Posts made by NashBrydges

Running Nextcloud (1x v9.0.53 and 1 x v10) at two clients. They're recent setups but so far they really love them. Both running as VMs in hyper-v. Included in the Veeam backups (tested restores and they work) so all in all, I'm quite happy with Nextcloud!

@Jstear Sadly I just got it installed so can't comment on how effective it will be for me. Will report back when I have more.

I finally nailed the install to Ubuntu 16.04. It's no single line code and was very manual but I wanted to debug where this was failing and finally figured it out. Here is what I had to do (pardon the elementary nature of the process, I'm still a real Linux noob)...

CAUTION:
These instructions only work for Ubuntu 16.04 Xenial because I deleted all code referencing other builds. If your version is different, make sure to retain what is relevant for your build.

AMATEUR HOUR WARNING
As I mentioned before, as I'm still very new to Linux, If someone here can likely figure out a much better way to get this setup, even better. I hadn't been able to find any instructions on the internet that proved useful even though my google-foo is quite strong, and I was determined to get this setup, if for no other reason than this would be a great learning experience.

• Setup a VM in Hyper-V and completed a fresh install of Ubuntu 16.04 server
• During the install I selected to manually install the necessary packages so this was a minimal server install
• Full update
  sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
• Manually install apache
  sudo apt-get install apache2 apache2-utils
• Enable apache to autostart
  sudo systemctl enable apache2
• Set ownership of root directory
  sudo chown www-data /var/www/html/ -R
• Install MariaDB
  sudo apt-get install mariadb-server mariadb-client
• Enable MariaDB to autostart
  sudo systemctl enable mysql
• Complete MariaDB setup. When prompted, select pwd, remove anonymous, disallow remote root, remove test db and reload db
  sudo mysql_secure_installation
• Install PHP
  sudo apt-get install php7.0-fpm php7.0-mysql php7.0-common php7.0-gd php7.0-json php7.0-cli php7.0-curl libapache2-mod-php7.0
• Enable apache PHP module and restart apache
  sudo a2enmod php7.0
sudo systemctl restart apache2

That got me to my base LAMP install. I was now ready to download Snipe-IT. From the documentation I selected #3 and ran each command one at a time.
sudo wget https://raw.githubusercontent.com/snipe/snipe-it/master/install.sh
chmod 744 install.sh

Then before running the final command I decided to examine the "install.sh" contents to see what was happening. Turns out it downloads and calls another script so before running that second script, I wanted to have a look at it so I commented out the final command that executes the second script so it would only download the file to my home directory and set permissions. I then ran the script and got the second script so I could look at it.
sudo ./install.sh

Once I looked in the second script (snipeit.sh) I noticed there is a lot of content that is trying to account for various Linux builds so I went through and deleted everything that didn't have anything to do with my version of Linux in order to simplify the debugging process. I also deleted every code reference to >> /var/log/snipeit-install.log 2>&1 since I had noticed on a previous run that this was causing permissions errors. Rather than have to deal with permissions, I didn't care about saving the install log and instead allowed it to display on the terminal session.

The next error I got was related to the composer where the code was trying to install using sudo (you'll note that this is set at the top of the script). Apparently composer cannot be installed this way. Keep reading for how I addressed that.

I then also removed most references to updates or installing the LAMP stack as I had already done this. Something that kept causing errors in the script even when I chose to run from nothing but a minimal Ubuntu install without apache, mysql or php. I ended-up modifying the script quite a bit, hard-coding some of the variables to make debugging a little easier. This is the final script I had saved as "snipeit.sh"

#!/bin/bash

######################################################
#           Snipe-It Install Script                  #
#          Script created by Mike Tucker             #
#            [email protected]                   #
# This script is just to help streamline the         #
# install process for Debian and CentOS              #
# based distributions. I assume you will be          #
# installing as a subdomain on a fresh OS install.   #
# Right now I'm not going to worry about SMTP setup  #
#                                                    #
# Feel free to modify, but please give               #
# credit where it's due. Thanks!                     #
######################################################

# ensure running as root
if [ "$(id -u)" != "0" ]; then
  exec sudo "$0" "$@"
fi
#First things first, let's set some variables and find our distro.
clear

name="snipeit"
si="Snipe-IT"
hostname="$(hostname)"
fqdn="$(hostname --fqdn)"
ans=default
hosts=/etc/hosts
file=master.zip
tmp=/tmp/$name
fileName=snipe-it-master

rm -rf $tmp/
mkdir $tmp


echo "
	   _____       _                  __________
	  / ___/____  (_)___  ___        /  _/_  __/
	  \__ \/ __ \/ / __ \/ _ \______ / /  / /
	 ___/ / / / / / /_/ /  __/_____// /  / /
	/____/_/ /_/_/ .___/\___/     /___/ /_/
	            /_/
"

echo ""
echo ""
echo "  Welcome to Snipe-IT Inventory Installer for Centos and Debian!"
echo ""

#Get your FQDN.

echo -n "  Q. What is the FQDN of your server? ($fqdn): "
read fqdn
if [ -z "$fqdn" ]; then
        fqdn="$(hostname --fqdn)"
fi
echo "     Setting to $fqdn"
echo ""

#Do you want to set your own passwords, or have me generate random ones?
until [[ $ans == "yes" ]] || [[ $ans == "no" ]]; do
echo -n "  Q. Do you want me to automatically create the snipe database user password? (y/n) "
read setpw

case $setpw in
        [yY] | [yY][Ee][Ss] )
                mysqluserpw="$(echo `< /dev/urandom tr -dc _A-Za-z-0-9 | head -c16`)"
                ans="yes"
                ;;
        [nN] | [n|N][O|o] )
                echo -n  "  Q. What do you want your snipeit user password to be?"
                read -s mysqluserpw
                echo ""
				ans="no"
                ;;
        *) 		echo "  Invalid answer. Please type y or n"
                ;;
esac
done

#Snipe says we need a new 32bit key, so let's create one randomly and inject it into the file
random32="$(echo `< /dev/urandom tr -dc _A-Za-z-0-9 | head -c32`)"

#db_setup.sql will be injected to the database during install.
#Again, this file should be removed, which will be a prompt at the end of the script.
dbsetup=$tmp/db_setup.sql
echo >> $dbsetup "CREATE DATABASE snipeit;"
echo >> $dbsetup "GRANT ALL PRIVILEGES ON snipeit.* TO snipeit@localhost IDENTIFIED BY '$mysqluserpw';"

#Let us make it so only root can read the file. Again, this isn't best practice, so please remove these after the install.
sudo chown root:root $dbsetup
sudo chmod 700 $dbsetup

## TODO: Progress tracker on each step

#####################################  Install for Ubuntu  ##############################################

		webdir=/var/www

		#Update/upgrade Debian/Ubuntu repositories, get the latest version of git.
		echo ""
		echo "##  Updating ubuntu in the background. Please be patient."
		echo ""
		apachefile=/etc/apache2/sites-available/$name.conf
		echo "##  Installing packages."

		echo "##  Setting up LAMP."

		sudo apt-get install -y git unzip php php-mcrypt php-curl php-mysql php-gd php-ldap php-zip php-mbstring
		#Enable mcrypt and rewrite
		echo "##  Enabling mcrypt and rewrite"
		sudo phpenmod mcrypt
		sudo phpenmod mbstring
		sudo a2enmod rewrite
		#  Get files and extract to web dir
		echo ""
		echo "##  Downloading snipeit and extract to web directory."
		sudo wget -P $tmp/ https://github.com/snipe/snipe-it/archive/$file
		sudo unzip -qo $tmp/$file -d $tmp/
		sudo cp -R $tmp/$fileName $webdir/$name

		sudo ls -al /etc/apache2/mods-enabled/rewrite.load

		#Create a new virtual host for Apache.
		echo "##  Create Virtual host for apache."
		echo >> $apachefile ""
		echo >> $apachefile ""
		echo >> $apachefile "<VirtualHost *:80>"
		echo >> $apachefile "ServerAdmin webmaster@localhost"
		echo >> $apachefile "    <Directory $webdir/$name/public>"
		echo >> $apachefile "        Require all granted"
		echo >> $apachefile "        AllowOverride All"
		echo >> $apachefile "   </Directory>"
		echo >> $apachefile "    DocumentRoot $webdir/$name/public"
		echo >> $apachefile "    ServerName $fqdn"
		echo >> $apachefile "        ErrorLog /var/log/apache2/snipeIT.error.log"
		echo >> $apachefile "        CustomLog /var/log/apache2/access.log combined"
		echo >> $apachefile "</VirtualHost>"

		echo "##  Setting up hosts file."
		echo >> $hosts "127.0.0.1 $hostname $fqdn"

		sudo a2ensite $name.conf

		cat > $webdir/$name/.env <<-EOF
		#Created By Snipe-it Installer
		APP_TIMEZONE=$(cat /etc/timezone)
		DB_HOST=localhost
		DB_DATABASE=snipeit
		DB_USERNAME=snipeit
		DB_PASSWORD=$mysqluserpw
		APP_URL=http://$fqdn
		APP_KEY=$random32
		EOF

		# Setup Mysql, then run the command.
		/usr/bin/mysql_secure_installation
		echo "##  Creating MySQL Database and user. "
		echo "##  Please Input your MySQL/MariaDB root password: "
		mysql -u root -p < $dbsetup

		echo "##  Securing Mysql"

		# Have user set own root password when securing install
		# and just set the snipeit database user at the beginning

echo ""
echo ""
echo "##  Cleaning up..."
rm -f snipeit.sh
rm -f install.sh
rm -rf $tmp/
echo "##  Done!"
sleep 1

This got me about 90% of the way there. I then had to run the following commands one at a time (note that composer is not run from the elevated command)

cd /var/www/snipeit
curl -sS https://getcomposer.org/installer | php
php composer.phar install --no-dev --prefer-source

To finish it off, I set the required permissions.

sudo chmod -R 755 /var/www/snipeit/storage
sudo chmod -R 755 /var/www/snipeit/storage/private_uploads
sudo chmod -R 755 /var/www/snipeit/public/uploads
sudo chown -R www-data:www-data /var/www/snipeit
sudo service apache2 restart

Because I'm using this internally, I edited the sites-available/snipeit.conf file as follows...

<VirtualHost *:80>
ServerAdmin [email protected]
    <Directory /var/www/snipeit/public>
        Require all granted
        AllowOverride All
   </Directory>
    DocumentRoot /var/www/snipeit/public
    ServerName snipeit.domain.com
    ServerAlias XXX.XXX.XXX.XXX #This is the server IP address
    ServerAlias localhost
    ErrorLog ${APACHE_LOG_DIR}/sniptit.error.log
    CustomLog ${APACHE_LOG_DIR}/snipeit.access.log combined
</VirtualHost>

The installation will have created a .env file in your root folder however, I figured out that this file was incomplete. So I added the missing values based on documentation for Snipe-IT and this is the resulting /var/www/snipeit/.env file...

#Created By Snipe-it Installer
# --------------------------------------------
# REQUIRED: BASIC APP SETTINGS
# --------------------------------------------
APP_TIMEZONE=Canada/Eastern 
#The above is set during install
APP_ENV=production
APP_DEBUG=false
APP_LOCALE=en
APP_URL=http://snipeit.domain.com 
#This has to be exactly the correct FQDN to get to your Snipt-IT install. If you are using local IP address only then this must be in the IP address format like http://XXX.XXX.XXX.XXX
APP_KEY=XXXXXXXXXXXXXXXX
#The above is set during install

# --------------------------------------------
# REQUIRED: DATABASE SETTINGS
# --------------------------------------------
DB_CONNECTION=mysql
DB_HOST=localhost
DB_DATABASE=snipeit
DB_USERNAME=XXXXXXXXX
#The above is set during install
DB_PASSWORD=XXXXXXXXXXXX
#The above is set during install
DB_PREFIX=null
DB_DUMP_PATH='/usr/local/bin'

# --------------------------------------------
# REQUIRED: OUTGOING MAIL SERVER SETTINGS
# --------------------------------------------
MAIL_DRIVER=smtp
MAIL_HOST=outlook.office365.com 
#This is correct if you are using Office 365 for your email
MAIL_PORT=587
MAIL_USERNAME=XXXXXXXXXXX 
#Mail username, usually same as email address
MAIL_PASSWORD=XXXXXXXXXXX 
#Your email password
MAIL_ENCRYPTION=TLS
[email protected]
[email protected]

# --------------------------------------------
# REQUIRED: IMAGE LIBRARY
# This should be gd or imagick
# --------------------------------------------
IMAGE_LIB=gd

# --------------------------------------------
# OPTIONAL: SESSION SETTINGS
# --------------------------------------------
SESSION_LIFETIME=12000
EXPIRE_ON_CLOSE=false
ENCRYPT=false
COOKIE_NAME=snipeit_session
COOKIE_DOMAIN=null
SECURE_COOKIES=false

Once that was updated, I rebooted the server for good measure and was able to navigate to my server IP address http://XXX.XXX.XXX.XXX and was presented with the Pre-flight & Setup screen.

For reference, this is where to find the .env file config details.

Once you're at the pre-flight page and everything is green, you can navigate your way to setting up the db and user and begin to enter your first assets.

Hope this proves useful.

I got the chance to update to version 10. Currently running as a VM in Hyper-V on Ubuntu 16.04. A couple things to note...

• Don't forget to save a copy of any theme folder you may have created and paste it pack into the /nextcloud/themes folder

• You'll have to go back into your config file and enter the theme folder name back in as this got removed during the upgrade process

• I proceeded with the upgrade via the web page. Once the new v10 folder was created and config file and theme folder copied back, I simply launched the upgrade from the web page. It's a very small install so only took a few minutes to complete.

• I had installed the "disclaimer" experimental app on the previous v9.0.53 install and not really surprised that the new install got rid of that. If there was one request I would make it would be to include some version of the "disclaimer" app as a supported app in a future release. This is a very easy way to make sure the terms & conditions are available right from the application.

Will report back if there are any issues but so far so good! Nice job!

@scottalanmiller

Thanks Scott. That jogged my memory to enable ssl module. That was what I missed.

I've been trying to figure out why I can get a simple website run over https. I've confirmed that port 80 works as expected (the test html page displays in the browser using the IP address of the Ubuntu 16.04 server) but when I try to connect via https, no good. I get a "the site can't be reached and XXX.XXX.XXX.XXX unexpectedly closed the connection".

I've checked the firewall rules and I get this...

sudo ufw status verbose

sudo nmap -v -sT localhost

I've temporarily installed Webmin to help me try to make sense of what was happening hence the 10000 port.

So the firewall shows all correct ports but nmap does not.

I'm sure I've missed something ridiculously simple and hopefully someone here can spot what I've missed.

@Adaministrator Yeah the meter hasn't started sounding like a jet engine yet. All told, based on the UPS readouts, I'm consuming about 900W ±50W. I at least get to expense the business related portion of all this power but it's still a good chunk of change to pay out each month.

• Ubiquiti ES48-500W
• Netgear GS724Tv3
• 2 x PowerEdge R210II running HA Sophos UTM 9
• 1 x PowerEdge R210II used for family remote backup
• 1 x PowerEdge R210II for the teenage kid to run Minecraft and some other war game for he and his friends
• PowerEdge R710 & MD1000 Veeam backup target (52TB RAID6)
• Spare MD1000
• PowerEdge R510 Hyper-V host running Plex media server (60TB RAID6)
• PowerEdge R420 Hyper-V host running a bunch of VMs including various desktop OS for testing as well as FreePBX, Sophos iView, Fastvue
• PowerEdge R610 spare server. Will probably get sold off as I haven't used it in some time.
• 2 x Dell 1000VA UPS
• Not pictured is a Synology DS2415+ as offsite backup target (80TB RAID6)

@Breffni-Potter said:

@NashBrydges said:

In the SMB (closer to S than M or B of SMB anyway) I've found the UTM approach anything but silly. The simplicity of management is a huge bonus.

The problem I find with UTMs is they need to be monitored and watched to be used properly. If an attacker is really trying to break in, do you want to hope the magic box works? Or is there monitoring to spot suspicious activity and react to it.

UTMs are a magic box that I'm seeing over-sold, I myself got suckered into buying one and actually, it provides no performance or security benefits to the organisation it protects because the monitoring and reacting that you need to do, is not being done.

Totally agree that they're too often seen as a magic box but that's a user problem, not a technology problem. I wouldn't recommend a UTM without the appropriate oversight.

@scottalanmiller said:

@Jason said:

@jyates said:

@wirestyle22

@JaredBusch said:

@Dashrender said:

PFSense is a good free option, but it requires you provide your own PC class hardware, and the power bill will probably be 10X or more than an ERX.

This right here.

pfSense is a great solution but requires hardware that will cost you more than an ERX ever will.

Drop another $80-$90 on an UAP-AC-LITE and you have a rock solid home network running basic enterprise hardware.

Sophos has the same options. Free, but requires a machine to run on.

https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

It's a resource hog...

Anything labelled UTM would be. UTMs really can't be used on anything but super slow connections. It's one of the many reasons many of us feel that the entire UTM concept is a silly and dead one.

I've been running Sophos UTM on a 300/100Mbps connection at home (certainly not a slow connection) and easily get full bandwidth usage with everything turned on. Granted I'm running it on a Dell R210 II and it is a bigger resource hog, but for home, I want all of that turned on, especially with teenagers who don't care about sites they visit or what they download. In the SMB (closer to S than M or B of SMB anyway) I've found the UTM approach anything but silly. The simplicity of management is a huge bonus.

@scottalanmiller Thanks Scott.

Yeah. It's a new home and we got lucky that we're in a mature neighbourhood but only the 3 newly built homes have FTTH. Everyone else has the choice of DSL or Rogers cable.

Bell also offers a 1Gb/175 connection but at $30 more per month. I am not even near saturating the current 300Mb so even though would love the bragging rights of having a Gb DL speed, I'm not going to bother just yet. Now if the speed was a synchronous Gb DL and UL I'd be all over that.

Guelph, ON, Canada
300/175 FTTH
Unlimited
$60/month, 2 yr contract
Bell Canada