
Update Proxmox and misc. config notes

Håvard O. Nordstrand 5 years ago
parent
commit
316c216cd2

+ 14 - 3
config/linux-general/examples.md

@@ -27,7 +27,9 @@ breadcrumbs:
 
 ### Fun
 
-- Pretty colors: `<something> | lolcat`
+- Color text from STDIN: `lolcat`
+- `cowsay`
+- `fortune`
 
 ### Installations and Packages
 
@@ -80,6 +82,10 @@ breadcrumbs:
 
 - Show CPU vulnerabilities: `tail -n +1 /sys/devices/system/cpu/vulnerabilities/*`
 
+### Storage
+
+- Test read speed: `hdparm -t <dev>` (safe)
+
 ### System
 
 - Get version info:
@@ -89,11 +95,16 @@ breadcrumbs:
         - CentOS: `/etc/centos-release`
     - General release info: `uname -a`
     - Slightly more distro-specific release info: `lsb_release -a`
-- Monitor system and processes: `htop`
+- Monitor a mix of everything: 
+    - `glances`
+    - `ytop`
+- Monitor system and processes:
+    - `htop`
 - Monitor interrupts:
     - `irqtop`
     - `watch -n0.1 /proc/interrupts`
-- Monitor lots of stuff: `glances`
+- Stress test:
+    - Stress CPU: `stress-ng -c $(nproc) -t 600`
 
 ## Tasks
 

+ 177 - 46
config/linux-servers/applications.md

@@ -6,13 +6,54 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-**TODO** Migrate the rest of the config notes from the old Google Doc.
-
 ### Using
 {:.no_toc}
 
 - Debian 10 Buster
 
+## Apache
+
+**Outdated and missing information**
+
+## Setup
+
+1. Install: `apt install apache2`
+1. Update `security.conf`:
+    ```
+    ServerTokens Prod
+    ServerSignature Off
+    ```
+
+## Usage
+
+- Enable/disable stuff: `a2<en|dis><conf|mod|site> <...>`
+- Test configuration: `apache2ctl`
+
+## AWS CLI
+
+**Possibly outdated**
+
+### Setup
+
+- Guide: [AWS: Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html)
+- Install `awscli` through pip3
+- Fix permissions: `chmod +x /usr/local/bin/aws`
+
+### Usage
+
+- Login: `aws configure [--profile <profile>]`
+    - This will store the credentials for the current Linux user.
+    - London region: `eu-west-2`
+    - Output format: `json`
+- Examples:
+    - Upload file: `aws s3 cp <local_file> s3://<bucket>/`
+
+## bitwarden_rs
+
+A free community backend for Bitwarden.
+
+**TODO**
+
 ## Ceph
 
 See [Storage: Ceph](../storage/#ceph).
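Review bot: `apache2ctl` on its own (the "Test configuration" bullet) only prints usage; the configuration test is `apache2ctl configtest` (or `apache2ctl -t`). In the AWS CLI section, "Login" is misleading for `aws configure`: it writes the access key pair in plaintext to `~/.aws/credentials` for the current Linux user, so the sub-bullet should say that and that the file is per-user and must stay private. "Fix permissions: `chmod +x /usr/local/bin/aws`" reads as a workaround for a broken pip install; state when it is actually needed.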
@@ -37,22 +78,51 @@ See [Storage: Ceph](../storage/#ceph).
 
 Use [cloudflare-ddns-updater.sh](https://github.com/HON95/scripts/tree/master/server/linux/cloudflare).
 
-## Docker & Docker Compose
-
-**TODO**
+## Docker
 
 ### Setup
 
-1. [Install Docker (Debian)](https://docs.docker.com/install/linux/docker-ce/debian/).
-1. [Install Docker Compose](https://docs.docker.com/compose/install/).
-1. [Install Docker Compose command completion](https://docs.docker.com/compose/completion/).
+1. Install: [Docker Documentation: Get Docker Engine - Community for Debian](https://docs.docker.com/install/linux/docker-ce/debian/).
 1. (Optional) Setup swap limit:
     - If `docker info` contains `WARNING: No swap limit support`, it's not working and should maybe be fixed.
     - It incurs a small performance degredation and is optional but recommended.
     - In `/etc/default/grub`, add `cgroup_enable=memory swapaccount=1` to `GRUB_CMDLINE_LINUX`.
     - Run `update-grub` and reboot.
+1. Configure `/etc/docker/daemon.json`:
+    - Set DNS servers: `"dns": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]`
+    - (Optional) Disable automatic IPTables rules: `"iptables": false`
+    - Enable IPv6: `"ipv6": true`
+    - Set IPv6 default subnet: `"fixed-cidr-v6": <64-prefix>`
+1. (Optional, not recommended on servers) Allow certain users to use Docker: Add them to the `docker` group.
 
-### Docker Compose No-Exec Tmp-Dir Fix
+### Usage
+
+- Docker run options:
+    - Set name: `--name=<name>`
+    - Run in detatched mode: `-d`
+    - Run using interactive terminal: `-it`
+    - Automatically remove when stopped: `--rm`
+    - Automatically restart: `--restart=unless-stopped`
+    - Use "tini" as entrypoint and use PID 1: `--init`
+    - Set env var: `-e <var>=<val>`
+    - Publish network port: `-p <host-port>:<cont-port>[/udp]`
+    - Mount volume: `-v <vol>:<cont-path>` (`<vol>` must have a path prefix like `./` or `/` if it is a directory and not a named volume)
+- Networks:
+    - Create bridged network: `docker network create --driver=bridge --ipv6 --subnet=<ipv4-net> --subnet=<ipv6-net> <name>`
+    - Create bridged network connected to host interface: `docker network create --driver=bridge --ipv6 --subnet=<ipv4-net> --gateway=<ipv4-gateway> --subnet=<ipv6-net> --gateway=<ipv6-gateway> -o "com.docker.network.bridge.name=<host-if> <name>`
+    - Run container with network: `docker run --network=<net-name> --ip=<ipv4-addr> --ip6=<ipv6-addr> --dns=<dns-server> <image>`
+
+## Docker Compose
+
+### Setup
+
+1. Install Docker: See above.
+1. Install: [Docker Documentation: Install Docker Compose](https://docs.docker.com/compose/install/).
+1. Install command completion: [Docker Documentation: Command-line completion](https://docs.docker.com/compose/completion/).
+
+### Troubleshooting
+
+#### Fix Docker Compose No-Exec Tmp-Dir
 
 Docker Compose will fail to work if `/tmp` has `noexec`.
 
@@ -60,6 +130,8 @@ Docker Compose will fail to work if `/tmp` has `noexec`.
 1. Create `/usr/local/bin/docker-compose` with the contents below and make it executable.
 1. Create the new TMPDIR dir.
 
+New `docker-compose`:
+
 ```sh
 #!/bin/bash
 # Some dir without noexec
@@ -110,6 +182,35 @@ export TMPDIR=/var/lib/docker-compose-tmp
 1. Prepare it for removal: `isdct start -intelssd <target> -standby`
 1. Reconnect the drives or restart the system.
 
+## Google Authenticator
+
+**Possibly outdated**
+
+This setup requires pubkey plus MFA (if configured) plus password.
+
+### Setup
+
+- Warning: Keep a shell open and test with a new shell during the process to make sure you don’t lock yourself out.
+- Install: `apt install libpam-google-authenticator`
+- In `/etc/pam.d/sshd`, add `auth required pam_google_authenticator.so nullok` after `@include common-auth`.
+- In `/etc/ssh/sshd_config`, set:
+    ```
+    ChallengeResponseAuthentication yes
+    UsePAM yes
+    AuthenticationMethods publickey,keyboard-interactive
+    ```
+- Restart `sshd` and check that you can login with pubkey and MFA now.
+- (Optional) Add my [google-auth-config-prompter.sh](https://github.com/HON95/scripts/blob/master/server/linux/general/google-auth-config-prompter.sh) profile script to `/etc/profile.d/` to ask user to configure Google Auth on login.
+- To allow a group to use only pubkey (no password or OTP):
+    - In `/etc/ssh/sshd_config`, add `Match Group no-mfa` containing `AuthenticationMethods publickey` (indented) at the bottom.
+    - Add the system group `no-mfa` and add special users to it.
+- To manually configure MFA for a user:
+    - Example: `google-authenticator -tduW`
+    - Use time-based tokens.
+    - Restrict usage of the same token multiple times.
+    - Don’t rate limit.
+    - Allow 3 concurrent codes (1 before, 1 after).
+
 ## ISC DHCP Server
 
 ### Notes
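Review bot: `-W` in the example `google-authenticator -tduW` contradicts the bullet "Allow 3 concurrent codes (1 before, 1 after)": `-W`/`--minimal-window` disables the window so only the current code is accepted; drop `-W` (the default window is 3) or use `-w 3` explicitly. `nullok` on the PAM line means a user without a `~/.google_authenticator` file logs in with pubkey plus password only, so MFA is opt-in per user; say that where the intro says "(if configured)" and consider removing `nullok` once everyone is enrolled. "Don't rate limit" (`-u`) also drops the module's default limit of 3 attempts per 30 seconds on six-digit codes; a sentence on why that is acceptable here would help.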
@@ -218,6 +319,29 @@ This is not considered secure at all and should only be used on trusted networks
 1. In `/etc/ntp.conf`, replace existing servers/pools with `ntp.justervesenet.no` with the `iburst` option.
 1. Test with `ntpq -pn` (it may take a minute to synchronize).
 
+## OpenSSL
+
+### Usage
+
+- Many OpenSSL default options are insecure and must be specified.
+- Specifying `-noout -text` prints the data as formatted text instead of raw Base64.
+
+## Pi-hole (Docker)
+ 
+- (Optional) Set up an upstream DNS server.
+- Image: pihole/pihole
+- Run on LAN-accessible bridge.
+- Don’t give capability NET_ADMIN.
+- Add a reject rule in the firewall to more easily block HTTPS ads.
+- Find the admin password with `docker logs pihole 2>&1 | grep "random password"`
+- Specify the upstream DNS server twice so that it doesn’t choose the second itself.
+- Whitelists and blacklists:
+    - Blacklist (example): https://v.firebog.net/hosts/lists.php
+    - Whitelist (example): https://github.com/anudeepND/whitelist
+    - Add blocklists to `/etc/pihole/adlists.list`.
+    - Add whitelist domains to `/etc/pihole/whitelist.txt`.
+    - Run `pihole -g` to update lists.
+
 ## Postfix
 
 ### Satellite system
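Review bot: "Many OpenSSL default options are insecure and must be specified" names no option, so the reader cannot act on it; list the ones meant (key sizes, digests, cipher selection) or drop the sentence until the section is written. In the Pi-hole list, the line after the heading carries trailing whitespace, and "Add a reject rule in the firewall to more easily block HTTPS ads" should say what is rejected (presumably TCP 443 towards the Pi-hole's own address, so clients fail fast instead of hanging) since a bare "reject rule" is ambiguous.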
@@ -231,34 +355,34 @@ This is not considered secure at all and should only be used on trusted networks
 
 1. Install: `postfix libsasl2-modules mailutils`
     - If asked, choose to configure Postfix as a satellite system.
-2. Set the FQDN:
+1. Set the FQDN:
     1. Update it in `/etc/postfix/main.cf`.
     1. Link mailname to hostname (must be FQDN): `ln -sf /etc/hostname /etc/mailname`
-3. Update the root alias in `/etc/aliases` and run `newaliases`.
-4. Update the `main.cf` config (example not provided here).
-    1. Only listen to localhost: Set “inet\_interfaces = loopback-only”
-    2. Disable relaying: Set “mynetworks = 127.0.0.0/8 \[::ffff:127.0.0.0\]/104 \[::1\]/128”
-    3. Anonymize banner: “smtpd\_banner = $myhostname ESMTP”
-5. Relay guides:
-    1. Mailgun:
-      1. [How To Start Sending Email (Mailgun)](https://documentation.mailgun.com/en/latest/quickstart-sending.html)
-      2. [How to Set Up a Mail Relay with Postfix and Mailgun on Ubuntu 16.04 (](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04)[DigitalOcean)](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04)
-    2. SendGrid:
-      1. [Postfix (SendGrid)](https://sendgrid.com/docs/for-developers/sending-email/postfix/)
-      2. Use API-key with permission to send mail only.
-      3. The API-key username is `apikey`.
-6. Setup address rewrite rules:
+1. Update the root alias in `/etc/aliases` and run `newaliases`.
+1. Update the `main.cf` config (example not provided here).
+    1. Only listen to localhost: Set `inet\_interfaces = loopback-only`
+    1. Disable relaying: Set `mynetworks = 127.0.0.0/8 \[::ffff:127.0.0.0\]/104 \[::1\]/128`
+    1. Anonymize banner: `smtpd\_banner = $myhostname ESMTP`
+1. See the specific relay guides:
+    - Mailgun:
+        - [How To Start Sending Email (Mailgun)](https://documentation.mailgun.com/en/latest/quickstart-sending.html)
+        - [How to Set Up a Mail Relay with Postfix and Mailgun on Ubuntu 16.04 (](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04)[DigitalOcean)](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04)
+    - SendGrid:
+        - [Postfix (SendGrid)](https://sendgrid.com/docs/for-developers/sending-email/postfix/)
+        - Use API-key with permission to send mail only.
+        - The API-key username is `apikey`.
+1. Setup address rewrite rules:
     - For fixing the `To` and `From` fields, which is typically from root to root.
     - Add the rewrite config (see example below).
     - Reference the config using `smtp_header_checks` in the main config.
     - Test: `postmap -fq "From: root@<FQDN>" regexp:smtp_header_checks`
-7. Setup relay credentials (SASL):
+1. Setup relay credentials (SASL):
     1. Credentials file: `/etc/postfix/sasl_passwd`
     2. Add your credentials using format: `[relay_domain]:port user@domain:password`
     3. Run: `postmap sasl_passwd`
     4. Fix permissions: `chmod 600 sasl_passwd*`
-8. Restart `postfix`.
-9. Try sending an email: `echo "Test from $(hostname) at time $(date)." | mail -s "Test" root`
+1. Restart `postfix`.
+1. Try sending an email: `echo "Test from $(hostname) at time $(date)." | mail -s "Test" root`
 
 #### Examples
 
@@ -274,7 +398,7 @@ This is not considered secure at all and should only be used on trusted networks
 - Send a test mail: `echo "Test from $HOSTNAME at time $(date)." | mail -s "Test" root`
 - Test the config: `postconf > /dev/null`
 - Print the config: `postconf -n`
-- If mails are stuck in the mail queue (`mailq`) because of previous errors, run `postqueue -f` to flush them.
+- If `mailq` tells you mails are stuck in the mail queue because of previous errors, run `postqueue -f` to flush them.
 
 ## Pterodactyl
 
@@ -321,11 +445,20 @@ This is not considered secure at all and should only be used on trusted networks
 #### Setup
 
 1. Install: `apt install samba`
-1. Open TCP port 445.
+1. Open TCP port 445 (and 139 if using NetBIOS).
+1. (Optional) Disable NetBIOS: `systemctl disable --now nmbd` and `systemctl mask nmbd`
 1. Configure it (see usage).
 
 #### Usage
 
+- Enforce encryption and signing (`server signing` and `smb encrypt`) on important volumes.
+- Performance tuning:
+    - Socket options: `socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY`
+    - If the stuff is not important and the network is secure and high throughput is desired: `smb encrypt = disabled`
+    - Raw IO: `read raw = yes` and `read raw = yes`
+    - Sendfile: `use sendfile = yes`
+    - Zero-copy from net to FS (doesn't work for signed connections): `min receivefile size = 16384`
+    - Async RW for large files: `aio read size = 16384` and `aio write size = 16384`
 - Making changes:
     - Change the configuration file: `/etc/samba/smb.conf`
     - Test the configuration: `testparm -t`
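Review bot: "Raw IO: `read raw = yes` and `read raw = yes`" repeats the same parameter; the second one is presumably `write raw = yes`. The list also places a hardening bullet (`server signing` and `smb encrypt` on important volumes) right above a tuning bullet that sets `smb encrypt = disabled`; keep the latter clearly scoped to "unimportant data on a trusted network", and note that `min receivefile size` (already marked as not working for signed connections) will not apply to the hardened shares either.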
@@ -388,25 +521,23 @@ TFTP_OPTIONS="--create --secure"
 ### Setup
 
 1. Install: `unbound dns-root-data`
-2. Setup the config: `/etc/unbound/unbound.conf`
-3. Add hostname variants to `/etc/hosts`.
-4. Configure it in `/etc/resolv.conf`:
-    1. `nameserver 127.0.0.1`
-    2. `search <domain>`
-    3. `domain <domain>`
-5. Configure it in `/etc/systemd/resolved.conf`:
-    1. `DNSStubListener=no`
-    2. `DNS=127.0.0.1`
-    3. Restart `systemd-resolved`.
-6. Test DNSSEC:
+1. Setup the config: `/etc/unbound/unbound.conf`
+1. Test DNSSEC:
     1. `drill sigfail.verteiltesysteme.net` should give an rcode of `SERVFAIL`.
     2. `drill sigok.verteiltesysteme.net` should give an rcode of `NOERROR`.
-7. Make sure dns-root-data is updating root hints in file `/usr/share/dns/root.hints`.
-
-### Troubleshooting
-
-- It sometimes stops resolving names and responds with "servfail".
-  - I don't know why. Restarting it works.
+1. Make sure dns-root-data is updating root hints in file `/usr/share/dns/root.hints`.
+
+#### Setup the Local Host to Use It
+
+1. Add hostname variants to `/etc/hosts`.
+1. Configure the local host to use it in `/etc/resolv.conf`:
+    - `nameserver 127.0.0.1`
+    - `search <domain>`
+    - `domain <domain>`
+1. Configure the local host to use it in `/etc/systemd/resolved.conf`:
+    - `DNSStubListener=no`
+    - `DNS=::1`
+    - Restart `systemd-resolved`.
 
 ### Notes
 

+ 25 - 25
config/linux-servers/debian.md

@@ -88,7 +88,8 @@ breadcrumbs:
       ```
     - Restart `sshd`.
 1. Update MOTD:
-    - Clear `/etc/motd`.
+    - Clear `/etc/motd` and `/etc/issue`.
+    - (Optional) Add a MOTD script (see below).
 1. (Not recommended) Prevent root login:
     - Alternatively, keep it enabled with a strong password as a local backdoor for recovery or similar.
     - Add a personal user first.
@@ -98,25 +99,12 @@ breadcrumbs:
     - The default journal directory is `/var/log/journal`. By default, it's not automatically created.
     - In `/etc/systemd/journald.conf`, under `[Journal]`, set `Storage=persistent`.
     - `auto` (the default) is like `persistent` but does not automatically create the log directory.
-1. (Optional) Add swap file:
-    1. Show if swap is already enabled: `swapon --show`
-    1. Allocate the swap file: `fallocate -l <size> /swapfile`
-        - Alternatively, use dd.
-    1. Fix the permissions: `chmod 600 /swapfile`
-    1. Setup the swap file: `mkswap /swapfile`
-    1. Activate the swap file: `swapon /swapfile`
-        - Check: `swapon --show`
-    1. Add it to fstab using this line: `/swapfile swap swap defaults 0 0`
-        - Check: `mount -a`
-    1. (Optional) Reduce swappiness: Add `vm.swappiness = 10` to `/etc/sysctl.conf`.
-1. (Recommended) Postfix mail relay: **TODO**
+1. (Recommended) Postfix mail relay: See [Linux Server Applications: Postfix](../applications/#postfix) (satellite system).
 
 ### Machine-Specific Configuration
 
 #### Physical Host
 
-1. **TODO** SSD optimizations. (Not super important any more.)
-1. (Optional) Reduce swappiness: Add `vm.swappiness = 10` to `/etc/sysctl.conf`.
 1. Install extra firmware:
     - Install `firmware-linux` or `firmware-linux-free` for some common firmware and microcode.
     - APT package examples: `firmware-atheros -bnx2 -bnx2x -ralink -realtek`
@@ -125,6 +113,18 @@ breadcrumbs:
 1. Install `smartmontools` and run `smartctl -s on <dev>` for all physical drives to enable SMART monitoring.
 1. Install `lm-sensors` and run `sensors-detect` to detect temperatur sensors etc. Add the modules to `/etc/modules` when asked.
 1. Mask `ctrl-alt-del.target` to disable CTRL+ALT+DEL reboot at the login screen.
+1. (Optional) Set up a swap file:
+    1. (Note) Avoid using swapping if possible. If you really need it but don't intend on using it too often (e.g. for hibernation), consider putting it on a larger, slower disk.
+    1. Show if swap is already enabled: `swapon --show`
+    1. Allocate the swap file: `fallocate -l <size> /swapfile`
+        - Alternatively, use dd.
+    1. Fix the permissions: `chmod 600 /swapfile`
+    1. Setup the swap file: `mkswap /swapfile`
+    1. Activate the swap file: `swapon /swapfile`
+        - Check: `swapon --show`
+    1. Add it to fstab using this line: `/swapfile swap swap defaults 0 0`
+        - Check: `mount -a`
+    1. (Optional) Reduce swappiness: Add `vm.swappiness = 10` to `/etc/sysctl.conf`.
 
 #### QEMU Virtual Host
 
@@ -142,19 +142,19 @@ breadcrumbs:
     1. Restart the system and check if still working. This will also kill any dhclient daemons which could trigger a DHCP renew at some point.
 1. (Other alternative) Setup networking using ifupdown2:
     1. Install `ifupdown2`. (This may take the network down, so do it locally.)
-    1. Restart `networking.service` afterward.
+    1. For VLAN support, install `vlan`.
+    1. For bond support, install `ifenslave`.
+    1. Restart `networking.service` afterwards.
     1. Configure `/etc/network/interfaces`.
-    - For VLAN support, install `vlan`.
-    - For bond support, install `ifenslave`.
 1. (Recommended alternative) Setup DNS with systemd-resolved:
     1. (Optional) In `/etc/systemd/resolved.conf`, set `DNS` to a space separated list of DNS servers.
-       If not set, this will use the DNS servers specified by the network config.
+       If not set, this will just use the DNS servers specified by the network config.
     1. (Optional) If you're hosting a DNS server on this machine, set `DNSStubListener=no` to avoid binding to port 53.
     1. Enable and start `systemd-resolved.service`.
     1. Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
     1. Check status: `resolvectl`
 1. (Other alternative) Setup DNS without systemd-resolved:
-    1. Configure `/etc/resolv.conf`.
+    1. Manually configure `/etc/resolv.conf`.
 1. Setup time and NTP:
     1. Set the timezone: `timedatectl set-timezone Europe/Oslo`
     1. Enable network time: `timedatectl set-ntp true`
@@ -164,8 +164,8 @@ breadcrumbs:
     1. Check status works: `timedatectl` and `timedatectl timesync-status`
 1. Setup firewall:
     - Install: `apt install iptables iptables-persistent netfilter-persistent`
-        - Don't save the current rules.
-    - Add som [simple](https://github.com/HON95/configs/blob/master/server/linux/iptables/iptables-simple.sh) or [complex](https://github.com/HON95/configs/blob/master/server/linux/iptables/iptables-complex.sh) rules.
+        - Don't save the current rules when it asks.
+    - Add [a simple iptables script](https://github.com/HON95/configs/blob/master/server/linux/iptables/iptables-simple.sh) or something more complex.
 1. Reboot and make sure it still works.
 
 ### Extra
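Review bot: after "Don't save the current rules when it asks" and "Add [a simple iptables script]", nothing saves the applied rule set; `netfilter-persistent` only restores what is in `/etc/iptables/rules.v4` and `rules.v6`, so unless the linked script writes those files the rules are gone after the "Reboot and make sure it still works" step. Add a `netfilter-persistent save` step, or state that the script handles it.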
@@ -189,15 +189,15 @@ Everything here is optional.
     - Install `lynis`.
     - Run `lynis audit system`.
 1. MOTD:
-    - Clear `/etc/motd`.
-    - Download [dmotd.sh](https://github.com/HON95/configs/blob/master/server/linux/profile/dmotd.sh) to `/etc/profile.d/`.
+    - Clear `/etc/motd` and `/etc/issue`.
+    - Download [dmotd.sh](https://github.com/HON95/scripts/blob/master/server/linux/general/dmotd.sh) to `/etc/profile.d/`.
     - Install the dependencies: `neofetch lolcat`
     - Add an ASCII art (or Unicode art) logo to `/etc/logo`, using e.g. [TAAG](http://patorjk.com/software/taag/).
     - (Optional) Add a MOTD to `/etc/motd`.
     - (Optional) Clear or change the pre-login message in `/etc/issue`.
     - Test it (as a normal user): `bash /etc/profile.d/dmotd.sh`
 1. Monitor free disk space:
-    - Download [disk-space-checker.sh](https://github.com/HON95/configs/blob/master/server/linux/cron/disk-space-checker.sh) either to `/cron/cron.daily/` or to `/opt/bin` and create a cron job for it.
+    - Download [disk-space-checker.sh](https://github.com/HON95/scripts/blob/master/server/linux/general/disk-space-checker.sh) either to `/cron/cron.daily/` or to `/opt/bin` and create a cron job for it.
     - Example cron job (15 minutes past every 4 hours): `15 */4 * * * root /opt/bin/disk-space-checker`
     - Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.
 

+ 60 - 14
config/linux-servers/proxmox-ve.md

@@ -13,21 +13,40 @@ breadcrumbs:
 
 ## Host
 
-**TODO** Ignore this whole section for now.
-
-- Initial setup
-- Notes from Google Docs
-- `localhost` must resolve to both 127.0.0.1 and ::1 and the domain name must resolve to the mgmt. interface IP addresses (v4+v6).
-
-1. See [Debian Server: Initial Setup](../debian-server/#initial-setup).
-    - **TODO**: Differences.
-1. Setup the PVE repos (assuming no subscription):
+### Installation
+
+1. Find a mouse.
+    - Just a keyboard is not enough.
+    - You don't need the mouse too often, though, so you can hot-swap between the keyboard and mouse during the install.
+1. Download PVE and boot from the installation medium in UEFI mode (if supported).
+1. Storage:
+    - Use 1-2 mirrored SSDs with ZFS.
+    - (ZFS) enable compression and checksums and set the correct ashift for the SSD(s). If in doubt, use ashift=12.
+1. Localization:
+    - (Nothing special.)
+1. Administrator user:
+    - Set a root password. It should be different from your personal password.
+    - Set the email to "root@localhost" or something. It's not important before actually setting up email.
+1. Network:
+    - (Nothing special.)
+
+### Initial Configuration
+
+Follow the instructions for [Debian server basic setup](../debian-server/#initial-setup), but with the following exceptions and extra steps:
+
+1. Before installing updates, setup the PVE repos (assuming no subscription):
     - In `/etc/apt/sources.list.d/pve-enterprise.list`, comment out the Enterprise repo.
-    - In `/etc/apt/sources.list`, add the PVE No-Subscription repo. See [Package Repositories](https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo).
-    - Update the package index.
-1. Disable the console MOTD:
-    - Disable `pvebanner.service`.
-    - Clear or update `/etc/issue` (e.g. use use the logo).
+    - In `/etc/apt/sources.list`, add the PVE No-Subscription repo: `deb http://download.proxmox.com/debian/pve buster pve-no-subscription`
+    - More info: [Proxmox VE: Package Repositories](https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo)
+1. Update network config and hostname:
+    - Do NOT manually modify the configs for network, DNS, NTP, firewall, etc. as specified in the Debian guide.
+    - Update network config: Use the web GUI.
+    - Update hostname: See the Debian guide.
+    - Update `/etc/hosts`: The short and FQDN hostnames must resolve to the IPv4 and IPv6 management address.
+1. Update MOTD:
+    - Disable the special PVE banner: `systemctl disable --now pvebanner.service`
+    - Clear or update `/etc/issue` and `/etc/motd`.
+    - (Optional) Set up dynamic MOTD: See the Debian guide.
 1. Setup firewall:
     - Open an SSH session, as this will prevent full lock-out.
     - Enable the cluster/datacenter firewall.
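Review bot: the repo line `deb http://download.proxmox.com/debian/pve buster pve-no-subscription` hardcodes `buster`; say it must match the installed Debian release, and note that Proxmox documents the no-subscription repo as not recommended for production use, which matters in a host setup guide. The `/etc/hosts` step (short and FQDN hostnames resolving to the IPv4 and IPv6 management address) should keep the requirement from the removed line that `localhost` still resolves to both `127.0.0.1` and `::1`.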
@@ -36,6 +55,33 @@ breadcrumbs:
     - Enable the host/node firewall.
     - Make sure ping, SSH and the web GUI is working both for IPv4 and IPv6.
 
+### Setup PCI(e) Passthrough
+
+**Possibly outdated**
+
+- Guide: [Proxmox VE: Pci passthrough](https://pve.proxmox.com/wiki/Pci_passthrough)
+- Requires support for  IOMMU, IOMMU interrupt remapping, and for dome PCI devices, UEFI support
+- Only 4 devices are are supported
+- For graphics cards, additional steps are required
+- Setup BIOS/UEFI features:
+    - Enable UEFI
+    - Enable VT-d and SR-IOV Global Enable
+    - Disable I/OAT
+- Enable SR-IOT for NICs in BIOS/ROM
+- Enable IOMMU: Add `intel_iommu=on` to GRUB command line (edit `/etc/default/grub` and add to line `GRUB_CMDLINE_LINUX_DEFAULT`) and run `update-grub`
+- Enable modules: Add `vfio vfio_iommu_type1 vfio_pci vfio_virqfd pci_stub` (newline-separated) to `/etc/modules` and run `update-initramfs -u -k all`
+- Reboot
+- Test for IOMMU interrupt remapping: Run `dmesg | grep ecap` and check if the last character of the `ecap` value is 8, 9, a, b, c, d, e, or an f. Also, run `dmesg | grep vfio` to check for - errors. If it is not supported, set `options vfio_iommu_type1 allow_unsafe_interrupts=1` in `/etc/modules`, which also makes the host vulnerable to interrupt injection attacks.
+- Test NIC SR-IOV support: `lspci -s <NIC_BDF> -vvv | grep -i "Single Root I/O Virtualization"`
+- List PCI devices: `lspci`
+- List PCI devices and their IOMMU groups: `find /sys/kernel/iommu_groups/ -type l`
+- A device with all of its functions can be added by removing the function suffix of the path
+- Add PCIe device to VM:
+    - Add `machine: q35` to the config
+- Add `hostpci<n>: <pci-path>,pcie=1,driver=vfio` to the config for every device
+- Test if the VM can see the PCI card: Run `qm monitor <vm-id>`, then `info pci` inside
+
+
 ## Cluster
 
 - `/etc/pve` will get synchronized across all nodes.
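Review bot: `options vfio_iommu_type1 allow_unsafe_interrupts=1` does not belong in `/etc/modules`, which only lists module names; module options go in a file under `/etc/modprobe.d/`, followed by `update-initramfs -u -k all`. Since the same sentence says this makes the host vulnerable to interrupt injection, it should also say to prefer hardware with interrupt remapping support over enabling the option. Typos: "dome PCI devices" → "some", "are are", "SR-IOT" → "SR-IOV", and "check for - errors" has a stray dash. The double blank line before "## Cluster" can be collapsed.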

+ 5 - 0
config/linux-servers/storage.md

@@ -32,6 +32,11 @@ breadcrumbs:
 - Hard drives often experience performance degredation before failing completely.
   This may lead to high latencies, reduced bandwidth and possibly read/write errors.
   High latencies and low bandwidth is hard to detect automatically and may result in reduced performance for the whole system.
+- SSD/HDD optimiztions:
+    - Most modern tools on modern Linux versions will automatically align file systems and partitions correctly.
+    - The `relatime` mount flag is set by default, to reduce disk writes when a file is read.
+    - For SSDs, don't enable TRIM (using neither the `discard` mount option nor `fstrim.timer`). TRIM typically don't provide much benefit and may actually reduce performance. Since SSDs are generally overprovisioned and may be overprovisioned further by the user (generally not needed), TRIM is generally not needed any more.
+    - `vm.swappiness` should possibly be set to some reasonable value to reduce swapping pressure on the swap disk(s).
 
 ### SSDs
 

+ 6 - 0
config/pc/applications.md

@@ -89,6 +89,12 @@ GUI for configuring gaming mice.
 - In `Window > Appearance`, change font to Consolas, regular, size 10.
 - In `Window > Colours`, set all ANSI non-bold colors to the same as the bold ones.
 
+## SMB
+
+### Troubleshooting
+
+- If using DNS instead of NetBIOS and the client freezes while connecting to a share, try enabling the "Routing and Remote Access" service.
+
 ## Speedfan (Windows)
 
 - **Warning:** The controller symlinks likes to change on boot, meaning the config may break every boot. This makes it literally useless.
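Review bot: enabling the "Routing and Remote Access" service as a fix for a client that freezes while connecting to a share turns on a routing/remote-access component on the client, a much larger change than the symptom suggests; say why it helps (if known) and that it should be disabled again once the share works.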