From c029d472dbda28049839dd7d96b25538353d0711 Mon Sep 17 00:00:00 2001 From: taudris Date: Sun, 5 Mar 2023 23:41:19 -0800 Subject: [PATCH] Add vm notes.txt --- vm notes.txt | 229 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 vm notes.txt diff --git a/vm notes.txt b/vm notes.txt new file mode 100644 index 0000000..4dcd610 --- /dev/null +++ b/vm notes.txt 
@@ -0,0 +1,229 @@ +* get nextcloud working +* get nextcloud backup working +* set up fail2ban and log rotation for vaultwarden +* set up some kind of auth system to simplify password management and ideally get single sign on + * ldap with ssl? + * kerberos? + * radius? +* set up second domain controller + +want to log in to: + debian machines via putty + apps + hevo-avz + pve + pfsense via putty + pfsense via browser + pve via browser + portainer via browser + +try nextcloud + not owncloud + not windows work folders; clients other than win10 get shafted +try jellyfin + can use it to sync video streams to family and friends! (upload bandwidth limits notwithstanding...) + + + +tried truenas + did not try openmediavault; it has only one maintainer + it really wants to own the hard drives + it doesn't do small files on smb very well + it can only install and run packages in "jails" (essentially freebsd's version of lxc), not on the main host + can't run docker on it + + +EACH HOST MUST BE RESPONSIBLE FOR ITS OWN BACKUPS!!! + +naming convention: + type-role OR location-type-role + windows server 2022 running as a domain controller: ws22-dc + ws22-dc + ws22-fs + +server2022 template password: + Sat0nmyws22template + +How to create a clean Windows Server template for Proxmox from an evaluation ISO with a GVLK: + 0. Create a new VM. 
+ System: + Graphic card: SPICE + SCSI Controller: VirtIO SCSI Single + Qemu Agent: checked + BIOS: OVMF (UEFI) + Add EFI Disk: checked + Storage: up to you + Machine: q35 + Hard Disk: + Bus/Device: SCSI 0 + Storage: up to you + Disk size: up to you + recommend using smallest your OS requires to install and expanding if needed + Cache: Default (No cache) + Discard: checked + SSD emulation: checked (even if you use hard drives; this allows the disk image to shrink) + IO thread: checked + Backup: up to you (I left it at the default of checked) + Skip replication: up to you (I left it at the default of unchecked) + CPU: + Sockets: up to you + Cores: up to you + Type: up to you (I changed it to host) + Enable NUMA: checked (this allows the guest to know more about the physical CPU layout and schedule better) + Memory: + Whatever you want (I set 4096MB normal and 2048MB minimum. You can easily change this later as needed.) + Ballooning Device allows the VM host to take memory away from guests that don't need it when there is memory pressure/oversubscription. + Network: + Model: VirtIO (paravirtualized) + Everything else: whatever you want + 1. Install the OS. + 2. Run virtio-win-guest-tools. (This also installs some, but not all, of the other drivers needed.) + 3. Use sysprep to generalize the install with OOBE, choose reboot. + 4. When it reboots, enter Windows setup using the OS ISO by pressing a key when it says to. + If you miss it, Windows will boot into the OOBE. Don't proceed; just shut down the VM (not power off or stop) and try again. + 5. Go through enough of the install to load the VirtIO SCSI driver. + 6. Optional: Delete the recovery partition and extend the primary partition. + This makes it easier to expand the primary partition later on if you need to. + Recovery needs can be met with the install disk. + 7. Cancel the install using the X in the top right to go back to the first screen. + 8. Enter repair mode and get to a command prompt. + 9. 
Use diskpart to mount the system drive as C: + sel disk 0 + list vol + sel vol N (where N is the number of the primary volume) + assign letter=c + exit + 10. Upgrade the evaluation edition to a non-evaluation edition: + dism /image:c:\ /Get-TargetEditions + dism /image:c:\ /Set-Edition:ServerDatacenter + 11. Reboot. + 12. Enter the product key during OOBE (copy/paste should work now): + Windows Server 2022 GVLK for use with KMS: WX4NM-KYWYW-QJJR4-XV3QB-6VM33 + 13. Configure Windows to use your private KMS (vlmcsd in Docker works well for me, but it only activates for 180 days, so make sure you keep it running): + slmgr.vbs /skms apps.taudris.com + slmgr.vbs /ato + 14. Run Windows Update. + To clean up after a service pack install (blocks uninstall): + dism /Online /Cleanup-Image /SPSuperseded /HideSP + To clean up after installing updates (blocks uninstall): + dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase + 15. Use sysprep to reboot into audit mode, choose reboot. + 16. Install software you want on all of your servers, make default user profile customizations, etc. + 17. Use sysprep to generalize the install with OOBE, choose shutdown. + 18. Leave the VM alone. Don't create a template. Templates can't be updated after the fact. + +Setting up a new Windows Server instance: + 1. Clone the template to a new VM. + 2. Start the new VM. + 3. Enter your new local admin password. + 4. In advanced system settings, change the host name and join a domain. + 5. Reboot. + 6. Enable remote access if your domain doesn't already and RDP into the server. + 7. Activate Windows: + slmgr.vbs /ato + 8. Customize theme, browser settings, etc. 
+ +Setting up a new Debian instance: + * Install Debian + * Install guest agent + * Install chrony + if the machine has a static IP, configure pfsense.taudris.com as the NTP server to use + * Set FQDN of the machine + sudo hostnamectl set-hostname YOURHOST.taudris.com + * Join domain + cmd: apt update && apt install realm packagekit + cmd: sudo realm join taudris.com -U robert + cmd: sudo realm deny -a && sudo realm permit -g "domain admins@taudris.com" + + realm join does the following: + * Discovers information about the domain. + * Installs the necessary software to join the domain, such as SSSD or Winbind. + * If administrative credentials are required, a password will be prompted for. + * A computer account in the domain will be created, and or updated. + * A host keytab file at /etc/krb5.keytab is created. + * Configures the SSSD or Winbind services, and restarts and enables them as appropriate. + * Enables domain users in /etc/nsswitch.conf + * Hide domain name from users and groups (sshd doesn't seem to support specifying the domain name) + cmd: sudo micro /etc/sssd/sssd.conf + set: use_fully_qualified_names = False + * Enable automatic home directory creation on login (optional?) + cmd: sudo micro /etc/pam.d/common-session + add line: session optional pam_mkhomedir.so umask=0077 + save and quit + * Enable GSSAPI authentication? 
+ cmd: micro /etc/ssh/sshd_config + set: + AllowGroups domain?admins + GSSAPIAuthentication yes + GSSAPICleanupCredentials yes + #enable forwarding credentials + GSSAPIKeyExchange yes + * Test GSSAPI credential access via SSH (enable GSSAPI, supply username without domain) + +VM: ws22-dc + 192.168.11.6 + password: Sat0nmyws22-dc + +VM: ws22-fs + 192.168.11.7 + password: Sat0nmyws22-fs + +VM: apps + root password: Inter*9apps + also has robert on it + super handy command to see logs in realtime: sudo lnav /var/log/* + + + +rhash --sha1 -r --printf=\"SHA1\",\"%h\",\"%p\"\\r\\n /mnt/storage/files/E > /mnt/storage/files/sha1.csv +Get-ChildItem "D:\*" -Recurse | Get-FileHash -Algorithm SHA1 | Export-Csv -Path C:\Users\robert\Documents\Hashes-Resilient-Restore.csv -NoTypeInformation + +restic restore latest --target /mnt/storage/files + +sudo docker stack deploy portainer --compose-file portainer-agent-stack.yml + + + +storage architecture with ZFS on proxmox: + pve.taudris.com + ZFS pool: storage + dataset: storage/pve + NOPE dataset: storage/resilient + NOPE dataset: storage/vaultwarden + ws22-fs.taudris.com + mounts: storage + D: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-0 + E: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-1 + smb shares: + D:\Shares\Resilient + E:\Shares\Bulk + apps.taudris.com + mounts: + /mnt/storage/vaultwarden -> nfs://truenas.taudris.com/Vaultwarden + docker vaultwarden + volumes: + /data -> wherever + cron job at 3am to start a live backup of vaultwarden + copy from volume to /mnt/storage/vaultwarden + use sqlite3 commands to copy it safely while live? + use docker commands to stop/start the container? 
+ run restic on /mnt/storage/vaultwarden + script which is stored in bitwarden as a secure note to help with ground-up restore + +vaultwarden + a dedicated vm is needed to create an actually secure deployment + docker cannot create security zones for users of the vm + vaultwarden.taudris.com + mounts: + none; just use local vm storage + better to use nextcloud for file hosting and limit total size of bitwarden sends to a few gb at most + cron job at 3:00am to start a live backup + script which is stored in bitwarden as a secure note to help with ground-up restore + +zfs on proxmox, then make a partition for each machine or application + have to put restic on each machine + but that seems like a normal pattern, so maybe not so bad + +zfs on truenas + forced to use a jail for restic + harder to coordinate service backup; can't just have a single script that makes a snapshot and runs restic once it's done
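Review bot: this hunk commits live plaintext credentials into git history (the `server2022 template password`, the `VM: ws22-dc` and `VM: ws22-fs` passwords, and the `apps` root password), and a later revert will not scrub them from the repository; treat all four as exposed, rotate them, and keep only a pointer to where the secrets are stored (the file already refers to Bitwarden secure notes, which would fit). Two smaller points in the same hunk: `cmd: apt update && apt install realm packagekit` names a package that does not exist on Debian (the daemon and CLI ship as `realmd`) and is the only one of the three `cmd:` lines without `sudo`; and the `#enable forwarding credentials` comment above `GSSAPIKeyExchange yes` is misleading, because ticket forwarding is decided on the client side (`GSSAPIDelegateCredentials`) while `GSSAPIKeyExchange` only changes how the host is authenticated, so the comment should be dropped or reworded. For the open question `use sqlite3 commands to copy it safely while live?`, SQLite's online backup is exposed as the `.backup` shell command, e.g. `sqlite3 /data/db.sqlite3 ".backup '/mnt/storage/vaultwarden/db.sqlite3'"` (paths here are illustrative, matching the `/data` volume in the notes), which yields a consistent copy without stopping the container; the attachments and key files in the data directory still need to be copied alongside it.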