Encrypted Alpine Linux

28 January 2017

Setting up a basic LUKS-encrypted Alpine install.

Create two partitions

One for Boot and one for the rest. Make the boot partition bootable.

/dev/sda1 - Boot
/dev/sda2 - LUKS

Setup LUKS

Create the encrypted block.

cryptsetup -y -v luksFormat /dev/sda2
cryptsetup open /dev/sda2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

Confirm it's working as expected by closing and reopening the device.

umount /mnt
cryptsetup close cryptroot
cryptsetup open /dev/sda2 cryptroot
mount /dev/mapper/cryptroot /mnt

Setup Boot

Format the boot partition. This one stays unencrypted, so the mount point goes under /mnt.

mkfs.ext4 /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

Install the base system onto the mounted, unlocked encrypted partition. Make sure the boot partition is mounted too, because setup-disk also installs the necessary files there.

setup-disk -m sys /mnt

Chroot into the new system

cd /mnt
mount --bind /dev dev
mount -t devpts devpts dev/pts
mount -t tmpfs tmpfs dev/shm
mount -t proc proc proc
mount -t sysfs sysfs sys
chroot /mnt /bin/ash 

Setup crypttab

Add information about the encrypted file system.

echo "cryptroot /dev/sda2 none luks" > /etc/crypttab 

We also need to make sure that root and boot are mounted automatically via /etc/fstab.

/dev/sda1 /boot ext4 defaults 0 2
/dev/mapper/cryptroot / ext4 errors=remount-ro 0 1

Setup initramfs

Make sure the kernel can start by loading the drivers needed to handle an encrypted root device.

  • /etc/mkinitfs/mkinitfs.conf - features should include cryptsetup
  • /etc/update-extlinux.conf - default_kernel_opts should include "cryptroot=/dev/sda2" and "cryptdm=cryptroot"

Rebuild initramfs with the new options.

apk fix linux-grsec

You can ignore the error from extlinux:

/boot is device /dev/sda1
extlinux: cannot open device /dev/sda1

Write the MBR

This writes the syslinux boot code into the MBR of the disk so the bootloader can load from /dev/sda1.

dd bs=440 count=1 conv=notrunc if=/usr/share/syslinux/mbr.bin of=/dev/sda
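
A small sanity check for the two config edits that the initramfs step depends on, to run before apk fix. This is an added example, not part of the original post; it assumes mkinitfs.conf carries a features="..." line and update-extlinux.conf a default_kernel_opts="..." line (verify the key names on your own system).

```shell
#!/bin/sh
# Added example (not from the original post): verify that cryptsetup is in the
# initramfs feature list and that the kernel options name the LUKS device and
# mapper name, before rebuilding the initramfs.
# Assumed file formats: features="..." and default_kernel_opts="..."

# has_feature FILE NAME -> 0 if NAME appears in the features="..." list of FILE
has_feature() {
    file=$1; name=$2
    feats=$(sed -n 's/^features="\(.*\)"$/\1/p' "$file")
    for f in $feats; do
        [ "$f" = "$name" ] && return 0
    done
    return 1
}

# has_kernel_opt FILE OPT -> 0 if OPT (e.g. cryptroot=/dev/sda2) appears in the
# default_kernel_opts="..." line of FILE
has_kernel_opt() {
    file=$1; opt=$2
    opts=$(sed -n 's/^default_kernel_opts="\(.*\)"$/\1/p' "$file")
    for o in $opts; do
        [ "$o" = "$opt" ] && return 0
    done
    return 1
}

# check_crypt_config MKINITFS_CONF EXTLINUX_CONF DEVICE NAME -> 0 when all three
# settings are present, 1 otherwise (each missing one is reported)
check_crypt_config() {
    rc=0
    has_feature "$1" cryptsetup || { echo "missing: cryptsetup in features ($1)"; rc=1; }
    has_kernel_opt "$2" "cryptroot=$3" || { echo "missing: cryptroot=$3 ($2)"; rc=1; }
    has_kernel_opt "$2" "cryptdm=$4" || { echo "missing: cryptdm=$4 ($2)"; rc=1; }
    return $rc
}
```

Inside the chroot, run check_crypt_config /etc/mkinitfs/mkinitfs.conf /etc/update-extlinux.conf /dev/sda2 cryptroot and only rebuild once it exits 0.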

pdflatex runs out of memory

08 January 2017

Happy New Year! - First post of the year.

pdflatex fails with an error complaining about memory, something like this:

9287453 words of memory out of 18000000

Use lualatex instead; apparently it is meant to handle memory better.

Then increase the allocated memory by editing /etc/texmf/texmf.d/00debian.cnf to include:


Then regenerate the formats; not sure which of these steps are needed:

fmtutil-sys --all

If it is still not working, check you have the luatex package installed:

apt-get install texlive-luatex

This was on Ubuntu 16.10.


Firefox configuration steps

17 December 2016

These are my notes for a new Firefox profile. I used to use Ghostery instead of Privacy Badger but decided on a lightweight option which does not push me towards having an account and will not sell my data.

I use a separate password manager (see here) and don't trust PDFs being opened within Firefox. (I like them contained in AppArmor.)


Extensions -> Disable Ubuntu Modifications

Plugins -> Asks to Activate 'Shockwave Flash'
Plugins -> Never Activate 'iTunes Application Detector'
Plugins -> Never Activate 'OpenH264 Video Codec provided by Cisco Systems'

Languages -> Disabled 'English (South Africa)'


Preferences -> General -> Check Default browser
Preferences -> General -> When Firefox starts 'Show a blank page'

Preferences -> Search -> Disable many One click search engines
Preferences -> Search -> Set default to 'https://search.matrix.ac'

Preferences -> Content -> Check 'Play DRM content'

Preferences -> Applications -> PDF 'Use external application'

Preferences -> Privacy -> Check 'Always apply Do Not Track'

Preferences -> Security -> Un-check 'Remember logins for sites'


In about:config set:

browser.backspace_action : 0

browser.fullscreen.autohide : false

browser.tabs.closeWindowWithLastTab : false

security.insecure_password.ui.enabled: true

Install some addons

  • NoScript Security Suite
    • Whitelist -> Removed default sites
    • Embeddings -> Un-Check 'Forbid @font-face'
    • Embeddings -> Un-Check 'Forbid Adobe Flash' (the plugin is set to ask to activate)
    • Embeddings -> Check 'Forbid WebGL'
    • Notifications -> Un-Check 'Show message about blocked scripts'
    • Notifications -> Un-Check 'Display the release notes on updates'
  • Privacy Badger
  • uBlock Origin
  • Self-Destructing Cookies
    • Preferences -> Un-Check 'Notifications'
  • HTTPS Everywhere
    • Don't submit sites to them

Whitelist IP addresses based on SSH origin

13 August 2016

Here is how you build a list of IP addresses, to be used with NGINX, from successful ssh logins.

$ cat /usr/bin/auth-list.sh

#!/bin/sh
# Run by pam_exec; PAM_RHOST is the remote host of the ssh session.
WHITELIST=/etc/nginx/conf/whitelist.conf

# Make sure that we don't add it more than once.
if ! grep -q "$PAM_RHOST" "$WHITELIST"; then
    echo "allow $PAM_RHOST;" >> "$WHITELIST"
fi

$ cat /etc/pam.d/sshd

session optional pam_exec.so seteuid /usr/bin/auth-list.sh

Login via ssh and it will add your external IP address to the list.

$ cat /etc/nginx/conf/whitelist.conf


Reload NGINX for it to take effect.
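
A stricter variant of the pam_exec script, added here as an example and not the script from the original post. Whatever lands in PAM_RHOST is written straight into an nginx config file, so this version only accepts a bare IPv4 or IPv6 literal (sshd passes a hostname when UseDNS is on) and matches whole lines, so that 10.0.0.1 is not mistaken for an existing 10.0.0.10 entry. The whitelist path and the auth-list.sh file name are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not the original post's auth-list.sh: validate PAM_RHOST before
# appending it to the nginx allow list. Whitelist path assumed from the post.

# is_ip_literal STRING -> 0 if STRING is a plain IPv4 or IPv6 address literal
is_ip_literal() {
    case $1 in
        *[!0-9a-fA-F:.]*|"") return 1 ;;   # any other character: not a bare address
    esac
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]*:[0-9a-fA-F:.]*$'
}

# add_allow HOST FILE -> appends 'allow HOST;' to FILE exactly once;
# returns 0 if HOST is now listed, 1 if it was rejected
add_allow() {
    host=$1; list=$2
    is_ip_literal "$host" || { echo "refusing non-address rhost: $host" >&2; return 1; }
    touch "$list"
    # -x matches the whole line, -F takes the pattern literally
    grep -qxF "allow $host;" "$list" || printf 'allow %s;\n' "$host" >> "$list"
}

# Entry point for pam_exec: only act when a session is being opened.
main() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 0
    add_allow "${PAM_RHOST:-}" "${WHITELIST:-/etc/nginx/conf/whitelist.conf}"
}

# Run main only when executed as the script itself, not when sourced.
if [ "${0##*/}" = "auth-list.sh" ]; then main; fi
```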

Configuring OwnTracks to work with letsencrypt

21 March 2016

These are some notes on getting OwnTracks to work with LetsEncrypt.

Install mosquitto (an MQTT broker) and create a username/password combination.

apt install mosquitto mosquitto-clients
mosquitto_passwd -c /etc/mosquitto/passwd <username>

Using the letsencrypt client, obtain the certificates only (no web server configuration) in standalone mode.

./letsencrypt-auto certonly --standalone -d <domain>

Navigate to your domain's directory under /etc/letsencrypt/live/ and copy the files over to mosquitto.

cp chain.pem /etc/mosquitto/certs/
cp cert.pem /etc/mosquitto/certs/
cat {privkey,fullchain}.pem >> /etc/mosquitto/certs/keyfile.pem

In the mosquitto.conf add the following lines.

cafile /etc/mosquitto/certs/chain.pem
certfile /etc/mosquitto/certs/cert.pem
keyfile /etc/mosquitto/certs/keyfile.pem
password_file /etc/mosquitto/passwd

You might also want more logging, or to listen on an alternative port (the default on Debian was 1883); see man mosquitto.conf.

Check it works by subscribing to the events using:

mosquitto_sub -h localhost -p 1883 -v -t 'owntracks/#'

And manually sending an event with:

mosquitto_pub -h xconf.net -p 1883 -t 'owntracks/test' -m 'hello' -u <username> -P <securepassword>

You can configure the Android application to use the built-in CA certificates, since the certificate chains up to Let's Encrypt and verifies without importing anything.

LXC Containers and rTorrent

21 March 2016

Install LXC stuff on the host machine.

apt install lxc 

Configure a network bridge; this will not be NATed, so the container will appear on the network as a host device:

auto br0
iface br0 inet dhcp
        bridge_ports eth0
        bridge_fd 0
        bridge_maxwait 0

Append the network config to the defaults /etc/lxc/default.conf:

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0

If you want to store the containers in a non-default location, set the path in /etc/lxc/lxc.conf:

lxc.lxcpath = /data1/LXC/

Create the container:

lxc-create -t download -n torrent

Allow the tun device for the VPN and bind-mount some of the host's directories. Append this to /data1/LXC/torrent/config (or the config under the default location).

lxc.mount.entry = /data1/Torrents Torrents none rw,bind 0 0
lxc.cgroup.devices.allow = c 10:200 rwm

Start the container and attach to the console:

lxc-start -n torrent
lxc-attach -n torrent

From inside the container install some things we need:

apt install openvpn rtorrent screen openssh-server vim ufw 

Create the tun mapping:

mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 0666 /dev/net/tun

Set up ssh access, a new user with sudo, ufw, etc.

In .rtorrent.rc add:

scgi_port =

And in nginx, either in the container or on localhost, add an SCGI proxy for things like Transdroid. The scgi_pass target below is a placeholder; point it at the address and port you set for scgi_port.

    location /RPC2 {
            include     scgi_params;
            scgi_param  SCRIPT_NAME  /RPC2;
            scgi_pass   <container-ip>:<scgi-port>;   # placeholder, match rtorrent's scgi_port
    }

Now you have a container which downloads over a VPN and exposes rtorrent's XML-RPC interface to the network.

Weechat Relay

14 March 2016

Using weechat as a relay turns it into a server that clients connect to in order to control weechat, for example from an Android app or a web interface.

Don't assume these passwords are safe in the config; you should really use /secure.

SSH Relay

Add the public key to ~/.ssh/authorized_keys on the server. The options in front of it restrict this key to opening connections to localhost on port 9000, with no agent or X11 forwarding and no shell.

no-agent-forwarding,no-X11-forwarding,permitopen="localhost:9000",command="echo 'This account can only be used for weechat relays'" ssh-rsa ...KEY DATA HERE...

Copy the private key over to the phone and enter the key location in the client, then in weechat run:

/relay add weechat 9000
/set relay.network.password *************

SSL Relay

Generate the needed files. If you want a certificate that is not self-signed you can use letsencrypt (see guide).

mkdir -p ~/.weechat/ssl
cd ~/.weechat/ssl
openssl req -nodes -newkey rsa:2048 -keyout relay.pem -x509 -days 365 -out relay.pem

And in weechat run:

/relay add ssl.weechat 8080
/relay sslcertkey
/set relay.network.password *************

Weechat and Tor

13 March 2016

Install tor and weechat

sudo apt-get install tor weechat

Uncomment SocksPort 9050 from /etc/tor/torrc to create a SOCKS proxy to the Tor network on the localhost.

In weechat add the proxy, then add a server, making sure it is over SSL and that the network allows Tor connections.

/proxy add tor socks5 127.0.0.1 9050
/server add <server> -ssl
/set irc.server.<server>.proxy "tor"

Now you're thinking with Tor.

No Space Left on Device

01 March 2016

A few tips if you are stuck without any space on the device and you don't want to resize partitions.

These two will clean up some things, but they need at least some free space to run, so they might not work:

apt-get autoclean 
apt-get autoremove

If they don't, a straight-up clean should do the trick.

apt-get clean 

If you're still stuck, then try to remove some old kernels which you might have downloaded:

uname -r
dpkg --get-selections | grep linux-image
apt-get purge <whatever is not your current one>

Hopefully that will have fixed something. You might also want to try to locate some large files using find, but again that might need some disk space to work with.

A very useful tool for locating large files is ncdu (NCurses Disk Usage). It is a curses-based version of the well-known 'du' and provides a fast way to see which directories are using your disk space.

To scan and browse the directory you're currently in, all you need is a simple:

ncdu

If you want to scan a full filesystem, your root filesystem for example, then you'll want to use "-x" so it stays on that one filesystem:

ncdu -x /

Leaving KeePassX for pass

15 January 2016

I've been using KeePassX for over a year now and have found it to be a most helpful tool. I've used it every day since I moved to it, and highly recommend it. But all things get boring and small problems become annoying problems. When using KeePass on more than one device with a file syncing service, KeePass kept complaining about locks which were lies; normally I can ignore it, but at times it gets confusing and I end up with missing passwords. KeePass is not a small program and simply messes with my workspace-foo. Enter pass!!

Some of pass's key features for me are:

  • Unix philosophy (Do One Thing and Do It Well).
  • Uses GnuPG to encrypt passwords and meta data.
  • Git support. (Works well with dropbox/seafile, et al. too)
  • dmenu support.
  • Android support

It drops nicely into my workflow, up to my neck in terminal windows avoiding GUI/X applications. I can get a password into my clipboard (and have the clipboard cleared and restored after 45s) with as little as three key presses, without the need to load up any GUI or use my mouse. That's not to say pass does not support a GUI (QtPass). If I so wanted I could have it working within Firefox.

dmenu pass

The above image is pass working with dmenu. I can enter a search term, hit return and the password will be in my clipboard.

But what if you have amassed a large collection of passwords with another system, fear not! For pass has importers for LastPass, KeePass2/X and more.

I wish KeePass all the best and hope that pass will continue to improve and develop. Goodbye KeePass, all hail pass. The standard unix password manager!