Julius Thyssen jult
@jult
jult / certbot_cloudflare_dns.sh
Last active August 23, 2021 08:49
script to install latest certbot with cloudflare dns-01 challenge plugin (for debian 9/stretch)
#!/bin/sh
# Check if user has root privileges
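# ([[ ]] and $EUID are bash-only; under a POSIX /bin/sh such as dash the test errors out and the check is skipped)
if [ "$(id -u)" -ne 0 ]; then
    echo "You must run the script as root or using sudo"
    exit 1
fi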
## Reconfigure Dash
echo "dash dash/sh boolean false" | debconf-set-selections
@jult
jult / nc_update.sh
Last active February 26, 2021 11:51
nextcloud update and post-update occ commands, file and database integrity fixes
#!/bin/bash
find /etc -type f -name "php.ini" -exec sed -i 's/output_buffering/;output_buffering/g' {} +
sudo -u www-data sed -i "s/output_buffering=.*/output_buffering='Off'/" /var/www/nextcloud/.user.ini
sudo -u www-data php /var/www/nextcloud/occ app:disable survey_client
sudo -u www-data php /var/www/nextcloud/occ app:disable firstrunwizard
sudo -u www-data php /var/www/nextcloud/occ app:enable admin_audit
sudo -u www-data php /var/www/nextcloud/occ app:enable files_pdfviewer
sudo -u www-data php /var/www/nextcloud/occ maintenance:mode --on
nohup chown -R www-data:www-data /var/www/nextcloud &
@jult
jult / CORS
Last active December 23, 2020 14:16
NGINX config for pi-hole
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
#
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
#
# Tell client that this pre-flight info is valid for 20 days
#
@jult
jult / TLS
Last active December 7, 2020 00:10
My nginx include for TLS A+ rating at ssllabs.com/ssltest using nginx/1.14.* and openssl 1.1.1*
# version 2020 feb 24
ssl_certificate /etc/letsencrypt/live/yardomain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yardomain.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/yardomain.org/chain.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
@jult
jult / update-blocklist.sh
Last active March 7, 2020 15:41
iptables blocklist script (using ipset hash..)
#!/bin/bash
IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/etc/ip-blacklist.conf
IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
IP_BLACKLIST_CUSTOM=/etc/ip-blacklist-custom.conf # optional
list="chinese nigerian russian lacnic exploited-servers"
BLACKLISTS=(
"http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
# "http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes, who would refuse those accessing your server?
# "http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
@jult
jult / https_only
Last active December 16, 2019 12:23
[NGINX] Redirect all hostnames and requests from http to https serverwide
# To have port 80 requests go to their 443 equivalents for an entire webserver, put this file in /etc/nginx/conf.d/
# Note that to specify the catch-all name or default server you
# need to use the *listen* directive, not the server_name directive!
# See also https://nginx.org/en/docs/http/request_processing.html
#
# - $host catches subdomain names.
# - 307 and 308 include both POST and GET request URIs.
# - 307 is Temporary, change to the Permanent 308 after thorough testing: # return 308 https://$host$request_uri;
server {
@jult
jult / jult.ini
Last active September 18, 2019 12:21
Dark Forest skin for Midnight Commander ( dark mc colors theme with sufficient contrast )
# Being unsatisfied with the look of mc in console/terminal windows, I made this for my own use.
# Version 3.7, subject to change over the years.. <j@jult.nl>
# I N S T A L L
# Put this file (jult.ini) in either of these skin-directories:
# /etc/mc/skins/
# /usr/share/mc/skins/
# ~/.local/share/mc/skins/
@jult
jult / main.cf
Last active February 14, 2019 10:11
current postfix and some related config (partly managed by ISPconfig)
# this is most of my /etc/postfix/main.cf file:
inet_protocols = all
inet_interfaces = all
recipient_delimiter = +
smtpd_banner = Blah ESMTP
empty_address_recipient = admin
@jult
jult / hostsupdater.sh
Last active February 1, 2019 17:56
grab and sort hosts to block for dnsmasq (this existed way before pihole)
#!/bin/bash
# We create a new /tmp/block file first, then append to it
# the 'sleep 1's are inserted because we suffered from slow/delayed disk cache writes
# which often caused this script to skip or not entirely finish pasting lists
wget -qO - --limit-rate=1500k https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt > /tmp/block
sleep 1
wget -qO - --limit-rate=1500k https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts >> /tmp/block
sleep 1
@jult
jult / encback.sh
Last active January 16, 2019 09:51
Back-up files from server to server using ssh/rsync, and encrypt heavily using openssl before transfer because of insecure remote machine owned by other(s)
#!/bin/sh
# back up files from server to server using ssh/rsync
# encrypt heavily using openssl before transfer to less secure location
# create the files
tar -zcpf /somepath/etc.tar.gz -C / etc
# tar -cv --exclude='root/io'-f /somepath/root.tar -find /root ! -type l
mysqldump --dump-date -uwp_admin -pSomedbpass -h localhost wordprass > /somepath/zichtbaar.sql