Compare commits
76 Commits
Author | SHA1 | Date |
---|---|---|
lub | e8616c3dc7 | 3 weeks ago |
lub | ae04d60ffe | 9 months ago |
lub | c9354146da | 9 months ago |
lub | 082c2205e6 | 9 months ago |
lub | 1d7656a8a3 | 9 months ago |
lub | 229307142f | 9 months ago |
lub | ba60386f6b | 9 months ago |
lub | d5df38a312 | 9 months ago |
lub | 1c64dbcbac | 9 months ago |
lub | 3a60297bef | 9 months ago |
lub | d3bdee872c | 9 months ago |
lub | 4ad462dc0b | 9 months ago |
lub | c74e70f883 | 9 months ago |
lub | dac8e57a9e | 9 months ago |
lub | 297a1264bd | 9 months ago |
lub | 90150fabb9 | 9 months ago |
lub | 7b7eba66d1 | 9 months ago |
lub | 3a97519844 | 9 months ago |
lub | 67d6c4b33d | 9 months ago |
lub | cf48fe816e | 9 months ago |
lub | 70595df7ba | 9 months ago |
lub | 93e0e83d58 | 9 months ago |
lub | de4bdf7f2c | 9 months ago |
lub | c28069b352 | 9 months ago |
lub | 3e709e4e70 | 9 months ago |
lub | 12d09583ce | 9 months ago |
lub | 13d99038d1 | 9 months ago |
lub | 3de47520c3 | 9 months ago |
lub | 9d2a02cfe3 | 9 months ago |
lub | 1964773c54 | 1 year ago |
lub | 0ecce74b56 | 1 year ago |
lub | afd6546cbb | 2 years ago |
lub | 7dd0a83d61 | 2 years ago |
lub | 2961ca6db5 | 2 years ago |
lub | 20909b75d2 | 2 years ago |
lub | 447f71e8c2 | 2 years ago |
lub | 870a57eb53 | 2 years ago |
lub | 92df129cfa | 2 years ago |
lub | 2dbf738f2c | 2 years ago |
lub | 5abd827621 | 2 years ago |
lub | 7eb3bb228f | 3 years ago |
lub | 0e56b936b9 | 3 years ago |
lub | 94d48cdf8c | 3 years ago |
lub | 2e4312ca83 | 3 years ago |
lub | 863a440c1a | 3 years ago |
lub | 4aefe21212 | 3 years ago |
lub | 788c724418 | 3 years ago |
lub | 2cd009264a | 3 years ago |
lub | 08aaf9176f | 3 years ago |
lub | 76117a6e74 | 3 years ago |
lub | 15ccadaf66 | 4 years ago |
lub | ba1868a1b1 | 4 years ago |
lub | 06752d0d69 | 4 years ago |
lub | f196246e7d | 4 years ago |
lub | 8275995e0c | 4 years ago |
lub | 843ef82813 | 4 years ago |
lub | f65e78d203 | 4 years ago |
Körner, Simon | bdc3a28878 | 4 years ago |
lub | 91ea4826bf | 4 years ago |
lub | 6c4fcb96ae | 4 years ago |
lub | 99135f7925 | 4 years ago |
lub | 75f77b04a1 | 4 years ago |
lub | 9d958647d5 | 4 years ago |
lub | 73d9babc12 | 4 years ago |
lub | 3a770a3ec0 | 4 years ago |
lub | 0799dfccea | 4 years ago |
lub | e376a620ef | 4 years ago |
lub | c187275054 | 4 years ago |
lub | a1e20155ce | 4 years ago |
lub | e514bd8dab | 4 years ago |
lub | e145cef7b4 | 4 years ago |
lub | 6c196e4288 | 4 years ago |
lub | da23749e62 | 4 years ago |
lub | a81a3b18a9 | 4 years ago |
lub | d9e0b99e1c | 4 years ago |
lub | 560d9a62a2 | 4 years ago |
@ -1 +1,2 @@
|
||||
ssh-rsa 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 lub
|
||||
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINQ0EPy3cbfX/wmelSsjRvrXpq9kZWo8tRh68r4Z3QhTAAAABHNzaDo= lub@primary
|
||||
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAUmJxFSwI95zf/NBKNMDXyiRViuKsWnVYl3Qd3DXdRWAAAABHNzaDo= lub@secondary
|
||||
|
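Review bot: The two sk-ssh-ed25519 keys on the new side carry no authorized_keys options, so if this file is consumed by sshd a FIDO authenticator only has to be touched, not unlocked. Where the authenticators were enrolled with a PIN (`ssh-keygen -O verify-required`), prefix each key with `verify-required`, and consider `from=` or `restrict` where the way the keys are used allows it. If the file is instead the initramfs authorized_keys read by dropbear, dropbear supports only a subset of these options, so confirm which apply there. The removed ssh-rsa line is history and needs nothing.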
@ -1 +1,2 @@
|
||||
deb https://deb.debian.org/debian-security buster/updates main contrib non-free
|
||||
deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
|
||||
deb https://deb.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
|
||||
|
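Review bot: The two added lines configure the same suite, `bookworm-security`, with the same components from two hosts, so apt fetches and verifies both index sets on every update and may warn about the duplicate target. Keep one of them; the conventional entry is `deb https://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware`. Since the `+`/`-` markers are lost in this rendering, this assumes from the hunk counts (one removed, two added) that both bookworm lines are new.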
@ -1 +1 @@
|
||||
deb https://deb.debian.org/debian buster main contrib non-free
|
||||
deb https://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
|
||||
|
@ -1 +0,0 @@
|
||||
deb [signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian buster stable
|
@ -1,2 +1,2 @@
|
||||
# <target> <source device> <key file> <options>
|
||||
md0-unlocked /dev/md0 none luks,discard
|
||||
root-unlocked UUID=%root_uuid% none luks,discard
|
||||
|
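Review bot: The `discard` option on the `root-unlocked` entry passes TRIM through dm-crypt, which exposes which sectors of the encrypted device are unused and so leaks filesystem layout and free-space information to anyone with the raw device; cryptsetup documents this as an accepted trade-off for SSDs, so keep it deliberately and record the choice in the header comment, e.g. `# discard: TRIM passthrough, leaks free-space layout; accepted for SSD wear`. `UUID=%root_uuid%` reads as a template token substituted at provisioning time, presumably by the same mechanism as `%fqdn%` elsewhere in this compare; worth a check that the substitution fails loudly when the value is missing, because a crypttab with the literal token would leave the root unbootable. Which of the two `-unlocked` lines is the new one is not recoverable from the rendering, but `discard` appears on both.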
@ -0,0 +1,39 @@
|
||||
# If you change this file, run 'update-grub' afterwards to update
|
||||
# /boot/grub/grub.cfg.
|
||||
# For full documentation of the options in this file, see:
|
||||
# info -f grub -n 'Simple configuration'
|
||||
|
||||
GRUB_DEFAULT=0
|
||||
GRUB_TIMEOUT=0
|
||||
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="quiet nosmt"
|
||||
GRUB_CMDLINE_LINUX=""
|
||||
|
||||
# If your computer has multiple operating systems installed, then you
|
||||
# probably want to run os-prober. However, if your computer is a host
|
||||
# for guest OSes installed via LVM or raw disk devices, running
|
||||
# os-prober can cause damage to those guest OSes as it mounts
|
||||
# filesystems to look for things.
|
||||
#GRUB_DISABLE_OS_PROBER=false
|
||||
|
||||
# Uncomment to enable BadRAM filtering, modify to suit your needs
|
||||
# This works with Linux (no patch required) and with any kernel that obtains
|
||||
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
|
||||
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
|
||||
|
||||
# Uncomment to disable graphical terminal
|
||||
#GRUB_TERMINAL=console
|
||||
|
||||
# The resolution used on graphical terminal
|
||||
# note that you can use only modes which your graphic card supports via VBE
|
||||
# you can see them in real GRUB with the command `vbeinfo'
|
||||
#GRUB_GFXMODE=640x480
|
||||
|
||||
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
|
||||
#GRUB_DISABLE_LINUX_UUID=true
|
||||
|
||||
# Uncomment to disable generation of recovery mode menu entries
|
||||
#GRUB_DISABLE_RECOVERY="true"
|
||||
|
||||
# Uncomment to get a beep at grub start
|
||||
#GRUB_INIT_TUNE="480 440 1"
|
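Review bot: `GRUB_CMDLINE_LINUX_DEFAULT="quiet nosmt"` is the only local change to what is otherwise the stock Debian template and it carries no comment; `nosmt` disables the SMT sibling threads and halves the logical CPU count, which a later maintainer will not expect from a stock-looking file. Add a why-comment above it, e.g. `# nosmt: disable SMT siblings as a mitigation for cross-thread CPU side channels; halves the logical CPU count`. `GRUB_TIMEOUT=0` leaves no window to choose the recovery entry at a console, which is presumably intended for a remote host unlocked through dropbear, and deserves a one-line comment for the same reason.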
@ -0,0 +1,6 @@
|
||||
{
|
||||
"experimental": true,
|
||||
"ipv6": true,
|
||||
"ip6tables": true,
|
||||
"fixed-cidr-v6": "fd00::/48"
|
||||
}
|
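Review bot: `"experimental": true` switches on every experimental daemon feature, not only the IPv6 rule management that `ip6tables` required in older engines; JSON has no comments, so record in the repository why it is set and drop it once the installed engine accepts `ip6tables` on its own. With `ip6tables` (and the default `iptables`) enabled, Docker installs and manages its own filter and nat rules on the host, while the nftables ruleset with a drop policy on INPUT is removed elsewhere in this compare; unless a replacement host firewall lives outside this diff, inbound filtering of published ports and of the `fd00::/48` range now rests on Docker's rules alone, which is worth confirming before the old ruleset is gone.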
@ -1 +0,0 @@
|
||||
DROPBEAR_OPTIONS="-p 222"
|
@ -0,0 +1,3 @@
|
||||
DROPBEAR_OPTIONS="-p 222"
|
||||
|
||||
DROPBEAR_SK_ED25519=y
|
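Review bot: `DROPBEAR_OPTIONS="-p 222"` only moves the port; for an initramfs unlock shell the options `-s` (disable password logins), `-j` and `-k` (disable local and remote port forwarding) close paths nothing in that environment needs, so `DROPBEAR_OPTIONS="-p 222 -s -j -k"` is the safer line. `DROPBEAR_SK_ED25519=y` looks like dropbear's compile-time `localoptions.h` macro rather than a documented runtime setting of this config file, so it is presumably a no-op here; verify that the installed dropbear build actually accepts the sk-ssh-ed25519 keys from the authorized_keys change in this compare (an unlock attempt with one of them is the test) and drop the line if it has no effect. A short comment stating what each option is for would help whoever next edits this file.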
@ -0,0 +1,4 @@
|
||||
127.0.0.1 localhost %fqdn%
|
||||
::1 localhost ip6-localhost ip6-loopback %fqdn%
|
||||
ff02::1 ip6-allnodes
|
||||
ff02::2 ip6-allrouters
|
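Review bot: `%fqdn%` is mapped to the loopback addresses on both the `127.0.0.1` and `::1` lines, so any service that resolves the host's own name to choose an advertise or bind address gets loopback rather than a reachable address, which is a common source of cluster-join problems. Debian's convention is a separate line for the host name, e.g. `127.0.1.1 %fqdn% %hostname%` with the short name as an alias, or the host's primary address; the short name alias is also missing here. The `%fqdn%` token is presumably substituted at provisioning time like the other `%...%` tokens in this compare.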
@ -1,75 +0,0 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
flush ruleset
|
||||
|
||||
# don't use inet instead of ip&ip6,
|
||||
# because Docker doesn't support it, yet
|
||||
# see https://maximilianehlers.com/blog/nftables-and-docker/ for more details
|
||||
|
||||
table ip filter {
|
||||
chain INPUT {
|
||||
type filter hook input priority 0;
|
||||
policy drop;
|
||||
|
||||
|
||||
# allow already established connections (e.g. initiated by this host)
|
||||
ct state related,established accept
|
||||
|
||||
# allow ICMP
|
||||
ip protocol icmp accept
|
||||
|
||||
# allow anything on localhost
|
||||
iifname "lo" accept
|
||||
|
||||
# allow SSH for remote management
|
||||
tcp dport 22 accept
|
||||
|
||||
|
||||
## docker
|
||||
|
||||
# cluster management communications
|
||||
tcp dport 2377 accept
|
||||
|
||||
# communication among nodes
|
||||
tcp dport 7946 accept
|
||||
udp dport 7946 accept
|
||||
|
||||
# overlay network traffic
|
||||
udp dport 4789 accept
|
||||
|
||||
# allow IPSEC connections (encrypted overlay networks)
|
||||
ip protocol esp accept
|
||||
}
|
||||
chain FORWARD {
|
||||
type filter hook forward priority 0;
|
||||
policy drop;
|
||||
}
|
||||
chain OUTPUT {
|
||||
type filter hook output priority 0;
|
||||
policy accept;
|
||||
}
|
||||
}
|
||||
table ip6 filter {
|
||||
chain INPUT {
|
||||
type filter hook input priority 0;
|
||||
policy drop;
|
||||
|
||||
|
||||
# allow already established connections (e.g. initiated by this host)
|
||||
ct state related,established accept
|
||||
|
||||
# allow ICMPv6
|
||||
ip6 nexthdr icmpv6 accept
|
||||
|
||||
# allow anything on localhost
|
||||
iifname "lo" accept
|
||||
}
|
||||
chain FORWARD {
|
||||
type filter hook forward priority 0;
|
||||
policy drop;
|
||||
}
|
||||
chain OUTPUT {
|
||||
type filter hook output priority 0;
|
||||
policy accept;
|
||||
}
|
||||
}
|
@ -0,0 +1,2 @@
|
||||
PasswordAuthentication no
|
||||
PermitRootLogin no
|
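Review bot: `PasswordAuthentication no` does not by itself stop password prompts delivered through PAM keyboard-interactive, so add `KbdInteractiveAuthentication no` to this file as well; Debian's shipped sshd_config sets it by default, but stating it here keeps the intent explicit if that default ever changes. sshd uses the first value it reads for each keyword, so if this is a drop-in under sshd_config.d its file name has to sort before any other drop-in (cloud images commonly ship one) that sets these keywords, otherwise the other file wins silently. A header comment naming the purpose of the file and that ordering constraint would help.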
@ -0,0 +1,7 @@
|
||||
# https://docs.k3s.io/security/hardening-guide?_highlight=sysctl#ensure-protect-kernel-defaults-is-set
|
||||
|
||||
vm.panic_on_oom=0
|
||||
vm.overcommit_memory=1
|
||||
kernel.panic=10
|
||||
kernel.panic_on_oops=1
|
||||
kernel.keys.root_maxbytes=25000000
|
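Review bot: The file sets `kernel.keys.root_maxbytes=25000000` but not its companion `kernel.keys.root_maxkeys`; as far as I recall, kubelet's `--protect-kernel-defaults` check expects both, with `kernel.keys.root_maxkeys=1000000`, so if the kubelet refuses to start after this change that missing line is the first thing to check. `kernel.panic_on_oops=1` together with `kernel.panic=10` reboots the host ten seconds after any oops, which trades forensic state for availability; it is what the linked guide asks for, but a one-line comment saying so, and noting that kdump or persistent journald is needed if crash evidence matters, would make the choice visible.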
Binary file not shown.
@ -0,0 +1 @@
|
||||
/dev/nvme0n1p2
|
@ -0,0 +1 @@
|
||||
/dev/nvme0n1p3
|
@ -0,0 +1,113 @@
|
||||
#!/bin/bash -e
|
||||
|
||||
default_routev4=$(ip route list | grep -F 'default')
|
||||
|
||||
interface=$(echo "$default_routev4" | perl -pe 's#^.* dev (\w+) .*$#$1#')
|
||||
macaddress=$(ip address show dev "$interface" | grep -F 'link/ether' | perl -pe 's#^.*link/ether ([a-z0-9:]*) brd .+$#$1#')
|
||||
|
||||
addresses=$(ip address show dev "$interface" scope global)
|
||||
|
||||
gatewayv4=$(echo "$default_routev4" | perl -pe 's#^.* via ([\d.]+) .*$#$1#')
|
||||
addressv4=$(echo "$addresses" | grep -F 'inet ' | perl -pe 's#^.* inet ([\d.]+).*#$1#')
|
||||
|
||||
addressv6=$(echo "$addresses" | grep -F 'inet6 ' | perl -pe 's#^.* inet6 ([a-z0-9:]+)::[a-z0-9]+.*$#$1#')
|
||||
|
||||
|
||||
echo "[Match]
|
||||
MACAddress=${macaddress}
|
||||
Type=ether
|
||||
|
||||
[Network]
|
||||
Gateway=fe80::1
|
||||
Gateway=${gatewayv4}
|
||||
|
||||
[Address]
|
||||
Address=${addressv6}::1337/64
|
||||
|
||||
[Address]
|
||||
Address=${addressv4}/32
|
||||
Peer=${gatewayv4}/32
|
||||
|
||||
[Network]
|
||||
VLAN=ingress
|
||||
VLAN=kubernetes" > "/etc/systemd/network/egress.network"
|
||||
|
||||
echo "[NetDev]
|
||||
Name=ingress
|
||||
Kind=vlan
|
||||
MTUBytes=1400
|
||||
|
||||
[VLAN]
|
||||
Id=4000" > "/etc/systemd/network/ingress.netdev"
|
||||
|
||||
echo "[Match]
|
||||
Name=ingress
|
||||
|
||||
[Network]
|
||||
Description=\"ingress\"
|
||||
|
||||
[Route]
|
||||
Gateway=2a01:4f8:fff0:a5::1
|
||||
Table=4000
|
||||
|
||||
[Route]
|
||||
Gateway=157.90.103.81
|
||||
Table=4000
|
||||
|
||||
|
||||
[RoutingPolicyRule]
|
||||
From=2a01:4f8:fff0:a5::/64
|
||||
To=fd00:42::/31
|
||||
Priority=1000
|
||||
|
||||
[RoutingPolicyRule]
|
||||
From=157.90.103.80/28
|
||||
To=10.42.0.0/15
|
||||
Priority=1000
|
||||
|
||||
[RoutingPolicyRule]
|
||||
To=2a01:4f8:fff0:a5::/64
|
||||
From=fd00:42::/31
|
||||
Priority=1000
|
||||
|
||||
[RoutingPolicyRule]
|
||||
To=157.90.103.80/28
|
||||
From=10.42.0.0/15
|
||||
Priority=1000
|
||||
|
||||
|
||||
[RoutingPolicyRule]
|
||||
From=2a01:4f8:fff0:a5::/64
|
||||
Table=4000
|
||||
Priority=1100
|
||||
|
||||
[RoutingPolicyRule]
|
||||
From=157.90.103.80/28
|
||||
Table=4000
|
||||
Priority=1100
|
||||
|
||||
[RoutingPolicyRule]
|
||||
To=2a01:4f8:fff0:a5::/64
|
||||
Table=4000
|
||||
Priority=1100
|
||||
|
||||
[RoutingPolicyRule]
|
||||
To=157.90.103.80/28
|
||||
Table=4000
|
||||
Priority=1100" > "/etc/systemd/network/ingress.network"
|
||||
|
||||
echo "[NetDev]
|
||||
Name=kubernetes
|
||||
Kind=vlan
|
||||
MTUBytes=1400
|
||||
|
||||
[VLAN]
|
||||
Id=4010" > "/etc/systemd/network/kubernetes.netdev"
|
||||
|
||||
echo "[Match]
|
||||
Name=kubernetes
|
||||
|
||||
[Network]
|
||||
Description=\"kubernetes\"
|
||||
Address=10.73.19.fixme/24
|
||||
Address=fdad:73ce:19db::fixme/48" > "/etc/systemd/network/kubernetes.network"
|
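Review bot: Every value the script derives is produced by `perl -pe` substitutions that pass a non-matching line through unchanged, and `grep -F 'default'` returns one line per default route, so when discovery fails or is ambiguous the raw `ip` output is written into the systemd-networkd unit files without any error; the script also ends by writing the literal `fixme` from `Address=10.73.19.fixme/24` and `Address=fdad:73ce:19db::fixme/48` into kubernetes.network, which networkd will reject. Validate each derived value before the first `echo` and make the per-node host part a required variable instead of a placeholder, as sketched below. `#!/bin/bash -e` loses `-e` when the script is run as `bash script`, so put `set -euo pipefail` in the body. The gateway and prefix values hard-coded in ingress.network (`2a01:4f8:fff0:a5::1`, `157.90.103.81`, `157.90.103.80/28`) are derived from `ip` for egress.network but not here; presumably they are site constants, and the `%...%` template tokens used elsewhere in this compare would keep them out of the script.

```shell
#!/bin/bash
set -euo pipefail
# … unchanged: discovery of default_routev4, interface, macaddress, addresses, gatewayv4, addressv4, addressv6 …

# The perl substitutions leave a non-matching line untouched, so check every
# derived value before it is written into a networkd unit.
check() {
  local name=$1 value=$2 pattern=$3
  [[ "$value" =~ $pattern ]] || {
    printf 'could not determine %s (got %q)\n' "$name" "$value" >&2
    exit 1
  }
}
check interface  "$interface"  '^[[:alnum:]._-]+$'
check macaddress "$macaddress" '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
check gatewayv4  "$gatewayv4"  '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
check addressv4  "$addressv4"  '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
check addressv6  "$addressv6"  '^[0-9a-f:]+$'

# Per-node host part of the kubernetes VLAN addresses (replaces the literal
# "fixme"); abort early instead of writing an address networkd rejects.
: "${node_id:?set node_id to the per-node host part of the kubernetes VLAN addresses}"
# … unchanged: echo blocks for egress.network, ingress.netdev, ingress.network, kubernetes.netdev …
Address=10.73.19.${node_id}/24
Address=fdad:73ce:19db::${node_id}/48" > "/etc/systemd/network/kubernetes.network"
```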
@ -0,0 +1,22 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
|
||||
# / 1020GB
|
||||
# /boot 1GB
|
||||
# /boot/efi 1GB
|
||||
# free 0GB
|
||||
|
||||
parted -- /dev/nvme0n1 mklabel msdos
|
||||
parted -- /dev/nvme0n1 mkpart primary 1 1020GB
|
||||
parted -- /dev/nvme0n1 mkpart primary 1020GB 1022GB
|
||||
parted -- /dev/nvme0n1 mkpart primary 1022GB 1024GB
|
||||
# set flag for ESP
|
||||
parted -- /dev/nvme0n1 set 3 boot on
|
||||
|
||||
parted -- /dev/nvme1n1 mklabel gpt
|
||||
parted -- /dev/nvme1n1 mkpart primary 1 -1
|
||||
parted -- /dev/nvme2n1 mklabel gpt
|
||||
parted -- /dev/nvme2n1 mkpart primary 1 -1
|
||||
|
||||
sleep 1
|
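Review bot: None of the `parted` invocations pass `-s` (`--script`), so any warning parted raises while partitioning, such as an alignment warning or an existing signature, becomes an interactive Ignore/Cancel prompt that hangs or aborts an unattended install; add `-s` to each call. On an msdos label `set 3 boot on` only sets the active flag, which does not match the `# set flag for ESP` comment; marking the partition as an EFI System Partition (type 0xEF) is `parted -s -- /dev/nvme0n1 set 3 esp on` in parted releases that know the `esp` flag, so confirm against the installed version or adjust the comment. Replace the trailing `sleep 1` with `udevadm settle`, which waits until the new partition device nodes actually exist rather than guessing a delay. A header comment stating that the script is destructive to the three named NVMe devices would be worth adding.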
@ -0,0 +1 @@
|
||||
/dev/nvme0n1p1
|
@ -0,0 +1 @@
|
||||
/dev/md1
|
@ -0,0 +1 @@
|
||||
/dev/md0
|
@ -1,6 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
for device in /dev/md* /dev/nvme* /dev/sd* /dev/vd*; do
|
||||
dd if=/dev/zero of=$device bs=10M count=100
|
||||
dd if=/dev/zero of=$device bs=10M count=10 &
|
||||
done
|
||||
sync
|
||||
|
||||
wait
|
||||
|
||||
sync
|
||||
|
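Review bot: `of=$device` in the backgrounded dd line is unquoted (ShellCheck SC2086), and the loop also runs when a glob matches nothing, passing the literal `/dev/vd*` to dd, while `/dev/nvme*` additionally matches the controller character devices such as `/dev/nvme0`; write `of="$device"` and start the loop body with `[[ -b "$device" ]] || continue`. Zeroing the first 100 MB removes the partition table, LUKS header and MD superblocks stored at the start of a device, but not the backup GPT header or a version-1.0 MD superblock at the end, so a later `parted mklabel` can still meet stale metadata; `wipefs -a` per device, or `blkdiscard` on the NVMe drives (with `--secure` where the drive supports it, if the intent is sanitisation rather than a reset), covers the whole device. A comment stating which of those two goals this script serves would settle that. Which of the two dd lines is the new one is not recoverable from this rendering; the points apply to whichever survives.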