Difference between revisions of "Very Windy"

From 6bit.ch wiki

Revision as of 13:00, 19 June 2026

lvm procedure

 The VM disk /dev/sda was enlarged on the hypervisor; grow partition, PV, LV and filesystem inside the guest:
    1. Check the current state
        lsblk
    2. Rescan disk "sda" so the kernel sees the new size
        echo 1 > /sys/block/sda/device/rescan
    3. Grow the partition (partition 3 here)
        growpart /dev/sda 3
    4. Check the PV
        pvs
        4a. grow the physical volume if it still shows the old size
            pvresize /dev/sda3
    5. Check the VG
        vgs
    6. Grow the LV and the filesystem (-r resizes the filesystem together with the LV)
        lvresize -rL+50G /dev/mapper/system-docker
        lvextend -rl +100%FREE /dev/mapper/vm208-root

git

git submodule update --init              load submodules
git submodule update --init --recursive  load submodules (recursively)
git submodule update --remote            load submodules (from remote)

git submodule update                     update submodules

Append information after commit:
git commit --amend --author "Ueli Hans <[email protected]>"

Temporarily store current changes and revert to latest pull:
git stash
Go back to stashed changes:
git stash pop

openssl

Check CSR:
openssl req -in sample.csr -noout -text

Bash to check a private key against its certificate (checkssl.sh):

 #!/bin/bash
 # cn names the file pair <cn>.crt / <cn>.key; the ${cn:?...} guard aborts with
 # the message if cn is empty.
 cn=files/reverseproxies/etc/haproxy/certs/www.sexybit.sh
 crt="${cn:?Common Name fuer Key und Cert nicht angegebe...}.crt"
 key="$cn.key"

 # Compare the RSA modulus of both files (hashed with md5 only to shorten the output).
 # -modulus exists for RSA only; for EC keys compare "openssl pkey -pubout -in key"
 # against "openssl x509 -pubkey -noout -in crt" instead.
 crtmd5=$( openssl x509 -noout -modulus -in "$crt" | openssl md5 )
 keymd5=$( openssl rsa  -noout -modulus -in "$key" | openssl md5 )

 echo "crt: $crtmd5"
 echo "key: $keymd5"
 printf 'Dateien: "%s" & "%s" -- ' "$crt" "$key"
 [ "$crtmd5" = "$keymd5" ] && echo "passen zusammen  :)" || echo "passen NICHT zusammen  :("

ansible

ansible-playbook -C -D playbooks/all.yml -u $USER -t nginx
   -C  check mode (dry run)
   -D  diff, show differences
   -u <remote user>
   -t <tags>
Tags let you run only specific tagged tasks in a playbook instead of executing everything. Multiple tags can be comma-separated.
Tags can be skipped with --skip-tags <tags>
Tasks tagged 'always' will run no matter what tags are selected.
Tasks tagged 'never' only run if explicitly requested with -t never

ln

ln -s ../files

curl

curl -vvv verbose verbose verbose
curl -v --resolve windy.verywindy.ch:443:192.168.161.1 https://windy.verywindy.ch check connection with hardcoded dns
curl -x sexybit.sh https://apod.nasa.gov check connection with proxy
curl -L https://apod.nasa.gov follow redirects

New Systems

Size: 2CPU, 2G RAM, 40G Disk
VG Name: system
/: 10G
Swap: 4G
/var/log: 4G

dns: 10.8.3.74 / 10.8.3.174
http://mirror.nat.srv.ch/2025/q4/ubuntu

IPTables / firewalld

 <?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p tcp --dport 21022 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="8">-p udp --sport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-p tcp --sport 21022 -m state --state ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="6">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="8">-p tcp --dport 80 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="9">-p tcp --dport 443 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="12">-p udp --dport 123 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="56">-p tcp --dport 5665 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="67">-p udp --dport 67:68 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="69">-m state --state ESTABLISHED,RELATED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="99">-j DROP</rule>
</direct>

Show all direct rules (/etc/firewalld/direct.xml):
firewall-cmd --get-all-rules --direct
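A small audit of the direct rule set above, added here as an example (it is not part of the wiki page or of firewalld). It parses the direct.xml shown above with the standard library, orders rules the way firewalld does (per chain, by priority), and reports the things worth checking in a default-deny OUTPUT chain: every accepted inbound TCP port has a reply path (a matching --sport rule or the generic ESTABLISHED,RELATED accept), the OUTPUT chain really ends in the DROP, and no two rules in one chain share a priority. The second XML document is a constructed counter-example; the wiki's own rule set passes cleanly.

```python
import shlex
import xml.etree.ElementTree as ET

# The rule set from the wiki's /etc/firewalld/direct.xml, used as sample input.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p tcp --dport 21022 -m state --state NEW,ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="8">-p udp --sport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="1">-p tcp --sport 21022 -m state --state ESTABLISHED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="5">-p icmp -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="6">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="8">-p tcp --dport 80 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="9">-p tcp --dport 443 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="12">-p udp --dport 123 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="56">-p tcp --dport 5665 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="67">-p udp --dport 67:68 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="69">-m state --state ESTABLISHED,RELATED -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="99">-j DROP</rule>
</direct>
"""

# Constructed counter-example (not from the wiki): an accepted port without a reply
# path, no final DROP, and two OUTPUT rules sharing one priority.
BROKEN_XML = """<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 8080 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-p udp --dport 53 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-p tcp --dport 443 -j ACCEPT</rule>
</direct>
"""


def option(tokens, name):
    """Value following an iptables option such as --dport, or None if absent."""
    try:
        return tokens[tokens.index(name) + 1]
    except (ValueError, IndexError):
        return None


def parse_direct(xml_text):
    """Rules as dicts, sorted per chain by priority (ties keep file order, which is
    exactly the ambiguity the audit flags)."""
    root = ET.fromstring(xml_text.encode())
    rules = []
    for el in root.findall("rule"):
        rules.append({
            "chain": el.get("chain"), "table": el.get("table"), "ipv": el.get("ipv"),
            "priority": int(el.get("priority", "0")),
            "tokens": shlex.split(el.text or ""), "raw": (el.text or "").strip(),
        })
    rules.sort(key=lambda r: (r["chain"], r["priority"]))
    return rules


def audit(xml_text):
    rules = parse_direct(xml_text)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    out = [r for r in rules if r["chain"] == "OUTPUT"]
    findings = []

    # A generic "-m state --state ESTABLISHED,RELATED -j ACCEPT" in OUTPUT covers the
    # replies of every accepted inbound connection; without it each port needs --sport.
    generic_reply = any(
        option(r["tokens"], "-p") is None
        and "ESTABLISHED" in (option(r["tokens"], "--state") or "")
        and option(r["tokens"], "-j") == "ACCEPT"
        for r in out)

    input_tcp_ports = []
    for r in inp:
        if option(r["tokens"], "-p") == "tcp" and option(r["tokens"], "-j") == "ACCEPT":
            port = option(r["tokens"], "--dport")
            input_tcp_ports.append(port)
            has_sport = any(option(o["tokens"], "--sport") == port for o in out)
            if not (has_sport or generic_reply):
                findings.append(f"INPUT tcp/{port} accepted but no OUTPUT rule lets replies out")

    # In a default-deny OUTPUT chain the last rule (highest priority) must be the DROP.
    last_target = option(out[-1]["tokens"], "-j") if out else None
    if last_target != "DROP":
        findings.append("OUTPUT chain has no final DROP rule")

    # Equal priorities inside one chain make the order depend on file order.
    seen = {}
    for r in rules:
        key = (r["chain"], r["priority"])
        if key in seen:
            findings.append(f"{r['chain']} priority {r['priority']} used twice: '{seen[key]}' and '{r['raw']}'")
        seen[key] = r["raw"]

    return {"input_tcp_ports": input_tcp_ports, "output_last_target": last_target, "findings": findings}


if __name__ == "__main__":
    for name, xml_text in (("direct.xml", DIRECT_XML), ("broken example", BROKEN_XML)):
        result = audit(xml_text)
        print(f"{name}: inbound tcp {result['input_tcp_ports']}, OUTPUT ends in {result['output_last_target']}")
        for finding in result["findings"]:
            print("  !", finding)
```

Run it against a host's real file with `python3 audit.py` after swapping DIRECT_XML for `open('/etc/firewalld/direct.xml').read()`; the INPUT chain is intentionally not checked for a final DROP, because on this page it relies on the zone policy rather than a direct rule.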

Clear root Password / disable root login

-d --delete: delete user's password
-l --lock: lock user's password
# passwd -dl root

Start new git project

Create blank repo without README.md
Run ansible-init script (cs)

Monitoring

The icinga server connects to the agent on port 5665.
Create a downtime before maintenance work.

Wartung

Delete snapshots after 1 week.

upremote

$HOME/scripts/
$HOME/log/

Check yo shit front to back

Remount /tmp without noexec flag

mount -o remount,exec /tmp

tmux

Move window to other pane:
 Ctrl + b, then :move-pane -t X

Move window to new pane:
 Ctrl + b !

icinga2

Check available commands in Icinga Director / Commands.

After editing monitoring parameters in ansible:
ansible-playbook -D playbooks/all.yml -t icinga2_agent:update-host

pfx/pem conversion

  1. Extract the private key (you will be prompted for the PFX file password and to set a password for the private key)

openssl pkcs12 -in your_certificate.pfx -nocerts -out private_key.key

  2. Extract the CRT certificate (you will be prompted for the PFX file password)

openssl pkcs12 -in your_certificate.pfx -clcerts -nokeys -out certificate.crt

  3. (Optional) Remove the password from the private key (you will be prompted for the password set in step 1)

openssl rsa -in private_key.key -out private_key_nopass.key

Whether the private key is still encrypted can be seen from the first line of the file: # head -1 private.key
Use the argument -legacy for PFX files that use deprecated ciphers.

Look at certificate:
openssl x509 -text -in /home/local/RootCAIII.crt -noout | grep 'Subject:\|Issuer:'

Enable SFTP for end customers

Find the high port on mgmt01: nft list ruleset | grep target_host_ip
Horizon Security Group Rules (mgmt-ssh-forwarding): allow ingress from client_ip

openstack cli

export OS_CLOUD="name"

icinga2 host vars

host_vars/host_name/icinga2.yml:

 icinga2_agent__host_vars:
  mailq:
    mailq_servertype: "sendmail"

mysql

mysql <dbname> < /home/doobiean/anUpdate.sql   apply SQL file to the <dbname> database
mysql -e "SHOW DATABASES" | grep 0109            look for databases

ansible-vault

ansible-vault encrypt_string <string> encrypt <string>

splunk

grep -i "connected to" /opt/splunkforwarder/var/log/splunk/splunkd.log Check connected servers.

openDKIM

chmod -R ug+x /etc/opendkim   if key permissions are denied even though they appear to be correct

n1

dig 6bit.ch +short
whois $(!!)

digiz0rt

Standard

DNS TXT Record, SSL Cert Business, Platform: Linux

Special

UCC16: Many SANs
Wildcard: Wildcard

icinga2 nginx

Add the plugin lib path to the check script:
 vim /usr/lib/nagios/plugins/check_nginx_status.pl
 use lib '/usr/lib/nagios/plugins';

Make utils.pm readable and link it where the check expects it:
 chmod 755 /usr/lib/nagios/plugins/utils.pm
 ln -s /usr/lib/nagios/plugins/utils.pm /usr/local/lib/nagios/plugins/utils.pm


Deploy

ansible-playbook -u $USER -b playbook-deploy.yml -l prod --extra-vars "esb_release_tag=v26.8.0 typo3_release_tag=v26.8.0" -D   (without -C)

Redeploy after errors etc.: vim files/web/srv/*/www/{typo3,esb}/deploy and comment out the version check
rm -rf /srv/*/www/{typo3,esb}/deploy/<version>   clean up the deployment

SSSD

0 1 2 6 * /usr/sbin/sss_cache -E && /usr/bin/systemctl restart sssd >> /var/log/sssd_cron.log 2>&1

SSH Fingerprintz

ssh-keygen -lf /home/uzer/.ssh/authorized_keys | grep <FINGERPRINT from /var/log/auth.log>
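The same lookup done in Python, added here as an example (it is not part of the wiki page; `ssh-keygen -lf` does the fingerprinting on a real host). It recomputes the SHA256 fingerprint the way ssh-keygen prints it (base64 of the SHA-256 of the key blob, without padding), maps every authorized_keys entry to its comment, and then resolves the fingerprints that sshd logs in "Accepted publickey" lines. A login whose fingerprint is not in the file is reported as such, which is the case worth catching: the key came from another file or was since removed. The two key blobs and the auth.log lines are constructed sample data, not real keys or logs.

```python
import base64
import hashlib
import re


# Constructed sample data, not from the wiki: two authorized_keys entries built from dummy
# key bytes. The blob layout is the SSH wire format that ssh-keygen fingerprints:
# length-prefixed key type, then the length-prefixed key bytes.
def ssh_string(data):
    return len(data).to_bytes(4, "big") + data


ED25519_BLOB_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ED25519_BLOB_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))

AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys for user uzer",
    "ssh-ed25519 " + base64.b64encode(ED25519_BLOB_A).decode() + " uzer@laptop",
    'no-pty,from="192.0.2.0/24" ssh-ed25519 ' + base64.b64encode(ED25519_BLOB_B).decode() + " backup@nas",
])

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Map fingerprint -> comment. A leading options field (no-pty, from=...) is skipped
    as long as it contains no whitespace; quoted options with spaces are not handled."""
    known = {}
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        blob = base64.b64decode(fields[idx + 1])
        known[fingerprint(blob)] = " ".join(fields[idx + 2:]) or "(no comment)"
    return known


# sshd logs accepted key logins as e.g.
# "Accepted publickey for uzer from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:<fp>"
LOGIN_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) .*?ssh2: (\S+) (SHA256:\S+)")


def match_auth_log(log_lines, authorized_keys_text):
    """For every accepted publickey login, attach the comment of the matching key, or
    None when the fingerprint is not in the file (key lives elsewhere, or was removed)."""
    known = parse_authorized_keys(authorized_keys_text)
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, src, ktype, fp = m.groups()
        hits.append({"user": user, "from": src, "type": ktype,
                     "fingerprint": fp, "comment": known.get(fp)})
    return hits


if __name__ == "__main__":
    # Constructed auth.log lines: one login with key A, one with a fingerprint not in
    # the file, and one unrelated line that the regex must ignore.
    fp_a = fingerprint(ED25519_BLOB_A)
    log = [
        f"Jun 19 12:58:40 windy sshd[4242]: Accepted publickey for uzer from 192.0.2.10 port 51234 ssh2: ED25519 {fp_a}",
        "Jun 19 12:59:02 windy sshd[4250]: Accepted publickey for uzer from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:" + "A" * 43,
        "Jun 19 12:59:10 windy sshd[4251]: Failed password for invalid user admin from 203.0.113.5 port 3022 ssh2",
    ]
    for hit in match_auth_log(log, AUTHORIZED_KEYS):
        label = hit["comment"] or "NOT IN authorized_keys"
        print(f'{hit["user"]} from {hit["from"]} with {hit["type"]} {hit["fingerprint"]} -> {label}')
```

On a real host, feed `open('/home/uzer/.ssh/authorized_keys').read()` and the lines of /var/log/auth.log into `match_auth_log`; the fingerprints it computes are the same ones `ssh-keygen -lf` prints, so the two approaches can be cross-checked.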


Prose

When trailing slash on source you see,
Only the contents will come with me.
When no trailing slash is there in sight,
The whole directory joins the flight.