comodin

Apple Kurzbefehl für Erfassung der Projektzeit

Tue, 10 Feb 2026 17:19:49 +0100

Für den Kurzbefehl wird die App Data Jar benötigt, Link zum App Store: https://apps.apple.com/de/app/data-jar/id1453273600

Diese App lässt sich auf allen Geräten (iPhone, iPad, Mac) benutzen und sollte auch überall installiert werden.

In Data Jar werden die folgenden Variablen benötigt, siehe Bild.

Es wird eine Numbers-Tabelle mit dem Namen "Projektzeit.numbers" im iCloud Ordner "Shortcuts" erwartet, die wie folgt aussieht. Projektzeit.numbers.zip

Im Shortcut müssen die Blattnamen der Numberstabelle eingegeben werden. Ziemlich am Anfang im Klappmenu und direkt dadrunter noch mal in der Text-Auswahl.

Hier der Link zum Schortcut: Projektzeit.shortcut.zip

Dann kann der Shortcut über einen Focus gesteuert werden. Es wird danach das Menu angezeigt und man wählt sein Projekt aus.

Umsetzung Webdesign Betonschnitt (Liquidatoren-Relaunch)

Tue, 08 Jul 2025 23:09:38 +0200

Willkommen in 1984

Sat, 26 Apr 2025 01:50:59 +0200

Im Jahr 1984 bekam ich von der Jungen Gemeinde der Evangelischen Auferstehungskirche in Berlin Friedrichshain das Buch “1984” zum Lesen. In der DDR war das Buch verboten. Es hat mich in meiner pubertären Phase stark geprägt. Drei Jahre später saß ich im Stasi-Gefängnis Hohenschönhausen und wartete auf die Ausreise nach Berlin-West.

Dieses “Heute” erinnert mich sehr stark an die Zustände der damaligen DDR. Wenn jemand, der für Frieden auf die Straße geht, heute “rechtsradikal” ist, dann haben wir wieder orwellsche Verhältnisse erreicht.

Ich kann nicht mehr schweigen.

Ich bin gegen Krieg! Ich möchte Frieden! Deutschland soll keine Waffen in Kriegsgebiete liefern!

"Solche Inhalte" - sind ein Gedankenverbrechen?

Wenn ich den Text oben mit Apple Intelligence Korrekturlesen möchte, erhalte ich diese Meldung.

Bitcoin Full Node mit FreeBSD 14.2 auf einem Mac mini i7 Server (Late 2012 Macmini6,2)

Thu, 27 Feb 2025 11:30:00 +0100

Ich habe eine Full Node mit einem Raspberry Pi und Umbrel laufen. Im lokalen Netz funktioniert das ganz gut, aber: Der Umbrel-Server kann keine SSL- , sondern nur unverschlüsselte (TOR)Verbindungen zu Wallets aufbauen. Das wollte ich anders. Ich baue eine Bitcoin Full Node, die hinter einer Fritz!Box über eine Domain via SSL erreichbar ist.

Beim Stöbern im Dachboden fand ich einen alten Mac mini i7 Server (Late 2012 Macmini6,2 2.6 GHz), der von Apple keine Updates mehr bekommt und zwei SATA SSDs mit jeweils 1TB Speicher. Die beiden HDDs des Mac mini habe ich ausgebaut und durch die zwei SSDs ersetzt.

FreeBSD 14.2 installieren

Quelle: https://download.freebsd.org/releases/ISO-IMAGES/14.2/

Mit Belana Edger das Image FreeBSD-14.2-RELEASE-amd64-memstick.img auf einen USB-Stick kopieren, den Stick in den Mac mini stecken und mit gedrückter option Taste starten. Den Installationsprozess von FreeBSD durchlaufen, USB-Stick abziehen und neu starten. Wenn bei der Installation das Zusammenlegen der zwei SSDs (wie von mir :) übersehen wurde, kann dies jetzt nachträglich geschehen.

Die zwei SSDs im zpool zusammenlegen

Die Laufwerke anzeigen.

❯ camcontrol devlist
<Samsung SSD 840 EVO 1TB EXT0CB6Q>  at scbus0 target 0 lun 0 (pass0,ada0)
<Samsung SSD 840 EVO 1TB EXT0CB6Q>  at scbus1 target 0 lun 0 (pass1,ada1)
<AHCI SGPIO Enclosure 2.00 0001>   at scbus2 target 0 lun 0 (ses0,pass2)

Die Partitiionen anzeigen, FreeBSD wurde auf ada1 installiert. Auf ada0 befinden sich noch alte Daten.

❯ gpart show
=>        40  1953525088  ada1  GPT  (932G)
          40      532480     1  efi  (260M)
      532520        1024     2  freebsd-boot  (512K)
      533544         984        - free -  (492K)
      534528     4194304     3  freebsd-swap  (2.0G)
     4728832  1948794880     4  freebsd-zfs  (929G)
  1953523712        1416        - free -  (708K)

=>        34  1953525101  ada0  GPT  (932G)
          34        2014        - free -  (1.0M)
        2048       65536     1  efi  (32M)
       67584       49152     2  linux-data  (24M)
      116736      524288     3  linux-data  (256M)
      641024       49152     4  linux-data  (24M)
      690176      524288     5  linux-data  (256M)
     1214464       16384     6  linux-data  (8.0M)
     1230848      196608     7  linux-data  (96M)
     1427456  1952097679     8  linux-data  (931G)

Die Partitiion von ada0 löschen.

❯ gpart destroy -F ada0
ada0 destroyed

❯ gpart show
=>        40  1953525088  ada1  GPT  (932G)
          40      532480     1  efi  (260M)
      532520        1024     2  freebsd-boot  (512K)
      533544         984        - free -  (492K)
      534528     4194304     3  freebsd-swap  (2.0G)
     4728832  1948794880     4  freebsd-zfs  (929G)
  1953523712        1416        - free -  (708K)

Neue Partition anlegen.

❯ gpart create -s GPT /dev/ada0
ada0 created

❯ gpart show
=>        40  1953525088  ada1  GPT  (932G)
          40      532480     1  efi  (260M)
      532520        1024     2  freebsd-boot  (512K)
      533544         984        - free -  (492K)
      534528     4194304     3  freebsd-swap  (2.0G)
     4728832  1948794880     4  freebsd-zfs  (929G)
  1953523712        1416        - free -  (708K)

=>        40  1953525088  ada0  GPT  (932G)
          40  1953525088        - free -  (932G)

❯ zpool status
  pool: zroot
 state: ONLINE
status: Some supported and requested features are not enabled on the pool.
        The pool can still be used, but some features are unavailable.
action: Enable all features using 'zpool upgrade'. Once this is done,
        the pool may no longer be accessible by software that does not support
        the features. See zpool-features(7) for details.
config:

        NAME        STATE     READ WRITE CKSUM
        zroot       ONLINE       0     0     0
          ada1p4    ONLINE       0     0     0

errors: No known data errors

❯ zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot   928G  94.2G   834G        -         -     2%    10%  1.00x    ONLINE  -

Laufwerk zum Pool hinzufügen.

❯ zpool add zroot /dev/ada0

❯ zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
zroot  1.81T  94.2G  1.72T        -         -     1%     5%  1.00x    ONLINE  -

❯ df -h
Filesystem            Size    Used   Avail Capacity  Mounted on
zroot/ROOT/default    1.7T    4.1G    1.7T     0%    /
devfs                 1.0K      0B    1.0K     0%    /dev
/dev/gpt/efiboot0     260M    1.8M    258M     1%    /boot/efi
zroot/var/mail        1.7T    152K    1.7T     0%    /var/mail
zroot                 1.7T     96K    1.7T     0%    /zroot
zroot/tmp             1.7T    244K    1.7T     0%    /tmp
zroot/backup          1.7T     66G    1.7T     4%    /backup
zroot/home            1.7T     96K    1.7T     0%    /home
zroot/var/audit       1.7T     96K    1.7T     0%    /var/audit
zroot/var/log         1.7T    1.7M    1.7T     0%    /var/log
zroot/var/tmp         1.7T    144K    1.7T     0%    /var/tmp
zroot/var/crash       1.7T     96K    1.7T     0%    /var/crash
zroot/usr/src         1.7T    861M    1.7T     0%    /usr/src
zroot/usr/ports       1.7T    2.4G    1.7T     0%    /usr/ports
zroot/home/gent       1.7T     26M    1.7T     0%    /home/gent

bitcoind installieren

portmaster net-p2p/bitcoin-daemon
...
===>>> net-p2p/bitcoin-daemon >> (12)

===>>> The following actions will be taken if you choose to proceed:
        Install net-p2p/bitcoin-daemon
        Install databases/db5
        Install databases/sqlite3
        Install lang/tcl86
        Install devel/boost-libs
        Install devel/boost-jam
        Install devel/icu
        Install devel/libevent
        Install net/libzmq4
        Install net/norm
        Install net/openpgm
        Install security/libsodium
        Install net/miniupnpc

===>>> Proceed? y/n [y]
...
===> Creating groups
Creating group 'bitcoin' with gid '779'
===> Creating users
Creating user 'bitcoin' with uid '779'

config

/etc/rc.conf

bitcoind_enable="YES"
bitcoind_user="bitcoin"
bitcoind_group="bitcoin"
bitcoind_conf="/usr/local/etc/bitcoin.conf"
bitcoind_data_dir="/var/db/bitcoin"

/usr/local/etc/bitcoin.conf

server=1
rest=1
listen=1
daemon=1

Nach dem Start von bitcoind fängt dieser an, die Blockchain zu laden. Das Laden hat bei meiner 500 Mbit Glasfaser ca. 1 Tag gedauert.

bitcoin-utils installieren

portmaster net-p2p/bitcoin-utils

config

# ~/.bitcoin/bitcoin.conf

datadir=/var/db/bitcoin
rpccookiefile=/var/db/bitcoin/.cookie

prüfen der Blockhöhe, wie weit bitcoind mit dem Sync ist

❯ bitcoin-cli getblockcount
884297

electrs installieren

Die Installation dauerte mehrere Stunden!

portmaster finance/electrs

config

cd /usr/local/etc
mkdir electrs
cd electrs

/usr/local/etc/electrs/config.toml

# DO NOT EDIT THIS FILE DIRECTLY - COPY IT FIRST!
# If you edit this, you will cry a lot during update and will not want to live anymore!

# This is an EXAMPLE of how configuration file should look like.
# Do NOT blindly copy this and expect it to work for you!
# If you don't know what you're doing consider using automated setup or ask an experienced friend.

# This example contains only the most important settings.
# See docs or electrs man page for advanced settings.

# File where bitcoind stores the cookie, usually file .cookie in its datadir
cookie_file = "/var/db/bitcoin/.cookie"

# The listening RPC address of bitcoind, port is usually 8332
daemon_rpc_addr = "127.0.0.1:8332"

# The listening P2P address of bitcoind, port is usually 8333
daemon_p2p_addr = "127.0.0.1:8333"

# Directory where the index should be stored. It should have at least 70GB of free space.
db_dir = "/var/db/electrs"

# bitcoin means mainnet. Don't set to anything else unless you're a developer.
network = "bitcoin"

# The address on which electrs should listen. Warning: 0.0.0.0 is probably a bad idea!
# Tunneling is the recommended way to access electrs remotely.
#electrum_rpc_addr = "127.0.0.1:50001"
electrum_rpc_addr = "10.0.0.31:50001"

# How much information about internal workings should electrs print. Increase before reporting a bug.
log_filters = "INFO"

cd /var/db
mkdir electrs
chown -R bitcoin:bitcoin electrs

echo 'electrs_enable="YES"' >> /etc/rc.conf

erster Start

sudo -u bitcoin electrs --conf-dir=/usr/local/etc/electrs

[2025-02-16T19:48:56.491Z INFO  electrs::index] indexing 2000 blocks: [170001..172000]
[2025-02-16T19:48:57.777Z INFO  electrs::chain] chain updated: tip=0000000000000837e82c3a4ebe35a1d1d943e056234dba7c629922c6d4052d4c, height=172000
...
...

Das Indexing der Blockchain wird gestartet, das kann einige STUNDEN dauern. Ich breche den Vorgang im Terminal wieder ab mit control + c und schreibe mir ein Script für den Daemon, der im Hintergrund laufen wird.

electrs nach dem booten als daemon laufen lassen

Der Port finance/electrs hat bei mir (Stand Feb. 2025) kein Script in rc.d installiert. Deshalb habe ich mir das Script von bitcoind kopiert und für electrs umgeschrieben.

/usr/local/etc/rc.d/electrs

#! /bin/sh

# PROVIDE: electrs
# REQUIRE: DAEMON
# KEYWORD: shutdown

#
# Add the following lines to /etc/rc.conf to enable electrs_daemon:
#
#electrs_enable="YES"

. /etc/rc.subr

name="electrs"
rcvar="electrs_enable"

start_precmd="electrs_precmd"
start_cmd="electrs_start"
restart_precmd="electrs_checkconfig"
reload_precmd="electrs_checkconfig"
configtest_cmd="electrs_checkconfig"
status_cmd="electrs_status"
stop_cmd="electrs_stop"
stop_postcmd="electrs_wait"
command="/usr/local/bin/electrs"
daemon_command="/usr/sbin/daemon"
pidfile="/var/run/${name}.pid"
extra_commands="configtest"

: ${electrs_enable:=NO}
: ${electrslimits_enable:="NO"}

load_rc_config $name

: ${electrs_user:=bitcoin}
: ${electrs_group:=bitcoin}
: ${electrs_data_dir:="/var/db/electrs"}
: ${electrs_config_file:="/usr/local/etc/electrs/config.toml"}
#: ${bitcoindlimits_args:="-e -U ${bitcoind_user}"}
: ${bitcoindlimits_args:=""}

# set up dependant variables
procname="${command}"
required_files="${electrs_config_file}"

electrs_checkconfig()
{
  echo "Performing sanity check on electrs configuration:"
  if [ ! -d "${electrs_data_dir}" ]
  then
    echo "Missing data directory: ${electrs_data_dir}"
    exit 1
  fi
  chown -R "${electrs_user}:${electrs_group}" "${electrs_data_dir}"

  if [ ! -f "${electrs_config_file}" ]
  then
    echo "Missing configuration file: ${electrs_config_file}"
    exit 1
  fi
  if [ ! -x "${command}" ]
  then
    echo "Missing executable: ${command}"
    exit 1
  fi
  return 0
}

electrs_cleanup()
{
  rm -f "${pidfile}"
}

electrs_precmd()
{
  electrs_checkconfig

  pid=$(check_pidfile "${pidfile}" "${procname}")
  if [ -z "${pid}" ]
  then
    echo "electrs is not running"
    rm -f "${pidfile}"
  fi

  if checkyesno electrslimits_enable
  then
    eval $(/usr/bin/limits ${electrslimits_args}) 2>/dev/null
  else
    return 0
  fi
}

electrs_status()
{
  local pid
  pid=$(check_pidfile "${pidfile}" "${procname}")
  if [ -z "${pid}" ]
  then
    echo "electrs is not running"
    return 1
  else
    echo "electrs running, pid: ${pid}"
  fi
}

electrs_start()
{
  echo "sleeping for 60 sec.."
  sleep 60
  echo "Starting electrs:"
  cd "${electrs_data_dir}" || return 1
  ${daemon_command} -u "${electrs_user}" -p "${pidfile}" -f \
    ${command} \
    --conf="${electrs_config_file}"
}

electrs_stop()
{
  echo "Stopping electrs:"
  pid=$(check_pidfile "${pidfile}" "${procname}")
  if [ -z "${pid}" ]
  then
    echo "electrs is not running"
    return 1
  else
    kill ${pid}
  fi
}

electrs_wait()
{
  local n=60
  echo "Waiting for electrs shutdown:"
  while :
  do
    printf '.'
    pid=$(check_pidfile "${pidfile}" "${procname}")
    if [ -z "${pid}" ]
    then
      printf '\n'
      break
    fi
    sleep 1
    n=$((${n} - 1))
    if [ ${n} -eq 0 -a -f "${pidfile}" ]
    then
      printf "\nForce shutdown"
      kill -9 $(cat "${pidfile}")
      for n in 1 2 3
      do
        printf '.'
        sleep 1
      done
      printf '\n'
      break
    fi
  done
  rm -f "${pidfile}"
  echo "Shutdown complete"
}

run_rc_command "$1"

chmod 755 /usr/local/etc/rc.d/electrs

service electrs start

Letsencrypt Zertifikat mit lego holen

Lego hat den Vorteil gg. certbot: es benötigt keinen offenen Port 80. Ich habe meine Domain bei Hetzner liegen, Hetzner bietet für den DNS auch eine API an. Außer Hetzner werden auch andere Provider von lego unterstützt, Informationen findet man in der Doku zu Lego:

Quellen: https://go-acme.github.io/lego/

lego installieren

portmaster security/lego

config

echo 'YOUR-API-KEY' >> /usr/local/etc/lego/hetzner_api_key.txt
echo 'node.comodin.com' >> /usr/local/etc/lego/domains.txt

cd /usr/local/etc/lego/
chown _lego *.txt
chmod 600 *.txt

ls -la
total 36
drwx------   2 _lego _lego    8B Feb  8 11:30 .
drwxr-xr-x  13 root  wheel   31B Feb  8 10:25 ..
-r-xr-xr-x   1 root  wheel  667B Jan 30 11:05 deploy.sh
-r-xr-xr-x   1 root  wheel  667B Jan 30 11:05 deploy.sh.sample
-rw-------   1 _lego _lego   14B Feb  8 11:25 domains.txt
-rw-------   1 _lego _lego   33B Feb  8 11:30 hetzner_api_key.txt
-rwx------   1 _lego _lego  857B Feb  8 11:25 lego.sh
-rwx------   1 _lego _lego  838B Jan 30 11:05 lego.sh.sample

Zertifikat holen


sudo -u _lego HETZNER_API_KEY_FILE=/usr/local/etc/lego/hetzner_api_key.txt /usr/local/bin/lego --email mail@comodin.com --path /usr/local/etc/lego --dns hetzner -d 'node.comodin.com' run

2025/02/16 12:48:18 [DEBUG] GET https://acme-v02.api.letsencrypt.org/directory
2025/02/16 12:48:19 [INFO] [node.comodin.com] acme: Obtaining bundled SAN certificate
2025/02/16 12:48:19 [DEBUG] HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce
2025/02/16 12:48:19 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/new-order
2025/02/16 12:48:19 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/2232015615/476825680515
2025/02/16 12:48:20 [INFO] [node.comodin.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/2232015615/476825680515
2025/02/16 12:48:20 [INFO] [node.comodin.com] acme: Could not find solver for: tls-alpn-01
2025/02/16 12:48:20 [INFO] [node.comodin.com] acme: Could not find solver for: http-01
2025/02/16 12:48:20 [INFO] [node.comodin.com] acme: use dns-01 solver
2025/02/16 12:48:20 [INFO] [node.comodin.com] acme: Preparing to solve DNS-01
2025/02/16 12:48:20 [INFO] [node.comodin.com] acme: Trying to solve DNS-01
2025/02/16 12:48:20 [INFO] [node.comodin.com] acme: Checking DNS record propagation. [nameservers=127.0.0.1:53]
2025/02/16 12:48:22 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2025/02/16 12:48:22 [INFO] [node.comodin.com] acme: Waiting for DNS record propagation.
2025/02/16 12:48:24 [INFO] [node.comodin.com] acme: Waiting for DNS record propagation.
2025/02/16 12:48:26 [INFO] [node.comodin.com] acme: Waiting for DNS record propagation.
2025/02/16 12:48:28 [INFO] [node.comodin.com] acme: Waiting for DNS record propagation.
2025/02/16 12:48:31 [INFO] [node.comodin.com] acme: Waiting for DNS record propagation.
2025/02/16 12:48:33 [INFO] [node.comodin.com] acme: Waiting for DNS record propagation.
2025/02/16 12:48:35 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/chall/2232015615/476825680515/uHmEtw
2025/02/16 12:48:35 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/2232015615/476825680515
2025/02/16 12:48:39 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/2232015615/476825680515
2025/02/16 12:48:39 [INFO] [node.comodin.com] The server validated our request
2025/02/16 12:48:39 [INFO] [node.comodin.com] acme: Cleaning DNS-01 challenge
2025/02/16 12:48:40 [INFO] [node.comodin.com] acme: Validations succeeded; requesting certificates
2025/02/16 12:48:40 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/finalize/2232015615/354971124435
2025/02/16 12:48:41 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/cert/04076f25b51637c11673673728aa3373248c
2025/02/16 12:48:41 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/cert/04076f25b51637c11673673728aa3373248c/1
2025/02/16 12:48:41 [INFO] [node.comodin.com] Server responded with a certificate.

Die Zertifikate liegen hier: /usr/local/etc/lego/certificates/

nginx installieren

Eingehende SSL-Verbindungen über Port 50002 werden von nginx an den electrs-Port 50001 gestreamt.

portmaster www/nginx

sudo sysrc nginx_enable=yes

sudo service nginx start

config

/usr/local/etc/nginx/nginx.conf

load_module /usr/local/libexec/nginx/ngx_stream_module.so;

stream {
        upstream electrs {
                server 10.0.0.31:50001;
        }

        server {
                listen 50002 ssl;
                server_name node.comodin.com;
                proxy_pass electrs;

                ssl_certificate /usr/local/etc/lego/certificates/node.comodin.com.crt;
                ssl_certificate_key /usr/local/etc/lego/certificates/node.comodin.com.key;
                ssl_session_cache shared:SSL:1m;
                ssl_session_timeout 4h;
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
                ssl_prefer_server_ciphers on;
        }
}

sudo service nginx restart

Fritz!Box Port Freigabe

Im DNS legt man (sofern keine feste IP vorhanden ist) einen CNAME auf die Ihre MyFRITZ!-Adresse an. Die Ihre MyFRITZ!-Adresse finden man in der Fritz!Box im Menü Internet -> MyFRITZ!-Konto. Der Hostname des Mac mini sollte die komplette Domain lauten.

❯ hostname
node.comodin.com

Dann kann in der Fritz!Box die Freigabe eingerichtet werden. Zum einfachen Testen, habe ich auch https Port 443 geöffnet und mit dem Webbrowser getestet ob die Webseite vom nginx abgerufen werden kann.

BitBox auf eigene Bitcoin Full Node einstellen

Jetzt richten wir in der BitBox den Zugang zur eigenen Bitcoin Full Node ein.

Filemaker Server 2024, Letsencrypt, lego, Hetzner Api

Sun, 09 Feb 2025 17:06:27 +0100

Mac mini M1, macOS Sequoia 15.3, Filemaker Server 2024.

Ich möchte über die Hetzner-Api mittels lego ein Zertifikat von Letsencrypt holen ohne dafür am Filemaker Server den Port 80 zu öffnen. Das funktioniert auch mit vielen anderen DNS-Providern, eine Liste gibt es auf der lego Webseite.

Quellen

Lego: https://go-acme.github.io/lego/dns/hetzner/index.html

Hetzner-Api: https://dns.hetzner.com/api-docs

Claris: https://help.claris.com/en/server-installation-configuration-guide/content/using-certificate-command.html

lego installieren

brew update
==> Updating Homebrew...
Already up-to-date.

brew upgrade

brew install lego

Zertifikat holen

Ich habe mir für meine Domain ein Shell-Script geschrieben. Den Api-Key muss man sich bei Hetzner in seinem Account anlegen.

nano ~/lego-run.sh

#!/bin/sh

PATH="/Users/ICH"
DOMAIN="FilemakerServer.domain.com"
EMAIL="email@domain.com"
# mein Hetzner Api-Key
KEY="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

cd ${PATH}
HETZNER_API_KEY=${KEY} /opt/homebrew/bin/lego --email ${EMAIL} --dns hetzner -d ${DOMAIN} run

chmod 750 ~/lego-run.sh

Und dann ausgeführt.

./lego-run.sh

2025/02/08 17:08:59 No key found for account email@domain.com. Generating a P256 key.
2025/02/08 17:08:59 Saved key to /Users/ICH/.lego/accounts/acme-v02.api.letsencrypt.org/email@domain.com/keys/email@domain.com.key
2025/02/08 17:08:59 [DEBUG] GET https://acme-v02.api.letsencrypt.org/directory
2025/02/08 17:09:00 Please review the TOS at https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf
Do you accept the TOS? Y/n
Y
2025/02/08 17:09:03 [INFO] acme: Registering account for email@domain.com
2025/02/08 17:09:03 [DEBUG] HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce
2025/02/08 17:09:04 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/new-acct
!!!! HEADS UP !!!!

Your account credentials have been saved in your Let's Encrypt
configuration directory at "/Users/ICH/.lego/accounts".

You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from Let's Encrypt so making regular
backups of this folder is ideal.
2025/02/08 17:09:04 [INFO] [FilemakerServer.domain.com] acme: Obtaining bundled SAN certificate
2025/02/08 17:09:04 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/new-order
2025/02/08 17:09:04 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/22165/472925
2025/02/08 17:09:04 [INFO] [FilemakerServer.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/225/4725
2025/02/08 17:09:04 [INFO] [FilemakerServer.domain.com] acme: Could not find solver for: tls-alpn-01
2025/02/08 17:09:04 [INFO] [FilemakerServer.domain.com] acme: Could not find solver for: http-01
2025/02/08 17:09:04 [INFO] [FilemakerServer.domain.com] acme: use dns-01 solver
2025/02/08 17:09:04 [INFO] [FilemakerServer.domain.com] acme: Preparing to solve DNS-01
2025/02/08 17:09:05 [INFO] [FilemakerServer.domain.com] acme: Trying to solve DNS-01
2025/02/08 17:09:05 [INFO] [FilemakerServer.domain.com] acme: Checking DNS record propagation. [nameservers=1.1.1.1:53,9.9.9.9:53]
2025/02/08 17:09:07 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2025/02/08 17:09:07 [INFO] [FilemakerServer.domain.com] acme: Waiting for DNS record propagation.
2025/02/08 17:09:10 [INFO] [FilemakerServer.domain.com] acme: Waiting for DNS record propagation.
2025/02/08 17:09:12 [INFO] [FilemakerServer.domain.com] acme: Waiting for DNS record propagation.
2025/02/08 17:09:14 [INFO] [FilemakerServer.domain.com] acme: Waiting for DNS record propagation.
2025/02/08 17:09:16 [INFO] [FilemakerServer.domain.com] acme: Waiting for DNS record propagation.
2025/02/08 17:09:18 [INFO] [FilemakerServer.domain.com] acme: Waiting for DNS record propagation.
2025/02/08 17:09:20 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/chall/2265/425/0EHnPw
2025/02/08 17:09:20 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/225/47725
2025/02/08 17:09:24 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/authz/2217165/47293725
2025/02/08 17:09:24 [INFO] [FilemakerServer.domain.com] The server validated our request
2025/02/08 17:09:24 [INFO] [FilemakerServer.domain.com] acme: Cleaning DNS-01 challenge
2025/02/08 17:09:25 [INFO] [FilemakerServer.domain.com] acme: Validations succeeded; requesting certificates
2025/02/08 17:09:25 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/finalize/225/3525
2025/02/08 17:09:27 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/cert/03c4c0
2025/02/08 17:09:27 [DEBUG] POST https://acme-v02.api.letsencrypt.org/acme/cert/03c4c0/1
2025/02/08 17:09:27 [INFO] [FilemakerServer.domain.com] Server responded with a certificate.

Das Zertifikat muss für den Import in den Ordner des Filemaker Servers kopiert werden und die Rechte müssen gesetzt werden, sonst klappt auch der Import von der Admin-Console nicht.

cp ~/.lego/certificates/*.crt /Library/FileMaker\ Server/CStore/
cp ~/.lego/certificates/*.key /Library/FileMaker\ Server/CStore/
chmod 640 /Library/FileMaker\ Server/CStore/*.crt
chmod 640 /Library/FileMaker\ Server/CStore/*.key
chown fmserver:fmsadmin /Library/FileMaker\ Server/CStore/*.crt
chown fmserver:fmsadmin /Library/FileMaker\ Server/CStore/*.key

Zertifikat automatisch erneuern

nano ~/lego-renew.sh

Dieses Script wird bei mir 1x / Woche ausgeführt. Es prüft, ob das Zertifikat erneuert werden muss. Wenn es erneuter wird, dann wird im Anschluss das Script lego-hook.sh ausgeführt.

#!/bin/sh

PATH="/Users/ICH"
DOMAIN="FilemakerServer.domain.com"
EMAIL="email@domain.com"
# mein Hetzner Api-Key
KEY="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
LOGFILE="/tmp/legorenew.log"

cd ${PATH}
HETZNER_API_KEY=${KEY} /opt/homebrew/bin/lego --email ${EMAIL} --dns hetzner -d ${DOMAIN} renew --renew-hook=${PATH}/lego-hook.sh

So sieht die Ausgabe aus, wenn das Zertifikat nicht erneuert werden muss.

./lego-renew.sh
2025/02/08 17:23:59 [DEBUG] GET https://acme-v02.api.letsencrypt.org/directory
2025/02/08 17:23:59 [DEBUG] GET https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/ky....._TA
2025/02/08 17:24:00 [INFO] [FilemakerServer.domain.com] acme: renewalInfo endpoint indicates that renewal is not needed
2025/02/08 17:24:00 [FilemakerServer.domain.com] The certificate expires in 89 days, the number of days defined to perform the renewal is 30: no renewal.

das Skript für den Hook

nano ~/lego-hook.sh

#!/bin/sh

# Dieses Skript wird nur ausgeführt, wenn das Skript
# lego-renew.sh die Zertifikate erneuert hat.

DOMAIN="FilemakerServer.domain.com"
SERVER_PATH="/Library/FileMaker Server/"
# Benutzername/Pass vom Filemaker-Admin
USER="ICH"
PASS="xxxxxx-xxxxx-xxxxxx"
LOGFILE="/tmp/legorenew.log"
# der Ort wo lego das Zertifikat abgelegt hat
certfile="/Users/ICH/.lego/certificates/${DOMAIN}.crt"
keyfile="/Users/ICH/.lego/certificates/${DOMAIN}.key"

# Das Zertifikat in den Order für Filemaker Server kopieren
cp "/Users/ICH/.lego/certificates/${DOMAIN}.crt" "${SERVER_PATH}CStore/${DOMAIN}.crt"
cp "/Users/ICH/.lego/certificates/${DOMAIN}.key" "${SERVER_PATH}CStore/${DOMAIN}.key"

# Die Rechte für den Filemaker Server setzen
chmod 640 "${SERVER_PATH}CStore/${DOMAIN}.crt"
chmod 640 "${SERVER_PATH}CStore/${DOMAIN}.key"
chown fmserver:fmsadmin "${SERVER_PATH}CStore/${DOMAIN}.crt"
chown fmserver:fmsadmin "${SERVER_PATH}CStore/${DOMAIN}.key"

# Das Zertifikat in den Filemaker Server importieren
fmsadmin certificate delete -y -u "${USER}" -p "${PASS}"
fmsadmin certificate import "${SERVER_PATH}CStore/${DOMAIN}.crt" --keyfile "${SERVER_PATH}CStore/${DOMAIN}.key" -y -u "${USER}" -p "${PASS}"  >> "${LOGFILE}"

# Den Filemaker Server neustarten
launchctl stop com.filemaker.fms
sleep 60
launchctl start com.filemaker.fms

Die Skripte bewegen und Rechte setzen

cd ~/
sudo mv lego-*.sh /usr/local/bin/
sudo chown root:wheel /usr/local/bin/lego-*.sh
sudo chmod 750 /usr/local/bin/lego-*.sh

ln -s /usr/local/bin/lego-hook.sh
ln -s /usr/local/bin/lego-renew.sh

LaunchDaemon

Jeden Samstag früh um 4:29 Uhr soll lego-renew.sh das Zertifikat prüfen, ggf. erneuern und mittels lego-hook.sh das Zertifikat in den Filemaker Server laden und diesen dann neu starten.

sudo nano /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin</string>
    </dict>
    <key>Label</key>
    <string>com.filemaker.fmcertrenew</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/usr/local/bin/lego-renew.sh</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>StartCalendarInterval</key>
    <array>
        <dict>
            <key>Hour</key>
            <integer>4</integer>
            <key>Minute</key>
            <integer>29</integer>
            <key>Weekday</key>
            <integer>6</integer>
        </dict>
    </array>
</dict>
</plist>

R.I.P. issy

Thu, 15 Aug 2024 12:00:00 +0200

Raspberrypi 5 und 4Tb nvme-SSD und Pineberry bottom HAT

Sun, 04 Feb 2024 23:55:16 +0100

sudo apt-get update

sudo apt-get upgrade

sudo apt install gparted gdisk dosfstools mtools iotop htop -y

( falls noch nicht ,.. install oh-my-zsh )

lsblk

NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 29.5G  0 disk
├─mmcblk0p1 179:1    0  512M  0 part /boot/firmware
└─mmcblk0p2 179:2    0   29G  0 part /
nvme0n1     259:0    0  3.6T  0 disk
├─nvme0n1p1 259:1    0  200M  0 part
└─nvme0n1p2 259:2    0  3.6T  0 part

Partitionieren

sudo cgdisk /dev/nvme0n1

Partition 1

First sector → Enter
Size in sectors or {KMGTP} → 512M
Hex code or GUID → 0700
Enter new partition name → bootfs
Jetzt mit dem Cursor unten auf free space navigieren!

Partition 2

First sector → Enter
Size in sectors or {KMGTP} → Enter
Hex code or GUID → Enter
Enter new partition name → rootfs

Part. #     Size        Partition Type            Partition Name
----------------------------------------------------------------
            1007.0 KiB  free space
   1        512.0 MiB   Microsoft basic data      bootfs
   2        3.6 TiB     Linux filesystem          rootfs
            839.5 KiB   free space

Prüfen

sudo sgdisk -p /dev/nvme0n1

Disk /dev/nvme0n1: 7814037168 sectors, 3.6 TiB
Model: Fanxiang S660 4TB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 7BC06852-CADB-4BE5-9EA2-662730922969
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 7814037134
Partitions will be aligned on 2048-sector boundaries
Total free space is 3693 sectors (1.8 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB   0700  bootfs
   2         1050624      7814035455   3.6 TiB     8300  rootfs

sudo reboot

lsblk

NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
mmcblk0     179:0    0 29.5G  0 disk
├─mmcblk0p1 179:1    0  512M  0 part /boot/firmware
└─mmcblk0p2 179:2    0   29G  0 part /
nvme0n1     259:0    0  3.6T  0 disk
├─nvme0n1p1 259:1    0  512M  0 part
└─nvme0n1p2 259:2    0  3.6T  0 part

Formatieren

sudo mkfs.vfat /dev/nvme0n1p1 -n bootfs -v

mkfs.fat 4.2 (2021-01-31)
Auto-selecting FAT32 for large filesystem
mkfs.fat: Warning: lowercase labels might not work properly on some systems
/dev/nvme0n1p1 has 64 heads and 32 sectors per track,
hidden sectors 0x2000;
logical sector size is 512,
using 0xf8 media descriptor, with 1048576 sectors;
drive number 0x80;
filesystem has 2 32-bit FATs and 8 sectors per cluster.
FAT size is 1024 sectors, and provides 130812 clusters.
There are 32 reserved sectors.
Volume ID is e82ef657, volume label bootfs.

sudo mkfs.ext4 /dev/nvme0n1p2 -L rootfs -v

mke2fs 1.47.0 (5-Feb-2023)
fs_types for mke2fs.conf resolution: 'ext4'
Discarding device blocks: done
Filesystem label=rootfs
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
244162560 inodes, 976623104 blocks
48831155 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=3124756480
29805 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Filesystem UUID: e60c2e38-853d-4df6-9848-a730e7e84484
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424, 20480000, 23887872, 71663616, 78675968,
    102400000, 214990848, 512000000, 550731776, 644972544

Allocating group tables: done
Writing inode tables: done
Creating journal (262144 blocks): done
Writing superblocks and filesystem accounting information: done

Mounten

sudo mkdir klonboot

sudo mkdir klonfs

sudo mount /dev/nvme0n1p1 /klonboot

sudo mount /dev/nvme0n1p2 /klonfs

Klonen

sudo rsync -rltDv --numeric-ids --info=progress2 /boot/firmware/ /klonboot

sudo rsync -axHAWXSv --numeric-ids --info=progress2 / /klonfs

fstab anpassen

lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL,PARTUUID

NAME        FSTYPE  SIZE MOUNTPOINT     LABEL  PARTUUID
mmcblk0            29.5G
├─mmcblk0p1 vfat    512M /boot/firmware bootfs ccf43481-01
└─mmcblk0p2 ext4     29G /              rootfs ccf43481-02
nvme0n1             3.6T
├─nvme0n1p1 vfat    512M /klonboot      bootfs a65da01e-f259-4250-a968-edac1cdeb20d
└─nvme0n1p2 ext4    3.6T /klonfs        rootfs 144c2490-ce9b-4298-8b78-cb11e060df3c

sudo nano /klonfs/etc/fstab

proc            /proc           proc    defaults          0       0
PARTUUID=a65da01e-f259-4250-a968-edac1cdeb20d  /boot/firmware  vfat    defaults          0       2
PARTUUID=144c2490-ce9b-4298-8b78-cb11e060df3c  /               ext4    defaults,noatime  0       1
# a swapfile is not a swap partition, no line here
#   use  dphys-swapfile swap[on|off]  for that

cmdline.txt anpassen

sudo nano /klonboot/cmdline.txt

console=serial0,115200 console=tty1 root=PARTUUID=144c2490-ce9b-4298-8b78-cb11e060df3c rootfstype=ext4 fsck.repair=yes rootwait quiet splash plymouth.ignore-serial-consoles cfg80211.ieee80211_regdom=DE

Finale

sudo umount /klonboot && sudo umount /klonfs

sudo poweroff

SD karte entfernen und von SSD starten :)

Quelle: https://www.youtube.com/watch?v=3MhRMZwY4Ho

Best Friends

Sun, 17 Sep 2023 12:24:09 +0200

FileMaker Server 2023 - Letsencrypt

Fri, 28 Jul 2023 21:03:06 +0200

Mac mini M1, macOS Ventura 13.5, Filemaker Server 2023

Installation

Homebrew installieren

# /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

==> Next steps:
- Run these two commands in your terminal to add Homebrew to your PATH:
    (echo; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"') >> /Users/gent/.zprofile
    eval "$(/opt/homebrew/bin/brew shellenv)"

certbot installieren

# brew install certbot

certbot testen

# sudo certbot renew
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Den MacOS Standard-Webroot zum Webroot des Filemaker Servers linken

# cd /Library/WebServer
# sudo ln -s /Library/FileMaker\ Server/HTTPServer/htdocs/

Zertifikat

holen

# sudo certbot certonly --webroot -d fm.comodin.com --agree-tos -m fm@comodin.com --preferred-challenges "http"
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for fm.comodin.com
Input the webroot for fm.comodin.com: (Enter 'c' to cancel): /Library/WebServer/htdocs

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/fm.comodin.com/privkey.pem
This certificate expires on 2023-10-28.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

prüfen

# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fm.comodin.com
    Serial Number: 33...3e5
    Key Type: ECDSA
    Domains: fm.comodin.com
    Expiry Date: 2023-10-28 06:25:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fm.comodin.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

erneuern

# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fm.comodin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/fm.comodin.com/fullchain.pem expires on 2023-10-28 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

per hand kopieren

# sudo cp /etc/letsencrypt/live/fm.comodin.com/privkey.pem /Library/FileMaker\ Server/CStore/privkey.pem
# sudo cp /etc/letsencrypt/live/fm.comodin.com/fullchain.pem /Library/FileMaker\ Server/CStore/fullchain.pem

die Rechte einstellen

# sudo chmod 644 /Library/FileMaker\ Server/CStore/privkey.pem

per hand in Filemaker Server laden

# sudo fmsadmin certificate import "/Library/FileMaker Server/CStore/fullchain.pem" --keyfile "/Library/FileMaker Server/CStore/privkey.pem" -y
username (root):(Admin-name aus der FM-Console)
password:
Please restart the FileMaker Server service to apply the change.

Filemaker Server stoppen / starten

# launchctl stop com.filemaker.fms
# launchctl start com.filemaker.fms

Stand 2023: der Mac musste neu gestartet werden, damit das Zertifikat geladen wurde. Das o.g. stoppen/starten über launchctl reichte nicht aus.

Automatisieren

Das Ganze wollen wir jetzt automatisieren. Jede Woche soll certbot automatisch

das Zertifikat erneuern
das Zertifikat in den Filemaker Server laden
den Filemaker Server neustarten
uns eine E-Mail senden, damit wir immer im Blick haben was Sache ist

Benötigt/Vorausgesetzt wird ein laufender postfix auf dem Mac, siehe MacOS - postfix

# sudo nano /usr/local/bin/fmcertrenew.sh

fmcertrenew.sh

#!/bin/sh

DOMAIN="fm.comodin.com"
EMAIL="fm@comodin.com"
USER="fmuser"
PASS="fmpass"

SERVER_PATH="/Library/FileMaker Server/"
WEB_ROOT="${SERVER_PATH}HTTPServer/htdocs"
LOGFILE="/tmp/fmcertrenew.log"

# certbot
certbot renew > "${LOGFILE}"
cp "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SERVER_PATH}CStore/fullchain.pem"
cp "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SERVER_PATH}CStore/privkey.pem"

chmod 640 "${SERVER_PATH}CStore/privkey.pem"

# FileMaker Server
fmsadmin certificate delete -y -u "${USER}" -p "${PASS}"

fmsadmin certificate import "${SERVER_PATH}CStore/fullchain.pem" --keyfile "${SERVER_PATH}CStore/privkey.pem" -y -u "${USER}" -p "${PASS}"  >> "${LOGFILE}"

launchctl stop com.filemaker.fms

sleep 60s

launchctl start com.filemaker.fms

echo "fertig :)"  >> "${LOGFILE}"

mail -s "fmcertrenew.log" "${EMAIL}" < "${LOGFILE}"

Rechte setzen

# sudo chmod 750 fmcertrenew.sh

das Script testen

# sudo /usr/local/bin/fmcertrenew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Restart the FileMaker Server background processes to apply the change.

die E-Mail sollte so aussehen

LaunchDaemon

sudo nano /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

Jeden Samstag früh um 4:29 Uhr soll certbot das Zertifikat erneuern und in den Filemaker Server laden

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin</string>
    </dict>
    <key>Label</key>
    <string>com.filemaker.fmcertrenew</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/usr/local/bin/fmcertrenew.sh</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>StartCalendarInterval</key>
    <array>
        <dict>
            <key>Hour</key>
            <integer>4</integer>
            <key>Minute</key>
            <integer>29</integer>
            <key>Weekday</key>
            <integer>6</integer>
        </dict>
    </array>
</dict>
</plist>

Rechte anpassen

# sudo chown root:wheel /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

load

# sudo launchctl load -w /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

unload

# sudo launchctl unload /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

prüfen ob es geladen wurde

# sudo launchctl list | grep com.filemaker
-   0   com.filemaker.httpd.graceful
-   0   com.filemaker.httpd.stop
92024   0   com.filemaker.fms
-   0   com.filemaker.httpd.start
-   0   com.filemaker.fmcertrenew
-   0   com.filemaker.httpd.restart

Glasfaser direkt am Schreibtisch, Ping: 1ms

Mon, 20 Jun 2022 00:08:43 +0200

FRITZ!Box - Verschlüsselte Namensauflösung im Internet (DNS over TLS)

Tue, 21 Dec 2021 23:11:08 +0100

Einstellen

Status prüfen

macOS - löschen von restricted Dateien

Sun, 05 Dec 2021 23:11:49 +0100

Das Problem

Im Terminal sieht das so aus:

gent@MacBookPro SharedSupport % ls -lO
total 9222688
-rw-r--r--  1 root  wheel  restricted 4722014048  5 Dez 18:20 InstallESD.dmg

Die Lösung

Den Mac im Recovery-Modus neu starten command + R gedrückt halten.

Im Menü Dienstprogramme das Terminal starten

Nach dem Neustart die Datei löschen bzw. Papierkorb leeren. Anschließend wieder im Recovery-Modus starten und im Terminal csrutil anschalten.

# csrutil enable

#reboot

FreeBSD 13 auf SSD am Raspberry pi 4

Thu, 18 Nov 2021 18:28:29 +0100

Quellen:

SSD vorbereiten

Das aktuelle FreeBSD RELEASE laden: https://download.freebsd.org/ftp/releases/arm64/aarch64/ISO-IMAGES/
Den Raspberry Pi Imager laden: https://www.raspberrypi.com/softwar
Die SSD an den Mac stecken und den Imager starten

Bei SD-Karte die SSD auswählen, installieren .. fertig.
Die SSD an den blauen USB-Port des Raspberry Pi stecken
falls vorhanden, die SD-Karte aus dem Raspberry Pi entfernen
den Raspberry Pi starten und mit root/root anmelden.

Java für Apple Silicon M1

Tue, 16 Nov 2021 22:05:38 +0100

macOS Monterey Version 12.0.1 kommt ohne Java

# java -version
The operation couldn’t be completed. Unable to locate a Java Runtime.
Please visit http://www.java.com for information on installing Java.

Java für Apple Silicon installieren

Download: https://www.azul.com/downloads/?os=macos&architecture=arm-64-bit&package=jdk

# java -version
openjdk version "17.0.1" 2021-10-19 LTS
OpenJDK Runtime Environment Zulu17.30+15-CA (build 17.0.1+12-LTS)
OpenJDK 64-Bit Server VM Zulu17.30+15-CA (build 17.0.1+12-LTS, mixed mode, sharing)

# javac -version
javac 17.0.1

Minecraft Server installieren

Quelle: https://paper.readthedocs.io/en/latest/server/getting-started.html

Download: https://papermc.io/downloads

Den Minecraft Server (zb. die Datei paper-1.17.1-384.jar) in einen Ordner legen und durch doppelklick starten.

Minecraft Server im Hintergrund

Der Server kann auch im Hintergrund über Terminal gestartet werden.

# java -Xms2G -Xmx2G -jar paper-1.17.1-384.jar --nogui

Downloading vanilla jar...
Patching vanilla jar...
System Info: Java 17 (OpenJDK 64-Bit Server VM 17.0.1+12-LTS) Host: Mac OS X 12.0.1 (aarch64)
Loading libraries, please wait...
[22:41:43 ERROR]: Failed to load properties from file: server.properties
[22:41:43 WARN]: Failed to load eula.txt
[22:41:43 INFO]: You need to agree to the EULA in order to run the server. Go to eula.txt for more info.

Die Datei eula.txt öffnen und eula=TRUE setzen.

Den Server erneut starten, diesmal mit screen:

# screen -dmS minecraft java -jar -Xms2G -Xmx2G -jar paper-1.17.1-384.jar --nogui

System Info: Java 17 (OpenJDK 64-Bit Server VM 17.0.1+12-LTS) Host: Mac OS X 12.0.1 (aarch64)
Loading libraries, please wait...
[22:43:15 INFO]: Environment: authHost='https://authserver.mojang.com', accountsHost='https://api.mojang.com', sessionHost='https://sessionserver.mojang.com', servicesHost='https://api.minecraftservices.com', name='PROD'
[22:43:15 INFO]: Found new data pack file/bukkit, loading it automatically
[22:43:15 INFO]: Reloading ResourceManager: Default, bukkit
[22:43:15 INFO]: Loaded 7 recipes
[22:43:16 INFO]: Starting minecraft server version 1.17.1
[22:43:16 INFO]: Loading properties
[22:43:16 INFO]: This server is running Paper version git-Paper-384 (MC: 1.17.1) (Implementing API version 1.17.1-R0.1-SNAPSHOT) (Git: 51b7b60)
[22:43:16 INFO]: Server Ping Player Sample Count: 12
[22:43:16 INFO]: Using 4 threads for Netty based IO
[22:43:16 INFO]: Default game type: SURVIVAL
[22:43:16 INFO]: Generating keypair
[22:43:16 INFO]: Starting Minecraft server on *:25565
[22:43:16 INFO]: Using default channel type
[22:43:16 INFO]: Paper: Using Java 11 compression from Velocity.
[22:43:16 INFO]: Paper: Using Java cipher from Velocity.
[22:43:16 INFO]: Preparing level "world"
[22:43:17 WARN]: Unable to find spawn biome
[22:43:18 WARN]: Unable to find spawn biome
[22:43:18 INFO]: Preparing start region for dimension minecraft:overworld
[22:43:18 INFO]: Preparing spawn area: 0%
[22:43:18 INFO]: Time elapsed: 291 ms
[22:43:18 INFO]: Preparing start region for dimension minecraft:the_nether
[22:43:18 INFO]: Time elapsed: 102 ms
[22:43:18 INFO]: Preparing start region for dimension minecraft:the_end
[22:43:18 INFO]: Time elapsed: 98 ms
[22:43:18 INFO]: Running delayed init tasks
[22:43:18 INFO]: Done (2.710s)! For help, type "help"
[22:43:18 INFO]: Timings Reset
>

Den Server testen

vom gleichen Mac aus.. also 127.0.0.1

WOW, das ist schnell..

Minecraft Server stoppen

Im Terminal den Server anzeigen

# screen -r minecraft

System Info: Java 17 (OpenJDK 64-Bit Server VM 17.0.1+12-LTS) Host: Mac OS X 12.0.1 (aarch64)
Loading libraries, please wait...
[23:03:53 INFO]: Environment: authHost='https://authserver.mojang.com', accountsHost='https://api.mojang.com', sessionHost='https://sessionserver.mojang.com', servicesHost='https://api.minecraftservices.com', name='PROD'
[23:03:54 INFO]: Reloading ResourceManager: Default, bukkit
[23:03:54 INFO]: Loaded 7 recipes
[23:03:54 INFO]: Starting minecraft server version 1.17.1
[23:03:54 INFO]: Loading properties
[23:03:54 INFO]: This server is running Paper version git-Paper-384 (MC: 1.17.1) (Implementing API version 1.17.1-R0.1-SNAPSHOT) (Git: 51b7b60)
[23:03:54 INFO]: Server Ping Player Sample Count: 12
[23:03:54 INFO]: Using 4 threads for Netty based IO
[23:03:54 INFO]: Default game type: CREATIVE
[23:03:54 INFO]: Generating keypair
[23:03:55 INFO]: Starting Minecraft server on *:25565
[23:03:55 INFO]: Using default channel type
[23:03:55 INFO]: Paper: Using Java 11 compression from Velocity.
[23:03:55 INFO]: Paper: Using Java cipher from Velocity.
[23:03:55 INFO]: Server permissions file permissions.yml is empty, ignoring it
[23:03:55 INFO]: Preparing level "world"
[23:03:55 INFO]: Preparing start region for dimension minecraft:overworld
[23:03:55 INFO]: Time elapsed: 117 ms
[23:03:55 INFO]: Preparing start region for dimension minecraft:the_nether
[23:03:55 INFO]: Time elapsed: 47 ms
[23:03:55 INFO]: Preparing start region for dimension minecraft:the_end
[23:03:55 INFO]: Time elapsed: 46 ms
[23:03:55 INFO]: Starting remote control listener
[23:03:55 INFO]: Thread RCON Listener started
[23:03:55 INFO]: RCON running on 0.0.0.0:25575
[23:03:55 INFO]: Running delayed init tasks
[23:03:55 INFO]: Done (0.756s)! For help, type "help"
[23:03:55 INFO]: Timings Reset
>

Den Minecraft Server stoppen control + c

Screen verlassen ohne den Minecraft Server zu stoppen mit control + a und danach control + d

Stromverbrauch

Mein Mac mini verbraucht im Durchschnitt 15 W beim arbeiten. Wenn der Minecraft Server läuft kommen ca. 8 W dazu, also insgesamt ca. 23 W.

FileMaker Server 19 - Letsencrypt

Wed, 10 Mar 2021 21:36:35 +0100

Installation

Homebrew installieren

# /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

certbot installieren

# brew install certbot

Den MacOS Standard-Webroot zum Webroot des Filemaker Servers linken

# cd /Library/WebServer
# sudo ln -s /Library/FileMaker\ Server/HTTPServer/htdocs/

Zertifikat

holen

# sudo certbot certonly --webroot -d fm.comodin.com --agree-tos -m fm@comodin.com --preferred-challenges "http"
    Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fm.comodin.com
Input the webroot for fm.comodin.com: (Enter 'c' to cancel): /Library/WebServer/htdocs
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/fm.comodin.com/privkey.pem
   Your cert will expire on 2019-08-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

prüfen

sudo certbot certificates                                                                                                               
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fm.comodin.com
    Serial Number: 46489aa88b4e9bb6e26fba0d984227dde6a
    Key Type: RSA
    Domains: fm.comodin.com
    Expiry Date: 2021-06-08 10:10:42+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/fm.comodin.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fm.comodin.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

erneuern

sudo certbot renew
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fm.comodin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fm.comodin.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/fm.comodin.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/fm.comodin.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

per Hand kopieren

sudo cp /etc/letsencrypt/live/fm.comodin.com/privkey.pem /Library/FileMaker\ Server/CStore/privkey.pem
sudo cp /etc/letsencrypt/live/fm.comodin.com/fullchain.pem /Library/FileMaker\ Server/CStore/fullchain.pem

die Rechte einstellen

sudo chmod 644 /Library/FileMaker\ Server/CStore/privkey.pem

in Filemaker Server laden

sudo fmsadmin certificate import "/Library/FileMaker Server/CStore/fullchain.pem" --keyfile "/Library/FileMaker Server/CStore/privkey.pem" -y
username (root):gent
password:
Restart the FileMaker Server background processes to apply the change.

Filemaker Server stoppen / starten

launchctl stop com.filemaker.fms
launchctl start com.filemaker.fms

Automatisieren

Das Ganze wollen wir jetzt automatisieren. Jede Woche soll certbot automatisch

das Zertifikat erneuern
das Zertifikat in den Filemaker Server laden
den Filemaker Server neustarten
uns eine E-Mail senden, damit wir immer im Blick haben was Sache ist

Benötigt/Vorausgesetzt wird ein laufender postfix auf dem Mac, siehe MacOS - postfix

sudo bbedit /usr/local/bin/fmcertrenew.sh

fmcertrenew.sh

#!/bin/sh

DOMAIN="fm.comodin.com"

EMAIL="fm@comodin.com"

SERVER_PATH="/Library/FileMaker Server/"

WEB_ROOT="${SERVER_PATH}HTTPServer/htdocs"

USER="fmuser"

PASS="fmpass"

LOGFILE="/tmp/fmcertrenew.log"

# certbot

certbot renew > "${LOGFILE}"

cp "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" "${SERVER_PATH}CStore/fullchain.pem"

cp "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" "${SERVER_PATH}CStore/privkey.pem"

chmod 640 "${SERVER_PATH}CStore/privkey.pem"

# FileMaker Server

fmsadmin certificate delete -y -u "${USER}" -p "${PASS}"

fmsadmin certificate import "${SERVER_PATH}CStore/fullchain.pem" --keyfile "${SERVER_PATH}CStore/privkey.pem" -y -u "${USER}" -p "${PASS}"  >> "${LOGFILE}"

launchctl stop com.filemaker.fms

sleep 60s

launchctl start com.filemaker.fms

echo "fertig :)"  >> "${LOGFILE}"

mail -s "fmcertrenew.log" "${EMAIL}" < "${LOGFILE}"

Rechte setzen

chmod 750 fmcertrenew.sh

das Script testen

sudo /usr/local/bin/fmcertrenew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Restart the FileMaker Server background processes to apply the change.

die E-Mail sollte so aussehen

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/fm.comodin.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
 /etc/letsencrypt/live/fm.comodin.com/fullchain.pem expires on 2021-06-08 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Restart the FileMaker Server background processes to apply the change.
fertig :)

LaunchDaemon

sudo bbedit /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

Jeden Samstag früh um 4:29 Uhr soll certbot das Zertifikat erneuern und in den Filemaker Server laden

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin</string>
    </dict>
    <key>Label</key>
    <string>com.filemaker.fmcertrenew</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>/usr/local/bin/fmcertrenew.sh</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>AbandonProcessGroup</key>
    <true/>
    <key>StartCalendarInterval</key>
    <array>
        <dict>
            <key>Hour</key>
            <integer>4</integer>
            <key>Minute</key>
            <integer>29</integer>
            <key>Weekday</key>
            <integer>6</integer>
        </dict>
    </array>
</dict>
</plist>

Rechte anpassen

chown root:wheel /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

load

# sudo launchctl load -w /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

unload

# sudo launchctl unload /Library/LaunchDaemons/com.filemaker.fmcertrenew.plist

prüfen ob es geladen wurde

sudo launchctl list | grep com.filemaker
-   0   com.filemaker.httpd.graceful
-   0   com.filemaker.httpd.stop
92024   0   com.filemaker.fms
-   0   com.filemaker.httpd.start
-   0   com.filemaker.fmcertrenew
-   0   com.filemaker.httpd.restart