docs: README md to org

master
Bingen Eguzkitza, 3 months ago
parent commit: ca9ffda00a
2 changed files with 348 additions and 292 deletions
  1. README.md (+0, -292)
  2. README.org (+348, -0)

README.md (+0, -292)

@@ -1,292 +0,0 @@
# Docker Home Server for Raspberry Pi

Flash Hypriot
-------------

You can check last images [here](http://blog.hypriot.com/downloads/) and use [flash tool](https://github.com/hypriot/flash) to flash your RaspberryPi SD:

flash --hostname your-hostname https://github.com/hypriot/image-builder-rpi/releases/download/v1.4.0/hypriotos-rpi-v1.4.0.img.zip

SSH into each RPI:

ssh pirate@you-rpi-ip

As of version 1.4, default credentials are pirate/hypriot. You can use arp-scan to guess the IP. You can also use:

function getip() { (traceroute $1 2>&1 | head -n 1 | cut -d\( -f 2 | cut -d\) -f 1) }

Change default password:

passwd

You can also set up paswordless access with:

ssh-copy-id -i ~/.ssh/your-key_rsa.pub pirate@your-rpi -o "IdentitiesOnly yes"

And also add an entry to you ~/.ssh/config file:

Host your-rpi-1 your-rpi-2 ...
Hostname %h.local
User pirate
IdentityFile ~/.ssh/your-key_rsa
IdentitiesOnly yes
StrictHostKeyChecking no

If you want, you can also add this config snippet to all your nodes and add your private key to each `~/.ssh` folder to be able to connect from one RPI to another.

(?) Add regular user to docker group

sudo usermod -aG docker pirate

(Optional) In case you see annoying warning messages about locales from perl:

sudo dpkg-reconfigure locales

(Optional) Install some useful packages

sudo aptitude update && sudo aptitude install rsync zsh

(Optional) Encrypt external hard disk
-------------------------------------

sudo aptitude install cryptsetup
#sudo fdisk /dev/sdX
sudo parted /dev/sdX
sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
sudo cryptsetup luksOpen /dev/sdX1 volumes
sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
sudo mkdir -p /media/volumes
#sudo mount -t auto /dev/mapper/volumes /media/volumes

sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
sudo chmod 0400 /root/volumes_luks_pwd
sudo cryptsetup luksAddKey /dev/sdX1 /root/volumes_luks_pwd

Add to `/etc/crypttab`:

volumes /dev/disk/by-uuid/uuid-of-your-drive /root/volumes_luks_pwd luks

and add to `/etc/fstab`:

/dev/mapper/volumes /media/volumes ext4 defaults 0 2

NFS
---

Install server on main host:

sudo aptitude install nfs-kernel-server
sudo mkdir -p /export/volumes
sudo mount --bind /media/volumes /export/volumes

And add the following line to `/etc/fstab` to avoid repeating it on startup:

/media/volumes /export/volumes none bind 0 0

And to `/etc/exports`:

/export 192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)

(changing network/mask by your local values)

On the other nodes:

sudo aptitude install nfs-common

And add to `/etc/fstab`:

your-main-host:/export/volumes /media/volumes nfs auto,user 0 0

Swap file
---------

http://jermsmit.com/my-raspberry-pi-needs-a-swap/

dd if=/dev/zero of=/media/volumes/swap bs=1M count=2048
chmod 600 /media/volumes/swap
mkswap /media/volumes/swap
swapon /media/volumes/swap

Add to /etc/fstab:

/media/volumes/swap swap swap defaults 0 0

Repeat for worker nodes (changing name of swap file)

Avahi
-----

When the dockers are running, some service users (e.g. `dovecot` or `mysqld`) can have conflicting ids with the one of avahi, making it fail. To avoid that, we can just increase its `uid`, e.g.:

sudo systemctl stop avahi-daemon
sudo usermod -u 205 avahi
sudo systemctl restart dbus
sudo systemctl start avahi-daemon

Install missing `libnss-mdns` package (see explanation [here](https://paulnebel.io/api/containers/lean/node/raspberry_pi/swarm/2016/08/23/hypriotos-swarm-raspberry-pi-cluster/)):

sudo aptitude install libnss-mdns

Also make sure `avahi-daemon` works, and otherwise restart it. See [this issue](https://github.com/hypriot/image-builder-rpi/issues/170).


Data and volumes
----------------

If you have existing data, create folders (otherwise setup script will do it) and copy it data:

sudo mkdir -p /media/volumes/mail/
sudo mkdir -p /media/volumes/nextcloud

sudo chown -R pirate:pirate /media/volumes/*

sudo mkdir -p /media/volumes/openldap/data
sudo mkdir -p /media/volumes/openldap/config
sudo mkdir -p /media/volumes/openldap/certs
sudo chown -R 999 /media/volumes/openldap*

From your current installation:

rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /var/www/nextcloud/data your-main-host:/media/volumes/nextcloud/
mysqldump --lock-tables -u nextcloud -p -h localhost nextcloud > /var/www/nextcloud/nextcloud_db_backup.sql
scp -i ~/.ssh/your-key_rsa /var/www/nextcloud/nextcloud_db_backup.sql your-main-host:/media/volumes/nextcloud/data/
rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /srv/vmail/ your-main-host:/media/volumes/mail


Configuration and deployment
----------------------------

If it's a restart, clean first previous containers:

for i in $(docker ps -a | grep Exited | grep dhs | cut -f 1 -d ' '); do docker rm $i; done;

Optionally build:

docker-compose build

And then restart:

docker-compose --compatibility -p dhs up -d

Note: `dhs` is just a custom prefix to easily identify containers, you can use your own.

Add users:

./add_users.sh

Add DNS entries:

./add_dns_entries.sh

Add Nextcloud apps:

./nextcloud_apps_after_update.sh

If you add or modify a service, you can update it running:

docker-compose build && docker-compose -p dhs up -d <your-service>

If you want to re-create an image and restart the service you can run:

docker-compose --compatibility -p dhs up -d --no-deps --build <your-service>

Openldap
--------

ldapsearch -x -w your-admin-ldap-password -D cn=admin,dc=your-domain,dc=com -b dc=your-domain,dc=com -LLL

To reset a user's password:
Copy this into a file, `user_pwd.ldif`:

dn: uniqueIdentifier=your-user,ou=people,dc=your-domain,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Djpd2d+kbQm4ftHupSaS65wl8l8EbDot

And the run:

ldapadd -W -D "cn=admin,dc=your-domain,dc=com" -f user_pwd.ldif

You can generate the password with:

slappasswd -s your-password

You can use the following script to add users if you have previously created `ldif` files:

./add_users.sh <your-stack-name>


MariaDB
-------

If you have existing data, make sure root password matches and access from outside ('%') is allowed.

Nextcloud
---------

After first run, set DATA_CHOWN=0. Otherwise every time you deploy the whole folder with all your data will be recursed to change ownership, and it can take long when it's only needed for the first time.

Need to log in as admin for the first time and enable Apps manually.

Let's Encrypt
-------------
If you want to add more domains after deployment, you can run this command manually from HAProxy docker instance (see [this](https://serversforhackers.com/c/letsencrypt-with-haproxy)):
```
sudo certbot certonly --standalone -d nextcloud.example.com -d git.example.com \
--non-interactive --agree-tos --email admin@example.com \
--http-01-port=8888
```

Notice that when updating your certificate, you will need to restart haproxy container, due to [this issue](https://stackoverflow.com/a/50480260/1937418)

You can do it with:

```
docker exec -ti dhs_haproxy_1 /etc/cron.daily/letsencrypt && docker stop dhs_haproxy_1 && docker-compose -p dhs up -d haproxy
```

Own registry
------------

Follow the instructions [here](https://docs.docker.com/engine/swarm/stack-deploy/#set-up-a-docker-registry) to set up your own registry:

docker service create --name registry --publish published=5000,target=5000 registry:2


Dynamic DNS
-----------

Check your domain registration provider

Fail2ban
--------

Install fail2ban in you docker swarm master node if you want to allow ssh connections from outside.

sudo aptitude install fail2ban

Have a look at the [documentation](http://www.fail2ban.org/wiki/index.php/MANUAL_0_8) for configuration.

Port mapping
------------

Get into your router admin page and redirect ports:

- `80`, `443` for Web (Nextcloud and eventually other through HaProxy)
- `25`, `143`, `587`, `993` for mail server
- `22` for ssh

to your docker swarm master node IP.

TODO
----

- Install and enable Nextcloud apps automatically
- XMPP
- Wordpress
- VPN
- Open social networks (GNU social, Diaspora)
- Transmission
- Sia storage
- Alternative: run your own registry for images.
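Review bot: this removal drops content that the replacement README.org does not carry over, so the change is more than the format conversion the title "docs: README md to org" suggests: the TODO entries `- Wordpress` and `- Sia storage` and the "(GNU social, Diaspora)" examples disappear, the document title "Docker Home Server for Raspberry Pi" becomes "OpenGardenCloud", and the compose project prefix `dhs` (used in `docker-compose --compatibility -p dhs up -d` and `docker exec -ti dhs_haproxy_1 ...`) becomes `ogc`. Either restore the dropped TODO entries or state the rename and the trimmed TODO list in the commit message, since anyone with a running `dhs_*` stack needs to know the container names and the cleanup `grep` pattern have changed.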

README.org (+348, -0)

@@ -0,0 +1,348 @@
* OpenGardenCloud
** Flash Hypriot
You can check last images [[http://blog.hypriot.com/downloads/][here]]
and use [[https://github.com/hypriot/flash][flash tool]] to flash your
RaspberryPi SD:

#+begin_example
flash --hostname your-hostname https://github.com/hypriot/image-builder-rpi/releases/download/v1.4.0/hypriotos-rpi-v1.4.0.img.zip
#+end_example

SSH into each RPI:

#+begin_example
ssh pirate@you-rpi-ip
#+end_example

As of version 1.4, default credentials are pirate/hypriot. You can use
arp-scan to guess the IP. You can also use:

#+begin_example
function getip() { (traceroute $1 2>&1 | head -n 1 | cut -d\( -f 2 | cut -d\) -f 1) }
#+end_example

Change default password:

#+begin_example
passwd
#+end_example

You can also set up paswordless access with:

#+begin_example
ssh-copy-id -i ~/.ssh/your-key_rsa.pub pirate@your-rpi -o "IdentitiesOnly yes"
#+end_example

And also add an entry to you ~/.ssh/config file:

#+begin_example
Host your-rpi-1 your-rpi-2 ...
Hostname %h.local
User pirate
IdentityFile ~/.ssh/your-key_rsa
IdentitiesOnly yes
StrictHostKeyChecking no
#+end_example

If you want, you can also add this config snippet to all your nodes and
add your private key to each =~/.ssh= folder to be able to connect from
one RPI to another.

(?) Add regular user to docker group

#+begin_example
sudo usermod -aG docker pirate
#+end_example

(Optional) In case you see annoying warning messages about locales from
perl:

#+begin_example
sudo dpkg-reconfigure locales
#+end_example

(Optional) Install some useful packages

#+begin_example
sudo aptitude update && sudo aptitude install rsync zsh
#+end_example

** (Optional) Encrypt external hard disk
#+begin_example
sudo aptitude install cryptsetup
#sudo fdisk /dev/sdX
sudo parted /dev/sdX
sudo cryptsetup --verify-passphrase luksFormat /dev/sdX1 -c aes -s 256 -h sha256
sudo cryptsetup luksOpen /dev/sdX1 volumes
sudo mkfs -t ext4 -m 1 -O dir_index,sparse_super /dev/mapper/volumes
sudo mkdir -p /media/volumes
#sudo mount -t auto /dev/mapper/volumes /media/volumes

sudo dd if=/dev/urandom of=/root/volumes_luks_pwd bs=1024 count=4
sudo chmod 0400 /root/volumes_luks_pwd
sudo cryptsetup luksAddKey /dev/sdX1 /root/volumes_luks_pwd
#+end_example

Add to =/etc/crypttab=:

#+begin_example
volumes /dev/disk/by-uuid/uuid-of-your-drive /root/volumes_luks_pwd luks
#+end_example

and add to =/etc/fstab=:

#+begin_example
/dev/mapper/volumes /media/volumes ext4 defaults 0 2
#+end_example

** NFS
Install server on main host:

#+begin_example
sudo aptitude install nfs-kernel-server
sudo mkdir -p /export/volumes
sudo mount --bind /media/volumes /export/volumes
#+end_example

And add the following line to =/etc/fstab= to avoid repeating it on
startup:

#+begin_example
/media/volumes /export/volumes none bind 0 0
#+end_example

And to =/etc/exports=:

#+begin_example
/export 192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)
#+end_example

(changing network/mask by your local values)

On the other nodes:

#+begin_example
sudo aptitude install nfs-common
#+end_example

And add to =/etc/fstab=:

#+begin_example
your-main-host:/export/volumes /media/volumes nfs auto,user 0 0
#+end_example

** Swap file
http://jermsmit.com/my-raspberry-pi-needs-a-swap/

#+begin_example
dd if=/dev/zero of=/media/volumes/swap bs=1M count=2048
chmod 600 /media/volumes/swap
mkswap /media/volumes/swap
swapon /media/volumes/swap
#+end_example

Add to /etc/fstab:

#+begin_example
/media/volumes/swap swap swap defaults 0 0
#+end_example

Repeat for worker nodes (changing name of swap file)

** Avahi
When the dockers are running, some service users (e.g. =dovecot= or
=mysqld=) can have conflicting ids with the one of avahi, making it
fail. To avoid that, we can just increase its =uid=, e.g.:

#+begin_example
sudo systemctl stop avahi-daemon
sudo usermod -u 205 avahi
sudo systemctl restart dbus
sudo systemctl start avahi-daemon
#+end_example

Install missing =libnss-mdns= package (see explanation [[https://paulnebel.io/api/containers/lean/node/raspberry_pi/swarm/2016/08/23/hypriotos-swarm-raspberry-pi-cluster/][here]]):

#+begin_example
sudo aptitude install libnss-mdns
#+end_example

Also make sure =avahi-daemon= works, and otherwise restart it. See [[https://github.com/hypriot/image-builder-rpi/issues/170][this issue]].

** Data and volumes
If you have existing data, create folders (otherwise setup script will
do it) and copy it data:

#+begin_example
sudo mkdir -p /media/volumes/mail/
sudo mkdir -p /media/volumes/nextcloud

sudo chown -R pirate:pirate /media/volumes/*

sudo mkdir -p /media/volumes/openldap/data
sudo mkdir -p /media/volumes/openldap/config
sudo mkdir -p /media/volumes/openldap/certs
sudo chown -R 999 /media/volumes/openldap*
#+end_example

From your current installation:

#+begin_example
rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /var/www/nextcloud/data your-main-host:/media/volumes/nextcloud/
mysqldump --lock-tables -u nextcloud -p -h localhost nextcloud > /var/www/nextcloud/nextcloud_db_backup.sql
scp -i ~/.ssh/your-key_rsa /var/www/nextcloud/nextcloud_db_backup.sql your-main-host:/media/volumes/nextcloud/data/
rsync -auv --delete -e "ssh -i ~/.ssh/your-key_rsa" /srv/vmail/ your-main-host:/media/volumes/mail
#+end_example

** Configuration and deployment
If it's a restart, clean first previous containers:

#+begin_example
for i in $(docker ps -a | grep Exited | grep ogc | cut -f 1 -d ' '); do docker rm $i; done;
#+end_example

Optionally build:

#+begin_example
docker-compose build
#+end_example

And then restart:

#+begin_example
docker-compose --compatibility -p ogc up -d
#+end_example

Note: =ogc= is just a custom prefix to easily identify containers, you
can use your own.

Add users:

#+begin_example
./add_users.sh
#+end_example

Add DNS entries:

#+begin_example
./add_dns_entries.sh
#+end_example

Add Nextcloud apps:

#+begin_example
./nextcloud_apps_after_update.sh
#+end_example

If you add or modify a service, you can update it running:

#+begin_example
docker-compose build && docker-compose -p ogc up -d <your-service>
#+end_example

If you want to re-create an image and restart the service you can run:

#+begin_example
docker-compose --compatibility -p ogc up -d --no-deps --build <your-service>
#+end_example

** Openldap
#+begin_example
ldapsearch -x -w your-admin-ldap-password -D cn=admin,dc=your-domain,dc=com -b dc=your-domain,dc=com -LLL
#+end_example

To reset a user's password: Copy this into a file, =user_pwd.ldif=:

#+begin_example
dn: uniqueIdentifier=your-user,ou=people,dc=your-domain,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}Djpd2d+kbQm4ftHupSaS65wl8l8EbDot
#+end_example

And the run:

#+begin_example
ldapadd -W -D "cn=admin,dc=your-domain,dc=com" -f user_pwd.ldif
#+end_example

You can generate the password with:

#+begin_example
slappasswd -s your-password
#+end_example

You can use the following script to add users if you have previously
created =ldif= files:

#+begin_example
./add_users.sh <your-stack-name>
#+end_example

** MariaDB
If you have existing data, make sure root password matches and access
from outside ('%') is allowed.

** Nextcloud
After first run, set DATA_CHOWN=0. Otherwise every time you deploy the
whole folder with all your data will be recursed to change ownership,
and it can take long when it's only needed for the first time.

Need to log in as admin for the first time and enable Apps manually.

** Let's Encrypt
If you want to add more domains after deployment, you can run this
command manually from HAProxy docker instance (see [[https://serversforhackers.com/c/letsencrypt-with-haproxy][this]]):

#+begin_example
sudo certbot certonly --standalone -d nextcloud.example.com -d git.example.com \
--non-interactive --agree-tos --email admin@example.com \
--http-01-port=8888
#+end_example

Notice that when updating your certificate, you will need to restart
haproxy container, due to [[https://stackoverflow.com/a/50480260/1937418][this issue]].

You can do it with:

#+begin_example
docker exec -ti ogc_haproxy_1 /etc/cron.daily/letsencrypt && docker stop ogc_haproxy_1 && docker-compose -p ogc up -d haproxy
#+end_example

** Own registry
Follow the instructions [[https://docs.docker.com/engine/swarm/stack-deploy/#set-up-a-docker-registry][here]] to set up your own registry:

#+begin_example
docker service create --name registry --publish published=5000,target=5000 registry:2
#+end_example

** Dynamic DNS
Check your domain registration provider

** Fail2ban
Install fail2ban in you docker swarm master node if you want to allow
ssh connections from outside.

#+begin_example
sudo aptitude install fail2ban
#+end_example

Have a look at the [[http://www.fail2ban.org/wiki/index.php/MANUAL_0_8][documentation]] for configuration.

** Port mapping
Get into your router admin page and redirect ports:

- =80=, =443= for Web (Nextcloud and eventually other through HaProxy)
- =25=, =143=, =587=, =993= for mail server
- =22= for ssh

to your docker swarm master node IP.

** TODO
- Install and enable Nextcloud apps automatically
- XMPP
- VPN
- Open social networks
- Transmission
- Alternative: run your own registry for images.
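Review bot: the ssh client config added in this hunk sets `StrictHostKeyChecking no`, which disables host-key verification for every host matched by the `Host your-rpi-1 your-rpi-2 ...` stanza and silently accepts a changed key, i.e. a man-in-the-middle on the local network. Because the nodes are reached through `Hostname %h.local`, an mDNS name that any host on the link can answer for, this is the one place the host key actually matters; prefer `StrictHostKeyChecking accept-new` (OpenSSH 7.6+), which records the key on first connect and still fails on a later mismatch. Two related nits in the same hunk: `ldapsearch -x -w your-admin-ldap-password -D cn=admin,...` puts the admin password on the command line (visible in `ps` and the shell history) while the `ldapadd -W ...` line below already prompts, so use `-W` there too, and run `slappasswd` without `-s your-password` so it prompts as well; and the NFS export `/export/volumes 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async,no_root_squash)` gives root on any host in the /24 root on the exported data, so narrow it to the node addresses and either drop `no_root_squash` or document why it is required (the `chown -R 999 /media/volumes/openldap*` step suggests the containers need non-pirate ownership, which is worth stating next to the export).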
