working on making medusa a router

5 years ago · 19fd6f6527
16 changed files with 476 additions and 5 deletions
--- a/howtos/archer_c7_v2/setup.md
+++ b/howtos/archer_c7_v2/setup.md
@ -0,0 +1,29 @@
+## setup TP-Link Archer C7 v2 (stock firmware)
+
+## config wifi name & password
+
+in "Wireless 2.4GHz" and "Wireless 5GHz" sections
+
+## config admin username & password
+
+in System Tools > Password
+
+## config to act as AP only
+
+### ports
+
+don't plug into WAN port; use LAN ports only
+
+### IP
+
+need to give AP a static IP
+- in Network > LAN
+
+### DHCP
+
+turn off dhcp
+- in DHCP > DHCP Server
+
+### more info
+
+see [this link](https://www.tp-link.com/en/support/faq/417/)
--- a/howtos/gitea/Build.md
+++ b/howtos/gitea/Build.md
@ -91,6 +91,8 @@ JWT_SECRET = ${jwt_secret_1:?}
 INTERNAL_TOKEN = ${internal_token:?}
 INSTALL_LOCK   = true
 SECRET_KEY     = ${secret_key:?}
+; disable password complexity checks
+PASSWORD_COMPLEXITY = off

 [database]
 DB_TYPE  = postgres
--- a/howtos/haproxy/certbot.md
+++ b/howtos/haproxy/certbot.md
@ -0,0 +1,87 @@
+# use Certbot to automatically generate and renew Let's Encrypt certificates for HAproxy
+
+## Install
+
+install haproxy & certbot:
+```
+apt install haproxy certbot
+```
+
+## configure haproxy
+
+we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. Add to your web frontend the directive:
+```
+frontend www
+        bind *:80
+
+	    ...
+		
+        # Reroute certbot requests to certbot
+        use_backend certbot if { path_beg /.well-known/acme-challenge/ }
+```
+and also add a backend:
+```
+backend certbot
+        mode http
+        server certbot-1 localhost:${port:?}
+```
+
+and then add an update script to `/usr/local/admin/bin/certbot-haproxy`:
+```
+#!/bin/bash
+
+create() {
+        certbot certonly --standalone -d $1 --non-interactive --agree-tos --email $email --http-01-port=$port
+}
+
+renew() {
+        certbot renew --tls-sni-01-port=$port
+}
+
+concat() {
+        # Only do the concat if the live cert file is newer than the combined file
+        if [[ /etc/letsencrypt/live/$1/fullchain.pem -nt /etc/haproxy/certs/$1.pem ]]; then
+                mkdir -p /etc/haproxy/certs
+                cat /etc/letsencrypt/live/$1/fullchain.pem /etc/letsencrypt/live/$1/privkey.pem > /etc/haproxy/certs/$1.pem
+                #etckeeper commit "got new Let's Encrypt certificate for $1"
+        fi
+}
+
+# Main Execution
+if [[ (-z $1) || ("$1" != "create" && "$1" != "renew") ]]; then
+        echo "Improper argument: expecting \"create\" or \"renew\""
+        exit 1
+fi
+
+. /etc/haproxy/certbot.cfg.sh
+
+for site in ${sites[@]}; do
+        $1 $site
+        concat $site
+done
+```
+
+and don't forget to make it executable:
+```
+chmod +x /usr/local/admin/bin/certbot-haproxy
+```
+
+finally, we will make a config file for our certbot script in `/etc/haproxy/certbot.cfg.sh`:
+```
+#!/bin/bash
+
+# domains certbot should get certificates for
+sites=(
+        medusa.alemor.org
+)
+
+# port that the standalone certbot server should use
+port=8888
+
+# email that you will give to Let's Encrypt
+email=letsencrypt@mario.alemor.org
+```
+and make it executable as well:
+```
+chmod +x /etc/haproxy/certbot.cfg.sh
+```
--- a/howtos/linux/dhcp-client-setip.md
+++ b/howtos/linux/dhcp-client-setip.md
@ -0,0 +1,10 @@
+# tell dhcp client to request specific IP
+
+put the line:
+```
+send dhcp-requested-address ${ip:?};
+```
+in `/etc/dhcp/dhclient.conf`
+
+note that this seems to cause a failure if the requested address is not available. For more information see here:
+https://serverfault.com/questions/880900/can-i-request-a-specific-ip-address-via-dhcp-without-rejecting-an-offer-of-a-dif
--- a/howtos/linux/disable-sleep.md
+++ b/howtos/linux/disable-sleep.md
@ -0,0 +1,11 @@
+# disable ability of computer to sleep/hibernate
+
+run:
+```
+systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
+```
+
+to undo:
+```
+systemctl unmask sleep.target suspend.target hibernate.target hybrid-sleep.target
+```
--- a/howtos/linux/spoof-mac-address.md
+++ b/howtos/linux/spoof-mac-address.md
@ -9,7 +9,7 @@ nmcli connection show

 choose the connection you want to manage and enter the interactive editing prompt with:
 ```
-sudo nmcli connection edit ${connection:?}
+nmcli connection edit ${connection:?}
 ```

 ## nmcli interactive prompt
@ -29,3 +29,11 @@ Once you are finished, save the settings and exit:
 save
 quit
 ```
+
+## reconnect
+
+take the interface down and bring it back up to make the change take effect:
+```
+nmcli con down id ${connection:?}
+nmcli con up id ${connection:?}
+```
--- a/howtos/router/custom-interface-names.md
+++ b/howtos/router/custom-interface-names.md
@ -0,0 +1,17 @@
+# how to set custom interface names
+
+find out the MAC address of your interface:
+```
+ip addr show
+```
+
+then create a file in `/etc/systemd/network/10-${name:?}.link` with the contents:
+```
+[Match]
+MACAddress=${mac_address:?}
+
+[Link]
+Name=${name:?}
+```
+
+don't forget to run `update-initramfs -u` afterwards to make sure the configuration takes effect.
--- a/howtos/router/dnsmasq.md
+++ b/howtos/router/dnsmasq.md
@ -0,0 +1,75 @@
+# set up dnsmasq
+
+dnsmasq provides DHCP and DNS services for the network
+
+## install & config dnsmasq
+
+install with:
+```
+apt install dnsmasq
+```
+stop service so it doesn't do anything until it's configured:
+```
+service dnsmasq stop
+```
+
+### config
+
+config file is in `/etc/dnsmasq.conf`. The following settings need to be set:
+```
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+local=/mar.alemor.org/
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+interface=lan0
+
+# Set a  domain for a particular subnet
+domain=mar.alemor.org,192.168.82.0/24
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+dhcp-range=192.168.82.50,192.168.82.150,12h
+
+# Set the limit on DHCP leases, the default is 150
+dhcp-lease-max=150
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+dhcp-authoritative
+
+# If you want to disable negative caching, uncomment this.
+no-negcache
+```
+after you've set the config you want, reload with `service dnsmasq restart`
+
+
+hosts in `/etc/hosts` and MAC addresses in `/etc/ethers`
+
+## make interface static
+
+the LAN interface won't be getting DHCP since it *is* the DHCP, so it has to be defined as static. In `/etc/network/interfaces`, add the block:
+```
+auto lan0
+iface lan0 inet static
+  address 192.168.82.1
+  netmask 255.255.255.0
+```
+
+then take the interface down and bring it back up with:
+```
+ifdown lan0
+ifup lan0
+```
--- a/howtos/router/ez-ipupdate.md
+++ b/howtos/router/ez-ipupdate.md
@ -0,0 +1,47 @@
+# use ex-ipudate to dynamically update your DNS record
+
+## install
+
+```
+apt install ez-ipupdate
+```
+when the package asks you how to configure it, select "manual" to configure it manually.
+
+## configure
+
+head to `/etc/ez-ipupdate`:
+```
+cd /etc/ez-ipupdate
+```
+here we will create a file for DynDNS provider, named `dyndns.conf`, with the contents:
+```
+#!/usr/sbin/ez-ipupdate -c
+#
+# example config file for ez-ipupdate
+#
+# this file is actually executable!
+
+service-type=dyndns
+user=${username:?}:${password:?}
+host=${hostname:?}.alemor.org
+interface=wan0
+max-interval=2073600
+
+# if you don't use a cache file your dyndns account will probably get banned.
+run-as-user=ez-ipupd
+cache-file=/var/cache/ez-ipupdate/default-cache
+
+# uncomment this once you have everything working how you want and you are
+# ready to have ez-ipupdate running in the background all the time. to stop it
+# you can use "killall -QUIT ez-ipupdate" under linux.
+#daemon
+```
+don't forget to make it executable:
+```
+chmod +x dyndns.conf
+```
+run it to see if it works:
+```
+./dyndns.conf
+```
+once everything is working, uncomment the `daemon` line.
--- a/howtos/router/nftables.md
+++ b/howtos/router/nftables.md
@ -0,0 +1,89 @@
+# set up firewall and NAT with nftables
+
+nftables is the successor to iptables
+
+## enable forwarding
+
+Need to enable forwarding in system settings. In `/etc/sysctl.conf` add the line:
+```
+net.ipv4.ip_forward = 1
+```
+
+## make nftables rules
+
+in `/etc/nftables.conf`:
+```
+#!/usr/sbin/nft -f
+
+# flush all rules
+flush ruleset
+
+table inet myfilter {
+        chain myinput {
+                # use the "input" hook for this chain
+                # accepts packets by default, because we don't want
+                # to have to keep track of all interfaces we don't want
+                # firewalled (lan0, wlan0, lxdbr0, veths, etc)
+                type filter hook input priority 0; policy accept;
+
+                # allow established/related connections
+                ct state {established, related} accept
+
+                # drop invalid connections
+                ct state invalid drop
+
+                # packets that are received on a firewalled interface
+                # are sent to the firewall chain for evaluation
+                iifname "wan0" jump myfirewall
+        }
+        chain myfirewall { # handle firewall
+                # accept incoming HTTP(s) connections
+                tcp dport {http, https} accept
+
+                # accept incoming SSH connections
+                tcp dport 22 accept
+
+                # reject everything else
+                reject with icmpx type port-unreachable
+        }
+
+        chain myforward {
+                # forward everything by default
+                type filter hook forward priority 0; policy accept;
+				
+				# forward incoming on wan0 for established/related connections
+                iifname wan0 ct state {established, related} accept
+
+                # drop everything else
+                iifname wan0 drop
+
+        }
+        chain myoutput {
+                # let everything out by default
+                type filter hook output priority 0; policy accept;
+
+                # block outgoing mDNS broadcasts
+                udp dport 5353 drop
+	}
+}
+
+table ip mynatv4 {
+        chain myprerouting {
+                type nat hook prerouting priority -100;
+
+                # if I wanted to do port forwarding I could do it like this:
+                # forward http to 192.168.82.10
+                #tcp dport http dnat to 192.168.82.10
+        }
+        chain mypostrouting {
+                type nat hook postrouting priority 100;
+
+                # masquerade outbound packets going to WAN
+                oifname "wan0" masquerade
+        }
+}
+```
+
+load this configuration with `nft -f /etc/nftables.conf`
+
+nftables is also configred to load that table on boot by default
--- a/howtos/samba/Build.md
+++ b/howtos/samba/Build.md
@ -19,8 +19,6 @@ exit
 ### mount stuff

 ```
-mkdir /srv/media
-exit
 lxc config device add samba media disk source=/tank/media path=/srv/media
 lxc config device add samba home disk source=/tank/files path=/home
 lxc config set samba raw.idmap 'both 60000 60000'
@ -89,7 +87,7 @@ disable spoolss = yes
 #======================= Share Definitions =======================
 [media]
 comment = Shared media files
-path = /srv/files/media
+path = /srv/media
 browsable = yes
 guest ok = yes
 read only = yes
@ -114,8 +112,8 @@ service smbd restart
 first, we will write a script to automate adding users. Create a file `/usr/local/bin/smbadduser` with the contents:
 ```
 #!/bin/sh
-
 adduser "$1" --disabled-password --gecos "" --no-create-home --shell /usr/sbin/nologin
+usermod -a -G sambashare $1
 smbpasswd -a "$1"
 ```
 don't forget to make it executable:
--- a/notes/centauro/emacs.md
+++ b/notes/centauro/emacs.md
@ -0,0 +1,6 @@
+extra modes:
+- markdown
+- yaml
+
+theme:
+- colorblind theme
--- a/notes/centauro/gnome.md
+++ b/notes/centauro/gnome.md
@ -0,0 +1,17 @@
+Extensions:
+- [AlternateTab](https://extensions.gnome.org/extension/15/alternatetab/)
+- [Screenshot Tool](https://extensions.gnome.org/extension/1112/screenshot-tool/)
+- [Caffeine](https://extensions.gnome.org/extension/517/caffeine/)
+- [Window List](https://extensions.gnome.org/extension/602/window-list/)
+- [Places Status Indicator](https://extensions.gnome.org/extension/8/places-status-indicator/)
+- [Put Windows](https://extensions.gnome.org/extension/39/put-windows/)
+- [OpenWeather](https://extensions.gnome.org/extension/750/openweather//)
+- [Launch new instance](https://extensions.gnome.org/extension/600/launch-new-instance/)
+- [KStatusNotifierItem/AppIndicator Support](https://extensions.gnome.org/extension/615/appindicator-support/)
+- [Status Area Horizontal Spacing](https://extensions.gnome.org/extension/355/status-area-horizontal-spacing/)
+- [Desktop Icons NG (DING)](https://extensions.gnome.org/extension/2087/desktop-icons-ng-ding/)
+
+Theme: Adapta-Eta
+Icons: Papirus
+Cursor: [Breeze-Adapta](https://github.com/mustafaozhan/Breeze-Adapta-Cursor)
+	Set Cursor to 22 pixels
--- a/notes/dns/alemor.md
+++ b/notes/dns/alemor.md
@ -0,0 +1,9 @@
+# alemor DNS provider
+
+dns service is by [dny.com](account.dyn.com)
+
+record types:
+- MX is mail record
+- CNAME is an alias
+- A is an IP
+- A (WebHop) is url redirect
--- a/notes/medusa/file_server.txt
+++ b/notes/medusa/file_server.txt
@ -0,0 +1,35 @@
+functionality needed:
+- contacts & calendar
+  - Radicale
+  - sabre/dav
+- notes
+  - need webdav server for syncing
+  - alternatively, write to file and sync with syncthing
+- file syncing
+  - syncthing
+  - for saved games, use symlinks?
+- network drive mount
+  - webdav
+    - apache
+    - people say webdav is bad
+  - nfs
+    - windows 10 enterprise can mount nfs
+    - v4 can use user-based auth
+    - if nfs, then need solution for outside of lan
+      - bring back vpn?
+  - samba?
+- web file manager
+  - droppy
+  - filebrowser
+- vpn?
+  - server to route vpn requests through
+- password manager
+  - passbolt
+  - keepass + syncthing
+  - bitwarden
+
+final list:
+- sabre/radicale
+- syncthing
+- nfs/samba
+- droppy
--- a/notes/medusa/setup.md
+++ b/notes/medusa/setup.md
@ -0,0 +1,31 @@
+# steps to set up file server
+
+## users
+
+- mar, fernando, juana, daniel
+
+- hogar with UID 2000 for files
+
+- media user with UID 3000 for watching media
+
+- lxdfiles user with UID 60000
+
+## zfs
+
+- mounted zfs vol at `/tank`
+- set up daily snapshots
+- set up bind mounts in /srv/files and /srv/media
+
+## LXD
+
+- installed LXD and set up containers
+- put stuff in `/srv/lxd`
+  - `image` links to `/tank/lxd/image`
+  - `mount` links to `/tank/lxd/mount`
+  
+## tweaks
+
+- tweaked nanorc
+- tweaked haproxy conf
+- tweaked root bashrc
+- uninstalled unattended-upgrades