Leanote is a free, lightweight, and open source alternative to Evernote, which is written in Golang. With user experience in mind, Leanote provides users with plenty of practical features, including cross-platform support, writing in the MarkDown syntax, public or private blogging, knowledge gathering and sharing, and team collaboration.
In this article, I will guide you through Setting up a Leanote server on a CentOS 7 server instance. For security purposes, enabling HTTPS support
using a Let’s Encrypt SSL certificate and Nginx will also be covered.
Prerequisites
- A newly deployed Vultr CentOS 7 server instance. Say its IPv4 address is
203.0.113.1
. - A sudo user named
leanote
. - All of the software packages on the machine have been updated to the latest stable status using the EPEL YUM repo. See details here.
- A domain
leanote.example.com
being pointed to the server instance mentioned above.
Step 1: Create a swap file
When firing up a new Vultr CentOS 7 server instance, it’s always recommended to setup a swap file in order to ensure the system is running smoothly. For example, creating a 2048MB-sized swap file is fit for a machine with 2GB of memory.
sudo dd if=/dev/zero of=/swapfile count=2048 bs=1M
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
free -m
Note: If you are using a different server size, you may need to modify the size of the swap file.
Step 2: Obtain Leanote 2.6.1 binary files
Download and extract the latest stable release of Leanote for 64-bit Linux system:
cd
wget https://sourceforge.net/projects/leanote-bin/files/2.6.1/leanote-linux-amd64-v2.6.1.bin.tar.gz
tar -zxvf leanote-linux-amd64-v2.6.1.bin.tar.gz
Step 3: Install MongoDB Community Edition 4.0
As required by Leanote, the MongoDB NoSQL DBMS has to be in place before you can successfully setup a Leanote server.
Setup the MongoDB 4.0 YUM repo
Create the MongoDB 4.0 YUM repo as follows:
cat <<EOF | sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat//$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
Install MongoDB 4.0 packages using YUM
Install all of the MongoDB components and tools using the MongoDB 4.0 YUM repo created earlier:
sudo yum install -y mongodb-org
Configure SELinux for MongoDB 4.0
By default, MongoDB would use the 27017
port when working, which is not allowed if SELinux is in the enforcing
mode on the CentOS 7 machine. Use the following command to confirm the current SELinux mode:
sudo getenforce
On a Vultr CentOS 7 server instance, SELinux is disabled by default. So the output of the above command would be:
Disabled
In this case, you can feel free to skip the following instructions on configuring SELinux and move on.
However, if you are running an original CentOS 7 server instance, the output of above command would be Enforcing
. You need to perform any one of the three options below before you can start and enable the MongoDB service.
-
Option 1: Allow MongoDB to use the
27017
portsudo semanage port -a -t mongod_port_t -p tcp 27017
-
Option 2: Disable SELinux
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config sudo shutdown -r now
-
Option 3: Change SELinux to
permissive
modesudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config sudo shutdown -r now
Start the MongoDB service and make it start following a system reboot:
sudo systemctl start mongod.service
sudo systemctl enable mongod.service
Step 4: Import initial Leanote data into MongoDB
Use the commands below to import initial Leanote data into MongoDB:
rm /home/leanote/leanote/mongodb_backup/leanote_install_data/.DS_Store
mongorestore --host localhost -d leanote --dir /home/leanote/leanote/mongodb_backup/leanote_install_data/
Step 5: Enable MongoDB authentication
For security purposes, you need to enable access control to MongoDB right after the MongoDB service is up and running. For this purpose, you need to create at least two MongoDB user accounts: a user administrator account and a database administrator account. You will also need to modify the MongoDB configuration.
Enter the MongoDB shell:
mongo --host 127.0.0.1:27017
Switch to the admin
database:
use admin
Create a user administrator named useradmin
that uses a password useradminpassword
:
db.createUser({ user: "useradmin", pwd: "useradminpassword", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })
Note: The user administrator useradmin
is supposed to manage all MongoDB users, so it’s wise to choose a strong password. Of course, a more secure tip is to replace useradmin
with a hard-to-guess user name.
Switch to the leanote
database:
use leanote
Create a database administrator named leanoteadmin
that uses a password leanoteadminpassword
:
db.createUser({ user: "leanoteadmin", pwd: "leanoteadminpassword", roles: [{ role: "dbOwner", db: "leanote" }] })
Note: Again, it’s recommended to choose a lesser-known user name and a hard-to-guess password.
Having the MongoDB users created, you can confirm the results:
use admin
db.auth("useradmin", "useradminpassword")
Confirm the database admin:
use leanote
db.auth("leanoteadmin", "leanoteadminpassword")
Both will output 1
as confirmation.
Exit the MongoDB shell:
exit
In order to enable access control to MongoDB, you also need to append two lines to the MongoDB config file /etc/mongod.conf
, as follows:
sudo bash -c "echo 'security:' >> /etc/mongod.conf"
sudo bash -c "echo ' authorization: enabled' >> /etc/mongod.conf"
Restart the MongoDB service in order for the modifications to take effect:
sudo systemctl restart mongod.service
From now on, you can only use the two user accounts to access and manage MongoDB, useradmin
for managing all MongoDB users and leanoteadmin
for managing the leanote
database only.
Step 6: Configure Leanote
Backup the Leanote config file /home/leanote/leanote/conf/app.conf
:
cd /home/leanote/leanote/conf/
cp app.conf app.conf.bak
Use the vi
editor to open the Leanote config file:
vi app.conf
Find the following lines one by one:
site.url=http://localhost:9000
db.username= # if not exists, please leave it blank
db.password= # if not exists, please leave it blank
app.secret=V85ZzBeTnzpsHyjQX4zukbQ8qqtju9y2aDM55VWxAH9Qop19poekx3xkcDVvrD0y
Replace them, respectively, as shown below:
site.url=http://leanote.example.com:9000
db.username=leanoteadmin
db.password=leanoteadminpassword
app.secret=E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA
Note: For security purposes, the value of the app.secret
parameter MUST be a 64-bit random string that is different from the original one. Make sure to replace the value E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA
with your own 64-bit random value.
Save and quit:
:wq!
Step 7: Start Leanote
Modify firewall rules in order to allow inbound TCP traffic on port 9000
:
sudo firewall-cmd --permanent --add-port=9000/tcp
sudo systemctl reload firewalld.service
Start Leanote using the official script:
cd /home/leanote/leanote/bin
bash run.sh
Upon seeing Listening on.. 0.0.0.0:9000
, point your favorite web browser to http://leanote.example.com:9000
to start using the Leanote site.
Use the default Leanote admin account to sign in:
- Username:
admin
- Password:
abc123
For security purposes, you should change the default password immediately after signing in.
Step 8: Enable HTTPS
access
For now, you can already access the Leanote server using the HTTP protocol, a less secure protocol. In order to improve system security, you can enable HTTPS
by deploying both a Let’s Encrypt SSL certificate and the Nginx reverse proxy on your machine.
Properly setup a hostname and fully qualified domain name (FQDN)
Before you can obtain the Let’s Encrypt SSL certificate, you need to properly setup the hostname and FQDN on your machine.
First, press CTRL+C to stop the Leanote script run.sh
.
Next, setup the hostname and FQDN as follows:
sudo hostnamectl set-hostname leanote
cat <<EOF | sudo tee /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
203.0.113.1 leanote.example.com leanote
EOF
You can confirm the results, as well:
hostname
hostname -f
Modify firewall rules
Block inbound traffic on port 9000
and allow inbound traffic on ports for HTTP
and HTTPS
services:
sudo firewall-cmd --permanent --remove-port=9000/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld.service
Apply for a Let’s Encrypt SSL certificate
Install the Certbot utility:
sudo yum -y install yum-utils
sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install -y certbot
Apply for a Let’s Encrypt SSL certificate for the domain leanote.example.com
:
sudo certbot certonly --standalone --agree-tos --no-eff-email -m admin@example.com -d leanote.example.com
The certificate and chain will be saved as follows:
/etc/letsencrypt/live/leanote.example.com/fullchain.pem
The private key file will be saved as follows:
/etc/letsencrypt/live/leanote.example.com/privkey.pem
By default, the Let’s Encrypt SSL certificate will expire in three months. You can setup a cron job, as shown below, to auto-renew your Let’s Encrypt certificates:
sudo crontab -e
Press I to enter the insert
mode, and then input the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Save and quit:
:wq!
This cron job will try to renew the Let’s Encrypt certificate every day at noon.
Install Nginx as a reverse proxy
Install Nginx using the EPEL YUM repo:
sudo yum install -y nginx
Create a config file for Leanote:
cat <<EOF | sudo tee /etc/nginx/conf.d/leanote.conf
# Redirect HTTP to HTTPS
server {
listen 80;
server_name leanote.example.com;
return 301 https:///$server_name/$request_uri;
}
server {
# Setup HTTPS certificates
listen 443 default ssl;
server_name leanote.example.com;
ssl_certificate /etc/letsencrypt/live/leanote.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/leanote.example.com/privkey.pem;
# Proxy to the Leanote server
location / {
proxy_set_header X-Real-IP /$remote_addr;
proxy_set_header X-Forwarded-For /$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host /$http_host;
proxy_set_header Host /$http_host;
proxy_max_temp_file_size 0;
proxy_pass http://127.0.0.1:9000;
proxy_redirect http:// https://;
}
}
EOF
Restart Nginx in order to put your modifications into effect:
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
sudo systemctl enable nginx.service
Modify the site.url
setting in the Leanote config file:
cd /home/leanote/leanote/conf/
vi app.conf
Find the following line:
site.url=http://leanote.example.com:9000
Replace it:
site.url=https://leanote.example.com
Save and quit:
:wq!
Run the Leanote script again:
cd /home/leanote/leanote/bin
bash run.sh
Now, point your favorite web browser to http://leanote.example.com/
, and you will find that the HTTPS
protocol is activated automatically. Just sign in as the admin
user with the new password you setup earlier or register new user accounts for team collaboration.
Again, press CTRL+C to stop the Leanote script. We will daemonize this script later.
Step 9: Install the wkhtmltopdf
program
Leanote chooses to use the wkhtmltopdf
program to export HTML pages as PDF files. Install wkhtmltopdf
:
cd
wget https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox-0.12.5-1.centos7.x86_64.rpm
sudo yum localinstall -y wkhtmltox-0.12.5-1.centos7.x86_64.rpm
which wkhtmltopdf
Don’t forget to submit the wkhtmltopdf
binary path /usr/local/bin/wkhtmltopdf
in the Export PDF
section in the Leanote web admin dashboard when Leanote is up and running again.
Note: If you find unreadable characters in exported PDF files, you can try to fix the issue by adding required font files to the /usr/share/fonts/
directory.
Step 10: Use Supervisor to keep the Leanote script up and running
In order to keep your Leanote site online, you can use the Supervisor utility to auto-start the Leanote script if it crashes.
Install Supervisor using YUM:
sudo yum install -y supervisor
Create a simple Supervisor .ini
file for Leanote:
cat <<EOF | sudo tee /etc/supervisord.d/leanote.ini
[program:leanote]
command=bash /home/leanote/leanote/bin/run.sh
directory=/home/leanote/leanote/bin/
priority=999
autostart=true
autorestart=true
user=leanote
redirect_stderr=true
EOF
Start the Supervisor service, as well as the Leanote service:
sudo supervisord -c /etc/supervisord.conf
Confirm the status of the Leanote service:
sudo supervisorctl status leanote
The output will resemble the following:
leanote RUNNING pid 3707, uptime 0:02:36
Want to contribute?
You could earn up to $300 by adding new articles
Suggest an update
Request an article