---
title: OpenBSD
date: 2023-11-29T20:33:48+0100
lastmod: 2024-04-25T18:57:43+0000
tags:
- openbsd
- python
- cloudlog
- zsh-shell
- git
- rust
- neovim
- apache2
- mod_md
- certbot

#showDate: false
showReadingTime: false
showWordCount: false
showPagination: false
#showAuthor: false
showBreadcrumbs: true

feed_exclude: true
# site_exclude: true

---

These are random notes -- more or less about OpenBSD. Some may
not fit here well, but they could relate to OpenBSD or similar
operating systems in some way...

## Apache with wildcard certificates

I often got errors when I clicked a link on my main website, for example
to the weather page. It complained about different
<abbr title="Server Name Indication">SNI</abbr> because both hosts used different
certificates and I wasn't sure how I could fix that easily. I thought wildcard
certs could fix that because I'd only have one cert for all the domains.

~~~console
$ doas pkg_add certbot
~~~

Run and follow the instructions:

~~~console
$ doas certbot certonly --manual --preferred-challenges dns \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com

[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
certificates requires the use of an authentication hook script (--manual-auth-hook)
but one was not provided. To renew this certificate, repeat this same certbot
command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~~~

Also adding my .net domain to the certs:

~~~console
$ doas certbot certonly --manual --manual-public-ip-logging-ok \
    --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
    -d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
~~~

Some changes to the apache2 configuration were made:

~~~apache
<MDomain oe7drt.com oe7drt.net>
    MDMember *.oe7drt.com
    MDMember *.oe7drt.net
    MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
    MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
</MDomain>

MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail {email_redacted}
MDCAChallenges dns-01
~~~

It seems Apache likes this:

![cropped output of Apache's status page /md-status](./mod-status-certs.png)

This is **currently testing** because I have no idea if mod_md will update these certs
itself or if I should run certbot again when it's needed. In the meantime I monitor my
website with [UptimeKuma](https://github.com/louislam/uptime-kuma) which alerts me on
expiring certificates.

The binary (`dns-challenge.phar`) that actually does the DNS challenge is taken from
[kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare).

An **easier way** to obtain wildcard certificates would be the use of **Cloudflare's proxy**.
They would also create a second wildcard cert from another issuer in case the first one
got compromised, so they could replace your main cert with a backup cert
just with a whoooop.

Certbot commands have been taken from
[this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo)
at dev.to.

{{< alert >}}
**Update on April 25 2024**
I've now seen that no certificate gets renewed automatically.
{{< /alert >}}

The actual certificate got renewed with the command from above (including
the .net domain). The output of that command clearly states:

~~~console
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of
--manual certificates requires the use of an authentication hook script
(--manual-auth-hook) but one was not provided. To renew this certificate,
repeat this same certbot command before the certificate's expiry date.
~~~

I will execute the same certbot command before the certificate's expiry date
the next time to enhance my experience :wink:

## Get some filesystem information

~~~console
$ dumpfs /dev/rsd1a
magic 19540119 (FFS2) time Thu Nov 16 21:14:34 2023
[...] (snip; lots of output...)
~~~

This can be helpful if you want to know which filesystem you actually
use on your OpenBSD box.

## Create a Win95 FAT32 USB stick

When you `fdisk -iy sd2` (for example) a USB stick, you usually create
one single OpenBSD partition at the 4<sup>th</sup> position. When you then
try to `newfs_msdos -F 32 -L Label sd2i` the layout is gone -- this happened to
me several times until I got fed up and investigated.

I don't know why that happened, but I found my way to create USB sticks that
actually work with other devices like my amateur radios that need those fancy
microSD cards.

Delete the first bytes on the stick:

~~~console
$ doas dd if=/dev/zero bs=1m count=1 of=/dev/rsd2c
~~~

Create the needed partition:

~~~console
$ echo -n 'edit 0\n0c\n\n2048\n*\nq\n' | doas fdisk -e sd2
~~~

A short explanation (`\n` is basically a newline; the <kbd>Enter</kbd> key):

- `edit 0\n`: edit the first entry (`fdisk -iy sd2` would edit the 4th entry)
- `0c\n`: selects **Win95 FAT32L** (id `0C`) as the partition type
- `\n`: only hit enter and use the default _[n]_
- `2048\n`: start of the partition (in sectors)
- `*\n`: special size value -- means the remainder of the disk (like `-1` in many other tools)
- `q\n`: writes the MBR and quits the program

This results in a partition table like this:

~~~console
$ fdisk sd2
Disk: sd2       geometry: 966/255/63 [15523840 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0  32  33 -    966  80  10 [        2048:    15521792 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
~~~

whereas a `fdisk -iy sd2` creates a table like this:

~~~console
$ fdisk sd2
Disk: sd2       geometry: 966/255/63 [15523840 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
*3: A6      0   1   2 -    966  80  10 [          64:    15523776 ] OpenBSD
~~~

Don't forget to create the file system:

~~~console
$ doas newfs_msdos -F 32 -L 8GB_Stick sd2i
~~~
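
As an added example (not part of the original notes), here is a small Python parser for sector 0 that decodes both fdisk listings above from constructed MBR bytes and refuses a zeroed sector, which is what the `dd` step leaves behind. `fat32_slot0_ok` is a hypothetical check that entry 0 holds the FAT32 partition starting at LBA 2048 as the recipe produces.

```python
import struct

MBR_SIZE, TABLE_OFF, SIGNATURE = 512, 446, 0xAA55
ENTRY_FMT = "<B3sB3sII"   # boot flag, CHS start, type id, CHS end, LBA start, LBA size
TYPE_NAMES = {0x00: "Unused", 0x0C: "Win95 FAT32L", 0xA6: "OpenBSD"}  # ids from the listings

def decode_chs(raw):
    """Unpack a 3-byte CHS field: head, (cylinder high bits | sector), cylinder low byte."""
    head, b1, b2 = raw
    return ((b1 & 0xC0) << 2) | b2, head, b1 & 0x3F

def encode_chs(cyl, head, sector):
    return bytes([head, ((cyl >> 8) << 6) | (sector & 0x3F), cyl & 0xFF])

def parse_mbr(sector0):
    """Return the four partition entries of a 512-byte MBR; fails on a zeroed sector."""
    if len(sector0) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if struct.unpack_from("<H", sector0, 510)[0] != SIGNATURE:
        raise ValueError("no 0xAA55 signature: sector 0 is zeroed or not an MBR")
    entries = []
    for n in range(4):
        boot, cs, pid, ce, start, size = struct.unpack_from(ENTRY_FMT, sector0, TABLE_OFF + 16 * n)
        entries.append({"index": n, "active": boot == 0x80, "id": pid,
                        "name": TYPE_NAMES.get(pid, "0x%02X" % pid),
                        "chs_start": decode_chs(cs), "chs_end": decode_chs(ce),
                        "start": start, "size": size})
    return entries

def build_mbr(table):
    """Construct a 512-byte MBR from (active, id, chs_start, chs_end, start, size) rows."""
    packed = b"".join(struct.pack(ENTRY_FMT, 0x80 if a else 0, encode_chs(*cs), pid,
                                  encode_chs(*ce), start, size)
                      for a, pid, cs, ce, start, size in table)
    return bytes(TABLE_OFF) + packed + b"\x55\xAA"

UNUSED = (False, 0x00, (0, 0, 0), (0, 0, 0), 0, 0)
# Constructed sector-0 contents matching the two fdisk listings above, plus a zeroed one.
FAT32_STICK = build_mbr([(False, 0x0C, (0, 32, 33), (966, 80, 10), 2048, 15521792)] + [UNUSED] * 3)
OPENBSD_STICK = build_mbr([UNUSED] * 3 + [(True, 0xA6, (0, 1, 2), (966, 80, 10), 64, 15523776)])
ZEROED_STICK = bytes(MBR_SIZE)   # sector 0 right after the dd command: no table, no signature

def fat32_slot0_ok(sector0):
    """Hypothetical check: entry 0 is a FAT32 partition (id 0B/0C) starting at LBA 2048."""
    e = parse_mbr(sector0)[0]
    return e["id"] in (0x0B, 0x0C) and e["start"] == 2048 and e["size"] > 0
```

To run it against a real stick, read the first 512 bytes of `/dev/rsd2c` and pass them to `parse_mbr`.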
## Mounting disk images

~~~console
$ doas vnconfig /dev/vnd0c /path/to/imagefile.img
$ doas mount_msdos /dev/vnd0i ~/mnt/disk
~~~

## Packages / Ports

### ...because of libraries

Updating dependencies before installing (switch `-U`) does help sometimes when
pkg_add complains:

> Can't install [package] because of libraries

~~~console
$ doas pkg_add -uiU
~~~

Should fix that.

## Python

### ModuleNotFoundError

Install Python modules with pip:

~~~console
$ python3 -m pip install --user --upgrade ${example_module}
~~~

## Rust

### starship prompt

Installing this is usually blocked by the rust-battery crate, as there is still no progress
made on issue [#19](https://github.com/svartalf/rust-battery/issues/19), which probably
leads to no progress on issue [#2276](https://github.com/starship/starship/issues/2276).

Though, there is a [comment](https://github.com/starship/starship/issues/2276#issuecomment-782818302)
that disables the optional features (battery).

So the final installation of Starship looks like:

~~~console
$ cargo install starship --locked --no-default-features
~~~

The compilation took about 9½ minutes.

## Git

## Cloudlog (server)

Cloudlog is a web application written in PHP that allows ham radio amateurs
to log contacts online. I host my own instance on my server and I finally
looked into why I never got satellites shown in <kbd>SAT Timers</kbd>.

I use php-fpm and it is running as the user `www`. It is kind of jailed (chrooted) and it
cannot read `/etc/ssl/cert.pem` -- so the https connections cannot be verified
and it fails at downloading the satellite info from other websites.

I solved this by copying `/etc/ssl` to `/var/www/etc/ssl` via rsync, keeping file
permissions intact. I may set up a cron job for this.

~~~console
$ cd /var/www
$ doas rsync -avhzrp /etc/ssl/ etc/ssl
sending incremental file list
created directory etc/ssl
./
cert.pem
ikeca.cnf
openssl.cnf
x509v3.cnf
private/

sent 155.82K bytes  received 133 bytes  311.90K bytes/sec
total size is 344.08K  speedup is 2.21
$ doas rcctl restart php80_fpm
php80_fpm(ok)
php80_fpm(ok)
~~~
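
An added example (not from the page): a Python script for the cron job mentioned above. Unlike the rsync of the whole directory, it copies only the CA bundle into the chroot when the copy is missing or stale, makes it readable for `www`, and leaves `/etc/ssl/private` out of the chroot. The paths are the page's; `demo()` runs the sync against a constructed temporary tree instead of the real system.

```python
import hashlib
import os
import shutil
import tempfile

# The page's paths: php-fpm's chroot on OpenBSD lives under /var/www.
SYSTEM_BUNDLE = "/etc/ssl/cert.pem"
CHROOT_BUNDLE = "/var/www/etc/ssl/cert.pem"

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def sync_ca_bundle(src=SYSTEM_BUNDLE, dst=CHROOT_BUNDLE):
    """Copy only the CA bundle into the chroot when it is missing or stale.

    Returns "missing", "stale" or "current" (what was found); afterwards dst
    matches src and is mode 0644 so the unprivileged www user can read it.
    Nothing under /etc/ssl/private is copied: the chroot does not need it.
    """
    if not os.path.exists(dst):
        state = "missing"
    elif sha256_of(src) != sha256_of(dst):
        state = "stale"
    else:
        state = "current"
    if state != "current":
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
    os.chmod(dst, 0o644)
    return state

def demo():
    """Run the sync against a constructed temporary tree; returns what each run found."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "etc", "ssl", "cert.pem")
    dst = os.path.join(root, "var", "www", "etc", "ssl", "cert.pem")
    os.makedirs(os.path.dirname(src))
    with open(src, "w") as fh:   # constructed stand-in for the real CA bundle
        fh.write("-----BEGIN CERTIFICATE-----\nconstructed bundle v1\n-----END CERTIFICATE-----\n")
    first = sync_ca_bundle(src, dst)      # chroot copy did not exist yet
    second = sync_ca_bundle(src, dst)     # unchanged, nothing to copy
    with open(src, "a") as fh:            # simulate a base-system update of cert.pem
        fh.write("# new root appended\n")
    third = sync_ca_bundle(src, dst)
    in_sync = sha256_of(src) == sha256_of(dst)
    mode = oct(os.stat(dst).st_mode & 0o777)
    shutil.rmtree(root)
    return first, second, third, in_sync, mode
```

Called from cron as root with the default paths, `sync_ca_bundle()` keeps the chroot copy current after base-system updates replace `/etc/ssl/cert.pem`.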
## Cloudlog (client)

Use of the online logging tool Cloudlog on my OpenBSD machine.

First off, connect the TX-500 with the computer (CAT cable) and
start `rigctld`:

~~~console
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 -v
~~~

I use `2014`, which is actually a Kenwood TS-2000 -- but on OpenBSD hamlib is currently
at version 4.4 and the TX-500 is only available on
[version ≥4.5](https://github.com/Hamlib/Hamlib/blob/master/NEWS#L199).

For newer hamlib versions (≥4.5) use the rig 2050 like this:

~~~console
$ rigctld -m 2050 -r /dev/cuaU0 -s 9600 -v
~~~

In combination with Digirig I would probably use something like this,
because otherwise Digirig would instantly key the transceiver:

~~~console
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 --set-conf=rts_state=OFF -v
~~~

Well, I tested this on my desk at home but never used my laptop for
doing digital modes with my TX-500 -- but I want this to be noted
here just in case I should need it someday.

On another terminal start [`cloudlogbashcat.sh`](https://github.com/g0wfv/CloudlogBashCat):

~~~console
$ cloudlogbashcat.sh
~~~

Now open the website of your Cloudlog installation (assuming you have
set up your rigs) and select the radio that uses cloudlogbashcat.

![cloudlog radio selection dialog](radio-settings-cloudlog.png "You can select your pre-defined radio in the Live QSO tab")

## Z-Shell

### Where is this alias defined?

I defined an alias `ls` but I forgot where it was.

~~~console
$ PS4='+%x:%I>' zsh -i -x -c '' |& grep ls
~~~

There will probably be a lot of screen output.

### Renaming multiple directories

~~~console
$ count=1; zmv -n '*' '$f[1,4]/$((count++))-$f[12,-1]'
mv -- 2023-08-05-problems-with-apt-keys-on-my-hotspots 2023/51-problems-with-apt-keys-on-my-hotspots
mv -- 2023-08-26-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd 2023/52-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd
mv -- 2023-09-16-openbsd-current-built-from-source 2023/53-openbsd-current-built-from-source
~~~

This moves the subdirectories into another folder structure, numbering them with a counter variable.

~~~console
$ count=16; zmv -Q '*(/)' '$((count++))-$f[12,-1]'
mv -- 2021-08-08-win10-grub2-and-uefi 16-win10-grub2-and-uefi
mv -- 2021-08-12-running-n1mm-logger-on-linux 17-running-n1mm-logger-on-linux
mv -- 2021-10-03-winlink-and-vara-on-linux 18-winlink-and-vara-on-linux
mv -- 2021-10-03-wordlist-generation 19-wordlist-generation
mv -- 2021-10-26-processes-accessing-mountpoints 20-processes-accessing-mountpoints
~~~

That was the second part, counting on from where we stopped in the previous directory.

There was a draft post left in `2022` which I deleted, so now I had to renumber the folders
from `28-*` to `34-*` to a number lower by 1.

~~~console
$ for i in {29..34}; do zmv -n -W $i'*' $((--i))'*'; done
mv -- 29-using-nfs-on-a-raspberry-pi 28-using-nfs-on-a-raspberry-pi
mv -- 30-vpn-tunnel-into-hamnet-on-fedora-36 29-vpn-tunnel-into-hamnet-on-fedora-36
mv -- 31-winlink-on-linux-fix-invalid-handle-on-logfiles 30-winlink-on-linux-fix-invalid-handle-on-logfiles
mv -- 32-hamnet-on-the-pfsense 31-hamnet-on-the-pfsense
mv -- 33-changing-network-metrics-on-linux 32-changing-network-metrics-on-linux
mv -- 34-change-git-submodule-url 33-change-git-submodule-url
~~~

So, there is still one post left that is actually a draft post and I'd like to
remove the leading number from that directory.

~~~console
$ zmv -n -W '59-*' '*'
mv -- 59-pat-winlink-on-openbsd pat-winlink-on-openbsd
~~~

## Neovim

### Update plugins that use `make`

GNU make and BSD make are not compatible, and it is kind of annoying if people
think everybody has installed the same tools to compile software on their boxes.

In this example I often get some errors when I try to update plugins from within
AstroNvim, a plugin-packaged Neovim configuration framework.

- Open Neovim and initiate the update procedure (<kbd>space</kbd>, <kbd>p</kbd>, <kbd>a</kbd>)
- Remember in which folders the errors occur
- Visit those folders and update the file `Makefile` (usually)
- in `Makefile` replace `make` with `gmake`
  (you need that installed: `pkg_add gmake`)
- run the update procedure again

If that does not work, it is mostly a submodule. You can try to update and compile by hand.
Switch to the folder, replace `make` with `gmake` and finally run `gmake` in that folder.
That will produce a compiled output (a library) and the update procedure will pick that up
at the next run; the submodule will usually be ignored unless the main repo has new commits
in its tree. You may then stash the local changes and re-run the update procedure.

## Concatenate sound files (.wav)

~~~console
$ sox *.wav one-big-soundfile.wav
~~~

`cat *.wav > bigfile.wav` works too, but differently. That would put all
audio files as separate streams into the output file, whereas `sox`
appends one file after another in the big output file.