Cubieboard2
- AllWinnerTech SOC A20 ARM® Cortex™-A7 Dual-Core ARM® Mali400 MP2 Complies with OpenGL ES 2.0/1.1
- 1GB DDR3 @480M
- 3.4GB internal NAND flash, up to 64GB on SD slot, up to 2T on 2.5 SATA disk
- 5VDC input 2A or USB otg input
- 1x 10/100 ethernet, support usb wifi
- 2x USB 2.0 HOST, 1x mini USB 2.0 OTG, 1x micro sd
- 1x HDMI 1080P display output
- 1x IR, 1x line in, 1x line out
- 96 extend pin interface, including I2C, SPI, RGB/LVDS, CSI/TS, FM-IN, ADC, CVBS, VGA, SPDIF-OUT, R-TP, and more
- Crucial M500 (480 GB SSD)
Debian Stretch
Installation via SD card
Download the image Armbian_5.38_Cubieboard2_Debian_stretch_next_4.14.14.7z and decompress it.
Insert an SD card into the USB/SD card reader, then plug the reader into a USB port of the machine holding the image file.
dmesg # to identify the device
[24924.607561] sdd: sdd1
[24924.611508] sd 4:0:0:0: [sdd] Attached SCSI removable disk
The SD card is /dev/sdd
Flash the SD card
sudo dd if=Armbian_5.38_Cubieboard2_Debian_stretch_next_4.14.14.img of=/dev/sdd bs=4M
sync
Insert the SD card into its slot on the A20-Olinuxino-MICRO board
We use a USB/serial link and the minicom program to talk to the olimex board, which is also connected to the network.
sudo minicom
Connect the power jack
Login root, password 1234
Creating user xo
cubieboard2 login: root
Password:
You are required to change your password immediately (root enforced)
Changing password for root.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
(figlet banner: Cubieboard2)
Welcome to ARMBIAN 5.38 stable Debian GNU/Linux 9 (stretch) 4.14.14-sunxi
System load: 0.06 0.16 0.17 Up time: 12 min
Memory usage: 4 % of 1000MB IP: 192.168.0.12
CPU temp: 39°C
Usage of /: 14% of 7.2G
[ General system configuration (beta): armbian-config ]
New to Armbian? Check the documentation first: https://docs.armbian.com
Thank you for choosing Armbian! Support: www.armbian.com
Creating a new user account. Press <Ctrl-C> to abort
Please provide a username (eg. your forename): xo
Trying to add user xo
Adding user `xo' ...
Adding new group `xo' (1000) ...
Adding new user `xo' (1000) with group `xo' ...
Creating home directory `/home/xo' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for xo
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
Dear xo, your account xo has been created and is sudo enabled.
Please use this account for your daily work from now on.
Note the IP address
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 02:c4:04:40:f0:ff brd ff:ff:ff:ff:ff:ff
inet 192.168.0.12/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a01:e34:eebf:df0:c4:4ff:fe40:f0ff/64 scope global mngtmpaddr dynamic
valid_lft 85904sec preferred_lft 85904sec
inet6 fe80::c4:4ff:fe40:f0ff/64 scope link
valid_lft forever preferred_lft forever
3: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether fe:ce:ac:d1:64:41 brd ff:ff:ff:ff:ff:ff
Debian update
apt update && apt upgrade
SSH connection
ssh xo@192.168.0.12
Welcome to ARMBIAN 5.38 stable Debian GNU/Linux 9 (stretch) 4.19.20-sunxi
System load: 1.64 0.44 0.15 Up time: 0 min
Memory usage: 5 % of 1000MB IP: 192.168.0.12
CPU temp: 47°C
Usage of /: 17% of 7.2G
Configuration (Armbian Config User Guide)
sudo armbian-config
Transfer SD card → SSD (/dev/sda1)
SSH connection
ssh xo@192.168.0.12
Welcome to ARMBIAN 5.38 stable Debian GNU/Linux 9 (stretch) 4.19.20-sunxi
System load: 1.37 0.32 0.11 Up time: 0 min
Memory usage: 5 % of 1000MB IP: 192.168.0.12
CPU temp: 47°C
Usage of /: 7% of 20G
Last login: Sat Mar 16 11:59:31 2019 from 192.168.0.28
Run the configuration again
sudo armbian-config
Editing the network configuration file
Freebox settings
Link-local IPv6 address: fe80::224:d4ff:fea6:aa20
Prefix: 2a01:e34:eebf:df3::/64
Next hop: fe80::c4:4ff:fe40:f0ff
Adding IPv6
iface eth0 inet6 static
address 2a01:e34:eebf:df3::1
netmask 64
post-up ip -6 route add default via fe80::224:d4ff:fea6:aa20
Change the DNS servers
dns-nameservers 9.9.9.9 80.67.169.12 80.67.169.40
Reboot
sudo systemctl reboot
SSH connection
ssh xo@192.168.0.12
As root
sudo -s
Check the network
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 92:b5:a3:13:7f:88 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 02:c4:04:40:f0:ff brd ff:ff:ff:ff:ff:ff
inet 192.168.0.12/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a01:e34:eebf:df3::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::c4:4ff:fe40:f0ff/64 scope link
valid_lft forever preferred_lft forever
4: bond0: <BROADCAST,MULTICAST,MASTER> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 1a:a8:1f:15:7f:fe brd ff:ff:ff:ff:ff:ff
Locales
dpkg-reconfigure locales
Generating locales (this might take a while)...
fr_FR.UTF-8... done
Generation complete.
Time zone: Europe/Paris (optional, as it was already set during the Debian installation)
dpkg-reconfigure tzdata
Domain and certificates for xoyize.xyz
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates/
Server: installing and renewing Let's Encrypt SSL certificates
Installing the acme client
cd ~
sudo -s # as superuser
apt install netcat socat -y # prerequisites
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install # --nocron
cd ..
rm -rf acme.sh/
Copy the access keys
Generating the certificates
/root/.acme.sh/acme.sh --dns dns_ovh --issue --keylength ec-384 -d xoyize.xyz -d *.xoyize.xyz
[vendredi 15 mars 2019, 20:08:10 (UTC+0100)] Your cert is in /root/.acme.sh/xoyize.xyz_ecc/xoyize.xyz.cer
[vendredi 15 mars 2019, 20:08:10 (UTC+0100)] Your cert key is in /root/.acme.sh/xoyize.xyz_ecc/xoyize.xyz.key
[vendredi 15 mars 2019, 20:08:10 (UTC+0100)] The intermediate CA cert is in /root/.acme.sh/xoyize.xyz_ecc/ca.cer
[vendredi 15 mars 2019, 20:08:10 (UTC+0100)] And the full chain certs is there: /root/.acme.sh/xoyize.xyz_ecc/fullchain.cer
Install sudo and edit /etc/sudoers to give user yann password-less access
apt update
apt upgrade
apt install sudo
echo "cubie ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
Installing the tools
apt install rsync curl tmux jq figlet git tree dnsutils -y
Disks
LVM disks
root@srvxo:/home/cubie# pvs
  PV         VG         Fmt  Attr PSize   PFree
  /dev/sda3  vg-ssd-one lvm2 a--  446.85g 342.85g
root@srvxo:/home/cubie# vgs
  VG         #PV #LV #SN Attr   VSize   VFree
  vg-ssd-one   1   3   0 wz--n- 446.85g 342.85g
root@srvxo:/home/cubie# lvs
  LV   VG         Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  home vg-ssd-one -wi-ao---- 75.00g
  root vg-ssd-one -wi-ao---- 25.00g
  swap vg-ssd-one -wi-ao----  4.00g
SSH connection with keys
Connect from a workstation on the network:
ssh cubie@192.168.0.12
Configuring SSH
No root login: PermitRootLogin no in /etc/ssh/sshd_config
Install libpam-systemd (otherwise the SSH session does not terminate cleanly on a remote "reboot"):
sudo apt install libpam-systemd # installed by default on Debian 9
Restart the ssh service
sudo systemctl restart ssh
Running the .ssh/rc script on SSH login
Runs a per-user file named $HOME/.ssh/rc if present
For all users, runs a file named /etc/ssh/sshrc if present
Install the utilities curl jq figlet
The script
mkdir -p ~/.ssh
nano ~/.ssh/rc
#!/bin/bash
# Note: sshd runs ~/.ssh/rc with /bin/sh (dash on Debian), whose built-in echo
# interprets the \033 colour escapes below; under bash they would need echo -e.
#clear
PROCCOUNT=`ps -Afl | wc -l` # number of lines
PROCCOUNT=`expr $PROCCOUNT - 5` # drop the lines that are not processes of interest
GROUPZ=`users`
ipinfo=$(curl -s ipinfo.io) # geolocation info in JSON format
publicip=$(echo $ipinfo | jq -r '.ip') # extract the fields; "jq" must be installed first
ville=$(echo $ipinfo | jq -r '.city') # city
pays=$(echo $ipinfo | jq -r '.country') # country
cpuname=`cat /proc/cpuinfo |grep 'model name' | cut -d: -f2 | sed -n 1p`
# name of interface number 2 (eth0 here; check `ip link`, a dummy0 device can take that slot)
iplink=`ip link show |grep -m 1 "2:" | awk '{print $2}' | cut -d: -f1`
echo "\033[0m\033[1;31m"
figlet "`hostname --fqdn`"
echo "\033[0m
\033[1;35m \033[1;37mHostname \033[1;35m= \033[1;32m`hostname`
\033[1;35m \033[1;37mWired IpV4 \033[1;35m= \033[1;32m`ip addr show $iplink | grep 'inet\b' | awk '{print $2}' | cut -d/ -f1`
\033[1;35m \033[1;37mWired IpV6 \033[1;35m= \033[1;32m`ip addr show $iplink | grep -E 'inet6' |grep -E 'scope link' | awk '{print $2}' | cut -d/ -f1`
\033[1;35m \033[1;37mKernel \033[1;35m= \033[1;32m`uname -r`
\033[1;35m \033[1;37mDebian \033[1;35m= \033[1;32m`cat /etc/debian_version`
\033[1;35m \033[1;37mUptime \033[1;35m= \033[1;32m`uptime | sed 's/.*up \([^,]*\), .*/\1/' | sed -e 's/^[ \t]*//'`
\033[1;35m \033[1;37mCPU \033[1;35m= \033[1;32m`echo $cpuname`
\033[1;35m \033[1;37mMemory Use \033[1;35m= \033[1;32m`free -m | awk 'NR==2{printf "%s/%sMB (%.2f%%)\n", $3,$2,$3*100/$2 }'`
\033[1;35m \033[1;37mUsername \033[1;35m= \033[1;32m`whoami`
\033[1;35m \033[1;37mSessions \033[1;35m= \033[1;32m`who | grep $USER | wc -l`
\033[1;35m \033[1;37mPublic IpV4 \033[1;35m= \033[1;32m`echo $publicip`
\033[1;35m \033[1;37mPublic IpV6 \033[1;35m= \033[1;32m`ip addr show $iplink | grep -m 1 'inet6\b' | awk '{print $2}' | cut -d/ -f1`
\033[0m"
#curl fr.wttr.in/$ville?0 # weather for the detected city (optional)
Remove the motd
sudo rm /etc/motd
IPv6 addressing
IP address: 192.168.0.12
MAC address: 02:c4:04:40:f0:ff
ip addr
[...]
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:c4:04:40:f0:ff brd ff:ff:ff:ff:ff:ff
inet 192.168.0.12/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a01:e34:ee6a:b270:c4:4ff:fe40:f0ff/64 scope global mngtmpaddr dynamic
valid_lft 86318sec preferred_lft 86318sec
inet6 fe80::c4:4ff:fe40:f0ff/64 scope link
valid_lft forever preferred_lft forever
The board is reachable from the internet only through its IPv6 address.
The Freebox "Next Hop" setting is used to assign it an IPv6 address.
Prefix: 2a01:e34:ee6a:b273::/64
Next hop: fe80::c4:4ff:fe40:f0ff
Edit the Debian network interfaces file
sudo nano /etc/network/interfaces
REPLACE
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto
WITH
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
#iface eth0 inet6 auto
iface eth0 inet6 static
address 2a01:e34:ee6a:b273::1
netmask 64
post-up ip -6 route add default via fe80::224:d4ff:fea6:aa20 dev eth0
Reboot the machine
sudo systemctl reboot
After the reboot, SSH connection
ssh cubie@192.168.0.12
Check the IPv4 and IPv6 addresses
ip addr
[...]
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:c4:04:40:f0:ff brd ff:ff:ff:ff:ff:ff
inet 192.168.0.12/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 2a01:e34:ee6a:b273::1/64 scope global
valid_lft forever preferred_lft forever
inet6 2a01:e34:ee6a:b270:c4:4ff:fe40:f0ff/64 scope global mngtmpaddr dynamic
valid_lft 86372sec preferred_lft 86372sec
inet6 fe80::c4:4ff:fe40:f0ff/64 scope link
valid_lft forever preferred_lft forever
Check from another workstation on the same local network
ping -6 -c5 2a01:e34:ee6a:b273::1
PING 2a01:e34:ee6a:b273::1(2a01:e34:ee6a:b273::1) 56 data bytes
64 bytes from 2a01:e34:ee6a:b273::1: icmp_seq=2 ttl=64 time=0.798 ms
64 bytes from 2a01:e34:ee6a:b273::1: icmp_seq=3 ttl=64 time=0.328 ms
64 bytes from 2a01:e34:ee6a:b273::1: icmp_seq=4 ttl=64 time=0.295 ms
64 bytes from 2a01:e34:ee6a:b273::1: icmp_seq=5 ttl=64 time=0.310 ms
--- 2a01:e34:ee6a:b273::1 ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 65ms
rtt min/avg/max/mdev = 0.295/0.432/0.798/0.212 ms
OVH DNS
Modify the xoyize.xyz domain for IPv6-only access.
$TTL 3600
@ IN SOA dns100.ovh.net. tech.ovh.net. (2018090602 86400 3600 3600000 300)
3600 IN NS ns100.ovh.net.
3600 IN NS dns100.ovh.net.
IN AAAA 2a01:e34:ee6a:b273::1
* 3600 IN CNAME xoyize.xyz.
After a few minutes, once the DNS change has propagated, test
ping -c5 xoyize.xyz
PING xoyize.xyz(2a01:e34:ee6a:b273::1 (2a01:e34:ee6a:b273::1)) 56 data bytes
64 bytes from 2a01:e34:ee6a:b273::1 (2a01:e34:ee6a:b273::1): icmp_seq=1 ttl=64 time=0.329 ms
64 bytes from 2a01:e34:ee6a:b273::1 (2a01:e34:ee6a:b273::1): icmp_seq=2 ttl=64 time=0.284 ms
64 bytes from 2a01:e34:ee6a:b273::1 (2a01:e34:ee6a:b273::1): icmp_seq=3 ttl=64 time=0.350 ms
64 bytes from 2a01:e34:ee6a:b273::1 (2a01:e34:ee6a:b273::1): icmp_seq=4 ttl=64 time=0.329 ms
64 bytes from 2a01:e34:ee6a:b273::1 (2a01:e34:ee6a:b273::1): icmp_seq=5 ttl=64 time=0.295 ms
--- xoyize.xyz ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 59ms
rtt min/avg/max/mdev = 0.284/0.317/0.350/0.029 ms
Let's Encrypt certificates
Installing the Let's Encrypt certificate manager
wget -O - https://get.acme.sh | sh
[jeudi 6 septembre 2018, 17:38:38 (UTC+0200)] OK
[jeudi 6 septembre 2018, 17:38:38 (UTC+0200)] Install success!
Ignore the errors during installation
For the client to update itself automatically, enable this option:
cd .acme.sh
./acme.sh --auto-upgrade
The list of all available commands is also displayed.
Connect to the OVH API to obtain the credentials (application key and secret)
export OVH_AK="votre application key"
export OVH_AS="votre application secret"
First run to generate the certificates
./acme.sh --issue --keylength ec-384 -d xoyize.xyz -d '*.xoyize.xyz' --dns dns_ovh
[...]
[jeudi 6 septembre 2018, 17:54:17 (UTC+0200)] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=E9ea1VcJEJsjYwlOq9J9Y564zBghrUExbNlKkELDHUCmqNdWhJSCV4684CNi6WKL
[...]
Open the URL above, authenticate, then select "unlimited" and confirm. The following message should appear.
OVH authentication Success !
Run the certificate generation a second time and wait a few minutes
./acme.sh --issue --keylength ec-384 -d xoyize.xyz -d '*.xoyize.xyz' --dns dns_ovh
The certificates are available
[jeudi 6 septembre 2018, 18:02:09 (UTC+0200)] Your cert is in /home/cubie/.acme.sh/xoyize.xyz_ecc/xoyize.xyz.cer
[jeudi 6 septembre 2018, 18:02:10 (UTC+0200)] Your cert key is in /home/cubie/.acme.sh/xoyize.xyz_ecc/xoyize.xyz.key
[jeudi 6 septembre 2018, 18:02:10 (UTC+0200)] The intermediate CA cert is in /home/cubie/.acme.sh/xoyize.xyz_ecc/ca.cer
[jeudi 6 septembre 2018, 18:02:10 (UTC+0200)] And the full chain certs is there: /home/cubie/.acme.sh/xoyize.xyz_ecc/fullchain.cer
A Let's Encrypt wildcard certificate that renews itself automatically
crontab -l
27 0 * * * "/home/cubie/.acme.sh"/acme.sh --cron --home "/home/cubie/.acme.sh" > /dev/null
Nginx, PHP7, MariaDB
The case of ARM processors
sudo apt install apt-transport-https
Create a directory for the nginx configurations:
sudo mkdir -p /etc/nginx/conf.d/olibox.d
Install MariaDB:
sudo apt install mariadb-server
Set the root password ( ) and secure the installation
sudo mysql_secure_installation
Enter current password for root (enter for none):
Set root password? [Y/n] y
Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y
https://xoyize.xyz
Certificates on the xoyize.xyz site
Add the certificates by creating symlinks
sudo ln -s /home/cubie/.acme.sh/xoyize.xyz_ecc/xoyize.xyz.key /etc/ssl/private/xoyize.xyz.key.pem
sudo ln -s /home/cubie/.acme.sh/xoyize.xyz_ecc/fullchain.cer /etc/ssl/private/xoyize.xyz.fullchain.cer.pem
Rename the nginx configuration file
sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/xoyize.xyz.conf
The configuration file
server {
    listen 80;
    listen [::]:80;
    ## redirect http to https ##
    server_name xoyize.xyz *.xoyize.xyz;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xoyize.xyz;
    root /var/www/;
    ssl_certificate /etc/ssl/private/xoyize.xyz.fullchain.cer.pem;
    ssl_certificate_key /etc/ssl/private/xoyize.xyz.key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    # As suggested by Mozilla : https://wiki.mozilla.org/Security/Server_Side_TLS and https://en.wikipedia.org/wiki/Curve25519
    # (this doesn't work on jessie though ...?)
    # ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    # As suggested by https://cipherli.st/
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    # Ciphers with intermediate compatibility
    #----------------------------------------
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    # Ciphers with modern compatibility
    #---------------------------------
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;
    # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Observatory + Partners
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    # https://observatory.mozilla.org/
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Content-Security-Policy "upgrade-insecure-requests";
    add_header Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-Frame-Options "SAMEORIGIN";
    index index.php;
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # fastcgi_pass unix:/var/run/php5-fpm.sock; # PHP5
        fastcgi_pass unix:/run/php/php7.0-fpm.sock; # PHP7.0
        # fastcgi_pass unix:/run/php/php7.1-fpm.sock; # PHP7.1
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
    }
}
For the test, rename info.php to index.php
sudo mv /var/www/info.php /var/www/index.php
Test at https://xoyize.xyz
Firewall
Firewall (iptables) IPv4/IPv6 for desktop/server
Remote server backup
Creating a logical volume for the backup
lvcreate -L 100G -n data vg-ssd-one # 100G LVM logical volume labelled "data"
mkfs.ext4 /dev/vg-ssd-one/data -L data # ext4 file system
mount /dev/vg-ssd-one/data /media # mount the volume on /media
mkdir /media/sauvegarde # create the backup directory
Create a key pair
ssh-keygen -f .ssh/backup_cubie -t ed25519 -o -a 100
chmod 400 .ssh/backup_cubie*
Copy the public key backup_cubie.pub into the authorized_keys file of each remote server to back up
The backup bash script savdistant.sh
#!/bin/bash
# Pull backup of remote servers over SSH with the dedicated backup_cubie key.
# The brace expansion in --exclude={...} requires bash.
REPSAV="/media/sauvegarde"
REPSSHKEY="/home/cubie/.ssh"
# -a Archive mode (keep file permissions etc...)
# --delete      mirror deletions so the copy matches the remote tree
# --rsync-path  run the wrapper instead of rsync on the remote side
echo $(date) "Sauvegarde serveur distant cinay.xyz" >> $REPSAV/savdistant.log
/usr/bin/rsync -aev \
--delete \
--rsync-path=/home/backupuser/rsync-wrapper.sh \
--exclude={"dev/*","proc/*","sys/*","tmp/*","run/*","mnt/*","media/*","lost+found"} \
--rsh="/usr/bin/ssh -p 55031 -i $REPSSHKEY/backup_cubie" backupuser@cinay.xyz:/ $REPSAV/cinay.xyz &>> $REPSAV/savdistant.log
echo $(date) "Fin sauvegarde serveur distant cinay.xyz" >> $REPSAV/savdistant.log
#
echo $(date) "Sauvegarde serveur distant yanfi.net" >> $REPSAV/savdistant.log
/usr/bin/rsync -aev \
--delete \
--rsync-path=/home/backupuser/rsync-wrapper.sh \
--exclude={"dev/*","proc/*","sys/*","tmp/*","run/*","mnt/*","media/*","lost+found"} \
--rsh="/usr/bin/ssh -p 55030 -i $REPSSHKEY/backup_cubie" backupuser@yanfi.net:/ $REPSAV/yanfi &>> $REPSAV/savdistant.log
echo $(date) "Fin sauvegarde serveur distant yanfi.net" >> $REPSAV/savdistant.log
# send today's log lines by e-mail ($desti: recipient address, to be set)
# grep "$(date +"%d %B %Y")" $REPSAV/savdistant.log |mail -s "Sauvegarde du $(date +"%d %B %Y")" $desti
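The script above names /home/backupuser/rsync-wrapper.sh on the remote hosts but does not show it. The following is an added example, not the page's own file: one possible wrapper that runs rsync as root (so / is readable) yet accepts only the read-only server request the pull backup generates. It assumes a sudoers entry for /usr/bin/rsync and a command= restriction on the backup_cubie key in backupuser's authorized_keys, both shown in the comments.

```shell
#!/bin/bash
# Hypothetical /home/backupuser/rsync-wrapper.sh for the remote hosts (added
# example; the page names the file but does not show it). Assumed companions:
#   /etc/sudoers:    backupuser ALL=(root) NOPASSWD: /usr/bin/rsync
#   authorized_keys: command="/home/backupuser/rsync-wrapper.sh",no-pty,no-port-forwarding ssh-ed25519 <backup_cubie.pub>
# With the forced command, whatever the client requests arrives in
# SSH_ORIGINAL_COMMAND; the pull in savdistant.sh above requests
#   /home/backupuser/rsync-wrapper.sh --server --sender -vlogDtpre.iLsfxC . /
# Only that read-only shape is executed, so the backup_cubie key cannot push
# files onto the host or open a shell.

# Returns 0 only for a read-only rsync server invocation: rsync must act as
# the sending side and no option that modifies the source tree may appear.
rsync_args_allowed() {
    [ "$#" -ge 4 ] || return 1                   # --server --sender <opts> . <path>
    [ "$1" = "--server" ] && [ "$2" = "--sender" ] || return 1
    shift 2
    for arg in "$@"; do
        case "$arg" in
            --remove-source-files|--remove-sent-files) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 when a whole command line (the SSH_ORIGINAL_COMMAND string) is an
# acceptable rsync request. Splitting on whitespace is safe here: rsync's
# option words contain none and the backed-up path is /.
command_allowed() {
    set -f; set -- $1; set +f                    # re-split, no globbing
    case "$1" in
        rsync|*/rsync|rsync-wrapper.sh|*/rsync-wrapper.sh) shift ;;
        *) return 1 ;;
    esac
    rsync_args_allowed "$@"
}

# Entry point, active only when run under the deployed file name so that the
# functions above can be sourced and tested without executing anything.
case "$0" in
    */rsync-wrapper.sh|rsync-wrapper.sh)
        if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
            command_allowed "$SSH_ORIGINAL_COMMAND" || {
                logger -t rsync-wrapper "refused: $SSH_ORIGINAL_COMMAND"
                exit 1
            }
            set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
            shift                                # drop the program name
        elif ! rsync_args_allowed "$@"; then     # direct --rsync-path use
            logger -t rsync-wrapper "refused: $*"
            exit 1
        fi
        logger -t rsync-wrapper "accepted: $*"
        exec sudo /usr/bin/rsync "$@"
        ;;
esac
```

Without the command= restriction the check only applies when the client chooses to pass --rsync-path, so the authorized_keys entry is what makes it a boundary.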
Data and music directories
Switch to superuser
sudo -s
Creating the LVM logical volumes
lvcreate -L 100G -n data vg-ssd-one
mkfs.ext4 /dev/vg-ssd-one/data
lvcreate -L 100G -n musique vg-ssd-one
mkfs.ext4 /dev/vg-ssd-one/musique
Create the mount points
mkdir /mnt/{data,musique}
chown -R cubie:cubie /mnt/{data,musique} # user ownership
Add at the end of /etc/fstab
/dev/vg-ssd-one/data /mnt/data ext4 defaults 0 2
/dev/vg-ssd-one/musique /mnt/musique ext4 defaults 0 2
Mount
mount -a
NFS server
Debian Stretch NFS (Network File System)
Switch to superuser
sudo -s
Installation
apt install nfs-kernel-server
Checking the installation
Run rpcinfo to confirm that the server is running and accepting requests on port 2049 (UDP and TCP).
rpcinfo -p | grep nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
Check that the system actually supports NFS:
cat /proc/filesystems | grep nfs
nodev nfsd
If the command returns nothing, the NFS module may not be loaded; in that case load it with:
modprobe nfs
Finally, check that portmap is listening on port 111:
rpcinfo -p | grep portmap
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
The /etc/exports file
/mnt/data 192.168.0.0/24(rw,sync,no_subtree_check)
/mnt/musique 192.168.0.0/24(rw,sync,no_subtree_check)
Only the local network can access the NFS shares
Restart
systemctl restart nfs-kernel-server
iptables
By default, the various NFS services (lockd, statd, mountd, etc.) request random port assignments from the portmapper (portmap/rpcbind), which means most administrators have to open a whole range of ports in their firewall rules for NFS to work.
rpcinfo -p | grep nlockmgr
100021 1 udp 51148 nlockmgr
100021 3 udp 51148 nlockmgr
100021 4 udp 51148 nlockmgr
100021 1 tcp 45853 nlockmgr
100021 3 tcp 45853 nlockmgr
100021 4 tcp 45853 nlockmgr
rpcinfo -p | grep mountd
100005 1 udp 34435 mountd
100005 1 tcp 34741 mountd
100005 2 udp 55003 mountd
100005 2 tcp 46537 mountd
100005 3 udp 56680 mountd
100005 3 tcp 47811 mountd
We therefore need to pin these services to fixed ports in order to write the iptables rules.
nano /etc/default/nfs-common
STATDOPTS="--port 32765 --outgoing-port 32766"
nano /etc/default/nfs-kernel-server
RPCMOUNTDOPTS="-p 32767"
nano /etc/default/quota
RPCRQUOTADOPTS="-p 32769"
Restart
sysctl --system
systemctl restart nfs-kernel-server
We can now set our iptables rules by adding the following to the IPv4 rules in /usr/local/sbin/config_firewall
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m multiport --ports 111,2049,32764:32769 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp -m multiport --ports 111,2049,32764:32769 -j ACCEPT
Regenerate the rules
/usr/local/sbin/config_firewall
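Added example, not from the page: a check that every RPC service registered with rpcbind sits on one of the ports the two rules above open (111, 2049, 32764 to 32769), run against the output of rpcinfo -p. A service that drifted back to a random port still works locally but is silently dropped for NFS clients by the firewall. The embedded sample is constructed, with mountd not yet pinned; it assumes the allowed set is exactly the one in those rules.

```shell
#!/bin/bash
# Added example (not from the original page): verify that every RPC service
# registered with rpcbind listens on a port the iptables rules above allow
# (111, 2049 and 32764-32769).

# Constructed sample of `rpcinfo -p` output: mountd has not been pinned yet.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32768  nlockmgr
    100021    1   tcp  32768  nlockmgr
    100024    1   udp  32765  status
    100005    3   udp  34435  mountd
    100005    3   tcp  34741  mountd'

# Returns 0 if the port is one the firewall rules open, 1 otherwise.
port_allowed() {
    case "$1" in
        111|2049) return 0 ;;
    esac
    [ "$1" -ge 32764 ] && [ "$1" -le 32769 ]
}

# Reads rpcinfo -p output from its first argument and prints, one per line,
# "proto port service" for every registration outside the allowed set.
# Version numbers are ignored so each (proto, port, service) appears once.
unpinned_services() {
    printf '%s\n' "$1" |
    awk '$4 ~ /^[0-9]+$/ { print $3, $4, $5 }' | sort -u |
    while read -r proto port service; do
        port_allowed "$port" || printf '%s %s %s\n' "$proto" "$port" "$service"
    done
}

# Returns 0 when nothing is left on a random port, 1 otherwise.
nfs_ports_ok() {
    [ -z "$(unpinned_services "$1")" ]
}

# Stand-alone use after restarting the services: nfs_ports_ok "$(rpcinfo -p)".
# Here the constructed sample is checked instead.
if ! nfs_ports_ok "$SAMPLE_RPCINFO"; then
    echo "services still on random ports (blocked by the firewall):"
    unpinned_services "$SAMPLE_RPCINFO"
fi
```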
NFS clients
yay -S nfs-utils # archlinux/manjaro
sudo apt-get install nfs-common # debian/ubuntu
List the exported directories
showmount -e 192.168.0.12
Export list for 192.168.0.12:
/mnt/musique 192.168.0.0/24
/mnt/data 192.168.0.0/24
Music
Directory /mnt/musique (musique vg-ssd-one -wi-ao---- 100,00g)
Subsonic
sudo apt install openjdk-8-jre # install the Java JRE
wget https://s3-eu-west-1.amazonaws.com/subsonic-public/download/subsonic-6.1.3.deb # subsonic deb package
sudo dpkg -i subsonic-6.1.3.deb # install subsonic
Configuration in /etc/default/subsonic
SUBSONIC_ARGS="--port=8090 --max-memory=150"
SUBSONIC_USER=cubie
Restart the service
sudo systemctl restart subsonic