add virsh networking notes

.gitignore

@@ -8,4 +8,6 @@ __pycache__/
 .venv/
 .mypy_cache
 TODO.md
-eicar.com
+eicar.com
+*.pp
+*.mod

active/device_yubikey/yubikey.md

@@ -1,7 +1,99 @@
 # Yubikey
 
+- [Yubikey](#yubikey)
+  - [Configuration](#configuration)
+  - [Software](#software)
+  - [GPG](#gpg)
+    - [Saving GPG key to card](#saving-gpg-key-to-card)
+    - [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
+    - [Factory Reset](#factory-reset)
+
 ## Configuration
 
 1. You will likely need the [udev
    rules](https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-YubiKey-with-Linux)
    to use the AppImage configuration tool on linux even if your udev version is above 244.
+
+## Software
+
+The [Yubikey Manager](https://www.yubico.com/support/download/yubikey-manager/) is deprecated.
+
+Use the [Yubikey Authenticator](https://www.yubico.com/products/yubico-authenticator/) for GUI.
+
+## GPG
+
+### Saving GPG key to card
+
+<https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP>
+
+On Fedora you'll need to add the following polkit rules to access your smart card.
+
+```bash
+export MY_USER=ducoterra
+echo <<EOF > /etc/polkit-1/rules.d/10-pcsc-custom.rules
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+        subject.user == "${MY_USER}") {
+            return polkit.Result.YES;
+    }
+});
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.debian.pcsc-lite.access_card" &&
+        action.lookup("reader") == 'Yubico YubiKey OTP+FIDO+CCID 00 00' &&
+        subject.user == "${MY_USER}") {
+            return polkit.Result.YES;
+    }
+});
+EOF
+```
+
+Now you can add your key to your card.
+
+```bash
+gpg --edit-key 1234ABC
+
+# Save both the signature and authentication keys
+> keytocard
+
+# Do not save or your key will be deleted locally
+> quit
+```
+
+Check the keys on the yubikey with
+
+```bash
+gpg --card-status
+```
+
+Once your keys have been loaded, change the pin.
+
+```bash
+gpg --change-pin
+```
+
+### Using the GPG key on a Yubikey
+
+<https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#notes>
+
+```bash
+export GPG_EMAIL='myemail@example.com'
+
+# Import the public key. Without this the key won't show up.
+gpg --auto-key-locate hkps://keys.openpgp.org --locate-keys ${GPG_EMAIL}
+
+# Trust the key
+gpg --quick-set-ownertrust ${GPG_EMAIL} full
+
+# Yubikey should now show up
+gpg --list-secret-keys
+```
+
+### Factory Reset
+
+```bash
+gpg --edit-card
+
+> admin
+> factory-reset
+```

active/os_fedora/fedora-kinoite.md

@@ -3,7 +3,7 @@
 - [Fedora Kinoite](#fedora-kinoite)
   - [TPM2 Luks Decryption](#tpm2-luks-decryption)
   - [Podman](#podman)
-    - [Autostarting services with quadlets](#autostarting-services-with-quadlets)
+    - [Docker Compose and Docker Buildkit with Rootless Podman](#docker-compose-and-docker-buildkit-with-rootless-podman)
   - [rpm-ostree](#rpm-ostree)
     - [Git, Vim, etc](#git-vim-etc)
     - [Libvirt, Qemu, KVM](#libvirt-qemu-kvm)
@@ -71,6 +71,19 @@ export REGISTRY_AUTH_FILE=$HOME/.podman-auth.json
 
 Source that and then run `podman login` to create the file.
 
+### Docker Compose and Docker Buildkit with Rootless Podman
+
+Allows you to use podman with full docker-compose compatibility.
+
+<https://emersion.fr/blog/2025/using-podman-compose-and-buildkit/>
+
+```bash
+rpm-ostree install docker-compose docker-buildx
+reboot
+systemctl --user enable --now podman.socket
+docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
+docker context use podman
+
 ### Autostarting services with quadlets
 
 If you want to run something as your user at boot (like a systemd process, think ollama) you can

active/os_fedora/fedora-software.md

@@ -642,6 +642,17 @@ dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-co
 systemctl enable --now docker
 ```
 
+Or use docker with podman with full docker-compose compatibility.
+
+<https://emersion.fr/blog/2025/using-podman-compose-and-buildkit/>
+
+```bash
+dnf install -y docker-compose docker-buildx
+systemctl --user enable --now podman.socket
+docker context create podman --docker host=unix://$XDG_RUNTIME_DIR/podman/podman.sock
+docker context use podman
+```
+
 ## Boxes
 
 Virtualization at its boxiest.

active/os_fedora/selinux.md

@@ -1,9 +0,0 @@
-# Selinux Findings
-
-## Cloning a Virtual Machine
-
-```bash
-cd active/os_fedora/selinux_policies
-sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
-sudo semodule -X 300 -i my-rpcvirtstorage.pp
-```

active/os_fedora/selinux_policies/clamav-notifysend.te

@@ -0,0 +1,14 @@
+
+module clamav-notifysend 1.0;
+
+require {
+	type session_dbusd_tmp_t;
+	type antivirus_t;
+	type unconfined_dbusd_t;
+	class sock_file write;
+	class unix_stream_socket connectto;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t session_dbusd_tmp_t:sock_file write;
+allow antivirus_t unconfined_dbusd_t:unix_stream_socket connectto;

active/os_fedora/selinux_policies/clamav-sudo.te

@@ -0,0 +1,29 @@
+
+module clamav-sudo 1.0;
+
+require {
+	type antivirus_t;
+	type sudo_exec_t;
+	type systemd_logind_var_run_t;
+	type pidfs_t;
+	type chkpwd_exec_t;
+	type systemd_logind_t;
+	class file { execute execute_no_trans map };
+	class netlink_audit_socket { create nlmsg_relay read write };
+	class capability { audit_write sys_resource };
+	class process { setrlimit setsched };
+	class sock_file write;
+	class unix_stream_socket connectto;
+	class filesystem getattr;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t chkpwd_exec_t:file { execute execute_no_trans };
+allow antivirus_t pidfs_t:filesystem getattr;
+allow antivirus_t self:capability { audit_write sys_resource };
+allow antivirus_t self:netlink_audit_socket { create nlmsg_relay write };
+allow antivirus_t self:netlink_audit_socket read;
+allow antivirus_t self:process { setrlimit setsched };
+allow antivirus_t sudo_exec_t:file map;
+allow antivirus_t systemd_logind_t:unix_stream_socket connectto;
+allow antivirus_t systemd_logind_var_run_t:sock_file write;

active/os_fedora/selinux_policies/clamav-unixchkpwd.te

@@ -0,0 +1,23 @@
+
+module clamav-unixchkpwd 1.0;
+
+require {
+	type chkpwd_t;
+	type user_devpts_t;
+	type antivirus_t;
+	type shadow_t;
+	type init_t;
+	class chr_file { read write };
+	class file { getattr open read };
+	class process siginh;
+}
+
+#============= antivirus_t ==============
+allow antivirus_t shadow_t:file { open read };
+allow antivirus_t shadow_t:file getattr;
+
+#============= chkpwd_t ==============
+allow chkpwd_t user_devpts_t:chr_file { read write };
+
+#============= init_t ==============
+allow init_t chkpwd_t:process siginh;

active/podman_immich/compose/compose.yaml

@@ -1,5 +1,5 @@
 #
-# WARNING: To install Immich, follow our guide: https://immich.app/docs/install/docker-compose
+# WARNING: To install Immich, follow our guide: https://docs.immich.app/install/docker-compose
 #
 # Make sure to use the docker-compose.yml of the current release:
 #
@@ -35,7 +35,7 @@ services:
     # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
     # Example tag: release-cuda
     image: ghcr.io/immich-app/immich-machine-learning:release
-    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
+    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
     #   file: hwaccel.ml.yml
     #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
     volumes:
@@ -59,7 +59,7 @@ services:
 
   database:
     container_name: immich_postgres
-    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
     environment:
       POSTGRES_PASSWORD: postgres
       POSTGRES_USER: postgres

active/podman_immich/immich.md

@@ -14,6 +14,7 @@
   - [Backup immich](#backup-immich)
   - [Upgrade immich](#upgrade-immich)
     - [Upgrade Quadlets](#upgrade-quadlets)
+  - [Upload Images in Bulk](#upload-images-in-bulk)
   - [Uninstall](#uninstall)
   - [Notes](#notes)
     - [SELinux](#selinux)
@@ -48,10 +49,10 @@ mkdir -p /home/immich/.config/containers/systemd
 
     ```bash
     # Pull the compose file
-    wget -O active/podman_immich/compose/compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+    wget -O active/podman_immich/release-compose.yaml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
 
     # Pull the .env file
-    wget -O active/podman_immich/quadlets/.env https://github.com/immich-app/immich/releases/latest/download/example.env
+    wget -O active/podman_immich/release-env https://github.com/immich-app/immich/releases/latest/download/example.env
     ```
 
 2. Edit the compose.yaml. Replace all environment variables with their correct values.
@@ -79,7 +80,7 @@ quay.io/k9withabone/podlet \
 compose /compose/compose.yaml
 
 # Copy the files to the server
-export PODMAN_SERVER=
+export PODMAN_SERVER=3dserver
 scp -r active/podman_immich/quadlets/. $PODMAN_SERVER:/home/immich/.config/containers/systemd/
 ssh $PODMAN_SERVER chown -R immich:immich /home/immich/.config/containers/systemd/
 ```
@@ -147,6 +148,24 @@ ssh immich systemctl --user daemon-reload
 ssh immich systemctl --user restart immich
 ```
 
+## Upload Images in Bulk
+
+<https://docs.immich.app/features/command-line-interface/>
+
+```bash
+# Install the CLI
+npm i -g @immich/cli
+
+# immich login [url] [key]
+immich login http://192.168.1.216:2283/api HFEJ38DNSDUEG
+
+# Check the upload
+immich upload --dry-run --recursive directory/
+
+# Upload
+immich upload --recursive directory/
+```
+
 ## Uninstall
 
 ```bash

active/podman_immich/quadlets/database.container

@@ -1,7 +1,7 @@
 [Container]
 ContainerName=immich_postgres
 Environment=POSTGRES_PASSWORD=postgres POSTGRES_USER=postgres POSTGRES_DB=immich POSTGRES_INITDB_ARGS=--data-checksums
-Image=ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84
+Image=ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
 Network=immich.network
 ShmSize=128mb
 Volume=/home/immich/postgres:/var/lib/postgresql/data:Z

active/podman_immich/release-compose.yaml

@@ -0,0 +1,74 @@
+#
+# WARNING: To install Immich, follow our guide: https://docs.immich.app/install/docker-compose
+#
+# Make sure to use the docker-compose.yml of the current release:
+#
+# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
+#
+# The compose file on main may not be compatible with the latest release.
+
+name: immich
+
+services:
+  immich-server:
+    container_name: immich_server
+    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
+    # extends:
+    #   file: hwaccel.transcoding.yml
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+    volumes:
+      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+      - ${UPLOAD_LOCATION}:/data
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - .env
+    ports:
+      - '2283:2283'
+    depends_on:
+      - redis
+      - database
+    restart: always
+    healthcheck:
+      disable: false
+
+  immich-machine-learning:
+    container_name: immich_machine_learning
+    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
+    # Example tag: ${IMMICH_VERSION:-release}-cuda
+    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
+    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
+    #   file: hwaccel.ml.yml
+    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    volumes:
+      - model-cache:/cache
+    env_file:
+      - .env
+    restart: always
+    healthcheck:
+      disable: false
+
+  redis:
+    container_name: immich_redis
+    image: docker.io/valkey/valkey:8@sha256:81db6d39e1bba3b3ff32bd3a1b19a6d69690f94a3954ec131277b9a26b95b3aa
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+
+  database:
+    container_name: immich_postgres
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD}
+      POSTGRES_USER: ${DB_USERNAME}
+      POSTGRES_DB: ${DB_DATABASE_NAME}
+      POSTGRES_INITDB_ARGS: '--data-checksums'
+      # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
+      # DB_STORAGE_TYPE: 'HDD'
+    volumes:
+      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
+    shm_size: 128mb
+    restart: always
+
+volumes:
+  model-cache:

active/podman_immich/release-env

@@ -0,0 +1,22 @@
+# You can find documentation for all the supported env variables at https://docs.immich.app/install/environment-variables
+
+# The location where your uploaded files are stored
+UPLOAD_LOCATION=./library
+
+# The location where your database files are stored. Network shares are not supported for the database
+DB_DATA_LOCATION=./postgres
+
+# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+# TZ=Etc/UTC
+
+# The Immich version to use. You can pin this to a specific version like "v2.1.0"
+IMMICH_VERSION=v2
+
+# Connection secret for postgres. You should change it to a random password
+# Please use only the characters `A-Za-z0-9`, without special characters or spaces
+DB_PASSWORD=postgres
+
+# The values below this line do not need to be changed
+###################################################################################
+DB_USERNAME=postgres
+DB_DATABASE_NAME=immich

active/software_clamav/clamav.md

@@ -1,11 +1,15 @@
 # Clamav
 
 - [Clamav](#clamav)
-  - [Quick Start](#quick-start)
+  - [Installation](#installation)
+  - [Notifications](#notifications)
+    - [Selinux](#selinux)
   - [On Access Scanning](#on-access-scanning)
   - [Testing](#testing)
 
-## Quick Start
+<https://wiki.archlinux.org/title/ClamAV>
+
+## Installation
 
 <https://docs.clamav.net/manual/Usage/Configuration.html#first-time-set-up>
 
@@ -51,7 +55,7 @@ sudo setsebool -P antivirus_can_scan_system 1
 Edit the `clamd@` service to limit system resources.
 
 ```bash
-sudo systemctl edit clamd@
+sudo -E systemctl edit clamd@
 
 [Service]
 Nice=18
@@ -67,18 +71,72 @@ sudo systemctl enable --now clamd@scan
 sudo systemctl status clamd@scan
 ```
 
+Scan something
+
+```bash
+sudo clamdscan -c /etc/clamd.d/scan.conf --multiscan --fdpass ~/Downloads
+```
+
 Allow your user to run scans
 
 ```bash
 sudo -E usermod -aG virusgroup $USER
 ```
 
-## On Access Scanning
+## Notifications
 
-If you want to cripple your computer you can enable on-access scanning.
+Create a new file called `/etc/clamav/virust-event.sh` and add the following
 
 ```bash
-sudo systemctl edit clamav-clamonacc.service
+#!/bin/bash
+
+PATH=/usr/bin
+ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
+
+# Send an alert to all graphical users.
+for ADDRESS in /run/user/*; do
+    # Skip root, they likely won't have a desktop session anyway
+    if [ ${ADDRESS} != "/run/user/0" ]; then
+        USERID=${ADDRESS#/run/user/}
+        /usr/bin/sudo -u "#$USERID" DBUS_SESSION_BUS_ADDRESS="unix:path=$ADDRESS/bus" PATH=${PATH} \
+            /usr/bin/notify-send -u critical -i dialog-warning "ClamAV Alert!" "$ALERT"
+    fi
+done
+```
+
+Then ensure you have `VirusEvent /etc/clamav/virus-event.bash` in your
+`scan.conf`.
+
+Allow clamav to run notify-send in `/etc/sudoers.d/clamav` by adding `clamav
+ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send`.
+
+### Selinux
+
+Troubleshooting notification permission denied errors is tricky, but it basically involves:
+
+1. Disable selinux hidden denies: `sudo semodule -DB`
+2. Clear the selinux audit logs: `sudo rm /var/log/audit/audit.log*`
+3. Set enforce to permissive: `sudo setenforce 0`
+4. Try to access eicar.com with clamonacc enabled
+5. Capture the audit logs in a `sudo ausearch --raw | audit2allow -m clamav-rules`
+6. Set enforce to enforcing: `sudo setenforce 1`
+7. Re-enable selinux hidden denies (if you want): `sudo semodule -B`
+
+8. `sudo setsebool daemons_enable_cluster_mode on`
+9. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-notifysend.pp`
+10. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-sudo.pp`
+11. `sudo semodule -X 300 -i active/os_fedora/selinux_policies/clamav-unixchkpwd.pp`
+
+## On Access Scanning
+
+If you want to destroy your computer you can enable on-access scanning.
+
+My recommendation is to only enable on-access scanning for critical ingress
+paths, like `~/Downloads` or `~/tmp`. This will help keep system resources free
+while also scanning critical points on your system.
+
+```bash
+sudo -E systemctl edit clamav-clamonacc.service
 
 [Service]
 ExecStart=
@@ -95,5 +153,13 @@ scanner should have its signature included in its database.
 
 1. Create a new file called `eicar.com`
 2. Add the contents: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
-3. Save and scan: `clamdscan eicar.com`
-4. If you have on access scanning enabled you shouldn't be able to open it.
+3. Save and scan: `clamdscan --fdpass --multiscan eicar.com`
+
+If you have on access scanning enabled you can try the following
+
+```bash
+cd ~/Downloads/
+wget https://secure.eicar.org/eicar.com.txt
+# This should not work
+cat eicar.com.txt
+```

active/software_clamav/scan.conf

@@ -1,3 +1,8 @@
+# ClamAV will refuse to scan files above 2G regardless of what this is set to
+MaxFileSize 2G
+# MaxScanSize controls how much of an archive is unpacked
+MaxScanSize 64G
+
 LogFileMaxSize 50M
 LogTime yes
 LogSyslog yes
@@ -15,6 +20,7 @@ MaxDirectoryRecursion 20
 User clamscan
 
 Bytecode yes
+HeuristicAlerts yes
 DetectPUA yes
 ScanPE yes
 ScanELF yes
@@ -24,8 +30,12 @@ ScanOLE2 yes
 
 AlertBrokenExecutables no
 AlertBrokenMedia no
-AlertOLE2Macros yes
-AlertPartitionIntersection yes
+AlertEncrypted no
+AlertEncryptedArchive no
+AlertEncryptedDoc no
+AlertOLE2Macros no
+AlertPartitionIntersection no
+AlertExceedsMax yes
 
 ScanPDF yes
 ScanSWF yes
@@ -33,14 +43,20 @@ ScanXMLDOCS yes
 ScanHWP3 yes
 ScanArchive yes
 
-OnAccessIncludePath /home/ducoterra
-OnAccessIncludePath /opt
-OnAccessIncludePath /var
-OnAccessIncludePath /usr
-OnAccessIncludePath /etc
+# These are just examples, add what you think should be protected.
+OnAccessIncludePath /home/ducoterra/Downloads
+OnAccessIncludePath /home/ducoterra/Projects
+OnAccessIncludePath /home/ducoterra/Applications
+OnAccessIncludePath /home/ducoterra/AUR
+
+# Prevention doesn't work with OnAccessMountPath.
+# It works with OnAccessIncludePath, as long as /usr and /etc are not included.
+# Including /var while activating prevention is also not recommended, because
+# this would slow down package installation by a factor of 1000.
+OnAccessPrevention yes
 
 OnAccessExcludeUname clamupdate
 OnAccessExcludeUname clamscan
-OnAccessMaxFileSize 5M
-OnAccessPrevention yes
-OnAccessExtraScanning yes
+OnAccessExtraScanning yes
+
+VirusEvent /etc/clamav/virus-event.bash

active/software_firewalld/firewalld.md

@@ -0,0 +1,23 @@
+# Firewalld
+
+## Notes
+
+```bash
+# Add a port
+firewall-cmd --permanent --add-port=22/tcp
+
+# List active zones
+firewall-cmd --get-active-zones
+
+# Set default zone
+firewall-cmd --set-default-zone=drop
+
+# Set zone for a specific subnet
+firewall-cmd --permanent --zone=drop --add-source=10.244.0.0/16
+
+# Get info about service
+firewall-cmd --info-service=samba
+
+# Get zone information
+firewall-cmd --info-zone=drop
+```

active/software_gpg/gpg.md

@@ -13,9 +13,6 @@
     - [Signing Files](#signing-files)
     - [Encrypting Files](#encrypting-files)
   - [Yubikey](#yubikey)
-    - [Saving GPG key to card](#saving-gpg-key-to-card)
-    - [Using the GPG key on a Yubikey](#using-the-gpg-key-on-a-yubikey)
-    - [Factory Reset](#factory-reset)
   - [Linux Apps](#linux-apps)
     - [Evolution Email](#evolution-email)
   - [Android Apps](#android-apps)
@@ -193,47 +190,7 @@ gpg --decrypt README.md.gpg
 
 ## Yubikey
 
-### Saving GPG key to card
-
-<https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP>
-
-```bash
-gpg --edit-key 1234ABC
-
-# Save both the signature and authentication keys
-> keytocard
-
-# Do not save or your key will be deleted locally
-> quit
-```
-
-Check the keys on the yubikey with
-
-```bash
-gpg --card-status
-```
-
-Once your keys have been loaded, change the pin.
-
-```bash
-gpg --change-pin
-```
-
-### Using the GPG key on a Yubikey
-
-<https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#notes>
-
-Importing the public key and trusting it with ultimate should cause `gpg
---list-secret-keys` to show your yubikey.
-
-### Factory Reset
-
-```bash
-gpg --edit-card
-
-> admin
-> factory-reset
-```
+See [Yubikey Notes](/active/device_yubikey/yubikey.md#gpg)
 
 ## Linux Apps
 

active/software_osbuild/fedora-43-base.toml

@@ -0,0 +1,77 @@
+name = "fedora-43-base"
+description = "Fedora 43 Base Installation"
+version = "0.0.1"
+distro = "fedora-43"
+modules = []
+groups = []
+
+[customizations]
+hostname = "f43-base"
+
+[[customizations.disk.partitions]]
+type = "btrfs"
+minsize = "32 GiB"
+
+[[customizations.disk.partitions.subvolumes]]
+name = "root"
+mountpoint = "/"
+
+[[customizations.disk.partitions.subvolumes]]
+name = "home"
+mountpoint = "/home"
+
+[customizations.timezone]
+timezone = "America/New_York"
+
+[[customizations.user]]
+name = "ducoterra"
+password = "$6$QqOw6ktp6aiPy5kX$cpN.oar4CiofH0PpxyveJgkjsRFGnZ5ykOX/50DcJyU3hZFxc5R3SASemNW6m3jceLGgZrQHyALQl8SgtcNO90"
+key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQa781Qj8mNlUdRquFFqg0O2ornG9SBHe705y4+1vPI ssh@ducoterra.net"
+home = "/home/ducoterra/"
+shell = "/usr/bin/bash"
+groups = ["wheel"]
+uid = 1000
+
+[customizations.firewall.services]
+enabled = ["ssh"]
+
+[customizations.services]
+enabled = ["sshd"]
+
+[[packages]]
+name = "bash-completion"
+version = "*"
+
+[[packages]]
+name = "tmux"
+version = "*"
+
+[[packages]]
+name = "openssh-server"
+version = "*"
+
+[[packages]]
+name = "vim"
+version = "*"
+
+[[packages]]
+name = "git"
+version = "*"
+
+[[customizations.files]]
+path = "/root/.inputrc"
+mode = "0644"
+user = "root"
+group = "root"
+data = """
+"\\C-h": backward-kill-word
+"""
+
+[[customizations.files]]
+path = "/home/ducoterra/.inputrc"
+mode = "0644"
+user = "root"
+group = "root"
+data = """
+"\\C-h": backward-kill-word
+"""

active/software_osbuild/image_builder.md

@@ -4,6 +4,12 @@ Builds Fedora/RHEL/Centos images like Packer but for Red Hat.
 
 <https://osbuild.org/docs/user-guide/blueprint-reference/>
 
+Default credentials for included images is:
+
+username: `ducoterra`
+
+password: `osbuild`
+
 ## Warning
 
 From the [Red Hat
@@ -54,14 +60,23 @@ dnf install -y cockpit-composer
     composer-cli compose start fedora-42-base qcow2
 
     # Check status
-    composer-cli compose status
+    watch composer-cli compose status
+
+    # Download logs if error
+    cd /tmp && composer-cli compose logs f91a12b6-01fd-4f94-91cc-9d5fb68b8129
+
+    # Delete failed images
+    composer-cli compose list failed -j | jq '.[].body.failed.[]?.id' | xargs -I '%' composer-cli compose delete '%'
+
+    # Delete successful images
+    composer-cli compose list finished -j | jq '.[].body.finished.[]?.id' | xargs -I '%' composer-cli compose delete '%'
     ```
 
 4. Run the image
 
     ```bash
     # List your images
-    composer-cli compose list
+    composer-cli compose list finished
 
     # Download the image
     composer-cli compose image --filename /var/lib/libvirt/images/fedora-42-base.qcow2 image-uuid
@@ -69,3 +84,11 @@ dnf install -y cockpit-composer
     # Test with qemu
     qemu-kvm --name test-fedora-42-base -m 4096 -hda ~/Downloads/fedora-42-base.qcow2
     ```
+
+### Image Build and Watch One Liner
+
+```bash
+composer-cli blueprints push active/software_osbuild/fedora-43-base.toml && \
+composer-cli compose start fedora-43-base qcow2 && \
+watch composer-cli compose status
+```

active/software_selinux/selinux.md

@@ -0,0 +1,162 @@
+# Selinux
+
+<https://thecybersecguru.com/tutorials/selinux-ultimate-guide/>
+
+## Terminology
+
+Subjects vs Objects:
+
+- A Subject is a process (e.g., the Apache httpd process).
+- An Object is the thing a subject wants to access (e.g., a file, a directory,
+  a network port, a system socket).
+
+Labels (Contexts):
+
+- Every single Subject and every single Object on an SELinux system has a
+  label. This label is called an SELinux Context.
+- A process’s label is called a domain.
+- A file’s label is called a type.
+
+The Policy:
+
+- The SELinux policy is just a massive database of rules that says which
+  domains can access which types.
+- A rule might say: “Allow the domain httpd_t (the Apache process) to read
+  files with the type httpd_sys_content_t (web content).”
+
+Type Enforcement (TE):
+
+- This is the name of the engine that enforces these rules. When a Subject
+  (process) tries to access an Object (file), the Linux kernel’s hook for
+  SELinux checks their labels.
+- It looks up the rule in the policy.
+- If a rule allow httpd_t httpd_sys_content_t:file { read }; exists, the access
+  is granted.
+- If no “allow” rule exists, the access is implicitly denied, and an event is
+  logged to /var/log/audit/audit.log.
+
+An SELinux context is a string with four parts, separated by colons: `user:role:type:level`
+
+- User: An SELinux user (e.g., system_u, unconfined_u). This is not the same as
+  your Linux user (root, john). It’s an identity within the policy.
+- Role: Used in Role-Based Access Control (RBAC). (e.g., system_r, object_r).
+- Level: Used in Multi-Level Security (MLS) and Multi-Category Security (MCS).
+  (e.g., s0, or s0:c0,c1). This is what keeps containers (Docker, Podman)
+  separate from each other.
+- For 99% of all system administration, you can COMPLETELY IGNORE the user, role, and level.
+
+The only part that matters for day-to-day troubleshooting is the third part:
+the type. This is the real label.
+
+- For a process (Subject), the type is its domain.
+- For a file (Object), the type is its type.
+
+## Using Selinux
+
+```bash
+# List labels
+# The type is the third item in the four colon-separated values
+ls -lZ /var
+ls -lZ /var/log
+ls -lZ .
+
+# List processes
+ps -eZ | grep -i auditd
+ps -eZ | grep -i clam
+ps -eZ | grep -i grep
+```
+
+### Using Selinux Booleans
+
+When you see an "selinux denied" error you have two choices:
+
+1. (Wrong) Write a custom policy module to allow this.
+2. (Right) Check if there’s an “off” switch for this rule.
+
+This “off” switch is called an SELinux Boolean.
+
+Booleans are on/off toggles for common policy rules. They are the first thing
+you should check when you have a denial.
+
+Your workflow should look like:
+
+1. Get a denial.
+2. Run getsebool -a | grep service_name.
+3. Read the list of booleans and find one that sounds like the action being denied.
+4. Temporarily flip it with setsebool.
+5. Test. If it works, make it permanent with setsebool -P.
+
+```bash
+# Get all booleans
+getsebool -a
+
+# Find one that's relevant
+getsebool -a | grep -i clam
+
+# Flip an sebool on temporarily
+setsebool httpd_can_network_connect_db on
+
+# Flip sebool on permanently
+setsebool -P httpd_can_network_connect_db on
+```
+
+### Using Selinux with Audit Log
+
+If the selinux boolean approach doesn't work.
+
+```bash
+# Make sure you have the troubleshooting package installed
+sudo dnf install -y setroubleshoot-server
+
+# List all alerts
+sudo sealert -a /var/log/audit/audit.log
+
+# If sealert doesn't have a recommendation, like restorecon, then use audit2why
+# This will tell you what you should do to fix the issue
+sudo grep "denied" /var/log/audit/audit.log | tail -n 1 | audit2why
+
+# Check what rule would be created
+sudo grep "antivirus_t" /var/log/audit/audit.log | audit2allow -m clamav-notifysend
+
+# Create the .te (human readable) policy, compile it (.pp), and load it into the kernel
+sudo grep "antivirus_t" /var/log/audit/audit.log | audit2allow -M clamav-notifysend
+
+# Apply the policy
+sudo semodule -X 300 -i clamav-notifysend.pp
+
+# List active policies
+sudo semodule -l
+
+# Remove an active policy
+sudo semodule -r clamav-notifysend
+```
+
+### Showing Dontaudit Rules
+
+Selinux will hide denies that are explicitly prohibited through a rule.
+
+```bash
+# Show dontaudit rules
+semodule -DB
+
+# Hide dontaudit rules
+semodule -B
+```
+
+## Compiling Modules
+
+If you have a `te` file you can compile to a `pp` file with the following:
+
+```bash
+# Compile to module source, then to policy package
+checkmodule -M -m -o sample.mod sample.te
+semodule_package -o sample.pp -m sample.mod
+```
+
+## Cloning a Virtual Machine
+
+```bash
+cd active/os_fedora/selinux_policies
+sudo ausearch -c 'rpc-virtstorage' --raw | audit2allow -M my-rpcvirtstorage
+sudo semodule -X 300 -i my-rpcvirtstorage.pp
+```

active/software_virsh/dual-stack-dhcp.xml

@@ -2,9 +2,9 @@
   <name>dual-stack</name>
   <forward mode="nat"/>
   <domain name="dual-stack"/>
-  <ip address="192.168.100.1" netmask="255.255.255.0">
+  <ip address="192.168.123.1" netmask="255.255.255.0">
     <dhcp>
-      <range start="192.168.100.2" end="192.168.100.254"/>
+      <range start="192.168.123.2" end="192.168.123.99"/>
     </dhcp>
   </ip>
   <ip family="ipv6" address="fd4d:58e7:17f6:1::1" prefix="64"/>

active/software_virsh/virsh.md

@@ -8,6 +8,8 @@ Virtual Machine Management
   - [Virsh Networking](#virsh-networking)
     - [Create a Virtual Network](#create-a-virtual-network)
     - [Attach a New Virtual Network](#attach-a-new-virtual-network)
+    - [Detach a Virtual Network](#detach-a-virtual-network)
+    - [Destroy a Virtual Network](#destroy-a-virtual-network)
     - [Set a Static IP](#set-a-static-ip)
   - [Creating VMs](#creating-vms)
     - [Create VM with No Graphics and use an Existing QCOW2 Disk](#create-vm-with-no-graphics-and-use-an-existing-qcow2-disk)
@@ -56,10 +58,10 @@ virsh shutdown <domain>
 virsh destroy <domain>
 
 # Remove a VM
-virsh undefine <domain>
+virsh undefine --nvram <domain>
 
 # Remove a VM including storage
-virsh undefine <domain> --remove-all-storage
+virsh undefine <domain> --nvram --remove-all-storage
 ```
 
 ## Virsh Networking
@@ -118,27 +120,42 @@ virsh attach-interface \
 --domain ${VM_NAME}
 ```
 
+### Detach a Virtual Network
+
+```bash
+# List mac addresses of connected interfaces'
+export VM_NAME=my_vm
+virsh domiflist --domain $VM_NAME
+virsh detach-interface --domain k0s-worker0 --type bridge --mac "52:54:00:f6:b9:83" --live
+```
+
+### Destroy a Virtual Network
+
+```bash
+export NETWORK_NAME=mynetwork
+virsh net-undefine --network $NETWORK_NAME
+virsh net-destroy --network $NETWORK_NAME
+```
+
 ### Set a Static IP
 
 To set a static IP, run `virsh net-edit default` and add the following between `<dhcp>` and `</dhcp>`
 
-```xml
-<host mac='xx:xx:0x:xx:xx:1x' name='virtual_machine' ip='1xx.1xx.1xx.xx'/>
-```
-
-Then run
-
 ```bash
-# `--location /path/to/image.iso` supplies a disk installer. (Remove `--import`)
-# `--import` skips the installation process.
-# `--graphics spice --video qxl --channel spicevmc` installs graphics
-# `--console pty,target.type=virtio` adds a console connection
-# For any command, use `virt-install --arg=?` to see all available options
-virsh net-destroy default
-virsh net-start default
-virsh shutdown virtual_machine
-systemctl restart libvirtd
-virsh start virtual_machine
+# Add a host
+virsh net-update default add-last ip-dhcp-host \
+      '<host mac="52:54:00:6f:78:f3" ip="192.168.122.222"/>' \
+      --live --config --parent-index 0
+
+# Modify a host
+virsh net-update default modify ip-dhcp-host \
+      '<host mac="52:54:00:6f:78:f3" ip="192.168.122.222"/>' \
+      --live --config --parent-index 0
+
+# Delete a host
+virsh net-update default delete ip-dhcp-host \
+      '<host mac="52:54:00:6f:78:f3" ip="192.168.122.222"/>' \
+      --live --config --parent-index 0
 ```
 
 ## Creating VMs
@@ -153,7 +170,9 @@ installation process altogether.
 ```bash
 sudo systemctl start osbuild-composer.socket
 composer-cli compose list
-composer-cli compose image --filename /var/lib/libvirt/images/fedora-42-test.qcow2 image-uuid
+export IMAGE_UUID=
+export VM_DISK_PATH=/var/lib/libvirt/images/fedora43-test.qcow2
+composer-cli compose image --filename ${VM_DISK_PATH} ${IMAGE_UUID}
 ```
 
 ### Create VM with No Graphics and use an Existing QCOW2 Disk
@@ -162,17 +181,21 @@ composer-cli compose image --filename /var/lib/libvirt/images/fedora-42-test.qco
 # Start the  default network if it isn't already
 virsh net-start --network default
 
+export VM_NAME="fedora43-test"
+export VM_DISK_PATH=/var/lib/libvirt/images/fedora43-test.qcow2
+
+# OPTIONAL: export your qcow2 disk now if using osbuild
+export IMAGE_UUID=
+composer-cli compose image --filename ${VM_DISK_PATH} ${IMAGE_UUID}
+
+# Install
 # `--location /path/to/image.iso` supplies a disk installer. (Remove `--import`)
 # `--import` skips the installation process.
-# `--graphics spice --video qxl --channel spicevmc` installs graphics
+# `--graphics spice --video qxl,model.ram=131072,model.vram=131072,model.vgamem=131072 --channel spicevmc` installs graphics
 # `--console pty,target.type=virtio` adds a console connection
 # For any command, use `virt-install --arg=?` to see all available options
-export VM_NAME="fedora42-test"
-export VM_DESCRIPTION="Test VM with Fedora42"
-export VM_DISK_PATH="/var/lib/libvirt/images/fedora-42-test.qcow2"
 virt-install \
 --name "${VM_NAME}" \
---description "${DESCRIPTION}" \
 --boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no \
 --cpu host-passthrough --vcpus sockets=1,cores=8,threads=2 \
 --ram=8192 \
@@ -192,18 +215,16 @@ virt-install \
 # `--console pty,target.type=virtio` adds a console connection
 # For any command, use `virt-install --arg=?` to see all available options
 export VM_NAME="fedora43-kinoite-test"
-export VM_DESCRIPTION="Test VM with Fedora43 Kinoite"
-export VM_DISK_PATH="/var/lib/libvirt/images/fedora-43-kinoite.qcow2"
-export VM_ISO_PATH="/var/lib/libvirt/iso/Fedora-Kinoite-ostree-x86_64-43-1.6.iso"
+export VM_ISO_PATH=/var/lib/libvirt/iso/
+export VM_DISK_PATH=/var/lib/libvirt/images/
 virt-install \
 --name "${VM_NAME}" \
---description "${DESCRIPTION}" \
 --boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no \
 --cpu host-passthrough --vcpus sockets=1,cores=8,threads=2 \
 --ram=8192 \
 --os-variant=fedora41 \
 --network bridge:virbr0 \
---graphics spice --video qxl --channel spicevmc \
+--graphics spice --video virtio --channel spicevmc \
 --cdrom ${VM_ISO_PATH} \
 --disk "path=${VM_DISK_PATH},size=64,bus=virtio,format=qcow2"
 ```
@@ -218,10 +239,8 @@ virt-install \
 # `--hostdev 0x1234:0x5678` adds a block storage device
 # For any command, use `virt-install --arg=?` to see all available options
 export VM_NAME="usb-linux"
-export VM_DESCRIPTION="Linux running 0x13fe:0x6500 as the boot drive"
 virt-install \
 --name "${VM_NAME}" \
---description "${DESCRIPTION}" \
 --boot uefi,firmware.feature0.name=secure-boot,firmware.feature0.enabled=no \
 --import \
 --cpu host-passthrough --vcpus sockets=1,cores=8,threads=2 \