
set new password for root

arch

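# change root user passwd
sudo passwd root
# "arch" is the image's default login; rotate it here, or lock it
# (sudo passwd -l arch) once a personal account exists, so the well-known
# username is not left with a guessable password.
sudo passwd arch

# create sudo user — on Arch the wheel group is the one visudo grants sudo to;
# -m creates the home directory.  Expansions are quoted so a username with
# unusual characters cannot be split into extra arguments.
export username="ogurez"
sudo useradd -mG wheel "$username"
sudo passwd "$username"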

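# pacman errors workaround (stale package keyring on old images)
# https://wiki.archlinux.org/title/Mirrors
# sudo pacman-key --init
# sudo pacman-key --populate archlinux
# sudo pacman-key --refresh-keys
# sudo pacman -S archlinux-keyring; sudo pacman -Su

sudo pacman -Suy neovim
# sudo resets the environment by default (env_reset), so an EDITOR set in front
# of `sudo` may never reach visudo.  Passing it as a sudo argument works for a
# user with full sudo rights; visudo also needs the env_editor sudoers option
# (enabled in the Arch/Debian builds — TODO confirm if vi still opens).
sudo EDITOR=nvim visudo
# uncomment ONLY the plain "%wheel ALL=(ALL:ALL) ALL" line — not the NOPASSWD
# variant, which lets every wheel member run anything as root without a password.

su "$username"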

ubuntu

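# change root user passwd
sudo passwd root

# create sudo user (the "sudo" group is what /etc/sudoers grants on Ubuntu)
export username="ogurez"
# minimal images may ship without either tool:
# sudo apt update && sudo apt install adduser sudo -y
# adduser prompts for the password interactively; --gecos "" skips the
# full-name/room/phone questions.  Prefixed with sudo for consistency with
# the lines above (harmless when already root).
sudo adduser "$username" --gecos ""
sudo usermod -aG sudo "$username"

su "$username"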

SSH

add the public keys GitHub publishes for a user to ~/.ssh/authorized_keys

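# Append the public keys GitHub serves for this account.  Trust note: this hands
# SSH access to whoever controls that GitHub account (and to GitHub itself);
# read the fetched keys before relying on them on a server.
# -f makes curl fail on an HTTP error instead of appending an HTML error page
# to authorized_keys; -S still reports that failure despite -s.
# Re-running appends duplicates (harmless, but the file grows).
mkdir --parent ~/.ssh && chmod 700 ~/.ssh
curl -fsSL https://github.com/barsikus007.keys >> ~/.ssh/authorized_keys
# sshd (StrictModes, the default) ignores keys in group/world-writable files
chmod 600 ~/.ssh/authorized_keys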

harden sshd with a drop-in under /etc/ssh/sshd_config.d/ (non-default port, no root login, key-only authentication)

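# Hardening drop-in.  sshd_config `Include`s sshd_config.d/*.conf at the TOP of
# the file and, for each keyword, the FIRST value obtained wins — so a drop-in
# that sorts earlier overrides a later one.  Ubuntu cloud images ship
# 50-cloud-init.conf with "PasswordAuthentication yes", which would silently
# beat a 99-* file; hence the 00- prefix here (was 99-security.conf).
# Before reloading: confirm key auth already works from a second session, open
# port 2222 in the firewall, and remember that socket-activated Ubuntu (22.10+)
# ignores Port here (see the ssh.socket notes below).
cat <<-EOF | sudo tee /etc/ssh/sshd_config.d/00-security.conf >/dev/null
Port 2222
PermitRootLogin no
PasswordAuthentication no
# ChallengeResponseAuthentication is the pre-8.7 alias of KbdInteractiveAuthentication;
# both are set so old and new OpenSSH read the same intent
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
EOF

# Validate the merged config and print the EFFECTIVE values (drop-in ordering
# makes eyeballing the files unreliable), then reload.
sudo sshd -t && sudo sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication|kbdinteractiveauthentication) '
sudo systemctl reload sshd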

old method: in-place sed edits of /etc/ssh/sshd_config (kept for reference; prefer the drop-in above, which survives package upgrades)

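sshd_file=/etc/ssh/sshd_config
# keep a copy of the original before editing (the file is world-readable, no sudo needed)
cp -- "$sshd_file" ~
sudo sed -i 's/^#Port/Port/' "$sshd_file"
sudo sed -i 's/^Port 22$/Port 2222/' "$sshd_file"
# Force each keyword to "no" whether the line is commented out or carries any
# value.  The earlier two-step sed (uncomment, then s/yes/no/) turned
# "#PermitRootLogin prohibit-password" into "PermitRootLogin prohibit-password",
# i.e. root login with a key stayed enabled.
for param in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication KbdInteractiveAuthentication; do
  sudo sed -i -E "s/^#?${param}[[:space:]].*$/${param} no/" "$sshd_file"
done
# refuse to reload a config sshd cannot parse (a bad reload leaves the old
# daemon running, but a later restart would lock you out)
sudo sshd -t && sudo systemctl reload sshd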
for Ubuntu 22.10 or newer (sshd is socket-activated via ssh.socket, so the Port directive in sshd_config is ignored and the listen port lives on the socket unit)
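# check files in /etc/ssh/sshd_config.d/
sudo cat /etc/ssh/sshd_config.d/*
# fix all conflicting config in those files or remove them.  Only the files are
# removed, not the directory: later steps (the port-forward drop-in below) write
# into it and would fail if it were gone.
sudo rm -f -- /etc/ssh/sshd_config.d/*.conf
# Override the socket unit through a drop-in instead of editing
# /lib/systemd/system/ssh.socket in place, which the next openssh-server
# upgrade overwrites.  The empty ListenStream= clears the default port 22
# before adding 2222.  See /usr/share/doc/openssh-server/README.Debian.gz.
sudo mkdir -p /etc/systemd/system/ssh.socket.d
printf '[Socket]\nListenStream=\nListenStream=2222\n' | sudo tee /etc/systemd/system/ssh.socket.d/listen.conf >/dev/null
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
# verify from another machine before rebooting: ssh -p 2222 user@host
sudo reboot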

allow port forward ssh (used for minecraft a long time ago..)

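# Remote port forwards reachable from outside (used for minecraft a long time ago..)
# GatewayPorts yes binds every -R forward on all interfaces, for ANY account that
# can log in — so each forwarded port is exposed to the network (and the firewall
# must allow it).  "clientspecified" lets the client pick the bind address
# instead, and AllowTcpForwarding is already "yes" by default.  Wrap these in a
# "Match User <name>" block if only one account needs them.
cat <<-EOF | sudo tee /etc/ssh/sshd_config.d/10-port-forward.conf >/dev/null
AllowTcpForwarding yes
GatewayPorts yes
EOF

sudo sshd -t && sudo systemctl reload sshd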

UTF-8

# show the current locale settings and the locales available on this machine
locale
locale -a
# if not C.UTF-8 exists
# Does C.UTF-8 needs to be generated?
# NOTE(review): on Debian/Ubuntu C.UTF-8 is shipped precompiled (and is built
# into glibc >= 2.35), so locale-gen may warn that it cannot generate it;
# en_US.UTF-8 is the one that actually needs generating — TODO confirm
sudo apt install locales
sudo locale-gen C.UTF-8 en_US.UTF-8
# single-argument form sets LANG
sudo localectl set-locale C.UTF-8
# TODO or update-locale?
# (on Debian/Ubuntu localectl is patched to write /etc/default/locale, the same
#  file update-locale edits, so either should do — verify by reading that file)
# set ru time https://stackoverflow.com/a/30480596/15844518
# sudo locale-gen ru_RU.UTF-8 && sudo localectl set-locale LC_TIME=ru_RU.UTF-8

Set timezone

# system zone for logs, cron and file timestamps; check with `timedatectl`
# NOTE(review): keep NTP on (`timedatectl set-ntp true`) — certificate and
# token validation and log correlation all depend on a correct clock
sudo timedatectl set-timezone Europe/Moscow

ZFS

Install

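sudo apt install zfsutils-linux -y

# Only if the running kernel has no prebuilt zfs module.  zfs-dkms builds
# against the installed linux-headers-* package, so install those first.
# Under Secure Boot the DKMS module must be signed with an enrolled MOK
# (Ubuntu's dkms offers to enroll one during install); if the module refuses
# to load, check `mokutil --sb-state` before anything else.
sudo apt install zfs-dkms -y
# Load straight away — the original rebooted first, which ends the session so
# the modprobe below never ran.  Reboot only if this fails because the kernel
# was upgraded together with the headers and the module was built for the new one.
sudo /sbin/modprobe zfs
# sudo reboot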

Commands

  • Clear ARC cache (on Linux this only asks the ARC shrinker to release memory, and OpenZFS caps how much it gives back per call via zfs_arc_shrinker_limit; check the result in /proc/spl/kstat/zfs/arcstats)
    • sync && sudo sysctl vm/drop_caches=3
  • Add auto snapshot package
    • sudo apt install zfs-auto-snapshot -y
  • Enable scrub timer
    • sudo systemctl enable --now zfs-scrub-weekly@tank.timer
    • Cron-based alternative (0 3 * * * /sbin/zpool scrub tank) — running the line below twice adds the entry twice; check `sudo crontab -l` first
      • sudo crontab -l | cat - <(echo "0 3 * * * /sbin/zpool scrub tank") | sudo crontab -
  • Find files containing blocks that were replaced by the placeholder pattern (0x2f5baddb10c, little-endian below) when sending with the zfs_send_corrupt_data module parameter
    • rg --text --files-with-matches --no-ignore --hidden '(?-u:\x0c\xb1\xdd\xba\xf5\x02\x00\x00)' ./

Zpool setup

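#? ashift=12 (4 KiB sectors) fits most modern drives; confirm with
#  `lsblk -o NAME,PHY-SEC` — ashift cannot be changed after creation

# TODO: make it encrypted by keyfile
#   (keyformat=raw -O keylocation=file:///path/to/key: 32 random bytes, mode 0600;
#    with keyformat=passphrase the key has to be typed via `zfs load-key` after
#    every boot before the datasets can mount)
#? encryption=on picks the OpenZFS default cipher (aes-256-gcm on current
#  releases — TODO confirm with `zfs get encryption tank` after creation)
#? normalization=formC: https://bbs.archlinux.org/viewtopic.php?id=289465
#? compression=zstd: best ratio at acceptable speed (lz4 is faster, zstd compresses better)
#? atime=off cause access time is useless
#? acltype=posixacl: https://wiki.archlinux.org/title/ZFS#Access_Control_Lists
#? xattr=sa: https://forums.truenas.com/t/why-zfs-xattr-on-instead-sa/12733
# always use /dev/disk/by-id names (stable across reboots), never /dev/sdX
sudo zpool create \
  -o ashift=12 \
  -O encryption=on -O keyformat=passphrase \
  -O normalization=formC -O compression=zstd -O atime=off \
  -O acltype=posixacl -O xattr=sa \
  tank raidz \
  /dev/disk/by-id/ata...

sudo zfs create tank/apps
sudo zfs create tank/storage

# NOTE(review): '?' is not a valid character in a ZFS dataset name (only
# alphanumerics, '_', '-', ':' and '.' are) and is a shell glob, so this line
# fails as written — fix the intended name before running it.
sudo zfs create tank/git?lab
# TODO idk if it's needed
# (recursive chown hands the whole share to the invoking user; fine on a
#  single-user box, revisit if SMB users get their own accounts)
sudo chown -R "$USER:$USER" /tank/storage/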

Docker on ZFS

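# Dedicated dataset for Docker, excluded from zfs-auto-snapshot (image layers
# are reproducible and churn heavily).  Mount it directly at /var/lib/docker
# — the layout Docker's own ZFS docs use — instead of symlinking /tank/docker.
sudo zfs create -o com.sun:auto-snapshot=false -o mountpoint=none tank/docker
# stop the socket as well, otherwise docker.socket re-activates the daemon on
# the next API call while /var/lib/docker is being swapped out
sudo systemctl stop docker.socket docker.service
# add (merging into any existing JSON):
# {
#   "storage-driver": "zfs"
# }
# The original had this note as a bare quoted string, which bash tried to run
# as a command; it is a comment now.
sudoedit /etc/docker/daemon.json
# WARNING: the next line deletes every image, container and volume on this host.
# Back up anything needed (docker save, volume tarballs) before running it.
sudo rm -rf /var/lib/docker
sudo zfs set mountpoint=/var/lib/docker tank/docker
sudo systemctl start docker.socket docker.service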

SMB TODO (the share syntax below is Oracle Solaris ZFS; OpenZFS only has the sharesmb property and `zfs share <dataset>`)

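# SMB sharing on OpenZFS/Linux: sharesmb=on creates a Samba usershare, so samba
# must be installed and `net usershare` must be usable by the account running
# zfs (usershare path/allow settings in smb.conf).
# sudo zfs get sharesmb tank/storage
sudo zfs set sharesmb=on tank/storage
sudo zfs share tank/storage
zfs get sharesmb,mounted tank/storage
# nbmand (mandatory locks for SMB clients) only takes effect after umount/remount,
# and Linux dropped kernel mandatory-locking support in 5.15 — TODO confirm it
# still does anything on this kernel before relying on it
# sudo zfs set nbmand=on tank/storage
# Solaris-only forms, kept for reference (not valid OpenZFS syntax):
# sudo zfs share -o sharesmb=on tank/storage%storage
# sudo zfs share smb tank/storage%storage
# zfs get share.smb.all tank/storage%storage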

TODO

tools

Docker

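# install
#? ubuntu
# Piping a remote script into sh runs whatever the server (or anything between
# you and it) returns, unseen.  Download, read, then run — or use Docker's
# signed apt repository instead.  -f fails on an HTTP error rather than
# executing an error page.
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sh get-docker.sh
# seems like it's not needed (the package creates the docker group)
# sudo groupadd docker
# membership in "docker" is root-equivalent: the socket can start a privileged
# container with / bind-mounted.  Treat it like sudo access.
sudo usermod -aG docker "$USER"
newgrp docker; exit   # or simply log out and back in for the new group to apply

#? arch
sudo pacman -S docker docker-compose
sudo systemctl restart docker   # `enable --now docker` if it should also start at boot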

Watchtower

# Watchtower pulls new images and restarts running containers automatically.
# Caveats before leaving this on a server:
#  - the docker.sock mount gives this container full control of the host
#  - it pulls whatever tag the registry serves, with no signature check, so
#    whoever controls the registry or an upstream tag controls what runs here;
#    pin digests/versions (including this image's own tag) where possible
#  - --remove-volumes deletes the anonymous volumes of a replaced container
#    (named volumes should survive — verify); state kept there is lost on update
docker run -d \
--name watchtower \
--restart always \
-v /var/run/docker.sock:/var/run/docker.sock \
nickfedor/watchtower --cleanup --remove-volumes