Artem Boldariev arbv

@kylemanna
kylemanna / build-friendlywrt.md
Last active September 11, 2023 12:24
FriendlyElec NanoPi R5S Linux PTP Support

Build Notes

Environment

Use systemd-nspawn on Arch Linux with debootstrap:

sudo debootstrap --include=systemd-container --components=main,universe jammy ubuntu22.04-rk3568 http://archive.ubuntu.com/ubuntu/
@jfeilbach
jfeilbach / sysctl.conf.md
Last active May 1, 2024 16:44
10/40 Gb NIC Linux Kernel Performance Tuning for samba file server

TCP tuning

The most important TCP tuning areas since kernel 4.9 are:

  • packet pacing
  • dynamic TSO sizing
  • TCP small queues
  • BBR TCP congestion algorithm

Definitions

  • Gb = gigabit
@kevinoid
kevinoid / .bashrc
Created July 31, 2019 16:31
GnuPG pinentry script for terminal or graphical interface based on $PINENTRY_USER_DATA.
# ~/.bashrc: executed by bash(1) for non-login shells.
# If file exists (likely) copy fragment below into existing script:
# If stdin is a terminal
if [ -t 0 ]; then
# Set GPG_TTY so gpg-agent knows where to prompt. See gpg-agent(1)
export GPG_TTY="$(tty)"
# Set PINENTRY_USER_DATA so pinentry-auto knows to present a text UI.
export PINENTRY_USER_DATA=USE_TTY=1
@mjbnz
mjbnz / nginx-rproxy-with-sso.md
Last active May 23, 2024 14:16
Nginx Reverse Proxy with simple SSO

Nginx Reverse Proxy for homelab services using SSO

NOTE: This document has now been added to the nginx-sso wiki, here. Any further updates will be made there.

Using:
auth_username_format = %n
imap_idle_notify_interval = 29 mins
lda_mailbox_autocreate = yes
mail_location = maildir:~/mail
mail_plugins = " fts fts_lucene"
plugin {
fts = lucene
fts_autoindex = yes
fts_lucene = whitespace_chars=@.
imapsieve_mailbox1_before = file:/etc/mail/imapsieve/report-spam.sieve
pki example.com key "/etc/letsencrypt/live/example.com/privkey.pem"
pki example.com certificate "/etc/letsencrypt/live/example.com/fullchain.pem"
listen on lo mask-source
listen on 1.2.3.4 port 25 tls pki example.com auth-optional hostname example.com
listen on 1.2.3.4 port 465 smtps pki example.com auth hostname example.com mask-source
listen on 1.2.3.4 port 587 tls-require pki example.com auth hostname example.com mask-source
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
@InsanePrawn
InsanePrawn / container_dhcp.network
Last active March 7, 2024 18:11
block device passthrough into systemd-nspawn for testing the munin smartctl plugin
[Match]
Name=host*
[Network]
DHCP=yes
@daniel-j-h
daniel-j-h / default.nix
Created July 7, 2016 22:47
Nix C++ compiler, CMake, Boost skeleton --- stable ABI
# Nix skeleton for compiler, cmake, boost.
# Dependencies (boost and others you specify) are built with the selected compiler (for ABI compatibility).
# Examples:
# nix-shell --argstr compiler gcc5 --run 'mkdir build && cd build && cmake .. && cmake --build .'
# nix-shell --argstr compiler gcc6 --run 'mkdir build && cd build && cmake .. && cmake --build .'
# nix-shell --argstr compiler clang_38 --run 'mkdir build && cd build && cmake .. && cmake --build .'
{ nixpkgs ? import <nixpkgs> {}, compiler ? "gcc6" }:
let
@gdamjan
gdamjan / 50-wifi.link
Last active September 26, 2018 15:21
Home network setup with a bridged wifi (for my libvirt VMs) using systemd-networkd and wpa_supplicant
@trendels
trendels / rsync_daemon_over_ssh.md
Last active November 13, 2023 03:26
Rsync daemon mode over ssh

rsync daemon mode over ssh

There are several common ways to do rsync backups of hosts over ssh:

  1. As a non-root user. Upsides: very secure. Downside: cannot back up sensitive files.
  2. As root, with a public key. Downsides: Whoever has the private key has full root access to the host being backed up.
  3. As root, with a public key and a "forced command". Upsides: Restricts access to the server. Downsides: Requires either careful matching of rsync options (which might change over time), or "validator" scripts. Neither idea sounds very appealing to me.
  4. Running rsync in daemon mode on the host being backed up. Upsides: Lots of useful options, like read-only mode, running as a different user if required, server-side excludes/includes, etc. Downsides: Opens up a TCP port that has full filesystem read access and is hard to secure (Ideally you could make the rsync daemon use a unix socket instead, that could be secured by filesystem permissions, but I haven't found a way to do that).

Here is another option t