Friday, September 15, 2023

Ubuntu Jammy Install MySQL via the Oracle PPA with Modern GPG / Public Key Keyring Method

export GNUPGHOME=/tmp/gpg
mkdir -p /etc/apt/keyrings/
mkdir -p /tmp/gpg
cd /tmp/gpg

gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '859BE8D7C586F538430B19C2467B942D3A79BD29'
gpg --batch --export '859BE8D7C586F538430B19C2467B942D3A79BD29' > /etc/apt/keyrings/mysql.gpg
echo 'deb [ signed-by=/etc/apt/keyrings/mysql.gpg ] http://repo.mysql.com/apt/ubuntu/ jammy mysql-8.0' > /etc/apt/sources.list.d/mysql.list



gpgconf --kill all
rm -rf /tmp/gpg

apt install mysql-server

#todo: script initial config & removal of insecure logins

Friday, April 21, 2023

Javascript OOP Classes are not real-- it is just syntactic sugar!

class MyBaseClass {
    constructor(thingOne, thingTwo) {
        this.thingOne = thingOne;
        this.thingTwo = thingTwo;
    }
    getThingOne() {
        return this.thingOne;
    }
    getThingTwo {
        return this.thingTwo;
    }
}

class MyExtendedClass extends MyBaseClass {
    constructor(thingOne, thingTwo, thingThree) {
        super(thingOne, thingTwo);
        this.thingThree = "thingThree"
    }

    getThingThree() {
        return this.thingThree;
    }
}

let theThings = new MyExtendedClass("foo", "bar", "baz");



This is the helper way to write the following:



function MyBaseClass (thingOne, thingTwo) {
    let newMyBaseClass = Object.create(myBaseClassConstructor);
    newMyBaseClass.thingOne = thingOne;
    newMyBaseClass.thingTwo = thingTwo;
    return newMyBaseClass;
}

let myBaseClassConstructor = {
    getThingOne: function() {
        return this.thingOne;
    },
    getThingTwo: function() {
        return this.thingTwo;
    }
}

function MyExtendedClass(thingOne, thingTwo, thingThree) {
    let newMyExtendedClass = MyBaseClass(thingOne, thingTwo);
    Object.setPrototypeOf(newMyExtendedClass, myExtendedClassConstructor);
    newMyExtendedClass.thingThree = thingThree;
    return newMyExtendedClass;
}

let myExtendedClassConstructor = {
    getThingThree: function() {
        return this.thingThree;
    }
}

Object.setPrototypeOf(myExtendedClassConstructor, myBaseClassConstructor);

const theSquare = MyBaseClass(2,3);
theSquareArea = theSquare.getThingOne() * theSquare.getThingTwo();

const theBox = MyExtendedClass(2, 3, 5);
theCubicVolume = theBox.getThingOne() * theBox.getThingTwo() * theBox.getThingThree();

Monday, October 24, 2022

*buntu ( Kubuntu ) Install Sublime Text

sudo wget -O /tmp/sublime-text.gpg https://download.sublimetext.com/sublimehq-pub.gpg

sudo gpg --no-default-keyring --keyring /etc/apt/keyrings/sublime-text.gpg --import /tmp/sublime-text.gpg

echo 'deb [signed-by=/etc/apt/keyrings/sublime-text.gpg] https://download.sublimetext.com/ apt/stable/' | sudo tee /etc/apt/sources.list.d/sublime-text.list > /dev/null 2>&1

sudo apt update

sudo apt upgrade

sudo apt install sublime-text

Sunday, October 23, 2022

*buntu ( Kubuntu ) Install Google Chrome Browser

sudo wget https://dl.google.com/linux/linux_signing_key.pub -O /tmp/google-chrome.pub

sudo gpg --no-default-keyring --keyring /etc/apt/keyrings/google-chrome.gpg --import /tmp/google-chrome.pub

echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.gpg] http://dl.google.com/linux/chrome/deb/ stable main' | sudo tee /etc/apt/sources.list.d/google-chrome.list > /dev/null 2>&1

sudo apt update

sudo apt upgrade

sudo apt install google-chrome-stable

Friday, September 16, 2022

How to Turn JSON String Data into a Proper JavaScript Object

Because when writing JavaScript I forget, this is simply how to turn what is usually API response data into a JavaScript object.

data = { "this":"thing" };

object = JSON.parse(data);

Monday, September 12, 2022

Adding PHP Environment Variables with Lines in /etc/php/8.1/php-fpm/pool.d/www.conf

I finally found a clean enough way to inject PHP environment variables into my applications that doesn't completely pucker my parts where the sun does not shine-- in this case the app environment(dev, test, prod) coincidentally and hostname. The example is dripping in Debian/*buntu flavor, you have been warned.

As a "twofer", this is how you might set up the capsule for the Cartalyst Sentinel library in an implementation loaded from Composer, as an example of how to create and use the values.

Example variables to put into my www.conf file of my php-fpm config. For me this file lives under /etc/php/8.1/fpm/conf.d/www.conf . Just right at the bottom of the file, append your environment variable definitions right there at the end. I restart my php-fpm process with brad@hostname$sudo systemctl restart php8.1-fpm for lack of any reason to do otherwise.

env[environment] = 'prod'


env[sentinelDriver] = 'mysql'

env[sentinelHost] = 'hostname-that-might-be-localhost'

env[sentinelDatabase] = 'sentinel-database-name'

env[sentinelUsername] = 'sentinel-database-username'

env[sentinelPassword] = 'sentinel-database-password'

env[sentinelCharset] = 'utf8'

env[sentinelCollation] = 'utf8_unicode_ci'


And then where the rubber meets the road in your PHP files:


$capsule = new Capsule;


$capsule->addConnection([

    'driver'    => $_SERVER['sentinelDriver'];

    'host'      => $_SERVER['sentinelHost'];

    'database'  => $_SERVER['sentinelDatabase'];

    'username'  => $_SERVER['sentinelUsername'];

    'password'  => $_SERVER['sentinelPassword'];

    'charset'   => $_SERVER['sentinelCharset'];

    'collation' => $_SERVER['sentinelCollation'];

];

A word of caution. The php-fpm www.conf default for showing the system environment variables is:

clear_env = yes

However, you won't see that configuration setting. So, for me, the following default that I do see in every configuration of every system I have ever provisioned is correct:

;clear_env = no

I don't want my real system environment variables available via my application so far. Possible, yes. Desired functionality, no.

clear_env = no

Friday, September 9, 2022

My Port 80 Nginx Config Going Forward

So I hadn't ever considered it, but we can logically tell bots to look for our .well-known directory content wherever we want. Like in the normal webroot instead of a directory I don't want in my app.

server {
  if ($host = hostname.tld) {
    return 301 https://$host$request_uri;
  }
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name hostname.tld;
  server_tokens off;
  location /.well-known/acme-challenge/ { root /var/www/html; try_files $uri =404; } return 404;
}

Saturday, January 11, 2020

Playing with the FreeIPA Identity, Permissions, and Audit Server software with an Automated Install on Debian Sid -- Unattended Install Success!

So, I did it. FreeIPA installs without any user intervention after you kick of the Linode server build from Stackscripts. I use a Comodo (Sectigo) SSL certificate purchased via the Namecheap DNS registrar. The chain certificate that defines the trust relationship in various certificates all the way up to the root certificate-- where the "Subject" and the "Issuer" fields are the same, that certificate I got from my registrar was missing the root certificate. You can see it built supposedly properly in the script. Using a different Certificate Authority(CA) may or may not need the partial chain fortified all the way up to the Root CA certificate. FreeIPA doesn't seem to allow any certificates with an incomplete chain certificate.

There is a caveat-- the SSL certificates. I did not find a way I liked to import the certificates into the script in the same manner as the hostname, domain, and various passwords-- so they are hardcoded in. Sub-optimal. An inline expect script was the best I could do to respond to the kinit requested input of AdminUserPassword.

I am quasi-satisfied as it is. Time to show it off and receive the proper criticisms. Thank you in advance to everyone who was grumpy and doesn't hold back. I won't be better if I don't get the proper WTF admonishings...



================== Linode Stack Script =======================

#!/usr/bin/env bash

date +%s > /tmp/start.txt

#<UDF name="hostname" label="The new Linode's Host Name" default="ipa">
# HOSTNAME=

#<UDF name="domain" label="The new Linode's Domain" default="example.com">
# DOMAIN=

#<UDF name="kerberospass" label="The password for the Kerberos database" default="KerberosPassword">
# KERBEROSPASS=

#<UDF name="ADMINUSERPASS" label="The password for the IPA Admin User" default="AdminUserPassword">
# ADMINUSERPASS=

#<UDF name="DIRMGRPASS" label="The password for the Directory Manager" default="DirectoryManagerPassword">
# DIRMGRPASS=

#<UDF name="P12CERTPASS" label="The password for the pkcs12 certificate" default="p12-cert-password">
# P12CERTPASS=

cat << EOF > /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICqTCCAZECAQAwZDELMAkGA1UEBhMCVVMxDTALBgNVBAgMBE9ISU8xETAPBgNV
BAcMCEVBU1RMQUtFMRAwDgYDVQQKDAdFWEFNUExFMQswCQYDVQQLDAJJVDEUMBIG
A1UEAwwLRVhBTVBMRS5DT00wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC54Z91je+HQ1U8jcQDJOCIMeDxub6EtraWMdolj+3d5CxIqaXDTcTbiBO3wwKw
1rATnhN6gr/sj2/eyZjcp1J51Ss0Ibvpkw5png/3A+mLfP2BU+8l2qUtC9zqJjuU
s4sC0LfQcoTMbYNGwvpijh0xOM74irJAt3nr9+82emVThERaAMeQXWMpl9ZerA4E
i94xM/NNVS4gnTBln2HiZBAPkED+fSW8knhWSm3tUKDNS2uhi+hExy4q1SflMTWX
FdylXfUzFt4a/L+ivbS7QZUThlbO5B0gPVF0s1wwgr+MXGaCSSm70jMoF+w9B3Iv
JPPwlx3myWQWKYlX6FpBV/GFAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAtL9z
NT0zLCB9JA7IQvuUHle4bYcG/aMSiXZVYsU7qvmhDP48czjx4EQGWT2KuzDKrc0l
J2IdhLqWR7WNC4ToCEpOjVVBrmUOoB01GbjmuCqJZhCTvFPPHW0LSxRh2elzGLFz
2BaEzq8lwGo8rZ+/pS8zVdlIg5GwWxQxu0sErrrT71bnRCsbMYLtRQa/R7inAwT1
AOy511wLqJPcQVs+cI5UTZu8J5QVd8Z/xjHI0Nf0EiCdsyzGJUrN8Rw8TDafp0XL
LgSMqydkfCrfNmiTtd1AZJlK59pZ6XHdIyM6j3bA+zoniSIxA3Vbi2C0Qry9ltcI
sd4WPW1LF4aN1ZOD6Q==
-----END CERTIFICATE REQUEST-----"
EOF

cat << EOF > /etc/ssl/certs/addtrust.root.chain.crt
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
EOF

cat << EOF > /etc/ssl/certs/usertrust.chain.crt
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
EOF

cat << EOF > /etc/ssl/certs/sectigo.chain.crt
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
EOF

# the one place where I could NOT abuse the 'cat' command... but DID ANYWAYS!

cat << EOF > /etc/ssl/certs/full.chain.crt
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
EOF

cat << EOF > /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.crt
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIJAKB7jY2KwQ3eMA0GCSqGSIb3DQEBCwUAMGQxCzAJBgNV
BAYTAlVTMQ0wCwYDVQQIDARPSElPMREwDwYDVQQHDAhFQVNUTEFLRTEQMA4GA1UE
CgwHRVhBTVBMRTELMAkGA1UECwwCSVQxFDASBgNVBAMMC0VYQU1QTEUuQ09NMB4X
DTIwMDExMTA4MzMyNVoXDTIwMDIxMDA4MzMyNVowZDELMAkGA1UEBhMCVVMxDTAL
BgNVBAgMBE9ISU8xETAPBgNVBAcMCEVBU1RMQUtFMRAwDgYDVQQKDAdFWEFNUExF
MQswCQYDVQQLDAJJVDEUMBIGA1UEAwwLRVhBTVBMRS5DT00wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC68zZBgZ/NLH74iuQI1zKgahaFFpSWkQlVUbU1
LEqq+3TuV+IGr98ztk2YY8eoBirXneD/umClfn2EMZttQqXJMv2MEGVhUUKwY6mK
wp92B/COIeY+LxUioA12IPDHahAf1EbgCL3FDQ7As6e/kUI/NKSeQbmWY/mnwFbB
mWoztbe2aegwRXHSWHiEk0SbizTYvyrNe6czhMznxKTpr66u+5CX2neR0Wu+vWLA
tgikn2Wl5qfu3TIZEvUw49Lwe1VFcrfnJIp6fBBtfRHLW+A9KSm5G5yW2f/2asKn
Tl880r5WHZ5u6sAFaUQK/kO5IQht5TqtZJRdk72LOFgeL6djAgMBAAGjUzBRMB0G
A1UdDgQWBBQ5uhlDtZ3WlJX8I2fq0Ss/3SxsoTAfBgNVHSMEGDAWgBQ5uhlDtZ3W
lJX8I2fq0Ss/3SxsoTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IB
AQCkzQ5IIIE4jYx1bKRGCsPESNSxEpuv9wIeG8BU2F/XMqp5Pm1odkKr6AKRb0RU
44qhM6tlsorCBCGnEN3ij07Ctuu+hbvVzfyKrhtFK/NC6wQx24aWiBuhhkZZgBTV
yPtslEZwNfMKuXlNhajea7f4HrB6pfxEVUAlhF2XCLlaQ7DNx6pL39zItWVBAvHA
50Xns1sIR9V7RRm49ilsU3+P7hcXP2WmmpXYZn0ObtTC6IIOEeDLMNf4G8tGganx
qSaOfpZjuM+E3LMlMf5vKJQI0LtrJqY12uD6JaoP8JW1MVske2YpPe7h2hL5Sz8B
B2wrROUQ8M1HMMFt5RdcHD1U
-----END CERTIFICATE-----
EOF

cat << EOF > /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.pkey
-----BEGIN PRIVATE KEY-----                                                                                                          
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC54Z91je+HQ1U8                                                                     
jcQDJOCIMeDxub6EtraWMdolj+3d5CxIqaXDTcTbiBO3wwKw1rATnhN6gr/sj2/e                                                                     
yZjcp1J51Ss0Ibvpkw5png/3A+mLfP2BU+8l2qUtC9zqJjuUs4sC0LfQcoTMbYNG                                                                     
wvpijh0xOM74irJAt3nr9+82emVThERaAMeQXWMpl9ZerA4Ei94xM/NNVS4gnTBl                                                                     
n2HiZBAPkED+fSW8knhWSm3tUKDNS2uhi+hExy4q1SflMTWXFdylXfUzFt4a/L+i                                                                     
vbS7QZUThlbO5B0gPVF0s1wwgr+MXGaCSSm70jMoF+w9B3IvJPPwlx3myWQWKYlX
6FpBV/GFAgMBAAECggEBAJPaPH1D/e/ohgcZeH1LuvF6Q0PjDAECWK+VTcCtAHaM
BRFzJ6/2zwwT7CMyEZTZ38pq5XGASOsAmOpsDpQM35SbE7du0cqTt1YZbPd9fCoA
rKBPRB0nElWHZxw0dxXrzjnaDSvXu3vj7BTACGuWQPAjELYvlGPXzTn9x5/csXZA
lEaBLtX5hNJD7J3YU/kVxcJUFEcZvegakcBjba5JR5khUFHeaKjgMqswnWAVGKos
Zwtbr8E2ULirfkHAO6I0HvVZ1WvdY44iUSK1nozm/32orHmjbeEJvPJl4EWKxHDo
Yi+yAvkBtwzpgX9v9mDIX9R0ASvHGIRMKCjSNMmMY4ECgYEA99Cit10jvQUKuO3N
iUA+wGre/xB4ZWcoCXnT9kKneBtJDURyVWdHYsbGTLaEz+p+IMh+kuhjSCCB+eZ6
dgDGdYgumRa2O/JbQuJdqylA+ZdFMnIvaJ7IfJOJSoqTLnWpaqLAd0uH2Pf+fjlE
DwPQSNePnfNq1xCE9x5v2KpvveECgYEAwAVQ705gM1UA3EZDN6dm4S8CI3/Sh7R4
gcNT9SjteOaOuh4LSt+R7lceN1HIu7Bven6Zgms5xzb4A6HlQzJsfT18Jw9YSuyG
6cNrzXfeanEj6qmZ45qRUdnvtaF2N/jmlQnmN4EOyawDYLif0ZUHdM3EB+epE8Ag
NybuKI5hgCUCgYEAqX4xTGiPwQBpzQIYyf7+7GwsCRgiwHhFkfWZW51LHYLL/B8M
dA0nbg+2IVHUlMA1dAatS51WCkbxnxJcP8lX85spA9vc2DNy59QbbK3SmuMzmMUw
V8YCKfJevHT7JZOkRCL8sJsgVu2HSp2wRvS8yJVmzQln0aCi0MIojXBE7QECgYBx
gbL6AsZzEYhUrWQGffoemn8VJPX6KgAiFKiIfw0BLqin9CKQu9+zl+PQp5OU/xKm
wjdUFLYuwJuS6hxvwFrJHZNKM5Ppli+Z916+MmFTYlXs3RyOokvMqps8LpmHNKZ4
60UfAjcPl5LXlctDRGkH7qo2UgZsGmHwuB6H8sJH0QKBgQCrdGnuCxiOi1zPu6Ii
ESEbarDy+R/q/aUZgVXIDyZRZ4ce5BIhUslftkhr/T9FDR7KxHcV1wYO6BngLOA3
51HgSNtuILtd7VWBphBVdsJEiH3Q66K2MeIOkWVitQrDuf/g29nIqd/c5Z911f2H
PRST/vdUhCgnw4dbO4uy9+sLEw==
-----END PRIVATE KEY-----
EOF

hostnamectl set-hostname $HOSTNAME.$DOMAIN

IPADDR=$(hostname --ip-address)

echo "$IPADDR $HOSTNAME.$DOMAIN $HOSTNAME" > /etc/hosts

DEBIAN_FRONTEND=noninteractive

echo "deb http://deb.debian.org/debian/ unstable main contrib non-free" > /etc/apt/sources.list
echo "" >> /etc/apt/sources.list
echo "#deb http://ftp.us.debian.org/debian bullseye main contrib non-free" >> /etc/apt/sources.list
echo "##deb http://security.debian.org/ bullseye/updates main contrib non-free" >> /etc/apt/sources.list
echo "#deb http://ftp.us.debian.org/debian bullseye-updates main contrib non-free" >> /etc/apt/sources.list

apt update

echo 'libc6 libraries/restart-without-asking boolean true' | debconf-set-selections
echo 'samba-common samba-common/dhcp boolean false' | debconf-set-selections

DEBIAN_FRONTEND=noninteractive apt -y dist-upgrade

DEBIAN_FRONTEND=noninteractive apt install -y rng-tools ssh ufw vim

echo 'HRNGDEVICE=/dev/urandom' >> /etc/default/rng-tools

#Roughly three minutes to this point...

systemctl enable ssh
systemctl start ssh

systemctl enable ufw
systemctl start ufw

for i in 80 88 389 443 464 636; do ufw allow proto tcp from any to any port $i; done

for i in 88 123 464 123; do ufw allow proto udp from any to any port $i; done

ufw reload

apt install -y debconf-utils tree

echo '[libdefaults]' > /etc/krb5.conf
echo "default_realm = ${DOMAIN^^}" >> /etc/krb5.conf
echo 'kdc_timesync = 1' >> /etc/krb5.conf
echo 'ccache_type = 4' >> /etc/krb5.conf
echo 'forwardable = true' >> /etc/krb5.conf
echo 'proxiable = true' >> /etc/krb5.conf
echo 'fcc-mit-ticketflags = true' >> /etc/krb5.conf
echo '[realms]' >> /etc/krb5.conf
echo "${DOMAIN^^} = {" >> /etc/krb5.conf
echo "kdc = ${HOSTNAME}.${DOMAIN}" >> /etc/krb5.conf
echo "admin_server = ${HOSTNAME}.${DOMAIN}" >> /etc/krb5.conf
echo "default_domain = ${DOMAIN}" >> /etc/krb5.conf
echo '}' >> /etc/krb5.conf
echo '[domain_realm]' >> /etc/krb5.conf
echo ".${DOMAIN} = ${DOMAIN^^}" >> /etc/krb5.conf
echo "${DOMAIN} = ${DOMAIN^^}" >> /etc/krb5.conf

cd /etc
tree > /tmp/etc-tree-before.txt
debconf-get-selections > /tmp/debconf-selections-before.txt

echo "krb5-admin-server krb5-admin-server/newrealm note" | debconf-set-selections

echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
echo "krb5-config krb5-config/add_servers_realm string ${DOMAIN^^}" | debconf-set-selections
echo "krb5-config krb5-config/admin_server string ${HOSTNAME}" | debconf-set-selections
echo "krb5-config krb5-config/default_realm string ${DOMAIN^^}" | debconf-set-selections
echo "krb5-config krb5-config/kerberos_servers string ${HOSTNAME}" | debconf-set-selections
echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections

echo "krb5-kdc krb5-kdc/debconf boolean true" | debconf-set-selections
echo "krb5-kdc krb5-kdc/purge_data_too boolean true" | debconf-set-selections

cd /etc
tree > /tmp/etc-tree-middle.txt
debconf-get-selections > /tmp/debconf-selections-middle.txt

DEBIAN_FRONTEND=noninteractive apt install -y krb5-kdc krb5-admin-server krb5-config softhsm expect

cd /etc
tree > /tmp/etc-tree-between.txt
debconf-get-selections > /tmp/debconf-selections-between.txt

kdb5_util create -s -r ${DOMAIN^^} -P ${KERBEROSPASS}

echo "krb5-admin-server krb5-admin-server/newrealm note" | debconf-set-selections

echo "krb5-config krb5-config/add_servers boolean false" | debconf-set-selections
echo "krb5-config krb5-config/add_servers_realm string ${DOMAIN^^}" | debconf-set-selections
echo "krb5-config krb5-config/admin_server string ${HOSTNAME}" | debconf-set-selections
echo "krb5-config krb5-config/default_realm string ${DOMAIN^^}" | debconf-set-selections
echo "krb5-config krb5-config/kerberos_servers string ${HOSTNAME}" | debconf-set-selections
echo "krb5-config krb5-config/read_conf boolean true" | debconf-set-selections

echo "krb5-kdc krb5-kdc/debconf boolean true" | debconf-set-selections
echo "krb5-kdc krb5-kdc/purge_data_too boolean true" | debconf-set-selections

DEBIAN_FRONTEND=noninteractive apt install -y freeipa-server

ipa-server-install --realm=${DOMAIN^^} --domain=${DOMAIN} --ds-password=${DIRMGRPASS} --admin-password=${ADMINUSERPASS} --hostname=${HOSTNAME}.${DOMAIN} --unattended > /tmp/ipa-install-output.txt

cd /etc
tree > /tmp/etc-tree-after.txt
debconf-get-selections > /tmp/debconf-selections-after.txt

date +%s > /tmp/ipa-installed.txt

expect <(cat <<'EOD'
spawn kinit admin
expect "*:"
send -- "${ADMINUSERPASS}\r"
sleep 1
send -- "\r\n"
EOD
)

ipa-cacert-manage install /etc/ssl/certs/addtrust.root.chain.crt

ipa-certupdate

ipa-cacert-manage install /etc/ssl/certs/usertrust.chain.crt

ipa-certupdate

ipa-cacert-manage install /etc/ssl/certs/sectigo.chain.crt

ipa-certupdate

openssl pkcs12 -export -chain -CAfile /etc/ssl/certs/full.chain.crt -in /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.crt -inkey /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.pkey -name ${HOSTNAME}.${DOMAIN} -out /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.p12 -password pass:${P12CERTPASS}

# Be sure to back up the CA certificates stored in /root/cacert.p12

ipactl restart

ipa-server-certinstall -w -d /etc/ssl/certs/${HOSTNAME}.${DOMAIN}.p12 --pin=${P12CERTPASS} --dirman-password ${DIRMGRPASS}

ipactl restart

date +%s > /tmp/certs-installed.txt

apt remove -y expect debconf-utils tree

apt autoremove -y

# https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/T5AHK6FTTUWVBIDU5HSOYKRIKMWUZ3OH/

Friday, January 3, 2020

JPG Images to MP4 Videos How To

First, I needed to rename my images in a numeric series. The images are named 001.jpg to 523.jpg.

I used some random bash one-liner from stack overflow to rename them in series by date. ...Which I seem to have misplaced.

I eventually cobbled together a sort of working ffmpeg command which you won't need-- but ffmpeg doesn't respect whatever EXIF data there is regarding rotation. To make the actual image match the EXIF data orientation, I used the exiftran command.

exiftran -ai *.jpeg

After getting everything right side up, the video size became the geometry of the first image. My first image was in portrait and the landscape images were stretched to match, unfortunately. I was fortunate that my maximum width and height were 4,032 pixels. To solve this problem I made my images square. I did this with gimp to create a 4,032 x 4,032 black image-- because black bars around the pictures is all fine enough for me. I then used the composite command from the imagemagick library to overlay and center all my images on that black square background saving the new image to a subdirectory. You'll need a square background, you can do it! And then the composite command from imagemagick.

I was lazy and used the Calc spreadsheet.

I gave myself a vertical column with a filename on each line.

ls -1

I put the filenames in column A1.

=CONCAT("composite -gravity center ", A1, " black.jpg square/", A1)

That will yeild a vertical column of commands to cut and paste into the CLI.

composite -gravity center 001.jpg black.jpg square/001.jpg

Now I have a directory full of square images in numeric sequence. FFMPEG time. Change the present working directory to the directory with all your square images. In this case, the square directory.

cd square

ffmpeg -framerate 1/3 -i '%03d.jpg' -vf fps=5 -pix_fmt yuv420p out.mp4

And then I tried the OpenShot video editor which felt slower, but had results I liked better. So there was that. Also, I think it respects EXIF data-- but I had already flipped everything.

Wednesday, September 4, 2019

Just a Nothing Special Gitea with SSH CLI Install

Starting with my default Debian build, I want a local gitea machine for acting as a centralized git repo with a graphical UI available via a web browser and I want it to at least look like I care about security.

The link to the description of my default install:
Debian Buster Ultra Basic Install

Okay, first things first.

If it is orange, this is likely something that will be special and unique to your install, so change the values where necessary.

Prerequisites.

We'll need a few things.

$ sudo apt install -y curl default-jre git golang-go mariadb-client mariadb-server ufw

$ sudo ufw allow dns

$ sudo ufw allow OpenSSH

$ sudo ufw allow 443/tcp


$ sudo systemctl enable ufw

$ sudo systemctl restart ufw


$ sudo systemctl enable mariadb.service

$ sudo systemctl restart mariadb.service

For SSL we will need the SSL certificate and key files. You'll see these again when we write the app.ini file. Adjust the filenames as needed on your part, the names don't matter, they just need to match what is in the app.ini file.

$ sudo cp wildcard-domain.com.* /etc/ssl/certs/

$ sudo chmod 440 /etc/ssl/certs/wildcard-domain.com.*

Bear with me, we are going to imitate the mysql_secure_install database modifications.

$ mysql -uroot -p -e "DROP DATABASE IF EXISTS test;"

$ mysql -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"

$ mysql -uroot -pdb-root-password -e "FLUSH PRIVILEGES";

$ mysql -uroot -pdb-root-password -e "GRANT ALL PRIVILEGES ON *.* TO 'root-user'@'127.0.0.1' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"
$ mysql -uroot -pdb-root-password -e "GRANT ALL PRIVILEGES ON *.* TO 'root-user'@'::1' IDENTIFIED BY 'db-root-password' WITH GRANT OPTION;"

$ mysql -uroot -pdb-root-password -e "DELETE FROM mysql.user WHERE User='';"
$ mysql -uroot -pdb-root-password -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"

$ mysql -uroot -pdb-root-password -e "FLUSH PRIVILEGES;"

$ mysql -uroot-user -pdb-root-password -e "DELETE FROM mysql.user WHERE User='root';"

$ mysql -uroot-user -pdb-root-password -e "CREATE USER 'backup'@'localhost' IDENTIFIED BY 'db-backup-user-password';"
$ mysql -uroot-user -pdb-root-password -e "GRANT SELECT, SHOW VIEW, RELOAD, REPLICATION CLIENT, EVENT, TRIGGER ON *.* TO 'backup-user'@'localhost';"

$ mysql -uroot-user -pdb-root-password -e "FLUSH PRIVILEGES";

$ sudo systemctl restart mariadb.service

Now for the Gitea specific database work we need to complete.
$ mysql -uroot-user -pdb-root-password -e "CREATE DATABASE IF NOT EXISTS gitea CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;"

$ mysql -u"$root-user" -pdb-root-password -e "GRANT ALL ON gitea.* TO 'gitea-user'@'localhost' IDENTIFIED BY 'gitea-db-password';"


$ mysql -uroot-user -pdb-root-password -e "FLUSH PRIVILEGES;"

$ sudo mkdir -p /var/lib/gitea/{custom,data,indexers,log,public}
$ sudo chown -R git:git /var/lib/gitea
$ sudo chmod 750 /var/lib/gitea

$ sudo mkdir /etc/gitea
$ sudo chown root:git /etc/gitea

$ sudo chmod 770 /etc/gitea

$ sudo mkdir /root/gitea

$ cd /tmp

$ sudo curl -o gitea https://dl.gitea.io/gitea/1.9.1/gitea-1.9.1-linux-amd64

$ sudo chmod 550 gitea

$ sudo mv gitea /usr/local/bin/gitea

If we want to avoid the GUI UI to make an app.ini file, we need to provide an app.ini file. Use your favorite editor (nano, vi, emacs...) to put the following configuration into /usr/local/bin/gitea/custom/conf/app.ini .

APP_NAME = PROJECT_NAME
RUN_USER = root
RUN_MODE = prod

[ui]
DEFAULT_THEME = arc-green

[database]
DB_TYPE  = mysql
HOST     = 127.0.0.1:3306
NAME     = gitea
USER     = GITEA_DB_USER
PASSWD   = GITEA_DB_PASSWORD
SSL_MODE = disable
CHARSET  = utf8mb4
PATH     = /usr/local/bin/data/gitea.db

[repository]
ROOT = /root/gitea-repositories

[server]
SSH_DOMAIN       = DOMAIN.COM
DOMAIN           = DOMAIN.COM
HTTP_PORT        = 3000
ROOT_URL         = https://DOMAIN.COM:3000/
DISABLE_SSH      = false
SSH_PORT         = 22
LFS_START_SERVER = false
LFS_CONTENT_PATH = /usr/local/bin/data/lfs
LFS_JWT_SECRET   = GITEA_JWT_SECRET
OFFLINE_MODE     = false
PROTOCOL         = https
CERT_FILE        = /etc/ssl/certs/DOMAIN.COM.crt
KEY_FILE         = /etc/ssl/certs/DOMAIN.COM.key

[mailer]
ENABLED        = true
HOST           = MAILGUN_SMTP_HOST:465
FROM           = GITEA_SYSTEM_EMAIL
USER           = MAILGUN_SMTP_USER
PASSWD         = MAILGUN_SMTP_PASSWORD
IS_TLS_ENABLED = true

[service]
ACTIVE_CODE_LIVE_MINUTES          = 1440
RESET_PASSWD_CODE_LIVE_MINUTES    = 1440
REGISTER_EMAIL_CONFIRM            = true
ENABLE_NOTIFY_MAIL                = true
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
ENABLE_CAPTCHA                    = true
REQUIRE_SIGNIN_VIEW               = true
DEFAULT_KEEP_EMAIL_PRIVATE        = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING       = true
NO_REPLY_ADDRESS                  = noreply

[security]
INTERNAL_TOKEN        = GITEA_INTERNAL_TOKEN
INSTALL_LOCK          = true
SECRET_KEY            = GITEA_SECRET_KEY
LOGIN_REMEMBER_DAYS   = 7
COOKIE_USERNAME       = gitea_awesome
COOKIE_REMEMBER_NAME  = gitea_incredible
MIN_PASSWORD_LENGTH   = 8
IMPORT_LOCAL_PATHS    = false
DISABLE_GIT_HOOKS     = false
PASSWORD_HASH_ALGO    = pbkdf2
CSRF_COOKIE_HTTP_ONLY = true

[picture]
DISABLE_GRAVATAR        = false
ENABLE_FEDERATED_AVATAR = true

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[oauth2]
JWT_SECRET=GITEA_JWT_SECRET

[session]
PROVIDER = file

[log]
MODE      = file
LEVEL     = info
ROOT_PATH = /usr/local/bin/log

We are ready to mimic the last of the install processes kicked off by the GUI install. The benevolent Gitea developers have blessed us with a little script we can run from the command line. Bless you Gitea devs!

$ sudo gitea migrate

Now to create a service to manage Gitea and start it at boot.

$ sudo touch /etc/systemd/system/gitea.service

Use your favorite editor (nano, vi, emacs...) to put the following configuration into /etc/systemd/system/gitea.service .

[Unit]

Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
#Requires=mysql.service
Requires=mariadb.service
#Requires=postgresql.service
#Requires=memcached.service
#Requires=redis.service

[Service]
# Modify these two values and uncomment them if you have
# repos with lots of files and get an HTTP error 500 because
# of that
###
#LimitMEMLOCK=infinity
#LimitNOFILE=65535
RestartSec=2s
Type=simple
User=root
Group=root
ExecStart=/usr/local/bin/gitea web
Restart=always
Environment=USER=root HOME=/root/gitea
# If you want to bind Gitea to a port below 1024 uncomment
# the two values below
###
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
#AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

Lastly, what we do is enable and start the service with the following commands.

$ sudo systemctl enable gitea
$ sudo systemctl daemon-reload
$ sudo systemctl start gitea

That should more or less do it. Navigate to https://domain.com:3000/ to see your handiwork...

(The reason I left my installation listening on port 3000 is because I usually have a whole network reverse proxy running and using the SNI hostname on port 443 to direct the proper web traffic to each host.)


Followers