working on making medusa a router

master
Mario Alegre 5 years ago
parent
commit
19fd6f6527
  1. 29
      howtos/archer_c7_v2/setup.md
  2. 2
      howtos/gitea/Build.md
  3. 87
      howtos/haproxy/certbot.md
  4. 10
      howtos/linux/dhcp-client-setip.md
  5. 11
      howtos/linux/disable-sleep.md
  6. 10
      howtos/linux/spoof-mac-address.md
  7. 17
      howtos/router/custom-interface-names.md
  8. 75
      howtos/router/dnsmasq.md
  9. 47
      howtos/router/ez-ipupdate.md
  10. 89
      howtos/router/nftables.md
  11. 6
      howtos/samba/Build.md
  12. 6
      notes/centauro/emacs.md
  13. 17
      notes/centauro/gnome.md
  14. 9
      notes/dns/alemor.md
  15. 35
      notes/medusa/file_server.txt
  16. 31
      notes/medusa/setup.md

29
howtos/archer_c7_v2/setup.md

@ -0,0 +1,29 @@
## setup TP-Link Archer C7 v2 (stock firmware)
## config wifi name & password
in "Wireless 2.4GHz" and "Wireless 5GHz" sections
## config admin username & password
in System Tools > Password
## config to act as AP only
### ports
don't plug into WAN port; use LAN ports only
### IP
need to give AP a static IP
- in Network > LAN
### DHCP
turn off dhcp
- in DHCP > DHCP Server
### more info
see [this link](https://www.tp-link.com/en/support/faq/417/)
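Review bot: the `## config wifi name & password` step does not say which security mode to choose; state it explicitly (WPA2-PSK/AES) so the reader does not leave the stock default, since the name and password alone do not fix the cipher. Also, the static address given under `### IP` must sit outside the range dnsmasq hands out (`dhcp-range=192.168.82.50,192.168.82.150` in howtos/router/dnsmasq.md in this same commit), otherwise the DHCP server can lease the AP's address to a client; the how-to should say that.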

2
howtos/gitea/Build.md

@ -91,6 +91,8 @@ JWT_SECRET = ${jwt_secret_1:?}
INTERNAL_TOKEN = ${internal_token:?} INTERNAL_TOKEN = ${internal_token:?}
INSTALL_LOCK = true INSTALL_LOCK = true
SECRET_KEY = ${secret_key:?} SECRET_KEY = ${secret_key:?}
; disable password complexity checks
PASSWORD_COMPLEXITY = off
[database] [database]
DB_TYPE = postgres DB_TYPE = postgres
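Review bot: `PASSWORD_COMPLEXITY = off` turns off Gitea's complexity checks for every account, including the admin, and the comment only says what it does, not why; record the reason (e.g. private instance behind the VPN) and keep a floor with `MIN_PASSWORD_LENGTH` in the same `[security]` section so the setting weakens passwords by one dimension only.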

87
howtos/haproxy/certbot.md

@ -0,0 +1,87 @@
# use Certbot to automatically generate and renew Let's Encrypt certificates for HAproxy
## Install
install haproxy & certbot:
```
apt install haproxy certbot
```
## configure haproxy
we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. Add to your web frontend the directive:
```
frontend www
bind *:80
...
# Reroute certbot requests to certbot
use_backend certbot if { path_beg /.well-known/acme-challenge/ }
```
and also add a backend:
```
backend certbot
mode http
server certbot-1 localhost:${port:?}
```
and then add an update script to `/usr/local/admin/bin/certbot-haproxy`:
```
#!/bin/bash
create() {
certbot certonly --standalone -d $1 --non-interactive --agree-tos --email $email --http-01-port=$port
}
renew() {
certbot renew --tls-sni-01-port=$port
}
concat() {
# Only do the concat if the live cert file is newer than the combined file
if [[ /etc/letsencrypt/live/$1/fullchain.pem -nt /etc/haproxy/certs/$1.pem ]]; then
mkdir -p /etc/haproxy/certs
cat /etc/letsencrypt/live/$1/fullchain.pem /etc/letsencrypt/live/$1/privkey.pem > /etc/haproxy/certs/$1.pem
#etckeeper commit "got new Let's Encrypt certificate for $1"
fi
}
# Main Execution
if [[ (-z $1) || ("$1" != "create" && "$1" != "renew") ]]; then
echo "Improper argument: expecting \"create\" or \"renew\""
exit 1
fi
. /etc/haproxy/certbot.cfg.sh
for site in ${sites[@]}; do
$1 $site
concat $site
done
```
and don't forget to make it executable:
```
chmod +x /usr/local/admin/bin/certbot-haproxy
```
finally, we will make a config file for our certbot script in `/etc/haproxy/certbot.cfg.sh`:
```
#!/bin/bash
# domains certbot should get certificates for
sites=(
medusa.alemor.org
)
# port that the standalone certbot server should use
port=8888
# email that you will give to Let's Encrypt
email=letsencrypt@mario.alemor.org
```
and make it executable as well:
```
chmod +x /etc/haproxy/certbot.cfg.sh
```
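Review bot: `renew()` uses `--tls-sni-01-port=$port` while `create()` uses `--http-01-port=$port`; Let's Encrypt has retired the tls-sni-01 challenge, and the haproxy rule `use_backend certbot if { path_beg /.well-known/acme-challenge/ }` only routes HTTP-01 traffic anyway, so renewals would never reach the standalone server. Change it to `certbot renew --http-01-port=$port` so both paths use the same challenge. Separately, `concat()` writes `privkey.pem` into `/etc/haproxy/certs/$1.pem` under the caller's default umask; put `umask 077` at the top of the script (or `chmod 600` the output) so the private key is not world-readable, and quote `"$1"` and `"$site"` since they are used unquoted throughout.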

10
howtos/linux/dhcp-client-setip.md

@ -0,0 +1,10 @@
# tell dhcp client to request specific IP
put the line:
```
send dhcp-requested-address ${ip:?};
```
in `/etc/dhcp/dhclient.conf`
note that this seems to cause a failure if the requested address is not available. For more information see here:
https://serverfault.com/questions/880900/can-i-request-a-specific-ip-address-via-dhcp-without-rejecting-an-offer-of-a-dif
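Review bot: on this network the DHCP server is dnsmasq (howtos/router/dnsmasq.md in the same commit), so a fixed address is more robustly done server-side as a static lease keyed on the client's MAC (the `/etc/ethers` and `/etc/hosts` mapping that file mentions); that avoids the client-side failure described in the last paragraph when the requested address is not available. Worth a one-line pointer here.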

11
howtos/linux/disable-sleep.md

@ -0,0 +1,11 @@
# disable ability of computer to sleep/hibernate
run:
```
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
```
to undo:
```
systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target
```

10
howtos/linux/spoof-mac-address.md

@ -9,7 +9,7 @@ nmcli connection show
choose the connection you want to manage and enter the interactive editing prompt with: choose the connection you want to manage and enter the interactive editing prompt with:
``` ```
sudo nmcli connection edit ${connection:?} nmcli connection edit ${connection:?}
``` ```
## nmcli interactive prompt ## nmcli interactive prompt
@ -29,3 +29,11 @@ Once you are finished, save the settings and exit:
save save
quit quit
``` ```
## reconnect
take the interface down and bring it back up to make the change take effect:
```
nmcli con down id ${connection:?}
nmcli con up id ${connection:?}
```

17
howtos/router/custom-interface-names.md

@ -0,0 +1,17 @@
# how to set custom interface names
find out the MAC address of your interface:
```
ip addr show
```
then create a file in `/etc/systemd/network/10-${name:?}.link` with the contents:
```
[Match]
MACAddress=${mac_address:?}
[Link]
Name=${name:?}
```
don't forget to run `update-initramfs -u` afterwards to make sure the configuration takes effect.
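Review bot: the rest of this commit keys its security configuration on these names (`iifname "wan0" jump myfirewall` in howtos/router/nftables.md, `interface=lan0` in howtos/router/dnsmasq.md), so a mistyped `MACAddress=` silently leaves the interface with its default name, the wan-facing jump never matches, and the input chain's `policy accept` is what applies. Add a verification step after reboot (`ip link` should list `wan0` and `lan0`) before the firewall and dnsmasq how-tos are followed.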

75
howtos/router/dnsmasq.md

@ -0,0 +1,75 @@
# set up dnsmasq
dnsmasq provides DHCP and DNS services for the network
## install & config dnsmasq
install with:
```
apt install dnsmasq
```
stop service so it doesn't do anything until it's configured:
```
service dnsmasq stop
```
### config
config file is in `/etc/dnsmasq.conf`. The following settings need to be set:
```
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/mar.alemor.org/
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=lan0
# Set a domain for a particular subnet
domain=mar.alemor.org,192.168.82.0/24
# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.82.50,192.168.82.150,12h
# Set the limit on DHCP leases, the default is 150
dhcp-lease-max=150
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
# whether it has a record of the lease or not. This avoids long timeouts
# when a machine wakes up on a new network. DO NOT enable this if there's
# the slightest chance that you might end up accidentally configuring a DHCP
# server for your campus/company accidentally. The ISC server uses
# the same option, and this URL provides more information:
# http://www.isc.org/files/auth.html
dhcp-authoritative
# If you want to disable negative caching, uncomment this.
no-negcache
```
after you've set the config you want, reload with `service dnsmasq restart`
hosts in `/etc/hosts` and MAC addresses in `/etc/ethers`
## make interface static
the LAN interface won't be getting DHCP since it *is* the DHCP, so it has to be defined as static. In `/etc/network/interfaces`, add the block:
```
auto lan0
iface lan0 inet static
address 192.168.82.1
netmask 255.255.255.0
```
then take the interface down and bring it back up with:
```
ifdown lan0
ifup lan0
```
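Review bot: the line `hosts in /etc/hosts and MAC addresses in /etc/ethers` is a fragment and, as written, misleads: dnsmasq does not read `/etc/ethers` unless `read-ethers` is set, and the config block above does not set it. Suggest: "static leases: add `read-ethers` to dnsmasq.conf, map MAC to hostname in `/etc/ethers`, and hostname to IP in `/etc/hosts`". Also, `interface=lan0` without `bind-interfaces` still binds the wildcard address and discards packets from other interfaces, so the nftables rules in this commit are what keep port 53 closed on wan0; a sentence noting that dependency would help a reader who sets up dnsmasq first.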

47
howtos/router/ez-ipupdate.md

@ -0,0 +1,47 @@
# use ex-ipudate to dynamically update your DNS record
## install
```
apt install ez-ipupdate
```
when the package asks you how to configure it, select "manual" to configure it manually.
## configure
head to `/etc/ez-ipupdate`:
```
cd /etc/ez-ipupdate
```
here we will create a file for DynDNS provider, named `dyndns.conf`, with the contents:
```
#!/usr/sbin/ez-ipupdate -c
#
# example config file for ez-ipupdate
#
# this file is actually executable!
service-type=dyndns
user=${username:?}:${password:?}
host=${hostname:?}.alemor.org
interface=wan0
max-interval=2073600
# if you don't use a cache file your dyndns account will probably get banned.
run-as-user=ez-ipupd
cache-file=/var/cache/ez-ipupdate/default-cache
# uncomment this once you have everything working how you want and you are
# ready to have ez-ipupdate running in the background all the time. to stop it
# you can use "killall -QUIT ez-ipupdate" under linux.
#daemon
```
don't forget to make it executable:
```
chmod +x dyndns.conf
```
run it to see if it works:
```
./dyndns.conf
```
once everything is working, uncomment the `daemon` line.
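Review bot: `dyndns.conf` carries the DynDNS password in clear text (`user=${username:?}:${password:?}`) and the only permission step is `chmod +x`, which at the usual umask leaves the file world-readable; since it is started as root and drops to `ez-ipupd` (`run-as-user=ez-ipupd`), use `chmod 700 dyndns.conf` instead of `chmod +x`. Also the title reads `ex-ipudate`; it should be `ez-ipupdate`.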

89
howtos/router/nftables.md

@ -0,0 +1,89 @@
# set up firewall and NAT with nftables
nftables is the successor to iptables
## enable forwarding
Need to enable forwarding in system settings. In `/etc/sysctl.conf` add the line:
```
net.ipv4.ip_forward = 1
```
## make nftables rules
in `/etc/nftables.conf`:
```
#!/usr/sbin/nft -f
# flush all rules
flush ruleset
table inet myfilter {
chain myinput {
# use the "input" hook for this chain
# accepts packets by default, because we don't want
# to have to keep track of all interfaces we don't want
# firewalled (lan0, wlan0, lxdbr0, veths, etc)
type filter hook input priority 0; policy accept;
# allow established/related connections
ct state {established, related} accept
# drop invalid connections
ct state invalid drop
# packets that are received on a firewalled interface
# are sent to the firewall chain for evaluation
iifname "wan0" jump myfirewall
}
chain myfirewall { # handle firewall
# accept incoming HTTP(s) connections
tcp dport {http, https} accept
# accept incoming SSH connections
tcp dport 22 accept
# reject everything else
reject with icmpx type port-unreachable
}
chain myforward {
# forward everything by default
type filter hook forward priority 0; policy accept;
# forward incoming on wan0 for established/related connections
iifname wan0 ct state {established, related} accept
# drop everything else
iifname wan0 drop
}
chain myoutput {
# let everything out by default
type filter hook output priority 0; policy accept;
# block outgoing mDNS broadcasts
udp dport 5353 drop
}
}
table ip mynatv4 {
chain myprerouting {
type nat hook prerouting priority -100;
# if I wanted to do port forwarding I could do it like this:
# forward http to 192.168.82.10
#tcp dport http dnat to 192.168.82.10
}
chain mypostrouting {
type nat hook postrouting priority 100;
# masquerade outbound packets going to WAN
oifname "wan0" masquerade
}
}
```
load this configuration with `nft -f /etc/nftables.conf`
nftables is also configred to load that table on boot by default
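Review bot: `myfirewall` ends with `reject with icmpx type port-unreachable` and has no ICMP or ICMPv6 accept before it; because the table is family `inet`, on wan0 this rejects neighbour discovery, router advertisements and packet-too-big messages, which breaks IPv6 on the WAN side and path-MTU discovery for both families. Add, ahead of the reject, `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } accept` and `icmp type { echo-request, destination-unreachable, time-exceeded } accept`. Two smaller points: the `net.ipv4.ip_forward = 1` edit needs `sysctl -p` (or a reboot) to take effect, and the last line (`configred`) should say that loading on boot depends on `nftables.service` being enabled (`systemctl enable nftables`), otherwise the box comes up with an empty ruleset and the `tcp dport 22 accept` rule is the least of its exposure.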

6
howtos/samba/Build.md

@ -19,8 +19,6 @@ exit
### mount stuff ### mount stuff
``` ```
mkdir /srv/media
exit
lxc config device add samba media disk source=/tank/media path=/srv/media lxc config device add samba media disk source=/tank/media path=/srv/media
lxc config device add samba home disk source=/tank/files path=/home lxc config device add samba home disk source=/tank/files path=/home
lxc config set samba raw.idmap 'both 60000 60000' lxc config set samba raw.idmap 'both 60000 60000'
@ -89,7 +87,7 @@ disable spoolss = yes
#======================= Share Definitions ======================= #======================= Share Definitions =======================
[media] [media]
comment = Shared media files comment = Shared media files
path = /srv/files/media path = /srv/media
browsable = yes browsable = yes
guest ok = yes guest ok = yes
read only = yes read only = yes
@ -114,8 +112,8 @@ service smbd restart
first, we will write a script to automate adding users. Create a file `/usr/local/bin/smbadduser` with the contents: first, we will write a script to automate adding users. Create a file `/usr/local/bin/smbadduser` with the contents:
``` ```
#!/bin/sh #!/bin/sh
adduser "$1" --disabled-password --gecos "" --no-create-home --shell /usr/sbin/nologin adduser "$1" --disabled-password --gecos "" --no-create-home --shell /usr/sbin/nologin
usermod -a -G sambashare $1
smbpasswd -a "$1" smbpasswd -a "$1"
``` ```
don't forget to make it executable: don't forget to make it executable:
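Review bot: dropping `usermod -a -G sambashare $1` from `smbadduser` is not explained anywhere in the hunk; say in the how-to why the group is no longer needed (the `[media]` share is `guest ok = yes` and access is governed by the bind-mounted ownership, if that is the reason) so a reader knows whether users created before this change still need the group.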

6
notes/centauro/emacs.md

@ -0,0 +1,6 @@
extra modes:
- markdown
- yaml
theme:
- colorblind theme

17
notes/centauro/gnome.md

@ -0,0 +1,17 @@
Extensions:
- [AlternateTab](https://extensions.gnome.org/extension/15/alternatetab/)
- [Screenshot Tool](https://extensions.gnome.org/extension/1112/screenshot-tool/)
- [Caffeine](https://extensions.gnome.org/extension/517/caffeine/)
- [Window List](https://extensions.gnome.org/extension/602/window-list/)
- [Places Status Indicator](https://extensions.gnome.org/extension/8/places-status-indicator/)
- [Put Windows](https://extensions.gnome.org/extension/39/put-windows/)
- [OpenWeather](https://extensions.gnome.org/extension/750/openweather//)
- [Launch new instance](https://extensions.gnome.org/extension/600/launch-new-instance/)
- [KStatusNotifierItem/AppIndicator Support](https://extensions.gnome.org/extension/615/appindicator-support/)
- [Status Area Horizontal Spacing](https://extensions.gnome.org/extension/355/status-area-horizontal-spacing/)
- [Desktop Icons NG (DING)](https://extensions.gnome.org/extension/2087/desktop-icons-ng-ding/)
Theme: Adapta-Eta
Icons: Papirus
Cursor: [Breeze-Adapta](https://github.com/mustafaozhan/Breeze-Adapta-Cursor)
Set Cursor to 22 pixels

9
notes/dns/alemor.md

@ -0,0 +1,9 @@
# alemor DNS provider
dns service is by [dny.com](account.dyn.com)
record types:
- MX is mail record
- CNAME is an alias
- A is an IP
- A (WebHop) is url redirect
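Review bot: `dny.com` is a typo for dyn.com, and the link target `account.dyn.com` has no scheme, so Markdown renders it as a relative link; write `[dyn.com](https://account.dyn.com)`.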

35
notes/medusa/file_server.txt

@ -0,0 +1,35 @@
functionality needed:
- contacts & calendar
- Radicale
- sabre/dav
- notes
- need webdav server for syncing
- alternatively, write to file and sync with syncthing
- file syncing
- syncthing
- for saved games, use symlinks?
- network drive mount
- webdav
- apache
- people say webdav is bad
- nfs
- windows 10 enterprise can mount nfs
- v4 can use user-based auth
- if nfs, then need solution for outside of lan
- bring back vpn?
- samba?
- web file manager
- droppy
- filebrowser
- vpn?
- server to route vpn requests through
- password manager
- passbolt
- keepass + syncthing
- bitwarden
final list:
- sabre/radicale
- syncthing
- nfs/samba
- droppy

31
notes/medusa/setup.md

@ -0,0 +1,31 @@
# steps to set up file server
## users
- mar, fernando, juana, daniel
- hogar with UID 2000 for files
- media user with UID 3000 for watching media
- lxdfiles user with UID 60000
## zfs
- mounted zfs vol at `/tank`
- set up daily snapshots
- set up bind mounts in /srv/files and /srv/media
## LXD
- installed LXD and set up containers
- put stuff in `/srv/lxd`
- `image` links to `/tank/lxd/image`
- `mount` links to `/tank/lxd/mount`
## tweaks
- tweaked nanorc
- tweaked haproxy conf
- tweaked root bashrc
- uninstalled unattended-upgrades
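Review bot: `uninstalled unattended-upgrades` on the machine this commit turns into the internet-facing router (wan0 in howtos/router/nftables.md, with `tcp dport 22 accept` exposed on it) removes automatic security patching; the note should record why and what replaces it (a scheduled `apt update && apt upgrade`, or re-enabling unattended-upgrades for the security origin only).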