services:
  db:
    image: postgres
    restart: always
    environment:
      POSTGRES_PASSWORD: secret
    ports:
      - "5432:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
@rechner
rechner / printer.conf
Created July 22, 2023 22:07 — forked from jasonehines/printer.conf
Ender 3 Pro Creality 4.2.7 with bltouch - Klipper printer Configuration
# This file contains pin mappings for the Creality "v4.2.7" board. To
# use this config, during "make menuconfig" select the STM32F103 with
# a "28KiB bootloader" and serial (on USART1 PA10/PA9) communication.
# If you prefer a direct serial connection, in "make menuconfig"
# select "Enable extra low-level configuration options" and select
# serial (on USART3 PB11/PB10), which is broken out on the 10 pin IDC
# cable used for the LCD module as follows:
# 3: Tx, 4: Rx, 9: GND, 10: VCC
# ~/.config/systemd/user/turntable-stream.service
# Systemd user unit for streaming audio from a soundcard to a snapcast TCP server source
[Unit]
Description=Stream turntable input to snapserver
Wants=avahi-daemon.service
After=network-online.target time-sync.target sound.target avahi-daemon.service
[Service]
ExecStart=/usr/bin/gst-launch-1.0 -v pulsesrc ! audioresample ! audioconvert ! audio/x-raw,rate=44100,channels=2,format=S16LE ! wavenc ! tcpclientsink host=snapserver.local port=4953
@rechner
rechner / install-ca.sh
Created April 23, 2022 08:30
Installs an IPA root certificate locally
#!/bin/bash
# vim: set ts=4 sw=4 expandtab sts=4 smartindent
set -o pipefail
if [ $UID -ne 0 ]; then
    echo "Please run as root"
    exit 1
fi
# Setting up Proxmox with a certificate from FreeIPA.
# This assumes you've already joined the machine with ipa-client-install
# Get a ticket as someone that can issue certificates
kinit admin
cat <<EOF > /usr/local/sbin/set-ssl-permissions
#!/bin/bash
FILES=/etc/pve/nodes/proxmox/{pve-ssl.key,pve-ssl.pem}
# cp suspend-fix.service /etc/systemd/system && systemctl enable --now suspend-fix.service
[Unit]
Description=Disable suspend wakeup interrupts except for LID
[Service]
Type=oneshot
ExecStart=/bin/sh -c "echo SLPB GLAN XHC > /proc/acpi/wakeup"
[Install]
WantedBy=multi-user.target

Flavoured for a Debian 10 IPA-joined web server, and based on these pages from the FreeIPA wiki:

Install pre-requisites

# Install pre-requisites
sudo apt install libapache2-mod-authnz-pam libapache2-mod-auth-kerb libapache2-mod-auth-gssapi

# libapache2-mod-nss isn't packaged for Buster for some reason, but oldstable package works fine:
@rechner
rechner / freeipa-openvpn.md
Last active February 13, 2024 14:51
FreeIPA setup for OpenVPN logins

This article proved to be a decent starting point, but I was particularly interested in allowing password-based logins to OpenVPN using a username/password backed by FreeIPA (as opposed to client certificates) as the identity provider.

  • IPA join your VPN machine: ipa-client-install --mkhomedir
  • Get a kerberos ticket: kinit
  • Create a Kerberos service principal and HBAC rule for openvpn access:
ipa service-add openvpn/`hostname`
  • Create new hbacrule in console, mark host as the VPN host, and whatever group you want to restrict access to:
@rechner
rechner / ldap-auth.py
Created November 18, 2019 23:47
LDAP Auth script for HomeAssistant
import os
from ldap3 import Server, Connection, ALL, core
# XXX: Update these with settings appropriate to your environment:
# (I use FreeIPA and a homeassistant group assignment)
SERVER = "ipa.example.com"
USERDN = "uid={},cn=users,cn=accounts,dc=example,dc=com"
TIMEOUT = 3
BASEDN = USERDN
SCOPE = "base"