Skip to content

appleweiping/sysadmin-decal

Repository files navigation

Sysadmin DeCal — Linux System Administration, Done For Real

Real, executed sysadmin artifacts — not notes — an independent, from-scratch implementation of the UC Berkeley OCF Linux System Administration DeCal (decal.ocf.berkeley.edu), part of a csdiy.wiki full-catalog build. (This student-run course was missing from the csdiy catalog; this repo recovers it.)

status shell docker license

Overview

The OCF Sysadmin DeCal teaches "the basics of setting up and administering a production-quality Linux server environment." This repo implements every weekly topic as runnable, documented scripts and configs that were actually executed in WSL2 Ubuntu 24.04, capturing real output into results/. It does not describe how nginx reverse-proxying works — it starts nginx and curls through it; it does not describe systemd — it installs a unit, enables it, and reads the heartbeat from journald; it does not describe SSH keys — it stands up a hardened sshd and logs into it over a key.

Every week follows the same shape: topic scripts + a run.sh that executes them and writes a verifiable transcript to results/weekNN-*.log.

Results (measured on WSL2 Ubuntu 24.04, x86_64, 16 vCPU, CPU-only)

Week / Topic What was built & run Verified evidence (in results/)
1 · Intro to Linux FHS tour; permissions/ACL demo setuid/setgid/sticky bits via stat; umask 077-rw-------; POSIX ACL user:nobody:rw- + inherited default ACL
2 · Shell scripting log-analyzer, sysreport, text toolkit 600-line log → status histogram + mean+2σ 5xx burst detector; shellcheck clean ×4
3 · Packages dpkg/APT audit; build-from-source 1527 installed / 102 manual; largest llvm-18-dev 321 MiB; cc+make compile & staged-install sysfetch
4 · Services user/group/sudoers; systemd unit svc-heartbeat system account; sudoers parsed OK; unit active (running), journald heartbeats, graceful SIGTERM
5 · Networking ip/ss triage; dig; BIND zones live berkeley.edu A/NS/MX/SOA/SPF; both zones named-checkzone → OK
6 · Web servers nginx vhost + reverse proxy → Py/SQLite curl-proven: static 200, proxied /api/status JSON, SQLite counter 1→2→3, X-Backend-Saw-XFF: 127.0.0.1
7 · Security sshd hardening; live key auth; firewall >>> KEY AUTH SUCCEEDED; password Permission denied (publickey); 11-rule iptables chain; brute-force ban candidates
8 · VCS & Backups git workflow; tar+rsync backups real merge conflict+resolve+tag; restore INTEGRITY VERIFIED (sha256), incrementals hard-link 4/6 files
9 · Docker docker build image; Compose stack image 177 MB, non-root appuser, healthy; nginx+app Compose curl-proven counter 1→2→3
10 · Nix packaged tool; dev shell; flake expressions parse and evaluate to a real .drv (deps coreutils/bash/stdenv); tool runs; closure realise = documented partial (GFW link)
11 · Kubernetes (opt.) Deployment/Service/proxy manifests + kind config 6/6 structural validation; live cluster + kubectl = documented partial (network)
Bonus · Bandit OverTheWire wargame 0→24 walkthrough exact commands/techniques per level; passwords redacted

Implemented topics

  • Week 1 — History of UNIX, Intro to Linux, FOSS (FHS, file types, /proc, permissions, ACLs)
  • Week 2 — Core Shell & Shell Scripting (pipelines, defensive scripting, log analysis)
  • Week 3 — Packages (dpkg/APT auditing, build-from-source + Makefile)
  • Week 4 — Services (account provisioning, systemd units, processes & signals)
  • Week 5 — Networking 101 (iproute2 triage, DNS with dig, BIND zone authoring)
  • Week 6 — Web Servers (nginx static + reverse proxy, Python/SQLite backend)
  • Week 7 — Security Fundamentals (SSH hardening + key auth, iptables/ufw, log defence)
  • Week 8 — Version Control (git) and Backups (workflow + tested restores)
  • Week 9 — Docker (image build, non-root, healthcheck, Compose stack)
  • Week 10 — Nix (packaging + dev shell + flake; expressions evaluate to a real .drv, closure realise = documented partial on this GFW-throttled link)
  • Week 11 — Kubernetes (optional) — manifests + kind config (live cluster = documented partial)
  • Bonus — OverTheWire Bandit walkthrough (levels 0–24)

Project structure

sysadmin-decal/
├── week01-linux-intro/       filesystem-tour.sh, permissions-acl-demo.sh
├── week02-shell-scripting/   log-analyzer.sh, sysreport.sh, text-processing-demo.sh
├── week03-packages/          pkg-audit.sh, src/{sysfetch.c,Makefile}
├── week04-services/          provision-user.sh, hello-sysadmin.service, heartbeat.sh, processes-demo.sh
├── week05-networking/        net-diagnostics.sh, dns-tool.sh, dns-zone/{db.sysadmin.decal,db.192.0.2}
├── week06-web-servers/       backend/app.py, web/index.html, nginx/sysadmin-decal.conf
├── week07-security/          sshd_hardening.conf, ssh-keygen-demo.sh, firewall-iptables.sh, firewall-ufw.sh, auth-log-scan.sh
├── week08-vcs-backups/       git-workflow-demo.sh, backup.sh, restore.sh
├── week09-docker/            Dockerfile, docker-compose.yml, compose/nginx.conf
├── week10-nix/               default.nix, shell.nix, flake.nix, sysadmin-motd.sh
├── week11-kubernetes/        manifests/*.yaml, kind-cluster.yaml, validate.py
├── bandit-wargame/           README.md (0→24 walkthrough)
├── results/                  captured real transcripts (weekNN-*.log)
└── each weekNN/ has its own README.md + run.sh

How to run

Everything runs in WSL2 Ubuntu with systemd enabled (/etc/wsl.conf: [boot]\nsystemd=true). Install the system dependencies once:

sudo apt-get update
sudo apt-get install -y nginx sqlite3 dnsutils bind9-utils openssh-server ufw \
     acl shellcheck iproute2 rsync docker.io docker-compose-v2 nix-bin
# Docker Hub is often unreachable here; a registry mirror is configured in
# /etc/docker/daemon.json (e.g. https://docker.m.daocloud.io).

# run any week end-to-end (each writes results/weekNN-*.log):
sudo bash week04-services/run.sh
sudo bash week06-web-servers/run.sh
sudo bash week07-security/run.sh
sudo bash week09-docker/run.sh
# ...etc. Weeks 1-3,5,8,10 don't strictly need root.

Verification

Each results/weekNN-*.log is a transcript of that week's run.sh executed on this host. Highlights you can grep for:

  • results/week06-web-servers.logX-Backend-Saw-XFF, "visitors": 3
  • results/week07-security.logKEY AUTH SUCCEEDED, Accepted publickey
  • results/week08-vcs-backups.logINTEGRITY VERIFIED, hard-linked (unchanged) files: 4 / 6
  • results/week09-docker.logSuccessfully tagged sysadmin-decal-app:local, Up … (healthy)

Tech stack

Bash, POSIX shell tooling (awk/sed/grep/find), Python 3 (stdlib only), C (the sysfetch build-from-source demo), SQLite, nginx, systemd, OpenSSH, iproute2, BIND utils, iptables/ufw, git, tar/rsync, Docker + Compose, Nix, Kubernetes manifests. Run on WSL2 Ubuntu 24.04.

Key ideas / what this course teaches

  • The Linux permission and process model (inodes, setuid, cgroups under systemd).
  • Treating configuration as code: version it in git, validate it (sshd -t, nginx -t, named-checkzone, visudo -c), and deploy it reproducibly.
  • Defence in depth at the edge: key-only SSH, least-privilege sudo, default-deny firewalls, and logs as an intrusion-detection signal.
  • Operating services for real: supervision, health checks, reverse proxying, and backups you have actually test-restored.
  • Reproducibility and isolation with containers (Docker) and declarative environments (Nix), and orchestration with Kubernetes.

Credits & license

Based on the curriculum of the OCF Linux System Administration DeCal, a student-run course at UC Berkeley (Open Computing Facility). This repository is an independent educational reimplementation; all course materials and specifications belong to their original authors. Original code here is released under the MIT License. Bandit is © the OverTheWire community — passwords are intentionally redacted.

About

Real, executed UC Berkeley OCF Linux System Administration DeCal — 11 weekly topics + OverTheWire Bandit walkthrough, run in WSL2 with captured evidence

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors