knowledgebase

Paritybit.ca Gemini-based Wiki
git clone https://git.sr.ht/~jbauer/knowledgebase

commit f8583b8533477cb89964e3695e9637f00af6f54c
parent 2ba72fea0c12afb8db5ed31e062cc9251e9b07c4
Author: Jake Bauer <jbauer@paritybit.ca>
Date:   Fri,  3 Dec 2021 13:26:27 -0500

*

Diffstat:
Msysadmin/homelab/freebsd-jail-based-server.gmi | 66+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
Msysadmin/homelab/openbsd-router.gmi | 63+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msysadmin/tarsnap-backups-with-acts.gmi | 8++++++++
3 files changed, 134 insertions(+), 3 deletions(-)

diff --git a/sysadmin/homelab/freebsd-jail-based-server.gmi b/sysadmin/homelab/freebsd-jail-based-server.gmi 
@@ -1,5 +1,65 @@ -# FreeBSD Jails Server +# FreeBSD Jail-Based Server -- Using iocage and zfs +## Why Jails? + +Jails are basically just fancy chroots. I don't need any ability to limit resources (even though that is possible with jails), nor to do anything other than isolate the services I am running. I mostly wish to isolate them for management purposes, and ZFS+Jails makes for very easy snapshotting and backing up. + +In fact, I wish for all of the jails to have all of the access to the host system since the resources of my home servers are limited relative to enterprise-grade servers and none of my services are hit hard enough simultaneously for that to be an issue. + +## Seting up iocage + +Search for the iocage package and install the latest (it's named differently depending on the Python version). + +Make sure iocage is started at boot with `service iocage enable`. + +Add the following to `$HOME/.login_conf`: + +```$HOME/.login_conf +me:\ + :charset=UTF-8:\ + :lang=en_US.UTF-8:\ + :setenv=LC_COLLATE=C: +``` + +Run `iocage activate iocage` to create a new ZFS pool with the name `iocage` for your jails. + +Run `iocage fetch` to get a list of available releases and choose the latest. + +Create a (thick) jail with `iocage create -T -n <name> ip4_addr=<ipv4> ip6_addr=<ipv6> -r <exact_release_name> + +Instead of specifying the IP addresses, use `disable` to disable a particular IP version, `inherit` to inherit the host's IP, or `new` to let the jail request an IP (if it has a DHCP client running). I prefer to use IPv4 addresses in the range 10.0.0.10-10.0.0.50 for my jails. + +Enter the created jail with `iocage console <name>` and set up the application from there as if it was like any other machine. + +## Managing Jails + +Update with `iocage update <name>` (still have to enter each jail and run `[kg update/upgrade` manually). + +Take snapshots with `iocage snapshot -n <snapshot_name> <jail_name>`. 
+ +Rollback to a snapshot with `iocage rollback -n <snapshot_name> <jail_name>`. + +## WWW Jail + +Using OpenBSD httpd and OpenBSD ftpd + +``` +pkg install obhttpd +``` + +## Git Jail + +Using cgit + +## Matrix Jail + +Using synapse + +## Gemini Jail + +Using + +## IRC Jail + +Using soju+gamja -Create diff --git a/sysadmin/homelab/openbsd-router.gmi b/sysadmin/homelab/openbsd-router.gmi 
@@ -151,3 +151,66 @@ interface "em0" { ignore domain-name-servers; } ``` + +# Reverse Proxy + +```relayd.conf +table <webserver> { 127.0.0.1 } +table <webserver2> { 127.0.0.1 } +table <matrixserver> { 127.0.0.1 } + +http protocol "https" { + tcp { nodelay, sack, socket buffer 65536, backlog 128 } + + tls keypair "paritybit.ca" + tls keypair "jbauer.ca" + + return error + + match header set "X-Client-IP" \ + value "$REMOTE_ADDR:$REMOTE_PORT" + match header set "X-Forwarded-For" \ + value "$REMOTE_ADDR" + match header set "X-Forwarded-By" \ + value "$SERVER_ADDR:$SERVER_PORT" + + # set CORS header for .well-known/matrix/server, .well-known/matrix/client + # httpd does not support setting headers, so do it here + match request path "/.well-known/matrix/*" tag "matrix-cors" + match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*" + + pass quick path "/_matrix/*" forward to <matrixserver> + pass quick path "/_synapse/client/*" forward to <matrixserver> + + pass request quick header "Host" value "matrix.paritybit.ca" \ + forward to <matrixserver> + + # pass other traffic to webserver + pass request header "Host" value "paritybit.ca" forward to <webserver> + pass request header "Host" value "www.paritybit.ca" forward to <webserver> + pass request header "Host" value "ftp.paritybit.ca" forward to <webserver> + pass request header "Host" value "jbauer.ca" forward to <webserver2> +} + +relay "https_traffic" { + listen on egress port https tls + protocol "https" + forward to <matrixserver> port 8008 check tcp + forward to <webserver> port 8080 check tcp + forward to <webserver2> port 8081 check tcp +} + +http protocol "matrix" { + tcp { nodelay, sack, socket buffer 65536, backlog 128 } + tls keypair "paritybit.ca" + block + pass quick path "/_matrix/*" forward to <matrixserver> + pass quick path "/_synapse/client/*" forward to <matrixserver> +} + +relay "matrix_federation" { + listen on egress port 8448 tls + protocol "matrix" + forward to 
<matrixserver> port 8008 check tcp +} +``` diff --git a/sysadmin/tarsnap-backups-with-acts.gmi b/sysadmin/tarsnap-backups-with-acts.gmi @@ -48,9 +48,17 @@ chown 0:0 "$dumpfile" chmod 600 "$dumpfile" ``` +Note that `su` may have different syntax on other OSes. It may be necessary to run `pg_dumpall -U postgres` without su (optionally with password protection and possibly also a user other than postgres). + ```acts-post.sh #!/bin/sh # Only keep db backups less than 7x24h old find /var/backups/ -type f -mtime +7 -delete ``` + +Acts should be run regularly. My crontab looks like: + +```crontab +30 04 * * * /root/acts-1.4.2/acts +```
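Review bot: in the freebsd-jail-based-server.gmi hunk, the `iocage create` line is missing its closing backtick, so `iocage create -T -n <name> ip4_addr=<ipv4> ip6_addr=<ipv6> -r <exact_release_name>` runs into the next paragraph when rendered, and the update step under "Managing Jails" reads `[kg update/upgrade` where `pkg update/upgrade` is evidently meant. Two smaller points: the heading "## Seting up iocage" should read "Setting up iocage", and "## Gemini Jail" stops at "Using" with no server named, so either fill it in or mark it as a stub like the other jail sections. Lastly, the "Why Jails?" paragraph says the jails should have all of the access to the host system; since the stated goal is isolating services, it would help to spell out that this means sharing CPU and memory without resource limits rather than filesystem or network reach into the host, so a reader does not take it as advice to weaken the jail boundary itself.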
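Review bot: the "https" protocol in the new relayd.conf has no default `block`, unlike the "matrix" protocol, which opens with `block` and then passes only `/_matrix/*` and `/_synapse/client/*`; as written, a request whose Host header matches none of the `pass request header "Host" value ...` rules is not explicitly rejected, so consider putting `block` ahead of the pass rules in "https" as well, so that only the listed hostnames are forwarded to a backend. Two documentation points: the `match header set "X-Forwarded-For" value "$REMOTE_ADDR"` and `X-Client-IP` lines are right for an edge proxy, but a short comment that httpd and synapse must trust these headers only from 127.0.0.1 would save the next reader from assuming they are client-supplied; and since relay "matrix_federation" serves port 8448 for matrix.paritybit.ca using only `tls keypair "paritybit.ca"`, a one-line note that this certificate also covers the matrix.paritybit.ca name would avoid a puzzling federation failure later.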
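Review bot: in acts-post.sh, `find /var/backups/ -type f -mtime +7 -delete` removes every regular file under /var/backups/ older than seven days, not only the database dumps the comment describes; narrow it with a `-name` pattern matching the dump filenames (and `-maxdepth 1` if the dumps sit at the top level) so an unrelated file placed there is not deleted along with them. The comment "Only keep db backups less than 7x24h old" is also slightly off, because `-mtime +7` only matches files whose age in whole days exceeds 7, so dumps between seven and eight days old survive one extra run. In the new crontab entry, `/root/acts-1.4.2/acts` pins the acts version into the schedule, so the job fails after an upgrade that changes the directory name; a version-free symlink or an install into PATH avoids that. The added sentence about `su` is helpful, but "possibly also a user other than postgres" leaves the reader guessing; naming the account to pass to `-U` on such systems would make it actionable.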