Nas neu eingerichtet – raspi 4 usb boot

Ubuntu laut Anleitung vorbereitet und gebootet. Updates abwarten (20 Min etwa)
https://jamesachambers.com/raspberry-pi-4-ubuntu-20-04-usb-mass-storage-boot-guide/

mit


locales

die sprache prüfen

mit


sudo dpkg-reconfigure locales

die Sprache ändern

neuen benutzer einrichten
sudo adduser

benutzer zu sudo hinzufügen
sudo usermod -aG sudo

teste ob user wirklich sudo rechte hat. werde zu neuem user
sudo su

<benutzername>: sudo whoami #sollte roote ausgeben

alten ubuntu user löschen
sudo userdel -R ubuntu

verschlüsselte festplatte
installiere udisks
sudo apt install udisks2

sudo udisksctl unlock -b <disk>

firewall
prüfen ob aktiv
sudo ufw status

ssh erlauben
sudo ufw allow ssh

http erlauben
sudo ufw allow http
sudo ufw allow https

ufw bei systemstart mitstarten
sudo ufw enable

hostname ändern
sudo nano /etc/hosts
sudo nano /etc/hostname
sudo hostname -F /etc/hostname

apache2 installieren
sudo apt install apache2

sudo nano /etc/apache2/apache2.conf
ServerSignature Off
ServerTokens Prod
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

mod_rewrite
sudo a2enmod rewrite
a2enmod proxy
a2enmod proxy_http
a2enmod ssl

cerbot
sudo apt install certbot python3-certbot-apache

emby
https://emby.media/linux-server.html
curl -L –out emby.deb
sudo dpkg -i emby.deb

htop
sudo apt install htop

samba
sudo apt install samba
Ports 139 und 445 freigeben in der Firewall
sudo ufw allow from 192.168.178.0/24 to any port 139
sudo ufw allow from 192.168.178.0/24 to any port 445

smb.conf:

[Public]
create mask = 0775
directory mask = 0775
force group = users
guest ok = Yes
path = /mnt/nas/Public
write list = arne

[Arne]
create mask = 0770
directory mask = 0770
force group = arne
force user = arne
path = /mnt/nas/Arne
read only = No
valid users = arne

samba user erstellen

sudo smbpasswd -a <username>

ssh
enable public key

ggf public key aus private key erstellen
ssh-keygen -f <pfad/zum/privatekey> -y > public_key

ddclient für dynv6
sudo apt install ddclient
config laut dynv6, username auch wirklich none eingeben

nextcloud
sudo apt install mariadb-server php7.4-bcmath php7.4-bz2 php7.4-cli php7.4-common php7.4-curl php7.4-gd php7.4-json php7.4-mbstring php7.4-mysql php7.4-xml php7.4-zip php7.4 php7.4-fpm php7.4-intl

datenbank und user in mariadb anlegen
create database nextcloud;
CREATE USER ’nexcloud’@’localhost‘ IDENTIFIED BY ‚changeme‘;
GRANT ALL PRIVILEGES ON nextcloud.* TO ’nextcloud’@’localhost‘;
FLUSH PRIVILEGES;
exit;

php.ini
sudo nano /etc/php7.4/fpm/php.ini
memory_limit = 512M
output_buffering = off

fail2ban
für emby
/etc/fail2ban$ sudo nano filter.d/emby.conf
[Definition]
failregex = AUTH-ERROR: – Invalid user
HTTP Response 401 to .

    /etc/fail2ban$ sudo nano jail.d/emby.local
    [emby]
    enabled = true
    filter = emby
    logpath = /var/lib/emby/logs/embyserver.txt
    port = 80,443
für nexcloud
    Create a file in /etc/fail2ban/filter.d named nextcloud.conf with the following contents:

    [Definition]
    _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
    failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
                ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
    datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
    The jail file defines how to handle the failed authentication attempts found by the Nextcloud filter.

    Create a file in /etc/fail2ban/jail.d named nextcloud.local with the following contents:

    

[nextcloud]

backend = auto enabled = true port = 80,443 protocol = tcp filter = nextcloud maxretry = 3 bantime = 86400 findtime = 43200 logpath = /path/to/data/directory/nextcloud.log

lüfterscript einbauen

hd-idle

sudo nano /etc/default/hd-idle

START_HD_IDLE=true
HD_IDLE_OPTS=“-i 1200 -a scsi-35000000000000001 -l /var/log/hd-idle.log“

sudo systemctl enable hd-idle
sudo systemctl start hd-idle

mailversandt

sudo usermod -aG mail <benutzername>

dann ab und wieder anmelden


sudo apt install mailutils

als satelit einrichten

sudo nano /etc/postfix/main.cf

(vorhandenes smtp_tls_security_level auskommentieren)

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
sender_canonical_maps = hash:/etc/postfix/sender_canonical
smtp_tls_security_level = encrypt

virtual_alias_domains = nas
virtual_alias_maps = hash:/etc/postfix/virtual

sudo touch /etc/postfix/sasl_password
sudo nano /etc/postfix/sasl_password
mail.gmx.net mail_adresse@gmx.de:passwort

sudo nano /etc/postfix/sender_canonical
www-data meine_adresse@gmx.de
root meine_adresse@gmx.de
arne meine_adresse@gmx.de
sudo postmap hash:/etc/postfix/sasl_password 
sudo postmap /etc/postfix/sender_canonical

sudo nano /etc/postfix/virtual
@example.com         example@gmx.de

sudo postmap /etc/postfix/virtual

sudo systemctl restart postfix

zumtesten:
echo Hallo! dies ist ein Test! | mail -s Testmail meine_adresse@gmx.de

Auto Updates

sudo apt install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Die Zeile //Unattended-Upgrade::Mail ""; suchen und auskommentieren und mit eurer E-Mailadresse ergänzen.

Unattended-Upgrade::Mail „info@beyond.lol“;

Für den automatischen Neustart folgende Zeilen anpassen
//Unattended-Upgrade::Automatic-Reboot „false“;
Unattended-Upgrade::Automatic-Reboot „true“;

//Unattended-Upgrade::Automatic-Reboot-Time „02:00“;
Unattended-Upgrade::Automatic-Reboot-Time „02:00“;

sudo unattended-upgrades –dry-run