home.social

1000 results for “Gentoo_eV”

  1. Guess what I'm doing right now.

    Yes, it's now my shift to bump dist-kernels in #Gentoo.

    Good news is that 6.12+ with Gentoo patches are good, and I've managed to stabilize them even. Only 6.6 and older are getting extra upstream patches.

  3. Pt. 2 of the Gentoo install report.
    There was a bit of functionality lacking, so I decided to switch profile (from barebone to desktop OpenRC), which is pretty straightforward. My 6.8 of dwm was pretty vanilla, only all required patches were there, so I've started on editing the config.def.h, also good. And the first kernel update arrived, testing ugrd and automatic initramfs update. Well, it didn't, obviously 🤣
    I could, eventually, through my carefully written-down install command. I'll put it in an alias. And then I spent an exorbitant amount of time on Gruvbox and slstatus. Very well spent!
    #archlabs #gentoo

  7. Another #linux, another complication. I tried #MocaccinoOS, the rebranded #Gentoo #Sabayon. Installed well, but couldn't do updates or install anything. It's still new, so no great surprise. Then tried #manjaro. Fastest install ever, but first OS to decide a refresh rate of 60 is too much for my monitor, wouldn't update because of a missing encryption key and will only boot up once after installation, second boot just freezes. Guess it's back to #linuxmint for now.

  8. CW: Computers, nostalgia, death

    I've been using #GKrellM (en.wikipedia.org/wiki/GKrellM , a system monitor) basically since I started using #Linux in 2000.

    It's currently flagged for removal from #Gentoo. No maintainer for the package. And upstream is dead. Literally, even, the main dev Bill Wilson died in 2021 :(

    That's how my current gkrellm setup looks. Well, "current", it's not like I've changed it in any way ever.

  11. There's a #Python package called #WatchDog. It provides an API to "monitor file system events", and has a bunch of reverse dependencies. Historically these included #uvicorn.

    In 2020, uvicorn replaced WatchDog with #WatchGod. If I recall correctly, it was the only package to use it in #Gentoo.

    In 2022, WatchGod was abandoned, or rather rewritten in #RustLang as #WatchFiles. Uvicorn followed suit, removing WatchGod support (just like WatchDog support was removed before) in favor of WatchFiles.

    Today, WatchFiles is used by 2 Gentoo packages: uvicorn and pelican. It has known incompatibilities with anyio >= 4 that haven't gotten any upstream attention in 2 months now. WatchFiles seems pretty much unmaintained at this point.

    In the meantime, WatchDog has had a release a few days ago and doesn't need any blockers.

    #NIH

  12. Come see what we've been cooking up for you! #nanopore and community #nextflow pipelines wrapped up in a GUI suitable for everyone: from baby #bioinformaticians to Gentoo gurus! We're on Linux, Windows and even Mac! IT'S ALSO FREE so give it a try today & tell us what you think!
    labs.epi2me.io/labsquickstart/

  13. I'm daily using FreeBSD and Gentoo with the "-systemd" global USE flag, so I didn't closely watch the latest news from the Linux world.

    But, really?! They're removing text logs from /var/log?? I bet in 2026 there will be a binary database for configuration instead of text files in /etc/ and /usr/local/etc/ 😁

    messydesk.social/@robey/113689

    #Linux #FreeBSD #Gentoo #UnixPhilosophy

  14. @thelinuxcast @thelinuxcast, excellent way to vent, love it!

    My single favorite thing about #linux is simply the breadth of choice it gives us across nearly every aspect of it. Choice however, whilst being the greatest thing we have, is also arguably the worst. Most people simply want a device they can turn on, and it gives them what they expect to see. I love nothing more than poking around at ux/ui stuff I'm unfamiliar with. Mostly just to gain that missing familiarity, never actually wanting any part of that change I cherish so much. I have been using the same (somewhat updated) #e16 / #gentoo configs for ~20 years.

    The whole Windows Start Button whining thing is absolutely ridiculous; why not give people the choice to put it where they want? Also, being forced to use windows for work as many of us are, I've learned something new now that Win11 has been imposed upon us. Windows seems to no longer have a stock way (that I've yet to find) of allowing you to move the taskbar as it has in previous versions. For those of us who remember those times before windows policy restrictions at work; there used to be (maybe still) entire shell replacements we could set to run instead of 'explorer.exe' that were extremely customizable. #DarkStep and #LiteStep are the two I remember using most, there were a few more but none were quite as well built. There were even a couple of them that'd replace the window decoration too.

  18. One gentoo species, Nope Four
    Scientists provided genetic evidence that what was once thought to be one widely dispersed species - including three subspecies - is actually four separate species of gentoo penguin. So, one of these was previously even unrecognised. Because, as it turns out they all look alike: a white underside and black back, but they are clearly genetically different. What scientists refer to as a cryptic species.
    #biodiversity #gentoo #penguin #species

    phys.org/news/2026-05-scientis

  22. @leberschnitzel "Linux" is a large number of concepts, some common between a wide range of systems, some relatively specific. Fortunately the common stuff is ... more common, and much of the knowledge is highly durable (I cut my teeth about 40 years ago on BSD Unix, the information's served me well over the decades). Even old books can be quite useful, though there is some obsolete data.

    One of the best elementary Linux books for several decades has been Mark Sobell's Practical Guide. That's actually a series now, tuned to major distros, and there's an Ubuntu-specific edition. sobell.com/UB1/index.html

    O'Reilly & Associates ("ORA") was long the go-to for technical Unix/Linux books, and I'd recommend both UNIX Power Tools (1992, 2002) which though dated is one of the best introductions to the Unix philosophy and basic shell tools, and Linux in a Nutshell which is a very concise overview of major elements: oreilly.com/library/view/unix- and learning.oreilly.com/library/v. Both strongly emphasize terminal / command-line tools.

    For general systems-administration guidance, the Unix and Linux System Administration Handbook (a/k/a "Nemeth") remains highly useful, though again, somewhat dated. colorado.edu/coloradan/2018/12

    I'd also recommend a good book covering your principal shell. These days that's either Bash (the Bourne-Again SHell) or zsh (the "new hawtness"). ORA again has a good bash book: oreilly.com/library/view/learn. They've also got a good zsh guide: oreilly.com/library/view/learn. Other sources might include Sobell, No Starch Press (generally), and Prentice Hall (Sobell's publisher).

    There's a whole set of other references, more below.

    In general, "learning Linux" is about:

    • The GUI, for beginners. This is mostly self-explanatory, there are (as with everything else) numerous options, GNOME, KDE, and XFCE are the most popular contenders, with others often based on these, though there are numerous others.

    • The shell. Covered above (bash/zsh, and others). This is your principal command interface to the system and is both powerful, arcane, and evolving (I've learned and moved on through several shells over my career). Mastering the shell is a key success factor.

    • The editor. Numerous options, the principal ones are emacs and vim, and I'd strongly recommend you learn at least one of these. Both are available on nearly all systems, including small embedded systems (e.g., modems, routers, Android devices, though often slimmed-down versions (often via Busybox, its own subject...)).

    • Scripting languages. There are several, including not only the shell itself, but old-school options (sed, awk, Perl) and newer arrivals (Ruby, Python, Node.js, Lua, ...), and many others, often obscure and/or specialised. I really only use a few of these myself (sh/bash/sed/awk) and dabble in others (Perl, Python, Ruby), but these are quite powerful.

    • Packaging. The key distinguishing feature of various Linux systems is the packaging system used, defined by package format, interfaces, and philosophy. Ubuntu uses APT ("a package tool"), the DPKG format, and any of various front-ends. Others include RPM (Red Hat, Suse, and others, often under Yum or DNF), Portage (Gentoo), Slack (Slackware), Nix (NixOS), and more: en.wikipedia.org/wiki/Package_. Understanding your package manager and its philosophy, or lack thereof, is key to your Linux experience. Best Debian/Ubuntu book here is The Debian System by Martin F. Krafft, archive.org/details/debiansyst. Debian's own documentation is also excellent, see: debian.org/doc/. (Ubuntu largely follows Debian here, though you might want to check that project's own docs.)

    • Networking. I won't go into details, specifics vary more on what packages you have installed than on distros per se. But know the basics, as covered in texts above, deferring to your distro's quirks as necessary.

    • Kernel. I'm going to de-emphasize this relative to others' comments. Yes, the kernel does vary between versions, but ... in general, you will get by well with the stock kernel, and only need to muck with it as new versions come out or you find out specific device or network drivers/modules have issues or are needed. This is increasingly rare if you stick to widely-used hardware and features.

    • General administration. See the Nemeth and Sobell books for a general overview of topics, but storage, users, permissions, security, and other issues are key here.

    Debian (and Ubuntu) have the option to install and manage a huge set of documentation, including but not limited to manual ("man") pages, info documents, HOWTOs, RFCs, and many package-specific guides and manuals. Look for the "-doc" version of packages if you're seeking additional documentation. You can access and search this through a localhost Web interface by installing the dwww and swish2 packages. Point your browser at localhost/dwww/ for joy after doing this.

    I'll address specific questions on your other toots.

    #Linux #LinuxForBeginners #Books #LinuxBooks #LinuxDocumentation

  23. @aral
    Be careful! That's how it starts.

    I switched from OS X to Pop!_OS, but that was just the beginning. Pretty soon, I'd made my way on to . These days, I'm running a lot of tools, including , , and —and I don't even *have* a display manager. Now, heaven help me, I'm even considering installing or .

  24. Brain be weird.

    Suddenly I have to think of Lehmanns Online Bibliothek and all the #SuSE editions I ordered there back then.

    Until I lost interest in #yast as a GUI rather than ncurses, because for a graphical control panel I could just as well have used Windows. I then switched to #gentoo. Best decision ever!

  28. The FreeBSD-native-ish home lab and network

    For many years my setup was pretty simple: A FreeBSD home server running on my old laptop. It runs everything I need to be present on the internet, an email server, a web server (like the one you’ve accessed right now to see this blog post) and a public chat server (XMPP/Jabber) so I can be in touch with friends.

    For my home network, I had a basic Access Point and a basic Router.

    Lately, my setup has become more… intense. I have IPv6 thanks to Hurricane Electric, the network is passed to my home network (which we’ll talk about in a bit), a home network with multiple VLANs, since friends who come home also need WiFi.

    I decided to blog about the details, hoping it would help someone in the future.

    I’ll start with the simplest one.

    The Home Server

    I’ve been running home servers for a long time. I believe that every person/family needs a home server. Forget about buying your kids iPads and Smartphones. Their first devices should be a real computer (sorry Apple, iOS devices are still just a toy) like a desktop/laptop and a home server. The home server doesn’t need to be on the public internet, but mine is, for a variety of reasons. This blog being one of them.

    I get a static IP address from my ISP, Ucom. After the management change that happened couple of years ago, Ucom has become a very typical ISP (think shitty), but they are the only ones that provide a static IP address, instead of setting it on your router, where you have to do port forwarding.

    My home server, hostnamed pingvinashen (meaning the town of the penguins, named after the Armenian cartoon) runs FreeBSD. Historically this machine has run Debian, Funtoo, Gentoo and finally FreeBSD.

    Hardware wise, here’s what it is:

    root@pingvinashen:~ # dmidecode -s system-product-name
    Latitude E5470
    root@pingvinashen:~ # sysctl hw.model
    hw.model: Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
    root@pingvinashen:~ # sysctl hw.physmem
    hw.physmem: 17016950784
    root@pingvinashen:~ # zpool list
    NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
    zroot   420G   178G   242G        -         -    64%    42%  1.00x    ONLINE  -

    While most homelabbers use hardware virtualization, I think that resources are a tight thing, and should be managed properly. Any company that markets itself as “green/eco-friendly” and uses hardware virtualization should do calculations using a pen and paper and prove if going native would save power/resources or not. (sometimes it doesn’t, usually it does)

    I use containers, the old-school ones, Jails to be more specific.

    I manage jails using Jailer, my own tool, that tries to stay out of your way when working with Jails.

    Here are my current jails:

    root@pingvinashen:~ # jailer list
    NAME        STATE    JID  HOSTNAME              IPv4               GW
    antranig    Active   1    antranig.bsd.am       192.168.10.42/24   192.168.10.1
    antranigv   Active   2    antranigv.bsd.am      192.168.10.52/24   192.168.10.1
    git         Stopped
    huginn0     Active   4    huginn0.bsd.am        192.168.10.34/24   192.168.10.1
    ifconfig    Active   5    ifconfig.bsd.am       192.168.10.33/24   192.168.10.1
    lucy        Active   6    lucy.vartanian.am     192.168.10.37/24   192.168.10.1
    mysql       Active   7    mysql.antranigv.am    192.168.10.50/24   192.168.10.1
    newsletter  Active   8    newsletter.bsd.am     192.168.10.65/24   192.168.10.1
    oragir      Active   9    oragir.am             192.168.10.30/24   192.168.10.1
    psql        Active   10   psql.pingvinashen.am  192.168.10.3/24    192.168.10.1
    rss         Active   11   rss.bsd.am            192.168.10.5/24    192.168.10.1
    sarian      Active   12   sarian.am             192.168.10.53/24   192.168.10.1
    syuneci     Active   13   syuneci.am            192.168.10.60/24   192.168.10.1
    znc         Active   14   znc.bsd.am            192.168.10.152/24  192.168.10.1

    You already get a basic idea of how things are. Each of my blogs (Armenian and English) has its own Jail. Since I’m using WordPress, I need a database, so I have a MySQL jail (which ironically runs MariaDB) inside of it.

    I also have a Git server, running gitea, which is down at the moment as I’m doing maintenance. The Git server (and many other services) requires PostgreSQL, hence the existence of a PostgreSQL jail. I run huginn for automation (RSS to Telegram, RSS to XMPP). My sister has her own blog, using WordPress, so that’s a Jail of its own. Same goes for my fiancée.

    Other Jails are Newsletter using Listmonk, Sarian (the Armenian instance of lobste.rs) and a personal ZNC server.

    As an avid RSS advocate, I also have an RSS Jail, which runs Miniflux. Many of my friends use this service.

    Oragir is an instance of WriteFreely, as I advocate public blogging and ActivityPub. Our community uses that too.

    The web server that forwards all this traffic from the public to the Jails is nginx. All it does is proxy_pass as needed. It runs on the host.

    Other services that run on the host are DNS (BIND9), an email service running OpenSMTPd (which will be moved to a Jail soon), the chat service running prosody (which will be moved to a Jail soon) and finally, WireGuard, because I love VPNs.

    Finally, there’s an IPv6-over-IPv4 tunnel that I use to obtain IPv6 thanks to Hurricane Electric.

    Yes, I have a firewall, I use pf(4).

    For the techies in the room, here’s what my rc.conf looks like.

    # cat /etc/rc.conf
    # Defaults
    clear_tmp_enable="YES"
    syslogd_flags="-ss"
    sendmail_enable="NONE"
    #local_unbound_enable="YES"
    sshd_enable="YES"
    moused_enable="YES"
    ntpd_enable="YES"
    # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
    dumpdev="AUTO"
    zfs_enable="YES"
    hostname="pingvinashen.am"
    # Networking
    defaultrouter="37.157.221.1"
    gateway_enable="YES"
    ifconfig_em0="up"
    vlans_em0="37 1000" # 1000 -> WAN; 37 -> Home Router
    ifconfig_em0_1000="inet 37.157.221.130 netmask 255.255.255.0"
    ifconfig_em0_37="inet 192.168.255.2 netmask 255.255.255.0"
    static_routes="home"
    route_home="-net 172.16.100.0/24 -gateway 192.168.255.1"
    cloned_interfaces="bridge0 bridge6 bridge10"
    ifconfig_bridge10="inet 192.168.10.1 netmask 255.255.255.0"
    ## IPv6
    ipv6_gateway_enable="YES"
    gif_interfaces="gif0"
    gifconfig_gif0="37.157.221.130 216.66.84.46"
    ifconfig_gif0="inet6 2001:470:1f14:ef::2 2001:470:1f14:ef::1 prefixlen 128"
    ipv6_defaultrouter="2001:470:1f14:ef::1"
    ifconfig_em0_37_ipv6="inet6 2001:470:7914:7065::2 prefixlen 64"
    ipv6_static_routes="home guest"
    ipv6_route_home="-net 2001:470:7914:6a76::/64 -gateway 2001:470:7914:7065::1"
    ipv6_route_guest="-net 2001:470:7914:6969::/64 -gateway 2001:470:7914:7065::1"
    ifconfig_bridge6_ipv6="inet6 2001:470:1f15:e4::1 prefixlen 64"
    ifconfig_bridge6_aliases="inet6 2001:470:1f15:e4::25 prefixlen 64 \
    inet6 2001:470:1f15:e4::80 prefixlen 64      \
    inet6 2001:470:1f15:e4::5222 prefixlen 64    \
    inet6 2001:470:1f15:e4:c0fe::53 prefixlen 64 \
    "
    # VPN
    wireguard_enable="YES"
    wireguard_interfaces="wg0"
    # Firewall
    pf_enable="YES"
    # Jails
    jail_enable="YES"
    jailer_dir="zfs:zroot/jails"
    # DNS
    named_enable="YES"
    # Mail
    smtpd_enable="YES"
    smtpd_config="/usr/local/etc/smtpd.conf"
    # XMPP
    prosody_enable="YES"
    turnserver_enable="YES"
    # Web
    nginx_enable="YES"
    tor_enable="YES"

    The gif0 interface is an IPv6-over-IPv4 tunnel. I have static routes to my home network, so I don’t go to my server over the ISP every time. This also gives me the ability to get IPv6 in my home network that is routed via my home server.

    As you have guessed from this config file, I do have VLANs set up. So let’s get into that.

    The Home Network

    First of all, here’s a very cheap diagram

    I have the following VLANs set up on the switch.

    VLAN ID  Purpose
    1        Switch Management
    1000     pingvinashen (home server) WAN
    1001     evn0 (home router) WAN
    37       pingvinashen ↔ evn0
    42       Internal Management
    100      Home LAN
    69       Home Guest

    Here are the active ports

    Port  VLANs                                Purpose
    24    untagged: 1                          Switch management, connects to Port 2
    22    untagged: 1000                       pingvinashen WAN, from ISP
    21    untagged: 1001                       Home WAN, from ISP
    20    tagged: 1000, 37                     To pingvinashen, port em0
    19    untagged: 1001                       To home router, port igb1
    18    tagged: 42, 100, 69, 99              To home router, port igb2
    17    untagged: 37                         To home router, port igb0
    16    tagged: 42, 100, 69                  To Lenovo T480s
    15    untagged: 100                        To Raspberry Pi 4
    2     untagged: 99                         From Port 24, for switch management
    1     untagged: 42; tagged: 100, 69; PoE   To UAP AC Pro

    The home router, hostnamed evn0 (named after the IATA code of Yerevan’s Zvartnots International Airport) runs FreeBSD as well, the hardware is the following

    root@evn0:~ # dmidecode -s system-product-name
    APU2
    root@evn0:~ # sysctl hw.model
    hw.model: AMD GX-412TC SOC
    root@evn0:~ # sysctl hw.physmem
    hw.physmem: 4234399744
    root@evn0:~ # zpool list
    NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
    zroot  12.5G  9.47G  3.03G        -         -    67%    75%  1.00x    ONLINE  -

    The home router does… well, routing. It also does DHCP, DNS, SLAAC, and can act as a syslog server.

    Here’s what the rc.conf looks like

    clear_tmp_enable="YES"
    sendmail_enable="NONE"
    syslogd_flags="-a '172.16.100.0/24:*' -H"
    zfs_enable="YES"
    dumpdev="AUTO"
    hostname="evn0.illuriasecurity.com"
    pf_enable="YES"
    gateway_enable="YES"
    ipv6_gateway_enable="YES"
    sshd_enable="YES"
    # Get an IP address from the ISP's GPON
    ifconfig_igb1="DHCP"
    # Internal routes with pingvinashen
    ifconfig_igb0="inet 192.168.255.1 netmask 255.255.255.0"
    ifconfig_igb0_ipv6="inet6 2001:470:7914:7065::1 prefixlen 64"
    static_routes="pingvinashen"
    route_pingvinashen="-net 37.157.221.130/32 -gateway 192.168.255.2"
    ipv6_defaultrouter="2001:470:7914:7065::2"
    # Home Mgmt, Switch Mgmt, Home LAN, Home Guest
    ifconfig_igb2="up"
    vlans_igb2="42 99 100 69"
    ifconfig_igb2_42="inet 172.31.42.1 netmask 255.255.255.0"
    ifconfig_igb2_99="inet 172.16.99.1 netmask 255.255.255.0"
    ifconfig_igb2_100="inet 172.16.100.1 netmask 255.255.255.0"
    ifconfig_igb2_100_ipv6="inet6 2001:470:7914:6a76::1 prefixlen 64"
    ifconfig_igb2_69="inet 192.168.69.1 netmask 255.255.255.0"
    ifconfig_igb2_69_ipv6="inet6 2001:470:7914:6969::1 prefixlen 64"
    # DNS and DHCP
    named_enable="YES"
    dhcpd_enable="YES"
    named_flags=""
    # NTP
    ntpd_enable="YES"
    # Router Advertisement and LLDP
    rtadvd_enable="YES"
    lldpd_enable="YES"
    lldpd_flags=""

    Here’s pf.conf, because security is important.

    ext_if="igb1"
    bsd_if="igb0"
    int_if="igb2.100"
    guest_if="igb2.69"
    mgmt_if="igb2.42"
    sw_if="igb2.99"
    ill_net="172.16.0.0/16"
    nat pass on $ext_if from $int_if:network to any -> ($ext_if)
    nat pass on $ext_if from $mgmt_if:network to any -> ($ext_if)
    nat pass on $ext_if from $guest_if:network to any -> ($ext_if)
    set skip on { lo0 }
    block in all
    pass on $int_if   from $int_if:network   to any
    pass on $mgmt_if  from $mgmt_if:network  to any
    pass on $sw_if    from $sw_if:network    to any
    pass on $guest_if from $guest_if:network to any
    block quick on $guest_if from any to { $int_if:network, $mgmt_if:network, $ill_net, $sw_if:network }
    pass in on illuria0 from $ill_net to { $ill_net, $mgmt_if:network }
    pass inet  proto icmp
    pass inet6 proto icmp6
    pass out   all   keep state

    I’m sure there are places to improve, but it gets the job done and keeps the guest network isolated.

    Here’s rtadvd.conf, for my IPv6 folks

    igb2.100:\
      :addr="2001:470:7914:6a76::":prefixlen#64:\
      :rdnss="2001:470:7914:6a76::1":\
      :dnssl="evn0.loc.illuriasecurity.com,loc.illuriasecurity.com":
    igb2.69:\
      :addr="2001:470:7914:6969::":prefixlen#64:\
      :rdnss="2001:470:7914:6969::1":

    For DNS I’m running BIND; here are the important parts:

    listen-on     { 127.0.0.1; 172.16.100.1; 172.16.99.1; 172.31.42.1; 192.168.69.1; };
    listen-on-v6  { 2001:470:7914:6a76::1; 2001:470:7914:6969::1; };
    allow-query   { 127.0.0.1; 172.16.100.0/24; 172.31.42.0/24; 192.168.69.0/24; 2001:470:7914:6a76::/64; 2001:470:7914:6969::/64; };

    And for DHCP, here’s what it looks like

    subnet 172.16.100.0 netmask 255.255.255.0 {
            range 172.16.100.100 172.16.100.150;
            option domain-name-servers 172.16.100.1;
            option subnet-mask 255.255.255.0;
            option routers 172.16.100.1;
            option domain-name "evn0.loc.illuriasecurity.com";
            option domain-search "loc.illuriasecurity.com evn0.loc.illuriasecurity.com";
    }

    host zvartnots {
        hardware ethernet d4:57:63:f1:5a:36;
        fixed-address 172.16.100.7;
    }

    host unifi0 {
        hardware ethernet 58:9c:fc:93:d1:0b;
        fixed-address 172.31.42.42;
    }

    […]

    subnet 172.31.42.0 netmask 255.255.255.0 {
        range 172.31.42.100 172.31.42.150;
        option domain-name-servers 172.31.42.1;
        option subnet-mask 255.255.255.0;
        option routers 172.31.42.1;
    }

    subnet 192.168.69.0 netmask 255.255.255.0 {
        range 192.168.69.100 192.168.69.150;
        option domain-name-servers 192.168.69.1;
        option subnet-mask 255.255.255.0;
        option routers 192.168.69.1;
    }

    So you’re wondering, what’s this unifi0? Well, that brings us to

    T480s

    This laptop has been gifted to me by [REDACTED] for my contributions to the Armenian government (which means when a server goes down and no one knows how to fix it, they called me and I showed up)

    Here’s the hardware

    root@t480s:~ # dmidecode -s system-version
    ThinkPad T480s
    root@t480s:~ # sysctl hw.model
    hw.model: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
    root@t480s:~ # sysctl hw.physmem
    hw.physmem: 25602347008
    root@t480s:~ # zpool list
    NAME    SIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAG    CAP  DEDUP    HEALTH  ALTROOT
    zroot   224G   109G   115G        -         -    44%    48%  1.00x    ONLINE  -

    The T480s has access to VLANs 100, 42 and 69, but the host itself has an address only on VLAN 100 (LAN), while the jails can live on the other VLANs.

    So I have a Jail named unifi0 that runs the Unifi Management thingie.

    Here’s what the host’s rc.conf looks like:

    clear_tmp_enable="YES"
    syslogd_flags="-ss"
    sendmail_enable="NONE"
    sshd_enable="YES"
    ntpd_enable="YES"
    # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
    dumpdev="AUTO"
    zfs_enable="YES"
    hostname="t480s.evn0.loc.illuriasecurity.com"

    ifconfig_em0="up -rxcsum -txcsum"
    vlans_em0="100 42 69"
    ifconfig_em0_100="up"
    ifconfig_em0_42="up"
    ifconfig_em0_69="up"

    cloned_interfaces="bridge0 bridge100 bridge42 bridge69"
    create_args_bridge100="ether 8c:16:45:82:b4:10"
    ifconfig_bridge100="addm em0.100 SYNCDHCP"
    ifconfig_bridge100_ipv6="inet6 auto_linklocal"
    rtsold_flags="-i -F -m bridge100"
    rtsold_enable="YES"
    create_args_bridge42=" ether 8c:16:45:82:b4:42"
    create_args_bridge69=" ether 8c:16:45:82:b4:69"
    ifconfig_bridge42="addm em0.42"
    ifconfig_bridge69="addm em0.69"

    jail_enable="YES"
    jailer_dir="zfs:zroot/jailer"
    ifconfig_bridge0="inet 10.1.0.1/24 up"
    ngbuddy_enable="YES"
    ngbuddy_private_if="nghost0"
    dhcpd_enable="YES"
    lldpd_enable="YES"

    I used Jailer to create the unifi0 jail, here’s what the jail.conf looks like

    # vim: set syntax=sh:
    exec.clean;
    allow.raw_sockets;
    mount.devfs;

    unifi0 {
      $id             = "6";
      devfs_ruleset   = 10;
      $bridge         = "bridge42";
      $domain         = "evn0.loc.illuriasecurity.com";
      vnet;
      vnet.interface  = "epair${id}b";
      exec.prestart   = "ifconfig epair${id} create up";
      exec.prestart  += "ifconfig epair${id}a up descr vnet-${name}";
      exec.prestart  += "ifconfig ${bridge} addm epair${id}a up";
      exec.start      = "/sbin/ifconfig lo0 127.0.0.1 up";
      exec.start     += "/bin/sh /etc/rc";
      exec.stop       = "/bin/sh /etc/rc.shutdown jail";
      exec.poststop   = "ifconfig ${bridge} deletem epair${id}a";
      exec.poststop  += "ifconfig epair${id}a destroy";
      host.hostname   = "${name}.${domain}";
      path            = "/usr/local/jailer/unifi0";
      exec.consolelog = "/var/log/jail/${name}.log";
      persist;
      mount.fdescfs;
      mount.procfs;
    }

    Here are the important parts inside the jail

    root@t480s:~ # cat /usr/local/jailer/unifi0/etc/rc.conf
    ifconfig_epair6b="SYNCDHCP"
    sendmail_enable="NONE"
    syslogd_flags="-ss"
    mongod_enable="YES"
    unifi_enable="YES"
    root@t480s:~ # cat /usr/local/jailer/unifi0/etc/start_if.epair6b
    ifconfig epair6b ether 58:9c:fc:93:d1:0b

    Don’t you love it that you can see what’s inside the jail from the host? God I love FreeBSD!

    Did I miss anything? I hope not.

    Oh, for the homelabbers out there, the T480s is the one that runs things like Jellyfin if needed.

    Finally, the tiny 

    Raspberry Pi 4, Model B

    I found this in a closet, so I decided to run it for Time Machine.

    I guess all you care about is rc.conf

    hostname="tm0.evn0.loc.illuriasecurity.com"
    ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
    sshd_enable="YES"
    sendmail_enable="NONE"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"
    growfs_enable="YES"
    powerd_enable="YES"
    # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
    dumpdev="AUTO"
    zfs_enable="YES"
    rtsold_enable="YES"
    samba_server_enable="YES"

    And the Samba Configuration

    [global]
    # Network settings
    workgroup = WORKGROUP
    server string = Samba Server %v
    netbios name = RPi4

    # Logging
    log file = /var/log/samba4/log.%m
    max log size = 50
    log level = 0

    # Authentication
    security = user
    encrypt passwords = yes
    passdb backend = tdbsam
    map to guest = Bad User
    min protocol = SMB2
    max protocol = SMB3

    # Apple Time Machine settings
    vfs objects = catia fruit streams_xattr
    fruit:metadata = stream
    fruit:resource = stream
    fruit:encoding = native
    fruit:locking = none
    fruit:time machine = yes

    # File System support
    ea support = yes
    kernel oplocks = no
    kernel share modes = no
    posix locking = no
    mangled names = no
    smbd max xattr size = 2097152

    # Performance tuning
    read raw = yes
    write raw = yes
    getwd cache = yes
    strict locking = no

    # Miscellaneous
    local master = no
    preferred master = no
    domain master = no
    wins support = no

    [tm]
    comment = Time Machine RPi4
    path = /usr/local/timemachine/%U
    browseable = yes
    read only = no
    valid users = antranigv
    vfs objects = catia fruit streams_xattr
    fruit:time machine = yes
    fruit:advertise_fullsync = true
    fruit:time machine max size = 800G  # Adjust the size according to your needs
    create mask = 0600
    directory mask = 0700

    That’s pretty much it.

    Conclusion

    I love running homebrew servers, home networks and home labs. I love that (almost) everything is FreeBSD. The switch itself runs Linux, and the Unifi Access Point also runs Linux, both of which I’m pretty happy with.

    While most homelabbers used ESXi in the past, I’m happy to see that most people are moving to open source solutions like Proxmox and Xen, but I think that FreeBSD Jails and bhyve are much better. I still don’t have a need for bhyve at the moment, but I would use it if I needed hardware virtualization.

    Most homelabbers would consider the lack of Web/GUI interfaces as a con, but I think that it’s a pro. If I need to “replicate” this network, all I need to do is to copy some text files and modify some IP addresses / Interface names.

    I hope this was informative and that it will be useful for someone in the future.

    That’s all folks… 


    https://antranigv.am/posts/2024/06/freebsd-server-network-homelab/

    #Containers #Dell #DellLatitudeE5470 #FreeBSD #homeServer #HowTo #Jailer #Jails #macOS #Networking #pf #Samba #Unifi #Unix #VNET
