Custom WiFi enabled nightlight with ESPHome and Home Assistant

I built this custom night light for my kids as a fun little project. It’s pretty easy so thought someone else might be inspired to do something similar.

Custom WiFi connected nightlight

Hardware

The core hardware is just an ESP8266 module and an Adafruit NeoPixel Ring. I also bought a 240V bunker light and took the guts out to use as the housing, as it looked nice and had a diffuser (you could pick anything that you like).


OwnTracks recorder in a container on Fedora with Let’s Encrypt and nginx

OwnTracks Recorder is a web application which maps locations over time. Generally it connects to an MQTT server and subscribes to owntracks/+ topics for location updates, but it also has a built-in endpoint for receiving updates over HTTP.

I have been using OwnTracks with MQTT for a while, but found it too unreliable on Android (it disconnects in the background and doesn’t reconnect nicely). Using HTTP is supposed to be more reliable, so this is how I set it up. The idea is to have OwnTracks on Android post directly to the OwnTracks Recorder over HTTP instead of MQTT, and have Recorder publish the MQTT messages on our behalf using Lua scripts (for Home Assistant).

Friends is an important feature (it lets members of the family see where each other are located) and fortunately it is supported in HTTP mode, although it needs a little more configuration.


Securing Linux with Ansible

The Ansible Hardening role from the OpenStack project is a great way to secure Linux boxes in a reliable, repeatable and customisable manner.

It was created by a former colleague of mine, Major Hayden, and while it was spun out of OpenStack it can be applied generally to a number of the major Linux distros (including Fedora, RHEL, CentOS, Debian and SUSE).

The role is based on the Security Technical Implementation Guide (STIG) for RHEL, published by the United States Defense Information Systems Agency, which provides recommendations on how best to secure a host and the services it runs. Each finding in the STIG is rated by severity: category one for findings whose exploitation directly compromises the system, two for medium and three for low. This is similar to the Information Security Manual (ISM) we have in Australia, although the STIG is more explicit.


Manage and tweak Fedora with Ansible (and apply Korora settings by default)

Korora Project is a Linux distro I created over 13 years ago, which (since 2010) takes Fedora and applies dozens of tweaks in an effort to make it more usable “out of the box” for every day users.

Even with one or two others helping, it has been a lot of work so I’ve taken a break from the project for the last year to focus on other things. There has been no release of Korora since and so lately I’ve been running stock Fedora 29 Workstation (GNOME) on my laptop.

I enjoy the Korora defaults though and given that my family also runs Korora, I wanted a way to be able to move them to stock Fedora while keeping the same packages as well as the look and feel.

So, I created a Korora Ansible Role (it’s also on Ansible Galaxy) to apply the same Korora tweaks for stock Fedora Workstation (GNOME) plus an example playbook which uses it.

I tried to make it flexible by using variables so that users can change default package lists and settings for each machine, as required.

Running it on your local machine is pretty trivial, there’s a shell script with a sample inventory for localhost.


Resurrect Nexus 4 with red light of death by using wireless charger

I should have posted this ages ago. There is a well known problem which may affect Nexus 4 devices where it powers off and won’t power on again. When you plug it into the USB charger you get a solid red light and it never recovers.

If you search for the problem the main advice is to return the phone for a factory fix, however there’s an easier trick that’s worked for me; using a wireless charger.

Every time I’ve had this problem (on a few different Nexus 4 phones) I’ve been able to bring the phone back by sitting it on my Nexus wireless charger for a few minutes, then pressing the power button and it springs to life.

After that, you can charge and use the phone as normal. I am writing this now because I was reminded after using this trick to fix a friend’s phone tonight (he’d been googling the problem for a while with no luck).

Maybe someone still has one in their bottom drawer and can make use of it again by using this trick!

Playing with Ubuntu Touch on Nexus 4

I figured it was time to re-visit Ubuntu Touch on my Nexus 4 and see how it was going.

I was already running stock Lollipop and just kicked up the Ubuntu 14.10 GNOME live image under KVM on my Korora 21 laptop and passed the USB device through.

Following the instructions was really easy to get it going. Actually it was just one command and I was soon booting into Ubuntu, so that was quite impressive.

It booted up and asked me the usual things, connected to Wifi, etc. The interface is still the same as it was last time I checked, unsurprisingly, however it seems to work much better now. The animations are smooth and it’s quite clean looking. The Apps screen is easy to follow and you can easily filter by app group.

Apps


Creating a DMZ in OpenWRT

In computing, a DMZ (demilitarized zone) is a separate network segment that keeps hosts exposed to untrusted traffic away from the trusted internal network. One of the most common uses is hosting a publicly accessible server (such as a web server) on a home or office Internet connection: the server sits in the DMZ and can be reached from the Internet, but it cannot initiate connections into the trusted network, so compromising the server does not hand an attacker the rest of the LAN.

OpenWRT probably needs no introduction, the brilliant open source and community driven Linux based embedded router stack. I run it on my Netgear WNDR3800.

Netgear WNDR3800 running OpenWRT

I have an ODROID-U3 (little ARM box) running Fedora, which runs a web server. This is what I want to make publicly available in my DMZ.

So, how to create a DMZ in OpenWRT? Some commercial routers have a single button “make a DMZ” and everything is handled behind the scenes for you. Not so with OpenWRT; it’s powerful, transparent, and only does what you tell it to, so we have to create it manually.

TRIM on LVM on LUKS on SSD

Update 2: systemd now supports enabling TRIM on LUKS volumes by passing rd.luks.options=discard on the kernel command line and rebuilding the GRUB config.
Update: The latest versions of Fedora now support the discard option in crypttab rather than allow-discards.

I have an (unfortunately too small) Samsung 840 Pro in my laptop and it’s been a long time since I’ve re-installed (no time for Korora for months) and I’ve noticed it getting a little sluggish. Most noticeable is long pauses while the drive goes nuts. I figured it was probably time to get some TRIM action on the drive, something I never bothered with before because I didn’t really care.

My setup is reasonably common, I imagine. I have a regular old boot partition and a second encrypted partition which is used as a physical volume for LVM, hence every LV on it is automatically encrypted. If you’re using encryption there is a trade-off to be aware of: once discards pass through the crypto layer, trimmed blocks read back as zeros, so anyone with the raw disk can see which blocks are in use and which are free, which leaks roughly how full the volume is and can reveal the filesystem type. For me the encryption is just there to make it harder for someone to get my data if I lose the laptop or it’s stolen, so that’s an acceptable trade-off.

Filesystem
First things first, the file system needs to support TRIM (ext4 does). There are two ways to issue it: the discard mount option makes the filesystem send a TRIM every time it frees an extent (online discard), while fstrim trims all free space in one batch and does not need the mount option. If you’re using Fedora 18 you may have to edit your /etc/fstab and add the discard mount option to any partition you want trimmed online:
/dev/sda1 /boot ext4 defaults,discard 1 2

Under Fedora 19, my non-encrypted, non-lvm /boot partition works with fstrim out of the box (I didn’t have to set the discard mount option), so that’s good.

chris@localhost ~ $ sudo fstrim -v /boot
[sudo] password for chris:
/boot: 407 MiB (426762240 bytes) trimmed

With my / and /home partitions however it’s a different story, I get this:
chris@localhost ~ $ sudo fstrim -v /home
fstrim: /home: FITRIM ioctl failed: Operation not supported

So the problem is that somewhere along the way the discard commands aren’t reaching the device.

There are four layers here: filesystem, LVM, LUKS and the block device. I know it’s not the first or the last, so that leaves LVM and LUKS. Thanks to this post, it was pretty easy to enable on the latter two.

LVM
I edited the /etc/lvm/lvm.conf file and enabled the issue_discards option:
issue_discards = 1

Note that issue_discards only controls whether LVM itself discards extents it frees (lvremove, lvreduce and so on); discards coming from a filesystem pass straight through a linear LV regardless, so this isn’t strictly needed for fstrim, but it’s harmless and keeps freed extents trimmed too.

LUKS
Now ensure that discards pass through the crypto layer by adding the allow-discards option to /etc/crypttab:
luks-blah-blah-blah UUID=blah-blah-blah none allow-discards

Note: Thanks to chesty for pointing out that on Debian and other distros the format of that file and discards option may be different. Check man crypttab for the right option, but it may be something like this:
luks-blah-blah-blah UUID=blah-blah-blah none luks,discard

Initramfs
OK, so the config files are in place. Now, as both of these configs are included in the initramfs, it’s time to rebuild it:
chris@localhost ~ $ sudo dracut --force

Note: For Fedora 18 I had to tell dracut to include the crypttab file, as per this bug report.
chris@localhost ~ $ sudo dracut --force -I /etc/crypttab

Note2: Again, on Debian updating initramfs is different, try the update-initramfs command.

You can confirm that crypttab is in the initramfs with:
chris@localhost ~ $ sudo lsinitrd |grep crypttab
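
As an added example that is not part of the original post, here is a small POSIX shell script that checks the same three things from the outside without guessing: which layer in the `lsblk -D` listing is the first to report a DISC-MAX of 0B (that is where discards stop, and it explains the "FITRIM ioctl failed" error above), whether the opened dm-crypt mapping actually carries the allow_discards flag in its `dmsetup table` output, and whether the options field of a crypttab line has either spelling of the discard option. The device names, UUIDs and the listing embedded in it are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): find where in the
# filesystem -> LVM -> LUKS -> disk stack discards stop, using the same
# information that `lsblk -D`, `dmsetup table` and /etc/crypttab provide.
# All sample data below is constructed for illustration.

# Constructed `lsblk -Dl -o NAME,TYPE,DISC-GRAN,DISC-MAX` output for a LUKS
# volume opened WITHOUT discards: the crypt layer and every device stacked
# on top of it report DISC-MAX 0B, so fstrim on / or /home fails.
SAMPLE_LSBLK='NAME        TYPE  DISC-GRAN DISC-MAX
sda         disk  512B      2G
sda1        part  512B      2G
sda2        part  512B      2G
luks-1234   crypt 0B        0B
fedora-root lvm   0B        0B
fedora-home lvm   0B        0B'

# Print the first device in the listing whose DISC-MAX is 0B: that is the
# layer blocking discards. Empty output means every layer passes them on.
first_discard_blocker() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0B" { print $1; exit }'
}

# Return 0 if a `dmsetup table <name>` line for a crypt target carries the
# allow_discards flag. Table format (key masked unless --showkeys is used):
#   start len crypt cipher key iv_offset device offset [nopts opt...]
crypt_allows_discards() {
    case "$1" in
        *" crypt "*" allow_discards"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the options field (4th column) of a crypttab line enables
# discards, accepting both spellings: allow-discards (older Fedora) and discard.
crypttab_has_discard() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in
        *,discard,*|*,allow-discards,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed inputs. On a real system feed it the output of:
#   lsblk -Dl -o NAME,TYPE,DISC-GRAN,DISC-MAX
#   dmsetup table luks-<uuid>
#   grep '^luks-' /etc/crypttab
blocker=$(first_discard_blocker "$SAMPLE_LSBLK")
if [ -n "$blocker" ]; then
    echo "discards stop at: $blocker"
else
    echo "discards reach the disk from every layer"
fi

for table in "0 1000 crypt aes-xts-plain64 00000000 0 8:2 4096 1 allow_discards" \
             "0 1000 crypt aes-xts-plain64 00000000 0 8:2 4096"; do
    if crypt_allows_discards "$table"; then
        echo "dm table: discards allowed"
    else
        echo "dm table: discards NOT allowed (fix crypttab, rebuild initramfs, reboot)"
    fi
done

if crypttab_has_discard "luks-1234 UUID=1234 none luks,discard"; then
    echo "crypttab: discard option present"
else
    echo "crypttab: discard option missing"
fi
```

The DISC-MAX check is the quickest one to run after a reboot: if the crypt device still shows 0B, the option never made it into the initramfs (or the mapping was opened before crypttab was read), and no amount of editing lvm.conf will help.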

Test
After a reboot, I can test out fstrim again, which now works! (By the way, it’s fast.)
chris@localhost ~ $ time sudo fstrim -v /home
/home: 332.6 MiB (348778496 bytes) trimmed
 
real 0m0.194s
user 0m0.007s
sys 0m0.015s

Cron it
Finally, run it from cron and enjoy the benefits. The script in /etc/cron.hourly needs a shebang and the executable bit, otherwise run-parts will skip it. (Hourly is more than most drives need; util-linux now ships an fstrim.service with a weekly fstrim.timer, and fstrim -a trims every mounted filesystem that supports it.)
root@localhost ~ # printf '#!/bin/sh\nfstrim /\nfstrim /home\nfstrim /boot\n' > /etc/cron.hourly/fstrim
root@localhost ~ # chmod 755 /etc/cron.hourly/fstrim

ricci and libvirt with luci = error

If you’re setting up a cluster on RHEL with ricci and the machine is also a virtual host, you might have problems adding it to the cluster in luci (even though everything looks good – firewall is open and you can communicate on the port).

The error is something like:
unable to receive header from server on 11111

This is because the server is looking for a .libvirt configuration directory in the ricci user’s home (/var/lib/ricci), but it doesn’t exist. Simply log onto the node and create it as root, owned by ricci:
mkdir /var/lib/ricci/.libvirt
chown ricci:ricci /var/lib/ricci/.libvirt

Now you can successfully add the node to the cluster using luci.

-c