
Today I Learned

How to Configure Traefik to Use Existing TLS Certificates

  1. Create a new file tls.yml

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/certs/your-domain.dev/cert.pem
        keyFile: /etc/traefik/certs/your-domain.dev/privkey.pem

  2. Make sure you're copying this file in your Dockerfile

COPY .docker/traefik/conf.d/tls.yml /etc/traefik/tls.yml

  3. Mount the certs folder in your docker-compose.yml file

volumes:
  ...
  - .docker/traefik/certs:/etc/traefik/certs
  ...

  4. Update the traefik.yml config to support the file provider:

providers:
  ...
  file:
    filename: "/etc/traefik/tls.yml"
  ...

How To Keep Your GitHub Actions Workflows Private in an Open Source Repository

If you want to make your repository open source, but keep the workflows private, you can do the following:

  1. Create a separate repository for your workflows and make it private.
  2. In the open source repository, include only the necessary configuration files (e.g. .github/actions) and reference the private repository as a submodule.
  3. In the private repository, configure the GitHub Actions workflows as you normally would.
  4. When someone clones or forks the open source repository, the submodule reference to the private repository will not be included.

This way, you can keep your workflows private, while still making your repository open source.

Password-less SSH authentication on UniFi Dream Machine / UniFi Dream Machine Pro

Step 1. Make cron persist on restarts

unifi-os shell
curl -L https://github.com/unifi-utilities/unifios-utilities/raw/main/on-boot-script/packages/udm-boot_1.0.5_all.deb -o udm-boot.deb
dpkg -i udm-boot.deb
rm udm-boot.deb
exit

Step 2. Add root ssh keys on restart

cd /mnt/data/on_boot.d
vi 15-add-root-ssh-key.sh

File contents

#!/bin/sh

#####################################################
# ADD RSA KEYS AS BELOW - CHANGE BEFORE RUNNING     #
#####################################################
# set -- "ssh-rsa first key here all keys quoted" \ #
#        "ssh-rsa each line appended with slash " \ #
#        "ssh-rsa last one has no backslash"        #
#####################################################
set -- "ssh-rsa ..." \
        "ssh-rsa ...."

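KEYS_FILE="/root/.ssh/authorized_keys"

# Make sure the directory and file exist before grep reads them
mkdir -p "$(dirname "$KEYS_FILE")"
touch "$KEYS_FILE"

counter=0
for key in "$@"
do
	# Places public key in ~/.ssh/authorized_keys if not present
	if ! grep -Fxq "$key" "$KEYS_FILE"; then
		# POSIX arithmetic; "let" is not available in every /bin/sh
		counter=$((counter + 1))
		echo "$key" >> "$KEYS_FILE"
	fi
done

echo "$counter keys added to $KEYS_FILE"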

Make file executable and run it

chmod +x 15-add-root-ssh-key.sh 
./15-add-root-ssh-key.sh 

Step 3. Update banner

cat /dev/null > /issue
cat /dev/null > /etc/issue
cat /dev/null > /etc/motd

vi /etc/motd

# Insert your own banner 

Step 4. Update ssh configuration

The UDM uses Dropbear as its SSH server, so its configuration is applied when the init script starts the service.

Edit the dropbear configuration file

vi /etc/default/dropbear

# See https://wiki.gentoo.org/wiki/Dropbear
# -s disables password logins, -g disables password logins for root
DROPBEAR_OPTS="-sg"

Restart the dropbear service

/etc/init.d/dropbear restart
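
A check to run after Steps 2 and 4, added here as an example and not part of the original post. The boot script only appends keys, so a key removed from it stays authorized; this lists keys in authorized_keys that are not on an allow-list, flags a group- or world-writable key file, and confirms DROPBEAR_OPTS carries -s. The function names and the allow-list file (one public key per line) are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. Function names and the
# allow-list file (one public key per line) are assumptions.

# Print keys found in authorized_keys ($1) but absent from the allow-list ($2).
# Returns 1 if any unexpected key exists, 2 if the allow-list is unreadable.
unexpected_keys() {
    [ -r "$2" ] || { echo "allow-list not readable: $2" >&2; return 2; }
    extra=$(grep -v -e '^[[:space:]]*$' -e '^#' "$1" | grep -Fxv -f "$2" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Succeeds if the path exists and is not writable by group or others.
not_group_world_writable() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Succeeds if DROPBEAR_OPTS in the defaults file ($1) carries -s (disable
# password logins), alone or bundled as in "-sg". Simple word match only.
password_login_disabled() {
    opts=$(sed -n 's/^DROPBEAR_OPTS="\(.*\)"$/\1/p' "$1" | tail -n 1)
    for word in $opts; do
        case $word in
            --*) ;;
            -*s*) return 0 ;;
        esac
    done
    return 1
}

# Run all three checks; the return status is the number of failed checks.
audit() {
    keys=$1 allow=$2 conf=$3 failed=0
    unexpected_keys "$keys" "$allow" || failed=$((failed + 1))
    not_group_world_writable "$keys" || { echo "bad mode: $keys"; failed=$((failed + 1)); }
    password_login_disabled "$conf" || { echo "password logins not disabled"; failed=$((failed + 1)); }
    return "$failed"
}

# Usage: sh audit-ssh.sh /root/.ssh/authorized_keys allowed_keys /etc/default/dropbear
if [ "$#" -eq 3 ]; then audit "$@"; fi
```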

macOS asks for a PIN instead of a password

Whenever you try to authenticate, macOS asks for a PIN instead of a password. This happens if you paired your key with macOS at some point.

Just open Terminal.app and unpair it:

sudo /usr/sbin/sc_auth unpair -u YourUserName

or simply

sudo /usr/sbin/sc_auth unpair

Take out your key if you have it plugged in and reboot.

Your key should be unpaired from your username. Remember you don't have to pair your key to use it. You only have to pair it if you want to use it for macOS authentication.