Set scripts to new run_directory norm

README.md

@@ -1,8 +1,26 @@
-# ISO Server
-This is the ancestor of NAS Server. It was both an FTP Server anda web server providing ISO images or things like that
-over network. Moreover, it was administrated by OpenMediaVault.
+# NAS Server (OBSOLETE)
+
+This repository contains files used to set up our NAS server on a freshly installed Armbian. Target is Bullseye.
+
+### Introduction
+The SBC used has a hard drive attached (SATA), which is the storage drive. This disk should be encrypted if needed.
+
+An FTP server is installed on the device, providing network access to authorized people.
 
 ### Setup
-The setup takes place in two parts:
-* `setup1.sh` setups OMV on a blank Armbian and then reboot
-* `setup2.sh` then configures the system specificaly for the ISO server
+##### Installation
+* `setup.sh` is a script automating the installation and configuration of required software.
+* `variables.conf.template` contains examples variables definitions, and should be copied locally to `variables.conf`
+  (with any required modifications).
+* `srv-nas.mount` is a systemd unit which, when started, will try to mount DATA drive.
+##### DL server
+* `transmission-daemon.service` is a replacement for default Transmission service file, with more settings.
+* `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise.
+* `transmission-vpn.service` is a service unit for above script.
+* `transmission-vpn.timer` is a timer which runs regularly above script.
+* `variables.conf.template` contains examples variables definitions, and should be copied locally to `variables.conf`
+  (with any required modifications).
+* `install.sh` script copies Systemd units to their destination, with correct values.
+
+### TODO
+* Add TLS cert generation to DL setup

dl-server/install.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+run_directory=$(dirname $(readlink -f "$0"))
+
+source "$run_directory/variables.conf"
+
+if [ -f $run_directory/.disabled ]; then
+  echo "Installation is disabled. Exiting..."
+  exit 0
+fi
+
+echo "Copying Systemd units to system directory..."
+sudo cp $run_directory/transmission-daemon.service /etc/systemd/system/
+sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
+sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
+sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
+sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
+sudo cp $run_directory/transmission-vpn.service /etc/systemd/system/
+sudo sed -i -e "s:PH_DIRECTORY:$(pwd):g" /etc/systemd/system/transmission-vpn.service
+sudo cp $run_directory/transmission-vpn.timer /etc/systemd/system/
+
+echo "Reloading Systemd..."
+sudo systemctl daemon-reload
+
+echo "Finished install. Exiting..."
+exit 0

dl-server/transmission-daemon.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Transmission BitTorrent Daemon (KTO)
+Wants=transmission-vpn.service
+BindsTo=transmission-vpn.timer
+After=network.target transmission-vpn.timer
+
+[Service]
+User=debian-transmission
+Type=notify
+ExecStart=/usr/bin/transmission-daemon -f --log-error -a PH_AUTHORIZED_ADDRESSES -C -t -u PH_USER -v PH_PASSWORD -w PH_DL_LOCATION
+ExecStop=/bin/kill -s STOP $MAINPID
+ExecReload=/bin/kill -s HUP $MAINPID
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target

dl-server/transmission-vpn.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Make sure VPN is active for Transmission
+OnFailure=transmission-daemon.service
+
+[Service]
+ExecStart=PH_DIRECTORY/transmission-vpn.sh
+
+[Install]
+WantedBy=default.target

dl-server/transmission-vpn.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# The purpose of this script is to check if VPN connection is active
+# This script will be called (via a service) in 2 situations:
+  # On a regular basis when transmission is running
+    # This will be achieved with a timer started and stopped with transmission service
+  # On transmission starting
+# When the script exits with failure, associated service should try to start transmission service
+# Thus this script will be executed again
+  # We can enter an infinite loop, but this will effectively prevent transmission from connecting
+# If both services are stopped, this script will never be run by error
+
+run_directory=$(dirname $(readlink -f "$0"))
+source "$run_directory/variables.conf"
+
+# Parameters
+myip_request="curl -s -4 https://ifconfig.co"
+vpn_service="openvpn-client@vpn.service"
+transmission_service="transmission-daemon.service"
+
+# Main process
+ip=$($myip_request)
+if [[ $ip = $real_ip ]]; then
+  systemctl stop $transmission_service
+  systemctl stop $vpn_service
+  sleep 3
+  systemctl start $vpn_service
+  sleep 5
+  exit 1
+elif [[ $ip =~ (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} ]]; then
+  exit 0
+else
+  exit 1
+fi

dl-server/transmission-vpn.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Regular check for VPN while Transmission is running
+BindsTo=transmission-daemon.service
+
+[Timer]
+OnUnitInactiveSec=10m
+
+[Install]
+WantedBy=default.target

dl-server/variables.conf.template

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# Copy this file as variables.conf, with the correct values
+
+real_ip="" # for VPN check
+authorized_ips="" # for transmission web interface
+user="" # user for transmission web interface
+password="" # password for transmission web interface
+dl_location="" # location of Downloads directory

setup.sh

@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+
+# The purpose of this script is to setup our NAS server on a blank Armbian.
+# This script is to be run as root.
+
+# (Keep in mind that default root password is 1234)
+# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
+
+# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
+
+source "$run_directory/variables.conf"
+
+# Functions
+init() {
+  echo "Starting initialization"
+  echo $fqdn > /etc/hostname
+  localectl set-keymap $keymap
+  timedatectl set-timezone $timezone
+  systemctl disable apt-daily-upgrade.timer
+}
+
+install_packages() {
+  echo "Starting packages installation"
+  sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
+  apt update
+  apt upgrade -y
+  packages_to_install="vim tree tmux neofetch cryptsetup clevis clevis-luks clevis-systemd"
+  if [ "$dl_server" = "yes" ]; then
+    packages_to_install+=" openvpn transmission-daemon"
+  fi
+  if [ "$upnp_server" = "yes" ]; then
+    packages_to_install+=" minidlna"
+  fi
+  if [ "$ftp_server" = "yes" ]; then
+    packages_to_install+=" vsftpd"
+  fi
+  apt install -y $packages_to_install
+}
+
+add_users() {
+  echo "Adding users"
+  useradd -U -G sudo -m -s /bin/bash $user
+  chmod 700 /home/$user
+  echo "Let's define a password for $user as we are about to run sudo with it. It can of course be changed after setup."
+  passwd $user
+}
+
+get_sync() {
+  echo "Getting and deploying sync configuration"
+  sudo -H -u $user mkdir $sync_directory_path
+  sudo -H -u $user git clone https://gitea.kto.black/adminconf/rcs-general.git $sync_directory_path/rcs-general
+  sudo -H -u $user $sync_directory_path/rcs-general/install.sh
+  sudo -H -u $user git clone https://gitea.kto.black/adminconf/conf-sync.git $sync_directory_path/conf-sync
+  sudo -H -u $user cp $sync_directory_path/conf-sync/variables.conf.template \
+    $sync_directory_path/conf-sync/variables.conf
+  sudo -H -u $user sed -i -e "s/\"desktop\"/\"server\"/g" $sync_directory_path/conf-sync/variables.conf
+  sudo -H -u $user $sync_directory_path/conf-sync/install.sh
+  sudo -H -u $user git clone https://gitea.kto.black/adminconf/nas-server.git $sync_directory_path/nas-server
+}
+
+ssh_pubkey() {
+  echo "Getting SSH public key"
+  sudo -H -u $user mkdir /home/$user/.ssh
+  sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
+  sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
+}
+
+set_sshd_conf() {
+  echo "Editing OpenSSH daemon config..."
+  sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+  sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
+}
+
+set_vsftpd() {
+  if [ "$ftp_server" != "yes" ]; then
+    return 0
+  fi
+  echo "Setting vsftpd config"
+  mkdir $nas_root
+  chown $user:users $nas_root
+  echo "nascrypt /dev/sda none noauto" >> /etc/crypttab
+  sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
+  sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
+  # The two lines below set up TLS wrapping with a self-signed certificate, which causes issues with clients
+  #sed -i -e "s/ssl_enable=NO/ssl_enable=YES/g" /etc/vsftpd.conf
+  #openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -subj "/C=/ST=/L=/O=/OU=/CN="
+}
+
+# Only run if the user is root
+if [[ $USER != 'root' ]] ; then
+  echo "You must run this script as root!"
+  exit 1
+fi
+
+run_directory_path=$(pwd)
+
+# Set parameters
+fqdn='hk1.jab.kto.black'
+keymap='fr'
+timezone='Europe/Paris'
+deb_apt_default_repo='deb.debian.org' # TODO check
+deb_apt_repo='ftp.fr.debian.org'
+user='alex'
+sync_directory_path="/home/$user/.sync"
+systemd_units_path='/etc/systemd/system'
+remote_pubkey_location='https://keys.kto.black'
+remote_pubkey='home.pub'
+nas_root='/srv/nas'
+
+# Main process
+# You should comment below what you do not want to happen
+init
+install_packages
+add_users
+get_sync
+ssh_pubkey
+set_sshd_conf
+set_vsftpd
+
+echo ""
+echo "We're all good here!"
+echo "You should now:"
+echo "* set $user's password"
+echo "* lock root account"
+echo "* remove $run_directory_path content"
+if [ "$dl_server" = "yes" ]; then
+  echo "* get the OpenVPN configuration file, move it to /etc/openvpn/client/vpn.conf"
+  echo "  * and add at \`auth-user-pass\`: auth.txt"
+  echo "  * create said auth.txt with VPN login and password (on two rows)"
+fi
+echo "* reboot the SBC"
+echo "And perhaps:"
+echo "* set htop at your convenience"
+echo "* remove password for sudo" # TODO we should automate that, with a flag
+echo "* use below commands to edit SSH config:"
+echo "    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
+echo "    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
+echo "* register an encrypted volume to a tang server"
+
+exit 0

setup1.sh

@@ -1,59 +0,0 @@
-#!/bin/bash
-
-# The purpose of this script is to setup OMV on a blank Armbian.
-# This script is to be run as root.
-
-# (Keep in mind that default root password is 1234)
-# Flash SBC's SD with Armbian and copy this script as well as setup2.sh (depending of usage) and conf-sync.sh to /root
-
-# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
-
-# Functions
-init() {
-  echo "Starting initialization"
-  echo $hostname > /etc/hostname
-  sed -i -e "s/=default_hostname/$fqdn $hostname/g" /etc/hosts
-  localectl set-keymap $keymap
-  timedatectl set-timezone $timezone
-  systemctl disable apt-daily-upgrade.timer
-}
-
-install_packages() {
-  echo "Starting packages installation"
-  sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
-  apt update
-  apt upgrade -y
-  apt install -y vim tree tmux neofetch
-}
-
-install_omv() { # This step ends on a reboot, so we part the script here
-  wget $omv_install_script_link
-  chmod u+x $run_directory_path/install
-  bash $run_directory_path/install
-}
-
-# Only run if the user is root
-if [[ $USER != 'root' ]] ; then
-  echo "You must run this script as root!"
-  exit 1
-fi
-
-run_directory_path=$(pwd)
-
-# Set parameters
-default_hostname='odroidxu4'
-hostname='hk1'
-fqdn='hk1.kto.black'
-keymap='fr'
-timezone='Europe/Paris'
-deb_apt_default_repo='httpredir.debian.org'
-deb_apt_repo='ftp.fr.debian.org'
-omv_install_script_link='https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install'
-
-# Main process
-# You should comment below what you do not want to happen
-init
-install_packages
-install_omv
-
-exit 0

setup2.sh

@@ -1,109 +0,0 @@
-#!/bin/bash
-
-# The purpose of this script is to setup our ISO server on a blank Armbian.
-# This script is to be run as root.
-# This script runs AFTER setup1.sh, which installs OMV and reboots the system
-
-# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
-
-# Functions
-set_hostname() {
-  echo $fqdn > /etc/hostname
-}
-
-install_packages() { # TODO these packages do not seem to exist as of 2021/10/10
-  echo "Starting packages installation"
-  apt install -y openmediavault-luksencryption openmediavault-downloader
-}
-
-add_users() {
-  echo "Adding users"
-  useradd -N -g users -G sudo,ssh,openmediavault-admin -m -s /bin/bash $user
-  chmod 700 /home/$user
-}
-
-set_sudo_conf() { # TODO that doesn't seem to work
-  echo "Setting sudo configuration"
-  sed -i -e "s/%sudo   ALL=(ALL:ALL) ALL/%sudo   ALL=(ALL:ALL) NOPASSWD: ALL/g" /etc/sudoers
-}
-
-get_conf() {
-  echo "Getting configuration"
-  sudo -H -u $user mkdir $sync_directory_path
-  cp $run_directory_path/conf-sync.sh $sync_directory_path/
-  chown $user:users $sync_directory_path/conf-sync.sh
-  sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
-  sudo -H -u $user $sync_directory_path/conf-sync.sh
-}
-
-set_conf() {
-  echo "Setting configuration"
-  #sudo -H -u $user chmod uo+x $sync_directory_path/clean-cloud.sh $sync_directory_path/scan-to-cloud.sh
-  ln -s $sync_directory_path/*.service $systemd_units_path/
-  ln -s $sync_directory_path/*.timer $systemd_units_path/
-  #ln -s $sync_directory_path/*.socket $systemd_units_path/
-  #ln -s $sync_directory_path/*.mount $systemd_units_path/
-  #ln -s $sync_directory_path/*.path $systemd_units_path/
-  systemctl daemon-reload
-  systemctl enable conf-sync.timer
-}
-
-rcs_links() {
-  echo "Linking rcs"
-  rm /home/$user/.bashrc
-  rm /root/.bashrc
-  sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
-  ln -s /home/$user/.bashrc /root/.bashrc
-  sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
-  ln -s /home/$user/.vimrc /root/.vimrc
-}
-
-ssh_pubkey() {
-  echo "Getting SSH public key"
-  sudo -H -u $user mkdir /home/$user/.ssh
-  sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
-  sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
-}
-
-# Only run if the user is root
-if [[ $USER != 'root' ]] ; then
-  echo "You must run this script as root!"
-  exit 1
-fi
-
-run_directory_path=$(pwd)
-
-# Set parameters
-fqdn='hk1.kto.black'
-user='alex'
-sync_directory_path="/home/$user/.sync"
-systemd_units_path='/etc/systemd/system'
-remote_pubkey_location='https://keys.kto.black'
-remote_pubkey='home.pub'
-
-# Main process
-# You should comment below what you do not want to happen
-set_hostname
-install_packages
-add_users
-set_sudo_conf
-get_conf
-set_conf
-rcs_links
-ssh_pubkey
-
-echo ""
-echo "We're all good here!"
-echo "You should now:"
-echo "* set $user's password"
-echo "* lock root and admin accounts"
-echo "* remove $run_directory_path content"
-echo "* reboot the SBC"
-echo "* go to http://$fqdn/ to set up Openmediavault"
-echo "* set up lighttpd"
-echo "And perhaps:"
-echo "* set htop at your convenience"
-echo "* use below commands to edit SSH config:"
-echo "    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
-echo "    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config" # NOTE This one is different from the others, because of OMV setup
-exit 0

srv-nas.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Mount NAS Volume
+# Below Requisite could be a Wants
+Wants=systemd-cryptsetup@nascrypt.service
+After=systemd-cryptsetup@nascrypt.service
+
+[Mount]
+What=/dev/mapper/nascrypt
+Where=/srv/nas
+Options=rw,relatime

variables.conf.template

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+# Copy this file as variables.conf, with the correct values
+
+dl_server="no"
+ftp_server="no"
+upnp_server="no"