From 08297376a85a1719518507e54fca9de954d2376a Mon Sep 17 00:00:00 2001
From: Petri Hienonen
Date: Thu, 23 May 2024 13:56:00 +0300
Subject: Agenix configuration

---
hosts/tammi/20-wired.network | 31 ++++
hosts/tammi/21-wired.network | 48 ++++++
hosts/tammi/CM3588.md | 284 +++++++++++++++++++++++++++++++++
hosts/tammi/Caddyfile | 319 +++++++++++++++++++++++++++++++++++++
hosts/tammi/cgitrc | 47 ++++++
hosts/tammi/feeds.opml | 118 ++++++++++++++
hosts/tammi/iptable-nat.service | 11 ++
hosts/tammi/syntax-highlighting.js | 23 +++
8 files changed, 881 insertions(+)
create mode 100644 hosts/tammi/20-wired.network
create mode 100644 hosts/tammi/21-wired.network
create mode 100644 hosts/tammi/CM3588.md
create mode 100644 hosts/tammi/Caddyfile
create mode 100644 hosts/tammi/cgitrc
create mode 100644 hosts/tammi/feeds.opml
create mode 100644 hosts/tammi/iptable-nat.service
create mode 100644 hosts/tammi/syntax-highlighting.js
(limited to 'hosts/tammi')
diff --git a/hosts/tammi/20-wired.network b/hosts/tammi/20-wired.network
new file mode 100644
index 0000000..1a39f55
--- /dev/null
+++ b/hosts/tammi/20-wired.network
@@ -0,0 +1,31 @@
+# WAN
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+IPv6PrivacyExtensions=no
+IPv6AcceptRA=yes
+IPMasquerade=both
+DHCPPrefixDelegation=yes
+IPForward=yes
+
+[DHCPv4]
+UseMTU=yes
+UseDNS=false
+UseNTP=false
+
+[IPv6AcceptRA]
+UseMTU=yes
+UseDNS=false
+
+[DHCPv6]
+WithoutRA=solicit
+PrefixDelegationHint=::/56
+RapidCommit=yes
+
+[DHCPPrefixDelegation]
+UplinkInterface=auto
+SubnetId=auto
+Announce=yes
+Assign=yes
diff --git a/hosts/tammi/21-wired.network b/hosts/tammi/21-wired.network
new file mode 100644
index 0000000..4ab692d
--- /dev/null
+++ b/hosts/tammi/21-wired.network
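Review bot: `IPMasquerade=both` on eth0 already makes systemd-networkd install its own masquerading rules (in an nftables table it manages itself, as far as I recall), and the same commit's iptable-nat.service appends an iptables MASQUERADE rule for the same interface, so NAT ends up in two rule sets that can drift apart; pick one and drop the other. Nothing in this commit restricts inbound traffic on the WAN interface or forwarding from eth0 into the LAN, while `IPForward=yes` is enabled here and in 21-wired.network; if the filtering lives outside this directory, name it in the header, e.g. `# WAN — ingress/forward filtering lives in <unit or file>`, so the next reader does not assume it is missing. `IPForward=` is also the older spelling; on systemd 256 and later the per-family `IPv4Forwarding=`/`IPv6Forwarding=` keys make the intent explicit.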
@@ -0,0 +1,48 @@
+[Match]
+# Name=eth1 - LAN
+MACAddress=6c:1f:f7:1b:f2:6c
+
+[Link]
+Multicast=yes
+
+[Network]
+DNS=10.1.1.1#adguard.tammi.cc
+DNS=2001:14ba:a304:aff4::1#adguard.tammi.cc
+NTP=10.1.1.1
+DHCP=no
+LLDP=yes
+LLMNR=yes
+Address=10.1.1.1/24
+DHCPServer=true
+MulticastDNS=true
+IPv6SendRA=yes
+IPv6AcceptRA=no
+IPv6PrefixDelegation=yes
+DHCPPrefixDelegation=yes
+LinkLocalAddressing=yes
+LLMNR=yes
+IPForward=yes
+
+[DHCPServer]
+PoolOffset=100
+PoolSize=40
+EmitDNS=yes
+EmitNTP=yes
+EmitTimezone=yes
+DNS=_server_address
+NTP=_server_address
+DefaultLeaseTimeSec=3600
+MaxLeaseTimeSec=7200
+
+[IPv6SendRA]
+Managed=yes
+OtherInformation=yes
+EmitDNS=yes
+DNS=_link_local
+RouterPreference=high
+
+[DHCPPrefixDelegation]
+UplinkInterface=eth0
+SubnetId=0
+Announce=yes
+Assign=yes
diff --git a/hosts/tammi/CM3588.md b/hosts/tammi/CM3588.md
new file mode 100644
index 0000000..d62780a
--- /dev/null
+++ b/hosts/tammi/CM3588.md
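Review bot: `LLMNR=yes` is set twice in `[Network]`, and `IPv6PrefixDelegation=yes` is the pre-v247 name of `IPv6SendRA=`, which is already set two lines above it; drop both duplicates so each setting is stated once. On the security side, LLMNR and mDNS answers are unauthenticated link-local protocols; if no LAN client needs the gateway itself to respond to them, `LLMNR=no` (and `MulticastDNS=no`) removes a name-spoofing surface from the router. The `#adguard.tammi.cc` suffix on the `DNS=` entries only takes effect when DNS-over-TLS is enabled for systemd-resolved, which this file does not show; if DoT is configured elsewhere, a comment saying so next to those lines would help.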
@@ -0,0 +1,284 @@
+---
+title: "Running the gateway for testing"
+author: [Petri Hienonen]
+date: "2023-03-31"
+---
+
+# CM3588 setup guide for Debian Bookworm
+
+[CM3588](https://www.friendlyelec.com/index.php?route=product/product&product_id=294) works as our reference hardware.
+
+`SDCARD` to `EMMC` image [should be used](https://drive.google.com/file/d/1CrYDAZFwGdZoFIRfrQGEVd6SEu6f0PwU/view)
+
+[Wiki documents things related to the device installation](https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R5S)
+
+## Basic configuration
+
+Login with SSH (Username: `pi`, Password: `pi`)
+
+`/etc/systemd/network/20-wired.network`
+
+```
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+DNS=8.8.8.8
+MulticastDNS=true
+
+[Link]
+MTUBytes=9000
+```
+
+`/etc/systemd/timesyncd.conf`
+
+```
+[Time]
+NTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org
+FallbackNTP=0.pool.ntp.org 1.pool.ntp.org 0.fr.pool.ntp.org
+```
+
+```bash
+sudo apt update && sudo apt dist-upgrade -y && sudo apt autoremove -y
+sudo systemctl stop NetworkManager
+sudo systemctl disable NetworkManager
+sudo apt remove network-manager ntp wpa_supplicant
+sudo systemctl enable systemd-timesyncd.service
+sudo systemctl start systemd-timesyncd.service
+sudo timedatectl set-timezone Europe/Helsinki
+```
+
+Modify `/etc/hostname` to wanted (tammi.cc).
+
+Modify `/etc/systemd/journald.conf` (following keys):
+
+```
+[Journal]
+Storage=volatile
+SystemMaxUse=20M
+RuntimeMaxUse=20M
+MaxRetentionSec=2day
+```
+
+Wireless network configuration (`wlan0` with [`iwd`](https://iwd.wiki.kernel.org/))
+
+```bash
+sudo apt remove wpasupplicant
+sudo apt install iwd
+sudo mkdir -p /var/lib/iwd/
+```
+
+`/etc/systemd/network/20-wired.network`
+
+```
+[Match]
+Name=eth0
+
+[Network]
+DHCP=yes
+DNSSEC=allow-downgrade
+DNS=9.9.9.9 2620:fe::fe
+LinkLocalAddresssing=yes
+```
+
+`/etc/systemd/network/26-wireless.network`
+
+```
+[Match]
+Name=wlan0
+
+[Network]
+DHCP=yes
+DNSSEC=allow-downgrade
+DNS=9.9.9.9 2620:fe::fe
+LinkLocalAddresssing=yes
+```
+
+`/var/lib/iwd/example_network.psk`:
+
+```
+[Security]
+Passphrase=Relynx8WP
+```
+
+```bash
+sudo systemctl start iwd.service
+sudo systemctl enable iwd.service
+sudo systemctl restart systemd-networkd.service
+```
+
+Create petri user:
+
+```bash
+sudo useradd -m petri
+sudo passwd petri (password)
+sudo usermod -a -G sudo petri
+sudo usermod -a -G systemd-journal petri
+sudo chsh -s /bin/bash petri
+sudo reboot
+```
+
+Stop autologin for user `petri` by commenting out user `petri` in `/etc/lightdm/lightdm.conf`.
+
+Login with `petri` user.
+
+Check that network looks sane:
+
+```bash
+networkctl status --all
+```
+
+Delete `pi` user:
+
+```bash
+sudo userdel -r pi
+```
+
+Create necessary keys and clone and build rust packages:
+
+```bash
+sudo apt install llvm clang libssl-dev -y
+curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs | sh
+source "$HOME/.cargo/env"
+ssh-keygen -t ed25519
+cat .ssh/id_ed25519.pub
+```
+
+## Applications
+
+### SSH
+
+Guideline from: https://infosec.mozilla.org/guidelines/openssh
+
+```bash
+sudo apt install mosh
+```
+
+### Backports
+
+```bash
+echo "deb http://deb.debian.org/debian bookworm-backports main contrib non-free-firmware">/etc/apt/sources.list.d/debian-12-backports.list
+```
+
+### BTRFS
+
+```bash
+sudo apt install btrfs-progs
+sudo mkfs.btrfs -m raid1 -d raid1 /dev/nvme1n1 /dev/nvme0n1
+sudo mkdir /media/data
+echo "UUID=f566eaa0-f004-4acc-9d0d-f6fb97daca5e /media/data btrfs defaults,discard=async,compress=zstd 0 0">>/etc/fstab
+
+sudo mkdir /media/data/db
+sudo chattr -R +C /media/data/db # make the DB not COW
+
+sudo mkdir /media/data/logs
+sudo chattr -R +C /media/data/logs # make the DB not COW
+```
+
+/etc/systemd/system/btrfs-scrub@.service
+
+```systemd
+[Unit]
+Description=Btrfs scrub on %f
+ConditionPathIsMountPoint=%f
+RequiresMountsFor=%f
+
+[Service]
+Nice=19
+IOSchedulingClass=idle
+KillSignal=SIGINT
+ExecStart=/usr/bin/btrfs scrub start -B %f
+```
+
+/etc/systemd/system/btrfs-scrub@.timer
+
+```systemd
+[Unit]
+Description=Btrfs scrub on %f twice per month
+
+[Timer]
+OnCalendar=*-*-1,15
+AccuracySec=1d
+RandomizedDelaySec=1w
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+```
+
+```bash
+sudo systemctl start btrfs-scrub@(systemd-escape -p /media/data).service
+sudo systemctl enable --now btrfs-scrub@(systemd-escape -p /media/data).timer
+```
+
+### Docker
+
+```bash
+sudo apt install docker.io docker-compose
+sudo usermod -aG docker $USER
+sudo systemctl enable docker.service
+```
+
+### Postgresql (edit the datapaths)
+
+```bash
+sudo apt install postgresql postgresql-contrib
+sudo mkdir /media/data/db/postgresql/16/main
+sudo vim /etc/postgresql/16/main/postgresql.conf
+sudo chown -R postgres:postgres postgresql/
+```
+Add Environment=PGDATA=/media/data/db/postgresql/%I/main to /lib/systemd/system/postgresql@.service under [Service]
+
+### Miniflux
+
+```bash
+echo "deb [trusted=yes] https://repo.miniflux.app/apt/ * *" | sudo tee /etc/apt/sources.list.d/miniflux.list > /dev/null
+apt update && apt install miniflux
+systemctl status miniflux.service
+
+sudo -u postgres psql
+CREATE USER miniflix with PASSWORD 'miniflux';
+CREATE DATABASE miniflux2 OWNER miniflux;
+```
+
+### Vaultwarden (/etc/vaultwarden):
+
+```bash
+wget -O /etc/apt/trusted.gpg.d/bananian-keyring.gpg https://bitwarden-deb.tech-network.de/bananian-keyring.gpg
+echo "deb http://bitwarden-deb.tech-network.de bookworm main" > /etc/apt/sources.list.d/vaultwarden.list
+apt update && apt install vaultwarden
+
+sudo -u postgres psql
+CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'yourpassword';
+CREATE DATABASE vaultwarden OWNER vaultwarden;
+
+(vaultwarden binary will have to be compiled with hand to enable postgresql, this is irritating)
+sudo apt install libpq-dev
+(add following systemd service environment variable)
+Environment="DATABASE_URL=postgresql://vaultwarden:yourpassword@127.0.0.1:5432/vaultwarden"
+systemctl enable vaultwarden.service
+```
+
+/etc/enviroment
+
+```bash
+PATH="/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin"
+```
+
+### Webmin
+
+```bash
+curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
+sh setup-repos.sh
+apt install webmin
+
+(configure using /etc/webmin/miniserv.conf)
+```
+
+### Minio
+
+```bash
+wget https://dl.min.io/server/minio/release/linux-arm64/minio_20240611031330.0.0_arm64.deb -O minio.deb
+sudo dpkg -i minio.deb
+```
diff --git a/hosts/tammi/Caddyfile b/hosts/tammi/Caddyfile
new file mode 100644
index 0000000..fe9d437
--- /dev/null
+++ b/hosts/tammi/Caddyfile
@@ -0,0 +1,319 @@
+# The Caddyfile is an easy way to configure your Caddy web server.
+#
+# Unless the file starts with a global options block, the first
+# uncommented line is always the address of your site.
+#
+# To use your own domain name (with automatic HTTPS), first make
+# sure your domain's A/AAAA DNS records are properly pointed to
+# this machine's public IP, then replace ":80" below with your
+# domain name.
+(cors) {
+ @cors_preflight method OPTIONS
+
+ header {
+ Access-Control-Allow-Origin "{header.origin}"
+ Vary Origin
+ Access-Control-Expose-Headers "Authorization"
+ Access-Control-Allow-Credentials "true"
+ }
+
+ handle @cors_preflight {
+ header {
+ Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
+ Access-Control-Max-Age "3600"
+ }
+ respond "" 204
+ }
+}
+
+{
+ metrics
+ log {
+ output file /var/log/caddy/caddy_main.log {
+ roll_size 20MiB
+ roll_keep 5
+ roll_keep_for 100d
+ }
+ format json
+ level INFO
+ }
+}
+
+tammi.cc {
+ root * /media/data/hienotammi
+ file_server browse
+ encode zstd gzip
+ log {
+ output file /media/data/logs/tammi.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+holvi.tammi.cc {
+ root * /media/data/holvi
+ file_server browse
+ encode zstd gzip
+ log {
+ output file /media/data/logs/holvi.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+grafana.tammi.cc {
+ reverse_proxy 127.0.0.1:3010
+ encode zstd gzip
+ log {
+ output file /media/data/logs/grafana.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+ntfy.tammi.cc {
+ reverse_proxy 127.0.0.1:3070
+ encode zstd gzip
+ log {
+ output file /media/data/logs/ntfy.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+adguard.tammi.cc {
+ basic_auth {
+ petri $2a$14$1gj396cBvvMoC7kW0qSZBOF9Qzwt8ewyujua1EpdDJm9gXdBFsfEe
+ }
+ reverse_proxy 127.0.0.1:3000
+ encode zstd gzip
+ log {
+ output file /media/data/logs/adguard.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+n8n.tammi.cc {
+ reverse_proxy 127.0.0.1:5678
+ encode zstd gzip
+ log {
+ output file 
/media/data/logs/n8n.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+couch.tammi.cc {
+ reverse_proxy 127.0.0.1:5984
+ encode zstd gzip
+ log {
+ output file /media/data/logs/couch.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+shiori.tammi.cc {
+ reverse_proxy 127.0.0.1:7766
+ encode zstd gzip
+ log {
+ output file /media/data/logs/shiori.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+read.tammi.cc {
+ reverse_proxy 127.0.0.1:7767
+ encode zstd gzip
+ log {
+ output file /media/data/logs/read.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+atuin.tammi.cc {
+ reverse_proxy 127.0.0.1:4444
+ encode zstd gzip
+ log {
+ output file /media/data/logs/atuin.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+relationship.tammi.cc {
+ root * /media/data/relationship
+ file_server
+ encode zstd gzip
+ log {
+ output file /media/data/logs/relationship.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+start.tammi.cc {
+ basic_auth {
+ petri $2a$14$1gj396cBvvMoC7kW0qSZBOF9Qzwt8ewyujua1EpdDJm9gXdBFsfEe
+ }
+ reverse_proxy 127.0.0.1:5555
+ encode zstd gzip
+ log {
+ output file /media/data/logs/start.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+bin.tammi.cc {
+ reverse_proxy 127.0.0.1:8820
+ encode zstd gzip
+ import cors {header.origin}
+ log {
+ output file /media/data/logs/bin.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+llm.tammi.cc {
+ reverse_proxy 127.0.0.1:12500
+ encode zstd gzip
+ log {
+ output file /media/data/logs/llm.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+base.tammi.cc {
+ reverse_proxy 127.0.0.1:980
+ encode zstd gzip
+ log {
+ output file /media/data/logs/base.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+threat.tammi.cc {
+ reverse_proxy 127.0.0.1:3050
+ encode zstd gzip
+ log {
+ output file /media/data/logs/threat.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+flux.tammi.cc {
+ reverse_proxy 127.0.0.1:8080
+ encode zstd gzip
+ log {
+ output file /media/data/logs/flux.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+haku.tammi.cc {
+ reverse_proxy 127.0.0.1:8888
+ encode zstd gzip
+ log {
+ output file /media/data/logs/haku.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+memos.tammi.cc {
+ reverse_proxy 127.0.0.1:8081
+ encode zstd gzip
+ log {
+ output file /media/data/logs/memos.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+dav.tammi.cc {
+ reverse_proxy 127.0.0.1:5232
+ encode zstd gzip
+ log {
+ output file /media/data/logs/haku.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+admin.tammi.cc {
+ reverse_proxy 127.0.0.1:10000
+ encode zstd gzip
+ log {
+ output file /media/data/logs/webmin.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+minio.tammi.cc {
+ reverse_proxy localhost:9001
+}
+
+s3.tammi.cc {
+ reverse_proxy localhost:9199
+}
+
+vault.tammi.cc {
+ encode zstd gzip
+ reverse_proxy /notifications/hub/negotiate 127.0.0.1:8000
+ reverse_proxy /notifications/hub 127.0.0.1:3012
+ reverse_proxy 127.0.0.1:8000 {
+ header_up X-Real-IP {remote_host}
+ }
+ log {
+ output file /media/data/logs/vault.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+audio.tammi.cc {
+ reverse_proxy 127.0.0.1:3333
+ encode zstd gzip
+ log {
+ output file /media/data/logs/audio.log {
+ roll_size 1mb
+ roll_keep 1
+ }
+ }
+}
+
+import conf.d/*
+
+# Refer to the Caddy docs for more information:
diff --git a/hosts/tammi/cgitrc b/hosts/tammi/cgitrc
new file mode 100644
index 0000000..caa011d
--- /dev/null
+++ b/hosts/tammi/cgitrc
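Review bot: The `(cors)` snippet reflects `{header.origin}` into `Access-Control-Allow-Origin` while also sending `Access-Control-Allow-Credentials "true"`, so once `bin.tammi.cc` imports it any third-party page can make credentialed cross-site requests to that host and read the responses; the `{header.origin}` argument on the `import cors` line is not consumed by the snippet at all. Gate the header block on an explicit origin matcher and emit a fixed allowed origin instead of reflecting the request's, as sketched below (the origin value is a constructed example). Separately, `dav.tammi.cc` logs to `/media/data/logs/haku.log`, the same file `haku.tammi.cc` uses, which reads as a copy-paste slip and makes per-service log review harder; `dav.log` is the likely intent. The bcrypt hash under `basic_auth` (the same value for adguard and start) is credential material committed to the repository, as are the plaintext Wi-Fi passphrase and database passwords in the CM3588.md hunk; given this commit is about agenix, those are the values that should be moved into it.
```caddyfile
(cors) {
	@cors_preflight method OPTIONS
	# Constructed example: replace with the origin(s) actually allowed to call bin.tammi.cc.
	@cors_allowed header Origin https://tammi.cc

	# Only matched origins receive CORS headers; never reflect the Origin header
	# while Allow-Credentials is true.
	header @cors_allowed {
		Access-Control-Allow-Origin https://tammi.cc
		Vary Origin
		Access-Control-Expose-Headers "Authorization"
		Access-Control-Allow-Credentials "true"
	}

	# … unchanged: @cors_preflight handle block …
}
```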
@@ -0,0 +1,47 @@
+#
+# cgit config
+#
+
+# The defaults
+#css=/cgit.css
+#logo=/cgit.png
+cache-size=0
+branch-sort=age
+commit-sort=date
+max-stats=quarter
+root-title=tammi.cc git repositories
+robots=noindex, nofollow
+snapshots=tar.zst
+clone-url=ssh://git@tammi.cc:/git/$CGIT_REPO_URL.git
+virtual-root=/
+
+# options
+enable-index-owner=true
+enable-index-links=true
+enable-commit-graph=1
+enable-log-filecount=1
+enable-log-linecount=1
+enable-html-serving=1
+enable-http-clone=1
+enable-blame=1
+
+# mimes
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.webp=image/webp
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+
+# plugins
+head-include=/usr/local/lib/cgit/head_include.html
+source-filter=/usr/local/lib/cgit/filters/syntax-highlighting.js
+about-filter=/usr/local/lib/cgit/filters/about-formatting-custom.sh
+auth-filter=lua:/usr/local/lib/cgit/filters/simple-authentication-modified.lua
+
+# repositories
+readme=:README.adoc
+readme=:README.md
+remove-suffix=1
diff --git a/hosts/tammi/feeds.opml b/hosts/tammi/feeds.opml
new file mode 100644
index 0000000..b0ea84f
--- /dev/null
+++ b/hosts/tammi/feeds.opml
@@ -0,0 +1,118 @@ + + + + Miniflux + Wed, 29 Oct 2025 10:42:41 EET + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/hosts/tammi/iptable-nat.service b/hosts/tammi/iptable-nat.service
new file mode 100644
index 0000000..f5ecd63
--- /dev/null
+++ b/hosts/tammi/iptable-nat.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Apply NAT rules for IPv4
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
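Review bot: `enable-html-serving=1` together with `mimetype.html=text/html` and `mimetype.svg=image/svg+xml` lets files committed to any hosted repository be served as active content from the cgit origin through the plain/blob views, so script in a pushed HTML or SVG file runs in the same origin as the session the `auth-filter` establishes; cgit's default for this flag is 0, and if I remember the cgitrc manual correctly it warns about exactly this. Unless repository HTML genuinely needs to render, keep the default (`enable-html-serving=0`) or serve raw files from a separate hostname, and if it must stay on, record why in a comment next to it. Note also that `source-filter` points at the syntax-highlighting.js added in this commit, which has its own problems noted on that hunk.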
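Review bot: `ExecStart` appends with `-A`, so every start of this `Type=oneshot`/`RemainAfterExit=yes` unit after a stop, or any manual restart, adds another identical MASQUERADE rule and nothing ever removes one; add `ExecStop=/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE` and make the start idempotent, e.g. `ExecStart=/bin/sh -c '/sbin/iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE || /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'`. The rule also duplicates what `IPMasquerade=both` in 20-wired.network already asks systemd-networkd to do for eth0, so one of the two mechanisms should go. `After=network.target` does not wait for eth0 itself, which is acceptable for a rule keyed on interface name but worth a one-line comment so nobody "fixes" it later.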
diff --git a/hosts/tammi/syntax-highlighting.js b/hosts/tammi/syntax-highlighting.js
new file mode 100644
index 0000000..362994a
--- /dev/null
+++ b/hosts/tammi/syntax-highlighting.js
@@ -0,0 +1,23 @@
+#!/usr/bin/node
+// Server side syntax highlight with Shiki https://shiki.matsu.io/
+// This script is replacement for pygments/highlight for cgit
+// Shiki is installed with `npm install -g shiki`
+// input: filename, stdin - source file. Outputs the highligted html to stdout.
+import { argv, stdin, stdout } from 'node:process';
+import { codeToHtml } from "/usr/lib/node_modules/shiki/dist/index.mjs";
+
+async function highlight(syntax) {
+ stdin.on("data", async (data) => {
+ const text = Buffer.from(data).toString("utf8");
+ const html = await codeToHtml(text, {
+ lang: syntax,
+ theme: "gruvbox-dark-soft"
+ });
+ stdout.write(html);
+ });
+ return true
+}
+
+const filename = argv[1];
+const lang = filename.split(".")[1];
+highlight(lang);
--
cgit v1.3-1-g0d28
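Review bot: `const filename = argv[1];` reads this script's own path, because Node always puts the interpreter in `argv[0]` and the script in `argv[1]`; the filename cgit hands to the source-filter is `argv[2]`, so as written every file is highlighted as `js` (the extension of syntax-highlighting.js). The `stdin.on("data")` handler also highlights and writes each chunk on its own, so any source file larger than one stdin chunk comes out as several HTML fragments with tokens cut at chunk boundaries; collect all chunks and highlight once at end of input. `filename.split(".")[1]` takes the first extension segment rather than the last (`foo.tar.gz` → `tar`), and an unsupported language makes `codeToHtml` reject inside an event handler with nothing attached, which kills the process on an unhandled rejection; a rewrite covering these points is below. A `.js` file using `import` additionally needs a package.json with `"type": "module"` (or an `.mjs` name) to load under Node — if one exists under /usr/local/lib/cgit it is not visible here.
```javascript
// … unchanged: header comments and imports …

async function highlight(syntax) {
  // Read all of stdin first: 'data' fires once per chunk, and highlighting
  // chunks independently would emit several fragments with tokens cut mid-way.
  const chunks = [];
  for await (const chunk of stdin) chunks.push(chunk);
  const text = Buffer.concat(chunks).toString("utf8");
  const html = await codeToHtml(text, {
    lang: syntax,
    theme: "gruvbox-dark-soft",
  });
  stdout.write(html);
}

// argv[0] is node and argv[1] is this script; cgit's filename argument is argv[2].
const filename = argv[2] ?? "";
const dot = filename.lastIndexOf(".");
// Last extension segment; fall back to plain text when there is none.
const lang = dot === -1 ? "text" : filename.slice(dot + 1);

highlight(lang).catch((err) => {
  // Unknown language or highlighter failure: report it and exit non-zero
  // instead of dying with an unhandled rejection.
  console.error(err);
  process.exitCode = 1;
});
```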