Anargy PPA on Launchpad.net

At Anargy our server OS of choice is Ubuntu.

Sometimes crucial packages are outdated and because of that missing new features.

And sometimes packages are outdated and have security fixes backported. These patches in itself are prone to vulnerabilities. We believe it is much better to use the latest upstream versions.

Therefore we maintian some deb packages for Ubuntu 24.04 (Noble).

Please note that these packages are primarily optimized for use on our servers.

Basic rules for creating packages:

  • Only for the current Ubuntu LTS version (currently 24.04).
  • The latest version from upstream.
  • As ‘vanilla’ (close to upstream) as possible.
  • Debhelper with latest compat level (currently 13).
  • Following latest Debian Policy Manual (currently 4.7.0).
  • Default Ubuntu compile and linking flags.
  • Keep packages as clean as possible (removal of unneeded files).
  • Extensively documented and optimized config files.
  • Usage of /srv for server-specific data as served by the server.
  • Config files which are expected to be modified for the specific server, are put in /srv/etc/package.
  • Root directory for files is /srv/fls and for web /srv/www.

Details about our compiled packages for Ubuntu on our PPA at Launchpad.net:

Ansible

  • https://www.ansible.com
  • Includes the minimal needed binaries and libraries from both Ansible Core (ansible-core) and Ansible Community (ansible).
  • From Ansible Core the test libraries are removed.
  • From the Community package only the ansible.posix collection is included.

Certbot

  • https://certbot.eff.org
  • Includes the binary from Certbot (certbot), the libraries from ACME (python3-acme) and Certbot (python3-certbot), and the Cloudflare plugin (python3-certbot-dns-cloudflare).
  • All test libraries are removed.
  • Documented example config files are in /srv/etc/certbot (cli.ini and cloudflare.ini).
  • Log and work directories are in /run/certbot.
  • Systemd service unit checks once daily for renewal (and not twice).

man-db

  • https://man-db.nongnu.org
  • A very minimal version of man-db, provides only the man command.
  • All other utilies have been removed, including maintenance and usage of the manual pages database.
  • Before install: apt-get –purge remove man-db

MariaDB

  • https://mariadb.org
  • Provides a minimal version of MariaDB, usable only on the same server as a webserver, with connectivity only through a socket.
  • Compiled without any plugins, as these are not needed in this type of setup.
  • Therefore a very lightweight server.
  • includes the client binary mariadb, the server binary mariadbd, mariadb-admin, innotop, and files needed by these binaries.
  • All other extra binaries and tools have been removed.
  • Runs under user ‘mysql’ with uid 85, using directory /srv/dbs/mysql as data directory.

Nginx

  • https://nginx.org
  • Follows the latest Mainline.
  • Provides a minimal version of nginx with only the set of features and modules required for modern webserver functionality.
  • Statically compiled with QuicTLS for full HTTP 3 support.
  • No support for debugging and dynamic modules.
  • Core modules: http_autoindex, http_core, http_headers, http_index, http_log, http_upstream.
  • Enabled modules: http_access, http_auth_basic, http_charset, http_fastcgi, http_gzip, http_gzip_static, http_rewrite, http_ssl, http_v2, http_v3.
  • External modules: http_brotli_filter, http_brotli_static.
  • htpasswd from Apache HTTP Server.
  • Runs under user ‘www’ with uid 80.
  • Using root directory /srv/www for serving data.
  • Includes htpasswd utility from Apache HTTPD.

NZBGet

  • https://nzbget.net
  • Compiled without support for curses, and docs and example scripts removed.
  • Depends on p7zip-full and unrar (and not unrar-free), which will be automatically installed.
  • Depends on Samba, because runs under user ‘fls’.
  • And uses /srv/fls/sda/.nzb as watch directory, and /srv/fls/sda/Usenet as download directory.
  • Optimized example configuration file at /srv/etc/nzbget/nzbget.conf.
  • State and history files are stored in /run/nzbget.

OpenSSH

  • https://www.openssh.com
  • Includes both the server and the client binaries.
  • Compiled without OpenSSL, so only support for Ed25519 encryption keys (which you should use anyway nowadays).
  • Compiled without support for compression, as in almost all cases transfers are faster without compression because of less CPU usage.
  • Removed the client binaries scp, ssh-add, ssh-agent, and ssh-keyscan. So the only client binaries are sftp, ssh, and ssh-keygen.
  • Removed the server subsystems sftp-server, ssh-keysign, ssh-pkcs11-helper, and ssh-sk-helper. For SFTP the internal SFTP server will be used (which has the same functionality).
  • The resulting sshd daemon uses only 4MB RAM (including shared libaries) instead of the normal 12 – 15 MB RAM.
  • Listens on port 224 as a service daemon, so no socket based activation.
  • Before install: apt-get –purge remove openssh-client openssh-server

PHP

  • https://www.php.net
  • Only the latest PHP version.
  • Provides both the php command interpreter for shell scripting tasks and the Fast Process Manager interpreter that runs as a daemon and receives Fast/CGI requests.
  • Default modules: Core, Ctype, Date/Time, DOM, Fileinfo, Filter, Hash, iconv, JSON, libxml, PCRE, PDO, Phar, POSIX, Random, Reflection, Sessions, SimpleXML, Sodium, SPL, XML, XMLReader, XMLWriter.
  • Enabled modules: BCMath, cURL, Exif, GD, Gettext, GNU Multiple Precision, intl, mbstring, MySQLi, Mysqlnd, OpenSSL, PDO_MYSQL, shmop, Sockets, Zip, Zlib.
  • Extra modules: Imagick, Zend OPcache.
  • The FPM daemon runs under user ‘www’ with uid 80.

phpMyAdmin

  • https://www.phpmyadmin.net
  • Includes config.inc.php with automatic generation of a AES passphrase to enable ‘cookie’ authentication.
  • This config.inc.php also hides the system databases, and disables grouping of databases.
  • The tmp directory is located at /run/phpmyadmin.

Postfix

  • https://www.postfix.org
  • Provides only the binaries and config files for use as a null client.
  • Therefore compiled without NIS and Berkeley DB support.
  • Removed all html and readme files.
  • Also removed all unneeded config files, binaries and man pages not needed for a null client.
  • Includes documented example main.cf and optimized master.cf at /srv/etc/postfix.

Samba

  • https://www.samba.org
  • Provides only the binaries to use as a stand-alone file server.
  • Therefore compiled with almost all options and modules disabled, and any remaining unneeded binaries removed.
  • Resulting in only 4 binaries: smbd, smbpasswd, smbstatus, testparm, and the needed private libraries.
  • Runs under user ‘fls’ with uid 70.
  • Uses /srv/fls/drv[0-9] as root directory for serving files.
  • Documented example configuration file at /srv/etc/samba/smb.conf.

Sonarr

  • https://sonarr.tv
  • Depends on and therefore installs the sqlite3 library.
  • Depends on Samba, because runs under user ‘fls’.
  • State data files are stored in /srv/etc/sonarr.
  • Uses /srv/fls/drv0/Series as root directory for downloaded series.

Transmission

  • https://transmissionbt.com
  • Provides only the server daemon (transmission-daemon).
  • Therefore compiled without command line, GTK and Qt clients, and tests.
  • Depends on Samba, because runs under user ‘fls’.
  • Optimized example configuration file at /srv/etc/transmission/settings.json.
  • Includes sysctl config file for increasing UDP buffers.
  • Uses /srv/fls/sda/.torrents as watch directory, and /srv/fls/sda/Torrents as download directory.

WP-CLI

  • https://wp-cli.org/
  • Provides the WP-CLI phar file.
  • The phar file is installed at /usr/bin/wp, as the command-line interface.
  • A systemd timer is included for executing cron jobs every 10 minutes for WordPress installations at /srv/www/domain/sub/html/.