

onny:notizen

System setup

# fde1: http://www.brunoparmentier.be/blog/how-to-install-arch-linux-on-an-encrypted-btrfs-partition.html
# fde2: http://danynativel.com/blog/2013/02/10/archlinux-installation-guide-on-encrypted-ssd/
# https://bbs.archlinux.org/viewtopic.php?pid=1187153#p1187153
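# --- from the live ISO: partition, encrypt, format, install ---
# sda1 = boot partition, sda2 = LUKS container holding the btrfs root.
gdisk /dev/sda
# LUKS container with AES-XTS; the passphrase is asked twice (--verify-passphrase).
cryptsetup --cipher aes-xts-plain64 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
mkfs.btrfs /dev/mapper/root
wifi-menu
mount /dev/mapper/root /mnt
# /boot must be mounted *before* pacstrap and genfstab: otherwise the kernel
# and initramfs are written to the root filesystem and get hidden when sda1 is
# mounted over them, and the generated fstab has no /boot entry.
mkdir -p /mnt/boot
mount /dev/sda1 /mnt/boot
pacstrap /mnt base base-devel tmux mosh wipe rsync procps neovim lsof strace htop net-tools pkgfile dnsutils iotop aria2 tcpdump nload btrfs-progs ntp wget acpid alsa-utils cups curl eog evince ffmpeg firefox gedit gimp git vinagre gvfs-mtp gvfs-smb nautilus openvpn gparted pidgin plowshare youtube-dl pulseaudio qt5-wayland samba sigil virt-manager wireshark-gtk unbound unrar unzip valgrind vlc wine-mono winetricks xorg-server-xwayland sshfs efibootmgr ttf-dejavu mpv acpi pm-utils ntfs-3g pavucontrol gnome-disk-utility bluez-utils conky pwgen libreoffice-fresh linux-headers minicom android-udev ansible mlocate terminus-font fail2ban pulseaudio-bluetooth udisks sway pv otf-ipafont xdg-utils devtools atom qpdfview termite brightnessctl nextcloud-client py3status arch-audit grim fragments fish swaylock slurp pdfarranger nftables grc time foliate vlc-bittorrent brave-bin brightnessctl depot-tools-git downgrade  signal-desktop ocenaudio-bin smloadr soulseekqt ttf-font-awesome-4 wcalc anbox-git krop zeronet id3ted redshift-wlr-gamma-control-git split2flac r128gain foo2zjs-nightly tor-browser-en venom pkgbuild-introspection networkmanager-iwd rofi-wifi-menu-git wl-clipboard-git waterfox-current-bin pacaur ripgrep bat fd gnome-passwordsafe
# android-udev already ships this file in /usr/lib/udev/rules.d, which udev
# reads; if a copy under /etc is wanted it belongs in the target system
# (/mnt/etc), not in the live ISO's /etc.
ln -s /usr/lib/udev/rules.d/51-android.rules /mnt/etc/udev/rules.d
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt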
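# --- inside the chroot: shell, services, hardening ---
chsh -s $(which fish)
# Current sshd_config ships "#PermitRootLogin prohibit-password", so a pattern
# looking for "#PermitRootLogin yes" silently matches nothing; match any
# commented or uncommented value instead (-E: extended regex, "?" is optional).
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# sed's default BRE treats "?" literally, so "^#?SystemMaxUse" never matched
# the commented default; -E gives it the intended meaning.
sed -i -E 's/^#?SystemMaxUse=.*$/SystemMaxUse=200M/' /etc/systemd/journald.conf
sed -i 's/^#Color/Color/g' /etc/pacman.conf
mkdir /etc/pacman.d/hooks
ln -s /usr/share/libalpm/hooks/30-systemd-daemon-reload.hook /etc/pacman.d/hooks/
# Overwrite, not append: a second run would otherwise leave two hostnames.
echo "http-pub2" > /etc/hostname
# timedatectl/localectl talk to a running systemd and fail inside arch-chroot;
# the file-based equivalents work here.
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
sed -i 's/#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "KEYMAP=de" > /etc/vconsole.conf
# NOTE(review): with the root on LUKS the "encrypt" (or "sd-encrypt") hook
# must be in HOOKS= of /etc/mkinitcpio.conf before this step, or the
# initramfs cannot unlock /dev/sda2 — that edit is not on this page, confirm.
mkinitcpio -p linux
# NOTE(review): bootctl needs a FAT-formatted ESP at /boot; the fstab and the
# grub section further down show /boot as ext2 with GRUB, so one of the two
# loader setups is stale — confirm which one is used.
bootctl install
passwd
useradd -m onny -s /usr/bin/fish
passwd onny
# Arch has no "sudo" group: sudo is granted through the wheel group plus the
# "%wheel ALL=(ALL) ALL" line in sudoers (edit with visudo).
usermod -a -G wheel onny
updatedb
# Drop-in directory for the tty1 getty (override.conf goes here).
mkdir -p /etc/systemd/system/getty@tty1.service.d
# systemd-resolved's stub resolver; the link dangles until resolved runs.
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# Inside the chroot only "enable" takes effect; the units start after reboot.
# NOTE(review): NetworkManager (+iwd) and the systemd-networkd setup in the
# next section both manage the same interfaces — run only one of them.
systemctl enable --now NetworkManager nftables fail2ban iwd
exit
reboot
# Needs a booted system (talks to timedated), so it runs after the reboot.
timedatectl set-ntp true
# gpasswd -a onny lock
# gpasswd -a onny uucp
gpasswd -a onny adbusers # mtp support
gpasswd -a onny storage # polkit-rule mount hdds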

core

/etc/fstab
# Static information about the filesystems.
# See fstab(5) for details.
# Root: the LUKS mapping opened as "root", top-level btrfs subvolume (subvolid=5).
/dev/mapper/root    	/         	btrfs     	rw,relatime,ssd,space_cache,subvolid=5,subvol=/	0 0
# NOTE(review): /boot is ext2, which systemd-boot (bootctl install, above)
# cannot use — bootctl needs a FAT ESP. This matches the grub section below;
# confirm which loader is actually in use.
UUID=4a8c7d1d-5839-429b-9c85-3cb6046c8b21           	/boot     	ext2      	rw,relatime,stripe=4	0 2


# <file system> <dir> <type> <options> <dump> <pass>

grub

/etc/default/grub
[...]
# cryptdevice=UUID=<luks partition>:<mapper name>:allow-discards
# allow-discards passes TRIM through the LUKS layer: good for the SSD, but it
# reveals which blocks are unused to anyone reading the raw device.
GRUB_CMDLINE_LINUX="cryptdevice=UUID=17987958-47c1-4566-b56b-83e527d4929b:root:allow-discards"
[...]

systemd-networkd

/etc/systemd/network/wg0.netdev
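# wg0.netdev — WireGuard interface; addressing lives in wg0.network.
[NetDev]
Name=wg0
Kind=wireguard
Description=Wireguard

[WireGuard]
# The key sits inline, so this file must not be world-readable
# (root:systemd-network, mode 0640) — or keep the key in a separate file and
# point PrivateKeyFile= at it.
PrivateKey=****

[WireGuardPeer]
PublicKey=****
AllowedIPs=10.25.0.0/16
# Endpoint= is single-valued (networkd keeps the last assignment), so the two
# original lines collapsed to the IPv4 one. An IPv6 literal must be bracketed:
#Endpoint=[2a01:4f8:191:327::2]:51820
Endpoint=144.76.16.40:51820
# Keeps the NAT mapping alive when this host sits behind a stateful firewall.
PersistentKeepalive=25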
/etc/systemd/network/wg0.network
# wg0.network — addressing for the WireGuard tunnel defined in wg0.netdev.
[Match]
Name=wg0

[Network]
# This host's address inside the 10.25.0.0/16 tunnel network.
Address=10.25.40.2/16
# Resolver reached through the tunnel; DNSSEC validation is off for it.
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/eno1.network
# eno1.network — wired uplink via DHCP.
[Match]
Name=eno1

[Network]
DHCP=yes
# Static resolver (the tunnel DNS); DHCP-supplied servers are still added
# alongside it unless that is disabled.
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/wlan0.network
# wlan0.network — wireless uplink via DHCP (same settings as eno1).
[Match]
Name=wlan0

[Network]
DHCP=yes
# Static resolver (the tunnel DNS); DHCP-supplied servers are still added
# alongside it unless that is disabled.
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/wlp3s0.network
# wlp3s0.network — wireless uplink via DHCP (same settings as eno1/wlan0).
[Match]
Name=wlp3s0

[Network]
DHCP=yes
# Static resolver (the tunnel DNS); DHCP-supplied servers are still added
# alongside it unless that is disabled.
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/10-tornet.netdev
# 10-tornet.netdev — bridge that sandboxed apps are attached to
# (firejail --net=tornet); its traffic is forced through Tor by nftables.conf.
[NetDev]
Kind=bridge
Name=tornet
/etc/systemd/network/10-tornet.network
# 10-tornet.network — host address on the tornet bridge.
[Match]
Name=tornet

[Network]
# The bridge has no carrier until a veth is attached; configure it anyway.
ConfigureWithoutCarrier=true
Address=10.100.100.1/24
# NOTE(review): nftables.conf DNATs traffic from this interface to 127.0.0.1,
# which the kernel only accepts with net.ipv4.conf.tornet.route_localnet=1,
# and the forward chain needs ip_forward enabled — neither is set on this
# page; confirm they are configured elsewhere.
systemctl enable --now systemd-networkd systemd-resolved

nftables

/etc/nftables.conf
# Default-deny host firewall; the "tornet" bridge (10-tornet.network) is
# pushed through the local Tor ports by the nat table at the bottom.
table inet filter {
	# Ports reachable from anywhere. Both sets are declared empty, so nothing
	# is exposed until elements are added.
	set tcp_accepted {
		type inet_service
		flags interval
	}

	set udp_accepted {
		type inet_service
		flags interval
	}

	# Shared by input and forward: allow replies, drop broken conntrack state.
	chain base_checks {
		ct state { established, related } accept
		ct state invalid drop
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump base_checks
		iifname "lo" accept
		# ICMP types needed for PMTU discovery, ping and IPv6 neighbour discovery.
		ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
		ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		tcp dport @tcp_accepted accept
		udp dport @udp_accepted accept
		# Tornet traffic arrives here after the DNAT below rewrote it to
		# 127.0.0.1:9040 / :5353 (presumably Tor's TransPort and DNSPort; the
		# tor config is not on this page).
		iifname "tornet" tcp dport 9040 accept # tornet routing
		iifname "tornet" udp dport 5353 accept # tornet routing
		# Explicit reject (ICMP unreachable) for everything else; the chain
		# policy alone would drop silently.
		reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		jump base_checks
		# NOTE(review): the nat table below redirects every IPv4 TCP flow and
		# every DNS query from tornet to Tor, so these two rules only pass
		# traffic when that DNAT is absent (e.g. nat table flushed) — then
		# tornet clients reach wlan0 directly, bypassing Tor. The udp rule also
		# has no "ip" qualifier, so it would forward IPv6 DNS untouched should
		# the bridge ever get IPv6. Drop both unless clearnet fallback is intended.
		iifname "tornet" oifname "wlan0" ip protocol tcp accept # tornet routing
		iifname "tornet" oifname "wlan0" udp dport 53 accept # tornet routing
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
# nat tables for tornet network interface
# DNAT to 127.0.0.1 from a non-loopback interface only works with
# net.ipv4.conf.tornet.route_localnet=1 (not shown on this page).
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "tornet" udp dport 53 dnat to 127.0.0.1:5353
		iifname "tornet" ip protocol tcp dnat to 127.0.0.1:9040
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Only reached by traffic that escaped the DNAT above (see forward chain).
		oifname "wlan0" ip saddr 10.100.100.0/24 masquerade
	}
}

pacman

project-insanity build server repo

/etc/pacman.conf
[...]

# Personal build-server repository, served over HTTPS.
[projectinsanity]
Server = https://onny.project-insanity.org/archlinux
# PackageOptional: signatures are checked only when a package carries one;
# unsigned packages are still installed, so TLS is the only protection here.
SigLevel = PackageOptional

autoupdate

/etc/systemd/system/autoupdate.service
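# autoupdate.service — one unattended full system upgrade; started by
# autoupdate.timer. Enable only the timer: as a oneshot, enabling the service
# itself would hold multi-user.target until the upgrade finishes.
[Unit]
Description=Automatic Update
# After= only orders; Wants= is what actually pulls network-online.target in.
Wants=network-online.target
After=network-online.target

[Service]
# pacman runs once and exits.
Type=oneshot
# NOTE(review): unattended -Syu --noconfirm installs kernel and library updates
# without a reboot/restart and leaves .pacnew files unmerged; check
# /var/log/pacman.log and "find /etc -name '*.pacnew'" after each run.
ExecStart=/usr/bin/pacman -Syuq --noconfirm --needed --noprogressbar
TimeoutStopSec=180
# On stop only the main pacman process gets SIGINT; its children are left alone.
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target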
/etc/systemd/system/autoupdate.timer
# autoupdate.timer — runs autoupdate.service 5 min after boot, then hourly.
[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes

[Timer]
Unit=autoupdate.service
OnBootSec=5min
OnUnitActiveSec=60min

[Install]
# timers.target is the usual target for timers; multi-user.target also works
# on the system instance.
WantedBy=multi-user.target
systemctl enable --now autoupdate.timer

Nextcloud autosync

~/.config/systemd/user/nextcloud_autosync.service
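# nextcloud_autosync.service (user unit) — one sync run of $HOME against the
# Nextcloud server; started by nextcloud_autosync.timer.
[Unit]
Description=Automatic Nextcloud file sync
# NOTE(review): network-online.target does not exist in the systemd --user
# instance, so this ordering has no effect there; an early run simply fails
# and the timer retries later.
After=network-online.target

[Service]
# nextcloudcmd runs once and exits.
Type=oneshot
# -n reads the credentials from ~/.netrc: keep that file mode 0600 and store a
# Nextcloud app password there rather than the account password.
ExecStart=/usr/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org/remote.php/webdav/
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
# multi-user.target is a system target and never activates in the user
# instance; user units are pulled in by default.target.
WantedBy=default.target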
~/.config/systemd/user/nextcloud_autosync.timer
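# nextcloud_autosync.timer (user unit) — 5 min after login, then hourly.
[Unit]
Description=Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=nextcloud_autosync.service

[Install]
# multi-user.target does not exist in the user instance, so the timer was never
# started at login; timers.target is available there.
WantedBy=timers.target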
~/.netrc
default
login onny
password ****
~/.nextcloud/sync-exclude.lst
projects
.cache
.config
.local
.cargo
.nvm
.mozilla
.purple
.jd
.conan
.tor-browser-en
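# Run as the logged-in user: with sudo, --user targets root's own user
# instance and the timer never fires for onny.
systemctl enable --user --now nextcloud_autosync.timer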

misc

hack to power on bluetooth after waking up from suspend:

/etc/systemd/system/root-resume.service
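# root-resume.service — re-enable the bluetooth controller after resume.
[Unit]
Description=Local system resume actions
# Ordered after suspend.target so it runs once the system has come back.
After=suspend.target

[Service]
Type=simple
# Typo fixed: the bluez-utils binary is btmgmt (as in activate_bt.service).
ExecStart=/usr/bin/btmgmt power on

[Install]
WantedBy=suspend.target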
/etc/systemd/system/activate_bt.service
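# activate_bt.service — power on the bluetooth controller at boot.
# The section header was missing its opening bracket, which makes systemd
# reject the file.
[Unit]
Description=Power on bluetooth on startup

[Service]
ExecStart=/usr/bin/btmgmt power on

[Install]
WantedBy=multi-user.target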
sudo systemctl enable root-resume activate_bt

firefox addons

 ublock origin, https everywhere, cookie auto delete

flatpak

repos

 # NOTE(review): the sdk.gnome.org remotes were retired in favour of Flathub —
 # confirm these URLs still resolve before relying on them.
 flatpak remote-add --if-not-exists gnome https://sdk.gnome.org/gnome.flatpakrepo
 flatpak remote-add --if-not-exists tingping https://dl.tingping.se/flatpak/tingping.flatpakrepo
 flatpak remote-add --from gnome-apps https://sdk.gnome.org/gnome-apps.flatpakrepo

apps

 # NOTE(review): the LibreOffice bundle is fetched over plain http, so its
 # integrity rests entirely on the signature embedded in the bundle (if any) —
 # prefer the https URL or installing from a signed remote.
 flatpak install --from http://download.documentfoundation.org/libreoffice/flatpak/latest/LibreOffice.flatpak
 flatpak install tingping io.github.TransmissionRemoteGtk
 flatpak install --from https://s3.amazonaws.com/alexlarsson/spotify-repo/spotify.flatpakref
 flatpak install gnome-apps org.gnome.gedit
 flatpak install gnome-apps org.gnome.evince
 flatpak install --from https://firefox-flatpak.mojefedora.cz/firefox-devedition.flatpakref

sway

~/.config/sway/startup.sh
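#!/bin/sh
# ~/.config/sway/startup.sh — run once by sway (exec ~/.config/sway/startup.sh).
# Without a shebang the kernel cannot execute the file directly.

# Mount the data partitions (udisks1 syntax).
udisks --mount /dev/sda3
udisks --mount /dev/sda2

# Aliases only exist in this script's own shell and vanish when it exits; they
# belong in the interactive shell's config. Kept here for reference only.
#alias snipping_tool='grim -g ('slurp') ('date').png'
#alias nmap="grc nmap"

redshift -m wayland &
# Browser and messengers run under firejail; the two messengers are attached
# to the "tornet" bridge so their traffic goes through Tor (see nftables.conf).
firejail brave --ignore-gpu-blacklist &
dunst &
firejail --net=tornet whatsapp-web-desktop &
firejail --net=tornet signal-desktop &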
~/.config/sway/config
[...]
# Terminal and launcher used by the key bindings.
set $term termite
[...]
set $menu dmenu_run
[...]
#output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill
[...]
# Internal keyboard: German layout, Alt+Shift cycles layouts.
# NOTE(review): the leading comma assigns "nodeadkeys" to a second layout, but
# only "de" is configured — "xkb_variant nodeadkeys" is probably what is meant;
# confirm.
input "1:1:AT_Translated_Set_2_keyboard" {
    xkb_layout de
    xkb_variant ,nodeadkeys
    xkb_options grp:alt_shift_toggle
}
[...]
#
# Workspaces:
#
    workspace_auto_back_and_forth yes

# Fancy names for workspaces
# The names start with the number so the bar can hide it (strip_workspace_numbers).
set $w1 1: brave
set $w2 2: signal
set $w3 3: whatsapp
set $w4 4
set $w5 5
set $w6 6
set $w7 7
set $w8 8
set $w9 9
set $w10 10

    # switch to workspace
    # (only the first three bindings are shown here)
    bindsym $mod+1 workspace $w1
    bindsym $mod+2 workspace $w2
    bindsym $mod+3 workspace $w3
[...]
# NOTE(review): the bar/input/bindsym stanza below appears three times
# verbatim on this page. In a real sway config three bar {} blocks mean three
# status bars and the repeated bindsyms just override each other — most likely
# a paste error; keep a single copy.
bar {
	status_command py3status
	font pango:Source Sans Pro, FontAwesome 8
	#tray_output primary
	strip_workspace_numbers yes
}

input "2:7:SynPS/2_Synaptics_TouchPad" {
	tap enabled
}

# Volume keys act on the default sink (looked up via pacmd each time).
bindsym XF86AudioRaiseVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%
bindsym XF86AudioMute exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bar {
	status_command py3status
	font pango:Source Sans Pro, FontAwesome 8
	#tray_output primary
	strip_workspace_numbers yes
}

input "2:7:SynPS/2_Synaptics_TouchPad" {
	tap enabled
}

bindsym XF86AudioRaiseVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%
bindsym XF86AudioMute exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bar {
	status_command py3status
	font pango:Source Sans Pro, FontAwesome 8
	#tray_output primary
	strip_workspace_numbers yes
}

input "2:7:SynPS/2_Synaptics_TouchPad" {
	tap enabled
}

bindsym XF86AudioRaiseVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%
bindsym XF86AudioMute exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bindsym XF86MonBrightnessUp exec brightnessctl set 5%+
bindsym XF86Sleep exec systemctl suspend
# Screen lock and the bluetooth-audio toggle script are bound to raw keycodes.
bindcode 244 exec swaylock -i /home/onny/pictures/lockbg.jpg --scaling fill
bindcode 156 exec ~/.config/sway/toggle-btaudio.sh

#
# Assign windows to workspaces
#

# NOTE(review): [class=...] matches X11 (Xwayland) windows only; native
# Wayland clients need app_id= instead — confirm which the three apps use.
assign [class="brave-browser"]		 → $w1
assign [class="Signal"]		 → $w2
assign [class="whats-app"]	 → $w3


# Autostart (mounts, redshift, sandboxed browser/messengers).
exec ~/.config/sway/startup.sh
[...]

dunst

.config/dunst/dunstrc
                                                                                                                                                         [global]
    font = lemon 10
    allow_markup = yes
    format = "%s\n%b"
    sort = yes
    indicate_hidden = yes
    alignment = left
    bounce_freq = 0
    show_age_threshold = 60
    word_wrap = yes
    ignore_newline = no
    geometry = "300x10-10+48"
    transparency = 20
    show_indicators = yes
    idle_threshold = 120
    monitor = 0
    follow = mouse
    sticky_history = yes
    line_height = 5
    separator_height = 0
    padding = 10
    horizontal_padding = 10
    separator_color = #bfbfbf
    startup_notification = false
    browser = /usr/bin/firefox -new-tab
    icon_position = left
    icon_folders = /usr/share/icons/Notifications

[frame]
    color = "#000000"
    width = 0

[shortcuts]
    close = ctrl+space
    close_all = ctrl+shift+space
    context = ctrl+shift+period
    history = ctrl+shift 

[urgency_low]
    background = "#ffffff"
    foreground = "#282828"
    timeout = 5

[urgency_normal]
    background = "#ffffff"
    foreground = "#282828"
    timeout = 5

[urgency_critical]
    background = "#ffffff"
    foreground = "#000000"
    timeout = 5

[ignore1]
  appname = pa-applet
  format = ""

[ignore2]
  summary = Volume down notification
  format = ""

[ignore3]
  summary = Volume up notification
  format = ""

[ignore4]
  summary = Volume muted notification
  format = ""

firejail

~/.config/firejail/brave.profile
# Firejail profile for brave
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/brave.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.config/BraveSoftware
# brave uses gpg for built-in password manager
# NOTE(review): un-blacklisting and whitelisting ~/.gnupg hands the browser the
# whole keyring, private keys included — narrow or drop it if the built-in
# password manager is not used.
noblacklist ${HOME}/.gnupg

mkdir ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.gnupg

# noexec /tmp is included in chromium-common.profile and breaks Brave
# (the ignore has to come before the include that sets it)
ignore noexec /tmp

# Redirect
include /etc/firejail/chromium-common.profile
.config/firejail/signal.profile
# Firejail profile for signal-desktop
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/signal-desktop.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.config/Signal
# NOTE(review): un-blacklisting the whole home undoes the disable-*.inc lines
# below — every dotfile becomes visible to Signal. Also check that this
# firejail release accepts a trailing "# hack" comment; older ones take the
# rest of the line as part of the path.
noblacklist ${HOME} # hack

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc

mkdir ${HOME}/.config/Signal
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Signal
# NOTE(review): whitelisting all of ${HOME} makes the two whitelist lines
# above meaningless (same caveat about the trailing comment).
whitelist ${HOME} # hack
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
# NOTE(review): seccomp is commented out, which removes the syscall filter the
# stock signal-desktop profile relies on — re-enable unless it is known to
# break the app.
#seccomp
#shell none

disable-mnt
private-dev
#private-tmp

#noexec ${HOME}
~/.config/firejail/Whatsapp.profile
noblacklist ~/.config
mkdir ~/.config
# NOTE(review): whitelisting all of ~/.config exposes every other application's
# state (browser profiles, tokens) to this sandbox; narrow it to the directory
# WhatsApp actually writes to.
whitelist ~/.config
noblacklist /opt/Whatsapp
whitelist /opt/Whatsapp


# Inherit the common whitelist and the default profile; local electron
# overrides last.
include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
include /etc/firejail/electron.local 

brave

# Enables unprivileged user namespaces (Chromium's sandbox needs them); the
# sysctl only exists on kernels carrying that patch (e.g. linux-hardened).
# NOTE(review): this also widens the kernel attack surface reachable by
# unprivileged code — many past local privilege escalations required userns.
echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf

fish config

~/.config/fish/fish.config
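# Environment for a Wayland/sway session.
# NOTE(review): fish only sources ~/.config/fish/config.fish; a file named
# fish.config is never read — confirm the real filename.
set -gx QT_QPA_PLATFORM wayland-egl
set -gx GDK_BACKEND 'wayland,x11'
set -gx CLUTTER_BACKEND wayland
set -gx XKB_DEFAULT_LAYOUT de
set -gx TERMINAL termite
set -gx EDITOR vim
set -gx BROWSER firefox
set -gx XDG_SESSION_TYPE wayland
set -gx XDG_DESKTOP_DIR "/home/onny"
set -gx XDG_DOWNLOAD_DIR "$HOME/downloads"

set -gx ELECTRON_TRASH gio

# Start sway from the first virtual console when no display server is running.
# The original "[[ ... ]] && exec" line is bash syntax and is an error in fish.
if test -z "$DISPLAY"; and test "$XDG_VTNR" -eq 1
    exec dbus-launch sway
end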

snipping tool

/usr/bin/snipping_tool
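#!/bin/bash
# /usr/bin/snipping_tool — region screenshot to clipboard and file; with -v,
# record the selected region to an mp4 instead. (Needs the shebang to be
# executable from a key binding.)
pictures="$(xdg-user-dir PICTURES)"
if [ "$1" = "-v" ]; then
	wf-recorder -g "$(slurp)" -f "$pictures/$(date +'%Y-%m-%d-%H%M%S_wf-recorder.mp4')"
else
	# grim writes the PNG to stdout; it goes to the clipboard first and is
	# then read back into the file.
	slurp | grim -g - - | wl-copy && wl-paste > "$pictures/$(date +'%Y-%m-%d-%H%M%S_grim.png')"
fi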

ArchLinux

system

set extra capabilities for process

# Lets the maddy binary bind ports below 1024 without running as root.
# File capabilities are xattrs on the binary and are lost when the package is
# reinstalled or upgraded; AmbientCapabilities=CAP_NET_BIND_SERVICE in the
# service unit survives updates.
sudo setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/bin/maddy

directory permissions

namei -l /mnt/external/audio

use acl to grant permission to files for specific user

# Give the maddy service user read access to the certificate and key via ACL
# instead of loosening the files' mode. Verify with getfacl afterwards: the
# ACL mask must still allow "r", otherwise the entry is ineffective.
setfacl -R -m u:maddy:rX /etc/ssl/example.org.crt /etc/ssl/example.org.key

pgrep get process pid by process name

$ pgrep sw3
30636

set system time

timedatectl set-time "2014-05-26 11:13:54"

packaging

git checkout aur package

git clone ssh://aur@aur.archlinux.org/pkgbase.git

commands

update checksums inplace

updpkgsums

building a package in a clean dev chroot, path for pacman conf /usr/share/devtools/pacman-extra.conf

cd <package-patch>
ls PKGBUILD
extra-x86_64-build # -c for cleaning up chroot. ~/chroot/root is a btrfs subvolume and has to be removed with btrfs!
extra-x86_64-build -- -I ~/packages/foobar/foobar-2-1-any.pkg.tar.xz

advanced chroot with own packages preinstalled

mkdir ~/chroot
export CHROOT=$HOME/chroot
mkarchroot $CHROOT/root base-devel
arch-nspawn $CHROOT/root pacman -Syu # updating it
makechrootpkg -r $CHROOT -I package-1.0-1-i686.pkg.tar.xz # -c for clean chroot 
# repackage: makechrootpkg -r /home/onny/chroot -- -R

cheap python virtualenv

mkdir path
ln -s /usr/bin/python2 path/python
export PATH="$srcdir/path:$PATH"

abs deprecated, using asp

asp export linux

PKGBUILD

Installation von Lizenzdateien:

install -D "LICENSE.txt" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"

Installation von Systemd-Units:

install -Dm644 "${srcdir}/btlive.service" "${pkgdir}/usr/lib/systemd/system/btlive.service"

Installation von Docs:

install -Dm644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md"

Installation von Tmpfiles:

install -Dm644 "wallace/wallace.tmpfiles.d.conf" "${pkgdir}/usr/lib/tmpfiles.d/wallace.conf"

Installation von Libs:

install -m644 libdouble-conversion.so.0.0.0* "${pkgdir}/usr/lib/"

do not strip binary files

options=('!strip')

Installation von ausführbare Dateien:

install -Dm755 shareLinkCreator "${pkgdir}/usr/bin/sharelinkcreator"

Nginx/Apache Template-Dateien:

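 # NOTE(review): deciding backup= and what package() installs by probing the
 # *build* host for httpd makes the package non-reproducible; the usual Arch
 # pattern is to always ship the config file and let the user enable it.
 if [[ -n $(command -v httpd 2> /dev/null) ]]; then
   backup=('etc/httpd/conf/extra/owncloud.conf')
 fi
 package(){
   # install apache .conf file if apache is installed
   if [[ -n $(command -v httpd 2> /dev/null) ]]; then
      # Quoted: $pkgdir/$srcdir may contain spaces.
      install -d "$pkgdir/etc/httpd/conf/extra"
      install -m 644 "$srcdir/owncloud.conf" "$pkgdir/etc/httpd/conf/extra/"
   fi
 }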

Zielname der Quelldatei ändern:

source=("$pkgname-$pkgver.tar.gz::https://gitlab.com/gitlab-org/gitlab-ce/repository/archive?ref=v${pkgver}")

Architekturabhängige Build-Anweisung

 build() {
   # Pick the 64- or 32-bit target from the packaging architecture, then
   # build the NVIDIA kernels.
   cd "${srcdir}/oclHashcat"
   case "$CARCH" in
     x86_64) make cudaHashcat64.bin ;;
     *)      make cudaHashcat32.bin ;;
   esac
   make nv_all
 }

pkgver git

 pkgver() {
   # Date-based version from the last commit: YYYYMMDD.<short hash>
   # (a "git describe" based variant is kept for reference).
   #git describe --long | sed 's/\([^-]*-g\)/r\1/;s/-/./g'
   cd "mail"
   git log -1 --format=%cd.%h --date=short | tr -d '-'
 }

Common install file example

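post_install() {
  # -p: the directory already exists on reinstall/upgrade.
  mkdir -p /var/lib/zabbix
  getent group lool > /dev/null || groupadd -r lool > /dev/null
  # System account without a login shell: the service user must not be able
  # to log in. -g reuses the group created above (a bare "useradd lool" fails
  # once that group exists).
  getent passwd lool > /dev/null || useradd -r -g lool -s /usr/bin/nologin lool > /dev/null
  chown -R lool:lool /var/cache/loolwsd \
                     /opt/lool/child-roots
}
 
post_remove() {
   # Remove the service user (and its home, if any) and its group.
   userdel -rf lool
   groupdel lool
}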

in pkgbuild reference

install="libreoffice-online-bin.install"

aurutils

install packages into build container

arch-chroot /var/lib/aurbuild/x86_64/root pacman -S git
pacman --root=/var/lib/aurbuild/x86_64/root -S git

add gpg key into build container

# Fetches the key by ID only; compare the full fingerprint with the
# validpgpkeys entry of the PKGBUILD before trusting it.
sudo -u aur gpg --recv-keys EB774491D9FF06E2

rebuild prebuild package and add to custom AUR repo

fakepkg webkitgtk2
sudo -u aur repo-add /var/cache/pacman/aur/aur.db.tar /tmp/webkitgtk2-3:2.4.11-16-x86_64.pkg.tar.xz
cp /tmp/webkitgtk2-3:2.4.11-16-x86_64.pkg.tar.xz /var/cache/pacman/aur

bluetooth

Example session bluetoothctl

# bluetoothctl 
[bluetooth]# default-agent 
[bluetooth]# scan on
[bluetooth]# pair 00:12:34:56:78:90
[bluetooth]# connect 00:12:34:56:78:90

useful stuff

pipe stderr to stdout

command 2>&1 >/dev/null | grep 'something'

pipe stderr and stdout both to a file

command &> error_log

locate pacnew files

find /etc -regextype posix-extended -regex ".+\.pac(new|save)" 2> /dev/null

or search entire disk

find / -regextype posix-extended -regex ".+\.pac(new|save)" 2> /dev/null

swapfile on btrfs

# NOTE(review): swap on a loop device over a sparse file can hit ENOSPC when
# the kernel actually swaps, and is only needed on btrfs < 5.0; newer kernels
# support a native swapfile (see btrfs(5)) — confirm which applies.
swapfile=$(losetup -f) #free loop device
truncate -s 8G /swap   #create 8G sparse swap file
losetup $swapfile /swap #mount file to loop
mkswap  $swapfile
swapon  $swapfile

search library availability in system, print file paths

ldconfig -p | grep blas 

systemd nspawn (container)

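pacman -S arch-install-scripts
# Base image kept as a btrfs subvolume so it can be cloned per machine.
btrfs subvol create /var/lib/container/archlinux-base
mkdir /etc/systemd/nspawn
pacstrap /var/lib/container/archlinux-base base base-devel
systemctl enable --now systemd-networkd systemd-resolved
# -n: private veth network; --template clones the base subvolume into /var/lib/machines.
systemd-nspawn --boot -nD /var/lib/machines/archlinux-nextcloudcli --template=/var/lib/container/archlinux-base
# The unit template is systemd-nspawn@ (the original had a stray "d").
systemctl start systemd-nspawn@archlinux-nextcloudcli
machinectl shell root@archlinux-nextcloudcli /bin/bash -c "systemctl enable --now systemd-networkd systemd-resolved"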

quit / exit / kill container: Hold Ctrl press ] three times

kernel

grep kernel config running system

zcat /proc/config.gz | grep VDSO

fish

unset history

fish --private

bash

lzma hado compression and extraction

tar -c --lzma -f my_archive.tar.lzma /some_directory
tar -x --lzma -f my_archive.tar.lzma

run script verbose

sh -x scripname.sh

cheap python virtualenv

mkdir path
ln -s /usr/bin/python2 path/python
export PATH="$srcdir/path:$PATH"

get process runtime by pid, where pid is 1234 in this example

ps -o etime= -p "1234" 

write command output to file and to stdout (python -u for unbuffered output)

python3 -u sperrmuell.py 2>&1 | tee sperrmuell_ka.csv

recursively rename string

find . -type f -print0 | xargs -0 sed -i 's/twentytwelve/projectinsanity/g'

overwrite LD_LIBRARY_PATH

LD_LIBRARY_PATH="/home/onny/projects/onlyoffice-documentserver/src/DocumentServer-ONLYOFFICE-DocumentServer-5.2.7/core/build/lib/linux_64/:$LD_LIBRARY_PATH" ./AllFontsGen

compare command line argument to string

#!/bin/bash
# Region screenshot (default) or region screen recording (-v), saved in the
# user's pictures directory.
pictures="$(xdg-user-dir PICTURES)"
case "$1" in
	-v)
		wf-recorder -g "$(slurp)" -f "$pictures/$(date +'%Y-%m-%d-%H%M%S_wf-recorder.mp4')"
		;;
	*)
		slurp | grim -g - - | wl-copy && wl-paste > "$pictures/$(date +'%Y-%m-%d-%H%M%S_grim.png')"
		;;
esac

file exists

if [ ! -f /tmp/foo.txt ]; then
    echo "File not found!"
fi

program exit

exit 0 # okay
exit 1 # fail

receive signal bash

trap_with_arg() {
    # Install "<handler> <signal>" for every signal named after the handler,
    # so the handler learns which signal fired.
    func="$1"
    shift
    for sig in "$@"; do
        trap "$func $sig" "$sig"
    done
}
 
func_trap() {
    # Report the signal name passed in by trap_with_arg.
    printf 'Trapped: %s\n' "$1"
}
 
# Register func_trap for INT, TERM and EXIT, then block on read so the
# handler can be observed.
trap_with_arg func_trap INT TER<br>M EXIT
 
echo "Send signals to PID $$ and type [enter] when done."
read # Wait so the script doesn't exit.

sed

Mit sed inplace eine Zeile zu einer Datei hinzufügen:

sed -i '9i#include <algorithm>' liboffsetfinder64/vmem.cpp

Comment out specific line matching a string

sudo sed -e '/pam_securetty.so/ s/^#*/#/' -i delugecontainer/etc/pam.d/login

comment out multiple lines / range

sed -i "28,33 s/# *//" autogen.sh

regex parse value of xml tags

sed -n 's/.*<id>\(.*\)<\/id>.*/\1/p' myfile.txt

delete multiple lines

sed -i '2,3d;5d;8d' file

curl

post data

# The UserId and api_key are sent both in the body and in the URL; anything in
# the URL ends up in server/proxy logs and shell history. Keep them in the body
# (or a header) only, and read them from a file with --data @file.
curl --data "UserId=eb8c2ec5352843d3a16ca11c26d3551c&Name=lolorollo&api_key=a5dc4e***9c9e0a***3" "https://turbotux.de/Playlists?UserId=eb8c2ec5352843d3a16ca11c26d3551c&Name=lolorollo&api_key=a5***d***9e0***3"

download and extract archive

curl http://wordpress.org/latest.tar.gz | tar xvz

set host header

torify curl --header "Host: http.pi" blog.project-insanity.org

tcpdump

specific ports

tcpdump -i eth0 -q '(tcp port 80) or (tcp port 443)' -A

exclude specific host

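# "and" binds tighter than "or" in BPF: without the inner parentheses the host
# exclusion applied only to the port-443 branch.
tcpdump -i eth0 -q '(ip or ip6) and ((tcp port 80) or (tcp port 443)) and not host ifconfig.co' -A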

patching

applying

diff -u original.c new.c > original.patch
patch < original.patch
# patch -p0 < original.patch
# patch -p1 -i packaging-fix.patch

creating patch

git commit -am "meine änderungen"
git format-patch "HEAD^"

rsync

custom ssh port

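# --remove-source-files is the current name (--remove-sent-files is the old
# spelling); it deletes each local file after it was transferred.
rsync -rvz -e 'ssh -p 2222' --progress --remove-source-files ./dir user@host:/path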

parallel, threaded

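# Names come from find with NUL separators, so spaces or newlines in file
# names cannot break the argument list (parsing "ls" output does).
find . -mindepth 1 -maxdepth 1 -not -name '.*' -print0 | parallel -0 rsync -a {} /destination/directory/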

openssh

SSH public key deployen

ssh-copy-id alarm@10.0.0.2

remote port forwarding (expose a local port on the remote host)

# -R on the remote's 0.0.0.0 exposes the local service to everyone who can reach
# the server (requires GatewayPorts on the server, see below); bind to
# 127.0.0.1 there unless outside access is intended.
ssh -R 0.0.0.0:8096:localhost:8096 onny@example.com
/etc/ssh/sshd_config
[...]
# "yes" lets every client bind forwarded ports on all interfaces;
# "clientspecified" keeps that choice per -R invocation.
GatewayPorts yes
[...]

networking

netcat

netcat -l 4444
netcat playground.pi 4444

nftables

nft list ruleset
nft flush ruleset
nft -f ruleset.nft

display handles, insert rule at position

nft -a list ruleset
nft add rule inet filter input position 17 tcp dport "{http, https}" accept
nft delete rule inet filter input handle 23

sysctl

disable ipv6

# Runtime only; to persist across reboots put the same keys in /etc/sysctl.d/*.conf.
sysctl net.ipv6.conf.all.disable_ipv6=1
sysctl net.ipv6.conf.default.disable_ipv6=1
sysctl net.ipv6.conf.lo.disable_ipv6=1

iptables

connection sharing. Iptables-Fu (internet0 ist das Interface, dass mit dem Internet verbunden ist):

sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i net0 -o internet0 -j ACCEPT

picloud network sharing & port forwarding openwrt

sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i net0 -o wlan0 -j ACCEPT
# Accepts *any* forwarded traffic to 192.168.1.2, not only the two DNATed ports.
iptables -I FORWARD -o br-lan -d 192.168.1.2 -j ACCEPT
# The PREROUTING rules carry no -i, so 8096 and 2222 are redirected from every
# interface (LAN included); the OUTPUT rules do the same for locally
# generated connections.
iptables -t nat -I PREROUTING -p tcp --dport 8096 -j DNAT --to 192.168.1.2:8096
iptables -t nat -A OUTPUT -p tcp --dport 8096 -j DNAT --to 192.168.1.2:8096
iptables -t nat -I PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22
iptables -t nat -A OUTPUT -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22


ip

route command example

ip route add 192.168.1.0/24 dev eth0
ip route add default via 192.168.1.1

flush addresses

ip addr flush dev enp8s0

remove interface

ip link delete br0

delete address

ip addr del 192.168.178.20/24 dev eth0

set address

ip address add dev usb0 172.16.42.1/24
ip link set usb0 up

show only specific interface

ip a show wg0

dnsmasq

minimal hostapd and dnsmasq config

/etc/dnsmasq/dnsmasq.conf
# dnsmasq for the wlan0 access point: DNS forwarder plus DHCP on 172.24.1.0/24.
interface=wlan0
bind-interfaces
listen-address=172.24.1.1
# Upstream resolver (plain DNS; queries leave unencrypted).
server=8.8.8.8
# port=0 would turn DNS off and leave DHCP only.
#port=0 # disable dns
domain-needed
bogus-priv
# DHCP pool and lease time.
dhcp-range=172.24.1.50,172.24.1.150,12h
/etc/hostapd/hostapd.conf
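interface=wlan0
driver=nl80211
ssid=MyAP
hw_mode=g
channel=11
# WPA2 only: wpa=1 (WPA1) with TKIP is deprecated and cryptographically weak;
# CCMP (AES) is the only pairwise cipher worth offering. rsn_pairwise is the
# WPA2 counterpart of wpa_pairwise.
wpa=2
wpa_passphrase=MyPasswordHere
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_ptk_rekey=600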

ifupd

/etc/ifplugd/ifplugd.action
#!/bin/sh
# Called by ifplugd as "<interface> <up|down>": restart networkd when the
# wired link on enp0s10 comes back; everything else is a no-op.
ifname="$1"
action="$2"

if [ "$ifname" = "enp0s10" ] && [ "$action" = "up" ]; then
	systemctl restart systemd-networkd
fi
/etc/ifplugd/ifplugd.conf
INTERFACES="enp0s10"
ARGS="-fwI -u0 -d10"
# NOTE(review): the interface here (enp0s25) differs from the enp0s10 used in
# ifplugd.conf and ifplugd.action above, and the unit Arch ships is
# ifplugd@.service — confirm both names.
systemctl restart ifupd@enp0s25
systemctl enable ifupd@enp0s25

document manipulation

pdf document manipulation

compression

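# One command; the line break needs a continuation backslash.
gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -dNOPAUSE -dQUIET -dBATCH \
  -sOutputFile=output.pdf input.pdf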

equalize output size and compress, where /printer = 300dpi

gs -sDEVICE=pdfwrite -dPDFSETTINGS=/printer -dNOPAUSE -dQUIET -dBATCH -sPAPERSIZE=a4 -dFIXEDMEDIA -dPDFFitPage -sOutputFile=output.pdf input.pdf

lossless merge

pdfunite in-1.pdf in-2.pdf in-n.pdf out.pdf

extract page range

pdftk campus_italia.pdf cat 1-280 output campus_italia_a1a2.pdf

insert into pdf

pdftk A=bigpdf.pdf B=insert.pdf cat A1-180 B A181-end output output.pdf

imagemagick picture to equal size pdf

i=300; convert a.png b.png -compress jpeg -quality 100 \
      -density ${i}x${i} -units PixelsPerInch \
      -resize $((i*827/100))x$((i*1169/100)) \
      -gravity center \
      -extent $((i*827/100))x$((i*1169/100)) multipage.pdf
convert a.jpeg b.pdf -compress jpeg -quality 70 -density 300x300 -units PixelsPerInch -resize 2481x3507 -gravity center -extent 2481x3507 multipage.pdf

ffmpeg

Constant quality AV1. The CRF value can be from 0–63. Lower values mean better quality.

ffmpeg -i input.mp4 -c:v libaom-av1 -crf 30 -strict experimental av1_test.mp4

Burn subtitles, fast video conversion

ffmpeg -i Kawamata\ -\ La\ passage\ des\ chaises.mkv -vf subtitles=Kawamata\ -\ La\ passage\ des\ chaises.mkv -acodec copy -preset:v ultrafast Kawamata\ -\ La\ passage\ des\ chaises.mp4

batch convert images

for i in *.png ; do gm convert "$i" "${i%.*}.jpg" ; done

lossless mp3 merge

ffmpeg -f concat -i <(printf "file '%s'\n" ./*.mp3) -c copy output.mp3

lossless audio extraction

ffmpeg -i videofile.mp4 -vn -acodec copy audiofile.mp3

extract from mkv

# Position of the audio track in mkvinfo's "Track type" list (1-based),
# turned into mkvextract's 0-based track id.
n=$(mkvinfo ${base}.mkv | grep "Track type" | grep -n "audio" | cut -d":" -f1)
audTrack=$(echo "${n} - 1" | bc)
mkvextract tracks ${base}.mkv ${audTrack}:${base}.ac3

pentesting

subbrute

check for subdomains

torify subbrute leel.de

wfuzz

torify wfuzz -c --hc 404 -w /opt/wfuzz/wordlist/general/megabeast.txt http://www.leeel.de/FUZZ
torify wfuzz -c --hc 404,403 -w /opt/wfuzz/wordlist/general/admin-panels.txt -w /opt/wfuzz/wordlist/general/extensions_common.txt http://www.leeel.de/FUZZFUZ2Z

Preparing data for LFI scan

cat /var/cache/pkgfile/* | grep -a ".*/.*\.conf$" | sort | uniq > lfi

exploit kits

chromium / chrome

disable gpu blacklist, enable nouveau hardware acceleration

chromium --ignore-gpu-blacklist

docker

Short example

 sudo systemctl start docker
 # Members of "docker" can start containers as root on the host — treat the
 # group like sudo.
 gpasswd -a onny docker
 # -p 80:80 publishes on every interface; whether the host's nftables forward
 # chain gates it depends on how docker's own iptables rules coexist with it
 # (check nft list ruleset). Use -p 127.0.0.1:80:80 for local testing.
 docker run -d -p 80:80 rootlogin/nextcloud
 docker run -v /home/onny/projects/nextcloud-app-radio:/opt/nextcloud/apps/radio -d --name nextcloud -p 80:80 rootlogin/nextcloud

Debugging it

 docker run -i -t e326cbb922aa /bin/bash # exec shell of image
 docker exec -i -t e326cbb922aa /bin/bash # exec new shell running container 

Pull from repository

 docker pull eugeneware/docker-wordpress-nginx
 docker run -p 80:80 -d docker-wordpress-nginx
 docker ps
 docker commit e5a70884ac44 eugeneware/docker-wordpress-nginx:aenderungen1
 # docker stop / run
 docker run -t -i -v /home/onny/projects/web-whackspace:/usr/share/nginx/www/wp-content/themes/whackspace -p 80:80 -d e326cbb922aa
 docker run -i -t e326cbb922aa /bin/bash

Pull specific tagged image

docker pull rootlogin/nextcloud:develop

Build from Dockerfile

 cd  ~/projects/docker-invoiceplane-nginx
 sudo docker build -t="docker-invoiceplane-nginx" .
 sudo docker run -p 80:80 -d docker-invoiceplane-nginx

Build from URL

docker build -t nextcloud-testing github.com/onny/docker-nextcloud

Delete image

docker rmi <image name / id>

Export and load image

docker save myimage > myimage.tar
docker load < myimage.tar

Remove all images and containers

docker system prune -a

docker stop all container

# fish syntax: (...) is fish's command substitution; in bash use $(docker ps -a -q).
docker stop (docker ps -a -q)

prevent from auto start

docker update --restart=no 

docker commit container and rerun

$ docker ps  -a
CONTAINER ID        IMAGE                 COMMAND                  CREATED              STATUS                          PORTS               NAMES
    5a8f89adeead        ubuntu:14.04          "/bin/bash"              About a minute ago   Exited (0) About a minute ago                       agitated_newton
$ docker commit 5a8f89adeead newimagename
$ docker run -ti -v "$PWD/dir1":/dir1 -v "$PWD/dir2":/dir2 newimagename /bin/bash

wordpress docker image

docker-compose.yml
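# docker-compose.yml — WordPress + MySQL for theme development; the theme in
# the current directory is bind-mounted into the WordPress container.
version: '3'

services:
  db:
    # NOTE(review): mysql:5.7 is end-of-life; pin a supported tag.
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      # Throw-away development credentials; do not reuse them anywhere else.
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress

  wordpress:
    depends_on:
      - db
    # NOTE(review): :latest is unpinned, so the stack is not reproducible.
    image: wordpress:latest
    volumes:
      - .:/var/www/html/wp-content/themes/ausstellung-virtuell
    ports:
      # Bound to loopback: the site is only reached at http://127.0.0.1:8000,
      # and a port published on 0.0.0.0 is accepted by docker's own rules
      # rather than by the host's nftables input chain.
      - "127.0.0.1:8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress

volumes:
  db_data: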

Note the mount instruction in the volumes section, providing the local theme to the wordpress container.

docker-compose up -d

Visit http://127.0.0.1:8000

eigenes system setup

signatures

# NOTE(review): the SKS pool (pool.sks-keyservers.net) was shut down in 2021;
# fetch from keys.openpgp.org or the key URL given in the PKGBUILD, and
# compare the full fingerprint with its validpgpkeys entry.
gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 # tor-browser-en aur packet

ansible

Run single command

ansible playground.pi -i hosts -m shell -a "whoami"

Limit playbook to specific host from group

ansible-playbook -i hosts archlinux-syssetup.yml -l playground.pi --ask-become-pass

Running single ansible role

picloud.yml
  roles:
     - { role: nsupdate, tags: nsupdate }
 ansible-playbook -i hosts --ask-become-pass picloud.yml --tags 'nsupdate'

Directly define server without inventory file

ansible-playbook -i "192.168.1.23," wgnas.yml --ask-become-pass

Skip specific role by tag

ansible-playbook --inventory-file=.vagrant/provisioners/ansible/inventory -v picloud.yml --skip-tags mount

playbook

Include distribution specific vars, e.g. vars/Archlinux.yml or vars/Debian.yml

tasks/main.yml
- name: Include OS-specific variables.
  include_vars: "{{ ansible_os_family }}.yml"

use encrypted vars with vault

ansible-vault encrypt_string --vault-password-file ~/.ansible_vault_pw my_secret
vars/auth.yml
notsecret: myvalue
mysecret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
          6431626536303530376336343832656537303632313433360a626438346336353331386135323734
          62656361653630373231613662633962316233633936396165386439616533353965373339616234
          3430613539666330390a313736323265656432366236633330313963326365653937323833366536
          34623731376664623134383463316265643436343438623266623965636363326136
other_plain_text: othervalue
ansible-playbook -i hosts -v piradio.yml --ask-become-pass --vault-password-file ~/.ansible_vault_pw

conditions

- name: Enable ufw service
  service:
    name: ufw
    enabled: yes
  when: ufw_state == "enabled"

podcasts

kolhacampus archiv

sendung genre url
PLUG-IN drum&base http://www.icast.co.il/Rss.aspx?ID=515483
https://onny.project-insanity.org/laboumdeluxe/feed.xml # FM4 La Boum de Luxe, Music EDM Techno Radio
https://onny.project-insanity.org/bounce/feed.xml # SRF Virus Bounce, Music Hip Hop Radio

atom editor

plugins

    • Usage CTRL-SHIFT-H
    • Right click on color value (html/css)
  • teletype (collaboration for atom)
  • run script: strg+b
  • atom-beautify
    • Run command palette: Ctrl+Shift+P
    • Type Beautify and run Beautify Editor
  • preview markdown
    • Ctrl+Shift+m

firejail

Running app without networking

firejail --net=none vlc

Running app in private mode (fresh home folder)

firejail --private firefox

Persistent user specific configuration

cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none

nextcloud

Sync only a specific folder with nextcloud

nextcloudcmd pictures https://nextcloud.project-insanity.org/remote.php/webdav/pictures

development

gcc

-Werror=implicit-fallthrough=
-Wno-implicit-fallthrough

git

show remote origin

git remote show origin

change remote origin

git remote set-url origin gitlab@http-new.pi:onny/web-wikidict.git

tagging

git tag -a v0.1 -m 'whackspace wordpress theme init'

merge commits from a remote repository

git fetch https://github.com/rfc2822/davdroid.git master
git branch -r
git merge FETCH_HEAD
"force pull", overwrite local changes
git fetch --all
git reset --hard origin/master
git branch
git branch firefox45
git checkout firefox45

new branch

git branch iss53
git checkout iss53

git show all tags

git log --no-walk --tags --pretty="%h %d %s"

delete last commit

git reset --hard HEAD~1

remove sensitive files from repo (rewrites history; treat the leaked secret as compromised and rotate it anyway, since existing clones, forks and reflogs still hold the old commits)

git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA' \
--prune-empty --tag-name-filter cat -- --all
git push origin --force --all
git push origin --force --tags

rebase upstream

git clone git@github.com:croaky/dotfiles.git
cd dotfiles
git remote add upstream git@github.com:thoughtbot/dotfiles.git
git fetch upstream
git rebase upstream/master

git cherry pick commit for specific files

git checkout 13243f2eafc4292917178051fe1bb5aab2774dca -p include/mmc.h drivers/mmc/mmc.c arch/arm/include/asm/arch-exynos/mmc.h drivers/mmc/s5p_sdhci.c common/cmd_mmc.c common/cmd_mmc_spi.c common/env_mmc.c include/sdhci.h

delete branch

git branch # list
git branch -d swaybar

rebase

git remote add upstream https://github.com/whoever/whatever.git
git fetch upstream
git checkout master
git rebase upstream/master
git push -f origin master

yum

yum install rpm-build
rpmbuild --rebuild aiccu-2007.01.15-7.el6.src.rpm
cd /root/rpmbuild/RPMS/x86_64
rpm -i aiccu-2007.01.15-7.el7.centos.x86_64.rpm

tmux

copy the whole scrollback buffer into a file. Press keys: “Prefix + :”

capture-pane -S -3000
save-buffer filename.txt

wine

installing msi

wine msiexec /i xyz.msi

scanning

wireshark: filter only http traffic

http

arp-scan

arp-scan --interface=wlp3s0 --localnet

nmap use nse script

nmap -p 80 192.168.188.0/24 -n --open --script /usr/share/nmap/scripts/http-title.nse

debian

which package provides file XY

apt-file update
apt-file search netstat

extract deb package

ar x *.deb

Makefile

define variables with a default value that can be overridden (e.g. from the command line)

# Install locations. `?=` assigns only when the variable is not already set,
# so each one can be overridden from the environment or the command line,
# e.g. `make DOCUMENT_ROOT=/srv/onlyoffice/documentserver`.
DOCUMENT_ROOT ?= /var/www/onlyoffice/documentserver
LOG_DIR ?= /var/log/onlyoffice/documentserver
DATA_DIR ?= /var/lib/onlyoffice/documentserver/App_Data
CONFIG_DIR ?= /etc/onlyoffice/documentserver
# TRUE enables the `ifeq ($(CREATE_USER),TRUE)` block below that creates the
# onlyoffice system user; set it to anything else to skip user creation.
CREATE_USER ?= TRUE

conditions

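# Create the onlyoffice system user and hand it the install directories, but
# only when CREATE_USER is TRUE (the default). These are recipe lines, so they
# belong to whichever rule precedes this conditional.
ifeq ($(CREATE_USER),TRUE)
	adduser --quiet --home ${DESTDIR}${DOCUMENT_ROOT} --system --group onlyoffice
# `$$(dirname ...)` reaches the shell as `$(dirname ...)`, so dirname runs there.
# A single `$(dirname {X})` is expanded by make itself as a (non-existent, empty)
# variable named "dirname {X}", which reduced each line to `chown -R ${DESTDIR}`:
# the whole staging tree when DESTDIR is set, a missing-operand error when it is empty.
	chown onlyoffice:onlyoffice -R ${DESTDIR}$$(dirname $(DOCUMENT_ROOT))
	chown onlyoffice:onlyoffice -R ${DESTDIR}$$(dirname $(LOG_DIR))
	chown onlyoffice:onlyoffice -R ${DESTDIR}$$(dirname $$(dirname $(DATA_DIR)))
endif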

mail

echo mail server

echo@univie.ac.at

openssl imaps login

openssl s_client -connect mail.sexypump.de:993 -crlf
A login cypherpunk cypherpunk

get quota

a GETQUOTAROOT INBOX

get msg count of folder

a LIST INBOX *
* LIST (\HasChildren) "." INBOX
* LIST (\HasNoChildren \UnMarked) "." "INBOX.Deleted Messages"
* LIST (\HasNoChildren \UnMarked) "." "INBOX.Sent Messages"
* LIST (\HasNoChildren \UnMarked \Trash) "." INBOX.Trash
* LIST (\HasNoChildren \UnMarked \Sent) "." INBOX.Sent
* LIST (\HasNoChildren \UnMarked) "." INBOX.Notes
* LIST (\HasNoChildren \UnMarked \Junk) "." INBOX.Junk
* LIST (\HasNoChildren \UnMarked \Drafts) "." INBOX.Drafts
* LIST (\HasNoChildren \UnMarked) "." INBOX.AntiSpam
a OK List completed (0.001 + 0.000 secs).
a SELECT INBOX

send smtp mail

echo -n "username" | base64
# dXNlcm5hbWU=
echo -n "password" | base64
# cGFzc3dvcmQ=
openssl s_client -connect mail.agenturserver.de:465
AUTH LOGIN
ZGRkZGRkZGRk
enp6enp6enp6eno=
RCPT TO: <admin@example.local>
Subject: I have some questions!
Question 1: ...
DONE

Android

installed apps

antennapod davx5 dbnavigator fdroid fennec icsx5 jellyfin keepassdx libreoffice vlc nextcloud quicklyric radiodroid signal soundhound spotify tasks documentviewer fdroid-privilegedextension

configurations

  • antennapod subscriptions
  • fdroid pi repo
  • davx calendar & contacts
  • jellyfin config
  • nextcloud config
  • signal backup
  • radiodroid station list
  • spotify config

flash recovery

heimdall flash --RECOVERY twrp-3.2.1-1-serranoltexx.img

anbox

pacman -S anbox-git anbox-image anbox-modules-dkms-git
modprobe binder_linux ashmem_linux
systemctl restart anbox-container-manager
systemctl --user restart anbox-session-manager
anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
wget "https://f-droid.org/FDroid.apk"
adb install FDroid.apk

davdroid

https://nextcloud.project-insanity.org/remote.php/dav

With 2FA enabled, a device-specific (app) password is required instead of the account password.

vim

comment multiple lines

CTRL + V # visual block mode
after selecting
Shift + I # insert mode
type #
ESC

onlyoffice

zitieren

Anführungszeichen öffnend: [Alt Gr] + [V]
Anführungszeichen schließend: [Alt Gr] + [B]

wayland

run x apps with root

xhost +SI:localuser:root
sudo gparted

gpg

==> Verifying source file signatures with gpg...
    aurutils-1.5.3.tar.gz ... FAILED (unknown public key 6BC26A17B9B7018A)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Could not download sources.
onny@http ~ % sudo -u aur gpg --recv-keys 6BC26A17B9B7018A    

tools

  • etcher: create windows, mac and linux usb flash installation sticks
    • github.com/slacka/WoeUSB
  • browsh: graphical terminal browser
  • meld compare folders
  • cpod github
  • flutter sdk
  • deezloader remix
  • scrcpy: access the android screen via adb and control it
ngrep -q -W byline "^(GET|POST) .*"
ngrep -q -W byline "search" host www.google.com and port 80

pages

  • unpaywall hack
https://outline.com/zeit.de/2011/26/Nationalsozialismus-Tagebuecher/komplettansicht

openwrt

update all packages

opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade 

dbus

dbus system monitor with filter

busctl --match "path=/net/connman/iwd" monitor

list tree

busctl tree net.connman.iwd

introspect available properties

busctl introspect net.connman.iwd /net/connman/iwd/636166652d6d6174732d67617374_psk

systemd

service hardening

# Excerpt of the [Service] section of a unit file: sandboxing directives that limit
# what a compromised or misbehaving service process can reach. Check what a unit
# still exposes with `systemd-analyze security <unit-name>`, and test each directive
# against the real service, since some will break services that need the paths,
# devices or address families being taken away.
# Gives the service a private /tmp and /var/tmp, invisible to other processes.
PrivateTmp=true
# Makes /home, /root and /run/user appear empty to the service.
ProtectHome=true
# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
# (`strict` goes further and makes the whole file system read-only except /dev, /proc and /sys;
# combine it with ReadWritePaths= for the directories the service must write.)
ProtectSystem=full
# Ensures that the service process and all its children can never gain new privileges
# (e.g. via setuid binaries or file capabilities).
NoNewPrivileges=true
# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true
# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true
# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services
ProtectControlGroups=true
# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
# NOTE(review): a service that also needs e.g. AF_NETLINK or AF_PACKET will fail at socket()
# with this list — check the journal after enabling it and extend the list only as needed.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

nixos

apply changes to system

nixos-rebuild switch

update channel, rebuild and switch

nixos-rebuild switch --upgrade

search package

nix search gedit

nixos testing environment

nix-shell -p toilet

install unstable package

nix-channel --add https://nixos.org/channels/nixos-unstable unstable
nix-channel --update unstable
nix-env -iA unstable.pdfarranger

custom local repository, list packages

nix-env -f /etc/nixos/apps -qaP '*'

install package from local repo

nix-env -f /etc/nixos/apps -iA xerox6000-6010

package shell script

  # Put a small wrapper script on PATH that starts sway.service, after importing
  # the environment of the login shell into the user's systemd manager.
  environment.systemPackages = with pkgs; [
    (
      # writeTextFile builds a single-file derivation; `destination` places the
      # file under the derivation's output so that /bin/startsway lands on PATH.
      pkgs.writeTextFile {
        name = "startsway";
        destination = "/bin/startsway";
        # Mark the generated file executable.
        executable = true;
        # NOTE(review): `import-environment` without arguments copies every
        # variable of the calling shell into the user manager; listing only the
        # variables sway needs would expose less — confirm against the setup.
        text = ''
          #! ${pkgs.bash}/bin/bash

          # first import environment variables from the login manager
          systemctl --user import-environment
          # then start the service
          exec systemctl --user start sway.service
        '';
      }
    )
  ];

garbage collector

nix-collect-garbage -d

list package files

find $(nix eval -f /etc/nixos/apps --raw xerox6000-6010.outPath)

install package

nix-env -i icecat

remove package

nix-env -e icecat

list installed packages

# installed via configuration.nix
nixos-option environment.systemPackages | head -2 | tail -1 | sed -e 's/ /\n/g' | cut -d- -f2- | sort | uniq
# + dependencies
nix-store --query --requisites /run/current-system
nix-store --query --requisites /run/current-system | cut -d- -f2- | sort | uniq
# list user packages
nix-env --query

python virtualenv

nix-shell -p python3Packages.virtualenv
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

local repository (nixpkgs clone) as systemwide channel

$ nix-build nixos/release.nix -A channel --arg nixpkgs  '{ outPath = ./. ; revCount = "'$(git rev-list HEAD | wc -l)'"; shortRev = "'$(git rev-parse --short HEAD)'"; }'
...
/nix/store/hash-name/
$ sudo nix-channel --remove nixos
$ sudo nix-channel --add file:///nix/store/hash-name/tarballs/thetarball.tar.xz nixos
$ sudo nix-channel --update

test packages git pull request

let
[...]
  nixpkgs-tars = "https://github.com/NixOS/nixpkgs/archive/";

  # FIXME iwd networks option
  pr75800 = import (fetchTarball
    "${nixpkgs-tars}ba0baf53e24a123a45861cf5fa08e4b3e1377db0.tar.gz")
    { config = config.nixpkgs.config; };
  # FIXME nftables + docker
  pr81172 = import (fetchTarball 
    "${nixpkgs-tars}0b4e135d8e9c76a43346ae24e33572e627951203.tar.gz") 
    { config = config.nixpkgs.config; };
[...]
in
[...]
  nixpkgs.overlays = [
    (self: super:
      {
        # FIXME: add iwd networks option
        inherit (pr75800) iwd;
      }
      )];

retrieve hash

curl -sL https://github.com/NixOS/nixpkgs/pull/64977.patch \
                | head -n 1 | grep -o -E -e "[0-9a-f]{40}"

filesystem

partitioning

reset flash drive

dd if=/dev/zero of=/dev/sdX bs=2M count=32

change label (vfat etc)

fatlabel /dev/sdb1 "mystick"

resize extX partition

sfdisk -l /dev/sdb
# Disk /dev/sdb: 55.9 GiB, 60022480896 bytes, 117231408 sectors
# Disk model: CR60GB External 
# Units: sectors of 1 * 512 = 512 bytes
# Sector size (logical/physical): 512 bytes / 512 bytes
# I/O size (minimum/optimal): 512 bytes / 512 bytes
# Disklabel type: dos
# Disk identifier: 0x2486e7f7
#
# Device     Boot Start       End   Sectors  Size Id Type
# /dev/sdb1        2048 117231407 117229360 55.9G 83 Linux
 
e2fsck -f /dev/sdb1
resize2fs /dev/sdb1 50G
# resize2fs 1.45.5 (07-Jan-2020)
# Resizing the filesystem on /dev/sdb1 to 13107200 (4k) blocks.
# The filesystem on /dev/sdb1 is now 13107200 (4k) blocks long.
fdisk /dev/sdb
# 1. (d) delete partition
# 2. (n) create new partition
# 3. (p) primary
# 4. (1) partition number
# 5. (2048) start block, same as above
# 6. (+52428800K) last sector partition (13107200k*4k)
# 7. (a) partition is bootable flag
# 8. (w) write changes

lvm

restore snapshot

lvconvert --merge /dev/vg0/playground_snap

dd

isoinfo -d -i /dev/cdrom | grep -i -E 'block size|volume size' 
dd if=/dev/cdrom of=test.iso bs=<block size from above> count=<volume size from above> status=progress

mount

mount with offset

# find the offset with testdisk: multiply the partition's start sector by the bytes per sector
mount -o loop,offset=1048576 /dev/sdb /mnt

mixxx

  • Theme: LateNight
  • Set Microphone Output to default Pulseaudio
./sync.sh
./generate_playlist.sh
env QT_QPA_PLATFORM=xcb mixxx

samba

/etc/samba/smb.conf
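; Minimal standalone server exposing one anonymous, read-only share.
[global]
workgroup = WORKGROUP
server role = standalone server
security = user
; "Bad User" maps only logins with an *unknown* username to the guest account.
; "Bad Password" would also map any existing user who mistypes their password
; to guest, silently hiding the failed authentication instead of reporting it.
map to guest = Bad User

; Anonymous (guest ok) read-only view of /mnt; no credentials required.
[public]
path = /mnt
writeable = no
browsable = yes
guest ok = yes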
systemctl restart smb nmb

avahi

discover local services

avahi-browse --all --ignore-local --resolve --terminate

curlftpfs

curlftpfs ftp.example.com /mnt/ftp/ -o user=username:password,allow_other