
Juniper and UniFi

Håvard O. Nordstrand 5 years ago
parent commit
545eb17a3e

+ 66 - 0
config/linux-general/applications.md

@@ -6,6 +6,72 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+## Docker
+
+### Setup
+
+1. Install: [Docker Documentation: Get Docker Engine - Community for Debian](https://docs.docker.com/install/linux/docker-ce/debian/).
+1. (Optional) Setup swap limit:
+    - If `docker info` contains `WARNING: No swap limit support`, it's not working and should maybe be fixed.
+    - It incurs a small performance degredation and is optional but recommended.
+    - In `/etc/default/grub`, add `cgroup_enable=memory swapaccount=1` to `GRUB_CMDLINE_LINUX`.
+    - Run `update-grub` and reboot.
+1. Configure `/etc/docker/daemon.json`:
+    - Set DNS servers: `"dns": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]`
+    - (Optional) Disable automatic IPTables rules: `"iptables": false`
+    - Enable IPv6: `"ipv6": true`
+    - Set IPv6 default subnet: `"fixed-cidr-v6": <64-prefix>`
+1. (Optional, not recommended on servers) Allow certain users to use Docker: Add them to the `docker` group.
+
+### Usage
+
+- Miscellanea:
+    - Show disk usage: `docker system df -v`
+- Cleanup:
+    - Prune unused images: `docker image prune -a`
+    - Prune unused volumes: `docker volume prune`
+- Docker run options:
+    - Set name: `--name=<name>`
+    - Run in detatched mode: `-d`
+    - Run using interactive terminal: `-it`
+    - Automatically remove when stopped: `--rm`
+    - Automatically restart: `--restart=unless-stopped`
+    - Use "tini" as entrypoint and use PID 1: `--init`
+    - Set env var: `-e <var>=<val>`
+    - Publish network port: `-p <host-port>:<cont-port>[/udp]`
+    - Mount volume: `-v <vol>:<cont-path>` (`<vol>` must have a path prefix like `./` or `/` if it is a directory and not a named volume)
+- Networks:
+    - Create bridged network: `docker network create --driver=bridge --ipv6 --subnet=<ipv4-net> --subnet=<ipv6-net> <name>`
+    - Create bridged network connected to host interface: `docker network create --driver=bridge --ipv6 --subnet=<ipv4-net> --gateway=<ipv4-gateway> --subnet=<ipv6-net> --gateway=<ipv6-gateway> -o "com.docker.network.bridge.name=<host-if> <name>`
+    - Run container with network: `docker run --network=<net-name> --ip=<ipv4-addr> --ip6=<ipv6-addr> --dns=<dns-server> <image>`
+
+## Docker Compose
+
+### Setup
+
+1. Install Docker: See above.
+1. Install: [Docker Documentation: Install Docker Compose](https://docs.docker.com/compose/install/).
+1. Install command completion: [Docker Documentation: Command-line completion](https://docs.docker.com/compose/completion/).
+
+### Troubleshooting
+
+#### Fix Docker Compose No-Exec Tmp-Dir
+
+Docker Compose will fail to work if `/tmp` has `noexec`.
+
+1. Move `/usr/local/bin/docker-compose` to `/usr/local/bin/docker-compose-normal`.
+1. Create `/usr/local/bin/docker-compose` with the contents below and make it executable.
+1. Create the new TMPDIR dir.
+
+New `docker-compose`:
+
+```sh
+#!/bin/bash
+# Some dir without noexec
+export TMPDIR=/var/lib/docker-compose-tmp
+/usr/local/bin/docker-compose-normal "$@"
+```
+
 ## smartmontools
 
 - For monitoring disk health.

+ 1 - 94
config/linux-servers/applications.md

@@ -78,67 +78,6 @@ See [Storage: Ceph](../storage/#ceph).
 
 Use [cloudflare-ddns-updater.sh](https://github.com/HON95/scripts/tree/master/server/linux/cloudflare).
 
-## Docker
-
-### Setup
-
-1. Install: [Docker Documentation: Get Docker Engine - Community for Debian](https://docs.docker.com/install/linux/docker-ce/debian/).
-1. (Optional) Setup swap limit:
-    - If `docker info` contains `WARNING: No swap limit support`, it's not working and should maybe be fixed.
-    - It incurs a small performance degredation and is optional but recommended.
-    - In `/etc/default/grub`, add `cgroup_enable=memory swapaccount=1` to `GRUB_CMDLINE_LINUX`.
-    - Run `update-grub` and reboot.
-1. Configure `/etc/docker/daemon.json`:
-    - Set DNS servers: `"dns": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]`
-    - (Optional) Disable automatic IPTables rules: `"iptables": false`
-    - Enable IPv6: `"ipv6": true`
-    - Set IPv6 default subnet: `"fixed-cidr-v6": <64-prefix>`
-1. (Optional, not recommended on servers) Allow certain users to use Docker: Add them to the `docker` group.
-
-### Usage
-
-- Docker run options:
-    - Set name: `--name=<name>`
-    - Run in detatched mode: `-d`
-    - Run using interactive terminal: `-it`
-    - Automatically remove when stopped: `--rm`
-    - Automatically restart: `--restart=unless-stopped`
-    - Use "tini" as entrypoint and use PID 1: `--init`
-    - Set env var: `-e <var>=<val>`
-    - Publish network port: `-p <host-port>:<cont-port>[/udp]`
-    - Mount volume: `-v <vol>:<cont-path>` (`<vol>` must have a path prefix like `./` or `/` if it is a directory and not a named volume)
-- Networks:
-    - Create bridged network: `docker network create --driver=bridge --ipv6 --subnet=<ipv4-net> --subnet=<ipv6-net> <name>`
-    - Create bridged network connected to host interface: `docker network create --driver=bridge --ipv6 --subnet=<ipv4-net> --gateway=<ipv4-gateway> --subnet=<ipv6-net> --gateway=<ipv6-gateway> -o "com.docker.network.bridge.name=<host-if> <name>`
-    - Run container with network: `docker run --network=<net-name> --ip=<ipv4-addr> --ip6=<ipv6-addr> --dns=<dns-server> <image>`
-
-## Docker Compose
-
-### Setup
-
-1. Install Docker: See above.
-1. Install: [Docker Documentation: Install Docker Compose](https://docs.docker.com/compose/install/).
-1. Install command completion: [Docker Documentation: Command-line completion](https://docs.docker.com/compose/completion/).
-
-### Troubleshooting
-
-#### Fix Docker Compose No-Exec Tmp-Dir
-
-Docker Compose will fail to work if `/tmp` has `noexec`.
-
-1. Move `/usr/local/bin/docker-compose` to `/usr/local/bin/docker-compose-normal`.
-1. Create `/usr/local/bin/docker-compose` with the contents below and make it executable.
-1. Create the new TMPDIR dir.
-
-New `docker-compose`:
-
-```sh
-#!/bin/bash
-# Some dir without noexec
-export TMPDIR=/var/lib/docker-compose-tmp
-/usr/local/bin/docker-compose-normal "$@"
-```
-
 ## Fail2ban
 
 ### Setup
@@ -550,39 +489,7 @@ TFTP_OPTIONS="--create --secure"
 
 ## UniFi
 
-### Setup
-
-**TODO** This is just horrible, just use some unofficial Docker image instead.
-
-1. Install MongoDB:
-    - See: [MongoDB: Install MongoDB Community Edition on Debian](https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/) or (MongoDB: Install MongoDB on Debian (v3.0))[https://docs.mongodb.com/v3.0/tutorial/install-mongodb-on-debian/]
-    - Download and install [libssl1.0.0(Debian Jessie)](https://packages.debian.org/jessie/libssl1.0.0).
-    - Install for Debian Jessie and MongoDB version 3.4.
-    - Enable and start `mongod`.
-1. Install OpenJDK 8.
-    - Somehow ...
-1. Install UniFi:
-    - See: [UniFi: How to Install and Update via APT on Debian or Ubuntu](https://help.ubnt.com/hc/en-us/articles/220066768-UniFi-How-to-Install-and-Update-via-APT-on-Debian-or-Ubuntu)
-1. Watch logs:
-    - UniFi: `/usr/lib/unifi/logs/server.log`
-    - MongoDB: `/usr/lib/unifi/logs/mongod.log`
-1. Allow the following incoming ports (see [UniFi - Ports Used](https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used)):
-    - UDP 3478: STUN
-    - TCP 8080: Device-controller communication (for devices)
-    - TCP 8443: GUI/API (for admins)
-    - TCP 8880: HTTP portal (for guests)
-    - TCP 8843: HTTPS portal (for guests)
-    - TCP 6789: Mobile speedtest (for admins)
-    - UDP 10001: Device discovery (for devices)
-    - UDP 1900: L2 adoption (optional, for devices)
-
-#### Using jacobalberty's Unofficial Docker Image
-
-1. Add a system user named "unifi": `useradd -r unifi`
-1. Allow the ports through the firewall (see above).
-1. Add a Docker Compose file. See [docker-compose.yml](https://github.com/HON95/misc-configs/blob/master/linux-server/unifi/docker-compose.yml).
-    - Use host networking mode for L2 adoption to work (if you're not using L3 or SSH adoption).
-1. Start the container, open the webpage and follow the wizard.
+See [Ubiquiti UniFi Controller (Debian)](../unifi-debian/).
 
 ## ZFS
 

+ 1 - 1
config/linux-servers/debian.md

@@ -221,7 +221,7 @@ Everything here is optional.
     - Check the locale: `locale`
     - Comment `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.
 
-## Miscellaneous Notes
+## Miscellanea
 
 ### Cron
 

+ 0 - 24
config/linux-servers/unifi-debian.md

@@ -1,24 +0,0 @@
----
-title: Ubiquiti UniFi Controller (Debian)
-breadcrumbs:
-- title: Configuration
-- title: Linux Servers
----
-{% include header.md %}
-
-### Using
-{:.no_toc}
-
-UniFi 5 on Debian 9 (Stretch).
-
-## Forewords
-
-UniFi 5 is the latest version and does only officially support Debian 9 (Stretch) and Ubuntu Desktop/Server 16.04 for Linux. It requires Java 8 and other stuff which is an absolute pain to install on later versions of Debian. There is also the official physical Cloud Key device and multiple unofficial Docker images and installation packages for Linux servers.
-
-Official installation instructions: [UniFi - How to Install & Upgrade the UniFi Network Controller Software](https://help.ubnt.com/hc/en-us/articles/360012282453-UniFi-How-to-Install-Upgrade-the-UniFi-Network-Controller-Software)
-
-## Installation
-
-1. Install Debian 9.
-
-{% include footer.md %}

+ 44 - 10
config/network/cisco-ios.md → config/network/cisco-ios-general.md

@@ -1,5 +1,5 @@
 ---
-title: Cisco IOS
+title: Cisco IOS General
 breadcrumbs:
 - title: Configuration
 - title: Network
@@ -16,7 +16,19 @@ breadcrumbs:
 
 - [Cisco Config Analysis Tool (CCAT)](https://github.com/cisco-config-analysis-tool/ccat)
 
-## CLI
+## System
+
+- Memories:
+    - ROM: For bootstrap stuff.
+    - Flash: For IOS images.
+    - NVRAM: For startup configuration files.
+    - RAM: For running config, tables, etc.
+
+### Boot
+
+- IOS image sources (in default order): Flash, TFTP, ROM.
+- Startup config sources (in default order): NVRAM, TFTP, system configuration dialog.
+- Some details may be configured using the configuration register.
 
 ### Modes
 
@@ -36,7 +48,9 @@ breadcrumbs:
     - Completely useless, never use it.
 - ROM monitor mode (aka ROMMON).
 
-### General Usage
+## Configuration
+
+### Usage and Basics
 
 - Most commands take effect immediately.
 - Select range of interfaces: `int range g1/0/1-52` (example)
@@ -45,11 +59,6 @@ breadcrumbs:
     - Tab: Auto-complete.
     - `?`: Prints the allowed keywords.
     - `| <filter>`: Can be used to filter the output using one of the filter commands.
-
-## Configuration
-
-### Basics
-
 - Save running config: `copy run start` or `write mem`
 - Restore startup config: `copy start run`
 - Show configurations: `show [run|start]`
@@ -58,8 +67,33 @@ breadcrumbs:
 ### AAA
 
 - Disable the `password-encryption` service, use encrypted passwords instead. Perferrably type 9 (scrypt) secrets if available.
-
-## Miscellaneous
+- Set enable secret (for entering privileged EXEC mode): `enable algorithm-type scrypt secret <secret>`
+- Enable user auth: `aaa new-model`
+- Local user database:
+    - Enable local database: `aaa authentication login default local`
+    - Add user: `username <username> privilege 15 algorithm-type scrypt secret <password>`
+        - `privilege 15` means the user will enter directly into privileged EXEC mode.
+        - `algorithm-type scrypt` means it will use the secure scrypt password hashing algorithm.
+- TACACS+:
+    - **TODO**
+
+### Lines
+
+- Includes the console line and vty (telnet/SSH) lines.
+- Configured using line conf. mode: `line <con|vty> <n>`
+- Set inactivity logout: `exec-timeout <min> <sec>`
+    - `0 0` disables it, which is practical for labs.
+- Enabel synchronous logging for console: `logging synchronous`
+- (Not recommended) Enable simple password-based console login:
+    1. Enter line conf. mode.
+    1. Enable login: `login`
+    1. Set console password: `password [alg] <password>`
+- (Recommended) Enable user-based console login:
+    1. Enter line conf. mode.
+    1. Enable login: `login`
+    1. Set to use the local database: `login authentication default`
+
+## Miscellanea
 
 ### Version and Image String Notations
 

+ 25 - 0
config/network/juniper-ex.md

@@ -16,6 +16,11 @@ breadcrumbs:
 
 - EX3300 w/ Junos 15.1R7
 
+### WIP
+{:.no_toc}
+
+This page is super not done.
+
 ## Initial Setup
 
 Enter configuration mode as necessary in the steps below with `configure` and `exit`.
@@ -31,6 +36,26 @@ Enter configuration mode as necessary in the steps below with `configure` and `e
 1. Disable alarm for mgmt. port link down.
 1. Commit.
 
+## More Random Notes (TODO)
+
+- `show lldp neighbours`
+- No "unit 0" on LACP slave interfaces.
+- `show | compare`
+- `set virtual-chassis no-split-detection` (VC) (recommended for only 2 members) (The split and merge feature is enabled by default on EX Series and QFX Series Virtual Chassis. You can disable the split and merge feature by using the set virtual-chassis no-split-detection command.) (When disabled, both parts remain active after a split.)
+- `request system zeroize`
+- Discard route for supernet.
+- `show interfaces`, `show interfaces ae0 extensive`, `show interfaces terse`, `show interfaces terse | match ae`, `show interfaces terse ge-* | match up.*up`
+- `show chassis hardware`, `show version`, `show system uptime`
+- Config. nav.: `top`, `exit`
+- Int. range: `set interfaces interface-range <whatever> [member-range ge-0/0/0 to ge-0/0/1]`
+- LACP:
+    - (Optional) Create range or do it per phys. int.
+    - `set interfaces ge-0/0/0 ether-options 802.3ad ae0`
+    - `set interfaces ae0 aggregated-ether-options lacp active`
+- Set IP address: `set interfaces ae0 unit 0 family inet address 10.0.0.1/30`
+- Static route: `set routing-options static route 10.0.0.0/24 next-hop 10.0.1.1`
+- `show configuration [...] | display set`
+
 ## Theory
 
 ### Virtual Chassis
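Review bot: `show lldp neighbours` uses the British spelling; the Junos command is `show lldp neighbors`, so this line will not paste. `request system zeroize` sits unlabelled in a list of harmless show commands: it erases the configuration and all data on the device, so the bullet should say so before anyone copies it from a TODO list. The interface-range bullet `set interfaces interface-range <whatever> [member-range ge-0/0/0 to ge-0/0/1]` uses square brackets, which on these pages otherwise mean "optional" but here read like Junos syntax; use the `<...>` placeholder style consistently. The note "No 'unit 0' on LACP slave interfaces" would be clearer as a sentence: member physical interfaces of an `ae` bundle carry no `unit 0`; the family and address go on the `ae` interface, as the `set interfaces ae0 unit 0 family inet address` line below shows.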

+ 1 - 1
config/network/juniper-junos.md → config/network/juniper-general.md

@@ -1,5 +1,5 @@
 ---
-title: Juniper Junos OS
+title: Juniper General
 breadcrumbs:
 - title: Configuration
 - title: Network

+ 0 - 27
config/network/unifi-aps.md

@@ -1,27 +0,0 @@
----
-title: UniFi Access Points
-breadcrumbs:
-- title: Configuration
-- title: Network
----
-{% include header.md %}
-
-### Using
-{:.no_toc}
-
-- AP
-- AP AC Lite
-- AP AC LR
-
-## General Configuration
-
-### Wireless Uplink (Meshing)
-
-- Old firmware versions can be buggy wrt. wireless uplinks and can cause L2 loops.
-- The APs can be adopted wirelessly if one of them is connected to the network.
-- APs that are adopted wirelessly are will automatically allow meshing to other APs while APs that are adopted while wired will not. This can be changed in the AP settings.
-- Disable wireless uplinks (meshing) if not used:
-  - (Alternative 1) Disable per site: Go to site settings and disable "uplink connectivity monitor".
-  - (Alternative 2) Disable per AP: Go to AP settings, "wireless uplinks" and disable everything.
-
-{% include footer.md %}

+ 62 - 0
config/network/unifi.md

@@ -0,0 +1,62 @@
+---
+title: Ubiquiti UniFi Controller
+breadcrumbs:
+- title: Configuration
+- title: Linux Servers
+---
+{% include header.md %}
+
+### Using
+{:.no_toc}
+
+- Controller v5 on Debian 9 (Stretch)
+- AP AC Lite
+- AP AC LR
+
+## Installation (Debian 9)
+
+UniFi 5 is the latest version and does only officially support Debian 9 (Stretch) and Ubuntu Desktop/Server 16.04 for Linux. It requires Java 8 and other stuff which is an absolute pain to install on later versions of Debian. There is also the official physical Cloud Key device and multiple unofficial Docker images and installation packages for Linux servers.
+
+Official installation instructions: [UniFi: How to Install & Upgrade the UniFi Network Controller Software](https://help.ubnt.com/hc/en-us/articles/360012282453-UniFi-How-to-Install-Upgrade-the-UniFi-Network-Controller-Software)
+
+1. Install Debian 9 (yes, 9).
+1. Configure it: See [Debian Server](../debian/) (for Debian 10).
+1. Allow the following incoming ports (see [UniFi - Ports Used](https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used)):
+    - TCP 8080: Device-controller communication (for devices)
+    - TCP 8443: GUI/API (for admins)
+    - TCP 8880: HTTP portal (for guests)
+    - TCP 8843: HTTPS portal (for guests)
+    - TCP 6789: Mobile speedtest (for admins)
+    - UDP 1900: L2 adoption (for devices, optional)
+    - UDP 3478: STUN (for devices)
+    - UDP 10001: Device discovery (for devices)
+1. (Optional) NAT port 443 to 8443 in IPTables: `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443`
+1. Go to the UniFi downloads page and download for Linux/Debian.
+1. Install: `apt install <?>.deb`
+1. Configure:
+    - File: `/var/lib/unifi/system.properties`
+    - (Optional) Reduce the pre-allocated memory size: `unifi.xms=256`
+1. (Optional) Check the logs:
+    - UniFi: `/usr/lib/unifi/logs/server.log`
+    - MongoDB: `/usr/lib/unifi/logs/mongod.log`
+1. Set up UniFi in the web UI.
+
+## Access Points
+
+- PoE info: [UniFi: Supported PoE Protocols](https://help.ubnt.com/hc/en-us/articles/115000263008--UniFi-Understanding-PoE-and-How-UniFi-Devices-are-Powered)
+- Adoption methods: [UniFi: Device Adoption Methods for Remote UniFi Controllers](https://help.ubnt.com/hc/en-us/articles/204909754-UniFi-Device-Adoption-Methods-for-Remote-UniFi-Controllers)
+    - The DHCP option is typically the most appropriate IMO.
+- Reset: Hold RESET button until the front light alternate between black, white and blue.
+- Default credentials (after RESET and before adoption): Username `ubnt` with password `ubnt`.
+- IPv6 management: It does not seem to support DHCPv6. I don't know about SLAAC.
+
+### Wireless Uplink (Meshing)
+
+- Old firmware versions can be buggy wrt. wireless uplinks and can cause L2 loops.
+- The APs can be adopted wirelessly if one of them is connected to the network.
+- APs that are adopted wirelessly are will automatically allow meshing to other APs while APs that are adopted while wired will not. This can be changed in the AP settings.
+- Disable wireless uplinks (meshing) if not used:
+  - (Alternative 1) Disable per site: Go to site settings and disable "uplink connectivity monitor".
+  - (Alternative 2) Disable per AP: Go to AP settings, "wireless uplinks" and disable everything.
+
+{% include footer.md %}
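Review bot: the front-matter breadcrumbs say `Linux Servers`, but the file lives in `config/network/` and `index.md` lists it under network, so the breadcrumb should be `Network`. Step `apt install <?>.deb`: `apt` only treats the argument as a local package file when it contains a slash, so the placeholder should be `apt install ./<file>.deb`. The optional NAT step `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443` is IPv4 only, applies only to traffic arriving from other hosts, and is not persistent across reboots; the bullet should say at least the last of these. In the port list, 8443 (GUI/API) and 6789 are marked "for admins" and 8880/8843 "for guests": say explicitly that the firewall rules should scope each port to that audience rather than opening all eight to everyone. Typo under Wireless Uplink: "are will automatically allow" (will automatically allow).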

+ 3 - 4
index.md

@@ -22,7 +22,6 @@ Random collection of config notes and miscellaneous theory. Technically not a wi
 
 - [Debian Server](config/linux-servers/debian/)
 - [Proxmox VE](config/linux-servers/proxmox-ve/)
-- [Ubiquiti UniFi Controller (Debian)](config/linux-servers/unifi-debian/)
 - [Linux Server Storage](config/linux-servers/storage/)
 - [Linux Server Applications](config/linux-servers/applications/)
 
@@ -60,15 +59,15 @@ Random collection of config notes and miscellaneous theory. Technically not a wi
 #### Specific
 
 - [Brocade ICX Switches](config/network/brocade-icx/)
-- [Cisco IOS](config/network/cisco-ios/)
+- [Cisco IOS General](config/network/cisco-ios-general/)
 - [Cisco IOS Routers](config/network/cisco-ios-routers/)
 - [Cisco IOS Switches](config/network/cisco-ios-switches/)
-- [Juniper Junos OS](config/network/juniper-junos/)
+- [Juniper General](config/network/juniper-general/)
 - [Juniper EX Series Switches](config/network/juniper-ex/)
 - [Linksys LGS Switches](config/network/linksys-lgs/)
 - [Linux Switching & Routing](config/network/linux/)
 - [pfSense](config/network/pfsense/)
-- [UniFi Access Points](config/network/unifi-ap/)
+- [UniFi](config/network/unifi/)
 
 ## Information Technology