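# Install your homelab file server

## Create the users that will be accessing the system

```sh
# useradd -p expects an already-hashed (crypt(3)) password, so passing the
# plaintext here leaves the account unable to log in with it. Set the password
# through chpasswd on stdin instead, which also keeps it out of the process list.
useradd -m -u 1000 chris
printf '%s:%s\n' chris "${PASSWORD}" | chpasswd
# This is the git user that will allow git SSH passthrough. Its UID presumably
# has to match the UID the Gitea container runs as — confirm against /opt/scarif/.env
useradd -m -u 1200 git
printf '%s:%s\n' git "${GIT_PASSWORD}" | chpasswd

# Disable root login
passwd -l root
```

## Install packages

```sh
pacman -Syyu --noconfirm
pacman -S --noconfirm archlinux-keyring
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils mlocate neovim openssh rsync base-devel

# Install yay. makepkg and yay refuse to run as root, so build as the
# unprivileged user (assumes chris has sudo rights for makepkg -s / -i).
sudo -u chris git clone https://aur.archlinux.org/yay.git /home/chris/yay
cd /home/chris/yay
sudo -u chris makepkg -si --noconfirm
sudo -u chris yay -S --needed --noconfirm zfs-linux
cd -
```

## Configure zfs

```sh
# Load zfs modules
/sbin/modprobe zfs

# Setup zfs services (the target is zfs.target; there is no zfs-zfs.target,
# so that line used to fail and the rest of this runbook already runs as root)
systemctl enable --now zfs-import-cache
systemctl enable --now zfs-mount
systemctl enable --now zfs.target
systemctl enable --now zfs-import.target
```

### Create storage pool

```sh
# Identify the disk ids
ls -lh /dev/disk/by-id/

# Create the pool from the stable /dev/disk/by-id names listed above.
# -f overwrites any existing label on the listed disks, so double-check them.
zpool create -f -o ashift=12 -m /mnt/tower tower raidz \
  /dev/disk/by-id/<DISK_ID_1> /dev/disk/by-id/<DISK_ID_2> /dev/disk/by-id/<DISK_ID_3>

# Add cache drive
zpool add tower cache /dev/disk/by-id/<CACHE_DISK_ID>

systemctl enable --now zfs-scrub@tower.timer
```

## Set up SSH

```sh
# Generate SSH keys for git to enable SSH proxy (useradd -m does not create ~/.ssh,
# and ssh-keygen does not create the directory either)
sudo -u git mkdir -p -m 700 /home/git/.ssh
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f /home/git/.ssh/id_rsa -q -N ""

# Add SSH key to authorized keys which is shared with docker container.
# Written as git so the file is owned by the user sshd checks it for.
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" | sudo -u git tee -a /home/git/.ssh/authorized_keys >/dev/null
sudo -u git chmod 600 /home/git/.ssh/authorized_keys

# Add current SSH key to main user's authorized keys. sshd (StrictModes) ignores
# the file if ~/.ssh is root-owned or group/world writable, so fix ownership
# and modes after creating it as root. $SSH_KEY is quoted so the key's spaces
# and comment survive intact.
mkdir -p -m 700 /home/chris/.ssh
printf '%s\n' "${SSH_KEY}" >> /home/chris/.ssh/authorized_keys
chmod 600 /home/chris/.ssh/authorized_keys
chown -R chris:chris /home/chris/.ssh

# -f replaces the packaged config, so no separate rm is needed
ln -sf /opt/scarif/sshd_config /etc/ssh/sshd_config

# Modify login messages
cat > /etc/motd <<'EOF'
Clearance codes accepted!
proceed:
EOF

# Enforce a delay after a failed login attempt to prevent brute force attacks.
# The module is pam_faildelay.so and its option is delay=<microseconds>; because
# the line is "optional", a misspelled module name is silently skipped instead
# of being reported, so the delay was never applied. The grep keeps re-runs of
# this runbook from appending the line twice.
grep -q 'pam_faildelay.so' /etc/pam.d/system-login || \
  echo "auth optional pam_faildelay.so delay=2000000" >> /etc/pam.d/system-login

# Validate the new sshd config before restarting so a typo in it cannot lock
# you out of the box
sshd -t && systemctl restart sshd
```

## Enabling [SSH passthrough](https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)

```sh
## Make files necessary for SSH passthrough
mkdir -p /var/lib/gitea
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
# Shim run on the host for keys in the shared authorized_keys; it forwards the
# request to the Gitea container listening on 127.0.0.1:2222.
# Single-quote-escape the client's requested command so a quote or $(...) in
# it cannot break out of the command string the container's shell evaluates.
cmd=$(printf '%s' "$SSH_ORIGINAL_COMMAND" | sed "s/'/'\\\\''/g")
# StrictHostKeyChecking=no: loopback connection to the local container, whose
# host key changes whenever the container is recreated.
exec ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND='$cmd' $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea
# Only the shim at /usr/local/bin/gitea is created above; /app/gitea/gitea is
# not created by this runbook, so the chmod/chown of it failed. It is kept
# guarded in case another step provides it — confirm which path the container's
# authorized_keys command= entries actually invoke ($0 in the shim must match it).
if [ -e /app/gitea/gitea ]; then
  chmod +x /app/gitea/gitea
  chown -R git /app/gitea/gitea
fi
chown -R git /var/lib/gitea
```

## Setting up SSL certificates

> If you are running a staging instance then you can skip this step and use omgwtfssl

```sh
echo "------- Enabling certbot service -------"
# The http-01 challenge needs port 80 reachable from the internet; this runs
# before ufw is enabled below. No authenticator (e.g. --standalone / --webroot)
# is given, so certbot will prompt for one — add it here if this must run unattended.
certbot certonly \
  -d scarif.space,www.scarif.space,tower.scarif.space,labs.scarif.space,rec.scarif.space,christmas.scarif.space,office.scarif.space \
  -m stofflees@gmail.com \
  --cert-name=scarif.space \
  --preferred-challenges=http --agree-tos \
  --no-eff-email
cp /opt/scarif/certbot/* /etc/systemd/system/
systemctl enable --now certbot.timer
```

## Firewall

```sh
ufw default deny incoming
ufw default allow outgoing
# 629 is presumably the SSH port set in /opt/scarif/sshd_config — confirm it
# matches before enabling, since the default policy denies everything else.
ufw allow 629
ufw allow 80
ufw allow 443
# NFS and CIFS are opened on every interface. If the box has a public-facing
# interface, restrict them to the LAN instead, e.g.
#   ufw allow from <LAN_CIDR> to any port 2049
#   ufw allow from <LAN_CIDR> to any app CIFS
ufw allow 2049
ufw allow CIFS
ufw --force enable
```

## Docker Setup

```sh
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
systemctl enable docker --now
docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d

## Create user for jitsi
# exec has to be pointed at the same compose file as `up`; without -f it looks
# for docker-compose.yml in the current directory (which is not /opt/scarif
# after the yay build above). The password is passed as an argument, so it is
# visible to other local users via ps while this command runs.
docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi "${COMMS_PASSWORD}"
```

## File sharing

```sh
# Start Samba share
ln -sf /opt/scarif/smb.conf /etc/samba/smb.conf
smbpasswd -a chris
systemctl enable --now smb

# Start NFS share. nfs-utils already ships /etc/nfs.conf and /etc/exports, so a
# plain ln -s fails on the existing files; -f replaces them with the symlinks.
ln -sf /opt/scarif/nfs.conf /etc/nfs.conf
ln -sf /opt/scarif/exports /etc/exports
exportfs -arv
# Arch's nfs-utils ships nfs-server.service and nfsv4-server.service; there is
# no nfs4-server unit. Check `systemctl list-unit-files 'nfs*'` if this name differs.
systemctl enable --now nfsv4-server
systemctl enable --now zfs-share
```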