Posts on Blade Server - A Homelabber's Blog

How I set up ZFS replication backups in TrueNAS Scale

Sat, 10 Feb 2024 14:58:56 -0500

How I set up ZFS replication backups in TrueNAS Scale

When I set out to configure my ZFS replication backups, I knew that I wanted 2 things:

I wanted to do my replications with an unprivileged user.
I wanted the backups to be pulled from the backup server from the primary.

The benefits of using a user without root privileges are obvious, but the benefits of a pull backup may be less so.

Backing up with a pull instead of a push means that your production machine, which by definition has to be less secure than the backup, has no access to the backup server.

So, if somehow your production machine gets compromised - the attacker has no way of accessing the backup server, and possibly taking those hostage too!

Of course, you should make sure that you take steps to lock down your backup server.

Make sure that SSH login only accepts public key authentication, instead of passwords.
Goes without saying that your production machine should not have the the private key for this.
Set up firewall rules to prevent anything from connecting to the machine that isn’t supposed to. You probably want to poke holes for DNS resolution, and let the server get out to the internet for updates, but apart from that and a hole for your monitoring solution, the backup server should be totally isolated from everything else on your network!

Step 1: Create your user accounts.

You need to create a user on each side. On the sending side, or in other words, your production server, you’ll need to add an SSH authorized key, and enable a home directory. I recommend disabling password login entirely, and disabling samba authentication. You won’t be using this user for anything but the backups.

Create another user on the backup server. I recommend matching usernames, just for clarity, but it’s not 100% necessary.

Step 2: Assign privileges.

In order to let this user account run zfs commands without root, you’ll need to drop to the shell. There are options in the TrueNAS web UI for allowing certain sudo commands without a password, but it’s better to do this on the command line, as it gives you more control over what specific rights your user has.

On the receiving side, your user needs the receive, create, and mount privileges.

zfs allow pirate receive,create,mount pool

On the sending side, your user needs the send and hold privileges.

zfs allow pirate send,hold pool

Step 3: Create your backup credentials in TrueNAS.

Head back to the TrueNAS web UI and click on Credentials —> Backup Credentials. You want to add a new SSH connection.

Choose manual as your setup method.

Fill in as below.

Step 4: Create your ZFS replication task.

In the TrueNAS web UI, go to Data Protection and expand Replication Tasks.

You’ll want to choose your “SSH Connection” first. Pick the one that you created in Step 3.

Next, choose your source location. You’ll want to pick “On a different system”, then choose the dataset or pool you want to replicate below.

Do the same for your destination, which should be on a local ZFS pool.

If you want to copy child datasets, make sure you check off “Recursive”. In my case, this dataset doesn’t have any children, so I left it unchecked.

If at any point you get the below prompt - make sure you click “Cancel”. You’ll need to hit Cancel twice. We don’t need sudo, since we manually allowed our user account to run the needed zfs commands using zfs allow.

Click Next when you’re ready. Choose a schedule. I chose “Daily”, as it’s not a big deal for this dataset if I lose a single day.

And there you have it. You now have a much more secure method of replicating your data from one ZFS pool to another.

Some additional notes.

Remember that you’ll need to have some snapshots on the source system for this to work. ZFS replication works based off of snapshots, because they are a consistent, immutable reference at a point in time. I recommend setting up automatic snapshot tasks for the datasets you want to back up.
Once you’ve completed the initial replication job, any subsequent jobs will be incrementals - as long as you have a common snapshot between the two hosts.

Setting up a Wireguard VPN server on Ubuntu 22.04

Tue, 27 Jun 2023 14:39:45 -0400

I recently went through the process of setting up my own Wireguard VPN server up in a cloud server.

You can do this on any Ubuntu server with internet access, as long as you have the ability to open ports on the firewall, but I do recommend setting this up at a cloud hosting provider such as Linode or Digital Ocean.

The lowest tier of server will do - Wireguard is a pretty light VPN to run. I’m using a Linode “Nanode” plan, which is one shared CPU core and 2GB of RAM. Plenty enough for our purposes.

I won’t go over how to create the server and connect to it over SSH, as there are plenty of guides on that topic already. Come back when you’re logged into the server over SSH.

1. First things first - updates!

sudo apt update && sudo apt dist-upgrade

You can reboot at this step, or wait, since we’ll need to reboot in a minute anyway.

2. Edit `/etc/sysctl.conf` and enable ipv4 forwarding

This is needed for Wireguard to be able to pass the traffic on and act as an intermediary between you and the sites you’re trying to route to through the VPN.

sudo vim /etc/sysctl.conf or sudo nano /etc/sysctl.conf
Uncomment the line that says net.ipv4.ip_forward=1
Reboot if you have pending kernel updates or run sysctl -p

3. Allow port for the Wireguard server in your firewall of choice

Once your server is up, log back in. Now we’ll need to open the port that Wireguard will be listening on.

I use port 444 but the default is 51820.

You can use either one - 444 is in the well-known ports range, but it’s for a pager service that I hadn’t heard of until I googled it. I think I’m safe.

Here’s how to open the port with iptables:

sudo iptables -I INPUT 1 -p udp --dport 444 -j ACCEPT

Install the iptables-persistent package to make the rule survive reboots.

sudo apt install iptables-persistent

Save your rules. (You’ll need to redo this every time you make a change to your iptables rules.)

netfilter-persistent save

Here’s how to do the same thing with ufw:

sudo ufw allow 444

Remember that if you have an upstream firewall (i.e. your router at home - you’ll need to forward the ports there too!

4. Generate the keys for the Wireguard server.

cd /etc/wireguard
sudo wg genkey | tee privatekey | wg pubkey > publickey

This will generate 2 files in /etc/wireguard.

You can check their contents by running the cat command.

cat /etc/wireguard/privatekey

cat /etc/wireguard/publickey

Remember to keep your private key private. It’s like a password.

Keep these handy, we’ll need them for the next part.

5. Create config file for the server.

Pick an address range for your wireguard tunnel. It should be a private IP address range, but it can be anything you want.

I chose 10.200.0.0/24.

I’ve provided an example configuration below.

Open /etc/wireguard/wg0.conf with your favorite editor and paste it in.

Remember to enter the private key you generated here earlier, and watch out for trailing whitespaces on the end of the key!

Example server config:

[Interface]  
Address = 10.200.0.1/24  
SaveConfig = true  
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT  
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT  
ListenPort = 444  
PrivateKey = privatekeyhere

6. Bring up the Wireguard tunnel

wg-quick up wg0

7. Create client config

On mobile and windows generally the private and public keys will be created for you. On Linux, just re-run the same commands you used to generate your server keys.

For cleanliness you can create a /etc/wireguard/clients subdirectory to hold all of your keys.

Example Client config:

[Interface]
PrivateKey = clientprivatekey
Address = 10.200.0.2/24
DNS = 9.9.9.9    

[Peer]
PublicKey = serverpublickey
AllowedIPs = 0.0.0.0/0 #can change this depending on if you want full tunnel or split tunnel.
Endpoint = public-ip-of-server:444

For the Endpoint field you can either use the public IP of the server, or a DNS name that you’ve created for it. Remember to specify the port.

For the PublicKey field - this is the public key that you generated earlier on the server.

For DNS it can be any DNS server you like. I usually set my Pi-Hole servers at home as my DNS on the tunnel to provide adblocking. For this example, I’ve just set it to use Quad9.

For AllowedIPs - set this to 0.0.0.0/0 only if you want to route all traffic through the VPN tunnel. If you only want to use this as a remote access VPN, then leave it as only the Wireguard subnet.

AllowedIPs = 10.200.0.0/24

8. Configure the server to bring up wireguard’s interface on boot

On the server, set the tunnel to come up automatically after a reboot.

systemctl enable wg-quick@wg0

9. Add your new wireguard peer

Now it’s time to add the client that you set up as a peer.

Wireguard uses public and private key pairs to authenticate peers, so you’ll need the public key of your chosen client to enter below.

wg set wg0 peer publickeyhere allowed-ips 10.200.0.2

Once you have this set, it’s a good idea to restart wireguard to make sure it knows about the new peer.

sudo wg-quick down wg0

sudo wg-quick up wg0

Now, you should be able to see it handshake.

sudo wg show

If you don’t see a handshake happening - try sending some traffic across the tunnel.

ping 10.200.0.2

That should be it! If you set this up as a full tunnel, try going to a site such as dnsleaktest.com and make sure it shows the IP of the wireguard server rather than your actual public IP.

If you set it up as a split tunnel, see if you can access resources on the other side of the tunnel.

10. OPTIONAL - set up your router as a Wireguard peer!

If you’d like to use your wireguard server to route traffic back to your local network, it’s pretty simple to do so with firewalls like PfSense and OpnSense, that have Wireguard support baked in.

I’m using OpnSense, so I’ll provide those steps here.

Steps for setting up opnsense as a client

Install the os-wireguard-go plugin. You can find it under System > Firmware > Plugins.
Enable wireguard. VPN > Wireguard.
Configure the remote server as an Endpoint. The PSK field is optional for more security and can be left blank. Enter a name, the public key for your wireguard server, and the endpoint address and port.
Configure the “Local” server. Generate key pairs for it, pick an IP in your Wireguard subnet. Add the remote endpoint as a peer. wg set wg0 peer publickeyhere allowed-ips 10.200.0.3

Next we’ll need to add routes to tell Wireguard where to find your local subnets.

Adding routes

In the wireguard server config (/etc/wireguard/wg0.conf in this case):

Add each subnet you want to go through the VPN tunnel to the allowed IP list for that peer.

Example

[Interface]
Address = 10.200.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D FORWARD -o %i -j ACCEPT
ListenPort = 444
PrivateKey = privatekeyhere 

#config for opnsense peer
[Peer]
PublicKey = publickeyhere 
AllowedIPs = 10.200.0.3/32, 192.168.1.0/24 #192.168.1.0/24 being a subnet on the local network for this peer.

Test it out! If you’re not using the full tunnel option on your client (0.0.0.0/0 for AllowedIPs) you’ll need to add the local subnet to your allowed IPs list there, too.

Shut down your laptop automatically when clamshelled using systemd

Fri, 23 Jun 2023 21:11:41 -0400

Set laptop to shut down automatically on lid close in Linux

This applies specifically to Linux systems running systemd - though that covers most distros currently available. I’m doing this on Ubuntu 23.04.

Some background - I currently work at a very small MSP in New York State as general IT tech / system admin / network engineer / floor polisher. As a part of my job I’m constantly in and out from different job sites, often requiring the use of my laptop.

I constantly run into the issue, as I’m sure many of you have, of my laptop simply having a dead or nearly dead battery after pulling it out of my go bag.

Frustratingly, most if not all manufacturers in recent years have not properly implemented sleep functionality, resulting in more battery drain while suspended.

I decided to look into how I could fix this problem by having my laptop automatically shut down when I clamshell it.

Unfortunately, GNOME as of time of writing does not have power management features built in to accomplish this task, so we must venture into the terminal.

To accomplish this task, we will be overriding the systemd-logind service configuration file /etc/logind.conf. You could also edit the file directly, but it’s better practice to use an override, so that an update does not erase your changes by overwriting the file.

Create a new file using your text editor choice called `/usr/lib/systemd/logind.conf.d/overrides.conf`

`sudo vim /usr/lib/systemd/logind.conf.d/overrides.conf`

Edit the file to contain these lines. The second line is optional.

HandleLidSwitch=poweroff
HandleLidSwitchExternalPower=ignore

Restart systemd-logind.service.

Note that the following will log you out!

sudo systemctl restart systemd-logind

Try it out

Log back in and clamshell your laptop. Did it shut down?

Troubleshooting

If, like me, you run into problems where your laptop is not following the behavior that you set, here are some basic troubleshooting steps.

Check for syntax errors. These files are case sensitive, did you spell things correct, do you have the correct case?
And the one that I personally ran up against - other programs inhibiting handle-lid-switch.
- Run systemd-inhibit --list. Look for any programs listing What as handle-lid-switch or something similar to it.
- In my case, it was GNOME tweaks. I had set a preference in earlier attempts to resolve this problem to not suspend when clamshelling the laptop, and it was taking priority over my settings for systemd-logind.

Geoip Blocking in Ubuntu 22.04 using iptables

Mon, 10 Apr 2023 20:55:05 -0400

Blocking connections based on geolocation in Ubuntu 22.04, using iptables and xtables-addons

Steps:

First note: all of these steps assume you’re logged in as root. Make sure you give it the ‘ol sudo su if you’re not already root.

1. First, update your system.

apt-get update && apt-get upgrade

2. Now install some dependencies.

apt-get install libxtables-dev xtables-addons-common libtext-csv-xs-perl pkg-config

Note: on older versions of Ubuntu, substitute libxtables-dev for iptables-dev.

3. Download xtables addon, untar and configure. Replace

Get the latest version of the xtables-addons package from here https://inai.de/files/xtables-addons/

wget https://inai.de/files/xtables-addons/xtables-addons-3.23.tar.xz
tar xf xtables-addons-3.23.tar.xz
cd xtables-addons-3.23
./configure
make
make install

4. Download and build DB-IP definitions.

cd geoip
./xt_geoip_dl
mkdir /usr/share/xt_geoip
./xt_geoip_build -D /usr/share/xt_geoip *.csv

Okay, we’re ready to use the geoip matching in iptables.

5. Allow or deny traffic based on geolocation!

My favorite way to do this is to have the default DENY policy for the INPUT chain be DROP, and whitelist only the countries I want to be able to access my servers. In my case, the US.

Add a command at the top of your INPUT chain to allow responses from outgoing connections. (only required if you want to set your default policy to DROP)

This is because when you set the default policy to DROP, even the responses from outgoing connections that YOU made will get dropped.

iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I’d make sure you set a rule to allow your ssh connection before changing the default policy (to avoid getting kicked out and not being able to get back in.)

iptables -I INPUT -p tcp --dport 22 -m geoip --src-cc US -j ACCEPT

Set the default policy

iptables --policy INPUT DROP

6. Install the iptables-persistent package to make your iptables rules survive reboots.

sudo apt install iptables-persistent

Don’t forget that if you make a change later on, you’ll need to save again!

netfilter-persistent save

How to install an Ubuntu based OS on the Framework Laptop

Thu, 23 Feb 2023 22:15:57 -0500

How to configure Framework laptop for Ubuntu based OS

Created: 2023-02-23 21:57

The below is stolen from the official guide provided by framework on their website - cited below.

# This is for 12th Gen ONLY.

# Copy the entire text block below, paste into the terminal, press enter and type your

user's password as prompted.

# This will:

# - Update your Ubuntu install's packages.

# - Install the recommended OEM kernel.

# - Workaround needed to get the best suspend battery life for SSD power drain.

# - Disable the ALS sensor so that your brightness keys work.

# - Enable improved fractional scaling support for Ubuntu's GNOME environment using Wayland.

# - Enable headset mic input.

## *****COPY AND PASTE THIS CODE BELOW*****

sudo apt update && sudo apt upgrade -y && sudo apt-get install linux-oem-22.04 && echo "options snd-hda-intel model=dell-headset-multi" | sudo tee -a /etc/modprobe.d/alsa-base.conf && gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']" && sudo sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT.*/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash module_blacklist=hid_sensor_hub nvme.noacpi=1"/g' /etc/default/grub && sudo update-grub &&

echo "[connection]" | sudo tee /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf && echo "wifi.powersave = 2" | sudo tee -a /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf

## *****COPY AND PASTE THIS CODE ABOVE*****

## then press enter key, password, reboot.

# If you would rather enter the commands individually instead:

## Updating packages.

sudo apt update && sudo apt upgrade -y

## Install the recommended OEM kernel.

sudo apt install linux-oem-22.04

## Enable headset mic input.

echo "options snd-hda-intel model=dell-headset-multi" | sudo tee -a /etc/modprobe.d/alsa-base.conf

## Enable improved fractional scaling support for Ubuntu's GNOME environment using Wayland.

gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"

## Disable the ALS sensor so that your brightness keys work, 12th gen only.

sudo gedit /etc/default/grub

## Append the following to the GRUB_CMDLINE_LINUX_DEFAULT="quiet splash section.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash module_blacklist=hid_sensor_hub"

## Workaround needed to get the best suspend battery life for SSD power drain.

sudo gedit /etc/default/grub

## Append the following to the GRUB_CMDLINE_LINUX_DEFAULT="quiet splash section.

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nvme.noacpi=1"

# Sudo with your fingerprints.

## To run sudo in a terminal with the fingerprint reader, you need to run this command in a terminal and follow the prompts.

sudo pam-auth-update

## Also, if you've previously enrolled fingerprints in Windows or another Linux distro, you may find that fingerprint enrollment errors until you manually force clear the stored fingerprints.

https://knowledgebase.frame.work/en_us/fingerprint-enrollment-rkG6YP7xF

## Additional ways to extend battery life can be found at this link: https://community.frame.work/t/linux-battery-life-tuning/6665.

For distros other than Ubuntu you may also need to disable panel screen refresh

Only use this if you run into freezing / stuttering issues. I ran into this on Pop_OS 22.04 specifically.

sudo kernelstub -o "i915.enable_psr=0"

Links

https://guides.frame.work/Guide/Ubuntu+22.04+LTS+Installation+on+the+Framework+Laptop/109

https://www.reddit.com/r/framework/comments/10zeoyu/anyone_experiencing_random_freezing_on_pop_os_2204/

How to install Graylog 5.0 on Debian 11 (single node)

Tue, 17 Jan 2023 23:00:46 -0500

This was tested on 1/17/2023 on Debian 11 and Graylog 5.0 Using OpenSearch instead of ElasticSearch which is deprecated now. This is for a single node… multiple nodes is something that I have yet to look into.

Install prerequisites

MongoDB

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv f5679a222c647c87527c2f8cb00a0bd1e2c63c11
echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/5.0 multiverse" |
sudo tee /etc/apt/sources.list.d/mongodb-org-5.x.list
sudo apt-get update
sudo apt-get install -y mongodb-org

Enable MongoDB on system startup

sudo systemctl daemon-reload
sudo systemctl enable mongod.service
sudo systemctl restart mongod.service
sudo systemctl --type=service --state=active | grep mongod

OpenSearch

wget https://artifacts.opensearch.org/releases/bundle/opensearch/1.3.4/opensearch-1.3.4-linux-x64.tar.gz

Disable memory paging and swapping to improve performance.

sudo swapoff -a

Increase the number of memory maps available to OpenSearch.

# Edit the sysctl config file
sudo vi /etc/sysctl.conf

# Add a line to define the desired value
# or change the value if the key exists,
# and then save your changes.
vm.max_map_count=262144

# Reload the kernel parameters using sysctl
sudo sysctl -p

# Verify that the change was applied by checking the value
cat /proc/sys/vm/max_map_count

Create OpenSearch User

sudo adduser --system --disabled-password --disabled-login --home /var/empty --no-create-home --quiet --force-badname --group opensearch

Create directories and extract the OpenSearch archive you downloaded earlier

sudo mkdir -p /graylog/opensearch/data
sudo mkdir /var/log/opensearch

tar -xzvf opensearch-1.3.4-linux-x64.tar.gz
sudo mv opensearch-1.3.4/* /graylog/opensearch


#Set Permissions
sudo chown -R opensearch:opensearch /graylog/opensearch/
sudo chown -R opensearch:opensearch /var/log/opensearch
sudo chmod -R 2750 /graylog/opensearch/
sudo chmod -R 2750 /var/log/opensearch

#Create empty log file
sudo -u opensearch touch /var/log/opensearch/graylog.log

Create a system service for opensearch


sudo su

cat > /etc/systemd/system/opensearch.service <<EOF
[Unit]
Description=Opensearch
Documentation=https://opensearch.org/docs/latest
Requires=network.target remote-fs.target
After=network.target remote-fs.target
ConditionPathExists=/graylog/opensearch
ConditionPathExists=/graylog/opensearch/data
[Service]
Environment=OPENSEARCH_HOME=/graylog/opensearch
Environment=OPENSEARCH_PATH_CONF=/graylog/opensearch/config
ReadWritePaths=/var/log/opensearch
User=opensearch
Group=opensearch
WorkingDirectory=/graylog/opensearch
ExecStart=/graylog/opensearch/bin/opensearch
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target
EOF

Create opensearch configuration file

nano /graylog/opensearch/config/opensearch.yml

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /graylog/opensearch/data
path.logs: /var/log/opensearch
network.host: ${HOSTNAME}
discovery.seed_hosts: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
cluster.initial_master_nodes: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
action.auto_create_index: false
plugins.security.disabled: true

Enable OpenSearch system service

sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service

Install Graylog

wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

Generate a password secret and a root password.o

Keep these handy as we’ll use them in the next step.

Password Secret

mkpassword -m sha-512 <password>

root password

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

Edit the configuration file for Graylog

Enter the password secret and the root password into the relevant fields /etc/graylog/server/server.conf

Change the http_bind_address to the ip address or domain name of the server.

Enable Graylog to run at startup.

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog

Connect to Graylog web interface

<ip-address>:9000

Posts on Blade Server - A Homelabber's Blog

How I set up ZFS replication backups in TrueNAS Scale

How I set up ZFS replication backups in TrueNAS Scale

Step 1: Create your user accounts.

Step 2: Assign privileges.

Step 3: Create your backup credentials in TrueNAS.

Step 4: Create your ZFS replication task.

Some additional notes.

Setting up a Wireguard VPN server on Ubuntu 22.04

1. First things first - updates!

2. Edit /etc/sysctl.conf and enable ipv4 forwarding

3. Allow port for the Wireguard server in your firewall of choice

4. Generate the keys for the Wireguard server.

5. Create config file for the server.

6. Bring up the Wireguard tunnel

7. Create client config

8. Configure the server to bring up wireguard’s interface on boot

9. Add your new wireguard peer

10. OPTIONAL - set up your router as a Wireguard peer!

Adding routes

Shut down your laptop automatically when clamshelled using systemd

Set laptop to shut down automatically on lid close in Linux

Create a new file using your text editor choice called /usr/lib/systemd/logind.conf.d/overrides.conf

Edit the file to contain these lines. The second line is optional.

Restart systemd-logind.service.

Try it out

Troubleshooting

Geoip Blocking in Ubuntu 22.04 using iptables

Blocking connections based on geolocation in Ubuntu 22.04, using iptables and xtables-addons

Steps:

1. First, update your system.

2. Now install some dependencies.

3. Download xtables addon, untar and configure. Replace

4. Download and build DB-IP definitions.

5. Allow or deny traffic based on geolocation!

6. Install the iptables-persistent package to make your iptables rules survive reboots.

How to install an Ubuntu based OS on the Framework Laptop

How to configure Framework laptop for Ubuntu based OS

For distros other than Ubuntu you may also need to disable panel screen refresh

Links

How to install Graylog 5.0 on Debian 11 (single node)

Install prerequisites

MongoDB

Enable MongoDB on system startup

OpenSearch

Create OpenSearch User

Create directories and extract the OpenSearch archive you downloaded earlier

Create a system service for opensearch

Create opensearch configuration file

Enable OpenSearch system service

Install Graylog

Generate a password secret and a root password.o

Password Secret

root password

Edit the configuration file for Graylog

Enable Graylog to run at startup.

Connect to Graylog web interface

2. Edit `/etc/sysctl.conf` and enable ipv4 forwarding

Create a new file using your text editor choice called `/usr/lib/systemd/logind.conf.d/overrides.conf`