Backup gitea container

Gitea is great when you want a fast, light and yet user-friendly git repositories. Alternatives would be Gogs, Gitlab or even Github.

Gitea documentation tells you to use docker exec to perform a backup. However, this prevents you from using an additional volume to dump the backup into.

Instead, I prefer to use a similar command using docker run. Assuming the following:

  • the container network is called gitea_default, you only need this if you use an external database such as MySQL
  • the container is called gitea
  • the backup directory is in the current directory and named backups
docker run --rm -it --network gitea_default --volumes-from gitea --volume $(pwd)/backups:/backups --user git --workdir /backups --entrypoint '/app/gitea/gitea' gitea/gitea:1.15.10 dump -c /data/gitea/conf/app.ini

Posted in Computer, Linux | Tagged , , , , , | Leave a comment

Applying Audit Policies

If like me, you are trying to enable Audit Policies on Windows computers in a domain using Local Policies > Audit Policy, and it does not work, then you came to the right place.

Legacy Audit Policy: audit object access settings in Local Security Policy

The reason is: that is the legacy way to configure Audit Policies. Like Windows XP legacy.

You will find plenty of resources out there telling you this is because Advanced Audit Policy is enabled and you need to disable it by setting Local Policies > Security Options > Audit: Force audit policy subcategory settings to override audit policy category settings to Disabled to make it work. While it is true that disabling the Advanced Audit Policy will make it work, it will revert to the old, non-granular way of configuring Audit Policies.

You are now supposed to use Advanced Audit Policy Configuration. And by now, I mean since Vista.

Instead of setting Audit Object Access to Success and/or Failure, you can now granularly enable which object type you want to audit: file shares, file system, registry, …

In your GPO or Local Security Policy, scroll down at the bottom of the list and you will see a dedicated folder called Advanced Audit Policy Configuration with many categories, and in each of them, many settings you can now control independently.

Advanced Audit Policy: items in the Object Access category

Now if you apply it using gpupdate /force and you check it using auditpol /get /category:* , you should see a change in the individual items.

As a reminder, you can check which GPO is applying what setting using gpresult /h report.html . You need to be an Administrator to view the Computer configuration.

Posted in Computer, Microsoft | Tagged , , , , | Leave a comment

A Raspberry Pi, a UPS and a couple of ESXi servers walk into a bar

If you have the power of multiple servers connected to a UPS, you probably need to shut them down when the power goes down and before the UPS runs out of juice. Unless your UPS can be connected to the network, you usually can only connect a single device to it using good old serial or brand new USB. That single host now knows about the UPS status, but what about all the other systems? That’s when Network UPS Tools, aka NUT, comes into play.

NUT comes with a server and a client. You install the server on the device connected to the UPS using serial or USB (or even the network). You install the client on all the other devices.

We will install the server on the Raspberry Pi and the client on the ESXi servers.

Raspberry Pi

I will assume the connection is USB. On the raspberry pi, run the following as root:

apt-get install nut nut-client nut-server
nut-scanner -q -N -U > /etc/nut/ups.conf
echo "LISTEN 0.0.0.0 3493" > /etc/nut/upsd.conf
MONITOR nutdev1@localhost 1 master s3cr3tp4ssw0rd master

Write the following into /etc/nut/upsd.users:

[master]
    password = s3cr3tp4ssw0rd
    actions = SET
    instcmds = ALL
    upsmon master
 
[esxi]
    password = s3cr3tp4ssw0rd

Restart all services:

systemctl restart nut-driver
systemctl restart nut-server
systemctl restart nut-client
systemctl restart nut-monitor

ESXi hosts

Download the binaries from rene.margar.fr/2012/05/client-nut-pour-esxi-5-0/ and copy them to your ESXi host(s).

Configure the host to accept community packages: esxcli software acceptance set –level=CommunitySupported

Extract the file: tar -xzvf NutClient-ESXi-<version>.tar.gz

Install the package: ./upsmon-install.sh

Edit advanced system settings and set the following variables (at least):

  • /UserVars/NutUpsName : nutdev1@raspberrypi-ip-address
  • /UserVars/NutUser : esxi
  • /UserVars/NutPassword : s3cr3tp4ssw0rd

You also need to specify how long the ESXi host will wait before it shuts itself down with the following variable:

  • /UserVars/NutFinalDelay : 5 (default value)

If you want email alert, then configure the following variables as well:

Then, go to the services in the Web UI, edit the startup policy to “start and stop with the host” and start the service immediately.

Validate the setup

On the Raspberry Pi, use tcpdump to capture packets on port 3493, you should see your ESXi hosts talk with the NUT server asking for the UPS status, and the Raspberry Pi answering.

In addition, you should perform a real test by unplugging the power supply of the UPS and check that the ESXi hosts shut themselves down. You will probably want to tune the variable NutFinalDelay based on your UPS capacity and load.

Links

Posted in Computer, Linux, Networking | Tagged , , , , , | Leave a comment

Running a PKI using Smallstep certificates with Docker

Recently, I had to set up a new PKI. I was going to go with the good old OpenSSL but it’s 2021, there must be a more userfriendly and, more importantly, automated approach.

There are many open-source possibilities: EJBCA, cfssl, Hashicorp Vault, Smallstep Certificates. I chose to use Smallstep certificates because it has all the features I need and they are not behind a pay-wall:

  • lightweight: small Go binary, you can run it with a file-based database (similar to SQLite)
  • user friendly CLI: compared to openssl commands
  • ACME protocol: useful for Traefik reverse proxy
  • OIDC authentication
  • support: the guys are super friendly and available on their Discord channel
Continue reading
Posted in Computer, Linux, Uncategorized | Tagged , , , , | Leave a comment

Computer case: Antex NX800 mounting tips

If you plan to buy the Antec NX800 for your new build, you should be aware of a couple of things.

First, it is one of the cheap-ish cases that support a 280mm radiator at the top. This is the primary reason I bought this case.

Second, if you mount a radiator at the top, mount it last. Especially, mount it after you screwed the motherboard and plugged all cables (especially CPU power and fans). Accessing them with the radiator mounted will be difficult or even impossible.

Finally, while you can turn on/off the RGB LEDs on the fans with the push of a button, you cannot do the same with fan speed. Fans connected to the controller will run at max speed, and some may find it quite loud.

Apart from that, the case seems solid and will most likely survive many builds. Enjoy.

Posted in Computer, Hardware | Tagged , , , , , | Leave a comment

Tango Luxembourg using private IP addresses for Fiber internet access

When I moved in Luxembourg, I subscribed to Tango Luxembourg Fiber internet access. Back then, I got the usual dynamic public IP address “for free”. It was changing every 36 hours but at least it was a public one.

Recently, I changed my subscription to the 1 gigabit/s offer and soon after, I realized my VPNs and 6to4 tunnel was not working anymore.

After a brief troubleshooting session, I found out I was receiving a private IP address instead of the usual public 94.252.x.x .

A bit of googling later and I found out I was not the only one complaining about it:

Before I switched, I had read their service descriptions and I did not find any mention of it, in any document. Their offer page does not explicitly mention it, they even go as far as say:

No hidden conditions. Once you have chosen your connection speed, surf and download without limit.

Their service description however mentions that “dynamic public IP address” is optional, but you have to look for it.

Honestly, I have to say I am disappointed by such a poor customer service. I guess that is the world we live in now.

Anyway, new customers beware: if you want/need a public IP address, you will have to pay for it.

Posted in Computer, Luxembourg, Networking | Leave a comment

Deprecation of apt-key in Debian-based distributions

I recently installed an Ubuntu 21.04 and when I wanted to install Atom editor, I was given the following warning about apt-key being deprecated:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

After a bit of Googling around, I stumbled on this post on askubuntu.com explaining why apt-key was being deprecated.

Then the folks at docker.com give a nice easy command to convert an old PGP key in base64 to a keyring.

So here are the commands if you wonder. I will assume it’s your first key.

sudo mkdir /etc/apt/local.trusted.gpg.d
cd /etc/apt/local.trusted.gpg.d
curl https://packagecloud.io/AtomEditor/atom/gpgkey > AtomEditor.key
cat AtomEditor.key | sudo gpg --dearmor --output AtomEditor.gpg

We first create a new directory to store our local keys, it is important to separate them from the keys trusted by apt for everything (which are in /etc/apt/trusted.gpg.d).
Then we download the current key in base64 format.
And then we export that keyring to a gpg file format.
Without these steps, apt will not understand the key file.

Then add the new repository to /etc/apt/sources.list.d almost as usual:

sudo sh -c 'echo "deb &#91;arch=amd64 signed-by=/etc/apt/local.trusted.gpg.d/AtomEditor.gpg] https://packagecloud.io/AtomEditor/atom/any/ any main" &gt; /etc/apt/sources.list.d/atom.list'

The key difference is the new option signed-by which references the key. This allows this particular key to only be trusted for Atom repository.

Posted in Computer, Linux, Ubuntu | Tagged , , | Leave a comment

Gitlab-runner and docker behind a proxy

After reading many articles and trying many things, this is how I solved it.

For docker daemon itself to use a proxy, configure environment variables using systemd file /etc/systemd/system/docker.service.d/http-proxy.conf :

&#91;Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="HTTPS_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="NO_PROXY=localhost,docker,*.domain.com"

For gitlab-runner daemon itself to use a proxy, configure environment variables using systemd file /etc/systemd/system/gitlab-runner.service.d/http-proxy.conf :

&#91;Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="HTTPS_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="NO_PROXY=localhost,docker,*.domain.com"

Reload systemd and restart docker daemon:

systemctl daemon-reload
systemctl restart docker

For git commands run by gitlab-runner to use a proxy, use gitlab-runner config file. In /etc/gitlab-runner/config.toml , under [[runners]] , add the following line:

pre_clone_script = "git config --global http.proxy $HTTP_PROXY; git config --global https.proxy $HTTPS_PROXY"

For containers started by gitlab-runner to have proxy environment variables, use per-user docker config file. Add or edit /home/gitlab-runner/.docker/config.json :

{
 "proxies":
 {
   "default":
   {
     "httpProxy": "http://user:pass@proxy.domain.com:3128",
     "httpsProxy": "http://user:pass@proxy.domain.com:3128",
     "noProxy": "localhost,docker,*.domain.com"
   }
 }
}

Restart gitlab-runner daemon:

systemctl restart gitlab-runner

You should be good to go at this point.

Posted in Computer, Linux, Networking | Tagged , , | Leave a comment

Post install steps with Gitlab

It happens I recently had to install Gitlab and was a bit lost about what to do right after the setup finished, perhaps this will help.

By default, Gitlab stores its data files in /var/opt/gitlab and its backups in /var/opt/gitlab/backups . It would be a good idea to use dedicated partitions for each of those directories.
Let’s say you use /dev/sdb1 for Gitlab data and /dev/sdc1 for the backups.

gitlab-ctl stop
mkdir /mnt/gitlab
mount /dev/sdb1 /mnt/gitlab
mkdir /mnt/gitlab/backups
mount /dev/sdc1 /mnt/gitlab/backups
tar -C /var/opt -cf - gitlab | tar -C /mnt -xpsf -
umount /mnt/gitlab/backups
umount /mnt/gitlab
mv /var/opt/gitlab /var/opt/gitlab.old
mkdir /var/opt/gitlab
mount /dev/sdb1 /var/opt/gitlab
mount /dev/sdc1 /var/opt/gitlab/backups
gitlab-ctl start

Do not forget to edit /etc/fstab .

Configure your timezone: docs.gitlab.com/ee/administration/timezone.html
Note: all usual timezones are not available.

Trust your local Certificate Authority: docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates

Configure Gitlab to use a proxy: docs.gitlab.com/omnibus/settings/environment-variables.html
Pay attention if you want to clone git repositories or container images, those require the additional settings.

Manually configure HTTPS: docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https
Do not forget to disable Let’s Encrypt, copy the certificate & key files with the appropriate names.

Use external auth: docs.gitlab.com/ce/integration/omniauth.html#initial-omniauth-configuration
I used OpenID Connect against Keycloak: docs.gitlab.com/ce/administration/auth/oidc.html

Enable single sign out: gitlab.com/gitlab-org/gitlab/-/issues/31203
Under Admin > Settings > General > Sign-in restrictions, set After sign-out path to:
https://your.domain/auth/realms/your_realm/protocol/openid-connect/logout?redirect_uri=https://gitlab.your.domain

Disable password authentication for Git over HTTPS . External authentication is not available to access git repositories over HTTPS. Gitlab will prompt your users to set a password. We do not want that. Under Admin > Settings > Sign-in restrictions, Uncheck “Password authentication enabled for Git over HTTP(S)”.

Enable container registry: docs.gitlab.com/ce/administration/packages/container_registry.html
If you want to separate registry storage from the rest of Gitlab data, repeat the steps at the top of this post for /var/opt/gitlab/registry .
Open the firewall (default config uses 5050/tcp).

Disable sign-up. Since we have user federation, we do not want users to create extra accounts without our approval.
You will find the setting under Admin > Settings > General > Sign-up restrictions.

Prevent users from changing their username. Prevent users from creating top level groups.
docs.gitlab.com/ee/administration/user_settings.html

Disable annoying settings:
– third party offers, under Admin > Settings > General > Third party offers
– usage ping, under Admin > Settings > Metrics and Profiling > Usage Statistics
– marketing in emails: under Admin > Settings > Preferences > Email
– marketing in help pages: under Admin > Settings > Preferences > Help page

Change default initial branch name to master because we are old school, under Admin > Settings > Repository > Default initial branch name.

Enable access to Grafana metrics, under Admin > Settings > Metrics and profiling > Metrics – Grafana
If you have configured HTTPS, also change Grafana callback URL under Admin > Applications .

Enable outbound requests to local network, under Admin > Settings > Network > Outbound requests
Either allow access to some resources by filling the text box, or allow access to all resources by checking “Allow requests to the local network from web hooks and services”.

Configure daily backup. Edit crontab:

0 2 * * * /opt/gitlab/bin/gitlab-backup create CRON=1

Set first day of week to Monday under Admin > Settings > Preferences > Localization

I will add more as I discover additional things …

Posted in Computer | Tagged , , , | Leave a comment

IPsec tunnel between Ubuntu 20.04 and Mikrotik router using strongSwan

Here is how to establish an IPsec tunnel between an Ubuntu 20.04 host and a Mikrotik router using IKEv2.

The 2 endpoints of the tunnel are:

  • ubuntu.xentoo.info : the Ubuntu server. This server has a local private subnet 10.0.0.0/24 and a fixed public IPv4 address 1.2.3.4 . The hostname ubuntu.xentoo.info resolves to the public IP address.
  • mikrotik.xentoo.info : the Mikrotik router. This router has a local private subnet 192.168.0.0/24 and a dynamic public IPv4 address.

I will use fqdn identifiers, pre-shared-key and both IKE and ESP will have the same parameters:

  • encryption: AES256
  • integrity: SHA256
  • Diffie-Hellman group: ECP384

Let’s first configure the Mikrotik router. Go straight into the configuration of IPSEC tunnels:

/ip ipsec profile
add dh-group=ecp384 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=sha256 name=ubuntu.xentoo.info &lt;
    nat-traversal=no
/ip ipsec peer
add address=ubuntu.xentoo.info exchange-mode=ike2 name=ubuntu.xentoo.info profile=ubuntu.xentoo.info
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr name=ubuntu.xentoo.info pfs-group=ecp384
/ip ipsec identity
add my-id=fqdn:mikrotik.xentoo.info peer=ubuntu.xentoo.info remote-id=ubuntu.xentoo.info secret=mysecretkey
/ip ipsec policy
add dst-address=10.0.0.0/24 peer=ubuntu.xentoo.info proposal=ubuntu.xentoo.info sa-dst-address=1.2.3.4 \
    sa-src-address=0.0.0.0 src-address=192.168.0.0/24 tunnel=yes

On Ubuntu side, first install the package:

apt-get install strongswan

The tunnels are configured in /etc/ipsec.conf . There are 2 members in a connection: a left one and a right one. I always use the left one for the local host and the right one for the remote host. I name the connection using the remote host name. Since the Mikrotik router has a dynamic public IP address, its IP address is configured with %any.

The configuration for this tunnel is the following:

conn mikrotik.xentoo.info
    leftsubnet=10.0.0.0/24
    left=1.2.3.4
    leftid=fqdn:ubuntu.xentoo.info
    rightsubnet=192.168.0.0/24
    right=%any
    rightid=fqdn:mikrotik.xentoo.info
    authby=psk
    auto=start
    ike=aes256-sha256-ecp384
    keyexchange=ikev2
    esp=aes256-sha256-ecp384
    type=tunnel

The secret keys are stored in /etc/ipsec.secrets . Each line is a different secret. The syntax I use is leftid rightid : PSK "psk" .

fqdn:ubuntu.xentoo.info fqdn:mikrotik.xentoo.info : PSK "mysecretkey"

Restart IPSEC service to apply the changes:

systemctl restart ipsec

After you restart the service, you should see the following in /var/log/syslog:

Mar  6 11:35:51 ubuntu charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar  6 11:35:51 ubuntu charon: 00[CFG]   loaded IKE secret for fqdn:ubuntu.xentoo.info fqdn:mikrotik.xentoo.info
...
Mar  6 11:35:51 ubuntu charon: 05[CFG] added configuration 'mikrotik.xentoo.info'
Mar  6 11:35:57 ubuntu charon: 09[NET] received packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (208 bytes)
Mar  6 11:35:57 ubuntu charon: 09[ENC] parsed IKE_SA_INIT request 0 [ No KE SA ]
Mar  6 11:35:57 ubuntu charon: 09[IKE] 6.7.8.9 is initiating an IKE_SA
Mar  6 11:35:57 ubuntu charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Mar  6 11:35:57 ubuntu charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(CHDLESS_SUP) N(MULT_AUTH) ]
Mar  6 11:35:57 ubuntu charon: 09[NET] sending packet: from 1.2.3.4[4500] to 6.7.8.9[4500] (232 bytes)
Mar  6 11:35:57 ubuntu charon: 10[NET] received packet: from 6.7.8.9[4500] to 1.2.3.4[4500] (448 bytes)
Mar  6 11:35:57 ubuntu charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi AUTH IDr N(INIT_CONTACT) SA TSi TSr ]
Mar  6 11:35:57 ubuntu charon: 10[CFG] looking for peer configs matching 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info]
Mar  6 11:35:57 ubuntu charon: 10[CFG] selected peer config 'mikrotik.xentoo.info'
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'mikrotik.xentoo.info' with pre-shared key successful
Mar  6 11:35:57 ubuntu charon: 10[IKE] authentication of 'ubuntu.xentoo.info' (myself) with pre-shared key
Mar  6 11:35:57 ubuntu charon: 10[IKE] IKE_SA mikrotik.xentoo.info[2] established between 1.2.3.4[ubuntu.xentoo.info]...6.7.8.9[mikrotik.xentoo.info]

You can see the secret was loaded correctly, both endpoints were detected correctly. Then the configuration for tunnel mikrotik.xentoo.info was loaded. When a first packet was received from the Mikrotik router, the correct proposal was chosen, the the authentication using pre-shared-key succeeded and the tunnel was established.

Posted in Computer, Linux, Mikrotik, Networking | Leave a comment