awin/Obsidian-Main
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vault backup: 2024-02-16 14:10:29

Browse Source
This commit is contained in:
Awin Huang
2024-02-16 14:10:29 +08:00
parent 7111f2dad0
commit 25bb46c952
12 changed files with 70 additions and 608 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
05. 資料收集/架站/Gitea.md
View File

@@ -1,52 +0,0 @@
## docker-compose.yml
```yaml
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:latest
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
- DB_TYPE=mysql
- DB_HOST=db:3306
- DB_NAME=gitea
- DB_USER=gitea
- DB_PASSWD=gitea
- TZ=Asia/Taipei
restart: always
networks:
- gitea
volumes:
- ./datas/gitea:/data
- /home/git/.ssh/:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "322:322"
depends_on:
- db
db:
image: mysql:8
restart: always
environment:
- MYSQL_ROOT_PASSWORD=gitea
- MYSQL_USER=gitea
- MYSQL_PASSWORD=gitea
- MYSQL_DATABASE=gitea
networks:
- gitea
volumes:
- ./datas/db:/var/lib/mysql
```
## 文件
- [Gitea Docs: Config Cheat Sheet](https://docs.gitea.io/zh-tw/config-cheat-sheet/)
- [How to Install Gitea on Ubuntu Using Docker](https://www.digitalocean.com/community/tutorials/how-to-install-gitea-on-ubuntu-using-docker)

108
05. 資料收集/架站/HTTP Server/Apache.md
View File

@@ -1,108 +0,0 @@
## Install
```
sudo apt update && sudo apt install apache2
```
## 測試Apache
```
sudo service apache2 status
```
## 設置虛擬主機Virtual Hosts
假設要建立2個網站*test1.ui-code.com*與*test2.ui-code.com*
### 建立目錄並設置權限Permissions
```
sudo mkdir -p /var/www/test1.ui-code.com/public_html
sudo mkdir -p /var/www/test2.ui-code.com/public_html
sudo chmod -R 755 /var/www
```
### 建立測試頁面
#### 建立test1.ui-code.com的測試頁面
```
sudo nano /var/www/test1.ui-code.com/public_html/index.html
```
填入以下內容:
```html
<html>
<head>
<title>Welcome to test1.ui-code.com</title>
</head>
<body>
<h1>Welcome to test1.ui-code.com</h2>
</body>
</html>
```
#### 建立test2.ui-code.com的測試頁面
```
sudo nano /var/www/test2.ui-code.com/public_html/index.html
```
填入以下內容:
```html
<html>
<head>
<title>Welcome to test2.ui-code.com</title>
</head>
<body>
<h1>Welcome to test2.ui-code.com</h2>
</body>
</html>
```
### 建立虛擬主機文件Virtual Host Files
虛擬主機文件位於 /etc/apache2/sites-available/ 中,其用於告訴 Apache 網頁伺服器如何響應Respond 各種網域請求Request
讓我們為test1.ui-code.com 網域創建一個新的虛擬主機文件。
```
sudo nano /etc/apache2/sites-available/test1.ui-code.com.conf
```
將以下內容貼上:
```
<VirtualHost *:80>
ServerAdmin webmaster@test1.ui-code.com
ServerName test1.ui-code.com
ServerAlias www.test1.ui-code.com
DocumentRoot /var/www/test1.ui-code.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
再來為test2.ui-code.com 網域創建一個新的虛擬主機文件。
```
sudo nano /etc/apache2/sites-available/test2.ui-code.com.conf
```
將以下內容貼上:
```
<VirtualHost *:80>
ServerAdmin webmaster@test2.ui-code.com
ServerName test2.ui-code.com
ServerAlias www.test2.ui-code.com
DocumentRoot /var/www/test2.ui-code.com/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```
### 啟用新的虛擬主機文件Virtual Host Files
現在我們有兩個虛擬主機文件,我們需要使用 a2ensite 工具來啟用它們。
```
sudo a2ensite test1.ui-code.com
sudo a2ensite test2.ui-code.com
```
測試配置語法是否有錯誤。
```
apachectl configtest
```
如果「Syntax OK」重啟 Apache。
```
sudo systemctl reload apache2
```
## 參考
- [[教學][Ubuntu 架站] 在 Ubuntu 20.04 安裝 Apache 網頁伺服器,並架設多個網站(多網域) | 優程式](https://ui-code.com/archives/271)

292
05. 資料收集/架站/HTTP Server/Nginx/Reverse Proxy(Layer4).md
View File

@@ -1,292 +0,0 @@
## Reverse Proxy(Layer4)
一般的Reverse Proxy所用的方法雖然可以反向代理多個網站但是對於像是Trojan這種TLS不行被中斷的服務來說會導致handshake失敗所以需要用Nginx的stream來做Layer 4的轉發。
### docker-compose.yaml
需要先把`nginx.conf``mime.types`給copy到data目錄下。
依序執行下面2個命令
```shell
sudo docker run --rm -it nginx cat /etc/nginx/nginx.conf > nginx.conf
sudo docker run --rm -it nginx cat /etc/nginx/mime.types > mime.types
```
然後:
```shell
mkdir data ;\
mv nginx.conf mime.types data
```
建立`docker-compose.yaml`
```yaml
version: '3'
services:
nginx_reverseproxy_l4:
container_name: nginx
restart: always
image: nginx
ports:
- "80:80"
- "443:443"
volumes:
- ./data:/etc/nginx
```
修改`data/nginx.conf`
```nginx
events {
worker_connections 1024; <-- event 不用動
}
stream {
map $ssl_preread_server_name $backend_name {
tjn.awin.one trojan;
storj.awin.one swag;
}
# trojan
upstream trojan {
server 192.168.1.31:443;
}
# swag
upstream swag {
server 192.168.1.20:44320;
}
# 监听 443 并开启 ssl_preread
server {
listen 80 reuseport;
listen 443 reuseport;
listen [::]:443 reuseport;
proxy_pass $backend_name;
ssl_preread on;
}
}
http {
... <-- http 不用動
}
```
重點來源:
1. [Trojan 共用 443 端口方案 - 程小白](https://www.chengxiaobai.cn/record/trojan-shared-443-port-scheme.html)
2. [NaiveProxy + Trojan + 多HTTPS站点共存复用443端口 | 心底的河流](https://lhy.life/20200815-naiveproxy+trojan/)
3. `$ssl_preread_server_name`的官方說明:[Module ngx_stream_ssl_preread_module](http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html)
## Reverse Proxy
> **重要**確定docker與docker-compose已經安裝好。
> 參考[[RaspberryPi#Docker]]與[[RaspberryPi#docker-compose]]
### Use SWAG docker
[swag](https://github.com/linuxserver/docker-swag)(之前叫做letsencrypt)是linuxserver.io包裝的Nginx webserver和reverse proxy的container。
#### Setup HTTPS
1. 建立folder
```bash
mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag
```
2. 建立`docker-compose.yaml`
```
vim docker-compose.yaml
```
填入內容如下:
```yaml
version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Asia/Taipei
- URL=awin.one
- SUBDOMAINS=wildcard
- VALIDATION=dns
- CERTPROVIDER= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION= #optional
- DUCKDNSTOKEN= #optional
- EMAIL=awinhuang@gmail.com
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
- MAXMINDDB_LICENSE_KEY= #optional
volumes:
- ./config:/config
ports:
- 44320:443
- 8020:80 #optional
restart: unless-stopped
```
3. 先跑一次:
```bash
sudo docker-compose up
```
會發現有錯誤,這是正常的,錯誤訊息像這樣:
```
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag | Cleaning up challenges
swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
```
按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`
```bash
vim config/dns-conf/cloudflare.ini
```
把`config/dns-conf/cloudflare.ini`改為:
```
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values
With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>
# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```
4. 再跑一次:
```bash
sudo docker-compose up
```
這一次就可以順利取得認證了,訊息像這樣:
```
swag | IMPORTANT NOTES:
swag | - Congratulations! Your certificate and chain have been saved at:
swag | /etc/letsencrypt/live/awin.one/fullchain.pem
swag | Your key file has been saved at:
swag | /etc/letsencrypt/live/awin.one/privkey.pem
swag | Your certificate will expire on 2021-04-26. To obtain a new or
swag | tweaked version of this certificate in the future, simply run
swag | certbot again. To non-interactively renew *all* of your
swag | certificates, run "certbot renew"
swag | - If you like Certbot, please consider supporting our work by:
swag |
swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
swag | Donating to EFF: https://eff.org/donate-le
swag |
swag | New certificate generated; starting nginx
swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag | [cont-init.d] 50-config: exited 0.
swag | [cont-init.d] 60-renew: executing...
swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag | [cont-init.d] 60-renew: exited 0.
swag | [cont-init.d] 70-templates: executing...
swag | [cont-init.d] 70-templates: exited 0.
swag | [cont-init.d] 99-custom-files: executing...
swag | [custom-init] no custom files found exiting...
swag | [cont-init.d] 99-custom-files: exited 0.
swag | [cont-init.d] done.
swag | [services.d] starting services
swag | [services.d] done.
swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag | Server ready
```
最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出再來設定reverse proxy。
5. 修正`config/dns-conf/cloudflare.ini`的安全性問題
```
cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini
```
#### Setup reverse proxy
1. 建立folder
```
cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled
```
2. 建立以下檔案:
- `config/nginx/sites-available/common.conf`,內容:
```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
- `config/nginx/sites-available/common_location.conf`,內容:
```
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
```
- `config/nginx/sites-available/storj.conf`,內容:
```
upstream storj {
server 192.168.1.11:14002;
}
server {
listen 443 ssl;
server_name storj.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.11:14002/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
3. 在`config/nginx/sites-enabled`裡面建立要enable的config
```
cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -
```
4. 修改`config/nginx/nginx.conf`
```
vim config/nginx/nginx.conf
```
找到`include /config/nginx/site-confs/*;`這一行把它comment掉在下面新增一行
```
include /config/nginx/sites-enabled/*.conf;
```
5. 啟動swag
```
cd ~/dockers/linuxserverswag ; sudo docker-compose up -d
```
#### Restart
```bash
cd ~/dockers/linuxserverswag ; sudo docker-compose restart
```
#### Update certification
1. 進到dockr的swag bash裡面`sudo docker exec -it swag /bin/bash`
2. 輸入 `certbot renew`
3. ![[Pasted image 20210422205534.png]]
#### Trouble shooting
- 如果遇到類似下面的錯誤:
```
ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.
```
表示有其他程式佔住了80 port可能是其他docker container或是service必須先關閉它們。[^1]
#### 參考來源
1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag)
2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/)
3. [SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure)
-----
- 參考
- [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
- [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy)
- [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/)
- [俄羅斯不愧是戰鬥民族nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498)
[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/)

26
05. 資料收集/架站/Pelican blog.md
View File

@@ -1,26 +0,0 @@
## Create a site
Use `pelican-quickstart` to create a new site.
## Plugin
```bash
git clone --recursive https://github.com/getpelican/pelican-plugins.git
```
## Theme
先把所有佈景主題都clone下來
```bash
git clone --recursive https://github.com/getpelican/pelican-themes.git
```
`pelicanconf.py`裡面的`THEME`指向theme的目錄就可以換佈景主題了。例如要用[[blue-penguin](https://github.com/jody-frankowski/blue-penguin)]這一個主題。把`pelicanconf.py`裡面加入`THEME = 'pelican-themes/blue-penguin'`就可以了。
## 預覽
```
make html
make serve
```
參考:
- [koko's Note Python - 安裝 Pelican Theme 來改變你的靜態網站主題](https://note.koko.guru/install-pelican-theme.html)
- [nest theme](https://github.com/molivier/nest)
- [Flex theme](https://github.com/alexandrevicenzi/Flex/wiki/Custom-Settings)

260
05. 資料收集/架站/Proxmox VE.md
View File

@@ -1,260 +0,0 @@
# 安裝
## 下載ISO
- [Get the free Proxmox VE ISO installer](https://www.proxmox.com/en/downloads/category/iso-images-pve)
## 準備USB disk
- 用[Rufus](https://rufus.ie/)的話
1. 在遇到詢問是否要下載 Grub 時,請選擇「否」
2. 必須使用DD mode來建立開機碟。參考[Prepare Installation Media - Proxmox VE](https://pve.proxmox.com/wiki/Prepare_Installation_Media#_instructions_for_windows)
![[Pasted image 20210128212917.png]]
# 設定
## 關閉「闔上螢幕後休眠」
打開`/etc/systemd/logind.conf`
```
nano /etc/systemd/logind.conf
```
找到下面兩行把值改成ignore
```
HandleLidSwitch=ignore
HandleLidSwitchDocked=ignore
```
然後重開機:
```
systemctl restart systemd-logind.service
```
圖示:
![[Pasted image 20210129194144.png]]
## 增加硬碟
先用`lsblk`列出所有硬碟,這裡假設`sda`是我們的開機磁碟,我要要新增`sdb`
```
root@pve:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk <-- 目前在用的
├─sda1 8:1 0 1007K 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 931G 0 part
sdb 8:16 0 111.8G 0 disk <-- 要新增的
├─sdb1 8:17 0 100M 0 part
├─sdb2 8:18 0 16M 0 part
├─sdb3 8:19 0 111.1G 0 part
└─sdb4 8:20 0 563M 0 part
```
然後安裝`parted`,我們要用它來分割硬碟:
```
apt install parted
```
開始分割:
```
parted /dev/sdb mklabel gpt
```
建立primary partition格式為`ext4`
```
parted -a opt /dev/sdb mkpart primary ext4 0% 100%
```
再來將分割好的硬碟格式化為`ext4`label命名為`data2`
```
mkfs.ext4 -L data2 /dev/sdb1
```
再用`lsblk`看一次會發現sdb已經重新分割成1個partition了
```
root@pve:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
├─sda1 8:1 0 1007K 0 part
├─sda2 8:2 0 512M 0 part
└─sda3 8:3 0 931G 0 part
sdb 8:16 0 111.8G 0 disk
└─sdb1 8:17 0 111.8G 0 part
```
`lsblk -fs`可以看到每一個硬碟的檔案系統格式:
```
root@pve:~# lsblk -fs
NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sda1 zfs_member rpool 11775123664036754029
└─sda zfs_member rpool 11775123664036754029
sda2 vfat rpool 32D0-3449
└─sda zfs_member rpool 11775123664036754029
sda3 zfs_member rpool 11775123664036754029
└─sda zfs_member rpool 11775123664036754029
sdb1 ext4 data2 bc6d2c41-a3ca-4b0f-a5de-51ee28ae9cec <-- 剛剛分割的
└─sdb
```
接下來,將新硬碟掛載到檔案目錄上,先建立一個新目錄來掛載新硬碟:
```shell
mkdir -p /mnt/data
```
接下來編輯`/etc/fstab`,將新硬碟寫進來,這樣開機之後才會自動把它掛載起來:
```
nano /etc/fstab
```
加入這一行(注意:**data2**要改成你自己的label
```
LABEL=data2 /mnt/data ext4 defaults 0 2
```
剛新硬碟掛起來:
```
mount -a
```
`df`就可以看到新硬碟了:
```
root@pve:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
udev 16288892 0 16288892 0% /dev
tmpfs 3262688 9324 3253364 1% /run
rpool/ROOT/pve-1 942667136 1267584 941399552 1% /
tmpfs 16313440 43680 16269760 1% /dev/shm
tmpfs 5120 0 5120 0% /run/lock
tmpfs 16313440 0 16313440 0% /sys/fs/cgroup
rpool 941399680 128 941399552 1% /rpool
rpool/data 941399680 128 941399552 1% /rpool/data
rpool/ROOT 941399680 128 941399552 1% /rpool/ROOT
/dev/fuse 30720 16 30704 1% /etc/pve
tmpfs 3262688 0 3262688 0% /run/user/0
/dev/sdb1 114854020 61464 108915208 1% /mnt/data <-- 新硬碟在這裡
```
參考:
- [How to add storage to Proxmox](https://nubcakes.net/index.php/2019/03/05/how-to-add-storage-to-proxmox/)
## 增加iSCSI磁碟
### 增加需要CHAP認證的iSCSI磁碟
1. 先確認找的到iSCSI磁碟
```
iscsiadm -m discovery -t st -p 192.168.1.11:3260
```
如果有找到的話會回傳一串IQN值像是
```
root@pve:~# iscsiadm -m discovery -t st -p 192.168.1.11:3260
192.168.1.11:3260,1 iqn.2000-01.com.synology:DiskStation.Target-1.3e589efea3
[fe80::211:32ff:fe20:eadd]:3260,1 iqn.2000-01.com.synology:DiskStation.Target-1.3e589efea3
```
2. 有IQN就可以用下列的命令連線與掛載
```
iscsiadm -m node -T iqn.2000-01.com.synology:DiskStation.Target-1.3e589efea3 --op update --name node.session.auth.username --value=名字
iscsiadm -m node -T iqn.2000-01.com.synology:DiskStation.Target-1.3e589efea3 --op update --name node.session.auth.password --value=密碼
iscsiadm -m node -T iqn.2000-01.com.synology:DiskStation.Target-1.3e589efea3 -l #連線
iscsiadm -m node -o update -n node.startup -v automatic #設定開機自動掛載
```
## 增加NFS磁碟
1. 先在Synology上開一個NFS disk設定如下
![[Pasted image 20220506091522.png]]
2. 再到Proxmox的 Datacenter->Storage->Add 來增加一個 *NFS*,設定如下
![[Pasted image 20220506091624.png]]
### 更改NFS mount為soft
1. 編輯`/etc/pve/storage.cfg`
2. 做如下修改
![[Pasted image 20220506095531.png]]
### 參考
- [[經驗分享]Proxmox VE 採用 NFS 連接儲存的重點事項](http://blog.jason.tools/2019/02/pve-nfs-mount.html)
## 設定VM備份目錄
如果將VM或LXC備份到某個目錄先建立要備份的目錄
```shell
mkdir -p /mnt/data/backup/
```
再來用WEB UI操作如下
![[Pasted image 20210129202041.png]]
![[Pasted image 20210129202047.png]]
最後再到 Datacenter->Backups建立一個scheule來備份就可以了
![[Pasted image 20210129202231.png]]
## 將資料備份到NAS
1. 先在NAS開一個share folder跟一個帳號。
![[Pasted image 20210202190402.png]]
![[Pasted image 20210202190537.png]]
2. Proxmox到裡將剛剛新開的folder給掛載起來。
![[Pasted image 20210202190640.png]]
會跳出一個視窗,如下圖來填,記得**content**那一欄有4個要選。
![[Pasted image 20210202190709.png]]
3. Proxmox到 Datacenter->Backup 新增一個排程。
![[Pasted image 20210202190903.png]]
一樣會跳出一個視窗,依需求來填,要注意的是**Storage**必須是前一步驟的**ID****Selection Mode**可以選擇**All**。
![[Pasted image 20210202191150.png]]
參考:
- [HASS + Proxmox: Automatic Backups to Synology NAS](https://kleypot.com/automatic-offline-backups/)
## 設定 UPS
因為 UPS 的 USB 是連接在 NAS 上所以Proxmox這邊必須要去monitor NAS那邊所回報的狀態請確定NAS端有打開「啟用網路不斷電系統伺服器」。
1. 安裝 nut`apt-get install nut`
2. 修改 `/etc/nut/nut.conf`,設定 `MODE=netclient`
3. 修改 `/etc/nut/upsmon.conf`,加入一行:`MONITOR ups@<NAS_IP> 1 <NAS_Username> <NAS_UserPassword> slave`
4. 開始 upsmon`upsmon start`
5.`ps -ef | grep upsmon` 確認 upsmon是否執行
![[Pasted image 20220811145852.png|600]]
6. 若正常可以取回UPS的一些硬體資料`upsc ups@<NAS_IP>`
![[Pasted image 20220811150034.png|360]]
### 參考
- [UPSMON(8)](https://networkupstools.org/docs/man/upsmon.html)
- [不斷電系統 | DSM - Synology 知識中心](https://kb.synology.com/zh-tw/DSM/help/DSM/AdminCenter/system_hardware_ups?version=6)
- [設定 Proxmox VE連動Synology的不斷電系統](https://cychien.tw/wordpress/2022/02/02/%E8%A8%AD%E5%AE%9A-proxmox-ve%E9%80%A3%E5%8B%95synology%E7%9A%84%E4%B8%8D%E6%96%B7%E9%9B%BB%E7%B3%BB%E7%B5%B1/)
## 更新
### 加入更新來源
編輯`/etc/apt/sources.list`,加入:
```
deb http://ftp.debian.org/debian bullseye main contrib
deb http://ftp.debian.org/debian bullseye-updates main contrib
# PVE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib
```
### 取消訂閱服務
編輯`/etc/apt/sources.list.d/pve-enterprise.list`,把下面這行注釋掉:
```
deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise
```
也就是變成:
```
#deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise
```
使用`apt update`來更新套件。
使用`apt dist-upgrade`來升級系統版本。
## 重灌後要做的事情
1. 建立ZFS pool。
2. 確認S.M.A.R.T. 是否啟用,預設是啟用的。
`smartctl -a /dev/<SDA_N>`
1. 打開IOMMU
2. 打開vm aware
3. 增加NFS共享磁碟
4. 排程備份
5. 上傳安裝Windows需要的驅動ISO
1. [Windows VirtIO Drivers](https://pve.proxmox.com/wiki/Windows_VirtIO_Drivers)
6. 把常用的VM轉為template
7. 安裝[Cockpit-Linux Server](https://pvecli.xuan2host.com/cockpit/), 讓您的PVE有更棒的圖形管理介面。
## 參考
- [套件功能的更新Proxmox update](https://wiki.freedomstu.com/books/proxmox-ve-%E8%99%9B%E6%93%AC%E7%B3%BB%E7%B5%B1%E8%A8%98%E9%8C%84/page/%E5%A5%97%E4%BB%B6%E5%8A%9F%E8%83%BD%E7%9A%84%E6%9B%B4%E6%96%B0%EF%BC%88proxmox-update%EF%BC%89)
- [裝完PVE後的11件必作清單 (中文翻譯)](https://www.youtube.com/watch?v=pY4Lm2Hoqik)
- [Before I do anything on Proxmox, I do this first...](https://www.youtube.com/watch?v=GoZaMgEgrHw&t=0s)
# Trouble shooting
- *Emergency mode*,表示開機失敗,請檢查`/etc/fstab`是不是有無法掛載的disk。
## 參考
- [[Fix] Getting out of emergency mode : Proxmox](https://www.reddit.com/r/Proxmox/comments/hai75k/fix_getting_out_of_emergency_mode/)

247
05. 資料收集/架站/SWAG Reverse proxy.md
View File

@@ -1,247 +0,0 @@
[SWAG](https://docs.linuxserver.io/general/swag)可以幫我們反向代理並且有https。是由linuxserver.io包裝的Nginx webserver和reverse proxy的container。
#### 建立docker-compose
1. 建立folder
```bash
mkdir -p ~/dockers/linuxserverswag ; cd ~/dockers/linuxserverswag
```
2. 建立`docker-compose.yaml`
```
vim docker-compose.yaml
```
填入內容如下:
```yaml
version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=Asia/Taipei
- URL=awin.one
- SUBDOMAINS=wildcard
- VALIDATION=dns
- CERTPROVIDER= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION= #optional
- DUCKDNSTOKEN= #optional
- EMAIL=awinhuang@gmail.com
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
- MAXMINDDB_LICENSE_KEY= #optional
volumes:
- ./config:/config
ports:
- 44320:443
- 8020:80 #optional
restart: unless-stopped
```
3. 先跑一次:
```bash
sudo docker-compose up
```
會發現有錯誤,這是正常的,錯誤訊息像這樣:
```
swag | Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
swag | Cleaning up challenges
swag | Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
swag | ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
```
按`ctrl + c`退出。這時候`config`目錄也會有swag所mapping出來的相關檔案。修改`config/dns-conf/cloudflare.ini`
```bash
vim config/dns-conf/cloudflare.ini
```
把`config/dns-conf/cloudflare.ini`改為:
```
# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/certbot_dns_cloudflare/__init__.py#L20
# Replace with your values
With global api key:
dns_cloudflare_email = awinhuang@gmail.com
dns_cloudflare_api_key = <YOUR_API_KEY_FROM_CLOUDFLARE>
# With token (comment out both lines above and uncomment below):
#dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567
```
4. 再跑一次:
```bash
sudo docker-compose up
```
這一次就可以順利取得認證了,訊息像這樣:
```
swag | IMPORTANT NOTES:
swag | - Congratulations! Your certificate and chain have been saved at:
swag | /etc/letsencrypt/live/awin.one/fullchain.pem
swag | Your key file has been saved at:
swag | /etc/letsencrypt/live/awin.one/privkey.pem
swag | Your certificate will expire on 2021-04-26. To obtain a new or
swag | tweaked version of this certificate in the future, simply run
swag | certbot again. To non-interactively renew *all* of your
swag | certificates, run "certbot renew"
swag | - If you like Certbot, please consider supporting our work by:
swag |
swag | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
swag | Donating to EFF: https://eff.org/donate-le
swag |
swag | New certificate generated; starting nginx
swag | Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
swag | and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
swag | [cont-init.d] 50-config: exited 0.
swag | [cont-init.d] 60-renew: executing...
swag | The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
swag | [cont-init.d] 60-renew: exited 0.
swag | [cont-init.d] 70-templates: executing...
swag | [cont-init.d] 70-templates: exited 0.
swag | [cont-init.d] 99-custom-files: executing...
swag | [custom-init] no custom files found exiting...
swag | [cont-init.d] 99-custom-files: exited 0.
swag | [cont-init.d] done.
swag | [services.d] starting services
swag | [services.d] done.
swag | nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
swag | Server ready
```
最後一行的`swag | Server ready`表示server已經跑起來了。先按下`ctrl + c`退出再來設定reverse proxy。
5. 修正`config/dns-conf/cloudflare.ini`的安全性問題
```
cd ~/dockers/linuxserverswag ; chmod 600 config/dns-conf/cloudflare.ini
```
#### Setup reverse proxy
1. 建立folder
```
cd ~/dockers/linuxserverswag ; mkdir -p config/nginx/sites-available config/nginx/sites-enabled
```
2. 建立以下檔案:
- `config/nginx/sites-available/common.conf`,內容:
```
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
- `config/nginx/sites-available/common_location.conf`,內容:
```
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
```
- `config/nginx/sites-available/storj.conf`,內容:
```
upstream storj {
server 192.168.1.11:14002;
}
server {
listen 443 ssl;
server_name storj.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.11:14002/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
- `config/nginx/sites-available/blog.conf`,內容:
```
upstream blog {
server 192.168.1.30:80;
}
server {
listen 443 ssl;
server_name blog.awin.one;
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.30:80/;
include /config/nginx/sites-available/common_location.conf;
}
}
```
- `config/nginx/sites-available/gitea.conf`,內容:
```
upstream gitea {
server 192.168.1.32:3000; ## 網址
}
server {
listen 443 ssl;
server_name gitea.awin.one; ## 網域
include /config/nginx/sites-available/common.conf;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://192.168.1.32:3000/; ## 網址
include /config/nginx/sites-available/common_location.conf;
}
}
```
3. 在`config/nginx/sites-enabled`裡面建立要enable的config
```
cd config/nginx/sites-enabled ; ln -s ../sites-available/storj.conf . ; cd -
```
4. 修改`config/nginx/nginx.conf`
```
vim config/nginx/nginx.conf
```
找到`include /config/nginx/site-confs/*;`這一行把它comment掉在下面新增一行
```
include /config/nginx/sites-enabled/*.conf;
```
5. 啟動swag
```
cd ~/dockers/linuxserverswag ; sudo docker-compose up -d
```
#### Restart
```bash
cd ~/dockers/linuxserverswag ; sudo docker-compose restart
```
#### Update certification
1. 進到dockr的swag bash裡面`sudo docker exec -it swag /bin/bash`
2. 輸入 `certbot renew`
3. ![[Pasted image 20210422205534.png]]
#### Trouble shooting
- 如果遇到類似下面的錯誤:
```
ERROR: for swag Cannot start service swag: driver failed programming external connectivity on endpoint swag (7c527d046631e0957de0b831ca25bed296de76e2eb96378964cb0110d7fb017d): Bind for 0.0.0.0:443 failed: port is already allocated.
```
表示有其他程式佔住了80 port可能是其他docker container或是service必須先關閉它們。[^1]
#### 參考來源
1. [linuxserver/docker-swag: Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.](https://github.com/linuxserver/docker-swag)
2. [How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt](https://www.freecodecamp.org/news/docker-nginx-letsencrypt-easy-secure-reverse-proxy-40165ba3aee2/)
3. [SWAG setup - LinuxServer.io](https://docs.linuxserver.io/general/swag#understanding-the-proxy-conf-structure)
4. [NGINX Docs | NGINX Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
5. [Nginx 設定反向代理 Reverse Proxy](https://www.opencli.com/linux/nginx-config-reverse-proxy)
6. [用 Nginx 伺服器建立反向代理](https://noob.tw/nginx-reverse-proxy/)
7. [俄羅斯不愧是戰鬥民族nginx - iT 邦幫忙::一起幫忙解決難題,拯救 IT 人的一天](https://ithelp.ithome.com.tw/articles/10188498)
[^1]: [啟動docker時出現「Cannot start service :driver failed programming external connectivity on endpoint xxx, Bind for 0.0.0.0:80 failed: port is already allocated 」](https://mitsuiwei.com/docker-cannot-start-service/)

119
05. 資料收集/架站/Storj.md
View File

@@ -1,119 +0,0 @@
# 步驟摘要
1. 到[https://www.storj.io/host-a-node](https://www.storj.io/host-a-node)申請一個auth token。
2. 用identify產生key。
3. 認證 key。
4. 備份 key
5. Setup storj docker。
6. Run storj docker。
7. 更新
# 1. 申請一個auth token
到[https://www.storj.io/host-a-node](https://www.storj.io/host-a-node)填入email會產生一個伴隨email的隨機碼。
![[Pasted image 20240114200907.png]]
這一串要記下來。
# 用identify產生key
## 下載
### Windows
下載 `https://github.com/storj/storj/releases/latest/download/identity_windows_amd64.zip`
### Linux
#### X86
```bash
curl -L https://github.com/storj/storj/releases/latest/download/identity_linux_amd64.zip -o identity_linux_amd64.zip
unzip -o identity_linux_amd64.zip
chmod +x identity
sudo mv identity /usr/local/bin/identity
```
#### ARM
```bash
curl -L https://github.com/storj/storj/releases/latest/download/identity_linux_arm.zip -o identity_linux_arm.zip
unzip -o identity_linux_arm.zip
chmod +x identity
sudo mv identity /usr/local/bin/identity
```
## 產生 identity
這一步會跑很久建議用CPU比較強的來跑在樹莓派上面會跑很久。
### Windows
`./identity.exe create storagenode`
### Linux
`identity create storagenode`
# 認證 Key
## 認證
等一下的 `<email:characterstring>` 就是第1步說要記起來的那一串
### Windows
`./identity.exe authorize storagenode <email:characterstring>`
### Linux
`identity authorize storagenode <email:characterstring>`
## 確認
### Windows
`(sls BEGIN "$env:AppData\Storj\Identity\storagenode\ca.cert").count` 應該要return 2
`(sls BEGIN "$env:AppData\Storj\Identity\storagenode\identity.cert").count` 應該要return 3
### Linux
`grep -c BEGIN ~/.local/share/storj/identity/storagenode/ca.cert` 應該要return 2
`grep -c BEGIN ~/.local/share/storj/identity/storagenode/identity.cert` 應該要return 3
# 備份 key
Windows 上產生的 key 會放在 `%APPDATA%\Storj\Identity\storagenode`
Linux 上產生的 key 會放在 `~/.local/share/storj/identity/storagenode`
記得備份。
# Setup storj docker
Do this **once**.
```bash
sudo docker run --rm -e SETUP="true" \
--mount type=bind,source="/home/awin/storj/key",destination=/app/identity \
--mount type=bind,source="/home/awin/storj/data",destination=/app/config \
--name storagenode storjlabs/storagenode:latest
```
# Run storj docker
```bash
sudo docker run -d --restart always --stop-timeout 300 \
-p 28967:28967/tcp \
-p 28967:28967/udp \
-p 14002:14002 \
-e WALLET="0x9Ce80345355Ad8C17991620E13d8423900CEDcd0" \
-e EMAIL="awinhuang@gmail.com" \
-e ADDRESS="storj.awin.one:28967" \
-e STORAGE="1.6TB" \
--memory=800m \
--log-opt max-size=50m \
--log-opt max-file=10 \
--mount type=bind,source=/home/awin/storj/key,destination=/app/identity \
--mount type=bind,source=/home/awin/storj/data,destination=/app/config \
--name storagenode storjlabs/storagenode:latest
```
# 更新
更新 node 可以選擇用 docker 裝[storjlabs/watchtower](https://hub.docker.com/r/storjlabs/watchtower/tags) ,或是手動更新
## watchtower
```shell
sudo docker pull storjlabs/watchtower
sudo docker run -d --restart=always --name watchtower -v /var/run/docker.sock:/var/run/docker.sock storjlabs/watchtower storagenode watchtower --stop-timeout 300s
```
等 [[00. Inbox/樹莓派/Watchtower|Watchtower]] 跑起來之後,可以用 `sudo docker exec -it storagenode /app/dashboard.sh` 來即時觀察執行流量。
## 手動
```shell
sudo docker stop -t 300 storagenode
sudo docker rm storagenode
sudo docker pull storjlabs/storagenode:latest
```
# 參考
- [Step 2. Get an Authorization Token - Storj Docs](https://docs.storj.io/node/get-started/auth-token)
- [Step 5. Create an Identity - Storj Docs](https://docs.storj.io/node/get-started/identity)
- [Install storagenode on Raspberry Pi3 or higher version Storj](https://support.storj.io/hc/en-us/articles/360026612332-Install-storagenode-on-Raspberry-Pi3-or-higher-version)

38
05. 資料收集/架站/Trojan.md
View File

@@ -1,38 +0,0 @@
## 準備
1. 新增一台container先更新container
```
apt update ;\
apu upgrade -y ;\
apt install curl vim -y
```
2. 安裝trojan
```
mkdir -p ~/trojan ;\
cd ~/trojan
curl -O https://raw.githubusercontent.com/atrandys/trojan/master/trojan_mult.sh ; chmod +x trojan_mult.sh ; ./trojan_mult.sh
```
3. ![trojan](https://lab.twidc.net/wp-content/uploads/2020/12/2-1.jpg)
4. ![3 1](https://lab.twidc.net/wp-content/uploads/2020/12/3-1.jpg)
5. ![4 1](https://lab.twidc.net/wp-content/uploads/2020/12/4-1.jpg)
6. ![5 1](https://lab.twidc.net/wp-content/uploads/2020/12/5-1.jpg)
-----
參考:
1. [Trojan 上網架設(替代VPN)爬梯子 科學上網 利器 - TWIDC](https://lab.twidc.net/trojan-%E4%B8%8A%E7%B6%B2%E6%9E%B6%E7%BD%AE%E6%9B%BF%E4%BB%A3vpn/)
2. [Trojan搭建私人VPN - Lingme](https://lingmin.me/2020/03/03/TrojanVPS/)
3. [[转载+修改]使用Trojan-Go科学上网 - 996 RIP](https://typecho.996.rip/index.php/archives/20/)
4. Source code: [Releases · trojan-gfw/trojan](https://github.com/trojan-gfw/trojan/releases)
## 更新憑證
1. 更新acme`acme.sh --upgrade`
2. 先停止 trojan-web
```bash
systemctl stop trojan-web
```
3. 停止 trojan如下圖
![[Pasted image 20220815134750.png|500]]
4. 切換到 `/root/.acme.sh`,執行 `./acme.sh --cron -f`,如果憑證更新成功,應該會看到類似如下訊息:
![[Pasted image 20220815135026.png|800]]
5. 重啟 trojan
![[Pasted image 20220815135248.png|400]]
6. 重啟trojan-web`systemctl start trojan-web`