RAJUBK BLOGS

Category: Homelab

  • How can I schedule a nightly reboot?

    How can I schedule a nightly reboot?

    I’d use cron (should already be installed):

    sudo crontab -e

    The first time you might have to choose your preferred editor (like nano)

    Insert a line like

    0 4   *   *   *    /sbin/shutdown -r +5

    at the bottom. Explanation:

    m      h    dom        mon   dow       command
minute hour dayOfMonth Month dayOfWeek commandToRun

    would announce the reboot every day at 4:00am, then reboot 5 minutes later (at 4:05am).

    Ctrl+XYEnter should get you out of crontab (if using nano)

    Note: you might have to run crontab -e as root, because shutdown needs root. crontab -e opens a file in /tmp instead of the actual crontab so that it can check your new crontab for errors. If there are no errors, then your actual crontab will be updated.

  • Nginx config for webserver

    Nginx config for webserver

    server {
    server_name *.rajubk.com;
    client_max_body_size 1G;

    location / {
        proxy_pass http://localhost:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "geolocation=(), microphone=()" always;
    add_header X-XSS-Protection "1; mode=block" always;
}

# HTTP redirect block
server {
    listen 80;
    server_name *.rajubk.com;
    return 301 https://$host$request_uri;
}
    cd /etc/nginx/sites-enabled/
ln -s ../sites-available/minio
nginx -t
systemctl reload nginx
  • Install minio on ubuntu with docker compose

    Install minio on ubuntu with docker compose

    services:
  minio:
    image: minio/minio:RELEASE.2025-03-12T18-04-18Z-cpuv1
    container_name: minio-server
    environment:
      MINIO_ROOT_USER: minioadmin
      MINIO_ROOT_PASSWORD: minioadmin
    ports:
      - "9000:9000" # MinIO API and Console
      - "9001:9001" # MinIO Console (if using separate port for console)
    volumes:
      - minio_data:/data # Mount a named volume for persistent data
    command: server /data --console-address ":9001"
    restart: unless-stopped

volumes:
  minio_data:
  • WP Mail SMTP

    WP Mail SMTP

    add_filter( 'wp_mail_smtp_custom_options', function( $phpmailer ) {
    $phpmailer->SMTPOptions = array(
        'ssl' => array(
            'verify_peer' => false,
            'verify_peer_name' => false,
            'allow_self_signed' => true
        )
    );
    return $phpmailer;
} );

  • Mail Server

    Mail Server

    ---------------------------> START DNS Records

A Record to Server IP for mail.domain.tld
CNAME autodiscover for mail.domain.tld
CNAME autoconfig for mail.domain.tld
MX Record for Domain.tld with Content mail.domain.tld
SRV Record _autodiscover._tcp with Content 0 5 Port 443 Target mail.domain.tld
TXT Record for Domain.tld with Content "v=spf1 ip4:YOUR_IPV4 ip6:YOUR_IPV6 -all"
TXT Record for _DMARC with Content "v=DMARC1; p=quarantine; adkim=s; aspf=s"

---------------------------> END DNS Records
    ---------------------------> START Docker Installation

apt update && apt upgrade -y
dpkg-reconfigure tzdata

sudo apt-get install ca-certificates curl 

sudo install -m 0755 -d /etc/apt/keyrings 

sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc 

sudo chmod a+r /etc/apt/keyrings/docker.asc 

echo \ 
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ 
 $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \ 
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null 

sudo apt-get update 

apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin 

systemctl start docker 

systemctl enable docker 

docker run hello-world

---------------------------> END Docker Installation
    ---------------------------> START Mailcow Installation

mkdir /docker
mkdir /docker/mailcow && cd /docker/mailcow

git clone https://github.com/mailcow/mailcow-dockerized

cd mailcow-dockerized

./generate_config.sh

Vim mailcow.conf

# SMTP
sudo ufw allow 25/tcp

# Submission
sudo ufw allow 587/tcp

# SMTPS (deprecated but sometimes used)
sudo ufw allow 465/tcp

# IMAP (unencrypted, STARTTLS)
sudo ufw allow 143/tcp

# IMAPS (SSL/TLS)
sudo ufw allow 993/tcp

# POP3 (unencrypted, STARTTLS)
sudo ufw allow 110/tcp

# POP3S (SSL/TLS)
sudo ufw allow 995/tcp

# Sieve (for mail filtering scripts like vacation replies)
sudo ufw allow 4190/tcp

sudo ufw status

Vim docker-compose.yml

docker compose up -d

---------------------------> END Mailcow Installation
    ---------------------------> START NGINX Installation
mkdir /root/.secrets/certbot/
vim /root/.secrets/certbot/cloudflare.ini

dns_cloudflare_api_token = TOKEN

chmod 600 /root/.secrets/certbot/cloudflare.ini 

apt install certbot python3-certbot-dns-cloudflare

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
  -d '*.domain.tld' -d domain.tld \
  --preferred-challenges dns-01 \
  --agree-tos --no-eff-email --email [email protected]

apt install nginx

cd /etc/nginx/sites-available
vim mail_domain_tld

cd ../sites-enabled
ln -s ../sites-available/mail_domain_tld

nginx -t

systemctl reload nginx

---------------------------> END NGINX Installation
    ---------------------------> START Mailcow Login

admin
moohoo

---------------------------> START Mailcow Login
    ---------------------------> START DNS Records Part 2

TLSA for _25._tcp.mail.domain.tld 3 1 1 [Value from Mailcow]

TXT for dkim._domainkey.domain.tld [Value from Mailcow]

---------------------------> END DNS Records Part 2

    server {
    server_name domain.tld mail.domain.tld autodiscover.domain.tld autoconfig.domain.tld;
    client_max_body_size 1G;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "geolocation=(), microphone=()" always;
    add_header X-XSS-Protection "1; mode=block" always;
}

# HTTP redirect block
server {
    listen 80;
    server_name domain.tld mail.domain.tld autodiscover.domain.tld autoconfig.domain.tld;
    return 301 https://$host$request_uri;
}
  • Get letsencrypt ssl certificate from cloudflare

    Get letsencrypt ssl certificate from cloudflare

    Method 1:

    sudo apt install certbot python3-certbot-dns-cloudflare -y

sudo nano /etc/letsencrypt/cloudflare.conf

dns_cloudflare_email="<email-id>"
dns_cloudflare_api_key="<api-key>" # Replace with your Cloudflare API key (Not API Token)

sudo chmod 600 /etc/letsencrypt/cloudflare.conf

sudo certbot certonly --dns-cloudflare --manual-public-ip-logging-ok -d sample.com -d *.sample.com --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py

    Method 2:

    mkdir /root/.secrets/certbot/
vim /root/.secrets/certbot/cloudflare.ini

dns_cloudflare_api_token = TOKEN

chmod 600 /root/.secrets/certbot/cloudflare.ini 

apt install certbot python3-certbot-dns-cloudflare

sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini \
  -d '*.domain.tld' -d domain.tld \
  --preferred-challenges dns-01 \
  --agree-tos --no-eff-email --email [email protected]

apt install nginx

cd /etc/nginx/sites-available
vim mail_domain_tld

cd ../sites-enabled
ln -s ../sites-available/mail_domain_tld

nginx -t

systemctl reload nginx
  • WordPress with Nginx and ssl

    WordPress with Nginx and ssl

    Install Nginx on Ubuntu 20.04 LTS

    sudo apt update && sudo apt upgrade -y
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx

    Install PHP 8.3 and its dependencies

    sudo apt install software-properties-common -y
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php8.3-fpm php8.3-mysql php8.3-curl php8.3-mbstring php8.3-xml php8.3-zip php8.3-gd -y

sudo systemctl start php8.3-fpm
sudo systemctl enable php8.3-fpm

php -v

    Install MariaDB and its dependencies

    sudo apt install mariadb-server -y

sudo systemctl start mariadb
sudo systemctl enable mariadb

sudo mysql_secure_installation

    Create a new database and user for WordPress

    sudo mysql -u root -p

CREATE DATABASE wordpress;
CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'secure_password'; # Replace with your desired password
GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'localhost';
FLUSH PRIVILEGES;
EXIT;

    Download and extract WordPress

    cd /var/www/html

sudo wget https://wordpress.org/latest.tar.gz
sudo tar -xvzf latest.tar.gz
sudo rm latest.tar.gz

sudo chown -R www-data:www-data /var/www/html/wordpress
sudo chmod -R 755 /var/www/html/wordpress

sudo mv /var/www/html/wordpress/wp-config-sample.php /var/www/html/wordpress/wp-config.php

sudo nano /var/www/html/wordpress/wp-config.php

define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'secure_password' ); # Replace with your password
define( 'DB_HOST', 'localhost' );

    Create a new Nginx configuration file for WordPress

    sudo nano /etc/nginx/sites-available/wordpress

server {
    listen 80;
    server_name wp.rajubk.com;

    return 301 https://wp.rajubk.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name wp.rajubk.com;

    root /var/www/html/wordpress;
    index index.php;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/rajubk.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rajubk.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rajubk.com/chain.pem;

    # Log files
    access_log /var/log/nginx/sample.com.access.log;
    error_log /var/log/nginx/sample.com.error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }
}

sudo ln -s /etc/nginx/sites-available/wordpress /etc/nginx/sites-enabled/

sudo nginx -t

sudo systemctl reload nginx