Install Segfault Server Centre
You should only be here if you have already prepped your server for deployment. If you have not, read the AWS Deployment or Generic Deployment guide first.
Note: We use Route53 so that the user always connects to the nearest SSC. E.g. segfault.net resolves to us.segfault.net or de.segfault.net depending on your physical location. You likely won't need this.
Copy segfault source to /sec/src/ and install:
The following command will:
- Install all software (docker, curl, git, ...) onto the server.
- Move the SSHD to port 64222 and assign port 22 to the SSC.
- Create a random MASTER SEED.
- Configure the SSC (generate tor secrets, ssh-keys, ...).
Before running it:
- Replace ZZZ with your NordVPN Private Key or remove the line if NordVPN is not used.
- Set SF_FQDN= to whatever domain name you are using.
- Set SF_PACKAGES="MINI_BASE NET HACK" for a smaller deployment (1 GB instead of 16 GB).
Please refer to the list of all variables for more information.
SF_PACKAGES=ALL \
SF_BASEDIR=/sf \
SF_SEED="$(head -c 1024 /dev/urandom | tr -dc '[:alpha:]' | head -c 32)" \
SF_FQDN=mydomain.segfault.net \
SF_NORDVPN_PRIVATE_KEY=ZZZ \
SF_CRYPTOSTORM_CONFIG=XXX \
SF_MULLVAD_CONFIG=YYY \
provision/init-linux.sh
The script will finish with an output similar to this one:
--> System's SSHD was in the way and got moved to 64222
--> Basedir : /sf
--> SF_SEED : RandomlyCreatedMasterSeed1234567
--> Password : segfault
--> SSH : ssh root@mydomain.segfault.net
--> SSH (gsocket) : gsocket -s RandomSecret ssh root@mydomain.segfault.gsocket
- Optional: Check out our WireGuard Docker Image and how to obtain the configuration strings for the VPN.
- Optional: Edit .env and add the VPN keys.
- Optional: Copy existing ssh keys to /sf/config/etc/ssh/.
- Edit /sf/config/etc/sf.conf and adjust the configuration.
- Write down the SF_SEED. Do not store it on the server.
- Log in to your SSC (ssh root@mydomain.segfault.net) with password "segfault" (without parentheses).
Stopping:
cd /sec/src/segfault-abc
sfbin/sf down
Starting:
cd /sec/src/segfault-abc
SF_SEED=RandomlyCreatedMasterSeed1234567 sfbin/sf up
No configuration contains any sensitive user information. Nevertheless, it is advisable to use encryption for /sf/config.
We do not store any key material on the server. Thus, any reboot of the host requires the admin to mount the encrypted drives and supply the SF_SEED.
cryptsetup luksOpen /dev/sda sdaluks
mount -o nofail,noatime /dev/mapper/sdaluks1 /sf/config
mount -o nofail,noatime /dev/mapper/sdaluks2 /sec
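An added example, not part of the segfault project: pre-start checks for the reboot procedure above, written as POSIX shell functions. It verifies that /sf/config and /sec are mounted from /dev/mapper, prompts for the SF_SEED with echo off so the seed does not end up in shell history, and warns if the seed string is found in a file under /sf/config. The function names are hypothetical, and the 32-letter check assumes the seed was generated by the install command on this page.

```shell
#!/bin/sh
# Added example, not part of the segfault project. Function names are hypothetical.

# True if mount point $1 is backed by a /dev/mapper device, according to the
# /proc/mounts-format file $2 (default: /proc/mounts). The last entry wins.
on_mapper() {
    awk -v mp="$1" '$2 == mp { src = $1 }
        END { if (src ~ /^\/dev\/mapper\//) exit 0; exit 1 }' "${2:-/proc/mounts}"
}

# True if $1 looks like a seed made by the install command on this page:
# exactly 32 ASCII letters. Assumption: your seed was generated that way.
seed_ok() {
    case "$1" in
        *[!A-Za-z]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# True if the seed string occurs in any file under directory $2.
# The seed goes to grep on stdin, so it never appears in a process listing.
seed_on_disk() {
    printf '%s\n' "$1" | grep -rqF -f - -- "$2" 2>/dev/null
}

# Interactive start after a reboot. Paths are the ones used on this page.
start_ssc() {
    for mp in /sf/config /sec; do
        on_mapper "$mp" || { echo "$mp is not mounted from /dev/mapper" >&2; return 1; }
    done
    printf 'SF_SEED: ' >&2
    stty -echo; IFS= read -r seed; stty echo; echo >&2
    seed_ok "$seed" || { echo "seed is not 32 letters" >&2; return 1; }
    if seed_on_disk "$seed" /sf/config; then
        echo "WARNING: SF_SEED is stored in a file under /sf/config" >&2
    fi
    # Pass the seed through the environment only, as the page's start command does.
    (cd /sec/src/segfault-abc && SF_SEED="$seed" sfbin/sf up)
}

# Run the checks only when called as: sh script.sh start
if [ "${1:-}" = start ]; then
    start_ssc
fi
```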
Join us on Telegram if you have any questions or comments.