Compare commits

...
This repository has been archived on 2023-08-13. You can view files and clone it, but cannot push or open issues or pull requests.

22 Commits

Author SHA1 Message Date
caafba2ed2 Add right type to transmission-vpn.service 2023-02-19 16:45:27 +01:00
2798e786a9 Fix: add new file for previous commit 2023-02-12 18:05:09 +01:00
24e1a6221a Add timer for transmission-daemon at boot 2023-02-12 18:04:11 +01:00
5722bc62da Change behaviour of transmission at start (so that cannot start without VPN) 2023-02-12 17:37:38 +01:00
9f3b607414 Replaces Wants transmission-vpn.service by Requires in transmission-daemon.service 2023-02-12 13:34:18 +01:00
e35d7400c6 Change default path for Filebrowser DB 2023-02-11 16:59:56 +01:00
ec3f7c7bdf Change VPN timer to 5min 2023-01-08 17:09:20 +01:00
6b29e8ff3f Add support for providing other certificate 2022-11-16 18:28:13 +01:00
d433f0d04f Correct error in install script 2022-11-12 15:30:45 +01:00
011243f863 Replace localhost by loopback address in Nginx blocks 2022-11-11 12:36:33 +01:00
aac6bc62ea Set scripts to new run_directory norm 2022-09-22 18:55:15 +02:00
856281d1fd Update README 2022-09-18 11:57:20 +02:00
321f92e962 Fix port error in Nginx Transmission block 2022-09-16 20:29:33 +02:00
3e33da0710 Fix typo in install script 2022-09-16 20:25:23 +02:00
30a35759ca Add root directory to File Browser service unit 2022-09-16 18:31:45 +02:00
890c2bd030 Update README 2022-09-16 18:23:51 +02:00
a147a1655d Fix error in File Browser service unit 2022-09-16 18:23:43 +02:00
3681d1d026 Add force flag to 'ln's 2022-09-16 15:10:27 +02:00
fe02477074 Fix sed error in install script 2022-09-16 15:09:16 +02:00
d6c3cfdbd3 Fix few errors in install script 2022-09-16 15:07:51 +02:00
725512cd85 Big review 2022-09-16 15:00:38 +02:00
bc3f4e3591 First step for big review 2022-09-16 13:57:20 +02:00
16 changed files with 183 additions and 207 deletions

View File

@ -1,26 +1,39 @@
# NAS Server # NAS Server
This repository contains files used to set up our NAS server on a freshly installed Armbian. Target is Bullseye. This repository contains files used to set up our NAS server on Debian. Target is Bullseye.
### Introduction ### Introduction
The SBC used has a hard drive attached (SATA), which is the storage drive. This disk should be encrypted if needed. The idea is to provide the following features, chosen at install:
* a web interface for file management with [File Browser](https://github.com/filebrowser/filebrowser);
* a DLNA server with MiniDLNA;
* a BitTorrent client with Transmission, which comes with a server web interface;
* a VPN client with OpenVPN;
* a FTP server with vsftpd.
In addition, Nginx is used to provide HTTPS proxy to File Browser and Transmission
An FTP server is installed on the device, providing network access to authorized people. ### Requirements
The following list of packages must be installed manually (depending on which features are needed):
```transmission-daemon minidlna openvpn nginx vsftpd```
File Browser must be installed manually at `/usr/local/bin/filebrowser`.
### Setup A "NAS user" should be defined, owner of the NAS root directory: This user shall run some of above services.
##### Installation
* `setup.sh` is a script automating the installation and configuration of required software. If using Transmission, you need to set an OpenVPN connection config as `vpn`.
* `variables.conf.template` contains examples variables definitions, and should be copied locally to `variables.conf`
(with any required modifications). ### File Browser init
* `srv-nas.mount` is a systemd unit which, when started, will try to mount DATA drive. If using File Browser, it should be initiated first:
##### DL server ```
* `transmission-daemon.service` is a replacement for default Transmission service file, with more settings. sudo -u <nas-user> filebrowser -d <nas>/filebrowser.db --username <admin>
```
### Files
* `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise. * `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise.
* `transmission-vpn.service` is a service unit for above script. * `variables.conf.template` contains examples of variables definitions, and should be copied locally to `variables.conf`
* `transmission-vpn.timer` is a timer which runs regularly above script.
* `variables.conf.template` contains examples variables definitions, and should be copied locally to `variables.conf`
(with any required modifications). (with any required modifications).
* `systemd-templates/` contains Systemd units templates for all the services.
* `nginx-blocks/` contains Nginx configuration blocks.
##### Installation
* `install.sh` script copies Systemd units to their destination, with correct values. * `install.sh` script copies Systemd units to their destination, with correct values.
### TODO ### TODO
* Add TLS cert generation to DL setup * RAS

View File

@ -1,26 +0,0 @@
#!/usr/bin/env bash
run_directory=$(dirname "$0")
source "$run_directory/variables.conf"
if [ -f $run_directory/.disabled ]; then
echo "Installation is disabled. Exiting..."
exit 0
fi
echo "Copying Systemd units to system directory..."
sudo cp $run_directory/transmission-daemon.service /etc/systemd/system/
sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
sudo cp $run_directory/transmission-vpn.service /etc/systemd/system/
sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-vpn.service
sudo cp $run_directory/transmission-vpn.timer /etc/systemd/system/
echo "Reloading Systemd..."
sudo systemctl daemon-reload
echo "Finished install. Exiting..."
exit 0

View File

@ -1,9 +0,0 @@
#!/usr/bin/env bash
# Copy this file as variables.conf, with the correct values
real_ip="" # for VPN check
authorized_ips="" # for transmission web interface
user="" # user for transmission web interface
password="" # password for transmission web interface
dl_location="" # location of Downloads directory

76
install.sh Executable file
View File

@ -0,0 +1,76 @@
#!/usr/bin/env bash
run_directory=$(dirname $(readlink -f "$0"))
user=$(whoami)
source "$run_directory/variables.conf"
if [ -f $run_directory/.disabled ]; then
echo "Installation is disabled. Exiting..."
exit 0
fi
if [[ $user != 'root' ]]; then
sudo="sudo"
else
sudo=""
fi
echo "Copying Systemd units to system directory..."
if [ ! -f $crt_path ]; then
$sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $crt_path -keyout $key_path \
-subj "/C=/ST=/L=/O=/OU=/CN="
fi
if [ -d /etc/nginx ]; then
$sudo cp $run_directory/nginx-blocks/0-http-redirect /etc/nginx/sites-available/0-http-redirect
$sudo ln -sf ../sites-available/0-http-redirect /etc/nginx/sites-enabled/0-http-redirect
fi
if [ "$filebrowser" = "yes" ]; then
$sudo cp $run_directory/systemd-templates/filebrowser.service /etc/systemd/system/
$sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/filebrowser.service
$sudo sed -i -e "s:PH_NAS_DIRECTORY:$nas_location:g" /etc/systemd/system/filebrowser.service
$sudo cp $run_directory/nginx-blocks/filebrowser /etc/nginx/sites-available/filebrowser
$sudo sed -i -e "s/PH_SRVNAME/$filebrowser_server_name/g" /etc/nginx/sites-available/filebrowser
$sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/filebrowser
$sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/filebrowser
$sudo ln -sf ../sites-available/filebrowser /etc/nginx/sites-enabled/filebrowser
fi
if [ "$dlna_server" = "yes" ]; then
$sudo sed -i -e "s:media_dir=/var/lib/minidlna:media_dir=$nas_location:g" /etc/minidlna.conf
$sudo sed -i -e "s:#friendly_name=:friendly_name=$(hostname -s):g" /etc/minidlna.conf
fi
if [ "$dl_server" = "yes" ]; then
$sudo cp $run_directory/systemd-templates/transmission-daemon.service /etc/systemd/system/
$sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
$sudo cp $run_directory/systemd-templates/transmission-daemon.timer /etc/systemd/system/
$sudo cp $run_directory/systemd-templates/transmission-vpn.service /etc/systemd/system/
$sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-vpn.service
$sudo cp $run_directory/systemd-templates/transmission-vpn.timer /etc/systemd/system/
$sudo cp $run_directory/nginx-blocks/transmission /etc/nginx/sites-available/transmission
$sudo sed -i -e "s/PH_SRVNAME/$transmission_server_name/g" /etc/nginx/sites-available/transmission
$sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/transmission
$sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/transmission
$sudo ln -sf ../sites-available/transmission /etc/nginx/sites-enabled/transmission
$sudo systemctl disable transmission-daemon.service
$sudo systemctl enable transmission-daemon.timer
fi
if [ "$ftp_server" = "yes" ]; then
$sudo sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
$sudo sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
fi
echo "Reloading Systemd..."
sudo systemctl daemon-reload
echo "Finished install. Exiting..."
exit 0

View File

@ -0,0 +1,4 @@
server {
listen 80;
return 301 https://$host$request_uri;
}

12
nginx-blocks/filebrowser Normal file
View File

@ -0,0 +1,12 @@
server {
listen 443 ssl;
server_name PH_SRVNAME;
ssl_certificate PH_CRT;
ssl_certificate_key PH_KEY;
location / {
proxy_pass http://127.0.0.1:8080;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
}

12
nginx-blocks/transmission Normal file
View File

@ -0,0 +1,12 @@
server {
listen 443 ssl;
server_name PH_SRVNAME;
ssl_certificate PH_CRT;
ssl_certificate_key PH_KEY;
location / {
proxy_pass http://127.0.0.1:9091;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
}

140
setup.sh
View File

@ -1,140 +0,0 @@
#!/usr/bin/env bash
# The purpose of this script is to setup our NAS server on a blank Armbian.
# This script is to be run as root.
# (Keep in mind that default root password is 1234)
# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
source "$run_directory/variables.conf"
# Functions
init() {
echo "Starting initialization"
echo $fqdn > /etc/hostname
localectl set-keymap $keymap
timedatectl set-timezone $timezone
systemctl disable apt-daily-upgrade.timer
}
install_packages() {
echo "Starting packages installation"
sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
apt update
apt upgrade -y
packages_to_install="vim tree tmux neofetch cryptsetup clevis clevis-luks clevis-systemd"
if [ "$dl_server" = "yes" ]; then
packages_to_install+=" openvpn transmission-daemon"
fi
if [ "$upnp_server" = "yes" ]; then
packages_to_install+=" minidlna"
fi
if [ "$ftp_server" = "yes" ]; then
packages_to_install+=" vsftpd"
fi
apt install -y $packages_to_install
}
add_users() {
echo "Adding users"
useradd -U -G sudo -m -s /bin/bash $user
chmod 700 /home/$user
echo "Let's define a password for $user as we are about to run sudo with it. It can of course be changed after setup."
passwd $user
}
get_sync() {
echo "Getting and deploying sync configuration"
sudo -H -u $user mkdir $sync_directory_path
sudo -H -u $user git clone https://gitea.kto.black/adminconf/rcs-general.git $sync_directory_path/rcs-general
sudo -H -u $user $sync_directory_path/rcs-general/install.sh
sudo -H -u $user git clone https://gitea.kto.black/adminconf/conf-sync.git $sync_directory_path/conf-sync
sudo -H -u $user cp $sync_directory_path/conf-sync/variables.conf.template \
$sync_directory_path/conf-sync/variables.conf
sudo -H -u $user sed -i -e "s/\"desktop\"/\"server\"/g" $sync_directory_path/conf-sync/variables.conf
sudo -H -u $user $sync_directory_path/conf-sync/install.sh
sudo -H -u $user git clone https://gitea.kto.black/adminconf/nas-server.git $sync_directory_path/nas-server
}
ssh_pubkey() {
echo "Getting SSH public key"
sudo -H -u $user mkdir /home/$user/.ssh
sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
}
set_sshd_conf() {
echo "Editing OpenSSH daemon config..."
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
}
set_vsftpd() {
if [ "$ftp_server" != "yes" ]; then
return 0
fi
echo "Setting vsftpd config"
mkdir $nas_root
chown $user:users $nas_root
echo "nascrypt /dev/sda none noauto" >> /etc/crypttab
sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
# The two lines below set up TLS wrapping with a self-signed certificate, which causes issues with clients
#sed -i -e "s/ssl_enable=NO/ssl_enable=YES/g" /etc/vsftpd.conf
#openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -subj "/C=/ST=/L=/O=/OU=/CN="
}
# Only run if the user is root
if [[ $USER != 'root' ]] ; then
echo "You must run this script as root!"
exit 1
fi
run_directory_path=$(pwd)
# Set parameters
fqdn='hk1.jab.kto.black'
keymap='fr'
timezone='Europe/Paris'
deb_apt_default_repo='deb.debian.org' # TODO check
deb_apt_repo='ftp.fr.debian.org'
user='alex'
sync_directory_path="/home/$user/.sync"
systemd_units_path='/etc/systemd/system'
remote_pubkey_location='https://keys.kto.black'
remote_pubkey='home.pub'
nas_root='/srv/nas'
# Main process
# You should comment below what you do not want to happen
init
install_packages
add_users
get_sync
ssh_pubkey
set_sshd_conf
set_vsftpd
echo ""
echo "We're all good here!"
echo "You should now:"
echo "* set $user's password"
echo "* lock root account"
echo "* remove $run_directory_path content"
if [ "$dl_server" = "yes" ]; then
echo "* get the OpenVPN configuration file, move it to /etc/openvpn/client/vpn.conf"
echo " * and add at \`auth-user-pass\`: auth.txt"
echo " * create said auth.txt with VPN login and password (on two rows)"
fi
echo "* reboot the SBC"
echo "And perhaps:"
echo "* set htop at your convenience"
echo "* remove password for sudo" # TODO we should automate that, with a flag
echo "* use below commands to edit SSH config:"
echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
echo " sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
echo "* register an encrypted volume to a tang server"
exit 0

View File

@ -1,10 +0,0 @@
[Unit]
Description=Mount NAS Volume
# Below Requisite could be a Wants
Wants=systemd-cryptsetup@nascrypt.service
After=systemd-cryptsetup@nascrypt.service
[Mount]
What=/dev/mapper/nascrypt
Where=/srv/nas
Options=rw,relatime

View File

@ -0,0 +1,10 @@
[Unit]
Description=File Browser web interface
[Service]
User=PH_NAS_USER
Type=simple
ExecStart=/usr/local/bin/filebrowser -d PH_NAS_DIRECTORY/PH_NAS_USER/filebrowser.db -r PH_NAS_DIRECTORY
[Install]
WantedBy=default.target

View File

@ -1,16 +1,16 @@
[Unit] [Unit]
Description=Transmission BitTorrent Daemon (KTO) Description=Transmission BitTorrent Daemon (KTO)
Wants=transmission-vpn.service
BindsTo=transmission-vpn.timer BindsTo=transmission-vpn.timer
After=network.target transmission-vpn.timer After=network.target transmission-vpn.timer
[Service] [Service]
User=debian-transmission User=PH_NAS_USER
Type=notify Type=notify
ExecStartPre=PH_DIRECTORY/transmission-vpn.sh
ExecStart=/usr/bin/transmission-daemon -f --log-error -a PH_AUTHORIZED_ADDRESSES -C -t -u PH_USER -v PH_PASSWORD -w PH_DL_LOCATION ExecStart=/usr/bin/transmission-daemon -f --log-error -a PH_AUTHORIZED_ADDRESSES -C -t -u PH_USER -v PH_PASSWORD -w PH_DL_LOCATION
ExecStop=/bin/kill -s STOP $MAINPID ExecStop=/bin/kill -s STOP $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID ExecReload=/bin/kill -s HUP $MAINPID
NoNewPrivileges=true NoNewPrivileges=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=default.target

View File

@ -0,0 +1,8 @@
[Unit]
Description=Wait 1m before starting Transmission at boot
[Timer]
OnBootSec=1m
[Install]
WantedBy=default.target

View File

@ -3,6 +3,7 @@ Description=Make sure VPN is active for Transmission
OnFailure=transmission-daemon.service OnFailure=transmission-daemon.service
[Service] [Service]
Type=oneshot
ExecStart=PH_DIRECTORY/transmission-vpn.sh ExecStart=PH_DIRECTORY/transmission-vpn.sh
[Install] [Install]

View File

@ -3,7 +3,7 @@ Description=Regular check for VPN while Transmission is running
BindsTo=transmission-daemon.service BindsTo=transmission-daemon.service
[Timer] [Timer]
OnUnitInactiveSec=10m OnUnitInactiveSec=5m
[Install] [Install]
WantedBy=default.target WantedBy=default.target

View File

@ -5,11 +5,13 @@
# This will be achieved with a timer started and stopped with transmission service # This will be achieved with a timer started and stopped with transmission service
# On transmission starting # On transmission starting
# When the script exits with failure, associated service should try to start transmission service # When the script exits with failure, associated service should try to start transmission service
# NOTE not on transmission starting, as this script is not run by its service; it means there's an issue with VPN at
# start, and this should be looked at manually
# Thus this script will be executed again # Thus this script will be executed again
# We can enter an infinite loop, but this will effectively prevent transmission from connecting # We can enter an infinite loop, but this will effectively prevent transmission from connecting
# If both services are stopped, this script will never be run by error # If both services are stopped, this script will never be run by error
run_directory=$(dirname "$0") run_directory=$(dirname $(readlink -f "$0"))
source "$run_directory/variables.conf" source "$run_directory/variables.conf"
# Parameters # Parameters

View File

@ -2,6 +2,29 @@
# Copy this file as variables.conf, with the correct values # Copy this file as variables.conf, with the correct values
dl_server="no" nas_location=""
nas_user=""
# Paths to X509 certificate and key
# If they do not exist, they will be created as a self-singed certificate
crt_path="/etc/ssl/cert.crt"
key_path="/etc/ssl/cert.key"
# Set up File Browser
filebrowser="yes"
filebrowser_server_name="files.$(hostname)"
# Set up MiniDLNA
dlna_server="yes"
# Set up Transmission and OpenVPN
dl_server="yes"
transmission_server_name="dl.$(hostname)"
real_ip="" # for VPN check
authorized_ips="" # for transmission web interface
user="" # user for transmission web interface
password="" # password for transmission web interface
dl_location="" # location of Downloads directory
# Set up vsftpd
ftp_server="no" ftp_server="no"
upnp_server="no"