230 lines
8.6 KiB
Plaintext
* get nextcloud working
* get nextcloud backup working
* set up fail2ban and log rotation for vaultwarden
* set up some kind of auth system to simplify password management and ideally get single sign on
  * ldap with ssl?
  * kerberos?
  * radius?
* set up second domain controller

want to log in to:
* debian machines via putty
  * apps
  * hevo-avz
  * pve
* pfsense via putty
* pfsense via browser
* pve via browser
* portainer via browser

try nextcloud
* not owncloud
* not windows work folders; clients other than win10 get shafted

try jellyfin
* can use it to sync video streams to family and friends! (upload bandwidth limits notwithstanding...)

tried truenas
* it really wants to own the hard drives
* it doesn't do small files on smb very well
* it can only install and run packages in "jails" (essentially freebsd's version of lxc), not on the main host
* can't run docker on it

did not try openmediavault; it has only one maintainer

EACH HOST MUST BE RESPONSIBLE FOR ITS OWN BACKUPS!!!

naming convention: type-role OR location-type-role
* windows server 2022 running as a domain controller: ws22-dc
* ws22-dc
* ws22-fs

server2022 template password: Sat0nmyws22template

How to create a clean Windows Server template for Proxmox from an evaluation ISO with a GVLK:

0. Create a new VM.
   System:
     Graphic card: SPICE
     SCSI Controller: VirtIO SCSI Single
     Qemu Agent: checked
     BIOS: OVMF (UEFI)
     Add EFI Disk: checked
     Storage: up to you
     Machine: q35
   Hard Disk:
     Bus/Device: SCSI 0
     Storage: up to you
     Disk size: up to you (recommend using the smallest size your OS requires to install and expanding if needed)
     Cache: Default (No cache)
     Discard: checked
     SSD emulation: checked (even if you use hard drives; this allows the disk image to shrink)
     IO thread: checked
     Backup: up to you (I left it at the default of checked)
     Skip replication: up to you (I left it at the default of unchecked)
   CPU:
     Sockets: up to you
     Cores: up to you
     Type: up to you (I changed it to host)
     Enable NUMA: checked (this lets the guest know more about the physical CPU layout and schedule better)
   Memory:
     Whatever you want (I set 4096MB normal and 2048MB minimum. You can easily change this later as needed.)
     Ballooning Device allows the VM host to take memory away from guests that don't need it when there is memory pressure/oversubscription.
   Network:
     Model: VirtIO (paravirtualized)
     Everything else: whatever you want

1. Install the OS.
2. Run virtio-win-guest-tools. (This also installs some, but not all, of the other drivers needed.)
3. Use sysprep to generalize the install with OOBE, choose reboot.
4. When it reboots, enter Windows setup using the OS ISO by pressing a key when it says to.
   If you miss it, Windows will boot into the OOBE. Don't proceed; just shut down the VM (not power off or stop) and try again.
5. Go through enough of the install to load the VirtIO SCSI driver.
6. Optional: Delete the recovery partition and extend the primary partition.
   This makes it easier to expand the primary partition later on if you need to.
   Recovery needs can be met with the install disk.
7. Cancel the install using the X in the top right to go back to the first screen.
8. Enter repair mode and get to a command prompt.
9. Use diskpart to mount the system drive as C:
     sel disk 0
     list vol
     sel vol N    (where N is the number of the primary volume)
     assign letter=c
     exit
10. Upgrade the evaluation edition to a non-evaluation edition:
     dism /image:c:\ /Get-TargetEditions
     dism /image:c:\ /Set-Edition:ServerDatacenter
11. Reboot.
12. Enter the product key during OOBE (copy/paste should work now):
     Windows Server 2022 GVLK for use with KMS: WX4NM-KYWYW-QJJR4-XV3QB-6VM33
13. Configure Windows to use your private KMS (vlmcsd in Docker works well for me, but it only activates for 180 days, so make sure you keep it running):
     slmgr.vbs /skms apps.taudris.com
     slmgr.vbs /ato
14. Run Windows Update.
    To clean up after a service pack install (blocks uninstall):
     dism /Online /Cleanup-Image /SPSuperseded /HideSP
    To clean up after installing updates (blocks uninstall):
     dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
15. Use sysprep to reboot into audit mode, choose reboot.
16. Install software you want on all of your servers, make default user profile customizations, etc.
17. Use sysprep to generalize the install with OOBE, choose shutdown.
18. Leave the VM alone. Don't create a template. Templates can't be updated after the fact.

Setting up a new Windows Server instance:

1. Clone the template to a new VM.
2. Start the new VM.
3. Enter your new local admin password.
4. In advanced system settings, change the host name and join a domain.
5. Reboot.
6. Enable remote access if your domain doesn't already and RDP into the server.
7. Activate Windows:
     slmgr.vbs /ato
8. Customize theme, browser settings, etc.

Setting up a new Debian instance:

* Install Debian
* Install guest agent
* Install chrony
  if the machine has a static IP, configure pfsense.taudris.com as the NTP server to use
* Set FQDN of the machine
  cmd: sudo hostnamectl set-hostname YOURHOST.taudris.com
* Join domain
  cmd: sudo apt update && sudo apt install realmd packagekit
  cmd: sudo realm join taudris.com -U robert
  cmd: sudo realm deny -a && sudo realm permit -g "domain admins@taudris.com"

  realm join does the following:
  * Discovers information about the domain.
  * Installs the necessary software to join the domain, such as SSSD or Winbind.
  * If administrative credentials are required, a password will be prompted for.
  * A computer account in the domain will be created and/or updated.
  * A host keytab file at /etc/krb5.keytab is created.
  * Configures the SSSD or Winbind services, and restarts and enables them as appropriate.
  * Enables domain users in /etc/nsswitch.conf
* Hide domain name from users and groups (sshd doesn't seem to support specifying the domain name)
  cmd: sudo micro /etc/sssd/sssd.conf
  set: use_fully_qualified_names = False    (in the [domain/taudris.com] section)
* Enable automatic home directory creation on login (optional?)
  cmd: sudo micro /etc/pam.d/common-session
  add line: session optional pam_mkhomedir.so umask=0077
  save and quit
* Enable GSSAPI authentication?
  cmd: sudo micro /etc/ssh/sshd_config
  set:
    AllowGroups domain?admins    (the ? matches the space in "domain admins", since sshd patterns can't contain spaces)
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    #enable forwarding credentials
    GSSAPIKeyExchange yes
* Test GSSAPI credential access via SSH (enable GSSAPI, supply username without domain)

VM: ws22-dc
  192.168.11.6
  password: Sat0nmyws22-dc

VM: ws22-fs
  192.168.11.7
  password: Sat0nmyws22-fs

VM: apps
  root password: Inter*9apps
  also has robert on it
  super handy command to see logs in realtime: sudo lnav /var/log/*

rhash --sha1 -r --printf=\"SHA1\",\"%h\",\"%p\"\\r\\n /mnt/storage/files/E > /mnt/storage/files/sha1.csv

Get-ChildItem "D:\*" -Recurse | Get-FileHash -Algorithm SHA1 | Export-Csv -Path C:\Users\robert\Documents\Hashes-Resilient-Restore.csv -NoTypeInformation

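An added script (not from these notes) that compares the two listings produced by the rhash and Get-FileHash commands above, so a restore can be checked file by file; the CSV snippets inside are constructed samples and the path prefixes to strip are assumptions.

```python
"""Compare rhash's SHA1 CSV (Linux side) with Get-FileHash's CSV (restored
Windows volume). Added example; both CSV samples are constructed."""
import csv
import io
import sys

# rhash --printf output as in the notes: no header, lowercase hashes, POSIX paths
RHASH_CSV = (
    '"SHA1","da39a3ee5e6b4b0d3255bfef95601890afd80709","/mnt/storage/files/E/docs/a.txt"\r\n'
    '"SHA1","2fd4e1c67a2d28fced849ee1bb76e7391b93eb12","/mnt/storage/files/E/docs/b.txt"\r\n'
    '"SHA1","0000000000000000000000000000000000000001","/mnt/storage/files/E/only-linux.bin"\r\n'
)
# Export-Csv output: header row, uppercase hashes, Windows paths; b.txt differs
PS_CSV = (
    '"Algorithm","Hash","Path"\r\n'
    '"SHA1","DA39A3EE5E6B4B0D3255BFEF95601890AFD80709","D:\\docs\\a.txt"\r\n'
    '"SHA1","2FD4E1C67A2D28FCED849EE1BB76E7391B93EB13","D:\\docs\\b.txt"\r\n'
    '"SHA1","0000000000000000000000000000000000000002","D:\\only-windows.bin"\r\n'
)

def normalize(path: str, prefix: str) -> str:
    # strip the tree root and use '/' separators so both sides share keys
    p = path.replace("\\", "/")
    if p.startswith(prefix):
        p = p[len(prefix):]
    return p.lstrip("/")

def parse_rhash(text: str, prefix: str) -> dict:
    rows = csv.reader(io.StringIO(text, newline=""))
    return {normalize(r[2], prefix): r[1].lower()
            for r in rows if len(r) == 3 and r[0] == "SHA1"}

def parse_powershell(text: str, prefix: str) -> dict:
    rows = csv.DictReader(io.StringIO(text, newline=""))
    return {normalize(r["Path"], prefix): r["Hash"].lower()
            for r in rows if r["Algorithm"] == "SHA1"}

def compare(src: dict, dst: dict) -> tuple:
    # (mismatched, missing from dst, extra in dst), each sorted
    mismatched = sorted(p for p in src if p in dst and src[p] != dst[p])
    return mismatched, sorted(set(src) - set(dst)), sorted(set(dst) - set(src))

if __name__ == "__main__":
    # usage: compare.py sha1.csv Hashes-Resilient-Restore.csv (no args: samples)
    if len(sys.argv) == 3:
        linux, win = (open(f, encoding="utf-8-sig").read() for f in sys.argv[1:3])
    else:
        linux, win = RHASH_CSV, PS_CSV
    src, dst = parse_rhash(linux, "/mnt/storage/files/E"), parse_powershell(win, "D:")
    for label, items in zip(("MISMATCH", "MISSING", "EXTRA"), compare(src, dst)):
        for p in items:
            print(label, p)
```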
restic restore latest --target /mnt/storage/files

sudo docker stack deploy portainer --compose-file portainer-agent-stack.yml

storage architecture with ZFS on proxmox:

pve.taudris.com
  ZFS pool: storage
    dataset: storage/pve
    NOPE dataset: storage/resilient
    NOPE dataset: storage/vaultwarden

ws22-fs.taudris.com
  mounts: storage
    D: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-0
    E: -> scsi://pve.taudris.com/storage/pve/vm-disk-101-1
  smb shares:
    D:\Shares\Resilient
    E:\Shares\Bulk

apps.taudris.com
  mounts:
    /mnt/storage/vaultwarden -> nfs://truenas.taudris.com/Vaultwarden
  docker vaultwarden
    volumes:
      /data -> wherever
    cron job at 3am to start a live backup of vaultwarden
      copy from volume to /mnt/storage/vaultwarden
        use sqlite3 commands to copy it safely while live?
        use docker commands to stop/start the container?
      run restic on /mnt/storage/vaultwarden
    script which is stored in bitwarden as a secure note to help with ground-up restore

vaultwarden
  a dedicated vm is needed to create an actually secure deployment
  docker cannot create security zones for users of the vm
  vaultwarden.taudris.com
    mounts:
      none; just use local vm storage
      better to use nextcloud for file hosting and limit total size of bitwarden sends to a few gb at most
    cron job at 3:00am to start a live backup
    script which is stored in bitwarden as a secure note to help with ground-up restore

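The 3am live-backup job sketched for the apps host (and the same job on the dedicated vaultwarden VM) as an added example that is not part of these notes: it answers the "use sqlite3 commands to copy it safely while live?" question with the SQLite online backup API instead of stopping the container, then runs restic on the staged copy. The volume path, restic repository and password file are assumptions.

```python
"""Live backup of the vaultwarden data directory, then restic (added example,
not from these notes). DATA_DIR is the container's /data volume; STAGE_DIR is
/mnt/storage/vaultwarden from the notes; restic settings are assumptions."""
import os
import shutil
import sqlite3
import subprocess

DATA_DIR = "/var/lib/docker/volumes/vaultwarden/_data"  # assumed volume path
STAGE_DIR = "/mnt/storage/vaultwarden"                  # from the notes
RESTIC_REPO = "/mnt/storage/restic"                     # assumed
RESTIC_PASSWORD_FILE = "/root/.restic-password"         # assumed

def backup_sqlite(src_db: str, dst_db: str) -> str:
    """Copy a live SQLite database with the online backup API. Unlike cp this
    is consistent even while vaultwarden writes. Returns integrity_check."""
    if os.path.exists(dst_db):
        os.remove(dst_db)
    src, dst = sqlite3.connect(src_db), sqlite3.connect(dst_db)
    try:
        src.backup(dst)  # page-by-page copy under SQLite's own locking
        return dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        dst.close()
        src.close()

def stage_data_dir(data_dir: str, stage_dir: str) -> list:
    """Stage a consistent copy of data_dir (attachments, sends, rsa keys, ...)
    into stage_dir; the db goes through backup_sqlite and its -wal/-shm side
    files are skipped. Returns the staged entry names."""
    skip = {"db.sqlite3", "db.sqlite3-wal", "db.sqlite3-shm"}
    shutil.copytree(data_dir, stage_dir, dirs_exist_ok=True,
                    ignore=lambda _d, names: [n for n in names if n in skip])
    backup_sqlite(os.path.join(data_dir, "db.sqlite3"),
                  os.path.join(stage_dir, "db.sqlite3"))
    return sorted(os.listdir(stage_dir))

def run_restic(stage_dir: str) -> int:
    """Back up the staged copy; returns restic's exit code for cron to see."""
    env = dict(os.environ, RESTIC_REPOSITORY=RESTIC_REPO,
               RESTIC_PASSWORD_FILE=RESTIC_PASSWORD_FILE)
    cmd = ["restic", "backup", "--tag", "vaultwarden", stage_dir]
    return subprocess.run(cmd, env=env).returncode

if __name__ == "__main__":
    stage_data_dir(DATA_DIR, STAGE_DIR)
    raise SystemExit(run_restic(STAGE_DIR))
```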
zfs on proxmox, then make a partition for each machine or application
  have to put restic on each machine
  but that seems like a normal pattern, so maybe not so bad

zfs on truenas
  forced to use a jail for restic
  harder to coordinate service backup; can't just have a single script that makes a snapshot and runs restic once it's done