Add right type to transmission-vpn.service

README.md

@@ -1,8 +1,39 @@
-# ISO Server
-This is the ancestor of NAS Server. It was both an FTP Server anda web server providing ISO images or things like that
-over network. Moreover, it was administrated by OpenMediaVault.
+# NAS Server
 
-### Setup
-The setup takes place in two parts:
-* `setup1.sh` setups OMV on a blank Armbian and then reboot
-* `setup2.sh` then configures the system specificaly for the ISO server
+This repository contains files used to set up our NAS server on Debian. Target is Bullseye.
+
+### Introduction
+The idea is to provide the following features, chosen at install:
+* a web interface for file management with [File Browser](https://github.com/filebrowser/filebrowser);
+* a DLNA server with MiniDLNA;
+* a BitTorrent client with Transmission, which comes with a server web interface;
+* a VPN client with OpenVPN;
+* a FTP server with vsftpd.
+In addition, Nginx is used to provide HTTPS proxy to File Browser and Transmission
+
+### Requirements
+The following list of packages must be installed manually (depending on which features are needed):
+```transmission-daemon minidlna openvpn nginx vsftpd```
+File Browser must be installed manually at `/usr/local/bin/filebrowser`.
+
+A "NAS user" should be defined, owner of the NAS root directory: This user shall run some of above services.
+
+If using Transmission, you need to set an OpenVPN connection config as `vpn`.
+
+### File Browser init
+If using File Browser, it should be initiated first:
+```
+sudo -u <nas-user> filebrowser -d <nas>/filebrowser.db --username <admin>
+```
+
+### Files
+* `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise.
+* `variables.conf.template` contains examples of variables definitions, and should be copied locally to `variables.conf`
+  (with any required modifications).
+* `systemd-templates/` contains Systemd units templates for all the services.
+* `nginx-blocks/` contains Nginx configuration blocks.
+##### Installation
+* `install.sh` script copies Systemd units to their destination, with correct values.
+
+### TODO
+* RAS

install.sh

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+run_directory=$(dirname $(readlink -f "$0"))
+user=$(whoami)
+
+source "$run_directory/variables.conf"
+
+if [ -f $run_directory/.disabled ]; then
+  echo "Installation is disabled. Exiting..."
+  exit 0
+fi
+
+if [[ $user != 'root' ]]; then
+  sudo="sudo"
+else
+  sudo=""
+fi
+
+echo "Copying Systemd units to system directory..."
+
+if [ ! -f $crt_path ]; then
+  $sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $crt_path -keyout $key_path \
+    -subj "/C=/ST=/L=/O=/OU=/CN="
+fi
+if [ -d /etc/nginx ]; then
+  $sudo cp $run_directory/nginx-blocks/0-http-redirect /etc/nginx/sites-available/0-http-redirect
+  $sudo ln -sf ../sites-available/0-http-redirect /etc/nginx/sites-enabled/0-http-redirect
+fi
+
+if [ "$filebrowser" = "yes" ]; then
+  $sudo cp $run_directory/systemd-templates/filebrowser.service /etc/systemd/system/
+  $sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/filebrowser.service
+  $sudo sed -i -e "s:PH_NAS_DIRECTORY:$nas_location:g" /etc/systemd/system/filebrowser.service
+  $sudo cp $run_directory/nginx-blocks/filebrowser /etc/nginx/sites-available/filebrowser
+  $sudo sed -i -e "s/PH_SRVNAME/$filebrowser_server_name/g" /etc/nginx/sites-available/filebrowser
+  $sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/filebrowser
+  $sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/filebrowser
+  $sudo ln -sf ../sites-available/filebrowser /etc/nginx/sites-enabled/filebrowser
+fi
+
+if [ "$dlna_server" = "yes" ]; then
+  $sudo sed -i -e "s:media_dir=/var/lib/minidlna:media_dir=$nas_location:g" /etc/minidlna.conf
+  $sudo sed -i -e "s:#friendly_name=:friendly_name=$(hostname -s):g" /etc/minidlna.conf
+fi
+
+if [ "$dl_server" = "yes" ]; then
+  $sudo cp $run_directory/systemd-templates/transmission-daemon.service /etc/systemd/system/
+  $sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/transmission-daemon.service
+  $sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-daemon.service
+  $sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
+  $sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
+  $sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
+  $sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
+  $sudo cp $run_directory/systemd-templates/transmission-daemon.timer /etc/systemd/system/
+  $sudo cp $run_directory/systemd-templates/transmission-vpn.service /etc/systemd/system/
+  $sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-vpn.service
+  $sudo cp $run_directory/systemd-templates/transmission-vpn.timer /etc/systemd/system/
+  $sudo cp $run_directory/nginx-blocks/transmission /etc/nginx/sites-available/transmission
+  $sudo sed -i -e "s/PH_SRVNAME/$transmission_server_name/g" /etc/nginx/sites-available/transmission
+  $sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/transmission
+  $sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/transmission
+  $sudo ln -sf ../sites-available/transmission /etc/nginx/sites-enabled/transmission
+  $sudo systemctl disable transmission-daemon.service
+  $sudo systemctl enable transmission-daemon.timer
+fi
+
+if [ "$ftp_server" = "yes" ]; then
+  $sudo sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
+  $sudo sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
+fi
+
+echo "Reloading Systemd..."
+sudo systemctl daemon-reload
+
+echo "Finished install. Exiting..."
+exit 0

nginx-blocks/0-http-redirect

@@ -0,0 +1,4 @@
+server {
+  listen  80;
+  return  301 https://$host$request_uri;
+}

nginx-blocks/filebrowser

@@ -0,0 +1,12 @@
+server {
+  listen              443 ssl;
+  server_name         PH_SRVNAME;
+
+  ssl_certificate     PH_CRT;
+  ssl_certificate_key PH_KEY;
+
+  location / {
+    proxy_pass                            http://127.0.0.1:8080;
+    add_header Strict-Transport-Security  "max-age=31536000; includeSubDomains";
+  }
+}

nginx-blocks/transmission

@@ -0,0 +1,12 @@
+server {
+  listen              443 ssl;
+  server_name         PH_SRVNAME;
+
+  ssl_certificate     PH_CRT;
+  ssl_certificate_key PH_KEY;
+
+  location / {
+    proxy_pass                            http://127.0.0.1:9091;
+    add_header Strict-Transport-Security  "max-age=31536000; includeSubDomains";
+  }
+}

setup1.sh

@@ -1,59 +0,0 @@
-#!/bin/bash
-
-# The purpose of this script is to setup OMV on a blank Armbian.
-# This script is to be run as root.
-
-# (Keep in mind that default root password is 1234)
-# Flash SBC's SD with Armbian and copy this script as well as setup2.sh (depending of usage) and conf-sync.sh to /root
-
-# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
-
-# Functions
-init() {
-  echo "Starting initialization"
-  echo $hostname > /etc/hostname
-  sed -i -e "s/=default_hostname/$fqdn $hostname/g" /etc/hosts
-  localectl set-keymap $keymap
-  timedatectl set-timezone $timezone
-  systemctl disable apt-daily-upgrade.timer
-}
-
-install_packages() {
-  echo "Starting packages installation"
-  sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
-  apt update
-  apt upgrade -y
-  apt install -y vim tree tmux neofetch
-}
-
-install_omv() { # This step ends on a reboot, so we part the script here
-  wget $omv_install_script_link
-  chmod u+x $run_directory_path/install
-  bash $run_directory_path/install
-}
-
-# Only run if the user is root
-if [[ $USER != 'root' ]] ; then
-  echo "You must run this script as root!"
-  exit 1
-fi
-
-run_directory_path=$(pwd)
-
-# Set parameters
-default_hostname='odroidxu4'
-hostname='hk1'
-fqdn='hk1.kto.black'
-keymap='fr'
-timezone='Europe/Paris'
-deb_apt_default_repo='httpredir.debian.org'
-deb_apt_repo='ftp.fr.debian.org'
-omv_install_script_link='https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install'
-
-# Main process
-# You should comment below what you do not want to happen
-init
-install_packages
-install_omv
-
-exit 0

setup2.sh

@@ -1,109 +0,0 @@
-#!/bin/bash
-
-# The purpose of this script is to setup our ISO server on a blank Armbian.
-# This script is to be run as root.
-# This script runs AFTER setup1.sh, which installs OMV and reboots the system
-
-# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
-
-# Functions
-set_hostname() {
-  echo $fqdn > /etc/hostname
-}
-
-install_packages() { # TODO these packages do not seem to exist as of 2021/10/10
-  echo "Starting packages installation"
-  apt install -y openmediavault-luksencryption openmediavault-downloader
-}
-
-add_users() {
-  echo "Adding users"
-  useradd -N -g users -G sudo,ssh,openmediavault-admin -m -s /bin/bash $user
-  chmod 700 /home/$user
-}
-
-set_sudo_conf() { # TODO that doesn't seem to work
-  echo "Setting sudo configuration"
-  sed -i -e "s/%sudo   ALL=(ALL:ALL) ALL/%sudo   ALL=(ALL:ALL) NOPASSWD: ALL/g" /etc/sudoers
-}
-
-get_conf() {
-  echo "Getting configuration"
-  sudo -H -u $user mkdir $sync_directory_path
-  cp $run_directory_path/conf-sync.sh $sync_directory_path/
-  chown $user:users $sync_directory_path/conf-sync.sh
-  sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
-  sudo -H -u $user $sync_directory_path/conf-sync.sh
-}
-
-set_conf() {
-  echo "Setting configuration"
-  #sudo -H -u $user chmod uo+x $sync_directory_path/clean-cloud.sh $sync_directory_path/scan-to-cloud.sh
-  ln -s $sync_directory_path/*.service $systemd_units_path/
-  ln -s $sync_directory_path/*.timer $systemd_units_path/
-  #ln -s $sync_directory_path/*.socket $systemd_units_path/
-  #ln -s $sync_directory_path/*.mount $systemd_units_path/
-  #ln -s $sync_directory_path/*.path $systemd_units_path/
-  systemctl daemon-reload
-  systemctl enable conf-sync.timer
-}
-
-rcs_links() {
-  echo "Linking rcs"
-  rm /home/$user/.bashrc
-  rm /root/.bashrc
-  sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
-  ln -s /home/$user/.bashrc /root/.bashrc
-  sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
-  ln -s /home/$user/.vimrc /root/.vimrc
-}
-
-ssh_pubkey() {
-  echo "Getting SSH public key"
-  sudo -H -u $user mkdir /home/$user/.ssh
-  sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
-  sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
-}
-
-# Only run if the user is root
-if [[ $USER != 'root' ]] ; then
-  echo "You must run this script as root!"
-  exit 1
-fi
-
-run_directory_path=$(pwd)
-
-# Set parameters
-fqdn='hk1.kto.black'
-user='alex'
-sync_directory_path="/home/$user/.sync"
-systemd_units_path='/etc/systemd/system'
-remote_pubkey_location='https://keys.kto.black'
-remote_pubkey='home.pub'
-
-# Main process
-# You should comment below what you do not want to happen
-set_hostname
-install_packages
-add_users
-set_sudo_conf
-get_conf
-set_conf
-rcs_links
-ssh_pubkey
-
-echo ""
-echo "We're all good here!"
-echo "You should now:"
-echo "* set $user's password"
-echo "* lock root and admin accounts"
-echo "* remove $run_directory_path content"
-echo "* reboot the SBC"
-echo "* go to http://$fqdn/ to set up Openmediavault"
-echo "* set up lighttpd"
-echo "And perhaps:"
-echo "* set htop at your convenience"
-echo "* use below commands to edit SSH config:"
-echo "    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
-echo "    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config" # NOTE This one is different from the others, because of OMV setup
-exit 0

systemd-templates/filebrowser.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=File Browser web interface
+
+[Service]
+User=PH_NAS_USER
+Type=simple
+ExecStart=/usr/local/bin/filebrowser -d PH_NAS_DIRECTORY/PH_NAS_USER/filebrowser.db -r PH_NAS_DIRECTORY
+
+[Install]
+WantedBy=default.target

systemd-templates/transmission-daemon.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Transmission BitTorrent Daemon (KTO)
+BindsTo=transmission-vpn.timer
+After=network.target transmission-vpn.timer
+
+[Service]
+User=PH_NAS_USER
+Type=notify
+ExecStartPre=PH_DIRECTORY/transmission-vpn.sh
+ExecStart=/usr/bin/transmission-daemon -f --log-error -a PH_AUTHORIZED_ADDRESSES -C -t -u PH_USER -v PH_PASSWORD -w PH_DL_LOCATION
+ExecStop=/bin/kill -s STOP $MAINPID
+ExecReload=/bin/kill -s HUP $MAINPID
+NoNewPrivileges=true
+
+[Install]
+WantedBy=default.target

systemd-templates/transmission-daemon.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Wait 1m before starting Transmission at boot
+
+[Timer]
+OnBootSec=1m
+
+[Install]
+WantedBy=default.target

systemd-templates/transmission-vpn.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Make sure VPN is active for Transmission
+OnFailure=transmission-daemon.service
+
+[Service]
+Type=oneshot
+ExecStart=PH_DIRECTORY/transmission-vpn.sh
+
+[Install]
+WantedBy=default.target

systemd-templates/transmission-vpn.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Regular check for VPN while Transmission is running
+BindsTo=transmission-daemon.service
+
+[Timer]
+OnUnitInactiveSec=5m
+
+[Install]
+WantedBy=default.target

transmission-vpn.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# The purpose of this script is to check if VPN connection is active
+# This script will be called (via a service) in 2 situations:
+  # On a regular basis when transmission is running
+    # This will be achieved with a timer started and stopped with transmission service
+  # On transmission starting
+# When the script exits with failure, associated service should try to start transmission service
+  # NOTE not on transmission starting, as this script is not run by its service; it means there's an issue with VPN at
+  # start, and this should be looked at manually
+# Thus this script will be executed again
+  # We can enter an infinite loop, but this will effectively prevent transmission from connecting
+# If both services are stopped, this script will never be run by error
+
+run_directory=$(dirname $(readlink -f "$0"))
+source "$run_directory/variables.conf"
+
+# Parameters
+myip_request="curl -s -4 https://ifconfig.co"
+vpn_service="openvpn-client@vpn.service"
+transmission_service="transmission-daemon.service"
+
+# Main process
+ip=$($myip_request)
+if [[ $ip = $real_ip ]]; then
+  systemctl stop $transmission_service
+  systemctl stop $vpn_service
+  sleep 3
+  systemctl start $vpn_service
+  sleep 5
+  exit 1
+elif [[ $ip =~ (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} ]]; then
+  exit 0
+else
+  exit 1
+fi

variables.conf.template

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# Copy this file as variables.conf, with the correct values
+
+nas_location=""
+nas_user=""
+
+# Paths to X509 certificate and key
+# If they do not exist, they will be created as a self-singed certificate
+crt_path="/etc/ssl/cert.crt"
+key_path="/etc/ssl/cert.key"
+
+# Set up File Browser
+filebrowser="yes"
+filebrowser_server_name="files.$(hostname)"
+
+# Set up MiniDLNA
+dlna_server="yes"
+
+# Set up Transmission and OpenVPN
+dl_server="yes"
+transmission_server_name="dl.$(hostname)"
+real_ip="" # for VPN check
+authorized_ips="" # for transmission web interface
+user="" # user for transmission web interface
+password="" # password for transmission web interface
+dl_location="" # location of Downloads directory
+
+# Set up vsftpd
+ftp_server="no"