From 1a694966454c5ef3baa5ff831e2671a5a964ce7e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Gon=C3=A7alves?=
Date: Thu, 16 Sep 2021 15:57:15 +0200
Subject: blog: Rename files with timestamp
---
 src/b/2020-07-archlinux-installation.md | 163 ++++++++++++++++++++++++++++++++
 src/b/2020-08-wireguard-and-ipv6.md | 43 +++++++++
 src/b/archlinux-installation.md | 163 --------------------------------
 src/b/wireguard-ipv6.md | 43 ---------
 4 files changed, 206 insertions(+), 206 deletions(-)
 create mode 100644 src/b/2020-07-archlinux-installation.md
 create mode 100644 src/b/2020-08-wireguard-and-ipv6.md
 delete mode 100644 src/b/archlinux-installation.md
 delete mode 100644 src/b/wireguard-ipv6.md
(limited to 'src')
diff --git a/src/b/2020-07-archlinux-installation.md b/src/b/2020-07-archlinux-installation.md
new file mode 100644
index 0000000..86a6c45
--- /dev/null
+++ b/src/b/2020-07-archlinux-installation.md
@@ -0,0 +1,163 @@
+date: 2020-07-01
+title: Archlinux Bulletproof Installation
+
+Through my 5 years with different Archlinux installations, I made up my mind to
+document the one that fullfills my needs. The main goal is a minimal arch install
+(like any other), including systemd and refind, without using any crappy ncurses
+interface, and of course powered by btrfs (zfs an other day).
+
+Installation process is heavily inspired by :
+
+- [https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install](Bullet proof arch install)
+
+## partitions
+
+```
+$ sgdisk --clear \
+ --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
+ --new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
+ --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
+ /dev/nvme0n1
+$ sgdisk --clear \
+ --new=1:0:1025GiB --typecode=1:8300 --change-name=1:wsd \
+/dev/sda
+```
+
+## encryption
+
+```
+$ cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
+$ cryptsetup open /dev/disk/by-partlabel/cryptsystem system
+$ cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
+$ mkswap -L swap /dev/mapper/swap
+$ swapon -L swap
+```
+
+## file format
+
+```
+$ mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
+$ mkfs.ext4 -n wsd /dev/disk/by-partlabel/wsd
+$ mkfs.btrfs --force --label system /dev/mapper/system
+$ o=defaults,x-mount.mkdir
+$ o_btrfs=$o,compress=lzo,ssd,noatime
+$ mount -t btrfs LABEL=system /mnt
+$ mount -t btrfs LABEL=system /mnt
+$ btrfs subvolume create /mnt/root
+$ btrfs subvolume create /mnt/home
+$ btrfs subvolume create /mnt/snapshots
+$ umount -R /mnt
+$ mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
+$ mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
+$ mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
+$ mkdir /mnt/wsd
+$ mount LABEL=wsd /mnt/wsd
+$ mkdir /mnt/boot
+$ mount LABEL=EFI /mnt/boot
+```
+
+## base install
+
+```
+$ pacstrap /mnt basenvim
+$ genfstab -L -p /mnt >> /mnt/etc/fstab
+```
+
+Open up /mnt/etc/fstab (old, new):
+
+```
+LABEL=swap none swap defaults 0 0
+```
+
+```
+/dev/mapper/cryptswap none swap sw 0 0
+```
+
+Open up /mnt/etc/crypttab, append at the end:
+
+```
+swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
+```
+
+## base systemd
+
+The only way to have a non-biased opinion about systemd is to mix it yourself in your base install.
+
+```
+$ systemd-nspawn -bD /mnt
+$ localectl set-locale LANG=en_US.UTF-8
+$ timedatectl set-ntp 1
+$ timedatectl set-timezone Europe/Paris
+$ hostnamectl set-hostname WS-workstationname
+```
+
+## base packages
+
+After spending more than one day on some archlinux shenanigans, you need linux-firmware package for a propper booting install, since 2019 :questionmark:
+
+```
+$ pacman -Syu base-devel linux linux-firmware refind-efi btrfs-prog gptfdisk zsh wget curl git zip unzip ntfs-3g
+```
+
+
+## intramfs
+
+```
+$ mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig
+```
+
+Open up /etc/mkinitcpio.conf :
+
+```
+MODULES=""
+BINARIES=""
+FILES=""
+HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
+```
+
+```
+$ mkinicpio -p linux
+```
+
+## refind
+
+```
+$ refind-install
+```
+
+We now reached the trickiest part for installing rEFind.
+Hit Ctrl+Alt+F2, exec this last code block, and then reach back TTy1 (nspawn doesn't allow deep disk modification / access).
+
+```
+$ arch-chroot /mnt
+$ refind-install
+```
+
+Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
+
+```
+timeout 5
+use_graphics_for windows
+also_scan_dirs +,@/
+```
+
+```
+$ btrfs filesystem show system
+$ lsblk -fs
+```
+
+Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
+
+```
+Add the following value if you are using an intel cpu : initrd=/intel-ucode.img
+"Boot with standard options" "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root subvolume* rootflags=subvol=root initrd=/initramfs-linux.img"
+```
+
+## reboot
+
+```
+$ passwd
+$ poweroff
+$ reboot
+#finger crossed !!
+```
diff --git a/src/b/2020-08-wireguard-and-ipv6.md b/src/b/2020-08-wireguard-and-ipv6.md
new file mode 100644
index 0000000..9a91dc8
--- /dev/null
+++ b/src/b/2020-08-wireguard-and-ipv6.md
@@ -0,0 +1,43 @@
+date: 2020-08-26
+title: Wireguard and IPV6
+
+> I decided to connect all my services and servers behind my domain controller,
+> which has a dedicated IPv4 and IPv6 address, and which basically host that
+> website. This would allow me to remotely manage and enjoy my infrastructure
+> when I'm away from my homelab.
+
+## IPv6 journey
+When I first used WireGuard with my new OpenBSD vm on all my devices, i noticed
+that my some of my requests towards specific services were not working anymore.
+For instance, I spent some time trying to reach :
+
+- gitlab.com
+- github.com
+- ungleich.ch
+
+In fact, I had hard times accessing these services only when I was connected to
+my WireGuard server (which has IPv4 and IPv6, with some default wireguard
+settings I carried with me for six months), and only through my system dns.
+
+In fact I figured out that it happened only when I was under an IPv6 capable
+router.
+
+## Solution
+
+Adding IPv6 subnet to server and clients configuration files.
+
+## Next
+
+Enable IPv6 routing in the domain controller, for a single-ip usage.
+
+## BSD routing
+
+The default routing configuration does not allow my domain controller to reach
+the **ungleich's infrastructure and services**.
+
+```
+echo "\!/sbin/route add -inet 185.203.112/24 185.203.114.1" >> /etc/hostname.vio1
+```
+
+Then I want to be able to access IPv6 only services when I'm using my wireguard
+server (right now it only allows to force IPv4 to the client).
diff --git a/src/b/archlinux-installation.md b/src/b/archlinux-installation.md
deleted file mode 100644
index 86a6c45..0000000
--- a/src/b/archlinux-installation.md
+++ /dev/null
@@ -1,163 +0,0 @@
-date: 2020-07-01
-title: Archlinux Bulletproof Installation
-
-Through my 5 years with different Archlinux installations, I made up my mind to
-document the one that fullfills my needs. The main goal is a minimal arch install
-(like any other), including systemd and refind, without using any crappy ncurses
-interface, and of course powered by btrfs (zfs an other day).
-
-Installation process is heavily inspired by :
-
-- [https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install](Bullet proof arch install)
-
-## partitions
-
-```
-$ sgdisk --clear \
- --new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
- --new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
- --new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
- /dev/nvme0n1
-$ sgdisk --clear \
- --new=1:0:1025GiB --typecode=1:8300 --change-name=1:wsd \
-/dev/sda
-```
-
-## encryption
-
-```
-$ cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
-$ cryptsetup open /dev/disk/by-partlabel/cryptsystem system
-$ cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
-$ mkswap -L swap /dev/mapper/swap
-$ swapon -L swap
-```
-
-## file format
-
-```
-$ mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
-$ mkfs.ext4 -n wsd /dev/disk/by-partlabel/wsd
-$ mkfs.btrfs --force --label system /dev/mapper/system
-$ o=defaults,x-mount.mkdir
-$ o_btrfs=$o,compress=lzo,ssd,noatime
-$ mount -t btrfs LABEL=system /mnt
-$ mount -t btrfs LABEL=system /mnt
-$ btrfs subvolume create /mnt/root
-$ btrfs subvolume create /mnt/home
-$ btrfs subvolume create /mnt/snapshots
-$ umount -R /mnt
-$ mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
-$ mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
-$ mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
-$ mkdir /mnt/wsd
-$ mount LABEL=wsd /mnt/wsd
-$ mkdir /mnt/boot
-$ mount LABEL=EFI /mnt/boot
-```
-
-## base install
-
-```
-$ pacstrap /mnt basenvim
-$ genfstab -L -p /mnt >> /mnt/etc/fstab
-```
-
-Open up /mnt/etc/fstab (old, new):
-
-```
-LABEL=swap none swap defaults 0 0
-```
-
-```
-/dev/mapper/cryptswap none swap sw 0 0
-```
-
-Open up /mnt/etc/crypttab, append at the end:
-
-```
-swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
-```
-
-## base systemd
-
-The only way to have a non-biased opinion about systemd is to mix it yourself in your base install.
-
-```
-$ systemd-nspawn -bD /mnt
-$ localectl set-locale LANG=en_US.UTF-8
-$ timedatectl set-ntp 1
-$ timedatectl set-timezone Europe/Paris
-$ hostnamectl set-hostname WS-workstationname
-```
-
-## base packages
-
-After spending more than one day on some archlinux shenanigans, you need linux-firmware package for a propper booting install, since 2019 :questionmark:
-
-```
-$ pacman -Syu base-devel linux linux-firmware refind-efi btrfs-prog gptfdisk zsh wget curl git zip unzip ntfs-3g
-```
-
-
-## intramfs
-
-```
-$ mv /etc/mkinitcpio.conf /etc/mkinitcpio.conf.orig
-```
-
-Open up /etc/mkinitcpio.conf :
-
-```
-MODULES=""
-BINARIES=""
-FILES=""
-HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
-```
-
-```
-$ mkinicpio -p linux
-```
-
-## refind
-
-```
-$ refind-install
-```
-
-We now reached the trickiest part for installing rEFind.
-Hit Ctrl+Alt+F2, exec this last code block, and then reach back TTy1 (nspawn doesn't allow deep disk modification / access).
-
-```
-$ arch-chroot /mnt
-$ refind-install
-```
-
-Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
-
-```
-timeout 5
-use_graphics_for windows
-also_scan_dirs +,@/
-```
-
-```
-$ btrfs filesystem show system
-$ lsblk -fs
-```
-
-Open up /boot/EFI/refind/refind.conf, or somewhere like that in the EFI dir :
-
-```
-Add the following value if you are using an intel cpu : initrd=/intel-ucode.img
-"Boot with standard options" "rd.luks.name=*FILL IN UUID FROM PARTITION*=cryptsystem root=UUID=*UUID FROM encrypted root subvolume* rootflags=subvol=root initrd=/initramfs-linux.img"
-```
-
-## reboot
-
-```
-$ passwd
-$ poweroff
-$ reboot
-#finger crossed !!
-```
diff --git a/src/b/wireguard-ipv6.md b/src/b/wireguard-ipv6.md
deleted file mode 100644
index 9a91dc8..0000000
--- a/src/b/wireguard-ipv6.md
+++ /dev/null
@@ -1,43 +0,0 @@
-date: 2020-08-26
-title: Wireguard and IPV6
-
-> I decided to connect all my services and servers behind my domain controller,
-> which has a dedicated IPv4 and IPv6 address, and which basically host that
-> website. This would allow me to remotely manage and enjoy my infrastructure
-> when I'm away from my homelab.
-
-## IPv6 journey
-When I first used WireGuard with my new OpenBSD vm on all my devices, i noticed
-that my some of my requests towards specific services were not working anymore.
-For instance, I spent some time trying to reach :
-
-- gitlab.com
-- github.com
-- ungleich.ch
-
-In fact, I had hard times accessing these services only when I was connected to
-my WireGuard server (which has IPv4 and IPv6, with some default wireguard
-settings I carried with me for six months), and only through my system dns.
-
-In fact I figured out that it happened only when I was under an IPv6 capable
-router.
-
-## Solution
-
-Adding IPv6 subnet to server and clients configuration files.
-
-## Next
-
-Enable IPv6 routing in the domain controller, for a single-ip usage.
-
-## BSD routing
-
-The default routing configuration does not allow my domain controller to reach
-the **ungleich's infrastructure and services**.
-
-```
-echo "\!/sbin/route add -inet 185.203.112/24 185.203.114.1" >> /etc/hostname.vio1
-```
-
-Then I want to be able to access IPv6 only services when I'm using my wireguard
-server (right now it only allows to force IPv4 to the client).
-- cgit v1.2.3