Installing GitLab on Debian 9 with SSL and custom apache vhost

Before you start

First you need to make sure that:
– Your LAMP is up and running
– You have a working DNS for the domain you want to use for gitlab
– You have certbot already installed

Part I – gitlab

Prepare the system for the gitlab install

apt-get update && apt-get upgrade

Install the dependencies. When the postfix configuration prompt appears, choose “Internet Site” and press Enter.

apt-get install -y curl openssh-server ca-certificates postfix

Add the gitlab repositories

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash


Auto mount second HD on boot

The new HD you ordered online finally arrived. After you open your computer and install it (and after checking it for bad blocks with badblocks), you’ll want it mounted automatically on boot.

Type lsblk or mount to find the device (or dmesg if you’re brave). In my case, it was /dev/sdb1:

/dev/sdb1 on /media/dth/HD2 type ext4 (rw,nosuid,nodev,relatime,data=ordered,uhelper=udisks2)

Now get the device’s UUID and filesystem type with blkid:

/dev/sdb1: LABEL="HD2" UUID="0d256b26-1782-4f3f-b192-468464DjhdS7" TYPE="ext4" PARTUUID="290cdbb5-01"
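The natural next step is the /etc/fstab entry. The function below is an added example, not from the post: it parses a blkid line into a UUID-based fstab entry, so the mount survives the device being renumbered (sdb becoming sdc) after a reboot or a new disk. The blkid line is the one shown above, embedded as sample input; the mount options nosuid,nodev mirror what udisks applied in the mount output above, and nofail is added so a missing disk does not stall the boot. The function name and the mount point argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the post): build an /etc/fstab line from blkid output.
# Sample input: the blkid line shown in the post.
SAMPLE_BLKID='/dev/sdb1: LABEL="HD2" UUID="0d256b26-1782-4f3f-b192-468464DjhdS7" TYPE="ext4" PARTUUID="290cdbb5-01"'

# fstab_line_from_blkid BLKID_LINE MOUNTPOINT
# Prints a UUID-based fstab entry. nosuid,nodev: setuid binaries and device
# nodes on a data disk are not honoured; nofail: boot continues if the disk
# is absent. Returns 1 if UUID or TYPE cannot be found in the line.
fstab_line_from_blkid() {
  line="$1"
  mountpoint="$2"
  # The leading space before UUID= keeps PARTUUID= from matching.
  uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
  fstype=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
  if [ -z "$uuid" ] || [ -z "$fstype" ]; then
    echo "could not parse UUID/TYPE from: $line" >&2
    return 1
  fi
  printf 'UUID=%s %s %s defaults,nosuid,nodev,nofail 0 2\n' "$uuid" "$mountpoint" "$fstype"
}

# Typical use on the real machine (not executed here):
#   mkdir -p /media/dth/HD2
#   fstab_line_from_blkid "$(blkid /dev/sdb1)" /media/dth/HD2 >> /etc/fstab
#   mount -a    # try the new entry before rebooting
```

Running mount -a after appending the line is the cheap check: a typo in fstab that only shows up at boot can leave the machine in emergency mode.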


SSH key-based authentication

First, generate a key pair without a passphrase (-P "" makes it non-interactive):

root@example:~# ssh-keygen -f ~/.ssh/id_rsa -q -P ""

You will see id_rsa (the private key, mode 0600) and id_rsa.pub (the public key):

root@example:~# ls -la .ssh
total 20
drwx------ 2 root root 4096 Nov 18 15:19 .
drwx------ 7 root root 4096 Apr 14  2018 ..
-rw------- 1 root root 1679 Nov 18 15:19 id_rsa
-rw-r--r-- 1 root root  401 Nov 18 15:19 id_rsa.pub
-rw-r--r-- 1 root root  444 Sep 22  2017 known_hosts
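The public key then goes into authorized_keys on the server side. The function below is an added example, not from the post: it installs a .pub file idempotently and sets the modes sshd's StrictModes check requires (700 on ~/.ssh, 600 on authorized_keys, matching the listing above). The home directory and key file are parameters; the function names install_pubkey, key_count and perms_ok are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): install a public key for key-based login.

# install_pubkey HOME_DIR PUBKEY_FILE
# Appends the key line to HOME_DIR/.ssh/authorized_keys unless it is already
# there, and fixes the directory/file modes that sshd (StrictModes) checks.
install_pubkey() {
  home_dir="$1"
  pubkey_file="$2"
  [ -r "$pubkey_file" ] || { echo "no such public key: $pubkey_file" >&2; return 1; }
  key=$(cat "$pubkey_file")
  mkdir -p "$home_dir/.ssh"
  chmod 700 "$home_dir/.ssh"                    # drwx------ as in the listing
  touch "$home_dir/.ssh/authorized_keys"
  chmod 600 "$home_dir/.ssh/authorized_keys"    # owner read/write only
  # -x: whole-line match, -F: literal (no regex metacharacters in the key)
  if ! grep -qxF -- "$key" "$home_dir/.ssh/authorized_keys"; then
    printf '%s\n' "$key" >> "$home_dir/.ssh/authorized_keys"
  fi
}

# key_count HOME_DIR: number of key lines in authorized_keys
key_count() {
  grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# perms_ok HOME_DIR: succeeds if ~/.ssh is 700 and authorized_keys is 600
perms_ok() {
  [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
  [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Typical use (not executed here):
#   install_pubkey /root /tmp/id_rsa.pub && perms_ok /root && echo "ready"
```

Running it twice leaves a single key line, which matters when a deployment tool re-applies it on every run.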


acgrep.sh

https://github.com/xdth/misc/blob/master/acgrep.sh


#!/bin/bash

######################### acgrep.sh v0.1 ###############################
# This script will grep a given set of strings from a text file (syslog)
# and output the result, excluding lines containing another set of
# strings, to a specified location, with a dated file name.
#
# The script will then delete all files in the destination folder older
# than X days and change the ownership of the resulting files to the
# web server.
#
# It can be used, for example, to generate logs from AssaultCube or
# UrbanTerror servers, one log per server.
#
# author: dth@dthlabs.com
#
# To run it from cron, add an entry such as the one below. Note that
# "0 */1 * * *" runs every hour; each run regenerates yesterday's files,
# so a single daily run (e.g. "0 6 * * *") is enough.
# 0 */1 * * * /root/aclogs/acgrep.sh

# #######################################################################
# ## Parameters

# The file to grep
acgrep_filePath="/var/log/syslog"

# Location where the files will be generated. Keep the trailing slash.
acgrep_destinationPath="/root/aclogs/"

# grep this string
acgrep_string="AssaultCube"

# The AC servers' ports
acgrep_substrings="28763 8000 9000 10000 16000"

# Delete generated files after this many days
acgrep_keep_days=7

# sed expression that skips lines containing these strings
acgrep_skipline="/xskip\|pwd/d"

# #######################################################################
# ## Functions

function acgrep_init {
  # feed $YESTERDAY with the syslog date format "Jan 31". syslog pads a
  # single-digit day with a space ("Jan  1"), which %e reproduces and %d
  # ("Jan 01") would not, so the grep below would miss those days.
  YESTERDAY=$(date -d "yesterday 06:00" '+%b %e')
  # feed $YESTERDAY2 with yesterday's date in the format 2018-01-31
  YESTERDAY2=$(date -d "yesterday 06:00" '+%Y-%m-%d')
}

function acgrep_finish {
  # Make destination folder readable to the web server
  chown www-data:www-data -R "$acgrep_destinationPath"

  # Delete files older than x days
  /usr/bin/find "$acgrep_destinationPath" -mtime "+$acgrep_keep_days" -type f -delete
}

function acgrep_main {
  # initialize date variables
  acgrep_init

  # main loop: one output file per server port
  for i in $acgrep_substrings
  do
    # e.g. sed '/xskip\|pwd/d' /var/log/syslog | grep "AssaultCube" | grep "Jan 31" | grep -w 8000 > /root/aclogs/8000_2018-01-31.txt
    # -w matches the port as a whole word, so 8000 does not also pick up 18000
    sed "$acgrep_skipline" "$acgrep_filePath" \
      | grep "$acgrep_string" \
      | grep "$YESTERDAY" \
      | grep -w "$i" > "${acgrep_destinationPath}${i}_${YESTERDAY2}.txt"
  done

  # clean up and finish
  acgrep_finish
}

# Execute
acgrep_main

qFirewall (qfw) – a quick iptables firewall script

This is my new basic firewall script. For updates, check my github: https://github.com/xdth


Code

#! /bin/bash

# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
#    needs.
# 2. For convenience, add this script to your /usr/bin or alike with
#    chmod +x permissions.
# 3. License: MIT
# 4. Author: dth at dthlabs dot com
#    Site:   https://dthlabs.com
#    github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################


# #######################################################################
# ## Rules function -- edit this according to your needs

function qfw_rules {
  # Block everything
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT DROP
  echo "     > Block everything"

  # Don't break established connections
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "     > Don't break established connections"

  # Authorize loopback (127.0.0.1)
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A OUTPUT -o lo -j ACCEPT
  echo "     > Authorize Loopback"

  # ICMP (ping)
  iptables -t filter -A INPUT -p icmp -j ACCEPT
  iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  echo "     > Authorize ICMP (ping)"

  # SSH in/out
  iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
  echo "     > Authorize SSH"

  # DNS in/out
  iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  echo "     > Authorize DNS"

  # NTP Out
  iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  echo "     > Authorize NTP outbound"

  # HTTP + HTTPS Out
  iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT

  # HTTP + HTTPS In
  iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
  echo "     > Authorize http and https"

  # FTP Out
  iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

  # FTP In
  iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "     > Authorize FTP"

  # Mail SMTP
  iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT

  # Mail POP3:110
  iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

  # Mail IMAP:143
  iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

  # Mail POP3S:995
  iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
  echo "     > Authorize mail"

  # OpenVZ Web Panel
  # iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
  # echo "     > Authorize OpenVZ panel"

  # Allow VMs (forwarded traffic for OpenVZ containers)
  # iptables -P FORWARD ACCEPT
  # iptables -F FORWARD
  # echo "VMs ok"
  # echo "     > Authorize VMs"

  # Saltstack
  # iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
  # echo "     > Authorize Saltstack"

  # Drop packets the connection tracker marks INVALID (malformed or
  # unsolicited packets, e.g. from UDP floods)
  # iptables -A INPUT -m state --state INVALID -j DROP
  # echo "     > Drop INVALID packets"

}


# #######################################################################
# ## Other functions

function qfw_help {
  echo "qFirewall usage: ./qfw {start|stop}"
  exit 1
}

function qfw_seeya {
  echo "     > Thanks for using qFirewall (qfw) v0.1. Have a good day."
  echo ""
  echo ""
}

function qfw_separator {
  echo ""
  echo ""
  echo "===================== qFirewall (qfw) v0.1 ====================="
  echo ""
}

function qfw_reset {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t filter -F
  iptables -t filter -X
}

function qfw_start {
  qfw_separator
  echo "     > Starting qFirewall..."
  qfw_clean
  echo "     > Loading the rules..."
  qfw_rules
  echo "     > Rules loaded"
  echo "     > qFirewall started"
}

function qfw_clean {
  echo "     > Cleaning rules..."
  qfw_reset
  echo "     > Rules cleaned"
}

function qfw_stop {
  qfw_separator
  echo "     > Stopping qFirewall..."
  qfw_clean
  echo "     > qFirewall stopped"
}


# #######################################################################
# ## Main

case "$1" in
  start)
    qfw_start
    ;;
  stop)
    qfw_stop
    ;;
  *)
    qfw_help
    ;;
esac

qfw_seeya

exit 0
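The risk with a script like qfw is the order of operations: the INPUT policy is set to DROP first and the ACCEPT rules are appended afterwards, so an SSH session over which the script is run stays up only because the RELATED,ESTABLISHED and port 22 rules follow. The function below is an added example, not part of qfw: it audits an `iptables -S` dump and fails if INPUT has a DROP policy without the three rules that keep a remote admin session alive (loopback, RELATED/ESTABLISHED, the SSH port). The dump embedded here is constructed to mirror what qfw_rules produces; iptables with the nft backend may print the state match as `-m conntrack --ctstate`, so both spellings are accepted. The function names audit_input_chain and has are this example's own.

```shell
#!/bin/sh
# Added example (not part of qfw): check an `iptables -S` dump for lockout risk.
# On a real host: audit_input_chain "$(iptables -S)" 22
SAMPLE_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# audit_input_chain DUMP [SSH_PORT]
# Returns 0 when INPUT is not DROP, or when all three safety rules are present;
# returns 1 and names the first missing rule on stderr otherwise.
audit_input_chain() {
  dump="$1"
  sshport="${2:-22}"
  # has REGEX: true if some line of the dump matches the extended regex
  has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }

  has '^-P INPUT DROP$' || return 0   # open policy: nothing can lock us out

  has '^-A INPUT -i lo -j ACCEPT$' ||
    { echo "INPUT DROP without loopback ACCEPT" >&2; return 1; }
  has '^-A INPUT -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' ||
    { echo "INPUT DROP without RELATED,ESTABLISHED ACCEPT" >&2; return 1; }
  has "^-A INPUT -p tcp( -m tcp)? --dport $sshport -j ACCEPT$" ||
    { echo "INPUT DROP without ACCEPT for tcp/$sshport" >&2; return 1; }
  return 0
}
```

Pass the port sshd actually listens on as the second argument; the check deliberately fails for any other port, which is exactly the case where the next reboot or `qfw start` would cut the session.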

Symfony and Doctrine ORM – Many to many bidirectional relation

The classes below illustrate a many to many bidirectional relation with Doctrine ORM, Symfony3 and FOSUserBundle.

Entity User

<?php
// src/AppBundle/Entity/User.php

namespace AppBundle\Entity;

use FOS\UserBundle\Model\User as BaseUser;
use Doctrine\ORM\Mapping as ORM;
use Doctrine\Common\Collections\ArrayCollection;

/**
 * @ORM\Entity
 * @ORM\Table(name="fos_user")
 */
class User extends BaseUser
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    /**
     * Owning side of the relation (inversedBy). A many-to-many is mapped
     * through a join table, so JoinTable is used here rather than a single
     * JoinColumn. The column pointing at the group keeps the usergroup_id
     * name; user_id for this side is assumed.
     *
     * @ORM\ManyToMany(targetEntity="UserGroup", inversedBy="users")
     * @ORM\JoinTable(
     *     joinColumns={@ORM\JoinColumn(name="user_id", referencedColumnName="id")},
     *     inverseJoinColumns={@ORM\JoinColumn(name="usergroup_id", referencedColumnName="id")}
     * )
     */
    private $usergroups;

    public function __construct()
    {
        parent::__construct();
        $this->usergroups = new ArrayCollection();
    }

    public function getUsergroups()
    {
        return $this->usergroups;
    }

    public function addUsergroup(UserGroup $usergroup)
    {
        // keep the collection free of duplicates
        if (!$this->usergroups->contains($usergroup)) {
            $this->usergroups->add($usergroup);
        }

        return $this;
    }

    public function removeUsergroup(UserGroup $usergroup)
    {
        $this->usergroups->removeElement($usergroup);

        return $this;
    }
}


Intel NUC D34010WYK – Accessing and updating the BIOS

For some reason my USB3 external HD wasn’t being recognized by my NUC. I had a very old BIOS version, so I tried updating it, which solved the problem. Here’s how:

Search for the latest BIOS:
https://downloadcenter.intel.com/search?keyword=D34010WYK

In my case, it was this one. Download the .bio file and save it on a USB key.
https://downloadcenter.intel.com/download/26632/NUCs-BIOS-Update-WYLPT10H-86A-

Open your NUC and look for the BIOS security jumper:



dthUSART – C library for AVR microcontrollers (beta) and example code

I decided to create a simple C library for USART and AVR microcontrollers for the purpose of studying the USART serial interface.

This library is likely to be often updated. Open source code on my github:
https://github.com/xdth/AVR_dthUSART

Below is an example application. It echoes back strings received over serial at 9600 bit/s (defined in dthUSART.h), using the internal oscillator at 1 MHz.

Interfacing attiny2313 AVR with HD44780 LCD

We will use an attiny2313 AVR microcontroller to display strings on an HD44780 LCD (4-bit mode).

The build occupies 482 bytes of flash and uses the internal oscillator.

## Connections

+-----------------------------------+----------------+
|            HD44780 LCD            | attiny2313 MCU |
+-----------------------------------+----------------+
| PIN 1 (GND)                       |                |
| PIN 2 (+5V)                       |                |
| PIN 3 (contrast/GND)              |                |
| PIN 4 (reg select)                | PIN 2 (PD0)    |
| PIN 5 (R/W)                       | PIN 3 (PD1)    |
| PIN 6 (Enable)                    | PIN 6 (PD2)    |
| PIN 7                             |                |
| PIN 8                             |                |
| PIN 9                             |                |
| PIN 10                            |                |
| PIN 11                            | PIN 12 (PB0)   |
| PIN 12                            | PIN 13 (PB1)   |
| PIN 13                            | PIN 14 (PB2)   |
| PIN 14                            | PIN 15 (PB3)   |
| PIN 15 (220 Ohm resistor to +5V)  |                |
| PIN 16 (GND)                      |                |
+-----------------------------------+----------------+
