commit f8583b8533477cb89964e3695e9637f00af6f54c
parent 2ba72fea0c12afb8db5ed31e062cc9251e9b07c4
Author: Jake Bauer <jbauer@paritybit.ca>
Date: Fri, 3 Dec 2021 13:26:27 -0500
*
Diffstat:
3 files changed, 134 insertions(+), 3 deletions(-)
diff --git a/sysadmin/homelab/freebsd-jail-based-server.gmi b/sysadmin/homelab/freebsd-jail-based-server.gmi
@@ -1,5 +1,65 @@
-# FreeBSD Jails Server
+# FreeBSD Jail-Based Server
-- Using iocage and zfs
+## Why Jails?
+
+Jails are basically just fancy chroots. I don't need any ability to limit resources (even though that is possible with jails), nor to do anything other than isolate the services I am running. I mostly wish to isolate them for management purposes, and ZFS+Jails makes for very easy snapshotting and backing up.
+
+In fact, I wish for all of the jails to have all of the access to the host system since the resources of my home servers are limited relative to enterprise-grade servers and none of my services are hit hard enough simultaneously for that to be an issue.
+
+## Seting up iocage
+
+Search for the iocage package and install the latest (it's named differently depending on the Python version).
+
+Make sure iocage is started at boot with `service iocage enable`.
+
+Add the following to `$HOME/.login_conf`:
+
+```$HOME/.login_conf
+me:\
+ :charset=UTF-8:\
+ :lang=en_US.UTF-8:\
+ :setenv=LC_COLLATE=C:
+```
+
+Run `iocage activate iocage` to create a new ZFS pool with the name `iocage` for your jails.
+
+Run `iocage fetch` to get a list of available releases and choose the latest.
+
+Create a (thick) jail with `iocage create -T -n <name> ip4_addr=<ipv4> ip6_addr=<ipv6> -r <exact_release_name>
+
+Instead of specifying the IP addresses, use `disable` to disable a particular IP version, `inherit` to inherit the host's IP, or `new` to let the jail request an IP (if it has a DHCP client running). I prefer to use IPv4 addresses in the range 10.0.0.10-10.0.0.50 for my jails.
+
+Enter the created jail with `iocage console <name>` and set up the application from there as if it was like any other machine.
+
+## Managing Jails
+
+Update with `iocage update <name>` (still have to enter each jail and run `[kg update/upgrade` manually).
+
+Take snapshots with `iocage snapshot -n <snapshot_name> <jail_name>`.
+
+Rollback to a snapshot with `iocage rollback -n <snapshot_name> <jail_name>`.
+
+## WWW Jail
+
+Using OpenBSD httpd and OpenBSD ftpd
+
+```
+pkg install obhttpd
+```
+
+## Git Jail
+
+Using cgit
+
+## Matrix Jail
+
+Using synapse
+
+## Gemini Jail
+
+Using
+
+## IRC Jail
+
+Using soju+gamja
-Create
diff --git a/sysadmin/homelab/openbsd-router.gmi b/sysadmin/homelab/openbsd-router.gmi
@@ -151,3 +151,66 @@ interface "em0" {
ignore domain-name-servers;
}
```
+
+# Reverse Proxy
+
+```relayd.conf
+table <webserver> { 127.0.0.1 }
+table <webserver2> { 127.0.0.1 }
+table <matrixserver> { 127.0.0.1 }
+
+http protocol "https" {
+ tcp { nodelay, sack, socket buffer 65536, backlog 128 }
+
+ tls keypair "paritybit.ca"
+ tls keypair "jbauer.ca"
+
+ return error
+
+ match header set "X-Client-IP" \
+ value "$REMOTE_ADDR:$REMOTE_PORT"
+ match header set "X-Forwarded-For" \
+ value "$REMOTE_ADDR"
+ match header set "X-Forwarded-By" \
+ value "$SERVER_ADDR:$SERVER_PORT"
+
+ # set CORS header for .well-known/matrix/server, .well-known/matrix/client
+ # httpd does not support setting headers, so do it here
+ match request path "/.well-known/matrix/*" tag "matrix-cors"
+ match response tagged "matrix-cors" header set "Access-Control-Allow-Origin" value "*"
+
+ pass quick path "/_matrix/*" forward to <matrixserver>
+ pass quick path "/_synapse/client/*" forward to <matrixserver>
+
+ pass request quick header "Host" value "matrix.paritybit.ca" \
+ forward to <matrixserver>
+
+ # pass other traffic to webserver
+ pass request header "Host" value "paritybit.ca" forward to <webserver>
+ pass request header "Host" value "www.paritybit.ca" forward to <webserver>
+ pass request header "Host" value "ftp.paritybit.ca" forward to <webserver>
+ pass request header "Host" value "jbauer.ca" forward to <webserver2>
+}
+
+relay "https_traffic" {
+ listen on egress port https tls
+ protocol "https"
+ forward to <matrixserver> port 8008 check tcp
+ forward to <webserver> port 8080 check tcp
+ forward to <webserver2> port 8081 check tcp
+}
+
+http protocol "matrix" {
+ tcp { nodelay, sack, socket buffer 65536, backlog 128 }
+ tls keypair "paritybit.ca"
+ block
+ pass quick path "/_matrix/*" forward to <matrixserver>
+ pass quick path "/_synapse/client/*" forward to <matrixserver>
+}
+
+relay "matrix_federation" {
+ listen on egress port 8448 tls
+ protocol "matrix"
+ forward to <matrixserver> port 8008 check tcp
+}
+```
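Review bot: The `http protocol "https"` block has no default-deny, unlike the `"matrix"` protocol below it which starts with `block`; in relayd a request that matches none of the `pass` rules is still passed, and in `relay "https_traffic"` the first `forward to` table (`<matrixserver> port 8008`) is the default target, so a request with an unknown or missing `Host` header would appear to reach synapse directly rather than being refused. Adding `block` right after the `tcp { ... }` line (`block` before the `tls keypair` lines) would make unmatched hosts fail closed and keep the two protocols consistent. The `pass quick path "/_matrix/*"` rules also run before the `Host` checks, so they forward Matrix paths for any Host value; if that is intended it is worth a comment, otherwise the `quick` rules could be ordered after the `matrix.paritybit.ca` Host rule. Since `X-Forwarded-For` is set from `$REMOTE_ADDR` here, a comment noting that synapse must be configured to trust that header from this proxy would also help the next reader.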
diff --git a/sysadmin/tarsnap-backups-with-acts.gmi b/sysadmin/tarsnap-backups-with-acts.gmi
@@ -48,9 +48,17 @@ chown 0:0 "$dumpfile"
chmod 600 "$dumpfile"
```
+Note that `su` may have different syntax on other OSes. It may be necessary to run `pg_dumpall -U postgres` without su (optionally with password protection and possibly also a user other than postgres).
+
```acts-post.sh
#!/bin/sh
# Only keep db backups less than 7x24h old
find /var/backups/ -type f -mtime +7 -delete
```
+
+Acts should be run regularly. My crontab looks like:
+
+```crontab
+30 04 * * * /root/acts-1.4.2/acts
+```