@besstiolle
Last active March 15, 2024 10:56
Shell & to install SelfHosting on Debian 12

README.md

This set of docs/scripts is for the use of the Bare-Métal tribe and is provided without any warranty.

Have Fun.

PS: you will notice that some sections are missing:

  • Firewall
  • Antivirus
  • Backup

README.md

This file :)

Setup.sh

Download it locally and run it.

Example:

cd ~
curl -o setup.sh https://urlr.me/KqHXn
chmod +x setup.sh

Remember to customize its contents, and especially its environment variables, before running it

vi setup.sh

then run it

./setup.sh

Complement.md

Here you will find other useful tips to get started.

Ideas.md

Here you will find ideas for software to install on Docker to get started.

Complement.md

Setting a static IP

The configuration lives in /etc/network/interfaces; example here with a Wi-Fi card on DHCP right after a Debian install:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug wlp2s0
iface wlp2s0 inet dhcp
       wpa-ssid superSSID
       wpa-psk  superMotDePasseWifi

Switching from DHCP to a static address is done by changing the block as follows (remember to back the file up first)

# The primary network interface
auto wlp2s0
iface wlp2s0 inet static
       address 192.168.1.11/24
       gateway 192.168.1.1
       wpa-ssid superSSID
       wpa-psk  superMotDePasseWifi

All that remains is to restart networking (expect your SSH session to drop)

systemctl restart networking

CPU benchmark

sudo apt install sysbench
#1 thread
sysbench cpu run
#4 threads
sysbench cpu run --threads=4

Benchmark results

sysbench cpu run --threads=8 ⇒ events per second: 32919.95

Kevin's tower - 12 cores

AMD Ryzen 5 5600X 6-Core Processor

  • 1 thread ⇒ 5 307 / s
  • 4 Threads ⇒ 21 229 / s
  • 8 Threads ⇒ 32 919 / s
  • 12 Threads ⇒ 35 424 / s

BattleStation 1 - 4 cores, 8 GB

CPU : Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz GPU : NVIDIA Quadro FX 2800M

  • 1 thread ⇒ 946 / s
  • 4 Threads ⇒ 2 532 / s
  • 8 Threads ⇒ 2 582 / s

BattleStation 2 - 4 cores, 8 GB

CPU : Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz GPU : Intel Haswell-ULT (integrated in the CPU) - explanations

  • 1 thread ⇒ 775 / s
  • 4 Threads ⇒ 2 492 / s
  • 8 Threads ⇒ 2 512 / s

CPU comparison

https://www.cpubenchmark.net/compare/2259vs849/Intel-i5-4210U-vs-Intel-i7-620M

SSH & Private Keys

Log in to the server and switch to the destination account (take its privileges)

create the ~/.ssh directory

inside it, run:

ssh-keygen -f filename -C 'Some comment' -t rsa -q   # creates filename (private key) and filename.pub (public key)
cat filename.pub >> authorized_keys                   # authorize the public key for this account
chmod 400 authorized_keys
cat filename                                          # print the private key so it can be copied off the server

Copy the contents to a file on your desktop. The text should look like

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

[...]

-----END RSA PRIVATE KEY-----

Open PuTTYgen, click Load, then click "Save private key", which converts the key to PuTTY's encrypted format

save it under a *.ppk name and put it in the Windows directory ~/user/.ssh. The text should look like

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: imported-openssh-key
Public-Lines: 6
[...]
Private-Lines: 14
[...]
Private-MAC: [...]

Use this ppk file in PuTTY

Docker

Access a container's logs:

docker logs -f <idContainer|nomContainer>

Start a container and rebuild it on the way with docker compose (the compose plugin installed by Setup.sh is invoked as "docker compose")

docker compose up --build

Open a shell in a container

docker ps
docker exec -ti <container_name> /bin/bash

Check the CPU / memory usage of your containers

docker stats

Setup.sh

#!/bin/bash
# Run as root on a fresh Debian 12 install.
# VARS
# Name of the main account that will be used to connect over SSH without going through root
MAIN_USER=bess
# Name of the account dedicated to running Docker. Separated from the main one as a security measure.
DOCKER_USER=dock
# SSH port, which should not stay 22 for security reasons
SSH_PORT=2222
# TODO : see step 5 and uncomment if necessary.
###########################
#
# STEP 1 : install all software, except Docker itself
#
# nano : editor
# sudo : controlled privileges
# btop : for showing CPU & other information nicely
# nfs-common : NFS utilities for the client
# apt-transport-https ca-certificates curl gnupg : needed to install Docker
#
###########################
apt update -qq
apt install -qq -y \
nano \
sudo \
btop \
nfs-common \
apt-transport-https ca-certificates curl gnupg
apt -qq -y --purge autoremove
apt -qq autoclean
###########################
#
# STEP 2 : Create a main account for SSH & sudo
#
###########################
#Create main user
user_main=$MAIN_USER
group_main=$user_main
home_main=/home/$user_main
# getent matches the whole name; grep -F on /etc/group would also match a substring ("bess" inside "bessie")
if getent group "$group_main" > /dev/null; then
echo " >> Groupe existant"
else
echo " >> Creation de groupe"
groupadd "$group_main"
fi
if getent passwd "$user_main" > /dev/null; then
echo " >> User existant,affectation au groupe"
usermod -aG "$group_main" "$user_main"
else
echo " >> Création de user & affectation au groupe"
useradd "$user_main" -g "$group_main"
passwd "$user_main"
fi
# Set bash for shell
usermod --shell /bin/bash "$user_main"
if [ -d "$home_main" ]; then
echo " >> Home directory existant"
else
echo " >> Création home directory"
mkdir -p "$home_main"
fi
#customize shell experience for $user_main
echo "if [ -f ~/.bashrc ]; then
source ~/.bashrc
fi" > "$home_main/.bash_profile"
# Quoted heredoc delimiter: $LS_OPTIONS and the backticks are written literally and expanded by the
# user's shell at login, not by this script (inside echo "..." the inner double quotes broke the string)
cat > "$home_main/.bashrc" <<'EOF'
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -lia'
alias l='ls $LS_OPTIONS -lA'
EOF
# Reset ownership for security
chown "$user_main:$group_main" -R "$home_main"
###########################
#
# STEP 3 : SUDO for main user
#
###########################
if [ ! -f /etc/sudoers.d/$user_main ]; then
# Write to a temporary file and install it only once visudo accepts the syntax:
# a malformed file in /etc/sudoers.d breaks sudo for every user on the machine.
sudoers_tmp=$(mktemp)
cat > "$sudoers_tmp" <<EOF
# To be placed in /etc/sudoers.d/monUser with visudo -f /etc/sudoers.d/monUser
# This allows running arbitrary commands, but so does ALL, and it means
# different sudoers have their choice of editor respected.
# (sudoers strings use double quotes; single quotes are not sudoers syntax)
Defaults:%sudo env_keep += "EDITOR"
# Completely harmless preservation of a user preference.
Defaults:%sudo env_keep += "GREP_COLOR"
# Host alias specification
# Nothing to do, we will use 'ALL'
# User alias specification
User_Alias MY_USERS = $user_main
# Cmnd alias specification
# Note: /usr/bin/su in this list lets MY_USERS run "sudo su" and get a full root shell, and nano
# can spawn a shell, so in practice this list is not more restrictive than ALL.
Cmnd_Alias MY_CMDS = /usr/bin/nano, /usr/bin/apt, /usr/bin/su
# Allow users myUser to execute commands myCmd as admin
MY_USERS ALL=(ALL) MY_CMDS
EOF
if visudo -cf "$sudoers_tmp"; then
install -m 0440 "$sudoers_tmp" /etc/sudoers.d/$user_main
echo " >> Configuration SUDO installée"
else
echo " >> ! Syntax error in the generated sudoers file, not installed"
fi
rm -f "$sudoers_tmp"
else
echo " >> Configuration SUDO déjà présente"
fi
###########################
#
# STEP 4 : Customize SSH connexion & reload configuration
#
###########################
# add custom SSH configuration (Debian 12's sshd_config includes /etc/ssh/sshd_config.d/*.conf)
echo "# SSH hardening
Port ${SSH_PORT}
PermitRootLogin no" > /etc/ssh/sshd_config.d/local.conf
# Validate the merged configuration before restarting: a broken config would leave no way back in over SSH
if sshd -t; then
systemctl restart ssh
else
echo " >> ! sshd configuration invalid, not restarting"
fi
###########################
#
# STEP 5 : Mount NFS directory from Synology NAS
#
###########################
## Create directory if necessary
#mkdir -p /mnt/Medias
#mkdir -p /mnt/Photos
#mkdir -p /mnt/BattleStationSynology
#
## Remove previous mount
#umount /mnt/Medias
#umount /mnt/Photos
#umount /mnt/BattleStationSynology
#
## Backup fstab for security reasons
#timestamp=$(date +%s)
#filename=/etc/fstab
#filename_bk=/etc/fstab_bk_$timestamp
#cp $filename $filename_bk
#
## Remove previous instruction in fstab
#if grep -Fq "#START_CUSTOM_SCRIPT" "$filename";
#then
# sed -i "/#START_CUSTOM_SCRIPT/ ,/#END_CUSTOM_SCRIPT/d" $filename
#fi
#
## Add instructions in fstab
#echo "
##START_CUSTOM_SCRIPT
#192.168.1.99:/volume1/Medias /mnt/Medias nfs defaults,_netdev,nofail,x-systemd.automount 0 0
#192.168.1.99:/volume1/photo /mnt/Photos nfs defaults,_netdev,nofail,x-systemd.automount 0 0
#192.168.1.99:/volume1/BattleStation /mnt/BattleStationSynology nfs defaults,_netdev,nofail,x-systemd.automount 0 0
##END_CUSTOM_SCRIPT" >> $filename
#
## reload configuration of fstab
#systemctl daemon-reload
#
## Manually Mount binding
#mount /mnt/Medias
#mount /mnt/Photos
#mount /mnt/BattleStationSynology
###########################
#
# STEP 6 : Change behavior of laptop
#
###########################
#Avoid hibernation when closing the lid (screen) of a laptop
instructions_lid="HandleLidSwitch=ignore"
if grep -Fq "$instructions_lid" /etc/systemd/logind.conf; then
echo " >> Lid Configuration ok"
else
echo "$instructions_lid" >> /etc/systemd/logind.conf
echo " >> Lid Configuration set"
fi
#Reload logind.conf configuration
systemctl restart systemd-logind
###########################
#
# STEP 7 : Install & configure Docker
#
###########################
# Create group & user dedicated to Docker usage (non-root only)
user_docker=$DOCKER_USER
group_docker=$user_docker
home_docker=/home/$user_docker
if getent group "$group_docker" > /dev/null; then
echo " >> Groupe existant"
else
echo " >> Creation de groupe"
groupadd "$group_docker"
fi
if getent passwd "$user_docker" > /dev/null; then
echo " >> User existant,affectation au groupe"
usermod -aG "$group_docker" "$user_docker"
else
echo " >> Création de user & affectation au groupe"
useradd "$user_docker" -g "$group_docker"
passwd "$user_docker"
fi
# Set bash for shell
usermod --shell /bin/bash "$user_docker"
if [ -d "$home_docker" ]; then
echo " >> Home directory existant"
else
echo " >> Création home directory"
mkdir -p "$home_docker"
fi
#customize shell experience for $user_docker
echo "if [ -f ~/.bashrc ]; then
source ~/.bashrc
fi" > "$home_docker/.bash_profile"
# Quoted heredoc delimiter: $LS_OPTIONS and the backticks are expanded by the user's shell at login, not here
cat > "$home_docker/.bashrc" <<'EOF'
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -lia'
alias l='ls $LS_OPTIONS -lA'
EOF
# Reset ownership for security
chown "$user_docker:$group_docker" -R "$home_docker"
# Install trusted key & apt repository if they do not exist already
# The gist targets Debian 12, so use Docker's Debian repository and the codename read from
# os-release (the Ubuntu "jammy" repository would serve packages built for Ubuntu).
if [ ! -f /usr/share/keyrings/docker.gpg ]; then
echo " >> gpg key doesn't exist for Docker so we install it"
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker.gpg
codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian $codename stable" > /etc/apt/sources.list.d/docker.list
else
echo " >> gpg key already exists for Docker"
fi
# Install Docker components & rootless components
# rootless components :
# dbus-user-session \
# fuse-overlayfs \
# slirp4netns
# uidmap => to use newuidmap & newgidmap
# see more : https://docs.docker.com/engine/security/rootless/
apt update -qq
apt install -qq -y \
docker-ce \
docker-ce-cli \
containerd.io \
docker-buildx-plugin \
docker-compose-plugin
# dbus-user-session \
# fuse-overlayfs \
# slirp4netns \
# uidmap
apt -qq -y --purge autoremove
apt -qq autoclean
# is-active exits non-zero when the unit is not active; "|| true" keeps the script going so the message below is printed
retour=$(systemctl is-active docker || true)
if [ "$retour" = "active" ]; then
echo " >> Docker is Active"
else
echo " >> ! there is a problem. systemctl is-active docker doesn't answer with 'active' response"
fi
# Set group Docker-daemon to user
usermod -aG docker $user_docker
#systemctl disable --now docker.service docker.socket
#if [ ! -f /usr/bin/dockerd-rootless-setuptool.sh ]; then
# echo " >> Error, script not found /usr/bin/dockerd-rootless-setuptool.sh"
# echo " >> See for more information https://docs.docker.com/engine/security/rootless/#install"
# exit 1
#fi
## The setup tool must run as the Docker user itself: a bare "su" would open an interactive
## shell, and the next line would only run, as root, after that shell exits.
#su - "$user_docker" -c "dockerd-rootless-setuptool.sh install"
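An added check, not part of the gist, for what the local.conf drop-in written in STEP 4 of Setup.sh actually achieves: Debian 12's sshd_config opens with "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the first value it reads for a directive, so the drop-in only wins because it is read before the stock file. The function names and the sample files are this example's own (constructed, not real system files); Match blocks and multiple Port lines (each one adds a listening port) are not modelled.

```shell
#!/bin/sh
# sshd_effective DIRECTIVE FILE... : print the value that wins for DIRECTIVE,
# FILEs given in the order sshd reads them (drop-ins first on Debian 12).
# Handles the "keyword argument" form; directive names are case-insensitive.
sshd_effective() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  shift
  awk -v want="$want" '
    NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
    tolower($1) == want  { print $2; exit }   # first occurrence wins
  ' "$@"
}

# check_ssh_hardening FILE... : succeed only if root login is refused and the
# first Port seen is not 22 (the two settings Setup.sh writes to local.conf)
check_ssh_hardening() {
  root=$(sshd_effective PermitRootLogin "$@")
  port=$(sshd_effective Port "$@")
  [ "$root" = "no" ] && [ -n "$port" ] && [ "$port" != "22" ]
}

# Constructed sample files in a temp dir so the example runs anywhere
demo_dir=$(mktemp -d)
printf 'Port 2222\nPermitRootLogin no\n' > "$demo_dir/local.conf"
printf 'Include /etc/ssh/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPort 22\n' \
  > "$demo_dir/sshd_config"

# Drop-in read first, as on Debian 12: hardened. Stock file alone: root login allowed.
if check_ssh_hardening "$demo_dir/local.conf" "$demo_dir/sshd_config"; then
  echo "with drop-in: PermitRootLogin=$(sshd_effective PermitRootLogin "$demo_dir/local.conf" "$demo_dir/sshd_config")"
fi
if ! check_ssh_hardening "$demo_dir/sshd_config"; then
  echo "stock file alone: PermitRootLogin=$(sshd_effective PermitRootLogin "$demo_dir/sshd_config")"
fi
rm -rf "$demo_dir"
```

On the real server, `sshd -T` prints the effective configuration after all includes and is the authoritative check; this script reproduces the first-match rule for reading drop-ins offline.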