/etc/systemd/system - default location for system units
~/.config/systemd/user - default location for user units


Flags for operating on user units are given in []


A simple service unit


Description=example service



foobar.timer - A simple timer unit

Description=example timer

# run every 15 minutes (aligns to the hour)
# run timer immediately if script is enabled and is past due
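The service/timer pair the two comments above describe, written out as a complete user-unit install script. This is an added example, not the unit files from the original notes; the script path ~/bin/foobar.sh and the unit names foobar.service / foobar.timer are assumptions.

```shell
#!/bin/sh
# Added example: install and enable a user-level service + timer pair.
# Assumed: the job to run lives at ~/bin/foobar.sh (%h expands to $HOME in units).
UNIT_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"

# The unit that does the work. Type=oneshot: the timer fires it, it runs, it exits.
service_unit() {
cat <<'EOF'
[Unit]
Description=example service

[Service]
Type=oneshot
ExecStart=%h/bin/foobar.sh
EOF
}

# The timer that schedules foobar.service (same basename, so Unit= is implied).
timer_unit() {
cat <<'EOF'
[Unit]
Description=example timer

[Timer]
# run every 15 minutes (aligns to the hour)
OnCalendar=*:0/15
# run timer immediately if script is enabled and is past due
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Write both units, reload the user manager and start the timer (not the service).
install_units() {
  mkdir -p "$UNIT_DIR"
  service_unit > "$UNIT_DIR/foobar.service"
  timer_unit   > "$UNIT_DIR/foobar.timer"
  systemctl --user daemon-reload
  systemctl --user enable --now foobar.timer
  systemctl --user list-timers foobar.timer
}
```

Run install_units to install the pair; a user timer only fires while a session for that user exists, so use `loginctl enable-linger` if it must keep running after logout.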


Basic Arch Install

Generic Linux Install

Config examples

/etc/lxc/lxc.conf - set path for containers to be stored (default /var/lib/lxc)

/etc/lxc/default.conf - config options for all newly created containers to inherit

/etc/default/lxc-net* - it may be necessary to add /etc/lxc/dnsmasq.conf to the AppArmor profile (/etc/apparmor.d/*dnsmasq) with read privileges


iptables config

## Evan Widloski - 2016-11-11
# Diode iptables rules
#
# The host address, the LXC subnet and the ssh container target were missing from
# these notes; they are declared as variables here so the gaps are explicit.
HOST_OUT_DST=   # destination allowed for host outbound traffic (missing from the original, fill in)
LXC_NET=        # container subnet behind lxcbr0, in CIDR form (missing from the original, fill in)
SSH_TARGET=     # container address[:port] for the ssh DNAT (missing from the original, fill in)

# filter table: flush all chains, and delete all user added chains
iptables -F
iptables -X
# nat table: flush all chains, and delete all user added chains
iptables -t nat -F
iptables -t nat -X

# set default policies to DROP packets
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow inbound/outbound traffic on host
iptables -A OUTPUT -o enp6s0f0 -d "$HOST_OUT_DST" -j ACCEPT
iptables -A INPUT -i enp6s0f0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# set up chain for sshguard (sshguard inserts its block rules here; the jump must
# come before the ssh ACCEPT below so those rules are consulted first)
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard

# allow ssh
iptables -A INPUT -i enp6s0f0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o enp6s0f0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# allow mosh
iptables -A INPUT -i enp6s0f0 -p udp --dport 60000:61000 -j ACCEPT
iptables -A OUTPUT -o enp6s0f0 -p udp --sport 60000:61000 -j ACCEPT

# allow connections to varnish service
#iptables -A INPUT -i enp6s0f0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o enp6s0f0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# allow host to access LXC targets via network
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s "$LXC_NET" -j ACCEPT

# allow outbound traffic for lxc containers
iptables -A FORWARD -i lxcbr0 -j ACCEPT
iptables -t nat -A POSTROUTING -s "$LXC_NET" -j MASQUERADE

# after incoming packets have been NAT'ed (see below), allow them to pass through
# the forward chain to their intended LXC target
# note: no -i/-o here, so any routed packet is forwarded, not only DNAT'ed ones;
# add -o lxcbr0 if only container-bound traffic should pass
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

##------------ evan --------------
## ssh
iptables -t nat -A PREROUTING -p tcp --dport 20022 -j DNAT --to-destination "$SSH_TARGET"
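An added check, not part of the original notes: three audits of the properties the ruleset above relies on, run over a constructed iptables-save dump (a sample made for this example, not a capture from the host). In practice feed them the output of `iptables-save`.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output; the FORWARD policy and the
# interface-less FORWARD rule are there to show what each check reports.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:sshguard - [0:0]
-A INPUT -i enp6s0f0 -p tcp --dport 22 -j sshguard
-A INPUT -i enp6s0f0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Built-in filter chains whose default policy is not DROP (user chains show "-").
non_drop_policies() {
  printf '%s\n' "$1" | awk '
    /^\*/ { t = substr($0, 2) }
    t == "filter" && /^:/ && $2 != "DROP" && $2 != "-" { print substr($1, 2) }'
}

# Succeeds only if the jump to the sshguard chain precedes the port-22 ACCEPT,
# i.e. sshguard's block rules get a chance to match before the connection is allowed.
sshguard_before_accept() {
  printf '%s\n' "$1" | awk '
    /^-A INPUT / && /--dport 22 / && /-j sshguard/ && !g { g = NR }
    /^-A INPUT / && /--dport 22 / && /-j ACCEPT/  && !a { a = NR }
    END { exit !(g && a && g < a) }'
}

# FORWARD ACCEPT rules naming neither an input nor an output interface: these
# forward any routed packet, not just DNAT'ed traffic bound for the containers.
unrestricted_forward() {
  printf '%s\n' "$1" | grep '^-A FORWARD ' | grep -- '-j ACCEPT' | grep -v -e ' -i ' -e ' -o '
}

# One line of output per finding; silent when the ruleset passes all three checks.
audit() {
  for c in $(non_drop_policies "$1"); do echo "policy not DROP: $c"; done
  sshguard_before_accept "$1" || echo "sshguard chain is not consulted before the ssh ACCEPT"
  unrestricted_forward "$1" | sed 's/^/unrestricted forward: /'
}

audit "$SAMPLE_RULES"
```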


New Container Setup

New LXC containers are very bare-bones and need a bit of setup to be useful. Here is an overview of the steps for various distros.


Setup PATH

Install packages


Install packages



Checking state and simulating failure

Replacing a failed drive (sdc)

Notifying on hard drive failure (gmail)



AUTO +imsm +1.x -all
ARRAY /dev/md/pv00 level=raid5 num-devices=4 UUID=1327a02b:b19f6696:0e3f8ac7:9615591c

Growing RAID size

This is useful if the RAID array needs to be grown into free space already on the member disks (no hard drive added).

Accessing via Live CD

If the array gets screwed up somehow, you can try mounting it on a live CD.

Installing GRUB on a Live CD Mounted System

Mounting Images

Disk /tmp/sdcard.img: 162 MiB, 169869824 bytes, 331777 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device           Boot Start    End Sectors  Size Id Type
/tmp/sdcard.img1 *        1  65536   65536   32M  c W95 FAT32 (LBA)
/tmp/sdcard.img2      65537 331776  266240  130M 83 Linux
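An added example, not from the notes: turning the fdisk listing above into loop-mount parameters (byte offset = start sector * sector size, length = sector count * sector size) and mounting one partition of the image read-only. The image path /tmp/sdcard.img is the one in the listing; the mountpoint given to mount_part is whatever you choose.

```shell
#!/bin/sh
# The listing from the page (header lines trimmed); only the Units line and the
# partition rows are needed for the arithmetic.
FDISK_OUT='Units: sectors of 1 * 512 = 512 bytes
Device           Boot Start    End Sectors  Size Id Type
/tmp/sdcard.img1 *        1  65536   65536   32M  c W95 FAT32 (LBA)
/tmp/sdcard.img2      65537 331776  266240  130M 83 Linux'

# Logical sector size, taken from the "Units:" line (the value before "bytes").
sector_size() {
  printf '%s\n' "$FDISK_OUT" | awk '/^Units:/ { print $(NF - 1) }'
}

# Field FIELD of partition PARTNUM's row. A "*" boot flag occupies its own
# column and shifts Start/End/Sectors right by one, so skip over it.
part_field() {  # part_field PARTNUM FIELD
  printf '%s\n' "$FDISK_OUT" | awk -v n="$1" -v f="$2" '
    $1 ~ ("img" n "$") { if ($2 == "*") f++; print $f }'
}

# Byte offset of partition N inside the image: start sector * sector size.
part_offset() { echo $(( $(part_field "$1" 2) * $(sector_size) )); }
# Byte length of partition N: sector count * sector size (bounds the loop device
# so a filesystem driver cannot read past its own partition).
part_size()   { echo $(( $(part_field "$1" 4) * $(sector_size) )); }

# Mount partition N read-only through a loop device limited to that partition.
mount_part() {  # mount_part PARTNUM MOUNTPOINT
  mkdir -p "$2"
  mount -o ro,loop,offset="$(part_offset "$1")",sizelimit="$(part_size "$1")" \
        /tmp/sdcard.img "$2"
}
# With partition scanning available, `losetup -f -P --show /tmp/sdcard.img`
# exposes /dev/loopNp1, /dev/loopNp2 directly and the offset math is unnecessary.
```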

Auto FS

Auto FS + SSHFS allows the system to mount ssh filesystems on access and then automatically unmount after a certain timeout. The necessary tools are autofs and sshfs.

/etc/auto.master or /etc/auto.master.d/foobar.autofs or /etc/autofs/auto.master


AutoFS runs as root, so ensure that the host fingerprint has been added to root's ~/.ssh/known_hosts (/root/.ssh/known_hosts). You can add it easily by attempting an ssh login to the host from root.

Resizing LUKS encrypted LVM

Fixing Nodejs


DNS Tunneling with iodine

Most of this was taken from

Domain Setup

On a domain you own (e.g., create an A record pointing to the IP of a server you own and an NS record pointing to

To verify the setup is working, you can do:

Server Setup

Client Setup

Alternatively, you can download a script that does this part from



block - smallest addressable unit of storage

Block size is defined in the hardware of a hard drive, but the OS can define a virtual block size which chains multiple blocks together.

There are three primary boot options involving UEFI and BIOS firmware

    • required if dual-booting Windows
    • max addressable disk space is 2^32 * 512 bytes = 2 TiB on a system with 512-byte blocks.

GPT - GUID Partition Table

protective mbr - a small partition at the beginning of the GPT disk (where the MBR would normally be) that prevents older MBR tools from damaging the GPT formatting

This partition contains a fake partition record which spans the entirety of the disk. MBR programs will see that there is a partition of unknown type that spans the entire disk and will refuse to operate.

A GPT disk is formatted like so:

Protective MBR 512B
GPT Header 512B
GPT Partition Table 16KB
* Partitions *
Backup Partition Table 16KB
Backup Header 512B

So there should be 17KB and 16.5KB of free space at the beginning and end of a GPT disk.

Random facts

  • grub2-install invokes efibootmgr to install (aka register) entries in the nvram
  • these nvram entries point to .efi executables on the ESP
  • the hard drive UEFI menu entries are for legacy booting these devices
  • efi/boot/bootx64.efi is the .efi executable location for removable devices and doesn't require any nvram registration

SMART Status

smartctl -a /dev/sdX

smartctl -t short /dev/sdX

Network interfaces and bridging

Simulating network disconnect

Ubuntu VNC Server

To automatically run the server at login, add a startup script:

Add a new item called "VNC" with the command field set to

Remember to set the machine to never suspend in the system power settings.


Useful options

  • toolchain > enable wchar support
  • bootloaders > grub2
  • toolchain > C library
  • filesystem images > iso image