ANTRANIG VARTANIAN
I’M YOUR WORST NIGHTMARE…

THE FREEBSD-NATIVE-ISH HOME LAB AND NETWORK

For many years my setup was pretty simple: a FreeBSD home server running on my old laptop. It runs everything I need to be present on the internet: an email server, a web server (like the one you’ve accessed right now to see this blog post) and a public chat server (XMPP/Jabber) so I can be in touch with friends. For my home network, I had a basic access point and a basic router.

Lately, my setup has become more… intense. I have IPv6 thanks to Hurricane Electric, which is also passed on to my home network (we’ll talk about that in a bit), and the home network has multiple VLANs, since friends who come home also need WiFi.

I decided to blog about the details, hoping it would help someone in the future. I’ll start with the simplest one.

THE HOME SERVER

I’ve been running home servers for a long time. I believe that every person/family needs a home server. Forget about buying your kids iPads and smartphones. Their first devices should be a real computer (sorry Apple, iOS devices are still just a toy) like a desktop/laptop and a home server.

The home server doesn’t need to be on the public internet, but mine is, for a variety of reasons. This blog being one of them. I get a static IP address from my ISP, Ucom. After the management change that happened a couple of years ago, Ucom has become a very typical ISP (think shitty), but they are the only ones that provide a static IP address directly, instead of setting it on your router, where you have to do port forwarding.

My home server, hostnamed pingvinashen (meaning the town of the penguins, named after the Armenian cartoon), runs FreeBSD. Historically this machine has run Debian, Funtoo, Gentoo and finally FreeBSD.
Hardware-wise, here’s what it is:

```
root@pingvinashen:~ # dmidecode -s system-product-name
Latitude E5470
root@pingvinashen:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
root@pingvinashen:~ # sysctl hw.physmem
hw.physmem: 17016950784
root@pingvinashen:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot   420G   178G   242G        -         -    64%    42%  1.00x  ONLINE  -
```

While most homelabbers use hardware virtualization, I think that resources are a tight thing, and should be managed properly. Any company that markets itself as “green/eco-friendly” and uses hardware virtualization should do calculations using a pen and paper and prove if going native would save power/resources or not. (sometimes it doesn’t, usually it does)

I use containers, the old-school ones, Jails to be more specific. I manage jails using Jailer, my own tool, that tries to stay out of your way when working with Jails. Here are my current jails:

```
root@pingvinashen:~ # jailer list
NAME        STATE    JID  HOSTNAME                 IPv4                GW
antranig    Active   1    antranig.bsd.am          192.168.10.42/24    192.168.10.1
antranigv   Active   2    antranigv.bsd.am         192.168.10.52/24    192.168.10.1
git         Stopped
huginn0     Active   4    huginn0.bsd.am           192.168.10.34/24    192.168.10.1
ifconfig    Active   5    ifconfig.bsd.am          192.168.10.33/24    192.168.10.1
lucy        Active   6    lucy.vartanian.am        192.168.10.37/24    192.168.10.1
mysql       Active   7    mysql.antranigv.am       192.168.10.50/24    192.168.10.1
newsletter  Active   8    newsletter.bsd.am        192.168.10.65/24    192.168.10.1
oragir      Active   9    oragir.am                192.168.10.30/24    192.168.10.1
psql        Active   10   psql.pingvinashen.am     192.168.10.3/24     192.168.10.1
rss         Active   11   rss.bsd.am               192.168.10.5/24     192.168.10.1
sarian      Active   12   sarian.am                192.168.10.53/24    192.168.10.1
syuneci     Active   13   syuneci.am               192.168.10.60/24    192.168.10.1
znc         Active   14   znc.bsd.am               192.168.10.152/24   192.168.10.1
```

You already get a basic idea of how things are. Each of my blogs (Armenian and English) has its own Jail.
Since I’m using WordPress, I need a database, so I have a MySQL jail (which ironically runs MariaDB inside it). I also have a Git server, running Gitea, which is down at the moment as I’m doing maintenance. The Git server (and many other services) requires PostgreSQL, hence the existence of a PostgreSQL jail. I run Huginn for automation (RSS to Telegram, RSS to XMPP). My sister has her own blog, using WordPress, so that’s a Jail of its own. Same goes for my fiancée. Other Jails are the newsletter using Listmonk, Sarian (the Armenian instance of lobste.rs) and a personal ZNC server. As an avid RSS advocate, I also have an RSS Jail, which runs Miniflux. Many of my friends use this service. Oragir is an instance of WriteFreely, as I advocate public blogging and ActivityPub. Our community uses that too.

The web server that forwards all this traffic from the public to the Jails is nginx. All it does is proxy_pass as needed. It runs on the host. Other services that run on the host are DNS (BIND9), an email service running OpenSMTPD (which will be moved to a Jail soon), the chat service running Prosody (which will be moved to a Jail soon) and finally WireGuard, because I love VPNs. Finally, there’s an IPv6-over-IPv4 tunnel that I use to obtain IPv6 thanks to Hurricane Electric. Yes, I have a firewall, I use pf(4).

For the techies in the room, here’s what my rc.conf looks like.
```
# cat /etc/rc.conf
# Defaults
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
#local_unbound_enable="YES"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="pingvinashen.am"

# Networking
defaultrouter="37.157.221.1"
gateway_enable="YES"
ifconfig_em0="up"
vlans_em0="37 1000" # 1000 -> WAN; 37 -> Home Router
ifconfig_em0_1000="inet 37.157.221.130 netmask 255.255.255.0"
ifconfig_em0_37="inet 192.168.255.2 netmask 255.255.255.0"
static_routes="home"
route_home="-net 172.16.100.0/24 -gateway 192.168.255.1"
cloned_interfaces="bridge0 bridge6 bridge10"
ifconfig_bridge10="inet 192.168.10.1 netmask 255.255.255.0"

## IPv6
ipv6_gateway_enable="YES"
gif_interfaces="gif0"
gifconfig_gif0="37.157.221.130 216.66.84.46"
ifconfig_gif0="inet6 2001:470:1f14:ef::2 2001:470:1f14:ef::1 prefixlen 128"
ipv6_defaultrouter="2001:470:1f14:ef::1"
ifconfig_em0_37_ipv6="inet6 2001:470:7914:7065::2 prefixlen 64"
ipv6_static_routes="home guest"
ipv6_route_home="-net 2001:470:7914:6a76::/64 -gateway 2001:470:7914:7065::1"
ipv6_route_guest="-net 2001:470:7914:6969::/64 -gateway 2001:470:7914:7065::1"
ifconfig_bridge6_ipv6="inet6 2001:470:1f15:e4::1 prefixlen 64"
ifconfig_bridge6_aliases="inet6 2001:470:1f15:e4::25 prefixlen 64 \
    inet6 2001:470:1f15:e4::80 prefixlen 64 \
    inet6 2001:470:1f15:e4::5222 prefixlen 64 \
    inet6 2001:470:1f15:e4:c0fe::53 prefixlen 64 \
"

# VPN
wireguard_enable="YES"
wireguard_interfaces="wg0"

# Firewall
pf_enable="YES"

# Jails
jail_enable="YES"
jailer_dir="zfs:zroot/jails"

# DNS
named_enable="YES"

# Mail
smtpd_enable="YES"
smtpd_config="/usr/local/etc/smtpd.conf"

# XMPP
prosody_enable="YES"
turnserver_enable="YES"

# Web
nginx_enable="YES"
tor_enable="YES"
```

The gif0 interface is an IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don’t go to my server over the ISP every time.
This also gives me the ability to get IPv6 in my home network, routed via my home server. As you have guessed from this config file, I do have VLANs set up. So let’s get into that.

THE HOME NETWORK

First of all, here’s a very cheap diagram.

[diagram not reproduced here]

I have the following VLANs set up on the switch.

VLAN ID   Purpose
1         Switch Management
1000      pingvinashen (home server) WAN
1001      evn0 (home router) WAN
37        pingvinashen ↔ evn0
42        Internal Management
100       Home LAN
69        Home Guest

Here are the active ports:

Port   VLANs                               Purpose
24     untagged: 1                         Switch management, connects to Port 2
22     untagged: 1000                      pingvinashen WAN, from ISP
21     untagged: 1001                      Home WAN, from ISP
20     tagged: 1000, 37                    To pingvinashen, port em0
19     untagged: 1001                      To home router, port igb1
18     tagged: 42, 100, 69, 99             To home router, port igb2
17     untagged: 37                        To home router, port igb0
16     tagged: 42, 100, 69                 To Lenovo T480s
15     untagged: 100                       To Raspberry Pi 4
2      untagged: 99                        From Port 24, for switch management
1      untagged: 42; tagged: 100, 69; PoE  To UAP AC Pro

The home router, hostnamed evn0 (named after the IATA code of Yerevan’s Zvartnots International Airport), runs FreeBSD as well. The hardware is the following:

```
root@evn0:~ # dmidecode -s system-product-name
APU2
root@evn0:~ # sysctl hw.model
hw.model: AMD GX-412TC SOC
root@evn0:~ # sysctl hw.physmem
hw.physmem: 4234399744
root@evn0:~ # zpool list
NAME    SIZE   ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot  12.5G   9.47G  3.03G        -         -    67%    75%  1.00x  ONLINE  -
```

The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.
Here’s what the rc.conf looks like:

```
clear_tmp_enable="YES"
sendmail_enable="NONE"
syslogd_flags="-a '172.16.100.0/24:*' -H"
zfs_enable="YES"
dumpdev="AUTO"
hostname="evn0.illuriasecurity.com"
pf_enable="YES"
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"

# Get an IP address from the ISP's GPON
ifconfig_igb1="DHCP"

# Internal routes with pingvinashen
ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
static_routes="pingvinashen"
route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"
ipv6_defaultrouter="2001:470:7914:7065::2"

# Home Mgmt, Switch Mgmt, Home LAN, Home Guest
ifconfig_igb2="up"
vlans_igb2="42 99 100 69"
ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"

# DNS and DHCP
named_enable="YES"
dhcpd_enable="YES"
named_flags=""

# NTP
ntpd_enable="YES"

# Router Advertisement and LLDP
rtadvd_enable="YES"
lldpd_enable="YES"
lldpd_flags=""
```

Here’s pf.conf, because security is important.
```
ext_if="igb1"
bsd_if="igb0"
int_if="igb2.100"
guest_if="igb2.69"
mgmt_if="igb2.42"
sw_if="igb2.99"
ill_net="172.16.0.0/16"

nat pass on $ext_if from $int_if:network to any -> ($ext_if)
nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)
nat pass on $ext_if from $guest_if:network to any -> ($ext_if)

set skip on { lo0 }

block in all
pass on $int_if from $int_if:network to any
pass on $mgmt_if from $mgmt_if:network to any
pass on $sw_if from $sw_if:network to any
pass on $guest_if from $guest_if:network to any
block quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }
pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }
pass inet proto icmp
pass inet6 proto icmp6
pass out all keep state
```

I’m sure there are places to improve, but it gets the job done and keeps the guest network isolated.

Here’s rtadvd.conf, for my IPv6 folks:

```
igb2.100:\
    :addr="2001:470:7914:6a76::":prefixlen#64:\
    :rdnss="2001:470:7914:6a76::1":\
    :dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":
igb2.69:\
    :addr="2001:470:7914:6969::":prefixlen#64:\
    :rdnss="2001:470:7914:6969::1":
```

For DNS, I’m running BIND; here are the important parts:

```
listen-on { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
listen-on-v6 { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
allow-query { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };
```

And for DHCP, here’s what it looks like:

```
subnet 172.16.100.0 netmask 255.255.255.0 {
    range 172.16.100.100 172.16.100.150;
    option domain-name-servers 172.16.100.1;
    option subnet-mask 255.255.255.0;
    option routers 172.16.100.1;
    option domain-name "evn0.loc.illuriasecurity.com";
    # domain-search takes a comma-separated list of quoted names
    option domain-search "loc.illuriasecurity.com", "evn0.loc.illuriasecurity.com";
}

host zvartnots {
    hardware ethernet d4:57:63:f1:5a:36;
    fixed-address 172.16.100.7;
}

host unifi0 {
    hardware ethernet 58:9c:fc:93:d1:0b;
    fixed-address 172.31.42.42;
}

[…]

subnet 172.31.42.0 netmask 255.255.255.0 {
    range 172.31.42.100 172.31.42.150;
    option domain-name-servers 172.31.42.1;
    option subnet-mask 255.255.255.0;
    option routers 172.31.42.1;
}

subnet 192.168.69.0 netmask 255.255.255.0 {
    range 192.168.69.100 192.168.69.150;
    option domain-name-servers 192.168.69.1;
    option subnet-mask 255.255.255.0;
    option routers 192.168.69.1;
}
```

So you’re wondering, what’s this unifi0? Well, that brings us to

T480S

This laptop was gifted to me by [REDACTED] for my contributions to the Armenian government (which means when a server goes down and no one knows how to fix it, they call me and I show up). Here’s the hardware:

```
root@t480s:~ # dmidecode -s system-version
ThinkPad T480s
root@t480s:~ # sysctl hw.model
hw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
root@t480s:~ # sysctl hw.physmem
hw.physmem: 25602347008
root@t480s:~ # zpool list
NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
zroot   224G   109G   115G        -         -    44%    48%  1.00x  ONLINE  -
```

The T480s has access to VLANs 100, 42 and 69, but the host itself has an address only on VLAN 100 (LAN), while the jails can exist on the other VLANs. So I have a Jail named unifi0 that runs the UniFi management thingie.
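Before the T480s configs, one check against evn0’s pf.conf above. The guest isolation hinges on a single `block quick on $guest_if ... to { ... }` list, and it is easy to add a VLAN to the router later and forget to extend that list. The script below is an added example, not code from the original post: it parses the `ifconfig_*` lines of the evn0 rc.conf shown above, expands the pf macros the way pf does (`$if:network` yields every network the interface sits on, in both address families; a bare `$macro` is the literal prefix), and reports which internal prefixes the block list leaves reachable from the guest VLAN. `RC_CONF` and `MACROS` are constructed excerpts of the configs above; `ifconfig_igb1="DHCP"` carries no static address and is skipped.

```python
"""Audit the guest-VLAN block list in the evn0 pf.conf shown above.

Added example, not part of the original post. RC_CONF and MACROS are
constructed excerpts of the rc.conf and pf.conf above; nothing here talks to pf.
"""
import ipaddress
import re

# Constructed excerpt of evn0's rc.conf: only the ifconfig_* lines matter.
RC_CONF = """\
ifconfig_igb1="DHCP"
ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
ifconfig_igb2="up"
vlans_igb2="42 99 100 69"
ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"
"""

# Macros from the pf.conf above, and the address list of its guest block rule.
MACROS = {
    "ext_if": "igb1", "bsd_if": "igb0", "int_if": "igb2.100",
    "guest_if": "igb2.69", "mgmt_if": "igb2.42", "sw_if": "igb2.99",
    "ill_net": "172.16.0.0/16",
}
GUEST_BLOCK_LIST = ["$int_if:network", "$mgmt_if:network", "$ill_net", "$sw_if:network"]

_RC_LINE = re.compile(r'^ifconfig_([A-Za-z0-9_]+?)(_ipv6)?="([^"]*)"$')


def interface_networks(rc_conf):
    """Map interface name -> networks it sits on, from rc.conf ifconfig_* lines.

    rc.conf spells igb2.100 as igb2_100; values like "DHCP" or "up" carry no
    static address and are skipped.
    """
    nets = {}
    for line in rc_conf.splitlines():
        m = _RC_LINE.match(line.strip())
        if not m:
            continue
        ifname = m.group(1).replace("_", ".")
        words = m.group(3).split()
        if "inet" in words and "netmask" in words:
            addr = words[words.index("inet") + 1]
            mask = words[words.index("netmask") + 1]
            nets.setdefault(ifname, []).append(
                ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        if "inet6" in words and "prefixlen" in words:
            addr = words[words.index("inet6") + 1]
            plen = words[words.index("prefixlen") + 1]
            nets.setdefault(ifname, []).append(
                ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets


def expand_pf_list(tokens, macros, nets):
    """Expand pf address tokens: $m:network -> all networks of that interface
    (both families, as pf does); $m -> the literal prefix in the macro."""
    out = []
    for tok in tokens:
        name, _, suffix = tok.lstrip("$").partition(":")
        value = macros[name]
        if suffix == "network":
            out.extend(nets.get(value, []))
        else:
            out.append(ipaddress.ip_network(value))
    return out


def uncovered(internal, blocked):
    """Prefixes in `internal` that no prefix in `blocked` fully contains."""
    return [n for n in internal
            if not any(n.version == b.version and n.subnet_of(b) for b in blocked)]


def guest_isolation_gaps(rc_conf=RC_CONF, macros=MACROS, block_list=GUEST_BLOCK_LIST):
    """Internal prefixes (every non-guest interface on the router) that the
    guest block list does not cover, as sorted strings."""
    nets = interface_networks(rc_conf)
    guest_if = macros["guest_if"]
    internal = [n for ifname, lst in nets.items() if ifname != guest_if for n in lst]
    blocked = expand_pf_list(block_list, macros, nets)
    return sorted(str(n) for n in uncovered(internal, blocked))


def block_rule(rc_conf=RC_CONF, macros=MACROS):
    """Render a guest block rule that lists every internal prefix explicitly."""
    nets = interface_networks(rc_conf)
    guest_if = macros["guest_if"]
    prefixes = sorted({str(n) for ifname, lst in nets.items() if ifname != guest_if for n in lst})
    return "block quick on $guest_if from any to { " + ", ".join(prefixes) + " }"


if __name__ == "__main__":
    print("not covered by the guest block list:", guest_isolation_gaps())
    print(block_rule())
```

Two things this shows. The list already covers the IPv6 LAN prefix even though no IPv6 literal appears in it, because `$int_if:network` expands to both families of igb2.100. What it does not cover is the igb0 transit link to pingvinashen (192.168.255.0/24 and 2001:470:7914:7065::/64), so a guest can reach the server’s transit address 192.168.255.2 and whatever is bound on it. Whether that matters is a policy decision; the rendered rule closes it by listing the prefixes explicitly, and re-running the check after every rc.conf change keeps the list honest.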
Here’s what rc.conf of the host looks like:

```
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
hostname="t480s.evn0.loc.illuriasecurity.com"

ifconfig_em0="up -rxcsum -txcsum"
vlans_em0="100 42 69"
ifconfig_em0_100="up"
ifconfig_em0_42="up"
ifconfig_em0_69="up"

cloned_interfaces="bridge0 bridge100 bridge42 bridge69"
create_args_bridge100="ether 8c:16:45:82:b4:10"
ifconfig_bridge100="addm em0.100 SYNCDHCP"
ifconfig_bridge100_ipv6="inet6 auto_linklocal"
rtsold_flags="-i -F -m bridge100"
rtsold_enable="YES"
create_args_bridge42=" ether 8c:16:45:82:b4:42"
create_args_bridge69=" ether 8c:16:45:82:b4:69"
ifconfig_bridge42="addm em0.42"
ifconfig_bridge69="addm em0.69"

jail_enable="YES"
jailer_dir="zfs:zroot/jailer"
ifconfig_bridge0="inet 10.1.0.1/24 up"
ngbuddy_enable="YES"
ngbuddy_private_if="nghost0"
dhcpd_enable="YES"
lldpd_enable="YES"
```

I used Jailer to create the unifi0 jail; here’s what the jail.conf looks like:

```
# vim: set syntax=sh:
exec.clean;
allow.raw_sockets;
mount.devfs;

unifi0 {
    $id = "6";
    devfs_ruleset = 10;
    $bridge = "bridge42";
    $domain = "evn0.loc.illuriasecurity.com";
    vnet;
    vnet.interface = "epair${id}b";
    exec.prestart  = "ifconfig epair${id} create up";
    exec.prestart += "ifconfig epair${id}a up descr vnet-${name}";
    exec.prestart += "ifconfig ${bridge} addm epair${id}a up";
    exec.start  = "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start += "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown jail";
    exec.poststop  = "ifconfig ${bridge} deletem epair${id}a";
    exec.poststop += "ifconfig epair${id}a destroy";
    host.hostname = "${name}.${domain}";
    path = "/usr/local/jailer/unifi0";
    exec.consolelog = "/var/log/jail/${name}.log";
    persist;
    mount.fdescfs;
    mount.procfs;
}
```

Here are the important parts inside the jail:

```
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.conf
ifconfig_epair6b="SYNCDHCP"
sendmail_enable="NONE"
syslogd_flags="-ss"
mongod_enable="YES"
unifi_enable="YES"
root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b
ifconfig epair6b ether 58:9c:fc:93:d1:0b
```

Don’t you love it that you can see what’s inside the jail from the host? God I love FreeBSD!

Did I miss anything? I hope not. Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.

Finally, the tiny

RASPBERRY PI 4, MODEL B

I found this in a closet, so I decided to run it for Time Machine. I guess all you care about is rc.conf:

```
hostname="tm0.evn0.loc.illuriasecurity.com"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
rtsold_enable="YES"
samba_server_enable="YES"
```

And the Samba configuration:

```
[global]
# Network settings
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = RPi4

# Logging
log file = /var/log/samba4/log.%m
max log size = 50
log level = 0

# Authentication
security = user
encrypt passwords = yes
passdb backend = tdbsam
map to guest = Bad User
min protocol = SMB2
max protocol = SMB3

# Apple Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:metadata = stream
fruit:resource = stream
fruit:encoding = native
fruit:locking = none
fruit:time machine = yes

# File System support
ea support = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
mangled names = no
smbd max xattr size = 2097152

# Performance tuning
read raw = yes
write raw = yes
getwd cache = yes
strict locking = no

# Miscellaneous
local master = no
preferred master = no
domain master = no
wins support = no

[tm]
comment = Time Machine RPi4
path = /usr/local/timemachine/%U
browseable = yes
read only = no
valid users = antranigv
vfs objects = catia fruit streams_xattr
fruit:time machine = yes
fruit:advertise_fullsync = true
# Adjust the size according to your needs (smb.conf has no inline comments,
# so this note has to sit on its own line)
fruit:time machine max size = 800G
create mask = 0600
directory mask = 0700
```

That’s pretty much it.

CONCLUSION

I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the UniFi Access Point also runs Linux, both of which I’m pretty happy with.

While most homelabbers used ESXi in the past, I’m happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve are much better. I still don’t have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.

Most homelabbers would consider the lack of Web/GUI interfaces a con, but I think that it’s a pro. If I need to “replicate” this network, all I need to do is copy some text files and modify some IP addresses / interface names.

I hope this was informative and that it will be useful for anyone in the future.

That’s all folks…

This entry was posted in Uncategorized and tagged Containers, Dell, Dell Latitude E5470, FreeBSD, home-server, HowTo, Jailer, Jails, macOS, Networking, pf, Samba, Unifi, Unix, VNET on June 23, 2024 by Antranig Vartanian.

ANTRANIG VARTANIAN JUNE 5, 2024

I’m having a hard time understanding how these BootCamps work. Their whole value is teaching people how to code; sometimes they also teach programming, but not always. As far as I can tell, they never teach how to use a computer, which is weird. Take car mechanics as an example: I assume they know how to use a car and the basics of how it works before they start fixing things. But the same doesn’t seem to be true about coding/programming.

I met with a couple of students today who were going to a BootCamp to learn coding-y, DevOps-y and Security things, but they were not able to define what an OS process is. They also had a hard time interacting with a computer. How did we get here?
No, this is not a rhetorical question, I really want to know.

I’m not saying that everyone should know everything about every operating system, but during your work, where you get paid, you will need to use tools such as grep, AWK, xargs, etc.

I remember, once, years ago, I was supposed to teach “security” to a group of students, but I realized it would be more helpful if I taught them Unix and computer networking, so we ended up doing that. Months after their graduation, I saw one of the students, and he asked me “hey, can we do these Unix classes again? Looks like they were important”. I ended up mentoring him, and now he does mostly Taco Bell programming and he gets things done.

My feeling is that we need a book for everyone that’s named “learn this before learning how to program” and we teach basic things such as process management, service management, the Unix shell, how a computer network works, etc. But alas, I barely have time to blog; however I feel that this computer book would be a best seller everywhere.

Back to work, cheers.

ANTRANIG VARTANIAN JUNE 1, 2024

The cab driver is playing classical music, Symphony in C: IV. Finale (Allegro Vivace) by Orchestre National de France & Jean Martinon to be more specific, and I’m loving it. Looks like someone will be getting a large tip. I’m pretty sure it’s radio (I can see the music player) but it’s still lovely.

ANTRANIG VARTANIAN MAY 30, 2024

The FreeBSD Developer Summit Day One was live streamed yesterday and the video is up on YouTube at May 2024 Developer Summit Day 1. I will be watching Day Two live as well, and I love how FreeBSD brings us all together.

MARSEDIT 5.2: SEARCH, MICROPOSTING, AND PREVIEW IMPROVEMENTS

A while back I asked Daniel Jalkut for a feature.
Today, I saw this in MarsEdit 5.2: Search, Microposting, and Preview Improvements:

> Micropost Panel
>
> New defaults are available under Settings -> Blogs -> Publishing to specify which Categories, Tags, and Post Kind should be used when publishing with the Micropost panel.

This made me so happy, as I’ve been loving MarsEdit for the last year or so. I know, I’m late to the party, but I can assure you, it’s still rockin’. I might actually blog more now, but let’s not keep promises that we can’t keep, shall we?

This entry was posted in Uncategorized and tagged macOS, MarsEdit on May 29, 2024 by Antranig Vartanian.

INSTALLING FREEBSD WITH ROOT-ON-ZFS ON VULTR USING IPXE

The title is pretty self explanatory, so let’s get to it, shall we?

I was configuring a server for a customer today, and one of the things I noticed is that FreeBSD was not available for bare-metal. This got me a bit worried, because we use a lot of FreeBSD on Vultr… Well, that’s a lie. We only use FreeBSD on Vultr.

I logged into our company account and noticed that our bare-metals do have FreeBSD as an icon for the image. So I decided to check the docs and found this:

> What operating system templates do you offer?
>
> We offer many Linux and Windows options. We do not offer OpenBSD or FreeBSD images for Vultr Bare Metal. Use our iPXE boot feature if you need to install a custom operating system.

Well, that’s sad, but on the other hand, iPXE will be very useful. We can boot a memdisk such as mfsBSD and install FreeBSD from there.

To start, we need a VM that can host the mfsBSD img/ISO file. I have spun up a VM on Vultr running FreeBSD (although it can run anything else, it wouldn’t matter), installed nginx on it, and downloaded the file so we can boot from it.
Here’s the copy-pasta:

```
pkg install -y nginx
service nginx enable && service nginx start
# /usr/local/www/nginx is the document root of the FreeBSD nginx package;
# the image has to land under the root nginx actually serves
fetch -o /usr/local/www/nginx/ \
    https://mfsbsd.vx.sk/files/images/14/amd64/mfsbsd-se-14.0-RELEASE-amd64.img
```

This should be enough to get started. Oh, if you’re not on FreeBSD then the path might be different, like /var/www/nginx, or something alike. Check your nginx configuration for the details.

Now we need to write an iPXE script and add it into our Vultr iPXE scripts. Here’s what it looks like:

```
#!ipxe
echo Starting MFSBSD
sanboot http://your.server.ip.address/mfsbsd-se-14.0-RELEASE-amd64.img
boot
```

Finally, we can create a bare-metal that uses our script for iPXE boot. Don’t forget to choose the right location and plan.

After the machine is provisioned, you need to access the console and you will see the boot process. The default root password is mfsroot. To install FreeBSD, you can run bsdinstall. The rest will be familiar to you. Yes, you can use Root-on-ZFS. No, it can’t be in UEFI, you must use GPT (BIOS).

Good luck, and special thanks to Vultr for giving us the chance to use our favorite tools on the public cloud.

That’s all folks…

This entry was posted in Tech and tagged FreeBSD, HowTo, iPXE, Vultr, ZFS on May 19, 2024 by Antranig Vartanian.

ANTRANIG VARTANIAN MAY 11, 2024

We have moved the Vishap Oberon Compiler GitHub organization to vishapoberon; this is part of our new rebranding. The new domain will be vishap.oberon.am and we will finally have some ecosystem up and running, such as OberonByExample, official guide, docs, and compiler internals. As a cautious hacker, I also created another organization that uses the old org name, since GitHub still allows org/repo hijacking. Also, we have a new library coming soon; I think the scientific community will love it, as it computes 150x faster than the most common alternative.

AI, LLMS AND BEGINNERS

This AI thing has been going on for a while, especially the LLM part of it.
I understand why there is hype for it, especially from VCs, and mostly from people who *checks notes* are not in the high-techs.

My students are using a lot of ChatGPT (and the others too) and I keep telling them not to use it, not because I don’t want them to use LLMs at all, but because LLMs suck. They are just an interface to a computer, and if you’ve ever done computer programming, you know that a computer does what you tell it, not what you mean. As a beginner (in Software Engineering, System Administration, etc.) you still don’t know what you want a computer to do; that’s why you tell a program what you mean, instead of what it should do.

We can see this problem everywhere. Here’s a real-life example from today.

> I’m using the nginx web server, I’d like to allow only the domain example.com, reject everything else

What my student meant is that if you access the nginx web server via an IP address, then it should show nothing, and if it’s a specific domain, such as example.com, then it should show the web page. What ChatGPT understood is about access control and suggested the following:

```
location / {
    root /usr/local/www/nginx/;
    index index.html index.htm;
    # allow/deny take IP addresses or CIDR prefixes, not host names
    allow example.com;
    deny all;
}
```

As a beginner, my student thought “well, that was easy!”, and then he kept wondering why he can’t access his web server, for 2 days.

And that is why you should not use ChatGPT (or any kind of an LLM) as a beginner. As soon as you understand how a computer works, then go on, use whatever you want. Hell, even use JavaScript. But before using ChatGPT or JavaScript, please learn how a computer works first.

This entry was posted in Tech and tagged AI, LLM on May 11, 2024 by Antranig Vartanian.

ANTRANIG VARTANIAN MAY 6, 2024

Well, Twitter is officially useless. All I get is engagement posts like “Do you use X or Y?” and the X or the Y are options such as Coke or Pepsi. I know that they are different things, but the right answer here is water, or tea, or coffee.
And I keep changing from “For You” to “Following”, but for some reason Twitter (currently known as X) keeps changing it back to “For You”. I had to log out. Sorry Twitter, you were an important part of our life, but not anymore.

On the other hand, my Mastodon feed is really nice. There are some political things here and there that irritate me, but I care about what my friends have to say, even if I don’t agree with everything.

INSTALLING DFIR-IRIS ON FREEBSD USING JAILS

This is a live blog of the installation process of DFIR-IRIS on FreeBSD 14.0-RELEASE using Jails and Jailer.

The main requirements are:

* Nginx
* PostgreSQL
* Python
* Some random dependencies we saw in the Dockerfile

I assume you already have nginx up and running; we will just be setting up a vhost under the domain name dfir.cert.am. Don’t worry, this is INSIDE our infrastructure, you will not be able to connect to it.

INITIAL SETUP

First we create a jail named iris0, using Jailer:

```
jailer create iris0
```

Next we install the required software inside of the jail. Looks like everything is available in FreeBSD packages:

```
jailer console iris0
pkg install \
    nginx \
    python39 \
    py39-pip \
    gnupg \
    7-zip \
    rsync \
    postgresql12-client \
    git-tiny \
    libxslt \
    rust \
    acme.sh
```

INSTALLING DFIR-IRIS

Since we’re using FreeBSD, we’ll be doing things the right way instead of the Docker way, so we will be running IRIS as a user, not as root. Next we set up some directories and check out the repo:

```
root@iris0:~ # pw user add iris -m
root@iris0:~ # su - iris
iris@iris0:~ $ git clone --branch v2.4.7 https://github.com/dfir-iris/iris-web.git iris-web
```

Finally, we install some Python dependencies using pip.
```
iris@iris0:~ $ cd iris-web/source
iris@iris0:~/iris-web/source $ pip install -r requirements.txt
```

Now we have to configure the .env file based on our needs. I will post my version of it, I hope it helps.

```
# NOTE: every password, secret and salt below is a placeholder;
# replace them before the first start, they end up in the database.

# -- DATABASE
export POSTGRES_USER=postgres
export POSTGRES_PASSWORD=postgres
export POSTGRES_DB=iris_db
export POSTGRES_ADMIN_USER=iris
export POSTGRES_ADMIN_PASSWORD=longpassword
export POSTGRES_SERVER=localhost
export POSTGRES_PORT=5432

# -- IRIS
export DOCKERIZED=0
export IRIS_SECRET_KEY=verylongsecret
export IRIS_SECURITY_PASSWORD_SALT=verylongsalt
export IRIS_UPSTREAM_SERVER=app  # these are for docker, you can ignore
export IRIS_UPSTREAM_PORT=8000

# -- WORKER
export CELERY_BROKER=amqp://localhost  # Set to your rabbitmq instance

# Change these as you need them.
# -- AUTH
#IRIS_AUTHENTICATION_TYPE=local
## optional
#IRIS_ADM_PASSWORD=MySuperAdminPassword!
#IRIS_ADM_API_KEY=B8BA5D730210B50F41C06941582D7965D57319D5685440587F98DFDC45A01594
#IRIS_ADM_EMAIL=admin@localhost
#IRIS_ADM_USERNAME=administrator

# requests the just-in-time creation of users with ldap authentification (see https://github.com/dfir-iris/iris-web/issues/203)
#IRIS_AUTHENTICATION_CREATE_USER_IF_NOT_EXIST=True

# the group to which newly created users are initially added, default value is Analysts
#IRIS_NEW_USERS_DEFAULT_GROUP=

# -- LISTENING PORT
#INTERFACE_HTTPS_PORT=443
```

CONFIGURING HTTPS

We can use acme.sh to issue a TLS certificate from Let’s Encrypt.

```
root@iris0:~ # acme.sh --set-default-ca --server letsencrypt
root@iris0:~ # acme.sh --issue -d dfir.cert.am --standalone
root@iris0:~ # acme.sh -i -d dfir.cert.am \
    --fullchain-file /usr/local/etc/ssl/dfir.cert.am/fullchain.pem \
    --key-file /usr/local/etc/ssl/dfir.cert.am/key.pem \
    --reloadcmd 'service nginx reload'
```

SETUP NGINX

DFIR-IRIS provides an nginx configuration template at nginx.conf; we will be using that, with a little bit of modifications.
The final nginx.conf will look like this: #user nobody; worker_processes 1; # This default error log path is compiled-in to make sure configuration parsing # errors are logged somewhere, especially during unattended boot when stderr # isn't normally logged anywhere. This path will be touched on every nginx # start regardless of error log location configured here. See # https://trac.nginx.org/nginx/ticket/147 for more info. # #error_log /var/log/nginx/error.log; # #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; # Things needed/recommended by DFIR-IRIS map $request_uri $csp_header { default "default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline';"; } server_tokens off; sendfile on; tcp_nopush on; tcp_nodelay on; types_hash_max_size 2048; types_hash_bucket_size 128; proxy_headers_hash_max_size 2048; proxy_headers_hash_bucket_size 128; proxy_buffering on; proxy_buffers 8 16k; proxy_buffer_size 4k; client_header_buffer_size 2k; large_client_header_buffers 8 64k; client_body_buffer_size 64k; client_max_body_size 100M; reset_timedout_connection on; keepalive_timeout 90s; client_body_timeout 90s; send_timeout 90s; client_header_timeout 90s; fastcgi_read_timeout 90s; # WORKING TIMEOUT FOR PROXY CONF proxy_read_timeout 90s; uwsgi_read_timeout 90s; gzip off; gzip_disable "MSIE [1-6]\."; # FORWARD CLIENT IDENTITY TO SERVER proxy_set_header HOST $http_host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # FULLY DISABLE SERVER CACHE add_header Last-Modified $date_gmt; add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; if_modified_since off; expires off; etag off; proxy_no_cache 1; proxy_cache_bypass 1; # SSL CONF, STRONG CIPHERS ONLY ssl_protocols TLSv1.2 TLSv1.3; 
ssl_prefer_server_ciphers on; ssl_certificate /usr/local/etc/ssl/dfir.cert.am/fullchain.pem; ssl_certificate_key /usr/local/etc/ssl/dfir.cert.am/key.pem; ssl_ecdh_curve secp521r1:secp384r1:prime256v1; ssl_buffer_size 4k; # DISABLE SSL SESSION CACHE ssl_session_tickets off; ssl_session_cache none; server { listen 443 ssl server_name dfir.cert.am; root /www/data; index index.html; error_page 500 502 503 504 /50x.html; add_header Content-Security-Policy $csp_header; # SECURITY HEADERS add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; # max-age = 31536000s = 1 year add_header Strict-Transport-Security "max-age=31536000: includeSubDomains" always; add_header Front-End-Https on; location / { proxy_pass http://localhost:8000; location ~ ^/(manage/templates/add|manage/cases/upload_files) { keepalive_timeout 10m; client_body_timeout 10m; send_timeout 10m; proxy_read_timeout 10m; client_max_body_size 0M; proxy_request_buffering off; proxy_pass http://localhost:8000; } location ~ ^/(datastore/file/add|datastore/file/add-interactive) { keepalive_timeout 10m; client_body_timeout 10m; send_timeout 10m; proxy_read_timeout 10m; client_max_body_size 0M; proxy_request_buffering off; proxy_pass http://localhost:8000; } } location /socket.io { proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_buffering off; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_pass http://localhost:8000/socket.io; } } } SETUP POSTGRESQL I assume you know how to do this You don’t need to configure a separate user, by the looks of it, IRIS likes to do that itself. Thanks to Jails I was able to run a separate PostgreSQL instance in the iris0 jail. P.S. 
If you are running PostgreSQL inside a jail, make sure that the following variables are set in your jail configuration sysvshm = new; sysvmsg = new; RUNNING DFIR-IRIS Now that everything is up and running, we just need to run DFIR-IRIS and it will create the database, needed users, an administration account, etc. su - iris cd ~/iris-web/source . ../.env ~/.local/bin/gunicorn app:app --worker-class eventlet --bind 0.0.0.0:8000 --timeout 180 --worker-connections 1000 --log-level=debug Assuming everything is fine, now we can setup a rc.d service script to make sure it runs at boot. For that I wrote two files, the service itself and a helper start.sh script rc.d script at /usr/local/etc/rc.d/iris #!/bin/sh # PROVIDE: iris # REQUIRE: NETWORKING # KEYWORD: . /etc/rc.subr name="iris" rcvar="iris_enable" load_rc_config ${name} : ${iris_enable:=no} : ${iris_path:="/usr/local/iris"} : ${iris_gunicorn:="/usr/local/bin/gunicorn"} : ${iris_env="iris_gunicorn=${iris_gunicorn}"} logfile="${iris_path}/iris.log" pidfile="/var/run/${name}/iris.pid" iris_user="iris" iris_chdir="${iris_path}/source" iris_command="${iris_path}/start.sh" command="/usr/sbin/daemon" command_args="-P ${pidfile} -T ${name} -o ${logfile} ${iris_command}" run_rc_command "$1" and the helper script at /home/iris/iris-web/start.sh #!/bin/sh export HOME=$(getent passwd `whoami` | cut -d : -f 6) . ../.env ${iris_gunicorn} app:app --worker-class eventlet --bind 0.0.0.0:8000 --timeout 180 --worker-connections 128 now we set some variables in rc.conf using sysrc and we can start the service. sysrc iris_enable="YES" sysrc iris_path="/home/iris/iris-web" sysrc iris_gunicorn="/home/iris/.local/bin/gunicorn" Finally, we can start DFIR-IRIS as a service. service iris start Aaaaand we’re done Thank you for reading! There are some issues that I’d like to tackle, for example, service iris stop doesn’t work, and it would be nice if we ported all of the dependencies into Ports, but for now, this seems to be working fine. 
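The .env shown earlier ships with placeholder secrets (postgres, longpassword, verylongsecret, verylongsalt) that have to be replaced before the jail is reachable from the network. The following POSIX sh script is an added example, not part of this post or of DFIR-IRIS: it reads a .env in the "export VAR=value" layout used above, flags secrets that are unset, placeholders, or shorter than 32 characters, and replaces the flagged ones with 256-bit random hex values from /dev/urandom. The variable names are the ones from the .env above; the list of placeholder values and the 32-character floor are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the post or of DFIR-IRIS: lint an IRIS .env
# (in the "export VAR=value" layout shown above) for placeholder secrets and
# replace them with random ones. Variable names come from the post; the list
# of placeholder values and the length floor are constructed for this example.

# Secrets that must not carry a throwaway value once the service is reachable.
SECRET_VARS="POSTGRES_PASSWORD POSTGRES_ADMIN_PASSWORD IRIS_SECRET_KEY IRIS_SECURITY_PASSWORD_SALT"

# Values that are obviously placeholders (constructed list; extend to taste).
WEAK_VALUES="postgres longpassword verylongsecret verylongsalt changeme password secret"

# gen_secret: 32 random bytes from the kernel RNG, printed as 64 hex characters.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# env_value FILE VAR: print the last assignment of VAR in FILE, quotes stripped.
env_value() {
    sed -n "s/^\(export \)\{0,1\}$2=\(.*\)$/\2/p" "$1" | tail -n 1 | tr -d '"'"'"
}

# lint_env FILE: print "VAR reason" for every unset, placeholder or short
# (< 32 chars) secret; exit status 1 if anything was flagged.
lint_env() {
    rc=0
    for var in $SECRET_VARS; do
        val=$(env_value "$1" "$var")
        reason=""
        if [ -z "$val" ]; then
            reason="unset"
        else
            for weak in $WEAK_VALUES; do
                if [ "$val" = "$weak" ]; then
                    reason="placeholder"
                fi
            done
            if [ -z "$reason" ] && [ ${#val} -lt 32 ]; then
                reason="short"
            fi
        fi
        if [ -n "$reason" ]; then
            echo "$var $reason"
            rc=1
        fi
    done
    return $rc
}

# harden_env FILE: replace every flagged, existing secret in FILE with a fresh
# random value (a .bak copy is kept), then re-lint so the exit status reports
# whether the file is now clean. Unset variables are reported, not invented.
harden_env() {
    lint_env "$1" | while read -r var reason; do
        if [ "$reason" = "unset" ]; then
            continue
        fi
        new=$(gen_secret)
        sed -i.bak "s|^\(export \)\{0,1\}${var}=.*|\1${var}=${new}|" "$1"
    done
    lint_env "$1" >/dev/null
}

# Stand-alone usage: sh env_lint.sh /home/iris/iris-web/.env
if [ -n "$1" ]; then
    lint_env "$1" || harden_env "$1"
fi
```

Run it once against the .env before the first gunicorn start (IRIS creates the PostgreSQL role and admin account from those values), and keep the .bak out of any backup that leaves the jail.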
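The nginx.conf in the SETUP NGINX section leans on response headers for a good part of its hardening, so it is worth verifying what the live site actually sends (for instance by feeding the output of curl -sI https://dfir.cert.am to a checker). The script below is an added example, not from this post or from the DFIR-IRIS project: it looks for the four headers the config adds, checks that X-Frame-Options is DENY or SAMEORIGIN, and validates the Strict-Transport-Security value against the RFC 6797 directive grammar, which catches the colon in "max-age=31536000: includeSubDomains" as the header was originally posted. The two sample responses are constructed.

```shell
#!/bin/sh
# Added example, not part of the post or of DFIR-IRIS: check an HTTP response
# header block (as printed by "curl -sI https://dfir.cert.am") for the
# security headers the nginx.conf above is meant to send, and validate the
# Strict-Transport-Security value against the RFC 6797 directive grammar.
# The sample responses at the bottom are constructed.

# Headers the config adds and that every response should carry.
REQUIRED_HEADERS="strict-transport-security content-security-policy x-frame-options x-content-type-options"

# header_value NAME < BLOCK: print the first value of header NAME (case-insensitive),
# with the CR of the CRLF line ending and surrounding whitespace removed.
header_value() {
    grep -i "^$1:" | head -n 1 | cut -d: -f2- | tr -d '\r' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# check_hsts VALUE: succeed only for "max-age=N[; includeSubDomains][; preload]"
# with N of at least one year (31536000 s), which is what the config intends.
check_hsts() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')
    age=$(printf '%s' "$v" | sed -n 's/^max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] || return 1
    rest=$(printf '%s' "$v" | sed 's/^max-age=[0-9]*//')
    # Everything after max-age must be ";"-introduced known directives. A
    # value such as "max-age=31536000: includeSubDomains" leaves
    # ":includesubdomains" here and is rejected.
    while [ -n "$rest" ]; do
        case "$rest" in
            ";includesubdomains"*) rest=${rest#";includesubdomains"} ;;
            ";preload"*) rest=${rest#";preload"} ;;
            *) return 1 ;;
        esac
    done
    [ "$age" -ge 31536000 ]
}

# check_headers < BLOCK: print one line per finding; exit status 1 if any.
check_headers() {
    hdrs=$(cat)
    rc=0
    for h in $REQUIRED_HEADERS; do
        if [ -z "$(printf '%s\n' "$hdrs" | header_value "$h")" ]; then
            echo "missing $h"
            rc=1
        fi
    done
    hsts=$(printf '%s\n' "$hdrs" | header_value strict-transport-security)
    if [ -n "$hsts" ] && ! check_hsts "$hsts"; then
        echo "malformed strict-transport-security: $hsts"
        rc=1
    fi
    # Only DENY and SAMEORIGIN are meaningful; anything else is effectively off.
    xfo=$(printf '%s\n' "$hdrs" | header_value x-frame-options | tr 'a-z' 'A-Z')
    case "$xfo" in
        ""|DENY|SAMEORIGIN) ;;
        *) echo "bad x-frame-options: $xfo"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: headers as the config was first posted (colon in HSTS).
sample_before() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Strict-Transport-Security: max-age=31536000: includeSubDomains\r\n'
    printf "Content-Security-Policy: default-src 'self'\r\n"
    printf 'X-Frame-Options: DENY\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
}

# Constructed sample: the same response with the HSTS directive separator fixed.
sample_after() {
    sample_before | sed 's/max-age=31536000:/max-age=31536000;/'
}

# Stand-alone demo on the constructed samples; against the live site use
# "curl -sI https://dfir.cert.am | check_headers" after sourcing this file.
sample_before | check_headers || echo "before: findings listed above"
sample_after | check_headers && echo "after: ok"
```

Because nginx's add_header is not inherited into a location block that sets its own add_header, it pays to run the check against an upload path such as /manage/cases/upload_files as well as /, so that the headers are confirmed on every route, not just the root.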
Special thanks to the DFIR-IRIS team for creating this cool platform!

That's all folks…

This entry was posted in Uncategorized and tagged DFIR, FreeBSD, HowTo, InfoSec, IRIS, Jailer, Jails, PostgreSQL, Python on May 3, 2024 by Antranig Vartanian.