Hugo Static Site Generator

Hugo Site Example:

Introduction

This guide is not all-inclusive. RTFM. Hugo is a static site generator, converting your .md text files and a chosen theme into a modern-looking website (like this one). There are a staggering number of themes to give you the look and feel that your site needs.

Everything Up Front

It all starts with the hugo.yaml file (you can use .toml too, but that’s beyond my expertise; consult the Hugo documentation). Here is the configuration for this site: ...

April 24, 2026 · welcome-2themachine

Docker Permissions

References: Man Page Install Docker Tutorial

Docker Containers Can Do Too Much

Your containers can do too much. Look at all the capabilities a Docker container gets by default:

- SYS_ADMIN
- NET_ADMIN
- NET_RAW
- FOWNER
- SETGID
- SETUID
- CHOWN
- AUDIT_CONTROL
- AUDIT_READ
- AUDIT_WRITE
- BLOCK_SUSPEND
- BPF
- CHECKPOINT_RESTORE
- DAC_READ_SEARCH
- DAC_OVERRIDE
- FSETID
- IPC_LOCK
- KILL
- LEASE
- LINUX_IMMUTABLE
- MAC_ADMIN
- MAC_OVERRIDE
- MKNOD
- NET_ADMIN
- NET_BIND_SERVICE
- NET_BROADCAST
- PERFMON
- SETFCAP
- SETPCAP
- SYS_BOOT
- SYS_CHROOT
- SYS_NICE
- SYS_PACCT
- SYS_PTRACE
- SYS_RAWIO
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- SYSLOG
- WAKE_ALARM

This should clearly be limited. Containers share functions of the host kernel; it’s how they cut down on overhead. Giving unnecessary permissions violates the security principle of least privilege. So, how to go about it? ...

April 12, 2026 · welcome-2themachine

AdGuardHome

References

AdGuardHome Download AdGuardHome Fix systemd-resolved

Why AdGuardHome?

AdGuard has become a key service in my homelab. I’m so used to having ads blocked across my network, it’s a surprise loading a site away from home and seeing the broken hellscape of ads everywhere. Get a network-level adblocker and learn how to use it. The less tech-savvy folks in your home will thank you.

Installation

- Download the latest version of AdGuardHome
- Extract using tar -xf AdGuardHome_linux_amd64.tar.gz
- Move the folder to the destination: mv AdGuardHome [DESTINATION]
  - Fedora: /usr/local/bin/
  - Ubuntu: /opt/
- Install using sudo ./AdGuardHome -s install
- Set up your account at http://ADGUARD-SERVER:3000
- Set your router’s DNS server to point at your AdGuardHome server (steps will vary by router)
- Set your AdGuard
  - Block Lists
  - Upstream Providers
  - DNS Rewrites
  - Allow Lists
  - Custom Rules
- Back up your AdGuardHome.yaml

Deploy with Docker Compose:

    services:
      adguardhome:
        image: adguard/adguardhome
        container_name: adguardhome
        volumes:
          # place AdGuardHome.yaml here if you already have a configured instance
          - [map to your /conf directory]:/opt/adguardhome/conf
          - [map to your /work directory]:/opt/adguardhome/work
        deploy:
          mode: global
        ports:
          - "53:53/udp" # <Host Port>:<Container Port>
          - "53:53/tcp"
          - "67:67/udp"
          # - "68:68/udp"
          - "80:80/tcp"
          - "443:443/tcp"
          - "443:443/udp"
          - "3000:3000/tcp"
          - "853:853/tcp"
          - "853:853/udp"
          - "8853:8853/udp"
          - "784:784/udp"
          - "5443:5443/tcp"
          - "5443:5443/udp"
        restart: unless-stopped

Troubleshooting Systemd-Resolved

Reference: Fix systemd-resolved

Use these steps when systemd is using port 53: ...

March 14, 2026 · welcome-2themachine

Proton Sieve Filters

References: Proton Email Filters Proton Sieve Filters

Why Sieve Filters?

Rather than a long list of email filter rules that become unmanageable, Proton encourages the use of sieve filters - and limits users to 250 filters total. Sieve allows a user to combine what might be over a dozen filter rules down into one logical, legible, flexible flow. This little blog post is specific to Proton and how they do email filters with Sieve. This post is not all-encompassing, RTFM. ...

February 18, 2026 · welcome-2themachine

Dockhand

References

TechHut Dockhand Dockhand Documentation

Setup

Docker Compose:

    services:
      dockhand:
        image: fnsys/dockhand:latest
        container_name: dockhand
        restart: unless-stopped
        ports:
          - "3000:3000"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - ./data:/app/data
          - /home/mechanicus/Code/compose:/mnt/compose

Notes: using a separate data directory instead of a volume mount will make the container easier to manage and transfer if necessary

Adding Environments

My preferred method is to use the hawser connector:

    docker run -d --name hawser --restart unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /home/mechanicus/code/docker-compose/:/mnt/compose \
      -p 2376:2376 -e TOKEN=[SECURE TOKEN] \
      ghcr.io/finsys/hawser:latest

Note: Include the location of compose files for easier management ...

February 4, 2026 · welcome-2themachine

Tailscale: Easy VPN

References

Tailscale Tailscale Admin Console

Overview

This walkthrough covers the very basics of setting up a Tailscale VPN for travel.

Scenario: You like to travel, but have trouble accessing your accounts (banking, social media, entertainment) while you’re abroad. You travel with a laptop, but you also have a desktop device back home. Wouldn’t it be great if you could just access your accounts and services like you were sitting at your desktop? ...

February 3, 2026 · welcome-2themachine

Install Docker

References

Docker

Setup: Debian Based

    # Add Docker's official GPG key:
    sudo apt-get update
    sudo apt-get install ca-certificates curl
    sudo install -m 0755 -d /etc/apt/keyrings
    sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc

    # Add the repository to Apt sources:
    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
      $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
      sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update

    sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Setup: Arch Based

    # Pamac (manjaro)
    sudo pamac install docker docker-compose

    # Arch
    sudo pacman -Syu docker docker-compose

Enable the docker service ...

August 31, 2025 · welcome-2themachine

Kasm Workspaces

References

Kasm Documentation Kasm System Requirements Kasm GPU Install

Prerequisites

Install Docker Tutorial Swap Space

Installation

NOTE: check for the latest version

    cd /tmp
    curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.18.1.tar.gz
    tar -xf kasm_release_1.18.1.tar.gz
    sudo bash kasm_release/install.sh --accept-eula --swap-size 8192

GPU Setup

The Nvidia container setup instructions, and standard GPU driver installation threw an error: nvidia runtime not found. The script on Kasm’s site worked.

    #!/bin/bash
    # Check for NVIDIA cards
    if ! lspci | grep -i nvidia > /dev/null; then
        echo "No NVIDIA GPU detected"
        exit 0
    fi

    add-apt-repository -y ppa:graphics-drivers/ppa
    curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
      && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
        sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
        sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
    apt update
    apt install -y ubuntu-drivers-common

    # Run ubuntu-drivers and capture the output
    DRIVER_OUTPUT=$(ubuntu-drivers list 2>/dev/null)

    # Extract server driver versions using grep and regex
    # Pattern looks for nvidia-driver-XXX-server
    SERVER_VERSIONS=$(echo "$DRIVER_OUTPUT" | grep -o 'nvidia-driver-[0-9]\+-server' | grep -o '[0-9]\+' | sort -n)

    # Check if any server versions were found
    if [ -z "$SERVER_VERSIONS" ]; then
        echo "Error: No NVIDIA server driver versions found." >&2
        exit 1
    fi

    # Find the highest version number
    LATEST_VERSION=$(echo "$SERVER_VERSIONS" | tail -n 1)

    # Validate that the version is numeric
    if ! [[ "$LATEST_VERSION" =~ ^[0-9]+$ ]]; then
        echo "Error: Invalid version number: $LATEST_VERSION" >&2
        exit 2
    fi

    # Output only the version number
    echo "Latest version is: $LATEST_VERSION"

    ubuntu-drivers install "nvidia:$LATEST_VERSION-server"
    apt install -y "nvidia-utils-$LATEST_VERSION-server"

    # Install NVIDIA toolkit + configure for docker
    apt-get install -y nvidia-container-toolkit
    nvidia-ctk runtime configure --runtime=docker

Egress Setup: NordVPN

- Get service credentials for the VPN: Available on the VPN dashboard
- Download desired OpenVPN configuration files: Available on the VPN dashboard
- On Kasm Administrator dashboard, select Egress (Infrastructure > Egress)
- Add the egress provider:
- Configure VPN type:
- Add egress gateways:
- On the Workspaces > Workspace page, select the workspace to allow it to use the VPN, click edit and add the egress provider on the Egress tab.
- On the Egress Credentials tab, add in the service credentials for the VPN

August 31, 2025 · welcome-2themachine

Keepalived

Explanation:

- vrrp_instance: a virtual router
- state: master or backup
- priority: higher priority means that router gets chosen more often
- authentication:
  - auth_type: can integrate with other ticket based authentication protocols
  - auth_pass: IPv4 sub 8 character passwords, IPv6 allows for longer passwords
- virtual_ipaddress: the shared IP ranges for the virtual router (can be more than one)

Setup Examples

Manager:

    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 51
        priority 10
        advert_int 1
        authentication {
            auth_type AH
            auth_pass adguard
        }
        virtual_ipaddress {
            10.133.7.11/24
        }
    }

    vrrp_instance VI_2 {
        state MASTER
        interface eth0
        virtual_router_id 52
        priority 10
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass adgaurdhome
        }
        virtual_ipaddress {
            fd48:fb0a:cb3a:b8d4::1234/64
        }
    }

Backup:

    vrrp_instance VI_1 {
        state BACKUP
        interface eth0
        virtual_router_id 51
        priority 1
        advert_int 1
        authentication {
            auth_type AH
            auth_pass adguard
        }
        virtual_ipaddress {
            10.133.7.11/24
        }
    }

    vrrp_instance VI_2 {
        state BACKUP
        interface eth0
        virtual_router_id 52
        priority 1
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass adgaurdhome
        }
        virtual_ipaddress {
            fd48:fb0a:cb3a:b8d4::1234/64
        }
    }

Notes:

- Separate setup for IPv4 and IPv6 addresses
- Can have multiple setups for different interfaces

References: redhat arch wiki keepalived documentation

July 27, 2024 · welcome-2themachine

Cloudflare Tunnel

Links

- dash.cloudflare.com
- one.dash.cloudflare.com

Installing the service

Ubuntu

    curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb &&
    sudo dpkg -i cloudflared.deb &&
    sudo cloudflared service install [TUNNEL KEY]

Red Hat

    curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm &&
    sudo yum localinstall -y cloudflared.rpm &&
    sudo cloudflared service install [TUNNEL KEY]

Docker

    docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [TUNNEL KEY]

Docker Compose

    version: "3.8"
    services:
      cloudflared:
        image: cloudflare/cloudflared:latest
        restart: unless-stopped
        command: tunnel run
        network_mode: host
        environment:
          - "TUNNEL_TOKEN=[TUNNEL KEY]"
        deploy:
          mode: global
          placement:
            constraints: [node.platform.os == linux]

Cloudflare as a Docker Sidecar

Cloudflare can serve ports from other docker containers without actually exposing the container ports on the host device. See the compose example below: ...

July 4, 2024 · welcome-2themachine