Kodiak Firesmith kfiresmith

@kfiresmith
kfiresmith / ansgroups.sh
Created July 10, 2025 17:43
A helper script for Ansible inventory to quickly return a list of group memberships for any given host in inventory. Uses first string match found in inventory, so you can be lazy and enter 'webs' instead of 'webserver01.college.edu'
#!/bin/bash
#
# Purpose:
# Quickly determine which Ansible inventory groups a host belongs to.
# Accepts a partial hostname match (e.g., "webse" instead of "webserver.college.edu") and resolves it to
# the first full hostname found in the inventory.
# Parses the output of `ansible-inventory --graph` to efficiently return
# group membership, including nested groups, with sub-second runtime.
#
# Usage:
@kfiresmith
kfiresmith / vimrc
Created April 30, 2025 15:18
vimrc
" tabstop: Width of tab character
" softtabstop: Fine tunes the amount of white space to be added
" shiftwidth: Determines the amount of whitespace to add in normal mode
" expandtab: When on uses space instead of tabs
set tabstop =2
set softtabstop =2
set shiftwidth =2
set expandtab
set autoindent
set smartindent
#!/bin/bash
# Does the equivalent of sysprep for linux boxes to prepare them for cloning.
# Based on https://lonesysadmin.net/2013/03/26/preparing-linux-template-vms/
AUTHOR='kfiresmith'
BASENAME="${0##*/}"
MODIFIED='20231020'
VERSION='0.1.1'
parse_args() {
@kfiresmith
kfiresmith / ssl-global.conf
Created September 4, 2024 11:30
Global Apache TLS hardening config
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# RC4 is excluded: RFC 7465 prohibits RC4 cipher suites in TLS
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLProxyProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly; SameSite=Lax"
</IfModule>
@kfiresmith
kfiresmith / demonstrate-pidfile-management.sh
Created August 30, 2024 19:53
Setting a PID file / lock file to prevent duplicate script runs (bash)
#!/bin/bash
# Obtain the name of the script dynamically so that we can re-use this code block on any script
SCRIPT_FULLNAME="${0##*/}"
# Trim off the file extension if one is present
SCRIPT_TRIMMEDNAME="${SCRIPT_FULLNAME%.*}"
# /run is superior to /tmp, but we can't write a lock file there if we aren't root.
# We want to maintain the option of using this code block in scripts not run by root,
@kfiresmith
kfiresmith / redirect-to-https.conf
Last active May 24, 2024 16:57
Example Apache2 config for redirection to HTTPS and A-rating on SSL Labs
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
@kfiresmith
kfiresmith / systemd-network-wait-online.service.md
Last active October 27, 2023 15:14
Cause and resolution of systemd-network-wait-online.service failure on boot.

Long startup times due to systemd-network-wait-online.service

Problem

TL;DR: Essentially because of some quirk with networkd, all interfaces get stuck in a '(configuring)' state forever unless you set an empty link-local address for at least the primary interface (but I set it for both).

Systemd-network-wait-online.service waits for at least one interface to be fully online, and won't consider an interface to be fully online if it's in '(configuring)' status when you run networkctl status some-iface.

Solution

Set link-local: [] on every interface:

@kfiresmith
kfiresmith / emit-sha512.py
Last active October 31, 2023 16:28
Emit a SHA512 shadow string for /etc/shadow
#!/usr/bin/python
import crypt
import getpass
import re
import sys
sys.dont_write_bytecode = True
while True:
    password1 = getpass.getpass(prompt='Enter a password string to hash in SHA-512: ')
@kfiresmith
kfiresmith / pypi-ufw-rules.sh
Last active November 30, 2021 14:09
A quick and dirty script to generate a large series of UFW rules based on IP ranges, formatted as Ansible variables for use with weareinteractive.ufw, also dumps out a set of bare UFW rules for manual application.
#!/bin/bash
#
# A simple script to generate Ansible role weareinteractive.ufw rules for Pypi.org CDN egress
# https://api.fastly.com/public-ip-list
#
# 2021-11-30 Kodiak Firesmith <[email protected]>
#
ruleset="23.235.32.0/20 43.249.72.0/22 103.244.50.0/24 103.245.222.0/23 103.245.224.0/24 104.156.80.0/20 140.248.64.0/18 140.248.128.0/17 146.75.0.0/17 151.101.0.0/16 157.52.64.0/18 167.82.0.0/17 167.82.128.0/20 167.82.160.0/20 167.82.224.0/20 172.111.64.0/18 185.31.16.0/22 199.27.72.0/21 199.232.0.0/16"
ports="80,443"
#!/usr/bin/python3
import pandas as pd
from matplotlib.pyplot import pie, axis, show
df = pd.read_csv('syntheticdata.csv')
# show the csv: print(df.head())
sums = df.groupby(df["category"])["capacity-tb"].sum()
axis('equal');
pie(sums, labels=sums.index, autopct='%.0f%%');
show()