# System

How to administer core system services such as networking, storage, monitoring, etc.

# audit

Kernel Parameters:

```ini
audit=1 audit_backlog_limit=8192
```

Setting these at boot prevents the kernel from logging the following message when auditd cannot drain the queue fast enough:

```shell
kauditd: hold queue overflow
```
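The following is an added example, not part of the original page: a small checker that confirms both parameters are on the kernel command line and that the running audit subsystem reflects them, and that reports a non-zero `lost` counter, which is the sign the hold queue has already overflowed. The `auditctl -s` output embedded below is a constructed sample; on a real host the script reads `/proc/cmdline` and runs `auditctl -s` itself.

```python
import re

# Constructed sample of `auditctl -s` output (not captured from a real host)
SAMPLE_AUDIT_STATUS = """\
enabled 1
failure 1
pid 412
rate_limit 0
backlog_limit 8192
lost 0
backlog 3
backlog_wait_time 60000
backlog_wait_time_actual 0
"""


def parse_auditctl_status(text):
    """Turn the `key value` lines of `auditctl -s` into a dict (ints where possible)."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0], parts[1]
        status[key] = int(value) if value.isdigit() else value
    return status


def cmdline_audit_params(cmdline):
    """Extract audit=N and audit_backlog_limit=N from a kernel command line."""
    pairs = re.findall(r"\b(audit|audit_backlog_limit)=(\d+)", cmdline)
    return {key: int(value) for key, value in pairs}


def audit_findings(cmdline, status_text, minimum_backlog=8192):
    """Compare boot parameters and live auditd state with the values above.

    Returns a list of problems; an empty list means the host matches.
    """
    findings = []
    params = cmdline_audit_params(cmdline)
    if params.get("audit") != 1:
        findings.append("audit=1 is not on the kernel command line")
    if params.get("audit_backlog_limit", 0) < minimum_backlog:
        findings.append(f"audit_backlog_limit below {minimum_backlog} on the kernel command line")

    status = parse_auditctl_status(status_text)
    if status.get("backlog_limit", 0) < minimum_backlog:
        findings.append(f"running backlog_limit {status.get('backlog_limit')} is below {minimum_backlog}")
    if status.get("lost", 0) > 0:
        # A non-zero 'lost' counter means the hold queue already overflowed at least once
        findings.append(f"{status['lost']} audit records already lost")
    return findings


if __name__ == "__main__":
    import subprocess

    # On a real Linux host use the live values; fall back to the constructed sample elsewhere
    try:
        with open("/proc/cmdline", encoding="utf-8") as fh:
            cmdline = fh.read()
        live = subprocess.run(["auditctl", "-s"], capture_output=True, text=True, check=False).stdout
    except (FileNotFoundError, PermissionError):
        cmdline, live = "audit=1 audit_backlog_limit=8192", SAMPLE_AUDIT_STATUS
    print(audit_findings(cmdline, live) or "audit configuration OK")
```

Run it after rebooting with the new parameters; if `lost` keeps climbing even with the larger backlog, the bottleneck is auditd itself (rules or disk), not the queue size.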

# crypttab

This configuration allows us to automatically unlock but not mount external drives. For example:

```
/etc/crypttab
diskn          UUID=<path to disk by /dev/disk/by-uuid>    /etc/keyfiles/<keyfile name>  luks,nofail
```

This configuration uses the keyfile `/etc/keyfiles/<keyfile name>` to unlock `/dev/disk/by-uuid/<uuid>` and creates a device node for the unlocked disk at `/dev/mapper/diskn`, which is what you mount in fstab.

<p class="callout warning">Do not mount the raw disk directly; mount the <code>/dev/mapper/diskn</code> device instead.</p>
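As an added example (not from the original page), the script below parses a crypttab in the format shown above and checks each entry for the properties the recipe relies on: a `UUID=` source, the `luks` and `nofail` options, a keyfile that exists and is not readable by group or others, and an fstab line that points at the mapper device rather than the raw disk. The crypttab content and the UUID are constructed sample values; `make_sample_keyfile` only exists so the permission check can be demonstrated without touching `/etc/keyfiles`.

```python
import os
import stat
import tempfile

# Constructed /etc/crypttab content matching the entry above, with sample values in the placeholders
SAMPLE_CRYPTTAB = """\
# <target>  <source>                                   <keyfile>                <options>
diskn       UUID=2c0f7a1e-0000-4000-8000-000000000001  /etc/keyfiles/diskn.key  luks,nofail
"""


def parse_crypttab(text):
    """Parse crypttab lines into dicts; the mapper path is where fstab should point."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"crypttab line {lineno}: expected at least <target> <source>")
        target, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append({
            "target": target,
            "source": source,
            "keyfile": keyfile,
            "options": options,
            "mapper": f"/dev/mapper/{target}",
        })
    return entries


def check_entry(entry, keyfile_path=None):
    """Return a list of problems with one entry (empty list = matches the recipe above).

    keyfile_path overrides the keyfile location so the check can run against a test file.
    """
    problems = []
    if not entry["source"].startswith("UUID="):
        problems.append("source should be UUID=... so it survives /dev renumbering")
    if "luks" not in entry["options"]:
        problems.append("missing 'luks' option")
    if "nofail" not in entry["options"]:
        problems.append("missing 'nofail' option: an absent external drive would block boot")
    path = keyfile_path or entry["keyfile"]
    if path in ("none", "-"):
        problems.append("no keyfile: unlocking will prompt for a passphrase instead of being automatic")
    else:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"keyfile {path} does not exist")
        else:
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"keyfile {path} is accessible to group/others; use mode 0400")
    return problems


def fstab_line(entry, mountpoint, fstype="ext4"):
    """fstab entry that mounts the unlocked mapper device, never the raw disk.

    nofail is repeated here (assumption: same intent as in crypttab) so boot does not hang
    when the external drive is unplugged.
    """
    return f"{entry['mapper']}  {mountpoint}  {fstype}  defaults,nofail  0  2"


def make_sample_keyfile(mode):
    """Create a throwaway keyfile with the given permission bits (demonstration only)."""
    fd, path = tempfile.mkstemp(suffix=".key")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(64))
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for entry in parse_crypttab(SAMPLE_CRYPTTAB):
        print(entry["mapper"], check_entry(entry, keyfile_path=make_sample_keyfile(0o400)))
        print(fstab_line(entry, "/mnt/diskn"))
```

To check a real host, pass the contents of `/etc/crypttab` to `parse_crypttab` and call `check_entry` without `keyfile_path`, so the permission check runs against the actual keyfile.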

# Docker Firewall Configuration

**Source:** [Firewalld Strict Docker Filtering](https://firewalld.org/2024/04/strictly-filtering-docker-containers "Firewalld Project Blog")

## Preparation

Required parts:

Install firewalld and activate service:

```bash
pacman -Syu firewalld
systemctl enable --now firewalld.service
```

Disable any other firewall services.

Disable Docker's own iptables management by adding the following option to `/etc/docker/daemon.json` (create the file if it does not exist, otherwise merge the key into the existing object):

```json
{
  "iptables": false
}
```

After changing this config file, restart the Docker daemon to apply the previous change:

```bash
systemctl restart docker.service
```

<p class="callout info">As a result of the previous steps, only the ports allowed in firewalld are reachable from the outside. However, containers are now unable to make outbound connections to the internet.</p>

## firewalld Configuration

### Allow internet access for Docker containers

We need to allow masquerading to allow traffic from the Docker zone to the internet:

```bash
# Running this command allows your containers to reach out to the internet
firewall-cmd --permanent --zone=home --add-masquerade
# Since we used the --permanent flag, we need to reload the firewall for the changes to take effect
firewall-cmd --reload
```

<p class="callout info">Docker creates a zone in firewalld specifically for its bridge network interfaces for each container network along with the docker0 interface.</p>

To fix networking for containers that are not connected to a Docker network, add the host's network interface (the one connected to your LAN/uplink) to the masqueraded zone.
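As an added example covering both the preparation step (`"iptables": false` in `daemon.json`) and the masquerade step above (not code from the page or from the firewalld project): the first function merges the option into an existing `daemon.json` without clobbering other keys and writes it atomically; the rest parse `firewall-cmd --zone=<zone> --list-all` output so a script can verify that masquerading is on and that the uplink interface is in the zone. The `--list-all` output shown is a constructed sample, and `sample_daemon_json` writes to a temporary directory so the demonstration never touches `/etc/docker`.

```python
import json
import os
import tempfile

# Constructed sample of `firewall-cmd --zone=home --list-all` output (not captured from a real host)
SAMPLE_ZONE_LIST_ALL = """\
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def disable_docker_iptables(path):
    """Set "iptables": false in the daemon config at `path`, keeping any other keys.

    Creates the file if it is missing and writes atomically (tmp file + rename).
    Returns the resulting configuration.
    """
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            raw = fh.read().strip()
        if raw:
            config = json.loads(raw)
            if not isinstance(config, dict):
                raise ValueError(f"{path} must contain a JSON object")
    config["iptables"] = False
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)
    return config


def docker_iptables_disabled(path):
    """True only when the file exists and explicitly sets "iptables": false (Docker defaults to true)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh).get("iptables") is False
    except (FileNotFoundError, json.JSONDecodeError, AttributeError):
        return False


def parse_zone(list_all_output):
    """Parse `firewall-cmd --zone=<zone> --list-all` output into a dict of setting -> value."""
    settings = {}
    for line in list_all_output.splitlines()[1:]:  # first line is the zone name
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        settings[key] = value.strip()
    return settings


def zone_masquerade_enabled(list_all_output):
    return parse_zone(list_all_output).get("masquerade") == "yes"


def zone_interfaces(list_all_output):
    return parse_zone(list_all_output).get("interfaces", "").split()


def sample_daemon_json():
    """Write a daemon.json with an unrelated existing key into a temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "daemon.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"log-driver": "json-file"}, fh)
    return path


if __name__ == "__main__":
    path = sample_daemon_json()  # on a real host: /etc/docker/daemon.json, then restart docker.service
    print(disable_docker_iptables(path))
    print("masquerade:", zone_masquerade_enabled(SAMPLE_ZONE_LIST_ALL),
          "interfaces:", zone_interfaces(SAMPLE_ZONE_LIST_ALL))
```

On a live host, feed the real output of `firewall-cmd --zone=home --list-all` to `zone_masquerade_enabled` and `zone_interfaces`; a zone with `masquerade: yes` but no uplink interface listed explains containers that still cannot reach the internet.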

# FiOS Router

## Set Router to Bridge Mode

Log in to the router administration interface

Select "My Network" on the top bar

[![image.png](https://kb.its-et.me/uploads/images/gallery/2024-07/scaled-1680-/eB1p4QLOZ73NhWAe-image.png)](https://wiki.its-et.me/uploads/images/gallery/2024-07/eB1p4QLOZ73NhWAe-image.png)

Select "Network Connections" > "Advanced"

[![image.png](https://kb.its-et.me/uploads/images/gallery/2024-07/scaled-1680-/qwfdCts3E1doZEQv-image.png)](https://wiki.its-et.me/uploads/images/gallery/2024-07/qwfdCts3E1doZEQv-image.png)

Select edit icon for "Network (Home/Office)", then click "Settings" on the bottom right

[![image.png](https://kb.its-et.me/uploads/images/gallery/2024-07/scaled-1680-/dyp39tKQkKqvVMt7-image.png)](https://wiki.its-et.me/uploads/images/gallery/2024-07/dyp39tKQkKqvVMt7-image.png)

Check the box for bridge mode under the "Bridge" section

<p class="callout info">If you set up another router and it detects that the ISP modem/router is still active, it will use the 10.0.0.0/16 network rather than the 192.168.0.0/24 network</p>

---

## Configure IP Allocation

Log in to the router administration interface

Select "Advanced" on the top bar, then select "Yes"

[![image.png](https://kb.its-et.me/uploads/images/gallery/2024-07/scaled-1680-/eB1p4QLOZ73NhWAe-image.png)](https://wiki.its-et.me/uploads/images/gallery/2024-07/eB1p4QLOZ73NhWAe-image.png)

Under "Routing", select "IP Address Distribution"

[![image.png](https://kb.its-et.me/uploads/images/gallery/2024-07/scaled-1680-/iif79S8yrhl5F873-image.png)](https://wiki.its-et.me/uploads/images/gallery/2024-07/iif79S8yrhl5F873-image.png)

Select "Connection List" on the bottom

[![image.png](https://kb.its-et.me/uploads/images/gallery/2024-07/scaled-1680-/ki8zC9l5cMLLNx6a-image.png)](https://wiki.its-et.me/uploads/images/gallery/2024-07/ki8zC9l5cMLLNx6a-image.png)

Edit a specific host's IP allocation

# Grafana Alloy

How to get WAL stats for alloy:

```bash
alloy tools prometheus.remote_write wal-stats /var/lib/private/alloy/data-alloy/prometheus.remote_write.default/wal
```

# Intel NIC Configuration

## Wireless Configuration

```ini
# /etc/modprobe.d/iwlwifi.conf
# 11n_disable=8 sets the bit that enables 802.11n TX frame aggregation (A-MPDU)
options iwlwifi 11n_disable=8
```

# lm-sensors

| Label  | Value                             |
|--------|-----------------------------------|
| CPUTIN | Motherboard's CPU temp sensor     |
| SYSTIN | Motherboard temp sensor           |
| AUXTIN | Aux temp sensors, usually for PSU |

# LUKS

See the Arch Wiki: [Disable workqueue for increased solid state drive (SSD) performance](<https://wiki.archlinux.org/title/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance>)

# traefik

## Docker Label Configuration

### Base Labels

This is the minimum set of labels you need to expose a container to traefik:

```yaml
# Indent with spaces (YAML does not allow tabs) and quote the values: Docker label values must be strings
labels:
  traefik.enable: "true"
  traefik.http.routers.<service_name>.entrypoints: "<ep1>, <ep2>"
  traefik.http.routers.<service_name>.rule: "Host(`host1`, `host2`)"
  traefik.http.routers.<service_name>.tls: "true"
  traefik.http.routers.<service_name>.tls.certresolver: "<cert_resolver>"
```

### Middleware configuration

To configure a middleware for a particular service, add the following label:

```yaml
traefik.http.routers.<service_name>.middlewares: "<middleware_name>@<provider>"
```

### Accessing on a non-default port

If a container exposes multiple ports or a non-default port:

```yaml
traefik.http.services.<service_name>.loadbalancer.server.port: "<port_num>"
```
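The three label groups above (base labels, middleware, non-default port) as one added example, not code from the page or from the traefik project: `traefik_labels` builds the full label set for a service with string values and validates the names that get embedded in the `Host()` rule, `missing_base_labels` reports which of the required labels a container's label dictionary lacks, and `compose_labels_yaml` renders the result in the `labels:` form used above. The service name, hosts and entrypoint used in the usage block are constructed sample values.

```python
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
REQUIRED_ROUTER_SUFFIXES = ("entrypoints", "rule", "tls", "tls.certresolver")


def traefik_labels(service, hosts, entrypoints, cert_resolver, port=None, middlewares=()):
    """Build the label set described above. All values are strings, as Docker labels must be."""
    if not NAME_RE.match(service):
        raise ValueError(f"invalid router/service name: {service!r}")
    if not hosts or not all(HOST_RE.match(h) for h in hosts):
        raise ValueError("hosts must be non-empty DNS names (they are embedded in the rule)")
    router = f"traefik.http.routers.{service}"
    labels = {
        "traefik.enable": "true",
        f"{router}.entrypoints": ",".join(entrypoints),
        f"{router}.rule": "Host(" + ", ".join(f"`{h}`" for h in hosts) + ")",
        f"{router}.tls": "true",
        f"{router}.tls.certresolver": cert_resolver,
    }
    if middlewares:
        labels[f"{router}.middlewares"] = ",".join(middlewares)
    if port is not None:
        labels[f"traefik.http.services.{service}.loadbalancer.server.port"] = str(port)
    return labels


def missing_base_labels(labels):
    """Return the required labels (per the list above) that a container's label dict lacks."""
    if labels.get("traefik.enable") != "true":
        return ["traefik.enable"]
    routers = set()
    for key in labels:
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.", key)
        if m:
            routers.add(m.group(1))
    if not routers:
        return ["traefik.http.routers.<service_name>.*"]
    missing = []
    for router in sorted(routers):
        for suffix in REQUIRED_ROUTER_SUFFIXES:
            key = f"traefik.http.routers.{router}.{suffix}"
            if key not in labels:
                missing.append(key)
    return missing


def compose_labels_yaml(labels):
    """Render as the `labels:` mapping used in the docker-compose snippets above (values quoted)."""
    lines = ["labels:"]
    for key, value in labels.items():
        lines.append(f'  {key}: "{value}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one service on the websecure entrypoint behind an auth middleware
    sample = traefik_labels("app", ["app.example.com"], ["websecure"], "production",
                            port=8080, middlewares=["auth@file"])
    print(compose_labels_yaml(sample))
    print("missing:", missing_base_labels(sample))
```

`missing_base_labels` is also handy against the output of `docker inspect`, whose `Config.Labels` object is exactly the dictionary shape it expects.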

## Networking

To expose only containers on a certain network to traefik, set the `providers.docker.network` option as follows:

```yaml
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"  # default socket, shown explicitly
    exposedByDefault: false # Require label in docker-compose file for each container
    network: <net_name>
    watch: true
```

<p class="callout info">If traefik itself is running in a docker container, you must place it on the same network as the containers you want to expose.</p>

## TLS

Basic TLS configuration that disables TLS 1.0/1.1 and defines Let's Encrypt staging and production resolvers for single-domain certificates via the TLS challenge (see the note below for wildcard certificates):

```yaml
# ========== TLS Configuration ==========
# tls.options is dynamic configuration (loaded via the file provider);
# certificatesResolvers is a top-level key of the static configuration, not nested under tls.
tls:
  options:
    default:
      # Disable TLS version 1.0 and 1.1
      minVersion: VersionTLS12
      sniStrict: true

certificatesResolvers:
  staging:
    acme:
      email: "email@email.com"
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}

  production:
    acme:
      email: "email@email.com"
      storage: /etc/traefik/certs/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlsChallenge: {}
```

<p class="callout info">Wildcard certificates can only be obtained with the DNS-01 challenge. Therefore a resolver that uses these must have dnsChallenge configured accordingly.</p>

## Tailscale

When running traefik in a Docker container, ensure that it has access to the Tailscale socket so it can issue TLS certificates through Tailscale.

# Users/Groups

## krypton

| User    | Group       | Type (login/system) | Purpose                     |
|---------|-------------|---------------------|-----------------------------|
| restic  | backup      | system              | Run the restic-rest-server  |
| www-srv | www         | system              | Run web-accessible services |
| -       | timemachine |                     |                             |
| traefik | traefik     | system              | Run the t                   |
|         | syncthing   |                     |                             |
|         | paperless   |                     |                             |
|         | docker      |                     |                             |
|         | users       |                     |                             |
|         | wheel       |                     |                             |

## oxygen
