First commit

notes/sshkeys.pub

@@ -0,0 +1,12 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHGQ2rLYB6U2i3dyb1+Fn8fKSsfsTno87Vf++yFQkD2k user@zenbook
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPJnaY1RtJ+JdfAEJfUcO99yrSGuH0UQit0itzrpgeI user@dotfiles
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5Zwmxt3kTIZT9fsQW+NCcTRYFz97Qp+hXbj7AcJXi6 root@mini
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIES0RiFcV2yoLwNrK6iB3xU3OlQ85vAWgxjoNaG3iuMp root@phone
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUz2KdC9MWYLwYgGfjdxPGd0XZbdRLUJog4IbWp9EZl user@myvelabs
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlaVV3oZo/IAGXF3F9qdaiSRTQLzc2aJ50h3MNdLUmI root@myvelabs
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAnDy15V5hT9+TX/gZeEpStamJOJNpruKdx3PXpcIX6 user@docker
+
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmgC/c0Rjyk6sL+PXhuxOfaBVw/sPTrWfX5GBGwqq/g user@desktop

notes/ubuntu-nginx

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+# Ubuntu - nginx-mainline
+# https://nginx.org/en/linux_packages.html
+
+# Install the prerequisites:
+
+    sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y
+
+# Import an official nginx signing key so apt could verify the packages authenticity. Fetch the key:
+
+    curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
+        | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+
+# Verify that the downloaded file contains the proper key:
+
+    gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg \
+        | grep -q 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 || exit 1
+
+# The output should contain the full fingerprint 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 as follows:
+# 
+#     pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
+#           573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+#     uid                      nginx signing key <signing-key@nginx.com>
+
+# Note that the output can contain other keys used to sign the packages.
+
+# # To set up the apt repository for stable nginx packages, run the following command:
+# 
+#     echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+#     http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
+#         | sudo tee /etc/apt/sources.list.d/nginx.list
+
+# If you would like to use mainline nginx packages, run the following command instead:
+
+    echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
+    http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" \
+        | sudo tee /etc/apt/sources.list.d/nginx.list
+
+# Set up repository pinning to prefer our packages over distribution-provided ones:
+
+    echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
+        | sudo tee /etc/apt/preferences.d/99nginx
+
+# To install nginx, run the following commands:
+
+    sudo apt update
+    sudo apt install nginx -y

notes/wireguard

@@ -0,0 +1,73 @@
+############
+# Key generation
+############
+for peer in {0..9}
+do
+    wg genkey | (umask 0077 && tee peer${peer}.key) | wg pubkey > peer${peer}.pub
+done
+
+############
+# Server configuration
+############
+/etc/wireguard/wg0.conf
+############
+[Interface]
+Address = 10.200.200.1/24
+ListenPort = 51820
+PrivateKey = SERVER_PRIVATE_KEY
+
+# substitute eth0 in the following lines to match the Internet-facing interface
+# the FORWARD rules will always be needed since traffic needs to be forwarded between the WireGuard
+# interface and the other interfaces on the server.
+# if the server is behind a router and receives traffic via NAT, specify static routing back to the
+# 10.200.200.0/24 subnet, the NAT iptables rules are not needed but the FORWARD rules are needed.
+# if the server is behind a router and receives traffic via NAT but one cannot specify static routing back to
+# 10.200.200.0/24 subnet, both the NAT and FORWARD iptables rules are needed. 
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+# foo
+PublicKey = PEER_FOO_PUBLIC_KEY
+PresharedKey = PRE-SHARED_KEY
+AllowedIPs = 10.200.200.2/32
+
+[Peer]
+# bar
+PublicKey = PEER_BAR_PUBLIC_KEY
+PresharedKey = PRE-SHARED_KEY
+AllowedIPs = 10.200.200.3/32
+
+###
+# The interface may be brought up using wg-quick up wg0 respectively by starting and potentially enabling the interface via wg-quick@interface.service, e.g. wg-quick@wg0.service. To close the interface use wg-quick down wg0 respectively stop wg-quick@interface.service.
+###
+
+############
+# Client configuration
+############
+foo.conf
+[Interface]
+Address = 10.200.200.2/32
+PrivateKey = PEER_FOO_PRIVATE_KEY
+DNS = 10.200.200.1
+
+[Peer]
+PublicKey = SERVER_PUBLICKEY
+PresharedKey = PRE-SHARED_KEY
+Endpoint = my.ddns.example.com:51820
+AllowedIPs = 0.0.0.0/0, ::/0
+bar.conf
+[Interface]
+Address = 10.200.200.3/32
+PrivateKey = PEER_BAR_PRIVATE_KEY
+DNS = 10.200.200.1
+
+[Peer]
+PublicKey = SERVER_PUBLICKEY
+PresharedKey = PRE-SHARED KEY
+Endpoint = my.ddns.example.com:51820
+AllowedIPs = 0.0.0.0/0, ::/0
+
+###
+# Note: Users of NetworkManager, may need to enable the NetworkManager-wait-online.service and users of systemd-networkd may need to enable the systemd-networkd-wait-online.service to wait until devices are network-ready before attempting a WireGuard connection.
+###