Neuaufbau Backup- und Medienserver 'hermes'

Neuaufbau Backup- und Medienserver 'hermes'

Hardware: Intel-MiniITX mit 4-Kern-Atom
OS: Ubuntu 20.03 Server

 Minimum-Installation nur SSD, 8TB-Platte nachträglich hinzugefügt

* Alle Updates

```
 docker.io installiert
```
* springm zur Gruppe docker hinzugefügt

xxTB-Backupdisk hinzufügen

Mount backupdisk either through block device or uuid

Obsolete: encrypted Backupdisk

Not necessary as restic backups are already encrypted
siehe auch https://wiki.zalmoxis.aberdoch.de/doku.php?id=computer:ubuntu:keyfile-based_luks_decryption

sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
chmod 0400 /root/.keyfile
cryptsetup luksOpen /dev/sdb1 backupdisk --key-file /root/.keyfile

/etc/crypttab erweitern ( UUID mit blkid ermitteln)

backupdisk UUID=efb4986f-ad45-4b80-af4d-13c2782393a8 /root/.keyfile luks,discard

/etc/fstab erweitern:

/dev/mapper/backupdisk /backupdisk btrfs defaults 0 2

mkdir /backupdisk
mount -a

Boot-Disk verschlüsseln

Entsprechend c't-Artikel luks_verschluesselte_linux-systeme_ueber_ssh_entsperren_c_t_magazin.pdf

apt install dropbear-initramfs

Die ssh-public-keys liegen in /etc/dropbear-initramfs/authorized_keys. Nach Änderung muss das initramfs aktualisiert werden:

update‐initramfs ‐u

Entsperren mit ssh -p 20022 root@hermes.fritz.box (IP: 192.168.2.252)

Ubuntu-Cloud-Init entfernen

Prevent start

Create an empty file to prevent the service from starting

sudo touch /etc/cloud/cloud-init.disabled

Uninstall

Disable all services (uncheck everything except “None”):

sudo dpkg-reconfigure cloud-init

Uninstall the package and delete the folders

sudo apt-get purge cloud-init
sudo rm -rf /etc/cloud/ && sudo rm -rf /var/lib/cloud/

Docker-Compose

apt update && apt upgrade && apt install docker.io
sudo systemctl enable --now docker
usermod -aG docker springm
reboot

# check for latest version
curl -L https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` \
   -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -v

Rsnapshot

from https://github.com/linuxserver/docker-rsnapshot/pkgs/container/rsnapshot / https://docs.linuxserver.io/images/docker-rsnapshot

container enthält cron!
Backup-Platte gemounted auf /backupdisk
Benötigte Pakete awake und ssmtp werden von cron mittels @reboot beim Start aus /config/installpackages installiert * config-, exclude- und prersnapshot-Dateien in ~springm/docker/rsnapshot/config abgelegt, Pfade angepasst * runrsnapshot ebenfalls in /config abgelegt Todo * (rsnapshot-diffs könnten regelmäßig abgelegt werden.) ==== Statisches rsync 3.1.3 ==== Der alpine-basierte rsnapshot-docker-container verwendet aktuell rsync 3.2.4, das mit rsync 3.1.3 auf allen Ubuntu-Rechnern inkompatibel ist. Lösung: statisches rsync 3.1.3 kompiliert, im Docker-Container als /config/rsync abgelegt und in die rsnapshot-configurationen übernommen. Nach Upgrade auf Ubuntu 22 muss dies vermutlich rückgängig gemacht werden. docker run –rm -it alpine sh apk add –update alpine-sdk apk add perl apk add libpopt-dev apk add libpopt apk add popt apk add popt-dev apk add zlib-dev apk add gnu-make apk add git build-base cmake file-dev CC=“diet gcc -nostdinc” export CC ./configure –disable-locale echo '#define HAVESTRUCTADDRINFO 1' » config.h make exit docker cp pedantic_ardinghelli:/rsync-3.1.3/rsync . scp rsync hermes:docker/rsnapshot/config ===== Traefik2 ===== Alle Docker-Server-Daten sind in /srv. Docker-Konfiguration ist in ~springm/docker. Traefik-Logs sind in /srv/logs/traefik.log cd docker docker network create proxy sudo touch acme.json sudo chmod 0600 acme.json https://www.ssllabs.com/ssltest/analyze.html?d=hermes.markus%2dspring.info&s=84.131.34.143 ===== Backup vom Backup ===== cryptsetup luksErase /dev/sdc1 # erstes Passwort cryptsetup -y -v luksFormat /dev/sdc1 # zweites Passwort cryptsetup -y -v luksAddkey /dev/sdc1 # Keyfile cryptsetup -v luksAddKey /dev/sdc1 /root/.keyfile cryptsetup luksOpen /dev/sdc1 enc-backupCopy1 –key-file=/root/.keyfile ===== NFS-Server ===== ( https://wiki.ubuntuusers.de/NFS/ ) /home/springm/docker/web/data kudell.fritz.box(rw,async,nosubtreecheck,crossmnt) denkbrett.fritz.box(rw,async,nosubtreecheck,crossmnt) ===== fetchmail ===== Neben der /etc/fetchmailrc noch eine /etc/fetchmailrc.yahoo, die nur alle 30 Minuten aus der crontab aufgerufen wird ===== PDF-Druckserver ===== https://gitlab.com/aapjeisbaas/pdf-to-ipp ===== fail2ban ===== sudo apt install sqlite3 sudo apt install fail2ban ipset enablen und starten: systemctl enable fail2ban systemctl start fail2ban Nach https://tkaefer.de/blog/2021/12/07/follow-up-docker-and-fail2ban-how-i-solved-it-for-me/ /etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf # Fail2Ban configuration file # # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko debian@onerussian.com # made active on all ports from original iptables.conf # Tobias Kaefer tobias@tkaefer.de # # [INCLUDES] before = iptables-common.conf [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = ipset create f2b-<name> hash:net forceadd <iptables> -t filter -I INPUT -p <protocol> -m set –match-set f2b-<name> src -j REJECT –reject-with icmp-host-unreachable <iptables> -t filter -I FORWARD -p <protocol> -m set –match-set f2b-<name> src -j REJECT –reject-with icmp-host-unreachable <iptables> -t filter -I DOCKER-USER -p <protocol> -m set –match-set f2b-<name> src -j REJECT –reject-with icmp-host-unreachable # Option: actionflush # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) # Values: CMD # actionflush = ipset flush f2b-<name> # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = <iptables> -t filter -D INPUT -p <protocol> -m set –match-set f2b-<name> src -j REJECT –reject-with icmp-host-unreachable <iptables> -t filter -D FORWARD -p <protocol> -m set –match-set f2b-<name> src -j REJECT –reject-with icmp-host-unreachable <iptables> -t filter -D DOCKER-USER -p <protocol> -m set –match-set f2b-<name> src -j REJECT –reject-with icmp-host-unreachable <actionflush> ipset destroy f2b-<name> # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # # actioncheck = <iptables> -t filter -n -L <chain> | grep -q 'f2b-<name>[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = /usr/local/bin/ipset-fail2ban.sh add f2b-<name> <ip> # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = /usr/local/bin/ipset-fail2ban.sh del f2b-<name> <ip> [Init] und /usr/local/bin/ipset-fail2ban.sh #!/bin/bash ipsetcommand=“$1” ipsetname=“$2” IP=“$3” if "del" == ""${ipsetcommand}""; then /usr/sbin/ipset test “${ipsetname}” “${IP}” && /usr/sbin/ipset “${ipsetcommand}” “${ipsetname}” “${IP}” else /usr/sbin/ipset test “${ipsetname}” “${IP}” || /usr/sbin/ipset “${ipsetcommand}” “${ipsetname}” “${IP}” fi Konfiguration für dokuwiki in '/etc/fail2ban/jail.d/dokuwiki-403.conf' [nginx-403] enabled = true port = http,https filter = nginx-403 logpath = /home/springm/docker/dokuwiki/data/log/nginx/access.log maxretry = 3 findtime = 300 bantime = 300 banaction = iptables-mangle-allports[name=“nginx-403”] und '/etc/fail2ban/filter.d/nginx-403.conf''' [Definition] failregex = ^<HOST> -.“(GET|POST|HEAD).HTTP.” 403 .(login|start) ignoreregex = Das Logging in dokuwiki muss so geändert sein, dass die echte IP und nicht die von traefik geloggt wird.

Table of Contents