
22 Commits

Author SHA1 Message Date
aecfefd2f1 update vimrc 2022-08-22 18:09:15 -07:00
15e7a59e38 fix hostname 2022-08-22 18:03:43 -07:00
8ad19851bc fix vpp and fix socks 2022-08-22 17:11:01 -07:00
4f37228dad fix uuidgen 2022-08-22 16:21:40 -07:00
53190fd805 fix typo 2022-08-21 15:29:46 -07:00
af3d4c1768 add script to generate ch4zm ssh key 2022-07-19 22:51:24 -07:00
038fb927ff update debian dotfiles 2022-07-19 19:28:29 -07:00
93659ea9fe fix find cmd 2022-07-16 13:56:47 -07:00
2256de8e0e pare down functions 2022-07-09 23:47:26 -07:00
9bccba22a5 fix 2022-07-09 23:42:01 -07:00
9d99efd720 update 2022-07-09 23:39:29 -07:00
d7e4965d14 update .aliases 2022-07-09 23:37:15 -07:00
85e1baab05 update tmux config file 2022-03-17 15:08:22 -07:00
ff9790e7ea remove backslash shortcut (randal no like) 2021-12-16 19:14:00 -08:00
976a76a257 fix pyenv for debian 2021-12-05 10:35:13 -08:00
97a76d807a update bash prompt machine colors 2021-11-30 13:47:59 -08:00
eb94148598 correct syntax in bespin crontab 2021-09-10 13:15:41 -07:00
39aff8105d update bespin crontab 2021-09-09 16:24:58 -07:00
ba994a16ea update bespin crontab 2021-09-07 12:22:53 -07:00
f06074820c add iptables for pihole/tinc setup 2021-09-07 12:22:53 -07:00
38437019c4 add lars sudo crontab 2021-08-22 14:52:48 -07:00
4badfe329c remove bear firewall (use ansible role instead) 2021-01-30 15:55:16 -08:00
13 changed files with 289 additions and 154 deletions


@@ -5,6 +5,6 @@
# DOW (day of week): 0-6 or Sun-Sat # DOW (day of week): 0-6 or Sun-Sat
# #
# MIN HR DOM MONTH DOW CMD # MIN HR DOM MONTH DOW CMD
5 3 * * * /home/charles/pod-private-wiki/utils-backup/wikidb_dump.sh 3 3 * * * /home/charles/pod-private-wiki/utils-backup/wikidb_dump.sh
6 3 * * * /home/charles/pod-private-wiki/utils-backup/wikifiles_dump.sh 6 3 * * * /home/charles/pod-private-wiki/utils-backup/wikifiles_dump.sh
12 3 * * * bash -c '/usr/bin/test -d /media/charles/usb && /bin/ls -1 -t /home/charles/backups | /usr/bin/head -n1 | /usr/bin/xargs -IREPL cp -r /home/charles/backups/REPL /media/charles/usb/backups/.'
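Review bot: The new `12 3` backup-copy entry only tests that `/media/charles/usb` is mounted but copies into `/media/charles/usb/backups/.`, so a mounted stick without that subdirectory makes `cp` fail every night with nothing but cron mail to show for it; test the real destination, `/usr/bin/test -d /media/charles/usb/backups`. The `/bin/ls -1 -t | /usr/bin/head -n1 | /usr/bin/xargs -IREPL cp -r …` chain also splits a backup name containing whitespace, and because `ls -t` picks by mtime it can select a dump that the `3 3` or `6 3` job is still writing if either overruns; having the dump scripts write a completion marker that this job checks, or copying only entries older than a few minutes (`find … -mmin +N`), would avoid copying a half-written archive. Whether GNU `xargs -I` runs `cp` at all on empty input varies by version, so an explicit `-r` is worth adding too.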


@@ -0,0 +1,8 @@
# MIN: 0-59
# HOUR: 0-23
# DOM (day of month): 1-31
# MONTH: 1-12 or Jan-Dec
# DOW (day of week): 0-6 or Sun-Sat
#
# MIN HR DOM MONTH DOW CMD
3 2 * * Sun cd /home/charles/pod-gollyx-mongo/d-mongodb/ && ./make_mongo_pem.sh
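Review bot: The weekly `make_mongo_pem.sh` entry discards both output and exit status, so a failed PEM regeneration (including a failed `cd` if the directory moves) surfaces only as cron mail, if that is configured at all, and the service keeps running on a stale certificate unnoticed. Appending a redirection such as `>> /home/charles/make_mongo_pem.log 2>&1` (log path is a placeholder) gives something to alert on; a comment stating which service reloads the PEM afterwards would also help, since the entry alone does not show that.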


@@ -20,12 +20,17 @@ alias ipy='ipython --pylab'
alias ip="curl -4 icanhazip.com" alias ip="curl -4 icanhazip.com"
alias ipaddr="curl -4 icanhazip.com" alias ipaddr="curl -4 icanhazip.com"
# uuid generator
alias uuid="uuidgen"
# python stuff # python stuff
# ------------ # ------------
# https://unix.stackexchange.com/a/459586 # https://unix.stackexchange.com/a/459586
alias vp="[ -d vp ] || virtualenv -p python3 vp && source vp/bin/activate" alias vp="[ -d vp ] || virtualenv -p python3 vp && source vp/bin/activate"
if [[ "${HOSTNAME}" == "burro" ]]; then
alias vpp="[ -d vpp ] || virtualenv --python ${HOME}/.pyenv/versions/pypy3.9-7.3.9/bin/pypy3 vpp && source vpp/bin/activate"
fi
# one-letter aliases # one-letter aliases
# --------------- # ---------------
@@ -122,13 +127,79 @@ alias c='clear'
# socks proxy thru charlesreid1 # socks proxy thru seawater for private wiki access
# (forwards http traffic thru charlesreid1 port 8080) # (use with foxyproxy, point to localhost:5778)
# --------------- # ---------------
alias socks='ssh -fN -D 8080 charles@charlesreid1.com' alias socks='ssh -D 5778 -p 5778 charles@charlesreid1.party -f -N'
# tinc vpn
# ---------------
alias seawatervpn="seawatervpn"
function seawatervpn() {
ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null
rm -f ~/ssh.file
export IP="192.168.30.1"
ssh -p 5778 -Y charles@${IP} # the actual ssh call
}
alias randalvpn="randalvpn"
function randalvpn() {
ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null
rm -f ~/ssh.file
export IP="192.168.30.10"
ssh -p 5778 -Y charles@${IP} # the actual ssh call
}
alias mayavpn="mayavpn"
function mayavpn() {
ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null
rm -f ~/ssh.file
export IP="192.168.30.20"
ssh -Y charles@${IP} # the actual ssh call
}
alias bearvpn="bearvpn"
function bearvpn() {
ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null
rm -f ~/ssh.file
export IP="192.168.30.40"
ssh -p 5778 -Y charles@${IP} # the actual ssh call
}
alias emmettvpn="emmettvpn"
function emmettvpn() {
ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null
rm -f ~/ssh.file
export IP="192.168.30.55"
ssh -p 5778 -Y charles@${IP} # the actual ssh call
}
# Local machines
# ---------------
alias randal="randal"
function randal() {
ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null
rm -f ~/ssh.file
export IP="192.168.0.10"
ssh -p 5778 -Y charles@${IP} # the actual ssh call
}
# Remote machines # Remote machines
# --------------- # ---------------
@@ -149,27 +220,27 @@ function bear() {
~/ssh.file > /dev/null ~/ssh.file > /dev/null
rm -f ~/ssh.file rm -f ~/ssh.file
export IP="173.255.249.79" export IP="173.255.249.79"
ssh -Y charles@${IP} # the actual ssh call ssh -p 5778 -Y charles@${IP} # the actual ssh call
} }
alias bespin="bespin" alias emmett="emmett"
function bespin() { function emmett() {
ssh-agent > ~/ssh.file # env vars in ssh.file ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null ~/ssh.file > /dev/null
rm -f ~/ssh.file rm -f ~/ssh.file
export IP="bespin" export IP="173.255.252.181"
ssh -Y charles@${IP} # the actual ssh call ssh -p 5778 -Y charles@${IP} # the actual ssh call
} }
alias dorky="dorky" alias seawater="seawater"
function dorky() { function seawater() {
ssh-agent > ~/ssh.file # env vars in ssh.file ssh-agent > ~/ssh.file # env vars in ssh.file
chmod +x ~/ssh.file # execute file chmod +x ~/ssh.file # execute file
~/ssh.file > /dev/null ~/ssh.file > /dev/null
rm -f ~/ssh.file rm -f ~/ssh.file
export IP="charlesreid1.party" export IP="charlesreid1.party"
ssh -Y charles@${IP} # the actual ssh call ssh -p 5778 -Y charles@${IP} # the actual ssh call
} }
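Review bot: The `ssh-agent > ~/ssh.file; chmod +x ~/ssh.file; ~/ssh.file > /dev/null` prelude repeated in every new `*vpn` function (seawatervpn through randal, and the renamed emmett/seawater functions in the last hunk) executes the agent's `export` lines in a child process, so `SSH_AUTH_SOCK`/`SSH_AGENT_PID` never reach the calling shell and each invocation leaves an orphaned `ssh-agent` behind; if an agent is wanted the shell idiom is `eval "$(ssh-agent -s)"`, and if one is already running the prelude can go entirely. Each function also `export`s a global `IP` that outlives the call, and the copies differ only in host and port (note `mayavpn` alone omits `-p 5778` — intentional?), so one helper removes the duplication, and the `alias randalvpn="randalvpn"`-style lines are no-ops that can be dropped. Sketch:

```shell
# Shared tail for the host shortcuts: reuse the shell's agent, start one only if absent.
_ssh_to() {
  local host=$1 port=${2:-22}
  [ -S "${SSH_AUTH_SOCK:-}" ] || eval "$(ssh-agent -s)" > /dev/null
  ssh -p "$port" -Y "charles@${host}"
}
function seawatervpn() { _ssh_to 192.168.30.1 5778; }
function randalvpn()   { _ssh_to 192.168.30.10 5778; }
# … unchanged: remaining wrappers follow the same one-line form …
```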


@@ -60,6 +60,7 @@ export PATH="$GOENV_ROOT/bin:$PATH"
# https://github.com/pyenv/pyenv-installer # https://github.com/pyenv/pyenv-installer
export PYENV_ROOT="$HOME/.pyenv" export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH" export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init --path)"
eval "$(pyenv init -)" eval "$(pyenv init -)"
export PATH export PATH
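Review bot: The added `eval "$(pyenv init --path)"` runs unconditionally, so on any machine in this dotfiles set that lacks pyenv every login prints `pyenv: command not found` (the existing `pyenv init -` line has the same problem); guarding both with `command -v pyenv >/dev/null 2>&1 && eval "$(pyenv init --path)"` keeps the profile quiet where pyenv is absent. A one-line comment that `--path` must precede `init -` (the reason this line was added for Debian, per the commit message) would save the next reader from "simplifying" the two evals into one.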


@@ -41,24 +41,14 @@ else
white="\e[1;37m"; white="\e[1;37m";
fi; fi;
if [[ "${HOSTNAME}" == "rojo" ]]; then if [[ "${HOSTNAME}" == "bear" ]]; then
userStyle="${red}" userStyle="${red}"
elif [[ "${HOSTNAME}" == "jupiter" ]]; then elif [[ "${HOSTNAME}" == "randal" ]]; then
userStyle="${green}"
elif [[ "${HOSTNAME}" == "krash" ]]; then
userStyle="${cyan}"
elif [[ "${HOSTNAME}" == "bear" ]]; then
userStyle="${red}"
elif [[ "${HOSTNAME}" == "bespin" ]]; then
userStyle="${purple}" userStyle="${purple}"
elif [[ "${HOSTNAME}" == "dorky" ]]; then
userStyle="${yellow}"
elif [[ "${HOSTNAME}" == "emmett" ]]; then elif [[ "${HOSTNAME}" == "emmett" ]]; then
userStyle="${green}" userStyle="${green}"
elif [[ "${HOSTNAME}" == "dudley" ]]; then elif [[ "${HOSTNAME}" == "seawater" ]]; then
userStyle="${cyan}" userStyle="${green}"
elif [[ "${HOSTNAME}" == "lars" ]]; then
userStyle="${white}"
else else
userStyle="${yellow}" userStyle="${yellow}"
fi fi
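Review bot: The rewritten hostname → colour chain is four string comparisons on `${HOSTNAME}`, which reads more naturally as a `case` and makes it explicit that `emmett` and `seawater` intentionally share green (if they do); it also stops repeating `[[ "${HOSTNAME}" == … ]]` on every branch. Sketch:

```shell
case "${HOSTNAME}" in
  bear)            userStyle="${red}" ;;
  randal)          userStyle="${purple}" ;;
  emmett|seawater) userStyle="${green}" ;;
  *)               userStyle="${yellow}" ;;
esac
```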


@@ -1 +1,3 @@
[ -n "$PS1" ] && source ~/.bash_profile; [ -n "$PS1" ] && source ~/.bash_profile;
## uh... maybe just this?
#source ~/.bash_profile


@@ -5,11 +5,6 @@ function mkd() {
mkdir -p "$@" && cd "$_"; mkdir -p "$@" && cd "$_";
} }
# Change working directory to the top-most Finder window location
function cdf() { # short for `cdfinder`
cd "$(osascript -e 'tell app "Finder" to POSIX path of (insertion location as alias)')";
}
# Create a .tar.gz archive, using `zopfli`, `pigz` or `gzip` for compression # Create a .tar.gz archive, using `zopfli`, `pigz` or `gzip` for compression
function targz() { function targz() {
local tmpFile="${@%/}.tar"; local tmpFile="${@%/}.tar";
@@ -58,14 +53,6 @@ function fs() {
fi; fi;
} }
# Use Gits colored diff when available
hash git &>/dev/null;
if [ $? -eq 0 ]; then
function diff() {
git diff --no-index --color-words "$@";
}
fi;
# Create a data URL from a file # Create a data URL from a file
function dataurl() { function dataurl() {
local mimeType=$(file -b --mime-type "$1"); local mimeType=$(file -b --mime-type "$1");
@@ -84,24 +71,6 @@ function server() {
python -c $'import SimpleHTTPServer;\nmap = SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map;\nmap[""] = "text/plain";\nfor key, value in map.items():\n\tmap[key] = value + ";charset=UTF-8";\nSimpleHTTPServer.test();' "$port"; python -c $'import SimpleHTTPServer;\nmap = SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map;\nmap[""] = "text/plain";\nfor key, value in map.items():\n\tmap[key] = value + ";charset=UTF-8";\nSimpleHTTPServer.test();' "$port";
} }
# Start a PHP server from a directory, optionally specifying the port
# (Requires PHP 5.4.0+.)
function phpserver() {
local port="${1:-4000}";
local ip=$(ipconfig getifaddr en1);
sleep 1 && open "http://${ip}:${port}/" &
php -S "${ip}:${port}";
}
# Compare original and gzipped file size
function gz() {
local origsize=$(wc -c < "$1");
local gzipsize=$(gzip -c "$1" | wc -c);
local ratio=$(echo "$gzipsize * 100 / $origsize" | bc -l);
printf "orig: %d bytes\n" "$origsize";
printf "gzip: %d bytes (%2.2f%%)\n" "$gzipsize" "$ratio";
}
# Syntax-highlight JSON strings or files # Syntax-highlight JSON strings or files
# Usage: `json '{"foo":42}'` or `echo '{"foo":42}' | json` # Usage: `json '{"foo":42}'` or `echo '{"foo":42}' | json`
function json() { function json() {
@@ -160,16 +129,6 @@ function getcertnames() {
fi; fi;
} }
# `s` with no arguments opens the current directory in Sublime Text, otherwise
# opens the given location
function s() {
if [ $# -eq 0 ]; then
subl .;
else
subl "$@";
fi;
}
# `v` with no arguments opens the current directory in Vim, otherwise opens the # `v` with no arguments opens the current directory in Vim, otherwise opens the
# given location # given location
function v() { function v() {


@@ -15,10 +15,11 @@
set -g default-terminal "screen-256color" set -g default-terminal "screen-256color"
set-option -g default-terminal screen-256color set-option -g default-terminal screen-256color
# Use C-a, since it's on the home row and easier to hit than C-b # Use C-t instead
set-option -g prefix C-a set-option -g prefix C-t
unbind C-a unbind C-t
bind C-a send-prefix bind C-t send-prefix
# Set parent terminal title to reflect current window in tmux session # Set parent terminal title to reflect current window in tmux session
set -g set-titles on set -g set-titles on
@@ -44,7 +45,7 @@ bind enter next-layout
# use vim-like keys for splits and windows # use vim-like keys for splits and windows
# #
# Control-A plus: # Control-T plus:
# #
# s = horizontal split # s = horizontal split
# v = vertical split # v = vertical split
@@ -59,52 +60,55 @@ bind h select-pane -L
bind j select-pane -D bind j select-pane -D
bind k select-pane -U bind k select-pane -U
bind l select-pane -R bind l select-pane -R
bind C-h select-pane -L
bind C-l select-pane -R
# smart pane switching with awareness of vim splits # smart pane switching with awareness of vim splits
# (these interfere with the often-used Control-L shortcut
# to clear the screen, so that gets really annoying.)
# #
# Control plus: # Control then:
# #
# h = pick left pane # h = pick left pane
# j = pick left pane # j = pick down pane
# k = pick left pane # k = pick up pane
# l = pick left pane # l = pick right pane
# \ = pick another pane (?)
# #
bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-h) || tmux select-pane -L" # bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-h) || tmux select-pane -L"
bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-j) || tmux select-pane -D" # bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-j) || tmux select-pane -D"
bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-k) || tmux select-pane -U" # bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-k) || tmux select-pane -U"
bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-l) || tmux select-pane -R" # bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-l) || tmux select-pane -R"
bind -n C-\ run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys 'C-\\') || tmux select-pane -l"
# Control-A then Control-L clears the screen # Control-T then Control-O swaps out windows in their respective positions
bind C-l send-keys 'C-l'
# Control-A then Control-O swaps out windows in their respective positions
bind C-o rotate-window bind C-o rotate-window
# Control-A plus + makes existing windows have horizontal layout # Control-T then + makes existing windows have vertical layout
bind + select-layout main-horizontal bind + select-layout main-vertical
# Control-A plus = makes existing windows have vertical layout # Control-T then = makes existing windows have horizontal layout
bind = select-layout main-vertical bind = select-layout main-horizontal
# Control-T Control-N makes a new window in the path of the current pane
bind C-n new-window -c '#{pane_current_path}'
## (no idea what this does) ## (no idea what this does)
#set-window-option -g other-pane-height 25 #set-window-option -g other-pane-height 25
#set-window-option -g other-pane-width 80 #set-window-option -g other-pane-width 80
# Control-A plus [ or ] moves into copy mode or paste mode # Control-T plus [ or ] moves into copy mode or paste mode
bind [ copy-mode bind [ copy-mode
bind ] paste-buffer bind ] paste-buffer
# (no idea) # (no idea)
set-window-option -g display-panes-time 1500 set-window-option -g display-panes-time 1500
# Control-A plus | or _ splits panes vertically (|) or horizontally (_) # Control-T plus | or _ splits panes vertically (|) or horizontally (_)
# (this is better than using percent, but now we've got muscle memory for %)
bind | split-window -h -c "#{pane_current_path}" bind | split-window -h -c "#{pane_current_path}"
bind _ split-window -v -c "#{pane_current_path}" bind _ split-window -v -c "#{pane_current_path}"
# because we were using this before
bind % split-window -h -c "#{pane_current_path}"
# Status Bar # Status Bar
set-option -g status-interval 1 set-option -g status-interval 1
set-option -g status-left '' set-option -g status-left ''
@@ -120,6 +124,7 @@ set -g visual-activity on
# Allow the arrow key to be used immediately after changing windows # Allow the arrow key to be used immediately after changing windows
set-option -g repeat-time 0 set-option -g repeat-time 0
# Set up easy go-to sessions with shortcuts # Set up easy go-to sessions with shortcuts
bind s source-file ~/.tmux.session1 bind s source-file ~/.tmux.session1
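Review bot: The four vim-aware `bind -n C-h/j/k/l run …` lines are commented out rather than removed while the new `bind C-h select-pane -L` / `bind C-l select-pane -R` lines replace them, so the file now carries four long dead lines plus a comment block above them that still describes the old "Control then h/j/k/l" behaviour; git history already keeps the old bindings, so deleting them and rewording the comment, e.g. `# Prefix then h/j/k/l (or C-h / C-l) picks the left/down/up/right pane`, keeps the config readable. The `# Use C-t instead` comment on the prefix change also dropped the original rationale — one clause on why C-t was chosen over C-a would help the next reader.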


@@ -184,20 +184,24 @@ let g:go_fmt_command = "goimports"
" don't move comment hashtag to the first column. " don't move comment hashtag to the first column.
" smartindent is unnecessary for python anyway. " smartindent is unnecessary for python anyway.
" http://stackoverflow.com/questions/2063175/vim-insert-mode-comments-go-to-start-of-line " http://stackoverflow.com/questions/2063175/vim-insert-mode-comments-go-to-start-of-line
au! FileType python setl nosmartindent au! FileType python setl textwidth=0 nosmartindent
" golang " golang
" see https://github.com/paulswanson/congo/blob/master/congo.sh " see https://github.com/paulswanson/congo/blob/master/congo.sh
" ------------------------ " ------------------------
au BufRead,BufNewFile *.go set noexpandtab au BufRead,BufNewFile *.go set textwidth=0 noexpandtab
" Makefiles " Makefiles
" ------------------------ " ------------------------
au BufRead,BufNewFile Makefile*,*.make,*.mk set noexpandtab au BufRead,BufNewFile Makefile*,*.make,*.mk set textwidth=0 noexpandtab
" C++ " C++
" ------------------------ " ------------------------
au BufRead,BufNewFile *.cpp,*.cxx,*.cc,*.c,*.h,*.hpp,*.hxx,*.hh set tabstop=4 shiftwidth=4 softtabstop=4 nowrap au BufRead,BufNewFile *.cpp,*.cxx,*.cc,*.c,*.h,*.hpp,*.hxx,*.hh set textwidth=0 tabstop=4 shiftwidth=4 softtabstop=4 nowrap
" shell scripts
" ------------------------
au BufRead,BufNewFile *.sh set textwidth=0 noexpandtab
" Snakemake files: Snakefile, .rule, .snake, .settings, .smk " Snakemake files: Snakefile, .rule, .snake, .settings, .smk
" ------------------------ " ------------------------
@@ -219,7 +223,7 @@ endfunction
" Javascript " Javascript
" ------------------------- " -------------------------
au BufRead,BufNewFile *.js,*.javascript set tabstop=2 shiftwidth=2 softtabstop=2 nowrap au BufRead,BufNewFile *.js,*.javascript set textwidth=0 tabstop=2 shiftwidth=2 softtabstop=2 nowrap
@@ -537,18 +541,18 @@ noremap <Leader>W :w !sudo tee % > /dev/null<cr>
" ---------------------------- " ----------------------------
" colorrrzzzzz " colorrrzzzzz
" ---------------------------- " ----------------------------
set background=dark """ set background=dark
"""
set t_Co=256 """ set t_Co=256
"""
function! BgToggle() """ function! BgToggle()
if &background == "light" """ if &background == "light"
execute ":set background=dark" """ execute ":set background=dark"
else """ else
execute ":set background=light" """ execute ":set background=light"
endif """ endif
endfunction """ endfunction
""" nnoremap <F5> :call BgToggle()<cr> """ nnoremap <F5> :call BgToggle()<cr>
@@ -598,4 +602,9 @@ vmap <C-j> xp`[V`]
" ----------------------------- " -----------------------------
" Jedi Autocomplete Plugin " Jedi Autocomplete Plugin
" ----------------------------- " -----------------------------
"let g:jedi#auto_initialization = 0
"" -----------------------
"" Black shortcut
"" -----------------------


@@ -4,7 +4,7 @@
#find . -type f -maxdepth 1 -name ".*" | xargs -t -n1 -I% diff % ~/% #find . -type f -maxdepth 1 -name ".*" | xargs -t -n1 -I% diff % ~/%
# The (more careful) loop version: # The (more careful) loop version:
for file in $(find . -type f -maxdepth 1 -name ".*"); do for file in $(find . -maxdepth 1 -type f -name ".*"); do
if [[ -f ~/$file ]]; then if [[ -f ~/$file ]]; then
echo "------------" echo "------------"
echo "$file exists in home directory, calculating diff..." echo "$file exists in home directory, calculating diff..."


@@ -1,39 +0,0 @@
#!/bin/bash
#
# Set up the ufw firewall for bear.
# 22 - ssh
# 80 - http
# 443 - https
# 8080, 8888, 8000 - for something to use
if [ "$(id -u)" != "0" ]; then
echo ""
echo ""
echo "This script must be run as root!"
echo ""
echo ""
exit 1;
fi
set -x
# Start by setting defaults on ufw
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow 22
ufw allow 80
ufw allow 443
ufw --force enable
# allow ufw to nat connections from
# external interface to internal
# (docker) interfaces
sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
ufw reload
# enable packet masquerading so we can
# get the real IP of clients inside
# docker containers.
iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE


@@ -0,0 +1,119 @@
#!/bin/bash
set -e
ipt="sudo /sbin/iptables"
# Set default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
# Flush and clear everything
$ipt -t nat -F
$ipt -t mangle -F
$ipt -F
$ipt -X
# Name of main ethernet connection device
ETH="wlan0"
# Name of PIA VPN tunnel device
PIATUN="tun1"
# Name of tinc tunnel device
TINCTUN="master"
# Name of loopback interface for PiHole DNS server
PHDNS="lo:1"
########### LOOPBACK ##########
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i lo:1 -j ACCEPT
########### INCOMING ##########
# Allow any established connection to come in or out
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
########### PING ##############
# Allow incoming ping requests
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
########### SSH ###############
# Allow incoming SSH sessions, new or established
$ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow incoming SSH traffic, if part of established conversation
$ipt -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
########### TINC ##############
# Allow incoming VPN sessions destined for 655, new or established
$ipt -A INPUT -p udp --dport 655 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow incoming VPN traffic coming from 655, part of established conversation
$ipt -A INPUT -p udp --sport 655 -m conntrack --ctstate ESTABLISHED -j ACCEPT
########### HTTP/HTTPS ########
# Allow incoming HTTP/HTTPS traffic, part of established conversation
$ipt -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$ipt -A INPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow incoming HTTP/HTTPS requests from tinc tunnel
$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 443 -j ACCEPT
# Allow incoming HTTP/HTTPS requests from local ethernet
$ipt -A INPUT -p tcp -i ${ETH} --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp -i ${ETH} --dport 443 -j ACCEPT
########### PIHOLE UI #########
# Allow incoming requests to 8888/8443 via tinc tunnel
$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 8888 -j ACCEPT
$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 8443 -j ACCEPT
########### TELEMETRY #########
# Allow node exporter traffic from source port 9100
$ipt -A INPUT -p tcp --dport 9100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -p tcp --sport 9100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow cadvisor on port 8080
$ipt -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -p tcp --sport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow nginx on port 9113
$ipt -A INPUT -p tcp --dport 9113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ipt -A INPUT -p tcp --sport 9113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
########### DHCP ##############
# Allow any DHCP traffic to come in or out
$ipt -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
$ipt -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
########### DNS ###############
PROTOCOLS="tcp udp"
for prot in $PROTOCOLS; do
# General DNS Traffic:
# Allow incoming DNS traffic coming from 53, part of established conversation
$ipt -A INPUT -p $prot --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# PiHole self-accept traffic from port 53
$ipt -A INPUT -p $prot -i ${PHDNS} --dport 53 -j ACCEPT
# # PiHole DNS (lo:1) <-> PIA VPN Tunnel (tun0):
# # PiHole can always send DNS queries out through tunnel
# $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${PIATUN} --dport 53 -j ACCEPT
# # Responses to PiHole can always return via tunnel
# $ipt -A FORWARD -p $prot -i ${PIATUN} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# PiHole DNS (lo:1) <-> ethernet
# PiHole can always send DNS queries out through tunnel
$ipt -A FORWARD -p $prot -i ${PHDNS} -o ${ETH} --dport 53 -j ACCEPT
# Responses to PiHole can always return via ethernet
$ipt -A FORWARD -p $prot -i ${ETH} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# # Enable logging
# $ipt -N LOGGING
# $ipt -A INPUT -j LOGGING
# $ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: " --log-level 4
# $ipt -A LOGGING -j DROP
# Make rules persistent
sudo netfilter-persistent save
# Restore docker iptables rules
sudo service docker restart
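Review bot: The three `--sport 9100` / `--sport 8080` / `--sport 9113 … --ctstate NEW,ESTABLISHED -j ACCEPT` INPUT rules in the TELEMETRY block accept *new* inbound connections keyed on the client's source port, which a remote peer chooses freely, so any listener on the host becomes reachable through the DROP policy simply by connecting from one of those source ports; drop those three lines and keep the `--dport` ones (the `--sport 22`/`655`/`80`/`443` ESTABLISHED-only rules are merely redundant with the generic RELATED,ESTABLISHED rule near the top). The script also sets `-P INPUT DROP` before it flushes, so if anything after `$ipt -F` fails under `set -e` the host is left with DROP policies and no ACCEPT rules — a lock-out when this is run over SSH or the tinc tunnel; set the policies to ACCEPT first and switch to DROP only after the rules are installed. Lastly, `-i lo:1` / `-i ${PHDNS}` name an address-alias label, and netfilter sees only the base device `lo`, so those rules most likely never match — check the `iptables -vL` counters and match on `lo` plus the alias's address instead; `PIATUN` is also assigned but unused now that the tunnel rules are commented out.

```shell
# Keep the host reachable while the ruleset is rebuilt: open policies first,
# flush, install the rules, and only then switch the defaults to DROP.
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
# … unchanged: flush, interface names, rules (minus the three --sport … NEW lines) …
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
# … unchanged: netfilter-persistent save, docker restart …
```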


@@ -0,0 +1,10 @@
#!/bin/bash
#
# this is where you would add any
# pre-baked public keys.
set -x
yes | ssh-keygen -f $HOME/.ssh/id_rsa_ch4zm -t rsa -N ''
chmod 700 $HOME/.ssh
touch $HOME/.ssh/authorized_keys
chmod 600 $HOME/.ssh/authorized_keys
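Review bot: `yes | ssh-keygen -f $HOME/.ssh/id_rsa_ch4zm …` answers the overwrite prompt with `y`, so re-running the script silently replaces an existing `id_rsa_ch4zm` and its public half, and any host that trusted the old key is then locked out with no record; generate only when the file is absent and let ssh-keygen refuse otherwise. `$HOME/.ssh` is created and `chmod 700`ed only after the key is written, so on a fresh account ssh-keygen fails on the missing directory, and `$HOME` is unquoted throughout. `-N ''` leaves the private key unencrypted on disk, which may be deliberate for an unattended key but should be said in a comment; `set -x` will also echo every command line into whatever captures the script's stderr.

```shell
# Directory first, owner-only, so ssh-keygen has somewhere to write.
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"
# Generate once; never overwrite a key other hosts may already trust.
if [ ! -e "$HOME/.ssh/id_rsa_ch4zm" ]; then
  ssh-keygen -f "$HOME/.ssh/id_rsa_ch4zm" -t rsa -N ''  # -N '': no passphrase — TODO confirm intended
fi
# … unchanged: authorized_keys touch/chmod …
```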