author: pukkamustard <pukkamustard@posteo.net> 2021-04-13 15:29:49 +0200
committer: pukkamustard <pukkamustard@posteo.net> 2021-04-13 15:29:49 +0200
commit: 4039b55873243d74e052e1e3bca4af16fb6a044f
tree: e6d3833b3259b164d46fa1bfb80cf67f05340a8d
parent: 6a6cd5b9032d28fb959e42bc40e09d43259e5652
add warli.org
-rw-r--r-- warli.org 200
1 files changed, 200 insertions, 0 deletions
diff --git a/warli.org b/warli.org
new file mode 100644
index 0000000..b8d5a38
--- /dev/null
+++ b/warli.org
@@ -0,0 +1,200 @@
+#+TITLE: warli
+
+warli.jblis.xyz is a virtual machine hosted at [[https://www.hetzner.com/cloud][Hetzner Cloud]].
+
+* Machine
+
+- IPv6 :: 2a01:4f9:c011:2bc7::1
+- IPv4 :: 135.181.41.208
+
+Hetzner Cloud CX21 (2 VCPU, 4 GB RAM, 40 GB local storage)
+
+* Deployment
+** Base system
+
+warli is running Debian 10.
+
+*** Non-root user
+
+**** Create user
+
+#+BEGIN_SRC shell
+adduser pukkamustard
+#+END_SRc
+
+This will ask you to set a password.
+
+**** Add to ~sudo~ group
+
+#+BEGIN_SRC shell
+adduser pukkamustard sudo
+#+END_SRC
+
+**** Add SSH key to user
+
+#+BEGIN_SRC shell
+mkdir -p ~/.ssh
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGCZB78Hx5YdjvKiatTRAgXbQ1jpBMULpcXNJ0He7exDY3KlnMeCKw0KEKMSS6DxYdnDqca0zJ20+A19pRLlWIeyLIwL+4ZtKLQc20AbSGA1h7gpKIvX5yvvhmJinrUn4FYat7D+ze2SA1jI17gCzta53gzgIla7WqnqiL4kAH2PmFvXUdUyGWCuz0vP0w+ku7C9SX0uGaoa+q4txtEPccIcn3vIL7Wk9MImVtlVV1MR42FQCLc3CyQKabNFbtNSCGHyVn2lgIk2q6G0q+JWb3XIa136VW0ZO6SgrPn1sNLNwxmO3qJnZOaDqYKp51QZSaw4ut4kGXakZJwF7vXkAz openpgp:0x5FC2331C" >> ~/.ssh/authorized_keys
+#+END_SRC
+
+*** Disable SSH password login
+
+#+BEGIN_SRC
+PermitRootLogin prohibit-password
+
+# Only allow public authentication
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PubkeyAuthentication yes
+#+END_SRC
+
+#+BEGIN_SRC shell
+sudo systemctl restart ssh
+#+END_SRC
+
+*** System update and basic software
+
+#+BEGIN_SRC shell
+sudo apt update
+sudo apt upgrade
+#+END_SRC
+
+#+BEGIN_SRC shell
+sudo apt install vim mosh rsync
+#+END_SRC
+
+Reboot when kernel was updated:
+
+#+BEGIN_SRC shell
+sudo reboot
+#+END_SRC
+
+*** Setup Unattended Upgrades
+
+See also https://vitux.com/how-to-manage-unattended-upgrades-on-debian-10/
+
+#+BEGIN_SRC shell
+sudo apt install unattended-upgrades
+#+END_SRC
+
+Check that selected updates are ok (enable security updates) by checking the ~/etc/apt/apt.conf.d/50unattended-upgrades~ file.
+
+Enable upgrades:
+
+#+BEGIN_SRC shell
+sudo dpkg-reconfigure --priority=low unattended-upgrades
+#+END_SRC
+
+*** Uncomplicated Firewall (ufw)
+
+See also https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
+
+#+BEGINS_SRC shell
+sudo apt install ufw
+
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+
+sudo ufw allow ssh
+sudo ufw allow mosh
+
+sudo ufw enable
+#+END_SRC
+
+** Nginx
+
+*** Install
+
+#+BEGIN_SRC shell
+sudo apt install nginx
+#+END_SRC
+
+*** Allow firewall
+
+#+BEGIN_SRC shell
+sudo ufw allow 'Nginx Full'
+#+END_SRC
+
+** Certbot
+
+#+BEGIN_SRC shell
+sudo apt install certbot python3-certbot-nginx
+
+sudo cerbot
+#+END_SRC
+
+*** TODO Setup automatic renew
+
+** OpenLDAP
+
+See https://wiki.debian.org/LDAP/OpenLDAPSetup#Initial_Installation
+https://computingforgeeks.com/how-to-install-and-configure-openldap-server-on-debian/
+
+*** Installation
+
+#+BEGIN_SRC shell
+sudo apt install slapd ldap-utils
+#+END_SRC
+
+Installation will automatically use the system domain name. Check if set correctly with:
+
+#+BEGIN_SRC shell
+sudo slapcat
+#+END_SRC
+
+*** Base DN
+
+#+BEGIN_SRC ldif :tangle basedn.ldif
+dn: ou=users,dc=jblis,dc=xyz
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=groups,dc=jblis,dc=xyz
+objectClass: organizationalUnit
+ou: groups
+#+END_SRC
+
+#+BEGIN_SRC shell
+ldapadd -x -D cn=admin,dc=jblis,dc=xyz -W -f basedn.ldif
+#+END_SRC
+
+** TODO ejabberd
+
+https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/
+
+#+BEGIN_SRC shell
+sudo apt install ejabberd
+#+END_SRC
+
+#+BEGIN_SRC shell
+sudo ufw allow 'ejabberd'
+sudo ufw allow 'ejabberd S2S'
+sudo ufw allow 'ejabberd SSL'
+#+END_SRC
+
+* Tasks
+** Add an user
+
+#+BEGIN_SRC ldif :tangle basedn.ldif
+dn: cn=pukkamustard,ou=users,dc=jblis,dc=xyz
+objectClass: person
+objectClass: shadowAccount
+cn: pukkamustard
+sn: pukkamustard
+uid: pukkamustard
+userPassword: {SSHA}Yyy8eAast6+YAgajDINL7bVjbbR/6Tle
+#+END_SRC
+
+The password can be generated with ~slappasswd~
+
+** Change password
+
+https://tylersguides.com/guides/how-to-change-an-openldap-password/
+
+* Log
+
+** [2021-04-13 Tue] Init
+
+- Created Virtual machine
+- Deployed base system
+- Basic ejabberd setup with OpenLDAP works! Letting it run in test mode for a couple of days.
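Review bot: The first entry of the Base DN LDIF block has `dn: ou=users,dc=jblis,dc=xyz` but `ou: people`; slapd requires the RDN value to be present as an attribute of the entry, so `ldapadd -x -D cn=admin,dc=jblis,dc=xyz -W -f basedn.ldif` will reject it with a naming violation. Change the attribute to `ou: users` (or the DN to `ou=people,...`) so the two agree. Also in this hunk: `#+END_SRc` after `adduser pukkamustard` and `#+BEGINS_SRC shell` before `sudo apt install ufw` are not valid Org block delimiters, so those blocks will neither render nor tangle; `sudo cerbot` should be `sudo certbot`. The "Add an user" block is tagged `:tangle basedn.ldif`, the same target as the Base DN block, so every tangle concatenates the user entry into the base file; a separate per-user file would keep the base DN LDIF reusable. The sshd settings block names no file; stating `/etc/ssh/sshd_config`, and that key-based login should be verified from a second session before `sudo systemctl restart ssh`, would make the lockout-prone step safer to follow. Finally, the `userPassword` SSHA hash is committed to the repository: a salted SHA-1 is cheap to attack offline, so keep a placeholder in the notes instead of the real hash and rotate this password.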