(Mostly) Code Snippets


It's not obvious to find out under which ARN you operate in the AWS web frontend. If you have CLI access with the same account, type aws sts get-caller-identity to find the ARN.

⚠️ You can't use wildcards in an "assumed-role" ARN. If you use an assumed-role ARN, it has to be complete.

Remove Role History from Console

After assuming roles, the roles end up in the "Role History". There is no easy way to remove this history. When a name or color was chosen, it can't be changed anymore. The only way I found to alter the Role History is by deleting the cookie noflush_awsc-roleInfo. In Safari this can be done via the Web Inspector -> Storage -> Cookies.


Create a random string cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1


Install old versions of packages

General Software

Reserved usernames


Multi-line commit messages with -m "..." -m "...". Bash (and other shells) allow for typing -m "... ⏎ ..."

Checkout a file from a branch with checkout <branch> -- <file or directory> to get the state of a branch's file or directory into the current branch.


Access to an account over https

Create an access token for this user and use it for git like https://user:token@git...

Big files over https

Gitea supports ssh access and has no file size limitations that I am aware of. Access via an Nginx proxy can lead to a 413 status code. Nginx has to accept bigger bodies client_max_body_size 100M; or any other reasonable size.

Java Web Start

JNLP files can be executed under linux with icedtea-web.


Table of System Calls


grep -E -o ".{0,5}pattern.{0,5}" file.txt shows 5 characters before and after the found pattern.

Intel 3945AGB WiFi adapter

An old laptop has the 3945 integrated. On CentOS 8, the installation is as follows:

  • Make sure the 3945 firmware is installed (search with dnf. Was installed for me by default)
  • Enable the ElRepo, which contains the package kmod-iwlegacy

Explanation iwlegacy: Usually the kernel module iwlwifi contains the drivers for the chipset. Support for 3945 was removed not too long ago, so a lot of documentation still refers to the iwlwifi package. Only iwlegacy still supports the chipset.

  • Install kmod-iwlegacy
  • Install package crda, which contains the 'regulatory.db' file, so the wifi chip knows which local regulations to follow.
  • Install NetworkManager-wifi or other preferred way of handling wifi connections

If things don't work, check lspci, dmesg, journalctl -u NetworkManager -e and other logs for hints.

PXE Boot OpenWRT

How to install Debian via PXE using an OpenWRT router only: First it's handy to have more storage on a USB drive attached to the router. My drive was formatted with NTFS, so I had to install the ntfs-3g package to be able to mount the drive on the router opkg install ntfs-3g (then mount /dev/sda /mnt).

Next step is to enable PXE boot on dnsmasq. The GUI has a tab for TFTP. Enable the TFTP server and configure the mounted USB drive as TFTP root.

Debian has a handy package ready for downloading called "netboot". After unpacking, it reveals the pxelinux.0 file and a folder structure that is preconfigured to PXE boot Debian. Only make sure the pxelinux.0 resides in the TFTP root folder together with everything else that was included in the netboot archive. Link to the pxelinux.0 from the GUI. Now PXE is ready in the network.


My RSS reader miniflux supports Auth Proxy, which means any header can be used to pass an (existing) username. I use an internal PKI anyway, so I wanted to authenticate myself with a certificate on my server.

Nginx config snippet

ssl_client_certificate /etc/nginx/client_certs/ca.crt;
ssl_verify_client on;

Inside the location section I put proxy_set_header X-Forwarded-For $ssl_client_s_dn;

The problem here is that $ssl_client_s_dn extracts the Common Name (CN) from the client certificate like this CN=username which miniflux does not understand. To solve this, I wrote a variable mapping for Nginx

map  $ssl_client_s_dn  $ssl_client_s_dn_cn {
        default "";
        ~CN=(.*) $1;

And used the new variable $ssl_client_s_dn_cn inside the location section. What the map does:

  1. Take the original CN=... string
  2. If anything goes wrong, return "" by default
  3. Match a regex ~, capture everything after the CN= in a group and return the first group $1

Miniflux only needs one configuration parameter AUTH_PROXY_HEADER="X-Forwarded-For"


Remove quarantine attribute from executable xattr -rd com.apple.quarantine <executable-file> Alternatively you can locate the Application, ctrl-click -> Open to override the security permissions for this App.

Force Quit Window: CMD + Option + Esc



Stream like a CTO Very professional, expensive setup for streaming. I like the tooling advise. And once money is very little object, this home office setup seems to be a lot of fun, including camera, microfone, UPS, screens, Lenovo ThinkStation and what so not.



Use SSH SOCKS proxy ssh -D 1337 -q -C -N user@server (-D Socks, -q quiet, -C compress -N no output (-i private key))


Convert .pfx / .p12 to .pem openssl pkcs12 -in client.pfx -out client.pem, as used with anyconnect or openconnect.

Or the other way round, crt to pfx openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt