605 private links
Passwordstore is a great password manager, and I rely on it also in my Ansible playbooks, where it works by causing the gpg-agent to prompt me for the passphrase of my gpg key.
This prompt is a GUI prompt, which is very suitable when sitting at the computer in question. But a small annoyance is that it does not work at all when working on a remote computer via ssh (the prompt shows up on the remote computer's desktop, and the Ansible playbook in the terminal just freezes until it eventually fails).
It would be so much nicer if those ssh terminal sessions would instead get the gpg-agent prompt in the terminal. So far I have not found a method that achieves this without also sacrificing the GUI desktop prompt for non-remote work.
Desktop and laptop running Ubuntu 22.04 with i3wm desktop.
The relevant parts of my config can be seen in https://codeberg.org/ansible/dotfiles.
I considered the following related Q:s&A:s but did not achieve the desired outcome.
- https://unix.stackexchange.com/questions/554153/what-is-the-proper-configuration-for-gpg-ssh-and-gpg-agent-to-use-gpg-auth-sub
- https://stackoverflow.com/questions/17769831/how-to-make-gpg-prompt-for-passphrase-on-cli
- https://superuser.com/questions/1189602/how-to-configure-gpg2-to-ask-for-passphrase-on-the-console-instead-of-in-a-popup
- https://unix.stackexchange.com/questions/217737/pinentry-fails-with-gpg-agent-and-ssh
Some more tests
In the SSH session (no effect, unfortunately):
gpg-connect-agent updatestartuptty /bye
Learned that the gpg-agent is running in --supervised
mode, and its ENV variables include DISPLAY=:0
:
solarchemist@desktop:~
$ sudo cat /proc/2652288/environ
HOME=/home/solarchemist LANG=en_US.UTF-8 LC_TIME=sv_SE.UTF-8 LOGNAME=solarchemist
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/snap/bin
SHELL=/bin/bash SYSTEMD_EXEC_PID=2652288 USER=solarchemist
XDG_DATA_DIRS=/home/solarchemist/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop
XDG_RUNTIME_DIR=/run/user/1000 QT_ACCESSIBILITY=1
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus DISPLAY=:0 XAUTHORITY=/home/solarchemist/.Xauthority
MANAGERPID=1532 LISTEN_PID=2652288 LISTEN_FDS=4
LISTEN_FDNAMES=browser:extra:std:ssh INVOCATION_ID=<stuff> JOURNAL_STREAM=<stuff>
(the PID of the gpg-agent process is easily identified with ps aux | grep [g]pg
).
Manual work-around
Manual work-around is to set pinentry-program /usr/bin/pinentry-tty
in ~/.gnupg/gpg-agent.conf
and reload the agent gpg-connect-agent reloadagent /bye
.
To revert to the default (GUI) pinentry behaviour, just remove the line and reload the agent again.
Will add more as I learn about them. I only care about FOSS projects.
LXD
See my Ansible role that installs and configures LXD and provisions LXC containers.
Docker
I have some experience with Docker containers. Prefer LXC if I have the choice.
I have written an Ansible playbook to setup containers with docker-compose as part of a as-yet not-public project for InvenioRDM.
Podman
No hands-on experience yet.
Singularity
Hm, interesting. Could it be better than Docker for sharing something like a thesis with "all batteries included", I wonder?
Singularity can convert Docker containers to Singularity, or can run containers directly from Docker Hub
https://blogs.oregonstate.edu/learningbydoing/2022/01/04/docker-and-singularity-containers-which-one-is-better/
Learn the skills required to sysadmin a remote Linux server from the commandline.
Course restarts every first Monday of the month
What an interesting idea. A Python script that given an existing system creates an Ansible playbook that will duplicate it.
I wanted to create an ASCII art "bismillah" for use in the terminal.
Found this beautiful calligraphy by Nuria Garcia Masip. After cropping it, rotating it slightly and making the background monochromatic, I tried the ascii-image-converter by Zoraiz Hassan, and it worked great with the --braille
flag:
This converter tool was really easy to install (just run the binary), and the output was automatically resized to fit the terminal window size, which was a convenient feature.
I discovered some other ASCII art CLI tools (never tested them though):
- https://dns-lookup.jvns.ca/.
- https://zone.vision (queries the authoritative nameservers for a domain directly)
- https://mxtoolbox.com (oriented towards MX/SPF queries)
- https://toolbox.googleapps.com/apps/dig/#A/
Via Julia Evans.
Guides and how-tos
- Introduction to Ansible playbooks
- Playbooks vs roles, and explain the difference between task, role, play and playbook
- How to install and configure Ansible on Ubuntu 18.04 - DigitalOcean
- Linux hardening using idempotency with Ansible
Ansible playbooks and roles
- I haven't published all roles that I've written, but all the roles that I do publish are collected at codeberg.org/ansible
- Ansible module (Python code) to install R packages, by yutannihilation
- Ansible role to install TeXLive
- https://ansible.jeffgeerling.com/
- https://robertdebock.nl/ansible.html
This could perhaps be a much more stable alternative to my reverse SSH tunnels for keeping connections with various servers, especially desktops inside FM-NET and other machines inside other LANs.
The main downside is that Tailscale is not FOSS. So perhaps we should look for other solutions built on WireGuard, or perhaps learn to configure WireGuard directly.
The command and its typical output (highlights not shown due to technical limitations in Markdown):
me@host:~/ansible/playbooks
$ find . -type f -name "playbook.log" -exec sh -c 'tac {} | grep -m 1 -A1 "^Playbook last committed by"' \; | grep --color -E "^|git/ansible/[A-Za-z]+?/[A-Za-z-]+?.yml|(19|20)[0-9][0-9]-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01]) [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}"
Playbook last committed by me@host on Fri Apr 17 22:02:15 2020 +0200 (afd13a3b3b3f43d3f84bb16b1c91a6b5bec2cfe1)
2020-04-19 00:40:30,925 p=32526 u=me n=ansible | task path: /home/me/ansible/playbooks/luxor/playbook-host.yml:99
Playbook last committed by me@host on Wed Jan 29 14:34:38 2020 +0100 (5157cd051e276abfe99e93c37a8ad0c79dd4d3dc)
2020-03-29 01:39:34,874 p=14553 u=me n=ansible | task path: /home/me/ansible/playbooks/damietta/playbook-heliopolis.yml:31
Playbook last committed by me@host on Tue Feb 18 17:30:19 2020 +0100 (ae6c02965f4471d8089c5e4d2a427cb0cbfbc6b8)
2020-02-23 19:58:30,188 p=1050 u=me n=ansible | task path: /home/me/ansible/playbooks/abydos/playbook-webserver.yml:35
Playbook last committed by me@host on Sun Jan 5 09:44:27 2020 +0100 (26392ab778deaf86430f36bc7aed942ae04a938c)
2020-01-08 13:26:35,647 p=me u=27195 | changed: [hunan.domain.se -> localhost] => {"changed": true, "cmd": "git log --pretty=\"Playbook last committed by %cn on %cd (%H)\" -1 >> playbook.log", "delta": "0:00:00.003510", "end": "2020-01-08 13:26:35.628135", "rc": 0, "start": "2020-01-08 13:26:35.624625", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
Playbook last committed by me@host on Thu Mar 26 14:57:00 2020 +0100 (2c9aa2030192c2942c5dfb0bcf5976f46fefd774)
2020-04-01 15:44:19,057 p=10821 u=me n=ansible | task path: /home/me/ansible/playbooks/alexandria/playbook.yml:137
The first find
command lists all playbook.log
files below the current directory (recursing into child directories). tac
is the opposite of cat
and lists each file backwards (from last line to first). We use grep
to look for a string ("Playbook last committed") that my Ansible playbooks always insert into the log-file at the end of a run. Note the use of the -A1
flag that gets the matched line and one line after (but because we used tac
, we actually get the line before, which is what we want). The final grep
uses extended regular expressions (-E
) to color highlight several parts of the output (while displaying all of the output, that's what the initial caret does - it effectively matches all lines).
Pretty neat, if I may say so myself.
Some of the refs I consulted to figure out this one-liner:
https://serverfault.com/questions/197123/getting-the-last-match-in-a-file-using-grep
https://unix.stackexchange.com/questions/112159/grep-from-the-end-of-a-file-to-the-beginning
https://stackoverflow.com/questions/307015/how-do-i-include-a-pipe-in-my-linux-find-exec-command
https://superuser.com/questions/914856/grep-display-all-output-but-highlight-search-matches
https://unix.stackexchange.com/questions/366/convince-grep-to-output-all-lines-not-just-those-with-matches
https://unix.stackexchange.com/questions/37313/how-do-i-grep-for-multiple-patterns-with-pattern-having-a-pipe-character
https://en.wikipedia.org/wiki/Regular_expression#POSIX_extended
Discusses entropy as a measure of password strength, and includes two useful tables.
For example, a 30-character password using alphanumeric characters (mixing both small- and upper-case letters) achieves around 160 bits of entropy.
The article also includes guidelines for strong passwords, reproduced below:
- Use a minimum password length of 10 or more characters if permitted.
- Include lowercase and uppercase alphabetic characters, numbers and symbols if permitted.
- Generate passwords randomly where feasible.
- Avoid using the same password twice (e.g., across multiple user accounts and/or software systems).
- Avoid character repetition, keyboard patterns, dictionary words, letter or number sequences.
- Avoid using information that is or might become publicly associated with the user or the account, such as username, ancestors' names or dates.
- Avoid using information that the user's colleagues and/or acquaintances might know to be associated with the user, such as relative or pet names, romantic links (current or past) and biographical information (e.g., ID numbers, ancestors' names or dates)..
- Do not use passwords which consist wholly of any simple combination of the aforementioned weak components.
Setup your Pi-hole:
- Connect the Raspberry Pi to your router
- Open the Ubiquiti router's dashboard in your browser, and open the Services tab
- Click on the Actions button, select View Leases
- Identify your Raspberry Pi in the list (look for the hostname of your Raspberry or its MAC address)
- Click the Map Static IP button, and give your Raspberry Pi a static IP address
- Click on the Details tab inside the open dialog, and enter the IP address you just chose into the "DNS 1" field. Feel free to add another DNS provider in the "DNS 2" field (this is used in case your Pi-Hole stops working).
- Restart the Raspberry Pi
You should now be able to login to your Pi-Hole web dashboard from your browser by going to http://<ip-address>/admin
(click on login and enter your password to see everything).