jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jawz:ad9179fe520a8913f72ca54ac10b446342720d2e
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28
..
compare: jawz:c09268891e43efa2efce657babf0c914f16ba8fe
Branches Tags
jawz:main jawz:keycloak
jawz:weekly-2026-02-06 jawz:weekly-2026-02-02 jawz:weekly-2026-01-30 jawz:weekly-2026-01-26 jawz:weekly-2026-01-24 jawz:weekly-2026-01-19 jawz:weekly-2026-01-16 jawz:weekly-2026-01-10 jawz:weekly-2026-01-05 jawz:weekly-2026-01-02 jawz:weekly-2025-12-29 jawz:weekly-2025-12-15 jawz:weekly-2025-12-08 jawz:weekly-2025-12-05 jawz:weekly-2025-12-01 jawz:weekly-2025-11-28

2 Commits
ad9179fe52 ... c09268891e

Author SHA1 Message Date
Danilo Reyes
c09268891e firewall migration 2026-02-05 12:45:39 -06:00
Danilo Reyes
e1f7c2291a testing on lebubu 2026-02-05 12:06:28 -06:00
16 changed files with 70 additions and 1454 deletions
Expand all files Collapse all files

36
caddy/Caddyfile
View File

@@ -1,36 +0,0 @@
# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile
# The configuration below serves a welcome page over HTTP on port 80. To use
# your own domain name with automatic HTTPS, ensure your A/AAAA DNS record is
# pointing to this machine's public IP, then replace `http://` with your domain
# name. Refer to the documentation for full instructions on the address
# specification.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses
http:// {
# Set this path to your site's directory.
root * /usr/share/caddy
# Enable the static file server.
file_server
# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080
# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
# Refer to the directive documentation for more options.
# https://caddyserver.com/docs/caddyfile/directives
}
# As an alternative to editing the above site block, you can add your own site
# block files in the Caddyfile.d directory, and they will be included as long
# as they use the .caddyfile extension.
import Caddyfile.d/*.caddyfile

20
caddy/Caddyfile.d/10-nextcloud.caddyfile
View File

@@ -1,20 +0,0 @@
cloud.lebubu.org cloud.rotehaare.art {
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy 10.77.0.2:8081 {
header_up Host {upstream_hostport}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
X-Permitted-Cross-Domain-Policies "none"
X-XSS-Protection "1; mode=block"
Referrer-Policy "no-referrer-when-downgrade"
Strict-Transport-Security "max-age=15552000; includeSubDomains"
-Server
}
}

18
caddy/Caddyfile.d/15-private.caddyfile
View File

@@ -1,18 +0,0 @@
(secure_mtls) {
tls {
client_auth {
mode require_and_verify
trusted_ca_cert_file /etc/caddy/client_ca.pem
}
}
}
home.lebubu.org, indexer.lebubu.org, xxx.lebubu.org {
import secure_mtls
@home host home.lebubu.org
@indexer host indexer.lebubu.org
reverse_proxy @home 10.77.0.2:8082
reverse_proxy @indexer 10.77.0.2:9696
}

29
caddy/Caddyfile.d/15-private.caddyfile__
View File

@@ -1,29 +0,0 @@
(oauth2_common) {
@oauth2path path /oauth2/*
handle @oauth2path {
reverse_proxy 10.77.0.2:4180
}
handle {
forward_auth 10.77.0.2:4180 {
uri /oauth2/auth
copy_headers X-Auth-Request-User X-Auth-Request-Email
}
}
}
auth-proxy.lebubu.org {
reverse_proxy 10.77.0.2:4180
}
home.lebubu.org, indexer.lebubu.org, xxx.lebubu.org {
import oauth2_common
@home host home.lebubu.org
@indexer host indexer.lebubu.org
@xxx host xxx.lebubu.org
handle {
reverse_proxy @home 10.77.0.2:8082
reverse_proxy @indexer 10.77.0.2:9696
reverse_proxy @xxx 10.77.0.2:9999
}
}

79
caddy/Caddyfile.d/20-servers.caddyfile
View File

@@ -1,79 +0,0 @@
analytics.lebubu.org {
reverse_proxy 10.77.0.2:8439
}
cache.lebubu.org {
reverse_proxy 10.77.0.2:2343
}
audiobooks.lebubu.org {
reverse_proxy 10.77.0.2:5687
}
mealie.lebubu.org {
reverse_proxy 10.77.0.2:9925
}
git.lebubu.org {
reverse_proxy 10.77.0.2:9083
}
subs.lebubu.org {
reverse_proxy 10.77.0.2:6767
}
collabora.lebubu.org {
reverse_proxy 10.77.0.2:9980
}
library.lebubu.org {
reverse_proxy 10.77.0.2:5000
}
music.lebubu.org {
reverse_proxy 10.77.0.2:8686
}
maloja.lebubu.org {
reverse_proxy 10.77.0.2:42010
}
copy.lebubu.org {
reverse_proxy 10.77.0.2:8086
}
scrobble.lebubu.org {
reverse_proxy 10.77.0.2:9078
}
plex.lebubu.org plex.rotehaare.art {
reverse_proxy 10.77.0.2:32400
}
movies.lebubu.org {
reverse_proxy 10.77.0.2:7878
}
laters.lebubu.org {
reverse_proxy 10.77.0.2:9546
}
links.lebubu.org {
reverse_proxy 10.77.0.2:3000
}
tracker.lebubu.org {
reverse_proxy 10.77.0.2:8765
}
series.lebubu.org {
reverse_proxy 10.77.0.2:8989
}
vault.lebubu.org {
reverse_proxy 10.77.0.2:8222
}
bajameesta.lebubu.org {
reverse_proxy 10.77.0.2:8881
}

98
caddy/Caddyfile.d/25-static.caddyfile
View File

@@ -1,98 +0,0 @@
(hugo_common) {
encode zstd gzip
header {
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
Referrer-Policy "strict-origin-when-cross-origin"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}
@static {
path *.jpg *.jpeg *.png *.gif *.ico *.css *.js *.svg *.woff *.woff2 *.ttf *.xml
}
handle @static {
file_server
header {
Cache-Control "public, max-age=31536000, immutable"
}
}
@html {
path *.html
}
handle @html {
file_server
try_files {path} {path}/ /index.html
}
handle {
file_server
try_files {path} {path}/ /index.html
}
@hidden {
path_regexp ^.*/\..*$
}
respond @hidden 404
handle /js/script.js {
rewrite * /js/script.file-downloads.hash.outbound-links.js
reverse_proxy https://analytics.lebubu.org {
header_up Host analytics.lebubu.org
}
}
handle /api/event {
reverse_proxy https://analytics.lebubu.org {
header_up Host analytics.lebubu.org
}
}
}
www.danilo-reyes.com {
redir https://danilo-reyes.com{uri}
}
www.blog.danilo-reyes.com {
redir https://blog.danilo-reyes.com{uri}
}
danilo-reyes.com {
root * /var/www/html/portfolio
import hugo_common
}
blog.danilo-reyes.com {
route {
handle_path /isso* {
reverse_proxy 10.77.0.2:8180
}
root * /var/www/html/blog
import hugo_common
}
}
mb-report.lebubu.org {
root * /var/www/html/lidarr-mb-gap
file_server
encode gzip zstd
try_files {path} /missing_albums.html
@html {
path *.html
}
header @html Content-Type "text/html; charset=utf-8"
@json {
path *.json
}
header @json Content-Type "application/json"
header {
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
}
}

13
caddy/Caddyfile.d/40-jellyfin.caddyfile
View File

@@ -1,13 +0,0 @@
flix.lebubu.org {
reverse_proxy 10.77.0.2:8096 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Host {host}
# WebSocket support (automatic in Caddy, but explicit is fine)
header_up Connection {>Connection}
header_up Upgrade {>Upgrade}
}
}

9
caddy/Caddyfile.d/5-keycloak.caddyfile
View File

@@ -1,9 +0,0 @@
auth.lebubu.org {
tls internal
reverse_proxy 10.77.0.2:8090 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Host {host}
header_up Host {host}
}
}

4
caddy/Caddyfile.d/75-qbittorrent.caddyfile
View File

@@ -1,4 +0,0 @@
torrent.lebubu.org {
reverse_proxy 127.0.0.1:9345
}

33
caddy/client_ca.pem
View File

@@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFmzCCA4OgAwIBAgIUPBgrOAnSgT+y9+zaFaCuVkwi/M4wDQYJKoZIhvcNAQEL
BQAwXTELMAkGA1UEBhMCTVgxEjAQBgNVBAgMCVNvbWVTdGF0ZTERMA8GA1UEBwwI
U29tZUNpdHkxEDAOBgNVBAoMB0phd1pEZXYxFTATBgNVBAMMDEphd1ogUm9vdCBD
QTAeFw0yNTA3MTYxOTMxMTBaFw0zNTA3MTQxOTMxMTBaMF0xCzAJBgNVBAYTAk1Y
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRAwDgYDVQQK
DAdKYXdaRGV2MRUwEwYDVQQDDAxKYXdaIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDwcWfnMDBzdukPZUa0pbY3tHG2ONEZMDUsxo5T5veq
KrMfsu7U9tE8AY+AVl0Qz9hpBHN+GmktXQlimPkm4tSVKJMjk0iWYgZn8tTMB+AL
i3gl/bt7qP+59U7gQbojkp6B0xCMCynPlsgcMiIcZWFmNVrG6ehh4B+wuG52gWVw
TrwhDjHhxsrc66DkgC/59Pm60JqHlBhuhv9HB/q9JM3HLQ63XUwhvTVJ29tSiJZl
WpKFr5s8nfE2FIXIHzi+o+Lo3n9wvdCzNfaRUStLWbROzF97jY4VIxIDk/loQH4T
6oXBGlRe8M+G1XL/waRDySxL26jRVG8bUEv4mh/Hd9Rs0JcUOl6lFiGndJMjMyom
ZgAlhi2Id2AzkT28utdYQqKUuaTy1SwLkrcOu9k2/dw7Uf7aK5WCraOth5ys+lw+
mzga4gNGc3Am9soFHjI56Qxvhf+Aa5tlASwpzrjsc7PJEZJXorE40uZsB/q1PafP
AIqVsSoT+Q6h6bld0EuQ5W4i1LTipZEPUaF673tGCXuI40AeTI44SFKcGm9XG1ic
I25OxuIKyl5sCANkryOHjNKY4SkzXKSpML3PYbfSKK7xDpeFofIYKnRfJm4qmBNd
lKT+ti4Hnvr8NZDRWyxC5SIDF1fdkslNu/HoAoL8JdXPYnitlTL7A5mF5PVPHom7
XwIDAQABo1MwUTAdBgNVHQ4EFgQUhquhsVpNS4shC+7DMxOK4/wYYEswHwYDVR0j
BBgwFoAUhquhsVpNS4shC+7DMxOK4/wYYEswDwYDVR0TAQH/BAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAgEAU8nSV6DqCZSDxWpa8JSBmZFnO2oZIRF9Nw/1QcpMOGUR
pnWyQ03QtEgXYMwvxN/FOcGvYwg0LyYy07rzlpe5n2wRBaTrPCZ928f5j0nhADjC
GYutxhbO4WYvBKUY88qYCrJRa1Aw1B/CsGCmH5f+aND6fyxZ6Lx9CQ8O43f+QCOE
ltkbHRvjxYyVpDkgccDwetMDURKKrzkibUskeCPt0TjZbLKUq/cDspdAjSJgIJrz
a50JbniKUG5Qcav3P2aA6NluOKFJfYh+146uafC6WofUtx2Vv5lViYMlIDnqN4L0
xUzN5hB1kwF+4v1PO9/olafKqmgZ8FD/ipMYq2aYX4u9RJHLD6hMPUJpgKPRhGfi
ul9rYv6rC+pQNIn4s287sAPru5IgIzPBBCbqXSkoue7V/mpqRuZZRX84V6CzlYDc
0knoG2TL6aEWO+vj1mROgOuagyqyb3NZvgySE7GieW4tdvZhdYJJxdXh/tBQCg9E
iVcQH0rNJ+0jsybFWPqdOIZ6sH78SvY+J4KhqZ3Il/WCxCTs/Ccb/RMkhRm+bfSX
1FxoKF20b3RJ6g9N1oOj+12oK8jwMpUbaG/oAZh0TgZf1FUKic2f6jhMZLus8fGe
nyHza9mHbN1M8d9hX7U3gkepY8RVhSNL5erNp1zsBtZ4UNmouGm53wgjYZPYkrc=
-----END CERTIFICATE-----

74
hosts/vps/configuration.nix
View File

@@ -5,6 +5,10 @@
pkgs, pkgs,
... ...
}: }:
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
in
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -21,18 +25,64 @@
]; ];
}; };
}; };
environment.etc."iptables.rules".source = ../../iptables; networking.firewall = {
networking.firewall.enable = lib.mkForce false; enable = true;
networking.nftables.enable = false; allowedTCPPorts = [
systemd.services.iptables-restore = { 80
description = "Apply iptables ruleset"; 443
wantedBy = [ "multi-user.target" ]; 3456
after = [ "network-pre.target" ]; ];
serviceConfig = { allowedUDPPorts = [ 51820 ];
Type = "oneshot"; extraForwardRules = ''
RemainAfterExit = true; ct state established,related accept
ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
}; ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
ip daddr ${homeServer}/32 udp dport 51412 accept
ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
'';
extraCommands = ''
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
'';
}; };
image.modules.linode = { }; image.modules.linode = { };
networking.hostName = "vps"; networking.hostName = "vps";

634
jawz_hist
View File

@@ -1,634 +0,0 @@
exit
cd
ls
ls .ssh
ls ~/.ssh/
ls -lag
ls -la
sudo chown -R jawz:jawz ./
ls -lag
ls -la
ls .ssh/
ls .ssh/ -la
sudo systemctl enable --now wg-quick@wg0
sudo nano /etc/sysctl.d/99-ipforward.conf
ls
sudo -i
sudo systemctl status sshd.service
sudo systemctl restart sshd.service
journalctl -xeu sshd
sudo -i
sudo systemctl status sshd
sudo ss -ltnp | grep ssh
sudo semanage port -l | grep ssh_port_t
sudo ss -ltnp | grep 3456 || sudo ss -ltnp | grep sshd
ping google.com
sudo systemctl stop wg-quick@wg0.service
ping google.com
sudo systemctl disable wg-quick@wg0.service
exi
exit
sudo rmdir /etc/caddy/Caddyfile.d/
sudo -i
exit
ls
rm histfile
rm iptables*
ls
rm sudo_histfile
cat syncthingblocked
rm syncthingblocked
ls
exit
sudoedit /etc/wireguard/wg0.conf
export TERM=xterm-256color
sudoedit /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick
sudo systemctl restart wg-quick@wg0.service
sudoedit /etc/wireguard/wg0.conf
sudo -i
sudo tcpdump
sudo dnf install tcpdump
sudo tcpdump -i wg0 host 10.77.0.2 -n -v
sudoedit /etc/sysconfig/iptables
export TERM=xterm-256color
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
ping google.com
sudo ss -ltnp | grep 3456 || sudo ss -ltnp | grep sshd
sudo sed -n '1,200p' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null | egrep -n '^(Port|ListenAddress)'
sudo iptables -S
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudo systemctl enable --now iptables
sudo systemctl start iptables
sudo systemctl restart iptables
sudo iptables -S
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
ping google.com
sudo -i
sudo wg sow
sudo wg show
ls
cd /etc/caddy/Caddyfile.d/
ls
cat fun.caddyfile__
ls
clear
mv portfolio.caddyfile_bkp portfolio.caddyfile
sudo mv portfolio.caddyfile_bkp portfolio.caddyfile
sudo systemctl restart caddy
clear
export TERM=xterm-256color
iptables-s
sudo iptables -S
sudo iptables -s
sudo iptables -S
clear
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudo -i
sudo reboot
exit
ping google.com
sudo systemctl restart iptables
sudo systemctl enable iptables
exit
sudo -i
exit
sudo iptables -vnL FORWARD | grep 22000
sudo -i
sudo iptables -L FORWARD -n -v --line-numbers
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudoedit /etc/sysconfig/iptables
export TERM=xterm-256color
sudoedit /etc/sysconfig/iptables
clear
sudo cat /etc/sysconfig/iptables
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudoedit /etc/sysconfig/iptables
wg show
sudo wg show
ping -c 3 10.8.0.2
nc -zv 10.77.0.2 22000
sudo -i
exit
sudo -i
exit
sudo systemctl disable iptables
sudo systemctl enable iptables
sudo systemctl status iptables
sudo systemctl start iptables
sudo -i
exit
sudo dnf install starship
sudo dnf copr enable atim/starship
sudo dnf install starship
nano .bashrc
export TERM=xterm-256color
nano .bashrc
bash
exit
nano /etc/hostname
export TERM=xterm-256color
nano /etc/hostname
sudoedit /etc/hostname
exit
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
export TERM=xterm-256color
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
export EDITOR=neovim
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
EDITOR=neovim sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
EDITOR=nvim sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo -i
exit
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
exit
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo -i
exit
export TERM=xterm-256color
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
export TERM=xterm-256color
sudoedit /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
sudo -i
exit
sudo mkdir -p /var/www/html
sudo mkdir -p /var/www/html/lidarr-mb-gap
sudo useradd -m -s /bin/bash lidarr-reports
sudo chown -R lidarr-reports:lidarr-reports /var/www/html/lidarr-mb-gap/
exit
sudo -u lidarr-reports bash
exit
sudo -u lidarr-reports
sudo -u lidarr-reports bash
sudo -i
exit
sudo -u lidarr-mb-gap cat /var/lib/lidarr-mb-gap/.ssh/id_ed25519.pub
exit
sudo -u lidarr-reports
sudo -u lidarr-reports bash
exit
sudo -u lidarr-reports ssh-keygen -l -f /home/lidarr-reports/.ssh/ed25519_lidarr-mb-gap.pub
exit
sudo -u lidarr-reports -u bash
sudo -u lidarr-reports bash
exit
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
exit
sudo dnf install rsync
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy.service
ls
cd /var/www/html/lidarr-mb-gap/
ls
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy.service
nc -zv 10.77.0.2 8999
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/10-nextcloud.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo systemctl restart caddy
ls
cd /etc/wireguard/
sudo -i
exit
cd /etc/caddy/Caddyfile.d/
ls
nvim 15-private.caddyfile
mv 15-private.caddyfile 15-private.caddyfile_
sudo mv 15-private.caddyfile 15-private.caddyfile_
nvim 15-private.caddyfile
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/10-nextcloud.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/5-keycloak.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
cat 15-private.caddyfile
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
sudo nvim 15-private.caddyfile_
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
exit
sudo systemctl restart caddy
sudo nvim
cd /etc/caddy/Caddyfile.d/
sudo nvim 15-private.caddyfile
cat 15-private.caddyfile_
sudo nvim 15-private.caddyfile
cat 15-private.caddyfile
sudo nvim 15-private.caddyfile
sudo systemctl restart caddy
sudo nvim 15-private.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo systemctl restart caddy
systemctl status caddy
sudo nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
sudo nvim 20-servers.caddyfile
sudo nvim 40-jellyfin.caddyfile
sudo systemctl restart jel
sudo systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
mv 15-private.caddyfile 15-private.caddyfile__
sudo mv 15-private.caddyfile 15-private.caddyfile__
sudo mv 15-private.caddyfile_ 15-private.caddyfile
sudo systemctl restart caddy
exit
dig servidos.lat A
sudo dnf install dig
dig servidos.lat A
exit
curl servidos.lat
exit
curl servidos.lat
dig servidos.lat A
curl -v 130.211.27.102
curl -v 130.211.27.102:443
curl -v https://130.211.27.102
curl servidos.lat
curl https://servidos.lat
curl-v https://servidos.lat
curl -v https://servidos.lat
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
exit
dig servidos.lat A
curl -v https://servidos.lat
exit
sudo useradd -m -s /bin/bash deploy
sudo groupadd -f www-data
sudo usermod -aG www-data deploy
ls -lag /var/www/html/
sudo mkdir /var/www/html/portfolio
sudo chown -R root:www-data /var/www/html/portfolio/
sudo chmod -R 775 /var/www/html/portfolio/
ssh-keygen -t ed25519 -C "deploy@portfolio" -f ~/.ssh/portfolio_deploy
cat ~/.ssh/portfolio_deploy.pub
sudo -u deploy
sudo -u deploy bash
ls
ls -lag
cat ~/.ssh/portfolio_deploy
exit
su
sudo -u
sudo -i
cat ~/.ssh/portfolio_deploy
exit
sudo systemctl restart iptables
exit
ls
ls ~/.ssh/authorized_keys
cat ~/.ssh/authorized_keys
sudo systemctl restart iptables.service
sudo systemctl status iptables.service
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
exit
ls
exit
cd /var/www/html/portfolio/
ls -lag
ls
sudo -u deploy bash
ls
exit
sudo systemctl restart caddy
cd /var/www/html/portfolio/
ls
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo chown -R deploy:www-data /var/www/html/portfo
sudo chown -R deploy:www-data /var/www/html/portfolio/
exit
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo mkdir /var/www/html/blog
sudo chown deploy:www-data /var/www/html/blog/ -R
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo chmod -R 775 /var/www/html/portfolio
ls -la /var/www/html/portfolio/
sudo chown -$ deploy:www-data /var/www/html/portfolio/
sudo chown -R deploy:www-data /var/www/html/portfolio/
sudo -i
ls -la /var/www/html/portfolio/friends/ | grep "001_chicken_hu"
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
df -h
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy && exit
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy && exit
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
journalctl -xeu caddy.service
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
journalctl -xeu caddy.service
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy && exit
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
curl -sI "https://danilo-reyes.com/isso/js/embed.min.js"
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy && exit
curl -sI "https://danilo-reyes.com/isso/js/embed.min.js"
curl -vkI https://blog.danilo-reyes.com/isso/js/embed.min.js
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
curl -vkI https://blog.danilo-reyes.com/isso/
curl -vkI https://blog.danilo-reyes.com/isso/js/embed.min.js
curl -vkI http://10.77.0.2:8180/
curl -vkI http://10.77.0.2:8180/js/embed.min.js
curl -vkI http://10.77.0.2:8180/
curl -vkI http://10.77.0.2:8180/js/embed.min.js
curl -vkI https://blog.danilo-reyes.com/isso/js/embed.min.js
curl -vkI https://blog.danilo-reyes.com/isso/
curl -vkI https://blog.danilo-reyes.com/isso
9;6u
timedatectl status
date-u
date -u
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
exit
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
exit
sudo cat /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo cat /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo dnf search opentracker
sudo dnf install -y git gcc make libowfat-devel
git clone https://erdgeist.org/gitweb/opentracker
cd opentracker/
make
sudo dnf install -y libowfat-devel
make clean
make CFLAGS="-I/usr/include/libowfat"
sudo dnf install -y zlib-devel
make CFLAGS="-I/usr/include/libowfat"
git submodule update --init
make clean
make
ls
cd ..
git clone git@github.com:masroore/libowfat.git
sudo dnf install libowfat
git clone git@github.com:masroore/libowfat.git
podman
docker
exit
sudo dnf copr enable dlk/rpms
sudo dnf install opentracker
rm opentracker/
rm opentracker/ -rf
sudo systemctl enable --now opentracker
sudo systemctl status opentracker
sudo cat /etc/opentracker.conf
sudo nvim /etc/opentracker.conf
sudo nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo grep -r 6969 /etc/caddy/Caddyfile.d/
sudo nvim /etc/opentracker.conf
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo nvim /etc/opentracker.conf
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo install -d -m 0750 /var/lib/opentracker
sudo install -m 0640 /dev/null /var/lib/opentracker/whitelist
sudo install -m 0640 /dev/null /var/lib/opentracker/blacklist
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
ls -lag /var/lib/opentracker/
sudo ls -lag /var/lib/opentracker/
sudo nvim /etc/opentracker.conf
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo chmod 666 /var/lib/opentracker/blacklist
sudo systemctl restart opentracker.service
sudo systemctl status opentracker
sudo iptables -A INPUT -p tcp --dport 6969 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 6969 -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -L INPUT -n -v --line-numbers | grep 6969
sudo service iptables save
exit
ls /etc/wireguard/
sudo ls /etc/wireguard/
sudo cat /etc/wireguard/wg0.conf
cat /etc/sysctl.d/99-forward.conf
sudo ls /etc/sysctl.d
cat /etc/sysctl.d/99-ipforward.conf
sudo sysctl net.ipv4.ip_forward
sudo -i
sudo systemctl status opentracker
journalctl -xefu opentracker
ss -tnp | grep 6969
sudo sysctl -w net.ipv4.conf.all.rp_filter=0
sudo sysctl -w net.ipv4.conf.eth0.rp_filter=0
sudo sysctl -w net.ipv4.conf.wg0.rp_filter=0
journalctl -xefu opentracker
sudo cat /etc/sysconfig/iptables
sysctl -w net.ipv4.ip_forward=1
# ---- NAT (insert at top) ----
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I POSTROUTING 1 -s 10.77.0.0/24 -o eth0 -j MASQUERADE
# ---- FORWARD ----
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 -p tcp --sport 51412 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i wg0 -o eth0 -s 10.77.0.2 -p udp --sport 51412 -j ACCEPT
iptables -I FORWARD 5 -i wg0 -o eth0 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
net.ipv4.ip_forward = 1
sudo -i
mkfs.ext4 "/dev/disk/by-id/scsi-0Linode_Volume_box"
sudo -i
mkdir /mnt/box/downloads
sudo mkdir /mnt/box/downloads
sudo chown jawz:users /mnt/box/downloads/
ls -la
sudo chown jawz:jawz /mnt/box/downloads/
qbittorrent-nox
sudo useradd --system --create-home --home-dir /var/lib/qbittorrent --shell /sbin/nologin qbittorrent
sudo mkdir -p /srv/torrents/{downloads,incomplete,watch}
sudo chown -R qbittorrent:qbittorrent /srv/torrents /var/lib/qbittorrent
sudo tee /etc/systemd/system/qbittorrent-nox.service >/dev/null <<'EOF'
[Unit]
Description=qBittorrent (nox)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=qbittorrent
Group=qbittorrent
UMask=0027
WorkingDirectory=/var/lib/qbittorrent
ExecStart=/usr/bin/qbittorrent-nox --profile=/var/lib/qbittorrent
Restart=on-failure
RestartSec=3
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now qbittorrent-nox
sudo systemctl status qbittorrent-nox --no-pager
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo systemctl restart qbittorrent-nox
sudo nvim /etc/caddy/Caddyfile.d/75-qbittorrent.caddyfile
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo systemctl stop qbittorrent-nox
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo systemctl start qbittorrent-nox
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
sudo nvim /etc/caddy/Caddyfile.d/75-qbittorrent.caddyfile
sudo systemctl restart caddy
sudo systemctl status qbittorrent-nox --no-pager
ls
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
ls /mnt/
ls /mnt/box/
rm /mnt/box/downloads/
rmdir /mnt/box/downloads/
sudo rmdir /mnt/box/downloads/
sudo mv /srv/torrents/* /mnt/box/
sudo umount /mnt/box
sudo nvim /etc/fstab
sudo mount -a
sudo systemctl daemon-reload
sudo mount -a
ls -lag /srv/torrents/
sudo -u qbittorrent nano /var/lib/qbittorrent/qBittorrent/config/qBittorrent.conf
cd /var/lib/qbittorrent/
sudo -i
exit
sudo -i
ssh server
exitr
exit
ls /srv/torrents/
sudo mkdir /srv/torrents/tits
sudo chown jawz:jawz /srv/torrents/tits/
ls /srv/torrents/tits/
sudo -i
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
exit
ls
df -h
ssh server
exit
clear
sudoedit /etc/sysconfig/iptables
exit
sudo grep 6060 /etc/
sudo grep 6060 /etc/ -r
sudo grep -r 6969 /etc/
sudo cat /etc/ssh/sshd_config
ls
clear
exit
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
sudo ls /etc/wireguard/
sudo cat /etc/wireguard/wg0.conf
sudo -i
exit
sudo -i
sudo -i
sudo -i
iptables -S
sudo iptables -S
sudo nvim /etc/wireguard/wg0.conf
exit
curl # Test paperless (should fail)
curl -v --connect-timeout 5 http://192.168.100.15:8000
# Test sabnzbd (should fail)
curl -v --connect-timeout 5 http://192.168.100.15:3399
curl -v --connect-timeout 5 http://192.168.100.15:8686
sudo wg show
exit
sudo systemctl restart wg-quick@wg0.service
exit
sudo nvim /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
sudo nvim /etc/wireguard/wg0.conf
exit
sudo wg show
exit
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
exit
sudo systemctl restart wg-quick@wg0.service
sudo nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
sudo systemctl restart caddy
z nixos
exit
cat .ssh/id_ed25519.pub
cat .ssh/id_ed25519
exit
cat /etc/sysconfig/iptables
sudo cat /etc/sysconfig/iptables
exit
sudo -i
ls
cat vps_public.key
ls .ssh/authorized_keys
cat .ssh/authorized_keys
exit

7
secrets/ssh/ed25519_nixvps
View File

@@ -1,7 +0,0 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAg2NEQIaCDPaucUAqi1iUIppNyQJH2AHGm8RhZ8ZjQagAAAJggRAEdIEQB
HQAAAAtzc2gtZWQyNTUxOQAAACAg2NEQIaCDPaucUAqi1iUIppNyQJH2AHGm8RhZ8ZjQag
AAAECI12wNotU67+KnPGhWMcLUxotEQdz4jry+aijaiHP26CDY0RAhoIM9q5xQCqLWJQim
k3JAkfYAcabxGFnxmNBqAAAAEGphd3pAd29ya3N0YXRpb24BAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

11
specs/004-vps-migration/quickstart.md
View File

@@ -60,9 +60,12 @@
- `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found. - `mb-report.lebubu.org` and `torrent.lebubu.org` are present in caddy but no matching Nix server host was found.
5. Migrate analytics data: 5. Migrate analytics data:
- Export data from existing server - Identify the analytics system (e.g., Plausible) and its data store location or database
- Import into new server - Freeze writes during export (stop the analytics service or enable maintenance mode)
- Validate historical data is present - Export analytics data from the existing server (db dump or data directory archive)
- Transfer the export to the new server using the secure path already used for secrets/config
- Import the data on the new server and restart the analytics service
- Validate historical data is present (date range coverage, dashboard counts, and sample events)
6. Run verification steps for each task (per spec FR-012). 6. Run verification steps for each task (per spec FR-012).
@@ -97,7 +100,7 @@
- **T020**: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix` - **T020**: `rg -n "45\\.33\\.0\\.228" modules/modules.nix config/jawz.nix`
- **T021**: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix` - **T021**: `rg -n "endpoint = .*my\\.ips\\.vps" hosts/server/configuration.nix`
- **T022**: verify "Clarification Candidates From History Review" section exists in this file - **T022**: verify "Clarification Candidates From History Review" section exists in this file
- **T023**: intentionally skipped by operator for this implementation pass - **T023**: `rg -n "Migrate analytics data|Export analytics|Import.*analytics|Validate historical data" /home/jawz/Development/NixOS/specs/004-vps-migration/quickstart.md`
- **T024**: verify each task from T001-T026 has a corresponding verification line in this section - **T024**: verify each task from T001-T026 has a corresponding verification line in this section
- **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes - **T025**: `rg -n "caddy|Caddy" README.org docs || true` and confirm no active-proxy references remain outside legacy migration notes
- **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path - **T026**: `rg -n "T0[0-2][0-9]" /home/jawz/Development/NixOS/specs/004-vps-migration/tasks.md` and confirm each task mentions at least one concrete path

2
specs/004-vps-migration/tasks.md
View File

@@ -64,7 +64,7 @@ Deliver MVP as User Story 1 (primary host reverse proxy + keep services on host
**Independent test criteria**: Clarification list exists and each task has a verification step. **Independent test criteria**: Clarification list exists and each task has a verification step.
- [x] T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md - [x] T022 [US4] Review sudo_hist and jawz_hist for missing configuration; record clarification list in specs/004-vps-migration/quickstart.md
- [ ] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md - [x] T023 [US4] Document analytics data migration steps (export, import, validate) in specs/004-vps-migration/quickstart.md
- [x] T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md - [x] T024 [US4] Add verification steps for each task in specs/004-vps-migration/quickstart.md
## Phase 7: Polish & Cross-Cutting Concerns ## Phase 7: Polish & Cross-Cutting Concerns

457
sudo_hist
View File

@@ -1,457 +0,0 @@
clear
exit
clear
dnf install wireguard-tools neovim caddy
systemctl enable --now caddy
systemctl enable --now iptables
dnf install iptables-services
systemctl enable --now iptables
ls /home/
ls /home/fedora
nano /etc/ssh/sshd_config
nano /etc/wireguard/wg0.conf
nano /etc/wireguard/home_private.key
sudo useradd -m -s /bin/bash jawz
sudo passwd jawz
sudo usermod -aG wheel jawz
visudo
ls
su jawz
cat /home/jawz/iptables /etc/sysconfig/iptables
cat /home/jawz/iptables > /etc/sysconfig/iptables
cat /home/jawz/iptables-config /etc/sysconfig/iptables-config
cat /home/jawz/iptables-config > /etc/sysconfig/iptables-config
sudo systemctl restart iptables.service
nano /etc/hosts
ls
sudoedit /etc/ssh/sshd_config
ls
sudo reboot
mv /home/jawz/Caddyfile.d/ /etc/caddy/
ls /etc/caddy/
ls /etc/caddy/ -la
sudo chown root:root /etc/caddy/Caddyfile -R
ls /etc/caddy/ -la
chown root:root -R /etc/caddy/Caddyfile
ls /etc/caddy/ -la
chown root:root -R /etc/caddy/Caddyfile.d/
ls /etc/caddy/ -la
sudo systemctl restart caddy
exit
528491
clear
export TERM=xterm-256color
clear
sudo iptables -S
ping google.com
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo systemctl restart wg-quick@wg0.service
sudo iptables -L FORWARD -n -v --line-numbers
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudoedit /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudoedit /etc/sysconfig/iptables
sudo iptables-save > /root/iptables-backup-$(date +%s)
sudo iptables -F FORWARD
sudo iptables-restore < /tmp/iptables
sudo iptables -D FORWARD 4
sudo iptables -S
sudo systemctl restart iptables.service
sudo iptables -S
sudoedit /etc/sysconfig/iptables
sud nvim /etc/sysconfig/iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo journalctl -xeu iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
mv portfolio.caddyfile portfolio.caddyfile_
sudo systemctl restart caddy
sudoedit /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
ping 10.77.0.2:80
sudoedit /etc/wireguard/wg0.conf
ping 10.77.0.2
sudo journalctl -xefu wg-quick@wg0
ping 10.77.0.2
ping server
wg show
sudoedit /etc/wireguard/wg0.conf
wg show
cd /etc/caddy/Caddyfile.d/
mv portfolio.caddyfile_ portfolio.caddyfile
mv portfolio.caddyfile portfolio.caddyfile_
cat /etc/sysconfig/iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
journalctl -xeu iptables
sudo nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
sudo iptables -L FORWARD -n -v --line-numbers
# In one terminal, watch the iptables counters
sudo watch -n1 'iptables -L FORWARD -n -v --line-numbers'
export TERM=xterm-256color
sudo watch -n1 'iptables -L FORWARD -n -v --line-numbers'
sudo tcpdump -i any icmp -n
ip addr show wg0
sudo iptables -I FORWARD 6 -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
sudo iptables -I FORWARD 7 -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
sudo iptables -L FORWARD -n -v --line-numbers
sudo iptables-save > /etc/sysconfig/iptables
nano /etc/wireguard/wg0.conf
export TERM=xterm-256color
nano /etc/wireguard/wg0.conf
systemctl restart wg-quick.target
systemctl restart wg-quick@wg0
cat /etc/wireguard/wg0.conf
sudo nvim /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
wg show
sudo nvim /etc/wireguard/wg0.conf
sudo systemctl restart wg-quick@wg0.service
wg show
sudo systemctl enable ip6tables
sudo systemctl disable --now nftables 2>/dev/null || true
sudo systemctl mask nftables 2>/dev/null || true
exit
export TERM=xterm-256color
sudo nano /etc/sysconfig/iptables
cd /etc/caddy/Caddyfile.d/
ls
cat fun.caddyfile__
rm fun.caddyfile__
ls
nano simple.caddyfile
export TERM=xterm-256color
nano simple.caddyfile
nvim simple.caddyfile
mv simple.caddyfile servers.caddyfile
systemctl restart caddy
ls
exit
export TERM=xterm-256color
cd /etc/caddy/Caddyfile.d/
nvim servers.caddyfile
sudo systemctl restart caddy
journalctl -xeu caddy
cd /etc/caddy/Caddyfile.d/
nvim redirect.caddyfile
sudo systemctl restart caddy
nvim redirect.caddyfile
sudo journalctl -u caddy -f
ls
nvim redirect.caddyfile
mv redirect.caddyfile 10-redirect.caddyfile
nvim 00-allowlist.caddyfile
mv servers.caddyfile 20-servers.caddyfile
cd ..
ls
nvim Caddyfile
sudo systemctl restart caddy
sudo journalctl -u caddy -f
nvim Caddyfile
sudo systemctl restart caddy
nvim Caddyfile
ls
cd Caddyfile.d/
ls
mv 00-allowlist.caddyfile 00-allowlist.caddyfile_
mv 10-redirect.caddyfile 10-redirect.caddyfile_
sudo systemctl restart caddy
exit
cd /etc/caddy/Caddyfile.d/
nvim servers.caddyfile
nvim redirect.caddyfile
sudo caddy fmt --overwrite redirect.caddyfile
sudo caddy validate --config redirect.caddyfile
nvim /etc/caddy/Caddyfile.d/servers.caddyfile
systemctl restart caddy
cd /etc/caddy/Caddyfile.d/
ls
rm 00-allowlist.caddyfile_ 10-redirect.caddyfile_ portfolio.caddyfile_
ls
mv portfolio.caddyfile_ 30-portfolio.caddyfile_
nvim 30-portfolio.caddyfile_
ls
cat 20-servers.caddyfile
nvim 20-servers.caddyfile
systemctl restart caddy
nvim 20-servers.caddyfile
nvim 10-nextcloud.caddyfile
nvim 20-servers.caddyfile
cd ..
cat Caddyfile.d/20-servers.caddyfile
cat Caddyfile.d/20-servers.caddyfile | head -n 30
cat Caddyfile.d/20-servers.caddyfile | head -n 10
nvim /etc/caddy/client_ca.pem
nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
systemctl restart caddy
cat Caddyfile.d/20-servers.caddyfile | head -n 10
exit
nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
nvim /etc/caddy/Caddyfile.d/15-private.caddyfile
sudo systemctl restart caddy
nvim /etc/caddy/Caddyfile.d/10-nextcloud.caddyfile
nvim /etc/caddy/Caddyfile.d/20-servers.caddyfile
cat /etc/caddy/Caddyfile.d/20-servers.caddyfile
exit
cd /etc/
ls
cd sysconfig/
ls
nvim iptables
cat iptables
curl 10.77.0.2:8999
nvim iptables
sudo systemctl restart iptables.service
exit
curl 10.77.0.2:8999
curl 10.8.0.2:8999
curl 10.8.0.1:8999
exit
cd /etc/wireguard/
ls
cat wg0.conf
exit
cd /etc/caddy/
ls
cd Caddyfile.d/
ls
mv 30-portfolio.caddyfile_ 30-portfolio.caddyfile
cat 15-private.caddyfile__
ls
cat 25-static.caddyfile
cat 30-portfolio.caddyfile
rm 30-portfolio.caddyfile
nvim 25-static.caddyfile
systemctl restart caddy
exit
cat /etc/caddy/Caddyfile.d/25-static.caddyfile
nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
cat /etc/caddy/Caddyfile.d/25-static.caddyfile
nvim /etc/caddy/Caddyfile.d/25-static.caddyfile
sudo systemctl restart caddy
cat /etc/caddy/Caddyfile.d/25-static.caddyfile
caddy validate --config /etc/caddy/Caddyfile.d/25-static.caddyfile
caddy fmt --overwrite /etc/caddy/Caddyfile.d/*
caddy fmt --overwrite /etc/caddy/Caddyfile.d/25-static.caddyfile
find -tf /etc/caddy/Caddyfile.d/25-static.caddyfile
find -type f /etc/caddy/Caddyfile.d/
find /etc/caddy/Caddyfile.d/ -type f
find /etc/caddy/Caddyfile.d/ -type f -exec caddy fmt --overwrite {}
find /etc/caddy/Caddyfile.d/ -type f -exec caddy fmt --overwrite {} \;
caddy validate --config /etc/caddy/Caddyfile.d/25-static.caddyfile
ls -la /var/www/html/portfolio/
ls -la /var/www/html/portfolio/images/
ls -la /var/www/html/portfolio/old_ijwbs/
du -sh /var/www/html/portfolio/
ls -la /var/www/html/portfolio/
ls -la /var/www/html/portfolio/friends/
cd /etc/sysconfig/
ls
cat iptables
rg 51413
rg 51412
cat iptables
sudo tcpdump -ni eth0 port 51412
sudo tcpdump -ni wg0 port 51412
sudo tcpdump -ni eth0 port 51412
ss -ltnp | grep ":51412"
sysctl -w net.ipv4.ip_forward=1
# ---- NAT (insert at top) ----
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I POSTROUTING 1 -s 10.77.0.0/24 -o eth0 -j MASQUERADE
# ---- FORWARD ----
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 -p tcp --sport 51412 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i wg0 -o eth0 -s 10.77.0.2 -p udp --sport 51412 -j ACCEPT
iptables -I FORWARD 5 -i wg0 -o eth0 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
net.ipv4.ip_forward = 1
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I POSTROUTING 1 -s 10.77.0.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 -p tcp --sport 51412 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i wg0 -o eth0 -s 10.77.0.2 -p udp --sport 51412 -j ACCEPT
iptables -I FORWARD 5 -i wg0 -o eth0 -j ACCEPT
iptables -I FORWARD 6 -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -L FORWARD -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers
iptables -L FORWARD -n -v --line-numbers
iptables -t nat -L -n -v --line-numbers
sudo tcpdump -ni eth0 port 51412
curl -4 ifconfig.me
tcpdump -ni eth0 port 51412
ss -lntup | grep 51412
iptables -t raw -I PREROUTING 1 -p tcp --dport 51412 -j NOTRACK
iptables -t raw -I PREROUTING 1 -p udp --dport 51412 -j NOTRACK
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 --sport 51412 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s 10.77.0.2 -o eth0 -j MASQUERADE
tcpdump -ni wg0 port 51412
sysctl net.ipv4.ip_forward
iptables -t raw -I PREROUTING 1 -p tcp --dport 51412 -j NOTRACK
iptables -t raw -I PREROUTING 2 -p udp --dport 51412 -j NOTRACK
iptables -t nat -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -t nat -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
iptables -I FORWARD 1 -i eth0 -o wg0 -p tcp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 2 -i eth0 -o wg0 -p udp -d 10.77.0.2 --dport 51412 -j ACCEPT
iptables -I FORWARD 3 -i wg0 -o eth0 -s 10.77.0.2 --sport 51412 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s 10.77.0.2 -o eth0 -j MASQUERADE
tcpdump -ni wg0 port 51412
tcpdump -ni eth0 'tcp port 51412'
sysctl net.ipv4.conf.eth0.route_localnet
sysctl -w net.ipv4.conf.eth0.route_localnet=1
ip rule add fwmark 0x1 lookup 100
ip route add default dev wg0 table 100
iptables -t mangle -I PREROUTING 1 -i eth0 -p tcp --dport 51412 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING 2 -i eth0 -p udp --dport 51412 -j MARK --set-mark 1
tcpdump -ni eth0 'tcp port 51412'
reboot
mkfs.ext4 "/dev/disk/by-id/scsi-0Linode_Volume_box"
mkdir /mnt/box
mount "/dev/disk/by-id/scsi-0Linode_Volume_box" "/mnt/box"
nvim /etc/fstab
cd /mnt/box/
ls -lag
sudo dnf install -y qbittorrent-nox
exit
cd /srv/torrents/downloads/
ls
cd The.Sims.4.Jenny/
ls
du -sh
rm rune
rm rune.nfo
exit
cd /srv/torrents/downloads/
ls
ls ../incomplete/
ls
ls in
ls ../incomplete/
ls
ls -lag
cd ..
su -sh
dh -sh
du -sh
df -h
ls
rm -rf incomplete/The.Sims.4.Jenny/
exit
cd
cd /srv/torrents/
ls -lag
du -sh
ls
mv tits/The.Sims.4.Jenny/ incomplete/
rmdir tits/
chown -R qbittorrent:qbittorrent incomplete/
cd /etc/sysconfig/
ls
cp iptables iptables_working
nvim iptables
systemctl restart iptables.service
journal -xeu iptables
journalctl -xeu iptables
nvim iptables
systemctl restart iptables.service
journalctl -xeu iptables
exit
nvim iptables
cd /etc/sysconfig/
nvim iptables
cd /etc/wireguard/
ls
nvim wg0.conf
nvim /etc/sysconfig/iptables
cd /etc/wireguard/
ls
wg genkey | tee privatekey | wg pubkey > publickey
ls
rm privatekey publickey
ls
mkdir friend
cd friend/
wg genkey | tee privatekey | wg pubkey > publickey
ls
cat privatekey
cat publickey
nvim ../wg0.conf
cat privatekey
nvim ../wg0.conf
systemctl restart wireguard
systemctl restart wg-quick@wg0.service
nvim /etc/sysconfig/iptables
nvim ../wg0.conf
systemctl restart wg-quick@wg0.service
nvim ../wg0.conf
wg show
nvim ../wg0.conf
nvim /etc/sysconfig/iptables
sudo systemctl restart iptables.service
nvim ../wg0.conf
cd /etc/wireguard/
ls
cd friend/
ls
rm *
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
nvim ../wg0.conf
cat privatekey
nvim ../wg0.conf
rm *
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
nvim ../wg0.conf
cat privatekey
rm *
wg genkey | tee privatekey | wg pubkey > publickey
cat publickey
nvim ../wg0.conf
cat privatekey
nvim /etc/sysconfig/iptables
sudo reboot
cd /etc/caddy/Caddyfile.d/
ls
rg xxx
nvim 15-private.caddyfile
sudo systemctl restart caddy
nvim 15-private.caddyfile
nvim 15-private.caddyfile__
exit
cd /etc/wireguard/
ls
cat wg0.conf
ls
ls friend/
rm friend/ -rf
ls
cd /var/www/html/
ls -lag blog/ lidarr-mb-gap/ portfolio/
ls -lag
ls -la
ls
cd
su deploy
su lidarr-reports
exit