 * Running at home, general purpose server
 * Intel NUC (BOXNUC7i3BNH)
 * Core i3-7100U at 2.40GHz
 * 500GB WD Blue SN550 NVMe M.2
 * 8GB DDR4 2400MHz Kingston KVR24S17S8/8
 * Ubuntu 21.10

= users =
 * furinkan

= services =
 * ssh
 * http/s
  * https://rant.meidokon.net/furinkan/
 * postgres 14
 * [[https://smokeping.thighhighs.top/smokeping/?target=AdonisAve| Smokeping]] (available on internal IP, and IPv6)

= build notes =
On 2022-01-02, FDE on LVM, Ubuntu server 21.10

Had some problems with the curtin unpack of the base image, I changed the Ubuntu archive URL to Datamossa in AU and hey presto it worked. Guess something was corrupted, shrug.

 * Mostly default settings
 * Enable full disk encryption with LVM, default settings
 * Enable sshd during install

== basic env ==
 * Install your authorized_keys for the `root` and `furinkan` users
 * Enable NOPASSWD sudo
{{{
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
}}}
 * Set hostname:
{{{
hostnamectl set-hostname illustrious.thighhighs.top
}}}
 * Set timezone
{{{
timedatectl set-timezone Australia/Sydney
}}}
 * Set editor
{{{
echo "export EDITOR=vim" > /etc/profile.d/editor-vim.sh
}}}
 * Disable `HashKnownHosts`
{{{
echo -e "Host *\n    HashKnownHosts no" > /etc/ssh/ssh_config.d/99-global.conf
}}}
 * Configure screen
{{{
curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
}}}
 * Configure top by entering this cheatcode
{{{
z x c b s 1.5 e 1 W q
}}}
 * Fix locales, select en_AU.UTF-8: `dpkg-reconfigure locales`
 * Disable console blanking, seems this is already done by default: `cat /sys/module/kernel/parameters/consoleblank`
  * Already set to zero means it shouldn't blank
 * Disable wifi and bluetooth, we don't need them and they slow down boot
{{{
systemctl disable wpa_supplicant.service --now
systemctl disable bluetooth.target --now
}}}
 * Install useful packages
{{{
apt update
apt install -y vim screen bash-completion lsof tcpdump netcat strace nmap less bsdmainutils tzdata whiptail netbase wget \
    curl python-is-python3 net-tools ack jq make elinks whois ethtool bind9-dnsutils apt-utils man-db plocate
}}}
 * Do a full upgrade, index the system for `locate`, then reboot
{{{
apt full-upgrade
updatedb
reboot
}}}

== Configure networking ==
Use netplan for this, it's convenient and easy.

{{{
cd /etc/netplan/
mv 00-installer-config.yaml 00-installer-config.yaml.disabled
vim 10-thighhighs.yaml
}}}

Contents of `10-thighhighs.yaml`:
{{{
network:
  version: 2
  ethernets:
    eno1:
      critical: true
      dhcp-identifier: mac
      dhcp4: false
      dhcp4-overrides:
        use-dns: false
      dhcp6: true
      dhcp6-overrides:
        use-dns: false
      ipv6-privacy: false
      addresses:
        - "192.168.1.12/24"
        # :12 for the .1.12 IPv4
        - "2404:e80:42e3:0:12:0:0:12/64"
      routes:
        - to: 0.0.0.0/0
          via: 192.168.1.1
          on-link: true
      nameservers:
        addresses:
          - 192.168.1.20
          - 192.168.1.24
          - fe80::e65f:1ff:fe1c:c6ea
          - fe80::ba27:ebff:fe8c:f4f8
        search:
          - thighhighs.top
}}}

Try applying it with `netplan try`, see if your SSH session still works, then go ahead and reboot if it's good.

== Setup clevis for automated decrypt on boot ==
 * `apt install clevis-luks`
 * Bind the volume to the Tang servers
{{{
clevis luks bind -d /dev/nvme0n1p3 sss '{"t": 1, "pins": {"tang": [{"url": "http://ocular.thighhighs.top:8888"},{"url": "http://funicular.thighhighs.top:8888"}]}}'
}}}
 * `apt install clevis-initramfs`

Test by rebooting.
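Worked example (added to these notes; not part of the original page and not a clevis tool): a short Python script that reads the `sss` policy bound above and lists the minimal combinations of pins that can release the LUKS key. With `"t": 1` and two `tang` pins, either server on its own is enough, which is what lets the box come up unattended while one Tang host is down; with `t` raised to 2 both must answer at boot. `PAGE_POLICY` is a constructed copy of the JSON used in the bind command; the nested-`sss` handling and the `single_points_of_unlock` helper are my own additions, not clevis APIs.

```python
"""Who can unlock this disk?  Reads a clevis 'sss' policy and lists the
minimal pin combinations that satisfy it.  Added example for these notes,
not part of clevis; PAGE_POLICY is a constructed copy of the policy bound
on this page."""
import json
from itertools import combinations, product

PAGE_POLICY = json.loads(
    '{"t": 1, "pins": {"tang": ['
    '{"url": "http://ocular.thighhighs.top:8888"},'
    '{"url": "http://funicular.thighhighs.top:8888"}]}}'
)


def minimal_unlock_sets(policy):
    """Return the minimal sets of leaf pins that satisfy an sss policy.

    Leaf pins are labelled "tang:<url>" (or "<pin>:<json>" for other pin
    types).  Nested "sss" entries are resolved recursively, so each returned
    frozenset is one combination of real servers/devices that releases the key.
    """
    threshold = policy["t"]
    children = []  # per child: the list of frozensets that satisfy that child
    for pin_name, configs in policy["pins"].items():
        if not isinstance(configs, list):
            configs = [configs]
        for cfg in configs:
            if pin_name == "sss":
                children.append(list(minimal_unlock_sets(cfg)))
            else:
                label = pin_name + ":" + cfg.get("url", json.dumps(cfg, sort_keys=True))
                children.append([frozenset([label])])
    if not 1 <= threshold <= len(children):
        raise ValueError(f"t={threshold} cannot be met with {len(children)} pins")
    candidates = set()
    # any `threshold` children together satisfy the policy; each child may
    # itself be satisfied in several ways, hence the cross product
    for chosen in combinations(children, threshold):
        for pick in product(*chosen):
            candidates.add(frozenset().union(*pick))
    # drop anything that is a strict superset of another candidate
    return {s for s in candidates if not any(o < s for o in candidates)}


def single_points_of_unlock(policy):
    """Leaf pins that release the LUKS key entirely on their own."""
    return {next(iter(s)) for s in minimal_unlock_sets(policy) if len(s) == 1}


def report(policy):
    """Human-readable summary, one line per unlocking combination."""
    lines = []
    for s in sorted(minimal_unlock_sets(policy), key=lambda s: (len(s), sorted(s))):
        lines.append("unlocks with: " + " + ".join(sorted(s)))
    for label in sorted(single_points_of_unlock(policy)):
        lines.append("note: " + label + " alone is sufficient")
    return lines


if __name__ == "__main__":
    print("policy as bound on this page (t=1):")
    print("\n".join(report(PAGE_POLICY)))
    print("\nsame servers with t=2 (both must answer at boot):")
    print("\n".join(report(dict(PAGE_POLICY, t=2))))
```

Run it as `python3 clevis_policy.py` after pasting in whatever policy you passed to `clevis luks bind`; the `t=2` variant at the bottom shows the trade-off between boot availability (tolerating one Tang server being down) and requiring both servers to agree.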
== Docker Engine for services ==
Run with the official docs: https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository

Prep repo
{{{
apt install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
}}}

Install packages
{{{
apt update
apt install docker-ce docker-ce-cli containerd.io
}}}

Test that it's working
{{{
docker run hello-world
}}}

Setup log rotation in `/etc/docker/daemon.json`
{{{
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "50m",
    "max-file": "10"
  }
}
}}}

=== Prepare space for volumes ===
We'll use this later for dockerised apps.
{{{
mkdir /data
}}}

= Reverse proxy for services =
== SSL cert ==
Pop it in `/etc/ssl` like usual.
{{{
cd /etc/ssl/
# This is a one-time action
openssl dhparam -out dhparams.pem 4096
# Then copy the cert and key and intermediate CA chain here
}}}

== Proxy software ==
Let's try out [[https://caddyserver.com/| Caddy]], I've been curious for a while now and it might meet all my needs.

Use official docs for a repo-packaged version: https://caddyserver.com/docs/install
{{{
apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/gpg.key > /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt > /etc/apt/sources.list.d/caddy-stable.list
apt update
apt install caddy
}}}

This uses a systemwide config in `/etc/caddy/Caddyfile`, and acts as a generic HTTP server initially.
It's serving up a Caddy landing page from `/usr/share/caddy` at http://illustrious.thighhighs.top/

= Smokeping =
Run it using the docker container; it's more convenient and separates config+data from the installation. https://hub.docker.com/r/linuxserver/smokeping

Prepare space for data and config using a logical volume
{{{
lvcreate -L 1G -n smokeping ubuntu-vg
mkfs.ext4 /dev/ubuntu-vg/smokeping
mkdir /data/smokeping

# Add to fstab
# Smokeping config and data
/dev/disk/by-uuid/a40142d8-06e0-44d7-b8bc-a3e20662cde2 /data/smokeping ext4 defaults 0 1

mount /data/smokeping
mkdir /data/smokeping/config
mkdir /data/smokeping/data
chown -R 1000:1000 /data/smokeping/config /data/smokeping/data
}}}

Run the container:
{{{
docker run -d \
  --name=smokeping \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Australia/Sydney \
  -p 127.0.0.1:8000:80 \
  -v /data/smokeping/config:/config \
  -v /data/smokeping/data:/data \
  --restart unless-stopped \
  lscr.io/linuxserver/smokeping
}}}

Map it through with some nginx config.
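Added example (not the author's config, and not from the linuxserver image): since this page installs Caddy as the proxy, the equivalent site block in `/etc/caddy/Caddyfile` for mapping the container through looks like this. The cert and key filenames under `/etc/ssl` are assumed; the upstream address matches the `-p 127.0.0.1:8000:80` mapping above, so the container is reachable from the network only through this proxy.

```caddyfile
# /etc/caddy/Caddyfile -- added example, not the page's own config
smokeping.thighhighs.top {
    # Cert + key copied into /etc/ssl earlier; these filenames are assumed
    tls /etc/ssl/smokeping.thighhighs.top.fullchain.pem /etc/ssl/smokeping.thighhighs.top.key

    # The container only listens on 127.0.0.1:8000 (see the docker run above),
    # so this site block is the only way in from the LAN or the internet
    reverse_proxy 127.0.0.1:8000

    # Per-site access log, handy for seeing who is hitting the graphs
    log {
        output file /var/log/caddy/smokeping.access.log
    }
}
```

Check it with `caddy validate --config /etc/caddy/Caddyfile` before `systemctl reload caddy`; with a static `tls` line Caddy skips its automatic ACME issuance for that hostname and serves the certificate you dropped into `/etc/ssl`.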