OpenBSD Restart Failed Services
Nice little one-liner to restart all failed services on OpenBSD:
rcctl start $(rcctl ls failed | awk 'BEGIN{ORS=" "}{print}')
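A slightly longer version of the one-liner, added here as an example and not part of the original note: it starts each failed daemon on its own and reports the ones that still will not come up, so a daemon that fails because of a broken configuration is noticed rather than silently bounced along with the rest. It only relies on the two `rcctl` subcommands the one-liner already uses.

```shell
#!/bin/sh
# Added example: restart every enabled-but-not-running daemon one at a time
# and report the ones that still fail, instead of starting them all in one
# rcctl invocation where a single failure is easy to miss.
restart_failed() {
    failed=$(rcctl ls failed) || return 1   # enabled daemons that are not running
    [ -z "$failed" ] && return 0            # nothing to do
    still=""
    for svc in $failed; do
        if ! rcctl start "$svc" >/dev/null 2>&1; then
            still="$still $svc"
        fi
    done
    if [ -n "$still" ]; then
        echo "still not running:$still" >&2   # look these up in /var/log/daemon
        return 1
    fi
    return 0
}

# usage: restart-failed.sh run
if [ "${1:-}" = run ]; then
    restart_failed
fi
```

The exit status is non-zero whenever at least one daemon is still down, so the script can be used from cron or a post-boot check without parsing its output.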
So I decided to give the UniFi controller a shot at running on OpenBSD, and most importantly the plan was to run it alongside all the other daemons on the system so I don’t need a separate VM or machine just for the UniFi controller. Spoiler: while I was able to get the UniFi controller to run on my OpenBSD server, I stopped the daemon right away after having everything up and running. But why would I go through all the hassle just to not use it, you might ask? Well, if you are not interested in the intricacies of getting the controller up and running, just skip to the conclusion.
All commands are run as root unless otherwise specified.
The whole thing was greatly inspired by Renaud Allard’s piece.
It is also possible to use the net/unifi port, but as I didn’t want to pull in the whole ports(7) tree just for one port I decided to go down my own route.
Not only do you need to download the latest release of the UniFi Network Application (formerly known as Controller), you also need to install MongoDB and a Java runtime no newer than 17, which the Controller requires. For the controller we create a new user (make sure to use a UID and GID > 1000 to avoid clashes with system and ports users).
At first we create a user for the UniFi Controller to use.
useradd -g =uid -m -d /var/unifi -L daemon -c 'Unifi daemon' -s /sbin/nologin _unifi
Now you need to install and set up all the dependencies for running the Controller. Since you want authentication for basically everything in a mixed environment, you will also set up MongoDB to require authentication. This means the MongoDB users and databases have to be created before the UniFi controller is started for the first time. Java itself doesn’t need any special configuration.
You will start by installing the packages needed:
pkg_add mongodb--%44 jdk-17.0.10.7.1v0 unzip
Before the first start of mongod we must increase some rlimits:
cat …
After running into more or less the same problem on every damn Keycloak upgrade, it’s time to put some notes in place so I won’t struggle with it in the future. At least not with the same problem.
Change into the root directory for keycloak
cd /var/www
Download the latest release tarball
curl -LO https://github.com/keycloak/keycloak/releases/download/24.0.3/keycloak-24.0.3.tar.gz
Change ownership of the extracted release directory
chown _keycloak keycloak-24.0.3
Read the upgrade instructions! Most of the time it boils down to
cp -Rpv keycloak-22.0.5/{conf,providers,themes} keycloak-24.0.3/
for me
Change into the new release directory
cd keycloak-24.0.3/
Stop old keycloak
rcctl stop keycloak
This step is crucial and well hidden within the Keycloak documentation.
JAVA_HOME=/usr/local/jdk-21 bin/kc.sh build
Failing to run the build before starting Keycloak with the --optimized flag via my rc file results in an exception about the JDBC URL. With --optimized, Keycloak does not redo the build-time augmentation at startup but relies on what the last build baked in; a freshly unpacked release has never been built, so the build-time default database (the dev-mode H2 driver) is still in effect while conf/keycloak.conf supplies a PostgreSQL URL, and the H2 driver rejects it:
2024-04-19 13:38:08,815 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: URL format error; must be "jdbc:h2:{ {.|mem:}[name] | [file:]fileName | {tcp|ssl}:[//]server[:port][,server2[:port]]/name }[;key=value...]" but is "jdbc:postgresql://localhost:5432/keycloak" [90046-224]
Adjust daemon_execdir in /etc/rc.d/keycloak to point at the new release directory
Start the new keycloak
rcctl start keycloak
Clean up behind you, once the new release is confirmed to be running (the old directory is your rollback until then)
rm -rd /var/www/keycloak-22.0.5
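The steps above as one script, added here as an example and not the page’s own script: it validates the version strings before they end up in paths, adds the tarball extraction the notes leave implicit, runs `kc.sh build` before the rc script starts Keycloak with `--optimized`, and removes the old release only after the new daemon reports as running. It assumes the layout from the notes (releases under /var/www as keycloak-<version>, the `_keycloak` user, JDK 21 at /usr/local/jdk-21, and an /etc/rc.d/keycloak whose `daemon_execdir` line contains the versioned directory name).

```shell
#!/bin/sh
# Added example, not from the original notes. Upgrade Keycloak on OpenBSD
# from release OLD to release NEW in /var/www, in the order the notes arrive at.
# Assumptions: releases live in /var/www/keycloak-<version>, the daemon runs
# as _keycloak, JDK 21 is at /usr/local/jdk-21, and /etc/rc.d/keycloak sets
# daemon_execdir to the versioned directory.

KC_BASE=/var/www
JAVA_HOME=/usr/local/jdk-21
export JAVA_HOME

# kc_release_url VERSION: download URL of the release tarball on GitHub
kc_release_url() {
    echo "https://github.com/keycloak/keycloak/releases/download/$1/keycloak-$1.tar.gz"
}

# valid_version VERSION: digits and dots only, so a bad argument cannot turn
# the cp/sed/rm below into something like "rm -r /var/www/keycloak-../x"
valid_version() {
    case "$1" in
        ''|.*|*.|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# upgrade_keycloak OLD NEW
upgrade_keycloak() {
    old=$1 new=$2
    valid_version "$old" && valid_version "$new" || { echo "bad version" >&2; return 1; }
    cd "$KC_BASE" || return 1

    curl -fLO "$(kc_release_url "$new")" || return 1
    tar xzf "keycloak-$new.tar.gz" || return 1          # step the notes leave implicit

    # carry over the site-specific parts; -p keeps permissions and ownership
    cp -Rp "keycloak-$old/conf" "keycloak-$old/providers" "keycloak-$old/themes" "keycloak-$new/" || return 1

    rcctl stop keycloak

    # build first: with --optimized, kc.sh start relies on the build-time options
    # baked in here (the db vendor among them); skipping it leaves the H2 default
    # in place and produces the "URL format error" quoted in the notes
    (cd "keycloak-$new" && bin/kc.sh build) || return 1
    chown -R _keycloak "keycloak-$new"

    # point the rc script at the new release directory
    sed -i "s|keycloak-$old|keycloak-$new|g" /etc/rc.d/keycloak || return 1
    rcctl start keycloak || return 1

    # only drop the old release once the new daemon is confirmed running
    if rcctl check keycloak; then
        rm -r "keycloak-$old"
    else
        echo "keycloak-$new not running; keycloak-$old kept for rollback" >&2
        return 1
    fi
}

# usage: upgrade-keycloak.sh run 22.0.5 24.0.3
if [ "${1:-}" = run ]; then
    upgrade_keycloak "$2" "$3"
fi
```

`rcctl check` right after `rcctl start` only proves the process exists; the login page is still worth a look before the old directory is gone.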
Generate CSR, certificate and private key for fqdn:
fqdn=host.domain.tld
cfssl gencert -ca intermediate/intermediate_ca.pem \
-ca-key intermediate/intermediate_ca-key.pem \
-config config.json \
-profile server certificates/${fqdn}.json | cfssljson -bare certificates/${fqdn}
Generate chain
cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${fqdn}-full.pem
Generate PKCS#12
# -certfile embeds the intermediate so the keystore carries the full chain
openssl pkcs12 -export \
-in certificates/${fqdn}.pem \
-inkey certificates/${fqdn}-key.pem \
-certfile intermediate/intermediate_ca.pem \
-out certificates/${fqdn}.p12 \
-name ${fqdn}
Convert to Java Keystore
# -srcstorepass must be the export password given to openssl above;
# -alias must match the -name used there, i.e. ${fqdn}, not the literal word fqdn
keytool -importkeystore \
-deststorepass changeit \
-destkeypass changeit \
-destkeystore foo.keystore \
-srckeystore certificates/${fqdn}.p12 \
-srcstoretype PKCS12 \
-srcstorepass password \
-alias ${fqdn}
Cleaning up
unset fqdn
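The `-profile intermediate_ca` and `-profile server` arguments in the cfssl commands refer to signing profiles in `config.json`, and `certificates/${fqdn}.json` is the CSR request; neither file is shown in these notes. Added here as an example (not the author’s files) is a script that writes both, with the restrictions a practitioner would want: the intermediate gets a path length of zero so it cannot issue further CAs, and the server profile gets only the `server auth` extended key usage. It also adds the chain check the notes leave out, which verifies the leaf against the root through the intermediate with openssl before anything is packaged. Expiries, the ECDSA P-256 key type and the organisation name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: the cfssl inputs that the
# gencert/gencsr/sign commands reference, plus a chain check before packaging.

# write_cfssl_config DIR: DIR/config.json with the signing profiles used above.
# Expiries are assumptions (5 years for the intermediate, 1 year for leaves).
# max_path_len 0 means the intermediate can sign end-entity certs only.
write_cfssl_config() {
    cat > "$1/config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "intermediate_ca": {
        "usages": ["signing", "digital signature", "key encipherment", "cert sign", "crl sign"],
        "expiry": "43800h",
        "ca_constraint": { "is_ca": true, "max_path_len": 0, "max_path_len_zero": true }
      },
      "server": {
        "usages": ["signing", "digital signature", "key encipherment", "server auth"],
        "expiry": "8760h"
      }
    }
  }
}
EOF
}

# write_csr_json DIR FQDN: DIR/FQDN.json, the request passed to cfssl gencert/gencsr.
# CN and the only SAN are the fqdn; key type and O are assumptions. The fqdn is
# checked first so that it cannot break out of the JSON it is interpolated into.
write_csr_json() {
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "bad fqdn: $2" >&2; return 1 ;;
    esac
    cat > "$1/$2.json" <<EOF
{
  "CN": "$2",
  "hosts": ["$2"],
  "key": { "algo": "ecdsa", "size": 256 },
  "names": [{ "O": "example" }]
}
EOF
}

# verify_chain ROOT_PEM INTERMEDIATE_PEM LEAF_PEM: fails unless the leaf chains
# to the root through the intermediate (signatures, validity, basic constraints).
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# usage alongside the cfssl steps above:
#   write_cfssl_config .
#   write_csr_json certificates host.domain.tld
#   verify_chain root/ca.pem intermediate/intermediate_ca.pem certificates/host.domain.tld.pem
```

Running `verify_chain` before the PKCS#12 export catches a leaf signed with the wrong profile or an intermediate whose constraints forbid it, which the keystore conversion would otherwise accept silently.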
cfssl gencsr -key intermediate/intermediate_ca-key.pem \
intermediate/intermediate-ca.json |\
cfssljson -bare intermediate/intermediate_ca
cfssl sign -ca root/ca.pem \
-ca-key root/ca-key.pem \
-config config.json \
-profile intermediate_ca \
intermediate/intermediate_ca.csr |\
cfssljson -bare /tmp/intermediate_ca
fqdn=relayd.rand.clacks.xyz
cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${fqdn}-full.pem
unset fqdn
fqdn=host.domain.tld
cfssl gencsr -key certificates/${fqdn}-key.pem \
certificates/${fqdn}.json |\
cfssljson -bare certificates/${fqdn}
cfssl sign -ca intermediate/intermediate_ca.pem \
-ca-key intermediate/intermediate_ca-key.pem \
-config config.json \
-profile server \
certificates/${fqdn}.csr |\
cfssljson -bare certificates/${fqdn}
cat certificates/${fqdn}.pem intermediate/intermediate_ca.pem > certificates/${ …
I am really glad about the paradigm shift the pandemic brought to my workplace with regards to remote work. Being able to stay at home 80% of my time is something I grew fond of, and it helped a lot in overcoming some personally challenging situations during the pandemic. I really enjoy the benefits and the possibility to adjust my space to my needs, which really helps to bring me into the flow more often, which is beneficial for both me and my employer.
Sure, there are distractions you will never have at the office. But it’s also easier to structure your work around your personal life and still deliver, as it gives you greater flexibility. There’s also no denying that remote working fuels my self-exploitation more than being on-prem, as it’s easier to just spin up the machine and start to work on stuff, e.g. later in the evening, but overall for me, personally, the benefits for both me and my employer outweigh the problems. With one notable exception that I absolutely dislike about remote working, and that’s meetings. Not necessarily the meetings themselves but how people attend online meetings in a fashion that seems to be more and more common: inattentive to a point where said attendees have almost phased out of the meeting. I have witnessed more than one meeting in which everybody was leaving but one who apparently did not realize that the meeting had concluded.
Signs of this are attendees who do not really attend the meeting but instead go on and work on different things, accept a phone call, read their e-mails or the newest messages in the chat. Obviously they feel like the meeting is a waste of their time, but it’s definitely wasted time for others who are e.g. waiting for a response from someone who’s just not paying attention. And most likely it really is wasted time for both of them. This is not something that’s novel or unique to online meetings. You can observe it in presence meetings, …