Diffstat (limited to 'src/b')
-rw-r--r--src/b/archlinux-installation.md163
-rw-r--r--src/b/wireguard-ipv6.md43
2 files changed, 206 insertions, 0 deletions
diff --git a/src/b/archlinux-installation.md b/src/b/archlinux-installation.md
new file mode 100644
index 0000000..86a6c45
--- /dev/null
+++ b/src/b/archlinux-installation.md
@@ -0,0 +1,163 @@
+date: 2020-07-01
+title: Archlinux Bulletproof Installation
+
+Through my 5 years with different Archlinux installations, I made up my mind to
+document the one that fullfills my needs. The main goal is a minimal arch install
+(like any other), including systemd and refind, without using any crappy ncurses
+interface, and of course powered by btrfs (zfs an other day).
+
+Installation process is heavily inspired by :
+
+- [https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install](Bullet proof arch install)
+
+## partitions
+
+```
+$ sgdisk --clear \
+ --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
+ --new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
+ --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
+ /dev/nvme0n1
+$ sgdisk --clear \
+ --new=1:0:1025GiB --typecode=1:8300 --change-name=1:wsd \
+/dev/sda
+```
+
+## encryption
+
+```
+$ cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
+$ cryptsetup open /dev/disk/by-partlabel/cryptsystem system
+$ cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
+$ mkswap -L swap /dev/mapper/swap
+$ swapon -L swap
+```
+
+## file format
+
+```
+$ mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
+$ mkfs.ext4 -n wsd /dev/disk/by-partlabel/wsd
+$ mkfs.btrfs --force --label system /dev/mapper/system
+$ o=defaults,x-mount.mkdir
+$ o_btrfs=$o,compress=lzo,ssd,noatime
+$ mount -t btrfs LABEL=system /mnt
+$ mount -t btrfs LABEL=system /mnt
+$ btrfs subvolume create /mnt/root
+$ btrfs subvolume create /mnt/home
+$ btrfs subvolume create /mnt/snapshots
+$ umount -R /mnt
+$ mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
+$ mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
+$ mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
+$ mkdir /mnt/wsd
+$ mount LABEL=wsd /mnt/wsd
+$ mkdir /mnt/boot
+$ mount LABEL=EFI /mnt/boot
+```
+
+## base install
+
+```
+$ pacstrap /mnt basenvim
+$ genfstab -L -p /mnt >> /mnt/etc/fstab
+```
+
+Open up /mnt/etc/fstab (old, new):
+
+```
+LABEL=swap none swap defaults 0 0
+```
+
+```
+/dev/mapper/cryptswap none swap sw 0 0
+```
+
+Open up /mnt/etc/crypttab, append at the end:
+
+```
+swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
+```
+
+## base systemd
+
+The only way to have a non-biased opinion about systemd is to mix it yourself in your base install.
+
+```
+$ systemd-nspawn -bD /mnt
+$ localectl set-locale LANG=en_US.UTF-8
+$ timedatectl set-ntp 1
+$ timedatectl set-timezone Europe/Paris
+$ hostnamectl set-hostname WS-workstationname
+```
+
+## base packages
+
+After spending more than one day on some archlinux shenanigans, you need linux-firmware package for a propper booting install, since 2019 :questionmark:
+
+```
+$ pacman -Syu base-devel linux linux-firmware refind-efi btrfs-prog gptfdisk zsh wget curl git zip unzip ntfs-3g
+```
+</pre>
+
+## intramfs
+
+```
+$ mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig
+```
+
+Open up /etc/mkinitcpio.conf :
+
+```
+MODULES=""
+BINARIES=""
+FILES=""
+HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
+```
+
+```
+$ mkinicpio -p linux
+```
+
+## refind
+
+```
+$ refind-install
+```
+
+We now reached the trickiest part for installing rEFind.
+Hit Ctrl+Alt+F2, exec this last code block, and then reach back TTy1 (nspawn doesn't allow deep disk modification / access).
+
+```
+$ arch-chroot /mnt
+$ refind-install
+```
+
+Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
+
+```
+timeout 5
+use_graphics_for windows
+also_scan_dirs +,@/
+```
+
+```
+$ btrfs filesystem show system
+$ lsblk -fs
+```
+
+Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
+
+```
+Add the following value if you are using an intel cpu : initrd=/intel-ucode.img
+"Boot with standard options" "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root subvolume* rootflags=subvol=root initrd=/initramfs-linux.img"
+```
+
+## reboot
+
+```
+$ passwd
+$ poweroff
+$ reboot
+#finger crossed !!
+```
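Review bot: the swap device names in fstab and crypttab do not match: the new fstab line references `/dev/mapper/cryptswap`, but the crypttab entry names the mapping `swap` (its first field), so the encrypted swap will appear as `/dev/mapper/swap` and the fstab entry will fail at boot; use the same name in both, e.g. `/dev/mapper/swap none swap sw 0 0`. Further points in this hunk: `mkfs.ext4 -n wsd` is a dry run (`-n` tells mke2fs not to create the filesystem), so the `wsd` filesystem is never made and the later `mount LABEL=wsd /mnt/wsd` fails; the label option is `-L wsd`. `-s 256` on `luksFormat` and `size=256` in crypttab with `aes-xts-plain64` yield AES-128, since XTS splits the key in two; use 512 if AES-256 is intended. `mount -t btrfs LABEL=system /mnt` is duplicated, `pacstrap /mnt basenvim` is missing the space between the package names, `btrfs-prog` should be `btrfs-progs`, `mkinicpio` should be `mkinitcpio`, the heading `## intramfs` should read `## initramfs`, the link under "inspired by" has the URL and the text swapped (markdown is `[text](url)`), a stray `</pre>` follows the base-packages block, and the first `refind-install` block (run inside nspawn, which the text itself says does not work) should be dropped. The second "Open up /boot/EFI/refind/refind.conf" paragraph is a copy of the first, and the `"Boot with standard options" "..."` line is refind_linux.conf syntax, which lives next to the kernel (e.g. /boot/refind_linux.conf) rather than in refind.conf. Finally, `poweroff` followed by `reboot` is contradictory; keep one.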
diff --git a/src/b/wireguard-ipv6.md b/src/b/wireguard-ipv6.md
new file mode 100644
index 0000000..9a91dc8
--- /dev/null
+++ b/src/b/wireguard-ipv6.md
@@ -0,0 +1,43 @@
+date: 2020-08-26
+title: Wireguard and IPV6
+
+> I decided to connect all my services and servers behind my domain controller,
+> which has a dedicated IPv4 and IPv6 address, and which basically host that
+> website. This would allow me to remotely manage and enjoy my infrastructure
+> when I'm away from my homelab.
+
+## IPv6 journey
+When I first used WireGuard with my new OpenBSD vm on all my devices, i noticed
+that my some of my requests towards specific services were not working anymore.
+For instance, I spent some time trying to reach :
+
+- gitlab.com
+- github.com
+- ungleich.ch
+
+In fact, I had hard times accessing these services only when I was connected to
+my WireGuard server (which has IPv4 and IPv6, with some default wireguard
+settings I carried with me for six months), and only through my system dns.
+
+In fact I figured out that it happened only when I was under an IPv6 capable
+router.
+
+## Solution
+
+Adding IPv6 subnet to server and clients configuration files.
+
+## Next
+
+Enable IPv6 routing in the domain controller, for a single-ip usage.
+
+## BSD routing
+
+The default routing configuration does not allow my domain controller to reach
+the **ungleich's infrastructure and services**.
+
+```
+echo "\!/sbin/route add -inet 185.203.112/24 185.203.114.1" >> /etc/hostname.vio1
+```
+
+Then I want to be able to access IPv6 only services when I'm using my wireguard
+server (right now it only allows to force IPv4 to the client).
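Review bot: the `echo "\!/sbin/route ..."` line writes a literal backslash into /etc/hostname.vio1: inside double quotes, sh, ksh and bash all keep the backslash in front of `!`, so the file ends up with `\!/sbin/route ...` and the `!command` syntax that hostname.if(5) expects is not recognised at boot. Use single quotes instead: `echo '!/sbin/route add -inet 185.203.112/24 185.203.114.1' >> /etc/hostname.vio1`. The "Solution" section also needs the actual change spelled out (which `Address` entries were added to the `[Interface]` sections and which `AllowedIPs` prefixes to the `[Peer]` sections on server and clients), because a client whose `AllowedIPs` lists only IPv4 prefixes keeps sending its IPv6 traffic outside the tunnel whenever the local network offers IPv6; that matches the "only under an IPv6 capable router" symptom and also means that traffic bypasses the VPN entirely. Minor: "my some of my requests" and "i noticed" in the IPv6 journey paragraph.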