PROBLEM

You want to generate high-quality GIFs from MP4 files without using extra software or online services.

SOLUTION

Install FFmpeg.

Default FFmpeg conversions often look low quality because GIFs are limited to 256 colors and use a generic color map. So, a two-pass conversion will be used.

# Pass 1: Analyze the video to generate a palette
ffmpeg -i input.mp4 \
  -vf "fps=10,scale=850:-1:flags=lanczos,palettegen" \
  palette.png

# Pass 2: Apply the palette to create the GIF
ffmpeg -i input.mp4 \
  -i palette.png \
  -filter_complex "fps=10,scale=850:-1:flags=lanczos[x];[x][1:v]paletteuse" \
  output.gif

Parameters:

• fps=10: Reduces frame rate and file size.
• scale=850:-1: Sets width to 850px, -1 will keep aspect ratio.
• flags=lanczos: Sharper scaling algorithm.
• palettegen: Generates optimal 256-color palette.
• paletteuse: Applies the generated palette.

The post FFmpeg: High-Quality MP4 to GIF appeared first on My Shitty Code.

Table of Contents

Why Cache Access Token with MSAL?

Building upon the previous post that performs delegated access authentication with MSAL, suppose your program uses this function to get the access token.

def get_access_token():
    app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
    result = app.acquire_token_interactive(scopes=SCOPES)
    access_token = result['access_token']

    return access_token

In this case, it will always launch the browser to complete the authentication flow and retrieve the access token every time the program runs.

While it works, it introduces a slight latency to your program. Fortunately, MSAL provides the capability to cache the access token.

Solution A: Use custom persistence cache

In this solution, we can introduce our custom persistence cache.

First, we can use these functions to load the access token from the cache file and save it to the cache file.

import os
import msal

...
CACHE_FILE = 'msal_token_cache.json'

def load_cache():
    cache = msal.SerializableTokenCache()

    if os.path.exists(CACHE_FILE):
        with open(CACHE_FILE, 'rb') as f:
            cache.deserialize(f.read())

    return cache

def save_cache(cache):
    if cache.has_state_changed:
        with open(CACHE_FILE, 'wb') as f:
            f.write(cache.serialize().encode())

We can first attempt to get a valid access token from the cache. It will only get the token interactively via the browser if the access token doesn’t exist or has expired.

def get_access_token():
    cache = load_cache()
    app = msal.PublicClientApplication(
        CLIENT_ID,
        authority=AUTHORITY,
        token_cache=cache,
    )
    result = None
    accounts = app.get_accounts()

    if accounts:
        result = app.acquire_token_silent(SCOPES, account=accounts[0])

    if not result:
        result = app.acquire_token_interactive(scopes=SCOPES)

    save_cache(cache)
    access_token = result['access_token']

    return access_token

While this solution works, the implementation code is very lengthy. Furthermore, the access token is stored in the cache file as clear text.

Solution B: Use the OS platform’s encrypted vault (PREFERRED)

A Python package called msal-extensions allows the access token to be stored securely in the OS platform’s encrypted vault. For example, If the program runs on MacOS, KeyChain will be used. Windows uses DPAPI, and Linux uses LibSecret.

To begin, install that Python package.

# requirements.txt

msal
msal-extensions

The configuration is much simpler than Solution A.

import msal
from msal_extensions import build_encrypted_persistence, PersistedTokenCache

...
CACHE_FILE = 'msal_token_cache.json'

def get_access_token():
    app = msal.PublicClientApplication(
        CLIENT_ID,
        authority=AUTHORITY,
        token_cache=PersistedTokenCache(build_encrypted_persistence(CACHE_FILE)),
    )

    result = None
    accounts = app.get_accounts()

    if accounts:
        result = app.acquire_token_silent(SCOPES, account=accounts[0])

    if not result:
        result = app.acquire_token_interactive(scopes=SCOPES)

    access_token = result['access_token']

    return access_token

When running the program on MacOS, the access token is stored in the KeyChain.

Note: An empty cache file named msal_token_cache.json has also been created. Unfortunately, there is no option in msal-extensions==1.2.0 to disable the creation of this file at the moment.

The post MSAL: Caching Access Token appeared first on My Shitty Code.

Table of Contents

Why Launch a Specific Browser with MSAL?

Building upon the previous post that performs delegated access authentication with MSAL, your institution may sometimes allow you to access Microsoft 365 products only on the approved browsers.

By default, MSAL launches the default browser on your machine to obtain the access token interactively.

If your institution only allows Chrome and your default browser is Firefox, you will get the following message:

Overriding with BROWSER environment variable

MSAL relies on Python’s built-in module called webbrowser to launch the browser. This allows us to change the browser by setting the BROWSER environment variable to the predefined values (‘firefox’, ‘chrome’, etc.)

For example, to launch Firefox instead of the default browser, we can do this:

import os
import msal

# ... 
os.environ['BROWSER'] = 'firefox'
app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
result = app.acquire_token_interactive(scopes=SCOPES)

What if the BROWSER environment variable’s predefined value doesn’t work?

I discovered that Python’s webbrowser failed to launch the correct browser, especially when dealing with Chromnium-based browsers.

For example, suppose my default browser is Brave, and I set the BROWSER environment variable to Chrome. In that case, it will still launch the Brave browser.

# default browser = Brave

os.environ['BROWSER'] = 'chrome'  # doesn't work
app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
result = app.acquire_token_interactive(scopes=SCOPES)

Fortunately, it is possible to specify a full path ending with ‘%s’ instead:

# default browser = Brave

os.environ['BROWSER'] = 'open -a /Applications/Google\\ Chrome.app %s'  # works
app = msal.PublicClientApplication(CLIENT_ID, authority=AUTHORITY)
result = app.acquire_token_interactive(scopes=SCOPES)

If you are stuck on the “Approve sign in request” or “Set up your device to get access” screen indefinitely, consider clearing the browser cache and then try again.

The post MSAL: Launching Specific Browser with Delegated Access Authentication appeared first on My Shitty Code.

Table of Contents

Problem

When using the Ansible playbook to run Homebrew-related modules, it will prompt for a sudo password where necessary on specific tasks. For example, using the community.general.homebrew_cask module to (un)install the apps under /Applications directory will prompt for a sudo password on each app.

It is not possible to preemptively prompt for a sudo password before running the Ansible playbook:

# Does not work!
sudo -v

ansible-playbook main.yml

It is also not possible to perform clever tricks like this to extend the sudo timeout:

# Does not work, too!
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

ansible-playbook main.yml

Root Cause

This is not an Ansible problem. This behavior exists because Homebrew always clears the sudo password cache to prevent privilege escalation attacks [link 1] [link 2].

The upside is the community.general.homebrew_cask module provides a variable for passing in a sudo password, for example:

- name: Install/Upgrade cask packages
  community.general.homebrew_cask:
    name: '{{ item }}'
    state: upgraded
    greedy: true
    install_options: force,no-quarantine
    sudo_password: "{{ ansible_become_pass }}"
  loop: '{{ homebrew_cask_packages_present }}'

Solution

While storing passwords in a file is not ideal, it prevents these Ansible tasks from prompting for a sudo password each time. The ansible-vault command can be used to store the password (and other secrets) securely.

First, create an encrypted file.

ansible-vault create vault.yml

You will be prompted for a new vault password. Once provided, enter the following into the file.

ansible_become_pass: [YOUR_SUDO_PASSWORD]

Now, your encrypted file should be created in the location you specified with the proper permission set:

$ ls -la
total 88
drwxr-xr-x@ 18 shitty.author  staff   576 Sep  4 09:06 .
drwxr-xr-x  12 shitty.author  staff   384 Jun 27 12:47 ..
-rw-r--r--   1 shitty.author  staff    99 Mar  1  2024 .ansible-lint
-rw-r--r--   1 shitty.author  staff   193 Mar 19 08:57 .editorconfig
drwxr-xr-x  16 shitty.author  staff   512 Sep  4 09:06 .git
-rw-r--r--   1 shitty.author  staff   243 Mar  1  2024 .gitignore
drwxr-xr-x   8 shitty.author  staff   256 Sep  4 09:35 .idea
drwxr-xr-x   6 shitty.author  staff   192 Mar  4  2024 .venv
-rw-r--r--   1 shitty.author  staff    72 Mar  1  2024 .yamllint
-rw-r--r--   1 shitty.author  staff  1079 Mar  1  2024 LICENSE.md
-rw-r--r--@  1 shitty.author  staff  1796 Sep  4 08:39 README.md
-rw-r--r--   1 shitty.author  staff   381 Mar  1  2024 ansible.cfg
-rw-r--r--   1 shitty.author  staff    65 Mar  1  2024 inventory.yml
-rw-r--r--@  1 shitty.author  staff  1450 Sep  4 09:06 main.yml
drwxr-xr-x  16 shitty.author  staff   512 Aug 12 09:32 roles
-rw-------@  1 shitty.author  staff   484 Sep  4 09:01 vault.yml

If you open vault.yml, the content should look gibberish.

$ cat vault.yml                                                                                  ✔
$ANSIBLE_VAULT;1.1;AES256
62343635616463643935613965336336323366653565646137616238663266633936363463611364
6139353639666163323066653733663763323236663361380a646264623465616461646637315661
34396438316137383130366330313431653336396435656562356430333762373866663234383230
6265656164346531660a626431383230326664393839316131626330353562363164313439661863
31343363323236333531303139396662386531626165663732386233626538646338333133375936
6535626465393233386634393934623438393535626365313132

In the Ansible playbook, specify vault.yml under vars_files.

---
- name: My Playbook
  hosts: all
  vars_files:
    - vault.yml
  roles:
    - ...

Finally, run the Ansible playbook with the –ask-vault-pass option, where you will be prompted for the vault password once before Ansible executes the playbook.

ansible-playbook main.yml --ask-vault-pass

Now, you will not be prompted for a sudo password every time Homebrew-related tasks run.

The post Ansible: Handling Sudo Password with Homebrew appeared first on My Shitty Code.

Why WireGuard?

While most modern routers support OpenVPN and WireGuard protocols, the latter is faster and more efficient when traveling through the encrypted tunnels, providing a superior VPN experience.

Why This Extra Step When Using NordVPN?

Unlike other VPN providers, NordVPN builds its proprietary solution, NordLynx, on WireGuard. Thus, it is not possible to configure it directly on your router unless you want to rely on the slower OpenVPN.

Prerequisites

• A NordVPN customer.
• A router that supports WireGuard VPN protocol.
• An environment to run Linux commands. Install jq if it doesn’t exist.
• Expert in CMD/CTRL+C and CMD/CTRL+V.

Step 1: Generate Access Token in NordVPN

• Go to this NordVPN link.
• Click on the Set up NordVPN manually button.

• After completing the email verification, you will land on a page that allows you to generate an access token. Click on the Generate new token button.

• Leave the token expiration as is. Click on the Generate token button.

• Copy the access token to a text file and close the pop-up dialog.

Step 2: Use NordVPN APIs to Extract WireGuard Configuration

Fortunately, NordVPN provides a helpful Rest API that returns a list of recommended servers based on your current location. We can use this to query for a list of WireGuard-compatible servers.

#!/usr/bin/env bash

ACCESS_TOKEN="[YOUR-ACCESS-TOKEN]"
TOTAL_CONFIGS=3
DNS="1.1.1.1"

CREDENTIALS_URL="https://api.nordvpn.com/v1/users/services/credentials"
SERVER_RECOMMENDATIONS_URL="https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=$TOTAL_CONFIGS"

PRIVATE_KEY=$(curl -s -u token:"$ACCESS_TOKEN" "$CREDENTIALS_URL" | jq -r .nordlynx_private_key)

curl -s "$SERVER_RECOMMENDATIONS_URL" | \
  jq -r --arg private_key "$PRIVATE_KEY" --arg dns "$DNS" '
    .[] |
    {
      filename: (.locations[0].country.name + " - " + .locations[0].country.city.name + " - " + .hostname + ".conf"),
      ip: .station,
      publicKey: (.technologies | .[] | select(.identifier == "wireguard_udp") | .metadata | .[] | .value)
    } |
    {
      filename: .filename,
      config: [
        "# " + .filename,
        "",
        "[Interface]",
        "PrivateKey = \($private_key)",
        "Address = 10.5.0.2/32",
        "DNS = \($dns)",
        "",
        "[Peer]",
        "PublicKey = " + .publicKey,
        "AllowedIPs = 0.0.0.0/0, ::/0",
        "Endpoint = " + .ip + ":51820"
      ] | join("\n")
    } |
    "echo \"" + .config + "\" > \"" + .filename + "\""
  ' | sh

Required Changes:

• Line 3: Replace [YOUR-ACCESS-TOKEN] with the access token you have just copied.

Optional Changes:

• Line 4: By default, this script generates 3 different WireGuard config files based on your location. If one of the servers is oversaturated, you can point to a different server next time without rerunning the script.
• Line 5: Currently, I use CloudFlare DNS (1.1.1.1) since it has the fastest response time. However, you can update it to point to your favorite DNS server, for example, Google’s 8.8.8.8.

Other Helpful Explanations:

• Line 10: Retrieve your private key.
• Line 12: Retrieve the recommended WireGuard-compatible servers based on your current location and generate the WireGuard config files.

Suppose you plan to travel to a different location with your travel router. In that case, typically, you want to pre-configure your travel router with the nearest WireGuard servers based on your destinations before departing. To do this, you can choose a desired location in the NordVPN software installed on your current machine before rerunning this script. For example, you might pick Finland because you fancy eating the delicious Kaalikääryleet that you can’t pronounce. Still, you want to do it safely before Instagramming it in real-time during your long weekend.

After running the script, you should see 3 WireGuard configuration files created.

$ ls -a | cat                                                                                ✔ 
.
..
Finland - Helsinki - fi183.nordvpn.com.conf
Finland - Helsinki - fi195.nordvpn.com.conf
Finland - Helsinki - fi198.nordvpn.com.conf
nordvpn-wireguard.sh

Step 3: Configure WireGuard on Router

The following instructions apply to the GL.iNet travel routers, in my case, Beryl AX (GL-MT3000). Follow your router’s instructions as needed.

IMPORTANT: Before proceeding, ensure you have disabled the VPN from your machine so that it relies on the VPN configured on the travel router based on the steps below.

• Change your SSID to point to your travel router.
• Go to http://192.168.8.1/
• Log into the Admin Panel.
• Go to VPN > WireGuard Client.

• Upload the WireGuard configuration files. Rename the New Provider group to NordVPN to make it more meaningful.

• Pick a server and click Start.

• After a few seconds, the icon should change from orange to green.

• Go to https://whatismyipaddress.com/ to verify your IP. The IP should point to your VPN server’s location.

• Enjoy your Kaalikääryleet!

The post NordVPN: Extracting WireGuard Configuration appeared first on My Shitty Code.