From e80f58116a9ecd67b2febe06778c624fd42ed1c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Mon, 18 Jan 2021 12:52:27 +0100
Subject: Restart repo from scratch
---
content/services.md | 23 ++++
content/writeups/_index.md | 6 +
content/writeups/archlinux_installation.md | 181 +++++++++++++++++++++++++++++
content/writeups/homelab.md | 59 ++++++++++
content/writeups/lockdown-chapter-2.md | 88 ++++++++++++++
content/writeups/wireguard_and_ipv6.md | 56 +++++++++
6 files changed, 413 insertions(+)
create mode 100644 content/services.md
create mode 100644 content/writeups/_index.md
create mode 100644 content/writeups/archlinux_installation.md
create mode 100644 content/writeups/homelab.md
create mode 100644 content/writeups/lockdown-chapter-2.md
create mode 100644 content/writeups/wireguard_and_ipv6.md
(limited to 'content')
diff --git a/content/services.md b/content/services.md
new file mode 100644
index 0000000..83a8c87
--- /dev/null
+++ b/content/services.md
@@ -0,0 +1,23 @@
++++
+title = "Services"
+template = "directory-page.html"
+date = 2020-11-10
++++
+
+I tend to host all my services for my personal use on my infrastructure.
+By default everything run smoothly in an internal vpn powered by wireguard,
+openbsd and pf.
+
+| service | domain | available | public(1) |
+| ----------- | ------------------------- | ----------- | ----------- |
+| minecraft | rgoncalves.se[:25565] | yes | yes |
+| factorio | rgoncalves.se[:34197] | yes | yes |
+| git | git.rgoncalves.se | yes | yes |
+| nextcloud | cloud.rgoncalves.se | no | no |
+| sourcehut | srht.rgoncalves.se | no | no |
+
+> (1) : scream at *support[at]rgoncalves.se*
+>
+> (*) : only "available" services are running. Consider this list as a todo list
+
+
diff --git a/content/writeups/_index.md b/content/writeups/_index.md
new file mode 100644
index 0000000..2a2974e
--- /dev/null
+++ b/content/writeups/_index.md
@@ -0,0 +1,6 @@
++++
+title = "Writeups"
+sort_by = "date"
+template = "directory.html"
+page_template = "directory-page.html"
++++
diff --git a/content/writeups/archlinux_installation.md b/content/writeups/archlinux_installation.md
new file mode 100644
index 0000000..4a54636
--- /dev/null
+++ b/content/writeups/archlinux_installation.md
@@ -0,0 +1,181 @@
++++
+title = "Archlinux installation"
+date = 2020-07-01
++++
+
+
+## Introduction
+Through my 5 years with different Archlinux installations, I made up my mind to
+document the one that fullfills my needs. The main goal is a minimal arch install
+(like any other), including systemd and refind, without using any crappy ncurses
+interface, and of course powered by btrfs (zfs an other day).
+
+Installation process is heavily inspired by :
+- [Bullet proof arch install](https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install)
+
+ +
+
+## Partitions
+``` bash
+$ sgdisk --clear \
+ --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
+ --new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
+ --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
+ /dev/nvme0n1
+$ sgdisk --clear \
+ --new=1:0:1025GiB --typecode=1:8300 --change-name=1:wsd \
+/dev/sda
+```
+
+ +
+
+## Encryption
+
+```bash
+$ cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
+$ cryptsetup open /dev/disk/by-partlabel/cryptsystem system
+$ cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
+$ mkswap -L swap /dev/mapper/swap
+$ swapon -L swap
+```
+
+ +
+
+## File format
+
+```bash
+$ mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
+$ mkfs.ext4 -n wsd /dev/disk/by-partlabel/wsd
+$ mkfs.btrfs --force --label system /dev/mapper/system
+$ o=defaults,x-mount.mkdir
+$ o_btrfs=$o,compress=lzo,ssd,noatime
+$ mount -t btrfs LABEL=system /mnt
+$ mount -t btrfs LABEL=system /mnt
+$ btrfs subvolume create /mnt/root
+$ btrfs subvolume create /mnt/home
+$ btrfs subvolume create /mnt/snapshots
+$ umount -R /mnt
+$ mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
+$ mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
+$ mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
+$ mkdir /mnt/wsd
+$ mount LABEL=wsd /mnt/wsd
+$ mkdir /mnt/boot
+$ mount LABEL=EFI /mnt/boot
+```
+
+ +
+## Base install
+
+```bash
+$ pacstrap /mnt basenvim
+$ genfstab -L -p /mnt >> /mnt/etc/fstab
+```
+Open up /mnt/etc/fstab (old, new):
+```bash
+LABEL=swap none swap defaults 0 0
+```
+```bash
+/dev/mapper/cryptswap none swap sw 0 0
+```
+Open up /mnt/etc/crypttab, append at the end:
+```bash
+swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
+```
+
+ +
+
+## Base systemd
+
+The only way to have a non-biased opinion about systemd is to mix it yourself in your base install.
+
+```bash
+$ systemd-nspawn -bD /mnt
+$ localectl set-locale LANG=en_US.UTF-8
+$ timedatectl set-ntp 1
+$ timedatectl set-timezone Europe/Paris
+$ hostnamectl set-hostname WS-workstationname
+```
+
+ +
+
+## Base packages
+
+After spending more than one day on some archlinux shenanigans, you need linux-firmware package for a propper booting install, since 2019 :questionmark:
+
+```bash
+$ pacman -Syu base-devel linux linux-firmware refind-efi btrfs-prog gptfdisk zsh wget curl git zip unzip ntfs-3g
+```
+
+ +
+
+## Initramfs
+
+```bash
+$ mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig
+```
+ Open up /etc/mkinitcpio.conf :
+
+```bash
+MODULES=""
+BINARIES=""
+FILES=""
+HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
+```
+```bash
+$ mkinicpio -p linux
+```
+
+ +
+ +## rEFind + +```bash +$ refind-install +``` + +We now reached the trickiest part for installing rEFind. +Hit Ctrl+Alt+F2, exec this last code block, and then reach back TTy1 (nspawn doesn't allow deep disk modification / access). + +```bash +$ arch-chroot /mnt +$ refind-install +``` +Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir : + +```config +timeout 5 +use_graphics_for windows +also_scan_dirs +,@/ +``` +```config +btrfs filesystem show system +lsblk -fs +``` +Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir : +```config +Add the following value if you are using an intel cpu : initrd=/intel-ucode.img +"Boot with standard options" "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root subvolume* rootflags=subvol=root initrd=/initramfs-linux.img" +``` +
+ +
+
+## Reboot
+
+```bash
+$ passwd
+$ poweroff
+$ reboot
+#finger crossed !!
+```
+
diff --git a/content/writeups/homelab.md b/content/writeups/homelab.md
new file mode 100644
index 0000000..3f325a9
--- /dev/null
+++ b/content/writeups/homelab.md
@@ -0,0 +1,59 @@
++++
+title = "Making an homelab"
+date = 2020-07-20
++++
+
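Review bot: The swap device names disagree in the "Base install" section: the crypttab line names the mapping `swap` (device `/dev/mapper/swap`, consistent with the earlier `cryptsetup open ... cryptswap swap` and `mkswap -L swap /dev/mapper/swap`), but the replacement fstab line points at `/dev/mapper/cryptswap`, which is never created, so systemd will wait on a device that does not appear; the fstab line should read `/dev/mapper/swap none swap sw 0 0`. In the "Encryption" section, `-s 256` with `aes-xts-plain64` yields AES-128 because XTS splits the key in two halves, so readers who want AES-256 need `-s 512`, and passing `--type luks2` explicitly would stop the header format from depending on whichever cryptsetup default the live ISO ships. Two command typos will also trip anyone following along: `mkfs.ext4 -n wsd` (`-n` is a dry run; the label flag is `-L`) and `mkinicpio -p linux` (`mkinitcpio`). Since the swap key comes from `/dev/urandom` on every boot, a one-line caveat that this rules out hibernation would be useful.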
+
+## Motivations
+
+- Fun ! (We are hackers, aren't we ?)
+- Private git hosting, syncthing, game servers and build servers ..
+- Gaining more and more experiences
+- Portfolio ;) ?
+
+ +
+ +## Software +There are already plenty of ways already for managing servers and services, such as ansible, terraform, kubernetes + docker, .. +But why should I spend a LOT of time learning all these tools seperately (and together) ? +Right, they are used for professional needs. +But I got a keyboard. +Seriously. +Let's spend twice that time on making my own infrastructure scripts ! + +[Gitlab repository](https://gitlab.com/rgoncalves.se/infrastructure/) +
+ +
+
+## Enjoying a dell r710 rev II
+
+### Using an internal SSD
+
+As I decided to turn my r710 as a bare-metal server with OpenBSD, I had to do some hacks to get a working internal SSD.
+
+- Yes, I could have used the internal USB 2.0 port with a USB drive, but we are talking about a bare-metal server, not EsXi loaded in ram.
+- Yes, using the internal SATA ports (as SATA 2) will reduce the speed allowed by my SSD, but it's a spare one, and the main goal is to get an **internal 2'5 drive** or replace that term with whatever you want.
+
+![](/images/r710_and_switch.jpg)
+
+ +
+
+## Building a rack
+
+(Never use pine wood.)
+
+I finally ended up using pine wood (here planks).
+The key is to build a shelf intended to support at least 100Kg.
+So don't use beams or other shitty structure, 4 four plains planks are enough.
+
+Below, before and after :
+
+![](/images/homelab_old_01.jpg)
+![](/images/homelab_wip_01.jpg)
+![](/images/homelab_wip_02.jpg)
+![](/images/homelab_front_01.jpg)
+
diff --git a/content/writeups/lockdown-chapter-2.md b/content/writeups/lockdown-chapter-2.md
new file mode 100644
index 0000000..9e462c6
--- /dev/null
+++ b/content/writeups/lockdown-chapter-2.md
@@ -0,0 +1,88 @@
++++
+title = "Lockdown chapter 2"
+date = 2020-11-10
++++
+
+## ansible
+
+For this lockdown part. 2, it makes sense to run my internal servers and
+infrastructure 24/7, so I can monitor the stress load and continously deploy
+and provision my services between two stupid courses or useless java exercises.
+
+I was already using Ansible for small tasks such as updating everything at once,
+or generating git/syncthing/ssh configuration. This time I refactored my use of
+Ansible, using
+[best practices](https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html).
+
+Previously, my inventory was generated from an external YAML, but why should I
+keep an additional layer of abstraction that adds nothing but complicated
+infrastructure management ? Therefore, I refactored all my hosts, services and
+meta details in the inventory file in YAML format. Yes, it does make my roles
+and scripts more dependent to my specific inventory, but I can describe per-host
+services and use dynamically loaded roles.
+
+## stack
+
+My main server running OpenBSD, using Docker is not possible. I have seen some
+guys on Internet running Docker on an Alpine vm, but it adds two level of
+abstraction, and I dont like cluttering my system with too many complex and
+exotic setup when not needed.
+
+Therefore, I have my own Ansible roles and playbooks for deploying Alpine or
+OpenBSD iso on my hypervisor. Each services/type of services will leave in a
+virtual machine, allowing me to backup disk images or making snapshots thanks
+to qcow2.
+
+> After tinkering around with vmm, it gaves me poor results for realtime needs
+> in virtual machine (such as minecraft, factorio, ...) due to a high number
+> of cpu interruptions.
+>
+> I then went with freebsd and bhyve.
+ +``` ++-------------------+ +| domain controller | +| * openbsd | +| * ^irtual | ++-------------------+ + ^ + | + v ++--------+----------+ +| lan router | +| * ddwrt | +| * physical | ++--------+----------+ + ^ + | + v ++--------+----------+ +| 24 ports switch | +| * fiber ports | ++--------+-+-+------+ + ^ | | + | | +--------------------------------------------------------------------+ + | +-------------------------------------------------+ | + v v v ++--------+--------------------------------------+ +--------+---------+ +------+---------+ +| | | workstation | | laptop | +| Dell poweredge R710 | | * archlinux | | * archlinux | +| * 48GB ram | | * btrfs | | # encrypted | +| * freebsd /openbsd/ (ssd disk) | * encrypted | | | +| | +------------------+ +----------------+ +| +------------+ +------------+ +-------------+ | +| | vm0 | | vm1 | | vm/n | | +| | * alpine | | * alpine | | * openbsd \ | | +| | | | | | alpine \ | | +| | | | | | ... | | +| +------------+ +------------+ +-------------+ | +| | ++-----------------------------------------------+ +``` + +## grafana + + + +Thanks to ansible, I wrote roles for deploying grafana on a virtual machines, +then for deploying *prometheus* and *node_exporter* on all my servers. diff --git a/content/writeups/wireguard_and_ipv6.md b/content/writeups/wireguard_and_ipv6.md new file mode 100644 index 0000000..8d00cd9 --- /dev/null +++ b/content/writeups/wireguard_and_ipv6.md @@ -0,0 +1,56 @@ ++++ +title = "Wireguard and IPV6" +date = 2020-08-26 ++++ + +
+
+## Preambule
+
+I decided to connect all my services and servers behind my domain controller,
+which has a dedicated IPv4 and IPv6 address, and which basically host that
+website. This would allow me to remotely manage and enjoy my infrastructure
+when I'm away from my homelab.
+
+ +
+
+## IPv6 journey
+
+When I first used WireGuard with my new OpenBSD vm on all my devices, i noticed
+that my some of my requests towards specific services were not working anymore.
+For instance, I spent some time trying to reach :
+
+- gitlab.com
+- github.com
+- ungleich.ch
+
+In fact, I had hard times accessing these services only when I was connected to
+my WireGuard server (which has IPv4 and IPv6, with some default wireguard
+settings I carried with me for six months), and only through my system dns.
+
+In fact I figured out that it happened only when I was under an IPv6 capable
+router.
+
+### Solution ?
+
+Adding IPv6 subnet to server and clients configuration files.
+
+### Next ?
+
+Enable IPv6 routing in the domain controller, for a single-ip usage.
+
+ +
+
+## *BSD routing
+The default routing configuration does not allow my domain controller to reach
+the **ungleich's infrastructure and services**.
+
+```bash
+echo "\!/sbin/route add -inet 185.203.112/24 185.203.114.1" >> /etc/hostname.vio1
+```
+
+Then I want to be able to access IPv6 only services when I'm using my wireguard
+server (right now it only allows to force IPv4 to the client).
+
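Review bot: The quoting in `echo "\!/sbin/route add ..." >> /etc/hostname.vio1` is shell-dependent: inside double quotes, bash (and, as far as I can tell, OpenBSD's ksh) keeps the backslash because it only escapes `$`, `` ` ``, `"` and `\`, so the file would receive a literal `\!/sbin/route ...` rather than the `!command` form hostname.if expects, whereas zsh strips the backslash before `!`. Single quotes make the line work the same everywhere: `echo '!/sbin/route add -inet 185.203.112/24 185.203.114.1' >> /etc/hostname.vio1`. A note that the writeup was tested from zsh, or a switch to single quotes, would spare readers on another shell a silent misconfiguration.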