-rw-r--r--  Dockerfile                      |   1
-rw-r--r--  htdocs/common.css               |  11
-rw-r--r--  htdocs/favicon.ico              | bin 0 -> 161442 bytes
-rw-r--r--  htdocs/guide/cryptexisting.md   | 152
-rw-r--r--  htdocs/guide/krbnfs.md          | 124
-rw-r--r--  htdocs/guide/ovpnip6.md         |  69
-rw-r--r--  htdocs/guide/wifi103.md         |  64
-rw-r--r--  htdocs/guides.md                |  14
-rw-r--r--  htdocs/index.md                 | 139
-rw-r--r--  htdocs/password_generator.md    |  34
10 files changed, 608 insertions, 0 deletions
diff --git a/Dockerfile b/Dockerfile
index 06a95e0..bec19e5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,3 +7,4 @@ RUN apt update && apt install -y lua5.4 pandoc
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./cgi-bin/ /usr/local/apache2/cgi-bin
COPY ./common/* /usr/local/share/lua/5.4/
+COPY ./htdocs/* /usr/local/apache2/htdocs/
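Review bot: `COPY ./htdocs/* /usr/local/apache2/htdocs/` flattens the `htdocs/guide/` subdirectory added in this same commit. Docker's COPY copies the contents of a matched directory rather than the directory itself, so with the wildcard `htdocs/guide/cryptexisting.md` lands at `/usr/local/apache2/htdocs/cryptexisting.md`, while the guide links elsewhere in this diff point at `/cgi-bin/guide/<name>.lua`, which presumably look for `htdocs/guide/<name>.md`. Copy the tree instead: `COPY ./htdocs/ /usr/local/apache2/htdocs/`. The `COPY ./common/*` line in the context above has the same latent problem should `common/` ever gain a subdirectory.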
diff --git a/htdocs/common.css b/htdocs/common.css
new file mode 100644
index 0000000..d37a546
--- /dev/null
+++ b/htdocs/common.css
@@ -0,0 +1,11 @@
+body {
+ font-family: Monospace;
+}
+
+code {
+ background-color: lightgrey;
+}
+
+pre {
+ background-color: lightgrey;
+}
diff --git a/htdocs/favicon.ico b/htdocs/favicon.ico
new file mode 100644
index 0000000..04b29bf
--- /dev/null
+++ b/htdocs/favicon.ico
Binary files differ
diff --git a/htdocs/guide/cryptexisting.md b/htdocs/guide/cryptexisting.md
new file mode 100644
index 0000000..a77eba2
--- /dev/null
+++ b/htdocs/guide/cryptexisting.md
@@ -0,0 +1,152 @@
+% Encrypting existing drives
+
+# Disclaimer
+**It is not easily possible to use most of the methods described here
+to encrypt existing drives without having to make and restore a backup.**
+
+# Preparation: Making a backup
+It is necessary to create a backup of your drive as encrypting will
+erase your data.
+
+## SquashFS
+I like to use SquashFS as I don't have much backup
+space:
+
+```sh
+apt update
+apt install squashfs-tools
+
+mksquashfs /media/drive/mountpoint /media/backup/mountpoint/drive.sqsh
+```
+
+The above commands all need to be run as root.
+
+A major disadvantage of SquashFS is its slowness. It uses all CPU cores
+but still takes a long time to complete depending on how much data is
+being squashed.
+
+## tar
+If you can afford to store a raw copy, you can create it with `tar`.
+The `tar` command is faster than `cp` or `rsync` for copying many
+large files. Here's how to use it:
+
+```sh
+tar -c -C /media/drive/mountpoint . | \
+tar --same-owner -xp -C /media/backup/location
+```
+
+Make sure you run this as root.
+
+This is much faster compared to squashing but it requires much more
+storage space.
+
+# Wiping
+This is optional but it's highly recommended to do if unencrypted data
+used to be stored on the drive.
+Some encryption tools such as OS installers do this automatically, but
+pure cryptsetup does not. To be safe, wipe manually:
+
+```sh
+dd bs=1M if=/dev/urandom of=/dev/sdX
+```
+
+Once again only root can do this.
+
+Replace `/dev/sdX` with the device file of the drive you want to encrypt.
+You can specify a partition number if you only want to wipe a single
+partition.
+
+If you're still using an old kernel (<4.8) this is going to be slow.
+Replace `/dev/urandom` with `/dev/zero` to counter this.
+
+# Encrypting
+There are three methods I have used.
+
+## LVM + LUKS
+This is recommended for drives with an operating system.
+
+Do a complete reinstall and select the "encrypted LVM" option when
+partitioning. Make sure to use a secure passphrase that you can still
+remember.
+
+This sets up LVM and LUKS.
+
+## LUKS
+Use this for external drives that are always connected to the same
+machine.
+
+Run the following commands as root:
+
+```sh
+cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -y /dev/sdXY
+cryptsetup luksOpen /dev/sdXY sdXY-crypt
+mkfs.ext4 /dev/mapper/sdXY-crypt
+cryptsetup luksClose sdXY-crypt
+```
+
+where sdXY is the name of the device file of the partition.
+
+## VeraCrypt volume
+This is useful if you want to use your drive in other places or on
+other platforms. Follow the VeraCrypt instructions for this.
+
+# Restoring the backup
+No matter how you made your backup, `tar` is the way to restore it.
+Before you do that you have to take care of some other things.
+
+## SquashFS
+Mount the SquashFS image:
+
+```sh
+mount /media/squashfs/location/drive.sqsh /media/backup/mountpoint
+```
+
+You now need to mount the encrypted device. This is quite easy to do
+with VeraCrypt volumes. When you mount one the mountpoint is usually
+`/media/veracryptX`. For LUKS it works like this:
+
+```sh
+cryptsetup luksOpen /dev/sdXY sdXY-crypt
+mount /dev/mapper/sdXY-crypt /media/drive/mountpoint
+```
+
+LVM + LUKS is slightly different:
+
+```sh
+cryptsetup luksOpen /dev/sdXY sdXY-crypt
+lvchange -ay hostname-vg/partitionname
+mount /dev/hostname-vg/partitionname /media/drive/mountpoint
+```
+
+Now restore the backup:
+
+```sh
+tar -c -C /media/backup/mountpoint . | \
+tar --same-owner -xp -C /media/drive/mountpoint
+```
+
+# Cleaning up
+Now unmount the encrypted volume (if you don't want to use it yet)
+and delete the SquashFS. Unmounting VeraCrypt volumes is easy
+enough to not be documented here.
+
+## Unmounting LUKS
+```sh
+umount /media/drive/mountpoint
+cryptsetup luksClose sdXY-crypt
+```
+
+## Unmounting LVM + LUKS
+```sh
+umount /media/drive/mountpoint
+lvchange -an hostname-vg/partitionname
+cryptsetup luksClose sdXY-crypt
+```
+
+***WARNING: Store the SquashFS image on an encrypted drive
+or wipe it securely! A simple `rm` won't do, especially with
+solid state storage!***
+
+[Return to Guide List](/cgi-bin/guides.lua)
+
+[Return to Index Page](/cgi-bin/index.lua)
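Review bot: the Wiping section's fallback of `/dev/zero` for `/dev/urandom` on old kernels gives up the one property the random fill buys: zeros still destroy the old plaintext, but they no longer make used and unused regions of the encrypted device indistinguishable. A faster way that keeps that property on any kernel is to wipe through the cipher: run `luksFormat` and `luksOpen` as in the LUKS section, then `dd bs=1M if=/dev/zero of=/dev/mapper/sdXY-crypt` before `mkfs.ext4`, so the disk receives ciphertext at full speed. In the same LUKS block, `-h sha512` selects the hash for LUKS1-style PBKDF2; cryptsetup 2.1 and newer default to LUKS2 with argon2id, which is the better choice, so either drop the flag or state that LUKS1 is intended. Lastly, the two `tar` pipelines preserve owners and modes but not ACLs, capabilities or SELinux labels; add `--xattrs --xattrs-include='*' --acls` to both the create and the extract side (root is needed for the extract) or setuid-free binaries that rely on file capabilities will stop working after the restore.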
diff --git a/htdocs/guide/krbnfs.md b/htdocs/guide/krbnfs.md
new file mode 100644
index 0000000..bc388f1
--- /dev/null
+++ b/htdocs/guide/krbnfs.md
@@ -0,0 +1,124 @@
+% Kerberized NFS: access denied by server while mounting
+
+# Introduction
+Protecting a NFS share with Kerberos is not very easy to do but definitely
+doable with a good setup manual. A very helpful website is
+https://wiki.ubuntuusers.de although some of the pages
+have since been archived.
+
+# Setup
+The hostnames are different in my actual setup and will certainly be
+different for you.
+
+There are two machines involved. The first one is the server.
+It's running a krb5 KDC and admin server as well as a NFS server.
+The NFS export is configured to allow any source address
+but requires krb5i or krb5p security.
+
+The client computer is running a krb5 client and a NFS client with
+the necessary rpc daemons.
+
+#### Kerberos principals
+* admin/admin, has full access to kadmin
+* himbeerserverde, a regular user
+* host/srv.himbeerserver.de, server host key
+* host/clt.himbeerserver.de, client host key
+* nfs/srv.himbeerserver.de, server NFS key
+* nfs/clt.himbeerserver.de, client NFS key
+
+The users are synced across other clients and the server using LDAP.
+The clients use SSSD to cache credentials. This way they can operate
+without a permanent connection to the LDAP server. They also keep working
+in case of a server failure.
+The server uses local auth for the actual accounts. The other accounts
+are not intended to be logged into. A LDAP failure will only result
+in a broken NFS.
+
+I'm aware this isn't the best solution. I'm probably going to come up
+with a better one in about half a decade.
+
+# The Error
+This is the command I use to mount the NFS share:
+
+```sh
+sudo mount -t nfs4 -o sec=krb5i,async,soft srv.himbeerserver.de:/media/ssd /mnt/himbeerserverde/nfs
+```
+
+This suddenly resulted in the above error. I couldn't really figure out
+what was going on. This has happened several times and could sometimes be
+fixed by rebooting both machines. Unfortunately rebooting didn't help
+most of the time.
+
+# Debugging
+The logs are not very helpful for debugging this error.
+Adding `-vvvv` to the mount command outputs more but still only shows
+that permission was denied, not why it's happening.
+Looking at the traffic with wireshark I didn't see any Kerberos packets.
+
+The syslog eventually lead me to the systemd service `auth-rpcgss-module`.
+It failed to start. The reason was a kernel update that had been installed
+but not yet activated. Rebooting fixed this by restoring synchronization
+of the kernel version and the modules' required kernel version.
+
+I'm not sure if that module is required but given its name it seems to be.
+Reading the krb5 logs (using `journalctl -xeu krb5-kdc.service`) I could
+see that the KDC refused to issue service tickets to the server.
+There were attempts from the client to get a service ticket earlier that
+day that were also denied. In both cases the reason was failing authentication.
+
+The fact that the server was experiencing the issue made me think that it
+was a host authentication issue that had nothing to do with the user.
+This later turned out to be correct.
+
+# The Solution
+After spending days googling for a solution and trying different things
+I decided to completely reconfigure host-related principals.
+Here's exactly what I did:
+
+Server:
+```sh
+srv# rm /etc/krb5.keytab
+srv# kadmin -p admin/admin
+kadmin: purgekeys host/srv.himbeerserver.de
+kadmin: purgekeys nfs/srv.himbeerserver.de
+kadmin: delprinc host/srv.himbeerserver.de
+kadmin: delprinc nfs/srv.himbeerserver.de
+kadmin: addprinc -randkey host/srv.himbeerserver.de
+kadmin: addprinc -randkey nfs/srv.himbeerserver.de
+kadmin: ktadd host/srv.himbeerserver.de
+kadmin: ktadd nfs/srv.himbeerserver.de
+kadmin: quit
+srv# systemctl restart nfs-kernel-server rpc-gssd rpc-svcgssd
+```
+
+It's important to restart rpc-gssd to make it reload the keytab.
+I'm not sure if restarting rpc-svcgssd is necessary.
+Purging the user keys is *probably* not needed either but you can
+do it if the above steps didn't work.
+
+Client (repeat for all affected clients with the corresponding keys):
+```sh
+clt# rm /etc/krb5.keytab
+clt# kadmin -p admin/admin
+kadmin: purgekeys host/clt.himbeerserver.de
+kadmin: purgekeys nfs/clt.himbeerserver.de
+kadmin: delprinc host/clt.himbeerserver.de
+kadmin: delprinc nfs/clt.himbeerserver.de
+kadmin: addprinc -randkey host/clt.himbeerserver.de
+kadmin: addprinc -randkey nfs/clt.himbeerserver.de
+kadmin: ktadd host/clt.himbeerserver.de
+kadmin: ktadd nfs/clt.himbeerserver.de
+kadmin: quit
+clt# systemctl restart rpc-gssd
+```
+
+Once again purging the user keys is *probably* not needed but you
+can do it if the above steps didn't work.
+
+Now mount the NFS share again. If it still doesn't work, reboot
+the server and the client. If that doesn't fix it unfortunately
+I can't help you.
+
+[Return to Guide List](/cgi-bin/guides.lua)
+
+[Return to Index Page](/cgi-bin/index.lua)
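Review bot: the Solution section deletes and recreates the host and nfs principals without first checking the cheap explanation for the "failing authentication" the KDC log shows: a key version mismatch. Compare the kvno in `klist -ke /etc/krb5.keytab` on each machine with `getprinc nfs/srv.himbeerserver.de` (and the host principal) in kadmin; every `ktadd` randomizes the key and increments the kvno, so running `ktadd` for the same principal on a second host, or a second time, silently invalidates the earlier keytab copy. Within the command blocks the `purgekeys` lines are redundant, because `delprinc` on the following line removes the principal together with all its keys. Also, the mount command uses `-o soft`, which makes the client return I/O errors instead of retrying after a major timeout and can lose writes; `hard` is the safer default for a share that is written to, with `intr`-style interruption no longer needed on NFSv4.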
diff --git a/htdocs/guide/ovpnip6.md b/htdocs/guide/ovpnip6.md
new file mode 100644
index 0000000..10921d5
--- /dev/null
+++ b/htdocs/guide/ovpnip6.md
@@ -0,0 +1,69 @@
+% Setting up OpenVPN IPv6 support
+
+# The different kinds of IPv6 support
+OpenVPN supports IPv6 in two different ways. It can listen on
+an IPv6 socket so that IPv6 clients can connect to it.
+This way you can run OpenVPN servers that are IPv6 only.
+
+This does not allow connected clients to access hosts via IPv6.
+In order to achieve that the server needs to assign addresses
+that are routable on the internet.
+
+# Listening on an IPv6 socket
+This is quite easy to set up. Open your `/etc/openvpn/server.conf`
+and append a 6 to the proto line. For example `proto udp`
+becomes `proto udp6`.
+
+# Assigning addresses from a prefix
+The OpenVPN server can assign IPv6 addresses from a prefix.
+I recommend a /64 subnet, but OpenVPN supports smaller prefixes
+such as /112 as well. If you have a bigger subnet such as /60
+you can make it a /64 by filling it up with zeros.
+
+To enable this feature add this to your `/etc/openvpn/server.conf`:
+
+```
+server-ipv6 2001:db8:0:123::/64
+```
+
+## Static addresses
+*WARNING: If you're using the client config dir to set static IPv4
+addresses you have to set static IPv6 addresses as well:*
+
+```
+ifconfig-ipv6-push 2001:db8:0:123::abcd/64 2001:db8:0:123::1
+```
+
+where `abcd` is the IFID you'd like the client to get.
+
+## Pushing routes
+Now we have to route IPv6 traffic through the tunnel.
+Traffic to the subnet of GUAs (2000::/3) always has to be routed
+through the tunnel. If you have an ULA prefix or anything else
+you'd like to go through the tunnel simply add another
+line to the config and use that prefix.
+
+Add this to `/etc/openvpn/server.conf`:
+
+```
+push "route-ipv6 2000::/3"
+```
+
+# Routing
+The OpenVPN IPv6 prefix either needs to be NATed or routed.
+If it's a subnet of the IPv6 prefix assigned by your ISP
+everything should work right away. Otherwise you have to configure
+IPv6 NAT which is a dirty solution but should work.
+
+# Firewall
+Don't forget to protect the OpenVPN IPv6 subnet with a firewall.
+This is NOT a security issue of IPv6, IPv4 needs a firewall too.
+
+You can allow certain requests to go through. This way you can
+"forward" IPv6 ports from a location that supports it to another
+location that doesn't support it but is connected to the OpenVPN
+server.
+
+[Return to Guide List](/cgi-bin/guides.lua)
+
+[Return to Index Page](/cgi-bin/index.lua)
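Review bot: the Routing section's "everything should work right away" skips the step that most often fails: the OpenVPN host has to forward IPv6 (`sysctl -w net.ipv6.conf.all.forwarding=1`, persisted under `/etc/sysctl.d/`), and the /64 given to `server-ipv6` must be one the upstream router actually routes to this host rather than a /64 it uses on-link itself, otherwise return traffic for the tunnel addresses never arrives (an NDP proxy such as `ndppd` is the usual workaround in that case). Enabling forwarding has a side effect worth noting next to the Firewall section: Linux stops accepting router advertisements on a forwarding interface unless `net.ipv6.conf.<if>.accept_ra=2`, so a server that got its own address and default route from RAs loses them. Since `push "route-ipv6 2000::/3"` makes every client globally reachable, the Firewall section should say concretely that the forward chain defaults to drop with established/related allowed, instead of only "protect the subnet".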
diff --git a/htdocs/guide/wifi103.md b/htdocs/guide/wifi103.md
new file mode 100644
index 0000000..d929c28
--- /dev/null
+++ b/htdocs/guide/wifi103.md
@@ -0,0 +1,64 @@
+% rtl8812au WiFi driver setup on RPi@5.10.103-v7l
+
+# The Problem
+WiFi drivers on Linux are already annoying enough, and it's gotten even worse
+with the 5.10.103 kernel. This version is no longer compatible with the
+[install-wifi script](http://downloads.fars-robotics.net/wifi-drivers/install-wifi).
+On top of that some versions of the rtl8812au driver I'm using drop IPv6 Multicast,
+breaking NDP and preventing you from automatically connecting to the IPv6 internet.
+Fortunately aircrack-ng maintains a working version of the driver. However it has
+to be compiled from source. Here's how.
+
+# Kernel Headers
+You may need to install the raspberry pi kernel headers.
+The apt package name is `raspberrypi-kernel-headers`.
+If you're using the 64-bit RPi OS, make sure to install
+the arm64 version of the package.
+Use `apt list raspberrypi-kernel-headers` to check if you have
+the correct version installed.
+
+# Installing
+Run the following shell commands. If you aren't using sudo, run commands that
+require root access in some other way.
+
+```sh
+sudo apt update && sudo apt install -y git dkms
+
+git clone https://github.com/aircrack-ng/rtl8812au.git
+cd rtl8812au/
+
+sed -i 's/CONFIG_PLATFORM_I386_PC = y/CONFIG_PLATFORM_I386_PC = n/g' Makefile
+sed -i 's/CONFIG_PLATFORM_ARM_RPI = n/CONFIG_PLATFORM_ARM_RPI = y/g' Makefile
+export ARCH=arm
+sed -i 's/^MAKE="/MAKE="ARCH=arm\ /' dkms.conf
+
+sudo make dkms_install
+```
+
+**For 64-bit, these are the commands to run:**
+
+```sh
+sudo apt update && sudo apt install -y git dkms
+
+git clone https://github.com/aircrack-ng/rtl8812au.git
+cd rtl8812au/
+
+sed -i 's/CONFIG_PLATFORM_I386_PC = y/CONFIG_PLATFORM_I386_PC = n/g' Makefile
+sed -i 's/CONFIG_PLATFORM_ARM64_RPI = n/CONFIG_PLATFORM_ARM64_RPI = y/g' Makefile
+export ARCH=arm64
+sed -i 's/^MAKE="/MAKE="ARCH=arm64\ /' dkms.conf
+
+sudo make dkms_install
+```
+
+If the last command gives an error because the DKMS module already exists,
+remove any existing installations of the driver.
+
+# Loading
+The driver should now automatically be loaded. It seems to be
+loaded at boot time automatically, but I haven't tested it yet.
+If you can confirm or disprove this please let me know.
+
+[Return to Guide List](/cgi-bin/guides.lua)
+
+[Return to Index Page](/cgi-bin/index.lua)
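Review bot: both command blocks build and install a kernel module as root from an unpinned `git clone` of the default branch, so whatever is at upstream HEAD at install time goes into the kernel. Pin the commit or tag that was tested against 5.10.103 (`git checkout <commit>` after the clone) and record it in the guide. That also makes the `sed` edits reproducible: `sed -i` without a match exits 0 and changes nothing, so a `grep -q 'CONFIG_PLATFORM_ARM_RPI = y' Makefile` (or the ARM64 equivalent) after the edits catches a silently changed Makefile. For the Loading section, `dkms status` shows whether the module was built for the running kernel and `lsmod` whether it is loaded after a reboot; DKMS only rebuilds on kernel upgrades when the matching `raspberrypi-kernel-headers` package is installed, which ties back to the Kernel Headers section.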
diff --git a/htdocs/guides.md b/htdocs/guides.md
new file mode 100644
index 0000000..51db999
--- /dev/null
+++ b/htdocs/guides.md
@@ -0,0 +1,14 @@
+% Guides
+
+These are setup guides that cover things I find interesting enough to share
+or that I've struggled with for a long time.
+
+[Return to Index Page](/cgi-bin/index.lua)
+
+# List
+* [rtl8812au on Raspberry Pi with kernel 5.10.103-v7l](/cgi-bin/guide/wifi103.lua)
+* [Kerberized NFS: How to fix "access denied by server"](/cgi-bin/guide/krbnfs.lua)
+* [OpenVPN IPv6](/cgi-bin/guide/ovpnip6.lua)
+* [Encrypting existing drives](/cgi-bin/guide/cryptexisting.lua)
+
+[Return to Index Page](/cgi-bin/index.lua)
diff --git a/htdocs/index.md b/htdocs/index.md
new file mode 100644
index 0000000..2b5b8be
--- /dev/null
+++ b/htdocs/index.md
@@ -0,0 +1,139 @@
+% HimbeerserverDE
+
+# Introduction
+I'm Himbeer, a 15 year old programmer and sysadmin. I like networking, especially IPv6
+(which is why this page is IPv6-only). Because of this I'm using my own
+networking hardware and software instead of the low quality device
+the ISP wants everyone to use that lacks basic configuration options
+like the DHCP DNS server option.
+
+I created [mt-multiserver-proxy](/cgi-bin/work.lua?project=minetestproxy),
+a reverse proxy for the Minetest network protocol. It connects multiple
+Minetest servers together. Since Minetest does almost everything in a single
+thread this can help increase performance by taking advantage of multi-core
+CPUs.
+
+I also made some small web apps in the past that I'll eventually publish here.
+
+I use Debian and Raspberry Pi OS actively, but I'd probably be able to use some
+other distros if I wanted to. My window manager is
+[bspwm](https://github.com/baskerville/bspwm) with a custom setup.
+The polybar setup was written by [Fleckenstein](#friends) and modified
+to display a second bar on a second monitor. You can find everything
+[here](https://github.com/HimbeerserverDE/bspwm-setup).
+
+# Guides
+I occasionally upload setup guides for services that are difficult to
+understand, configure or maintain. They are listed [here](/cgi-bin/guides.lua).
+
+# Profiles
+* **GitHub:** [HimbeerserverDE](https://github.com/HimbeerserverDE)
+* **GitLab:** [HimbeerserverDE](https://gitlab.com/HimbeerserverDE)
+* **Bitbucket:** [HimbeerserverDE](https://bitbucket.org/HimbeerserverDE)
+* **MeseHub:** [HimbeerserverDE](https://git.minetest.land/HimbeerserverDE)
+* **Discord:** HimbeerserverDE#3585
+* **YouTube:** [HimbeerserverDE](https://www.youtube.com/channel/UCRuSC9WNapuA4Gm-kU_gjGA)
+* **Reddit:** [HimbeerserverDE](https://reddit.com/user/HimbeerserverDE)
+* **IRC (libera.chat):** HimbeerserverDE
+* **IRC (oftc.net):** HimbeerserverDE
+* **Email (S/MIME):** [himbeerserverde@gmail.com](mailto:himbeerserverde@gmail.com)
+* **Minetest (forum, in-game, ContentDB):** HimbeerserverDE
+
+# Work
+_If you have any suggestions on what to put on this list please
+[contact me](#profiles)!_
+
+* [mt-multiserver-proxy](/cgi-bin/work.lua?project=minetestproxy), a reverse
+proxy for Minetest
+* [mt-multiserver-chatcommands](/cgi-bin/work.lua?project=minetestproxy#commands),
+a plugin providing standard chat commands for mt-multiserver-proxy
+* [A simple online password generator](/cgi-bin/password_generator.lua)
+* [This website](/cgi-bin/work.lua?project=www3)
+
+## Minetest mods
+* [dynamic_liquid](/cgi-bin/work.lua?project=dynamicliquid), a fork of
+[minetest-mods/dynamic_liquid](https://github.com/minetest-mods/dynamic_liquid)
+* [waterworks](/cgi-bin/work.lua?project=waterworks), a fork of
+[FaceDeer/waterworks](https://github.com/FaceDeer/waterworks) that actually
+does what the documentation says
+
+# Skills
+This is a list of the languages and tools I'm able to use at the moment.
+
+## Languages
+* C
+* C++
+* Go
+* HTML
+* CSS
+* JavaScript
+* Lua
+* Java
+* Bash
+* PHP
+* SQL
+* Rust
+* Python
+
+## Software
+
+### Server
+* Apache
+* nginx
+* SQLite3
+* MySQL
+* MariaDB
+* PostgreSQL
+* fail2ban
+* slapd
+* Kerberos
+* DNSMASQ
+* WIDE-DHCPv6-Client
+* dibbler-server
+* LWDS-Lite
+* OpenVPN
+* FOG
+* PXE
+* iPXE
+* LTSP
+* NFS
+
+### Client
+* ldap-utils
+* sssd
+* PAM
+* GRUB2
+* GCC
+* G++
+* GNU Make
+* CMake
+* GDB
+* GIMP
+* Blender
+* OpenShot
+* NetworkManager
+* Kerberos
+* NFS
+
+## APIs / Libraries / Frameworks
+* node.js
+* jQuery
+* OpenGL core v3.0+
+* GLFW
+* linmath.h
+* Minetest
+* Flask
+
+# Friends
+This is a list of my friends with links to their main online presence
+if they have one.
+
+* [Fleckenstein](https://fleckenstein.elidragon.tk)
+* [DerZombiiie](https://derzombiiie.com)
+* [j45](https://j1233.minetest.land)
+* [TheodorSmall](https://github.com/TheodorSmall)
+* [SC++](https://github.com/scplusplus)
+* [Rapunzel](https://github.com/RapunzelE)
+* [anon5](https://github.com/anon55555)
+* Typischer
+* yayyer
diff --git a/htdocs/password_generator.md b/htdocs/password_generator.md
new file mode 100644
index 0000000..9c9f653
--- /dev/null
+++ b/htdocs/password_generator.md
@@ -0,0 +1,34 @@
+% Password Generator
+
+This page generates a few passwords on the server and displays them to the user.
+The code can be found [on GitHub](https://github.com/HimbeerserverDE/www.himbeerserver.de/blob/main/himbeerserver/usr/lib/cgi-bin/password_generator.lua).
+
+# 32 Letters, digits, punctuation characters
+* `${strongest1}`
+* `${strongest2}`
+* `${strongest3}`
+* `${strongest4}`
+* `${strongest5}`
+
+# 32 Letters, digits
+* `${strong1}`
+* `${strong2}`
+* `${strong3}`
+* `${strong4}`
+* `${strong5}`
+
+# 32 Letters
+* `${medium1}`
+* `${medium2}`
+* `${medium3}`
+* `${medium4}`
+* `${medium5}`
+
+# 16 Letters, digits
+* `${weak1}`
+* `${weak2}`
+* `${weak3}`
+* `${weak4}`
+* `${weak5}`
+
+[Return to Index Page](/cgi-bin/index.lua)
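Review bot: the `${...}` placeholders are substituted into backtick code spans, so if the "punctuation characters" set used by the generator contains a backtick the span breaks and the password is rendered wrong; either exclude `` ` `` from the character set or have the Lua script escape the value before substitution. Two things to check in the linked script, which is not visible here: that characters come from a cryptographic source (`/dev/urandom`) rather than Lua's `math.random`, and that the CGI response carries `Cache-Control: no-store` so generated passwords do not end up in browser or proxy caches. The link in the first paragraph points at a `himbeerserver/usr/lib/cgi-bin/` layout, while this commit installs scripts from `./cgi-bin/`; worth confirming it still points at the code that serves this page.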