chore: containerized git server in turris os

This commit is contained in:
Michele Cereda
2023-04-10 17:55:05 +02:00
parent 77210f5c06
commit e0d49c95a6
3 changed files with 163 additions and 47 deletions

View File

@@ -1,5 +1,6 @@
{
"cSpell.words": [
"adduser",
"airgap",
"airgapped",
"awscli",
@@ -14,6 +15,7 @@
"cereda",
"chattr",
"chezmoi",
"chsh",
"compsize",
"cpulimit",
"cryptsetup",
@@ -60,6 +62,7 @@
"opkg",
"pacman",
"pamac",
"passwordless",
"pihole",
"pinentry",
"pkexec",

View File

@@ -18,6 +18,7 @@
1. [Rebase a branch on top of another](#rebase-a-branch-on-top-of-another)
1. [Tags](#tags)
1. [Convert a normal repository to a bare one](#convert-a-normal-repository-to-a-bare-one)
1. [Prepare the git server](#prepare-the-git-server)
1. [LFS extension](#lfs-extension)
1. [Submodules](#submodules)
1. [Remove a file from a commit](#remove-a-file-from-a-commit)
@@ -713,6 +714,50 @@ The [preferred method][getting git on a server] is to create a bare clone of the
git clone --bare 'repository' 'repository.git'
```
## Prepare the git server
1. Create the git user:
```sh
sudo adduser 'git'
sudo chsh 'git' -s "$(which 'git-shell')"
```
1. (Optionally) create the service's directory:
```sh
sudo mkdir '/srv/git'
sudo chown 'git' '/srv/git'
```
1. Set up passwordless authentication:
```sh
sudo mkdir '/home/git/.ssh' && sudo chmod '700' '/home/git/.ssh'
sudo touch '/home/git/.ssh/authorized_keys' && sudo chmod '600' '/home/git/.ssh/authorized_keys'
sudo chown -R 'git' '/home/git'
```
1. (Optionally) create the bare _project_ repository:
> Do this as the `git` user, or assign it permissions on the folders.
```sh
git init --bare 'project.git'
# Or, if one wants the repository to reside in the service's directory:
git init --bare '/srv/git/project.git'
```
The _project_ repository will be available for clients using the following:
```sh
git clone 'git@fqdn:project.git'
# Or, if the repository resides in the service's directory:
git clone 'git@fqdn:/srv/git/project.git'
```
## LFS extension
1. Install the extension:
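Review bot: the "Set up passwordless authentication" step creates an empty `/home/git/.ssh/authorized_keys` but no step in this hunk ever adds a client's public key to it, so the subsequent `git clone 'git@fqdn:project.git'` cannot authenticate as written; add a line appending the clients' public keys (the container variant of this procedure in the other file does this with `echo 'ssh-…' >> '/home/git/.ssh/authorized_keys'`), or say explicitly that keys must be added by hand. Two smaller points on the same hunk: `sudo chsh 'git' -s "$(which 'git-shell')"` is refused by `chsh` on systems where `git-shell` is not listed in `/etc/shells`, which is worth a sentence since it is the lock-down step that keeps the account from getting an interactive login; and `sudo chown -R 'git' '/home/git'` changes only the owner, so either state that the group is intentionally left as-is or use `'git:git'`.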
@@ -848,10 +893,11 @@ git -c http.sslVerify=false …
## Further readings
- The official [LFS website]
- Git [docs]
- [Tagging]
- [Getting Git on a Server]
- The official [LFS website]
- [Getting git on a server]
- [Setting up the server]
- [git-config reference]
## Sources
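Review bot: as this hunk renders, "The official [LFS website]" appears twice and the "Getting git on a server" entry appears twice with different capitalisation (`[Getting Git on a Server]` and `[Getting git on a server]`); make sure the resulting list keeps a single entry for each, with the label spelled as in the `[getting git on a server]` reference definition, so the link is not left dangling if one copy is deleted later.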
@@ -883,11 +929,12 @@ git -c http.sslVerify=false …
- [One weird trick for powerful Git aliases]
- [Cannot clone git from Azure DevOps using PAT]
<!-- git documentation -->
<!-- project's references -->
[docs]: https://git-scm.com/docs/git
[getting git on a server]: https://git-scm.com/book/en/v2/Git-on-the-Server-Getting-Git-on-a-Server
[git-config reference]: https://git-scm.com/docs/git-config
[gitignore]: https://git-scm.com/docs/gitignore
[setting up the server]: https://git-scm.com/book/en/v2/Git-on-the-Server-Setting-Up-the-Server
[tagging]: https://git-scm.com/book/en/v2/Git-Basics-Tagging
<!-- external references -->

View File

@@ -9,8 +9,9 @@ Linux distribution based on top of OpenWrt. Check the [website] for more informa
1. [Automatic overnight dimming](#automatic-overnight-dimming)
1. [Local DNS resolution](#local-dns-resolution)
1. [Static DHCP leases and hostnames](#static-dhcp-leases-and-hostnames)
1. [Containerized pi-hole](#containerized-pi-hole)
1. [Git server](#git-server)
1. [Containers](#containers)
1. [Git server](#git-server)
1. [Pi-hole](#pi-hole)
1. [Hardening ideas](#hardening-ideas)
1. [The SFP+ caged module](#the-sfp-caged-module)
1. [Use the SFP module as a LAN port](#use-the-sfp-module-as-a-lan-port)
@@ -126,62 +127,72 @@ When assigning static DHCP leases LuCI **only requires** the IP and MAC addresse
Setting a hostname in an entry will make Turris OS resolve the IP address **only** with that given hostname (and **not** the name the host presents itself with).<br/>
Not setting a hostname in an entry will make Turris OS resolve the IP address with the name the host presents itself with.
## Containerized pi-hole
CLI procedure:
> Requires the `lxc` package to be installed.
```sh
uci add dhcp host
uci set dhcp.@host[-1].name='paracelsus'
uci set dhcp.@host[-1].mac='11:22:33:44:55:66'
uci set dhcp.@host[-1].ip='192.168.1.200'
uci commit 'dhcp'
reload_config
luci-reload
```
## Containers
Some packages are not available in `opkg`'s repository, but containers can be used to provide them.
This requires the `lxc` package to be installed.
> Suggested the use of an [expansion disk](#hardware-upgrades).
See [Installing pi-hole on Turris Omnia], [Install Pi-hole] and [Pi-Hole on Turris Omnia] for details.
The usual steps are the following, and should be executed in Turris OS:
Choose one of Pi-hole's [supported operating systems][pi-hole supported operating systems], then follow this procedure:
1. In Turris OS:
1. Create a container for the service:
```sh
# Create the LXC container (pick one).
lxc-create --name 'pi-hole' --template 'download' -- --dist 'debian' --release 'bullseye' --arch 'armhf' --server 'images.linuxcontainers.org'
# Default source is 'repo.turris.cz/lxc'.
lxc-create --name 'test' --template 'download'
lxc-create -n 'pi-hole' -t 'download' -- --dist 'debian' --release 'bullseye' --arch 'armhf' --server 'images.linuxcontainers.org'
```
# Configure pi-hole's static IP lease.
1. Assign it a static IP address:
```sh
uci add dhcp host
uci set dhcp.@host[-1].name='pi-hole'
uci set dhcp.@host[-1].mac="$(grep hwaddr /srv/lxc/pi-hole/config | sed 's/.*= //')"
uci set dhcp.@host[-1].mac="$(grep 'hwaddr' '/srv/lxc/pi-hole/config' | sed 's/.*= //')"
uci set dhcp.@host[-1].ip='192.168.111.2'
uci commit 'dhcp'
reload_config
luci-reload
```
# Start it.
1. Start the container:
```sh
lxc-start --name 'pi-hole'
# Check it's running correctly.
lxc-info --name 'pi-hole'
```
# Get a shell to it.
1. Execute a shell into it:
```sh
lxc-attach --name 'pi-hole'
```
1. In the container:
1. Set up the container.
```sh
# Set the correct hostname, if different from what is expected.
hostnamectl set-hostname 'pi-hole'
# Install pi-hole.
DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'ca-certificates' 'curl'
curl -sSL 'https://install.pi-hole.net' | bash
# Follow the guided procedure.
# Change the Web interface password, if needed.
/etc/.pihole/pihole -a -p
```
> See examples of specific instructions in the subsections below.
1. Check all is working as expected.
1. Again in Turris OS:
1. If you changed the hostname inside the container, restart it for good measure.
1. Start the container at boot if required:
```sh
# Start pi-hole at boot
vim '/etc/config/lxc-auto'
```
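Review bot: the container created by the second `lxc-create --name 'test' --template 'download'` line is called `test`, while every command that follows (`uci set dhcp.@host[-1].name='pi-hole'`, the `/srv/lxc/pi-hole/config` path, `lxc-start --name 'pi-hole'`) assumes `pi-hole`; either name it `pi-hole` too or move it out of the "pick one" list and label it as only illustrating the default image source (`repo.turris.cz/lxc`). Also, `uci set dhcp.@host[-1].mac="$(grep 'hwaddr' '/srv/lxc/pi-hole/config' | sed 's/.*= //')"` silently assumes exactly one `hwaddr` line in the container config; if a second interface is ever added the `uci set` receives two addresses, so document that assumption next to the command.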
@@ -191,24 +202,79 @@ Choose one of Pi-hole's [supported operating systems][pi-hole supported operatin
option timeout 60
```
```sh
# Distribute pi-hole as the primary DNS.
# Keep the router as secondary.
uci set dhcp.lan.dhcp_option='6,192.168.111.2,192.168.111.1'
### Git server
# The dns server address in the IPv6 RA should be the container's ULA address
# since the global routable IPv6 address tend to change daily.
uci add_list dhcp.lan.dns="$(lxc-info --name pi-hole | grep -E 'IP.* f[cd]' | sed 's/IP: *//')"
Follow the usual procedure above and, as the _set up the container_ step, install and configure git from *+inside** the container:
# Apply the new configuration.
uci commit 'dhcp' && reload_config && luci-reload
/etc/init.d/odhcpd restart
/etc/init.d/dnsmasq restart
```
```sh
# Set the correct hostname, if different from what is expected.
hostnamectl set-hostname 'git'
## Git server
# Install `git` and the SSH server.
DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'git' 'openssh-server'
The `git` package is not available in `opkg`'s configured repositories by default.
# (Optionally) configure the SSH server.
vim '/etc/ssh/sshd_config'
systemctl restart 'ssh.service'
# Create the git user.
adduser 'git'
# Set up passwordless authentication.
mkdir '/home/git/.ssh' && sudo chmod '700' '/home/git/.ssh'
touch '/home/git/.ssh/authorized_keys' && sudo chmod '600' '/home/git/.ssh/authorized_keys'
echo 'ssh-…' >> '/home/git/.ssh/authorized_keys'
# (Optionally) create the repositories' root directory.
mkdir '/home/git/repositories'
# Make sure the 'git' user has the correct permissions on the folders.
chown -R 'git' '/home/git'
# (Optionally) lock down the git user.
# This will *prevent* clients to set their SSH key using `ssh-copy-id`.
chsh 'git' -s "$(which 'git-shell')"
# All done!
exit
```
### Pi-hole
See [Installing pi-hole on Turris Omnia], [Install Pi-hole] and [Pi-Hole on Turris Omnia] for details.
Choose one of Pi-hole's [supported operating systems][pi-hole supported operating systems], then follow the usual procedure above and, as the _set up the container_ step, install and configure pi-hole from *+inside** the container:
```sh
# Set the correct hostname, if different from what is expected.
hostnamectl set-hostname 'pi-hole'
# Install pi-hole.
DEBIAN_FRONTEND='noninteractive' apt-get install --assume-yes 'ca-certificates' 'curl'
curl -sSL 'https://install.pi-hole.net' | bash
# Follow the guided procedure.
# Change the Web interface password, if needed.
/etc/.pihole/pihole -a -p
```
After this, finish the procedure above. Then, in Turris OS:
```sh
# Distribute pi-hole as the primary DNS.
# Keep the router as secondary.
uci set dhcp.lan.dhcp_option='6,192.168.111.2,192.168.111.1'
# The dns server address in the IPv6 RA should be the container's ULA address
# since the global routable IPv6 address tend to change daily.
uci add_list dhcp.lan.dns="$(lxc-info --name pi-hole | grep -E 'IP.* f[cd]' | sed 's/IP: *//')"
# Apply the new configuration.
uci commit 'dhcp' && reload_config && luci-reload
/etc/init.d/odhcpd restart
/etc/init.d/dnsmasq restart
```
## Hardening ideas
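Review bot: the two `.ssh` set-up lines (`mkdir '/home/git/.ssh' && sudo chmod '700' '/home/git/.ssh'` and `touch '/home/git/.ssh/authorized_keys' && sudo chmod '600' …`) are the only commands in the git block that use `sudo`, while the surrounding `adduser`, `mkdir`, `chown` and `chsh` run as root straight from `lxc-attach`; drop the `sudo` so the block does not fail on a minimal Debian image where `sudo` is not installed, and so the directory and file permissions (700 and 600, the part that matters for key-based login) are actually applied. Also, the markdown emphasis `*+inside**` in both the "Git server" and "Pi-hole" lead sentences should be `**inside**`, and the comment "This will *prevent* clients to set their SSH key" should read "prevent clients from setting their SSH key".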