Synology

From Wildsong
Jump to navigationJump to search

todo

  • backups for owncloud, ldap databases
  • backups for configuration files
  • pam auth for shell log in
  • samba set up
  • vpn set up
  • don't panic guide
  • new user guide
    • samba
    • owncloud
    • account management, change settings and password

User guide

Web access using SSL

The first time you connect you will get the scary security exception screen. Press on, it's okay really. We use a "self-signed" SSL certificate so that we don't have to pay for one. Really, it's okay.

Administration guide

Creating a new user

  • Do NOT use "Users" and "Groups" in the DSM control panel. We use "Directory Server" (LDAP). This is so we can have one username/password for all services included Samba (file sharing) and Owncloud (cloud file storage).
  1. Create in LDAP Directory Server
  2. Enable in Shared Files

Manage access to folders in the Control Panel "Shared files".

Avatar in LDAP, connect to owncloud

Access from Windows - \\diskstation\ Log in with username@trailpeople.net Access from Mac - afp://diskstation.local - same credentials, username@trailpeople.net

Command line access via SSH - Use the "admin" account, then use "sudo -s" if you need root access. I put my keys in so I don't need the password to connect. The password is on the label on the server.

Database engine of choice

I wanted to use PostgreSQL but can't get it to work with owncloud. I tried and tried and gave up. Owncloud does not appear to be sending the username to postgres. I dropped back to Mariadb

Configuration files for postgresql are in /etc/postgresql/ Use a HUP to reconfigure it. killall -1 /usr/bin/postgres

Misc notes, fix this up someday

Enabled SSH Server (built in, see control panel) used TrailPeople gmail account to enable email

NGINX

When I first got the Syno, I touched the nginx configuration and ended up breaking the DSM app. I backed out my changes.

The file I created for Trailpeople is in /usr/local/etc/nginx/sites-enabled/trailpeople.conf and it looks like this:

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name diskstation.trailpeople.net;
#  ssl_certificate /etc/ssl/nginx/owncloud.crt;
#  ssl_certificate_key /etc/ssl/private/owncloud.key;

  root /volume1/web/trailpeople;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;

  # Disable gzip to avoid the removal of the ETag header
  gzip off;

  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;

  rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
  rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
  rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

  index index.php;
  location ~ \.php {
    fastcgi_index index.php;
    fastcgi_pass unix:/run/php-fpm/php56-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_script_name;
    include fastcgi_params;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
    deny all;
  }

  location / {
    # The following 2 rules are only needed with webfinger
    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
    rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

    try_files $uri $uri/ =404;
  }

  # Adding the cache control header for js and css files
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
  location ~* \.(?:css|js)$ {
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    # Optional: Don't log access to assets
    access_log off;
  }

  # Optional: Don't log access to other assets
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
    access_log off;
  }

  # ownCloud security tip
  add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; ";
}

Packages

Do not install WebStation! It pulls in Apache. I don't want it hanging around. Likewise skip phpMyadmin because it pulls in WebStation.

  • Synology Directory Service
  • Synology VPN

Enable Synocommunity, https://synocommunity.com/

for owncloud, install

I download from owncloud.org because the version in packages is outdated.

wget https://download.owncloud.org/community/owncloud-9.1.2.tar.bz2

Debian packages

sudo -s
sudo /var/packages/chroot/scripts/start_stop_status chroot
apt-get update
apt-get install locales
dpkg-reconfigure locales
dpkg-reconfigure tzdata
apt-get install php5-dev
apt-get install php5-redis

PhpMyAdmin

Installed from tar ball to avoid dependencies on Apache.

Owncloud 9

I put it in a subdirectory to simplify DNS. Everything runs under SSL at https://diskstation.trailpeople.net/. So owncloud is at https://diskstation.trailpeople.net/owncloud/.

I loosely followed some instructions I found here, it was a starting point anyway. He uses Apache and I use nginx. http://www.iholken.com/index.php/2016/03/15/guide-for-installing-owncloud-9-to-synology-nas-running-dsm-6/

Optimizations: fixed because owncloud told me to--

  • Add /dev/urandom to open_basedir in /usr/local/etc/php56/conf.d/user-settings.ini
  • Add "always_populate_raw_post_data = -1"
  • Send a HUP to php-fpm
cat fpm.d/env.conf 
; bwilson added this for owncloud

;env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

Crontab

Change the shell on http user from /bin/false to /bin/sh and add this to /etc/crontab:

0,15,30,45  *   *   *   *   root    su -c "/usr/local/bin/php56 -f /volume1/web/trailpeople/owncloud/cron.php" http

There are odd, specific rules to add things to /etc/crontab, see http://jimmybonney.com/articles/manage_crontab_synology/

User authentication

Synology has a pretty good UI in DSM for LDAP, so I enabled their Direcgtory Service package, then set up owncloud to use it. When owncloud is using LDAP, then you create the account in LDAP and the first time the user logins with owncloud the account is created there.

I should be able to make Linux login (PAM) and Samba use it too. So setting up a password in LDAP should work everywhere.

config.php

<?php
<?php
$CONFIG = array (
  'instanceid' => 'ocarb6oq5tsb',
  'passwordsalt' => 'WOO1qwVT6iOCp6ycWp4lZ8GlNVv9y4',
  'secret' => 'FtvmpxpedQGTqwrxy7u+b8Ye5HMgXUmXzBlSlxROfogExbs8',
  'trusted_domains' => 
  array (
    0 => 'diskstation',
    1 => 'diskstation.trailpeople.net',
    2 => '192.168.1.5',
  ),
  'datadirectory' => '/volume1/web/trailpeople/owncloud/data',
  'overwrite.cli.url' => 'https://diskstation.trailpeople.net/owncloud',
  'dbtype' => 'mysql',
  'version' => '9.1.2.5',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'owncloud',
  'dbpassword' => 'XXXXXXXX',
  'logtimezone' => 'UTC',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'ldapIgnoreNamingRules' => false,
  'mail_from_address' => 'owncloud',
  'mail_smtpmode' => 'smtp',
  'mail_domain' => 'trailpeople.net',
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '587',
  'loglevel' => 2,
  'mail_smtpsecure' => 'tls',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpname' => '[email protected]',
  'mail_smtppassword' => 'XXXXXXXX',
);

Mediawiki

I installed it at /volume1/web/trailpeople/wiki by downloading and unpacking the tar ball from mediawiki.org to avoid the Apache package dependencies (and the outdated version) from Synology.

So it's accessible as https://diskstation.trailpeople.net/wiki/.

It keeps its data in MySQL and the username and database are mediawiki

LDAP authentication

After installing the LDAP plugin I had to fix up the database

cd wiki/maintenance
/usr/local/bin/php56 update.php