aboutsummaryrefslogtreecommitdiff
path: root/content/docs
diff options
context:
space:
mode:
authorJulien Dessaux2021-04-16 17:42:55 +0200
committerJulien Dessaux2021-04-16 17:42:55 +0200
commit51de93e5b6b7a6b497e78b999a754f7d5086ddcc (patch)
treede36027b6a1e0d941605a7d0a4ff1b97ac3f9290 /content/docs
parentAdded a blog article about nginx rewrites (diff)
downloadwww-51de93e5b6b7a6b497e78b999a754f7d5086ddcc.tar.gz
www-51de93e5b6b7a6b497e78b999a754f7d5086ddcc.tar.bz2
www-51de93e5b6b7a6b497e78b999a754f7d5086ddcc.zip
Added articles
Diffstat (limited to 'content/docs')
-rw-r--r--content/docs/gentoo/upgrades.md39
-rw-r--r--content/docs/openbsd/_index.md6
-rw-r--r--content/docs/openbsd/pf.md39
3 files changed, 84 insertions, 0 deletions
diff --git a/content/docs/gentoo/upgrades.md b/content/docs/gentoo/upgrades.md
new file mode 100644
index 0000000..07d5c6b
--- /dev/null
+++ b/content/docs/gentoo/upgrades.md
@@ -0,0 +1,39 @@
+---
+title: "Gentoo Packages Upgrades"
+description: Gentoo packages upgrades on adyxax.org
+---
+
+## Introduction
+
+Here is my go to set of commands when I upgrade a gentoo box :
+{{< highlight sh >}}
+emerge-webrsync
+eselect news read
+{{< /highlight >}}
+
+The news have to be reviewed carefully and if I cannot act on it immediately I copy paste the relevant bits to my todolist.
+
+## The upgrade process
+
+I run the upgrade process in two steps. The first one is a straightforward upgrade that will stop upon any error to let you asses the situation :
+{{< highlight sh >}}
+emerge --update --newuse --deep --with-bdeps=y @world -q
+{{< /highlight >}}
+
+If all went well we can get to the cleaning pass :
+{{< highlight sh >}}
+unset ld_library_path && unset e_src && emerge -qaavutdn world --verbose-conflicts --keep-going && emerge --depclean -a && revdep-rebuild -i -- -q --keep-going; eclean distfiles
+{{< /highlight >}}
+
+After all this completes it is time to evaluate configuration changes :
+{{< highlight sh >}}
+etc-update
+{{< /highlight >}}
+
+If a new kernel has been emerged, have a look at [the specific process for that]({{< ref "kernel_upgrades" >}}).
+
+## Post-upgrade
+
+Depending of the changes it is now time to :
+- restart services that have been upgraded
+- reboot if the kernel or a crucial system component (like openssl) has been upgraded
diff --git a/content/docs/openbsd/_index.md b/content/docs/openbsd/_index.md
new file mode 100644
index 0000000..c79bf9b
--- /dev/null
+++ b/content/docs/openbsd/_index.md
@@ -0,0 +1,6 @@
+---
+title: "OpenBSD"
+description: OpenBSD related articles
+---
+
+I am a long time openbsd user, my first installation dating back to 2008.
diff --git a/content/docs/openbsd/pf.md b/content/docs/openbsd/pf.md
new file mode 100644
index 0000000..0eaafc4
--- /dev/null
+++ b/content/docs/openbsd/pf.md
@@ -0,0 +1,39 @@
+---
+title: pf.conf
+description: The template I use on new installations
+---
+
+## pf.conf
+
+The open ports list is refined depending on the usage obviously, and not all servers listen for wireguard... It is just a template :
+
+{{< highlight conf >}}
+vpns="{ wg0 }"
+
+table <myself> const { self }
+table <private> const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 }
+table <internet> const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 }
+
+##### Basic rules #####
+set skip on lo
+set syncookies adaptive (start 25%, end 12%)
+set block-policy return
+block drop in log quick from urpf-failed label uRPF
+block return log
+
+##### This firewall #####
+block drop in on egress
+pass in on egress proto { icmp, icmp6 } from <internet> to <myself>
+pass in on egress proto tcp from <internet> to <myself> port { http, https, imaps, smtp, smtps, ssh, submission }
+pass out from <myself> to any
+
+##### VPNs #####
+pass in on egress proto udp from <internet> to <myself> port 342
+pass in on $vpns from <private> to <myself>
+
+##### Openbsd stock rules #####
+# By default, do not permit remote connections to X11
+block return in on ! lo0 proto tcp to port 6000:6010
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+{{< /highlight >}}