Named Tor Site

What’s the Point of This? Recently, schools across the US were hit by a breach of the education software Canvas by the ShinyHunters. The group’s ransom note included an interesting .onion url. Normally a .onion address is a string of randomly generated characters with no meaning, because the site’s name is derived from the keys generated when the node joins the network. However, ShinyHunters and the CIA have been able to generate custom Tor keys to get at least a partially human-readable url. ...

May 11, 2026 · welcome-2themachine

Hugo Static Site Generator

Hugo Site Example: Introduction This guide is not all inclusive. RTFM. Hugo is a static site generator, converting your .md text files, and a chosen theme into a modern looking website (like this one). There are a staggering number of themes to give you the look and feel that your site needs. Everything Up Front It all starts with the hugo.yaml file (you can use .toml too, but that’s beyond my expertise, consult the hugo documentation). Here is the configuration for this site: ...

April 24, 2026 · welcome-2themachine

Docker Permissions

References: Man Page, Install Docker Tutorial

Docker Containers Can Do Too Much
Your containers can do too much. Look at all the capabilities a Docker container gets by default:
  - SYS_ADMIN
  - NET_ADMIN
  - NET_RAW
  - FOWNER
  - SETGID
  - SETUID
  - CHOWN
  - AUDIT_CONTROL
  - AUDIT_READ
  - AUDIT_WRITE
  - BLOCK_SUSPEND
  - BPF
  - CHECKPOINT_RESTORE
  - DAC_READ_SEARCH
  - DAC_OVERRIDE
  - FSETID
  - IPC_LOCK
  - KILL
  - LEASE
  - LINUX_IMMUTABLE
  - MAC_ADMIN
  - MAC_OVERRIDE
  - MKNOD
  - NET_ADMIN
  - NET_BIND_SERVICE
  - NET_BROADCAST
  - PERFMON
  - SETFCAP
  - SETPCAP
  - SYS_BOOT
  - SYS_CHROOT
  - SYS_NICE
  - SYS_PACCT
  - SYS_PTRACE
  - SYS_RAWIO
  - SYS_RESOURCE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - SYSLOG
  - WAKE_ALARM
This should clearly be limited. Containers share functions of the host kernel; that is how they cut down on overhead. Giving unnecessary permissions violates the security principle of least privilege. So, how do we go about it? ...

April 12, 2026 · welcome-2themachine

AdGuardHome

References: AdGuardHome, Download AdGuardHome, Fix systemd-resolved

Why AdGuardHome?
AdGuard has become a key service in my homelab. I’m so used to having ads blocked across my network, it’s a surprise loading a site away from home and seeing the broken hellscape of ads everywhere. Get a network level adblocker and learn how to use it. The less tech savvy folks in your home will thank you.

Installation
  1. Download the latest version of AdGuardHome
  2. Extract using: tar -xf AdGuardHome_linux_amd64.tar.gz
  3. Move the folder to the destination: mv AdGuardHome [DESTINATION]
     Fedora: /usr/local/bin/
     Ubuntu: /opt/
  4. Install using: sudo ./AdGuardHome -s install
  5. Set up your account at http://ADGUARD-SERVER:3000
  6. Set your router’s DNS server to point at your AdGuardHome server (steps will vary by router)
  7. Set your AdGuard Block Lists, Upstream Providers, DNS Rewrites, Allow Lists and Custom Rules
  8. Back up your AdGuardHome.yaml

Deploy with Docker Compose:
  services:
    adguardhome:
      image: adguard/adguardhome
      container_name: adguardhome
      volumes:
        # place AdGuardHome.yaml here if you already have a configured instance
        - [map to your /conf directory]:/opt/adguardhome/conf
        - [map to your /work directory]:/opt/adguardhome/work
      deploy:
        mode: global
      ports:
        - "53:53/udp" # <Host Port>:<Container Port>
        - "53:53/tcp"
        - "67:67/udp"
        # - "68:68/udp"
        - "80:80/tcp"
        - "443:443/tcp"
        - "443:443/udp"
        - "3000:3000/tcp"
        - "853:853/tcp"
        - "853:853/udp"
        - "8853:8853/udp"
        - "784:784/udp"
        - "5443:5443/tcp"
        - "5443:5443/udp"
      restart: unless-stopped

Troubleshooting Systemd-Resolved
Reference: Fix systemd-resolved
Use these steps when systemd is using port 53: ...

March 14, 2026 · welcome-2themachine

Proton Sieve Filters

References: Proton Email Filters, Proton Sieve Filters

Why Sieve Filters? Rather than a long list of email filter rules that become unmanageable, Proton encourages the use of sieve filters, and limits users to 250 filters total. Sieve allows a user to combine what might be over a dozen filter rules into one logical, legible, flexible flow. This little blog post is specific to Proton and how they do email filters with Sieve. This post is not all encompassing, RTFM. ...

February 18, 2026 · welcome-2themachine

Dockhand

References: TechHut Dockhand, Dockhand Documentation

Setup
Docker Compose:
  services:
    dockhand:
      image: fnsys/dockhand:latest
      container_name: dockhand
      restart: unless-stopped
      ports:
        - "3000:3000"
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
        - ./data:/app/data
        - /home/mechanicus/Code/compose:/mnt/compose
Notes: using a separate data directory instead of a volume mount will make the container easier to manage and transfer if necessary.

Adding Environments
My preferred method is to use the hawser connector:
  docker run -d --name hawser --restart unless-stopped \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /home/mechanicus/code/docker-compose/:/mnt/compose \
    -p 2376:2376 -e TOKEN=[SECURE TOKEN] \
    ghcr.io/finsys/hawser:latest
Note: Include the location of compose files for easier management ...

February 4, 2026 · welcome-2themachine

Tailscale: Easy VPN

References: Tailscale, Tailscale Admin Console

Overview
This walkthrough covers the very basics of setting up a Tailscale VPN for travel. Scenario: You like to travel, but have trouble accessing your accounts (banking, social media, entertainment) while you’re abroad. You travel with a laptop, but you also have a desktop device back home. Wouldn’t it be great if you could just access your accounts and services as if you were sitting at your desktop? ...

February 3, 2026 · welcome-2themachine

Tor Site

Directory Setup
Set up the files and directories:
  mkdir -p tor-site/keys tor-site/html tor-site/logs
  touch tor-site/torrc
Set permissions:
  chmod 700 tor-site/keys
  chmod 600 tor-site/logs
  sudo chown root:root tor-site/keys tor-site/logs

Content Setup
Add the files for your website into the tor-site/html folder. Example:
  <!DOCTYPE html>
  <html>
  <body>
  <h1>Hello from the Onion Router!</h1>
  <p>This site is hosted inside Docker.</p>
  </body>
  </html>

Docker Setup
[[Install Docker]]

Docker Compose File
compose.yaml:
  services:
    nginx:
      container_name: nginx
      image: nginx
      cap_drop:
        - ALL
      cap_add:
        - CHOWN
        - SETGID
        - SETUID
      volumes:
        - ./html:/usr/share/nginx/html:ro
        - ./logs:/var/log/nginx
      networks:
        - tor_network
    tor:
      container_name: tor
      volumes:
        - ./torrc:/etc/tor/torrc:ro
        - ./keys:/var/lib/tor/hidden_service/
      image: alpine:latest
      entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
      security_opt:
        - no-new-privileges:true
      cap_drop:
        - ALL
      cap_add:
        - NET_BIND_SERVICE
      networks:
        - tor_network
      depends_on:
        - nginx
  networks:
    tor_network:

Notes on the compose file:
  - nginx is the name of your web server container; this is important for the torrc file.
  - :ro sets the volume to read only.
  - networks: tor_network means all the traffic stays inside the tor network.
  - security_opt: no-new-privileges:true prevents processes in the container from gaining extra privileges (such as root) through setuid or setgid binaries.
  - cap_drop: ALL removes all default Linux capabilities granted to a container.
  - cap_add: NET_BIND_SERVICE allows tor to work with only the necessary capability.
  - networks ensures that all traffic stays inside the docker network, using a custom bridge tor_network to reach the tor relays.
See Docker Permissions.

Create torrc:
  # Standard Tor config
  DataDirectory /var/lib/tor
  # Define the Hidden Service
  HiddenServiceDir /var/lib/tor/hidden_service/
  HiddenServicePort 80 nginx:80
Note: the name nginx should be the same as the name you give your web server container in the compose.yaml (see [[#Docker Setup]]).

Notes: Did you know you can make a custom tor site name? See the Named Tor Site.

The docker service setup (Dockhand, Portainer):
  services:
    nginx:
      container_name: nginx
      image: nginx
      volumes:
        - /home/mechanicus/code/tor-site/html:/usr/share/nginx/html:ro
        - /home/mechanicus/code/tor-site/logs:/var/log/nginx
      networks:
        - tor_network
      deploy:
        mode: replicated
        replicas: 1
        labels:
          - "com.centurylinklabs.watchtower.enable=true"
          - "label=shepherd.autodeploy=true"
    tor:
      container_name: tor
      volumes:
        - /home/mechanicus/code/tor-site/torrc:/etc/tor/torrc:ro
        - /home/mechanicus/code/tor-site/keys:/var/lib/tor/hidden_service/
      image: alpine:latest
      entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
      security_opt:
        - no-new-privileges:true
      cap_drop:
        - ALL
      cap_add:
        - NET_BIND_SERVICE
      networks:
        - tor_network
      depends_on:
        - nginx
      deploy:
        mode: replicated
        replicas: 1
        labels:
          - "com.centurylinklabs.watchtower.enable=true"
          - "label=shepherd.autodeploy=true"
  networks:
    tor_network:

December 13, 2025 · welcome-2themachine

Building Docker Containers

Install Docker
  Install Docker Tutorial

Setup Buildx Environment
  docker buildx create \
    --name container-builder \
    --driver docker-container \
    --bootstrap --use

Build the Container
  docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
    -t [repository]/[containername]:[tag] . --push
The -t flag sets the image name and tag, . tells docker where to build the container (the directory containing the Dockerfile), and --push sends it to the Docker Hub repository.

Tag a Docker Container
  docker tag [name]:[tag] [new-name]:[new-tag]

Save and Transfer a Docker Container
  docker save -o [name] [name]:[tag]
  rsync -P [name] [target]:[location]
  docker load -i [name]

August 31, 2025 · welcome-2themachine

Install Docker

References: Docker

Setup: Debian Based
  # Add Docker's official GPG key:
  sudo apt-get update
  sudo apt-get install ca-certificates curl
  sudo install -m 0755 -d /etc/apt/keyrings
  sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
  sudo chmod a+r /etc/apt/keyrings/docker.asc

  # Add the repository to Apt sources:
  echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  sudo apt-get update
  sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Setup: Arch Based
  # Pamac (manjaro)
  sudo pamac install docker docker-compose
  # Arch
  sudo pacman -Syu docker docker-compose

Enable the docker service ...

August 31, 2025 · welcome-2themachine