Rootspirit – Yeri Tiete

Box — Docker shell server

Yeri Tiete — Fri, 24 Apr 2020 10:27:00 +0200

A couple of months ago I had the great idea to set up a shell server in Docker. Simply because my docker skillz were quite rusty and a shell server was something I actually genuinely needed.

Shell servers... so 2005. I remember in the good old IRC days people asking for (free) shell servers to run their eggdrop and stuff. OMG am I getting old? Anyhow...

I ssh quite often. I manage quite a few servers (~15?) and routers that require me to login and do some random stuff. I also work on a laptop quite often and that means closing the lid and moving around.

First of all, mosh is amazing and allows you to stay connected via ssh, even with crappy (airport/hotel) internet as well as moving around networks -- that solves half the problem. If you are not using it, start using it now!

Second, during my datacenter technician days at Google we used to have a "jump server" -- a shell server that allowed us to bridge the corporate network and ssh into prod machines. Doubt that's still used nowadays, but the idea stuck. I wanted something similar to ssh from, wherever I was, and easily connect to my servers. And as the network the shell server is running on is stable, I only need to use mosh to the shell server. Thereafter, the connection very rarely dies.

And I guess, third, I recently purchased an iPad Pro and I really need to have my local "dev" environment with my git repo that I edit quite frequently but iPadOS isn't really your average computer, and doesn't even have a proper terminal. This is my experiment to make iPadOS work as a main computer when on the move.

Enter box -- Docker shell server...

I've copied over the files I use to this example repo, and added some comments. Mind you that this repo acts as a proof of concept and isn't kept up to date, as I have my own private repo -- but this should give you a good idea on how to set up your own shell server with Docker.

start.sh -- this is a simple script that I execute when I first run or need to update the container. I execute the same file on two different servers: Liana, my Raspberry Pi at home and Ocean, my server in Amsterdam.

zsh.sh -- this installs what I care about for zsh. This could be part of the Dockerfile but for some reason I separated it. ¯\_(ツ)_/¯

git.sh -- this clones my Git repos so I can edit and commit stuff from the shell server.

run.sh -- this file is launched by Dockerfile at the end and executes what matters: the ssh daemon. It also adds a Wireguard route and executes the scripts above.

Dockerfile -- this installs everything I need and configures the whole thing. I've added tons of comments that should get you going.

I am also cloning misc and homefiles as submodules in files/ -- but you should change this to something that works for you. See the Dockerfile for more info.

Postfix & Courier & Letsencrypt

Yeri Tiete — Sun, 12 Jun 2016 13:35:10 +0200

First of all, create your certificates (the regular way). I created one with multiple domains: webmail.rootspirit.com, mail.rootspirit.com, smtp.rootspirit.com.

In my case, as the mailserver and webserver are behind a proxy (postfix, imap, Roundcube Webmail), I create the certificate on the proxy (nginx) and scp the cert to the mail server. All this is automated with a tiny script.

For Postfix, edit main.cf and change/edit/add these lines (check the right path too!):

smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/letsencrypt/webmail.privkey.pem
smtpd_tls_cert_file = /etc/ssl/letsencrypt/webmail.fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparams.pem
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel=1
smtp_tls_loglevel=1

And restart postfix: /etc/init.d/postfix restart

As for Courier you’ll need to concatenate the files (again, check the path, it’s most likely /etc/letsencrypt/live/domain/xyz.pem):

cat /etc/ssl/letsencrypt/webmail.privkey.pem /etc/ssl/letsencrypt/webmail.fullchain.pem > /etc/ssl/letsencrypt/webmail.all.pem

Then edit both /etc/courier/pop3d-ssl and /etc/courier/imapd-ssl

And add/change the path of the certificate:

TLS_CERTFILE=/etc/ssl/letsencrypt/webmail.all.pem

And restart Courier: /etc/init.d/courier-imap-ssl restart && /etc/init.d/courier-pop-ssl restart

Gmail & Postfix: unencrypted emails?

Yeri Tiete — Mon, 07 Mar 2016 19:14:52 +0100

If you're running Postfix, add this line to main.cf:

smtp_tls_security_level = may

Restart Postfix, and retry.

PS: You can set encrypt instead of may -- but this can cause issues with Amavis and/or SpamAssassin.

Theme

Yeri Tiete — Sat, 27 Dec 2014 06:47:34 +0100

I had the same theme for over four years. I’ve made quite a few custom css and PHP edits myself, and it had been outdated for ages… But it served me well.

However, it’s now time for something new.

As always, as minimalistic as possible.

On a side note, this blog has been moved from vm1 (and one before that) a virtual machine running on a dual Xeon 3070 (2.66Ghz) at Databarn to Akama, a VM on an 8 core Xeon E3-1230 (3.2Ghz) at Leaseweb.

I’ve also correctly repaired IPv6 on this blog. Apparently nginx never and/or stopped correctly listening to IPv6 (suddenly my Android devices displayed errors on this page, Chrome & Firefox on OS X seemed to fall back to IPv4 instantly… Not sure how long it was broken, but it’s back).

Note to self:

listen          yeri.be:443;
server_name     yeri.be;

Does not work with IPv6, it has to be

listen          [::]:443;
server_name     yeri.be;

Blog's back

Yeri Tiete — Sat, 19 Nov 2011 19:11:43 +0100

Yay, after some hardware issues my blog’s back.

Zero had a corrupt reiserfs. Decommissioned the old P4 and replaced by a brand new dual Xeon. Running Xen and Debian instead of Gentoo.

And shortly there after Four (the server that hosts this VM), the Ubuntu host with Xen refused to start its networking, so I decided to start a fresh install (Debian as well this time).

One, who also had a broken hard disk (an old P3) got decommed as well.

One

Yeri Tiete — Tue, 05 Jul 2011 22:36:27 +0200

Oh lord. I seem to have entirely forgotten One’s, euh, uptime-day. (Yea, blame my business trips in Beijing & San Francisco for that).

But… Over 2 years! yay

Theme, blog, and stuff

Yeri Tiete — Sun, 16 Jan 2011 00:12:45 +0100

As you noticed… Or perhaps didn’t notice, I’ve started using a new, simplistic theme a couple of days ago.

Kinda thought it might be too simplistic (I’ve hidden the sidebar, there’s no search or archive, etc), but I started to, you know, get attached to it.

So it’s here to stay, for a year or something. I guess.

I’ve also noticed that the long load times on my blog were WP_Buzz’s fault. Nice plugin, but 15 to 45 seconds of load time per uncached page wasn’t really worth it. Hope it can be fixed.

I’ve always thought it was One that wasn’t keeping up with the SQL queries, and as refreshing the page always fixed my problem, I thought it just was bad luck and/or my dodgy connection. Until I saw WordPress was doing half a minute for about 90ish SQL queries… Per page.

But on the other hand, seems like changing from One to vm1 was useful after all:

Anyway, to search on this blog use Google or, if you have Chrome, type in blog.tuinslak and add your search query. Kinda rocks feature!

Been on posting spree lately. Not all post quite as useful, but hey. Let’s see how long I keep up! ;)

Zero

Yeri Tiete — Sat, 01 Jan 2011 15:52:52 +0100

Big grats to good old Zero and its one year uptime! ;)

Four

Yeri Tiete — Thu, 22 Jul 2010 12:49:52 +0200

Has a year uptime as well! Yay ;)

It's the one at the bottom. Running Ubuntu as OS (Dom0) and several Xen virtual machines (such as the nginx reverse proxy cache of this blog). Four is a dual core Xeon with 8Gb RAM.

One

Yeri Tiete — Fri, 28 May 2010 18:00:30 +0200

Big grats to One, with its one year uptime. ;) And been running for over 1500 days ! Old server is getting old. :(

(The 2nd one from the top ;), resting on that Xserve)

This is an old dual P3 I got off eBay years ago. This blog is running on that server. It's running Gentoo as OS.

Next up is Four and about an hour after that Two! Geekyness!

Public DNS server

Yeri Tiete — Tue, 16 Feb 2010 17:11:48 +0100

I have been running a public DNS server for private purpose (never liked my ISP’s DNS servers, and the root servers were usually located too far away (at least those with easy to remember IPs).

Anyway, been testing it since this summer, and so far it’s been working great.

the DNS server running on a Debian virtual machine, hosted by Rootspirit, near Amsterdam.

IP address: 85.12.6.171

Hostname: vm1.rootspirit.com

Might not be an easy to remember IP address (unlike 4.2.2.1), but as I use that IP pretty much every day, it’s okay for me. ;)

Edit: Let me remind you that I do not agree with NX domain hijacking, or falsifying/redirecting certain DNS requests (such as OpenDNS google.com to google.navigation.opendns.com or the Belgian ban on stopkinderporno.com and redirecting it to 84.199.40.99).

Check out this awesome tool to find the best DNS servers near you.