incubate freeipa server

2024-08-13 10:30:03 -04:00
parent 449c0cddbb
commit 596c214b5a
4 changed files with 128 additions and 7 deletions


@@ -113,7 +113,20 @@
"TTL": 300, "TTL": 300,
"ResourceRecords": [ "ResourceRecords": [
{ {
"Value": "2603:6013:3140:100:7656:3cff:febd:1df8" "Value": "2603:6013:3140:103:7656:3cff:febd:1df8"
}
]
}
},
{
"Action": "UPSERT",
"ResourceRecordSet": {
"Name": "freeipa.reeselink.com",
"Type": "AAAA",
"TTL": 300,
"ResourceRecords": [
{
"Value": "2603:6013:3140:100:2a0:98ff:fe20:c1c7"
} }
] ]
} }
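Review bot: the new UPSERT for freeipa.reeselink.com publishes an AAAA inside the 2603:6013:3140:100::/64 prefix while the record directly above it is being moved from :100 to :103 in the same change batch; confirm the FreeIPA host really lives on the :100 network, since the new FreeIPA guide's "Ensure you have a DNS entry pointing to your host" step depends on this record being right. Only an AAAA is added, so the host is reachable by name over IPv6 only; add a matching A record if any client or the ipa-server-install host check needs IPv4.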


@@ -31,6 +31,7 @@ instructions for building a:
- [Snapshots](#snapshots) - [Snapshots](#snapshots)
- [Backups](#backups) - [Backups](#backups)
- [Backing up a snapshot](#backing-up-a-snapshot) - [Backing up a snapshot](#backing-up-a-snapshot)
- [Restoring a snapshot](#restoring-a-snapshot)
- [Chroots](#chroots) - [Chroots](#chroots)
- [Hardware Management](#hardware-management) - [Hardware Management](#hardware-management)
- [Power Profiles](#power-profiles) - [Power Profiles](#power-profiles)
@@ -469,6 +470,7 @@ systemctl enable --now ufw
#### btrbk #### btrbk
```bash ```bash
sudo pacman -S mbuffer # for progress monitoring
cd Downloads cd Downloads
wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk wget https://raw.githubusercontent.com/digint/btrbk/master/btrbk
clamdscan . clamdscan .
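Review bot: the comment on `sudo pacman -S mbuffer # for progress monitoring` undersells why it is here: btrbk's `--progress` option, which this commit switches on in the service unit, requires mbuffer, so it is a dependency of the new ExecStart line rather than an optional monitor; say so in the comment. It is also the only command in this block carrying `sudo`, while the following `cd Downloads`, `wget` and `clamdscan .` lines run unprivileged; keep the privilege convention consistent within the block.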
@@ -627,7 +629,7 @@ Now set up the backup:
Description=Runs btrbk with config file at /etc/btrbk/backups.conf Description=Runs btrbk with config file at /etc/btrbk/backups.conf
[Service] [Service]
ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf -v run ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf --progress run
``` ```
3. Create a timer to activate the service 3. Create a timer to activate the service
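Review bot: swapping `-v` for `--progress` in ExecStart drops btrbk's verbose per-subvolume log from the journal and adds a progress bar that only makes sense on a terminal; under systemd stderr goes to the journal, so the mbuffer progress output becomes noise there while the useful log lines disappear. Suggest keeping the unit verbose, `ExecStart=/usr/bin/btrbk -c /etc/btrbk/backups.conf -v run`, and reserving `--progress` for interactive runs of btrbk.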
@@ -662,6 +664,17 @@ pacman -S pv
btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscsi
``` ```
##### Restoring a snapshot
```bash
export ROOT_SNAPSHOT_NAME=<name>
export HOME_SNAPSHOT_NAME=<name>
rsync -av --delete /btr_pools/root/.snapshots/${ROOT_SNAPSHOT_NAME}/ /btr_pools/root/root/
rsync -av --delete /btr_pools/root/.snapshots/${HOME_SNAPSHOT_NAME}/ /btr_pools/root/home/
pacman -Syu # This is only required if you're restoring a snapshot from an old kernel
reboot
```
#### Chroots #### Chroots
You can create chroot environments to run firejails or just use for testing purposes. You can create chroot environments to run firejails or just use for testing purposes.
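Review bot: the new "Restoring a snapshot" block restores with `rsync -av --delete`, but `-a` does not carry ACLs, extended attributes, file capabilities or hard links, so the restored root loses security xattrs and capability bits; use `rsync -aAXHv --delete` for both the root and home lines. Separately, writing into `/btr_pools/root/root/` while the system is booted from that subvolume is fragile; since the sources are btrfs snapshots, the cleaner restore is a writable `btrfs subvolume snapshot` of the chosen snapshot followed by switching the mount or default subvolume to it, or running these commands from a live environment. The `<name>` placeholders should also tell the reader where to list candidate names (the `.snapshots` directory used in the rsync paths).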


@@ -3,6 +3,7 @@
- [Fedora Server](#fedora-server) - [Fedora Server](#fedora-server)
- [Installation](#installation) - [Installation](#installation)
- [Setup SSH](#setup-ssh) - [Setup SSH](#setup-ssh)
- [DNF](#dnf)
- [Fail2Ban](#fail2ban) - [Fail2Ban](#fail2ban)
- [Automatic Updates](#automatic-updates) - [Automatic Updates](#automatic-updates)
- [Disable Swap](#disable-swap) - [Disable Swap](#disable-swap)
@@ -36,15 +37,15 @@ ssh-copy-id -o PubkeyAuthentication=no -i ~/.ssh/id_"$SSH_HOST"_rsa.pub ducoterr
cat <<EOF >> ~/.ssh/config cat <<EOF >> ~/.ssh/config
Host $SSH_HOST Host ${SSH_HOST}
Hostname "$SSH_HOST".reeselink.com Hostname ${SSH_HOST}.reeselink.com
User root User root
ProxyCommand none ProxyCommand none
ForwardAgent no ForwardAgent no
ForwardX11 no ForwardX11 no
Port 22 Port 22
KeepAlive yes KeepAlive yes
IdentityFile ~/.ssh/id_"$SSH_HOST"_rsa IdentityFile ~/.ssh/id_${SSH_HOST}_rsa
EOF EOF
``` ```
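Review bot: the quoting change is correct: the heredoc delimiter is unquoted (`cat <<EOF >> ~/.ssh/config`), so the old `"$SSH_HOST"` wrote literal double quotes into the config, producing `Hostname "host".reeselink.com` and an `IdentityFile ~/.ssh/id_"host"_rsa` path that ssh could not open; `${SSH_HOST}` expands cleanly. The hunk header still shows `ssh-copy-id ... -i ~/.ssh/id_"$SSH_HOST"_rsa.pub` in the old form; that one works because the shell consumes the quotes there, but switching it to `${SSH_HOST}` as well keeps the document consistent.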
@@ -60,18 +61,29 @@ passwd
sudo su - sudo su -
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/01-prohibit-password.conf
echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-wheel echo '%wheel ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/01-nopasswd-wheel
systemctl restart sshd
``` ```
On the operator: On the operator:
```bash ```bash
# Test if you can SSH with a password # Test if you can SSH with a password
ssh -o PubkeyAuthentication=no ducoterra@"$SSH_HOST".reeselink.com ssh -o PubkeyAuthentication=no ducoterra@${SSH_HOST}.reeselink.com
# Test that you can log into the server with ssh config # Test that you can log into the server with ssh config
ssh $SSH_HOST ssh $SSH_HOST
``` ```
## DNF
Configure dnf to use the fastest mirror:
```bash
echo 'fastestmirror=1' >> /etc/dnf/dnf.conf
dnf clean all
dnf update
```
## Fail2Ban ## Fail2Ban
On the server: On the server:
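Review bot: the added `systemctl restart sshd` is what actually applies the `PasswordAuthentication no` drop-in, so guard it with a config check first, `sshd -t && systemctl restart sshd`, and validate the sudoers drop-in with `visudo -cf /etc/sudoers.d/01-nopasswd-wheel` before relying on it; a typo in either file otherwise leaves the host with no working login. The operator-side comment `# Test if you can SSH with a password` now describes a check that must fail after the restart; say so explicitly so that a successful password login is recognised as a misconfiguration rather than a pass. In the new DNF section, `echo 'fastestmirror=1' >> /etc/dnf/dnf.conf` appends on every run and duplicates the key when the guide is replayed; guard it with `grep -q '^fastestmirror=' /etc/dnf/dnf.conf || echo 'fastestmirror=1' >> /etc/dnf/dnf.conf`, and `dnf update` will prompt interactively unless `-y` is given.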
@@ -86,7 +98,7 @@ cat <<EOF > /etc/fail2ban/jail.local
# Adjust the default configuration's default values # Adjust the default configuration's default values
[DEFAULT] [DEFAULT]
# Optional enter an trusted IP never to ban # Optional enter an trusted IP never to ban
ignoreip = 2600:1700:1e6c:a81f::0/64 # ignoreip = 2600:1700:1e6c:a81f::0/64
bantime = 6600 bantime = 6600
backend = auto backend = auto
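Review bot: commenting out `ignoreip = 2600:1700:1e6c:a81f::0/64` removes the exemption for that network, so with `bantime = 6600` an operator on it who mistypes a few logins is locked out for nearly two hours; if the intent is to keep the home prefix out of the repository, replace it with a placeholder or source the value from an untracked local file rather than disabling the setting altogether. The adjacent comment `# Optional enter an trusted IP never to ban` should read "Optionally enter a trusted IP never to ban".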


@@ -0,0 +1,83 @@
# FreeIPA
An AD Server.
This guide assumes Fedora 40+.
## Quickstart
<https://www.freeipa.org/page/Quick_Start_Guide>
- Set your hostname to your server's fqdn with `hostnamectl hostname freeipa.reeselink.com`
- Ensure you have a DNS entry pointing to your host
- Open ports:
```bash
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
```
- Set a permanet DNS resolver: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf`
- Disable NetworkManager DNS management
```bash
vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
```
- Restart NetworkManager: `systemctl restart NetworkManager`
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
- Install freeipa: `dnf install -y freeipa-server freeipa-server-dns`
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
- Authenticate as admin: `kinit admin`
## Adding a user
- `ipa user-add`
- `ipa passwd <user>`
- `kinit <user>`
## Arch Client
- Install krb5: `pacman -S krb5`
- Edit /etc/krb5.conf to match your server
```conf
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
```
- Log in with your user: `kinit <user>`
- List your tickets: `klist`
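Review bot: `sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf` does not work as written, because the `>` redirection is performed by the unprivileged shell before sudo runs and fails with permission denied; use `echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf`. The same step spells "permanent" as "permanet". Pointing the resolver at 1.1.1.1 also sits awkwardly next to installing `freeipa-server-dns`: with the integrated DNS the server is expected to resolve through itself (`ipa-server-install --setup-dns` arranges that), so the guide should say whether the integrated DNS is actually used. The firewall step opens only `freeipa-ldap` and `freeipa-ldaps`; Kerberos (88 and 464), HTTP/HTTPS and DNS stay closed, which breaks `kinit` from the Arch client configured below, so use firewalld's `freeipa-4` service (plus `dns` when the integrated DNS is used). "An AD Server." is inaccurate: FreeIPA is a Kerberos/LDAP identity management server, not Active Directory. In the Arch client block, `vim /etc/krb5.conf` is a shell command inside a `conf` fence and should move out of it, and the `pkinit_anchors`/`pkinit_pool` paths under /var/lib/ipa-client/ only exist after ipa-client-install has run, so on a bare `pacman -S krb5` client they should be dropped or the guide should say where the CA bundle comes from.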