Admin on iMil.net

IVPN on NetBSD

Sat, 13 Dec 2025 11:05:02 +0100

Last week, the VPN provider I previously used went dark for days and went back with no explanation. They have an history of not communicating much and their support does suck but TBH I almost never used it, nevertheless I felt it was time for a change. I asked on BlueSky for feedback and one of the suggestions caught my eye: IVPN.
They have very good reviews, support WireGuard and an OpenBSD developer worked there. Their documentation is very Linux-centric but very well put, yet -of course- it lacks examples for NetBSD. So here’s a simple way of setting up a WireGuard VPN with IVPN on NetBSD.

LG-43SQ700S-W DPMS Wake

Mon, 16 Sep 2024 00:00:00 +0000

I got myself a brand new 43 inches monitor, it’s amazing, the visual comfort is life changing.
It all worked pretty much immediately except one little annoying thing: 9 times out of 10, when putting the monitor to sleep with xset dpms force off and waking it up by hitting a key, it would not detect the HDMI signal for about the 30 longest seconds ever.

I finally found that if I change from X11 to the console (Ctrl-Alt-F1 then Ctrl-Alt-F7), it would detect the signal instantly. I suspected that a simple resolution change would do the trick, but changing resolution would also mess the windows positions. Fortunately, here’s what xrandr saw:

NSD Slave DNS

Sat, 27 May 2023 09:02:31 +0200

Ok this is possibly the easiest thing on earth but I didn’t see any clear documentation on the topic apart from a simple text file which actually helped.

The server runs into a FreeBSD jail, I won’t cover this part as there are plenty of good documentation on this matter already.

The first step is obviously to install nsd, for example using pkg:

# pkg install nsd

My master DNS server runs BIND so there’s no specifics regarding nsd, here’s the most basic configuration the slave needs:

Generate An Ansible Report By Updating A Variable

Sat, 29 Oct 2022 22:41:26 +0200

At $(DAYJOB) I was asked to generate some kind of daily report, and I thought ansible would do the job; we basically want to have a couple of key metrics like load average, memory, disk… you see the deal. The result is to be send to MatterMost using mattermost’s ansible module.

It took me way too much time to understand how to update a single variable in order to build a mardown table that would be sent as a single request to the MatterMost server, until neith_speed told me to use hostvars in order to have access to the data gathered by the play for every host.

Using Kibana API as an Elasticsearch Proxy

Fri, 26 Aug 2022 07:44:15 +0200

While searching for an elasticsearch tail -f, I stumble upon this nice piece of software that does exactly that. Reading the configuration file I noticed the server_kibana-proxy section and wondered if that meant that elasticsearch could be queried via kibana, and it turns out that yes, you don’t have to expose ES port (:9200), you can use kibana’s API instead, in particular the console API to be able to query ES directly.

Build a Single in Tree Linux Kernel Module (Debian & Clones)

Sun, 21 Aug 2022 20:43:27 +0200

How misleading and complicated this task should be that I’m writing such an article in 2022?
Anyway, if you struggle compiling a simple, standalone Linux kernel module on Debian, Ubuntu, Mint and the like, here’s the recipe:

Fetch linux-source-<version> and linux-headers-<version>

$ sudo apt install linux-source-5.4.0 linux-headers-$(uname -r)

Do not use apt-get source linux-source-<version>, only pain will you find.

Untar the fetched archive where you’d like

$ tar jxvf /usr/src/linux-source-5.4.0.tar.bz2

Copy your current kernel configuration

$ cd linux-source-5.4.0
$ cp /boot/config-$(uname -r) .config

Prepare the build environment

$ make oldconfig scripts prepare modules_prepare

Copy current kernel exported symbols file

$ cp /usr/src/linux-headers-$(uname -r)/Module.symvers .

Build the module you need

$ make -C . M=arch/x86/kvm

Test it

$ sudo insmod arch/x86/kvm/kvm-intel.ko

Eventually backup the current loaded module (modinfo <module>), replace it with your freshly built one and don’t forget to depmod -a.

Cleaner micro Kubernetes on OSX

Mon, 04 Feb 2019 15:41:17 +0000

While my main workstation is a Linux Mint machine, I occasionally use my OSX ${WORK} laptop for traveling and composing. I’m not really fond of the OS, but at least it’s an UNIX-like, and pkgin runs well with it ;)
When I’m “on the go”, I like to try things and play along with technologies I’m currently obsessed with, among them Kubernetes.
On OSX, the natural choice is to go with minikube, it’s kind of integrated and does the job well, but if you tried it already and also happen to run docker for OSX you might have found yourself struggling with versions and consistency between the two. Added to this that I wanted to have a fully functional Linux virtual machine, preferably Debian GNU/Linux, there was way too much inconsistencies and wasted disk and CPU space to come. So I dug by myself and found a clean and fast solution by spawning my own virtual machine using OSX native hypervisor, which runs Canonical’s microk8s, a nicely done snap package to install a fully working and modular Kubernetes cluster on a Linux machine.

An Elasticsearch from the past

Mon, 19 Nov 2018 14:47:32 +0000

Here’s a procedure I came up with in order to migrate an elasticsearch 1.1 database to version 6 (actually 6.4 but probably any 6.x version).

Fire up a temporary elasticsearch version 1.1

Fetch the tar.gz version from https://www.elastic.co/downloads/past-releases/filebeat-1-1-2 and untar it.

Use the following basic configuration file

$ egrep -v '^[[:space:]]*(#|$)' ~/tmp/elasticsearch-1.1.2/config/elasticsearch.yml 
http.port: 9202
transport.tcp.port: 9302
path.conf: /home/imil/tmp/elasticsearch-1.1.2/config
path.data: /var/db/elasticsearch

Note that I changed the standard ports to $((standard_port + 2)).

From the untarred directory, lauch elasticsearch

OpenVPN routes dynamic NATting

Sat, 10 Nov 2018 08:50:25 +0000

Assume the following scenario: your {Open,Free}BSD pf-enabled (yes, I know what’s missing and it’s a pity, I am well aware of it) gateway connects to an OpenVPN server. This server pushes a couple of routes to your gateway that you’d like to be able to reach from within your own private network. As routers on the other end don’t have routes to your network(s), mandatory NAT is to be configured, but let’s also assume those routes are subject to change, and there’s more than a couple of them, some kind of dynamic rule adding should be considered.

Kubernetes under my desk

Tue, 16 Oct 2018 14:52:05 +0000

I’m diving into Kubernetes for a couple of months now. Discovering the possibilities and philosophy behind the hype definitely changed my mind. Yes, it is huge (in every sense ;) ) and it does change the way we, ex-sysops / ops / syasdmins do our work. Not tomorrow, not soon, now.

I’ve had my hands on various managed kubernetes clusters like GKE (Google Container Engine), EKS (AWS Elastic Container Service) or the more humble minikube but I’m not happy when I don’t understand what a technology is made of. So I googled and googled (yeah sorry Qwant and duckduckgo I needed actual answers), until I found >many >incredibly >useful resources.

date over HTTP

Sat, 05 May 2018 19:03:11 +0000

I always manage to get myself into weird issues… I have this (pretty old) wrt54g router that works well with dd-wrt v3.0-r34311 vpn release. This router is installed in an apartment intended for rental where I happen to crash every now and then. It connects to an OpenVPN hub of mine so I can monit it and be sure guests renting the apartment have working Internet access.

The apartment is located on a small mountain and electricity is not exactly stable, from times to times power goes down and comes back up. And I noticed the openvpn link sometimes fails to reconnect.

Fetch RSVPs from Meetup for further processing

Mon, 23 Apr 2018 06:26:45 +0000

I’m running a couple of demos on how and why to use AWS Athena on a Meetup event tonight here at my hometown of Valencia. Before you start arguing about AWS services being closed source, note that Athena is “just” an hosted version of Apache Hive. Like pretty much every AWS service is a hosted version of a famous FOSS project.
One of the demos is about fetching the RSVP list and process it from a JSON source to a basic \t separated text file to be further read by Athena.
First thing is to get your Meetup API key in order to interact with Meetup’s API. Once done, you can proceed using, for example, curl:

Running Debian from an USB stick on a MacBook Pro

Fri, 04 Aug 2017 12:53:12 +0000

Yeah well, it happened. In my last post I was excited to get back to a BSD UNIX (FreeBSD) for my laptop, I thought I had fought the worse when rebuilding kernel and world in order to have a working DRM module for the Intel Iris 6100 that is bundled with this MacBook Pro generation. But I was wrong. None of the BSDs around had support for the BCM43602 chip that provides WiFi to the laptop. What’s the point of a laptop without WiFi…

Running FreeBSD from an USB stick on a MacBook Pro

Mon, 31 Jul 2017 16:03:14 +0000

It is possible to run FreeBSD on a MacBook Pro from an USB drive. To achieve this, we will first prepare the USB drive from a GNU/Linux machine and make it UEFI friendly:

# apt-get install parted
# parted /dev/sdc
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MiB 513MiB
(parted) set 1 boot on
(parted) quit

From there, install FreeBSD as you would for exmaple using the kvm virtual machine hypervisor on the GNU/Linux machine. Answer “yes” when the installer suggests to create a freebsd-boot partition.

Launch the AWS Console from the CLI or a mobile phone

Sat, 20 May 2017 15:48:47 +0000

At ${DAYJOB} I happen to manipulate quite a few AWS accounts for different customers, and I find it really annoying to log out from one web console, to log into a new one, with the right credentials, account ids and MFA.

Here you can read a good blog post on how to enable cross account access for third parties and use a basic script to open a web browser to switch from one account to the other.
I liked this idea so I pushed it a bit further and wrote this small piece of code which allows you not only to switch accounts, but also to simply open any AWS account from the command line.

Tricking bash HISTTIMEFORMAT

Sun, 30 Apr 2017 14:51:22 +0000

While trying to find a clean method to remove line numbers from the history command, I found an interesting trick by using the HISTTIMEFORMAT environment variable. Here’s what bash’s man says:

       HISTTIMEFORMAT
              If  this  variable  is  set and not null, its value is used as a
              format string for strftime(3) to print the time stamp associated
              with  each  history  entry displayed by the history builtin.  If
              this variable is set, time stamps are  written  to  the  history
              file  so they may be preserved across shell sessions.  This uses
              the history comment character  to  distinguish  timestamps  from
              other history lines.

But it turns out you can actually put pretty much anything in there, and for example, an ANSI escape sequence that does a line feed and erases the current line:

Extract data-bits from your Jenkins jobs

Sun, 26 Mar 2017 10:44:50 +0000

Another quicky.

I read here that cool trick to convert HTML entities to plain text:

alias htmldecode="perl -MHTML::Entities -pe 'decode_entities(\$_)'"

In a Debian based system, this suppose to apt-get install libhtml-parser-perl. Why bother you may ask? Well because the (awful) Jenkins-cli outputs text areas content in encoded HTML entities, and for example I like the idea of being able to test a standalone packer template that’s failing.

Finally, here’s the full usecase:

Ansible playbook with packer in Jenkins

Sat, 25 Mar 2017 12:23:18 +0000

Quick one.

While working on a build chain in order to register home-baked AMIs, I wanted to use the ansible-local packer provisioner to setup the instance with a very basic playbook. I needed to provide ansible a playbook but didn’t find immediately how to achieve this within the Jenkins-packer module. Turns out it’s tricky, in the JSON Template Text (or the template file), declare the playbook_file like this:

  [{
    "type": "ansible-local",
    "playbook_file": "{{ user `test_yml` }}",
    "command": "PYTHONUNBUFFERED=1 ansible-playbook"
  }]

Then in the File Entries field, the Variable Name must be test_yml and File Contents filled with the playbook.

30 python lines Dynamic DNS

Mon, 20 Feb 2017 09:00:11 +0000

Here in Spain, I chose Movistar as my Internet provider, I must say I’m pretty happy with it, symmetric 300Mbps fiber optics and good service. The only annoying aspect is that they do not provide static IP for free, something I was used to and was very convenient.

In order to reach my network from places where I can’t connect to my VPN, I wrote a very simple Dynamic DNS system using dnspython, and it turned out to be fairly easy.

CPU temperature collectd report on NetBSD

Sun, 22 Jan 2017 12:09:00 +0000

pkgsrc’s collectd does not support the thermal plugin, so in order to publish thermal information I had to use the exec plugin:

LoadPlugin exec
# more plugins

<Plugin exec>
        Exec "nobody:nogroup" "/home/imil/bin/temp.sh"
</Plugin>

And write this simple script that reads CPUs temperature from NetBSD’s envstat command:

$ cat bin/temp.sh 
#!/bin/sh

hostname=$(hostname)
interval=10

while :
do
        envstat|awk '/cpu[0-9]/ {printf "%s %s\n",$1,$3}'|while read c t
        do
                echo "PUTVAL ${hostname}/temperature/temperature-zone${c#cpu} interval=${interval} N:${t%%.*}"
        done
        sleep ${interval}
done

I then send those values to an influxdb server:

Ansible and AWS ASG, a (really) dynamic inventory

Fri, 05 Aug 2016 14:07:00 +0000

I found myself searching ridiculously too long to achieve what I believed was a simple task: to apply an Ansible role to newly created instances… started by an Auto Scaling Group. If you’re used to Ansible you know that it relies on an inventory to apply a playbook, but obviously, when you’re firing up EC2 instances with the same playbook, you are not able to know what will be your virtual machines IP addresses, nor can ec2.py, the recommended method to deal with dynamic inventories.

Run CoreOS on FreeBSD's bhyve

Tue, 21 Jun 2016 21:00:17 +0000

No, I’m not following the hype, only I like to test things plus I feel there will be a growing demand for docker at ${DAYWORK}. I read here and there that CoreOS was the Linux distribution of choice to play with docker, so while at it, I picked up this one to dive into the container world. Finally, I’ve been willing to put my hands on bhyve for quite a while, so I took this opportunity to learn all those new (to me) technologies at once.

Migrate FreeBSD root on UFS to ZFS

Thu, 28 Apr 2016 17:24:17 +0000

At ${DAYJOB} I’m using a FreeBSD workstation for quite a while. Everything goes smoothly except for the filesystem. When I first installed it, I chose UFS because FreeBSD installer said that root-on-ZFS was “experimental”. I later learned that nobody uses UFS anymore and that root-on-ZFS is perfectly stable. Thing is, I chose UFS and I deeply regret it. Not because of ZFS’s features that absolutely do not matter for me on the desktop, but because FreeBSD implementation of UFS is terribly, terribly slow when it comes to manipulate big files. When I say slow, I mean that pkg upgrade tends to FREEZE the entire machine while extracting archives. That slow. And before you ask, yes, there’s been a lot of tuning on that side.

Letsencrypt friendly nginx configuration

Sat, 12 Mar 2016 09:19:25 +0000

So I use this great cheat sheet in order to use letsencrypt free Certificate authority on my own servers, but while this small doc is very straightforward it doesn’t explain much about nginx’s configuration. So I’ll drop my own right here so your journey through TLS is even simpler:

$ cat /usr/pkg/etc/nginx/nginx.conf

# this nginx installation comes from pkgsrc for both Linux and NetBSD
# you might have to adapt paths to suit your needs... or switch to pkgsrc ;)

user   nginx  nginx;
worker_processes  2;

events {
    worker_connections  1024;
}

http {
    include       /usr/pkg/etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # a little bit of browser leverage doesn't hurt :)
    gzip  on;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    gzip_proxied any;

    server {
        # serve boths IPv4 and IPv6 FWIW
        listen       [::]:80;
        listen       80;

        server_name  localhost example.com *.example.com;

        # this is where letsencrypt will drop the callenge
        location /.well-known/acme-challenge {
                default_type "text/plain";
                root /var/www/letsencrypt;
        }

        # redirect everything else to HTTPS
        location / { return 302 https://$host$request_uri; }
    }

    server {
        listen       [::]:443 ssl;
        listen       443 ssl;

        # you'll have to declare those domains accordingly in letsencrypt conf
        server_name  localhost example.com *.example.com;

        # here lies letsencrypt PEM files
        ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;

        # harden used protocols a little
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers  on;

        # and then include actual locations
        include sites/*;
    }
}

A very basic proxy_pass location would be:

5 minutes collectd + facette setup

Wed, 09 Mar 2016 13:19:46 +0000

I recently added a fantastic graphing tool named facette to pkgsrc. Facette knows how to pull data sources from various backends, and among them, the famous collectd.

In this article, we will see how to setup both on NetBSD but keep in mind it should also work for any platform supported by pkgsrc.

First up, collectd installation. It can be done either with pkgin (binary installation) or pkgsrc (source installation):

with pkgin

$ sudo pkgin in collectd collectd-rrdtool

with pkgsrc

 $ cd /usr/pkgsrc/sysutils/collectd
 $ sudo make install clean
 $ cd ../collectd-rrdtool
 $ sudo make install clean

Tune up a minimal collectd configuration

Simpler postfix + dspam

Wed, 02 Mar 2016 15:52:03 +0000

I have read a shitload of overcomplicated setups to bring up a postfix / dspam SMTP + antispam server, and finally came to a much lighter and simpler configuration by basically reading documentation and real life examples. Note this is suitable for a personnal and basic environment, no database, no virtual setup. Basic stuff.

The target system is NetBSD but this short doc should apply to pretty much any UNIX / Linux.

Start pkgsrc's nginx with systemd

Sun, 28 Feb 2016 08:17:20 +0000

Not so long ago, I wrote about using pkgsrc on Debian GNU/Linux, and assumed you’d start an installed service using rc.d. When I setup the new iMil.net server, I decided to give a try to kvm as it is easier to maintain, has good performances (sometimes better than Xen), nice administration tools, plus NetBSD now has a good VirtIO driver but no PVHVM support yet.

The first thing I do when setting up a Debian Jessie server is getting rid of systemd, whose philosophy and quality don’t match my personnal taste; but in that case, I wanted to use libvirtd so I could manage my virtual machines with virt-manager, and as a matter of fact, libvirtd has a hard dependency on systemd. There was no escape this time, I had to learn and use it.

NetBSD/amd64 7.0 on kvm

Fri, 29 Jan 2016 11:04:30 +0000

If you recently tried to install NetBSD 7.0 using Linux KVM you might have encountered the following failure:

This bug have been recently fixed on the 7-branch but the official ISO images are not yet updated, so you’ll have to use NetBSD daily builds mini-ISO which includes Christos fix to bus_dma.c

For the record, here’s the virt-install command I use:

sudo virt-install
    --virt-type kvm
    --name korriban
    --ram 4096 --disk path=/dev/vms/korriban,bus=virtio
    --vcpus 2
    --network bridge:br0,model=virtio
    --graphics vnc
    --accelerate
    --noautoconsole
    --cdrom /home/imil/iso/boot.iso
    --cpu host

Performances are really good, the host is a Debian GNU/Linux 8.0 amd64 running on Online’s Dedibox Classic 2015.

t'es trop VIP

Mon, 28 May 2007 22:44:54 +0000

waiii alors j’entend d’ici “haooon iMil il a cedé aux sirènes du web deux-zero toussaaaa, vla qu’il fait dla CSS et du PHP”. Bon ok ouais chu un peu tombé dans le hype-fashion, mais avouez, le ptit “Tags cloud” là, c’est pas convivial tout plein ? Pour réaliser cette petite mignonnerie, j’ai été piocher ici, et pour réparer l’import de categories-toutes pas-fashion en Tags, il faut suivre ce que dit le monsieur ici. Le cas échéant, on se mange un joli :

you must unLEaaarn what ou have leaaarned

Mon, 09 Apr 2007 03:29:44 +0000

alors voila, pardon. Y’a -fiou- 2 ans, je bavais comme un vilain sur dspam, et là, là, eh bah je m’incline. In-cro-yable efficacité, je lui ai fait bouffer un millier de hams, un millier de spams, et pouf, le vla-t-y pas qu’il me catche un bon 96% de saloperies. Alors attention, c’est sur mon kimloli, c’est du perso, c’est pas mutualisé pour deux sous. Mais intégration à sendmail les doigts dans le nez (+ procmail):

merde, j'ai pas de backup...

Sat, 24 Mar 2007 16:28:15 +0000

Combien de fois cette phrase a retenti dans vos esprits imprudents ? dans mon esprit imprudent à moi, plein. Alors, comme je viens de toper un kimloli sur les conseils de mon bouquetin favori, je me suis dit que, pour une fois, j’y collerais bien une procedure de backup propre.

J’ai déjà parlé et probablement pasté ici même un petit script gentil qui, grâce au couple rsync / rsyncd, permettait de rendre cette opération relativement rapide assez simplement. J’y ai apporté quelques modifs et enrobé le tout d’un chouillat de sécu. Un chouillat j’ai dit, trépigne pas spoty.

Xen vs b44

Sat, 10 Feb 2007 17:50:41 +0000

Après moult heures passées à backporter des bouts de Xen 3.0.4 vers Xen 3.0.3 pour essayer de garder un peu de cohérence dans mon packaging, j’ai fini par choisir la solution de facilité et récupérer Xen 3.0.4 chez XenSource. Eh-bin-ça-marche. Enfin cette saloperie de broadcom 4400 daigne faire transiter des lutins magiques depuis un dom0. Bon leur quenelle est en 2.6.16, le boot est un peu chaotique, mais j’ai du link convivial.

LVM, Xen et snapshots

Fri, 26 Jan 2007 17:32:03 +0000

Alors que j’étais plein d’entrain et que je m’apprétais à utiliser les snapshots LVM avec mon Xen, je lance, confiant, un

et je me mange un

Je cherche donc un peu, et je tombe sur ça http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=343671#msg20 Je m’empresse donc d’éditer le-dit udev-rules, comme mentionné dans le ticket, pis ça marche.

rhaaa mais arrête de kiffer t'en fous partouuuut

Sat, 20 Jan 2007 15:40:42 +0000

Je pouvais evidemment pas résister à transformer tatooine, ma ws ubuntu, en convi-Xen0. Muni d’une carte graphique à base de chipset nvidia, j’avais lu de-ci de-la qu’il existait des patches pour faire fonctionner les drivers du malin sur un domaine 0.Voici donc les quelques liens sur lesquels je me suis basé ainsi que quelques confs

. Procédure de chez OpenSUSE pour patcher les-dits drivers

Perso, j’ai pas litteralement suivi la procédure, après patchage, j’ai simplement executé nvidia-installer, présent à la racine de l’archive NVIDIA-Linux-x86-1.0-9631-pkg1.

MOI GNAIME PAS ÇA TOUS LES GNAGROUTS

Mon, 08 Jan 2007 18:57:25 +0000

Si ton Xen t’insulte tout plein avec des phrases du genre :

Pas de panique ami lutin, le pauvre Xen n’a juste tout plus de devices loopback à disposition. Rend leur heureux, et agrémente ton /etc/modprobe.conf de cette petite ligne magique :

Et tu pourras xm create tout plein de domaines supplémentaires.