Maybe the page you are looking for changed its url, go home to try finding it again?
+ + + + + + +Posted on
+ + +on archlinux, to see when you installed arch on your computer, run this command
+sed -n "/ installed $1/{s/].*/]/p;q}" /var/log/pacman.log
+it will display the date and the time when you ran pacstrap on the live cd to install your system.
on my laptop, i get [2018-10-21 21:05], which is when i switched from fedora back to arch because my school required fedora.
+ +Posted on
+ + +Now that we have a WireGuard VPN with an awesome internal DNS server, let's get a web server with HTTPS!
+You will need to enable the community repo first.
doas apk add caddy
+Create a folder to serve stuff from, I placed it in
+/srv/www
+Create the config in
+/etc/caddy/Caddyfile
+Here's the config, it's very simple to get started:
+intra.philt3r:80
+root * /srv/www
+file_server browse
+This config will only launch an HTTP server, the HTTPS will come later.
+It should work only from the WireGuard peers, since they can resolve the DNS name intra.philt3r.
If there is no index.html in the folder, it will serve static files directly.
Caddy already has a service!
+rc-service caddy startrc-service caddy stoprc-service caddy reloadWe will generate the Root CA, the Intermediate CA.
+Generate these with openssl installed on a computer, preferabbly offline.
Make sure the keys are stored in a safe place, I will store mine inside of a KeePassXC keystore.
+inside a folder, create a file
+config.conf
+In [CA_root], make sure to put your folder dir
# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_root
+
+[ CA_root ]
+# Directory and file locations.
+dir = /home/phil/ca
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+# Match names with Smallstep naming convention
+private_key = $dir/root_ca_key
+certificate = $dir/root_ca.crt
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 25202
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = supplied
+localityName = supplied
+organizationName = match
+commonName = supplied
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country (2 letter code)
+stateOrProvinceName = State or Region
+localityName = City
+commonName = Common Name
+0.organizationName = Organization Name
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+After, run
+mkdir newcerts
+touch index.txt
+echo 1420 > serial
+We are now ready to generate keys and certificates.
+Generate key:
+openssl genrsa -aes256 -out root_ca_key 4096
+It will ask for a passphrase, I generated mine with my KeePassXC.
+Generate root certificate:
+openssl req -config config.conf -key root_ca_key -days 3650 -new -x509 -sha256 -extensions v3_ca -out root_ca.crt
+My root CA will last for 3650 days (10 years).
+Here's the info I provided:
+Country (2 letter code) []:FR
+State or Region []:Bretagne
+City []:Rennes
+Common Name []:philt3r CA
+Organization Name []:philt3r
+I saved the root_ca_key and root_ca.crt inside my KeePassXC.
Generate key:
+openssl genrsa -aes256 -out intermediate_ca_key 4096
+It will ask for a passphrase, I generated mine with my KeePassXC.
+Generate certificate request:
+openssl req -config config.conf -new -sha256 -key intermediate_ca_key -out intermediate_ca.csr.pem
+Here's the info I provided:
+Country (2 letter code) []:FR
+State or Region []:Bretagne
+City []:Rennes
+Common Name []:philt3r Intermediate CA
+Organization Name []:philt3r
+Sign certificate request with Root key:
+openssl ca -config config.conf -keyfile root_ca_key -cert root_ca.crt -extensions v3_intermediate_ca -days 1825 -notext -md sha256 -in intermediate_ca.csr.pem -out intermediate_ca.crt
+My Intermediate certificate will last for 1825 days (5 years).
+Save these files, I saved them in my KeePassXC:
+intermediate_ca_keyintermediate_ca.csr.pemintermediate_ca.crtOnce everything is saved and backed up, delete everything from your computer securely.
+I discovered Smallstep, which allows to become your own ACME server.
+They provide packages for Alpine, but one of them is only in the testing repos.
+Edit
+/etc/apk/repositories
+And add:
+@testing http://mirrors.ircam.fr/pub/alpine/edge/testing
+Afterwards, run
+apk update
+to refresh the packages.
+Install the packages with
+apk add step-cli step-certificates@testing
+The @testing is to tell apk to pull the package from the testing repo.
Start by creating the folder where step will save all the configs:
mkdir /etc/step-ca -p
+Let's configure step-ca!
STEPPATH=/etc/step-ca step ca init --name="philt3r" --acme --address="10.131.111.1:444" --provisioner="philt3r" --deployment-type standalone
+I ask it to run on the address 10.131.111.1 (the WireGuard ip) and on the port 444. The port 443 will be used for a https server, so I picked 443 + 1.
Since I want an ACME server, I asked to get one.
+Step will ask what IP address the clients will use to reach your ca, reply with 10.131.111.1, because only WireGuard peers and the server should be allowed.
This will prompt a password, put one.
+Step will generate a root and intermediate key, as well as an intermediate certificate. We don't want that, since we already generated our own.
+Copy these files in /etc/step-ca/certs:
root_ca.crtintermediate_ca.crtCopy intermediate_ca_key in /etc/step-ca/secrets folder. I use the key directly, but in a safe environment use a Yubikey, but I don't have one.
Run
+step-ca /etc/step-ca/config/ca.json
+to start the server. It will ask your password to decrypt the intermediate_ca_key. Provide the password.
The server should start, stop it.
+We will now create a file containing the password of the intermediate_ca_key, since we want to have the ACME server starting when Alpine will boot.
Why put the password inside a file? Well, simply because we can't type the password at boot. Again, in an ideal environment, use a Yubikey.
+Create a file at
+/etc/step-ca/password.txt
+and place the password inside that file.
+step should run as the user step-ca, so update the permissions on the config folder:
chown step-ca:step-ca -Rv /etc/step-ca/
+To verify that everything worked, run:
+step-ca /etc/step-ca/config/ca.json --password-file=/etc/step-ca/password.txt
+Stop the server again.
+Step already has a service!
+rc-service step-ca startrc-service step-ca stopNow let's tell Caddy to get TLS certificates with our ACME server.
+Edit the /etc/caddy/Caddyfile:
# global
+{
+ # step-ca ACME server
+ acme_ca https://10.131.111.1:444/acme/acme/directory
+}
+
+intra.philt3r intra.philt3r:80 {
+ root * /srv/www
+ file_server browse
+}
+Make sure step-ca is started, and restart Caddy to make sure everything is good:
rc-service caddy restart
+Now we need to tell our system to trust the certificates.
+Download the file containing the certificates. It is available at this URL:
+https://10.131.111.1:444/roots.pem
+On every device you want to trust your certificates, you will need to download the file on the device, then you will need to tell your operating system to trust it.
+Start caddy and step-ca on startup with:
rc-update add step-ca
+rc-update add caddy
+Reboot to make sure everything works.
+Posted on
+ + +Now that we have a WireGuard VPN, let's add a DNS server, to type letters instead of numbers!
+You will need to enable the community repo first.
doas apk add coredns
+Create the config in
+/etc/coredns/Corefile
+# snippets
+(common) {
+ cache 60
+ acl {
+ allow net 127.0.0.1 10.131.110.0/24 10.131.111.0/24
+ block
+ }
+}
+
+# intranet
+philt3r {
+ import common
+ log . {combined} {
+ class denial error success
+ }
+
+ hosts {
+ 10.131.111.1 intra.philt3r
+ falltrough
+ }
+}
+
+# extranet
+. {
+ import common
+
+ # Free DNS
+ forward . 212.27.40.240 212.27.40.241
+}
+My DNS service of choice comes from free.fr. Feel free to put your own favorite DNS service!
+CoreDNS already has a service!
+rc-update add corednsrc-update del corednsrc-statusThe logs of CoreDNS should be available at
+/var/log/coredns/coredns.log
+Now that we have our DNS server, let's use it on our server!
+If you use DHCP to get the ip address of your server, the DNS will always be used from the DHCP.
+We want to use our own DHCP server.
+Create the file (and the folder associated with it)
+/etc/udhcpc/udhcpc.conf
+and put
+RESOLV_CONF="NO"
+Then, edit the
+/etc/resolv.conf
+and put
+nameserver 127.0.0.1
+Restart the server.
+ +Posted on
+ + +Here's a cool tip if you use dd to copy disk images to a disk, or if you want to clone drives.
+As we all know (or should know), dd is a powerful tool; but it can be dangerous if not manipulated correctly.
+By default, dd doesn't give any information on what is it doing; which can be very boring, because you don't know when you'll be able to test that new Linux distro you just discovered!
+Well, good news! You can get some status from dd! This tip works on Linux and OS X.
+When you enter your dd command, add this little snippet at the end:
status=progress
+When dd will be busy doing its thing, you should get some info about its progress.
+Run your dd command normally without status=progress, after that open a new terminal and enter this command:
while pgrep ^dd; do sudo pkill -INFO dd; sleep 30; done;
+And come back into the dd command. When the dd task will be done, the second command we ran will exit as well and you can close that other terminal safely.
+30 is the number of seconds that will update the counter every X seconds.
Posted on
+ + +this guide will show you how to install docker, download the epitech moulinette container and learn how to use it for your projects.
+ubuntu:
+sudo apt install docker.io
+arch:
+sudo pacman -S docker
+to use docker without root privileges run
+sudo usermod -aG docker $USER
+and REBOOT your computer afterwards for changes to take effect.
+to start docker on every boot
+sudo systemctl enable docker
+docker pull epitechcontent/epitest-docker
+will download the epitech moulinette environement. make sure to have fast internet, because the container is about 5 gigabytes.
+go into the directory you want to get a shell in the epitech container.
+docker run -it --rm -v $(pwd):/home/project -w /home/project epitechcontent/epitest-docker /bin/bash
+will get you a bash prompt: you are now in the container. run the commands you want, and exit the shell when you are done.
+if you are using docker on windows (inside powershell), run
+docker run -it --rm -v ${pwd}:/home/project -w /home/project epitechcontent/epitest-docker /bin/bash
+Posted on
+ + +My internal infrastructure is complete. I can now work on my projects, but at some point they need to go out to the world!
+The platform for most of my projects is the web, and the best tool I found so far to deploy them is Docker.
+I want to keep the code on the private infrastructure, but I also want to be in control of where the docker images will be stored.
+The perfect solution is a private Docker registry! But it will not be on the internal infrastructure, it will be publicly available on a regular server.
+That way, projects can be deployed in their final form whenever and wherever, while the source remaining private.
+To start, I will launch a test registry on my machine to make sure everything works.
+I will use these docker images:
+Here's the docker-compose file I used to get started:
+services:
+
+ registry-server:
+ image: registry:2.8.2
+ ports:
+ - 5000:5000
+ volumes:
+ - ./registry-data:/var/lib/registry
+ - ./passwords:/auth/htpasswd
+ environment:
+ REGISTRY_AUTH: 'htpasswd'
+ REGISTRY_AUTH_HTPASSWD_REALM: 'Registry Realm'
+ REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
+ REGISTRY_HTTP_HEADERS_Access-Control-Origin: '[http://registry.example.com]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Credentials: '[true]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
+ REGISTRY_STORAGE_DELETE_ENABLED: 'true'
+ container_name: registry-server
+
+ registry-ui:
+ image: joxit/docker-registry-ui:2.5.0
+ ports:
+ - 8001:80
+ environment:
+ SINGLE_REGISTRY: true
+ REGISTRY_TITLE: Docker Registry UI
+ DELETE_IMAGES: true
+ SHOW_CONTENT_DIGEST: true
+ NGINX_PROXY_PASS_URL: http://registry-server:5000
+ SHOW_CATALOG_NB_TAGS: true
+ CATALOG_MIN_BRANCHES: 1
+ CATALOG_MAX_BRANCHES: 1
+ TAGLIST_PAGE_SIZE: 100
+ REGISTRY_SECURED: false
+ CATALOG_ELEMENTS_LIMIT: 1000
+ container_name: registry-ui
+But don't start the services right away.
+I don't want the registry being open to everyone though, let's add some authentication.
+To keep things simple, I will use HTTP basic auth. If you want, there's a possibility to have a more complex setup.
+Here's a quick script to get passwords in a format that Docker will accept:
+#!/bin/sh
+#
+# new-password.sh
+
+if [ -z "$1" ]
+then
+echo "usage: $0 username"
+exit 1
+fi
+
+echo "creating password for user \"$1\""
+htpasswd -nB $1
+How to use it:
+$ ./new-password.sh phil
+creating password for user "phil"
+New password: phil
+Re-type new password: phil
+phil:$2y$05$asxsqfmEQJpg8zuKGyieMOmTirok.Gd/noliF.y48DJXe.97ufGHG
+Copy the last line in the passwords file (see the docker-compose file).
Repeat the process for every user you want to give authentication to your registry.
+Keep in mind I only cover AUTHENTICATION (who can access the registry), and not AUTHORIZATION (who can do what on the registry). With this setup, if you have access to the registry, you can do anything on it.
+Start the services with
+docker compose up
+Now, you can access the webui by going to
+http://localhost:8001
+in a web browser and sign-in with your credentials. You should see an empty list. Let's add some images!
+Pick an image you want on the registry.
+If it's an existing image:
+docker tag name-of-existing-image localhost:5000/existing-image-name
+If you build the image directly:
+docker build -t localhost:5000/new-image-name
+The name of the image must have the domain of the registry, in our case it's localhost:5000.
To sign in to the registry, use
+docker login localhost:5000
+and enter your credentials.
+Simply run the usual docker command to push or pull images. Docker will know which registry to use based of the image's name.
+docker push localhost:5000/new-image-name
+docker pull localhost:5000/existing-image-name
+That's pretty much it!
+I use Caprover to deploy my docker images easily, it comes with a reverse proxy and automatic TLS certificates with Let's encrypt.
+Here's the one-click-app config I created for the registry:
+captainVersion: 4
+
+services:
+ $$cap_appname-registry:
+ image: registry:$$cap_registry_version
+ volumes:
+ - $$cap_appname-data:/var/lib/registry
+ - $$cap_appname-auth:/auth/
+ environment:
+ REGISTRY_AUTH: 'htpasswd'
+ REGISTRY_AUTH_HTPASSWD_REALM: 'Registry Realm'
+ REGISTRY_AUTH_HTPASSWD_PATH: '/auth/htpasswd'
+ REGISTRY_HTTP_HEADERS_Access-Control-Origin: '[https://$$cap_appname-registry.$$cap_root_domain, https://$$cap_appname-ui.$$cap_root_domain]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Credentials: '[true]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
+ REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
+ REGISTRY_STORAGE_DELETE_ENABLED: 'true'
+ caproverExtra:
+ containerHttpPort: '5000'
+
+ $$cap_appname-ui:
+ image: joxit/docker-registry-ui:$$cap_ui_version
+ environment:
+ SINGLE_REGISTRY: true
+ REGISTRY_TITLE: Docker Registry UI
+ DELETE_IMAGES: true
+ SHOW_CONTENT_DIGEST: true
+ NGINX_PROXY_PASS_URL: http://srv-captain--$$cap_appname-registry:5000
+ SHOW_CATALOG_NB_TAGS: true
+ CATALOG_MIN_BRANCHES: 1
+ CATALOG_MAX_BRANCHES: 1
+ TAGLIST_PAGE_SIZE: 100
+ REGISTRY_SECURED: false
+ CATALOG_ELEMENTS_LIMIT: 1000
+
+caproverOneClickApp:
+ variables:
+ - id: '$$cap_registry_version'
+ label: Registry Version
+ defaultValue: '2.8.2'
+ description: Check out the Docker page for the valid tags https://hub.docker.com/_/registry/tags
+ validRegex: "/.{1,}/"
+ - id: '$$cap_ui_version'
+ label: UI Version
+ defaultValue: '2.5.0'
+ description: Check out the Docker page for the valid tags https://hub.docker.com/r/joxit/docker-registry-ui/tags
+ validRegex: "/.{1,}/"
+ instructions:
+ start: |-
+ A private docker registry, with a webui to see images
+ end: |-
+ The registry has been deployed! Look in the "auth" volume to update credentials
+ displayName: docker-registry-with-ui
+ isOfficial: false
+ description: A private docker registry, with a webui to see images
+ documentation: https://docs.docker.com/registry/
+Posted on
+ + +When we sign in to our server, the message of the day (MOTD) is pretty lame. Let's get something better!
+This is the default MOTD of alpine:
+Welcome to Alpine!
+
+The Alpine Wiki contains a large amount of how-to guides and general
+information about administrating Alpine systems.
+See <http://wiki.alpinelinux.org>.
+
+You can setup the system with the command: setup-alpine
+
+You may change this message by editing /etc/motd.
+And here's my new MOTD. I even show the WireGuard ip address:
+
+
+ Name: intra.philt3r
+ Kernel: 6.1.35-0-lts
+ Distro: Alpine Linux v3.18
+ Version 3.18.2
+
+ Uptime: 0 days, 0 hours, 22 minutes
+ CPU Load: 0.00, 0.00, 0.00
+
+ Memory: 468M
+ Free Memory: 217M
+
+ Disk: 6.6G
+ Free Disk: 6.6G
+
+ eth0 Address: 192.168.1.71
+ wg0 Address: 10.131.111.1
+
+
+Start and enable cron at startup (it should be installed by default):
+rc-service crond start
+rc-update add crond
+Let's run a script every 15 minutes to update the /etc/motd file:
/etc/periodic/15min/motd
+Here's the content of my MOTD:
+#!/bin/sh
+#. /etc/os-release
+PRETTY_NAME=`awk -F= '$1=="PRETTY_NAME" { print $2 ;}' /etc/os-release | tr -d '"'`
+VERSION_ID=`awk -F= '$1=="VERSION_ID" { print $2 ;}' /etc/os-release`
+UPTIME_DAYS=$(expr `cat /proc/uptime | cut -d '.' -f1` % 31556926 / 86400)
+UPTIME_HOURS=$(expr `cat /proc/uptime | cut -d '.' -f1` % 31556926 % 86400 / 3600)
+UPTIME_MINUTES=$(expr `cat /proc/uptime | cut -d '.' -f1` % 31556926 % 86400 % 3600 / 60)
+cat > /etc/motd << EOF
+
+
+ Name: `hostname`
+ Kernel: `uname -r`
+ Distro: $PRETTY_NAME
+ Version $VERSION_ID
+
+ Uptime: $UPTIME_DAYS days, $UPTIME_HOURS hours, $UPTIME_MINUTES minutes
+ CPU Load: `cat /proc/loadavg | awk '{print $1 ", " $2 ", " $3}'`
+
+ Memory: `free -m | head -n 2 | tail -n 1 | awk {'print $2'}`M
+ Free Memory: `free -m | head -n 2 | tail -n 1 | awk {'print $4'}`M
+
+ Disk: `df -h / | awk '{ a = $2 } END { print a }'`
+ Free Disk: `df -h / | awk '{ a = $2 } END { print a }'`
+
+ eth0 Address: `ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'`
+ wg0 Address: `ifconfig wg0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}'`
+
+
+EOF
+Make the script executable, and check if it's good:
+chmod a+x /etc/periodic/15min/motd
+run-parts --test /etc/periodic/15min
+If you're lazy and don't want to wait 15 minutes, run the script directly:
+/etc/periodic/15min/motd
+Log out and log back in, you should see the new MOTD!
+https://kingtam.win/archives/apline-custom.html
+I just copy/pasted and changed the MOTD.
+ +Posted on
+ + +i code on my linux machine, and i use vim as my text editor.
+i've been using vim for almost 4 years, and i started to make my config file.
+i store it with git, along all my config files for my linux setup (aka my dot files).
here's the thing, i also use windows to code, and i also use vim.
+i also want to use the same config that i store in git.
to do so i need to do a symbolink link to my vimrc file. i dunno how to do that on windows.
+here's how to do it:
+if you use the old school, black boxed cmd.exe, you need to run these commands:
+cd c:\users\_username_
+mklink .vimrc _path-to-vimrc_
+and you should be good to go.
+just make sure it has been linked correctly with vim ~/.vimrc
if you use the new, blue boxed powershell.exe, it's a bit different:
+you can make it with powershell's language (or whatever they call the stuff they're using), but some require admin privileges, some require custom functions or something like that...
or you can keep it simple and use the cmd command to use cmd.exe to run the mklink program to make the symlink:
+cd c:\users\_username_
+cmd /c mklink .vimrc _path-to-vimrc_
+i found this blog post to find out how to do symlinks on cmd,
+and i used this wikipedia article and this stackoverflow thread to learn how to do it on powershell.
Posted on
+ + +you read it right! i am a contributor to the linux kernel!
+... but you are going to be dissapointed: my contributions are not going to change the world, just comments, alignments and documentation and stuff...
+i submited something like 10 patches (as of april 10, 2018) and 3 patches have been accepted and are now into the kernel!
+if you wanna check them out, you can read them on kernel.org.
+yes, i am aware that Linus has a copy of the repo on github, but when i try to see my commits on github, i can't get them because there is too many commits and github can't get me the list.
+so, here are my kernel contributions, listed by date:
+ + +Posted on
+ + +just installed openbsd on my chromebook, seems to be working fine!
+since it's my first time using openbsd, here are some stuff that i will start to do on my machines after installing openbsd:
+doasdoas is kinda the equivalent of sudo. to enable it, run cp /etc/examples/doas.conf /etc to copy the doas config file.
now that doas is ready, we dont need to root account anymore. to disable it, run usermod -p'*' root to set the root password to *. this will prevent root from log on directly to the machine (with su as an example), but with doas we can run doas sh to get a shell.
maybe your wifi card isn't working? or maybe you can't display any graphical interface? maybe that's because you don't have the firmware for it: here's how to install it:
+run doas fw_update -i to see the missing firmwares.
so grab a flash drive, format it in fat filesystem format, go to firmware.openbsd.org, download the missing firmwares, along with the SHA256.sig and index.txt files, and put them on the usb key.
+mount the flash drive on openbsd, and run doas fw_update -p *path of flash drive* to install the firmwares from the flash drive.
your missing firmware should not be anymore.
+ +Posted on
+ + +did you know that you can restart chrome/chromium with a simple url?
+here is it: about://restart !
+but this trick does not work with the <a> html tag, which seems logical, copy the link and paste it in a new tab to get it to work
it'd be annoying as fuck if you could click on links that restart your browser, imagine if an extension could replace every clickable link with this one! 😊
+i think its usage is for chrome developers, the end user doesn't really care to type a url to restart their browser, they click on the x and they reopen it (duh).
Posted on
+ + +Now we have a basic internal infrastructure with:
+But everything is on the same machine. While it could be okay, I will host the services I want on other machines.
+I will run them on the same Proxmox cluster, but the possibilities are endless (as long you can get WireGuard running).
+Install Alpine. Setup ssh and repositories.
+We will set up WireGuard, but not a server, a regular peer that will connect to the WireGuard server.
+Create a new peer on the WireGuard server, and get the config file ready.
+Install WireGuard:
+apk add wireguard-tools
+To load the WireGuard module on startup, edit
+/etc/modules
+and simply add
+wireguard
+and reboot.
+Put the WireGuard config to
+/etc/wireguard/wg0.conf
+Copy the init.d script for WireGuard like we did for the original server.
And ask it to start on boot.
+Reboot and make sure everything works, you should see WireGuard logs when the machine is starting.
+And the DNS should be working! Try to ping an internal DNS name.
+Sometimes the DNS will go back to the system's default (probably your DHCP server's), so force the DNS as seen in the post about CoreDNS.
+In the main server, edit CoreDNS to add a new DNS entry for the newly added peer.
+Save and restart CoreDNS.
+Add the dynamic MOTD if you feel like it. I did.
+Before installing and starting services, let's add a reverse proxy for security + some sweet TLS certs.
+I'll be using caddy. You will need to enable the community repo first.
apk add caddy
+Let's get a hello world:
+/etc/caddy/Caddyfile
+# global
+{
+ # step-ca ACME server
+ acme_ca https://10.131.111.1:444/acme/acme/directory
+}
+
+docker.philt3r docker.philt3r:80 {
+ respond "Hello, world!"
+}
+I start the service on ports 80 and 443 to get the initial TLS certificate, I will remove access on port 80 afterward.
Don't start caddy yet.
+On our new server, we need to trust the root ca. Download the root ca, and ask the system to trust it:
+apk add ca-certificates ca-certificates-bundle
+wget --no-check-certificate https://10.131.111.1:444/roots.pem -O /usr/local/share/ca-certificates/philt3r.crt
+update-ca-certificates
+Now we can start caddy and enable it on boot:
+rc-service caddy start
+rc-update add caddy
+You should get a Hello World on port 443. If you do, you can disable access from port 80 in the Caddyfile and restart caddy.
Now we can install the service we want to host, start it, and configure caddy to be a reverse proxy for it.
+Repeat the process for the other services you want to host.
+Protip: serve the services on 127.0.0.1 and use caddy to restrict access only from the WireGuard peers (since there is the DNS restriction).
Sample Caddyfile:
# global
+{
+ # step-ca ACME server
+ acme_ca https://10.131.111.1:444/acme/acme/directory
+}
+
+docker.philt3r {
+ reverse_proxy 127.0.0.1:3000
+}
+Since I'll be using Docker to host most services, I'll install it:
+apk add docker docker-compose
+rc-update add docker
+rc-service docker start
+Then spin up your docker containers and route them with caddy.
+ +Posted on
+ + +i need to warn you that you are on your own. even though it works fine, i'm not responsible of what you do.
+you have a thinkpad. it's beautiful, it's fast, it's perfect, it doesn't run windows; there's just one thing that could be perfect: the boot logo.
+by default on new models, your boot logo look like this:
+
to get a custom boot logo, you need:
+to install your custom boot logo, you need to flash a BIOS update.
+to download the BIOS update, go on lenovo's support website, choose drivers and updates and find your model.
+next, go in the section BIOS/UEFI and download the BIOS Update (Bootable CD). it will download a iso image.
+if you can't find the update image, that means that you're out of luck, and you can't get a custom boot logo. sorry.
+now that you have the iso image, you need to convert it to a img file. to do so, run the following command in a terminal:
+geteltorito -o bios-image.img bios-image-downloaded.iso
+if you don't have geteltorito, look online to install it.
+now it's time to flash the image on your usb drive. get the name of your flash drive using lsblk, plug your usb drive, and run lsblk again to see your drive.
go into the folder where the img file is located, and run in a terminal:
+sudo dd if=bios-image.img of=/dev/sdX bs=1M status=progress oflag=sync
+where X is your drive letter that you know thanks to lsblk.
if you want, i already have this selection of images ready to be used, or you can make your own!
+ +you can see the requirements, go in your usb drive, open the readme.txt in the flash folder.
+put the gif image in the flash folder, and name it LOGO1.JPG. copy that image, and name that one LOGO2.JPG.
+check the readme.txt file to see the filenames, they might differ on different models.
+reboot your computer, and boot on the usb flash drive. if you don't know how, the internet should help you with that.
+now that the flash utility has booted, choose the second option, and follow the instructions.
+the computer will reboot, flash the update, and when it will reboot, you should get your custom boot logo!
+
if you want to go back to the default logo, simply reflash the bios update, when when asked if you want to use your custom logo, say no, and the default logo will be put back.
+ +Posted on
+ + +Let's do this baremetal, no Docker!
+I will do this inside a Proxmox virtual machine.
+Start by installing Alpine Linux: Run the installer, next, next, next, and boot the os once it's done.
+Copy ssh key (run this on your local machine):
+
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ ssh-copy-id -i ~/.ssh/id_rsa.pub user@ip
+Login via ssh, and install your favorite editor:
+doas apk add vim
+Edit ssh config to force ssh key use:
+doas vim /etc/ssh/sshd_config
+Find and update these statements:
+PermitRootLogin no
+PubkeyAuthentication yes
+Restart ssh service, logout, and log back in
+doas rc-service sshd restart
+I use mirrors.ircam.fr as my mirror
Open
+/etc/apk/repositories
+add the community repo, and run updates:
+doas apk -U upgrade
+Install WireGuard:
+doas apk add wireguard-tools
+Load the module
+doas modprobe wireguard
+To launch the module on startup, edit
+/etc/modules
+and simply add
+wireguard
+at the bottom, and save the file.
+Edit
+/etc/sysctl.conf
+and add
+net.ipv4.ip_forward = 1
+at the bottom of the file, and save
+Launch sysctl on startup with
+doas rc-update add sysctl
+and reboot.
+Pick a range if ip addresses to use: RFC 1918
+I'll pick 10.131.111.x for the WireGuard peers.
Calculate your CIDR: https://www.ipaddressguide.com/cidr
+Here's my network layout:
+10.131.110.0/2310.131.110.010.131.111.255Network services:
+10.131.110.0/2410.131.110.255/24WireGuard:
+10.131.111.0/2410.131.111.255/24Do everything as root (doas is the equivalent of sudo):
+doas su
+Move to the wireguard configuration, I'll store everything there for easy access:
+cd /etc/wireguard/
+Generate the private and public key, store them in files (we'll use them later):
+wg genkey | tee philt3r-privatekey | wg pubkey > philt3r-publickey
+All the server configuration will happen in
+/etc/wireguard/wg0.conf
+Protip for vim users: To add content of a file in current buffer directly: StackOverflow answer
+[Interface]
+# Name = wg0
+Address = 10.131.111.1/24
+ListenPort = 51820
+PrivateKey = <server-private-key>
+PostUp = iptables -t nat -A POSTROUTING -s 10.131.111.0/24 -o %i -j MASQUERADE;
+PostUp = iptables -t nat -A POSTROUTING -s 10.131.110.0/24 -o %i -j MASQUERADE;
+PostUp = iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT;
+PostUp = iptables -A FORWARD -i %i -j ACCEPT;
+PostUp = iptables -A FORWARD -o %i -j ACCEPT;
+PostDown = iptables -t nat -D POSTROUTING -s 10.131.111.0/24 -o %i -j MASQUERADE;
+PostDown = iptables -t nat -D POSTROUTING -s 10.131.110.0/24 -o %i -j MASQUERADE;
+PostDown = iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT;
+PostDown = iptables -D FORWARD -i %i -j ACCEPT;
+PostDown = iptables -D FORWARD -o %i -j ACCEPT;
+Once it's good, make sure only root can read and write to the files:
+chmod 600 /etc/wireguard/*
+You will need to repeat this for each new peer
+cd /etc/wireguard/
+Starting now, name is a placeholder for the name of the peer.
I typically use the format name-of-person followed by device-name. For example, the peer for my phone will be phil-iphone.
+Create folder to store keys for the peer:
+mkdir -p peers/name
+Generate preshared key (not required):
+wg genpsk | tee peers/name/preshared.psk
+Generate private and public keys for the peer:
+wg genkey | tee peers/name/private.key | wg pubkey > peers/name/public.key
+Edit your wg0.conf, add at the bottom:
[Peer]
+# Name = name
+PublicKey = <peers/name/public.key>
+PresharedKey = <peers/name/preshared.psk>
+AllowedIPs = 10.131.111.2/32
+AllowedIPs = 10.131.110.0/24
+AllowedIPs = 10.131.111.0/24
+Now let's create the configuration to give to the peer:
+Create the file
+peers/name/philt3r-name.wg.conf
+And put the following
+[Interface]
+PrivateKey = <peers/name/private.key>
+Address = 10.131.111.2/24
+#DNS = 10.131.111.1
+
+[Peer]
+PublicKey = <server-public-key>
+PresharedKey = <peers/name/preshared.psk>
+Endpoint = <server-ip>:51820
+AllowedIPs = 10.131.110.0/24
+AllowedIPS = 10.131.111.0/24
+PersistentKeepalive = 25
+DNS info is not used yet, it's normal, I will enable it once my DNS server will be created (not in this blog post though).
+Either give the configuration file we just created, or you can have multiple choices.
+Start by installing
+apk add libqrencode
+And run
+qrencode -t ansiutf8 < peers/name/philt3r-name.wg.conf
+Note: I'm using base64 on Alpine, which comes from BusyBox, the CLI may be different depending on the operating system you're using.
Encode the configuration file to a base64 string:
+cat philt3r-name.wg.conf | base64 -w 0
+And on the other device, decode the string and save to a file:
+base64 -d > philt3r-name.wg.conf
+Put the base64 encoded string, and send a EOF (usually ctrl + d).
If you already have WireGuard running, simply run
+rc-service wg restart
+to restart the server with your new peer.
+Make sure to open the port on your router in UDP mode! I spent a lot of time debugging to realize that my port was in TCP, double check!
+Make sure to be root before, don't use doas or sudo!
wg-quick up wg0
+On the peer, start the tunnel.
+On the server, run
+wg
+to check the status of WireGuard. You should see the peer and some stats it is connected.
+If you do not see info about the peer even if it is not connected, that means you did something wrong in the configuration!
+From your peer, you should be able to ping the WireGuard internal IP:
+10.131.111.1
+pingIf you can ping the ip, you're good!
+You may not be able to go on the internet, or even make DNS requests, it's normal.
+We are just testing if the tunnel works. You can stop the tunnel.
+wg-quick down wg0
+To start WireGuard on startup, we will write an OpenRC script. It will be located in
+/etc/init.d/wg
+Put the following:
+#!/sbin/openrc-run
+#
+
+description="WireGuard"
+
+depend() {
+ need localmount net sysctl
+ after bootmisc
+}
+
+start() {
+ ebegin "Starting WireGuard"
+ wg-quick up wg0
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping WireGuard"
+ wg-quick down wg0
+ eend $?
+}
+
+status() {
+ wg show wg0
+}
+Give it executable access
+chmod +x /etc/init.d/wg
+rc-service wg startrc-service wg stoprc-service wg restartrc-service wg statusrc-update add wgrc-update del wgrc-statusReboot and make sure everything works, you should see WireGuard logs when your server is starting.
+These resources helped me when setting up my WireGuard server. Thanks!
+ + +Posted on
+ + +do you use zsh and ohmyzsh ?
+do you run into an issue when you are about to edit a file with vim, and you use the Tab key to autocomplete the filename, but instead you get something like this:
+$ vim ~/filena<TAB>
+_arguments:448: _vim_files: function definition file not found
+annoying af, right ?
+here's how to fix it: delete the zcompdump directory off your personal directory, and reload your zsh config file (or close and open a new shell).
+rm -rf ~/.zcompdump*; source ~/.zshrc;
+it took me at least 15 mins to find that .... hopefully i save some time for you .
+stackoverflow and github
+ +