Andrew Ho andrewlkho

View zotfile.wildcards.user
# Format: {%a }{%y }{%1|%j}
{"1":{"default":{"field":"journalAbbreviation","operations":[{"function":"replace","regex":"\\.","replacement":""}]}}}
@andrewlkho
andrewlkho / gist:3d05108ddb363243198d93526980522e
Created Mar 23, 2017
Expanding storage on a Raspberry Pi using Amazon S3
View gist:3d05108ddb363243198d93526980522e

I've been playing around with a Raspberry Pi hosted with Mythic Beasts and wanted a way to keep a large number of infrequently-accessed files on the server. A cost-effective place to store such data is on Amazon S3. After looking around at ways to mount an S3 bucket on the Raspberry Pi and have it appear as a regular filesystem, I came across s3backer. This provides a single file, divided into blocks, each of which is stored as an S3 object. A filesystem is mounted onto this file using a loopback mount. This setup has many benefits which are explained well in the README. Here's how to set it up on the Raspberry Pi.

I'm going to assume that you have an S3 bucket mybucket created and a user with credentials to access it. Although not explicitly specified, some of the commands below need to be run as root.

First, install prerequisites (the first line is

@andrewlkho
andrewlkho / debian-strongswan.md
Last active Jul 21, 2019
Setting up a secure VPN with strongSwan on debian
View debian-strongswan.md

With heightening concern regarding the state of internet privacy (fuelled in part by the passing of the Investigatory Powers Act in the UK), I have set up a VPN server on the virtual server I have hosted with Mythic Beasts. This uses strongSwan and certificate-based IKEv2 authentication.

Assumptions:

  • Debian Jessie server already set up and accessible via debian.example.com, a public IPv4 of 203.0.113.1 and a public IPv6 of 2001:db8::1
  • Client username of me
  • Clients are running the latest versions of macOS and iOS (Sierra and 10 respectively at the time of writing)
  • No need to support any other operating systems (although the setup is easily translated)

For automated deployment of a similar setup, albeit Ubuntu-based and using ansible for deployment, I recommend you take a look at Algo VPN. I used that project as a basis for my configuration.

@andrewlkho
andrewlkho / rules.v4
Last active Oct 24, 2018
ip(6)tables rules
View rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
@andrewlkho
andrewlkho / notes.tex
Created Apr 28, 2016
Minimal template for notes
View notes.tex
\documentclass[a4paper,10pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[scaled]{helvet}
\renewcommand{\familydefault}{\sfdefault}
\usepackage[margin=1in]{geometry}
\setlength{\parindent}{0pt}
\setlength{\parskip}{\baselineskip}
@andrewlkho
andrewlkho / README.md
Created Apr 6, 2016
How to run sshd as a Tor hidden service on a Raspberry Pi
View README.md

I keep a Raspberry Pi at a relative's house which backs up my cloud storage to a Time Machine on their network. Previously I had port 22 NAT'd to the Raspberry Pi so that I could ssh in for occasional admin. However, I found that even with iptables/fail2ban installed, there were daily attempts at getting hacked. As I only infrequently need to access the server, I decided to set up sshd as a Tor hidden service which did not require port 22 to be exposed to the wider internet.

Set up sshd as a hidden service

The first step is to install tor:

# apt-get install tor

Add the following lines to /etc/tor/torrc:

@andrewlkho
andrewlkho / README.md
Last active Sep 3, 2018
Implementing HTTPS on NFSN (nearlyfreespeech.net) hosting using Let's Encrypt
View README.md

These instructions are for implementing HTTPS on a NFSN-hosted static site using a certificate from Let's Encrypt. The certificate is generated manually on a separate computer.

Start off by installing the letsencrypt client. This requires sudo privileges and will install a bunch of packages:

% curl -O https://dl.eff.org/certbot-auto
% chmod +x ./certbot-auto
% ./certbot-auto

Generate the certificate. This will require you to publish some challenge responses on NFSN. I find it easiest to use tmux with letsencrypt running in one window and an SSH session to NFSN in another:

@andrewlkho
andrewlkho / gist:ef90563e76e0c4e03e03
Last active Jan 10, 2016
Roast pork belly recipe
View gist:ef90563e76e0c4e03e03

Adapted from Nigella.

Ingredients

  • 1.5 kg pork belly
  • 4-6 tbsp tahini
  • 4-6 tbsp soy sauce
  • Juice of 1 lemon
  • Juice of 1 lime
  • Salt
@andrewlkho
andrewlkho / gist:6f3ed6d32e8f1071e62f
Created May 20, 2015
How to edit RAW files produced by Fujifilm XQ1 in Photos (OS X)
View gist:6f3ed6d32e8f1071e62f

OS X does not, as of May 2015, support the RAW (*.RAF) files produced by the Fujifilm XQ1. The easiest way to edit them is to download the Adobe Camera RAW and DNG Converter. This can be used to convert RAF files into DNG files. Importantly, "Compatibility" must be set to "Camera Raw 6.6 and later". The default setting of "Camera Raw 7.1 and later" creates files that OS X cannot handle.

@andrewlkho
andrewlkho / gist:e9a8c996c4bc1df23cd2
Last active Dec 6, 2018
How to secure debian with two factor authentication (TOTP/HOTP)
View gist:e9a8c996c4bc1df23cd2

First, install the necessary packages:

% apt-get install libpam-oath oathtool

Generate a key and write it to /etc/users.oath (NB the key will be in hexadecimal; if you are using Authy you will want to convert it to BASE32):

% KEY=$( head -c 1024 /dev/urandom | openssl sha1 | awk '{ print $2 }' )
% echo "HOTP/T30/6 andrewlkho - ${KEY}" >> /etc/users.oath
% chmod 600 /etc/users.oath