Skip to content

Install Firefox PPA version over Snap version

It was time to update my laptop, and I already knew that the update will bring Snap, and installs the Snap Firefox version. Along with many known problems. Previously the laptop was on 20.04 LTS, but this version is about to loose support.

I ran through the upgrade, and then added an Ansible Playbook to handle the Firefox installation, remove the Snap version and install the PPA version. Most of my laptop configuration is handled using Ansible Playbooks.

 

 

Continue reading "Install Firefox PPA version over Snap version"

Using fail2ban to block unfriendly web requests

Every time I peek into the webserver logfiles, I find quite a few 404 requests trying to figure out if certain exploits exist on this server. Now I get that these are automated attempts, and the number of requests coming from one IP show that they try several different exploits and path names. Nevertheless I thought that I don’t need this in my log, and on my webserver. fail2ban for the rescue.

 

Continue reading "Using fail2ban to block unfriendly web requests"

PGSQL Phriday #001: Two truths and a lie

Uh, what is this #PGSQLPhriday thing about? Everyone is writing blog posts about this today ... For details, please read the introduction from Ryan Booz.

This month's topic: pick your three favorite or most important best pratices for #PostgreSQL. Tell them in a form that two are true, one is a lie. See if you can spot which one is true and which one is false. The resolution is at the end of this blog posting.

Let's dive in: These days it's rare that I start with a fresh PostgreSQL installation which is not in any way already modified. Whenever we install a new database at work, it's already coming with a templated configuration, backup (if necessary: despite running many hundred databases not all of them need a backup), monitoring, and pre-configured access. Even the database on my private laptop is configured using Ansible. But that's a good example by itself: what are the steps I find important enough to have a Playbook for. My top three list:

  1. Change a few most important configuration parameters, then restart the database
  2. Use pg_dump for backups
  3. Create necessary accounts

Which one is the lie?

 

Continue reading "PGSQL Phriday #001: Two truths and a lie"

Read a JSON text into a variable in Ansible without parsing it

For one project I need to insert the content of a local file into another file on the remote system, and the first file happens to be JSON. The JSON file is in compact format (jq --compact-output) and is supposed to stay this way. When Ansible reads the content of the file, it determines that the content is JSON, and parses the content into the variable - and along the way is uncompressing the format. Not what I want.

 

Continue reading "Read a JSON text into a variable in Ansible without parsing it"

Ansible and string comparisation for IDs

Was running in a stupid problem where Ansible (version 2.9.x) throws an error when a variable is defined. The Play:

- name: Check if id is defined
  fail:
    msg: "No id defined for {{ inventory_hostname }}!"
  when: id is not defined or id|length == 0

And the error:

TASK [Check if id is defined] *****************************************
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"msg": "The conditional check 'id is not defined or id|length == 0' failed. The error was: Unexpected templating type error occurred on ({% if id is not defined or id|length == 0 %} True {% else %} False {% endif %}): object of type 'int' has no len()\n\nThe error appears to be in '/path/to/playbook/configuration.yml': line 57, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - name: Check if id is defined\n      ^ here\n"}

Ok, it tries to compare an integer, fine. There are two ways to fix this problem:

1: Change the type to a string by updating the inventory:

From:

id=1

to:

id="1"

But this might have other consequences, as the other parts of the Playbook might depend on this being an integer.

2: Compare as string

when: id is not defined or id|string|length == 0

This casts the integer to a string, and then the length() function works.

Ansible, "copy" module and "become"

For testing I did spin up a couple of new virtual (Ubuntu 20.04 LTS) instances, installed PostgreSQL, and wanted to copy over a .sql file to install in the database:

- name: copy files to PostgreSQL data directory
  copy:
    src: "files/{{ item }}"
    dest: "{{ item }}"
    mode: 0700
  become: yes
  become_user: postgres
  loop:
    - file1.sql
    - file2.sql

And ran into a meaningless error message:

TASK [copy files to PostgreSQL data directory] ***********
fatal: [xxx.xxx.xxx.xxx]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership of '/var/tmp/ansible-tmp-1618521951.848439-176484068031965/': Operation not permitted\nchown: changing ownership of '/var/tmp/ansible-tmp-1618521951.848439-176484068031965/source': Operation not permitted\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

 

 

Continue reading "Ansible, "copy" module and "become""

Make Ansible "postgresql_ping" fail if the database does not exist

Ansible has a very useful module "postgresql_ping" which checks connectivity to the database server. I'm using it in quite a few Playbooks as first step just to ensure that the database server is present - this fails early if there is a problem which otherwise just prevents the rest of the Playbook to work properly.

TASK [Check if database is available]
[WARNING]: PostgreSQL server is unavailable: could not connect to server: No such file or directory         Is the server running locally and accepting         connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed_when_result": true, "is_available": false, "server_version": {}}

 

However this module does not check if the database exists, just if the server is reachable. Example Playbook:

- name: Check if database is available
  postgresql_ping:
    db: "testdb"
  become: yes
  become_user: postgres

When I run the Playbook:

TASK [Check if database is available]
[WARNING]: PostgreSQL server is unavailable: FATAL:  database "testdb" does not exist
ok: [127.0.0.1]

 

As you can see, the database "testdb" does not exist. Which for the module is a reason to raise a warning, but not  a reason to fail.

One possible solution is to let this module do it's work, and add a "postgresql_db" call next, which ensures that the database is created. But not every Playbook is supposed to create and populate a database, and has all the required parameters (owner, encoding, template ect) available. Therefore it would be nice if "postgresql_ping" fails early if the database in question doesn't exist. That's possible, with two more lines of code:

- name: Check if database is available
  postgresql_ping:
    db: "testdb"
  become: yes
  become_user: postgres
  register: ping_database
  failed_when: ping_database.warnings is defined

And the Playbook run:

TASK [Check if database is available]
[WARNING]: PostgreSQL server is unavailable: FATAL:  database "testdb" does not exist
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed_when_result": true, "is_available": false, "server_version": {}}

Together with "any_errors_fatal: True" this ends the entire Playbook early enough before I have to debug the problem later on.

Online indicator for remote controllable power plugs in openHAB

Recently I installed a number of new power sockets (like this one). The Hue bridge can not only add each switch to a light group, but also reports each plug as a Thing in openHAB. There I thought it will be a nice touch if openHAB actually reports when it sees a device plugged in. The power socket has a LED which turns on when the plug is on. The Hue bridge reports OFFLINE and ONLINE. That's useful.

The plan is to turn the LED light - and the power plug - on and off for a few second.

 

Continue reading "Online indicator for remote controllable power plugs in openHAB"

Restic backup

Was asked quite a few times how I do my backups with Restic.

For more than 10 years I was using "Duplicity" for backups, but in 2019 I changed to Restic. The main reason for the change was that Duplicity still can't handle "Big Data", as in: larger directories. In 2009 someone opened an issue on the Duplicity bugtracker, and this problem still exists as of today. For about two years I was shifting around the problem, excluding files, trying to make the sigfile smaller. But at some point I decided that it is enough and I need to change the tool.

Duplicity knows two backup modes: "full backup" and "incremental backup". Once in a while you take a full backup, and then you add incremental backups to that full backup. In order to restore a certain backup you need the full backup and the incremental backups. Therefore my go-to mode was to always have two full backups and a couple incremental backups in-between. Even if something goes wrong with the latest full backup, I can still go back to the previous full backup (of course with some changes lost, but that's still better than nothing). When taking a new full backup, the oldest one is only deleted when the new one is completed. Accordingly when a new incremental backup is created, it's a new set of files. Removing the backup removes all the files from this incremental backup. That worked well, but needed scheduling. Over time I wrote a wrapper script around Duplicity, which did schedule new full and incremental backups.

Restic works in a different way. There is no concept of "full backup" and "incremental backup". Basically every backup is a full backup, and Restic figures out which files changed, got deleted, or added. Also it does deduplication: if files are moved around, or appear multiple times, they are not added multiple times into the backup. Deduplication is something which Duplicity can't do. But because Restic can do deduplication, there is no common set of files which belong to a single snapshot. Data blobs from one backup can stay in the repository forever, removing snapshots might not remove any files at all.

Restic on the other hand needs "prune" to remove old data. A snapshot can be removed according to the policy specified, but this does not remove the data from the backup directory. A "prune" run will go over the data and remove any block which is no longer needed.

My first question - after figuring out which other backup tool to use: shall I replicate the wrapper script, or try something else? Given that the backup doesn't need complex scheduling, I decided against writing a complex wrapper. And since I am now deploying all devices with Ansible, I decided to integrate this into my Playbooks, and deploy a set of shell scripts. The goal was to have a small number of dedicated scripts doing the daily backup work, and another set of "helper" scripts which I can use to inspect the backup, modify it, or restore something.

My main goals for this: "small number of programs/scripts" (Unix style: each tool does one job), "rapid development" (don't spend weeks writing another scheduler), "rapid deployment" (re-run Playbooks and let Ansible deploy this to all devices).

 

Continue reading "Restic backup"

Add a Google Calendar to openHAB

openHAB can integrate Google Calendars. The functionality is kind of limited, it can only see the current and the next calendar event, but in my case that is enough. More about the use case in another blog post.

There are three different calendar bindings available, let's have a quick look:

  • CalDAV Personal Binding: this is a v1 binding, which means it will no longer work in the soon-to-be-released openHAB v3. Apparently this works with Google calendars, but has performance issues. It can show the current and next event.
  • Google Calendar Scheduler: also a v1 binding. Needs more work for presense simulation, and additional bindings.
  • iCalendar Binding: v2 binding, should work with v3. It can show the current and next event. That's the one I'm going to use.

 

Continue reading "Add a Google Calendar to openHAB"

openHAB: faster loading of rules files

openHAB rules files are lazy loaded. When a rule is used the first time, the entire rule file is loaded and compiled, which apparently is single-threaded and takes a couple seconds. Even on a reasonable powerful Rasperry Pi 4. This happens both after restarting openHAB and after changing the rules file. It also means that whatever the rule in question is supposed to do has to wait a couple seconds when requested for the first time. Imagine you have a light switch, enter a room, press the switch, and it takes 5-10 seconds until the light comes on.

To work around this problem, I add a piece of code in all rules files which triggers an immediate action right after loading the file. This way the rules file is already pre-loaded (which again takes a couple seconds, but likely at a time when the rule is not needed right now).

 

Continue reading "openHAB: faster loading of rules files"

Audio reminders in openHAB

A while ago someone mentioned "reminders" used in their home audio system, and I took that idea and implemented something similar in openHAB.

The basic idea is that I can send scheduled notifications to any audio sink openHAB is using, possibly more than one audio sink for one message. Also I want to differentiate between a simple audio sound, and text output.

For the text audio output I installed Text-to-Speech a while ago, this enables the ability to output text as audio in different languages. In addition I want an information when a reminder is "fired" in my Telegram control channel. As audio sink I'm mostly using ChromeCasts here, but anything openHAB can connect to is usable here.

 

 

Continue reading "Audio reminders in openHAB"

openHAB, Telegram Bot and quoting URLs

A while ago I integrated DWD warnings (Deutscher Wetterdienst) into our home automation system, and receive severe weather notifications ever since then. That works quite good, but it was missing a weblink with more details - or if you want to forward the warning to someone it would be useful to have a link to the warning as well. The DWD binding does not provide that piece of information, but it is easy enough to add - or so I thought.

 

Continue reading "openHAB, Telegram Bot and quoting URLs"