wiki/docs/sysop.md

# Sysop

## Prometheus

### Reload config

    :::shell
    curl -X POST -u simon:$(pass sbruder.de/prometheus|head -n1) https://prometheus.sbruder.de/-/reload

### Remove certain time range from Prometheus

Requires [TSDB Admin APIs to be
enabled](https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis)
(`--web.enable-admin-api`)

    :::shell
    curl -u user:pass -X POST -g 'https://prometheus-endpoint/api/v1/admin/tsdb/delete_series?match[]=metric{label="foo"}&start=TIMESTAMP&end=TIMESTAMP

## OpenSSL

### Get certificate expiry date

    :::shell
    openssl s_client -connect hostname:443 2>& /dev/null <<< '' | openssl x509 -noout -dates

    # starttls
    openssl s_client -connect hostname:587 -starttls smtp 2>& /dev/null <<< '' | openssl x509 -noout -dates

## Docker

### List images by size

    :::shell
    docker image ls --format "table {{.Size}}\t{{.Repository}}:{{.Tag}}\t{{.ID}}"|sort -h

### Enable IPv6 NAT

Makes no sense on first and second thought, but after a while it seems like the
right thing.

`/etc/docker/daemon.json`:

    :::json
    {
      "ipv6": true,
      "fixed-cidr-v6": "fd00:d0ce:d0ce:d0ce::/64"
    }

<!--
This is the right way, but since I did not get `netfilter-persistent` to work,
I have to use iptables.

    :::shell
    nft add table ip6 nat
    nft add chain ip6 nat postrouting \{ type nat hook postrouting priority 100 \; \}
    nft add rule ip6 nat postrouting ip6 saddr fd00:d0ce:d0ce:d0ce::/64 masquerade
-->

    :::shell
    ip6tables -t nat -A POSTROUTING -s fd00:d0ce:d0ce:d0ce::/64 -j MASQUERADE
    ip6tables-save > /etc/iptables/rules.v6

Publishing a port will still use the userland proxy. If you do not want this,
have a look at <https://github.com/robbertkl/docker-ipv6nat>.

    :::shell
    docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=SYS_MODULE --net=host robbertkl/ipv6nat

## Misc

### Add swap file

    :::shell
    fallocate -l 1G /swapfile
    chmod 600 /swapfile
    mkswap /swapfile
    swapon /swapfile
Initial commit 2020-11-04 22:35:10 +01:00			`# Sysop`

			`## Prometheus`

			`### Reload config`

			`:::shell`
			`curl -X POST -u simon:$(pass sbruder.de/prometheus\|head -n1) https://prometheus.sbruder.de/-/reload`

			`### Remove certain time range from Prometheus`

			`Requires [TSDB Admin APIs to be`
			`enabled](https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis)`
			(`--web.enable-admin-api`)

			`:::shell`
			`curl -u user:pass -X POST -g 'https://prometheus-endpoint/api/v1/admin/tsdb/delete_series?match[]=metric{label="foo"}&start=TIMESTAMP&end=TIMESTAMP`

			`## OpenSSL`

			`### Get certificate expiry date`

			`:::shell`
			`openssl s_client -connect hostname:443 2>& /dev/null <<< '' \| openssl x509 -noout -dates`

			`# starttls`
			`openssl s_client -connect hostname:587 -starttls smtp 2>& /dev/null <<< '' \| openssl x509 -noout -dates`

			`## Docker`

			`### List images by size`

			`:::shell`
			`docker image ls --format "table {{.Size}}\t{{.Repository}}:{{.Tag}}\t{{.ID}}"\|sort -h`

			`### Enable IPv6 NAT`

			`Makes no sense on first and second thought, but after a while it seems like the`
			`right thing.`

			`/etc/docker/daemon.json`:

			`:::json`
			`{`
			`"ipv6": true,`
			`"fixed-cidr-v6": "fd00:d0ce:d0ce:d0ce::/64"`
			`}`

			`<!--`
			This is the right way, but since I did not get `netfilter-persistent` to work,
			`I have to use iptables.`

			`:::shell`
			`nft add table ip6 nat`
			`nft add chain ip6 nat postrouting \{ type nat hook postrouting priority 100 \; \}`
			`nft add rule ip6 nat postrouting ip6 saddr fd00:d0ce:d0ce:d0ce::/64 masquerade`
			`-->`

			`:::shell`
			`ip6tables -t nat -A POSTROUTING -s fd00:d0ce:d0ce:d0ce::/64 -j MASQUERADE`
			`ip6tables-save > /etc/iptables/rules.v6`

			`Publishing a port will still use the userland proxy. If you do not want this,`
			`have a look at <https://github.com/robbertkl/docker-ipv6nat>.`

			`:::shell`
			`docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro --cap-drop=ALL --cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=SYS_MODULE --net=host robbertkl/ipv6nat`

			`## Misc`

			`### Add swap file`

			`:::shell`
			`fallocate -l 1G /swapfile`
			`chmod 600 /swapfile`
			`mkswap /swapfile`
			`swapon /swapfile`