From 6d9ccee1408acaab42ca9d3def22f3ee0949c049 Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Fri, 24 Jan 2025 15:59:22 -0500 Subject: [PATCH 01/13] Create ubuntu.md beginnings of ubuntu setup, incomplete --- ubuntu.md | 157 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 ubuntu.md diff --git a/ubuntu.md b/ubuntu.md new file mode 100644 index 0000000..cd85d97 --- /dev/null +++ b/ubuntu.md 
@@ -0,0 +1,157 @@ +# Ubuntu Server + +Setting up rootless podman on a fresh ubuntu 24.10 server. + +> [!WARNING] +> Perform `sudo apt update && sudo apt upgrade` immediately. Perform reboot if necessary + +## SSH + +SSH is optional, but highly encouraged. OpenSSH is installed by default and sshd is running by default. + +```bash +## Generate strong key on your laptop or workstation/desktop +## If you already have keys DO NOT overwrite your previous keys + +ssh-keygen + +## Optionally set a passphrase + +## Copy key to Ubuntu +ssh-copy-id username@remote_host +``` + +## Override `sshd` config + +We don't want to allow anyone to login as root remotely ever. You must be a +`sudoer` with public key auth to elevate to root. + +SSH into your server and run `sudoedit /etc/ssh/sshd_config` See [stackoverflow question](https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi) for reasons to use sudoedit over sudo. + +```bash +## Uncomment PasswordAuthentication and set value to no +PasswordAuthentication no + +## Disable root login +PermitRootLogin no + +## Optionally disable X11 forwarding +X11Forwarding no +``` +Save file and then run `systemctl restart ssh` Before closing your session, open a new terminal and test SSH is functioning correctly. + +## Podman + +Podman is a daemonless container hypervisor. This document prepares a fully +rootless environment for our containers to run in. + +## Install + +```bash +dnf install podman +systemctl enable --now podman +``` + +> [!NOTE] +> Read the docs. +> `man podman-systemd.unit` + +## Prepare host networking stack + +## slirp4netns + +> [!NOTE] +> This may not be necessary but my system is currently using it. + +```bash +dnf install slirp4netns +``` + +## Install DNS server for `podman` + +> [!NOTE] +> Not sure how to resolve these correctly yet but the journal logs it +> so it's running for something. 
+ +```bash +dnf install aardvark-dns +``` + +## Allow rootless binding port 80+ + +> [!NOTE] +> This is only necessary if you are setting up the reverse proxy. + +```bash +printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-unprivileged-port-binding.conf +sysctl 'net.ipv4.ip_unprivileged_port_start=80' +``` + +## Allow containers to route within multiple networks + +```bash +printf '%s\n' 'net.ipv4.conf.all.rp_filter=2' > /etc/sysctl.d/99-reverse-path-loose.conf +sysctl -w net.ipv4.conf.all.rp_filter=2 +``` + +## Prepare container user + +This user will be the owner of all containers with no login shell or root +privileges. + +```bash +# Prepare a group id outside of the normal range +groupadd --gid 2000 $ctuser +# Create user with restrictions +# We need the $HOME to live in +useradd --create-home \ + --shell /usr/bin/false \ + --password $ctuser_pw \ + --no-user-group \ + --gid $ctuser \ + --groups systemd-journal \ + --uid 2000 \ + $ctuser +# Lock user from password login +usermod --lock $ctuser +# Add container sub-ids +usermod --add-subuids 200000-299999 --add-subgids 200000-299999 $ctuser +# Start $ctuser session at boot without login +loginctl enable-linger $ctuser +``` + +> [!TIP] +> Optionally setup ssh keys to directly login to $ctuser. + +> [!NOTE] +> The login shell doesn't exist. Launch `bash -l` manually to get a shell or +> else your `ssh` will exit with a status of 1. 
+ +## Setup $ctuser env + +```bash +# Switch to user (`-i` doesn't work without a login shell) +sudo -u $ctuser bash -l +# Create dirs +mkdir -p ~/.config/{containers/systemd,environment.d} ~/containers/storage +# Prepare `systemd --user` env +echo 'XDG_RUNTIME_DIR=/run/user/2000' >> ~/.config/environment.d/10-xdg.conf +# Enable container auto-update +podman system migrate +# WARNING: Set strict versions for all containers or risk catastrophe +systemctl --user enable --now podman-auto-update +exit +``` + +> [!WARNING] +> I disabled SELinux to not deal with this for every container. +> /etc/selinux/config -> `SELINUX=disabled` + +> [!NOTE] +> Set up the correct policies permanently instead of disabling SELinux + +Temporarily set SELinux policy to allow containers to use devices. + +```bash +setsebool -P container_use_devices 1 +``` -- 2.45.3 From c4910612822544f87744df08ea0623fd58e7217f Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Fri, 24 Jan 2025 23:26:23 -0500 Subject: [PATCH 02/13] Update ubuntu.md --- ubuntu.md | 69 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 35 insertions(+), 34 deletions(-) diff --git a/ubuntu.md b/ubuntu.md index cd85d97..154eb2a 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -3,7 +3,7 @@ Setting up rootless podman on a fresh ubuntu 24.10 server. > [!WARNING] -> Perform `sudo apt update && sudo apt upgrade` immediately. Perform reboot if necessary +> Perform `sudo apt update && sudo apt upgrade` immediately. Reboot system. ## SSH 
@@ -26,7 +26,9 @@ ssh-copy-id username@remote_host We don't want to allow anyone to login as root remotely ever. You must be a `sudoer` with public key auth to elevate to root. -SSH into your server and run `sudoedit /etc/ssh/sshd_config` See [stackoverflow question](https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi) for reasons to use sudoedit over sudo. +SSH into your server and run `sudoedit /etc/ssh/sshd_config` + +See [stackoverflow question](https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi) for reasons to use sudoedit over sudo. ```bash ## Uncomment PasswordAuthentication and set value to no @@ -48,7 +50,9 @@ rootless environment for our containers to run in. ## Install ```bash -dnf install podman +sudo apt install podman + +## Make sure podman is running systemctl enable --now podman ``` 
@@ -58,46 +62,44 @@ systemctl enable --now podman ## Prepare host networking stack -## slirp4netns +## Pasta or slirp4netns > [!NOTE] -> This may not be necessary but my system is currently using it. +> As of Podman 5.0 Pasta is the default rootless networking tool. +> +> Podman 5.0 is available in standard Ubuntu repo since 24.10. ```bash -dnf install slirp4netns -``` - -## Install DNS server for `podman` - -> [!NOTE] -> Not sure how to resolve these correctly yet but the journal logs it -> so it's running for something. - -```bash -dnf install aardvark-dns +sudo apt install passt ``` ## Allow rootless binding port 80+ +### Option 1: Modify range of unpriveleged ports + > [!NOTE] -> This is only necessary if you are setting up the reverse proxy. +> This is only necessary if you are setting up the reverse proxy (or any service on ports <1024). +`sudoedit /etc/sysctl.conf` ```bash -printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-unprivileged-port-binding.conf -sysctl 'net.ipv4.ip_unprivileged_port_start=80' +## Add the following line and save +net.ipv4.ip_unprivileged_port_start=80 ``` -## Allow containers to route within multiple networks +### Option 2: Redirect using firewalls +See [jdboyd blog post for PARTIAL examples using UFW, iptables, and nftables](https://blog.jdboyd.net/2024/05/exposing-privileged-ports-with-podman/) -```bash -printf '%s\n' 'net.ipv4.conf.all.rp_filter=2' > /etc/sysctl.d/99-reverse-path-loose.conf -sysctl -w net.ipv4.conf.all.rp_filter=2 -``` +>[!WARNING] +> IF UTILIZING THIS METHOD +> +> CREATE RULES TO ALLOW SSH BEFORE ENABLING THE FIREWALL ## Prepare container user This user will be the owner of all containers with no login shell or root -privileges. +privileges. + +Note $ctuser is a placeholder, replace with your username ```bash # Prepare a group id outside of the normal range 
@@ -120,18 +122,17 @@ usermod --add-subuids 200000-299999 --add-subgids 200000-299999 $ctuser loginctl enable-linger $ctuser ``` -> [!TIP] -> Optionally setup ssh keys to directly login to $ctuser. - -> [!NOTE] -> The login shell doesn't exist. Launch `bash -l` manually to get a shell or -> else your `ssh` will exit with a status of 1. - ## Setup $ctuser env +>[!NOTE] +> See the following for reasons to use machinectl instead of su +> [RedHat blog post](https://www.redhat.com/en/blog/sudo-rootless-podman) +> +> [reddit post](https://old.reddit.com/r/linuxadmin/comments/rxrczr/in_interesting_tidbit_i_just_learned_about_the/) + ```bash -# Switch to user (`-i` doesn't work without a login shell) -sudo -u $ctuser bash -l +# Switch to $ctuser +machinectl shell $ctuser # Create dirs mkdir -p ~/.config/{containers/systemd,environment.d} ~/containers/storage # Prepare `systemd --user` env -- 2.45.3 From 9325328bd82cc7ec2fd6cb8c1a622e58c5777119 Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Sat, 25 Jan 2025 14:16:58 -0500 Subject: [PATCH 03/13] update rootless networking remove selinux section --- ubuntu.md | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/ubuntu.md b/ubuntu.md index 154eb2a..a760871 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -68,10 +68,8 @@ systemctl enable --now podman > As of Podman 5.0 Pasta is the default rootless networking tool. > > Podman 5.0 is available in standard Ubuntu repo since 24.10. - -```bash -sudo apt install passt -``` +> +> Both are installed with podman see [rootless networking for configuration](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#networking-configuration) ## Allow rootless binding port 80+ 
@@ -143,16 +141,3 @@ podman system migrate systemctl --user enable --now podman-auto-update exit ``` - -> [!WARNING] -> I disabled SELinux to not deal with this for every container. -> /etc/selinux/config -> `SELINUX=disabled` - -> [!NOTE] -> Set up the correct policies permanently instead of disabling SELinux - -Temporarily set SELinux policy to allow containers to use devices. - -```bash -setsebool -P container_use_devices 1 -``` -- 2.45.3 From 314bf18887d9f0a2ff0362b947cb266bbc0bae82 Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Sat, 25 Jan 2025 14:30:05 -0500 Subject: [PATCH 04/13] Fixed commands that require sudo --- ubuntu.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ubuntu.md b/ubuntu.md index a760871..645dda8 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -101,10 +101,10 @@ Note $ctuser is a placeholder, replace with your username ```bash # Prepare a group id outside of the normal range -groupadd --gid 2000 $ctuser +sudo groupadd --gid 2000 $ctuser # Create user with restrictions # We need the $HOME to live in -useradd --create-home \ +sudo useradd --create-home \ --shell /usr/bin/false \ --password $ctuser_pw \ --no-user-group \ @@ -113,9 +113,9 @@ useradd --create-home \ --uid 2000 \ $ctuser # Lock user from password login -usermod --lock $ctuser +sudo usermod --lock $ctuser # Add container sub-ids -usermod --add-subuids 200000-299999 --add-subgids 200000-299999 $ctuser +sudo usermod --add-subuids 200000-299999 --add-subgids 200000-299999 $ctuser # Start $ctuser session at boot without login loginctl enable-linger $ctuser ``` -- 2.45.3 From 318b9086372e7164a2d35694a40f1be35c7f9468 Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Sat, 25 Jan 2025 14:52:42 -0500 Subject: [PATCH 05/13] fix @ctuser setup --- ubuntu.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/ubuntu.md b/ubuntu.md index 645dda8..37063d0 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -128,9 +128,13 @@ loginctl enable-linger $ctuser > > [reddit post](https://old.reddit.com/r/linuxadmin/comments/rxrczr/in_interesting_tidbit_i_just_learned_about_the/) +Install systemd-container +`sudo apt install systemd-container` + ```bash # Switch to $ctuser -machinectl shell $ctuser +# Note do not remove the trailing @ +machinectl shell $ctuser@ /bin/bash # Create dirs mkdir -p ~/.config/{containers/systemd,environment.d} ~/containers/storage # Prepare `systemd --user` env -- 2.45.3 From e77743003fc3d4f506db40d99cc4331831d3b714 Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Sat, 25 Jan 2025 21:28:28 -0500 Subject: [PATCH 06/13] Update ubuntu.md --- ubuntu.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/ubuntu.md b/ubuntu.md index 37063d0..f26e5cc 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -50,7 +50,7 @@ rootless environment for our containers to run in. ## Install ```bash -sudo apt install podman +sudo apt install podman systemd-container ## Make sure podman is running systemctl enable --now podman @@ -95,7 +95,9 @@ See [jdboyd blog post for PARTIAL examples using UFW, iptables, and nftables](ht ## Prepare container user This user will be the owner of all containers with no login shell or root -privileges. +privileges. + +Container user should have range of uid/gid automatically generated. See [subuid and subgid tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration) to verify range or create if it does not exist. Note $ctuser is a placeholder, replace with your username 
@@ -114,8 +116,6 @@ sudo useradd --create-home \ $ctuser # Lock user from password login sudo usermod --lock $ctuser -# Add container sub-ids -sudo usermod --add-subuids 200000-299999 --add-subgids 200000-299999 $ctuser # Start $ctuser session at boot without login loginctl enable-linger $ctuser ``` @@ -128,9 +128,6 @@ loginctl enable-linger $ctuser > > [reddit post](https://old.reddit.com/r/linuxadmin/comments/rxrczr/in_interesting_tidbit_i_just_learned_about_the/) -Install systemd-container -`sudo apt install systemd-container` - ```bash # Switch to $ctuser # Note do not remove the trailing @ -- 2.45.3 From cf961614779d47865b569f6ed278f9de0d7d35ab Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Sat, 25 Jan 2025 21:42:27 -0500 Subject: [PATCH 07/13] Update ubuntu.md --- ubuntu.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ubuntu.md b/ubuntu.md index f26e5cc..8d52244 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -119,6 +119,8 @@ sudo usermod --lock $ctuser # Start $ctuser session at boot without login loginctl enable-linger $ctuser ``` +>[!NOTE] +> Consider removing bash history entry that contains the password entered above ## Setup $ctuser env -- 2.45.3 From 37502f9bf41d5c63887fa213c8b8855a259d579a Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Sun, 26 Jan 2025 01:26:32 -0500 Subject: [PATCH 08/13] fix spelling error --- ubuntu.md | 44 ++++++++++++++++++++++++++++---------------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/ubuntu.md b/ubuntu.md index 8d52244..c218b34 100644 --- a/ubuntu.md +++ b/ubuntu.md @@ -1,4 +1,4 @@ -# Ubuntu Server +# Ubuntu Server Setting up rootless podman on a fresh ubuntu 24.10 server. 
@@ -7,7 +7,8 @@ Setting up rootless podman on a fresh ubuntu 24.10 server. ## SSH -SSH is optional, but highly encouraged. OpenSSH is installed by default and sshd is running by default. +SSH is optional, but highly encouraged. OpenSSH is installed by default and sshd +is running by default. ```bash ## Generate strong key on your laptop or workstation/desktop @@ -26,9 +27,11 @@ ssh-copy-id username@remote_host We don't want to allow anyone to login as root remotely ever. You must be a `sudoer` with public key auth to elevate to root. -SSH into your server and run `sudoedit /etc/ssh/sshd_config` +SSH into your server and run `sudoedit /etc/ssh/sshd_config` -See [stackoverflow question](https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi) for reasons to use sudoedit over sudo. +See +[stackoverflow question](https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi) +for reasons to use sudoedit over sudo. ```bash ## Uncomment PasswordAuthentication and set value to no @@ -40,7 +43,9 @@ PermitRootLogin no ## Optionally disable X11 forwarding X11Forwarding no ``` -Save file and then run `systemctl restart ssh` Before closing your session, open a new terminal and test SSH is functioning correctly. + +Save file and then run `systemctl restart ssh` Before closing your session, open +a new terminal and test SSH is functioning correctly. ## Podman @@ -57,8 +62,7 @@ systemctl enable --now podman ``` > [!NOTE] -> Read the docs. -> `man podman-systemd.unit` +> Read the docs. `man podman-systemd.unit` ## Prepare host networking stack 
@@ -66,28 +70,33 @@ systemctl enable --now podman > [!NOTE] > As of Podman 5.0 Pasta is the default rootless networking tool. -> +> > Podman 5.0 is available in standard Ubuntu repo since 24.10. > -> Both are installed with podman see [rootless networking for configuration](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#networking-configuration) +> Both are installed with podman see +> [rootless networking for configuration](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#networking-configuration) ## Allow rootless binding port 80+ -### Option 1: Modify range of unpriveleged ports +### Option 1: Modify range of unprivileged ports > [!NOTE] -> This is only necessary if you are setting up the reverse proxy (or any service on ports <1024). +> This is only necessary if you are setting up the reverse proxy (or any service +> on ports <1024). `sudoedit /etc/sysctl.conf` + ```bash ## Add the following line and save net.ipv4.ip_unprivileged_port_start=80 ``` ### Option 2: Redirect using firewalls -See [jdboyd blog post for PARTIAL examples using UFW, iptables, and nftables](https://blog.jdboyd.net/2024/05/exposing-privileged-ports-with-podman/) ->[!WARNING] +See +[jdboyd blog post for PARTIAL examples using UFW, iptables, and nftables](https://blog.jdboyd.net/2024/05/exposing-privileged-ports-with-podman/) + +> [!WARNING] > IF UTILIZING THIS METHOD > > CREATE RULES TO ALLOW SSH BEFORE ENABLING THE FIREWALL 
@@ -97,7 +106,9 @@ See [jdboyd blog post for PARTIAL examples using UFW, iptables, and nftables](ht This user will be the owner of all containers with no login shell or root privileges. -Container user should have range of uid/gid automatically generated. See [subuid and subgid tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration) to verify range or create if it does not exist. +Container user should have range of uid/gid automatically generated. See +[subuid and subgid tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration) +to verify range or create if it does not exist. Note $ctuser is a placeholder, replace with your username @@ -119,12 +130,13 @@ sudo usermod --lock $ctuser # Start $ctuser session at boot without login loginctl enable-linger $ctuser ``` ->[!NOTE] + +> [!NOTE] > Consider removing bash history entry that contains the password entered above ## Setup $ctuser env ->[!NOTE] +> [!NOTE] > See the following for reasons to use machinectl instead of su > [RedHat blog post](https://www.redhat.com/en/blog/sudo-rootless-podman) > -- 2.45.3 From e8abe5c4e6b6b25ba37af65cbb98e19177202d6a Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:32:31 -0500 Subject: [PATCH 09/13] fix ubuntu capitalization --- ubuntu.md => Ubuntu.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename ubuntu.md => Ubuntu.md (98%) diff --git a/ubuntu.md b/Ubuntu.md similarity index 98% rename from ubuntu.md rename to Ubuntu.md index c218b34..3369b2d 100644 --- a/ubuntu.md +++ b/Ubuntu.md @@ -1,6 +1,6 @@ # Ubuntu Server -Setting up rootless podman on a fresh ubuntu 24.10 server. +Setting up rootless podman on a fresh Ubuntu 24.10 server. > [!WARNING] > Perform `sudo apt update && sudo apt upgrade` immediately. Reboot system. -- 2.45.3 
From 03ff5e3af56d9bf303b84ba2314b842718c5745b Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Mon, 27 Jan 2025 14:19:03 -0500 Subject: [PATCH 10/13] fix sshd commands --- Ubuntu.md | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/Ubuntu.md b/Ubuntu.md index 3369b2d..efa3f85 100644 --- a/Ubuntu.md +++ b/Ubuntu.md @@ -14,7 +14,7 @@ is running by default. ## Generate strong key on your laptop or workstation/desktop ## If you already have keys DO NOT overwrite your previous keys -ssh-keygen +ssh-keygen -t ed25519 -a 32 -f ~/.ssh/$localhost-to-$remotehost ## Optionally set a passphrase @@ -27,21 +27,13 @@ ssh-copy-id username@remote_host We don't want to allow anyone to login as root remotely ever. You must be a `sudoer` with public key auth to elevate to root. -SSH into your server and run `sudoedit /etc/ssh/sshd_config` - -See -[stackoverflow question](https://superuser.com/questions/785187/sudoedit-why-use-it-over-sudo-vi) -for reasons to use sudoedit over sudo. +SSH into your server and run ```bash -## Uncomment PasswordAuthentication and set value to no -PasswordAuthentication no - -## Disable root login -PermitRootLogin no - -## Optionally disable X11 forwarding -X11Forwarding no +printf '%s\n' 'PermitRootLogin no' | sudo tee /etc/ssh/sshd_config.d/01-root.conf +printf '%s\n' \ + 'PubkeyAuthentication yes' \ + 'PasswordAuthentication no' | sudo tee /etc/ssh/sshd_config.d/01-pubkey.conf ``` Save file and then run `systemctl restart ssh` Before closing your session, open -- 2.45.3 From d9dc7975dcb3f37cac740211cc64ef44ed9e7b29 Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Mon, 27 Jan 2025 14:26:13 -0500 Subject: [PATCH 11/13] fix rootless binding port 80+ command --- Ubuntu.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/Ubuntu.md b/Ubuntu.md index efa3f85..6ec5cac 100644 --- a/Ubuntu.md 
+++ b/Ubuntu.md @@ -76,11 +76,9 @@ systemctl enable --now podman > This is only necessary if you are setting up the reverse proxy (or any service > on ports <1024). -`sudoedit /etc/sysctl.conf` - ```bash -## Add the following line and save -net.ipv4.ip_unprivileged_port_start=80 +printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee /etc/sysctl.d/99-unprivileged-port-binding.conf +sysctl -w 'net.ipv4.ip_unprivileged_port_start=80' ``` ### Option 2: Redirect using firewalls -- 2.45.3 From 9001d006e4bd3d0147566fc20067a5b5dc52c6bf Mon Sep 17 00:00:00 2001 From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Mon, 27 Jan 2025 14:42:52 -0500 Subject: [PATCH 12/13] remove firewall option for port redirection --- Ubuntu.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/Ubuntu.md b/Ubuntu.md index 6ec5cac..ba9f1cd 100644 --- a/Ubuntu.md +++ b/Ubuntu.md @@ -70,7 +70,7 @@ systemctl enable --now podman ## Allow rootless binding port 80+ -### Option 1: Modify range of unprivileged ports +### Modify range of unprivileged ports > [!NOTE] > This is only necessary if you are setting up the reverse proxy (or any service @@ -81,16 +81,6 @@ printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee /etc/sysctl.d/ sysctl -w 'net.ipv4.ip_unprivileged_port_start=80' ``` -### Option 2: Redirect using firewalls - -See -[jdboyd blog post for PARTIAL examples using UFW, iptables, and nftables](https://blog.jdboyd.net/2024/05/exposing-privileged-ports-with-podman/) - -> [!WARNING] -> IF UTILIZING THIS METHOD -> -> CREATE RULES TO ALLOW SSH BEFORE ENABLING THE FIREWALL - ## Prepare container user This user will be the owner of all containers with no login shell or root -- 2.45.3 From b4651bdcebadefc22870590a22b6e46c48faaf34 Mon Sep 17 00:00:00 2001 
From: EphemeralDev <115334775+EphemeralDev@users.noreply.github.com> Date: Mon, 27 Jan 2025 20:19:49 -0500 Subject: [PATCH 13/13] summarize machinectl and remove uneeded directory --- Ubuntu.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Ubuntu.md b/Ubuntu.md index ba9f1cd..888a57c 100644 --- a/Ubuntu.md +++ b/Ubuntu.md @@ -117,17 +117,18 @@ loginctl enable-linger $ctuser ## Setup $ctuser env > [!NOTE] -> See the following for reasons to use machinectl instead of su -> [RedHat blog post](https://www.redhat.com/en/blog/sudo-rootless-podman) -> -> [reddit post](https://old.reddit.com/r/linuxadmin/comments/rxrczr/in_interesting_tidbit_i_just_learned_about_the/) +> Use machinectl instead of sudo or su to get a shell that is fully isolated +> from the original session. See the developers comments on the problem +> [with su](https://github.com/systemd/systemd/issues/825#issuecomment-127917622) +> as well as the purpose of +> [machinectl shell](https://github.com/systemd/systemd/pull/1022#issuecomment-136133244) ```bash # Switch to $ctuser # Note do not remove the trailing @ machinectl shell $ctuser@ /bin/bash # Create dirs -mkdir -p ~/.config/{containers/systemd,environment.d} ~/containers/storage +mkdir -p ~/.config/{containers/systemd,environment.d} # Prepare `systemd --user` env echo 'XDG_RUNTIME_DIR=/run/user/2000' >> ~/.config/environment.d/10-xdg.conf # Enable container auto-update -- 2.45.3
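Review bot: in PATCH 01/13 (the single `@@ -0,0 +1,157 @@` hunk), `systemctl --user enable --now podman-auto-update` enables the oneshot `podman-auto-update.service` (which runs once when the user session starts) rather than `podman-auto-update.timer`, which is the unit that performs the periodic checks; use `systemctl --user enable --now podman-auto-update.timer` if periodic updates are the goal. The comment `# Enable container auto-update` also sits above `podman system migrate`, which only migrates existing containers and storage to the installed Podman and does not enable anything, so it should move down to the systemctl line. Minor wording: Podman is a container engine, not a hypervisor.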
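Review bot: in PATCH 02/13, hunk `@@ -48,7 +50,9 @@`, `systemctl enable --now podman` is run without `sudo` and, more importantly, enables the system-level Podman API socket service as root, which a fully rootless setup does not need (the document itself says Podman is daemonless, so the `## Make sure podman is running` comment is misleading). Drop these two lines; if an API socket is needed for `$ctuser`, enable it inside that user's session later with `systemctl --user enable --now podman.socket`, which keeps everything unprivileged.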
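Review bot: in PATCH 04/13, hunk `@@ -101,10 +101,10 @@` and hunk `@@ -113,9 +113,9 @@`, the commit says it fixed commands that require sudo, but the trailing context line `loginctl enable-linger $ctuser` still has none; enabling linger for another user requires root (or polkit authorization), so it should read `sudo loginctl enable-linger $ctuser`. Without linger the `systemd --user` instance for `$ctuser` stops when the last session ends and the Quadlet units and the auto-update timer set up later never run at boot.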
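Review bot: in PATCH 06/13, hunk `@@ -95,7 +95,9 @@`, the new sentence says the subordinate range "should" be generated automatically but gives the reader no check; `useradd` only allocates a range when `/etc/subuid` and `/etc/subgid` already exist, and rootless Podman fails with a user-namespace error if it is missing. Suggest adding a concrete verification step after the `useradd`, e.g. `grep "^$ctuser:" /etc/subuid /etc/subgid`, and, once logged in as `$ctuser`, `podman unshare cat /proc/self/uid_map` to confirm the mapping is in effect.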
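Review bot: in PATCH 07/13, hunk `@@ -119,6 +119,8 @@`, asking readers to scrub their bash history treats the symptom; the root cause is `--password $ctuser_pw` on the `useradd` line above. That option expects a crypt(3) hash, so a plaintext value stores an unusable field, the account is locked two lines later by `sudo usermod --lock $ctuser` and has `/usr/bin/false` as its shell, and any value on the command line is visible in `ps` and the history file. Dropping `--password $ctuser_pw` entirely removes the exposure and makes this note unnecessary.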
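Review bot: in PATCH 10/13, hunk `@@ -14,7 +14,7 @@`, `$localhost` and `$remotehost` in `ssh-keygen -t ed25519 -a 32 -f ~/.ssh/$localhost-to-$remotehost` are undefined shell variables; pasted as-is they expand to empty strings and the key lands in `~/.ssh/-to-`. Mark them as placeholders the way `$ctuser` is marked later in the file. Because the key now has a non-default name, the unchanged `ssh-copy-id username@remote_host` below may copy a different identity; document `ssh-copy-id -i ~/.ssh/<keyname>.pub username@remote_host`.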
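Review bot: in PATCH 10/13, hunk `@@ -27,21 +27,13 @@`, the trailing context line `Save file and then run `systemctl restart ssh`` is now stale: `tee` writes the drop-ins directly, there is no file to save, and the restart needs `sudo`. The `01-` prefix on the drop-in names is doing real work and deserves a sentence: sshd keeps the first value it reads for a keyword, and Ubuntu's cloud-init drop-in in `/etc/ssh/sshd_config.d/` may set `PasswordAuthentication yes`, so a higher-sorting name would silently lose. Suggest documenting a verification step before restarting, e.g. `sudo sshd -T | grep -Ei 'passwordauthentication|permitrootlogin|kbdinteractive'`, and consider adding `KbdInteractiveAuthentication no` to the same drop-in so PAM cannot still prompt for a password.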
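Review bot: in PATCH 11/13, hunk `@@ -76,11 +76,9 @@`, the drop-in is written with `sudo tee`, but `sysctl -w 'net.ipv4.ip_unprivileged_port_start=80'` is run unprivileged and will fail with a permission error, leaving the change in effect only after the next reboot. Use `sudo sysctl --system`, which also proves the new file in `/etc/sysctl.d/` parses correctly, or at minimum `sudo sysctl -w ...`; a follow-up `sysctl net.ipv4.ip_unprivileged_port_start` confirms the value before the reverse proxy is started.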