diff --git a/content/posts/balakrishna.md b/content/posts/bluefeds.md similarity index 98% rename from content/posts/balakrishna.md rename to content/posts/bluefeds.md index 8f65891..644fa58 100644 --- a/content/posts/balakrishna.md +++ b/content/posts/bluefeds.md @@ -1,6 +1,6 @@ --- -title: "Setup balakrishna (Fedora Server arm64)" +title: "Setup bluefeds (Fedora Server arm64)" date: 2022-07-23T08:00:30+05:30 draft: false toc: true @@ -33,7 +33,7 @@ sudo eject /dev/XXX ### Set hostname ```bash -sudo hostnamectl set-hostname balakrishna +sudo hostnamectl set-hostname bluefeds ``` @@ -113,11 +113,11 @@ sudo grubby --remove-args=rhgb --update-kernel=ALL ```bash cd $HOME/.ssh -ssh-keygen -t ed25519 -f adinath +ssh-keygen -t ed25519 -f flameboi ssh-keygen -t ed25519 -f gitea ssh-keygen -t ed25519 -f github ssh-keygen -t ed25519 -f gitlab -ssh-keygen -t ed25519 -f harinarayan +ssh-keygen -t ed25519 -f sentinel ssh-keygen -t ed25519 -f zfs ``` diff --git a/content/posts/harinarayan.md b/content/posts/flameboi.md similarity index 86% rename from content/posts/harinarayan.md rename to content/posts/flameboi.md index db30c95..da81131 100644 --- a/content/posts/harinarayan.md +++ b/content/posts/flameboi.md @@ -1,6 +1,6 @@ --- -title: "Setup harinarayan (Pop OS)" +title: "Setup flameboi (Pop OS)" date: 2022-07-23T08:00:00+05:30 draft: false toc: true @@ -13,7 +13,7 @@ toc: true ### Set hostname ```bash -sudo hostnamectl set-hostname harinarayan +sudo hostnamectl set-hostname flameboi ``` @@ -47,11 +47,11 @@ sudo systemctl enable nvidia-suspend nvidia-hibernate nvidia-resume ```bash cd $HOME/.ssh -ssh-keygen -t ed25519 -f adinath -ssh-keygen -t ed25519 -f balakrishna +ssh-keygen -t ed25519 -f bluefeds ssh-keygen -t ed25519 -f gitea ssh-keygen -t ed25519 -f github ssh-keygen -t ed25519 -f gitlab +ssh-keygen -t ed25519 -f sentinel ``` ### Reboot 
@@ -97,7 +97,7 @@ A few extensions: ### Install packages ```bash -sudo apt-get install adb alacritty aria2 autoconf barrier bat bc bison bridge-utils btop build-essential cifs-utils cmake cmatrix crossbuild-essential-armhf curl ethtool exfat-fuse fakeroot fastboot fdisk ffmpeg flex fonts-firacode fonts-fork-awesome gdb-multiarch git handbrake hdparm htop imagemagick iotop iperf iperf3 libc6-dev libelf-dev libncurses-dev libncurses5-dev libnotify-bin libpam-google-authenticator libssl-dev libvirt-clients libvirt-daemon-system linux-headers-generic linux-headers-$(uname -r) linux-tools-$(uname -r) linux-tools-common linux-tools-generic locate lsb-release make mediainfo mlocate mpv neofetch neovim nethogs nload nodejs nvme-cli obs-plugins obs-studio openocd opensbi openssh-client openssh-server python3 python3-pip qemu qemu-efi-aarch64 qemu-efi-arm qemu-kvm qemu-system-arm qemu-system-misc qemu-system-x86 qemu-utils rar ripgrep rsync signify-openbsd smartmontools speedtest-cli tar thunderbird tmux transmission-cli tree u-boot-qemu unrar unzip valgrind vim virt-manager vlc wakeonlan webp wget wget2 xsel xz-utils yt-dlp zfs-dkms zip zsh zsh-autosuggestions zsh-syntax-highlighting +sudo apt-get install adb alacritty aria2 autoconf barrier bat bc bison bridge-utils btop build-essential cifs-utils cmake cmatrix crossbuild-essential-armhf curl ethtool exfat-fuse fakeroot fastboot fdisk ffmpeg flex fonts-firacode fonts-fork-awesome gdb-multiarch git handbrake hdparm htop imagemagick iotop iperf iperf3 libc6-dev libelf-dev libncurses-dev libncurses5-dev libnotify-bin libpam-google-authenticator libssl-dev libvirt-clients libvirt-daemon-system linux-headers-generic linux-headers-$(uname -r) linux-tools-$(uname -r) linux-tools-common linux-tools-generic locate lsb-release make mediainfo meld mlocate mpv neofetch neovim nethogs nload nodejs nvme-cli obs-plugins obs-studio openocd opensbi openssh-client openssh-server python3 python3-pip qemu qemu-efi-aarch64 qemu-efi-arm 
qemu-kvm qemu-system-arm qemu-system-misc qemu-system-x86 qemu-utils rar ripgrep rsync signify-openbsd smartmontools speedtest-cli tar thunderbird tmux transmission-cli tree u-boot-qemu unrar unzip valgrind vim virt-manager vlc wakeonlan webp wget wget2 xsel xz-utils yt-dlp zfs-dkms zip zsh zsh-autosuggestions zsh-syntax-highlighting ``` **linux-headers-$(uname -r) linux-tools-$(uname -r)** @@ -119,11 +119,16 @@ sh -c 'curl -fLo "${XDG_DATA_HOME:-$HOME/.local/share}"/nvim/site/autoload/plug. **Open `nvim` and type `:PlugInstall`** -### Install rustup +### Rust setup ```bash curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -rustup component add rust-analysis rust-src + +rustup default stable +rustup component add rust-src rust-analyzer +#rustup component add rust-analysis + +cargo install cargo-outdated cargo-tree ``` ### Flatpak @@ -268,11 +273,11 @@ sudo zfs create bhugol/media/movies sudo zfs create bhugol/media/tv_series sudo zfs create bhugol/backup -sudo zfs create bhugol/backup/balakrishna -sudo zfs create bhugol/backup/adinath -sudo zfs create bhugol/backup/vidhata -sudo zfs create bhugol/backup/harinarayan sudo zfs create bhugol/backup/barbet +sudo zfs create bhugol/backup/bluefeds +sudo zfs create bhugol/backup/flameboi +sudo zfs create bhugol/backup/ringmaster +sudo zfs create bhugol/backup/sentinel sudo zpool export bhugol diff --git a/content/posts/vidhata.md b/content/posts/ringmaster.md similarity index 66% rename from content/posts/vidhata.md rename to content/posts/ringmaster.md index c79d934..5ed57c9 100644 --- a/content/posts/vidhata.md +++ b/content/posts/ringmaster.md @@ -1,6 +1,6 @@ --- -title: "Setup vidhata (macOS)" +title: "Setup ringmaster (macOS)" date: 2022-07-23T08:00:10+05:30 draft: false toc: true diff --git a/content/posts/adinath.md b/content/posts/sentinel.md similarity index 97% rename from content/posts/adinath.md rename to content/posts/sentinel.md index 95f0a7c..89139fc 100644 --- a/content/posts/adinath.md 
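Review bot: In the Rust setup block, `rustup default stable` and the `cargo install` line run right after the piped installer, but the installer only adds `~/.cargo/bin` to PATH for new shells, so pasted as-is they will not find `rustup` or `cargo`; add `. "$HOME/.cargo/env"` after the curl line. `cargo install cargo-outdated cargo-tree` resolves dependency versions fresh at install time, whereas `cargo install --locked cargo-outdated` builds with the versions recorded in the crate's lockfile. `cargo-tree` can be dropped because `cargo tree` ships with current cargo. The commented-out `#rustup component add rust-analysis` should either be removed or get a short note on why it is kept.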
+++ b/content/posts/sentinel.md @@ -1,6 +1,6 @@ --- -title: "Setup adinath (Ubuntu Server arm64)" +title: "Setup sentinel (Ubuntu Server arm64)" date: 2022-07-23T08:00:20+05:30 draft: false toc: true @@ -31,7 +31,7 @@ sudo eject /dev/XXX ### Set hostname ```bash -sudo hostnamectl set-hostname adinath +sudo hostnamectl set-hostname sentinel ``` ### Set timezone @@ -81,7 +81,7 @@ arm_freq=2000 ```bash cd $HOME/.ssh -ssh-keygen -t ed25519 -f balakrishna +ssh-keygen -t ed25519 -f bluefeds ssh-keygen -t ed25519 -f gitea ssh-keygen -t ed25519 -f github ssh-keygen -t ed25519 -f gitlab diff --git a/content/posts/vidhyaalakshmi.md b/content/posts/vidhyaalakshmi.md index d937563..59f5337 100644 --- a/content/posts/vidhyaalakshmi.md +++ b/content/posts/vidhyaalakshmi.md @@ -138,8 +138,8 @@ LAN_INTERFACE= #vio1 in VM ```bash fw_update -pkg_check -Fimv pkg_add -imUuVv +pkg_check -Fimv sysupgrade ``` @@ -153,7 +153,7 @@ ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime ### SSH Config ```bash -echo "ListenAddress 10.0.0.1" >> /etc/ssh/sshd_config +#echo "ListenAddress 10.0.0.1" >> /etc/ssh/sshd_config ``` ### Doas setup @@ -178,7 +178,7 @@ pkg_add -imUuVv bash bash-completion curl git htop iftop iperf iperf3 pftop vim- Heavily inspired by the official [OpenBSD documentation](https://www.openbsd.org/faq/pf/example1.html)/guide. -### Setup networking +### Setup IP addresses for WAN and LAN interfaces Use the `10.0.0.0/8` subnet for `$WAN_INTERFACE`. 
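Review bot: Commenting out `echo "ListenAddress 10.0.0.1" >> /etc/ssh/sshd_config` in the SSH Config section leaves sshd on its default of listening on every local address, including the WAN interface, so on this router reachability of port 22 from outside now depends on the pf ruleset alone. If that is intended, replace the dead line with a statement of it, e.g. `# sshd listens on all addresses; access is restricted in pf.conf`. Otherwise keep the directive so the daemon stays bound to the LAN address even when the firewall rules are flushed or fail to load.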
@@ -195,19 +195,29 @@ inet6 autoconf" LAN_IF_CONF="inet 10.0.0.1 255.0.0.0 10.0.0.255" ``` +```bash +echo ${WAN_IF_CONF} > /etc/hostname.${WAN_INTERFACE} +echo ${LAN_IF_CONF} > /etc/hostname.${LAN_INTERFACE} +``` + +### Enable IP Forwarding + +#### IPv4 ```bash echo 'net.inet.ip.forwarding=1' >> /etc/sysctl.conf -# IPv6 $(echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf) -echo ${WAN_IF_CONF} > /etc/hostname.${WAN_INTERFACE} -echo ${LAN_IF_CONF} > /etc/hostname.${LAN_INTERFACE} +``` +#### IPv6 + +``` +echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf ``` ### DHCP ```bash rcctl enable dhcpd -rcctl set dhcpd flags em1 athn0 +rcctl set dhcpd flags ${LAN_INTERFACE} ``` ```bash @@ -238,13 +248,13 @@ subnet 10.0.0.0 netmask 255.255.255.0 { # static LAN IP for my MBP (Wi-Fi) - host vidhata { + host ringmaster { fixed-address 10.0.0.21; hardware ethernet 00:00:00:00:00:00; } # static LAN IP for my Desktop/Workstation - host harinarayan { + host flameboi { fixed-address 10.0.0.22; hardware ethernet 00:00:00:00:00:00; } @@ -257,13 +267,13 @@ subnet 10.0.0.0 netmask 255.255.255.0 { # static LAN IP for my Raspberry Pi 4 Model B 4GB - host adinath { + host sentinel { fixed-address 10.0.0.31; hardware ethernet 00:00:00:00:00:00; } # static LAN IP for my Raspberry Pi 4 Model B 8GB - host balakrishna { + host bluefeds { fixed-address 10.0.0.32; hardware ethernet 00:00:00:00:00:00; } 
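Review bot: The relocated `echo ${WAN_IF_CONF} > /etc/hostname.${WAN_INTERFACE}` and its LAN counterpart expand their variables unquoted, and `WAN_IF_CONF` appears to hold two lines (its value closes with `inet6 autoconf"` on a line of its own), so word splitting would write both settings onto one line of the hostname file. Quote the expansions, e.g. `printf '%s\n' "${WAN_IF_CONF}" > "/etc/hostname.${WAN_INTERFACE}"`, and the same for the LAN file. OpenBSD expects hostname.if files not to be world-readable, so a `chmod 640` on both would fit after the writes. The new IPv6 fence is opened without the `bash` tag the other blocks use.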
@@ -276,26 +286,26 @@ subnet 10.0.0.0 netmask 255.255.255.0 { } } -# IoT devices go on this subnet; extra WAP, Android set-top box, etc... -subnet 10.0.10.0 netmask 255.255.255.0 { - option routers 10.0.10.1; - option domain-name-servers 10.0.10.1; - range 10.0.10.10 10.0.10.100; - - - # static LAN IP for my Android set top box - host vibhishan { - fixed-address 10.0.10.11; - hardware ethernet 00:00:00:00:00:00; - } - - - # static LAN IP for my guest WAP - host ketu { - fixed-address 10.0.10.90; - hardware ethernet 00:00:00:00:00:00; - } -} +## IoT devices go on this subnet; extra WAP, Android set-top box, etc... +#subnet 10.0.10.0 netmask 255.255.255.0 { +# option routers 10.0.10.1; +# option domain-name-servers 10.0.10.1; +# range 10.0.10.10 10.0.10.100; +# +# +# # static LAN IP for my Android set top box +# host vibhishan { +# fixed-address 10.0.10.11; +# hardware ethernet 00:00:00:00:00:00; +# } +# +# +# # static LAN IP for my guest WAP +# host ketu { +# fixed-address 10.0.10.90; +# hardware ethernet 00:00:00:00:00:00; +# } +#} " ``` 
@@ -322,37 +332,24 @@ WAN_IF = "${WAN_INTERFACE}" # network hosts; look at "/etc/dhcpd.conf" for what they are host_barbet = "10.0.0.11" host_merlin = "10.0.0.12" -host_vince = "10.0.0.13" - -host_vidhata = "10.0.0.21" -host_harinarayan = "10.0.0.22" +host_ringmaster = "10.0.0.21" +host_flameboi = "10.0.0.22" host_bramha = "10.0.0.23" - -host_adinath = "10.0.0.31" -host_balakrishna = "10.0.0.32" - +host_sentinel = "10.0.0.31" +host_bluefeds = "10.0.0.32" host_rahu = "10.0.0.90" -host_ketu = "10.0.10.11" -host_vibhishan = "10.0.10.90" +#host_vince = "10.0.0.13" +#host_ketu = "10.0.10.11" +#host_vibhishan = "10.0.10.90" +#host_ = "10." -host_pappa = "10.0.10." -host_mummy = "10.0.10." -host_kaki = "10.0.10." -host_kaka = "10.0.10." -host_baa = "10.0.10." -host_dada = "10.0.10." -host_ = "10.0.10." -host_ = "10.0.10." -host_ = "10.0.10." -#host_ = "10.0.0." -#host_ = "10.0.0." -#host_ = "10.0.0." -#host_ = "10.0.0." -#host_ = "10.0.0." -hosts_protected "{" $host_barbet $host_merlin $host_vidhata $host_harinarayan $host_adinath $host_balakrishna $ "}" -hosts_known_guests "{" $host_vince $host_rahu $host_ketu "}" -hosts_totally_isolated "{" $host_vibhishan "}" +hosts_allow_ssh = "{" $host_ringmaster $host_flameboi $host_bramha $host_bluefeds "}" +hosts_protected = "{" $host_barbet $host_merlin $host_ringmaster $host_flameboi $host_sentinel $host_bluefeds "}" +hosts_known_guests = "{" $host_rahu "}" + +#hosts_known_guests = "{" $host_vince $host_rahu $host_ketu "}" +#hosts_totally_isolated = "{" $host_vibhishan "}" # table for blocking IP addresses # yet to be populated 
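Review bot: The commented-out macros carry over a mismatch with the dhcpd section of the same post: there `vibhishan` is `10.0.10.11` and `ketu` is `10.0.10.90`, while here `#host_ketu = "10.0.10.11"` and `#host_vibhishan = "10.0.10.90"` have the two addresses swapped. If these lines are re-enabled together with `#hosts_totally_isolated`, the isolation would apply to the wrong device. Swap the values now, or delete the dead lines along with the `#host_ = "10."` placeholder.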
@@ -370,13 +367,31 @@ set block-policy drop # block everything block drop all +# activate spoofing protection for all interfaces +block in quick from urpf-failed + +# only allow ssh connections from the local network if it's from the +# $host_allow_ssh hosts. use "block return" so that a TCP RST is +# sent to close blocked connections right away. use "quick" so that this +# rule is not overridden by the "pass" rules below. +block return in quick on $LAN_IF proto tcp from ! $hosts_allow_ssh to $LAN_IF port ssh + # passing packets LAN <-> LAN -pass in on $LAN_IF from $LAN_IF:network to any keep state +# this is not needed now, since I have only one LAN interface +# the switch will do this +#pass in on $LAN_IF from $LAN_IF:network to any keep state + # allow OpenBSD to connect to the internet (package management, etc) # pass WAN network to WAN without modification pass out on $WAN_IF from $WAN_IF:network to any keep state + # pass LAN network OUT to WAN using Network Address Translation pass out on $WAN_IF from $LAN_IF:network to any nat-to ($WAN_IF) keep state +#pass out on $WAN_IF proto { tcp, udp, icmp } from $LAN_IF:network to any nat-to ($WAN_IF) modulate state + +# pass tcp, udp, and icmp out on the external (internet) interface. +# tcp connections will be modulated, udp/icmp will be tracked statefully. +pass out on $WAN_IF proto { tcp udp icmp } all modulate state " ```
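Review bot: The new `block return in quick on $LAN_IF proto tcp from ! $hosts_allow_ssh to $LAN_IF port ssh` negates a macro that expands to a brace list (defined in the previous hunk), and pf does not read `! { a b c }` as "none of these hosts"; the PF documentation warns about negated lists, and depending on how the parser takes it the ruleset either fails to load or the block also hits the hosts meant to be allowed. A table gives set semantics: `table <ssh_allowed> const { $host_ringmaster $host_flameboi $host_bramha $host_bluefeds }` with `from ! <ssh_allowed>` in the rule. The comment above the rule names `$host_allow_ssh`, but the macro is `hosts_allow_ssh`. With `pass in on $LAN_IF from $LAN_IF:network to any keep state` now commented out, nothing visible in this hunk passes traffic in on the LAN interface after `block drop all` (rules before the hunk are not shown), so SSH from the allowed hosts and forwarded LAN traffic would be dropped too; that rule admits packets into the router and is not something the switch does. The added final `pass out on $WAN_IF proto { tcp udp icmp } all modulate state` also becomes the last match for LAN traffic leaving on the WAN side, so the `nat-to` on the pass rule before it likely stops applying; `match out on $WAN_IF from $LAN_IF:network to any nat-to ($WAN_IF)` would keep the translation.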