https://blog.wgz.sh/tags/proxmox/ Recent content in Proxmox on wgz.sh Hugo -- 0.153.1 en-us Sun, 26 Apr 2026 20:54:55 -0400 https://blog.wgz.sh/posts/ssh-tunneling/ Sun, 26 Apr 2026 20:54:55 -0400 https://blog.wgz.sh/posts/ssh-tunneling/ <h2 id="intro">Intro</h2> <p>Recently I made a mistake in my firewall rules and locked myself out from having management access to my Proxmox cluster. What&rsquo;s worse is that I could not get into the nodes via <code>SSH</code> because that was blocked as well.</p> <p>This meant I had no easy way to disable these rules, and unfortunately Proxmox lives in a data center very far away from me.</p> <p>This is where SSH tunneling came in handy for me!</p> https://blog.wgz.sh/posts/proxmox-firewall/ Sun, 26 Apr 2026 20:14:30 -0400 https://blog.wgz.sh/posts/proxmox-firewall/ <h2 id="intro">Intro</h2> <p>In my homelab I&rsquo;ve been tediously managing firewall rules using <code>ufw</code>, <code>iptables</code>, and <code>fail2ban</code>. While this works well, I believe it&rsquo;s overly complicated for my setup. This led me down the rabbit hole of how to implement firewall rules in Proxmox.</p> <p>Proxmox&rsquo;s firewall is extremely competent, but it can be tricky as well.</p> <p>One thing I learned about Proxmox is that you need to make sure the firewall is enabled in multiple places. You have several layers of firewalling, one for the hosts, one for the VMs, and one for services running in VNETs. These firewall rules are backed by either <code>iptables</code> or the more modern <code>nftables</code> in the case of VNETs.</p> https://blog.wgz.sh/posts/zfs-commands/ Fri, 20 Feb 2026 07:53:01 -0500 https://blog.wgz.sh/posts/zfs-commands/ <h2 id="abstract">Abstract</h2> <p>Dedicated to <a href="https://en.wikipedia.org/wiki/ZFS">ZFS</a> administration.</p> <h2 id="zpool-administration">Zpool Administration</h2> <h3 id="basic-commands">Basic Commands</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>zpool list </span></span><span style="display:flex;"><span>zpool list &lt;name&gt; </span></span><span style="display:flex;"><span>zpool list -v zroot </span></span><span style="display:flex;"><span>zpool status -x </span></span></code></pre></div><h3 id="creating-pools-and-vdevs">Creating Pools and VDEVs</h3> <ul> <li>Make sure ashift is 4k, <code>vfs.zfs.min_auto_ashift=12</code></li> </ul> <p><img alt="alt text" loading="lazy" src="https://blog.wgz.sh/images/zfs-ashift.png"></p> <ul> <li>Select disks (da1, da2, da3)</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>ls -al /dev/ | grep da </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x5a Nov <span style="color:#ae81ff">14</span> 02:51 da0 </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x5b Nov <span style="color:#ae81ff">14</span> 02:51 da0p1 </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x5c Nov <span style="color:#ae81ff">14</span> 02:51 da0p2 </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x5d Nov <span style="color:#ae81ff">14</span> 02:51 da0p3 </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x6a Nov <span style="color:#ae81ff">15</span> 18:46 da1 </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x6d Nov <span style="color:#ae81ff">15</span> 18:46 da2 </span></span><span style="display:flex;"><span>crw-r-----   <span style="color:#ae81ff">1</span> root operator 0x70 Nov <span style="color:#ae81ff">15</span> 18:46 da3 </span></span></code></pre></div><ul> <li>We can create a disk, provide it 1gb of swap, and label it.</li> <li>The labels should correspond to device serial numbers and location in production so it&rsquo;s easy to swap out.</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>GB swap partition and a large ZFS partition, created with gpart<span style="color:#f92672">(</span>8<span style="color:#f92672">)</span>. </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> gpart create -s gpt da1 </span></span><span style="display:flex;"><span> gpart add -a 1m -s1g -l sw1 -t freebsd-swap da1 </span></span><span style="display:flex;"><span> gpart add -a 1m -l zfs1 -t freebsd-zfs da1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> gpart create -s gpt da2 </span></span><span style="display:flex;"><span> gpart add -a 1m -s1g -l sw2 -t freebsd-swap da2 </span></span><span style="display:flex;"><span> gpart add -a 1m -l zfs2 -t freebsd-zfs da2 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> gpart create -s gpt da3 </span></span><span style="display:flex;"><span> gpart add -a 1m -s1g -l sw3 -t freebsd-swap da3 </span></span><span style="display:flex;"><span> gpart add -a 1m -l zfs3 -t freebsd-zfs da3 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> gpart create -s gpt da4 </span></span><span style="display:flex;"><span> gpart add -a 1m -s1g -l sw4 -t freebsd-swap da4 </span></span><span style="display:flex;"><span> gpart add -a 1m -l zfs4 -t freebsd-zfs da4 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> gpart create -s gpt da5 </span></span><span style="display:flex;"><span> gpart add -a 1m -s1g -l sw5 -t freebsd-swap da5 </span></span><span style="display:flex;"><span> gpart add -a 1m -l zfs5 -t freebsd-zfs da5 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> gpart show -l &lt;device&gt; </span></span><span style="display:flex;"><span> glabel status </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>zpool create &lt;pool-name&gt; /dev/label/zfs1 /dev/label/zfs2 /dev/label/zfs3 </span></span></code></pre></div><h3 id="fix-degraded-pool">Fix Degraded Pool</h3> <ul> <li>Here we see the state is <code>DEGRADED</code></li> </ul> <p><img alt="alt text" loading="lazy" src="https://blog.wgz.sh/images/zfs-tank.jpeg"></p> https://blog.wgz.sh/posts/fail2ban-logging/ Wed, 31 Dec 2025 15:49:37 -0500 https://blog.wgz.sh/posts/fail2ban-logging/ <p>Hello everyone!</p> <p>Today I wanted to discuss how I&rsquo;m keeping track of Fail2ban logs on my Proxmox cluster.</p> <p>For those of you who don&rsquo;t know what <a href="https://github.com/fail2ban/fail2ban">Fail2ban</a> is, it is a simple program that can automatically ban threats via iptables by parsing log files and scanning for regex patterns.</p> <p>Here is a sample file that can be parsed:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#f92672">[</span>Definition<span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span>failregex <span style="color:#f92672">=</span> pvedaemon<span style="color:#ae81ff">\[</span>.*authentication failure; rhost<span style="color:#f92672">=</span>&lt;HOST&gt; user<span style="color:#f92672">=</span>.* msg<span style="color:#f92672">=</span>.* </span></span><span style="display:flex;"><span>ignoreregex <span style="color:#f92672">=</span> </span></span></code></pre></div><p>And here is the the jail configuration:</p> https://blog.wgz.sh/posts/colocating-my-homelab/ Sat, 05 Apr 2025 17:15:21 -0400 https://blog.wgz.sh/posts/colocating-my-homelab/ <p>Hey all,</p> <p>I recently decided to purchase a dedicated server from <a href="https://my.racknerd.com/">RackNerd</a> with the goal of hosting my homelab services remotely.</p> <p>Previously, I ran a high-availability Proxmox cluster out of my one-bedroom apartment in NYC, powered by a few Dell Optiplex 4090s. A few months ago, I moved into a new place and had to decommission that setup.</p> <p>Since my new setup is remote, it presented a few challenges:<br> <em>How am I going to administer my lab? How can I secure it? What services will I host?</em></p>