I'm a Linux/Unix sysadmin with experience in High Availability, scaling and clustering, security, (Open)SSL and general Linux system administration. I've worked as a sysadmin (devops) for Certificate Authorities, Hospitals, Managed Service providers, Datacenters, Development shops and large Internet Service providers. I currently work for an Openstack provider. I like to design, build and manage large, complex and highly available systems. I like to work with configuration management tools and version control systems. Documentation, monitoring and backups are things I do first, not when the time allows it later.
This is my personal website, please do note that these articles do not reflect opinions or policies of any of my (previous) employers, only my personal one.

Latest Items

Ansible: access group vars for groups the current host is not a member of

27-01-2017 | Remy van Elst

This guide shows you how to access group variables for a group the current host is not a member of. In Ansible you can access another host's variables using `hostvars['hostname']`, but there is no equivalent lookup for group variables. The way described here is workable, but I do consider it a dirty hack. So why did I need this? I have a setup where SSL is offloaded by haproxy servers, but the virtual hosts and SSL configuration are defined on the Apache servers. The loadbalancers and appservers are two different hostgroups; the SSL settings live in the appserver group_vars, which the hosts in the loadbalancer group need to access. The best way to do this is to change the haproxy playbooks and configuration and define the certificates there, but in this specific case that wasn't a workable solution. Editing two YAML files (one for the appservers and one for the loadbalancers) was not an option in this situation.


haproxy: restrict specific URLs to specific IP addresses

09-01-2017 | Remy van Elst

This snippet shows you how to use haproxy to restrict certain URLs to certain IP addresses, for example to make sure your admin interface can only be accessed from your company IP address. Note that `src` is the address of the TCP peer: if haproxy itself sits behind another proxy or loadbalancer, you must match on the forwarded client address instead, otherwise every request appears to come from that proxy.


OpenStack: Quick and automatic instance snapshot backup and restore (and before an apt upgrade) with nova backup

20-12-2016 | Remy van Elst

This is a guide that shows you how to create OpenStack instance snapshots automatically, quickly and easily. This allows you to create a full backup of the entire instance. This guide has a script that makes creating snapshots of an OpenStack VM automatic via cron. The script uses the `nova backup` function, so it also has retention and rotation of the backups. It also features an option to create a snapshot before every apt action (upgrade/install/remove). This way you can easily restore from the snapshot when something goes wrong after an upgrade. Snapshots are very useful to restore the entire instance to an earlier state. Do note that this is not the same as a file based backup: you can't select a few files to restore, it's all or nothing.


Create a PDP-8 OS8 RK05 system disk from RX01 floppies with SIMH (and get text files in and out of the PDP-8)

07-12-2016 | Remy van Elst

This guide shows you how to build an RK05 bootable system disk with OS/8 on it for the PDP-8, in the SIMH emulator. We will use two RX01 floppies as the build source, copy over all the files and set up the LPT printer and the PTR/PIP paper tape punch/readers. As an added bonus the article also shows you how to get text files in and out of the PDP-8 system using the printer and paper tape reader/puncher.


Overflow the Investigatory Powers Bill!

24-11-2016 | Remy van Elst

I read an article on The Register regarding the Investigatory Powers Bill. The part where ISPs are forced to save their customers' browsing history for a year is the most horrifying part, just as that whole bill. Let's hope the political process and organizations like the Open Rights Group and the EFF have enough lobbying power to change people's minds. If that fails, then we can all try to overflow the logging. Just as some people put keywords in their mail signatures to trigger automatic filters and generate noise, we should all generate as much data and noise as possible. This way the information they do gather will not be useful; it will take too much time, storage and effort to process it and thus the project will fail. Two years ago I wrote a small Python script which browses the web for you, all the time. Running that on one or two Raspberry Pis or other small low power computers 24/7 will generate a lot of noise in the logging and filtering.


Build a FreeBSD 11.0-release Openstack Image with bsd-cloudinit

14-11-2016 | Remy van Elst

We are going to prepare a FreeBSD image for Openstack deployment. We do this by creating a FreeBSD 11.0-RELEASE instance, installing it and converting it using bsd-cloudinit. We'll use the CloudVPS public Openstack cloud for this. We'll be using the Openstack command line tools, like nova, cinder and glance. A FreeBSD image with Cloud Init will automatically resize the disk to the size of the flavor and it will add your SSH key right at boot. You can use Cloud Config to execute a script at first boot, for example to bootstrap your system into Puppet or Ansible. If you use Ansible to manage OpenStack instances you can integrate it without logging in or doing anything manually.


Nitrokey gnuk firmware update via DFU

11-10-2016 | Remy van Elst

The Nitrokey (Start, all of them) can be upgraded to a newer gnuk firmware. However, this can only be done via ST-Link or DFU; if you use the gnuk USB firmware upgrade you will brick the device. This guide shows you how to attach a DFU adapter and how to flash firmware to a Nitrokey, both for upgrading and for unbricking a device that was upgraded over USB.


MySQL restore after a crash and disk issues

10-10-2016 | Remy van Elst

Recently I had to restore a MySQL server. The hardware had issues with the storage and required some fscks, disk replacements and a lot of RAID and LVM love to get working again. Which was the easy part. MySQL was a bit harder to fix. This post describes the process I used to get MySQL working again with a recent backup. In this case it was a replicated setup so the client had no actual downtime.


Firefox History stats with Bash

25-09-2016 | Remy van Elst

This is a small script to gather some statistics from your Firefox history. First we use sqlite3 to parse the Firefox history database and get the last three months, then we remove all the IP addresses and port numbers and finally we sort and count it.
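The following is an added example written for this page, not the author's own script. It assumes `sqlite3` is on the PATH and that the Firefox profile lives under `~/.mozilla/firefox/*.default*/` (override with `PLACES`); the host normalisation (drop scheme, userinfo, port and path, then drop IPv4 and IPv6 literals) is one reading of "remove all the IP addresses and port numbers" and is kept in its own function so it can be tested on constructed input without a database.

```bash
#!/usr/bin/env bash
# Added example, not the page's script: visit counts per host from Firefox's
# places.sqlite for the last three months.
set -eu

# Assumption: default profile location; set PLACES to override.
PLACES=${PLACES:-$HOME/.mozilla/firefox/*.default*/places.sqlite}

# Firefox keeps places.sqlite locked while it runs, so query a copy and
# remove it afterwards (the copy is your full browsing history).
# moz_historyvisits has one row per visit; visit_date is microseconds since
# the epoch, hence the * 1000000 on the unix timestamp from strftime.
dump_recent_urls() {
    local db=$1 copy
    copy=$(mktemp)
    cp "$db" "$copy"
    sqlite3 "$copy" "SELECT p.url FROM moz_historyvisits v
                     JOIN moz_places p ON p.id = v.place_id
                     WHERE v.visit_date > strftime('%s','now','-3 months') * 1000000;"
    rm -f "$copy"
}

# Reduce URLs on stdin to bare lowercase hostnames:
#   1. drop the scheme        (https://)
#   2. drop userinfo          (user:pw@)
#   3. drop path/query/frag   (/..., ?..., #...)
#   4. drop a trailing :port
# then throw away IPv4 literals, anything still containing ':' (IPv6
# literals and non-URL entries such as about:config) and empty lines.
urls_to_hosts() {
    tr 'A-Z' 'a-z' \
    | sed -E 's|^[a-z][a-z0-9+.-]*://||; s|^[^/@]*@||; s|[/?#].*$||; s|:[0-9]+$||' \
    | grep -Ev ':|^([0-9]{1,3}\.){3}[0-9]{1,3}$|^$'
}

# Visits per host, most visited first.
count_hosts() {
    urls_to_hosts | sort | uniq -c | sort -rn
}

# Only hit the real profile when asked; sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
    for db in $PLACES; do
        dump_recent_urls "$db"
    done | count_hosts | head -n 20
fi
```

Run it as `./ffstats.sh --run`; the counts are visits, not distinct URLs, because the query walks `moz_historyvisits` rather than `moz_places`.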


Create /etc/shadow crypted password entries

23-09-2016 | Remy van Elst

These small snippets create password strings you can put in /etc/shadow when you need to reset a password on a system. Use the salted SHA-512 format (`$6$salt$hash`) with a fresh random salt for every entry; the legacy DES and MD5 (`$1$`) formats are still accepted by most systems but are far cheaper to brute-force.
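The following is an added example written for this page, not one of the author's snippets. It generates a SHA-512 crypt field with a random salt, verifies a password against an existing field, and builds a complete /etc/shadow record. It assumes `openssl passwd -6` (OpenSSL 1.1.1 or newer) or, as a fallback, `python3` with the `crypt` module (removed in Python 3.13).

```bash
#!/usr/bin/env bash
# Added example, not the page's snippet: create and verify /etc/shadow
# password fields in the $6$ (SHA-512 crypt) format.
set -eu

# 16 salt characters from the crypt alphabet [./0-9A-Za-z]: 12 random bytes
# base64 to exactly 16 characters, and '+' '/' are remapped to '.' '/'.
make_salt() {
    head -c 12 /dev/urandom | base64 | tr '+/' './'
}

# sha512_crypt PASSWORD SALT -> "$6$SALT$HASH"
# The password goes over stdin / the environment, never on the command line,
# so it does not show up in `ps`.
sha512_crypt() {
    local password=$1 salt=$2
    if command -v openssl >/dev/null 2>&1 \
       && printf '%s\n' "$password" | openssl passwd -6 -salt "$salt" -stdin 2>/dev/null; then
        return 0
    fi
    # Fallback for systems without a recent OpenSSL (assumption: python3 < 3.13).
    PW=$password SALT=$salt python3 -c \
        'import crypt, os; print(crypt.crypt(os.environ["PW"], "$6$" + os.environ["SALT"]))'
}

# verify_password PASSWORD FIELD -> exit 0 when PASSWORD matches FIELD.
# Recomputes the hash with the salt embedded in the field (3rd $-separated part).
verify_password() {
    local password=$1 field=$2 salt
    case $field in
        '$6$'*) ;;
        *) return 1 ;;   # only the SHA-512 format is handled here
    esac
    salt=$(printf '%s' "$field" | cut -d'$' -f3)
    [ "$(sha512_crypt "$password" "$salt")" = "$field" ]
}

# shadow_line USER PASSWORD -> full record:
#   name:hash:lastchange(days since epoch):min:max:warn:inactive:expire:
shadow_line() {
    local user=$1 password=$2 hash days
    hash=$(sha512_crypt "$password" "$(make_salt)")
    days=$(( $(date +%s) / 86400 ))
    printf '%s:%s:%s:0:99999:7:::\n' "$user" "$hash" "$days"
}

if [ "${1:-}" = "--line" ]; then
    shadow_line "$2" "$3"
fi
```

To apply the result without hand-editing the file, feed `user:HASH` to `chpasswd -e`, or use `usermod -p 'HASH' user`; either is safer than editing /etc/shadow in an ordinary editor, which skips the locking that `vipw` provides.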


Mouse movement via the keyboard with xdotool and xbindkeys

13-09-2016 | Remy van Elst

I had a request from a friend to figure out how she could use her mouse via the keyboard. Normally you would use Mouse Keys, but she uses a Kinesis Freestyle2 keyboard which has no numpad. By using xbindkeys together with xdotool we can use our own key combination to move the mouse, in any window manager.


IPSEC VPN on Ubuntu 16.04 with StrongSwan

12-09-2016 | Remy van Elst

This is a guide on setting up an IPsec VPN server on Ubuntu 16.04 using StrongSwan as the IPsec server and for authentication, with a detailed explanation of every step. We chose the IPsec protocol stack because of the vulnerabilities found in PPTP (pptpd) VPNs and because it is supported on all recent operating systems by default. More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details more easily than you may think. A self hosted VPN takes the local network and its operator out of that picture: your traffic leaves the coffee shop encrypted and exits from a server you control.


Nagios 4 + Nagiosgraph (latest) installation on Ubuntu

11-09-2016 | Remy van Elst

This is a guide on installing the latest Nagios Core (4.2.1) on Ubuntu 12.04 and 14.04. Nagios is an open source computer system, network and infrastructure monitoring application. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved. The version in the Ubuntu 12.04 repositories is quite old, it is still in the 3.x branch. This guide helps to fix that by using the latest Nagios version. We also install Nagiosgraph, a plugin for Nagios which gives you graphs of the metrics.


Ansible - Create OpenStack servers with Ansible 2.0 and the os_server module and a dynamic inventory

10-09-2016 | Remy van Elst

I regularly deploy clusters and single servers on OpenStack with Ansible. However, Ansible 2.0 comes with new OpenStack modules, and my playbooks still used the old ones. I reserved some time to convert these playbooks to the new modules and Ansible 2. This article shows a very simple example: it creates three servers in OpenStack and adds them to different hostgroups based on variables, for example to create one loadbalancer and two appservers and run specific playbooks on those hosts based on their role.


FST-01 gnuk firmware update via USB

09-09-2016 | Remy van Elst

The FST-01 (Flying Stone 1) is a small STM32F103TB based USB device designed to run gnuk and NeuG (GPG USB token or true random number generator). This guide shows you how to upgrade the firmware on the FST-01 so that you can enjoy newer gnuk features like 4096 bit RSA keys.


Ansible - create playbooks and role file and folder structure

08-09-2016 | Remy van Elst

Because I always forget which folders and files go into a playbook folder.


Reset iptables to ACCEPT all (backup and remove all existing rules)

03-09-2016 | Remy van Elst

Here's a small bash script that removes all iptables rules and sets up a default ACCEPT ALL state. Before the reset, it creates a backup of the current rules. I use this often to troubleshoot servers with networking issues. If you just blindly do an `iptables -F` you might lock yourself out of a server, since the INPUT policy might be DROP: once the rules that allowed your SSH session are gone, the policy is all that is left and it drops everything. The order therefore matters: set the chain policies to ACCEPT first, then flush.
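The following is an added example written for this page, not the author's script. It backs up the ruleset with `iptables-save`, then resets the filter, nat, mangle and raw tables in the lockout-safe order (policies to ACCEPT before the flush). The binary names are variables, which is an assumption of this example: it lets the same functions run against a stub for testing and against `ip6tables` for IPv6.

```bash
#!/usr/bin/env bash
# Added example, not the page's script: back up the current iptables ruleset,
# then reset every table to an empty ACCEPT-everything state without the
# lockout that a bare `iptables -F` causes when a chain policy is DROP.
set -eu

# Binaries and backup location are overridable (assumption of this example).
IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
BACKUP_DIR=${BACKUP_DIR:-/root/iptables-backups}

# Built-in chains per table; only these accept a policy (-P).
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# Save the complete ruleset to a timestamped file. Restore it later with
# `iptables-restore < FILE`. Prints the file name.
backup_rules() {
    local file
    mkdir -p "$BACKUP_DIR"
    file="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S).rules"
    "$IPTABLES_SAVE" > "$file"
    printf '%s\n' "$file"
}

# Order matters: policies go to ACCEPT *before* the flush. Flushing first
# would leave a DROP policy as the only thing deciding traffic, which kills
# the SSH session you are issuing the commands from.
reset_table() {
    local table=$1 chain
    for chain in $(builtin_chains "$table"); do
        "$IPTABLES" -t "$table" -P "$chain" ACCEPT
    done
    "$IPTABLES" -t "$table" -F   # flush all rules
    "$IPTABLES" -t "$table" -X   # delete user-defined chains
    "$IPTABLES" -t "$table" -Z   # zero packet/byte counters
}

# Reset every table that exists on this kernel (skips e.g. a missing raw table).
reset_all() {
    local table
    for table in filter nat mangle raw; do
        "$IPTABLES" -t "$table" -S >/dev/null 2>&1 || continue
        reset_table "$table"
    done
}

# Only act when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
    echo "Backup written to: $(backup_rules)"
    reset_all
    "$IPTABLES" -L -n -v
fi
```

Run it as root with `./iptables-reset.sh --run`; for IPv6 run it a second time with `IPTABLES=ip6tables IPTABLES_SAVE=ip6tables-save`. The backup file is a normal `iptables-save` dump, so `iptables-restore < /root/iptables-backups/FILE` puts the old rules back once you are done troubleshooting.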


Nitrokey Start: Getting started guide (gnuk openpgp token)

14-08-2016 | Remy van Elst

The Nitrokey Start is an OpenPGP USB token. It supports three 2048 bit GPG keys and is based on gnuk. Gnuk is an implementation of a USB cryptographic token for GPG. A cryptographic token is a store of private keys that computes the cryptographic functions on the device, so the keys never leave it. The main difference with other GPG cards like the Nitrokey Pro or the OpenPGP card is that this device does not use a smartcard. Whereas the other devices are basically USB smartcard readers, the Nitrokey Start has everything in its firmware. This article is a getting started guide where I talk about the initial setup of the device, setting up a user PIN, an admin PIN and a reset code, generating the key and subkeys on the device or loading external keys into the device, and usage examples with GPG, OpenSSH and Thunderbird.


Nitrokey HSM/SmartCard-HSM and Raspberry Pi web cluster

01-08-2016 | Remy van Elst

This article sets up a Nitrokey HSM/SmartCard-HSM web cluster and has a lot of benchmarks. This specific HSM is not a fast HSM since it's very inexpensive and targeted at secure key storage, not performance. But what if you do want more performance? Then you scale horizontally: just add some more HSMs and a loadbalancer in front. The cluster consists of Raspberry Pis and Nitrokey HSMs and SmartCard-HSMs; software-wise we use Apache, `mod_nss` and haproxy. We benchmark a small HTML file and a Wordpress site, with a regular 4096 bit RSA certificate without using the HSMs, a regular 2048 bit RSA certificate without using the HSMs, a 2048 bit RSA certificate in the HSM, a 1024 bit RSA certificate in the HSM and an EC prime256v1 key in the HSM. We do these benchmarks with the `OpenSC` module and with the `sc-hsm-embedded` module to see if that makes any difference.


Raspberry Pi unattended upgrade Raspbian to Debian Testing

27-07-2016 | Remy van Elst

I'm working on a Nitrokey/SmartCard-HSM cluster article and therefore I needed three identical computers. The current version of Raspbian (2016-05-27) is based on Debian Jessie and comes with a version of OpenSC that is too old (0.14) to work with the Nitrokey/SmartCard-HSM. Since there is no Ubuntu 16.04 official image yet I decided to upgrade Raspbian to Debian Testing. Since I don't want to answer yes to any config file changes or service restarts I figured out how to do an unattended dist-upgrade.


Storing arbitrary data in the Nitrokey HSM/SmartCard-HSM with Elementary Files (EF)

17-07-2016 | Remy van Elst

This is a guide which shows you how to write small elementary files to a Nitrokey HSM. This can be useful if you want to securely store data protected by a user PIN. The retry counter locks the PIN after three wrong attempts, so brute forcing the PIN is out of the picture, and because the data only exists inside the token there is nothing to attack offline.


All Items