tengel/www
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
www/doc/SETUP.md
tengel 4b70c0023c initial import
2024-03-31 09:17:15 -05:00

336 lines
6.8 KiB
Markdown
Raw Blame History

# Server Setup
Debian 12 minimal installation, ensure the SSH server and standard system tools are included.
## Base Configuration
Internal hostname, replace "myhostname":
```
hostnamectl set-hostname myhostname
```
**/etc/hosts**
```
127.0.0.1 localhost
127.0.1.1 myhostname
```
Install packages:
```
apt-get update
echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections
apt-get install curl sysstat unattended-upgrades iptables-persistent \
man less vim rsync bc net-tools git git-lfs sqlite3 strace sudo \
apparmor-utils rsyslog
```
Install packages without `recommends`:
```
apt-get install --no-install-recommends smem \
nginx nginx-core libnginx-mod-stream \
certbot python3-certbot-nginx
```
Set up services:
```
systemctl disable remote-fs.target rsync.service
systemctl enable sysstat unattended-upgrades netfilter-persistent
```
As needed:
```
apt-get update
apt-get full-upgrade
reboot
```
## User Setup
Add a login user:
```
export MYUSER="frankthetank"
useradd -m -d /home/${MYUSER} -s /bin/bash -g users -G sudo ${MYUSER}
passwd ${MYUSER}
mkdir -p /var/xyzzy/bin
chown -R ${MYUSER}: /var/xyzzy
```
If `ssh-copy-id` can't be used:
```
mkdir /home/${MYUSER}/.ssh
cp /root/.ssh/authorized_keys /home/${MYUSER}/.ssh/
chmod 0700 /home/${MYUSER}/.ssh
chmod 0600 /home/${MYUSER}/.ssh/authorized_keys
chown -R ${MYUSER}:users /home/${MYUSER}/.ssh
```
Disable root login:
```
_SCFG="/etc/ssh/sshd_config"
if $(grep -iEq '^PermitRootLogin[[:space:]]+yes' "${_SCFG}"); then
sed -i.bak -e 's/^PermitRootLogin.*/PermitRootLogin no/gi' "${_SCFG}"
else
sed -i.bak -e 's/^#PermitRootLogin.*/PermitRootLogin no/gi' "${_SCFG}"
fi
```
After confirming the change is correct:
```
systemctl restart sshd
```
Test logging in again as the user and sudo to root in another term.
## Server Configuration
Get rid of mouse in `vim`:
```
echo 'set mouse=' >> ~/.vimrc
```
Get rid of bracketed paste:
```
echo 'set enable-bracketed-paste Off' >> ~/.inputrc
```
Enable `sysstat`:
```
sed -i.bak -e 's|^ENABLED=".*"|ENABLED="true"|g' /etc/default/sysstat
```
Configure `unattended-upgrades`:
```
cp 02periodic /etc/apt/apt.conf.d/
```
Configure `iptables` and `ip6tables`:
```
cp rules.* /etc/iptables/
```
Configure tweaks:
```
mkdir /etc/systemd/journald.conf.d
mkdir /etc/systemd/system/nginx.service.d
cp sysctl.d/local.conf /etc/sysctl.d/
cp systemd/journald.conf.d/local.conf \
/etc/systemd/journald.conf.d/
cp systemd/system/nginx.service.d/override.conf \
/etc/systemd/system/nginx.service.d/
systemctl daemon-reload
```
## Fail2ban Setup
SSH jail:
```
apt-get install fail2ban
cp jail.local /etc/fail2ban/
systemctl enable --now fail2ban
```
Maintenance tasks:
```
cp dbpurge.sql /etc/fail2ban/
cp f2b-cleanup /etc/cron.weekly/
chown root:root /etc/cron.weekly/f2b-cleanup
chmod 0755 /etc/cron.weekly/f2b-cleanup
cp bin/jailstat.sh /var/xyzzy/bin/
```
## Nginx Setup
Gitea first-time setup is easier with nginx + SSL already working.
#### Basic Prep
```
cd /etc/nginx/modules-enabled
rm \
50-mod-http-geoip.conf \
50-mod-http-image-filter.conf \
50-mod-http-xslt-filter.conf \
50-mod-mail.conf \
70-mod-stream-geoip.conf
cp security.conf /etc/nginx/conf.d/
```
#### Site Prep
```
mkdir /var/xyzzy/html
cp html* /var/xyzzy/html/
cp xyzzy.ee.conf.bootstrap /etc/nginx/sites-available/xyzzy.ee.conf
cp xyzzy.fi.conf.bootstrap /etc/nginx/sites-available/xyzzy.fi.conf
cp git.xyzzy.ee.conf.bootstrap /etc/nginx/sites-available/git.xyzzy.ee.conf
cd /etc/nginx/sites-enabled
rm default
ln -s /etc/nginx/sites-available/xyzzy.ee.conf 00xyzzy.ee.conf
ln -s /etc/nginx/sites-available/xyzzy.fi.conf 01xyzzy.fi.conf
ln -s /etc/nginx/sites-available/git.xyzzy.ee.conf 02git.xyzzy.ee.conf
nginx -t
systemctl restart nginx
certbot --nginx -d xyzzy.ee,www.xyzzy.ee \
--agree-tos -m "hostmaster@xyzzy.ee" --no-eff-email \
--deploy-hook "systemctl reload nginx"
certbot --nginx -d xyzzy.fi,www.xyzzy.fi \
--agree-tos -m "hostmaster@xyzzy.fi" --no-eff-email \
--deploy-hook "systemctl reload nginx"
certbot --nginx -d git.xyzzy.ee \
--agree-tos -m "hostmaster@xyzzy.ee" --no-eff-email \
--deploy-hook "systemctl reload nginx"
cp xyzzy.ee.conf /etc/nginx/sites-available/xyzzy.ee.conf
cp xyzzy.fi.conf /etc/nginx/sites-available/xyzzy.fi.conf
cp git.xyzzy.ee.conf /etc/nginx/sites-available/git.xyzzy.ee.conf
nginx -t
systemctl restart nginx
```
## Gitea Setup
All content lives under `/var/xyzzy`:
```
cp bin/teaup.sh /var/xyzzy/bin/
cd /var/xyzzy/bin
export TVER="1.21.8"
curl -L --output-dir /var/xyzzy/bin --remote-name-all \
"https://github.com/go-gitea/gitea/releases/download/v${TVER}/gitea-${TVER}-linux-amd64" \
"https://github.com/go-gitea/gitea/releases/download/v${TVER}/gitea-${TVER}-linux-amd64.sha256"
sha256sum -c "gitea-${TVER}-linux-amd64.sha256"
chmod +x "gitea-${TVER}-linux-amd64"
ln -s "gitea-${TVER}-linux-amd64" gitea
```
Primary `git` user:
```
adduser \
--system \
--shell /bin/bash \
--gecos 'git' \
--group \
--disabled-password \
--home /var/xyzzy/git \
git
```
Gitea prep:
```
mkdir -p /var/xyzzy/gitea/{custom,data,log}
chown -R git:git /var/xyzzy/gitea/
chmod -R 750 /var/xyzzy/gitea/
mkdir -p /var/xyzzy/etc/gitea
chown root:git /var/xyzzy/etc/gitea
chmod 770 /var/xyzzy/etc/gitea
cp gitea.service /etc/systemd/system/
systemctl daemon-reload
```
Gitea init:
```
systemctl start gitea.service
( browser -> https://git.xyzzy.ee )
systemctl stop gitea.service
```
Gitea deploy: (app.ini needs secrets set)
```
cp custom/* /var/xyzzy/gitea/custom/
cp app.ini /var/xyzzy/etc/gitea/
chmod 750 /var/xyzzy/etc/gitea
chmod 640 /var/xyzzy/etc/gitea/app.ini
chown root:git /var/xyzzy/etc/gitea/app.ini
systemctl enable --now gitea.service
```
## AppArmor
```
cp apparmor.d/* /etc/apparmor.d/
systemctl restart apparmor.service
```
## Backup
See `teabak.sh`; prep: (HCPING needs set in script)
```
groupadd --system bkp
mkdir /var/xyzzy/backup
chmod 0750 /var/xyzzy/backup
chown git:bkp /var/xyzzy/backup
cp teaback.sh /var/xyzzy/bin/
chmod 0755 /var/xyzzy/bin/teabak.sh
cp teabak.service teabak.timer /etc/systemd/system/
systemctl daemon-reload
systemctl enable --now teabak.timer
```
Allow restricted backup user to rsync the data:
```
adduser \
--shell /bin/bash \
--gecos 'reposync' \
--ingroup bkp \
--disabled-password \
--home /home/reposync \
reposync
```
The "reposync" user has a restricted `.ssh/authorized_keys` like so:
```
command="/usr/bin/rrsync -ro /var/xyzzy/backup/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc,restrict ssh-ed25519 ...
```
The `rrsync` script is part of the Debian `rsync` package
Reference in a new issue View git blame Copy permalink