Benoit/Website
Benoit/Website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

🚚 Move all pages to docs/

Browse source 
🔥 Also delete old pages
This commit is contained in:
Benoit S 2021-02-20 12:30:09 +09:00
parent eee1c30f6a
commit 1682796065
29 changed files with 0 additions and 2827 deletions
Download patch file Download diff file Expand all files Collapse all files

15
docs/Howtos/HowtoCentOS.md Normal file
View file

@ -0,0 +1,15 @@
# HowtoCentOS
Upgrade from 8 to Stream.
```
dnf install centos-release-stream && dnf update
```
Exclude path when unpacking package. Useful for unprivileged containers.
```
dnf reinstall --downloadonly filesystem
find /var/cache -iname "*filesy*"
rpm -ivh --excludepath=/proc --excludepath=/sys /var/cache/dnf/baseos-504ddb1bf3482a98/packages/filesystem-3.8-3.el8.x86_64.rpm
```

67
docs/Howtos/HowtoCrackWPA.md Normal file
View file

@ -0,0 +1,67 @@
# Monitor mode
For my RTL8188EUS:
```
ip link set wlanX down
iw dev wlanX set type monitor
```
# Scan networks
All channels:
```
airodump-ng wlanX
```
Specific channel:
```
airodump-ng -c 6 wlanX
```
# Save a capture of chosen BSSID
```
airodump-ng -c 6 --bssid 00:23:B1:82:08:xx -w <filename> wlanX
```
You need to wait for a client to connect, or to deauth it and get the 4-way handshake.
```
aireplay-ng -0 1 -a 00:23:B1:82:0C:xx -c D0:37:45:2F:52:xx wlanX
```
`-a` is access point
`-c` is client
Then you should have an EAPOL/WPA handshake.
# Crack WPA passphrase
## For a 8 digits scheme
```
crunch 8 8 0123456789 -s 00000000 | aircrack-ng -w - -b 00:23:B1:82:08:xx <filename>.cap
```
# Wireshark
PSK Generator: <https://www.wireshark.org/tools/wpa-psk.html>
## PMKID method
```
hcxdumptool -i wlanX -o PMKID --enable_status=1
```
TODO...
## WPS method
AP must have WPS enabled with a PIN. Not PBC, push button.
```
reaver -i wlanX -b 00:23:B1:82:84:xx
```
## Resources
<https://github.com/ZerBea/hcxdumptool>
<https://github.com/ZerBea/hcxtools>
<https://wpa-sec.stanev.org/>

17
docs/Howtos/HowtoEncoding.md Normal file
View file

@ -0,0 +1,17 @@
# Convert
# MKV to WebM
~~~
$ ffmpeg -i input.mkv -c:v libvpx -qmin 0 -qmax 50 -crf 10 -b:v 2M -c:a libvorbis output.webm
~~~
# Recording Screen
## Within a specified zone
```
avconv -threads auto -f pulse -i bluez_sink.0C_E0_E4_81_2F_C1.monitor -ac 2 -f pulse -i alsa_input.usb-BLUE_MICROPHONE_Blue_Snowball_201306-00-Snowball.analog-mono -ac 1 -f x11grab -show_region 1 -s 1024x768 -i :0.0+112,111 -c:v libvpx -pre:v libvpx-720p -vsync cfr -r 15 -c:a libvorbis -q:a 6 -filter_complex amix=inputs=2 output.webm
```
With sound from microphone and monitor of input.

64
docs/Howtos/HowtoGPG.md Normal file
View file

@ -0,0 +1,64 @@
# HowtoGPG
## Some commands:
```
gpg --card-status
gpg --export-ssh-key keyID
gpg --armor --export keyID > pubkey.asc
```
## Use Nitrokey from new system:
```
gpg --import pubkey.asc
gpg --card-status
```
## Use GPG Agent as SSH Agent
```
vim .gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-qt
systemctl --user enable --now /usr/lib/systemd/user/gpg-agent*
vim .bashrc
export SSH_AUTH_SOCK="/run/user/$(id -u)/gnupg/S.gpg-agent.ssh"
```
## Export your public key to your web server:
```
$ mkdir openpgpkey
$ gpg --list-options show-only-fpr-mbox -k keyID | /usr/lib/gnupg/gpg-wks-client -v --install-key
```
Then publish to your web server. https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/
My public key is available via: <https://openpgpkey.benpro.fr/.well-known/openpgpkey/benpro.fr/hu/7ue9nu5hdtshxjynnn6haqyohye8716e>
## Get public keys
### From WKD
WKD mean Web Key Directory. Interesting website: <https://metacode.biz/openpgp/web-key-directory>
```
gpg --locate-key user@example.com
```
### From keyserver
#### With keys.openpgp.org
```
echo keyserver hkps://keys.openpgp.org >> ~/.gnupg/gpg.conf
gpg --auto-key-locate keyserver --locate-keys user@example.com
```
#### With sks-keyservers.net
```
gpg --keyserver pool.sks-keyservers.net --recv-keys keyID
```

84
docs/Howtos/HowtoLXD.md Normal file
View file

@ -0,0 +1,84 @@
Some commands:
```
lxc image alias list images:
lxc info <name>
lxc config edit <name>
lxc config sonw <name>
lxc exec <name> bash
lxc config set <name> limits.memory 512MB
lxc config set <name> limits.cpu 2
lxc config device set <name> root size 20GB
lxc launch images:debian/stretch/amd64 <name>
lxc config set <name> environment.LC_ALL=en_US.UTF-8
lxc list
lxc storage volume list <storagename>
# mode privileged
lxc launch ubuntu:16.04 test -c security.privileged=true -c security.nesting=true
lxc config device add test ssh proxy listen=tcp:0.0.0.0:2222 connect=tcp:127.0.0.1:22
# Create a backups volume in the local (default) pool (ZFS) and use it for backups
lxc storage volume create local backups
lxc config set storage.backups_volume local/backups
# Create a images volume in the local (default) pool (ZFS) and use it for images (containers images downloaded)
lxc storage volume create local images
lxc config set storage.images_volume local/images
lxc config device add $containerName $deviceName disk source=/home/foo path=/home/foo
```
Chemins :
Normal : /var/lib/lxd/
Snap : /var/snap/lxd/common/lxd/
Paquets à installer pour se sentir à l'aise sur une Debian ou Ubuntu
```
vim logrotate
etckeeper
iputils-ping
dnsutils
```
N'est plus nécessaire sur les images récentes :
```
# systemctl disable getty@tty{1..4}
# reboot
```
- Activer journald
- Mettre le bon hostname
- Installer postfix
Paquets à installer pour se sentir à l'aise sur une Alpine
```
etckeeper
vim
```
```
sed -i 's/^tty/# tty/g' /etc/inittab
# clean messages
rm /var/log/messages
```
Nginx :
```
set_real_ip_from W.X.Y.Z;
#real_ip_recursive on;
real_ip_header X-Forwarded-For;
log_format custom '$http_x_forwarded_for - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log custom;
```
Aller dans le namespace de LXD (snap0 pour faire des actions genre mount/umount :
```
# nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
```

8
docs/Howtos/HowtoMacOS.md Normal file
View file

@ -0,0 +1,8 @@
## Tips
Thermal info:
```
sudo powermetrics s thermal
sudo powermetrics -s thermal | grep -A2 -i thermal
```

204
docs/Howtos/HowtoSecureMailServer.md Normal file
View file

@ -0,0 +1,204 @@
---
title: Howto Serveur de mail sécurisé avec Mailcow et Scaleway
categories: sysadmin mail
---
# Intro
Ce Howto explique comment monter un serveur de mail sécurisé en utilisant [Mailcow](https://github.com/andryyy/mailcow) et un serveur virtuel chez [Scaleway](https://www.scaleway.com/). L'introduction est à lire sur mon [blog](https://www.lekernelpanique.fr/2017/03/05/votre-propre-serveur-de-mail-securise-pour-3emois/).
La première étape consiste évidement à créer l'instance sur la console de Scaleway en choisissant Debian 8 en OS.
> **Note**: Il est important d'utiliser le noyau Scaleway `x86_64 4.8.14 std #2 (latest)` dans les paramètres avancés, section « bootscript ». Sinon vous n'aurez pas les modules noyau liés au chiffrement. Il vous faudra redémarrer pour appliquer le changement de noyau.
# Mise à jour
L'image Debian de Scaleway n'étant pas « buildé » tous les jours, il se peut qu'il y ait quelques mises à jour à faire. On fait donc une upgrade.
```
# apt update
# apt upgrade
```
# Création du volume /var chiffré
Ce volume accueillera vos mails et journaux systèmes. Il est donc intéressant de le chiffrer. Malheureusement, l'image Scaleway fournit un disque non partitionné. L'`initrd` cherche à amorcer le volume root directement sur `/dev/vda`… On va donc créer un fichier image, puis le chiffrer avec `cryptsetup`. Un `/var` de 35G devrait suffire.
Création du fichier image et montage sur `/dev/loop0`.
```
# dd if=/dev/zero of=/var.img bs=1M count=35000
# chmod 600 /var.img
# losetup /dev/loop0 /var.img
```
On en profite pour aussi créer une swap de 1G tant qu'à faire.
```
# dd if=/dev/zero of=/swapfile.img bs=1M count=1000
# chmod 600 /swapfile.img
# mkswap -LSWAP
# echo "/swapfile.img none swap sw 0 0" >> /etc/fstab
```
On chiffre le volume en LUKS avec `cryptsetup`. Choisissez une passphrase, vous aller devoir la taper à chaque démarrage dans la console de Scaleway. Pas très souvent si tout est stable ! :-)
```
# apt install cryptsetup
# cryptsetup luksFormat --hash sha256 --key-size=512 /dev/loop0
# cryptsetup luksOpen /dev/loop0 crypted-var
```
On formate le tout en EXT4, on monte le volume, on stoppe les services qui utilisent actuellement `/var` et on rsync le tout.
```
# mkfs.ext4 -LVAR /dev/mapper/crypted-var
# mount /dev/mapper/crypted-var /mnt/
# for pid in $(lsof | grep /var | tr -s '\t' ' ' | cut -d' ' -f2 | sort | uniq | grep -v "^1$"); do kill $pid; done
# rsync -avh --progress /var/ /mnt/
# rm -rf /var/*
# umount /mnt
```
On indique le volume chiffré dans `crypttab` et le point de montage dans `fstab` puis on reboot. Préparez-vous à aller taper votre passphrase dans la console Scaleway !
> **Note** : On désactive `unattended-upgrades` qui va planter l'arrêt à cause du /var qui n'existe plus.
```
# echo "crypted-var /var.img none luks" >> /etc/crypttab
# echo "/dev/mapper/crypted-var /var ext4 defaults 0 2" >> /etc/fstab
# systemctl disable unattended-upgrades.service
# reboot
```
Ta-daa ! On a notre `/var` chiffré.
```
root@scw-049d84:~# df -h /var
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/crypted-var 35G 687M 33G 3% /var
```
# Installation de Mailcow
## Pré-requis
Il vous faut un nom de domaine ! Il faudra choisir quel FQDN utiliser, le plus classique étant `mail.domain.tld`.
Au niveau de vos entrées DNS, il vous faudra un champ A et un MX. Plus de détails sur le [README](https://github.com/andryyy/mailcow#before-you-begin-prerequisites).
On supprime exim4, car Mailcow utilise postfix.
```
# apt purge exim4 exim4-base exim4-config exim4-daemon-light
```
## Installation
Puis on télécharge le script d'installation, on édite la configuration et on lance l'installation.
```
# wget -O - https://github.com/andryyy/mailcow/archive/v0.14.tar.gz | tar xfz -
# cd mailcow-0.14
# vim mailcow.config
```
> **Note** : Le webmail par défaut est Roundcube. Si vous allez utiliser un smartphone avec synchronisation des contacts et agenda, choisissez plutôt SOGo dans le fichier de config.
Laissez-vous guider par le script d'installation.
```
# ./install.sh
```
Voilà, c'est fini ! Il vous reste à créer votre premier compte mail via l'interface d'admin.
Si vous avez des questions ou besoin d'aide, n'hésitez pas à ouvrir un ticket (an Anglais !) [ici](https://github.com/andryyy/mailcow/issues). Sinon demandez-moi sur [Twitter](https://twitter.com/benpro82) ou par [mail](mailto:benoit[arobase]benpro.fr).
# Bonus : Certificat client X.509
L'idée est de restreindre l'accès aux services web (webmail et admin), et mail (IMAPS) via un certificat client X.509. Sans ce certificat, impossible d'accéder à quoi que ce soit !
> **Note** : Cela ne remplace pas le certificat Let's Encrypt utilisé par Mailcow. On demande juste que le client présente un certificat émis par notre CA.
Pour cela il faut mettre en place une `PKI` et émettre un certificat client. J'utilise l'outil [shellPKI](https://wiki.evolix.org/HowtoOpenVPN#mise-en-place-dune-pki-avec-shellpki-openbsd-et-debian) pour ça.
## ShellPKI
```
# cd /usr/local
# git clone https://forge.evolix.org/shellpki.git
# cd shellpki
# install -d -m 700 /etc/shellpki /etc/ssl/clients
# sed -i 's#/etc/openvpn/ssl#/etc/shellpki#g' openssl.cnf
# install -m 600 openssl.cnf /etc/shellpki/
# sed -i -e 's#PREFIX=.*#PREFIX=/etc/shellpki#' -e 's#WWWDIR=.*#WWWDIR=/etc/ssl/clients#' shellpki.sh
```
Éditer `/etc/shellpki/openssl.cnf` et initialiser shellPKI. Le plus important est de remplir le « Common Name », par exemple `Myname Root Certificate`.
```
# vim /etc/shellpki/openssl.cnf
# ./shellpki.sh init
```
On génère un certificat client (sans passphrase), soit un utilisateur par exemple. Il faudra choisir un « Common Name » du type `user@domain.tld`.
```
# ./shellpki.sh create
```
Puis on le convertit au format `PKCS#12` avec une passphrase d'export. Cette passphrase sera demandé à l'import dans un navigateur ou smartphone par exemple.
```
# cd /etc/ssl/clients
# openssl pkcs12 -export -in user@mail.domain.tld.crt -inkey user@mail.domain.tld.key -out user@mail.domain.tld.p12
```
Il faudra importer ce certificat client dans les navigateurs et dans diverses applications (Thunderbird, Exchange/GMail sous Android, K9-Mail…).
La dernière étape consiste à dire à dovecot et nginx qu'il est nécessaire de présenter un certificat client.
## Nginx
```
ssl_client_certificate /etc/shellpki/ca/cacert.pem;
ssl_verify_client on;
```
```
# systemctl restart nginx
```
## Dovecot
> **Note** : Attention, si vous avez un webmail qui se connecte en local, imap non chiffré, l'activation de `auth_ssl_require_client_cert`, va imposer d'utiliser un certificat… Cassant votre webmail. Il n'y a pas à ce jour la possibilité d'activer `auth_ssl_require_client_cert` seulement pour imaps… Si vous utilisez un webmail, n'activez pas ceci sur dovecot.
```
# Client certificate
ssl_ca = </etc/shellpki/ca/cacert.pem
ssl_verify_client_cert = yes
ssl_cert_username_field = commonName
protocol !smtp {
auth_ssl_require_client_cert = yes
auth_ssl_username_from_cert = yes
auth_mechanisms = external
}
```
```
# systemctl restart dovecot.service
```
Vous devez maintenant faire le nécessaire côté client (Thunderbird, K9-Mail…)
# Autres actions
Voici une liste de tâches non exhaustives à faire de votre côté que je ne documente pas, non obligatoire mais conseillé…
- Monter un serveur de MX secondaire ;
- Activer un pare-feu sur votre machine, par exemple `ufw` ;
- Monitorer votre serveur ;
- S'assurer du suivi des mises à jour ;
- Faire des sauvegardes.

237
docs/Howtos/HowtoSysadmin.md Normal file
View file

@ -0,0 +1,237 @@
Get Github or Gitlab user key:
```
curl https://github.com/<username>.keys
curl https://gitlab.com/<username>.keys
```
Enter a namespace, for example LXD (which is in a NS by Snap).
```
nsenter -t $(cat /var/snap/lxd/common/lxd.pid) -m
```
SSH into a machine without checking host key. Useful when servers are in a rescue mode.
~~~
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -o "GlobalKnownHostsFile=/dev/null"
~~~
Certbot manual example.
~~~
certbot certonly --non-interactive --webroot --webroot-path /var/www/html/ -d foo.bar -d www.foo.bar
~~~
GPG-agent list SSH key and remove.
~~~
gpg-connect-agent
KEYINFO --ssh-list --ssh-fpr
DELETE_KEY $HASH
~~~
Show md5 fingerprint of SSH key.
~~~
ssh-keygen -l -E md5 -f .ssh/key.pub
~~~
Password recovery. At grub stage, press `e` to edit the kernel line and add `init=/bin/bash`. It will drop you in a shell before init system (systemd).
~~~
mount -o remount,rw /
passwd
~~~
Mount partitions on an image file using losetup.
~~~
losetup -P -f --show my.img
~~~
List all software installed from particular component (non-free, contrib)
~~~
$ dpkg-query -W -f='${Section}\t${Package}\n' | grep ^non-free
~~~
Manually rotate a file without logrotate, with savelog(8).
~~~
$ savelog
~~~
What processes uses swap?
~~~
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | sort -k 2 -n -r | less
~~~
MySQL "fast" shutdown.
~~~
> set global innodb_max_dirty_pages_pct = 0;
$ mysqladmin ext -i10 | grep dirty
~~~
mkfs.ext4 for old systems in rescue mode (Debian Wheezy, …).
~~~
mkfs.ext4 -O ^64bit,^metadata_csum
~~~
Send a mail from queue.
```
postcat -q ID > mail
< mail sendmail -f FROM TO
```
Python Simple HTTP Server (useful for Munin for example).
```
cd /var/cache/munin/www
python -m SimpleHTTPServer 8080
```
Show custom certs (not a link) and expiration in `/etc/ssl/certs`.
```
find /etc/ssl/certs/ -type f -print -exec openssl x509 -text -in {} \; | grep --color=auto -e etc -e CN= -e DNS: -e After;
```
Edit Bind DNS serial (needs modifications, not generic).
```
sed -ri 's/^\s*[0-9]+\s*; serial/\t\t\t 2017041010\t ; serial/' db.*
```
After Debian/Ubuntu upgrade, merge local config files according to config files shipped in packages.
```
for file in $(find /etc -iname '*.dpkg-dist'); do vimdiff ${file%%.dpkg-dist} $file; rm $file; done
for file in $(find /etc -iname '*.dpkg-old'); do vimdiff ${file%%.dpkg-old} $file; rm $file; done
for file in $(find /etc -iname '*.dpkg-new'); do vimdiff ${file%%.dpkg-new} $file; rm $file; done
for file in $(find /etc -iname '*.ucf-dist'); do vimdiff ${file%%.ucf-dist} $file; rm $file; done
for file in $(find /etc -iname '*.ucf-old'); do vimdiff ${file%%.ucf-old} $file; rm $file; done
for file in $(find /etc -iname '*.ucf-new'); do vimdiff ${file%%.ucf-new} $file; rm $file; done
```
Debug php with strace and php-cgi (especially useful for wp multisites).
```
HTTP_HOST=www.site.com SCRIPT_FILENAME=index.php REDIRECT_STATUS=CGI SERVER_NAME=www.site.com strace -s 65535 -o /tmp/strace php-cgi -f index.php
```
```ps``` with long user fields (here 20).
```
ps axo user:20,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,comm
```
WTF is happening in apache (or other)? Let's strace all apache processes.
```
# strace -p $(ps auwwwx | grep apache | tr -s '\t' ' ' | cut -d' ' -f2 | tr '\n' ' ' | sed 's/ / -p /g') 9999
```
WTF is happening? Let's tail all logs.
```
# tail -f $(lsof | grep -F .log | tr -s '\t' ' ' | cut -d' ' -f10 | sort | uniq | tr -s '\n' ' ')
```
Search for suspects POST in apache.log (often attacks).
```{.bash}
grep -Eo '"POST .*.php' access.log | grep -ve cron -e login -e admin -e xmlrpc -e trackback -e comment -e 404 | sort -u
```
Check for crashed MySQL table in syslog and launch a repair.
```{.bash}
#!/bin/bash
tables=$(grep crashed /var/log/syslog | grep -Eo \'\./.*\' --color=auto | sed s#\'./## | sed s#\'## | uniq | tr -s '\n' ' ')
for tableC in $tables; do
db=${tableC%/*}
table=${tableC#*/}
mysqlcheck --auto-repair --check $db $table
done
```
Get the groups of an user and add another user into these groups.
```{.bash}
for group in $(grep user1 /etc/group | cut -d':' -f1 | sed '/user1/d'); do adduser user2 $group; done
```
Get the last acceded URLs in Squid Access list.
```{.bash}
tail -n100 /var/log/squid3/access.log | grep -oE 'http.*' | cut -d ' ' -f1 | sort | uniq
```
Migrate MySQL users.
```{.bash}
# SRC Server
mysql mysql -e "select * from user WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_user';"
mysql mysql -e "select * from db WHERE USER='user1' OR USER='user2' INTO OUTFILE '/tmp/mysql_db';"
# DST Server
scp server:/tmp/mysql_{db,user} /tmp
chmod 664 /tmp/mysql_{db,user}
mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_user' INTO TABLE user;"
mysql mysql -e "LOAD DATA INFILE '/tmp/mysql_db' INTO TABLE db;"
```
Find userid of mails in mailq.
```{.bash}
for i in $(mailq | grep -Eo [A-F0-9]{10} | tr -s '\n' ' '); do postcat -q $i | grep userid | grep -Eo "[0-9]{4,}" >> tmp/userid; done
sort -n /tmp/userid | uniq
```
Kill every MySQL SELECT older than X seconds Original: https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
```{.bash}
#!/bin/bash
# From https://anothersysadmin.wordpress.com/2008/10/29/kill-every-mysql-select-older-than-x-seconds/
SEC=$1
IFS='|'
if [[ $SEC -lt 1 ]]; then
echo "Usage: $0 SECONDS"
exit 1
fi
mysqladmin proc -v|grep Query|grep -Evi "delete|update|insert|alter table" |while read dummy qid qusr qhost qdb qstat qsec qstat2 query; do
if [ $qsec -gt $SEC ]; then
echo "Killing query $qid..."
mysqladmin kill $qid
fi
done
```
List of contacts when sending a mail for technical purpose on a domain which doesn't announce their technical contacts in a whois.
```
abuse@<domain>, admin@<domain>, administrator@<domain>, contact@<domain>, info@<domain>, postmaster@<domain>, support@<domain>, webmaster@<domain>
```
itk change rights.
```{.bash}
find /tmp/ -user www-user.old -exec chown www-user:user {} \;
find /tmp/ -user user.old -exec chown user:user {} \;
* Détecter les fichiers non lisibles par Apache (lecture sur le groupe) : find ./ -type f ! -perm /g=r -exec ls -l {} \;
* Détecter les répertoires non lisibles par Apache (lecture/exécution sur le groupe) : find ./ -type d \( ! -perm /g=r -o ! -perm /g=x \) -exec ls -ld {} \;
* Détecter les fichiers/répertoires accessibles en écriture par Apache (écriture sur le groupe) : find ./ -perm /g=w
* Détecter les fichiers/répertoires accessibles en écriture par tous : find ./ -perm -007 -o -type f -perm -006
```
Get useradd command for migrating account.
```{.bash}
for i in user1 user2 user3...; do echo -n 'useradd -m -s /bin/bash -u '$(grep -E "^$i" /etc/passwd | cut -d':' -f3) && echo -en ' -p' \'$(grep -E "^$i" /etc/shadow | cut -d ':' -f2)\' $i '\n'; done
Output :
useradd -m -s /bin/bash -u USERID -p 'USERPWD' username
```
Find files newert than (mtime) a precise date, and execute an action.
```{.bash}
find . ! -newermt '2012-09-19 11:40:00' -exec cp {} /tmp/mails \;
```

27
docs/Howtos/HowtoZFS.md Normal file
View file

@ -0,0 +1,27 @@
Some commands:
```
apt install zfsutils-linux
zpool create local /dev/xxx
zpool list
zfs create local/home
zfs list
zfs set compression=lz4 local/home
zfs get compression
zfs get compressratio local/home
zfs set dedup=on local/home
zpool get dedupratio local
zfs set mountpoint=/home local/home
apt install nfs-kernel-server nfs-common
systemctl enable --now rpc-statd.service nfs-server.service
zfs set sharenfs="rw=@10.0.1.0/24" local/home
zfs share local/home
zfs get sharenfs
# Import pool after boot/cryptsetup Open
zpool import local
zfs snapshot local/containers/archive@backup
zfs list -t snapshot
zfs send local/containers/archive@backup | ssh zfs@10.0.1.1 sudo zfs recv local/lxd00/containers/archive
zfs destroy local/containers/archive@backup
zfs clone local/containers/archive@backup local/containers/archive-clone
```