Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
SSH
 
 
 
 

For an enclosure see rpi-drive

################################################################################
#  Copyright (c) 2017, Michael Sonst, All Rights Reserved.
# 
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
# 
#  http://www.apache.org/licenses/LICENSE-2.0
# 
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
################################################################################

# Download & write rpi image
# Assuming: 2017-04-10-raspbian-jessie-lite

# After creating the boot-SD card, copy the SSH file into the root directory
# Mount the created drives in a Linux VM and copy interfaces and wpa_supplicant.conf to
# their correct location
# Replace <WIFI-NAME> and <WIFI-KEY> in wpa_supplicant.conf
# Please note that the configuration in wpa_supplicant.conf is specifically for WPA2-PSK [AES] e.g. on a WNDR3400v3

ssh pi@<IP>

# Set new password
passwd
sudo adduser <USER>
sudo usermod -aG sudo <USER> 

sudo raspi-config
# Interfacing Options > Enable SSH
# Hostname > private-cloud
# Advanced > Expand Filesystem
# Localisation Options > Change Wi-fi Country > US
# Localisation Options > Change Timezone > US > Eastern
# reboot
# login with <USER>

sudo timedatectl set-ntp True
sudo apt-get -y update
sudo apt-get -y dist-upgrade
sudo apt-get -y update 
sudo apt-get -y install rsync

sudo apt-get -y install apache2 php5 php5-gd php-xml-parser php5-intl php5-sqlite php5-mysql smbclient curl libcurl3 php5-curl mysql-server mysql-client php-apc git
sudo apt-get -y install git

sudo service apache2 restart

## Install cloud
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.0.zip
sudo cp nextcloud-12.0.0.zip /var/www/html
cd /var/www/html
sudo unzip -q nextcloud-12.0.0.zip
sudo rm nextcloud-12.0.0.zip

## Partition & Format
# Assuming sda as drive
sudo fdisk /dev/sda # n, p, enter, enter, enter, w
sudo mke2fs -j /dev/sda1

# Create mountpoints
sudo mkdir -p /data/virtual

################################################################################
## 0) Single drive (for alternative see multidrive.md)

# Configure fstab for automounting drives on startup
sudo su -c "echo '/dev/sda1 /data/virtual ext3 defaults 1 2' >> /etc/fstab"
sudo mount -a

################################################################################
## Permissions

sudo chmod 777 /data/virtual

sudo usermod -aG www-data <USER> 
sudo chown -R www-data:www-data /data/virtual
sudo find /data/virtual -type f -exec chmod 664 {} + -o -type d -exec chmod 775 {} +
sudo find /data/virtual -type d -exec chmod g+rx {} +
sudo find /data/virtual -type f -exec chmod g+r {} +
sudo find /data/virtual -type d -exec chmod g+s {} +

sudo chown -R www-data:www-data /var/www/html
sudo find /var/www/html -type f -exec chmod 664 {} + -o -type d -exec chmod 775 {} +
sudo find /var/www/html -type d -exec chmod g+rx {} +
sudo find /var/www/html -type f -exec chmod g+r {} +
sudo find /var/www/html -type d -exec chmod g+s {} +

################################################################################
## Hardening

sudo rm /var/www/html/index.html

sudo a2enmod rewrite
sudo a2enmod headers
sudo a2enmod ssl
sudo a2enmod dav_fs
sudo service apache2 restart

sudo mkdir /etc/apache2/ssl
sudo openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout /etc/apache2/ssl/server.key -out /etc/apache2/ssl/server.crt
sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

# Alternative (Untested)
# cd ~
# wget https://dl.eff.org/certbot-auto
# chmod a+x ./certbot-auto
# ./certbot-auto

nano /etc/apache2/sites-enabled/000-default-ssl.conf
> SSLCertificateFile      /etc/apache2/ssl/server.crt
> SSLCertificateKeyFile   /etc/apache2/ssl/server.key

nano /etc/apache2/conf-available/security.conf
# Uncomment:
> <Directory />
>    AllowOverride None
>    Order Deny,Allow
>    Deny from all
> </Directory>
#
# Add:
> <Directory /var/www/html/nextcloud>
>   Options Indexes FollowSymLinks MultiViews
>   AllowOverride All
>   Order allow,deny
>   Allow from all
>   Satisfy Any
> </Directory>
#
# Set 
>  ServerTokens Prod
>  ServerSignature Off
>  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
>  Header always append X-Frame-Options SAMEORIGIN
>  Header set X-XSS-Protection "1; mode=block"
>  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
>  Header set X-Content-Type-Options: "nosniff"
# # ISSUE: OC can't find files anymore #>  Header set Content-Security-Policy "default-src 'self';"
>  RewriteEngine On
>  RewriteCond %{THE_REQUEST} !HTTP/1\.1$
>  RewriteRule .* - [F]

nano/etc/apache2/mods-available/ssl.conf
> SSLProtocol -all +TLSv1
> SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4

nano/etc/apache2/mods-available/userdir.conf
> <LimitExcept GET POST> # OPTIONS>

nano /etc/apache2/apache2.conf
> Timeout 60

sudo service apache2 restart


# On backup node
ssh-copy-id -i ~/.ssh/id_rsa.pub <USER>@<CLOUD_INTERNAL_IP>

nano /boot/config.txt
> dtoverlay=pi3-disable-wifi
> dtoverlay=pi3-disable-bt

# On cloud node
sudo ifdown wlan0
sudo apt-get install -y wipe
sudo wipe /etc/wpa_supplicant/wpa_supplicant.conf

sudo nano /etc/ssh/sshd_config
> ChallengeResponseAuthentication no
> PasswordAuthentication no
> UsePAM no
> PermitRootLogin no
sudo /etc/init.d/ssh reload

################################################################################
## Router Setup 
# - port forwarding to cloud pi
# - Setup ddns ==> <DDNS>
# Inbound https
# Outbound https, http, ntp

################################################################################
## Setup cloud
# - Set data dir during setup to /data/virtual
# - Set DB to MySQL

nano /var/www/html/nextcloud/config/config.php
> 'trusted_domains' =>
>  array (
>    0 => '<STATICIP>',
>    1 => '<DDNS>',
>  ),

################################################################################
## Troubleshooting
# WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! 
# > ssh-keygen -R <IP>

#######################
# If you get an error about database drivers, then try installing php5-mysql 
# again – for some reason, it didn’t install properly first time for me, 
# although no errors were shown:
sudo apt-get install php5-mysql
sudo reboot

#######################
# Error: MySQL/MariaDB user 'oc_admin'@'localhost' exists already. Drop this user from MySQL/MariaDB
mysql -u root -p
mysql> DROP USER 'oc_admin'@'localhost';

#######################
# Error: MySQL/MariaDB user 'oc_admin'@'%' already exists	Drop this user from MySQL/MariaDB.
mysql -u root -p
mysql> DROP USER 'oc_admin'@'%';

#######################
## Reset MySQL
mysql -u root -p
mysql> SHOW DATABASES;
mysql> DROP DATABASE IF EXISTS nextcloud;
mysql> quit

#######################
# Accidently installed a version 7.x.x e.g. via apt causes the following issues after
# reinstallation version 10:
# The requested URL /nextcloud/index.php was not found on this server.
sudo rm /etc/apache2/conf-enabled/nextcloud.conf
sudo rm /etc/apache2/conf-available/nextcloud.conf
sudo systemctl restart apache2

#######################
# Stuck in loop:                      
# Authentication required
# This action requires you to confirm your password
sudo systemctl stop ntp
sudo ntpd -q -g
sudo systemctl start ntp

#######################
# Rescan file system (run in /var/www/html/nextcloud)  
# This can be used to rescan e.g. after a scp import  
sudo -u www-data php occ files:scan


#######################
## Benchmark system
# IO, Mysql, etc.
#https://www.howtoforge.com/how-to-benchmark-your-system-cpu-file-io-mysql-with-sysbench

#######################
## Benchmark Network
sudo apt-get -y install iperf iptraf
sudo iperf -s
sudo iperf -c <SERVER_IP> -d
sudo iptraf

#######################
## Benchmark HDD Troughput
sudo apt-get install

#######################
## Interesting things to measure
sudo vcgencmd measure_temp  # > temp=52.6'C
sudo vcgencmd get_throttled # > throttled=0x0

#######################
## DynDNS: https://www.duckdns.org/