Project-Insanity

Site Tools

Trace: stssonstiges dbcodes zerver
Writing /var/lib/dokuwiki/wiki.project-insanity.org/data/meta/picloud.meta failed
picloud

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

picloud [2020/11/10 11:07] – old revision restored (2020/05/17 14:29) 2a01:4f8:191:41f1::2picloud [2021/10/31 10:42] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +==== tp-link router ====
 +<file - /etc/rc.local>
 +[...]
 +sleep 5
 +/etc/init.d/p910nd restart
 +exit 0
 +</file>
 +<file - /etc/firewall.user>
 +iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
 +iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 +iptables -A FORWARD -i net0 -o wlan0 -j ACCEPT
 +iptables -I FORWARD -o br-lan -d 192.168.1.2 -j ACCEPT
 +iptables -t nat -I PREROUTING -p tcp --dport 8096 -j DNAT --to 192.168.1.2:8096
 +iptables -t nat -A OUTPUT -p tcp --dport 8096 -j DNAT --to 192.168.1.2:8096
 +iptables -t nat -I PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22
 +iptables -t nat -A OUTPUT -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22
 +</file>
 +==== armstone a9 ====
 +<file - /etc/systemd/system/secure-tunnel@.service>
 +[Unit]
 +Description=Setup a secure tunnel to %I
 +After=network.target
  
 +[Service]
 +User=picloud
 +Environment="LOCAL_ADDR=localhost"
 +EnvironmentFile=/etc/default/secure-tunnel@%i
 +ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -l ${REMOTE_USER} -i ${KEY_FILE} -R ${REMOTE_ADDR}:${REMOTE_PORT}:${LOCAL_ADDR}:${LOCAL_PORT} ${TARGET}
 +
 +# Restart every >2 seconds to avoid StartLimitInterval failure
 +RestartSec=30
 +Restart=always
 +
 +[Install]
 +WantedBy=multi-user.target
 +</file>
 +<file - /etc/default/secure-tunnel@jellyfin>
 +TARGET=144.76.16.40
 +LOCAL_ADDR=localhost
 +LOCAL_PORT=8096
 +REMOTE_ADDR=0.0.0.0
 +REMOTE_PORT=8096
 +REMOTE_USER=onny
 +KEYFILE=/home/picloud/.ssh/id_rsa
 +</file>
 +<file - /etc/default/secure-tunnel@ssh>
 +TARGET=144.76.16.40
 +LOCAL_ADDR=localhost
 +LOCAL_PORT=22
 +REMOTE_ADDR=0.0.0.0
 +REMOTE_PORT=2222
 +REMOTE_USER=onny
 +KEYFILE=/home/picloud/.ssh/id_rsa
 +</file>
 +<code bash>
 +systemctl daemon-reload
 +systemctl enable --now secure-tunnel@ssh secure-tunnel@jellyfin
 +</code>
 +==== rock64 ====
 +  * base image https://github.com/m01/rock64-arch-linux-build/releases
 +  * latest working kernel: linux-aarch-5.0.X http://tardis.tiny-vps.com/aarm/packages/l/linux-aarch64/
 +<code bash>
 +onny@tuxzentrale ~> sudo fdisk -l /dev/mmcblk0
 +GPT PMBR size mismatch (4194303 != 60751871) will be corrected by write.
 +The backup GPT table is not on the end of the device. This problem will be corrected by write.
 +Disk /dev/mmcblk0: 29 GiB, 31104958464 bytes, 60751872 sectors
 +Units: sectors of 1 * 512 = 512 bytes
 +Sector size (logical/physical): 512 bytes / 512 bytes
 +I/O size (minimum/optimal): 512 bytes / 512 bytes
 +Disklabel type: gpt
 +Disk identifier: 8B6BBA4F-80FF-49C5-8990-0762C108723D
 +
 +Device          Start     End Sectors  Size Type
 +/dev/mmcblk0p1     64    8063    8000  3.9M Linux filesystem
 +/dev/mmcblk0p2   8064    8191     128   64K Linux filesystem
 +/dev/mmcblk0p3   8192   16383    8192    4M Linux filesystem
 +/dev/mmcblk0p4  16384   24575    8192    4M Linux filesystem
 +/dev/mmcblk0p5  24576   32767    8192    4M Linux filesystem
 +/dev/mmcblk0p6  32768  262143  229376  112M EFI System
 +/dev/mmcblk0p7 262144 4194176 3932033  1.9G Linux root (ARM-64)
 +</code>
 +  * packages: r128gain, smloadr, jellyfin, samba, caddy, php-fpm, cups, xerox-phaser-6000-6010
 +<code bash>
 +pacman -S cups
 +systemctl enable --now org.cups.cupsd
 +</code>
 +<code bash>
 +pacman -S docker nftables iptables-nft
 +systemctl enable --now docker nftables
 +gpasswd -a picloud docker # put in your username, log out and log in again
 +</code>
 +<file - /etc>
 +{
 +    "experimental": true
 +}
 +</file>
 +<code bash>
 +docker version -f '{{.Server.Experimental}}'
 +# true
 +docker run -it --name archlinux-cupsd --platform linux/amd64 archlinux
 +</code>
 +  * https://wiki.archlinux.org/index.php/Nftables#Working_with_Docker
 +<code bash>
 +docker exec -it #CONTAINERID /bin/bash
 +pacman -Syu cups xerox-phaser-6000-6010
 +cd /tmp
 +wget "https://onny.project-insanity.org/archlinux/xerox-phaser-6000-6010-1.01_20110222-1-x86_64.pkg.tar.zst"
 +pacman -U xerox-phaser-6000-6010-1.01_20110222-1-x86_64.pkg.tar.zst
 +</code>
 +<code bash>
 +docker run \
 +  --entrypoint=/usr/lib/systemd/systemd \
 +  --env container=docker \
 +  --mount type=bind,source=/sys/fs/cgroup,target=/sys/fs/cgroup \
 +  --mount type=bind,source=/sys/fs/fuse,target=/sys/fs/fuse \
 +  --mount type=tmpfs,destination=/tmp \
 +  --mount type=tmpfs,destination=/run \
 +  --mount type=tmpfs,destination=/run/lock \
 +  --unit=sysinit.target \
 +  --name archlinux-cupsd --platform linux/amd64 archlinux
 +</code>
 +  * sources
 +    * https://unix.stackexchange.com/a/499585
 +    * https://docs.docker.com/docker-for-mac/multi-arch/
 +<file - /etc/pacman.conf>
 +[...]
 +[multilib]
 +Include = /etc/pacman.d/mirrorlist
 +</file>
 +  * https://onny.project-insanity.org/lib32-libstdc++5-3.3.6-8-x86_64.pkg.tar.zst
 +  * add pi repo
 +<code bash>
 +docker run \
 +  --env container=docker \
 +  --entrypoint=/usr/lib/systemd/systemd \
 +  --mount type=tmpfs,destination=/tmp \
 +  --mount type=tmpfs,destination=/run \
 +  --mount type=tmpfs,destination=/run/lock \
 +  --mount type=bind,source=/sys/fs/cgroup,target=/sys/fs/cgroup \
 +  --name archlinux-cupsd2 --platform linux/amd64 -it archlinux
 +</code>
 +  * podman non-root https://wiki.archlinux.org/index.php/Linux_Containers#Enable_support_to_run_unprivileged_containers_(optional)
 +  * podman platform support https://github.com/containers/libpod/issues/6244
 +<code bash>
 +DOCKER_CLI_EXPERIMENTAL=enabled docker run -d -p 631:631 --name debian-cupsd --platform linux/i386 debian
 +apt-get update
 +apt-get install cups
 +</code>
 +===== rewrite =====
 +<file - /etc/nftables>
 +[...]
 +table ip nat {
 +        chain prerouting {
 +                type nat hook prerouting priority filter; policy accept
 +
 +                # Forward web traffic to http.pi
 +                ip daddr 192.168.178.4 tcp dport 631 dnat to 172.17.0.2
 +}
 +</file>
 +<code bash>
 +pacman -S nftables iptables-nft docker
 +gpasswd -a picloud docker
 +systemctl restart docker
 +DOCKER_CLI_EXPERIMENTAL=enabled docker run --privileged \
 +                                           -v /etc/avahi/services:/etc/avahi/services \
 +                                           -v /var/run/dbus:/var/run/dbus \
 +                                           -v /dev/bus/usb/:/dev/bus/usb/ \
 +                                           -p 631:631 \
 +                                           -p 5353:5353/udp \
 +                                           -dit \
 +                                           --restart always \
 +                                           --entrypoint /usr/bin/cupsd \
 +                                           --name archlinux-cupsd --platform linux/amd64 archlinux
 +docker exec -it archlinux-cupsd
 +</code>
 +<file - /etc/pacman/pacman.conf>
 +[...]
 +[multilib]
 +Include = /etc/pacman.d/mirrorlist
 +
 +[projectinsanity]
 +SigLevel = PackageOptional
 +Server = https://onny.project-insanity.org/archlinux
 +</file>
 +<code bash>
 +$ pacman -Sy cups ghostscript xerox-phaser-6000-6010
 +$ passwd
 +</code>
 +<file - /etc/cups/cupsd.conf>
 +[...]
 +Listen 0.0.0.0:631
 +[...]
 +# Restrict access to the server...
 +<Location />
 +  Order allow,deny
 +  Allow all
 +</Location>
 +
 +# Restrict access to the admin pages...
 +<Location /admin>
 +  Order allow,deny
 +  Allow all
 +</Location>
 +[...]
 +</file>
 +<code bash>
 +$ lsusb
 +[...]
 +Bus 002 Device 004: ID 413c:5404 Dell 1250c Color Printer
 +[...]
 +$ chown root:cups /dev/bus/usb/002/004
 +$ /usr/bin/cupsd -l
 +</code>
 +  * https://192.168.178.4:631/admin/
 +<file - /etc/avahi/services/airprint.service>
 +<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
 +<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
 +<service-group>
 +  <name>yourPrnterName</name>
 +  <service>
 +    <type>_ipp._tcp</type>
 +    <subtype>_universal._sub._ipp._tcp</subtype>
 +    <port>631</port>
 +    <txt-record>txtver=1</txt-record>
 +    <txt-record>qtotal=1</txt-record>
 +    <txt-record>rp=printers/yourPrnterName</txt-record>
 +    <txt-record>ty=yourPrnterName</txt-record>
 +    <txt-record>adminurl=http://198.168.7.15:631/printers/yourPrnterName</txt-record>
 +    <txt-record>note=Office Laserjet 4100n</txt-record>
 +    <txt-record>priority=0</txt-record>
 +    <txt-record>product=(GPL Ghostscript)</txt-record>
 +    <txt-record>printer-state=3</txt-record>
 +    <txt-record>printer-type=0x801046</txt-record>
 +    <txt-record>Transparent=T</txt-record>
 +    <txt-record>Binary=T</txt-record>
 +    <txt-record>Fax=F</txt-record>
 +    <txt-record>Color=T</txt-record>
 +    <txt-record>Duplex=T</txt-record>
 +    <txt-record>Staple=F</txt-record>
 +    <txt-record>Copies=T</txt-record>
 +    <txt-record>Collate=F</txt-record>
 +    <txt-record>Punch=F</txt-record>
 +    <txt-record>Bind=F</txt-record>
 +    <txt-record>Sort=F</txt-record>
 +    <txt-record>Scan=F</txt-record>
 +    <txt-record>pdl=application/octet-stream,application/pdf,application/postscript,image/jpeg,image/png,image/urf</txt-record>
 +    <txt-record>URF=W8,SRGB24,CP1,RS600</txt-record>
 +  </service>
 +</service-group>
 +</file>
 +  * https://wiki.archlinux.org/index.php/Avahi#AirPrint_from_Mobile_Devices
 +  * Setup on other computers https://superuser.com/a/1235155
 +  * https://192.168.178.4:631/printers/Dell_1250c_Color_Printer
 +  * autostart container
 +<code>
 +udp        0      0 0.0.0.0:37820           0.0.0.0:                          774/avahi-daemon:
 +udp6            0 :::5353                 :::                               774/avahi-daemon:
 +udp6            0 :::5355                 :::                               528/systemd-resolve 
 +udp6            0 :::50900                :::*                                774/avahi-daemon:
 +</code>
 +===== setup =====
 +core
 +<code bash>
 +useradd --uid 1002 picloud
 +timedatectl set-ntp true
 +ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
 +hwclock --systohc
 +# edit /etc/locale.gen
 +locale-gen
 +</code>
 +<file - /etc/locale.conf>
 +LANG=en_US.UTF-8
 +</file>
 +<file - /etc/vconsole.conf>
 +KEYMAP=de-latin1
 +</file>
 +<file - /etc/hostname>
 +picloud
 +</file>
 +<file - /etc/hosts>
 +127.0.0.1 localhost
 +::1 localhost
 +127.0.1.1 picloud.localdomain picloud
 +</file>
 +fstab
 +<file - /etc/fstab -p
 +# Static information about the filesystems.
 +# See fstab(5) for details.
 +
 +# <file system> <dir> <type> <options> <dump> <pass>
 +/dev/sda    /mnt    btrfs   nofail,loop,offset=1048576  2   0
 +</file>
 +hdparm
 +<code bash>
 +pacman -S hdparm
 +</code>
 +<file - /etc/systemd/system/hdparm.service>
 +
 +[Unit]
 +Description=hdparm sleep
 +
 +[Service]
 +Type=oneshot
 +ExecStart=/usr/bin/hdparm -q -S 120 -y /dev/sda
 +
 +[Install]
 +WantedBy=multi-user.target
 +</file>
 +<code bash>
 +systemctl enable --now hdparm
 +</code>
 +nftables
 +<code bash>
 +pacman -S nftables
 +</code>
 +<file - /etc/nftables.conf>
 +table inet filter {
 +        set tcp_accepted {
 +                type inet_service
 +                flags interval
 +                elements = { 22,8096,631 }
 +        }
 +
 +        set udp_accepted {
 +                type inet_service
 +                flags interval
 +                elements = { 60000-61000 }
 +        }
 +
 +        chain base_checks {
 +                ct state { established, related } accept
 +                ct state invalid drop
 +        }
 +
 +        chain input {
 +                type filter hook input priority filter; policy drop;
 +                jump base_checks
 +                iifname "lo" accept
 +                ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
 +                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
 +                tcp dport @tcp_accepted accept
 +                udp dport @udp_accepted accept
 +                reject
 +        }
 +
 +        chain forward {
 +                type filter hook forward priority filter; policy drop;
 +                jump base_checks
 +        }
 +
 +        chain output {
 +                type filter hook output priority filter; policy accept;
 +        }
 +}
 +</file>
 +<code bash>
 +systemctl enable --now nftables
 +</code>
 +systemd-resolved
 +<file - /etc/systemd/resolved.conf>
 +[...]
 +MulticastDNS=no
 +[...]
 +</file>
 +avahi
 +<code bash>
 +pacman -S avahi
 +</code>
 +<file - /etc/avahi/services/airprint.service> 
 +<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
 +<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
 +<service-group>
 +  <name>Dell 1250c</name>
 +  <service>
 +    <type>_ipp._tcp</type>
 +    <subtype>_universal._sub._ipp._tcp</subtype>
 +    <port>631</port>
 +    <txt-record>txtver=1</txt-record>
 +    <txt-record>qtotal=1</txt-record>
 +    <txt-record>rp=printers/Dell_1250c_Color_Printer</txt-record>
 +    <txt-record>ty=Dell_1250c_Color_Printer</txt-record>
 +    <txt-record>adminurl=http://192.168.178.2:631/printers/Dell_1250c_Color_Printer</txt-record>
 +    <txt-record>note=Dell 1250c</txt-record>
 +    <txt-record>priority=0</txt-record>
 +    <txt-record>product=(GPL Ghostscript)</txt-record>
 +    <txt-record>printer-state=3</txt-record>
 +    <txt-record>printer-type=0x801046</txt-record>
 +    <txt-record>Transparent=T</txt-record>
 +    <txt-record>Binary=T</txt-record>
 +    <txt-record>Fax=F</txt-record>
 +    <txt-record>Color=T</txt-record>
 +    <txt-record>Duplex=T</txt-record>
 +    <txt-record>Staple=F</txt-record>
 +    <txt-record>Copies=T</txt-record>
 +    <txt-record>Collate=F</txt-record>
 +    <txt-record>Punch=F</txt-record>
 +    <txt-record>Bind=F</txt-record>
 +    <txt-record>Sort=F</txt-record>
 +    <txt-record>Scan=F</txt-record>
 +    <txt-record>pdl=application/octet-stream,application/pdf,application/postscript,image/jpeg,image/png,image/urf</txt-record>
 +    <txt-record>URF=W8,SRGB24,CP1,RS600</txt-record>
 +  </service>
 +</service-group>
 +</file>
 +<code bash>
 +systemctl enable --now avahi-daemon
 +</code>
 +systemd-networkd
 +<file - /etc/systemd/network/eth0.network>
 +[Match]
 +Name=eth0
 +
 +[Network]
 +Address=192.168.178.2/24
 +Gateway=192.168.178.1
 +DNS=192.168.178.1
 +DNSSEC=false
 +DHCP=ipv6
 +</file>
 +<code bash>
 +systemctl enable --now systemd-networkd
 +</code>