Alternate test

This was written with GitHuber

These are custom PC-based firewalls running OPNsense, an open-source firewall distribution. They are deployed at BCARS sites, connected to Crowsnest, and provide firewall and routing services to the rest of the site.


Specs

Micro ITX PC, EMB-CV1 motherboard
12V/5A DC power supply
Intel Atom D2550 1.86 GHz
8 GB DDR3 RAM
64 GB mSATA SSD

GMRS is pretty cheap and easy

I got myself a GMRS license 2 years ago. They are $80 for 5 years, and they allow an entire "immediate" family to use it. That's spouse, children, parents, in-laws. I thought I was going to play around with some GMRS repeater/text data modes, but never did.

Fast forward to more recently. I picked up a 4-pack of Baofeng BF-888S radios. These go for about $13 apiece, or $42 for a 4-pack. They're 2-watt, channelized (16 channel) radios. Program them with a computer; dead simple for others to use. I gave one to my wife's sister who lives 2 miles down the road. She can talk crystal clear to my son from inside her house. I drove around town with one and was able to talk to my son as well.

Adding a frequency list to the back is good if you want to talk to someone else.

FRS is limited to specific radios and 1/2 watt. These BF-888S radios are NOT FRS compliant. GMRS allows 5W on FRS shared frequencies and 50 watts on dedicated ones. Amateur radio requires a control operator to be physically near the radio. With today's cheap radios, you can get high powered FRS radios, or use MURS frequencies, or find some off-the-books frequencies: there is lots of space between the FRS channels, and there are some old air-to-ground cellular frequencies that have been phased out. No one is monitoring, and even at 5W you're not going to bother anyone enough to draw enforcement. However, GMRS is probably the cheapest and easiest way to get long range legal communications going for a family (or small business). In my case, considering 4 people will be using it, it comes to $4/user/year. We could even put a repeater on the roof, or some higher powered vehicle antennas if desired. We probably won't, because the whole goal is to replace my son's (now dead) walkie talkies with something that really works. The fact that he can talk to his Aunt down the road is a big bonus.

I browse pornhub for the articles. Not only is this an interesting article on the drop in traffic during the Hawaii missile alert, I also discovered that their Insights blog has a lot of good data-analysis-type articles. The blog itself is SFW with no bad images, though of course the logo and the items mentioned in the articles themselves would not be. #yourtech-dailies

First impressions with emacs

Learning emacs really sucks. Let's do this.

My current stack

Because I'm insane, I decided to give Emacs a try. While I'm still pretty pleased with Omnifocus, I do find limitations with it. I also store all kinds of notes in Quiver. Anytime I'm working on anything, I keep my notes in Quiver. I had been keeping a worklog in it, but it got goofy when work (and the associated notes) spans multiple days. I also use PyCharm as my IDE. That I definitely like, but if I want to open a single file, I'm going to pop open vim, Sublime Text, or even just TextEdit.

Why I'm looking at Emacs

For years, I've been hearing amazing things about orgmode. It's used for todo lists, project planning, documents, and journals. People also like using emacs as a Python IDE. Everyone that uses emacs seems to really like it, and it keeps showing up as a good looking solution to different problems I'd like to solve. There's even a Slack client for it. I decided that I should really give emacs a shot before discarding any solution because it happened to be emacs based. You see, emacs has a super steep learning curve, and when you use it, you essentially join a cult.

Round 1

So I decided to dive in. I found a number of people recommending How to learn emacs as a good place for beginners. The first page has this juicy tidbit:

What I need from you is commitment (a couple of dedicated hours of study per week, and to use Emacs as your day-to-day editor) and patience (be willing to give up your favorite IDE’s features, at least for a month or two).

That's pretty intimidating, but to be fair, Vim takes a long time to master. Those first starting out need to learn what a modal editor is, how to switch between insert and command mode, how to navigate, how to do search and replace, how to delete lines, and possibly how to use vim's internal clipboard operations. That's all before you get into customizing and extending the program to turn it into an IDE.

I put a couple hours in the first weekend, and a little bit of time the following week going through the examples. But I got bored and real life kept me away.

Round 2

Seeing some time ahead of me, I figured I'd try again. I went back and forth between plain emacs, spacemacs and prelude. I researched all over how people got started with emacs. Lots of heavy opinions on "starting pure" versus using a starter pack like spacemacs/prelude. For those with vim leanings, there is an "evil mode" that provides vim keybindings and emulation. I came across the Mastering Emacs book, which got some good feedback on reddit.
I started reading a copy of the book with pure emacs open. It's 277 pages long and I got to about page 30 before I started falling asleep. However, here are some key things to know:

  • Emacs isn't based on files, but based on buffers (which may contain a file).
  • What we call a window, emacs calls a frame.
  • A frame contains multiple windows (or window panes)
  • You can assign any buffer to any window, or even have multiple windows showing the same buffer.

Round 3 - Just edit some python already

Screw reading books and working through tutorials. I'm just going to go ahead and start using emacs and then google every time I get stuck. That's how I learned vim back in the late 90s, except I didn't have Google back then. In fact, I didn't even have Internet at home back then. I had to go to school, search AltaVista, download manuals and deb packages to floppy disk, then take them home and transfer them.

I figure, just use the stupid program this week and expect normal operations to take longer while I work things out.

I don't know how to exit vim

So first things first, I took the popular advice and installed spacemacs, which gives me fancy color themes and evil mode.

  1. If you fire up emacs, it's a decent GUI, complete with helpful menus and mouse integration. You can open a file, edit it, save it and exit almost as easily as in any other text editor. File -> Visit New File and File -> Open do make you type in the path of the file instead of using a file-open dialog, but there is a sort of autocomplete/directory listing interface.
  2. Emacs with spacemacs takes a long time to load. It's on par with PyCharm's slow load times. Kind of sucks if emacs is closed and you just want to open a file. The one book says that I should run emacs in a server mode and just use the emacsclient binary for all subsequent starts. Ok, fine - if I have emacs up all day long, that's doable.
  3. Emacs can run a shell. M-x shell runs your default shell (bash in my case) in a buffer; emacs fans call this the inferior shell. The "emacs shell", eshell, is promoted as superior. It's a bash-inspired shell written in elisp. Both shells suck. I thought I'd be able to run a terminal in a window below the file I'm editing like I do in PyCharm, but it's extremely frustrating working in these shells. Ctrl-C is "C-c C-c", and it's really easy to end up typing over output from a previous command. Worst of all, I could not activate a virtualenv in either shell. This means I couldn't drop to a shell and run ad-hoc python tools. While there may be some amazing tweaks and features these shells bring, I found it much like working on a bad serial connection.
  4. When I opened a python file, spacemacs detected this and asked if I wanted to install the python layer. This gave me nice syntax highlighting, but I didn't get any autocomplete like I was hoping for. I know that "helm" is enabled, but there is perhaps something else I have to do for autocomplete to work.

projectile for projects

Spacemacs bundles an add-on called projectile. This is pretty nice. Incidentally, "bbatsov" writes a lot of stuff for emacs, including the previously mentioned prelude. People recommend prelude over spacemacs because they feel spacemacs could add complexity that confuses a beginner once they get past the initial learning curve. I.e., spacemacs is good for super beginners, but bad for intermediate users. Or so I've heard.

Anyway, this adds some nice functionality. Open a file inside a directory that is under git control, and it establishes all files in the directory as a project. If you have all your projects in a directory like ~/projects, you can teach emacs about all of them at once:

M-x projectile-discover-projects-in-directory ~/projects

Once you scan them all, you can run C-c p F to show a list of all known projects and select one to open. Open a file in any project and it puts you in project mode. There are shortcuts to see all files in the project, if you open a shell it drops you in the project directory. You can also quickly switch between recently opened files, perform in-project search and replace.

org-mode

So far, org-mode has been my most positive experience. I wrote up a general outline of some software I'm working on and I found it much easier to write with and organize than when I write in markdown.

It's not markdown, and expecting to be able to use things like markdown code blocks will disappoint you. But it's definitely learnable and I can see myself using it.

You just go ahead and open a file ending in .org and start writing. Headers start with * instead of # but otherwise will be familiar to a markdown user.

The really nice bit of org mode comes as you learn the hot keys and easy shortcuts. Key combinations will create new headings and list entries, or you can move an entire section up, down, indent or outdent.

If you type <s followed by TAB, it expands to a 'src' code block:

#+BEGIN_SRC 

#+END_SRC

I only did some basic outlining, but it seemed workable. I can see emacs/orgmode possibly replacing Quiver as my primary notebook. It won't be easy, because Quiver has this nice feature where you just start writing a note and that note may or may not get a title. There is no need to save that note to a file, because it's saved within the Quiver datastore. Emacs will want me to save a file for each note.

Probably a next step is to test out org-journal. After that, dive into orgmode and Getting Things Done. If I can put my Omnifocus tasks into emacs and use it as a daily work notebook, then the time invested so far won't be entirely wasted.

Follow up: I came across this orgmode day planner approach, which seems even more workable than the GTD approach linked above.

Vault Standup

This is a little walkthrough of setting up a "production-like" Vault server with an etcd backend (not really production: no TLS, and one person holding all the keys). Hashicorp Vault is incredibly easy to set up. Going through the dev walkthrough is pretty easy, but when you want to get a little more advanced, you start getting bounced around the documentation. So these are my notes on setting up a Vault server with an etcd backend and a few policies/tokens for access. Consider this part 1; in "part 2", I'll set up an LDAP auth backend.

Q: Why etcd instead of consul?
A: Most of the places I know that run Consul run it across multiple datacenters and a few thousand servers, and it interacts with lots of different services. Even if the secrets are protected, the metadata is quite visible. I want a rather compact and isolated backend for my eventual cluster.

Let's get started.

First off, create a configuration file for vault.

vaultserver.hcl:

metaladmin@vaultcore01:~$ cat vaultserver.hcl
storage "etcd" {
  address  = "http://localhost:2379"   # etcd reached over plain HTTP on the same host
  etcd_api = "v2"
  path = "corevault"                   # key prefix inside etcd; data under it is encrypted by Vault
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1   # lab only: every token and secret crosses the network in clear text
}

disable_mlock = true   # lab only: without mlock, key material in memory can be swapped to disk
cluster_name = "corevault"

Start the server (in its own terminal)

metaladmin@vaultcore01:~$ vault server -config=vaultserver.hcl
==> Vault server configuration:

                     Cgo: disabled
              Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")

Init the server

dfzmbp:~ ytjohn$ export VAULT_ADDR=http://vaultcore01.pool.lab.ytnoc.net:8200
dfzmbp:~ ytjohn$ vault init
Unseal Key 1: f9XJwuxla/H86t8pbWVPnI6Tfi3nQtkasq303Oi8B+ep
Unseal Key 2: jFqEmE1c/lei+C1aIju6JM2t5fSI534g26E7Nv83t9RV
Unseal Key 3: ty/P+Jubm1BukPcdZ16eJFD0JQ9BFGqOSgft35/fvHXr
Unseal Key 4: 6k4aPjuKgz0UNe+hTVAOKUzrIvbS9w8UszB0HX3Au496
Unseal Key 5: PYNjRe9vBvHAGE9peiotrtjoYuVlAV/9QJ0NvqZScd2a
Initial Root Token: b6eac78d-f278-4d32-6894-a8168d055340

That Initial Root Token is your only means of accessing the vault once it's unsealed, so don't lose it until you have replaced it with something else. Two things worth knowing before doing this outside a lab: vault init prints the unseal keys and the root token to whoever runs it (and to that terminal's scrollback), so one person now holds every key share; the -pgp-keys option to vault init encrypts each share to a different custodian's public key instead. And a lost root token is recoverable as long as enough unseal key holders cooperate (vault generate-root mints a new one), so the intended practice is to revoke the root token once bootstrapping is done rather than keep it around.

And this creates a directory in etcd (or consul)

metaladmin@vaultcore01:~$ etcdctl ls
/test1
/corevault
metaladmin@vaultcore01:~$ etcdctl ls /corevault
/corevault/sys
/corevault/core

Unseal it:

dfzmbp:~ ytjohn$ vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1
Unseal Nonce: d860cb16-f084-925d-6f41-d80ef15e297c
dfzmbp:~ ytjohn$ vault unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 2
Unseal Nonce: d860cb16-f084-925d-6f41-d80ef15e297c
dfzmbp:~ ytjohn$ vault unseal
Key (will be hidden):
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Unseal Nonce:
dfzmbp:~ ytjohn$ vault unseal
Vault is already unsealed.

Now let's take that root token and save it in our home directory. This is not safe, because it's the all-powerful root token; you should create a user token for yourself and revoke the root token once setup is done. But that's later.

Save your token (or export it as VAULT_TOKEN), then write and read some secrets. The CLI reads ~/.vault-token automatically, so lock the file down to your own user:

dfzmbp:~ ytjohn$ echo b6eac78d-f278-4d32-6894-a8168d055340 > ~/.vault-token
dfzmbp:~ ytjohn$ chmod 600 ~/.vault-token
dfzmbp:~ ytjohn$ vault write secret/hello value=world
Success! Data written to: secret/hello
dfzmbp:~ ytjohn$ vault read secret/hello
Key                 Value
---                 -----
refresh_interval    768h0m0s
value               world

dfzmbp:~ ytjohn$ vault read -format=json secret/hello
{
    "request_id": "a4b199e7-ff7c-e249-2944-17424bf1f05c",
    "lease_id": "",
    "lease_duration": 2764800,
    "renewable": false,
    "data": {
        "value": "world"
    },
    "warnings": null
}

dfzmbp:~ ytjohn$ helloworld=$(vault read -field=value secret/hello)
dfzmbp:~ ytjohn$ echo $helloworld
world

Ok, that's the basics of getting vault up and running. Now we want to get more users to access it. What I want is to create three "users" and give them each a path.

infra admins = able to create, read, and write to secret/infra/*
infra compute = work within the secret/infra/compute area.
infra network = work within the secret/infra/network area

infraadmin.hcl

path "secret/infra/*" {
  capabilities = ["create"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

infracompute.hcl

path "secret/infra/compute/*" {
  capabilities = ["create"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

infranetwork.hcl

path "secret/infra/network/*" {
  capabilities = ["create"]
}

path "secret/infra/compute/obm/*" {
  capabilities = ["read"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

Now, we write these policies in.

dfzmbp:vault ytjohn$ vault policy-write infraadmin infraadmin.hcl
Policy 'infraadmin' written.
dfzmbp:vault ytjohn$ vault policy-write infracompute infracompute.hcl
Policy 'infracompute' written.
dfzmbp:vault ytjohn$ vault policy-write infranetwork infranetwork.hcl
Policy 'infranetwork' written.

Let's create a token "user" for each policy.

dfzmbp:vault ytjohn$ vault token-create -policy="infraadmin"
Key             Value
---             -----
token           d16dd3dc-cd9e-15e1-8e41-fef4168a429e
token_accessor  50a1162f-58a2-474c-466d-ec68fac9a2f9
token_duration  768h0m0s
token_renewable true
token_policies  [default infraadmin]

dfzmbp:vault ytjohn$ vault token-create -policy="infracompute"
Key             Value
---             -----
token           d156326d-1ee6-7a93-d9d3-428e2211962d
token_accessor  daf3beb4-6c31-4115-2d00-ba811c50b05b
token_duration  768h0m0s
token_renewable true
token_policies  [default infracompute]

dfzmbp:vault ytjohn$ vault token-create -policy="infranetwork"
Key             Value
---             -----
token           84faa448-20d9-b472-349f-1053c81ff4c9
token_accessor  68eea7ec-78c0-4be1-03c4-f2ec155b66de
token_duration  768h0m0s
token_renewable true
token_policies  [default infranetwork]

Let's log in with the infranetwork token and attempt to write to compute. I have not yet created secret/infra/compute or secret/infra/network, and I'm curious if infraadmin is needed to make those first.

dfzmbp:vault ytjohn$ vault auth 84faa448-20d9-b472-349f-1053c81ff4c9
Successfully authenticated! You are now logged in.
token: 84faa448-20d9-b472-349f-1053c81ff4c9
token_duration: 2764764
token_policies: [default infranetwork]
dfzmbp:vault ytjohn$ vault write secret/infra/compute/notallowed try=wemust
Error writing data to secret/infra/compute/notallowed: Error making API request.

URL: PUT http://vaultcore01.pool.lab.ytnoc.net:8200/v1/secret/infra/compute/notallowed
Code: 403. Errors:

* permission denied
dfzmbp:vault ytjohn$ vault write secret/infra/network/allowed alreadyexists=maybe
Success! Data written to: secret/infra/network/allowed

I got blocked from creating a path inside of compute, and I didn't need secret/infra/network to exist before writing a child path: the generic secret backend is a flat key/value store, so there are no directories to create and nothing for an admin to pre-create. That infraadmin account is really not needed at all. Let's go ahead and try infracompute.

$ vault auth d156326d-1ee6-7a93-d9d3-428e2211962d # auth as infracompute
$ vault write secret/infra/compute/obm/idrac/oem username=root password=calvin
Success! Data written to: secret/infra/compute/obm/idrac/oem
$ vault read secret/infra/compute/obm/idrac/oem
Error reading secret/infra/compute/obm/idrac/oem: Error making API request.

URL: GET http://vaultcore01.pool.lab.ytnoc.net:8200/v1/secret/infra/compute/obm/idrac/oem
Code: 403. Errors:

* permission denied

Oh my. I gave myself create, but not read permissions. Two more things to notice here: create only covers the first write to a path, and overwriting an existing key needs update, so these create-only policies would also have blocked a second write to secret/infra/compute/obm/idrac/oem. And passing password=calvin on the command line leaves the secret in shell history and in ps output; vault write also accepts @file.json or - to read the data from a file or stdin. New policies.

infranetwork.hcl

path "secret/infra/network/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/infra/compute/obm/*" {
  capabilities = ["read", "list"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

infracompute.hcl

path "secret/infra/compute/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "auth/token/lookup-self" {
  capabilities = ["read"]
}

Let's update our policy list and clean up: revoke the infraadmin token, delete its policy, and write the corrected policies.

vault auth b6eac78d-f278-4d32-6894-a8168d055340 # auth as root token
vault policy-delete infraadmin # delete unneeded infradmin policy
vault token-revoke d16dd3dc-cd9e-15e1-8e41-fef4168a429e # remove infraadmin token
vault policy-write infranetwork infranetwork.hcl
vault policy-write infracompute infracompute.hcl

Try again:

$ vault auth d156326d-1ee6-7a93-d9d3-428e2211962d # auth as infracompute
Successfully authenticated! You are now logged in.
token: d156326d-1ee6-7a93-d9d3-428e2211962d
token_duration: 2762315
token_policies: [default infracompute]
$ vault read secret/infra/compute/obm/idrac/oem
Key                 Value
---                 -----
refresh_interval    768h0m0s
password            calvin
username            root

And as infranetwork: listing secret/infra/compute itself is denied, but everything under secret/infra/compute/obm is listable and readable.

$ vault auth 84faa448-20d9-b472-349f-1053c81ff4c9 #infranetwork
$ vault list secret/infra/compute
Error reading secret/infra/compute/: Error making API request.

URL: GET http://vaultcore01.pool.lab.ytnoc.net:8200/v1/secret/infra/compute?list=true
Code: 403. Errors:

* permission denied
$ vault list secret/infra/compute/obm
Keys
----
idrac/

$ vault list secret/infra/compute/obm/idrac
Keys
----
oem

$ vault read secret/infra/compute/obm/idrac/oem
Key                 Value
---                 -----
refresh_interval    768h0m0s
password            calvin
username            root
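The policy checks above, as an added example that is not part of the original post: a small bash evaluator that applies Vault's policy matching rules to the infracompute and infranetwork policies (both the original create-only versions and the corrected ones) and reproduces every allow and 403 in the transcript without a running server. It assumes the rules Vault documents for this generation of policies, namely that only a trailing * is a glob, that an exact-path rule beats a glob, that the longest matching glob prefix wins otherwise, and that a list request is matched with a trailing slash; the policy table, the request list and the function names are mine. It does not model the default policy or the backend's existence check, so the caller says whether a write is a create or an update.

```shell
#!/usr/bin/env bash
# Added example, not from the post: evaluate Vault ACL policies offline.
# Assumed matching rules (Vault's documented behaviour for trailing-* globs):
#   - a "list" request is matched with a trailing "/" on the path
#   - an exact-path rule beats any glob rule
#   - otherwise the longest matching glob prefix wins
#   - "deny" in the winning rule, or no matching rule at all, means deny
set -eu

# One rule per line: <policy> <path-pattern> <comma-separated capabilities>.
# infracompute/infranetwork are the corrected policies from the post; the
# *_v1 entries are the original create-only versions, kept to show the 403s.
POLICY_RULES='
infracompute    secret/infra/compute/*      create,read,update,delete,list
infracompute    auth/token/lookup-self      read
infranetwork    secret/infra/network/*      create,read,update,delete,list
infranetwork    secret/infra/compute/obm/*  read,list
infranetwork    auth/token/lookup-self      read
infracompute_v1 secret/infra/compute/*      create
infranetwork_v1 secret/infra/network/*      create
infranetwork_v1 secret/infra/compute/obm/*  read
'

# vault_allows POLICY CAPABILITY PATH -> exit 0 if granted, 1 if denied
vault_allows() {
  local policy="$1" cap="$2" path="$3"
  local exact_caps="" glob_caps="" glob_len=-1 pol pattern caps prefix

  # list requests are evaluated against "path/" (that is why
  # "secret/infra/compute/obm/*" covers listing secret/infra/compute/obm)
  if [ "$cap" = list ]; then
    case "$path" in */) ;; *) path="$path/" ;; esac
  fi

  while read -r pol pattern caps; do
    [ "$pol" = "$policy" ] || continue
    case "$pattern" in
      *\*)                                  # glob rule: prefix match
        prefix="${pattern%\*}"
        case "$path" in
          "$prefix"*)
            if [ "${#prefix}" -gt "$glob_len" ]; then
              glob_len="${#prefix}"; glob_caps="$caps"
            fi ;;
        esac ;;
      *)                                    # exact rule
        if [ "$path" = "$pattern" ]; then exact_caps="$caps"; fi ;;
    esac
  done <<EOF
$POLICY_RULES
EOF

  local winner="$exact_caps"
  [ -n "$winner" ] || winner="$glob_caps"
  [ -n "$winner" ] || return 1              # no rule matched: implicit deny
  case ",$winner," in *,deny,*) return 1 ;; esac
  case ",$winner," in *",$cap,"*) return 0 ;; esac
  return 1
}

# decide POLICY CAPABILITY PATH -> prints allow or deny
decide() {
  if vault_allows "$1" "$2" "$3"; then echo allow; else echo deny; fi
}

# The requests from the transcript, plus the second write the post never
# tried.  A first write to a key is a "create"; overwriting it is an "update".
demo() {
  printf '%-16s %-7s %-38s %s\n' POLICY CAP PATH RESULT
  while read -r pol cap path; do
    [ -n "$pol" ] || continue
    printf '%-16s %-7s %-38s %s\n' "$pol" "$cap" "$path" "$(decide "$pol" "$cap" "$path")"
  done <<'EOF'
infranetwork_v1 create secret/infra/compute/notallowed
infranetwork_v1 create secret/infra/network/allowed
infracompute_v1 create secret/infra/compute/obm/idrac/oem
infracompute_v1 read   secret/infra/compute/obm/idrac/oem
infracompute_v1 update secret/infra/compute/obm/idrac/oem
infracompute    read   secret/infra/compute/obm/idrac/oem
infranetwork    list   secret/infra/compute
infranetwork    list   secret/infra/compute/obm
infranetwork    read   secret/infra/compute/obm/idrac/oem
EOF
}

demo
```

Running it prints one line per request from the transcript; the infracompute_v1 update row is the case the post never hit, a second write to the same key under the create-only policy, which is denied just like the read was. Against a live server the equivalent check is vault capabilities with the token and path in question, which asks Vault itself rather than a model of it.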