-rw-r--r--continuous_integration/debian_bookworm_setup.mdwn249
-rw-r--r--continuous_integration/debian_buster_setup.mdwn2
-rw-r--r--virtual_host_server.mdwn98
3 files changed, 347 insertions, 2 deletions
diff --git a/continuous_integration/debian_bookworm_setup.mdwn b/continuous_integration/debian_bookworm_setup.mdwn
new file mode 100644
index 0000000..36cc145
--- /dev/null
+++ b/continuous_integration/debian_bookworm_setup.mdwn
@@ -0,0 +1,249 @@
+[[!meta title="Continuous Integration Debian Bookworm Setup"]]
+[[!meta author="Kyllikki"]]
+[[!meta date="2024-05-01T12:46:14Z"]]
+
+
+[[!toc]]
+
+## Debian 12 (Bookworm) OS install
+
+### amd64 VDS install
+
+[[Virtual server setup|virtual_host_server]]
+
+Install minimal system direct from `https://deb.debian.org/debian/dists/bookworm/main/installer-amd64/` ensure virtual server is booting from UEFI using a modern chipset (Q35)
+
+Debian Installer Config options:
+
+- In the "role" selection select "ssh server" and "system utilities" only.
+- The whole disc default partitioning is fine
+- The base user the install insists on creating should be the netsurf user.
+
+
+Once installed:
+
+- edit /etc/default/grub
+
+ GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"
+
+as root update grub
+
+ update-grub2
+
+### arm64 VDS install
+
+[[ARM64 virtual server setup|virtual_host_server_arm64]]
+
+Once installed:
+
+- create netsurf user
+- install sudo package and add netsurf user to sudo group
+- edit /etc/inittab comment pty 3 through 6 and uncomment serial T0
+- enable backports
+
+`echo "deb `[`http://http.debian.net/debian`](http://http.debian.net/debian)` buster-backports main" > /etc/apt/sources.list.d/backports.list`
+`apt-get update`
+
+
+## Packaged CI worker install
+
+Do a base OS install
+
+The recommended hostname for CI workers is "nsciworker17" this allows us
+to clearly identify CI worker nodes. Note historically we have used
+"cislave1" which has been objected to by several users. See
+[[changing hostname|https://wiki.debian.org/howto/changehostname_changing_hostname]] on how to achive this.
+
+On master jenkins use "manage nodes" to create new node. Ensure "remote
+fs root" is set to /var/lib/jenkins add variable JENKINS\_HOME set to
+/var/lib/jenkins
+
+Note: replace arm64 with architecture name as required (armhf etc.)
+
+As superuser:
+
+create jenkins user
+
+ adduser --system --group --home /var/lib/jenkins/ --disabled-login jenkins
+
+Install https transport
+
+ apt-get install apt-transport-https
+
+Add CI server repo to slave apt sources
+
+ echo "deb [allow-insecure=yes] https://ci.netsurf-browser.org/debian/ bookworm/amd64/" >> /etc/apt/sources.list.d/netsurf-browser.list
+
+update repos
+
+ apt-get update
+
+install ci worker package. accept the large package list and the
+ unsigned package install for ns-ci-slave
+
+ apt-get install ns-ci-worker
+
+edit /etc/default/ns-ci-worker to set the correct url and secret parameters
+
+ensure /opt is setup correctly to allow toolchains to be built on the node
+
+ mkdir -p /opt/netsurf
+ chown jenkins:jenkins /opt/netsurf
+
+become jenkins user
+
+ su -s/bin/bash - jenkins
+
+create ssh keypair (accept defaults - no password)
+
+ ssh-keygen -t rsa -C "netsurf@nsciworker12.netsurf-browser.org"
+
+copy .ssh/id\_rsa.pub from worker to jenkins master node and append
+ to /home/netsurf/.ssh/authorized\_keys
+
+ scp /home/jenkins/.ssh/id_rsa.pub netsurf@ci.netsurf-browser.org:nsciworker12_id_rsa.pub
+
+exit jenkins user shell
+
+start CI worker daemon
+
+ systemctl start ns-ci-worker.service
+
+
+
+## Pbuilder setup
+
+This allows a worker to build Debian packages. The worker should be
+installed as a normal CI worker node and then:
+
+as superuser on node:
+
+ # apt-get install pbuilder
+ # addgroup pbuilder
+ # addgroup jenkins pbuilder
+
+create /etc/sudoers.d/pbuilder
+
+ jenkins ALL = NOPASSWD:/usr/sbin/pbuilder
+
+`visudo` and alter Defaults
+
+ Defaults env_reset,env_keep="DIST ARCH"
+
+replace `/etc/pbuilderrc`
+
+ # this is your configuration file for pbuilder.
+ # the file in /usr/share/pbuilder/pbuilderrc is the default template.
+ # /etc/pbuilderrc is the one meant for overwriting defaults in
+ # the default template
+ #
+ # read pbuilderrc.5 document for notes on specific options.
+
+ # List of Debian suites.
+ DEBIAN_SUITES=("sid", "buster", "jessie", "wheezy", "squeeze")
+
+ # List of Ubuntu suites.
+ UBUNTU_SUITES=("vivid" "utopic" "trusty" "saucy" "raring" "quantal" "precise" "oneiric" "natty" "lucid" "hardy")
+
+ # Mirrors to use. Update these to your preferred mirror.
+ DEBIAN_MIRROR="ftp.uk.debian.org"
+ UBUNTU_MIRROR="mirrors.kernel.org"
+
+ # set a default distribution if none is used.
+ : ${DIST:="$(lsb_release --short --codename)"}
+
+ # set the architecture to the host architecture if none set.
+ : ${ARCH:="$(dpkg --print-architecture)"}
+
+ NAME="$DIST"
+ if [ -n "${ARCH}" ]; then
+ NAME="$NAME-$ARCH"
+ DEBOOTSTRAPOPTS=("--arch" "$ARCH" "${DEBOOTSTRAPOPTS[@]}")
+ fi
+ BASETGZ="/var/cache/pbuilder/$NAME-base.tgz"
+ DISTRIBUTION="$DIST"
+ BUILDRESULT="/var/cache/pbuilder/$NAME/result/"
+ APTCACHE="/var/cache/pbuilder/$NAME/aptcache/"
+ BUILDPLACE="/var/cache/pbuilder/build/"
+
+ if $(echo ${DEBIAN_SUITES[@]} | grep -q $DIST); then
+ # Debian configuration
+ MIRRORSITE="http://$DEBIAN_MIRROR/debian/"
+ COMPONENTS="main contrib non-free"
+ if $(echo "$STABLE_CODENAME stable" | grep -q $DIST); then
+ OTHERMIRROR="$OTHERMIRROR | deb $MIRRORSITE $STABLE_BACKPORTS_SUITE $COMPONENTS"
+ fi
+ elif $(echo ${UBUNTU_SUITES[@]} | grep -q $DIST); then
+ # Ubuntu configuration
+ MIRRORSITE="http://$UBUNTU_MIRROR/ubuntu/"
+ COMPONENTS="main restricted universe multiverse"
+ else
+ echo "Unknown distribution: $DIST"
+ exit 1
+ fi
+
+The architecture is assumed to be the native one from
+
+ dpkg --print-architecture
+
+This can be set by passing ARCH to pbuilder (useful for i386 maybe?)
+
+for each distribution this node will build for:
+
+create pbuilder result directory and set ownership permissions
+
+ # mkdir -p /var/cache/pbuilder/buster-armhf/result
+ # chown root:pbuilder /var/cache/pbuilder/buster-armhf/result
+ # chmod g+w /var/cache/pbuilder/buster-armhf/result
+
+become jenkins user
+
+ su -s/bin/bash - jenkins
+
+create pbuilder base for distribution
+
+ sudo DIST=buster pbuilder create
+
+if desired additional packages and config can be made to the base with
+
+`sudo DIST=buster pbuilder login --save-after-login`
+
+## distcc worker node
+
+Do a basic OS install but \*not\* a CI worker setup.
+
+A recommended hostname for distcc worker is something like "cicpu0" this
+allows us to use systems as processing node for other purposes than just
+distcc in future. See debians
+[[changing hostname|https://wiki.debian.org/howto/changehostname_changing_hostname]] on how to achive this.
+
+The Netsurf repository has necessary updated packages in it and can be
+accessed by doing the following:
+
+Add CI server repo to worker apt sources
+
+ echo "deb https://ci.netsurf-browser.org/builds/debian/ buster/amd64/" >> /etc/apt/sources.list
+
+update repos
+
+ apt-get update
+
+use apt to install these packages:
+
+ build-essential
+ gcc
+ clang
+ distcc
+
+edit /etc/default/distcc
+
+ STARTDISTCC="true"
+ ALLOWEDNETS="192.168.211.0/24"
+ LISTEN="0.0.0.0"
+ JOBS="8"
+
+start the service
+
+ service distcc start
+
+ensure the client has hosts set to use the new worker
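Review bot: The "Add CI server repo" step writes `deb [allow-insecure=yes] https://ci.netsurf-browser.org/debian/ bookworm/amd64/`, which turns off apt signature checking for that repository, and the next step tells the operator to accept the unsigned `ns-ci-worker` install, so package integrity on every worker rests on TLS to the CI host alone. Signing the repository and pinning its key would close that gap, e.g. `deb [signed-by=/usr/share/keyrings/<ci-archive-keyring>.gpg] https://ci.netsurf-browser.org/debian/ bookworm/amd64/` (the keyring path is a placeholder). Separately, several snippets look carried over from the Buster page: the backports line and the distcc repo line still name `buster`, and `DEBIAN_SUITES` in the pbuilderrc has no `bookworm` entry, so on a Bookworm host the default `DIST` from `lsb_release` would appear to fall through to "Unknown distribution".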
diff --git a/continuous_integration/debian_buster_setup.mdwn b/continuous_integration/debian_buster_setup.mdwn
index b216b14..e4a4d8d 100644
--- a/continuous_integration/debian_buster_setup.mdwn
+++ b/continuous_integration/debian_buster_setup.mdwn
@@ -5,7 +5,7 @@
[[!toc]]
-## Debian 9 (Buster) OS install
+## Debian 10 (Buster) OS install
### amd64 VDS install from media
diff --git a/virtual_host_server.mdwn b/virtual_host_server.mdwn
index 4fccfc5..59579ba 100644
--- a/virtual_host_server.mdwn
+++ b/virtual_host_server.mdwn
@@ -8,7 +8,12 @@ virtual host services for the NetSurf project is currently named phoenix.
Access is \*only\* via the NetSurf VPN. For VPN access contact vince@netsurf-browser.org Developers can also use their ssh key access to ci.netsurf-browser.org and on from there
-phoenix IP address is currently 192.168.211.50 if the DNS is unavailable
+if the DNS is unavailable IP address are:
+
+ phoenix 192.168.211.50
+ phoenixii 192.168.211.51
+ phoenixiii 192.168.211.52
+ phoenixiv 192.168.211.53
Creating a new VPS
------------------
@@ -89,3 +94,94 @@ You can either use virsh on phoenix to directly admin consoles or
alternatively use virt-admin over the VPN which is by far the easier
option.
+Setup
+-----
+
+Phoenix is currently in its fourth iteration (phoenixiv) which is a
+supermicro 1u dual socket E5-2680v2 with 64G of DDR3 memory.
+
+### Network
+
+network configuration is a l2tp tunnel over a wireguard point to point link.
+
+to setup a new wireguard link:
+
+on ci.netsurf-browser.org:
+
+might need to update dnsmasq interfaces
+
+ # cd /etc/wireguard/
+ # umask 077; wg genkey | tee phoenixiv.key | wg pubkey > phoenixiv.pub
+ # echo "" >>wg0.conf
+ # echo "# phoenixiv peer" >> wg0.conf
+ # echo "[Peer]" >> wg0.conf
+ # echo "PublicKey = $(cat phoenixiv.pub)" >> wg0.conf
+ # echo "AllowedIPs = 172.16.100.4/32 >> wg0.conf
+
+edit `/etc/network/interfaces.d/wg0` to add `post-up` and `pre-down` entries for the additional l2tp link
+
+edit `firewall.sh` to add l2tp ingress port e.g. 5002
+
+on the remote system:
+
+install wireguard and bridge-utils
+
+`/etc/network/interfaces.d/br0` create a bridge on br0 which the l2tp link is inserted into when it comes up
+
+ auto br0
+ iface br0 inet static
+ bridge_ports tap_netsurf
+ address 192.168.211.53
+ netmask 255.255.255.0
+ network 192.168.211.0
+ broadcast 192.168.211.255
+ bridge_fd 9
+ bridge_hello 2
+ bridge_maxage 12
+ bridge_stp off
+
+
+`/etc/network/interfaces.d/wg0` creates the wireguard link
+
+ auto wg0
+ iface wg0 inet static
+ address 172.16.100.4/24
+
+ pre-up ip link add $IFACE type wireguard
+
+ pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
+
+ post-up ip l2tp add tunnel tunnel_id 8000 peer_tunnel_id 7000 encap udp local 172.16.100.4 remote 172.16.100.1 udp_sport 6002 udp_dport 5002
+ post-up ip l2tp add session tunnel_id 8000 session_id 6000 peer_session_id 5000 name l2tpphoenixiv
+ post-up ip link set l2tpphoenixiv up mtu 1500
+ post-up brctl addif br0 l2tpphoenixiv
+
+ pre-down brctl delif br0 l2tpphoenixiv
+ pre-down ip l2tp del tunnel tunnel_id 8000
+
+ post-down ip link del $IFACE
+
+
+`/etc/wireguard/wg0.conf` configures the remote client
+
+ [Interface]
+
+ PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
+
+ [Peer]
+
+ PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
+
+ AllowedIPs = 172.16.100.0/24
+
+ # endpoint is ip address as dns not available here
+ # ci.netsurf-browser.org = 93.93.129.191
+ Endpoint = 93.93.129.191:51820
+ PersistentKeepalive = 20
+
+
+### virtualisation
+
+ # apt install --no-install-recommends qemu-system libvirt-clients libvirt-daemon-system ovmf
+ # adduser vince libvirt
+
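Review bot: In the wireguard peer steps the last command, `echo "AllowedIPs = 172.16.100.4/32 >> wg0.conf`, is missing its closing quote, so pasted as written the shell waits for more input and nothing is appended to `wg0.conf`; it should read `echo "AllowedIPs = 172.16.100.4/32" >> wg0.conf`. The same block generates the peer's private key `phoenixiv.key` on ci.netsurf-browser.org, while that key is needed in the remote system's `/etc/wireguard/wg0.conf`; the page does not say how it gets there, and generating the pair on the remote system and copying only the `.pub` file across would keep the private key on one host. A line noting that the remote `wg0.conf` should be readable by root only (`chmod 600 /etc/wireguard/wg0.conf`) would match the `umask 077` already used on the server side.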