diff --git a/helperbot b/helperbot
index e8d262b..602de49 100755
--- a/helperbot
+++ b/helperbot
@@ -194,6 +194,7 @@ function system_upgrade {
 # apt/system related upgrade
 base_system_upgrade
 # docker
+ update_docker_container "/srv/docker" "caddy" "compose.yaml"
 update_docker_container "/srv/docker" "sharkey" "compose.yaml"
 update_docker_container "/srv/docker" "iceshrimp" "compose.yaml"
 update_docker_container "/srv/docker" "mastodon" "compose.yaml"
@@ -204,6 +205,7 @@ function system_upgrade {
 # apt/system related upgrade
 base_system_upgrade
 # docker
+ update_docker_container "/srv/docker" "caddy" "compose.yaml"
 update_docker_container "/srv/docker" "mailserver" "compose.yaml"
 update_docker_container "/srv/docker" "ejabberd" "compose.yaml"
 update_docker_container "/srv/docker" "zitadel" "compose.yaml"
@@ -218,8 +220,9 @@ function system_upgrade {
 # apt/system related upgrade
 base_system_upgrade
 # docker
- upgrade_docker_container "/srv/docker" "redlib" "compose.yaml"
- upgrade_docker_container "/srv/docker" "safetwitch" "compose.yaml"
+ update_docker_container "/srv/docker" "caddy" "compose.yaml"
+ update_docker_container "/srv/docker" "redlib" "compose.yaml"
+ update_docker_container "/srv/docker" "safetwitch" "compose.yaml"
 # done
 echo "${green}System upgrade finished! beep!~${normal}"
 echo "${red}Rebooting system.${normal}"
@@ -566,7 +569,11 @@ function docker_cleanup {
 docker network prune -f
 # ensure our ipv6 network still exists
 echo "${blue}docker-cleanup:${normal} Ensuring IPv6 network still exists..."
- docker network create --ipv6 --subnet fd00:cafe:face:feed::/64 ip6net
+ if [ ! -x "docker network ls | grep 'ip6net'" ]; then
+ docker network create --ipv6 --subnet fd00:cafe:face:feed::/64 ip6net
+ else
+ echo "${green}Docker IPv6 network still exists.${normal}"
+ fi
 echo "${green}Done. Beep!${normal}"
 }
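Review bot: The same `update_docker_container "/srv/docker" "caddy" "compose.yaml"` line is hand-inserted at the top of three separate per-host lists (this hunk and the two `system_upgrade` hunks after it), and the third of them shows what that duplication costs: two calls to an apparently misnamed `upgrade_docker_container` sat there until this commit. Keeping each host's services in an array and walking it would leave a single call site, e.g. `for svc in caddy sharkey iceshrimp mastodon; do update_docker_container "/srv/docker" "$svc" "compose.yaml"; done`. The body of `system_upgrade` starts and ends outside these hunks, so how the host branches are selected is not visible here.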
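Review bot: The new existence check in `docker_cleanup` never runs a command: `[ ! -x "docker network ls | grep 'ip6net'" ]` asks whether a file with that literal name is executable, so the test is always true and `docker network create` still runs unconditionally, now with an `else` branch that can never be reached. A probe that actually asks the daemon is `if ! docker network inspect ip6net >/dev/null 2>&1; then`, which is true only when the network is absent. The function body starts before this hunk; note that the `docker network prune -f` a few lines up removes `ip6net` whenever no container is attached to it, so the recreate path is expected to run regularly, not only on first setup.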
diff --git a/phosphorus/etc/systemd/system/helperbot-docker-cleanup.service b/phosphorus/etc/systemd/system/helperbot-docker-cleanup.service
new file mode 100644
index 0000000..e0c0cfa
--- /dev/null
+++ b/phosphorus/etc/systemd/system/helperbot-docker-cleanup.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=helperbot docker cleanup command
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/helperbot --docker-cleanup
\ No newline at end of file
diff --git a/phosphorus/etc/systemd/system/helperbot-docker-cleanup.timer b/phosphorus/etc/systemd/system/helperbot-docker-cleanup.timer
new file mode 100644
index 0000000..bfa581f
--- /dev/null
+++ b/phosphorus/etc/systemd/system/helperbot-docker-cleanup.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=helperbot docker cleanup command
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=3d
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
diff --git a/phosphorus/home/ruben/.zshenv b/phosphorus/home/ruben/.zshenv
new file mode 100644
index 0000000..5208820
--- /dev/null
+++ b/phosphorus/home/ruben/.zshenv
@@ -0,0 +1 @@
+. /home/ruben/.config/zsh/.zshenv
\ No newline at end of file
diff --git a/setup.md b/setup.md
index ad54ac1..ecc208f 100644
--- a/setup.md
+++ b/setup.md
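Review bot: The new service unit declares no ordering or dependency on the Docker daemon, so the timer's `OnBootSec=15min` is the only thing keeping `helperbot --docker-cleanup` from being started before the daemon is up after a boot, and the `docker network prune -f` it runs would presumably just fail in that case. Assuming the daemon is installed as `docker.service`, add to `[Unit]`: `After=docker.service` and `Requires=docker.service`, so the oneshot is ordered after the daemon and not attempted without it. The same `[Unit]` block is repeated in the timer unit in the next hunk, but the dependency belongs on the service, not the timer.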
@@ -4,33 +4,49 @@ Personal guide to configuring a new system entirely from scratch. We use the latest version of Debian (12/Bookworm in this case) and everything we run is containerized, via Docker. -## Phosphorus - -### Setup +## Setup Boot up the Debian installer and set it up. The guided installer does everything for us and is simple to go through. Just make sure the admin password, user account password, hostname etc., is all set correctly. Also make sure you *don't* mess up the GRUB installation if it prompts to be installed. Ensure you're installing it *only* using the `SSH server` and `basic system utilities` (something along those lines - it should be the last on the list and automatically selected) presets. Once installed and rebooted into the system, we can log in. At this point, it's also possible to use SSH with the default configurations as Debian automatically enables it. -### Post-setup +## Post-setup -#### Sudo +### Sudo Once logged in, let's get started with `sudo`. It's missing by default. Get a root shell by typing in `su -` along with the root password when asked, and first do an update of apt with `apt update && apt upgrade` then do `apt install sudo`. Install it, and now do `usermod -aG sudo ` to make yourself a sudoer. Once that's done, exit the root shell, log out then log back in. Try `sudo` against anything to confirm it works, and congrats! Sudo now exists here. -#### SSH +### SSH -As I've said before, SSH is already installed and configured. For now, we're just going to change the port to something else to prevent it from being attacked immediately +As I've said before, SSH is already installed and configured. For now, we're just going to change the port to something else to prevent it from being attacked immediately. 
-Open up `/etc/ssh/sshd_config.d/01-port.conf` in your text editor (Neovim isn't installed right now - `sudo apt install neovim`) and just fill in the following: +Open up `/etc/ssh/sshd_config.d/01-port.conf` in your text editor (Neovim isn't installed right now - `sudo apt install neovim`) and just fill in the following for the server we're setting it up for: + +#### Phosphorus ``` Port 6720 ``` -This is exactly what it says. It opens SSH to port 6720 instead. Later, we'll configure it to disable password logins, but for now this will work. Restart SSH via `sudo systemctl restart sshd` (and `sudo systemctl restart ssh`, one of these should work and I don't know which) for it to take effect. Log in for now by adding `-p 6720` before the IP when doing `ssh` until we get a proper configuration. +#### Cerium -#### firewalld +``` +Port 6721 +``` + +#### Neptunium + +``` +Port 6721 +``` + +#### Synthnix + +Leave it as the default port to make it be easier for users to log in. + +This is exactly what it says. It opens SSH to use the port of what is specified instead of the default 22. Later, we'll configure it to disable password logins, but for now this will work. Restart SSH via `sudo systemctl restart sshd` (and `sudo systemctl restart ssh`, one of these should work and I don't know which) for it to take effect. Log in for now by adding `-p ` before the IP when doing `ssh` until we get a proper configuration. + +### firewalld For the sake of our own safety and concern, we'll get a basic firewall up. Technically, it's not required to do so as Docker will just bypass it anyways, but I still prefer it as a safety measure to ensure that nothing else that could possible be running on a system level is exposed to the outside world from the system. 
@@ -48,7 +64,7 @@ sudo firewall-cmd --reload And we're done for now here, until we configure other things later on. -#### `synths` group +### `synths` group We use a custom group to allow access to folders that would other be unreadable/unwritable to our users. This is used for our `/srv/docker` folder. @@ -62,7 +78,7 @@ Then we add ourselves to the `synths` group: sudo usermod -aG synths ``` -Then, apply permissions to `/srv/docker` (create the folder using `sudo` if it doesn't exist): +Then, apply permissions to `/srv/docker` (create the folder if it doesn't exist): ```bash sudo chgrp synths /srv/docker sudo chmod g+rwx /srv/docker @@ -72,7 +88,7 @@ And now `/srv/docker` is readable and writable by everyone in the `synths` group *Files written/made by others, however, will be owned by them, and will require sudo to modify their files. -#### Package installations +### Package installations Now that we're mostly set up and secure, let's install all of the packages required to continue with setting everything else up: @@ -87,9 +103,10 @@ Now that we're mostly set up and secure, let's install all of the packages requi - `unzip` - `npm` - `git` +- `zsh` ```bash -sudo apt install neovim htop btop zram-tools rsync backblaze-b2 unzip git +sudo apt install neovim htop btop zram-tools rsync backblaze-b2 unzip git zsh ``` Docker installation is another process, please refer to their links to do it. 
@@ -106,4 +123,43 @@ sudo service zramswap reload Once that's done, ZRAM should now be configured properly! -#### Caddy \ No newline at end of file +### SSH keys + +We should disable password logins. + +### Caddy + +Unlike our previous setup, we use Caddy in a container, mainly becaues it makes it easier to manage things like custom builds. Let's start by creating the `/srv/docker/caddy` folder. + +#### Phosphorus + +Refer to the files in the [`phosphorus`](/phosphorus/srv/docker/caddy), it's all we need for our Phosphorus setup. + +## Personal configurations + +Now that we have the basics, We can set up our own user and shell and such to how we want. + +### ZSH + +I prefer zsh over bash, but also mainly because it has a cooler scene with plugins and stuff. Since we already installed zsh earlier, just launch it with `zsh`, which will bring up a menu, hit `2` to get the default configuration. + +#### Antidote/zdotdir + +Antidote is a neat and fast little plugin manager for zsh. + +We will simply be using `zdotdir`, which is a starting point framework by the Antidote devs. It provides good and sane defaults, so we won't actually need to mess much with it. Follow the [instruction here](https://github.com/getantidote/zdotdir#installation) to do our initial install for it. + +The Powerlevel10k configuration prompt should appear, just follow it and configure it as wanted, and we should be done here. Yay. + +#### Atuin + +Atuin gives up a near little history viewer over the default when we press the up arrow on our keyboard. + +We use their suggested command to install it: +```bash +curl --proto '=https' --tlsv1.2 -LsSf https://setup.atuin.sh | sh +``` + +It will automatically add itself to the correct `.zshrc` file, so it will load in with a new shell session. + +Of course, however, since we installed it in a way not integrated with our system, we'll need to manage updates for it. We can just set a cronjob on our user to do that automatically though. 
Type in `crontab -e` and append `0 9 * * * atuin-update` to the bottom of the file. \ No newline at end of file