Monday, June 26, 2023

SSH authorized_keys command=

On the host with files that need to be copied

rsync -v --remove-source-files -r -e "ssh -vi .ssh/id_rsa" src_dir/ user@host:dest_dir/


The ssh verbose output will contain a line like:

debug1: Sending command: rsync --server -vre.iLsfxCIvu --remove-source-files . dest_dir/

Then constrain the key in authorized_keys with command= and the restrict keyword, which disables port forwarding, agent forwarding, X11 forwarding and PTY allocation, among other things. See man authorized_keys.
command="rsync --server -vre.iLsfxCIvu --remove-source-files . dest_dir/",restrict ssh-rsa ...

Finally drop the -v from the initial rsync command.
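As an added example (not from the post), a forced-command wrapper in Python that gives the same result as the fixed command= above but also logs any request that does not match, which a bare command= cannot do. It assumes the wrapper lives at /usr/local/bin/rsync_only.py (hypothetical path) and that ALLOWED is exactly the server-side command captured with ssh -v as shown above.

```python
#!/usr/bin/python3
"""Forced-command wrapper for the rsync-only key (added example, not from the post).

authorized_keys entry (assumed path):
  command="/usr/local/bin/rsync_only.py",restrict ssh-rsa ...
sshd passes the command the client asked for in SSH_ORIGINAL_COMMAND; only the
exact rsync --server invocation captured with ssh -v is allowed to run.
"""
import os
import shlex
import subprocess
import sys
import syslog

# The server-side command seen in the ssh -v output, in argv form.  It must be
# exactly what the client sends; rsync options change this string.
ALLOWED = ['rsync', '--server', '-vre.iLsfxCIvu', '--remove-source-files', '.', 'dest_dir/']


def check_rsync_command(original_command):
    """True only if the requested command is exactly the allowed rsync --server argv."""
    try:
        argv = shlex.split(original_command)
    except ValueError:          # unbalanced quotes etc.
        return False
    return argv == ALLOWED


def main():
    requested = os.environ.get('SSH_ORIGINAL_COMMAND', '')
    client = os.environ.get('SSH_CLIENT', 'unknown').split()[0]
    if not check_rsync_command(requested):
        # Log the refusal so an unexpected use of the key is visible in syslog.
        syslog.syslog(syslog.LOG_WARNING, f'rsync_only: refused {requested!r} from {client}')
        sys.stderr.write('command not permitted\n')
        sys.exit(1)
    # Run the vetted argv directly; no shell is involved.
    sys.exit(subprocess.call(ALLOWED))


if __name__ == '__main__':
    main()
```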

Thursday, October 14, 2021

Motion + Telegram

Quick and dirty Motion + Telegram setup.

Camera config

on_movie_end /home/djhedges/send_telegram.py %f


BotFather

Send /newbot to @BotFather to generate the bot API key.

Create chat group with new bot.

Send a getUpdates request by modifying the script below to find the chat id.

Telegram Script

#!/usr/bin/python3
# Called by Motion via on_movie_end with the finished movie path as %f.
import os
import requests
import subprocess
import sys

API_KEY = ''   # bot token from @BotFather
CHAT_ID = ''   # chat id found via getUpdates


def GenerateThumbnail(filepath):
    # Grab the first frame as a JPEG next to the movie (foo.mp4 -> foo.jpg).
    output_path = os.path.splitext(filepath)[0] + '.jpg'
    # -y overwrites an existing thumbnail instead of prompting (Motion has no tty).
    ff_mpeg_cmd = ['ffmpeg', '-y', '-i', filepath, '-ss', '00:00:00.000', '-vframes', '1', output_path]
    subprocess.call(ff_mpeg_cmd)
    return output_path


def PostRequest(method, data, files):
    url = f'https://api.telegram.org/bot{API_KEY}/{method}'
    return requests.post(url=url, data=data, files=files, timeout=1000)


def SendVideo(filepath):
    thumbnail_path = GenerateThumbnail(filepath)
    with open(thumbnail_path, 'rb') as thumbnail_file, open(filepath, 'rb') as video_file:
        # sendVideo takes the message text in 'caption'; the thumbnail field was
        # named 'thumb' in the Bot API version current when this was written.
        response = PostRequest(
            'sendVideo',
            {'caption': 'test', 'chat_id': CHAT_ID},
            {'thumb': (os.path.basename(thumbnail_path), thumbnail_file),
             'video': (os.path.basename(filepath), video_file)})
    response.raise_for_status()


def main():
    filepath = sys.argv[1]
    if filepath.endswith('.mp4'):
        SendVideo(filepath)


if __name__ == '__main__':
    main()
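For the getUpdates step above, here is an added helper (not part of the post) that lists every chat id the bot has seen, so the group's id can be copied into CHAT_ID. It assumes the bot was already added to the group and at least one message was sent there; SAMPLE_UPDATES is a constructed response for illustration, and fetch_chats needs the real token and network access.

```python
#!/usr/bin/python3
"""List the chat ids a Telegram bot has seen (added example, not from the post)."""
import json

API_KEY = ''  # same bot token as in send_telegram.py

# Constructed getUpdates response; real ids differ.  Group/supergroup ids are
# negative, private chats positive.
SAMPLE_UPDATES = json.loads("""
{"ok": true, "result": [
  {"update_id": 100000001,
   "message": {"message_id": 1, "date": 1634200000,
               "chat": {"id": -100123456789, "type": "supergroup", "title": "Motion alerts"},
               "text": "/start"}},
  {"update_id": 100000002,
   "my_chat_member": {"chat": {"id": 123456, "type": "private", "first_name": "dj"},
                      "date": 1634200001}}
]}
""")


def extract_chats(updates):
    """Return {chat_id: description} for every chat in a getUpdates response.

    Every update kind that carries a 'chat' object is inspected, not only
    'message', so a group the bot was just added to (my_chat_member) shows up.
    """
    chats = {}
    for update in updates.get('result', []):
        for body in update.values():
            if isinstance(body, dict) and 'chat' in body:
                chat = body['chat']
                name = chat.get('title') or chat.get('first_name') or chat.get('username', '')
                chats[chat['id']] = f"{chat['type']}: {name}"
    return chats


def fetch_chats(api_key):
    """Call getUpdates for the bot and return its chats (needs network access)."""
    import requests  # imported here so the parser above works without it
    url = f'https://api.telegram.org/bot{api_key}/getUpdates'
    response = requests.get(url, timeout=30)
    response.raise_for_status()
    return extract_chats(response.json())


if __name__ == '__main__':
    for chat_id, desc in fetch_chats(API_KEY).items():
        print(chat_id, desc)
```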


Wednesday, July 31, 2019

PS4 Tunneling

While setting up a couple of PS4s at work on a guest WiFi network we ran into issues getting them to play well with each other online. The PlayStation would complain about the NAT type being 3 (restrictive). We could join a lobby that another player had hosted but not host one of our own, and if we were both in the same lobby we could not see each other's cars.

The first solution I came up with involved tunneling the traffic through a Raspberry Pi and a GCE instance using WireGuard, iptables and dnsmasq:
PS4 --> Switch --> Pi --> WiFi --> GCE --> Internet

For my personal record, a few snippets of the configs. On the GCE instance:
root@wireguard:~# cat /etc/rc.local
#! /bin/sh -e
ip link add dev wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set up dev wg0
ip address add dev wg0 172.16.0.1/24
# Route packets back
ip route add 192.168.3.0/24 dev wg0
exit 0 
root@wireguard:~# cat /etc/wireguard/wg0.conf
[Interface]
ListenPort = *****
PrivateKey = *****
[Peer]
PublicKey = *****
AllowedIPs = 0.0.0.0/0
Endpoint = ***** 
root@wireguard:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Wed Jul 31 01:22:23 2019
*filter
:INPUT ACCEPT [67:11564]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45:5251]
-A FORWARD -i eth0 -p udp -m udp --dport 3478:3480 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 3478:3480 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 1935 -j ACCEPT
-A FORWARD -i eth0 -o wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Jul 31 01:22:23 2019
# Generated by iptables-save v1.6.0 on Wed Jul 31 01:22:23 2019
*nat
:PREROUTING ACCEPT [2:160]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:240]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 3478:3480 -j DNAT --to-destination 192.168.3.4
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3478:3480 -j DNAT --to-destination 192.168.3.4
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1935 -j DNAT --to-destination 192.168.3.4
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 31 01:22:23 2019

And on the Pi. Note the MTU was dropped to 1432 in the DHCP config.
pi@raspberrypi:~ $ cat /etc/rc.local
#!/bin/sh -e
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
# Wireguard interface
ip link add dev wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set up dev wg0
ip address add dev wg0 172.16.0.3/24
# Default route magic
wg set wg0 fwmark 1234
ip route add default dev wg0 table 2468
ip rule add not fwmark 1234 table 2468
ip rule add table main suppress_prefixlength 0
exit 0
root@raspberrypi:~# cat /etc/wireguard/wg0.conf
[Interface]
ListenPort = ****
PrivateKey = *****
[Peer]
PublicKey = ****
AllowedIPs = 0.0.0.0/0
Endpoint = **** 
root@raspberrypi:~# grep -e '^#' -v /etc/dhcpcd.conf
....
interface eth0
static ip_address=192.168.3.3/24
root@raspberrypi:~# grep -e '^#' -e '^$' -v /etc/dnsmasq.conf | tr -s \n
interface=eth0
dhcp-range=192.168.3.50,192.168.3.150,12h
dhcp-host=,2c:cc:44:6a:ae:32,192.168.3.4,12h
dhcp-option-force=26,1432
dhcp-mac=set:client_is_a_pi,B8:27:EB:*:*:*
dhcp-reply-delay=tag:client_is_a_pi,2

The max MTU size was discovered by sending pings with increasing sizes until they no longer got through.
# ping google.com -c 1 -s 1432
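As an added example (not from the post), a Python probe that automates the MTU search above as a binary search with the don't-fragment bit set, so the network cannot silently fragment the probe and mask the real limit; it works for any link, not only this WireGuard one. It assumes Linux iputils ping flags (-M do, -W) and that the result goes into dhcp-option-force=26; the probe function is injectable so a link can be simulated.

```python
#!/usr/bin/python3
"""Path-MTU probe for the tunnel above (added example, not from the post).

An IPv4 ICMP echo of payload N bytes is an N + 28 byte packet (20 IP + 8 ICMP),
so the interface MTU to hand out over DHCP is the largest working -s size + 28.
"""
import subprocess

IP_ICMP_OVERHEAD = 28


def ping_probe(host, payload, timeout=2):
    """Send one don't-fragment ping of `payload` bytes; True if it was answered.

    Uses Linux iputils flags (-M do sets DF); other platforms differ.
    """
    cmd = ['ping', '-c', '1', '-W', str(timeout), '-M', 'do', '-s', str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(probe, low=548, high=1472):
    """Largest payload in [low, high] that `probe` accepts, plus IP/ICMP headers.

    `probe` is any callable taking a payload size and returning True on success.
    Returns None if even `low` fails (link down, ICMP filtered, ...).
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid
        else:
            high = mid - 1
    return low + IP_ICMP_OVERHEAD


if __name__ == '__main__':
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else 'google.com'
    print('usable MTU:', find_path_mtu(lambda size: ping_probe(host, size)))
```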

Useful tcpdump commands:
  tcpdump -i eth0 -v port 53
  tcpdump -i wg0 host 192.168.3.129
  tcpdump host 192.168.3.129 port 53
  tcpdump -i eth0
  tcpdump -i eth0 port 53
  tcpdump -i eth0 port 53 -v
  tcpdump -i eth0 portrange 3478-3480 or port 1935 -n
  tcpdump -i eth0,wg0 portrange 3478-3480 or port 1935 -n
  tcpdump -i eth0 -i wg0 portrange 3478-3480 or port 1935 -n
We noticed once the PlayStations were connected that most of the link-light traffic on the switch was between the PS4s and not to the Pi. The latest theory is that UPnP is being used to discover each other and connect locally instead of through the internet. Had this not been the case I was planning on adding a NAT rule on the Pi for the PS4 hosting the lobby. Since the traffic is local, maybe we can get away without the tunnel and have the Pi NAT the guest WiFi. I cringed as I typed that.

Tuesday, January 3, 2017

USB Ubuntu Install

Installing Ubuntu to a USB drive without a separate drive or CD, by booting the ISO in QEMU with the USB drive passed through as the install target:
sudo qemu-system-x86_64 -boot d -cdrom ubuntu-16.04.1-desktop-amd64.iso -m 4096 -usb -usbdevice disk:/dev/sdb

Tuesday, October 6, 2015

Quick & Dirty PXE Boot
sudo apt-get install tftpd-hpa
$ cat /etc/default/tftpd-hpa
# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="[::]:69"
TFTP_OPTIONS="--secure"

sudo -i
cd /var/lib/tftpboot
wget http://archive.ubuntu.com/ubuntu/dists/trusty-updates/main/installer-amd64/current/images/netboot/netboot.tar.gz
tar xvzf netboot.tar.gz

Tuesday, January 28, 2014

Notes on HP 1020 printer setup with Google Cloud print.

Notes on HP 1020 printer setup with Google Cloud Print. This is a very scattered post and a long-standing TODO item.

Installed the printer with this guide.
http://tkjacobsen.wordpress.com/2008/12/15/hp-laserjet-1020-on-fedora-10/

https://support.google.com/a/answer/2906017?hl=en
python generate_cloudprint_config.py

Confused a bit by the instructions, I added a symlink called "Service State" that points to the config.
ls /etc/google-cloud-print/ -l
total 4
-rw-r--r-- 1 root root 736 Jan 25 19:22 dj-server.conf
lrwxrwxrwx 1 root root  14 Jan 25 19:24 Service State -> dj-server.conf

I've been abusing /etc/rc.d/rc.local for a lot of my startup scripts. This server setup has been more of a get-it-working kind of approach. Note the --user-data-dir flag references the directory I created with the config, not the exact config file.
vi /etc/rc.d/rc.local
su - djhedges -c '/usr/bin/screen -dmt cloud-print -S cloud-print /opt/google/chrome/chrome --type=service --enable-cloud-print-proxy --no-service-autorun --noerrdialogs --user-data-dir=/etc/google-cloud-print/  --enable-logging=stderr --v=1 --enable-logging --v=1'

From there I can share the printer from some sort of printer setting I found linked with my Google account.

Saturday, June 9, 2012

Cisco WPA

The wireless on my router quit working for a while. I think it was power cycled and something from the config wasn't written to flash. I spent hours trying to reconfigure it; how hard could setting up WPA be? The examples I found online showed the following, and even my old configs had something similar.

interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid dj-ap
    vlan 2
    max-associations 1
    authentication open mac-address 00:00:00:00:00:00
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 password_hash

This, for some reason, was the missing piece. If I recall correctly, as soon as I added the world-mode line everything started working. It goes under the Dot11 interface, but I always overlooked it because of the indentation of the ssid block above.

 world-mode dot11d country US both
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root

The wireless is now a separate network on its own SSID instead of being bridged with the ethernet ports like I used to do. I plan to add a guest SSID and prevent its traffic from talking to my network.

interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly