Elouworld

Code snippets

License

Unless otherwise stated, all code snippets on this page are published under the WTFPLv2 license as published below:

        DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
                    Version 2, December 2004

 Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>

 Everyone is permitted to copy and distribute verbatim or modified
 copies of this license document, and changing it is allowed as long
 as the name is changed.

            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. You just DO WHAT THE FUCK YOU WANT TO.

Note that I’d appreciate it if you gave attribution, should you wish to.

nginx

dehydrated setup

Includes systemd units for renewing certificates automatically.

useradd -m -s /bin/bash -b /var/lib/home dehydrated
mkdir /var/www/acme-challenge
chown dehydrated: /var/www/acme-challenge

cat <<EOF > /etc/nginx/ext.wk.conf
location /.well-known/acme-challenge {
	alias /var/www/acme-challenge;
}
EOF

# TODO update server blocks, especially the default_server
# include "ext.wk.conf";

nginx -t
systemctl reload nginx

sudo -iu dehydrated
git clone https://github.com/lukas2511/dehydrated.git
mkdir workdir
cd workdir

cat <<EOF > config-secp384r1
IP_VERSION=4
WELLKNOWN="/var/www/acme-challenge"
KEY_ALGO=secp384r1
CONTACT_EMAIL="email@website.example"
CERTDIR="\${BASEDIR}/certs-\${KEY_ALGO}"
OCSP_FETCH="yes"
EOF

cat <<EOF > domains.txt
website.example www.website.example
EOF

../dehydrated/dehydrated -f config-secp384r1 --register --accept-terms
../dehydrated/dehydrated -f config-secp384r1 -c # manual test
exit

cat <<EOF > /etc/systemd/system/dehydrated.service
[Unit]
Description=dehydrated
Requisite=nginx.service

[Service]
Type=oneshot
User=root
Group=root
ExecStart=/usr/bin/sudo -u dehydrated /var/lib/home/dehydrated/dehydrated/dehydrated -c -f /var/lib/home/dehydrated/workdir/config-secp384r1 ; /bin/systemctl reload nginx

[Install]
WantedBy=multi-user.target
EOF

cat <<EOF > /etc/systemd/system/dehydrated.timer
[Unit]
Description=dehydrated everyday at 3am

[Timer]
OnCalendar=*-*-* 03:00:00
Persistent=True
Unit=dehydrated.service

[Install]
WantedBy=timers.target
EOF

systemctl daemon-reload
systemctl start dehydrated # manual test
systemctl enable dehydrated.timer
systemctl start dehydrated.timer

cd /etc/nginx

cat <<EOF > ext.tls.conf
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 5m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20:!SHA:!AES128'; # WARN very restrictive
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
EOF

cat <<EOF > ext.hsts.conf
add_header Strict-Transport-Security max-age=15768000;
EOF

cat <<EOF > cert.website.example.conf
ssl_certificate /var/lib/home/dehydrated/workdir/certs-secp384r1/website.example/fullchain.pem;
ssl_certificate_key /var/lib/home/dehydrated/workdir/certs-secp384r1/website.example/privkey.pem;
ssl_stapling_file /var/lib/home/dehydrated/workdir/certs-secp384r1/website.example/ocsp.der;
EOF

# TODO update nginx to use certificates

# - in nginx.conf:
# include "ext.tls.conf";

# - in each appropriate server block:
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# include "ext.hsts.conf";
# include "cert.website.example.conf";
#   (no need for ext.wk.conf here)

nginx -t
systemctl reload nginx

Then go to https://tls.imirhil.fr/ and enjoy your A+ and all 100% scores!
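A local equivalent of that online scan, added here as an example and not part of the original page: a POSIX sh script that checks the deployed site for a stapled OCSP response, TLS 1.2 or 1.3, a forward-secret cipher suite, the HSTS max-age set in ext.hsts.conf, and at least 30 days of remaining certificate validity (so a broken timer is noticed before expiry). HOST and CERT are assumed placeholders; tls_report and hsts_ok read transcripts from stdin, so they also work on saved output.

```shell
#!/bin/sh
# Added example, not part of the original page: post-deployment checks for the
# nginx + dehydrated setup above. HOST and CERT are placeholders to adapt.
HOST="website.example"
CERT="/var/lib/home/dehydrated/workdir/certs-secp384r1/${HOST}/fullchain.pem"

# tls_report: read an `openssl s_client -status` transcript from stdin, print
# one PASS/FAIL line per property, and return non-zero if any check fails.
tls_report() {
    r=$(cat); rc=0
    if printf '%s\n' "$r" | grep -q 'OCSP Response Status: successful'; then
        echo "PASS stapled OCSP response present"
    else
        echo "FAIL no stapled OCSP response (check ssl_stapling and ocsp.der)"; rc=1
    fi
    if printf '%s\n' "$r" | grep -Eq '^ *Protocol *: *TLSv1\.[23]'; then
        echo "PASS TLS 1.2 or 1.3 negotiated"
    else
        echo "FAIL legacy protocol negotiated"; rc=1
    fi
    # TLS 1.3 suites are named TLS_* and are always forward secret
    if printf '%s\n' "$r" | grep -Eq '^ *Cipher *: *(ECDHE-|TLS_)'; then
        echo "PASS forward-secret cipher suite"
    else
        echo "FAIL cipher suite without forward secrecy"; rc=1
    fi
    return $rc
}

# hsts_ok: read HTTP response headers from stdin; succeed only if HSTS is
# present with max-age >= 15768000 (six months, the value in ext.hsts.conf).
hsts_ok() {
    age=$(grep -i '^strict-transport-security:' | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 15768000 ]
}

# Live run against the deployed host (needs openssl and curl): sh check.sh live
if [ "${1:-}" = "live" ]; then
    printf 'QUIT\n' | openssl s_client -connect "$HOST:443" -servername "$HOST" -status 2>&1 | tls_report
    if curl -sI "https://$HOST/" | hsts_ok; then echo "PASS HSTS max-age >= 6 months"; else echo "FAIL HSTS missing or too short"; fi
    # -checkend exits non-zero if the leaf certificate expires within 30 days
    if openssl x509 -in "$CERT" -noout -checkend 2592000; then echo "PASS certificate valid for 30+ days"; else echo "FAIL certificate expires within 30 days, check the timer"; fi
fi
```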

SSH

Heartbeat

In ~/.ssh/config:

ServerAliveInterval 60

Host shortcut and custom key

In ~/.ssh/config:

Host custom-host
	User real-user
	HostName real-host
	IdentityFile ~/.ssh/id_custom

If you omit HostName, the name given after Host must itself be a real, resolvable host.

Debian

Launch 32-bit x86 programs on 64-bit x86 system

A symptom is that running ldd on such a program reports "not a dynamic executable" even though that is not true.

dpkg --add-architecture i386
apt update
apt install -y libc6:i386 # libstdc++6:i386

These commands add 32-bit x86 support; after that, running ldd again works as expected.

FreeBSD

Working live shell with bootonly iso

Using this isn’t recommended; it is just kept here as a reminder of my experience.

Booted using Multiboot USB.

kbdcontrol -l fr # for azerty keyboard
mount -t tmpfs tmpfs /usr/local
mount -t tmpfs tmpfs /var/db/pkg
mkdir /var/cache/pkg
mount -t tmpfs tmpfs /var/cache/pkg
mount -t tmpfs tmpfs /tmp
cp -r /etc /tmp/etc
echo 'nameserver 1.1.1.1' > /tmp/etc/resolv.conf
mount -t nullfs /tmp/etc /etc
export PATH="/usr/local/bin:$PATH"
/etc/rc.d/netif start # outputs the interfaces
dhclient -b alc0 # pick the right interface, aka the one that is not lo
pkg # y
pkg install gmake gcc clang-devel bash git # takes 2 GB installed + 0.5 GB downloaded
# now you got compilers: gcc and clang-devel (clang is included in base image, but not in bootonly)
rm /var/cache/pkg/* # remove cached packages
# oops, a lot of files are missing in /usr/include and /usr/lib!!
cd /tmp
# let's download the base image to get missing files
curl -O http://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.1-RELEASE/base.txz # or a mirror, with the right version
tar xf base.txz ./usr/include
tar xf base.txz ./usr/lib
cp -a /usr/include/. usr/include/
cp -a /usr/lib/. usr/lib/ # ignore warnings
# can do the same for /usr/bin
rm base.txz # necessary to get some memory
mount -t nullfs usr/include /usr/include
mount -t nullfs usr/lib /usr/lib # dangerous, you could lose libc!

Special thanks to people from the #freebsd Freenode IRC channel, including SlashLife, kaktus, VoidChicken, Zirias and wlkO`Rety/mpasternacki!

Latest edition: