How to Setup a Leanote Server on CentOS 7

Updated on November 21, 2023
How to Setup a Leanote Server on CentOS 7 header image

Leanote is a free, lightweight, and open source alternative to Evernote, which is written in Golang. With user experience in mind, Leanote provides users with plenty of practical features, including cross-platform support, writing in the MarkDown syntax, public or private blogging, knowledge gathering and sharing, and team collaboration.

In this article, I will guide you through Setting up a Leanote server on a CentOS 7 server instance. For security purposes, enabling HTTPS support using a Let's Encrypt SSL certificate and Nginx will also be covered.

Prerequisites

  • A newly deployed Vultr CentOS 7 server instance. Say its IPv4 address is 203.0.113.1.
  • A sudo user named leanote.
  • All of the software packages on the machine have been updated to the latest stable status using the EPEL YUM repo. See details here.
  • A domain leanote.example.com being pointed to the server instance mentioned above.

Step 1: Create a swap file

When firing up a new Vultr CentOS 7 server instance, it's always recommended to setup a swap file in order to ensure the system is running smoothly. For example, creating a 2048MB-sized swap file is fit for a machine with 2GB of memory.

sudo dd if=/dev/zero of=/swapfile count=2048 bs=1M
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile   none    swap    sw    0   0' | sudo tee -a /etc/fstab
free -m

Note: If you are using a different server size, you may need to modify the size of the swap file.

Step 2: Obtain Leanote 2.6.1 binary files

Download and extract the latest stable release of Leanote for 64-bit Linux system:

cd
wget https://sourceforge.net/projects/leanote-bin/files/2.6.1/leanote-linux-amd64-v2.6.1.bin.tar.gz
tar -zxvf leanote-linux-amd64-v2.6.1.bin.tar.gz

Step 3: Install MongoDB Community Edition 4.0

As required by Leanote, the MongoDB NoSQL DBMS has to be in place before you can successfully setup a Leanote server.

Setup the MongoDB 4.0 YUM repo

Create the MongoDB 4.0 YUM repo as follows:

cat <<EOF | sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

Install MongoDB 4.0 packages using YUM

Install all of the MongoDB components and tools using the MongoDB 4.0 YUM repo created earlier:

sudo yum install -y mongodb-org

Configure SELinux for MongoDB 4.0

By default, MongoDB would use the 27017 port when working, which is not allowed if SELinux is in the enforcing mode on the CentOS 7 machine. Use the following command to confirm the current SELinux mode:

sudo getenforce

On a Vultr CentOS 7 server instance, SELinux is disabled by default. So the output of the above command would be:

Disabled

In this case, you can feel free to skip the following instructions on configuring SELinux and move on.

However, if you are running an original CentOS 7 server instance, the output of above command would be Enforcing. You need to perform any one of the three options below before you can start and enable the MongoDB service.

  • Option 1: Allow MongoDB to use the 27017 port

      sudo semanage port -a -t mongod_port_t -p tcp 27017
  • Option 2: Disable SELinux

      sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
      sudo shutdown -r now
  • Option 3: Change SELinux to permissive mode

      sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
      sudo shutdown -r now

Start the MongoDB service and make it start following a system reboot:

sudo systemctl start mongod.service
sudo systemctl enable mongod.service

Step 4: Import initial Leanote data into MongoDB

Use the commands below to import initial Leanote data into MongoDB:

rm /home/leanote/leanote/mongodb_backup/leanote_install_data/.DS_Store
mongorestore --host localhost -d leanote --dir /home/leanote/leanote/mongodb_backup/leanote_install_data/

Step 5: Enable MongoDB authentication

For security purposes, you need to enable access control to MongoDB right after the MongoDB service is up and running. For this purpose, you need to create at least two MongoDB user accounts: a user administrator account and a database administrator account. You will also need to modify the MongoDB configuration.

Enter the MongoDB shell:

mongo --host 127.0.0.1:27017

Switch to the admin database:

use admin

Create a user administrator named useradmin that uses a password useradminpassword:

db.createUser({ user: "useradmin", pwd: "useradminpassword", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })

Note: The user administrator useradmin is supposed to manage all MongoDB users, so it's wise to choose a strong password. Of course, a more secure tip is to replace useradmin with a hard-to-guess user name.

Switch to the leanote database:

use leanote

Create a database administrator named leanoteadmin that uses a password leanoteadminpassword:

db.createUser({ user: "leanoteadmin", pwd: "leanoteadminpassword", roles: [{ role: "dbOwner", db: "leanote" }] })

Note: Again, it's recommended to choose a lesser-known user name and a hard-to-guess password.

Having the MongoDB users created, you can confirm the results:

use admin
db.auth("useradmin", "useradminpassword")

Confirm the database admin:

use leanote
db.auth("leanoteadmin", "leanoteadminpassword")

Both will output 1 as confirmation.

Exit the MongoDB shell:

exit

In order to enable access control to MongoDB, you also need to append two lines to the MongoDB config file /etc/mongod.conf, as follows:

sudo bash -c "echo 'security:' >> /etc/mongod.conf"
sudo bash -c "echo '  authorization: enabled' >> /etc/mongod.conf"

Restart the MongoDB service in order for the modifications to take effect:

sudo systemctl restart mongod.service

From now on, you can only use the two user accounts to access and manage MongoDB, useradmin for managing all MongoDB users and leanoteadmin for managing the leanote database only.

Step 6: Configure Leanote

Backup the Leanote config file /home/leanote/leanote/conf/app.conf:

cd /home/leanote/leanote/conf/
cp app.conf app.conf.bak

Use the vi editor to open the Leanote config file:

vi app.conf

Find the following lines one by one:

site.url=http://localhost:9000
db.username= # if not exists, please leave it blank
db.password= # if not exists, please leave it blank
app.secret=V85ZzBeTnzpsHyjQX4zukbQ8qqtju9y2aDM55VWxAH9Qop19poekx3xkcDVvrD0y

Replace them, respectively, as shown below:

site.url=http://leanote.example.com:9000
db.username=leanoteadmin
db.password=leanoteadminpassword
app.secret=E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA

Note: For security purposes, the value of the app.secret parameter MUST be a 64-bit random string that is different from the original one. Make sure to replace the value E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA with your own 64-bit random value.

Save and quit:

:wq!

Step 7: Start Leanote

Modify firewall rules in order to allow inbound TCP traffic on port 9000:

sudo firewall-cmd --permanent --add-port=9000/tcp
sudo systemctl reload firewalld.service

Start Leanote using the official script:

cd /home/leanote/leanote/bin
bash run.sh

Upon seeing Listening on.. 0.0.0.0:9000, point your favorite web browser to http://leanote.example.com:9000 to start using the Leanote site.

Use the default Leanote admin account to sign in:

  • Username: admin
  • Password: abc123

For security purposes, you should change the default password immediately after signing in.

Step 8: Enable HTTPS access

For now, you can already access the Leanote server using the HTTP protocol, a less secure protocol. In order to improve system security, you can enable HTTPS by deploying both a Let's Encrypt SSL certificate and the Nginx reverse proxy on your machine.

Properly setup a hostname and fully qualified domain name (FQDN)

Before you can obtain the Let's Encrypt SSL certificate, you need to properly setup the hostname and FQDN on your machine.

First, press Ctrl+C to stop the Leanote script run.sh.

Next, setup the hostname and FQDN as follows:

sudo hostnamectl set-hostname leanote
cat <<EOF | sudo tee /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
203.0.113.1 leanote.example.com leanote
EOF

You can confirm the results, as well:

hostname
hostname -f

Modify firewall rules

Block inbound traffic on port 9000 and allow inbound traffic on ports for HTTP and HTTPS services:

sudo firewall-cmd --permanent --remove-port=9000/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld.service

Apply for a Let's Encrypt SSL certificate

Install the Certbot utility:

sudo yum -y install yum-utils
sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install -y certbot

Apply for a Let's Encrypt SSL certificate for the domain leanote.example.com:

sudo certbot certonly --standalone --agree-tos --no-eff-email -m admin@example.com -d leanote.example.com

The certificate and chain will be saved as follows:

/etc/letsencrypt/live/leanote.example.com/fullchain.pem

The private key file will be saved as follows:

/etc/letsencrypt/live/leanote.example.com/privkey.pem

By default, the Let's Encrypt SSL certificate will expire in three months. You can setup a cron job, as shown below, to auto-renew your Let's Encrypt certificates:

sudo crontab -e

Press I to enter the insert mode, and then input the following line:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Save and quit:

:wq!

This cron job will try to renew the Let's Encrypt certificate every day at noon.

Install Nginx as a reverse proxy

Install Nginx using the EPEL YUM repo:

sudo yum install -y nginx

Create a config file for Leanote:

cat <<EOF | sudo tee /etc/nginx/conf.d/leanote.conf
# Redirect HTTP to HTTPS
server {
    listen      80;
    server_name leanote.example.com;
    return      301 https://\$server_name\$request_uri;
}

server {

    # Setup HTTPS certificates
    listen       443 default ssl;
    server_name  leanote.example.com;
    ssl_certificate      /etc/letsencrypt/live/leanote.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/leanote.example.com/privkey.pem;

    # Proxy to the Leanote server
    location / {
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  \$http_host;
        proxy_set_header Host              \$http_host;
        proxy_max_temp_file_size           0;
        proxy_pass                         http://127.0.0.1:9000;
        proxy_redirect                     http:// https://;
    }
}
EOF

Restart Nginx in order to put your modifications into effect:

sudo systemctl daemon-reload
sudo systemctl restart nginx.service
sudo systemctl enable nginx.service

Modify the site.url setting in the Leanote config file:

cd /home/leanote/leanote/conf/
vi app.conf

Find the following line:

site.url=http://leanote.example.com:9000

Replace it:

site.url=https://leanote.example.com

Save and quit:

:wq!

Run the Leanote script again:

cd /home/leanote/leanote/bin
bash run.sh

Now, point your favorite web browser to http://leanote.example.com/, and you will find that the HTTPS protocol is activated automatically. Just sign in as the admin user with the new password you setup earlier or register new user accounts for team collaboration.

Again, press Ctrl+C to stop the Leanote script. We will daemonize this script later.

Step 9: Install the wkhtmltopdf program

Leanote chooses to use the wkhtmltopdf program to export HTML pages as PDF files. Install wkhtmltopdf:

cd
wget https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox-0.12.5-1.centos7.x86_64.rpm
sudo yum localinstall -y wkhtmltox-0.12.5-1.centos7.x86_64.rpm
which wkhtmltopdf

Don't forget to submit the wkhtmltopdf binary path /usr/local/bin/wkhtmltopdf in the Export PDF section in the Leanote web admin dashboard when Leanote is up and running again.

Note: If you find unreadable characters in exported PDF files, you can try to fix the issue by adding required font files to the /usr/share/fonts/ directory.

Step 10: Use Supervisor to keep the Leanote script up and running

In order to keep your Leanote site online, you can use the Supervisor utility to auto-start the Leanote script if it crashes.

Install Supervisor using YUM:

sudo yum install -y supervisor

Create a simple Supervisor .ini file for Leanote:

cat <<EOF | sudo tee /etc/supervisord.d/leanote.ini
[program:leanote]
command=bash /home/leanote/leanote/bin/run.sh
directory=/home/leanote/leanote/bin/
priority=999
autostart=true
autorestart=true
user=leanote
redirect_stderr=true
EOF

Start the Supervisor service, as well as the Leanote service:

sudo supervisord -c /etc/supervisord.conf

Confirm the status of the Leanote service:

sudo supervisorctl status leanote

The output will resemble the following:

leanote                          RUNNING   pid 3707, uptime 0:02:36