Linux

Debian Template on Proxmox

Cloud Image with SSH Key

on the Proxmox Host

Create Installer Key

# cd /your/working/dir
ssh-keygen -o -a 100 -t ed25519 -C "User: installer, $(date '+%Y-%m-%d %H:%m')" -f installer

Build Template

apt install libguestfs-tools -y;
wget https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2

virt-customize --install qemu-guest-agent -a debian-12-generic-amd64.qcow2
qm create 9001 --name debian-12-generic --memory 2048 --cores 2 --net0 virtio,bridge=vmbr0 --agent 1 
qm importdisk 9001 debian-12-generic-amd64.qcow2 local-lvm

qm set 9001 --scsihw virtio-scsi-pci --scsi0 local-lvm:vm-9001-disk-0
qm set 9001 --ide2 local-lvm:cloudinit
qm set 9001 --boot c --bootdisk scsi0
qm set 9001 --serial0 socket
qm set 9001 --ipconfig0 ip=dhcp
qm set 9001 --cpu cputype=x86-64-v2-AES

qm set 9001 --sshkeys installer.pub
qm set 9001 --ciuser installer

qm resize 9001 scsi0 32G
qm template 9001

Create VM

in the GUI, you can create an new VM based on the Template 9001. You have to login with user “installer” and it’s private key!

Patch OpenSSH Only

apt install --only-upgrade  openssh-client openssh-server openssh-sftp-server

Time Zone

timedatectl set-timezone Europe/Zurich

-> set symlink: /etc/localtime -> ../usr/share/zoneinfo/Europe/Zurich

Fix Sudo Stuff

use ‘sudo -i’ and keep SSH_AUTH_SOCK if set

apt update
apt install sudo
usermod -aG sudo stoege
echo "Defaults env_keep+=SSH_AUTH_SOCK" > /etc/sudoers.d/ssh_auth_sock
echo "%sudo ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/group_sudo_nopass

sha256: 7e5018c28bea4357e2f6703ec2876e92798e020801a61e46d6e3698151bc5a38

Some Commands for Mikrotik NewBees

Helpful Links

Quick Guide - CCR2004-1G-12S+2XS

CCR2004-1G-12S+2XS - User Manual

MikroTik wired interface compatibility

Copper SFP (not able todo Auto Negotiation)

/interface/ethernet/set sfp-sfpplus1 auto-negotiation=no

Update Packages

/system package update check-for-updates
/system package update install
reboot

Upgrade Firmware

/system routerboard print
/system routerboard upgrade
/system reboot; 

Reset Config

/system/reset-configuration

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 7.10.1 (c) 1999-2023       https://www.mikrotik.com/

Press F1 for help

-------------------------------------------------------------------------------
The following default configuration has been installed on your router:

Welcome to RouterOS!
   1) Set a strong router password in the System > Users menu
   2) Upgrade the software in the System > Packages menu
   3) Enable firewall on untrusted networks
-----------------------------------------------------------------------------
LAN:
    IP on ether1:    192.168.88.1/24;

-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.

Initial Config

/interface bridge add name=local
/interface bridge port add interface=ether2 bridge=local
/ip address add address=192.168.88.1/24 interface=local

Backup Config

# show full Config
export

# show non defaults
export compact

# show non defaults, hide sensitive stuff
export compact hide-sensitive

# write config to myconfig
export compact hide-sensitive file=myconfig

sha256: 4cffb5ddbd4d0059c71e311bc75a67839be888f15291cec9ac6d0c24478fffdd

Intro

Let’s assume you have a bunch of GIT Repos in a Folder like this:

/project1/
    /repo1/
    /repo2/
    /repoN/

and you would like to update all of them ? here a little helper.

• Loop over all Folders
• check if ‘.git’ exists
• if so, do a git pull –all

Script

Copy/Paste it to your Terminal and you get a executable Script called ‘git_update_all.sh’.

cat << 'EOF' > git_update_all.sh
#!/usr/bin/env bash

# Get the current script directory
script_dir=$(dirname "$(readlink -f "$0")")

# Change into each directory in the script folder
for dir in "$script_dir"/*; do

    if [ -d "$dir" ]; then

        cd "$dir" || exit 1

        if [ -d ".git" ]; then

            echo "Updating Git repository in $dir"
            git pull --all

        else

            echo "Skipping $dir - not a Git repository"

        fi

        cd "$script_dir" || exit 1

    fi

done

echo "Git update for all repositories completed."
EOF

# make it executable
chmod u+x git_update_all.sh

Usage

and then run it, like it, use it :)

Minio on Debian

Need some S3 Storage for Reasons ? Here a few Lines, how to Setup and enable TLS.

Install Minio

login as root for the whole installation. Or use sudo/doas if preferred.

Upgrade you Box

apt update && apt upgrade -y

reboot if needed

add User

Let’s add User as we don’t wanna run it as root

useradd -r minio-user -s /sbin/nologin

Get Minio

Download, set execute permission and move it

Intro

did you ever heared of Jetporch, short Jet ? Don’t worry, you’re not the only one ;) Jet Project of Jet is being led by Michael DeHaan, the original creator of Ansible. So, expect something like Ansible, faster, written in rust … same same, but different.

Installation on Debian 12

grab a fresh machine and patch it

export DEBIAN_FRONTEND=noninteractive
apt-get clean
apt-get autoclean
apt-get update -y
apt-get upgrade -yq
apt-get dist-upgrade -yq
apt-get autoremove -y

Install Rust from Source

jet needs rustc 1.64. Debian install 1.63 from packages :(

Behind Corp Proxy

let’s assume you’re behing a Corp Proxy which enforce TLS Inspection, you don’t have the Proxy Cert and you want to Upgrade your Boxes …

… and of course, you do this in the LAB and for Research only and not your Productiv Environment!

TLS Inspection enabled

apt-get upate
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted.
The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: xx.xx.xx.xx yyyy]

Disable TLS Check

touch /etc/apt/apt.conf.d/99verify-peer.conf
echo >>/etc/apt/apt.conf.d/99verify-peer.conf "Acquire { https::Verify-Peer false }"

Update

apt-get update
apt-get upgrade

sha256: 40c39ed441b4690a8644cd63bfd2e6987f06a70c4f922eca14de5dcc27d4fb35

Restricting User to Script

Let’s assume you have some Users around and they should be able to run certain Scripts. These Scripts do various things, login to some systems, perform task, get data from an API, whatever you want. All these Actions needs Credentials which must be available to the script, although they are not part of the Script. They could be Provides via OS Env, .env File, Encrypted Password Store or whatever. But if the Script is able to access these Credentials, a logged in User would could access it also.

got Docker running with Traefik as ingress Loadbalancer ?

Just enable IPv6 like this.

daemon.json

cat << EOF > /etc/docker/daemon.json
{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}
EOF

Restart Services

systemctl reload docker

Check Netstat

# netstat -tulpen |grep docker
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          15788      977/docker-proxy    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          17495      952/docker-proxy    
tcp6       0      0 :::80                   :::*                    LISTEN      0          15791      984/docker-proxy    
tcp6       0      0 :::443                  :::*                    LISTEN      0          15773      963/docker-proxy 

sha256: 49c4ced1a834b70c143c7425e72ea72982f07f8d1a3e0a8fce9f08f14d3f7da6

Debian 12 is here !

• Debian 12.x (Folder)
• Debian 12.0 (ISO) netinst
• Debian 12.1 (ISO) netinst
• Debian 12.2 (ISO) netinst
• Debian 12.3 (ISO) netinst
• Debian 12.4 (ISO) netinst

Links

you may find some of my Posts about Debian useful

• Bootstrapping Debian
• Docker on Debian
• Posts about Debian

Upgrade Script

assuming you have Debian 11.x running

cat << 'EOF' > /root/upgrade_to_v12.sh
#!/usr/bin/env bash

# set Version
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/*

# Update
apt-get -y update
apt-get -y upgrade
apt-get -y dist-upgrade
apt autoclean
apt autoremove
apt --purge autoremove

# you may add/update -> /etc/apt/sources.list
# deb http://security.debian.org/debian-security/ bookworm-security main
# deb-src http://security.debian.org/debian-security/ bookworm-security main

exit 0
EOF

chmod u+x /root/upgrade_to_v12.sh

Run

run the script and wait a few minutes …