Koel
| Property | Value |
|---|---|
| IP | 192.168.88.17 |
| MAC | BE:7E:92:49:2D:AC |
| OS | Debian Buster |
| Files | koel.conf |
| RAM | 1024MB |
| Cores | 1 |
| Privileged | Yes |
Koel is reachable at 192.168.88.17, which is located in the ServerVLAN.
Basic Setup
NGINX
Install NGINX and nginx-extras:
apt install nginx nginx-extras
Deactivate the default site (this host serves no website of its own, only the reverse proxy):
unlink /etc/nginx/sites-enabled/default
Create reverse-proxy.conf and paste the reverse-proxy configuration into it:
cd /etc/nginx/sites-available
nano reverse-proxy.conf
Activate the configuration:
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
Check that the configuration is valid:
nginx -t
Reload the configuration:
nginx -s reload
certbot
Install Certbot
apt install certbot
Download the acme-dns-auth.py script:
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
Change the first line of the script from #!/usr/bin/env python to #!/usr/bin/env python3
Move the file to /etc/letsencrypt/:
mv acme-dns-auth.py /etc/letsencrypt/
Make the script executable (it now lives in /etc/letsencrypt/):
chmod +x /etc/letsencrypt/acme-dns-auth.py
Generate the certificate manually.
Wildcard certificate:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at
Sub-domain certificate:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at
Answer the script's prompts and create the CNAME record it asks for.
Path to all certificates:
cd /etc/letsencrypt/live/
Test manually whether certificate renewal works:
certbot renew --dry-run
Check that the auto-renewal timer is active:
systemctl list-timers
Authelia
For security and convenience, the Authelia login portal is installed.
Redis-Server
Install Redis with the following command:
apt install redis-server
After installing Redis, start the service and enable it so that it starts again after a reboot:
systemctl start redis-server
systemctl enable redis-server
Verify the status of the redis server:
systemctl status redis-server
By default Redis listens on localhost, port 6379. You can check this with:
ps -ef | grep redis
SMTP-Server
Install mailutils and postfix:
apt install mailutils postfix
Test if SMTP-Server is working:
echo "This is the body of the email" | mail -s "This is the subject line" your_email_address
Installation
Download, unpack and rename the Authelia archive (v4.26.2):
cd /usr/bin
wget https://github.com/authelia/authelia/releases/download/v4.26.2/authelia-linux-amd64.tar.gz
tar -xzf authelia-linux-amd64.tar.gz
rm authelia-linux-amd64.tar.gz
mv ./authelia-linux-amd64 ./authelia
After unpacking, move the service file authelia.service into place:
mv authelia.service /etc/systemd/system/
Create the folder for the Authelia configuration file:
mkdir /etc/authelia
cd /etc/authelia
Move the unpacked file config.template.yml (still in /usr/bin after the cd above) to the created folder:
mv /usr/bin/config.template.yml /etc/authelia/
users_database.yml
Create users_database.yml in the folder /etc/authelia/:
nano users_database.yml
A user entry looks like this (entries sit under the top-level users: key):
users:
  john:
    displayname: "John Doe"
    password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
    email: john.doe@authelia.com
    groups:
      - admins
      - dev
The password is stored as an argon2id hash, never in plaintext; generate the hash with:
authelia hash-password 'yourpassword'
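As an added check that is not part of the original page, the script below audits the mapping under the users: key of users_database.yml (load it first with yaml.safe_load, which is assumed and not shown): every password must be an argon2id PHC hash rather than plaintext, with at least the cost parameters of the page's example, and every user should belong to a group. The sample users other than john, the cost floor and the example addresses are constructed assumptions.

```python
import re
from typing import Any, Dict, List, Optional

# PHC layout of `authelia hash-password` output: $argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt>$<hash>
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<v>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)
# Cost floor used by this check (assumption): the page's own example hash uses m=65536, t=3.
MIN_MEMORY_KIB = 65536
MIN_ITERATIONS = 3


def parse_argon2_phc(value: str) -> Optional[Dict[str, Any]]:
    """Split an argon2 PHC string into its fields; None if the value is not one."""
    m = PHC_RE.match(value)
    if m is None:
        return None
    return {"variant": m.group("variant"), "memory_kib": int(m.group("m")),
            "iterations": int(m.group("t")), "parallelism": int(m.group("p"))}


def check_users(users: Dict[str, dict]) -> List[str]:
    """Return one finding per problem in the users: mapping of users_database.yml."""
    findings: List[str] = []
    for name, entry in users.items():
        parsed = parse_argon2_phc(str(entry.get("password", "")))
        if parsed is None:
            findings.append(f"{name}: password is not an argon2 PHC hash (plaintext?)")
            continue
        if parsed["variant"] != "argon2id":
            findings.append(f"{name}: {parsed['variant']} used instead of argon2id")
        if parsed["memory_kib"] < MIN_MEMORY_KIB or parsed["iterations"] < MIN_ITERATIONS:
            findings.append(f"{name}: weak cost m={parsed['memory_kib']},t={parsed['iterations']}")
        if not entry.get("groups"):
            findings.append(f"{name}: no groups, group-based access-control rules cannot match")
    return findings


# Constructed sample mirroring the page's users_database.yml; only "john" comes from the page.
SAMPLE_USERS = {
    "john": {"displayname": "John Doe", "email": "john.doe@authelia.com", "groups": ["admins", "dev"],
             "password": "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"},
    "pat": {"displayname": "Plaintext Pat", "email": "pat@example.invalid", "groups": ["dev"],
            "password": "hunter2"},  # constructed mistake: must be replaced by a hash-password result
    "lowcost": {"displayname": "Low Cost", "email": "low@example.invalid", "groups": [],
                "password": "$argon2id$v=19$m=4096,t=1,p=1$c2FsdHNhbHQ$aGFzaGhhc2g"},
}
```

Run check_users on the loaded mapping before starting Authelia; an empty list means every entry passed.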
configuration.yml
Create configuration.yml in the same folder:
nano configuration.yml
Start authelia and check status:
systemctl start authelia
systemctl status authelia
LATEST STATE:
- https://www.authelia.com/docs/configuration/access-control.html
- https://www.authelia.com/docs/configuration/authentication/file.html
Sources
- NGINX (ReverseProxy)
- DigitalOcean (LetsEncrypt)
- certbot (Certificates)
- Authelia (Login-Portal)
- Redis-Server
- DigitalOcean (SMTP-Server)