more post-installation updates and fixes

This commit is contained in:
2024-08-04 10:01:08 -04:00
parent e4f58cf8f1
commit d55f842ab8
8 changed files with 77 additions and 308 deletions

View File

@@ -0,0 +1,15 @@
# Unifi
## WiFi
As of Aug 2024, auto seems to give the best results.
![Unifi Wifi Example](../../images/wifi.png)
![Unifi 6 Enterprise](../../images/u6e.png)
![Unifi 7 Pro](../../images/u7pro.png)
## Firewall
![Unifi v6 Firewall](../../images/firewall_accept.png)
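Review bot: the new Unifi page is screenshots only, so nothing in it can be searched or checked without opening the images; add one line per screenshot stating the setting it shows. "auto seems to give the best results" does not say which setting is on auto (channel, channel width or transmit power), and `![Unifi v6 Firewall](../../images/firewall_accept.png)` should be accompanied by the rule it documents (direction, source, destination, action), since an accept rule is the part of a firewall config a reader most needs to verify in text.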

BIN (filename not shown in extraction) binary file, 93 KiB, not shown
BIN hardware/images/u6e.png Normal file, 56 KiB, not shown
BIN hardware/images/u7pro.png Normal file, 58 KiB, not shown
BIN hardware/images/wifi.png Normal file, 84 KiB, not shown

View File

@@ -13,7 +13,8 @@ I have instructions for building a:
- [Table of Contents](#table-of-contents)
- [Installation](#installation)
- [Preparation](#preparation)
- [Boot](#boot)
- [Installation](#installation-1)
- [Gnome Keyring](#gnome-keyring)
- [Base Tools](#base-tools)
- [ZSH](#zsh)
- [Prompt Themes](#prompt-themes)
@@ -24,9 +25,6 @@ I have instructions for building a:
- [Re-enroll](#re-enroll)
- [FIDO2 LUKS Decryption](#fido2-luks-decryption)
- [Firewall](#firewall)
- [AppArmor](#apparmor)
- [Install Apparmor](#install-apparmor)
- [Custom Profiles](#custom-profiles)
- [ClamAV](#clamav)
- [btrbk](#btrbk)
- [fstab](#fstab)
@@ -45,21 +43,15 @@ I have instructions for building a:
- [Don't sleep while plugged in](#dont-sleep-while-plugged-in)
- [Bluetooth](#bluetooth)
- [Audio](#audio)
- [ISCSI](#iscsi)
- [Software Stores](#software-stores)
- [AppImage Support](#appimage-support)
- [Troubleshooting](#troubleshooting)
- [Flatpak](#flatpak)
- [Apps](#apps)
- [Toolbox](#toolbox)
- [Firefox](#firefox)
- [Gnome Extensions](#gnome-extensions)
- [Avahi (Bonjour)](#avahi-bonjour)
- [CUPS Printing](#cups-printing)
- [Yubikey](#yubikey)
- [Bashrc](#bashrc)
- [Colorized Prompt](#colorized-prompt)
- [Standard Bashrc](#standard-bashrc)
## Installation
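Review bot: this hunk removes the ISCSI, Toolbox, Yubikey, Bashrc, Colorized Prompt and Standard Bashrc entries from the table of contents, but only Toolbox is relocated (to the workstation doc later in this commit); the other sections have no destination shown anywhere in the diff. The commit message "more post-installation updates and fixes" does not say they were dropped on purpose, so either link the TOC to where they now live or state in the message that they were removed.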
@@ -89,7 +81,7 @@ Follow most of the instructions here:
4. Disable secureboot (reenable later)
### Boot
### Installation
You'll want two usb drives while following this guide. One will be the Arch boot drive. The
other will be a support drive with critical files and passwords which we will need to access
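Review bot: renaming `### Boot` to `### Installation` puts a second heading named Installation under `## Installation`, which is why the TOC hunk above has to link it as `#installation-1`; that generated anchor changes whenever a same-named heading is added or reordered. A distinct name such as `### Boot and install` (or keeping `### Boot`) gives a stable anchor and avoids two identical headings in one section.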
@@ -259,6 +251,12 @@ after we finish the install.
54. `exit`
55. `reboot`
### Gnome Keyring
Don't set a password for single-user systems. We're using full-disk encryption.
This will let you login with just a fingerprint.
### Base Tools
```bash
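Review bot: the advice to leave the GNOME keyring password empty should state its trade-off rather than lean on "We're using full-disk encryption", because the LUKS unlock on this page is TPM-bound with `--tpm2-pcrs=7` and no PIN: the disk is decrypted at boot without any passphrase, so full-disk encryption does not stand in for the keyring password once the machine is running, and with an empty keyring password every process running as the user can read the stored secrets in the clear. Suggest wording along the lines of "Leave the keyring password empty if you want fingerprint-only login; secrets are then protected only by the login session, not by a second passphrase".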
@@ -388,7 +386,7 @@ Security Philosophy
to custom.
2. `pacman -S efitools sbctl`
3. `cd /root/`
3. `cd /btr_pools/root/support/`
4. `for var in PK KEK db dbx ; do efi-readvar -v $var -o old_${var}.esl ; done`
5. `sbctl create-keys`
6. `sbctl enroll-keys -m`
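Review bot: changing step 3 to `cd /btr_pools/root/support/` only affects where the `old_${var}.esl` backups from step 4 land; `sbctl create-keys` writes its keys to sbctl's own fixed directory regardless of the working directory, so the step should say that explicitly. It should also state that `/btr_pools/root/support/` is the mounted support drive from the Installation section, because those `.esl` files are what restores the firmware's original PK/KEK/db/dbx if the custom keys are ever lost, and they are useless if they end up on the root volume they are meant to recover.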
@@ -412,13 +410,13 @@ You can optionally allow tpm2 decryption only while secure boot is active.
Using `--tpm2-pcrs=7` enforces secure boot and will require password if secure boot is disabled.
1. `pacman -S tpm2-tss`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7`
2. `systemd-cryptenroll /dev/vda2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt`
##### Re-enroll
```bash
systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7
systemd-cryptenroll /dev/nvme0n1p2 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt
systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --unlock-key-file=/btr_pools/root/support/root-key.txt
```
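Review bot: `--unlock-key-file=/btr_pools/root/support/root-key.txt` means a file containing the LUKS unlock secret now lives at a fixed path, and the Re-enroll block references the same file; the text should say this is the removable support drive and that the file must not be copied onto the encrypted root, since a key file sitting on the root volume next to a TPM-auto-unlocked slot gives away the passphrase to anyone who can read the booted system. Also the enrollment line still targets `/dev/vda2` while Re-enroll targets `/dev/nvme0n1p2` and `/dev/nvme0n1p3`; that mismatch predates this change but is worth fixing while both lines are being edited.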
#### FIDO2 LUKS Decryption
@@ -432,89 +430,6 @@ pacman -S ufw
systemctl enable --now ufw
```
#### AppArmor
##### Install Apparmor
Apparmor protects your system by limiting the access binaries have to specific files.
All binaries which are protected by apparmor profiles have a whitelist of allowed
paths they can touch, even if they run as root.
1. `pacman -S apparmor`
2. `systemctl enable --now apparmor`
3. `systemctl enable --now auditd`
4. Add the correct kernel parameters
/boot/loaders/entries/main.conf
```conf
title Arch Linux
...
options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...
```
5. `reboot`
##### Custom Profiles
You will likely need to create custom profiles for your apps. There are a few ways to
do this but the least painful ways are as follows:
1. A profile already exists in `/usr/share/apparmor/extra-profiles/`
Check here first. More than likely there's a good starting point. This will probably
need to be tuned but you can (and should) copy it to /etc/apparmor.d
2. No profile exists in `/usr/share/apparmor/extra-profiles/`
You can use `aa-genprof <binary>` to generate a profile for that binary and begin
listening to log events. Then, launch the application and use it as intended. When
you've done what you consider to be the typical use-case you should.
1. Press `s` until it begins recommending additions to your profile
2. Use (A) or (D) to add or deny paths
3. Use (G) to glob a path
4. Use (N) to write a custom path
5. If prompted for an executable choose (I) to inherit the execution privileges from the parent process or (P) to use this application's profile. Sanitize if you chooose this app's profile
6. When done, (F) to finish and (S) to save.
7. Use `apparmor_parser -r /etc/apparmor.d/<profile>` to reload the profile
8. Run `aa-enforce /etc/apparmor.d/<profile>` to set to enforce mode
9. Try to launch the app. It will probably crash
10. Run `aa-logprof`, add rules, `apparmor_parser -r /etc/apparmor.d/<profile>`, launch app, repeat until it works
11. You can `tail /var/log/audit/audit.log` and grab a string like `msg=audit(1692576444.967:102858)` to use as a starting point rather than parsing the whole log. Like: `aa-logprof -m 'msg=audit(1692576444.967:102858)'`.
From <https://manpages.ubuntu.com/manpages/xenial/man5/apparmor.d.5.html>
```text
Access Modes
File permission access modes consists of combinations of the following modes:
r - read
w - write -- conflicts with append
a - append -- conflicts with write
ux - unconfined execute
Ux - unconfined execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
Cx - transition to subprofile on execute -- scrub the environment
ix - inherit execute
pix - discrete profile execute with inherit fallback
Pix - discrete profile execute with inherit fallback -- scrub the environment
cix - transition to subprofile on execute with inherit fallback
Cix - transition to subprofile on execute with inherit fallback -- scrub the
environment
pux - discrete profile execute with fallback to unconfined
PUx - discrete profile execute with fallback to unconfined -- scrub the environment
cux - transition to subprofile on execute with fallback to unconfined
CUx - transition to subprofile on execute with fallback to unconfined -- scrub the
environment
deny x - disallow execute (in rules with the deny qualifier)
m - allow PROT_EXEC with mmap(2) calls
l - link
k - lock
```
#### ClamAV
1. `pacman -S clamav`
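Review bot: deleting the AppArmor section also drops the only place the kernel command line `options ...lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1...` and the `auditd` dependency were documented; the TOC hunk above removes the entries too, so the deletion is internally consistent, but if AppArmor is still meant to be enabled on these installs, either keep the kernel parameter step or say where the section moved, as Toolbox is moved to the workstation doc in this same commit.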
@@ -729,11 +644,12 @@ btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscs
You can create chroot environments to run firejails or just use for testing purposes.
1. `btrfs sub create /chroots`
2. `mkdir /testing`
3. `pacman -S arch-install-scripts`
4. `pacstrap -K /chroots/testing/ base base-devel`
5. `arch-chroot /chroots/testing`
1. `cd /btr_pools/root`
2. `btrfs sub create chroots`
3. `mkdir /btr_pools/root/chroots/testing`
4. `pacman -S arch-install-scripts`
5. `pacstrap -K /btr_pools/root/chroots/testing base base-devel`
6. `arch-chroot /btr_pools/root/chroots/testing`
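Review bot: step 2 `btrfs sub create chroots` is the only step that depends on the `cd /btr_pools/root` in step 1, while steps 3 to 6 use absolute paths; writing it as `btrfs sub create /btr_pools/root/chroots` makes step 1 unnecessary and avoids creating the subvolume in the wrong place if the commands are run from a different directory.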
#### Fingerprint Reader Support
@@ -907,55 +823,6 @@ Without pipewire-pulse the audio level/device will reset every reboot.
1. `pacman -S pipewire-pulse` (remove conflicting packages)
### ISCSI
```bash
pacman -S open-iscsi
systemctl enable --now iscsid
```
1. Add auth login
/etc/iscsi/iscsid.conf
```conf
node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5
node.session.auth.username = username
node.session.auth.password = password
```
2. Initiate and login to the portal
```bash
# Add a new target to your list of nodes
iscsiadm \
-m discovery \
-t st \
-p driveripper.reeselink.com
# Login to the target
iscsiadm \
-m node \
--targetname iqn.2023-01.driveripper.reeselink.com:backup-reese-pc \
-p driveripper.reeselink.com:3260 \
--login
# or login to all targets
iscsiadm -m node --loginall all
# View current session
iscsiadm -m session
# Log out of all sessions
iscsiadm -m node -u
# Log out of a single session
iscsiadm -m node -T iqn.2023-01.driveripper.reeselink.com:2024-01-framework --logout
# Remove session
iscsiadm -m node -o delete -T iqn.2023-01.driveripper.reeselink.com:2023-01-framework
```
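Review bot: removing the ISCSI section leaves the btrbk context line `btrfs send /mnt/btr_backup/root.20230727T1000 | pv | btrfs receive /mnt/btr_iscs...` (top of the chroot hunk above) pointing at an iSCSI-backed mount with no remaining instructions for `open-iscsi`, `iscsid` or the CHAP login; either link to where the iSCSI setup moved or note in the backup section that the target must be logged in first. If the section is re-homed, drop `MD5` and `SHA1` from `node.session.auth.chap_algs`, and note that `node.session.auth.password` stores the CHAP secret in plaintext in `/etc/iscsi/iscsid.conf`, so that file should stay root-only.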
## Software Stores
### AppImage Support
@@ -993,24 +860,6 @@ pacman -S flatpak
## Apps
### Toolbox
<https://wiki.archlinux.org/title/Toolbox>
Toolbox is a containerized workstation service via podman.
```bash
# select "crun" when prompted
pacman -S toolbox
toolbox create
toolbox enter
sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
```
### Firefox
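Review bot: the Toolbox section is moved to the workstation doc in this commit rather than dropped, but the README loses every pointer to it; a one-line link where the section used to be (or in the Apps intro) keeps README readers from assuming Toolbox is no longer part of the setup.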
You'll want firefox and gnome-browser-connector (for gnome extension management).
@@ -1046,140 +895,17 @@ Choose noto-fonts
### CUPS Printing
Note: you probably need avahi (see above)
Note: you need [avahi](#avahi-bonjour) for auto-discovery.
1. `sudo pacman -S cups cups-pdf system-config-printer`
2. `sudo vim /etc/nsswitch.conf`
```conf
hosts: mymachines mdns [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns
```
3. `sudo systemctl start cups`
4. `sudo systemctl start avahi-daemon`
### Yubikey
You'll need the yubikey manager appimage in addition to the pacman package
```bash
sudo pacman -S yubikey-manager
```
Reboot and things should work. You might also have to start pcscd:
```bash
sudo systemctl enable --now pcscd
```
## Bashrc
### Colorized Prompt
<https://colors.sh/>
You can change the prompt color by setting PROMPT_COLOR at the top of your .bashrc
Examples:
Yellow: `PROMPT_COLOR=33;`
Orange: `PROMPT_COLOR=38;5;208;`
Red: `PROMPT_COLOR=38;5;160;`
### Standard Bashrc
Don't do this if you installed `zsh`
~/.bashrc
```bash
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# User specific binaries
if ! [[ "$PATH" =~ "$HOME/.local/bin:$HOME/bin:" ]]
then
PATH="$HOME/.local/bin:$HOME/bin:$PATH"
fi
export PATH
# User specific aliases and functions (source .bashrc.d/)
if [ -d ~/.bashrc.d ]; then
for rc in ~/.bashrc.d/*; do
if [ -f "$rc" ]; then
. "$rc"
fi
done
fi
# clear var used in for loop
unset rc
```
~/.bashrc.d/aliases.sh
```bash
# (Mostly) Taken from https://www.cyberciti.biz/tips/bash-aliases-mac-centos-linux-unix.html
# Author: Vivek Gite
## Colorize the ls output ##
alias ls="ls --color=auto"
## Colorize the grep command output for ease of use (good for log files)##
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
## Make mount human readable ##
alias mount='mount |column -t'
## show open ports ##
alias ports='ss -tulanp'
# do not delete / or prompt if deleting more than 3 files at a time #
alias rm='rm -I --preserve-root'
# confirmation #
alias mv='mv -i'
alias cp='cp -i'
alias ln='ln -i'
# Parenting changing perms on / #
alias chown='chown --preserve-root'
alias chmod='chmod --preserve-root'
alias chgrp='chgrp --preserve-root'
## pass options to free ##
alias meminfo='free -m -l -t'
## get top process eating memory
alias psmem='ps auxf | sort -nr -k 4'
alias psmem10='ps auxf | sort -nr -k 4 | head -10'
## get top process eating cpu ##
alias pscpu='ps auxf | sort -nr -k 3'
alias pscpu10='ps auxf | sort -nr -k 3 | head -10'
## this one saved by butt so many times ##
alias wget='wget -c'
## set some other defaults ##
alias df='df -H'
alias du='du -ch'
## ls but with file sizes, showing largest at the bottom ##
alias lst='ls --human-readable --size -1 -S --classify -r'
## ls show only directories
alias lsd='ls -d */'
## Count the number of files in a directory
alias lsc='find . -type f | wc -l'
## ls sort by last modified ##
alias lmt='ls -t -1'
```
1. `pacman -S cups cups-pdf system-config-printer gutenprint foomatic-db-gutenprint-ppds`
2. `cups-genppdupdate`
3. `usermod -aG lp ducoterra`
4. `systemctl enable --now cups`
5. In gnome settings:
1. Add printer
2. Enter the IP address
3. Wait...
4. Select "JetDirect"
5. Select Generic
6. Select IPP Printer
7. Print
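Review bot: step 3 `usermod -aG lp ducoterra` hardcodes one username into setup instructions; use a placeholder such as `usermod -aG lp <user>`. The retained line `Note: you need [avahi](#avahi-bonjour) for auto-discovery.` now sits above steps that add the printer by IP address over JetDirect, which does not need avahi at all, so either say avahi is optional on this path or keep the discovery-based steps it applied to. The removed Yubikey and Bashrc sections (including the `pcscd` hint) leave no trace in the README, unlike Toolbox, so state whether they were dropped intentionally.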

View File

@@ -1,6 +1,7 @@
# Workstation
- [Workstation](#workstation)
- [Toolbox](#toolbox)
- [Podman](#podman)
- [Docker](#docker)
- [QEMU/KVM](#qemukvm)
@@ -36,6 +37,23 @@
- [Glances](#glances)
- [VirtualBox](#virtualbox)
## Toolbox
<https://wiki.archlinux.org/title/Toolbox>
Toolbox is a containerized workstation service via podman.
```bash
# select "crun" when prompted
pacman -S toolbox
toolbox create
toolbox enter
sudo pacman -S zsh grml-zsh-config zsh-syntax-highlighting zsh-autosuggestions pkgfile
```
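Review bot: the block mixes privilege levels: `pacman -S toolbox` needs root, while `toolbox create` and `toolbox enter` are meant to run as the unprivileged user so the container is a rootless podman container owned by that user (the `sudo pacman -S zsh ...` line inside the container already assumes the user is not root there). Prefix the install with `sudo`, or say which lines run as which user, so a reader does not create the toolbox as root.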
## Podman
Install with the following
@@ -226,7 +244,7 @@ chmod +x ~/Applications/*.AppImage
```conf
[Desktop Entry]
Name=Bitwarden
Exec=/home/ducoterra/Applications/Bitwarden.AppImage
Exec=/home/ducoterra/Applications/Bitwarden.AppImage %u
Icon=/home/ducoterra/.icons/bitwarden.png
Type=Application
```
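Review bot: adding `%u` to the `Exec=` line only passes a URL argument through when the desktop launches this entry; it does not by itself make the desktop route any URL scheme to Bitwarden. If the intent is to have links open in the AppImage, the entry also needs a `MimeType=x-scheme-handler/<scheme>;` line for the scheme Bitwarden registers, followed by a desktop database update; otherwise `%u` is harmless but inert, and the surrounding text should say which is intended.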
@@ -482,5 +500,8 @@ pacman -S glances
For the linux kernel, choose virtualbox-host-modules-arch
```bash
sudo pacman -S virtualbox
pacman -S virtualbox
# Required reboot to load the kernel modules
reboot
```
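Review bot: `# Required reboot to load the kernel modules` is only needed when the running kernel no longer matches its modules, which happens if the kernel package was upgraded in the same pacman run; otherwise `modprobe vboxdrv` loads the freshly installed module without a reboot. Worth saying so, and "Reboot required" reads better than "Required reboot".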

View File

@@ -8,6 +8,13 @@
## QCOW2
QCOW2 (KVM, Xen) qcow2
QED (KVM) qed
raw raw
VDI (VirtualBox) vdi
VHD (Hyper-V) vpc
VMDK (VMware) vmdk
### Restore qcow snapshots
```bash
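Review bot: the added lines `QCOW2 (KVM, Xen) qcow2` through `VMDK (VMware) vmdk` are a two-column table (format and hypervisor, `qemu-img` format identifier) flattened into bare lines under the `## QCOW2` heading with no header; render it as a markdown table with a header row and say that the right column is the value to pass to `qemu-img -f`/`-O`, so a reader knows what the second word on each line is for.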