Compare commits
76 Commits
Author | SHA1 | Date |
---|---|---|
lub | e8616c3dc7 | 3 weeks ago |
lub | ae04d60ffe | 9 months ago |
lub | c9354146da | 9 months ago |
lub | 082c2205e6 | 9 months ago |
lub | 1d7656a8a3 | 9 months ago |
lub | 229307142f | 9 months ago |
lub | ba60386f6b | 9 months ago |
lub | d5df38a312 | 9 months ago |
lub | 1c64dbcbac | 9 months ago |
lub | 3a60297bef | 9 months ago |
lub | d3bdee872c | 9 months ago |
lub | 4ad462dc0b | 9 months ago |
lub | c74e70f883 | 9 months ago |
lub | dac8e57a9e | 9 months ago |
lub | 297a1264bd | 9 months ago |
lub | 90150fabb9 | 9 months ago |
lub | 7b7eba66d1 | 9 months ago |
lub | 3a97519844 | 9 months ago |
lub | 67d6c4b33d | 9 months ago |
lub | cf48fe816e | 9 months ago |
lub | 70595df7ba | 9 months ago |
lub | 93e0e83d58 | 9 months ago |
lub | de4bdf7f2c | 9 months ago |
lub | c28069b352 | 9 months ago |
lub | 3e709e4e70 | 9 months ago |
lub | 12d09583ce | 9 months ago |
lub | 13d99038d1 | 9 months ago |
lub | 3de47520c3 | 9 months ago |
lub | 9d2a02cfe3 | 9 months ago |
lub | 1964773c54 | 1 year ago |
lub | 0ecce74b56 | 1 year ago |
lub | afd6546cbb | 2 years ago |
lub | 7dd0a83d61 | 2 years ago |
lub | 2961ca6db5 | 2 years ago |
lub | 20909b75d2 | 2 years ago |
lub | 447f71e8c2 | 2 years ago |
lub | 870a57eb53 | 2 years ago |
lub | 92df129cfa | 2 years ago |
lub | 2dbf738f2c | 2 years ago |
lub | 5abd827621 | 2 years ago |
lub | 7eb3bb228f | 3 years ago |
lub | 0e56b936b9 | 3 years ago |
lub | 94d48cdf8c | 3 years ago |
lub | 2e4312ca83 | 3 years ago |
lub | 863a440c1a | 3 years ago |
lub | 4aefe21212 | 3 years ago |
lub | 788c724418 | 3 years ago |
lub | 2cd009264a | 3 years ago |
lub | 08aaf9176f | 3 years ago |
lub | 76117a6e74 | 3 years ago |
lub | 15ccadaf66 | 4 years ago |
lub | ba1868a1b1 | 4 years ago |
lub | 06752d0d69 | 4 years ago |
lub | f196246e7d | 4 years ago |
lub | 8275995e0c | 4 years ago |
lub | 843ef82813 | 4 years ago |
lub | f65e78d203 | 4 years ago |
Körner, Simon | bdc3a28878 | 4 years ago |
lub | 91ea4826bf | 4 years ago |
lub | 6c4fcb96ae | 4 years ago |
lub | 99135f7925 | 4 years ago |
lub | 75f77b04a1 | 4 years ago |
lub | 9d958647d5 | 4 years ago |
lub | 73d9babc12 | 4 years ago |
lub | 3a770a3ec0 | 4 years ago |
lub | 0799dfccea | 4 years ago |
lub | e376a620ef | 4 years ago |
lub | c187275054 | 4 years ago |
lub | a1e20155ce | 4 years ago |
lub | e514bd8dab | 4 years ago |
lub | e145cef7b4 | 4 years ago |
lub | 6c196e4288 | 4 years ago |
lub | da23749e62 | 4 years ago |
lub | a81a3b18a9 | 4 years ago |
lub | d9e0b99e1c | 4 years ago |
lub | 560d9a62a2 | 4 years ago |
@ -1 +1,2 @@
|
|||||||
ssh-rsa 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 lub
|
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINQ0EPy3cbfX/wmelSsjRvrXpq9kZWo8tRh68r4Z3QhTAAAABHNzaDo= lub@primary
|
||||||
|
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAUmJxFSwI95zf/NBKNMDXyiRViuKsWnVYl3Qd3DXdRWAAAABHNzaDo= lub@secondary
|
||||||
|
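Review bot: The two new `sk-ssh-ed25519@openssh.com` entries are accepted on a touch-only assertion unless the server is told otherwise; if these credentials were enrolled with `-O verify-required`, prefix each line with `verify-required ` so the PIN/biometric check is enforced by sshd rather than trusted to the client. Whether they were enrolled that way is not visible in the public key blob, so it is worth confirming before relying on it for the unlock and admin path. The removed `ssh-rsa` line is history and needs nothing further here.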
@ -1 +1,2 @@
|
|||||||
deb https://deb.debian.org/debian-security buster/updates main contrib non-free
|
deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
|
||||||
|
deb https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
|
||||||
|
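Review bot: The two new lines configure the same `bookworm-security` suite and component set twice, once via `security.debian.org` and once via `deb.debian.org`, so apt downloads identical indices from two hosts on every update. Keep one of them — `deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware` is the canonical form. If the second line was meant as a fallback, note that `apt update` still exits non-zero when either host is unreachable, so the duplicate does not provide one.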
@ -1 +1 @@
|
|||||||
deb https://deb.debian.org/debian buster main contrib non-free
|
deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
|
||||||
|
@ -1 +0,0 @@
|
|||||||
deb [signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
|
|
@ -1,2 +1,2 @@
|
|||||||
# <target> <source device> <key file> <options>
|
# <target> <source device> <key file> <options>
|
||||||
md0-unlocked /dev/md0 none luks,discard
|
root-unlocked UUID=%root_uuid% none luks,discard
|
||||||
|
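Review bot: The new line carries the `%root_uuid%` template token, so if this file is ever installed without the substitution step the initramfs looks for `UUID=%root_uuid%` and the boot stalls at the unlock prompt; whatever renders this file should refuse to write it while the token is still present. Separately, `discard` on a LUKS container passes TRIM through and lets anyone reading the raw device see which blocks are unused — a common and deliberate trade-off, but one worth recording with a comment such as `# discard: TRIM passthrough reveals free-space layout; accepted for SSD longevity`.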
@ -0,0 +1,39 @@
|
|||||||
|
# If you change this file, run 'update-grub' afterwards to update
|
||||||
|
# /boot/grub/grub.cfg.
|
||||||
|
# For full documentation of the options in this file, see:
|
||||||
|
# info -f grub -n 'Simple configuration'
|
||||||
|
|
||||||
|
GRUB_DEFAULT=0
|
||||||
|
GRUB_TIMEOUT=0
|
||||||
|
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
|
||||||
|
GRUB_CMDLINE_LINUX_DEFAULT="quiet nosmt"
|
||||||
|
GRUB_CMDLINE_LINUX=""
|
||||||
|
|
||||||
|
# If your computer has multiple operating systems installed, then you
|
||||||
|
# probably want to run os-prober. However, if your computer is a host
|
||||||
|
# for guest OSes installed via LVM or raw disk devices, running
|
||||||
|
# os-prober can cause damage to those guest OSes as it mounts
|
||||||
|
# filesystems to look for things.
|
||||||
|
#GRUB_DISABLE_OS_PROBER=false
|
||||||
|
|
||||||
|
# Uncomment to enable BadRAM filtering, modify to suit your needs
|
||||||
|
# This works with Linux (no patch required) and with any kernel that obtains
|
||||||
|
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
|
||||||
|
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
|
||||||
|
|
||||||
|
# Uncomment to disable graphical terminal
|
||||||
|
#GRUB_TERMINAL=console
|
||||||
|
|
||||||
|
# The resolution used on graphical terminal
|
||||||
|
# note that you can use only modes which your graphic card supports via VBE
|
||||||
|
# you can see them in real GRUB with the command `vbeinfo'
|
||||||
|
#GRUB_GFXMODE=640x480
|
||||||
|
|
||||||
|
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
|
||||||
|
#GRUB_DISABLE_LINUX_UUID=true
|
||||||
|
|
||||||
|
# Uncomment to disable generation of recovery mode menu entries
|
||||||
|
#GRUB_DISABLE_RECOVERY="true"
|
||||||
|
|
||||||
|
# Uncomment to get a beep at grub start
|
||||||
|
#GRUB_INIT_TUNE="480 440 1"
|
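Review bot: The only settings that differ from the Debian template, `GRUB_TIMEOUT=0` and `nosmt` in `GRUB_CMDLINE_LINUX_DEFAULT`, are the ones without a comment, while the stock boilerplate is kept verbatim. Add a line above each, e.g. `# nosmt: keep SMT siblings offline so cross-thread side channels (L1TF/MDS class) are not exploitable by co-scheduled workloads; halves the logical CPU count` and `# timeout 0: boot unattended; raise it here and run update-grub when the menu is needed`. The backtick form of `GRUB_DISTRIBUTOR` is the upstream template and can stay as is.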
@ -0,0 +1,6 @@
|
|||||||
|
{
|
||||||
|
"experimental": true,
|
||||||
|
"ipv6": true,
|
||||||
|
"ip6tables": true,
|
||||||
|
"fixed-cidr-v6": "fd00::/48"
|
||||||
|
}
|
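Review bot: `"experimental": true` looks like it is present only because `ip6tables` used to require it; on Docker Engine 27 and later `ip6tables` is a regular option, so on a current engine the flag can be dropped and otherwise enables unrelated preview features. JSON has no comments, so the repo documentation should also record that with the host `nftables.conf` removed in this same compare, IPv6 filtering for published container ports now rests entirely on Docker's own ip6tables chains (or on a firewall outside this repo), which is a different posture from the previous default-drop input policy.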
@ -1 +0,0 @@
|
|||||||
DROPBEAR_OPTIONS="-p 222"
|
|
@ -0,0 +1,3 @@
|
|||||||
|
DROPBEAR_OPTIONS="-p 222"
|
||||||
|
|
||||||
|
DROPBEAR_SK_ED25519=y
|
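Review bot: `DROPBEAR_SK_ED25519=y` does not look like a setting the dropbear-initramfs `dropbear.conf` reads — in dropbear itself `DROPBEAR_SK_ED25519` is a compile-time option in `localoptions.h` — so unless a script in this repo consumes the variable it is silently ignored and the new `sk-ssh-ed25519` keys would be rejected at the unlock prompt; confirm which consumer parses it and note that in a comment. While here, the initramfs listener only needs to accept a key and run the unlock, so `DROPBEAR_OPTIONS="-p 222 -s -j -k"` (no password auth, no local or remote forwarding) narrows what a stolen unlock key can be used for.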
@ -0,0 +1,4 @@
|
|||||||
|
127.0.0.1 localhost %fqdn%
|
||||||
|
::1 localhost ip6-localhost ip6-loopback %fqdn%
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
@ -1,75 +0,0 @@
|
|||||||
#!/usr/sbin/nft -f
|
|
||||||
|
|
||||||
flush ruleset
|
|
||||||
|
|
||||||
# don't use inet instead of ip&ip6,
|
|
||||||
# because Docker doesn't support it, yet
|
|
||||||
# see https://maximilianehlers.com/blog/nftables-and-docker/ for more details
|
|
||||||
|
|
||||||
table ip filter {
|
|
||||||
chain INPUT {
|
|
||||||
type filter hook input priority 0;
|
|
||||||
policy drop;
|
|
||||||
|
|
||||||
|
|
||||||
# allow already established connections (e.g. initiated by this host)
|
|
||||||
ct state related,established accept
|
|
||||||
|
|
||||||
# allow ICMP
|
|
||||||
ip protocol icmp accept
|
|
||||||
|
|
||||||
# allow anything on localhost
|
|
||||||
iifname "lo" accept
|
|
||||||
|
|
||||||
# allow SSH for remote management
|
|
||||||
tcp dport 22 accept
|
|
||||||
|
|
||||||
|
|
||||||
## docker
|
|
||||||
|
|
||||||
# cluster management communications
|
|
||||||
tcp dport 2377 accept
|
|
||||||
|
|
||||||
# communication among nodes
|
|
||||||
tcp dport 7946 accept
|
|
||||||
udp dport 7946 accept
|
|
||||||
|
|
||||||
# overlay network traffic
|
|
||||||
udp dport 4789 accept
|
|
||||||
|
|
||||||
# allow IPSEC connections (encrypted overlay networks)
|
|
||||||
ip protocol esp accept
|
|
||||||
}
|
|
||||||
chain FORWARD {
|
|
||||||
type filter hook forward priority 0;
|
|
||||||
policy drop;
|
|
||||||
}
|
|
||||||
chain OUTPUT {
|
|
||||||
type filter hook output priority 0;
|
|
||||||
policy accept;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
table ip6 filter {
|
|
||||||
chain INPUT {
|
|
||||||
type filter hook input priority 0;
|
|
||||||
policy drop;
|
|
||||||
|
|
||||||
|
|
||||||
# allow already established connections (e.g. initiated by this host)
|
|
||||||
ct state related,established accept
|
|
||||||
|
|
||||||
# allow ICMPv6
|
|
||||||
ip6 nexthdr icmpv6 accept
|
|
||||||
|
|
||||||
# allow anything on localhost
|
|
||||||
iifname "lo" accept
|
|
||||||
}
|
|
||||||
chain FORWARD {
|
|
||||||
type filter hook forward priority 0;
|
|
||||||
policy drop;
|
|
||||||
}
|
|
||||||
chain OUTPUT {
|
|
||||||
type filter hook output priority 0;
|
|
||||||
policy accept;
|
|
||||||
}
|
|
||||||
}
|
|
@ -0,0 +1,2 @@
|
|||||||
|
PasswordAuthentication no
|
||||||
|
PermitRootLogin no
|
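Review bot: `PasswordAuthentication no` alone does not disable PAM keyboard-interactive logins; pair it with `KbdInteractiveAuthentication no` (`ChallengeResponseAuthentication no` on older releases) unless the stock `sshd_config` already sets it, which Debian's shipped file normally does. sshd keeps the first occurrence of a keyword, so if this is a drop-in under `sshd_config.d/` its ordering matters — `sshd -T` shows the effective values after the change. Since the authorized_keys in this compare move to `sk-ssh-ed25519` keys, `PubkeyAuthOptions verify-required` would be the server-side way to require user verification for all of them at once.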
@ -0,0 +1,7 @@
|
|||||||
|
# https://docs.k3s.io/security/hardening-guide?_highlight=sysctl#ensure-protect-kernel-defaults-is-set
|
||||||
|
|
||||||
|
vm.panic_on_oom=0
|
||||||
|
vm.overcommit_memory=1
|
||||||
|
kernel.panic=10
|
||||||
|
kernel.panic_on_oops=1
|
||||||
|
kernel.keys.root_maxbytes=25000000
|
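Review bot: `kernel.panic=10` together with `kernel.panic_on_oops=1` turns any oops into a reboot after ten seconds, and with the LUKS root added to `crypttab` in this same compare that reboot stops in the initramfs waiting for a remote dropbear unlock; a comment here should make that interaction explicit, e.g. `# oops -> panic -> reboot after 10s; root is LUKS, so an unattended reboot waits at the dropbear unlock prompt`. The `?_highlight=sysctl` query string in the source URL is a search artefact and can be trimmed.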
Binary file not shown.
@ -0,0 +1 @@
|
|||||||
|
/dev/nvme0n1p2
|
@ -0,0 +1 @@
|
|||||||
|
/dev/nvme0n1p3
|
@ -0,0 +1,113 @@
|
|||||||
|
#!/bin/bash -e
|
||||||
|
|
||||||
|
default_routev4=$(ip route list | grep -F 'default')
|
||||||
|
|
||||||
|
interface=$(echo "$default_routev4" | perl -pe 's#^.* dev (\w+) .*$#$1#')
|
||||||
|
macaddress=$(ip address show dev "$interface" | grep -F 'link/ether' | perl -pe 's#^.*link/ether ([a-z0-9:]*) brd .+$#$1#')
|
||||||
|
|
||||||
|
addresses=$(ip address show dev "$interface" scope global)
|
||||||
|
|
||||||
|
gatewayv4=$(echo "$default_routev4" | perl -pe 's#^.* via ([\d.]+) .*$#$1#')
|
||||||
|
addressv4=$(echo "$addresses" | grep -F 'inet ' | perl -pe 's#^.* inet ([\d.]+).*#$1#')
|
||||||
|
|
||||||
|
addressv6=$(echo "$addresses" | grep -F 'inet6 ' | perl -pe 's#^.* inet6 ([a-z0-9:]+)::[a-z0-9]+.*$#$1#')
|
||||||
|
|
||||||
|
|
||||||
|
echo "[Match]
|
||||||
|
MACAddress=${macaddress}
|
||||||
|
Type=ether
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
Gateway=fe80::1
|
||||||
|
Gateway=${gatewayv4}
|
||||||
|
|
||||||
|
[Address]
|
||||||
|
Address=${addressv6}::1337/64
|
||||||
|
|
||||||
|
[Address]
|
||||||
|
Address=${addressv4}/32
|
||||||
|
Peer=${gatewayv4}/32
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
VLAN=ingress
|
||||||
|
VLAN=kubernetes" > "/etc/systemd/network/egress.network"
|
||||||
|
|
||||||
|
echo "[NetDev]
|
||||||
|
Name=ingress
|
||||||
|
Kind=vlan
|
||||||
|
MTUBytes=1400
|
||||||
|
|
||||||
|
[VLAN]
|
||||||
|
Id=4000" > "/etc/systemd/network/ingress.netdev"
|
||||||
|
|
||||||
|
echo "[Match]
|
||||||
|
Name=ingress
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
Description=\"ingress\"
|
||||||
|
|
||||||
|
[Route]
|
||||||
|
Gateway=2a01:4f8:fff0:a5::1
|
||||||
|
Table=4000
|
||||||
|
|
||||||
|
[Route]
|
||||||
|
Gateway=157.90.103.81
|
||||||
|
Table=4000
|
||||||
|
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
From=2a01:4f8:fff0:a5::/64
|
||||||
|
To=fd00:42::/31
|
||||||
|
Priority=1000
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
From=157.90.103.80/28
|
||||||
|
To=10.42.0.0/15
|
||||||
|
Priority=1000
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
To=2a01:4f8:fff0:a5::/64
|
||||||
|
From=fd00:42::/31
|
||||||
|
Priority=1000
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
To=157.90.103.80/28
|
||||||
|
From=10.42.0.0/15
|
||||||
|
Priority=1000
|
||||||
|
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
From=2a01:4f8:fff0:a5::/64
|
||||||
|
Table=4000
|
||||||
|
Priority=1100
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
From=157.90.103.80/28
|
||||||
|
Table=4000
|
||||||
|
Priority=1100
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
To=2a01:4f8:fff0:a5::/64
|
||||||
|
Table=4000
|
||||||
|
Priority=1100
|
||||||
|
|
||||||
|
[RoutingPolicyRule]
|
||||||
|
To=157.90.103.80/28
|
||||||
|
Table=4000
|
||||||
|
Priority=1100" > "/etc/systemd/network/ingress.network"
|
||||||
|
|
||||||
|
echo "[NetDev]
|
||||||
|
Name=kubernetes
|
||||||
|
Kind=vlan
|
||||||
|
MTUBytes=1400
|
||||||
|
|
||||||
|
[VLAN]
|
||||||
|
Id=4010" > "/etc/systemd/network/kubernetes.netdev"
|
||||||
|
|
||||||
|
echo "[Match]
|
||||||
|
Name=kubernetes
|
||||||
|
|
||||||
|
[Network]
|
||||||
|
Description=\"kubernetes\"
|
||||||
|
Address=10.73.19.fixme/24
|
||||||
|
Address=fdad:73ce:19db::fixme/48" > "/etc/systemd/network/kubernetes.network"
|
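Review bot: Every value this script feeds into the networkd files is taken from `ip` output without a check, and `#!/bin/bash -e` is the only error handling, which is lost when the file is run as `bash script`; if the host has two default routes `interface` becomes two lines and `ip address show dev` fails, and when a `perl -pe` pattern does not match it passes the whole line through, so a malformed `[Match]` or `[Address]` section is written silently. The final `echo` also writes the literal `fixme` into `kubernetes.network` (`Address=10.73.19.fixme/24`), which networkd rejects, and the ingress gateways and prefixes (`2a01:4f8:fff0:a5::/64`, `157.90.103.80/28`) are hard-coded while the same facts for the primary interface are discovered, so those should come from a parameter or be derived the same way. The rewrite below pins the first default route and first global address, validates each discovered value against the shape it is later interpolated in, and leaves the file writers unchanged.
```shell
#!/usr/bin/env bash
set -euo pipefail

# Only the first default route is used; a second one would turn
# $interface into two lines and break every 'ip ... dev' call below.
default_routev4=$(ip route list default | head -n 1)
interface=$(perl -pe 's#^.* dev (\w+) .*$#$1#' <<<"$default_routev4")
macaddress=$(ip address show dev "$interface" | grep -F 'link/ether' | perl -pe 's#^.*link/ether ([a-z0-9:]*) brd .+$#$1#')
addresses=$(ip address show dev "$interface" scope global)
gatewayv4=$(perl -pe 's#^.* via ([\d.]+) .*$#$1#' <<<"$default_routev4")
addressv4=$(grep -F 'inet ' <<<"$addresses" | head -n 1 | perl -pe 's#^.* inet ([\d.]+).*#$1#')
addressv6=$(grep -F 'inet6 ' <<<"$addresses" | head -n 1 | perl -pe 's#^.* inet6 ([a-z0-9:]+)::[a-z0-9]+.*$#$1#')

# perl -pe leaves a non-matching line untouched, so check the shape of
# each value instead of trusting that the substitution happened.
check() {
  local name=$1 value=$2 pattern=$3
  [[ "$value" =~ $pattern ]] || { printf 'cannot determine %s (got %q)\n' "$name" "$value" >&2; exit 1; }
}
check interface  "$interface"  '^[A-Za-z0-9_.-]+$'
check macaddress "$macaddress" '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
check gatewayv4  "$gatewayv4"  '^[0-9.]+$'
check addressv4  "$addressv4"  '^[0-9.]+$'
check addressv6  "$addressv6"  '^[0-9a-f:]+$'

# … unchanged: echo > egress.network, ingress.netdev, ingress.network, kubernetes.netdev, kubernetes.network …
```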
@ -0,0 +1,22 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
set -e
|
||||||
|
|
||||||
|
|
||||||
|
# / 1020GB
|
||||||
|
# /boot 1GB
|
||||||
|
# /boot/efi 1GB
|
||||||
|
# free 0GB
|
||||||
|
|
||||||
|
parted -- /dev/nvme0n1 mklabel msdos
|
||||||
|
parted -- /dev/nvme0n1 mkpart primary 1 1020GB
|
||||||
|
parted -- /dev/nvme0n1 mkpart primary 1020GB 1022GB
|
||||||
|
parted -- /dev/nvme0n1 mkpart primary 1022GB 1024GB
|
||||||
|
# set flag for ESP
|
||||||
|
parted -- /dev/nvme0n1 set 3 boot on
|
||||||
|
|
||||||
|
parted -- /dev/nvme1n1 mklabel gpt
|
||||||
|
parted -- /dev/nvme1n1 mkpart primary 1 -1
|
||||||
|
parted -- /dev/nvme2n1 mklabel gpt
|
||||||
|
parted -- /dev/nvme2n1 mkpart primary 1 -1
|
||||||
|
|
||||||
|
sleep 1
|
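Review bot: `parted` is invoked without `-s`/`--script`, so any question it asks (alignment warnings, or an existing label on nvme0n1) blocks an otherwise unattended run under `set -e`; add `-s` to each call. The comment block says `/boot 1GB` and `/boot/efi 1GB`, but the `mkpart` lines carve `1020GB 1022GB` and `1022GB 1024GB`, two 2GB partitions, so one of the two should be corrected. On an `msdos` label `set 3 boot on` only marks the partition active, while firmware locates an EFI System Partition by its type, so either use a `gpt` label for nvme0n1 as is already done for nvme1n1 and nvme2n1, or confirm that `esp on` is honoured on this label. The trailing `sleep 1` is a race against udev; `udevadm settle` waits for the actual partition nodes.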
@ -0,0 +1 @@
|
|||||||
|
/dev/nvme0n1p1
|
@ -0,0 +1 @@
|
|||||||
|
/dev/md1
|
@ -0,0 +1 @@
|
|||||||
|
/dev/md0
|
@ -1,6 +1,9 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
for device in /dev/md* /dev/nvme* /dev/sd* /dev/vd*; do
|
for device in /dev/md* /dev/nvme* /dev/sd* /dev/vd*; do
|
||||||
dd if=/dev/zero of=$device bs=10M count=100
|
dd if=/dev/zero of=$device bs=10M count=10 &
|
||||||
done
|
done
|
||||||
sync
|
|
||||||
|
wait
|
||||||
|
|
||||||
|
sync
|
||||||
|
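Review bot: The new loop backgrounds one `dd` per match of `/dev/md* /dev/nvme* /dev/sd* /dev/vd*`, but `/dev/nvme*` also matches the controller character devices (`/dev/nvme0`) and every partition node, and an unmatched pattern stays literal, so several jobs fail — and with no `set -e` and a bare `wait` those failures are invisible. Quote `$device`, skip non-block entries with `[[ -b "$device" ]] || continue`, and collect `pids+=($!)` in the loop so that `for p in "${pids[@]}"; do wait "$p" || printf 'wipe failed (pid %s)\n' "$p" >&2; done` reports each failure. Zeroing the first 100MB (`count=10`) removes LUKS and mdadm headers at the front of a device but leaves the GPT backup header at its end, so if the aim is to clear signatures before re-partitioning, `wipefs -a -- "$device"` is the narrower and more reliable tool.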