====== Install "by hand" YunoHost v3.x.x.x on Raspberry Pi on a Raspbian Stretch Lite base | proofreading in progress ======

"YunoHost is a server operating system designed to simplify the self-hosting of Internet services. It is based on and remains fully compatible with Debian GNU/Linux." More details on the publisher's website: https://yunohost.org/#/docs_en

===== Requirements =====

  * a Raspberry Pi :-) ;
  * a USB keyboard connected to the Raspberry Pi ;
  * an SD card compatible with the Raspberry Pi, of at least 8 GB and if possible class 10 (http://elinux.org/RPi_SD_cards#Working_.2F_Non-working_SD_cards | http://elinux.org/RPi_VerifiedPeripherals#SD_cards) ;
  * an Internet connection through your box or router, so that the Raspberry Pi can be connected ;
  * a domain name pointing to the public IP address of your box/router (cf. no-ip.org, dyndns, ...), or one of those made available by YunoHost: https://yunohost.org/#/dns_en

===== SD card preparation =====

The SD card must be formatted. First, make sure to save all files and other documents it may contain on another medium. It is necessary to:

  * format the SD card as FAT32 ;
  * download the zip file of the latest version of NOOBS Lite from this address: https://downloads.raspberrypi.org/NOOBS_lite_latest ;
  * extract the NOOBS Lite files onto the SD card.

Insert the SD card into the Raspberry Pi, plug in the power supply and install Raspbian Lite, choosing the language and keyboard layout.

===== Configuration of Raspbian Lite Stretch =====

Normally SSH is not enabled by default. The user is ''pi'' and the password is ''raspberry''.
Create a **STRONG** password for root, then log in again as root:

<code bash>
sudo passwd root   # enter and confirm the password
exit
# login: root
# password: the one you just created
</code>

Remove the user pi:

<code bash>
deluser pi
</code>

Update and clean up:

<code bash>
apt update && apt --assume-yes dist-upgrade && apt autoclean && apt autoremove
</code>

Make sure Apache is not installed, and remove it if necessary:

<code bash>
apt autoremove apache2*
</code>

Launch the Raspberry Pi configuration tool:

<code bash>
sudo raspi-config
</code>

  * Update raspi-config: menu 8.
  * Adjust regional settings: menu 4 ; I1 to set the locale (en_GB.UTF-8), I2 to set the time, I3 to set the keyboard layout, I4 for the WiFi settings.
  * Change the hostname: menu 2 ; N1 to change the hostname from ''raspberry'' to ''YunoHost''.
  * To check, although with NOOBS all the space on the SD card is normally already available: menu 7, A1.
  * Normally there will be no need for graphics rendering: menu 7, A3 ; set the value to the minimum, 16.
  * Finish and restart:

<code bash>
sudo reboot
</code>

==== Retrieving local and public IP addresses, checking the update source and updating the firmware ====

Find your local IP address:

<code bash>
hostname -I
</code>

Find your public IP address:

<code bash>
curl ifconfig.me
</code>

Check that Raspbian will be updated from the Stretch repository: replace ''stable'' by ''stretch'' in the /etc/apt/sources.list file.

<code bash>
sed -i 's|stable|stretch|' /etc/apt/sources.list
</code>

Install the latest firmware and restart:

<code bash>
sudo apt update
sudo rpi-update
sudo reboot
</code>

==== Enable SSH and allow root connections over SSH ====

Enabling SSH and allowing root to connect is optional. It all depends on how you want to use and maintain your YunoHost server and instance.

Enable SSH:

<code bash>
raspi-config
# Menu 5, P2: Enable SSH
</code>

Allow root to connect over SSH and reload the SSH service:

<code bash>
sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
service ssh reload
</code>

Reconnect as root over SSH:

<code bash>
ssh root@ip.rasp.berry.pi
</code>

==== YunoHost installation ====

As a reminder, the installation script ''cannot'' be run as user ''pi'': you ''must'' be logged in as ''root''.
Run this command:

<code bash>
bash <(wget -q -O- https://install.yunohost.org/)
</code>

==== YunoHost post-installation ====

On restart, you just have to agree to launch the post-installation. Otherwise the command is as follows:

<code bash>
yunohost tools postinstall
</code>

If git needs to be configured:

<code bash>
git config --global user.email "you@your_domain.tld"
git config --global user.name "Your Name"
</code>

Restart the server:

<code bash>
reboot
</code>

===== As a reminder =====

Your YunoHost administration address is https://myserver.tld/yunohost/admin/ and your YunoHost portal address is https://myserver.tld/.

To regenerate service configurations:

<code bash>
yunohost service regen-conf
</code>

To update the list of YunoHost applications:

<code bash>
yunohost app fetchlist
</code>

To upgrade YunoHost applications:

<code bash>
yunohost app upgrade
</code>

To make a backup:

<code bash>
mkdir /home/yunohost.backup/archives
yunohost backup create
</code>

To retrieve a backup from the server into the /home of your computer (with 1234 as the SSH port ; IP_or_DomainName as the IP address, local or not, or the domain name ; $USER as your username ; yyyymmdd-hhmmss as the backup name in YunoHost, for example 20161002-084907):

<code bash>
scp -P 1234 root@IP_or_DomainName:/home/yunohost.backup/archives/yyyymmdd-hhmmss.tar.gz /home/$USER
scp -P 1234 root@IP_or_DomainName:/home/yunohost.backup/archives/yyyymmdd-hhmmss.info.json /home/$USER
</code>

Same principle as before, to send a backup from the /home of your computer to your server (make sure the archives folder exists ; otherwise run a first backup or, as a last resort, create the folder: ''mkdir /home/yunohost.backup/archives''):

<code bash>
scp -P 1234 /home/$USER/yyyymmdd-hhmmss.info.json root@IP_or_DomainName:/home/yunohost.backup/archives
scp -P 1234 /home/$USER/yyyymmdd-hhmmss.tar.gz root@IP_or_DomainName:/home/yunohost.backup/archives
</code>

To restore a backup:

<code bash>
yunohost backup restore backup_name_in_YunoHost
</code>

Sources for backups:
  * https://yunohost.org/#/backup_en
  * https://forum.yunohost.org/t/a-propos-de-la-sauvegarde-yunohost-v2-4/1612/2

In order for Nextcloud files to be backed up in addition to the application settings themselves, you must edit the /etc/yunohost/apps/nextcloud/settings.yml file and delete the "1" from the backup_core_only variable:

<code bash>
nano /etc/yunohost/apps/nextcloud/settings.yml
</code>

<code yaml>
backup_core_only: '1'
</code>

becomes

<code yaml>
backup_core_only: ''
</code>

To deny a user access to an application:

<code bash>
yunohost app removeaccess app -u user
# and by extension:
yunohost app removeaccess app1 app2 app3 -u user1 user2 user3
# to do the opposite:
yunohost app addaccess app -u user
</code>

Source: https://forum.yunohost.org/t/refuser-lacces-dune-application-a-un-utilisateur/3266/2

To deactivate WiFi and/or Bluetooth (to save and exit the nano editor: Ctrl+o then Ctrl+x), edit the file fbdev-blacklist.conf (formerly raspi-blacklist.conf):

<code bash>
sudo nano /etc/modprobe.d/fbdev-blacklist.conf
</code>

Add these lines ...

<code>
#wifi
blacklist brcmfmac
blacklist brcmutil
#bt
blacklist btbcm
blacklist hci_uart
</code>

... then restart the server:

<code bash>
reboot
</code>

Source: http://www.cedynamix.fr/jeedom-raspberry-3-desactivation-bluetooth-wifi/

To expand the partition if necessary:

<code bash>
raspi-config
# 1 Expand Filesystem
</code>

If that doesn't work, try this command, adapted to your partition after a ''df -h'' and/or ''fdisk -l'':

<code bash>
df -h
fdisk -l
resize2fs -p /dev/mmcblk***   # for example mmcblk0p2
</code>

You can also contribute to this project here: https://doc.yunohost.org/#/contribute_en. It's up to you to test and hack ;-)

===== To go further ... =====

//**The following sections are intended for advanced users, because incorrect settings can, at a minimum, weaken the security set up by default for YunoHost applications and server, or even cause bigger problems.**//

==== Clone the YunoHost installation script and directly install the YunoHost testing version ====

//**Reserved for advanced users who know what they are doing.**//

To go directly to the 'testing' version of YunoHost (without installing the stable version):

<code bash>
bash <(wget -q -O- https://install.yunohost.org/switchToTesting)
</code>

Update your instance:

<code bash>
apt-get update && apt-get dist-upgrade
</code>

Specify the testing repository instead of the stable repository in the YunoHost sources.list:

<code bash>
echo 'deb http://repo.yunohost.org/debian/ stretch stable testing' > /etc/apt/sources.list.d/yunohost.list
</code>

Update your instance again, with the testing repositories:

<code bash>
apt-get update && apt-get dist-upgrade
</code>

Source: https://forum.yunohost.org/t/yunohost-2-5-0-beta-call-for-beta-testers-and-translators/2243

=== To go back to stable ===

Specify the stable repository instead of the testing repository:

<code bash>
echo 'deb http://repo.yunohost.org/debian/ stretch stable' > /etc/apt/sources.list.d/yunohost.list
</code>

Update the instance:

<code bash>
apt-get update && apt-get dist-upgrade
</code>

N.B.: your version will only return to the stable version when new stable packages are released.

Source: https://forum.yunohost.org/t/yunohost-2-5-0-beta-call-for-beta-testers-and-translators/2243

==== Be notified by email on every SSH connection to the server ====

You must install mailutils for the mail command used by the script to work:

<code bash>
apt-get install mailutils
</code>

Next, create the /etc/ssh/sshrc file, or edit it if it already exists:

<code bash>
sudo nano /etc/ssh/sshrc
</code>

Enter the following lines, adapting at least the recipient email address:

<code bash>
#!/bin/sh
# source: http://blog.uggy.org/post/2009/06/05/...
# Runs on every SSH login; SSH_CONNECTION is "client_ip client_port server_ip server_port".
DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
echo "Connecting $USER to $HOSTNAME IP: $IP ReverseDNS: $REVERSE Date: $DATE" \
  | mail -s "Connection of $USER on $HOSTNAME" me@my_domain_name.tld
</code>

Then restart ssh:

<code bash>
service ssh restart
</code>

Source: http://yeuxdelibad.net/Logiciel-libre/Installation_and_securisation_d_un_serveur_auto-sheberge.html#surveiller

==== Be notified by SMS on every SSH connection to the server ====

Free Mobile subscribers can also be alerted by SMS. Just add the following script to the previous file (//to be adapted with the API identifier and key, after activating the SMS notification option in the Free Mobile customer area// https://mobile.free.fr/moncompte/):

<code bash>
#!/bin/sh
#
# SMS notification sending script via the Free Mobile API
# https://github.com/C-Duv/freemobile-smsapi-client
#
# Author: DUVERGIER Claude (http://claude.duvergier.fr)
#
# Requires: sed, sh and curl
#
# Possible usages:
# send-notification.sh "All your base are belong to us"
# echo "All your base are belong to us" | send-notification.sh
# uptime | send-notification.sh

##
## System configuration
##

# End-of-line character (http://en.wikipedia.org/wiki/Percent-encoding#Character_data)
NEWLINE_CHAR="%0D" # Possible values: %0A, %0D and %0D%0A

# URL to access the API
SMSAPI_BASEURL="https://smsapi.free-mobile.fr"

# Notification sending action
SMSAPI_SEND_ACTION="sendmsg"

##
## User configuration
##

# User login / Free Mobile ID (the one used to access the Subscriber Area)
USER_LOGIN="1234567890"

# Identification key (generated and provided by Free Mobile via the Subscriber Area, "My Options": https://mobile.free.fr/moncompte/index.php?page=options)
API_KEY="s0me5eCre74p1K3y"

# Text that will be added BEFORE each message sent
MESSAGE_HEADER="Notification :${NEWLINE_CHAR}"

# Text that will be added AFTER each message sent
MESSAGE_FOOTER="${NEWLINE_CHAR}--${NEWLINE_CHAR}The server at home"

##
## Message processing
##

MESSAGE_TO_SEND=""
if [ "$1" ]; then
    # Message given as a command line argument
    MESSAGE_TO_SEND="$1"
else
    # Message read from STDIN
    while read -r line
    do
        MESSAGE_TO_SEND="$MESSAGE_TO_SEND$line$NEWLINE_CHAR"
    done
    MESSAGE_TO_SEND=$(echo "$MESSAGE_TO_SEND" | sed 's/'$NEWLINE_CHAR'$//') # Remove the last line break
fi

FINAL_MESSAGE_TO_SEND="$MESSAGE_HEADER$MESSAGE_TO_SEND$MESSAGE_FOOTER" # Assemble header, message and footer

##
## Call to the API (send)
##

# echo "Will send the following to $USER_LOGIN:" #DEBUG
# echo "$FINAL_MESSAGE_TO_SEND" #DEBUG

# --insecure : the certificate of $SMSAPI_BASEURL does not provide information about its owner
#              (drop this option, so that the certificate is verified, as soon as it validates)
# --write-out "%{http_code}" --silent --output /dev/null : returns the HTTP response code only
HTTP_STATUS_CODE=$(curl --insecure --get "$SMSAPI_BASEURL/$SMSAPI_SEND_ACTION" --data "user=$USER_LOGIN" --data "pass=$API_KEY" --data "msg=$FINAL_MESSAGE_TO_SEND" --write-out "%{http_code}" --silent --output /dev/null)

# Possible HTTP response codes
# 200 : The SMS was sent to your mobile.
# 400 : One of the mandatory parameters is missing.
# 402 : Too many SMS messages have been sent in too little time.
# 403 : The service is not activated in the subscriber area, or the login / key is incorrect.
# 500 : Server side error. Please try again later.

if [ "$HTTP_STATUS_CODE" -eq 200 ]; then
    # echo "API responded with 200: exiting with 0" #DEBUG
    exit 0
else
    echo "Error: API responded with $HTTP_STATUS_CODE"
    exit 1
fi
</code>

Source: https://github.com/C-Duv/freemobile-smsapi-client

==== cron ====

To schedule tasks, such as an update followed by an upgrade of the installation, you can use cron. More details here: http://doc.ubuntu-fr.org/cron

==== fail2ban ====

This bans IP addresses that try to connect "furiously". It is installed by default on YunoHost.

<code bash>
sudo apt-get install fail2ban
</code>

Then you have to edit the configuration file to give an email address to which the ban reports are sent.
<code bash>
sudo nano /etc/fail2ban/jail.conf
</code>

<code>
findtime = 3600
bantime = 86400
destemail = your@email.com
</code>

Still in this same file, look for the line that starts with ''action ='' and add ''mwl'' after the ''_'' in order to get a complete report:

<code>
action = %(action_mwl)s
</code>

Then, still in the same file, in order to have reports on the main services, replace ''false'' by ''true'' in the following sections:

  * ssh ;
  * ssh-ddos ;

Apparently there is a lot of brute force on SASL, so it is best to comment out this rule

<code>
failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
</code>

and apply this one:

<code>
failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
</code>

<code bash>
nano /etc/fail2ban/filter.d/sasl.conf
</code>

<code>
#failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
</code>

Further settings are available here: http://doc.ubuntu-fr.org/fail2ban

==== Change the SSH listening port ====

Edit /etc/ssh/sshd_config:

<code bash>
sudo nano /etc/ssh/sshd_config
</code>

The default listening port number is 22. Choose one above 1024, for example 12345.

Next, edit the fail2ban configuration file to tell it to watch port 12345 instead of port 22.
<code bash>
sudo nano /etc/fail2ban/jail.conf
</code>

In the #JAIL section, in the [ssh] **and** [ssh-ddos] chapters, you have to change:

<code>
port = ssh
</code>

to

<code>
port = 12345
</code>

Then reload the firewall, disable the old port in the firewall (a priori port 22), restart the ssh service and reload the fail2ban service:

<code bash>
yunohost firewall reload
yunohost firewall disallow 22
sudo service ssh restart
sudo fail2ban-client reload
</code>

Source: https://yunohost.org/#/security_en

==== Logwatch installation ====

If you want a history of what happened on the server the day before, just install logwatch:

<code bash>
sudo apt-get install logwatch
sudo mkdir /var/cache/logwatch
</code>

Before modifying the configuration file, make a copy:

<code bash>
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
</code>

Then make the changes here:

<code bash>
nano /etc/logwatch/conf/logwatch.conf
</code>

For example, to send reports to an email address and/or change the level of detail of the generated summary:

<code>
MailTo = me@my.domain.tld
Detail = Med
</code>

To run logwatch in a terminal:

<code bash>
sudo logwatch
</code>

To go further in the configuration: http://doc.ubuntu-fr.org/logwatch#configuration

Translated with www.DeepL.com/Translator
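For the "Change the SSH listening port" section above, here is an added check (example code written for this page, not from the wiki or the YunoHost project) that reads the port from an sshd_config and from the [ssh] and [ssh-ddos] jails of a jail.conf and reports any disagreement before ssh is restarted: moving sshd to 12345 while a jail still watches ''ssh'' (port 22) silently disables banning on the new port. The file contents are constructed samples; on the server, point it at /etc/ssh/sshd_config and /etc/fail2ban/jail.conf.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that sshd_config and the
# fail2ban [ssh]/[ssh-ddos] jails agree on the SSH port before restarting ssh.

# Effective sshd port: the last uncommented "Port" line wins, default 22.
sshd_port() {
    p=$(awk 'tolower($1) == "port" { v = $2 } END { print v }' "$1")
    echo "${p:-22}"
}

# Value of the "port" line of one jail in a jail.conf ("ssh", "12345", ...); empty if absent.
jail_port() {
    awk -v want="$2" '
        /^\[/ { sect = substr($0, 2, length($0) - 2) }
        sect == want && tolower($0) ~ /^[ \t]*port[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Returns 0 when every jail watches the sshd port, 1 otherwise (one message per problem).
check_ssh_port_consistency() {
    want=$(sshd_port "$1"); rc=0
    for jail in ssh ssh-ddos; do
        got=$(jail_port "$2" "$jail")
        if [ "$got" = "ssh" ]; then got=22; fi   # "ssh" is the /etc/services name for port 22
        if [ -z "$got" ]; then
            echo "warning: no port line in jail [$jail]"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH: sshd listens on $want but jail [$jail] watches $got"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files: the port was changed in sshd and in [ssh], but [ssh-ddos] was forgotten.
TMP=$(mktemp -d)
printf '#Port 22\nPort 12345\nPermitRootLogin yes\n' > "$TMP/sshd_config"
printf '[DEFAULT]\nbantime = 86400\n\n[ssh]\nenabled = true\nport = 12345\n\n[ssh-ddos]\nenabled = true\nport = ssh\n' > "$TMP/jail.conf"

if check_ssh_port_consistency "$TMP/sshd_config" "$TMP/jail.conf"; then
    echo "ports agree: safe to run 'service ssh restart' and 'fail2ban-client reload'"
else
    echo "fix /etc/fail2ban/jail.conf before restarting ssh"
fi
rm -rf "$TMP"
```

Run it once after editing both files; with the sample above it reports the [ssh-ddos] mismatch and exits non-zero.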