Configuring OwnTracks to work with Let's Encrypt

21 March 2016

These are some notes on getting OwnTracks to talk to a Mosquitto broker over TLS using a Let's Encrypt certificate.

Install mosquitto (the MQTT broker) and create a username and password. The -c flag creates the password file and overwrites it if it exists, so drop it when adding further users.

apt install mosquitto mosquitto-clients
mosquitto_passwd -c /etc/mosquitto/passwd <username>

Using the letsencrypt client, generate the certificate only (no web server configuration) with the standalone authenticator. Standalone answers the challenge itself on port 80 (or 443), so nothing else may be listening there while it runs.

./letsencrypt-auto certonly --standalone -d <domain>

Go to /etc/letsencrypt/live/<domain>/ and copy the files into mosquitto's own directory. The live directory is readable by root only, and mosquitto drops to its own user, so the copies must be readable by that user; keep the key file's mode restricted. The keyfile must contain only the private key (appending the chain to it on every renewal would just grow it with stale material):

cp chain.pem /etc/mosquitto/certs/
cp cert.pem /etc/mosquitto/certs/
cp privkey.pem /etc/mosquitto/certs/keyfile.pem

In mosquitto.conf add the following lines. cafile is required alongside certfile and keyfile for mosquitto to enable TLS at all, and as top-level settings they apply to the default listener, so plain MQTT on that port stops working:

cafile /etc/mosquitto/certs/chain.pem
certfile /etc/mosquitto/certs/cert.pem
keyfile /etc/mosquitto/certs/keyfile.pem
password_file /etc/mosquitto/passwd

A password_file on its own enforces nothing on mosquitto 1.x, because anonymous clients are allowed by default: set allow_anonymous false as well, or anyone who can reach the port can publish and subscribe without credentials. You might also want more logging, or to listen on a different port (the Debian default is 1883; the conventional port for MQTT over TLS is 8883); see man mosquitto.conf.

Check it works by subscribing to the events. Because the TLS settings above apply to the listener, the clients have to speak TLS and verify the broker against the system CA bundle (Let's Encrypt chains to a root in it), connect by the hostname on the certificate rather than localhost, and once allow_anonymous is off they need the credentials too:

mosquitto_sub -h <domain> -p 1883 --capath /etc/ssl/certs -v -t 'owntracks/#' -u <username> -P <securepassword>

And manually sending an event with:

mosquitto_pub -h xconf.net -p 1883 --capath /etc/ssl/certs -t 'owntracks/test' -m 'hello' -u <username> -P <securepassword>

You can add the broker to the Android application using the built-in CA certificates: the Let's Encrypt chain leads to a root that is already in Android's trust store, so no custom CA has to be installed on the phone.
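The copy-into-/etc/mosquitto step above has to be repeated every 90 days when the certificate renews, and the password file only bites once anonymous access is off. The following deploy-hook script is an added example, not from the original post. It assumes a Debian-style layout (mosquitto running as the mosquitto user, certificates under /etc/mosquitto/certs, the password file at /etc/mosquitto/passwd) and moves the single TLS listener to port 8883; every path is a parameter so the function can be exercised offline against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): renewal deploy hook for mosquitto.
# Copies the Let's Encrypt files into mosquitto's own directory with sane
# ownership and modes, refuses anything but a bare private key as keyfile,
# writes the TLS + authentication config once, and reloads the broker.
#
#   install_mosquitto_certs LIVE_DIR CERT_DIR CONF_FILE OWNER
#   e.g. install_mosquitto_certs /etc/letsencrypt/live/xconf.net \
#            /etc/mosquitto/certs /etc/mosquitto/conf.d/tls.conf mosquitto
set -eu

install_mosquitto_certs() {
    live="$1" certs="$2" conf="$3" owner="$4"

    for f in chain.pem cert.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    # keyfile must be the private key and nothing else.
    if ! grep -q 'PRIVATE KEY' "$live/privkey.pem" || grep -q 'CERTIFICATE' "$live/privkey.pem"; then
        echo "$live/privkey.pem is not a bare private key" >&2
        return 1
    fi

    # The live/ tree is root-only and mosquitto drops privileges, so copy
    # rather than symlink; the key is readable by its owner only.
    install -d -m 750 "$certs"
    install -m 640 "$live/chain.pem"   "$certs/chain.pem"
    install -m 640 "$live/cert.pem"    "$certs/cert.pem"
    install -m 600 "$live/privkey.pem" "$certs/keyfile.pem"
    chown "$owner" "$certs" "$certs"/*.pem

    # Write the listener config once; the marker line keeps this idempotent.
    # These are top-level settings, so this is the only listener: no plaintext fallback.
    if ! grep -qs '^# mosquitto-letsencrypt' "$conf"; then
        cat >> "$conf" <<EOF
# mosquitto-letsencrypt
port 8883
cafile $certs/chain.pem
certfile $certs/cert.pem
keyfile $certs/keyfile.pem
# mosquitto 1.x admits anonymous clients unless told otherwise, so a
# password_file on its own enforces nothing.
allow_anonymous false
password_file /etc/mosquitto/passwd
EOF
    fi

    # Reload so the broker picks up the new key material. MOSQ_RELOAD exists
    # so tests (or a restart-based setup) can substitute another command.
    sh -c "${MOSQ_RELOAD:-systemctl reload mosquitto}"
}

# Run directly with four arguments; sourcing the file just defines the function.
if [ $# -eq 4 ]; then
    install_mosquitto_certs "$@"
fi
```

Run it after each renewal, from cron or from the client's renew hook. On mosquitto versions where a reload does not re-read the key files, set MOSQ_RELOAD to a restart command instead; and if you keep the page's default-port setup, drop the port line from the written config.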


LXC Containers and rTorrent

21 March 2016

Install LXC stuff on the host machine.

apt install lxc 

Configure a network bridge in /etc/network/interfaces. It is not NATed, so each container gets its own address from the LAN's DHCP server and appears on the network as a separate host:

auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0

Append the network config to the defaults /etc/lxc/default.conf:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0

If you want to store the containers in a non-default location, set the path in /etc/lxc/lxc.conf:

lxc.lxcpath = /data1/LXC/

Create the container:

lxc-create -t download -n torrent

Allow the container to use the tun device (character device 10:200) for the VPN and bind-mount the host's download directory. Append this to /data1/LXC/torrent/config (or the default location); the target Torrents is relative to the container's rootfs and has to exist there:

lxc.mount.entry = /data1/Torrents Torrents none rw,bind 0 0
lxc.cgroup.devices.allow = c 10:200 rwm

Start the container and attach to the console:

lxc-start -n torrent
lxc-attach -n torrent

From inside the container install some things we need:

apt install openvpn rtorrent screen openssh-server vim ufw 

Create the tun mapping:

mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

Set up SSH access: a new user with sudo, ufw and so on. Because of the bridge the container sits directly on the LAN, so the firewall should admit SSH and nothing else from the network at large.

In .rtorrent.rc add:

scgi_port = 0.0.0.0:5000

This opens rTorrent's XML-RPC interface on every address the container has, which with the bridge means every host on the LAN can reach it. rTorrent's XML-RPC is not just status: its execute commands run arbitrary programs, so anyone who can talk to port 5000 unauthenticated has a shell inside the container. If nginx runs in the container, bind the SCGI socket to a unix socket instead; if nginx is elsewhere, firewall port 5000 so that only the nginx host can reach it.

Then in nginx, either in the container or on another host, add an SCGI proxy for clients like Transdroid. Put auth_basic (and an allow/deny list) on this location, since nginx is what exposes /RPC2 to the network:

    location /RPC2 {
            scgi_pass   192.168.0.12:5000;
            include     scgi_params;
            scgi_param  SCRIPT_NAME  /RPC2;
    }

Now you have a container which downloads through the VPN and exposes rTorrent's XML-RPC to the network via nginx. Without authentication on /RPC2 that is remote code execution for everyone on the LAN, so do not skip the auth_basic step.


Weechat Relay

14 March 2016

Using weechat as a relay turns it into a server that clients, such as an Android app or a web interface, connect to in order to control it.

The password set below is stored in plain text in relay.conf; don't assume that is safe. You should really use /secure and reference the secured value from the option instead.

SSH Relay

Add the public key to ~/.ssh/authorized_keys on the server with the options below. That key can then only open a forward to localhost:9000 (the relay), gets no agent or X11 forwarding, and any shell request just runs the echo command:

no-agent-forwarding,no-X11-forwarding,permitopen="localhost:9000",command="echo 'This account can only be used for weechat relays'" ssh-rsa ...KEY DATA HERE...

Copy the private key to the phone and point the client at it; it connects through SSH and reaches the relay on localhost:9000. The relay itself is an unencrypted listener, so make sure it is bound to the loopback only (relay.network.bind_address), otherwise port 9000 is reachable from the network without going through SSH at all.

/relay add weechat 9000
/set relay.network.password *************

SSL Relay

Generate the needed files. If you don't want a self-signed cert you can use Let's Encrypt (see the guide). Note that -nodes leaves the private key unencrypted inside relay.pem, so keep that file readable by your user only.

mkdir -p ~/.weechat/ssl
cd ~/.weechat/ssl
openssl req -nodes -newkey rsa:2048 -keyout relay.pem -x509 -days 365 -out relay.pem

And in weechat run:

/relay add ssl.weechat 8080
/relay sslcertkey
/set relay.network.password *************

Weechat and Tor

13 March 2016

Install tor and weechat

sudo apt-get install tor weechat

Uncomment SocksPort 9050 in /etc/tor/torrc so Tor exposes a SOCKS proxy into the Tor network on localhost.

In weechat add the proxy, then add a server, making sure it uses SSL (otherwise the exit node can read and alter the traffic) and that the network allows Tor connections at all; many IRC networks block exits, and some offer an onion service instead.

/proxy add tor socks5 127.0.0.1 9050
/server add <server> <address>/<port> -ssl
/set irc.server.<server>.proxy "tor"

Now you're thinking with Tor.


No Space Left on Device

01 March 2016

A few tips if you are stuck without any space on the device and don't want to resize partitions.

These two will clean up some things, but need at least some space to work, so they might not succeed:

apt-get autoclean 
apt-get autoremove

If they don't, a plain clean, which deletes every downloaded .deb in the cache, should do the trick:

apt-get clean 

If you're still stuck, remove old kernels, which pile up with every update. Check which one you are running first and never purge that one, nor the newest installed one if you have updated without rebooting yet:

uname -r
dpkg --get-selections | grep linux-image
apt-get purge <whatever is not your current one>
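Picking "whatever is not your current one" by eye is how the running kernel gets purged. The function below is an added example, not from the original post: it reads the dpkg selection list on stdin and prints only the versioned linux-image packages that are neither the running kernel nor the newest installed one, leaving meta-packages such as linux-image-amd64 alone. It assumes the Debian/Ubuntu package naming (linux-image-<version>, plus Ubuntu's linux-image-extra-<version>) and uses plain POSIX awk, so it runs on a box with no free space.

```shell
#!/bin/sh
# Added example (not from the original post): list kernel packages that are
# safe to purge. Argument 1 is the running kernel release (uname -r); stdin
# is `dpkg --get-selections`. The running kernel and the newest installed
# kernel (what boots next after an upgrade without reboot) are always kept.
#
#   dpkg --get-selections | old_kernel_packages "$(uname -r)"
old_kernel_packages() {
    awk -v cur="$1" '
        # Compare dotted/dashed versions numerically, field by field.
        function vercmp(a, b,   x, y, na, nb, i, p, q) {
            na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
            for (i = 1; i <= na || i <= nb; i++) {
                p = (i <= na) ? x[i] + 0 : 0
                q = (i <= nb) ? y[i] + 0 : 0
                if (p != q) return (p < q) ? -1 : 1
            }
            return 0
        }
        # Only installed, versioned images (Ubuntu also ships linux-image-extra-*).
        $2 == "install" && $1 ~ /^linux-image-(extra-)?[0-9]/ {
            v = $1; sub(/^linux-image-(extra-)?/, "", v)
            pkg[++n] = $1; ver[n] = v
            if (newest == "" || vercmp(v, newest) > 0) newest = v
        }
        END {
            for (i = 1; i <= n; i++)
                if (ver[i] != cur && ver[i] != newest) print pkg[i]
        }'
}

# Purge what the function prints. apt-get still asks for confirmation, so
# read the list before answering.
purge_old_kernels() {
    dpkg --get-selections | old_kernel_packages "$(uname -r)" | xargs -r apt-get purge
}
```

Packages marked deinstall (removed but with config files left behind) are skipped; they hold no kernel image and apt-get purge would not free space by removing them anyway.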

Hopefully that will have fixed something. You might also want to locate some large files with find (filtering on -size), which needs no free space to run.

A very useful tool to locate large files is ncdu (NCurses Disk Usage), a curses-based version of the well-known du, which provides a fast way to see what directories are using your disk space.

To scan and browse the directory you're currently in, all you need is a simple:

ncdu

If you want to scan a full filesystem, your root filesystem, for example, then you'll want to use "-x":

ncdu -x /

Leaving KeePassX for pass

15 January 2016

I've been using KeePassX for over a year now and have found it to be a most helpful tool. I've used it every day since I moved to it. Highly recommend it. All things get boring and small problems become annoying problems. When using KeePass on more than one device with a file syncing service, KeePass kept complaining about locks which were lies; normally I can ignore it, but at times it can get confusing, and then I end up with missing passwords. KeePass is not a small program and simply messes with my workspace-foo. Enter pass!!

Some of pass's key features for me are:

  • Unix philosophy (Do One Thing and Do It Well).
  • Uses GnuPG to encrypt passwords and meta data.
  • Git support. (Works well with dropbox/seafile, et.al too)
  • dmenu support.
  • Android support

It drops nicely into my workflow, up to my neck in terminal windows and avoiding GUI/X applications. I can get a password into my clipboard (and have the clipboard cleared and restored after 45s) with as little as three key presses, without the need to load up any GUI or use my mouse. That's not to say pass does not support a GUI (QtPass). If I so wanted I could have it working within Firefox.

dmenu pass

The above image is pass working with dmenu. I can enter a search term, hit return and the password will be in my clipboard.

But what if you have amassed a large collection of passwords with another system, fear not! For pass has importers for LastPass, KeePass2/X and more.

I wish KeePass all the best and hope that pass will continue to improve and develop. Goodbye KeePass, all hail pass. The standard unix password manager!


GPS and Raspberry Pi

12 January 2016

I ordered a 56 channel GPS receiver (GP-20U7) from hobbytronics. The GPS is made by SparkFun; it's tiny, as you can see below. So far it is working well and was easy to get going.

gps module

Cable things up

I guessed the pinout from the datasheet. Nothing exploded.

RPI -- GPS
GND -> GND
RX  -> TX
3V  -> VCC

Unbind serial

The Pi comes with the serial pins bound to a TTY console, which lets you plug in a USB-TTL cable and control the Pi with screen. To use the serial port with a device that talks over it, you need to unbind the console first.

  • Remove console=ttyAMA0,115200 from /boot/cmdline.txt
  • Remove T0:23:respawn:/sbin/getty -L ttyAMA0 115200 vt100 from /etc/inittab
  • Reboot.

Test and go

Check it's working with screen; you'll see the raw NMEA-0183 sentences:

sudo screen /dev/ttyAMA0 9600
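Seeing lines scroll past does not yet prove the link is clean: every NMEA-0183 sentence carries a checksum (the XOR of all bytes between the leading $ and the *, written as two hex digits), and a wrong baud rate or a flaky TX wire shows up as sentences whose checksum does not match. The function below is an added example, not from the original post; it verifies the checksums of captured sentences with plain POSIX awk, so it runs on the Pi without extra packages, and the sample sentences in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify NMEA-0183 checksums on
# sentences captured from the serial port. Prints one line per input line:
#   OK <talker+type> <computed> <sent>, BAD ... for a mismatch, or MALFORMED.
#
#   (stty -F /dev/ttyAMA0 9600 raw; head -20 /dev/ttyAMA0) | nmea_check
nmea_check() {
    awk '
        # Character -> byte value; NMEA payloads are printable ASCII.
        BEGIN { for (i = 32; i < 127; i++) ord[sprintf("%c", i)] = i }
        # POSIX awk has no bitwise operators; XOR one bit at a time.
        function bxor(a, b,   r, bit) {
            r = 0; bit = 1
            while (a > 0 || b > 0) {
                if ((a % 2) != (b % 2)) r += bit
                a = int(a / 2); b = int(b / 2); bit *= 2
            }
            return r
        }
        { sub(/\r$/, "") }                       # serial lines end in CRLF
        /^\$[^*]*\*[0-9A-Fa-f][0-9A-Fa-f]/ {
            star = index($0, "*")
            body = substr($0, 2, star - 2)       # everything between $ and *
            want = toupper(substr($0, star + 1, 2))
            cs = 0
            for (i = 1; i <= length(body); i++) cs = bxor(cs, ord[substr(body, i, 1)])
            got = sprintf("%02X", cs)
            split(body, field, ",")
            status = (got == want) ? "OK" : "BAD"
            print status, field[1], got, want
            next
        }
        { print "MALFORMED " $0 }
    '
}
```

A steady stream of OK lines means the wiring and baud rate are right; if gpsd then still shows nothing, the problem is in gpsd's configuration rather than the hardware.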

Install and start gpsd:

sudo apt-get install gpsd gpsd-clients 
sudo gpsd /dev/ttyAMA0 -F /var/run/gpsd.sock

Use either cgps -s for CLI, or xgps for a GUI.

XGPS cgps

It took a good 15 minutes after the first boot to get a fix; this is normal for a cold start, as the receiver has to download the almanac. After that it kept a solid lock indoors next to a window.


Laptop Gets its first set of stickers

09 January 2016

After a friend came back from CCC, he gave me a few stickers. Also my wife got me a wonderful giant 'root' sticker for my birthday last year.

There is more than enough space for stickers, which I hope to amass from FOSDEM later in the month.

ThinkPad T450s with stickers



Sublime Text Customisation

08 January 2016

Here is a list of plugins I like to use with Sublime Text. You can install Package Control from: https://packagecontrol.io/installation

I do a lot of markdown editing and pandoc converting, e.g. Markdown to PDF, which goes via LaTeX so it looks pretty good.

Plugins

  • Pandoc: Converts markdown into, HTML5, PDF, and Word Documents.
  • Word Count: Displays a word count in the status bar, I like to enable the enable_readtime setting to give me an indication of how long my text will take to read.
  • LaTeX Tools: When I'm working with LaTeX, LaTeXTools provides good enough features for me without getting in my way.
  • SublimeLinter: A framework for linting code. I combine it with the write-good library to lint my English.

Style

Normally I modify the Monokai theme to include some Markdown highlighting found here.

Recently found a theme called 'Markdown Light' which has some really good styles, aside from changing the background colour.


Vagrant with KVM for development

07 January 2016

Vagrant allows for quick deployment of virtual machines for development use. It lets you provision software, forward ports, and share development environments between people and computers.

First install vagrant and the libvirt provider, which drives KVM (the -dev packages are needed because the plugin compiles native extensions).

sudo apt-get install vagrant
sudo apt-get install libxslt-dev libxml2-dev libvirt-dev zlib1g-dev
vagrant plugin install vagrant-libvirt

Then create a vagrant configuration file (Vagrantfile), which specifies the image to use. Vagrant calls images boxes, and they are found over at hashicorp. Make sure that you choose a box built for libvirt, not one for the default VirtualBox provider.

Vagrant.configure(2) do |config|
  config.vm.box = "naelyn/ubuntu-trusty64-libvirt"

  config.vm.network "forwarded_port", guest: 8001, host: 8001
  config.vm.network "forwarded_port", guest: 8000, host: 8000

  config.vm.provision "shell", path: "install.sh"
end

This config will spin up an Ubuntu based image with two ports forwarded and execute the install script when the VM is first created. Forwarded ports bind to all of the host's interfaces by default, so the development server is reachable from the network; add host_ip: "127.0.0.1" to each forwarded_port line if it should only be reachable from the host itself. To re-run the provisioning script (install.sh) simply call vagrant provision.

The install file is project specific, and in this case it updates the package manager and installs node and PostgreSQL. It then changes to the shared folder and installs all the dependencies for the node project. Contents of install.sh:

sudo apt-get update
sudo apt-get install -y nodejs npm postgresql
# -f so that re-running vagrant provision does not fail on the existing link
sudo ln -sf $(which nodejs) /usr/bin/node
cd /vagrant
npm install

/vagrant inside the VM is a copy of the directory containing the Vagrantfile, which is normally the project's git repository. Since the sync here is rsync (one way, host to VM), run vagrant rsync-auto to push your edits into the VM as you work.

And that's it Vagrant in a nutshell. All that's left to do is start the VM:

vagrant up

It will update and install the software as specified in the install script.

vagrant ssh

PS. If you have not got KVM working yet:

apt-get install qemu-kvm libvirt-bin bridge-utils # Install KVM stuff
usermod -a -G libvirtd <user> # Add existing user to the libvirtd group; log out and in again for it to apply