Set scripts to new run_directory norm

README.md

@@ -1,39 +1,26 @@
-# NAS Server
+# NAS Server (OBSOLETE)
 
-This repository contains files used to set up our NAS server on Debian. Target is Bullseye.
+This repository contains files used to set up our NAS server on a freshly installed Armbian. Target is Bullseye.
 
 ### Introduction
-The idea is to provide the following features, chosen at install:
-* a web interface for file management with [File Browser](https://github.com/filebrowser/filebrowser);
-* a DLNA server with MiniDLNA;
-* a BitTorrent client with Transmission, which comes with a server web interface;
-* a VPN client with OpenVPN;
-* a FTP server with vsftpd.
-In addition, Nginx is used to provide HTTPS proxy to File Browser and Transmission
+The SBC used has a hard drive attached (SATA), which is the storage drive. This disk should be encrypted if needed.
 
-### Requirements
-The following list of packages must be installed manually (depending on which features are needed):
-```transmission-daemon minidlna openvpn nginx vsftpd```
-File Browser must be installed manually at `/usr/local/bin/filebrowser`.
+An FTP server is installed on the device, providing network access to authorized people.
 
-A "NAS user" should be defined, owner of the NAS root directory: This user shall run some of above services.
-
-If using Transmission, you need to set an OpenVPN connection config as `vpn`.
-
-### File Browser init
-If using File Browser, it should be initiated first:
-```
-sudo -u <nas-user> filebrowser -d <nas>/filebrowser.db --username <admin>
-```
-
-### Files
-* `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise.
-* `variables.conf.template` contains examples of variables definitions, and should be copied locally to `variables.conf`
-  (with any required modifications).
-* `systemd-templates/` contains Systemd units templates for all the services.
-* `nginx-blocks/` contains Nginx configuration blocks.
+### Setup
 ##### Installation
+* `setup.sh` is a script automating the installation and configuration of required software.
+* `variables.conf.template` contains examples variables definitions, and should be copied locally to `variables.conf`
+  (with any required modifications).
+* `srv-nas.mount` is a systemd unit which, when started, will try to mount DATA drive.
+##### DL server
+* `transmission-daemon.service` is a replacement for default Transmission service file, with more settings.
+* `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise.
+* `transmission-vpn.service` is a service unit for above script.
+* `transmission-vpn.timer` is a timer which runs regularly above script.
+* `variables.conf.template` contains examples variables definitions, and should be copied locally to `variables.conf`
+  (with any required modifications).
 * `install.sh` script copies Systemd units to their destination, with correct values.
 
 ### TODO
-* RAS
+* Add TLS cert generation to DL setup

dl-server/install.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+run_directory=$(dirname $(readlink -f "$0"))
+
+source "$run_directory/variables.conf"
+
+if [ -f $run_directory/.disabled ]; then
+  echo "Installation is disabled. Exiting..."
+  exit 0
+fi
+
+echo "Copying Systemd units to system directory..."
+sudo cp $run_directory/transmission-daemon.service /etc/systemd/system/
+sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
+sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
+sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
+sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
+sudo cp $run_directory/transmission-vpn.service /etc/systemd/system/
+sudo sed -i -e "s:PH_DIRECTORY:$(pwd):g" /etc/systemd/system/transmission-vpn.service
+sudo cp $run_directory/transmission-vpn.timer /etc/systemd/system/
+
+echo "Reloading Systemd..."
+sudo systemctl daemon-reload
+
+echo "Finished install. Exiting..."
+exit 0

dl-server/transmission-daemon.service

@@ -1,16 +1,16 @@
 [Unit]
 Description=Transmission BitTorrent Daemon (KTO)
+Wants=transmission-vpn.service
 BindsTo=transmission-vpn.timer
 After=network.target transmission-vpn.timer
 
 [Service]
-User=PH_NAS_USER
+User=debian-transmission
 Type=notify
-ExecStartPre=PH_DIRECTORY/transmission-vpn.sh
 ExecStart=/usr/bin/transmission-daemon -f --log-error -a PH_AUTHORIZED_ADDRESSES -C -t -u PH_USER -v PH_PASSWORD -w PH_DL_LOCATION
 ExecStop=/bin/kill -s STOP $MAINPID
 ExecReload=/bin/kill -s HUP $MAINPID
 NoNewPrivileges=true
 
 [Install]
-WantedBy=default.target
+WantedBy=multi-user.target

dl-server/transmission-vpn.service

@@ -3,7 +3,6 @@ Description=Make sure VPN is active for Transmission
 OnFailure=transmission-daemon.service
 
 [Service]
-Type=oneshot
 ExecStart=PH_DIRECTORY/transmission-vpn.sh
 
 [Install]

dl-server/transmission-vpn.sh

@@ -5,8 +5,6 @@
     # This will be achieved with a timer started and stopped with transmission service
   # On transmission starting
 # When the script exits with failure, associated service should try to start transmission service
-  # NOTE not on transmission starting, as this script is not run by its service; it means there's an issue with VPN at
-  # start, and this should be looked at manually
 # Thus this script will be executed again
   # We can enter an infinite loop, but this will effectively prevent transmission from connecting
 # If both services are stopped, this script will never be run by error

dl-server/transmission-vpn.timer

@@ -3,7 +3,7 @@ Description=Regular check for VPN while Transmission is running
 BindsTo=transmission-daemon.service
 
 [Timer]
-OnUnitInactiveSec=5m
+OnUnitInactiveSec=10m
 
 [Install]
 WantedBy=default.target

dl-server/variables.conf.template

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+# Copy this file as variables.conf, with the correct values
+
+real_ip="" # for VPN check
+authorized_ips="" # for transmission web interface
+user="" # user for transmission web interface
+password="" # password for transmission web interface
+dl_location="" # location of Downloads directory

install.sh

@@ -1,76 +0,0 @@
-#!/usr/bin/env bash
-
-run_directory=$(dirname $(readlink -f "$0"))
-user=$(whoami)
-
-source "$run_directory/variables.conf"
-
-if [ -f $run_directory/.disabled ]; then
-  echo "Installation is disabled. Exiting..."
-  exit 0
-fi
-
-if [[ $user != 'root' ]]; then
-  sudo="sudo"
-else
-  sudo=""
-fi
-
-echo "Copying Systemd units to system directory..."
-
-if [ ! -f $crt_path ]; then
-  $sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $crt_path -keyout $key_path \
-    -subj "/C=/ST=/L=/O=/OU=/CN="
-fi
-if [ -d /etc/nginx ]; then
-  $sudo cp $run_directory/nginx-blocks/0-http-redirect /etc/nginx/sites-available/0-http-redirect
-  $sudo ln -sf ../sites-available/0-http-redirect /etc/nginx/sites-enabled/0-http-redirect
-fi
-
-if [ "$filebrowser" = "yes" ]; then
-  $sudo cp $run_directory/systemd-templates/filebrowser.service /etc/systemd/system/
-  $sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/filebrowser.service
-  $sudo sed -i -e "s:PH_NAS_DIRECTORY:$nas_location:g" /etc/systemd/system/filebrowser.service
-  $sudo cp $run_directory/nginx-blocks/filebrowser /etc/nginx/sites-available/filebrowser
-  $sudo sed -i -e "s/PH_SRVNAME/$filebrowser_server_name/g" /etc/nginx/sites-available/filebrowser
-  $sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/filebrowser
-  $sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/filebrowser
-  $sudo ln -sf ../sites-available/filebrowser /etc/nginx/sites-enabled/filebrowser
-fi
-
-if [ "$dlna_server" = "yes" ]; then
-  $sudo sed -i -e "s:media_dir=/var/lib/minidlna:media_dir=$nas_location:g" /etc/minidlna.conf
-  $sudo sed -i -e "s:#friendly_name=:friendly_name=$(hostname -s):g" /etc/minidlna.conf
-fi
-
-if [ "$dl_server" = "yes" ]; then
-  $sudo cp $run_directory/systemd-templates/transmission-daemon.service /etc/systemd/system/
-  $sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/transmission-daemon.service
-  $sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-daemon.service
-  $sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
-  $sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
-  $sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
-  $sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
-  $sudo cp $run_directory/systemd-templates/transmission-daemon.timer /etc/systemd/system/
-  $sudo cp $run_directory/systemd-templates/transmission-vpn.service /etc/systemd/system/
-  $sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-vpn.service
-  $sudo cp $run_directory/systemd-templates/transmission-vpn.timer /etc/systemd/system/
-  $sudo cp $run_directory/nginx-blocks/transmission /etc/nginx/sites-available/transmission
-  $sudo sed -i -e "s/PH_SRVNAME/$transmission_server_name/g" /etc/nginx/sites-available/transmission
-  $sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/transmission
-  $sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/transmission
-  $sudo ln -sf ../sites-available/transmission /etc/nginx/sites-enabled/transmission
-  $sudo systemctl disable transmission-daemon.service
-  $sudo systemctl enable transmission-daemon.timer
-fi
-
-if [ "$ftp_server" = "yes" ]; then
-  $sudo sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
-  $sudo sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
-fi
-
-echo "Reloading Systemd..."
-sudo systemctl daemon-reload
-
-echo "Finished install. Exiting..."
-exit 0

nginx-blocks/0-http-redirect

@@ -1,4 +0,0 @@
-server {
-  listen  80;
-  return  301 https://$host$request_uri;
-}

nginx-blocks/filebrowser

@@ -1,12 +0,0 @@
-server {
-  listen              443 ssl;
-  server_name         PH_SRVNAME;
-
-  ssl_certificate     PH_CRT;
-  ssl_certificate_key PH_KEY;
-
-  location / {
-    proxy_pass                            http://127.0.0.1:8080;
-    add_header Strict-Transport-Security  "max-age=31536000; includeSubDomains";
-  }
-}

nginx-blocks/transmission

@@ -1,12 +0,0 @@
-server {
-  listen              443 ssl;
-  server_name         PH_SRVNAME;
-
-  ssl_certificate     PH_CRT;
-  ssl_certificate_key PH_KEY;
-
-  location / {
-    proxy_pass                            http://127.0.0.1:9091;
-    add_header Strict-Transport-Security  "max-age=31536000; includeSubDomains";
-  }
-}

setup.sh

@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+
+# The purpose of this script is to setup our NAS server on a blank Armbian.
+# This script is to be run as root.
+
+# (Keep in mind that default root password is 1234)
+# Flash SBC's SD with Armbian and copy this script as well as conf-sync.sh to /root
+
+# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
+
+source "$run_directory/variables.conf"
+
+# Functions
+init() {
+  echo "Starting initialization"
+  echo $fqdn > /etc/hostname
+  localectl set-keymap $keymap
+  timedatectl set-timezone $timezone
+  systemctl disable apt-daily-upgrade.timer
+}
+
+install_packages() {
+  echo "Starting packages installation"
+  sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
+  apt update
+  apt upgrade -y
+  packages_to_install="vim tree tmux neofetch cryptsetup clevis clevis-luks clevis-systemd"
+  if [ "$dl_server" = "yes" ]; then
+    packages_to_install+=" openvpn transmission-daemon"
+  fi
+  if [ "$upnp_server" = "yes" ]; then
+    packages_to_install+=" minidlna"
+  fi
+  if [ "$ftp_server" = "yes" ]; then
+    packages_to_install+=" vsftpd"
+  fi
+  apt install -y $packages_to_install
+}
+
+add_users() {
+  echo "Adding users"
+  useradd -U -G sudo -m -s /bin/bash $user
+  chmod 700 /home/$user
+  echo "Let's define a password for $user as we are about to run sudo with it. It can of course be changed after setup."
+  passwd $user
+}
+
+get_sync() {
+  echo "Getting and deploying sync configuration"
+  sudo -H -u $user mkdir $sync_directory_path
+  sudo -H -u $user git clone https://gitea.kto.black/adminconf/rcs-general.git $sync_directory_path/rcs-general
+  sudo -H -u $user $sync_directory_path/rcs-general/install.sh
+  sudo -H -u $user git clone https://gitea.kto.black/adminconf/conf-sync.git $sync_directory_path/conf-sync
+  sudo -H -u $user cp $sync_directory_path/conf-sync/variables.conf.template \
+    $sync_directory_path/conf-sync/variables.conf
+  sudo -H -u $user sed -i -e "s/\"desktop\"/\"server\"/g" $sync_directory_path/conf-sync/variables.conf
+  sudo -H -u $user $sync_directory_path/conf-sync/install.sh
+  sudo -H -u $user git clone https://gitea.kto.black/adminconf/nas-server.git $sync_directory_path/nas-server
+}
+
+ssh_pubkey() {
+  echo "Getting SSH public key"
+  sudo -H -u $user mkdir /home/$user/.ssh
+  sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
+  sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
+}
+
+set_sshd_conf() {
+  echo "Editing OpenSSH daemon config..."
+  sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
+  sed -i -e "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
+}
+
+set_vsftpd() {
+  if [ "$ftp_server" != "yes" ]; then
+    return 0
+  fi
+  echo "Setting vsftpd config"
+  mkdir $nas_root
+  chown $user:users $nas_root
+  echo "nascrypt /dev/sda none noauto" >> /etc/crypttab
+  sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
+  sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
+  # The two lines below set up TLS wrapping with a self-signed certificate, which causes issues with clients
+  #sed -i -e "s/ssl_enable=NO/ssl_enable=YES/g" /etc/vsftpd.conf
+  #openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -subj "/C=/ST=/L=/O=/OU=/CN="
+}
+
+# Only run if the user is root
+if [[ $USER != 'root' ]] ; then
+  echo "You must run this script as root!"
+  exit 1
+fi
+
+run_directory_path=$(pwd)
+
+# Set parameters
+fqdn='hk1.jab.kto.black'
+keymap='fr'
+timezone='Europe/Paris'
+deb_apt_default_repo='deb.debian.org' # TODO check
+deb_apt_repo='ftp.fr.debian.org'
+user='alex'
+sync_directory_path="/home/$user/.sync"
+systemd_units_path='/etc/systemd/system'
+remote_pubkey_location='https://keys.kto.black'
+remote_pubkey='home.pub'
+nas_root='/srv/nas'
+
+# Main process
+# You should comment below what you do not want to happen
+init
+install_packages
+add_users
+get_sync
+ssh_pubkey
+set_sshd_conf
+set_vsftpd
+
+echo ""
+echo "We're all good here!"
+echo "You should now:"
+echo "* set $user's password"
+echo "* lock root account"
+echo "* remove $run_directory_path content"
+if [ "$dl_server" = "yes" ]; then
+  echo "* get the OpenVPN configuration file, move it to /etc/openvpn/client/vpn.conf"
+  echo "  * and add at \`auth-user-pass\`: auth.txt"
+  echo "  * create said auth.txt with VPN login and password (on two rows)"
+fi
+echo "* reboot the SBC"
+echo "And perhaps:"
+echo "* set htop at your convenience"
+echo "* remove password for sudo" # TODO we should automate that, with a flag
+echo "* use below commands to edit SSH config:"
+echo "    sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
+echo "    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
+echo "* register an encrypted volume to a tang server"
+
+exit 0

srv-nas.mount

@@ -0,0 +1,10 @@
+[Unit]
+Description=Mount NAS Volume
+# Below Requisite could be a Wants
+Wants=systemd-cryptsetup@nascrypt.service
+After=systemd-cryptsetup@nascrypt.service
+
+[Mount]
+What=/dev/mapper/nascrypt
+Where=/srv/nas
+Options=rw,relatime

systemd-templates/filebrowser.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=File Browser web interface
-
-[Service]
-User=PH_NAS_USER
-Type=simple
-ExecStart=/usr/local/bin/filebrowser -d PH_NAS_DIRECTORY/PH_NAS_USER/filebrowser.db -r PH_NAS_DIRECTORY
-
-[Install]
-WantedBy=default.target

systemd-templates/transmission-daemon.timer

@@ -1,8 +0,0 @@
-[Unit]
-Description=Wait 1m before starting Transmission at boot
-
-[Timer]
-OnBootSec=1m
-
-[Install]
-WantedBy=default.target

variables.conf.template

@@ -2,29 +2,6 @@
 
 # Copy this file as variables.conf, with the correct values
 
-nas_location=""
-nas_user=""
-
-# Paths to X509 certificate and key
-# If they do not exist, they will be created as a self-singed certificate
-crt_path="/etc/ssl/cert.crt"
-key_path="/etc/ssl/cert.key"
-
-# Set up File Browser
-filebrowser="yes"
-filebrowser_server_name="files.$(hostname)"
-
-# Set up MiniDLNA
-dlna_server="yes"
-
-# Set up Transmission and OpenVPN
-dl_server="yes"
-transmission_server_name="dl.$(hostname)"
-real_ip="" # for VPN check
-authorized_ips="" # for transmission web interface
-user="" # user for transmission web interface
-password="" # password for transmission web interface
-dl_location="" # location of Downloads directory
-
-# Set up vsftpd
+dl_server="no"
 ftp_server="no"
+upnp_server="no"