diff --git a/cloud/graduated/aws_route53/reeselink.json b/cloud/graduated/aws_route53/reeselink.json index ddb6b7f..997a6ee 100644 --- a/cloud/graduated/aws_route53/reeselink.json +++ b/cloud/graduated/aws_route53/reeselink.json @@ -113,7 +113,20 @@ "TTL": 300, "ResourceRecords": [ { - "Value": "2603:6013:3140:100:7656:3cff:febd:1df8" + "Value": "2603:6013:3140:103:7656:3cff:febd:1df8" + } + ] + } + }, + { + "Action": "UPSERT", + "ResourceRecordSet": { + "Name": "freeipa.reeselink.com", + "Type": "AAAA", + "TTL": 300, + "ResourceRecords": [ + { + "Value": "2603:6013:3140:100:2a0:98ff:fe20:c1c7" } ] } diff --git a/infrastructure/graduated/arch/README.md b/infrastructure/graduated/arch/README.md index 2095b8c..cad8860 100644 --- a/infrastructure/graduated/arch/README.md +++ b/infrastructure/graduated/arch/README.md @@ -31,6 +31,7 @@ instructions for building a: - [Snapshots](#snapshots) - [Backups](#backups) - [Backing up a snapshot](#backing-up-a-snapshot) + - [Restoring a snapshot](#restoring-a-snapshot) - [Chroots](#chroots) - [Hardware Management](#hardware-management) - [Power Profiles](#power-profiles) @@ -469,6 +470,7 @@ systemctl enable --now ufw #### btrbk ```bash +sudo pacman -S mbuffer # for progress monitoring cd Downloads wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk clamdscan . @@ -627,7 +629,7 @@ Now set up the backup: Description=Runs btrbk with config file at /etc/btrbk/backups.conf [Service] - ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf -v run + ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf --progress run ``` 3. Create a timer to activate the service 
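Review bot: The new UPSERT publishes an AAAA record for `freeipa.reeselink.com` in what looks like a public hosted zone, while the FreeIPA README added in the same commit opens the `freeipa-ldap` and `freeipa-ldaps` firewalld services with no source restriction, so if that global address is routed the directory service is reachable from anywhere — confirm that is intended, or serve the name from the IPA-managed internal DNS instead. The first record's address also moves from the `...:100:...` to the `...:103:...` prefix with nothing in the file explaining why; a ChangeBatch `"Comment"` field would carry that. The enclosing `Changes` array starts before this hunk.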
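Review bot: Replacing `-v` with `--progress` on the `ExecStart` line drops btrbk's verbose per-subvolume output from the journal, and a progress bar is presumably meant for an interactive terminal rather than an unattended systemd unit, so the trade is noise for a lost audit trail; keeping both, `ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf -v --progress run`, preserves the log lines. The earlier hunk that adds `sudo pacman -S mbuffer` should name the dependency it satisfies in its comment, e.g. `sudo pacman -S mbuffer # required by btrbk --progress`, since the two changes only make sense together.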
@@ -662,6 +664,17 @@ pacman -S pv btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi ``` +##### Restoring a snapshot + +```bash +export ROOT_SNAPSHOT_NAME= +export HOME_SNAPSHOT_NAME= +rsync -av --delete /btr_pools/root/.snapshots/${ROOT_SNAPSHOT_NAME}/ /btr_pools/root/root/ +rsync -av --delete /btr_pools/root/.snapshots/${HOME_SNAPSHOT_NAME}/ /btr_pools/root/home/ +pacman -Syu # This is only required if you're restoring a snapshot from an old kernel +reboot +``` + #### Chroots You can create chroot environments to run firejails or just use for testing purposes. diff --git a/infrastructure/graduated/fedora/README.md b/infrastructure/graduated/fedora/README.md index 25164d5..2eeadfe 100644 --- a/infrastructure/graduated/fedora/README.md +++ b/infrastructure/graduated/fedora/README.md @@ -3,6 +3,7 @@ - [Fedora Server](#fedora-server) - [Installation](#installation) - [Setup SSH](#setup-ssh) + - [DNF](#dnf) - [Fail2Ban](#fail2ban) - [Automatic Updates](#automatic-updates) - [Disable Swap](#disable-swap) @@ -36,15 +37,15 @@ ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_"$SSH_HOST"_rsa.pub ducoterr cat <> ~/.ssh/config -Host $SSH_HOST - Hostname "$SSH_HOST".reeselink.com +Host ${SSH_HOST} + Hostname ${SSH_HOST}.reeselink.com User root ProxyCommand none ForwardAgent no ForwardX11 no Port 22 KeepAlive yes - IdentityFile ~/.ssh/id_"$SSH_HOST"_rsa + IdentityFile ~/.ssh/id_${SSH_HOST}_rsa EOF ``` 
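Review bot: The two `rsync -av --delete` lines expand `${ROOT_SNAPSHOT_NAME}` and `${HOME_SNAPSHOT_NAME}` with no guard, and the `export` lines just above deliberately leave them empty for the reader to fill in, so running the block as pasted makes the source `/btr_pools/root/.snapshots//` and rsync then deletes everything under the live root and home that is not in the snapshots directory. Use `${ROOT_SNAPSHOT_NAME:?}` and `${HOME_SNAPSHOT_NAME:?}` so the shell aborts when a name was not set, and quote the paths. For a root filesystem restore `-a` alone also drops ACLs, xattrs (file capabilities, security labels) and hard links, so `rsync -aAXH --delete "/btr_pools/root/.snapshots/${ROOT_SNAPSHOT_NAME:?}/" /btr_pools/root/root/` is the safer form, and a `--dry-run` pass before the real one is worth a line in the guide.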
@@ -60,18 +61,29 @@ passwd sudo su - echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-wheel +systemctl restart sshd ``` On the operator: ```bash # Test if you can SSH with a password -ssh -o PubkeyAuthentication=no ducoterra@"$SSH_HOST".reeselink.com +ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com # Test that you can log into the server with ssh config ssh $SSH_HOST ``` +## DNF + +Configure dnf to use the fastest mirror: + +```bash +echo 'fastestmirror=1' >> /etc/dnf/dnf.conf +dnf clean all +dnf update +``` + ## Fail2Ban On the server: @@ -86,7 +98,7 @@ cat < /etc/fail2ban/jail.local # Adjust the default configuration's default values [DEFAULT] # Optional enter an trusted IP never to ban -ignoreip = 2600:1700:1e6c:a81f::0/64 +# ignoreip = 2600:1700:1e6c:a81f::0/64 bantime = 6600 backend = auto diff --git a/systemd/incubating/freeipa/README.md b/systemd/incubating/freeipa/README.md new file mode 100644 index 0000000..57cda3b --- /dev/null +++ b/systemd/incubating/freeipa/README.md 
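Review bot: `systemctl restart sshd` is added directly after the `PasswordAuthentication no` drop-in is written, with no syntax check between them, and a malformed drop-in takes the only remote login path down with the restart; validate first, `sshd -t && systemctl restart sshd`, and tell the reader to keep the current session open until a second key-based login succeeds. The `## DNF` block appends `fastestmirror=1` unconditionally, so re-running the guide duplicates the line; `grep -q '^fastestmirror=1' /etc/dnf/dnf.conf || echo 'fastestmirror=1' >> /etc/dnf/dnf.conf` keeps it idempotent.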
@@ -0,0 +1,83 @@
+# FreeIPA
+
+An AD Server.
+
+This guide assumes Fedora 40+.
+
+## Quickstart
+
+
+
+- Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
+- Ensure you have a DNS entry pointing to your host
+- Open ports:
+
+```bash
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
+```
+
+- Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
+- Disable NetworkManager DNS management
+
+```bash
+vim /etc/NetworkManager/NetworkManager.conf
+
+[main]
+dns=none
+```
+
+- Restart NetworkManager: `systemctl restart NetworkManager`
+- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
+- Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
+- Install the server (mostly choose defaults and sane options): `ipa-server-install`
+- Authenticate as admin: `kinit admin`
+
+## Adding a user
+
+- `ipa user-add`
+- `ipa passwd `
+- `kinit `
+
+## Arch Client
+
+- Install krb5: `pacman -S krb5`
+- Edit /etc/krb5.conf to match your server
+
+```conf
+vim /etc/krb5.conf
+
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ default_realm = REESELINK.COM
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
+ rdns = false
+ ticket_lifetime = 24h
+ forwardable = true
+ udp_preference_limit = 0
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+[realms]
+ REESELINK.COM = {
+ kdc = freeipa.reeselink.com:88
+ master_kdc = freeipa.reeselink.com:88
+ kpasswd_server = freeipa.reeselink.com:464
+ admin_server = freeipa.reeselink.com:749
+ default_domain = reeselink.com
+ pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
+ pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
+}
+
+[domain_realm]
+ .reeselink.com = REESELINK.COM
+ reeselink.com = REESELINK.COM
+ freeipa.reeselink.com = REESELINK.COM
+```
+
+- Log in with your user: `kinit `
+- List your tickets: `klist`
\ No newline at end of file
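Review bot: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf` does not do what the bullet says: only `echo` runs under sudo, the `>` redirection is performed by the caller's unprivileged shell, so the write fails — and since the rest of the guide runs as root the `sudo` is superfluous anyway; `echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf`, or a plain `echo "nameserver 1.1.1.1" > /etc/resolv.conf` as root, is the working form. The firewall lines open `freeipa-ldap` and `freeipa-ldaps` for every source, so the guide should state which networks are expected to reach the directory or bind the services to a restricted zone. In the Arch client config the `pkinit_anchors` and `pkinit_pool` paths under `/var/lib/ipa-client/pki/` are normally created by `ipa-client-install`, which this section never runs, so they presumably will not exist on a host that only installed `krb5` — either drop those two lines or add a step that copies the CA bundle there. "permanet" in the resolver bullet is a typo for "permanent".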