Feat/re arrange (#475)

* move things around a lot

* move up a layer

* some edits

* rename some paths
Matt Hill
2023-08-15 13:31:05 -06:00
committed by GitHub
parent 3f8d6b8c02
commit adcff208ac
76 changed files with 1223 additions and 1278 deletions


@@ -0,0 +1,187 @@
.. _backup-linux:
====================
Linux Network Folder
====================
.. contents::
:depth: 2
:local:
Setup Network Folder
--------------------
.. note:: This guide is for Ubuntu only. For Linux Mint, select "Mint", or for different distros such as Arch, Debian, Pop-OS, PureOS, etc, select "Other Linux" below.
.. tabs::
.. group-tab:: Ubuntu
Check out the video below, and follow along with the steps in this guide to setup a Network Folder on your Linux machine, such that you may create encrypted, private backups of all your StartOS data.
.. youtube:: LLIMC5P3NdY
:width: 100%
.. raw:: html
<br/><br/>
#. Install Samba if you have not already:
.. code-block::
sudo apt install samba && sudo systemctl enable smbd
#. Add your user to samba, replacing ``$USER`` with your Linux username.
.. code-block:: bash
sudo smbpasswd -a $USER
First you will be prompted for your linux password, then you will be asked to create a new SMB password for the user with permission to write to your new backup share. Keep it somewhere safe, such as Vaultwarden.
#. Right-click the folder that you want to backup to (or create a new one) and click "Properties"
.. figure:: /_static/images/cifs/cifs-lin0.png
:width: 60%
#. Select the "Local Network Share" tab
.. figure:: /_static/images/cifs/cifs-lin1.png
:width: 60%
#. Click "Share this folder"
.. figure:: /_static/images/cifs/cifs-lin2.png
:width: 60%
- You may rename the "Share", if you prefer - **remember this name**, you will need it later in the StartOS dashboard
- (Optional) Create a description in the "Comment" section
#. In case your installation of Ubuntu is running a firewall by default or due to your own custom configuration, enter this command to allow connections to Samba. If it generates an error, you can safely ignore it:
.. code-block:: bash
sudo ufw allow Samba
.. group-tab:: Mint
#. Install Samba if you have not already:
.. code-block::
sudo apt install samba && sudo systemctl enable smbd
#. Add your user to samba, replacing ``$USER`` with your Linux username.
.. code-block:: bash
sudo usermod -a -G sambashare $USER
sudo smbpasswd -a $USER
First you will be prompted for your linux password, then you will be asked to create a new SMB password for the user with permission to write to your new backup share. Keep it somewhere safe, such as Vaultwarden.
#. Right-click the folder that you want to backup to (or create a new one, eg. ``start9-backup``) and click "Sharing Options"
.. figure:: /_static/images/cifs/cifs-mint0.png
:width: 60%
#. Enter a Share name consisting of 12 or fewer characters and click "Create Share"
.. figure:: /_static/images/cifs/cifs-mint1.png
:width: 60%
- You may rename the "Share", if you prefer - **remember this name**, you will need it later in the StartOS dashboard. In this example, we call it ``backup-share``
- (Optional) Create a description in the "Comment" section
#. In case your installation of Mint is running a firewall by default or due to your own custom configuration, enter this command to allow connections to Samba. If it generates an error, you can safely ignore it:
.. code-block:: bash
sudo ufw allow Samba
.. group-tab:: Other Linux
1. Install Samba if it is not already installed.
* ``sudo pacman -S samba`` For Arch
* ``sudo apt install samba`` For Debian-based distros (Pop-OS, PureOS, etc)
* ``sudo yum install samba`` For CentOS/Redhat
* ``sudo dnf install samba`` For Fedora
2. Create a directory to share or choose an existing one and make note of its location (path). For this example, we will call the share ``backup-share`` and its corresponding shared directory will be located at ``/home/$USER/start9-backup``. Replace ``$USER`` with your Linux username below.
.. code-block:: bash
mkdir -p /home/$USER/start9-backup
.. note:: If you are on Fedora 38+, you need to do an extra step to allow the Samba share in SELinux:
.. code-block:: bash
sudo semanage fcontext --add --type "samba_share_t" "/home/$USER/start9-backup(/.*)?"
sudo restorecon -R /home/$USER/start9-backup
3. Configure Samba by adding the following to the end of the ``/etc/samba/smb.conf`` file:
.. code-block::
[backup-share]
path = "/home/$USER/start9-backup"
create mask = 0600
directory mask = 0700
read only = no
guest ok = no
Where:
- ``[backup-share]`` is the *Share Name* inside brakets, and can be called anything you'd like. We used ``backup-share`` in this example.
- ``path`` should be the path to the directory you created earlier
Copy the remainder of the entry exactly as it is
4. Open a terminal and enter the following command, replacing ``$USER`` with your Linux username:
.. code-block:: bash
sudo smbpasswd -a $USER
This creates a password for the Local Network Share. Keep it somewhere safe, such as Vaultwarden.
5. In case your installation of Linux (Pop-OS users take special note!) is running a firewall by default or due to your own custom configuration, enter this command to allow connections to Samba. If it generates an error, you can safely ignore it:
.. code-block:: bash
sudo ufw allow Samba
Connect StartOS
---------------
#. Go to *System > Create Backup*.
.. figure:: /_static/images/config/backup.png
:width: 60%
#. Click "Open".
.. figure:: /_static/images/config/backup0.png
:width: 60%
#. Fill in the following fields:
* Hostname - This is the hostname of the machine that your shared folder is located on
* Path - This is the "Share Name" (name of the share in your samba config) and **not** the full directory path. In this guide we use ``backup-share``.
* Username - This is your Linux username on the remote machine that you used to create the shared directory
* Password - This is the password you set above using ``smbpasswd``
.. figure:: /_static/images/config/backup1.png
:width: 60%
#. Click "Save".
That's it! You can now :ref:`Create<backup-create>` encrypted, private backups of all your StartOS data to your Linux machine or external drive!!
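
Review bot: The "Other Linux" tab never starts or reloads Samba after step 3 appends the ``[backup-share]`` stanza to ``/etc/samba/smb.conf``, so the new share is not served until the daemon happens to restart; add a step after the edit that enables and restarts the Samba service for that distro. The stanza sets ``guest ok = no`` but has no ``valid users`` line, so every account later added with ``smbpasswd -a`` can connect to the share, limited only by file permissions; consider restricting it to the backup user. Step 5 tells readers to ignore an error from ``sudo ufw allow Samba``, yet this tab also covers Fedora and CentOS/Redhat, where ufw is not the default firewall and SMB may still be blocked after the error; say which firewall to open instead of "safely ignore". Minor: "brakets" should be "brackets", and the two ``.. code-block::`` directives for the Samba install lack the ``bash`` language the other blocks carry.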


@@ -0,0 +1,70 @@
.. _ca-linux:
=======================================
Trusting Your Server's Root CA on Linux
=======================================
.. caution:: If you cannot connect following this guide, you may be using an application (such as Firefox) that is installed in a jailed environment, such as an appimage, flatpak, or snap. Please try an alternate install method if so.
.. tabs::
.. group-tab:: Debian/Ubuntu
These instructions will work for most Debian-based Linux distributions, such as Debian, Linux Mint, PopOS, Ubuntu, etc.
#. Ensure you have already `downloaded your server's Root CA </getting-started/trust-ca/#download-your-server-s-root-ca>`_
#. Perform the following commands in the Terminal:
.. code-block:: bash
sudo apt update
sudo apt install -y ca-certificates p11-kit
#. Move into the folder where you downloaded your Start9 server's Root CA (usually ``~/Downloads``), and run the following commands to add your Start9 server's CA certificate to the OS trust store:
.. caution:: BE CERTAIN to replace ``adjective-noun`` with your server's unique hostname in the 3rd and 4th commands below!
.. code-block:: bash
cd ~/Downloads
sudo mkdir -p /usr/share/ca-certificates/start9
sudo cp "adjective-noun.local.crt" /usr/share/ca-certificates/start9/
sudo bash -c "echo 'start9/adjective-noun.local.crt' >> /etc/ca-certificates.conf"
sudo update-ca-certificates
In the output it should say ``1 added`` if it was successful. For most applications, you will now be able to securely connect via ``https``. We highly recommend continuing on to our :ref:`Configuring Firefox <ff-linux>` guide.
.. group-tab:: Arch/Garuda
#. Ensure you have already `downloaded your server's Root CA </getting-started/trust-ca/#download-your-server-s-root-ca>`_
#. From the folder you have downloaded your Start9 server's Root CA, run the following commands (if you have changed the certificate's filename, be sure to change it here):
.. code-block:: bash
sudo pacman -S ca-certificates
sudo cp "<custom-address>.crt" /etc/ca-certificates/trust-source/anchors/
sudo update-ca-trust
Despite no output from the last command, you can test your app right away.
.. group-tab:: CentOS/Fedora
#. Ensure you have already `downloaded your server's Root CA </getting-started/trust-ca/#download-your-server-s-root-ca>`_
#. In `/etc/systemd/resolved.conf`, ensure you have ``MulticastDNS=Yes``
#. Restart systemd-resolved
.. code-block:: bash
sudo systemctl restart systemd-resolved
#. From the folder you have downloaded your Start9 server's Root CA, run the following commands (if you have changed the certificate's filename, be sure to change it here)
.. code-block:: bash
sudo yum install ca-certificates
sudo cp "<custom-address>.crt" /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
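
Review bot: All three tabs copy the downloaded ``.crt`` straight into the system trust store with no step to inspect it first; because this makes the file a trusted root for the whole OS, add a step before the ``sudo cp`` that prints the certificate's subject and SHA-256 fingerprint (for example ``openssl x509 -noout -subject -fingerprint -sha256 -in <file>``) so the reader can confirm it is their server's CA. In the Debian/Ubuntu block, ``echo 'start9/adjective-noun.local.crt' >> /etc/ca-certificates.conf`` appends a duplicate entry every time the guide is re-run; guard the append or tell the reader to check for an existing line. The filename placeholder is ``adjective-noun.local.crt`` in the first tab and ``<custom-address>.crt`` in the other two; use one form throughout. In the CentOS/Fedora tab, ``/etc/systemd/resolved.conf`` is in single backticks where the rest of the file uses double, and the ``MulticastDNS=Yes`` step is given no explanation on a page about CA trust.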


@@ -0,0 +1,127 @@
.. _ff-linux:
============================
Configuring Firefox on Linux
============================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local
-----
This guide applies to Firefox, Firefox ESR, Librewolf, and Thunderbird. Mozilla apps need to be configured to use the certificate store of your device. To find out why Mozilla does this differently, you can read their `blog post <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on the topic (TLDR: for security purposes).
#. Ensure you have already :ref:`trusted your server's Root CA<ca-linux>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``security.enterprise_roots.enabled`` and set it to ``true``:
.. figure:: /_static/images/ssl/browser/enterprise_roots_enabled_true.png
:width: 80%
:alt: Firefox security settings
#. Select your distribution below and follow instructions:
.. tabs::
.. group-tab:: Debian/Ubuntu
#. Select the hamburger menu -> ``Settings``. Search for ``security devices`` and select ``Security Devices...``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-1.png
:width: 60%
:alt: Mozilla application p11kit trust #1
#. When the Device Manager dialog window opens, select ``Load``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-2.png
:width: 60%
:alt: Mozilla application p11kit trust #2
#. Give the Module Name a title such as "System CA Trust Module". For the Module filename, paste in ``/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`` and hit ``OK``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-3.png
:width: 60%
:alt: Mozilla application p11kit trust #3
#. Verify that the new module shows up on the left hand side and select ``OK`` at the bottom right:
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-4.png
:width: 60%
:alt: Mozilla application p11kit trust #4
.. group-tab:: Arch/Garuda/CentOS/Fedora
No special steps are needed for Arch/Garuda/CentOS/Fedora. Continue below.
#. Restart Firefox
#. When you visit your server URL using ``https``, you should see this symbol indicating a secure connection:
.. figure:: /_static/images/ssl/browser/firefox-https-good.png
:width: 80%
:alt: Firefox security settings
#. If you see an exclamation point inside a triangle by the lock, it means you previously made a security exception in the browser. You will need to remove the exception by clicking the lock -> Connection not secure -> Remove Exception.
.. figure:: /_static/images/ssl/browser/cert-trust-exception-remove-1.png
:width: 80%
:alt: Firefox - Remove security exception (Part 1)
.. figure:: /_static/images/ssl/browser/cert-trust-exception-remove-2.png
:width: 80%
:alt: Firefox - Remove security exception (Part 2)
Tor
---
#. Ensure you have already :ref:`set up Tor<tor-mac>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Download a ``Proxy Auto Config`` file to inform Firefox how to use the Tor daemon running on your computer. You can get Start9's standard file from a terminal, by using:
.. code-block::
sudo wget -P /etc/tor https://start9.com/assets/proxy.pac
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste in the path to your PAC file from earlier, prefixed with ``file://``. Your path may be different from the one below and the triple ``///`` is intentional
.. code-block::
file:///etc/tor/proxy.pac
#. Check the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services
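
Review bot: Step 1 of the "Tor" section links to the ``tor-mac`` label, but this is the Linux guide and the same commit adds a ``tor-linux`` label; point the reference at ``tor-linux``. The step that sets ``network.websocket.allowInsecureFromHTTPS`` to ``true`` changes a browser-wide preference, not one scoped to .onion sites, so the trade-off should be stated next to the step. The module path ``/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`` is specific to x86_64; add a note for other architectures. Minor: the ``sudo wget -P /etc/tor ...`` and ``file:///etc/tor/proxy.pac`` blocks have no language on ``.. code-block::``, and ``.onion`` is written with single backticks in the last two steps.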


@@ -0,0 +1,67 @@
.. _linux:
=====
Linux
=====
Recommended Guides
------------------
.. raw:: html
<div class="topics-grid grid-container full">
<div class="grid-x grid-margin-x">
.. topic-box::
:title: Trust Root CA
:link: ca-linux
:icon: scylla-icon scylla-icon--partners
:class: large-4
:anchor: View
Trust your server's Root Certificate Authority for fast, secure connections
.. topic-box::
:title: Connect to Tor Network
:icon: scylla-icon scylla-icon--networking
:link: tor-linux
:class: large-4
:anchor: View
Run Tor natively for remote connectivity
.. topic-box::
:title: Configure Firefox
:link: ff-linux
:icon: scylla-icon scylla-icon--integrations
:class: large-4
:anchor: View
Configure Firefox for an optimal browser experience
Other Useful Guides
-------------------
.. raw:: html
<div class="topics-grid grid-container full">
<div class="grid-x grid-margin-x">
.. topic-box::
:title: Backup Config
:link: backup-linux
:icon: scylla-icon scylla-icon--cloud
:class: large-4
:anchor: View
Configure a Network Folder for storing StartOS backups
.. toctree::
:maxdepth: 4
:hidden:
ca-linux
tor-linux
ff-linux
backup-linux
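
Review bot: Both ``.. raw:: html`` blocks open ``<div class="topics-grid grid-container full">`` and ``<div class="grid-x grid-margin-x">``, but nothing in the file closes them, neither before "Other Useful Guides" nor before the ``toctree``; add a closing ``.. raw:: html`` block with ``</div></div>`` after the last ``topic-box`` of each section so the second heading and grid are not nested inside the first. Minor: the "Connect to Tor Network" box lists ``:icon:`` before ``:link:`` while the other boxes use the opposite order.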


@@ -0,0 +1,95 @@
.. _tor-linux:
====================
Running Tor on Linux
====================
.. tabs::
.. group-tab:: Debian / Ubuntu
For Debian and Debian-based systems, such as Mint, PopOS etc.
.. note:: The following install is for the LTS (Long Term Support) version of Tor from Debian. If you would like the latest stable release, The Tor Project maintain their own Debian repository. The instructions to connect to this can be found `here <https://support.torproject.org/apt/tor-deb-repo/>`_.
Install the Tor proxy service to your system. To do so, open your terminal and run the following command:
.. code-block:: bash
sudo apt update && sudo apt install tor
.. tip:: You can check that Tor is running with:
.. code-block:: bash
systemctl status tor
In the rare event that Tor is having connectivity issues, you can reset your connection with:
.. code-block:: bash
sudo systemctl restart tor
.. group-tab:: Arch / Garuda / Manjaro
Simply install Tor with:
.. code-block:: bash
sudo pacman -S tor
.. tip:: You can check that Tor is running with:
.. code-block:: bash
systemctl status tor
In the rare event that Tor is having connectivity issues, you can reset your connection with:
.. code-block:: bash
sudo systemctl restart tor
.. group-tab:: CentOS / Fedora / RHEL
#. Configure the Tor Package repository. Add the following to ``/etc/yum.repos.d/tor.repo``:
- CentOS / RHEL:
.. code-block:: bash
[Tor]
name=Tor for Enterprise Linux $releasever - $basearch
baseurl=https://rpm.torproject.org/centos/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/centos/public_gpg.key
cost=100
- Fedora:
.. tip:: Latest Fedora versions have Tor package available for installation:
.. code-block:: bash
[Tor]
name=Tor for Fedora $releasever - $basearch
baseurl=https://rpm.torproject.org/fedora/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=https://rpm.torproject.org/fedora/public_gpg.key
cost=100
#. Install the Tor package:
.. code-block:: bash
sudo dnf install tor
#. Then enable tor service:
.. code-block:: bash
sudo systemctl enable --now tor
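
Review bot: The "Arch / Garuda / Manjaro" tab goes from ``sudo pacman -S tor`` directly to "check that Tor is running", but unlike the CentOS / Fedora / RHEL tab it has no ``sudo systemctl enable --now tor`` step, and Arch does not start services on install; add that step before the tip. The two repository stanzas written to ``/etc/yum.repos.d/tor.repo`` are tagged ``.. code-block:: bash`` although they are repo configuration, not shell; use ``ini`` or leave the language off. Under "Fedora", the tip "Latest Fedora versions have Tor package available for installation:" is followed by a repo stanza, which leaves it unclear whether the reader needs the stanza at all; reword so the tip and the block do not contradict each other.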