Difference between revisions of "Very Windy"
Latest revision as of 10:56, 30 April 2026
lvm procedure
The VM disk /dev/sda has been enlarged.
1. Check the current state
lsblk
2. Rescan disk "sda"
echo 1 > /sys/block/sda/device/rescan
3. Grow the partition
growpart /dev/sda 3
4. Check the PV
pvs
4a. If needed, grow the physical volume
pvresize /dev/sda3
5. Check the VG
vgs
6. Grow the LV and the filesystem (-r resizes the filesystem along with the LV)
lvresize -rL+50G /dev/mapper/system-docker
lvextend -rl +100%FREE /dev/mapper/vm208-root
git
git submodule update --init   load submodules
git submodule update --init --recursive   load submodules (recursively)
git submodule update --remote   load submodules (from remote)
git submodule update   update submodules
Append information after commit:
git commit --amend --author "Ueli Hans<[email protected]>"
Temporarily store current changes and revert to latest pull:
git stash
Go back to stashed changes:
git stash pop
openssl
Check CSR:
openssl req -in sample.csr -noout -text
Bash to check private key against certificate (checkssl.sh):
cn=files/reverseproxies/etc/haproxy/certs/www.sexybit.sh
crt="${cn:?Common Name fuer Key und Cert nicht angegebe...}.crt"
key="$cn.key"
crtmd5=$( openssl x509 -noout -modulus -in "$crt" | openssl md5 ) ; \
keymd5=$( openssl rsa -noout -modulus -in "$key" | openssl md5 ) ; \
\
echo "crt: $crtmd5" ; echo "key: $keymd5" ; printf "Dateien: \"$crt\" & \"$key\" -- " ; \
[ "$crtmd5" = "$keymd5" ] && echo "passen zusammen :)" || echo "passen NICHT zusammen :("
ansible
ansible-playbook -C -D playbooks/all.yml -u $USER -t nginx
-C (check, dry run), -D (diff, show differences), -u <remote user>, -t <tags>
Tags let you run only specific tagged tasks in a playbook instead of executing everything. Multiple tags can be comma-separated.
Tags can be skipped with --skip-tags <tags>
Tasks tagged 'always' will run no matter what tags are selected.
Tasks tagged 'never' only run if explicitly requested with -t never
ln
ln -s ../files
curl
curl -vvv verbose verbose verbose
curl -v --resolve windy.verywindy.ch:443:192.168.161.1 https://windy.verywindy.ch check connection with hardcoded dns
curl -x sexybit.sh https://apod.nasa.gov check connection with proxy
curl -L https://apod.nasa.gov follow redirects
New Systems
Size: 2CPU, 2G RAM, 40G Disk
VG Name: system
/: 10G
Swap: 4G
/var-log: 4G
dns: 10.8.3.74 / 10.8.3.174
http://mirror.nat.srv.ch/2025/q4/ubuntu
IPTables / firewalld
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p tcp --dport 21022 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="8">-p udp --sport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-p tcp --sport 21022 -m state --state ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="6">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="8">-p tcp --dport 80 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="9">-p tcp --dport 443 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="12">-p udp --dport 123 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="56">-p tcp --dport 5665 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="67">-p udp --dport 67:68 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="69">-m state --state ESTABLISHED,RELATED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="99">-j DROP</rule>
</direct>
Show all direct rules (/etc/firewalld/direct.xml):
firewall-cmd --get-all-rules --direct
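As an added example (not part of this wiki page), a small Python audit of a firewalld direct.xml: it orders the rules per chain by priority, the way firewalld inserts them, and flags any rule that sits after the catch-all -j DROP and therefore never matches. The sample XML is constructed from a subset of the rules above plus one extra OUTPUT rule at priority 120.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: subset of the rules above plus one OUTPUT rule after the DROP.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="69">-m state --state ESTABLISHED,RELATED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="99">-j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="120">-p tcp --dport 8080 -j ACCEPT</rule>
</direct>
"""

def parse_direct(xml_text):
    """Parse direct.xml into rule dicts: ipv, table, chain, priority, args."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{
        "ipv": e.get("ipv", "ipv4"),
        "table": e.get("table", "filter"),
        "chain": e.get("chain", ""),
        "priority": int(e.get("priority", "0")),
        "args": " ".join((e.text or "").split()),
    } for e in root.iter("rule")]

def rules_by_chain(rules):
    """Group per (ipv, table, chain), lower priority value first (firewalld order)."""
    chains = defaultdict(list)
    for rule in rules:
        chains[(rule["ipv"], rule["table"], rule["chain"])].append(rule)
    return {k: sorted(v, key=lambda r: r["priority"]) for k, v in chains.items()}

def shadowed_rules(rules):
    """Rules that can never match: an unconditional '-j DROP' with a lower
    priority precedes them in the same chain (a priority typo silently disables them)."""
    shadowed = []
    for chain_rules in rules_by_chain(rules).values():
        after_drop = False
        for rule in chain_rules:
            if after_drop:
                shadowed.append(rule)
            elif rule["args"] == "-j DROP":
                after_drop = True
    return shadowed

def chains_without_drop(rules):
    """Chains with direct rules but no catch-all DROP: their default is the zone's, not direct.xml's."""
    return sorted(key[2] for key, chain_rules in rules_by_chain(rules).items()
                  if not any(r["args"] == "-j DROP" for r in chain_rules))
```

Run it against the real file with parse_direct(open("/etc/firewalld/direct.xml").read()) to get the same checks for the live ruleset.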
Clear root Password / disable root login
-d --delete: delete user's password
-l --lock: lock user's password
# passwd -dl root
Start new git project
Create blank repo without README.md
Run ansible-init script (cs)
Monitoring
The icinga server connects to the agent over port 5665.
Create a downtime during maintenance.
Maintenance
Delete snapshots after 1 week.
upremote
$HOME/scripts/
$HOME/log/
Check yo shit front to back
Remount /tmp without noexec flag
mount -o remount,exec /tmp
tmux
Move window to other pane:
Ctrl + b :move-pane -t X
Move window to new pane:
Ctrl + b !
icinga2
Check available commands in Icinga Director / Commands.
After editing monitoring parameters in ansible:
ansible-playbook -D playbooks/all.yml -t icinga2_agent:update-host
pfx/pem conversion
- Extract the private key (you will be prompted to enter the PFX file password and to set a password for the private key)
openssl pkcs12 -in your_certificate.pfx -nocerts -out private_key.key
- Extract the CRT certificate (you will be prompted to enter the PFX file password)
openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out certificate.crt
- (Optional) Remove the password from the private key (you will be prompted to enter the password set for the private key)
openssl rsa -in private_key.key -out private_key_nopass.key
Whether the private key is encrypted can be checked with # cat private.key (first line)
Use argument -legacy for deprecated ciphers.
Look at certificate:
openssl x509 -text -in /home/local/RootCAIII.crt -noout | grep 'Subject:\|Issuer:'
Enable SFTP for end customers
Find high port on mgmt01: nft list ruleset | grep target_host_ip
Horizon Security Group Rules (mgmt-ssh-forwarding), allow ingress from client_ip
openstack cli
export OS_CLOUD="name"
icinga2 host vars
host_vars/host_name/icinga2.yml:
icinga2_agent__host_vars:
mailq:
mailq_servertype: "sendmail"
mysql
mysql <dbname> < /home/doobiean/anUpdate.sql Apply the SQL file to the <dbname> database
mysql -e "SHOW DATABASES" | grep 0109 look for databases
ansible-vault
ansible-vault encrypt_string <string> encrypt <string>
splunk
grep -i "connected to" /opt/splunkforwarder/var/log/splunk/splunkd.log Check connected servers.
openDKIM
chmod -R ug+x /etc/opendkim If key-permissions are denied, even though they appear to be correct.
n1
dig 6bit.ch +short
whois $(!!)
digiz0rt
Standard
DNS TXT Record, SSL Cert Business, Platform: Linux
Special
UCC16: Many SANs
Wildcard: Wildcard
icinga2 nginx
vim /usr/lib/nagios/plugins/check_nginx_status.pl
use lib '/usr/lib/nagios/plugins';
chmod 755 /usr/lib/nagios/plugins/utils.pm
ln -s /usr/lib/nagios/plugins/utils.pm /usr/local/lib/nagios/plugins/utils.pm
Deploy
ansible-playbook -u $USER -b playbook-deploy.yml -l prod --extra-vars "esb_release_tag=v26.8.0 typo3_release_tag=v26.8.0" -D without -C
vim files/web/srv/*/www/{typo3,esb}/deploy comment out the version check, for a redeploy