
<h3 id="certificats--ouestlinexyz">Certificats <img src="/images/LetsEncrypt.png" alt="LetsEncrypt.png" width="100" /> ouestline.xyz</h3>
<p>Installer acme: <a href="https://blog.cinay.xyz/2017/08/Acme-Certficats-Serveurs.html">Serveur , installer et renouveler les certificats SSL Lets encrypt via Acme</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd ~
sudo apt install socat -y # prérequis
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install # se déconnecter pour prise en compte
# export des clé API OVH
</code></pre></div></div>
<p>Générer les certificats pour le domaine ouestline.xyz</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> acme.sh --dns dns_ovh --ocsp --issue --keylength ec-384 -d 'ouestline.xyz' -d 'wg.ouestline.xyz' -d 'zic.ouestline.xyz' -d 'searx.ouestline.xyz'
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Tue 20 Oct 2020 01:39:02 PM CEST] Your cert is in /home/cxuser//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.cer
[Tue 20 Oct 2020 01:39:02 PM CEST] Your cert key is in /home/cxuser//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.key
[Tue 20 Oct 2020 01:39:02 PM CEST] The intermediate CA cert is in /home/cxuser//.acme.sh/ouestline.xyz_ecc/ca.cer
[Tue 20 Oct 2020 01:39:02 PM CEST] And the full chain certs is there: /home/cxuser//.acme.sh/ouestline.xyz_ecc/fullchain.cer
</code></pre></div></div>
<p>Les liens avec <strong>/etc/ssl/private</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo ln -s /home/cxuser//.acme.sh/ouestline.xyz_ecc/fullchain.cer /etc/ssl/private/ouestline.xyz-fullchain.pem # full chain certs
sudo ln -s /home/cxuser//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.key /etc/ssl/private/ouestline.xyz-key.pem # cert key
sudo ln -s /home/cxuser//.acme.sh/ouestline.xyz_ecc/ouestline.xyz.cer /etc/ssl/private/ouestline.xyz-chain.pem # cert domain
sudo ln -s /home/cxuser//.acme.sh/ouestline.xyz_ecc/ca.cer /etc/ssl/private/ouestline.xyz-ca.pem # intermediate CA cert
</code></pre></div></div>
<h3 id="-parefeu"><img src="/images/ufw-logo1.png" alt="ufw" width="50" /> Parefeu</h3>
<p><em>UFW, ou pare - feu simple , est une interface pour gérer les règles de pare-feu dans Arch Linux, Debian ou Ubuntu. UFW est utilisé via la ligne de commande (bien quil dispose dinterfaces graphiques disponibles), et vise à rendre la configuration du pare-feu facile (ou simple).</em></p>
<p>Installation <strong>Debian / Ubuntu</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install ufw
</code></pre></div></div>
<p><em>Par défaut, les jeux de règles dUFW sont vides, de sorte quil napplique aucune règle de pare-feu, même lorsque le démon est en cours dexécution.</em></p>
<p>Les règles</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo ufw allow 55140/tcp # port SSH , 55140
sudo ufw allow http # port 80
sudo ufw allow https # port 53
sudo ufw allow DNS # port 53
sudo ufw allow 51820/udp # wireguard
</code></pre></div></div>
<p>Activer le parefeu</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo ufw enable
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
</code></pre></div></div>
<p>Status</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> sudo ufw status verbose
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
55140/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
53 (DNS) ALLOW IN Anywhere
51820/udp ALLOW IN Anywhere
55140/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
53 (DNS (v6)) ALLOW IN Anywhere (v6)
51820/udp (v6) ALLOW IN Anywhere (v6)
</code></pre></div></div>
<h2 id="go--node">Go + Node</h2>
<h3 id="-go"><img src="/images/golang-color-icon2.png" alt="golang" width="40" /> Go</h3>
<p>Go installation (Debian) , installer la dernière version de Go → <a href="https://golang.org/dl/">https://golang.org/dl/</a></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cd</span> ~
wget https://golang.org/dl/go1.15.2.linux-amd64.tar.gz
<span class="nb">sudo tar</span> <span class="nt">-C</span> /usr/local <span class="nt">-xzf</span> go1.15.2.linux-amd64.tar.gz
<span class="nb">echo</span> <span class="s2">"export PATH=</span><span class="nv">$PATH</span><span class="s2">:/usr/local/go/bin"</span> <span class="o">&gt;&gt;</span> ~/.bashrc
<span class="nb">source</span> ~/.bashrc
</code></pre></div></div>
<p>Version</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>go version
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>go version go1.15.2 linux/amd64
</code></pre></div></div>
<h3 id="-nodejs"><img src="/images/Node_logo.png" alt="nodejs" width="40" /> Nodejs</h3>
<p>Installer la version LTS de nodejs pour le frontend → <a href="https://github.com/nodesource/distributions#debinstall">https://github.com/nodesource/distributions#debinstall</a></p>
<p>Version <strong>Node.js v14.x</strong> au 11 octobre 2020</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Using Debian, as root</span>
<span class="nb">sudo</span> <span class="nt">-s</span>
curl <span class="nt">-sL</span> https://deb.nodesource.com/setup_14.x | bash -
apt-get <span class="nb">install</span> <span class="nt">-y</span> nodejs
</code></pre></div></div>
<p>Version <strong>Node.js LTS (v12.x)</strong> au 11 octobre 2020</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># Using Debian, as root</span>
<span class="nb">sudo</span> <span class="nt">-s</span>
curl <span class="nt">-sL</span> https://deb.nodesource.com/setup_lts.x | bash -
apt-get <span class="nb">install</span> <span class="nt">-y</span> nodejs
</code></pre></div></div>
<p>Versions</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>node --version
v14.14.0
npm --version
6.14.8
</code></pre></div></div>
<h2 id="-sshfs"><img src="/images/sshfs-logo.png" alt="sshfs" width="50" /> SSHFS</h2>
<p>Le dossier “musique” est distant (serveur xoyaz.xyz)<br />
Il faut créer une liaison réseau sécurisée entre <strong>cx11 ← → xoyaz.xyz</strong><br />
On va utiliser SSHFS (<em>Secure shell file system (ou SSHFS) permet le partage dun système de fichiers de manière sécurisée en utilisant le protocole SFTP de SSH</em>)</p>
<p>Installation</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install sshfs
</code></pre></div></div>
<p>Autorisations</p>
<ul>
<li>Autorisations “utilisateur”
<ul>
<li>Exécuter <code class="language-plaintext highlighter-rouge">sshfs</code> (ou toute autre commande de montage FUSE) avec loption <code class="language-plaintext highlighter-rouge">-o allow_other</code></li>
</ul>
</li>
<li>Autoriser laccès “root” des supports <strong>fuse</strong>
<ul>
<li>Ajouter <code class="language-plaintext highlighter-rouge">user_allow_other</code> au fichier <strong>/etc/fuse.conf</strong></li>
<li>Exécuter <code class="language-plaintext highlighter-rouge">sshfs</code> (ou toute autre commande de montage FUSE) avec loption <code class="language-plaintext highlighter-rouge">-o allow_root</code></li>
</ul>
</li>
</ul>
<p>Clé privée <strong>OVZ-STORAGE-128</strong> pour accéder au serveur xoyaz.xyz</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nano $HOME/.ssh/OVZ-STORAGE-128 # copier la clé privée
chmod 600 $HOME/.ssh/OVZ-STORAGE-128
</code></pre></div></div>
<p><strong>Exécution manuelle</strong> pour authentifier la clé avec utilisateur “debian”</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo -s
mkdir -p /opt/sshfs
sshfs -o allow_other usernl@xoyaz.xyz:/home/usernl/backup /opt/sshfs -C -p 55036 -oIdentityFile=/home/cxuser/.ssh/OVZ-STORAGE-128
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>The authenticity of host <span class="s1">'[xoyaz.xyz]:55036 ([2a04:52c0:101:82::73db]:55036)'</span> can<span class="s1">'t be established.
ECDSA key fingerprint is SHA256:NuFqR5id10fVzRLsSTqJ4vBpFnNYi+APGsvPYth6PHw.
Are you sure you want to continue connecting (yes/no)? yes
</span></code></pre></div></div>
<blockquote>
<p>NOTE: Il faut mettre ladresse IP du serveur , si les domaines peuvent ne pas être “résolus”</p>
</blockquote>
<p>Après vérification , <code class="language-plaintext highlighter-rouge">ls /opt/sshfs</code> , déconnexion <code class="language-plaintext highlighter-rouge">fusermount -u /opt/sshfs</code></p>
<h3 id="montage-fstab">Montage fstab</h3>
<p>ajouter la ligne suivante au fichier <code class="language-plaintext highlighter-rouge">/etc/fstab</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>usernl@xoyaz.xyz:/home/usernl/backup /opt/sshfs fuse.sshfs _netdev,identityfile=/home/cxuser/.ssh/OVZ-STORAGE-128,allow_other,port=55036 0 0
</code></pre></div></div>
<p>Montage pour authentifier la clé avec utilisateur “root”</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo mount -a
</code></pre></div></div>
<p>Vérification</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ls /opt/sshfs
</code></pre></div></div>
<h2 id="tests-sur-le-serveur">Tests sur le serveur</h2>
<h4 id="vérifications-dns---wireguard">Vérifications DNS - wireguard</h4>
<p>Les commandes suivantes ne fonctionneront que si le paquet “dnsutils” est installé sur votre système Debian!</p>
<p>On teste en utilisant les serveurs DNS locaux, les 3 commandes suivantes ont le même résultat</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dig @127.0.0.1 afnic.fr +short +dnssec
dig @10.14.94.1 afnic.fr +short +dnssec
dig @fd18:2941:0ae9:7d96::1 afnic.fr +short +dnssec
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>192.134.5.37
A 13 2 600 20200608204052 20200509084949 30435 afnic.fr. eVchVAseJD5n8W7U8okAz546Ix33hOCqRF7wLrhUV+sOTkwyXo7EwAut k/rN8wsPVpTnTpFyQLKdBTuOpx2UxA==
</code></pre></div></div>
<h4 id="propagation-dns">Propagation DNS</h4>
<p><a href="https://www.whatsmydns.net">https://www.whatsmydns.net</a><br />
<img src="/images/propagationdns-ouestline.xyz-01.png" alt="" width="300" /> <img src="/images/propagationdns-ouestline.xyz-02.png" alt="" width="300" /></p>
<h4 id="dns-blacklisting">DNS blacklisting</h4>
<p><a href="https://www.dnsbl.info/dnsbl-database-check.php">https://www.dnsbl.info/dnsbl-database-check.php</a><br />
<img src="/images/dnsbl-ouestline.xyz.png" alt="" width="600" /></p>
<h4 id="vulnérabilités">Vulnérabilités</h4>
<p><a href="https://www.ssllabs.com/ssltest/analyze.html">https://www.ssllabs.com/ssltest/analyze.html</a></p>
<p>SSL Report: ouestline.xyz (135.181.27.140)<br />
<img src="/images/ssllabs-ouestline.xyz-01.png" alt="Texte alternatif" width="500" /></p>
<p>SSL Report: ouestline.xyz (2a01:4f9:c010:9c70::1)<br />
<img src="/images/ssllabs-ouestline.xyz-02.png" alt="Texte alternatif" width="500" /></p>
<p>Vérifier les ports ouverts depuis un poste linux</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nmap ouestline.xyz
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-26 14:37 CET
Nmap scan report for ouestline.xyz (135.181.27.140)
Host is up (0.023s latency).
Other addresses for ouestline.xyz (not scanned): 2a01:4f9:c010:9c70::1
Not shown: 997 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
</code></pre></div></div>
<h2 id="wireguard">Wireguard</h2>
<h3 id="installer-noyau-58">Installer noyau 5.8+</h3>
<p><em>A partir du noyau 5.6 le module wireguard est intégré</em></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable-wireguard.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
apt update &amp;&amp; apt upgrade
</code></pre></div></div>
<p>Rechercher limage</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt search linux-image-5
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>linux-image-5.8.0-0.bpo.2-amd64/buster-backports,buster-backports 5.8.10-1~bpo10+1 amd64
Linux 5.8 for 64-bit PCs (signed)
</code></pre></div></div>
<p>Installer le noyau</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install linux-image-5.8.0-0.bpo.2-amd64
</code></pre></div></div>
<blockquote>
<p><strong>REDEMARRER <code class="language-plaintext highlighter-rouge">sudo systemctl reboot</code></strong></p>
</blockquote>
<p>Connexion SSH</p>
<p>Vérifications <code class="language-plaintext highlighter-rouge">uname -a</code> <br />
<em>Linux debian-cx11 5.8.0-0.bpo.2-amd64 #1 SMP Debian 5.8.10-1~bpo10+1 (2020-09-26) x86_64 GNU/Linux</em></p>
<p>Supprimer les images non utilisées</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt remove linux-image-4.19.0-1x-amd64
</code></pre></div></div>
<h3 id="wireguard---base">Wireguard - base</h3>
<p><em>WireGuard est un serveur VPN à code source ouvert, gratuit, moderne et rapide, doté dune cryptographie de pointe. Il est plus rapide et plus simple que lIPSec et lOpenVPN</em></p>
<p>Wireguard est dans le noyau 5.6+</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install wireguard
</code></pre></div></div>
<p><strong>Générer une paire de clés</strong></p>
<p>On se positionne dans le dossier <strong>/etc/wireguard/</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd /etc/wireguard
</code></pre></div></div>
<p>WireGuard repose sur une authentification par clé publique/privée (cryptographie asymétrique), vous devez donc créer ces clés avec les sous-commandes wg genkey et wg pubkey<br />
La création de la clé privée se fait avec wg genkey et la clé publique est générée en la canalisant dans wg pubkey</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>umask 077; wg genkey | tee cx11-private.key | wg pubkey &gt; cx11-public.key
</code></pre></div></div>
<p>**Autoriser le serveur Wireguard à relayer les paquets **</p>
<p>Autoriser le serveur Wireguard à relayer les paquets venant de ces clients vers linternet et de traiter les paquets retours (modifier <strong>/etc/sysctl.conf</strong>)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sed -i 's/^#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sed -i 's/^#net.ipv6.conf.all.forwarding=1/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf
sysctl -p # prise en compte immédiate
</code></pre></div></div>
<p>Résultat</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
</code></pre></div></div>
<p><strong>Fichier de configuration /etc/wireguard/wg0.conf</strong></p>
<p>Récupérer le nom de la carte réseau <code class="language-plaintext highlighter-rouge">ip a</code> , dans notre cas <strong>eth0</strong></p>
<p>La première étape consiste à choisir une plage IPV4 privée, <a href="https://www.fakeaddresstool.com/random-ipv4-private-generator/">Random IPV4 Private Address Generator</a>, qui sera utilisée par le serveur : <strong>10.14.94.0/8</strong></p>
<p>Pour une adresse IPV6 <a href="https://www.ultratools.com/tools/rangeGenerator">Local IPv6 Address Generator</a> : <strong>fd18:2941:0ae9:7d96::/64</strong></p>
<table>
<thead>
<tr>
<th>Prefix/L</th>
<th>fd</th>
</tr>
</thead>
<tbody>
<tr>
<td>Global ID</td>
<td>1829410ae9</td>
</tr>
<tr>
<td>Subnet ID</td>
<td>7d96</td>
</tr>
<tr>
<td>Combine/CID</td>
<td>fd18:2941:0ae9:7d96::/64</td>
</tr>
<tr>
<td>IPv6 addresses</td>
<td>fd18:2941:0ae9:7d96::/64:XXXX:XXXX:XXXX:XXXX</td>
</tr>
<tr>
<td>Start Range</td>
<td>fd18:2941:0ae9:7d96:0:0:0:0</td>
</tr>
<tr>
<td>End Range</td>
<td>fd18:2941:0ae9:7d96:ffff:ffff:ffff:ffff</td>
</tr>
<tr>
<td>No. of hosts</td>
<td>18446744073709551616</td>
</tr>
</tbody>
</table>
<p>Nous utiliserons 10.14.94.0/24 qui se trouve dans la plage 10.14.94.0/8 . Le serveur aura ladresse IP suivante: 10.14.94.1 . Il est également nécessaire de choisir un port, qui sera exposé publiquement, pour que le serveur écoute.Le port de documentation standard est généralement 51820.</p>
<p>Créer le fichier <strong>/etc/wireguard/wg0.conf</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nano /etc/wireguard/wg0.conf
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Interface]
Address = 10.14.94.1/24
Address = fd18:2941:0ae9:7d96::1/64
ListenPort = 51820
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PrivateKey = 5Zsr0jQXiuCpHFkye325Zsr0jMUKinVEOPmk=
DNS = 10.14.94.1
DNS = fd18:2941:0ae9:7d96::1
SaveConfig = true
</code></pre></div></div>
<p><strong>Address</strong> , fixer ladresse IP privée du serveur à lintérieur du VPN.Les adresses du réseau VPN de 10.14.94.0 à 10.14.94.255 sont fixées par le masque <strong>/24</strong><br />
<strong>PostUp</strong> , pour la mise en place des règles iptables de translation dadresses à lactivation du VPN (autoriser le routage des paquets réseau venant des clients vers internet)<br />
<strong>PostDown</strong> , pour la suppression des règles iptables de translation dadresses à larrêt du VPN<br />
<strong>PrivateKey</strong> , clé privée du serveur</p>
<p>Modification des droits (lecture uniquement par “root”)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>chmod 600 /etc/wireguard/wg0.conf
</code></pre></div></div>
<h3 id="dns-unbound">DNS Unbound</h3>
<p><img src="/images/unbound-250.png" alt="" width="100" /></p>
<p>Un problème majeur avec beaucoup de configurations VPN est que le DNS nest pas suffisant. Cela finit par une fuite de connexion client et de détails demplacement. Un bon moyen de tester cela est à travers le site <a href="http://dnsleak.com/">http://dnsleak.com/</a></p>
<p>Nous allons sécuriser le trafic DNS avec la solution <strong>unbound</strong> qui offre les caractéristiques suivantes</p>
<ul>
<li>Léger et rapide</li>
<li>Facile à installer et à configurer</li>
<li>Orienté sécurité</li>
<li>Prise en charge DNSSEC</li>
</ul>
<p>Nous allons le configurer de manière à contrer les fuites DNS, les attaques plus sophistiquées comme la fausse configuration de proxy, les routeurs escrocs et toutes sortes dattaques MITM sur HTTPS et autres protocoles.</p>
<p>Nous installons unbound sur le serveur <br />
Passage en mode super utilisateur</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo -s # ou su
</code></pre></div></div>
<blockquote>
<p>ATTENTION : Le programme <strong>resolvconf</strong> est en général seulement nécessaire quand un système a plusieurs programmes qui ont besoin de modifier de façon dynamique les informations sur les serveurs de noms de domaine. Sur un système simple où les serveurs de noms de domaine ne changent pas souvent ou bien ne sont modifiés que par un programme, le <u>fichier de configuration **resolv.conf** est suffisant</u>.<br />
Il faut installer <strong>resolvconf</strong>, sinon on a une erreur <strong>unbound-resolvconf</strong><br />
Une fois le paquet « <strong>resolvconf</strong> » installé, <u>il ne faut plus modifier le fichier</u> « <strong>/etc/resolv.conf</strong> », car le contenu de celui-ci sera automatiquement géré et remplacé par « <strong>resolvconf</strong> ».</p>
</blockquote>
<p>Installation des outils dns, des paquets Unbound et resolv :</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install unbound unbound-host resolvconf -y
</code></pre></div></div>
<p>Téléchargement de la liste des serveurs DNS racines</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
chown unbound:unbound /var/lib/unbound/root.hints
</code></pre></div></div>
<p>Ajout dun fichier de configuration <strong>dns-cx11.conf</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/unbound/unbound.conf.d/dns-cx11.conf
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server:
num-threads: 4
# enable logs
verbosity: 0 # no verbosity, only errors
# liste des serveurs DNS racine
root-hints: "/var/lib/unbound/root.hints"
# Répondre aux requêtes DNS sur toutes les interfaces
interface: 0.0.0.0 # 0.0.0.0 unbound sur plusieurs interfaces
interface: ::0
max-udp-size: 3072
# IPs authorised to access the DNS Server
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.14.94.0/16 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
access-control: fe80::/10 allow
access-control: fd18:2941:0ae9:7d96::/48 allow
local-zone: "14.10.in-addr.arpa." transparent
#hide DNS Server info
hide-identity: yes
hide-version: yes
# limit DNS fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
# add an unwanted reply threshold to clean the cache and avoid, when possible, DNS poisoning
unwanted-reply-threshold: 10000000
# have the validator print validation failures to the log
val-log-level: 1
# minimum lifetime of cache entries in seconds
cache-min-ttl: 1800
# maximum lifetime of cached entries in seconds
cache-max-ttl: 14400
prefetch: yes
prefetch-key: yes
#include: /etc/unbound/unbound.conf.d/adslist.txt
</code></pre></div></div>
<p>Droits</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>chown -R unbound:unbound /var/lib/unbound
</code></pre></div></div>
<p>Pour vérifier si le fichier de configuration est valide</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unbound-checkconf /etc/unbound/unbound.conf.d/dns-cx11.conf
</code></pre></div></div>
<p><em>unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/dns-cx11.conf</em><br />
Désactiver systemd-resolved (si utilisé)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl stop systemd-resolved
systemctl disable systemd-resolved
</code></pre></div></div>
<p>Activer Unbound (ILS SONT ACTIFS DES LEUR INSTALLATION)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl enable unbound-resolvconf
systemctl enable unbound
</code></pre></div></div>
<blockquote>
<p><strong>Redémarrer le serveur <code class="language-plaintext highlighter-rouge">systemctl reboot</code></strong></p>
</blockquote>
<p>Après redémarrage et connexion au serveur</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl status unbound unbound-resolvconf resolvconf
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-10-21 09:22:55 CEST; 1min 12s ago
Docs: man:unbound(8)
Process: 784 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
Process: 798 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
Main PID: 805 (unbound)
Tasks: 4 (limit: 2289)
Memory: 38.7M
CGroup: /system.slice/unbound.service
└─805 /usr/sbin/unbound -d
● unbound-resolvconf.service - Unbound DNS server via resolvconf
Loaded: loaded (/lib/systemd/system/unbound-resolvconf.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2020-10-21 09:22:55 CEST; 1min 12s ago
Process: 809 ExecStart=/usr/lib/unbound/package-helper resolvconf_start (code=exited, status=0/SUCCESS)
Main PID: 809 (code=exited, status=0/SUCCESS)
● resolvconf.service - Nameserver information manager
Loaded: loaded (/lib/systemd/system/resolvconf.service; enabled; vendor preset: enabled)
Active: active (exited) since Wed 2020-10-21 09:22:49 CEST; 1min 18s ago
Docs: man:resolvconf(8)
Process: 228 ExecStartPre=/bin/mkdir -p /run/resolvconf/interface (code=exited, status=0/SUCCESS)
Process: 248 ExecStartPre=/bin/touch /run/resolvconf/postponed-update (code=exited, status=0/SUCCESS)
Process: 253 ExecStart=/sbin/resolvconf --enable-updates (code=exited, status=0/SUCCESS)
Main PID: 253 (code=exited, status=0/SUCCESS)
</code></pre></div></div>
<p><strong>Vérifications</strong></p>
<p>Les commandes suivantes ne fonctionneront que si le paquet “dnsutils” est installé sur votre système Debian!</p>
<p>On teste en utilisant les serveurs DNS locaux</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dig @127.0.0.1 afnic.fr +short +dnssec
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>192.134.5.37
A 13 2 600 20201117093213 20201018100839 30435 afnic.fr. aEOBkWup4MhF1n9W95DBJ/WVgWEiFucH5E3dPxf8FwZlolGLqGDUtM9A RrAkqfxtcGSUDEOXBIyqvEDCrej9YQ==
</code></pre></div></div>
<p><strong>Mise à jour des serveurs DNS racines</strong></p>
<p>Télécharger le script</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl -o /etc/unbound/dnsunbound-update-root-dns.sh https://static.xoyaz.xyz/files/dnsunbound-update-root-dns.sh
</code></pre></div></div>
<p>Droits en exécution pour le bash <strong>dnsunbound-update-root-dns.sh</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>chmod +x /etc/unbound/dnsunbound-update-root-dns.sh
</code></pre></div></div>
<p>Planification journalière</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>crontab -e
</code></pre></div></div>
<p>Ajouter en fin de fichier</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Mise à jour automatique des serveurs DNS de la racine
10 02 * * * /etc/unbound/dnsunbound-update-root-dns.sh &gt; /dev/null
</code></pre></div></div>
<h3 id="gestion-web-wireguard-wgwebservice">Gestion web wireguard (wgweb.service)</h3>
<p>Création dossier application web</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo mkdir -p /opt/appwg
</code></pre></div></div>
<p>Copier le git wg-gen-web</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd ~
git clone https://gitea.cinay.eu/yann/wg-gen-web.git
sudo mkdir -p /usr/local/go/src/wg-gen-web
sudo cp -r wg-gen-web/{api,auth,core,util,version,model,storage,template} /usr/local/go/src/wg-gen-web/
</code></pre></div></div>
<p>Construction du site</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd $HOME/wg-gen-web/cmd/wg-gen-web/
go build -o deb-wg-gen-web
cd ../../ui
npm install # + npm audit fix si nécessaire
npm run build
sudo cp $HOME/wg-gen-web/cmd/wg-gen-web/deb-wg-gen-web /opt/appwg
sudo mkdir -p /opt/appwg/ui
sudo cp -r $HOME/wg-gen-web/ui/dist /opt/appwg/ui/
</code></pre></div></div>
<p><strong>Configuration .env</strong></p>
<p>lautorisation à 2 facteurs nest pas utilisée, le fichier <strong>/opt/appwg/.env</strong> se résume à remplir la zone correspondante SMTP de la messagerie et désactiver lautorisation</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/opt/appwg/.env
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># IP address to listen to
SERVER=127.0.0.1
# port to bind
PORT=8080
# Gin framework release mode
GIN_MODE=release
# where to write all generated config files
WG_CONF_DIR=/etc/wireguard
# WireGuard main config file name, generally &lt;interface name&gt;.conf
WG_INTERFACE_NAME=wg0.conf
# SMTP settings to send email to clients
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USERNAME=account@gmail.com
SMTP_PASSWORD=*************
SMTP_FROM=Wg Gen Web &lt;account@gmail.com&gt;
# set provider name to fake to disable auth, also the default
OAUTH2_PROVIDER_NAME=fake
</code></pre></div></div>
<blockquote>
<p>On modifie dans <strong>/opt/appwg/.env</strong> ,le paramètre WG_CONF_DIR=./wireguard → <code class="language-plaintext highlighter-rouge">WG_CONF_DIR=/etc/wireguard</code></p>
</blockquote>
<p>**Créer le service wgweb.service **</p>
<p>Créer un service systemd <strong>wgweb</strong> qui lance le serveur avec journalisation</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nano /etc/systemd/system/wgweb.service
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Unit]
Description=Wireguard web
After=network.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10
WorkingDirectory=/opt/appwg
ExecStart=/opt/appwg/deb-wg-gen-web
[Install]
WantedBy=multi-user.target
</code></pre></div></div>
<p><strong>wireguard (wg0.conf et server.json)</strong></p>
<p>Modifier les fichiers existants pour être identique au paramétrage de wireguard <strong>wg0.conf</strong> situé sous <strong>/etc/wireguard</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/wireguard/server.json
</code></pre></div></div>
<div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="w">
</span><span class="nl">"address"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"fd18:2941:0ae9:7d96::1/64"</span><span class="p">,</span><span class="w">
</span><span class="s2">"10.14.94.1/24"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="nl">"listenPort"</span><span class="p">:</span><span class="w"> </span><span class="mi">51820</span><span class="p">,</span><span class="w">
</span><span class="nl">"mtu"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w">
</span><span class="nl">"privateKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UEQCgh/6a2RQbF9+qqylVjqLCK/mRwqRPc/4vjRsYXg="</span><span class="p">,</span><span class="w">
</span><span class="nl">"publicKey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0s1wsNpuU1RlKgj6AmoN0aKUeb+aESByhO3yTSnfTyE="</span><span class="p">,</span><span class="w">
</span><span class="nl">"endpoint"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xoyaz.xyz:51820"</span><span class="p">,</span><span class="w">
</span><span class="nl">"persistentKeepalive"</span><span class="p">:</span><span class="w"> </span><span class="mi">16</span><span class="p">,</span><span class="w">
</span><span class="nl">"dns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"fd18:2941:0ae9:7d96::1"</span><span class="p">,</span><span class="w">
</span><span class="s2">"10.14.94.1"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="nl">"allowedips"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w">
</span><span class="s2">"0.0.0.0/0"</span><span class="p">,</span><span class="w">
</span><span class="s2">"::/0"</span><span class="w">
</span><span class="p">],</span><span class="w">
</span><span class="nl">"preUp"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w">
</span><span class="nl">"postUp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"</span><span class="p">,</span><span class="w">
</span><span class="nl">"preDown"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span><span class="w">
</span><span class="nl">"postDown"</span><span class="p">:</span><span class="w"> </span><span class="s2">"iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE"</span><span class="p">,</span><span class="w">
</span><span class="nl">"updatedBy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Unknown"</span><span class="p">,</span><span class="w">
</span><span class="nl">"created"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-10-21T12:31:50.589913433Z"</span><span class="p">,</span><span class="w">
</span><span class="nl">"updated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2020-10-21T12:31:50.589913433Z"</span><span class="w">
</span></code></pre></div></div>
<p>Recharger <code class="language-plaintext highlighter-rouge">systemd</code> puis démarrer le service:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl daemon-reload
sudo systemctl start wgweb.service
sudo systemctl status wgweb.service
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>● wgweb.service - Wireguard web
Loaded: loaded (/etc/systemd/system/wgweb.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2020-10-21 10:46:58 CEST; 43s ago
Main PID: 1426 (deb-wg-gen-web)
Tasks: 5 (limit: 2289)
Memory: 5.0M
CGroup: /system.slice/wgweb.service
└─1426 /opt/appwg/deb-wg-gen-web
Oct 21 10:46:58 debian-cx11 systemd[1]: Started Wireguard web.
Oct 21 10:46:58 debian-cx11 deb-wg-gen-web[1426]: time="2020-10-21T10:46:58+02:00" level=info msg="Lancement de la version Web de Wg Gen : yann"
Oct 21 10:46:58 debian-cx11 deb-wg-gen-web[1426]: time="2020-10-21T10:46:58+02:00" level=warning msg="Oauth n'est pas utilisé, aucune authentification réelle ne sera effectuée"
</code></pre></div></div>
<h3 id="accès-page-web-wireguard">Accès page Web Wireguard</h3>
<p>On utilise la redirection port SSH</p>
<p>Vérification,ouvrir un terminal sur le client linux qui dispose des clés ssh et lancer la commande</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh -L 9000:localhost:8080 cxuser@135.181.27.140 -p 55140 -i /home/yannick/.ssh/cx11_ed25519
</code></pre></div></div>
<p>Ouvrir un navigateur sur le client et saisir <code class="language-plaintext highlighter-rouge">localhost:9000</code> pour afficher le gestionnaire web de wireguard</p>
<p><img src="/images/wg-cx11-01.png" alt="wg-cx11" width="600" /></p>
<p>Activer le service si tout fonctionne</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl enable wgweb.service
</code></pre></div></div>
<h3 id="activer-service-wg-quickwg0">Activer service wg-quick@wg0</h3>
<p>Le gestionnaire web est à jour , on peut lancer le serveur wireguard</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl start wg-quick@wg0.service
</code></pre></div></div>
<p>Vérifier</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl status wg-quick@wg0.service
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/wg-quick@.service; disabled; vendor preset: enabled)
Active: active (exited) since Wed 2020-10-21 10:57:22 CEST; 52s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 1480 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 1480 (code=exited, status=0/SUCCESS)
</code></pre></div></div>
<p>Activer</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl enable wg-quick@wg0.service
</code></pre></div></div>
<h3 id="configuration-automatique">Configuration automatique</h3>
<p>Utilisation de <strong>systemd.path</strong> monitor pour les changements dans le répertoire, voir <a href="https://www.freedesktop.org/software/systemd/man/systemd.path.html">systemd doc</a></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/systemd/system/wg-gen-web.path
</code></pre></div></div>
<pre><code class="language-init">[Unit]
Description=Surveiller /etc/wireguard pour les changements
[Path]
PathModified=/etc/wireguard
[Install]
WantedBy=multi-user.target
</code></pre>
<p>Ce <strong>wg-gen-web.path</strong> activera le fichier de lunité avec le même nom, <strong>wg-gen-web.service</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/systemd/system/wg-gen-web.service
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Unit]
Description=Relancer WireGuard si changements
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service
[Install]
WantedBy=multi-user.target
</code></pre></div></div>
<p>Ce qui permettra de relancer le service WireGuard</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl start wg-gen-web.path
sudo systemctl status wg-gen-web.path
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>● wg-gen-web.path - Surveiller /etc/wireguard pour les changements
Loaded: loaded (/etc/systemd/system/wg-gen-web.path; disabled; vendor preset: enabled)
Active: active (waiting) since Wed 2020-10-21 11:00:47 CEST; 20ms ago
Oct 21 11:00:47 debian-cx11 systemd[1]: Started Surveiller /etc/wireguard pour les changements.
</code></pre></div></div>
<p>Activation</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl enable wg-gen-web.path
</code></pre></div></div>
<p>Pour suivre dans le journal</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo journalctl -f -t wg-quick
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>-- Logs begin at Wed 2020-10-21 09:22:49 CEST. --
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#]
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#] ip link add wg0 type wireguard
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#] wg setconf wg0 /dev/fd/63
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#] ip -6 address add fd18:2941:0ae9:7d96::1/64 dev wg0
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#] ip -4 address add 10.14.94.1/24 dev wg0
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#] ip link set mtu 1420 up dev wg0
Oct 21 10:57:22 debian-cx11 wg-quick[1480]: [#] iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</code></pre></div></div>
<h2 id="audio-server">Audio server</h2>
<h3 id="navidrome">Navidrome</h3>
<p>Création des répertoires</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo install -d -o cxuser -g cxuser /opt/navidrome
sudo install -d -o cxuser -g cxuser /var/lib/navidrome
</code></pre></div></div>
<p>Installation</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://github.com/deluan/navidrome/releases/download/v0.35.1/navidrome_0.35.1_Linux_x86_64.tar.gz -O Navidrome.tar.gz
sudo tar -xvzf Navidrome.tar.gz -C /opt/navidrome/
sudo chown -R cxuser:cxuser /opt/navidrome
</code></pre></div></div>
<p>Créer le fichier de configuration <code class="language-plaintext highlighter-rouge">/var/lib/navidrome/navidrome.toml</code> avec le paramètre suivant</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>MusicFolder = "/opt/sshfs/musique"
</code></pre></div></div>
<h3 id="service-navidrome">Service navidrome</h3>
<p>Créer le service navidrome <code class="language-plaintext highlighter-rouge">/etc/systemd/system/navidrome.service</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Unit]
Description=Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
After=remote-fs.target network.target
AssertPathExists=/var/lib/navidrome
[Install]
WantedBy=multi-user.target
[Service]
User=cxuser
Group=cxuser
Type=simple
ExecStart=/opt/navidrome/navidrome --configfile "/var/lib/navidrome/navidrome.toml"
WorkingDirectory=/var/lib/navidrome
TimeoutStopSec=20
KillMode=process
Restart=on-failure
# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
DevicePolicy=closed
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
ReadWritePaths=/var/lib/navidrome
# You can uncomment the following line if you're not using the jukebox This
# will prevent navidrome from accessing any real (physical) devices
#PrivateDevices=yes
# You can change the following line to `strict` instead of `full` if you don't
# want navidrome to be able to write anything on your filesystem outside of
# /var/lib/navidrome.
ProtectSystem=full
# You can comment the following line if you don't have any media in /home/*.
# This will prevent navidrome from ever reading/writing anything there.
ProtectHome=true
</code></pre></div></div>
<h3 id="activer-service-navidrome">Activer service navidrome</h3>
<p>Démarrer le service</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl daemon-reload
sudo systemctl start navidrome.service
</code></pre></div></div>
<p>Le status</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl status navidrome.service
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>● navidrome.service - Navidrome Music Server and Streamer compatible with Subsonic/Airsonic
Loaded: loaded (/etc/systemd/system/navidrome.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2020-10-21 13:20:29 CEST; 8s ago
Main PID: 6361 (navidrome)
Tasks: 5 (limit: 2289)
Memory: 10.2M
CGroup: /system.slice/navidrome.service
└─6361 /opt/navidrome/navidrome --configfile /var/lib/navidrome/navidrome.toml
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Configuring Media
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Creating Transcod
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=warning msg="Running initia
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=warning msg="Creating JWT s
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Starting scanner"
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Mounting routes"
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Mounting routes"
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Login rate limit
Oct 21 13:20:29 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:29+02:00" level=info msg="Navidrome server
Oct 21 13:20:31 debian-cx11 navidrome[6361]: time="2020-10-21T13:20:31+02:00" level=warning msg="No admin user
</code></pre></div></div>
<p>Activer</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl enable navidrome.service
</code></pre></div></div>
<h3 id="accès-page-web-navidrome">Accès page Web Navidrome</h3>
<p>On utilise la redirection port SSH</p>
<p>Vérification,ouvrir un terminal sur le client linux qui dispose des clés ssh et lancer la commande</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh -L 9000:localhost:4533 cxuser@135.181.27.140 -p 55140 -i /home/yannick/.ssh/cx11_ed25519
</code></pre></div></div>
<p>Ouvrir un navigateur sur le client et saisir <code class="language-plaintext highlighter-rouge">localhost:9000</code> pour afficher le gestionnaire web de wireguard</p>
<p><img src="/images/navi-cx11-01.png" alt="navi-cx11" width="600" /> <br />
Il faut créer un administrateur<br />
Paramétrer la langue dans “Settings” “Personal”</p>
<h2 id="nginx-light">Nginx light</h2>
<p><a href="/2020/10/11/nginx-light.html">Debian installer nginx-light</a></p>
<p>Installer version light</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install nginx-light
</code></pre></div></div>
<p>Version</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nginx -v
</code></pre></div></div>
<p>nginx version: nginx/1.14.2</p>
<p>Modifier le fichier de configuration <code class="language-plaintext highlighter-rouge">/etc/nginx/nginx.conf</code> , on utilise TLS1.2 et TLS1.3 uniquement</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
</code></pre></div></div>
<p>Vérification</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nginx -t
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
</code></pre></div></div>
<p>Configuration par défaut</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nano /etc/nginx/sites-enabled/default
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server {
listen 80;
listen [::]:80;
server_name ouestline.xyz;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ouestline.xyz;
ssl_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
ssl_certificate_key /etc/ssl/private/ouestline.xyz-key.pem;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
# TLS 1.3 only
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
}
</code></pre></div></div>
<p>Vérification et relance</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nginx -t
sudo systemctl reload nginx
</code></pre></div></div>
<p>Image sur la page daccueil (facultatif)<br />
Déposer une image dans le dossier <code class="language-plaintext highlighter-rouge">/var/www/html</code><br />
Créer un fichier <code class="language-plaintext highlighter-rouge">/var/www/html/index.html</code></p>
<pre><code class="language-hmtl">&lt;!DOCTYPE html&gt;
&lt;html&gt;
&lt;head&gt;
&lt;meta charset="UTF-8"&gt;
&lt;title&gt;CX11&lt;/title&gt;
&lt;style type="text/css" media="screen" &gt;
html {
margin:0;
padding:0;
background: url(wallpaper.jpg) no-repeat center fixed;
-webkit-background-size: cover; /* pour anciens Chrome et Safari */
background-size: cover; /* version standardisée */
}
body { color: white; }
a:link {
color: grey;
background-color: transparent;
text-decoration: none;
}
a:hover {
color: red;
background-color: transparent;
text-decoration: underline;
}
&lt;/style&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;h1&gt;Serveur CX11&lt;/h1&gt;
&lt;p&gt;If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.&lt;/p&gt;
&lt;p&gt;For online documentation and support please refer to
&lt;a href="http://nginx.org/"&gt;nginx.org&lt;/a&gt;.&lt;br/&gt;
Commercial support is available at
&lt;a href="http://nginx.com/"&gt;nginx.com&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Thank you for using nginx.&lt;/em&gt;&lt;/p&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre>
<p>Lien https://ouestline.xyz</p>
<h3 id="nginx-reverse-proxy-navidrome">Nginx Reverse proxy navidrome</h3>
<p>Fichier de configuration <code class="language-plaintext highlighter-rouge">/etc/nginx/conf.d/zic.ouestline.xyz.conf</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name zic.ouestline.xyz;
ssl_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
ssl_certificate_key /etc/ssl/private/ouestline.xyz-key.pem;
# TLS 1.3 only
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
# Proxy audio navidrome server
location / {
#//normal proxy configuration
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_pass http://localhost:4533;
proxy_redirect default;
}
}
</code></pre></div></div>
<p>Vérification et relance</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nginx -t
sudo systemctl reload nginx
</code></pre></div></div>
<p>Lien https://zic.ouestline.xyz</p>
<h3 id="nginx-reverse-proxy-wireguard-inactif">Nginx Reverse proxy wireguard (INACTIF)</h3>
<p><em>Laccès web wireguard nest pas sécurisé par un login/mot de passe</em></p>
<p>Si lon possède un compte github,vous pouvez créer et enregistrer une application OAuth sous votre compte personnel ou sous toute organisation à laquelle vous avez un accès administratif. Lorsque vous créez votre application OAuth, noubliez pas de protéger votre vie privée en utilisant uniquement les informations que vous considérez comme publiques.</p>
<blockquote>
<p>Note : Un utilisateur ou une organisation peut posséder jusquà 100 applications OAuth.</p>
</blockquote>
<p>Après création dune application OAuth, il faut modifier le fichier de configuration de lapplication wireguard web <code class="language-plaintext highlighter-rouge">/opt/appwg/.env</code></p>
<p>En fin de fichier</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[...]
# set provider name to fake to disable auth, also the default
#OAUTH2_PROVIDER_NAME=fake
OAUTH2_PROVIDER_NAME=github
OAUTH2_PROVIDER=https://github.com
OAUTH2_CLIENT_ID=b00eb256845555899e
OAUTH2_CLIENT_SECRET=544df8a3c888bf45687455128822da455
OAUTH2_REDIRECT_URL=https://wg.ouestline.xyz
</code></pre></div></div>
<p>Relancer le service <code class="language-plaintext highlighter-rouge">sudo systemctl restart wgweb.service</code></p>
<p>Fichier de configuration <code class="language-plaintext highlighter-rouge">/etc/nginx/conf.d/wg.ouestline.xyz.conf</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name wg.ouestline.xyz;
ssl_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
ssl_certificate_key /etc/ssl/private/ouestline.xyz-key.pem;
# TLS 1.3 only
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
location / {
#//normal proxy configuration
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_pass http://localhost:8080;
proxy_redirect default;
}
}
</code></pre></div></div>
<p>Recharger nginx <code class="language-plaintext highlighter-rouge">sudo systemctl reload nginx</code></p>
<p>Accès <a href="https://wg.ouestline.xyz">https://wg.ouestline.xyz</a><br />
<img src="/images/wg-ouest-oauth.png" alt="wg-ouest-oauth" width="500" /></p>
<h2 id="métamoteur-searx">Métamoteur Searx</h2>
<h3 id="searx---docker">Searx - Docker</h3>
<p>Les procédures dinstallation, voir le lien <a href="/2018/05/03/Searx-Metamoteur-Recherche-Libre.html">Searx (métamoteur de recherche libre)</a></p>
<p>Limage du docker est <a href="https://hub.docker.com/r/searx/searx">searx/searx</a> (basée sur <a href="https://github.com/searx/searx">github.com/searx/searx</a>).</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker pull searx/searx
docker images
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>REPOSITORY TAG IMAGE ID CREATED SIZE
searx/searx latest 933b0039140b 24 hours ago 168MB
</code></pre></div></div>
<p>La méthode la plus simple pour déployer un conteneur en tant que service consiste à créer le conteneur sil nexiste pas avec un nom donné et ensuite de mapper chacune des opérations de docker (démarrage et arrêt) aux commandes de service du système.</p>
<p>Une fois que nous avons créé ce conteneur, nous pouvons le démarrer, larrêter et le redémarrer en utilisant les commandes habituelles du docker en indiquant le nom du conteneur (<code class="language-plaintext highlighter-rouge">docker stop searx</code>, <code class="language-plaintext highlighter-rouge">docker start searx</code>, <code class="language-plaintext highlighter-rouge">docker restart searx</code>).</p>
<p>Créer un nouveau fichier dunité systemd <code class="language-plaintext highlighter-rouge">searx.service</code> avec la description du service dans <code class="language-plaintext highlighter-rouge">/etc/systemd/system/</code>.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/systemd/system/searx.service
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[Unit]
Description=searx container
After=docker.service
Wants=network-online.target docker.socket
Requires=docker.socket
[Service]
Restart=always
ExecStartPre=/bin/bash -c "/usr/bin/docker container inspect searx 2&gt; /dev/null || /usr/bin/docker run --name searx --rm -d -v /home/cxuser/searx:/etc/searx -p 8089:8080 -e BASE_URL=http://localhost:8089/ searx/searx"
ExecStart=/usr/bin/docker start -a searx
ExecStop=/usr/bin/docker stop -t 10 searx
[Install]
WantedBy=multi-user.target
</code></pre></div></div>
<p>Recharger les services</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl daemon-reload
</code></pre></div></div>
<p>Le fichier dunité crée un nouveau service et associe les commandes de démarrage et darrêt du docker aux séquences de démarrage et darrêt du service.</p>
<p>Le fichier unit décrit comme des dépendances la cible réseau en ligne et la prise docker, si la prise docker ne démarre pas ce service ne le fera pas non plus. Il ajoute également une dépendance à docker.service, de sorte que ce service ne fonctionnera pas tant que docker.service naura pas démarré.</p>
<p>Nous pouvons maintenant démarrer/arrêter le service en émettant la commande correspondante :</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl start searx
sudo systemctl stop searx
</code></pre></div></div>
<p>Nous pouvons également installer le service pour quil fonctionne au démarrage en courant :</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo systemctl enable searx
</code></pre></div></div>
<p>Vérifier localement</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>curl --location --verbose --head --insecure localhost:8089
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[...]
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x555ec9e93f50)
* Connected to localhost (127.0.0.1) port 8089 (#0)
&gt; HEAD / HTTP/1.1
&gt; Host: localhost:8089
&gt; User-Agent: curl/7.64.0
&gt; Accept: */*
&gt;
&lt; HTTP/1.1 200 OK
HTTP/1.1 200 OK
[...]
</code></pre></div></div>
<p>Modifier le fichier de configuration</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo nano ${PWD}/searx/settings.yml
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>general:
instance_name : "cx11-searx" # displayed name
server:
secret_key : "546c29de2eaeb051edf87ab74d22c8f608b6e6a2ba55d3e10f818154e8c3b179" # change this!
base_url : False # Set custom base_url. Possible values: False or "https://your.custom.host/lo
cation/"
ui:
default_theme : oscar # ui theme
theme_args :
oscar_style : logicodev-dark # default style of oscar
# supprimer la ligne 'disabled : True' des éléments ci dessous
- name : ddg definitions
engine : duckduckgo_definitions
shortcut : ddd
weight : 2
- name : duckduckgo
engine : duckduckgo
shortcut : ddg
- name : duckduckgo images
engine : duckduckgo_images
shortcut : ddi
timeout: 3.0
</code></pre></div></div>
<p>Relever ID pour un redémarrage</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker ps
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2b661e674108 searx/searx "/sbin/tini -- /usr/…" 17 minutes ago Up 17 minutes 0.0.0.0:8089-&gt;8080/tcp upbeat_cori
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker restart 2b661e674108
</code></pre></div></div>
<p>Exécuter sur un poste distant</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh -L 9000:localhost:8089 cxuser@135.181.27.140 -p 55140 -i /home/yannick/.ssh/cx11_ed25519
</code></pre></div></div>
<p>Sur le même poste , ouvrir le navigateur avec un lien <a href="http://localhost:9000">http://localhost:9000</a></p>
<p><img src="/images/cx11-docker-searx.png" alt="Texte alternatif" width="600" /></p>
<h3 id="searx---proxy-nginx">Searx - Proxy nginx</h3>
<p>Fichier de configuration <code class="language-plaintext highlighter-rouge">/etc/nginx/conf.d/searx.ouestline.xyz.conf</code></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name searx.ouestline.xyz;
ssl_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
ssl_certificate_key /etc/ssl/private/ouestline.xyz-key.pem;
# TLS 1.3 only
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/ssl/private/ouestline.xyz-fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
location / {
#//normal proxy configuration
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_pass http://localhost:8089;
proxy_redirect default;
}
}
</code></pre></div></div>
<p>Recharger nginx <code class="language-plaintext highlighter-rouge">sudo systemctl reload nginx</code></p>
<p>Accès <a href="https://searx.ouestline.xyz">https://searx.ouestline.xyz</a><br />
<img src="/images/searx.ouestline.xyz.png" alt="wg-ouest-oauth" width="500" /></p>
<h2 id="sauvegarde-borgbackup">Sauvegarde BorgBackup</h2>
<p><img src="/images/borg-logo.png" alt="" /></p>
<p>Machine à sauvegarder : ouestline.xyz (135.181.27.140)
Serveur de backup : xoyaz.xyz (5.2.79.127)</p>
<h3 id="installer-borgbackup">Installer borgbackup</h3>
<p>On se connecte sur la machine (si non local) et on passe en mode su</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#ssh utilisateur@ouestline.xyz
ssh cxuser@ouestline.xyz -p 55140 -i /home/yannick/.ssh/cx11_ed25519
sudo -s
apt update
</code></pre></div></div>
<p>Installer borgbackup</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install borgbackup # Debian
</code></pre></div></div>
<p><strong><u>Créer un jeu de clé sur machine à sauvegarder (ouestline.xyz)</u></strong><br />
Créer un utilisateur borg (sans home) dédié aux sauvegardes par BorgBackup :</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>useradd -M borg
</code></pre></div></div>
<p>Générer un jeu de clé sur <strong>/root/.ssh</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mkdir -p /root/.ssh
ssh-keygen -t ed25519 -o -a 100 -f /root/.ssh/cx11_borg_ed25519
</code></pre></div></div>
<p>Le jeu de clé</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ls /root/.ssh
cx11_borg_ed25519 cx11_borg_ed25519.pub
</code></pre></div></div>
<p>Autoriser utilisateur <strong>borg</strong> à exécuter <em>/usr/bin/borg</em> uniquement</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo "borg ALL=NOPASSWD: /usr/bin/borg" &gt;&gt; /etc/sudoers
</code></pre></div></div>
<h3 id="clés-ssh-borgbackup">Clés SSH borgbackup</h3>
<blockquote>
<p>Pour une connexion via ssh vous devez ajouter la clé publique <em>cx11_borg_ed25519.pub</em> du <strong>serveur client ouestline.xyz</strong> au fichier <em>~/.ssh/authorized_keys</em> du <strong>serveur backup xoyaz.xyz</strong></p>
</blockquote>
<p>Se connecter au <strong>serveur backup xoyaz.xyz</strong> depuis un terminal autorisé</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ssh usernl@xoyaz.xyz -p 55036 -i ~/.ssh/OVZ-STORAGE-128 # connexion SSH serveur backup depuis PC1
sudo -s # passer en super utilisateur
cat &gt;&gt; /srv/data/borg-backups/.ssh/authorized_keys
</code></pre></div></div>
<p>Copier/coller le contenu du fichier du fichier de clef publique (fichier <strong>/root/.ssh/cx11_borg_ed25519.pub</strong> de la machine à sauvegarder <strong>ouestline.xyz</strong> ) dans ce terminal, et presser <strong>[Ctrl]+[D]</strong> pour valider.</p>
<p>Test depuis le serveur client <strong>ouestline.xyz</strong> (cest lui qui possède la clé privée).<br />
<em>Si parefeu avec les sorties bloquées sur <strong>ouestline.xyz</strong> , il faut ouvrir en sortie le port TCP 55036.</em></p>
<p><strong>AU PREMIER passage une question est posée , saisir oui ou yes</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo -s
ssh -p 55036 -i /root/.ssh/cx11_borg_ed25519 borg@xoyaz.xyz
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>The authenticity of host '[xoyaz.xyz]:55036 ([2a04:52c0:101:7ae::7a5e]:55036)' can't be established.
ECDSA key fingerprint is SHA256:PDXQBhTh4oj0cSzgnjCun+J60JDUEk7VeLH2YHZbwMc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[xoyaz.xyz]:55036,[2a04:52c0:101:7ae::7a5e]:55036' (ECDSA) to the list of known hosts.
Linux backup 2.6.32-042stab140.1 #1 SMP Thu Aug 15 13:32:22 MSK 2019 x86_64
_ _
| |__ __ _ __ | |__ _ _ _ __
| '_ \/ _` |/ _|| / /| || || '_ \
|_.__/\__,_|\__||_\_\ \_,_|| .__/
|_|
Last login: Sun Sep 15 15:13:35 2019 from 2a01:e34:eef2:570:2c83:bd30:365a:ff54
$
</code></pre></div></div>
<p>saisir <code class="language-plaintext highlighter-rouge">exit</code> pour sortir</p>
<blockquote>
<p>NOTE : <strong>/srv/data/borg-backups</strong> est le home de lutilisateur <em>borg</em> sur le serveur backup <em>xoyaz.xyz</em></p>
</blockquote>
<h3 id="création-dépôt-et-sauvegarde">Création dépôt et sauvegarde</h3>
<p><strong><u>machine cliente ouestline.xyz</u></strong><br />
On se connecte sur la machine et on passe en mode su</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo -s
</code></pre></div></div>
<p><strong>Création du dépôt distant sur le serveur backup xoyaz.xyz (A FAIRE UNE SEULE FOIS)</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>export BORG_RSH='ssh -i /root/.ssh/cx11_borg_ed25519' # ce n'est pas la clé par défaut id_rsa
borg init --encryption=repokey-blake2 ssh://borg@xoyaz.xyz:55036/srv/data/borg-backups/ouestline.xyz
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Enter new passphrase:
Enter same passphrase again:
Do you want your passphrase to be displayed for verification? [yN]:
By default repositories initialized with this version will produce security
errors if written to with an older version (up to and including Borg 1.0.8).
If you want to use these older versions, you can disable the check by running:
borg upgrade --disable-tam ssh://borg@xoyaz.xyz:55036/srv/data/borg-backups/ouestline.xyz
See https://borgbackup.readthedocs.io/en/stable/changes.html#pre-1-0-9-manifest-spoofing-vulnerability for details about the security implications.
IMPORTANT: you will need both KEY AND PASSPHRASE to access this repo!
Use "borg key export" to export the key, optionally in printable format.
Write down the passphrase. Store both at safe place(s).
</code></pre></div></div>
<p>Sauvegarder la “passphrase” dans un fichier pour une procédure automatique</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mkdir -p /root/.borg
nano /root/.borg/passphrase
</code></pre></div></div>
<p><strong>Générer une sauvegarde dun dossier local vers le dépôt distant</strong> pour test (facultatif)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>borg create ssh://borg@xoyize.xyz:55029/srv/ssd-two/borg-backups/ouestline.xyz::2019-01-11 /home/yanfi
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Enter passphrase for key ssh://borg@xoyize.xyz:55029/srv/ssd-two/borg-backups/ouestline.xyz:
</code></pre></div></div>
<p><strong>Automatiser la procédure de sauvegarde pour le client ouestline.xyz</strong><br />
script de sauvegarde (notez lusage de borg prune pour supprimer les archives trop anciennes)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>nano /root/.borg/borg-backup
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#!/bin/sh
#
# Script de sauvegarde.
#
# Envoie les sauvegardes sur un serveur distant, via le programme Borg.
# Les sauvegardes sont chiffrées
#
set -e
BACKUP_DATE=`date +%Y-%m-%d-%Hh%M`
LOG_PATH=/var/log/borg-backup.log
export BORG_PASSPHRASE="`cat ~root/.borg/passphrase`"
export BORG_RSH='ssh -i /root/.ssh/cx11_borg_ed25519'
BORG_REPOSITORY=ssh://borg@xoyaz.xyz:55036/srv/data/borg-backups/ouestline.xyz
BORG_ARCHIVE=${BORG_REPOSITORY}::${BACKUP_DATE}
borg create \
-v --stats --compression lzma,9 \
$BORG_ARCHIVE \
/bin /boot /etc /home /lib /lib64 /opt/appwg /opt/navidrome /root /sbin /srv /usr /var \
&gt;&gt; ${LOG_PATH} 2&gt;&amp;1
# Nettoyage des anciens backups
# On conserve
# - une archive par jour les 7 derniers jours,
# - une archive par semaine pour les 4 dernières semaines,
# - une archive par mois pour les 6 derniers mois.
borg prune \
-v --list --stats --keep-daily=7 --keep-weekly=4 --keep-monthly=6 \
$BORG_REPOSITORY \
&gt;&gt; ${LOG_PATH} 2&gt;&amp;1
</code></pre></div></div>
<p>Le rendre exécutable</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>chmod +x /root/.borg/borg-backup
</code></pre></div></div>
<h3 id="sauvegarde-journalière">Sauvegarde journalière</h3>
<p>Programmer la tâche à 3h50 du matin</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>crontab -e
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Sauvegarde sur distant avec BorgBackup
50 03 * * * /root/.borg/borg-backup &gt; /dev/null
</code></pre></div></div>
</div>
<div class="d-print-none"><footer class="article__footer"><meta itemprop="dateModified" content="2020-10-21T00:00:00+02:00"><!-- start custom article footer snippet -->
<!-- end custom article footer snippet -->
<!--
<div align="right"><a type="application/rss+xml" href="/feed.xml" title="S'abonner"><i class="fa fa-rss fa-2x"></i></a>
&emsp;</div>
-->
</footer>
<div class="article__section-navigator clearfix"><div class="previous"><span>PRÉCÉDENT</span><a href="/2020/10/21/Nginx-reverse-proxy+SSL-certbot.html">Nginx reverse proxy + SSL (certbot)</a></div><div class="next"><span>SUIVANT</span><a href="/2020/10/21/vps785909-debian-10-wgvpn.ovh.html">vps785909 debian 10 - wgvpn.ovh (ARRET 04/02/2021)</a></div></div></div>
</div>
<script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
$(function() {
var $this ,$scroll;
var $articleContent = $('.js-article-content');
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
var scroll = hasSidebar ? '.js-page-main' : 'html, body';
$scroll = $(scroll);
$articleContent.find('.highlight').each(function() {
$this = $(this);
$this.attr('data-lang', $this.find('code').attr('data-lang'));
});
$articleContent.find('h1[id], h2[id], h3[id], h4[id], h5[id], h6[id]').each(function() {
$this = $(this);
$this.append($('<a class="anchor d-print-none" aria-hidden="true"></a>').html('<i class="fas fa-anchor"></i>'));
});
$articleContent.on('click', '.anchor', function() {
$scroll.scrollToAnchor('#' + $(this).parent().attr('id'), 400);
});
});
});
})();
</script>
</div><section class="page__comments d-print-none"></section></article><!-- start custom main bottom snippet -->
<!-- end custom main bottom snippet -->
</div>
</div></div></div></div>
</div><script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
var $body = $('body'), $window = $(window);
var $pageRoot = $('.js-page-root'), $pageMain = $('.js-page-main');
var activeCount = 0;
function modal(options) {
var $root = this, visible, onChange, hideWhenWindowScroll = false;
var scrollTop;
function setOptions(options) {
var _options = options || {};
visible = _options.initialVisible === undefined ? false : show;
onChange = _options.onChange;
hideWhenWindowScroll = _options.hideWhenWindowScroll;
}
function init() {
setState(visible);
}
function setState(isShow) {
if (isShow === visible) {
return;
}
visible = isShow;
if (visible) {
activeCount++;
scrollTop = $(window).scrollTop() || $pageMain.scrollTop();
$root.addClass('modal--show');
$pageMain.scrollTop(scrollTop);
activeCount === 1 && ($pageRoot.addClass('show-modal'), $body.addClass('of-hidden'));
hideWhenWindowScroll && window.hasEvent('touchstart') && $window.on('scroll', hide);
$window.on('keyup', handleKeyup);
} else {
activeCount > 0 && activeCount--;
$root.removeClass('modal--show');
$window.scrollTop(scrollTop);
activeCount === 0 && ($pageRoot.removeClass('show-modal'), $body.removeClass('of-hidden'));
hideWhenWindowScroll && window.hasEvent('touchstart') && $window.off('scroll', hide);
$window.off('keyup', handleKeyup);
}
onChange && onChange(visible);
}
function show() {
setState(true);
}
function hide() {
setState(false);
}
function handleKeyup(e) {
// Char Code: 27 ESC
if (e.which === 27) {
hide();
}
}
setOptions(options);
init();
return {
show: show,
hide: hide,
$el: $root
};
}
$.fn.modal = modal;
});
})();
</script><div class="modal modal--overflow page__search-modal d-print-none js-page-search-modal"><script>
(function () {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
// search panel
var search = (window.search || (window.search = {}));
var useDefaultSearchBox = window.useDefaultSearchBox === undefined ?
true : window.useDefaultSearchBox ;
var $searchModal = $('.js-page-search-modal');
var $searchToggle = $('.js-search-toggle');
var searchModal = $searchModal.modal({ onChange: handleModalChange, hideWhenWindowScroll: true });
var modalVisible = false;
search.searchModal = searchModal;
var $searchBox = null;
var $searchInput = null;
var $searchClear = null;
function getModalVisible() {
return modalVisible;
}
search.getModalVisible = getModalVisible;
function handleModalChange(visible) {
modalVisible = visible;
if (visible) {
search.onShow && search.onShow();
useDefaultSearchBox && $searchInput[0] && $searchInput[0].focus();
} else {
search.onShow && search.onHide();
useDefaultSearchBox && $searchInput[0] && $searchInput[0].blur();
setTimeout(function() {
useDefaultSearchBox && ($searchInput.val(''), $searchBox.removeClass('not-empty'));
search.clear && search.clear();
window.pageAsideAffix && window.pageAsideAffix.refresh();
}, 400);
}
}
$searchToggle.on('click', function() {
modalVisible ? searchModal.hide() : searchModal.show();
});
// Char Code: 83 S, 191 /
$(window).on('keyup', function(e) {
if (!modalVisible && !window.isFormElement(e.target || e.srcElement) && (e.which === 83 || e.which === 191)) {
modalVisible || searchModal.show();
}
});
if (useDefaultSearchBox) {
$searchBox = $('.js-search-box');
$searchInput = $searchBox.children('input');
$searchClear = $searchBox.children('.js-icon-clear');
search.getSearchInput = function() {
return $searchInput.get(0);
};
search.getVal = function() {
return $searchInput.val();
};
search.setVal = function(val) {
$searchInput.val(val);
};
$searchInput.on('focus', function() {
$(this).addClass('focus');
});
$searchInput.on('blur', function() {
$(this).removeClass('focus');
});
$searchInput.on('input', window.throttle(function() {
var val = $(this).val();
if (val === '' || typeof val !== 'string') {
search.clear && search.clear();
} else {
$searchBox.addClass('not-empty');
search.onInputNotEmpty && search.onInputNotEmpty(val);
}
}, 400));
$searchClear.on('click', function() {
$searchInput.val(''); $searchBox.removeClass('not-empty');
search.clear && search.clear();
});
}
});
})();
</script><div class="search search--dark">
<div class="main">
<div class="search__header">Recherche</div>
<div class="search-bar">
<div class="search-box js-search-box">
<div class="search-box__icon-search"><i class="fas fa-search"></i></div>
<input id="search-input" type="text" />
<div class="search-box__icon-clear js-icon-clear">
<a><i class="fas fa-times"></i></a>
</div>
</div>
<button class="button button--theme-dark button--pill search__cancel js-search-toggle">
Annuler</button>
</div>
<div id="results-container" class="search-result js-search-result"></div>
</div>
</div>
<!-- Script pointing to search-script.js -->
<script>/*!
* Simple-Jekyll-Search
* Copyright 2015-2020, Christian Fei
* Licensed under the MIT License.
*/
(function(){
'use strict'
var _$Templater_7 = {
compile: compile,
setOptions: setOptions
}
const options = {}
options.pattern = /\{(.*?)\}/g
options.template = ''
options.middleware = function () {}
function setOptions (_options) {
options.pattern = _options.pattern || options.pattern
options.template = _options.template || options.template
if (typeof _options.middleware === 'function') {
options.middleware = _options.middleware
}
}
function compile (data) {
return options.template.replace(options.pattern, function (match, prop) {
const value = options.middleware(prop, data[prop], options.template)
if (typeof value !== 'undefined') {
return value
}
return data[prop] || match
})
}
'use strict';
function fuzzysearch (needle, haystack) {
var tlen = haystack.length;
var qlen = needle.length;
if (qlen > tlen) {
return false;
}
if (qlen === tlen) {
return needle === haystack;
}
outer: for (var i = 0, j = 0; i < qlen; i++) {
var nch = needle.charCodeAt(i);
while (j < tlen) {
if (haystack.charCodeAt(j++) === nch) {
continue outer;
}
}
return false;
}
return true;
}
var _$fuzzysearch_1 = fuzzysearch;
'use strict'
/* removed: const _$fuzzysearch_1 = require('fuzzysearch') */;
var _$FuzzySearchStrategy_5 = new FuzzySearchStrategy()
function FuzzySearchStrategy () {
this.matches = function (string, crit) {
return _$fuzzysearch_1(crit.toLowerCase(), string.toLowerCase())
}
}
'use strict'
var _$LiteralSearchStrategy_6 = new LiteralSearchStrategy()
function LiteralSearchStrategy () {
this.matches = function (str, crit) {
if (!str) return false
str = str.trim().toLowerCase()
crit = crit.trim().toLowerCase()
return crit.split(' ').filter(function (word) {
return str.indexOf(word) >= 0
}).length === crit.split(' ').length
}
}
'use strict'
var _$Repository_4 = {
put: put,
clear: clear,
search: search,
setOptions: __setOptions_4
}
/* removed: const _$FuzzySearchStrategy_5 = require('./SearchStrategies/FuzzySearchStrategy') */;
/* removed: const _$LiteralSearchStrategy_6 = require('./SearchStrategies/LiteralSearchStrategy') */;
function NoSort () {
return 0
}
const data = []
let opt = {}
opt.fuzzy = false
opt.limit = 10
opt.searchStrategy = opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = NoSort
opt.exclude = []
function put (data) {
if (isObject(data)) {
return addObject(data)
}
if (isArray(data)) {
return addArray(data)
}
return undefined
}
function clear () {
data.length = 0
return data
}
function isObject (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Object]'
}
function isArray (obj) {
return Boolean(obj) && Object.prototype.toString.call(obj) === '[object Array]'
}
function addObject (_data) {
data.push(_data)
return data
}
function addArray (_data) {
const added = []
clear()
for (let i = 0, len = _data.length; i < len; i++) {
if (isObject(_data[i])) {
added.push(addObject(_data[i]))
}
}
return added
}
function search (crit) {
if (!crit) {
return []
}
return findMatches(data, crit, opt.searchStrategy, opt).sort(opt.sort)
}
function __setOptions_4 (_opt) {
opt = _opt || {}
opt.fuzzy = _opt.fuzzy || false
opt.limit = _opt.limit || 10
opt.searchStrategy = _opt.fuzzy ? _$FuzzySearchStrategy_5 : _$LiteralSearchStrategy_6
opt.sort = _opt.sort || NoSort
opt.exclude = _opt.exclude || []
}
function findMatches (data, crit, strategy, opt) {
const matches = []
for (let i = 0; i < data.length && matches.length < opt.limit; i++) {
const match = findMatchesInObject(data[i], crit, strategy, opt)
if (match) {
matches.push(match)
}
}
return matches
}
function findMatchesInObject (obj, crit, strategy, opt) {
for (const key in obj) {
if (!isExcluded(obj[key], opt.exclude) && strategy.matches(obj[key], crit)) {
return obj
}
}
}
function isExcluded (term, excludedTerms) {
for (let i = 0, len = excludedTerms.length; i < len; i++) {
const excludedTerm = excludedTerms[i]
if (new RegExp(excludedTerm).test(term)) {
return true
}
}
return false
}
/* globals ActiveXObject:false */
'use strict'
var _$JSONLoader_2 = {
load: load
}
function load (location, callback) {
const xhr = getXHR()
xhr.open('GET', location, true)
xhr.onreadystatechange = createStateChangeListener(xhr, callback)
xhr.send()
}
function createStateChangeListener (xhr, callback) {
return function () {
if (xhr.readyState === 4 && xhr.status === 200) {
try {
callback(null, JSON.parse(xhr.responseText))
} catch (err) {
callback(err, null)
}
}
}
}
function getXHR () {
return window.XMLHttpRequest ? new window.XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP')
}
'use strict'
var _$OptionsValidator_3 = function OptionsValidator (params) {
if (!validateParams(params)) {
throw new Error('-- OptionsValidator: required options missing')
}
if (!(this instanceof OptionsValidator)) {
return new OptionsValidator(params)
}
const requiredOptions = params.required
this.getRequiredOptions = function () {
return requiredOptions
}
this.validate = function (parameters) {
const errors = []
requiredOptions.forEach(function (requiredOptionName) {
if (typeof parameters[requiredOptionName] === 'undefined') {
errors.push(requiredOptionName)
}
})
return errors
}
function validateParams (params) {
if (!params) {
return false
}
return typeof params.required !== 'undefined' && params.required instanceof Array
}
}
'use strict'
var _$utils_9 = {
merge: merge,
isJSON: isJSON
}
function merge (defaultParams, mergeParams) {
const mergedOptions = {}
for (const option in defaultParams) {
mergedOptions[option] = defaultParams[option]
if (typeof mergeParams[option] !== 'undefined') {
mergedOptions[option] = mergeParams[option]
}
}
return mergedOptions
}
function isJSON (json) {
try {
if (json instanceof Object && JSON.parse(JSON.stringify(json))) {
return true
}
return false
} catch (err) {
return false
}
}
var _$src_8 = {};
(function (window) {
'use strict'
let options = {
searchInput: null,
resultsContainer: null,
json: [],
success: Function.prototype,
searchResultTemplate: '<li><a href="{url}" title="{desc}">{title}</a></li>',
templateMiddleware: Function.prototype,
sortMiddleware: function () {
return 0
},
noResultsText: 'No results found',
limit: 10,
fuzzy: false,
debounceTime: null,
exclude: []
}
let debounceTimerHandle
const debounce = function (func, delayMillis) {
if (delayMillis) {
clearTimeout(debounceTimerHandle)
debounceTimerHandle = setTimeout(func, delayMillis)
} else {
func.call()
}
}
const requiredOptions = ['searchInput', 'resultsContainer', 'json']
/* removed: const _$Templater_7 = require('./Templater') */;
/* removed: const _$Repository_4 = require('./Repository') */;
/* removed: const _$JSONLoader_2 = require('./JSONLoader') */;
const optionsValidator = _$OptionsValidator_3({
required: requiredOptions
})
/* removed: const _$utils_9 = require('./utils') */;
window.SimpleJekyllSearch = function (_options) {
const errors = optionsValidator.validate(_options)
if (errors.length > 0) {
throwError('You must specify the following required options: ' + requiredOptions)
}
options = _$utils_9.merge(options, _options)
_$Templater_7.setOptions({
template: options.searchResultTemplate,
middleware: options.templateMiddleware
})
_$Repository_4.setOptions({
fuzzy: options.fuzzy,
limit: options.limit,
sort: options.sortMiddleware,
exclude: options.exclude
})
if (_$utils_9.isJSON(options.json)) {
initWithJSON(options.json)
} else {
initWithURL(options.json)
}
const rv = {
search: search
}
typeof options.success === 'function' && options.success.call(rv)
return rv
}
function initWithJSON (json) {
_$Repository_4.put(json)
registerInput()
}
function initWithURL (url) {
_$JSONLoader_2.load(url, function (err, json) {
if (err) {
throwError('failed to get JSON (' + url + ')')
}
initWithJSON(json)
})
}
function emptyResultsContainer () {
options.resultsContainer.innerHTML = ''
}
function appendToResultsContainer (text) {
options.resultsContainer.innerHTML += text
}
function registerInput () {
options.searchInput.addEventListener('input', function (e) {
if (isWhitelistedKey(e.which)) {
emptyResultsContainer()
debounce(function () { search(e.target.value) }, options.debounceTime)
}
})
}
function search (query) {
if (isValidQuery(query)) {
emptyResultsContainer()
render(_$Repository_4.search(query), query)
}
}
function render (results, query) {
const len = results.length
if (len === 0) {
return appendToResultsContainer(options.noResultsText)
}
for (let i = 0; i < len; i++) {
results[i].query = query
appendToResultsContainer(_$Templater_7.compile(results[i]))
}
}
function isValidQuery (query) {
return query && query.length > 0
}
function isWhitelistedKey (key) {
return [13, 16, 20, 37, 38, 39, 40, 91].indexOf(key) === -1
}
function throwError (message) {
throw new Error('SimpleJekyllSearch --- ' + message)
}
})(window)
}());
</script>
<!-- Configuration -->
<script>
SimpleJekyllSearch({
searchInput: document.getElementById('search-input'),
resultsContainer: document.getElementById('results-container'),
noResultsText: '<p>Aucun résultat!</p>',
json: '/search.json',
searchResultTemplate: '<li><a href="{url}">{date}&nbsp;{title}</a>&nbsp;(Création {create})</li>'
})
</script>
</div></div>
<script>(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function scrollToAnchor(anchor, duration, callback) {
var $root = this;
$root.animate({ scrollTop: $(anchor).position().top }, duration, function() {
window.history.replaceState(null, '', window.location.href.split('#')[0] + anchor);
callback && callback();
});
}
$.fn.scrollToAnchor = scrollToAnchor;
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function affix(options) {
var $root = this, $window = $(window), $scrollTarget, $scroll,
offsetBottom = 0, scrollTarget = window, scroll = window.document, disabled = false, isOverallScroller = true,
rootTop, rootLeft, rootHeight, scrollBottom, rootBottomTop,
hasInit = false, curState;
function setOptions(options) {
var _options = options || {};
_options.offsetBottom && (offsetBottom = _options.offsetBottom);
_options.scrollTarget && (scrollTarget = _options.scrollTarget);
_options.scroll && (scroll = _options.scroll);
_options.disabled !== undefined && (disabled = _options.disabled);
$scrollTarget = $(scrollTarget);
isOverallScroller = window.isOverallScroller($scrollTarget[0]);
$scroll = $(scroll);
}
function preCalc() {
top();
rootHeight = $root.outerHeight();
rootTop = $root.offset().top + (isOverallScroller ? 0 : $scrollTarget.scrollTop());
rootLeft = $root.offset().left;
}
function calc(needPreCalc) {
needPreCalc && preCalc();
scrollBottom = $scroll.outerHeight() - offsetBottom - rootHeight;
rootBottomTop = scrollBottom - rootTop;
}
function top() {
if (curState !== 'top') {
$root.removeClass('fixed').css({
left: 0,
top: 0
});
curState = 'top';
}
}
function fixed() {
if (curState !== 'fixed') {
$root.addClass('fixed').css({
left: rootLeft + 'px',
top: 0
});
curState = 'fixed';
}
}
function bottom() {
if (curState !== 'bottom') {
$root.removeClass('fixed').css({
left: 0,
top: rootBottomTop + 'px'
});
curState = 'bottom';
}
}
function setState() {
var scrollTop = $scrollTarget.scrollTop();
if (scrollTop >= rootTop && scrollTop <= scrollBottom) {
fixed();
} else if (scrollTop < rootTop) {
top();
} else {
bottom();
}
}
function init() {
if(!hasInit) {
var interval, timeout;
calc(true); setState();
// run calc every 100 millisecond
interval = setInterval(function() {
calc();
}, 100);
timeout = setTimeout(function() {
clearInterval(interval);
}, 45000);
window.pageLoad.then(function() {
setTimeout(function() {
clearInterval(interval);
clearTimeout(timeout);
}, 3000);
});
$scrollTarget.on('scroll', function() {
disabled || setState();
});
$window.on('resize', function() {
disabled || (calc(true), setState());
});
hasInit = true;
}
}
setOptions(options);
if (!disabled) {
init();
}
$window.on('resize', window.throttle(function() {
init();
}, 200));
return {
setOptions: setOptions,
refresh: function() {
calc(true, { animation: false }); setState();
}
};
}
$.fn.affix = affix;
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
function toc(options) {
var $root = this, $window = $(window), $scrollTarget, $scroller, $tocUl = $('<ul class="toc toc--ellipsis"></ul>'), $tocLi, $headings, $activeLast, $activeCur,
selectors = 'h1,h2,h3', container = 'body', scrollTarget = window, scroller = 'html, body', disabled = false,
headingsPos, scrolling = false, hasRendered = false, hasInit = false;
function setOptions(options) {
var _options = options || {};
_options.selectors && (selectors = _options.selectors);
_options.container && (container = _options.container);
_options.scrollTarget && (scrollTarget = _options.scrollTarget);
_options.scroller && (scroller = _options.scroller);
_options.disabled !== undefined && (disabled = _options.disabled);
$headings = $(container).find(selectors).filter('[id]');
$scrollTarget = $(scrollTarget);
$scroller = $(scroller);
}
function calc() {
headingsPos = [];
$headings.each(function() {
headingsPos.push(Math.floor($(this).position().top));
});
}
function setState(element, disabled) {
var scrollTop = $scrollTarget.scrollTop(), i;
if (disabled || !headingsPos || headingsPos.length < 1) { return; }
if (element) {
$activeCur = element;
} else {
for (i = 0; i < headingsPos.length; i++) {
if (scrollTop >= headingsPos[i]) {
$activeCur = $tocLi.eq(i);
} else {
$activeCur || ($activeCur = $tocLi.eq(i));
break;
}
}
}
$activeLast && $activeLast.removeClass('active');
($activeLast = $activeCur).addClass('active');
}
function render() {
if(!hasRendered) {
$root.append($tocUl);
$headings.each(function() {
var $this = $(this);
$tocUl.append($('<li></li>').addClass('toc-' + $this.prop('tagName').toLowerCase())
.append($('<a></a>').text($this.text()).attr('href', '#' + $this.prop('id'))));
});
$tocLi = $tocUl.children('li');
$tocUl.on('click', 'a', function(e) {
e.preventDefault();
var $this = $(this);
scrolling = true;
setState($this.parent());
$scroller.scrollToAnchor($this.attr('href'), 400, function() {
scrolling = false;
});
});
}
hasRendered = true;
}
function init() {
var interval, timeout;
if(!hasInit) {
render(); calc(); setState(null, scrolling);
// run calc every 100 millisecond
interval = setInterval(function() {
calc();
}, 100);
timeout = setTimeout(function() {
clearInterval(interval);
}, 45000);
window.pageLoad.then(function() {
setTimeout(function() {
clearInterval(interval);
clearTimeout(timeout);
}, 3000);
});
$scrollTarget.on('scroll', function() {
disabled || setState(null, scrolling);
});
$window.on('resize', window.throttle(function() {
if (!disabled) {
render(); calc(); setState(null, scrolling);
}
}, 100));
}
hasInit = true;
}
setOptions(options);
if (!disabled) {
init();
}
$window.on('resize', window.throttle(function() {
init();
}, 200));
return {
setOptions: setOptions
};
}
$.fn.toc = toc;
});
})();
/*(function () {
})();*/
</script><script>
/* toc must before affix, since affix need to konw toc' height. */(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
var TOC_SELECTOR = window.TEXT_VARIABLES.site.toc.selectors;
window.Lazyload.js(SOURCES.jquery, function() {
var $window = $(window);
var $articleContent = $('.js-article-content');
var $tocRoot = $('.js-toc-root'), $col2 = $('.js-col-aside');
var toc;
var tocDisabled = false;
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
var hasToc = $articleContent.find(TOC_SELECTOR).length > 0;
function disabled() {
return $col2.css('display') === 'none' || !hasToc;
}
tocDisabled = disabled();
toc = $tocRoot.toc({
selectors: TOC_SELECTOR,
container: $articleContent,
scrollTarget: hasSidebar ? '.js-page-main' : null,
scroller: hasSidebar ? '.js-page-main' : null,
disabled: tocDisabled
});
$window.on('resize', window.throttle(function() {
tocDisabled = disabled();
toc && toc.setOptions({
disabled: tocDisabled
});
}, 100));
});
})();
(function() {
var SOURCES = window.TEXT_VARIABLES.sources;
window.Lazyload.js(SOURCES.jquery, function() {
var $window = $(window), $pageFooter = $('.js-page-footer');
var $pageAside = $('.js-page-aside');
var affix;
var tocDisabled = false;
var hasSidebar = $('.js-page-root').hasClass('layout--page--sidebar');
affix = $pageAside.affix({
offsetBottom: $pageFooter.outerHeight(),
scrollTarget: hasSidebar ? '.js-page-main' : null,
scroller: hasSidebar ? '.js-page-main' : null,
scroll: hasSidebar ? $('.js-page-main').children() : null,
disabled: tocDisabled
});
$window.on('resize', window.throttle(function() {
affix && affix.setOptions({
disabled: tocDisabled
});
}, 100));
window.pageAsideAffix = affix;
});
})();
</script><!---->
</div>
<script>(function () {
var $root = document.getElementsByClassName('root')[0];
if (window.hasEvent('touchstart')) {
$root.dataset.isTouch = true;
document.addEventListener('touchstart', function(){}, false);
}
})();
</script>
</body>
</html>