@NiceRath
NiceRath / openvpn_profile_chromeos.sh
Last active June 19, 2024 09:38
OpenVPN Profile for ChromeOS (ONC Format)
#!/bin/bash
# onc file format reference: https://chromium.googlesource.com/chromium/src/+/main/components/onc/docs/onc_spec.md#OpenVPN-connections-and-types
# NOTE: it seems tls-crypt is not supported
# TLSAuth
tlsauth="$(cat tlsauth.key | sed '1,3d' | sed ':a;N;$!ba;s/\n/\\n/g')"
# CA Certificate
ca="$(cat ca.crt | sed '1,1d' | sed '$d' | sed ':a;N;$!ba;s/\n//g')"
@NiceRath
NiceRath / graylog_pipeline_rules.md
Last active May 23, 2024 07:47
Graylog Pipeline Rules to extract fields for some common Services

Graylog menu: Graylog - System - Pipelines - Manage rules

All rules assume you pre-filter your logs on a per-application basis. Otherwise the matching will get horrible.

Use regex101.com for testing expressions. Make sure to escape all the backslashes (\\ and so on) before adding an expression as a Graylog rule.

GENERIC: Use lookup tables to translate IPs to Hostnames

/*
@NiceRath
NiceRath / recursive_file_checksum.sh
Created April 22, 2024 09:04
Script for recursive checksum over directory content
#!/usr/bin/env bash
# NOTES:
# performs md5sum on all files in the directory, sorts them and creates an overall md5sum
# WARNING: the sort order & checksum will change if you do not use the same LANG/LC_ALL!
EXCLUDES=('dir1' 'dir2/*')
set -eo pipefail
@NiceRath
NiceRath / linuxha_cluster_floatingIP.txt
Last active May 13, 2024 14:43
LinuxHA (CRM/Corosync/Pacemaker) - Config for basic service cluster with floating IP
# bash > crm configure
primitive resHAProxy systemd:haproxy \
op monitor interval=5
clone clone_HAProxy resHAProxy
primitive resIP_LB IPaddr2 \
params ip=172.x.x.x nic=ens18 cidr_netmask=32 \
op monitor interval=10s \
meta target-role=Started
location cli-prefer-resIP_LB resIP_LB role=Started inf: node01 # prefer node01 if available
@NiceRath
NiceRath / luks_cryptmount_resize.sh
Created April 18, 2024 11:08
Luks Cryptmount - Resize encrypted LVM volume
#!/bin/bash
set -eE -o pipefail
# to create such a volume - use: https://gist.github.com/NiceRath/c794caa26a28fc90fc628a047648722b
if [ $# -lt 3 ]
then
cat << EOF
You must provide:
@NiceRath
NiceRath / luks_cryptmount_remote_key.sh
Last active April 18, 2024 18:23
Luks Cryptmount - Mount with key from remote host
#!/bin/bash
set -eE -o pipefail
# to create such a volume - use: https://gist.github.com/NiceRath/c794caa26a28fc90fc628a047648722b
# move the created key from <PATH-TO-KEY-DIR> to the remote host and securely delete them (e.g. using 'shred')
# run example: "bash /usr/local/sbin/cryptmount/cryptmount.sh vg0-lv1 crypt-lv1 /data"
ENC_LV_NAME="$1"
DECRYPT_LV_NAME="$2"
@NiceRath
NiceRath / luks_cryptmount_create.sh
Last active April 18, 2024 18:23
Luks Cryptmount - Create encrypted LVM volume
#!/bin/bash
set -eE -o pipefail
# script to encrypt an existing LVM volume
# to move the encryption keys to a remote host - use: https://gist.github.com/NiceRath/65511409c8dbbbbb98ae6f1a668b7d5d
ENC_PATH='<PATH-TO-KEY-DIR>'
KEY_SIZE='8192'
PASS_FILE="${ENC_PATH}/<GPG-PASSPHRASE-FILE>"
@NiceRath
NiceRath / macos_update_notification_jamf.sh
Created April 17, 2024 13:11
MacOS Update Notification (Jamf)
#!/bin/bash
set -euo pipefail
# NOTES:
# as Apple is not able to provide any good option to force updates on managed clients - you might want to notify users to install them
# will be silent if no updates are available
# see also: https://ss64.com/osx/softwareupdate.html
@NiceRath
NiceRath / google_takeout_mail_analysis.sh
Created April 17, 2024 10:52
Script to analyze Google Workspace/Gmail Mailboxes (Mailing Lists, Top Senders)
#!/bin/bash
set -eo pipefail
# NOTES:
# to use on backup files created by Google Takeout: https://support.google.com/accounts/answer/3024190?hl=en
# creates lists of top N mail senders & distribution-lists @ /tmp
# can be used to create Google Vault retentions to clean-up old mails or spam: https://support.google.com/vault/answer/2990828?hl=en
if [ -z "$1" ]
@NiceRath
NiceRath / check_for_expired_ocsp.sh
Created March 4, 2024 08:09
OpenSSL scan directory for expired OCSP
#!/usr/bin/env bash
set -eo pipefail
if [ -z "$1" ]
then
echo "You need to supply the path to a certificate-directory to scan"
exit 1
fi