feat: Add backup and security hardening

2025-11-08 00:28:17 +01:00
parent 8de3f16ee6
commit 96f521a474
23 changed files with 5696 additions and 939 deletions


@@ -8,10 +8,13 @@ Quick reference for everyday tasks on your Gentoo workstation.
- [Network Management](#network-management)
- [Audio Management](#audio-management)
- [Bluetooth Management](#bluetooth-management)
- [Backup Management](#backup-management)
- [Dotfile Management](#dotfile-management)
- [System Updates](#system-updates)
- [Kernel Management](#kernel-management)
- [Display & Monitors](#display--monitors)
- [Power Management](#power-management)
- [Security](#security)
- [System Information](#system-information)
---
@@ -314,6 +317,278 @@ exit
---
## Backup Management
Automated backup system with network trigger and multiple backup types.
### Using backup-setup Script
```bash
# Show backup status
backup-setup status
# Trigger manual backup
backup-setup backup [TYPE]
# List backups on NAS
backup-setup list
# View recent logs
backup-setup logs
# Test NAS connection
backup-setup test
```
### Backup Types
```bash
# Full system backup (large, slow)
backup-setup backup full
# Home directory only (medium)
backup-setup backup home
# Incremental backup (small, fast)
backup-setup backup incremental
# Configuration files only (tiny, very fast)
backup-setup backup configs
```
### Network Trigger Service
```bash
# Check monitor status
sudo rc-service backup-monitor status
# View monitor logs
tail -f ~/.local/var/log/backup-monitor.log
# View backup logs
tail -f ~/.local/var/log/backup.log
# Start/stop monitor
sudo rc-service backup-monitor start
sudo rc-service backup-monitor stop
```
### Manual Backup Scripts
```bash
# Run backup scripts directly
/usr/local/bin/backup-full
/usr/local/bin/backup-home
/usr/local/bin/backup-incremental
/usr/local/bin/backup-configs
```
For complete backup guide, see: `Backup-Setup.md`
---
## Dotfile Management
Dotfiles (configuration files) are managed with **chezmoi** for cross-platform sync across machines.
### Quick Start
```bash
# Edit a dotfile
chezmoi edit ~/.zshrc
# Preview changes
chezmoi diff
# Apply changes
chezmoi apply
# Update from remote repository
chezmoi update
```
### Common Tasks
#### Edit Configuration Files
```bash
# Edit shell config
chezmoi edit ~/.zshrc
# Edit git config
chezmoi edit ~/.gitconfig
# Edit neovim config
chezmoi edit ~/.config/nvim/init.lua
```
#### Add New Configuration Files
```bash
# Add a new dotfile
chezmoi add ~/.newconfig
# Add entire directory
chezmoi add --recursive ~/.config/newtool
# Add as template (for cross-platform configs)
chezmoi add --template ~/.config/tool/config
```
#### View Changes
```bash
# See what would change
chezmoi diff
# See rendered template
chezmoi cat ~/.zshrc
# Check which files are managed
chezmoi managed
# Show status
chezmoi status
```
#### Sync Changes
```bash
# Pull and apply latest changes from git
chezmoi update
# Apply without pulling
chezmoi apply
# Just pull without applying
chezmoi cd
git pull
```
#### Commit and Push Changes
```bash
# Go to chezmoi source directory
chezmoi cd
# Check what changed
git status
git diff
# Commit changes
git add .
git commit -m "feat: update zsh config"
git push
# Return to previous directory
exit # or Ctrl+D
```
### Advanced Usage
#### Convert File to Template
```bash
# Make a file a template (adds .tmpl extension)
chezmoi chattr +template ~/.zshrc
# Edit the template
chezmoi edit ~/.zshrc
# Add OS-specific logic:
# {{ if eq .chezmoi.os "darwin" -}}
# macOS-specific config
# {{- else if eq .osid "linux-gentoo" -}}
# Gentoo-specific config
# {{- end }}
```
#### Test Without Applying
```bash
# Dry run (preview what would happen)
chezmoi apply --dry-run --verbose
# View rendered template
chezmoi cat ~/.config/tool/config
# Execute template expression
chezmoi execute-template "{{ .chezmoi.os }}"
```
#### View Configuration
```bash
# Show chezmoi data (OS, machine type, etc.)
chezmoi data
# Edit chezmoi config
chezmoi edit-config
# Show source path
chezmoi source-path
```
### Dotfiles Repository Structure
```
~/repository/git.hinrichs.dev/alexander/dotfiles/ # Main repo
~/.local/share/chezmoi/ # Chezmoi working copy
~/.config/chezmoi/chezmoi.yaml # Generated config
```
### Adding New Tools
When you install a new tool with configuration:
**Step 1: Create the config**
```bash
# Configure the tool normally
nvim ~/.config/newtool/config
```
**Step 2: Test the config**
```bash
# Make sure it works
newtool --version
```
**Step 3: Add to chezmoi**
```bash
# Add to dotfile management
chezmoi add ~/.config/newtool/config
# Or add entire directory
chezmoi add --recursive ~/.config/newtool
```
**Step 4: Commit**
```bash
# Go to dotfiles repo
chezmoi cd
# Commit
git add .
git commit -m "feat: add newtool configuration"
git push
```
Now the config will sync to all your machines!
### Troubleshooting
```bash
# Reset and regenerate config
chezmoi init
# Force re-apply everything
chezmoi apply --force
# Remove a file from management
chezmoi forget ~/.file
# Purge chezmoi (removes all managed files)
chezmoi purge
```
For detailed documentation, see:
- `Dotfiles-Management.md` - Complete guide
- `~/repository/git.hinrichs.dev/alexander/dotfiles/README.md` - Dotfiles repo docs
---
## System Updates
### Full System Update
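Review bot: In the Troubleshooting block, the comment on `chezmoi purge` ("removes all managed files") does not match what the command does: purge deletes chezmoi's own source directory, configuration and state, and leaves the files in the home directory in place. Reword the comment so nobody runs it expecting dotfiles to be removed, and note that unpushed changes in the source directory are lost. In the same hunk, both commit sequences run `git add .` and then `git push`; a `git diff --staged` step before the commit would catch a credential or token picked up by `chezmoi add --recursive` before it reaches the remote.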
@@ -472,6 +747,88 @@ loginctl suspend
---
## Security
### Firewall Management (nftables)
```bash
# Start firewall
sudo rc-service nftables start
# Check firewall status
sudo rc-service nftables status
# View firewall rules
sudo nft list ruleset
# Reload configuration
sudo rc-service nftables restart
# Enable at boot
sudo rc-update add nftables default
```
### Intrusion Prevention (fail2ban)
```bash
# Check fail2ban status
sudo fail2ban-client status
# Check SSH jail status
sudo fail2ban-client status sshd
# View banned IPs
sudo fail2ban-client status sshd
# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4
# View fail2ban log
sudo tail -f /var/log/fail2ban.log
# Enable at boot
sudo rc-update add fail2ban default
```
### SSH Security
```bash
# Test SSH configuration
sudo sshd -t
# Restart SSH service
sudo rc-service sshd restart
# View SSH logs
sudo tail -f /var/log/auth.log
# View recent SSH logins
last -10
# View failed SSH attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
```
### Security Monitoring
```bash
# Check open ports
sudo ss -tlnp
# Check SSH login attempts
sudo grep "sshd" /var/log/auth.log | tail -20
# Check for security updates
glsa-check -l
# View system logs
sudo tail -f /var/log/messages
```
For complete security hardening guide, see: `Security-Hardening.md`
---
## System Information
### Hardware Information
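Review bot: In the fail2ban block, "Check SSH jail status" and "View banned IPs" run the identical command `sudo fail2ban-client status sshd`; merge them into one entry whose comment says the jail status output includes the banned IP list. In the nftables block, the entry commented "Reload configuration" actually runs `rc-service nftables restart`, so label it as a restart. Under SSH Security, `grep "Failed password"` matches only password failures; if Security-Hardening.md turns password logins off, this command returns nothing while other failed attempts still land in the log, so a broader pattern on `sshd` lines would serve the stated purpose better.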
@@ -690,6 +1047,9 @@ sudo rm -rf /var/tmp/portage/*
| WiFi connect | `wifi-setup connect "SSID"` |
| Audio switch | `audio-setup output 2` |
| Bluetooth pair | `bluetooth-setup pair MAC` |
| Backup status | `backup-setup status` |
| Trigger backup | `backup-setup backup incremental` |
| Firewall status | `sudo nft list ruleset` |
| Check logs | `tail -f /var/log/messages` |
| Disk usage | `df -h` |
| Free memory | `free -h` |
@@ -715,12 +1075,31 @@ apropos keyword
- **Package Search**: https://packages.gentoo.org
### Local Documentation
- Main system overview: `Claude.md`
**Quick Reference & Overview:**
- This guide: `USER-GUIDE.md` - Quick reference for everyday tasks
- System overview: `System-Overview.md` - Hardware, software, design
- Feature status: `Feature-Status.md` - Working features, session history
- Troubleshooting: `Troubleshooting.md` - Troubleshooting all components
**Complete Guides:**
- Backup system: `Backup-Setup.md`
- Security hardening: `Security-Hardening.md`
- Power management: `Power-Management-Setup.md`
- Bluetooth setup: `Bluetooth-Setup.md`
- Dotfile management: `Dotfiles-Management.md`
- Lid automation: `Lid-Automation-Working-Solution.md`
**Script Documentation:**
- WiFi setup: `scripts/wifi-setup/README.md`
- Bluetooth setup: `scripts/bluetooth-setup/README.md`
- Audio setup: `scripts/audio-setup/README.md`
- Power management: `Power-Management-Setup.md`
- Battery conservation: `scripts/battery-setup/README.md`
- Monitor management: `scripts/monitor-setup/README.md`
**For Claude Code:**
- Operational guidelines: `CLAUDE.md`
---
**Last Updated**: 2025-11-05
**Last Updated**: 2025-11-07
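Review bot: `Power-Management-Setup.md` is listed twice in Local Documentation, once under "Complete Guides" and again under "Script Documentation", where every other entry is a `scripts/.../README.md`; drop the second one. The hunk also shows both `Claude.md` and `CLAUDE.md`; on a case-sensitive filesystem only one of these resolves, so confirm the file in the repository matches the spelling in the new "For Claude Code" entry.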