ITSquad/Server setup: Difference between revisions
m (→Configuration) |
m (→SMTP relay) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 11: | Line 11: | ||
You should be able to connect in root with your ssh key: | You should be able to connect in root with your ssh key: | ||
ssh root@<ip address or hostname> -i ~/.ssh/<private key> | ssh root@'''<ip address or hostname>''' -i ~/.ssh/'''<private key>''' | ||
== SSH == | == SSH == | ||
Configure the ssh server: | |||
# Edit the sshd config: <code>vim /etc/ssh/sshd_config</code> | # Edit the sshd config: <code>vim /etc/ssh/sshd_config</code> | ||
# Change the port used by ssh server | # Change the port used by ssh server | ||
Line 24: | Line 25: | ||
Install and setup ufw, an easy to use firewall manager: | Install and setup ufw, an easy to use firewall manager: | ||
apt install ufw | apt install ufw | ||
ufw allow <ssh port> | ufw allow '''<ssh port>''' | ||
ufw allow "Nginx Full" # only if nginx is installed | ufw allow "Nginx Full" # only if nginx is installed | ||
ufw enable | ufw enable | ||
Line 33: | Line 34: | ||
# Generate the ssh key to access the storage box: <code>ssh-keygen -t ed25519 -f ~/.ssh/storage-box</code> | # Generate the ssh key to access the storage box: <code>ssh-keygen -t ed25519 -f ~/.ssh/storage-box</code> | ||
# Configure ssh: <code>vim ~/.ssh/config</code>. Enter the following: | # Configure ssh: <code>vim ~/.ssh/config</code>. Enter the following: | ||
Host <storage box hostname> | Host '''<storage box hostname>''' | ||
User <username> | User '''<username>''' | ||
Port 23 | Port 23 | ||
IdentityFile ~/.ssh/storage-box | IdentityFile ~/.ssh/storage-box | ||
Line 40: | Line 41: | ||
: where <username> is the sub-account username for the storage box. For the storage box hostname, refer to our password store. | : where <username> is the sub-account username for the storage box. For the storage box hostname, refer to our password store. | ||
Finally, add your ssh key to the storage box: | Finally, add your ssh key to the storage box: | ||
ssh-copy-id -i ~/.ssh/storage-box '''<storage box hostname>''' | |||
You should be asked for the storage box's password. | |||
=== Autofs === | === Autofs === | ||
In case you need to mount the storage box: | In case you need to mount the storage box (for media, backups, etc.): | ||
# Install autofs and sshfs: <code>apt install autofs sshfs</code> | # Install autofs and sshfs: <code>apt install autofs sshfs</code> | ||
# Edit /etc/auto.master, and add the line: <code>/mnt/storage-box /etc/auto.sshfs --timeout=90,--ghost</code> | # Edit /etc/auto.master, and add the line: <code>/mnt/storage-box /etc/auto.sshfs --timeout=90,--ghost</code> | ||
# Create /etc/auto.sshfs with this content: | # Create /etc/auto.sshfs with this content: | ||
backup -fstype=fuse,rw :sshfs\#'''<storage box hostname>'''\:/home/backup | |||
This will give us easy access to backup when things go wrong. | |||
Optionaly, add a line for mounting a media directory (or anything else): | |||
media -fstype=fuse,rw,allow_other :sshfs\#'''<storage box hostname>'''\:/home/media | |||
== Backups == | == Backups == | ||
Install and configure duplicity to backup the server. We encrypt the backups with a public/private key pair that we generate for this server. Duplicity needs to know the private key in order to compute the | Install and configure duplicity to backup the server. We encrypt the backups with a public/private key pair that we generate for this server. Duplicity needs to know the private key and the passphrase in order to compute the differences between the current state of the directory to backup and the latest backup. | ||
=== Requirements === | === Requirements === | ||
Line 67: | Line 74: | ||
# Create a file that will store the passphrase: <code>touch /root/gpg-duplicity.secret && chmod 600 /root/gpg-duplicity.secret</code> | # Create a file that will store the passphrase: <code>touch /root/gpg-duplicity.secret && chmod 600 /root/gpg-duplicity.secret</code> | ||
# Generate the passphrase: <code>openssl rand -base64 42 > /root/gpg-duplicity.secret</code> | # Generate the passphrase: <code>openssl rand -base64 42 > /root/gpg-duplicity.secret</code> | ||
# Generate a GPG key pair: <code>gpg --quick-gen-key < | # Generate a GPG key pair: <code>gpg --quick-gen-key '''<itsquad email>''' ed25519 cert 0</code>. You'll be asked to enter twice the passphrase that you've generated. | ||
# Edit this GPG key pair to add a sub-key for encryption: <code>gpg --edit-key <key id></code>. Then, enter <code>addkey</code>, and choose a RSA key for encryption (option #6). Enter <code>save</code> to quit. | # Edit this GPG key pair to add a sub-key for encryption: <code>gpg --edit-key '''<key id>'''</code>. Then, enter <code>addkey</code>, and choose a RSA key for encryption (option #6). Enter <code>save</code> to quit. | ||
'''Note:''' Don't forget to add the GPG key id with the passphrase in our password store. | '''Note:''' Don't forget to add the GPG key id with the passphrase in our password store. | ||
Line 74: | Line 81: | ||
==== Import public keys ==== | ==== Import public keys ==== | ||
# On your local machine, generate a key pair (or reuse one of yours) and export it to a file: <code>gpg -a --export <key id> > <key file.pub></code> | # On your local machine, generate a key pair (or reuse one of yours) and export it to a file: <code>gpg -a --export '''<key id>''' > '''<key file.pub>'''</code> | ||
# Copy this key on the server: <code>scp <key file.pub> root@< | # Copy this key on the server: <code>scp '''<key file.pub>''' root@'''<ip address or hostname>''':~/</code> | ||
# Import the key: <code>gpg --import /root/<key file.pub></code> | # Import the key: <code>gpg --import /root/'''<key file.pub>'''</code> | ||
# Trust the key: <code>gpg --edit-key <key id></code>. Enter <code>trust</code>, choose ''I trust ultimately'' then quit. | # Trust the key: <code>gpg --edit-key '''<key id>'''</code>. Enter <code>trust</code>, choose ''I trust ultimately'' then quit. | ||
=== Configuration === | === Configuration === | ||
Line 117: | Line 124: | ||
crontab -e | crontab -e | ||
@daily /root/'''<backup.sh>''' > /dev/null | @daily /root/'''<backup.sh>''' > /dev/null | ||
== SMTP relay == | |||
Configure a SMTP relay to forward cron errors to a PPBe inbox: | |||
# Install msmtp: <code>apt install msmtp msmtp-mta</code> | |||
# Create the configuration /etc/msmtprc with this content: | |||
defaults | |||
auth on | |||
tls on | |||
tls_trust_file /etc/ssl/certs/ca-certificates.crt | |||
logfile /var/log/msmtp.log | |||
account ahoy | |||
host mail.infomaniak.ch | |||
port 587 | |||
from '''<some account>'''@pirateparty.be | |||
user '''<some account>'''@pirateparty.be | |||
password '''<password>''' | |||
account default : ahoy | |||
aliases /etc/aliases | |||
where <some account> is replaced by a dummy PPBe mail account (usually "ahoy") | |||
Finally, create the file /etc/aliases with: | |||
default: '''<some target email address>''' | |||
Usually, mails are sent to the ITSquad, but you can first test the config with your own email address ;) | |||
Try it out with this command: | |||
echo test | sendmail <your email address> | |||
Logs are stored in /var/log/msmtp.log |
Latest revision as of 19:41, 18 October 2019
This page aims to list the operations needed when we want to create or migrate a server.
Create a new VM
- Order a new VM at Hetzner: https://console.hetzner.cloud
- Click on the button Add a new server
- Select the location, OS, and the resources needed
- Add the ssh public keys that will be able to access the server
- Name the server after a character from One Piece
- Go to metaregistrar to setup the DNS: https://control.metaregistrar.com/login
You should be able to connect in root with your ssh key:
ssh root@<ip address or hostname> -i ~/.ssh/<private key>
SSH
Configure the ssh server:
- Edit the sshd config:
vim /etc/ssh/sshd_config
- Change the port used by ssh server
- Allow root login with public keys only:
PermitRootLogin prohibit-password
- Restart the ssh server:
systemctl restart ssh
Firewall
Install and setup ufw, an easy to use firewall manager:
apt install ufw ufw allow <ssh port> ufw allow "Nginx Full" # only if nginx is installed ufw enable
Storage Box
Configure access to the storage box for backups and media storage:
- Generate the ssh key to access the storage box:
ssh-keygen -t ed25519 -f ~/.ssh/storage-box
- Configure ssh:
vim ~/.ssh/config
. Enter the following:
Host <storage box hostname> User <username> Port 23 IdentityFile ~/.ssh/storage-box PreferredAuthentications publickey,password
- where <username> is the sub-account username for the storage box. For the storage box hostname, refer to our password store.
Finally, add your ssh key to the storage box:
ssh-copy-id -i ~/.ssh/storage-box <storage box hostname>
You should be asked for the storage box's password.
Autofs
In case you need to mount the storage box (for media, backups, etc.):
- Install autofs and sshfs:
apt install autofs sshfs
- Edit /etc/auto.master, and add the line:
/mnt/storage-box /etc/auto.sshfs --timeout=90,--ghost
- Create /etc/auto.sshfs with this content:
backup -fstype=fuse,rw :sshfs\#<storage box hostname>\:/home/backup
This will give us easy access to backup when things go wrong.
Optionaly, add a line for mounting a media directory (or anything else):
media -fstype=fuse,rw,allow_other :sshfs\#<storage box hostname>\:/home/media
Backups
Install and configure duplicity to backup the server. We encrypt the backups with a public/private key pair that we generate for this server. Duplicity needs to know the private key and the passphrase in order to compute the differences between the current state of the directory to backup and the latest backup.
Requirements
Install duplicity, paramiko and gpg:
apt install duplicity gpg python-pip python-setuptools && pip install -U paramiko
Credentials
Generate for the server a new key pair with a random passphrase, then import public keys to allow trusted people to decrypt the backups when needed.
Generate a key pair
- Create a file that will store the passphrase:
touch /root/gpg-duplicity.secret && chmod 600 /root/gpg-duplicity.secret
- Generate the passphrase:
openssl rand -base64 42 > /root/gpg-duplicity.secret
- Generate a GPG key pair:
gpg --quick-gen-key <itsquad email> ed25519 cert 0
. You'll be asked to enter twice the passphrase that you've generated. - Edit this GPG key pair to add a sub-key for encryption:
gpg --edit-key <key id>
. Then, enteraddkey
, and choose a RSA key for encryption (option #6). Entersave
to quit.
Note: Don't forget to add the GPG key id with the passphrase in our password store.
Import public keys
- On your local machine, generate a key pair (or reuse one of yours) and export it to a file:
gpg -a --export <key id> > <key file.pub>
- Copy this key on the server:
scp <key file.pub> root@<ip address or hostname>:~/
- Import the key:
gpg --import /root/<key file.pub>
- Trust the key:
gpg --edit-key <key id>
. Entertrust
, choose I trust ultimately then quit.
Configuration
Create a script file with the following content:
#!/bin/bash BACKUP_NAME=daily_<service name>_backup GPG_KEYS="<key id 1> [<key id 2> ...]" PASSPHRASE_FILE=/root/gpg-duplicity.secret RETRIES=3 PERIOD_FULL_BACKUP=1M MAX_FULL_BACKUPS=2 EXCLUDES= SOURCE=/dir/to/backup TARGETS="sftp://<target hostname 1>/path/to/backup sftp://<target hostname 2>/path/to/backup" export PASSPHRASE=$(/bin/cat "$PASSPHRASE_FILE") GPG_KEYS=$(for key in $GPG_KEYS; do echo -n "--encrypt-key $key "; done) EXCLUDES=$(for exclude in $EXCLUDES; do echo -n "--exclude $exclude "; done) for TARGET in $TARGETS; do TARGET_DOMAIN=$(cut -d '/' -f 3 <<< "$TARGET") BACKUP_NAME_TARGET="${BACKUP_NAME}_${TARGET_DOMAIN}" duplicity --full-if-older-than $PERIOD_FULL_BACKUP \ $GPG_KEYS \ --name $BACKUP_NAME_TARGET \ --num-retries $RETRIES \ $EXCLUDES \ $SOURCE $TARGET && \ duplicity remove-all-but-n-full $MAX_FULL_BACKUPS --force --name $BACKUP_NAME_TARGET $TARGET done
Then, create a cron task:
crontab -e @daily /root/<backup.sh> > /dev/null
SMTP relay
Configure a SMTP relay to forward cron errors to a PPBe inbox:
- Install msmtp:
apt install msmtp msmtp-mta
- Create the configuration /etc/msmtprc with this content:
defaults auth on tls on tls_trust_file /etc/ssl/certs/ca-certificates.crt logfile /var/log/msmtp.log account ahoy host mail.infomaniak.ch port 587 from <some account>@pirateparty.be user <some account>@pirateparty.be password <password> account default : ahoy aliases /etc/aliases
where <some account> is replaced by a dummy PPBe mail account (usually "ahoy")
Finally, create the file /etc/aliases with:
default: <some target email address>
Usually, mails are sent to the ITSquad, but you can first test the config with your own email address ;)
Try it out with this command:
echo test | sendmail <your email address>
Logs are stored in /var/log/msmtp.log