hetzner media server


This guide aims to explain how to set up a secure media server on a hetzner media box.

update feb 2017

I've since moved away from using a hetzner media server, so have no intention of maintaining / updating this guide.

front matter

features

Right now it explains how to install and set up:

  • sabnzbd, rutorrent, sickrage, couchpotato, plex
  • firewall & fail2ban
  • openvpn
  • passwordless ssh
  • nginx reverse proxies
  • ssl for all services
  • user certificate authentication (no passwords for sab et al)

issues
Things that don't work / aren't included

  • openvpn config does work, but it should only be used for rtorrent's connections
  • rtorrent / rutorrent doesn't work at all; something to do with scgi
  • couchpotato browser plugin
  • plex apps (only browser will work)
  • nzb push for dognzb
  • encrypted partition for media library
  • couchpotato post processing on completed download.

fabric
In the course of writing this guide I played around with ways I might automate this setup. I really don't want to invest any time in it at the moment, but I did play around with a fab file momentarily. It's designed to be run on the remote server itself, not initiated remotely.

This is what I have so far (not much):

from fabric.api import env
from fabtools import require
from fabtools.deb import update_index, upgrade
from fabtools.files import upload_template

env.hosts = ['localhost']
env.port = 22022
env.use_sudo = True
env.user = 'reginald'
env.key_filename = '/home/reginald/.ssh/fab'
packages = [
    'ufw',
    'fail2ban',
    'etckeeper',
    'nginx',
    'git',
]

def setup():
    # replace the apt sources list, keeping a backup of the original
    upload_template(
        'templates/etc/apt/sources.list',
        '/etc/apt/sources.list',
        use_sudo=True,
        backup=True,
        chown=True,
        user='root',
    )
    update_index()
    upgrade()
    require.deb.packages(packages)

def nginx():
    require.deb.package('nginx')
    # note the comma after the first path: without it Python concatenates
    # the two strings into one and upload_template is called with no destination
    upload_template(
        'templates/etc/nginx/conf.d/gotr.conf',
        '/etc/nginx/conf.d/gotr.conf',
        use_sudo=True,
        backup=True,
        chown=True,
        user='www-data',
    )

nameology

This is a list of everything in the commands below which has been replaced. If you copy this guide, you should be able to use an editor to replace every instance of these names, and then copy-paste the commands.

hostname : chappy - as in the name of the machine
personal user : reginald - the username you'll log in with
utility user : chappy - the linux user which will run services
fqdn : chappy.domain.com - the domain name you'll type in your browser to access your server
box public IP : 55.55.55.55
your public IP : 66.66.66.66
box default gateway : 77.77.77.77

hetzner

Choose a server, buy it, and specify your public key. Ignore all the moaning about rescue mode. Once you get the order confirmation you have to wait a few minutes for it to be provisioned before the server will show up in your list on hetzner. Hit the linux tab and choose your OS (I'm a debian guy), then you do need to reset (see the reset tab) to initiate the clone.

hostname

/etc/hostname

chappy

/etc/hosts

127.0.0.1 localhost.localdomain localhost
55.55.55.55 chappy.domain.com chappy

Then you can run hostname -f and you should see chappy.domain.com

users

root@chappy ~ # adduser reginald
Adding user `reginald' ...
Adding new group `reginald' (1000) ...
Adding new user `reginald' (1000) with group `reginald' ...
Creating home directory `/home/reginald' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for reginald
Enter the new value, or press ENTER for the default
  Full Name []:
  Room Number []:
  Work Phone []:
  Home Phone []:
  Other []:
Is the information correct? [Y/n]
root@chappy ~ # adduser reginald sudo
Adding user `reginald' to group `sudo' ...
Adding user reginald to group sudo
Done.

ssh key

Hetzner didn't seem to want to copy my key for me even though I uploaded it to their ui. So I just chose the password option and let them generate my login password for me.

Once users are set up you can log out, and on your local machine generate an ssh key with ssh-keygen -t rsa, specifying a path like /home/reginald/.ssh/chappy when asked. Then upload that key with ssh-copy-id -i ~/.ssh/chappy reginald@55.55.55.55.

Thereafter you should be able to log in with ssh -i ~/.ssh/chappy reginald@55.55.55.55.

hardening

Don't be tempted to "deal with security later", do it now.

ssh

You can find your ssh config in /etc/ssh/sshd_config. I'm not going to post the whole thing here, but set these:

  • Port 22022
  • PermitRootLogin no
  • PasswordAuthentication no

then systemctl restart ssh

firewall

There are loads of iptables helpers; I like ufw. I'm just going to deny everything, then allow anything from my current IP address, or to my custom ssh port 22022.

apt-get install ufw
ufw default deny incoming
ufw allow from 66.66.66.66
ufw allow 22022
ufw enable

fail2ban

apt-get install fail2ban
nano /etc/fail2ban/jail.conf

Scroll down to the service definitions and change the ssh jail's port to your custom port number (22022).

openvpn

Don't forget to configure DNS for the VPN connection.

apt-get install openvpn

setting route
ip route add table 42 default via 77.77.77.77
ip rule add from 55.55.55.55/32 table 42

removing rules
ip rule del from 55.55.55.55 table 42
ip route flush table 42

testing connection
openvpn --config ./DEGermany.ovpn --script-security 2
wget -qO- http://ipecho.net/plain ; echo

informational
ip route show
ip rule list
openvpn --show-gateway

ssl keys & user certs

May as well get this out of the way now, even though these keys are only used by nginx, which we'll install later. SSL is the magic behind https, which you've all seen and used, but user certs aren't very common so I'll explain the reasoning here. Anyone who wants to access this server will be issued a user certificate; they import the certificate into their browser, and it identifies that user to your server. There are a number of advantages to this:

  • no passwords to remember (except for plex)
  • all your services are secured by nginx, which is far more battle-tested than sab & friends
  • less configuration in general

You should just be able to follow these commands, but if you're interested in what you're doing, there are a few terms to know:

KEY: Private Key
CSR: Certificate Signing Request - contains your public key, and identity details
CRT: Certificate - the signed CSR

CA: Certificate Authority - this isn't a single file; it's a key which is used to 'sign' csr files to create the crt. Thereafter a crt can be used to identify the bearer. A CA can determine whether it has signed a given crt.

So, to business. This will create a certificate authority, as well as the ssl certs for nginx to use for https:

mkdir /etc/ssl/nginx && cd /etc/ssl/nginx &&
openssl genrsa -out ca.key 4096 &&
openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/O=Chappy/CN=Chappy CA" &&
openssl genrsa -out server.key 1024 &&
openssl req -new -key server.key -out server.csr -subj "/O=Chappy/CN=*.chappy.domain.com" &&
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.srl -out server.crt

We're also going to create user certificates; this is basically an authentication layer which runs on top of that provided by sabnzbd, couchpotato, plex, or whatever other services we're providing. Users need to import their certificate file into their browser before they can access your services.

Just so you don't need to remember the command to create a new certificate, we can create a bash script to create new certs.

/etc/ssl/nginx/new-cert.sh

#!/bin/sh
# usage: /etc/ssl/nginx/new-cert.sh <username>
# run from the CA directory so ca.crt, ca.key and ca.srl resolve wherever the script is called from
cd /etc/ssl/nginx || exit 1
if [ -z "$1" ];
then echo "usage /etc/ssl/nginx/new-cert.sh <username>";
else
  openssl genrsa -out "$1".key 4096
  openssl req -new -key "$1".key -out "$1".csr -subj "/O=Chappy/CN=$1"
  openssl x509 -req -days 365 -in "$1".csr -CA ca.crt -CAkey ca.key -CAcreateserial -CAserial ca.srl -out "$1".crt
  # bundle key and cert into a .p12 for browser import (prompts for an export password)
  openssl pkcs12 -export -clcerts -in "$1".crt -inkey "$1".key -out "$1".p12
fi

Make it executable:

chmod 700 /etc/ssl/nginx/new-cert.sh

Then create a cert for reginald, and repeat for whatever users you like. You'll be asked for an export password here. I suspect that firefox won't allow imported certs with no password, but I need to confirm this.

./new-cert.sh reginald

Now, anyone wanting to access services needs a copy of the ca.crt and username.p12 files you just created. In their browser preferences (under advanced for both firefox and chrome) there's a 'view certificates' button. Import the ca.crt in the authorities section; the browser will ask whether you want to trust certs issued by that authority, and obviously we say yes. Then in the "your certificates" section import the p12 you created, entering the export password used during creation.
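As an added example (not from the original guide), the following script builds a throwaway CA and one user cert the way the commands above do, then checks the cert against ca.crt with openssl verify, which is the same chain check nginx performs when ssl_verify_client is on; a second, unrelated CA shows that a cert it signed is rejected. It works in a temp directory instead of /etc/ssl/nginx and uses 2048-bit keys; the names Chappy, Rogue, reginald and mallory are constructed.

```shell
#!/bin/sh
# Added example, not the guide's own script: throwaway CA + user cert in a temp
# dir, then the same "did my CA sign this?" check that nginx applies to client
# certs. Names (Chappy, Rogue, reginald, mallory) are constructed.
set -e

WORK="$(mktemp -d)"

# make_ca <dir> <name>: self-signed CA key and cert, as in the guide
make_ca() {
  mkdir -p "$1" && (
    cd "$1"
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/O=$2/CN=$2 CA"
  )
}

# issue_user <cadir> <username>: the new-cert.sh steps (minus the .p12 export)
issue_user() {
  (
    cd "$1"
    openssl genrsa -out "$2".key 2048 2>/dev/null
    openssl req -new -key "$2".key -out "$2".csr -subj "/O=Chappy/CN=$2"
    openssl x509 -req -days 365 -in "$2".csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out "$2".crt 2>/dev/null
  )
}

# verify_user <cadir> <certfile>: exit 0 if the CA in cadir signed the cert
verify_user() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

make_ca "$WORK/chappy" Chappy
make_ca "$WORK/rogue" Rogue
issue_user "$WORK/chappy" reginald
issue_user "$WORK/rogue" mallory

# reginald's cert was signed by the Chappy CA: accepted.
# mallory's cert was signed by a different CA: rejected, even though its
# subject looks the same as a legitimate user's.
verify_user "$WORK/chappy" "$WORK/chappy/reginald.crt" && echo "reginald: accepted"
verify_user "$WORK/chappy" "$WORK/rogue/mallory.crt" || echo "mallory: rejected"
```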

sabnzbd

apt-get install python2.7 python-cheetah python-support python-cryptography python-yenc python-dbus unzip p7zip p7zip-rar unrar
apt-get install devscripts build-essential git debhelper dh-autoreconf libtbb-dev

Do some multithreaded par2 magic:

DIR="$(mktemp -d)"
cd "$DIR"
git clone https://github.com/jcfp/debpkg-par2tbb.git
cd debpkg-par2tbb
uscan --force-download
dpkg-buildpackage -S -us -uc -d
dpkg-source -x ../par2cmdline-tbb_*.dsc
cd par2cmdline-tbb-*
dpkg-buildpackage -b -us -uc
echo; echo "to install, run: sudo dpkg -i $(readlink -f ../par2-tbb_*.deb)"

Notice that the last line here is just going to echo the path to the deb file you just built, so you'll need to dpkg -i /tmp/tmp.cD16VxMJv3/debpkg-par2tbb/par2-tbb_0.4+20150503-1_amd64.deb or so.

groupadd chappy
useradd chappy -g chappy -d /opt
git clone https://github.com/sabnzbd/sabnzbd /opt/sabnzbd
cd /opt/sabnzbd
git checkout tags/1.1.0
mkdir -p /opt/.sabnzbd
chown -R chappy:chappy /opt/sabnzbd /opt/.sabnzbd

This is my systemd unit definition, based on linux/sabnzbd@.service in the repo. Save it as /opt/.sabnzbd/sabnzbd.service:

[Unit]
Description=SABnzbd binary newsreader
Documentation=https://sabnzbd.org/wiki/
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/opt/sabnzbd/SABnzbd.py --logging 1 --browser 0
User=chappy
Type=simple
Restart=on-failure

[Install]
WantedBy=multi-user.target

ln /opt/.sabnzbd/sabnzbd.service /lib/systemd/system/sabnzbd.service &&
systemctl enable sabnzbd &&
systemctl start sabnzbd &&
systemctl status sabnzbd

sickrage

apt-get install unrar-free git-core openssl libssl-dev python2.7
git clone https://github.com/SickRage/SickRage.git /opt/sickrage
mkdir -p /opt/.sickrage
cp /opt/sickrage/runscripts/init.systemd /opt/.sickrage/sickrage.service
nano /opt/.sickrage/sickrage.service
ln /opt/.sickrage/sickrage.service /lib/systemd/system/sickrage.service
chown -R chappy:chappy /opt/

When editing sickrage.service, just change the user & group from sickrage to chappy.

couchpotato

apt-get install python-lxml python-pip &&
apt-get install build-essential libssl-dev libffi-dev python-dev &&
pip install --upgrade cffi &&
pip install cryptography pyopenssl &&
git clone &&
mkdir /opt/.couchpotato &&
cp /opt/CouchPotatoServer/init/couchpotato.service /opt/.couchpotato/couchpotato.service &&
ln /opt/.couchpotato/couchpotato.service /lib/systemd/system/couchpotato.service

/opt/.couchpotato/couchpotato.service

[Unit]
Description=CouchPotato application instance
After=network.target

[Service]
ExecStart=/opt/CouchPotatoServer/CouchPotato.py
Type=simple
User=chappy
Group=chappy

[Install]
WantedBy=multi-user.target

plex

wget https://downloads.plex.tv/plex-media-server/0.9.12.4.1192-9a47d21/plexmediaserver_0.9.12.4.1192-9a47d21_amd64.deb
dpkg -i plexmediaserver_0.9.12.4.1192-9a47d21_amd64.deb
service plexmediaserver stop
nano /etc/default/plexmediaserver

Change the user to chappy, then:

service plexmediaserver start

rtorrent & rutorrent

apt-get install gcc pkg-config libssl-dev g++ make libncurses5-dev libsigc++-2.0-dev libcurl4-openssl-dev tmux nano php5-fpm &&
DIR="$(mktemp -d)" && git clone https://github.com/mirror/xmlrpc-c.git "$DIR" && cd "$DIR"/stable &&
./configure &&
make &&
make install &&
DIR="$(mktemp -d)" && git clone https://github.com/rakshasa/libtorrent.git "$DIR" && cd "$DIR" &&
autoreconf --install &&
autoconf &&
./configure &&
make &&
make install &&
DIR="$(mktemp -d)" && git clone https://github.com/rakshasa/rtorrent.git "$DIR" && cd "$DIR" &&
./autogen.sh &&
./configure --with-xmlrpc-c &&
make &&
make install &&
DIR="/var/www/html/rutorrent" && git clone https://github.com/Novik/ruTorrent.git "$DIR" &&
chown -R chappy:chappy "$DIR" &&
chmod -R 775 "$DIR"
usermod -a -G chappy www-data
mkdir -p /opt/rtorrent && chown chappy:chappy /opt/rtorrent

/opt/rtorrent/rtorrent.service

[Unit]
Description=rTorrent
Requires=network.target local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
KillMode=none
User=chappy
ExecStart=/usr/bin/tmux new-session -s rt -n rtorrent -d rtorrent
ExecStop=/usr/bin/tmux send-keys -t rt:rtorrent C-q
WorkingDirectory=/opt/rtorrent

[Install]
WantedBy=multi-user.target

/opt/.rtorrent.rc

scgi_port = 127.0.0.1:5000
execute.nothrow = rm,-f,/opt/rtorrent/.rtorrent.sock
network.scgi.open_local = /opt/rtorrent/.rtorrent.sock
schedule = socket_chmod,0,0,"execute=chmod,0660,/opt/rtorrent/.rtorrent.sock"
schedule = socket_chgrp,0,0,"execute=chgrp,chappy,/opt/rtorrent/.rtorrent.sock"

/etc/php5/fpm/pool.d/rutorrent.conf

[rutorrent]
user = chappy
group = chappy
listen = /var/run/php-fpm-rutorrent.sock
listen.owner = chappy
listen.group = chappy
listen.mode = 0660
pm = static
pm.max_children = 2
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
chdir = /

sed -i.backup -e 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=1/' /etc/php5/fpm/php.ini
ln /opt/rtorrent/rtorrent.service /lib/systemd/system/rtorrent.service

nginx

apt-get install nginx &&
cd /etc/nginx

/etc/nginx/conf.d/server.conf

# ======================================================================= ssl ==
ssl_certificate      /etc/ssl/nginx/server.crt;
ssl_certificate_key  /etc/ssl/nginx/server.key;
ssl_client_certificate /etc/ssl/nginx/ca.crt;
ssl_verify_client on;
ssl_session_timeout  5m;
ssl_ciphers  HIGH:!aNULL:!MD5;

# ============================================================ something else ==
client_max_body_size 10m;
client_body_buffer_size 128k;

# ======================================= =Timeout if the real server is dead ==
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# ======================================================== Basic Proxy Config ==
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

/etc/nginx/sites-available/server

server {
  listen 80;
  listen 443 ssl;
  server_name sabnzbd.chappy.domain.com;
  if ($scheme = http) {
    return 301 https://$server_name$request_uri;
  }
  location / {
    proxy_pass http://localhost:8080;
  }
}
server {
  listen 80;
  listen 443 ssl;
  server_name sickrage.chappy.domain.com;
  if ($scheme = http) {
    return 301 https://$server_name$request_uri;
  }
  location / {
    proxy_pass http://localhost:8081;
  }
}
server {
  listen 80;
  listen 443 ssl;
  server_name couchpotato.chappy.domain.com;
  if ($scheme = http) {
    return 301 https://$server_name$request_uri;
  }
  location / {
    proxy_pass http://localhost:5050;
  }
}
server {
  listen 80;
  listen 443 ssl;
  server_name plex.chappy.domain.com;
  if ($http_x_plex_device_name = '') {
    rewrite ^/$ http://$http_host/web/index.html;
  }
  proxy_set_header Host $http_host;
  proxy_redirect off;
  if ($scheme = http) {
    return 301 https://$server_name$request_uri;
  }
  location / {
    proxy_pass http://localhost:32400;
  }
}

server {
  listen 80;
  listen 443 ssl;
  server_name rutorrent.chappy.domain.com;
  if ($scheme = http) {
    return 301 https://$server_name$request_uri;
  }
  root /var/www/html/rutorrent;
  index index.html index.htm index.php;

  location / {
    try_files $uri $uri/ =404;
  }

  location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php-fpm-rutorrent.sock;
    fastcgi_index index.php;
    include fastcgi_params;
  }

  location /RPC2 {
    include /etc/nginx/scgi_params;
    scgi_pass 127.0.0.1:5000;
  }
}

ln -s /etc/nginx/sites-available/server /etc/nginx/sites-enabled/server
systemctl reload nginx

file structure

cd /srv &&
mkdir movies
mkdir tv
mkdir blackhole
mkdir downloads
cd blackhole
mkdir tv
mkdir movies
chown -R chappy:chappy /srv/*

sabnzbd config

Head to sabnzbd.chappy.domain.com and fire up the wizard: you just choose a language and input the details of a primary usenet server, then sab restarts. The link presented probably won't be correct, so you'll have to go back to sabnzbd.chappy.domain.com. You'll see some errors; don't worry about that.

general

  • SABnzbd host : leave this as localhost, or it will mess up your reverse proxy
  • maybe copy API key and NZB key to save you coming back later
    1c8f4b1fa32d62aada5a9899ccd8b206
    d4177e7d23d39161c4a989f3549451e3
  • enable https : no, nginx is doing that for us

folders

  • Temporary Download Folder: /srv/downloads/incomplete
  • Minimum Free Space: 10G
  • Completed Download Folder: /srv/downloads
  • Permissions : blank
  • Watched Folder: /srv/blackhole

servers

You know what to do here.

categories

  • in the last row set category, folder/path, and groups to 'movies', then add.
  • repeat for 'tv'

switches

  • Check before download: yes

others

As required.

sickrage config

general > misc

launch browser: no
show root directories: new > '/srv/tv'

general > interface

No required changes here. No need for https or user settings, as nginx is taking care of that.

search settings
This section is a bit weird: there are three tabs, each with a "save settings" button at the bottom, but then there's a master "save settings" below that. As you complete each tab, use that tab's button. Then once you're done with the section, hit the master button down the bottom or else your settings won't stick.

search settings > NZB search

search nzbs: enable
send .nzb files to: black hole
black hole folder: /srv/blackhole/tv

search settings > torrent search

send .torrent files to: black hole
black hole folder: /srv/blackhole/tv

search providers

You know what to do.

post processing

post processing dir: /srv/downloads/tv
processing method: move

plex config

I had some drama with this. The instance on this machine will not allow you to connect until you first sign in from a local connection.

I'm not sure whether this can be achieved using the nginx proxy.

In my own case I fired up ssh on my local machine with:

ssh -p 22022 -L 32400:localhost:32400 -N reginald@chappy.domain.com

then pointed my browser at localhost:32400, logged in with my plex account in Settings > Server > General, and thereafter I could log in fine using plex.chappy.domain.com.