title date draft toc
Setup trimurti (Debian ARM64) 2022-07-23T08:00:30+05:30 false true

Stage 0000: Immediate initial setup

Set hostname

# Set the machine's hostname; the page reboots further down so it takes effect everywhere.
hostnamectl set-hostname trimurti

Set timezone

# Set the system timezone (cron schedules later on this page use local time).
timedatectl set-timezone Asia/Kolkata

Set DNS Servers

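# Point the eth0 connection profile at fixed resolvers and stop DHCP from
# overriding them. The profile name is resolved once instead of re-running the
# nmcli|grep|cut pipeline per command; with `-g name,device` the device is the
# last ':'-separated field, so anchoring on ':eth0$' avoids substring matches
# (e.g. a profile whose *name* merely contains "eth0").
conn="$(nmcli -g name,device connection show | grep ':eth0$' | cut -f1 -d':')"
: "${conn:?no NetworkManager connection profile bound to eth0}"
nmcli connection modify "$conn" ipv4.dns "1.1.1.2,1.0.0.2"
nmcli connection modify "$conn" ipv4.ignore-auto-dns yes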

Enable loading the Wireguard kernel module at boot.

# Modules listed in /etc/modules-load.d/*.conf are loaded at boot by systemd-modules-load.
echo "wireguard" | tee /etc/modules-load.d/wireguard.conf

Modify motd

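# Hook the MOTD script into every login shell.
# printf, not echo: bash's builtin echo prints "\n" literally (only a dash-style
# sh interprets it), so the original appended one mangled line instead of a
# comment line plus the script path.
# NOTE(review): /etc/profile is read by *every* login shell, including root's,
# so a file under /home/pratham runs with root's privileges at root login —
# confirm that is intended; guarding it with a uid check would be safer.
printf '\n# added by PRATHAM\n%s\n' /home/pratham/.scripts/_trimurti/motd/show_logs.sh | tee -a /etc/profile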

REBOOT! (the hostname change needs to take effect)

# Reboot immediately.
# NOTE(review): "+0" is shutdown(8) time syntax; plain `reboot` or
# `shutdown -r now` is the unambiguous form — confirm this variant works here.
reboot +0

Generate SSH keys

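# One ed25519 key per remote (ssh-keygen prompts for a passphrase each time).
# The directory is created with 0700 if missing and the cd is checked, so the
# keys cannot silently land in the current directory; $HOME is quoted.
mkdir -p -m 700 -- "$HOME/.ssh"
cd "$HOME/.ssh" || exit 1
for key in flameboi gitea github gitlab sentinel; do
  ssh-keygen -t ed25519 -f "$key"
done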

Reboot

# Reboot immediately.
reboot +0

Stage 0010

apt configuration

sudo is not needed; switch to doas

# Pin-Priority -1 makes apt refuse to install sudo at all, matching the
# "switch to doas" note above (nothing can pull it in as a dependency either).
echo "Package: sudo
Pin: release *
Pin-Priority: -1" | tee /etc/apt/preferences.d/90_sudo
# Replace sources.list with bookworm + security + updates, deb and deb-src,
# including non-free-firmware.
# NOTE(review): http:// mirrors are integrity-protected by apt's signature
# checks; https://deb.debian.org is also available if transport privacy of
# package metadata matters on this network.
echo "# this file was edited by Pratham Patel

# bookworm
deb http://deb.debian.org/debian/ bookworm main contrib non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free-firmware


# bookworm-security
deb http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free-firmware


# bookworm-updates
deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free-firmware" | tee /etc/apt/sources.list

Package management

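# Refresh the package index, then upgrade. Chaining with && stops at the first
# failure, so an upgrade never runs against a stale or partially fetched index
# (the original three lines each ran regardless of the previous result).
apt-get update \
  && apt-get upgrade \
  && apt-get dist-upgrade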

Install packages

# Package sets, grouped by purpose. Each `apt install -y` is an independent
# command, so a missing package in one group does not block the others.
# necessary pkgs
apt install -y bind9-dnsutils console-setup curl fdisk ffmpeg findutils git git-delta git-email git-man libpam-google-authenticator neovim network-manager openssh-client openssh-server openssl plocate rename rsync signify-openbsd tmux tree wget wireguard zsh zsh-autosuggestions zsh-common zsh-syntax-highlighting
# --now: start NetworkManager immediately as well as enabling it at boot.
systemctl enable --now NetworkManager.service

# monitoring
apt install -y btop htop iotop nload iperf iperf3

# containerisation stuff
# NOTE(review): a trailing "-" in an apt install list means *remove* that
# package, so `buildah-` uninstalls buildah rather than installing it —
# drop the dash if that is not the intent.
apt install -y aardvark-dns bridge-utils podman podman-compose slirp4netns buildah-

# download clients
apt install -y aria2 wget2 yt-dlp

# android-stuff
apt install -y adb fastboot

# coreutils-rust
apt install -y bat fd-find ripgrep tre-command
#apt install -y skim

# system utils
apt install -y eatmydata hd-idle hdparm smartmontools ssmtp tldr wakeonlan

# compression
apt install -y tar unrar-free unzip xz-utils zip

# cockpit
# cockpit-ws is the web front end; the cockpit.socket/service units are
# enabled in stage 0011.
apt install -y cockpit cockpit-doc cockpit-machines cockpit-pcp cockpit-networkmanager cockpit-packagekit cockpit-podman cockpit-sosreport cockpit-system cockpit-ws

# optional?
#apt install -y cron

# software devel
apt install -y meld

# kernel-devel
apt install -y autoconf bc bison build-essential cmake fakeroot flex gdb-multiarch libc6-dev libelf-dev libncurses-dev libssl-dev make openocd

# virtualisation
apt install -y libvirt-clients libvirt-daemon-system qemu-efi-aarch64 qemu-system qemu-system-common qemu-system-gui qemu-system-misc qemu-user qemu-user-static qemu-utils
#libvirt-daemon-kvm

# network filesystems
apt install -y cifs-utils nfs-common nfs-kernel-server nfswatch
# try to use NFS
#apt install -y samba samba-common samba-common-bin

# zfs
# dpkg-dev and the kernel headers are what zfs-dkms needs to build the module.
apt install -y dpkg-dev linux-headers-arm64
# noninteractive: presumably to skip the debconf notice zfs-dkms shows — confirm.
DEBIAN_FRONTEND=noninteractive apt install -y zfs-dkms zfs-zed zfsutils-linux

Add user

# Supplementary groups for the admin user. -a keeps existing memberships
# (without it, -G would replace them); systemd-journal allows reading the
# journal without doas.
usermod -a -G adb,audio,cdrom,dip,floppy,games,netdev,plugdev,sys,systemd-journal,uucp,video pratham

# doas rule for pratham: `persist` caches a successful authentication for a
# few minutes, `keepenv` hands the caller's environment to the root process.
# Both are convenience trade-offs that widen what a hijacked pratham session
# can do as root.
# NOTE(review): tee -a creates /etc/doas.conf with the umask default; doas
# expects its config to be root-owned and not group/world-writable, so a
# `chmod 0400 /etc/doas.conf` afterwards is worth adding — confirm.
echo "permit persist keepenv pratham" | tee -a /etc/doas.conf

Reboot

# Reboot immediately (picks up the new group memberships and the doas config).
reboot +0

Stage 0011: Install stuff

vim-plug (Neovim)

# Bootstrap vim-plug into Neovim's autoload directory (XDG_DATA_HOME-aware).
# NOTE(review): this fetches the unpinned master branch over HTTPS, and the
# file is executed by Neovim on start; pinning a tag or commit would make the
# install reproducible and easier to audit. The outer `sh -c` appears to exist
# only so the upstream one-liner can be pasted as-is.
sh -c 'curl -fLo "${XDG_DATA_HOME:-$HOME/.local/share}"/nvim/site/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim'

Open nvim and type :PlugInstall

Enable systemd services

# Cockpit's web UI is socket-activated; podman.socket exposes the Podman API
# (used by cockpit-podman, installed above).
doas systemctl enable cockpit.socket cockpit.service
doas systemctl enable podman.socket

Stage 0100: ZFS

Enable necessary services

# Enable every ZFS unit needed to import, mount and share pools at boot.
# Each unit is enabled on its own so one failure does not hide the rest.
for zfs_unit in \
  zfs-import-cache.service \
  zfs-import-scan.service \
  zfs-mount.service \
  zfs-share.service \
  zfs-zed.service \
  zfs.target; do
  doas systemctl enable "$zfs_unit"
done

Make sure an import cache file exists

# zfs-import-cache.service (enabled above) imports the pools recorded in this cache file at boot.
doas zpool set cachefile=/etc/zfs/zpool.cache brahmaand

Creating a new zpool?

# Whole-disk pool: ashift=12 means 4 KiB sectors, autotrim issues TRIM as
# blocks are freed.
# NOTE(review): /dev/sda is not a stable name across reboots/enumeration; the
# export/import by-id sequence further down is what makes the config stable.
# Creating the pool with the /dev/disk/by-id path in the first place skips it.
doas zpool create -o ashift=12 -o autotrim=on brahmaand /dev/sda

# Pool-wide defaults, inherited by every dataset created below.
doas zfs set atime=off brahmaand
doas zfs set primarycache=all brahmaand
doas zfs set recordsize=1M brahmaand
doas zfs set xattr=sa brahmaand

# Parents must exist before children; keep this order.
doas zfs create brahmaand/containers
doas zfs create brahmaand/containers/volumes
doas zfs create brahmaand/containers/volumes/blog
doas zfs create brahmaand/containers/volumes/caddy
doas zfs create brahmaand/containers/volumes/mach

# Database datasets get recordsize=8K (the Postgres page size; postgres:15 is
# pulled in stage 0101) instead of the inherited 1M.
doas zfs create brahmaand/containers/volumes/gitea
doas zfs create brahmaand/containers/volumes/gitea/database
doas zfs set recordsize=8K brahmaand/containers/volumes/gitea/database

doas zfs create brahmaand/containers/volumes/nextcloud
doas zfs create brahmaand/containers/volumes/nextcloud/database
doas zfs set recordsize=8K brahmaand/containers/volumes/nextcloud/database

doas zfs create brahmaand/torrents
doas zfs set recordsize=16K brahmaand/torrents
doas zfs create brahmaand/torrents/downloads
doas zfs create brahmaand/torrents/downloads/.incomplete
doas zfs create brahmaand/torrents/config

# The recursive chown of /brahmaand already covers /brahmaand/torrents; the
# second command is redundant but harmless.
doas chown pratham:pratham -vR /brahmaand
doas chown pratham:pratham -vR /brahmaand/torrents

# Delegates these zfs operations on the whole pool to pratham (no doas needed
# for them). `destroy` on the pool root lets that account remove any dataset —
# a wide grant; stage 0101 grants only send,snapshot,hold.
doas zfs allow -u pratham create,destroy,mount,snapshot,send,hold brahmaand

# Export and re-import by stable device id so the pool config no longer
# references /dev/sda.
doas zpool export brahmaand

# First call lists importable pools and their ids; <pool-id> below is a
# placeholder for the id it prints.
doas zpool import
doas zpool import -d /dev/disk/by-id <pool-id>

# Re-record the pool in the import cache after the re-import.
doas zpool set cachefile=/etc/zfs/zpool.cache brahmaand

# Sanity check (read-only, no doas needed).
zpool status -v
zfs list

# Initial scrub; the root crontab later on this page repeats it monthly.
doas zpool scrub brahmaand

Reboot

# Reboot immediately.
doas reboot +0

Stage 0101: Containers

Pull images

# Pre-pull the container images (presumably the ones master-compose.yml
# starts below), pausing a minute before each pull.
# NOTE(review): `gitea:latest`, `hugo:alpine` and `hugo:ext-debian` are
# moving tags; pinning by digest (image@sha256:…) would make the rollout
# reproducible and auditable.
for image in \
  docker.io/library/postgres:15-alpine \
  docker.io/library/caddy:alpine \
  docker.io/klakegg/hugo:ext-debian \
  docker.io/library/nextcloud:production \
  docker.io/klakegg/hugo:alpine \
  docker.io/gitea/gitea:latest; do
  sleep 60 && podman pull "$image"
done

Get fs ready

# NOTE(review): this repeats the dataset layout from stage 0100. `zfs set` is
# idempotent, but `zfs create` fails with "dataset already exists" on a pool
# prepared there — harmless, just noisy. Differences from stage 0100: the
# gitea/database and nextcloud/database child datasets (recordsize=8K) are not
# created here, and the `zfs allow` grant is narrower (send,snapshot,hold only;
# allow is additive, so it does not revoke the stage-0100 grant).
doas zfs set atime=off brahmaand
doas zfs set primarycache=all brahmaand
doas zfs set recordsize=1M brahmaand
doas zfs set xattr=sa brahmaand

# Parents before children; keep this order.
doas zfs create brahmaand/containers
doas zfs create brahmaand/containers/volumes
doas zfs create brahmaand/containers/volumes/blog
doas zfs create brahmaand/containers/volumes/caddy
doas zfs create brahmaand/containers/volumes/gitea
doas zfs create brahmaand/containers/volumes/mach
doas zfs create brahmaand/containers/volumes/nextcloud

doas zfs create brahmaand/torrents
doas zfs set recordsize=16K brahmaand/torrents
doas zfs create brahmaand/torrents/downloads
doas zfs create brahmaand/torrents/downloads/.incomplete
doas zfs create brahmaand/torrents/config

# Volumes are owned by pratham so the rootless containers below can use them.
doas chown pratham:pratham -vR /brahmaand/containers/volumes
doas chown pratham:pratham -vR /brahmaand/torrents

doas zfs allow -u pratham send,snapshot,hold brahmaand

Create directories for mounting container volumes

# Brace expansion creates the nested layout in one call (-p: parents, -v: log).
# If the gitea/nextcloud `database` datasets from stage 0100 exist, mkdir -p
# simply finds their mountpoints; otherwise these become plain directories in
# the parent volume dataset (inheriting its recordsize=1M rather than 8K).
mkdir -vp /brahmaand/containers/volumes/caddy/{site,ssl/{private,certs},caddy_{data,config}}
mkdir -vp /brahmaand/containers/volumes/gitea/{database,web}
mkdir -vp /brahmaand/containers/volumes/nextcloud/{database,web}

Enable workaround for "root-less containers can't ping hosts"

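# Rootless containers ping by opening ICMP sockets, which the kernel allows
# only to GIDs inside net.ipv4.ping_group_range. Cover GID 0 through pratham's
# last subordinate GID (start + count - 1; the original's start + count was
# one past the end).
# NOTE(review): ping_group_range is a *group* range, so the bound is taken
# from /etc/subgid; the original read /etc/subuid, which usually holds the
# same numbers but is not guaranteed to. Note the range also includes every
# ordinary group on the host, not just the container ones.
ping_gid_max="$(awk -F: '$1 == "pratham" {print $2 + $3 - 1}' /etc/subgid)"
: "${ping_gid_max:?pratham has no /etc/subgid entry}"
# Append only if not already configured (exact-key match, not a substring).
if ! grep -q '^net.ipv4.ping_group_range' /etc/sysctl.conf; then
  printf 'net.ipv4.ping_group_range=0 %s\n' "$ping_gid_max" | doas tee -a /etc/sysctl.conf
fi
# sysctl.conf is only read at boot; apply the value now as well.
doas sysctl -w "net.ipv4.ping_group_range=0 $ping_gid_max"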

Hugo

# Clone both repos from GitLab, then repoint origin at the self-hosted Gitea
# (git.thefossguy.com). The first SSH connection to each host prompts to
# accept its host key; verify the fingerprint out of band before answering.
git clone --recursive git@gitlab.com:thefossguy/blog.git /brahmaand/containers/volumes/blog
cd /brahmaand/containers/volumes/blog
git remote rm origin
git remote add origin git@git.thefossguy.com:thefossguy/blog.git

git clone --recursive git@gitlab.com:thefossguy/machines.git /brahmaand/containers/volumes/mach
cd /brahmaand/containers/volumes/mach
git remote rm origin
git remote add origin git@git.thefossguy.com:thefossguy/machines.git

Caddy

  1. Visit the Cloudflare dashboard
  2. Select domain
  3. On the left sidebar, select 'SSL/TLS'. Make sure Encryption Mode is Full (strict).
  4. Under 'SSL/TLS', goto 'Origin Server'.
  5. Create a new Certificate with default values.
  6. Populate /brahmaand/containers/volumes/caddy/ssl/{certs/certificate.pem,private/key.pem}.
  7. Change permissions for /brahmaand/containers/volumes/caddy/ssl/private.
# Lock down the origin-certificate private key: directory owner-only, key
# file owner read/write only. Ownership matters as much as mode — the volume
# was chowned to pratham above, which is the user the rootless containers
# run as.
chmod 700 -v /brahmaand/containers/volumes/caddy/ssl/private
chmod 600 -v /brahmaand/containers/volumes/caddy/ssl/private/key.pem

Copy Caddyfile to the appropriate directory.

# Caddyfile is taken from the current directory (presumably the machines checkout cloned above — check the cwd first).
cp -v Caddyfile /brahmaand/containers/volumes/caddy/

Cockpit

Enable SSL for Cockpit (exact steps not recorded here)

# cockpit.conf is taken from the current directory (presumably the machines checkout — check the cwd first).
doas cp cockpit.conf /etc/cockpit/cockpit.conf

Generate container secrets for passwords

# Random DB passwords piped straight into `podman secret create NAME -`, so
# the value never appears in argv or shell history.
# NOTE(review): Podman's default secret driver keeps the value on disk without
# encryption, protected only by file permissions under pratham's storage —
# acceptable for a single-user host, but confirm for the Podman version in use.
openssl rand -base64 20 | podman secret create gitea_database_user_password -
openssl rand -base64 20 | podman secret create nextcloud_database_user_password -

Enable user lingering

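# Lingering lets pratham's user services (the container units generated
# below) start at boot and keep running without a login session. Naming the
# user explicitly avoids relying on how loginctl resolves "the caller's
# session" when invoked through doas.
doas loginctl enable-linger pratham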

Start containers

# master-compose.yml is read from the current directory (presumably the machines checkout — check the cwd first).
podman-compose -f master-compose.yml up -d

Generate systemd files and enable them

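# Turn the running compose containers into user systemd units and enable them.
# The unit directory is created if missing and the cd is checked, so the
# generated files cannot silently land in the wrong place; $HOME is quoted.
unit_dir="$HOME/.config/systemd/user"
mkdir -p -- "$unit_dir"
cd "$unit_dir" || exit 1

containers=(
  caddy-vishwambhar
  gitea-chitragupta
  gitea-govinda
  hugo-mahayogi
  hugo-vaikunthnatham
  nextcloud-chitragupta
  nextcloud-govinda
)
units=()
for name in "${containers[@]}"; do
  # -f writes container-<name>.service into the cwd; --new makes the unit
  # create a fresh container on each start rather than reuse this one.
  podman generate systemd -f --name "$name" --new
  units+=("container-$name")
done

# NOTE(review): newer Podman releases mark `generate systemd` deprecated in
# favour of Quadlet unit files; worth revisiting when upgrading.
systemctl --user daemon-reload
systemctl --user enable "${units[@]}"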

Stage 0111: sharing zpool

exports

docs

Add the following lines to the /etc/exports file:

# /etc/exports entry. ro: read-only; insecure: accept client source ports
# above 1023 (needed by some non-root NFS clients); subtree_check: verify
# each requested file lies inside the exported tree; crossmnt: child
# filesystems — here every ZFS dataset under /brahmaand, container volumes
# included — are reachable through this single export.
# NOTE(review): root_squash is the default and still applies, but the whole
# pool (gitea/nextcloud database and config volumes included) becomes readable
# by any host presenting a 10.0.0.0/8 address; exporting only the datasets
# that need sharing, or a narrower subnet, would limit exposure.
/brahmaand 10.0.0.0/8(ro,insecure,subtree_check,crossmnt)

Then, export it.

doas exportfs -rva

Stage 1000: cron

user crontab

# always add ">/dev/null 2>&1" at the end of cronjobs
# to prevent a `dead.letter` in $HOME/
# (cron mails any job output to the user; discarding it avoids the
# undeliverable-mail fallback file)


# check if containers are running or not; restart if stopped
# (every 5 minutes)
*/5 * * * * bash /home/pratham/.scripts/_trimurti/cron/pratham/maintenance.sh >/dev/null 2>&1


# run Nextcloud cron
# (every 5 minutes, as www-data inside the nextcloud-govinda container)
*/5 * * * * podman exec -u www-data nextcloud-govinda /usr/local/bin/php -f /var/www/html/cron.php >/dev/null 2>&1


# Nextcloud: scan files for all users and perform cleanup
# (scan at :10 and cleanup at :40 of every second hour)
10 */2 * * * podman exec -u www-data nextcloud-govinda /usr/local/bin/php -f /var/www/html/occ files:scan --all >/dev/null 2>&1
40 */2 * * * podman exec -u www-data nextcloud-govinda /usr/local/bin/php -f /var/www/html/occ files:cleanup >/dev/null 2>&1

root crontab

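# always add ">/dev/null 2>&1" at the end of cronjobs
# to prevent a `dead.letter` in $HOME/


# update fs database every 6 hours
# (minute field fixed to 0: "* */6" fired every minute of hours 0, 6, 12, 18)
0 */6 * * * updatedb >/dev/null 2>&1


# create zfs snapshots every Friday
0 0 * * 5 bash /home/pratham/.scripts/_trimurti/cron/root/zfs-bak.sh >/dev/null 2>&1


# start scrub
# on the first Friday of every month
# at 2100 hours
# (a Friday whose day-of-month is <= 7 is the first one; "%" must stay
# escaped in a crontab; zpool scrub requires the pool name, which the
# original omitted)
0 21 * * 5 [ "$(date +\%d)" -le 7 ] && /sbin/zpool scrub brahmaand >/dev/null 2>&1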