Sections here are really just placeholders with enough information to get started on building actual articles...

rDNS

This is gonna get interesting...

What does it take to make rDNS work from outside the network?

Local Mail Service

(This will depend on whether rDNS works out...)

Better Permissions Handling

Proven on:

12 (bookworm)

• sudo apt install acl
• sudo mkdir /FOOBAR
• sudo chown -R :users /FOOBAR
• sudo chmod -R g+ws /FOOBAR
• sudo setfacl -R -m g:users:rwx /FOOBAR

Now, the directory /FOOBAR is writeable by anyone in the users group.

Do keep in mind that users is a default group that all accounts are a member of. You could also create specific groups and add each user to specific groups for finer granularity.

Some Links

• Wikipedia : setuid
• Wikipedia : Access-control list
• StackExchange : Getting new files to inherit group permissions on Linux
• StackExchange : Using setfacl to create recursive permissions for Apache with rsync

Linux USERs and GROUPs

Eventually to be an article about how granular access control works on Linux...

Development Testing for a Backup Server

Proven on:

12 (bookworm)

This will eventually be fully fleshed out as instructions for building proper backup servers on separate machines including off-site backups.

Currently testing on a pair of LXCs, both configured as priveledged containers (tho this may not be needed).

Interesting side-quest: Apparently, unpriviledged containers do a bit of weirdness with bind-mount ownerships. There are instructions to work around this, but I have yet to work through this... For the moment, I'm using priviledged containers to work around it.

• VMID 999001: storage
• VMID 999002: backup

I've created a user named draal with specific responsibility for handling backups.(because remote access by root is stupid...)

draal has an equivalent account on ALL involved machines and is set up with ssh keys to avoid the use of password-based access.

On the PVE Server:

(setting up the storage for the test LXCs...)

• mkdir /mnt/Storage-0
• mkdir /mnt/Storage-1
• mount -L Storage-0 /mnt/Storage-0
• mount -L Storage-1 /mnt/Storage-1
• vi /etc/fstab

LABEL=Storage-0     /mnt/Storage-0    ext4   defaults 0 0
LABEL=Storage-1     /mnt/Storage-1    ext4   defaults 0 0

• pct set 999001 -mp0 /mnt/Storage-0,mp=/mnt/Storage # storage
• pct set 999002 -mp0 /mnt/Storage-1,mp=/mnt/Storage # backup

On "storage"

(logged in as draal)

• ssh-keygen
• ssh-copy-id draal@backup
• sudo apt install acl rsync
• sudo setfacl -R -m u:draal:rwx /mnt/Storage

On "backup"

(logged in as draal)

• ssh-keygen
• ssh-copy-id draal@storage
• sudo apt install acl rsync
• sudo setfacl -R -m u:draal:rwx /mnt/Storage

Testing rsync commands

In order to test things, I've basically dumped a copy of my Documents folder into /mnt/Storage on the storage LXC. This is around 25GB of incredibley mixed & sloppy crap varying from zero-length placeholders to USB binaries...

Everything from here on is done while logged in to storage as draal.

• cd /mnt/Storage
• rsync -Aaiz * backup:/mnt/Storage
  • copies all files to the backup machine
    • Took about 7 minutes... (measured by wrapping the command in a time command)
  • (& if you run it again, only copies NEW or CHANGED files)
    • Every change I made took substantially under 1 second...
• rsync -Aaiz --delete * backup:/mnt/Storage
  • Will actually synchronize. (i.e. It will DELETE any files from the destination that have been removed on the source.)
  • DANGER...DANGER...DANGER
    • This may NOT be exactly what you want to do in a backup situation.
    • (But it might... Your choice...)

Custom LXC Templates

• Create an LXC
  • My example is an NFS capable LXC with VMID 666...
• Configure it
  • Install your preferred standard set of apps & such...

From the PVE command line:

• remove the network interface
  • pct set 666 --delete net0
• Do a backup
  • Gonna need a bunch of available space (I mount a spare 2TB drive specifically for the purpose on the machine where I build these and cd to that drive before this step...)
  • vzdump 666 --mode stop --compress zstd --dumpdir .
• Rename the backup to a more useful name
  • mv vzdump-lxc-666-2025_02_04-14_19_43.tar.zst Deb-12-NFS.tar.zst
• Copy it to someplace you can access it from the PVE UI
  • Option 1: For direct Upload (Some oddities happen... More research needed)
    • scp Deb-12-NFS.tar.zst user@mydesktopmachine:~
  • Option 2: For Download from URL
    • scp Deb-12-NFS.tar.zst user@mywebserver:/var/www/html/LXCtemplates/

Now you can add it to your CT Templates storage on any PVE server you're working on.

Installing OpenVPN & PIA as a client on an LXC

(In actual fact... This set of steps is applicable to pretty much any Debian-derived system if you skip the first step...)

Edit the containers config file (On the PVE host)

Something you may have noticed if you've been playing about with LXCs for a bit... Sometimes, to do tricks, you have to jump through a hoop or two. This particular step is a good example.

Add these 2 lines to the containers configuration (Replace VMID with the actual VMID of the container you're working on, of course...)

• vi /etc/pve/lxc/VMID.conf
  • lxc.cgroup2.devices.allow: c 10:200 rwm
  • lxc.mount.entry: /dev/net dev/net none bind,create=dir

Reboot the container

install openvpn & the PIA files (On the LXC container)

• sudo apt install openvpn unzip whois
• sudo mkdir /etc/openvpn/PIA
• cd /etc/openvpn/PIA
• sudo wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
• sudo unzip openvpn.zip

Configure openvpn (On the LXC container)

• cd /etc/openvpn
  • Copy the exit point you like from inside PIA here & change the extension to .conf
    • sudo cp PIA/ukraine.ovpn ./ukraine.conf # an example...
  • Edit the .conf file and remove the <crl-verify> block. (For some reason PIAs CRL blocks are ALWAYS malformed...)
  • Add /etc/openvpn/auth.txt to the line: auth-user-pass
    • auth-user-pass /etc/openvpn/auth.txt # like this...
• sudo vi auth.txt
  • copy your PIA username & password into this file (on 2 lines...)
    • Bob
    • SecretSquirrel!
• sudo vi /etc/default/openvpn
  • uncomment the #AUTOSTART="all" line
• sudo service openvpn start

From this point on, accessing the internet from the LXC will go through your chosen PIA exit point.

It may take a moment or two to initialise fully. And, startup of the LXC may seems a little slow slow. But patience is a virtue...

Testing

• wget http://ipinfo.io/ip -qO -

Should give you an IP address that does NOT match your actual external IP

• whois `wget http://ipinfo.io/ip -qO -`

Will give you a wall-o-text. In that wall-o-text, you'll find the country code of where ipinfo.io thinks you are. (This, of course, should match your chosen exit point...)