Synology: Difference between revisions
Brian Wilson (talk | contribs) mNo edit summary |
Brian Wilson (talk | contribs) m →todo |
||
| Line 9: | Line 9: | ||
* pam auth for shell log in | * pam auth for shell log in | ||
* samba set up | * samba set up | ||
* vpn set up | |||
* don't panic guide | * don't panic guide | ||
Revision as of 07:02, 20 November 2016
Enabled SSH Server Created Trailpeople Group used TrailPeople gmail account to enable email
todo
- backups for owncloud, ldap databases
- backups for configuration files
- pam auth for shell log in
- samba set up
- vpn set up
- don't panic guide
- new user guide
- samba
- owncloud
- account management, change settings and password
Manage access to folders in the Control Panel "Shared files".
Access from Windows - \\diskstation\ Log in with username@trailpeople.net
Access from Mac - afp://diskstation.local - same credentials, username@trailpeople.net
Database engine of choice
I wanted to use PostgreSQL but can't get it to work with owncloud. I tried and tried and gave up. Owncloud does not appear to be sending the username to postgres. I dropped back to Mariadb
Configuration files for postgresql are in /etc/postgresql/ Use a HUP to reconfigure it. killall -1 /usr/bin/postgres
NGINX
When I first got the Syno, I touched the nginx configuration and ended up breaking the DSM app. I backed out my changes.
The file I created for owncloud is in /usr/local/etc/nginx/sites-enabled/owncloud.conf and it looks like this:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name owncloud.trailpeople.net;
# ssl_certificate /etc/ssl/nginx/owncloud.crt;
# ssl_certificate_key /etc/ssl/private/owncloud.key;
root /volume1/web/owncloud;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php;
location ~ \.php {
fastcgi_index index.php;
fastcgi_pass unix:/run/php-fpm/php56-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include fastcgi_params;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
deny all;
}
location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
}
# Optional: Don't log access to other assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
# ownCloud security tip
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; ";
}
Packages
Do not install WebStation! It pulls in Apache. I don't want it hanging around. Likewise skip phpMyadmin because it pulls in WebStation.
- Synology Directory Service
- Synology VPN
Enable Synocommunity, https://synocommunity.com/
for owncloud, install
- redis -- http://www.iholken.com/index.php/2016/03/16/install-redis-server-and-phpredis-extension-into-synology-nas-running-dsm-6-without-bootstrapping/
- MariaDB
- debian chroot
I download from owncloud.org because the version in packages is outdated.
wget https://download.owncloud.org/community/owncloud-9.1.2.tar.bz2
Debian packages
sudo -s sudo /var/packages/chroot/scripts/start_stop_status chroot apt-get update apt-get install locales dpkg-reconfigure locales dpkg-reconfigure tzdata apt-get install php5-dev apt-get install php5-redis
Owncloud 9
I did get it going with nginx in spite of his comments on using Apache instead.
Optimizations: fixed because owncloud told me to--
- Add /dev/urandom to open_basedir in /usr/local/etc/php56/conf.d/user-settings.ini
- Add "always_populate_raw_post_data = -1"
- Send a HUP to php-fpm
cat fpm.d/env.conf ; bwilson added this for owncloud ;env[HOSTNAME] = $HOSTNAME env[PATH] = /usr/local/bin:/usr/bin:/bin ;env[TMP] = /tmp ;env[TMPDIR] = /tmp ;env[TEMP] = /tmp
Crontab
Change the shell on http user from /bin/false to /bin/sh and add this to /etc/crontab:
0,15,30,45 * * * * root su -c "/usr/local/bin/php56 -f /volume1/web/owncloud/cron.php" http
There are specific rules to add things to /etc/crontab, see http://jimmybonney.com/articles/manage_crontab_synology/
User authentication
Synology has a pretty good UI in DSM for LDAP, so I enabled their Direcgtory Service package, then set up owncloud to use it. When owncloud is using LDAP, then you create the account in LDAP and the first time the user logins with owncloud the account is created there.
I should be able to make Linux login (PAM) and Samba use it too. So setting up a password in LDAP should work everywhere.
config.php
<?php
$CONFIG = array (
'instanceid' => 'ocarb6oq5tsb',
'passwordsalt' => 'WOO1qwVT6iOCp6ycWp4lZ8GlNVv9y4',
'secret' => 'FtvmpxpedQGTqwrxy7u+b8Ye5HMgXUmXzBlSlxROfogExbs8',
'trusted_domains' =>
array (
0 => 'diskstation',
),
'datadirectory' => '/volume1/web/owncloud/data',
'overwrite.cli.url' => 'https://diskstation',
'dbtype' => 'mysql',
'version' => '9.1.2.5',
'dbname' => 'owncloud',
'dbhost' => 'localhost',
'dbtableprefix' => 'oc_',
'dbuser' => 'owncloud',
'dbpassword' => 'BrightLight',
'logtimezone' => 'UTC',
'installed' => true,
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'localhost',
'port' => 6379,
),
);
