
Install your homelab file server

Create the users that will access the system

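# Create the interactive admin user and the git service user.
# Passwords are fed to chpasswd on stdin instead of `useradd -p`: `-p` expects
# an already-hashed crypt(3) value, and anything placed on argv is visible to
# every local user via `ps` and ends up in shell history.
# PASSWORD / GIT_PASSWORD are treated as plaintext here; if they are
# pre-hashed, add `-e` to chpasswd instead.
: "${PASSWORD:?PASSWORD must be set}"
: "${GIT_PASSWORD:?GIT_PASSWORD must be set}"
useradd -m -u 1000 chris
printf '%s:%s\n' chris "$PASSWORD" | chpasswd
# This is the git user that will allow git SSH passthrough
useradd -m -u 1200 git
printf '%s:%s\n' git "$GIT_PASSWORD" | chpasswd
# Disable root login
passwd -l root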

Install packages

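# Force-refresh the package databases and upgrade the system
pacman -Syyu --noconfirm
pacman -S --noconfirm archlinux-keyring
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils mlocate neovim openssh rsync base-devel
# Install yay (AUR helper) from source.
# NOTE(review): makepkg refuses to run as root; run this part as an
# unprivileged user with sudo rights (e.g. chris) — confirm for your setup.
git clone https://aur.archlinux.org/yay.git
# Abort if the clone failed; otherwise makepkg would run in the wrong directory
cd yay || exit 1
makepkg -si
yay -S --needed --noconfirm zfs-linux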

Configure zfs

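# Load the zfs kernel module for the current session
/sbin/modprobe zfs
# Enable and start the ZFS import/mount units.
# The original listed `zfs-zfs.target`, which is not a unit OpenZFS ships;
# the umbrella target is `zfs.target`.
for unit in zfs-import-cache zfs-mount zfs.target zfs-import.target; do
  sudo systemctl enable --now "$unit"
done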

Create storage pool

# Identify the disk ids (use stable /dev/disk/by-id names, not /dev/sdX)
ls -lh /dev/disk/by-id/
# Create the pool.
# `-f` forces creation even if a disk looks in use — double-check the ids,
# this destroys whatever is on them. ashift=12 is the sector-size hint
# (2^12 = 4 KiB); mountpoint is /mnt/tower.
zpool create -f -o ashift=12 -m /mnt/tower tower raidz <ids>
# Add cache drive (L2ARC) to the pool
zpool add tower cache <device-id>
# Periodic scrub of the pool via the systemd timer template
systemctl enable --now zfs-scrub@tower.timer

Set up SSH

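# Generate SSH keys for git to enable SSH proxy (service key, hence no passphrase)
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f /home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container.
# The option prefix confines this key to the forced command (no forwarding, no tty).
printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys.
# sshd (StrictModes) ignores authorized_keys unless ~/.ssh is 0700, the file
# is 0600 and both are owned by the user, so set that explicitly rather than
# relying on root's umask.
: "${SSH_KEY:?SSH_KEY must be set}"
install -d -m 700 -o chris /home/chris/.ssh
printf '%s\n' "$SSH_KEY" >> /home/chris/.ssh/authorized_keys
chmod 600 /home/chris/.ssh/authorized_keys
chown -R chris: /home/chris/.ssh
rm /etc/ssh/sshd_config
ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
# Modify login messages
printf '%s\n' "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks.
# The module is pam_faildelay.so and its argument is delay=<microseconds>;
# the original `pam-faildelay.so delay 2000000` names a module that does not
# exist, so with `optional` the line was ignored and no delay applied.
printf '%s\n' "auth optional pam_faildelay.so delay=2000000" >> /etc/pam.d/system-login

# Validate the linked config before restarting so a broken sshd_config
# cannot lock us out of the host
sshd -t || exit 1
systemctl restart sshd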

Enable SSH passthrough

## Make files necessary for SSH passthrough
mkdir -p /var/lib/gitea
# Wrapper invoked by the git user's authorized_keys forced command: it relays
# the original git command to the Gitea container listening on loopback:2222.
# The heredoc delimiter is quoted, so $SSH_ORIGINAL_COMMAND/$0/$@ are written
# literally and expanded only when the wrapper runs.
# NOTE(review): StrictHostKeyChecking=no is tolerable only because the target
# is 127.0.0.1; `accept-new` would still pin the key after first contact —
# confirm the container's host key is stable before switching.
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea

# Gitea binary on the host side; presumably the same one the wrapper targets — confirm
chmod +x /app/gitea/gitea

# Both paths must be accessible to the git user that sshd runs the wrapper as
chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea

Setting up SSL certificates

If you are running a staging instance, you can skip this step and use omgwtfssl instead.

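printf '%s\n' "------- Enabling certbot service -------"
# Obtain one certificate covering all hostnames via the HTTP-01 challenge.
# Every option is on a continued line: the original lacked the `\` after
# --preferred-challenges=http, so --agree-tos/--no-eff-email ran as a
# separate (failing) command and certbot prompted for ToS agreement.
certbot certonly \
    -d scarif.space,www.scarif.space,tower.scarif.space,labs.scarif.space,rec.scarif.space,christmas.scarif.space,office.scarif.space \
    -m stofflees@gmail.com \
    --cert-name=scarif.space \
    --preferred-challenges=http \
    --agree-tos \
    --no-eff-email

# Install the renewal service/timer units kept in the repo and start the timer
cp /opt/scarif/certbot/* /etc/systemd/system/
systemctl enable --now certbot.timer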

Firewall

# Default-deny inbound, allow outbound, then open only the service ports.
ufw default deny incoming
ufw default allow outgoing
# 629    — presumably the SSH port configured in /opt/scarif/sshd_config; confirm
# 80/443 — HTTP/HTTPS (certbot http challenge and the web services)
# 2049   — NFS
# CIFS   — ufw's Samba application profile
# NOTE(review): 2049 and CIFS are opened to every source; if the shares are
# LAN-only, `ufw allow from <lan-cidr> to any port 2049` is the tighter form.
for rule in 629 80 443 2049 CIFS; do
  ufw allow "$rule"
done
# --force skips the "may disrupt existing ssh connections" confirmation prompt
ufw --force enable

Docker Setup

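compose_file=/opt/scarif/docker-compose.yml
env_file=/opt/scarif/.env
# Create the /opt/jitsi directory tree (presumably bind-mounted by the compose services)
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}
systemctl enable docker --now

docker-compose -f "$compose_file" --env-file "$env_file" up -d
## Create user for jitsi
# Pass the same -f/--env-file as `up`; without them `exec` only resolves the
# project when run from /opt/scarif. The password is still passed on argv and
# so is briefly visible in `ps` and in shell history.
: "${COMMS_PASSWORD:?COMMS_PASSWORD must be set}"
docker-compose -f "$compose_file" --env-file "$env_file" exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi "$COMMS_PASSWORD"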

File sharing

# Samba: point smbd at the tracked config, set an SMB password for chris
# (smbpasswd -a prompts interactively), then start the service.
ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
smbpasswd -a chris
systemctl enable --now smb

# NFS: link config and exports into /etc, publish the export table, then
# start the NFSv4 server and zfs-share (presumably for ZFS sharenfs datasets).
for cfg in nfs.conf exports; do
  ln -s "/opt/scarif/${cfg}" "/etc/${cfg}"
done
exportfs -arv
for unit in nfs4-server zfs-share; do
  systemctl enable --now "$unit"
done