blob: 7a22945a7fcc9801f2ff823ebbc59540c3ab866e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
# flashing os to sd card
unzip -p <arm64_lite>.img | dd of=/dev/mmcblk0 bs=4M conv=fsync status=progress
# enable sshd and wifi on first boot
mount /dev/mmcblk0#p1 /mnt/pi
touch /mnt/pi/boot
cp ./files/boot/wpa_supplicant.conf /mnt/pi
## edit /mnt/pi/config.txt
disable_overscan=1
over_voltage=6
arm_freq=2147
gpu_freq=750
# secure ssh
## copy ssh key
ssh-copy-id -i .ssh/id_rsa.pub pi@<RPI_LAN_ADDRESS>
## edit /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
## restart ssh service
service sshd restart
# disable bluetooth
rfkill block bluetooth
# clear password for all users
## edit /etc/shadow
# update system
apt update
apt upgrade
apt autoremove
rpi-eeprom-update
# install tools
sudo apt install tmux neovim ranger neofetch
# install required tools for gitea
sudo apt install git sqlite3
# git user
useradd --create-home git
# gitea
wget https://dl.gitea.io/gitea/1.15.10/gitea-1.15.10-linux-arm64
chmod +x gitea-1.15.10-linux-arm64
# install pihole & pivpn
curl -L https://install.pivpn.io | bash
curl -sSL https://install.pi-hole.net | bash
#change pihole password
pihole -a -p
# pivpn
pivpn -d
# 80 -> 8080 lighttp
sed -i "s/80/8080/" /etc/lighttpd/lighttpd.conf
service lighttpd restart
# nginx & certbot
sudo apt install nginx certbot python3-certbot-nginx
# move default index page to /var/www/html/default
mkdir /var/www/html/default
mv /var/www/html/index* /var/www/html/default
sed -i "s/w\/html/w\/html\/default/" /etc/nginx/sites-available/default
service nginx restart
# configure nginx to prevent spam
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
limit_req zone=one;
# ufw & fail2ban
sudo apt install ufw fail2ban
sudo nvim /etc/default/ufw "disable ipv6"
sudo ufw allow from 192.168.0.0/24
sudo ufw allow from 10.8.0.0/24
sudo ufw allow to any app "SSH"
sudo ufw allow to any app "WWW Full"
sudo ufw allow to any app "XMPP"
sudo ufw enable
# certbot
certbot -d gajba.cf -d chat.gajba.cf -d git.gajba.cf --nginx
# ovpn
pivpn add -n aleksa
# prosody
sudo apt install prosody coturn
admins = { "aleksa@gajba.cf" }
VirtualHost "gajba.cf"
service prosody restart
sudo prosodyctl --root cert import /etc/letsencrypt/live/
sudo prosodyctl adduser aleksa@gajba.cf
# mail server
# in progress
# that's it
reboot
|
