From 4711d300dbfc5c0f582da40922d0021a7e37cd9a Mon Sep 17 00:00:00 2001 From: redbeardymcgee Date: Sat, 2 Nov 2024 11:24:50 -0500 Subject: [PATCH] Clean up for publishing --- README.md | 69 +++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 59 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index bedab17..aa4b265 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,9 @@ ### [Repositories](https://wiki.almalinux.org/repos/) +These may not really be necessary to set up, but you should absolutely review +them and decide for yourself. + - [AlmaLinux](https://wiki.almalinux.org/repos/AlmaLinux.html) - [CentOS SIGs](https://wiki.almalinux.org/repos/CentOS.html) - [Extra](https://wiki.almalinux.org/repos/Extras.html) @@ -18,6 +21,10 @@ ## SSH +SSH is optional, but highly encouraged. Cockpit gives you a terminal too, but +that's nowhere near as good as what you can do with a real terminal emulator +and ssh clients. + ```bash dnf install openssh-server @@ -25,11 +32,14 @@ dnf install openssh-server ssh-keygen -t ed25519 -a 32 -f "~/.ssh/$localhost-to-$remotehost" ## Copy key to AlmaLinux -ssh-copy-id -i "~/.ssh/$localhost-to-$remotehost" "[user@]$remotehost" +ssh-copy-id -i "~/.ssh/$localhost-to-$remotehost" "[${user}@]$remotehost" ``` ### Override `sshd` config +We don't want to allow anyone to login as root remotely ever. You must be a +`sudoer` with public key auth to elevate to root. + ```bash printf '%s\n' 'PermitRootLogin no' > /etc/ssh/sshd_config.d/01-root.conf printf '%s\n' \ @@ -40,7 +50,9 @@ printf '%s\n' \ ## Cockpit -> https://ip-addr:9090 > [!WARNING] Disable the firewall if you are lazy -> Exposing ports for other services can be exhausting +> Exposing ports for other services can be exhausting and I have not learned +> how to do this for containers properly. Each container may need a new rule +> for something, not sure. > ```bash > systemctl disable --now firewalld > ``` @@ -57,7 +69,7 @@ firewall-cmd --reload ### Add SSH keys -Skip if you copied your keys with `ssh-copy-id` above. +> [!TIP] Skip if you copied your keys with `ssh-copy-id` above. `Accounts` -> `Your account` -> `Authorized public SSH keys` -> `Add Key` @@ -71,6 +83,9 @@ dnf install setroubleshoot-server ## Podman +Podman is a daemonless container hypervisor. This document prepares a fully +rootless environment for our containers to run in. + ### Install ```bash @@ -78,11 +93,13 @@ dnf install podman systemctl enable --now podman ``` -> [!NOTE] Read the full `quadlet` docs: `man podman-systemd.unit` +> [!NOTE] Read the docs +> `man podman-systemd.unit` ### slirp4netns -> [!TODO] This may not be necessary but my system is currently using it +> [!TODO] +> This may not be necessary but my system is currently using it ```bash dnf install slirp4netns @@ -90,7 +107,9 @@ dnf install slirp4netns ### Install DNS server for `podman` -> [!TODO] Not sure how to resolve these correctly yet +> [!TODO] +> Not sure how to resolve these correctly yet but the journal logs it +> so it's running for something ```bash dnf install aardvark-dns @@ -98,6 +117,8 @@ dnf install aardvark-dns ### Enable unprivileged port binding +> [!NOTE] This is only necessary if you are setting up the reverse proxy + ```bash printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-unprivileged-port-binding.conf sysctl 'net.ipv4.ip_unprivileged_port_start=80' @@ -105,6 +126,9 @@ sysctl 'net.ipv4.ip_unprivileged_port_start=80' ### Prepare container user +This user will be the owner of all containers with no login shell or root +privileges. + ```bash # Prepare a group id outside of the normal range groupadd --gid 2000 $ctuser @@ -125,8 +149,11 @@ usermod --add-subuids 200000-299999 --add-subgids 200000-299999 $ctuser loginctl enable-linger $ctuser ``` -[!TIP] Optionally setup ssh keys to directly login to $ctuser -> Remember the login shell is `/usr/bin/false` so launch `bash -l` manually +> [!TIP] Optionally setup ssh keys to directly login to $ctuser + +> [!NOTE] The login shell doesn't exist +> Launch `bash -l` manually to get a shell or else your `ssh` will exit with a +> status of 1. ### Setup $ctuser env @@ -146,6 +173,8 @@ exit ### ~/.config/containers/systemd/protonvpn.network +This is a small internal network for this stack of containers to share. + ```ini [Unit] Description=ProtonVPN @@ -163,6 +192,8 @@ DNS=1.1.1.1 ### ~/.config/containers/systemd/gluetun.container +This is our VPN container. This example uses ProtonVPN. + > [!WARNING] I disabled SELinux to not deal with this for every other issue > /etc/selinux/config -> `SELINUX=disabled` @@ -172,8 +203,8 @@ Temporarily set SELinux policy to allow containers to use devices. setsebool -P container_use_devices 1 ``` -> [!TIP] -> Get protonvpn user/pass [here](https://account.proton.me/u/0/vpn/OpenVpnIKEv2) +> [!TIP] Get protonvpn user/pass +> [OpenVpnIKEv2](https://account.proton.me/u/0/vpn/OpenVpnIKEv2) ```ini [Unit] @@ -215,6 +246,9 @@ Environment=FIREWALL_DEBUG=on ### /volumes/gluetun/auth/config.toml +This allows us to query the `gluetun` API for the forwarded port without +needing an API user and password. + > [!WARNING] Do not expose the API to the internet ```toml @@ -226,6 +260,9 @@ auth = "none" ### ~/.config/containers/systemd/qbittorrent.container +> [!NOTE] Check $qbt_version from tags on dockerhub +> [qbittorrentofficial](https://docker.io/qbittorrentofficial/qbittorrent-nox) + ```ini [Unit] Description=qbittorrent client @@ -257,6 +294,9 @@ Environment=TZ=$timezone ### ~/.config/containers/systemd/qbittorrent-port-forward.container +This updates the `qbittorrent` configuration to match the forwarded port from +`gluetun`. + > [!TIP] Check the ip address of most containers > `podman exec -it $container_name ip addr show` @@ -291,6 +331,10 @@ Environment=GTN_ADDR=http://localhost:8000 ### ~/.config/containers/systemd/seedboxapi.container +This ensures that your torrent session stays in sync with your MAM session. + +> [!NOTE] Set your dynamic session with ASN lock now to view the $mam_id + ```ini [Unit] Description=Update qbittorrent session IP for tracker @@ -323,6 +367,11 @@ Environment=interval=1 ### ~/.config/containers/systemd/caddy.container +This is an optional container to add a reverse proxy (and more). + +> [!TODO] Needs to be filled out. Works as is but doesn't do anything with a +> default config. + ```ini [Unit] Description=Reverse proxy