path: root/gemfeed
author Paul Buetow <paul@buetow.org> 2025-07-09 00:54:08 +0300
committer Paul Buetow <paul@buetow.org> 2025-07-09 00:54:08 +0300
commit c7064778ca3e99699b8407163861ea3c79e1bae8 (patch)
tree ee971f6f3e40d8a62fa907d4206f2661cb8c46ab /gemfeed
parent 0ea4aaacef24bae6763b747bdfe81512a6b06465 (diff)
Update content for gemtext
Diffstat (limited to 'gemfeed')
-rw-r--r-- gemfeed/STUNNEL-NFS-SETUP-R1-R2.md 277
-rwxr-xr-x gemfeed/configure-stunnel-nfs-r1-r2.sh 163
-rw-r--r-- gemfeed/stunnel-nfs-quick-reference.txt 78
3 files changed, 518 insertions, 0 deletions
diff --git a/gemfeed/STUNNEL-NFS-SETUP-R1-R2.md b/gemfeed/STUNNEL-NFS-SETUP-R1-R2.md
new file mode 100644
index 00000000..3c2ff77f
--- /dev/null
+++ b/gemfeed/STUNNEL-NFS-SETUP-R1-R2.md
@@ -0,0 +1,277 @@
+# Stunnel and NFS Configuration for r1 and r2
+
+This document provides step-by-step instructions for configuring stunnel and NFS mounts on r1 and r2 Rocky Linux systems to connect to the f3s storage cluster.
+
+## Prerequisites
+
+- Root access on r1 and r2
+- Network connectivity to f0 (for copying the certificate)
+- Network connectivity to the CARP VIP (192.168.1.138)
+
+## Overview
+
+The configuration provides:
+- Encrypted NFS traffic using stunnel
+- Automatic failover via CARP VIP (192.168.1.138)
+- Persistent mounts across reboots
+- Access to /data/nfs/k3svolumes for Kubernetes storage
+
+## Configuration Steps
+
+### Step 1: Install stunnel
+
+```bash
+dnf install -y stunnel
+```
+
+### Step 2: Copy the stunnel certificate from f0
+
+First, create the directory:
+```bash
+mkdir -p /etc/stunnel
+```
+
+Then copy the certificate from f0. On f0, run:
+```bash
+scp /usr/local/etc/stunnel/stunnel.pem root@r1:/etc/stunnel/
+scp /usr/local/etc/stunnel/stunnel.pem root@r2:/etc/stunnel/
+```
+
+### Step 3: Create stunnel client configuration
+
+Create `/etc/stunnel/stunnel.conf`:
+```bash
+cat > /etc/stunnel/stunnel.conf <<'EOF'
+cert = /etc/stunnel/stunnel.pem
+client = yes
+
+[nfs-ha]
+accept = 127.0.0.1:2323
+connect = 192.168.1.138:2323
+EOF
+```
+
+### Step 4: Create systemd service for stunnel
+
+Create `/etc/systemd/system/stunnel.service`:
+```bash
+cat > /etc/systemd/system/stunnel.service <<'EOF'
+[Unit]
+Description=SSL tunnel for network daemons
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
+ExecStop=/usr/bin/killall stunnel
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+```
+
+### Step 5: Enable and start stunnel
+
+```bash
+systemctl daemon-reload
+systemctl enable stunnel
+systemctl start stunnel
+systemctl status stunnel
+```
+
+### Step 6: Create NFS mount point
+
+```bash
+mkdir -p /data/nfs/k3svolumes
+```
+
+### Step 7: Test mount NFS through stunnel
+
+```bash
+mount -t nfs4 -o port=2323 127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes
+```
+
+### Step 8: Verify the mount
+
+```bash
+mount | grep k3svolumes
+df -h /data/nfs/k3svolumes
+ls -la /data/nfs/k3svolumes/
+```
+
+### Step 9: Configure persistent mount
+
+First unmount the test mount:
+```bash
+umount /data/nfs/k3svolumes
+```
+
+Add to `/etc/fstab`:
+```bash
+echo "127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes nfs4 port=2323,_netdev 0 0" >> /etc/fstab
+```
+
+Mount using fstab:
+```bash
+mount /data/nfs/k3svolumes
+```
+
+## Automated Installation
+
+A script is available to automate all these steps:
+
+```bash
+# Download and run the configuration script
+curl -O https://raw.githubusercontent.com/.../configure-stunnel-nfs-r1-r2.sh
+chmod +x configure-stunnel-nfs-r1-r2.sh
+./configure-stunnel-nfs-r1-r2.sh
+```
+
+## Verification Commands
+
+After configuration, verify everything is working:
+
+```bash
+# Check stunnel service
+systemctl status stunnel
+
+# Check NFS mount
+mount | grep k3svolumes
+df -h /data/nfs/k3svolumes
+
+# Test write access
+echo "Test from $(hostname) at $(date)" > /data/nfs/k3svolumes/test-$(hostname).txt
+cat /data/nfs/k3svolumes/test-$(hostname).txt
+
+# Check stunnel connection
+ss -tlnp | grep 2323
+```
+
+## Troubleshooting
+
+### Stunnel won't start
+
+Check the logs:
+```bash
+journalctl -u stunnel -n 50
+```
+
+Common issues:
+- Certificate file missing or wrong permissions
+- Port 2323 already in use
+- Configuration syntax error
+
+### NFS mount fails
+
+Check connectivity:
+```bash
+# Test if stunnel is listening
+telnet 127.0.0.1 2323
+
+# Check if CARP VIP is reachable
+ping -c 3 192.168.1.138
+
+# Try mounting with verbose output
+mount -v -t nfs4 -o port=2323 127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes
+```
+
+### Mount not persistent after reboot
+
+Verify fstab entry:
+```bash
+grep k3svolumes /etc/fstab
+```
+
+Test fstab mount:
+```bash
+mount -a
+```
+
+Check for systemd mount errors:
+```bash
+systemctl --failed
+journalctl -b | grep mount
+```
+
+### Permission denied errors
+
+The NFS export on f0/f1 maps root, so permission issues are rare. If they occur:
+```bash
+# Check export configuration on NFS server
+showmount -e 192.168.1.138
+
+# Verify your IP is allowed in the exports
+# r0: 192.168.1.120
+# r1: 192.168.1.121
+# r2: 192.168.1.122
+```
+
+## Security Considerations
+
+- All NFS traffic is encrypted through stunnel
+- The certificate provides both authentication and encryption
+- Access is restricted by IP address on the NFS server
+- Root access is mapped (maproot=root) for Kubernetes operations
+
+## Integration with Kubernetes
+
+Once configured, Kubernetes can use this mount for persistent storage:
+
+```yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: nfs-pv
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: 127.0.0.1 # Local stunnel
+ path: /data/nfs/k3svolumes
+ mountOptions:
+ - port=2323
+ - nfsvers=4
+```
+
+## Maintenance
+
+### Restarting services
+
+```bash
+# Restart stunnel
+systemctl restart stunnel
+
+# Remount NFS
+umount /data/nfs/k3svolumes
+mount /data/nfs/k3svolumes
+```
+
+### Updating certificates
+
+When certificates expire (after 10 years):
+1. Generate new certificate on f0
+2. Copy to all clients (r0, r1, r2)
+3. Restart stunnel on all hosts
+
+### Monitoring
+
+Add to your monitoring system:
+- stunnel service status
+- NFS mount presence
+- Disk space on /data/nfs/k3svolumes
+- Network connectivity to 192.168.1.138:2323
+
+## Summary
+
+After completing these steps on both r1 and r2:
+
+1. **Stunnel** provides encrypted tunnel to NFS server
+2. **NFS** mounts through stunnel on port 2323
+3. **CARP VIP** (192.168.1.138) ensures automatic failover
+4. **Persistent mount** via /etc/fstab survives reboots
+5. **Kubernetes** can use /data/nfs/k3svolumes for persistent volumes
+
+The same configuration works on r0, r1, and r2 with no modifications needed. \ No newline at end of file
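Review bot: The client configuration in Step 3 (`cert = /etc/stunnel/stunnel.pem`, `client = yes`) never enables server verification, so the "Security Considerations" claim that the certificate provides authentication is not backed by this config: stunnel will connect to whatever answers on 192.168.1.138:2323 and present its own certificate, but it does not check the peer. Since the same stunnel.pem is used on both ends, add `verify = 2` and `CAfile = /etc/stunnel/stunnel.pem` to the `[nfs-ha]` section so the server's certificate is checked against the copied one. Two smaller points: the `curl -O https://raw.githubusercontent.com/.../configure-stunnel-nfs-r1-r2.sh` URL under "Automated Installation" is a placeholder and should be filled in or the section dropped, and Step 9 appends to /etc/fstab unconditionally, so re-running the steps produces duplicate lines (the script in this commit guards this with a `grep -q` check; the document should do the same).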
diff --git a/gemfeed/configure-stunnel-nfs-r1-r2.sh b/gemfeed/configure-stunnel-nfs-r1-r2.sh
new file mode 100755
index 00000000..58431744
--- /dev/null
+++ b/gemfeed/configure-stunnel-nfs-r1-r2.sh
@@ -0,0 +1,163 @@
+#!/bin/sh
+# Configure stunnel and NFS mounts on r1 and r2 for f3s storage
+# This script should be run on both r1 and r2 Rocky Linux systems
+
+set -e
+
+# Function to print colored status messages
+print_status() {
+ echo -e "\n\033[1;34m>>> $1\033[0m"
+}
+
+print_error() {
+ echo -e "\033[1;31mERROR: $1\033[0m"
+ exit 1
+}
+
+print_success() {
+ echo -e "\033[1;32m✓ $1\033[0m"
+}
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+ print_error "Please run as root"
+fi
+
+# Detect hostname
+HOSTNAME=$(hostname -s)
+if [ "$HOSTNAME" != "r1" ] && [ "$HOSTNAME" != "r2" ]; then
+ print_error "This script should only be run on r1 or r2"
+fi
+
+print_status "Configuring stunnel and NFS on $HOSTNAME"
+
+# Step 1: Install stunnel package
+print_status "Installing stunnel package..."
+dnf install -y stunnel || print_error "Failed to install stunnel"
+print_success "stunnel installed"
+
+# Step 2: Create stunnel directory
+print_status "Creating stunnel configuration directory..."
+mkdir -p /etc/stunnel
+print_success "Directory created"
+
+# Step 3: Copy stunnel certificate from f0
+print_status "Copying stunnel certificate from f0..."
+echo "Please copy the certificate manually:"
+echo "On f0, run: scp /usr/local/etc/stunnel/stunnel.pem root@$HOSTNAME:/etc/stunnel/"
+echo ""
+echo "Press Enter when the certificate has been copied..."
+read -r
+
+# Verify certificate exists
+if [ ! -f /etc/stunnel/stunnel.pem ]; then
+ print_error "Certificate not found at /etc/stunnel/stunnel.pem"
+fi
+print_success "Certificate found"
+
+# Step 4: Create stunnel client configuration
+print_status "Creating stunnel client configuration..."
+cat > /etc/stunnel/stunnel.conf <<'EOF'
+cert = /etc/stunnel/stunnel.pem
+client = yes
+
+[nfs-ha]
+accept = 127.0.0.1:2323
+connect = 192.168.1.138:2323
+EOF
+print_success "Stunnel configuration created"
+
+# Step 5: Create systemd service for stunnel
+print_status "Creating stunnel systemd service..."
+cat > /etc/systemd/system/stunnel.service <<'EOF'
+[Unit]
+Description=SSL tunnel for network daemons
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
+ExecStop=/usr/bin/killall stunnel
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+print_success "Systemd service created"
+
+# Step 6: Enable and start stunnel service
+print_status "Enabling and starting stunnel service..."
+systemctl daemon-reload
+systemctl enable stunnel
+systemctl start stunnel
+systemctl status stunnel --no-pager || print_error "Stunnel failed to start"
+print_success "Stunnel service is running"
+
+# Step 7: Create mount point for NFS
+print_status "Creating NFS mount point..."
+mkdir -p /data/nfs/k3svolumes
+print_success "Mount point created"
+
+# Step 8: Test mount NFS through stunnel
+print_status "Testing NFS mount through stunnel..."
+mount -t nfs4 -o port=2323 127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes || print_error "Failed to mount NFS"
+print_success "NFS mounted successfully"
+
+# Step 9: Verify the mount
+print_status "Verifying NFS mount..."
+mount | grep k3svolumes || print_error "NFS mount not found"
+df -h /data/nfs/k3svolumes
+print_success "NFS mount verified"
+
+# Step 10: Unmount for fstab configuration
+print_status "Unmounting NFS to configure fstab..."
+umount /data/nfs/k3svolumes
+print_success "Unmounted"
+
+# Step 11: Add entry to /etc/fstab for persistent mount
+print_status "Adding NFS mount to /etc/fstab..."
+# Check if entry already exists
+if grep -q "127.0.0.1:/data/nfs/k3svolumes" /etc/fstab; then
+ print_status "Entry already exists in /etc/fstab"
+else
+ echo "127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes nfs4 port=2323,_netdev 0 0" >> /etc/fstab
+ print_success "Added to /etc/fstab"
+fi
+
+# Step 12: Mount using fstab
+print_status "Mounting NFS using fstab entry..."
+mount /data/nfs/k3svolumes || print_error "Failed to mount from fstab"
+print_success "Mounted from fstab"
+
+# Step 13: Final verification
+print_status "Final verification..."
+echo ""
+echo "Stunnel status:"
+systemctl is-active stunnel || print_error "Stunnel is not active"
+echo ""
+echo "NFS mount status:"
+mount | grep k3svolumes
+echo ""
+echo "Disk usage:"
+df -h /data/nfs/k3svolumes
+echo ""
+
+# Step 14: Test write access
+print_status "Testing write access..."
+TEST_FILE="/data/nfs/k3svolumes/test-$HOSTNAME-$(date +%s).txt"
+echo "Test from $HOSTNAME at $(date)" > "$TEST_FILE" || print_error "Failed to write test file"
+cat "$TEST_FILE"
+print_success "Write test successful"
+
+print_success "Configuration complete on $HOSTNAME!"
+echo ""
+echo "Summary:"
+echo "- Stunnel is configured as a client connecting to 192.168.1.138:2323 (CARP VIP)"
+echo "- NFS is mounted through stunnel at /data/nfs/k3svolumes"
+echo "- Mount is persistent across reboots (configured in /etc/fstab)"
+echo "- All traffic between this host and the NFS server is encrypted"
+echo ""
+echo "To verify everything after reboot:"
+echo " systemctl status stunnel"
+echo " mount | grep k3svolumes"
+echo " ls -la /data/nfs/k3svolumes/" \ No newline at end of file
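Review bot: The root check on the line `if [ "$EUID" -ne 0 ]; then` will misbehave under the declared `#!/bin/sh` interpreter: `$EUID` is a bash variable, so with a POSIX sh the test becomes `[ "" -ne 0 ]`, which is an error rather than a root check, and `echo -e` in the print helpers is likewise bash-specific. Either change the shebang to `#!/bin/bash`, or keep `/bin/sh` and use `if [ "$(id -u)" -ne 0 ]` and `printf` for the escape sequences. Separately, the test file written in Step 14 is left on the shared export; removing it after the `cat` would avoid accumulating `test-r1-<timestamp>.txt` files on every run.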
diff --git a/gemfeed/stunnel-nfs-quick-reference.txt b/gemfeed/stunnel-nfs-quick-reference.txt
new file mode 100644
index 00000000..ca7f577a
--- /dev/null
+++ b/gemfeed/stunnel-nfs-quick-reference.txt
@@ -0,0 +1,78 @@
+STUNNEL + NFS QUICK REFERENCE FOR r1 AND r2
+===========================================
+
+COMPLETE SETUP (run as root on r1 and r2):
+------------------------------------------
+
+# 1. Install stunnel
+dnf install -y stunnel
+
+# 2. Copy certificate from f0 (run on f0)
+scp /usr/local/etc/stunnel/stunnel.pem root@r1:/etc/stunnel/
+scp /usr/local/etc/stunnel/stunnel.pem root@r2:/etc/stunnel/
+
+# 3. Create stunnel config on r1/r2
+mkdir -p /etc/stunnel
+cat > /etc/stunnel/stunnel.conf <<'EOF'
+cert = /etc/stunnel/stunnel.pem
+client = yes
+
+[nfs-ha]
+accept = 127.0.0.1:2323
+connect = 192.168.1.138:2323
+EOF
+
+# 4. Create systemd service
+cat > /etc/systemd/system/stunnel.service <<'EOF'
+[Unit]
+Description=SSL tunnel for network daemons
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
+ExecStop=/usr/bin/killall stunnel
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# 5. Enable and start stunnel
+systemctl daemon-reload
+systemctl enable --now stunnel
+
+# 6. Create mount point
+mkdir -p /data/nfs/k3svolumes
+
+# 7. Test mount
+mount -t nfs4 -o port=2323 127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes
+
+# 8. Verify mount works
+ls -la /data/nfs/k3svolumes/
+
+# 9. Add to fstab for persistence
+echo "127.0.0.1:/data/nfs/k3svolumes /data/nfs/k3svolumes nfs4 port=2323,_netdev 0 0" >> /etc/fstab
+
+# 10. Test fstab mount
+umount /data/nfs/k3svolumes
+mount /data/nfs/k3svolumes
+
+VERIFICATION COMMANDS:
+----------------------
+systemctl status stunnel
+mount | grep k3svolumes
+df -h /data/nfs/k3svolumes
+echo "test" > /data/nfs/k3svolumes/test-$(hostname).txt
+
+TROUBLESHOOTING:
+----------------
+# Check stunnel logs
+journalctl -u stunnel -f
+
+# Test connectivity
+telnet 127.0.0.1 2323
+
+# Restart services
+systemctl restart stunnel
+umount /data/nfs/k3svolumes && mount /data/nfs/k3svolumes \ No newline at end of file
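Review bot: Step 2 copies stunnel.pem with `scp` but never restricts its permissions; because the config has `cert =` and no separate `key =`, stunnel reads the private key from that same file, so it should be followed by `chmod 600 /etc/stunnel/stunnel.pem` on r1 and r2 (the setup document's troubleshooting section already lists "wrong permissions" as a failure cause). Step 9's `echo ... >> /etc/fstab` also appends without checking for an existing entry, unlike the script, so running the quick reference twice duplicates the mount line.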