tengel/www
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
www/doc/SETUP.md
tengel 4b70c0023c initial import
2024-03-31 09:17:15 -05:00

6.8 KiB
Raw Blame History

Server Setup

Debian 12 minimal installation, ensure the SSH server and standard system tools are included.

Base Configuration

Internal hostname, replace "myhostname":

hostnamectl set-hostname myhostname

/etc/hosts

127.0.0.1  localhost
127.0.1.1  myhostname

Install packages:

apt-get update

echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections

apt-get install curl sysstat unattended-upgrades iptables-persistent \
  man less vim rsync bc net-tools git git-lfs sqlite3 strace sudo \
  apparmor-utils rsyslog

Install packages without recommends:

apt-get install --no-install-recommends smem \
  nginx nginx-core libnginx-mod-stream \
  certbot python3-certbot-nginx

Set up services:

systemctl disable remote-fs.target rsync.service
systemctl enable sysstat unattended-upgrades netfilter-persistent

As needed:

apt-get update
apt-get full-upgrade
reboot

User Setup

Add a login user:

export MYUSER="frankthetank"
useradd -m -d /home/${MYUSER} -s /bin/bash -g users -G sudo ${MYUSER}
passwd ${MYUSER}

mkdir -p /var/xyzzy/bin
chown -R ${MYUSER}: /var/xyzzy

If ssh-copy-id can't be used:

mkdir /home/${MYUSER}/.ssh
cp /root/.ssh/authorized_keys /home/${MYUSER}/.ssh/
chmod 0700 /home/${MYUSER}/.ssh
chmod 0600 /home/${MYUSER}/.ssh/authorized_keys
chown -R ${MYUSER}:users /home/${MYUSER}/.ssh

Disable root login:

_SCFG="/etc/ssh/sshd_config"
if $(grep -iEq '^PermitRootLogin[[:space:]]+yes' "${_SCFG}"); then
  sed -i.bak -e 's/^PermitRootLogin.*/PermitRootLogin no/gi' "${_SCFG}"
else
  sed -i.bak -e 's/^#PermitRootLogin.*/PermitRootLogin no/gi' "${_SCFG}"
fi

After confirming the change is correct:

systemctl restart sshd

Test logging in again as the user and sudo to root in another term.

Server Configuration

Get rid of mouse in vim:

echo 'set mouse=' >> ~/.vimrc

Get rid of bracketed paste:

echo 'set enable-bracketed-paste Off' >> ~/.inputrc

Enable sysstat:

sed -i.bak -e 's|^ENABLED=".*"|ENABLED="true"|g' /etc/default/sysstat

Configure unattended-upgrades:

cp 02periodic /etc/apt/apt.conf.d/

Configure iptables and ip6tables:

cp rules.* /etc/iptables/

Configure tweaks:

mkdir /etc/systemd/journald.conf.d
mkdir /etc/systemd/system/nginx.service.d
cp sysctl.d/local.conf /etc/sysctl.d/
cp systemd/journald.conf.d/local.conf \
  /etc/systemd/journald.conf.d/
cp systemd/system/nginx.service.d/override.conf \
  /etc/systemd/system/nginx.service.d/
systemctl daemon-reload

Fail2ban Setup

SSH jail:

apt-get install fail2ban
cp jail.local /etc/fail2ban/
systemctl enable --now fail2ban

Maintenance tasks:

cp dbpurge.sql /etc/fail2ban/
cp f2b-cleanup /etc/cron.weekly/
chown root:root /etc/cron.weekly/f2b-cleanup
chmod 0755 /etc/cron.weekly/f2b-cleanup

cp bin/jailstat.sh /var/xyzzy/bin/

Nginx Setup

Gitea first-time setup is easier with nginx + SSL already working.

Basic Prep

cd /etc/nginx/modules-enabled

rm \
 50-mod-http-geoip.conf \
 50-mod-http-image-filter.conf \
 50-mod-http-xslt-filter.conf \
 50-mod-mail.conf \
 70-mod-stream-geoip.conf

cp security.conf /etc/nginx/conf.d/

Site Prep

mkdir /var/xyzzy/html
cp html* /var/xyzzy/html/

cp xyzzy.ee.conf.bootstrap /etc/nginx/sites-available/xyzzy.ee.conf
cp xyzzy.fi.conf.bootstrap /etc/nginx/sites-available/xyzzy.fi.conf
cp git.xyzzy.ee.conf.bootstrap /etc/nginx/sites-available/git.xyzzy.ee.conf

cd /etc/nginx/sites-enabled
rm default
ln -s /etc/nginx/sites-available/xyzzy.ee.conf 00xyzzy.ee.conf
ln -s /etc/nginx/sites-available/xyzzy.fi.conf 01xyzzy.fi.conf
ln -s /etc/nginx/sites-available/git.xyzzy.ee.conf 02git.xyzzy.ee.conf
nginx -t
systemctl restart nginx

certbot --nginx -d xyzzy.ee,www.xyzzy.ee \
  --agree-tos -m "hostmaster@xyzzy.ee" --no-eff-email \
  --deploy-hook "systemctl reload nginx"

certbot --nginx -d xyzzy.fi,www.xyzzy.fi \
  --agree-tos -m "hostmaster@xyzzy.fi" --no-eff-email \
  --deploy-hook "systemctl reload nginx"

certbot --nginx -d git.xyzzy.ee \
  --agree-tos -m "hostmaster@xyzzy.ee" --no-eff-email \
  --deploy-hook "systemctl reload nginx"

cp xyzzy.ee.conf /etc/nginx/sites-available/xyzzy.ee.conf
cp xyzzy.fi.conf /etc/nginx/sites-available/xyzzy.fi.conf
cp git.xyzzy.ee.conf /etc/nginx/sites-available/git.xyzzy.ee.conf
nginx -t
systemctl restart nginx

Gitea Setup

All content lives under /var/xyzzy:

cp bin/teaup.sh /var/xyzzy/bin/
cd /var/xyzzy/bin

export TVER="1.21.8"
curl -L --output-dir /var/xyzzy/bin --remote-name-all \
 "https://github.com/go-gitea/gitea/releases/download/v${TVER}/gitea-${TVER}-linux-amd64" \
 "https://github.com/go-gitea/gitea/releases/download/v${TVER}/gitea-${TVER}-linux-amd64.sha256"

sha256sum -c "gitea-${TVER}-linux-amd64.sha256"
chmod +x "gitea-${TVER}-linux-amd64"
ln -s "gitea-${TVER}-linux-amd64" gitea

Primary git user:

adduser \
  --system \
  --shell /bin/bash \
  --gecos 'git' \
  --group \
  --disabled-password \
  --home /var/xyzzy/git \
  git

Gitea prep:

mkdir -p /var/xyzzy/gitea/{custom,data,log}
chown -R git:git /var/xyzzy/gitea/
chmod -R 750 /var/xyzzy/gitea/
mkdir -p /var/xyzzy/etc/gitea
chown root:git /var/xyzzy/etc/gitea
chmod 770 /var/xyzzy/etc/gitea

cp gitea.service /etc/systemd/system/
systemctl daemon-reload

Gitea init:

systemctl start gitea.service
 ( browser -> https://git.xyzzy.ee )
systemctl stop gitea.service

Gitea deploy: (app.ini needs secrets set)

cp custom/* /var/xyzzy/gitea/custom/
cp app.ini /var/xyzzy/etc/gitea/
chmod 750 /var/xyzzy/etc/gitea
chmod 640 /var/xyzzy/etc/gitea/app.ini
chown root:git /var/xyzzy/etc/gitea/app.ini

systemctl enable --now gitea.service

AppArmor

cp apparmor.d/* /etc/apparmor.d/
systemctl restart apparmor.service

Backup

See teabak.sh; prep: (HCPING needs set in script)

groupadd --system bkp
mkdir /var/xyzzy/backup
chmod 0750 /var/xyzzy/backup
chown git:bkp /var/xyzzy/backup

cp teaback.sh /var/xyzzy/bin/
chmod 0755 /var/xyzzy/bin/teabak.sh

cp teabak.service teabak.timer /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now teabak.timer

Allow restricted backup user to rsync the data:

adduser \
  --shell /bin/bash \
  --gecos 'reposync' \
  --ingroup bkp \
  --disabled-password \
  --home /home/reposync \
  reposync

The "reposync" user has a restricted .ssh/authorized_keys like so:

command="/usr/bin/rrsync -ro /var/xyzzy/backup/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 ...

The rrsync script is part of the Debian rsync package