
Change a few things

Håvard O. Nordstrand, 5 years ago
Commit 8a071e02b7
51 files changed, 1895 additions and 518 deletions
1. README.md (+2 -0)
2. _includes/footer.md (+3 -2)
3. config/general/general.md (+5 -0)
4. config/hardware/dell-poweredge.md (+0 -30)
5. config/hosting-providers/bluehost.md (+0 -14)
6. config/hosting-providers/one-com.md (+0 -13)
7. config/hosting-providers/terrahost.md (+0 -14)
8. config/hosting-providers/webhuset.md (+0 -17)
9. config/iot/raspberry-pi.md (+4 -2)
10. config/linux-general/applications.md (+23 -0)
11. config/linux-general/examples.md (+111 -0)
12. config/linux-general/general.md (+27 -0)
13. config/linux-server/applications.md (+6 -141)
14. config/linux-server/debian.md (+9 -38)
15. config/linux-server/misc.md (+0 -39)
16. config/linux-server/notes.md (+0 -14)
17. config/linux-server/proxmox-ve.md (+33 -3)
18. config/linux-server/storage.md (+242 -0)
19. config/machines/dell-optiplex.md (+4 -2)
20. config/machines/dell-poweredge.md (+121 -0)
21. config/machines/laptops.md (+5 -3)
22. config/machines/testing.md (+42 -0)
23. config/network/brocade-icx.md (+15 -5)
24. config/network/cisco-ios-routers.md (+8 -1)
25. config/network/cisco-ios-switches.md (+65 -48)
26. config/network/cisco-ios.md (+62 -0)
27. config/network/juniper-ex.md (+40 -0)
28. config/network/juniper-junos.md (+181 -0)
29. config/network/linksys-lgs.md (+2 -1)
30. config/network/linux.md (+17 -6)
31. config/network/pfsense.md (+4 -3)
32. config/network/routing.md (+2 -4)
33. config/network/security.md (+1 -1)
34. config/network/switching.md (+24 -8)
35. config/network/unifi.md (+4 -3)
36. config/pc/applications.md (+2 -1)
37. config/pc/kubuntu.md (+20 -9)
38. config/pc/linux.md (+0 -58)
39. config/pc/windows.md (+3 -2)
40. index.md (+67 -28)
41. it/network/architecture.md (+58 -0)
42. it/network/ipv6.md (+392 -0)
43. it/network/switching.md (+55 -0)
44. it/network/wireless-basics.md (+2 -6)
45. it/network/wlan.md (+43 -0)
46. it/services/email.md (+88 -0)
47. media/audio/basics.md (+0 -2)
48. se/general/licenses.md (+52 -0)
49. se/langs/bash.md (+17 -0)
50. se/langs/general.md (+15 -0)
51. se/langs/markdown.md (+19 -0)

+ 2 - 0
README.md

@@ -1,3 +1,5 @@
 # HON's Wiki
 
+Random collection of config notes and miscellaneous theory. Technically not a wiki.
+
 Built and hosted with GitHub Pages.

+ 3 - 2
_includes/footer.md

@@ -1,6 +1,7 @@
 <hr />
 <p align="center">
-    <a href="{{ site.github.repository_url }}">{{ site.github.repository_nwo }}</a>
+    | <a href="{% github_edit_link %}">Edit page</a>
+    | <a href="{{ site.github.repository_url }}">{{ site.github.repository_nwo }}</a>
+    | <a href="https://haavard.tech">Håvard O. Nordstrand</a>
     |
-    <a href="{% github_edit_link %}">Edit page</a>
 </p>

+ 5 - 0
config/general/notes.md → config/general/general.md

@@ -8,7 +8,12 @@ breadcrumbs:
 
 ## Resources
 
+### Security
+
 - [Cipherli.st](https://cipherli.st/)
+
+### Miscellaneous
+
 - [Text to ASCII Art Generator (TAAG)](http://patorjk.com/software/taag/#p=display&f=Slant&t=)
 
 ## Addresses

+ 0 - 30
config/hardware/dell-poweredge.md

@@ -1,30 +0,0 @@
----
-title: Dell PowerEdge Series
-breadcrumbs:
-- title: Configuration
-- title: Hardware
----
-{% include header.md %}
-
-### Using
-{:.no_toc}
-2950 (G9); R310, R610, R710 (G11); R720 (G12)
-
-## Firmware Upgrades
-
-### G11 and lower
-There are lots of ways to upgrade the firmware, but most are painful and typically don't even work (e.g. loading firmware files in the Lifecycle Controller, Repository Manager custom ISOs, Repository Manager repositories, Repository Manager firmware files, and the Server Update Utility (SUU)). One way that *does* work is finding a pre-built bootable ISO and booting into it, but finding an ISO is getting harder.
-
-### G12 and higher
-Update through iDRAC 7 using HTTP site `downloads.dell.com`.
-
-## Management
-
-- Password: Lower-case, no special symbols, no spaces. Doing so may break stuff.
-
-## Storage
-
-- PERC 5/i and 6/i do not support disks over 2TB. PERC H200 and similar needs to be flashed to a newer version to support it.
-- Some say the PERC H200, H310, H310 mini etc. need to be flashed from IR (the default) to IT mode in order to pass through unconfigured disks directly instead of presenting them as individual RAID volumes and maybe adding proprietary headers on disk. ZFS (e.g.) needs direct access to the disks to work optimally, meaning you should flash it to IT mode if you intend to use the card as an HBA with ZFS or similar. This can cause the cards to no longer be accepted in the R610 and R710 PCIe-like storage slot and needs to use a normal PCIe slot instead. However, some say that IR cards (not flashed to IT mode) with unconfigured disks work as HBAs and pass them through directly. As they're not flashed to IT mode, they should still work in the storage slot too. My own experience with and R610 and R710 with IR mode H200s in the storage slots and seemingly direct disk access seems to agree with this latter statement.
-
-{% include footer.md %}
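Review bot: deleting config/hardware/dell-poweredge.md outright breaks any external link or bookmark to the old page on GitHub Pages; the file list shows the content moving to config/machines/dell-poweredge.md (+121), so leave a stub or a Jekyll redirect at the old path, and check that the long storage-slot/IR-vs-IT-mode bullet at the end survived the move intact rather than being rewritten from memory.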

+ 0 - 14
config/hosting-providers/bluehost.md

@@ -1,14 +0,0 @@
----
-title: Bluehost
-breadcrumbs:
-- title: Configuration
-- title: Hosting Providers
----
-{% include header.md %}
-
-## Experience
-
-- I spent _a lot_ of time communicating with tech support regarding stuff on their end that should be working but was not. The problems were rarely resolved.
-- As an example, one of the SSL certs which was set to auto renew in their control panel expired, leaving the site with an expired SSL certificate for multiple days.
-
-{% include footer.md %}

+ 0 - 13
config/hosting-providers/one-com.md

@@ -1,13 +0,0 @@
----
-title: One.com
-breadcrumbs:
-- title: Configuration
-- title: Hosting Providers
----
-{% include header.md %}
-
-## Experience
-
-- Does not support non-ASCII characters in file names (tested with basic web hosting). I tried migrating a site with æ, ø and å in the file names, which didn't work at all.
-
-{% include footer.md %}

+ 0 - 14
config/hosting-providers/terrahost.md

@@ -1,14 +0,0 @@
----
-title: Terrahost
-breadcrumbs:
-- title: Configuration
-- title: Hosting Providers
----
-{% include header.md %}
-
-## VPS/Dedicated Server
-
-- Enable IPv6 if not configured: [(Terrahost) IPv6 Setup for Linux/Windows](http://docs.terrahost.no/nettverk/ipv6-setup)
-- Fix locale: `update-locale LANG=en_US.UTF-8`
-
-{% include footer.md %}

+ 0 - 17
config/hosting-providers/webhuset.md

@@ -1,17 +0,0 @@
----
-title: Clevo PCs
-breadcrumbs:
-- title: Configuration
-- title: Hosting Providers
----
-{% include header.md %}
-
-## Experience
-
-- Seems fine.
-
-## Web Hosting
-
-- Webalizer is enabled and publicly available at `/statistikk` (or similar).
-
-{% include footer.md %}

+ 4 - 2
config/iot/raspberry-pi.md

@@ -8,9 +8,11 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-Raspbian
 
-## Basic Setup
+- 1B
+- 3B
+
+## Raspbian Basic Setup
 
 - Default credentials: Username `pi`, password `raspberry`.
 - Configure through the menu: `raspi-config`
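Review bot: the new "Raspbian Basic Setup" list opens with the default credentials (`pi` / `raspberry`) but no step says to change them; add a step directly after it to change the password (`passwd`) or disable the `pi` account before the device goes on a network, since these defaults are universally known and the list is otherwise read as a checklist.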

+ 23 - 0
config/linux-general/applications.md

@@ -0,0 +1,23 @@
+---
+title: Linux Applications
+breadcrumbs:
+- title: Configuration
+- title: Linux General
+---
+{% include header.md %}
+
+## smartmontools
+
+- For monitoring disk health.
+- Install: `apt install smartmontools`
+- Show all info: `smartctl -a <dev>`
+- Tests are available in foreground and background mode, where foreground mode is given higher priority.
+- Tests:
+    - Short test: Can be useful to quickly identify a faulty drive.
+    - Long test: May be used to validate the results found in the short test.
+    - Convoyance test: Intended to quickly discover damage incurred during transportation/shipping.
+    - Select test: Test only the specified LBAs.
+- Run test: `smartctl -t <short|long|conveyance|select> [-C] <dev>`
+    - `-C`: Foreground mode.
+
+{% include footer.md %}
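Review bot: "Convoyance test" (the third test bullet) is misspelled; the argument list two lines below correctly uses `conveyance`, so fix the bullet to match. A one-line cross-reference from this section to the SMART attributes listed in config/linux-server/storage.md would also help, since that page already links back here.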

+ 111 - 0
config/linux-general/examples.md

@@ -0,0 +1,111 @@
+---
+title: Linux Examples
+breadcrumbs:
+- title: Configuration
+- title: Linux General
+---
+{% include header.md %}
+
+## Commands
+
+### File Systems and Logical Volume Managers
+
+- Partition disk: `gdisk <dev>` or `fdisk <dev>`
+- Create filesystem: `mkfs.<fs> <dev>`
+
+### Files
+
+- Find files:
+  - By UID: `find / -user <UID>`
+  - Without a user: `find / -nouser`
+  - With setuid permission bit: `find / -perm /4000`
+- Recursive search and replace: `find <dir> \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/123/456/g'`
+  - `-type d -name .git -prune` skips `.git` directories and can be excluded outside of git repos.
+
+### Fun
+
+- Pretty colors: `<something> | lolcat`
+
+### Installations and Packages
+
+- Find packages depending on the package (APT): `apt rdepends --installed <package>`
+
+### Monitoring
+
+- Monitor system and processes: `htop`
+- Monitor interrupt usage: `irqtop`
+- Monitor network load: `nload`
+- Monitor lots of stuff: `glances`
+
+### Performance and Power Efficiency
+
+- Set the CPU frequency scaling governor mode:
+    - High performance: `echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor`
+    - Power save: ` echo powersave | ...`
+- Show current core frequencies: `grep "cpu MHz" /proc/cpuinfo | cut -d' ' -f3`
+
+### Processes and Memory
+
+- Useful ps args: `ps ax o uid,user:12,pid,comm`
+
+### Security
+
+- Show CPU vulnerabilities: `tail -n +1 /sys/devices/system/cpu/vulnerabilities/*`
+
+## Tasks
+
+### Burn Windows ISO
+
+1. Install the graphical application `woeusb` from `ppa:nilarimogard/webupd8`.
+
+### Rip DVD to ISO
+
+CDs and DVDs use 2048 byte sectors and may have both unintentional and intentional data errors.
+Some will explode in size when you try to rip them.
+There are multiple methods to try.
+I recommend using ddrescue since it's the simplest and because of its error handling features.
+
+Install support for encrypted/protected DVDs:
+- Enable the `contrib` or `non-free` repo areas (I'm not sure which).
+- `apt install libdvd-pkg && dpkg-reconfigure libdvd-pkg`
+
+Gather information about the disc:
+- (Once) `apt install genisoimage`
+- `isoinfo -d -i /dev/sr0`
+
+#### Using dvdbackup
+
+1. (Once) `apt install dvdbackup`
+1. (Optional) Inspect the DVD: `dvdbackup -i /dev/sr0 -I`
+1. Rip the whole DVD to a subdirectory: `dvdbackup -i /dev/sr0 -o . -M`
+1. Make an ISO: `genisoimage -dvd-video -udf -o <name>{.iso,}`
+
+#### Using vobcopy
+
+1. (Once) `apt install vobcopy`
+1. Mount the disc: `mkdir -p /media/dvd && mount /dev/dvd /media/dvd`
+1. Rip it to the current dir: `vobcopy -i /media/dvd -l -m`
+1. Unmount the disc: `umount /media/dvd`
+
+#### Using dd
+
+If the disc is damaged, use ddrescue instead.
+
+1. Find sector size and count: `isosize -x /dev/sr0`
+1. `dd if=/dev/sr0 of=<name>.iso bs=2048 count=3659360 conv=noerror status=progress`
+    - `conv=noerror` prevents halting on error and writes zero to the output instead.
+
+#### Using GNU ddrescue
+
+ddrescue is a sophisticated recovery tool which gracefully handles read errors.
+When using a map file, it can be aborted and run multiple times and using different sources to try to fix corrupt sections.
+A typical way to use this method is to run it with fast options first and then optionally with slower options afterwards.
+When the output is a regular file, the corrupt sectors will contain zeros.
+This method can also be used to backup dying hard drives etc., but the options used below are for CD/DVD discs.
+
+1. (Once) `apt install gddrescue`
+1. Make sure the disk/disc is not mounted.
+1. Run without scraping: `ddrescue -n -b2048 /dev/sr0 <name>.{iso,map}`
+1. Run with direct access: `ddrescue -d -r1 -b2048 /dev/sr0 <name>.{iso,map}`
+
+{% include footer.md %}
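Review bot: the `dd` step hard-codes `count=3659360`, which is the sector count of one particular disc; replace it with a placeholder such as `count=<sectors>` and say explicitly that the value comes from the `isosize -x` output in the previous step, otherwise the command silently truncates the image of any larger disc. Smaller points: the power-save command has a stray leading space inside the backticks (` echo powersave | ...`), and the recursive `sed -i` search-and-replace rewrites every regular file under the directory, binaries included, so note that it should be restricted (e.g. with `-name '*.txt'` or by piping through `grep -l` first) before running it outside a text-only tree.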

+ 27 - 0
config/linux-general/general.md

@@ -0,0 +1,27 @@
+---
+title: Linux General Notes
+breadcrumbs:
+- title: Configuration
+- title: Linux General
+---
+{% include header.md %}
+
+## Resources
+
+### Security
+
+- [Linux Hardening Checklist](https://github.com/trimstray/linux-hardening-checklist)
+- [The Practical Linux Hardening Guide](https://github.com/trimstray/the-practical-linux-hardening-guide)
+
+## Distros
+
+| Distro | RHEL/CentOS | Debian/Ubuntu |
+| - | - | - |
+| Nobody user/group | nobody:nobody | nobody:nogroup |
+| Version file(s) | /etc/redhat-release <br /> /etc/centos-release | /etc/debian_version |
+
+## Miscellaneous
+
+- `urandom` VS `random`: `random` blocks when running out of entropy while `urandom` does not. Use `random` for creating keys etc. and urandom for everything else.
+
+{% include footer.md %}
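Review bot: the `urandom` vs `random` bullet states an absolute rule ("use `random` for creating keys") that depends on the kernel version; on current kernels both devices draw from the same CSPRNG once it is seeded and differ only in early-boot blocking behaviour, so qualify the note with the kernel range it applies to or point readers at `getrandom(2)`. The Distros table replaces the one removed from config/linux-server/misc.md, but the row label changed from "Release file(s)" to "Version file(s)"; pick one and use it consistently.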

+ 6 - 141
config/linux-server/applications.md

@@ -6,9 +6,12 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+**TODO** Migrate the rest of the config notes from the old Google Doc.
+
 ### Using
 {:.no_toc}
-Debian 10 Buster
+
+- Debian 10 Buster
 
 ## Docker & Docker Compose
 
@@ -25,7 +28,8 @@ Debian 10 Buster
    - In `/etc/default/grub`, add `cgroup_enable=memory swapaccount=1` to `GRUB_CMDLINE_LINUX`.
    - Run `update-grub` and reboot.
 
-### Docker Compose TMPDIR Fix
+### Docker Compose No-Exec Tmp-Dir Fix
+
 Docker Compose will fail to work if `/tmp` has `noexec`.
 
 1. Move `/usr/local/bin/docker-compose` to `/usr/local/bin/docker-compose-normal`.
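Review bot: the renamed section should say why `/tmp` is `noexec` in the first place (it is one of the hardening mount options in the system volumes table added to storage.md in this commit) so that readers fix Docker Compose rather than remount `/tmp` executable. Only the first step (moving the binary aside) is visible here; whatever the remaining steps point `TMPDIR` at must be a root-owned, non-world-writable directory, otherwise the workaround reintroduces exactly the exposure `noexec` on `/tmp` was meant to remove.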
@@ -232,143 +236,4 @@ Using the unofficial Docker image by jacobalberty.
     - Use host networking mode for L2 adoption to work (if you're not using L3 or SSH adoption).
 1. Start the container, open the webpage and follow the wizard.
 
-## ZFS
-
-### Info
-#### Features
-
-- Filesystem and physical storage decoupled
-- Always consistent
-- Intent log
-- Synchronous or asynchronous
-- Everything checksummed
-- Compression
-- Deduplication
-- Encryption
-- Snapshots
-- Copy-on-write (CoW)
-- Clones
-- Caching
-- Log-strucrured filesystem
-- Tunable
-
-#### Terminology
-
-- Vdev
-- Zpool
-- Zvol
-- ZFS POSIX Layer (ZPL)
-- ZFS Intent Log (ZIL)
-- Adaptive Replacement Cache (ARC)
-- Dataset
-
-### Setup
-
-1. Enable the `contrib` and `non-free` repo areas. (Don't use any backports repo.)
-1. Install (it might give errors): `zfs-dkms zfsutils-linux zfs-zed`
-1. Load the ZFS module: `modprobe zfs`
-1. Fix the ZFS install: `apt install`
-1. Make the import service wait for iSCSI:
-    1. `cp /lib/systemd/system/zfs-import-cache.zervice /etc/systemd/system`
-    1. Add `After=iscsid.service` in `/etc/systemd/system/zfs-import-cache.service`.
-    1. `systemctl enable zfs-import-cache.service`
-1. Set the max ARC size: `echo "options zfs zfs_arc_max=<bytes>" >> /etc/modprobe.d/zfs.conf`
-    - It should typically be around 15-25% of the physical RAM size on general nodes. It defaults to 50%.
-1. Check that the cron scrub script exists.
-    - Typical location: `/etc/cron.d/zfsutils-linux`
-    - If it doesn't exist, add one which runs `/usr/lib/zfs-linux/scrub` e.g. monthly. It'll scrub all disks.
-
-### Usage
-
-- Create a pool: `zpool create -o ashift=<9|12> [level] <drives>+`
-- Create an encrypted pool:
-  - The procedure is basically the same for encrypted datasets.
-  - Children of encrypted datasets can't be unencrypted.
-  - The encryption suite can't be changed after creation, but the keyformat can.
-  - Using a password: `zpool create -O encryption=aes-128-gcm -O keyformat=passphrase ...`
-  - Using a raw key:
-    - Generate the key: `dd if=/dev/random of=/root/keys/zfs/<tank> bs=32 count=1`
-    - Create the pool: `zpool create -O encryption=aes-128-gcm -O keyformat=raw -O keylocation=file:///root/keys/zfs/<tank> ...`
-    - Automatically unlock at boot time: Add and enable [zfs-load-keys.service](https://github.com/HON95/misc-configs/blob/master/linux-server/zfs/zfs-load-keys.service).
-  - Reboot and test.
-  - Check the key status with `zfs get keystatus`.
-- Send and receive snapshots:
-  - `zfs send [-R] <snapshot>` and `zfs recv <snapshot>`.
-  - Uses STDOUT.
-  - Use `zfs get receive_resume_token` and `zfs send -t <token>` to resume an interrupted transfer.
-- View activity: `zpool iostat [-v]`
-- Clear transient device errors: `zpool clear <pool> [device]`
-- If a pool is "UNAVAIL", it means it can't be recovered without corrupted data.
-- Replace a device and automatically copy data from the old device or from redundant devices: `zpool replace <pool> <device> [new-device]`
-- Bring a device online or offline: `zpool (online|offline) <pool> <device>`
-- Re-add device that got wiped: Take it offline and then online again.
-
-### Best Practices and Suggestions
-
-- As far as possible, use raw disks and HBA disk controllers (or RAID controllers in IT mode).
-- Always use `/etc/disk/by-id/X`, not `/dev/sdX`.
-- Always manually set the correct ashift for pools.
-  - Should be the log-2 of the physical block/sector size of the device.
-  - E.g. 12 for 4kB (Advanced Format (AF), common on HDDs) and 9 for 512B (common on SSDs).
-  - Check the physical block size with `smartctl -i <dev>`.
-- Always enable compression. Generally `lz4`. Maybe `zstd` when implemented. Maybe `gzip-9` for archiving. Worst case it does nothing.
-- Never use deduplication. It may brick your ZFS server.
-- Generally always use quotas and reservations.
-- Avoid using more than 80% of the available space.
-- Make sure regular automatic scrubs are enabled. There should be a cron job/script or something. Run it e.g. every 2 weeks or monthly.
-- Snapshots are great for increments backups. They're easy to send places too. If the dataset is encrypted then so is the snapshot.
-
-### Tuning
-
-- Use quotas, reservations and compression.
-- Very frequent reads:
-  - E.g. for a static web root.
-  - Set `atime=off` to disable updating the access time for files.
-- Database:
-  - Disable `atime`.
-  - Use an appropriate recordsize with `recordsize=<size>`.
-    - InnoDB should use 16k for data files and 128k on log files (two datasets).
-    - PostgreSQL should use 8k (or 16k) for both data and WAL.
-  - Disable caching with `primarycache=metadata`. DMBSes typically handle caching themselves.
-    - For InnoDB.
-    - For PostgreSQL if the working set fits in RAM.
-  - Disable the ZIL with `logbias=throughput` to prevent writing twice.
-    - For InnoDB and PostgreSQL.
-    - Consider not using it for high-traffic applications.
-  - PostgreSQL:
-    - Use the same dataset for data and logs.
-    - Use one dataset per database instance. Requires you to specify it when creating the database.
-    - Don't use PostgreSQL checksums or compression.
-    - Example: `su postgres -c 'initdb --no-locale -E=UTF8 -n -N -D /db/pgdb1'`
-
-### Troubleshooting
-
-- `zfs-import-cache.service` fails to import pools because disks are not found:
-  - Set `options scsi_mod scan=sync` in `/etc/modprobe.d/zfs.conf` to wait for iSCSI disks to come online before ZFS starts.
-  - Add `After=iscsid.service` to `zfs-import-cache.service`
-
-### Extra Notes
-
-- ECC memory is recommended but not required. It does not affect data corruption on disk.
-- It does not require large amounts of memory, but more memory allows it to cache more data. A minimum of around 1GB is suggested. Memory caching is termed ARC. By default it's limited to 1/2 of all available RAM. Under memory pressure, it releases some of it to other applications.
-- Compressed ARC is a feature which compresses and checksums the ARC. It's enabled by default.
-- A dedicated disk (e.g. an NVMe SSD) can be used as a secondary read cache. This is termed L2ARC (level 2 ARC). Only frequently accessed blocks are cached. The memory requirement will increase based on the size of the L2ARC. It should only be considered for pools with high read traffic, slow disks and lots of memory available.
-- A dedicated disk (e.g. an NVMe SSD) can be used for the ZFS intent log (ZIL), which is used for synchronized writes. This is termed SLOG (separate intent log). The disk must have low latency, high durability and should preferrably be mirrored for redundancy. It should only be considered for pools with high synchronous write traffic on relatively slow disks.
-- Intel Optane is a perfect choice as both L2ARCs and SLOGs due to its high throughput, low latency and high durability.
-- Some SSD models come with a build-in cache. Make sure it actually flushes it on power loss.
-- ZFS is always consistent, even in case of data loss.
-- Bitrot is real.
-  - 4.2% to 34% of SSDs have one UBER (uncorrectable bit error rate) per year.
-  - External factors:
-    - Temperature.
-    - Bus power consumption.
-    - Data written by system software.
-    - Workload changes due to SSD failure.
-- Early signs of drive failures:
-  - `zpool status <pool>` shows that a scrub has repaired any data.
-  - `zpool status <pool>` shows read, write or checksum errors (all values should be zero).
-- Database conventions:
-  - One app per database.
-  - Encode the environment and DMBS version into the dataset name, e.g. `theapp-prod-pg10`.
-
 {% include footer.md %}

+ 9 - 38
config/linux-server/debian.md

@@ -8,7 +8,8 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-Debian 10 Buster
+
+- Debian 10 Buster
 
 ## Basic Setup
 
@@ -18,14 +19,14 @@ Debian 10 Buster
 - Use UEFI if possible.
 - Use the non-graphical installer. It's basically the same as the graphical one.
 - Localization:
-  - Language: United States English
+  - Language: United States English.
   - Location: Your location.
-  - Locale: United States UTF-8 (`en_US.UTF-8`)
+  - Locale: United States UTF-8 (`en_US.UTF-8`).
   - Keymap: Your keyboard's keymap.
 - Use an FQDN as the hostname. It'll set both the shortname and the FQDN.
 - Use separate password for root and your personal admin user.
 - Disk partitioning:
-  - (Recommended) Manually partition the system drive(s). See [system storage](#system-storage) for a suggestion.
+  - (Recommended) Manually partition the system drive(s). See [system storage](../storage/#system-storage).
   - Guided partitioning makes weird partition/volume sizes, try to avoid it.
   - For simple or temporary systems, just use "guided - use entire disk" with all files in one partition.
   - When using LVM: Create the partition for the volume group, configure LVM (separate menu), configure the LVM volumes (filesystem and mount).
@@ -91,6 +92,10 @@ Debian 10 Buster
     - Add a personal user first.
     - Check that the password field (the second field) for root in `/etc/shadow` is something invalid like "\*" or "!", but not empty and not valid password hash. This prevents password login.
     - Clear `/etc/securetty` to prevent root local/console login.
+1. (Optional) Enable persistent logging:
+    - The default journal directory is `/var/log/journal`. By default, it's not automatically created.
+    - In `/etc/systemd/journald.conf`, under `[Journal]`, set `Storage=persistent`.
+    - `auto` (the default) is like `persistent` but does not automatically create the log directory.
 
 ### Machine-Specic Configuration
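Review bot: the persistent logging step is marked "(Optional)", but without `Storage=persistent` the journal is lost on reboot, which is precisely when it is needed for a crash or incident investigation; consider making it a default step. The first and third bullets overlap (one says `/var/log/journal` is not created by default, the other says `auto` does not create it); merge them into one sentence and add that `systemctl restart systemd-journald` (or a reboot) is required for the change to take effect. The following heading, "Machine-Specic Configuration", is missing an "fi".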
 
@@ -142,7 +147,6 @@ Debian 10 Buster
 1. Reboot and make sure it still works.
 
 ### Extra
-Optional stuff.
 
 1. Extra package security:
     - Install `apt-listbugs` and `apt-listchanges` and run them before upgrading a package.
@@ -171,39 +175,6 @@ Optional stuff.
     - Example cron job (15 minutes past every 4 hours): `15 */4 * * * root /opt/bin/disk-space-checker`
     - Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.
 
-## System Storage
-
-- The system drive doesn’t need to be super fast if not used a lot for service stuff. It's typically built from one SSD (optionally overprovisioned) or 2 mirrored HDDs (as they're less reliable).
-- Set the boot flag on `/boot/efi` (UEFI) or `/boot` (BIOS). It's not used, but some hardware may require it to try booting the drive.
-- Swap can be added either as a partition, as an LVM volume or not added at all.
-- Use LVM or ZFS (if supported/stable) for the whole main disk, except the boot and EFI partitions.
-- Generally use EXT4, but try to use ZFS if appropriate.
-- Optionally use only the first half of the disk for LVM/system stuff and the other half as for ZFS.
-- Storage typically uses base-10 prefixes, not base-2, like speed and unlike memory.
-- SSDs can be overprovisioned in order to improve performance by leaving unused space the SSD can use internally. Factories typically reserve some minimum size appropriate to the drive, but users can overprovision further by leaving space unallocated/unpartitioned at the end of the drive. It's typically not needed to overprovision newer SSDs.
-
-### System Volumes Suggestion
-
-This is just a suggestion for how to partition your main system drive. Since LVM volumes can be expanded later, it's fine to make them initially small. Create the volumes during system installation and set the mount options later in `/etc/fstab`.
-
-| Volume/Mount | Type | Minimal Size (GB) | Mount Options |
-| :--- | :--- | :--- | :--- |
-| `/proc` | Runtime | N/A | hidepid=2,gid=1500 |
-| `/boot/efi` | FAT32 w/ boot flag (UEFI), none (BIOS) | 0.5 | nodev,nosuid,noexec |
-| `/boot` | EXT4 (UEFI), FAT32 w/ boot flag (BIOS) | 0.5 | nodev,nosuid,noexec |
-| Swap | Swap (optional) | 4, 8, 16 | N/A |
-| `vg0` | LVM | 50% or 100% | N/A |
-| Swap | Swap (LVM) (optional) | 4, 8, 16 | N/A |
-| `/` | EXT4 (LVM) | 10 | nodev |
-| `/tmp` | EXT4 (LVM) | 5 | nodev,nosuid,noexec |
-| `/var` | EXT4 (LVM) | 5 | nodev,nosuid |
-| `/var/lib` | EXT4 (LVM) | 5 | nodev,nosuid |
-| `/var/log` | EXT4 (LVM) | 5 | nodev,nosuid,noexec |
-| `/var/log/audit` | EXT4 (LVM) | 1 | nodev,nosuid,noexec |
-| `/var/tmp` | EXT4 (LVM) | 5 | nodev,nosuid,noexec |
-| `/home` | EXT4 (LVM) | 10 | nodev,nosuid |
-| `/srv` | EXT4 (LVM) or none if external | 10 | nodev,nosuid |
-
 ## Miscellaneous
 
 ### Cron

+ 0 - 39
config/linux-server/misc.md

@@ -1,39 +0,0 @@
----
-title: Linux Server Miscellaneous
-breadcrumbs:
-- title: Configuration
-- title: Linux Server
----
-{% include header.md %}
-
-## Distros
-<table>
-  <thead>
-    <tr>
-      <th style="text-align:left">Distro</th>
-      <th style="text-align:left">RHEL/CentOS</th>
-      <th style="text-align:left">Debian/Ubuntu</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td style="text-align:left">Nobody user and group</td>
-      <td style="text-align:left">nobody:nobody</td>
-      <td style="text-align:left">nobody:nogroup</td>
-    </tr>
-    <tr>
-      <td style="text-align:left">Release file(s)</td>
-      <td style="text-align:left">
-        <p>/etc/redhat-release</p>
-        <p>/etc/centos-release</p>
-      </td>
-      <td style="text-align:left">/etc/debian_version</td>
-    </tr>
-  </tbody>
-</table>
-
-## random VS urandom
-
-`random` blocks when running out of entropy while `urandom` does not. Use `random` for creating keys etc. and urandom for everything else.
-
-{% include footer.md %}

+ 0 - 14
config/linux-server/notes.md

@@ -1,14 +0,0 @@
----
-title: Linux Server Notes
-breadcrumbs:
-- title: Configuration
-- title: Linux Server
----
-{% include header.md %}
-
-## Resources
-
-- [Linux Hardening Checklist](https://github.com/trimstray/linux-hardening-checklist)
-- [The Practical Linux Hardening Guide](https://github.com/trimstray/the-practical-linux-hardening-guide)
-
-{% include footer.md %}

+ 33 - 3
config/linux-server/proxmox-ve.md

@@ -7,7 +7,9 @@ breadcrumbs:
 {% include header.md %}
 
 ### Using
-Proxmox VE 6
+{:.no_toc}
+
+- Proxmox VE 6
 
 ## Initial Setup
 
@@ -15,21 +17,49 @@ Proxmox VE 6
 
 1. See [Debian Server: Initial Setup](../debian-server/#initial-setup).
     - **TODO**: Differences.
+1. Setup the PVE repos (assuming no subscription):
+    - In `/etc/apt/sources.list.d/pve-enterprise.list`, comment out the Enterprise repo.
+    - In `/etc/apt/sources.list`, add the PVE No-Subscription repo. See [Package Repositories](https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo).
+    - Update the package index.
 1. Disable the console MOTD:
     - Disable `pvebanner.service`.
     - Clear or update `/etc/issue` (e.g. use use the logo).
-1. Disable IPv6 NDP:
+1. Disable IPv6 NDP (**TODO** Move to Debian?):
     - It's enabled on all bridges by default, meaning the node may become accessible to untrusted bridged networks even when no IPv4 or IPv6 addresses are specified.
     - **TODO**
     - Reboot (now or later) and make sure there's no unexpected neighbors (`ip -6 n`).
 
 ### Setup SPICE Console
 
-1. In the VM hardware, set the display to SPICE.
+1. In the VM hardware configuration, set the display to SPICE.
 1. Install the guest agent:
     - Linux: `spice-vdagent`
     - Windows: `spice-guest-tools`
 1. Install a SPICE compatible viewer on your client:
     - Linux: `virt-viewer`
 
+## Cluster
+
+- `/etc/pve` will get synchronized across all nodes.
+- High availability:
+    - Clusters must be explicitly configured for HA.
+    - Provides live migration.
+    - Requires shared storage (e.h. Ceph).
+
+### Simple Setup
+
+1. Setup a management network for the cluster.
+    - Either isolated or firewalled with internet access.
+1. Setup each node.
+1. Add each other host to each host's hostfile.
+    - So that IP addresses can be more easily changed.
+    - Use short hostnames, not FQDNs.
+1. Create the cluster on one of the nodes: `pvecm create <name>`
+1. Join the cluster on the other hosts: `pvecm add <name>`
+1. Check the status: `pvecm status`
+
+### High Availability Setup
+
+## Ceph
+
 {% include footer.md %}
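Review bot: `pvecm add <name>` in the Simple Setup list is wrong; `pvecm add` takes the hostname or IP address of a node that is already in the cluster, not the cluster name passed to `pvecm create`. Also: the link `../debian-server/#initial-setup` matches no page in this change set (the Debian notes live at config/linux-server/debian.md, and storage.md is linked from there as `../storage/`), "e.h. Ceph" should be "e.g. Ceph", "use use the logo" has a doubled word, "Setup" as a verb should be "Set up", and the new "High Availability Setup" and "Ceph" headings are empty; either mark them **TODO** like the other placeholders or leave them out until there is content.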

+ 242 - 0
config/linux-server/storage.md

@@ -0,0 +1,242 @@
+---
+title: Storage
+breadcrumbs:
+- title: Configuration
+- title: Linux Server
+---
+{% include header.md %}
+
+### Using
+{:.no_toc}
+
+- Debian 10 Buster
+
+## Notes
+
+- Storage typically uses base-10 prefixes like speed but unlike memory.
+
+## Guidelines
+
+- Higher-end SSDs provide power loss protection which generally consists of an on-board capacitor used to flush the device cache in case of power loss.
+  Typically DC-grade devices do but cheap consumer devices to not.
+- SSDs can be overprovisioned in order to improve performance by leaving unused space the SSD can use internally.
+  Factories typically reserve some minimum size appropriate to the drive, but users can overprovision further by leaving space unallocated/unpartitioned at the end of the drive.
+  It's typically not needed to overprovision newer SSDs.
+
+### RAID
+
+- HDDs: RAID 1 or RAID 6/7. Never RAID 5. RAID 10 for high load (especially IO).
+- SSDs: RAID 5 if three or more and RAID 1 of only two. RAID 10 for extreme load (especially IO).
+- For lots of devices, create stripes of RAIDs where each raid handles redundancy internally (e.g. RAID 10 and 60).
+- When creating HDD arrays, try to use drives from different batches.
+  If one if the batches has some kind of manufacturing fault, shipping damage etc., you don't want the entire array to die all at once.
+
+## Monitoring
+
+### smartmontools (SMART)
+
+See [smartmontools](../../linux-general/applications/#smartmontools).
+
+#### Some HDD SMART Attributes
+
+These should stay near 0 and should not be rising. If they are, it may indicate the drive is about to commit seppuku.
+
+- 005: Reallocated Sectors Count
+- 187: Reported Uncorrectable Errors
+- 188: Command Timeout
+- 197: Current Pending Sector Count
+- 198: Uncorrectable Sector Count
+
+## System Storage
+
+- The system drive doesn’t need to be super fast if not used a lot for service stuff. It's typically built from one SSD (optionally overprovisioned) or 2 mirrored HDDs (as they're less reliable).
+- Set the boot flag on `/boot/efi` (UEFI) or `/boot` (BIOS). It's not used, but some hardware may require it to try booting the drive.
+- Swap can be added either as a partition, as an LVM volume or not added at all.
+- Preferred volume manager: LVM or ZFS.
+- Preferred file system: EXT4 or ZFS.
+- Optionally use only the first half of the disk for LVM/system stuff and the other half for ZFS.
+
+### System Volumes Suggestion
+
+This is just a suggestion for how to partition your main system drive. Since LVM volumes can be expanded later, it's fine to make them initially small. Create the volumes during system installation and set the mount options later in `/etc/fstab`.
+
+| Volume/Mount | Type | Minimal Size (GB) | Mount Options |
+| :--- | :--- | :--- | :--- |
+| `/proc` | Runtime | N/A | hidepid=2,gid=1500 |
+| `/boot/efi` | FAT32 w/ boot flag (UEFI), none (BIOS) | 0.5 | nodev,nosuid,noexec |
+| `/boot` | EXT4 (UEFI), FAT32 w/ boot flag (BIOS) | 0.5 | nodev,nosuid,noexec |
+| Swap | Swap (optional) | 4, 8, 16 | N/A |
+| `vg0` | LVM | 50% or 100% | N/A |
+| Swap | Swap (LVM) (optional) | 4, 8, 16 | N/A |
+| `/` | EXT4 (LVM) | 10 | nodev |
+| `/tmp` | EXT4 (LVM) | 5 | nodev,nosuid,noexec |
+| `/var` | EXT4 (LVM) | 5 | nodev,nosuid |
+| `/var/lib` | EXT4 (LVM) | 5 | nodev,nosuid |
+| `/var/log` | EXT4 (LVM) | 5 | nodev,nosuid,noexec |
+| `/var/log/audit` | EXT4 (LVM) | 1 | nodev,nosuid,noexec |
+| `/var/tmp` | EXT4 (LVM) | 5 | nodev,nosuid,noexec |
+| `/home` | EXT4 (LVM) | 10 | nodev,nosuid |
+| `/srv` | EXT4 (LVM) or none if external | 10 | nodev,nosuid |
+  
+## ZFS
+
+### Info
+
+#### Features
+
+- Filesystem and physical storage decoupled
+- Always consistent
+- Intent log
+- Synchronous or asynchronous
+- Everything checksummed
+- Compression
+- Deduplication
+- Encryption
+- Snapshots
+- Copy-on-write (CoW)
+- Clones
+- Caching
+- Log-strucrured filesystem
+- Tunable
+
+#### Terminology
+
+- Vdev
+- Zpool
+- Zvol
+- ZFS POSIX Layer (ZPL)
+- ZFS Intent Log (ZIL)
+- Adaptive Replacement Cache (ARC)
+- Dataset
+
+### Setup
+
+#### Installation
+
+The installation part is highly specific to Debian 10.
+Some guides recommend using backport repos, but this way doesn't require that.
+
+1. Enable the `contrib` and `non-free` repo areas.
+1. Install (it might give errors): `zfs-dkms zfsutils-linux zfs-zed`
+1. Load the ZFS module: `modprobe zfs`
+1. Fix the ZFS install: `apt install`
+
+#### Configuration
+
+1. Make the import service wait for iSCSI:
+    1. **TODO** Test if this is actually working.
+    1. `cp /lib/systemd/system/zfs-import-cache.zervice /etc/systemd/system`
+    1. Add `After=iscsid.service` in `/etc/systemd/system/zfs-import-cache.service`.
+    1. `systemctl enable zfs-import-cache.service`
+1. Set the max ARC size: `echo "options zfs zfs_arc_max=<bytes>" >> /etc/modprobe.d/zfs.conf`
+    - It should typically be around 15-25% of the physical RAM size on general nodes. It defaults to 50%.
+1. Check that the cron scrub script exists.
+    - Typical location: `/etc/cron.d/zfsutils-linux`
+    - If it doesn't exist, add one which runs `/usr/lib/zfs-linux/scrub` e.g. monthly. It'll scrub all disks.
+
+### Usage
+
+- Create a pool: `zpool create -o ashift=<9|12> [level] <drives>+`
+- Create an encrypted pool:
+  - The procedure is basically the same for encrypted datasets.
+  - Children of encrypted datasets can't be unencrypted.
+  - The encryption suite can't be changed after creation, but the keyformat can.
+  - Using a password: `zpool create -O encryption=aes-128-gcm -O keyformat=passphrase ...`
+  - Using a raw key:
+    - Generate the key: `dd if=/dev/random of=/root/keys/zfs/<tank> bs=32 count=1`
+    - Create the pool: `zpool create -O encryption=aes-128-gcm -O keyformat=raw -O keylocation=file:///root/keys/zfs/<tank> ...`
+    - Automatically unlock at boot time: Add and enable [zfs-load-keys.service](https://github.com/HON95/misc-configs/blob/master/linux-server/zfs/zfs-load-keys.service).
+  - Reboot and test.
+  - Check the key status with `zfs get keystatus`.
+- Send and receive snapshots:
+  - `zfs send [-R] <snapshot>` and `zfs recv <snapshot>`.
+  - Uses STDOUT.
+  - Use `zfs get receive_resume_token` and `zfs send -t <token>` to resume an interrupted transfer.
+- View activity: `zpool iostat [-v]`
+- Clear transient device errors: `zpool clear <pool> [device]`
+- If a pool is "UNAVAIL", it means it can't be recovered without corrupted data.
+- Replace a device and automatically copy data from the old device or from redundant devices: `zpool replace <pool> <device> [new-device]`
+- Bring a device online or offline: `zpool (online|offline) <pool> <device>`
+- Re-add device that got wiped: Take it offline and then online again.
+
+### Best Practices and Suggestions
+
+- As far as possible, use raw disks and HBA disk controllers (or RAID controllers in IT mode).
+- Always use `/etc/disk/by-id/X`, not `/dev/sdX`.
+- Always manually set the correct ashift for pools.
+  - Should be the log-2 of the physical block/sector size of the device.
+  - E.g. 12 for 4kB (Advanced Format (AF), common on HDDs) and 9 for 512B (common on SSDs).
+  - Check the physical block size with `smartctl -i <dev>`.
+  - Keep in mind that some 4kB disks emulate/report 512B. They should be used as 4kB disks.
+- Always enable compression.
+    - Generally `lz4`. Maybe `zstd` when implemented. Maybe `gzip-9` for archiving.
+    - For uncompressable data, worst case it that it does nothing (i.e. no loss for enabling it).
+    - The overhead is typically negligible. Only for super-high-bandwidth use cases (large NVMe RAIDs), the compression overhead may become noticable.
+- Never use deduplication.
+    - It's generally not useful, depending on the use case.
+    - It's expensive.
+    - It may brick your ZFS server.
+- Generally always use quotas and reservations.
+- Avoid using more than 80% of the available space.
+- Make sure regular automatic scrubs are enabled.
+    - There should be a cron job/script or something.
+    - Run it e.g. every 2 weeks or monthly.
+- Snapshots are great for incremental backups. They're easy to send places too. If the dataset is encrypted then so is the snapshot.
+- Enabling features like encryption, compression, deduplication is not retro-active. You'll need to move the old data away and back for the features to apply to the data.
+
+### Tuning
+
+- Use quotas, reservations and compression.
+- Very frequent reads:
+  - E.g. for a static web root.
+  - Set `atime=off` to disable updating the access time for files.
+- Database:
+  - Disable `atime`.
+  - Use an appropriate recordsize with `recordsize=<size>`.
+    - InnoDB should use 16k for data files and 128k on log files (two datasets).
+    - PostgreSQL should use 8k (or 16k) for both data and WAL.
+  - Disable caching with `primarycache=metadata`. DMBSes typically handle caching themselves.
+    - For InnoDB.
+    - For PostgreSQL if the working set fits in RAM.
+  - Disable the ZIL with `logbias=throughput` to prevent writing twice.
+    - For InnoDB and PostgreSQL.
+    - Consider not using it for high-traffic applications.
+  - PostgreSQL:
+    - Use the same dataset for data and logs.
+    - Use one dataset per database instance. Requires you to specify it when creating the database.
+    - Don't use PostgreSQL checksums or compression.
+    - Example: `su postgres -c 'initdb --no-locale -E=UTF8 -n -N -D /db/pgdb1'`
+
+### Troubleshooting
+
+**TODO** Test if this is actually working.
+
+- `zfs-import-cache.service` fails to import pools because disks are not found:
+  - Set `options scsi_mod scan=sync` in `/etc/modprobe.d/zfs.conf` to wait for iSCSI disks to come online before ZFS starts.
+  - Add `After=iscsid.service` to `zfs-import-cache.service`
+
+### Extra Notes
+
+- ECC memory is recommended but not required. It does not affect data corruption on disk.
+- It does not require large amounts of memory, but more memory allows it to cache more data. A minimum of around 1GB is suggested. Memory caching is termed ARC. By default it's limited to 1/2 of all available RAM. Under memory pressure, it releases some of it to other applications.
+- Compressed ARC is a feature which compresses and checksums the ARC. It's enabled by default.
+- A dedicated disk (e.g. an NVMe SSD) can be used as a secondary read cache. This is termed L2ARC (level 2 ARC). Only frequently accessed blocks are cached. The memory requirement will increase based on the size of the L2ARC. It should only be considered for pools with high read traffic, slow disks and lots of memory available.
+- A dedicated disk (e.g. an NVMe SSD) can be used for the ZFS intent log (ZIL), which is used for synchronized writes. This is termed SLOG (separate intent log). The disk must have low latency, high durability and should preferrably be mirrored for redundancy. It should only be considered for pools with high synchronous write traffic on relatively slow disks.
+- Intel Optane is a perfect choice as both L2ARCs and SLOGs due to its high throughput, low latency and high durability.
+- Some SSD models come with a build-in cache. Make sure it actually flushes it on power loss.
+- ZFS is always consistent, even in case of data loss.
+- Bitrot is real.
+  - 4.2% to 34% of SSDs have one UBER (uncorrectable bit error rate) per year.
+  - External factors:
+    - Temperature.
+    - Bus power consumption.
+    - Data written by system software.
+    - Workload changes due to SSD failure.
+- Signs of drive failures:
+  - `zpool status <pool>` shows that a scrub has repaired any data.
+  - `zpool status <pool>` shows read, write or checksum errors (all values should be zero).
+- Database conventions:
+  - One app per database.
+  - Encode the environment and DMBS version into the dataset name, e.g. `theapp-prod-pg10`.
+
+{% include footer.md %}
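Review bot: two commands in this file have path typos that will fail when copied: the configuration step `cp /lib/systemd/system/zfs-import-cache.zervice /etc/systemd/system` should read `zfs-import-cache.service`, and the best-practice bullet "Always use `/etc/disk/by-id/X`" should point at `/dev/disk/by-id/X`. In the encrypted-pool steps, `dd if=/dev/random of=/root/keys/zfs/<tank> bs=32 count=1` can return a short read and therefore a key shorter than the 32 bytes a raw keyformat needs; `head -c 32 /dev/urandom` (or `dd ... iflag=fullblock`) avoids that, and it is worth saying that a key file kept on the root filesystem and loaded automatically at boot only protects the pool when the data disks are separated from the system disk. Minor: "DMBS" should be "DBMS" (twice), and `logbias=throughput` does not disable the ZIL, it stops sending log records to the SLOG, so "Disable the ZIL" would be more accurate as "Bypass the SLOG".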

+ 4 - 2
config/hardware/dell-optiplex.md → config/machines/dell-optiplex.md

@@ -2,13 +2,15 @@
 title: Dell OptiPlex Series
 breadcrumbs:
 - title: Configuration
-- title: Hardware
+- title: Machines
 ---
 {% include header.md %}
 
 ### Using
 {:.no_toc}
-780 SFF, 9010 SFF
+
+- 780 SFF
+- 9010 SFF
 
 ## Management
 

+ 121 - 0
config/machines/dell-poweredge.md

@@ -0,0 +1,121 @@
+---
+title: Dell PowerEdge Series
+breadcrumbs:
+- title: Configuration
+- title: Machines
+---
+{% include header.md %}
+
+### Using
+{:.no_toc}
+
+- 2950
+- R310
+- R610
+- R710
+- R320
+- R620
+- R720
+
+## Firmware Upgrades
+
+### G11 and lower
+
+There are lots of ways to upgrade the firmware, but most are painful and typically don't even work (e.g. loading firmware files in the Lifecycle Controller, Repository Manager custom ISOs, Repository Manager repositories, Repository Manager firmware files, and the Server Update Utility (SUU)). One way that *does* work is finding a pre-built bootable ISO and booting into it, but finding an ISO is getting harder.
+
+#### Upgrading From Files Using System Services
+
+1. Download the file.
+    - The one for Windows.
+    - You may need to press "View full driver details" to find it on the Dell download pages.
+1. Format a USB drive using the DOS partition table with one FAT32 partition. (**FIXME** Is DOS necessary?)
+    - E.g. using `fdisk` and `mkfs.fat`.
+1. Copy the file to it.
+1. Connect it to the server.
+1. Start System Services.
+    - Press F10 when booting.
+1. Go to Platform Update.
+1. Select local drive, select the USB drive and enter the filename on the drive.
+1. Success (maybe).
+
+### G12 and higher
+
+Update through iDRAC 7 using HTTP site `downloads.dell.com`.
+
+## Management
+
+- Password:
+    - No special symbols and no spaces. Dash should be fine.
+    - Case sensitivity is inconsistent, so always use lower-case.
+
+## Memory
+
+### R310
+
+The R310 is super picky about memory and the manuals are (fom my experience) insufficient to figure out which types may be used can be used.
+If it doesn't like it, it won't even boot.
+
+Some configurations that work:
+- 4x 8GB 4Rx8 PC3-8500R running at 800MHz.
+- 2x 8GB 4Rx8 PC3-8500R running at 1067MHz.
+- 2x 4GB 2Rx8 PC3-10600E running at 1333MHz.
+
+Some configurations that DOESN'T work:
+- 2x 4GB 2Rx4 PC3-10600R.
+
+### R610 and R710
+
+For max performance, use two dual-rank 1333MHz DIMMS in slots 1 and 2 for all channels (12 DIMMS total).
+Earlier BIOS versions only supported one DIMM per channel for 1333MHz, as written in some outdated manuals.
+
+## Storage
+
+- PERC 5/i and 6/i do not support disks over 2TB. PERC H200 and similar needs to be flashed to a newer version to support it.
+- Some say the PERC H200, H310, H310 mini etc. need to be flashed from IR (the default) to IT mode in order to pass through unconfigured disks directly instead of presenting them as individual RAID volumes and maybe adding proprietary headers on disk. ZFS (e.g.) needs direct access to the disks to work optimally, meaning you should flash it to IT mode if you intend to use the card as an HBA with ZFS or similar. This can cause the cards to no longer be accepted in the R610 and R710 PCIe-like storage slot and needs to use a normal PCIe slot instead. However, some say that IR cards (not flashed to IT mode) with unconfigured disks work as HBAs and pass them through directly. As they're not flashed to IT mode, they should still work in the storage slot too. My own experience with and R610 and R710 with IR mode H200s in the storage slots and seemingly direct disk access seems to agree with this latter statement.
+
+## Power Efficiency
+
+- C-states and C1E: May significantly reduce power usage when idle.
+
+## Theory
+
+### Model Name Convention
+
+#### Generation 9 and Earlier
+
+- Example: `2950`
+- First digit: Class of server.
+    - `1`: 1U server.
+    - `2`: 2U server.
+    - `6`: 4U server.
+- Second figit: Generation.
+- Third digit: Server type.
+    - `0`: Tower.
+    - `5`: Rack.
+- Fourth digit:
+    - `0`: Independent box.
+    - `5`: Blade.
+
+#### Generation 10 and Later
+
+Includes three-digits model names only.
+There are four-digit variants and other exceptions.
+
+- Example: `R710`
+- Letter:
+    - `C`: Cloud.
+    - `F`: Flexible.
+    - `M/MX*`: Modular.
+    - `R`: Rack.
+    - `T`: Tower.
+- First digit: Class of server.
+    - `1-3`: 1 CPU.
+    - `4-7`: Dual CPU.
+    - `8`: Dual or quad CPU.
+    - `9`: Quad CPU.
+- Second digit: Generation, offset by 10.
+- Third digit: Make of CPU.
+    - `0`: Intel.
+    - `5`: AMD.
+
+{% include footer.md %}
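Review bot: the Management bullet restricts passwords to lower-case letters, digits and dashes without saying why; since that shrinks the character set considerably, state that it is a workaround for iDRAC input quirks and recommend compensating with length. The two sentences under "Generation 10 and Later" contradict each other ("Includes three-digits model names only." followed by "There are four-digit variants and other exceptions."); the first should say "Typically three-digit model names." Typos: "fom my experience" should be "from my experience", "Second figit" should be "Second digit", and "configurations that DOESN'T work" should be "configurations that DON'T work".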

+ 5 - 3
config/hardware/clevo.md → config/machines/laptops.md

@@ -1,12 +1,14 @@
 ---
-title: Clevo PCs
+title: Laptops
 breadcrumbs:
 - title: Configuration
-- title: Hardware
+- title: Machines
 ---
 {% include header.md %}
 
-## N950TP (Multicom Kunshan N950T)
+## Clevo N950TP
+
+Aka Multicom Kunshan N950T.
 
 ### Linux
 

+ 42 - 0
config/machines/testing.md

@@ -0,0 +1,42 @@
+---
+title: Hardware Testing
+breadcrumbs:
+- title: Configuration
+- title: Machines
+---
+{% include header.md %}
+
+## Information Gathering
+
+
+### Linux
+
+- Show CPU vulnerabilities: `tail -n +1 /sys/devices/system/cpu/vulnerabilities/*`
+
+## CPU
+
+### Prime95
+
+- For stress testing.
+- For most OSes.
+- Install: [Download](https://www.mersenne.org/download/).
+
+## RAM
+
+### MemTest86
+
+- For health error testing.
+- Standalone/bootable.
+- Install: [Download](https://www.memtest86.com/download.htm)
+    - Use v4 for systems without UEFI support.
+- Not the same as Memtest86+. Memtest86+ is an old fork of Memtest86.
+
+## Storage
+
+### smartmontools
+
+- For health testing.
+- For Linux.
+- See [smartmontools](../../linux-general/applications/#smartmontools).
+
+{% include footer.md %}
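Review bot: style: there is a double blank line between `## Information Gathering` and `### Linux`, and "For health error testing" under MemTest86 reads oddly (suggest "For error testing"). The `tail -n +1 /sys/devices/system/cpu/vulnerabilities/*` one-liner relies on `tail` printing a filename header for each file when given several; a sentence saying so, and that each line reads either "Not affected", "Mitigation: ..." or "Vulnerable", would help readers interpret it.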

+ 15 - 5
config/network/brocade-icx.md

@@ -8,7 +8,11 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-Brocade/Ruckus ICX 6610-24 running router/L3 software
+
+- Brocade/Ruckus ICX 6610-24 running router/L3 software (**TODO** Version?)
+
+### Disclaimer
+{:.no_toc}
 
 Security features like port security, dynamic ARP inspection, DHCP snooping, IP source guard, DHCPv6 snooping, IPv6 NDP inspection and IPv6 RA guard will not be covered since I mainly use the switch as a core/dist. switch and not an access switch.
 
@@ -111,10 +115,11 @@ Security features like port security, dynamic ARP inspection, DHCP snooping, IP
     1. Page 269
 21. Save the config: `write memory`
 
-## Usage
+## General Configuration
+
+### Simple Actions
 
 - Console:
-  - Backspace in serial console: `Ctrl+H`
   - Enable logging to the serial console: `logging console`
   - Enable logging to SSH/Telnet: `terminal monitor`(in privileged exec mode)
 - Hardware:
@@ -138,8 +143,13 @@ Security features like port security, dynamic ARP inspection, DHCP snooping, IP
 - Special:
   - Enable SFP+ ports: `speed-duplex 10g-full`
 
-## Notes
+## Theory
+
+### Using the CLI
+
+- Backspace: `Ctrl+H`
 
-- Brocade devices operate in cut-through switching mode instead of store-and-forward.
+### Miscellaneous
+- Brocade devices operate in cut-through switching mode instead of store-and-forward by default.
 
 {% include footer.md %}
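Review bot: style: `### Miscellaneous` is not followed by a blank line before its list item, unlike the other headings on the page; add one for consistent rendering. Adding "by default" to the cut-through statement is a good precision improvement; a pointer to how to switch the device to store-and-forward would complete it.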

+ 8 - 1
config/network/cisco-ios-routers.md

@@ -6,9 +6,16 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+### Related Pages
+{:.no_toc}
+
+- [Cisco IOS](../cisco-ios/)
+- [Cisco IOS Switches](../cisco-ios-switches/)
+
 ### Using
 {:.no_toc}
-None
+
+- ISR 2801 (**TODO** Version?)
 
 ## Initial Configuration
 

+ 65 - 48
config/network/cisco-ios-switches.md

@@ -6,9 +6,18 @@ breadcrumbs:
 ---
 {% include header.md %}
 
+### Related Pages
+{:.no_toc}
+
+- [Cisco IOS](../cisco-ios/)
+- [Cisco IOS Routers](../cisco-ios-routers/)
+
 ### Using
 {:.no_toc}
-Catalyst 2960G, Catalyst 3750G
+
+- Catalyst 2950
+- Catalyst 2960G
+- Catalyst 3750G
 
 ## Initial Configuration
 
@@ -148,70 +157,78 @@ Catalyst 2960G, Catalyst 3750G
     1. **TODO**
 1. Save the config: `copy run start`
 
-## Notes
-
-### Management
+## General Configuration
 
-- Reset the configuration:
-  - Delete the config: `erase startup-config`
-  - Delete the VLAN DB: `delete flash:vlan.dat`
-  - Show files: `sh flash:`
-  - Delete `.renamed` files too.
-  - Reload: `reload`
+### Simple Actions
 
-### AAA
+- Show statuses:
+    - L3 port overview: `sh ip int br`
+    - L2 port overview: `sh int status`
+    - Port statistics: `sh int <if>`
+    - Err-disable: `sh int status err-disabled`
 
-- Disable the `password-encryption` service, use encrypted passwords instead.
-- Use type 9 (scrypt) secrets.
+### Reset the Configuration
 
-### Ports and VLANs
-
-- Show interfaces:
-  - Overview: `sh ip int br`
-  - Details: `sh int`
-- Use trunks between switches. Avoid using native VLANs with trunks if possible.
-- Select range of interfaces: `int range g1/0/1-52` (example)
-- Reset interface(s): `default int [range] <if>[-<end>]`
-- User ports:
-  - Untrusted.
-  - Generally, configure it as an access port.
-  - Disable services/protocols like CDP, VTP, DTP, etc.
-  - Disable automatic PaGP/LACP.
-  - Enable portfast.
-  - Enable BPDU guard, unless configured globally.
-  - Enable port security to limit the amount of MAC addresses using that port. MAC flooding can result in full MAC tables, which causes all frames to be flooded.
-  - Enable ARP inspection to prevent ARP spoofing.
-- Ports to switches:
-  - Generally, configure it as a trunk port without a native VLAN.
-  - Enable root guard if facing switches on lower topological tiers.
-- Unused ports:
-  - Shut them down.
-- Native VLAN:
-  - Be careful not to have a native VLAN spanning the entire area.
-  - Avoid using VLAN 1 (the default VLAN).
-  - Consider adding a new VLAN (e.g. VLAN 2) and shutting it down, then using it as the native VLAN of trunks. This effectively disables the native VLAN for those trunks.
-  - User VLANs should never be a native VLAN on any trunk. It can enable VLAN hopping through double tagging.
+1. Delete the config: `erase startup-config`
+1. Delete the VLAN DB: `delete flash:vlan.dat`
+1. Show files: `sh flash:`
+1. Delete `.renamed` files too.
+1. Reload: `reload`
 
 ### Services and Features
 
 - CDP:
-  - It may leak information.
-  - Disable globally: `no cdp run`
+    - It may leak information.
+    - Disable globally: `no cdp run`
 - VTP:
-  - It may fuck up the trunks when an out-of-sync VTP switch joins.
-  - Disable globally: `vtp mode (off | transparent)`
+    - It may fuck up the trunks when an out-of-sync VTP switch joins.
+    - Disable globally: `vtp mode (off | transparent)`
 - DTP:
-  - It may facilitate switch spoofing and VLAN hopping.
-  - Disable it for each switch port: `switchport nonegotiate`
+    - It may facilitate switch spoofing and VLAN hopping.
+    - Disable it for each switch port: `switchport nonegotiate`
 - UDLD:
-  - Generally only useful for fiber.
-  - Disable globally: **TODO**
+    - Generally only useful for fiber.
+    - Disable globally: **TODO**
 
 ### Spanning Tree
 
 - Enable BPDU guard globally to automatically enable it om ports with portfast. Or don't.
 - Only enable loop guard for links which may become uni-directional and which have UDLD enabled.
 
+## Theory
+
+### Ports and VLANs
+
+- Use trunks between switches. Avoid using native VLANs with trunks if possible.
+- User ports:
+    - Untrusted.
+    - Generally, configure it as an access port.
+    - Disable services/protocols like CDP, VTP, DTP, etc.
+    - Disable automatic PaGP/LACP.
+    - Enable portfast.
+    - Enable BPDU guard, unless configured globally.
+    - Enable port security to limit the amount of MAC addresses using that port. MAC flooding can result in full MAC tables, which causes all frames to be flooded.
+    - Enable ARP inspection to prevent ARP spoofing.
+- Ports to switches:
+    - Generally, configure it as a trunk port without a native VLAN.
+    - Enable root guard if facing switches on lower topological tiers.
+- Unused ports:
+    - Shut them down.
+- Native VLAN:
+    - Be careful not to have a native VLAN spanning the entire area.
+    - Avoid using VLAN 1 (the default VLAN).
+    - Consider adding a new VLAN (e.g. VLAN 2) and shutting it down, then using it as the native VLAN of trunks. This effectively disables the native VLAN for those trunks.
+    - User VLANs should never be a native VLAN on any trunk. It can enable VLAN hopping through double tagging.
+
+### Port Lights
+
+- Status mode:
+    - Off: No link or administratively down.
+    - Green: Link present.
+    - Blinking green: Activity.
+    - Alternating green-amber: Link fault. Could be caused by hardware errors or mismatched speed or duplex.
+    - Amber and blinking amber: Blocked by STP.
+
 ## Resources
 
 - [https://github.com/cisco-config-analysis-tool/ccat](https://github.com/cisco-config-analysis-tool/ccat)
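Review bot: the "Ports and VLANs" bullets now live under `## Theory` but are really hardening steps (port security, ARP inspection, BPDU guard, root guard) with no commands, while the commands for related items (`switchport nonegotiate`, `no cdp run`) stay under General Configuration; either give each of these a command or leave the list where configuration readers will find it. Typo in Spanning Tree: "enable it om ports" should be "on ports", and "Or don't." gives no guidance on when not to. The UDLD "Disable globally: **TODO**" is still open.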

+ 62 - 0
config/network/cisco-ios.md

@@ -0,0 +1,62 @@
+---
+title: Cisco IOS
+breadcrumbs:
+- title: Configuration
+- title: Network
+---
+{% include header.md %}
+
+### Related Pages
+{:.no_toc}
+
+- [Cisco IOS Routers](../cisco-ios-routers/)
+- [Cisco IOS Switches](../cisco-ios-switches/)
+
+## General Configuration
+
+### Simple Actions
+
+- Save running config: `copy run start` or `write mem`
+- Restore startup config: `copy start run`
+- Show configurations: `show [run|start]`
+    - `| section <section>` can be used to show a specific section.
+
+### AAA
+
+- Disable the `password-encryption` service, use encrypted passwords instead.
+- Use type 9 (scrypt) secrets.
+
+## Version String Convention
+
+- Running example: `15.0(2)SE11`
+- Train (`15.0SE`): Like the major versjon number.
+- Throttle (`2`): Like the minor version number.
+- Rebuild (`11`): Like the patch version number. Omitted for rebuild zero. May be specified as a letter directly after the throttle for old versions.
+
+
+## Theory
+
+### CLI
+
+#### Modes
+
+- User EXEC mode (`Router>`).
+- Privileged EXEC mode (`Router#`).
+- Configuration modes:
+    - Global configuration mode (`Router(config)#`).
+    - Interface, line, etc. configuration mode (`Router(config-xxx)#`).
+- Setup mode.
+- ROMMON mode.
+
+#### Using the CLI
+
+- Tab: Auto-complete.
+- `?`: Prints the allowed keywords.
+- `|`: Can be used to filter the output.
+
+##### Configuration Mode
+
+- Select range of interfaces: `int range g1/0/1-52` (example)
+- Reset interface(s): `default int [range] <if>[-<end>]`
+
+{% include footer.md %}
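Review bot: "versjon" should be "version" in the Train bullet, and there is a double blank line before `## Theory`. The AAA bullets recommend type 9 (scrypt) secrets but not which IOS releases offer them; since the version example on the same page is `15.0(2)SE11`, an older train, state the minimum version and the fallback for devices without it (type 5, never type 7) so readers do not try a keyword their IOS lacks. "Version String Convention" would also sit more naturally under `## Theory` with the other background sections.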

+ 40 - 0
config/network/juniper-ex.md

@@ -0,0 +1,40 @@
+---
+title: Juniper EX Series Switches
+breadcrumbs:
+- title: Configuration
+- title: Network
+---
+{% include header.md %}
+
+### Related Pages
+{:.no_toc}
+
+- [Juniper Junos OS](../juniper-junos/)
+
+### Using
+{:.no_toc}
+
+- EX3300 w/ Junos 15.1R7
+
+## Initial Setup
+
+Enter configuration mode as necessary in the steps below with `configure` and `exit`.
+
+1. Connect to the switch using serial.
+1. Login with username `root` and no password. You'll enter the shell.
+1. Enter the operation mode: `cli`
+1. Set hostname (conf mode): `set system host-name <hostname>`
+
+**TODO**
+1. Setup root authentication.
+1. Disable DHCP auto image upgrade: `delete chassis auto-image-upgrade` (conf mode)
+1. Disable alarm for mgmt. port link down.
+1. Commit.
+
+## Theory
+
+### Virtual Chassis
+
+**TODO**
+
+{% include footer.md %}
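Review bot: the list under `**TODO**` at the end of Initial Setup is not separated from the TODO line by a blank line, so Markdown will render those four steps as one paragraph; they also continue the earlier list and should probably keep its numbering. On content, step 2 notes that root has no password while "Setup root authentication" sits in the TODO block; move it up and make it concrete (`set system root-authentication plain-text-password`), since Junos will not commit a configuration that lacks `root-authentication`, and the device should not be connected to a network while root is passwordless.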

+ 181 - 0
config/network/juniper-junos.md

@@ -0,0 +1,181 @@
+---
+title: Juniper Junos OS
+breadcrumbs:
+- title: Configuration
+- title: Network
+---
+{% include header.md %}
+
+### Related Pages
+{:.no_toc}
+
+- [Juniper EX Series Switches](../juniper-ex/)
+
+### Disclaimer
+{:.no_toc}
+This page is based mainly on the devices/series I own.
+Some content may be specific to those devices and should be moved away from this page.
+
+## General Configuration
+
+### Simple Actions
+
+- Show the configuration: `show configuration [statement]`
+    - The optional statement path is space-separated.
+- Show alarms: `show chassis alarms`
+- Show routing engine usage: `show chassis routing-engine`
+- Shut down: `request system <halt|power-off>`
+- Open shell: `request session member <vc-member-id>`
+- Show interfaces:
+    - L2/L3 overview: `show interfaces terse`
+
+### Upgrading Junos Using a USB Drive
+
+1. Format the USB drive using FAT32.
+1. Copy the software file to the drive.
+1. Mount it to `/var/tmp/flash` (see [mount a USB drive](#mount-a-usb-drive)).
+1. Verify that the drive contains the software file: `ls -l /bar/tmp/flash`
+1. (Optional) Copy the file to internal storage (`/var/tmp/`) before installing it.
+1. Install: `request system software add <path> no-validate no-copy [partition] [reboot]`
+    - If installing from internal storage, use the `partition` option.
+    - If not using the `reboot` option, manually reboot afterwards.
+1. Wait for the install to finish.
+    - It may produce some minor errors in the process.
+1. Validate it:
+    - `show system storage partitions`
+    - `show system snapshot media internal`
+1. (Optional) Test that it's working.
+1. Overwrite the alternate root partition: See [Copy the Active Root Partition](#copy-the-active-root-partition)
+
+#### The Harder Way
+
+If the method above did not work, try this instead to completely format and flash the device.
+
+1. Prepare the USB drive like above.
+1. Connect using a serial cable.
+1. When the device is booting, press space at the right time.
+1. Format and flash: `install --format file:///jinstall-whatever.tgz`
+
+### Copy the Active Root Partition
+
+This procedure clones the active partition to the alternate partition.
+This is also how you would clone to and boot from a USB device, but with `media external` instead of `media internal` and `slice alternate`.
+
+1. Clone the active partition to the alternate partition: `request system snapshot slice alternate`
+    - This may not be completely finished when the command returns. If the below commands fail, wait and try again.
+1. Validate it:
+    - `show system storage partitions`
+    - `show system snapshot media internal`
+1. (Optional) Boot to the alternate partition: `request system reboot slice alternate media internal`
+
+### Fix a Corrupt Root Partition
+
+If one of the root partitions get corrupted (e.g. due to sudden power loss),
+the device will boot to the alternate root partition.
+This can be fixed by cloning the new active partition to the alternate, corrupt partition.
+
+See [Copy the Active Root Partition](#copy-the-active-root-partition) or [[EX] Switch boots from backup root partition after file system corruption occurred on the primary root partition (Juniper)](https://kb.juniper.net/InfoCenter/index?page=content&id=KB23180).
+
+### Mount a USB Drive
+
+Note: USB3 drives may not work properly. Use USB2 drives.
+
+1. Make sure the drive is formatted as FAT32 (MS-DOS) (or something else supported).
+1. Don't insert it in the Juniper device yet.
+1. Show current storage devices: `ls -l /dev/da*`
+1. Insert the drive. It should print a few lines to the console.
+1. Show current storage devices again and find the new device.
+1. Create a dir to mount it to: `mkdir /vat/tmp/usb1`
+1. Mount it: `mount_msdosfs <device> /var/tmp/usb1`
+1. Do stuff with it.
+1. Unmount it: `umount /dev/tmp/usb1`
+
+## Theory
+
+### About
+
+- Based on FreeBSD.
+- Used on all Juniper devices.
+- Juniper's next-generation OS "Junos OS evolved" (not Junos OS) is based on Linux.
+
+### Booting
+
+The devices have two partitions; the primary and the backup.
+One of them will be designated as active and that will not be reset when the device is rebooted.
+When the active partition is damaged, the device will boot into the other partition.
+When the backup partition is the active partition, an alarm will be set and a banner shown.
+
+Change active partition and reboot: `request system reboot slice alternate media internal`
+
+### Shutting It Down
+
+The devices should be shut down gracefully instead of just pulling the power.
+This will prevent corrupting the file system.
+
+- Shell: `shutdown -h now`
+- Op mode: `request system <halt|power-off> [local|all-members|member <member-id>]`
+
+### The Configuration
+
+- Hierarchical.
+- Statements:
+    - Container statements: Contains statements. Surround child statements in curly braces.
+    - Leaf statements: Terminated with a semicolon.
+
+### CLI Modes
+
+- Shell: A CSH shell. Entered by default when logging in as root.
+- CLI operational mode (op mode).
+- CLI configuration mode (conf mode).
+
+### Using the CLI
+
+(Not the shell.)
+
+- Space: Like tab, generally.
+- Tab: Auto-complete.
+- `?`: Prints the allowed keywords.
+- `|`: Can be used to filter the output.
+- Commit configuration changes: See commit section.
+
+#### Configuration Mode
+
+- Enter configuration mode: `configure`
+- Exit configuration mode: `exit`
+- Statements can be changed by either entering the container statement and changing it locally, or by specifying the full path for the statement.
+- Enter the container statements: `edit <container-statement>`
+    - Changes the local position in the hierarchy.
+    - Multiple levels can be specified separated by space.
+- Go up one level: `up`
+- Go to the top: `top`
+- Run operational command: `run <command>`
+- Show configuration for current level: `show`
+
+### Making Changes
+
+Changes made in configuration mode are added to the candidate configuration and not immediately applied.
+To apply the candidate configuration to the active configuration, commit the changes.
+
+**TODO** which modes?
+
+- Show changes: `show | compare`
+- Commit the changes: `commit [comment <comment>] [confirmed] [and-quit]` (conf mode)
+    - Try to always add a short comment.
+    - `confirmed` automatically rolls back the commit if it is not confirmed within a time limit.
+    - `and-quit` will quit configuration mode after a successful commit.
+
+**TODO** Confirm how?
+
+### Interface Names
+
+- `lo`: Loopback.
+- `ge`: Gigabit Ethernet.
+- `xe`: 10G Ethernet.
+- `et`: 40G Ethernet.
+- `em` and `fxp`: Management, possibly OOB.
+
+### Fusion
+
+**TODO**
+
+{% include footer.md %}
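Review bot: three paths in this file are mistyped and will break the copy-paste procedures: `ls -l /bar/tmp/flash` should be `/var/tmp/flash`, `mkdir /vat/tmp/usb1` should be `/var/tmp/usb1`, and `umount /dev/tmp/usb1` should be `umount /var/tmp/usb1` to match the mount point used two steps earlier. Also, "Open shell: `request session member <vc-member-id>`" describes connecting to another Virtual Chassis member's CLI rather than opening a shell; the shell (the CSH shell listed under CLI Modes) is entered with `start shell`. Minor: `no-validate` in the software add command skips the compatibility check, which deserves a sentence given that the next section covers what to do when the install fails.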

+ 2 - 1
config/network/linksys-lgs.md

@@ -8,7 +8,8 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-LGS326
+
+- LGS326
 
 **TODO**
 

+ 17 - 6
config/network/linux-router.md → config/network/linux.md

@@ -1,5 +1,5 @@
 ---
-title: Linux Router
+title: Linux Switching & Routing
 breadcrumbs:
 - title: Configuration
 - title: Network
@@ -8,7 +8,21 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-Debian 10 Buster
+
+- Debian 10 Buster
+
+### Foreword
+{:.no_toc}
+
+Using Linux servers as switches and routers may often be an inexpensive option and
+allows you to implement most network functionalities in one box.
+They may be virtualized to possibly reduce power usage and noise and take up no physical space.
+It is generally more unreliable than using enterprise routers and switches, though,
+and may require a good amount of time troubleshooting performance issues at times.
+The issues may not become apparent until tested live with tens to houndreds of clients,
+as a simple throughput test will not uncover bottlenecks related to large amounts of connections
+(which can be hard to test realistically in lab environments).
+Issues may also be related to stupid things like which ports you're using on the *same* NIC.
 
 ## Setup
 
@@ -27,13 +41,10 @@ Debian 10 Buster
 - (Optional) Setup a DNS server, like Unbound.
 - **TODO** Multicast routing.
 
-## Security
-
-See [Network Security: Routers](config/network/security#routers).
-
 ## Tuning
 
 - Disabling dynamic frequency and voltage scaling (Intel SpeedStep).
 - Disabling multithreading (Intel Hyper-Threading).
+- Make sure network interrupts are distributed across all cores.
 
 {% include footer.md %}
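Review bot: this hunk removes the Security section and with it the only link from this page to the routers part of the network security notes, without putting a replacement anywhere; a Linux box doing routing is exactly where that checklist is needed, so keep the pointer (or move it into the Setup list). The new tuning bullet about distributing network interrupts should also say how to check and fix it: look at `/proc/interrupts` for the NIC's queues all landing on one core, then use `irqbalance` or the per-IRQ `smp_affinity` files under `/proc/irq/` to spread them.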

+ 4 - 3
config/network/pfsense.md

@@ -8,7 +8,8 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-pfSense v2
+
+- pfSense v2
 
 ## Initial Setup
 
@@ -16,7 +17,7 @@ pfSense v2
 
 - Use ZFS for the root device.
 
-### Configuration
+### Initial Configuration
 
 1. Connect to the website and finish the wizard.
 2. Set upstream DNS and NTP servers.
@@ -30,7 +31,7 @@ pfSense v2
 10. Disable TCP segmentation offload (TSO) and large receive offload (LRO). Most hardware/drivers have issues with them.
 11. See [this page](https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html) for NIC-specific tuning.
 
-## Services
+## Configuration
 
 ### FreeRADIUS
 

+ 2 - 4
config/network/vyos.md → config/network/routing.md

@@ -1,14 +1,12 @@
 ---
-title: VyOS
+title: Routing
 breadcrumbs:
 - title: Configuration
 - title: Network
 ---
 {% include header.md %}
 
-### Using
-{:.no_toc}
-**TODO**
+Layer 3 stuff.
 
 **TODO**
 

+ 1 - 1
config/network/security.md

@@ -86,7 +86,7 @@ breadcrumbs:
 
 ## Intrusion Detection Systems (IDSes)
 
-## Extra Notes
+## Theory
 
 ### Firewalls and Intrusion Detection Systems (IDSes)
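Review bot: the `## Intrusion Detection Systems (IDSes)` heading directly above this hunk is still empty, and after the rename it sits next to a `## Theory` section whose first subsection is also about firewalls and IDSes; either give the empty section content or fold its heading into the Theory subsection so readers are not sent to a blank section.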
 

+ 24 - 8
config/network/misc.md → config/network/switching.md

@@ -1,20 +1,34 @@
 ---
-title: Miscellaneous Network Notes
+title: Switching
 breadcrumbs:
 - title: Configuration
 - title: Network
 ---
 {% include header.md %}
 
+Layer 2 stuff.
+
 ## Terms
 
 | Cisco IOS | Brocade ICX |
-| :--- | :--- |
-| Access port (VLAN) | Untagged port |
-| Trunk port (VLAN) | Tagged port |
+| - | - |
+| Access port | Untagged port |
+| Trunk port | Tagged port |
 | Native VLAN | Dual mode |
 
-## Spanning Tree
+## VLAN IDs
+
+Valid VID range (802.1Q): 1-4095
+
+Reserved:
+- 1: Default native VLAN.
+- 1002: FDDI default (Cisco).
+- 1003: Token ring default (Cisco).
+- 1004: FDDI-Net (Cisco).
+- 1005: TRNET (Cisco).
+- 4095: Implementation use.
+
+## Spanning Tree Protocol (STP)
 
 ### Variants
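Review bot: the VID range is wrong and contradicts the reserved list beneath it. 802.1Q VIDs are 12 bits, 0 to 4095, of which 0 (priority-tagged frame, no VLAN) and 4095 (reserved) cannot be assigned, so the usable range is 1-4094; the line should read `Valid VID range (802.1Q): 1-4094`, with 0 added to the reserved list. VLAN 1 is a vendor default rather than reserved by the standard, and since it is also the default native VLAN on trunks it is worth noting next to the Native VLAN/Dual mode row that the native VLAN should be moved off 1 and not carry user traffic.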
 
@@ -42,12 +56,14 @@ breadcrumbs:
 
 #### Cisco IOS
 
-- Disable VTP, it's dangerous if not used properly. It also doesn't carry MST configuration.
+- VTP can be very dangerous if not used properly and is enabled by default. It also doesn't carry MST configuration.
 - Rapid-PVST+ ignores UplinkFast and BackboneFast and supports UDLD.
 
-### Compatibility Between Switch Models
+### Inter-Model Compatibility Examples
+
+#### Example 1
 
-#### Alternative 1
+**TODO** I have not actually tested this properly.
 
 - Cisco IOS (Cat 3750G): `rapid-pvst`
 - Brocade (ICX 6610): `802.1w`
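Review bot: the VTP rewrite drops the actual recommendation. The old line told the reader to disable VTP; the new one only says it is dangerous and on by default, so the action is gone. Keep advice and reason together, e.g. `Disable VTP (transparent or off mode); it is enabled by default, and a switch joining the domain with a higher revision number can overwrite the VLAN database on every other switch.`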

+ 4 - 3
config/network/unifi.md

@@ -8,11 +8,12 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-AP, AP AC Lite, AP AC LR
 
-Controller v5
+- AP
+- AP AC Lite
+- AP AC LR
 
-## Access Points
+## General Configuration
 
 ### Wireless Uplink (Meshing)
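Review bot: `Controller v5` was removed rather than turned into a bullet like the AP models, so the page no longer says which controller version the notes apply to; if the procedures were written against v5, keep it in the Using list.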
 

+ 2 - 1
config/pc/applications.md

@@ -8,7 +8,7 @@ breadcrumbs:
 
 ## Fancontrol (Linux)
 
-**Warning:** Fancontrol is unreliable and should probably not be used. The fan controller IDs like to change on every reboot which breaks the config.
+**Warning:** Don't use this. The fan controller IDs may change on every reboot which breaks the config.
 
 ### Configure Sensors
 
@@ -137,6 +137,7 @@ GUI for configuring gaming mice.
 - HTML CSS Support (ecmel.vscode-html-css)
 
 ### Config
+
 - Location:
     - Linux: `~/.config/Code/User/settings.json`
     - Windows: `%APPDATA%\Code\User\settings.json`

+ 20 - 9
config/pc/kubuntu.md

@@ -8,7 +8,8 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-Kubuntu 19.10
+
+- Kubuntu 19.10
 
 ## Installation
 
@@ -20,20 +21,30 @@ Kubuntu 19.10
 1. Upgrade all packages.
 1. Make sure the correct graphics drivers are in use (e.g. the proprietary Nvidia driver).
 1. Install `vim` and change the default editor to vim by running `update-alternatives --config editor` and selecting `vim.basic`.
-2. Disable password for the sudo group by running `visudo` and changing the sudo group line to `%sudo ALL=(ALL:ALL) NOPASSWD: ALL`.
-3. Enable numlock on boot (search for it).
-4. Appearance:
+1. Disable password for the sudo group by running `visudo` and changing the sudo group line to `%sudo ALL=(ALL:ALL) NOPASSWD: ALL`.
+1. Enable numlock on boot (search for it).
+1. Appearance:
    1. Change to the dark theme.
-   2. Make all fonts 1 size smaller.
-5. Shortcuts:
+   1. Make all fonts 1 size smaller.
+1. Shortcuts:
    1. Disable web shortcuts.
-   2. Add a keyboard shortcut for Dolphin (e.g. `Meta+E`) by running `kmenuedit` and changing System, Dolphin.
-6. Setup panels for all screens. Only show tasks for the current screen.
-7. Setup an IPTables firewall:
+   1. Add a keyboard shortcut for Dolphin (e.g. `Meta+E`) by running `kmenuedit` and changing System, Dolphin.
+1. Setup panels for all screens. Only show tasks for the current screen.
+1. Setup an IPTables firewall:
     - Purge `ufw firewalld`.
     - Install `iptables iptables-persistent netfilter-persistent`.
     - Create and run an IPTables script, e.g. [iptables.sh](https://github.com/HON95/configs/blob/master/pc/linux/iptables/iptables.sh).
 1. Firefox:
     - Disable middle mouse paste by setting `middlemouse.paste=false` in `about:config`.
+1. Setup audio devices:
+    - In `/etc/pulse/daemon.conf`:
+        - Set: `default-sample-format = S24LE`
+        - Set: `default-sample-rate = 48000`
+        - Reload (as user): `pulseaudio -k`
+1. Install encrypted DVD support:
+    - Install: `sudo apt install libdvd-pkg && sudo dpkg-reconfigure libdvd-pkg`
+    - Warning: Don't change the region if not necessary. It's typically limited to five changes.
+1. Install [GameMode](https://github.com/FeralInteractive/gamemode):
+    - `sudo apt install gamemode`
 
 {% include footer.md %}
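Review bot: the renumbered `NOPASSWD: ALL` step is the one to think about in this hunk. It gives every member of `sudo` passwordless root, so anything running as the desktop user, a compromised browser or a script in a downloaded project, can become root without a prompt; if the convenience is wanted, scope it to a few commands (e.g. `%sudo ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt`) or at least state the trade-off next to the step. In the new audio step, `pulseaudio -k` kills the daemon rather than reloading it; it only comes back because autospawn restarts it, so say that, or use `systemctl --user restart pulseaudio`.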

+ 0 - 58
config/pc/linux.md

@@ -1,58 +0,0 @@
----
-title: Linux
-breadcrumbs:
-- title: Configuration
-- title: PC
----
-{% include header.md %}
-
-### Using
-{:.no_toc}
-Debian 10 Buster
-
-## Examples
-
-### Commands
-
-#### File Systems and Logical Volume Managers
-
-- Partition disk: `gdisk <dev>` (GPT) or `fdisk <dev>` (MBR)
-- Create filesystem: `mkfs.<fs> <dev>`
-- ZFS: See ZFS (**TODO**).
-
-#### Files
-
-- Find files:
-  - By UID: `find / -user <UID>`
-  - Without a user: `find / -nouser`
-  - With setuid permission bit: `find / -perm /4000`
-- Recursive search and replace: `find <dir> \( -type d -name .git -prune \) -o -type f -print0 | xargs -0 sed -i 's/123/456/g'`
-  - `-type d -name .git -prune` skips `.git` directories and can be excluded outside of git repos.
-
-#### Fun
-
-- Pretty colors: `something | lolcat`
-
-#### Installations and Packages
-
-- Find packages depending on the package: `apt rdepends --installed <package>`
-
-#### Performance and Power Efficiency
-
-- Set the CPU frequency scaling governor mode:
-    - High performance: `echo performance | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor`
-    - Power save: ` echo powersave | ...`
-- Monitor system and processes: `htop`
-- Monitor interrupt usage: `irqtop`
-
-#### Processes and Memory
-
-- Useful ps args: `ps ax o uid,user:12,pid,comm`
-
-### Tasks
-
-#### Burn Windows ISO
-
-1. Install the graphical application `woeusb` from `ppa:nilarimogard/webupd8`.
-
-{% include footer.md %}
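Review bot: this deletes the whole examples page, including the setuid and orphaned-file `find` one-liners that are useful for host hardening, and the commit message does not say where they went. The file list shows `config/linux-general/examples.md` being added, so this looks like a move; doing it as a rename would keep the history. If the setuid search survives the move, make it `find / -perm /6000` so setgid binaries are listed too, and reconsider sending readers to a third-party PPA (`ppa:nilarimogard/webupd8`) for woeusb.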

+ 3 - 2
config/pc/windows.md

@@ -8,12 +8,13 @@ breadcrumbs:
 
 ### Using
 {:.no_toc}
-Windows 10
+
+- Windows 10
 
 ## Installation
 
 - There's no need to provide a product/activation key. If the PC (motherboard?) has been activated before, it will automatically activate when starting the first time.
--  Use a local account. Link to a Microsoft account later if needed, but preferably only for Microsoft apps.
+- Use a local account. Link to a Microsoft account later if needed, but preferably only for Microsoft apps.
 - Say no to everything privacy related.
 
 ## Setup

+ 67 - 28
index.md

@@ -4,60 +4,99 @@ no_toc: true
 ---
 {% include header.md %}
 
-## Audio & Video
+Random collection of config notes and miscellaneous theory. Technically not a wiki.
 
-- [Basics](audio-video/audio/basics/)
+[haavard.tech](https://haavard.tech)
 
 ## Configuration
 
 ### General
 
-- [Notes](config/general/notes/)
+- [General Notes](config/general/general/)
+
+### IoT
+
+- [Raspberry Pi](config/iot/raspberry-pi/)
+
+### Linux General
+
+- [Linux General Notes](config/linux-general/general/)
+- [Linux Applications](config/linux-general/applications/)
+- [Linux Examples](config/linux-general/examples/)
 
 ### Linux Server
 
-- [Notes](config/linux-server/notes/)
-- [Miscellaneous](config/linux-server/misc/)
 - [Debian Server](config/linux-server/debian/)
 - [Proxmox VE](config/linux-server/proxmox-ve/)
-- [Applications](config/linux-server/applications/)
+- [Storage](config/linux-server/storage/)
+- [Linux Server Applications](config/linux-server/applications/)
 
-### PC
+### Machines
 
-- [Linux](config/pc/linux/)
-- [Kubuntu](config/pc/kubuntu/)
-- [Windows](config/pc/windows/)
-- [Applications](config/pc/applications/)
-
-### IoT
-
-- [Raspberry Pi](config/iot/raspberry-pi/)
+- [Dell OptiPlex](config/machines/dell-optiplex/)
+- [Dell PowerEdge](config/machines/dell-poweredge/)
+- [Laptops](config/machines/laptops/)
+- [Testing](config/machines/testing/)
 
 ### Network
 
-- [Miscellaneous](config/network/misc/)
+#### General
+
+- [Switching](config/network/switching/)
+- [WLAN](config/network/wlan/)
+- [Routing](config/network/routing/)
 - [Security](config/network/security/)
+- [Miscellaneous](config/network/misc/)
+
+#### Specific
+
 - [Brocade ICX Switches](config/network/brocade-icx/)
+- [Cisco IOS](config/network/cisco-ios/)
 - [Cisco IOS Routers](config/network/cisco-ios-routers/)
 - [Cisco IOS Switches](config/network/cisco-ios-switches/)
+- [Juniper Junos OS](config/network/juniper-junos/)
+- [Juniper EX Series Switches](config/network/juniper-ex/)
 - [Linksys LGS Switches](config/network/linksys-lgs/)
-- [Linux Router](config/network/linux-router/)
-- [Mikrotik Switches (SwOS)](config/network/mikrotik-swos/)
+- [Linux Switching & Routing](config/network/linux/)
 - [pfSense](config/network/pfsense/)
 - [UniFi](config/network/unifi/)
-- [VyOS](config/network/vyos/)
 
-### Hardware
+### PC
+
+- [Kubuntu](config/pc/kubuntu/)
+- [Windows](config/pc/windows/)
+- [PC Applications](config/pc/applications/)
+
+## Information Technology
+
+### Network
+
+- [Network Architecture](it/network/architecture/)
+- [IPv6](it/network/ipv6/)
+- [Switching](it/network/switching/)
+- [Wireless Basics](it/network/wireless-basics/)
+- [WLAN](it/network/wlan/)
+
+### Services
+
+- [Email](it/services/email/)
+
+## Media
+
+### Audio
+
+- [Audio Basics](media/audio/basics/)
+
+## Software Engineering
+
+### General
 
-- [Dell PowerEdge](config/hardware/dell-poweredge/)
-- [Dell OptiPlex](config/hardware/dell-optiplex/)
-- [Clevo](config/hardware/clevo/)
+- [Licenses](se/general/licenses/)
 
-### Hosting Providers
+### Languages
 
-- [Bluehost](config/hosting-providers/bluehost/)
-- [One.com](config/hosting-providers/one-com/)
-- [Terrahost](config/hosting-providers/terrahost/)
-- [Webhuset](config/hosting-providers/webhuset/)
+- [General](se/langs/general/)
+- [BASH](se/langs/bash/)
+- [Markdown](se/langs/markdown/)
 
 {% include footer.md %}
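Review bot: the new Network/General list links to `config/network/misc/`, but this same commit renames `config/network/misc.md` to `config/network/switching.md`, so that entry is a dead link; drop it (Switching is already listed). The other new entries (`config/network/wlan/`, `it/services/email/`, the `se/` pages) cannot be checked against this diff, so confirm the site build reports no missing pages.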

+ 58 - 0
it/network/architecture.md

@@ -0,0 +1,58 @@
+---
+title: Network Architecture
+breadcrumbs:
+- title: IT
+- title: Network
+---
+{% include header.md %}
+
+## Models
+
+### Single Layer
+
+- Switching, routing and firewalling is all done on the same layer, with clients directly connected.
+
+### Three-layer Hierarchical Model
+
+- Appripriate for large networks spanning multiple regions (e.g. multiple buildings).
+- Scales well.
+- Consists of three layers.
+- Access layer:
+    - L2 switches.
+    - Connected to clients.
+    - Typically one access-layer VLAN spans one or a few access switches.
+    - Should implement first-hop security.
+    - Connected upstream to distribution switches.
+- Distribution layer:
+    - L3 switches or routers.
+    - terminates access-layer VLANs.
+    - Implements features like filtering and QoS.
+    - May manage individual WAN connections.
+    - Connected upstream to core routers and ptionally interconnected with other distribution switches.
+- Core layer:
+    - Routers.
+    - Provides a backbone between distribution regions and toward external networks.
+    - Focuses entirely on high bandwidth, low latency, high reliability and high resilience.
+    - Avoids anything that may slow down traffic, like access lists, policy enforcement, etc.
+    - It's possible to connect multiple core routers and distribution switches by using a switch.
+
+### Collapsed Core
+
+- Similar to the three-layer hierarchical model, but with the core and distribution layers collapsed.
+- Appropriate for medium/small sites without multiples regions.
+
+### Collapsed Distribution
+
+- Similar to the three-layer hierarchical model, but with the distribution and access layers collapsed.
+- Generally not very useful.
+
+### Spine Leaf
+
+**TODO**
+
+## Notes
+
+- VXLAN or Q-in-Q may be used to span VLANs over different areas.
+- Oversubscription: Less uplink capacity than downlink capacity.
+
+{% include footer.md %}
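Review bot: typos: `Appripriate` (Appropriate), `terminates` should be capitalised like the other bullets, `ptionally` (optionally), `multiples regions` (multiple regions). The Single Layer model also says nothing about where first-hop security and filtering live when everything is on one device; since the three-layer model assigns those to specific layers, one sentence saying that in the flat model the single switch/router has to do all of it would make the comparison useful.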

+ 392 - 0
it/network/ipv6.md

@@ -0,0 +1,392 @@
+---
+title: IPv6 Theory
+breadcrumbs:
+- title: IT
+- title: Network
+---
+{% include header.md %}
+
+## Advantages over IPv4
+
+- Designed based on experience with the strengths and limitations of IPv4 and other protocols.
+- IPv4 is becoming obsolete.
+    - An investment in IPv4-only is an investment in EOL technology.
+    - Certain services may only be available over IPv6 in the future.
+    - IPv4 will be provided as a service in the future, making it less performant than native IPv6.
+    - Since you'll need it some day, it's better to get familiar with it early.
+    - While still needed for the full internet, internal networks may be IPv6-only.
+- Larger address space.
+    - Simpler and more structured address plans.
+    - All subnets are /64 regardless of the number of hosts/interfaces.
+    - Extra information can be embedded in the address.
+- No need for NAT.
+    - Restores end-to-end princible.
+    - Better peer-to-peer support.
+- Simpler design and operation.
+- Improved protocols like ICMPv6, NDP, MLD and DHCPv6.
+    - New features.
+    - Security features.
+- Native support for IPsec.
+- Stateless address autoconfiguration (SLAAC) reduces administrative overhead for simple networks.
+- Improved QoS.
+- Improved multicast.
+- Removed broadcast.
+- Interfaces can have multiple addresses.
+    - Link-local address.
+    - Addresses from multiple prefixes from different routers.
+    - Internal addresses in addition to global addresses.
+- More efficient routing due to better address aggregation.
+- More efficient packet processing:
+    - No fragmentation in routers.
+    - Streamlined fixed-length header with extension headers.
+    - No checksum.
+
+## Addressing
+
+- 128 bit addresses.
+- No broadcast.
+- Anycast.
+    - Shared unicast address.
+    - Subnet-router anycast address.
+- Multicast:
+    - Some scopes:
+        - 1: Interface-local.
+        - 2: Link-local.
+        - 5: Site-local.
+        - E: Global.
+    - Some well-known addresses:
+        - `ff02::1`: All nodes.
+        - `ff02::2`: All routers.
+        - `ff02:6a`: All snoopers.
+        - `ff02::1:ff00/24`: Solicited node.
+- Solicited-node multicast address.
+    - Solicited-node prefix plus last 64 bits of an IPv6 address.
+- Interface addresses:
+    - Addresses are assigned to interfaces, not hosts.
+    - Interfaces may have multiple addresses.
+    - All interfaces have a link-scoped address.
+- Permanent and temporary address types.
+- Address assignment:
+    - Static.
+    - Stateless address autoconfiguration (SLAAC).
+    - Stateless DHCP.
+    - Stateful DHCP.
+- SLAAC interface addresses:
+    - EUI-64 (permanent): Deterministically based on the MAC address.
+    - Privacy extensions (temporary): In addition to the permanent. Preferred for sending.
+- The unspecified address: `::`
+- The loopback address: `::1`
+- The first and last addresses in a subnet are not reserved and can be assigned to hosts, unlike IPv4.
+- Neighbor cache.
+    - States:
+        - Incomplete.
+        - Reachable.
+        - Stale.
+        - Delay.
+        - Probe.
+- Destination cache.
+- Address states:
+    - Tenative: Waits for DAD to finish.
+    - Preferred: Can be used.
+    - Deprecated: About to expire. Can be used for existing connections but not new ones.
+    - Valid: Preferred or deprecated.
+    - Invalid: Expired valid.
+    - Optimistic: Like tenative but for Optimistic DAD. Can be used.
+
+## Address Ranges
+
+|Prefix|Description|
+|-|-|
+|`::/32`|IPv4-compatible IPv6 address (deprecated)|
+|`::ffff/32`|IPv4-mapped IPv6 address|
+|`100::/64`|Discard-only|
+|`64:ff9b::/96`|IPv4-IPv6 translation|
+|`2000::/3`|Global unicast address (GUA)|
+|`2001::/32`|Teredo|
+|`2001:db8::/32`|Documentation (non-routable)|
+|`2002::/16`|6to4|
+|`fc00::/7`|Unique local address (ULA)|
+|`fd00::/8`|Locally administered ULA|
+|`fe80::/10`|Link-scoped unicast|
+|`ff00::/8`|Multicast|
+
+## Packet and Transit
+
+- Streamlined header.
+    - 40 bytes base.
+- Extension headers:
+    - Hop-by-hop options header.
+    - Routing header.
+    - Fragment header.
+    - Destination options header.
+    - Authentication header.
+    - Encapsulating security payload header.
+- No checksum.
+- Fragmentation.
+    - Routers don't fragment.
+    - Path MTU discovery.
+    - Not allowed for some NDP messages.
+    - The first fragment must contain all headers.
+
+## Protocols
+
+### Neighbor Discovery (ND)
+
+- Uses ICMPv6.
+- Link-layer address resolution.
+- Neighbor unreachability detection (NUD).
+- Duplicate IP address detection (DAD).
+    - Determines if the address is unique before it can be used.
+    - Opportunistic DAD allows using the address before DAD finishes.
+- Redirect.
+- Router advertisements.
+    - SLAAC.
+- Neighbor advertisements.
+- Uses a hop limit of 255 and received request with lower hop limits are ignored.
+- Suggests using IPsec for ND messages.
+- Identification of ND messages:
+    - All-zero to all-routers: SLAAC.
+    - All-zero to solicited-node: DAD.
+    - Unicast to solicited-node: Link-layer address resolution.
+    - Unicast to unicast: Unreachability detection.
+- Inverse neighbor discovery (IND).
+- Secure neighbor discovery (SEND):
+    - Router authentication.
+    - Cryptographically generated address (CGA).
+    - Some security options.
+- NDP is vulnerable to the same attacks as for ARP and DHCP.
+    - First hop security mechanisms for NDP include ICMP guard.
+    - IPsec and SEND may also prevent certain attacks.
+
+### Multicast Listener Discovery (MLD)
+
+- Uses ICMPv6.
+- For registration of multicast listeners within a subnet.
+- Handled by IGMP in IPv4.
+- Version 1:
+    - Based on IGMPv2.
+    - Any-source multicast (ASM).
+- Version 2:
+    - Based on IGMPv3.
+    - Source-specific multicast (SSM).
+- PIM can be used for routing.
+- MLD snooping can be used by switches.
+- Multicast router discovery (MRD):
+    - Based on MLD.
+    - For discovery of multicast routers.
+
+### Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
+
+- Relies on routing advertisements.
+- Stateless or stateful.
+- Reconfiguration message send by server to indicate changes (lacking in DHCPv4).
+- DHCP Unique Identifier (DUID).
+- Identity Association (IA).
+    - One per interface.
+    - Contains IPv6 addresses plus timers.
+- Clients must perform DAD after being allocated an address by the server.
+- Rapid commit option (only two messages).
+- Renew and rebind.
+- Prefix delegation with prefix exclusion.
+- IPsec can be used.
+- E.g. Android currently does not support DHCPv6, only SLAAC.
+    - To help with traceability, Netflow or periodic NDP cache scans with SNMP can be used.
+
+### Domain Name System (DNS)
+
+- A6 and AAAA type records.
+- Dual stack hosts need two entries.
+- IP6.ARPA. Originally IP6.INT.
+- Dual stack clients query for both a A and an AAAA record for each domain name to resolve.
+- The transport used is independent of the record type being queried for.
+- Native IPv6 is generally preferred over IPv4.
+- DNS whitelisting: Only respond with AAAA records to ISPs with good IPv6 performance.
+- Happy eyeballs:
+    - Clients will attempt to connect using both IPv4 and IPv6 and use the faster one.
+    - IPv6 is preferred.
+    - Different implementations exist.
+- Name space fragmentation:
+    - Every name server from the root (for a certain domain name) must be accessable by the resolver.
+    - IPv4 should always be supported.
+
+### Routing Protocols Summary
+
+- Using one shared instance VS two instances (ships in the night).
+- RIPng:
+    - Limited diameter.
+    - Long routing loop convergence (count to infinity).
+    - Too simple metric.
+- OSPFv3:
+    - Only for IPv6, IPv4 must still use OSPFv2.
+    - Differences from OSPFv2:
+        - Routes to links, not subnets.
+        - Uses link-local addresses for neighbors.
+        - Multiple instances per link.
+        - Removal of addressing semantics. IPv6 addresses are not present in OSPF headers.
+        - Flooding scope.
+        - Authentication.
+- IS-IS:
+    - Single instance for both IPv4 and IPv6.
+- EIGRP.
+- BGP-4:
+    - Uses implicit support for protocols other than IPv4 (multiprotocol NLRI).
+    - BGP-4 routers still require (local) IPv4 addresses because of the BGP identifier.
+
+## Transition Technologies
+
+- Dual-stack:
+    - The best option for clients.
+    - Requires running two separate protocol stacks, which may be extra operationally expensive.
+- Tunneling:
+    - Should use source address verification and ingress filtering.
+    - May bypass firewalls.
+    - Manual or automatic.
+    - Loopback encapsulation and routing-loop nested encapsulation. Partially avoided using the encapsulation limit option.
+- Translation:
+    - Stateless or stateful.
+    - May use the well-known prefix `64:ff9b::/96`.
+    - May need to (re)calculate checksums both at multiple layers.
+    - Differing features (e.g. fragmentation and extension headers) may break.
+    - While NAT44 is required in IPv4 to counteract address depletion, NAT66 is not recommended for IPv6.
+
+### Tunneling Mechanisms
+
+- 6to4:
+    - Deprecated.
+    - Only 6to4 routers/gateways need to be 6to4 aware.
+- IPv6 Rapid Deployment (6rd):
+    - Widely used.
+    - Based on 6to4.
+    - Uses the ISPs own IPv6 range for customers.
+    - Stateless.
+    - Changing the customer IPv4 address also changes the IPv6 prefix.
+- Intra-Site AUtomatic Tunnel Adressing Protocol (ISATAP):
+    - Must be supported by all nodes in the network.
+- Teredo:
+    - May traverse NAT.
+    - Vulnerable if not configured properly.
+    - Should generally be avoided.
+    - May be enabled by default on some OSes. Disable it if not explicitly needed.
+- Tunnel brokers:
+    - E.g. Hurricane Electrics and SixXS.
+    - Requires a public IPv4 address.
+- MPLS.
+- Locator ID Separation Protocol (LISP):
+    - General architecture not purely designed for IPv6 support.
+    - Separates IP addresses into two namespaces: Endpoint identifiers (EIDs) and routing locators (RLOCs).
+- Generic Routing Encapsulation (GRE):
+    - Manual.
+    - Can't traverse NAT.
+- Proto 41 forwarding:
+    - Allows nodes behind NAT to connect to tunnel servers on the internet.
+- SSH.
+
+### Tanslation Mechanisms
+
+- NAT44 (IPv4 only).
+- Carrier grade NAT (CGN) aka NAT444 (IPv4 only).
+- NAT464:
+    - IPv6-only between the customer edge and the privider network.
+    - Uses NAT46 and NAT64 at the two sides.
+- DS-lite:
+    - IPv6-only between customer edge and CGN.
+    - IPv4 traffic is tunneled, not translated.
+    - Uses a DS-Lite basic bridging broadband element (B4) within or directly connected to the CPE.
+    - Uses a DS-Lite address family translation router (AFTR) within the provider network.
+    - The B4 creates a tunnel to the AFTR.
+    - The AFTR also functions as a NAT44.
+    - There is a DHCPv6 option for DS-Lite.
+    - Uses the range `192.0.0.0/29`, where `192.0.0.1` is used by the AFTR and `192.0.0.2` is used by the B4.
+- Stateless NAT64:
+    - Appropriate for IPv4-only servers so they can be reached by IPv6 clients.
+    - Uses prefix `64:ff9b::/96` or a custom prefix.
+    - 1:1 mapping between IPv4 and IPv6 addresses.
+    - Sessions can be initiated from both sides.
+- Stateful NAT64 and DNS64:
+    - Appropriate for IPv6-only edge networks to connect to the IPv4 internet.
+    - Uses prefix `64:ff9b::/96` or a custom prefix.
+    - 1:N mapping between IPv4 and IPv6 addresses.
+    - Sessions can generally only be initiated from the IPv6 side.
+    - No changes are required in the IPv6 client in order to support it.
+    - If the DNS64 server does not find an AAAA record, it synthesizes a AAAA record within the NAT64 prefix.
+    - Limitations:
+        - All clients must be configured to use the the DNS64 server (e.g. through DHCP).
+        - Synthesized AAAA records break DNSSEC.
+        - Connections can't be initiated from the IPv4 side (like NAT masquerading).
+        - Some applications don't support IPv6 or may have IPv4 literals hardcoded.
+        - Users may attempt to enter IPv4 literals instead of using the DNS64 server.
+- XLAT464:
+    - Uses stateful translation in the core and statekess translaton at the edge.
+    - Uses a customer-side translator (CLAT) which translated between 1:1 private IPv4 addresses and global IPv6 addresses.
+    - Uses a provider-side translator (PLAT) which translates between N:1 global IPv6 addresses and global IPv4 addresses.
+    - The NAT64 prefix can be aquired by querying the configured DNS server for `ipv4only.arpa`.
+    - It does not support inbound IPv4 connections or peer-to-peer.
+    - Implemented in Android.
+- MAP.
+- NPTv6 (IPv6 only):
+    - Statelessly translated between two equal-length IPv6 prefixes.
+    - Provides address independence: The internal network does not need to be renumbered when the public/external IPv6 prefix changes.
+    - May be used for multihoming.
+    - Does not need to rewrite port numbers in packets, but may break e.g. IPssec.
+    - May require split DNS since the external and internal addresses differ.
+- NAT66 (IPv6 only):
+    - Like NAT44, including all its problems.
+    - Stateful.
+
+## Address Planning and Implementation
+
+- It should support both IPv4 and IPv6.
+- IPv6 should be native.
+- IPv4 may be provided through dual stack or as a service using translation or tunneling mechanisms.
+    - IPv4 may can be tunneled both over internal core networks and through the internet edge.
+    - If tunneling is appropriate, use 6rd, tunnel brokering or proto 41 forwarding, not ISATAP, 6to4 or Teredo. Prefer stateless.
+    - Try to avoid NAT.
+- For ISPs, native IPv6 with CGN for IPv4 is appropriate since IPv6 is proprotised and will offload IPv4.
+- Internal addresses:
+    - Should be IPv6-only.
+    - May use either GUAs or ULAs.
+    - Interfaces with ULAs which need internet access may:
+        - Be assigned a GUA in addition to the ULA.
+        - Use NPTv6 to translate the ULA prefix to a GUA prefix.
+    - NAT66 is not required for ULAs and should not be used.
+    - ULAs provide global address independence.
+    - ULAs without NPTv6 provide an extra layer of protection for systems that should not be accessible externally.
+- Sites should get a prefix long enough for multiple subnets.
+    - Typically around 48.
+    - Find out how much space you need before requesting it.
+    - If you didn't get enough, ask for more.
+- All subnets should be /64.
+    - Event point-to-point links.
+    - Does not focus on address conservation.
+    - Does not require any VLSM.
+    - Required by SLAAC and many other mechanisms and protocols.
+- Topology aggregation VS policy/service aggregation.
+- Suggested information to include in the prefix:
+    - Region.
+    - Location.
+    - Service type.
+    - Application.
+    - Subnet.
+    - VLAN ID (12 bits) (if the address plan is closely tied to the VLAN plan).
+- Use provisioning tools (IPAM).
+- Don't mirror the IPv4 address plan with all of its legacy problems.
+- Plan both for now and for the future.
+- Try to subnet on nibble boundaries since a nibble is one hex digit.
+- GUA VS ULA.
+- SLAAC VS DHCP.
+    - Android does not support SLAAC.
+    - DHCP provides more accountability.
+- Implement appropriate first-hop security mechanisms, such as ICMP guard and DHCPv6 guard.
+- Consider blocking certain multicast addresses, especially with site scope, to prevent attackers from identifying certain important resources on the network.
+- Deploy both perimeter and host-based firewalls.
+- Consider identity-based firewalls.
+- Implement IPv6 in existing IPv4-only networks step by step. Either in phase with equipment lifecycles or as part of a needed redesign.
+- Make sure Teredo is disabled on all clients not explicitly needing it.
+- GUAs should use the privacy option to prevent tracking. This includes ULAs using NPTv6.
+- PI space (provider independent) can be aquired to prevent network renumbering.
+- Consider multihoming:
+    - Redundancy and load balancing.
+    - Potentally lower costs if the ISPs offer different prices for different services.
+    - IPv6 supports native multihoming since interfaces can be assigned multiple prefixes from different routers.
+
+{% include footer.md %}
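Review bot: several technical errors to fix before the typos. The solicited-node address is the prefix `ff02::1:ff00:0/104` plus the low 24 bits of the unicast address, not `/24` and not the last 64 bits, and `ff02:6a` is missing a colon (`ff02::6a`). In the ranges table the IPv4-compatible and IPv4-mapped prefixes are `::/96` and `::ffff:0:0/96`, not `/32`. "The first and last addresses in a subnet are not reserved" contradicts the subnet-router anycast bullet above it: the all-zeros interface ID is that anycast address. "Opportunistic DAD" should be Optimistic DAD, as the address-states list already calls it. The SLAAC vs DHCP bullet says "Android does not support SLAAC", the reverse of the DHCPv6 section (Android supports SLAAC and not DHCPv6). "ICMP guard" in both places should be RA Guard (with ND inspection), which is what the first-hop security feature is called, and "Native support for IPsec" overstates it: IPsec support is recommended, not mandatory, for IPv6 nodes. Typos: princible, Tenative (twice), accessable, Tanslation, AUtomatic Tunnel Adressing, Hurricane Electrics, privider, statekess translaton, "translated between" (translates), aquired (twice), IPssec, "may can be tunneled", proprotised, "Event point-to-point", Potentally, "Reconfiguration message send" (sent), and "Relies on routing advertisements" should be router advertisements.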

+ 55 - 0
it/network/switching.md

@@ -0,0 +1,55 @@
+---
+title: Switching Theory
+breadcrumbs:
+- title: IT
+- title: Network
+---
+{% include header.md %}
+
+## Switching Modes (Ethernet)
+
+- Store and forward switching:
+    - Receive the whole packet befoe forwarding it.
+    - Checks integrity.
+    - Adds delay.
+- Cut-through switching:
+    - Start forwarding as soon as the destination address has been inspected.
+    - Forwards bad packets.
+    - Recuces delay.
+- Fragment-free switching:
+    - Like cut-through switching, but reads at least 64 bytes before forwarding.
+    - Prevent forwarding runt frames, which are less than 64 bytes (the minimum frame length).
+
+## Virtual LAN (VLAN)
+
+### Q-in-Q
+
+- IEEE 802.1ad/802.1Q.
+- For tunneling VLANs using multiple layers of 802.1Q headers.
+
+### Virtual Extensible LAN (VXLAN)
+
+- RFC 7348.
+- For tunneling VLANs using a UDP overlay network (defauylt port 4789).
+- VXLAN network identifiers (VNIs) (24-bit) identify bridge domains.
+- VXLAN tunnel endpoints (VTEPs) encapsulate/decapsulate the traffic.
+- VTEPs may be either on hosts or on switches/routers as gateways.
+- BUM handling using multicast:
+    - Requires multicast-enabled infrastructure.
+    - VNI are mapped to multicast groups (N:1).
+    - VTEPs joins the groups for its VNIs using IGMP.
+    - BUM traffic is only sent to the relevant groups.
+- BUM handlign using head end replication:
+    - Requires BGP EVPN.
+    - Doesn't scale as well as when using multicast.
+    - BUM traffic is replicated and sent as unicast to each VTEP that supports the VNI.
+- Consider using jumbo frames to avoid fragmentation.
+
+## Miscellaneous
+
+- Broadcast, unknown-unicast and multicast traffic (BUM traffic):
+    - Generally flooded.
+    - Doesn't scale well, which is the primary element of how well L2 domains scale.
+    - Throttling and port security helps prevent traffic storms.
+
+{% include footer.md %}
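Review bot: the VXLAN section lists the transport (UDP 4789) and the VTEP roles but never says that VXLAN carries no authentication or encryption, so any host that can reach a VTEP's UDP port can inject frames into whichever VNI it guesses; add a bullet to restrict VXLAN to the underlay with ACLs on the VTEP addresses, or run it over IPsec/MACsec where the underlay is not trusted. `Requires BGP EVPN` under head end replication is stronger than needed: ingress replication also works with statically configured VTEP lists on most platforms, EVPN only automates VTEP discovery. `Doesn't scale well, which is the primary element of how well L2 domains scale` is circular; say that flooding cost grows with the number of ports in the broadcast domain, which is what limits L2 domain size. Typos: `befoe`, `Recuces`, `defauylt`, `handlign`.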

+ 2 - 6
config/network/mikrotik-swos.md → it/network/wireless-basics.md

@@ -1,15 +1,11 @@
 ---
-title: Mikrotik Switches (SwOS)
+title: Wireless Basics
 breadcrumbs:
-- title: Configuration
+- title: IT
 - title: Network
 ---
 {% include header.md %}
 
-### Using
-{:.no_toc}
-CSS326-24G-2S+RM
-
 **TODO**
 
 {% include footer.md %}
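Review bot: this hunk turns `config/network/mikrotik-swos.md` into `it/network/wireless-basics.md` by rewriting only the front matter, so git records an unrelated TODO page as a rename of the SwOS page and the `CSS326-24G-2S+RM` model reference disappears without replacement. Add `wireless-basics.md` as a new file and either keep or explicitly delete the Mikrotik page; the resulting `**TODO**` stub also overlaps in scope with the new `it/network/wlan.md` added later in this commit, so consider whether both pages are needed.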

+ 43 - 0
it/network/wlan.md

@@ -0,0 +1,43 @@
+---
+title: WLAN Theory
+breadcrumbs:
+- title: IT
+- title: Network
+---
+{% include header.md %}
+
+## Specifications
+
+### Wi-Fi
+
+|Standard|Name|Frequency (GHz)|Bandwidth|Modulation|
+|-|-|-|-|-|
+|802.11b||2.4|22|DSSS|
+|802.11a||5|5/10/20|OFDM|
+|802.11g||2.4|5/10/20|OFDM|
+|802.11n|Wi-Fi 4|2.4 + 5|20/40|MIMO-OFDM|
+|802.11ac|Wi-Fi 5|5|20/40/80/160|MIMO-OFDM|
+|802.11ax|Wi-Fi 6|1-6 (ISM)|20/40/80/80+80|MIMO-OFDM|
+
+### Not Wi-Fi
+
+|Standard|Name|Bands (GHz)|Bandwidth (MHz)|Modulation|
+|-|-|-|-|-|
+|802.11||2.4|22|DSSS/FHSS|
+|802.11ad|WiGig (gen 1)|60|2,160|OFDM|
+
+## Planning & Implementation
+
+- Always perform a survey before to identify internal and external existing WLANs and RF interference.
+- Windows may block relevant frequencies.
+- Don't set stations' transmit power too high.
+    - Other associated stations' max transmit power may be much lower, causing asymmetric connections. They may still roam to them from a more appropriate BSS, though, since the problem is not apparent until after associated.
+    - It increases interference with other stations may contribute to the hidden and exposed node problems.
+    - It may overheat the device.
+    - It may violate regulations.
+- Disable legcy protocols (such as 802.11 a, b and g). Legacy devices take up too much time when accessing the medium.
+- Move as many devices as possible to the 5GHz band. Try to reserve the 2.4GHz band for legacy/simple and distant devices.
+- The 2.4GHz (ISM) band is more susceptible to interference since the frequency is used by e.g. Bluetooth and microwave ovens.
+- Changes in the physical environment may cause changes in the WLAN coverage.
+
+{% include footer.md %}
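Review bot: the 802.11ax row gives `1-6 (ISM)` as the frequency, which is wrong: 802.11ax operates in the 2.4 and 5 GHz bands (plus 6 GHz with Wi-Fi 6E), and of those only 2.4 GHz is an ISM band; the same row also omits the 160 MHz channel width the 802.11ac row lists. The `Bandwidth` header of the Wi-Fi table lacks the `(MHz)` unit the Not Wi-Fi table has. `Windows may block relevant frequencies` is ambiguous because capitalised it reads as the operating system; if glass windows with metallic low-E coatings are meant, say so. `Disable legcy protocols (such as 802.11 a, b and g)` should name what is actually configured: the 802.11b DSSS rates (1/2/5.5/11 Mbps) can be removed outright, but the 802.11a/g OFDM rates remain the basic rates used for management frames on 802.11n/ac/ax networks, so the realistic knob there is raising the minimum basic rate. Also fix `legcy` and the run-on `It increases interference with other stations may contribute to...` (missing `and`).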

+ 88 - 0
it/services/email.md

@@ -0,0 +1,88 @@
+---
+title: Email Theory
+breadcrumbs:
+- title: IT
+- title: Services
+---
+{% include header.md %}
+
+## Terminology
+
+- Mail user agent (MUA): Client app for sending messages to an MSA and retrieving messages from an MDA.
+- Mail submission agent (MSA): Server for receiving messages from a MUA and handing them over to an MTA.
+- Mail delivery agent (MDA): Server for receiving messages from MTAs and storing them until a MUA retrieves them.
+- Mail transfer agent (MTA): Server for transferring messages from MSAs to MDAs.
+- (Extended) Simple Mail Transfer Protocol (SMTP/ESMTP): Protocol for sending messages.
+- Post Office Protocol v3 (POP3) and Internet Message Access Protocol (IMAP): Protocols for retrieving messages.
+- Multipurpose Internet Mail Extensions (MIME): Encoding for message contents.
+
+## Common Mailbox Names
+
+Based on [RFC 2142](https://tools.ietf.org/html/rfc2142).
+Does not include useless ones.
+
+- `abuse`: Inappropriate public behavior.
+- `noc`: Network infrastructure operations.
+- `security`: Security incidents and info.
+- `support`: General customer service.
+- `postmaster`: SMTP.
+- `hostmaster`: DNS.
+- `webmaster`: HTTP.
+- `info`: Marketing and info.
+- `marketing`: Marketing.
+- `sales`: Sales.
+
+## Security
+
+- Transport Layer Security (TLS):
+    - For encrypting the transport.
+    - Explicit or using Opportunistic TLS (STARTTLS).
+- STARTTLS:
+    - Opportunistic TLS: Upgrades a non-encrypted connection to en encrypted one if possible.
+    - Weak to the STRIPTLS attack via a MITM attack when not using DANE.
+    - DANE (a part of DNSSEC) allows setting a DNS TLSA record which tells the clients to require TLS.
+- Sender Policy Framework (SPF):
+    - Specifies which IP addresses are allowed to send messages from the the `MAIL FROM` domain.
+    - The record is distrubuted using a DNS TXT record with the same domain name.
+    - Helps prevent email spoofing when used with DMARC.
+    - Don't specify or include more than 10 IP addresses as only 10 will be used.
+    - When used with DMARC, the signing domain for one of the signatures must match the `From:` domain according to the DMARC alignment mode.
+    - Example TXT record: `v=spf1 mx include:example.net ~all`
+        - `mx`: Allow sending from MX records for the same domain.
+        - `include:example.net`: Include SFP records from the specified domain.
+        - `~all`: `all` matches other IP addresses. `~` marks them as SOFTFAIL, `-` marks them as FAIL.
+- DomainKeys Identified Mail (DKIM):
+    - Digitally signs messages using a key specified by a signing domain and a selector.
+    - Must be supported by the sender.
+    - Helps prevent email spoofing when used with DMARC.
+    - There may be several DKIM signatures for a message.
+    - The signing domain need not be the same as the `From:` domain.
+    - The public key is distributed as a DNS TXT record for the subdomain `<selector>._domainkey.<domain>`.
+    - The sender decides which parts of the message is signed, typically the body and some default headers.
+    - When used with DMARC, the `MAIL FROM` domain must match the `From:` domain according to the SPF alignment mode.
+    - Example TXT record: `k=rsa; p=<pubkey>`
+- Domain-based Message Authentication, Reporting and Conformance (DMARC):
+    - Tells the receiver how it should handle SPF and DKIM.
+    - The record is distributed using a DNS TXT record using the `_dmarc` subdomain directly below the `From:` domain.
+    - The alignment mode specifies how the `From:` domain must match the domain name from DKIM and SPF individually.
+        - Strict: They must match exactly.
+        - Relaxed: The Organizational Domains for both domains must match.
+    - Example TXT record: `v=DMARC1; adkim=r; aspf=r; p=quarantine; sp=quarantine; pct=100; rua=mailto:dmarcreports@example.com;`
+        - `p`: Policy for the domain.
+        - `sp`: Policy for subdomains. Defaults to `p`.
+        - `pct`: Percent of bad messages to apply the policy to. Defaults to 100.
+        - `rua`: Email address to send aggregate reports to. Optional.
+        - `adkim` and `aspf`: Alignment mode for DKIM and SPF. Defaults to relaxed.
+- Secure/MIME (S/MIME):
+    - End-to-end encryption and signing of MIME data.
+    - Based on certificate authorities.
+    - The message may contain multiple MIME parts which may be encrypted/signed individually.
+    - Currently vulnerable to the EFAIL attack and should generally not be used until fixed.
+- Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG):
+    - Both PGP and GPG Follow the OpenPGP standard.
+    - End-to-end encryption and signing of email messages and other media.
+    - Based on web of trust (with public keys bound to a username or an email address),
+      but supports CAs as well.
+    - Currently vulnerable to the EFAIL attack (when used with email messages) and should generally not be used until fixed.
+
+{% include footer.md %}
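Review bot: the alignment bullets are swapped between the SPF and DKIM sections: `When used with DMARC, the signing domain for one of the signatures must match the From: domain according to the DMARC alignment mode` describes DKIM alignment but sits under SPF, while `the MAIL FROM domain must match the From: domain according to the SPF alignment mode` describes SPF alignment but sits under DKIM; move each to the other section. `Don't specify or include more than 10 IP addresses as only 10 will be used` is also wrong: the RFC 7208 limit is 10 DNS-querying terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) per evaluation, `ip4`/`ip6` entries do not count, and exceeding it yields PermError rather than a truncated list. Smaller points: DANE is not `a part of DNSSEC` but a separate mechanism (RFC 7672 for SMTP) that depends on DNSSEC-signed TLSA records, and MTA-STS is the alternative for domains without DNSSEC; `Explicit or using Opportunistic TLS (STARTTLS)` should distinguish implicit TLS on a dedicated port (SMTPS/IMAPS, RFC 8314) from STARTTLS; the DKIM record example should begin with `v=DKIM1;`; and the two `Currently vulnerable to the EFAIL attack` bullets overstate it, since EFAIL is a mail-client problem (rendering remote content from decrypted MIME parts, and OpenPGP implementations not enforcing the MDC) that patched clients mitigate, so the advice should be to use fixed clients and block remote content rather than to avoid S/MIME and PGP entirely. Typos: `en encrypted`, `distrubuted`, `SFP records`, `Follow` capitalised mid-sentence.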

+ 0 - 2
audio-video/audio/basics.md → media/audio/basics.md

@@ -6,8 +6,6 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-## Notes
-
 - Bands:
   - Lows (ca. 20Hz-100Hz)
   - Low midrange (ca. 100Hz-1kHz)
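Review bot: the list in this file keeps two-space indentation (`  - Lows (ca. 20Hz-100Hz)`) while the `se/langs/markdown.md` page added in this same commit prescribes `Indent with four spaces`; since the hunk already touches this file, bring the indentation in line or note the exception. Dropping the lone `## Notes` heading is fine because nothing else on the page was sectioned.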

+ 52 - 0
se/general/licenses.md

@@ -0,0 +1,52 @@
+---
+title: Licenses
+breadcrumbs:
+- title: Software Engineering
+- title: General
+---
+{% include header.md %}
+
+## Resources
+
+- [Various Licenses and Comments about Them (GNU Project)](https://www.gnu.org/licenses/license-list.en.html)
+- [How are the various GNU licenses compatible with each other? (GNU Project)](https://www.gnu.org/licenses/gpl-faq.html#AllCompatibility)
+
+## Definitions
+
+- Free software: The software is free to be used, distributed and modified. "Free" as in "free speech," not as in "free beer".
+  (See the four essential freedoms of free software.)
+- Open source software (OSS): The source code is openly shared.
+- Free and open source software (FOSS): Both free and open source, since the two differ in philosophy.
+- Proprietary software: The software is under copyright licensing. The source code is typically not shared.
+- Copyleft license: The work may be freely modified and distributed as long as the derivative works preserve the same rights.
+  Permissive licenses, however, do not put any restrictions on derivative works.
+  In other words, permissive works may be used in proprietary works while copyleft works may not.
+- License compatibility: Licenses are said to be compatible if they can both be applied to a work without conflict.
+  In other words, it must be possible to satisfy both/all the licenses.
+
+## Notes
+
+- Using a library in an application generally means creating a derivative work of the library.
+    - LGPL does not consider dynamic linking as creating a derivative work.
+- "Using" a library applies to running code.
+  The source code may be licensed e.g. under a compatible license like MIT and using e.g. a GPL library
+  and then become subject to the GPL restrictions only after the application is built.
+  This means that build options may cause different licenses to apply based on which libraries/components it uses.
+- Re-licensing a work requires permission from all code owners.
+  Contributed code is typically owned by whoever contributed that code.
+- In some circumstances, multiple programs/libraries may be used by the same system/program without requiring them to be compatible.
+  E.g. multiple applications installed in the same system or multiple modules used at the same time (generally).
+- MIT projects can not use any GPL libraries.
+- GPLv2 and GPLv3 compatibility:
+    - GPLv3 programs may *not* use GPLv2-only libraries.
+    - GPLv2-only programs may *not* use GPLv3 libraries.
+    - GPLv2-or-later programs may use GPLv2 libraries, resulting in a GPLv2 program.
+    - GPLv2-or-later programs may use GPLv3 libraries, resulting in a GPLv3 program.
+    - GPLv2-or-later programs may use GPLv2-or-later libraries, resulting in a GPLv2-or-later program.
+    - GPLv3 programs may use GPLv2-or-later libraries, resulting in a GPLv3 program.
+    - Mixing GPLv2-only and GPLv3 libraries is not possible.
+- GPLv3 is compatible with more licenses than GPLv2.
+- Exceptions can be made to the standard licenses, for instance to modify how the license affects derivative works.
+  The work must still adhere to other imposed licenses, though.
+
+{% include footer.md %}
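Review bot: `MIT projects can not use any GPL libraries` contradicts the earlier note that MIT-licensed source may use a GPL library and become subject to the GPL only when built: MIT is GPL-compatible, so the project can use the library, and the consequence is that the combined work must be distributed under the GPL, which only matters if that is unacceptable for the project. `LGPL does not consider dynamic linking as creating a derivative work` is not what the licence says either; the LGPL treats the combined work as covered and grants permission to link on condition that the user can relink against a modified library and receives the LGPL notices, so phrase it as a permission with conditions. `Proprietary software: The software is under copyright licensing` does not distinguish it from free software, which is also copyrighted; the distinguishing point is that the licence withholds the four freedoms. `Re-licensing a work requires permission from all code owners` is correct and worth extending with the CLA/copyright-assignment case, since that is what makes re-licensing feasible for projects with many contributors.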

+ 17 - 0
se/langs/bash.md

@@ -0,0 +1,17 @@
+---
+title: BASH
+breadcrumbs:
+- title: Software Engineering
+- title: Languages
+---
+{% include header.md %}
+
+- Options:
+    - Example fo scripts: `set -euf -o pipefail`
+    - `-e` (errexit): Exit script on command error, except in ultil loops, while loops, if-tests, list constructs, etc.
+    - `-u` (nounset): Treat references to unset variables as an error and exit.
+    - `-f` (noglob): Disable globbing (filename expansion).
+    - `-o pipefail`: Cause pipelines to return the exit status of the last command in the pipe that returned a non-zero return value.
+    - Most options have `+` and `-` variants which do the opposite thing.
+
+{% include footer.md %}
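Review bot: the `-e` bullet misspells `until` (`ultil`) and `fo` should be `of`, and both `-e` and `-u` need their standard caveats since the page recommends them for every script: `-e` is ignored inside command substitutions and in any command that is part of an `&&`/`||` list or an `if` condition, so failures there still need explicit checks, and `-u` turns `$1` into a fatal error when no argument is passed, so optional arguments must be read as `${1:-}`. `-f` deserves its security motivation: with globbing off, an unquoted variable holding `*` or `?` no longer expands to filenames, which closes one injection path, although quoting every expansion gives the same protection without disabling intended globs. The GNU project spells the name `Bash`, not `BASH`.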

+ 15 - 0
se/langs/general.md

@@ -0,0 +1,15 @@
+---
+title: General
+breadcrumbs:
+- title: Software Engineering
+- title: Languages
+---
+{% include header.md %}
+
+## Formatting
+
+- Always end text files with a new-line.
+- Always use UTF-8.
+- Always use LF for line breaks.
+
+{% include footer.md %}
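Review bot: `Always use UTF-8` should say UTF-8 without a byte order mark, since a BOM breaks shebang lines and many parsers, and `Always use LF` needs an exception for formats that require CRLF (Windows batch and `.reg` files, and protocol fixtures for HTTP or SMTP). As these are repository rules, say how they are enforced (`.editorconfig`, and a `.gitattributes` line such as `* text=auto eol=lf`), otherwise Windows checkouts reintroduce CRLF on the next commit.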

+ 19 - 0
se/langs/markdown.md

@@ -0,0 +1,19 @@
+---
+title: Markdown
+breadcrumbs:
+- title: Software Engineering
+- title: Languages
+---
+{% include header.md %}
+
+## Formatting & Some Mechanics
+
+- Add empty lines around headings, parapraphs, lists, etc., except for the very start of the file.
+- Lists:
+    - For unordered lists, use `-`, not `*`.
+    - For ordered lists, use `1.`, never `2.` etc.
+    - Lines directly following a list item, indented or not, are interpreted as continuations of the previous line (mechanic).
+    - Indented lines following a list item with a new-line in-between are interpreted as new lines within the item (mechanic).
+    - Indent with four spaces.
+
+{% include footer.md %}
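Review bot: `parapraphs` should be `paragraphs`. The two `(mechanic)` bullets describe lazy continuation and loose list items but only for paragraph text: a heading or fenced code block placed directly after a list item without indentation ends the list rather than continuing it, and a code block inside an item must be indented to the item's content column, which is worth stating since the page fixes that column at four spaces. `For ordered lists, use 1., never 2. etc.` reads more clearly as a convention (`number every item 1.; the renderer counts`), so that it is not mistaken for a Markdown rule.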