
---
title: OpenBSD
date: 2023-11-29T20:33:48+0100
lastmod: 2024-04-28T09:30:28+0000
tags:
- openbsd
- python
- cloudlog
- zsh-shell
- git
- rust
- neovim
- apache2
- mod_md
- certbot
#showDate: false
showReadingTime: false
showWordCount: false
showPagination: false
#showAuthor: false
showBreadcrumbs: true
feed_exclude: true
# site_exclude: true
---
These are random notes -- more or less about OpenBSD. Some may
not fit here well, but they could relate to OpenBSD or similar
operating systems in some way...
## Apache with wildcard certificates
I often got errors when I clicked a link on my main website, for example
to the weather page. It was complaining about a different
<abbr title="Server Name Indication">SNI</abbr> because both hosts used different
certificates, and I wasn't sure how I could fix that easily. I thought wildcard
certs could fix that because I'd only have one cert for all the domains.
~~~console
$ doas pkg_add certbot
~~~
Run and follow instructions:
~~~console
$ doas certbot certonly --manual --preferred-challenges dns \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual-public-ip-logging-ok -d '*.oe7drt.com' -d oe7drt.com
[...]
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/oe7drt.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/oe7drt.com/privkey.pem
This certificate expires on 2024-04-25.
These files will be updated when the certificate renews.
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual
certificates requires the use of an authentication hook script (--manual-auth-hook)
but one was not provided. To renew this certificate, repeat this same certbot
command before the certificate's expiry date.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~~~
Also adding my .net domain to the certs:
~~~console
$ doas certbot certonly --manual --manual-public-ip-logging-ok \
--preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory \
-d "*.oe7drt.com" -d "*.oe7drt.net" -d oe7drt.com -d oe7drt.net
~~~
Some changes to the apache2 configuration were made:
~~~apache
<MDomain oe7drt.com oe7drt.net>
MDMember *.oe7drt.com
MDMember *.oe7drt.net
MDCertificateFile /etc/letsencrypt/live/oe7drt.com/fullchain.pem
MDCertificateKeyFile /etc/letsencrypt/live/oe7drt.com/privkey.pem
</MDomain>
MDChallengeDns01 /etc/apache2/dns/dns-challenge.phar --
MDCertificateAgreement accepted
MDContactEmail {email_redacted}
MDCAChallenges dns-01
~~~
It seems Apache likes this:
![cropped output of apaches status website /md-status](./mod-status-certs.png)
This is **currently testing** because I have no idea if mod_md will update these certs
itself or if I should run certbot again when it's needed. In the meantime I monitor my
website with [UptimeKuma](https://github.com/louislam/uptime-kuma) which alerts me on
expiring certificates.
The binary (`dns-challenge.phar`) that actually does the DNS Challenge is taken from
[kategray/dns-challenge-cloudflare](https://github.com/kategray/dns-challenge-cloudflare).
An **easier way** to obtain wildcard certificates would be the use of **Cloudflare's proxy**.
They would also create a second wildcard cert from another issuer in case the first one
got compromised, so they could actually replace your main cert with a backup cert
just with a whoooop.
Certbot commands have been taken from
[this article by nabbisen](https://dev.to/nabbisen/let-s-encrypt-wildcard-certificate-with-certbot-plo)
at dev.to.
{{< alert >}}
**Update on April 25 2024**
I've now seen that no certificate gets renewed automatically.
{{< /alert >}}
The actual certificate got renewed with the command from above (including
the .net domain). The output of that command clearly states:
~~~console
NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of
--manual certificates requires the use of an authentication hook script
(--manual-auth-hook) but one was not provided. To renew this certificate,
repeat this same certbot command before the certificate's expiry date.
~~~
I will execute the same certbot command before the certificate's expiry date
the next time to enhance my experience :wink:
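The update above says that nothing renews these certificates automatically. As an added example (not part of the original notes), this POSIX sh check reports certificates that expire within a given number of days, so a cron entry on the box can warn before the date printed by certbot; it only needs openssl(1), and the default live directory is the path from the certbot output above.

```shell
#!/bin/sh
# Warn before a manually issued (certbot --manual) certificate runs out.
# cert_status FILE DAYS -> 0: still valid DAYS days from now
#                         1: expires within DAYS days (or already expired)
#                         2: FILE is missing or not a PEM certificate
cert_status() {
    cert=$1
    days=${2:-14}
    # Reject unreadable or non-certificate input before judging its lifetime.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || return 2
    # -checkend N succeeds only if the certificate is still valid N seconds from now.
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# notAfter date of a certificate, for the warning line.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Check every lineage certbot keeps under the live directory (default: the path
# from the certbot output above). Prints one line per problem; exit 1 if any.
# Usage from root's crontab:  check_live_certs 14
check_live_certs() {
    days=${1:-14}
    live=${2:-/etc/letsencrypt/live}
    rc=0
    for dir in "$live"/*/; do
        [ -d "$dir" ] || continue
        cert="${dir}fullchain.pem"
        st=0
        cert_status "$cert" "$days" || st=$?
        case $st in
            0) ;;
            1) echo "RENEW: $cert expires $(cert_not_after "$cert")"; rc=1 ;;
            *) echo "ERROR: cannot read $cert"; rc=1 ;;
        esac
    done
    return $rc
}
```

When it prints a RENEW line, repeat the certbot command from above before the date it shows.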
## Get some filesystem information
~~~console
$ dumpfs /dev/rsd1a
magic 19540119 (FFS2) time Thu Nov 16 21:14:34 2023
[...] (snip; lots of output...)
~~~
This can be helpful if you want to know which filesystem you actually
use on your OpenBSD box.
## Create a Win95 FAT32 USB stick
When you `fdisk -iy sd2` (for example) a USB stick, you usually create
one single OpenBSD partition at the 4<sup>th</sup> position. When you then
try to `newfs_msdos -F 32 -L Label sd2i` the layout is gone -- this happened to
me several times until I got fed up and investigated.
I don't know why that happened, but I found a way to create USB sticks that
actually work with other devices, like my amateur radios that need those fancy
microSD cards.
Delete the first bytes on the stick:
~~~console
$ doas dd if=/dev/zero bs=1m count=1 of=/dev/rsd2c
~~~
Create the needed partition:
~~~console
$ echo -n 'edit 0\n0c\n\n2048\n*\nq\n' | doas fdisk -e sd2
~~~
A short explanation (`\n` is basically a newline; the <kbd>Enter</kbd> key):
- `edit 0\n`: edit the first entry (`fdisk -iy sd2` would edit the 4th entry)
- `0c\n`: selects **Win95 FAT32L** as the partition type
- `\n`: only hit enter and use the default _[n]_
- `2048\n`: start of the partition
- `*\n`: special size value -- means the remainder of the disk (like `-1` in many other tools)
- `q\n`: writes the MBR and quits the program
This results in a partition table like this:
~~~console
$ fdisk sd2
Disk: sd2       geometry: 966/255/63 [15523840 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 0C      0  32  33 -    966  80  10 [        2048:    15521792 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
~~~
whereas a `fdisk -iy sd2` creates a table like this:
~~~console
$ fdisk sd2
Disk: sd2       geometry: 966/255/63 [15523840 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
*3: A6      0   1   2 -    966  80  10 [          64:    15523776 ] OpenBSD
~~~
Don't forget to create the file system:
~~~console
$ doas newfs_msdos -F 32 -L 8GB_Stick sd2i
~~~
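Since `newfs_msdos` writes to whatever `sd2i` currently maps to, it pays to confirm the MBR first. As an added example (not from the original notes), this POSIX sh function parses the `fdisk sd2` listing as printed above and succeeds only for the single-FAT32-partition layout, so it can gate the `newfs_msdos` step; the two embedded tables are constructed from the listings above.

```shell
#!/bin/sh
# Pre-flight check before newfs_msdos: feed the output of `fdisk sdN` on stdin.
# Exit 0 only when slot 0 is a Win95 FAT32L (id 0C) partition starting at
# sector 2048 and slots 1-3 are unused, i.e. the layout produced above.
check_fat32_layout() {
    awk '
        # Partition rows: " 0: 0C  0 32 33 -  966 80 10 [ 2048: 15521792 ] Win95 FAT32L"
        # The active slot is printed as "*3:"; field positions are the same either way.
        /^ *\*?[0-3]:/ {
            slot = $1; gsub(/[*:]/, "", slot)
            id = $2
            start = $11; sub(/:$/, "", start)
            if (slot == "0") {
                if (id != "0C" || start != "2048") bad = 1
            } else if (id != "00") {
                bad = 1          # another slot in use: not the layout we want
            }
            seen++
        }
        END { exit (seen == 4 && !bad) ? 0 : 1 }
    '
}

# Constructed from the two fdisk listings above (same values, aligned as fdisk prints them).
FAT32_TABLE=' 0: 0C      0  32  33 -    966  80  10 [        2048:    15521792 ] Win95 FAT32L
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused'
OPENBSD_TABLE=' 0: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] Unused
*3: A6      0   1   2 -    966  80  10 [          64:    15523776 ] OpenBSD'

# On the real stick:  fdisk sd2 | check_fat32_layout && doas newfs_msdos -F 32 -L 8GB_Stick sd2i
```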
## Mounting disk images
~~~console
$ doas vnconfig /dev/vnd0c /path/to/imagefile.img
$ doas mount_msdos /dev/vnd0i ~/mnt/disk
~~~
## Packages / Ports
### ...because of libraries
Updating dependencies before installing (switch `-U`) does help sometimes...
> Can't install [package] because of libraries
~~~console
$ doas pkg_add -uiU
~~~
Should fix that.
## Python
### ModuleNotFoundError
Install Python modules with pip:
~~~console
$ python3 -m pip install --user --upgrade ${example_module}
~~~
## Rust
### starship prompt
Building this usually fails because of the rust-battery crate, as there is still no progress
on issue [#19](https://github.com/svartalf/rust-battery/issues/19), which probably
leads to no progress on issue [#2276](https://github.com/starship/starship/issues/2276).
However, there is a [comment](https://github.com/starship/starship/issues/2276#issuecomment-782818302)
that disables the optional features (battery).
So the final installation of Starship looks like:
~~~console
$ cargo install starship --locked --no-default-features
~~~
The compilation took about 9½ minutes.
## Git
## Cloudlog (server)
Cloudlog is a web application written in PHP that allows ham radio amateurs
to log contacts online. I host my own instance on my server and I finally
looked into why I never got satellites shown in <kbd>SAT Timers</kbd>.
I use php-fpm and it is running as the user `www`. It is kind of jailed and it
cannot read `/etc/ssl/cert.pem` -- so the https connections cannot be verified
and it fails at downloading the satellite info from other websites.
I solved this by copying `/etc/ssl` to `/var/www/etc/ssl` via rsync, keeping file
permissions intact. I may set up a cron job for this.
~~~console
$ cd /var/www
$ doas rsync -avhzrp /etc/ssl/ etc/ssl
sending incremental file list
created directory etc/ssl
./
cert.pem
ikeca.cnf
openssl.cnf
x509v3.cnf
private/
sent 155.82K bytes received 133 bytes 311.90K bytes/sec
total size is 344.08K speedup is 2.21
$ doas rcctl restart php80_fpm
php80_fpm(ok)
php80_fpm(ok)
~~~
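The rsync listing above shows `private/` being created inside the chroot as well. As an added example (not from the original notes), this POSIX sh script copies only the public CA bundle and the config files from that listing into the chroot, leaves `/etc/ssl/private` out entirely, and reports whether anything changed; the default paths are the ones used above.

```shell
#!/bin/sh
# Refresh the CA bundle inside the php-fpm chroot (/var/www) from the system
# copy, so TLS verification keeps working when cert.pem changes on an upgrade.
# Only public material is copied; /etc/ssl/private never enters the chroot.
# sync_ca_bundle [SRC] [DST] -> 0: files updated, 1: already current, 2: error
sync_ca_bundle() {
    src=${1:-/etc/ssl}
    dst=${2:-/var/www/etc/ssl}
    updated=1
    mkdir -p "$dst" || return 2
    for f in cert.pem openssl.cnf x509v3.cnf ikeca.cnf; do
        [ -f "$src/$f" ] || continue          # skip files this system does not have
        if ! cmp -s "$src/$f" "$dst/$f"; then
            # Write to a temp name and rename, so the chroot never sees a half-written bundle.
            cp "$src/$f" "$dst/$f.tmp" && chmod 444 "$dst/$f.tmp" \
                && mv "$dst/$f.tmp" "$dst/$f" || return 2
            updated=0
        fi
    done
    return $updated
}

# Sanity check: private key material must never live inside the chroot.
# Returns 0 when the chroot copy is clean, 1 otherwise.
chroot_ssl_is_clean() {
    dst=${1:-/var/www/etc/ssl}
    if [ -e "$dst/private" ]; then
        echo "WARNING: $dst/private exists inside the chroot"
        return 1
    fi
    return 0
}
```

Run it from root's crontab and follow up with `doas rcctl restart php80_fpm` only when it returns 0.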
## Cloudlog (client)
Use of the online logging tool Cloudlog on my OpenBSD machine.
First off, connect the TX-500 with the computer (CAT cable) and
start `rigctld`:
~~~console
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 -v
~~~
I use `2014` which is actually a Kenwood TS-2000 -- but on OpenBSD hamlib is currently
at version 4.4 and the TX-500 is only available on
[version ≥4.5](https://github.com/Hamlib/Hamlib/blob/master/NEWS#L199).
For newer hamlib versions (≥4.5) use the rig 2050 like:
~~~console
$ rigctld -m 2050 -r /dev/cuaU0 -s 9600 -v
~~~
In combination with Digirig I would probably use something like this,
because otherwise Digirig would instantly key the transceiver:
~~~console
$ rigctld -m 2014 -r /dev/cuaU0 -s 9600 --set-conf=rts_state=OFF -v
~~~
Well, I tested this on my desk at home but never used my laptop for
doing digital modes with my TX-500 though -- but I want this to be noted
here just in case I should need it someday.
On another terminal start [`cloudlogbashcat.sh`](https://github.com/g0wfv/CloudlogBashCat):
~~~console
$ cloudlogbashcat.sh
~~~
Now open the website of your Cloudlog installation (provided you have
set up your rigs) and select the radio that uses cloudlogbashcat.
![cloudlog radio selection dialog](radio-settings-cloudlog.png "You can select your pre-defined radio in the Live QSO tab")
## Z-Shell
### Where is this alias defined?
I defined an alias `ls` but I forgot where it was.
~~~console
$ PS4='+%x:%I>' zsh -i -x -c '' |& grep ls
~~~
There will be a lot of screen output probably.
### Renaming multiple directories
~~~console
$ count=1; zmv -n '*' '$f[1,4]/$((count++))-$f[12,-1]'
mv -- 2023-08-05-problems-with-apt-keys-on-my-hotspots 2023/51-problems-with-apt-keys-on-my-hotspots
mv -- 2023-08-26-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd 2023/52-dmrhost-on-a-raspberrypi4-with-openbsd-or-freebsd
mv -- 2023-09-16-openbsd-current-built-from-source 2023/53-openbsd-current-built-from-source
~~~
This moves the subdirectories into another folder structure, numbering them with a counter variable.
~~~console
$ count=16; zmv -Q '*(/)' '$((count++))-$f[12,-1]'
mv -- 2021-08-08-win10-grub2-and-uefi 16-win10-grub2-and-uefi
mv -- 2021-08-12-running-n1mm-logger-on-linux 17-running-n1mm-logger-on-linux
mv -- 2021-10-03-winlink-and-vara-on-linux 18-winlink-and-vara-on-linux
mv -- 2021-10-03-wordlist-generation 19-wordlist-generation
mv -- 2021-10-26-processes-accessing-mountpoints 20-processes-accessing-mountpoints
~~~
That was the second part, counting on from where we stopped in the previous directory.
There was a draft post left in `2022` which I deleted, so now I had to renumber the folders
from `28-*` to `34-*` to a number lower by 1.
~~~console
$ for i in {29..34}; do zmv -n -W $i'*' $((--i))'*'; done
mv -- 29-using-nfs-on-a-raspberry-pi 28-using-nfs-on-a-raspberry-pi
mv -- 30-vpn-tunnel-into-hamnet-on-fedora-36 29-vpn-tunnel-into-hamnet-on-fedora-36
mv -- 31-winlink-on-linux-fix-invalid-handle-on-logfiles 30-winlink-on-linux-fix-invalid-handle-on-logfiles
mv -- 32-hamnet-on-the-pfsense 31-hamnet-on-the-pfsense
mv -- 33-changing-network-metrics-on-linux 32-changing-network-metrics-on-linux
mv -- 34-change-git-submodule-url 33-change-git-submodule-url
~~~
So, there is still one post left that is actually a draft post and I'd like to
remove the leading number from that directory.
~~~console
$ zmv -n -W '59-*' '*'
mv -- 59-pat-winlink-on-openbsd pat-winlink-on-openbsd
~~~
## Neovim
### Update plugins that use `make`
GNU make and BSD make are not compatible, and it is kind of annoying when people
think everybody has the same tools installed to compile software on their boxes.
In this example I often get errors when I try to update plugins from within
AstroNvim, a plugin-packaged Neovim configuration framework.
- Open Neovim and initiate the update procedure (<kbd>space</kbd>, <kbd>p</kbd>, <kbd>a</kbd>)
- Remember in which folders the errors occur
- Visit those folders and update the file `Makefile` (usually)
- in `Makefile` replace `make` with `gmake`
  (you need that installed, `pkg_add gmake`)
- run the update procedure again
If that does not work, it is mostly a submodule. You can try to update and compile by hand.
Switch to the folder, replace `make` with `gmake` and finally run `gmake` in that folder.
That will produce a compiled output (a library) and the update procedure will pick that up
at the next run; the submodule will usually be ignored unless the main repo has new commits
in its tree. You may then stash the local changes and re-run the update procedure.
## Concatenate sound files (.wav)
~~~console
$ sox *.wav one-big-soundfile.wav
~~~
`cat *.wav > bigfile.wav` works too, but differently: it would put all
audio files into separate streams in the output file, whereas `sox`
appends one file after another in the big output file.
## Manual page sections
| Section | Description |
| :--- | :--- |
| 1 | General Commands |
| 2 | System Calls |
| 3 | Library Functions |
| 3p | Perl Library |
| 4 | Device Drivers |
| 5 | File Formats |
| 6 | Games |
| 7 | Miscellaneous Information |
| 8 | System Manager's Manual |
| 9 | Kernel Developer's Manual |