

# haproxy comes from the distro repository, certbot from its snap (the snap is
# what ships the renewal timer discussed further down).
sudo apt install haproxy
sudo snap install certbot

Basic haproxy and letsencrypt installation and setup.

Generate a cert

# --standalone makes certbot answer the HTTP-01 challenge itself on port 8899
# (unprivileged, so it does not collide with haproxy on :80).  The haproxy
# letsencrypt-backend below forwards /.well-known/acme-challenge/ to
# 127.0.0.1:8899, so the two port numbers must agree.  Bracketed values are
# placeholders.
certbot certonly --standalone -d [yoursubdomain.of.your.site.majorsilence.com] --non-interactive --agree-tos --email [your email address] --http-01-port=8899

Haproxy

/etc/haproxy/haproxy.cfg

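global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        # "level admin" allows runtime changes (disabling servers, etc.) over
        # this socket; mode 660 limits it to root and the haproxy group.
        # Keep it that tight.
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Mozilla "intermediate" profile: TLS 1.2+ with AEAD ciphers only.
        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        # timeouts without a unit are milliseconds
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# Plain HTTP on IPv4 and IPv6.  Only ACME challenges are served here;
# everything else is sent to HTTPS.
frontend letsencrypt-frontend
    bind :80
    bind :::80
    mode http
    acl destination_letsencrypt-backend00 path_beg /.well-known/acme-challenge/
    # Without this, non-ACME requests have no backend and get a 503.  The
    # redirect lives here rather than in my-web-app-fe because that frontend
    # only listens on 443, where "unless { ssl_fc }" could never fire.
    http-request redirect scheme https code 301 unless destination_letsencrypt-backend00
    use_backend letsencrypt-backend if destination_letsencrypt-backend00

frontend my-web-app-fe
    # The crt directory form loads every *.pem in it (chain + private key in
    # one file, as produced by /etc/cron.daily/updatecertsforhaproxy).  Keep the
    # directory readable by root only; certificates are loaded before haproxy
    # drops privileges and chroots, so 0700/0600 is sufficient.
    bind *:443 ssl crt /etc/lets-ecrypt/haproxy-gen/

    # detect domains
    # hdr_beg is a prefix match: a Host of "subdomain1.majorsilence.com.example"
    # would also match.  Use "hdr(host) -i <name>" if the backend must only be
    # reachable under the exact hostname.
    acl destination_somedomain100 hdr_beg(host) -i subdomain1.majorsilence.com
    acl destination_somedomain200 hdr_beg(host) -i subdomain2.majorsilence.com

    # specify backends
    # There is no default_backend, so requests for any other Host get a 503
    # instead of being proxied somewhere.
    use_backend somedomain1-backend if destination_somedomain100
    use_backend somedomain2-backend if destination_somedomain200

backend letsencrypt-backend
    mode http
    option forwardfor
    option httplog
    # certbot --standalone --http-01-port=8899 only listens while a challenge
    # is in progress; this backend being down the rest of the time is expected.
    server certbot 127.0.0.1:8899

# "ip:port" below are placeholders for the real application servers.
# Backend names must match the use_backend lines in my-web-app-fe exactly.
backend somedomain1-backend
    balance roundrobin
    # httpchk marks a server down when its HTTP check fails, not only when
    # the TCP connect fails
    option httpchk
    server server1 ip:port check
    server server2 ip:port check
    server server3 ip:port check

backend somedomain2-backend
    balance roundrobin
    option httpchk
    server server1 ip:port check
    server server2 ip:port check
    server server3 ip:port check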

Backend with self-signed certificates

# Alternative definition of somedomain2-backend for application servers that
# terminate TLS themselves with a self-signed certificate.  It replaces the
# plain-HTTP definition above (haproxy does not accept two backends with the
# same name), so use one or the other.
backend somedomain2-backend
    balance roundrobin
    # NOTE(review): an HTTP/1.1 check without a Host header may be rejected by
    # strict servers -- confirm against the backend, or add the header to the check.
    option httpchk GET / HTTP/1.1
    # "verify none" encrypts the hop but does not authenticate the server: any
    # host at ip:port is accepted.  Prefer "ssl verify required ca-file <path>"
    # pointing at the self-signed certificate (or its CA) so the backend is
    # pinned.
    server server1 ip:port ssl verify none
    server server2 ip:port ssl verify none
    server server3 ip:port ssl verify none

Test haproxy config

# -c only checks the configuration and exits (nothing is started), -V makes
# the output verbose.  Run this after every edit and before reloading.
haproxy -c -V -f /etc/haproxy/haproxy.cfg

certbot updates

How can this be set up to run after the snap certbot systemd timer renews the certificate?

# List the certbot-related units installed under /etc/systemd/system.
# (systemd units for snap apps are normally named snap.<snap>.<app>.service /
# .timer; "systemctl list-timers '*certbot*'" shows when the timer fires.)
cd /etc/systemd/system 
ls -l *certbot*

/etc/cron.daily/updatecertsforhaproxy

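#!/usr/bin/env bash
# Renew certificates and rebuild the PEM bundles haproxy loads, then reload.
#
# haproxy's "crt" directive wants chain and private key in one file, so each
# /etc/letsencrypt/live/<domain>/ pair is concatenated into
# /etc/lets-ecrypt/haproxy-gen/<domain>.pem.  Those bundles contain private
# keys, so the directory is created 0700 and the files 0600 (haproxy reads
# them as root before dropping privileges).
#
# Installed as /etc/cron.daily/updatecertsforhaproxy this runs once a day.
# Dropping the same script into /etc/letsencrypt/renewal-hooks/deploy/ instead
# makes certbot run it only after a certificate was actually renewed, which
# answers "how do I run this after the snap timer renews".
set -euo pipefail

readonly LIVE_DIR=/etc/letsencrypt/live
readonly OUT_DIR=/etc/lets-ecrypt/haproxy-gen
readonly DOMAINS=(
  subdomain1.majorsilence.com
  subdomain2.majorsilence.com
)

#######################################
# Concatenate fullchain + privkey for one domain into OUT_DIR/<domain>.pem.
# Globals:   LIVE_DIR, OUT_DIR (read)
# Arguments: $1 - domain name (directory name under LIVE_DIR)
# Returns:   non-zero if either input file is missing or unreadable
#######################################
build_bundle() {
  local domain=$1
  local src="${LIVE_DIR}/${domain}"
  local out="${OUT_DIR}/${domain}.pem"
  local tmp

  if [[ ! -r "${src}/fullchain.pem" || ! -r "${src}/privkey.pem" ]]; then
    printf 'missing certificate material for %s\n' "$domain" >&2
    return 1
  fi

  # Write to a temp file and rename so a reload never sees a half-written
  # bundle; mktemp creates it 0600 already.
  tmp=$(mktemp -- "${OUT_DIR}/.${domain}.XXXXXX")
  cat -- "${src}/fullchain.pem" "${src}/privkey.pem" > "$tmp"
  chmod 600 -- "$tmp"
  mv -f -- "$tmp" "$out"
}

main() {
  umask 077   # bundles carry private keys: no group/world access

  # Renew the certificate (set -e aborts here if certbot fails, so stale
  # bundles are left untouched rather than rebuilt from stale input)
  certbot renew

  # Haproxy requires certs concatenated
  mkdir -p -- "$OUT_DIR"
  chmod 700 -- "$OUT_DIR"
  local d
  for d in "${DOMAINS[@]}"; do
    build_bundle "$d"
  done

  systemctl reload haproxy
}

main "$@"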

References


Mac specific

If you do not have brew install it before proceeding. See https://brew.sh.

# Official Homebrew installer.  This executes a script fetched over HTTPS
# directly; download it to a file and read it first if that is a concern.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install node

Install visual studio for mac 2022

At the time of this writing it is still in preview.

https://visualstudio.microsoft.com/vs/mac/preview/

Install docker desktop for mac

See https://docs.docker.com/desktop/mac for more info.

Ubuntu linux specific

docker install

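sudo apt install -y docker.io docker.compose

# docker permissions
# Members of the "docker" group can talk to the daemon socket, which is
# effectively root on the host -- only add users you would give sudo to.
# The docker.io package creates the group and normally installs the socket
# as root:docker already, so no chown is needed; chown'ing the socket to
# $USER is undone on the next daemon restart anyway.
sudo usermod -aG docker "$USER"
# Group membership only applies to new logins, which is why the group appears
# "not to work" in the current shell.  newgrp starts a shell that has the
# group; logging out and back in has the same effect.
newgrp docker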

Nodejs install

See https://github.com/nodesource/distributions/blob/master/README.md#deb

# Runs a remote script as root straight from the pipe; fetch it to a file and
# read it first if that is a concern.  setup_17.x selects an odd-numbered
# (non-LTS) release line -- check nodesource for a current LTS before copying.
curl -fsSL https://deb.nodesource.com/setup_17.x | sudo -E bash -
sudo apt-get install -y nodejs

Rider and dotnet

On linux use rider as the IDE.

# see https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu#2004-
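# see https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu#2004-
# Fetch the Microsoft repo config package into a private temp dir (not the
# current directory), install it, then drop the temp dir.
tmpdir=$(mktemp -d)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O "$tmpdir/packages-microsoft-prod.deb"
sudo dpkg -i "$tmpdir/packages-microsoft-prod.deb"
rm -rf -- "$tmpdir"

# && throughout so a failed update does not fall through to the install
sudo apt-get update && \
  sudo apt-get install -y apt-transport-https && \
  sudo apt-get update && \
  sudo apt-get install -y dotnet-runtime-6.0 aspnetcore-runtime-6.0 dotnet-sdk-6.0

# snap install needs root, like the apt steps above
sudo snap install rider --classic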

Nuget

List nuget sources

# show the package feeds currently configured
dotnet nuget list source

Start fresh with just nuget.org

# writes a nuget.config in the current directory that lists only nuget.org
dotnet new nugetconfig

Add private nuget source

Add any private nuget sources that you need. This is optional.

# Bracketed values are placeholders.  A password given with -p ends up in shell
# history and "ps" output, and --store-password-in-clear-text writes it
# unencrypted into nuget.config: pass it from an environment variable
# (-p "$NUGET_PASSWORD"), use a least-privilege feed token, and keep that
# nuget.config out of source control.
dotnet nuget add source "https://[YourPrivateRegistry]/v3/index.json" -n [Feed Name] -u YourUserName -p YourPassword --store-password-in-clear-text

Restore

# [Your Solution Name] is a placeholder for the .sln to restore
dotnet restore [Your Solution Name].sln


Host

Install libvirt manager.

Fedora

# @virtualization is a Fedora package group (libvirt, qemu, virt-manager, ...)
sudo dnf install @virtualization

Ubuntu

# libvirt and qemu come in through virt-manager's dependencies/recommends
# (check with "apt show virt-manager" if a minimal install is wanted)
sudo apt-get install virt-manager

Add your user to the libvirt and kvm groups to avoid being asked to enter your password every time you open the management app.

# "$(whoami)" is expanded by the calling shell, so it names the invoking user
# rather than root even though usermod itself runs under sudo.
for grp in libvirt kvm; do
  sudo usermod -a -G "$grp" "$(whoami)"
done

Guest

Note: the spice-vdagent is only for virtual machines with GUIs. For text only servers ssh into them directly from your host terminal.

Retrieve the IP address to remote into from the "Show virtual hardware details" view, or by running `ip addr show` from within the virt-manager terminal window.

Fedora

# spice-vdagent gives GUI guests clipboard sharing and display resizing;
# the unit name matches the package name
sudo dnf install spice-vdagent
sudo systemctl start spice-vdagent

Ubuntu

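# The Ubuntu package is spice-vdagent (same name as the service it installs);
# "spice-agent" does not exist in the Ubuntu repositories.
sudo apt install spice-vdagent
sudo systemctl start spice-vdagent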

Windows

Download windows guest binaries from https://www.spice-space.org/download.html.

Reference


A couple of awesome tools I’ve just stumbled upon are WinDirStat for Windows and KDirStat for Linux: directory statistics tools. They are invaluable for tracking down what is using disk space.


If repeated docker builds cause WSL (Windows Subsystem for Linux) to eat up your system memory, you can force Linux to drop the page cache.

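# Flush dirty pages first, then drop the page cache from a root context in a
# single step.  As two separate lines in a script, "echo" would only run after
# the root shell from "sudo su -" exited, i.e. unprivileged (typed
# interactively the two-line form works, the echo runs inside the root shell).
sync
echo 1 | sudo tee /proc/sys/vm/drop_caches >/dev/null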