diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1d74e21
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.vscode/
diff --git a/btrfs_map_physical b/btrfs_map_physical
new file mode 100755
index 0000000..504ae0f
Binary files /dev/null and b/btrfs_map_physical differ
diff --git a/btrfs_map_physical.c b/btrfs_map_physical.c
new file mode 100644
index 0000000..a324486
--- /dev/null
+++ b/btrfs_map_physical.c
@@ -0,0 +1,549 @@ +// SPDX-FileCopyrightText: Omar Sandoval +// SPDX-License-Identifier: MIT + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define le16_to_cpu __le16_to_cpu +#define le32_to_cpu __le32_to_cpu +#define le64_to_cpu __le64_to_cpu + +static const char *progname = "btrfs_map_physical"; + +static void usage(bool error) +{ + fprintf(error ? stderr : stdout, + "usage: %s [OPTION]... PATH\n" + "\n" + "Map the logical and physical extents of a file on Btrfs\n\n" + "Pipe this to `column -ts $'\\t'` for prettier output.\n" + "\n" + "Btrfs represents a range of data in a file with a \"file extent\". Each\n" + "file extent refers to a subset of an \"extent\". Each extent has a\n" + "location in the logical address space of the filesystem belonging to a\n" + "\"chunk\". Each chunk maps has a profile (i.e., RAID level) and maps to\n" + "one or more physical locations, or \"stripes\", on disk. 
The extent may be\n" + "\"encoded\" on disk (currently this means compressed, but in the future it\n" + "may also be encrypted).\n" + "\n" + "An explanation of each printed field and its corresponding on-disk data\n" + "structure is provided below:\n" + "\n" + "FILE OFFSET Offset in the file where the file extent starts\n" + " [(struct btrfs_key).offset]\n" + "FILE SIZE Size of the file extent\n" + " [(struct btrfs_file_extent_item).num_bytes for most\n" + " extents, (struct btrfs_file_extent_item).ram_bytes\n" + " for inline extents]\n" + "EXTENT OFFSET Offset from the beginning of the unencoded extent\n" + " where the file extent starts\n" + " [(struct btrfs_file_extent_item).offset]\n" + "EXTENT TYPE Type of the extent (inline, preallocated, etc.)\n" + " [(struct btrfs_file_extent_item).type];\n" + " how it is encoded\n" + " [(struct btrfs_file_extent_item){compression,\n" + " encryption,other_encoding}];\n" + " and its data profile\n" + " [(struct btrfs_chunk).type]\n" + "LOGICAL SIZE Size of the unencoded extent\n" + " [(struct btrfs_file_extent_item).ram_bytes]\n" + "LOGICAL OFFSET Location of the extent in the filesystem's logical\n" + " address space\n" + " [(struct btrfs_file_extent_offset).disk_bytenr]\n" + "PHYSICAL SIZE Size of the encoded extent on disk\n" + " [(struct btrfs_file_extent_offset).disk_num_bytes]\n" + "DEVID ID of the device containing the extent\n" + " [(struct btrfs_stripe).devid]\n" + "PHYSICAL OFFSET Location of the extent on the device\n" + " [calculated from (struct btrfs_stripe).offset]\n" + "\n" + "FILE SIZE is rounded up to the sector size of the filesystem.\n" + "\n" + "Inline extents are stored with the metadata of the filesystem; this tool\n" + "does not have the ability to determine their location.\n" + "\n" + "Gaps in a file are represented with a hole file extent unless the\n" + "filesystem was formatted with the \"no-holes\" option.\n" + "\n" + "If the file extent was truncated, hole punched, cloned, or deduped,\n" + 
"EXTENT OFFSET may be non-zero and LOGICAL SIZE may be different from\n" + "FILE SIZE.\n" + "\n" + "Options:\n" + " -h, --help display this help message and exit\n", + progname); + exit(error ? EXIT_FAILURE : EXIT_SUCCESS); +} + +struct stripe { + uint64_t devid; + uint64_t offset; +}; + +struct chunk { + uint64_t offset; + uint64_t length; + uint64_t stripe_len; + uint64_t type; + struct stripe *stripes; + size_t num_stripes; + size_t sub_stripes; +}; + +struct chunk_tree { + struct chunk *chunks; + size_t num_chunks; +}; + +static int read_chunk_tree(int fd, struct chunk **chunks, size_t *num_chunks) +{ + struct btrfs_ioctl_search_args search = { + .key = { + .tree_id = BTRFS_CHUNK_TREE_OBJECTID, + .min_objectid = BTRFS_FIRST_CHUNK_TREE_OBJECTID, + .min_type = BTRFS_CHUNK_ITEM_KEY, + .min_offset = 0, + .max_objectid = BTRFS_FIRST_CHUNK_TREE_OBJECTID, + .max_type = BTRFS_CHUNK_ITEM_KEY, + .max_offset = UINT64_MAX, + .min_transid = 0, + .max_transid = UINT64_MAX, + .nr_items = 0, + }, + }; + size_t items_pos = 0, buf_off = 0; + size_t capacity = 0; + int ret; + + *chunks = NULL; + *num_chunks = 0; + for (;;) { + const struct btrfs_ioctl_search_header *header; + const struct btrfs_chunk *item; + struct chunk *chunk; + size_t i; + + if (items_pos >= search.key.nr_items) { + search.key.nr_items = 4096; + ret = ioctl(fd, BTRFS_IOC_TREE_SEARCH, &search); + if (ret == -1) { + perror("BTRFS_IOC_TREE_SEARCH"); + return -1; + } + items_pos = 0; + buf_off = 0; + + if (search.key.nr_items == 0) + break; + } + + header = (struct btrfs_ioctl_search_header *)(search.buf + buf_off); + if (header->type != BTRFS_CHUNK_ITEM_KEY) + goto next; + + item = (void *)(header + 1); + if (*num_chunks >= capacity) { + struct chunk *tmp; + + if (capacity == 0) + capacity = 1; + else + capacity *= 2; + tmp = realloc(*chunks, capacity * sizeof(**chunks)); + if (!tmp) { + perror("realloc"); + return -1; + } + *chunks = tmp; + } + + chunk = &(*chunks)[*num_chunks]; + chunk->offset = 
header->offset; + chunk->length = le64_to_cpu(item->length); + chunk->stripe_len = le64_to_cpu(item->stripe_len); + chunk->type = le64_to_cpu(item->type); + chunk->num_stripes = le16_to_cpu(item->num_stripes); + chunk->sub_stripes = le16_to_cpu(item->sub_stripes); + chunk->stripes = calloc(chunk->num_stripes, + sizeof(*chunk->stripes)); + if (!chunk->stripes) { + perror("calloc"); + return -1; + } + (*num_chunks)++; + + for (i = 0; i < chunk->num_stripes; i++) { + const struct btrfs_stripe *stripe; + + stripe = &item->stripe + i; + chunk->stripes[i].devid = le64_to_cpu(stripe->devid); + chunk->stripes[i].offset = le64_to_cpu(stripe->offset); + } + +next: + items_pos++; + buf_off += sizeof(*header) + header->len; + if (header->offset == UINT64_MAX) + break; + else + search.key.min_offset = header->offset + 1; + } + return 0; +} + +static struct chunk *find_chunk(struct chunk *chunks, size_t num_chunks, + uint64_t logical) +{ + size_t lo, hi; + + if (!num_chunks) + return NULL; + + lo = 0; + hi = num_chunks - 1; + while (lo <= hi) { + size_t mid = lo + (hi - lo) / 2; + + if (logical < chunks[mid].offset) + hi = mid - 1; + else if (logical >= chunks[mid].offset + chunks[mid].length) + lo = mid + 1; + else + return &chunks[mid]; + } + return NULL; +} + +static int print_extents(int fd, struct chunk *chunks, size_t num_chunks) +{ + struct btrfs_ioctl_search_args search = { + .key = { + .min_type = BTRFS_EXTENT_DATA_KEY, + .max_type = BTRFS_EXTENT_DATA_KEY, + .min_offset = 0, + .max_offset = UINT64_MAX, + .min_transid = 0, + .max_transid = UINT64_MAX, + .nr_items = 0, + }, + }; + struct btrfs_ioctl_ino_lookup_args args = { + .treeid = 0, + .objectid = BTRFS_FIRST_FREE_OBJECTID, + }; + size_t items_pos = 0, buf_off = 0; + struct stat st; + int ret; + + puts("FILE OFFSET\tFILE SIZE\tEXTENT OFFSET\tEXTENT TYPE\tLOGICAL SIZE\tLOGICAL OFFSET\tPHYSICAL SIZE\tDEVID\tPHYSICAL OFFSET"); + + ret = fstat(fd, &st); + if (ret == -1) { + perror("fstat"); + return -1; + } + + ret = 
ioctl(fd, BTRFS_IOC_INO_LOOKUP, &args); + if (ret == -1) { + perror("BTRFS_IOC_INO_LOOKUP"); + return -1; + } + + search.key.tree_id = args.treeid; + search.key.min_objectid = search.key.max_objectid = st.st_ino; + for (;;) { + const struct btrfs_ioctl_search_header *header; + const struct btrfs_file_extent_item *item; + uint8_t type; + /* Initialize to silence GCC. */ + uint64_t file_offset = 0; + uint64_t file_size = 0; + uint64_t extent_offset = 0; + uint64_t logical_size = 0; + uint64_t logical_offset = 0; + uint64_t physical_size = 0; + struct chunk *chunk = NULL; + + if (items_pos >= search.key.nr_items) { + search.key.nr_items = 4096; + ret = ioctl(fd, BTRFS_IOC_TREE_SEARCH, &search); + if (ret == -1) { + perror("BTRFS_IOC_TREE_SEARCH"); + return -1; + } + items_pos = 0; + buf_off = 0; + + if (search.key.nr_items == 0) + break; + } + + header = (struct btrfs_ioctl_search_header *)(search.buf + buf_off); + if (header->type != BTRFS_EXTENT_DATA_KEY) + goto next; + + item = (void *)(header + 1); + + type = item->type; + file_offset = header->offset; + if (type == BTRFS_FILE_EXTENT_INLINE) { + file_size = logical_size = le64_to_cpu(item->ram_bytes); + extent_offset = 0; + physical_size = (header->len - + offsetof(struct btrfs_file_extent_item, + disk_bytenr)); + } else if (type == BTRFS_FILE_EXTENT_REG || + type == BTRFS_FILE_EXTENT_PREALLOC) { + file_size = le64_to_cpu(item->num_bytes); + extent_offset = le64_to_cpu(item->offset); + logical_size = le64_to_cpu(item->ram_bytes); + logical_offset = le64_to_cpu(item->disk_bytenr); + physical_size = le64_to_cpu(item->disk_num_bytes); + if (logical_offset) { + chunk = find_chunk(chunks, num_chunks, + logical_offset); + if (!chunk) { + printf("\n"); + fprintf(stderr, + "could not find chunk containing %" PRIu64 "\n", + logical_offset); + return -1; + } + } + } + + printf("%" PRIu64 "\t", file_offset); + if (type == BTRFS_FILE_EXTENT_INLINE || + type == BTRFS_FILE_EXTENT_REG || + type == BTRFS_FILE_EXTENT_PREALLOC) { + 
printf("%" PRIu64 "\t%" PRIu64 "\t", file_size, + extent_offset); + } else { + printf("\t\t"); + } + + switch (type) { + case BTRFS_FILE_EXTENT_INLINE: + printf("inline"); + break; + case BTRFS_FILE_EXTENT_REG: + if (logical_offset) + printf("regular"); + else + printf("hole"); + break; + case BTRFS_FILE_EXTENT_PREALLOC: + printf("prealloc"); + break; + default: + printf("type%u", type); + break; + } + switch (item->compression) { + case 0: + break; + case 1: + printf(",compression=zlib"); + break; + case 2: + printf(",compression=lzo"); + break; + case 3: + printf(",compression=zstd"); + break; + default: + printf(",compression=%u", item->compression); + break; + } + if (item->encryption) + printf(",encryption=%u", item->encryption); + if (item->other_encoding) { + printf(",other_encoding=%u", + le16_to_cpu(item->other_encoding)); + } + if (chunk) { + switch (chunk->type & BTRFS_BLOCK_GROUP_PROFILE_MASK) { + case 0: + break; + case BTRFS_BLOCK_GROUP_RAID0: + printf(",raid0"); + break; + case BTRFS_BLOCK_GROUP_RAID1: + printf(",raid1"); + break; + case BTRFS_BLOCK_GROUP_DUP: + printf(",dup"); + break; + case BTRFS_BLOCK_GROUP_RAID10: + printf(",raid10"); + break; + case BTRFS_BLOCK_GROUP_RAID5: + printf(",raid5"); + break; + case BTRFS_BLOCK_GROUP_RAID6: + printf(",raid6"); + break; + default: + printf(",profile%" PRIu64, + (uint64_t)(chunk->type & + BTRFS_BLOCK_GROUP_PROFILE_MASK)); + break; + } + } + printf("\t"); + + if (type == BTRFS_FILE_EXTENT_INLINE || + type == BTRFS_FILE_EXTENT_REG || + type == BTRFS_FILE_EXTENT_PREALLOC) + printf("%" PRIu64 "\t", logical_size); + else + printf("\t"); + + if (type == BTRFS_FILE_EXTENT_REG || + type == BTRFS_FILE_EXTENT_PREALLOC) + printf("%" PRIu64 "\t", logical_offset); + else + printf("\t"); + + if (type == BTRFS_FILE_EXTENT_INLINE || + type == BTRFS_FILE_EXTENT_REG || + type == BTRFS_FILE_EXTENT_PREALLOC) + printf("%" PRIu64 "\t", physical_size); + else + printf("\t"); + + if (chunk) { + uint64_t offset, stripe_nr, 
stripe_offset; + size_t stripe_index, num_stripes; + size_t i; + + offset = logical_offset - chunk->offset; + stripe_nr = offset / chunk->stripe_len; + stripe_offset = offset - stripe_nr * chunk->stripe_len; + switch (chunk->type & BTRFS_BLOCK_GROUP_PROFILE_MASK) { + case 0: + case BTRFS_BLOCK_GROUP_RAID0: + stripe_index = stripe_nr % chunk->num_stripes; + stripe_nr /= chunk->num_stripes; + num_stripes = 1; + break; + case BTRFS_BLOCK_GROUP_RAID1: + case BTRFS_BLOCK_GROUP_DUP: + stripe_index = 0; + num_stripes = chunk->num_stripes; + break; + case BTRFS_BLOCK_GROUP_RAID10: { + size_t factor; + + factor = chunk->num_stripes / chunk->sub_stripes; + stripe_index = (stripe_nr % factor * + chunk->sub_stripes); + stripe_nr /= factor; + num_stripes = chunk->sub_stripes; + break; + } + case BTRFS_BLOCK_GROUP_RAID5: + case BTRFS_BLOCK_GROUP_RAID6: { + size_t nr_parity_stripes, nr_data_stripes; + + if (chunk->type & BTRFS_BLOCK_GROUP_RAID6) + nr_parity_stripes = 2; + else + nr_parity_stripes = 1; + nr_data_stripes = (chunk->num_stripes - + nr_parity_stripes); + stripe_index = stripe_nr % nr_data_stripes; + stripe_nr /= nr_data_stripes; + stripe_index = ((stripe_nr + stripe_index) % + chunk->num_stripes); + num_stripes = 1; + break; + } + default: + num_stripes = 0; + break; + } + + for (i = 0; i < num_stripes; i++) { + if (i != 0) + printf("\n\t\t\t\t\t\t\t"); + printf("%" PRIu64 "\t%" PRIu64, + chunk->stripes[stripe_index].devid, + chunk->stripes[stripe_index].offset + + stripe_nr * chunk->stripe_len + + stripe_offset); + stripe_index++; + } + } + printf("\n"); + +next: + items_pos++; + buf_off += sizeof(*header) + header->len; + if (header->offset == UINT64_MAX) + break; + else + search.key.min_offset = header->offset + 1; + } + return 0; +} + +int main(int argc, char **argv) +{ + struct option long_options[] = { + {"help", no_argument, NULL, 'h'}, + }; + int fd, ret; + struct chunk *chunks; + size_t num_chunks, i; + + if (argv[0]) + progname = argv[0]; + + for (;;) { + 
int c; + + c = getopt_long(argc, argv, "h", long_options, NULL); + if (c == -1) + break; + + switch (c) { + case 'h': + usage(false); + default: + usage(true); + } + } + if (optind != argc - 1) + usage(true); + + fd = open(argv[optind], O_RDONLY); + if (fd == -1) { + perror("open"); + return EXIT_FAILURE; + } + + ret = read_chunk_tree(fd, &chunks, &num_chunks); + if (ret == -1) + goto out; + + ret = print_extents(fd, chunks, num_chunks); +out: + for (i = 0; i < num_chunks; i++) + free(chunks[i].stripes); + free(chunks); + close(fd); + return ret ? EXIT_FAILURE : EXIT_SUCCESS; +} diff --git a/custom_kernel.sh b/custom_kernel.sh new file mode 100644 index 0000000..988a52c --- /dev/null +++ b/custom_kernel.sh 
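Review bot: find_chunk's binary search underflows when logical lies below the first chunk's offset: with lo == hi == mid == 0 the branch `hi = mid - 1;` wraps the size_t to SIZE_MAX, `lo <= hi` stays true and the next mid indexes chunks[] far out of bounds instead of returning NULL. A half-open search fixes it: `hi = num_chunks;`, `while (lo < hi) {` and `hi = mid;` in the less-than branch, after which the `if (!num_chunks)` guard is redundant. print_extents only reaches find_chunk for a non-zero disk_bytenr, so on a healthy filesystem this is latent, but the tool walks metadata of whatever filesystem PATH lives on and should fail cleanly rather than read out of bounds. Relatedly, stripe_len, num_stripes and sub_stripes copied in read_chunk_tree are later used as divisors in print_extents with no zero check; the kernel is expected to have validated the chunk items it returns, so this is hardening, but a `if (!chunk->stripe_len || !chunk->num_stripes) return -1;` in read_chunk_tree would make the assumption explicit. The compiled `btrfs_map_physical` binary is committed in the same change; a build artifact cannot be reviewed against its source and belongs in .gitignore instead.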
@@ -0,0 +1,65 @@ +### Set variables +export arch=x86_64 +export ver=6.0 +export minrel=15 +export pkgrel=300 +export subver=$minrel-$pkgrel +export fedver=fc37 +export name=$(hostname) + +### Custom Machine owner key for secure boot +# Allow kernel signing +sudo /usr/libexec/pesign/pesign-authorize +# Create key +openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" -outform DER -out "cert.der" -nodes -days 36500 -subj "/CN=$name" +# Import key to UEFI database. +sudo mokutil --import "cert.der" +# You have to reboot the system after importing the key with "mokutil" to import the key via UEFI system +# After rebooting create PKCS #12 key file and import it into the nss database +openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der +sudo csudo ertutil -A -i cert.der -n "$name" -d /etc/pki/pesign/ -t "Pu,Pu,Pu" +sudo pk12util -i key.p12 -d /etc/pki/pesign + +### Setup build system +rpmdev-setuptree +koji download-build --arch=src kernel-$ver.$subver.$fedver +rpm -Uvh kernel-$ver.$subver.$fedver.src.rpm +cd ~/rpmbuild/SPECS + +### Apply patches and customize kernel configuration +# Get patch to enable hibernate in lockdown mode (secure boot) +wget https://gist.githubusercontent.com/kelvie/917d456cb572325aae8e3bd94a9c1350/raw/74516829883c7ee7b2216938550d55ebcb7be609/0001-Add-a-lockdown_hibernate-parameter.patch -O ~/rpmbuild/SOURCES/0001-Add-a-lockdown_hibernate-parameter.patch +# Define patch in kernel.spec for building the rpms +# Patch2: 0001-Add-a-lockdown_hibernate-parameter.patch +sed -i '/^Patch999999/i Patch2: 0001-Add-a-lockdown_hibernate-parameter.patch' kernel.spec +# Add patch as ApplyOptionalPatch +sed -i '/^ApplyOptionalPatch linux-kernel-test.patch/i ApplyOptionalPatch 0001-Add-a-lockdown_hibernate-parameter.patch' kernel.spec +# Add custom kernel name +sed -i "s/# define buildid .local/%define buildid .$name/g" kernel.spec +# Add machine owner key +sed -i "s/.$name/.$name\n%define pe_signing_cert $name/g" kernel.spec +# Install necessary 
dependencies for compiling hte kernel +rpmbuild -bp kernel.spec + +### Optional steps +# Create own configuration file from fedora config file +# You find my "minimized" configuration for a 6.0.11 kernel here. +cp ~/rpmbuild/SOURCES/kernel-$arch-fedora.config ~/rpmbuild/BUILD/kernel-$ver.$minrel/linux-$ver.$subver.$name.$fedver.$arch/.config +cd ~/rpmbuild/BUILD/kernel-$ver.$minrel/linux-$ver.$subver.$name.$fedver.$arch/ +make menuconfig +# Copy custom menuconfig kernel configuration to kernel-local +cp ~/rpmbuild/BUILD/kernel-$ver.$minrel/linux-$ver.$subver.$name.$fedver.$arch/.config ~/rpmbuild/SOURCES/kernel-local +# ... or copy kernel config from running kernel to kernel-local +#cp /boot/config-$(uname -r) ~/rpmbuild/SOURCES/kernel-local +# Remove build infos from custom config +sed -i '0,/^#\ General\ setup$/d' ~/rpmbuild/SOURCES/kernel-local +sed -i '1i # x86_64' ~/rpmbuild/SOURCES/kernel-local +### End optional steps ### + +# Compile kernel +cd ~/rpmbuild/SPECS +time rpmbuild -bb --with baseonly --without debuginfo --target=$arch kernel.spec | tee ~/build-kernel.log + +# Install kernel +cd ~/rpmbuild/RPMS/$arch/ +sudo dnf install *.rpm diff --git a/fedora/ansible/certificates/README.md b/debian/ansible/openssh/README.md similarity index 100% rename from fedora/ansible/certificates/README.md rename to debian/ansible/openssh/README.md diff --git a/fedora/ansible/openssh/meta/main.yml b/debian/ansible/openssh/meta/main.yml similarity index 100% rename from fedora/ansible/openssh/meta/main.yml rename to debian/ansible/openssh/meta/main.yml diff --git a/fedora/ansible/openssh/tasks/main.yml b/debian/ansible/openssh/tasks/main.yml similarity index 100% rename from fedora/ansible/openssh/tasks/main.yml rename to debian/ansible/openssh/tasks/main.yml diff --git a/debian/ansible/wireguard/README.md b/debian/ansible/wireguard/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/debian/ansible/wireguard/README.md 
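Review bot: The certificate import line is broken: `sudo csudo ertutil -A -i cert.der -n "$name" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"` invokes a non-existent `csudo`, so the signing certificate never reaches the pesign NSS database and the `%define pe_signing_cert $name` added to kernel.spec later presumably cannot resolve it; it should read `sudo certutil -A -i cert.der -n "$name" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"`. The openssl step writes the Machine Owner Key to `key.pem` unencrypted (`-nodes`) in the working directory with default permissions; this key makes any kernel it signs bootable under Secure Boot on the machine, so it deserves a restrictive umask or `chmod 600 key.pem` before the pkcs12 export and a deliberate storage location rather than the current directory. The lockdown-hibernate patch is fetched with wget from a gist at a pinned revision and applied to the kernel build without any integrity check; recording a sha256 and checking it with `sha256sum -c` after the download keeps the build reproducible and catches a changed or tampered file. Since the script has no `set -e` and needs a reboot between the mokutil import and the certutil import, it is a runbook rather than an executable script; a comment at the top saying so would stop someone from running it end to end.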
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/debian/ansible/wireguard/meta/main.yml b/debian/ansible/wireguard/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/debian/ansible/wireguard/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/debian/ansible/wireguard/tasks/main.yml b/debian/ansible/wireguard/tasks/main.yml new file mode 100644 index 0000000..482362b --- /dev/null +++ b/debian/ansible/wireguard/tasks/main.yml 
@@ -0,0 +1,40 @@
+---
+# tasks file for debian/ansible/wireguard
+- name: Include main vars
+ include_vars:
+ file: vars/main.yml
+- name: Apt upgrade
+ apt:
+ update_cache: yes
+ upgrade: yes
+ become: yes
+- name: Install wireguard
+ apt:
+ name:
+ - wireguard
+ - iptables
+ state: present
+ update_cache: yes
+ become: yes
+- name: Copy wireguard config to /etc/wg0.conf
+ ansible.builtin.template:
+ src: templates/wg0.conf
+ dest: /etc/wireguard/wg0.conf
+ owner: root
+ group: root
+ mode: '0600'
+ become: yes
+- name: Update ipv4 sysctl
+ ansible.posix.sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+ state: present
+ reload: yes
+ become: yes
+- name: Ensure wireguard is enabled and running
+ ansible.builtin.systemd:
+ state: restarted
+ enabled: yes
+ name: wg-quick@wg0
+ become: yes
diff --git a/debian/ansible/wireguard/templates/wg0.conf b/debian/ansible/wireguard/templates/wg0.conf
new file mode 100644
index 0000000..e105793
--- /dev/null
+++ b/debian/ansible/wireguard/templates/wg0.conf
@@ -0,0 +1,16 @@
+[Interface]
+Address = 10.200.1.1/24
+ListenPort = 51820
+PrivateKey = {{ private_key }}
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ interface }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ interface }} -j MASQUERADE
+
+# Reese's Laptop
+[Peer]
+PublicKey = phDd8By8xpEMs65fb89xl1LjqDeyjxy5Cc1Wk8qvuBQ=
+AllowedIPs = 10.200.1.2/32
+
+# Reese's Phone
+[Peer]
+PublicKey = 51tKo/0fpYN0vd8UowD56nDPsNqw4HzJ5o4xGDaU2Wo=
+AllowedIPs = 10.200.1.3/32
diff --git a/debian/ansible/wireguard/vars/main.yml b/debian/ansible/wireguard/vars/main.yml
new file mode 100644
index 0000000..f716a7b
--- /dev/null
+++ b/debian/ansible/wireguard/vars/main.yml
@@ -0,0 +1,2 @@
+private_key: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/wireguard/private/home/wg.dnet:privatekey url=https://vault.ducoterra.net')}}"
+interface: ens3
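Review bot: The last task restarts `wg-quick@wg0` on every play (`state: restarted`), which tears the tunnel down for all peers even when nothing changed; use `state: started` here and move the restart into a handler notified by the template task, so the service only bounces when `/etc/wireguard/wg0.conf` actually changes. The template task renders the Vault-sourced private key, and with `--diff` or verbose output Ansible prints the rendered file, so add `no_log: true` to that task to keep the key out of logs and CI output. The task name says `/etc/wg0.conf` while `dest` is `/etc/wireguard/wg0.conf`; the name should match the path. `upgrade: yes` in the Apt upgrade task upgrades every package on each run, which is unrelated to installing wireguard and is better kept in its own role.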
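Review bot: PostUp only accepts forwarded packets entering through `%i`; whether replies coming back from `{{ interface }}` toward the tunnel are forwarded then depends on the host's FORWARD chain policy, which this change does not set — with a DROP policy the peers get no return traffic, with ACCEPT the added rule is redundant. Making the return direction explicit removes that dependency: add `iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` to PostUp and the matching `-D` rule to PostDown. The two peers are pinned to single /32 AllowedIPs, which is the right shape for a hub configuration.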
diff --git a/debian/wireguard.yml b/debian/wireguard.yml
new file mode 100644
index 0000000..c33699a
--- /dev/null
+++ b/debian/wireguard.yml
@@ -0,0 +1,11 @@
+---
+# Run through all tasks to setup machines
+# https://community.frame.work/t/fedora-linux-35-on-the-framework-laptop/6613/10
+- hosts: wireguard
+ gather_facts: true
+ order: inventory
+ vars_files:
+ - ansible/wireguard/vars/main.yml
+ roles:
+ - role: ansible/openssh
+ - role: ansible/wireguard
diff --git a/fedora/ansible/dconf/README.md b/fedora/ansible/add-dnet-cert/README.md
similarity index 100%
rename from fedora/ansible/dconf/README.md
rename to fedora/ansible/add-dnet-cert/README.md
diff --git a/fedora/ansible/certificates/meta/main.yml b/fedora/ansible/add-dnet-cert/meta/main.yml
similarity index 100%
rename from fedora/ansible/certificates/meta/main.yml
rename to fedora/ansible/add-dnet-cert/meta/main.yml
diff --git a/fedora/ansible/certificates/tasks/main.yml b/fedora/ansible/add-dnet-cert/tasks/main.yml
similarity index 100%
rename from fedora/ansible/certificates/tasks/main.yml
rename to fedora/ansible/add-dnet-cert/tasks/main.yml
diff --git a/fedora/ansible/framework_tweaks/README.md b/fedora/ansible/add-iscsi-framework-backup/README.md
similarity index 100%
rename from fedora/ansible/framework_tweaks/README.md
rename to fedora/ansible/add-iscsi-framework-backup/README.md
diff --git a/fedora/ansible/iscsi_freenas/meta/main.yml b/fedora/ansible/add-iscsi-framework-backup/meta/main.yml
similarity index 100%
rename from fedora/ansible/iscsi_freenas/meta/main.yml
rename to fedora/ansible/add-iscsi-framework-backup/meta/main.yml
diff --git a/fedora/ansible/iscsi_freenas/tasks/main.yml b/fedora/ansible/add-iscsi-framework-backup/tasks/main.yml
similarity index 100%
rename from fedora/ansible/iscsi_freenas/tasks/main.yml
rename to fedora/ansible/add-iscsi-framework-backup/tasks/main.yml
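Review bot: The comment link above the play points at a Framework-laptop Fedora thread and has nothing to do with a Debian WireGuard host; it looks copied from another playbook and should be replaced with a line naming what this play sets up, e.g. `# Configure a WireGuard hub (openssh + wireguard roles) on hosts in the wireguard group`. `vars_files` also loads `ansible/wireguard/vars/main.yml`, which the role already loads as its own `vars/main.yml` and once more via `include_vars` in its tasks, so the Vault lookup is defined three times over; loading it once, in the role, is enough.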
diff --git a/fedora/ansible/btrbk/files/btrbk.conf b/fedora/ansible/btrbk/files/btrbk.conf
index a90ebe4..e3e3f28 100644
--- a/fedora/ansible/btrbk/files/btrbk.conf
+++ b/fedora/ansible/btrbk/files/btrbk.conf
@@ -1,188 +1,11 @@ -# -# Example btrbk configuration file -# -# -# Please refer to the btrbk.conf(5) man-page for a complete -# description of all configuration options. -# For more examples, see README.md included with this package. -# -# btrbk.conf(5): -# README.md: -# -# Note that the options can be overridden per volume/subvolume/target -# in the corresponding sections. -# - - -# Enable transaction log -transaction_log /var/log/btrbk.log - -# Enable stream buffer. Adding a buffer between the sending and -# receiving side is generally a good idea. -# NOTE: If enabled, make sure to install the "mbuffer" package! -stream_buffer 256m - -# Directory in which the btrfs snapshots are created. Relative to -# of the volume section. -# If not set, the snapshots are created in . -# -# If you want to set a custom name for the snapshot (and backups), -# use the "snapshot_name" option within the subvolume section. -# -# NOTE: btrbk does not autmatically create this directory, and the -# snapshot creation will fail if it is not present. -# -snapshot_dir _btrbk_snap - -# Always create snapshots. Set this to "ondemand" to only create -# snapshots if the target volume is reachable. Set this to "no" if -# snapshot creation is done by another instance of btrbk. -#snapshot_create always - -# Perform incremental backups (set to "strict" if you want to prevent -# creation of non-incremental backups if no parent is found). -#incremental yes - -# Specify after what time (in full hours after midnight) backups/ -# snapshots are considered as a daily backup/snapshot -#preserve_hour_of_day 0 - -# Specify on which day of week weekly/monthly backups are to be -# preserved. -#preserve_day_of_week sunday - -# Preserve all snapshots for a minimum period of time. -#snapshot_preserve_min 1d - -# Retention policy for the source snapshots. -#snapshot_preserve h d w m y - -# Preserve all backup targets for a minimum period of time. 
-#target_preserve_min no - -# Retention policy for backup targets: -#target_preserve h d w m y - -# Retention policy for archives ("btrbk archive" command): -#archive_preserve_min no -#archive_preserve h d w m y - -# Specify SSH private key for "ssh://" volumes / targets: -#ssh_identity /etc/btrbk/ssh/id_ed25519 -#ssh_user root -#ssh_compression no -#ssh_cipher_spec default - -# Enable compression for remote btrfs send/receive operations: -#stream_compress no -#stream_compress_level default -#stream_compress_threads default - -# Enable lock file support: Ensures that only one instance of btrbk -# can be run at a time. -#lockfile /var/lock/btrbk.lock - -# Don't wait for transaction commit on deletion. Set this to "after" -# or "each" to make sure the deletion of subvolumes is committed to -# disk when btrbk terminates. -#btrfs_commit_delete no - - -# -# Volume section (optional): "volume " -# -# Base path within a btrfs filesystem -# containing the subvolumes to be backuped -# (usually the mount-point of a btrfs filesystem -# mounted with subvolid=5 option). -# -# Subvolume section: "subvolume " -# -# Subvolume to be backuped, relative to -# in volume section. -# -# Target section: "target " -# -# (optional) type, defaults to "send-receive". -# Directory within a btrfs filesystem -# receiving the backups. -# -# NOTE: The parser does not care about indentation, this is only for -# human readability. All options apply to the last section -# encountered, overriding the corresponding option of the upper -# section. This means that the global options must be set on top, -# before any "volume", "subvolume" or "target section. 
-# - - -# -# Example retention policy: -# +snapshot_create ondemand snapshot_preserve_min 2d snapshot_preserve 14d target_preserve_min no target_preserve 20d 10w *m - -# -# Simple setup: Backup root and home to external disk -# -snapshot_dir /btrfs/snapshots -target /mnt/btr_pool -subvolume /btrfs/root -subvolume /btrfs/home - - -# -# Complex setup -# -# In order to keep things organized, it is recommended to use "volume" -# sections and mount the top-level subvolume (subvolid=5): -# -# $ mount -o subvolid=5 /dev/sda1 /mnt/btr_pool -# -# Backup to external disk mounted on /mnt/btr_backup -#volume /btrfs - # Create snapshots in /mnt/btr_pool/btrbk_snapshots -# snapshot_dir btrbk_snapshots - - # Target for all subvolume sections: -# target /mnt/btr_backup - - # Some default btrfs installations (e.g. Ubuntu) use "@" for rootfs - # (mounted at "/") and "@home" (mounted at "/home"). Note that this - # is only a naming convention. - #subvolume @ -# subvolume root -# subvolume home - #subvolume kvm - # Use different retention policy for kvm backups: - #target_preserve 7d 4w - - -# Backup data to external disk as well as remote host -#volume /mnt/btr_data -# subvolume data - # Always create snapshot, even if targets are unreachable -# snapshot_create always -# target /mnt/btr_backup -# target ssh://backup.my-remote-host.com/mnt/btr_backup - - -# Backup from remote host, with different naming -#volume ssh://my-remote-host.com/mnt/btr_pool -# subvolume data_0 -# snapshot_dir snapshots/btrbk -# snapshot_name data_main -# target /mnt/btr_backup/my-remote-host.com - - -# Resume backups from remote host which runs its own btrbk instance -# creating snapshots for "home" in "/mnt/btr_pool/btrbk_snapshots". 
-#volume ssh://my-remote-host.com/mnt/btr_pool
-# snapshot_dir btrbk_snapshots
-# snapshot_create no
-# snapshot_preserve_min all
-# subvolume home
-# target /mnt/btr_backup/my-remote-host.com
+snapshot_dir /mnt/btr_pool/snapshots
+target /mnt/btr_backup
+subvolume /mnt/btr_pool/root
+subvolume /mnt/btr_pool/home
diff --git a/fedora/ansible/gnome_extensions/README.md b/fedora/ansible/disable-swap/README.md
similarity index 100%
rename from fedora/ansible/gnome_extensions/README.md
rename to fedora/ansible/disable-swap/README.md
diff --git a/fedora/ansible/framework_tweaks/meta/main.yml b/fedora/ansible/disable-swap/meta/main.yml
similarity index 100%
rename from fedora/ansible/framework_tweaks/meta/main.yml
rename to fedora/ansible/disable-swap/meta/main.yml
diff --git a/fedora/ansible/disable-swap/tasks/main.yml b/fedora/ansible/disable-swap/tasks/main.yml
new file mode 100644
index 0000000..e5373e7
--- /dev/null
+++ b/fedora/ansible/disable-swap/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+# Disable swap
+- name: Turn off swap
+ command: swapoff --all
+ become: yes
+- name: Uninstall zram-generator-defaults
+ dnf:
+ name:
+ - zram-generator-defaults
+ state: absent
+ become: yes
diff --git a/fedora/ansible/gnome_extensions/meta/main.yml b/fedora/ansible/dnf-install-dash-to-dock/meta/main.yml
similarity index 100%
rename from fedora/ansible/gnome_extensions/meta/main.yml
rename to fedora/ansible/dnf-install-dash-to-dock/meta/main.yml
diff --git a/fedora/ansible/dnf-install-dash-to-dock/tasks/main.yml b/fedora/ansible/dnf-install-dash-to-dock/tasks/main.yml
new file mode 100644
index 0000000..0cc9591
--- /dev/null
+++ b/fedora/ansible/dnf-install-dash-to-dock/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Install dash-to-dock
+ dnf:
+ name:
+ - gnome-shell-extension-dash-to-dock
+ - gnome-extensions-app
+ state: present
+ become: yes
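Review bot: The rewrite drops `transaction_log /var/log/btrbk.log` together with the rest of the old header, so btrbk no longer records which snapshots and backups it created or deleted; for a tool whose retention policy deletes subvolumes that log is the only audit trail, and `transaction_log /var/log/btrbk.log` should be kept in the new file. The old file also never enabled the lock file; now that the config ships from an Ansible role and may be run on a timer, `lockfile /var/lock/btrbk.lock` stops two overlapping runs from racing on the same snapshot directory. The `*m` in `target_preserve 20d 10w *m` keeps one monthly backup indefinitely, which is fine if intended but deserves a comment since the new file has none.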
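Review bot: `command: swapoff --all` runs unconditionally and so reports `changed` on every play even when no swap is active; guard it with `when: ansible_swaptotal_mb > 0` (or set `changed_when`) so the role is idempotent. Removing `zram-generator-defaults` only stops zram from being configured at the next boot; if any swap entries exist in `/etc/fstab` they would come back too and need a separate `mount` task with `state: absent`, which this role does not cover.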
diff --git a/fedora/ansible/iscsi_freenas/README.md b/fedora/ansible/dnf-install-snap/README.md
similarity index 100%
rename from fedora/ansible/iscsi_freenas/README.md
rename to fedora/ansible/dnf-install-snap/README.md
diff --git a/fedora/ansible/dnf-install-snap/meta/main.yml b/fedora/ansible/dnf-install-snap/meta/main.yml
new file mode 100644
index 0000000..d5714b7
--- /dev/null
+++ b/fedora/ansible/dnf-install-snap/meta/main.yml
@@ -0,0 +1,52 @@ +galaxy_info: + author: Reese Wells + description: Installs daily drivers for fedora workstation + company: "" + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/fedora/ansible/dnf-install-snap/tasks/main.yml b/fedora/ansible/dnf-install-snap/tasks/main.yml new file mode 100644 index 0000000..6e077f2 --- /dev/null +++ b/fedora/ansible/dnf-install-snap/tasks/main.yml 
@@ -0,0 +1,20 @@ +--- +- name: Ensure snap installed + dnf: + name: snapd + state: present + become: yes +- name: Ensure snapd service running + ansible.builtin.systemd: + name: snapd.socket + state: started + enabled: yes + become: yes +- name: Link /var/lib/snapd/snap /snap + ansible.builtin.file: + src: /var/lib/snapd/snap + dest: /snap + owner: root + group: root + state: link + become: yes diff --git a/fedora/ansible/openssh/README.md b/fedora/ansible/dnf-install-steam/README.md similarity index 100% rename from fedora/ansible/openssh/README.md rename to fedora/ansible/dnf-install-steam/README.md diff --git a/fedora/ansible/dnf-install-steam/tasks/main.yml b/fedora/ansible/dnf-install-steam/tasks/main.yml new file mode 100644 index 0000000..5b2a86f --- /dev/null +++ b/fedora/ansible/dnf-install-steam/tasks/main.yml @@ -0,0 +1,4 @@ +- name: DNF Install Steam + dnf: + name: + - steam diff --git a/fedora/ansible/enable-deep-sleep/README.md b/fedora/ansible/enable-deep-sleep/README.md new file mode 100644 index 0000000..e69de29 diff --git a/fedora/ansible/enable-deep-sleep/meta/main.yml b/fedora/ansible/enable-deep-sleep/meta/main.yml new file mode 100644 index 0000000..620d79e --- /dev/null +++ b/fedora/ansible/enable-deep-sleep/meta/main.yml 
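Review bot: The dnf-install-steam task has neither `become: yes` nor a `state:`, so unlike every other task in this diff it runs dnf as the connecting user and will fail unless that user is root. Add `state: present` and `become: yes` to the task, and the `---` document marker the other task files start with. On Fedora the `steam` package presumably comes from the RPM Fusion non-free repository, so the install also depends on that repository being enabled by an earlier role; nothing in this diff does that, so a comment pointing at the prerequisite would be worthwhile.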
@@ -0,0 +1,52 @@ +galaxy_info: + author: Reese Wells + description: Tweaks Fedora to work better with the Framework Laptop + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/fedora/ansible/enable-deep-sleep/tasks/main.yml b/fedora/ansible/enable-deep-sleep/tasks/main.yml new file mode 100644 index 0000000..4ec23cb --- /dev/null +++ b/fedora/ansible/enable-deep-sleep/tasks/main.yml 
@@ -0,0 +1,5 @@ +--- +# Set deep sleep to default +- name: Set deep sleep to default + command: grubby --update-kernel=ALL --args="mem_sleep_default=deep" + become: yes diff --git a/fedora/ansible/fix-framework-microphone/README.md b/fedora/ansible/fix-framework-microphone/README.md new file mode 100644 index 0000000..e69de29 diff --git a/fedora/ansible/fix-framework-microphone/meta/main.yml b/fedora/ansible/fix-framework-microphone/meta/main.yml new file mode 100644 index 0000000..620d79e --- /dev/null +++ b/fedora/ansible/fix-framework-microphone/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: Reese Wells + description: Tweaks Fedora to work better with the Framework Laptop + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/fedora/ansible/framework_tweaks/tasks/main.yml b/fedora/ansible/fix-framework-microphone/tasks/main.yml similarity index 71% rename from fedora/ansible/framework_tweaks/tasks/main.yml rename to fedora/ansible/fix-framework-microphone/tasks/main.yml index 05fee1a..ccba7f6 100644 
--- a/fedora/ansible/framework_tweaks/tasks/main.yml +++ b/fedora/ansible/fix-framework-microphone/tasks/main.yml @@ -8,10 +8,3 @@ content: | options snd-hda-intel model=auto become: yes -# Disable swap -- name: Uninstall zram-generator-defaults - dnf: - name: - - zram-generator-defaults - state: absent - become: yes diff --git a/fedora/ansible/framework_tweaks/tests/inventory b/fedora/ansible/framework_tweaks/tests/inventory deleted file mode 100644 index 878877b..0000000 --- a/fedora/ansible/framework_tweaks/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/fedora/ansible/framework_tweaks/tests/test.yml b/fedora/ansible/framework_tweaks/tests/test.yml deleted file mode 100644 index a72c069..0000000 --- a/fedora/ansible/framework_tweaks/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - arch/hardware_tools diff --git a/fedora/ansible/framework_tweaks/vars/main.yml b/fedora/ansible/framework_tweaks/vars/main.yml deleted file mode 100644 index d3a7d63..0000000 --- a/fedora/ansible/framework_tweaks/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for arch/hardware_tools diff --git a/fedora/ansible/gnome_extensions/tasks/main.yml b/fedora/ansible/gnome_extensions/tasks/main.yml deleted file mode 100644 index e053ef3..0000000 --- a/fedora/ansible/gnome_extensions/tasks/main.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# Gnome extensions -- name: Enable gnome extensions - command: 'gnome-extensions enable {{ item }}' - loop: - - bluetooth-quick-connect@bjarosze.gmail.com - - clipboard-indicator@tudmotu.com - - sound-output-device-chooser@kgshank.net - - Resource_Monitor@Ory0n - - drive-menu@gnome-shell-extensions.gcampax.github.com diff --git a/fedora/ansible/install-autofs/files/10-home-network.py b/fedora/ansible/install-autofs/files/10-home-network.py new file mode 100644 index 0000000..df2c379 --- /dev/null +++ b/fedora/ansible/install-autofs/files/10-home-network.py 
@@ -0,0 +1,226 @@ +#!/usr/bin/env python3 + +import sys +import os +import logging +import subprocess + + +def run_cmd_safe(cmd, expire_cmd=None, timeout=6, retry=10): + """Safely executes a command with timeout. Logs stdout and stderr. Captures TimeOutException. + + Args: + cmd (list): Command to be executed + """ + result = None + retry_count = 0 + while retry_count < retry: + if retry_count > 0 and expire_cmd: + logging.warn(f"Running expire command {expire_cmd}") + run_cmd_safe(expire_cmd) + try: + logging.debug(f"Executing {' '.join(cmd)}") + result = subprocess.run(cmd, capture_output=True, timeout=timeout) + logging.info(f"{' '.join(cmd)}: {result.stdout}") + logging.error(f"{' '.join(cmd)}: {result.stderr}") + break + except subprocess.TimeoutExpired: + logging.error(f"Attempt {retry_count}") + logging.error(f"Command expired: {cmd}") + retry_count += 1 + + return result + + +def get_network_state(conn_uuid): + """Using nmcli, retreive the state of the given network + + Args: + conn_uuid (str): The connection UUID provided by `nmcli connection show` + + Returns: + str: The state of the connection provided by nmcli + """ + UUID = 0 + STATE = 1 + CMD = ['nmcli', '-t', '-f', 'con-uuid,state', 'device', 'status'] + + result = run_cmd_safe(CMD) + decoded_result = result.stdout.decode() + network_connections = decoded_result.split("\n") + valid_connections = list(filter( + lambda item: item[0] != "", + [conn.split(':') for conn in network_connections])) + selected_network = list(filter(lambda item: item[UUID] == conn_uuid, valid_connections)) + if len(selected_network) > 0: + return selected_network[0][STATE] + else: + return '' + + +def network_connected(conn_uuid): + """Returns True if the given connection UUID is connected + + Args: + conn_uuid (str): The connection UUID provided by `nmcli connection show` + + Returns: + bool: True if connected, False otherwise + """ + CONNECTED = "connected" + + current_state = get_network_state(conn_uuid) + return 
current_state == CONNECTED + + +def one_up(conn_uuids): + """Returns True if at least one of the provided network connections is up + + Args: + conn_uuids (list): List of connections to check + """ + for conn_uuid in conn_uuids: + if network_connected(conn_uuid): + return True + return False + + +def set_wifi_state(on=True): + """Turns the wifi on and off + + Args: + on (bool, optional): Set to False to turn wifi off. Defaults to True. + + Returns: + bool: True if command successful, False if otherwise + """ + desired_state = "on" if on else "off" + cmd = ["nmcli", "radio", "wifi", desired_state] + result = run_cmd_safe(cmd) + return result.returncode == 0 + + +def is_mountpoint(path): + cmd = ["mountpoint", path] + result = run_cmd_safe(cmd) + return result.returncode == 0 + + +if __name__ == "__main__": + + logging.basicConfig( + filename='/var/log/nmd.log', + encoding='utf-8', + level=logging.DEBUG, + format='%(asctime)s %(levelname)s: %(message)s', + datefmt='%m/%d/%Y %I:%M:%S %p') + + logging.debug("----------Start----------") + + # List of connections relevant to this script + # Use tags to denote ethernet or wifi + CONNECTIONS = { + "home": { + "029a0daa-9dcd-36c2-9f3f-8c8a4da10da0": { + "tags": ["ethernet"] + }, + "991b3332-3b25-467d-b49d-daecb968b4f8": { + "tags": ["wifi"] + } + } + } + + # List of valid states for NetworkManager + # Taken from https://developer-old.gnome.org/NetworkManager/unstable/NetworkManager-dispatcher.html + STATES = { + "pre-up": "pre-up", + "up": "up", + "pre-down": "pre-down", + "down": "down", + "vpn-pre-up": "vpn-pre-up", + "vpn-up": "vpn-up", + "vpn-pre-down": "vpn-pre-down", + "vpn-down": "vpn-down", + "hostname": "hostname", + "dhcp4-change": "dhcp4-change", + "dhcp6-change": "dhcp6-change", + "connectivity-change": "connectivity-change", + } + + # List of available environment variables given by NetworkManager + # Taken from https://developer-old.gnome.org/NetworkManager/unstable/NetworkManager-dispatcher.html + # Note: 
omits DHCP4_ and IP6_ for simplicity's sake + ENV_VARS = { + "NM_DISPATCHER_ACTION": "NM_DISPATCHER_ACTION", + "CONNECTION_UUID": "CONNECTION_UUID", + "CONNECTION_ID": "CONNECTION_ID", + "CONNECTION_DBUS_PATH": "CONNECTION_DBUS_PATH", + "CONNECTION_FILENAME": "CONNECTION_FILENAME", + "CONNECTION_EXTERNAL": "CONNECTION_EXTERNAL", + "DEVICE_IFACE": "DEVICE_IFACE", + "DEVICE_IP_IFACE": "DEVICE_IP_IFACE", + "IP4_ADDRESS_N": "IP4_ADDRESS_N", + "IP4_NUM_ADDRESSES": "IP4_NUM_ADDRESSES", + "IP4_GATEWAY": "IP4_GATEWAY", + "IP4_ROUTE_N": "IP4_ROUTE_N", + "IP4_NUM_ROUTES": "IP4_NUM_ROUTES", + "IP4_NAMESERVERS": "IP4_NAMESERVERS", + "IP4_DOMAINS": "IP4_DOMAINS", + "CONNECTIVITY_STATE": "CONNECTIVITY_STATE", + } + + # Used to retrive values from dictionaries after they've been turned into .items() + KEY = 0 + VALUE = 1 + + # Filter out all home connections + home_connections = CONNECTIONS.get("home").keys() + logging.debug(f"Home connections: {home_connections}") + + # Filter out our ethernet connections per their tags and save to a list + ethernets = list(map( + lambda conn: conn[KEY], + filter( + lambda conn: "ethernet" in conn[VALUE].get("tags") or [], + CONNECTIONS["home"].items()))) + logging.debug(f"Ethernet connections: {ethernets}") + + # The interface and state are always passed as positional arguments + logging.debug(f"arguments: {sys.argv}") + interface, state = sys.argv[1:3] + logging.debug(f"interface: {interface}") + logging.debug(f"state: {state}") + + # Get the environment variables from our dictionary above + environment = {var[KEY]: os.getenv(var[VALUE]) for var in ENV_VARS.items()} + logging.debug(f"enviroment: {environment}") + + # Get our conn_uuid from the dictionary of environment variables + conn_uuid = environment.get(ENV_VARS["CONNECTION_UUID"]) + logging.debug(f"Connection UUID: {conn_uuid}") + + # check if we need to turn the wifi on or off + if conn_uuid in ethernets: + # If the state of our home ethernet connection is "up" (we've just connected to 
ethernet), + # turn wifi off. + if state == STATES["up"]: + set_wifi_state(on=False) + # If the state of our home ethernet connection is "down" (we've just disconnected from + # ethernet), turn wifi back on. + elif state == STATES["down"]: + set_wifi_state(on=True) + + # When we connect to a home network, mount our shares + # When we disconnect from all home networks, unmount our shares + # one_home_connection_up = one_up(home_connections) + # logging.debug(f"One Home Connection Up: {one_home_connection_up}") + + # umount_cmd = ["umount", "-a", "-l", "-t", "cifs"] + # mount_cmd = ["mount", "/mnt/truenas"] + # if one_home_connection_up: + # run_cmd_safe(mount_cmd, expire_cmd=umount_cmd) + # else: + # run_cmd_safe(umount_cmd) + + # Log Done + logging.debug("----------Done----------") diff --git a/fedora/ansible/install-autofs/files/auto.truenas b/fedora/ansible/install-autofs/files/auto.truenas new file mode 100644 index 0000000..5346760 --- /dev/null +++ b/fedora/ansible/install-autofs/files/auto.truenas @@ -0,0 +1,2 @@ +truenas -fstype=cifs,rw,uid=1000,gid=1000,credentials=/home/ducoterra/.smbpasswd ://freenas.dnet/truenas +media -fstype=cifs,rw,uid=1000,gid=1000,credentials=/home/ducoterra/.smbpasswd ://freenas.dnet/media diff --git a/fedora/ansible/install-autofs/files/truenas.extra b/fedora/ansible/install-autofs/files/truenas.extra new file mode 100644 index 0000000..12f837e --- /dev/null +++ b/fedora/ansible/install-autofs/files/truenas.extra @@ -0,0 +1,5 @@ +/misc /etc/auto.misc +/net -hosts ++dir:/etc/auto.master.d ++auto.master +/smb /etc/auto.truenas diff --git a/fedora/ansible/install-autofs/meta/main.yml b/fedora/ansible/install-autofs/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/fedora/ansible/install-autofs/meta/main.yml 
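Review bot: `run_cmd_safe` returns `None` once every attempt has timed out, and `get_network_state`, `set_wifi_state` and `is_mountpoint` then dereference `.stdout` / `.returncode` on that `None`, so a hung nmcli ends the dispatcher script with an AttributeError traceback instead of a logged failure. Guard the call sites, e.g. `if result is None: return ''` in `get_network_state` and `return result is not None and result.returncode == 0` in the other two. Two smaller points: the script is presumably installed as a NetworkManager-dispatcher script and therefore runs as root, and it logs the full environment dump at DEBUG to `/var/log/nmd.log` with whatever mode the default umask gives, so either drop the environment dump or create the log with a restrictive mode; and `logging.warn` is deprecated in favour of `logging.warning`.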
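Review bot: Both autofs map entries point a root-run service at `credentials=/home/ducoterra/.smbpasswd`, a file inside a user's home directory that this role never creates or sets a mode on, and the `uid=1000,gid=1000` ownership is hard-coded rather than derived from the user. Move the credentials file to a root-owned location such as `/etc/samba/creds-truenas` with mode 0600 and reference that from both entries. The mounts also use CIFS defaults, so consider adding `seal` (SMB3 encryption) or at least a `vers=` pin if the NAS supports it; whether it does is not visible here.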
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/fedora/ansible/install-autofs/tasks/main.yml b/fedora/ansible/install-autofs/tasks/main.yml new file mode 100644 index 0000000..bd83ccb --- /dev/null +++ b/fedora/ansible/install-autofs/tasks/main.yml 
@@ -0,0 +1,26 @@ +--- +# sudo dnf install autofs +# /smb /etc/auto.truenas +# truenas -fstype=cifs,rw,uid=1000,gid=1000,credentials=/home/ducoterra/.smbpasswd ://freenas.dnet/truenas +# media -fstype=cifs,rw,uid=1000,gid=1000,credentials=/home/ducoterra/.smbpasswd ://freenas.dnet/media +- name: Install autofs + dnf: + name: autofs + state: present + become: yes +- name: Create /etc/auto.master.d/truenas.extra + copy: + src: files/truenas.extra + dest: /etc/auto.master.d/truenas.extra + owner: root + group: root + mode: '0755' + become: yes +- name: Create /etc/auto.truenas + copy: + src: files/auto.truenas + dest: /etc/auto.truenas + owner: root + group: root + mode: '0755' + become: yes diff --git a/fedora/ansible/setup-openssh/README.md b/fedora/ansible/setup-openssh/README.md new file mode 100644 index 0000000..e69de29 diff --git a/fedora/ansible/setup-openssh/meta/main.yml b/fedora/ansible/setup-openssh/meta/main.yml new file mode 100644 index 0000000..13f5011 --- /dev/null +++ b/fedora/ansible/setup-openssh/meta/main.yml 
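Review bot: Both copy tasks install the map files with `mode: '0755'`; autofs treats an executable map file as a program map (see auto.master(5)) and will try to execute `/etc/auto.truenas` rather than parse it, so the `/smb` mounts will most likely never appear. Use `mode: '0644'` for both files, which is also what a plain configuration file should carry. The comment block at the top of the task file repeats the content of `files/auto.truenas`, credentials path included; drop it so the map has a single source of truth.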
@@ -0,0 +1,52 @@ +galaxy_info: + author: Reese Wells + description: Ensures secure openssh configuration + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/fedora/ansible/setup-openssh/tasks/main.yml b/fedora/ansible/setup-openssh/tasks/main.yml new file mode 100644 index 0000000..808a6c2 --- /dev/null +++ b/fedora/ansible/setup-openssh/tasks/main.yml 
@@ -0,0 +1,27 @@ +--- +# SSH +- name: Curl SSH trusted CA + get_url: + url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key + dest: /etc/ssh/trusted-user-ca-keys.pem + mode: '0660' + become: yes +- name: Create sshd_config file + copy: + dest: "/etc/ssh/sshd_config" + content: | + AuthorizedKeysFile .ssh/authorized_keys + PasswordAuthentication no + KbdInteractiveAuthentication no + UsePAM yes + Subsystem sftp internal-sftp + PrintMotd no # pam does that + TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem + become: yes +- name: Ensure ssh service started + ansible.builtin.systemd: + name: sshd + state: restarted + daemon_reload: yes + enabled: yes + become: yes diff --git a/fedora/ansible/software_developer/tasks/main.yml b/fedora/ansible/software_developer/tasks/main.yml index 56467ac..5c176d9 100644 --- a/fedora/ansible/software_developer/tasks/main.yml +++ b/fedora/ansible/software_developer/tasks/main.yml @@ -1,4 +1,7 @@ --- +# Install kvm +# sudo dnf -y install bridge-utils libvirt virt-install qemu-kvm virt-manager +# sudo systemctl start libvirtd # Install developer tools - name: Ensure common developer tools installed dnf: @@ -10,12 +13,6 @@ - htop - dconf-editor - dnf-plugins-core - - ufw - become: yes -# Enable ufw -- name: Enable UFW - community.general.ufw: - state: enabled become: yes # Install snap developer tools - name: Ensure snap installed diff --git a/fedora/ansible/software_security/tasks/main.yml b/fedora/ansible/software_security/tasks/main.yml index 67d8bb9..c130e06 100644 --- a/fedora/ansible/software_security/tasks/main.yml +++ b/fedora/ansible/software_security/tasks/main.yml @@ -7,4 +7,15 @@ - tcpdump - tcpreplay - wireshark-cli + - ufw + become: yes +# Enable UFW and allow SSH +- name: Allow SSH + community.general.ufw: + rule: allow + name: ssh + become: yes +- name: Enable UFW + community.general.ufw: + state: enabled become: yes 
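Review bot: The sshd_config written by the `Create sshd_config file` task replaces Fedora's stock file wholesale and omits `Include /etc/ssh/sshd_config.d/*.conf`, which is how the distribution applies its system-wide crypto policy and other defaults, so those silently drop out; add `Include /etc/ssh/sshd_config.d/*.conf` as the first line, or manage a drop-in under `sshd_config.d` instead of the main file. The restart task also runs with no syntax check, so a typo in the rendered config locks you out of the host; add `validate: /usr/sbin/sshd -t -f %s` to the copy task and trigger the restart from a handler rather than unconditionally. Finally, `mode: '0660'` on the fetched CA public key is stricter than needed and unusual for `/etc/ssh`; sshd reads it as root and the key is public, so `0644` matches the other public keys there.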
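Review bot: The software_security hunk enables ufw but does nothing about firewalld, which Fedora ships enabled by default; if firewalld is still running on these hosts (this diff does not show it being disabled), two front-ends will be managing the same nftables backend and rules can be lost on either service's restart. Either add a task with `ansible.builtin.systemd: name: firewalld state: stopped enabled: no masked: yes` before enabling ufw, or drop ufw and express the SSH allow rule through `ansible.posix.firewalld`. The `Allow SSH` rule itself is correct and is ordered before `state: enabled`, which avoids the classic lockout.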
diff --git a/fedora/ansible/tigervnc/README.md b/fedora/ansible/tigervnc/README.md new file mode 100644 index 0000000..e69de29 diff --git a/fedora/ansible/tigervnc/files/config b/fedora/ansible/tigervnc/files/config new file mode 100644 index 0000000..c9ccf3f --- /dev/null +++ b/fedora/ansible/tigervnc/files/config @@ -0,0 +1,7 @@ +## Supported server options to pass to vncserver upon invocation can be listed +## in this file. See the following manpages for more: vncserver(1) Xvnc(1). +## Several common ones are shown below. Uncomment and modify to your liking. +## +session=gnome +securitytypes=vncauth,tlsvnc +geometry=1920x1080 diff --git a/fedora/ansible/tigervnc/files/vncserver.users b/fedora/ansible/tigervnc/files/vncserver.users new file mode 100644 index 0000000..71e6fe2 --- /dev/null +++ b/fedora/ansible/tigervnc/files/vncserver.users @@ -0,0 +1 @@ +:2=vncuser diff --git a/fedora/ansible/tigervnc/files/xstartup b/fedora/ansible/tigervnc/files/xstartup new file mode 100644 index 0000000..c8ef8f0 --- /dev/null +++ b/fedora/ansible/tigervnc/files/xstartup @@ -0,0 +1,12 @@ +#!/bin/sh + +unset SESSION_MANAGER +unset DBUS_SESSION_BUS_ADDRESS +/etc/X11/xinit/xinitrc +# Assume either Gnome will be started by default when installed +# We want to kill the session automatically in this case when user logs out. In case you modify +# /etc/X11/xinit/Xclients or ~/.Xclients yourself to achieve a different result, then you should +# be responsible to modify below code to avoid that your session will be automatically killed +if [ -e /usr/bin/gnome-session ]; then + vncserver -kill $DISPLAY +fi diff --git a/fedora/ansible/tigervnc/meta/main.yml b/fedora/ansible/tigervnc/meta/main.yml new file mode 100644 index 0000000..41fe0af --- /dev/null +++ b/fedora/ansible/tigervnc/meta/main.yml 
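Review bot: `securitytypes=vncauth,tlsvnc` in the tigervnc config still offers plain `vncauth`, a DES-obfuscated password of at most eight characters exchanged over an unencrypted channel, and any client can simply pick it. Since the tasks file in this role opens 5902/tcp, restrict this to `securitytypes=tlsvnc` (or `x509vnc` with a proper certificate), or add `localhost=1` and reach the server through an SSH tunnel so the VNC handshake is never exposed on the network. The `xstartup` script's `vncserver -kill $DISPLAY` should quote the variable, `"$DISPLAY"`, as the other lines in that file are otherwise careful.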
@@ -0,0 +1,52 @@ +galaxy_info: + author: Reese Wells + description: Installs and enables a tigervnc server + company: "" + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/fedora/ansible/tigervnc/tasks/main.yml b/fedora/ansible/tigervnc/tasks/main.yml new file mode 100644 index 0000000..edeb865 --- /dev/null +++ b/fedora/ansible/tigervnc/tasks/main.yml 
@@ -0,0 +1,59 @@ +--- +# Install and activate tigervnc +# NOTE: You will still need to log in manually as the new user and run "passwd" and "vncpasswd" +- name: Ensure tigervnc-server is installed + dnf: + name: + - tigervnc-server + become: yes +- name: Copy systemd file to /etc/system/system + copy: + remote_src: yes + src: /lib/systemd/system/vncserver@.service + dest: /etc/systemd/system/vncserver@.service + become: yes +- name: Copy vncserver.users + copy: + src: files/vncserver.users + dest: /etc/tigervnc/vncserver.users + become: yes +- name: Create vncuser + user: + name: vncuser + shell: /bin/fish + groups: wheel + append: yes + become: yes +- name: Ensure .vnc folder exists for vncuser + file: + path: /home/vncuser/.vnc + state: directory + owner: vncuser + group: vncuser + become: yes +- name: Copy vnc config + copy: + src: files/config + dest: /home/vncuser/.vnc/config + owner: vncuser + group: vncuser + become: yes +- name: Copy xstartup + copy: + src: files/xstartup + dest: /home/vncuser/.vnc/xstartup + owner: vncuser + group: vncuser + become: yes +- name: Start tigervnc service + systemd: + name: vncserver@:2 + state: started + enabled: yes + become: yes +- name: UFW Allow 5902/tcp + community.general.ufw: + rule: allow + port: 5902 + proto: tcp + become: yes diff --git a/fedora/ansible/write-dconf-config/README.md b/fedora/ansible/write-dconf-config/README.md new file mode 100644 index 0000000..e69de29 diff --git a/fedora/ansible/dconf/meta/main.yml b/fedora/ansible/write-dconf-config/meta/main.yml similarity index 100% rename from fedora/ansible/dconf/meta/main.yml rename to fedora/ansible/write-dconf-config/meta/main.yml diff --git a/fedora/ansible/dconf/tasks/main.yml b/fedora/ansible/write-dconf-config/tasks/main.yml similarity index 100% rename from fedora/ansible/dconf/tasks/main.yml rename to fedora/ansible/write-dconf-config/tasks/main.yml diff --git a/fedora/desktop.yml b/fedora/desktop.yml index 8402024..42f06f1 100644 
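Review bot: The `Create vncuser` task adds the VNC login to `wheel`, and the final task opens 5902/tcp to any source, so the VNC password (at most eight characters when `vncauth` is offered, per the config file in this role) becomes a remote path to a sudo-capable account. Drop `groups: wheel` unless that user genuinely needs sudo, and either scope the ufw rule with `from_ip:` to the trusted subnet or leave the port closed and tunnel over SSH. Two smaller points: `shell: /bin/fish` assumes fish is installed, which nothing in this role ensures, and the `.vnc` directory is created without `mode: '0700'`, so it gets whatever the default umask yields.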
--- a/fedora/desktop.yml +++ b/fedora/desktop.yml @@ -1,7 +1,7 @@ --- # Run through all tasks to setup machines # https://community.frame.work/t/fedora-linux-35-on-the-framework-laptop/6613/10 -- hosts: localhost +- hosts: pc gather_facts: true order: inventory vars: @@ -12,12 +12,21 @@ packer_version: 1.7.10 roles: - - role: ansible/btrbk + - setup-openssh + - add-dnet-cert + - disable-swap + - dnf-install-dash-to-dock + - dnf-install-snap + - dnf-install-steam + - enable-deep-sleep + - write-dconf-config + # - role: ansible/btrbk - role: ansible/certificates - role: ansible/dconf - - role: ansible/gnome_extensions - - role: ansible/iscsi_freenas + # - role: ansible/gnome_extensions - role: ansible/openssh - role: ansible/software_common - role: ansible/software_developer + - role: ansible/software_games - role: ansible/software_security + # - role: ansible/tigervnc diff --git a/fedora/framework.yml b/fedora/framework.yml index 2e4cda9..4c10bb5 100644 --- a/fedora/framework.yml +++ b/fedora/framework.yml @@ -39,3 +39,6 @@ - role: ansible/software_security tags: ["software_security"] + + - role: ansible/network_drives + tags: ["network_drives"] diff --git a/framework_fedora.md b/framework_fedora.md index aa5c889..61ea94f 100644 --- a/framework_fedora.md +++ b/framework_fedora.md @@ -73,10 +73,12 @@ set -Ua fish_user_paths /home/$USER/.local/bin ```bash # Login to portal -sudo iscsiadm -m discovery -t st -p freenas.dnet +iscsiadm -m discovery -t st -p driveripper.reeselink.com # Mount all targets -sudo iscsiadm -m node --targetname iqn.2022-02.freenas.dnet:framework-backup -p freenas.dnet:3260 -l +iscsiadm -m node --targetname iqn.2023-01.driveripper.reeselink.com:2023-framework-backup -p driveripper.reeselink.com:3260 -l + +iscsiadm -m node --loginall all # Mount at boot vim /etc/iscsi/nodes/iqn.2022-02.freenas.dnet:manjaro-backup/10.1.2.200,3260,1 
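Review bot: The roles list in desktop.yml now carries both the new `setup-openssh` role and the older `ansible/openssh`; if the old role still writes `/etc/ssh/sshd_config` (its tasks are not in this diff), the two will fight over the same file and whichever runs last wins. Keep one of them, or turn the old role into a no-op before removing it. Switching `hosts: localhost` to `hosts: pc` also means the playbook now requires an inventory group or host named `pc`; a one-line comment naming the inventory file it expects would save the next run from a "no hosts matched" surprise.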
@@ -85,7 +87,7 @@ vim /etc/iscsi/nodes/iqn.2022-02.freenas.dnet:manjaro-backup/10.1.2.200,3260,1 node.startup = automatic # Log out of all sessions -sudo iscsiadm -m node -u +iscsiadm -m node -u ``` ## Gnome Tweaks @@ -217,7 +219,7 @@ WantedBy=timers.target ### Test, Start and Enable service -Test your service: +Test your service:the available storage space on our NAS to the iSCSI target and the other half ```bash sudo btrbk -c /etc/btrbk/btrbk.conf -v run 
@@ -230,3 +232,160 @@ sudo systemctl start btrbk.timer sudo systemctl enable btrbk.timer ``` + +### Minecraft + +1. You can find extra java versions at /etc/alternatives +2. You need to `dnf install xrandr` to launch any modpacks +3. You can create a desktop icon by putting this at ~/.local/share/applications/*.desktop: + +``` +[Desktop Entry] +Encoding=UTF-8 +Name=Technic Launcher +Exec=/usr/bin/java -jar /home/ducoterra/Applications/TechnicLauncher.jar +Icon=/home/ducoterra/.icons/minecraft-launcher.png +Type=Application +Categories=Games; +``` + +### Firewall CMD + +1. Enable firewall + +```bash +systemctl start firewall-cmd +systemctl enable firewall-cmd +``` + +2. Set default behavior to drop everything + +```bash +firewall-cmd --set-default-zone=drop +systemctl reload firewall-cmd +``` + +### Resources + +Network monitoring: https://linuxconfig.org/how-to-monitor-network-activity-on-a-linux-system + +## Backups + +### Full system backup + +In the event you need to restore your system from a disaster do the following: + +1. Reinstall fedora via a live image +2. After install, disk should be mounted at /mnt/sysimage +3. Copy the new fstab and crypttab to somewhere safe +4. rsync -av [etc, home, opt, root, usr, var] +5. `mount /dev/Y /mnt/sysimage/boot` +6. `mount /dev/Z /mnt/sysimage/boot/efi` +7. `mount --bind /dev /mnt/sysimage/dev` +8. `mount --bind /proc /mnt/sysimage/proc` +9. `mount --bind /sys /mnt/sysimage/sys` +10. `chroot /mnt/sysimage` +11. Edit fstab and crypttab so they match the new partitions +12. Update /etc/default/grub to match the new luks uuid +13. grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg +14. 
reboot + +## Libvirt + +### Snapshots on secure-boot VMs + +```bash +# list snapshots +qemu-img snapshot -l win10.qcow2 + +# create a snapshot +qemu-img snapshot -c 1-welcome win10.qcow2 + +# restore a snapshot +qemu-img snapshot -a 1-welcome win10.qcow2 +``` + +### Connecting to Truenas via virt-manager + +You should be able to use the following custom URL: + +```text +qemu+ssh://root@driveripper.reeserelease.com/system?socket=/run/truenas_libvirt/libvirt-sock +``` + +This assumes the correct socket path from `/etc/libvirt/libvirtd.conf` and ability to log in as the root user via ssh. + +## bluetooth + +### Airpods + +Edit: /etc/bluetooth/main.conf +Set ControllerMode = bredr + +restart bluetooth service +connect airpods +comment line out +restart bluetooth service again + +## ZRAM + +Edit /etc/systemd/zram-generator.conf + +```conf +[zram0] +zram-size = min(ram / 2, 16384) +compression-algorithm = lzo-rle +options = +writeback-device = /dev/zvol/tarta-zoot/swap-writeback +``` + +## Automatic Disk Decryption with TPM2 + +https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a95 + +```bash +# Add decryption key to tpm. +systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4+7 /dev/nvme0n1p3 + +# Wipe old keys and enroll new key. You have to execute this command again after a kernel upgrade. +systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0,2,4,7 + +# Add tpm2 configuration option to /etc/crypttab +luks-$UUID UUID=disk-$UUID none tpm2-device=auto,discard + +# Add rd.luks.options=tpm2-device=auto to grub +grubby --args="rd.luks.options=tpm2-device=auto" --update-kernel=ALL + +dracut -f +``` + +## Firefox GPU Rendering + +https://community.frame.work/t/linux-battery-life-tuning/6665 + +```bash +dnf install intel-media-driver intel-gpu-tools +``` + +Type in about:config in the address bar and hit enter. + +Set media.rdd-ffmpeg.enabled, media.ffmpeg.vaapi.enabled and media.navigator.mediadatadecoder_vpx_enabled to true. 
+ +Close and reopen your browser + +Run the command sudo intel_gpu_top, play a 4k video and check whether the Video section is above 0.00% + +## Gnome Software Updates (packagekitd and software) + +To prevent Gnome Shell from starting Software open Settings->Search and disable Software from there. + +Disable auto-updates + +```bash +dconf write /org/gnome/software/allow-updathe available storage space on our NAS to the iSCSI target and the other halftes false +dconf write /org/gnome/software/download-updates false +``` + +## Hibernate + Secure Boot + +713676533760/4096 = 174237435 diff --git a/framework_manjaro.md b/framework_manjaro.md index e158495..6543413 100644 --- a/framework_manjaro.md +++ b/framework_manjaro.md @@ -319,6 +319,42 @@ Install steam-native from the software manager. | Login | Use a different login | | Login name | ducoterra@icloud.com | +#### Gmail + +| Field | Value | +| ------------------- | --------------------- | +| IMAP server | imap.gmail.com:993 | +| Connection security | TLS | +| Login name | ducoterra@gmail.com | +| SMTP server | smtp.gmail.com:587 | +| Connection security | StartTLS | +| Login | | +| Login name | ducoterra@gmail.com | + +Incoming Mail (IMAP) Server + +imap.gmail.com + +Requires SSL: Yes + +Port: 993 +Outgoing Mail (SMTP) Server + +smtp.gmail.com + +Requires SSL: Yes + +Requires TLS: Yes (if available) + +Requires Authentication: Yes + +Port for SSL: 465 + +Port for TLS/STARTTLS: 587 +Full Name or Display Name Your name +Account Name, User name, or Email address Your full email address +Password Your Gmail password + ### Discord Install discord from software manager diff --git a/hosts b/hosts index 4032f4f..8230a41 100644 --- a/hosts +++ b/hosts @@ -1,11 +1,14 @@ -[pi] +[pis] pihole pivault octopi pi-medina +raspberrypi -[workstation] -localhost +[workstations] +pc +freenas -[backtop] -backtop.dnet +[VMs] +k3os +wireguard diff --git a/pi/README.md b/pi/README.md new file mode 100644 index 0000000..76321c3 --- /dev/null 
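Review bot: The new `### Firewall CMD` steps start and reload a unit named `firewall-cmd`, but firewall-cmd is only the client; the service is `firewalld`, so as written the firewall is never enabled and `--set-default-zone=drop` is applied to nothing — use `systemctl enable --now firewalld` and, if a reload is wanted, `firewall-cmd --reload`. In the Gnome Software section the first `dconf write` line has pasted text inside the key name (`allow-updathe available storage space ... halftes false`); it should read `dconf write /org/gnome/software/allow-updates false`. The TPM2 enrollment binds to PCRs 0, 2, 4 and 7 with no PIN, which means the volume unlocks for anyone who can boot the machine as-is; a sentence noting `--tpm2-with-pin=yes` as the alternative would make that trade-off explicit for whoever copies the runbook.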
+++ b/pi/README.md @@ -0,0 +1,7 @@ +# Debian Ansible Playbooks + +## Wireguard + +```bash +ansible-playbook -i hosts --ask-pass --ask-become-pass pi/pi.yml --extra-vars "hostname=" +``` diff --git a/pi/ansible/hostname/tasks/main.yml b/pi/ansible/hostname/tasks/main.yml new file mode 100644 index 0000000..8343242 --- /dev/null +++ b/pi/ansible/hostname/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Set a hostname + ansible.builtin.hostname: + name: "{{ hostname }}" + become: yes diff --git a/pi/ansible/openssh/tasks/main.yml b/pi/ansible/openssh/tasks/main.yml new file mode 100644 index 0000000..f9d0950 --- /dev/null +++ b/pi/ansible/openssh/tasks/main.yml @@ -0,0 +1,30 @@ +--- +# SSH +- name: Curl SSH trusted CA + get_url: + url: https://vault.ducoterra.net/v1/ssh-client-signer/public_key + dest: /etc/ssh/trusted-user-ca-keys.pem + mode: '0660' + become: yes +- name: Create sshd_config file + copy: + dest: "/etc/ssh/sshd_config" + content: | + Include /etc/ssh/sshd_config.d/*.conf + PasswordAuthentication no + ChallengeResponseAuthentication no + UsePAM yes + KbdInteractiveAuthentication no + X11Forwarding yes + PrintMotd no + AcceptEnv LANG LC_* + Subsystem sftp /usr/lib/openssh/sftp-server + TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem + become: yes +- name: Ensure ssh service started + ansible.builtin.systemd: + name: sshd + state: restarted + daemon_reload: yes + enabled: yes + become: yes diff --git a/pi/ansible/reboot/tasks/main.yml b/pi/ansible/reboot/tasks/main.yml new file mode 100644 index 0000000..1410fec --- /dev/null +++ b/pi/ansible/reboot/tasks/main.yml @@ -0,0 +1,4 @@ +--- +- name: Return motd to registered var + ansible.builtin.command: shutdown -r now + become: yes diff --git a/pi/pi.yml b/pi/pi.yml new file mode 100644 index 0000000..6f17093 --- /dev/null +++ b/pi/pi.yml 
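Review bot: The `Create sshd_config file` task overwrites /etc/ssh/sshd_config and the following task restarts sshd unconditionally, so any mistake in the inline config locks every host out; add `validate: /usr/sbin/sshd -t -f %s` to the copy task and drive the restart from a handler rather than `state: restarted` on every run. The CA key fetched by `Curl SSH trusted CA` is written with `mode: '0660'`, which is more than sshd needs and lets any member of the owning group replace the trust anchor — `mode: '0644'` with root ownership is the usual setting. That file decides who may log in to every Pi, and `get_url` has no `checksum:`, so whoever controls vault.ducoterra.net (or its TLS path) controls SSH access; pin it with `checksum: sha256:...` or ship a vetted copy from the repo. `PermitRootLogin` is not set, so the distribution default applies; state it explicitly if certificate-only, non-root access is the intent.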
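Review bot: The task name `Return motd to registered var` does not describe what the task does, which is `shutdown -r now` through `ansible.builtin.command`; rename it (`- name: Reboot the host`) and prefer `ansible.builtin.reboot:` so the play waits for the host to return instead of leaving a dropped connection. With `command` the task also reports changed on every run, and any task placed after it in the same play would fail against the rebooting host.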
@@ -0,0 +1,10 @@ +--- +# Run through all tasks to setup machines +# https://community.frame.work/t/fedora-linux-35-on-the-framework-laptop/6613/10 +- hosts: raspberrypi + gather_facts: true + order: inventory + roles: + - role: ansible/openssh + - role: ansible/hostname + - role: ansible/reboot diff --git a/qemu_tails.md b/qemu_tails.md new file mode 100644 index 0000000..e79bb58 --- /dev/null +++ b/qemu_tails.md @@ -0,0 +1,8 @@ +# Tails Linux + +## .img to .qcow2 + +```bash +qemu-img convert -f raw -O qcow2 iso/tails-amd64-5.8.img images/tails.qcow2 +qemu-img resize images/tails.qcow2 32G +``` diff --git a/qemu_win10_vm.md b/qemu_win10_vm.md new file mode 100644 index 0000000..9a8d395 --- /dev/null +++ b/qemu_win10_vm.md 
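Review bot: Role order matters here: `ansible/openssh` sets `PasswordAuthentication no` and restarts sshd before `ansible/hostname` and `ansible/reboot` run, yet pi/README.md in this same commit documents invoking the play with `--ask-pass`, so after the reboot a rerun with that command cannot authenticate unless a certificate from the trusted CA already works for the connecting user. Consider verifying certificate login first (or running the openssh role last) and documenting the post-bootstrap invocation. The header comment links the Framework-laptop Fedora thread, which looks copied from fedora/desktop.yml and is unrelated to a Raspberry Pi play; `# Bootstrap a Raspberry Pi: sshd hardening, hostname, reboot` would say what this file does.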
@@ -0,0 +1,48 @@ +# Windows 10 VM with Qemu + +## Create installer iso + +mkisofs -o ~/Downloads/win-install.iso /tmp/windows-installers/ + +## Snapshot qcow2 storage + +```bash +# list +qemu-img snapshot -l win10.qcow2 + +# create +qemu-img snapshot -c $SNAPSHOT_NAME $DISK_IMAGE + +# apply +qemu-img snapshot -a $SNAPSHOT_NAME $DISK_IMAGE + +# delete +qemu-img snapshot -d \ + $SNAPSHOT_NAME \ + $DISK_IMAGE + +``` + +## Setup + +Install and configure windows as normal to start. Boot into the installation and finish the setup. + +## Auto resize display + +1. Ensure the video device is set to "QXL" on the host +2. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +3. Download [spice-guest-tools](https://www.spice-space.org/download.html#windows-binaries) and install on guest +4. Shutdown the guest machine +5. view -> Scale Display -> Auto resize VM with window +6. Start the guest machine, it should now auto resize + +## virtio network driver + +1. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +2. Shutdown the guest machine +3. Change the network device model to virtio +4. Start the guest machine + +## virtio boot disk + +1. Attempted virt-win-guest-tools install but boots with boot_device_not_found error diff --git a/qemu_win11_vm.md b/qemu_win11_vm.md new file mode 100644 index 0000000..cdaed6a --- /dev/null +++ b/qemu_win11_vm.md 
@@ -0,0 +1,56 @@ +# Windows 10 VM with Qemu + +## Bypass Microsoft Account Requirement + +1. shift + f10 to open command prompt during setup +2. `oobe\bypassnro` +3. shift + f10 again to open command prompt +4. `ipconfig /release` to disconnect the internet +5. Continue with limited setup + +## Create installer iso + +mkisofs -o ~/Downloads/win-install.iso /tmp/windows-installers/ + +## Snapshot qcow2 storage + +```bash +# list +qemu-img snapshot -l win10.qcow2 + +# create +qemu-img snapshot -c $SNAPSHOT_NAME $DISK_IMAGE + +# apply +qemu-img snapshot -a $SNAPSHOT_NAME $DISK_IMAGE + +# delete +qemu-img snapshot -d \ + $SNAPSHOT_NAME \ + $DISK_IMAGE + +``` + +## Setup + +Install and configure windows as normal to start. Boot into the installation and finish the setup. + +## Auto resize display + +1. Ensure the video device is set to "QXL" on the host +2. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +3. Download [spice-guest-tools](https://www.spice-space.org/download.html#windows-binaries) and install on guest +4. Shutdown the guest machine +5. view -> Scale Display -> Auto resize VM with window +6. Start the guest machine, it should now auto resize + +## virtio network driver + +1. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +2. Shutdown the guest machine +3. Change the network device model to virtio +4. Start the guest machine + +## virtio boot disk + +1. Attempted virt-win-guest-tools install but boots with boot_device_not_found error diff --git a/qemu_win7.md b/qemu_win7.md new file mode 100644 index 0000000..0efead9 --- /dev/null +++ b/qemu_win7.md 
@@ -0,0 +1,64 @@ +# Windows 10 VM with Qemu + +## Not booting from ISO + +Switch from UEFI to BIOS + +## Valid Key + +27CJD-K74PH-TCGV9-WT67C-QM4RC + +## Bypass Microsoft Account Requirement + +1. shift + f10 to open command prompt during setup +2. `oobe\bypassnro` +3. shift + f10 again to open command prompt +4. `ipconfig /release` to disconnect the internet +5. Continue with limited setup + +## Create installer iso + +mkisofs -o ~/Downloads/win-install.iso /tmp/windows-installers/ + +## Snapshot qcow2 storage + +```bash +# list +qemu-img snapshot -l win10.qcow2 + +# create +qemu-img snapshot -c $SNAPSHOT_NAME $DISK_IMAGE + +# apply +qemu-img snapshot -a $SNAPSHOT_NAME $DISK_IMAGE + +# delete +qemu-img snapshot -d \ + $SNAPSHOT_NAME \ + $DISK_IMAGE + +``` + +## Setup + +Install and configure windows as normal to start. Boot into the installation and finish the setup. + +## Auto resize display + +1. Ensure the video device is set to "QXL" on the host +2. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +3. Download [spice-guest-tools](https://www.spice-space.org/download.html#windows-binaries) and install on guest +4. Shutdown the guest machine +5. view -> Scale Display -> Auto resize VM with window +6. Start the guest machine, it should now auto resize + +## virtio network driver + +1. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +2. Shutdown the guest machine +3. Change the network device model to virtio +4. Start the guest machine + +## virtio boot disk + +1. Attempted virt-win-guest-tools install but boots with boot_device_not_found error diff --git a/qemu_win8.1_vm .md b/qemu_win8.1_vm .md new file mode 100644 index 0000000..45b719a --- /dev/null +++ b/qemu_win8.1_vm .md 
@@ -0,0 +1,64 @@ +# Windows 10 VM with Qemu + +## Display requirements + +QXC doesn't seem to work out of the gate. Virtio is fine, boot using that. + +## Valid Key + +GCRJD-8NW9H-F2CDX-CCM8D-9D6T9 + +## Bypass Microsoft Account Requirement + +1. shift + f10 to open command prompt during setup +2. `oobe\bypassnro` +3. shift + f10 again to open command prompt +4. `ipconfig /release` to disconnect the internet +5. Continue with limited setup + +## Create installer iso + +mkisofs -o ~/Downloads/win-install.iso /tmp/windows-installers/ + +## Snapshot qcow2 storage + +```bash +# list +qemu-img snapshot -l win10.qcow2 + +# create +qemu-img snapshot -c $SNAPSHOT_NAME $DISK_IMAGE + +# apply +qemu-img snapshot -a $SNAPSHOT_NAME $DISK_IMAGE + +# delete +qemu-img snapshot -d \ + $SNAPSHOT_NAME \ + $DISK_IMAGE + +``` + +## Setup + +Install and configure windows as normal to start. Boot into the installation and finish the setup. + +## Auto resize display + +1. Ensure the video device is set to "QXL" on the host +2. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +3. Download [spice-guest-tools](https://www.spice-space.org/download.html#windows-binaries) and install on guest +4. Shutdown the guest machine +5. view -> Scale Display -> Auto resize VM with window +6. Start the guest machine, it should now auto resize + +## virtio network driver + +1. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +2. Shutdown the guest machine +3. Change the network device model to virtio +4. Start the guest machine + +## virtio boot disk + +1. Attempted virt-win-guest-tools install but boots with boot_device_not_found error diff --git a/qemu_win98.md b/qemu_win98.md new file mode 100644 index 0000000..3e89856 --- /dev/null +++ b/qemu_win98.md 
@@ -0,0 +1,74 @@ +# Windows 98 + +The installation process is quite different since Windows 98 will be incompatible +with most of the defaults in virt-manager. + +## Install + +https://en.wikibooks.org/wiki/QEMU/Windows_98 + +https://wiki.gentoo.org/wiki/QEMU/Options#Display_options + +You'll need to install from command line like so: + +```bash +qemu-system-x86_64 \ + -cdrom /var/lib/libvirt/iso/windows98se.iso \ + -boot order=d \ + -drive file=/var/lib/libvirt/images/win98.qcow2 \ + -m 512 \ + -device sb16 \ + -display sdl +``` + +- cdrom allows us to use the ISO image. It's also possible to use virsh to + forward a physical drive to a file, but reading the data from the hard drive + is usually faster. + +- boot allows us to specify the order to d, which is the CD. + +- drive allows us to use the image we just created. + +- enable-kvm turns on hardware acceleration in x86 using the kernel VM. KVM + causes problems on Windows hosts when shutting down the guest and can even + prevent it from starting in some cases. If this occurs, you can safely remove + it from the command. + +- m allocates the guest's RAM. In this case we use 512, but going above it can + be dangerous for Windows 9x. + +- device allows us to add a device driver, in this case, the Creative + SoundBlaster 16 sound card (sb16) to get audio. Standard Windows 98 discs + ship with drivers for it, and if you haven't used this flag while installing, + it would need to scan for it. + +- display allows us to use an alternative display engine rather than GTK+. In + this case, we use Simple DirectMedia Layer because it doesn't conflict as + much with fullscreen support. You can press Ctrl+Alt+F to enter and exit + fullscreen mode and Ctrl+Alt to have QEMU grab or ungrab the keyboard input + and invoke the monitor as usual. 
+ + +## Boot + +We'll boot with the same command we used to install but without the boot parameters + +```bash +qemu-system-x86_64 \ + -drive file=/var/lib/libvirt/images/win98.qcow2 \ + -m 512 \ + -device sb16 \ + -display sdl +``` + + +```bash +sudo qemu-system-i386 \ + -name "Windows 98" \ + -L pc-bios -nodefaults -no-hpet -no-reboot -display sdl \ + -M pc,accel=tcg -cpu pentium3 -m 1024 \ + -drive file=/var/lib/libvirt/images/win98.qcow2 \ + -device VGA -device sb16 -device rtl8139,netdev=net0 \ + -netdev user,id=net0,hostfwd=tcp::8080-:80,hostfwd=tcp::2222-:22 \ + -rtc base=localtime,clock=host +``` diff --git a/qemu_winXP.md b/qemu_winXP.md new file mode 100644 index 0000000..96d566d --- /dev/null +++ b/qemu_winXP.md 
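Review bot: The second `qemu-system-i386` invocation forwards `hostfwd=tcp::8080-:80,hostfwd=tcp::2222-:22` with no bind address, so QEMU listens on every host interface and exposes the Windows 98 guest's ports 80 and 22 to the whole network; if these forwards are for local use, bind them: `-netdev user,id=net0,hostfwd=tcp:127.0.0.1:8080-:80,hostfwd=tcp:127.0.0.1:2222-:22`. The command is also prefixed with `sudo`, which none of the listed options (TCG acceleration, user-mode networking, SDL display) requires, and running the emulator of an unpatched guest as root widens the blast radius of a guest escape. The bullet list explains `enable-kvm`, but neither command in this file passes `-enable-kvm`, so either drop that bullet or add the flag to the install command.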
@@ -0,0 +1,64 @@ +# Windows 10 VM with Qemu + +## Not booting from ISO + +Switch from UEFI to BIOS + +## Valid Key + +4X7WM-GTH3D-DWVCV-H382J-HPMRD + +## Bypass Microsoft Account Requirement + +1. shift + f10 to open command prompt during setup +2. `oobe\bypassnro` +3. shift + f10 again to open command prompt +4. `ipconfig /release` to disconnect the internet +5. Continue with limited setup + +## Create installer iso + +mkisofs -o ~/Downloads/win-install.iso /tmp/windows-installers/ + +## Snapshot qcow2 storage + +```bash +# list +qemu-img snapshot -l win10.qcow2 + +# create +qemu-img snapshot -c $SNAPSHOT_NAME $DISK_IMAGE + +# apply +qemu-img snapshot -a $SNAPSHOT_NAME $DISK_IMAGE + +# delete +qemu-img snapshot -d \ + $SNAPSHOT_NAME \ + $DISK_IMAGE + +``` + +## Setup + +Install and configure windows as normal to start. Boot into the installation and finish the setup. + +## Auto resize display + +1. Ensure the video device is set to "QXL" on the host +2. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +3. Download [spice-guest-tools](https://www.spice-space.org/download.html#windows-binaries) and install on guest +4. Shutdown the guest machine +5. view -> Scale Display -> Auto resize VM with window +6. Start the guest machine, it should now auto resize + +## virtio network driver + +1. Download [virt-win-guest-tools](https://github.com/virtio-win/virtio-win-pkg-scripts) and install on guest +2. Shutdown the guest machine +3. Change the network device model to virtio +4. Start the guest machine + +## virtio boot disk + +1. Attempted virt-win-guest-tools install but boots with boot_device_not_found error diff --git a/truenas.md b/truenas.md new file mode 100644 index 0000000..0b7d5a7 --- /dev/null +++ b/truenas.md 
@@ -0,0 +1,19 @@ +# Truenas Help + +## Virtual Machine Madness + +Sometimes you'll need to modify a vm without the web interface. + +```bash +# start virsh +virsh + +# list clients +list --all + +# connect to the truenas socket +connect qemu:///system?socket=/run/truenas_libvirt/libvirt-sock + +# disable autostart +autostart --disable 1_win10 +```