ESPRESSObin Arch Linux ARM setup
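# ---- Install dependencies for yay (as root) ----
# The first line of the here-doc ("root") is the password su reads from
# stdin: it is the Arch Linux ARM default root password, and it is changed
# with `sudo passwd` at the end of this script. The delimiter is quoted so
# nothing in the body is expanded by this (unprivileged) shell.
su << 'EOF'
root
pacman-key --init
pacman-key --populate archlinuxarm
pacman -Syu --noconfirm --needed base-devel git go
# Grant the default user sudo rights, then validate the file: a syntax error
# in /etc/sudoers disables sudo for every user, so surface it here rather
# than at the next `sudo` call.
echo "alarm ALL=(ALL) ALL" >> /etc/sudoers
visudo -c
EOF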
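# ---- Install yay from the AUR, then the remaining packages ----
# makepkg -si must run on its own in a terminal: it prompts sudo for the
# user's password (default: alarm) and refuses to run as root. The build is
# done in a subshell so the working directory is unchanged afterwards, and
# the clone must succeed before anything is built.
git clone https://aur.archlinux.org/yay.git &&
  ( cd yay && makepkg -si )
rm -rf -- yay
# Install additional packages (AUR + repo) through yay
yay -S --noconfirm wget ddclient sslh btrfs-progs nginx-mainline certbot certbot-nginx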
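# ---- SSH key for passwordless login ----
# Replace the placeholder with your real public-key line BEFORE running this,
# otherwise a useless entry is appended. The directory is 700 and the file is
# made 600: sshd's StrictModes (on by default) rejects the file if it is
# writable by others, and there is no reason for it to be readable by others.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
printf '%s\n' "<Your Public Key>" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys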
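# ---- System configuration as root ----
# "root" on the first line is the Arch Linux ARM default root password that su
# reads from stdin; it is changed at the end of this script. Both the outer
# and the inner here-doc delimiters are quoted so that neither this shell nor
# the root shell expands `$` or backslashes inside the embedded config files
# (a DDNS password containing `$` would otherwise be silently mangled).
su << 'EOF'
root
# Delete default nginx pages (this directory is still used as the site root)
rm -f -- /usr/share/nginx/html/*
# Set up ddclient. The file contains the DDNS login/password, so it is made
# readable by its owner only (the default umask would leave it world-readable).
cat > /etc/ddclient/ddclient.conf << 'EOF2'
daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
ssl=yes # use ssl-support. Works with
# ssl-library
use=web, web=now-dns.com/ip # get ip from server.
protocol=dyndns2 # default protocol
server=now-dns.com # default server
login=<email> # default login
password=<password> # default password
server=now-dns.com, \
<your hostname>
EOF2
chmod 600 /etc/ddclient/ddclient.conf
# Create scrub services.
# SCRUB_UNIT and MOUNT_INSTANCE are placeholders: the template-unit name on
# the original page was mangled by the site's e-mail obfuscation, so fill in
# the name you want for the template (SCRUB_UNIT@.service / SCRUB_UNIT@.timer)
# and, when enabling, the systemd-escaped mount path as the instance
# (`systemd-escape --path <mountpoint>`); %f below unescapes it again.
cat > /etc/systemd/system/SCRUB_UNIT@.service << 'EOF2'
[Unit]
Description=Btrfs scrub on %f
[Service]
Nice=19
IOSchedulingClass=idle
KillSignal=SIGINT
ExecStart=/usr/bin/btrfs scrub start -B %f
EOF2
# WantedBy=timers.target, consistent with the other timers in this file
cat > /etc/systemd/system/SCRUB_UNIT@.timer << 'EOF2'
[Unit]
Description=Monthly Btrfs scrub on %f
[Timer]
OnCalendar=monthly
AccuracySec=1d
RandomizedDelaySec=1w
Persistent=true
[Install]
WantedBy=timers.target
EOF2
# Set up sshd:
#  - GatewayPorts yes lets remote (-R) forwards bind on all interfaces, not
#    only loopback; that is what exposes the forwarded services.
#  - Password logins are turned OFF globally (the original substitution wrote
#    "#asswordAuthentication no", which stays commented out and leaves the
#    default of password logins enabled from everywhere), then turned back on
#    only for the LAN via the trailing Match block. Match blocks extend to the
#    next Match or the end of file, so the block must stay last.
sed -i "s/^#GatewayPorts no/GatewayPorts yes/" /etc/ssh/sshd_config
sed -i "s/^#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
printf '%s\n' "Match address 192.168.1.0/24" "PasswordAuthentication yes" >> /etc/ssh/sshd_config
# Set up delayed reboot. Note that reboot.timer is written but not enabled
# below; enable it explicitly if the weekly reboot is wanted.
cat > /etc/systemd/system/reboot.service << 'EOF2'
[Unit]
Description=Reboot system
[Service]
ExecStart=/bin/reboot
EOF2
cat > /etc/systemd/system/reboot.timer << 'EOF2'
[Unit]
Description=Periodically reboot system
[Timer]
OnCalendar=Mon *-*-* 06:00:00
[Install]
WantedBy=timers.target
EOF2
# Set up Let's Encrypt auto renewal; the deploy hook reloads nginx so the
# renewed certificate is actually served.
cat > /etc/systemd/system/certbot.service << 'EOF2'
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos --deploy-hook "systemctl reload nginx.service"
EOF2
cat > /etc/systemd/system/certbot.timer << 'EOF2'
[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
EOF2
# Set up time
timedatectl set-timezone America/Chicago
# Enable configured services (they start on the reboot at the end of the
# script). sslh-select's own configuration is not written on this page;
# presumably it multiplexes 443 between sshd and nginx on 8443 — confirm.
systemctl enable ddclient sslh-select SCRUB_UNIT@MOUNT_INSTANCE.timer nginx certbot.timer
EOF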
# ---- Fill in the DDNS credentials and obtain the certificate ----
# Edit login, password and hostname in the ddclient config written above.
sudo nano /etc/ddclient/ddclient.conf
# Non-interactive certbot run through the nginx plugin; replace the
# placeholders with your contact e-mail address and the domain list.
# NOTE(review): nginx was only enabled (not started) earlier, and the nginx
# plugin reloads nginx, so it may need to be running at this point — confirm.
sudo certbot --nginx --non-interactive --agree-tos --email <email address> -d <domains>
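# ---- Reverse proxy for Jellyfin ----
# Fill these two values in before running this section; the sed commands at
# the end substitute them into the generated config. Leaving them untouched
# keeps the placeholders in the file exactly as the original no-op seds did.
domain_name="DOMAIN_NAME"       # placeholder: the Let's Encrypt certificate name
jellyfin_ip="SERVER_IP_ADDRESS" # placeholder: host running Jellyfin on port 8096
# Both here-doc delimiters are quoted so that nginx variables ($host, $uri,
# $request_uri, ...) reach the file verbatim. With unquoted delimiters they are
# expanded (to empty strings) by this shell and/or by the root shell: a single
# backslash survives the outer here-doc only to be expanded by the inner one,
# and `$uri` was not escaped at all.
su << 'EOF'
root
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
cat > /etc/nginx/nginx.conf << 'EOF2'
events {
worker_connections 1024;
}
http {
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 8443 ssl http2;
port_in_redirect off;
error_page 403 404 = @fallback;
ssl_certificate /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location / {
root /usr/share/nginx/html;
try_files $uri $uri/ =404;
}
location @fallback {
return 444;
}
location /jellyfin/ {
proxy_pass http://SERVER_IP_ADDRESS:8096/jellyfin/;
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
}
location /jellyfin/socket {
proxy_pass http://SERVER_IP_ADDRESS:8096/jellyfin/socket;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}
}
EOF2
EOF
# Substitute every occurrence (the placeholders appear on several lines), then
# validate the config so a mistake is reported now rather than when nginx
# fails to start after the reboot.
sudo sed -i "s/DOMAIN_NAME/${domain_name}/g" /etc/nginx/nginx.conf
sudo sed -i "s/SERVER_IP_ADDRESS/${jellyfin_ip}/g" /etc/nginx/nginx.conf
sudo nginx -t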
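# ---- Change the default passwords ----
# Both defaults are public knowledge (user alarm/alarm, root/root) and the
# earlier su blocks rely on the root default, which is why this is done last
# and before the machine is left reachable.
passwd
sudo passwd
# Reboot to allow new configuration to be applied
sudo reboot
# Optional: rename the default user. Must be done logged in as root (not via
# sudo from the account being renamed). Keep the sudoers entry in step: the
# pattern is anchored so only the user field of that line is touched, and
# visudo -c validates the result before the next sudo call depends on it.
# usermod -l <new_name> alarm
# sed -i "s/^alarm /<new_name> /" /etc/sudoers && visudo -c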