
Install "by hand" Yunohost v2.7.x on Raspberry Pi on a Raspbian Jessie Lite base | proofreading in progress

“YunoHost is a tool that allows you to easily install and use your own server. YunoHost allows you by default to manage your email and instant messaging addresses via easy-to-use and secure interfaces. You can also extend functionality with one-click installable apps.”

More details on the publisher's website https://doc.yunohost.org/#/index_en

Requirements

SD card preparation, copy of NOOBS Lite and Raspbian Lite Jessie files

<note warning> The SD card must be formatted. First, make sure to save all files and other documents it may contain on another medium. </note>

It is necessary to:

<note warning> Before connecting the Raspberry Pi, it is necessary to disconnect the Ethernet cable or any other network connection from the Raspberry Pi. This is to make sure that only Raspbian Lite copied previously will be installed.

Otherwise, during initialization, the copied files will be deleted… and you will have to start all over again from the beginning. </note>

Install the SD card into the Raspberry Pi, connect the power supply without connecting the Ethernet cable and proceed with the installation.

Configuration of Raspbian Lite Jessie

<note> Normally SSH is not enabled by default. The keyboard is in QWERTY: a ⇒ q on an AZERTY keyboard.

The user is pi and the password is raspberry, or rqspberry if you followed ;-) </note>

Launch the Raspberry Pi configurator

sudo raspi-config
sudo rqspi-config #:-)
Menu 4
I1 to set the locales (en_US.UTF-8 for example)
I2 to set time
I3 to set the keyboard layout
I4 for WiFi settings.
Menu 2
Change hostname to YunoHost

To be checked, though normally all the space on the SD card is already available:

Menu 7
A1

Normally there is no need for graphics rendering, so give the GPU the minimum memory:

Menu 7
A3
Set the value to the minimum: 16

Update raspi-config:

Menu 8

Finish and restart:

sudo reboot

Managing the pi user, finding the local and public IP addresses, checking the update sources file and updating the firmware

Change the password of user pi to a sufficiently strong one, since part of the installation is done as pi and you may want to enable SSH:

sudo passwd pi

Find your local IP address:

hostname -I

Find your public IP address:

curl ifconfig.me

<note warning> Check that Raspbian will be updated from the Jessie repositories, because YunoHost is not yet compatible with Debian Stretch.

⇒ Replace stable with jessie in the file /etc/apt/sources.list (you are still user pi at this point, so sudo is needed to write the file)

sudo sed -i 's|stable|jessie|' /etc/apt/sources.list

⇒ Replace stretch with jessie in the file /etc/apt/sources.list

sudo sed -i 's|stretch|jessie|' /etc/apt/sources.list

</note>

Install the latest firmware and restart:

sudo apt update
sudo rpi-update
sudo reboot

Creating a password for the root user

Reconnect as user pi and become root:

sudo -i

Create a strong password for the root user, which is different from the pi user's password.

passwd root

<note warning> Enabling SSH and allowing root to connect is optional. It all depends on how you want to use and maintain your YunoHost server and instance.

⇒ Enable SSH

raspi-config
Menu 5; submenu P2

⇒ Allow root to connect in SSH and reload the SSH service

sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
service ssh reload

⇒ Reconnect as root over SSH

ssh root@ip.du.raspberry.pi

</note>

Whether you use SSH or not: log out from user root, log out from user pi and log back in as user root

logout
logout

Upgrading Raspbian, cleaning, installing git and removing Apache

Update

apt update && apt --assume-yes dist-upgrade

Clean

apt-get autoremove && apt-get autoclean

Install git and dialog, to clone the installation script and get user-friendly dialog boxes while the script runs:

apt install git dialog

Remove Apache if it is installed (the package is named apache2; apache2.2 is not a package name on Jessie):

apt-get autoremove apache2

YunoHost Installation

<note tip> The installation script cannot be run with user pi. </note>

Clone the YunoHost installation script in the temporary directory, go there and run the installation script

git clone https://github.com/YunoHost/install_script /tmp/install_script
cd /tmp/install_script
./install_yunohost

YunoHost post-installation

Make sure the user pi is removed, together with its home directory:

deluser --remove-home pi

Launch post-installation

yunohost tools postinstall

Configure git

git config --global user.email "you@domain.tld"
git config --global user.name "Your Name"

Restart the server

reboot

As a reminder

Your YunoHost administration address is https://myserver.tld/yunohost/admin/ and your YunoHost portal address is https://myserver.tld/.

<note tip> To regenerate the service configurations:

yunohost service regen-conf

To update the list of YunoHost applications :

yunohost app fetchlist

To update YunoHost applications :

yunohost app upgrade

To make a backup:

mkdir /home/yunohost.backup/archives
yunohost backup create

To retrieve a backup from the server to the /home of your computer (with 1234 as the SSH port; IP_ou_NDD as the server's IP address, local or not, or its domain name; $USER as your username; and yyyymmdd-hhmmss as the YunoHost backup name, for example 20161002-084907):

scp -P 1234 root@IP_ou_NDD:/home/yunohost.backup/archives/yyyymmdd-hhmmss.tar.gz /home/$USER
scp -P 1234 root@IP_ou_NDD:/home/yunohost.backup/archives/yyyymmdd-hhmmss.info.json /home/$USER

Same principle as before, to send a backup from the /home of your computer to your server (make sure the archives folder exists; otherwise run a first backup or, as a last resort, create the folder: mkdir /home/yunohost.backup/archives):

scp -P 1234 /home/$USER/yyyymmdd-hhmmss.info.json root@IP_ou_NDD:/home/yunohost.backup/archives
scp -P 1234 /home/$USER/yyyymmdd-hhmmss.tar.gz root@IP_ou_NDD:/home/yunohost.backup/archives

To restore a backup (replace backup_name by the name of the archive, for example 20161002-084907):

yunohost backup restore backup_name

Sources for backup :

In order for the NextCloud files to be backed up in addition to the application settings themselves, edit the file /etc/yunohost/apps/nextcloud/settings.yml and remove the “1” from the backup_core_only variable: nano /etc/yunohost/apps/nextcloud/settings.yml

backup_core_only: '1'
becomes
backup_core_only: ''

To deny access to an application to a user:

yunohost app removeaccess app -u user
# and by extension :
yunohost app removeaccess app1 app2 app3 -u user1 user2 user3
# to do the opposite:
yunohost app addaccess app -u user

Source: https://forum.yunohost.org/t/refuser-lacces-dune-application-a-un-utilisateur/3266/2

To disable WiFi and/or Bluetooth:

To save and exit the nano editor: Ctrl+o and Ctrl+x

Edit the file fbdev-blacklist.conf (formerly raspi-blacklist.conf)

sudo nano /etc/modprobe.d/fbdev-blacklist.conf

Add these lines …

#wifi
blacklist brcmfmac
blacklist brcmutil
#bt
blacklist btbcm
blacklist hci_uart

… then restart the server

reboot

Sources : http://www.cedynamix.fr/jeedom-raspberry-3-desactivation-bluetooth-wifi/ </note>

In order not to update the metronome package once installed, you must mark it as held (“to keep”; this is no longer necessary today):

apt-mark hold metronome

To unmark the metronome package so you can update it if necessary:

apt-mark unhold metronome

To force metronome configuration regeneration if necessary :

yunohost service regen-conf metronome --force

To not update metronome :

apt-get upgrade --no-upgrade metronome

You can also contribute to this project here https://doc.yunohost.org/#/contribute_en.

<note> It's up to you to test and hack ;-) </note>

To go further ...

<note important> The following sections are intended for advanced users, because incorrect settings and/or operations can, at a minimum, weaken the default security of the YunoHost applications and server, or even cause bigger problems. </note>

Install metronome manually

wget https://github.com/YunoHost/metronome/archive/debian/3.7.9+33b7572-1.zip
unzip 3.7.9+33b7572-1.zip
cd metronome-debian-3.7.9-33b7572-1
dpkg-buildpackage -rfakeroot -uc -b -d
cd ..
dpkg -i metronome_3.7.9+33b7572-1_armhf.deb
apt-mark hold metronome

* source : https://forum.yunohost.org/t/how-install-yunohost-on-raspberry-pi/1466

<note tip> In order not to update the metronome package once installed, you must mark it as held:

apt-mark hold metronome

To unmark the metronome package so you can update it :

apt-mark unhold metronome

</note>

Clone the YunoHost installation script and directly install the YunoHost testing version

<note important> Reserved for advanced users who know what they are doing. </note>

To go directly to the 'testing' version of YunoHost (without installing the stable version), clone the installation script and run it with the testing distribution (the script is also published at https://install.yunohost.org/jessie, but that address is not a git repository, so clone it from GitHub):

git clone https://github.com/YunoHost/install_script /tmp/install_script
cd /tmp/install_script && ./install_yunohost -d testing

Update your instance :

apt-get update && apt-get dist-upgrade

Specify the testing repository in addition to the stable one in the YunoHost sources list:

echo 'deb http://repo.yunohost.org/debian/ jessie stable testing' > /etc/apt/sources.list.d/yunohost.list

Update your instance (again) with testing repositories:

apt-get update && apt-get dist-upgrade

Related source : https://forum.yunohost.org/t/yunohost-2-5-0-beta-call-for-beta-testers-and-translators/2243

To go back to the stable version

Specify the stable repository instead of the testing repository:

echo 'deb http://repo.yunohost.org/debian/ jessie stable' > /etc/apt/sources.list.d/yunohost.list

Update the instance:

apt-get update && apt-get dist-upgrade

<note important> N.B.: Your version will only return to the stable version when new stable packages are released. </note>

Source : https://forum.yunohost.org/t/yunohost-2-5-0-beta-call-for-beta-testers-and-translators/2243

Be notified by email when an SSH connection is made to the server:

You must install mailutils for the mail command of the script to work:

apt-get install mailutils

Next, create, or edit if it exists, the /etc/ssh/sshrc file.

sudo nano /etc/ssh/sshrc

Enter the following lines, adapting at least the recipient email address:

#!/bin/sh
# source: http://blog.uggy.org/post/2009/06/05/...
# Run by sshd at every login, under /bin/sh (dash on Debian), which does not set
# $HOSTNAME, hence the call to hostname. Needs mail (mailutils) and dig (dnsutils).
DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')   # client address is the first field
REVERSE=$(dig -x "$IP" +short)
HOST=$(hostname)
echo "Connection of $USER on $HOST
IP: $IP
ReverseDNS: $REVERSE
Date: $DATE

" | mail -s "$USER's connection on $HOST" me@my.domaine.name.tld

Then restart ssh :

/etc/init.d/ssh restart

or

service ssh restart

Source : http://yeuxdelibad.net/Logiciel-libre/Installation_et_securisation_d_un_serveur_auto-heberge.html#surveiller

Be notified by SMS when an SSH connection is made to the server:

<note tip> Free Mobile subscribers can also be alerted by SMS. Just append the following script to the previous file (adapt the API login and key after enabling the SMS notification option in the Free subscriber area, https://mobile.free.fr/moncompte/): </note>

#!/bin/sh

# 
# SMS notification sending script via Free Mobile API
# https://github.com/C-Duv/freemobile-smsapi-client
# 
# Author: DUVERGIER Claude (http://claude.duvergier.fr)
# 
# Requires: sed, sh and curl
# 
# Possible usages:
#   send-notification.sh "All your base are belong to us"
#   echo "All your base are belong to us" | send-notification.sh
#   uptime | send-notification.sh


##
## System configuration
##

# End-of-line character (http://en.wikipedia.org/wiki/Percent-encoding#Character_data)
NEWLINE_CHAR="%0D" # Possible values: %0A, %0D and %0D%0A

# URL to access the API
SMSAPI_BASEURL="https://smsapi.free-mobile.fr"

# Sending notification action
SMSAPI_SEND_ACTION="sendmsg"


##
## User configuration
##

# Login user / ID Free Mobile (the one used to access the Subscriber Area)
USER_LOGIN="1234567890"

# Identification key (generated and provided by Free Mobile via the Subscriber Area, "My Options" : https://mobile.free.fr/moncompte/index.php?page=options)
API_KEY="s0me5eCre74p1K3y"

# Text that will be added BEFORE each message sent
MESSAGE_HEADER="Notification :${NEWLINE_CHAR}"

# Text that will be added AFTER each message sent
MESSAGE_FOOTER="${NEWLINE_CHAR}--${NEWLINE_CHAR}The server at home"


##
## Message Processing
##

MESSAGE_TO_SEND=""
if [ "$1" ]; then # Message as a command line argument
    MESSAGE_TO_SEND="$1"
else # Message read from STDIN
    while IFS= read -r line   # -r keeps backslashes, IFS= keeps leading blanks
    do
        MESSAGE_TO_SEND="$MESSAGE_TO_SEND$line$NEWLINE_CHAR"
    done
    MESSAGE_TO_SEND=$(printf '%s' "$MESSAGE_TO_SEND" | sed 's/'"$NEWLINE_CHAR"'$//') # Remove the last line break
fi

FINAL_MESSAGE_TO_SEND="$MESSAGE_HEADER$MESSAGE_TO_SEND$MESSAGE_FOOTER" # Assemble header, message and footer

##
## Call to API (send)
##

# echo "Will send the following to $USER_LOGIN:" #DEBUG
# echo "$FINAL_MESSAGE_TO_SEND" #DEBUG

# --insecure : skips verification of the $SMSAPI_BASEURL certificate (the page notes it gives no owner
#              information); the login and key are therefore sent to whoever answers for that hostname,
#              so drop the option once the certificate validates
# --write-out "%{http_code}" --silent --output /dev/null : Returns HTTP response code only
HTTP_STATUS_CODE=$(curl --insecure --get "$SMSAPI_BASEURL/$SMSAPI_SEND_ACTION" --data "user=$USER_LOGIN" --data "pass=$API_KEY" --data "msg=$FINAL_MESSAGE_TO_SEND" --write-out "%{http_code}" --silent --output /dev/null)

# Possible HTTP response codes
# 200 : The SMS was sent to your mobile.
# 400 : One of the mandatory parameters is missing.
# 402 : Too many SMS messages have been sent in too little time.
# 403 : The service is not activated in the subscriber area, or the login / key is incorrect.
# 500 : Server side error. Please try again later.

if [ "$HTTP_STATUS_CODE" -eq 200 ]; then
    # echo "API responded with 200: exiting with 0" #DEBUG
    exit 0
else
    echo "Error: API responded with $HTTP_STATUS_CODE"
    exit 1
fi

Source : https://github.com/C-Duv/freemobile-smsapi-client

cron

To schedule tasks, such as an update followed by an installation upgrade, you can use cron.

More details here : http://doc.ubuntu-fr.org/cron

fail2ban

fail2ban bans IP addresses that make repeated failed connection attempts. It is installed by default on YunoHost.

sudo apt-get install fail2ban

Then edit the configuration file to set an email address for the ban reports (findtime and bantime are in seconds):

sudo nano /etc/fail2ban/jail.conf
findtime = 3600
bantime = 86400
destemail = your@email.com

Still in the same file, look for the line starting with action = and change action_ to action_mwl, so that each report includes whois information and the matching log lines:

action = %(action_mwl)s

Then, still in the same file, to get reports for the main services, replace false with true in the following parts:

Apparently there is a lot of brute force against SASL, so it is best to comment out the original failregex rule in /etc/fail2ban/filter.d/sasl.conf and replace it with the one below:

nano /etc/fail2ban/filter.d/sasl.conf
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
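To see what the change to the filter actually does, here is an added example (it is not from the page nor from the fail2ban project) that applies both failregex lines to a few constructed Postfix-style log lines the way fail2ban does: the `<HOST>` placeholder is substituted with a host-capturing pattern (assumed here to be the classic one used by the fail2ban shipped with Jessie) and the address is read from the `host` group. Running it shows that the replacement rule catches lines such as `authentication failed: authentication failure`, which the original rule's end-of-line anchor rejected, but also that it no longer matches a line that ends right after `authentication failed`.

```python
import re

# fail2ban substitutes the <HOST> placeholder of a failregex with a pattern that
# captures the client address into a group named "host". This is the classic
# pattern (assumption: what the fail2ban shipped with Jessie uses); the rest of
# each rule is used exactly as written in sasl.conf.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two rules from the page: the original one and its replacement.
OLD_FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
                 r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed"
                 r"(: [A-Za-z0-9+/]*={0,2})?$")
NEW_FAILREGEX = (r"(?i): warning: [-._\w]+\[<HOST>\]: SASL "
                 r"(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w")

# Constructed sample lines in the shape of Postfix smtpd warnings (not real log data).
SAMPLE_LOG = [
    "Jan 10 12:00:01 yunohost postfix/smtpd[2345]: warning: unknown[192.0.2.10]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Jan 10 12:00:02 yunohost postfix/smtpd[2345]: warning: unknown[192.0.2.11]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Jan 10 12:00:03 yunohost postfix/smtpd[2345]: warning: unknown[192.0.2.12]: "
    "SASL CRAM-MD5 authentication failed",
    "Jan 10 12:00:04 yunohost postfix/smtpd[2345]: connect from unknown[192.0.2.13]",
    "Jan 10 12:00:05 yunohost postfix/smtpd[2345]: warning: unknown[192.0.2.14]: "
    "SASL login authentication failed: generic failure",
]


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python regex, as fail2ban itself does."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matched_hosts(failregex, lines):
    """Addresses the rule would hand to the ban action, one per matching line."""
    rule = compile_failregex(failregex)
    return [m.group("host") for m in map(rule.search, lines) if m]


def compare_rules(lines):
    """Per line: (old rule matched, new rule matched), to spot what each rule misses."""
    old = compile_failregex(OLD_FAILREGEX)
    new = compile_failregex(NEW_FAILREGEX)
    return [(bool(old.search(line)), bool(new.search(line))) for line in lines]


if __name__ == "__main__":
    for line, (old_hit, new_hit) in zip(SAMPLE_LOG, compare_rules(SAMPLE_LOG)):
        print(f"old={'hit ' if old_hit else 'miss'} new={'hit ' if new_hit else 'miss'}  {line}")
```

The third sample line is the one to keep in mind: the replacement rule requires a colon and at least one word character after `authentication failed`, so a bare `authentication failed` line goes unbanned. Check your own mail log for that shape before adopting the rule, or keep both failregex lines active (fail2ban accepts several).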

Further settings are available here : http://doc.ubuntu-fr.org/fail2ban

Change the ssh listening port

Edit /etc/ssh/sshd_config :

sudo nano /etc/ssh/sshd_config

The default listening port is 22. Choose one above 1024, for example 12345.

Next, edit the fail2ban configuration file so that it watches port 12345 instead of port 22:

sudo nano /etc/fail2ban/jail.conf

In the #JAILS section, under [ssh] and [ssh-ddos], change:

port = ssh to port = 12345

Then reload the firewall, disallow the old port (normally 22), restart the ssh service and reload the fail2ban service:

yunohost firewall reload
yunohost firewall disallow 22
sudo service ssh restart
sudo fail2ban-client reload
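As an added example that is not part of the page, here is how the two configuration edits of this procedure can be done programmatically and checked before anything is reloaded: one function rewrites the Port directive of sshd_config, the other changes `port = ssh` only inside the [ssh] and [ssh-ddos] sections, and both refuse a port outside the range the page recommends. The file excerpts are constructed samples and the function names are mine; reloading the firewall, sshd and fail2ban is still done with the commands above.

```python
import re

PORT_MIN, PORT_MAX = 1024, 65535  # the page recommends a port above 1024

# Constructed excerpts, not copies of real files.
SAMPLE_SSHD_CONFIG = """# constructed excerpt of /etc/ssh/sshd_config
#Port 22
Protocol 2
PermitRootLogin without-password
"""

SAMPLE_JAIL_CONF = """# constructed excerpt of /etc/fail2ban/jail.conf
[DEFAULT]
bantime = 600

[ssh]
enabled = true
port = ssh
filter = sshd

[ssh-ddos]
enabled = false
port = ssh
filter = sshd-ddos

[sasl]
enabled = true
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter = sasl
"""


def is_valid_port(port):
    """True for an unprivileged TCP port (above 1024, at most 65535)."""
    return isinstance(port, int) and PORT_MIN < port <= PORT_MAX


def set_sshd_port(config_text, port):
    """Return sshd_config text with a single 'Port <port>' directive.

    The first 'Port N' or commented '#Port N' line is replaced (sshd_config
    keywords are case-insensitive), further Port lines are dropped, and if
    there is none at all the directive is prepended.
    """
    if not is_valid_port(port):
        raise ValueError(f"refusing port {port!r}: use an integer in ({PORT_MIN}, {PORT_MAX}]")
    out, replaced = [], False
    for line in config_text.splitlines():
        if re.match(r"^\s*#?\s*port\s+\d+\s*$", line, re.IGNORECASE):
            if not replaced:
                out.append(f"Port {port}")
                replaced = True
            continue  # drop duplicate Port lines so sshd sees exactly one
        out.append(line)
    if not replaced:
        out.insert(0, f"Port {port}")
    return "\n".join(out) + "\n"


def set_fail2ban_ssh_port(jail_text, port, jails=("ssh", "ssh-ddos")):
    """Return jail text where 'port = ...' is rewritten only inside the given jails.

    Other sections (for example [sasl]) keep their own port list untouched.
    """
    if not is_valid_port(port):
        raise ValueError(f"refusing port {port!r}: use an integer in ({PORT_MIN}, {PORT_MAX}]")
    out, section = [], None
    for line in jail_text.splitlines():
        header = re.match(r"^\s*\[([^\]]+)\]\s*$", line)
        if header:
            section = header.group(1)          # track which jail we are in
        elif section in jails and re.match(r"^\s*port\s*=", line):
            line = f"port = {port}"            # rewrite only in the ssh jails
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(set_sshd_port(SAMPLE_SSHD_CONFIG, 12345))
    print(set_fail2ban_ssh_port(SAMPLE_JAIL_CONF, 12345))
```

Writing the rewritten [ssh] and [ssh-ddos] sections to /etc/fail2ban/jail.local rather than back into jail.conf keeps the change across package upgrades, since fail2ban reads jail.local as an override of jail.conf; the functions above work on text, so either target is the caller's choice.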

Source : https://yunohost.org/#/security_en

Logwatch installation

If you want to have a history of what happened on the server the day before, just install logwatch :

sudo apt-get install logwatch
sudo mkdir /var/cache/logwatch

Before modifying the configuration file, make a copy :

sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

Then make the changes here :

sudo nano /etc/logwatch/conf/logwatch.conf

For example, sending reports to an email address and/or changing the level of detail of the summary generated :

MailTo = me@my.domaine.tld
Detail = Med

To run logwatch in a terminal :

sudo logwatch

To go further in the configuration : http://doc.ubuntu-fr.org/logwatch#configuration

Translated with www.DeepL.com/Translator