Configuration - marco1475/linux-htpc GitHub Wiki

User Environment

  1. Edit /etc/environment:

     # Make vim the default editor
 EDITOR="/usr/bin/vim"
 VISUAL="/usr/bin/vim"

  2. Use systemd-timesyncd to synchronize your system clock using NTP:

     timedatectl set-ntp true

Create the User

  1. Create the marco1475 user:

     useradd -m -G users,wheel -s /bin/bash marco1475

  2. Give the marco1475 user a password:

     passwd marco1475

  3. Add the marco1475 user to the sudoers file:

     Defaults requiretty
 marco1475 ALL=(ALL) ALL

locate

  1. Install the mlocate package:

     pacman -S mlocate

  2. Run updatedb as root to initialize the database:

     updatedb

  3. By default updatedb installs a timer (/usr/lib/systemd/system/updatedb.timer) that runs it daily.

at

  1. Install the at package:

     pacman -S at

  2. Start the atd daemon and enable it on boot:

     systemctl start atd.service
 systemctl enable atd.service

  3. Test that it is working:

     /usr/bin/echo "/usr/bin/echo 'Test At' | /usr/bin/sendmail <e-mail address>" | /usr/bin/at now + 1 minute

wget

  1. Install the wget package:

     pacman -S wget

tmux

  1. Install the tmux package:

    pacman -S tmux

  2. Edit the ~/.tmux.conf file:

    • TODO

irssi

  1. Install the irssi package:

     pacman -S irssi

  2. Edit the ~/.irssi/config file:

    • TODO

SSH

  1. Install the openssh package:

     pacman -S openssh

  2. Configure the SSH daemon (sshd) by modifying /etc/ssh/sshd_config:

     Port 22
 PermitRootLogin no
 ChallengeResponseAuthentication no
 Banner /etc/issue
 AllowUser marco1475

  3. Start the SSH daemon as a socket (with on-demand daemon instantiation):

    1. Create a drop-in configuration file for the sshd.socket service:

       systemctl edit sshd.socket

    2. Add the following to the configuration file and save it as as /etc/systemd/system/sshd.socket.d/override.conf:

       [Socket]
 ListenStream=
 ListenStream=22
      • The first ListenStream= line is needed to prevent SSH from listening on the default port 22.

    3. Start and enable the service:

       systemctl start sshd.socket
 systemctl enable sshd.socket

  4. Copy your SSH public key to the server (if you don't have one, create either an SSH or OpenPGP keypair):

    1. Copy the id_rsa.pub public key to the server:

      scp ~/.ssh/id_rsa.pub marco1475@babylon5:

    2. If the user does not have a ~/.ssh directory, create it:

       mkdir ~/.ssh
 chmod 700 ~/.ssh

    3. Add the public key to the user's authorized_keys file on the server:

       cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
 rm ~/id_rsa.pub
 chmod 400 ~/.ssh/authorized_keys

    4. Restart the SSH service:

       systemctl restart sshd.socket

FTP

  • FTP is much less secure than SFTP or SCP, so do not enable it on the server.
  • If for some reason you must, here are some tips:

    • Create a custom FTP user, so you can limit which parts of the file system are exposed via FTP.

    • The user's home directory will be used as the root of a chroot jail, which means the user cannot have write access to that directory.

      • This affects only the root directory itself, the user can (and should) have write access to all sub-directories.

      • However, this makes it hard to chroot jail a normal user, because a lot of processes write to ~.

      • You can change the write access to user's home directory by executing:

          chmod a-w \<path_to_home\>

    • Make the user's home directory /srv/ftp and make that the only FTP writable directory.

    • Use FTP to only upload data to the server; reading data should be done through other applications, i.e. mpd, kodi, etc.

    • Only the listen port is hard-coded; after the initial connection is established, the FTP daemon will randomly choose a (passive) port to transfer data over.

      • Enable the nf_conntrack_ftp kernel module which tracks the randomly-assigned transfer port and updates iptables accordingly:

          echo nf_conntrack_ftp > /etc/modules-load.d/nf_conntrack_ftp.conf

      • Don't forget to update iptables accordingly:

          iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
  iptables-save > /etc/iptables/iptables.rules

etckeeper

etckeeper is a collection of tools to let /etc be stored in a git, mercurial, bazaar or darcs repository.

  1. Since /etc is not user-writable, the following steps should be done as root.

  2. Install etckeeper:

     pacman -S etckeeper

  3. Configure git:

    1. Set up the user configuration file (~/.gitconfig):

       git config --global user.name "Babylon 5 Server"
 git config --global user.email "[email protected]"

    2. (Optional) Set up a remote repository:

       git remote add origin https://<repository-address>.git

    3. (Optional) Set up clean/smudge scripts to avoid exposing sensitive data:

      1. Create a .gitattributes file in the git directory (in this case /etc) with the following content:

         <pattern> filter=<filter_name>
        • <pattern> is a file glob (e.g. *.conf).
        • <filter_name> is a custom name for your filter that has to match a filter section in your .gitconfig.

      2. Add a filter to your .gitconfig:

         git config --global filter.<filter_name>.clean "<script> <parameters>"
 git config --global filter.<filter_name>.smudge "<script> <parameters>"
        • <filter_name> is a custom name for your filter that has to match a filter command in the git directory's .gitattribute file.
        • <script> and <parameters> are either a binary executable or a locally-executable script and the parameters it needs to process the contents of any file matched by <pattern> (from .gitattributes) piped to it using STDIN.

  4. Initialize etckeeper in the /etc directory (this creates a local repository):

     cd /etc
 etckeeper init

  5. Check which files will be added to source control:

     git status

  6. Commit the files:

     git commit -m <message>
    • <message> is your custom commit message.

  7. (Optional) Push your local repository to the remote repository:

     git push -u origin master

    • etckeeper can automatically push your local repository to the remote repository with the PUSH_REMOTE hook in /etc/etckeeper/etckeeper.conf:

        PUSH_REMOTE="origin"

  8. Garbage-collect your /etc repository to save space:

     git gc

  9. Enable and start the systemd timer:

     systemd start etckeeper.timer
 systemd enable etckeeper.timer
⚠️ **GitHub.com Fallback** ⚠️