I have a new-to-me-laptop. This post isn’t about setting it up, installing applications, etc. Nor is it about copying data from the old laptop to the new laptop.
This post is about the configuration things which are specific to this laptop, which is known as pro05.int.unixathome.org. It will cover several steps that, because they are carried out so infrequently, I don’t always remember. Hopefully, this will help me the next time I need to do this.
You may find this useful, but of all my posts, this one is probably the most specific to me. At best, you might get ideas for your own configuration. At worst, you’ll figure out how to easily hack into my systems. Or even worse, tell me how much easier I can do it.
The items covered are:
- hostname
- DNS
- New ssh key
- Distribute that key to other hosts
- OpenVPN
- Firewall
- shell scripts
In this post:
- Mac OSX Sequoia 15.5 (not entirely relevant to this post)
- FreeBSD 14.2 (14.3 is out, but I’ve not updated yet)
- ssl-admin 1.3.0_2
- openvpn 2.6.14 (server)
- viscosity 1.11.5 (Mac OpenVPN client)
- bind 9.18.37
- ansible 11.4.0
- ssh (OpenSSH_9.9p2)

Now, you might ask, why am I setting this host up with a new host name, ssh key, creds, etc. Go ahead, ask. I’ll wait.
It’s because I’ll have both laptops running at the same time and I’m not a fan of sharing creds, even with myself. It also means that when the old laptop is disposed of, the items to change/delete from configurations are clearly distinct.
hostname
For this post, I’m using the hostname pro05.int.unixathome.org
At the time of writing, I had already completed this part. For this post, I did some searching and this seems like what I did. I found this post and have reproduced the steps here.
The next time I set up a new laptop, I will update this section and the following commands will be known to be correct. Until then, I’m guessing.
| setting | command |
|---|---|
| FQDN | `sudo scutil --set HostName pro05.int.unixathome.org` |
| Bonjour hostname | `sudo scutil --set LocalHostName pro05` |
| computer name | `sudo scutil --set ComputerName pro05.int.unixathome.org` |
DNS
The DNS entries for the previous host are in these files:
```
[16:35 mydev dvl ~/dns-PRIVATE] % grep -l pro04 *
0.54.10.in-addr.arpa.db
0.55.10.in-addr.arpa.db
1.8.10.in-addr.arpa.db
int.unixathome.org.db
vpn.unixathome.org.db
```
Here’s my edit command: `joe 0.54.10.in-addr.arpa.db 0.55.10.in-addr.arpa.db 1.8.10.in-addr.arpa.db int.unixathome.org.db vpn.unixathome.org.db`
After I added the entries for pro05, this is the diff I had:
[16:57 ansible root /usr/local/etc/ansible/roles/named/files/dns-private] # svn di Index: 0.54.10.in-addr.arpa.db =================================================================== --- 0.54.10.in-addr.arpa.db (revision 21374) +++ 0.54.10.in-addr.arpa.db (working copy) @@ -1,7 +1,7 @@ $ORIGIN . $TTL 600 ; 10 minutes 0.54.10.in-addr.arpa IN SOA dns1.int.unixathome.org. soa.dvl-software.com. ( - 2025022700 ; serial + 2025061700 ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) 3600000 ; expire (5 weeks 6 days 16 hours) @@ -39,6 +39,7 @@ 73 PTR DanLangillesiPadPro.wifi.int.unixathome.org. 74 PTR caseta.wifi.int.unixathome.org. 75 PTR pro04.wifi.int.unixathome.org. +76 PTR pro05.wifi.int.unixathome.org. 81 PTR backbedroom.protect.int.unixathome.org. 82 PTR basement.protect.int.unixathome.org. Index: 0.55.10.in-addr.arpa.db =================================================================== --- 0.55.10.in-addr.arpa.db (revision 21374) +++ 0.55.10.in-addr.arpa.db (working copy) @@ -1,7 +1,7 @@ $ORIGIN . $TTL 600 ; 10 minutes 0.55.10.in-addr.arpa IN SOA dns1.int.unixathome.org. soa.dvl-software.com. ( - 2025040600 ; serial + 2025061700 ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) 3600000 ; expire (5 weeks 6 days 16 hours) @@ -101,6 +101,7 @@ 81 PTR dvl-ingress01.int.unixathome.org. 82 PTR dvl-nginx01.int.unixathome.org. 83 PTR pro04.int.unixathome.org. +84 PTR pro05.int.unixathome.org. 88 PTR floater.int.unixathome.org. 99 PTR wocker.int.unixathome.org. Index: 1.8.10.in-addr.arpa.db =================================================================== --- 1.8.10.in-addr.arpa.db (revision 21374) +++ 1.8.10.in-addr.arpa.db (working copy) @@ -1,7 +1,7 @@ $ORIGIN . $TTL 10 ; 10 seconds 1.8.10.in-addr.arpa IN SOA dns1.int.unixathome.org. soa.dvl-software.com. ( - 2025010400 ; serial + 2025061700 ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) 3600000 ; expire (5 weeks 6 days 16 hours) 
@@ -53,3 +53,5 @@ 190 IN PTR nagios03.startpoint.vpn.unixathome.org. 191 IN PTR nagios03.endpoint.vpn.unixathome.org. +200 IN PTR pro05.startpoint.vpn.unixathome.org. +201 IN PTR pro05.endpoint.vpn.unixathome.org. Index: int.unixathome.org.db =================================================================== --- int.unixathome.org.db (revision 21374) +++ int.unixathome.org.db (working copy) @@ -1,7 +1,7 @@ $ORIGIN . $TTL 600 ; 10 minutes int.unixathome.org IN SOA dns1.int.unixathome.org. soa.dvl-software.com. ( - 2025040600 ; serial + 2025061700 ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) 3600000 ; expire (5 weeks 6 days 16 hours) @@ -15,6 +15,8 @@ $TTL 600 ; 10 minutes +adguard A 10.55.0.16 + air01 A 10.55.0.61 air01.wifi A 10.54.0.61 air01-vpn A 10.8.1.61 @@ -169,6 +171,12 @@ pro04-vpn-startpoint A 10.8.1.180 pro04-vpn-endpoint A 10.8.1.181 +pro05 A 10.55.0.84 +pro05.wifi A 10.54.0.76 +pro05-vpn A 10.8.1.84 +pro05-vpn-startpoint A 10.8.1.200 +pro05-vpn-endpoint A 10.8.1.201 + local-freebsd-repo A 10.55.0.101 packages01 A 10.55.0.31 Index: vpn.unixathome.org.db =================================================================== --- vpn.unixathome.org.db (revision 21374) +++ vpn.unixathome.org.db (working copy) @@ -1,7 +1,7 @@ $ORIGIN . $TTL 600 ; 10 minutes vpn.unixathome.org IN SOA dns1.int.unixathome.org. soa.dvl-software.com. ( - 2025010400 ; serial + 2025061700 ; serial 3600 ; refresh (1 hour) 900 ; retry (15 minutes) 3600000 ; expire (5 weeks 6 days 16 hours) @@ -69,6 +69,9 @@ pro04.startpoint A 10.8.1.180 pro04.endpoint A 10.8.1.181 +pro05.startpoint A 10.8.1.200 +pro05.endpoint A 10.8.1.201 + r720-02.startpoint A 10.8.1.140 r720-02.endpoint A 10.8.1.141 r720-02 A 10.140.0.217
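Review bot: the `+adguard A 10.55.0.16` line in the int.unixathome.org.db hunk at `@@ -15,6 +15,8 @@` is unrelated to adding pro05, and it has no matching reverse record, since the 0.55.10.in-addr.arpa.db hunk adds only `+84 PTR pro05.int.unixathome.org.`; commit it separately, together with its PTR, so the pro05 change stays self-contained.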
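Review bot: in the int.unixathome.org.db hunk at `@@ -169,6 +171,12 @@`, `+pro05-vpn A 10.8.1.84` has no reverse record (the 1.8.10.in-addr.arpa.db hunk adds PTRs only for 200 and 201), and 10.8.1.84 is not the address the ccd template later on this page pushes to pro05 (`ifconfig-push 10.8.1.200 255.255.255.0`); confirm that 10.8.1.84 is intended and add a PTR for it, or point pro05-vpn at 10.8.1.200 as pro05-vpn-startpoint already does.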
This data is stored in Ansible and sent off to the gateway host (gw01). From there, it spreads to the secondary DNS servers.
That then needs to be installed on gw01 via:
```
[17:08 ansible root /usr/local/etc/ansible] # ansible-playbook gateway.yml --tags=zone_files --limit=gw01.int.unixathome.org

PLAY [gateways] ****************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************
ok: [gw01.int.unixathome.org]

TASK [named : copy zone-files] *************************************************************************************************************************************************
changed: [gw01.int.unixathome.org]

PLAY RECAP *********************************************************************************************************************************************************************
gw01.int.unixathome.org    : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[17:12 ansible root /usr/local/etc/ansible] #
```
And then named needs to be reloaded (that isn’t in the Ansible configuration by design):
```
[17:12 gw01 dvl ~] % sudo service named reload
server reload successful
```
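Before pushing a zone change like the one above, the check I want is mechanical: every new A record has a PTR, every new PTR points back at a name that resolves to that address, and the SOA serial is a real date. The script below is an added example, not code from the post, from BIND, or from the author’s Ansible roles. It parses the simplified zone syntax the post shows (one record per line, `$ORIGIN`/`$TTL` directives, `;` comments, optional TTL and `IN` class) and cross-checks forward and reverse zones. The zone texts are constructed to mirror the post’s pro05 entries (the real files hold many more records, and the `$ORIGIN <zone>.` lines and SOA minimum value are assumed since the post’s hunks do not show them). Run against these inputs it reports the one A record in the post’s diff that has no reverse entry, `pro05-vpn A 10.8.1.84`.

```python
"""Forward/reverse zone consistency and SOA serial check (added example)."""
import datetime

# --- constructed zone snippets modelled on the post's diff (not the real files) ---
INT_ZONE = """\
$ORIGIN .
$TTL 600 ; 10 minutes
int.unixathome.org IN SOA dns1.int.unixathome.org. soa.dvl-software.com. (
    2025061700 ; serial
    3600 ; refresh (1 hour)
    900 ; retry (15 minutes)
    3600000 ; expire (5 weeks 6 days 16 hours)
    600 ) ; minimum -- assumed value, not shown in the post
$ORIGIN int.unixathome.org.
pro05 A 10.55.0.84
pro05.wifi A 10.54.0.76
pro05-vpn A 10.8.1.84
pro05-vpn-startpoint A 10.8.1.200
pro05-vpn-endpoint A 10.8.1.201
"""
VPN_ZONE = "$ORIGIN vpn.unixathome.org.\npro05.startpoint A 10.8.1.200\npro05.endpoint A 10.8.1.201\n"
REV_55 = "$ORIGIN 0.55.10.in-addr.arpa.\n84 PTR pro05.int.unixathome.org.\n"
REV_54 = "$ORIGIN 0.54.10.in-addr.arpa.\n76 PTR pro05.wifi.int.unixathome.org.\n"
REV_8 = """\
$ORIGIN 1.8.10.in-addr.arpa.
200 IN PTR pro05.startpoint.vpn.unixathome.org.
201 IN PTR pro05.endpoint.vpn.unixathome.org.
"""
FORWARD_ZONES = [INT_ZONE, VPN_ZONE]
REVERSE_ZONES = [REV_55, REV_54, REV_8]


def _strip_comment(line):
    return line.split(";", 1)[0].strip()


def parse_zone(text):
    """Return (owner_fqdn, rrtype, rdata) triples; the parenthesised SOA block is skipped."""
    origin, depth, records = ".", 0, []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if depth:                        # still inside the SOA parentheses
            depth += line.count("(") - line.count(")")
            continue
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, *rest = line.split()
        if rest and rest[0].isdigit():   # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        if not rest:
            continue
        rrtype, rdata = rest[0].upper(), " ".join(rest[1:])
        depth += line.count("(") - line.count(")")
        if rrtype == "SOA":
            continue
        if not owner.endswith("."):      # make relative names absolute
            owner = owner + "." if origin == "." else f"{owner}.{origin}"
        records.append((owner, rrtype, rdata))
    return records


def soa_serial(text):
    """The serial is the first value after the SOA line in the post's layout."""
    after_soa = False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if after_soa and line:
            return int(line.split()[0])
        after_soa = after_soa or "SOA" in line.split()
    raise ValueError("no SOA record")


def serial_is_dated(serial, today=None):
    """True if the serial has the YYYYMMDDnn form with a real, non-future date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        day = datetime.date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return today is None or day <= today


def reverse_name_to_ip(name):
    """'84.0.55.10.in-addr.arpa.' -> '10.55.0.84'"""
    labels = name.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a reverse name: {name}")
    return ".".join(reversed(labels[:-2]))


def check_consistency(forward_zones, reverse_zones):
    """A records with no PTR for their address, and PTRs whose target lacks a matching A."""
    a_records = {(o, r) for z in forward_zones for o, t, r in parse_zone(z) if t == "A"}
    ptrs = {(reverse_name_to_ip(o), r) for z in reverse_zones for o, t, r in parse_zone(z) if t == "PTR"}
    ptr_ips = {ip for ip, _ in ptrs}
    return {
        "a_without_ptr": sorted((n, ip) for n, ip in a_records if ip not in ptr_ips),
        "ptr_without_a": sorted((ip, n) for ip, n in ptrs if (n, ip) not in a_records),
    }


if __name__ == "__main__":
    serial = soa_serial(INT_ZONE)
    print("serial", serial, "dated:", serial_is_dated(serial))
    for kind, items in check_consistency(FORWARD_ZONES, REVERSE_ZONES).items():
        for item in items:
            print(kind, *item)
```

Point it at the real files by reading them into the two lists instead of the constructed strings; `named-checkzone` on gw01 still does the syntax check, this only covers the forward/reverse agreement that a zone syntax check cannot see.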
New ssh key
I don’t share keys across devices. I keep them only on that device. Here I am creating a new one.
```
[13:19 pro05 dvl ~/.ssh] % ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/dvl/.ssh/id_ed25519): 
Enter passphrase for "/Users/dvl/.ssh/id_ed25519" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/dvl/.ssh/id_ed25519
Your public key has been saved in /Users/dvl/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:ouqHy4dQ5XrIyavQCRAQvNQ83UPdQw/GEXIMOQwKxIY dvl@pro05.int.unixathome.org
The key's randomart image is:
+--[ED25519 256]--+
|*.*o. oo+oBBo    |
| E *o..o =+=o    |
|o oo.. . . ..    |
|... .            |
|.+ + . S         |
|..*... .         |
|...=.            |
|....o            |
|.o=+             |
+----[SHA256]-----+
[13:19 pro05 dvl ~/.ssh] %
```
Here’s my key and this will be used in future steps.
```
[13:19 pro05 dvl ~/.ssh] % cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIr+TOrE8z6mIFYb7oKMVk8httivoB8wBpiLzQgRK8lD dvl@pro05.int.unixathome.org
```
Distribute that key to other hosts
These are the files which need updating.
With work, I could reduce this number of files. That’s for future me.
```
[17:26 ansible root /usr/local/etc/ansible] # joe files/public_keys/dvl roles/subversion/files/svn.pgcon.org roles/subversion/files/svn.bsdcan.org roles/subversion/files/x8dtu-svn roles/users-dvl/files/users/dvl/.ssh/authorized_keys
```
After adding my key to those files, I need to run these commands:
```
[17:53 ansible root /usr/local/etc/ansible] # eval `ssh-agent`
Agent pid 78953
[17:54 ansible root /usr/local/etc/ansible] # ssh-add -L
The agent has no identities.
[17:54 ansible root /usr/local/etc/ansible] # ssh-add
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[17:54 ansible root /usr/local/etc/ansible] # ansible-playbook users.yml --tags=authorized_keys
```
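With five files to edit by hand, the question worth answering afterwards is “which of them actually carry the new key, and is it the key I just generated?” The script below is an added example, not code from the post or from OpenSSH or Ansible. It parses authorized_keys-style files (an optional options prefix such as `command="..."`, the key type, the base64 blob, the comment), computes the SHA256 fingerprint the same way `ssh-keygen -l` does (base64 of the SHA-256 of the decoded blob, `=` padding removed), checks that the declared key type matches the type encoded inside the blob, and reports which files contain the key by fingerprint rather than by string match, so a key pasted with a different comment or with options in front still counts. The pro05 public key and fingerprint are copied from the post; the file contents, the old laptop’s stand-in key and the `svnserve` command option are constructed for the example.

```python
"""Audit where a public key has been distributed, matching by fingerprint (added example)."""
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}

# Public key and fingerprint exactly as printed in the post.
PRO05_PUB = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIr+TOrE8z6mIFYb7oKMVk8httivoB8wBpiLzQgRK8lD"
             " dvl@pro05.int.unixathome.org")
PRO05_FINGERPRINT = "SHA256:ouqHy4dQ5XrIyavQCRAQvNQ83UPdQw/GEXIMOQwKxIY"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed stand-in for the old laptop's key: correct blob layout, dummy 32-byte point.
OLD_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
OLD_PUB = f"ssh-ed25519 {OLD_BLOB} dvl@pro04.int.unixathome.org"

# Constructed file contents, named after the paths in the post.
FILES = {
    "files/public_keys/dvl": f"{OLD_PUB}\n{PRO05_PUB}\n",
    "roles/subversion/files/svn.bsdcan.org": (
        f'command="/usr/local/bin/svnserve -t -r /var/db/svn --tunnel-user=dvl",no-pty {PRO05_PUB}\n'),
    "roles/users-dvl/files/users/dvl/.ssh/authorized_keys": f"# keys for dvl\n{OLD_PUB}\n",
}


def parse_authorized_keys(text):
    """Return (options, key_type, blob_b64, comment) per key line; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, tok in enumerate(tokens) if tok in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line this parser understands
        entries.append((" ".join(tokens[:idx]), tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])))
    return entries


def blob_key_type(blob_b64):
    """The key type stored inside the blob (its first SSH string), e.g. 'ssh-ed25519'."""
    raw = base64.b64decode(blob_b64)
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode()


def fingerprint(blob_b64):
    """SHA256 fingerprint in the format ssh-keygen prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(files, pub_line):
    """Which files carry pub_line's key (matched by fingerprint) and which do not."""
    _, key_type, blob, _ = parse_authorized_keys(pub_line)[0]
    if blob_key_type(blob) != key_type:
        raise ValueError("declared key type does not match the type inside the blob")
    wanted = fingerprint(blob)
    present = sorted(name for name, text in files.items()
                     if any(fingerprint(b) == wanted for _, _, b, _ in parse_authorized_keys(text)))
    return {"present": present, "missing": sorted(set(files) - set(present))}


if __name__ == "__main__":
    fp = fingerprint(parse_authorized_keys(PRO05_PUB)[0][2])
    print(fp, "matches the ssh-keygen output:", fp == PRO05_FINGERPRINT)
    print(audit(FILES, PRO05_PUB))
```

Replace `FILES` with the contents of the five real paths (read from the Ansible checkout) and `PRO05_PUB` with `cat ~/.ssh/id_ed25519.pub` from the laptop; `missing` is then the list of files still to edit, and the fingerprint comparison confirms the pasted key is the one that was generated rather than a stale clipboard entry.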
OpenVPN
I need to create an OpenVPN key and provide it to the user (me).
```
[19:36 mydev dvl /usr/local/etc/ssl-admin] % sudo ssl-admin
ssl-admin installed Wed Jan 2 20:46:56 UTC 2013
=====================================================
#                 SSL-ADMIN v1.3.0                  #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: A2
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
C) Generate new Certificate Revokation List (CRL)
q) Quit ssl-admin
Menu Item: 4
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: pro05.int.unixathome.org
File names will use pro05.int.unixathome.org.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [pro05.int.unixathome.org]: 
Would you like to password protect the private key (y/n): y
.+...+..........+......+..+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+..+............+............+.+...
...
+++++++++++++++++++++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
===> Serial Number = A2
=========> Signing request for pro05.int.unixathome.org
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
Enter pass phrase for /usr/local/etc/ssl-admin/active/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'DC'
localityName          :PRINTABLE:'Washington'
organizationName      :PRINTABLE:'BSD Cabal Headquarters'
commonName            :PRINTABLE:'pro05.int.unixathome.org'
emailAddress          :IA5STRING:'foo@example.org'
Certificate is to be certified until Jun 15 19:38:15 2035 GMT (3650 days)

Write out database with 1 new entries
Database updated
=========> Moving certificates and keys to /usr/local/etc/ssl-admin/active for production.
Can I move signing request (pro05.int.unixathome.org.csr) to the csr directory for archiving? (y/n): 
===> pro05.int.unixathome.org.csr moved.
=====================================================
#                 SSL-ADMIN v1.3.0                  #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: A3
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
C) Generate new Certificate Revokation List (CRL)
q) Quit ssl-admin
Menu Item: z
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [pro05.int.unixathome.org]: 
=========> Creating .zip file for pro05.int.unixathome.org in /usr/local/etc/ssl-admin/packages
=================> Moving pro05.int.unixathome.org.crt
=================> Moving pro05.int.unixathome.org.key
Is this certificate for an OpenVPN client install? (y/n): y
=================> Zipping File
=================> Cleaning up files: client.crt, client.key.
You may distribute /usr/local/etc/ssl-admin/packages/pro05.int.unixathome.org.zip to the end user.
=====================================================
#                 SSL-ADMIN v1.3.0                  #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: A3
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
C) Generate new Certificate Revokation List (CRL)
q) Quit ssl-admin
Menu Item: q
```
Remember to `chmod o=` that file so it is not world-readable.
That file gets copied to the laptop. Yes, and how, exactly, do you do that, without access to the VPN yet?
scp over my wifi network.
I create this directory and copy the files into ~/.Viscosity
Allowing the client into OpenVPN
Within Ansible, I added the host to this file: `host_vars/gw01.int.unixathome.org/openvpn.yaml`
I copied this file and then customized the new file:
```
[20:00 ansible root /usr/local/etc/ansible/roles/openvpn/templates/ccd] # svn cp pro04.int.unixathome.org.j2 pro05.int.unixathome.org.j2
A         pro05.int.unixathome.org.j2
```
What was the change in there?
[20:01 ansible root /usr/local/etc/ansible/roles/openvpn/templates/ccd] # svn di pro05.int.unixathome.org.j2 Index: pro05.int.unixathome.org.j2 =================================================================== --- pro05.int.unixathome.org.j2 (revision 2803) +++ pro05.int.unixathome.org.j2 (working copy) @@ -1,5 +1,5 @@ # fixed IP address -ifconfig-push 10.8.1.180 255.255.255.0 +ifconfig-push 10.8.1.200 255.255.255.0 push "route 10.52.0.0 255.255.255.0" push "route 10.53.0.0 255.255.255.0"
How was that value determined?
```
[16:01 pro04 dvl ~] % host 10.8.1.180
180.1.8.10.in-addr.arpa domain name pointer pro04.startpoint.vpn.unixathome.org.
[16:01 pro04 dvl ~] % host pro04.startpoint.vpn.unixathome.org
pro04.startpoint.vpn.unixathome.org has address 10.8.1.180
[16:01 pro04 dvl ~] % host pro05.startpoint.vpn.unixathome.org
pro05.startpoint.vpn.unixathome.org has address 10.8.1.200
[16:01 pro04 dvl ~] %
```
Oh, and while I’m here, I should add to the list of things logcheck ignores.
Edit this file: `roles/logcheck/files/sets/openvpn-server/local-openvpn-server-verb4`
Modify firewall access to allow the new laptop to do things
There are other Ansible changes, related to DHCP and to the firewall.
```
[20:06 ansible root /usr/local/etc/ansible] # joe host_vars/gw01.int.unixathome.org/dhcpd.yaml host_vars/gw01.int.unixathome.org/pf-macros.yaml host_vars/gw01.int.unixathome.org/pf-tables.yaml
```
Here’s the diff I got:
[20:15 ansible root /usr/local/etc/ansible] # svn di host_vars/gw01.int.unixathome.org/dhcpd.yaml host_vars/gw01.int.unixathome.org/pf-macros.yaml host_vars/gw01.int.unixathome.org/pf-tables.yaml =================================================================== --- host_vars/gw01.int.unixathome.org/openvpn.yaml (revision 2832) +++ host_vars/gw01.int.unixathome.org/openvpn.yaml (working copy) @@ -19,6 +19,7 @@ - pro02.int.unixathome.org - pro03.int.unixathome.org - pro04.int.unixathome.org + - pro05.int.unixathome.org - r720-02.unixathome.org - rose.int.unixathome.org - snorty.int.unixathome.org @@ -59,4 +60,3 @@ - name: nagios03 ip4: 10.190.0.0 mask: 255.255.255.0 - Index: host_vars/gw01.int.unixathome.org/pf-macros.yaml =================================================================== --- host_vars/gw01.int.unixathome.org/pf-macros.yaml (revision 2810) +++ host_vars/gw01.int.unixathome.org/pf-macros.yaml (working copy) @@ -94,6 +94,14 @@ - $pro04_wired - $pro04_vpn + pro05_wifi: 10.54.0.84 + pro05_wired: 10.55.0.84 + pro05_vpn: 10.8.1.200 + pro05: + - 10.54.0.84 + - $pro05_wired + - $pro05_vpn + rose_wifi: 10.54.0.62 rose_wired: 10.55.0.62 rose_vpn: 10.8.1.120 Index: host_vars/gw01.int.unixathome.org/pf-tables.yaml =================================================================== --- host_vars/gw01.int.unixathome.org/pf-tables.yaml (revision 2833) +++ host_vars/gw01.int.unixathome.org/pf-tables.yaml (working copy) 
@@ -12,7 +12,7 @@ # lan_net: "{ 10.7.0.0/24 }" - tableconst { $vlan2_maint_net, $vlan4_wifi_net, $vlan7_server_net, $vlan219_talos_net } - - table const { $air01_wifi, $air01_wired, $air01_vpn, $dent_wifi, $dent_wired, $dent_vpn, $Nagios, $pro02_wifi, $pro02_wired, $pro02_vpn, $pro03_wifi, $pro03_wired, $pro03_vpn, $pro04_wifi, $pro04_wired, $pro04_wired, $rose_wifi, $pro04_wired, $pro04_vpn, $ansible } + - table const { $air01_wifi, $air01_wired, $air01_vpn, $dent_wifi, $dent_wired, $dent_vpn, $Nagios, $pro02_wifi, $pro02_wired, $pro02_vpn, $pro03_wifi, $pro03_wired, $pro03_vpn, $pro04_wifi, $pro04_wired, $pro04_vpn, $pro05_wifi, $pro05_wired, $pro05_vpn, $rose_wifi, $ansible } - table const { $cliff1, $cliff2 } - table const { $ns1_vpn $ns2_vpn $ns3_vpn } - table const { $dns0, $dns1, $dns2, $dns_vlan2, $dns_vlan3, $dns_vlan4, $dns_vlan219 } @@ -28,7 +28,7 @@ - table const { $gateway_servers, $gateway_wifi, $gateway_mainteance, $gateway_talosnet } - "# VPN users who get access to our internal DNS, ssh, etc" - '#' - - table const {$air01_vpn $dent_vpn $pro02_vpn $pro03_vpn $pro04_vpn $rose_vpn } + - table const {$air01_vpn $dent_vpn $pro02_vpn $pro03_vpn $pro04_vpn $pro05_vpn $rose_vpn } - table const { $Nagios03 } - table const { $aws_1 $r720_02_startpoint $tallboy $x8dtu_pg01 $zuul $zuul_mysql $zuul_pg01 $zuul_pg02 }
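Review bot: in the pf-macros.yaml hunk at `@@ -94,6 +94,14 @@`, `pro05_wifi: 10.54.0.84` disagrees with the DNS change earlier on this page, where pro05's wifi address is 10.54.0.76 (`+76 PTR pro05.wifi.int.unixathome.org.` and `+pro05.wifi A 10.54.0.76`); one of the two is wrong, and the firewall tables built from this macro will not match the laptop's wifi traffic until they agree. The `pro05:` list also hardcodes `- 10.54.0.84` where the pro04 entry just above uses the macros (`- $pro04_wired`, `- $pro04_vpn`); use `- $pro05_wifi` so the address is defined in one place.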
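Review bot: the `svn di` command names dhcpd.yaml, pf-macros.yaml and pf-tables.yaml, but the output starts with a hunk for `host_vars/gw01.int.unixathome.org/openvpn.yaml` and contains no dhcpd.yaml hunk at all, even though the surrounding text says the changes are related to DHCP; confirm that a DHCP reservation for pro05 was actually added, and that the openvpn.yaml change (adding `pro05.int.unixathome.org` to the client list and dropping a trailing blank line) is meant to be part of this commit.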
Now we distribute those values to dhcpd:
```
[20:23 ansible root /usr/local/etc/ansible] # ansible-playbook gateway.yml --limit=gw01.int.unixathome.org --tags=dhcpd
```
And then to the firewall:
```
[20:26 ansible root /usr/local/etc/ansible] # ansible-playbook gateway.yml --limit=gw01.int.unixathome.org --tags=pf,pf_conf_only
```
Yes, I could combine those two commands by putting the tags together.
These files:
shell scripts
Now that I’m onto the VPN (1748 words later), I can check out my scripts:
```
[16:46 pro05 dvl ~/src/scripts] % mkdir ~/src/
[16:46 pro05 dvl ~/src/scripts] % cd ~/src/
[16:46 pro05 dvl ~/src/scripts] % svn co svn+ssh://svnusers@svn.int.unixathome.org/scripts
```
Links for shell scripts
```
cd
ln -s /Users/dvl/src/scripts/zshrc .zshrc
ln -s /Users/dvl/src/scripts/bash_profile .bash_profile
ln -s .bash_profile .bashrc
cd ~/.ssh
ln -s /Users/dvl/src/scripts/ssh-config config
```
So far, that’s it
So far, that seems to be everything.