Skeema is a tool for managing MySQL and MariaDB schema changes in a declarative fashion using pure SQL.
Using the VS Code plugin for Ansible, I'm getting an internal error when it lints a YAML file. I know the syntax is OK, as I can run ansible-playbook with --syntax-check and it works.
But then I’m using a command line that also includes my Ansible vault password file:
ansible-playbook -i inventory.yml --syntax-check desktop-playbook.yml --vault-password-file=~/.ansible/secret
The VS Code linter doesn't do this. So if I repeat the call without the vault password file, I get:
ansible-playbook -i inventory.yml --syntax-check desktop-playbook.yml
ERROR! Attempting to decrypt but no vault secrets found
To solve the puzzle, you need to edit /etc/ansible/ansible.cfg and put your vault file in the config:
vault_password_file = ~/.ansible/secret
Now, when you run the --syntax-check without the --vault-password-file parameter, it should work, which means the VS Code lint should work too.
References
https://github.com/ansible/ansible-lint/issues/115#issuecomment-774472336
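Once the vault password file is referenced from a system-wide ansible.cfg, its permissions matter more than before. The following is an added example (not from the post or from Ansible) that reads the vault_password_file setting from the [defaults] section, expands the ~ as Ansible does, and reports the things a practitioner would want flagged: group/other access, an executable bit (Ansible runs an executable vault password file and reads the password from its stdout) and an empty file. The config text is a constructed sample based on the post's setting.

```python
import configparser
import os
import stat

# Constructed sample of the stanza the post adds; vault_password_file lives under [defaults].
SAMPLE_CFG = """\
[defaults]
inventory = inventory.yml
vault_password_file = ~/.ansible/secret
"""

def vault_password_file(cfg_text):
    """Return the configured vault_password_file with ~ expanded (Ansible expands it too), or None."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    path = cp.get("defaults", "vault_password_file", fallback=None)
    return os.path.expanduser(path) if path else None

def audit_mode(mode, size):
    """Findings for a vault password file with the given permission bits and size."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    if mode & stat.S_IXUSR:
        findings.append("file is executable: Ansible runs it and reads the password from its stdout")
    if size == 0:
        findings.append("file is empty")
    return findings

def check_vault_file(path):
    """Stat the configured file and prefix each finding with its path; a missing file is reported as such."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    return [f"{path}: {f}" for f in audit_mode(stat.S_IMODE(st.st_mode), st.st_size)]

if __name__ == "__main__":
    for finding in check_vault_file(vault_password_file(SAMPLE_CFG)):
        print(finding)
```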

Gnome extensions

Theme
Cursors
Icons
Fluent Grey Dark / Fluent Round Dark
I came across Zeal some time ago, and for some reason never really got to using it. Mainly because I’m always online and always have access to reference sources. Also, I find myself with a lesser need for documentation as the product base I deal with shrinks.
Then I find I get asked to get stuck in at the coal face and bring out my old Laravel, PHP and JavaScript skills, to bring more hands to a development project. Out comes VSCode and a bag of helpful plugins, and I rediscover Zeal.
Install Zeal onto my desktop. Add a few document sets that I need – Laravel, PHP and JavaScript. Then use the Dash VSCode plugin (it supports Dash on macOS, Zeal on Linux and Velocity on Windows).
Then a simple CTRL+H in VSCode links me to the Zeal documentation search.
I guess this could fall under the banner of a privateer project. I'm trying to banish adverts from streaming devices and wanted to see if Adguard or Pihole could help. Both of them operate the same way. They act as a DNS server and when a client makes a request for an address, they check a blocklist and reply with an invalid address, 0.0.0.0, if they find the domain listed.
I wanted a system that would sit on a small brick PC I already have, running alongside other network services.
Initially, I installed Pihole. Pretty straightforward to do. I used the ready-built docker-compose.yml file and started it up. As a DNS server I can't fault it, and the GUI is nice and informative, but the inability to change the web GUI to any port other than the default 80 is just a no-go for me. I already run a web service (or two) on that port.
Whilst installing Adguard I found that was not a problem. After the docker container set is started, during the installation process, you get to change ports to make it run how you want it.
After being happy at how the DNS side of things worked, I then started it up with DHCP and now use it as my DHCP and DNS services. Everything on my network is now protected by Adguard.
Once you get either system running, you need to find what block lists suit your usage. You can't get much easier than OISD. Choose the blocker you use and follow the instructions to add the URL to your blocklists.
If you’re reading this blog, and it’s awash with adverts – headers, footers and sidebars, be sure that I don’t see them. My usage is perfectly clear of them.
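The blocklist lookup described above, reduced to its matching logic, as an added example that is not code from Pi-hole, AdGuard or the post. It loads a constructed list mixing the two syntaxes such lists commonly use (hosts-format lines, which match a hostname exactly, and adblock ||domain^ lines, which match the domain and every subdomain) and answers a query with 0.0.0.0 for a listed name or None when the query should be forwarded upstream.

```python
SINKHOLE = "0.0.0.0"  # the invalid address returned for blocked names

# Constructed sample: hosts-format lines (exact hostname) and adblock-format
# ||domain^ lines (the domain and all of its subdomains).
SAMPLE_LIST = """\
# hosts-format section
0.0.0.0 ads.example.net
0.0.0.0 pixel.example.net beacon.example.net
! adblock-format section
||tracker.example.org^
"""

class Blocklist:
    def __init__(self):
        self.exact = set()    # hosts-format entries match the hostname only
        self.domains = set()  # ||domain^ entries match the domain and all subdomains

    def load(self, text):
        for line in text.splitlines():
            line = line.strip()
            if not line or line[0] in "#!":  # comments in either syntax
                continue
            if line.startswith("||") and line.endswith("^"):
                self.domains.add(line[2:-1].lower())
                continue
            fields = line.split()
            if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
                self.exact.update(h.lower() for h in fields[1:])
        return self

    def is_blocked(self, name):
        name = name.rstrip(".").lower()  # DNS names are case-insensitive; drop a trailing dot
        if name in self.exact:
            return True
        labels = name.split(".")
        # walk up the tree: a.b.c -> a.b.c, b.c, c
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))

    def resolve(self, name):
        """Answer a query: the sinkhole address for blocked names; None means forward upstream."""
        return SINKHOLE if self.is_blocked(name) else None
```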
Over time I’ve encountered some great pieces of Free and Open Source Software. I just wanted to list a few noteworthy products in a single place I can refer to – in no particular order.
NHAS/WAG – Adds 2FA/MFA to WireGuard VPNs
allinurl/goaccess – Real Time Nginx log analysis
All our remote users are using LDAP cached credentials using SSSD. This works really well for users that transition from online to offline, with one failing: when they attempt to use sudo to elevate permissions to carry out a privileged operation.
For the longest time I could not get this working.
I searched LDAP and compared results with the offline cache.
$ ldapsearch -x -ZZ -H "ldap://ldap:389" -D "cn=admin,dc=domain,dc=tld" -w SuperSecretKey -b "ou=SUDOers,dc=domain,dc=tld" '(&(objectClass=sudoRole)(cn=defaults))'
$ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(cn=defaults))'
It all seemed to match. What I didn't spot was that many of the results came back as base64 encoded. I didn't see this as an issue, as it all worked with sudo-ldap. If I decoded the strings, they looked fine.
sudoOption:: aW5zdWx0cwAA
Which decoded is:
sudoOption: insults
The bit I was missing is that whilst it decoded to a string, what I could not see on the end were NULL characters! These did not affect sudo-ldap, but appear to cause mayhem with sss.
To fix this, I exported the LDAP SUDOers branch to an LDIF file. I used a bit of magic from ldapsearch and base64 decoding to get the correct decoding, and then replaced all the base64 encoded strings with plain text strings in the LDIF file. I imported the LDIF back into my LDAP to overwrite all the settings, and now I see clean plain text entries returned by my ldapsearch. A little while later I changed my nsswitch.conf entries from ldap to sss, followed by a reboot and a cache update. Now I can use sudo and it works.
I have no clue how null characters got into our LDAP. But it has gone through a number of iterations in its lifetime.
Searching for IP addresses in a file or files:
grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' file
I recently had to do an ldapsearch/ldbsearch that returned some base64 encoded results.
$ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(name=defaults))'
asq: Unable to register control with rootdse!
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
dataExpireTimestamp: 1668693811
entryUSN: 20220825105355Z
name: defaults
objectCategory: sudoRole
objectCategory: top
objectClass: sudoRule
originalDN: cn=defaults,ou=SUDOers,dc=domain
sudoOption:: aW5zdWx0cwAA
sudoOption:: c3lzbG9nPXVzZXIAAA==
sudoOption: mailto=sysadmin@domain.tld
sudoOption:: aWdub3JlX2xvY2FsX3N1ZG9lcnMAAA==
sudoOption:: bWFpbHN1Yj1zdWRvIGFjY2VzcyByZXBvcnQgZnJvbSAlaAA=
sudoOption: pwfeedback
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
sudoOption: env_reset
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
I can go decode them using base64 -d line by line, but I found this magic spell that did it for me. I have no real clue how it works; it's written in Perl and that is a dark art to me.
$ sudo ldbsearch -H /var/lib/sss/db/cache_LDAP.ldb '(&(objectClass=sudoRule)(name=defaults))' | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
asq: Unable to register control with rootdse!
# record 1
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
dataExpireTimestamp: 1668693811
entryUSN: 20220825105355Z
name: defaults
objectCategory: sudoRole
objectCategory: top
objectClass: sudoRule
originalDN: cn=defaults,ou=SUDOers,dc=domain
sudoOption:: insults
sudoOption:: syslog=user
sudoOption: mailto=sysadmin@domain.tld
sudoOption:: ignore_local_sudoers
sudoOption:: mailsub=sudo access report from %h
sudoOption: pwfeedback
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
sudoOption: env_reset
distinguishedName: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
# returned 1 records
# 1 entries
# 0 referrals
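The decoding step from this post and the NUL-character clean-up from the SSSD sudo post above, as one added example that is not the Perl one-liner and not the author's code. It unfolds LDIF continuation lines, decodes the `::` base64 values, reports any trailing NUL bytes hidden in them (the ones that were invisible once decoded to a string) and re-emits each value as plain text where RFC 2849 permits, otherwise base64 again. The record is a constructed sample built from the ldbsearch output shown above, with some attributes omitted.

```python
import base64
import re

# Constructed sample modelled on the ldbsearch output in the post (some attributes omitted).
SAMPLE_LDIF = """\
dn: name=defaults,cn=sudorules,cn=custom,cn=LDAP,cn=sysdb
cn: defaults
sudoOption:: aW5zdWx0cwAA
sudoOption:: c3lzbG9nPXVzZXIAAA==
sudoOption: mailto=sysadmin@domain.tld
sudoOption:: bWFpbHN1Yj1zdWRvIGFjY2VzcyByZXBvcnQgZnJvbSAlaAA=
sudoOption: passprompt=[sudo-ldap] Password for %u on %H:
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")  # name, ':' plain or '::' base64, value

def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    return re.sub(r"\n +", "", text)

def parse(text):
    """Yield (attribute, value bytes) per attribute line, decoding '::' base64 values."""
    for line in unfold(text).splitlines():
        m = ATTR_LINE.match(line)
        if not m:  # skip blanks and '# ...' comment lines
            continue
        attr, sep, raw = m.groups()
        yield attr, base64.b64decode(raw) if sep == "::" else raw.encode()

def is_safe_string(value):
    """Plain-text eligible: printable ASCII (stricter than RFC 2849), no leading ' ', ':' or '<', no trailing ' '."""
    if not value:
        return True
    if value[0] in b" :<" or value[-1] == 0x20:
        return False
    return all(0x20 <= b < 0x7F for b in value)

def clean(text):
    """Return (cleaned LDIF, findings); findings are (attribute, decoded value, trailing NUL count)."""
    out, findings = [], []
    for attr, value in parse(text):
        stripped = value.rstrip(b"\x00")
        if stripped != value:
            findings.append((attr, stripped.decode("ascii", "replace"), len(value) - len(stripped)))
        if is_safe_string(stripped):
            out.append(f"{attr}: {stripped.decode('ascii')}")
        else:
            out.append(f"{attr}:: {base64.b64encode(stripped).decode('ascii')}")
    return "\n".join(out) + "\n", findings
```

Feeding the real export through clean() before re-importing it is the same fix the SSSD post describes, with the NUL bytes listed rather than silently dropped.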
The Grafana dashboards are a really nice interactive display of metrics. What we want to do is take those graphs from a dashboard and share them on a static monthly report.
I found some advice on how to grab shared output using date epochs. This enables me to dynamically specify a URL to grab a view from. But this still requires access to the web service. As our monitoring is only available internally, and we don't want to expose it to the customers, we need to find a way of taking snapshots of the graphs and presenting them independently of the Grafana server.

I regularly end up writing a bootable USB to start a different version of Linux or different distro. Then I came across Ventoy.
Once a USB stick is installed with Ventoy, any ISO that you copy onto the stick appears in the Ventoy boot menu. Select the ISO and it boots! No need for any boot maker tools like dd or Etcher. Just copy on an ISO – that's it.
So far tested with Manjaro, Debian and even Windows 10 – all on the same USB stick!