update vimrc

fix hostname
fix vpp and fix socks
2022-08-22 18:09:15 -07:00 · 2022-08-22 18:03:43 -07:00 · 2022-08-22 17:11:01 -07:00 · 2022-08-22 16:21:40 -07:00 · 2022-08-21 15:29:46 -07:00 · 2022-07-19 22:51:24 -07:00
14 changed files with 302 additions and 185 deletions
--- a/crontab/bespin.crontab
+++ b/crontab/bespin.crontab
@@ -5,6 +5,6 @@
 # DOW (day of week): 0-6 or Sun-Sat
 #
 # MIN   HR  DOM   MONTH   DOW   CMD
-  5     3   *     *       *     /home/charles/pod-private-wiki/utils-backup/wikidb_dump.sh
+  3     3   *     *       *     /home/charles/pod-private-wiki/utils-backup/wikidb_dump.sh
  6     3   *     *       *     /home/charles/pod-private-wiki/utils-backup/wikifiles_dump.sh
-
+  12    3   *     *       *     bash -c '/usr/bin/test -d /media/charles/usb && /bin/ls -1 -t /home/charles/backups | /usr/bin/head -n1 | /usr/bin/xargs -IREPL cp -r /home/charles/backups/REPL /media/charles/usb/backups/.'
--- a/crontab/lars.sudo.crontab
+++ b/crontab/lars.sudo.crontab
@@ -0,0 +1,8 @@
+# MIN: 0-59
+# HOUR: 0-23
+# DOM (day of month): 1-31
+# MONTH: 1-12 or Jan-Dec
+# DOW (day of week): 0-6 or Sun-Sat
+#
+# MIN   HR  DOM   MONTH   DOW   CMD
+  3     2   *     *       Sun   cd /home/charles/pod-gollyx-mongo/d-mongodb/ && ./make_mongo_pem.sh
--- a/dotfiles/.aliases
+++ b/dotfiles/.aliases
@@ -20,12 +20,17 @@ alias ipy='ipython --pylab'
 alias ip="curl -4 icanhazip.com"
 alias ipaddr="curl -4 icanhazip.com"

+# uuid generator
+alias uuid="uuidgen"
+

 # python stuff
 # ------------
 # https://unix.stackexchange.com/a/459586
 alias vp="[ -d vp ] || virtualenv -p python3 vp && source vp/bin/activate"
-
+if [[ "${HOSTNAME}" == "burro" ]]; then
+    alias vpp="[ -d vpp ] || virtualenv --python ${HOME}/.pyenv/versions/pypy3.9-7.3.9/bin/pypy3 vpp && source vpp/bin/activate"
+fi

 # one-letter aliases
 # ---------------
@@ -122,13 +127,79 @@ alias c='clear'



-# socks proxy thru charlesreid1
-# (forwards http traffic thru charlesreid1 port 8080)
+# socks proxy thru seawater for private wiki access
+# (use with foxyproxy, point to localhost:5778)
 # ---------------
-alias socks='ssh -fN -D 8080 charles@charlesreid1.com'
+alias socks='ssh -D 5778 -p 5778 charles@charlesreid1.party -f -N'



+# tinc vpn
+# ---------------
+
+alias seawatervpn="seawatervpn"
+function seawatervpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.1"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+alias randalvpn="randalvpn"
+function randalvpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.10"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+alias mayavpn="mayavpn"
+function mayavpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.20"
+  ssh -Y charles@${IP} # the actual ssh call
+}
+
+alias bearvpn="bearvpn"
+function bearvpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.40"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+alias emmettvpn="emmettvpn"
+function emmettvpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.55"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+# Local machines
+# ---------------
+
+alias randal="randal"
+function randal() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.0.10"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
 # Remote machines
 # ---------------

@@ -149,27 +220,27 @@ function bear() {
  ~/ssh.file > /dev/null
  rm -f ~/ssh.file
  export IP="173.255.249.79"
-  ssh -Y charles@${IP} # the actual ssh call
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
 }

-alias bespin="bespin"
-function bespin() {
+alias emmett="emmett"
+function emmett() {
  ssh-agent > ~/ssh.file # env vars in ssh.file
  chmod +x ~/ssh.file # execute file
  ~/ssh.file > /dev/null
  rm -f ~/ssh.file
-  export IP="bespin"
-  ssh -Y charles@${IP} # the actual ssh call
+  export IP="173.255.252.181"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
 }

-alias dorky="dorky"
-function dorky() {
+alias seawater="seawater"
+function seawater() {
  ssh-agent > ~/ssh.file # env vars in ssh.file
  chmod +x ~/ssh.file # execute file
  ~/ssh.file > /dev/null
  rm -f ~/ssh.file
  export IP="charlesreid1.party"
-  ssh -Y charles@${IP} # the actual ssh call
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
 }


--- a/dotfiles/.bash_profile
+++ b/dotfiles/.bash_profile
@@ -60,6 +60,7 @@ export PATH="$GOENV_ROOT/bin:$PATH"
 # https://github.com/pyenv/pyenv-installer
 export PYENV_ROOT="$HOME/.pyenv"
 export PATH="$PYENV_ROOT/bin:$PATH"
+eval "$(pyenv init --path)"
 eval "$(pyenv init -)"

 export PATH
--- a/dotfiles/.bash_prompt
+++ b/dotfiles/.bash_prompt
@@ -41,24 +41,14 @@ else
 	white="\e[1;37m";
 fi;

-if [[ "${HOSTNAME}" == "rojo" ]]; then
+if [[ "${HOSTNAME}" == "bear" ]]; then
    userStyle="${red}"
-elif [[ "${HOSTNAME}" == "jupiter" ]]; then
-    userStyle="${green}"
-elif [[ "${HOSTNAME}" == "krash" ]]; then
-    userStyle="${cyan}"
-elif [[ "${HOSTNAME}" == "bear" ]]; then
-    userStyle="${red}"
-elif [[ "${HOSTNAME}" == "bespin" ]]; then
+elif [[ "${HOSTNAME}" == "randal" ]]; then
    userStyle="${purple}"
-elif [[ "${HOSTNAME}" == "dorky" ]]; then
-    userStyle="${yellow}"
 elif [[ "${HOSTNAME}" == "emmett" ]]; then
-    userStyle="${yellow}"
-elif [[ "${HOSTNAME}" == "dudley" ]]; then
-    userStyle="${orange}"
-elif [[ "${HOSTNAME}" == "lars" ]]; then
-    userStyle="${white}"
+    userStyle="${green}"
+elif [[ "${HOSTNAME}" == "seawater" ]]; then
+    userStyle="${green}"
 else
    userStyle="${yellow}"
 fi
--- a/dotfiles/.bashrc
+++ b/dotfiles/.bashrc
@@ -1 +1,3 @@
 [ -n "$PS1" ] && source ~/.bash_profile;
+## uh... maybe just this?
+#source ~/.bash_profile
--- a/dotfiles/.functions
+++ b/dotfiles/.functions
@@ -5,11 +5,6 @@ function mkd() {
 	mkdir -p "$@" && cd "$_";
 }

-# Change working directory to the top-most Finder window location
-function cdf() { # short for `cdfinder`
-	cd "$(osascript -e 'tell app "Finder" to POSIX path of (insertion location as alias)')";
-}
-
 # Create a .tar.gz archive, using `zopfli`, `pigz` or `gzip` for compression
 function targz() {
 	local tmpFile="${@%/}.tar";
@@ -58,14 +53,6 @@ function fs() {
 	fi;
 }

-# Use Git’s colored diff when available
-hash git &>/dev/null;
-if [ $? -eq 0 ]; then
-	function diff() {
-		git diff --no-index --color-words "$@";
-	}
-fi;
-
 # Create a data URL from a file
 function dataurl() {
 	local mimeType=$(file -b --mime-type "$1");
@@ -84,24 +71,6 @@ function server() {
 	python -c $'import SimpleHTTPServer;\nmap = SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map;\nmap[""] = "text/plain";\nfor key, value in map.items():\n\tmap[key] = value + ";charset=UTF-8";\nSimpleHTTPServer.test();' "$port";
 }

-# Start a PHP server from a directory, optionally specifying the port
-# (Requires PHP 5.4.0+.)
-function phpserver() {
-	local port="${1:-4000}";
-	local ip=$(ipconfig getifaddr en1);
-	sleep 1 && open "http://${ip}:${port}/" &
-	php -S "${ip}:${port}";
-}
-
-# Compare original and gzipped file size
-function gz() {
-	local origsize=$(wc -c < "$1");
-	local gzipsize=$(gzip -c "$1" | wc -c);
-	local ratio=$(echo "$gzipsize * 100 / $origsize" | bc -l);
-	printf "orig: %d bytes\n" "$origsize";
-	printf "gzip: %d bytes (%2.2f%%)\n" "$gzipsize" "$ratio";
-}
-
 # Syntax-highlight JSON strings or files
 # Usage: `json '{"foo":42}'` or `echo '{"foo":42}' | json`
 function json() {
@@ -160,16 +129,6 @@ function getcertnames() {
 	fi;
 }

-# `s` with no arguments opens the current directory in Sublime Text, otherwise
-# opens the given location
-function s() {
-	if [ $# -eq 0 ]; then
-		subl .;
-	else
-		subl "$@";
-	fi;
-}
-
 # `v` with no arguments opens the current directory in Vim, otherwise opens the
 # given location
 function v() {
--- a/dotfiles/.gvimrc
+++ b/dotfiles/.gvimrc
@@ -1,6 +1,3 @@
-" Use the Solarized Dark theme
-set background=dark
-colorscheme solarized
 " Use 14pt Monaco
 set guifont=Monaco:h14
 " Don’t blink cursor in normal mode
--- a/dotfiles/.tmux.conf
+++ b/dotfiles/.tmux.conf
@@ -15,10 +15,11 @@
 set -g default-terminal "screen-256color"
 set-option -g default-terminal screen-256color

-# Use C-a, since it's on the home row and easier to hit than C-b
-set-option -g prefix C-a
-unbind C-a
-bind C-a send-prefix
+# Use C-t instead
+set-option -g prefix C-t
+unbind C-t
+bind C-t send-prefix
+

 # Set parent terminal title to reflect current window in tmux session
 set -g set-titles on
@@ -44,7 +45,7 @@ bind enter next-layout

 # use vim-like keys for splits and windows
 # 
-#   Control-A plus:
+#   Control-T plus:
 # 
 #   s = horizontal split
 #   v = vertical split
@@ -59,52 +60,55 @@ bind h select-pane -L
 bind j select-pane -D
 bind k select-pane -U
 bind l select-pane -R
-bind C-h select-pane -L
-bind C-l select-pane -R

 # smart pane switching with awareness of vim splits
+# (these interfere with the often-used Control-L shortcut
+# to clear the screen, so that gets really annoying.)
 # 
-# Control plus:
+# Control then:
 # 
 #   h = pick left pane
-#   j = pick left pane
-#   k = pick left pane
-#   l = pick left pane
-#   \ = pick another pane (?)
+#   j = pick down pane
+#   k = pick up pane
+#   l = pick right pane
 #
-bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-h) || tmux select-pane -L"
-bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-j) || tmux select-pane -D"
-bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-k) || tmux select-pane -U"
-bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-l) || tmux select-pane -R"
-bind -n C-\ run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys 'C-\\') || tmux select-pane -l"
+# bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-h) || tmux select-pane -L"
+# bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-j) || tmux select-pane -D"
+# bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-k) || tmux select-pane -U"
+# bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-l) || tmux select-pane -R"

-# Control-A then Control-L clears the screen
-bind C-l send-keys 'C-l'
-
-# Control-A then Control-O swaps out windows in their respective positions
+# Control-T then Control-O swaps out windows in their respective positions
 bind C-o rotate-window

-# Control-A plus + makes existing windows have horizontal layout
-bind + select-layout main-horizontal
+# Control-T then + makes existing windows have vertical layout
+bind + select-layout main-vertical

-# Control-A plus = makes existing windows have vertical layout
-bind = select-layout main-vertical
+# Control-T then = makes existing windows have horizontal layout
+bind = select-layout main-horizontal
+
+# Control-T Control-N makes a new window in the path of the current pane
+bind C-n new-window -c '#{pane_current_path}'

 ## (no idea what this does)
 #set-window-option -g other-pane-height 25
 #set-window-option -g other-pane-width 80

-# Control-A plus [ or ] moves into copy mode or paste mode
+# Control-T plus [ or ] moves into copy mode or paste mode
 bind [ copy-mode
 bind ] paste-buffer

 # (no idea)
 set-window-option -g display-panes-time 1500

-# Control-A plus | or _ splits panes vertically (|) or horizontally (_)
+# Control-T plus | or _ splits panes vertically (|) or horizontally (_)
+# (this is better than using percent, but now we've got muscle memory for %)
 bind | split-window -h -c "#{pane_current_path}"
 bind _ split-window -v -c "#{pane_current_path}"

+# because we were using this before
+bind % split-window -h -c "#{pane_current_path}"
+
+
 # Status Bar
 set-option -g status-interval 1
 set-option -g status-left ''
@@ -120,6 +124,7 @@ set -g visual-activity on

 # Allow the arrow key to be used immediately after changing windows
 set-option -g repeat-time 0
+
 # Set up easy go-to sessions with shortcuts 
 bind s source-file ~/.tmux.session1

--- a/dotfiles/.vimrc
+++ b/dotfiles/.vimrc
@@ -184,20 +184,24 @@ let g:go_fmt_command = "goimports"
 " don't move comment hashtag to the first column.
 " smartindent is unnecessary for python anyway.
 " http://stackoverflow.com/questions/2063175/vim-insert-mode-comments-go-to-start-of-line
-au! FileType python setl nosmartindent
+au! FileType python setl textwidth=0 nosmartindent

 " golang
 " see https://github.com/paulswanson/congo/blob/master/congo.sh
 " ------------------------
-au BufRead,BufNewFile *.go set noexpandtab
+au BufRead,BufNewFile *.go set textwidth=0 noexpandtab

 " Makefiles
 " ------------------------
-au BufRead,BufNewFile Makefile*,*.make,*.mk set noexpandtab
+au BufRead,BufNewFile Makefile*,*.make,*.mk set textwidth=0 noexpandtab

 " C++
 " ------------------------
-au BufRead,BufNewFile *.cpp,*.cxx,*.cc,*.c,*.h,*.hpp,*.hxx,*.hh set tabstop=4 shiftwidth=4 softtabstop=4 nowrap
+au BufRead,BufNewFile *.cpp,*.cxx,*.cc,*.c,*.h,*.hpp,*.hxx,*.hh set textwidth=0 tabstop=4 shiftwidth=4 softtabstop=4 nowrap
+
+" shell scripts
+" ------------------------
+au BufRead,BufNewFile *.sh set textwidth=0 noexpandtab

 " Snakemake files: Snakefile, .rule, .snake, .settings, .smk
 " ------------------------
@@ -217,6 +221,10 @@ function! DisableIndentY()
        set indentexpr&
 endfunction

+" Javascript
+" -------------------------
+au BufRead,BufNewFile *.js,*.javascript set textwidth=0 tabstop=2 shiftwidth=2 softtabstop=2 nowrap
+


 " ------------------------
@@ -533,53 +541,26 @@ noremap <Leader>W :w !sudo tee % > /dev/null<cr>
 " ----------------------------
 " colorrrzzzzz
 " ----------------------------
-
+
+""" set background=dark
+""" 
+""" set t_Co=256
+""" 
+""" function! BgToggle()
+"""   if &background == "light"
+"""     execute ":set background=dark"
+"""   else
+"""     execute ":set background=light"
+"""   endif
+""" endfunction
 """ nnoremap <F5> :call BgToggle()<cr>
-
-set t_Co=256
-
-function! BgToggle()
-  if &background == "light"
-    execute ":set background=dark"
-  else
-    execute ":set background=light"
-  endif
-endfunction
-nnoremap <F5> :call BgToggle()<cr>
-
-" to install vim-colors-solarized plugin:
-" git clone git://github.com/altercation/vim-colors-solarized.git ~/.vim/bundle/vim-colors-solarized
-"
-let g:solarized_termcolors=256
-
-"" If the following line is commented out,
-"" F5/background toggle will change from
-"" dark to light. If the line is enabled,
-"" the background color will remain the same
-"" dark default terminal backgorund color.
-"let g:solarized_termtrans = 1
-"
-let g:solarized_degrade = 0
-let g:solarized_bold = 1
-let g:solarized_underline = 1
-let g:solarized_italic = 1
-let g:solarized_contrast = "normal"
-let g:solarized_visibility= "normal"
-
-" install solarized by getting the
-" solarized color scheme in vim format
-" (solarized.vim) from here:
-"
-" wget https://raw.githubusercontent.com/altercation/vim-colors-solarized/master/colors/solarized.vim -O ~/.vim/colors/solarized.vim
-"
-" put it in ~/.vim/colors/solarized.vim


 " more color schemes:
 "colorscheme blue
 "colorscheme darkblue
 "colorscheme default
-"colorscheme delek
+"colorscheme delek
 colorscheme desert " <-- old standby
 "colorscheme elflord
 "colorscheme evening
@@ -610,7 +591,20 @@ nnoremap <S-L> :join<CR>
 " move up and down n lines
 map <S-j> 7j
 map <S-k> 7k
+
+" Bubble text up/down
+" Single line:
+nmap <C-k> ddkP
+nmap <C-j> ddp
+" Multiple lines:
+vmap <C-k> xkP`[V`]
+vmap <C-j> xp`[V`]

 " -----------------------------
 " Jedi Autocomplete Plugin
-" -----------------------------
+" -----------------------------
+"let g:jedi#auto_initialization = 0
+
+"" -----------------------
+""  Black shortcut
+"" -----------------------
--- a/dotfiles/diff_dotfiles.sh
+++ b/dotfiles/diff_dotfiles.sh
@@ -4,7 +4,7 @@
 #find . -type f -maxdepth 1 -name ".*" | xargs -t -n1 -I% diff % ~/%

 # The (more careful) loop version:
-for file in $(find . -type f -maxdepth 1 -name ".*"); do
+for file in $(find . -maxdepth 1 -type f  -name ".*"); do
    if [[ -f ~/$file ]]; then
        echo "------------"
        echo "$file exists in home directory, calculating diff..."
--- a/firewall/bear_ufw.sh
+++ b/firewall/bear_ufw.sh
@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Set up the ufw firewall for bear.
-# 22 - ssh
-# 80 - http
-# 443 - https
-# 8080, 8888, 8000 - for something to use
-
-if [ "$(id -u)" != "0" ]; then
-    echo ""
-    echo ""
-    echo "This script must be run as root!"
-    echo ""
-    echo ""
-    exit 1;
-fi
-
-set -x
-
-# Start by setting defaults on ufw
-ufw --force reset
-ufw default deny incoming
-ufw default allow outgoing
-ufw allow 22
-ufw allow 80
-ufw allow 443
-ufw --force enable
-
-# allow ufw to nat connections from
-# external interface to internal 
-# (docker) interfaces
-sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
-ufw reload
-
-# enable packet masquerading so we can
-# get the real IP of clients inside
-# docker containers.
-iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
-
--- a/firewall/bespin_iptables_pihole_tinc.sh
+++ b/firewall/bespin_iptables_pihole_tinc.sh
@@ -0,0 +1,119 @@
+#!/bin/bash
+set -e
+
+ipt="sudo /sbin/iptables"
+
+# Set default policies
+$ipt -P INPUT DROP
+$ipt -P FORWARD DROP
+$ipt -P OUTPUT ACCEPT
+
+# Flush and clear everything
+$ipt -t nat -F
+$ipt -t mangle -F
+$ipt -F
+$ipt -X
+
+# Name of main ethernet connection device
+ETH="wlan0"
+# Name of PIA VPN tunnel device
+PIATUN="tun1"
+# Name of tinc tunnel device
+TINCTUN="master"
+# Name of loopback interface for PiHole DNS server
+PHDNS="lo:1"
+
+########### LOOPBACK ##########
+$ipt -A INPUT -i lo -j ACCEPT
+$ipt -A INPUT -i lo:1 -j ACCEPT
+
+########### INCOMING ##########
+# Allow any established connection to come in or out
+$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+$ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+########### PING ##############
+# Allow incoming ping requests
+$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+########### SSH ###############
+# Allow incoming SSH sessions, new or established
+$ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow incoming SSH traffic, if part of established conversation
+$ipt -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+########### TINC ##############
+# Allow incoming VPN sessions destined for 655, new or established
+$ipt -A INPUT -p udp --dport 655 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow incoming VPN traffic coming from 655, part of established conversation
+$ipt -A INPUT -p udp --sport 655 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+########### HTTP/HTTPS ########
+# Allow incoming HTTP/HTTPS traffic, part of established conversation
+$ipt -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Allow incoming HTTP/HTTPS requests from tinc tunnel
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 80 -j ACCEPT
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 443 -j ACCEPT
+
+# Allow incoming HTTP/HTTPS requests from local ethernet
+$ipt -A INPUT -p tcp -i ${ETH} --dport 80 -j ACCEPT
+$ipt -A INPUT -p tcp -i ${ETH} --dport 443 -j ACCEPT
+
+########### PIHOLE UI #########
+# Allow incoming requests to 8888/8443 via tinc tunnel
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 8888 -j ACCEPT
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 8443 -j ACCEPT
+
+########### TELEMETRY #########
+# Allow node exporter traffic from source port 9100
+$ipt -A INPUT -p tcp --dport 9100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 9100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow cadvisor on port 8080
+$ipt -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow nginx on port 9113
+$ipt -A INPUT -p tcp --dport 9113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 9113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+
+########### DHCP ##############
+# Allow any DHCP traffic to come in or out
+$ipt -A INPUT  -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+$ipt -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+
+########### DNS ###############
+PROTOCOLS="tcp udp"
+for prot in $PROTOCOLS; do
+    # General DNS Traffic:
+    # Allow incoming DNS traffic coming from 53, part of established conversation
+    $ipt -A INPUT  -p $prot --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+    # PiHole self-accept traffic from port 53
+    $ipt -A INPUT -p $prot -i ${PHDNS} --dport 53 -j ACCEPT
+
+    # # PiHole DNS (lo:1) <-> PIA VPN Tunnel (tun0):
+    # # PiHole can always send DNS queries out through tunnel
+    # $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${PIATUN} --dport 53 -j ACCEPT
+    # # Responses to PiHole can always return via tunnel
+    # $ipt -A FORWARD -p $prot -i ${PIATUN} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+    # PiHole DNS (lo:1) <-> ethernet
+    # PiHole can always send DNS queries out through tunnel
+    $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${ETH} --dport 53 -j ACCEPT
+    # Responses to PiHole can always return via ethernet
+    $ipt -A FORWARD -p $prot -i ${ETH} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+done
+
+# # Enable logging
+# $ipt -N LOGGING
+# $ipt -A INPUT -j LOGGING
+# $ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: " --log-level 4
+# $ipt -A LOGGING -j DROP
+
+# Make rules persistent
+sudo netfilter-persistent save
+
+# Restore docker iptables rules
+sudo service docker restart
--- a/tasks/secrets/ch4zm_gen_ssh_keys.sh
+++ b/tasks/secrets/ch4zm_gen_ssh_keys.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# 
+# this is where you would add any
+# pre-baked public keys.
+set -x
+
+yes | ssh-keygen -f $HOME/.ssh/id_rsa_ch4zm -t rsa -N ''
+chmod 700 $HOME/.ssh
+touch $HOME/.ssh/authorized_keys
+chmod 600 $HOME/.ssh/authorized_keys
Author	SHA1	Message	Date
Charles Reid	aecfefd2f1	update vimrc	2022-08-22 18:09:15 -07:00
Charles Reid	15e7a59e38	fix hostname	2022-08-22 18:03:43 -07:00
Charles Reid	8ad19851bc	fix vpp and fix socks	2022-08-22 17:11:01 -07:00
Charles Reid	4f37228dad	fix uuidgen	2022-08-22 16:21:40 -07:00
Charles Reid	53190fd805	fix typo	2022-08-21 15:29:46 -07:00
Charles Reid	af3d4c1768	add script to generate ch4zm ssh key	2022-07-19 22:51:24 -07:00
Charles Reid	038fb927ff	update debian dotfiles	2022-07-19 19:28:29 -07:00
Charles Reid	93659ea9fe	fix find cmd	2022-07-16 13:56:47 -07:00
Charles Reid	2256de8e0e	pare down functions	2022-07-09 23:47:26 -07:00
Charles Reid	9bccba22a5	fix	2022-07-09 23:42:01 -07:00
Charles Reid	9d99efd720	update	2022-07-09 23:39:29 -07:00
Charles Reid	d7e4965d14	update .aliases	2022-07-09 23:37:15 -07:00
Charles Reid	85e1baab05	update tmux config file	2022-03-17 15:08:22 -07:00
Charles Reid	ff9790e7ea	remove backslash shortcut (randal no like)	2021-12-16 19:14:00 -08:00
Charles Reid	976a76a257	fix pyenv for debian	2021-12-05 10:35:13 -08:00
Charles Reid	97a76d807a	update bash prompt machine colors	2021-11-30 13:47:59 -08:00
Charles Reid	eb94148598	correct syntax in bespin crontab	2021-09-10 13:15:41 -07:00
Charles Reid	39aff8105d	update bespin crontab	2021-09-09 16:24:58 -07:00
Charles Reid	ba994a16ea	update bespin crontab	2021-09-07 12:22:53 -07:00
Charles Reid	f06074820c	add iptables for pihole/tinc setup	2021-09-07 12:22:53 -07:00
Charles Reid	38437019c4	add lars sudo crontab	2021-08-22 14:52:48 -07:00
Charles Reid	4badfe329c	remove bear firewall (use ansible role instead)	2021-01-30 15:55:16 -08:00
Charles Reid	d85d99fa5c	remove solarized color scheme from gvimrc	2021-01-20 19:30:05 -08:00
Charles Reid	b1a6738ce1	update prompt colors	2020-12-31 14:53:13 -08:00
Charles Reid	426c5fe9b9	fix colorscheme problem	2020-12-05 17:07:04 -08:00