From 19fd6f6527c85d4a2500687040c5e4a652a6a0d9 Mon Sep 17 00:00:00 2001 From: Mario Alegre Date: Mon, 27 Apr 2020 21:17:35 -0500 Subject: [PATCH] working on making medusa a router --- howtos/archer_c7_v2/setup.md | 29 ++++++++ howtos/gitea/Build.md | 2 + howtos/haproxy/certbot.md | 87 ++++++++++++++++++++++++ howtos/linux/dhcp-client-setip.md | 10 +++ howtos/linux/disable-sleep.md | 11 +++ howtos/linux/spoof-mac-address.md | 10 ++- howtos/router/custom-interface-names.md | 17 +++++ howtos/router/dnsmasq.md | 75 +++++++++++++++++++++ howtos/router/ez-ipupdate.md | 47 +++++++++++++ howtos/router/nftables.md | 89 +++++++++++++++++++++++++ howtos/samba/Build.md | 6 +- notes/centauro/emacs.md | 6 ++ notes/centauro/gnome.md | 17 +++++ notes/dns/alemor.md | 9 +++ notes/medusa/file_server.txt | 35 ++++++++++ notes/medusa/setup.md | 31 +++++++++ 16 files changed, 476 insertions(+), 5 deletions(-) create mode 100644 howtos/archer_c7_v2/setup.md create mode 100644 howtos/haproxy/certbot.md create mode 100644 howtos/linux/dhcp-client-setip.md create mode 100644 howtos/linux/disable-sleep.md create mode 100644 howtos/router/custom-interface-names.md create mode 100644 howtos/router/dnsmasq.md create mode 100644 howtos/router/ez-ipupdate.md create mode 100644 howtos/router/nftables.md create mode 100644 notes/centauro/emacs.md create mode 100644 notes/centauro/gnome.md create mode 100644 notes/dns/alemor.md create mode 100644 notes/medusa/file_server.txt create mode 100644 notes/medusa/setup.md diff --git a/howtos/archer_c7_v2/setup.md b/howtos/archer_c7_v2/setup.md new file mode 100644 index 0000000..6a4dfa4 --- /dev/null +++ b/howtos/archer_c7_v2/setup.md 
@@ -0,0 +1,29 @@ +## setup TP-Link Archer C7 v2 (stock firmware) + +## config wifi name & password + +in "Wireless 2.4GHz" and "Wireless 5GHz" sections + +## config admin username & password + +in System Tools > Password + +## config to act as AP only + +### ports + +don't plug into WAN port; use LAN ports only + +### IP + +need to give AP a static IP +- in Network > LAN + +### DHCP + +turn off dhcp +- in DHCP > DHCP Server + +### more info + +see [this link](https://www.tp-link.com/en/support/faq/417/) diff --git a/howtos/gitea/Build.md b/howtos/gitea/Build.md index f91bdcd..0d0fc6d 100644 --- a/howtos/gitea/Build.md +++ b/howtos/gitea/Build.md @@ -91,6 +91,8 @@ JWT_SECRET = ${jwt_secret_1:?} INTERNAL_TOKEN = ${internal_token:?} INSTALL_LOCK = true SECRET_KEY = ${secret_key:?} +; disable password complexity checks +PASSWORD_COMPLEXITY = off [database] DB_TYPE = postgres diff --git a/howtos/haproxy/certbot.md b/howtos/haproxy/certbot.md new file mode 100644 index 0000000..a394a38 --- /dev/null +++ b/howtos/haproxy/certbot.md 
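Review bot: `PASSWORD_COMPLEXITY = off` is only honoured inside Gitea's `[security]` section, and the hunk's section header is outside the hunk, so it is worth confirming the line lands under `[security]` and not in whichever section holds the `JWT_SECRET` context line, where it would be silently ignored. Turning the complexity check off removes the only rule on password content, so the comment should say why (e.g. passwords are generated or managed externally) and what still bounds them. `MIN_PASSWORD_LENGTH` in the same section is the remaining guard and can be raised to compensate, e.g. `; complexity checks off; rely on length instead` followed by `MIN_PASSWORD_LENGTH = 12`.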
@@ -0,0 +1,87 @@ +# use Certbot to automatically generate and renew Let's Encrypt certificates for HAproxy + +## Install + +install haproxy & certbot: +``` +apt install haproxy certbot +``` + +## configure haproxy + +we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. Add to your web frontend the directive: +``` +frontend www + bind *:80 + + ... + + # Reroute certbot requests to certbot + use_backend certbot if { path_beg /.well-known/acme-challenge/ } +``` +and also add a backend: +``` +backend certbot + mode http + server certbot-1 localhost:${port:?} +``` + +and then add an update script to `/usr/local/admin/bin/certbot-haproxy`: +``` +#!/bin/bash + +create() { + certbot certonly --standalone -d $1 --non-interactive --agree-tos --email $email --http-01-port=$port +} + +renew() { + certbot renew --tls-sni-01-port=$port +} + +concat() { + # Only do the concat if the live cert file is newer than the combined file + if [[ /etc/letsencrypt/live/$1/fullchain.pem -nt /etc/haproxy/certs/$1.pem ]]; then + mkdir -p /etc/haproxy/certs + cat /etc/letsencrypt/live/$1/fullchain.pem /etc/letsencrypt/live/$1/privkey.pem > /etc/haproxy/certs/$1.pem + #etckeeper commit "got new Let's Encrypt certificate for $1" + fi +} + +# Main Execution +if [[ (-z $1) || ("$1" != "create" && "$1" != "renew") ]]; then + echo "Improper argument: expecting \"create\" or \"renew\"" + exit 1 +fi + +. 
/etc/haproxy/certbot.cfg.sh + +for site in ${sites[@]}; do + $1 $site + concat $site +done +``` + +and don't forget to make it executable: +``` +chmod +x /usr/local/admin/bin/certbot-haproxy +``` + +finally, we will make a config file for our certbot script in `/etc/haproxy/certbot.cfg.sh`: +``` +#!/bin/bash + +# domains certbot should get certificates for +sites=( + medusa.alemor.org +) + +# port that the standalone certbot server should use +port=8888 + +# email that you will give to Let's Encrypt +email=letsencrypt@mario.alemor.org +``` +and make it executable as well: +``` +chmod +x /etc/haproxy/certbot.cfg.sh +``` diff --git a/howtos/linux/dhcp-client-setip.md b/howtos/linux/dhcp-client-setip.md new file mode 100644 index 0000000..965c943 --- /dev/null +++ b/howtos/linux/dhcp-client-setip.md @@ -0,0 +1,10 @@ +# tell dhcp client to request specific IP + +put the line: +``` +send dhcp-requested-address ${ip:?}; +``` +in `/etc/dhcp/dhclient.conf` + +note that this seems to cause a failure if the requested address is not available. For more information see here: +https://serverfault.com/questions/880900/can-i-request-a-specific-ip-address-via-dhcp-without-rejecting-an-offer-of-a-dif diff --git a/howtos/linux/disable-sleep.md b/howtos/linux/disable-sleep.md new file mode 100644 index 0000000..c3a12ac --- /dev/null +++ b/howtos/linux/disable-sleep.md @@ -0,0 +1,11 @@ +# disable ability of computer to sleep/hibernate + +run: +``` +systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target +``` + +to undo: +``` +systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target +``` diff --git a/howtos/linux/spoof-mac-address.md b/howtos/linux/spoof-mac-address.md index a6dce45..c3e724f 100644 --- a/howtos/linux/spoof-mac-address.md +++ b/howtos/linux/spoof-mac-address.md 
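Review bot: `renew()` in the embedded script passes `--tls-sni-01-port=$port`, but the rest of the setup only supports HTTP-01 (haproxy routes `/.well-known/acme-challenge/` to the certbot backend) and Let's Encrypt retired the TLS-SNI-01 challenge in 2019, so renewals will either fail or try to bind port 80 that haproxy already owns; make it match `create()`: `certbot renew --http-01-port=$port`. `concat()` writes `privkey.pem` into `/etc/haproxy/certs/$1.pem` through a plain redirect, so the combined key-and-chain file gets whatever the default umask allows; set `umask 077` at the top of the script (or `chmod 600` the result) and quote `"$1"`/`"$site"` throughout, since `$email` and `$port` are already quoted-unsafe expansions from the config. Nothing reloads haproxy after a new combined file is produced, so the renewed certificate is not served until the next restart; a `systemctl reload haproxy` after the `for` loop (guarded by whether any file changed) closes that gap.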
@@ -9,7 +9,7 @@ nmcli connection show choose the connection you want to manage and enter the interactive editing prompt with: ``` -sudo nmcli connection edit ${connection:?} +nmcli connection edit ${connection:?} ``` ## nmcli interactive prompt @@ -29,3 +29,11 @@ Once you are finished, save the settings and exit: save quit ``` + +## reconnect + +take the interface down and bring it back up to make the change take effect: +``` +nmcli con down id ${connection:?} +nmcli con up id ${connection:?} +``` diff --git a/howtos/router/custom-interface-names.md b/howtos/router/custom-interface-names.md new file mode 100644 index 0000000..77042e4 --- /dev/null +++ b/howtos/router/custom-interface-names.md @@ -0,0 +1,17 @@ +# how to set custom interface names + +find out the MAC address of your interface: +``` +ip addr show +``` + +then create a file in `/etc/systemd/network/10-${name:?}.link` with the contents: +``` +[Match] +MACAddress=${mac_address:?} + +[Link] +Name=${name:?} +``` + +don't forget to run `update-initramfs -u` afterwards to make sure the configuration takes effect. diff --git a/howtos/router/dnsmasq.md b/howtos/router/dnsmasq.md new file mode 100644 index 0000000..c660942 --- /dev/null +++ b/howtos/router/dnsmasq.md 
@@ -0,0 +1,75 @@ +# set up dnsmasq + +dnsmasq provides DHCP and DNS services for the network + +## install & config dnsmasq + +install with: +``` +apt install dnsmasq +``` +stop service so it doesn't do anything until it's configured: +``` +service dnsmasq stop +``` + +### config + +config file is in `/etc/dnsmasq.conf`. The following settings need to be set: +``` +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +local=/mar.alemor.org/ + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +interface=lan0 + +# Set a domain for a particular subnet +domain=mar.alemor.org,192.168.82.0/24 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. +dhcp-range=192.168.82.50,192.168.82.150,12h + +# Set the limit on DHCP leases, the default is 150 +dhcp-lease-max=150 + +# Set the DHCP server to authoritative mode. In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +dhcp-authoritative + +# If you want to disable negative caching, uncomment this. 
+no-negcache +``` +after you've set the config you want, reload with `service dnsmasq restart` + + +hosts in `/etc/hosts` and MAC addresses in `/etc/ethers` + +## make interface static + +the LAN interface won't be getting DHCP since it *is* the DHCP, so it has to be defined as static. In `/etc/network/interfaces`, add the block: +``` +auto lan0 +iface lan0 inet static + address 192.168.82.1 + netmask 255.255.255.0 +``` + +then take the interface down and bring it back up with: +``` +ifdown lan0 +ifup lan0 +``` diff --git a/howtos/router/ez-ipupdate.md b/howtos/router/ez-ipupdate.md new file mode 100644 index 0000000..890cdb5 --- /dev/null +++ b/howtos/router/ez-ipupdate.md @@ -0,0 +1,47 @@ +# use ex-ipudate to dynamically update your DNS record + +## install + +``` +apt install ez-ipupdate +``` +when the package asks you how to configure it, select "manual" to configure it manually. + +## configure + +head to `/etc/ez-ipupdate`: +``` +cd /etc/ez-ipupdate +``` +here we will create a file for DynDNS provider, named `dyndns.conf`, with the contents: +``` +#!/usr/sbin/ez-ipupdate -c +# +# example config file for ez-ipupdate +# +# this file is actually executable! + +service-type=dyndns +user=${username:?}:${password:?} +host=${hostname:?}.alemor.org +interface=wan0 +max-interval=2073600 + +# if you don't use a cache file your dyndns account will probably get banned. +run-as-user=ez-ipupd +cache-file=/var/cache/ez-ipupdate/default-cache + +# uncomment this once you have everything working how you want and you are +# ready to have ez-ipupdate running in the background all the time. to stop it +# you can use "killall -QUIT ez-ipupdate" under linux. +#daemon +``` +don't forget to make it executable: +``` +chmod +x dyndns.conf +``` +run it to see if it works: +``` +./dyndns.conf +``` +once everything is working, uncomment the `daemon` line. diff --git a/howtos/router/nftables.md b/howtos/router/nftables.md new file mode 100644 index 0000000..30d43eb --- /dev/null 
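Review bot: The sentence after the config block says MAC addresses go in `/etc/ethers`, but dnsmasq only consults that file when `read-ethers` is set, and it is not among the options shown, so static MAC-to-IP mappings would be silently ignored; add `read-ethers` to `/etc/dnsmasq.conf`. Because this instance also answers DNS on `lan0`, `domain-needed` and `bogus-priv` are worth adding so single-label names and reverse lookups for private ranges are not forwarded to the upstream resolver. `dhcp-authoritative` is reasonable for a home LAN, but as its own comment warns it should only be enabled where this box is the sole DHCP server on the segment.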
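Review bot: `dyndns.conf` holds the DynDNS credentials in `user=${username:?}:${password:?}`, yet the only permission step shown is `chmod +x dyndns.conf`, which under a default umask leaves the password readable by every local account; use `chmod 700 dyndns.conf` when making it executable. If `run-as-user=ez-ipupd` means that account must be able to read the file, state the required owner or group in the howto rather than leaving it world-readable; whether the config is read before or after the privilege drop is not visible here. The title also reads `ex-ipudate`, which should be `ez-ipupdate` to match the package name.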
+++ b/howtos/router/nftables.md 
@@ -0,0 +1,89 @@ +# set up firewall and NAT with nftables + +nftables is the successor to iptables + +## enable forwarding + +Need to enable forwarding in system settings. In `/etc/sysctl.conf` add the line: +``` +net.ipv4.ip_forward = 1 +``` + +## make nftables rules + +in `/etc/nftables.conf`: +``` +#!/usr/sbin/nft -f + +# flush all rules +flush ruleset + +table inet myfilter { + chain myinput { + # use the "input" hook for this chain + # accepts packets by default, because we don't want + # to have to keep track of all interfaces we don't want + # firewalled (lan0, wlan0, lxdbr0, veths, etc) + type filter hook input priority 0; policy accept; + + # allow established/related connections + ct state {established, related} accept + + # drop invalid connections + ct state invalid drop + + # packets that are received on a firewalled interface + # are sent to the firewall chain for evaluation + iifname "wan0" jump myfirewall + } + chain myfirewall { # handle firewall + # accept incoming HTTP(s) connections + tcp dport {http, https} accept + + # accept incoming SSH connections + tcp dport 22 accept + + # reject everything else + reject with icmpx type port-unreachable + } + + chain myforward { + # forward everything by default + type filter hook forward priority 0; policy accept; + + # forward incoming on wan0 for established/related connections + iifname wan0 ct state {established, related} accept + + # drop everything else + iifname wan0 drop + + } + chain myoutput { + # let everything out by default + type filter hook output priority 0; policy accept; + + # block outgoing mDNS broadcasts + udp dport 5353 drop + } +} + +table ip mynatv4 { + chain myprerouting { + type nat hook prerouting priority -100; + + # if I wanted to do port forwarding I could do it like this: + # forward http to 192.168.82.10 + #tcp dport http dnat to 192.168.82.10 + } + chain mypostrouting { + type nat hook postrouting priority 100; + + # masquerade outbound packets going to WAN + oifname 
"wan0" masquerade + } +} +``` + +load this configuration with `nft -f /etc/nftables.conf` + +nftables is also configred to load that table on boot by default diff --git a/howtos/samba/Build.md b/howtos/samba/Build.md index 4a93239..9d286bb 100644 --- a/howtos/samba/Build.md +++ b/howtos/samba/Build.md @@ -19,8 +19,6 @@ exit ### mount stuff ``` -mkdir /srv/media -exit lxc config device add samba media disk source=/tank/media path=/srv/media lxc config device add samba home disk source=/tank/files path=/home lxc config set samba raw.idmap 'both 60000 60000' @@ -89,7 +87,7 @@ disable spoolss = yes #======================= Share Definitions ======================= [media] comment = Shared media files -path = /srv/files/media +path = /srv/media browsable = yes guest ok = yes read only = yes @@ -114,8 +112,8 @@ service smbd restart first, we will write a script to automate adding users. Create a file `/usr/local/bin/smbadduser` with the contents: ``` #!/bin/sh - adduser "$1" --disabled-password --gecos "" --no-create-home --shell /usr/sbin/nologin +usermod -a -G sambashare $1 smbpasswd -a "$1" ``` don't forget to make it executable: diff --git a/notes/centauro/emacs.md b/notes/centauro/emacs.md new file mode 100644 index 0000000..a92ffbe --- /dev/null +++ b/notes/centauro/emacs.md @@ -0,0 +1,6 @@ +extra modes: +- markdown +- yaml + +theme: +- colorblind theme \ No newline at end of file diff --git a/notes/centauro/gnome.md b/notes/centauro/gnome.md new file mode 100644 index 0000000..a64ef45 --- /dev/null +++ b/notes/centauro/gnome.md 
@@ -0,0 +1,17 @@ +Extensions: +- [AlternateTab](https://extensions.gnome.org/extension/15/alternatetab/) +- [Screenshot Tool](https://extensions.gnome.org/extension/1112/screenshot-tool/) +- [Caffeine](https://extensions.gnome.org/extension/517/caffeine/) +- [Window List](https://extensions.gnome.org/extension/602/window-list/) +- [Places Status Indicator](https://extensions.gnome.org/extension/8/places-status-indicator/) +- [Put Windows](https://extensions.gnome.org/extension/39/put-windows/) +- [OpenWeather](https://extensions.gnome.org/extension/750/openweather//) +- [Launch new instance](https://extensions.gnome.org/extension/600/launch-new-instance/) +- [KStatusNotifierItem/AppIndicator Support](https://extensions.gnome.org/extension/615/appindicator-support/) +- [Status Area Horizontal Spacing](https://extensions.gnome.org/extension/355/status-area-horizontal-spacing/) +- [Desktop Icons NG (DING)](https://extensions.gnome.org/extension/2087/desktop-icons-ng-ding/) + +Theme: Adapta-Eta +Icons: Papirus +Cursor: [Breeze-Adapta](https://github.com/mustafaozhan/Breeze-Adapta-Cursor) + Set Cursor to 22 pixels diff --git a/notes/dns/alemor.md b/notes/dns/alemor.md new file mode 100644 index 0000000..3e6b484 --- /dev/null +++ b/notes/dns/alemor.md @@ -0,0 +1,9 @@ +# alemor DNS provider + +dns service is by [dny.com](account.dyn.com) + +record types: +- MX is mail record +- CNAME is an alias +- A is an IP +- A (WebHop) is url redirect diff --git a/notes/medusa/file_server.txt b/notes/medusa/file_server.txt new file mode 100644 index 0000000..ff1b644 --- /dev/null +++ b/notes/medusa/file_server.txt 
@@ -0,0 +1,35 @@ +functionality needed: +- contacts & calendar + - Radicale + - sabre/dav +- notes + - need webdav server for syncing + - alternatively, write to file and sync with syncthing +- file syncing + - syncthing + - for saved games, use symlinks? +- network drive mount + - webdav + - apache + - people say webdav is bad + - nfs + - windows 10 enterprise can mount nfs + - v4 can use user-based auth + - if nfs, then need solution for outside of lan + - bring back vpn? + - samba? +- web file manager + - droppy + - filebrowser +- vpn? + - server to route vpn requests through +- password manager + - passbolt + - keepass + syncthing + - bitwarden + +final list: +- sabre/radicale +- syncthing +- nfs/samba +- droppy diff --git a/notes/medusa/setup.md b/notes/medusa/setup.md new file mode 100644 index 0000000..82e690d --- /dev/null +++ b/notes/medusa/setup.md @@ -0,0 +1,31 @@ +# steps to set up file server + +## users + +- mar, fernando, juana, daniel + +- hogar with UID 2000 for files + +- media user with UID 3000 for watching media + +- lxdfiles user with UID 60000 + +## zfs + +- mounted zfs vol at `/tank` +- set up daily snapshots +- set up bind mounts in /srv/files and /srv/media + +## LXD + +- installed LXD and set up containers +- put stuff in `/srv/lxd` + - `image` links to `/tank/lxd/image` + - `mount` links to `/tank/lxd/mount` + +## tweaks + +- tweaked nanorc +- tweaked haproxy conf +- tweaked root bashrc +- uninstalled unattended-upgrades