
Import original docs

pull/16/head
KemoNine 1 year ago
parent
commit
fdbd56938c
Signed by: KemoNine <kemonine@kemonine.info> GPG Key ID: 331B7E1107F99137

+ 3
- 0
README.orig.md

@@ -0,0 +1,3 @@
1
+# Docs
2
+
3
+The core documentation on how to setup an SBC as a lolipop cloud

+ 3
- 0
armbian/README.md

@@ -0,0 +1,3 @@
1
+# Armbian
2
+
3
+Setup an SBC as a lolipop router and private LAN

+ 47
- 0
armbian/base_setup.md

@@ -0,0 +1,47 @@
1
+# Base Setup
2
+
3
+Fundamental setup after first boot/reboot.
4
+
5
+## Pro Tip
6
+
7
+```sudo -sHu root``` is a handy trick when doing a lot of administrative stuff at the command line
8
+
9
+## Upgrade Packages
10
+
11
+``` bash
12
+
13
+apt update
14
+apt upgrade
15
+systemctl reboot
16
+
17
+```
18
+
19
+## DISABLE Automatic Update Downloads
20
+
21
+*Note: this is to save bandwidth, time, etc when travelling*
22
+
23
+### /etc/apt/apt.conf.d/02periodic
24
+
25
+Change ```APT::Periodic::Enable "1";``` to ```APT::Periodic::Enable "0";```
26
+
27
+### /etc/apt/apt.conf.d/20auto-upgrades
28
+
29
+Change ```APT::Periodic::Update-Package-Lists "1";``` to ```APT::Periodic::Update-Package-Lists "0";```
30
+
31
+Change ```APT::Periodic::Unattended-Upgrade "1";``` to ```APT::Periodic::Unattended-Upgrade "0";```
32
+
33
+## Tweak OpenSSH Config
34
+
35
+Edit ```/etc/ssh/sshd_config```
36
+
37
+Make sure the following are set and/or adjusted.
38
+
39
+- ```PermitRootLogin no```
40
+
41
+Restart the service
42
+
43
+```systemctl restart sshd```
44
+
45
+## Networking
46
+
47
+See ```network_manager.md``` for details on getting online after running the above commands for how to get online and configure routing.
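Review bot: the sshd hardening in this hunk stops at `PermitRootLogin no`; for a box that will sit on public Wi-Fi and LTE, also set `PasswordAuthentication no` once the admin user's key is in `~/.ssh/authorized_keys`, and run `sshd -t` before `systemctl restart sshd` so a typo in `sshd_config` cannot take the service down while you are remote. Turning off `APT::Periodic` trades away unattended security updates, so the doc should say explicitly that `apt update && apt upgrade` becomes a manual chore to run whenever the router is on a real link. Minor: the last line repeats itself ("getting online ... for how to get online").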

+ 88
- 0
armbian/borg.md

@@ -0,0 +1,88 @@
1
+# Borg Backups
2
+
3
+The BETTER backup solution.
4
+
5
+**BE MINDFUL OF RUNNING BORG. IT CAN CAUSE PROBLEMS WITH DISK IOPS AND RAM USAGE. BEST USED WHEN THE MACHINE IS KNOWN TO BE IDLE!!!**
6
+
7
+## Inspiration / Further Reading
8
+
9
+- [https://borgbackup.readthedocs.io/en/stable/installation.html#from-source](https://borgbackup.readthedocs.io/en/stable/installation.html#from-source)
10
+
11
+## Install
12
+
13
+Note this is built using sources (kinda). May take awhile on most arm boards.
14
+
15
+``` bash
16
+
17
+# install build dependencies
18
+apt update
19
+apt install python-setuptools python3-setuptools \
20
+    python3 python3-dev python3-pip python-virtualenv \
21
+    libssl-dev openssl \
22
+    libacl1-dev libacl1 \
23
+    build-essential \
24
+    libfuse-dev fuse pkg-config
25
+pip3 install borgbackup[fuse]
26
+
27
+```
28
+
29
+## Upgrades
30
+
31
+Per the docs
32
+
33
+> To upgrade Borg to a new version later, run the following after activating your virtual environment:
34
+
35
+```pip install -U borgbackup[fuse]```
36
+
37
+## Initialize Backup Repo
38
+
39
+*Note: assumes you have a ```/tank``` on external disk*
40
+
41
+``` bash
42
+
43
+cd /tank/backup
44
+borg init --encryption none . # No crypto/auth for speed (see docs for more infos)
45
+
46
+```
47
+
48
+## Backup Script
49
+
50
+Setup a backup script that backs up everything (**note the excludes**) to the initialized repository.
51
+
52
+Run ```/root/borg_backup.sh``` any time you want to take a backup.
53
+
54
+``` bash
55
+
56
+cat > /root/borg_backup.sh <<EOF
57
+#!/bin/sh
58
+REPOSITORY=/tank/backup
59
+
60
+# Backup all of /home and /var/www except a few
61
+# excluded directories
62
+/usr/local/bin/borg create -v --progress --stats -C lzma,3 \\
63
+    \$REPOSITORY::backup-\`date +%Y-%m-%d-%H%M\` \\
64
+    / \\
65
+    --exclude /run \\
66
+    --exclude /snapshots \\
67
+    --exclude /tank \\
68
+    --exclude /scratch \\
69
+    --exclude /swap \\
70
+    --exclude /proc \\
71
+    --exclude /sys \\
72
+    --exclude /var/lib/schroot/mount \\
73
+    --exclude /var/lib/lxcfs \\
74
+    --exclude /var/lib/docker \\
75
+    --exclude /mnt
76
+
77
+# Use the 'prune' subcommand to maintain 7 daily, 4 weekly
78
+# and 6 monthly archives.
79
+/usr/local/bin/borg prune -v --list \$REPOSITORY \\
80
+    --keep-daily=7 \\
81
+    --keep-weekly=4 \\
82
+    --keep-monthly=6
83
+
84
+EOF
85
+
86
+chmod a+x /root/borg_backup.sh
87
+
88
+```
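Review bot: `borg init --encryption none` is the wrong default here; the script archives `/` including `/etc/shadow`, the SSH host keys and `/var/acme.sh` (the Let's Encrypt private keys plus the Cloudflare API key that acme.sh persists in its account config), onto a removable disk that travels with the device. Use `--encryption repokey-blake2` (or `keyfile`) and keep the passphrase off the SBC; `none` also drops the repository's authentication, so a tampered archive restores silently. The install runs `pip3 install borgbackup[fuse]` system-wide as root, while the Upgrades section quotes the "after activating your virtual environment" instruction, so the two disagree; pick one and document the path that `/usr/local/bin/borg` in the script depends on. Also `-C lzma,3` is CPU-heavy on ARM, which compounds the IOPS/RAM warning at the top; `lz4` or a lower lzma level would be kinder to an SBC.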

+ 98
- 0
armbian/caddy.md

@@ -0,0 +1,98 @@
1
+# Web Service Proxy (caddy)
2
+
3
+Simple and efficient go based proxy server and static web host. TLS and more supported out of the box. Supports all kinds of arch's and you probably want to just use this as it's the simplest approach and leanest.
4
+
5
+## SSL Certs
6
+
7
+This assumes you've run the [Let's Encrypt](lets_encrypt.md) process to get your certificates setup properly.
8
+
9
+## Inspiration / Sources
10
+
11
+- [https://caddyserver.com/](https://caddyserver.com/)
12
+- [https://github.com/lucaslorentz/caddy-docker-proxy](https://github.com/lucaslorentz/caddy-docker-proxy)
13
+
14
+## Docker Integration
15
+
16
+Please note the Docker plugin is for a *swarm* which is *not* setup in these docs. It does **NOT** apply to this build.
17
+
18
+## Install
19
+
20
+``` bash
21
+
22
+mkdir /var/log/caddy
23
+mkdir -p /etc/caddy/services
24
+chown www-data /var/log/caddy /etc/caddy
25
+cat > /root/update_caddy.sh <<EOF
26
+curl https://getcaddy.com | bash -s personal http.cache,http.cgi,http.cors,http.expires,http.filemanager,http.ipfilter,http.locale,http.realip,http.upload,net
27
+EOF
28
+chmod a+x /root/update_caddy.sh
29
+/root/update_caddy.sh
30
+
31
+```
32
+
33
+## Configure
34
+
35
+Setup a basic config for all services provided by the SBC. Pi Hole, NextCloud, Syncthing UIs all behind a SSL/TLS capable proxy.
36
+
37
+``` bash
38
+
39
+cat > /etc/caddy/Caddyfile <<EOF
40
+# Individual configs are in their own files
41
+import /etc/caddy/services/*.conf
42
+EOF
43
+
44
+```
45
+
46
+## Adjust firewall to allow caddy on internal network(s)
47
+
48
+``` bash
49
+
50
+firewall-cmd --permanent --zone=internal --add-service http --add-service https
51
+firewall-cmd --permanent --zone=trusted --add-service http --add-service https
52
+firewall-cmd --reload
53
+
54
+```
55
+
56
+## Grant access to SSL certificates
57
+
58
+``` bash
59
+
60
+apt install acl
61
+setfacl -m www-data:rx /var/acme.sh/
62
+setfacl -m www-data:rx /var/acme.sh/domain.tld
63
+setfacl -m www-data:r /var/acme.sh/domain.tld/fullchain.cer
64
+setfacl -m www-data:r /var/acme.sh/domain.tld/domain.tld.cer
65
+setfacl -m www-data:r /var/acme.sh/domain.tld/domain.tld.key
66
+mkdir /etc/ssl/caddy
67
+chown www-data /etc/ssl/caddy
68
+
69
+```
70
+
71
+## Run via systemd
72
+
73
+``` bash
74
+
75
+wget -O /etc/systemd/system/caddy.service https://raw.githubusercontent.com/mholt/caddy/master/dist/init/linux-systemd/caddy.service
76
+chown root:root /etc/systemd/system/caddy.service
77
+chmod 644 /etc/systemd/system/caddy.service
78
+systemctl daemon-reload
79
+systemctl enable caddy.service
80
+
81
+```
82
+
83
+## Update Caddy
84
+
85
+To update Caddy, run the script that was setup during install : ```/root/update_caddy.sh```. That's it, you'll download the latest version and update in-place. Simple.
86
+
87
+## Update unbound
88
+
89
+*Serve the IP address of the proxy for the services with web interfaces*
90
+
91
+``` bash
92
+
93
+cat > /etc/unbound/local_zone/caddy.conf <<EOF
94
+local-data: "domain.tld A 172.30.0.1"
95
+local-data-ptr: "172.30.0.1 domain.tld"
96
+EOF
97
+
98
+```
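Review bot: `curl https://getcaddy.com | bash -s personal ...` pipes an unverified remote script into a root shell, and `/root/update_caddy.sh` repeats that on every update; fetching `caddy.service` from `master` on GitHub has the same problem. Prefer downloading a pinned release, checking its published checksum or signature, and installing that, so an upstream or CDN compromise cannot hand you a root-installed binary. Second, `chown www-data /var/log/caddy /etc/caddy` makes the config directory writable by the Caddy runtime user: a bug in any of the enabled plugins (`http.upload`, `http.filemanager` and `http.cgi` all write files or execute programs) then lets the process rewrite its own `Caddyfile` and the `import`ed service configs. Keep `/etc/caddy` root-owned and readable, and give `www-data` only `/var/log/caddy` and `/etc/ssl/caddy`. Minor: the `setfacl` read grant on `domain.tld.key` is needed, but it means anything running as `www-data` (including CGI from that plugin list) can read the private key.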

+ 52
- 0
armbian/chrony.md

@@ -0,0 +1,52 @@
1
+# Chrony
2
+
3
+Setup alternative ntp that does well with systems that may or may not always be online.
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [https://wiki.archlinux.org/index.php/Chrony](https://wiki.archlinux.org/index.php/Chrony)
8
+- [https://insights.ubuntu.com/2018/04/09/ubuntu-bionic-using-chrony-to-configure-ntp](https://insights.ubuntu.com/2018/04/09/ubuntu-bionic-using-chrony-to-configure-ntp)
9
+- [http://manpages.ubuntu.com/manpages/trusty/man5/chrony.conf.5.html](http://manpages.ubuntu.com/manpages/trusty/man5/chrony.conf.5.html)
10
+
11
+## Install
12
+
13
+``` bash
14
+
15
+apt update
16
+apt install chrony
17
+systemctl enable chrony # Enable service
18
+systemctl start chrony # Start service
19
+chronyc activity # Verify install successful
20
+systemctl disable ntp.service # Disable std ntpd (replaced by chrony)
21
+
22
+```
23
+
24
+## Configuration
25
+
26
+``` bash
27
+
28
+cat >> /etc/chrony/chrony.conf <<EOF
29
+allow 172.16.16.0/24
30
+allow 172.17.17.0/24
31
+allow 172.18.18.0/24
32
+allow 172.30.0.0/16
33
+
34
+# Allow large clock adjustments (you want this as there is no RTC on most SBCs)
35
+makestep 1 -1
36
+EOF
37
+
38
+```
39
+
40
+Run ```systemctl restart chrony``` to pickup the changes.
41
+
42
+## Allow NTP access via internal/trusted networks
43
+
44
+``` bash
45
+
46
+firewall-cmd --permanent --zone=internal --add-service ntp
47
+firewall-cmd --permanent --zone=trusted --add-service ntp
48
+firewall-cmd --reload
49
+firewall-cmd --info-zone internal
50
+firewall-cmd --info-zone trusted
51
+
52
+```
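Review bot: `cat >> /etc/chrony/chrony.conf` is not idempotent; running the Configuration block twice (easy with copy-paste docs) duplicates the `allow` and `makestep` lines. Write the additions with `cat >` to a dedicated fragment and pull it in with chrony's `include` directive so reruns are safe. Also, `chronyc activity` runs before the `allow`/`makestep` settings exist and before the restart; move the verification after `systemctl restart chrony` (and add `chronyc tracking`) so it checks the configuration that is actually in effect.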

+ 46
- 0
armbian/cockpit.md

@@ -0,0 +1,46 @@
1
+# Cockpit
2
+
3
+This is **OPTIONAL** but can provide some helpful tools/insights while in the field.
4
+
5
+Notably Cockpit includes a terminal via a web browser. Perfect for on-the-go tuning of network settings and/or disaster recovery.
6
+
7
+Further reading: [http://cockpit-project.org/running](http://cockpit-project.org/running)
8
+
9
+## Install
10
+
11
+``` bash
12
+
13
+#add-apt-repository ppa:cockpit-project/cockpit
14
+apt update
15
+apt install cockpit cockpit-doc \
16
+    cockpit-docker cockpit-networkmanager \
17
+    cockpit-dashboard cockpit-system \
18
+    cockpit-storaged cockpit-packagekit
19
+systemctl enable cockpit
20
+systemctl start cockpit
21
+
22
+```
23
+
24
+## Config
25
+
26
+Leave the defaults (*including SSL certificate*). This is here to save you on the fly or when not near a 'full' computer. Defaults are a good thing at times.
27
+
28
+## Allow internal access
29
+
30
+If you already setup firewalld, run the following to allow access from the *INTERNAL* network only.
31
+
32
+``` bash
33
+
34
+firewall-cmd --permanent --zone=internal --add-port=9090/tcp
35
+firewall-cmd --reload
36
+
37
+```
38
+
39
+## Grant Admin User(s) Access to Docker
40
+
41
+``` bash
42
+
43
+usermod -aG docker [admin_user]
44
+systemctl restart docker
45
+
46
+```
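Review bot: `usermod -aG docker [admin_user]` is root-equivalent (a docker group member can `docker run -v /:/host ...` and change anything on the host), and with `cockpit-docker` that power is reachable from the web UI on 9090 behind a self-signed certificate and a password. The doc should state the trade-off plainly; a safer shape is to leave the admin out of the docker group and use `sudo docker` from the Cockpit terminal. Also, Cockpit is socket-activated and its documented enable form is `systemctl enable --now cockpit.socket`; after this block, check that `cockpit.socket` is enabled, since `systemctl enable cockpit` targets the service unit. The `systemctl restart docker` after the group change does nothing useful: group membership takes effect on the user's next login, not on the daemon.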

+ 103
- 0
armbian/docker.md

@@ -0,0 +1,103 @@
1
+# Docker
2
+
3
+Containerized services for easy deployment and updates.
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [https://docs.docker.com/install/](https://docs.docker.com/install/)
8
+- [https://docs.docker.com/install/linux/docker-ce/ubuntu/](https://docs.docker.com/install/linux/docker-ce/ubuntu/)
9
+- [https://blog.alexellis.io/get-started-with-docker-on-64-bit-arm/](https://blog.alexellis.io/get-started-with-docker-on-64-bit-arm/)
10
+
11
+## Pre Flight Setup
12
+
13
+``` bash
14
+
15
+apt remove docker docker-engine docker.io
16
+apt install \
17
+    apt-transport-https \
18
+    ca-certificates \
19
+    curl \
20
+    software-properties-common
21
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
22
+
23
+```
24
+
25
+### Arm (32bit / armv7)
26
+
27
+``` bash
28
+
29
+add-apt-repository \
30
+   "deb [arch=armhf] https://download.docker.com/linux/ubuntu \
31
+   $(lsb_release -cs) \
32
+   stable"
33
+
34
+```
35
+
36
+### Arm (64bit)
37
+
38
+``` bash
39
+
40
+add-apt-repository \
41
+   "deb [arch=arm64] https://download.docker.com/linux/ubuntu \
42
+   $(lsb_release -cs) \
43
+   stable"
44
+
45
+```
46
+
47
+## Install
48
+
49
+``` bash
50
+
51
+apt update
52
+apt install docker-ce
53
+systemctl enable docker
54
+
55
+```
56
+
57
+## Adjust Storage
58
+
59
+**OPTIONAL**
60
+
61
+If you have an external USB storage device always connected, you may want to move the contents of ```/var/lib/docker``` to somewhere on the external storage and use a symlink in place. This will help with churn on the internal micro-sd card and extend its life.
62
+
63
+## Create Container Script Dir
64
+
65
+For the containers detailed here, you'll want a dedicated directory for keeping the scripts/outputs.
66
+
67
+```mkdir /root/docker```
68
+
69
+## Configure Docker Default Bridge
70
+
71
+Ensure the default Docker bridge doesn't conflict with existing networks.
72
+
73
+``` bash
74
+
75
+cat >> /etc/docker/daemon.json <<EOF
76
+{
77
+  "bip": "10.30.0.1/16"
78
+}
79
+EOF
80
+systemctl restart docker
81
+
82
+```
83
+
84
+## Setup Custom Network for Services
85
+
86
+``` bash
87
+
88
+docker network create \
89
+  --subnet=172.30.0.1/16 \
90
+  docker-private
91
+
92
+```
93
+
94
+## Trust Docker Private LAN
95
+
96
+``` bash
97
+
98
+nmcli connection show # Look for uuid of new docker bridge
99
+nmcli connection modify [uuid] connection.zone trusted
100
+systemctl restart NetworkManager docker firewalld
101
+firewall-cmd --info-zone trusted
102
+
103
+```
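Review bot: `cat >> /etc/docker/daemon.json` appends a JSON object; if the file already exists (docker_registry.md in this same commit expects a `graph` key in it), the result is two concatenated objects, which is invalid JSON and stops dockerd from starting. Use `cat >` and keep every key in one object, or edit the file. Two smaller points: the key import should be followed by the fingerprint check Docker's own install page prescribes (`apt-key fingerprint 0EBFCD88`, expecting `9DC8 5822 9FC7 DD38 854A E2D8 8D81 803C 0EBF CD88`) rather than trusting whatever `curl` returned; and the repo line hard-codes `linux/ubuntu` with `$(lsb_release -cs)`, which breaks on Debian-based Armbian images, where the codename is not carried by the Ubuntu repo. The stray `sudo` on the `apt-key` line is also inconsistent with the root-shell assumption in the rest of the doc. Lastly, placing the Docker bridge in the `trusted` zone gives every container unrestricted access to all host services; `internal` with explicit services would be tighter.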

+ 36
- 0
armbian/docker_registry.md

@@ -0,0 +1,36 @@
1
+https://github.com/docker/distribution
2
+https://github.com/docker/docker.github.io/blob/master/registry/deploying.md
3
+https://stackoverflow.com/questions/24309526/how-to-change-the-docker-image-installation-directory
4
+
5
+Prereq : Docker installed
6
+
7
+Prereq : Docker config
8
+
9
+/etc/docker/daemon.json
10
+graph: /tank/docker/graph
11
+
12
+docker info | grep "Docker Root Dir"
13
+
14
+docker pull ubuntu:16.04 # pull from hub
15
+docker tag ubuntu:16.04 localhost:5000/my-ubuntu # tag for registry
16
+docker push localhost:5000/my-ubuntu # push to registry
17
+docker image remove ubuntu:16.04 # nuke local cache
18
+docker image remove localhost:5000/my-ubuntu # nuke local cached
19
+docker pull localhost:5000/my-ubuntu # pull from registry
20
+
21
+
22
+docker run --name registry \
23
+  --restart unless-stopped \\
24
+  -p 5000:5000 \
25
+  -e TZ=UTC \\
26
+  -e DEBUG=1 \\
27
+  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
28
+  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
29
+  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
30
+  -e REGISTRY_AUTH=htpasswd \
31
+  -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
32
+  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
33
+  -v /path/data:/var/lib/registry
34
+  -v /path/certs:/certs
35
+  -v /path/auth:/auth
36
+  registry/registry:$tag
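Review bot: the `docker run` block is not runnable as written: the line continuations are mixed (`\\` on some lines, `\` on others, which only makes sense inside a heredoc), and `-v /path/data:/var/lib/registry` and `-v /path/certs:/certs` have no trailing `\` at all, so the command ends there. `registry/registry:$tag` is not the official image either; the deploying.md linked at the top uses `registry:2`. The `graph: /tank/docker/graph` note is not valid `daemon.json`; it needs to be `{"graph": "/tank/docker/graph"}` merged into the same object as the `bip` setting from docker.md. Since this file is still raw notes, mark it WIP at the top so nobody pastes the block. Minor: `DEBUG=1` is not a registry setting; log verbosity comes from `REGISTRY_LOG_LEVEL`.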

+ 20
- 0
armbian/elasticbeats.md

@@ -0,0 +1,20 @@
1
+https://www.elastic.co/products/beats/filebeat
2
+https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation.html
3
+https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration.html
4
+
5
+docker pull docker.elastic.co/beats/filebeat:6.2.4
6
+
7
+docker run --name filebeat --restart unless-stopped --net docker-private --ip 172.30.11.11 -e TZ=UTC -e DEBUG=1 docker.elastic.co/beats/filebeat:6.2.4
8
+
9
+This can't be accomplished just yet but it looks promising for the future
10
+
11
+
12
+https://github.com/elastic/beats-docker/tree/6.2
13
+
14
+https://discuss.elastic.co/t/how-to-install-filebeat-on-a-arm-based-sbc-eg-raspberry-pi-3/103670/2
15
+
16
+https://github.com/elastic/beats/tree/master/dev-tools/packer
17
+
18
+https://s3-us-west-2.amazonaws.com/beats-package-snapshots/index.html?prefix=filebeat/
19
+
20
+https://s3-us-west-2.amazonaws.com/beats-package-snapshots/index.html?prefix=metricbeat/
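Review bot: "This can't be accomplished just yet" is buried after a `docker run` that readers may paste; move that statement to the top or drop the run line until the arm build question in the linked discuss thread is resolved. Even on a supported arch, the run mounts no config and no log directories, so filebeat would have nothing to ship. `DEBUG=1` is not a Beats setting; `-e -d "*"` is the filebeat way to get debug output.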

+ 142
- 0
armbian/firewalld.md

@@ -0,0 +1,142 @@
1
+# FirewallD
2
+
3
+AKA : firewall and routing. Let's make this a firewall/router!
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [http://www.firewalld.org/](http://www.firewalld.org/)
8
+- [http://www.firewalld.org/documentation/howto/add-a-service.html](http://www.firewalld.org/documentation/howto/add-a-service.html)
9
+- [http://www.firewalld.org/documentation/howto/reload-firewalld.html](http://www.firewalld.org/documentation/howto/reload-firewalld.html)
10
+- [https://www.certdepot.net/rhel7-get-started-firewalld/](https://www.certdepot.net/rhel7-get-started-firewalld/)
11
+- [https://fedoramagazine.org/build-network-router-firewall-fedora-22-systemd-networkd/](https://fedoramagazine.org/build-network-router-firewall-fedora-22-systemd-networkd/)
12
+- [https://www.centos.org/forums/viewtopic.php?f=50&t=53819#p227743](https://www.centos.org/forums/viewtopic.php?f=50&t=53819#p227743)
13
+
14
+## Configure sysctl for routing purposes
15
+
16
+*Note: This was borrowed from the standard OpenWRT ```sysctl.conf```*
17
+
18
+``` bash
19
+
20
+# Setup NAT/Forwarding/Routing sysctl config
21
+cat > /etc/sysctl.d/20-routing.conf <<EOF
22
+net.ipv4.conf.default.arp_ignore=1
23
+net.ipv4.conf.all.arp_ignore=1
24
+net.ipv4.ip_forward=1
25
+net.ipv4.icmp_echo_ignore_broadcasts=1
26
+net.ipv4.icmp_ignore_bogus_error_responses=1
27
+net.ipv4.igmp_max_memberships=100
28
+net.ipv4.tcp_fin_timeout=30
29
+net.ipv4.tcp_keepalive_time=120
30
+net.ipv4.tcp_syncookies=1
31
+net.ipv4.tcp_timestamps=1
32
+net.ipv4.tcp_sack=1
33
+net.ipv4.tcp_dsack=1
34
+
35
+net.ipv6.conf.default.forwarding=1
36
+net.ipv6.conf.all.forwarding=1
37
+EOF
38
+
39
+# Apply configuration
40
+sysctl -p
41
+
42
+```
43
+
44
+## Setup FirewallD
45
+
46
+``` bash
47
+
48
+apt update
49
+apt install firewalld
50
+systemctl enable firewalld
51
+systemctl start firewalld
52
+
53
+```
54
+
55
+## Verify Fundamentals
56
+
57
+Run ```firewall-cmd --get-default-zone``` and make sure it returns ```public```.
58
+
59
+If not run:
60
+
61
+``` bash
62
+
63
+firewall-cmd --set-default-zone=public
64
+firewall-cmd --runtime-to-permanent
65
+firewall-cmd --reload
66
+
67
+```
68
+
69
+## Allow internal access to ssh
70
+
71
+``` bash
72
+
73
+# Remove ssh from public zone
74
+firewall-cmd --permanent --zone=public --remove-service=ssh
75
+# Add ssh to internal zone
76
+firewall-cmd --permanent --zone=internal --add-service ssh
77
+# Reload rules
78
+firewall-cmd --reload
79
+# Verify rules
80
+firewall-cmd --zone=public --list-all
81
+firewall-cmd --zone=internal --list-all
82
+
83
+```
84
+
85
+
86
+## Useful Commands
87
+
88
+- ```firewall-cmd --state```
89
+- ```firewall-cmd --runtime-to-permanent```
90
+- ```firewall-cmd --reload```
91
+- ```firewall-cmd --get-default-zone```
92
+- ```firewall-cmd --get-active-zones```
93
+- ```firewall-cmd --get-zones```
94
+- ```firewall-cmd --info-zone=[aZone]```
95
+- ```firewall-cmd --permanent --zone=[aZone] --list-all```
96
+- ```firewall-cmd --get-zone-of-interface=[iface]```
97
+- ```firewall-cmd --get-log-denied```
98
+- ```firewall-cmd --set-log-denied all```
99
+
100
+## Tweak NetworkManager Connection Zones
101
+
102
+``` bash
103
+
104
+# Adjust interfaces from NetworkManager setup
105
+firewall-cmd --permanent --zone=internal --change-interface=[wifi adapter for hot spots]
106
+firewall-cmd --reload
107
+nmcli connection modify wifi-ap-24 connection.zone internal
108
+nmcli connection modify wifi-ap-50 connection.zone internal
109
+nmcli connection modify mgmt connection.zone internal
110
+
111
+# Verify zone configs
112
+firewall-cmd --get-active-zones
113
+
114
+```
115
+
116
+## Turn on Routing
117
+
118
+``` bash
119
+
120
+firewall-cmd --permanent --zone=public --add-masquerade # Add NAT stuff for ipv4
121
+firewall-cmd --permanent --query-masquerade # Make sure it's actually on
122
+firewall-cmd --permanent --zone=internal --add-source=172.16.16.0/24
123
+firewall-cmd --permanent --zone=internal --add-source=172.17.17.0/24
124
+firewall-cmd --permanent --zone=internal --add-source=172.18.18.0/24
125
+firewall-cmd --permanent --zone=internal --add-service dns --add-service dhcp
126
+firewall-cmd --reload
127
+
128
+```
129
+
130
+## Other Useful Commands
131
+
132
+Odds and ends for setting up services and the like. You can probably ignore this section. Breadcrumbs for the author really.
133
+
134
+``` bash
135
+
136
+firewall-cmd --permanent --zone=trusted --add-source=192.168.2.0/24
137
+firewall-cmd --zone=internal --add-service=ssh --permanent
138
+firewall-cmd --zone=internal --add-service={ssh,http,https,dns}
139
+firewall-cmd --permanent --zone=public --add-port=80/tcp
140
+firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=10.0.0.1
141
+
142
+```
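Review bot: `sysctl -p` with no argument loads only `/etc/sysctl.conf`, so the rules written to `/etc/sysctl.d/20-routing.conf` are not applied until the next boot; use `sysctl --system` (or `sysctl -p /etc/sysctl.d/20-routing.conf`). Second, the ordering can lock you out: "Allow internal access to ssh" removes ssh from `public` and reloads before any interface or source is assigned to `internal` (that happens two sections later), so an admin connected through an interface still sitting in the default zone loses new ssh sessions at the reload. Move the `--change-interface`/`--add-source` steps ahead of the ssh removal, or do it from the serial console. Third, the sysctl block turns on IPv6 forwarding (`net.ipv6.conf.all.forwarding=1`) while every rule in the doc is IPv4; either add IPv6 zone rules or leave IPv6 forwarding off so upstream IPv6 does not bypass the NAT-only setup. Minor: `--permanent --query-masquerade` has no `--zone`, so it asks about the default zone, which is only right because the default was confirmed as `public` earlier.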

+ 35
- 0
armbian/first_boot.md

@@ -0,0 +1,35 @@
1
+# First Boot
2
+
3
+Basic setup and configuration that's necessary to get under way.
4
+
5
+## Adjust root password + Create First User
6
+
7
+When you login to Armbian as root the first time you'll be prompted to set a root password and create the first user.
8
+
9
+Follow the prompts and create an administrative user (armbian/ubuntu/admin/etc as the name) that will be used as your primary 'admin' login.
10
+
11
+The rest of this guide assumes you'll be logged in as the admin user and will be using sudo to run all commands.
12
+
13
+## Mirror Docs
14
+
15
+Just in case you need reference material while offline or on a bad network link, mirror these docs to the root filesystem.
16
+
17
+```git clone https://gitlab.com/kemonine/lolipop_lan_cloud.git /root/lolipop_lan_cloud```
18
+
19
+## Disable root login
20
+
21
+This will **EXPIRE** the root password. If you run this you can **NOT** login as root!!! Use with care if you're not used to sudo and/or want to retain root login for some reason.
22
+
23
+``` bash
24
+
25
+passwd -l root
26
+
27
+```
28
+
29
+## Cleanup fstab
30
+
31
+Edit ```/etc/fstab``` and remove the ```commit=600``` block from the root filesystem definition.
32
+
33
+## Reboot
34
+
35
+This is necessary for the armbian setup to finish resizing the filesystem stored on the sd card.
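Review bot: `passwd -l root` locks the password (it prefixes the hash with `!`); it does not expire it, so the "EXPIRE" warning is wrong, and `passwd -e` is the command that actually expires. The doc should also say what the lock does and does not cover: it blocks password logins for root (console, `su`, ssh password auth) but not key-based root ssh, which is only closed later by `PermitRootLogin no` in base_setup.md, and `sudo -sHu root` keeps working because sudo checks the admin user's password. The `commit=600` removal in fstab raises the journal commit frequency and therefore SD card writes, which runs against the card-longevity advice elsewhere in these docs; a one-line reason would help.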

+ 33
- 0
armbian/gogs.md

@@ -0,0 +1,33 @@
1
+# Gogs
2
+
3
+Self hosted git repos, issue tracking and more. Think GitHub/GitLab but self hosted and lean.
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [https://discuss.gogs.io/t/how-to-backup-restore-and-migrate/991](https://discuss.gogs.io/t/how-to-backup-restore-and-migrate/991)
8
+- [https://blog.meinside.pe.kr/Gogs-on-Raspberry-Pi/](https://blog.meinside.pe.kr/Gogs-on-Raspberry-Pi/)
9
+
10
+## Build/Install/Update/Run Scripts
11
+
12
+Setup a generic script that'll auto update Gogs, build a container and launch it. You should only run this script at first launch and/or when you're looking for updates.
13
+
14
+```FIXME : Update with wget/sed from repo```
15
+
16
+## Run Gogs
17
+
18
+Simply execute ```/root/docker/gogs/gogs.sh``` to update/run Gogs.
19
+
20
+## Serving Via Caddy
21
+
22
+```FIXME : Update with wget/sed from repo```
23
+
24
+## Update Unbound
25
+
26
+```FIXME : Update with wget/sed from repo```
27
+
28
+## First Run / Finalize Setup
29
+
30
+- Navigate to ```http://gogs-insecure.domain.tld:3000```
31
+- Follow on-screen prompts for finalizing setup
32
+  - Be sure to specify an admin user
33
+- Login to ```https://gogs.domain.tld``` and enjoy
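Review bot: three sections in this file are `FIXME` placeholders, and "Run Gogs" tells the reader to execute `/root/docker/gogs/gogs.sh`, which nothing in this commit creates; either land the script and the Caddy/Unbound fragments with the doc or mark the file as WIP at the top. On the first-run step, `http://gogs-insecure.domain.tld:3000` creates the admin account and password over plaintext HTTP; if port 3000 is reachable beyond the internal zone (firewalld.md does not restrict it), finish setup through the `https://gogs.domain.tld` Caddy vhost instead and keep 3000 bound to the docker-private network.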

+ 60
- 0
armbian/incron.md

@@ -0,0 +1,60 @@
1
+# Incron
2
+
3
+A 'cron' daemon that watches the filesystem for changes and performs actions. This is used to auto-apply config for Caddy and Unbound.
4
+
5
+This is here mainly to facilitate auto-reloads of Caddy/Unbound during setup and over time. This is especially helpful if using acme.sh for Let's Encrypt certificates as they are regularly updated and once updated need a restart of the Caddy service. This config takes care of that situation as well as updated DNS records in Unbound.
6
+
7
+## Inspiration / Sources
8
+
9
+- [https://www.cyberciti.biz/faq/linux-inotify-examples-to-replicate-directories/](https://www.cyberciti.biz/faq/linux-inotify-examples-to-replicate-directories/)
10
+
11
+## Install
12
+
13
+``` bash
14
+
15
+apt update
16
+apt install incron
17
+systemctl enable incron
18
+systemctl start incron
19
+
20
+```
21
+
22
+## Configure
23
+
24
+### Unbound
25
+
26
+``` bash
27
+
28
+cat > /etc/incron.d/unbound.conf <<EOF
29
+/etc/unbound/local_zone IN_CREATE,IN_ATTRIB,IN_MODIFY,IN_DELETE unbound-control reload
30
+EOF
31
+
32
+```
33
+
34
+### Caddy
35
+
36
+``` bash
37
+
38
+cat > /etc/incron.d/caddy.conf <<EOF
39
+/etc/caddy/services IN_CREATE,IN_ATTRIB,IN_MODIFY,IN_DELETE killall -USR1 caddy
40
+EOF
41
+
42
+```
43
+
44
+### Acme.sh Certificate Updates
45
+
46
+``` bash
47
+
48
+cat > /etc/incron.d/acme-sh.conf <<EOF
49
+/var/acme.sh/domain.tld IN_CREATE,IN_ATTRIB,IN_MODIFY,IN_DELETE killall -USR1 caddy
50
+EOF
51
+
52
+```
53
+
54
+### Post Configure
55
+
56
+``` bash
57
+
58
+systemctl restart incron
59
+
60
+```
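Review bot: the watch masks `IN_CREATE,IN_ATTRIB,IN_MODIFY,IN_DELETE` fire several times per file write (a `cat > file` produces CREATE and then one MODIFY per write), so each config drop triggers multiple `killall -USR1 caddy` / `unbound-control reload` calls, and the first can land while the file is half-written, making Caddy reload a truncated fragment. Use `IN_CLOSE_WRITE,IN_MOVED_TO,IN_DELETE` instead, which fires once after the writer closes the file (or after an atomic rename), and write fragments to a temp name then `mv` them into place. Also `unbound-control reload` only works when `remote-control: control-enable: yes` is set and `unbound-control-setup` has generated the keys; since unbound.md is not part of this commit, add that prerequisite here.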

+ 177
- 0
armbian/lets_encrypt.md

@@ -0,0 +1,177 @@
1
+# Let's Encrypt
2
+
3
+Use [acme.sh](https://github.com/Neilpang/acme.sh/) for wholly self-contained Let's Encrypt certificates. This assumes CloudFlare DNS is used for authentication.
4
+
5
+*Note: You probably want to use a DNS provider/API so you don't have to expose a service to the outside world*
6
+
7
+*NOTE: You may want to use a filesystem on a USB disk instead of /var for the volumes setup in the below Docker command(s) to help reduce writes to the micro sd card*
8
+
9
+## Dependencies
10
+
11
+``` bash
12
+apt update
13
+apt install jq
14
+
15
+```
16
+
17
+## Prep
18
+
19
+Grab the acme.sh Dockerfile and update it to work with arm (32 or 64).
20
+
21
+``` bash
22
+
23
+mkdir -p /root/docker/acme.sh
24
+cd /root/docker/acme.sh
25
+wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/Dockerfile
26
+sed -i '1s/^/ARG ALPINE=alpine:3.6\n/' Dockerfile
27
+sed -i '/FROM/c\FROM $ALPINE' Dockerfile
28
+mkdir /var/acme.sh
29
+chmod 700 /var/acme.sh
30
+
31
+```
32
+
33
+## Setup / Run
34
+
35
+Setup a basic update/run script with the adjusted upstream Dockerfile
36
+
37
+``` bash
38
+
39
+cat > /root/docker/acme.sh/acme.sh <<EOF
40
+#!/bin/bash
41
+
42
+LATEST=\`docker images --no-trunc acme.sh/acme.sh | awk '{print \$2}' | sort -r | head -n1\`
43
+
44
+RELEASE=\`curl -s https://api.github.com/repos/Neilpang/acme.sh/releases/latest | jq -r .tag_name\`
45
+
46
+if [ \$RELEASE == \$LATEST ]
47
+then
48
+    echo "Already up to date"
49
+fi
50
+
51
+ARCH=\`arch\`
52
+ALPINE=""
53
+
54
+# Cleanup arch here
55
+if [ \$ARCH == "aarch64" ]
56
+then
57
+    echo "64bit arm"
58
+    ARCH="arm64"
59
+    ALPINE="arm64v8/alpine"
60
+else
61
+    echo "32bit arm"
62
+    ARCH="arm"
63
+    ALPINE="arm32v6/alpine"
64
+fi
65
+
66
+echo "Build parms"
67
+echo "    \${RELEASE}"
68
+echo "    \${ARCH}"
69
+echo "    \${ALPINE}"
70
+
71
+echo "Running build"
72
+
73
+docker build \\
74
+    --network host \\
75
+    --build-arg ALPINE=\$ALPINE \\
76
+    --file /root/docker/acme.sh/Dockerfile \\
77
+    --tag acme_sh/acme_sh:\$RELEASE \\
78
+    .
79
+
80
+echo "Running with latest release"
81
+
82
+# Cleanup existing container
83
+docker stop acme_sh
84
+docker rm acme_sh
85
+
86
+# Re-run/create container with latest image
87
+# daemon (for cron auto renews)
88
+docker run -itd  \\
89
+    -v "/var/acme.sh":/acme.sh \\
90
+    --net=host \\
91
+    --restart unless-stopped \\
92
+    --name=acme_sh \\
93
+    acme_sh/acme_sh:\$RELEASE daemon
94
+
95
+EOF
96
+
97
+chmod a+x /root/docker/acme.sh/acme.sh
98
+
99
+```
100
+
101
+## First Run
102
+
103
+Run ```cd /root/docker/acme.sh && /root/docker/acme.sh/acme.sh``` to get the container online. The following commands will get your Let's Encrypt certificates created.
104
+
105
+*Note: The above script(s) setup the container to auto-run for auto-renew purposes. If you think you'll miss your renew window, force update the certs*
106
+
107
+## Get Help
108
+
109
+``` bash
110
+
111
+docker exec acme.sh --help
112
+
113
+```
114
+
115
+## Renewals...
116
+
117
+If you're going to be on the go, you may want to force rewewal of your scripts ahead of any travel or longer periods of time away from the internet. The author recommends a simple script at ```/root/update_certs.sh``` or similar that calls the necessary command(s) from below.
118
+
119
+## Register a Let's Encrypt Account
120
+
121
+Only do this **ONCE**
122
+
123
+``` bash
124
+
125
+docker exec acme.sh \
126
+    --register-account \
127
+    --staging
128
+
129
+```
130
+
131
+## Issue Cert (CloudFlare DNS API)
132
+
133
+``` bash
134
+
135
+docker exec \
136
+    -e CF_Email='[your cloudflare email]' \
137
+    -e CF_Key='[your cloudflare api key]' \
138
+    acme.sh \
139
+    --issue \
140
+    --cert-file /acme.sh/domain.tld/domain.tld.crt \
141
+    --dns dns_cf \
142
+    -d domain.tld \
143
+    -d pi-hole-gui.domain.tld \
144
+    -d syncthing-gui.domain.tld \
145
+    -d nextcloud.domain.tld \
146
+    --staging
147
+
148
+```
149
+
150
+## Force Renew All Certs (CloudFlare DNS API)
151
+
152
+``` bash
153
+
154
+docker exec \
155
+    -e CF_Email='[your cloudflare email]' \
156
+    -e CF_Key='[your cloudflare api key]' \
157
+    acme.sh \
158
+    --renew-all \
159
+    --force \
160
+    --dns dns_cf \
161
+    --staging
162
+
163
+```
164
+
165
+## Revoke Cert
166
+
167
+``` bash
168
+
169
+docker exec acme.sh \
170
+    --revoke \
171
+    -d domain.tld \
172
+    -d pi-hole-gui.domain.tld \
173
+    -d syncthing-gui.domain.tld \
174
+    -d nextcloud.domain.tld \
175
+    --staging
176
+
177
+```
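Review bot: every acme.sh invocation here (`--register-account`, `--issue`, `--renew-all`, `--revoke`) carries `--staging`, and the doc never says to drop it, so a reader following it ends up with certificates from the Let's Encrypt staging CA that no browser trusts, and Caddy then serves them. State that `--staging` is for the dry run and that registration and issue must be repeated without it. Second, the container is created with `--name=acme_sh` but every `docker exec` targets `acme.sh`, so the Get Help, Register, Issue, Renew and Revoke commands all fail with "No such container". Third, in the build script `LATEST` queries `docker images ... acme.sh/acme.sh` while the build tags `acme_sh/acme_sh`, so `LATEST` is always empty; the unquoted `[ \$RELEASE == \$LATEST ]` then errors, and even on a match the script only echoes "Already up to date" without exiting and rebuilds anyway; quote both sides and `exit 0` on match. On credentials: `CF_Key` is the Cloudflare Global API key (full account control), it lands in shell history via `-e`, and acme.sh persists it in `/var/acme.sh/account.conf` for renewals; that directory is also swept into the unencrypted borg repo from borg.md, so either exclude it there or encrypt the repo. Minor: `chmod 700 /var/acme.sh` is later relaxed by the `setfacl` calls in caddy.md; note the dependency so the two files stay consistent.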

+ 95
- 0
armbian/modem_manager.md

@@ -0,0 +1,95 @@
1
+# Modem Manager
2
+
3
+Setup an LTE/3G modem. You'll need to adapt this information to your specific modem(s) but overall the process is sound.
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [https://www.freedesktop.org/software/ModemManager/man/1.0.0/mmcli.8.html](https://www.freedesktop.org/software/ModemManager/man/1.0.0/mmcli.8.html)
8
+- [https://superuser.com/questions/1228477/linux-gsm-nmcli-working-with-two-gsm-modems-and-connections](https://superuser.com/questions/1228477/linux-gsm-nmcli-working-with-two-gsm-modems-and-connections)
9
+- [https://unix.stackexchange.com/questions/113975/configure-gsm-connection-using-nmcli](https://unix.stackexchange.com/questions/113975/configure-gsm-connection-using-nmcli)
10
+- [http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=836](http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?t=836)
11
+- [https://wiki.openwrt.org/doc/recipes/3gdongle](https://wiki.openwrt.org/doc/recipes/3gdongle)
12
+- [http://www.draisberghof.de/usb_modeswitch/#download](http://www.draisberghof.de/usb_modeswitch/#download)
13
+- [http://www.draisberghof.de/usb_modeswitch/#install](http://www.draisberghof.de/usb_modeswitch/#install)
14
+- [http://www.draisberghof.de/usb_modeswitch/#install](http://www.draisberghof.de/usb_modeswitch/#install)
15
+- [https://forums.linuxmint.com/viewtopic.php?f=53&t=119342](https://forums.linuxmint.com/viewtopic.php?f=53&t=119342)
16
+- [https://bostonenginerd.com/posts/getting-the-t-mobile-jet-huawei-366-usb-modem-to-work-in-linux/](https://bostonenginerd.com/posts/getting-the-t-mobile-jet-huawei-366-usb-modem-to-work-in-linux/)
17
+- [https://github.com/Robpol86/robpol86.com/blob/master/docs/raspberry_pi_project_fi.rst](https://github.com/Robpol86/robpol86.com/blob/master/docs/raspberry_pi_project_fi.rst)
18
+
19
+## On The Go Help
20
+
21
+If you're ever in need of help on the go, ```man mmcli``` has a lot of good info as does ```mmcli --help```.
22
+
23
+## Initial Setup
24
+
25
+The steps below are for getting USB mode switch working which is necessary for some Huawei modems. This example is for a Huawei 366 modem. You'll need to adjust your setup accordingly.
26
+
27
+``` bash
28
+
29
+apt update
30
+apt install usb-modeswitch usb-modeswitch-data
31
+cd /etc/usb_modeswitch.d
32
+tar -xzf /usr/share/usb_modeswitch/configPack.tar.gz
33
+lsusb # note modem ids
34
+# Huawei e366
35
+usb_modeswitch --default-vendor 12d1 --default-product 1446 -c /etc/usb_modeswitch.d/12d1\:1446
36
+lsusb # verify the modem ids changed (may take a moment to mode switch)
37
+
38
+```
39
+
40
+## Modem Manager Setup / Preflight
41
+
42
+``` bash
43
+
44
+apt update
45
+apt install modemmanager # Install
46
+systemctl enable ModemManager # Enable the service
47
+systemctl start ModemManager # Start the service
48
+mmcli --scan-modems # Scan for modems (this can take a few minutes)
49
+mmcli --list-modems # List the modems modem manager sees
50
+mmcli --modem 0 # Get details of first modem
51
+
52
+```
53
+
54
+## Setup Auto Mode Switch
55
+
56
+This should be setup by the ```usb_modeswitch``` package for you. Reboot and then run ```lspci``` to ensure it's 100%.
57
+
58
+## Useful mmcli Commands / Switches
59
+
60
+- ```mmcli --monitor-modems```
61
+- ```mmcli --enable```
62
+- ```mmcli --disable```
63
+- ```mmcli --monitor-state```
64
+- ```--set-power-state-on```
65
+- ```--set-power-state-low```
66
+- ```--set-power-state-off```
67
+
68
+## Add connection to NetworkManager
69
+
70
+``` bash
71
+
72
+# Ensure things work
73
+mmcli --modem 0 --enable
74
+mmcli --modem 0 --list-bearers
75
+mmcli --modem 0 --3gpp-scan --timeout=30
76
+
77
+# Simple connection (this does no good in production)
78
+mmcli --modem 0 --simple-connect="pin=1234,apn=internet"
79
+
80
+# Setup persistent connection via NetworkManager
81
+nmcli c add con-name "wan-wwan-1" type gsm ifname "*" apn "internet"
82
+
83
+```
84
+
85
+## Location Related Commands
86
+
87
+``` bash
88
+
89
+mmcli --modem 0 --location-status
90
+mmcli --modem 0 --location-enable-3gpp
91
+mmcli --modem 0 --location-enable-gps-nmea
92
+mmcli --modem 0 --location-enable-gps-raw
93
+mmcli --modem 0 --location-get
94
+
95
+```
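Review bot: `lspci` in the "Setup Auto Mode Switch" step will never list a USB modem, so the post-reboot check should be `lsusb`, as in the Initial Setup block, so the reader can confirm the product ID really changed from the storage ID to the modem ID. Two smaller points in the same hunk: `--simple-connect="pin=1234,apn=internet"` puts the SIM PIN on the command line, where it lands in shell history, and the `nmcli c add ... type gsm` connection added afterwards carries no PIN at all, so a PIN-locked SIM will not come up on `wan-wwan-1` unless `gsm.pin` is set on that connection (preferably through the interactive editor rather than as an argument); and the `usb_modeswitch/#install` link appears twice in the reading list.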

+ 76
- 0
armbian/monitoring.md View File

@@ -0,0 +1,76 @@
1
+# Monitoring
2
+
3
+Track resource utilization over time.
4
+
5
+**BE MINDFUL OF RUNNING THIS. IT CAN CAUSE PROBLEMS WITH DISK IOPS AND RAM USAGE. BEST ONLY USED IF NEEDED OR YOU'RE TROUBLESHOOTING.**
6
+
7
+## cadvisor
8
+
9
+[cadvisor (link)](https://github.com/google/cadvisor) has been recommended for monitoring Docker container resource usage. Could be useful.
10
+
11
+Untested by the Author.
12
+
13
+## Munin
14
+
15
+Simple, efficient, old school, well supported. Start here.
16
+
17
+Further reading : [http://munin-monitoring.org/](http://munin-monitoring.org/)
18
+
19
+### Install
20
+
21
+``` bash
22
+
23
+apt update
24
+apt install munin munin-node \
25
+    munin-plugins-core munin-plugins-extra \
26
+    libcgi-fast-perl
27
+vim /etc/munin/munin.conf
28
+vim /etc/munin/munin-node.conf
29
+vim /etc/munin/plugin-conf.d/*
30
+munin-node-configure --suggest 2>&1 | less
31
+munin-node-configure --shell 2>&1 | less
32
+systemcl restart munin-node
33
+systemctl enable munin-node
34
+
35
+```
36
+
37
+### Serving Output Via Caddy
38
+
39
+``` bash
40
+
41
+cat > /etc/caddy/services/munin.conf <<EOF
42
+# Munin - Static web resources
43
+domain.tld:80/static domain.tld:443/static {
44
+    redir 301 {
45
+        if {scheme} is http
46
+        / https://domain.tld{uri}
47
+    }
48
+
49
+    root /etc/munin/static
50
+
51
+    # Use acme.sh Let's Encrypt SSL cert setup
52
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
53
+}
54
+
55
+# Munin - main site/cgi's
56
+domain.tld:80 domain.tld:443 {
57
+    redir 301 {
58
+        if {scheme} is http
59
+        / https://domain.tld{uri}
60
+    }
61
+
62
+    log /var/log/caddy/test.kemonine.info.log
63
+
64
+    # Setup CGI rendering scripts
65
+    cgi /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
66
+    cgi /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
67
+
68
+    # Set path to generated HTML via cron/systemd processes
69
+    root /var/cache/munin/www
70
+
71
+    # Use acme.sh Let's Encrypt SSL cert setup
72
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
73
+}
74
+EOF
75
+
76
+```
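Review bot: the Caddy site in this hunk publishes the Munin HTML and the two `munin-cgi` endpoints on `domain.tld` with no access control; Munin exposes process, disk, memory and network history for the box, which is reconnaissance data on a travel router, so the block should at least put a `basicauth` directive in front of `/` and `/munin-cgi/`, or bind to the management address only. The install block also has `systemcl restart munin-node` (typo for `systemctl`), which fails at copy-paste time, and `log /var/log/caddy/test.kemonine.info.log` hard-codes the author's test hostname where every other line uses the `domain.tld` placeholder.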

+ 241
- 0
armbian/network_manager.md View File

@@ -0,0 +1,241 @@
1
+# Network Manager
2
+
3
+```TODO : INCOMPLETE```
4
+
5
+Setup overall networking. This is focused on ethernet/WiFi as an internet connection.
6
+
7
+## Inspiration / Further Reading
8
+
9
+- [https://developer.gnome.org/NetworkManager/stable/NetworkManager.html](https://developer.gnome.org/NetworkManager/stable/NetworkManager.html)
10
+- [https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html](https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html)
11
+- [https://developer.gnome.org/NetworkManager/stable/nmcli.html](https://developer.gnome.org/NetworkManager/stable/nmcli.html)
12
+- [https://developer.gnome.org/NetworkManager/stable/nmcli-examples.html](https://developer.gnome.org/NetworkManager/stable/nmcli-examples.html)
13
+
14
+## Overview
15
+
16
+Setup the base NetworkManager config/networking. This will help with making the Internet side of networking more dynamic and responsive to devices being added/removed.
17
+
18
+The author assumes LAN/Ethernet > WiFi > 3G/LTE for connection priority. (*Note: NetworkManager assumes this too*)
19
+
20
+## Install / Enable
21
+
22
+``` bash
23
+
24
+apt update
25
+# Install additional deps
26
+apt install ebtables ipset
27
+# Install + add-ons
28
+apt install network-manager \
29
+    network-manager-openvpn network-manager-pptp
30
+systemctl enable NetworkManager # Enable the service
31
+systemctl start NetworkManager # Start the service
32
+
33
+```
34
+
35
+## Disable Stock Networking
36
+
37
+Edit ```/etc/network/interfaces``` and make sure eth0 directives aren't present.
38
+
39
+Reboot after above cleanup of interfaces file.
40
+
41
+## ProTip
42
+
43
+```nmtui``` can be used for an ncurses graphical interface for NetworkManager
44
+
45
+## Set Hostname
46
+
47
+``` bash
48
+
49
+nmcli general hostname [hostname] # Additional parm sets hostname
50
+systemctl reboot # Reboot to pickup the change
51
+
52
+```
53
+
54
+## Get Status
55
+
56
+Some commands that help getting the status of NetworkManager
57
+
58
+- ```nmcli networking connectivity```
59
+- ```nmcli monitor```
60
+- ```nmcli device monitor```
61
+- ```nmcli connection monitor```
62
+
63
+## Enable / Disable ALL
64
+
65
+Handy if you want to shut down *all* networking for some reason
66
+
67
+```nmcli networking on|off```
68
+
69
+## Radio Control
70
+
71
+Control WiFi / GSM radios
72
+
73
+### Wifi
74
+
75
+```nmcli radio wifi [on|off]```
76
+
77
+### 3G/LTE
78
+
79
+```nmcli radio wwan [on|off]```
80
+
81
+## Connection / Device Related
82
+
83
+Some useful commands for adjusting connection/device status
84
+
85
+- ```nmcli connection reload # Reload any changes / updates (this isn't automagic by default)```
86
+- ```nmcli connection show --active```
87
+- ```nmcli connection up [id]```
88
+- ```nmcli connection down [id]```
89
+- ```nmcli device status```
90
+- ```nmcli device show [ifname]```
91
+- ```nmcli device connect [ifname]```
92
+- ```nmcli device disconnect [ifname]```
93
+
94
+## Disable Orange Pi Zero Internal WiFi
95
+
96
+If you're using an Orange Pi Zero, the internal WiFi adapter is unstable at best. The following will disable the adapter.
97
+
98
+``` bash
99
+
100
+nmcli device status # Verify the internal WiFi is shwoing as wlan0
101
+nmcli device disconnect wlan0 # Run this if it shows as connected
102
+nmcli device set wlan0 autoconnect no
103
+
104
+```
105
+
106
+## Setup Networks
107
+
108
+Some configuration via ```nmcli``` for various networks/interfaces/devices that may or may not be in use at any given moment. These commands just make NetworkManager aware of the overall topology and connections. Routing, firewall and more is setup later.
109
+
110
+*Note: Add autoconnect false if you don't want the connection auto started if a device is present*
111
+
112
+### Clear Existing
113
+
114
+Run ```nmcli connection show``` to get a list of active network connections. We will want to remove all of these.
115
+
116
+Run ```nmcli connection del [UUID]``` for each UUID listed in the previous commands output.
117
+
118
+### Management Ethernet
119
+
120
+*Note: It's assumed the on-board ethernet adapter will be used for management and an EXTERNAL USB Ethernet adapter used for WAN (if needed)*
121
+
122
+``` bash
123
+
124
+# Management via usb ethernet adapter
125
+#     includes network sharing
126
+nmcli connection add save yes \
127
+    type ethernet \
128
+    con-name mgmt \
129
+    ifname eth0 \
130
+    -- \
131
+    ipv4.method shared \
132
+    ipv4.addr 172.16.16.16/24 \
133
+    ipv6.method ignore
134
+nmcli device set eth0 autoconnect yes
135
+
136
+```
137
+
138
+### WiFi 2.4ghz Access Point
139
+
140
+*Note: You can use ```802-11-wireless.channel #``` in the below command to force a channel to be used*
141
+
142
+``` bash
143
+
144
+# Get the ifname of the wifi adapter with `nmcli dev show`
145
+
146
+# HostAP mode (2.4ghz / wireless access point)
147
+#     includes network sharing
148
+nmcli connection add save yes \
149
+    type wifi \
150
+    con-name wifi-ap-24 \
151
+    ifname [wifi iface] \
152
+    ssid 24.lolipop.domain.tld \
153
+    -- \
154
+    ipv4.method shared \
155
+    ipv4.addresses 172.17.17.17/24 \
156
+    ipv6.method ignore \
157
+    802-11-wireless.mode ap \
158
+    802-11-wireless.band bg \
159
+    802-11-wireless.channel 11 \
160
+    802-11-wireless-security.key-mgmt wpa-psk \
161
+    802-11-wireless-security.proto rsn \
162
+    802-11-wireless-security.psk MyPassword
163
+
164
+```
165
+
166
+### WiFi 5ghz Access Point
167
+
168
+*Note: You can use ```802-11-wireless.channel #``` in the below command to force a channel to be used*
169
+
170
+``` bash
171
+
172
+# Get the ifname of the wifi adapter with `nmcli dev show`
173
+
174
+# HostAP mode (5ghz / wireless access point)
175
+#     includes network sharing
176
+nmcli connection add save yes \
177
+    type wifi \
178
+    con-name wifi-ap-50 \
179
+    ifname [wifi iface] \
180
+    ssid 50.lolipop.domain.tld \
181
+    -- \
182
+    ipv4.method shared \
183
+    ipv4.addresses 172.18.18.18/24 \
184
+    ipv6.method ignore \
185
+    802-11-wireless.mode ap \
186
+    802-11-wireless.band a \
187
+    802-11-wireless.channel 40 \
188
+    802-11-wireless-security.key-mgmt wpa-psk \
189
+    802-11-wireless-security.proto rsn \
190
+    802-11-wireless-security.psk MyPassword
191
+
192
+```
193
+
194
+### WAN - Ethernet (External USB Adapter)
195
+
196
+*Note: It's assumed you'll be using a USB Ethernet adapter for WAN if needed. This matches the overall use of USB devices that are plugged/unplugged as necessary for WAN needs*
197
+
198
+``` bash
199
+
200
+# WAN via ethernet cable
201
+nmcli connection add save yes \
202
+    type ethernet \
203
+    con-name wan-eth \
204
+    ifname eth1 \
205
+    -- \
206
+    ipv4.method auto \
207
+    ipv6.method auto
208
+nmcli device set eth1 autoconnect yes
209
+
210
+```
211
+
212
+### WAN - WiFi Bridge
213
+
214
+``` bash
215
+
216
+# Get list of access points in the area
217
+nmcli dev wifi list
218
+
219
+# Get the ifname of the client wifi adapter with `nmcli dev show`
220
+
221
+# WAN via Client mode (wireless bridge)
222
+#    Note the ASK flag so you're prompted to enter user/pass type infos
223
+nmcli connection add save yes \
224
+    type wifi \
225
+    con-name wan-wifi \
226
+    ifname [wifi iface] \
227
+    ssid [ssidFromAbove] \
228
+    -- \
229
+    wifi-sec.key-mgmt wpa-psk \
230
+    wifi-sec.psk [wpaPassword]
231
+nmcli device set [wifi iface] autoconnect yes
232
+
233
+```
234
+
235
+### WAN - GSM (3G/LTE)
236
+
237
+See [Modem Manager](modem_manager.md) for details on integrating a 3G/LTE modem into the networking setup.
238
+
239
+## Auto Config
240
+
241
+Once the above is setup Network Manager should handle the auto configuration of your WAN/LAN/Modems/etc for you.
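Review bot: the WAN WiFi block's comment says "Note the ASK flag so you're prompted to enter user/pass type infos", but the command under it has no `--ask`; as written the PSK goes on the command line via `wifi-sec.psk [wpaPassword]` and into shell history, exactly like the `802-11-wireless-security.psk MyPassword` lines in the two AP blocks. Either fix the comment and enter the secrets through `nmcli connection edit` or `nmtui` (which this hunk already recommends), or actually pass `--ask`. In the Management Ethernet block the comment reads "Management via usb ethernet adapter" while the note above it and `ifname eth0` say on-board, and that block uses `ipv4.addr` where the AP blocks use the full `ipv4.addresses` property name; use the full name in all three so the commands are identical in shape. Minor: "shwoing" in the Orange Pi Zero block.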

+ 262
- 0
armbian/nextcloud.md View File

@@ -0,0 +1,262 @@
1
+# NextCloud
2
+
3
+NextCloud in a container. A simple PHP-FPM deployment. You'll need the Web Server container setup to get access. This just gives a very basic, non-web-server version of NextCloud.
4
+
5
+*NOTE: You may want to use a filesystem on a USB disk instead of /var for the volumes setup in the below Docker command(s) to help reduce writes to the micro sd card*
6
+
7
+## Inspiration / Sources
8
+
9
+- [https://github.com/nextcloud/docker](https://github.com/nextcloud/docker)
10
+- [https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion)
11
+- [https://hub.docker.com/_/nextcloud/](https://hub.docker.com/_/nextcloud/)
12
+- [https://hub.docker.com/r/arm64v8/nextcloud/](https://hub.docker.com/r/arm64v8/nextcloud/)
13
+- [https://hub.docker.com/r/arm32v5/nextcloud/](https://hub.docker.com/r/arm32v5/nextcloud/)
14
+- [https://hub.docker.com/r/arm32v7/nextcloud/](https://hub.docker.com/r/arm32v7/nextcloud/)
15
+
16
+## Install / Update / Run Script
17
+
18
+Setup a generic script that'll auto update NextCloud, build a container and launch it. You should only run this script at first launch and/or when you're looking for updates.
19
+
20
+``` bash
21
+
22
+mkdir /var/nextcloud
23
+chown www-data /var/nextcloud
24
+
25
+cat > /root/docker/nextcloud.sh <<EOF
26
+#!/bin/bash
27
+
28
+ARCH=\`arch\`
29
+UPSTREAM="arm32v7/nextcloud:stable"
30
+
31
+# Cleanup arch/container image here
32
+if [ \$ARCH == "aarch64" ]
33
+then
34
+    echo "64bit arm"
35
+    UPSTREAM="arm64v8/nextcloud:stable"
36
+else
37
+    echo "32bit arm"
38
+    UPSTREAM="arm32v7/nextcloud:stable"
39
+fi
40
+
41
+echo "Updating"
42
+
43
+docker pull \$UPSTREAM
44
+
45
+echo "Running with latest release"
46
+
47
+# Cleanup existing container
48
+docker stop nextcloud
49
+docker rm nextcloud
50
+
51
+##########
52
+# For postgresql instead of sqlite run the following commands
53
+#docker exec -it postgres psql -U postgres
54
+#create role nextcloud nocreatedb nocreaterole login PASSWORD 'password';
55
+#create database nextcloud owner=nextcloud encoding=UTF8;
56
+
57
+# Setup using the above database/username/role and ip of 172.30.12.12
58
+##########
59
+
60
+# Re-run/create container with latest image
61
+docker run \\
62
+    --name nextcloud \\
63
+    --restart unless-stopped \\
64
+    --net docker-private \\
65
+    --ip 172.30.7.7 \\
66
+    -e TZ=UTC \\
67
+    -e DEBUG=1 \\
68
+    -v /var/nextcloud:/var/www/html \\
69
+    \$UPSTREAM
70
+
71
+EOF
72
+
73
+chmod a+x /root/docker/nextcloud.sh
74
+
75
+```
76
+
77
+## Run NextCloud
78
+
79
+Simply execute ```/root/docker/nextcloud.sh``` to update/run NextCloud.
80
+
81
+## Update Unbound
82
+
83
+``` bash
84
+
85
+cat > /etc/unbound/local_zone/nextcloud.conf <<EOF
86
+local-data: "nextcloud-insecure A 172.30.7.7"
87
+local-data-ptr: "172.30.7.7 nextcloud-insecure"
88
+local-data: "nextcloud-insecure.domain.tld A 172.30.7.7"
89
+local-data-ptr: "172.30.7.7 nextcloud-insecure.domain.tld"
90
+
91
+local-data: "nextcloud A 172.30.0.1"
92
+local-data: "nextcloud.domain.tld A 172.30.0.1"
93
+local-data-ptr: "172.30.0.1 nextcloud"
94
+local-data-ptr: "172.30.0.1 nextcloud.domain.tld"
95
+EOF
96
+
97
+```
98
+
99
+## Serving Via Caddy
100
+
101
+``` bash
102
+
103
+cat > /etc/caddy/services/nextcloud.conf <<EOF
104
+# Nextcloud proxy
105
+nextcloud:80, nextcloud:443, nextcloud.domain.tld:80, nextcloud.domain.tld:443 {
106
+    redir 301 {
107
+        if {scheme} is http
108
+        /  https://nextcloud.domain.tld{uri}
109
+    }
110
+
111
+    log /var/log/caddy/nextcloud.log
112
+    proxy / 172.30.7.7:80 {
113
+        transparent
114
+    }
115
+
116
+    # Use acme.sh Let's Encrypt SSL cert setup
117
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
118
+
119
+    header / {
120
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always
121
+        # connect via HTTPS (do not use if only testing)
122
+        Strict-Transport-Security "max-age=15552000;"
123
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
124
+        X-XSS-Protection "1; mode=block"
125
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
126
+        X-Content-Type-Options "nosniff"
127
+        # Disallow the site to be rendered within a frame (clickjacking protection)
128
+        X-Frame-Options "DENY"
129
+    }
130
+}
131
+EOF
132
+
133
+```
134
+
135
+## First Run / Finalize Setup
136
+
137
+- Navigate to ```http://nextcloud-insecure.domain.tld```
138
+- Follow on-screen prompts for finalizing the NextCloud setup
139
+- Login as Admin
140
+
141
+## Post Install
142
+
143
+### Update/Install/Enable Apps
144
+
145
+#### Enabled Apps
146
+- Update any apps that are showing as out of date
147
+
148
+#### Disabled apps
149
+
150
+- Enable Auditing / Logging app
151
+- Enable Default encryption module
152
+- Enable external storage support
153
+- Enable PDF Viewer
154
+
155
+#### Customization
156
+
157
+- Install External sites app
158
+
159
+#### Files
160
+
161
+- Install Group folders app
162
+
163
+#### Office & Text
164
+
165
+- Enable Calendar app
166
+- Enable Contacts app
167
+- Enable Notes app
168
+- Enable Tasks app
169
+
170
+#### Organization
171
+
172
+- Install Annoucement center app
173
+- Enable bookmarks app
174
+
175
+#### Security
176
+
177
+- Enable brute force settings app
178
+- Enable restrict login to IP addresses app
179
+- Enable Two Factor TOTP Provider app
180
+- Enable Two Factor U2F app
181
+- Enable Two Factory Yubikey
182
+
183
+#### Social & communication
184
+
185
+- Enable circles app
186
+
187
+#### Tools
188
+
189
+- Enable Impersonate app
190
+
191
+### Basic Setup
192
+
193
+#### Adjust default view
194
+
195
+If you'd like to see the activities view as your default view in NextCloud, edit ```/var/nextcloud/config/config.php``` and add ```'defaultapp' => 'activity',``` to the file.
196
+
197
+#### Add Cronjob
198
+
199
+In the settings change from ```Ajax``` for scheduled jobs to ```Cron``` and run the following commands on your device.
200
+
201
+This will lessen the page loads and keep the cron job constrained to a reasonable duration.
202
+
203
+``` bash
204
+
205
+cat > /etc/systemd/system/nextcloudcron.service <<EOF
206
+[Unit]
207
+Description=Nextcloud cron.php job
208
+
209
+[Service]
210
+User=roo
211
+ExecStart=/usr/bin/docker exec --user www-data nextcloud php /var/www/html/cron.php
212
+
213
+[Install]
214
+WantedBy=basic.target
215
+EOF
216
+
217
+cat > /etc/systemd/system/nextcloudcron.timer <<EOF
218
+[Unit]
219
+Description=Run Nextcloud cron.php every 90 minutes
220
+
221
+[Timer]
222
+OnBootSec=10min
223
+OnUnitActiveSec=90min
224
+Unit=nextcloudcron.service
225
+
226
+[Install]
227
+WantedBy=timers.target
228
+EOF
229
+
230
+systemctl daemon-reload
231
+systemctl start nextcloudcron.timer
232
+systemctl enable nextcloudcron.timer
233
+
234
+```
235
+
236
+#### Adjust Sharing settings
237
+
238
+- Disable ```Allow public uploads```
239
+- Disable ```Allow users on this server to send shares to other servers```
240
+- Disable ```Send password by mail```
241
+
242
+#### Adjust Security settings
243
+
244
+Recommended Settings (Up to you)
245
+
246
+- Minimal Length : 12
247
+- Forbid common passwords
248
+- Enforce upper and lower case characters
249
+- Enforce numeric characters
250
+
251
+### Setup Apps
252
+
253
+- Setup file encryption : [https://docs.nextcloud.com/server/13/admin_manual/configuration_files/encryption_configuration.html](https://docs.nextcloud.com/server/13/admin_manual/configuration_files/encryption_configuration.html)
254
+- Setup external sites app as appropriate
255
+- Setup remaining apps from above
256
+
257
+### Configure groups (as appropriate)
258
+
259
+- Create group for standard users
260
+- Create group folder for the new group (non-syncthing dumping ground for sync)
261
+- Setup shared contacts list for new group
262
+- Setup shared calendar for new group
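Review bot: `nextcloudcron.service` has `User=roo`, so systemd will refuse to start it (no such user) and the timer will fire into a failed unit every 90 minutes; it should be `User=root`, which `docker exec` needs anyway, and the `[Install] WantedBy=basic.target` section is unnecessary on a timer-driven service. Separately, the First Run section sends the reader to `http://nextcloud-insecure.domain.tld`, so the initial admin password is submitted in clear text to 172.30.7.7; since the TLS-terminating Caddy proxy for `nextcloud.domain.tld` is configured in this same hunk, the first run can go through `https://nextcloud.domain.tld` unless there is a trusted_domains reason to hit the container directly, in which case that reason belongs in the text.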

+ 173
- 0
armbian/pi_hole.md View File

@@ -0,0 +1,173 @@
1
+# Pi Hole
2
+
3
+Ad blocking at the DNS level. Save yourself that precious transfer while on the go.
4
+
5
+This was chosen as it's designed to run on a Raspberry Pi and... this project is all about that kind of hardware.
6
+
7
+*NOTE: You may want to use a filesystem on a USB disk instead of /var for the volumes setup in the below Docker command(s) to help reduce writes to the micro sd card*
8
+
9
+## Inspiration / Further Reading
10
+
11
+- [https://hub.docker.com/r/diginc/pi-hole/](https://hub.docker.com/r/diginc/pi-hole/)
12
+- [https://hub.docker.com/r/diginc/pi-hole-multiarch/tags/](https://hub.docker.com/r/diginc/pi-hole-multiarch/tags/)
13
+- [https://github.com/diginc/docker-pi-hole/blob/master/README.md](https://github.com/diginc/docker-pi-hole/blob/master/README.md)
14
+- [https://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records](https://www.bentasker.co.uk/documentation/linux/279-unbound-adding-custom-dns-records)
15
+
16
+## Update Unbound
17
+
18
+### Setup unbound to listen on the Docker LAN so it can be the upstream of Pi Hole
19
+
20
+Add a 2nd ```interface``` line to ```/etc/unbound/unbound.conf```
21
+
22
+```interface: 172.30.0.1```
23
+
24
+Restart unbound with ```systemctl restart unbound```
25
+
26
+## Setup Unbound to start *after* Docker
27
+
28
+*See [here (link)](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-Managing_Services_with_systemd-Unit_Files#brid-Managing_Services_with_systemd-Extending_Unit_Config) for more details.*
29
+
30
+This is mainly here to ensure that unbound starts *after* the Docker network comes up as it's configured to listen on the Docker network. It'll fail to load/restart if the bind address isn't present when it is started.
31
+
32
+``` bash
33
+
34
+mkdir -p /etc/systemd/system/unbound.service.d
35
+cat > /etc/systemd/system/unbound.service.d/10-after-docker.conf <<EOF
36
+[Unit]
37
+Requires=docker.service
38
+After=docker.service
39
+Restart=always
40
+RestartSec=10
41
+EOF
42
+systemctl daemon-reload
43
+
44
+```
45
+
46
+## Setup Initial Run & Update Script
47
+
48
+A simple update script that will pull the latest Pi Hole Docker image, configure it for auto-run, etc. Note the settings under the ```docker run``` command. You need/want to tweak them lightly.
49
+
50
+Full docs on run time parms can be found in the Pi Hole [docs (link)](https://github.com/diginc/docker-pi-hole/blob/master/README.md).
51
+
52
+``` bash
53
+
54
+mkdir /var/pihole /var/pihole/data /var/pihole/dnsmasq.d
55
+cat > /root/docker/pi-hole.sh <<EOF
56
+#!/bin/bash
57
+
58
+ARCH=\`arch\`
59
+UPSTREAM=""
60
+
61
+# Cleanup arch/container image here
62
+if [ \$ARCH == "aarch64" ]
63
+then
64
+    echo "64bit arm"
65
+    UPSTREAM="diginc/pi-hole-multiarch:debian_aarch64"
66
+else
67
+    echo "32bit arm"
68
+    UPSTREAM="diginc/pi-hole-multiarch:debian_armhf"
69
+fi
70
+
71
+echo "Updating"
72
+
73
+docker pull \$UPSTREAM
74
+
75
+# Cleanup existing container
76
+docker stop pi-hole
77
+docker rm pi-hole
78
+
79
+# Re-run/create container with latest image
80
+docker run \\
81
+    --name pi-hole \\
82
+    --restart unless-stopped \\
83
+    --memory=128m \\
84
+    --net docker-private \\
85
+    --ip 172.30.5.5 \\
86
+    -e ServerIP=172.30.5.5 \\
87
+    -e DNS1=172.30.0.1 \\
88
+    -e TZ=UTC \\
89
+    -e WEBPASSWORD=[adecentpassword] \\
90
+    -e DEBUG=1 \\
91
+    -v /var/pihole/data:/etc/pihole \\
92
+    -v /var/pihole/dnsmasq.d:/etc/dnsmasq.d \\
93
+    \$UPSTREAM
94
+
95
+EOF
96
+
97
+chmod a+x /root/docker/pi-hole.sh
98
+
99
+```
100
+
101
+## Run Pi Hole
102
+
103
+Simply execute ```/root/docker/pi-hole.sh``` to update/run Pi Hole.
104
+
105
+## Update LAN(s) to Use Pi Hole
106
+
107
+*Note: Do NOT update the WAN connections to use Pi Hole. The only 'thing' using the WAN dns (unbound) should be the main board which should not be affected by ads. This also simplifies troubleshooting and failure modes (the board won't need working Docker/Pi Hole to fix problems with Docker/Pi Hole).*
108
+
109
+``` bash
110
+
111
+# Ensure *ALL* shared connections use pi hole (creative trick with NetworkManager)
112
+cat > /etc/NetworkManager/dnsmasq-shared.d/pi-hole.conf <<EOF
113
+server=172.30.5.5
114
+EOF
115
+
116
+# Bounce LAN's to pickup changes
117
+nmcli con down mgmt && nmcli con up mgmt
118
+nmcli con down wifi-ap-50 && nmcli con up wifi-ap-50
119
+nmcli con down wifi-ap-24 && nmcli con up wifi-ap-24
120
+
121
+```
122
+
123
+## Update Unbound
124
+
125
+``` bash
126
+
127
+cat > /etc/unbound/local_zone/pi-hole.conf <<EOF
128
+local-data: "pi-hole A 172.30.5.5"
129
+local-data-ptr: "172.30.5.5 pi-hole"
130
+local-data: "pi-hole.domain.tld A 172.30.5.5"
131
+local-data-ptr: "172.30.5.5 pi-hole.domain.tld"
132
+
133
+local-data-ptr: "172.30.0.1 pi-hole-gui"
134
+local-data-ptr: "172.30.0.1 pi-hole-gui.domain.tld"
135
+local-data: "pi-hole-gui A 172.30.0.1"
136
+local-data: "pi-hole-gui.domain.tld A 172.30.0.1"
137
+EOF
138
+
139
+```
140
+
141
+## Serving Via Caddy
142
+
143
+``` bash
144
+
145
+cat > /etc/caddy/services/pi-hole.conf <<EOF
146
+# Pi Hole proxy
147
+#    This is only so good
148
+#    Pi Hole assumes everything is http. Bump it over to http instead of https, because Pi Hole is stupid at life
149
+pi-hole-gui:80, pi-hole-gui:443, pi-hole-gui.domain.tld:80 pi-hole-gui.domain.tld:443 {
150
+    redir 301 {
151
+        if {scheme} is https
152
+        /  http://pi-hole-gui.domain.tld{uri}
153
+    }
154
+
155
+    log /var/log/caddy/pi-hole.log
156
+    proxy / 172.30.5.5:80 {
157
+        transparent
158
+    }
159
+
160
+    # Use acme.sh Let's Encrypt SSL cert setup
161
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
162
+}
163
+EOF
164
+
165
+```
166
+
167
+## Admin Interface
168
+
169
+Once the container is online you can get to the Pi Hole admin interface at ```http://pi-hole.domain.tld/admin```.
170
+
171
+## First Run Config
172
+
173
+Upon first run Pi Hole will be using a Google DNS server as a secondary to the locally hosted Unbound instance. You'll likely want to disable this functionality.
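Review bot: the unbound drop-in puts `Restart=always` and `RestartSec=10` under `[Unit]`; those keys belong to `[Service]`, so systemd logs them as unknown and ignores them, and the stated goal (recover when unbound starts before 172.30.0.1 exists) is not met. Split the drop-in into a `[Unit]` section with `Requires=`/`After=` and a `[Service]` section with the two Restart keys. In the Caddy block, `pi-hole-gui.domain.tld:80 pi-hole-gui.domain.tld:443` is missing the comma the other site lists use, and the `redir` deliberately sends HTTPS clients to `http://pi-hole-gui.domain.tld`, so the admin password set by `WEBPASSWORD` is submitted in clear over whatever LAN or WiFi the client is on; if Pi-hole misbehaves behind TLS, keep the proxy on HTTPS and restrict who can reach `/admin` rather than downgrading every client. Finally, the Admin Interface section points at `http://pi-hole.domain.tld/admin`, which unbound resolves to the container address 172.30.5.5, not to the `pi-hole-gui` name the Caddy site actually serves.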

+ 237
- 0
armbian/pia.md View File

@@ -0,0 +1,237 @@
1
+# Private Internet Access (PIA)
2
+
3
+```TODO : INCOMPLETE```
4
+
5
+This is a **VERY** advanced topic with some creative tricks to simplify getting the config added to NetworkManager. You're on your own.
6
+
7
+The author *strongly* recommends reading through this and adapting to other services well ahead of any real need(s).
8
+
9
+## Inspiration / Sources
10
+
11
+- [http://blog.deadlypenguin.com/blog/2017/04/24/vpn-auto-connect-command-line/](http://blog.deadlypenguin.com/blog/2017/04/24/vpn-auto-connect-command-line/)
12
+- [https://forums.linuxmint.com/viewtopic.php?t=97187](https://forums.linuxmint.com/viewtopic.php?t=97187)
13
+- [https://unix.stackexchange.com/questions/301845/scripting-a-way-to-quickly-import-ovpn-files-to-networkmanager-on-ubuntu](https://unix.stackexchange.com/questions/301845/scripting-a-way-to-quickly-import-ovpn-files-to-networkmanager-on-ubuntu)
14
+- [https://www.privateinternetaccess.com/pages/client-support/](https://www.privateinternetaccess.com/pages/client-support/)
15
+
16
+## Pep Work
17
+
18
+Download PIA OpenVPN advanced configs, drop them in a good place on the filesystem and script import.
19
+
20
+All files can be found Under ```Advanced OpenVPN SSL Restrictive Configurations``` on the main PIA website.
21
+
22
+### Download PIA OpenVPN Template Files
23
+
24
+``` bash
25
+
26
+mkdir -p /etc/pia
27
+cd /etc/pia
28
+mkdir openvpn-strong
29
+cd openvpn-strong
30
+wget https://www.privateinternetaccess.com/openvpn/openvpn-strong.zip
31
+unzip openvpn-strong.zip
32
+cd ..
33
+mkdir openvpn-strong-tcp
34
+cd openvpn-strong-tcp
35
+wget https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
36
+unzip openvpn-strong-tcp.zip
37
+cd ..
38
+
39
+```
40
+
41
+### Add OpenVPN To Network Manager
42
+
43
+``` bash
44
+
45
+# NetworkManager Gnome is *required* to get a missing library on xenial
46
+# OMIT Gnome item if you can get away with it...
47
+
48
+apt update
49
+apt install network-manager-openvpn network-manager-openvpn-gnome
50
+
51
+```
52
+
53
+### Cleanup Files for Import
54
+
55
+The cipher lines in the templates provided by PIA won't work 100% correctly on import. These commands will clean them up for import.
56
+
57
+``` bash
58
+
59
+cd /etc/pia
60
+cd openvpn-strong
61
+sed -i 's/aes-256-cbc/AES-256-CBC/g' *.ovpn
62
+sed -i 's/sha256/SHA256/g' *.ovpn
63
+sed -i 's_crl.rsa.4096.pem_/etc/pia/openvpn-strong/crl.rsa.4096.pem_g' *.ovpn
64
+sed -i 's_ca.rsa.4096.crt_/etc/pia/openvpn-strong/ca.rsa.4096.crt_g' *.ovpn
65
+cd ..
66
+cd openvpn-strong-tcp
67
+sed -i 's/aes-256-cbc/AES-256-CBC/g' *.ovpn
68
+sed -i 's/sha256/SHA256/g' *.ovpn
69
+sed -i 's_crl.rsa.4096.pem_/etc/pia/openvpn-strong-tcp/crl.rsa.4096.pem_g' *.ovpn
70
+sed -i 's_ca.rsa.4096.crt_/etc/pia/openvpn-strong-tcp/ca.rsa.4096.crt_g' *.ovpn
71
+cd ..
72
+
73
+```
74
+
75
+## Import / Setup
76
+
77
+### Manual Import
78
+
79
+Import the cleaned up, provided OpenVPN profiles. This will require intervention on your part after the profile is created in NetworkManager to ensure it can connect properly.
80
+
81
+*Note: this assumes UDP profiles, tweak for the ```openvpn-strong-tcp``` directory if desired or necessary*
82
+
83
+#### Initial Import / Edit
84
+
85
+``` bash
86
+
87
+nmcli connection import type openvpn file /etc/pia/openvpn-strong/[con_name].ovpn
88
+nmcli con show
89
+vim /etc/NetworkManager/system-connections/[con_name]
90
+
91
+```
92
+#### Adjustments/Necessary Verification
93
+
94
+``` bash
95
+
96
+id=PIA - [con_name]
97
+
98
+[vpn]
99
+auth=SHA256
100
+cipher=AES-256-CBC
101
+password-flags=0
102
+user-name=[your_username]
103
+
104
+[vpn-secrets]
105
+password=[your_password]
106
+
107
+```
108
+
109
+#### Update Profiles in NetworkManager
110
+
111
+``` bash
112
+
113
+# Reload For Changes
114
+nmcli connection reload [uuid_from_above]
115
+
116
+# Connect
117
+nmcli con up [uuid_from_above]
118
+
119
+```
120
+
121
+### Scripted Import
122
+
123
+Some automated imports based on how the ```ovpn``` files are normally imported via ```nmcli```
124
+
125
+*Note: this assumes UDP profiles, you'll need to tweak this as you see fit for TCP*
126
+
127
+#### Install ```uuidgen```
128
+
129
+``` bash
130
+
131
+apt update
132
+apt install uuid-runtime
133
+
134
+```
135
+
136
+#### Create List of VPN Endpoints
137
+
138
+``` bash
139
+
140
+cat > /etc/pia/server_list.txt << EOF
141
+us-west.privateinternetaccess.com=PIA - USA (West)
142
+us-east.privateinternetaccess.com=PIA - USA (East)
143
+us-midwest.privateinternetaccess.com=PIA - USA (Midwest)
144
+aus.privateinternetaccess.com=PIA - Australia (Sydney)
145
+austria.privateinternetaccess.com=PIA - Austria
146
+belgium.privateinternetaccess.com=PIA - Belgium
147
+ca-toronto.privateinternetaccess.com=PIA - Canada (Toronto) (East)
148
+ca-vancouver.privateinternetaccess.com=PIA - Canada (Vancouver) (West)
149
+fi.privateinternetaccess.com=PIA - Finland
150
+france.privateinternetaccess.com=PIA - France
151
+germany.privateinternetaccess.com=PIA - Germany
152
+hk.privateinternetaccess.com=PIA - Hong Kong
153
+in.privateinternetaccess.com=PIA - India
154
+japan.privateinternetaccess.com=PIA - Japan
155
+mexico.privateinternetaccess.com=PIA - Mexico
156
+nl.privateinternetaccess.com=PIA - Netherlands
157
+no.privateinternetaccess.com=PIA - Norway
158
+sg.privateinternetaccess.com=PIA - Singapore
159
+spain.privateinternetaccess.com=PIA - Spain
160
+sweden.privateinternetaccess.com=PIA - Sweden
161
+swiss.privateinternetaccess.com=PIA - Switzerland
162
+turkey.privateinternetaccess.com=PIA - Turkey
163
+uk-london.privateinternetaccess.com=PIA - UK (London)
164
+brazil.privateinternetaccess.com=PIA - Brazil
165
+EOF
166
+
167
+```
168
+
169
+#### Setup NeworkManager Profiles
170
+
171
+Some fancy bash tricks to get the full list of NetworkManager PIA connections imported in one copy/paste.
172
+
173
+*Note: You'll need to fill in ```[your_username]``` and ```[your_password]``` before running this block of commands.
174
+
175
+``` bash
176
+
177
+export PIA_USER="[your_username]"
178
+export PIA_PASSWORD="[your_password]"
179
+while read line;
180
+do
181
+desc=$(echo $line | cut -f2 -d'=')
182
+dns=$(echo $line | cut -f1 -d'=')
183
+file="/etc/NetworkManager/system-connections/$desc"
184
+
185
+cat > "$file" <<EOF
186
+[connection]
187
+id=$desc
188
+uuid=`uuidgen`
189
+type=vpn
190
+permissions=
191
+secondaries=
192
+
193
+[vpn]
194
+connection-type=password
195
+auth=SHA256
196
+password-flags=0
197
+remote=${dns}:1197
198
+cipher=AES-256-CBC
199
+comp-lzo=yes
200
+reneg-seconds=0
201
+remote-cert-tls=server
202
+ca=/etc/pia/openvpn-strong/ca.rsa.4096.crt
203
+dev=tun
204
+service-type=org.freedesktop.NetworkManager.openvpn
205
+username=${PIA_USER}
206
+
207
+[vpn-secrets]
208
+password=${PIA_PASSWORD}
209
+
210
+[ipv4]
211
+dns-search=
212
+method=auto
213
+
214
+[ipv6]
215
+addr-gen-mode=stable-privacy
216
+dns-search=
217
+method=auto
218
+
219
+EOF
220
+
221
+chmod 600 "$file"
222
+
223
+done < /etc/pia/server_list.txt
224
+
225
+systemctl restart NetworkManager
226
+nmcli con show
227
+
228
+```
229
+
230
+## Testing VPN (Post Setup)
231
+
232
+Go to each link below and verify you're safe.
233
+
234
+- [https://www.privateinternetaccess.com/pages/whats-my-ip/](https://www.privateinternetaccess.com/pages/whats-my-ip/)
235
+- [http://dnsleak.com/](http://dnsleak.com/)
236
+- [http://ipv6leak.com/](http://ipv6leak.com/)
237
+- [http://emailipleak.com/](http://emailipleak.com/)
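Review bot: `password-flags=0` in the `[vpn]` section together with `password=${PIA_PASSWORD}` under `[vpn-secrets]` stores the PIA password in plaintext in every generated profile, and `export PIA_PASSWORD="[your_password]"` leaves it in the shell history of whoever pastes the block. If plaintext storage is the deliberate trade-off for an unattended router, at least prompt for the value with `read -rs PIA_PASSWORD` instead of exporting a literal, and create each file with its final mode rather than `chmod 600 "$file"` afterwards (set `umask 077` before the loop, or `install -m 600 /dev/null "$file"` first), so there is no window in which the profile is world-readable. Two smaller points in the same loop: `while read line;` should be `while IFS= read -r line` with `"$line"` quoted in the `cut` pipelines, and `comp-lzo=yes` and `reneg-seconds=0` deserve a comment, since compression inside an encrypted tunnel is generally discouraged nowadays and `reneg-seconds=0` disables periodic key renegotiation; if both are carried over from the provider's `.ovpn` profiles, saying so would help the next reader. The heading also reads `NeworkManager`.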

+ 55
- 0
armbian/postgres.md View File

@@ -0,0 +1,55 @@
1
+# Postgresql
2
+
3
+A database for all those awesome services you'll be running.
4
+
5
+## Install / Update / Run Script
6
+
7
+Setup a generic script that'll auto update , build a container and launch it. You should only run this script at first launch and/or when you're looking for updates.
8
+
9
+``` bash
10
+
11
+mkdir -p /var/postgres/data
12
+
13
+cat > /root/docker/postgres.sh << EOF
14
+#!/bin/bash
15
+
16
+VERSION=""
17
+
18
+ARCH=\`arch\`
19
+
20
+# Cleanup arch/container image here
21
+if [ \$ARCH == "aarch64" ]
22
+then
23
+    echo "64bit arm"
24
+    VERSION="arm64v8/postgres:latest"
25
+else
26
+    echo "32bit arm"
27
+    VERSION="arm32v7/postgres:latest"
28
+fi
29
+
30
+docker pull \$VERSION
31
+
32
+# Cleanup existing container
33
+docker stop postgres
34
+docker rm postgres
35
+
36
+# Re-run/create container with latest image
37
+docker run \\
38
+    --name postgres \\
39
+    --restart unless-stopped \\
40
+    --net docker-private \\
41
+    --ip 172.30.12.12 \\
42
+    -e TZ=UTC \\
43
+    -e DEBUG=1 \\
44
+    -e POSTGRES_PASSWORD=test1234 \\
45
+    -v /var/postgres/data:/var/lib/postgresql/data \\
46
+    \$VERSION
47
+EOF
48
+
49
+chmod a+x /root/docker/postgres.sh
50
+
51
+```
52
+
53
+## Run Postgres
54
+
55
+Simply execute ```/root/docker/postgres.sh``` to update/run Postgres.
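Review bot: `-e POSTGRES_PASSWORD=test1234 \\` hardcodes a weak superuser password into `/root/docker/postgres.sh`, and the ttrss and turtl pages in this same commit connect to this instance at 172.30.12.12, so this is the root credential for every service database. Read it from a root-only file instead, e.g. `-e POSTGRES_PASSWORD="\$(cat /root/docker/postgres.pw)"` with that file created `chmod 600`, and document where it lives. Second, `docker pull \$VERSION` with `arm64v8/postgres:latest` means a re-run after a new Postgres major release pulls an image whose server refuses to start against the existing `/var/postgres/data` directory (major upgrades need a dump/restore or pg_upgrade), so pin the tag to a major version and bump it deliberately. Minor: quote `\$ARCH` in `[ \$ARCH == "aarch64" ]`, and the purpose of `-e DEBUG=1` is not explained anywhere; a comment or its removal would help.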

+ 112
- 0
armbian/searx.md View File

@@ -0,0 +1,112 @@
1
+# Searx
2
+
3
+Self hosted metasearch. Prevent profiling by major search engines
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [https://asciimoo.github.io/searx/](https://asciimoo.github.io/searx/)
8
+- [https://github.com/asciimoo/morty](https://github.com/asciimoo/morty)
9
+- [https://asciimoo.github.io/searx/user/own-instance.html](https://asciimoo.github.io/searx/user/own-instance.html)
10
+
11
+## Install / Update / Run Script
12
+
13
+Setup a generic script that'll auto update Searx, build a container and launch it. You should only run this script at first launch and/or when you're looking for updates.
14
+
15
+``` bash
16
+
17
+mkdir -p /var/searx
18
+chown root:root /var/searx
19
+mkdir -p /root/docker/searx
20
+git clone https://github.com/asciimoo/searx.git /root/docker/searx/src
21
+
22
+cat > /root/docker/searx/searx.sh << EOF
23
+#!/bin/bash
24
+
25
+cd /root/docker/searx/src
26
+git checkout Dockerfile
27
+git fetch
28
+LATESTTAG=\`git describe --abbrev=0 --tags\`
29
+git checkout \$LATESTTAG
30
+
31
+ARCH=\`arch\`
32
+
33
+# Cleanup arch/container image here
34
+if [ \$ARCH == "aarch64" ]
35
+then
36
+    echo "64bit arm"
37
+    sed -i 's_alpine:3.5_arm64v8/alpine:3.5_g' Dockerfile
38
+else
39
+    echo "32bit arm"
40
+    sed -i 's_alpine:3.5_arm32v6/alpine:3.5_g' Dockerfile
41
+fi
42
+
43
+docker build \\
44
+    --file ./Dockerfile \\
45
+    --tag searx/searx:\$LATESTTAG \\
46
+    .
47
+
48
+# Cleanup existing container
49
+docker stop searx
50
+docker rm searx
51
+
52
+# Re-run/create container with latest image
53
+docker run \\
54
+    --name searx \\
55
+    --restart unless-stopped \\
56
+    --net docker-private \\
57
+    --ip 172.30.8.8 \\
58
+    -e TZ=UTC \\
59
+    -e DEBUG=1 \\
60
+    -e BASE_URL=searx.domain.tld \\
61
+    searx/searx:\$LATESTTAG
62
+EOF
63
+
64
+chmod a+x /root/docker/searx/searx.sh
65
+
66
+```
67
+
68
+## Run Searx
69
+
70
+Simply execute ```/root/docker/searx/searx.sh``` to update/run Gogs.
71
+
72
+## Serving Via Caddy
73
+
74
+``` bash
75
+
76
+cat > /etc/caddy/services/searx.conf <<EOF
77
+# Searx proxy
78
+searx:80, searx:443, searx.domain.tld:80, searx.domain.tld:443 {
79
+    redir 301 {
80
+        if {scheme} is http
81
+        /  https://searx.domain.tld{uri}
82
+    }
83
+
84
+    log /var/log/caddy/searx.log
85
+    proxy / 172.30.8.8:8888 {
86
+        transparent
87
+    }
88
+
89
+    # Use acme.sh Let's Encrypt SSL cert setup
90
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
91
+}
92
+EOF
93
+
94
+```
95
+
96
+## Update Unbound
97
+
98
+``` bash
99
+
100
+cat > /etc/unbound/local_zone/searx.conf <<EOF
101
+local-data: "searx-insecure A 172.30.8.8"
102
+local-data-ptr: "172.30.8.8 searx-insecure"
103
+local-data: "searx-insecure.domain.tld A 172.30.8.8"
104
+local-data-ptr: "172.30.8.8 searx-insecure.domain.tld"
105
+
106
+local-data: "searx A 172.30.0.1"
107
+local-data-ptr: "172.30.0.1 searx"
108
+local-data: "searx.domain.tld A 172.30.0.1"
109
+local-data-ptr: "172.30.0.1 searx.domain.tld"
110
+EOF
111
+
112
+```
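Review bot: the update logic in `searx.sh` never advances past the first tag it checks out. `LATESTTAG=\`git describe --abbrev=0 --tags\`` describes the current HEAD, and after the first run HEAD is detached at the tag that was just checked out, so every later run re-describes and re-checks-out the same tag; `git fetch` refreshes the remote refs but does not move HEAD. Derive the newest tag from the fetched refs instead, e.g. `git fetch --tags` followed by `LATESTTAG=\$(git describe --tags \$(git rev-list --tags --max-count=1))`. Also, the `sed -i 's_alpine:3.5_arm64v8/alpine:3.5_g' Dockerfile` substitution silently becomes a no-op once upstream moves off `alpine:3.5`, so the build would proceed on whatever the base image defaults to; check that the sed actually matched (a `grep` on the Dockerfile before `docker build`) and fail otherwise. The prose under "Run Searx" says "update/run Gogs" where it means Searx.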

+ 169
- 0
armbian/syncthing.md View File

@@ -0,0 +1,169 @@
1
+# Syncthing
2
+
3
+A very simple way to setup/run Syncthing in a container. This approach will also update to the latest syncthing releases if available.
4
+
5
+## Inspiration / Sources
6
+
7
+- [https://github.com/syncthing/syncthing/releases](https://github.com/syncthing/syncthing/releases)
8
+- [https://docs.syncthing.net/users/autostart.html#linux](https://docs.syncthing.net/users/autostart.html#linux)
9
+
10
+## Dependencies
11
+
12
+We need one utility to ensure we can find the latest releases. Install it.
13
+
14
+``` bash
15
+
16
+apt update
17
+apt install jq
18
+
19
+```
20
+
21
+## Preflight Configuration
22
+
23
+Setup basic config / storage areas ahead of install
24
+
25
+```bash
26
+
27
+mkdir -p /var/syncthing/.config/syncthing
28
+groupadd syncthing
29
+useradd -s /usr/sbin/nologin -d /var/syncthing -g syncthing syncthing
30
+cat > /var/syncthing/.config/syncthing/config.xml <<EOF
31
+<configuration version="28">
32
+    <options>
33
+        <globalAnnounceEnabled>false</globalAnnounceEnabled>
34
+        <localAnnounceEnabled>true</localAnnounceEnabled>
35
+        <relaysEnabled>false</relaysEnabled>
36
+        <natEnabled>false</natEnabled>
37
+        <minHomeDiskFree unit="%">10</minHomeDiskFree>
38
+        <defaultFolderPath>/tank/syncthing</defaultFolderPath>
39
+    </options>
40
+</configuration>
41
+EOF
42
+chown syncthing -R /var/syncthing
43
+chgrp syncthing -R /var/syncthing
44
+
45
+```
46
+
47
+## Install Syncthing
48
+
49
+Grab the latest release of syncthing, drop it in place, setup system service.
50
+
51
+``` bash
52
+
53
+RELEASE=`curl -s https://api.github.com/repos/syncthing/syncthing/releases/latest | jq -r .tag_name`
54
+ARCH=`arch`
55
+if [ $ARCH == "aarch64" ]
56
+then
57
+    ARCH="arm64"
58
+else
59
+    ARCH="arm"
60
+fi
61
+
62
+gpg --keyserver keyserver.ubuntu.com --recv-key D26E6ED000654A3E
63
+mkdir -p /tmp/syncthing
64
+cd /tmp/syncthing
65
+curl -sLO https://github.com/syncthing/syncthing/releases/download/${RELEASE}/syncthing-linux-${ARCH}-${RELEASE}.tar.gz
66
+curl -sLO https://github.com/syncthing/syncthing/releases/download/${RELEASE}/sha256sum.txt.asc
67
+gpg --verify sha256sum.txt.asc
68
+grep syncthing-linux-${ARCH} sha256sum.txt.asc | sha256sum
69
+tar -zxf syncthing-linux-${ARCH}-${RELEASE}.tar.gz
70
+mv syncthing-linux-${ARCH}-${RELEASE}/syncthing /usr/bin/syncthing
71
+chmod a+x /usr/bin/syncthing
72
+mv syncthing-linux-${ARCH}-${RELEASE}/etc/linux-systemd/system/syncthing@.service /etc/systemd/system
73
+systemctl daemon-reload
74
+cd ~
75
+rm -rf /tmp/syncthing
76
+
77
+```
78
+
79
+## Adjust firewall to allow syncthing on internal network(s)
80
+
81
+``` bash
82
+
83
+firewall-cmd --permanent --zone=internal --add-port 22000/tcp --add-port 21027/udp
84
+# Allow GUI from docker containers (it'll be proxied by the main web proxy container for ssl purposes)
85
+firewall-cmd --permanent --zone=trusted --add-port 22000/tcp --add-port 21027/udp --add-port 8384/tcp
86
+firewall-cmd --reload
87
+
88
+```
89
+
90
+## Run Syncthing Via systemd Service
91
+
92
+``` bash
93
+
94
+systemctl enable syncthing@syncthing.service
95
+systemctl start syncthing@syncthing.service
96
+
97
+```
98
+
99
+## Setup Update Script
100
+
101
+Syncthing has an auto update mechanism. Script it so it can be run at any point to get updates.
102
+
103
+``` bash
104
+
105
+cat > /root/update_syncthing.sh <<EOF
106
+/usr/bin/syncthing -upgrade-check
107
+/usr/bin/syncthing -upgrade
108
+EOF
109
+
110
+chmod a+x /root/update_syncthing.sh
111
+
112
+```
113
+
114
+## Update Unbound
115
+
116
+``` bash
117
+
118
+cat > /etc/unbound/local_zone/syncthing.conf <<EOF
119
+local-data: "syncthing A 172.30.0.1"
120
+local-data-ptr: "172.30.0.1 synching"
121
+local-data: "syncthing.domain.tld A 172.30.0.1"
122
+local-data-ptr: "172.30.0.1 synching.domain.tld"
123
+
124
+local-data: "syncthing-gui A 172.30.0.1"
125
+local-data: "syncthing-gui.domain.tld A 172.30.0.1"
126
+local-data-ptr: "172.30.0.1 syncthing-gui"
127
+local-data-ptr: "172.30.0.1 syncthing-gui.domain.tld"
128
+EOF
129
+
130
+```
131
+
132
+## Serving Via Caddy
133
+
134
+``` bash
135
+
136
+cat > /etc/caddy/services/syncthing.conf <<EOF
137
+# Syncthing proxy
138
+syncthing-gui:80, syncthing-gui:443, syncthing-gui.domain.tld:80, syncthing-gui.domain.tld:443 {
139
+    redir 301 {
140
+        if {scheme} is http
141
+        /  https://syncthing-gui.domain.tld{uri}
142
+    }
143
+
144
+    log /var/log/caddy/syncthing.log
145
+    proxy / 127.0.0.1:8384 {
146
+        transparent
147
+        header_upstream Host 127.0.0.1 # Reset the transparent proxy host so requests aren't blocked by syncthing
148
+    }
149
+
150
+    # Use acme.sh Let's Encrypt SSL cert setup
151
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
152
+}
153
+EOF
154
+
155
+```
156
+
157
+## Admin Interface
158
+
159
+Once the container is online you can get to the admin interface at ```http://syncthing.domain.tld:8384```.
160
+
161
+## Finish Configuration via GUI
162
+
163
+- ssh router with 8384 port forward
164
+- Open the admin interface in your browser
165
+- Configure ```/tank/syncthing/global``` as default shared folder
166
+  - *IF* you have a ```/tank``` available
167
+- Set ```Minimum disk space``` to ```10%```
168
+- Disable ```Anonymous usage reporting```
169
+- Setup a ```GUI Authentication User``` and ```GUI Authentication Password```
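Review bot: the checksum step does not verify the download. `grep syncthing-linux-${ARCH} sha256sum.txt.asc | sha256sum` hashes the text of the grep output and prints that digest; it never compares anything against the tarball, and nothing aborts on failure because neither `gpg --verify sha256sum.txt.asc` nor this line is checked. It should be `grep "syncthing-linux-${ARCH}-${RELEASE}.tar.gz" sha256sum.txt.asc | sha256sum -c -`, and the block should run under `set -e` (or with `|| exit 1` on the verify and check lines) so a bad signature or a digest mismatch stops the install before `mv syncthing-linux-${ARCH}-${RELEASE}/syncthing /usr/bin/syncthing`. Two more: the Unbound PTR records say `synching` (`local-data-ptr: "172.30.0.1 synching"`) while the A records say `syncthing`, and `/root/update_syncthing.sh` lacks the `#!/bin/bash` line the other scripts in this series have. Finally, the "Admin Interface" section points at `http://syncthing.domain.tld:8384`, yet Unbound maps `syncthing.domain.tld` to 172.30.0.1 and the firewall only opens 8384 in the `trusted` zone, so that URL is worth re-checking; the ssh port forward in the GUI section and the Caddy name `syncthing-gui.domain.tld` look like the intended paths.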

+ 108
- 0
armbian/ttrss.md View File

@@ -0,0 +1,108 @@
1
+# TT-RSS
2
+
3
+Self hosted RSS reader a la Google Reader
4
+
5
+## Inspiration / Further Reading
6
+- [https://hub.docker.com/r/linuxserver/tt-rss/](https://hub.docker.com/r/linuxserver/tt-rss/)
7
+
8
+## Install / Update / Run Script
9
+
10
+Setup a generic script that'll auto update TT-RSS, build a container and launch it. You should only run this script at first launch and/or when you're looking for updates.
11
+
12
+``` bash
13
+
14
+mkdir -p /var/ttrss
15
+docker exec -it postgres psql -U postgres
16
+create role ttrss nocreatedb nocreaterole login PASSWORD 'password';
17
+create database ttrss owner=ttrss encoding=UTF8;
18
+
19
+cat > /root/docker/ttrss.sh << EOF
20
+#!/bin/bash
21
+
22
+ARCH=\`arch\`
23
+HUBIMAGE=""
24
+
25
+# Cleanup arch/container image here
26
+if [ \$ARCH == "aarch64" ]
27
+then
28
+    echo "64bit arm"
29
+    HUBIMAGE="lsioarmhf/tt-rss-aarch64:latest"
30
+else
31
+    echo "32bit arm"
32
+    HUBIMAGE="lsioarmhf/tt-rss:latest"
33
+fi
34
+
35
+# Cleanup existing container
36
+docker stop ttrss
37
+docker rm ttrss
38
+
39
+# Re-run/create container with latest image
40
+docker run \\
41
+    --name ttrss \\
42
+    --restart unless-stopped \\
43
+    --net docker-private \\
44
+    --ip 172.30.13.13 \\
45
+    -e TZ=UTC \\
46
+    -e DEBUG=1 \\
47
+    -v /var/ttrss:/config \\
48
+    \$HUBIMAGE
49
+EOF
50
+
51
+chmod a+x /root/docker/ttrss.sh
52
+
53
+```
54
+
55
+## Run TT-RSS
56
+
57
+Simply execute ```/root/docker/ttrss.sh``` to update/run TT-RSS.
58
+
59
+## Serving Via Caddy
60
+
61
+``` bash
62
+
63
+cat > /etc/caddy/services/ttrss.conf <<EOF
64
+# TT-RSS proxy
65
+ttrss:80, ttrss:443, ttrss.domain.tld:80, ttrss.domain.tld:443 {
66
+    redir 301 {
67
+        if {scheme} is http
68
+        /  https://ttrss.domain.tld{uri}
69
+    }
70
+
71
+    log /var/log/caddy/ttrss.log
72
+    proxy / 172.30.13.13:80 {
73
+        transparent
74
+    }
75
+
76
+    # Use acme.sh Let's Encrypt SSL cert setup
77
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
78
+}
79
+EOF
80
+
81
+```
82
+
83
+## Update Unbound
84
+
85
+``` bash
86
+
87
+cat > /etc/unbound/local_zone/ttrss.conf <<EOF
88
+local-data: "ttrss-insecure A 172.30.13.13"
89
+local-data-ptr: "172.30.13.13 ttrss-insecure"
90
+local-data: "ttrss-insecure.domain.tld A 172.30.13.13"
91
+local-data-ptr: "172.30.13.13 ttrss-insecure.domain.tld"
92
+
93
+local-data: "ttrss A 172.30.0.1"
94
+local-data-ptr: "172.30.0.1 ttrss"
95
+local-data: "ttrss.domain.tld A 172.30.0.1"
96
+local-data-ptr: "172.30.0.1 ttrss.domain.tld"
97
+EOF
98
+
99
+```
100
+
101
+## First Run / Finalize Setup
102
+
103
+- Navigate to ```http://ttrss-insecure.domain.tld```
104
+- Follow on-screen prompts for finalizing setup
105
+  - Use the above psql username/password/database during the install phase
106
+  - Use 172.30.12.12 as the postgresql hostname
107
+- Login and enjoy
108
+  - The default account is admin/password
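Review bot: the three lines `docker exec -it postgres psql -U postgres` followed by the two `create ...;` statements are not a runnable block: `-it` opens an interactive psql session that swallows the rest of the paste, and the SQL is written as though it were shell. Feed it on stdin instead, `docker exec -i postgres psql -U postgres <<'SQL'` with the two statements and a closing `SQL`. The role is created with `PASSWORD 'password'`, which reads as a placeholder; label it as one and generate a real value (for example `openssl rand -base64 24`), since the same string is typed into the TT-RSS installer later. On the first-run steps, the wizard at `http://ttrss-insecure.domain.tld` is plain HTTP straight to the container, so the database password is submitted unencrypted; running the wizard through the Caddy HTTPS name (`https://ttrss.domain.tld`) avoids that, and the `admin/password` default noted in the last bullet should be changed on first login.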

+ 184
- 0
armbian/turtl.md View File

@@ -0,0 +1,184 @@
1
+# Turtl
2
+
3
+Self hosted Evernote/OneNote. Take some notes already.
4
+
5
+## Inspiration / Further Reading
6
+
7
+- [https://github.com/turtl/server](https://github.com/turtl/server)
8
+- [https://turtlapp.com/docs/server/](https://turtlapp.com/docs/server/)
9
+- [https://turtlapp.com/](https://turtlapp.com/)
10
+
11
+## Prep
12
+
13
+``` bash
14
+
15
+mkdir -p /var/turtl/plugins
16
+mkdir -p /root/docker/turtl
17
+git clone https://github.com/turtl/server.git /root/docker/turtl/src
18
+docker exec -it postgres psql -U postgres
19
+create role turtl nocreatedb nocreaterole login PASSWORD 'password';
20
+create database turtl owner=turtl encoding=UTF8;
21
+
22
+cat > /root/docker/turtl/src/config/config.yaml <<EOF
23
+---
24
+server:
25
+  port: 8181
26
+
27
+db:
28
+  host: '172.30.12.12'
29
+  port: 5432
30
+  database: 'turtl'
31
+  user: 'turtl'
32
+  password: 'password'
33
+  pool: 24
34
+
35
+loglevel: 'debug'
36
+
37
+app:
38
+  # ALWAYS false in production. Always.
39
+  # Set to 'I UNDERSTAND THIS VIOLATES THE PRIVACY OF MY USERS' to enable
40
+  enable_bookmarker_proxy: false
41
+  # no trailing slash
42
+  api_url: 'http://172.30.10.10:8181'
43
+  www_url: 'https://172.30.10.10'
44
+  emails:
45
+    admin: 'admin@turtlapp.com'
46
+    info: 'Turtl <info@turtlapp.com>'
47
+    invites: 'invites@turtlapp.com'
48
+  # TODO: replace this with a long, unique value. seriously. write down a dream
49
+  # you had, or the short story you came up with during your creative writing
50
+  # class in your freshmen year of college. have fun with it.
51
+  secure_hash_salt: "Plaque is a figment of the liberal media and the dental industry to scare you into buying useless appliances and pastes. Now, I've read the arguments on both sides and I haven't found any evidence yet to support the need to brush your teeth. Ever."
52
+
53
+sync:
54
+  # how many sync records can a client send at a time? it's a good idea to have
55
+  # a limit here, lest a rogue client flood the server with sync items
56
+  max_bulk_sync_records: 32
57
+
58
+plugins:
59
+  plugin_location: '/var/www/turtl/server/plugins'
60
+  analytics:
61
+    enabled: false
62
+  email:
63
+    enabled: false
64
+  premium:
65
+    enabled: false
66
+
67
+uploads:
68
+  # if set to a path, files will be uploaded to the local filesystem instead of
69
+  # S3. otherwise, set to false
70
+  local: '/var/www/turtl/server/public/uploads'
71
+  # if true, downloading local files will be proxied through the turtl server.
72
+  # this avoids needing to set up any CORS config in your favorite webserver,
73
+  # but may slightly affect performance on high-demand servers.
74
+  local_proxy: true
75
+  # if local_proxy is false, this is should be the url path the uploaded files
76
+  # are publicly available on
77
+  url: 'http://api.turtl.dev/uploads'
78
+
79
+s3:
80
+  token: 'IHADAPETSNAKEBUTHEDIEDNOOOOO'
81
+  secret: ''
82
+  bucket: ''
83
+endpoint: 'https://s3.amazonaws.com'
84
+EOF
85
+
86
+```
87
+
88
+## Install / Setup
89
+
90
+``` bash
91
+
92
+cat > /root/docker/turtl/turtl.sh <<EOF
93
+cd /root/docker/turtl/src
94
+git checkout Dockerfile
95
+git pull
96
+
97
+VERSION="HEAD"
98
+
99
+ARCH=\`arch\`
100
+
101
+# Cleanup arch/container image here
102
+if [ \$ARCH == "aarch64" ]
103
+then
104
+    echo "64bit arm"
105
+    sed -i 's_node:8.9.4-alpine_arm64v8/node:8.9.4-alpine_g' Dockerfile
106
+else
107
+    echo "32bit arm"
108
+    sed -i 's_node:8.9.4-alpine_arm32v7/node:8.9.4-alpine_g' Dockerfile
109
+fi
110
+
111
+sed -i 's_config/config.yaml.default_config/config.yaml_g' Dockerfile
112
+
113
+docker build \\
114
+    --network docker-private \\
115
+    --file ./Dockerfile \\
116
+    --tag turtl/turtl:\$VERSION \\
117
+    .
118
+
119
+# Cleanup existing container
120
+docker stop turtl
121
+docker rm turtl
122
+
123
+# Re-run/create container with latest image
124
+docker run \\
125
+    --name turtl \\
126
+    --restart unless-stopped \\
127
+    --net docker-private \\
128
+    --ip 172.30.10.10 \\
129
+    -e TZ=UTC \\
130
+    -e DEBUG=1 \\
131
+    -v /var/turtl:/var/www/turtl/server \\
132
+    turtl/turtl:\$VERSION
133
+
134
+EOF
135
+
136
+chmod a+x /root/docker/turtl/turtl.sh
137
+
138
+```
139
+
140
+## Run Turtl
141
+
142
+Simply execute ```/root/docker/turtl/turtl.sh``` to update/run Turtl.
143
+
144
+## Serving Via Caddy
145
+
146
+``` bash
147
+
148
+cat > /etc/caddy/services/turtl.conf <<EOF
149
+# Turtl proxy
150
+turtl:80, turtl:443, turtl.domain.tld:80, turtl.domain.tld:443 {
151
+    redir 301 {
152
+        if {scheme} is http
153
+        /  https://turtl.domain.tld{uri}
154
+    }
155
+
156
+    log /var/log/caddy/turtl.log
157
+    proxy / 172.30.9.9:80 {
158
+        transparent
159
+    }
160
+
161
+    # Use acme.sh Let's Encrypt SSL cert setup
162
+    tls /var/acme.sh/domain.tld/fullchain.cer /var/acme.sh/domain.tld/domain.tld.key
163
+}
164
+E
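Review bot: the `config.yaml` written here keeps the upstream placeholder values that its own comments say to replace: `secure_hash_salt` is still the "Plaque is a figment..." text sitting directly under `# TODO: replace this with a long, unique value`, the `db` password is `'password'`, `s3.token` is the sample string, and the `admin`/`info`/`invites` addresses point at `turtlapp.com` rather than the operator's domain. A salt copied verbatim from the public sample config is shared with every other instance that did the same, which defeats its purpose; generate one per install (`openssl rand -hex 32`) and substitute it before running the heredoc. Separately, the Caddy block proxies to `172.30.9.9:80` while the container is started with `--ip 172.30.10.10` and the server listens on `port: 8181` (matching `api_url: 'http://172.30.10.10:8181'`), so the proxy target looks wrong and should be `172.30.10.10:8181`. Minor: `turtl.sh` lacks the `#!/bin/bash` line the other scripts have, and `loglevel: 'debug'` is noisy for a long-running service.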