Add vm notes.txt
This commit is contained in:
taudris
parent
a188c201b8
commit
c029d472db
|
|
@ -0,0 +1,229 @@
|
|||
* get nextcloud working
|
||||
* get nextcloud backup working
|
||||
* set up fail2ban and log rotation for vaultwarden
|
||||
* set up some kind of auth system to simplify password management and ideally get single sign on
|
||||
* ldap with ssl?
|
||||
* kerberos?
|
||||
* radius?
|
||||
* set up second domain controller
|
||||
|
||||
want to log in to:
|
||||
debian machines via putty
|
||||
apps
|
||||
hevo-avz
|
||||
pve
|
||||
pfsense via putty
|
||||
pfsense via browser
|
||||
pve via browser
|
||||
portainer via browser
|
||||
|
||||
try nextcloud
|
||||
not owncloud
|
||||
not windows work folders; clients other than win10 get shafted
|
||||
try jellyfin
|
||||
can use it to sync video streams to family and friends! (upload bandwidth limits notwithstanding...)
|
||||
|
||||
|
||||
|
||||
tried truenas
|
||||
did not try openmediavault; it has only one maintainer
|
||||
it really wants to own the hard drives
|
||||
it doesn't do small files on smb very well
|
||||
it can only install and run packages in "jails" (essentially freebsd's version of lxc), not on the main host
|
||||
can't run docker on it
|
||||
|
||||
|
||||
EACH HOST MUST BE RESPONSIBLE FOR ITS OWN BACKUPS!!!
|
||||
|
||||
naming convention:
|
||||
type-role OR location-type-role
|
||||
windows server 2022 running as a domain controller: ws22-dc
|
||||
ws22-dc
|
||||
ws22-fs
|
||||
|
||||
server2022 template password:
|
||||
Sat0nmyws22template
|
||||
|
||||
How to create a clean Windows Server template for Proxmox from an evaluation ISO with a GVLK:
|
||||
0. Create a new VM.
|
||||
System:
|
||||
Graphic card: SPICE
|
||||
SCSI Controller: VirtIO SCSI Single
|
||||
Qemu Agent: checked
|
||||
BIOS: OVMF (UEFI)
|
||||
Add EFI Disk: checked
|
||||
Storage: up to you
|
||||
Machine: q35
|
||||
Hard Disk:
|
||||
Bus/Device: SCSI 0
|
||||
Storage: up to you
|
||||
Disk size: up to you
|
||||
recommend using smallest your OS requires to install and expanding if needed
|
||||
Cache: Default (No cache)
|
||||
Discard: checked
|
||||
SSD emulation: checked (even if you use hard drives; this allows the disk image to shrink)
|
||||
IO thread: checked
|
||||
Backup: up to you (I left it at the default of checked)
|
||||
Skip replication: up to you (I left it at the default of unchecked)
|
||||
CPU:
|
||||
Sockets: up to you
|
||||
Cores: up to you
|
||||
Type: up to you (I changed it to host)
|
||||
Enable NUMA: checked (this allows the guest to know more about the physical CPU layout and schedule better)
|
||||
Memory:
|
||||
Whatever you want (I set 4096MB normal and 2048MB minimum. You can easily change this later as needed.)
|
||||
Ballooning Device allows the VM host to take memory away from guests that don't need it when there is memory pressure/oversubscription.
|
||||
Network:
|
||||
Model: VirtIO (paravirtualized)
|
||||
Everything else: whatever you want
|
||||
1. Install the OS.
|
||||
2. Run virtio-win-guest-tools. (This also installs some, but not all, of the other drivers needed.)
|
||||
3. Use sysprep to generalize the install with OOBE, choose reboot.
|
||||
4. When it reboots, enter Windows setup using the OS ISO by pressing a key when it says to.
|
||||
If you miss it, Windows will boot into the OOBE. Don't proceed; just shut down the VM (not power off or stop) and try again.
|
||||
5. Go through enough of the install to load the VirtIO SCSI driver.
|
||||
6. Optional: Delete the recovery partition and extend the primary partition.
|
||||
This makes it easier to expand the primary partition later on if you need to.
|
||||
Recovery needs can be met with the install disk.
|
||||
7. Cancel the install using the X in the top right to go back to the first screen.
|
||||
8. Enter repair mode and get to a command prompt.
|
||||
9. Use diskpart to mount the system drive as C:
|
||||
sel disk 0
|
||||
list vol
|
||||
sel vol N (where N is the number of the primary volume)
|
||||
assign letter=c
|
||||
exit
|
||||
10. Upgrade the evaluation edition to a non-evaluation edition:
|
||||
dism /image:c:\ /Get-TargetEditions
|
||||
dism /image:c:\ /Set-Edition:ServerDatacenter
|
||||
11. Reboot.
|
||||
12. Enter the product key during OOBE (copy/paste should work now):
|
||||
Windows Server 2022 GVLK for use with KMS: WX4NM-KYWYW-QJJR4-XV3QB-6VM33
|
||||
13. Configure Windows to use your private KMS (vlmcsd in Docker works well for me, but it only activates for 180 days, so make sure you keep it running):
|
||||
slmgr.vbs /skms apps.taudris.com
|
||||
slmgr.vbs /ato
|
||||
14. Run Windows Update.
|
||||
To clean up after a service pack install (blocks uninstall):
|
||||
dism /Online /Cleanup-Image /SPSuperseded /HideSP
|
||||
To clean up after installing updates (blocks uninstall):
|
||||
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
|
||||
15. Use sysprep to reboot into audit mode, choose reboot.
|
||||
16. Install software you want on all of your servers, make default user profile customizations, etc.
|
||||
17. Use sysprep to generalize the install with OOBE, choose shutdown.
|
||||
18. Leave the VM alone. Don't create a template. Templates can't be updated after the fact.
|
||||
|
||||
Setting up a new Windows Server instance:
|
||||
1. Clone the template to a new VM.
|
||||
2. Start the new VM.
|
||||
3. Enter your new local admin password.
|
||||
4. In advanced system settings, change the host name and join a domain.
|
||||
5. Reboot.
|
||||
6. Enable remote access if your domain doesn't already and RDP into the server.
|
||||
7. Activate Windows:
|
||||
slmgr.vbs /ato
|
||||
8. Customize theme, browser settings, etc.
|
||||
|
||||
Setting up a new Debian instance:
|
||||
* Install Debian
|
||||
* Install guest agent
|
||||
* Install chrony
|
||||
if the machine has a static IP, configure pfsense.taudris.com as the NTP server to use
|
||||
* Set FQDN of the machine
|
||||
sudo hostnamectl set-hostname YOURHOST.taudris.com
|
||||
* Join domain
|
||||
cmd: apt update && apt install realm packagekit
|
||||
cmd: sudo realm join taudris.com -U robert
|
||||
cmd: sudo realm deny -a && sudo realm permit -g "domain admins@taudris.com"
|
||||
|
||||
realm join does the following:
|
||||
* Discovers information about the domain.
|
||||
* Installs the necessary software to join the domain, such as SSSD or Winbind.
|
||||
* If administrative credentials are required, a password will be prompted for.
|
||||
* A computer account in the domain will be created, and or updated.
|
||||
* A host keytab file at /etc/krb5.keytab is created.
|
||||
* Configures the SSSD or Winbind services, and restarts and enables them as appropriate.
|
||||
* Enables domain users in /etc/nsswitch.conf
|
||||
* Hide domain name from users and groups (sshd doesn't seem to support specifying the domain name)
|
||||
cmd: sudo micro /etc/sssd/sssd.conf
|
||||
set: use_fully_qualified_names = False
|
||||
* Enable automatic home directory creation on login (optional?)
|
||||
cmd: sudo micro /etc/pam.d/common-session
|
||||
add line: session optional pam_mkhomedir.so umask=0077
|
||||
save and quit
|
||||
* Enable GSSAPI authentication?
|
||||
cmd: micro /etc/ssh/sshd_config
|
||||
set:
|
||||
AllowGroups domain?admins
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials yes
|
||||
#enable forwarding credentials
|
||||
GSSAPIKeyExchange yes
|
||||
* Test GSSAPI credential access via SSH (enable GSSAPI, supply username without domain)
|
||||
|
||||
VM: ws22-dc
|
||||
192.168.11.6
|
||||
password: Sat0nmyws22-dc
|
||||
|
||||
VM: ws22-fs
|
||||
192.168.11.7
|
||||
password: Sat0nmyws22-fs
|
||||
|
||||
VM: apps
|
||||
root password: Inter*9apps
|
||||
also has robert on it
|
||||
super handy command to see logs in realtime: sudo lnav /var/log/*
|
||||
|
||||
|
||||
|
||||
rhash --sha1 -r --printf=\"SHA1\",\"%h\",\"%p\"\\r\\n /mnt/storage/files/E > /mnt/storage/files/sha1.csv
|
||||
Get-ChildItem "D:\*" -Recurse | Get-FileHash -Algorithm SHA1 | Export-Csv -Path C:\Users\robert\Documents\Hashes-Resilient-Restore.csv -NoTypeInformation
|
||||
|
||||
restic restore latest --target /mnt/storage/files
|
||||
|
||||
sudo docker stack deploy portainer --compose-file portainer-agent-stack.yml
|
||||
|
||||
|
||||
|
||||
storage architecture with ZFS on proxmox:
|
||||
pve.taudris.com
|
||||
ZFS pool: storage
|
||||
dataset: storage/pve
|
||||
NOPE dataset: storage/resilient
|
||||
NOPE dataset: storage/vaultwarden
|
||||
ws22-fs.taudris.com
|
||||
mounts: storage
|
||||
D: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-0
|
||||
E: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-1
|
||||
smb shares:
|
||||
D:\Shares\Resilient
|
||||
E:\Shares\Bulk
|
||||
apps.taudris.com
|
||||
mounts:
|
||||
/mnt/storage/vaultwarden -> nfs://truenas.taudris.com/Vaultwarden
|
||||
docker vaultwarden
|
||||
volumes:
|
||||
/data -> wherever
|
||||
cron job at 3am to start a live backup of vaultwarden
|
||||
copy from volume to /mnt/storage/vaultwarden
|
||||
use sqlite3 commands to copy it safely while live?
|
||||
use docker commands to stop/start the container?
|
||||
run restic on /mnt/storage/vaultwarden
|
||||
script which is stored in bitwarden as a secure note to help with ground-up restore
|
||||
|
||||
vaultwarden
|
||||
a dedicated vm is needed to create an actually secure deployment
|
||||
docker cannot create security zones for users of the vm
|
||||
vaultwarden.taudris.com
|
||||
mounts:
|
||||
none; just use local vm storage
|
||||
better to use nextcloud for file hosting and limit total size of bitwarden sends to a few gb at most
|
||||
cron job at 3:00am to start a live backup
|
||||
script which is stored in bitwarden as a secure note to help with ground-up restore
|
||||
|
||||
zfs on proxmox, then make a partition for each machine or application
|
||||
have to put restic on each machine
|
||||
but that seems like a normal pattern, so maybe not so bad
|
||||
|
||||
zfs on truenas
|
||||
forced to use a jail for restic
|
||||
harder to coordinate service backup; can't just have a single script that makes a snapshot and runs restic once it's done
|
||||
Loading…
Reference in New Issue