update vimrc

crontab/bespin.crontab

@@ -5,6 +5,6 @@
 # DOW (day of week): 0-6 or Sun-Sat
 #
 # MIN   HR  DOM   MONTH   DOW   CMD
-  5     3   *     *       *     /home/charles/pod-private-wiki/utils-backup/wikidb_dump.sh
+  3     3   *     *       *     /home/charles/pod-private-wiki/utils-backup/wikidb_dump.sh
   6     3   *     *       *     /home/charles/pod-private-wiki/utils-backup/wikifiles_dump.sh
-
+  12    3   *     *       *     bash -c '/usr/bin/test -d /media/charles/usb && /bin/ls -1 -t /home/charles/backups | /usr/bin/head -n1 | /usr/bin/xargs -IREPL cp -r /home/charles/backups/REPL /media/charles/usb/backups/.'

crontab/lars.sudo.crontab

@@ -0,0 +1,8 @@
+# MIN: 0-59
+# HOUR: 0-23
+# DOM (day of month): 1-31
+# MONTH: 1-12 or Jan-Dec
+# DOW (day of week): 0-6 or Sun-Sat
+#
+# MIN   HR  DOM   MONTH   DOW   CMD
+  3     2   *     *       Sun   cd /home/charles/pod-gollyx-mongo/d-mongodb/ && ./make_mongo_pem.sh

dotfiles/.aliases

@@ -20,12 +20,17 @@ alias ipy='ipython --pylab'
 alias ip="curl -4 icanhazip.com"
 alias ipaddr="curl -4 icanhazip.com"
 
+# uuid generator
+alias uuid="uuidgen"
+
 
 # python stuff
 # ------------
 # https://unix.stackexchange.com/a/459586
 alias vp="[ -d vp ] || virtualenv -p python3 vp && source vp/bin/activate"
-
+if [[ "${HOSTNAME}" == "burro" ]]; then
+    alias vpp="[ -d vpp ] || virtualenv --python ${HOME}/.pyenv/versions/pypy3.9-7.3.9/bin/pypy3 vpp && source vpp/bin/activate"
+fi
 
 # one-letter aliases
 # ---------------
@@ -122,13 +127,79 @@ alias c='clear'
 
 
 
-# socks proxy thru charlesreid1
-# (forwards http traffic thru charlesreid1 port 8080)
+# socks proxy thru seawater for private wiki access
+# (use with foxyproxy, point to localhost:5778)
 # ---------------
-alias socks='ssh -fN -D 8080 charles@charlesreid1.com'
+alias socks='ssh -D 5778 -p 5778 charles@charlesreid1.party -f -N'
 
 
 
+# tinc vpn
+# ---------------
+
+alias seawatervpn="seawatervpn"
+function seawatervpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.1"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+alias randalvpn="randalvpn"
+function randalvpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.10"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+alias mayavpn="mayavpn"
+function mayavpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.20"
+  ssh -Y charles@${IP} # the actual ssh call
+}
+
+alias bearvpn="bearvpn"
+function bearvpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.40"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+alias emmettvpn="emmettvpn"
+function emmettvpn() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.30.55"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
+# Local machines
+# ---------------
+
+alias randal="randal"
+function randal() {
+  ssh-agent > ~/ssh.file # env vars in ssh.file
+  chmod +x ~/ssh.file # execute file
+  ~/ssh.file > /dev/null
+  rm -f ~/ssh.file
+  export IP="192.168.0.10"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
+}
+
 # Remote machines
 # ---------------
 
@@ -149,27 +220,27 @@ function bear() {
   ~/ssh.file > /dev/null
   rm -f ~/ssh.file
   export IP="173.255.249.79"
-  ssh -Y charles@${IP} # the actual ssh call
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
 }
 
-alias bespin="bespin"
-function bespin() {
+alias emmett="emmett"
+function emmett() {
   ssh-agent > ~/ssh.file # env vars in ssh.file
   chmod +x ~/ssh.file # execute file
   ~/ssh.file > /dev/null
   rm -f ~/ssh.file
-  export IP="bespin"
-  ssh -Y charles@${IP} # the actual ssh call
+  export IP="173.255.252.181"
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
 }
 
-alias dorky="dorky"
-function dorky() {
+alias seawater="seawater"
+function seawater() {
   ssh-agent > ~/ssh.file # env vars in ssh.file
   chmod +x ~/ssh.file # execute file
   ~/ssh.file > /dev/null
   rm -f ~/ssh.file
   export IP="charlesreid1.party"
-  ssh -Y charles@${IP} # the actual ssh call
+  ssh -p 5778 -Y charles@${IP} # the actual ssh call
 }
 
 

dotfiles/.bash_profile

@@ -60,6 +60,7 @@ export PATH="$GOENV_ROOT/bin:$PATH"
 # https://github.com/pyenv/pyenv-installer
 export PYENV_ROOT="$HOME/.pyenv"
 export PATH="$PYENV_ROOT/bin:$PATH"
+eval "$(pyenv init --path)"
 eval "$(pyenv init -)"
 
 export PATH

dotfiles/.bash_prompt

@@ -41,24 +41,14 @@ else
 	white="\e[1;37m";
 fi;
 
-if [[ "${HOSTNAME}" == "rojo" ]]; then
+if [[ "${HOSTNAME}" == "bear" ]]; then
     userStyle="${red}"
-elif [[ "${HOSTNAME}" == "jupiter" ]]; then
-    userStyle="${green}"
-elif [[ "${HOSTNAME}" == "krash" ]]; then
-    userStyle="${cyan}"
-elif [[ "${HOSTNAME}" == "bear" ]]; then
-    userStyle="${red}"
-elif [[ "${HOSTNAME}" == "bespin" ]]; then
+elif [[ "${HOSTNAME}" == "randal" ]]; then
     userStyle="${purple}"
-elif [[ "${HOSTNAME}" == "dorky" ]]; then
-    userStyle="${yellow}"
 elif [[ "${HOSTNAME}" == "emmett" ]]; then
     userStyle="${green}"
-elif [[ "${HOSTNAME}" == "dudley" ]]; then
-    userStyle="${cyan}"
-elif [[ "${HOSTNAME}" == "lars" ]]; then
-    userStyle="${white}"
+elif [[ "${HOSTNAME}" == "seawater" ]]; then
+    userStyle="${green}"
 else
     userStyle="${yellow}"
 fi

dotfiles/.bashrc

@@ -1 +1,3 @@
 [ -n "$PS1" ] && source ~/.bash_profile;
+## uh... maybe just this?
+#source ~/.bash_profile

dotfiles/.functions

@@ -5,11 +5,6 @@ function mkd() {
 	mkdir -p "$@" && cd "$_";
 }
 
-# Change working directory to the top-most Finder window location
-function cdf() { # short for `cdfinder`
-	cd "$(osascript -e 'tell app "Finder" to POSIX path of (insertion location as alias)')";
-}
-
 # Create a .tar.gz archive, using `zopfli`, `pigz` or `gzip` for compression
 function targz() {
 	local tmpFile="${@%/}.tar";
@@ -58,14 +53,6 @@ function fs() {
 	fi;
 }
 
-# Use Git’s colored diff when available
-hash git &>/dev/null;
-if [ $? -eq 0 ]; then
-	function diff() {
-		git diff --no-index --color-words "$@";
-	}
-fi;
-
 # Create a data URL from a file
 function dataurl() {
 	local mimeType=$(file -b --mime-type "$1");
@@ -84,24 +71,6 @@ function server() {
 	python -c $'import SimpleHTTPServer;\nmap = SimpleHTTPServer.SimpleHTTPRequestHandler.extensions_map;\nmap[""] = "text/plain";\nfor key, value in map.items():\n\tmap[key] = value + ";charset=UTF-8";\nSimpleHTTPServer.test();' "$port";
 }
 
-# Start a PHP server from a directory, optionally specifying the port
-# (Requires PHP 5.4.0+.)
-function phpserver() {
-	local port="${1:-4000}";
-	local ip=$(ipconfig getifaddr en1);
-	sleep 1 && open "http://${ip}:${port}/" &
-	php -S "${ip}:${port}";
-}
-
-# Compare original and gzipped file size
-function gz() {
-	local origsize=$(wc -c < "$1");
-	local gzipsize=$(gzip -c "$1" | wc -c);
-	local ratio=$(echo "$gzipsize * 100 / $origsize" | bc -l);
-	printf "orig: %d bytes\n" "$origsize";
-	printf "gzip: %d bytes (%2.2f%%)\n" "$gzipsize" "$ratio";
-}
-
 # Syntax-highlight JSON strings or files
 # Usage: `json '{"foo":42}'` or `echo '{"foo":42}' | json`
 function json() {
@@ -160,16 +129,6 @@ function getcertnames() {
 	fi;
 }
 
-# `s` with no arguments opens the current directory in Sublime Text, otherwise
-# opens the given location
-function s() {
-	if [ $# -eq 0 ]; then
-		subl .;
-	else
-		subl "$@";
-	fi;
-}
-
 # `v` with no arguments opens the current directory in Vim, otherwise opens the
 # given location
 function v() {

dotfiles/.tmux.conf

@@ -15,10 +15,11 @@
 set -g default-terminal "screen-256color"
 set-option -g default-terminal screen-256color
 
-# Use C-a, since it's on the home row and easier to hit than C-b
-set-option -g prefix C-a
-unbind C-a
-bind C-a send-prefix
+# Use C-t instead
+set-option -g prefix C-t
+unbind C-t
+bind C-t send-prefix
+
 
 # Set parent terminal title to reflect current window in tmux session
 set -g set-titles on
@@ -44,7 +45,7 @@ bind enter next-layout
 
 # use vim-like keys for splits and windows
 # 
-#   Control-A plus:
+#   Control-T plus:
 # 
 #   s = horizontal split
 #   v = vertical split
@@ -59,52 +60,55 @@ bind h select-pane -L
 bind j select-pane -D
 bind k select-pane -U
 bind l select-pane -R
-bind C-h select-pane -L
-bind C-l select-pane -R
 
 # smart pane switching with awareness of vim splits
+# (these interfere with the often-used Control-L shortcut
+# to clear the screen, so that gets really annoying.)
 # 
-# Control plus:
+# Control then:
 # 
 #   h = pick left pane
-#   j = pick left pane
-#   k = pick left pane
-#   l = pick left pane
-#   \ = pick another pane (?)
+#   j = pick down pane
+#   k = pick up pane
+#   l = pick right pane
 #
-bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-h) || tmux select-pane -L"
-bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-j) || tmux select-pane -D"
-bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-k) || tmux select-pane -U"
-bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-l) || tmux select-pane -R"
-bind -n C-\ run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys 'C-\\') || tmux select-pane -l"
+# bind -n C-h run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-h) || tmux select-pane -L"
+# bind -n C-j run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-j) || tmux select-pane -D"
+# bind -n C-k run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-k) || tmux select-pane -U"
+# bind -n C-l run "(tmux display-message -p '#{pane_current_command}' | grep -iqE '(^|\/)vim$' && tmux send-keys C-l) || tmux select-pane -R"
 
-# Control-A then Control-L clears the screen
-bind C-l send-keys 'C-l'
-
-# Control-A then Control-O swaps out windows in their respective positions
+# Control-T then Control-O swaps out windows in their respective positions
 bind C-o rotate-window
 
-# Control-A plus + makes existing windows have horizontal layout
-bind + select-layout main-horizontal
+# Control-T then + makes existing windows have vertical layout
+bind + select-layout main-vertical
 
-# Control-A plus = makes existing windows have vertical layout
-bind = select-layout main-vertical
+# Control-T then = makes existing windows have horizontal layout
+bind = select-layout main-horizontal
+
+# Control-T Control-N makes a new window in the path of the current pane
+bind C-n new-window -c '#{pane_current_path}'
 
 ## (no idea what this does)
 #set-window-option -g other-pane-height 25
 #set-window-option -g other-pane-width 80
 
-# Control-A plus [ or ] moves into copy mode or paste mode
+# Control-T plus [ or ] moves into copy mode or paste mode
 bind [ copy-mode
 bind ] paste-buffer
 
 # (no idea)
 set-window-option -g display-panes-time 1500
 
-# Control-A plus | or _ splits panes vertically (|) or horizontally (_)
+# Control-T plus | or _ splits panes vertically (|) or horizontally (_)
+# (this is better than using percent, but now we've got muscle memory for %)
 bind | split-window -h -c "#{pane_current_path}"
 bind _ split-window -v -c "#{pane_current_path}"
 
+# because we were using this before
+bind % split-window -h -c "#{pane_current_path}"
+
+
 # Status Bar
 set-option -g status-interval 1
 set-option -g status-left ''
@@ -120,6 +124,7 @@ set -g visual-activity on
 
 # Allow the arrow key to be used immediately after changing windows
 set-option -g repeat-time 0
+
 # Set up easy go-to sessions with shortcuts 
 bind s source-file ~/.tmux.session1
 

dotfiles/.vimrc

@@ -184,20 +184,24 @@ let g:go_fmt_command = "goimports"
 " don't move comment hashtag to the first column.
 " smartindent is unnecessary for python anyway.
 " http://stackoverflow.com/questions/2063175/vim-insert-mode-comments-go-to-start-of-line
-au! FileType python setl nosmartindent
+au! FileType python setl textwidth=0 nosmartindent
 
 " golang
 " see https://github.com/paulswanson/congo/blob/master/congo.sh
 " ------------------------
-au BufRead,BufNewFile *.go set noexpandtab
+au BufRead,BufNewFile *.go set textwidth=0 noexpandtab
 
 " Makefiles
 " ------------------------
-au BufRead,BufNewFile Makefile*,*.make,*.mk set noexpandtab
+au BufRead,BufNewFile Makefile*,*.make,*.mk set textwidth=0 noexpandtab
 
 " C++
 " ------------------------
-au BufRead,BufNewFile *.cpp,*.cxx,*.cc,*.c,*.h,*.hpp,*.hxx,*.hh set tabstop=4 shiftwidth=4 softtabstop=4 nowrap
+au BufRead,BufNewFile *.cpp,*.cxx,*.cc,*.c,*.h,*.hpp,*.hxx,*.hh set textwidth=0 tabstop=4 shiftwidth=4 softtabstop=4 nowrap
+
+" shell scripts
+" ------------------------
+au BufRead,BufNewFile *.sh set textwidth=0 noexpandtab
 
 " Snakemake files: Snakefile, .rule, .snake, .settings, .smk
 " ------------------------
@@ -219,7 +223,7 @@ endfunction
 
 " Javascript
 " -------------------------
-au BufRead,BufNewFile *.js,*.javascript set tabstop=2 shiftwidth=2 softtabstop=2 nowrap
+au BufRead,BufNewFile *.js,*.javascript set textwidth=0 tabstop=2 shiftwidth=2 softtabstop=2 nowrap
 
 
 
@@ -537,18 +541,18 @@ noremap <Leader>W :w !sudo tee % > /dev/null<cr>
 " ----------------------------
 " colorrrzzzzz
 " ----------------------------
-
-set background=dark
-
-set t_Co=256
-
-function! BgToggle()
-  if &background == "light"
-    execute ":set background=dark"
-  else
-    execute ":set background=light"
-  endif
-endfunction
+
+""" set background=dark
+""" 
+""" set t_Co=256
+""" 
+""" function! BgToggle()
+"""   if &background == "light"
+"""     execute ":set background=dark"
+"""   else
+"""     execute ":set background=light"
+"""   endif
+""" endfunction
 """ nnoremap <F5> :call BgToggle()<cr>
 
 
@@ -598,4 +602,9 @@ vmap <C-j> xp`[V`]
 
 " -----------------------------
 " Jedi Autocomplete Plugin
-" -----------------------------
+" -----------------------------
+"let g:jedi#auto_initialization = 0
+
+"" -----------------------
+""  Black shortcut
+"" -----------------------

dotfiles/diff_dotfiles.sh

@@ -4,7 +4,7 @@
 #find . -type f -maxdepth 1 -name ".*" | xargs -t -n1 -I% diff % ~/%
 
 # The (more careful) loop version:
-for file in $(find . -type f -maxdepth 1 -name ".*"); do
+for file in $(find . -maxdepth 1 -type f  -name ".*"); do
     if [[ -f ~/$file ]]; then
         echo "------------"
         echo "$file exists in home directory, calculating diff..."

firewall/bear_ufw.sh

@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Set up the ufw firewall for bear.
-# 22 - ssh
-# 80 - http
-# 443 - https
-# 8080, 8888, 8000 - for something to use
-
-if [ "$(id -u)" != "0" ]; then
-    echo ""
-    echo ""
-    echo "This script must be run as root!"
-    echo ""
-    echo ""
-    exit 1;
-fi
-
-set -x
-
-# Start by setting defaults on ufw
-ufw --force reset
-ufw default deny incoming
-ufw default allow outgoing
-ufw allow 22
-ufw allow 80
-ufw allow 443
-ufw --force enable
-
-# allow ufw to nat connections from
-# external interface to internal 
-# (docker) interfaces
-sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
-ufw reload
-
-# enable packet masquerading so we can
-# get the real IP of clients inside
-# docker containers.
-iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
-

firewall/bespin_iptables_pihole_tinc.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+set -e
+
+ipt="sudo /sbin/iptables"
+
+# Set default policies
+$ipt -P INPUT DROP
+$ipt -P FORWARD DROP
+$ipt -P OUTPUT ACCEPT
+
+# Flush and clear everything
+$ipt -t nat -F
+$ipt -t mangle -F
+$ipt -F
+$ipt -X
+
+# Name of main ethernet connection device
+ETH="wlan0"
+# Name of PIA VPN tunnel device
+PIATUN="tun1"
+# Name of tinc tunnel device
+TINCTUN="master"
+# Name of loopback interface for PiHole DNS server
+PHDNS="lo:1"
+
+########### LOOPBACK ##########
+$ipt -A INPUT -i lo -j ACCEPT
+$ipt -A INPUT -i lo:1 -j ACCEPT
+
+########### INCOMING ##########
+# Allow any established connection to come in or out
+$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+$ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+########### PING ##############
+# Allow incoming ping requests
+$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+########### SSH ###############
+# Allow incoming SSH sessions, new or established
+$ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow incoming SSH traffic, if part of established conversation
+$ipt -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+########### TINC ##############
+# Allow incoming VPN sessions destined for 655, new or established
+$ipt -A INPUT -p udp --dport 655 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow incoming VPN traffic coming from 655, part of established conversation
+$ipt -A INPUT -p udp --sport 655 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+########### HTTP/HTTPS ########
+# Allow incoming HTTP/HTTPS traffic, part of established conversation
+$ipt -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Allow incoming HTTP/HTTPS requests from tinc tunnel
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 80 -j ACCEPT
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 443 -j ACCEPT
+
+# Allow incoming HTTP/HTTPS requests from local ethernet
+$ipt -A INPUT -p tcp -i ${ETH} --dport 80 -j ACCEPT
+$ipt -A INPUT -p tcp -i ${ETH} --dport 443 -j ACCEPT
+
+########### PIHOLE UI #########
+# Allow incoming requests to 8888/8443 via tinc tunnel
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 8888 -j ACCEPT
+$ipt -A INPUT -p tcp -i ${TINCTUN} --dport 8443 -j ACCEPT
+
+########### TELEMETRY #########
+# Allow node exporter traffic from source port 9100
+$ipt -A INPUT -p tcp --dport 9100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 9100 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow cadvisor on port 8080
+$ipt -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+# Allow nginx on port 9113
+$ipt -A INPUT -p tcp --dport 9113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+$ipt -A INPUT -p tcp --sport 9113 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+
+########### DHCP ##############
+# Allow any DHCP traffic to come in or out
+$ipt -A INPUT  -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+$ipt -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
+
+########### DNS ###############
+PROTOCOLS="tcp udp"
+for prot in $PROTOCOLS; do
+    # General DNS Traffic:
+    # Allow incoming DNS traffic coming from 53, part of established conversation
+    $ipt -A INPUT  -p $prot --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+
+    # PiHole self-accept traffic from port 53
+    $ipt -A INPUT -p $prot -i ${PHDNS} --dport 53 -j ACCEPT
+
+    # # PiHole DNS (lo:1) <-> PIA VPN Tunnel (tun0):
+    # # PiHole can always send DNS queries out through tunnel
+    # $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${PIATUN} --dport 53 -j ACCEPT
+    # # Responses to PiHole can always return via tunnel
+    # $ipt -A FORWARD -p $prot -i ${PIATUN} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+    # PiHole DNS (lo:1) <-> ethernet
+    # PiHole can always send DNS queries out through tunnel
+    $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${ETH} --dport 53 -j ACCEPT
+    # Responses to PiHole can always return via ethernet
+    $ipt -A FORWARD -p $prot -i ${ETH} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+done
+
+# # Enable logging
+# $ipt -N LOGGING
+# $ipt -A INPUT -j LOGGING
+# $ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: " --log-level 4
+# $ipt -A LOGGING -j DROP
+
+# Make rules persistent
+sudo netfilter-persistent save
+
+# Restore docker iptables rules
+sudo service docker restart

tasks/secrets/ch4zm_gen_ssh_keys.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# 
+# this is where you would add any
+# pre-baked public keys.
+set -x
+
+yes | ssh-keygen -f $HOME/.ssh/id_rsa_ch4zm -t rsa -N ''
+chmod 700 $HOME/.ssh
+touch $HOME/.ssh/authorized_keys
+chmod 600 $HOME/.ssh/authorized_keys