Sea of Fate - User contributions [en]

Pfsense

2025-07-13T15:38:56Z

Sailor: /* VPNnet and Terminals */

==Introduction==

Pfsense on Pear is designed to keep the virtual networks separate from the physical NIC. It is has an interface on each of the virtual networks and the WAN interface on the same network as the physical NIC. The install does not have any plugins.

==Interfaces==

There several LAN networks including Production, Infra, VPNnet and terminals for the virtual machines to use. There is also another LAN called mgt that is reserved for management.

===Production===

The production network is reserved for the main production VMs, mainly Webhosts and hosts that support them. Juniper has also been moved to production as it will be hosting jellyfin and n8n.

===Infra===

Infra or infrastructure is used for the LAN services such as the nameserver and the monitoring hosts.

===VPNnet and Terminals===

The VPN servers are on VPMnet and the desktops are on Terminals. The desktops will probably be moved to production but the two VPN servers (Wireguard and Openvpn) will stay where they are as they need to be kept separate for security reasons.

===MGT===

This management network is highly restricted and reserved purely to do management functions, particularly for the management of the web GUI of pfsense which means that it is not possible to manage Pfsense from any remote computer, all Pfsense management must be done from the console while logged on to Pear. Also any other management should be done from the mgt network. To make this possible the VM host Lemon has been created with firefox and passwordless ssh to most relevant hosts. Keepass has also been installed to keep track of all passwords used on Pear.

Pfsense

2025-07-13T15:27:20Z

Sailor: /* production */

==Introduction==

Pfsense on Pear is designed to keep the virtual networks separate from the physical NIC. It is has an interface on each of the virtual networks and the WAN interface on the same network as the physical NIC. The install does not have any plugins.

==Interfaces==

There several LAN networks including Production, Infra, VPNnet and terminals for the virtual machines to use. There is also another LAN called mgt that is reserved for management.

===Production===

The production network is reserved for the main production VMs, mainly Webhosts and hosts that support them. Juniper has also been moved to production as it will be hosting jellyfin and n8n.

===Infra===

Infra or infrastructure is used for the LAN services such as the nameserver and the monitoring hosts.

===VPNnet and Terminals===

===MGT===

This management network is highly restricted and reserved purely to do management functions, particularly for the management of the web GUI of pfsense which means that it is not possible to manage Pfsense from any remote computer, all Pfsense management must be done from the console while logged on to Pear. Also any other management should be done from the mgt network. To make this possible the VM host Lemon has been created with firefox and passwordless ssh to most relevant hosts. Keepass has also been installed to keep track of all passwords used on Pear.

Pfsense

2025-07-13T15:26:59Z

Sailor: /* Introduction */

==Introduction==

Pfsense on Pear is designed to keep the virtual networks separate from the physical NIC. It is has an interface on each of the virtual networks and the WAN interface on the same network as the physical NIC. The install does not have any plugins.

==Interfaces==

There several LAN networks including Production, Infra, VPNnet and terminals for the virtual machines to use. There is also another LAN called mgt that is reserved for management.

===production===

The production network is reserved for the main production VMs, mainly Webhosts and hosts that support them. Juniper has also been moved to production as it will be hosting jellyfin and n8n.

===Infra===

Infra or infrastructure is used for the LAN services such as the nameserver and the monitoring hosts.

===VPNnet and Terminals===

===MGT===

This management network is highly restricted and reserved purely to do management functions, particularly for the management of the web GUI of pfsense which means that it is not possible to manage Pfsense from any remote computer, all Pfsense management must be done from the console while logged on to Pear. Also any other management should be done from the mgt network. To make this possible the VM host Lemon has been created with firefox and passwordless ssh to most relevant hosts. Keepass has also been installed to keep track of all passwords used on Pear.

Other temporary projects

2025-03-21T12:59:42Z

Sailor: /* Download another model */

==Introduction==

My early investigations of AI with stable Diffusion. I will leave these early notes long past there date so my confusion can be seen and hopefully see some progression.

==Using the GPU on My Windows 11 PC==

I have downloaded the components to install the Stable Diffusion components. I installed Python but an early version (3.10.6) because I was told that it wouldn't work on the later versions, not sure how true that is but I did it anyway. I also installed github because it looks like that is required as well. The Stable Diffusion Web UI is Automatic1111 and if I want more models they have to match the Automatic1111 system.

===Running In a Browser===

The first model has been installed and works inside a browser. To start it going we need to open a command prompt or git bash (remember git bash is like Linux bash) and cd to
D:\stable-diffusion\stable-diffusion-webui
or if in the Git Bash
/d/stable-diffusion\stable-diffusion-webui
from here you can call the webui-user.bat script by typing the following command and pressing Enter
webui-user.bat
or if on Git Bash
./webui-user.bat
If there are updates
* The script will download any necessary updates and start the Web UI.
Once the process is complete, you'll see a message in the terminal with the local URL, Open the URL in your web browser. There shouldn't be any error messages but this still quite experimental so some update could easily break it.

===Download another model===

I also downloaded the comfyUI Windows portable cu126.7z.002 with models.zip.001 and followed instructions from https://github.com/YanWenKun/ComfyUI-Windows-Portable?tab=readme-ov-file. I named the directory comfyUIWindowsPortable however it would not extractfor the time being i will move on

2025-03-16T22:53:37Z

Sailor: /* Initial Setup */

==Introduction==

The host plum.seaoffate.net will be at an IP address of production.20. The purpose will be to show photos using Piwigo. The main premise is that plum will have a SSD hard drive for it's OS as normal but it will have a large hard drive from the ZFS Proxmox storage to store the photos and video. We can add the hd as soon as the VM is created but leave it to be formatted and mounted later.

==Initial Setup==

The first things we need to do is to install Apache and configure the webserver, as soon as that is done we should setup the reverse proxy on Raisin. The good news is that we have some scripts to do that as it is just boiler plate stuff all we need to say here is that the website will be called photo or more precisely photo.seaoffate.net. To use the wonderful scripts we must first copy them from Lemon so open a terminal on lemon and cd to ~/templates once that is done enter the command
scp create_apache_config.sh lamp_client_install.sh nigel@plum:~/
This will copy the files to the home dir of nigel (if SSH is not ready yet on plum look here). When the two are copied they will need to be made executable and make sure they are owned by the set user so login to plum and
sudo chown nigel:nigel create_apache_config.sh
sudo chown nigel:nigel lamp_client_install.sh
sudo chmod 755 lamp_client_install.sh
sudo chmod 755 create_apache_config.sh
Now that we have the first scripts we can execute them
./lamp_client_install.sh
and then setup the websites with the other script
./create_apache_config.sh photo
This script will create the configs for the hostname(plum) and the parameter in this case photo. We will get 6 configs both the http and https for plum.seaofffate.local and photo.seaoffate.local and photo.seaoffate.net. We will should check that the seaoffate.crt is in the /etc/ssl/certs dir
ls -l /etc/ssl/certs/
If it is missing then we should get the cert and key and mv it to the /etc/ssl/ dirs it should be called "seaoffate" (.crt & .key) to match the Apache configs that we just created. The next thing we need to do is get the piwigo zip file. Probably the best thing is to get it downloaded on to one of the desktop Linux VMs and scp it to this at the home dir. We will need to copy the zip to the public_html (best to cp rather than mv in case we need to redo the install and we would just delete everything in public_html). First we install zip, then cp the zip file then cd to where we want to extract to
sudo apt install zip
sudo cp piwigo-15.4.0.zip /var/www/plum.seaoffate.local
cd /var/www/plum.seaoffate.local
Then delete the existing public_html
sudo rm -rf /var/www/plum.seaoffate.local/public_html
and then unzip the file with
sudo unzip piwigo-15.4.0.zip -d .
This will create a dir called piwigo and so we rename it to public_html
sudo mv piwigo /var/www/plum.seaoffate.local/public_html
so we now should have all of the files extracted in to the docroot of our website we now need to change the ownersip to the apache user
sudo chown -R www-data:www-data /var/www/plum.seaoffate.local/public_html/
Before we can proceed with the installation at a web browser we have to create a database and for piwigo to use so ssh to mandarin and start a MySQL session with
sudo mysql -u root -p
at the mysql> prompt we need to create the database
CREATE DATABASE piwigo_db;
and then the user with privileges to the database, we will restrict this user to the plum host only
CREATE USER 'piwigo_user'@'192.168.100.22' IDENTIFIED BY 'your_strong_password';
GRANT ALL PRIVILEGES ON piwigo_db.* TO 'piwigo_user'@'192.168.100.22';
FLUSH PRIVILEGES;
exit?
Armed with our newly created database and user we can now start the web installation so we need to go get a web browser to https://photo.seaoffate.local. if that takes us to the nginix holding page we will need to setup raisin to do the reverse proxy thing or we could continue from a client inside the Pfsense but if we do that we still have to do the raisin set up at some point. so we may as well do so now so SSH to raisin
cd /etc/nginx/sites-available
sudo cp wiki.conf photo.conf
sudo cp wiki.seaoffate.local.ssl.conf photo.seaoffate.local.ssl.conf
sudo cp wiki.seaoffate.net.conf photo.seaoffate.net.conf
Then modify them to replace the servernames and ip addresses. While it is not pretty it does work and the scripts that we had generated forwarding loops so we can't use them. It looks like the reverse proxy was redirecting as well as the origin so it was causing a problem for browsers, we should only have the origin browser do any redirect between 80 and 443. Once this is done proceed to the web browser part of the piwigi installation. Keep a record of passwords in a password manager. Most of the install is now done. we could use the application as is but we would run out of storage for photos before too long so we will add a big hard drive to the installation mounting it inside public_html.

Plum (Photo)

2025-03-16T08:51:04Z

Sailor: /* Initial Setup */

Plum (Photo)

2025-03-16T08:23:37Z

Sailor: /* Initial Setup */

2025-03-15T05:57:49Z

Sailor: /* Website Config */

==Introduction==

Some scripts to help with the deployment of webservers. Back to the main page '''[[Virtual Machines#Installation Scripts | here]]'''

==Apache Webservers==

====Install packages====

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash
#
# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader
#
# Update package lists
sudo apt update -y
#
# Install Apache2
sudo apt install apache2 -y
#
# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y
#
# Install MySQL client
sudo apt install mysql-client -y
#
# Install ImageMagick
sudo apt install imagemagick -y
#
# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y
#
# Enable SSH service
sudo systemctl enable ssh
#
# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y
#
# Restart Apache2
sudo systemctl restart apache2
#
echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

====Website Config====

Once Apache and it supporting packages are done we will need to create the config files. We will need 6 configs created.
* hostname.seaoffate.local as http
* hostname.seaoffate.local as https
* purpose.seaoffate.local as http
* purpose.seaoffate.local as https
* purpose.seaoffate.net as http
* purpose.seaoffate.net as https
The file will be stored in the Templates dir on nigel login on lemon Although there are six websites they all will serve from the same docroot. we will get one of the names from the hostname of the VM and the other will be the parameter in the call.
./apache_config.sh purpose
purpose will be what the reason for having the webserver eg wiki or photo. We do not need the .seaofffate.local or .net as that is assumed

#!/bin/bash

# Script to create Apache configuration files for a website.

# Get website name from user input
read -p "Enter website name: " website_name

# Get the hostname of the vm
hostname=$(hostname)

# Define document root
docroot="/var/www/${website_name}.seaoffate.net/public_html"

# Create directory structure
mkdir -p "$docroot"
echo "Directory structure created: $docroot"

# Set permissions and ownership
chown -R www-data:www-data "/var/www/${website_name}.seaoffate.net"
chmod -R 755 "/var/www/${website_name}.seaoffate.net"
echo "Permissions and ownership set for: /var/www/${website_name}.seaoffate.net"

# Create index.php
cat <<EOF > "$docroot/index.php"
<?php
date_default_timezone_set('Europe/London');
\$ukTime = date('l, F j, Y, g:i:s A');

date_default_timezone_set('Europe/Madrid');
\$spainTime = date('l, F j, Y, g:i:s A');

date_default_timezone_set('America/New_York');
\$nyTime = date('l, F j, Y, g:i:s A');
?>
<!DOCTYPE html>
<html>
<head>
<title>Time Display</title>
<style>
body {
display: flex;
justify-content: center;
align-items: center;
height: 100vh;
margin: 0;
font-family: sans-serif;
}

#time-container {
text-align: center;
}

#uk-time, #spain-time, #ny-time {
font-size: 24px;
margin: 10px;
}
</style>
</head>
<body>

<div id="time-container">
<div id="uk-time">UK (London): <?php echo \$ukTime; ?></div>
<div id="spain-time">Spain (Madrid): <?php echo \$spainTime; ?></div>
<div id="ny-time">New York: <?php echo \$nyTime; ?></div>
</div>

</body>
</html>
EOF
echo "index.php created in: $docroot"

# Create Apache configuration files
cat <<EOF > "/etc/apache2/sites-available/${website_name}.seaoffate.local.conf"
<VirtualHost *:80>
ServerName ${website_name}.seaoffate.local
DocumentRoot "$docroot"
ErrorLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.local-error.log
CustomLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.local-access.log combined
</VirtualHost>
EOF
echo "HTTP config created: /etc/apache2/sites-available/${website_name}.seaoffate.local.conf"

cat <<EOF > "/etc/apache2/sites-available/${website_name}.seaoffate.local-ssl.conf"
<VirtualHost *:443>
ServerName ${website_name}.seaoffate.local
DocumentRoot "$docroot"
SSLEngine on
SSLCertificateFile /etc/ssl/certs/${website_name}.seaoffate.local.crt
SSLCertificateKeyFile /etc/ssl/private/${website_name}.seaoffate.local.key
ErrorLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.local-ssl-error.log
CustomLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.local-ssl-access.log combined
</VirtualHost>
EOF
echo "HTTPS config created: /etc/apache2/sites-available/${website_name}.seaoffate.local-ssl.conf"

cat <<EOF > "/etc/apache2/sites-available/${website_name}.seaoffate.net.conf"
<VirtualHost *:80>
ServerName ${website_name}.seaoffate.net
DocumentRoot "$docroot"
ErrorLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.net-error.log
CustomLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.net-access.log combined
</VirtualHost>
EOF
echo "HTTP config created: /etc/apache2/sites-available/${website_name}.seaoffate.net.conf"

cat <<EOF > "/etc/apache2/sites-available/${website_name}.seaoffate.net-ssl.conf"
<VirtualHost *:443>
ServerName ${website_name}.seaoffate.net
DocumentRoot "$docroot"
SSLEngine on
SSLCertificateFile /etc/ssl/certs/${website_name}.seaoffate.net.crt
SSLCertificateKeyFile /etc/ssl/private/${website_name}.seaoffate.net.key
ErrorLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.net-ssl-error.log
CustomLog \${APACHE_LOG_DIR}/${website_name}.seaoffate.net-ssl-access.log combined
</VirtualHost>
EOF
echo "HTTPS config created: /etc/apache2/sites-available/${website_name}.seaoffate.net-ssl.conf"

cat <<EOF > "/etc/apache2/sites-available/${hostname}.seaoffate.local.conf"
<VirtualHost *:80>
ServerName ${hostname}.seaoffate.local
DocumentRoot "$docroot"
ErrorLog \${APACHE_LOG_DIR}/${hostname}.seaoffate.local-error.log
CustomLog \${APACHE_LOG_DIR}/${hostname}.seaoffate.local-access.log combined
</VirtualHost>
EOF

echo "HTTP config created: /etc/apache2/sites-available/${hostname}.seaoffate.local.conf"

cat <<EOF > "/etc/apache2/sites-available/${hostname}.seaoffate.local-ssl.conf"
<VirtualHost *:443>
ServerName ${hostname}.seaoffate.local
DocumentRoot "$docroot"
SSLEngine on
SSLCertificateFile /etc/ssl/certs/${hostname}.seaoffate.local.crt
SSLCertificateKeyFile /etc/ssl/private/${hostname}.seaoffate.local.key
ErrorLog \${APACHE_LOG_DIR}/${hostname}.seaoffate.local-ssl-error.log
CustomLog \${APACHE_LOG_DIR}/${hostname}.seaoffate.local-ssl-access.log combined
</VirtualHost>
EOF

echo "HTTPS config created: /etc/apache2/sites-available/${hostname}.seaoffate.local-ssl.conf"

#Remove the backslashes from the APACHE_LOG_DIR variable
sed -i 's/\\\${APACHE_LOG_DIR}/${APACHE_LOG_DIR}/g' /etc/apache2/sites-available/*.conf
echo "Removed backslashes from APACHE_LOG_DIR in config files"

echo "All configuration files created and corrected."

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash
#
# Script to configure Nginx as a reverse proxy
#
# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"
#
# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi
#
# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"
#
# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
#
# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
#
# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
#
# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
#
# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/
#
# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/
#
# Restart Nginx
sudo systemctl restart nginx
#
echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash
#
# Script to remove an Nginx reverse proxy website configuration
#
# Get website name from command line
WEBSITE_NAME="$1"
#
# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi
#
# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"
#
# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"
#
# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"
#
# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"
#
# Restart Nginx
sudo systemctl restart nginx
#
echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"
#
# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Plum (Photo)

2025-03-15T03:44:16Z

Sailor: /* Initial Setup */

Plum (Photo)

2025-03-15T03:05:47Z

Sailor: /* Initial Setup */

Plum (Photo)

2025-03-15T03:04:08Z

Sailor: /* Introduction */

Plum (Photo)

2025-03-15T01:58:48Z

Sailor: Replaced content with "==Introduction== The host plum.seaoffate.net will be at an IP address of production.20. The purpose will be to show photos using Piwigo. The main premise is that plum will have a hard drive for it's OS as normal but read only access to the photo archive."

==Introduction==

The host plum.seaoffate.net will be at an IP address of production.20. The purpose will be to show photos using Piwigo. The main premise is that plum will have a hard drive for it's OS as normal but read only access to the photo archive.

2025-03-15T01:25:57Z

Sailor: /* Webserver Setup */

==Introduction==

There will be a variety of Virtual Machines contained within the '''[[Home Lab]]'''. A Brief description will be provided here with a more complete set of notes on each individual VM on the links.

==Virtual Machine Installation & Configuration Notes==

===Qemu Agent Install===

All VMs should have the qemu guest installed even server installs, it will allow the guest VM to communicate with Proxmox and give better options from the Proxmox . For Debian / Ubuntu type.
sudo apt update && install qemu-guest-agent
For Windows VMs there is a cd that can be referenced when defining the VM. On the OS page as soon as the Guest OS "Microsoft Windows" is selected a tick box, with the title "Add additional drive for VirtIO Drivers" appears. When selected find an ISO image "Virtio-win.iso". If it is not available it can be added to the ISO library on Proxmox by downloading it from [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso] or [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso].

==Virtual Machines==
A fairly high description of each of the VMs in use in the [[Home Lab]].

===Firewall===

====[[Pfsense]]====

The firewall and gateway to the whole of the [[Home Lab]]. The Virgin router will forward all incoming traffic from the Internet to the WAN port of the firewall at 192.168.0.125. The Firewall has five other internal interfaces to link to the Home Lab environment. 192.168.99.10/24 is the MGT VLAN it should be severely restricted to maintain security it is the only VLAN to be able to access the WebGUI of Pfsense. The Production VLAN is where all of the file and web servers are, the gateway address is 192.168.100.1/24. The Infra VLAN gateway 192.168.110.10/24 is where any supporting services will be located, at present there is only a Nameserver. I have reserved a VLAN called VPNnet with a gateway address of 192.168.130.1/24 for a VPN server to provide a VPN tunnel from remote terminals, there will not be many concurrent connections so a /24 network will be more than sufficient. The last VLAN has a Pfsense interface of 192.168.111.1/24 for any Desktop VM terminals that I will use while i am out, I have called this terminals. Further details of the [[Pfsense]] firewall can be found [[Pfsense | here]].

===MGT VLAN===

====[[Management kiosk]]====

A desktop Linux used to configure other VMs including Pfsense. As it is so sensitive i have kept it isolated on the MGT VLAN. There I have setup passwordless ssh to various other VMs as well. The host is called Lemon and has an IP Address of MGT.20.

====[[CA Server]]====

I have setup a host specifically to issue SSL certificates. The host name is Alpine with an IP of 192.168.99.25/24.

===Infra Vlan===

====[[Nameserver]]====

There is only one nameserver at the moment called ns1 Infra.11. It is the only host on the Infra VLAN.

===VPNNet VLAN===

====[[VPNserver]]====

There will be a VPN server called vanilla at VPNnet.5. It will control VPN access to the rest of the network.

===Terminals===

====[[Remote Access Terminal]]====

There will be two VMs setup on teminals VLAN with a desktop that I will provide for remote access one of them will be Linux (Ubuntu), hostname Lychee and the other will be Windows 11 Pro with a hostname Wahoo.

===Prodution===

====[[Reverse Proxy]]====

The Reverse proxy Ngnix install is hosted on Raisin production.9. It should be setup to fetch SSL certs from Letsencrypt and copy the certs to the various webservers that need them. It's primary role, of course is to manage access to the webservers.

===[[Webservers]]===

There wil be at least three webservers, One hosting www.seaoffate.net, another hosting plum.seaoffate.net and another hosting wiki.seaoffate.net. These will also be servicing .local addresses. MySQL will be on a different host. There will be other hosts that have some sort of webserver on them but not as a primary role.

===[[File server]]===

There is a file server called fig at Production.11. It will also have a webserver installed and will answer to files.seaoffate.net & files.seaoffate.local. It should be configured to serve files using NFS,FTP and SMB locally but only SFTP externally.

===[[MySQL Server]]===

Manderin at Production.8 is hosting the MySQL Databases.I will probably install phpmyadmin at some point to make DB management a bit easier but I doubt if I will give it external access.

===[[UpLoad Server]]===

There is an server especially set for SFTP and SMB serving. It will be on Production.25. It will have a large HD that will be used to import and export all pictures from the network.

===[[Backup Server]]===

We will have a dedicated backup server, Strawberry, that will share files with other servers like the '''[[Plum (Photo)]]''' server by NFS. It will mostly do not too much except monitor the files for others. If it looks like NFS is creating too much of a bottleneck we can look at storing photos directly on Plum and grabbing them periodically to upload. i will be doin just that so this note will change when i have reconfigured the '''[[Plum (Photo)]]''' and this server Strawberry.

===Future VMs===

I may well setup a streaming server with some sort of NFS RO share from the file server.

==Installation Scripts==

We are creating several scripts to speed up the installation of the VMs. some are long and major time savers and some are not much more than one or two lines.

=====[[Webserver Setup]]=====

Some Apache and Gninx scrips to speed up creation and deployment of webservers.

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh

=====[[Add a Hostname & IP Address to DNSmsaq]]=====

There is a script that can be run to add a dns record to dnsmasq
sudo ./add_dns_record.sh <hostname> <ip_address>
It will have two parameters one for hostname and the other for the IP Address of the host we would be dealing with. The script can be found here

As a quick check to make sure dns looks right there is a quick list of all dns entries called with
sudo ./list_dns_entries.sh

The third thing we will want to do from time to time is to delete a record. Call this with the hostname of the dns entry that is to be removed
sudo ./delete_dns_record.sh hostname
hostname can be either FQDN or just the hostname.

Virtual Machines

2025-03-15T01:24:58Z

Sailor: /* Add a Hostname & IP Address to DNSmsaq */

==Introduction==

There will be a variety of Virtual Machines contained within the '''[[Home Lab]]'''. A Brief description will be provided here with a more complete set of notes on each individual VM on the links.

==Virtual Machine Installation & Configuration Notes==

===Qemu Agent Install===

All VMs should have the qemu guest installed even server installs, it will allow the guest VM to communicate with Proxmox and give better options from the Proxmox . For Debian / Ubuntu type.
sudo apt update && install qemu-guest-agent
For Windows VMs there is a cd that can be referenced when defining the VM. On the OS page as soon as the Guest OS "Microsoft Windows" is selected a tick box, with the title "Add additional drive for VirtIO Drivers" appears. When selected find an ISO image "Virtio-win.iso". If it is not available it can be added to the ISO library on Proxmox by downloading it from [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso] or [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso].

==Virtual Machines==
A fairly high description of each of the VMs in use in the [[Home Lab]].

===Firewall===

====[[Pfsense]]====

The firewall and gateway to the whole of the [[Home Lab]]. The Virgin router will forward all incoming traffic from the Internet to the WAN port of the firewall at 192.168.0.125. The Firewall has five other internal interfaces to link to the Home Lab environment. 192.168.99.10/24 is the MGT VLAN it should be severely restricted to maintain security it is the only VLAN to be able to access the WebGUI of Pfsense. The Production VLAN is where all of the file and web servers are, the gateway address is 192.168.100.1/24. The Infra VLAN gateway 192.168.110.10/24 is where any supporting services will be located, at present there is only a Nameserver. I have reserved a VLAN called VPNnet with a gateway address of 192.168.130.1/24 for a VPN server to provide a VPN tunnel from remote terminals, there will not be many concurrent connections so a /24 network will be more than sufficient. The last VLAN has a Pfsense interface of 192.168.111.1/24 for any Desktop VM terminals that I will use while i am out, I have called this terminals. Further details of the [[Pfsense]] firewall can be found [[Pfsense | here]].

===MGT VLAN===

====[[Management kiosk]]====

A desktop Linux used to configure other VMs including Pfsense. As it is so sensitive i have kept it isolated on the MGT VLAN. There I have setup passwordless ssh to various other VMs as well. The host is called Lemon and has an IP Address of MGT.20.

====[[CA Server]]====

I have setup a host specifically to issue SSL certificates. The host name is Alpine with an IP of 192.168.99.25/24.

===Infra Vlan===

====[[Nameserver]]====

There is only one nameserver at the moment called ns1 Infra.11. It is the only host on the Infra VLAN.

===VPNNet VLAN===

====[[VPNserver]]====

There will be a VPN server called vanilla at VPNnet.5. It will control VPN access to the rest of the network.

===Terminals===

====[[Remote Access Terminal]]====

There will be two VMs setup on teminals VLAN with a desktop that I will provide for remote access one of them will be Linux (Ubuntu), hostname Lychee and the other will be Windows 11 Pro with a hostname Wahoo.

===Prodution===

====[[Reverse Proxy]]====

The Reverse proxy Ngnix install is hosted on Raisin production.9. It should be setup to fetch SSL certs from Letsencrypt and copy the certs to the various webservers that need them. It's primary role, of course is to manage access to the webservers.

===[[Webservers]]===

There wil be at least three webservers, One hosting www.seaoffate.net, another hosting plum.seaoffate.net and another hosting wiki.seaoffate.net. These will also be servicing .local addresses. MySQL will be on a different host. There will be other hosts that have some sort of webserver on them but not as a primary role.

===[[File server]]===

There is a file server called fig at Production.11. It will also have a webserver installed and will answer to files.seaoffate.net & files.seaoffate.local. It should be configured to serve files using NFS,FTP and SMB locally but only SFTP externally.

===[[MySQL Server]]===

Manderin at Production.8 is hosting the MySQL Databases.I will probably install phpmyadmin at some point to make DB management a bit easier but I doubt if I will give it external access.

===[[UpLoad Server]]===

There is an server especially set for SFTP and SMB serving. It will be on Production.25. It will have a large HD that will be used to import and export all pictures from the network.

===[[Backup Server]]===

We will have a dedicated backup server, Strawberry, that will share files with other servers like the '''[[Plum (Photo)]]''' server by NFS. It will mostly do not too much except monitor the files for others. If it looks like NFS is creating too much of a bottleneck we can look at storing photos directly on Plum and grabbing them periodically to upload. i will be doin just that so this note will change when i have reconfigured the '''[[Plum (Photo)]]''' and this server Strawberry.

===Future VMs===

I may well setup a streaming server with some sort of NFS RO share from the file server.

==Installation Scripts==

We are creating several scripts to speed up the installation of the VMs. some are long and major time savers and some are not much more than one or two lines.

=====[[Webserver Setup]]=====

Some Apache and Gninx scrips to speed up creation and deployment of webservers.

=====[[Add a Hostname & IP Address to DNSmsaq]]=====

There is a script that can be run to add a dns record to dnsmasq
sudo ./add_dns_record.sh <hostname> <ip_address>
It will have two parameters one for hostname and the other for the IP Address of the host we would be dealing with. The script can be found here

As a quick check to make sure dns looks right there is a quick list of all dns entries called with
sudo ./list_dns_entries.sh

The third thing we will want to do from time to time is to delete a record. Call this with the hostname of the dns entry that is to be removed
sudo ./delete_dns_record.sh hostname
hostname can be either FQDN or just the hostname.

Virtual Machines

2025-03-15T01:23:51Z

Sailor: /* Add a Hostname & IP Address to DNSmsaq */