25 มีนาคม 2567

Pi-hole Mikrotik container

# Pi-hole as a RouterOS container: a "Docker" bridge at 10.0.0.1/24, one veth
# for Pi-hole at 10.0.0.12, masquerade for the container subnet, and Pi-hole
# state kept in two host-side mounts so it survives re-creating the container.
# NOTE(review): a device-mode change presumably has to be confirmed out of band
# (see the RouterOS device-mode docs) before /container becomes usable.
/system/device-mode/update container=yes

# Pull images from Docker Hub over HTTPS.
/container config
set registry-url=https://registry-1.docker.io

/interface bridge
add name=Docker

/ip address
add address=10.0.0.1/24 interface=Docker

# Masquerade everything leaving 10.0.0.0/24 (image pull, upstream DNS). No
# out-interface is given, so the rule applies on every egress interface.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 action=masquerade

/interface veth
add address=10.0.0.12/24 gateway=10.0.0.1 name=veth-pihole

/interface bridge port
add bridge=Docker interface=veth-pihole

# Environment for the container. WEBPASSWORD is the Pi-hole web UI password
# and is stored in clear text in the router config and in every export;
# "mypassword" is a placeholder — set a strong value and keep exports private.
# DNSMASQ_USER=root runs dnsmasq as root inside the container; confirm it is
# actually needed here before keeping it.
/container envs
add key=TZ name=pihole_envs value=Asia/Bangkok
add key=WEBPASSWORD name=pihole_envs value=mypassword
add key=DNSMASQ_USER name=pihole_envs value=root

# Persistent storage on the router for Pi-hole config and dnsmasq drop-ins.
/container mounts
add dst=/etc/pihole name=pihole-etc src=/pihole/etc-pihole
add dst=/etc/dnsmasq.d name=pihole-dnsmasq src=/pihole/etc-dnsmasq.d

# remote-image uses the floating "latest" tag, so every pull may bring a
# different image; pin a specific version tag (or digest) so updates are
# deliberate and reviewable. start-on-boot brings it up with the router;
# logging=yes enables the container's log output.
/container
add interface=veth-pihole remote-image=pihole/pihole:latest envlist=pihole_envs mounts=pihole-etc,pihole-dnsmasq start-on-boot=yes logging=yes

22 มีนาคม 2567

cloudflare docker


container_name: tomcat9-jdk8
network name: tomcat9-jdk8_default
map ports: 8980:8080

Quick Tunnels

# Quick Tunnel (no Cloudflare account): cloudflared prints a temporary public
# URL that forwards to the --url target. There is no access policy in front of
# a quick tunnel, so whatever that target serves is reachable from the
# internet while the container runs; stop it when done.

# Host network: target the port the tomcat container publishes on localhost.
docker run --rm \
  --network=host \
  --name=cloudflared \
  cloudflare/cloudflared:latest \
  tunnel --url http://127.0.0.1:8980

# Container network: join the compose network and target the container by name.
docker run --rm \
  --network=tomcat9-jdk8_default \
  --name=cloudflared \
  cloudflare/cloudflared:latest \
  tunnel --url http://tomcat9-jdk8:8080


with cloudflare account


# host network
public hostname url http://127.0.0.1:8980
 
# Named tunnel on the host network; the public hostname's service URL
# (http://127.0.0.1:8980) is configured on the Cloudflare side.
# The tunnel token is a credential. Given as --token it sits on the docker
# argv: shell history, `ps` while the CLI runs, and `docker inspect` of the
# container all show it. cloudflared also reads TUNNEL_TOKEN from the
# environment, so `--env-file` with a root-only file keeps it off the line.
docker run --detach --rm \
  --network=host \
  --name=cloudflared \
  cloudflare/cloudflared:latest \
  tunnel --no-autoupdate run --token XXXX


# container network
public hostname url http://tomcat9-jdk8:8080

# Named tunnel joined to the compose network; the public hostname's service
# URL (http://tomcat9-jdk8:8080) is configured on the Cloudflare side.
# Same caveat as the host-network form: --token puts the credential on the
# docker argv (history, `ps`, `docker inspect`); cloudflared also accepts
# TUNNEL_TOKEN from the environment, e.g. via `--env-file`.
docker run --detach --rm \
  --network=tomcat9-jdk8_default \
  --name=cloudflared \
  cloudflare/cloudflared:latest \
  tunnel --no-autoupdate run --token XXXX

11 มีนาคม 2567

acme.sh with alias challenge and cloudflare api

issue domain : domain.tld
alias domain : alias-domain.tld

- set CNAME
_acme-challenge.domain.tld CNAME _acme-challenge.alias-domain.tld

- Cloudflare API token with permission to edit the DNS zone of alias-domain.tld


acme.sh command

Issue cert

# Cloudflare API token (DNS edit on the alias zone) that dns_cf reads from the
# environment. Typing it inline lands it in shell history, and acme.sh
# presumably saves it under --home for renewals, so treat that directory as
# secret material.
CF_Token="xxx"
export CF_Token

# Issue an ECDSA P-256 cert from Let's Encrypt; the DNS-01 challenge is
# answered on alias-domain.tld via the _acme-challenge CNAME.
acme.sh --issue \
  --server letsencrypt \
  -k ec-256 \
  --dns dns_cf \
  --challenge-alias alias-domain.tld \
  -d domain.tld \
  --home /home/user/docker/nginx/acme.sh


Install cert
# Copy key and full chain into the nginx cert directory and record the
# reload command; acme.sh presumably reuses these settings on each --cron
# renewal. The reload is non-interactive (no -it), which is what an
# unattended renewal needs.
acme.sh --install-cert \
  -d domain.tld \
  --key-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.key \
  --fullchain-file /home/user/docker/nginx/etc-nginx-certs/domain.tld.crt \
  --reloadcmd "docker exec nginx /etc/init.d/nginx reload" \
  --home /home/user/docker/nginx/acme.sh

# Renew whatever is due under this --home (meant for cron or a timer);
# renewed certs are presumably re-installed with the stored reloadcmd.
acme.sh --home /home/user/docker/nginx/acme.sh --cron

acme.sh docker

Issue cert
# Issue via the acme.sh container. Passing CF_Token with -e puts the secret
# on the docker argv (shell history, `ps` while the CLI runs, `docker
# inspect`); `--env-file` pointing at a root-only file keeps it off the line.
docker run --rm --interactive --tty \
  --env CF_Token="xxx" \
  --volume /home/user/docker/nginx/acme.sh:/acme.sh \
  neilpang/acme.sh \
  --issue --server letsencrypt -k ec-256 --dns dns_cf \
  --challenge-alias alias-domain.tld -d domain.tld

Install cert
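# Install the issued cert into the host's nginx cert directory through the
# acme.sh container, then restart nginx. The original mounted the host dir at
# /etc/nginx/cert but wrote the key/fullchain to /etc/nginx/certs/…, i.e. into
# the throwaway container filesystem (--rm) instead of the host; the mount
# target now matches the file paths and the mount used by the renew command.
docker run --rm -it \
  -v /home/user/docker/nginx/acme.sh:/acme.sh \
  -v /home/user/docker/nginx/etc-nginx-certs:/etc/nginx/certs \
  neilpang/acme.sh --install-cert -d domain.tld \
    --key-file /etc/nginx/certs/domain.tld.key \
    --fullchain-file /etc/nginx/certs/domain.tld.crt \
  && docker exec -it nginx /etc/init.d/nginx restart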

Renew cert
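# Scheduled renewal through the acme.sh container, then restart nginx so it
# picks up renewed files. Neither step needs a terminal, and `-it` makes both
# docker commands fail with "the input device is not a TTY" when run from
# cron, so it is dropped; the line still works when typed by hand.
# The `&&` only gates on acme.sh's exit status, so nginx is restarted on every
# run that exits 0, presumably including runs where nothing was due; `reload`
# (as used by the non-docker --reloadcmd) would be the gentler choice.
docker run --rm \
  -v /home/user/docker/nginx/acme.sh:/acme.sh \
  -v /home/user/docker/nginx/etc-nginx-certs:/etc/nginx/certs \
  neilpang/acme.sh --cron \
  && docker exec nginx /etc/init.d/nginx restart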

18 กุมภาพันธ์ 2567

Mikrotik persist route to wireguard server for dynamic wan

Persist a host route to the WireGuard server via the dynamic WAN gateway; needed when the default route is set through WireGuard
 
 
DHCP client script
 
# DHCP-client script: keep a /32 route to the WireGuard server via the
# DHCP-learned WAN gateway, so that once the default route goes through
# WireGuard the tunnel's own packets still leave by the real WAN (a /32 is
# more specific than any default route, whatever its distance).
# $bound is presumably 1 when a lease was obtained; $"gateway-address" is the
# lease's gateway. 1.2.3.4/32 is a placeholder for the server's public address.
# The old route is removed first (matched by comment) so lease renewals do not
# pile up duplicates; on lease loss the route is dropped entirely.
# NOTE(review): path commands are normally written `/ip route …`; confirm the
# `:ip route …` spelling is accepted on the RouterOS version in use.
:if ($bound=1) do={
    :ip route remove [/ip route find comment="route-wireguard-wan"]
    :ip route add distance=5 gateway=$"gateway-address" dst-address="1.2.3.4/32" scope=30  target-scope=10  comment="route-wireguard-wan"
} else={
    :ip route remove [/ip route find comment="route-wireguard-wan"]
}

14 กุมภาพันธ์ 2567

Change ubuntu source list to kku mirror

Change ubuntu source list to kku mirror


# Point the Thai Ubuntu mirror at KKU's mirror (single quotes: nothing to
# expand). Only the first match per line is replaced (no g flag), which is
# enough for one URL per line. apt keeps verifying Release signatures, so a
# mirror swap does not change package authenticity; run `apt update` after.
sed -i 's/th.archive.ubuntu.com/mirror.kku.ac.th/' /etc/apt/sources.list

or

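# Same mirror swap for a sources.list that uses the plain (or any country-
# prefixed) archive host. The original pattern `archive.ubuntu.com` also
# matched inside `th.archive.ubuntu.com` and left `th.mirror.kku.ac.th`, which
# is not a host; the optional two-letter `cc.` group now absorbs the prefix,
# and the dots are escaped so they match literally. Run `apt update` after.
sed -i -E 's/([a-z]{2}\.)?archive\.ubuntu\.com/mirror.kku.ac.th/' /etc/apt/sources.list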

20 พฤศจิกายน 2566

Mikrotik script to change the WireGuard listen port when the tunnel cannot connect

Based on RouterOS 7.12
wireguard name : wg1
port range : 13232 - 13239

/system script
# checkWireguard: if wg1 is running but a single ping to 10.10.10.1
# (presumably the tunnel peer) gets no reply, bounce the interface on a new
# listen port 1323X, X drawn from 2-9 (13232-13239), to obtain a fresh UDP
# source port past whatever stopped passing the old one; the change is logged.
# policy= also grants ftp,reboot,password,sniff,sensitive,romon, but the body
# only reads/sets one wireguard interface, pings and logs; confirm whether
# read,write,test (plus policy if the scheduler requires it) is enough and trim.
# A single lost ping (count=1) is enough to rotate the port, so a transient
# drop causes a flap; consider requiring several consecutive failures.
# NOTE(review): newPort is declared with :local twice — presumably accepted,
# but reassigning with :set would be clearer.
add dont-require-permissions=no name=checkWireguard owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local wgName wg1;\r\
    \n:local newPort [:rndstr length=1 from=\"23456789\"];\r\
    \n:local newPort (\"1323\".\$newPort);\r\
    \n\r\
    \n:if ([/interface wireguard get [find name=\$wgName] running] = true) do={\r\
    \n\r\
    \n  :local pingResult [/ping count=1 10.10.10.1];\r\
    \n\r\
    \n  :if (\$pingResult = 0) do={\r\
    \n\r\
    \n    :log warning \"\$wgName connection lost. Changing listen port...\";\r\
    \n\r\
    \n    /interface wireguard set [find name=\$wgName] disabled=yes\r\
    \n    /interface wireguard set [find name=\$wgName] listen-port=\$newPort;\r\
    \n    /interface wireguard set [find name=\$wgName] disabled=no\r\
    \n\r\
    \n    :local currentPort [/interface wireguard get [find name=\$wgName] listen-port];\r\
    \n    :log warning \"WireGuard \$wgName listen port changed to \$currentPort\";\r\
    \n\r\
    \n  }\r\
    \n  \r\
    \n}"



/system scheduler
# Run checkWireguard once a minute from boot. Together with the script's
# single-ping test this means one lost packet per minute can rotate the port;
# lengthen the interval or add a failure counter if the link flaps.
add interval=1m name=checkWireguard on-event=checkWireguard start-time=startup

08 พฤศจิกายน 2566

bind9 DNSSEC key with utimaco HSM

- ubuntu 20.04
- libssl 1.1.1f

---
# Build prerequisites for libp11 (OpenSSL PKCS#11 engine) against the distro
# libssl 1.1.1. PKG_CONFIG_PATH is exported presumably so ./configure can find
# libcrypto.pc (and from it the engines directory it installs into).
apt install -y build-essential
apt install -y libssl-dev pkg-config
PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig/
export PKG_CONFIG_PATH

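# Fetch and build libp11 0.4.12 from the upstream GitHub release.
# No integrity check is done on the tarball: compare it with the checksum or
# signature published for the release before building, e.g.
# `sha256sum libp11-0.4.12.tar.gz` against <EXPECTED_SHA256_FROM_RELEASE_PAGE>.
# The steps are chained so a failed download, extract, cd or configure cannot
# go on to `make install` from the wrong directory or a half-configured tree
# (the original ran each step unconditionally). --prefix= is the documented
# spelling of the positional prefix= the original used.
wget https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz \
  && tar -xzf libp11-0.4.12.tar.gz \
  && cd libp11-0.4.12/ \
  && ./configure --prefix="/usr/local/libp11/" \
  && make \
  && make install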
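# Make the freshly built libp11 shared library findable at run time. The old
# value is appended only when it is set: the original `:$LD_LIBRARY_PATH` with
# the variable unset left a trailing ':', an empty entry that the dynamic
# loader treats as the current directory, so any .so dropped into the cwd
# could be picked up by programs started from there.
export LD_LIBRARY_PATH="/usr/local/libp11/lib/${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"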

# Stage the Utimaco CryptoServer client: admin tool (csadm), PKCS#11 tool
# (p11tool2), the PKCS#11 module and its config. Sources are relative paths.
# NOTE(review): the earlier `cd libp11-0.4.12/` leaves the cwd in the libp11
# source tree, so this presumably runs from wherever the Utimaco files were
# unpacked — confirm the cwd before pasting.
# NOTE(review): ADMIN.key authenticates as the HSM administrator (it is the
# file passed as Login=ADMIN,… to p11tool2) and is copied with whatever mode
# it had; nothing here restricts it, so confirm it ends up readable by root
# only.
mkdir -p /opt/utimaco/bin /opt/utimaco/lib
mkdir /etc/utimaco
cp -- csadm p11tool2 /opt/utimaco/bin/
chmod +x /opt/utimaco/bin/*
cp -- ADMIN.key /opt/utimaco/bin/
cp -- libcs_pkcs11_R3.so /opt/utimaco/lib/
cp -- cs_pkcs11_R3.cfg /etc/utimaco/

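# OpenSSL 1.1 config that loads the libp11 "pkcs11" engine and points it at
# the Utimaco PKCS#11 module; the later `-E pkcs11` bind commands rely on
# OpenSSL picking this up. The line that opens the here-doc was missing here
# (the bare `EOF` would have been run as a command), so it is restored with a
# placeholder target: use the openssl.cnf this OpenSSL actually loads, or the
# file OPENSSL_CONF is pointed at. Quoted delimiter: the body is written
# literally, nothing is expanded.
cat << 'EOF' > /PATH/TO/openssl.cnf   # PLACEHOLDER: the OpenSSL config to edit
openssl_conf = openssl_init

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /opt/utimaco/lib/libcs_pkcs11_R3.so
init = 0
EOF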

# Take systemd-resolved out of the picture (presumably so the bind9 installed
# next can own port 53) and drop the resolved-managed /etc/resolv.conf; a
# static one is written right after.
systemctl disable --now systemd-resolved.service
rm -- /etc/resolv.conf

# Static resolver for this host; 192.168.1.1 is the upstream resolver used.
printf 'nameserver %s\n' 192.168.1.1 > /etc/resolv.conf

# Install bind9 from ISC's PPA. A PPA is a third-party package source whose
# signing key add-apt-repository adds to apt's trust; keep that in mind when
# auditing what this host trusts.
add-apt-repository ppa:isc/bind
apt update
apt install -y bind9

# One-time token setup in slot 0, labelled bind-hsm: authenticate as the HSM
# admin with the ADMIN.key file, initialise the token, then set the user PIN
# as security officer. The =ask values presumably prompt interactively, which
# keeps the SO and user PINs out of shell history and `ps` — keep it that way
# rather than inlining them.
/opt/utimaco/bin/p11tool2 \
  slot=0 Label=bind-hsm Login=ADMIN,/opt/utimaco/bin/ADMIN.key InitToken=ask
/opt/utimaco/bin/p11tool2 \
  slot=0 LoginSO=ask InitPin=ask

# Generate the KSK and ZSK as RSA key pairs on the token, labelled "ksk" and
# "zsk" (the labels dnssec-keyfromlabel references via object=…). No key
# length is given, so the tool's default applies — confirm it is the size you
# want for RSASHA256. Also confirm the private halves are non-extractable
# (CKA_EXTRACTABLE) so they never leave the HSM. Finally list the objects.
for label in ksk zsk; do
  /opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask \
    PubKeyAttr=CKA_LABEL="$label" PrvKeyAttr=CKA_LABEL="$label" GenerateKeyPair=RSA
done
/opt/utimaco/bin/p11tool2 slot=0 LoginUser=ask ListObjects

# Create bind key files that reference the HSM-resident keys by PKCS#11 URI
# (token label + object label), so no private key material lands on disk,
# then sign the zone with smart signing (-S) using those key files from the
# default key directory.
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -f KSK \
  -l "pkcs11:token=bind-hsm;object=ksk" example.net
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 \
  -l "pkcs11:token=bind-hsm;object=zsk" example.net
dnssec-signzone -E pkcs11 -S -o example.net db.example.net