Tandoor Recipes
I stumbled across Tandoor Recipes recently and I think it would be really cool to have our own shopping list and digital recipe application. I like the idea of it tracking when we cook a recipe so we can tell if we've fallen into a rut of just a few recipes, and what we might not have made in some time.
Create Virtual Machine
Steps performed on HV-03 via Windows Admin Center
- Navigate to Virtual Machines
- I click on Add then New
  - Name: TANDOOR-01
  - Generation: 2 (Recommended)
  - Virtual Processors: 2
  - Memory: 2GB
  - Storage Add: 50GB
  - I click on Create
- I select TANDOOR-01
- I click on Settings
  - I navigate to Disk, Add Disk
  - I select Use an existing virtual hard disk or ISO image file and choose c:\Images\Debian\debian=12.1.0-amd64-netinst.iso
  - I click Save disk settings
  - I navigate to Boot Order
    - DVD
    - Hard Disk
    - Network Adapter
  - I click Save boot order
  - Navigate to Security
    - I check Enable Secure Boot
    - Template: Microsoft UEFI Certificate Authority
    - I click Save security settings
  - I click Close
- I click on Power and then Start
Install Operating System
Steps performed on TANDOOR-01 console
- I work my way through the Debian installation wizard
- When the installation completes I reboot the system
Configure Operating System
Configure Network
Steps performed on TANDOOR-01 console
nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 10.10.10.XXX
    gateway 10.10.10.254
    netmask 255.255.255.0
- I save the file interfaces
Steps performed on DC-02 via Windows Admin Center
- I navigate to DNS
- I select domain.local
- I click Create a new DNS record
  - DNS record type: Host (A)
  - Record Name: TANDOOR
  - FQDN: TANDOOR.domain.local
  - IP Address: 10.10.10.XXX
  - Time to live: 3600
  - I click Create
Configure Sudo
Steps performed on TANDOOR-01
apt install sudo
/sbin/adduser david sudo
Adding user 'david' to group 'sudo' ...
Done.
Configure SSH Key
Steps performed on desktop via Windows Terminal
ssh-keygen -t ed25519
Move-Item -Path c:\Users\david\filename* -Destination c:\Users\david\.ssh -Force
- I open Windows Terminal Settings
- I open the JSON file and add the following:
{
    "colorScheme": "Ubuntu-ColorScheme",
    "commandline": "ssh -i \"~/.ssh/tandoor-01\" [email protected]",
    "experimental.retroTerminalEffect": false,
    "font":
    {
        "face": "Cascadia Code"
    },
    "guid": "{0caa0dad-35be-5f56-a8ff-XXXXXXXXXXXX}",
    "hidden": false,
    "name": "TANDOOR-01",
    "tabTitle": "TANDOOR-01"
},
- I verify the GUID is unique and save the JSON file
Configure SSH
Steps performed on TANDOOR-01
mkdir /home/david/.ssh
nano /home/david/.ssh/authorized_keys
- I paste in the public key and save authorized_keys
chmod 600 /home/david/.ssh/authorized_keys
sudo nano /etc/ssh/sshd_config
PermitRootLogin no
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes ssh-ed25519
PasswordAuthentication no
AuthorizedKeysFile /home/david/.ssh/authorized_keys
- I save the file sshd_config
sudo sshd -t
sudo systemctl restart ssh
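sshd -t only confirms that the configuration parses. As an added example (not part of the original post), the helper below compares the effective settings printed by sshd -T, which also reflects anything pulled in by an Include line, with the values set in this section. The function name check_sshd_effective is hypothetical, and the code assumes sshd -T prints one lowercase "keyword value" pair per line.

```shell
#!/bin/sh
# Added example: verify the effective sshd settings against this section's values.

# check_sshd_effective: read `sshd -T` output on stdin; print each deviation and
# return non-zero if any expected setting is missing or different.
check_sshd_effective() {
    awk '
        BEGIN {
            want["permitrootlogin"]          = "no"
            want["pubkeyauthentication"]     = "yes"
            want["passwordauthentication"]   = "no"
            want["pubkeyacceptedalgorithms"] = "ssh-ed25519"
        }
        {
            key = tolower($1)
            # Releases before OpenSSH 8.5 report this option under its old name.
            if (key == "pubkeyacceptedkeytypes") key = "pubkeyacceptedalgorithms"
            if (key in want) {
                val = $0
                sub(/^[^ ]+ /, "", val)
                seen[key] = 1
                if (val != want[key]) {
                    printf "MISMATCH %s: %s (want %s)\n", key, val, want[key]
                    bad = 1
                }
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad + 0
        }'
}

# Usage on TANDOOR-01:  sudo sshd -T | check_sshd_effective && echo "sshd settings OK"
```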
Configure UFW
Steps performed on TANDOOR-01
sudo apt install ufw
sudo ufw allow 22
sudo ufw enable
Install Fail2Ban
Steps performed on TANDOOR-01
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 100m
findtime = 5m
maxretry = 5
ignoreip = 10.10.10.XXX
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
- I save the jail.local file
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Install Tandoor Recipes' Dependencies
Steps taken on TANDOOR-01
sudo apt install docker
sudo apt install docker-compose
Install Tandoor
Steps performed on TANDOOR-01
sudo mkdir /apps
sudo mkdir /apps/Tandoor
cd /apps/Tandoor
sudo nano docker-compose.yml
version: "3"
services:
  db_recipes:
    restart: always
    image: postgres:15-alpine
    volumes:
      - ./postgresql:/var/lib/postgresql/data
    env_file:
      - ./.env
  web_recipes:
    restart: always
    image: vabene1111/recipes
    env_file:
      - ./.env
    volumes:
      - staticfiles:/opt/recipes/staticfiles
      # Do not make this a bind mount, see https://docs.tandoor.dev/install/docker/#volumes-vs-bind-mounts
      - nginx_config:/opt/recipes/nginx/conf.d
      - ./mediafiles:/opt/recipes/mediafiles
    depends_on:
      - db_recipes
  nginx_recipes:
    image: nginx:mainline-alpine
    restart: always
    ports:
      - 80:80
    env_file:
      - ./.env
    depends_on:
      - web_recipes
    volumes:
      # Do not make this a bind mount, see https://docs.tandoor.dev/install/docker/#volumes-vs-bind-mounts
      - nginx_config:/etc/nginx/conf.d:ro
      - staticfiles:/static:ro
      - ./mediafiles:/media:ro
volumes:
  nginx_config:
  staticfiles:
- I save the docker-compose.yml file
wget https://raw.githubusercontent.com/vabene1111/recipes/develop/.env.template -O .env
sudo nano .env
- Set SECRET_KEY=
- Set TIMEZONE=America/Detroit
- Set POSTGRES_PASSWORD=
- Set EMAIL_HOST=
- Set EMAIL_PORT=465
- Set EMAIL_HOST_USER=
- Set EMAIL_HOST_PASSWORD=
- Set DEFAULT_FROM_EMAIL=
- I save the .env file
sudo docker-compose pull
sudo docker-compose up -d
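SECRET_KEY= and POSTGRES_PASSWORD= are shown blank in the .env steps above. As an added example (not part of the original post), this script fills any of the two that are still empty with 32 random bytes in hex, restricts .env to its owner, and refuses to report success while either is unset. The function names and the hex format are choices made for this example.

```shell
#!/bin/sh
# Added example: fill the empty secrets left in Tandoor's .env (hypothetical helper names).

# gen_secret BYTES: print BYTES random bytes from /dev/urandom as lowercase hex.
gen_secret() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# has_value FILE KEY: succeed when FILE contains KEY= followed by a non-empty value.
has_value() {
    grep -Eq "^$2=.+" "$1"
}

# fill_secret FILE KEY: give KEY a random value unless it already has one.
fill_secret() {
    file=$1; key=$2
    if has_value "$file" "$key"; then return 0; fi
    value=$(gen_secret 32)
    tmp=$(mktemp "$file.XXXXXX") || return 1   # mktemp creates the file with mode 0600
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# check_env FILE: report required keys that are still empty; non-zero if any are.
check_env() {
    rc=0
    for k in SECRET_KEY POSTGRES_PASSWORD; do
        has_value "$1" "$k" || { echo "unset: $k" >&2; rc=1; }
    done
    return "$rc"
}

# harden_env FILE: fill both secrets, restrict the file to its owner, then verify.
harden_env() {
    for k in SECRET_KEY POSTGRES_PASSWORD; do
        fill_secret "$1" "$k" || return 1
    done
    chmod 600 "$1"
    check_env "$1"
}

# Usage (as root): sh this-script --apply /apps/Tandoor/.env
if [ "${1:-}" = "--apply" ]; then harden_env "${2:-.env}"; fi
```

Run it before the first docker-compose up -d: the postgres image reads POSTGRES_PASSWORD only when it initialises an empty data directory, so changing the value afterwards does not change the database password.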
When I test the website at http://tandoor.domain.local it loads successfully. I quickly create an administrator account to match up with Authentik Security, so I should be able to get them linked together easily in the future. I don't have much time to tackle anything else today, so this is where I will leave things until tomorrow.