IT
Bash Snippets
Youtube-dl into Ffmpeg
Benötigt youtube-dl, parallel und ffmpeg.
Holt sich die direkte Video-URL via youtube-dl und piped die Video und Sound-Url direkt in ffmpeg.
Ermöglicht alles was ffmpeg kann, z.B. herauschneiden eines Clips:
URL=[url]
START=[start]
TIME=[time]
youtube-dl -g $URL | parallel -N 2 ffmpeg -ss $START -i {1} -i {2} -ss $START -map 0:v -map 1:a -t $TIME -c copy out.webm
#audio stream doesnt seem to allow input seeking (returns 403)
#so we need to do output seeking, which is... slow
#TODO: maybe find some way around that
Archive Stream
STREAM=[URL]
OUTPUT=[PATH]
# as apache to write directly to webdir
sudo -u apache /usr/local/bin/streamlink -o $OUTPUT $STREAM best
# alternative: use at to run at specified time
echo "sudo -u apache /usr/local/bin/streamlink -o $OUTPUT $STREAM best" | at [TIMESPEC]
DD with gzip
# create image
dd if=/dev/[DEVICE] | gzip > [IMAGE].gz
# apply image
gunzip -c [IMAGE].gz | dd of=/dev/[DEVICE]
Filtered Chmod
find . [filters here] -exec chmod [MOD] -- {} +
#z.B. chmod nur Dateien
find . -type f -exec chmod 644 -- {} +
chmod kann bei execute-Rechten nativ Ordner und Dateien unterscheiden:
# setzt +x bei Ordnern, aber behält das execute-Flag bei Dateien unberührt
chmod -R +X [PFAD]
# geht natürlich mit dem vollen Syntax von chmod, z.B.:
chmod -R u=Xrw,g=r,o= [PFAD]
Forge Install
java -jar forge-[version]-installer.jar --installServer
Alacritty Terminfo
# on source
infocmp > alacritty.terminfo
# sftp transfer to target
# on target
tic -x alacritty.terminfo
Telegraf Repo
Debian
curl -sL https://repos.influxdata.com/influxdb.key | apt-key add -
DISTRIB_ID=$(lsb_release -c -s)
echo "deb https://repos.influxdata.com/debian ${DISTRIB_ID} stable" | tee /etc/apt/sources.list.d/influxdb.list
IP
if up/down
ip link set dev <interface> up
ip link set dev <interface> down
htpasswd
# create
htpasswd -c -B -b </path/to/users.htpasswd> <user_name> <password>
# add/change
htpasswd -B -b </path/to/users.htpasswd> <user_name> <password>
Misc
# erkennt Größe der Blockdevice neu
echo 1 > /sys/class/block/sda/device/rescan
Ansible ARA
ARA Setup
Ara wird über Docker-Compose aufgesetzt:
ara.compose:
version: "3"
services:
server:
image: recordsansible/ara-api
container_name: ara-srv
restart: always
networks:
- ara-srv
volumes:
- /srv/ara/:/opt/ara/
ports:
- "8001:8000"
networks:
ara-srv:
ipam:
config:
- subnet: 172.20.110.0/24
/srv/ara/settings.yml:
DATABASE_ENGINE: 'django.db.backends.mysql'
DATABASE_NAME: 'ara'
DATABASE_USER: 'ara'
DATABASE_PASSWORD: '[REDACTED]'
DATABASE_HOST: 192.168.2.70
default:
ALLOWED_HOSTS:
- 127.0.0.1
- ::1
- localhost
- ara.krumel.moe
Reverse Proxy Setup:
/etc/nginx/sites-available/ara.conf:
[..]
auth_basic "";
auth_basic_user_file /etc/nginx/htpasswd/htpasswd_ara;
location / {
proxy_pass http://localhost:8001/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Authorization "";
proxy_set_header X-Forwarded-User $remote_user;
}
[..]
Ansible Setup
Initialsetup:
# im Homeverzeichnis von dediziertem Ansible-User
python3 -m venv venv
source venv/bin/activate
pip3 ansible ara
git clone git@gitea.krumel.moe:krumel/ansible.git
# von außen gitea.krumel.moe:4567
init.sh:
#!/bin/bash
source ~/venv/bin/activate
# Configure Ansible to know where ARA's callback plugin is located
export ANSIBLE_CALLBACK_PLUGINS=$(python3 -m ara.setup.callback_plugins)
# Set up the ARA callback to know where the API server is
export ARA_API_CLIENT=http
export ARA_API_SERVER="http://127.0.0.1:8001"
# Extern
#export ARA_API_SERVER="https://ara.krumel.moe"
# Extern mit Auth
#export ARA_API_USERNAME=user
#export ARA_APU_PASSWORD=password
Ara-Optionen können auch in ansible.cfg konfiguriert werden, aber da diese unterschiedlich von Host zu Host sind, macht es mehr Sinn diese in ENV zu definieren.
Playbooks über Cron
crontab -e:
# zuerst init.sh ausführen, dann ansible-playbook *im* Ansible-Verzeichnis ausführen
# (damit ansible.cfg usw. gefunden wird)
# wenn die playbooks über ara aufgenommen werden, kann stdout auch nach /dev/null redirected werden
0 3 * * 5 ~/./init.sh && d ~/ansible && ansible-playbook playbooks/rpi_patches.yml
Management
docker exec -it ara-srv /bin/bash
ara-manage [command]
OpenSSL
Certificate mit SANs
request.conf
[req]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[dn]
C="DE"
ST="Germany"
L="."
O="ORG"
OU="ORG UNIT"
emailAddress="MAIL"
CN="COMMON NAME"
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = [Domain 1]
DNS.2 = [Domain 2]
DNS.3 = [Domain 3]
# create csr
openssl req -new -key private_key.key -out csr.csr -config request.conf
# check csr
openssl req -text -verify -in csr.csr
# alt.: self-sign
openssl req -new -key private_key.key -x509 -out cert.pem -config request.conf
pkcs12/pfx
# create
openssl pkcs12 -export -out OUT.pfx -inkey KEY.key -in CERT.cer -in INTERMEDIATE.cer -in ROOT.cer
# export
openssl pkcs12 -in file.pfx -out file.withkey.pem -nodes
keys
# rsa
openssl genrsa -out [KEY].key [encryption] [BITS]
# encryption can be omitted for unencrypted key or:
# -aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256
# elliptic curve
# list available curves
openssl ecparam -list_curves
# secp384r1 or secp521r1 is a good curve
openssl ecparam -name [CURVE] -genkey -out [KEY].key
get cert/key content
# cert
openssl x509 -in [CERT].crt -text
# key
openssl rsa -in [RSA-KEY] -text
openssl ec -in [EC-KEY] -text
# csr
openssl req -in [REQUEST] -text
# optionally add -check (keys) or -verify (csr) to check for consistency
# check match key and cert
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
self sign crt
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 365
connection testing
https/smtps
openssl s_client -quiet -connect example.com:443
openssl s_client -quiet -connect mail.yourserver.tld:485
smtp/imap starttls
openssl s_client -quiet -starttls smtp -connect mail.yourserver.tld:25
openssl s_client -quiet -starttls imap -connect mail.yourserver.tld:143
IoT
DeLock Tasmota Einrichtung
Firmware Patches
Patches in folgender Reihenfolge anwenden
| Patch | URL |
|---|---|
| 7.2 (Hersteller) | http://www.delock.de/download/firmware/11826de.bin* |
| 8.5.1 | http://ota.tasmota.com/tasmota/release-8.5.1/tasmota.bin.gz |
| Newest | http://ota.tasmota.com/tasmota/tasmota.bin.gz |
*Adresse ist vorgegeben (für 11827 URL entsprechend anders)
Nach Patches in Console reset durchführen
reset 3
Falls Tasmote Gerät nicht automatisch erkennt, Template anwenden:
{"NAME":"DeLock 11826","GPIO":[32,0,0,0,0,0,0,0,224,576,0,0,0,0],"FLAG":0,"BASE":1}
ODER
{"NAME":"Delock 11827","GPIO":[0,0,0,32,2688,2656,0,0,2624,576,224,0,0,0],"FLAG":0,"BASE":53}
Home Assistant Config
| Setting | Value |
|---|---|
| Host | home.krumel.moe |
| Port | 1883 (default) |
| Client | whatever, default ok |
| User | mqtt |
| Password | siehe Keepass |
| Topic | tasmota_%06X (an sich egal, hauptsache eindeutig) |
Misc
Java OpenJDK11 with javaws iDRAC 8
Download and install https://adoptopenjdk.net/ Download and extract icedtea-web-1.8.win.bin.zip from https://icedtea.wildebeest.org/download/icedtea-web-binaries/1.8/windows/
edit <java>\conf\security\java.security and comment out
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
use bin/javaws.exe from icedtea-web package für iDRAC 8
InfluxDB
Pivot
|> pivot(rowKey: ["_time"], columnKey: ["host"], valueColumn: "_value")
Align Timestamps
|> truncateTimeColumn(unit: 5m)
Map
|> map(fn: (r) => ({_time: r._time, _value: something}))
Stable Diffusion Prompts
Styles
| Prompt | Stil |
|---|---|
| by ilya kuvshinov | Anime-Style Portraits, neigt zu komischen Gesicherten |
| by serge marshennikov | Photographie von Frauen |
| by albert lynch | sehr gute Portraits von Frauen |
| by makoto shinkai | Landschaften, guter Anime-Stil |
| by michael whelan | tierische Körperteile (i.e. Tentakel-Haare), funktioniert manchmal (aber besser als der Rest) |
Full Prompts
Java GC-Tuning
Java 11+
Nimm einfach shenandoah oder zgc. Üblicherweiße kein weiteres Tuning erforderlich.
Java 8 (i.e. G1GC)
# TODO: Parameter und Effekte erklären
java -jar -Xms20G -Xmx20G -javaagent:jolokia-jvm-1.6.2-agent.jar\
-XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:MaxGCPauseMillis=100\
-XX:+DisableExplicitGC -XX:TargetSurvivorRatio=90 -XX:G1NewSizePercent=50\
-XX:G1MaxNewSizePercent=80 -XX:G1MixedGCLiveThresholdPercent=50\
-XX:G1ReservePercent=20 -XX:ConcGCThreads=2 -XX:ParallelGCThreads=4\
-XX:InitiatingHeapOccupancyPercent=25\
-XX:+AlwaysPreTouch -Xloggc:gc.log -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps\
-XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=1M forge-1.16.5-36.0.1.jar nogui
Ansible
Partitionierung
https://docs.ansible.com/ansible/latest/collections/community/general/parted_module.html
https://docs.ansible.com/ansible/latest/collections/community/general/filesystem_module.html
https://docs.ansible.com/ansible/latest/collections/ansible/posix/mount_module.html
Proxmox scsi Zuordnung
SCSI HDDs in Proxmox sind über den Hardware-Mountpoint identifizierbar:
#in Proxmox scsiN
lsscsi -b 0:0:0:N | grep -o -e '/dev/\w*'
#Zuordnung UUID
lsscsi -b | grep -o -e "/dev/sd\w*" | xargs lsblk -no +UUID {}














