Differences

computer:neuaufbau_hermes [2022/01/12 06:01] – [Rsnapshot] springm
computer:neuaufbau_hermes [2025/05/03 13:49] (current) – [8TB-Backupdisk hinzufügen] spring
Line 7: Line 7:
   *     springm zur Gruppe docker hinzugefügt   *     springm zur Gruppe docker hinzugefügt
  
-===== 8TB-Backupdisk hinzufügen =====+===== xxTB-Backupdisk hinzufügen ===== 
 +Mount backupdisk either through block device or uuid 
 + 
 +==== Obsolete: encrypted Backupdisk ==== 
 +Not necessary as restic backups are already encrypted
 siehe auch https://wiki.zalmoxis.aberdoch.de/doku.php?id=computer:ubuntu:keyfile-based_luks_decryption siehe auch https://wiki.zalmoxis.aberdoch.de/doku.php?id=computer:ubuntu:keyfile-based_luks_decryption
   sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4   sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
Line 31: Line 35:
   update‐initramfs ‐u   update‐initramfs ‐u
      
-Entsperren mit ''ssh -v -p 20022 hermes.fritz.box'' (IP: 192.168.2.252)+Entsperren mit ''ssh -p 20022 root@hermes.fritz.box'' (IP: 192.168.2.252)
  
-==== Ubuntu-Cloud-Init entfernen ==== +===== Ubuntu-Cloud-Init entfernen ===== 
-=== Prevent start ===+==== Prevent start ====
  
 Create an empty file to prevent the service from starting Create an empty file to prevent the service from starting
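Review bot: the context line `update‐initramfs ‐u` contains U+2010 hyphens instead of ASCII `-`; pasted into a shell it yields "command not found", so the wiki source should read `update-initramfs -u`. For the unlock command on port 20022, dropping `-v` is fine, but the page should record the fingerprint of the SSH host key that answers there, so whoever types the LUKS passphrase can verify the host before doing so.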
Line 40: Line 44:
   sudo touch /etc/cloud/cloud-init.disabled   sudo touch /etc/cloud/cloud-init.disabled
  
-=== Uninstall ===+==== Uninstall ====
 Disable all services (uncheck everything except "None"): Disable all services (uncheck everything except "None"):
  
Line 50: Line 54:
   sudo rm -rf /etc/cloud/ && sudo rm -rf /var/lib/cloud/   sudo rm -rf /etc/cloud/ && sudo rm -rf /var/lib/cloud/
  
-==== Docker-Compose ====+===== Docker-Compose =====
      
   apt update && apt upgrade && apt install docker.io   apt update && apt upgrade && apt install docker.io
Line 63: Line 67:
   docker-compose -v   docker-compose -v
  
-==== Rsnapshot ====+===== Rsnapshot =====
 from https://github.com/linuxserver/docker-rsnapshot/pkgs/container/rsnapshot / https://docs.linuxserver.io/images/docker-rsnapshot from https://github.com/linuxserver/docker-rsnapshot/pkgs/container/rsnapshot / https://docs.linuxserver.io/images/docker-rsnapshot
  
 +  * container enthält cron!
   * Backup-Platte gemounted auf /backupdisk   * Backup-Platte gemounted auf /backupdisk
   * Benötigte Pakete ''awake'' und ''ssmtp'' werden von cron mittels @reboot beim Start aus ''/config/install_packages'' installiert   * Benötigte Pakete ''awake'' und ''ssmtp'' werden von cron mittels @reboot beim Start aus ''/config/install_packages'' installiert
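Review bot: installing `awake` and `ssmtp` from `/config/install_packages` through a cron `@reboot` entry means every container start fetches and installs packages as root from the network, so the backup container's contents depend on whatever the mirror serves that day. Prefer building the two packages into the image, or at least pinning their versions, so the container is reproducible and a restart cannot silently pull in something different.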
Line 73: Line 78:
   * (rsnapshot-diffs könnten regelmäßig abgelegt werden.)   * (rsnapshot-diffs könnten regelmäßig abgelegt werden.)
  
 +==== Statisches rsync 3.1.3 ====
 +Der alpine-basierte rsnapshot-docker-container verwendet aktuell rsync 3.2.4, das mit rsync 3.1.3 auf allen Ubuntu-Rechnern inkompatibel ist.
 +
 +Lösung: statisches rsync 3.1.3 kompiliert, im Docker-Container als /config/rsync abgelegt und in die rsnapshot-configurationen übernommen.
 +
 +Nach Upgrade auf Ubuntu 22 muss dies vermutlich rückgängig gemacht werden.
 +
 +  docker run --rm -it alpine sh
 +
 +  apk add --update alpine-sdk
 +  apk add perl
 +  apk add libpopt-dev
 +  apk add libpopt
 +  apk add popt
 +  apk add popt-dev
 +  apk add zlib-dev
 +  apk add gnu-make
 +  apk add git build-base cmake file-dev
 +  
 +  CC="diet gcc -nostdinc"
 +  export CC
 +  ./configure --disable-locale
 +  echo '#define HAVE_STRUCT_ADDRINFO 1' >> config.h
 +  make
 +  exit
 +
 +  docker cp pedantic_ardinghelli:/rsync-3.1.3/rsync .
 +  scp rsync hermes:docker/rsnapshot/config
    
-==== Traefik2 ====+===== Traefik2 =====
 Alle Docker-Server-Daten sind in /srv. Docker-Konfiguration ist in ~springm/docker. Traefik-Logs sind in /srv/logs/traefik.log Alle Docker-Server-Daten sind in /srv. Docker-Konfiguration ist in ~springm/docker. Traefik-Logs sind in /srv/logs/traefik.log
- 
-Domain iris.aberdoch.de und CNAME *.iris sind bei cloudflare registriert. Achtung: iris.aberdoch.de darf im pihole keinen Eintrag haben, da sonst die Zertifikatsgenerierung mit letsencrypt nicht mehr funktioniert. 
  
   cd docker   cd docker
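Review bot: the static-rsync recipe cannot be followed as written: the container is started with `docker run --rm`, so after `exit` it is gone and `docker cp pedantic_ardinghelli:/rsync-3.1.3/rsync .` has nothing to copy from (`pedantic_ardinghelli` is also a random auto-generated name). Either drop `--rm` and pass a fixed `--name`, or copy the binary out before exiting. The steps further omit fetching and unpacking the rsync 3.1.3 source before `./configure`, and `CC="diet gcc -nostdinc"` requires dietlibc, which is not among the `apk add` lines. Finally, a pinned 3.1.3 binary at `/config/rsync` is outside the distribution's security updates; the remark that this must be reverted after the Ubuntu 22 upgrade should become a dated to-do rather than a "vermutlich".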
Line 83: Line 114:
   sudo touch acme.json   sudo touch acme.json
   sudo chmod 0600 acme.json   sudo chmod 0600 acme.json
 +
 +{{:computer:pasted:20220421-211249.png}}
 +
 +https://www.ssllabs.com/ssltest/analyze.html?d=hermes.markus%2dspring.info&s=84.131.34.143
 +
 +===== Backup vom Backup =====
 +
 +  cryptsetup luksErase /dev/sdc1
 +  # erstes Passwort
 +  cryptsetup -y -v luksFormat /dev/sdc1
 +  # zweites Passwort
 +  cryptsetup -y -v luksAddkey /dev/sdc1
 +  # Keyfile
 +  cryptsetup -v luksAddKey /dev/sdc1 /root/.keyfile 
 +
 +  cryptsetup luksOpen /dev/sdc1 enc-backupCopy1 --key-file=/root/.keyfile
 +
 +===== NFS-Server =====
 +
 +( https://wiki.ubuntuusers.de/NFS/ )
 +
 +  /home/springm/docker/web/data kudell.fritz.box(rw,async,no_subtree_check,crossmnt) denkbrett.fritz.box(rw,async,no_subtree_check,crossmnt)
 +  
 +===== fetchmail =====
 +Neben der /etc/fetchmailrc noch eine /etc/fetchmailrc.yahoo, die nur alle 30 Minuten aus der crontab aufgerufen wird
 +
 +===== PDF-Druckserver =====
 +https://gitlab.com/aapjeisbaas/pdf-to-ipp
 +===== fail2ban =====
 +  sudo apt install sqlite3
 +  sudo apt install fail2ban ipset
 +
 +enablen und starten:
 +  systemctl enable fail2ban
 +  systemctl start fail2ban
 +  
 +Nach https://tkaefer.de/blog/2021/12/07/follow-up-docker-and-fail2ban-how-i-solved-it-for-me/
 +''/etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf''
 +  # Fail2Ban configuration file
 +  #
 +  # Author: Cyril Jaquier
 +  # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
 +  #           made active on all ports from original iptables.conf
 +  #           Tobias Kaefer <tobias@tkaefer.de>
 +  #
 +  #
 +   
 +  [INCLUDES]
 +   
 +  before = iptables-common.conf
 +   
 +   
 +  [Definition]
 +   
 +  # Option:  actionstart
 +  # Notes.:  command executed once at the start of Fail2Ban.
 +  # Values:  CMD 
 +  #
 +  actionstart = ipset create f2b-<name> hash:net forceadd
 +                <iptables> -t filter -I INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
 +                <iptables> -t filter -I FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
 +                <iptables> -t filter -I DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
 +  
 +  # Option:  actionflush
 +  # Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
 +  # Values:  CMD  
 +  #
 +  actionflush = ipset flush f2b-<name>
 +   
 +  # Option:  actionstop
 +  # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
 +  # Values:  CMD 
 +  #
 +  actionstop = <iptables> -t filter -D INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
 +               <iptables> -t filter -D FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
 +               <iptables> -t filter -D DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
 +               <actionflush>
 +               ipset destroy f2b-<name>  
 +  
 +  
 +  # Option:  actioncheck
 +  # Notes.:  command executed once before each actionban command
 +  # Values:  CMD
 +  #
 +  # actioncheck = <iptables> -t filter -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 +   
 +  # Option:  actionban
 +  # Notes.:  command executed when banning an IP. Take care that the
 +  #          command is executed with Fail2Ban user rights.
 +  # Tags:    See jail.conf(5) man page
 +  # Values:  CMD
 +  #
 +  actionban = /usr/local/bin/ipset-fail2ban.sh add f2b-<name> <ip>  
 +   
 +  # Option:  actionunban
 +  # Notes.:  command executed when unbanning an IP. Take care that the
 +  #          command is executed with Fail2Ban user rights.
 +  # Tags:    See jail.conf(5) man page
 +  # Values:  CMD
 +  #
 +  actionunban = /usr/local/bin/ipset-fail2ban.sh del f2b-<name> <ip>
 +   
 +  [Init]
 +  und ''/usr/local/bin/ipset-fail2ban.sh''
 +  #!/bin/bash
 +  
 +  ipsetcommand="$1"
 +  ipsetname="$2"
 +  IP="$3"
 +   
 +  if [[ "del" == ""${ipsetcommand}"" ]]; then
 +     /usr/sbin/ipset test "${ipsetname}" "${IP}" && /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
 +  else
 +     /usr/sbin/ipset test "${ipsetname}" "${IP}" || /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
 +  fi
 +
 +Konfiguration für dokuwiki in '''/etc/fail2ban/jail.d/dokuwiki-403.conf'''
 +  [nginx-403]
 +  
 +  enabled   = true
 +  port      = http,https
 +  filter    = nginx-403
 +  logpath   = /home/springm/docker/dokuwiki/data/log/nginx/access.log
 +  maxretry  = 3
 +  findtime  = 300
 +  bantime   = 300
 +  banaction = iptables-mangle-allports[name="nginx-403"]
 +
 +und '''/etc/fail2ban/filter.d/nginx-403.conf'''
 +  [Definition]
 +  failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403 .*(login|start)
 +  ignoreregex =
 +  
 +Das Logging in dokuwiki muss so geändert sein, dass die echte IP und nicht die von traefik geloggt wird.
 +
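Review bot: the jail's `banaction = iptables-mangle-allports[name="nginx-403"]` does not match the action file created above, `/etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf`; fail2ban resolves that name to `action.d/iptables-mangle-allports.conf`, so either rename the file or write `banaction = iptables-mangle-allports-ipset[name="nginx-403"]`, and confirm with `fail2ban-client status nginx-403` that bans actually land in the ipset. In the Backup-vom-Backup block, `cryptsetup -y -v luksAddkey /dev/sdc1` is a typo: cryptsetup actions are case-sensitive and the correct `luksAddKey` is used on the very next command. In `ipset-fail2ban.sh`, `""${ipsetcommand}""` is two empty strings around an unquoted expansion; write `"${ipsetcommand}"` and reject anything other than `add` or `del` before passing `$1` to ipset, since the script runs as root. The closing remark about logging the real client IP is a hard requirement, not a footnote: with traefik in front, `<HOST>` would otherwise be traefik's address and the jail would ban the reverse proxy itself, locking out every user.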
  • computer/neuaufbau_hermes.1641967267.txt.gz
  • Last modified: 2022/01/12 06:01
  • by springm