Category Archives: Linux and OSS hints

(Housekeeping) #Backup Script for #Nextcloud

I don’t know if others need that too, but it seems just naturally to post this tiny little piece of bash which is our Nextcloud backup script. And I am perfectly aware that this is SME style, not big iron. 🙂 And if you don’t like Databases or PHP, have a look at Owncloud Infinite Scale.

These two products have been targeting more and more diverging directions since their fork: Owncloud adresses large scale, scalable datacenter customers (like CERN) and promises 10 times faster speed than their own PHP solution, but Nextcloud is carving out market share from MS365 customers with gazillions of apps in their app store and a large PHP community – with all benefits and downsides. Raise your hand if you never had to deactivate some community app to make an update work! 🙂


Important: your MariaDB-Passwort will be in this file, I didn’t spend much time into investigating workarounds, but a chmod 700 of this file (read-write-execute) for root only seems appropriate. The DB is not listening on anything else but localhost, thus I am ready to accept this. If there’s a simple solution I missed, answer on Twitter or drop me a PM/Mail/Matrix message.

The Backup Script

As you can see I am backing up to a separate volume. I have file servers in several locations that fetch their backups (the tar files) from there. I don’t want the root fs run full, thus I don’t do a backup if /backup is not mounted. Alerting is done elsewhere. 🙂 On other systems, I mount the backup drive during such a script’s run. If you’re (like me) a seasoned but unexperienced Bash starter, add some “sleep 30” between the lines to see what’s happening and to easily break the script’s run. And you may or may not want the option –delete for rsync – your mileage may vary – and sorry for wordpress changing dashes and hyphens (Remember “Non-hyphenated is an example of a hyphenated word”).

# Backing up Nextcloud Server
# Database Root password is in here, so chmod 700 this file!

DIR=/var/www/nextcloud #Source
BACKUPDIR=/backup/nextcloud #Target
if grep -qs /backup /proc/mounts; then
   echoBackup disk is mounted. Proceeding with backup from $DIR/.
   echoEntering nextcloud directory
   cd /var/www/nextcloud
   echoPutting NC into maintenance mode
   sudo -u www-data php occ maintenance:mode –on
   echoBacking up folders and config with Rsync:
   # sleep 30
   /usr/bin/nice -18 /usr/bin/rsync -Aavz –delete $DIR/ $BACKUPDIR/
   echoBacking up MySQL data base ‘nextcloud’ : 
   mysqldump –single-transaction -h localhost -u root -p$DBPASS nextcloud > $BACKUPDIR/nextcloud-sqlbkp_`date +%Y%m%d`.bak
   sudo -u www-data php occ maintenance:mode –off
   /usr/bin/nice -18 /bin/tar -czf $BACKUPTAR $BACKUPDIR
   echoSorry, Backup disk is not mounted, quitting. CU again tomorrow.


I have two aliases on my NC servers:

alias ncd=’cd /var/www/nextcloud’
alias occf=’sudo -u www-data php ./occ’

With these I don’t need to bother about different document root directories (Debian/Ubuntu/Suse) nor remember the sudo… syntax (yes, I’m old) :-).

That proves helpful to do a lot of occ commands, like cleaning up the hard way:

occf trashbin:cleanup –all-users
occf versions:cleanup –all-users

clean up all trashbins and remove all old versions of files (yes ALL!).

If you don’t want Nextcloud to slowly fill up your hard drive / storage, add this to the config.php file:

‘trashbin_retention_obligation’ => ‘auto’,
‘versions_retention_obligation’ => 60, ‘auto’,

These two options will make Nextcloud store only files that are younger than 30 in the trashbin and versions of files no longer than 60 days.

#Leaflet … notice to self… study.

Leaflet – a JavaScript library for interactive maps

Leaflet is the leading open-source JavaScript library for mobile-friendly interactive maps. Weighing just about 39 KB of JS, it has all the mapping features most developers ever need. Leaflet is designed with simplicity, performance and usability in mind. It works efficiently across all major desktop and mobile platforms, can be extended with lots of plugins, has a beautiful, easy to use and well-documented API and a simple, readable source code that is a joy to contribute to.

PGP/S-MIME on Linux Command Line, helping Kontact (and other Mailers)

I recently had to decrypt a PGP/S-MIME encrypted mail. It’s been a long time since I was confronted with that format, and KDE’s Kontact does not seem to support this out of the box– actually only Thunderbird seems to do, and that’s not on my machines. Here’s what I did.

This Mail came in.

Encrypted Mail

With the right PGP-Key I could decrypt it:


Upsii… there’s another encrypted file in there, exactly as the standard RFC from 2001 defines – this way even attachments are hidden from those that don’t have the private PGP key.

Since KDE’s crypto engine couldn’t help, and Thunderbird is not configured on my machines, I went to the command line. I saved the attachment “encrypted.asc” and ran the command “gpg –output uncrypted.asc –decrypt encrypted.asc“:

mfeilner@alquarismi:~/Downloads> gpg –output uncrypted.asc –decrypt encrypted.asc
gpg: WARNUNG: Unsichere Zugriffsrechte des Home-Verzeichnis `/home/mfeilner/.gnupg’
gpg: verschlüsselt mit 4096-Bit RSA Schlüssel, ID XXXXXXXXXXXXXXXXX, erzeugt 2015-04-24
gpg: verschlüsselt mit 2048-Bit RSA Schlüssel, ID 
XXXXXXXXXXXXXXXXX, erzeugt 2018-12-25

… and that way I got a file named uncrypted.asc that I could open with my favorite text editor or emacs.

#OSS rocks. #Linux Rocks. Autorotate PDFs

#Linux has some mighty PDF Toolkits. One of them is pdftk. I am using it so that we don’t have to bother anymore about orientation of Files on the scanner. We just delete the wrong ones. 🙂

ls *pdf -1 > $INFILE
while IFS=”²” read -r line
PDF='basename $line | rev | cut -c 5- | rev
#Links drehen:
pdftk “$line” cat 1-endwest output “$PDF”_left.pdf
#Rechts drehen:
pdftk “$line” cat 1-endeast output “$PDF”_right
#180 degrees:
pdftk “$line” cat 1-endsouth output “$PDF”_upsidedown.pdf
done <$INFILE

(use the right upticks ` in the basename line, wordpress messes them up…)

Linux Malware, Woodcutters and James Bond stories.

FBI Reports On Linux Drovorub Malware | Hackaday

This is a modern spy story, but not quite what we’ve come to expect in Bond movies. “Well, Moneypenny, it appears Spectre is using the POCO library to generate UUIDs,” is hard to work into a trailer. We prefer the old days when high-tech spying meant nonlinear junction detectors, hacking Selectrics, moon probe heists, and passive bugging.

Pihole explained. Hehehe. Werbefrei surfen auch mit dem iPhone.

Sicher und werbefrei surfen mit dem Raspberry Pi

Diese Hardware brauchst du für den Raspberry Pi mit Pihole:

Einen Raspberry Pi – im Grunde tut es jeder Raspberry, auch der Raspberry Pi 1 oder Zero. Wir empfehlen euch jedoch einen Raspberry Pi 3 und aufwärts, um die Weboberfläche vom Pihole flott nutzen zu können.

Ein Netzteil – oder einen USB-Anschluss mit 2A-Output oder mehr.

Eine Micro-SD-Karte und einen SD-Adapter, der Karten meistens beiliegt.

Optional: Ein Gehäuse für den Raspberry Pi.

Optional: Einen Hoodie, da ihr ein paar einfache Shell-Befehle kopieren werdet und dabei aussehen müsst, wie ein Hacker.

Bluetooth-Autoconnect to Speakers from Command Line

My Desktop in the home office is always connected to the stereo, via Bluetooth. It sucks to click the BT icon or run bluetoothctl manually. Thus some time ago I fixed that by a little research and testing. Here’s what made me happy: 

I added the command echo -e “connect 0C:A6:94:D1:88:5D\n quit” | bluetoothctl to my files. For easier cut and paste: 

echo -e “connect 0C:A6:94:D1:88:5D\n quit” | bluetoothctl

In my case, I added that to my KDE Autostart script and I created an alias that allows me fast switching back after e.g. a Videoconference with a headset. My alias went to ~/.profilerc:

alias büro=’echo -e “connect 0C:A6:94:D1:88:5D\n quit” | bluetoothctl’

Works for me. 

Remember you have to replace the ID with the one from your device (delivered to you by the command devices in the bluetoothctl subshell): 

mfeilner@fibonacci:~> bluetoothctl
Agent registered
[Büro]# devices
Device D4:A6:B7:88:F4:9A D4-A6-B7-88-F4-9A
Device 34:DF:2A:45:E4:C0 Headphones
Device 0C:A6:94:D1:88:5D Büro
[Büro]# list
Controller FC:F8:66:E8:64:A7 fibonacci [default]

#ARM #Linux #BusinessCard: Elektronische BC mit Linux

Reality update: Elektronische Visitenkarte mit Linux | heise online … :

Wie George Hilliard erklärt, kostet die Hardware für seine elektronische Visitenkarte weniger als 3 US-Dollar. Um die Zahl der Bauelemente zu minimieren, suchte er vor allem ein System-on-Chip (SoC), das Linux ausführen kann sowie USB und eingebautes RAM mitbringt. Letzteres sei zwar bei zahlreichen Mikrocontroller-SoCs der Fall, doch die meisten davon eignen sich nur für Echtzeit-Betriebssysteme. Andere Chips wiederum waren zu teuer.

#Raspion: Raspberry Pi gegen “smart devices” spionage

Reality update: Gegenspionage im Heimnetz: So enttarnen Sie Datenschleudern mit dem Raspberry Pi | heise online … :

Der zum Schnüffler umgebaute Raspberry Pi alias c’t-Raspion klinkt sich dafür in den Datenstrom ein und visualisiert ihn. Er spannt ein separates WLAN auf, mit dem Sie die zu beobachtenden Geräte verbinden. Sie brauchen dafür nur einen Raspberry Pi 3 oder 4. Den schließen Sie per Kabel an Ihr bestehendes Netz an, über das er den Geräten dann Zugang zum Internet gewährt (“Uplink”). Somit kann der c’t-Raspion den gesamten Netzwerkverkehr zwischen den zu beobachteten Geräten und dem Internet sehen – er arbeitet letztlich wie ein Router.

In diesem Artikel führen wir durch die simple Installation der Raspion-Erweiterung und stellen die Fähigkeiten der vorinstallierten Werkzeuge vor. Dazu erläutern wir den Aufbau des Systems und wo Sie noch Hand anlegen können. Welche schmutzigen Details wir so gefunden haben und Beispiele zur Vorgehensweise finden Sie in einem weiteren Artikel zu Datenschleudern wie IP-Kameras, Smart-TVs und WLAN-Steckdosen.

#x2x #demomode #remotecontrol – Send Commands to Multiple Desktops with x2x

SEELAB has a nice description of how a good old Unix Tool can help to control e.g. multiple IoT devices over an encrypted line: 

If you would like to send input to more than one computer at a time, use the ‘-shadow ’ option. This can be used multiple times. Here is an example that routes input to boba142 and all 9 powerwall machines:

 ~/bin/x2x -from $LOCALDISPLAY -to boba142:0 \

 -shadow boba231:0 -shadow boba211:0 -shadow boba121:0 \

 -shadow boba141:0 -shadow boba131:0 -shadow boba111:0 \

 -shadow boba232:0 -shadow boba212:0 -shadow boba122:0 \

 -geometry 400×400


Hint: SEELAB claims “left and right mouseclick to leave” the tiny x2x window – on my machine it’s actually left, right _and_ middle mouse button. But I prefer to use the north/south/east/west options anyhow. 

Question: Why do I have areas on the target system that aren’t accessible? There’s a big rectangular space on the top right of my target screen where the x2x-driven mouse pointer can’t go – whereas the local mouse supports it…?