zngguvnf's Blog

OPNsense: Access AppleTV from different VLAN

<2022-12-16>

I recently bought a new AppleTV, which I tried to integrate with HomeAssistant today.

Since the AppleTV is on a different VLAN than my HomeAssistant, I created an appropriate firewall rule, but HomeAssistant still could not find the AppleTV.

After a long search I found out that I also need to enable mDNS and create an additional firewall rule.

So all in all I did the following to make it work:

  1. Install and configure Multicast DNS Proxy
  2. Create first firewall rule:
    • Action: Pass
    • Interface: DMZ
    • Direction: in
    • TCP/IP Version: IPv4+IPv6
    • Protocol: any
    • Source: HomeAssistant (this is an alias for my HomeAssistant IP)
    • Destination: AppleTV (alias)
    • Description: Allow HomeAssistant access to AppleTV
  3. Create second firewall rule:
    • Action: Pass
    • Interface: DMZ
    • Direction: in
    • TCP/IP Version: IPv4
    • Protocol: any
    • Source: HomeAssistant (alias)
    • Destination: Single host or Network: 224.0.0.251/32
    • Description: Allow HomeAssistant access to Bonjour (for AppleTV)
  4. Restart HomeAssistant.

Backup private keys

<2021-05-26>

A few days ago, a good friend asked me: "How do you restore your encrypted offsite backup when you've lost all your other machines?"

If all my devices are down at the same time, I might actually have a problem, as I would need at least a PGP key to decrypt my password manager.

So after some research I decided to copy my private ssh and gpg keys to an encrypted VeraCrypt volume. This is basically a small encrypted folder (~10MB) you can lend to some of your friends.

Create encrypted volume

# Create a new volume through a text user interface
veracrypt --text --create

# Volume type
1  # normal, default

# Enter volume path:
/private/unencrypted/nextcloud/keys

# Enter volume size:
10M  #  du -sh ~/.gnupg/ ~/.ssh/ # will give you a good idea

# Encryption Algorithm:
1  # For AES, default

# Hash algorithm:
1  # For SHA-512, default

# Filesystem
2  # For FAT, default

# Enter passphrase
MAGA2020!:D

# Enter PIM
# For more information: https://documentation.help/VeraCrypt/Personal%20Iterations%20Multiplier%20(PIM).html
# I leave this empty because I think my passphrase is strong enough

# Enter keyfile
none # default

Decrypt volume and mount it

mkdir /tmp/keys
veracrypt --text /private/unencrypted/nextcloud/keys /tmp/keys

Copy keys

scp -rp ~/.ssh/ /tmp/keys/
scp -rp ~/.gnupg /tmp/keys/
# ...
touch /tmp/keys/FILES_ARE_HIDDEN  # just a hint for the future 

Dismount volume

veracrypt --text --dismount /tmp/keys/
# make sure you are not in /tmp/keys, otherwise you will see:
# Error: umount: /tmp/keys: target is busy.
# rmdir only removes an empty directory, so it fails safely if the volume is still mounted
rmdir /tmp/keys
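
Restoring from this volume has one catch: it was created with a FAT filesystem, which does not store Unix ownership or permissions, and ssh refuses private keys that group or others can read. The helper below is an added example, not part of the original post; the function name restore_keys and its two arguments (mount point and target home directory, both as absolute paths) are assumptions.

```shell
#!/bin/sh
# Added example: restore .ssh and .gnupg from the mounted volume, set
# owner-only permissions explicitly and verify each file against the backup.
# restore_keys is a hypothetical name; pass absolute paths for both arguments.

restore_keys() {
    vol=$1     # mount point of the decrypted volume, e.g. /tmp/keys
    home=$2    # home directory to restore into
    for d in .ssh .gnupg; do
        if [ ! -d "$vol/$d" ]; then
            echo "restore_keys: $vol/$d not found" >&2
            return 1
        fi
        mkdir -p "$home/$d" || return 1
        # "/." copies the directory contents, dotfiles included
        cp -R "$vol/$d/." "$home/$d/" || return 1
        # FAT carries no Unix modes, so set them here: owner-only everywhere
        find "$home/$d" -type d -exec chmod 700 {} + || return 1
        find "$home/$d" -type f -exec chmod 600 {} + || return 1
        # Every restored file must be byte-identical to its backup copy
        (
            cd "$vol/$d" || exit 1
            find . -type f | while IFS= read -r f; do
                cmp -s "$f" "$home/$d/$f" || {
                    echo "restore_keys: mismatch in $d/$f" >&2
                    exit 1
                }
            done
        ) || return 1
    done
}
```

Run it once against a scratch directory after creating the volume, so you know the backup can actually be restored before you hand it to anyone.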

Setup Headless RaspberryPi With SSH and WLAN

<2020-04-16>

From time to time I have to set up a Raspberry Pi including ssh and wlan. But it's always super annoying to connect keyboard and screen to set up ssh and wifi. And there are other ways:

  1. Use dd or etcher to flash your (raspbian) image to the Pi
  2. Enable SSH
    • Mount sd card on your Computer (not on your raspberry pi)
    • Create an empty file named ssh and store it on the sd card on /boot
  3. Enable Wifi

    • create /boot/wpa_supplicant.conf
    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    network={
        ssid="YOUR_SSID"
        psk="YOUR_WIFI_PASSWORD"
        key_mgmt=WPA-PSK
    }
    
    • Pi will get an IP address from your DHCP server
    • unmount
  4. Start Raspberry Pi
    • put in sd card
    • power on
  5. Get IP address

    On your computer:

    nmap -sP 192.168.XXX.1/24  # replace XXX
    
    • most likely the hostname you are looking for is raspberrypi ;)
  6. Connect to Raspberry Pi:

    ssh pi@IpFromPrevCommand
    # pw: raspberry
    
  7. Configure system

    sudo raspi-config
    # Change default password!
    # Update System
    # Change settings
    

HomeAssistant: How I backup and restore my data!

<2019-12-17>

Update [2021-01-24 Sun]

Assuming you're using hass.io on a raspberry pi:

Backup

There are multiple options for backing up your HomeAssistant data:

1. Built-in option

  • Log in to WebUI -> in the sidebar go to Hass.io -> snapshots
  • Here you can create a new snapshot
  • after clicking the reload button (upper right corner) you can download your snapshot

2. An automation to create snapshots on a regular basis

  • Put the following in your automations.yaml
- alias: Create hourly backup
  trigger:
    - platform: time_pattern
      minutes: '/60'
  action:
    - service: notify.mobile_app_iphone_your_name
      data:
        message: Hourly Backup 💾 is created!
        title: Backup
    - service: hassio.snapshot_full
      data_template:
        name: >
          Backup_{{ now().strftime('%d-%m-%YT%H-%M-%S') }}

3. Automatic offsite backups

  • Create new backup user on your server
  • Add the user to the allowed group of ssh users in /etc/ssh/sshd_config
  • sudo systemctl restart sshd
  • Create new ssh key for hass.io
  • Add new ssh pub key to ~/authorized_keys
  • Add this repo to your plugins https://github.com/carstenschroeder/hassio-addons

Addon config:

{
  "ssh_enabled": true,
  "ssh_host": "192.168.178.27",
  "ssh_port": 22,
  "ssh_user": "ms-backup",
  "ssh_key": [
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "... the remaining lines printed by: cat ~/.ssh/hassio-key (one string per line) ...",
    "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ",
    "-----END OPENSSH PRIVATE KEY-----"
  ],
  "remote_directory": "/hpdata/homes/ms-backup/backup_hassio",
  "zip_password": "",
  "keep_local_backup": "48",
  "rsync_enabled": false,
  "rsync_host": "",
  "rsync_rootfolder": "hassio-sync",
  "rsync_user": "",
  "rsync_password": ""
}
  • Add your new private key to the configuration above
  • create a new automation in automations.yaml
- alias: Offside backup
  trigger:
    platform: time_pattern
    minutes: '/60'
  action:
  - service: notify.mobile_app_iphone_your_name
    data:
      message: Offside backup 💾 is created!
      title: Backup
  - service: hassio.addon_start
    data:
      addon: 36883ed7_remote_backup
      #      ^- to get the proper ID go to hass.io -> Addons -> Remote Backup
      #         I couldn't figure out where this ID comes from
  • This will trigger the remote backup addon. After the backup is done, the state of remote backup goes back to stopped until it is triggered the next time. While testing, this did not work for very short intervals (< 3 minutes). For longer intervals it works as expected.

Restore

No matter how you created the backup, proceed as follows to restore it:

  • Install latest hass.io to sd card.
  • Boot raspberry pi
  • It will take up to 20 minutes to initialize hass.io
  • Create a tmp account
  • power off
  • copy backup to sd card (/hassos-data/supervisor/backup)
  • Restart raspberry pi
  • In the sidebar go to Hass.io -> Snapshots, choose your snapshot -> wipe and restore, You're done!

I had some problems with a corrupt database. (HomeAssistant could not add any more new data. I think there was something like "(sqlite3.DatabaseError) database disk image is malformed" in the logs.)

To fix/repair your database:

Copy your (corrupt) database (home-assistant_v2.db) to your local linux system

sqlite3 home-assistant_v2.db ".dump" | sqlite3 home-assistant_v2.db_fixed

Now replace your old (corrupt) database with home-assistant_v2.db_fixed: delete the corrupt one and rename home-assistant_v2.db_fixed to home-assistant_v2.db. Then power on your Raspberry Pi and everything should be fine again.

Remote jupyter notebook

<2018-08-04>

1.) Access the remote server via ssh

2.) Start jupyter server on the remote machine

jupyter notebook --no-browser --port=8889

3.) Forward port 8889 from your remote machine to port 8888 of your local machine

ssh -N -f -L localhost:8888:localhost:8889 remote_user@remote_host

4.) Access the remote notebook from your local browser visiting localhost:8888

I find this very useful, especially when working with plots and audio.
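
The tunnel keeps the notebook private only while both listeners stay on loopback: Jupyter on the remote host (its default) and the ssh forward on the local host (the leading localhost: in the -L argument). The check below is an added example, not part of the original post; the function names and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Added example: print the bind address of every listener on a given TCP
# port that is NOT loopback-only. exposed_listeners and sample_ss_output
# are hypothetical names; the sample lines are constructed.
# Usage on either machine:  ss -ltn | exposed_listeners 8889

exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                  # the "Local Address:Port" column
            p = addr
            sub(/.*:/, "", p)          # keep the text after the last colon
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            sub(/%.*/, "", host)       # drop an interface suffix such as %lo
            if (host ~ /^127\./ || host == "[::1]") next
            print host                 # e.g. 0.0.0.0, [::], * or a LAN address
        }'
}

# Constructed `ss -ltn` output: the forward on 8888 is loopback-only, while
# 8889 is shown the way a notebook started with --ip=0.0.0.0 would appear.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:8888      0.0.0.0:*
LISTEN 0      128            [::1]:8888         [::]:*
LISTEN 0      128          0.0.0.0:8889      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}
```

Empty output means the port is reachable only from the machine itself; any printed address means other hosts on the network can connect without going through ssh.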

Comments

If you have comments, questions or opinions please drop me a line at 2018-08-04–remote-jupyter-notebook AT zngguvnf dot org. Please tell me whether it's ok to publish your comment here or not.

Matplotlib on a remote machine

<2018-07-21>

Make sure X forwarding is enabled on your remote machine

cat /etc/ssh/sshd_config | grep X11Forwarding

If the result is not "X11Forwarding yes", adjust the file.

Access remote machine with X forwarding from your local machine.

ssh -X user@remote-host

On the remote machine: Activate X-compatible backend

import matplotlib
matplotlib.use('tkagg')

On the remote machine: Plot as normal

import matplotlib.pyplot as plt
plt.plot([1,2,3])
plt.show()

See plot on your local machine.
