Keep responses under one page in length. Anything bigger should go in a file.
Keep files organized. Use a schema, but don't be precious about it.
```
# iptables-save fragment (cut off in the source): the filter table defaults to
# DROP for INPUT and FORWARD and ACCEPT for OUTPUT, and declares user chains,
# apparently for a port-knocking sequence (knock1 -> knock2 -> knock3).
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:newconn -
:compliance -
:knocks -
:knock1 -
:knock2 -
:knock3 -
```
```bash
#!/bin/bash
_SELF="${0##*/}"
_HERE="$(dirname "$(realpath "$0")")"
# IMDSv1-style request (no session token): it fails with 401 where IMDSv2 is
# required, so `-f` makes curl exit non-zero instead of feeding jq an error page.
function aws_instance_profile_arn() {
  curl -sf http://169.254.169.254/2019-10-01/meta-data/iam/info | jq -r .InstanceProfileArn
}
# The source is cut off here; the body is an assumed completion (name = last ARN path component).
function aws_instance_profile_name() {
  aws_instance_profile_arn | sed 's#.*/##'
}
```
```bash
#!/bin/bash
_SELF="${0##*/}"
_HERE="$(dirname "$(realpath "$0")")"
# Split a URL into scheme, credentials, host, port, path and query string.
function parse_url() {
  local url _url __url proto uphp user_pass host_port user pass host port path query_string
  url="${1}"
  # The source is cut off after this line; the body of the parser is not on the page.
}
```
ECS task roles are a great security feature, but they are hard to set up correctly.
The Amazon ECS documentation on setting up task roles tells you to do some questionable things. Among others, it tells you to run the ECS agent with host networking (a security risk: the agent shares the host's network namespace), to use an iptables rule to cut bridged containers off from the host's instance metadata endpoint (brittle), and to add further iptables rules and sysctl settings to route 169.254.170.2:80 to the ECS agent on 127.0.0.1:51679 (brittle again).
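The two iptables pieces just described (the rule that cuts bridged containers off from the instance metadata endpoint, and the DNAT of 169.254.170.2:80 to the agent on 127.0.0.1:51679) are exactly the kind of host state that silently drifts. Below is an added example, not code from the original page or from AWS, that audits an `iptables-save` dump for them. The rule syntax in the constructed sample dumps is my reconstruction of what the ECS docs prescribe, and the `docker+` interface pattern is an assumption; the agent port 51679 is the one the text names.

```shell
#!/bin/sh
# Added example (not from the page): audit an iptables-save dump for the two
# host-side rules the ECS documentation relies on for task roles:
#   1. bridged containers must not reach the EC2 instance metadata service,
#   2. 169.254.170.2:80 must be rewritten to the ECS agent on 127.0.0.1:51679.
# Rule syntax is my reconstruction of the docs; `docker+` is an assumed
# interface pattern. Sample dumps below are constructed, not captured.

# Constructed dump of a host set up per the ECS docs.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51679
-A OUTPUT -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 169.254.169.254/32 -i docker+ -j DROP
-A FORWARD -i docker0 -o eth0 -j ACCEPT
COMMIT'

# Same host after someone "fixed" connectivity by dropping the metadata block
# and loosening the FORWARD policy: the DNAT still works, the protection is gone.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51679
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i docker0 -o eth0 -j ACCEPT
COMMIT'

# Print the policy of chain $2 in table $1 from an iptables-save dump on stdin
# (built-in chains carry ACCEPT/DROP; user chains show "-").
chain_policy() {
  awk -v t="*$1" -v c=":$2" '
    $1 == t { in_table = 1; next }
    /^\*/   { in_table = 0 }
    in_table && $1 == c { print $2; exit }'
}

# Exit 0 if some FORWARD rule drops traffic from docker+ interfaces to the
# instance metadata address. iptables-save option order is not something to
# rely on, so each token is matched independently.
has_metadata_block() {
  grep -E '^-A FORWARD ' \
    | grep -E -- '-d 169\.254\.169\.254(/32)?( |$)' \
    | grep -F -- '-i docker+' \
    | grep -Fq -- '-j DROP'
}

# Exit 0 if the task credential endpoint is DNATed to the ECS agent port.
has_agent_dnat() {
  grep -E '^-A PREROUTING ' \
    | grep -E -- '-d 169\.254\.170\.2(/32)?( |$)' \
    | grep -E -- '--dport 80( |$)' \
    | grep -Fq -- '--to-destination 127.0.0.1:51679'
}

# Run all checks on a dump read from stdin; report each, exit non-zero if any fails.
audit_ecs_rules() {
  dump=$(cat)
  status=0
  if [ "$(printf '%s\n' "$dump" | chain_policy filter FORWARD)" = DROP ]; then
    echo "ok   FORWARD policy is DROP"
  else
    echo "FAIL FORWARD policy is not DROP"; status=1
  fi
  if printf '%s\n' "$dump" | has_metadata_block; then
    echo "ok   bridged containers cannot reach 169.254.169.254"
  else
    echo "FAIL no FORWARD rule dropping docker+ -> 169.254.169.254"; status=1
  fi
  if printf '%s\n' "$dump" | has_agent_dnat; then
    echo "ok   169.254.170.2:80 is DNATed to 127.0.0.1:51679"
  else
    echo "FAIL credential endpoint is not routed to the ECS agent"; status=1
  fi
  return $status
}

# Stand-alone run against the constructed good dump.
printf '%s\n' "$GOOD_DUMP" | audit_ecs_rules
```

On a live host, source the script and run `sudo iptables-save | audit_ecs_rules`. A clean result is only a point-in-time check of the setup the paragraph calls brittle; it catches the rule being removed, not the host-networking exposure of the agent itself.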
I hereby claim:
To claim this, I am signing this object: