Running a PKI using Smallstep certificates with Docker

Posted on September 12, 2021 by blogger

Recently, I had to set up a new PKI. I was going to go with the good old OpenSSL but it’s 2021, there must be a more userfriendly and, more importantly, automated approach.

There are many open-source possibilities: EJBCA, cfssl, Hashicorp Vault, Smallstep Certificates. I chose to use Smallstep certificates because it has all the features I need and they are not behind a pay-wall:

  • lightweight: small Go binary, you can run it with a file-based database (similar to SQLite)
  • user friendly CLI: compared to openssl commands
  • ACME protocol: useful for Traefik reverse proxy
  • OIDC authentication
  • support: the guys are super friendly and available on their Discord channel
Continue reading
Posted in Computer, Linux, Uncategorized | Tagged , , , , | 12 Comments

Computer case: Antex NX800 mounting tips

Posted on August 23, 2021 by blogger

If you plan to buy the Antec NX800 for your new build, you should be aware of a couple of things.

First, it is one of the cheap-ish cases that support a 280mm radiator at the top. This is the primary reason I bought this case.

Second, if you mount a radiator at the top, mount it last. Especially, mount it after you screwed the motherboard and plugged all cables (especially CPU power and fans). Accessing them with the radiator mounted will be difficult or even impossible.

Finally, while you can turn on/off the RGB LEDs on the fans with the push of a button, you cannot do the same with fan speed. Fans connected to the controller will run at max speed, and some may find it quite loud.

Apart from that, the case seems solid and will most likely survive many builds. Enjoy.

Posted in Computer, Hardware | Tagged , , , , , | Leave a comment

Tango Luxembourg using private IP addresses for Fiber internet access

Posted on August 11, 2021 by blogger

When I moved in Luxembourg, I subscribed to Tango Luxembourg Fiber internet access. Back then, I got the usual dynamic public IP address “for free”. It was changing every 36 hours but at least it was a public one.

Recently, I changed my subscription to the 1 gigabit/s offer and soon after, I realized my VPNs and 6to4 tunnel was not working anymore.

After a brief troubleshooting session, I found out I was receiving a private IP address instead of the usual public 94.252.x.x .

A bit of googling later and I found out I was not the only one complaining about it:

Before I switched, I had read their service descriptions and I did not find any mention of it, in any document. Their offer page does not explicitly mention it, they even go as far as say:

No hidden conditions. Once you have chosen your connection speed, surf and download without limit.

Their service description however mentions that “dynamic public IP address” is optional, but you have to look for it.

Honestly, I have to say I am disappointed by such a poor customer service. I guess that is the world we live in now.

Anyway, new customers beware: if you want/need a public IP address, you will have to pay for it.

Posted in Computer, Luxembourg, Networking | Leave a comment

Deprecation of apt-key in Debian-based distributions

Posted on August 7, 2021 by blogger

I recently installed an Ubuntu 21.04 and when I wanted to install Atom editor, I was given the following warning about apt-key being deprecated:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).

After a bit of Googling around, I stumbled on this post on askubuntu.com explaining why apt-key was being deprecated.

Then the folks at docker.com give a nice easy command to convert an old PGP key in base64 to a keyring.

So here are the commands if you wonder. I will assume it’s your first key.

sudo mkdir /etc/apt/local.trusted.gpg.d
cd /etc/apt/local.trusted.gpg.d
curl https://packagecloud.io/AtomEditor/atom/gpgkey > AtomEditor.key
cat AtomEditor.key | sudo gpg --dearmor --output AtomEditor.gpg

We first create a new directory to store our local keys, it is important to separate them from the keys trusted by apt for everything (which are in /etc/apt/trusted.gpg.d).
Then we download the current key in base64 format.
And then we export that keyring to a gpg file format.
Without these steps, apt will not understand the key file.

Then add the new repository to /etc/apt/sources.list.d almost as usual:

sudo sh -c 'echo "deb [arch=amd64 signed-by=/etc/apt/local.trusted.gpg.d/AtomEditor.gpg] https://packagecloud.io/AtomEditor/atom/any/ any main" > /etc/apt/sources.list.d/atom.list'

The key difference is the new option signed-by which references the key. This allows this particular key to only be trusted for Atom repository.

Posted in Computer, Linux, Ubuntu | Tagged , , | Leave a comment

Gitlab-runner and docker behind a proxy

Posted on August 3, 2021 by blogger

After reading many articles and trying many things, this is how I solved it.

For docker daemon itself to use a proxy, configure environment variables using systemd file /etc/systemd/system/docker.service.d/http-proxy.conf :

[Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="HTTPS_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="NO_PROXY=localhost,docker,*.domain.com"

For gitlab-runner daemon itself to use a proxy, configure environment variables using systemd file /etc/systemd/system/gitlab-runner.service.d/http-proxy.conf :

[Service]
Environment="HTTP_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="HTTPS_PROXY=http://user:pass@proxy.domain.com:3128/"
Environment="NO_PROXY=localhost,docker,*.domain.com"

Reload systemd and restart docker daemon:

systemctl daemon-reload
systemctl restart docker

For git commands run by gitlab-runner to use a proxy, use gitlab-runner config file. In /etc/gitlab-runner/config.toml , under [[runners]] , add the following line:

pre_clone_script = "git config --global http.proxy $HTTP_PROXY; git config --global https.proxy $HTTPS_PROXY"

For containers started by gitlab-runner to have proxy environment variables, use per-user docker config file. Add or edit /home/gitlab-runner/.docker/config.json :

{
 "proxies":
 {
   "default":
   {
     "httpProxy": "http://user:pass@proxy.domain.com:3128",
     "httpsProxy": "http://user:pass@proxy.domain.com:3128",
     "noProxy": "localhost,docker,*.domain.com"
   }
 }
}

Restart gitlab-runner daemon:

systemctl restart gitlab-runner

You should be good to go at this point.

Posted in Computer, Linux, Networking | Tagged , , | Leave a comment

Post install steps with Gitlab

Posted on July 22, 2021 by blogger

It happens I recently had to install Gitlab and was a bit lost about what to do right after the setup finished, perhaps this will help.

By default, Gitlab stores its data files in /var/opt/gitlab and its backups in /var/opt/gitlab/backups . It would be a good idea to use dedicated partitions for each of those directories.
Let’s say you use /dev/sdb1 for Gitlab data and /dev/sdc1 for the backups.

gitlab-ctl stop
mkdir /mnt/gitlab
mount /dev/sdb1 /mnt/gitlab
mkdir /mnt/gitlab/backups
mount /dev/sdc1 /mnt/gitlab/backups
tar -C /var/opt -cf - gitlab | tar -C /mnt -xpsf -
umount /mnt/gitlab/backups
umount /mnt/gitlab
mv /var/opt/gitlab /var/opt/gitlab.old
mkdir /var/opt/gitlab
mount /dev/sdb1 /var/opt/gitlab
mount /dev/sdc1 /var/opt/gitlab/backups
gitlab-ctl start

Do not forget to edit /etc/fstab .

Configure your timezone: docs.gitlab.com/ee/administration/timezone.html
Note: all usual timezones are not available.

Trust your local Certificate Authority: docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates

Configure Gitlab to use a proxy: docs.gitlab.com/omnibus/settings/environment-variables.html
Pay attention if you want to clone git repositories or container images, those require the additional settings.

Manually configure HTTPS: docs.gitlab.com/omnibus/settings/nginx.html#manually-configuring-https
Do not forget to disable Let’s Encrypt, copy the certificate & key files with the appropriate names.

Use external auth: docs.gitlab.com/ce/integration/omniauth.html#initial-omniauth-configuration
I used OpenID Connect against Keycloak: docs.gitlab.com/ce/administration/auth/oidc.html

Enable single sign out: gitlab.com/gitlab-org/gitlab/-/issues/31203
Under Admin > Settings > General > Sign-in restrictions, set After sign-out path to:
https://your.domain/auth/realms/your_realm/protocol/openid-connect/logout?redirect_uri=https://gitlab.your.domain

Disable password authentication for Git over HTTPS . External authentication is not available to access git repositories over HTTPS. Gitlab will prompt your users to set a password. We do not want that. Under Admin > Settings > Sign-in restrictions, Uncheck “Password authentication enabled for Git over HTTP(S)”.

Enable container registry: docs.gitlab.com/ce/administration/packages/container_registry.html
If you want to separate registry storage from the rest of Gitlab data, repeat the steps at the top of this post for /var/opt/gitlab/registry .
Open the firewall (default config uses 5050/tcp).

Disable sign-up. Since we have user federation, we do not want users to create extra accounts without our approval.
You will find the setting under Admin > Settings > General > Sign-up restrictions.

Prevent users from changing their username. Prevent users from creating top level groups.
docs.gitlab.com/ee/administration/user_settings.html

Disable annoying settings:
– third party offers, under Admin > Settings > General > Third party offers
– usage ping, under Admin > Settings > Metrics and Profiling > Usage Statistics
– marketing in emails: under Admin > Settings > Preferences > Email
– marketing in help pages: under Admin > Settings > Preferences > Help page

Change default initial branch name to master because we are old school, under Admin > Settings > Repository > Default initial branch name.

Enable access to Grafana metrics, under Admin > Settings > Metrics and profiling > Metrics – Grafana
If you have configured HTTPS, also change Grafana callback URL under Admin > Applications .

Enable outbound requests to local network, under Admin > Settings > Network > Outbound requests
Either allow access to some resources by filling the text box, or allow access to all resources by checking “Allow requests to the local network from web hooks and services”.

Configure daily backup. Edit crontab:

0 2 * * * /opt/gitlab/bin/gitlab-backup create CRON=1

Set first day of week to Monday under Admin > Settings > Preferences > Localization

I will add more as I discover additional things …

Posted in Computer | Tagged , , , | Leave a comment

IPsec tunnel between Ubuntu 20.04 and Mikrotik router using strongSwan

Posted on March 6, 2021 by blogger

Here is how to establish an IPsec tunnel between an Ubuntu 20.04 host and a Mikrotik router using IKEv2.

The 2 endpoints of the tunnel are:

  • ubuntu.xentoo.info : the Ubuntu server. This server has a local private subnet 10.0.0.0/24 and a fixed public IPv4 address 1.2.3.4 . The hostname ubuntu.xentoo.info resolves to the public IP address.
  • mikrotik.xentoo.info : the Mikrotik router. This router has a local private subnet 192.168.0.0/24 and a dynamic public IPv4 address.

I will use fqdn identifiers, pre-shared-key and both IKE and ESP will have the same parameters:

  • encryption: AES256
  • integrity: SHA256
  • Diffie-Hellman group: ECP384

Continue reading

Posted in Computer, Linux, Mikrotik, Networking | 2 Comments

Install Firely III on Ubuntu 19.04

Posted on January 5, 2020 by blogger

“Firefly III” is a (self-hosted) manager for your personal finances. You can find more about it on the following sites:

Install prerequisites

Let’s first install the requirements to run Firefly. Firefly documentation says it runs on PHP 7.2 but that’s wrong, it needs >=7.3 . Unfortunately, Ubuntu 19.04 comes with PHP 7.2 by default, so we need to use a PPA to have a more recent version.

ondrej/php PPA has version 7.4 at this time, that will be perfect.

Firefly needs a database, I have chosen to go with PostgreSQL.

sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.4 php7.4-bcmath php7.4-curl php7.4-gd php7.4-intl php7.4-ldap php7.4-mbstring php7.4-xml php7.4-zip unzip postgresql php7.4-pgsql
curl -sS https://getcomposer.org/installer | sudo php -- --install-dir=/usr/local/bin --filename=composer

Install Firefly

To retrieve Firefly, it’s quite simple. Go to version.firefly-iii.org/ , choose the version you want and mention it in the command below. For me, I have chosen the latest stable version at this time: 4.8.2 .

$ composer create-project grumpydictator/firefly-iii --no-dev --prefer-dist firefly-iii 4.8.2
$ sudo chown -R www-data:www-data firefly-iii
$ sudo chmod -R 775 firefly-iii/storage/
$ mv firefly-iii /var/www

Configure PostgreSQL

su - postgres
psql
postgres=# create database firefly;
postgres=# create role firefly with login encrypted password 'secret_firefly_password';
postgres=# exit

You can test the connection is working using the following command. It will prompt for your password.

psql -U firefly -W firefly

If all goes well, you should obtain the following prompt:

firefly=>

Configure Firefly

Edit the file .env at the root of firefly-iii directory. You may want to change the following variables:

APP_ENV=production
SITE_OWNER=your email address
TZ=your timezone
APP_URL=http://youripaddress/firefly-iii

You need to use a database for Firefly. I have chosen to use PostgreSQL.

# Database credentials. Make sure the database exists. I recommend a dedicated user for Firefly III
# For other database types, please see the FAQ: https://docs.firefly-iii.org/support/faq
DB_CONNECTION=pgsql
DB_HOST=localhost
DB_PORT=5432
DB_DATABASE=firefly
DB_USERNAME=firefly
DB_PASSWORD=secret_firefly_password

If you want Firefly to send emails, you need to change the following variables:

# If you want Firefly III to mail you, update these settings
# For instructions, see: https://docs.firefly-iii.org/advanced-installation/email
MAIL_DRIVER=log
MAIL_HOST=your mail server here
MAIL_PORT=25
MAIL_FROM=your@email.address
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

Once you are done, you can initialize the database:

php artisan migrate:refresh --seed
php artisan firefly-iii:upgrade-database
php artisan passport:install

Configure Apache

I have chosen to stick with Apache2 to run Firefly, so let’s configure it.

By default, Apache2 serves files under /var/www/html but we have moved firefly-iii directory under /var/www . Moreover, we must only present public/ directory .

In addition, Firefly uses .htaccess file inside public/ directory, but default configuration of Apache2 denies it. So we need to allow this.

Let’s edit file /etc/apache2/sites-available/000-default.conf to configure all of the above. Put the following code inside block:

Alias /firefly-iii /var/www/firefly-iii-4.8.2/public
<Directory /var/www/firefly-iii/public>
    AllowOverride FileInfo Options=Indexes,MultiViews
</Directory>

In addition, Firefly rewrites URL so we need to enable Apache2 module.

sudo a2enmod rewrite

Then restart Apache2:

sudo systemctl restart apache2
Posted in Computer, Linux | Leave a comment

Using a Mikrotik router with Tango Fiber (Luxembourg)

Posted on May 26, 2018 by blogger

Hi guys,

I moved to Luxembourg and I have opted for Tango Fiber. Their router is a Fritz!box which I do not like at all. I have a spare Mikrotik router, so here is how to configure.

Tango Fiber uses PPPoE over VLAN 35, MTU is 1480. You need to ask the PPP credentials via a contact form on the website, they will answer within a few days.

I have decided to use ether1 to connect the Fiber and create a VLAN interface named ether1.35 on it.

/interface vlan
add interface=ether1 name=ether1.35 vlan-id=35
/interface pppoe-client
add add-default-route=yes default-route-distance=0 disabled=no interface=ether1.35 max-mtu=1480 \
    name=TangoFibre password=xxx use-peer-dns=yes user=xxx@tango

Do not forget to adapt your NAT rules to allow exit through this interface.

Posted in Computer, Mikrotik, Networking | Tagged , , | 8 Comments

Compile pjsip with pjsua on Ubuntu 16.04

Posted on May 4, 2017 by blogger

As a personal note to myself :-)

apt-get install make gcc pkg-config libasound2-dev
wget http://www.pjsip.org/release/2.6/pjproject-2.6.tar.bz2
tar -xjf pjproject-2.6.tar.bz2
cd pjproject
./configure && make dep && make
sudo make install
sudo cp pjsip-apps/bin/pjsua-x86_64-unknown-linux-gnu /usr/local/bin/pjsua

That’s it!

Posted in Computer, Linux, VoIP | 1 Comment