lapatatedouce/scripts-admin-debian
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: lapatatedouce:3e75644b759ec0b06849210e625483a271eb954d
Branches Tags
lapatatedouce:main
...
compare: lapatatedouce:main
Branches Tags
lapatatedouce:main

24 Commits
3e75644b75 ... main

Author SHA1 Message Date
Philippe Favre
dbe94e9375 Actualiser backup_and_restore/sauvegarde_docker/sauvegarde_docker.sh 2025-09-29 22:19:10 +02:00
Philippe Favre
f0e16eced3 Actualiser backup_and_restore/sauvegarde_docker/verification_sauvegarde_docker.sh 2025-09-29 22:00:35 +02:00
Philippe Favre
cc7eee152f Actualiser backup_and_restore/sauvegarde_docker/sauvegarde_docker.sh 2025-09-29 22:00:13 +02:00
Philippe Favre
d32796c481 Actualiser backup_and_restore/sauvegarde_docker/sauvegarde_docker.sh 2025-09-21 15:48:14 +02:00
sky
ab9b10acd9 Add container exclusion 2025-09-01 00:28:20 +02:00
Philippe Favre
9a64b7e9af Ajout sauvegarde docker 2025-08-08 18:47:41 +02:00
Philippe Favre
99c38cd4c7 Actualiser miscellaneous/secure_ssh.sh 2025-04-08 05:54:57 +02:00
Philippe Favre
a37a5adae3 Actualiser miscellaneous/secure_ssh.sh 2025-04-02 17:41:39 +02:00
Philippe Favre
25abcbb9e4 Actualiser miscellaneous/secure_ssh.sh 2025-04-02 17:32:28 +02:00
Philippe Favre
ed53d4cb1f Actualiser miscellaneous/secure_ssh.sh 2025-04-02 01:36:50 +02:00
Philippe Favre
f8034e007e Actualiser miscellaneous/secure_ssh.sh 2025-04-02 01:29:55 +02:00
Philippe Favre
f37d7bec80 password authentication 2025-04-02 01:22:32 +02:00
Philippe Favre
67eb731e2a change the SSH port 2025-03-22 21:54:29 +01:00
Philippe Favre
0915163d34 Téléverser les fichiers vers "networking" 2025-03-20 14:48:40 +00:00
lapatatedouce
703f2e1d0c add file 2025-03-13 13:31:54 +01:00
lapatatedouce
1d39da2723 Corrections 2025-03-04 21:53:13 +01:00
lapatatedouce
ef43428179 add Make sure to stop the service before modifying the configuration 2025-03-02 08:50:58 +01:00
lapatatedouce
92dd8d3c24 Corrextions 2025-03-02 07:09:34 +01:00
lapatatedouce
34f4f01fe5 Various corrections. 2025-03-02 04:49:01 +01:00
lapatatedouce
3cdb8e01fa Multiple IPs abandoned due to problems. 2025-03-02 04:31:04 +01:00
lapatatedouce
8e6d9de9e5 Correction 'Usage' 2025-03-01 05:11:31 +01:00
lapatatedouce
caee82e970 Add READMEs and set clarity 2025-03-01 05:10:30 +01:00
lapatatedouce
0174410211 Corrections 'Kdrive ou Swiss Backup' 2025-03-01 04:58:56 +01:00
lapatatedouce
9c71b23101 Fix change-ip-wglocal 2025-03-01 04:42:07 +01:00
14 changed files with 1008 additions and 331 deletions
Expand all files Collapse all files

47
backup_and_restore/annual_backup_with_max_compression.sh
View File

@@ -1,47 +0,0 @@
#!/bin/bash
# This script is designed to perform an annual backup of a source directory directly to a compressed `.tar.xz` archive for maximum compression.
# It allows excluding specified files or directories from the archive during the backup process.
# Additionally, it generates a SHA-256 checksum for each archive, saving it in a corresponding `.sha256` file for integrity verification.
# Finally, it removes older archives and their checksum files exceeding a specified retention period (e.g., 5 years), ensuring backup rotation.
# Usage:
# To use this script, save it as "annual_backup_with_max_compression.sh" and make it executable with the command `chmod +x annual_backup_with_max_compression.sh`.
# You can define exclusions either in the EXCLUDE_LIST array or in a file specified by EXCLUDE_FILE.
# Automate the execution annually by adding this cron job: `0 0 1 1 * /path/to/script/annual_backup_with_max_compression.sh`
# Variables
SOURCE_DIR="/path/to/source_directory" # Source directory to back up
ARCHIVE_DIR="/path/to/archive_directory" # Directory where tar.xz archives are stored
ARCHIVE_NAME="backup-$(date +%Y).tar.xz" # Archive name with the year
CHECKSUM_FILE="$ARCHIVE_NAME.sha256" # SHA-256 checksum file name (relative path)
RETENTION_YEARS=5 # Number of years to retain archives
RETENTION_DAYS=$((RETENTION_YEARS * 365)) # Retention period in days (5 years)
# Exclusion settings
EXCLUDE_LIST=() # Inline exclusion list, add patterns here (e.g., "*.tmp", "node_modules")
EXCLUDE_FILE="" # File with additional exclude patterns, one per line (e.g., "/path/to/exclude_file.txt")
# Build tar exclusion options
TAR_EXCLUDE_OPTIONS=()
for pattern in "${EXCLUDE_LIST[@]}"; do
TAR_EXCLUDE_OPTIONS+=("--exclude=$pattern")
done
if [ -n "$EXCLUDE_FILE" ]; then
TAR_EXCLUDE_OPTIONS+=("--exclude-from=$EXCLUDE_FILE")
fi
# 1. Create a tar.xz archive directly from the source directory with maximum compression, preserving file permissions
tar -cJf "$ARCHIVE_DIR/$ARCHIVE_NAME" "${TAR_EXCLUDE_OPTIONS[@]}" -C "$SOURCE_DIR" . --preserve-permissions
# 2. Change to the archive directory and generate a SHA-256 checksum with relative paths
(
cd "$ARCHIVE_DIR" || exit
sha256sum "$ARCHIVE_NAME" > "$CHECKSUM_FILE"
)
# 3. Remove older archives and checksum files (older than 5 years)
find "$ARCHIVE_DIR" -type f -name "backup-*.tar.xz" -mtime +$RETENTION_DAYS -exec rm {} \;
find "$ARCHIVE_DIR" -type f -name "backup-*.tar.xz.sha256" -mtime +$RETENTION_DAYS -exec rm {} \;
echo "Annual backup with maximum compression and checksum completed: $ARCHIVE_NAME"

54
backup_and_restore/archive_with_checksum.sh
View File

@@ -1,54 +0,0 @@
#!/bin/bash
# This script creates a .tar.xz archive of a specified source directory, preserving file permissions,
# and names the archive using the source directory's name followed by the current date in DDMMYYYY format.
# Additionally, it generates a SHA-256 checksum file for the archive in the specified output directory.
# Usage:
# 1. Make the script executable: `chmod +x archive_with_checksum`
# 2. Run the script by providing the path to the source directory as the first argument
# and the path to the output directory as the second argument.
# Example: `./archive_with_checksum /path/to/source_directory /path/to/output_directory`
#
# The script will produce an archive named `source_directory_DDMMYYYY.tar.xz` and a checksum file
# named `source_directory_DDMMYYYY.tar.xz.sha256` in the specified output directory.
# Check if the correct number of arguments is provided
if [ "$#" -ne 2 ]; then
echo "Usage: $0 source_directory output_directory"
exit 1
fi
# Assign parameters
source_directory=$1
output_directory=$2
# Get the base name of the source directory (without the full path)
source_name=$(basename "$source_directory")
# Get the current date in DDMMYYYY format
current_date=$(date +%d%m%Y)
# Create the archive name with the date, based on the source directory's name
archive_name="${source_name}_${current_date}.tar.xz"
archive_path="${output_directory}/${archive_name}"
# Create the archive with file permissions preserved
tar -cJpf "$archive_path" "$source_directory"
# Confirm archive creation and create a checksum if successful
if [ $? -eq 0 ]; then
echo "Archive created: $archive_path"
# Generate SHA-256 checksum file for the archive in the output directory
checksum_file="${archive_path}.sha256"
sha256sum "$archive_path" > "$checksum_file"
if [ $? -eq 0 ]; then
echo "Checksum file created: $checksum_file"
else
echo "Error creating the checksum file."
fi
else
echo "Error creating the archive."
fi

29
backup_and_restore/backup_adguardhome.sh
View File

@@ -1,29 +0,0 @@
# This script creates a tar.gz backup of the /opt/AdGuardHome directory, cron jobs, and system logs.
# The backup is stored in the './backups/' directory.
#
# To automate backups, you can add this script to your crontab.
# For example, to run this backup on the 1st of every month, you would add the following line to your crontab:
# 0 0 1 * * /path/to/this/script.sh
# (Remember to replace '/path/to/this/script.sh' with the actual path to this script)
# You can edit your crontab with the command: crontab -e
# Get the current date in a suitable format for the filename
current_date=$(date +"%Y-%m-%d")
# Create the backup filename
backup_filename="adguardhome_backup_${current_date}.tar.gz"
# Default backup location
backup_location="./backups/"
# Create the 'adguardhome' directory if it doesn't exist
mkdir -p "$backup_location/adguardhome"
# Create the tar.gz archive
tar -czvf "$backup_location/adguardhome/$backup_filename" /opt/AdGuardHome /var/spool/cron/crontabs/* /var/log
# Print a success message
echo "Backup created successfully in $backup_location/adguardhome/$backup_filename"
# Delete backups older than 90 days
find "$backup_location/adguardhome" -mtime +90 -type f -delete

68
backup_and_restore/backup_docker_container.sh
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# This script backs up all running Docker containers.
# For each container, it creates a compressed archive file (.tar.gz) containing
# the container's state at the time of execution.
# Backups are stored in a directory called "backup_docker_container".
# Each backup file is named with the container name and the current date and time,
# making it easy to identify when the backup was taken.
#
# Usage:
# 1. Save this script to a file, for example: backup_containers.sh
# 2. Make the script executable: chmod +x backup_containers.sh
# 3. Run the script: ./backup_containers.sh
#
# Automation with Cron:
# You can automate the execution of this script and manage old backups with a Cron job:
#
# 1. To back up all Docker containers every Sunday at midnight:
# 0 0 * * 0 /root/backup_docker_container.sh
#
# 2. To delete backup files older than 14 days every day at 1 AM:
# 0 1 * * * find /root/backup_docker_container/* -mtime +14 -exec rm {} \;
#
# Restoring a backup:
# To restore a Docker container from a backup, follow these steps:
#
# 1. Uncompress the .tar.gz file:
# gunzip /path/to/backup_docker_container/container_name_date.tar.gz
#
# 2. Create a Docker image from the .tar file:
# cat /path/to/backup_docker_container/container_name_date.tar | docker import - new_image_name
#
# This will create a new Docker image from the container's backup.
#
# 3. Start a new container from the restored image:
# docker run -d --name new_container_name new_image_name
#
# This will launch a new container based on the restored image.
#
# Note: This process does not restore Docker volumes. If your container used volumes,
# you will need to restore or recreate them separately.
#
# This script only backs up running containers at the time of execution.
# It exports only the container's file system (container content) and does not back up
# Docker volumes that may be mounted from the host.
# Backup directory
backup_dir="backup_docker_container"
# Create backup directory if it doesn't exist
mkdir -p "$backup_dir"
# Get current date and time
current_datetime=$(date +"%Y-%m-%d_%H-%M-%S")
# Get list of running Docker containers
containers=$(docker ps --format '{{.Names}}')
# Iterate through each container and create a compressed backup with container name and current date and time
for container in $containers
do
echo "Backing up container $container..."
docker export "$container" | gzip > "$backup_dir/${container}_${current_datetime}.tar.gz"
echo "Backup of container $container completed."
done
# Indicate that the backup process is completed
echo "Backup process completed."

133
backup_and_restore/sauvegarde_docker/README.md Normal file
View File

@@ -0,0 +1,133 @@
# Sauvegarde Docker
Système de sauvegarde automatique pour services Docker avec gestion intelligente des conteneurs.
## Description
Ce projet contient deux scripts Bash pour la sauvegarde et la vérification des services Docker :
- **`sauvegarde_docker.sh`** : Script principal de sauvegarde automatique
- **`verification_sauvegarde_docker.sh`** : Script de vérification de l'intégrité des sauvegardes
## Fonctionnalités
### Script de sauvegarde (`sauvegarde_docker.sh`)
- **Sauvegarde intelligente** : Détecte automatiquement les conteneurs Docker actifs
- **Arrêt/redémarrage sécurisé** : Arrête temporairement les conteneurs pendant la sauvegarde pour garantir la cohérence
- **Archivage compressé** : Création d'archives `.tar.gz` avec horodatage
- **Vérification d'intégrité** : Génération automatique de checksums SHA-256
- **Rétention automatique** : Suppression des sauvegardes de plus de 7 jours
- **Journalisation complète** : Logs détaillés avec horodatage
- **Gestion d'erreurs** : Statistiques et codes de retour appropriés
### Script de vérification (`verification_sauvegarde_docker.sh`)
- **Vérification d'intégrité** : Contrôle des checksums SHA-256
- **Rapport visuel** : Statut clair avec symboles (✓, ✗, ⚠)
- **Détection des anomalies** : Identification des fichiers corrompus ou manquants
## Configuration
### Paramètres par défaut
```bash
SRV_DIR="/home/docker/srv" # Répertoire source des services
BACKUP_DEST="/home/docker/backup" # Répertoire de destination
RETENTION_DAYS=7 # Durée de rétention en jours
LOG_FILE="/home/docker/docker-backup.log" # Fichier de log
```
### Prérequis
- **Docker** : Requis pour la gestion des conteneurs (optionnel)
- **Bash** : Version 4.0 ou supérieure
- **Espace disque** : Au moins 1 GB disponible (vérification automatique)
- **Permissions** : Accès en écriture aux répertoires de sauvegarde
## Installation
1. Cloner ou télécharger les scripts dans un répertoire
2. Rendre les scripts exécutables :
```bash
chmod +x sauvegarde_docker.sh
chmod +x verification_sauvegarde_docker.sh
```
3. Adapter les chemins dans la configuration si nécessaire
## Utilisation
### Sauvegarde manuelle
```bash
./sauvegarde_docker.sh
```
### Vérification des sauvegardes
```bash
./verification_sauvegarde_docker.sh
```
### Automatisation avec cron
Exemple pour une sauvegarde quotidienne à 2h00 :
```bash
# Éditer la crontab
crontab -e
# Ajouter la ligne suivante
0 2 * * * /chemin/vers/sauvegarde_docker.sh
```
## Structure des sauvegardes
```
/home/docker/backup/
├── service1/
│ ├── service1_2025-01-15_02-00-01.tar.gz
│ ├── service1_2025-01-15_02-00-01.tar.gz.sha256
│ └── service1_2025-01-16_02-00-01.tar.gz
├── service2/
│ └── service2_2025-01-16_02-00-01.tar.gz
└── docker-backup.log
```
## Logs et monitoring
### Fichier de log
Le fichier `/home/docker/docker-backup.log` contient :
- Horodatage de chaque opération
- Statut des conteneurs Docker
- Taille des archives créées
- Erreurs et avertissements
- Statistiques de fin d'exécution
### Codes de retour
- **0** : Sauvegarde réussie sans erreur
- **1** : Erreurs détectées (vérifier les logs)
## Sécurité et bonnes pratiques
- Les conteneurs sont arrêtés proprement avant sauvegarde
- Attente de 5 secondes après arrêt pour garantir la cohérence
- Vérification automatique des checksums
- Gestion des erreurs avec tentatives de récupération
- Logs détaillés pour audit et débogage
## Dépannage
### Problèmes courants
1. **Docker non accessible** : Vérifier l'installation et les permissions
2. **Espace disque insuffisant** : Libérer de l'espace ou ajuster la rétention
3. **Conteneur ne redémarre pas** : Vérifier les logs Docker et la configuration
### Vérification des logs
```bash
tail -f /home/docker/docker-backup.log
```

270
backup_and_restore/sauvegarde_docker/sauvegarde_docker.sh Executable file
View File

@@ -0,0 +1,270 @@
#!/bin/bash
# Description
# This script performs a backup of all folders in /srv
# For folders corresponding to active Docker containers,
# containers are stopped during backup then restarted
# Containers listed in EXCLUDED_CONTAINERS are ignored
# Backups are kept for 7 days
# Configuration
SRV_DIR="/srv"
BACKUP_DEST="/root/backup/docker"
RETENTION_DAYS=7
LOG_FILE="/root/backup/docker/docker-backup.log"
# List of containers to exclude from backup (space separated)
# Example: EXCLUDED_CONTAINERS="traefik mysql-prod redis-cache"
EXCLUDED_CONTAINERS=""
# Logging function
log_message() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE"
}
# Check if destination directory exists
if [ ! -d "$BACKUP_DEST" ]; then
log_message "Creating destination directory $BACKUP_DEST"
mkdir -p "$BACKUP_DEST"
fi
# Check available disk space (at least 1GB)
available_space=$(df "$BACKUP_DEST" | awk 'NR==2 {print $4}')
if [ "$available_space" -lt 1048576 ]; then
log_message "WARNING: Low disk space (less than 1GB available)"
fi
log_message "Starting Docker backup"
# Counters for statistics
success_count=0
error_count=0
docker_stopped=()
docker_errors=()
# Function to backup a directory
backup_directory() {
local source_dir="$1"
local folder_name="$2"
if [ ! -e "$source_dir" ]; then
log_message "WARNING: $source_dir does not exist, skipped"
((error_count++))
return 1
fi
# Create destination folder for this service
local dest_folder="$BACKUP_DEST/$folder_name"
mkdir -p "$dest_folder"
local filename="${folder_name}_$(date +%Y-%m-%d_%H-%M-%S).tar.gz"
local filepath="$dest_folder/$filename"
log_message "Backing up $source_dir to $folder_name/$filename"
# Create the archive
if tar -czf "$filepath" -C "$(dirname "$source_dir")" "$(basename "$source_dir")" 2>/dev/null; then
# Create SHA-256 checksum file
sha256sum "$filepath" > "$filepath.sha256"
file_size=$(du -h "$filepath" | cut -f1)
log_message "SUCCESS: $filename created ($file_size) - Checksum generated"
((success_count++))
return 0
else
log_message "ERROR: Unable to create archive for $source_dir"
((error_count++))
return 1
fi
}
# Function to check if Docker is installed
is_docker_available() {
command -v docker >/dev/null 2>&1
}
# Function to check if a container is excluded
is_container_excluded() {
local container_name="$1"
if [ -n "$EXCLUDED_CONTAINERS" ]; then
for excluded in $EXCLUDED_CONTAINERS; do
if [ "$container_name" = "$excluded" ]; then
return 0
fi
done
fi
return 1
}
# Function to check if a Docker container exists and is running
is_container_running() {
local container_name="$1"
if is_docker_available; then
docker ps --format "table {{.Names}}" | grep -q "^${container_name}$" 2>/dev/null
else
return 1
fi
}
# Function to stop a Docker container
stop_container() {
local container_name="$1"
log_message "Stopping Docker container: $container_name"
if docker stop "$container_name" >/dev/null 2>&1; then
log_message "Container $container_name stopped successfully"
docker_stopped+=("$container_name")
return 0
else
log_message "ERROR: Unable to stop container $container_name"
docker_errors+=("$container_name")
return 1
fi
}
# Function to start a Docker container
start_container() {
local container_name="$1"
log_message "Starting Docker container: $container_name"
if docker start "$container_name" >/dev/null 2>&1; then
log_message "Container $container_name started successfully"
return 0
else
log_message "ERROR: Unable to start container $container_name"
return 1
fi
}
# Check if Docker is available
if ! is_docker_available; then
log_message "WARNING: Docker is not installed or accessible"
fi
# Backup directories in /srv
log_message "=== DOCKER SERVICES BACKUP ==="
if [ -d "$SRV_DIR" ]; then
# Loop through all folders in /srv
for srv_folder in "$SRV_DIR"/*; do
if [ -d "$srv_folder" ]; then
folder_name=$(basename "$srv_folder")
# Check if the container is in the exclusion list
if is_container_excluded "$folder_name"; then
log_message "EXCLUSION: Container $folder_name skipped (in exclusion list)"
continue
fi
# Check if a Docker container with this name exists and is running
if is_container_running "$folder_name"; then
log_message "Active Docker container detected: $folder_name"
# Stop the container
if stop_container "$folder_name"; then
# Wait a bit to ensure the container is completely stopped
sleep 5
# Perform the backup
backup_directory "$srv_folder" "$folder_name"
# Restart the container
start_container "$folder_name"
else
log_message "WARNING: Backing up $folder_name without stopping container (risk of inconsistency)"
backup_directory "$srv_folder" "$folder_name"
fi
else
# No corresponding Docker container, normal backup
log_message "Service without active container: $folder_name"
backup_directory "$srv_folder" "$folder_name"
fi
fi
done
else
log_message "ERROR: Directory $SRV_DIR does not exist"
exit 1
fi
# Verification and generation of checksums for all archives
log_message "=== CHECKSUM VERIFICATION AND GENERATION ==="
archives_without_checksum=0
archives_with_checksum=0
find "$BACKUP_DEST" -name "*.tar.gz" -type f | while read -r archive_file; do
checksum_file="${archive_file}.sha256"
if [ ! -f "$checksum_file" ]; then
log_message "Generating missing checksum for $(basename "$archive_file")"
sha256sum "$archive_file" > "$checksum_file"
((archives_without_checksum++))
else
((archives_with_checksum++))
fi
done
# Final archive count
total_archives=$(find "$BACKUP_DEST" -name "*.tar.gz" -type f | wc -l)
missing_checksums=$(find "$BACKUP_DEST" -name "*.tar.gz" -type f | while read -r archive; do [ ! -f "${archive}.sha256" ] && echo "$archive"; done | wc -l)
log_message "Archives found: $total_archives"
if [ "$missing_checksums" -eq 0 ]; then
log_message "SUCCESS: All archives have a checksum file"
else
log_message "WARNING: $missing_checksums archives without checksum"
fi
# Cleanup of old backups
log_message "=== OLD BACKUPS CLEANUP ==="
for service_dir in "$BACKUP_DEST"/*/; do
if [ -d "$service_dir" ]; then
service_name=$(basename "$service_dir")
log_message "Removing backups older than $RETENTION_DAYS days for $service_name"
# Find obsolete files (archives and checksums separately)
deleted_files_tar=$(find "$service_dir" -type f -name "*.tar.gz" -mtime +$RETENTION_DAYS -print 2>/dev/null)
deleted_files_sha=$(find "$service_dir" -type f -name "*.sha256" -mtime +$RETENTION_DAYS -print 2>/dev/null)
if [ -n "$deleted_files_tar" ] || [ -n "$deleted_files_sha" ]; then
# Remove and log archives
if [ -n "$deleted_files_tar" ]; then
echo "$deleted_files_tar" | while read -r file; do
log_message "Removing: $service_name/$(basename "$file")"
done
find "$service_dir" -type f -name "*.tar.gz" -mtime +$RETENTION_DAYS -delete 2>/dev/null
fi
# Remove and log checksums
if [ -n "$deleted_files_sha" ]; then
echo "$deleted_files_sha" | while read -r file; do
log_message "Removing: $service_name/$(basename "$file")"
done
find "$service_dir" -type f -name "*.sha256" -mtime +$RETENTION_DAYS -delete 2>/dev/null
fi
else
log_message "No obsolete files to remove for $service_name"
fi
fi
done
# Restart containers that failed to restart
if [ ${#docker_errors[@]} -gt 0 ]; then
log_message "=== RETRY STARTING CONTAINERS IN ERROR ==="
for container in "${docker_errors[@]}"; do
start_container "$container"
done
fi
# Final statistics
log_message "=== BACKUP SUMMARY ==="
log_message "Successful backups: $success_count"
log_message "Errors: $error_count"
if [ ${#docker_stopped[@]} -gt 0 ]; then
log_message "Docker containers managed: ${docker_stopped[*]}"
fi
if [ ${#docker_errors[@]} -gt 0 ]; then
log_message "Docker containers in error: ${docker_errors[*]}"
fi
log_message "Backup completed"
# Exit code based on errors
if [ $error_count -gt 0 ] || [ ${#docker_errors[@]} -gt 0 ]; then
exit 1
else
exit 0
fi

48
backup_and_restore/sauvegarde_docker/verification_sauvegarde_docker.sh Normal file
View File

@@ -0,0 +1,48 @@
#!/bin/bash
# Script simple pour vérifier toutes les sauvegardes Docker
BACKUP_DIR="/var/backup/docker"
echo "=== VÉRIFICATION DES SAUVEGARDES DOCKER ==="
echo ""
# Parcourir tous les dossiers de services
for service_dir in "$BACKUP_DIR"/*/; do
if [ -d "$service_dir" ]; then
service_name=$(basename "$service_dir")
echo "Service: $service_name"
echo "------------------------"
# Vérifier chaque sauvegarde
found_backup=false
for backup_file in "$service_dir"/*.tar.gz; do
if [ -f "$backup_file" ]; then
found_backup=true
backup_name=$(basename "$backup_file")
checksum_file="${backup_file}.sha256"
echo -n " $backup_name ... "
if [ -f "$checksum_file" ]; then
cd "$service_dir"
if sha256sum -c "$(basename "$checksum_file")" >/dev/null 2>&1; then
echo "✓ OK"
else
echo "✗ CORROMPU"
fi
else
echo "⚠ PAS DE CHECKSUM"
fi
fi
done
if [ "$found_backup" = false ]; then
echo " Aucune sauvegarde trouvée"
fi
echo ""
fi
done
echo "Vérification terminée."

6
backup_and_restore/scaleway/methode_de_sauvegarde.md
View File

@@ -8,7 +8,7 @@
- [Sécurité des transferts](#sécurité-des-transferts)
- [Stockage externe](#stockage-externe)
- [Scaleway Cold Storage](#scaleway-cold-storage)
- [myKSuite](#myksuite)
- [Kdrive ou Swiss Backup](#kdrive-ou-swiss-backup)
- [Exemple de script Bash pour sauvegarder des dossiers](#exemple-de-script-bash-pour-sauvegarder-des-dossiers)
- [Exemple de script Bash pour le transfert avec rclone](#exemple-de-script-bash-pour-le-transfert-avec-rclone)
- [Fichier de configuration rclone](#fichier-de-configuration-rclone)
@@ -76,9 +76,9 @@ Cela permet de limiter les risques d'accès non autorisés et de garantir la con
Pour le stockage externe à long terme, j'utilise le service de stockage froid (Cold Storage) de [Scaleway](https://www.scaleway.com/en/glacier-cold-storage/). Mes données sont stockées dans un abri sous-terrain sécurisé à un coût très abordable de 0,002 € par gigaoctet et par mois. Cela me permet de conserver des copies de mes sauvegardes les plus importantes à un faible coût tout en bénéficiant d'un stockage sécurisé et durable.
### myKSuite
### Kdrive ou Swiss Backup
Pour les utilisations de moins de 1 To, il existe également la solution [myKSuite](https://www.infomaniak.com/fr/ksuite/myksuite/tarifs), hébergée en Suisse, qui coûte 20 € ou 15 CHF par an. Avec cette option, il faut découper les fichiers en blocs avec rclone, puis ces blocs de moins 50 gigaoctets seront automatiquement reconstitués lors du téléchargement.
Il existe également la solution [Kdrive](https://www.infomaniak.com/fr/ksuite/kdrive) ou [Swiss Backup](https://www.infomaniak.com/fr/swiss-backup) que vous pouvez utiliser. Il est possible de monter le disque sur votre ordinateur via le protocole WebDAV ou avec Rclone. Il faut découper les fichiers en blocs de moins de 45 gigaoctets avec Rclone, puis ces blocs seront automatiquement reconstitués lors du téléchargement.
## Exemple de script Bash pour sauvegarder des dossiers

261
miscellaneous/secure_ssh.sh
View File

@@ -1,76 +1,245 @@
#!/bin/bash
# This script is designed to configure the SSH server on a Linux system according to Mozilla's security best practices.
# It enhances the security of SSH connections by enforcing modern encryption standards, disabling insecure protocols, and restricting root access.
# The script backs up the original SSH configuration file, applies a new set of secure settings, and then restarts the SSH service to apply the changes.
# These settings include disabling password authentication, limiting access to strong ciphers and key exchange methods, and enhancing brute-force protection.
# These recommendations are based on Mozilla's guidelines, which can be found here: https://infosec.mozilla.org/guidelines/openssh
# This script configures the SSH server according to Mozilla's best security practices.
# It backs up the original SSH configuration file, generates a new secure configuration file,
# and then restarts the SSH service to apply the changes.
# Usage:
# To run this script, save it as "secure_ssh.sh" and make it executable by running the command: `chmod +x secure_ssh.sh`.
# After that, execute it with root privileges using: `sudo ./secure_ssh.sh`.
# The script will automatically apply the recommended configuration changes and restart the SSH service.
# Check if the script is run as root
if [[ "$EUID" -ne 0 ]]; then
echo "This script must be run as root. Please use sudo to execute it."
exit 1
fi
# 1. Save this script as "secure_ssh.sh".
# 2. Make it executable with: `chmod +x secure_ssh.sh`.
# 3. Run it with root privileges using: `sudo ./secure_ssh.sh`.
# Variables
SSHD_CONFIG="/etc/ssh/sshd_config"
BACKUP_FILE="${SSHD_CONFIG}_$(date +'%Y%m%d_%H%M%S').bak" # Backup with date and time
BACKUP_DIR="/etc/ssh/backup_sshd_config"
DATE_STR=$(date +"%Y%m%d_%H%M%S")
SSHD_SERVICE=""
# Backup the old configuration with a timestamp
cp "$SSHD_CONFIG" "$BACKUP_FILE"
# Function to validate an IP address
validate_ip() {
local ip=$1
local stat=1
# Ask user if they want to restrict SSH access to a single IP
read -p "Do you want to restrict SSH access to a single IP? (yes/no): " restrict_ip
if [[ $ip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
if [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]; then
stat=0
fi
fi
if [[ "$restrict_ip" == "yes" ]]; then
read -p "Enter the IP address to allow SSH access: " allowed_ip
allow_users="AllowUsers *@${allowed_ip}"
else
allow_users="# AllowUsers configuration not set"
fi
return $stat
}
# Modify the sshd_config file
cat <<EOL > "$SSHD_CONFIG"
# Mozilla SSH Security Recommendations
# Function to validate the SSH port
validate_ssh_port() {
local port=$1
local stat=1
if [[ "$port" =~ ^[0-9]+$ ]] && [[ "$port" -gt 0 && "$port" -le 65535 ]]; then
stat=0
fi
return $stat
}
# Detect the name of the SSH service
detect_sshd_service() {
if systemctl list-units --type=service | grep -q 'sshd'; then
echo "sshd"
elif systemctl list-units --type=service | grep -q 'ssh'; then
echo "ssh"
else
echo ""
fi
}
# Function to restart the SSH service
restart_sshd() {
local service=$1
systemctl restart "$service"
return $?
}
# Create a backup of the SSH configuration file
backup_sshd_config() {
mkdir -p "$BACKUP_DIR"
BACKUP_FILE="${BACKUP_DIR}/sshd_config.${DATE_STR}.bak"
cp "$SSHD_CONFIG" "$BACKUP_FILE"
if [[ $? -ne 0 ]]; then
echo "Error creating backup of the SSH configuration file."
exit 1
fi
echo "SSH configuration backup created: $BACKUP_FILE"
}
# Prompt for the SSH port
prompt_ssh_port() {
while true; do
read -p "Please enter the SSH port (default 22): " SSH_PORT
SSH_PORT=${SSH_PORT:-22}
if validate_ssh_port "$SSH_PORT"; then
echo "SSH port used: $SSH_PORT"
break
else
echo "Invalid port. The port must be an integer between 1 and 65535."
fi
done
}
# Prompt to restrict SSH access to specific IP addresses
prompt_allowed_ips() {
read -p "Do you want to restrict SSH access to specific IP addresses? (yes/no): " RESTRICT_ACCESS
ALLOWED_IPS=""
if [[ "$RESTRICT_ACCESS" =~ ^([oO]ui|[yY]es)$ ]]; then
while true; do
read -p "Enter a comma-separated list of allowed IP addresses (e.g. 192.168.1.1,10.0.0.1): " ALLOWED_IPS_INPUT
IFS=',' read -ra IP_ARRAY <<< "$ALLOWED_IPS_INPUT"
VALID=true
ALLOWED_IPS_CLEAN=""
for ip in "${IP_ARRAY[@]}"; do
ip=$(echo "$ip" | xargs) # Remove spaces
if ! validate_ip "$ip"; then
echo "Invalid IP address: $ip"
VALID=false
break
fi
ALLOWED_IPS_CLEAN+="$ip "
done
if $VALID; then
ALLOWED_IPS="${ALLOWED_IPS_CLEAN% }" # Remove trailing space
echo "SSH access allowed from: $ALLOWED_IPS"
break
else
echo "Please enter valid IP addresses."
fi
done
else
echo "SSH access allowed from all IP addresses."
fi
}
# Generate a new SSH configuration file
generate_new_sshd_config() {
cat <<EOL > "$SSHD_CONFIG"
# Secure SSH configuration according to Mozilla's recommendations
# Protocol version
Protocol 2
# Enable only secure ciphers
# Secure ciphers
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Enable only secure key exchange algorithms
# Secure key exchange algorithms
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
# Enable only secure MAC algorithms
# Secure MAC algorithms
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
# Disable password authentication for stronger security
# Disable password authentication
PasswordAuthentication no
# Disable old host keys
# Secure host keys (make sure they exist)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
# Restrict root access
# Restrict root access (root will not be able to connect)
PermitRootLogin no
# Strict connection policy
# Strict login policy
MaxAuthTries 3
LoginGraceTime 30
# Additional security recommendations
AllowTcpForwarding no
MaxSessions 2
LogLevel VERBOSE
ClientAliveInterval 300
ClientAliveCountMax 2
# Specified SSH port
Port $SSH_PORT
# IP restriction based on user input
$allow_users
# Other recommended configurations
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
# IP address access restrictions (if specified)
EOL
# Restart the SSH service
systemctl restart sshd
if [[ -n "$ALLOWED_IPS" ]]; then
echo "" >> "$SSHD_CONFIG"
echo "# IP address access restriction" >> "$SSHD_CONFIG"
echo "Match Address $(echo "$ALLOWED_IPS" | tr ' ' ',')" >> "$SSHD_CONFIG"
echo " AllowUsers *" >> "$SSHD_CONFIG"
echo "Match Address *,!$(echo "$ALLOWED_IPS" | tr ' ' ',')" >> "$SSHD_CONFIG"
echo " DenyUsers *" >> "$SSHD_CONFIG"
fi
}
echo "SSH configuration has been updated and backed up to $BACKUP_FILE according to Mozilla's security recommendations."
# Test the syntax of the new SSH configuration
test_sshd_config() {
sshd -t
return $?
}
# Detect the SSH service in use
detect_service() {
SSHD_SERVICE=$(detect_sshd_service)
if [[ -z "$SSHD_SERVICE" ]]; then
echo "Error: Unable to detect the SSH service (sshd or ssh)."
exit 1
fi
}
# Main process
main() {
# Warning message before proceeding with the script.
echo "Warning: Before running this script, make sure you have created a user and an SSH key in the authorized_keys file."
echo "The root user will not be able to connect."
read -p "Do you want to continue? (yes/no): " CONTINUE
if [[ ! "$CONTINUE" =~ ^([yY]es|[oO]ui)$ ]]; then
echo "Exiting script."
exit 0
fi
# Detect the SSH service
detect_service
# Backup current configuration
backup_sshd_config
# Prompt for the SSH port
prompt_ssh_port
# Prompt for allowed IP addresses
prompt_allowed_ips
# Generate the new configuration file
generate_new_sshd_config
echo "New SSH configuration file generated."
# Test the syntax of the new configuration
if test_sshd_config; then
echo "The new SSH configuration is valid."
else
echo "Error: The new SSH configuration contains errors. Restoring original configuration."
cp "$BACKUP_FILE" "$SSHD_CONFIG"
restart_sshd "$SSHD_SERVICE"
exit 1
fi
# Restart the SSH service
if restart_sshd "$SSHD_SERVICE"; then
echo "The SSH service has been restarted successfully."
echo "The SSH configuration has been updated according to Mozilla's security recommendations."
else
echo "Error: Failed to restart the SSH service. Restoring original configuration."
cp "$BACKUP_FILE" "$SSHD_CONFIG"
restart_sshd "$SSHD_SERVICE"
exit 1
fi
}
# Execute the main process
main

33
miscellaneous/set_cpu_mode.sh Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
# Description:
# This script allows the user to select a CPU frequency scaling governor mode.
# The governor controls the trade-off between performance and power consumption.
# Available modes typically include "performance", "powersave", "ondemand", "conservative", and "schedutil".
# Usage:
# 1. Save this script to a file, e.g., set_cpu_mode.sh.
# 2. Make the script executable with the command: chmod +x set_cpu_mode.sh.
# 3. Run the script with: sudo ./set_cpu_mode.sh.
# 4. Follow the on-screen prompts to select the desired CPU governor mode.
# Ask the user to choose a mode
echo "Please choose a CPU frequency scaling governor mode:"
echo "1. performance"
echo "2. powersave"
echo "3. ondemand"
echo "4. conservative"
echo "5. schedutil"
read -p "Enter the number corresponding to your choice: " choice
# Array of available modes
modes=("performance" "powersave" "ondemand" "conservative" "schedutil")
# Check if the choice is valid
if [[ $choice -ge 1 && $choice -le ${#modes[@]} ]]; then
selected_mode=${modes[$choice-1]}
echo "$selected_mode" | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
echo "The $selected_mode mode has been applied."
else
echo "Invalid choice. No mode was applied."
fi

187
networking/Configuration d’un tunnel Wireguard d’un serveur local à un VPS.md Normal file
View File

@@ -0,0 +1,187 @@
# Configuration d'un tunnel Wireguard d'un serveur local à un VPS
Cette configuration permet d'établir une connexion entre votre réseau local et un serveur VPS, vous offrant la possibilité d'ouvrir les ports nécessaires sur le VPS sans exposer directement votre réseau. Vous bénéficiez également de la protection DDoS fournie par le serveur distant. Cette solution est pratique si vous ne pouvez pas ouvrir de ports sur votre routeur ou si vous disposez d'une adresse IP dynamique. L'utilisation d'un VPS comme intermédiaire vous permet de contourner les limitations de votre routeur ou de votre fournisseur d'accès Internet, tout en offrant une sécurité supplémentaire.
## Prérequis
- Un minimum de connaissances en réseau, administration VPS.
- Vous disposez d'un VPS sur Debian chez IONOS, OVH, autres.
- Connaître l'adresse IP publique du VPS.
- Une heure de temps pour faire la configuration.
## Installation du serveur WireGuard sur le VPS
Connectez-vous en SSH à votre machine :
1. Connectez-vous en tant que root :
```bash
sudo -i
```
2. Suivez les instructions de ce [dépôt](https://github.com/angristan/wireguard-install) pour installer votre serveur WireGuard. Laissez tout par défaut et appelez votre client le nom de votre machine locale pour vous en souvenir si vous créez plusieurs clients.
4. À la fin de l'installation, vous aurez accès au fichier de configuration. Exécutez la commande `cat /chemindevotrefichier.conf` pour copier les informations du client. Notez ces informations quelque part afin de pouvoir les utiliser plus tard dans le processus d'installation.
4. Vous pouvez créer plusieurs clients, mais les machines ne communiqueront pas ensemble avec `iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP`, ce qui est une bonne pratique de sécurité.
5. Vous devez lire le fichier de configuration pour comprendre son fonctionnement :
```ini
# Description :
# Cette configuration vous permet d'établir une connexion entre une machine dans votre réseau local ou un routeur OPNsense et un serveur VPS. Cela vous permet d'ouvrir les ports nécessaires sur le VPS sans exposer votre réseau local, tout en bénéficiant de la protection DDoS fournie par le serveur distant.
# Prérequis :
# - Avoir un serveur VPS chez OVH ou Ionos avec Debian
# - Installer https://github.com/angristan/wireguard-install et générer un client
# - Connaître l'interface réseau en utilisant la commande 'ip a' et remplacer 'ens6' par le nom correct de l'interface
# - Connaître l'adresse IP publique du VPS
# Sauvegarder la configuration actuelle avant de la modifier
# Effectuez cette sauvegarde avant toute modification
# cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
# Arrêter le service WireGuard avant de modifier la configuration
# sudo wg-quick down wg0
# Modifier la configuration de WireGuard
# Ouvrez le fichier de configuration pour le modifier
# nano /etc/wireguard/wg0.conf
# Supprimez la section entre 'PrivateKey = x' et '### Client opnsense' et rajouter cette configuration avec tout les commentaires pour vous aidez
# Remplacez 'PORT_WIREGUARD' et 'IP_PUBLIQUE_DU_SERVEUR-VPS' par le port WireGuard et l'adresse IP publique du VPS
# Il est important d'ouvrir en `PostUp` et en `PostDown` le port que vous avez ouvert.
# Pour un deuxième client, ajoutez les lignes et modifiez l'adresse IP locale : '10.66.66.3' en prenant exemple sur '10.66.66.2'
# Règles iptables à appliquer après avoir configuré l'interface WireGuard
PostUp = sysctl -w net.ipv4.ip_forward=1 # Active le forwarding IPv4 pour permettre le routage entre les interfaces
PostUp = iptables -I INPUT -p udp --dport PORT_WIREGUARD -j ACCEPT # Autorise le trafic entrant sur le port UDP de WireGuard (remplacez 'PORT_WIREGUARD' par le numéro de port réel)
PostUp = iptables -A FORWARD -i wg0 -o ens6 -j ACCEPT # Autorise le trafic passant de l'interface WireGuard (wg0) vers l'interface réseau (ens6)
PostUp = iptables -A FORWARD -i ens6 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Autorise les connexions établies et connexes à revenir sur l'interface WireGuard
PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP # Bloque le trafic interne au sous-réseau WireGuard pour éviter les boucles ou les attaques internes
# Règles de translation d'adresse réseau (NAT) pour le trafic sortant et entrant
PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens6 -j SNAT --to-source IP_PUBLIQUE_DU_SERVEUR-VPS # Effectue une translation d'adresse pour le trafic sortant du client vers l'IP publique (remplacez 'IP_PUBLIQUE_DU_SERVEUR' par l'adresse réelle)
PostUp = iptables -t nat -A PREROUTING -i ens6 -d IP_PUBLIQUE_DU_SERVEUR-VPS -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 # Redirige le trafic HTTP entrant vers l'adresse IP du client WireGuard
PostUp = iptables -t nat -A PREROUTING -i ens6 -d IP_PUBLIQUE_DU_SERVEUR-VPS -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 # Redirige le trafic HTTPS entrant vers l'adresse IP du client WireGuard
# Règles iptables à retirer lors de la suppression de l'interface WireGuard
PostDown = iptables -D INPUT -p udp --dport PORT_WIREGUARD -j ACCEPT || true # Supprime la règle autorisant le trafic entrant sur le port UDP de WireGuard (remplacez 'PORT_WIREGUARD' par le numéro de port réel)
PostDown = iptables -D FORWARD -i wg0 -o ens6 -j ACCEPT || true # Supprime la règle autorisant le trafic de wg0 vers ens6
PostDown = iptables -D FORWARD -i ens6 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true # Supprime la règle autorisant les connexions établies à retourner vers wg0
PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true # Supprime la règle bloquant le trafic interne au sous-réseau WireGuard
PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens6 -j SNAT --to-source IP_PUBLIQUE_DU_SERVEUR-VPS || true # Supprime la règle de NAT pour le trafic sortant du client
PostDown = iptables -t nat -D PREROUTING -i ens6 -d IP_PUBLIQUE_DU_SERVEUR-VPS -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true # Supprime la redirection du trafic HTTP entrant
PostDown = iptables -t nat -D PREROUTING -i ens6 -d IP_PUBLIQUE_DU_SERVEUR-VPS -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true # Supprime la redirection du trafic HTTPS entrant
# Redémarrer le service WireGuard après avoir modifié la configuration
# sudo wg-quick up wg0
# Configuration OPNsense :
# Par exemple, rediriger le port de 192.168.1.x vers [local_ip_wireguard_client_10.66.66.X]
```
5. Éditez le fichier de configuration :
```bash
nano /etc/wg0.conf
```
## Installation du client Wireguard sur le serveur dans votre réseau local
Ce guide fournit les instructions étape par étape pour installer le client généré précédemment sur un système Debian.
### 1. Mise à jour du Système
Mettez à jour les paquets du système :
```bash
sudo apt update && sudo apt upgrade -y
```
### 2. Installer WireGuard
Installez WireGuard à partir des dépôts de Debian :
```bash
sudo apt install wireguard curl resolvconf iptables -y
```
### 3. Générer des Clés
Générez une clé privée et une clé publique pour l'interface WireGuard :
```bash
wg genkey | tee privatekey | wg pubkey > publickey
```
### 4. Configurer WireGuard
Créez un fichier de configuration pour l'interface WireGuard :
```bash
sudo nano /etc/wireguard/wg0.conf
```
Collez ou modifiez la configuration suivante dans le fichier, en remplaçant les espaces réservés par les valeurs appropriées :
```ini
[Interface]
PrivateKey = VOTRE_CLE_PRIVEE
Address = 10.0.0.2/24 # IP locale pour l'interface WireGuard
ListenPort = 51820 # Le port WireGuard
# Autoriser le trafic entrant UDP sur le port 22 depuis le réseau local
PostUp = iptables -A INPUT -s 192.168.0.0/24 -p udp --dport 22 -j ACCEPT
# Bloquer tout autre trafic entrant depuis le réseau local
PostUp = iptables -A INPUT -s 192.168.0.0/24 -j DROP
# Supprimer la règle autorisant le trafic entrant TCP sur le port 22 depuis le réseau local
PostDown = iptables -D INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
# Supprimer la règle autorisant le trafic entrant UDP sur le port 22 depuis le réseau local
PostDown = iptables -D INPUT -s 192.168.0.0/24 -p udp --dport 22 -j ACCEPT
# Supprimer la règle bloquant tout autre trafic entrant depuis le réseau local
PostDown = iptables -D INPUT -s 192.168.0.0/24 -j DROP
[Peer]
PublicKey = CLE_PUBLIQUE_DU_SERVEUR
Endpoint = IP_PUBLIQUE_DU_SERVEUR:51820 # Le port WireGuard
AllowedIPs = 0.0.0.0/0
```
### 5. Démarrer WireGuard
Mettez en route l'interface WireGuard :
```bash
sudo wg-quick up wg0
```
Activez WireGuard au démarrage :
```bash
sudo systemctl enable wg-quick@wg0
```
### 6. Vérifier la Connexion
Vérifiez l'état de WireGuard :
```bash
sudo wg
```
### 7. Tester l'IP Publique
Vérifiez votre adresse IP publique en utilisant `curl` :
```bash
curl ifconfig.me
```
### 8. Arrêter WireGuard
Fermez l'interface :
```bash
sudo wg-quick down wg0
```
### 9. Votre serveur est normalement accessible
Votre serveur est normalement accessible depuis l'extérieur et bloque le trafic du réseau local.

116
networking/WireGuard_Setup_Guide_Debian.md
View File

@@ -1,31 +1,37 @@
# WireGuard VPN Setup on Debian
This guide provides step-by-step instructions for installing and configuring WireGuard on a Debian system.
This guide provides step-by-step instructions for installing and configuring WireGuard on a Debian system. Separate instructions are given for both client and server setups.
---
## Requirements
- Debian-based system (Debian 12+)
- Root or sudo privileges
- A public and private key pair for WireGuard
- A server to connect to
- Debian-based system (Debian 12+) with root or sudo privileges.
- Public and private key pair for WireGuard.
- A server to connect to (for client setup).
## 1. System Update
---
Before installing WireGuard, update the system packages:
## Client-Side Setup
### 1. System Update
Update the system packages:
```bash
sudo apt update && sudo apt upgrade -y
```
## 2. Install WireGuard
### 2. Install WireGuard
WireGuard can be installed directly from Debian's repositories:
Install WireGuard from Debian's repositories:
```bash
sudo apt install wireguard -y
```
## 3. Generate Keys
### 3. Generate Keys
Generate a private and public key for the WireGuard interface:
@@ -33,11 +39,11 @@ Generate a private and public key for the WireGuard interface:
wg genkey | tee privatekey | wg pubkey > publickey
```
This command will generate two files:
The following files are generated:
- `privatekey`: Your WireGuard private key.
- `publickey`: Your WireGuard public key.
## 4. Configure WireGuard
### 4. Configure WireGuard
Create a configuration file for the WireGuard interface:
@@ -45,65 +51,107 @@ Create a configuration file for the WireGuard interface:
sudo nano /etc/wireguard/wg0.conf
```
Add the following configuration, replacing the placeholders with the appropriate values:
Paste or modify the following configuration in the file, replacing placeholders with appropriate values:
```ini
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.1/24 # Local IP address for WireGuard interface
ListenPort = 51820 # Port WireGuard will use
Address = 10.0.0.2/24 # Local IP for WireGuard interface
ListenPort = 51820
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0 # Routes through the VPN
PersistentKeepalive = 25 # Maintain connection
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```
- **YOUR_PRIVATE_KEY**: The private key from the `privatekey` file.
- **SERVER_PUBLIC_KEY**: The public key of the server (provided by the server).
- **SERVER_IP**: The servers IP address.
### 5. Start WireGuard
## 5. Start WireGuard
Once the configuration is complete, bring up the WireGuard interface:
Bring up the WireGuard interface:
```bash
sudo wg-quick up wg0
```
To enable WireGuard at system startup:
Enable WireGuard at startup:
```bash
sudo systemctl enable wg-quick@wg0
```
## 6. Verify the Connection
### 6. Verify the Connection
To check if WireGuard is running correctly, use the following command:
Check the status of WireGuard:
```bash
sudo wg
```
This will display the current status of the WireGuard interface and the connected peers.
### 7. Test the Public IP
## 7. Stop WireGuard
Verify your public IP address using `curl`:
To bring down the WireGuard interface:
```bash
curl ifconfig.me
```
### 8. Stop WireGuard
Bring down the interface:
```bash
sudo wg-quick down wg0
```
## 8. Firewall and Port Forwarding
---
Ensure that port 51820 (or the port you specified) is open on any firewalls or routers between your system and the server.
## Server-Side Configuration
## 9. Server-Side Configuration
Ensure the server has the appropriate WireGuard setup before trying to connect from the client.
Ensure that the server has the appropriate WireGuard configuration to allow your client to connect. You will need to add your public key and allowed IP address to the servers configuration.
### 1. Generate Server Keys
On the server, generate the private and public keys:
```bash
wg genkey | tee server_privatekey | wg pubkey > server_publickey
```
### 2. Set Up Server Configuration
Create and edit the WireGuard configuration file:
```bash
sudo nano /etc/wireguard/wg0.conf
```
Paste or modify the following configuration in the file, replacing placeholders:
```ini
[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
```
### 3. Start the WireGuard Server
Start and enable the WireGuard service:
```bash
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0
```
### 4. Firewall and Port Forwarding
Ensure port 51820 is open on any firewalls or routers.
---
This README provides instructions for setting up WireGuard on Debian. You may need to adjust some configurations depending on your network setup and requirements.
This README outlines the steps for setting up WireGuard on Debian. Adjust configurations based on your network setup and requirements.

73
networking/vpn-wg-site-to-vps.conf
View File

@@ -1,14 +1,14 @@
# Description:
# This configuration allows you to connect an OPNsense or pfSense router at home and connect it to a VPS IP.
# It uses multiple public IPs to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
# This configuration allows you to connect an OPNsense or pfSense router at home and link it to a VPS IP.
# It uses a public IP to redirect traffic to different machines behind the VPS for security reasons rather than opening ports on your home router.
# Prerequisites:
# - Have a VPS server at OVH or ionos with Debian
# - Have a VPS server at OVH or Ionos with Debian
# - Install https://github.com/angristan/wireguard-install and generate a client
# - Know the network interface with the 'ip a' command and replace ens3 with the appropriate interface
# - Know the public address or IP addresses of the clients
# - Know the network interface using the 'ip a' command and replace 'ens6' with the correct interface name
# - Know the public IP address or IP addresses of the clients
# Backup of the current configuration before modifying it
# Backup the current configuration before modifying it
# Perform this backup before any modification
# cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak
@@ -16,61 +16,48 @@
# Make sure to stop the service before modifying the configuration
# sudo systemctl stop wg-quick@wg0
# Modification of the WireGuard configuration
# Modify the WireGuard configuration
# Open the configuration file to modify it
# nano /etc/wireguard/wg0.conf
# Delete the columns what is between [Interface] and ### Client
# Delete the section between 'PrivateKey = x' and '### Client opnsense'
# Replace 'your-port' and 'your-public-ip' with actual port and IP information
# Configuration of the WireGuard interface on the server side
# WireGuard server side configuration
[Interface]
Address = 10.66.66.1/24, fd42:42:42::1/64
ListenPort = 51737
PrivateKey = X
ListenPort = your-port
PrivateKey = x
# iptables rules to apply after setting up the WireGuard interface
PostUp = iptables -I INPUT -p udp --dport 51737 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -I INPUT -p udp --dport your-port -j ACCEPT # Replace 'your-port' with actual port number
PostUp = iptables -A FORWARD -i wg0 -o ens6 -j ACCEPT
PostUp = iptables -A FORWARD -i ens6 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP
# NAT rules for client ip-1
PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443
# NAT rules for client ip-2
PostUp = iptables -t nat -A POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-2:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -d change-ip-public-2 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-2:443
PostUp = iptables -t nat -A POSTROUTING -s 10.66.66.2/32 -o ens6 -j SNAT --to-source your-public-ip # NAT for outgoing traffic from the opnsense client
PostUp = iptables -t nat -A PREROUTING -i ens6 -d your-public-ip -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 # Redirect port 80 to the opnsense client
PostUp = iptables -t nat -A PREROUTING -i ens6 -d your-public-ip -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 # Redirect port 443 to the opnsense client
# iptables rules to remove when deleting the WireGuard interface
PostDown = iptables -D INPUT -p udp --dport 51737 -j ACCEPT || true
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens3 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
PostDown = iptables -D FORWARD -i wg0 -s 10.66.66.0/24 -d 10.66.66.0/24 -j DROP || true
PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-1/32 -o ens3 -j SNAT --to-source change-ip-public-1 || true
PostDown = iptables -t nat -D POSTROUTING -s change-ip-wglocal-2/32 -o ens3 -j SNAT --to-source change-ip-public-2 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 80 -j DNAT --to-destination change-ip-wglocal-1:80 || true
PostDown = iptables -t nat -D PREROUTING -i ens3 -d change-ip-public-1 -p tcp --dport 443 -j DNAT --to-destination change-ip-wglocal-1:443 || true
PostDown = iptables -D INPUT -p udp --dport your-port -j ACCEPT || true # Replace 'your-port' with actual port number
PostDown = iptables -D FORWARD -i wg0 -o ens6 -j ACCEPT || true
PostDown = iptables -D FORWARD -i ens6 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || true
PostDown = iptables -t nat -D POSTROUTING -s 10.66.66.2/32 -o ens6 -j SNAT --to-source your-public-ip || true
PostDown = iptables -t nat -D PREROUTING -i ens6 -d your-public-ip -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80 || true
PostDown = iptables -t nat -D PREROUTING -i ens6 -d your-public-ip -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443 || true
### Client ip-1
### Client opnsense Configuration
[Peer]
PublicKey = X
PresharedKey = X
AllowedIPs = change-ip-wglocal-1/32,fd42:42:42::2/128
### Client ip-2
[Peer]
PublicKey = X
PresharedKey = X
AllowedIPs = 10.66.66.3/32,fd42:42:42::3/128
PublicKey = x
PresharedKey = x
AllowedIPs = 10.66.66.2/32, fd42:42:42::2/128
# Restart the WireGuard service after modifying the configuration
# sudo systemctl start wg-quick@wg0
# sudo systemctl restart wg-quick@wg0
# sudo systemctl status wg-quick@wg0
# OPNsense configuration:
# Follow the steps described in the OPNsense documentation:
# https://docs.opnsense.org
# Configure port forwarding from the OPNsense router to the local IP of the WireGuard client
# For example, forward the port from 192.168.1.x to change-ip-wglocal-1
# For example, forward the port from 192.168.1.x to [local_ip_of_wireguard_client]

14
readme.md
View File

@@ -1,6 +1,6 @@
## Debian System Administration Scripts
## Debian System Administration
This Git repository is a collection of useful Bash scripts for system administration on Debian. It will be gradually completed with scripts designed to automate various common tasks, facilitate system management, and improve productivity.
This Git repository is a collection of useful Bash scripts and READMEs for system administration on Debian. It will be gradually completed.
### Content
@@ -12,17 +12,19 @@ The repository will be organized into several categories for easy navigation:
* **Networking**
* **Miscellaneous**
### Usag
### Usage
Detailed instructions on how to use each script will be provided as they are added to the repository. In general, you will need to follow these basic steps:
1. **Make the script executable:**
1. **Read the script's description:** Each script will have a description at the beginning explaining its purpose and usage. Make sure to read it carefully before running the script.
2. **Make the script executable:**
```bash
chmod +x script_name.sh
```
2. **Execute the script:**
3. **Execute the script:**
```bash
./script_name.sh
@@ -34,8 +36,6 @@ Detailed instructions on how to use each script will be provided as they are add
sudo ./script_name.sh
```
3. **Read the script's description:** Each script will have a description at the beginning explaining its purpose and usage. Make sure to read it carefully before running the script.
### Contribution
Contributions are welcome! If you have useful scripts to share or improvements to suggest, feel free to submit a pull request.