diff --git a/hardware/graduated/unifi/README.md b/hardware/graduated/unifi/README.md new file mode 100644 index 0000000..8b14a08 --- /dev/null +++ b/hardware/graduated/unifi/README.md @@ -0,0 +1,15 @@ +# Unifi + +## WiFi + +As of Aug 2024, auto seems to give the best results. + +![Unifi Wifi Example](../../images/wifi.png) + +![Unifi 6 Enterprise](../../images/u6e.png) + +![Unifi 7 Pro](../../images/u7pro.png) + +## Firewall + +![Unifi v6 Firewall](../../images/firewall_accept.png) \ No newline at end of file diff --git a/hardware/images/firewall_accept.png b/hardware/images/firewall_accept.png new file mode 100644 index 0000000..163bccc Binary files /dev/null and b/hardware/images/firewall_accept.png differ diff --git a/hardware/images/u6e.png b/hardware/images/u6e.png new file mode 100644 index 0000000..f071269 Binary files /dev/null and b/hardware/images/u6e.png differ diff --git a/hardware/images/u7pro.png b/hardware/images/u7pro.png new file mode 100644 index 0000000..7fd1750 Binary files /dev/null and b/hardware/images/u7pro.png differ diff --git a/hardware/images/wifi.png b/hardware/images/wifi.png new file mode 100644 index 0000000..da2002b Binary files /dev/null and b/hardware/images/wifi.png differ diff --git a/infrastructure/graduated/arch/README.md b/infrastructure/graduated/arch/README.md index 16da1af..9a97a5a 100644 --- a/infrastructure/graduated/arch/README.md +++ b/infrastructure/graduated/arch/README.md @@ -13,7 +13,8 @@ I have instructions for building a: - [Table of Contents](#table-of-contents) - [Installation](#installation) - [Preparation](#preparation) - - [Boot](#boot) + - [Installation](#installation-1) + - [Gnome Keyring](#gnome-keyring) - [Base Tools](#base-tools) - [ZSH](#zsh) - [Prompt Themes](#prompt-themes) 
@@ -24,9 +25,6 @@ I have instructions for building a: - [Re-enroll](#re-enroll) - [FIDO2 LUKS Decryption](#fido2-luks-decryption) - [Firewall](#firewall) - - [AppArmor](#apparmor) - - [Install Apparmor](#install-apparmor) - - [Custom Profiles](#custom-profiles) - [ClamAV](#clamav) - [btrbk](#btrbk) - [fstab](#fstab) @@ -45,21 +43,15 @@ I have instructions for building a: - [Don't sleep while plugged in](#dont-sleep-while-plugged-in) - [Bluetooth](#bluetooth) - [Audio](#audio) - - [ISCSI](#iscsi) - [Software Stores](#software-stores) - [AppImage Support](#appimage-support) - [Troubleshooting](#troubleshooting) - [Flatpak](#flatpak) - [Apps](#apps) - - [Toolbox](#toolbox) - [Firefox](#firefox) - [Gnome Extensions](#gnome-extensions) - [Avahi (Bonjour)](#avahi-bonjour) - [CUPS Printing](#cups-printing) - - [Yubikey](#yubikey) - - [Bashrc](#bashrc) - - [Colorized Prompt](#colorized-prompt) - - [Standard Bashrc](#standard-bashrc) ## Installation @@ -89,7 +81,7 @@ Follow most of the instructions here: 4. Disable secureboot (reenable later) -### Boot +### Installation You'll want two usb drives while following this guide. One will be the Arch boot drive. The other will be a support drive with critical files and passwords which we will need to access @@ -259,6 +251,12 @@ after we finish the install. 54. `exit` 55. `reboot` + +### Gnome Keyring + +Don't set a password for single-user systems. We're using full-disk encryption. +This will let you login with just a fingerprint. + ### Base Tools ```bash @@ -388,7 +386,7 @@ Security Philosophy to custom. 2. `pacman -S efitools sbctl` -3. `cd /root/` +3. `cd /btr_pools/root/support/` 4. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done` 5. `sbctl create-keys` 6. `sbctl enroll-keys -m` 
@@ -412,13 +410,13 @@ You can optionally allow tpm2 decryption only while secure boot is active. Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled. 1. `pacman -S tpm2-tss` -2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7` +2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt` ##### Re-enroll ```bash -systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 -systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 +systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt +systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt ``` #### FIDO2 LUKS Decryption 
@@ -432,89 +430,6 @@ pacman -S ufw systemctl enable --now ufw ``` -#### AppArmor - -##### Install Apparmor - -Apparmor protects your system by limiting the access binaries have to specific files. -All binaries which are protected by apparmor profiles have a whitelist of allowed -paths they can touch, even if they run as root. - -1. `pacman -S apparmor` -2. `systemctl enable --now apparmor` -3. `systemctl enable --now auditd` -4. Add the correct kernel parameters - - /boot/loaders/entries/main.conf - - ```conf - title Arch Linux - ... - options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1... - ``` - -5. `reboot` - -##### Custom Profiles - -You will likely need to create custom profiles for your apps. There are a few ways to -do this but the least painful ways are as follows: - -1. A profile already exists in `/usr/share/apparmor/extra-profiles/` - - Check here first. More than likely there's a good starting point. This will probably - need to be tuned but you can (and should) copy it to /etc/apparmor.d - -2. No profile exists in `/usr/share/apparmor/extra-profiles/` - - You can use `aa-genprof ` to generate a profile for that binary and begin - listening to log events. Then, launch the application and use it as intended. When - you've done what you consider to be the typical use-case you should. - - 1. Press `s` until it begins recommending additions to your profile - 2. Use (A) or (D) to add or deny paths - 3. Use (G) to glob a path - 4. Use (N) to write a custom path - 5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile - 6. When done, (F) to finish and (S) to save. - 7. Use `apparmor_parser -r /etc/apparmor.d/` to reload the profile - 8. Run `aa-enforce /etc/apparmor.d/` to set to enforce mode - 9. Try to launch the app. It will probably crash - 10. 
Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/`, launch app, repeat until it works - 11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`. - -From - -```text -Access Modes - File permission access modes consists of combinations of the following modes: - - r - read - w - write -- conflicts with append - a - append -- conflicts with write - ux - unconfined execute - Ux - unconfined execute -- scrub the environment - px - discrete profile execute - Px - discrete profile execute -- scrub the environment - cx - transition to subprofile on execute - Cx - transition to subprofile on execute -- scrub the environment - ix - inherit execute - pix - discrete profile execute with inherit fallback - Pix - discrete profile execute with inherit fallback -- scrub the environment - cix - transition to subprofile on execute with inherit fallback - Cix - transition to subprofile on execute with inherit fallback -- scrub the - environment - pux - discrete profile execute with fallback to unconfined - PUx - discrete profile execute with fallback to unconfined -- scrub the environment - cux - transition to subprofile on execute with fallback to unconfined - CUx - transition to subprofile on execute with fallback to unconfined -- scrub the - environment - deny x - disallow execute (in rules with the deny qualifier) - m - allow PROT_EXEC with mmap(2) calls - l - link - k - lock -``` - #### ClamAV 1. `pacman -S clamav` 
@@ -729,11 +644,12 @@ btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscs You can create chroot environments to run firejails or just use for testing purposes. -1. `btrfs sub create /chroots` -2. `mkdir /testing` -3. `pacman -S arch-install-scripts` -4. `pacstrap -K /chroots/testing/ base base-devel` -5. `arch-chroot /chroots/testing` +1. `cd /btr_pools/root` +2. `btrfs sub create chroots` +3. `mkdir /btr_pools/root/chroots/testing` +4. `pacman -S arch-install-scripts` +5. `pacstrap -K /btr_pools/root/chroots/testing base base-devel` +6. `arch-chroot /btr_pools/root/chroots/testing` #### Fingerprint Reader Support @@ -907,55 +823,6 @@ Without pipewire-pulse the audio level/device will reset every reboot. 1. `pacman -S pipewire-pulse` (remove conflicting packages) -### ISCSI - -```bash -pacman -S open-iscsi -systemctl enable --now iscsid -``` - -1. Add auth login - - /etc/iscsi/iscsid.conf - - ```conf - node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5 - node.session.auth.username = username - node.session.auth.password = password - ``` - -2. Initiate and login to the portal - - ```bash - # Add a new target to your list of nodes - iscsiadm \ - -m discovery \ - -t st \ - -p driveripper.reeselink.com - - # Login to the target - iscsiadm \ - -m node \ - --targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \ - -p driveripper.reeselink.com:3260 \ - --login - - # or login to all targets - iscsiadm -m node --loginall all - - # View current session - iscsiadm -m session - - # Log out of all sessions - iscsiadm -m node -u - - # Log out of a single session - iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:2024-01-framework --logout - - # Remove session - iscsiadm -m node -o delete -T iqn.2023-01.driveripper.reeselink.com:2023-01-framework - ``` - ## Software Stores ### AppImage Support 
@@ -993,24 +860,6 @@ pacman -S flatpak ## Apps -### Toolbox - - - -Toolbox is a containerized workstation service via podman. - -```bash -# select "crun" when prompted -pacman -S toolbox - -toolbox create - -toolbox enter - -sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile -``` - - ### Firefox You'll want firefox and gnome-browser-connector (for gnome extension management). 
@@ -1046,140 +895,17 @@ Choose noto-fonts ### CUPS Printing -Note: you probably need avahi (see above) +Note: you need [avahi](#avahi-bonjour) for auto-discovery. -1. `sudo pacman -S cups cups-pdf system-config-printer` -2. `sudo vim /etc/nsswitch.conf` - - ```conf - hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns - ``` - -3. `sudo systemctl start cups` -4. `sudo systemctl start avahi-daemon` - -### Yubikey - -You'll need the yubikey manager appimage in addition to the pacman package - -```bash -sudo pacman -S yubikey-manager -``` - -Reboot and things should work. You might also have to start pcscd: - -```bash -sudo systemctl enable --now pcscd -``` - -## Bashrc - -### Colorized Prompt - - - -You can change the prompt color by setting PROMPT_COLOR at the top of your .bashrc - -Examples: - -Yellow: `PROMPT_COLOR=33;` -Orange: `PROMPT_COLOR=38;5;208;` -Red: `PROMPT_COLOR=38;5;160;` - -### Standard Bashrc - -Don't do this if you installed `zsh` - -~/.bashrc - -```bash -# .bashrc - -# Source global definitions -if [ -f /etc/bashrc ]; then - . /etc/bashrc -fi - -# User specific binaries -if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]] -then - PATH="$HOME/.local/bin:$HOME/bin:$PATH" -fi -export PATH - -# User specific aliases and functions (source .bashrc.d/) -if [ -d ~/.bashrc.d ]; then - for rc in ~/.bashrc.d/*; do - if [ -f "$rc" ]; then - . 
"$rc" - fi - done -fi - -# clear var used in for loop -unset rc -``` - -~/.bashrc.d/aliases.sh - -```bash -# (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html -# Author: Vivek Gite - -## Colorize the ls output ## -alias ls="ls --color=auto" - -## Colorize the grep command output for ease of use (good for log files)## -alias grep='grep --color=auto' -alias egrep='egrep --color=auto' -alias fgrep='fgrep --color=auto' - -## Make mount human readable ## -alias mount='mount |column -t' - -## show open ports ## -alias ports='ss -tulanp' - -# do not delete / or prompt if deleting more than 3 files at a time # -alias rm='rm -I --preserve-root' - -# confirmation # -alias mv='mv -i' -alias cp='cp -i' -alias ln='ln -i' - -# Parenting changing perms on / # -alias chown='chown --preserve-root' -alias chmod='chmod --preserve-root' -alias chgrp='chgrp --preserve-root' - -## pass options to free ## -alias meminfo='free -m -l -t' - -## get top process eating memory -alias psmem='ps auxf | sort -nr -k 4' -alias psmem10='ps auxf | sort -nr -k 4 | head -10' - -## get top process eating cpu ## -alias pscpu='ps auxf | sort -nr -k 3' -alias pscpu10='ps auxf | sort -nr -k 3 | head -10' - -## this one saved by butt so many times ## -alias wget='wget -c' - -## set some other defaults ## -alias df='df -H' -alias du='du -ch' - -## ls but with file sizes, showing largest at the bottom ## -alias lst='ls --human-readable --size -1 -S --classify -r' - -## ls show only directories -alias lsd='ls -d */' - -## Count the number of files in a directory -alias lsc='find . -type f | wc -l' - -## ls sort by last modified ## -alias lmt='ls -t -1' -``` +1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds` +2. `cups-genppdupdate` +3. `usermod -aG lp ducoterra` +4. `systemctl enable --now cups` +5. In gnome settings: + 1. Add printer + 2. Enter the IP address + 3. Wait... + 4. Select "JetDirect" + 5. Select Generic + 6. 
Select IPP Printer + 7. Print diff --git a/infrastructure/graduated/arch/workstation.md b/infrastructure/graduated/arch/workstation.md index f245357..578fd16 100644 --- a/infrastructure/graduated/arch/workstation.md +++ b/infrastructure/graduated/arch/workstation.md @@ -1,6 +1,7 @@ # Workstation - [Workstation](#workstation) + - [Toolbox](#toolbox) - [Podman](#podman) - [Docker](#docker) - [QEMU/KVM](#qemukvm) @@ -36,6 +37,23 @@ - [Glances](#glances) - [VirtualBox](#virtualbox) +## Toolbox + + + +Toolbox is a containerized workstation service via podman. + +```bash +# select "crun" when prompted +pacman -S toolbox + +toolbox create + +toolbox enter + +sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile +``` + ## Podman Install with the following @@ -226,7 +244,7 @@ chmod +x ~/Applications/*.AppImage ```conf [Desktop Entry] Name=Bitwarden -Exec=/home/ducoterra/Applications/Bitwarden.AppImage +Exec=/home/ducoterra/Applications/Bitwarden.AppImage %u Icon=/home/ducoterra/.icons/bitwarden.png Type=Application ``` @@ -482,5 +500,8 @@ pacman -S glances For the linux kernel, choose virtualbox-host-modules-arch ```bash -sudo pacman -S virtualbox +pacman -S virtualbox + +# Required reboot to load the kernel modules +reboot ``` \ No newline at end of file diff --git a/infrastructure/graduated/qemu/README.md b/infrastructure/graduated/qemu/README.md index 7d74d35..7f4a9c3 100644 --- a/infrastructure/graduated/qemu/README.md +++ b/infrastructure/graduated/qemu/README.md @@ -8,6 +8,13 @@ ## QCOW2 +QCOW2 (KVM, Xen) qcow2 +QED (KVM) qed +raw raw +VDI (VirtualBox) vdi +VHD (Hyper-V) vpc +VMDK (VMware) vmdk + ### Restore qcow snapshots ```bash
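Review bot: In the new `hardware/graduated/unifi/README.md`, the WiFi section says only that "auto seems to give the best results" without naming the setting (channel, channel width and transmit power are all separate auto toggles), and the Firewall section is a bare screenshot; `firewall_accept.png` is the only hint at what rule it shows. Suggest one sentence under each heading naming the setting left on auto and the rule pictured, so the page carries its point without the images. The file also ends without a trailing newline.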
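Review bot: In the table-of-contents hunk of `infrastructure/graduated/arch/README.md`, the removed entries for AppArmor, ISCSI, Toolbox, Yubikey and Bashrc are only partly accounted for: Toolbox reappears in `workstation.md` later in this diff, but the other four sections are deleted outright with nothing in the commit saying why. Suggest either relocating them the same way or adding a line noting they are no longer part of this build, so readers of the earlier version know the omission is deliberate.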
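Review bot: In the hunk renaming `### Boot` to `### Installation`, the new heading sits directly under `## Installation`, so the TOC has to link to the generated anchor `#installation-1`, which depends on heading order and silently breaks if another `Installation` heading is added above it. Suggest a distinct heading such as `### Install Steps` (or keeping `### Boot`) so the TOC entry can be a stable `#install-steps`.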
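Review bot: In the new `### Gnome Keyring` hunk, "Don't set a password for single-user systems. We're using full-disk encryption." should state the trade-off it is making: with an empty keyring password the login keyring is stored unencrypted on disk, so saved secrets are protected by LUKS only while the machine is off, and every process running in the user's session can read them while it is unlocked. Suggest adding a sentence such as `With no keyring password the stored secrets are only as protected as the disk encryption; set one if you keep credentials there that should not be readable by every process in your session.`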
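Review bot: In the secure-boot hunk, changing step 3 to `cd /btr_pools/root/support/` means the `old_${var}.esl` backups from step 4 now land in the support directory, which is the right place for them, but the step should say so explicitly: step 6 `sbctl enroll-keys -m` is the irreversible part, and a reader needs to know where the pre-enrollment variable dumps live before running it. Suggest `3. cd /btr_pools/root/support/ (the old PK/KEK/db/dbx backups are written here)`.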
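Review bot: In the TPM2 enrollment hunk, adding `--unlock-key-file=/btr_pools/root/support/root-key.txt` to both `systemd-cryptenroll` commands means a LUKS unlock secret is sitting in a plaintext file at a fixed path, and the hunk never says where that file came from, what permissions it has, or whether it stays on disk after enrollment. Suggest a line before the commands stating that the key file must be root-only (`chmod 0400`) and either lives on the support drive described in the Installation section or is removed once the TPM2 slot is enrolled, since with `--tpm2-pcrs=7` the TPM token is meant to be the unlock path, not that file.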
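Review bot: The hunk deleting `#### AppArmor` removes the document's only mandatory-access-control guidance (install steps, the `lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1` kernel parameters, the `aa-genprof`/`aa-logprof` profile workflow and the access-modes reference) without relocating it or explaining the removal. Readers who built from the earlier version still have those kernel parameters in `/boot/loader/entries/main.conf` and `auditd` enabled, with no reference left in the doc. Suggest moving the section to its own file, as Toolbox is moved to `workstation.md` in this same diff, or adding a sentence under Firewall saying AppArmor is no longer part of this build and how to revert the boot entry.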
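Review bot: In the chroot hunk, step 1 `cd /btr_pools/root` exists only so that step 2 `btrfs sub create chroots` can use a relative path, while steps 3, 5 and 6 spell out `/btr_pools/root/chroots/testing` in full. Suggest `btrfs sub create /btr_pools/root/chroots` and dropping the `cd`, so every step works from any directory like the rest of the guide.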
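Review bot: In the CUPS hunk, `usermod -aG lp ducoterra` hardcodes a personal username in a guide that is otherwise written generically; suggest `usermod -aG lp <user>`. The same hunk drops the old step that added `mdns` to the `hosts:` line of `/etc/nsswitch.conf`; since the new note says avahi is needed for auto-discovery, confirm that the Avahi section still covers that nsswitch change, otherwise `.local` printer names will not resolve even with `avahi-daemon` running. It also deletes `### Yubikey` (including the `pcscd` step) and the whole `## Bashrc` section with no replacement; see the TOC note above.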
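Review bot: In the `## Toolbox` hunk of `workstation.md`, the two blank lines between the heading and `Toolbox is a containerized workstation service via podman.` look like the residue of a dropped link (the block removed from `README.md` has the same gap); either restore the reference or collapse the blank lines. The code block also mixes host commands run as root (`pacman -S toolbox`, matching the rest of the doc) with `sudo pacman -S zsh ...` run inside the container; a comment marking the lines that follow `toolbox enter` as inside-container would make the boundary clear.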
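Review bot: In the Bitwarden desktop-entry hunk, appending `%u` to `Exec=` only takes effect when the entry is invoked as a URL handler, which requires a `MimeType=x-scheme-handler/<scheme>;` line (scheme as documented by Bitwarden) and an `update-desktop-database` run; on its own the field expands to nothing. Suggest the doc say which links this is meant to open and include the `MimeType=` line, since handing URLs to an unsandboxed AppImage is a deliberate choice worth stating.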
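Review bot: In the VirtualBox hunk, the comment `# Required reboot to load the kernel modules` reads awkwardly; suggest `# Reboot so the virtualbox-host-modules-arch kernel modules load` and mention that `modprobe vboxdrv` loads them without a reboot. The file still ends without a trailing newline.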
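Review bot: In the `infrastructure/graduated/qemu/README.md` hunk, the six added lines (`QCOW2 (KVM, Xen) qcow2` through `VMDK (VMware) vmdk`) are a table flattened into prose with no header and no lead-in, dropped under `## QCOW2` even though five of the six rows are other formats. Suggest a markdown table with columns for the format, the hypervisor that uses it and the `qemu-img -f`/`-O` format name, under its own subsection such as `### Disk image formats`, with one sentence saying the third column is what `qemu-img convert` expects.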