Update 'INSTALL.md'

INSTALL.md

@@ -0,0 +1,130 @@
+# Install your homelab file server
+
+## Create the users that will be accessing the system
+```sh
+useradd -m -p ${PASSWORD} -u1000 chris
+useradd -m -p ${GIT_PASSWORD} -u1200 git # This is the git user that will allow git SSH passthrough
+# Disable root login
+passwd -l root
+```
+
+## Install packages
+```sh
+pacman -Syyu --noconfirm
+pacman -S --noconfirm archlinux-keyring
+pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils mlocate neovim openssh rsync base-devel
+# Install yay
+git clone https://aur.archlinux.org/yay.git
+cd yay
+makepkg -si
+yay -S --needed --noconfirm zfs-linux
+```
+
+## Configure zfs
+```sh
+# Load zfs modules
+/sbin/modprobe zfs
+# Setup zfs services
+sudo systemctl enable --now zfs-import-cache
+sudo systemctl enable --now zfs-mount
+sudo systemctl enable --now zfs-zfs.target
+sudo systemctl enable --now zfs-import.target
+```
+### Create storage pool
+```sh
+# Identify the disk ids
+ls -lh /dev/disk/by-id/
+# Create the pool
+zpool create -f -o ashift=12 -m /mnt/tower tower raidz <ids>
+# Add cache drive
+zpool add tower cache <device-id>
+systemctl enable --now zfs-scrub@tower.timer
+```
+
+## Set up SSH
+```sh
+# Generate SSH keys for git to enable SSH proxy
+sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f /home/git/.ssh/id_rsa -q -N ""
+# Add SSH key to authorized keys which is shared with docker container
+echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
+# Add current SSH key to main user's authorized keys
+mkdir -p /home/chris/.ssh
+echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
+rm /etc/ssh/sshd_config
+ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
+# Modify login messages
+echo "Clearance codes accepted! proceed:" > /etc/motd
+# Enforce a delay after a failed login attempt to prevent brute force attacks
+echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
+
+systemctl restart sshd
+```
+
+## Enabling [SSH passthrough](https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
+```sh
+## Make files necessary for SSH passthrough
+mkdir -p /var/lib/gitea
+cat <<"EOF" | sudo tee /usr/local/bin/gitea
+#!/bin/sh
+ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
+EOF
+sudo chmod +x /usr/local/bin/gitea
+
+chmod +x /app/gitea/gitea
+
+chown -R git /app/gitea/gitea
+chown -R git /var/lib/gitea
+```
+
+## Setting up SSL certificates
+> If you are running a staging instance then you can skip this step and use omgwtfssl
+```sh
+echo "------- Enabling certbot service -------"
+certbot certonly \
+    -d scarif.space,www.scarif.space,tower.scarif.space,labs.scarif.space,rec.scarif.space,christmas.scarif.space,office.scarif.space \
+    -m stofflees@gmail.com \
+    --cert-name=scarif.space \
+    --preferred-challenges=http
+    --agree-tos \
+    --no-eff-email
+
+cp /opt/scarif/certbot/* /etc/systemd/system/
+systemctl enable --now certbot.timer
+```
+
+## Firewall
+```sh
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow 629
+ufw allow 80
+ufw allow 443
+ufw allow 2049
+ufw allow CIFS
+ufw --force enable
+```
+
+## Docker Setup
+```sh
+mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
+systemctl enable docker --now
+
+docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
+## Create user for jitsi
+docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${COMMS_PASSWORD}
+```
+
+## File sharing
+```sh
+# Start Samba share
+ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
+smbpasswd -a chris
+systemctl enable --now smb
+
+# Start NFS share
+ln -s /opt/scarif/nfs.conf /etc/nfs.conf
+ln -s /opt/scarif/exports /etc/exports
+exportfs -arv
+systemctl enable --now nfs4-server
+systemctl enable --now zfs-share
+```