Debian Server

From The Essence Bay

Debian Stable is stable enough for industrial-grade firewalls / routers / switches [1] / tons of specialized servers [2] / etc, so I feel confident using it for my shitty home lab.

Install

  • Get an hd-media installer image [3]
  • Burn it with Win32 Disk Imager [4]
  • Make a minimal installation, leaving out even the utilities
  • Use box as the host and local.jevs.me as the domain

Initial setup

  • Install openssh-server
apt-get install openssh-server
  • Connect with SSH
  • Install ca-certificates
apt-get install ca-certificates # wouldn't be able to wget rmate otherwise
  • Install rsub
cd /usr/local # because that's what local is for
wget https://raw.githubusercontent.com/aurora/rmate/master/rmate -P bin
chmod +x bin/rmate
ln -s $(pwd)/bin/rmate bin/rsub
ln -s $(pwd)/bin/rmate sbin/rmate
ln -s $(pwd)/bin/rmate sbin/rsub
  • Switch to key authentication
mkdir /root/.ssh && cd $_
chmod 700 . # required by openssh
rsub authorized_keys
# paste your public key
chmod 600 authorized_keys # required by openssh
# repeat the same for the regular user
rsub /etc/ssh/sshd_config
# PasswordAuthentication no
# ClientAliveCountMax 2
# ClientAliveInterval 4
service ssh restart
  • Tune some settings
rsub /lib/init/vars.sh
# VERBOSE=yes
  • Update /etc/apt/sources.list
deb http://koyanet.lv/debian/ jessie main
deb-src http://koyanet.lv/debian/ jessie main

deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

deb http://koyanet.lv/debian/ jessie-updates main
deb-src http://koyanet.lv/debian/ jessie-updates main

deb http://koyanet.lv/debian jessie-backports main
deb-src http://koyanet.lv/debian jessie-backports main
  • Mount storage
mkdir /storage
rsub /etc/fstab
# UUID=115d9a8c-1202-4821-8d2b-ec80071ecd91 /storage ext4 defaults 0 0
mount -a
  • Update .bashrc
export LS_OPTIONS='--color=auto'
alias ls='ls $LS_OPTIONS -lA'
  • Install nginx [5]
wget https://nginx.org/keys/nginx_signing.key # fetch over HTTPS: this key becomes a trust anchor for apt
apt-key add nginx_signing.key
rsub /etc/apt/sources.list
# deb http://nginx.org/packages/debian/ jessie nginx
# deb-src http://nginx.org/packages/debian/ jessie nginx
apt-get update
apt-get install nginx
rm /etc/nginx/conf.d/*
service nginx restart
  • Create /etc/nginx/conf.d/home.jevs.me.conf
server {
    listen 80;
    server_name home.jevs.me;
    rewrite ^ https://$http_host$request_uri? permanent;
}

server {
    listen 443;
    server_name home.jevs.me;
    client_max_body_size 0;

    ssl_certificate      /etc/nginx/cert/home.jevs.me.crt;
    ssl_certificate_key  /etc/nginx/cert/home.jevs.me.key;
    ssl_dhparam          /etc/nginx/cert/dhparam.pem;

    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    server_tokens off;
    ssl on;
    ssl_buffer_size 1400;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;
    ssl_stapling on;
    ssl_stapling_verify on;

    location / {
        root        /usr/share/nginx/html;
        try_files   /index.html =404;

        access_log  /var/log/nginx/index.access.log;
        error_log   /var/log/nginx/index.error.log;
    }
}
  • Create /etc/nginx/proxy_params
proxy_connect_timeout  36000s;
proxy_read_timeout     36000s;
proxy_redirect         off;

proxy_set_header  Host               $http_host;
proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
proxy_set_header  X-Forwarded-Proto  $scheme;
proxy_set_header  X-Real-IP          $remote_addr;
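
A check for the "Switch to key authentication" step above, as an added example that is not part of the original page: it reads an sshd_config the way sshd does (first value wins, keywords are case-insensitive, Match blocks are not global) and verifies the modes the page sets on .ssh and authorized_keys. The function names and the script name ssh_audit.sh are hypothetical, and the parser assumes a single config file without Include directives.

```shell
#!/bin/sh
# Added example, not from the original page: audit the SSH changes above.
# sshd keeps the FIRST value it reads per keyword, keywords are
# case-insensitive, and lines after a "Match" are conditional, not global.

# Print the effective global value of keyword $1 in config $2 (empty = unset).
sshd_global_value() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
                                 { sub(/=/, " ") }    # allow Keyword=value
        tolower($1) == "match"   { exit }             # global section ends
        tolower($1) == want      { print tolower($2); exit }   # first wins
    ' "$2"
}

# Print a finding unless path $1 exists with exactly octal mode $2.
check_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ] ||
        echo "FAIL $1: missing or mode is not $2"
}

# Audit config $1 and key directory $2; prints one line per finding.
audit_ssh() {
    pw=$(sshd_global_value PasswordAuthentication "$1")
    # An absent or commented-out keyword means the OpenSSH default: yes.
    [ "${pw:-yes}" = no ] ||
        echo "FAIL PasswordAuthentication=${pw:-yes}, expected no"
    for kv in ClientAliveCountMax=2 ClientAliveInterval=4; do
        got=$(sshd_global_value "${kv%%=*}" "$1")
        [ "$got" = "${kv#*=}" ] ||
            echo "WARN ${kv%%=*}=${got:-unset}, page sets ${kv#*=}"
    done
    check_mode "$2" 700
    check_mode "$2/authorized_keys" 600
}

# Constructed sample: a "no" appended after an earlier "yes" has no effect,
# and authorized_keys was left group/world-readable.
demo_ssh() {
    d=$(mktemp -d) && mkdir -m 700 "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 644 "$d/.ssh/authorized_keys"
    printf '%s\n' 'passwordauthentication yes' 'ClientAliveCountMax 2' \
        'ClientAliveInterval=4' 'PasswordAuthentication no' > "$d/sshd_config"
    audit_ssh "$d/sshd_config" "$d/.ssh"
    rm -rf "$d"
}

# Usage: sh ssh_audit.sh /etc/ssh/sshd_config /root/.ssh   (no args: demo)
if [ "$#" -eq 2 ]; then audit_ssh "$1" "$2"; else demo_ssh; fi
```

On the live box, `sshd -T` prints the configuration the daemon actually resolved, which is the authoritative cross-check before closing the password-authenticated session.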

Samba

  • Install samba from backports
apt-get -t jessie-backports install samba
  • Add a user
smbpasswd -a jevs
  • Update /etc/samba/smb.conf [6]
[global]
    ; netbios name = box ; defaults to machine name
    ; workgroup = WORKGROUP ; this is default
 
    ; dns proxy = no ; this is default
    ; local master = yes ; this is default
    domain master = yes
    preferred master = yes
 
    log file = /var/log/samba/log.%m
    syslog = 0
 
    ; security = user ; this is default
 
[storage]
    path = /storage
    writeable = yes
    ; valid users = jevs ; defaults to any registered user
  • Restart the service
service samba restart
  • Make sure Windows clients aren't Peer-Peer [7]

Deluge

  • Download, build and install libtorrent [8]
wget http://sourceforge.net/projects/libtorrent/files/latest/download -O libtorrent.tar.gz
tar -xf libtorrent.tar.gz
cd libtorrent-rasterbar-*
apt-get build-dep libtorrent-rasterbar
./configure --enable-python-binding
make -j 4
apt-get install checkinstall
checkinstall
# Should I create a default set of package docs: y
# Description: libtorrent-rasterbar
  • Download, build and install Deluge [9]
wget http://download.deluge-torrent.org/source/deluge-1.3.11.tar.gz
tar -xf deluge-*.tar.gz
cd deluge-*
apt-get install gettext intltool python python-chardet python-libtorrent python-mako \
    python-openssl python-setuptools python-twisted python-xdg
rsub setup.py
# remove docs/man/deluge.1, docs/man/deluge-gtk.1, gui_scripts and ui/gtkui/glade/*.glade
python setup.py build
python setup.py install
touch /var/log/deluged.log
chown jevs:jevs /var/log/deluged.log
sudo -u jevs deluged -dl /var/log/deluged.log # kill right after launching
rsub /var/lib/deluge/config/core.conf
# allow_remote: true
# download_location: /storage/downloads
# move_completed_path: /storage
rsub /home/jevs/.config/deluge/auth
# jevs:password:10
cd /home/jevs/.config/deluge/plugins
wget http://git.io/p4SE -O LabelPlus-0.3.1.0-py2.7.egg
# restore /home/jevs/.config/deluge/labelplus.conf
  • Create /etc/systemd/system/deluged.service [11]
[Unit]
Description=Deluge Bittorrent Client Daemon 
After=network.target

[Service]
Type=simple
User=jevs
Group=jevs
UMask=007

ExecStart=/usr/local/bin/deluged -dl /var/log/deluged.log -L warning

Restart=always
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target
  • Start the service and enable it to be started on boot
systemctl start deluged
systemctl enable deluged

Rsnapshot

  • Install Rsnapshot, create a target dir, configure it, enable Cron [12]
apt-get install rsnapshot
mkdir /storage/rsnapshot
chmod 700 /storage/rsnapshot
rsub /etc/rsnapshot.conf
# snapshot_root	/storage/rsnapshot/
# 
# retain	hourly	24
# retain	daily		7
# retain	weekly	4
# retain	monthly	60
#
# backup	/etc/						localhost/
# backup	/home/					localhost/
# backup	/opt/						localhost/
# backup	/root/					localhost/
# backup	/storage/sync/	localhost/
# backup	/usr/local/			localhost/
# backup	/var/backups/		localhost/
# backup	/var/lib/				localhost/
# backup	/var/log/				localhost/
rsub /etc/cron.d/rsnapshot
# 00 * * * *  root  /usr/bin/rsnapshot hourly
# 10 0 * * *  root  /usr/bin/rsnapshot daily
# 20 0 * * 1  root  /usr/bin/rsnapshot weekly
# 30 0 1 * *  root  /usr/bin/rsnapshot monthly
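
A consistency check for the two files edited above, as an added example that is not part of the original page: it confirms that every retain level in rsnapshot.conf has a cron job and that cron does not call an undefined level, and it flags config lines pasted with a space where rsnapshot needs a tab. The function names and the script name rsnapshot_check.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: cross-check the retain levels
# in rsnapshot.conf against the jobs in /etc/cron.d/rsnapshot.

# List retain level names from rsnapshot.conf $1 (fields are tab-separated).
retain_levels() {
    awk -F'\t+' '$1 == "retain" || $1 == "interval" { print $2 }' "$1"
}

# List levels scheduled in cron.d file $1 (five time fields, user, command).
cron_levels() {
    awk '!/^[ \t]*#/ && $7 ~ /rsnapshot$/ { print $NF }' "$1"
}

# Compare config $1 with cron file $2; prints one line per finding.
check_rsnapshot() {
    # rsnapshot requires tabs between fields; pasted spaces break the line.
    grep -nE '^(retain|interval|backup|snapshot_root) ' "$1" |
        sed 's/^/FAIL space instead of tab at line /'
    for l in $(retain_levels "$1"); do
        cron_levels "$2" | grep -qx "$l" ||
            echo "FAIL retain level '$l' has no cron job, so it never runs"
    done
    for l in $(cron_levels "$2"); do
        retain_levels "$1" | grep -qx "$l" ||
            echo "FAIL cron runs level '$l', which the config does not define"
    done
}

# Constructed sample: the page's four levels, but "monthly" is not scheduled
# and snapshot_root was pasted with a space instead of a tab.
demo_rsnapshot() {
    d=$(mktemp -d)
    printf 'snapshot_root /storage/rsnapshot/\n' > "$d/conf"
    printf 'retain\t%s\t%s\n' hourly 24 daily 7 weekly 4 monthly 60 >> "$d/conf"
    printf '%s  root  /usr/bin/rsnapshot %s\n' '00 * * * *' hourly \
        '10 0 * * *' daily '20 0 * * 1' weekly > "$d/cron"
    check_rsnapshot "$d/conf" "$d/cron"
    rm -rf "$d"
}

# Usage: sh rsnapshot_check.sh /etc/rsnapshot.conf /etc/cron.d/rsnapshot
if [ "$#" -eq 2 ]; then check_rsnapshot "$1" "$2"; else demo_rsnapshot; fi
```

`rsnapshot configtest` validates the config syntax itself; it does not look at the cron file, which is the gap this check covers.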

References

  1. Vyatta
  2. Who's using Debian?
  3. boot.img.gz
  4. win32diskimager
  5. nginx: Linux packages
  6. smb.conf
  7. Unable to ping local machines by name in Windows 7
  8. Building libtorrent
  9. Building Deluge
  10. Deluge daemon setup
  11. Deluge Daemon (deluged) Service
  12. Rsnapshot man page