Real, executed sysadmin artifacts — not notes — an independent, from-scratch implementation of the UC Berkeley OCF Linux System Administration DeCal (decal.ocf.berkeley.edu), part of a csdiy.wiki full-catalog build. (This student-run course was missing from the csdiy catalog; this repo recovers it.)
The OCF Sysadmin DeCal teaches "the basics of setting up and administering a
production-quality Linux server environment." This repo implements every weekly
topic as runnable, documented scripts and configs that were actually executed
in WSL2 Ubuntu 24.04, capturing real output into results/. It
does not describe how nginx reverse-proxying works — it starts nginx and curls
through it; it does not describe systemd — it installs a unit, enables it, and
reads the heartbeat from journald; it does not describe SSH keys — it stands up
a hardened sshd and logs into it over a key.
Every week follows the same shape: topic scripts + a run.sh that executes them
and writes a verifiable transcript to results/weekNN-*.log.
| Week / Topic | What was built & run | Verified evidence (in results/) |
|---|---|---|
| 1 · Intro to Linux | FHS tour; permissions/ACL demo | setuid/setgid/sticky bits via stat; umask 077→-rw-------; POSIX ACL user:nobody:rw- + inherited default ACL |
| 2 · Shell scripting | log-analyzer, sysreport, text toolkit | 600-line log → status histogram + mean+2σ 5xx burst detector; shellcheck clean ×4 |
| 3 · Packages | dpkg/APT audit; build-from-source | 1527 installed / 102 manual; largest llvm-18-dev 321 MiB; cc+make compile & staged-install sysfetch |
| 4 · Services | user/group/sudoers; systemd unit | svc-heartbeat system account; sudoers parsed OK; unit active (running), journald heartbeats, graceful SIGTERM |
| 5 · Networking | ip/ss triage; dig; BIND zones | live berkeley.edu A/NS/MX/SOA/SPF; both zones named-checkzone → OK |
| 6 · Web servers | nginx vhost + reverse proxy → Py/SQLite | curl-proven: static 200, proxied /api/status JSON, SQLite counter 1→2→3, X-Backend-Saw-XFF: 127.0.0.1 |
| 7 · Security | sshd hardening; live key auth; firewall | >>> KEY AUTH SUCCEEDED; password Permission denied (publickey); 11-rule iptables chain; brute-force ban candidates |
| 8 · VCS & Backups | git workflow; tar+rsync backups | real merge conflict+resolve+tag; restore INTEGRITY VERIFIED (sha256), incrementals hard-link 4/6 files |
| 9 · Docker | docker build image; Compose stack |
image 177 MB, non-root appuser, healthy; nginx+app Compose curl-proven counter 1→2→3 |
| 10 · Nix | packaged tool; dev shell; flake | expressions parse and evaluate to a real .drv (deps coreutils/bash/stdenv); tool runs; closure realise = documented partial (GFW link) |
| 11 · Kubernetes (opt.) | Deployment/Service/proxy manifests + kind config | 6/6 structural validation; live cluster + kubectl = documented partial (network) |
| Bonus · Bandit | OverTheWire wargame 0→24 walkthrough | exact commands/techniques per level; passwords redacted |
- Week 1 — History of UNIX, Intro to Linux, FOSS (FHS, file types,
/proc, permissions, ACLs) - Week 2 — Core Shell & Shell Scripting (pipelines, defensive scripting, log analysis)
- Week 3 — Packages (dpkg/APT auditing, build-from-source + Makefile)
- Week 4 — Services (account provisioning, systemd units, processes & signals)
- Week 5 — Networking 101 (iproute2 triage, DNS with dig, BIND zone authoring)
- Week 6 — Web Servers (nginx static + reverse proxy, Python/SQLite backend)
- Week 7 — Security Fundamentals (SSH hardening + key auth, iptables/ufw, log defence)
- Week 8 — Version Control (git) and Backups (workflow + tested restores)
- Week 9 — Docker (image build, non-root, healthcheck, Compose stack)
- Week 10 — Nix (packaging + dev shell + flake; expressions evaluate to a real
.drv, closure realise = documented partial on this GFW-throttled link) - Week 11 — Kubernetes (optional) — manifests + kind config (live cluster = documented partial)
- Bonus — OverTheWire Bandit walkthrough (levels 0–24)
sysadmin-decal/
├── week01-linux-intro/ filesystem-tour.sh, permissions-acl-demo.sh
├── week02-shell-scripting/ log-analyzer.sh, sysreport.sh, text-processing-demo.sh
├── week03-packages/ pkg-audit.sh, src/{sysfetch.c,Makefile}
├── week04-services/ provision-user.sh, hello-sysadmin.service, heartbeat.sh, processes-demo.sh
├── week05-networking/ net-diagnostics.sh, dns-tool.sh, dns-zone/{db.sysadmin.decal,db.192.0.2}
├── week06-web-servers/ backend/app.py, web/index.html, nginx/sysadmin-decal.conf
├── week07-security/ sshd_hardening.conf, ssh-keygen-demo.sh, firewall-iptables.sh, firewall-ufw.sh, auth-log-scan.sh
├── week08-vcs-backups/ git-workflow-demo.sh, backup.sh, restore.sh
├── week09-docker/ Dockerfile, docker-compose.yml, compose/nginx.conf
├── week10-nix/ default.nix, shell.nix, flake.nix, sysadmin-motd.sh
├── week11-kubernetes/ manifests/*.yaml, kind-cluster.yaml, validate.py
├── bandit-wargame/ README.md (0→24 walkthrough)
├── results/ captured real transcripts (weekNN-*.log)
└── each weekNN/ has its own README.md + run.sh
Everything runs in WSL2 Ubuntu with systemd enabled
(/etc/wsl.conf: [boot]\nsystemd=true). Install the system dependencies once:
sudo apt-get update
sudo apt-get install -y nginx sqlite3 dnsutils bind9-utils openssh-server ufw \
acl shellcheck iproute2 rsync docker.io docker-compose-v2 nix-bin
# Docker Hub is often unreachable here; a registry mirror is configured in
# /etc/docker/daemon.json (e.g. https://docker.m.daocloud.io).
# run any week end-to-end (each writes results/weekNN-*.log):
sudo bash week04-services/run.sh
sudo bash week06-web-servers/run.sh
sudo bash week07-security/run.sh
sudo bash week09-docker/run.sh
# ...etc. Weeks 1-3,5,8,10 don't strictly need root.Each results/weekNN-*.log is a transcript of that week's run.sh executed on
this host. Highlights you can grep for:
results/week06-web-servers.log→X-Backend-Saw-XFF,"visitors": 3results/week07-security.log→KEY AUTH SUCCEEDED,Accepted publickeyresults/week08-vcs-backups.log→INTEGRITY VERIFIED,hard-linked (unchanged) files: 4 / 6results/week09-docker.log→Successfully tagged sysadmin-decal-app:local,Up … (healthy)
Bash, POSIX shell tooling (awk/sed/grep/find), Python 3 (stdlib only), C (the
sysfetch build-from-source demo), SQLite, nginx, systemd, OpenSSH, iproute2,
BIND utils, iptables/ufw, git, tar/rsync, Docker + Compose, Nix, Kubernetes
manifests. Run on WSL2 Ubuntu 24.04.
- The Linux permission and process model (inodes, setuid, cgroups under systemd).
- Treating configuration as code: version it in git, validate it (
sshd -t,nginx -t,named-checkzone,visudo -c), and deploy it reproducibly. - Defence in depth at the edge: key-only SSH, least-privilege sudo, default-deny firewalls, and logs as an intrusion-detection signal.
- Operating services for real: supervision, health checks, reverse proxying, and backups you have actually test-restored.
- Reproducibility and isolation with containers (Docker) and declarative environments (Nix), and orchestration with Kubernetes.
Based on the curriculum of the OCF Linux System Administration DeCal, a student-run course at UC Berkeley (Open Computing Facility). This repository is an independent educational reimplementation; all course materials and specifications belong to their original authors. Original code here is released under the MIT License. Bandit is © the OverTheWire community — passwords are intentionally redacted.