Hands-on guides, automation scripts, and CI/CD pipelines for Linux servers, Windows workstations, and the plumbing in between.
Hands-on guides and automation scripts for Linux firewalls and WireGuard VPN access to Windows.
Complete guide to firewalld on Fedora — zones, services, rich rules, and the mental model behind trust levels. From first rule to production lockdown.
UFW from scratch — ordered rules, default policies, logging, and when to drop down to iptables. Straightforward firewall management without the ceremony.
Bash script that automates WireGuard server install on Fedora: key generation, wg0.conf creation, firewalld rules, and systemd service bring-up. Supports --add-peer.
Remote access VPN from Windows to a Fedora host, with SSH locked to the tunnel. Full walk-through from server config to Windows client — plus a concise quick-reference.
Ubuntu server + Windows client setup with UFW rules and SSH bound to the VPN subnet. Includes both the complete guide and a quick-start variant for fast rebuilds.
One-shot Bash hardening pass: AIDE, auditd, fail2ban, SELinux enforcing, USBGuard, password quality, SSH lockdown, and firewalld baseline. Idempotent and log-everything.
Expose a service running inside a libvirt VM on the host's LAN IP. Zone selection, masquerade, IP forwarding, and WireGuard-aware troubleshooting for when it only half-works.
Read/write folder on the Fedora host exposed over SMB to Windows guests on libvirt's default network. Covers SELinux contexts, firewalld in the libvirt zone, and Samba user mapping.
Single-forest Windows Server 2022 domain controller in a libvirt VM: qcow2 provisioning, static IP with self-referencing DNS, Install-ADDSForest, and an OU + test user ready for Exchange to pick up.
Exchange Server 2019 joined to the lab forest: split OS / data disks, AD schema prep, silent install, OWA bring-up, test mailboxes, and a dependency-ordered clean-shutdown script so transaction logs don't strand a database dirty.
Monthly Windows-update runbook for a two-DC pair. Baseline repadmin /replsummary + dcdiag, one-DC-at-a-time ordering, post-patch replication verification, and rollback notes for when DFSR refuses to converge.
Four shutdown procedures for a two-DC pair: single-DC graceful, planned full outage, fast controlled emergency, and minimum-damage imminent power loss. Covers FSMO-host-last ordering, SYSVOL flush, and a post-boot health checklist.
Update playbook for a two-server Exchange 2019 DAG covering both Cumulative and Security Updates. Baseline capture, Move-ActiveMailboxDatabase, StartDagServerMaintenance, silent install, health gate, and copy reactivation by ActivationPreference.
Four shutdown scenarios for a two-server Exchange 2019 DAG: one-at-a-time maintenance, planned full outage, fast controlled emergency, and imminent-power-loss triage. Covers quorum handling, dismount order, and IIS/W3SVC teardown.
Docker Compose stack that ingests Cisco IOS-XE model-driven telemetry over gRPC dial-out. Includes Cisco telemetry ietf subscription templates and ready-to-paste Flux queries for CPU, memory, interface rates, errors, and OSPF neighbor state.
Real GitHub Actions workflows that gate every script in this repo — run on each push, block merges on failure.
A CI/CD pipeline is a set of automated checks that run every time the code in a repo changes. The goal is to catch regressions before a bad commit reaches anyone — the pipeline stops a broken change at the gate, not in production.
This one has three parallel jobs, triggered on every push to main, every pull request, a weekly cron, and a manual dispatch button:
Lint job: ShellCheck and shfmt scan every .sh in the repo without executing it.
This catches real bugs (unquoted variables, cd without || exit, bashisms inside sh scripts) and formatting drift before the code ever runs on a real machine.
Ubuntu integration job: spins up an ubuntu:24.04 container, creates a non-root user, runs dev-workstation.sh end-to-end, then asserts every tool the script claims to install (git, node, nvim, rg, fd, tmux, jq, bat) is actually on PATH afterwards.
This is what catches "I refactored the install and now fd isn't installed anymore" — the script exits 0 but the tool is gone.
Fedora integration job: spins up a fedora:latest container and runs Fedora-Server-Hardening-script.sh.
Assertions then grep the declarative outputs (SSH settings in sshd_config, sysctl knobs, pwquality.conf minlen, faillock.conf deny count, audit rules, /etc/shadow permissions) to prove the hardening landed.
systemd-dependent steps (service starts) that fail are tolerated because a container isn't running systemd as PID 1; the config-file surface is what matters.
Green on every commit is the difference between claiming the scripts work and proving they work on a fresh box. The run history is public under the repo's Actions tab — anyone can click in, read the logs, and verify.
One workflow, three parallel jobs. Linting gates every .sh via ShellCheck + shfmt; two integration jobs run the dev-workstation installer in an Ubuntu container and the Fedora server-hardening script in a Fedora container, asserting the expected config landed. Runs on every push & PR, plus weekly to catch upstream package regressions.
Silent, unattended installers and deployment scripts for common Windows software stacks.
Bootstraps a fresh dev box on Windows or Ubuntu. Installs VS Code, Git, Node.js, .NET SDK, Docker, plus shell tooling on Linux (ripgrep, fd, fzf, bat, tmux, neovim).
One-shot baseline hardening for Fedora or FreeBSD servers. AIDE, auditd, fail2ban, SELinux enforcing, USBGuard, SSH lockdown, and firewalld on Fedora; PF, SSH hardening, sysctl & blacklist.conf on FreeBSD. Log-everything, idempotent.
Ubuntu 22.04 / 24.04 build agent with every common toolchain: Node, Python, Java, .NET, Go, Rust, Docker. Headless, idempotent, flag-driven (--skip-* / --with-cloud).
Bootstraps a Fedora workstation into a KVM/libvirt lab host for network automation — hypervisor, dev tools, and a full Python networking stack (Netmiko, NAPALM, Nornir, Scrapli, PyEZ).
What you'll find here, and what it's for.
A working notebook of infrastructure scripts and operational guides — patterns worth keeping documented somewhere durable and searchable. Everything here is built and tested in a home lab, then trimmed down to the parts that actually matter.
What's covered:
Scripts are written to be read first and run second — skim before you pipe anything to a shell. Nothing here is a finished product; it's a snapshot of a lab that's still being built.