noah
/
dreckbude-docs-pub
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Initial commit

master
Noah 5 years ago
commit
75b7a85427
6 changed files with 363 additions and 0 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +7
    -0
      00_dns_records.md
  2. +162
    -0
      01_initial_setup.md
  3. +42
    -0
      02_mailcow_setup.md
  4. +21
    -0
      03_ts3_setup.md
  5. +128
    -0
      04_nginx_setup.md
  6. +3
    -0
      README.md

+ 7
- 0
00_dns_records.md View File

@@ -0,0 +1,7 @@
Host Type MX Destination
* A 5.45.101.172
@ MX 10 srv01.dreckbu.de
@ A 5.45.101.172
autoconfig CNAME srv01.dreckbu.de
autodiscover CNAME srv01.dreckbu.de
mail A 5.45.101.172

+ 162
- 0
01_initial_setup.md View File

@@ -0,0 +1,162 @@
# Dreckbu.de server initial setup
## ssh
```bash
# as root
adduser noah
usermod -aG sudo noah
```
* Copy pub keys to server using `ssh-copy-id -i KEY_FILE user@host`.
```bash
nano /etc/ssh/sshd_config
```
* Change *PasswordAuthentication yes* to *PasswordAuthentication no*.
```bash
systemctl restart sshd
```

## software
```bash
apt update && apt upgrade
apt install vim tmux htop zsh
update-alternatives --config editor
```

## firewall
```
netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995'
apt install iptables-persistent
```
* iptables base:
`vim /etc/iptables.up.rules`
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]

##
# INPUT
##

# Allow localhost
-A INPUT -i lo -j ACCEPT

# Allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# INPUT default DROP
-A INPUT -j DROP

##
# DOCKER-USER rules
##

# Allow established connections
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# SMTP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT

# http
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# https
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT

# DOCKER-USER default DROP
-A DOCKER-USER -i eth0 -j DROP

COMMIT
```
* Modified `vim /etc/iptables.up.rules`
```bash
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]

##
### INPUT
####
##
### Allow localhost
-A INPUT -i lo -j ACCEPT
##
### Allow established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
##
### Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
##
### SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
##
### INPUT default DROP
-A INPUT -j DROP
##
####
### DOCKER-USER rules
####
##
### Allow established connections
-A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
##
### SMTP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
### SMTPS
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 465 -j ACCEPT
### Postfix Submission
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 587 -j ACCEPT
### IMAP
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
### IMAPS
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
### POP3
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
### POP3S
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 995 -j ACCEPT
### Dovecot ManageSieve
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 4190 -j ACCEPT
### http
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
### https
-A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
#
### DOCKER-USER default DROP
-A DOCKER-USER -i eth0 -j DROP
COMMIT
```

```bash
iptables-restore < /etc/iptables.up.rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
```

**leave iptables alone, it breaks everything!!!**

## datetime
```bash
timedatectl status
```

## hostname and fqdn
```bash
vim /etc/hostname
# replace with srv01
hostname $(cat /etc/hostname)
vim /etc/resolvconf/resolv.conf.d/head
# add domain dreckbu.de at the end
resolvconf -u
hostnamectl set-hostname srv01
vim /etc/hosts
# replace with srv01
```

+ 42
- 0
02_mailcow_setup.md View File

@@ -0,0 +1,42 @@
# Mailcow setup
## install docker
*https://docs.docker.com/install/linux/docker-ce/debian/#prerequisites*
```bash
apt install \
apt-transport-https \
ca-certificates \
curl \
gnupg2 \
software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
apt-key fingerprint 0EBFCD88
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
apt update
apt install docker-ce docker-ce-cli containerd.io
```

## install docker-compose
```bash
curl -L "https://github.com/docker/compose/releases/download/1.25.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```

## install mailcow
```bash
umask
# should equal 0022
cd /opt
git clone https://github.com/mailcow/mailcow-dockerized
cd mailcow-dockerized
docker-compose pull
docker-compose up -d
vim mailcow.conf
# enable SKIP_HTTP_VERIFICATION=n
```

## troubleshooting
* cannot receive mail from accounts that aren't local
* applied fix: https://github.com/mailcow/mailcow-dockerized/issues/776 (srv01.dreckbu.de dest)

+ 21
- 0
03_ts3_setup.md View File

@@ -0,0 +1,21 @@
# Teamspeak 3 setup
*https://hub.docker.com/_/teamspeak*

`docker run --name ts3 -v /opt/ts3/ts3server:/var/ts3server/ -d -p 9987:9987/udp -p 9988:9988/udp -p 10011:10011 -p 30033:30033 -e TS3SERVER_LICENSE=accept teamspeak:latest`

`vim /etc/systemd/system/docker-ts3.service`

```
[Unit]
Description=Teamspeak 3 server
Requires=docker.service
After=docker.service

[Service]
Restart=always
ExecStart=/usr/bin/docker start -a ts3
ExecStop=/usr/bin/docker stop -t 2 ts3

[Install]
WantedBy=default.target
```

+ 128
- 0
04_nginx_setup.md View File

@@ -0,0 +1,128 @@
# Nginx setup
* https://hub.docker.com/_/nginx

## Set up reverse proxy in mailcow
* https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/
* `vim /opt/mailcow-dockerized/mailcow.conf`
```
HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_BIND=127.0.0.1
HTTPS_PORT=8443
```

```bash
./generate_config.sh
cp mailcow.conf_backup mailcow.conf
docker-compose up -d
```

```
docker run --name tmp-nginx-container -d nginx
docker cp tmp-nginx-container:/etc/nginx /opt/nginx/
docker rm -f tmp-nginx-container
```

* `vim /opt/nginx/nginx/conf.d/mailcow.conf`
```
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name srv01.dreckbu.de autodiscover.* autoconfig.*;
return 301 https://$host$request_uri;
}
server {
listen 443;
listen [::]:443;
server_name srv01.dreckbu.de autodiscover.* autoconfig.*;

ssl on;
ssl_certificate /var/ssl/cert.pem;
ssl_certificate_key /var/ssl/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location /Microsoft-Server-ActiveSync {
proxy_pass http://nginx-mailcow:8080/Microsoft-Server-ActiveSync;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 75;
proxy_send_timeout 3650;
proxy_read_timeout 3650;
proxy_buffers 64 256k;
client_body_buffer_size 512k;
client_max_body_size 0;
}

location / {
proxy_pass http://nginx-mailcow:8080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 0;
}
}
```

## set up main host for serving static html pages

* `vim /opt/nginx/nginx/conf.d/main.conf`
```
# HTTP
server {
listen 80;
listen [::]:80;
server_name dreckbu.de www.dreckbu.de;
# enforce https
return 301 https://$server_name$request_uri;
}

# HTTPS
server {
listen 443;
listen [::]:443;
server_name dreckbu.de www.dreckbu.de;

ssl on;
ssl_certificate /var/ssl/cert.pem;
ssl_certificate_key /var/ssl/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

index index.php index.html index.htm;

location / {
root /var/www;
}
}
```

## test the reverse proxy

* `docker run --name nginx-reverse-proxy -p 80:80 -p 443:443 --network mailcowdockerized_mailcow-network -v /opt/nginx/nginx:/etc/nginx:ro -v /opt/mailcow-dockerized/data/assets/ssl:/var/ssl -v /opt/nginx/www:/var/www -d nginx`

* `vim /opt/nginx/docker-compose.yml`
```
version: "2"
networks:
mailcowdockerized_mailcow-network:
external: true
services:
nginx-reverse-proxy:
image: nginx
volumes:
- /opt/nginx/nginx:/etc/nginx:ro
- /opt/mailcow-dockerized/data/assets/ssl:/var/ssl
- /opt/nginx/www:/var/www
ports:
- "80:80"
- "443:443"
restart: always
networks:
- mailcowdockerized_mailcow-network
```

* https://stackoverflow.com/questions/38088279/communication-between-multiple-docker-compose-projects

+ 3
- 0
README.md View File

@@ -0,0 +1,3 @@
# Dreckbu.de docs

Documentation on how srv01.dreckbu.de was installed.

Write Preview
Loading…
Cancel
Save