SleepMap (Posts about systemd)

Securely serving webapps using uWSGI

David Runge — Sat, 08 Oct 2016 07:00:00 GMT

Ever since I have been running my own Arch Linux box to serve my services, I used nginx in conjunction with uWSGI.
So instead of using php-fpm and be limited to just PHP, I can use a single application server to do all of them (CGI, Python, PHP and even the stuff I don't use, such as Ruby Rack, Mono, Java, Lua, Perl, WebDAV). They are all separately installable as plugins.
Static sites, such as this, default to being served by nginx directly of course.
Over time I found uWSGI to be a very versatile and powerful piece of software that has many advantages (over e.g. Apache):

socket activation
webapp encapsulation and jailing
self-healing
being able to separetely manage services
exit after idle

I'll explain the services I use (MantisBT, roundcube, ownCloud, Mailman, Stikked, Wordpress, Postfixadmin, phpMyAdmin, cgit, MediaWiki, Etherpad ) along with configuration examples and their possible pitfalls.

In my last post about Let's Encrypt I already showed some examples on how to configure nginx for the use with uWSGI. Let's jump right in.

Let's encrypt it all

David Runge — Thu, 29 Sep 2016 18:00:00 GMT

For a couple of months now I have been using Let's Encrypt to generate free and valid certificates for all the services I run.
In many places the free Certificate Authority (short CA) has spread like wild-fire. From small to large scale services, many adopted it and the amount of issued certificates has grown over 1 million in just four months.
As a visitor to this website you have probably noticed the small green lock sign next to the address bar. The certificate used for this website is accepted to be valid by your browser (and also by your operating system).
If you're up for some background knowledge, just read on. If you're up for some hands-on technical stuff, jump right on to the howto.
Just note: This is a veeeeeeery long article in any case.

Linux Audio Conference 2015

David Runge — Fri, 03 Apr 2015 04:00:00 GMT

It's been quite some time since my last post.
But I have not been lazy!

I will be attending this year's Linux Audio Conference) in Mainz. Not only as a guest (I seriously hope I will have the time to just snoop around), but mainly for setting up the 8 channel version of "The Sound Of People" and to give a workshop on "Arch Linux as a lightweight audio platform".
You can find my information for the event here.

SSH tunnel with single hop, using systemd-networkd and autossh

David Runge — Sun, 01 Feb 2015 18:00:00 GMT

Recently I had the pleasure of setting up a SSH tunnel between two virtual machines that share no route and are located in two different subnets.
They can however reach each other via SSH, hopping their host.
Let's assume the following setup:

client1 (Arch Linux) has 10.0.5.2/24
client2 (Arch Linux) has 10.0.6.2/24
host (Debian) is 10.0.5.1/24 to client1 and 10.0.6.1/24 to client2

As I needed the two clients to be able to send mail to each other and reach each others' services, I did some digging and opted for a SSH connection using TUN devices (aka. "poor man's VPN").

The following is needed to set this up:

root access on both virtual machines (client1 & client2)
a user account on the host system
SSH (OpenSSH assumed) installed on all three machines