diff --git a/INSTALL.md b/INSTALL.md
index e69de29..cc79a76 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -0,0 +1,130 @@
+# Install your homelab file server
+
+## Create the users that will be accessing the system
+```sh
+useradd -m -p ${PASSWORD} -u1000 chris
+useradd -m -p ${GIT_PASSWORD} -u1200 git # This is the git user that will allow git SSH passthrough
+# Disable root login
+passwd -l root
+```
+
+## Install packages
+```sh
+pacman -Syyu --noconfirm
+pacman -S --noconfirm archlinux-keyring
+pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils mlocate neovim openssh rsync base-devel
+# Install yay
+git clone https://aur.archlinux.org/yay.git
+cd yay
+makepkg -si
+yay -S --needed --noconfirm zfs-linux
+```
+
+## Configure zfs
+```sh
+# Load zfs modules
+/sbin/modprobe zfs
+# Setup zfs services
+sudo systemctl enable --now zfs-import-cache
+sudo systemctl enable --now zfs-mount
+sudo systemctl enable --now zfs-zfs.target
+sudo systemctl enable --now zfs-import.target
+```
+### Create storage pool
+```sh
+# Identify the disk ids
+ls -lh /dev/disk/by-id/
+# Create the pool
+zpool create -f -o ashift=12 -m /mnt/tower tower raidz
+# Add cache drive
+zpool add tower cache
+systemctl enable --now zfs-scrub@tower.timer
+```
+
+## Set up SSH
+```sh
+# Generate SSH keys for git to enable SSH proxy
+sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f /home/git/.ssh/id_rsa -q -N ""
+# Add SSH key to authorized keys which is shared with docker container
+echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
+# Add current SSH key to main user's authorized keys
+mkdir -p /home/chris/.ssh
+echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
+rm /etc/ssh/sshd_config
+ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
+# Modify login messages
+echo "Clearance codes accepted! 
proceed:" > /etc/motd
+# Enforce a delay after a failed login attempt to prevent brute force attacks
+echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
+
+systemctl restart sshd
+```
+
+## Enabling [SSH passthrough](https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
+```sh
+## Make files necessary for SSH passthrough
+mkdir -p /var/lib/gitea
+cat <<"EOF" | sudo tee /usr/local/bin/gitea
+#!/bin/sh
+ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+EOF
+sudo chmod +x /usr/local/bin/gitea
+
+chmod +x /app/gitea/gitea
+
+chown -R git /app/gitea/gitea
+chown -R git /var/lib/gitea
+```
+
+## Setting up SSL certificates
+> If you are running a staging instance then you can skip this step and use omgwtfssl
+```sh
+echo "------- Enabling certbot service -------"
+certbot certonly \
+ -d scarif.space,www.scarif.space,tower.scarif.space,labs.scarif.space,rec.scarif.space,christmas.scarif.space,office.scarif.space \
+ -m stofflees@gmail.com \
+ --cert-name=scarif.space \
+ --preferred-challenges=http
+ --agree-tos \
+ --no-eff-email
+
+cp /opt/scarif/certbot/* /etc/systemd/system/
+systemctl enable --now certbot.timer
+```
+
+## Firewall
+```sh
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 629
+ufw allow 80
+ufw allow 443
+ufw allow 2049
+ufw allow CIFS
+ufw --force enable
+```
+
+## Docker Setup
+```sh
+mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
+systemctl enable docker --now
+
+docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
+## Create user for jitsi
+docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${COMMS_PASSWORD}
+```
+
+## File sharing
+```sh
+# Start Samba share
+ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
+smbpasswd -a chris
+systemctl enable --now smb
+
+# Start NFS 
share
+ln -s /opt/scarif/nfs.conf /etc/nfs.conf
+ln -s /opt/scarif/exports /etc/exports
+exportfs -arv
+systemctl enable --now nfs4-server
+systemctl enable --now zfs-share
+```