Thomas thomsh

@thomsh
thomsh / ssh-tunnel-jump.md
Created October 31, 2019 14:53
SSH tunnels and jump memo

SSH Tunnel/jump memo for sweet devs :)

SSH tunnels

The basic LocalForward

Goal: access a private port, for example a database listening only on 127.0.0.1 on the remote server.
ssh -L <choose a local port on your laptop>:<destinationip>:<destinationport> me@myserver
Example with the database:
ssh -L 50000:127.0.0.1:5432 me@server
Or with a remote database:
ssh -L 50000:123.254.99.21:3306 me@server

thomsh / unbound-setup-root.sh
Last active April 16, 2023 21:11
unbound install named.cache / root.hints [unchecked]
#!/bin/bash
# [unchecked] !
set -euxo pipefail
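# Fetch the signing key; gpg options (--keyserver) must come before the command (--recv-keys)
gpg --keyserver keys.gnupg.net --recv-keys 0x937BB869E3A238C5 || gpg --keyserver pgp.mit.edu --recv-keys 0x937BB869E3A238C5
# Abort (set -e + pipefail) unless the fetched key shows the expected fingerprint
gpg --with-fingerprint -k 0x937BB869E3A238C5 |grep -B 1 'F0CB 1A32 6BDF 3F3E FA3A 01FA 937B B869 E3A2 38C5'
wget https://www.internic.net/domain/named.cache.sig -O /tmp/named.cache.sig
wget https://www.internic.net/domain/named.cache -O /tmp/named.cache
# Verify the detached signature against the downloaded file before installing it
cd /tmp/ && gpg --with-fingerprint --verify named.cache.sig named.cache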
install -m 0644 /tmp/named.cache /var/lib/unbound/root.hints
echo installed
thomsh / ec2-get-cpu-credits.sh
Last active January 7, 2020 23:49
Get CPU credits Usage and remaining via local metadata on EC2 instance
#!/usr/bin/env bash
echo "Get CPU credits Usage and remaining via local metadata on EC2"
set -euo pipefail
AWS_DEFAULT_REGION="$(curl -s 169.254.169.254/latest/meta-data/placement/availability-zone)"
AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION::-1}" # strip the trailing AZ letter to get the region name
INSTANCE="$(curl -s 169.254.169.254/latest/meta-data/instance-id )"
FREQUENCY=600 # Get a point every 10 min
LAST="180 minutes ago"
START="$(date +'%Y-%m-%dT%H:%M:59Z' --utc -d "${LAST}" )"
END="$(date +'%Y-%m-%dT%H:%M:59Z' --utc )"
thomsh / allow-ip-on-your-sg.py
Last active January 8, 2020 04:05
python3 boto3 script to allow your IP on an EC2 security group (like your dev VM; a boring & recurring task)
#!/usr/bin/env python3
# python3 boto3 script to allow your IP on an EC2 security group (like your dev VM; a boring & recurring task)
import boto3
from pprint import pprint
import requests
SG_ID = 'sg-CHANGEME' # Your security group ID
# REGION https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
# or can be provided via env var or in your .aws/config
thomsh / docker_clean.sh
Created March 3, 2020 01:31
Clean & free up resources when using Docker manually.
#!/usr/bin/env bash
set -euxo pipefail
echo "[*] Clean up exited or created but unused containers"
docker ps -a -q -f status=exited |xargs -r -- docker rm -v
docker ps -a -q -f status=created |xargs -r -- docker rm -v
echo "[*] Remove dangling images"
docker images -f dangling=true -q |xargs -r -- docker rmi
echo "[*] Purge system resources & volumes"
docker volume prune -f
docker system prune -f
thomsh / git-crypt-rm-gpg-user.sh
Last active October 19, 2023 05:14 — forked from Falkor/git-crypt-rm-gpg-user.sh
Allow you to rotate your git-crypt key and re-encrypt your repository after removing GPG user (Safer version)
#!/usr/bin/env bash
#
# Script to remove GPG user (recipient) with git-crypt
#
# It will re-initialize git-crypt for the repository and re-add all keys except
# the one requested for removal.
#
# Note: You still need to change all your secrets to fully protect yourself.
# Removing a user will prevent them from reading future changes but they will
# still have a copy of the data up to the point of their removal.
thomsh / update-iptables.sh
Created March 20, 2020 04:07
A simple iptables script that works well with iptables-persistent (but doesn't validate rules)
#!/usr/bin/env bash
# Simple script to handle iptables rules before switching to nftables
# This script must not be interrupted on error: stopping midway would break iptables
# Add custom script in /etc/iptables.d
set -x
CUSTOM_RULES="/etc/iptables.d"
DISABLE_SSH_RULE="/etc/firewall-disable-auto-ssh" # create this file to disable ssh auto rule
if [ "$(id -u)" -ne 0 ];then
echo "Re-run $0 as root"
thomsh / kernel-settings-for-desktop.sh
Last active July 15, 2020 02:01
Desktop kernel settings WIP
#!/usr/bin/env bash
# Enable all sysrq https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
sysctl -w kernel.sysrq=1 # 1 means all
# Ask the kernel to keep 3% of the RAM free
sysctl -w vm.min_free_kbytes="$(grep '^MemTotal:' /proc/meminfo |awk '{print int($2*0.03)}')"
# Ask the kernel to keep 3% of the RAM for admin things
sysctl -w vm.admin_reserve_kbytes="$(grep '^MemTotal:' /proc/meminfo |awk '{print int($2*0.03)}')"
#!/opt/chef-workstation/embedded/bin/ruby
require "chef/encrypted_data_bag_item"
require "json"
if ARGV.length != 2
puts "usage: encrypt_databag.rb /path/to/plain_json_data_bag KEY"
abort
end
plaindata_path = ARGV[0]
#!/opt/chef-workstation/embedded/bin/ruby
require "chef/encrypted_data_bag_item"
require "json"
if ARGV.length != 2
puts "usage: decrypt_databag.rb /path/to/cipher_json_data_bag KEY"
abort
end
cipherdata_path = ARGV[0]