Additional configuration for server and prepare for deployment

2020-12-13 23:08:24 +00:00
parent 2df38382bb
commit 8629648666
4 changed files with 100 additions and 55 deletions
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -2,16 +2,43 @@
 source /opt/scarif/.env
 echo "------- Generating system users -------"
 # Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
 useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
 useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
 # Install necessary packages
 pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
 # Set up privileges
 echo "chris ALL=(ALL) ALL" >> /etc/sudoers
 # Disable root login
 passwd -l root
 # Install necessary packages
 echo "------- Installing packages -------"
 pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw
 echo "------- Setting up SSH -------"
 # Remove old SSH keys in case running again
 rm -f /home/git/.ssh/*
 # Generate SSH keys for git to enable SSH proxy
 sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
 # Add SSH key to authorized keys which is shared with docker container
 echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
 # Add current SSH key to main user's authorized keys
 mkdir /home/chris/.ssh
 echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
 # Disable root login
 sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin no/" /etc/ssh/sshd_config
 # Logout after 5 minutes of inactivity
 sed -i "s/#LoginGraceTime 2m/LoginGraceTime 5m/" /etc/ssh/sshd_config
 # Add banner art
 sed -i "s/#Banner none/Banner \/opt\/scarif\/ssh-banner-art/" >> /etc/ssh/sshd_config
 # Modify login messages
 echo "Clearance codes accepted! proceed:" > /etc/motd
 # Enforce a delay after a failed login attempt to prevent brute force attacks
 echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login
 systemctl restart sshd
 echo "------- Enabling SSH passthrough -------"
 # Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
 mkdir -p /var/lib/gitea
 mkdir -p /app/gitea
@@ -24,19 +51,8 @@ chmod +x /app/gitea/gitea
 chown -R git /app/gitea/gitea
 chown -R git /var/lib/gitea
 rm -f /home/git/.ssh/*
-sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
+echo "------- Setting up firewall -------"
 sudo -u git touch /home/git/.ssh/authorized_keys
 echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
 echo $SSH_KEY >> /home/git/.ssh/authorized_keys
 sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
 systemctl restart sshd
 # Set up firewall
 ufw default deny incoming
 ufw default allow outgoing
 ufw allow 22
@@ -44,9 +60,9 @@ ufw allow 80
 ufw allow 443
 ufw --force enable
-# Start the docker service and build docker compose
+echo "------- Starting docker -------"
 systemctl enable docker --now
 docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
-
+# Create a super user for pinry
 docker exec -it scarif_pinry_1 python manage.py createsuperuser --settings=pinry.settings.docker
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,9 +1,9 @@
 # Options for building certificates
-x-certs: &certs
+#x-certs: &certs
-  image: paulczar/omgwtfssl
+#  image: paulczar/omgwtfssl
-  restart: "no"
+#  restart: "no"
-  volumes:
+#  volumes:
-    - certs:/certs
+#    - certs:/certs
 version: "3.4"
@@ -171,7 +171,7 @@ services:
    image: nginx:alpine
    restart: always
    volumes:
-      - certs:/etc/nginx/certs:ro
+      - /opt/ssl:/etc/nginx/certs:ro
      - ./nginx.conf:/etc/nginx/nginx.conf
      - monica-public:/var/www/html/monica/public:ro
      - monica-data:/var/www/html/monica/storage:ro
@@ -184,21 +184,20 @@ services:
      - collabora
      - cadvisor
      - pinry
      - certs
    ports:
      - 80:80
      - 443:443
    networks:
      - nginx
-  certs:
+  #certs:
-    <<: *certs
+  #  <<: *certs
-    environment:
+  #  environment:
-      - SSL_SUBJECT=${DOMAIN}
+  #    - SSL_SUBJECT=${DOMAIN}
-      - CA_SUBJECT=chris@${DOMAIN}
+  #    - CA_SUBJECT=chris@${DOMAIN}
-      - SSL_KEY=/certs/${DOMAIN}.key
+  #    - SSL_KEY=/certs/${DOMAIN}.key
-      - SSL_CSR=/certs/${DOMAIN}.csr
+  #    - SSL_CSR=/certs/${DOMAIN}.csr
-      - SSL_CERT=/certs/${DOMAIN}.crt
+  #    - SSL_CERT=/certs/${DOMAIN}.crt
 volumes:
  db:
@@ -206,7 +205,7 @@ volumes:
  monica-public:
  monica-data:
  nextcloud:
-  certs:
+  #certs:
  dashboard:
  pinry:
--- a/nginx.conf
+++ b/nginx.conf
@@ -75,10 +75,10 @@ http {
    server {
        listen 443 ssl http2;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
-        server_name personel.scarif.local;
+        server_name personel.scarif.space;
        ## HSTS ##
        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
@@ -211,10 +211,10 @@ http {
    server {
        listen 443 ssl http2;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
-        server_name tower.scarif.local;
+        server_name tower.scarif.space;
        ## HSTS ##
        # Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
@@ -346,10 +346,10 @@ http {
    server {
        listen 443 ssl;
-        server_name office.scarif.local;
+        server_name office.scarif.space;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
        # static files
        location ^~ /loleaflet {
@@ -405,13 +405,13 @@ http {
    server {
        listen 443 ssl http2;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;
-        server_name labs.scarif.local;
+        server_name labs.scarif.space;
        location / {
            proxy_pass http://gitea-handler;
@@ -425,13 +425,13 @@ http {
    server {
        listen 443 ssl http2;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;
-        server_name command.scarif.local scarif.local;
+        server_name command.scarif.space scarif.space;
        location / {
            proxy_pass http://dashboard-handler;
@@ -449,13 +449,13 @@ http {
    server {
        listen 443 ssl http2;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;
-        server_name monitoring.scarif.local;
+        server_name monitoring.scarif.space;
        location / {
            proxy_pass http://cadvisor-handler;
@@ -469,13 +469,13 @@ http {
    server {
        listen 443 ssl http2;
-        ssl_certificate /etc/nginx/certs/scarif.local.crt;
+        ssl_certificate /etc/nginx/certs/scarif.space.crt;
-        ssl_certificate_key /etc/nginx/certs/scarif.local.key;
+        ssl_certificate_key /etc/nginx/certs/scarif.space.key;
        gzip_types text/plain text/css application/json application/x-javascript
                   text/xml application/xml application/xml+rss text/javascript;
-        server_name research.scarif.local;
+        server_name research.scarif.space;
        location / {
            proxy_pass http://pinry-handler;
--- a/30
+++ b/30
@@ -0,0 +1,30 @@
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        _______.  ______     ___      .______       __   _______
       /       | /      |   /   \     |   _  \     |  | |   ____|
      |   (----`|  ,----'  /  ^  \    |  |_)  |    |  | |  |__
       \   \    |  |      /  /_\  \   |      /     |  | |   __|
   .----)   |   |  `----./  _____  \  |  |\  \----.|  | |  |
   |_______/     \______/__/     \__\ | _| `._____||__| |__|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                            ________
                       _,.-Y  |  |  Y-._
                   .-~"   ||  |  |  |   "-.
                   I" ""=="|" !""! "|"[]""|     _____
                   L__  [] |..------|:   _[----I" .-{"-.
                  I___|  ..| l______|l_ [__L]_[I_/r(=}=-P
                 [L______L_[________]______j~  '-=c_]/=-^
                  \_I_j.--.\==I|I==_/.--L_]
                    [_((==)[`-----"](==)j
                       I--I"~~"""~~"I--I
                       |[]|         |[]|
                       l__j         l__j               _\/_
                       |!!|         |!!|               //o\  _\/_
                       |..|         |..|                 |   /o\\_
                  _____([]),,...__  ([])      __..---'"""|""'  |
 ___..-----'""""""     ]--[       `"]--[---```                 |
                       [_L]         [_L]
                      /|..|\       /|..|\
                     `=}--{='     `=}--{='
                    .-^--r-^-.   .-^--r-^-.
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~