DevOps & Infrastructure

Hands-on guides, automation scripts, and CI/CD pipelines for Linux servers, Windows workstations, and the plumbing in between.

8 DevOps Guides · 4 CI Jobs (lint + integration) · 5 Silent Installers · 3 OS Families Covered

DevOps Guides

Hands-on guides and automation scripts for Linux firewalls and WireGuard VPN access to Windows.

Fedora Firewalls: The Essentials

Complete guide to firewalld on Fedora — zones, services, rich rules, and the mental model behind trust levels. From first rule to production lockdown.

Tags: Fedora, firewalld, nftables

Ubuntu Firewalls: The Essentials

UFW from scratch — ordered rules, default policies, logging, and when to drop down to iptables. Straightforward firewall management without the ceremony.

Tags: Ubuntu, UFW, iptables

WireGuard Fedora Setup Script

Bash script that automates WireGuard server install on Fedora: key generation, wg0.conf creation, firewalld rules, and systemd service bring-up. Supports --add-peer.

Tags: Bash, WireGuard, systemd

WireGuard: Fedora ↔ Windows

Remote access VPN from Windows to a Fedora host, with SSH locked to the tunnel. Full walk-through from server config to Windows client — plus a concise quick-reference.

Tags: Fedora, Windows, SSH hardening

WireGuard: Ubuntu ↔ Windows

Ubuntu server + Windows client setup with UFW rules and SSH bound to the VPN subnet. Includes both the complete guide and a quick-start variant for fast rebuilds.

Tags: Ubuntu, Windows, UFW

Fedora 43 Server Hardening Script

One-shot Bash hardening pass: AIDE, auditd, fail2ban, SELinux enforcing, USBGuard, password quality, SSH lockdown, and firewalld baseline. Idempotent and log-everything.

Tags: Fedora, Bash, SELinux, auditd

firewalld Port Forwarding: Host → VM

Expose a service running inside a libvirt VM on the host's LAN IP. Zone selection, masquerade, IP forwarding, and WireGuard-aware troubleshooting for when it only half-works.

Tags: firewalld, libvirt, Fedora

Samba Share: Fedora Host ↔ Windows KVM

Read/write folder on the Fedora host exposed over SMB to Windows guests on libvirt's default network. Covers SELinux contexts, firewalld in the libvirt zone, and Samba user mapping.

Tags: Samba, Windows, KVM, SELinux

Windows AD + Exchange Lab on KVM

qemu-img + virt-install one-liners to spin up Server 2022 VMs for an Active Directory + Exchange lab: correct disk perms, host-passthrough CPU, split OS/data disks, SPICE console, and libvirt network wiring.

Tags: Windows Server, libvirt, Active Directory, Exchange

Observability: Grafana + InfluxDB + Telegraf

Docker Compose stack that ingests Cisco IOS-XE model-driven telemetry over gRPC dial-out. Includes the IOS-XE "telemetry ietf subscription" config templates and ready-to-paste Flux queries for CPU, memory, interface rates, errors, and OSPF neighbor state.

Tags: Grafana, InfluxDB, Telegraf, Cisco MDT

CI/CD Pipelines

Real GitHub Actions workflows that gate every script in this repo — run on each push, block merges on failure.

CI — Lint & Multi-OS Integration

GitHub Actions · 4 jobs

One workflow, four parallel jobs. Linting gates every .sh and .md; integration jobs run each script end-to-end on a fresh OS image and assert the expected state landed. Runs on every push & PR, plus weekly to catch upstream package regressions.

  • shell-lint (ShellCheck + shfmt)
  • markdown-lint (markdownlint + lychee)
  • ubuntu-workstation (Ubuntu 24.04 container)
  • freebsd-hardening (FreeBSD 14 VM)
# .github/workflows/ci.yml
name: CI

on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    # Weekly (Monday 06:00 UTC). The schedule trigger must sit under "on:";
    # a top-level "schedule:" key is silently ignored and the cron never fires.
    - cron: '0 6 * * 1'

jobs:
  shell-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ludeeus/action-shellcheck@2.0.0
      # -d prints a diff and exits non-zero for any file that is not formatted
      - run: shfmt -d -i 4 -ci $(shfmt -f .)

  markdown-lint:
    runs-on: ubuntu-latest
    steps:
      # Without a checkout the linters run against an empty workspace
      - uses: actions/checkout@v4
      - uses: DavidAnson/markdownlint-cli2-action@v16
      - uses: lycheeverse/lychee-action@v2

  ubuntu-workstation:
    runs-on: ubuntu-latest
    container: ubuntu:24.04
    steps:
      - uses: actions/checkout@v4
      - run: bash scripts/dev-workstation.sh
      # Assert the toolchain landed: the step fails on the first missing binary
      - run: for b in git node docker rg fd nvim; do command -v "$b"; done

  freebsd-hardening:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: vmactions/freebsd-vm@v1
        with:
          release: '14.1'
          run: sh scripts/bsd_server_hardening.sh

Automated Installs

Silent, unattended installers and deployment scripts for common Windows software stacks.

Developer Workstation

~15 min unattended

Bootstraps a fresh dev box on Windows or Ubuntu. Installs VS Code, Git, Node.js, .NET SDK, Docker, plus shell tooling on Linux (ripgrep, fd, fzf, bat, tmux, neovim).

  1. Install package manager (Chocolatey on Windows, apt on Ubuntu)
  2. Deploy curated package list, skipping anything already present
  3. Add Docker's official repo on Ubuntu & enable the service
  4. Idempotent — safe to re-run
Scripts: Windows (PowerShell as admin) · Ubuntu (bash)

Server Base Image

~15 min unattended

One-shot baseline hardening for Fedora or FreeBSD servers. AIDE, auditd, fail2ban, SELinux enforcing, USBGuard, SSH lockdown, and firewalld on Fedora; PF, SSH hardening, sysctl & blacklist.conf on FreeBSD. Log-everything, idempotent.

  1. Install security tooling (AIDE, auditd, fail2ban, rkhunter)
  2. Enforce SELinux / configure PF firewall
  3. Lock down SSH — no root login, key-only, limited ciphers
  4. Write a timestamped log of every change made
Scripts: Fedora 43 (bash as root) · FreeBSD 14+ (sh as root)

Build Agent Node

~20 min unattended

Ubuntu 22.04 / 24.04 build agent with every common toolchain: Node, Python, Java, .NET, Go, Rust, Docker. Headless, idempotent, flag-driven (--skip-* / --with-cloud).

  1. Install language SDKs & runtimes (skip any with --skip-*)
  2. Install Docker Engine from the official repo
  3. Create a sandboxed ci user (unless --no-ci-user)
  4. Optionally install AWS / Azure / GCP CLIs with --with-cloud
Scripts: Ubuntu (bash as root)

Fedora Network Lab Host

~10 min unattended

Bootstraps a Fedora workstation into a KVM/libvirt lab host for network automation — hypervisor, dev tools, and a full Python networking stack (Netmiko, NAPALM, Nornir, Scrapli, PyEZ).

  1. Install @virtualization & enable libvirtd
  2. Set CPU governor to performance
  3. Install Python netops libraries via pip
  4. Open SSH in firewalld & fix libvirt image perms
Scripts: Fedora (bash)

About this site

What you'll find here, and what it's for.

A working notebook of infrastructure scripts and operational guides — patterns worth keeping documented somewhere durable and searchable. Everything here is built and tested in a home lab, then trimmed down to the parts that actually matter.

What's covered:

  • Server provisioning and hardening across Linux, Windows, and BSD
  • Networking: firewalls, port forwarding, site-to-site WireGuard
  • Virtualization with KVM/QEMU, including Windows guests and Samba shares
  • Observability: telemetry pipelines, time-series storage, dashboards
  • CI/CD wiring: shell + markdown linting, multi-OS integration tests
  • Reproducible installers behind one-line bootstrap commands

Scripts are written to be read first and run second — skim before you pipe anything to a shell. Nothing here is a finished product; it's a snapshot of a lab that's still being built.