Synology
todo
- backups for owncloud, ldap databases
- backups for configuration files
- pam auth for shell log in
- samba set up
- vpn set up
- don't panic guide
- new user guide
- samba
- owncloud
- account management, change settings and password
User guide
Web access using SSL
The first time you connect you will get the scary security exception screen. Press on, it's okay really. We use a "self-signed" SSL certificate so that we don't have to pay for one. Really, it's okay.
Administration guide
Creating a new user
- Do NOT use "Users" and "Groups" in the DSM control panel. We use "Directory Server" (LDAP). This is so we can have one username/password for all services included Samba (file sharing) and Owncloud (cloud file storage).
- Create in LDAP Directory Server
- Enable in Shared Files
Manage access to folders in the Control Panel "Shared files".
Avatar in LDAP, connect to owncloud
Access from Windows - \\diskstation\ Log in with username@trailpeople.net Access from Mac - afp://diskstation.local - same credentials, username@trailpeople.net
Command line access via SSH - Use the "admin" account, then use "sudo -s" if you need root access. I put my keys in so I don't need the password to connect. The password is on the label on the server.
Database engine of choice
I wanted to use PostgreSQL but can't get it to work with owncloud. I tried and tried and gave up. Owncloud does not appear to be sending the username to postgres. I dropped back to Mariadb
Configuration files for postgresql are in /etc/postgresql/ Use a HUP to reconfigure it. killall -1 /usr/bin/postgres
Misc notes, fix this up someday
Enabled SSH Server (built in, see control panel) used TrailPeople gmail account to enable email
NGINX
When I first got the Syno, I touched the nginx configuration and ended up breaking the DSM app. I backed out my changes.
The file I created for Trailpeople is in /usr/local/etc/nginx/sites-enabled/trailpeople.conf and it looks like this:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name diskstation.trailpeople.net;
# ssl_certificate /etc/ssl/nginx/owncloud.crt;
# ssl_certificate_key /etc/ssl/private/owncloud.key;
root /volume1/web/trailpeople;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
gzip off;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
index index.php;
location ~ \.php {
fastcgi_index index.php;
fastcgi_pass unix:/run/php-fpm/php56-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include fastcgi_params;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
deny all;
}
location / {
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block
location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
# Optional: Don't log access to assets
access_log off;
}
# Optional: Don't log access to other assets
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
access_log off;
}
# ownCloud security tip
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; ";
}
Packages
Do not install WebStation! It pulls in Apache. I don't want it hanging around. Likewise skip phpMyadmin because it pulls in WebStation.
- Synology Directory Service
- Synology VPN
Enable Synocommunity, https://synocommunity.com/
for owncloud, install
- redis -- http://www.iholken.com/index.php/2016/03/16/install-redis-server-and-phpredis-extension-into-synology-nas-running-dsm-6-without-bootstrapping/
- MariaDB
- debian chroot
I download from owncloud.org because the version in packages is outdated.
wget https://download.owncloud.org/community/owncloud-9.1.2.tar.bz2
Debian packages
sudo -s sudo /var/packages/chroot/scripts/start_stop_status chroot apt-get update apt-get install locales dpkg-reconfigure locales dpkg-reconfigure tzdata apt-get install php5-dev apt-get install php5-redis
PhpMyAdmin
Installed from tar ball to avoid dependencies on Apache.
Owncloud 9
I put it in a subdirectory to simplify DNS. Everything runs under SSL at https://diskstation.trailpeople.net/. So owncloud is at https://diskstation.trailpeople.net/owncloud/.
I loosely followed some instructions I found here, it was a starting point anyway. He uses Apache and I use nginx. http://www.iholken.com/index.php/2016/03/15/guide-for-installing-owncloud-9-to-synology-nas-running-dsm-6/
Optimizations: fixed because owncloud told me to--
- Add /dev/urandom to open_basedir in /usr/local/etc/php56/conf.d/user-settings.ini
- Add "always_populate_raw_post_data = -1"
- Send a HUP to php-fpm
cat fpm.d/env.conf ; bwilson added this for owncloud ;env[HOSTNAME] = $HOSTNAME env[PATH] = /usr/local/bin:/usr/bin:/bin ;env[TMP] = /tmp ;env[TMPDIR] = /tmp ;env[TEMP] = /tmp
Crontab
Change the shell on http user from /bin/false to /bin/sh and add this to /etc/crontab:
0,15,30,45 * * * * root su -c "/usr/local/bin/php56 -f /volume1/web/trailpeople/owncloud/cron.php" http
There are odd, specific rules to add things to /etc/crontab, see http://jimmybonney.com/articles/manage_crontab_synology/
User authentication
Synology has a pretty good UI in DSM for LDAP, so I enabled their Direcgtory Service package, then set up owncloud to use it. When owncloud is using LDAP, then you create the account in LDAP and the first time the user logins with owncloud the account is created there.
I should be able to make Linux login (PAM) and Samba use it too. So setting up a password in LDAP should work everywhere.
config.php
<?php
<?php
$CONFIG = array (
'instanceid' => 'ocarb6oq5tsb',
'passwordsalt' => 'WOO1qwVT6iOCp6ycWp4lZ8GlNVv9y4',
'secret' => 'FtvmpxpedQGTqwrxy7u+b8Ye5HMgXUmXzBlSlxROfogExbs8',
'trusted_domains' =>
array (
0 => 'diskstation',
1 => 'diskstation.trailpeople.net',
2 => '192.168.1.5',
),
'datadirectory' => '/volume1/web/trailpeople/owncloud/data',
'overwrite.cli.url' => 'https://diskstation.trailpeople.net/owncloud',
'dbtype' => 'mysql',
'version' => '9.1.2.5',
'dbname' => 'owncloud',
'dbhost' => 'localhost',
'dbtableprefix' => 'oc_',
'dbuser' => 'owncloud',
'dbpassword' => 'XXXXXXXX',
'logtimezone' => 'UTC',
'installed' => true,
'memcache.local' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'localhost',
'port' => 6379,
),
'ldapIgnoreNamingRules' => false,
'mail_from_address' => 'owncloud',
'mail_smtpmode' => 'smtp',
'mail_domain' => 'trailpeople.net',
'mail_smtphost' => 'smtp.gmail.com',
'mail_smtpport' => '587',
'loglevel' => 2,
'mail_smtpsecure' => 'tls',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtpname' => '[email protected]',
'mail_smtppassword' => 'XXXXXXXX',
);
Mediawiki
I installed it at /volume1/web/trailpeople/wiki by downloading and unpacking the tar ball from mediawiki.org to avoid the Apache package dependencies (and the outdated version) from Synology.
So it's accessible as https://diskstation.trailpeople.net/wiki/.
It keeps its data in MySQL and the username and database are mediawiki
LDAP authentication
After installing the LDAP plugin I had to fix up the database
cd wiki/maintenance /usr/local/bin/php56 update.php
