Koel: Difference between revisions

Koel-LXC

Network

---

IP:	192.168.88.17
MAC:	BE:7E:92:49:2D:AC

System

---

OS:	Debian Buster
Files:	Koel.conf
RAM:	1024MB
Cores:	1
Privileged:	Yes

Koel is reachable under 192.168.88.17 which is located in the ServerVLAN.

Basic Setup

NGINX

Install NGINX and NGINX-Extra

apt install nginx nginx-extras

Deactivate Standard-Site (no Web-Server)

unlink /etc/nginx/sites-enabled/default

Create and paste reverse-proxy.conf

cd /etc/nginx/sites-available
nano reverse-proxy.conf

Activate configuration

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

Check if configuration is legit

nginx -t

Reload configuration

nginx -s reload

certbot

Install Certbot

apt install certbot

Download acme-dns-auth.py-Script

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Change first line of script from #!/usr/bin/env python to

#!/usr/bin/env python3

Move file to /etc/letsencrypt/

mv acme-dns-auth.py /etc/letsencrypt/

Set permissions to run script

chmod +x acme-dns-auth.py

Generate certificate manually

Wildcard-Certificate

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at

Sub-Domain-Certificate

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at

Follow the questions of the script and create an cname-record.

Path to all certificates:

cd /etc/letsencrypt/live/

Test manually if certificate renewal works

certbot renew --dry-run

Check if auto-renewal ist activated

systemctl list-timers

Authelia

For security reasons and convenience, the login portal Authelia will be installed.

Redis-Server

Install Redis with the following command:

apt install redis-server

After installing Redis, start redis service and enable it to start after system reboot with the following command:

systemctl start redis-server
systemctl enable redis-server

Verify the status of the redis server:

systemctl status redis-server

By default, Redis listening on the localhost on port 6379. You can check it with the following command:

ps -ef | grep redis

SMTP-Server

Install mailutils and postfix:

apt install mailutils postfix

Test if SMTP-Server is working:

echo "This is the body of the email" | mail -s "This is the subject line" your_email_address

Installation

Download, unzip and rename latest Authelia archive:

cd /usr/bin
wget https://github.com/authelia/authelia/releases/download/v4.26.2/authelia-linux-amd64.tar.gz
tar -xzf authelia-linux-amd64.tar.gz
rm authelia-linux-amd64.tar.gz
mv ./authelia-linux-amd64 ./authelia

After unzipping, the service file authelia.service has to be moved:

mv authelia.service /etc/systemd/system/

Create folder for the authelia configuration file:

mkdir /etc/authelia
cd /etc/authelia

Move the unzipped file config.template.yml to the created folder:

mv config.template.yml /etc/authelia/

users_database.yml

Create users_database.yml in the folder /etc/authelia/:

nano users_database.yml

An user entry looks like this:

john:
    displayname: "John Doe"
    password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
    email: john.doe@authelia.com
    groups:
      - admins
      - dev

The password is encrypted so we have to get the hash value with:

authelia hash-password 'yourpassword'

configuration.yml

Create configuration.yml at the same folder:

nano configuration.yml

Start authelia and check status:

systemctl start authelia
systemctl status authelia

LATEST STATE:

• https://www.authelia.com/docs/configuration/access-control.html
• https://www.authelia.com/docs/configuration/authentication/file.html

Sources

• NGINX (ReverseProxy)
• DigitalOcean (LetsEncrypt)
• certbot (Certificates)
• Authelia (Login-Portal)
• Redis-Server
• DigitalOcean (SMTP-Server)