- install via ssh (https://wiki.archlinux.org/index.php/Install_Arch_Linux_via_SSH)
- 2 Disk lvm
vgcreate ServerDisk /dev/sdb2 /dev/sdc2
lvcreate -L 200M ServerDisk -n boot
lvcreate -L 64G ServerDisk -n root
lvcreate -L 64G ServerDisk -n home
lvcreate -L 4G ServerDisk -n swap
lvcreate -l +100%FREE ServerDisk -n data
mkfs.ext4 /dev/ServerDisk/root
mkfs.ext4 /dev/ServerDisk/boot
mkfs.ext4 /dev/ServerDisk/home
mkfs.ext4 /dev/ServerDisk/data
mkswap /dev/ServerDisk/swap
swapon /dev/ServerDisk/swap
mount /dev/ServerDisk/root /mnt
mkdir -p /mnt/{boot,home,data}
mount /dev/ServerDisk/data /mnt/data
mount /dev/ServerDisk/home /mnt/home
mount /dev/ServerDisk/boot /mnt/boot
pacstrap /mnt base base-devel linux linux-firmware
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt
pacman -S vim
# set timezone, locale, and hostname (see arch wiki)
# follow https://wiki.archlinux.org/index.php/Install_Arch_Linux_on_LVM
pacman -S lvm2
mkinitcpio -p linux
pacman -S grub
# install grub accordingly
# follow https://wiki.archlinux.org/index.php/Systemd-networkd for interface renaming
# for interface connected to ISP router
# /etc/systemd/network/10-extern0.link
[Match]
MACAddress=<interface mac address>
[Link]
Description=Wan
Name=extern0
# for interface connected to LAN
# /etc/systemd/network/11-intern0.link
[Match]
MACAddress=<interface mac address>
[Link]
Description=internal network
Name=intern0
# if using wireless
# /etc/systemd/network/12-wlan0.link
[Match]
MACAddress=<interface mac address>
[Link]
Description=wireless network
Name=wlan0
# for extern0, choose from static or dynamic ip address
# or set it to dynamic, but assign ip from the ISP router
# either way, set it as dmz from the isp router.
# /etc/systemd/network/20-extern0.network
[Match]
Name=extern0
[Network]
DHCP=yes
# /etc/systemd/network/21-intern0.network
[Match]
Name=intern0
[Network]
Address=10.0.10.1/24
[Match]
Name=wlan0
[Network]
Address=10.0.20.1/24
systemctl enable systemd-networkd
pacman -S openssh bash-completion
cp -v /etc/ssh/sshd_config{,.orig} # backup of distro default
PermitRootLogin yes # should be reverted back to 'prohibit-password' once user is setup
# enable sshd
systemctl enable sshd
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
pacman -S nftables
cp -v /etc/nftables.conf{,.orig} # backup
systemctl enable nftables
#!/usr/bin/nft -f
flush ruleset
define lan_if = intern0
define wlan_if = wlan0
define wan_if = extern0
define tunnel_if = he-ipv6
table inet firewall {
chain prerouting {
type nat hook prerouting priority 0
}
chain postrouting {
type nat hook postrouting priority 100
oif $wan_if masquerade
}
chain firewall_input {
type filter hook input priority 0;
ct state established,related accept comment "Accept traffic originated from us"
ct state invalid drop comment "Drop invalid connections"
iif lo accept comment "Accept any localhost traffic"
meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
meta l4proto icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"
ip protocol igmp accept comment "Accept IGMP"
ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
tcp dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"
meta l4proto { tcp, udp } th dport 2049 ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NFS"
meta l4proto { tcp, udp } th dport 2049 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NFS"
udp dport netbios-ns ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Name Service (nmbd)"
udp dport netbios-ns ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Name Service (nmbd)"
udp dport netbios-dgm ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Datagram Service (nmbd)"
udp dport netbios-dgm ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Datagram Service (nmbd)"
tcp dport netbios-ssn ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Session Service (smbd)"
tcp dport netbios-ssn ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Session Service (smbd)"
tcp dport microsoft-ds ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Microsoft Directory Service (smbd)"
tcp dport microsoft-ds ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Microsoft Directory Service (smbd)"
udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"
udp sport { bootpc, 4011 } udp dport { bootps, 4011 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept PXE"
udp dport tftp ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept TFTP"
udp dport tftp ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept TFTP"
tcp dport ssh ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"
udp dport 53 accept comment "Accept dns"
tcp dport 53 accept comment "Accept dns"
tcp dport 10000 accept comment "Accept webmin"
tcp dport 20000 accept comment "Accept usermin"
iif $lan_if jump lan_input_rules
iif $wlan_if jump wlan_input_rules
iif $wan_if jump wan_input_rules
reject with icmpx type port-unreachable # refuse traffic from all other interfaces
}
chain firewall_forward {
type filter hook forward priority 0
iifname { lo, $lan_if, $wlan_if } accept comment "allow from loopback and internal network"
oifname { $lan_if, $wlan_if } ct state { established, related } accept comment "allow established connection"
drop comment "drop everything else for chain forward"
}
chain lan_input_rules {
ct state {established,related} accept
ct state invalid drop
reject with icmpx type port-unreachable # all other traffic
}
chain wlan_input_rules {
ct state {established,related} accept
ct state invalid drop
reject with icmpx type port-unreachable # all other traffic
}
chain wan_input_rules {
ct state {established,related} accept
ct state invalid drop
reject with icmpx type port-unreachable # all other traffic
}
chain wan_input_rules {
#ct state {established,related} accept
#ct state invalid drop
#reject with icmpx type port-unreachable # all other traffic
}
chain firewall_output {
type filter hook output priority 0;
accept
}
}
- register at http://tunnelbroker.net/
- arch specific instruction in https://wiki.archlinux.org/index.php/IPv6_tunnel_broker_setup
[Unit]
Description=he.net IPv6 tunnel
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ip tunnel add he-ipv6 mode sit remote server_IPv4_address local client_IPv4_address ttl 255
ExecStart=/usr/bin/ip link set he-ipv6 up mtu 1480
ExecStart=/usr/bin/ip addr add client_IPv6_address dev he-ipv6
ExecStart=/usr/bin/ip -6 route add ::/0 dev he-ipv6
ExecStop=/usr/bin/ip -6 route del ::/0 dev he-ipv6
ExecStop=/usr/bin/ip link set he-ipv6 down
ExecStop=/usr/bin/ip tunnel del he-ipv6
[Install]
WantedBy=multi-user.target
also enable cronie
systemctl enable --now he-ipv6
pacman -S cronie vi
systemctl enable --now cronie
[Match]
Name=intern0
[Network]
Address=10.0.10.1/24
Address=2001:470:ed7f:10::1/64
[Match]
Name=wlan0
[Network]
Address=10.0.20.1/24
Address=2001:470:ed7f:20::1/64
- dynv6.com
- register and setup tunnelbroker.net hooks
- create tsig keys in https://dynv6.com/keys
pacman -S iw wpa_supplicant
# check ap availability
iw list|grep -A6 'Supported interface' | grep AP
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="MySSID"
mode=2
key_mgmt=WPA-PSK
psk="myPassword"
frequency=2437
}
systemctl enable --now wpa_supplicant@wlan0
Resources:
- http://www.btteknik.net/?p=143
- https://wiki.archlinux.org/index.php/BIND
- https://www.howtoforge.com/two_in_one_dns_bind9_views
- http://www.brennan.id.au/08-Domain_Name_System_BIND.html#yourdomain
pacman -S bind dhcp geoip2-database
cp -v /etc/named.conf{,.orig}
cp -v /etc/dhcpd.conf{,.orig}
cp -v /etc/dhcpd6.conf{,.orig}
ddns-confgen -s java281.server # will output below, put it at the bottom of named.conf
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "ddns-key.java281.server" {
algorithm hmac-sha256;
secret "somesecretkey";
};
acl localnet {
127.0.0.1;
::1;
10.0.10.0/24; // lan
10.0.20.0/24; // wlan
2001:470:ed7f::/48; // he-ipv6 tunnelbroker
fe80::/10; // ipv6 link-local
};
acl localserver {
127.0.0.1;
::1;
10.0.10.1; // lan static IPv4
10.0.20.1; // wlan static ipv4
2001:470:ed7f:10::1; // lan static ipv6
2001:470:ed7f:20::1; // wlan static ipv6
};
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { ddns-key.java281.server; };
};
options {
directory "/var/named";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
auth-nxdomain no; # conform to RFC1035
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
listen-on port 53 {
localserver;
};
forwarders {
127.0.0.1 port 53000; // if not using another resolver, set it to google dns or other
::1 port 53000; // like 1.1.1.1 or 202.67.222.222
// this setup will forward to other resolver such as dnscrypt or pihole
// (setup later)
};
forward first;
allow-query {
localnet;
};
notify no;
transfers-per-ns 250; // this is when using dnscrypt
dnssec-validation auto;
};
view "internal" {
match-clients {
localnet;
};
zone "." {
type hint;
file "data/named.ca";
};
zone "java281.server" {
type master;
file "data/java281.server.zone";
allow-update {
key ddns-key.java281.server;
};
allow-transfer {
localnet;
};
allow-query {
localnet;
};
};
zone "10.0.10.in-addr.arpa" { // lan reverse zone
type master;
file "data/10.0.10.zone";
allow-update {
key ddns-key.java281.server;
};
allow-transfer {
localnet;
};
allow-query {
localnet;
};
};
zone "20.0.10.in-addr.arpa" { // wlan reverse zone
type master;
file "data/10.0.20.zone";
allow-update {
key ddns-key.java281.server;
};
allow-transfer {
localnet;
};
allow-query {
localnet;
};
};
zone "f.7.d.e.0.7.4.0.1.0.0.2.ip6.arpa" { // ipv6 reverse zone
type master;
file "data/2001:470:ed7f::_48.zone";
allow-update {
key ddns-key.java281.server;
};
allow-transfer {
localnet;
};
allow-query {
localnet;
};
};
};
view "external" {
match-clients {
any;
};
zone "java281.dynv6.net" IN {
type master;
file "data/java281.dynv6.net.hosts";
};
};
;
; Zone File for "java281.server" - Internal Use ONLY
;
$TTL 1D
@ IN SOA java281.server. admin.java281.server. (
10 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
;
IN NS ns1 ; Name Server for the domain
IN NS ns2 ; Name Server for the domain
IN MX 10 firewall ; Mail Exchange
;
java281.server. IN A 10.0.10.1 ; IP address for the domain 'java281.server', the '.' means it's a fixed address
firewall IN A 10.0.10.1 ; IP address for 'firewall'
ns1 IN A 10.0.10.1
ns2 IN A 10.0.20.1
www IN CNAME firewall ; 'firewall' is also known as www
ftp IN CNAME firewall ; 'firewall' is also known as ftp
ns1 IN AAAA 2001:470:ed7f:10::1
ns2 IN AAAA 2001:470:ed7f:20::1
;
;
; Reverse File for network "10.0.10.0/24" - Internal ONLY
;
$TTL 1D
@ IN SOA java281.server. admin.java281.server. (
10 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
;
@ IN NS ns1.java281.server.
1 IN PTR ns1.java281.server.
;
;
; Reverse File for network "10.0.20.0/24" - Internal ONLY
;
$TTL 1D
@ IN SOA java281.server. admin.java281.server. (
10 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
;
@ IN NS ns2.java281.server.
1 IN PTR ns2.java281.server.
;
- use online tools for ipv6 reverse zone
- https://www.zytrax.com/books/dns/ch3/#ipv6-tool
- http://rdns6.com/zone
;
; 2001:470:ed7f::/48
;
; Zone file built with the IPv6 Reverse DNS zone builder
; http://rdns6.com/
;
$TTL 1D ; Default TTL
@ IN SOA java281.server. admin.java281.server. (
10 ; serial
8H ; slave refresh interval
2H ; slave retry interval
4W ; slave copy expire time
1D ; NXDOMAIN cache time
)
;
; domain name servers
;
@ IN NS ns1.java281.server.
; IPv6 PTR entries
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.f.7.d.e.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR ns1.java281.server.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.f.7.d.e.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR ns2.java281.server.
;
; Zone File for "java281.dynv6.net" - Internal Use ONLY
;
$TTL 1D
@ IN SOA firewall.java281.dynv6.net. admin.java281.dynv6.net. (
10 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D ) ; Minimum
;
@ IN NS firewall ; Name Server for the domain
IN MX 10 firewall ; Mail Exchange
;
firewall IN A 10.0.10.1 ; IP address for 'firewall'
www IN CNAME firewall ; 'firewall' is also known as www
ftp IN CNAME firewall ; 'firewall' is also known as ftp
;
- add this add the bottom of /etc/named.conf
- adjust the key name, algorithm, domain and secret to match the one created at dynv6.com(create new tsig key if not exists)
key "dynv6-key" { // key name from dynv6.com
algorithm hmac-sha512; // algorithm from dynv6.com
secret "a_secret_key"; // secret key from dynv6.com
};
zone "java281.dynv6.net" IN {
type master;
// this is for certbot
update-policy {
grant example-key name _acme-challenge.java281.dynv6.net. txt;
};
key "ddns-key.java281.server" {
algorithm hmac-sha256;
secret "somesecret";
};
options {
default-key "ddns-key.java281.server";
default-server 127.0.0.1;
default-port 953;
};
pacman -S wget
mkdir -pv /var/named/data
wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/data/named.ca
chown -Rv named:named /var/named/data
systemctl enable --now named
pacman -S apache
cp -v /etc/httpd/conf/httpd.conf{,.orig}
systemctl enable --now httpd
open the firewall local ip in browser to test
pacman -S certbot{,-apache} certbot-dns-rfc2136
- adjust with https://dynv6.com/docs/apis#dns-update
dns_rfc2136_server = ns1.dynv6.com
dns_rfc2136_name = dynv6-key # from dynv6.com
dns_rfc2136_secret = INSERT_KEY_WITHOUT_QUOTES # from dynv6.com
dns_rfc2136_algorithm = HMAC-SHA512 # from dynv6.com
Only create the systemd service once it succeeded obtaining certs
certbot certonly --dns-rfc2136 --force-renewal --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini --server https://acme-v02.api.letsencrypt.org/directory --email alexforsale@yahoo.com --agree-tos --no-eff-email -d 'java281.dynv6.net' -d '*.java281.dynv6.net'
follow https://wiki.archlinux.org/index.php/Apache_HTTP_Server regarding TLS, also Virtual Hosts
pacman -S dnscrypt-proxy
cp -v /etc/dnscrypt-proxy/dnscrypt-proxy.toml{,.orig}
only these modifications needed
server_names = ['cisco', 'cisco-ipv6']
listen_addresses = ['127.0.0.1:53000', '[::1]:53000'] # this is the forward address in named.conf
max_clients = 250
systemctl enable --now dnscrypt-proxy
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
authoritative; # Set as master server, protects against rogue DHCP servers and misconfigured clients
log-facility local7;
subnet 10.0.10.0 netmask 255.255.255.0 {
authoritative;
option domain-name "java281.server";
option domain-name-servers 10.0.10.1;
allow unknown-clients;
option routers 10.0.10.1;
interface intern0;
pool {
range 10.0.10.100 10.0.10.200;
}
}
subnet 10.0.20.0 netmask 255.255.255.0 {
option domain-search "java281.server";
authoritative;
ddns-updates on;
allow unknown-clients;
option domain-name "java281.server";
option domain-name-servers 10.0.20.1;
option routers 10.0.20.1;
interface wlan0;
pool {
range 10.0.20.100 10.0.20.200;
}
}
key "ddns-key.java281.server" {
algorithm hmac-sha256;
secret "somesecretkey";
}
zone java281.server. {
primary 10.0.10.1;
key ddns-key.java281.server;
}
zone 10.0.10.in-addr.arpa. {
primary 10.0.10.1;
key ddns-key.java281.server;
}
zone 20.0.10.in-addr.arpa. {
primary 10.0.20.1;
key ddns-key.java281.server;
}
ddns-updates on;
authoritative; # Set as master server, protects against rogue DHCP servers and misconfigured clients
log-facility local7;
update-static-leases on;
dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";
option dhcp6.preference 255;
option dhcp6.rapid-commit;
option dhcp6.info-refresh-time 21600;
subnet6 2001:470:ed7f:10::/60 {
range6 2001:470:ed7f:10:: 2001:470:ed7f:11::;
range6 2001:470:ed7f:12::/64 temporary;
option dhcp6.name-servers 2001:470:ed7f:10::1;
option dhcp6.domain-search "java281.server";
allow leasequery;
ddns-domainname "java281.server";
prefix6 2001:470:ed7f:13:: 2001:470:ed7f:1f:: /64;
}
subnet6 2001:470:ed7f:20::/60 {
range6 2001:470:ed7f:20:: 2001:470:ed7f:21::;
range6 2001:470:ed7f:22::/64 temporary;
option dhcp6.name-servers 2001:470:ed7f:20::1;
option dhcp6.domain-search "java281.server";
allow leasequery;
ddns-domainname "java281.server";
prefix6 2001:470:ed7f:23:: 2001:470:ed7f:2f:: /64;
}
key "ddns-key.java281.server" {
algorithm hmac-sha256;
secret "somesecretkey";
}
zone f.7.d.e.0.7.4.0.1.0.0.2.ip6.arpa. {
primary ns1.java281.server;
key ddns-key.java281.server;
}
zone java281.server. {
primary ns1.java281.server;
key ddns-key.java281.server;
}
pacman -S radvd
cp -v /etc/radvd.conf{,.orig}
interface wlan0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 60;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix 2001:470:ed7f:20::/64 {
AdvOnLink on;
AdvRouterAddr on;
AdvAutonomous on;
};
RDNSS 2001:470:ed7f:10::1 2001:470:ed7f:20::1 {
AdvRDNSSLifetime 60;
FlushRDNSS off;
};
};
interface intern0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 60;
AdvManagedFlag on;
AdvOtherConfigFlag on;
prefix 2001:470:ed7f:10::/64 {
AdvOnLink on;
AdvRouterAddr on;
AdvAutonomous on;
};
RDNSS 2001:470:ed7f:20::1 2001:470:ed7f:10::1 {
AdvRDNSSLifetime 60;
FlushRDNSS off;
};
};
pacman -S ntp
systemctl enable --now ntpd
timedatectl set-ntp 0
systemctl enable named dhcpd{4,6} radvd # plug the intern0 interface
pacman -S openldap
cp -v /etc/openldap/slapd.conf{,.orig}
cp -v /etc/openldap/ldap.conf{,.orig}
Follow https://wiki.archlinux.org/index.php/OpenLDAP
pacman -S sssd
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[domain/LDAP]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://java281.dynv6.net, ldaps://java281.dynv6.net
ldap_search_base = dc=java281,dc=dynv6,dc=net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
chpass_provider = ldap
ldap_chpass_uri = ldap://java281.dynv6.net
entry_cache_timeout = 600
ldap_network_timeout = 2
# additional settings for ldap search base
ldap_user_search_base = ou=People,dc=java281,dc=dynv6,dc=net
ldap_group_search_base = ou=Group,dc=java281,dc=dynv6,dc=net
# OpenLDAP supports posixGroup, uncomment the following two lines
# to get group membership support (and comment the other conflicting parameters)
#ldap_schema = rfc2307
#ldap_group_member = memberUid
# Other LDAP servers may support this instead
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
chmod 600 /etc/sssd/sssd.confchmod 600 /etc/sssd/sssd.conf
follow https://wiki.archlinux.org/index.php/LDAP_authentication Online and Offline Authentication with SSSD
Note: for webmin, install perl-net-ldap-server
pacman -S samba
run as standard user
mkdir -pv ~/aur && cd $_a
pacman -S git inetutils
git clone https://aur.archlinux.org/perl-encode-detect
git clone https://aur.archlinux.org/perl-authen-pam
git clone https://aur.archlinux.org/webmin.git
git clone https://aur.archlinux.org/usermin.git
cd perl-authen-pam
makepkg -si
cd ../perl-encode-detect
makepkg -si
cd ../webmin
makepkg -si
cd ../usermin
makepkg -si
cd ~/aur
git clone https://aur.archlinux.org/ntopng.git
cd ntopng
makepkg -si
systemctl enable --now redis
systemct enable --now ntopng@intern0
Create GeoIP account and update /etc/GeoIP.conf, afterward run geoipupdate
pacman -S fail2ban
systemctl enable --now fail2ban
[sshd]
enabled = true
filter = sshd
banaction = nftables
maxretry = 5
findtime = 1d
bantime = 2w
[slapd]
enabled = true
filter = slapd
findtime = 2w
bantime = 1d
maxretry = 5
[DEFAULT]
banaction = nftables
backend = systemd
We'll use simple nsupdate script to update dynv6 dns
#!/bin/bash
set -e
ipv4=$(curl -4 ifconfig.co)
ipv6=$(curl -6 ifconfig.co)
zone=java281.dynv6.net
nsupdate -y "hmac-xxxxxx:<tsig key name>:<tsig key secret>" <<EOF
server ns1.dynv6.com
zone ${zone}
update delete ${zone} A
update add ${zone} 60 A ${ipv4}
update delete ${zone} AAAA
update add ${zone} 60 AAAA ${ipv6}
send
EOF
add to crontab
*/20 * * * * /usr/local/share/java281/java281.dynv6.net-update.sh
add to crontab
*/10 * * * * /usr/bin/curl -4 "https://<tunnelbroker username:<Update Key>@ipv4.tunnelbroker.net/nic/update?hostname=<tunnel id>"
follow https://wiki.archlinux.org/index.php/Avahi Configuring mDNS for custom TLD, since using custom tld.
pacman -S qemu-headless
Packages (12) libcacard-2.7.0-2 libnfs-4.0.0-3 libslirp-4.3.0-1 libssh-0.9.4-1 liburing-0.6-1 numactl-2.0.13-3 opus-1.3.1-2 seabios-1.13.0-2 spice-0.14.3-2 usbredir-0.8.0-1 vde2-2.3.2-14 qemu-headless-5.0.0-7
pacman -S qemu-headless-arch-extra
pacman -S nmap
pacman -S traceroute
pacman -S htop lsof strace
pacman -S iperf3
pacman -S bmon
pacman -S firewalld
firewall-offline-cmd --zone=external --add-interface=extern0
firewall-offline-cmd --zone=external --add-protocol=igmp
firewall-offline-cmd --zone=external --add-port=3000/tcp
firewall-offline-cmd --zone=external --add-port=10000/tcp
firewall-offline-cmd --zone=external --add-port=20000/tcp
firewall-offline-cmd --zone=external --add-service=http
firewall-offline-cmd --zone=external --add-service=https
firewall-offline-cmd --zone=internal --add-interface=intern0
firewall-offline-cmd --zone=internal --add-interface=wlan0
firewall-offline-cmd --zone=internal --add-service=dns
firewall-offline-cmd --zone=internal --add-service=dhcp
firewall-offline-cmd --zone=internal --add-protocol=igmp
systemctl enable --now firewalld
## TODO: Logging