    Latest posts made by ww9rivers

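    • Homelab Setup

      Spent a busy day at home today, and it feels like quite an accomplishment!

      A few months ago, I bought a Beelink SER5 Max mini PC on Amazon, with 32GB of RAM and a 500GB SSD.

      After using it for a while, I found the performance pretty good. So on Prime Day I went and bought a 2TB SSD as well.

      I have always wanted to build a decent homelab at home. With this little box, I can actually put that idea into practice!

      1. Proxmox virtual machine environment

      First, I installed the Proxmox virtual machine environment on the 2TB SSD. It is a virtual machine management system based on Debian Linux.

      2. Windows 11 Pro virtual machine

      Because my work Windows PC cannot access Chinese websites, not even the Bank of China website, I have always wanted a Windows system of my own, so that I have somewhere to install the software I need for staying in touch with China, such as Tencent Meeting. So I still want to keep the Windows 11 Pro that came preinstalled on this mini PC.

      3. Note-taking software

      I wanted to install a note-taking system that I can use not only at home but also when I am out. After looking around, I found that many people recommend Obsidian. So I installed a Sync-in server, which can serve as a backend for Obsidian.

      4. Password system

      I used a password system at work before. Later, that company made big news with a data breach, after which the hospital terminated its contract with the company and stopped using that password management software.

      Some colleagues use Bitwarden, and quite a few people online recommend it too. I searched for a long time and found Vaultwarden, an open-source version.

      Of all these installs, wrestling with the Windows 11 virtual machine took the longest... This is why I like open-source software.

      posted in Tech Chat (聊技术) tech talk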
      ww9rivers
    • RE: OpenSSH on Windows

      Try again!

      Removing it first:

      > Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
      
      Path          :
      Online        : True
      RestartNeeded : False
      
      

      Checking:

      > Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
      
      Name  : OpenSSH.Client~~~~0.0.1.0
      State : NotPresent
      
      Name  : OpenSSH.Server~~~~0.0.1.0
      State : NotPresent
      

      Install again:

      > Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
      
      Add-WindowsCapability : The operation could not be completed due to pending operations.
      At line:1 char:1
      + Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException
          + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand
      

      Really?

      When in doubt, reboot!?

      Rebooted. Try again! Same message!!

      Trying to post a question in Microsoft Windows Community. I got a stern warning:

      Violation of Code of Conduct

      posted in Tech Chat (聊技术)
      ww9rivers
    • RE: OpenSSH on Windows

      It seems that I cannot even add the OpenSSH Client feature using the Windows Settings app.

      It tries. Then it just says Couldn't add.

      Adding OpenSSH Server seems to work -- It says Added.

      Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'
      
      Name  : OpenSSH.Client~~~~0.0.1.0
      State : NotPresent
      
      Name  : OpenSSH.Server~~~~0.0.1.0
      State : Installed
      

      However, there is no OpenSSH Server service in the Services app.

      Sigh!

      posted in Tech Chat (聊技术)
      ww9rivers
    • RE: OpenSSH on Windows

      One of the frustrating things about OpenSSH on Windows is that all the logs are in Windows Event Logs, and there's not much it does log about what is going on, even though Copilot had me change the log level in sshd_config:

      LogLevel DEBUG3
      

      Will try to get more out of the logs later.

      posted in Tech Chat (聊技术)
      ww9rivers
    • OpenSSH on Windows

      SSH is a secure shell, a remote access tool that Linux/UNIX users have been using for years and years. Many projects have attempted to get SSH onto Windows over the years, with various levels of success. So I was thrilled when Microsoft finally seems to embrace it and made it a feature of Windows 10 and then 11.

      Windows is such a confused and confusing beast for so long! One has to marvel at its monstrosity!

      Back to OpenSSH on Windows. I recently got myself a Windows 11 mini PC. I normally just use Remote Desktop with it. But I want to use it for coding so I would like to get SSH working with a key instead of using password.

      I thought that would be easy!

      And I would be wrong!

      Windows is dead set to deny connection using an SSH key!

      It accepts my password. But when I put this in sshd_config:

      PasswordAuthentication no
      

      It simply responds with Permission denied (publickey).

      I asked Microsoft Copilot about the error. It suggested that I should make sure that my public key is in the C:\Users\<target-username>\.ssh\authorized_keys file and make sure that it has proper permissions:

      icacls "$env:USERPROFILE\.ssh\authorized_keys" /inheritance:r
      icacls "$env:USERPROFILE\.ssh\authorized_keys" /grant "$env:USERNAME:F"
      

      We went back and forth about icacls working differently in a PowerShell window vs. Command, verifying that the permissions were right, stopping and restarting sshd service numerous times, etc. Nothing worked! On the client (Linux) side, ssh -vvv showed that various keys were presented to the server, none were accepted.

      Copilot suggested creating a new pair of keys and ssh-copy-id the new public key to the remote host and test with that specifically. Didn't work!

      Copilot suggested to debug with an interactive sshd.exe -ddd run in Windows. That got me some complaints about UNPROTECTED PRIVATE KEY FILE!. Now that seems to indicate that sshd may also have the same issue reading private host keys when starting as a service.

      Copilot thought so, too. It said that this is the breakthrough we needed.

      It told me to open up the Command Prompt as Administrator and run these commands:

      cd C:\ProgramData\ssh
      
      :: Remove inheritance
      icacls ssh_host_rsa_key /inheritance:r
      icacls ssh_host_ecdsa_key /inheritance:r
      icacls ssh_host_ed25519_key /inheritance:r
      
      :: Remove all existing permissions
      icacls ssh_host_rsa_key /remove:g Everyone
      icacls ssh_host_ecdsa_key /remove:g Everyone
      icacls ssh_host_ed25519_key /remove:g Everyone
      
      :: Grant SYSTEM and Administrators full control
      icacls ssh_host_rsa_key /grant SYSTEM:F
      icacls ssh_host_rsa_key /grant Administrators:F
      
      icacls ssh_host_ecdsa_key /grant SYSTEM:F
      icacls ssh_host_ecdsa_key /grant Administrators:F
      
      icacls ssh_host_ed25519_key /grant SYSTEM:F
      icacls ssh_host_ed25519_key /grant Administrators:F
      

      But sshd still complained about UNPROTECTED PRIVATE KEY FILE!.

      Copilot gave more suggestions:

      cd C:\ProgramData\ssh
      
      :: Remove all existing permissions
      icacls ssh_host_rsa_key /reset
      icacls ssh_host_ecdsa_key /reset
      icacls ssh_host_ed25519_key /reset
      
      :: Remove inheritance
      icacls ssh_host_rsa_key /inheritance:r
      icacls ssh_host_ecdsa_key /inheritance:r
      icacls ssh_host_ed25519_key /inheritance:r
      
      :: Grant SYSTEM full control
      icacls ssh_host_rsa_key /grant SYSTEM:F
      icacls ssh_host_ecdsa_key /grant SYSTEM:F
      icacls ssh_host_ed25519_key /grant SYSTEM:F
      
      :: Grant Administrators full control
      icacls ssh_host_rsa_key /grant Administrators:F
      icacls ssh_host_ecdsa_key /grant Administrators:F
      icacls ssh_host_ed25519_key /grant Administrators:F
      

      We verified permissions:

      icacls ssh_host_rsa_key
      ssh_host_rsa_key BUILTIN\Administrators:(F)
                       NT AUTHORITY\SYSTEM:(F)
      
      Successfully processed 1 files; Failed processing 0 files
      

      At one point along the way, the icacls command complained that ssh_host_rsa_key: Access is denied.

      And we did more:

      takeown /F ssh_host_rsa_key
      takeown /F ssh_host_ecdsa_key
      takeown /F ssh_host_ed25519_key
      

      Reset permissions:

      icacls ssh_host_rsa_key /reset
      icacls ssh_host_ecdsa_key /reset
      icacls ssh_host_ed25519_key /reset
      

      Remove inheritance:

      icacls ssh_host_rsa_key /inheritance:r
      icacls ssh_host_ecdsa_key /inheritance:r
      icacls ssh_host_ed25519_key /inheritance:r
      

      Grant Only SYSTEM and Administrators Full Control:

      icacls ssh_host_rsa_key /grant "SYSTEM:F"
      icacls ssh_host_rsa_key /grant "Administrators:F"
      
      icacls ssh_host_ecdsa_key /grant "SYSTEM:F"
      icacls ssh_host_ecdsa_key /grant "Administrators:F"
      
      icacls ssh_host_ed25519_key /grant "SYSTEM:F"
      icacls ssh_host_ed25519_key /grant "Administrators:F"
      

      Now, sshd.exe -ddd no longer complained in Command Prompt. But the OpenSSH service would not start anymore.

      I was frustrated enough at that point. I removed the OpenSSH feature from Windows. I found an OpenSSH Preview package with version 9.8.3.0. I tried that.

      The OpenSSH Server service process would NOT start.

      Uninstalled that. Put the regular OpenSSH feature back in.

      The OpenSSH Server service process would NOT start.

      I gave up! Even Copilot is confused. I am going to try StackOverflow, SuperUser, or some other community.

      [EDIT] 2025-09-28 -- Posted it to Superuser.

      posted in Tech Chat (聊技术) tech talk
      ww9rivers
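
Added example, not part of the original post and not code from the OpenSSH project: the default sshd_config shipped with OpenSSH for Windows ends with a `Match Group administrators` block that redirects `AuthorizedKeysFile`, so which file sshd reads depends on the account's group membership. The resolver below is a simplified sketch; `effective_option`, `resolve_path`, the user name `alice`, the group lists and the `C:\Users\<name>` home location are assumptions for illustration.

```python
# Constructed excerpt modelled on the default sshd_config shipped with
# OpenSSH for Windows, plus the two settings quoted in the post.
SSHD_CONFIG = """\
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
LogLevel DEBUG3

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
"""

def effective_option(config, keyword, user_groups):
    """Resolve one keyword for a user with the given group names.

    Simplified: only 'Match Group <name[,name]>' with exact names is
    understood; any other Match criteria are treated as not matching.
    """
    groups = {g.lower() for g in user_groups}
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            crit = value.split()
            applies = (len(crit) == 2 and crit[0].lower() == "group"
                       and bool(groups & {g.lower() for g in crit[1].split(",")}))
        elif key == keyword.lower():
            if in_match and applies and match_val is None:
                match_val = value          # first matching Match block wins
            elif not in_match and global_val is None:
                global_val = value         # first global value wins
    # Settings from a matching Match block override the global section.
    return match_val if match_val is not None else global_val

def resolve_path(value, username):
    """Turn the configured value into the Windows path sshd would open."""
    if value.startswith("__PROGRAMDATA__"):
        return value.replace("__PROGRAMDATA__", r"C:\ProgramData").replace("/", "\\")
    return "C:\\Users\\" + username + "\\" + value.replace("/", "\\")

if __name__ == "__main__":
    for grp in (["Users"], ["Administrators", "Users"]):
        opt = effective_option(SSHD_CONFIG, "AuthorizedKeysFile", grp)
        print(grp, "->", resolve_path(opt, "alice"))
```
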
    • GnuTLS Error -54 in rsyslog Server

      Recently, I have been dealing with an issue with rsyslog server, where it logs error messages with TLS connections. I posted a question on ServerFault but have not received any response for 10 days.

      It is hard to debug TLS connection issues as application data is encrypted in the traffic. I tried tcpdump to capture some packets anyways.

      Looking through the captured packets, it seems that the syslog client, in this case an EPIC server, may have dropped the TLS connection without properly closing it.

      Checking this theory with ChatGPT - here is what may have been happening:

      1. A party to a TCP connection should send a close_notify inside the TLS stream to properly close the connection;
      2. The TLS library receives data until end-of-stream (read returns 0 or error) OR a close_notify is processed.
      3. If a close_notify was received before end-of-stream, the TLS library can report a clean shutdown; otherwise, it may report an error or truncated data.
      4. If a peer closes its TCP write side without sending close_notify, your TLS library will report an unexpected EOF, truncated data, or similar error.

      That seems to match the errors emitted by rsyslogd. For now, we're just going to chalk it up to that unless any further issues pop up. If I have time, I might dig into the rsyslog source code on GitHub.

      posted in Blogs syslog rsyslog tech talk
      ww9rivers
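
Added example, not part of the original post: a way to check the close_notify theory against a packet capture by walking the outer TLS record headers of one direction of the reassembled TCP stream and looking at the last record before the sender ends TCP. It applies to TLS 1.2 and earlier, where an encrypted alert still carries outer content type 21; in TLS 1.3 every encrypted record, alerts included, carries type 23, so the header alone cannot tell them apart. The function names and the byte streams are constructed for illustration.

```python
import struct

# Outer TLS record content types (RFC 5246, RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def walk_records(stream: bytes):
    """Split one direction of a reassembled TCP stream into TLS records.

    Returns (records, leftover): records is a list of (type_name, length)
    and leftover counts trailing bytes that do not form a whole record.
    """
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in CONTENT_TYPES or pos + 5 + length > len(stream):
            break
        records.append((CONTENT_TYPES[ctype], length))
        pos += 5 + length
    return records, len(stream) - pos

def classify_close(stream: bytes, tcp_end: str) -> str:
    """tcp_end is how the capture shows the sender ending TCP: 'FIN' or 'RST'."""
    records, leftover = walk_records(stream)
    if leftover:
        return "truncated: stream ends with bytes that are not a whole TLS record"
    if records and records[-1][0] == "alert":
        # The alert body is encrypted after the handshake, so its code is
        # unreadable; a final alert record is what a close_notify looks like.
        return f"alert before {tcp_end}: consistent with close_notify"
    return f"no alert before {tcp_end}: TCP ended without a visible close_notify"

def rec(ctype: int, body: bytes) -> bytes:
    """Build one constructed record with a TLS 1.2 header (sample data only)."""
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

# Constructed client-to-server byte streams, not taken from a real capture.
CLEAN = rec(23, bytes(64)) + rec(21, bytes(26))    # data, then encrypted alert
ABRUPT = rec(23, bytes(64)) + rec(23, bytes(48))   # data only, then TCP ends
CUT = CLEAN[:40]                                   # sender stopped mid-record

if __name__ == "__main__":
    for name, stream, end in (("clean", CLEAN, "FIN"),
                              ("abrupt", ABRUPT, "RST"), ("cut", CUT, "FIN")):
        print(name, "->", classify_close(stream, end))
```
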
    • "The rocket-fast system for log processing": rsyslog

      I have been using rsyslog for many years now to provide a centralized logging service to the enterprise. Previously I have used syslog-ng. Since the Linux distributions used at work switched to rsyslog, I went along.

      I have set up the syslog/rsyslog services and they just ran. For years, I just let them be. But as complexity grew in these services, I started to encounter problems. Thus this blog entry. I expect more to follow.

      Rsyslog Configuration

      First thing to discuss is the rsyslog configuration.

      Traditionally, syslog configuration uses a legacy syntax. Both rsyslog and syslog-ng support it. The legacy syntax starts simple but it brings along some complexity of its own. Here are a few examples from Ubuntu:

      auth,authpriv.*                 /var/log/auth.log
      *.*;auth,authpriv.none          -/var/log/syslog
      

      You can kind of guess what those lines mean.

      Rsyslog, on the other hand, has a new RainerScript system for configuration, which I use quite extensively at work. More on that later.

      Performance

      Another learning experience for me is about rsyslog performance. It had worked wonderfully for me for years without looking under the hood...until something (or, a combination of things) happened.

      Troubleshooting

      Troubleshooting rsyslog issues is still new to me -- even though I have been using the software, I have not actually run into many problems until recently. It is of interest to me to write down the experiences.

      That's it for today. Have a nice weekend!

      posted in Blogs syslog rsyslog tech talk
      ww9rivers
    • Hisense QD6 FireTV as 4K Monitor

      Bought a 43" Hisense QD6 QLED TV from Costco around Christmas to use as a computer monitor. I work from home for the most part of the last few years since the COVID-19 pandemic. My work involves mostly running commands remotely in terminals, writing code using VS Code, reading / writing documents, and web browsing. I am used to a lot of browser tabs and windows, so having a large monitor makes those tasks easier.

      Having used this TV as an external monitor on my laptop for a few weeks now, I like the crispy display of text, images, etc., but there are a few quirks (OK, problems) that really bother me.

      First, this TV is really built as a TV, that doesn't seem to want to work as a monitor: It cuts off the HDMI interface to the PC whenever something happens, like when the PC goes into screen saver mode, or if you press the Home button on the TV remote, not to mention when the PC is powered off then comes back, or reboot.

      When that happens, all windows open on this secondary monitor go over to the laptop screen. I would have to rearrange things. Then I have to do it again when I walk away to make some coffee, then again after lunch.

      Besides that, the TV monitor somehow turns off the media control buttons on the USB keyboard made by Dell, which I use on the laptop while sitting at the desk and which has worked with other external HDMI monitors before.

      Another issue is that the PC's Windows 10 sound system seems to get confused when the TV is used as an external monitor. System sound would be directed to the TV sometimes even though it has been on the internal sound system previously.

      I wonder if these quirks have more to do with the fact that this TV is branded as a FireTV, which is an Amazon technology. So I am not sure if these quirks reflect more on Amazon's arrogance or bad implementation by the TV manufacturer.

      I don't know if my writing down these quirks would do anything. If possible, I would like to get this to people at Hisense, so maybe...just maybe we can get a firmware update or something so it can be more useful.

      posted in Tech Chat (聊技术) tech talk bugs
      ww9rivers
    • A New Way to Steal?

      Fraud on the Internet is nothing new. But I believe I did have a new encounter yesterday.

      While browsing in the Google app on my iPhone, I ran into an ad for the Samsung 990 Pro 2 PCIe 4.0 NVMe SSD that had a lowest price of $95. I was intrigued!

      I clicked it...and again, that first entry looked interesting!

      4TB!! For $95!! That's crazy!! Did someone make a typo?

      The details look right. . . but why does the page have Adorama on it? I know that is a legitimate camera shop who do sell storage devices as well. But who is skxhnvn.shop?! That's not ADORAMA!

      Oh, well. Looks like it's actually some entrepreneurial soul in Chengdu -- a lovely city in the Sichuan Province, China.

      I have been receiving calls about package delivery, messages from strangers pretending to be a long lost acquaintance. This looks like a new one.

      I guess I could report this to abuse@west.cn . . . but do they really care?

      posted in Blogs security privacy
      ww9rivers
    • sso-oauth2-multiple for Yahoo!

      Yahoo! supports OAuth2. So I am trying to use the nodebb-plugin-sso-oauth2-multiple, which does not work yet.

      I believe I have configured it correctly. However, when I try to use it to register an account, I get some JSON object containing a non-descriptive error message:

      {
        "error":{
          "localizedMessage":"not found",
          "errorId":"NOT_FOUND",
          "message":"not found"
        }
      }
      

      Reported the issue on GitHub. No update yet. Probably need to ask in the NodeBB Community.

      Just got the plugin updated from 1.4.1 to 1.4.2. Let's see what's next.

      posted in Tech Chat (聊技术) tech talk bugs
      ww9rivers