secret wiki

Francesco Mecca 2023-05-25 18:39:20 +02:00
parent 21c5a0a1a5
commit 52639410e5
10 changed files with 687 additions and 78 deletions


@ -3,24 +3,24 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head> <head>
<!-- 2022-06-09 Thu 13:49 --> <!-- 2023-05-25 Thu 18:38 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Lezzo secret wiki</title> <title>Lezzo secret wiki</title>
<meta name="generator" content="Org mode" />
<meta name="author" content="bparodi" /> <meta name="author" content="bparodi" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="./stylesheet.css"/> <link rel="stylesheet" type="text/css" href="./stylesheet.css"/>
</head> </head>
<body> <body>
<div id="content"> <div id="content" class="content">
<h2>[ Lezzo secret wiki ]</a></h2> <h2>[ Lezzo secret wiki ]</a></h2>
<div id="outline-container-org97a447f" class="outline-2"> <div id="outline-container-org25dca38" class="outline-2">
<h2 id="org97a447f"><b>~</b> Frequently used commands and configuration snippets</h2> <h2 id="org25dca38"><b>~</b> Frequently used commands and configuration snippets</h2>
<div class="outline-text-2" id="text-org97a447f"> <div class="outline-text-2" id="text-org25dca38">
</div> </div>
<div id="outline-container-org27f15e0" class="outline-3"> <div id="outline-container-orgee7bf2c" class="outline-3">
<h3 id="org27f15e0">Reduce packages disk usage on gentoo</h3> <h3 id="orgee7bf2c">Reduce packages disk usage on gentoo</h3>
<div class="outline-text-3" id="text-org27f15e0"> <div class="outline-text-3" id="text-orgee7bf2c">
<pre class="example"> <pre class="example">
eclean packages eclean packages
eclean distfiles eclean distfiles
@ -28,9 +28,9 @@ eclean-kernel -A -a
</pre> </pre>
</div> </div>
</div> </div>
<div id="outline-container-org79cb598" class="outline-3"> <div id="outline-container-orgfc2f077" class="outline-3">
<h3 id="org79cb598">Update pi-hole devuan host</h3> <h3 id="orgfc2f077">Update pi-hole devuan host</h3>
<div class="outline-text-3" id="text-org79cb598"> <div class="outline-text-3" id="text-orgfc2f077">
<pre class="example"> <pre class="example">
apt update apt update
apt upgrade apt upgrade
@ -38,9 +38,9 @@ PIHOLE_SKIP_OS_CHECK=true pihole -up
</pre> </pre>
</div> </div>
</div> </div>
<div id="outline-container-org6d26529" class="outline-3"> <div id="outline-container-org87f6887" class="outline-3">
<h3 id="org6d26529">Wireguard configuration</h3> <h3 id="org87f6887">Wireguard configuration</h3>
<div class="outline-text-3" id="text-org6d26529"> <div class="outline-text-3" id="text-org87f6887">
<pre class="example"> <pre class="example">
cd /etc/wireguard.conf cd /etc/wireguard.conf
wg genkey &gt; privatekey wg genkey &gt; privatekey
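Review bot: `cd /etc/wireguard.conf` in the unchanged context above reads like a path mistake; the next line writes `privatekey` into the current directory, so the `/etc/wireguard` directory is presumably meant. Worth fixing while this file is being touched, since the snippet is the one people copy.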
@ -54,24 +54,24 @@ DNS = 10.0.1.8
# lezzo # lezzo
[Peer] [Peer]
PublicKey = PublicKey = sU1Cya3Ej6kQMidcwk3PMxzqNY12JfDAROeayPG5PXM= # server pubkey
Endpoint = tubo.lezzo.org:51888 Endpoint = tubo.lezzo.org:51888
PersistentKeepalive = 25 PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0 AllowedIPs = 0.0.0.0/0
</pre> </pre>
</div> </div>
</div> </div>
<div id="outline-container-org7b058c3" class="outline-3"> <div id="outline-container-org6eb5aa2" class="outline-3">
<h3 id="org7b058c3">Add static route for wireguard</h3> <h3 id="org6eb5aa2">Add static route for wireguard</h3>
<div class="outline-text-3" id="text-org7b058c3"> <div class="outline-text-3" id="text-org6eb5aa2">
<p> <p>
Useful when subnet clash, example: Useful when subnet clash, example:
</p> </p>
<pre class="example"> <pre class="example">
lezzo: flags=209&lt;UP,POINTOPOINT,RUNNING,NOARP&gt; mtu 1420 lezzo: flags=209&lt;UP,POINTOPOINT,RUNNING,NOARP&gt; mtu 1420
inet 10.0.13.2 netmask 255.255.255.255 destination 10.0.13.2 inet 10.0.13.2 netmask 255.255.255.255 destination 10.0.13.2
wlp1s0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt; mtu 1500 wlp1s0: flags=4163&lt;UP,BROADCAST,RUNNING,MULTICAST&gt; mtu 1500
inet 10.0.11.148 netmask 255.255.0.0 broadcast 10.0.255.255 inet 10.0.11.148 netmask 255.255.0.0 broadcast 10.0.255.255
</pre> </pre>
<pre class="example"> <pre class="example">
route add -net 10.0.13.0 netmask 255.255.255.0 gw 10.0.13.1 lezzo route add -net 10.0.13.0 netmask 255.255.255.0 gw 10.0.13.1 lezzo
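Review bot: the trailing `# server pubkey` on the new `PublicKey =` line is accepted by both wg and wg-quick, which cut each line at the first `#` before parsing, so the key still loads; moving the comment to its own line above the key would still be kinder to anyone who copies the value into tooling that does not strip comments. Publishing the server's public key on the page is harmless; the private key generated in the previous hunk (`wg genkey > privatekey`) is the value that must never be pasted here.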
@ -80,9 +80,9 @@ route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.0.13.1 lezzo # dns resolutio
</pre> </pre>
</div> </div>
</div> </div>
<div id="outline-container-org55ef39e" class="outline-3"> <div id="outline-container-org8c2113b" class="outline-3">
<h3 id="org55ef39e">Remove gentoo strong password requirement</h3> <h3 id="org8c2113b">Remove gentoo strong password requirement</h3>
<div class="outline-text-3" id="text-org55ef39e"> <div class="outline-text-3" id="text-org8c2113b">
<p> <p>
From <a href="https://forums.gentoo.org/viewtopic-t-1117656-start-0.html">https://forums.gentoo.org/viewtopic-t-1117656-start-0.html</a>: From <a href="https://forums.gentoo.org/viewtopic-t-1117656-start-0.html">https://forums.gentoo.org/viewtopic-t-1117656-start-0.html</a>:
in /etc/pam.d/system-auth in /etc/pam.d/system-auth
@ -99,6 +99,8 @@ password required pam_unix.so try_first_pass nullok sha512 shadow
</div> </div>
<div id="postamble" class="status"> <div id="postamble" class="status">
<p class="author">Author: bparodi</p> <p class="author">Author: bparodi</p>
<p class="date">Created: 2023-05-25 Thu 18:38</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div> </div>
</body> </body>
</html> </html>
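Review bot: the new `<p class="validation">` link asks validator.w3.org to fetch the page named in the Referer header; on a private wiki the validator cannot reach the host, so the link does nothing useful and, subject to the browser's referrer policy, only discloses the internal page URL to a third party when clicked. Set `org-html-validation-link` to nil (or `#+OPTIONS: html-postamble:nil` in header.org) so the export drops it; the same postamble is emitted in index.html, rete.html and wannabe.html in this commit.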

Binary file not shown (image, 189 KiB).


@ -3,25 +3,26 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head> <head>
<!-- 2022-06-09 Thu 13:41 --> <!-- 2023-05-25 Thu 18:38 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Lezzo secret wiki</title> <title>Lezzo secret wiki</title>
<meta name="generator" content="Org mode" />
<meta name="author" content="bparodi" /> <meta name="author" content="bparodi" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="./stylesheet.css"/> <link rel="stylesheet" type="text/css" href="./stylesheet.css"/>
</head> </head>
<body> <body>
<div id="content"> <div id="content" class="content">
<h2>[ Lezzo secret wiki ]</a></h2> <h2>[ Lezzo secret wiki ]</a></h2>
<p> <p>
Ogni pagina è disponibile anche in org-mode sostituendo .org a.html. Ogni pagina è disponibile anche in org-mode sostituendo .org a.html.
</p> </p>
<div id="outline-container-org14d1a9e" class="outline-2"> <div id="outline-container-org237bb47" class="outline-2">
<h2 id="org14d1a9e">Pagine</h2> <h2 id="org237bb47">Pagine</h2>
<div class="outline-text-2" id="text-org14d1a9e"> <div class="outline-text-2" id="text-org237bb47">
<ul class="org-ul"> <ul class="org-ul">
<li><a href="./hosts.html">Hosts</a></li> <li><a href="./hosts.html">Lezzonet: gli host</a></li>
<li><a href="./rete.html">Lezzonet: la configurazione di rete</a></li>
<li><a href="./bots.html">Bots</a></li> <li><a href="./bots.html">Bots</a></li>
<li><a href="./commands.html">Frequently used commands and configuration snippets</a></li> <li><a href="./commands.html">Frequently used commands and configuration snippets</a></li>
<li><a href="./sonarr.html">Sonarr</a></li> <li><a href="./sonarr.html">Sonarr</a></li>
@ -33,6 +34,8 @@ Ogni pagina è disponibile anche in org-mode sostituendo .org a.html.
</div> </div>
<div id="postamble" class="status"> <div id="postamble" class="status">
<p class="author">Author: bparodi</p> <p class="author">Author: bparodi</p>
<p class="date">Created: 2023-05-25 Thu 18:38</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div> </div>
</body> </body>
</html> </html>


@ -1,7 +1,8 @@
#+INCLUDE: header.org #+INCLUDE: header.org
Ogni pagina è disponibile anche in org-mode sostituendo .org a.html. Ogni pagina è disponibile anche in org-mode sostituendo .org a.html.
* Pagine * Pagine
- [[./hosts.html][Hosts]] - [[./hosts.html][Lezzonet: gli host]]
- [[./rete.html][Lezzonet: la configurazione di rete]]
- [[./bots.html][Bots]] - [[./bots.html][Bots]]
- [[./commands.html][Frequently used commands and configuration snippets]] - [[./commands.html][Frequently used commands and configuration snippets]]
- [[./sonarr.html][Sonarr]] - [[./sonarr.html][Sonarr]]

secretwiki/makefile Normal file

@ -0,0 +1,12 @@
ORG_FILES := $(filter-out header.org,$(wildcard *.org))
HTML_FILES := $(patsubst %.org,%.html,$(ORG_FILES))
.PHONY: all clean
all: $(HTML_FILES)
%.html: %.org
emacs --batch $< --eval "(org-html-export-to-html)"
clean:
rm -f $(HTML_FILES)
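Review bot: `%.html: %.org` lists only the page's own .org file as a prerequisite, but every page pulls in `header.org` through `#+INCLUDE: header.org` (see the index.org hunk above), so a change to the header never triggers a rebuild; make the rule `%.html: %.org header.org`. Separately, committing the generated .html next to the .org sources means the two can drift; either document that `make` must run before every commit or stop tracking the output.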

secretwiki/rete.html Normal file

@ -0,0 +1,188 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2023-05-25 Thu 18:26 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Lezzo secret wiki</title>
<meta name="author" content="bparodi" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="./stylesheet.css"/>
</head>
<body>
<div id="content" class="content">
<h2>[ Lezzo secret wiki ]</a></h2>
<div id="outline-container-org79da81b" class="outline-2">
<h2 id="org79da81b">Lezzonet: la configurazione di rete</h2>
<div class="outline-text-2" id="text-org79da81b">
</div>
<div id="outline-container-orgdbe5702" class="outline-3">
<h3 id="orgdbe5702">QoS</h3>
<div class="outline-text-3" id="text-orgdbe5702">
<p>
There is already a qos script in the forge. It should be self documenting so
check that.
</p>
</div>
</div>
<div id="outline-container-orgbdf54a6" class="outline-3">
<h3 id="orgbdf54a6">Firewall</h3>
<div class="outline-text-3" id="text-orgbdf54a6">
</div>
<div id="outline-container-orge957e5f" class="outline-4">
<h4 id="orge957e5f">Router</h4>
<div class="outline-text-4" id="text-orge957e5f">
<p>
Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.
</p>
<p>
Port forwarding allows incoming connections from the internet to be redirected
to specific devices or services on your local network. This is typically done
using Network Address Translation (NAT) in the router configuration. NAT is
responsible for translating the IP addresses and ports of incoming packets to
the appropriate internal IP addresses and ports.
</p>
<p>
We use iptables is used to configure the port forwarding rules. The iptables
command, specifically in the nat table (-t nat), is used to set up the rules
that define which incoming ports should be forwarded to which internal IP
addresses and ports.
</p>
<pre class="example">
# iptables -t nat -L -n
# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.1.3:80
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.1.3:443
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0
</pre>
<p>
Using iptables commands:
</p>
<pre class="example">
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
</pre>
<p>
Let's explain this as a list:
</p>
<ol class="org-ol">
<li>add a rule to the NAT table (-t nat). It specifies that
outgoing TCP traffic (-p tcp) with a destination port of 80 (&#x2013;dport 80) and
a destination IP address of 10.0.1.3 (-d 10.0.1.3) should be SNAT (Source
Network Address Translation) translated. The source IP address is changed to
10.0.1.1 (&#x2013;to-source 10.0.1.1). This rule is typically used to rewrite the
source IP address of outgoing traffic to appear as if it's coming from the
router itself</li>
<li>add a rule to the PREROUTING chain of the NAT table. It
specifies that incoming TCP traffic (-p tcp) with a destination port of 80
(&#x2013;dport 80) coming from the eth0 interface (-i eth0) should be DNAT
(Destination Network Address Translation) translated. The destination IP
address is changed to 10.0.1.3 (&#x2013;to-destination 10.0.1.3). This rule is used
to forward incoming traffic from port 80 to the specified internal IP
address</li>
<li>add a rule to the FORWARD chain. It allows traffic from
eth1 interface (-i eth1) to eth0 interface (-o eth0) that is already
established or related (-m conntrack &#x2013;ctstate ESTABLISHED,RELATED). This
rule is used to permit incoming responses or related traffic for connections
initiated from the internal network</li>
<li>add a rule to the FORWARD chain. It allows traffic from eth0 interface (-i
eth0) to eth1 interface (-o eth1) that is already established or related (-m
conntrack &#x2013;ctstate ESTABLISHED,RELATED). This rule is used to permit
incoming responses or related traffic for connections initiated from the
external network.</li>
<li>add a rule to the FORWARD chain. It allows incoming TCP traffic (-p tcp &#x2013;syn
&#x2013;dport 80) from eth0 interface to eth1 interface that is in a NEW state (-m
conntrack &#x2013;ctstate NEW). This rule is used to permit incoming new TCP
connections to port 80 on the internal network.</li>
</ol>
<p>
Alongside port forwarding, we need to block certain ports, protocols, or routes
to enhance security or control network traffic. This is where ufw (Uncomplicated
Firewall) comes into play.
</p>
<pre class="example">
To Action From
-- ------ ----
23185 ALLOW IN Anywhere
22 ALLOW IN Anywhere
1:65535/tcp on eth1 ALLOW IN Anywhere
1:65535/udp on eth1 ALLOW IN Anywhere
1:65535/tcp on eth2 ALLOW IN Anywhere
1:65535/udp on eth2 ALLOW IN Anywhere
1:65535/tcp on lezzonet ALLOW IN Anywhere
1:65535/udp on lezzonet ALLOW IN Anywhere
</pre>
<p>
We use the default rules of ufw for the firewall and in addition we allow all
traffic on the two lan interfaces eth1 and eth2 and the wireguard interface
lezzonet. We also allow the ssh protocol and traffic into the wireguard port 23185.
</p>
</div>
</div>
<div id="outline-container-orgdf614ed" class="outline-4">
<h4 id="orgdf614ed">Clients</h4>
<div class="outline-text-4" id="text-orgdf614ed">
<p>
The piracy machine is the only one directly exposed to the network because of
the vpn. This is the ufw configuration:
</p>
<pre class="example">
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere on eth0 ALLOW IN Anywhere
[ 2] Anywhere ALLOW OUT Anywhere on eth0 (out)
[ 3] 11000:12000/tcp ALLOW IN Anywhere
[ 4] 11000:12000/udp ALLOW IN Anywhere
</pre>
<p>
Basically open every port from 11000 to 12000 and have programs listen on those
ports. In addition to that, the main client that is Transmission is very hungry
so I rate limited it using its own configuration options.
</p>
<p>
Some example commands:
</p>
<pre class="example">
ufw allow from any to any port 23185
ufw allow ssh
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto udb
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto tcp
</pre>
</div>
</div>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: bparodi</p>
<p class="date">Created: 2023-05-25 Thu 18:26</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
</html>
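Review bot: the `ufw status numbered` listing for the piracy client does not match the sentence under it. Rule `[ 1] Anywhere on eth0 ALLOW IN Anywhere` admits every inbound port on eth0, so "open every port from 11000 to 12000" only describes what rules [3] and [4] add on the other interfaces; if the 11000-12000 range is the intended exposure, delete rule [1] or restrict it to the interface that genuinely needs everything. Two smaller points in the router section: the `iptables -t nat -L -n` output shows DNAT for both 80 and 443 to 10.0.1.3, while the command list only handles `--dport 80`, so the matching PREROUTING and FORWARD lines for 443 are missing from the write-up; and "We use iptables is used to configure" should read "We use iptables to configure". This file is the generated copy of rete.org, so the fixes belong in the .org source.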

secretwiki/rete.org Normal file

@ -0,0 +1,121 @@
#+INCLUDE: header.org
* Lezzonet: la configurazione di rete
** QoS
There is already a qos script in the forge. It should be self documenting so
check that.
** Firewall
*** Router
Let's break down the router configuration into two parts: port forwarding (NAT) and blocked ports, protocols, and routes.
Port forwarding allows incoming connections from the internet to be redirected
to specific devices or services on your local network. This is typically done
using Network Address Translation (NAT) in the router configuration. NAT is
responsible for translating the IP addresses and ports of incoming packets to
the appropriate internal IP addresses and ports.
We use iptables is used to configure the port forwarding rules. The iptables
command, specifically in the nat table (-t nat), is used to set up the rules
that define which incoming ports should be forwarded to which internal IP
addresses and ports.
#+begin_src
# iptables -t nat -L -n
# 10.0.1.3 is the client that hosts the main webserver with the reverse proxy
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.1.3:80
DNAT 6 -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.1.3:443
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 0.0.0.0/0 0.0.0.0/0
#+end_src
Using iptables commands:
#+begin_src
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.0.1.3 -j SNAT --to-source 10.0.1.1
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.1.3
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
#+end_src
Let's explain this as a list:
1. add a rule to the NAT table (-t nat). It specifies that
outgoing TCP traffic (-p tcp) with a destination port of 80 (--dport 80) and
a destination IP address of 10.0.1.3 (-d 10.0.1.3) should be SNAT (Source
Network Address Translation) translated. The source IP address is changed to
10.0.1.1 (--to-source 10.0.1.1). This rule is typically used to rewrite the
source IP address of outgoing traffic to appear as if it's coming from the
router itself
2. add a rule to the PREROUTING chain of the NAT table. It
specifies that incoming TCP traffic (-p tcp) with a destination port of 80
(--dport 80) coming from the eth0 interface (-i eth0) should be DNAT
(Destination Network Address Translation) translated. The destination IP
address is changed to 10.0.1.3 (--to-destination 10.0.1.3). This rule is used
to forward incoming traffic from port 80 to the specified internal IP
address
3. add a rule to the FORWARD chain. It allows traffic from
eth1 interface (-i eth1) to eth0 interface (-o eth0) that is already
established or related (-m conntrack --ctstate ESTABLISHED,RELATED). This
rule is used to permit incoming responses or related traffic for connections
initiated from the internal network
4. add a rule to the FORWARD chain. It allows traffic from eth0 interface (-i
eth0) to eth1 interface (-o eth1) that is already established or related (-m
conntrack --ctstate ESTABLISHED,RELATED). This rule is used to permit
incoming responses or related traffic for connections initiated from the
external network.
5. add a rule to the FORWARD chain. It allows incoming TCP traffic (-p tcp --syn
--dport 80) from eth0 interface to eth1 interface that is in a NEW state (-m
conntrack --ctstate NEW). This rule is used to permit incoming new TCP
connections to port 80 on the internal network.
Alongside port forwarding, we need to block certain ports, protocols, or routes
to enhance security or control network traffic. This is where ufw (Uncomplicated
Firewall) comes into play.
#+begin_src
To Action From
-- ------ ----
23185 ALLOW IN Anywhere
22 ALLOW IN Anywhere
1:65535/tcp on eth1 ALLOW IN Anywhere
1:65535/udp on eth1 ALLOW IN Anywhere
1:65535/tcp on eth2 ALLOW IN Anywhere
1:65535/udp on eth2 ALLOW IN Anywhere
1:65535/tcp on lezzonet ALLOW IN Anywhere
1:65535/udp on lezzonet ALLOW IN Anywhere
#+end_src
We use the default rules of ufw for the firewall and in addition we allow all
traffic on the two lan interfaces eth1 and eth2 and the wireguard interface
lezzonet. We also allow the ssh protocol and traffic into the wireguard port 23185.
*** Clients
The piracy machine is the only one directly exposed to the network because of
the vpn. This is the ufw configuration:
#+begin_src
# ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] Anywhere on eth0 ALLOW IN Anywhere
[ 2] Anywhere ALLOW OUT Anywhere on eth0 (out)
[ 3] 11000:12000/tcp ALLOW IN Anywhere
[ 4] 11000:12000/udp ALLOW IN Anywhere
#+end_src
Basically open every port from 11000 to 12000 and have programs listen on those
ports. In addition to that, the main client that is Transmission is very hungry
so I rate limited it using its own configuration options.
Some example commands:
#+begin_src
ufw allow from any to any port 23185
ufw allow ssh
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto udb
ufw allow in on eth1,eth2,lezzonet to any port 22,53,123,514 proto tcp
#+end_src
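Review bot: `proto udb` on the third `ufw allow in on eth1,eth2,lezzonet ...` line is a typo for `udp`; ufw refuses unknown protocol names, so that command fails as written and only the tcp rule under it gets installed. On the router listing, `22 ALLOW IN Anywhere` carries no interface qualifier, so ssh is reachable from the WAN side (eth0) as well as from the LAN and the tunnel; the example commands already show the `in on eth1,eth2,lezzonet to any port 22` form, so prefer that and drop the bare `ufw allow ssh`, or state in the prose that WAN-side ssh is intended.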


@ -35,7 +35,6 @@ h3 {
h4 { h4 {
color: #45818e; color: #45818e;
font-size: 35px;
} }
a { a {

secretwiki/wannabe.html Normal file

@ -0,0 +1,299 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2023-05-25 Thu 18:38 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Lezzo secret wiki</title>
<meta name="author" content="bparodi" />
<meta name="generator" content="Org Mode" />
<link rel="stylesheet" type="text/css" href="./stylesheet.css"/>
</head>
<body>
<div id="content" class="content">
<h2>[ Lezzo secret wiki ]</a></h2>
<div id="outline-container-orgfd35103" class="outline-2">
<h2 id="orgfd35103"><b>~</b> Hosts</h2>
<div class="outline-text-2" id="text-orgfd35103">
</div>
<div id="outline-container-org2b2b8f0" class="outline-3">
<h3 id="org2b2b8f0">I fondamentali</h3>
<div class="outline-text-3" id="text-org2b2b8f0">
<p>
Tutto ciò senza cui lezzo non funzionerebbe, insomma l'infrastruttura
di base.
</p>
</div>
<div id="outline-container-org31a6a09" class="outline-4">
<h4 id="org31a6a09">Basettoni</h4>
<div class="outline-text-4" id="text-org31a6a09">
<p>
Fa da hypervisor. Contiene il numero minimo di pacchetti per far funzionare il
filesystem e libvirt. Accede alla rete tramite una sua interfaccia di rete.
</p>
</div>
</div>
<div id="outline-container-org317ca3d" class="outline-4">
<h4 id="org317ca3d">Minni</h4>
<div class="outline-text-4" id="text-org317ca3d">
<p>
SOC di Ruspante che da accesso alla rete in caso di emergenza. Comunica con
l'hypervisor tramite la rete locale.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>wireguard</li>
<li>client ddns</li>
</ul>
</div>
</div>
<div id="outline-container-org7bfa5d4" class="outline-4">
<h4 id="org7bfa5d4">Edi</h4>
<div class="outline-text-4" id="text-org7bfa5d4">
<p>
Server che contiene i backup di lezzonet e comunica con l'hypervisor tramite Gancio.
</p>
</div>
</div>
<div id="outline-container-orge603716" class="outline-4">
<h4 id="orge603716">Gancio</h4>
<div class="outline-text-4" id="text-orge603716">
<p>
SOC ospitato a casa di Bparodi con una rete wireguard secondaria che permette la
comunicazione con l'hypervisor. È nella stessa rete del server di backup.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>client ddns</li>
<li>wireguard</li>
</ul>
</div>
</div>
<div id="outline-container-org2534672" class="outline-4">
<h4 id="org2534672">Atomino</h4>
<div class="outline-text-4" id="text-org2534672">
<p>
Fa da router per la rete. È l'unico host virtualizzato che ha accesso
all'interfaccia di rete fisica.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>wireguard</li>
<li>dns server principale per tutto lezzo.org e compari</li>
<li>firewall e qos tramite iptables e tc</li>
<li>ntpd</li>
<li>syslog-ng</li>
</ul>
</div>
</div>
<div id="outline-container-orgdd161c8" class="outline-4">
<h4 id="orgdd161c8">Pico</h4>
<div class="outline-text-4" id="text-orgdd161c8">
<ul class="org-ul">
<li>rabbitmq</li>
<li>postgres</li>
</ul>
</div>
</div>
<div id="outline-container-orgc5009da" class="outline-4">
<h4 id="orgc5009da">Orazio</h4>
<div class="outline-text-4" id="text-orgc5009da">
<p>
Buildserver. Ci si aspetta che tutte gli host riescano a
comunicare con questa vm.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>rsync</li>
<li>nginx</li>
</ul>
</div>
</div>
</div>
<div id="outline-container-org159e9b7" class="outline-3">
<h3 id="org159e9b7">7 Mari</h3>
<div class="outline-text-3" id="text-org159e9b7">
<p>
Il magico mondo della pirateria e più in generale tutto ciò che viene
hostato dietro una vpn di terze parti.
</p>
</div>
<div id="outline-container-orgea6f74e" class="outline-4">
<h4 id="orgea6f74e">Amelia</h4>
<div class="outline-text-4" id="text-orgea6f74e">
<p>
VM usata per piratare. È l'unica macchina con X11 nella rete.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>transmission</li>
<li>qbittorrent</li>
<li>fopnu</li>
<li>nicotine+: client soulseek</li>
<li>vncviewer</li>
<li>mldonkey</li>
<li>makemkv</li>
<li>nintendo nus downloader</li>
</ul>
</div>
</div>
<div id="outline-container-orgbcdde3e" class="outline-4">
<h4 id="orgbcdde3e">Toppersby</h4>
<div class="outline-text-4" id="text-orgbcdde3e">
<p>
bparodi vm personale dietro vpn.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>weechat</li>
</ul>
</div>
</div>
</div>
<div id="outline-container-org8287ed1" class="outline-3">
<h3 id="org8287ed1">Lezzo si presenta al mondo</h3>
<div class="outline-text-3" id="text-org8287ed1">
<p>
Tutti i servizi che utilizziamo sono hostati su queste macchine.
</p>
</div>
<div id="outline-container-org8778102" class="outline-4">
<h4 id="org8778102">Paperetta</h4>
<div class="outline-text-4" id="text-org8778102">
<p>
Praticamente una macchina con debian per tutto ciò che non riesco ad
hostare su gentoo. Ho dovuto sporcarla con docker.
Serve:
</p>
<ul class="org-ul">
<li>varie istanze di sonarr. Vedi la entry nella wiki.</li>
<li>archivebox</li>
<li>forkserver: script in python che permetto al bot di irc di
richiedere l'archiviazione di url ad archivebox</li>
<li>Paperless</li>
</ul>
</div>
</div>
<div id="outline-container-orgc07e166" class="outline-4">
<h4 id="orgc07e166">Paperino</h4>
<div class="outline-text-4" id="text-orgc07e166">
<p>
Punto di accesso ai vari servizi web di lezzo.org
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>nginx, sia come server per il dominio che come reverse proxy</li>
<li>jellyfin sia per la musica che per il materiale video</li>
<li>git server (bare) con relativa interfaccia web</li>
<li>happy/imageboard</li>
<li>luca/url shortener</li>
<li>goaccess: stats.html</li>
<li>cinny</li>
<li>fileserver</li>
<li>blog e altre pagine web di lezzo.org</li>
<li>radicale</li>
</ul>
</div>
</div>
<div id="outline-container-orgb095ec9" class="outline-4">
<h4 id="orgb095ec9">Plottigat</h4>
<div class="outline-text-4" id="text-orgb095ec9">
<p>
Serve:
</p>
<ul class="org-ul">
<li>murmur (mumble server)</li>
<li>ngircd</li>
<li>heisenbridge</li>
<li>matrix and irc bots</li>
<li>synapse</li>
</ul>
</div>
</div>
<div id="outline-container-org2219891" class="outline-4">
<h4 id="org2219891">Topolino</h4>
<div class="outline-text-4" id="text-org2219891">
<p>
bparodi vm personale.
</p>
<p>
Serve:
</p>
<ul class="org-ul">
<li>neomutt</li>
<li>offlineimap</li>
<li>mympd</li>
<li>syncthing</li>
</ul>
<p>
Monta:
</p>
<ul class="org-ul">
<li>vibbra</li>
<li>pr0n</li>
</ul>
</div>
</div>
</div>
<div id="outline-container-org7236144" class="outline-3">
<h3 id="org7236144">Fuori da qui</h3>
<div class="outline-text-3" id="text-org7236144">
<p>
ma Lezzo sempre nel cuore. Tutte le macchine non virtualizzate nel
rack principale. Gli usi sono i più disparati.
</p>
</div>
<div id="outline-container-org8a14db8" class="outline-4">
<h4 id="org8a14db8">Pipwolf</h4>
<div class="outline-text-4" id="text-org8a14db8">
<p>
SOC utilizzato da bparodi come access point di emergenza alla rete di casa.
</p>
</div>
</div>
<div id="outline-container-org91be29d" class="outline-4">
<h4 id="org91be29d">Ghigno</h4>
<div class="outline-text-4" id="text-org91be29d">
<p>
SOC utilizzato dai genitori di bparodi. È una macchina con gentoo che
all'accensione avvia X e firefox &#x2013;kiosk su tty7 e viene utilizzata
come terminale per Jellyfin.
</p>
</div>
</div>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">Author: bparodi</p>
<p class="date">Created: 2023-05-25 Thu 18:38</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
</html>


@ -1,36 +1,40 @@
#+INCLUDE: header.org #+INCLUDE: header.org
- rinforza le password
- etckeeper
- password files
+ vikunja pesceWanda:pesceWanda@lezzo.org:pesceWanda
+ vikunja ruspante:ruspante@lezzo.org:ruspantello
* *~* Hosts * *~* Hosts
** I Fondamentali ** I fondamentali
Tutto ciò senza cui Lezzo non funzionerebbe, insomma l'infrastruttura Tutto ciò senza cui lezzo non funzionerebbe, insomma l'infrastruttura
di base. di base.
*** Basettoni *** Basettoni
Fa da hypervisor. Contiene il numero minimo di pacchetti per far funzionare il
filesystem e libvirt. Accede alla rete tramite una sua interfaccia di rete.
*** Minni
SOC di Ruspante che da accesso alla rete in caso di emergenza. Comunica con
l'hypervisor tramite la rete locale.
Serve:
- wireguard
- client ddns
*** Edi
Server che contiene i backup di lezzonet e comunica con l'hypervisor tramite Gancio.
*** Gancio
SOC ospitato a casa di Bparodi con una rete wireguard secondaria che permette la
comunicazione con l'hypervisor. È nella stessa rete del server di backup.
Serve:
- client ddns
- wireguard
*** Atomino *** Atomino
Server vpn privato. Usato per avere una rete interna per i membri di Fa da router per la rete. È l'unico host virtualizzato che ha accesso
lezzo.org ma esce in chiaro dall'ip di lezzo.org. all'interfaccia di rete fisica.
Serve: Serve:
- wireguard - wireguard
- dns server principale per tutto lezzo.org e compari - dns server principale per tutto lezzo.org e compari
- firewall e qos tramite iptables e tc
- ntpd - ntpd
- syslog-ng - syslog-ng
*** Pico *** Pico
- rabbitmq - rabbitmq
- postgres - postgres
*** Uno
Router. Permette alle vm di uscire in chiaro.
Serve:
- firewall
- dhcp daemon
- dns forwarder
- nat: tramite firewall
- webserver: interfaccia web per la configurazione
- ssh server: dropbear per la manutenzione
*** Orazio *** Orazio
Buildserver. Ci si aspetta che tutte gli host riescano a Buildserver. Ci si aspetta che tutte gli host riescano a
comunicare con questa vm. comunicare con questa vm.
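Review bot: the three removed lines under `- password files` are two `vikunja` entries in what looks like user:e-mail:secret form. Dropping them from the working tree does not remove them from the repository: they stay readable in this commit's parent (21c5a0a1a5) and in every clone, so treat those two accounts as exposed and rotate their passwords in vikunja; if the history is ever pushed or shared, rewrite it (for example with git filter-repo) rather than relying on the deletion. The other two dropped TODO items (`rinforza le password`, `etckeeper`) vanish without a trace; if they are still open, track them somewhere instead of silently deleting them.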
@ -42,35 +46,17 @@ Serve:
Il magico mondo della pirateria e più in generale tutto ciò che viene Il magico mondo della pirateria e più in generale tutto ciò che viene
hostato dietro una vpn di terze parti. hostato dietro una vpn di terze parti.
*** Amelia *** Amelia
VM usata per piratare. VM usata per piratare. È l'unica macchina con X11 nella rete.
Serve: Serve:
- rtorrent - transmission
- rutorrent e tutte le dipendenze
- qbittorrent - qbittorrent
*** Macchianera
Router dietro la vpn di njalla.
Serve:
- firewall
- dhcp daemon: non utilizzato, gli ip delle vm sono tutti statici
- dns forwarder
- nat: tramite firewall
- webserver: interfaccia web per la configurazione
- ssh server: dropbear per la manutenzione
*** Nocciola
VM usata per piratare.
Serve:
- fopnu - fopnu
- nicotine+: client soulseek - nicotine+: client soulseek
- vncviewer - vncviewer
- mldonkey - mldonkey
- biglybt
- amuled
- amuleweb
- makemkv - makemkv
- nocciola-dl-manager: programma in kotlin che monitora i vari servizi - nintendo nus downloader
*** Toppersby *** Toppersby
bparodi vm personale dietro vpn. bparodi vm personale dietro vpn.
@ -94,16 +80,14 @@ Punto di accesso ai vari servizi web di lezzo.org
Serve: Serve:
- nginx, sia come server per il dominio che come reverse proxy - nginx, sia come server per il dominio che come reverse proxy
- jellyfin sia per la musica che per il materiale video - jellyfin sia per la musica che per il materiale video
- gitbucket or onedev - git server (bare) con relativa interfaccia web
- happy/imageboard - happy/imageboard
- luca/url shortener - luca/url shortener
- goaccess: stats.html - goaccess: stats.html
- fucktelegram
- cinny - cinny
- atftpd (pxe server)
- fileserver - fileserver
- gameserver - blog e altre pagine web di lezzo.org
- caldav e rubrica? - radicale
*** Plottigat *** Plottigat
Serve: Serve:
- murmur (mumble server) - murmur (mumble server)