


Author SHA1 Message Date
ea82ff08f9 Correct typo in README 2022-02-11 18:33:21 +01:00
87bdfeabb5 Update README (ISO Server is obsolete) 2021-11-12 18:13:38 +01:00
14 changed files with 175 additions and 260 deletions


@ -1,39 +1,8 @@
# NAS Server # ISO Server (OBSOLETE)
This is the ancestor of NAS Server. It was both an FTP Server and a web server providing ISO images or things like that
over network. Moreover, it was administrated by OpenMediaVault.
This repository contains files used to set up our NAS server on Debian. Target is Bullseye. ### Setup
The setup takes place in two parts:
### Introduction * `setup1.sh` setups OMV on a blank Armbian and then reboot
The idea is to provide the following features, chosen at install: * `setup2.sh` then configures the system specificaly for the ISO server
* a web interface for file management with [File Browser](https://github.com/filebrowser/filebrowser);
* a DLNA server with MiniDLNA;
* a BitTorrent client with Transmission, which comes with a server web interface;
* a VPN client with OpenVPN;
* a FTP server with vsftpd.
In addition, Nginx is used to provide HTTPS proxy to File Browser and Transmission
### Requirements
The following list of packages must be installed manually (depending on which features are needed):
```transmission-daemon minidlna openvpn nginx vsftpd```
File Browser must be installed manually at `/usr/local/bin/filebrowser`.
A "NAS user" should be defined, owner of the NAS root directory: This user shall run some of above services.
If using Transmission, you need to set an OpenVPN connection config as `vpn`.
### File Browser init
If using File Browser, it should be initiated first:
```
sudo -u <nas-user> filebrowser -d <nas>/filebrowser.db --username <admin>
```
### Files
* `transmission-vpn.sh` is a script which checks if a VPN connection is active and stops Transmission otherwise.
* `variables.conf.template` contains examples of variables definitions, and should be copied locally to `variables.conf`
(with any required modifications).
* `systemd-templates/` contains Systemd units templates for all the services.
* `nginx-blocks/` contains Nginx configuration blocks.
##### Installation
* `install.sh` script copies Systemd units to their destination, with correct values.
### TODO
* RAS


@ -1,76 +0,0 @@
#!/usr/bin/env bash
run_directory=$(dirname $(readlink -f "$0"))
user=$(whoami)
source "$run_directory/variables.conf"
if [ -f $run_directory/.disabled ]; then
echo "Installation is disabled. Exiting..."
exit 0
fi
if [[ $user != 'root' ]]; then
sudo="sudo"
else
sudo=""
fi
echo "Copying Systemd units to system directory..."
if [ ! -f $crt_path ]; then
$sudo openssl req -newkey rsa:4096 -x509 -sha256 -days 999 -nodes -out $crt_path -keyout $key_path \
-subj "/C=/ST=/L=/O=/OU=/CN="
fi
if [ -d /etc/nginx ]; then
$sudo cp $run_directory/nginx-blocks/0-http-redirect /etc/nginx/sites-available/0-http-redirect
$sudo ln -sf ../sites-available/0-http-redirect /etc/nginx/sites-enabled/0-http-redirect
fi
if [ "$filebrowser" = "yes" ]; then
$sudo cp $run_directory/systemd-templates/filebrowser.service /etc/systemd/system/
$sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/filebrowser.service
$sudo sed -i -e "s:PH_NAS_DIRECTORY:$nas_location:g" /etc/systemd/system/filebrowser.service
$sudo cp $run_directory/nginx-blocks/filebrowser /etc/nginx/sites-available/filebrowser
$sudo sed -i -e "s/PH_SRVNAME/$filebrowser_server_name/g" /etc/nginx/sites-available/filebrowser
$sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/filebrowser
$sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/filebrowser
$sudo ln -sf ../sites-available/filebrowser /etc/nginx/sites-enabled/filebrowser
fi
if [ "$dlna_server" = "yes" ]; then
$sudo sed -i -e "s:media_dir=/var/lib/minidlna:media_dir=$nas_location:g" /etc/minidlna.conf
$sudo sed -i -e "s:#friendly_name=:friendly_name=$(hostname -s):g" /etc/minidlna.conf
fi
if [ "$dl_server" = "yes" ]; then
$sudo cp $run_directory/systemd-templates/transmission-daemon.service /etc/systemd/system/
$sudo sed -i -e "s/PH_NAS_USER/$nas_user/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s/PH_AUTHORIZED_ADDRESSES/$authorized_ips/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s/PH_USER/$user/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s/PH_PASSWORD/$password/g" /etc/systemd/system/transmission-daemon.service
$sudo sed -i -e "s:PH_DL_LOCATION:$dl_location:g" /etc/systemd/system/transmission-daemon.service
$sudo cp $run_directory/systemd-templates/transmission-daemon.timer /etc/systemd/system/
$sudo cp $run_directory/systemd-templates/transmission-vpn.service /etc/systemd/system/
$sudo sed -i -e "s:PH_DIRECTORY:$run_directory:g" /etc/systemd/system/transmission-vpn.service
$sudo cp $run_directory/systemd-templates/transmission-vpn.timer /etc/systemd/system/
$sudo cp $run_directory/nginx-blocks/transmission /etc/nginx/sites-available/transmission
$sudo sed -i -e "s/PH_SRVNAME/$transmission_server_name/g" /etc/nginx/sites-available/transmission
$sudo sed -i -e "s:PH_CRT:$crt_path:g" /etc/nginx/sites-available/transmission
$sudo sed -i -e "s:PH_KEY:$key_path:g" /etc/nginx/sites-available/transmission
$sudo ln -sf ../sites-available/transmission /etc/nginx/sites-enabled/transmission
$sudo systemctl disable transmission-daemon.service
$sudo systemctl enable transmission-daemon.timer
fi
if [ "$ftp_server" = "yes" ]; then
$sudo sed -i -e "s/#write_enable=YES/write_enable=YES/g" /etc/vsftpd.conf
$sudo sed -i -e "s/#utf8_filesystem=YES/utf8_filesystem=YES/g" /etc/vsftpd.conf
fi
echo "Reloading Systemd..."
sudo systemctl daemon-reload
echo "Finished install. Exiting..."
exit 0


@ -1,4 +0,0 @@
server {
listen 80;
return 301 https://$host$request_uri;
}


@ -1,12 +0,0 @@
server {
listen 443 ssl;
server_name PH_SRVNAME;
ssl_certificate PH_CRT;
ssl_certificate_key PH_KEY;
location / {
proxy_pass http://127.0.0.1:8080;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
}


@ -1,12 +0,0 @@
server {
listen 443 ssl;
server_name PH_SRVNAME;
ssl_certificate PH_CRT;
ssl_certificate_key PH_KEY;
location / {
proxy_pass http://127.0.0.1:9091;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
}
}

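--- /dev/null
+++ b/setup1.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# The purpose of this script is to setup OMV on a blank Armbian.
+# This script is to be run as root.
+# (Keep in mind that default root password is 1234)
+# Flash SBC's SD with Armbian and copy this script as well as setup2.sh (depending of usage) and conf-sync.sh to /root
+# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
+# Functions
+init() {
+echo "Starting initialization"
+echo $hostname > /etc/hostname
+sed -i -e "s/=default_hostname/$fqdn $hostname/g" /etc/hosts
+localectl set-keymap $keymap
+timedatectl set-timezone $timezone
+systemctl disable apt-daily-upgrade.timer
+}
+install_packages() {
+echo "Starting packages installation"
+sed -i -e "s/$deb_apt_default_repo/$deb_apt_repo/g" /etc/apt/sources.list
+apt update
+apt upgrade -y
+apt install -y vim tree tmux neofetch
+}
+install_omv() { # This step ends on a reboot, so we part the script here
+wget $omv_install_script_link
+chmod u+x $run_directory_path/install
+bash $run_directory_path/install
+}
+# Only run if the user is root
+if [[ $USER != 'root' ]] ; then
+echo "You must run this script as root!"
+exit 1
+fi
+run_directory_path=$(pwd)
+# Set parameters
+default_hostname='odroidxu4'
+hostname='hk1'
+fqdn='hk1.kto.black'
+keymap='fr'
+timezone='Europe/Paris'
+deb_apt_default_repo='httpredir.debian.org'
+deb_apt_repo='ftp.fr.debian.org'
+omv_install_script_link='https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install'
+# Main process
+# You should comment below what you do not want to happen
+init
+install_packages
+install_omv
+exit 0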
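Review bot: The `sed` in `init` can never match: its pattern is the literal string `=default_hostname`, so `/etc/hosts` is left untouched and the `default_hostname='odroidxu4'` parameter is otherwise unused; it was presumably meant to read `sed -i -e "s/$default_hostname/$fqdn $hostname/g" /etc/hosts`. In `install_omv`, the installer is fetched from the `master` branch of a third-party repository and run as root without checking that the download succeeded or that its content is what was expected; at minimum guard the fetch with `wget "$omv_install_script_link" || exit 1`, and prefer pinning the URL to a tag or commit and comparing the downloaded file against a known checksum before `bash $run_directory_path/install`. The `chmod u+x` is redundant since the file is run through `bash` rather than executed directly. Expansions such as `$hostname`, `$keymap` and `$timezone` should also be double-quoted.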

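--- /dev/null
+++ b/setup2.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+# The purpose of this script is to setup our ISO server on a blank Armbian.
+# This script is to be run as root.
+# This script runs AFTER setup1.sh, which installs OMV and reboots the system
+# YOU SHOULD REMOVE THIS SCRIPT AFTER SETUP
+# Functions
+set_hostname() {
+echo $fqdn > /etc/hostname
+}
+install_packages() { # TODO these packages do not seem to exist as of 2021/10/10
+echo "Starting packages installation"
+apt install -y openmediavault-luksencryption openmediavault-downloader
+}
+add_users() {
+echo "Adding users"
+useradd -N -g users -G sudo,ssh,openmediavault-admin -m -s /bin/bash $user
+chmod 700 /home/$user
+}
+set_sudo_conf() { # TODO that doesn't seem to work
+echo "Setting sudo configuration"
+sed -i -e "s/%sudo ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g" /etc/sudoers
+}
+get_conf() {
+echo "Getting configuration"
+sudo -H -u $user mkdir $sync_directory_path
+cp $run_directory_path/conf-sync.sh $sync_directory_path/
+chown $user:users $sync_directory_path/conf-sync.sh
+sudo -H -u $user chmod u+x $sync_directory_path/conf-sync.sh
+sudo -H -u $user $sync_directory_path/conf-sync.sh
+}
+set_conf() {
+echo "Setting configuration"
+#sudo -H -u $user chmod uo+x $sync_directory_path/clean-cloud.sh $sync_directory_path/scan-to-cloud.sh
+ln -s $sync_directory_path/*.service $systemd_units_path/
+ln -s $sync_directory_path/*.timer $systemd_units_path/
+#ln -s $sync_directory_path/*.socket $systemd_units_path/
+#ln -s $sync_directory_path/*.mount $systemd_units_path/
+#ln -s $sync_directory_path/*.path $systemd_units_path/
+systemctl daemon-reload
+systemctl enable conf-sync.timer
+}
+rcs_links() {
+echo "Linking rcs"
+rm /home/$user/.bashrc
+rm /root/.bashrc
+sudo -H -u $user ln -s $sync_directory_path/bashrc /home/$user/.bashrc
+ln -s /home/$user/.bashrc /root/.bashrc
+sudo -H -u $user ln -s $sync_directory_path/vimrc /home/$user/.vimrc
+ln -s /home/$user/.vimrc /root/.vimrc
+}
+ssh_pubkey() {
+echo "Getting SSH public key"
+sudo -H -u $user mkdir /home/$user/.ssh
+sudo -H -u $user wget -P /home/$user/.ssh $remote_pubkey_location/$remote_pubkey
+sudo -H -u $user mv /home/$user/.ssh/$remote_pubkey /home/$user/.ssh/authorized_keys
+}
+# Only run if the user is root
+if [[ $USER != 'root' ]] ; then
+echo "You must run this script as root!"
+exit 1
+fi
+run_directory_path=$(pwd)
+# Set parameters
+fqdn='hk1.kto.black'
+user='alex'
+sync_directory_path="/home/$user/.sync"
+systemd_units_path='/etc/systemd/system'
+remote_pubkey_location='https://keys.kto.black'
+remote_pubkey='home.pub'
+# Main process
+# You should comment below what you do not want to happen
+set_hostname
+install_packages
+add_users
+set_sudo_conf
+get_conf
+set_conf
+rcs_links
+ssh_pubkey
+echo ""
+echo "We're all good here!"
+echo "You should now:"
+echo "* set $user's password"
+echo "* lock root and admin accounts"
+echo "* remove $run_directory_path content"
+echo "* reboot the SBC"
+echo "* go to http://$fqdn/ to set up Openmediavault"
+echo "* set up lighttpd"
+echo "And perhaps:"
+echo "* set htop at your convenience"
+echo "* use below commands to edit SSH config:"
+echo " sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config"
+echo " sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config" # NOTE This one is different from the others, because of OMV setup
+exit 0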
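Review bot: `set_sudo_conf` rewrites `/etc/sudoers` in place with `sed`, and its pattern `%sudo ALL=(ALL:ALL) ALL` is unlikely to match because on Debian-based images that line is normally tab-separated, which would explain the TODO on the same line; a safer approach is to write the rule to a drop-in file under `/etc/sudoers.d/` and validate it with `visudo -cf` before leaving it in place, rather than editing the main file unchecked. `ssh_pubkey` does not check that `wget` succeeded before the `mv`, so a failed download leaves no `authorized_keys`, and the closing advice to set `PasswordAuthentication no` would then lock `$user` out of SSH; the `.ssh` directory and key file also get default permissions rather than `700`/`600`. In `rcs_links`, root's `.bashrc` and `.vimrc` become symlinks to files writable by `$user`, so anything able to write into `$sync_directory_path` runs as root at root's next login; given that `$user` already gets `NOPASSWD` sudo this may be accepted here, but it deserves a comment saying so. The rewritten `ssh_pubkey` below adds the failure check and the permissions.
```shell
ssh_pubkey() {
  echo "Getting SSH public key"
  sudo -H -u "$user" mkdir -m 700 "/home/$user/.ssh"
  sudo -H -u "$user" wget -P "/home/$user/.ssh" "$remote_pubkey_location/$remote_pubkey" || exit 1
  sudo -H -u "$user" mv "/home/$user/.ssh/$remote_pubkey" "/home/$user/.ssh/authorized_keys"
  sudo -H -u "$user" chmod 600 "/home/$user/.ssh/authorized_keys"
}
```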


@ -1,10 +0,0 @@
[Unit]
Description=File Browser web interface
[Service]
User=PH_NAS_USER
Type=simple
ExecStart=/usr/local/bin/filebrowser -d PH_NAS_DIRECTORY/PH_NAS_USER/filebrowser.db -r PH_NAS_DIRECTORY
[Install]
WantedBy=default.target


@ -1,16 +0,0 @@
[Unit]
Description=Transmission BitTorrent Daemon (KTO)
BindsTo=transmission-vpn.timer
After=network.target transmission-vpn.timer
[Service]
User=PH_NAS_USER
Type=notify
ExecStartPre=PH_DIRECTORY/transmission-vpn.sh
ExecStart=/usr/bin/transmission-daemon -f --log-error -a PH_AUTHORIZED_ADDRESSES -C -t -u PH_USER -v PH_PASSWORD -w PH_DL_LOCATION
ExecStop=/bin/kill -s STOP $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID
NoNewPrivileges=true
[Install]
WantedBy=default.target


@ -1,8 +0,0 @@
[Unit]
Description=Wait 1m before starting Transmission at boot
[Timer]
OnBootSec=1m
[Install]
WantedBy=default.target


@ -1,10 +0,0 @@
[Unit]
Description=Make sure VPN is active for Transmission
OnFailure=transmission-daemon.service
[Service]
Type=oneshot
ExecStart=PH_DIRECTORY/transmission-vpn.sh
[Install]
WantedBy=default.target


@ -1,9 +0,0 @@
[Unit]
Description=Regular check for VPN while Transmission is running
BindsTo=transmission-daemon.service
[Timer]
OnUnitInactiveSec=5m
[Install]
WantedBy=default.target


@ -1,35 +0,0 @@
#!/bin/bash
# The purpose of this script is to check if VPN connection is active
# This script will be called (via a service) in 2 situations:
# On a regular basis when transmission is running
# This will be achieved with a timer started and stopped with transmission service
# On transmission starting
# When the script exits with failure, associated service should try to start transmission service
# NOTE not on transmission starting, as this script is not run by its service; it means there's an issue with VPN at
# start, and this should be looked at manually
# Thus this script will be executed again
# We can enter an infinite loop, but this will effectively prevent transmission from connecting
# If both services are stopped, this script will never be run by error
run_directory=$(dirname $(readlink -f "$0"))
source "$run_directory/variables.conf"
# Parameters
myip_request="curl -s -4 https://ifconfig.co"
vpn_service="openvpn-client@vpn.service"
transmission_service="transmission-daemon.service"
# Main process
ip=$($myip_request)
if [[ $ip = $real_ip ]]; then
systemctl stop $transmission_service
systemctl stop $vpn_service
sleep 3
systemctl start $vpn_service
sleep 5
exit 1
elif [[ $ip =~ (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3} ]]; then
exit 0
else
exit 1
fi


@ -1,30 +0,0 @@
#!/usr/bin/env bash
# Copy this file as variables.conf, with the correct values
nas_location=""
nas_user=""
# Paths to X509 certificate and key
# If they do not exist, they will be created as a self-singed certificate
crt_path="/etc/ssl/cert.crt"
key_path="/etc/ssl/cert.key"
# Set up File Browser
filebrowser="yes"
filebrowser_server_name="files.$(hostname)"
# Set up MiniDLNA
dlna_server="yes"
# Set up Transmission and OpenVPN
dl_server="yes"
transmission_server_name="dl.$(hostname)"
real_ip="" # for VPN check
authorized_ips="" # for transmission web interface
user="" # user for transmission web interface
password="" # password for transmission web interface
dl_location="" # location of Downloads directory
# Set up vsftpd
ftp_server="no"