sinus-x edited this page Aug 3, 2020 · 2 revisions

Setting up the Linux user

First, we have to create a user the bot will be run under. If you choose another username (and Postgres password), you'll have to alter some commands and configurations.

sudo useradd rubbergoddess
sudo passwd rubbergoddess
sudo mkdir /home/rubbergoddess
cd /home/rubbergoddess
sudo touch .hushlogin

The second step is to install essential tools:

sudo apt install sudo openssh-server git
sudo systemctl start sshd

The server should have a static IP address, set in /etc/network/interfaces. (You can get the name of your interface with the command ip a.)

allow-hotplug enp0s8
iface enp0s8 inet static
  address 192.168.0.100
  netmask 255.255.255.0

The next step is optional. It made my life easier, so I'm including it. Execute:

cat << 'EOF' >> /home/rubbergoddess/.profile
alias ls="ls --color=auto -l --group-directories-first"
source /etc/bash_completion.d/git-prompt
PS1='\[\e[$([[ $? = 0 ]] && printf 32 || printf 31);1m\]\A\[\033[03;00m\]:\[\033[01;33m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\[\033[01;33m\]$(__git_ps1)\[\033[00m\]\n\$ '
EOF
echo "source ~/.profile" > /home/rubbergoddess/.bashrc

The following is also not required. It may speed up your workflow, though. Copy it to the ~/.profile file and uncomment the lines that (will) apply to you.

# UNCOMMENT IF YOU ARE USING SYSTEMD
#alias rgs_start="sudo systemctl start rubbergoddess"
#alias rgs_stop="sudo systemctl stop rubbergoddess"
#alias rgs_restart="sudo systemctl restart rubbergoddess"
#alias rgs_db="psql"
#alias rgs_log="sudo journalctl -u rubbergoddess"
#alias rgs_backup='pg_dump rubbergoddess > "$HOME/backups/dump_$(date +%Y-%m-%d_%H:%M:%S).sql"'

# UNCOMMENT IF YOU ARE USING DOCKER
#alias rgs_start="docker-compose down && docker-compose up --build"
#alias rgs_stop="docker-compose down"
#alias rgs_db="docker exec -it rubbergoddess_db_1 psql -U postgres -p 5432"
#alias rgs_log="docker logs rubbergoddess_bot_1"
#alias rgs_backup='docker exec -it rubbergoddess_db_1 pg_dumpall -c -U postgres > "$HOME/backups/dump_$(date +%Y-%m-%d_%H-%M-%S).sql"'

# UNCOMMENT IF YOU ARE USING NOHUP (STANDALONE)
#alias rgs_start="bash ~/rubbergoddess/resources/rubbergoddess.sh"
#alias rgs_stop="bash ~/rubbergoddess/resources/rubbergoddess.sh stop"
#alias rgs_db="psql"
#alias rgs_log="less ~/rubbergoddess.log"
#alias rgs_backup='pg_dump rubbergoddess > "$HOME/backups/dump_$(date +%Y-%m-%d_%H:%M:%S).sql"'

We need to give control to the created user to set up the bot directory.

sudo chown -R rubbergoddess:rubbergoddess /home/rubbergoddess
su rubbergoddess
cd ~
git clone https://github.com/sinus-x/rubbergoddess.git

Copy the config/config.default.hjson file to config/config.hjson. Fill in the entries that are empty or do not seem right (empty strings or zeroes instead of IDs).

Firewall

If you do not know what iptables does, you should look it up (especially if you are running some other services there too, like Apache or Samba), because doing it wrong can block you from accessing the system. The following commands need to be run as root. Your network will probably be in the 192.168.0.0/16 range, but do not count on it.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -j REJECT --reject-with icmp6-port-unreachable

Because the firewall settings are reset every time the machine reboots, we need to save them. There are multiple ways of doing it, the easiest being:

sudo apt install iptables-persistent

Privileged commands

You may want to grant the rubbergoddess user as few permissions as possible, while allowing it access to the systemd services and logs connected to the bot. Run visudo and add the following:

Cmnd_Alias RGS_CTRL = /bin/systemctl start rubbergoddess, /bin/systemctl stop rubbergoddess, /bin/systemctl restart rubbergoddess
Cmnd_Alias RGS_STAT = /bin/systemctl status rubbergoddess, /bin/journalctl -u rubbergoddess
rubbergoddess ALL=(ALL) NOPASSWD: RGS_CTRL, RGS_STAT

Then the user can run sudo systemctl stop rubbergoddess, but not sudo systemctl stop ssh for example.


Raspbian has a default user, pi, with the NOPASSWD policy enabled. That means that anyone can gain root permissions with zero investigation. To disable this behavior, run:

sudo rm /etc/sudoers.d/010_pi-nopasswd

Then you will have to use su to log in as a privileged user, or set up another, not-widely-known user account to manage the system.
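
To confirm that only the narrow rubbergoddess rule remains after the change, you can list every NOPASSWD grant and see which ones cover all commands. The script below is an added example, not part of the original wiki or the rubbergoddess project; the function names and the sample pi line are assumptions made for illustration, and the parser handles single-line rules only.

```shell
#!/bin/sh
# Added example: list NOPASSWD grants in sudoers-style files and mark those
# that cover every command. Simplified parser: one-line user specifications
# only (no line continuations, no User_Alias expansion).

# audit_nopasswd FILE... prints "<class> <user> <file>" per NOPASSWD rule:
#   UNRESTRICTED  the command list contains a bare ALL
#   limited       explicit commands or a Cmnd_Alias name
audit_nopasswd() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*(#|$)/ { next }                  # comments, blank lines
            /NOPASSWD:/ {
                user = $1
                cmds = $0
                sub(/.*NOPASSWD:[ \t]*/, "", cmds)   # keep the command list
                n = split(cmds, list, /[ \t]*,[ \t]*/)
                class = "limited"
                for (i = 1; i <= n; i++) {
                    gsub(/^[ \t]+|[ \t]+$/, "", list[i])
                    if (list[i] == "ALL") class = "UNRESTRICTED"
                }
                print class, user, file
            }' "$f"
    done
}

# Constructed sample files: the pi line is an assumed example of a blanket
# grant; the second file holds the three lines from "Privileged commands".
write_samples() {
    printf '%s\n' 'pi ALL=(ALL) NOPASSWD: ALL' > "$1/010_pi-nopasswd"
    cat > "$1/rubbergoddess" <<'EOF'
Cmnd_Alias RGS_CTRL = /bin/systemctl start rubbergoddess, /bin/systemctl stop rubbergoddess, /bin/systemctl restart rubbergoddess
Cmnd_Alias RGS_STAT = /bin/systemctl status rubbergoddess, /bin/journalctl -u rubbergoddess
rubbergoddess ALL=(ALL) NOPASSWD: RGS_CTRL, RGS_STAT
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_nopasswd "$tmp"/*
rm -rf "$tmp"
```

On a real host, pass /etc/sudoers and /etc/sudoers.d/* to audit_nopasswd and run it as root, since those files are not world-readable.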
