ThomasLeister

#
# Use case: Podman should run a build-container.
# The build should be run by a user "builder" with UID 1000 inside the container
# Build artifacts should be shared with the host via a -v Volume.
# To make things easier, artifacts created inside the container should have the user, who started the container, as owner.
# The Container should run in  "rootless" mode.
# Solution: Use --uidmap for user mapping. 
#

podman run \

ThomasLeister

# This script converts the DB layout of the old mailserver guide (Ubuntu 14.04) [1]
# to the new one, introduced with Ubuntu Xenial (16.04) [2].
# Please note that the DB schema / tables for the new schema already need to exist.
# This script is just transferring / converting table _contents_.
#
# No not forget to provide your own database name and credentials in the 
# MySQL "connect" commands at the beginning of the script!
#
# Prerequisites:
#  apt install python3-pip

ThomasLeister

##
## Create a "spammers.txt" file with all the JIDs (Jabber IDs) to delete. One in each line:
## [email protected]
## [email protected]
## [email protected]
## ...
## then run this command:

cat spammers.txt | xargs -L1 -i bash -c 'jid={}; name=${jid%@*}; domain=${jid##*@}; ejabberdctl unregister $name $domain; echo "deleted $jid"'

ThomasLeister

Put these lines into your server's .bashrc:
##
## TMUX auto attach
##
if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then      # if this is an SSH session
    if which tmux >/dev/null 2>&1; then                 # check if tmux is installed
            if [[ -z "$TMUX" ]] ;then                   # do not allow "tmux in tmux"
                    ID="$( tmux ls | grep -vm1 attached | cut -d: -f1 )"    # get the id of a deattached session
                    if [[ -z "$ID" ]] ;then                                 # if not available create a new one
                            tmux new-session

ThomasLeister

### Remove all snapshots crteated by the zfs-auto-snapshot tool 

zfs list -t snapshot -o name | grep zfs-auto-snap | tac | xargs -n 1 zfs destroy -r

ThomasLeister

This is how to automatically delete cached image previews from your Mastodon instance if they are older than 7 days.
Log in as your "mastodon" User or log in as root and then change to the "mastodon" user, who runs Mastodon:

  # su - mastodon

Open crontab:

  $ crontab -e
  
... and add these lines to your crontab:

ThomasLeister

(Assuming metalhead.club as instance domain - please adapt to your instance!)

add_header Content-Security-Policy "default-src 'none'; script-src https: 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:; media-src 'self' data:; frame-src 'self' https:; font-src 'self' data:; connect-src 'self' wss://metalhead.club";

Note: 
  style-src:  I chose 'unsafe-inline' because there are just too many inline styles in static source code or dynamically 
              generated code to cover all cases (Embed dialog, image lightbox, ...). Also styles seem to be dynamic, so 
              hashes cannot be generated to allow certain inline styles. :-(
              

ThomasLeister

Whitelist IP addresses based on pre-filter policy

/etc/rspamd/local.d/multimap.conf:

  IP_WHITELIST {
      type = "ip";
      prefilter = true;
      map = "/${LOCAL_CONFDIR}/local.d/ip_whitelist.map";
 action = "accept";

ThomasLeister

### If you set up your Mastodon instance before 9th of June 2018, you probably
### might not have jemalloc active on your Ruby setup. Jemalloc changes the way Ruby 
### allocates memory and saves up RAM. On my 140 users instance RAM usage dropped by 300 MB just by using jemalloc.
### This is how to set it up on Debian 9 Stretch:

### As root, install libjemalloc-dev:
  
  apt install libjemalloc-dev

### Change to mastodon user:

ThomasLeister

ACLs enabled for LXD / LXC containers on ZFS:
        apt install acl (on host and container)
        zfs set acltype=posixacl default/containers/kirby (on host)
        (restart container)
        => *profit*