Commit d74dc5

2026-05-25 16:19:25 Wiki Migration: Migrate pages from Wiki.js: immich guide, windows, wireguard, inventory
/dev/null .. crunchbits/immich guide.md
@@ 0,0 1,152 @@
+ # Immich Guide
+
+ In an age where we take pictures of everything and use digital media as a path to look back at memories, Have you ever thought how to safeguard those memories?
+
+ Immich is an awesome project that makes it easy to both access, modify, sort and backup your photos and videos. With syncing features and apps available for just every platform you can think of, it is the perfect alternative to google photos.
+
+ ### Buying a VPS
+ Buy a VPS and install it with Ubuntu 22.04 as this guide follows Ubuntu 22.04.
+
+ Login to your VPS via SSH and make sure you're under the `root` user.
+
+ ### Installing required packages
+
+ First we'll start by installing some required packages.
+ ```bash
+ apt update && apt upgrade -y && apt install -y curl nginx certbot python3-certbot-nginx
+ ```
+
+ Next, we can install docker and enable its systemd unit file.
+ ```bash
+ curl -sSL https://get.docker.com/ | CHANNEL=stable bash
+ ```
+ ```bash
+ systemctl enable --now docker
+ ```
+
+ We have now installed all required packages to run immich.
+
+ ### Initial Configuration
+
+ Let's start by creating a dedicated directory for immich and its files. In this guide, we'll be creating it under `/home`.
+
+ ```bash
+ mkdir /home/immich-app
+ ```
+
+ Now, We can go to the file and get the docker-compose and the needed `.env` file.
+ ```bash
+ cd /home/immich-app && wget -O docker-compose.yml https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml && wget -O .env https://github.com/immich-app/immich/releases/latest/download/example.env
+ ```
+
+ Now we have all the files we'll need to configure and run immich.
+
+ ### Configuring Immich Server
+
+ We will now need to do the following things.
+ 1. Set the Database password to secure our install. (You may only use `A-Za-z0-9`)
+ 2. Change the timezone. All timezones can be found here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+
+ Start by opening the `.env` file.
+ ```bash
+ nano .env
+ ```
+
+ Now, It should look like this:
+ ```
+ # You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+
+ # The location where your uploaded files are stored
+ UPLOAD_LOCATION=./library
+ # The location where your database files are stored
+ DB_DATA_LOCATION=./postgres
+
+ # To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+ # TZ=Etc/UTC
+
+ # The Immich version to use. You can pin this to a specific version like "v1.71.0"
+ IMMICH_VERSION=release
+
+ # Connection secret for postgres. You should change it to a random password
+ # Please use only the characters `A-Za-z0-9`, without special characters or spaces
+ DB_PASSWORD=postgres
+
+ # The values below this line do not need to be changed
+ ###################################################################################
+ ```
+
+ We will be changing the `TZ` and `DB_PASSWORD`.
+
+ Uncomment the TZ line and state your timezone. It should look like this:
+
+ ```
+ TZ=Asia/Kolkata
+ ```
+
+ Then, Modify the `DB_PASSWORD` and set a strong password. It should look like this.
+
+ ```
+ DB_PASSWORD=Th1s1sarand0mpa55w0rd
+ ```
+
+ Now that this is done, You can press `Ctrl` + `X` on your keyboard, Then press `Enter`, Then press `Y` to exit.
+
+ ### Starting Immich
+
+ ```
+ docker compose up -d
+ ```
+
+ Now our immich server is deployed.
+
+ ### Configuring nginx
+
+ Before we continue, Make sure you have a domain that is pointed to the server's IP. For this guide, we'll use immich.crunchbits.net.
+
+ Let's create a new config file for nginx.
+
+ ```bash
+ nano /etc/nginx/conf.d/immich.conf
+ ```
+
+ An empty file should open, Paste the following here:
+
+ ```
+ server {
+ listen 80;
+ server_name immich.crunchbits.net;
+
+ location / {
+
+ proxy_pass http://localhost:2283;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ }
+ ```
+
+ Change `immich.crunchbits.net` with the domain you pointed to the server.
+
+ Now, we can restart nginx to apply the changes.
+ ```bash
+ nginx -s reload
+ ```
+
+ ### Securing immich with SSL
+
+ We can now generate a free SSL certificate from Let's Encrypt and secure our immich server.
+
+ ```bash
+ certbot --nginx
+ ```
+
+ Follow what it says on-screen and voila! Our immich is ready!
+
+ Now open the website on your browser and create your account.
+
+ > Note: The first user is always created as the admin user.
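Review bot: The Docker install step under "Installing required packages" runs a remotely fetched script directly in a root shell (`curl -sSL https://get.docker.com/ | CHANNEL=stable bash`), since the guide has the reader logged in as `root` throughout. Suggest downloading the script to a file, reading it, and then running it, or installing Docker from a package repository. The same reproducibility concern applies to the `releases/latest` download URLs and `IMMICH_VERSION=release`: the `.env` comment already says the version can be pinned, so the guide should pin one and state which version it was written against. Two smaller points: the literal `DB_PASSWORD=Th1s1sarand0mpa55w0rd` is likely to be copied verbatim, so the guide should tell the reader to generate their own random `A-Za-z0-9` value, and the nano exit sequence is `Ctrl` + `X`, then `Y`, then `Enter`, not the order given.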
/dev/null .. internal/inventory.md
@@ 0,0 1,30 @@
+ # Inventory
+
+ ## Home
+
+ List of home servers:
+ - PVE1-H (192.168.0.9)
+ - PVE2-H (192.168.0.16)
+ - PVE-PREM (192.168.0.15)
+
+ > All servers run Proxmox 8.
+
+ ---
+
+ ### PVE1-H
+
+ Small Dell WYSE Thin Client:
+ - AMD G-T48E (2C/2T @ 1.4Ghz)
+ - 4GB RAM — *Unknown DDR/Speed Specification*
+ - 128GB Samsung SSD
+
+ **Use-case:** Mostly for lightweight workloads but reliable ops like DNS for home, reverse proxies etc.
+
+ **Current Inventory:**
+
+ | Service Name | Service Type | Port | Domains | Hosting | Remarks |
+ |---|---|---|---|---|---|
+ | Nginx-DNS-Block-Page | Core (Always-on) | 443/80 (also portforwarded to home static IP) | **Reverse Proxy:** vault.sen.li, paperless.sen.li, ha.typicalgta.com, cloud.typicalgta.com, scan.home.lan — **Hosting:** home.sen.li, home.typicalgta.com, home.arpan.ovh | Reverse-Proxy @ Home — IP: 192.168.0.11 | Very Important for home IT OPS to work. |
+ | monitor | Secondary | 80 | None | Bandwidth Monitoring — IP: 192.168.0.110 | Simple PHP App running on Apache that collects data every min and displays it on dashboard accurately. Keeps track of total home bandwidth usage with historical data. |
+ | technitiumdns | Core | 53/5380 | **Authoritative:** home.lan, *.home.lan — **Rewrites:** cloud.typicalgta.com, ha.typicalgta.com, cloud.tunnel.arpan.ovh, paperless.sen.li, vault.sen.li, home.typicalgta.com | DNS Authoritative/Recursive — IP: 192.168.0.25 | Serves as main DNS server for home. Rewrites domains to local IPs and hosts local authoritative records. Also does DNS-level blocking as recursive. |
+ | homebridge | Deprecated | N/A | N/A | homebridge project app — IP: 192.168.0.14 | Used to be for homebridge before Home Assistant. To be deleted soon. |
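Review bot: The "Current Inventory" table pairs internal addresses (192.168.0.11, 192.168.0.25, 192.168.0.110) with public domain names and states that 443/80 are port-forwarded to the home static IP, so this file documents the externally reachable surface of the home network. Confirm that the `internal/` path is access-restricted in the new wiki before this lands; if it is not, move the file or trim the address detail. The `homebridge` row is marked Deprecated and "To be deleted soon" with no owner or date, and `monitor` is listed on port 80 only; a removal date for the first and a remark on whether the second is reachable beyond the LAN would make the table actionable.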
/dev/null .. internal/windows.md
@@ 0,0 1,10 @@
+ # Windows
+
+ ### Windows Licenses
+ Activate Windows for free from GVLK license.
+ ```
+ cscript slmgr.vbs /upk
+ cscript slmgr.vbs /ipk [LICENSE_KEY]
+ cscript slmgr.vbs /skms 149.56.31.14:1688
+ cscript slmgr.vbs /ato
+ ```
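Review bot: The `/skms 149.56.31.14:1688` line points activation at a hard-coded public IP address, and the page does not say who operates that KMS host or under what licence it may be used. Suggest replacing it with the organisation's own KMS host name, or documenting the owner and the licensing basis next to the command. The block also starts with `/upk`, which uninstalls the current product key, so the page should say that before the reader runs it on a machine that is already activated.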
/dev/null .. internal/wireguard hub-spoke guide.md
@@ 0,0 1,172 @@
+ # WireGuard Hub-and-Spoke VPN Setup Guide
+
+ A step-by-step guide to creating a secure VPN with a central hub and multiple spokes.
+
+ ![Diagram](https://i.imgur.com/L4yYfJ9.png)
+
+ ---
+
+ ## Prerequisites
+
+ Before you start, gather the public IP addresses of all three virtual machines:
+ - **VM A Public IP:** `VM_A_PUBLIC_IP`
+ - **VM B Public IP:** `VM_B_PUBLIC_IP`
+ - **VM C Public IP:** `VM_C_PUBLIC_IP`
+
+ ---
+
+ ## Step 1: Install WireGuard on All Three VMs
+
+ **On Ubuntu / Debian:**
+ ```bash
+ sudo apt update
+ sudo apt install wireguard -y
+ ```
+
+ **On AlmaLinux / Rocky Linux / RHEL:**
+ ```bash
+ # Enable the EPEL repository
+ sudo dnf install epel-release -y
+
+ # Install WireGuard tools
+ sudo dnf install wireguard-tools -y
+ ```
+
+ ---
+
+ ## Step 2: Generate Keys on All Three VMs
+
+ Each VM needs its own unique pair of cryptographic keys. **Perform these commands on VM A, VM B, and VM C.**
+
+ ```bash
+ # Create a directory for the keys
+ mkdir -p ~/.wireguard
+ cd ~/.wireguard
+
+ # Generate the keys
+ wg genkey | tee privatekey | wg pubkey > publickey
+
+ # Secure the private key file
+ chmod 600 privatekey
+
+ # View the keys so you can copy them
+ echo "--- PUBLIC KEY (Share this) ---"
+ cat publickey
+ echo "--- PRIVATE KEY (Keep this secret) ---"
+ cat privatekey
+ ```
+
+ > **Important:** Copy and paste each VM's public and private key into a text editor. Label them clearly (e.g., "VM A Public Key," "VM B Private Key") so you don't mix them up.
+
+ ---
+
+ ## Step 3: Configure the Hub (VM B)
+
+ This is the central server. It will listen for connections from VM A and VM C and forward their traffic.
+
+ **1. Enable IP Forwarding**
+ ```bash
+ # Enable forwarding now
+ sudo sysctl -w net.ipv4.ip_forward=1
+
+ # Make it permanent across reboots
+ echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
+ ```
+
+ **2. Create `/etc/wireguard/wg0.conf` on VM B**
+
+ > Replace `eth0` in the `PostUp`/`PostDown` lines with your VM's actual public network interface (find it with `ip a`).
+
+ ```ini
+ # /etc/wireguard/wg0.conf on VM B (The Hub)
+ [Interface]
+ # VM B's private key and tunnel IP
+ PrivateKey = <PASTE_VM_B_PRIVATE_KEY_HERE>
+ Address = 10.10.0.1/24
+ ListenPort = 51820
+
+ # Firewall rules to NAT traffic from peers to the internet
+ PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+ # --- Peer 1: VM A ---
+ [Peer]
+ # VM A's public key and assigned tunnel IP
+ PublicKey = <PASTE_VM_A_PUBLIC_KEY_HERE>
+ AllowedIPs = 10.10.0.2/32
+
+ # --- Peer 2: VM C ---
+ [Peer]
+ # VM C's public key and assigned tunnel IP
+ PublicKey = <PASTE_VM_C_PUBLIC_KEY_HERE>
+ AllowedIPs = 10.10.0.3/32
+ ```
+
+ ---
+
+ ## Step 4: Configure the Spokes (VM A & VM C)
+
+ **On VM A** — create `/etc/wireguard/wg0.conf`:
+ ```ini
+ # /etc/wireguard/wg0.conf on VM A (Spoke 1)
+ [Interface]
+ PrivateKey = <PASTE_VM_A_PRIVATE_KEY_HERE>
+ Address = 10.10.0.2/24
+
+ [Peer]
+ PublicKey = <PASTE_VM_B_PUBLIC_KEY_HERE>
+ Endpoint = <VM_B_PUBLIC_IP>:51820
+ AllowedIPs = 10.10.0.0/24, 93.184.216.34/32
+ PersistentKeepalive = 25
+ ```
+
+ **On VM C** — create `/etc/wireguard/wg0.conf`:
+ ```ini
+ # /etc/wireguard/wg0.conf on VM C (Spoke 2)
+ [Interface]
+ PrivateKey = <PASTE_VM_C_PRIVATE_KEY_HERE>
+ Address = 10.10.0.3/24
+
+ [Peer]
+ PublicKey = <PASTE_VM_B_PUBLIC_KEY_HERE>
+ Endpoint = <VM_B_PUBLIC_IP>:51820
+ AllowedIPs = 10.10.0.0/24, 93.184.216.34/32
+ PersistentKeepalive = 25
+ ```
+
+ ---
+
+ ## Step 5: Start the Tunnels
+
+ Bring the `wg0` interface up on all three machines:
+ ```bash
+ sudo wg-quick up wg0
+ ```
+
+ To make WireGuard start automatically on boot:
+ ```bash
+ sudo systemctl enable wg-quick@wg0
+ ```
+
+ ---
+
+ ## Step 6: Verification
+
+ **1. Check Tunnel Status**
+
+ On any VM, run `sudo wg`. You should see your interface details and the latest handshake information for your peers.
+
+ **2. Ping Across the Tunnel**
+ - From VM A, ping the hub: `ping 10.10.0.1`
+ - From VM A, ping VM C: `ping 10.10.0.3`
+ - From VM C, ping VM A: `ping 10.10.0.2`
+
+ **3. Test the Specific Route**
+
+ On VM A or VM C, use `traceroute` to see the path your traffic takes:
+ ```bash
+ # Install if needed: sudo apt install traceroute
+ traceroute example.com
+ ```
+
+ The **first hop** should be the hub's tunnel IP (`10.10.0.1`). This confirms traffic is correctly going through the VPN.
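Review bot: Step 2 prints the private key (`cat privatekey`) and the Important note tells the reader to paste each VM's private key into a text editor alongside the public keys; only public keys need to leave a machine, since each `wg0.conf` uses its own VM's private key. Suggest removing the private-key `echo`/`cat` lines and rewording the note to collect public keys only. In Step 3, `iptables -A FORWARD -i %i -j ACCEPT` and the `MASQUERADE` rule carry no source restriction; adding `-s 10.10.0.0/24` would limit forwarding and NAT to the tunnel subnet. In Step 4, `93.184.216.34/32` appears in both spokes' `AllowedIPs` without explanation, while Step 6 expects `traceroute example.com` to pass through `10.10.0.1`; the guide should say what that address is and how it relates to the traceroute target, so readers know to substitute their own destination.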