Diffstat (limited to 'content')
-rw-r--r-- content/writeups/services.md            | 23
-rw-r--r-- content/writeups/_index.md              |  6
-rw-r--r-- content/writeups/archlinux_installation.md | 181
-rw-r--r-- content/writeups/homelab.md             | 59
-rw-r--r-- content/writeups/lockdown-chapter-2.md  | 88
-rw-r--r-- content/writeups/wireguard_and_ipv6.md  | 56
6 files changed, 413 insertions, 0 deletions
diff --git a/content/services.md b/content/services.md
new file mode 100644
index 0000000..83a8c87
--- /dev/null
+++ b/content/services.md
@@ -0,0 +1,23 @@
++++
+title = "Services"
+template = "directory-page.html"
+date = 2020-11-10
++++
+
+I tend to host all my services for my personal use on my infrastructure.
+By default everything run smoothly in an internal vpn powered by wireguard,
+openbsd and pf.
+
+| service | domain | available | public(1) |
+| ----------- | ------------------------- | ----------- | ----------- |
+| minecraft | rgoncalves.se[:25565] | yes | yes |
+| factorio | rgoncalves.se[:34197] | yes | yes |
+| git | git.rgoncalves.se | yes | yes |
+| nextcloud | cloud.rgoncalves.se | no | no |
+| sourcehut | srht.rgoncalves.se | no | no |
+
+> (1) : scream at *support[at]rgoncalves.se*
+>
+> (*) : only "available" services are running. Consider this list as a todo list
+
+
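Review bot: the "(*)" footnote under the table has no matching marker in the table (only the "public(1)" header is referenced), so either add the marker to the "available" header or drop the numbering. In the intro sentence, "everything run smoothly" should read "everything runs smoothly", and the file ends with two trailing blank lines.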
diff --git a/content/writeups/_index.md b/content/writeups/_index.md
new file mode 100644
index 0000000..2a2974e
--- /dev/null
+++ b/content/writeups/_index.md
@@ -0,0 +1,6 @@
++++
+title = "Writeups"
+sort_by = "date"
+template = "directory.html"
+page_template = "directory-page.html"
++++
diff --git a/content/writeups/archlinux_installation.md b/content/writeups/archlinux_installation.md
new file mode 100644
index 0000000..4a54636
--- /dev/null
+++ b/content/writeups/archlinux_installation.md
@@ -0,0 +1,181 @@
++++
+title = "Archlinux installation"
+date = 2020-07-01
++++
+
+<section>
+
+## Introduction
+Through my 5 years with different Archlinux installations, I made up my mind to
+document the one that fullfills my needs. The main goal is a minimal arch install
+(like any other), including systemd and refind, without using any crappy ncurses
+interface, and of course powered by btrfs (zfs an other day).
+
+Installation process is heavily inspired by :
+- [Bullet proof arch install](https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install)
+</section>
+
+<section>
+
+## Partitions
+``` bash
+$ sgdisk --clear \
+ --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
+ --new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
+ --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
+ /dev/nvme0n1
+$ sgdisk --clear \
+ --new=1:0:1025GiB --typecode=1:8300 --change-name=1:wsd \
+/dev/sda
+```
+</section>
+
+<section>
+
+## Encryption
+
+```bash
+$ cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
+$ cryptsetup open /dev/disk/by-partlabel/cryptsystem system
+$ cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
+$ mkswap -L swap /dev/mapper/swap
+$ swapon -L swap
+```
+</section>
+
+<section>
+
+## File format
+
+```bash
+$ mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
+$ mkfs.ext4 -n wsd /dev/disk/by-partlabel/wsd
+$ mkfs.btrfs --force --label system /dev/mapper/system
+$ o=defaults,x-mount.mkdir
+$ o_btrfs=$o,compress=lzo,ssd,noatime
+$ mount -t btrfs LABEL=system /mnt
+$ mount -t btrfs LABEL=system /mnt
+$ btrfs subvolume create /mnt/root
+$ btrfs subvolume create /mnt/home
+$ btrfs subvolume create /mnt/snapshots
+$ umount -R /mnt
+$ mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
+$ mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
+$ mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
+$ mkdir /mnt/wsd
+$ mount LABEL=wsd /mnt/wsd
+$ mkdir /mnt/boot
+$ mount LABEL=EFI /mnt/boot
+```
+</section>
+
+<section>
+## Base install
+
+```bash
+$ pacstrap /mnt basenvim
+$ genfstab -L -p /mnt >> /mnt/etc/fstab
+```
+Open up /mnt/etc/fstab (old, new):
+```bash
+LABEL=swap none swap defaults 0 0
+```
+```bash
+/dev/mapper/cryptswap none swap sw 0 0
+```
+Open up /mnt/etc/crypttab, append at the end:
+```bash
+swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
+```
+</section>
+
+<section>
+
+## Base systemd
+
+The only way to have a non-biased opinion about systemd is to mix it yourself in your base install.
+
+```bash
+$ systemd-nspawn -bD /mnt
+$ localectl set-locale LANG=en_US.UTF-8
+$ timedatectl set-ntp 1
+$ timedatectl set-timezone Europe/Paris
+$ hostnamectl set-hostname WS-workstationname
+```
+</section>
+
+<section>
+
+## Base packages
+
+After spending more than one day on some archlinux shenanigans, you need linux-firmware package for a propper booting install, since 2019 :questionmark:
+
+```bash
+$ pacman -Syu base-devel linux linux-firmware refind-efi btrfs-prog gptfdisk zsh wget curl git zip unzip ntfs-3g
+```
+</section>
+
+<section>
+
+## Initramfs
+
+```bash
+$ mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig
+```
+ Open up /etc/mkinitcpio.conf :
+
+```bash
+MODULES=""
+BINARIES=""
+FILES=""
+HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
+```
+```bash
+$ mkinicpio -p linux
+```
+</section>
+
+<section>
+
+## rEFind
+
+```bash
+$ refind-install
+```
+
+We now reached the trickiest part for installing rEFind.
+Hit Ctrl+Alt+F2, exec this last code block, and then reach back TTy1 (nspawn doesn't allow deep disk modification / access).
+
+```bash
+$ arch-chroot /mnt
+$ refind-install
+```
+Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
+
+```config
+timeout 5
+use_graphics_for windows
+also_scan_dirs +,@/
+```
+```config
+btrfs filesystem show system
+lsblk -fs
+```
+Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
+```config
+Add the following value if you are using an intel cpu : initrd=/intel-ucode.img
+"Boot with standard options" "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root subvolume* rootflags=subvol=root initrd=/initramfs-linux.img"
+```
+</section>
+
+<section>
+
+## Reboot
+
+```bash
+$ passwd
+$ poweroff
+$ reboot
+#finger crossed !!
+```
+</section>
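Review bot: `mkfs.ext4 -n wsd /dev/disk/by-partlabel/wsd` in the "File format" block does not format the partition: for mke2fs, `-n` is a dry run, and the label flag is `-L`, so the later `mount LABEL=wsd /mnt/wsd` will fail. In the same hunk, the fstab line `/dev/mapper/cryptswap none swap sw 0 0` does not match the crypttab entry, which names the mapping `swap` (as does the cryptsetup block), so it should be `/dev/mapper/swap`; `pacstrap /mnt basenvim` is missing a space (`base nvim`); `btrfs-prog` should be `btrfs-progs`; `mkinicpio -p linux` should be `mkinitcpio -p linux`; and the `mount -t btrfs LABEL=system /mnt` line is duplicated. In the rEFind section, `refind-install` is run inside nspawn and again in the chroot although the text says nspawn cannot do it, the second `config` fence actually holds shell commands (`btrfs filesystem show`, `lsblk -fs`) and the "Open up /boot/EFI/refind/refind.conf" sentence is repeated after it, and the last fence mixes an instruction sentence with the menu entry line. On the LUKS line, `-s 256` with `aes-xts-plain64` yields AES-128 (XTS splits the key in two), so use `-s 512` if AES-256 is the intent.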
diff --git a/content/writeups/homelab.md b/content/writeups/homelab.md
new file mode 100644
index 0000000..3f325a9
--- /dev/null
+++ b/content/writeups/homelab.md
@@ -0,0 +1,59 @@
++++
+title = "Making an homelab"
+date = 2020-07-20
++++
+
+<section>
+
+## Motivations
+
+- Fun ! (We are hackers, aren't we ?)
+- Private git hosting, syncthing, game servers and build servers ..
+- Gaining more and more experiences
+- Portfolio ;) ?
+</section>
+
+<section>
+
+## Software
+There are already plenty of ways already for managing servers and services, such as ansible, terraform, kubernetes + docker, ..
+But why should I spend a LOT of time learning all these tools seperately (and together) ?
+Right, they are used for professional needs.
+But I got a keyboard.
+Seriously.
+Let's spend twice that time on making my own infrastructure scripts !
+
+[Gitlab repository](https://gitlab.com/rgoncalves.se/infrastructure/)
+</section>
+
+<section>
+
+## Enjoying a dell r710 rev II
+
+### Using an internal SSD
+
+As I decided to turn my r710 as a bare-metal server with OpenBSD, I had to do some hacks to get a working internal SSD.
+
+- Yes, I could have used the internal USB 2.0 port with a USB drive, but we are talking about a bare-metal server, not EsXi loaded in ram.
+- Yes, using the internal SATA ports (as SATA 2) will reduce the speed allowed by my SSD, but it's a spare one, and the main goal is to get an **internal 2'5 drive** or replace that term with whatever you want.
+
+![](/images/r710_and_switch.jpg)
+</section>
+
+<section>
+
+## Building a rack
+
+(Never use pine wood.)
+
+I finally ended up using pine wood (here planks).
+The key is to build a shelf intended to support at least 100Kg.
+So don't use beams or other shitty structure, 4 four plains planks are enough.
+
+Below, before and after :
+
+![](/images/homelab_old_01.jpg)
+![](/images/homelab_wip_01.jpg)
+![](/images/homelab_wip_02.jpg)
+![](/images/homelab_front_01.jpg)
+</section>
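Review bot: typos in this hunk: "Making an homelab" should be "Making a homelab", "seperately" is "separately", "EsXi" is "ESXi", "2'5 drive" should be 2.5" drive, and "4 four plains planks" reads as "four plain planks". The "Software" section's "plenty of ways already ... already" repeats the word.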
diff --git a/content/writeups/lockdown-chapter-2.md b/content/writeups/lockdown-chapter-2.md
new file mode 100644
index 0000000..9e462c6
--- /dev/null
+++ b/content/writeups/lockdown-chapter-2.md
@@ -0,0 +1,88 @@
++++
+title = "Lockdown chapter 2"
+date = 2020-11-10
++++
+
+## ansible
+
+For this lockdown part. 2, it makes sense to run my internal servers and
+infrastructure 24/7, so I can monitor the stress load and continously deploy
+and provision my services between two stupid courses or useless java exercises.
+
+I was already using Ansible for small tasks such as updating everything at once,
+or generating git/syncthing/ssh configuration. This time I refactored my use of
+Ansible, using
+[best practices](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html).
+
+Previously, my inventory was generated from an external YAML, but why should I
+keep an additional layer of abstraction that adds nothing but complicated
+infrastructure management ? Therefore, I refactored all my hosts, services and
+meta details in the inventory file in YAML format. Yes, it does make my roles
+and scripts more dependent to my specific inventory, but I can describe per-host
+services and use dynamically loaded roles.
+
+## stack
+
+My main server running OpenBSD, using Docker is not possible. I have seen some
+guys on Internet running Docker on an Alpine vm, but it adds two level of
+abstraction, and I dont like cluttering my system with too many complex and
+exotic setup when not needed.
+
+Therefore, I have my own Ansible roles and playbooks for deploying Alpine or
+OpenBSD iso on my hypervisor. Each services/type of services will leave in a
+virtual machine, allowing me to backup disk images or making snapshots thanks
+to qcow2.
+
+> After tinkering around with vmm, it gaves me poor results for realtime needs
+> in virtual machine (such as minecraft, factorio, ...) due to a high number
+> of cpu interruptions.
+>
+> I then went with freebsd and bhyve.
+
+```
++-------------------+
+| domain controller |
+| * openbsd |
+| * ^irtual |
++-------------------+
+ ^
+ |
+ v
++--------+----------+
+| lan router |
+| * ddwrt |
+| * physical |
++--------+----------+
+ ^
+ |
+ v
++--------+----------+
+| 24 ports switch |
+| * fiber ports |
++--------+-+-+------+
+ ^ | |
+ | | +--------------------------------------------------------------------+
+ | +-------------------------------------------------+ |
+ v v v
++--------+--------------------------------------+ +--------+---------+ +------+---------+
+| | | workstation | | laptop |
+| Dell poweredge R710 | | * archlinux | | * archlinux |
+| * 48GB ram | | * btrfs | | # encrypted |
+| * freebsd /openbsd/ (ssd disk) | * encrypted | | |
+| | +------------------+ +----------------+
+| +------------+ +------------+ +-------------+ |
+| | vm0 | | vm1 | | vm/n | |
+| | * alpine | | * alpine | | * openbsd \ | |
+| | | | | | alpine \ | |
+| | | | | | ... | |
+| +------------+ +------------+ +-------------+ |
+| |
++-----------------------------------------------+
+```
+
+## grafana
+
+<img class="wide-3 shadow-1" src="/images/grafana_01.jpg">
+
+Thanks to ansible, I wrote roles for deploying grafana on a virtual machines,
+then for deploying *prometheus* and *node_exporter* on all my servers.
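Review bot: the ASCII diagram has a mangled label in the domain controller box (`* ^irtual` should be `* virtual`), and the line `| * freebsd /openbsd/ (ssd disk) | * encrypted |` is missing the R710 box's right border and the workstation box's left border, so the boxes no longer line up with the rows above and below. Wording: "Each services/type of services will leave in a virtual machine" should be "Each service or type of service will live in a virtual machine", "it gaves me" is "it gave me", and "I dont" is "I don't". The `<img>` in the grafana section has no `alt` attribute.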
diff --git a/content/writeups/wireguard_and_ipv6.md b/content/writeups/wireguard_and_ipv6.md
new file mode 100644
index 0000000..8d00cd9
--- /dev/null
+++ b/content/writeups/wireguard_and_ipv6.md
@@ -0,0 +1,56 @@
++++
+title = "Wireguard and IPV6"
+date = 2020-08-26
++++
+
+<section>
+
+## Preambule
+
+I decided to connect all my services and servers behind my domain controller,
+which has a dedicated IPv4 and IPv6 address, and which basically host that
+website. This would allow me to remotely manage and enjoy my infrastructure
+when I'm away from my homelab.
+</section>
+
+<section>
+
+## IPv6 journey
+
+When I first used WireGuard with my new OpenBSD vm on all my devices, i noticed
+that my some of my requests towards specific services were not working anymore.
+For instance, I spent some time trying to reach :
+
+- gitlab.com
+- github.com
+- ungleich.ch
+
+In fact, I had hard times accessing these services only when I was connected to
+my WireGuard server (which has IPv4 and IPv6, with some default wireguard
+settings I carried with me for six months), and only through my system dns.
+
+In fact I figured out that it happened only when I was under an IPv6 capable
+router.
+
+### Solution ?
+
+Adding IPv6 subnet to server and clients configuration files.
+
+### Next ?
+
+Enable IPv6 routing in the domain controller, for a single-ip usage.
+</section>
+
+<section>
+
+## *BSD routing
+The default routing configuration does not allow my domain controller to reach
+the **ungleich's infrastructure and services**.
+
+```bash
+echo "\!/sbin/route add -inet 185.203.112/24 185.203.114.1" >> /etc/hostname.vio1
+```
+
+Then I want to be able to access IPv6 only services when I'm using my wireguard
+server (right now it only allows to force IPv4 to the client).
+</section>
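Review bot: the "Solution ?" section only says "Adding IPv6 subnet to server and clients configuration files"; name the actual keys (an IPv6 address in `Address` on both peers and the IPv6 subnet, or `::/0`, in the client's `AllowedIPs`), because the symptom described, breakage only behind an IPv6-capable router and only through the system DNS, is consistent with the client's IPv6 traffic not being routed into the tunnel and leaving through the local network instead; stating that makes the fix understandable and flags the leak. Typos: "Preambule" should be "Preamble", "host that website" is "hosts this website", "i noticed that my some of my requests" has a stray "my", and "I had hard times" is "I had a hard time".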