diff --git a/arch/base.md b/arch/base.md index 372d160..05a701d 100644 --- a/arch/base.md +++ b/arch/base.md @@ -18,6 +18,7 @@ I have instructions for building a: - [Security](#security) - [Secure Boot](#secure-boot) - [TPM2 LUKS Decryption](#tpm2-luks-decryption) + - [Re-enroll](#re-enroll) - [FIDO2 LUKS Decryption](#fido2-luks-decryption) - [Firewall](#firewall) - [AppArmor](#apparmor) @@ -50,6 +51,7 @@ I have instructions for building a: - [Apps](#apps) - [Firefox](#firefox) - [Gnome Extensions](#gnome-extensions) + - [Avahi (Bonjour)](#avahi-bonjour) - [CUPS Printing](#cups-printing) - [Yubikey](#yubikey) - [Bashrc](#bashrc) @@ -339,6 +341,13 @@ Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure b 1. `pacman -S tpm2-tss` 2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7` +##### Re-enroll + +```bash +systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 +systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 +``` + #### FIDO2 LUKS Decryption 1. `pacman -S libfido2` @@ -946,13 +955,31 @@ Choose noto-fonts 3. dash-to-dock@micxgx.gmail.com 4. tactile@lundal.io -### CUPS Printing +### Avahi (Bonjour) -1. `sudo pacman -S cups cups-pdf avahi system-config-printer` +1. `sudo pacman -S avahi` 2. `sudo vim /etc/nsswitch.conf` ```conf - hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns + hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns + ``` + +3. `sudo vim /etc/mdns.allow` + + ```conf + .local. + .local + ``` + +### CUPS Printing + +Note: you probably need avahi (see above) + +1. `sudo pacman -S cups cups-pdf system-config-printer` +2. `sudo vim /etc/nsswitch.conf` + + ```conf + hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns ``` 3. `sudo systemctl start cups` 
diff --git a/arch/workstation.md b/arch/workstation.md index f746cff..e962b23 100644 --- a/arch/workstation.md +++ b/arch/workstation.md @@ -1,6 +1,9 @@ # Workstation - [Workstation](#workstation) + - [Framework AMD Notes](#framework-amd-notes) + - [Wifi](#wifi) + - [Microcode](#microcode) - [Base Tools](#base-tools) - [ZSH](#zsh) - [Aliases](#aliases) @@ -31,8 +34,38 @@ - [AWS CLI](#aws-cli) - [NSlookup](#nslookup) - [rpi-imager](#rpi-imager) + - [Install rpi-imager](#install-rpi-imager) + - [Upgrade rpi-imager](#upgrade-rpi-imager) - [qFlipper](#qflipper) +## Framework AMD Notes + +### Wifi + +Install the wireless-regdb to set the regulatory domain to US + +```bash +pacman -S wireless-regdb +``` + +Edit /etc/conf.d/wireless-regdom to set the domain + +### Microcode + +```bash +pacman -S amd-ucode +``` + +Edit /boot/loader/entries/.conf and add the following: + +```bash +title Arch Linux (Work) +linux /vmlinuz-linux +initrd /amd-ucode.img +initrd /initramfs-linux.img +options ... +``` + ## Base Tools ```bash @@ -429,7 +462,31 @@ pacman -Syu bind sudo pacman -S cmake qt5-base ``` -follow install instructions +### Install rpi-imager + +```bash +git clone https://github.com/raspberrypi/rpi-imager.git +cd rpi-imager +mkdir -p build +cd build +cmake ../src +make +sudo make install +``` + +### Upgrade rpi-imager + +```bash +```bash +cd rpi-imager +git pull +rm -r build +mkdir -p build +cd build +cmake ../src +make +sudo make install +``` ## qFlipper diff --git a/fedora_server.md b/fedora_server.md new file mode 100644 index 0000000..dac3dd9 --- /dev/null +++ b/fedora_server.md 
@@ -0,0 +1,238 @@ +# Fedora Server + +- [Fedora Server](#fedora-server) + - [First boot](#first-boot) + - [Release Upgrade](#release-upgrade) + - [Tweaks](#tweaks) + - [systemd-cryptenroll](#systemd-cryptenroll) + - [Certbot for Cockpit](#certbot-for-cockpit) + +## First boot + +1. Disable selinux (edit `/etc/selinux/config`) +2. Disable firewall +3. Install all updates +4. Enable automatic security updates +5. Reboot +6. Refresh application page +7. Install Podman application +8. Install Machines application +9. Change hostname +10. Reboot +11. Grow your root volume to max size +12. Create a network bridge (bridge0) +13. Enable metrics in the metrics section + +## Release Upgrade + +```bash +dnf upgrade --refresh +dnf install dnf-plugin-system-upgrade +dnf system-upgrade download --releasever=39 +dnf system-upgrade reboot +``` + +## Tweaks + +1. Stop resolvd from listening on port 53 + +Edit `/etc/systemd/resolved.conf` + +```conf +DNSStubListener=no +``` + +2. Install podman-compose + +```bash +dnf install podman-compose +``` + +## systemd-cryptenroll + +```bash +dnf install tpm2-tss + +# Add decryption key to tpm. +# For machines where prioritizing a secure boot environment is important we need to +# specify --tpm2-pcrs=0+7 -- 0 meaning the firmware has not changed and 7 meaning +# secure boot is enabled +systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 + +# Add tpm2-tss to dracut +# Edit /etc/dracut.conf.d/tpm2.conf +add_dracutmodules+=" tpm2-tss " + +dracut -f +``` + +## Certbot for Cockpit + +During this process you'll pick one node to act as your manager for your other nodes. +You'll only need to cert a single node and then it will connect via ssh over your local +network to the other nodes. + +Create an AWS user which will have route53 access. This is required for certbot's route53 +validation. 
+ +```bash +export username= +aws iam create-user --user-name $username +``` + +You'll also need a policy which allows the user to modify the selected hosted zone: + +(list with `aws route53 list-hosted-zones`) + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "route53:ListHostedZones", + "route53:GetChange" + ], + "Resource": [ + "*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ChangeResourceRecordSets" + ], + "Resource" : [ + "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18" + ] + } + ] +} +``` + +Attach the policy to the user: + +```bash +aws iam attach-user-policy \ + --user-name $username \ + --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink +``` + +Generate credentials: + +```bash +aws iam create-access-key --user-name $username +``` + +On the host machine: + +```bash +sudo su - +mkdir ~/.aws +vim ~/.aws/config +``` + +```conf +[profile default] +region=us-east-2 +``` + +```bash +sudo su - +vim ~/.aws/credentials +``` + +```conf +[default] +aws_access_key_id= +aws_secret_access_key= +``` + +Install the aws cli v2 on the manager node: + +```bash +sudo su - +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +unzip awscliv2.zip +./aws/install +``` + +Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your +hosted zones. 
+ +Now install certbot and acquire a cert using those credentials: + +```bash +sudo su - +export record=orange.reeselink.com +dnf install certbot python3-certbot-dns-route53 +certbot certonly --dns-route53 -d $record + +cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert +cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key + +systemctl restart cockpit.service +``` + +Test the renewal process with: + +```bash +sudo su - +export record=orange.reeselink.com +certbot renew --cert-name $record --dry-run +mkdir -p /usr/lib/scripts +``` + +Create a renewal script in /usr/lib/scripts/certbot-renew.sh + +/usr/lib/scripts/certbot-renew.sh + +```bash +#!/bin/bash + +/usr/bin/certbot renew --cert-name $record +/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert +/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key +``` + +```bash +:%s/$record/yellow.reeselink.com/g + +chmod +x /usr/lib/scripts/certbot-renew.sh +``` + +Now create a systemd oneshot service to run the script + +/etc/systemd/system/certbot-renew.service + +```conf +[Unit] +Description=Certbot Renewal + +[Service] +Type=oneshot +ExecStart=/usr/lib/scripts/certbot-renew.sh +``` + +/etc/systemd/system/certbot-renew.timer + +```conf +[Unit] +Description=Timer for Certbot Renewal + +[Timer] +OnBootSec=300 +OnUnitActiveSec=1w + +[Install] +WantedBy=multi-user.target +``` + +Enable the service + +```bash +systemctl enable --now certbot-renew.timer +``` + +Cockpit now has a valid TLS certificate that auto-renews! diff --git a/octopi.md b/octopi.md new file mode 100644 index 0000000..3a86ae3 --- /dev/null +++ b/octopi.md 
@@ -0,0 +1,81 @@ +# OctoPi Setup + +## GCode Snippers + +### After Pause + +```text +{% if pause_position.x is not none %} +; relative XYZE +G91 +M83 + +; retract filament of 0.8 mm up, move Z slightly upwards and +G1 Z+5 E-0.8 F4500 + +; absolute XYZE +M82 +G90 + +; move to a safe rest position, adjust as necessary +G1 X0 Y0 +{% endif %} +``` + +### After Resume + +```text +{% if pause_position.x is not none %} +; relative extruder +M83 + +; prime nozzle +G1 E-0.8 F4500 +G1 E0.8 F4500 +G1 E0.8 F4500 + +; absolute E +M82 + +; absolute XYZ +G90 + +; reset E +G92 E{{ pause_position.e }} + +; WARNING!!! - use M83 or M82(extruder absolute mode) according what your slicer generates +M83 ; extruder relative mode + +; move back to pause position XYZ +G1 X{{ pause_position.x }} Y{{ pause_position.y }} Z{{ pause_position.z }} F4500 + +; reset to feed rate before pause if available +{% if pause_position.f is not none %}G1 F{{ pause_position.f }}{% endif %} +{% endif %} +``` + +## Plugins + +## Bed Visualizer + +```text +M140 S60 ; starting by heating the bed for nominal mesh accuracy +M117 Homing all axes ; send message to printer display +G28 ; home all axes +M420 S0 ; Turning off bed leveling while probing, if firmware is set + ; to restore after G28 +M117 Heating the bed ; send message to printer display +M190 S60 ; waiting until the bed is fully warmed up +M300 S1000 P500 ; chirp to indicate bed mesh levels is initializing +M117 Creating the bed mesh levels ; send message to printer display +M155 S30 ; reduce temperature reporting rate to reduce output pollution +@BEDLEVELVISUALIZER ; tell the plugin to watch for reported mesh +G29 T ; run bilinear probing +M155 S3 ; reset temperature reporting +M140 S0 ; cooling down the bed +M500 ; store mesh in EEPROM +M300 S440 P200 ; make calibration completed tones +M300 S660 P250 +M300 S880 P300 +M117 Bed mesh levels completed ; send message to printer display +``` 
diff --git a/ubuntu_server.md b/ubuntu_server.md new file mode 100644 index 0000000..8169ee5 --- /dev/null +++ b/ubuntu_server.md 
@@ -0,0 +1,173 @@ +# Ubuntu Server + +## Certbot for Cockpit + +During this process you'll pick one node to act as your manager for your other nodes. +You'll only need to cert a single node and then it will connect via ssh over your local +network to the other nodes. + +Create an AWS user which will have route53 access. This is required for certbot's route53 +validation. + +```bash +export username= +aws iam create-user --user-name $username +``` + +You'll also need a policy which allows the user to modify the selected hosted zone: + +(list with `aws route53 list-hosted-zones`) + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "route53:ListHostedZones", + "route53:GetChange" + ], + "Resource": [ + "*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "route53:ChangeResourceRecordSets" + ], + "Resource" : [ + "arn:aws:route53:::hostedzone/Z0092652G7L97DSINN18" + ] + } + ] +} +``` + +Attach the policy to the user: + +```bash +aws iam attach-user-policy \ + --user-name $username \ + --policy-arn arn:aws:iam::892236928704:policy/certbot-route53-reeselink +``` + +Generate credentials: + +```bash +aws iam create-access-key --user-name $username +``` + +On the host machine: + +```bash +sudo su - +mkdir ~/.aws +vim ~/.aws/config +``` + +```conf +[profile default] +region=us-east-2 +``` + +```bash +sudo su - +vim ~/.aws/credentials +``` + +```conf +[default] +aws_access_key_id= +aws_secret_access_key= +``` + +Install the aws cli v2 on the manager node: + +```bash +sudo su - +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +apt update && apt install -y unzip +unzip awscliv2.zip +./aws/install +``` + +Test your credentials with `aws route53 list-hosted-zones`. You should see as list of your +hosted zones. 
+ +Now install certbot and acquire a cert using those credentials: + +```bash +sudo su - +export record=orange.reeselink.com +apt update && apt install -y certbot python3-certbot-dns-route53 +certbot certonly --dns-route53 -d $record + +cp /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert +cp /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key + +systemctl restart cockpit.service +``` + +Test the renewal process with: + +```bash +sudo su - +export record=orange.reeselink.com +certbot renew --cert-name $record --dry-run +mkdir -p /usr/lib/scripts +``` + +Create a renewal script in /usr/lib/scripts/certbot-renew.sh + +/usr/lib/scripts/certbot-renew.sh + +```bash +#!/bin/bash + +/usr/bin/certbot renew --cert-name $record +/usr/bin/cp -f /etc/letsencrypt/live/$record/fullchain.pem /etc/cockpit/ws-certs.d/50-letsencrypt.cert +/usr/bin/cp -f /etc/letsencrypt/live/$record/privkey.pem /etc/cockpit/ws-certs.d/50-letsencrypt.key +``` + +```bash +:%s/$record/yellow.reeselink.com/g + +chmod +x /usr/lib/scripts/certbot-renew.sh +``` + +Now create a systemd oneshot service to run the script + +/etc/systemd/system/certbot-renew.service + +```conf +[Unit] +Description=Certbot Renewal + +[Service] +Type=oneshot +ExecStart=/usr/lib/scripts/certbot-renew.sh +``` + +/etc/systemd/system/certbot-renew.timer + +```conf +[Unit] +Description=Timer for Certbot Renewal + +[Timer] +OnBootSec=300 +OnUnitActiveSec=1w + +[Install] +WantedBy=multi-user.target +``` + +Enable the service + +```bash +systemctl enable --now certbot-renew.timer +``` + +Cockpit now has a valid TLS certificate that auto-renews!
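Review bot: in arch/base.md, the Re-enroll hunk binds /dev/nvme0n1p2 and /dev/nvme0n1p3 while the enrollment step two lines above it uses /dev/vda2, so a copy-paste run of `--wipe-slot=tpm2` lands on a different disk than the one the section has been describing; either reuse one device variable for both steps or say plainly that the paths are machine-specific. The section also never says when re-enrollment is needed: with `--tpm2-pcrs=7` the sealed key stops unsealing after any Secure Boot key or firmware change (PCR 7 moves) and you are back to the LUKS passphrase, so one sentence to that effect, plus a reminder to confirm a non-TPM passphrase slot still exists (`cryptsetup luksDump <device>`) before wiping the TPM2 slot, would make the step safer to follow.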
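Review bot: in arch/base.md, the Avahi/CUPS hunk switches nsswitch from `mdns_minimal` to `mdns`, which widens what nss-mdns will answer over multicast, and the only thing keeping it to `.local` is the new /etc/mdns.allow file; say so next to the edit, because removing the allow file later would silently let any unresolved name go out on the LAN as an mDNS query. With the allow list in place the two are close to equivalent, so state why the full module is wanted here (if it is the trailing-dot `.local.` form, say that). Two smaller points: the CUPS section repeats the identical nsswitch edit as its step 2 even though it now points at the Avahi section, so the duplicate can go, and "you probably need avahi" reads as optional although `avahi` was removed from the CUPS pacman line; make it a hard prerequisite. A quick check after the change is `getent hosts <printer>.local` plus one non-.local name, to confirm the latter still falls through to resolve/files/dns.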
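Review bot: in arch/workstation.md, the loader entry under Microcode is fenced as `bash` but it is a systemd-boot entry, so tag it `conf` like the repo's other config fragments; the `initrd /amd-ucode.img` line correctly precedes `initrd /initramfs-linux.img`, and since that ordering is what makes early microcode loading work it deserves a sentence rather than being left implicit. The Wifi step says to edit /etc/conf.d/wireless-regdom without showing the line; `WIRELESS_REGDOM="US"` is the form that file expects, and it is worth adding that the setting applies after a reboot and can be confirmed with `iw reg get`.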
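Review bot: in arch/workstation.md, the Upgrade rpi-imager block opens with two consecutive ```bash lines, so the second one closes the fence immediately, the commands render as plain text, and the block's closing ``` then opens a stray fence that swallows the `## qFlipper` heading that follows; delete the duplicate line. Separately, both the install and upgrade blocks build whatever `git clone`/`git pull` leaves at the head of the default branch and then `sudo make install` it; for a tool that writes raw images to removable disks, checking out a release tag (`git checkout <tag>`) before `cmake ../src` is the safer habit and costs one line.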
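Review bot: in fedora_server.md, /usr/lib/scripts/certbot-renew.sh references `$record`, which is only exported in the interactive shell and is unset when the oneshot service runs it, so `certbot renew --cert-name` gets an empty name and the two `cp` lines copy from /etc/letsencrypt/live//; the vim `:%s/$record/yellow.reeselink.com/g` step is meant to bake the name in, but it is shown after the script and substitutes a different host (yellow) from the one the cert was issued for (orange). Hard-code the name in the script, or drop the script and pass the two `cp` commands and the cockpit restart as a certbot `--deploy-hook` so they only run when a cert was actually renewed. Also: `WantedBy=multi-user.target` on a timer works, but `timers.target` is the conventional target; run `systemctl cat certbot-renew.timer` before creating these units, since the certbot package may already ship units with the same names and a file in /etc/systemd/system would override them; the comment above the systemd-cryptenroll line says `--tpm2-pcrs=0+7` while the command uses `--tpm2-pcrs=7`, so pick one and make the comment match; First boot steps 1 and 2 turn off SELinux and the firewall with no reason given, on a server that will expose Cockpit to the network, so either document why (or use permissive mode and open only the Cockpit port) or remove the steps; and ~/.aws/credentials holds a long-lived IAM access key, so `chmod 600` it after writing.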
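Review bot: in octopi.md, `## GCode Snippers` should read `## GCode Snippets`, and `## Bed Visualizer` sits at the same level as `## Plugins` although it is meant to be under it, leaving `## Plugins` as an empty heading; make it `### Bed Visualizer`. In After Pause the comment "retract filament of 0.8 mm up, move Z slightly upwards and" trails off mid-sentence; finish it to match what the following `G1 Z+5 E-0.8 F4500` does (retract 0.8 mm and lift Z 5 mm). The Bed Visualizer script hard-codes a 60 C bed temperature in `M140 S60` and `M190 S60`; a short note that this must match the bed material being calibrated would save a wrong mesh being written with `M500`.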
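Review bot: in ubuntu_server.md, the Certbot section is a near-verbatim copy of the one in fedora_server.md and carries the same defect: certbot-renew.sh uses `$record`, which is unset under the systemd service, and the `:%s/$record/yellow.reeselink.com/g` step substitutes a different host from the `orange.reeselink.com` the cert was issued for. On Ubuntu the `certbot` apt package already installs its own renewal timer, so the hand-rolled certbot-renew.service/.timer pair duplicates that work; the cleaner fix is to delete the script and timer and put the two `cp` commands plus `systemctl restart cockpit.service` in a deploy hook under /etc/letsencrypt/renewal-hooks/deploy/, which certbot runs only after a successful renewal. Consider keeping this procedure in one shared document and linking to it from both server pages so the two copies cannot drift.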