OVH [ns3024499.ip-149-202-72.eu]
- tailscale
- webmin
- docker
- custom scripts
- 1. Vendor Setup
- 2. Initial Login
- 3. System Defaults
- 4. Core System Packages Config
- 5. Core Application Services
- APT Sources
1. Vendor Setup
2. Initial Login
[root user/secure/user defaults]
Once the server is deployed, a number of configuration steps are followed to ensure:
- base install pre-installed packages are appropriate
- base install is configured for secure remote access for the root user
- templating of the /etc/skel user for:
  - pre-configured ssl access and keys
  - pre-configured login script
  - pre-configured sudo access and groups
3. System Defaults
- creation of basic folder structure
- installation of components required for folder merging via FUSE
- post-reboot tasks and disk mount automation /etc/fstab
4. Core System Packages Config
- SSH Config
- Tailscale
- fail2ban
- UFW
+ custom scripts for automation
Custom Scripts /usr/local/bin

filename | description | code
--- | --- | ---
./pipe-response | writes its three arguments to /var/run/exec and prints the reply read from /var/run/response | see below

```bash
#!/bin/bash
# Write the request (up to three words) to the exec pipe,
# then print whatever the listener writes back on the response pipe.
echo "$1 $2 $3" > /var/run/exec
cat /var/run/response
```
5. Core Application Services
- docker
- XRDP
Tailscale VPN
Tailscale VPN from https://tailscale.com/
- configures a host interface
tailscale0
- installs auto-start for tailscale daemon
/etc/systemd/system/multi-user.target.wants/tailscaled.service
- starts service at boot allocating IP address 100.100.69.2 to the tailscale0 nic
- attaches tailscale0 nic to the shared VPN
- makes accessible 100.100.69.X addresses
- makes the HOST available as an exit node
configured to use the account pkswansea@outlook.com; managed via the admin console at https://login.tailscale.com/admin
Webmin
Webmin from https://webmin.com/
- installed onto host system via 3rd party apt repository
- installs and auto-configured for start at boot-time
- the OOB installation listens on all interfaces at https://<ip>:10000
- post install we modify /etc/webmin/miniserv.conf so that:
  - it only listens on internally accessible networks
  - SSL is disabled (TLS is terminated by the proxy instead)
  - we reverse proxy via nginx proxy manager from https to http://<internal-ip>:10000
Installation Steps
1. install webmin repo
   wget -O - https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh | sudo bash
2. update repo
   sudo apt update
3. install webmin package
   sudo apt install -y webmin
4. start and verify service
   sudo systemctl status webmin
   sudo netstat -anp | grep 10000 | grep LISTEN | awk '{print $4}' | awk '{print "https://"$1}'
5. access the initial webmin UI and log in as root
Installation CLI commands (copy & paste)

```bash
wget -O - https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh | sudo bash
sudo apt update
sudo apt install -yq webmin
sudo systemctl status webmin
# Print the listening https URL(s) and open each one; OOB Webmin serves https on 10000.
# 'open' is the macOS opener; on a Linux desktop substitute xdg-open.
sudo netstat -anp | grep 10000 | grep LISTEN | awk '{print $4}' | awk '{print "https://"$1}' | xargs -n1 open
```
Update OOB installation
We can use the Webmin UI to change a minimal set of options so that Webmin is bound to a local IP, which we then access over https through the nginx proxy.
For the following configuration to work, complete the setup steps below first.
Pre-Setup Requirements
- Docker installed on HOST
- Docker networks configured on HOST
- Nginx Proxy Manager container setup as per The NGINX Proxy Manager Install Guide
- Access from your local machine to the server Tailscale IP address via Tailscale VPN
NGINX Proxy Host Configuration
Your NGINX Docker compose file should be set up to listen on your VPN (Tailscale) server IP address:
- 100.100.69.2:80:80
- 100.100.69.2:443:443
- 100.100.69.2:81:81
We now set up an inbound proxy host that listens on HTTP and HTTPS, set the domain name, and route traffic to one of the internal IP addresses that Webmin is listening on.
Next, request an SSL certificate or use the wildcard cert that should already be available; enable Force SSL so all connections are encrypted. As a final check, add an advanced nginx config that tests the source IP range: if the address is not local or VPN, the request is denied.
Post Install Configuration (WebUI)
Post Login Error
When loading via the proxied address only (https://webmin.admin.tld.com), Webmin may redirect to https://webmin.admin.tld.co.uk:10000, which fails because external access to port 10000 should have been blocked. Simply remove the port from the URL and hit enter to load the page.
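The miniserv.conf changes listed under Webmin (bind to an internal address, disable SSL, front it with the nginx proxy) and the post-login ":10000" redirect above can be applied from the shell rather than by hand. The script below is an added example and not part of the original notes; it assumes the miniserv.conf keys `bind`, `ssl`, `allow`, `redirect_ssl` and `redirect_port` as documented by Webmin for reverse-proxy setups, and uses the Tailscale address 100.100.69.2 and the 100.100.69.0/24 VPN range from these notes as the bind and allow values. Run it with no arguments to exercise the logic on a constructed copy; pass `apply` to edit the real file, then restart Webmin.

```bash
#!/bin/bash
# Added example: idempotently set key=value lines in Webmin's miniserv.conf so
# Webmin listens only on the VPN address, serves plain HTTP to the nginx proxy,
# accepts connections only from local/VPN sources, and issues post-login
# redirects to the proxy's https port instead of :10000.
# Keys assumed from the Webmin reverse-proxy documentation (not from this page):
#   bind=<ip>        address to listen on
#   ssl=0            disable Webmin's own TLS (nginx terminates HTTPS)
#   allow=<list>     space-separated source addresses/networks permitted
#   redirect_ssl=1   build redirects as https://
#   redirect_port=443  ...on the proxy's port, avoiding the ":10000" redirect
set -eu

# set_conf_key FILE KEY VALUE: replace an existing "KEY=..." line or append one.
set_conf_key() {
  local file="$1" key="$2" value="$3"
  if grep -q "^${key}=" "$file"; then
    # '|' as the sed delimiter so values containing '/' (CIDR) are safe.
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_conf_key FILE KEY: print the value of KEY, or nothing if it is absent.
get_conf_key() {
  sed -n "s|^$2=||p" "$1"
}

# harden_miniserv FILE BIND_IP ALLOW_LIST: apply the five settings above.
harden_miniserv() {
  local conf="$1" bind_ip="$2" allow="$3"
  set_conf_key "$conf" bind "$bind_ip"
  set_conf_key "$conf" ssl 0
  set_conf_key "$conf" allow "$allow"
  set_conf_key "$conf" redirect_ssl 1
  set_conf_key "$conf" redirect_port 443
}

# demo_miniserv: run harden_miniserv against a constructed partial copy of an
# out-of-the-box miniserv.conf and print the temp file path for inspection.
demo_miniserv() {
  local tmp
  tmp="$(mktemp)"
  cat > "$tmp" <<'EOF'
port=10000
root=/usr/share/webmin
ssl=1
listen=10000
EOF
  harden_miniserv "$tmp" 100.100.69.2 "127.0.0.1 100.100.69.0/24"
  echo "$tmp"
}

if [ "${1:-}" = "apply" ]; then
  # Real run (assumed paths/addresses from these notes); restart afterwards:
  #   sudo systemctl restart webmin
  harden_miniserv /etc/webmin/miniserv.conf 100.100.69.2 "127.0.0.1 100.100.69.0/24"
fi
```

After applying, confirm with `sudo ss -lntp | grep 10000` (or the netstat pipeline used earlier) that Webmin is bound to 100.100.69.2 rather than 0.0.0.0, and that the nginx proxy host points at http://100.100.69.2:10000.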
Docker
APT Sources
Tailscale APT Sources

```bash
#!/bin/bash -e
# Add the Tailscale signing key and apt repository for this Ubuntu release.
GPG_URL=https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).noarmor.gpg
GPG_KEYFILE=/usr/share/keyrings/tailscale-archive-keyring.gpg
APT_URL=https://pkgs.tailscale.com/stable/ubuntu/$(lsb_release -cs).tailscale-keyring.list
APT_LIST=/etc/apt/sources.list.d/tailscale.list
# lsb_release is needed to resolve the release codename used in the URLs above.
which lsb_release || sudo apt install -yq lsb-release
# Fetch the keyring only if it is not already present.
[ -f "${GPG_KEYFILE}" ] || curl -fsSL "${GPG_URL}" | sudo tee "${GPG_KEYFILE}" >/dev/null
# Write the signed-by sources list.
curl -fsSL "${APT_URL}" | sudo tee "${APT_LIST}"
```
Docker APT Sources

```bash
#!/bin/bash -e
# Remove distribution-packaged Docker variants that conflict with Docker CE.
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove -y $pkg; done
sudo apt-get update
sudo apt-get install -y ca-certificates curl
# Install Docker's signing key into the keyrings directory.
sudo install -m 0755 -d /usr/share/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /usr/share/keyrings/docker.asc
sudo chmod a+r /usr/share/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```