====== Rebuilding the backup and media server 'hermes' ======

Hardware: Intel Mini-ITX with a 4-core Atom

OS: Ubuntu 20.03 Server

  * Minimal installation on the SSD only; the 8TB disk was added afterwards
  * All updates applied
  * docker.io installed
  * springm added to the group docker

===== Adding the xxTB backup disk =====

Mount the backup disk either through its block device or its UUID.

==== Obsolete: encrypted backup disk ====

Not necessary, as restic backups are already encrypted.

See also https://wiki.zalmoxis.aberdoch.de/doku.php?id=computer:ubuntu:keyfile-based_luks_decryption

<code bash>
# generate a 4 KiB random key file, readable by root only
sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
chmod 0400 /root/.keyfile
# the key file has to be in a LUKS key slot already (see "Backup of the backup" below)
cryptsetup luksOpen /dev/sdb1 backupdisk --key-file /root/.keyfile
</code>

Extend ''/etc/crypttab'' (determine the UUID with ''blkid''):

<code>
backupdisk UUID=efb4986f-ad45-4b80-af4d-13c2782393a8 /root/.keyfile luks,discard
</code>

Extend ''/etc/fstab'':

<code>
/dev/mapper/backupdisk /backupdisk btrfs defaults 0 2
</code>

<code bash>
mkdir /backupdisk
mount -a
</code>

===== Encrypting the boot disk =====

Following the c't article {{ :computer:luks_verschluesselte_linux-systeme_ueber_ssh_entsperren_c_t_magazin.pdf |}}

<code bash>
apt install dropbear-initramfs
</code>

The SSH public keys are kept in ''/etc/dropbear-initramfs/authorized_keys''.
After a change the initramfs has to be rebuilt:

<code bash>
update-initramfs -u
</code>

Unlock with ''ssh -p 20022 root@hermes.fritz.box'' (IP: 192.168.2.252).

===== Removing Ubuntu cloud-init =====

==== Prevent start ====

Create an empty file to prevent the service from starting:

<code bash>
sudo touch /etc/cloud/cloud-init.disabled
</code>

==== Uninstall ====

Disable all services (uncheck everything except "None"):

<code bash>
sudo dpkg-reconfigure cloud-init
</code>

Uninstall the package and delete the folders:

<code bash>
sudo apt-get purge cloud-init
sudo rm -rf /etc/cloud/ && sudo rm -rf /var/lib/cloud/
</code>

===== Docker Compose =====

<code bash>
apt update && apt upgrade && apt install docker.io
sudo systemctl enable --now docker
usermod -aG docker springm
reboot
# check for latest version
curl -L https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` \
  -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -v
</code>

===== Rsnapshot =====

From https://github.com/linuxserver/docker-rsnapshot/pkgs/container/rsnapshot / https://docs.linuxserver.io/images/docker-rsnapshot

  * The container contains cron!
  * The backup disk is mounted at /backupdisk
  * The required packages ''awake'' and ''ssmtp'' are installed by cron at start-up via @reboot from ''/config/install_packages''
  * The config, exclude and pre_rsnapshot files are kept in ''~springm/docker/rsnapshot/config'', with the paths adjusted
  * run_rsnapshot is kept in /config as well

Todo
  * (rsnapshot diffs could be stored on a regular basis.)

==== Static rsync 3.1.3 ====

The Alpine-based rsnapshot Docker container currently uses rsync 3.2.4, which is incompatible with rsync 3.1.3 on all the Ubuntu machines. Solution: compile a static rsync 3.1.3, place it in the Docker container as /config/rsync and reference it in the rsnapshot configurations. After the upgrade to Ubuntu 22 this will probably have to be reverted.
<code bash>
# build in a throw-away Alpine container; started without --rm so that the
# binary can still be copied out with docker cp after the shell has exited
docker run -it alpine sh
# alpine-sdk already pulls in build-base and make; popt/popt-dev are the
# Alpine package names (libpopt, libpopt-dev and gnu-make do not resolve)
apk add --update alpine-sdk perl popt popt-dev zlib-dev git cmake file-dev
# run the following inside the unpacked rsync-3.1.3 source tree; "diet gcc"
# assumes the dietlibc compiler wrapper is present in the container
CC="diet gcc -nostdinc"
export CC
./configure --disable-locale
echo '#define HAVE_STRUCT_ADDRINFO 1' >> config.h
make
exit
# on the host: copy the binary out of the (auto-named) build container
docker cp pedantic_ardinghelli:/rsync-3.1.3/rsync .
scp rsync hermes:docker/rsnapshot/config
</code>

===== Traefik2 =====

All Docker server data lives in /srv. The Docker configuration is in ~springm/docker. The Traefik logs are in /srv/logs/traefik.log.

<code bash>
cd docker
docker network create proxy
# ACME account and certificate store; Traefik refuses to use it unless it is mode 0600
sudo touch acme.json
sudo chmod 0600 acme.json
</code>

{{:computer:pasted:20220421-211249.png}}

https://www.ssllabs.com/ssltest/analyze.html?d=hermes.markus%2dspring.info&s=84.131.34.143

===== Backup of the backup =====

<code bash>
# wipes every key slot; the old contents of /dev/sdc1 are unrecoverable afterwards
cryptsetup luksErase /dev/sdc1
# first passphrase
cryptsetup -y -v luksFormat /dev/sdc1
# second passphrase
cryptsetup -y -v luksAddKey /dev/sdc1
# key file
cryptsetup -v luksAddKey /dev/sdc1 /root/.keyfile
cryptsetup luksOpen /dev/sdc1 enc-backupCopy1 --key-file=/root/.keyfile
</code>

===== NFS server =====

( https://wiki.ubuntuusers.de/NFS/ )

Export entry (''/etc/exports''):

<code>
/home/springm/docker/web/data kudell.fritz.box(rw,async,no_subtree_check,crossmnt) denkbrett.fritz.box(rw,async,no_subtree_check,crossmnt)
</code>

===== fetchmail =====

Besides /etc/fetchmailrc there is an additional /etc/fetchmailrc.yahoo, which is invoked from the crontab only every 30 minutes.

===== PDF print server =====

https://gitlab.com/aapjeisbaas/pdf-to-ipp

===== fail2ban =====

<code bash>
sudo apt install sqlite3
sudo apt install fail2ban ipset
</code>

Enable and start:

<code bash>
systemctl enable fail2ban
systemctl start fail2ban
</code>

Following https://tkaefer.de/blog/2021/12/07/follow-up-docker-and-fail2ban-how-i-solved-it-for-me/

''/etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf'':

<code>
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko
#           made active on all ports from original iptables.conf
#           Tobias Kaefer
#

[INCLUDES]

before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# The set is matched in INPUT, FORWARD and DOCKER-USER: traffic to ports
# published by Docker is forwarded and never passes the INPUT chain.
actionstart = ipset create f2b-<name> hash:net forceadd
              <iptables> -t filter -I INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
              <iptables> -t filter -I FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
              <iptables> -t filter -I DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable

# Option:  actionflush
# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values:  CMD
#
actionflush = ipset flush f2b-<name>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = <iptables> -t filter -D INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <iptables> -t filter -D FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <iptables> -t filter -D DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             ipset destroy f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# actioncheck = <iptables> -t filter -n -L | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/local/bin/ipset-fail2ban.sh add f2b-<name> <ip>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = /usr/local/bin/ipset-fail2ban.sh del f2b-<name> <ip>

[Init]
</code>

and ''/usr/local/bin/ipset-fail2ban.sh'':

<code bash>
#!/bin/bash
# $1: ipset sub-command (add|del), $2: set name, $3: address to ban/unban
ipsetcommand="$1"
ipsetname="$2"
IP="$3"
if [[ "del" == "${ipsetcommand}" ]]; then
  # delete only if the entry is present
  /usr/sbin/ipset test "${ipsetname}" "${IP}" && /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
else
  # add only if the entry is not present yet
  /usr/sbin/ipset test "${ipsetname}" "${IP}" || /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
fi
</code>

Configuration for DokuWiki in ''/etc/fail2ban/jail.d/dokuwiki-403.conf'':

<code>
[nginx-403]
enabled  = true
port     = http,https
filter   = nginx-403
logpath  = /home/springm/docker/dokuwiki/data/log/nginx/access.log
maxretry = 3
findtime = 300
bantime  = 300
# banaction names a file in action.d/; to use the ipset action above, the
# name has to be iptables-mangle-allports-ipset
banaction = iptables-mangle-allports[name="nginx-403"]
</code>

and ''/etc/fail2ban/filter.d/nginx-403.conf'':

<code>
[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403 .*(login|start)
ignoreregex =
</code>

The logging in DokuWiki has to be changed so that the real client IP is logged and not that of traefik.
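To check the filter and the jail parameters against real log lines before enabling the jail, here is an added example (not from this page, nor fail2ban's own code) that applies the failregex above to constructed nginx access-log lines and replays the maxretry/findtime window; the IPv4-only stand-in for ''<HOST>'', the wiki.example referers and the 172.18.0.2 proxy address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban expands <HOST> to a regex for IPv4/IPv6/hostnames; this stand-in
# (an assumption of this example) covers dotted-quad IPv4 only.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex from filter.d/nginx-403.conf with <HOST> expanded
FAILREGEX = re.compile(r"^" + HOST_RE + r' -.*"(GET|POST|HEAD).*HTTP.*" 403 .*(login|start)')
MAXRETRY, FINDTIME = 3, 300          # from jail.d/dokuwiki-403.conf
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def matches(line):
    """Return the client address if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None

def parse_ts(line):
    """Epoch seconds of an nginx combined-format timestamp."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the jail: a host is banned once it has maxretry matching
    lines inside a findtime-second sliding window."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        host = matches(line)
        if host is None:
            continue
        t = parse_ts(line)
        hits[host] = [x for x in hits[host] if t - x <= findtime] + [t]
        if len(hits[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed access-log lines (RFC 5737 addresses, invented referers).
SAMPLE_LOG = [
    # three 403s on the login page from one client within 73 s -> ban
    '203.0.113.7 - - [21/Apr/2022:21:12:49 +0200] "GET /doku.php?id=start&do=login HTTP/1.1" 403 512 "https://wiki.example/doku.php?id=start" "curl/7.68.0"',
    '203.0.113.7 - - [21/Apr/2022:21:13:10 +0200] "POST /doku.php?id=start&do=login HTTP/1.1" 403 512 "https://wiki.example/doku.php?id=start&do=login" "curl/7.68.0"',
    '203.0.113.7 - - [21/Apr/2022:21:14:02 +0200] "POST /doku.php?id=start&do=login HTTP/1.1" 403 512 "https://wiki.example/doku.php?id=start&do=login" "curl/7.68.0"',
    # one 200 and one 403 from a second client: below maxretry
    '198.51.100.4 - - [21/Apr/2022:21:14:30 +0200] "GET /doku.php?id=start HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Apr/2022:21:14:31 +0200] "POST /doku.php?id=start&do=login HTTP/1.1" 403 512 "https://wiki.example/doku.php?id=start" "Mozilla/5.0"',
    # 403 without Referer: login/start occur only before the status code, but the regex wants them after it
    '198.51.100.4 - - [21/Apr/2022:21:14:40 +0200] "GET /doku.php?id=start&do=login HTTP/1.1" 403 512 "-" "curl/7.68.0"',
]
# The same traffic as nginx logs it when it only sees traefik's (constructed)
# container address: every hit lands on the proxy, and the proxy gets banned.
PROXY_LOG = [re.sub(r"^\S+", "172.18.0.2", line) for line in SAMPLE_LOG]
```

Run it on a copy of the real access.log to see which addresses the jail would ban; the last sample line shows that direct requests without a Referer never count, because the regex only looks for login/start after the status code.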