Using Home Assistant to automatically close my garage if it's open longer than 10 minutes after sunset and before sunrise

I became a fan of home automation after having kids who would constantly leave lights on, and after the times I would forget to close the garage door. Initially I used sites such as IFTTT for some automations, but IFTTT's options were limited. Enter Home Assistant. Home Assistant gives you the power to combine automated products from several different manufacturers under one roof. The best part of Home Assistant is that it is open source.

I use devices designed for Google Assistant or Alexa without any issues. The best part is that, using Home Assistant, I can have my Alexa control Google devices and vice versa. I have been using Home Assistant for about 4 years now and it ties in with my Alexa and Google Assistant seamlessly.

I have an older garage door opener that is extremely quiet and works well, so I didn't want to purchase a newer opener just to be able to control my garage door via an app. A lot of the garage door Wi-Fi devices depend on newer opener models. After researching several devices I found one that fit my needs: Garadget (available on Amazon). Garadget is also open source and does not need to be cloud dependent. The device goes inline with the existing wired garage door opener you already have in your house: you can either splice the line or connect it at the same place your wired opener connects, so there is no need to train the device against older wireless garage remotes. Automating my garage door was my first step into home automation years ago. Now most everything in my house is automated in some way. My wife loves it….(not so much).

This script is based on work I found in an old Garadget community post that I can no longer find; I will link it here if I locate it in the future. The setup works in two parts: the automation itself and the script it calls to open or close the garage. First the automation, which goes in automations.yaml in your Home Assistant config directory:

- id: '1580266666413'
  alias: Garage auto-close
  # Fires when the door has been open for 10 minutes, or 25 minutes after sunset
  trigger:
    - platform: state
      entity_id: cover.garage
      to: "open"
      for:
        minutes: 10
    - platform: sun
      event: sunset
      offset: "+00:25:00"
  # Only close when the door has really been open 10 minutes AND it is night
  condition:
    condition: and
    conditions:
      - condition: state
        entity_id: cover.garage
        state: "open"
        for:
          minutes: 10
      - condition: or
        conditions:
          - condition: sun
            after: sunset
            after_offset: "+00:25:00"
          - condition: sun
            before: sunrise
  action:
    service: cover.close_cover
    entity_id: cover.garage

Next, add the following to scripts.yaml (also located in Home Assistant's config folder):

garage_trigger:
  alias: Garage Trigger
  sequence:
  - entity_id: cover.garage
    service: cover.toggle

Lastly, make sure Garadget is defined in Home Assistant's configuration.yaml (Home Assistant calls a garage door a "cover"). You will need your Garadget's device ID, as assigned via Home Assistant, and you will also need to gather your Garadget's access token, which you can get using this post.

cover:
  - platform: garadget
    covers:
      garadget:
        device: yourdeviceid
        # the token can also live in secrets.yaml and be pulled in with !secret,
        # as the commented-out username/password lines below suggest
        access_token: youraccesstoken
        name: garage
        #username: !locatedinmysecretsfile
        #password: !locatedinmysecretsfile

WatchGuard Dimension Server on Proxmox VE 6.4-8

One of my friends needed a WatchGuard Dimension server set up, and they were using Proxmox as the host. I figured it *Should* be easy. I initially downloaded the Dimension .ova, scp'd it over to Proxmox and worked on unpacking the .ova and importing the .ovf. The import worked, but the VM would not boot. Next I found Marcus Eaton's blog article on installing WatchGuard Dimension on Proxmox VE. I initially ran into problems converting the disks, as my Dimension VM drives were stored in an LVM-Thin volume. This is how I got mine to work:

1.) On Proxmox, I created a directory under /root: mkdir /root/staging

2.) Scp'd WatchGuard Dimension's VMware .ova file to /root/staging

3.) In /root/staging, I unpacked the .ova (it is a plain tar archive): tar xvf ./watchguard-dimension_2_2.ova

4.) Create a new VM in Proxmox, choose "Do not use any media" and leave the default Guest OS type as Linux 5.x - 2.6 Kernel. Under the System tab, I left the defaults. On the "Hard Disk" tab, for Bus/Device I selected SATA and set the drive to 160 GB. Under the "CPU" tab, I selected 2 sockets and 2 cores. Under the Memory tab, I selected 4096 (4 GB). Under Network, I changed the Model to E1000 and confirmed the settings. When the VM was finished creating, I edited the VM hardware, adding a 2nd hard drive (SATA) which was also 160 GB, so the VM now had two 160 GB hard drives. I left the VM powered down and returned to my SSH session into Proxmox.

5.) From the /root/staging directory I ran the following (the commands can take some time to run; my VM ID was 100, which is where the vm--100 in the device paths comes from):

A.) qemu-img convert -f vmdk -O raw watchguard-dimension_2_2_signed-disk1.vmdk /dev/mapper/pve-vm--100--disk--0

B.) qemu-img convert -f vmdk -O raw watchguard-dimension_2_2_signed-disk2.vmdk /dev/mapper/pve-vm--100--disk--1

Once the conversions completed, I was able to power on the Dimension VM and run through its configuration.
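The two conversions above as a small script, added here as an example rather than taken from the post: it derives the device-mapper path from the VG name, VM ID and disk index (LVM doubles every hyphen in a VG or LV name, which is why vm-100-disk-0 shows up as vm--100--disk--0), checks that the LV exists and that the VM is stopped before writing raw data onto its disk, and then runs qemu-img. It assumes the VG is called pve and the VM ID is 100, as in the post.

```shell
# Added example, not from the original post. Run from /root/staging after
# "tar xvf watchguard-dimension_2_2.ova". Assumes VG "pve" and VMID 100.
set -eu

# LVM's device-mapper names escape every '-' in the VG or LV name as '--',
# so the LV "vm-100-disk-0" in VG "pve" is /dev/mapper/pve-vm--100--disk--0.
lvm_dm_path() {   # lvm_dm_path <vg> <vmid> <disk-index>
  vg=$(printf '%s' "$1" | sed 's/-/--/g')
  printf '/dev/mapper/%s-vm--%s--disk--%s\n' "$vg" "$2" "$3"
}

# Never write raw data into a disk a running VM is using.
vm_is_stopped() {  # vm_is_stopped <vmid>
  qm status "$1" 2>/dev/null | grep -q 'status: stopped'
}

# Convert one VMDK straight onto the LV (no intermediate raw file on disk).
import_vmdk() {   # import_vmdk <vmid> <disk-index> <vmdk-file> [vg]
  target=$(lvm_dm_path "${4:-pve}" "$1" "$2")
  [ -b "$target" ] || { echo "no such block device: $target" >&2; return 1; }
  qemu-img convert -p -f vmdk -O raw "$3" "$target"
}

# The two disks from the post, in order, onto disk-0 and disk-1 of the VM.
import_dimension() {  # import_dimension <vmid> [vg]
  vm_is_stopped "$1" || { echo "VM $1 must be stopped first" >&2; return 1; }
  import_vmdk "$1" 0 watchguard-dimension_2_2_signed-disk1.vmdk "${2:-pve}"
  import_vmdk "$1" 1 watchguard-dimension_2_2_signed-disk2.vmdk "${2:-pve}"
}

# Usage on the Proxmox host:
#   import_dimension 100
```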

Migrating VMs from XEN to VMware

Two years ago I was tasked with migrating some VMs off XEN to VMware; these were my notes:

1.) Take SNAPSHOT!!!!

2.) Uninstall Citrix via Add/Remove Programs (don't restart)

3.) Manually run C:\Program Files (x86)\Citrix\XenTools\uninstaller.exe (don't restart)

4.) Device Manager: uninstall devices with a Citrix driver (don't reboot; you may have to uninstall twice)

5.) Device Manager (show hidden devices): look for Citrix drivers and uninstall any that are shown

6.) Restart the machine, then take another snapshot (just in case)

7.) Open Device Manager and double-check for XEN drivers (there shouldn't be any)

8.) Open the registry editor (regedit) and navigate to:

HKLM\SYSTEM\CurrentControlSet\Services\

Delete all keys that begin with "XEN*" and repeat for every other "CurrentControlSet" key you may have, for example:

HKLM\SYSTEM\CurrentControlSet1\Services\
HKLM\SYSTEM\CurrentControlSet2\Services\

Now navigate to:

HKLM\SYSTEM\CurrentControlSet\Control\Class\

and delete the "UpperFilters" value found under each of the following two keys:

{4D36E96A-E325-11CE-BFC1-08002BE10318}
{4D36E97D-E325-11CE-BFC1-08002BE10318}

Repeat for every other "CurrentControlSet" key you may have, for example:

HKLM\SYSTEM\CurrentControlSet1\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet1\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet2\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet2\Control\Class\{4D36E97D-E325-11CE-BFC1-08002BE10318}

9.) Go to C:\Windows\System32 and delete all XEN drivers

10.) Reboot and make sure there is no BSOD

11.) Run VMware Converter

Ansible Automation: Gather a list of all services on Windows servers and clients

I had another audit request to gather all services on Windows servers in an environment of 70+ servers. I knew doing this through Ansible would be a lot faster than going to each server individually. In the end it took less than 5 minutes to gather the services on 70+ servers.

When running the playbook I usually tee the output to a text file, e.g.:

ansible-playbook Audit_win_list_all_services.yml | tee /tmp/audit/Windows_services.txt

Here is my playbook:

Audit_win_list_all_services.yml

Ansible Automation: Gather a list of all software installed on Windows servers and clients

I had a request to gather all software installed on Windows servers in an environment of 70+ servers. I knew doing this through Ansible would be a lot faster than going to each server individually. In the end it took less than 5 minutes to gather the installed software on 70+ servers.

I had seen a few playbooks online from other Ansible admins doing this via Win32_Product, but I have seen warnings about querying Win32_Product causing problems.

So after reading this article, I created the following playbook (I initially used a normal debug statement, but the output had a lot of unnecessary info, so I split the output by newline and printed that list):

Below is my playbook:

win_list_all_programs.yml

Automating with Ansible: Adding new Windows server clients to Prometheus/Grafana

I needed a way to install the Windows_Exporter on our Windows systems as well as automate the configuration of the client in Prometheus. I came up with this Ansible playbook to handle the task. I'm sure there are other ways of doing this and I'm always open to suggestions. Here is what I have:

Playbooks (Can be downloaded):

win_install_prometheus.yml which calls install_prometheus_part2.yml

I imported a dashboard from Grafana.com, but at the time it only supported the older wmi_exporter. I was able to edit the dashboard and update it to work with the new exporter. Here is my dashboard (in JSON format for importing):

vCenter 6.5 Appliance (VCSA) password recovery procedure failing

The other week I was resetting the root password on a few vCenter appliances. 2 out of the 3 appliances went well. The last one was not so easy. At first I figured maybe I fat-fingered the password, but after a few retries with the same result I looked elsewhere.

A normal password recovery consists of:

  1. Restart your vCenter appliance and wait for the Photon OS splash screen during boot
  2. Hit the letter "E" on the keyboard to edit the grub menu
  3. Add the following to the end of the line that starts with linux: rw init=/bin/bash
  4. Hit the F10 key on your keyboard to boot
  5. At the root prompt, enter passwd (hit enter) and set your password (twice)
  6. Run: umount /
  7. Run: reboot -f

This is exactly what I did, and the new password would still not work after reboot. I would enter root as the username, and when I entered the password I would see "account locked after x retries". I then tried pam_tally --reset --user root directly after resetting the root password during recovery (between steps 5 & 6), but I still had issues.

The final work-around was to try: pam_tally2 --reset --user root

To recap:

  1. Restart your vCenter appliance and wait for the Photon OS splash screen during boot
  2. Hit the letter "E" on the keyboard to edit the grub menu
  3. Add the following to the end of the line that starts with linux: rw init=/bin/bash
  4. Hit the F10 key on your keyboard to boot
  5. At the root prompt, enter passwd (hit enter) and set your password (twice)
  6. Run: pam_tally2 --reset --user root
  7. Run: umount /
  8. Run: reboot -f

Troubleshooting ASA rules with the packet-tracer command (am I blocked by a rule?)

Recently I was at a client site where I created new access rules that looked good and should have been working. To troubleshoot why my rules were not working, I used the packet-tracer command for testing (IPs have been changed). I was able to find another rule that was blocking me. Once I removed that rule, I retested via packet-tracer satisfactorily and I was able to access the server externally.

fw5540(config)# packet-tracer input outside tcp 8.8.8.8 80 10.192.37.242 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SC_Stock
nat (dmz,outside) static SC_Stock_External
Additional Information:
NAT divert to egress interface dmz
Untranslate test_External/3389 to 192.168.1.82/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any log
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

So as you can see, the SC_Stock rules were blocking me.

Below I retested satisfactorily:

fw5540# packet-tracer input outside tcp 8.8.8.8 80 10.192.37.242 3389

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SVR_NT4
nat (inside,outside) static 10.192.37.242 service tcp 3389 3389
Additional Information:
NAT divert to egress interface inside
Untranslate 10.192.37.242/3389 to WEBSVR1/3389

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any4 object SVR_NT4 eq 3389
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SVR_NT4
nat (inside,outside) static 10.192.37.242 service tcp 3389 3389
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 139687922, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
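Reading every phase by hand gets old when a trace has nine of them. The helper below is an added example, not part of the original post: an awk filter that takes saved packet-tracer output and reports the first phase that returned DROP, the access-list line from that phase's Config section, and the final Drop-reason, or "allowed" when no phase dropped. The two samples are constructed, trimmed copies of the traces above.

```shell
# Added example, not from the original post: find the blocking rule in
# saved "packet-tracer" output without reading every phase by hand.
first_drop_phase() {   # usage: first_drop_phase < trace.txt
  awk '
    /^Phase: /       { phase = $2; type = "" }
    /^Type: /        { type = $2 }
    /^Result: DROP/  { if (!hit) { hit = 1; dphase = phase; dtype = type } }
    /^access-list /  { if (hit && phase == dphase) rule = $0 }
    /^Drop-reason: / { sub(/^Drop-reason: /, ""); reason = $0 }
    END {
      if (hit) printf "%s|%s|%s|%s\n", dphase, dtype, rule, reason
      else     print "allowed"
    }'
}

# Constructed samples trimmed from the post's two traces.
SAMPLE_DROP=$(cat <<'EOF'
Phase: 1
Type: UN-NAT
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any log
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
EOF
)
SAMPLE_ALLOW=$(cat <<'EOF'
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list outside_access_in extended permit tcp any4 object SVR_NT4 eq 3389
Result:
Action: allow
EOF
)

printf '%s\n' "$SAMPLE_DROP"  | first_drop_phase   # phase 2, ACCESS-LIST, deny ip any any
printf '%s\n' "$SAMPLE_ALLOW" | first_drop_phase   # allowed
```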

Setting up AnyConnect VPN’s on the Cisco ASA 5508x (FTD)

This was done on FTD version 6.2.3-83.

Everything I have found on the Cisco FTD is outdated, and the latest FTM interface looks nothing like the articles I have seen on the net. Below is a picture of my interface.

  1. In the top menu (Monitoring, Policies, Objects, Device), select Device
  2. I then selected Remote Access VPN
  3. Create a connection profile name (I entered the client domain-VPN)
  4. For AD Realm/Directory I selected the realm I created earlier:
  5. I then downloaded anyconnect-win-4.5.05030-webdeploy-k9.pkg for Windows clients from Cisco.com, uploaded it to the ASA and selected Next.
  6. For the Device Identity certificate, I selected "Create New Internal Certificate"
  7. I then selected "Upload Certificate and Key" and entered the certificate and key I created here:
  8. For the outside interface, I selected my external interface
  9. I then entered the FQDN of my external IP. If you don't have an FQDN for your external IP, you should get one; it will make your life easier.
  10. For the address pool, I created a new network, e.g. 192.168.9.0/24 (I didn't use IPv6)
  11. For DNS and domain name, I entered my internal DNS servers and internal domain name and selected Next.
  12. I set the VPN as NAT exempt
  13. Selected my inside interface, entered my inside network, selected Next and finished

Creating a CSR for a Cisco ASA 5508-x running FTD (via FTM)

This was done on FTD version 6.2.3-83.

  1. The ASA was unable to create a CSR, so I took care of that on my Linux PC using openssl. You can also get help with that from this page: https://www.digicert.com/easy-csr/openssl.htm
  2. Once I had the CSR, I submitted it to GoDaddy and they sent me back two files.
  3. I combined the two files into one by running the following in a Linux terminal: cat whatever.crt gd_bundle.crt > combined.crt
  4. I then kept combined.crt along with my domain.key (created during the CSR step) in a known directory for later use with the ASA
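The openssl side of steps 1 and 3 as a script, added here as an example rather than taken from the post: it writes a request config with the FQDN in the subjectAltName, generates the key with a restrictive umask, and, before concatenating the CA's two files the way the post does, checks that the issued certificate chains to the bundle and actually matches the key that was generated. The FQDN vpn.example.com and the per-domain file names are assumptions; the CA file names are the ones from the post.

```shell
# Added example, not the post's own commands. Assumes openssl on a Linux PC;
# nothing here talks to the ASA.
set -eu

# Request config with a subjectAltName: CAs and modern clients expect the
# FQDN there, not only in the CN.
write_csr_config() {   # write_csr_config <fqdn>
  printf '%s\n' \
    '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' 'prompt = no' \
    '[dn]' "CN = $1" \
    '[v3_req]' "subjectAltName = DNS:$1"
}

# Key and CSR; umask 077 keeps the private key from ever being world-readable.
make_csr() {   # make_csr <fqdn>   -> <fqdn>.key and <fqdn>.csr
  write_csr_config "$1" > "$1.cnf"
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -config "$1.cnf" )
  # confirm the SAN made it into the request before sending it off
  openssl req -in "$1.csr" -noout -text | grep -q "DNS:$1"
}

# The post's "cat whatever.crt gd_bundle.crt > combined.crt", preceded by two
# checks: the leaf must verify against the system roots using the bundle as
# intermediates, and its public key must match the key we generated.
bundle_and_check() {   # bundle_and_check <leaf.crt> <ca_bundle.crt> <key> <out>
  openssl verify -untrusted "$2" "$1" >/dev/null
  leaf_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$3" -pubout)
  [ "$leaf_pub" = "$key_pub" ] || { echo "certificate does not match $3" >&2; return 1; }
  cat "$1" "$2" > "$4"
}

# Usage:
#   make_csr vpn.example.com           # submit vpn.example.com.csr to the CA
#   bundle_and_check whatever.crt gd_bundle.crt vpn.example.com.key combined.crt
```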

Please check out my related article:

Setting up AnyConnect VPN’s on the Cisco ASA 5508x (FTD)