Additional configuration for server and prepare for deployment

2020-12-13 23:08:24 +00:00
parent 2df38382bb
commit 8629648666
4 changed files with 100 additions and 55 deletions
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -2,16 +2,43 @@

 source /opt/scarif/.env

+echo "------- Generating system users -------"
 # Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
 useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
 useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
-
-# Install necessary packages
-pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
-
 # Set up privileges
 echo "chris ALL=(ALL) ALL" >> /etc/sudoers
+# Disable root login
+passwd -l root

+# Install necessary packages
+echo "------- Installing packages -------"
+pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
+
+echo "------- Setting up SSH -------"
+# Remove old SSH keys in case running again
+rm -f /home/git/.ssh/*
+# Generate SSH keys for git to enable SSH proxy
+sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
+# Add SSH key to authorized keys which is shared with docker container
+echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
+# Add current SSH key to main user's authorized keys
+mkdir /home/chris/.ssh
+echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
+# Disable root login
+sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
+# Logout after 5 minutes of inactivity
+sed -i "s/#LoginGraceTime 2m/LoginGraceTime 5m/" /etc/ssh/sshd_config
+# Add banner art
+sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
+# Modify login messages
+echo "Clearance codes accepted! proceed:" > /etc/motd
+# Enforce a delay after a failed login attempt to prevent brute force attacks
+echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
+
+systemctl restart sshd
+
+echo "------- Enabling SSH passthrough -------"
 # Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
 mkdir -p /var/lib/gitea
 mkdir -p /app/gitea
@@ -24,19 +51,8 @@ chmod +x /app/gitea/gitea

 chown -R git /app/gitea/gitea
 chown -R git /var/lib/gitea
-rm -f /home/git/.ssh/*

-sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
-
-sudo -u git touch /home/git/.ssh/authorized_keys
-echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
-echo $SSH_KEY >> /home/git/.ssh/authorized_keys
-
-sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
-
-systemctl restart sshd
-
-# Set up firewall
+echo "------- Setting up firewall -------"
 ufw default deny incoming
 ufw default allow outgoing
 ufw allow 22
@@ -44,9 +60,9 @@ ufw allow 80
 ufw allow 443
 ufw --force enable

-# Start the docker service and build docker compose
+echo "------- Starting docker -------"
 systemctl enable docker --now

 docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
-
+# Create a super user for pinry
 docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,9 @@
 # Options for building certificates
-x-certs: &certs
-  image: paulczar/omgwtfssl
-  restart: "no"
-  volumes:
-    - certs:/certs
+#x-certs: &certs
+#  image: paulczar/omgwtfssl
+#  restart: "no"
+#  volumes:
+#    - certs:/certs

 version: "3.4"

@@ -171,7 +171,7 @@ services:
    image: nginx:alpine
    restart: always
    volumes:
-      - certs:/etc/nginx/certs:ro
+      - /opt/ssl:/etc/nginx/certs:ro
      - ./nginx.conf:/etc/nginx/nginx.conf
      - monica-public:/var/www/html/monica/public:ro
      - monica-data:/var/www/html/monica/storage:ro
@@ -184,21 +184,20 @@ services:
      - collabora
      - cadvisor
      - pinry
-      - certs
    ports:
      - 80:80
      - 443:443
    networks:
      - nginx

-  certs:
-    <<: *certs
-    environment:
-      - SSL_SUBJECT=${DOMAIN}
-      - CA_SUBJECT=chris@${DOMAIN}
-      - SSL_KEY=/certs/${DOMAIN}.key
-      - SSL_CSR=/certs/${DOMAIN}.csr
-      - SSL_CERT=/certs/${DOMAIN}.crt
+  #certs:
+  #  <<: *certs
+  #  environment:
+  #    - SSL_SUBJECT=${DOMAIN}
+  #    - CA_SUBJECT=chris@${DOMAIN}
+  #    - SSL_KEY=/certs/${DOMAIN}.key
+  #    - SSL_CSR=/certs/${DOMAIN}.csr
+  #    - SSL_CERT=/certs/${DOMAIN}.crt

 volumes:
  db:
@@ -206,7 +205,7 @@ volumes:
  monica-public:
  monica-data:
  nextcloud:
-  certs:
+  #certs:
  dashboard:
  pinry:

--- a/nginx.conf
+++ b/nginx.conf
@@ -75,10 +75,10 @@ http {
    server {
        listen 443 ssl http2;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

-        server_name personel.scarif.local;
+        server_name personel.scarif.space;

        ## HSTS ##
        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
@@ -211,10 +211,10 @@ http {
    server {
        listen 443 ssl http2;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

-        server_name tower.scarif.local;
+        server_name tower.scarif.space;

        ## HSTS ##
        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
@@ -346,10 +346,10 @@ http {

    server {
        listen 443 ssl;
-        server_name office.scarif.local;
+        server_name office.scarif.space;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

        # static files
        location ^~ /loleaflet {
@@ -405,13 +405,13 @@ http {
    server {
        listen 443 ssl http2;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;

-        server_name labs.scarif.local;
+        server_name labs.scarif.space;

        location / {
            proxy_pass http://gitea-handler;
@@ -425,13 +425,13 @@ http {
    server {
        listen 443 ssl http2;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;

-        server_name command.scarif.local scarif.local;
+        server_name command.scarif.space scarif.space;

        location / {
            proxy_pass http://dashboard-handler;
@@ -449,13 +449,13 @@ http {
    server {
        listen 443 ssl http2;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;

-        server_name monitoring.scarif.local;
+        server_name monitoring.scarif.space;

        location / {
            proxy_pass http://cadvisor-handler;
@@ -469,13 +469,13 @@ http {
    server {
        listen 443 ssl http2;

-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;

        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;

-        server_name research.scarif.local;
+        server_name research.scarif.space;

        location / {
            proxy_pass http://pinry-handler;
--- a/30
+++ b/30
@@ -0,0 +1,30 @@
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+        _______.  ______     ___      .______       __   _______
+       /       | /      |   /   \     |   _  \     |  | |   ____|
+      |   (----`|  ,----'  /  ^  \    |  |_)  |    |  | |  |__
+       \   \    |  |      /  /_\  \   |      /     |  | |   __|
+   .----)   |   |  `----./  _____  \  |  |\  \----.|  | |  |
+   |_______/     \______/__/     \__\ | _| `._____||__| |__|
+
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+                            ________
+                       _,.-Y  |  |  Y-._
+                   .-~"   ||  |  |  |   "-.
+                   I" ""=="|" !""! "|"[]""|     _____
+                   L__  [] |..------|:   _[----I" .-{"-.
+                  I___|  ..| l______|l_ [__L]_[I_/r(=}=-P
+                 [L______L_[________]______j~  '-=c_]/=-^
+                  \_I_j.--.\==I|I==_/.--L_]
+                    [_((==)[`-----"](==)j
+                       I--I"~~"""~~"I--I
+                       |[]|         |[]|
+                       l__j         l__j               _\/_
+                       |!!|         |!!|               //o\  _\/_
+                       |..|         |..|                 |   /o\\_
+                  _____([]),,...__  ([])      __..---'"""|""'  |
+ ___..-----'""""""     ]--[       `"]--[---```                 |
+                       [_L]         [_L]
+                      /|..|\       /|..|\
+                     `=}--{='     `=}--{='
+                    .-^--r-^-.   .-^--r-^-.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~