Introduction
Guide
Standalone

Standalone

⚠️
This installation guide is for expert users that want extra security, if you are not an expert user and you don’t have a dedicated VM, please follow the Docker installation guide instead.

Requirements

Before you begin, ensure that you have the following:

  • A Debian-based operating system (e.g., Ubuntu, Debian)
  • A user account with sudo privileges
  • Basic knowledge of the command lin
  • 4GB of RAM or more
  • 2 CPU cores or more
  • 20GB of free disk space ( More if you use the core as a backup provider )

Dependencies

You will need to install the following dependencies:

  • curl
  • git
  • redis-server
  • python3.12
  • pip
  • ansible

You can install these dependencies using the following command:

sudo apt update
sudo apt install -y curl git ansible

Install redis-server

You can install redis-server using the following command:

sudo apt install -y redis-server

Now you need to start and enable the redis-server service:

sudo systemctl start redis
sudo systemctl enable redis

Install restic-server

⚠️
This is optional and can be disabled in the Frontdown settings.

If you want to use Frontdown as a backup provider, you can install the Restic server using the following command:

wget https://github.com/restic/rest-server/releases/download/v0.13.0/rest-server_0.13.0_linux_amd64.tar.gz 
tar -xvf rest-server_0.13.0_linux_amd64.tar.gz
sudo mv rest-server_0.13.0_linux_amd64/rest-server /usr/local/bin/
sudo chmod +x /usr/local/bin/rest-server

Before we can deploy our restic REST server using docker, we need to choose the directory which will host our repository and backup data.

Configure Restic server

Change default directory

🚫
Default data directory is /tmp/restic, meaning that all data will be lost after a reboot if not changed.
rest-server --path /home/frontdown/backup --no-auth

Enable authentication

The restic REST server authentication is implemented via an .htpasswd file; the REST server looks for this file in the same directory where snapshots are stored.

sudo apt update
sudo apt-get install -y apache2-utils

Now create a password file for the restic server:

htpasswd -B -c /home/frontdown/backup/.htpasswd frontdown

Enable provider services

Systemd service

Create the service file in /etc/systemd/system/frontdown-provider.service:

/etc/systemd/system/frontdown-provider.service
[Unit]
Description=Rest Server
After=syslog.target
After=network.target
Requires=frontdown-provider.socket
After=frontdown-provider.socket

[Service]
Type=simple
# You may prefer to use a different user or group on your system.
User=frontdown
Group=frontdown
ExecStart=/usr/local/bin/rest-server --path /home/frontdown/backup 
Restart=always
RestartSec=5

# The following options are available (in systemd v247) to restrict the
# actions of the rest-server.

# As a whole, the purpose of these are to provide an additional layer of
# security by mitigating any unknown security vulnerabilities which may exist
# in rest-server or in the libraries, tools and operating system components
# which it relies upon.

# IMPORTANT!
# The following line must be customised to your individual requirements.
ReadWritePaths=/home/frontdown/backup/

# Makes created files group-readable, but inaccessible by others
UMask=027

# If your system doesn't support all of the features below (e.g. because of
# the use of an older version of systemd), you may wish to comment-out
# some of the lines below as appropriate.
CapabilityBoundingSet=
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=yes

# As the listen socket is created by systemd via the rest-server.socket unit, it is
# no longer necessary for rest-server to have access to the host network namespace.
PrivateNetwork=yes

PrivateTmp=yes
PrivateDevices=true
PrivateUsers=true
ProtectSystem=strict
ProtectHome=yes
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
#ProtectHostname=true
RemoveIPC=true
RestrictNamespaces=true
RestrictAddressFamilies=none
RestrictSUIDSGID=true
RestrictRealtime=true
# if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Additionally, you may wish to use some of the systemd options documented in
# systemd.resource-control(5) to limit the CPU, memory, file-system I/O and
# network I/O that the rest-server is permitted to consume according to the
# individual requirements of your installation.
#CPUQuota=25%
#MemoryHigh=bytes
#MemoryMax=bytes
#MemorySwapMax=bytes
#TasksMax=N
#IOReadBandwidthMax=device bytes
#IOWriteBandwidthMax=device bytes
#IOReadIOPSMax=device IOPS, IOWriteIOPSMax=device IOPS
#IPAccounting=true
#IPAddressAllow=

[Install]
WantedBy=multi-user.target

Systemd socket

Create the socket file in /etc/systemd/system/frontdown-provider.socket:

/etc/systemd/system/frontdown-provider.socket
[Socket]
ListenStream = 8000

[Install]
WantedBy = sockets.target

Start Restic server

Start and enable services to start on boot:

sudo systemctl daemon-reload
sudo systemctl start frontdown-provider.service
sudo systemctl enable frontdown-provider.service

Frontdown Installation

Variables 

export GROUP_NAME="frontdown-group"
export PROJECT_NAME="frontdown"
export USER_NAME="frontdown"
export CURENT_USER=$(whoami)
export PROJECT_DIR="/home/$USER_NAME/$PROJECT_NAME"

Create user

For more security, we recommend creating a new user to run the Frontdown core. You can create a new user using the following command:


# Create a no login user
sudo useradd -m -r -s /usr/sbin/nologin -g "$GROUP_NAME" "$USER_NAME"

# Add current user to the group
sudo usermod -aG "$GROUP_NAME" "$CURENT_USER"


# Create the project directory and set the correct permissions
sudo mkdir -p "$PROJECT_DIR"
sudo chown -R "$USER_NAME:$USER_NAME" "$PROJECT_DIR"
sudo chmod -R 775 "$PROJECT_DIR"
⚠️
Please log out and log back in to apply the group changes.

Clone Frontdown

From the Github repository, clone the Frontdown core:

git clone https://github.com/Frontdown24/frontdown-core.git "$PROJECT_DIR"

cd "$PROJECT_DIR"

Install python packages 

pip install -r requirements.txt

Migrate the database

Execute the migration script, you can change the default user and password in the migrate.sh file:

./bin/migrate.sh
chmod +x ./bin/migrate.sh
./bin/migrate.sh

Create the frontdown service

Create the service file in /etc/systemd/system/frontdown.service:

/etc/systemd/system/frontdown.service
[Unit]
Description=Frontdown Service
After=network.target

[Service]
Type=simple
ExecStart=uvicorn \
    --workers 3 \
    --host $HOST_IP \
    --port $PORT \
    frontdown.asgi:application
User=$USER
Group=$GROUP
WorkingDirectory=$PROJECT_DIR
Environment="PATH=/home/$USER/.local/bin"
Restart=always

[Install]
WantedBy=multi-user.target

Start the service

Start the service and enable it to start on boot:


sudo systemctl daemon-reload
sudo systemctl start frontdown.service
sudo systemctl enable frontdown.service
Last updated on