Differences

This shows you the differences between two versions of the page.

userguide:leanote [2020/05/22 15:46] (current)
Dan Brown created
Line 1: Line 1:
 +<​markdown>​
 +# Work in Progress
 +# Not for production use
  
 +## Before you begin
 +Adjust your TLS certificate to add the hostname of leanote.yourdomain (or whatever hostname you want to assign to your Leanote installation),​ or create a new certificate for that FQDN.  Then run these commands:
 +
 +`yum install mongodb mongodb-server`
 +
 +`yum install https://​github.com/​wkhtmltopdf/​wkhtmltopdf/​releases/​download/​0.12.5/​wkhtmltox-0.12.5-1.centos7.x86_64.rpm`
 +
 +`cd /opt`
 +
 +`wget https://​sourceforge.net/​projects/​leanote-bin/​files/​2.6.1/​leanote-linux-amd64-v2.6.1.bin.tar.gz/​download`
 +
 +`tar xfv download`
 +
 +`rm download`
 +
 +`systemctl enable --now mongod`
 +
 +`mongorestore -h localhost -d leanote --dir leanote/​mongodb_backup/​leanote_install_data/​`
 +
 +`mongo`
 +
 +`use leanote;`
 +
 +`db.addUser("​leanote","​abc123"​);​`
 +
 +Replace `leanote` and `abc123` in the command above with the desired database username and password. ​ The password should be long and random.
 +Ctrl-D to exit Mongo.
 +
 +`nano /​etc/​mongod.conf`
 +
 +On line 70, uncomment `auth = true`. ​ Save and exit.
 +
 +`systemctl restart mongod`
 +
 +`cat /​dev/​urandom | tr -dc '​a-zA-Z0-9'​ | fold -w 64 | head -n 1`
 +
 +Copy the output of the command above.
 +
 +`nano leanote/​conf/​app.conf`
 +
 +* Find the line that has `app.secret=` (it should be line 25), delete whatever value is there, and replace with the value you just copied.
 +* On line 8, set `site.url` to `https://​leanote.yourdomain` (or alternate hostname if desired)
 +* On lines 17 and 18, enter the database username and password you set above.
 +* Save and exit
 +
 +`nano /​usr/​lib/​systemd/​system/​leanote.service`
 +
 +Contents are:
 +
 +```
 +[Unit]
 +Description=Leanote
 +After=mongod.service
 +
 +[Service]
 +Type=simple
 +ExecStart=/​opt/​leanote/​bin/​run.sh
 +
 +[Install]
 +WantedBy = default.target
 +```
 +
 +`chmod +x leanote/​bin/​run.sh`
 +
 +`systemctl enable --now leanote`
 +
 +### Set up reverse proxy
 +`config set leanote configuration`
 +
 +`mkdir -p /​etc/​e-smith/​templates-custom/​etc/​httpd/​conf.d/​virtualhosts.conf/​`
 +
 +`nano /​etc/​e-smith/​templates-custom/​etc/​httpd/​conf.d/​virtualhosts.conf/​15_leanote`
 +
 +You're creating a template fragment. ​ Its contents should be:
 +```
 +{
 +my $host = $leanote{hostname} || "​leanote";​
 +$OUT .= qq (
 +# 15_leanote
 +
 +<​VirtualHost *:80>
 +  ServerName $host.$DomainName
 +  RewriteEngine on
 +  RewriteRule ^/​\\.well-known/​ - [L]
 +  RewriteRule (.*) https://​$host.$DomainName\$1 [R,L]
 +  Alias "/​.well-known/​acme-challenge/"​ "/​var/​www/​html/​.well-known/​acme-challenge/"​
 +  <​Directory "/​var/​www/​html/​.well-known/​acme-challenge/">​
 +     ​Require all granted
 +     ​Options -Indexes -FollowSymLinks
 +     ​AllowOverride None
 +  </​Directory>​
 +</​VirtualHost>​
 +
 +<​VirtualHost *:443>
 +  ServerName $host.$DomainName
 +  SSLEngine on
 +  ProxyPass / http://​127.0.0.1:​9000/​
 +  ProxyPassReverse / http://​127.0.0.1:​9000/​
 +);
 +
 +unless ($leanote{AllowDemo} eq '​enabled'​) {
 + $OUT .= qq (
 + RewriteEngine on
 + RewriteRule ^/demo\$ /login [R=permanent,​L]
 +);
 +}
 +
 +if (length $leanote{CertFile}) {
 + $OUT .= qq (
 +  SSLCertificateFile $leanote{CertFile}
 +  SSLCertificateChainFile $leanote{ChainFile}
 +  SSLCertificateKeyFile $leanote{KeyFile}
 +);
 +}
 +$OUT .= "​\n</​VirtualHost>​\n"​
 +}
 +```
 +Save and exit.
 +
 +`signal-event nethserver-httpd-update`
 +
 +### Log in
 +Browse to https://​leanote.yourdomain,​ and you'll see a login screen. ​ The default admin user is `admin`, password is `abc123` (which you should change immediately).
 +
 +### Customizing
 +Leanote will be made available on a virtual host of leanote.yourdomain. ​ If you want to change this (say, to ln.yourdomain),​ run `config setprop leanote hostname ln` followed by `signal-event nethserver-httpd-update`.
 +
 +By default, the Leanote demo mode is **disabled**. ​ If you want to allow any visitor to your site to log in as a demo user without a password, run `config setprop leanote AllowDemo enabled` followed by `signal-event nethserver-httpd-update`.
 +
 +By default, the Leanote virtual host will use the system'​s default TLS certificate. ​ To use a different cert (perhaps one you've obtained just for this virtual host), run:
 +
 +`config setprop leanote CertFile /​path/​to/​cert`
 +
 +`config setprop leanote ChainFile /​path/​to/​intermediate/​cert(s)`
 +
 +`config setprop leanote KeyFile /​path/​to/​private/​key`
 +
 +`signal-event nethserver-httpd-update`
 +
 +## Important Admin settings
 +There are a few settings you'll need to change, and others you'll want to be aware of.  Log in as the `admin` user, and in the upper-right corner of the screen, click on that user's menu and select **Admin**:
 +![7facb85a137785494d486986754c2603.png](:/​c651ad8f37cb47bbbe012c156f5e16b3)
 +This will take you to the administration page:
 +![0f9c4cbb45ec6a4f176390c1b3ab11f6.png](:/​5f0790d4220e47f3a25f31832eeb9524)
 +
 +### Save as PDF
 +To save notes as PDF, Leanote needs to know where the `wkhtmltopdf` binary is.  To set that, on the left, click on **Configuration**,​ then on **Export PDF**. ​ Enter the path to `wkhtmltopdf`,​ which is `/​usr/​local/​bin/​wkhtmltopdf`. ​ Then click **Submit**:
 +![8036e9e285bab778a92c884e7558c985.png](:/​3338c38f2acf4d35bed52f8a733d22f9)
 +
 +### Database backup/​restore
 +On the left, click on **Data**, then **Mongodb Tool Configuration**. ​ Enter the correct paths as shown here.  Both `mongodump` and `mongorestore` live in `/​usr/​local/​bin/​`. ​ Then click Submit.
 +![50d12cdbe09d567dec255ecb97728b9e.png](:/​b5cae47dfa2f4184bb4edd6ec3995a70)
 +
 +### Disable registration
 +Leanote **does not** synchronize its users with your Neth system, and by default, anyone who can reach your Leanote installation can register an account there without even needing to verify their email address. ​ Unless your installation is on a protected network, you probably don't want this.  To disable registration,​ on the left, click on **Configuration**,​ then on **Open Register**. ​ Uncheck the box and click Submit.
 +![13d9c1e6d75d0035cf8199cfc90ffdf9.png](:/​b912181ed3434682ab27a4448913c2a9)
 +
 +## To Do
 +
 +* Security
 +  * [s]MongoDB authentication[/​s]
 +  * [s]Disable account registration[/​s]
 +  * Access control--allow access only from specified networks
 +  * Delete demo user/Try It button
 +* Reverse proxy setup
 +  * [s]Both for virtual host and[/s] subdirectory
 +* [s]systemd unit to start Leanote on boot (and in background)[/​s]
 +* [s]LDAP/AD authentication?​[/​s]
 +* [s]`wkhtmltopdf:​ cannot connect to X server`[/s]
 +* Figure out if there'​s a Leanote fork that's better maintained--Leanote itself hasn't had a commit in over a year, or a release in over two years, and there are nearly 500 open issues.
 +* RPM for Leanote itself
 +* Nethserver module to integrate
 +</​markdown>​
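
Review bot: The `[Service]` section of the `leanote.service` unit has no `User=` line, so `/opt/leanote/bin/run.sh` and the Leanote process it starts run as root; create a dedicated unprivileged account, give it ownership of `/opt/leanote`, and name it with `User=` (and `Group=`) in the unit. In the `15_leanote` template fragment, `if (length $leanote{CertFile})` guards all three certificate directives, so setting `CertFile` without `ChainFile` or `KeyFile` emits `SSLCertificateChainFile` or `SSLCertificateKeyFile` with no argument and httpd will refuse the configuration; test each property before writing its directive. The tarball fetched with `wget` is extracted and run with no checksum or signature check, and the `db.addUser` example reuses `abc123`, the same value as the default admin password mentioned under "Log in", so an obvious placeholder would be less likely to be pasted unchanged.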