Installation de Scrumblr

sur le host
# On the KVM host: clone the "Ref" template VM into a new guest named Scrumblr.
# NOTE(review): a clone inherits everything baked into Ref (machine-id, SSH host
# keys, any credentials left in the template); rotate those on the guest before
# exposing it.
virt-clone -o Ref --name Scrumblr --file /dev/kvmvg/Scrumblr
virsh edit Scrumblr # bump to 2 vCPUs and 4 GiB of RAM
lvextend -L +4G /dev/kvmvg/Scrumblr # +4 GB of disk (the partition/filesystem inside the guest still has to be grown -- not shown here)
virsh autostart Scrumblr
virsh start Scrumblr
virsh console Scrumblr


sur le guest
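# On the guest, as root (this section runs without sudo): update the clone and
# give it its own identity (hostname, addresses, admin password).
apt update && apt upgrade -y
vi /etc/hostname # set postit.colibris-outilslibres.org
vi /etc/hosts # set the right IP and postit.colibris-outilslibres.org
vi /etc/network/interfaces  # set the right IP
passwd admin
# If Ref ships openssh-server, every VM cloned from it shares the same SSH host
# keys: regenerate them here so this guest is distinguishable from its siblings.
# Skipped harmlessly when sshd is not installed. (The same reasoning applies to
# /etc/machine-id -- consider resetting it as well.)
if [ -d /etc/ssh ] && command -v ssh-keygen >/dev/null; then
    rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
    ssh-keygen -A
fi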


Inspiré de https://framacloud.org/fr/cultiver-son-jardin/scrumblr.html
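# Packages: git/curl for the steps below, redis as the Scrumblr backend.
apt install git curl redis-server -y
# Node.js from NodeSource. Do not pipe a remote script straight into a root shell:
# fetch it to a file, read it, then run it. -f makes curl fail on an HTTP error
# instead of handing an error page to bash.
# NOTE(review): setup_12.x installs the Node 12 line, which is now end-of-life
# (no security fixes); pick a supported LTS line and the matching setup_NN.x
# when redoing this install.
nodesource_setup=$(mktemp)
curl -fsSL -o "$nodesource_setup" https://deb.nodesource.com/setup_12.x
less "$nodesource_setup"   # review before running as root
bash "$nodesource_setup"
rm -f "$nodesource_setup"
apt-get install -y nodejs
# Dedicated unprivileged account for the service. --disabled-login: no password,
# no interactive login; the home dir is created by the git clone below.
sudo adduser --no-create-home --home /var/www/scrumblr --disabled-login --gecos "Scrumblr" scrumblr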

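# Code lives in /var/www/scrumblr, owned by the service user because npm install
# (next step) must write node_modules there.
# NOTE(review): the running service can therefore rewrite its own code. If that
# matters here, hand ownership back to root after the install and leave only the
# paths scrumblr genuinely writes under its control.
mkdir -p /var/www   # -p: fine if /var/www already exists
cd /var/www/
# NOTE(review): this checks out whatever the branch head is at clone time; record
# the deployed commit (git rev-parse HEAD) so the install is reproducible.
sudo git clone https://framagit.org/colibris/framemo.git scrumblr
sudo chown -R scrumblr: /var/www/scrumblr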

# Install dependencies as the unprivileged service user: dependency lifecycle
# scripts execute during npm install, so this must never run as root.
cd /var/www/scrumblr
sudo su scrumblr -s /bin/bash -c 'npm install'

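# Merge ldidry's fork on top of the framemo checkout, still as the service user.
cd /var/www/scrumblr
sudo su scrumblr -s /bin/bash
git remote add fork https://github.com/ldidry/scrumblr/
git fetch fork
# Supply chain: look at what is about to be merged, then merge the fetched branch
# explicitly (equivalent to `git pull fork master` after the fetch above) and
# note the resulting commit id.
git log --oneline HEAD..fork/master
git merge fork/master

vi config.js # add the redis:// URL. Debian's packaged redis.conf binds 127.0.0.1 only;
             # keep it that way -- nothing here sets a redis password, so the
             # instance must not be reachable from the network.
exit         # back to root: the steps below write under /etc. Without this the
             # unit file is opened as scrumblr and cannot be saved.

vi /etc/systemd/system/scrumblr.service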


coller:
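[Unit]
Description=Scrumblr service
Documentation=https://github.com/aliasaria/scrumblr/
# Redis must be up before node opens its redis:// connection.
Requires=network.target
Requires=redis-server.service
After=network.target
After=redis-server.service

[Service]
Type=simple
User=scrumblr
WorkingDirectory=/var/www/scrumblr
ExecStart=/usr/bin/node server.js --port 4242
# Come back after a crash instead of staying down until someone notices.
Restart=on-failure
RestartSec=5
# Sandboxing: the process serves untrusted HTTP/websocket traffic, so keep it
# away from the rest of the system. ProtectSystem=full leaves /var (and thus
# /var/www/scrumblr) writable; tighten to strict + ReadWritePaths= once the
# paths scrumblr actually writes are confirmed.
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target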


# Register the new unit, then enable it at boot and start it right away.
sudo systemctl daemon-reload
sudo systemctl enable --now scrumblr.service

vi /usr/local/bin/Firewall


coller
# Hook picked up by /usr/local/bin/Firewall: let the reverse proxy, and only it,
# reach the node listener on tcp/4242; everything else stays closed.
# NOTE(review): 192.168.122.100 is also the *destination* of the proxy-side
# OUTPUT rule at the end of this page. Proxy and guest cannot both own that
# address -- confirm which box is 192.168.122.100 before trusting this rule.
include_service_rules() {
    local proxy_ip=192.168.122.100
    local app_port=4242
    iptables -A CUSTOM_INPUT -i eth0 -p tcp -s "$proxy_ip" --dport "$app_port" -j ACCEPT
}



Sur le reverseproxy
vi /etc/nginx/sites-available/postit.colibris-outilslibres.org

coller:
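server {
    listen 443 ssl;
    server_name  postit.colibris-outilslibres.org;

    access_log  /var/log/nginx/postit.colibris-outilslibres.org.access.log;
    error_log   /var/log/nginx/postit.colibris-outilslibres.org.error.log;

    # Uncomment once certbot (below) has issued the certificate. chain.pem is
    # what ssl_stapling_verify needs to validate the stapled OCSP response.
    #ssl_certificate /etc/letsencrypt/live/postit.colibris-outilslibres.org/fullchain.pem ;
    #ssl_certificate_key /etc/letsencrypt/live/postit.colibris-outilslibres.org/privkey.pem ;
    #ssl_trusted_certificate /etc/letsencrypt/live/postit.colibris-outilslibres.org/chain.pem ;

    # Diffie-Hellman parameters for the DHE suites kept below (2048 bits or more).
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_session_timeout  5m;
    ssl_session_cache shared:SSL:5m ;
    ssl_session_tickets off;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and only served to drag in weak
    # suites. Drop TLSv1.3 from this line if the nginx/OpenSSL on the proxy
    # predates it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # The previous list mixed real suites with names OpenSSL does not know
    # (e.g. AES128-GCM-SHA128, silently ignored) and still admitted 3DES
    # (DES-CBC3-SHA). Forward-secret AEAD suites only; the certificate is RSA,
    # so the ECDSA entries are harmless extras.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    # HSTS (ngx_http_headers_module) -- 15768000 s = 6 months. `always` also
    # sends it on error responses.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # OCSP Stapling (verification relies on ssl_trusted_certificate above)
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7

    location / {
        # NOTE(review): 127.0.0.1:4242 only works if scrumblr runs on this box.
        # The firewall OUTPUT rule at the end of this page sends proxy traffic to
        # 192.168.122.100:4242, so the upstream is presumably that guest --
        # confirm and point proxy_pass at it.
        proxy_pass http://127.0.0.1:4242;
        proxy_set_header Host $host;
        # Let the app see real client addresses and know it sits behind TLS.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket upgrade needs HTTP/1.1 towards the backend; nginx defaults
        # to 1.0, on which the Upgrade handshake does not go through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen      80;
    server_name  postit.colibris-outilslibres.org;

    access_log  /var/log/nginx/postit.colibris-outilslibres.org.access.log;
    error_log   /var/log/nginx/postit.colibris-outilslibres.org.error.log;

    # Reserved for certbot's HTTP-01 validation (served over plain HTTP on purpose).
    location ^~ '/.well-known/acme-challenge' {
        default_type "text/plain" ;
        root /var/www/certbot ;
    }

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    location / {
        return 301 https://$host$request_uri;
    }
}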


ln -s  /etc/nginx/sites-available/postit.colibris-outilslibres.org /etc/nginx/sites-enabled/


certbot certonly --rsa-key-size 4096 --webroot -w /var/www/certbot/ --email contact@colibris-outilslibres.org --agree-tos -d postit.colibris-outilslibres.org


décommenter les 2 lignes ssl_certificate / ssl_certificate_key du vhost nginx, puis `nginx -t && systemctl reload nginx` pour que le certificat soit effectivement servi

config firewall (sur le reverseproxy)
# On the reverse proxy: allow outbound connections to the Scrumblr guest's listener.
vi /usr/local/bin/Firewall

# Scrumblr: this proxy may open tcp/4242 towards the Scrumblr guest.
# NOTE(review): 192.168.122.100 is also the *source* accepted by the guest's
# CUSTOM_INPUT rule earlier on this page; both cannot be right unless proxy and
# guest share an address -- confirm which box owns 192.168.122.100.
iptables -A CUSTOM_OUTPUT -o eth0 -p tcp -d 192.168.122.100 --dport 4242 -j ACCEPT