

onny:onny_notizen

System setup

# fde1: http://www.brunoparmentier.be/blog/how-to-install-arch-linux-on-an-encrypted-btrfs-partition.html
# fde2: http://danynativel.com/blog/2013/02/10/archlinux-installation-guide-on-encrypted-ssd/
# https://bbs.archlinux.org/viewtopic.php?pid=1187153#p1187153
# Fresh Arch install onto a LUKS-encrypted btrfs root (see the fde links above).
# Runs from the live ISO as root; everything from arch-chroot onwards executes
# inside the new system.
gdisk /dev/sda
# LUKS container on the root partition; /dev/sda1 stays unencrypted as /boot.
# NOTE(review): no --type is given, so the container format is whatever this
# cryptsetup release defaults to (LUKS1 on older versions) — check with
# `cryptsetup luksDump /dev/sda2`.
cryptsetup --cipher aes-xts-plain64 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
mkfs.btrfs /dev/mapper/root
wifi-menu
mount /dev/mapper/root /mnt
pacstrap /mnt base base-devel tmux mosh wipe rsync procps vim lsof strace htop net-tools pkgfile dnsutils iotop aria2 tcpdump nload btrfs-progs ntp wget acpid alsa-utils cups curl eog evince ffmpeg firefox gedit gimp git gksu gst-libav gst-plugins-bad gst-plugins-base gst-plugins-good gst-plugins-ugly gstreamer gstreamer0.10 gstreamer0.10-bad gstreamer0.10-base gstreamer0.10-bad-plugins gstreamer0.10-base-plugins gstreamer0.10-ffmpeg gstreamer0.10-good gstreamer0.10-good-plugins gstreamer0.10-ugly gstreamer0.10-ugly-plugins vinagre guayadeque gvfs-mtp gvfs-smb jre8-openjdk-headless keepassxc nautilus openvpn gparted pidgin plowshare youtube-dl pulseaudio qt5-wayland samba sigil virt-manager wireshark-gtk unbound unrar unzip valgrind vlc wine-mono winetricks xorg-server-xwayland sshfs efibootmgr ttf-dejavu mpv acpi pm-utils ntfs-3g pavucontrol gnome-disk-utility bluez-utils conky pwgen libreoffice-fresh linux-headers minicom android-udev ansible mlocate terminus-font fail2ban pulseaudio-bluetooth udisks sway pv otf-ipafont xdg-utils devtools atom qpdfview termite brightnessctl fd nextcloud-client py3status arch-audit grim fragments fish swaylock slurp pdfarranger nftables grc time
# udev rule for Android devices (adb/mtp), shipped by android-udev.
ln -s /usr/lib/udev/rules.d/51-android.rules /etc/udev/rules.d
# NOTE(review): /boot is mounted only on the next line, so the generated fstab
# cannot contain it; the fstab shown under "core" appears to have been
# completed by hand.
genfstab -p /mnt >> /mnt/etc/fstab
mount /dev/sda1 /mnt/boot
arch-chroot /mnt
# We are root inside the chroot: this changes root's login shell to fish.
chsh -s $(which fish)
# NOTE(review): recent OpenSSH ships "#PermitRootLogin prohibit-password", not
# "#PermitRootLogin yes", so this pattern may match nothing; verify the effective
# value with `sshd -T | grep -i permitrootlogin` after the change.
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
# NOTE(review): sed's default (basic) regex has no "?" quantifier — "#?" matches
# a literal "#?" — so the commented "#SystemMaxUse=" line is left untouched;
# `sed -E` (or "\?") is needed for the intended optional "#".
sed -i 's/^#?SystemMaxUse=.*$/SystemMaxUse=200M/g' /etc/systemd/journald.conf
sed -i 's/^#Color/Color/g' /etc/pacman.conf
mkdir /etc/pacman.d/hooks
ln -s /usr/share/libalpm/hooks/30-systemd-daemon-reload.hook /etc/pacman.d/hooks/
echo "http-pub2" >> /etc/hostname
timedatectl set-timezone Europe/Berlin
sed -i 's/#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
echo "KEYMAP=de" > /etc/vconsole.conf
# NOTE(review): for the cryptdevice= parameter (grub section) to unlock the
# root container, the HOOKS line in /etc/mkinitcpio.conf needs "encrypt" before
# "filesystems"; that edit is not shown on this page. Also note systemd-boot is
# installed below (bootctl) while a GRUB cmdline is shown under "grub" — one of
# the two is presumably stale.
mkinitcpio -p linux
bootctl install
passwd
useradd -m onny -s /usr/bin/fish
passwd onny
# NOTE(review): Arch's sudoers template uses the "wheel" group; a "sudo" group
# does not exist by default, in which case this usermod fails. Check with
# `getent group sudo`.
usermod -a -G sudo onny
# Supply-chain note: the aurutils snapshot is fetched over HTTPS but nothing
# verifies it, and --skipinteg below also turns off makepkg's own checksum and
# PGP verification of the sources. Importing the maintainer key (the aur user
# imports one in the pacman section) and dropping --skipinteg keeps that check.
sudo -u onny curl "https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz" | tar xz -C /tmp/
chown -R onny:onny /tmp/aurutils /home/onny
cd /tmp/aurutils
sudo -u onny makepkg -si --skipinteg
cd /home/onny
# NOTE(review): the "aur" build user and its sudoers rules are created in the
# pacman section further down; this line presumably belongs after that setup.
sudo -u aur aur sync -c brave-bin aurutils brightnessctl caddy depot-tools-git downgrade etcher flacgain signal ocenaudio-bin smloadr soulseekqt ttf-font-awesome-4 wcalc whatsapp-web-desktop anbox-git krop peerflix zeronet id3ted redshift-wlr-gamma-control-git split2flac rgain foo2zjs-nightly tor-browser-en venom pkgbuild-introspection foliate networkmanager-iwd rofi-wifi-menu-git wl-clipboard-git
updatedb
timedatectl set-ntp true
mkdir -p /etc/systemd/system/getty@tty1.service.d
# Hand DNS to systemd-resolved's stub listener.
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
# NOTE(review): NetworkManager and iwd are enabled here, and the networkd units
# under "systemd-networkd" are enabled as well; two managers on the same
# interfaces fight over addresses — confirm which one owns eno1/wlan0.
systemctl enable --now NetworkManager nftables fail2ban iwd
exit
reboot
# gpasswd -a onny lock
# gpasswd -a onny uucp
gpasswd -a onny adbusers # mtp support
gpasswd -a onny storage # polkit-rule mount hdds

core

/etc/fstab
# Static information about the filesystems.
# See fstab(5) for details.
/dev/mapper/root    	/         	btrfs     	rw,relatime,ssd,space_cache,subvolid=5,subvol=/	0 0
UUID=4a8c7d1d-5839-429b-9c85-3cb6046c8b21           	/boot     	ext2      	rw,relatime,stripe=4	0 2


# <file system> <dir> <type> <options> <dump> <pass>

grub

/etc/default/grub
[...]
GRUB_CMDLINE_LINUX="cryptdevice=UUID=17987958-47c1-4566-b56b-83e527d4929b:root:allow-discards"
[...]

systemd-networkd

/etc/systemd/network/wg0.netdev
[NetDev]
Name = wg0
Kind = wireguard
Description = Wireguard

[WireGuard]
# NOTE(review): an inline key is only as protected as this file's mode;
# networkd also accepts PrivateKeyFile= pointing at a root:systemd-network 0640
# file, which keeps the secret out of the .netdev itself.
PrivateKey = ****

[WireGuardPeer]
PublicKey = ****
AllowedIPs = 10.25.0.0/16
# NOTE(review): Endpoint= is a single-value setting; with two assignments the
# later (IPv4) one presumably wins and the IPv6 one is never used. An IPv6
# endpoint also needs brackets ("[addr]:port"); as written the trailing ":51820"
# cannot be told apart from the address. Confirm with `wg show`.
Endpoint = 2a01:4f8:191:327::2:51820
Endpoint = 144.76.16.40:51820
PersistentKeepalive = 25
/etc/systemd/network/wg0.network
[Match]
Name = wg0

[Network]
Address = 10.25.40.2/16
DNS=10.25.0.1
DNSSEC=false

[Link]
MTUBytes=1500
/etc/systemd/network/eno1.network
[Match]
Name = eno1

[Network]
DHCP=yes
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/wlan0.network
[Match]
Name = wlan0

[Network]
DHCP=yes
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/wlp3s0.network
[Match]
Name = wlp3s0

[Network]
DHCP=yes
DNS=10.25.0.1
DNSSEC=false
/etc/systemd/network/10-tornet.netdev
[NetDev]
Name=tornet
Kind=bridge
/etc/systemd/network/10-tornet.network
[Match]
Name=tornet

[Network]
Address=10.100.100.1/24
ConfigureWithoutCarrier=true
systemctl enable --now systemd-networkd systemd-resolved

nftables

/etc/nftables.conf
# Host firewall: default-deny on input and forward, everything outbound allowed.
# tcp_accepted / udp_accepted hold the externally reachable service ports; both
# are declared empty here, so until elements are added only loopback, ICMP and
# the tornet redirect ports get in (see "nftables" under "networking" for
# `nft add` usage).
table inet filter {
	set tcp_accepted {
		type inet_service
		flags interval
	}

	set udp_accepted {
		type inet_service
		flags interval
	}

	# Shared conntrack handling: replies to our own connections pass, malformed
	# state is dropped before any per-chain rule is evaluated.
	chain base_checks {
		ct state { established, related } accept
		ct state invalid drop
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump base_checks
		iifname "lo" accept
		ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
		ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		tcp dport @tcp_accepted accept
		udp dport @udp_accepted accept
		# Local listeners the ip nat table below redirects tornet traffic to.
		iifname "tornet" tcp dport 9040 accept # tornet routing
		iifname "tornet" udp dport 5353 accept # tornet routing
		# Explicit reject (ICMP error / TCP RST), so the drop policy is never
		# reached; unlike a silent drop this tells peers the host is up.
		reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		jump base_checks
		# NOTE(review): the ip nat prerouting rules below already redirect tornet
		# TCP and UDP/53 to localhost, so these two rules only see what escaped
		# the DNAT. The UDP rule has no "ip"/"ip6" qualifier and therefore also
		# matches IPv6 DNS from tornet — confirm tornet carries no IPv6, or add
		# "ip" to it so nothing leaves wlan0 unproxied.
		iifname "tornet" oifname "wlan0" ip protocol tcp accept # tornet routing
		iifname "tornet" oifname "wlan0" udp dport 53 accept # tornet routing
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}
# nat tables for tornet network interface
# Transparent-proxy setup: everything TCP and DNS from the tornet bridge is
# redirected to local listeners (9040 / 5353); the source NAT only applies to
# the bridge's own subnet leaving via wlan0. IPv4 only — there is no ip6 nat.
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# NOTE(review): DNAT to 127.0.0.1 from a non-loopback interface needs
		# net.ipv4.conf.tornet.route_localnet=1, otherwise the kernel discards
		# the packets as martians — confirm that sysctl is set.
		iifname "tornet" udp dport 53 dnat to 127.0.0.1:5353
		iifname "tornet" ip protocol tcp dnat to 127.0.0.1:9040
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "wlan0" ip saddr 10.100.100.0/24 masquerade
	}
}

pacman

/etc/pacman.conf
[...]
Include = /etc/pacman.d/aur
/etc/pacman.d/aur
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur
/etc/sudoers
[...]
aur ALL = NOPASSWD: SETENV: /usr/bin/makechrootpkg
aur ALL = NOPASSWD: /usr/bin/arch-nspawn
[...]
sudo useradd -m aur
sudo install -d /var/cache/pacman/aur -o aur
sudo repo-add /var/cache/pacman/aur/aur.db.tar
sudo chown -R aur:aur /var/cache/pacman/aur
sudo -u aur gpg --recv-keys 6BC26A17B9B7018A
/etc/systemd/system/aurupdate.service
[Unit]
 Description=Automatic update AUR repository.
# NOTE(review): After= only orders against the target; without a matching
# Wants=network-online.target the target is not necessarily activated and the
# ordering has no effect.
 After=network-online.target 

[Service]
 Type=simple
 User=aur
# Supply-chain note: --no-view skips aurutils' PKGBUILD diff review, so every
# AUR update is fetched, built and added to the local repo unattended. Combined
# with "SigLevel = Optional TrustAll" on that repo, a malicious AUR update would
# be installed without any human check. Keeping the view step, or limiting which
# packages this timer may rebuild, restores a review point.
 ExecStart=/usr/bin/aur sync --no-view -cu
 TimeoutStopSec=180
 KillMode=process
 KillSignal=SIGINT

[Install]
 WantedBy=multi-user.target
/etc/systemd/system/aurupdate.timer
[Unit]
 Description=Automatic update AUR repository when booted up after 5 minutes then check for updates every 60 minutes.

[Timer]
 OnBootSec=5min
 OnUnitActiveSec=60min
 Unit=aurupdate.service

[Install]
 WantedBy=multi-user.target
systemctl enable --now aurupdate.timer

archlinux auto update

/etc/systemd/system/autoupdate.service
[Unit]
 Description=Automatic Update
 After=network-online.target 

[Service]
 Type=simple
 ExecStart=/usr/bin/pacman -Syuq --noconfirm --needed --noprogressbar 
 TimeoutStopSec=180
 KillMode=process
 KillSignal=SIGINT

[Install]
 WantedBy=multi-user.target
/etc/systemd/system/autoupdate.timer
[Unit]
 Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes

[Timer]
 OnBootSec=5min
 OnUnitActiveSec=60min
 Unit=autoupdate.service

[Install]
 WantedBy=multi-user.target
sudo systemctl enable autoupdate.timer

Nextcloud autosync

~/.config/systemd/user/nextcloud_autosync.service
[Unit]
 Description=Automatic Nextcloud file sync
 After=network-online.target 

[Service]
 Type=simple
 ExecStart=/usr/bin/nextcloudcmd -h -n --exclude /home/onny/.nextcloud/sync-exclude.lst /home/onny/. https://nextcloud.project-insanity.org/remote.php/webdav/ 
 TimeoutStopSec=180
 KillMode=process
 KillSignal=SIGINT

[Install]
 WantedBy=multi-user.target
~/.config/systemd/user/nextcloud_autosync.timer
[Unit]
 Description=Automatic sync files with Nextcloud when booted up after 5 minutes then rerun every 60 minutes

[Timer]
 OnBootSec=5min
 OnUnitActiveSec=60min
 Unit=nextcloud_autosync.service

[Install]
 WantedBy=multi-user.target
~/.netrc
default
login onny
password ****
~/.nextcloud/sync-exclude.lst
projects
.cache
.config
.local
.cargo
.nvm
.mozilla
.purple
.jd
.conan
.tor-browser-en
sudo systemctl enable --user --now nextcloud_autosync.timer

misc

hack to power on bluetooth after waking up from suspend:

/etc/systemd/system/root-resume.service
[Unit]
Description=Local system resume actions
After=suspend.target

[Service]
Type=simple
ExecStart=/usr/bin/btmgmt power on

[Install]
WantedBy=suspend.target
/etc/systemd/system/activate_bt.service
[Unit]
Description=Power on bluetooth on startup

[Service]
ExecStart=/usr/bin/btmgmt power on

[Install]
WantedBy=multi-user.target 
sudo systemctl enable root-resume activate_bt

firefox addons

 ublock origin, https everywhere, cookie auto delete

flatpak

repos

 flatpak remote-add --if-not-exists gnome https://sdk.gnome.org/gnome.flatpakrepo
 flatpak remote-add --if-not-exists tingping https://dl.tingping.se/flatpak/tingping.flatpakrepo
 flatpak remote-add --from gnome-apps https://sdk.gnome.org/gnome-apps.flatpakrepo

apps

 flatpak install --from http://download.documentfoundation.org/libreoffice/flatpak/latest/LibreOffice.flatpak
 flatpak install tingping io.github.TransmissionRemoteGtk
 flatpak install --from https://s3.amazonaws.com/alexlarsson/spotify-repo/spotify.flatpakref
 flatpak install gnome-apps org.gnome.gedit
 flatpak install gnome-apps org.gnome.evince
 flatpak install --from https://firefox-flatpak.mojefedora.cz/firefox-devedition.flatpakref

sway

~/.config/sway/startup.sh
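# Session startup for sway (run via `exec ~/.config/sway/startup.sh` in the
# sway config): mount the data partitions, then launch the background apps.
udisks --mount /dev/sda3
udisks --mount /dev/sda2
# NOTE: aliases defined here only exist inside this script's own shell; they
# are not visible in the terminals sway opens later. The original quoting
# ('grim -g ('slurp') ('date').png') collapsed into the literal text
# "grim -g (slurp) (date).png", which is not valid shell — fixed to use
# command substitution inside double quotes.
alias snipping_tool='grim -g "$(slurp)" "$(date).png"'
alias nmap="grc nmap"
redshift -m wayland &
firejail brave --ignore-gpu-blacklist &
dunst &
# Messaging apps run on the tor bridge network (see nftables "tornet" rules).
firejail --net=tornet whatsapp-web-desktop &
firejail --net=tornet signal-desktop &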
~/.config/sway/config
[...]
set $term termite
[...]
set $menu dmenu_run
[...]
#output * bg /usr/share/backgrounds/sway/Sway_Wallpaper_Blue_1920x1080.png fill
[...]
input "1:1:AT_Translated_Set_2_keyboard" {
    xkb_layout de
    xkb_variant ,nodeadkeys
    xkb_options grp:alt_shift_toggle
}
[...]
#
# Workspaces:
#
    workspace_auto_back_and_forth yes

# Fancy names for workspaces
set $w1 1: brave
set $w2 2: signal
set $w3 3: whatsapp
set $w4 4
set $w5 5
set $w6 6
set $w7 7
set $w8 8
set $w9 9
set $w10 10

    # switch to workspace
    bindsym $mod+1 workspace $w1
    bindsym $mod+2 workspace $w2
    bindsym $mod+3 workspace $w3
[...]
bar {
	status_command py3status
	font pango:Source Sans Pro, FontAwesome 8
	#tray_output primary
	strip_workspace_numbers yes
}

input "2:7:SynPS/2_Synaptics_TouchPad" {
	tap enabled
}

bindsym XF86AudioRaiseVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%
bindsym XF86AudioMute exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bar {
	status_command py3status
	font pango:Source Sans Pro, FontAwesome 8
	#tray_output primary
	strip_workspace_numbers yes
}

input "2:7:SynPS/2_Synaptics_TouchPad" {
	tap enabled
}

bindsym XF86AudioRaiseVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%
bindsym XF86AudioMute exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bar {
	status_command py3status
	font pango:Source Sans Pro, FontAwesome 8
	#tray_output primary
	strip_workspace_numbers yes
}

input "2:7:SynPS/2_Synaptics_TouchPad" {
	tap enabled
}

bindsym XF86AudioRaiseVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') +5%
bindsym XF86AudioLowerVolume exec pactl set-sink-volume $(pacmd list-sinks |awk '/* index:/{print $3}') -5%
bindsym XF86AudioMute exec pactl set-sink-mute $(pacmd list-sinks |awk '/* index:/{print $3}') toggle
bindsym XF86MonBrightnessDown exec brightnessctl set 5%-
bindsym XF86MonBrightnessUp exec brightnessctl set 5%+
bindsym XF86Sleep exec systemctl suspend
bindcode 244 exec swaylock -i /home/onny/pictures/lockbg.jpg --scaling fill
bindcode 156 exec ~/.config/sway/toggle-btaudio.sh

#
# Assign windows to workspaces
#

assign [class="brave-browser"]		 → $w1
assign [class="Signal"]		 → $w2
assign [class="whats-app"]	 → $w3


exec ~/.config/sway/startup.sh
[...]

dunst

.config/dunst/dunstrc
[global]
    font = lemon 10
    allow_markup = yes
    format = "%s\n%b"
    sort = yes
    indicate_hidden = yes
    alignment = left
    bounce_freq = 0
    show_age_threshold = 60
    word_wrap = yes
    ignore_newline = no
    geometry = "300x10-10+48"
    transparency = 20
    show_indicators = yes
    idle_threshold = 120
    monitor = 0
    follow = mouse
    sticky_history = yes
    line_height = 5
    separator_height = 0
    padding = 10
    horizontal_padding = 10
    separator_color = #bfbfbf
    startup_notification = false
    browser = /usr/bin/firefox -new-tab
    icon_position = left
    icon_folders = /usr/share/icons/Notifications

[frame]
    color = "#000000"
    width = 0

[shortcuts]
    close = ctrl+space
    close_all = ctrl+shift+space
    context = ctrl+shift+period
    history = ctrl+shift 

[urgency_low]
    background = "#ffffff"
    foreground = "#282828"
    timeout = 5

[urgency_normal]
    background = "#ffffff"
    foreground = "#282828"
    timeout = 5

[urgency_critical]
    background = "#ffffff"
    foreground = "#000000"
    timeout = 5

[ignore1]
  appname = pa-applet
  format = ""

[ignore2]
  summary = Volume down notification
  format = ""

[ignore3]
  summary = Volume up notification
  format = ""

[ignore4]
  summary = Volume muted notification
  format = ""

firejail

~/.config/firejail/brave.profile
# Firejail profile for brave
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/brave.local
# Persistent global definitions
include /etc/firejail/globals.local

# Let Brave's own profile directory through the common blacklists.
noblacklist ${HOME}/.config/BraveSoftware
# brave uses gpg for built-in password manager
# NOTE(review): this exposes the whole GnuPG home (private keys included) to
# the browser sandbox, not only what the password manager needs.
noblacklist ${HOME}/.gnupg

mkdir ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.config/BraveSoftware
whitelist ${HOME}/.gnupg

# noexec /tmp is included in chromium-common.profile and breaks Brave
ignore noexec /tmp

# Redirect
include /etc/firejail/chromium-common.profile
.config/firejail/signal.profile
# Firejail profile for signal-desktop
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/signal-desktop.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${HOME}/.config/Signal
# NOTE(review): together with "whitelist ${HOME}" below this hands the sandbox
# the entire home directory, which largely cancels the per-path whitelist
# above; presumably a workaround for a path Signal needed — worth narrowing
# to that path.
noblacklist ${HOME} # hack

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc

mkdir ${HOME}/.config/Signal
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/Signal
whitelist ${HOME} # hack
include /etc/firejail/whitelist-common.inc
include /etc/firejail/whitelist-var-common.inc

# Process-level hardening: no capabilities, no root, no privilege gain through
# setuid binaries, only the listed socket families.
caps.drop all
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6,netlink
# NOTE(review): seccomp and "shell none" are commented out, so the default
# syscall filter is off; the remaining isolation rests on caps.drop/noroot/
# nonewprivs and the filesystem rules above.
#seccomp
#shell none

disable-mnt
private-dev
#private-tmp

#noexec ${HOME}
~/.config/firejail/Whatsapp.profile
# NOTE(review): whitelisting all of ~/.config gives this sandbox the config and
# state of every other application (including the Signal data the profile
# above tries to confine); narrowing it to the app's own directory keeps the
# sandboxes separate.
noblacklist ~/.config
mkdir ~/.config
whitelist ~/.config
noblacklist /opt/Whatsapp
whitelist /opt/Whatsapp


include /etc/firejail/whitelist-common.inc
include /etc/firejail/default.profile
include /etc/firejail/electron.local 

brave

echo kernel.unprivileged_userns_clone = 1 | sudo tee /etc/sysctl.d/00-local-userns.conf

fish config

~/.config/fish/fish.config
# NOTE(review): this file uses bash syntax — `export VAR=value` and the
# `[[ ... ]] && exec ...` test on the last line. fish has no `[[`; its forms
# are `set -gx VAR value` and
# `test -z "$DISPLAY"; and test "$XDG_VTNR" -eq 1; and exec dbus-launch sway`.
# fish also reads ~/.config/fish/config.fish rather than fish.config — confirm
# which shell actually sources this file before relying on it.
export QT_QPA_PLATFORM=wayland-egl
export GDK_BACKEND='wayland,x11'
export CLUTTER_BACKEND=wayland
export XKB_DEFAULT_LAYOUT=de
export TERMINAL=urxvt
export EDITOR=vim
export BROWSER=firefox
export XDG_SESSION_TYPE=wayland
export XDG_DESKTOP_DIR="/home/onny"
export XDG_DOWNLOAD_DIR="$HOME/downloads"

export ELECTRON_TRASH=gio

# Autostart sway on the first VT when no display is running yet; only has an
# effect if this file is sourced by the login shell.
[[ -z $DISPLAY && $XDG_VTNR -eq 1 ]] && exec dbus-launch sway

snipping tool

/usr/bin/snipping_tool
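#!/bin/bash
# Region screenshot (default) or region screen recording (-v); the output is
# written to the XDG pictures directory with a timestamp.
set -euo pipefail

# Select the region first; slurp exits non-zero on cancel and set -e then stops
# the script before anything is written or copied.
region=$(slurp)
outdir=$(xdg-user-dir PICTURES)
stamp=$(date +'%Y-%m-%d-%H%M%S')

# "${1-}" keeps the comparison valid under set -u when no argument is given.
if [ "${1-}" = "-v" ]; then
  wf-recorder -g "$region" -f "$outdir/${stamp}_wf-recorder.mp4"
else
  # tee writes the file and feeds the clipboard in one pass, avoiding the
  # wl-copy && wl-paste round-trip that could pick up another client's data.
  grim -g "$region" - | tee "$outdir/${stamp}_grim.png" | wl-copy
fi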

ArchLinux

system

set extra capabilities for process

sudo setcap 'CAP_NET_BIND_SERVICE=+ep' /usr/bin/maddy

directory permissions

namei -l /mnt/external/audio

packaging

commands

update checksums inplace

updpkgsums

building a package in a clean dev chroot

cd <package-patch>
ls PKGBUILD
extra-x86_64-build # -c for cleaning up chroot. ~/chroot/root is a btrfs subvolume and has to be removed with btrfs!
extra-x86_64-build -- -I ~/packages/foobar/foobar-2-1-any.pkg.tar.xz

advanced chroot with own packages preinstalled

mkdir ~/chroot
export CHROOT=$HOME/chroot
mkarchroot $CHROOT/root base-devel
arch-nspawn $CHROOT/root pacman -Syu # updating it
makechrootpkg -r $CHROOT -I package-1.0-1-i686.pkg.tar.xz # -c for clean chroot 
# repackage: makechrootpkg -r /home/onny/chroot -- -R

cheap python virtualenv

mkdir path
ln -s /usr/bin/python2 path/python
export PATH="$srcdir/path:$PATH"

abs deprecated, using asp

asp export linux

PKGBUILD

Installation von Lizenzdateien:

install -D "LICENSE.txt" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"

Installation von Systemd-Units:

install -Dm644 "${srcdir}/btlive.service" "${pkgdir}/usr/lib/systemd/system/btlive.service"

Installation von Docs:

install -Dm644 README.md "$pkgdir/usr/share/doc/$pkgname/README.md"

Installation von Tmpfiles:

install -Dm644 "wallace/wallace.tmpfiles.d.conf" "${pkgdir}/usr/lib/tmpfiles.d/wallace.conf"

Installation von Libs:

install -m644 libdouble-conversion.so.0.0.0* "${pkgdir}/usr/lib/"

Installation von ausführbaren Dateien:

install -Dm755 shareLinkCreator "${pkgdir}/usr/bin/sharelinkcreator"

Nginx/Apache Template-Dateien:

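 # Only register the Apache snippet as a config file when Apache is present at
 # build time; `command -v` replaces the external `which` and works in plain sh.
 if command -v httpd >/dev/null 2>&1; then
   backup=('etc/httpd/conf/extra/owncloud.conf')
 fi
 #######################################
 # Install the Apache .conf file, but only if Apache is installed on the
 # build host. Reads $srcdir and $pkgdir (set by makepkg).
 #######################################
 package(){
   # install apache .conf file if apache is installed
   if command -v httpd >/dev/null 2>&1; then
     # Quote both paths: $pkgdir and $srcdir may contain spaces.
     install -d -- "$pkgdir/etc/httpd/conf/extra"
     install -m 644 -- "$srcdir/owncloud.conf" "$pkgdir/etc/httpd/conf/extra/"
   fi
 }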

Zielname der Quelldatei ändern:

source=("$pkgname-$pkgver.tar.gz::https://gitlab.com/gitlab-org/gitlab-ce/repository/archive?ref=v${pkgver}")

Architekturabhängige Build-Anweisung

 #######################################
 # Build the hashcat binary matching the target architecture, then the
 # NVIDIA kernels. Globals: srcdir, CARCH (both set by makepkg).
 #######################################
 build() {
   cd "${srcdir}/oclHashcat"
   local target
   case "$CARCH" in
     x86_64) target=cudaHashcat64.bin ;;
     *)      target=cudaHashcat32.bin ;;
   esac
   make "$target"
   make nv_all
 }

pkgver git

 #######################################
 # pkgver() for a git source: turns `git describe --long` output such as
 # "v1.2-5-gabcdef" (constructed example) into "v1.2.r5.gabcdef" — the first
 # sed expression prefixes the "<n>-g" commit-count part with "r", the second
 # replaces every remaining dash with a dot (makepkg does not allow dashes in
 # pkgver). "mail" is presumably the cloned repository directory under $srcdir.
 #######################################
 pkgver() {
   cd "mail"
   git describe --long | sed 's/\([^-]*-g\)/r\1/;s/-/./g'
 }

Common install file example

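#######################################
# pacman .install hooks, run as root by pacman.
# post_install: create the state directory and the "lool" service account,
#   then hand the cache and child-roots directories to it.
#######################################
post_install() {
  # -p: a re-install must not fail because the directory already exists.
  mkdir -p /var/lib/zabbix
  getent group lool > /dev/null || groupadd -r lool > /dev/null
  # Service account: system uid (-r), primary group lool, no login shell —
  # the original plain `useradd lool` created a regular user with a shell.
  getent passwd lool > /dev/null || useradd -r -g lool -s /usr/bin/nologin lool > /dev/null
  chown -R lool:lool /var/cache/loolwsd \
                     /opt/lool/child-roots
}

#######################################
# post_remove: drop the service account again. -r removes its home directory
# if one exists, -f forces removal even if the user is still logged in. The
# group is only removed when it still exists (userdel may already have
# dropped it), so the hook does not end on a spurious error.
#######################################
post_remove() {
   userdel -rf lool
   if getent group lool > /dev/null; then
     groupdel lool
   fi
}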

in pkgbuild reference

install="libreoffice-online-bin.install"

aurutils

install packages into build container

sudo arch-chroot /var/lib/aurbuild/x86_64/root pacman -S git

add gpg key into build container

sudo -u aur gpg --recv-keys EB774491D9FF06E2

rebuild prebuild package and add to custom AUR repo

fakepkg webkitgtk2
sudo -u aur repo-add /var/cache/pacman/aur/aur.db.tar /tmp/webkitgtk2-3:2.4.11-16-x86_64.pkg.tar.xz
cp /tmp/webkitgtk2-3:2.4.11-16-x86_64.pkg.tar.xz /var/cache/pacman/aur

bluetooth

Example session bluetoothctl

# bluetoothctl 
[bluetooth]# default-agent 
[bluetooth]# scan on
[bluetooth]# pair 00:12:34:56:78:90
[bluetooth]# connect 00:12:34:56:78:90

useful stuff

pipe stderr to stdout

command 2>&1 >/dev/null | grep 'something'

pipe stderr and stdout both to a file

command &> error_log

locate pacnew files

find /etc -regextype posix-extended -regex ".+\.pac(new|save)" 2> /dev/null

or search entire disk

find / -regextype posix-extended -regex ".+\.pac(new|save)" 2> /dev/null

swapfile on btrfs

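# Swap file on btrfs, exposed through a loop device (the approach these notes
# use instead of swapon on the file itself).
swapfile=$(losetup -f)   # first free loop device
truncate -s 8G /swap     # create 8G sparse swap file
# Swap can contain anything that was in memory (keys, passwords), so make the
# backing file root-only before any data lands in it; mkswap warns otherwise.
chmod 0600 /swap
losetup "$swapfile" /swap  # attach the file to the loop device
mkswap "$swapfile"
swapon "$swapfile"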

search library availability in system, print file paths

ldconfig -p | grep blas 

android

Installed apps

TinyScanner

systemd nspawn (container)

pacman -S arch-install-scripts
btrfs subvol create /var/lib/container/archlinux-base
mkdir /etc/systemd/nspawn
pacstrap /var/lib/container/archlinux-base base base-devel
systemctl enable --now systemd-networkd systemd-resolved
systemd-nspawn -nD /var/lib/machines/archlinux-nextcloudcli --template=/var/lib/container/archlinux-base
systemctl start systemd-nspawnd@archlinux-nextcloudcli
machinectl shell root@archlinux-nextcloudcli /bin/bash -c "systemctl enable --now systemd-networkd systemd-resolved" 

kernel

grep kernel config running system

zcat /proc/config.gz | grep VDSO

fish

unset history

set -x fish_histfile ""

bash

lzma hado compression and extraction

tar -c --lzma -f my_archive.tar.lzma /some_directory
tar -x --lzma -f my_archive.tar.lzma

run script verbose

sh -x scripname.sh

cheap python virtualenv

mkdir path
ln -s /usr/bin/python2 path/python
export PATH="$srcdir/path:$PATH"

get process runtime by pid, where pid is 1234 in this example

ps -o etime= -p "1234" 

write command output to file and to stdout (python -u for unbuffered output)

python3 -u sperrmuell.py 2>&1 | tee sperrmuell_ka.csv

recursively rename string

find . -type f -print0 | xargs -0 sed -i 's/twentytwelve/projectinsanity/g'

overwrite LD_LIBRARY_PATH

LD_LIBRARY_PATH="/home/onny/projects/onlyoffice-documentserver/src/DocumentServer-ONLYOFFICE-DocumentServer-5.2.7/core/build/lib/linux_64/:$LD_LIBRARY_PATH" ./AllFontsGen

compare command line argument to string

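#!/bin/bash
# Region screenshot (default) or region screen recording (-v); the output is
# written to the XDG pictures directory with a timestamp.
set -euo pipefail

# Select the region first; slurp exits non-zero on cancel and set -e then stops
# the script before anything is written or copied.
region=$(slurp)
outdir=$(xdg-user-dir PICTURES)
stamp=$(date +'%Y-%m-%d-%H%M%S')

# Compare the first argument to a literal; "${1-}" keeps the test valid under
# set -u when the script is called without arguments.
if [ "${1-}" = "-v" ]; then
  wf-recorder -g "$region" -f "$outdir/${stamp}_wf-recorder.mp4"
else
  # tee writes the file and feeds the clipboard in one pass, avoiding the
  # wl-copy && wl-paste round-trip that could pick up another client's data.
  grim -g "$region" - | tee "$outdir/${stamp}_grim.png" | wl-copy
fi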

sed

Mit sed inplace eine Zeile zu einer Datei hinzufügen:

sed -i '9i#include <algorithm>' liboffsetfinder64/vmem.cpp

Comment out specific line matching a string

sudo sed -e '/pam_securetty.so/ s/^#*/#/' -i delugecontainer/etc/pam.d/login

comment out multiple lines / range

sed -i "28,33 s/# *//" autogen.sh

regex parse value of xml tags

sed -n 's/.*<id>\(.*\)<\/id>.*/\1/p' myfile.txt

delete multiple lines

sed -i '2,3d;5d;8d' file

curl

post data

curl --data "UserId=eb8c2ec5352843d3a16ca11c26d3551c&Name=lolorollo&api_key=a5dc4e***9c9e0a***3" "https://turbotux.de/Playlists?UserId=eb8c2ec5352843d3a16ca11c26d3551c&Name=lolorollo&api_key=a5***d***9e0***3"

download and extract archive

curl http://wordpress.org/latest.tar.gz | tar xvz

tcpdump

specific ports

tcpdump -i eth0 -q '(tcp port 80) or (tcp port 443)' -A

exclude specific host

tcpdump -i eth0 -q '(ip or ip6) and (tcp port 80) or (tcp port 443) and not host ifconfig.co' -A

patching

applying

diff -u original.c new.c > original.patch
patch < original.patch
# patch -p0 < original.patch
# patch -p1 -i packaging-fix.patch

creating patch

git commit -am "meine änderungen"
git format-patch "HEAD^"

rsync

custom ssh port

rsync -rvz -e 'ssh -p 2222' --progress --remove-sent-files ./dir user@host:/path

openssh

SSH public key deployen

ssh-copy-id alarm@10.0.0.2

local port forwarding to remote

ssh -R 0.0.0.0:8096:localhost:8096 onny@example.com
/etc/ssh/sshd_config
[...]
GatewayPorts yes
[...]

networking

netcat

netcat -l 4444
netcat playground.pi 4444

nftables

nft list ruleset
nft flush ruleset
nft -f ruleset.nft

display handles, insert rule at position

nft -a list ruleset
nft add rule inet filter input position 17 tcp dport "{http, https}" accept
nft delete rule inet filter input handle 23

sysctl

disable ipv6

sysctl net.ipv6.conf.all.disable_ipv6=1
sysctl net.ipv6.conf.default.disable_ipv6=1
sysctl net.ipv6.conf.lo.disable_ipv6=1

iptables

connection sharing. Iptables-Fu (internet0 ist das Interface, das mit dem Internet verbunden ist):

sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i net0 -o internet0 -j ACCEPT

picloud network sharing & port forwarding openwrt

sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i net0 -o wlan0 -j ACCEPT
iptables -I FORWARD -o br-lan -d 192.168.1.2 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 8096 -j DNAT --to 192.168.1.2:8096
iptables -t nat -A OUTPUT -p tcp --dport 8096 -j DNAT --to 192.168.1.2:8096
iptables -t nat -I PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22
iptables -t nat -A OUTPUT -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22


ip

route command example

ip route add 192.168.1.0/24 dev eth0
ip route add default via 192.168.1.1

flush addresses

ip addr flush dev enp8s0

remove interface

ip link delete br0

dnsmasq

minimal hostapd and dnsmasq config

/etc/dnsmasq/dnsmasq.conf
interface=wlan0
listen-address=172.24.1.1
bind-interfaces
server=8.8.8.8 
#port=0 # disable dns
domain-needed
bogus-priv
dhcp-range=172.24.1.50,172.24.1.150,12h
/etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=MyAP
hw_mode=g
channel=11
# NOTE(review): wpa=1 enables only the original WPA, and wpa_pairwise lists the
# deprecated TKIP cipher first; WPA2 (wpa=2) with wpa_pairwise=CCMP is what
# current clients expect. wpa_passphrase below is a placeholder.
wpa=1
wpa_passphrase=MyPasswordHere
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_ptk_rekey=600

ifupd

/etc/ifplugd/ifplugd.action
#!/bin/sh
# ifplugd action hook, invoked as "<script> <ifname> <action>" whenever the
# link state of a watched interface changes. Only the enp0s10 link-up event
# does anything (networkd is restarted); every other event is ignored.
ifname="$1"
action="$2"

if [ "$ifname" = "enp0s10" ]; then
	case "$action" in
	up)
		systemctl restart systemd-networkd
		;;
	down)
		;;
	esac
fi
/etc/ifplugd/ifplugd.conf
INTERFACES="enp0s10"
ARGS="-fwI -u0 -d10"
systemctl restart ifupd@enp0s25
systemctl enable ifupd@enp0s25

document manipulation

pdf document manipulation

compression

gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -dNOPAUSE -dQUIET -dBATCH -sOutputFile=output.pdf input.pdf

equalize output size and compress, where /printer = 300dpi

gs -sDEVICE=pdfwrite -dPDFSETTINGS=/printer -dNOPAUSE -dQUIET -dBATCH -sPAPERSIZE=a4 -dFIXEDMEDIA -dPDFFitPage -sOutputFile=output.pdf input.pdf

lossless merge

pdfunite in-1.pdf in-2.pdf in-n.pdf out.pdf

extract page range

pdftk campus_italia.pdf cat 1-280 output campus_italia_a1a2.pdf

insert into pdf

pdftk A=bigpdf.pdf B=insert.pdf cat A1-180 B A181-end output output.pdf

video compression

Constant quality AV1. The CRF value can be from 0–63. Lower values mean better quality.

ffmpeg -i input.mp4 -c:v libaom-av1 -crf 30 -strict experimental av1_test.mp4

batch convert images

for i in *.png ; do gm convert "$i" "${i%.*}.jpg" ; done

lossless mp3 merge

ffmpeg -f concat -i <(printf "file '%s'\n" ./*.mp3) -c copy output.mp3

lossless audio extraction

ffmpeg -i videofile.mp4 -vn -acodec copy audiofile.mp3

extract from mkv

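# Extract the audio track of ${base}.mkv to ${base}.ac3. mkvextract copies the
# stream verbatim, so the .ac3 extension only fits if the track really is AC-3.
: "${base:?set base to the file name without .mkv}"
# Position of the first "audio" entry among mkvinfo's "Track type" lines;
# mkvextract numbers tracks from 0, hence the -1. head keeps a single value
# when the file has several audio tracks (the original bc pipeline produced
# one number per track and broke the mkvextract argument).
n=$(mkvinfo "${base}.mkv" | grep "Track type" | grep -n "audio" | cut -d":" -f1 | head -n 1)
audTrack=$(( n - 1 ))
mkvextract tracks "${base}.mkv" "${audTrack}:${base}.ac3"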

pentesting

subbrute

check for subdomains

torify subbrute leel.de

wfuzz

torify wfuzz -c --hc 404 -w /opt/wfuzz/wordlist/general/megabeast.txt http://www.leeel.de/FUZZ
torify wfuzz -c --hc 404,403 -w /opt/wfuzz/wordlist/general/admin-panels.txt -w /opt/wfuzz/wordlist/general/extensions_common.txt http://www.leeel.de/FUZZFUZ2Z

Preparing data for LFI scan

cat /var/cache/pkgfile/* | grep -a ".*/.*\.conf$" | sort | uniq > lfi

exploit kits

chromium / chrome

disable gpu blacklist, enable nouveau hardware acceleration

chromium --ignore-gpu-blacklist

docker

Short example

 sudo systemctl start docker
 gpasswd -u onny docker
 docker run -d -p 80:80 rootlogin/nextcloud
 docker run -v /home/onny/projects/nextcloud-app-radio:/opt/nextcloud/apps/radio -d --name nextcloud -p 80:80 rootlogin/nextcloud

Debugging it

 docker run -i -t e326cbb922aa /bin/bash # exec shell of image
 docker exec -i -t e326cbb922aa /bin/bash # exec new shell running container 

Pull from repository

 docker pull eugeneware/docker-wordpress-nginx
 docker run -p 80:80 -d docker-wordpress-nginx
 docker ps
 docker commit e5a70884ac44 eugeneware/docker-wordpress-nginx:aenderungen1
 # docker stop / run
 docker run -t -i -v /home/onny/projects/web-whackspace:/usr/share/nginx/www/wp-content/themes/whackspace -p 80:80 -d e326cbb922aa
 docker run -i -t e326cbb922aa /bin/bash

Pull specific tagged image

docker pull rootlogin/nextcloud:develop

Build from Dockerfile

 cd  ~/projects/docker-invoiceplane-nginx
 sudo docker build -t="docker-invoiceplane-nginx" .
 sudo docker run -p 80:80 -d docker-invoiceplane-nginx

Build from URL

docker build -t nextcloud-testing github.com/onny/docker-nextcloud

Delete image

docker rmi <image name / id>

Export and load image

docker save myimage > myimage.tar
docker load < myimage.tar

Remove all images and containers

docker system prune -a

wordpress docker image

docker-compose.yml
version: '3'
 
services:
   db:
     image: mysql:5.7
     volumes:
       - db_data:/var/lib/mysql
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress
 
   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     volumes:
       - .:/var/www/html/wp-content/themes/ausstellung-virtuell        
     ports:
       - "8000:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
volumes:
    db_data:

Note the mount instruction in the volumes section, providing the local theme to the wordpress container.

docker-compose up -d

Visit http://127.0.0.1:8000

eigenes system setup

signatures

gpg --keyserver pool.sks-keyservers.net --recv-keys 0x4E2C6E8793298290 # tor-browser-en aur packet

ansible

Run single command

ansible playground.pi -i hosts -m shell -a "whoami"

Limit playbook to specific host from group

ansible-playbook -i hosts archlinux-syssetup.yml -l playground.pi --ask-become-pass

Running single ansible role

picloud.yml
  roles:
     - { role: nsupdate, tags: nsupdate }
 ansible-playbook -i hosts --ask-become-pass picloud.yml --tags 'nsupdate'

Directly define server without inventory file

ansible-playbook -i "192.168.1.23," wgnas.yml --ask-become-pass

Skip specific role by tag

ansible-playbook --inventory-file=.vagrant/provisioners/ansible/inventory -v picloud.yml --skip-tags mount

playbook

Include distribution specific vars, e.g. vars/Archlinux.yml or vars/Debian.yml

tasks/main.yml
- name: Include OS-specific variables.
  include_vars: "{{ ansible_os_family }}.yml"

use encrypted vars with vault

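# Read the secret from stdin instead of passing it as an argument, so it
# stays out of the shell history and of `ps` output. --stdin-name also
# prints the result as "mysecret: !vault |", ready to paste into vars/auth.yml.
ansible-vault encrypt_string --vault-password-file ~/.ansible_vault_pw --stdin-name mysecret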
vars/auth.yml
notsecret: myvalue
mysecret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386439653236336462626566653063336164663966303231363934653561363964363833313662
          6431626536303530376336343832656537303632313433360a626438346336353331386135323734
          62656361653630373231613662633962316233633936396165386439616533353965373339616234
          3430613539666330390a313736323265656432366236633330313963326365653937323833366536
          34623731376664623134383463316265643436343438623266623965636363326136
other_plain_text: othervalue
ansible-playbook -i hosts -v piradio.yml --ask-become-pass --vault-password-file ~/.ansible_vault_pw

conditions

- name: Enable ufw service
  service:
    name: ufw
    enabled: yes
  when: ufw_state == "enabled"

podcasts

kolhacampus archiv

sendung genre url
PLUG-IN drum&base http://www.icast.co.il/Rss.aspx?ID=515483
https://onny.project-insanity.org/laboumdeluxe/feed.xml # FM4 La Boum de Luxe, Music EDM Techno Radio
https://onny.project-insanity.org/bounce/feed.xml # SRF Virus Bounce, Music Hip Hop Radio

atom editor

plugins

    • Usage CTRL-SHIFT-H
    • Right click on color value (html/css)
  • teletype (collaboration for atom)
  • run script: strg+b
  • atom-beautify
    • Run command palette: Ctrl+Shift+P
    • Type Beautify and run Beautify Editor
  • preview markdown
    • Ctrl+Shift+m

firejail

Running app without networking

firejail --net=none vlc

Running app in private mode (fresh home folder)

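# --private runs firefox inside the sandbox with a fresh, empty home directory
firejail --private firefox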

Persistent user specific configuration

cat ~/.config/firejail/vlc.profile
include /etc/firejail/vlc.profile
net none

nextcloud

Sync only a specific folder with nextcloud

nextcloudcmd pictures https://nextcloud.project-insanity.org/remote.php/webdav/pictures

development

gcc

-Werror=implicit-fallthrough=
-Wno-implicit-fallthrough

git

show remote origin

git remote show origin

change remote origin

git remote set-url origin gitlab@http-new.pi:onny/web-wikidict.git

tagging

git tag -a v0.1 -m 'whackspace wordpress theme init'

merge commits from a remote repository

git fetch https://github.com/rfc2822/davdroid.git master
git branch -r
git merge FETCH_HEAD
"force pull", overwrite local changes
git fetch --all
git reset --hard origin/master
git branch
git branch firefox45
git checkout firefox45

new branch

git branch iss53
git checkout iss53

git show all tags

git log --no-walk --tags --pretty="%h %d %s"

delete the last commit (--hard also discards its changes from the working tree)

git reset --hard HEAD~1

remove sensitive files from repo

# Rewrite every ref so the file never existed in any commit.
# NOTE(review): this only rewrites this clone and the refs pushed below;
# other clones, forks and the remote's reflog may still hold the old
# commits, so a leaked secret has to be rotated regardless of the rewrite.
# git itself now points to git-filter-repo as the maintained replacement
# for filter-branch.
git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch PATH-TO-YOUR-FILE-WITH-SENSITIVE-DATA' \
--prune-empty --tag-name-filter cat -- --all
# Rewritten history has to be force-pushed, branches and tags alike.
git push origin --force --all
git push origin --force --tags

rebase upstream

git clone git@github.com:croaky/dotfiles.git
cd dotfiles
git remote add upstream git@github.com:thoughtbot/dotfiles.git
git fetch upstream
git rebase upstream/master

yum

yum install rpm-build
rpmbuild --rebuild aiccu-2007.01.15-7.el6.src.rpm
cd /root/rpmbuild/RPMS/x86_64
rpm -i aiccu-2007.01.15-7.el7.centos.x86_64.rpm

tmux

Copy the whole scrollback buffer into a file. Press “Prefix + :” and enter the commands below:

capture-pane -S -3000
save-buffer filename.txt

wine

installing msi

wine msiexec /i xyz.msi

scanning

wireshark: filter only http traffic

http

arp-scan

arp-scan --interface=wlp3s0 --localnet

nmap: use an NSE script

nmap -p 80 192.168.188.0/24 -n --open --script /usr/share/nmap/scripts/http-title.nse

debian

which package provides file XY

apt-file update
apt-file search netstat

extract deb package

ar x *.deb

Makefile

define variables with a default value that can be overridden (e.g. from the command line or the environment)

DOCUMENT_ROOT ?= /var/www/onlyoffice/documentserver
LOG_DIR ?= /var/log/onlyoffice/documentserver
DATA_DIR ?= /var/lib/onlyoffice/documentserver/App_Data
CONFIG_DIR ?= /etc/onlyoffice/documentserver
CREATE_USER ?= TRUE

conditions

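ifeq ($(CREATE_USER),TRUE)
# NOTE(review): the service user's home is registered under $(DESTDIR); when
# installing into a staging directory that path does not exist at runtime.
	adduser --quiet --home ${DESTDIR}${DOCUMENT_ROOT} --system --group onlyoffice
# The parent directories are resolved by the shell's dirname, hence "$$":
# a bare "$$(dirname ...)" written with a single "$" is expanded by make
# itself as an (empty) make variable, and "{DOCUMENT_ROOT}" without "$" is
# a literal, which left chown -R running on $(DESTDIR) alone.
# -R on a parent directory also re-owns any sibling paths below it.
	chown onlyoffice:onlyoffice -R ${DESTDIR}$$(dirname $(DOCUMENT_ROOT))
	chown onlyoffice:onlyoffice -R ${DESTDIR}$$(dirname $(LOG_DIR))
	chown onlyoffice:onlyoffice -R ${DESTDIR}$$(dirname $$(dirname $(DATA_DIR)))
endif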

mail

echo mail server

echo@univie.ac.at

openssl imaps login

openssl s_client -connect mail.sexypump.de:993 -crlf
A login cypherpunk cypherpunk

get quota

a GETQUOTAROOT INBOX

get msg count of folder

a LIST INBOX *
* LIST (\HasChildren) "." INBOX
* LIST (\HasNoChildren \UnMarked) "." "INBOX.Deleted Messages"
* LIST (\HasNoChildren \UnMarked) "." "INBOX.Sent Messages"
* LIST (\HasNoChildren \UnMarked \Trash) "." INBOX.Trash
* LIST (\HasNoChildren \UnMarked \Sent) "." INBOX.Sent
* LIST (\HasNoChildren \UnMarked) "." INBOX.Notes
* LIST (\HasNoChildren \UnMarked \Junk) "." INBOX.Junk
* LIST (\HasNoChildren \UnMarked \Drafts) "." INBOX.Drafts
* LIST (\HasNoChildren \UnMarked) "." INBOX.AntiSpam
a OK List completed (0.001 + 0.000 secs).
a SELECT INBOX

send smtp mail

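# AUTH LOGIN takes the username and the password as two separate base64
# tokens. Typing the real password on the command line leaves it in the
# shell history; prefer reading it from the terminal:
#   read -rs pw && printf '%s' "$pw" | base64
printf '%s' "username" | base64
# dXNlcm5hbWU=
printf '%s' "password" | base64
# cGFzc3dvcmQ=
# Everything after this line is typed into the TLS session: EHLO, the
# AUTH LOGIN exchange, envelope (MAIL FROM / RCPT TO), then DATA with the
# headers, a blank line, the body and a line containing only "." to finish
# (there is no DONE command).
openssl s_client -connect mail.agenturserver.de:465
EHLO localhost
AUTH LOGIN
ZGRkZGRkZGRk
enp6enp6enp6eno=
MAIL FROM: <sender@example.local>
RCPT TO: <admin@example.local>
DATA
Subject: I have some questions!

Question 1: ...
.
QUIT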

Android

flash recovery

heimdall flash --RECOVERY twrp-3.2.1-1-serranoltexx.img

anbox

aur sync -cu anbox-git anbox-image anbox-modules-dkms-git
pacman -Sy anbox-git anbox-image anbox-modules-dkms-git
modprobe binder_linux ashmem_linux
systemctl restart anbox-container-manager
systemctl --user restart anbox-session-manager
anbox launch --package=org.anbox.appmgr --component=org.anbox.appmgr.AppViewActivity
wget "https://f-droid.org/FDroid.apk"
adb install FDroid.apk

davdroid

https://nextcloud.project-insanity.org/remote.php/dav

If 2FA is enabled, a device-specific password is required.

vim

comment multiple lines

CTRL + V # visual block mode
after selecting
Shift + I # insert mode
type #
ESC

onlyoffice

zitieren

Anführungszeichen öffnend: [Alt Gr] + [V]
Anführungszeichen schließend: [Alt Gr] + [B]

wayland

run x apps with root

xhost +SI:localuser:root
sudo gparted

gpg

==> Verifying source file signatures with gpg...
    aurutils-1.5.3.tar.gz ... FAILED (unknown public key 6BC26A17B9B7018A)
==> ERROR: One or more PGP signatures could not be verified!
==> ERROR: Could not download sources.
onny@http ~ % sudo -u aur gpg --recv-keys 6BC26A17B9B7018A    

tools

  • etcher: create windows, mac and linux usb flash installation sticks
    • github.com/slacka/WoeUSB
  • browsh: graphical terminal browser
  • meld compare folders
  • cpod github
  • flutter sdk
  • deezloader remix
  • scrcpy: access the android screen via adb and control it
ngrep -q -W byline "^(GET|POST) .*"
ngrep -q -W byline "search" host www.google.com and port 80

pages

  • unpaywall hack
https://outline.com/zeit.de/2011/26/Nationalsozialismus-Tagebuecher/komplettansicht

openwrt

update all packages

opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade 