* get nextcloud working
* get nextcloud backup working
* set up fail2ban and log rotation for vaultwarden
* set up some kind of auth system to simplify password management and ideally get single sign on
  * ldap with ssl?
  * kerberos?
  * radius?
* set up second domain controller

want to log in to:
* debian machines via putty
  * apps
  * hevo-avz
  * pve
* pfsense via putty
* pfsense via browser
* pve via browser
* portainer via browser

try nextcloud
  not owncloud
  not windows work folders; clients other than win10 get shafted
try jellyfin
  can use it to sync video streams to family and friends! (upload bandwidth limits notwithstanding...)
tried truenas
  it really wants to own the hard drives
  it doesn't do small files on smb very well
  it can only install and run packages in "jails" (essentially freebsd's version of lxc), not on the main host
  can't run docker on it
did not try openmediavault; it has only one maintainer

EACH HOST MUST BE RESPONSIBLE FOR ITS OWN BACKUPS!!!

naming convention: type-role OR location-type-role
  e.g. windows server 2022 running as a domain controller: ws22-dc
  ws22-dc
  ws22-fs

server2022 template password: Sat0nmyws22template

How to create a clean Windows Server template for Proxmox from an evaluation ISO with a GVLK:

0. Create a new VM.
   System:
     Graphic card: SPICE
     SCSI Controller: VirtIO SCSI Single
     Qemu Agent: checked
     BIOS: OVMF (UEFI)
     Add EFI Disk: checked
     Storage: up to you
     Machine: q35
   Hard Disk:
     Bus/Device: SCSI 0
     Storage: up to you
     Disk size: up to you; recommend using the smallest your OS requires to install and expanding if needed
     Cache: Default (No cache)
     Discard: checked
     SSD emulation: checked (even if you use hard drives; this allows the disk image to shrink)
     IO thread: checked
     Backup: up to you (I left it at the default of checked)
     Skip replication: up to you (I left it at the default of unchecked)
   CPU:
     Sockets: up to you
     Cores: up to you
     Type: up to you (I changed it to host)
     Enable NUMA: checked (this allows the guest to know more about the physical CPU layout and schedule better)
   Memory: whatever you want (I set 4096MB normal and 2048MB minimum. You can easily change this later as needed.)
     Ballooning Device allows the VM host to take memory away from guests that don't need it when there is memory pressure/oversubscription.
   Network:
     Model: VirtIO (paravirtualized)
     Everything else: whatever you want
1. Install the OS.
2. Run virtio-win-guest-tools. (This also installs some, but not all, of the other drivers needed.)
3. Use sysprep to generalize the install with OOBE, choose reboot.
4. When it reboots, enter Windows setup using the OS ISO by pressing a key when it says to. If you miss it, Windows will boot into the OOBE. Don't proceed; just shut down the VM (not power off or stop) and try again.
5. Go through enough of the install to load the VirtIO SCSI driver.
6. Optional: Delete the recovery partition and extend the primary partition. This makes it easier to expand the primary partition later on if you need to. Recovery needs can be met with the install disk.
7. Cancel the install using the X in the top right to go back to the first screen.
8. Enter repair mode and get to a command prompt.
9. Use diskpart to mount the system drive as C:
   sel disk 0
   list vol
   sel vol N        (where N is the number of the primary volume)
   assign letter=c
   exit
10. Upgrade the evaluation edition to a non-evaluation edition:
   dism /image:c:\ /Get-TargetEditions
   dism /image:c:\ /Set-Edition:ServerDatacenter
11. Reboot.
12. Enter the product key during OOBE (copy/paste should work now):
   Windows Server 2022 GVLK for use with KMS: WX4NM-KYWYW-QJJR4-XV3QB-6VM33
13. Configure Windows to use your private KMS (vlmcsd in Docker works well for me, but it only activates for 180 days, so make sure you keep it running):
   slmgr.vbs /skms apps.taudris.com
   slmgr.vbs /ato
14. Run Windows Update.
   To clean up after a service pack install (blocks uninstall):
     dism /Online /Cleanup-Image /SPSuperseded /HideSP
   To clean up after installing updates (blocks uninstall):
     dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
15. Use sysprep to reboot into audit mode, choose reboot.
16. Install software you want on all of your servers, make default user profile customizations, etc.
17. Use sysprep to generalize the install with OOBE, choose shutdown.
18. Leave the VM alone. Don't create a template. Templates can't be updated after the fact.

Setting up a new Windows Server instance:
1. Clone the template to a new VM.
2. Start the new VM.
3. Enter your new local admin password.
4. In advanced system settings, change the host name and join a domain.
5. Reboot.
6. Enable remote access if your domain doesn't already and RDP into the server.
7. Activate Windows:
   slmgr.vbs /ato
8. Customize theme, browser settings, etc.
Setting up a new Debian instance:
* Install Debian
* Install guest agent
* Install chrony if the machine has a static IP; configure pfsense.taudris.com as the NTP server to use
* Set FQDN of the machine
   cmd: sudo hostnamectl set-hostname YOURHOST.taudris.com
* Join domain
   cmd: sudo apt update && sudo apt install realmd packagekit
   cmd: sudo realm join taudris.com -U robert
   cmd: sudo realm deny -a && sudo realm permit -g "domain admins@taudris.com"
   realm join does the following:
     * Discovers information about the domain.
     * Installs the necessary software to join the domain, such as SSSD or Winbind.
     * If administrative credentials are required, a password will be prompted for.
     * A computer account in the domain will be created and/or updated.
     * A host keytab file at /etc/krb5.keytab is created.
     * Configures the SSSD or Winbind services, and restarts and enables them as appropriate.
     * Enables domain users in /etc/nsswitch.conf
* Hide domain name from users and groups (sshd doesn't seem to support specifying the domain name)
   cmd: sudo micro /etc/sssd/sssd.conf
   set: use_fully_qualified_names = False
* Enable automatic home directory creation on login (optional?)
   cmd: sudo micro /etc/pam.d/common-session
   add line: session optional pam_mkhomedir.so umask=0077
   save and quit
* Enable GSSAPI authentication?
   cmd: sudo micro /etc/ssh/sshd_config
   set:
     AllowGroups domain?admins        (? is sshd's single-character wildcard; it stands in for the space in "domain admins")
     GSSAPIAuthentication yes
     GSSAPICleanupCredentials yes
     #enable forwarding credentials
     GSSAPIKeyExchange yes
* Test GSSAPI credential access via SSH (enable GSSAPI, supply username without domain)

VM: ws22-dc 192.168.11.6 password: Sat0nmyws22-dc
VM: ws22-fs 192.168.11.7 password: Sat0nmyws22-fs
VM: apps root password: Inter*9apps (also has robert on it)

super handy command to see logs in realtime:
   sudo lnav /var/log/*

rhash --sha1 -r --printf=\"SHA1\",\"%h\",\"%p\"\\r\\n /mnt/storage/files/E > /mnt/storage/files/sha1.csv
Get-ChildItem "D:\*" -Recurse | Get-FileHash -Algorithm SHA1 | Export-Csv -Path C:\Users\robert\Documents\Hashes-Resilient-Restore.csv -NoTypeInformation
restic restore latest --target /mnt/storage/files
sudo docker stack deploy portainer --compose-file portainer-agent-stack.yml

storage architecture with ZFS on proxmox:
  pve.taudris.com
    ZFS pool: storage
      dataset: storage/pve
      NOPE dataset: storage/resilient
      NOPE dataset: storage/vaultwarden
  ws22-fs.taudris.com
    mounts:
      storage
        D: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-0
        E: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-1
    smb shares:
      D:\Shares\Resilient
      E:\Shares\Bulk
  apps.taudris.com
    mounts:
      /mnt/storage/vaultwarden -> nfs://truenas.taudris.com/Vaultwarden
    docker vaultwarden volumes:
      /data -> wherever
    cron job at 3am to start a live backup of vaultwarden
      copy from volume to /mnt/storage/vaultwarden
        use sqlite3 commands to copy it safely while live?
        use docker commands to stop/start the container?
      run restic on /mnt/storage/vaultwarden
    script which is stored in bitwarden as a secure note to help with ground-up restore
  vaultwarden
    a dedicated vm is needed to create an actually secure deployment
    docker cannot create security zones for users of the vm
  vaultwarden.taudris.com
    mounts: none; just use local vm storage
      better to use nextcloud for file hosting and limit total size of bitwarden sends to a few gb at most
    cron job at 3:00am to start a live backup
    script which is stored in bitwarden as a secure note to help with ground-up restore

zfs on proxmox, then make a partition for each machine or application
  have to put restic on each machine but that seems like a normal pattern, so maybe not so bad
zfs on truenas
  forced to use a jail for restic
  harder to coordinate service backup; can't just have a single script that makes a snapshot and runs restic once it's done
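One answer to the "use sqlite3 commands to copy it safely while live?" question above, as an added example and not a script from these notes: the SQLite online-backup API (the same mechanism as the sqlite3 shell's .backup) takes a consistent snapshot of db.sqlite3 while the container keeps writing, which a plain cp of a live database cannot guarantee, and the staged copy is then handed to restic. The /data volume path, the /mnt/storage/vaultwarden staging path and the restic repository path are assumptions.

```python
"""Live Vaultwarden backup: snapshot the SQLite db via the online-backup API,
copy the remaining files (attachments, sends, rsa_key*, config.json) as-is,
verify the copy, then run restic on the staged directory."""
import shutil
import sqlite3
import subprocess
from pathlib import Path

# Never raw-copy these while the container is running; the backup API handles the db.
DB_FILES = ("db.sqlite3", "db.sqlite3-wal", "db.sqlite3-shm")


def backup_sqlite_live(src_db: Path, dst_db: Path) -> str:
    """Snapshot src_db into dst_db and return the copy's PRAGMA integrity_check result."""
    dst_db.parent.mkdir(parents=True, exist_ok=True)
    src, dst = sqlite3.connect(src_db), sqlite3.connect(dst_db)
    try:
        src.backup(dst)  # page-by-page, transactional, safe against concurrent writers
    finally:
        src.close()
        dst.close()
    with sqlite3.connect(dst_db) as check:
        return check.execute("PRAGMA integrity_check").fetchone()[0]


def stage_vaultwarden(data_dir: Path, stage_dir: Path) -> list:
    """Stage the /data volume into stage_dir; returns the sorted top-level names staged."""
    if stage_dir.exists():
        shutil.rmtree(stage_dir)  # always produce a fresh, complete stage
    shutil.copytree(data_dir, stage_dir, ignore=shutil.ignore_patterns(*DB_FILES))
    if backup_sqlite_live(data_dir / "db.sqlite3", stage_dir / "db.sqlite3") != "ok":
        raise RuntimeError("staged db.sqlite3 failed integrity_check; refusing to back up")
    return sorted(p.name for p in stage_dir.iterdir())


def restic_command(stage_dir: Path, repo: str) -> list:
    """argv for the restic run; RESTIC_PASSWORD is expected in the cron environment."""
    return ["restic", "-r", repo, "backup", "--tag", "vaultwarden", str(stage_dir)]


if __name__ == "__main__":  # assumed paths; adjust to your volume layout
    stage = Path("/mnt/storage/vaultwarden/stage")
    print("staged:", stage_vaultwarden(Path("/data"), stage))
    subprocess.run(restic_command(stage, "/mnt/storage/vaultwarden/restic"), check=True)
```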
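The rhash and Get-FileHash commands above produce one SHA-1 manifest per side of a restore; this added example (not part of the notes) compares the two to verify a restic restore file-by-file. rhash's --printf output has no header and lowercase hex, while Export-Csv writes an Algorithm,Hash,Path header, uppercase hex and backslash paths, so roots, separators and hash case are normalised first. The sample rows and root paths are constructed.

```python
"""Compare an rhash manifest against a Get-FileHash/Export-Csv manifest."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed samples in the two tools' native shapes.
RHASH_SAMPLE = (
    '"SHA1","da39a3ee5e6b4b0d3255bfef95601890afd80709","/mnt/storage/files/E/docs/empty.txt"\r\n'
    '"SHA1","2fd4e1c67a2d28fced849ee1bb76e7391b93eb12","/mnt/storage/files/E/docs/fox.txt"\r\n'
    '"SHA1","0000000000000000000000000000000000000001","/mnt/storage/files/E/only-on-linux.bin"\r\n'
)
PS_SAMPLE = (
    '"Algorithm","Hash","Path"\r\n'
    '"SHA1","DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D:\\docs\\empty.txt"\r\n'
    '"SHA1","DEADBEEF00000000000000000000000000000000","D:\\docs\\fox.txt"\r\n'
)


def _relative(path: str, root: str) -> str:
    """Strip the per-side root and normalise to forward slashes so paths line up."""
    path, root = path.replace("\\", "/"), root.replace("\\", "/")
    if path.startswith(root):
        path = path[len(root):]
    return path.lstrip("/")


def load_rhash_csv(text: str, root: str) -> Dict[str, str]:
    """rhash --printf rows: no header, "SHA1","hash","path"."""
    out = {}
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) == 3 and row[0].upper() == "SHA1":
            out[_relative(row[2], root)] = row[1].lower()
    return out


def load_getfilehash_csv(text: str, root: str) -> Dict[str, str]:
    """Export-Csv rows with an Algorithm,Hash,Path header (BOM tolerated)."""
    out = {}
    for row in csv.DictReader(io.StringIO(text.lstrip("\ufeff"), newline="")):
        if row["Algorithm"].upper() == "SHA1":
            out[_relative(row["Path"], root)] = row["Hash"].lower()
    return out


def compare_manifests(a: Dict[str, str], b: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (mismatched, only_in_a, only_in_b) as sorted relative paths."""
    both = a.keys() & b.keys()
    return (sorted(p for p in both if a[p] != b[p]),
            sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()))
```

Run it against the real sha1.csv and Hashes-Resilient-Restore.csv with the roots /mnt/storage/files/E and D: and treat any non-empty mismatch or only-on-one-side list as a failed restore.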