Tuesday, December 22, 2020

Books I've read during 2019 and 2020

Here's the list of books I've read during 2019 and 2020. I recommend all of these books to anyone who's interested in reading them.

The books are broken down into three broad categories:

1. Technology - all technology-related books, including architecture, software team management, mobile app design, DevOps, etc. I didn't see the point of breaking them down further.

2. Financial - this category is dedicated to personal finance, wealth management, business modelling and economics books.

3. Personal - covers the other books that didn't fit well into the first two categories.


Happy reading and happy learning everyone!!!


Technology

Financial

Personal

Monday, December 14, 2020

Setup NewRelic for servers

To get a bit more insight into the servers I'm running, I decided to try out the NewRelic One platform. It comes with a free tier that I believe will be enough to host my logs for a reasonable amount of time.

This post is best read together with my previous post on centralised log management for the nextcloud server, which can be found at https://rarepraveen.blogspot.com/2020/09/centralised-logging-for-nextcloud.html.

Steps I followed:

  1. Set up a NewRelic account
  2. Set up the fluentd output for NewRelic
    1. sudo /usr/sbin/td-agent-gem install fluent-plugin-newrelic
    2. Add the relevant match clause to /etc/td-agent/td-agent.conf
    3. sudo systemctl restart td-agent
  3. Set up the NewRelic OS agent
    1. Follow the NewRelic guide for setting up the OS agent at https://docs.newrelic.com/docs/infrastructure/install-infrastructure-agent/configuration/configure-infrastructure-agent
    2. Verify the service is running
      1. sudo systemctl status newrelic-infra.service
That's it for now.




Thursday, October 15, 2020

Setup AdGuard Home on DigitalOcean - 1 Basic Setup (from scratch)

It's time to reduce screen time and distractions by blocking common ad-serving platforms on my personal devices. On my laptop I usually have an ad blocker installed in the browser, but on my mobile devices I currently don't use any. So it will be useful to set up a DNS-level ad blocker that I can share with family and friends as needed.

After doing some research on the platforms available, I decided to give AdGuard Home a try. Given that it acts as a DNS server, it can be replaced later without any issues.

Once the functional aspects are set up properly, I will have time to worry about non-functional requirements (security / backup, restore / monitoring / performance / cost efficiency / high availability / etc.).

Here are the steps I followed:
  1. https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04
  2. https://frankindev.com/2019/11/26/doh-dot-based-on-adguardhome/
    1. sudo apt-get update
    2. sudo apt-get upgrade
    3. sudo apt install bind9-host (this is already installed automatically)
    4. sudo mkdir /etc/adguardhome
    5. sudo chown sammy:sammy /etc/adguardhome
    6. wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz and extract it (tar -xvf AdGuardHome_linux_amd64.tar.gz && cd AdGuardHome)
    7. sudo ./AdGuardHome -s install
    8. sudo ufw allow <port number for webportal>
    9. setup via webportal
    10. sudo apt install software-properties-common
    11. sudo add-apt-repository ppa:certbot/certbot
    12. sudo apt update
    13. sudo apt install certbot
    14. sudo certbot certonly --manual --preferred-challenges=dns
    15. go through the steps and setup the certificates
    16. go to Adguard webportal encryption settings and follow the steps
  3. Setup android device DNS over HTTPS
    1. download nebulo app from app store
    2. add the new server via DNS over TLS or DNS over HTTPS
    3. go back and refresh dashboard to see if the new client is registered
  4. Setup OSX device
    1. Todo
  5. Setup iOS device
    1. Todo
  6. UFW block for regional IP addresses 
    1. https://scottlinux.com/2013/08/30/block-geo-region-list-of-ips-with-ufw-in-linux/
    2. download the ip list with CIDR format and copy it over to the server
    3. while read line; do sudo ufw delete allow from "$line"; done < cdir-list.txt
    4. while read line; do sudo ufw allow from "$line" to any port 9003; done < cdir-list.txt
  7. Take backup of the server
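An added example for step 6 (this is not from the original post): rather than piping every line of the downloaded list straight into sudo ufw, validate each entry first and generate the rules into a file you can review before applying. The port (9003, as in the post), the default "allow" action, and the sample addresses in the demo are assumptions / constructed values.

```shell
#!/bin/sh
# Added example, not from the original post: build the ufw rules for step 6
# from a downloaded CIDR list, validating every line first so that a
# malformed line (or a hostile one, if the list came from somewhere you do
# not control) never reaches "sudo ufw". Assumptions: one IPv4 CIDR per line,
# '#' comments allowed, and the web portal on port 9003 as in the post.

PORTAL_PORT=9003

# valid_cidr A.B.C.D/N -> 0 for a well-formed IPv4 CIDR, 1 otherwise
valid_cidr() {
  case $1 in
    */*) ip=${1%/*}; plen=${1#*/} ;;
    *) return 1 ;;
  esac
  # prefix length: digits only, 0..32
  case $plen in '' | *[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  # address: digits and dots only (this also keeps "set --" below from
  # globbing), exactly four octets, each 0..255
  case $ip in '' | *[!0-9.]*) return 1 ;; esac
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    case $oct in '' | *[!0-9]*) return 1 ;; esac
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# ufw_rules FILE [ACTION] -> one "ufw ACTION from CIDR to any port PORT" line
# per valid entry (ACTION defaults to "allow"; use "delete allow" to undo).
# Skips blank lines and comments, reports bad lines on stderr and returns 1
# so the caller can abort before applying anything.
ufw_rules() {
  file=$1; action=${2:-allow}; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $line in '' | '#'*) continue ;; esac
    if valid_cidr "$line"; then
      printf 'ufw %s from %s to any port %s\n' "$action" "$line" "$PORTAL_PORT"
    else
      printf 'ufw_rules: skipping invalid entry: %s\n' "$line" >&2
      bad=1
    fi
  done < "$file"
  return $bad
}

# usage on the server, after reviewing the generated file:
#   ufw_rules cdir-list.txt > allow-portal.sh && sudo sh allow-portal.sh
case ${1:-} in
  --demo)
    # constructed sample list: two valid prefixes, one bad prefix length, one bad octet
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample' '203.0.113.0/24' '198.51.100.0/25' \
      '203.0.113.0/33' '192.0.2.256/24' > "$tmp"
    ufw_rules "$tmp"; rc=$?
    rm -f "$tmp"
    exit $rc ;;
esac
```

Running `sh geo-rules.sh --demo` prints the two good rules and flags the two bad lines on stderr with a non-zero exit, which is the point: a list with a single broken entry should stop the run instead of silently adding half the rules. To mirror the delete-then-allow sequence from steps 6.3 and 6.4, generate once with `delete allow` and once with the default action.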

Additional reading material:
  • https://medium.com/@nykolas.z/troubleshooting-dns-over-https

Saturday, September 12, 2020

Centralised logging for nextcloud server - 5 Log management

With most of the functional setup complete for nextcloud (as documented in my previous blog entries), it's time to move on to centralised log management and application monitoring. I'm going to choose EFK as my logging stack, which I believe is one of the most popular log management stacks in the world.

However, instead of hosting and maintaining my own EFK stack, I'm going to rely on a third party such as logz.io or Sematext to host the stack for me. Both providers seem to have good functional coverage and come with a free tier for trying out the full feature set. This leaves me with installing and configuring fluentd on my server.

Here are the steps I followed:

  1. Download and install fluentd
    1. Check the pre-installation checklist at https://docs.fluentd.org/installation/before-install
      1. I didn't end up changing anything on my server for now.
    2. Follow the installation guide
      1. curl -L https://toolbelt.treasuredata.com/sh/install-ubuntu-bionic-td-agent4.sh | sh
      2. remove all config at /etc/td-agent/td-agent.conf
      3. systemctl restart td-agent
  2. Setup input source for syslog
    1. https://docs.fluentd.org/input/syslog
    2. update /etc/td-agent/td-agent.conf
    3. update /etc/rsyslog.conf
    4. restart both services
  3. Setup input source apache
    1. https://docs.fluentd.org/v/0.12/articles/recipe-apache-logs-to-elasticsearch
    2. Setup sources for access and error logs
  4. Setup input source MySQL
    1. The MySQL error log is now managed via syslog, so there's nothing to do in td-agent.conf
  5. Setup input source Nextcloud
    1. setup tail source for nextcloud log at /var/log/nextcloud.log
  6. Setup output source for elastic (logz.io)
    1. sudo /usr/sbin/td-agent-gem install fluent-plugin-elasticsearch
    2. sudo /usr/sbin/td-agent-gem install fluentd fluent-plugin-logzio
    3. Add the relevant match clause to /etc/td-agent/td-agent.conf
  7. Give read access to <user> on /var/log
    1. sudo chmod -R o+r /var/log/
    2. sudo chmod og+rx /var/log/apache2
    3. sudo chmod og+rx /var/log/mysql
  8. Give td-agent user access to log files
    1. sudo usermod -a -G adm td-agent
  9. Give td-agent user access to apache2 log files
    1. sudo setfacl -m u:td-agent:rx /var/log/apache2
    2. sudo vi /etc/logrotate.d/apache2
    3. add the config to update ACL to error and other-vhosts-access files
  10. Setup logrotate for nextcloud log and give td-agent user access
    1. sudo setfacl -m u:td-agent:rx /var/log/nextcloud.log
    2. sudo vi /etc/logrotate.d/nextcloud
    3. add logrotate config (https://help.nextcloud.com/t/logfile-does-not-rotate/29342/7)
    4. add the config to update ACL to nextcloud.log file
  11. TODO: Add backup/archive logic for logs  
    1. Finalise how to archive the logs to a preferred cloud storage 
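The td-agent.conf built up in steps 2-6, the NewRelic match clause from the later "Setup NewRelic for servers" post, and the logrotate/ACL config from steps 9-10, as one added example. This is not the blog's own config: the plugin parameter names are assumptions to be checked against the fluent-plugin-logzio and fluent-plugin-newrelic READMEs, the logz.io listener host is region-specific, and the script assumes the td-agent wrapper accepts fluentd's --dry-run flag.

```shell
#!/bin/sh
# Added example, not the blog's own config: render the td-agent.conf this post
# builds up (syslog, apache and nextcloud inputs; logz.io output) together with
# the NewRelic output from the "Setup NewRelic for servers" post, plus the
# logrotate stanza for /var/log/nextcloud.log that re-applies the td-agent ACL
# after rotation. Assumptions: plugin parameter names as in the plugin READMEs
# (verify them), region-specific logz.io listener host, --dry-run accepted.

# render_td_agent_conf LOGZIO_TOKEN NEWRELIC_KEY -> config on stdout
render_td_agent_conf() {
  logzio_token=$1; newrelic_key=$2
  cat <<EOF
# rsyslog forwards with "*.* @127.0.0.1:5140"; bind to loopback so the
# collector is not reachable from outside (the plugin default is 0.0.0.0)
<source>
  @type syslog
  port 5140
  bind 127.0.0.1
  tag system
</source>

<source>
  @type tail
  path /var/log/apache2/other_vhosts_access.log
  pos_file /var/log/td-agent/apache-access.pos
  tag apache.access
  <parse>
    @type apache2
  </parse>
</source>

# nextcloud writes one JSON object per line when log_type is "file"
<source>
  @type tail
  path /var/log/nextcloud.log
  pos_file /var/log/td-agent/nextcloud.pos
  tag nextcloud
  <parse>
    @type json
  </parse>
</source>

# one match, two destinations
<match **>
  @type copy
  <store>
    @type logzio_buffered
    endpoint_url https://listener.logz.io:8071?token=${logzio_token}&type=nextcloud
    output_include_time true
    output_include_tags true
  </store>
  <store>
    @type newrelic
    api_key ${newrelic_key}
  </store>
</match>
EOF
}

# render_logrotate_nextcloud -> stanza for /etc/logrotate.d/nextcloud. "create"
# makes the new file readable by the adm group only, and postrotate re-adds the
# td-agent ACL that a freshly created file does not inherit (steps 9-10 above).
render_logrotate_nextcloud() {
  cat <<'EOF'
/var/log/nextcloud.log {
  weekly
  rotate 8
  missingok
  notifempty
  compress
  delaycompress
  create 0640 www-data adm
  postrotate
    setfacl -m u:td-agent:r /var/log/nextcloud.log
  endscript
}
EOF
}

# install_all LOGZIO_TOKEN NEWRELIC_KEY -> validate, write both files with
# tight modes (td-agent.conf now carries two API keys) and restart the agent
install_all() {
  tmp=$(mktemp) || return 1
  render_td_agent_conf "$1" "$2" > "$tmp"
  if ! sudo td-agent --dry-run -c "$tmp"; then rm -f "$tmp"; return 1; fi
  sudo install -o root -g td-agent -m 0640 "$tmp" /etc/td-agent/td-agent.conf
  rm -f "$tmp"
  render_logrotate_nextcloud | sudo tee /etc/logrotate.d/nextcloud > /dev/null
  sudo setfacl -m u:td-agent:r /var/log/nextcloud.log
  sudo systemctl restart td-agent
}

case ${1:-} in install) install_all "$2" "$3" ;; esac
```

Run it as `sh td-agent-setup.sh install <logz.io token> <NewRelic key>`. One thing worth noting about step 7 above: `chmod -R o+r /var/log/` makes every log on the box readable by every local user, while the adm group and setfacl route in steps 8-10 gives td-agent the same access on its own; once the ACLs are in place the `o+r` can be reverted.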



Additional reading:

Tuesday, August 04, 2020

Enable automated backups for Nextcloud - 4 backups

Once I had the entire nextcloud setup with mobile client sync, it was important to have the backup process set up before adding more users/files. This makes the installation more reliable as personal data storage, and allows point-in-time recovery for all the data in your nextcloud.

The target is to set up the 3-2-1 backup rule for my nextcloud instance at a minimum. If you are not familiar with this general backup guideline, I suggest you read more on it before you proceed.
  • 3 copies of production data
  • 2 media types
    • Elastic File System (non-versioned)
    • Object Storage (versioned)
  • 1 offline copy (versioned) - setting up the offline copy isn't covered in this page

There are the following options to choose from when deciding how to use the object storage as the versioned backup solution:
  1. Set up object storage as a filesystem (s3fs)
    • (pro) get a point-in-time copy of data that isn't cloud-provider dependent
    • (pro) allows the backup shell script to take care of object rotation
    • (con) unnecessarily exposes all backup data in the filesystem
    • (con) makes it harder to use the object storage from the context of another client application
  2. Use s3cmd for uploading the backup
    • (pro) can use s3cmd sync for storage/filesystem backup
    • (con) need to manage lifecycle/versions of data outside the backup script
  3. Use cloud-provider native snapshots
    • (pro) use provider-specific APIs to take snapshots of compute and block storage
    • (pro) easiest/fastest recovery option
    • (con) snapshots aren't useful outside the cloud provider
I prefer option 2 as of now, and given there's flexibility to change the backup design as the service scales, I don't see the need to over-engineer it yet. In the near future I will have both option 2 and option 3 running in parallel.

Here are the steps I followed:
  1. Setup the DigitalOcean Space and get a managed key
  2. Install and Configure S3cmd
    1. https://www.digitalocean.com/docs/spaces/resources/s3cmd/
    2. sudo apt-get update
    3. sudo apt-cache madison s3cmd (make sure the version is above 2)
    4. sudo apt-get install s3cmd -y
    5. sudo s3cmd --configure (go through the interactive process)
  3. Create Backup folder
    1. sudo mkdir -p /media/nextcloud_data/backups
    2. sudo mkdir -p /media/nextcloud_data/backups/logs
    3. sudo mkdir -p /media/nextcloud_data/backups/tmp
  4. Create backup script
    1. sudo vim /usr/sbin/nextcloudbackup.sh
    2. Todo: get script from github
    3. sudo chmod +x /usr/sbin/nextcloudbackup.sh
    4. sudo /usr/sbin/nextcloudbackup.sh
  5. Cron setup
    1. sudo visudo
    2. opuser ALL=(ALL) NOPASSWD: /usr/sbin/nextcloudbackup.sh
    3. sudo crontab -u <username> -e
    4. 0 2 * * * sudo /usr/sbin/nextcloudbackup.sh
  6. Backup pod and volume
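The backup script that step 4 leaves on GitHub, as an added example that is not the post's own script: it implements option 2 above (one archive in the local backup folder, one pushed to the Space with s3cmd, local rotation done by the script while the Space's versioning keeps history). The bucket name s3://nc-backups, the DB name nextcloud and the credentials file /root/.nextcloud-backup.cnf are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script: a small nextcloud backup implementing
# option 2 from the post. Assumed values: the folder layout from step 3, DB
# name "nextcloud", the bucket "s3://nc-backups" (placeholder), a root-only
# /root/.nextcloud-backup.cnf holding the DB credentials (so they are never on
# the command line), and the script installed at /usr/sbin/nextcloudbackup.sh.
set -u
NC_DIR=/var/www/nextcloud
DATA_DIR=/media/nextcloud_data/data
BACKUP_DIR=/media/nextcloud_data/backups
BUCKET=s3://nc-backups   # placeholder
KEEP=7                   # local archives to keep; the Space keeps history itself

# backup_name STAMP -> archive file name (stamp passed in so it is testable)
backup_name() { printf 'nextcloud-%s.tar.gz' "$1"; }

# to_prune KEEP NAME... -> the names beyond the newest KEEP, one per line
# (names embed a sortable timestamp, so a reverse sort puts the newest first)
to_prune() {
  keep=$1; shift
  printf '%s\n' "$@" | sort -r | awk -v keep="$keep" 'NR > keep'
}

# mode_is_writable_by_others OCTAL -> 0 if the group or other write bit is set
mode_is_writable_by_others() {
  case $1 in
    *[2367][0-7] | *[0-7][2367]) return 0 ;;
  esac
  return 1
}

# script_is_safe_for_sudo PATH -> 0 if root-owned and not writable by others.
# Step 5 adds a NOPASSWD sudoers line for this script; with that line, anyone
# able to edit the file can run arbitrary commands as root, so refuse to run
# unless the file is locked down.
script_is_safe_for_sudo() {
  info=$(stat -c '%U %a' "$1") || return 1
  set -- $info
  [ "$1" = root ] && ! mode_is_writable_by_others "$2"
}

run_backup() {
  stamp=$(date +%Y%m%d-%H%M%S)
  archive=$BACKUP_DIR/$(backup_name "$stamp")
  script_is_safe_for_sudo "$0" || {
    echo "refusing: $0 must be root-owned and not group/world writable" >&2; return 1; }
  # freeze writes so the DB dump and the file archive describe the same state
  sudo -u www-data php "$NC_DIR/occ" maintenance:mode --on
  trap 'sudo -u www-data php "$NC_DIR/occ" maintenance:mode --off' EXIT
  mysqldump --defaults-extra-file=/root/.nextcloud-backup.cnf nextcloud > "$BACKUP_DIR/tmp/db.sql"
  tar -czf "$archive" -C / "${NC_DIR#/}/config" "${DATA_DIR#/}" -C "$BACKUP_DIR/tmp" db.sql
  sudo -u www-data php "$NC_DIR/occ" maintenance:mode --off
  trap - EXIT
  # second copy on the second medium (object storage, versioning enabled)
  s3cmd put "$archive" "$BUCKET/"
  # local rotation only; older versions in the Space follow its lifecycle rules
  for old in $(to_prune "$KEEP" "$BACKUP_DIR"/nextcloud-*.tar.gz); do
    [ -f "$old" ] && rm -f "$old"
  done
}

case ${1:-} in run) run_backup >> "$BACKUP_DIR/logs/backup.log" 2>&1 ;; esac
```

Install it with `sudo install -o root -g root -m 0755 nextcloudbackup.sh /usr/sbin/nextcloudbackup.sh` and point the cron line from step 5 at `/usr/sbin/nextcloudbackup.sh run`. The ownership/mode check at the start is what makes the NOPASSWD entry from step 5.2 safe to keep: the script only runs if nobody but root can change what sudo will execute.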

Reading material:

Sunday, August 02, 2020

Set up nextcloud on Digitalocean - 3 basic setup (from scratch)

Once I gained enough confidence that nextcloud was my choice of system for replacing my cloud storage providers, I decided it was best to set up nextcloud from scratch instead of using the snap-based installation, to make sure I have more fine-grained control over the nextcloud config, debug controls, tinkering with code-level patches, etc.

I'm not going to worry about scripting the entire installation in Chef/Puppet yet. This will be done later when the project is ready to be productionised.

Once the functional aspects are set up properly, I will have time to worry about non-functional requirements (security / backup, restore / monitoring / performance / cost efficiency / high availability / etc.).

Here are the steps I followed:
  1. https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04
  2. sudo apt-get update
  3. sudo apt-get upgrade
  4. https://www.youtube.com/watch?v=wd6NvOFERJc
    1. sudo apt install -y apache2 mariadb-server mariadb-client php libapache2-mod-php php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip
    2. sudo systemctl start apache2
    3. sudo systemctl start mariadb
    4. sudo systemctl enable apache2
    5. sudo systemctl enable mariadb
    6. sudo mysql_secure_installation (follow through the steps)
    7. sudo ufw allow http
    8. sudo ufw allow https
    9. sudo ufw enable
    10. Setup DB and DB user
      1. sudo mysql -u root -p
      2. create database <dbname>;
      3. create user '<name>'@'<host>' identified by '<pass>';
      4. grant all on <dbname>.* to '<name>'@'<host>';
      5. flush privileges;
    11. cd /var/www
    12. sudo wget https://download.nextcloud.com/server/releases/latest-19.tar.bz2
    13. tar -xvf <tar file>
    14. sudo chown -R www-data:www-data nextcloud/
    15. Setup Apache
      1. sudo vim /etc/apache2/sites-available/nextcloud.conf
      2. add content to conf (https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation)
      3. sudo a2ensite nextcloud.conf 
      4. sudo a2enmod rewrite
      5. sudo a2enmod headers
      6. sudo a2dissite 000-default
      7. sudo systemctl restart apache2
    16. Map block storage to droplet
      1. https://www.digitalocean.com/community/questions/configuring-volumes
      2. sudo mkdir -p /media/nextcloud_data
      3. sudo mount -o discard,defaults,noatime /dev/disk/by-id/<disk-id> /media/nextcloud_data
      4. echo '/dev/disk/by-id/<disk-id> /media/nextcloud_data ext4 defaults,nofail,discard 0 0' | sudo tee -a /etc/fstab
      5. sudo chown -R www-data:www-data /media/nextcloud_data
      6. sudo chmod -R 774 /media/nextcloud_data
      7. sudo mkdir /media/nextcloud_data/data
      8. sudo chown -R www-data:www-data /media/nextcloud_data/data
      9. sudo chmod -R 770 /media/nextcloud_data/data
    17. Go to http://<public-ip> or http://<domain> to continue with the web setup
    18. Update config.php at /var/www/nextcloud/config to add the trusted domains
    19. Setup SSL for nextcloud instance
      1. https://www.youtube.com/watch?v=mGcqC3oOINw
      2. sudo add-apt-repository ppa:certbot/certbot
      3. sudo apt install python-certbot-apache -y
      4. sudo certbot --apache -d <domain>
        1. Go through the interactive setup
    20. Follow up with part 2 to finalise the social login setup
    21. Remove all unwanted apps via nextcloud admin panel
      1. collaborative tags
      2. contacts interactions
      3. Federation
      4. First run wizard
      5. Support
      6. Usage Survey
    22. Setup PHP for memory limit and file uploads
      1. sudo vim /etc/php/7.2/apache2/php.ini
      2. memory_limit = 512M
      3. upload_max_filesize = 100M
      4. sudo systemctl restart apache2
    23. Setup MariaDB for 4byte characters
      1. sudo mysql -u root -p
      2. MariaDB prompt:  use nextcloud;
      3. MariaDB prompt:  set global innodb_large_prefix=on;
      4. MariaDB prompt:  set global innodb_file_format=Barracuda;
      5. cd /var/www/nextcloud
      6. sudo -u www-data php occ config:system:set mysql.utf8mb4 --type boolean --value="true"
      7. sudo -u www-data php occ maintenance:repair
      8. sudo -u www-data php occ maintenance:mode --off
    24. Install missing PHP libs
      1. sudo apt-get install -y php-gmp php-bcmath
      2. sudo systemctl restart apache2
    25. Setup log location
      1. update log config
        1. 'log_type' => 'file',
        2. 'logfile' => '/var/log/nextcloud.log',
        3. 'loglevel' => 2,
        4. 'logdateformat' => 'F d, Y H:i:s',
        5. 'log.condition' => [
        6.     'apps' => ['admin_audit'],
        7. ],
      2. sudo touch /var/log/nextcloud.log
      3. sudo chown www-data /var/log/nextcloud.log
      4. sudo systemctl restart apache2
    26. Change nextcloud cron to run via OS cron (you can do this via UI)
      1. https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html
      2. crontab -u www-data -e
      3. */5  *  *  *  * php -f /var/www/nextcloud/cron.php
    27. Take a backup of the pod and volume
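The database commands from step 10 above, as an added example (not from the original post): a small shell helper that renders the SQL with the grant scoped to the nextcloud database only and the user pinned to localhost (apache and MariaDB share the droplet), after validating the names so a stray quote in a variable cannot change the statement. The names nextcloud and ncuser and the /root/nc-db-pass file are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): render the step-10 SQL for
# "sudo mysql -u root -p" with the grant limited to the nextcloud database and
# the user restricted to localhost. Identifiers are validated first so a stray
# quote in a variable cannot alter the statement. Assumed names: database
# "nextcloud", user "ncuser".

# valid_ident NAME -> 0 if NAME is 1-32 characters from [A-Za-z0-9_]
valid_ident() {
  case $1 in
    '' | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  [ ${#1} -le 32 ]
}

# render_db_sql DB USER PASSWORD -> SQL on stdout, non-zero on bad input
render_db_sql() {
  db=$1; user=$2; pass=$3
  if ! valid_ident "$db" || ! valid_ident "$user"; then
    echo "render_db_sql: database and user names must match [A-Za-z0-9_]{1,32}" >&2
    return 1
  fi
  # the password becomes a string literal; refuse the two characters that
  # would end or escape it rather than trying to escape them here
  case $pass in
    '' | *\'* | *\\*) echo "render_db_sql: password must be non-empty and contain no ' or \\" >&2; return 1 ;;
  esac
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
SHOW GRANTS FOR '$user'@'localhost';
EOF
}

# usage on the droplet (password read from a root-only file rather than typed
# on the command line, where it would end up in shell history):
#   render_db_sql nextcloud ncuser "$(sudo cat /root/nc-db-pass)" | sudo mysql -u root -p
```

The closing SHOW GRANTS line is there so the output of the run confirms the account has rights on nextcloud.* and nothing else; creating the database as utf8mb4 up front also means the later "4byte characters" step only has to flip the occ setting.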

Wednesday, July 29, 2020

Social logins for nextcloud via auth0 - 2 Auth Server

Following up on the previous blog post on setting up a basic nextcloud server on DigitalOcean, the next step is to set up an auth/SSO server so I don't have to create individual users on nextcloud.

After reviewing Keycloak, Gluu and other open-source SSO managers, I decided to go with Auth0 as a hosted service. It gives me the basic functionality I need for the nextcloud setup. I'm not sure yet whether I'll have to worry about user data migration if I change auth server, but for the time being I'm not going to consider this a blocker.

Steps followed:
  1. https://medium.com/@mathiasconradt/nextcloud-single-sign-on-with-auth0-a546cdf1fccf
    1. set up an Auth0 account and follow the Auth0 config instructions
  2. log in to the nextcloud admin portal, go to apps and install the "SSO & SAML authentication" app
    1. I had to browse through the enterprise bundle to find this app
  3. go to settings -> "SSO / SAML authentication"
    1. tick "Allow the use of multiple user back-ends (e.g. LDAP)"
    2. attribute to map the UID: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    3. identity of the IdP: urn:<tenant>.eu.auth0.com
    4. URL target of the IdP: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>
    5. URL location of the IdP where the SP will send the SLO request: https://<tenant>.eu.auth0.com/samlp/<auth0_client_id>/logout
    6. public X.509 certificate of the IdP: <copy the certificate from the Auth0 application settings :: advanced>
    7. attribute to map the display name to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    8. attribute to map the email address to: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  4. Set up the redirect.html according to the article
    1. sudo vim /var/www/nextcloud/redirect.html
    2. sudo chown www-data:www-data /var/www/nextcloud/redirect.html
  5. Disable signups and enable an email allowlist for social logins on Auth0
    1. https://auth0.com/rules/simple-user-whitelist
  6. a good time to back up the droplet