====== Server Status ======
Updated on 2021/12/29 18:27

===== Host Services =====
  * [[servidor_freebsd#pdns|PDNS server]] -> (CAREFUL! It uses the database of the db jail)
  * [[servidor_freebsd#MailServer|Mail server]] -> exim and dovecot
  * [[servidor_freebsd#knockd|Knockd]]
  * SSL terminator (Pound?) -> PENDING
  * [[servidor_freebsd#openvpn|OpenVPN server]]

==== knockd ====
Started with:
<code>
knockd -d
</code>
PENDING: create an rc.d service so that it starts automatically.

Config in **/usr/local/etc/knockd.conf**:
<code>
[options]
  logfile = /var/log/knockd.log
  interface = em0

[enguita]
  sequence = 6968,4523,0967
  seq_timeout = 30
  #start_command =echo %IP% > /home/victor/dev/ip
  #cmd_timeout = 5
  start_command =/usr/local/bin/mysql --defaults-extra-file=/home/victor/dev/pdns.cnf -e "UPDATE records SET content=\"%IP%\" WHERE domain_id=15 and name =\"vpn.enguita.tech\"; COMMIT;"
  cmd_timeout =5
  tcpflags = syn
</code>
This configuration stopped working after the upgrade to FreeBSD 13; the following one could be tried instead:
<code>
[options]
  logfile = /var/log/knockd.log
  interface = em0

[enguita]
  sequence = 6666,4523,0967
  seq_timeout = 5
  command = bash /home/victor/dev/enguita.tech.sh %IP%
  tcpflags = syn
</code>
Log in **/var/log/knockd.log**

==== pdns ====
To bear in mind: https://github.com/PowerDNS/pdns/issues/3780

  * pdns.conf configuration
<code>
/usr/local/etc/pdnsd.conf
/usr/local/etc/pdns/pdns.conf
</code>
<code>
allow-recursion=127.0.0.1
config-dir=/usr/local/etc/pdns/
daemon=yes
local-address=0.0.0.0
local-ipv6=2001:41d0:a:3c84::1
module-dir=/usr/local/lib/pdns
launch=gmysql
gmysql-host=192.168.50.2
gmysql-user=pdns
gmysql-dbname=pdns
gmysql-password=pdnspass
</code>

  * poweradmin
    * http://37.187.108.132:8080/poweradmin-2.1.7
    * https://poweradmin.brutalix.org
    * admin/ (root-db)

Adding an MX record:
<code>
root@localhost [pdns]> select * from records where type='MX' ;
+----+-----------+--------------+------+----------------+-------+------+-------------+----------+-----------+------+
| id | domain_id | name         | type | content        | ttl   | prio | change_date | disabled | ordername | auth |
+----+-----------+--------------+------+----------------+-------+------+-------------+----------+-----------+------+
| 41 |         8 | ionma.org    | MX   | mail.ionma.org | 86400 |   10 |  1524689940 |        0 | NULL      |    1 |
| 58 |         7 | brutalix.org | MX   | brutalix.org   | 86400 |   10 |  1543683280 |        0 | NULL      |    1 |
| 87 |        15 | enguita.tech | MX   | enguita.tech   | 86400 |    0 |        NULL |        0 | NULL      |    1 |
+----+-----------+--------------+------+----------------+-------+------+-------------+----------+-----------+------+
3 rows in set (0.023 sec)

root@localhost [(none)]> insert into records (id,domain_id,name,type,content,ttl,prio,auth) values (100,9,'fiat.website','MX','brutalix.org',86400,0,1 );
</code>

==== MailServer ====

=== exim ===
<code>
/usr/local/etc/exim
|-- cert
|   |-- mail.pem
|   `-- mailkey.pem
|-- configure
`-- configure.sample
</code>
**/usr/local/etc/exim/cert/** -> the SSL certificates.

**/usr/local/etc/exim/configure** -> configuration file.

=== dovecot ===
**/usr/local/etc/dovecot/dovecot.conf** -> general configuration.

**/usr/local/etc/dovecot/conf.d/10-auth.conf** -> authentication configuration.

**/usr/local/etc/dovecot/conf.d/auth-system.conf.ext** -> configuration where the list of users is defined.
<code>
passdb {
  driver = passwd-file
  args = scheme=plain-md5 username_format=%n /usr/local/etc/dovecot/users.list
}

userdb {
  driver = passwd-file
  args = username_format=%n /usr/local/etc/dovecot/users.list
  default_fields = home=/usr/home/%u
  # default_fields = uid=vmail gid=vmail home=/home/%u
}
</code>

===== Jails =====
**/etc/jail.conf** -> configuration file.
**/usr/local/jails/jail.fstab.d/** -> directory holding the jails' fstab files
<code>
/usr/local/jails/jail.fstab.d/
├── db.fstab
├── etfiat.fstab
├── mail.fstab
├── nginx.fstab
├── services.fstab
├── test.fstab
├── web.fsta
└── web.fstab
</code>

==== Running jails ====
<code>
[root@brutalix ~/bin]# jls
   JID  IP Address      Hostname                      Path
     2  192.168.50.2    db                            /usr/local/jails/db
     5  192.168.50.5    nginx                         /usr/local/jails/nginx
     6  192.168.50.6    services                      /usr/local/jails/services
</code>

=== db ===
MariaDB server 666.D3m1L4bS

== Optimizing ==
We ran mysqltuner. Relevant data:
<code>
[--] Physical Memory     : 3.9G
[--] Max MySQL memory    : 1.5G
# Still a lot of memory
[OK] Maximum reached memory usage: 618.8M (15.32% of installed RAM)
[OK] Maximum possible memory usage: 1.5G (38.29% of installed RAM)
# We can lower the maximum number of connections
[OK] Highest usage of available connections: 5% (9/151)
# This needs investigating:
[!!] Aborted connections: 67.18% (1754/2611)
[!!] name resolution is active : a reverse name resolution is made for each new connection and can reduce performance
[!!] Query cache may be disabled by default due to mutex contention.
# We can reduce the query cache
[OK] Query cache efficiency: 48.5% (88K cached / 181K selects)
[OK] Query cache prunes per day: 0
# The MyISAM cache is too large
-------- MyISAM Metrics ----------------------------------------------------------------------------
[!!] Key buffer used: 18.3% (49M used / 268M cache)
[OK] Key buffer size / total MyISAM indexes: 256.0M/1.2M
[OK] Read Key buffer hit rate: 98.1% (51K cached / 996 reads)
[!!] Write Key buffer hit rate: 41.2% (2K cached / 1K writes)
</code>

=== nginx ===
Operational. Nginx for web services and as a web proxy.
<code>
nginx-1.20.1,2                 Robust and small WWW server
py38-certbot-1.16.0,1          Let's Encrypt client
</code>

=== services ===
Operational. For miscellaneous services.
<code>
murmur-1.3.3_1                 Server component of Mumble
</code>

=== openvpn ===
There is an OpenVPN server installed on the host.
Some scripts have been created to make its installation and the generation of client certificates easier. The scripts are in [[https://git.brutalix.org/brutalix/openvpn-server]] (a user account is needed to view it).
<code>
[root@brutalix ~/git/openvpn-server/scripts]# ls -lah
total 27
drwxr-xr-x  2 root  wheel     5B Sep  5 16:49 .
drwxr-xr-x  4 root  wheel     6B Sep  5 16:44 ..
-rwxr-xr-x  1 root  wheel    86B Sep  5 16:44 openvpn-up.sh
-rwxr-xr-x  1 root  wheel   3.7K Sep  5 16:44 ovpn_initialize_server.sh
-rwxr-xr-x  1 root  wheel   2.9K Sep  5 16:45 ovpn_manage.sh
[root@brutalix ~/git/openvpn-server/scripts]# ./ovpn_manage.sh
Uso: ./ovpn_manage.sh [create|show|list|delete] [nombre]
</code>
When a new client is generated with ''create'', its configuration file and certificates are left in **/usr/local/etc/openvpn/clients/nombreCliente/**
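The knockd section above lets a correct knock rewrite the ''vpn.enguita.tech'' record by splicing %IP% straight into a ''mysql -e'' string. As an added example (not a script from this wiki, from knockd or from PowerDNS), the following Python handler validates the %IP% argument as an IPv4 literal and binds it as a query parameter before touching the ''records'' table; the in-memory SQLite table and its rows are constructed for the example, and on the host the same UPDATE would go to the MariaDB db jail through a DB-API connector (assumed, not described on this page).

```python
"""knockd handler for the pdns 'records' table (added example, not the wiki's script).

knockd substitutes the knocking host's address for %IP% and runs the command in a
shell; here that value is validated as an IPv4 literal and bound as a query
parameter instead of spliced into SQL.  The SQLite table is a constructed stand-in
for the records table in the db jail (MariaDB on the real host)."""
import ipaddress
import sqlite3
import sys
import time

DOMAIN_ID = 15                   # enguita.tech, as in knockd.conf
RECORD_NAME = "vpn.enguita.tech"

SCHEMA = """CREATE TABLE records (
    id INTEGER PRIMARY KEY, domain_id INTEGER, name TEXT, type TEXT,
    content TEXT, ttl INTEGER, prio INTEGER, change_date INTEGER,
    disabled INTEGER DEFAULT 0, ordername TEXT, auth INTEGER DEFAULT 1)"""

# Constructed rows: the VPN A record plus an unrelated one that must not change.
SAMPLE_ROWS = [
    (90, 15, "vpn.enguita.tech", "A", "192.0.2.1", 300, None, None),
    (91, 8, "vpn.ionma.org", "A", "192.0.2.2", 300, None, None),
]

def sample_db():
    """Return an in-memory copy of the constructed records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO records (id,domain_id,name,type,content,ttl,"
                     "prio,change_date) VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def update_vpn_record(conn, raw_ip, now=None):
    """Validate raw_ip, rewrite the A record and return the rows changed.

    Anything that is not an IPv4 literal raises ValueError before any SQL runs.
    """
    ip = ipaddress.ip_address(raw_ip.strip())
    if ip.version != 4:
        raise ValueError(f"A record needs an IPv4 address, got {raw_ip!r}")
    cur = conn.execute(
        "UPDATE records SET content=?, change_date=? "
        "WHERE domain_id=? AND name=? AND type='A'",
        (str(ip), int(now or time.time()), DOMAIN_ID, RECORD_NAME))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    # knockd.conf would invoke it as:  command = python3 knock_update.py %IP%
    print(update_vpn_record(sample_db(), sys.argv[1]))
```

Because the UPDATE is scoped to ''domain_id'', ''name'' and ''type'', a valid knock can only ever change the one A record, and the knockd log keeps the source address that triggered it.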