Stan's blog Thanks for stopping by.
Posts with the tag Sysadmin:

Ansible 2.8 + snapcraft: my first big FOSS contribution!

About a year ago, I started to manage my laptop via Ansible (as much as I could, at least). I had some software installed via snapcraft, a new package manager from Canonical.

There was no Ansible module for snaps at the time, which was pretty surprising considering snapcraft has been getting quite some traction in the past few years. I assume it’s mostly used on desktops, and Ansible is mostly used on servers, hence the missing module.

Elasticsearch 6 shard/replica settings for single-node cluster

I have trouble finding this every time I need it, so I figured I'd make a post out of it.

Single-node Elasticsearch clusters make sense for non-critical data when money has to be saved, or testing/dev.

By default, ES will create multiple shards for each index, with at least one replica. However, on one node the shards will never get replicated, so the cluster health will always be yellow.

To fix that, you need to create a template that will match all future indexes and set those settings. Ideally you'll want to do that before indexing anything.

How I did (not) recover from a data loss (featuring ZFS, LXD and PostgreSQL)

As some may know, I'm running a Mastodon instance. It's quite a big instance with about 1000 weekly active users and 13k local accounts in total.

My current setup is a Hetzner Cloud CX41 VM running LXC containers with LXD. They are stored on a dedicated zpool on a separate partition of the disk. In this case, I have a dedicated container for the PostgreSQL server.

I was quite surprised when I looked at the state of my zpool last week:

Quick and easy Ansible linting CI pipeline

Recently, I have been publishing some Ansible roles on GitHub, so I have been thinking about what kind of CI to set up.

The most famous tool for this task is Molecule (that’s what we use at work). It can run entire test playbooks to make sure they work exactly as expected.

I really don't have the time to do that, and my roles are not critical for production, so I settled for a simple linting pipeline. I am using the also well-known ansible-lint, which will validate the YAML files and enforce Ansible best practices.

How to set up a VPN server using WireGuard (with NAT and IPv6)

WireGuard is a fast and modern VPN protocol.

It is a point-to-point VPN, which means it does not have a client-server architecture, but peers, and does not rely on a PKI, unlike OpenVPN. It is super simple to set up to connect multiple machines together.

WireGuard supports roaming, which means you can switch between network connections and not have to reconnect to your peers. On servers, it's rarely useful, but when one of the peers is a mobile client like a laptop or a smartphone, it's a life saver, because the usage of WireGuard is completely transparent.

How to configure IPv6 on FreeBSD on an Online.net Dedibox

Despite Online.net supporting FreeBSD, they don’t mention it at all in their IPv6 wiki page.

After a bit of research, I found two posts about that.

The first one uses WIDE DHCPv6 (also known as KAME DHCPv6, dhcp6c or dhcp6).

Since this is the only functioning tutorial I found, I will write here the steps I took to get IPv6:

  1. Enable IPv6 on the console and get your DUID.
  2. Enable IPv6 on the NIC:
ifconfig igb0 inet6 -ifdisabled accept_rtadv up
  3. Transform the DUID into a binary file (needed for dhcp6c):
echo <DUID> | awk '{ gsub(":"," "); printf "0: 0a 00 %s\n", $0 }' | xxd -r > /var/db/dhcp6c_duid
  4. Add this in /usr/local/etc/dhcp6c.conf:
id-assoc pd {
        prefix-interface igb0 {
        };
};

id-assoc na {
};

interface igb0 {
    send ia-pd 0;
    send ia-na 0;
};
  5. Now run dhcp6c manually on the same NIC (igb0 here), or start the service:
dhcp6c -Df -c /usr/local/etc/dhcp6c.conf igb0

# or

service dhcp6c restart
  6. You should have your public IPv6 /128 now (2001:bc8:...):
ifconfig igb0
root@fdb:~ # ping6 -c 3 angristan.xyz
PING6(56=40+8+8 bytes) 2001:bc8:xxx::1 --> 2a01:4f8:1c1c:2cc3::bad:c0de
16 bytes from 2a01:4f8:1c1c:2cc3::bad:c0de, icmp_seq=0 hlim=55 time=21.645 ms
16 bytes from 2a01:4f8:1c1c:2cc3::bad:c0de, icmp_seq=1 hlim=55 time=22.948 ms
16 bytes from 2a01:4f8:1c1c:2cc3::bad:c0de, icmp_seq=2 hlim=55 time=21.708 ms

--- angristan.xyz ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 21.645/22.100/22.948/0.600 ms
  7. Automate all of this at boot time by adding this to /etc/rc.conf:
ifconfig_igb0_ipv6="inet6 -ifdisabled accept_rtadv up"
dhcp6c_enable="YES"
dhcp6c_interfaces="igb0"
rtsold_enable="YES"

Done!

How to set a static IPv4 address on a Raspberry Pi using dhcpd

Here's a quick tip that also applies to any Linux machine using dhcpd.

Every now and then my Raspberry Pi or my router can reboot, and I'm not certain that my Pi will get the same IP address from the DHCP server.

Sure, I could fix it on the DHCP server using the Pi’s MAC address, but if you’re a lazy bum like me you can tell dhcpd to request a specific IPv4 address.

How to manually install FreeBSD on a remote server (with UFS, ZFS, encryption...)

I recently got a Dedibox from Online.net in order to move my Nextcloud instance over (need that storage!).

Since I'm really interested in FreeBSD these days, I decided to use it on this new server along with ZFS.

FreeBSD 12.0-RELEASE only came out a few days ago, so there is no installation option available on the online.net console yet. However, FreeBSD 11.1-RELEASE is available. The thing is, it only allows using UFS. I don't like proprietary installers anyway, so I decided that I'd install FreeBSD manually on this box. Plus, it really feels great being in total control of my machine, in the sense that I know how it is set up.

How to use encrypted block storage volumes on Hetzner Cloud

Hetzner recently introduced Block Volumes for their cloud product. It's a very useful feature that allows adding tons of fast and redundant storage to VMs.

I wanted to move my Nextcloud over Hetzner Cloud for quite some time now, but was unable to do so because of the available storage. Now I can!

Since my Nextcloud contains sensitive and personal data, I don't really want my files to be written on a public Ceph storage cluster… Fortunately, I can encrypt my volume very easily thanks to cryptsetup. In this tutorial, I will show you how.

How to measure a Raspberry Pi's temperature and CPU frequency with Telegraf

After 3 years of service, my Raspberry Pi’s filesystem finally got corrupted. I expected it to crash earlier, but it lasted for quite a while!

Even though I had backups, I still had to reinstall it from scratch. I was using Munin to monitor my Raspberry Pi, and I think it's a good solution for this kind of device because it's lightweight and performs very little I/O.

Anyway, I decided to upgrade my monitoring stack, as on the rest of my infrastructure, with the Telegraf - InfluxDB - Grafana (TIG) stack. I used a USB key (🤷🏻‍♂️) as the storage for InfluxDB. We'll see how it runs in the long term!