Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- dienste:bytecluster0001 [05.06.2017 15:42] – [Externe Synapse Dokumentation] mkzero
+++ dienste:bytecluster0001 [26.09.2025 14:12] (aktuell) – [Postfach anlegen] stephanj
@@ Zeile 1: / Zeile 1: @@
-====== bytecluster0001 ======
+======= bytecluster0001 =======
-bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt. Der Server wurde von der Firma Hetzner Online GmbH dankenswerter Weise zur Verfügung gestellt.
+bytecluster0001 ist ein virtueller Server, der Kommunikationsdienste für den Verein bereitstellt.
-===== Administratoren =====
+====== Administratoren ======
   * [[user:mape2k]]
   * [[user:mkzero:]]
   * [[user:suicider]]
+  * [[user:hipposen:start|hipposen]]
-===== Benutzer =====
+====== Benutzer ======
   * Bernd (Webseiten)
-===== IPs /DNS =====
+====== IPs /DNS ======
   * bytecluster0001.bytespeicher.org
@@ Zeile 19: / Zeile 20: @@
     * 2a01:4f8:c17:1214::2
-===== Installation =====
+====== Installation ======
   * Debian 8.2 minimal
-==== User / Gruppen ====
+===== User / Gruppen =====
   * mkzero -> sudo
   * marcel -> sudo
+  * maddi -> sudo
   * stephan -> sudo
   * bernd -> sudo für www-data
@@ Zeile 36: / Zeile 38: @@
   * ffapi
   * synapse
-==== Pakete ====
+===== Pakete =====
   * zsh
@@ Zeile 46: / Zeile 48: @@
   * debian-goodies
-==== Netzwerk ====
+===== Netzwerk =====
-=== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) ===
+==== Skript für IPv6-Adressen (benötigt für Matrix-IRC-Bridge) ====
 <file|/usr/local/bin/manage_ipv6_addresses.sh>
 #!/bin/bash
@@ Zeile 64: / Zeile 66: @@
   * //**chmod +x /usr/local/bin/manage_ipv6_addresses.sh**//
-=== Konfiguration ===
+==== Konfiguration ====
 <file|/etc/network/interfaces>
@@ Zeile 84: / Zeile 86: @@
 </file>
-==== Konfiguration SSH ====
+===== Konfiguration SSH =====
   * HostKey DSA entfernt
@@ Zeile 101: / Zeile 103: @@
 </file>
-==== SUDO ====
+===== SUDO =====
   * Administrative Benutzer sind Mitglied der Gruppe "sudo"
-==== IPTABLES ====
+===== IPTABLES =====
   * iptables-persistent
@@ Zeile 126: / Zeile 128: @@
 # Localhorst
 -A INPUT -s 127.0.0.0/8 -j ACCEPT
+# Turnserver
+-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
+-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
+-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
 # SSH / mosh
@@ Zeile 146: / Zeile 153: @@
 -A INPUT -p tcp --dport 4190 -j ACCEPT
+# Matrix
+-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
 COMMIT
 </file>
@@ Zeile 165: / Zeile 175: @@
 # Garbage
 -A INPUT -m state --state INVALID -j DROP
+# Turnserver
+-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
+-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
+-A INPUT -p udp -m udp --dport 49152:59999 -j ACCEPT
 # SSH / mosh
@@ Zeile 185: / Zeile 200: @@
 -A INPUT -p tcp --dport 4190 -j ACCEPT
+# Matrix
+-A INPUT -p tcp -m tcp --dport 8008 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 8448 -j ACCEPT
 COMMIT
 </file>
-==== MySQL/MariaDB ====
+===== MySQL/MariaDB =====
   * mariadb-server
@@ Zeile 230: / Zeile 248: @@
 </file>
-==== NGINX ====
+===== NGINX =====
   * nginx
+<file|/etc/nginx/conf.d/ssl.conf>
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128";
+ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+resolver 213.133.98.98 213.133.99.99 valid=300s;
+resolver_timeout 5s;
+</file>
 <file|/etc/nginx/patch>
-diff -Naur /etc/nginx.dist/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf
---- /etc/nginx.dist/conf.d/ssl.conf	1970-01-01 01:00:00.000000000 +0100
-+++ /etc/nginx/conf.d/ssl.conf	2015-11-04 22:41:34.269315957 +0100
-@@ -0,0 +1,12 @@
-+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-+ssl_prefer_server_ciphers on;
-+ssl_session_cache shared:SSL:10m;
-+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-+add_header X-Frame-Options DENY;
-+add_header X-Content-Type-Options nosniff;
-+ssl_session_tickets off; # Requires nginx >= 1.5.9
-+ssl_stapling on; # Requires nginx >= 1.3.7
-+ssl_stapling_verify on; # Requires nginx => 1.3.7
-+resolver 213.133.98.98 213.133.99.99 valid=300s;
-+resolver_timeout 5s;
 diff -Naur /etc/nginx.dist/nginx.conf /etc/nginx/nginx.conf
 --- /etc/nginx.dist/nginx.conf	2014-12-01 12:12:00.000000000 +0100
@@ Zeile 276: / Zeile 299: @@
 </file>
-==== Let's Encrypt (SSL-Zertifikate) ====
+===== Let's Encrypt (SSL-Zertifikate) =====
 === Installation ===
@@ Zeile 320: / Zeile 343: @@
     # Reload NGINX
     sudo /bin/systemctl reload nginx.service
+    # Copy erfurt.chat-Certificate/Key to synapse-directory
+    if [ ${DOMAIN} = "erfurt.chat" ]; then
+      cp -L ${KEYFILE} /home/synapse/ssl/
+      cp -L ${CERTFILE} /home/synapse/ssl/
+      cp -L ${FULLCHAINFILE} /home/synapse/ssl/
+      chgrp synapse /home/synapse/ssl/*.pem
+      chmod 640 /home/synapse/ssl/*.pem
+    fi
     # Restart Postfix/Dovecot
@@ Zeile 345: / Zeile 377: @@
 4 * * *     letsencrypt  /home/letsencrypt/letsencrypt.sh/letsencrypt.sh -c > /home/letsencrypt/letsencrypt.log 2>&1
 </file>
-=== Verwendung des Let'sEncrypt Client für eine neue Domain ===
+=== Verwendung des LetsEncrypt Client für eine neue Domain ===
 Pro Zertifikat können mehrere Domains/Subdomains integriert werden. Diese müssen in der domains.txt in einer Zeile stehen.
@@ Zeile 371: / Zeile 403: @@
   ...
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
@@ Zeile 387: / Zeile 411: @@
   ssl_dhparam /etc/ssl/example.org/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
   ...
@@ Zeile 396: / Zeile 418: @@
     * **//systemctl reload nginx.service//**
-==== PHP ====
+===== User-Agent-Filter =====
+<file|/etc/nginx/snippets/filter_useragents.conf>
+### Block Mastodon
+if ($http_user_agent ~* (Mastodon)) {
+    return 403;
+}
+</file>
+===== PHP =====
   * php5-fpm
@@ Zeile 417: / Zeile 446: @@
 post_max_size = 64M
 </file>
-==== Ruby ====
+===== Ruby =====
   * ruby
-==== Bytebot ====
+===== Bytebot =====
 Pakete:
@@ Zeile 465: / Zeile 494: @@
   * //**systemctl start bytebot.service**//
-==== Twitterstatus / Twitterstatus Makerspace ====
+===== Twitterstatus / Twitterstatus Makerspace =====
 Die Anleitung ist für "twitterstatus". Die Einrichtung von "twitterstatus-ms" erfolgt
@@ Zeile 529: / Zeile 558: @@
 </code>
-==== Freifunk-API ====
+===== Freifunk-API =====
 === Pakete ===
@@ Zeile 581: / Zeile 610: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
@@ Zeile 597: / Zeile 618: @@
   ssl_dhparam /etc/ssl/api.erfurt.freifunk.net/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/api.erfurt.freifunk.net/fullchain.pem;
@@ Zeile 635: / Zeile 654: @@
   * //**systemctl reload nginx**//
-==== paste.bytespeicher.org ====
+===== paste.bytespeicher.org =====
   * Datenbank: bs_paste
@@ Zeile 656: / Zeile 675: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
@@ Zeile 670: / Zeile 682: @@
   ssl_dhparam /etc/ssl/paste.bytespeicher.org/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/paste.bytespeicher.org/fullchain.pem;
@@ Zeile 700: / Zeile 710: @@
 </file>
-==== bytespeicher.org ====
+===== bytespeicher.org =====
   * Datenbank: wp_bs
@@ Zeile 712: / Zeile 722: @@
  server_name www.bytespeicher.org staging.bytespeicher.org bytespeicher.org radio.bytespeicher.org;
+ include snippets/filter_useragents.conf;
  include snippets/letsencrypt.conf;
@@ Zeile 729: / Zeile 740: @@
  server_name www.bytespeicher.org;
+ include snippets/filter_useragents.conf;
  ssl on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
@@ Zeile 747: / Zeile 752: @@
  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
@@ Zeile 764: / Zeile 767: @@
  ssl on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/privkey.pem;
  ssl_dhparam /etc/ssl/bytespeicher.org/bytespeicher.org.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/bytespeicher.org/fullchain.pem;
@@ Zeile 837: / Zeile 830: @@
 </file>
-==== status.bytespeicher.org ====
+===== status.bytespeicher.org =====
   * **//useradd spacestatus -m -G www-data//**
   * **//sudo -u spacestatus /bin/bash//**
   * **//cd ~//**
-  * **//git clone https:/ /github.com/Bytespeicher/space-status//**
+  * **//<nowiki>git clone https://github.com/Bytespeicher/space-status</nowiki>//**
   * **//mkdir www//**
   * **//virtualenv env//**
@@ Zeile 901: / Zeile 894: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
+  add_header Access-Control-Allow-Origin *;
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/privkey.pem;
   ssl_dhparam /etc/ssl/status.bytespeicher.org/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/status.bytespeicher.org/fullchain.pem;
 }
 </file>
-==== makerspace-erfurt.de / fablab-erfurt.de ====
+===== makerspace-erfurt.de / fablab-erfurt.de =====
   * Datenbank: makerspace_wp
@@ Zeile 946: / Zeile 930: @@
  ssl on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Frame-Options SAMEORIGIN;
- add_header X-Content-Type-Options nosniff;
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/privkey.pem;
  ssl_dhparam /etc/ssl/makerspace-erfurt.de/dhparam.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/makerspace-erfurt.de/fullchain.pem;
@@ Zeile 1004: / Zeile 978: @@
 </file>
-==== cloud.technikkultur-erfurt.de (Owncloud) ====
+===== cloud.technikkultur-erfurt.de (Nextcloud) =====
   * Datenbank: makerspace_oc
@@ Zeile 1025: / Zeile 999: @@
  ssl on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
@@ Zeile 1037: / Zeile 1004: @@
  ssl_dhparam /etc/ssl/cloud.technikkultur-erfurt.de/dhparam.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/cloud.technikkultur-erfurt.de/fullchain.pem;
@@ Zeile 1147: / Zeile 1112: @@
 </file>
-==== Redmine ====
+===== Redmine =====
   * Datenbank: redmine
@@ Zeile 1268: / Zeile 1233: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
@@ Zeile 1282: / Zeile 1240: @@
   ssl_dhparam /etc/ssl/redmine.bytespeicher.org/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/redmine.bytespeicher.org/fullchain.pem;
@@ Zeile 1302: / Zeile 1258: @@
 </file>
-==== Dokuwiki ====
+===== Dokuwiki =====
   * DocumentRoot: /var/www/technikkultur-erfurt.de/public_html
@@ Zeile 1315: / Zeile 1271: @@
   listen [::]:443 ssl;
+  include snippets/filter_useragents.conf;
   include snippets/letsencrypt.conf;
@@ Zeile 1328: / Zeile 1285: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
@@ Zeile 1342: / Zeile 1292: @@
   ssl_dhparam /etc/ssl/example.org/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/example.org/fullchain.pem;
-  # Maximum file upload size is 4MB - change accordingly if needed
+  # Maximum file upload size is 20MB - change accordingly if needed
-  client_max_body_size 4M;
+  client_max_body_size 20M;
   client_body_buffer_size 128k;
@@ Zeile 1378: / Zeile 1326: @@
 </file>
-==== Pad ====
+===== Pad =====
   * Software: Etherpad-lite
@@ Zeile 1423: / Zeile 1371: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
@@ Zeile 1437: / Zeile 1378: @@
   ssl_dhparam /etc/ssl/pad.technikkultur-erfurt.de/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /etc/ssl/pad.technikkultur-erfurt.de/pad.technikkultur-erfurt.de.pem;
@@ Zeile 1502: / Zeile 1441: @@
   * https://github.com/ether/etherpad-lite/wiki/Manipulating-the-database
-==== wall.technikkultur-erfurt.de ====
+===== wall.technikkultur-erfurt.de =====
   * Config: /var/www/wall.technikkultur-erfurt.de/config.php
@@ Zeile 1525: / Zeile 1464: @@
 </file>
-==== Piwik ====
+===== opendata.bytespeicher.org =====
+  * Webspace: /var/www/opendata.bytepseicher.org/public_html
+<file|/etc/nginx/sites-available/opendata.bytespeicher.org>
+server {
+  listen 80;
+  listen [::]:80;
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  include snippets/letsencrypt.conf;
+  root /var/www/opendata.bytespeicher.org/public_html;
+  index index.html;
+  server_name opendata.bytespeicher.org;
+  location / {
+    try_files $uri $uri/ =404;
+  }
+  # PHP
+  location ~ \.php$ {
+    fastcgi_pass   unix:/var/run/php5-fpm.sock;
+    include         fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param REDIRECT_STATUS 200;
+  }
+  ssl on;
+  # Use SSL as default
+  # if ($scheme != "https") {
+  #   rewrite ^ https://$host$uri permanent;
+  # }
+  # add_header Strict-Transport-Security "max-age=31536000";
+  ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem;
+  ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/privkey.pem;
+  ssl_dhparam /etc/ssl/opendata.bytespeicher.org/dhparam.pem;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/opendata.bytespeicher.org/fullchain.pem;
+  # Security options
+  add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
+  add_header Access-Control-Allow-Origin *;
+}
+</file>
+===== Piwik =====
   * Datenbank: bs_piwik
@@ Zeile 1549: / Zeile 1544: @@
 </file>
-==== Roundcube ====
+===== Roundcube =====
   * Datenbank: roundcubemail
@@ Zeile 1607: / Zeile 1602: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/privkey.pem;
   ssl_dhparam /etc/ssl/mail.bytespeicher.org/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/mail.bytespeicher.org/fullchain.pem;
   root /var/www/mail.bytespeicher.org/;
+  client_max_body_size 64m;
   index index.php index.html;
@@ Zeile 1674: / Zeile 1661: @@
   * //**rm -rf /var/www/mail.bytespeicher.org/installer/**//
-==== Matrix/Synapse ====
+===== Matrix/Synapse =====
   * useradd -m synapse
   * apt-get install build-essential python2.7-dev libffi-dev python-pip python-setuptools sqlite3 libssl-dev python-virtualenv libjpeg-dev libxslt1-dev coturn
+  * mkdir /home/synapse/ssl
+  * chown synapse:synapse /home/synapse/ssl
+  * chmod 770 /home/synapse/ssl
+  * usermod -G synapse letsencrypt
 <file|/etc/nginx/sites-enabled/erfurt.chat>
@@ Zeile 1697: / Zeile 1689: @@
   }
   root /var/www/erfurt.chat;
+  client_max_body_size 32m;
   location /_matrix {
@@ Zeile 1704: / Zeile 1698: @@
   ssl on;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-  ssl_prefer_server_ciphers on;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
   # add_header Strict-Transport-Security "max-age=31536000";
   add_header X-Frame-Options SAMEORIGIN;
-  # add_header X-Content-Type-Options nosniff;
   ssl_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;
   ssl_certificate_key /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem;
   ssl_dhparam /etc/ssl/erfurt.chat/dhparam.pem;
-  ssl_stapling on;
-  ssl_stapling_verify on;
   ssl_trusted_certificate /home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/fullchain.pem;
@@ Zeile 1735: / Zeile 1719: @@
 <file|/etc/turnserver.conf>
 external-ip=88.198.111.196
+min-port=49152
+max-port=59999
 lt-cred-mech
 use-auth-secret
 static-auth-secret=[your secret key here]
 realm=erfurt.chat
+no-tcp
+no-tls
 no-tcp-relay
+cert=/home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/cert.pem
+pkey=/home/letsencrypt/letsencrypt.sh/certs/erfurt.chat/privkey.pem
+cipher-list="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!AES128"
+syslog
 denied-peer-ip=10.0.0.0-10.255.255.255
 denied-peer-ip=192.168.0.0-192.168.255.255
 denied-peer-ip=172.16.0.0-172.31.255.255
 allowed-peer-ip=172.31.1.100
-syslog
 no-sslv2
 no-sslv3
@@ Zeile 1763: / Zeile 1754: @@
 <file|/home/synapse/.synapse/homeserver.yaml>
 --- homeserver.yaml.orig	2017-06-05 12:56:46.729514635 +0200
-+++ homeserver.yaml	2017-06-05 14:00:36.981444634 +0200
++++ homeserver.yaml	2018-04-17 13:40:25.760622831 +0200
-@@ -120,7 +120,7 @@
+@@ -4,10 +4,10 @@
-   # For when matrix traffic passes through loadbalancer that unwraps TLS.
+ # autogenerates on launch with your own SSL certificate + key pair
-   - port: 8008
+ # if you like.  Any required intermediary certificates can be
-     tls: false
+ # appended after the primary certificate in hierarchical order.
--    bind_addresses: ['0.0.0.0']
+-tls_certificate_path: "/home/synapse/.synapse/erfurt.chat.tls.crt"
-+    bind_addresses: ['127.0.0.1']
++tls_certificate_path: "/home/synapse/ssl/fullchain.pem"
+ # PEM encoded private key for TLS
+-tls_private_key_path: "/home/synapse/.synapse/erfurt.chat.tls.key"
++tls_private_key_path: "/home/synapse/ssl/privkey.pem"
+ # PEM dh parameters for ephemeral keys
+ tls_dh_params_path: "/home/synapse/.synapse/erfurt.chat.tls.dh"
+@@ -50,7 +50,7 @@
+ pid_file: /home/synapse/.synapse/homeserver.pid
+ # Whether to serve a web client from the HTTP/HTTPS root resource.
+-web_client: True
++web_client: False
+ # The root directory to server for the above web client.
+ # If left undefined, synapse will serve the matrix-angular-sdk web client.
+@@ -59,7 +59,7 @@
+ # web_client_location: "/path/to/web/root"
+ # The public-facing base URL for the client API (not including _matrix/...)
+-# public_baseurl: https://example.com:8448/
++public_baseurl: https://erfurt.chat:8448/
+ # Set the soft limit on the number of file descriptors synapse can use
+ # Zero is used to indicate synapse should set the soft limit to the
+@@ -71,7 +71,9 @@
+ # Set the limit on the returned events in the timeline in the get
+ # and sync operations. The default value is -1, means no upper limit.
+-# filter_timeline_limit: 5000
++
++## activated by maddi
++filter_timeline_limit: 500
+ # List of ports that Synapse should listen on, their purpose and their
+ # configuration.
+@@ -85,11 +87,11 @@
+     # Local addresses to listen on.
+     # This will listen on all IPv4 addresses by default.
+     bind_addresses:
+-      - '0.0.0.0'
++      #- '0.0.0.0'
+       # Uncomment to listen on all IPv6 interfaces
+       # N.B: On at least Linux this will also listen on all IPv4
+       # addresses, so you will need to comment out the line above.
+-      # - '::'
++      - '::'
+     # This is a 'http' listener, allows us to specify 'resources'.
      type: http
+@@ -123,7 +125,7 @@
-     x_forwarded: false
+     bind_addresses: ['0.0.0.0']
-@@ -231,7 +231,7 @@
+     type: http
+-    x_forwarded: false
++    x_forwarded: True
+     resources:
+       - names: [client, webclient]
+@@ -141,14 +143,18 @@
+ # Database configuration
+ database:
+   # The database engine name
+-  name: "sqlite3"
++  name: "psycopg2"
+   # Arguments to pass to the engine
+   args:
+-    # Path to the database
+-    database: "/home/synapse/.synapse/homeserver.db"
++    #user: synapse
++    database: synapse
++    #host: localhost
++    #password:
++    cp_min: 5
++    cp_max: 25
+ # Number of events to cache in memory.
+-event_cache_size: "10K"
++event_cache_size: "1K"
+@@ -156,7 +162,7 @@
+ verbose: 0
+ # File to write logging to. Ignored if log_config is specified.
+-log_file: "/home/synapse/.synapse/homeserver.log"
++log_file: "/home/synapse/.synapse/log/homeserver.log"
+ # A yaml python logging config file
+ log_config: "/home/synapse/.synapse/erfurt.chat.log.config"
+@@ -171,7 +177,9 @@
+ rc_message_burst_count: 10.0
+ # The federation window size in milliseconds
+-federation_rc_window_size: 1000
++## edit by maddi
++# federation_rc_window_size: 2000
++federation_rc_window_size: 2000
+ # The number of federation requests from a single server in a window
+ # before the server will delay processing the request.
+@@ -183,14 +191,19 @@
+ # The maximum number of concurrent federation requests allowed
+ # from a single server
+-federation_rc_reject_limit: 50
++## edit by maddi
++# federation_rc_reject_limit: 50
++federation_rc_reject_limit: 10
+ # The number of federation requests to concurrently process from a
+ # single server
+-federation_rc_concurrent: 3
+-
+-
+-
++#federation_rc_concurrent: 3
++## edit by maddi
++federation_rc_concurrent: 1
++
++## add by maddi
++federation_domain_whitelist: ['erfurt.chat','matrix.ffggrz.de','bau-ha.us','zner0l.de','byteschmeisser.de']
++
+ # Directory where uploaded images and attachments are stored.
+ media_store_path: "/home/synapse/.synapse/media_store"
+@@ -231,7 +244,7 @@
  # Is the preview URL API enabled?  If enabled, you *must* specify
  # an explicit url_preview_ip_range_blacklist of IPs that the spider is
@@ Zeile 1779: / Zeile 1894: @@
 -url_preview_enabled: False
 +url_preview_enabled: True
  # List of IP address CIDR ranges that the URL preview spider is denied
  # from accessing.  There are no defaults: you must explicitly
-@@ -241,14 +241,14 @@
+@@ -241,14 +254,14 @@
  # synapse to issue arbitrary GET requests to your internal services,
  # causing serious security issues.
@@ Zeile 1805: / Zeile 1920: @@
  # to access even if they are specified in url_preview_ip_range_blacklist.
  # This is useful for specifying exceptions to wide-ranging blacklisted
-@@ -322,10 +322,10 @@
+@@ -322,10 +335,10 @@
  ## Turn ##
  # The public URIs of the TURN server to give to clients
 -turn_uris: []
 +turn_uris: [ "turn:erfurt.chat:3478?transport=udp", "turn:erfurt.chat:3478?transport=tcp" ]
  # The shared secret used to compute passwords for the TURN server
 -turn_shared_secret: "YOUR_SHARED_SECRET"
-+turn_shared_secret: "$$$$SECRET$$$$"
++turn_shared_secret: "$$$SECRET$$$"
  # The Username and password if the TURN server needs them and
  # does not use a token
-@@ -346,7 +346,7 @@
+@@ -346,7 +359,7 @@
  ## Registration ##
  # Enable registration for new users.
 -enable_registration: False
 +enable_registration: True
  # If set, allows registration by anyone who also has the shared
  # secret, even if registration is otherwise disabled.
-@@ -360,7 +360,7 @@
+@@ -360,7 +373,7 @@
  # Allows users to register as guests without a password/email/etc, and
  # participate in rooms hosted on this server which have been made
@@ Zeile 1833: / Zeile 1948: @@
 -allow_guest_access: False
 +allow_guest_access: True
  # The list of identity servers trusted to verify third party
  # identifiers by this server.
-@@ -461,7 +461,8 @@
+@@ -388,7 +401,9 @@
+ # A list of application service config file to use
+-app_service_config_files: []
++#app_service_config_files: [ "ircbridge_registration.yaml" ]
++## deactivated by maddi
++app_service_config_files: [ ]
+ macaroon_secret_key: "$$$SECRET$$$"
+@@ -402,7 +417,7 @@
+ signing_key_path: "/home/synapse/.synapse/erfurt.chat.signing.key"
+ # The keys that the server used to sign messages with but won't use
+-# to sign new messages. E.g. it has lost its private key
++# to sign new messages. dE.g. it has lost its private key
+ old_signing_keys: {}
+ #  "ed25519:auto":
+ #    # Base64 encoded public key
+@@ -461,7 +476,8 @@
     enabled: true
     # Uncomment and change to a secret random string for extra security.
     # DO NOT CHANGE THIS AFTER INITIAL SETUP!
 -   #pepper: ""
-+   pepper: "$$$$SECRET$$$$"
++   pepper: "$$$SECRET$$$"
++
-@@ -473,20 +474,20 @@
+@@ -473,20 +489,20 @@
  # If your SMTP server requires authentication, the optional smtp_user &
  # smtp_pass variables should be used
@@ Zeile 1868: / Zeile 2004: @@
 +   smtp_port: 587
 +   smtp_user: "synapse@erfurt.chat"
-+   smtp_pass: "$$$$SECRET$$$$"
++   smtp_pass: "$$$SECRET$$$"
 +   require_transport_security: True
 +   notif_from: "Your Friendly %(app)s Home Server <noreply@erfurt.chat>"
 +   app_name: Matrix
-+   template_dir: res/templates
++   template_dir: /home/synapse/.synapse/res/templates/
 +   notif_template_html: notif_mail.html
 +   notif_template_text: notif_mail.txt
@@ Zeile 1878: / Zeile 2014: @@
 +   riot_base_url: "https://erfurt.chat/riot"
+ # password_providers:
 </file>
+<file|/home/synapse/.synapse/erfurt.chat.log.config>
+version: 1
+formatters:
+  precise:
+   format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s- %(message)s'
+filters:
+  context:
+    (): synapse.util.logcontext.LoggingContextFilter
+    request: ""
+handlers:
+  file:
+    class: logging.handlers.RotatingFileHandler
+    formatter: precise
+    filename: /home/synapse/.synapse/log/homeserver.log
+    maxBytes: 104857600
+    backupCount: 10
+    filters: [context]
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+    filters: [context]
+loggers:
+    synapse:
+        level: INFO
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+root:
+    level: INFO
+    handlers: [file]
+#    handlers: [file, console]
+</file>
 <file|/etc/systemd/system/synapse.service>
 [Unit]
@@ Zeile 1925: / Zeile 2103: @@
   * apt-get install -y nodejs
   * npm install matrix-appservice-irc --global
+<file|/home/synapse/.synapse/ircbridge_config.yaml>
+homeserver:
+  url: "https://erfurt.chat"
+  # CAUTION: This is a very coarse heuristic. Federated homeservers may have different
+  # clock times and hence produce different origin_server_ts values, which may be old
+  # enough to cause *all* events from the homeserver to be dropped.
+  # Default: 0 (don't ever drop)
+  # dropMatrixMessagesAfterSecs: 300 # 5 minutes
+  domain: "erfurt.chat"
+ircService:
+  servers:
+    "irc.hackint.org":
+      name: "Hackint"
+      networkId: "hackint"
+      port: 9999
+      ssl: true
+      sslselfsign: true
+      ca: |
+         -----BEGIN CERTIFICATE-----
+         MIIGBzCCA++gAwIBAgIJAKZfNgKecw1WMA0GCSqGSIb3DQEBCwUAMIGEMRwwGgYD
+         VQQKExNIYWNraW50IElSQyBOZXR3b3JrMR8wHQYDVQQLExZodHRwOi8vd3d3Lmhh
+         Y2tpbnQub3JnMSQwIgYDVQQDExtIYWNraW50IElSQyBOZXR3b3JrIFJvb3QgQ0Ex
+         HTAbBgkqhkiG9w0BCQEWDmNhQGhhY2tpbnQub3JnMB4XDTE1MDcwMTAwMDAwMFoX
+         DTM1MTIzMTIzNTk1OVowgYQxHDAaBgNVBAoTE0hhY2tpbnQgSVJDIE5ldHdvcmsx
+         HzAdBgNVBAsTFmh0dHA6Ly93d3cuaGFja2ludC5vcmcxJDAiBgNVBAMTG0hhY2tp
+         bnQgSVJDIE5ldHdvcmsgUm9vdCBDQTEdMBsGCSqGSIb3DQEJARYOY2FAaGFja2lu
+         dC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDi57PWGLHMfxlN
+         yjtXUS4oYK77+C1ByJtziDWYbEiamrmYbOZ3ukzfH4nHHOLuAiQIT8Tw8gVXMw6w
+         CNplAUN0mAIQhhu10PwsBLjf638F/NTPzBmziMZyyuSrvyAkZp6Ktv5DAXymIV6C
+LmVwhJiqC5+YFC1JbZJt8wGrew/YLrroYUJm0n7FpW/EkUrl3cQOHIV5xFl9LxR
+xh/lC1AuAsawv8vaxQFGiun25F4jd6l/Evf0tr628kpEXH4hspkeNsQh9uUUpjx
+         CpNQqh7Wyi1M/QhiK9GFuODd0wsU77iOfccJl3FVf/bjLcO9COMLOBWaJgEpJMNw
+         j2uBk7pMKScw3S2qvtqBxf7VtfvlyPeX5C7+XCXXViBFcYubzmNlNq5n3qEbMG4t
+         qwdxR4Mhbhy4BhOGkFNdURsf4N47TvPV6eglHPLc05uYvL5VIddNxH1jrpxVYX76
+         KXvpR4+vUTYYVi8m2A4Rf+JMI5CELfie2chghhiojAuKDuKfmW3v+fkuGkjEC5A8
+         NfzD7EOGJB2osAbKP6rx77tVuAo0eMPLHijpgYciXIGoprwqFrjttvRaMkGywwLq
+JDyfB8hMvMvmVPnqx4zbmOaS/Ut2irVwU0k9jiDN29dTvc3ySHwW0bd+Lt5fWJD
+         DL/lb2it8Z8pJYmZwt1e7vl4LNdm2QIDAQABo3oweDAPBgNVHRMBAf8EBTADAQH/
+         MB0GA1UdDgQWBBQVmc++GVicHQ7I4FDpPkZdr3nNCzAOBgNVHQ8BAf8EBAMCAQYw
+         NgYIKwYBBQUHAQEEKjAoMCYGCCsGAQUFBzAChhpodHRwOi8vaGFja2ludC5vcmcv
+         Y2EuaHRtbDANBgkqhkiG9w0BAQsFAAOCAgEAG82hdmLpfvG7RYbtCb6F4u8FBFxv
+         zR4Ye5nOPBKaA+CHA+KGScnBFg/E+aMI+IQ3j4Sgar0MZKwu5fI3ETdYReXWtSuE
+/UnT9U1ffUTTNuKwkFM3p5byrVzgmF3fI7aSAFyoa88xl6R/fzjXrXCp+eCy/tE
+         LTma2WRh+VORCX397h+FFVux3JtfBD+6uW53MOmNvSd2hndi8RpVbgklMfUWxcwK
+         z+R97QXhNopH33J1rmRm9/RUadKjChiIe+zM/eZJUPObIqiCaCP/qVAxruwHTi8E
+         tpNFNTCOxe0lwZ6lVNLWun7zY3+vk0Puk6KqnfBlNGK1QDxkTQLILdgGo5WQ11YN
+         oMmHGztLgZtiWLGLNhTrtAIRNKuc3sw0BOlv+osiH+KvDNvRKufc2eNkaGfLq7TJ
+         dhiAK2gKkYYAQ5zfDBwSspbtCsszYgEAin3PqoQUdG8f+4I49E0xS7PWQE75e7J9
+         MCnElQxAPWk9xuZhtkeWUHskpCjrNO7k3dshV0frn2OxPtSgQjjtZxQKQZYzQfPk
+         j/eVuFwWxQY9pZdOku7fRGbaLEyTbQHZW802rgmaLxxItWQKqZxG1Za7RlKo4Wur
+ZGuYKMAEnPmhJj2KlmXJAaIdQF6LA3NS0KvpWtOfrjaaroHHOUnrxBxCBlfoBpw
+         w3r7JBQGOVK95Sw=
+         -----END CERTIFICATE-----
+      # The connection password to send for all clients as a PASS command. Optional.
+      # password: 'pa$$w0rd'
+      sendConnectionMessages: false
+      quitDebounce:
+        # Whether parts due to net-splits are debounced for delayMs, to allow
+        # time for the netsplit to resolve itself. A netsplit is detected as being
+        # a QUIT rate higher than quitsPerSecond. Default: false.
+        enabled: false
+        # The maximum number of quits per second acceptable above which a netsplit is
+        # considered ongoing. Default: 5.
+        quitsPerSecond: 5
+        # The ti
+        # a net
+        # is not sent many requests to leave rooms all at once if a netsplit occurs and many
+        # people to not rejoin.
+        # If the user with the same IRC nick as the one who sent the quit rejoins a channel
+        # they are considered back online and the quit is not bridged, so long as the rejoin
+        # occurs before the randomly-jittered timeout is not reached.
+        # Default: 3600000, = 1h
+        delayMinMs: 3600000 # 1h
+        # Default: 7200000, = 2h
+        delayMaxMs: 7200000 # 2h
+      modePowerMap:
+        o: 50
+      botConfig:
+        enabled: true
+        nick: "MatrixBot"
+        password: "$$$$SECRET$$$$"
+        joinChannelsIfNoUsers: true
+      privateMessages:
+        enabled: true
+        # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
+        federate: true
+      # Configuration for mappings not explicitly listed in the 'mappings'
+      # section.
+      dynamicChannels:
+        # Enable the ability for Matrix users to join *any* channel on this IRC
+        # network.
+        # Default: false.
+        enabled: true
+        # Should the AS create a room alias for the new Matrix room? The form of
+        # the alias can be modified via 'aliasTemplate'. Default: true.
+        createAlias: true
+        # Should the AS publish the new Matrix room to the public room list so
+        # anyone can see it? Default: true.
+        published: true
+        # What should the join_rule be for the new Matrix room? If 'public',
+        # anyone can join the room. If 'invite', only users with an invite can
+        # join the room. Note that if an IRC channel has +k or +i set on it,
+        # join_rules will be set to 'invite' until these modes are removed.
+        # Default: "public".
+        joinRule: public
+        # Should created Matrix rooms be federated? If false, only users on the
+        # HS attached to this AS will be able to interact with this room.
+        # Default: true.
+        federate: true
+        # The room alias template to apply when creating new aliases. This only
+        # applies if createAlias is 'true'. The following variables are exposed:
+        # $SERVER => The IRC server address (e.g. "irc.example.com")
+        # $CHANNEL => The IRC channel (e.g. "#python")
+        # This MUST have $CHANNEL somewhere in it.
+        # Default: '#irc_$SERVER_$CHANNEL'
+        #aliasTemplate: "#irc_$CHANNEL"
+        # A list of user IDs which the AS bot will send invites to in response
+        # to a !join. Only applies if joinRule is 'invite'. Default: []
+        # whitelist:
+        #   - "@foo:example.com"
+        #   - "@bar:example.com"
+        #
+        # Prevent the given list of channels from being mapped under any
+        # circumstances.
+        # exclude: ["#foo", "#bar"]
+      # Configuration for controlling how Matrix and IRC membership lists are
+      # synced.
+      membershipLists:
+        # Enable the syncing of membership lists between IRC and Matrix. This
+        # can have a significant effect on performance on startup as the lists are
+        # synced. This must be enabled for anything else in this section to take
+        # effect. Default: false.
+        enabled: true
+        # Syncing membership lists at startup can result in hundreds of members to
+        # process all at once. This timer drip feeds membership entries at the
+        # specified rate. Default: 10000. (10s)
+        floodDelayMs: 10000
+        global:
+          ircToMatrix:
+            # Get a snapshot of all real IRC users on a channel (via NAMES) and
+            # join their virtual matrix clients to the room.
+            initial: true
+            # Make virtual matrix clients join and leave rooms as their real IRC
+            # counterparts join/part channels. Default: false.
+            incremental: true
+          matrixToIrc:
+            # Get a snapshot of all real Matrix users in the room and join all of
+            # them to the mapped IRC channel on startup. Default: false.
+            initial: true
+            # Make virtual IRC clients join and leave channels as their real Matrix
+            # counterparts join/leave rooms. Make sure your 'maxClients' value is
+            # high enough! Default: false.
+            incremental: true
+        # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
+        rooms:
+          - room: "!fuasirouddJoxtwfge:localhost"
+            matrixToIrc:
+              initial: false
+              incremental: false
+        # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
+        channels:
+          - channel: "#foo"
+            ircToMatrix:
+              initial: false
+              incremental: false
+      mappings:
+        # 1:many mappings from IRC channels to room IDs on this IRC server.
+        # The matrix room must already exist. Your matrix client should expose
+        # the room ID in a "settings" page for the room.
+        #"#bytespeicher-testing": ["", "!SUxMWVVxsKCFfBsKrR:unikorn.me"]
+        "#bytespeicher": ["!bGHdpETBTpNZzPzIDo:erfurt.chat"]
+      # Configuration for virtual matrix users. The following variables are
+      # exposed:
+      # $NICK => The IRC nick
+      # $SERVER => The IRC server address (e.g. "irc.example.com")
+      matrixClients:
+        # The user ID template to use when creating virtual matrix users. This
+        # MUST have $NICK somewhere in it.
+        # Optional. Default: "@$SERVER_$NICK".
+        # Example: "@irc.example.com_Alice:example.com"
+        userTemplate: "@irc_$NICK"
+        # The display name to use for created matrix clients. This should have
+        # $NICK somewhere in it if it is specified. Can also use $SERVER to
+        # insert the IRC domain.
+        # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
+        displayName: "$NICK (IRC)"
+      # Configuration for virtual IRC users. The following variables are exposed:
+      # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
+      # $USERID => The user ID
+      # $DISPLAY => The display name of this user, with excluded characters
+      #             (e.g. space) removed. If the user has no display name, this
+      #             falls back to $LOCALPART.
+      ircClients:
+        # The template to apply to every IRC client nick. This MUST have either
+        # $DISPLAY or $USERID or $LOCALPART somewhere in it.
+        # Optional. Default: "M-$DISPLAY". Example: "M-Alice".
+        nickTemplate: "$DISPLAY[m]"
+        # True to allow virtual IRC clients to change their nick on this server
+        # by issuing !nick <server> <nick> commands to the IRC AS bot.
+        # This is completely freeform: it will NOT follow the nickTemplate.
+        allowNickChanges: true
+        # The max number of IRC clients that will connect. If the limit is
+        # reached, the client that spoke the longest time ago will be
+        # disconnected and replaced.
+        # Optional. Default: 30.
+        maxClients: 30
+        # IPv6 configuration.
+        ipv6:
+          # Optional. Set to true to force IPv6 for outgoing connections.
+          only: false
+          # Optional. The IPv6 prefix to use for generating unique addresses for each
+          # connected user. If not specified, all users will connect from the same
+          # (default) address. This may require additional OS-specific work to allow
+          # for the node process to bind to multiple different source addresses
+          # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
+          # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
+          prefix: "2a01:4f8:c17:1214::1:"  # modify appropriately
+        #
+        # The maximum amount of time in seconds that the client can exist
+        # without sending another message before being disconnected. Use 0 to
+        # not apply an idle timeout. This value is ignored if this IRC server is
+        # mirroring matrix membership lists to IRC. Default: 172800 (48 hours)
+        idleTimeout: 10800
+        # The number of millseconds to wait between consecutive reconnections if a
+        # client gets disconnected. Setting to 0 will cause the scheduling to be
+        # disabled, i.e. it will be scheduled immediately (with jitter.
+        # Otherwise, the scheduling interval will be used such that one client
+        # reconnect for this server will be handled every reconnectIntervalMs ms using
+        # a FIFO queue.
+        # Default: 5000 (5 seconds)
+        reconnectIntervalMs: 5000
+        # The number of lines to allow being sent by the IRC client that has received
+        # a large block of text to send from matrix. If the number of lines that would
+        # be sent is > lineLimit, the text will instead be uploaded to matrix and the
+        # resulting URI is treated as a file. As such, a link will be sent to the IRC
+        # side instead of potentially spamming IRC and getting the IRC client kicked.
+        # Default: 3.
+        lineLimit: 3
+        # A list of user modes to set on every IRC client. For example, "RiG" would set
+        # +R, +i and +G on every IRC connection when they have successfully connected.
+        # User modes vary wildly depending on the IRC network you're connecting to,
+        # so check before setting this value. Some modes may not work as intended
+        # through the bridge e.g. caller ID as there is no way to /ACCEPT.
+        # Default: "" (no user modes)
+        # userModes: "R"
+  # Configuration for an ident server. If you are running a public bridge it is
+  # advised you setup an ident server so IRC mods can ban specific matrix users
+  # rather than the application service itself.
+  ident:
+    # True to listen for Ident requests and respond with the
+    # matrix user's user_id (converted to ASCII, respecting RFC 1413).
+    # Default: false.
+    enabled: false
+    # The port to listen on for incoming ident requests.
+    # Ports below 1024 require root to listen on, and you may not want this to
+    # run as root. Instead, you can get something like an Apache to yank up
+    # incoming requests to 113 to a high numbered port. Set the port to listen
+    # on instead of 113 here.
+    # Default: 113.
+    port: 1113
+  # Configuration for logging. Optional. Default: console debug level logging
+  # only.
+  logging:
+    # Level to log on console/logfile. One of error|warn|info|debug
+    level: "debug"
+    # The file location to log to. This is relative to the project directory.
+    logfile: "debug.log"
+    # The file location to log errors to. This is relative to the project
+    # directory.
+    errfile: "errors.log"
+    # Whether to log to the console or not.
+    toConsole: true
+    # The max size each file can get to in bytes before a new file is created.
+    maxFileSizeBytes: 134217728 # 128 MB
+    # The max number of files to keep. Files will be overwritten eventually due
+    # to rotations.
+    maxFiles: 5
+  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
+  #   $ npm install prom-client@6.3.0
+  # Metrics will then be available via GET /metrics on the bridge listening port (-p).
+  # metrics:
+  #   enabled: true
+  # The nedb database URI to connect to. This is the name of the directory to
+  # dump .db files to. This is relative to the project directory.
+  # Required.
+  databaseUri: "nedb://data"
+  # Configuration options for the debug HTTP API. To access this API, you must
+  # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests.
+  #
+  # The debug API exposes the following endpoints:
+  #
+  #   GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID.
+  #
+  #   POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection.
+  #                                      Format: new line delimited commands as per IRC protocol.
+  #
+  debugApi:
+    # True to enable the HTTP API endpoint. Default: false.
+    enabled: false
+    # The port to host the HTTP API.
+    port: 11100
+  # Configuration for the provisioning API.
+  #
+  # GET /_matrix/provision/link
+  # GET /_matrix/provision/unlink
+  # GET /_matrix/provision/listlinks
+  #
+  provisioning:
+    # True to enable the provisioning HTTP endpoint. Default: false.
+    enabled: false
+    # The number of seconds to wait before giving up on getting a response from
+    # an IRC channel operator. If the channel operator does not respond within the
+    # allotted time period, the provisioning request will fail.
+    # Default: 300 seconds (5 mins)
+    requestTimeoutSeconds: 300
+  # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
+  # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
+  # the database.
+  #
+  # To generate a .pem file:
+  # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
+  #
+  # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
+  # for storage in the database. Passwords are stored by using the admin room command
+  # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of
+  # the Matrix user, this password will be sent as the server password (PASS command).
+  passwordEncryptionKeyPath: "passkey.pem"
+</file>
 <file|/etc/systemd/system/matrix-irc-bridge.service>
@@ Zeile 1942: / Zeile 2476: @@
 </file>
+  * matrix-appservice-irc -r -f ircbridge_registration.yaml -u "http://erfurt.chat:9999" -c ircbridge_config.yaml -l ircbridge
   * systemctl enable matrix-irc-bridge.service
   * systemctl start matrix-irc-bridge.service
-=== Externe Synapse Dokumentation ===
+==== Upgrade zu Postgres ====
+  * wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
+  * echo deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main > /etc/apt/sources.list.d/pgdg.list
+  * apt update
+  * apt install postgresql-10 postgresql-client-10 libpq-dev
+  * sudo -u postgres createuser -e  synapse
+  * sudo -u postgres psql -c "CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse_user;"
+  * service synapse stop
+  * cp -a /home/synapse/.synapse/homeserver.db{,.snapshot}
+  * cp -a /home/synapse/.synapse/homeserver{,-postgres}.yaml
+<file|/home/synapse/.synapse/homeserver-postgres.yaml>
+[...]
+# Database configuration
+database:
+  # The database engine name
+  name: "psycopg2"
+  # Arguments to pass to the engine
+  args:
+    database: synapse
+    cp_min: 5
+    cp_max: 25
+[...]
+</file>
+  * service synapse start
+  * sudo -u synapse bash
+  * source ~/.synapse/bin/activate
+  * pip install psycopg2
+  * cd ~/.synapse
+  * synapse_port_db --sqlite-database homeserver.db.snapshot --postgres-config homeserver-postgres.yaml
+  * (as root) service synapse stop
+  * synapse_port_db --sqlite-database homeserver.db --postgres-config homeserver-postgres.yaml
+  * mv homeserver.yaml{,.old-sqlite}
+  * mv homeserver{-postgres,}.yaml
+  * mv homeserver.db{,.unused}
+  * exit
+  * service synapse start
+Es wurde https://github.com/matrix-org/synapse/pull/3099 mit eingspielt.
+==== Externe Synapse Dokumentation ====
   * https://github.com/matrix-org/synapse/blob/master/README.rst#synapse-installation
   * https://github.com/matrix-org/synapse/blob/master/README.rst#setting-up-federation
   * https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.rst
-==== users.bytespeicher.org ====
+===== users.bytespeicher.org =====
 <file|/etc/nginx/sites-available/users.bytespeicher.org>
@@ Zeile 1971: / Zeile 2551: @@
 </file>
-===== Datensicherung =====
+====== Datensicherung ======
 Die Datensicherung erfolgt verschlüsselt auf einen Server von [[user:mape2k]] und einen Server von [[user:mkzero]]:
@@ Zeile 2097: / Zeile 2677: @@
 2   * * *   root    HOME=/root && duply mkzero-backup backup
 </file>
+====== Postfächer und Forward-Konten ======
+Als Mailserver wird Postfix eingesetzt.
+Aliase für Forwarding-Postfächer werden in der Datei ''/etc/postfix/virtual gepeichert.'' Änderungen werden erst durch Ausführen von ''postmap /etc/postfix/virtual'' übernommen.
+[mehr Dokumentation nötig…]
+=====  Postfach anlegen ====
+mit ''doveadm pw -s ssha'' Passwort erzeugen.
+Passwort-Hash mit FQDN-Mail in /etc/dovecot/users eintragen
+in den mail-ordner /home/vmail/<Domain>/ wechseln und Postfach-Ordner anlegen, Besitzer sowie Rechte anpassen
+''chown vmail:vmail postfach''
+''chmod 700 postfach''
+''systemctl restart dovecot''