Install the latest version of SABnzbd for multiple users on Debian 8

This article explains how to set up SABnzbd on Debian 8. I suppose it will also work on Ubuntu and other Linux flavours since there aren’t a whole lot of dependencies.

We’ll install SAB’s Python code in a central location so all users will use the same code. Each user will have their own download queue and locations, preferences, history files, etc. We’ll encrypt the webinterface with SSL certificates from Let’s Encrypt.

If you found this article useful please click some of the ads around here 🙂

Here’s what we’ll cover:

  • Why the Python code instead of the Debian package?
  • Install dependencies and extra tools
  • Download and extract SABnzbd’s Python code
  • Create an ini file
  • Webbased setup
  • Secure web interface with Let’s Encrypt SSL certificates
  • Add users
  • Managing the SAB processes
  • Upgrading and tweaks
  • Domain name
    I assume you have a registered domain name. If not: get one or skip the Let’s Encrypt part since Let’s Encrypt only works with registered domain names. Use self-signed certificates instead. In this article I use example.com. Substitute it by your own domain name.

    Port numbers
    By default the SABnzbd webinterface runs on port 8080. All port numbers I use in this article are arbitrairy. By convention don’t use lower port numbers (<1024). Make sure you get your port mapping right.

    Because SABnzbd will be running under the users' respective accounts it is important to distinguish between things done as root and as a regular user. My useraccount is called vorkbaard and I'll be using it as an example. Substitute your own.

    Commands executed as root are indicated by #. Use sudo to run them or just log in as root or do

    $ sudo su
    

    or

    $ su root
    

    to change user contexts.

    Commands executed as a regular user are indicated by $.

    Why the Python code instead of the Debian package?

    Because while stable the Debian package is rather outdated. At the moment of writing the Debian package is at version 0.7.18 while the current version is 1.0.1. Now to be fair the functionality is alright in the Debian ersion. I’m in it for the eye candy and SABnzbd is not the most critical part of my server so if it breaks there’s no urgency to fix it.

    Dependencies

    This page lists SAB’s dependencies: https://github.com/sabnzbd/sabnzbd
    To install them in Debian, run

    # aptitude install python2.7 python-cheetah python-openssl python-support python-yenc unzip p7zip-full par2
    

    On my server SABnzbd was complaining about a “problematic UNRAR” because I had installed unrar-free. The non-free version of unrar stopped the complaints:
    In /etc/apt/sources.list make sure you have non-free added to your repositories:

    deb http://ftp.nl.debian.org/debian/ jessie main contrib non-free
    deb-src http://ftp.nl.debian.org/debian/ jessie main contrib non-free
    
    deb http://security.debian.org/ jessie/updates main contrib non-free
    deb-src http://security.debian.org/ jessie/updates main contrib non-free
    
    # jessie-updates, previously known as 'volatile'
    deb http://ftp.nl.debian.org/debian/ jessie-updates main contrib non-free
    deb-src http://ftp.nl.debian.org/debian/ jessie-updates main contrib non-free
    

    Do

    # aptitude update
    

    to update the package cache.

    Then install unrar:

    # aptitude install unrar
    

    Download and extract SABnzbd’s Python code

    Head over to http://sabnzbd.org/download/ and copy the Python Source location. I’m installing in /opt on my server because I feel it should go there. But any location with the correct permissions will do.

    Go to /opt and download SABnzbd:

    # cd /opt
    # wget https://github.com/sabnzbd/sabnzbd/releases/download/1.0.1/SABnzbd-1.0.1-src.tar.gz
    

    Extract the tarball and rename the directory:

    # tar -xzf SABnzbd-1.0.1-src.tar.gz
    # mv SABnzbd-1.0.1 sabnzbd
    

    Create an ini file

    We should now create a stub ini file to tell SABnzbd it should a) not fire up your web browser when it starts and b) should be accessible from outside, not just the local server. The purpose of this is to start up SABnzbd on the server but continue the webbased setup from your workstation.

    Now the sabnzbd.ini file is distinct for each user. So it goes in the user directory. We’ll cover adding more users later; this is just the initial setup.

    As a user create a file called ~/sabnzbd.ini
    And add this to it:

    [misc]
    host = 0.0.0.0
    auto_browser = 0
    

    Later on you may prefer to use hidden ini file. In that case just name them ~/.sabnzbd.ini.

    Start SABnzbd

    Then fire up SABnzbd. The -f switch specifies which ini file you want to use. The -d switch tells SAB to go into daemon mode. Personally I like to run it interactively when setting it up (so no -d switch) in a separate terminal session so I can keep an eye on it.

    $ python /opt/sabnzbd/SABnzbd.py -f ~/sabnzbd.ini
    

    multisab_8

    Keep an eye on the process for warnings, errors and missing dependencies. Press Ctrl+C if you need stop the process – note that this will stop SABnzbd so it will no longer be available from its webinterface. If you stop SAB from the webinterface the process will stop as well.

    If all is well SAB will start up normally (if not: stop the process, fix what needs fixing and try again) and you will be able to access it on its default port number 8080. Follow the webbased wizard.

    multisab_7

    Secure web interface with Let’s Encrypt SSL certificates

    Here is a fun part. I’m not familiar with Let’s Encrypt on non-Debian systems but Let’s Encrypt keeps a fairly good documentation. Also because it is still under development so things may change.

    If you do not have a registered domain name you could use self-signed certificates (Let’s Encrypt will not work withou a registered domain name) but you’ll be forever dodging browser warnings.

    Install Let’s Encrypt
    If you haven’t done so install Apache. If you prefer a different web server that’s ok, check Let’s Encrypt’s website.

    # aptitude install apache2
    

    In /etc/apache2/sites-available/000-default.conf change

    # ServerName www.example.com
    

    to your own domain name:

    ServerName vorkbaard.nl <-- use your own domain
    

    Reload Apache:

    # service apache2 reload
    

    Make sure you can reach it from outside.

    Let’s Encrypt is easily installed from Debian Jessie’s backport repository: http://backports.debian.org/Instructions/

    # echo deb http://ftp.debian.org/debian jessie-backports main > /etc/apt/sources.list.d/backports.list
    # aptitude update
    # aptitude install letsencrypt python-letsencrypt-apache
    

    The installation had some dependency issues on my server and aptitude offered to resolve them. It offered a bunch of solutions and I chose the one that did not keep anything at their current version and/or uninstalled stuff.

    Start Let’s Encrypt:

    # letsencrypt run
    

    Afterwards verify your site is accessible over https.

    Set permissions
    If all is well your certificates will now reside in /etc/letsencrypt/live/example.com/. We must copy the certificates to /opt/sabnzbd/admin/ and set the correct permissions. Why /opt/sabnzbd/admin? Because sabnzbd/admin is the original certificate location for SAB. Keeping things in their expected locations makes it easier to troubleshoot.

    Unfortunately this involves compromising security a bit because your SAB-enabled users will be able to read your server’s private key. This is not optimal but we can reduce the risk to a minimum.

    Create the admin folder:

    # mkdir /opt/sabnzbd/admin
    

    Create a group called sab and add all users that should be able to use SAB (so as not to give anyone access):

    # groupadd sab
    

    For each user:

    # usermod -a -G sab vorkbaard
    

    Note that the -G parameter must be a capital G. The lowercase g would change the user’s primary group, not add an extra group.

    Give the sab group read permissions on /opt/sabnzbd/admin:

    # chown root:sab /opt/sabnzbd/admin
    

    Set traverse rights for the sab users (i.e. they should be able to open the folder):

    # chmod 610 /opt/sabnzbd/admin
    

    Renewing the certificates
    Now we’ll create a little script to renew the certificates and copy them over to the admin folder:

    Create a file /root/sabcerts.sh:

    #!/bin/bash
    
    # Renew the Let's Encrypt certificates
    /usr/bin/letsencrypt renew –-agree-tos
    
    # Copy the new certs to SABnzbs
    cp /etc/letsencrypt/live/www.example.com/*.pem /opt/sabnzbd/admin
    chmod 440 /opt/sabnzbd/admin/*.pem
    chown root:sab /opt/sabnzbd/admin/*.pem
    

    Schedule it with cron:

    # crontab -e
    

    Add this line:

    @daily /root/sabcerts.sh

    In cron make sure you end your last line with an end of line sign – just add a new, empty line. Otherwise the last line will not run, no error will get logged and you will spend countless hours troubleshooting. You are welcome.

    Run the script while you’re at it and all should be in order.

    # /root/sabcerts.sh
    

    If you screw this up the SABnzbd will throw an error at you when starting its Python script.

    multisab_2

    From the webinterface set the following options:
    [x] Enable HTTPS
    HTTPS Port: 8081 (note that this is arbitrary but it must be different from the HTTP port)
    HTTPS Certificate: /opt/sabnzbd/admin/cert.pem
    HTTPS Key: /opt/sabnzbd/admin/privkey.pem
    HTTPS Chain Certificates: /opt/sabnzbd/admin/chain.pem

    The chain certificate is not always necessary (depends on the browser and its support) but it does no harm.

    Save then restart SABnzbd. Keep an eye on the process for errors. If all went well you can now connect to the https version of your SABnzbd process!

    multisab_1

    Add users

    If you’re going to add users you must keep a couple of things in mind:
    – You do not want your users to interfere on each others setups. In other words: they must be separated. So we’ll use separate SAB processes for each users. To accomplish this we must use the –new parameter when starting SAB.
    – Because two processes cannot run on the same port number we must dedicate distinct port numbers for each user.
    – Each user must have her own sabnzbd.ini file.
    – SAB users must be members of the sab group in order to read the certificates.

    Set up your first account in a generic way, then close SABnzbd and copy your sabnzbd.ini file to /opt/sabnzbd/ for easy access. Keep this file as a template and copy it to all SAB-enabled users. Make sure to change the port and https_port values. Afterwards also change the API and NZB keys from the web interface and perhaps reset their password, e-mail address, and so on.

    Just for inspirational purposes I will describe how to add a user and enable SABnzbd for her/him.

    Copy the ini file:

    # cp /home/user/vorkbaard/sabnzbd.ini /opt/sabnzbd/sabbznd.ini.generic
    

    Clean out the password. In /opt/sabnzbd/sabnzbd.ini.generic set:

    password = ""
    

    Create a new user:

    # useradd -G sab -m tinus
    

    -G sab adds the new user to the sab group; -m creates the user’s home directory.

    Bestow unto Tinus a password:

    # passwd tinus
    

    Copy the generic ini file to Tinus’s home folder and set permissions:

    # cp /opt/sabnzbd/sabnzbd.ini.generic /home/tinus/sabnzbd.ini
    # chown tinus: /home/tinus/sabnzbd.ini
    # chmod 770 /home/tinus/sabnzbd.ini
    

    In /home/tinus/sabnzbd.ini change:

    https_port = 8082
    port = 8083
    

    The port numbers should be unique.

    After you start the new user’s SABnzbd process (see the next section) log in to her SAB webinterface and set a password and other personal options.

    Managing the SAB processes

    Create a file /etc/init.d/multisab.sh and add:

    #!/bin/bash
    ### BEGIN INIT INFO
    # Provides: multisab
    # Required-Start: $remote_fs $syslog
    # Required-Stop: $remote_fs $syslog
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: Start sab at boot time
    # Description: Sabnzbdplus for multiple users
    ### END INIT INFO
    
    # userlist format: "username|port number|api key [space] username|port number|api key"
    userlist="tinus|8083|CsZ2HCbpHd5z7XvDlp7QPfViqnc4rfyC vorkbaard|8081|q89pYfUkvGgbQvW5SQYkwR1Lj2FQjIz2"
    
    case "$1" in
    start)
      for userstr in $userlist
      do
        name=$(cut -d'|' -f1 <<< $userstr)
        /usr/bin/sudo -u $name -H /usr/bin/python /opt/sabnzbd/SABnzbd.py -d -f /home/$name/sabnzbd.ini --new
      done
    ;;
    stop)
      for userstr in $userlist
      do
        name=$(cut -d'|' -f1 <<< $userstr)
        port=$(cut -d'|' -f2 <<< $userstr)
        akey=$(cut -d'|' -f3 <<< $userstr)
        shutdownurl="https://localhost:$port/sabnzbd/api?mode=shutdown&apikey=$akey"
        /usr/bin/wget --no-check-certificate --delete-after $shutdownurl
      done
    ;;
    *)
      echo "Usage: $0 {start|stop}"
      exit 1
    esac
    
    exit 0
    

    wget will complain about ‘localhost’ not being the in the cert’s name, hence the –no-check-certificate switch. Using localhost will prevent problems with non-functional internet connections, nat reflection and changing domain names. You could use http://localhost:<http port number> but that way you would need to keep the non-ssl port opened. Anyway, I use localhost.

    Change the userlist string so it contains your own users and their own API keys. It is ok to use incorrect API keys to start the SABnzbd processes but to stop them (gracefully) you need the right ones. If you’ve just added a user then use a fictional API key, start the multisab service, log in to the user’s SABnzbd webinterface, find the API key and paste the key in the script.

    Make the script executable:

    # chmod +x multisab.sh
    

    Register it as a service that should start at normal boots and stop at poweroffs and such:

    # update-rc.d multisab.sh defaults
    

    You can now also control it with

    # service multisab start
    

    and

    # service multisab stop
    

    Upgrading and tweaks

    When upgrading:
    – Make sure to read the release notes. You may very well be able to keep your old ini files but you never know.
    – Keep your /opt/sabnzbd/admin folder or recreate it.

    Stop the multisab service:

    # service multisab stop

    Change to the opt partition and download and extract the new version:

    # cd /opt
    # wget https://github.com/sabnzbd/sabnzbd/releases/download/1.0.2/SABnzbd-1.0.2-src.tar.gz
    # tar -xzf SABnzbd-1.0.2-src.tar.gz
    

    Rename the old directory

    # mv /opt/sabnzbd /opt/sabnzbd.old

    Rename the new directory

    # mv /opt/SABnzbd-1.0.2 /opt/sabnzbd

    Copy the admin directory, preserving al permissions

    # cp -rp /opt/sabnzbd.old/admin /opt/sabnzbd/
    
    Start the multisab service
    # service multisab start

    Reload SABnzbd in your browser and verify everthing works and the new version is active.

    Tweaks
    - Turn off http - once everything works I suggest you turn off unencrypted http access by enabling HTTPS, leaving the HTTPS Port field empty and entering the https value in the SABnzbd Port field.
    - Set a sensible caching: http://wiki.sabnzbd.org/highspeed-downloading. If you have enough memory set it to 500M or so.
    - There are a bunch of things you can do to make SABnzbd faster, have it play nicer and overall just behave better. Poke around in the settings and check the SABnzbd site.

    Enjoy 🙂

    Nexus, door Ramez Naam

    Deel 1 van de Nexus-trilogie.

    Nexus is diamantharde science fiction: het verhaal is niet alleen mogelijk maar zelfs waarschijnlijk; vrijwel alle bestaande technologieën bestaan in essentie, of er wordt aan gewerkt. Het stelt de zeer belangrijke vraag aan de orde hoe mensen zullen omgaan met de upgrades en uitbreidingen voor ons lichaam en onze geest die binnenkort mogelijk zullen zijn.

    De kwestie wordt goed verpakt in een technothriller. Twee studenten gebruiken nanotech om het menselijk brein als softwareplatform te gebruiken. De mogelijkheden zijn eindeloos: draadloze communicatie; aansturing van lichaamsdelen en -functies; en complete programma’s voor bijvoorbeeld romantische of gevechtsscenario’s.

    Willen de studenten en hun vrienden deze technologie voor idealistische doeleinden gebruiken, de diverse inlichtingsdiensten, legers en drugsdealers hebben er hun eigen doelen voor. Het resulterende conflict laat zich enigszins raden maar is desondanks onderhoudend en vlot geschreven.

    nexusAuteur Ramez Naam weet waar hij het over heeft. Hij is werkzaam in de nanotechnologie en werkte als programmeur voor Microsoft. In Nexus beschrijft hij heel treffend de conflicten die zullen voortvloeien uit de technologieën die voor de deur staan.

    Steekwoorden: pakkende actiescènes; diepgaande maar praktische filosofische beschouwingen; transhumanisme en posthumanisme. Aan de horizon zie je de singulariteit al op de loer liggen.

    Geen nieuwe ideeën allemaal maar wel een scherpe blik op een onderbelicht onderwerp wat belangrijk is om nu al over na te denken. Boeiende en belangrijke lectuur voor iedereen!

    De filmrechten zijn in 2013 aan Paramount verkocht dus binnenkort kunnen we er een goedkope actiefilm over verwachten waarin de nadruk vast op de love interest en actie zal komen te liggen en de tech als achtergrond wordt uitgestrooid…

    The Lost Time Accidents, door John Wray

    Je kan debatteren over de vraag of The Lost Time Accidents wel science fiction is. Uiteindelijk is er volgens mij een antwoord maar ten eerste zou de beantwoording ervan de clou weggeven en ten tweede zijn alternatieve zienswijzen zéker valide. Vaststaat dat het alleen al door het zeer bloemrijke taalgebruik een heel aangenaam boek is om te lezen.

    Waldemar Tolliver is een telg uit een familie wier geschiedenis wordt beheerst door diens overgrootvader, die volgens de overlevering zou hebben ontdekt hoe tijdreizen mogelijk kan worden gemaakt.

    LostTimeAccidentsHet verhaal begint bij deze overgrootvader aan het begin van de twintigste eeuw in een Tsjechisch dorpje en verloopt via Wenen en New York naar de huidige tijd. Wray schetst een romantisch maar realistisch aandoend beeld van de tijden en plaatsen die elkaar opvolgen.

    In technisch opzicht is The Lost Time Accidents een briefroman omdat het verhaal in brieven wordt verteld door Waldemar aan de vrouw op wie hij verliefd is. De brieven hebben allemaal dezelfde datering omdat Waldemar naar eigen zeggen is opgesloten in de tijd, in één moment. Hij beschrijft er zijn familiegeschiedenis in.

    Symboliek, karakters, verhaal, stijl en verdeling van de spanning zijn goed op elkaar afgestemd. Het is een flinke pil maar van mij had het verhaal nog veel langer mogen zijn. Het houdt je nieuwsgierig tot de laatste bladzijde. Ook zeer aan te bevelen voor niet-scifi-liefhebbers die smaak voor mysterie hebben!

    Installing a mailserver on Debian 8 – Part 5: Web interface: Roundcube

    How to install a complete mailserver on Debian 8, featuring Postfix, Dovecot, MySQL, Spamassassin, ClamAV, Roundcube and Fail2ban.

    ~ the howto that actually works ~

    Part 1: Introduction
    Part 2: Preparations: Apache, Let’s Encrypt, MySQL and phpMyAdmin
    Part 3: MTA: Postfix
    Part 4: IMAP server: Dovecot
    Part 5: Web interface: Roundcube
    Part 6: Spam filtering: SpamAsasssin
    Part 7: Antivirus: ClamAV and ClamSMTP
    Part 8: Quota and other Roundcube settings
    Part 9: Using mail with a remote IMAP client (i.e. Thunderbird)
    Part 10: Counter brute-force attacks with Fail2ban
    Part 11: Sources, config files, colouring and comments

    On this page

    Installation
    Tell the webserver about Roundcube
    Change the default session key
    Remove Server field from logon screen
    Set a user passwords
    Changing the password from Roundcube

    Comments are on the last page.

    On this page
    On this page

    Installation

    For Roundcube’s installation remember that you need to have backports set up. Alternatively download Roundcube yourself but that will render the next part of this article party invalid. At the moment of writing the Debian backport repo contains the most recent stable Roundcube version (1.1.4).

    # aptitude install roundcube roundcube-plugins
    

    Configure database for roundcube with dbconfig-common? ==> Yes.

    mailsvr023

    Database type to be used by roundcube: mysql

    mailsvr024

    Database password: your MySQL root password

    mailsvr025

    I had a random password generated.

    mailsvr025b

    Tell the webserver about Roundcube

    In /etc/roundcube/apache.conf uncomment

    Alias /roundcube /var/lib/roundcube
    

    Reload Apache’s config:

    # service apache2 reload
    

    Change the default session key

    In /etc/roundcube/config.inc.php change the sample key used for remembering passwords:

    // this key is used to encrypt the users imap password which is stored
    // in the session record (and the client cookie if remember password is enabled).
    // please provide a string of exactly 24 chars.
    // YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
    $config['des_key'] = '321UseYourOwnKeyHere4567';
    

    Remove Server field from logon screen

    In /etc/roundcube/config.inc.php change

    $config['default_host'] = '';
    

    to

    $config['default_host'] = 'localhost';
    

    This will remove the Server field on Roundcube’s logon screen since we’re only ever going to use it to view mail on the same server Roundcube is installed on.

    Monitor /var/log/apache2/error.log and /var/log/roundcube/error.log for errors.

    At this point you can browse to https://example.com/roundcube.

    mailsvr026

    However your only account has no password set yet so let’s do that first.

    Set a user passwords

    doveadm is a command line Dovecot administration tool. Read man doveadm c.q. man doveadm-pw for more information.

    # doveadm pw -s SHA512-CRYPT
    

    Enter your password, then confirm. Doveadm will generate a string that starts with “{SHA512-CRYPT}$6$”. Copy the entire string except for “{SHA512-CRYPT}”, so incuding the “$6$” and in phpMyAdmin paste it in the password field for your user.

    mailsvr027

    mailsvr028

    mailsvr028b

    mailsvr028c

    mailsvr028d

    On the command line:

    # mysql -u root -p
    mysql> UPDATE `postfix`.`addresses` SET `pwd` = '$6$QohFKnpbY8fKjw0e923d0501zmhd7YlfQtyBFk6SXGu8GK7H8Vtt1poOs2x6hFPmwU7.z4g7ZCnvGk0yRU4vZGkDW/1hGT5dI82it51' WHERE `email` = "tinus@example.com";
    mysql> quit
    

    Log in to the Roundcube web interface with the user’s full e-mail address as the username, the password you have just entered twice (not the encrypted version obviously but the thing you typed).

    mailsr029

    If you can’t log in check your /var/log/mail.log and /var/log/roundcube/errors. /var/log/roundcube/errors always generates some PHP errors on my machine. I think they’re the results of buggy PHP but they don’t seem to prevent Roundcube from working properly. Point is, while you can use Roundcubes logfiles to troubleshoot but don’t freak out about errors if things work properly.

    Changing the password from Roundcube

    I would like my users to be able to change their own e-mail passwords from Roundcube. A plugin can be enabled for that. In /etc/roundcube/config.inc.php find the plugin array and change it to:

    // List of active plugins (in plugins/ directory)
    $config['plugins'] = array(
    'archive',
    'zipdownload',
    'password',
    );
    

    Save the file and now if you go to the Settings section in Roundcube’s web interface you’ll find that a Password button has appeared. It doesn’t work yet though. Open up /etc/roundcube/plugins/password/config.inc.php and have it look like this:

    <?php
    // See /usr/share/roundcube/plugins/password/config.inc.php.dist for instructions
    // Check the access right of the file if you put sensitive information in it.
    
    $config['password_driver'] = 'sql';
    $config['password_confirm_current'] = true;
    $config['password_minimum_length'] = 6;
    $config['password_require_nonalpha'] = true;
    $config['password_log'] = false;
    $config['password_login_exceptions'] = null;
    $config['password_hosts'] = array('localhost');
    $config['password_force_save'] = true;
    
    // SQL Driver options
    $config['password__db_dsn'] = 'mysql://roundcube:@localhost/roundcubemail';
    
    // SQL Update Query with encrypted password using random 8 character salt
    $config['password_query'] = 'UPDATE postfix.addresses SET pwd=ENCRYPT(%p, CONCAT(\'$6$\',SUBSTRING((SHA(RAND())), -16))) WHERE email=%u LIMIT 1';
    ?>
    

    If this looks complicated that’s because it is. I had countless hours of fun with this. Luckily I had Dovecot’s logging turned all the way up and I was monitoring /var/log/mail.log so that eventually I got it right. What we’re doing here is SHA512 encrypting the password the user typed, adding that to “$6$” (remember that’s how Dovecot identifies SHA512 encryption) and adding salt to it. The difficult part for me was the number and the position of brackets.

    Also /usr/share/roundcube/plugins/password/config.inc.php.dist contained some useful hints.

    You may have noticed we’re using the roundcube MySQL user for this so that needs to have permissions to change users’ passwords:

    # mysql -u root -p
    mysql>GRANT SELECT (`email`), UPDATE (`pwd`) ON `postfix`.`addresses` TO 'roundcube'@'localhost';
    

    I cheated here; I did this from phpMyAdmin. The result is the same though: user roundcube must be able to select from the email field and update the password field.

    mailsvr030