fix reeselink addresses

2024-08-05 23:05:46 -04:00
parent d8e6ec18ff
commit 602ae8c841
6 changed files with 91 additions and 10 deletions
--- a/cloud/graduated/aws_route53/reeselink.json
+++ b/cloud/graduated/aws_route53/reeselink.json
@@ -113,7 +113,7 @@
                "TTL": 300,
                "ResourceRecords": [
                    {
-                        "Value": "2603:6013:3140:103:7656:3cff:febd:1df8"
+                        "Value": "2603:6013:3140:100:7656:3cff:febd:1df8"
                    }
                ]
            }
--- a/infrastructure/graduated/arch/README.md
+++ b/infrastructure/graduated/arch/README.md
@@ -257,11 +257,17 @@ after we finish the install.
 Don't set a password for single-user systems. We're using full-disk encryption.
 This will let you login with just a fingerprint.

+1. Install `seahorse` if you haven't already
+2. Open the `Passwords and Keys` apps
+3. Create a new Password keyring called "Login"
+4. Do not enter a password
+5. Set it as default
+
 ### Base Tools

 ```bash
 # gvfs and gvfs-dnssd are for webdav support
-pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget man-db
+pacman -S rsync which git iperf3 pwgen dosfstools exfatprogs gvfs gvfs-dnssd wget man-db net-tools
 ```

 ### ZSH
@@ -661,11 +667,39 @@ You can create chroot environments to run firejails or just use for testing purp
 4. Install <https://aur.archlinux.org/pam-fprint-grosshack.git> to use fingerprint with gnome

 In order to use fingerprint auth with gnome for privileged system stuff with gdm,
-edit `/etc/pam.d/system-auth` and add the following to the top of the file:
+edit `/etc/pam.d/system-auth` to include `auth sufficient pam_fprintd_grosshack.so`.

 ```conf
+#%PAM-1.0
+
+auth       required                    pam_shells.so # User must have shell in /etc/shells
+auth       requisite                   pam_nologin.so # Prevents users from loging in if /etc/nologin exists
+auth       required                    pam_faillock.so      preauth # Timeout after certain number of fails
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
 auth       sufficient                  pam_fprintd_grosshack.so
-auth        sufficient      pam_unix.so try_first_pass nullok
+-auth      [success=2 default=ignore]  pam_systemd_home.so
+auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+-account   [success=1 default=ignore]  pam_systemd_home.so
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
+
+-password  [success=1 default=ignore]  pam_systemd_home.so
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
+
+-session   optional                    pam_systemd_home.so
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so
 ```

 ##### Turn Off Fingerprint When Laptop Lid Closed
--- a/infrastructure/graduated/arch/workstation.md
+++ b/infrastructure/graduated/arch/workstation.md
@@ -2,6 +2,7 @@

 - [Workstation](#workstation)
  - [SSH](#ssh)
+  - [Templates](#templates)
  - [Toolbox](#toolbox)
  - [Podman](#podman)
  - [Docker](#docker)
@@ -70,6 +71,16 @@ Host my-host

 You can ssh to that host with `ssh my-host` after adding a config entry.

+## Templates
+
+You can add files in `~/Templates` to give yourself quick-create options in the gnome
+file browser context menu.
+
+```bash
+mkdir ~/Templates
+touch ~/Templates/text.txt
+```
+
 ## Toolbox

 <https://wiki.archlinux.org/title/Toolbox>
@@ -135,6 +146,14 @@ systemctl enable --now libvirtd
 virsh net-autostart default
 ```

+Then edit `/etc/libvirt/network.conf` and add:
+
+```conf
+firewall_backend="iptables"
+```
+
+Make sure to restart libvirtd with `systemctl restart libvirtd`.
+
 If you get a blank screen when launching a VM check that you've used the correct bios -
 either secboot or not secboot. This is the most common problem.

--- a/infrastructure/graduated/qemu/README.md
+++ b/infrastructure/graduated/qemu/README.md
@@ -5,6 +5,7 @@
    - [Restore qcow snapshots](#restore-qcow-snapshots)
    - [Convert qcow to bootable drive](#convert-qcow-to-bootable-drive)
    - [Convert bootable drive to qcow](#convert-bootable-drive-to-qcow)
+  - [ISO](#iso)

 ## QCOW2

@@ -44,3 +45,10 @@ qemu-img convert -f raw -O qcow2 -p /dev/sdd /var/lib/libvirt/images/toshiba.qco
 If you need to resize a windows partition to non-continuous space simply grow the
 last partition, shrink it to the end of the drive, then grow the windows partition
 with gparted.
+
+## ISO
+
+```bash
+pacman -S cdrtools
+mkisofs -r -iso-level 4 -l -o /tmp/arch-files.iso ./arch
+```
--- a/infrastructure/graduated/unifi/README.md
+++ b/infrastructure/graduated/unifi/README.md
@@ -5,6 +5,8 @@
  - [Route53](#route53)
  - [IPV6 EUI64 Address Generation](#ipv6-eui64-address-generation)
    - [NetworkManager](#networkmanager)
+  - [VPN](#vpn)
+    - [IPv6 leak prevention](#ipv6-leak-prevention)

 ## IP Addresses

@@ -45,3 +47,21 @@ nmcli con mod <connection> ipv6.addr-gen-mode eui64
 systemctl restart NetworkManager
 nmcli -f ipv6.addr-gen-mode connection show <connection>
 ```
+
+## VPN
+
+### IPv6 leak prevention
+
+Add the following to the exported wireguard config to block ipv6
+
+```conf
+[Interface]
+PrivateKey = 
+Address = 192.168.4.2/32, fd00::1/128
+DNS = 192.168.4.1
+
+[Peer]
+PublicKey = 
+AllowedIPs = 192.168.4.1/32,192.168.4.2/32,0.0.0.0/0,::0/0
+Endpoint = ipv4.reeseapps.com:51831
+```
--- a/systemd/graduated/ipv4-proxy/vars.yaml
+++ b/systemd/graduated/ipv4-proxy/vars.yaml
@@ -8,7 +8,7 @@ stream_ssl:
  - external:
      domain: gitea.reeseapps.com
    internal:
-      domain: ingress-nginx.reeselink.com
+      domain: ingress-nginx.reeseapps.com
      port: 443
      protocol: https
  - external:
@@ -20,24 +20,24 @@ stream_ssl:
  - external:
      domain: jellyfin.reeseapps.com
    internal:
-      domain: ingress-nginx.reeselink.com
+      domain: ingress-nginx.reeseapps.com
      port: 443
      protocol: https
  - external:
      domain: snapdrop.reeseapps.com
    internal:
-      domain: ingress-nginx.reeselink.com
+      domain: ingress-nginx.reeseapps.com
      port: 443
      protocol: https
  - external:
      domain: bitwarden.reeseapps.com
    internal:
-      domain: ingress-nginx.reeselink.com
+      domain: ingress-nginx.reeseapps.com
      port: 443
      protocol: https

 stream_ports:
  - external: 2222
-    internal: git.reeselink.com:22
+    internal: git.reeseapps.com:22
  - external: 3478
    internal: nextcloud.reeselink.com:3478